A Safety Vulnerability Assessment of Select CAST Safety Enhancements Final Report

Submitted to

Joint Implementation Measurement Data Analysis Team (JIMDAT)

Draft Submission: February 22, 2011 Final Submission: November 7, 2011

Editorial Team:

Brian E. Smith, NASA Ames Research Center Rudi den Hertog, Fokker Aircraft Maggie Clark, The Boeing Company Andy Marosvari, NATCA/IFATCA Michael Kavoliunas, Bombardier

DISCLAIMER: T he Future Aviation Safety Team (FAST) provided this information to the CAST Joint Implementation Measurement Data Analysis Team (JIMDAT) to advance aviation safety. The use of this information is entirely voluntary, and its applicability and suitability for any particular use is the sole responsibility of the user. Neither the FAST nor the JIMDAT is responsible or liable under any circumstances for the content of this information, nor for any decisions or actions taken on the basis of this information. The views expressed by FAST in this document and its appendices do not necessarily reflect those of the organizations participating in FAST or supporting the JIMDAT.

FAST_SE_Report_11017011_final.docx

2 FAST_SE_Report_11017011_final.docx

Editorial Team Signature Page

3 FAST_SE_Report_11017011_final.docx

Table of Contents

Acronyms...... 6 Executive Summary...... 8 Introduction and Background ...... 11 Assessment Process ...... 12 Selection of Safety Enhancements...... 12 Updating Areas of Change List...... 13 Ranking of Safety Enhancements for Vulnerability to AoC Phenomena...... 13 Populating SE Vulnerability Assessment Templates...... 14 Safety Enhancement Vulnerabilities, Benefits, and Watch Items ...... 15 Loss of Control (LOC)...... 15 LOC SE Vulnerabilities and Benefits...... 15 LOC-related Watch Items...... 19 Controlled Flight Into Terrain (CFIT) ...... 21 CFIT SE Vulnerabilities and Benefits ...... 21 CFIT-related Watch Items ...... 24 Icing SEs ...... 25 Icing SE Vulnerabilities and Benefits...... 25 Icing-related Watch Items...... 27 Runway Safety SEs...... 28 Runway Safety SE Vulnerabilities and Benefits ...... 28 Runway Safety-related Watch Items ...... 30 Proactive Safety Program SE...... 31 Proactive Safety Program Vulnerabilities and Benefits...... 31 Proactive Safety Program-related Watch Items...... 33 General Observations...... 34 Conclusions...... 36 Future Directions ...... 39 Appendices:...... 40 A. Draft FAST Re-start Terms of Reference from JIMDAT...... 40 B. List of FAST Contributors ...... 44 C. Updated AOC list used for Analysis...... 45 D. Individual CAST Safety Enhancement Assessment Tables ...... 60 SE 1: CFIT TAWS – One Project...... 60 SE 2: CFIT SOPs – One Project ...... 65 SE 10: Airline Proactive Safety Programs (FOQA and ASAP) ...... 71 SE 12: CFIT Prevention Training – One Project...... 75 SE 26: LOC Policies and Procedures...... 81 SE 30: Human Factors and Automation ...... 90 SE 31: LOC Training - Advanced Maneuvers...... 99 SE 34: LOC Display and Alerting Features in New Airplane Designs ...... 108 SE 39: LOC Basic Aircraft Design-Icing ...... 118 SE 60: RI Pilot Training – One Project / SA, SOPs, CRM, All Resources...... 125 SE 85: LOC Vertical Situation Displays – All Airplane Designs ...... 130 SE 120: CFIT - TAWS Improved Functionality...... 140

4 FAST_SE_Report_11017011_final.docx

SE 133: Icing - Turboprop Aircraft Ice Detection Systems...... 145 SE 183: Wrong Runway Departures – Cockpit Moving Map Display and Runway Awareness System ...... 153 E. References ...... 159

5 FAST_SE_Report_11017011_final.docx

Acronyms

ACI Airports Council International AI anti-ice ALAR approach and landing accident reduction AoC area of change ASAP Aviation Safety Action Program ASDE airport surface detection equipment ASRS Aviation Safety Reporting System ATA Air Transport Association ATC air traffic control ATO Air Traffic Organization ATSAP Air Traffic Safety Action Program CapSA capability safety assessment CAST Commercial Aviation Safety Team CBT competence based training CFIT controlled flight into terrain COTS commercial off the shelf DGAC Direction générale de l'aviation civile (French Civil Aviation Authority) DIP detailed implementation plan EASA European Aviation Safety Agency EBT evidence based training ECAST European Commercial Aviation Safety Team EFB electronic flight bag EGPWS enhanced ground proximity warning system ESSI European Strategic Safety Initiative ESTEC European Space Technology and Engineering Center FAA Federal Aviation Administration FAST Future Aviation Safety Team FCL flight crew licensing FDR flight data recorder FMC flight management computer FMGS flight management guidance system FOQA flight operations quality assurance GNSS global navigation satellite system GPS global positioning system IATA International Air Transport Association ICAO International Civil Aviation Organization IFALPA International Federation of Air Line Pilots Organizations IFATCA International Federation of Air Traffic Controller Associations ILS instrument landing system IRS inertial reference system JAA Joint Aviation Authorities JIMDAT Joint Implementation Measurement Data Analysis Team JPDO Joint Planning and Development Office JSAT Joint Safety Analysis Team

6 FAST_SE_Report_11017011_final.docx

JSSI Joint Safety Strategy Initiative LOC loss of control LOSA line operations safety audit LRU line replaceable unit MEL minimum equipment list MLS microwave landing system NATCA National Air Traffic Controllers Association NGAP New Generation of Aviation Professionals NLR National Aerospace Laboratory (Nationaal Lucht- en Ruimtevaartlaboratorium, NLR), The Netherlands) NPRM notice of proposed rulemaking NTSB National Transportation Safety Board OEM original equipment manufacturer OI operational improvement OSD operational suitability data PAI precision-like approach implementation PED personal electronic device POI principle operations inspector PTS practical test standards RNAV area navigation RNP required navigation performance RR remaining risk SE safety enhancement SESAR Single European Sky Air traffic management Research SMS safety management system SOP standard operating procedure STAMP System–Theoretic Accident Model and Process TAWS terrain awareness and warning system TCAS traffic collision avoidance system TRACON terminal radar approach control TRTO type rating training organizations UAV unmanned aerial vehicle VSD vertical situation display XLS precision instrument landing system

7 FAST_SE_Report_11017011_final.docx

Executive Summary

As a complement to historic Commercial Aviation Safety Team (CAST) processes and diagnostic analysis of digital flight data and voluntary safety reports, the CAST Joint Implementation Measurement Data Analysis Team (JIMDAT) called for re-activation of the Future Aviation Safety Team (FAST) in early 2009 as a forward-looking safety entity. In August of 2009, the FAST embarked on an evaluation of key elements of the safety plan developed by the U.S. Commercial Aviation Safety Team (CAST) formally established effective June 23, 1998 to ensure the plan’s continuing effectiveness. The elements known as Safety Enhancements (SE) were subjectively assessed for the change in their effectiveness when projected into a time frame three to five years into the future.

Using qualitative assessment by subject-matter experts, the FAST systematically evaluated fourteen select CAST Safety Enhancements to uncover concerns, risks, and/or potential benefits brought about by projected changes within the aviation system. From these initial discussions, effectiveness assessments were synthesized including major themes, potentially detrimental and beneficial interactions, and watch items that may be helpful in determining whether postulated futures are coming about and, more importantly, whether the weak signals of potential vulnerabilities can be found in current safety performance indicators.

From the analysis, near-term future phenomena resulting in possible loss of effectiveness of both older and newer safety enhancements include:

• For Loss of Control (LOC) prevention SEs: o Shifting demographics of flight crew to younger pilots who do not have the significant benefit of military experience and unusual-attitude recovery training. Upset recovery training in actual aerobatic airplanes has been discussed in commercial aviation for years. All military pilots have this experience. Unless things change, in the future fewer and fewer civilian pilots will have had the opportunity to benefit from this exposure o Increasing reliance on computer-based pilot training and training based recent accident scenarios. o Increasing flight crew responsibilities, such as self-separation, from modernized air traffic management paradigms. o Increasingly integrated aircraft systems that may present unforeseen failure modes or cascading effects in addition to all the benefits of modern flight deck designs. o Enhanced pilot-aircraft interfaces with unintended human factors consequences.

• For Controlled Flight Into Terrain (CFIT) prevention SEs: o New CFIT-prevention flight deck equipment that in some cases may provides redundant terrain information. o New air traffic control surveillance, flow, and separation procedures that increase traffic volume and decrease separation.

8 FAST_SE_Report_11017011_final.docx

o Changing responsibilitiesfor flight crew and ATC for merging, spacing, and separation assurance for near-term ATC concepts; especially in high-density traffic or metroplex situations. o Heavy dependence on global positioning system/global navigation satellite system (GPS/GNSS), a multiplicity of electronic databases, and increasingly integrated aircraft systems. o Advances in consumer electronics that increase the potential for back-door use of this non-certified equipment. o Human-factors concerns regarding the increasing amounts of information, warnings, cautions and alerts in both flight deck and air traffic control (ATC) systems.

• For Icing prevention SEs (for aircraft not equipped with evaporative ice protection systems): o Increasing pressure to operate more efficiently o Outsourcing of training may not reflect the culture and operating nuances of that particular operator. o Potential reductions in icing research due to tightening budgets. o Enhanced future availability and graphical presentation of weather information that may lead to flight closer to regions of adverse weather. o Changing certification requirements for future ice detection and alerting technologies. o Both a shortage of pilots with appropriate experience and increasing pilot fatigue in the near-term future due to: Appearance of regulations permitting longer flight duty times. Increased regional operations. Continued pressure on crews to improve airline economics.

• For Runway Safety-related SEs: o Heterogeneity of aircraft and airports as well as heterogeneous onboard databases. o Fatigued pilots having been subject to initial and recurrent training into which additional content is being inserted that may not be operationally relevant.

• For Proactive Safety Program SEs: o Challenges in effectively implementing elements of Safety Management Systems that are intended to be the next major advance in the management of aviation safety risk. o Loss of input data sources due to economic, legal, or environmental conditions such as inappropriate prosecution/litigation and labor relations issues. o Challenges in integration and analysis of legacy and modern data formats and content. o Identification and filtering of erroneous sensor outputs. o Difficulties in identifying the weak signals of impending problems in the large data sets that continue to grow exponentially (needle in a haystack).

9 FAST_SE_Report_11017011_final.docx

The dominant source of vulnerability across all five domains addressed in this analysis is the interaction effects of multiple future phenomena not in isolated anomalies. Although in most cases these vulnerabilities are relatively minor compared with the anticipated safety benefits of ongoing and future safety initiatives, convergence of relatively benign circumstances may create a fertile environment for unusual accidents. Therefore, predictive safety assessments of specific, isolated technologies, training programs, air or ground procedures appearing in the future, as well as changes in personnel demographics or other factors must not be evaluated in isolation from the larger aviation system. It is the opinion of the FAST that potential safety issues of the future most of which introduce marginal increases in risk will arise out of unusual conjunctions of future conditions, decisions, and actions; not simple, single-point failures of particular technologies or people. In 2008, Hollnagel stated, “It is important to remember that accidents arise out of usual performance in unusual circumstances, not unusual performance in usual circumstances.” i However, a number of recent accidents have demonstrated unusual human performance – both positive and negative – in normal circumstances. One of the challenges in preventing future accidents is that there may be no common denominator. Unusual performance and unusual circumstances are almost always the result of unanticipated interactions of multiple phenomena that, if they were to occur individually, are relatively benign.

The FAST anticipates a positive future for aviation safety. If anything, because of economic factors external to the worldwide aviation system, the 2X to 3X capacity demand is not materializing as rapidly as many expected. This gives the community a great opportunity to look for those as-yet undetected subtle issues that may have emerged earlier if the demand curve had been more aggressive. The FAST recommends that independent developers of the various, powerful safety improvements that are nearing implementation continue to look for unintended consequences and the marginal risks of such systems as those systems get fielded and interact with one another. A large number of activities are underway within the aviation community to proactively address future safety issues with new technologies, processes, and policies. The present analysis confirms the focus of many of the safety initiatives underway and adds a supplementary perspective with detailed issues that may warrant further evaluation.

In the next several months, the FAST will be working with the European Commercial Aviation Safety Team (ECAST) and the JIMDAT to develop an improved methodology to identify future hazards as well as make reliable estimates of the outcome risk of implementing future technologies, procedures, and practices. This improved approach will be based on a novel fusion of best-of-breed safety assessment techniques used by various organizations. In addition, discussions are taking place regarding FAST assistance in fleshing out prognostic sections of Safety Management System (SMS) processes.

The FAST is committed to the generation of work product usable by organizations sending representatives to the FAST. This output may take the form of either detailed safety analyses or improved predictive safety methods. The FAST will only be sustained if organizations participating in the team see value added.

10 FAST_SE_Report_11017011_final.docx

Introduction and Background

In August of 2009, the Future Aviation Safety Team (FAST) embarked on an evaluation of key elements of the safety plan developed by the Commercial Aviation Safety Team (CAST). These elements known as Safety Enhancements (SE) were subjectively assessed for the change in their effectiveness when projected into the future.

In an effort to evaluate the continued effectiveness of the CAST safety plan, the co-chairs of the Joint Implementation Measurement Data Analysis Team (JIMDAT), Jay Pardee, Federal Aviation Administration, and Paul Russell, The Boeing Company, called for re-activation of the FAST in early 2009. The team was in the midst of a two-year period of inactivity (May 2007 until August 2009) in the wake of the dissolution of the European Joint Aviation Authorities (JAA), the previous sponsor of and initial driving force behind the FAST. Certain responsibilities taken onboard by the JAA, namely the domain of future aviation safety, were not immediately embraced by its successor, the European Aviation Safety Agency. However, the FAST became an associated team of ECAST in Europe upon approval of the 2007 Terms of Reference by the European Commercial Aviation Safety Team. With the recently endorsed European Aviation Safety Plan, Emerging risks has been identified as one of the important issues in the plan. It has been recognized that FAST could play an important role. The 2009 re-start charter from the JIMDAT is contained in Appendix A.

A series of six meetings of the multinational FAST were held starting in August of 2009 to perform the evaluations of important Safety Enhancements selected by the JIMDAT. The meetings alternated between venues in the U.S. and Europe. A list of FAST participants is shown in Appendix B. Over the course of these meetings, a methodology was developed, safety enhancements were assessed, and conclusions were reached. Because of the importance of accurate characterizations of the near-term future to the safety assessments, throughout this period the FAST continuously refined and updated its list of Areas of Change (AoC) originally developed at FAST workshops in 1999 and 2000. Areas of Change are defined as a consensus set of known change phenomena in the future that may affect the safety of all domains in aviation. The AoC list used for the present analysis is shown in Appendix C.

This report details the assessment process, highlights the major vulnerability and benefits findings, and offers suggestions for items to monitor and evaluate going into the near-term future.

11 FAST_SE_Report_11017011_final.docx

Assessment Process

The following diagram illustrates the process used to perform the safety vulnerability assessments of the CAST Safety Enhancements (see figure 1). Details of the five elements of the process are described in the following sections.

Figure 1 – FAST SE Assessment Process

Selection of Safety Enhancements In response to queries from the FAST, the JIMDAT provided a list of twenty CAST Safety Enhancements that were of special interest. In October of 2010, the JIMDAT directed the FAST to provide safety evaluations of only the first fourteen SEs and stop work on the remaining six in order to focus on development of a next-generation prognostic methodology. The fourteen SEs addressed key categories of worldwide fatal accidents including Controlled Flight Into Terrain, Loss of Control, Icing, Runway Incursions, and Proactive Safety Programs. The Safety Enhancements addressed domains such as standard operating procedures, training, proactive safety programs, human factors, maintenance, design, and aircraft technology systems.

The following CAST Safety Enhancements were analyzed by the FAST:

• LOC o 26; LOC Policies and Procedures, February 2003 o 30; LOC Training – Human Factors and Automation – One Project, May 2006 o 31; LOC Training – Advanced Maneuvers and Flight Training, February 2003 o 34; LOC Displays and Alerting Systems – New designs (1-2), February 2003 o 85; LOC Vertical Situation Display (Output 1), February 2003

• CFIT o 1; CFIT TAWS – One Project, August 1999 o 2; CFIT SOPs – One Project, August 1999 o 12; CFIT Prevention Training – One Project, September 1999 o 120; CFIT - TAWS Improved Functionality, February 2003

• Icing o 39; LOC Basic Airplane Design – Icing (4-5), February 2003 o 133; RR - Icing - Turboprop Aircraft Ice Detection Systems, October 2007

• Runway Safety o 60; Runway Incursion Pilot Training, February 2003

12 FAST_SE_Report_11017011_final.docx

o 183; Wrong Runway Departures – Cockpit Moving Map Display and Runway Awareness System, February 2003

• Proactive Safety Programs o 10; CFIT Proactive Safety Programs (FOQA + ASAP), August 1999

The following Safety Enhancement were not evaluated for reasons described above and are not part of this report: o SE 6, CFIT PAI – RNAV 3-D Instrument Approach (PAI 13-22) o SE 7. CFIT PAI – RNAV RNP Instrument Approach Procedures (PAI 23-27) o SE 8. CFIT PAI – XLS (ILS, MLS, GLS) (PAI 28-30) o SE 18; ALAR Maintenance Procedures – Subcontractor Guidance o SE 23, ALAR Flight Crew Training – One Project o SE 131. RR - Cargo - Safety Culture

Updating Areas of Change List In order to perform detailed assessments of the SEs, the AoC descriptions list created in 1999/2000 was updated. Related AoCs were consolidated, those no longer valid were removed, and new AoCs reflecting emergent phenomena were added. The FAST core team decided to regularly update AoCs at working sessions outside of the six FAST meetings in order to accelerate the schedule. The original list of 191 AoCs plus the 15 new AoCs was consolidated into a final list of 101 Areas of Change used for the Safety Enhancement evaluations (See Appendix C). The AoC list is continually updated, the current list can be found at www.nlr- atsi.nl/fast under the tab “Results”. A subsequent update is in progress in preparation for the next phase of FAST activity.

Ranking of Safety Enhancements for Vulnerability to AoC Phenomena Using the updated AoC list and focusing on the future 3 to 5 year time horizon, each of the SEs was evaluated for the positive and negative effects produced by each AoC, based on expert judgment. In addition to the ranking process, the team also recorded notes describing the rational associated with the numeric rating.

To answer the question: “How will this Area of Change affect the particular Safety Enhancement and/or render the controls provided by this Safety Enhancement ineffective?” the team used a five-tier rating scale, -2, -1, 0, +1, +2. If the AoC was judged to significantly reduce the effectiveness of the SE, then a -2 rating was assigned. If there was only a small negative effect on the SE, then it received a -1 rating. If the AoC significantly enhanced the performance of the SE, then a +2 rating was assigned. If there was only a small positive benefit to the SE, then it was assigned a +1 rating. A zero rating indicted a neutral effect on the SE under analysis.

In some cases, the team felt that there could be both negative and positive effects of the Area of Change on the Safety Enhancement. In these cases, both positive and negative numeric ratings were assigned.

13 FAST_SE_Report_11017011_final.docx

Populating SE Vulnerability Assessment Templates To facilitate the development of explicit safety vulnerability descriptions, the team developed an assessment template. This template contains: • Summary Information from the SE Detailed Implementation Plans (DIP): description for each SE from the CAST, the date of approval of the SE, the risk description, risk mitigation plan, and the current status of implementation. • Relevant Areas of Change: including the AoC number, AoC title, and AoC description plus the detailed SE vulnerabilities. These vulnerabilities are grouped by the following rankings: Very Vulnerable (-2), Somewhat Vulnerable (-1), Both Somewhat Vulnerable and Somewhat Beneficial (-1, 1), and Both Very Vulnerable and Very Beneficial (-2, 2). Within each rank group, the AoCs are listed in ascending numeric order not by relative importance. • Nature of Vulnerabilities: including major themes and topics and the associated AoCs. • Major Interaction Effects: highlighting interrelationships among Areas of Change that may intensify the effect of the identified vulnerabilities. • Near-term Changes to Baseline Risk or New Vulnerabilities: outlining the more near- term risks (3-5 year) in which the JIMDAT was especially interested. • Longer-term Changes to Baseline Risk or New Vulnerabilities: outlining the risks that are on a horizon beyond five years. • Precursors, Watch Items, and System-wide Measurements that Could Indicate Vulnerability: listing possible indicators and data sources to monitor for the emergence of the AoC and/or the emergence of an identified vulnerability

The completed Vulnerability Assessment Tables for each SE based on the template are attached in Appendix D.

14 FAST_SE_Report_11017011_final.docx

Safety Enhancement Vulnerabilities, Benefits, and Watch Items

The primary focus of the evaluations for the CAST Safety Enhancements was to determine the potential vulnerability of the SEs to future phenomena. This section describes the identified vulnerabilities from the analysis by the FAST. During the SE assessment process the FAST team also identified future phenomena that may have beneficial effects on the SEs. The results are grouped by category: LOC, CFIT, Icing, Runway Safety, and Proactive Safety Programs.

The final element of each section is a set of Watch Items: safety indicators that could be monitored by the aviation community. These indicators point to whether or not a particular future is emerging or whether the leading indicators are pointing to emergence of a particular vulnerability. The Watch Items identified in each of the following five sections were synthesized from those identified in the original individual CAST Safety Enhancement assessment tables and do not reflect them verbatim.

Risk managers within Safety Management Systems (SMS) may benefit from the Watch Items listed in subsequent sections of this report. While SMS will be the next great revolution in safety assurance, the quality of SMS indicators plays a crucial role in the effectiveness of these new safety management processes. Safety performance indicators used within SMS should not selected because they are readily available, but rather they should be evaluated for their relevance to a critical monitoring requirement. These indicators should have external validity, be valid for the construct under consideration, be sensitive and reliable ii . Hollnagel lists the following criteria for performance indicators: they should be 1. Objective, 2. Available, 3. Quantitative or capable of simple quantification, 4. Meaningful in their own right, and 5. Compatible with existing programs. iii These indicators should be leading rather than lagging.

Loss of Control (LOC) The Loss of Control category includes 5 SEs: • 26; LOC Policies and Procedures, February 2003 • 30; LOC Training – Human Factors and Automation – One Project, May 2006 • 31; LOC Training – Advanced Maneuvers and Flight Training, February 2003 • 34; LOC Displays and Alerting Systems – New designs (1-2), February 2003 • 85; LOC Vertical Situation Display (Output 1), February 2003

LOC SE Vulnerabilities and Benefits The interactions among shifting pilot demographics, changing pilot training, increasing crew responsibilities introduced by modern air traffic control systems, increasingly integrated aircraft systems, and enhanced pilot-aircraft interfaces may combine to create new risks in the implementation and effectiveness of these five SEs.

The commercial pilots of tomorrow will generally have civilian aviation training and experience, This means that the trend toward fewer airline pilots having military experience that began decades ago will continue into the future. The military services extensively screen their candidates and are generally required to have a four-year college degree before being accepted

15 FAST_SE_Report_11017011_final.docx

into pilot training. Once accepted, military training provides intense and rigorous classroom academic instruction as well as in-depth flight instruction that takes over one year. Additionally, pilots today coming from non-military backgrounds often do not have the challenging experience of their predecessors on which to build (e.g., flying corporate, night freight, or flight instructing) before being hired at entry-level, or regional air carriers. Where these new pilots have been exposed to and are comfortable with automation and technology, they are also potentially more prone to overdependence on these aids and potentially less resilient when emergencies arise. These demographic changes require a new focus on standardization and professionalism training and even some fundamental flying skills. The previous training programs based on the assumption of more experienced pilot candidates will not be sufficient; “one-size-fits-all” training is ill suited to the task iv .

With operational changes such as decreased separation standards and self-separation coming down the pipeline, higher expectations will be placed on flight crew. These added pressures increase the need for training and practice in high workload situations. This will be especially important for the newer generation of pilots who may have a smaller number of flight hours upon hiring by an airline than pilot recruits of the past. Proposals are being formulated to require a much higher number of minimum flight hours for First Officers than in the past 1, but there is limited consensus that these measures will achieve the desired effect. This regulation would have no effect on selection of the crew involved in the recent accident (Colgan Air 3407) that spawned this requirement.

Currently, there are few paths leading to an ATP rating. One is to work as a First Officer for a regional airline until reaching the required 1500-hour minimum. Another is accumulating hours during military service. With the significant reductions in military pilot numbers due to fewer military fighter aircraft and the use of Unmanned Aerial Systems, this option is becoming less viable.

Moving into the future, flight training organizations and Flight Crew Licensing (FCL) as the two components of the aviation skills management system must find ways to improve their relationship. Certain flaws exist with the FCL system, particularly regarding type rating and recurrent training. Entry into service of the earliest of the fourth-generation aircraft was not as smooth as expected. Training for new types was essentially based on traditional training designed for the second- and third- generation types. Compulsory requirements for type and recurrent training need reviewing, particularly in the light of increasing reliability and systems capability. Mandatory requirements must not be simply a “check-the-box exercise." v

Regulations are evolving to cope with this phenomenon. For example the symposium on the Next Generation of Aviation Professionals sponsored by the International Civil Aviation Organization (ICAO)vi addressed some of these issues. Operational suitability data (OSD) and competence based training (CBT) is not based on a fixed number of flying hours, but relies on a "job task analysis", under which observable performance criteria must be achieved by the student pilot. The competency development process is continuously assessed during the training.

1 Pending FAA actions at conclusion of 36-month implementation window for Congressionally-mandated rule requiring a 1500-hour minimum experience level for all commercial pilots including First Officers

16 FAST_SE_Report_11017011_final.docx

Evidence based training (EBT) calls for a shift from prescriptive training tasks to fleet- and operation-specific training tasks, which are based on a data-driven analysis of fleet- and operation-specific risks. Mandated training should be reviewed to ensure that typical high-stress conditions that have been implicated in many accidents and incidents are included in the curricula.

In addition, mandated training must recognize the variation in risk mitigation strategies among different operators. A training pilot participating in the FAST meetings indicated that for a smaller operator flying routes that involve approaches in high terrain flown repeatedly by their flight crews, the risk of such operations might be quite acceptable because the crews have almost daily experience with the approaches and procedures required for such operations. For a larger carrier whose pilots fly very infrequently into such terrain, the risk of operating into and out of terrain-challenged airports may be unacceptable. Evidence based training must have the flexibility to deal with such differences and not be a one-size-fits-all approach. There can be no universal “job task analysis” valid for all pilots. So while EBT may represent a transformational change in the right direction, it must be implemented carefully and account for changing conditions in the future.

As pressures mount to compress additional content into available recurrent training windows, new computerized training methods will be introduced based on improved understanding of how individuals learn and process information. Additional training will be added to reflect increasingly complex operations and advanced flight deck technologies.

Where the simulation capability within future computerized training will bring a whole new level of fidelity to the training delivery, there is still no substitute for hands-on time in the aircraft. Upset recovery training in actual aerobatic airplanes has been discussed in commercial aviation for years. All military pilots have this experience, yet very few civilian pilots have the opportunity to benefit from this exposure. It is unlikely that in the future, the military will be a significant supplier of skills to the airlines that it once was. This future shift is already evident in more extensive use of remotely-piloted unmanned aerial vehicle (UAV) surveillance and weapons platforms (operated by non-flight qualified individuals) and in cutbacks in the number of future fighter aircraft.

Today, pilot type training is driven by the practical test standards (PTS) requirements for the issuance of a type rating. Type rating training is geared to meeting the PTS requirements and the successful completion of the type check ride. It does not take into account the potential variations within aircraft types. There is also little or no space in the current type rating training curriculum for the addition of recommendations from the National Transportation Safety Board (NTSB) or the FAA that follow in the wake of aircraft accidents. This is especially true for LOC-related training. Most type rating training organizations (TRTO) currently do not offer training of this type. Adding it to the curriculum would introduce significant costs. In order to offer this training, instructors would have to be taught upset recovery, be certified as upset recovery instructors, and a special course would need to be created to give these newly qualified instructors experience in instructing.

17 FAST_SE_Report_11017011_final.docx

There are also minor concerns regarding the lack of standardized policies and procedures covering synthetic training and operating standard operating procedures (SOP) in general. Air Operator Certificate holders should not be writing their own SOPs without consideration for manufacturer recommendations. Much of the effectiveness of LOC guidance depends on its interpretation by individual companies or operators. In addition, airlines are not always compliant with U.S. Advisory Circulars or international equivalents. As an example, airlines can operate in compliance with regulations and yet have less than ideal fatigue policies in place, especially regional airlines. Regulations are evolving to cope with this. Such regulations may not be in place until 2012.

All of these training and demographic changes are taking place as while aircraft fleets continue to be heterogeneous and aircraft systems become increasingly integrated and interdependent. The overall effect of this combination is to provide pilots with an ever-increasing amount of automation, information, and responsibility. On one hand, increased integration allows for increased safety via automatic cross checking of data, potential systems architecture benefits, and weight savings. On the other hand, the essential aspects of the sophisticated behavior of these advanced avionics are difficult for pilots to keep up with, especially with compressed recurrent training. New airplane designs are also trending towards higher performance with less inherent stability thus requiring increasingly sophisticated instrumentation to aid the flight crew as well as a minimal level of manual flying skill should the flight crew need to intervene when automatic systems degrade.

Subtle differences between aircraft configurations may lead to mode awareness errors. These differences may be caused by various factors including: inconsistent software versions, airline mergers combining different fleet configurations, and differences in design between manufacturers. In addition, greater reliance on flight planning software means accurate maintenance data is critical for calculations such as weight/balance and fuel loads. Human factors issues have arisen where inadvertent activation of a function (autopilot) on the ground was a result of changes between aircraft types. The position of the Auto Pilot switch required automation to be redesigned to inhibit the function where no issue was present before. The same issue occurs for pilots transitioning from turboprops to jets.

Another concern identified in the analysis is the amount of information available to the pilot and the increasing integration and complexity of aircraft systems. Increased integration and complexity means that a failure in one system may result in erroneous information propagating to seemingly unrelated systems leading to pilot confusion or degraded performance of flight control systems. Aircraft designers need to assess the ability of the airplane to gracefully degrade to a pilot-operated configuration from more automatic modes. To prevent pilots from becoming overwhelmed and over-reliant on automated systems, the hardware and software will need to be designed to keep the pilot appropriately informed using prioritization schemes or adaptive automation. Some are questioning the need for adding more information as opposed to replacing legacy information with newer information requirements. The JIMDAT should evaluate any efforts to evaluate and remove older equipment and indications from the flight deck as new systems are added and to subsequently evaluate the associated unintended consequences of the removal of these older features.

18 FAST_SE_Report_11017011_final.docx

A special note on SE 34: This SE includes pitch limit indications but does not address pitch rate indications. Recent experience has shown pitch rate indications may be important for inclusion in modern flight decks especially for the next generation of pilots.

LOC-related Watch Items The following Watch Items are suggested for monitoring the effectiveness of LOC-related Safety Enhancements:

1. Monitor trends in responses by the flight crew to key aircraft alerts such as stall indication (stick shaker), traffic collision avoidance system (TCAS), and enhanced ground proximity warning system (EGPWS) to identify if improper responses are on the increase. Also consider correlating this information with pilot demographics and training records. 2. Monitor trends in altitude busts and rates of go-around as an indication of conservative response to deteriorating aircraft energy state, attitude or nearby traffic. 3. Monitor flight path accuracy/energy management performance during approach by long- haul flight crews that execute fewer approaches than short-haul crew. Then conduct a risk assessment comparing auto-land versus no auto-land (manual) between these groups. Consider measures to keep the manual airmanship of long-haul crews at an acceptable level in case manual intervention is necessary when executing auto-land approaches 4. Track implementation and use of vertical situation displays (VSD) in new aircraft that are so equipped and identify whether display and alerting system provided suitable information to the flight crew. 5. Track rates of conflicting warnings and alerts from terrain awareness and warning system (TAWS) and VSD and determine if these systems having similar terrain avoidance functions are creating confusion on the flight deck (Aviation Safety Reporting System [ASRS] reports?). 6. Monitor development of display concepts enabling enhanced recognition of incipient loss of control (proximity to edge of flight envelope, available control authority or engine thrust, etc.). 7. Monitor line operations safety audit (LOSA) data (flight crew performance assessments) addressing flight crew threat and error management of TAWS warnings to identify examples of superior performance that can be reinforced and used as models for training. 8. Monitor number and content of pilot safety reports on situations where flight crew indicated confusion by the information presented or where the information was misinterpreted. 9. In addition to continued monitoring of ASRS and flight operations quality assurance (FOQA) data for increasing instances of rushed and/or unstable approaches, rejected landings and missed approaches, unexpected icing conditions or problems with icing detectors, and flight crew coordination failures, consider correlating these assessments

19 FAST_SE_Report_11017011_final.docx

with aircrew demographics, proficiency, and standardization programs in particular airlines. 10. Conduct regular surveys of the pilot population to assess demographics changes that may indicate the need for revised training methods and content. 11. Determine any significant differences between scenarios in mandated training syllabi and relative frequency of degradation/failure scenarios that are happening in the operational world. 12. Re-examine what should be trained on an EBT/CBT and what in full motion simulators with emphasis on use and type of automation. Assess whether advanced maneuver training in simulators that adequately mimics the vestibular environment for the crew. 13. Identify instances of Air Operator Certificate holders writing their own SOPs and not following what the manufacturer has recommended. 14. Evaluate efforts to evaluate and remove older equipment and indications from the flight deck as new systems are added and to subsequently evaluate the associated unintended consequences of the removal of these older features.

20 FAST_SE_Report_11017011_final.docx

Controlled Flight Into Terrain (CFIT) The Controlled Flight Into Terrain category includes 4 SEs: • 1; CFIT TAWS – One Project, August 1999 • 2; CFIT SOPs – One Project, August 1999 • 12; CFIT Prevention Training – One Project, September 1999 • 120; CFIT - TAWS Improved Functionality, February 2003

CFIT SE Vulnerabilities and Benefits As was the case for the LOC-related SEs, interaction effects make these SEs potentially vulnerable to future phenomena. These interactions include new CFIT-prevention flight deck equipment that in some cases provides redundant terrain information, enhanced graphical presentation of weather information, new air traffic control surveillance, flow, and separation procedures, heavy dependence on a multiplicity of electronic databases, highly integrated aircraft systems, increasing dependence on GPS/GNSS systems for navigation and separation, potential back-door use of non-certified equipment, and the human-factors aspects of the large volume of information new flight deck systems and ATC systems will present to both flight crew and ATC.

Integration of existing TAWS with new Vertical Situation Displays and Assisted Recovery/Traffic and Terrain Avoidance avionics vii that were proposed as early as 2005 must not degrade current high level of CFIT safety performance. Although these technologies may dramatically improve CFIT safety, integrated avionics systems (auto pilot/EGPWS) may cause the aircraft to react in CFIT situations (auto pull-up) without any pilot input or incomplete understanding of the system behavior by the flight crew resulting in “automation surprise.” In a notable recent accident (Colgan Air), the flight crew took inappropriate action counter to the automated systems in the flight deck.

New and supplementary flight deck display systems may create better situational awareness for the crew. Proper prioritization of alerts generated by these systems must be carefully evaluated in procedures development and recurrent training. Interactions and potential conflicts between systems and procedures for use of EGPWS and Vertical Situation Displays that both provide terrain awareness must be must be continuously evaluated as airlines gain in-service experience with these combined safety systems. The EGPWS is a safety net that will be triggered only in the event the flight crew does not follow a safe vertical profile clearing the terrain obstacles. There is a minor risk of flight crew task overload due to new SOPs developed for use of additional flight deck CFIT-prevention equipment and procedures. However, new training methods have the potential to improve pilot performance based on improved understanding of how individuals learn and process information.

The aviation community must be on the alert for potential breakdowns occurring along the chain consisting of database development, data ownership and database approval. Avionics systems are highly dependent on accuracy checks including consistency of waypoint identifiers, frequencies, and altitudes. The integrity of the computerized navigation and performance systems rests on the quality of the flight management computer/flight management guidance system (FMC/FMGS) databases. No single worldwide standard provides unified criteria for the

21 FAST_SE_Report_11017011_final.docx

providers of electronic navigation databases used in flight management systems. Inconsistencies between FMS databases and paper-based approach charts have been known to occur.

Experienced pilots have concerns about the accuracy and integrity of the databases used in on- board flight-critical systems. Currently, radar is the back up. In the opinion of a veteran pilot, this back up will be too casual for the future. There is also a need for effective monitoring of Required Navigational Performance, as well as EGPWS/Terrain displays (also dependent on a database). Where the automation says the plane is and where the aircraft actually is could create a problematic landscape in the future if RNP and terrain depiction displays are not monitored diligently. Fortunately, databases change relatively infrequently and that the changes are for the most part minor. There is normally 28-day FMS database renew cycle. One air carrier has developed a computer-based, database comparison algorithm that has been known to generate mistakes. The flight crew is not responsible for the integrity of the databases but rather the avionics manufacturer or chart supplier (Jeppeson, for instance). In addition to corrupt data, entries by the flight crews will require verification against a database that may not exist in paper form. The Database Harmonization Working Group may be addressing many of these issues.

Advanced automation is taking full advantage of data sharing among what were previously independent line replaceable units (LRU). More integrated aircraft systems may in some cases improve the situational awareness of the flight crew as well as improve the performance of the vehicle. As more flight deck functions are automated there is a high reliance on the integrity and fidelity of the data exchanged among these systems. High and low criticality functions that have traditionally been physically isolated are now sharing computing and data bus resources. Lost or erroneous inputs can result in a cascade of effects on the aircraft. Often, sensors are the lowest reliability components and therefore need to be redundant to obtain the required system safety. Unfortunately, identical sensors are sometimes used to achieve the redundancy. Therefore, sensor failures could produce common cause, single-point failure of multiple devices.

Changing approaches to cockpit warning and alert systems including advanced audio, tactile, and visual warning systems in aircraft cockpits may positively affect crew workload and situational awareness. Better warning systems may improve the performance of the CFIT-related SEs.

Integration of additional flight deck systems such as icing detection and corresponding alerts, VSDs, and vehicle health monitoring systems must be handled with care and be reflected in unambiguous standard operating procedures so that flight crews know how to respond to multiple, additional warning systems. In future high-density traffic situations, this cross checking could lead to a lot of heads down in the cockpit, adversely affecting safety.

Integration of flight-critical safety functions across the air-ground interface must be reflected in both training and procedures. Proper attention to integration and standardization of procedures for near-term implementations of NextGen and SESAR initiatives must be reflected in flight crew training.

Other integration concerns involve the international harmonization of automation functionality for the prevention of CFIT. Training programs are needed to provide flight crew with

22 FAST_SE_Report_11017011_final.docx

appropriate systems understanding to know why and how CFIT-prevention automation from different world regions is behaving in flight. When the electronic flight bag (EFB) is providing near-flight-critical information to the crew, what is the parallel back-up system in the event of a loss of EFB data or hardware failure?

The accuracy and integrity of satellite-based systems used for navigation and separation between aircraft and terrain may be at risk without robust protection systems especially if the incidence of jamming and cyber attack increase in frequency as has been the case with laser assaults on flight crew vision. The FAST is unaware of instances of spoofing or jamming of GPS navigation signals . However, a quick search of the world wide web, reveals a wealth of material on how to jam GPS systems. In the near-term future, commercially available GPS jamming systems may become as big an issue as lasing of aircraft flight decks is today. Because of self-protection systems that are designed to ignore signals low on the horizon, GPS jammers would need to operate from airborne platforms. As is the case with other aircraft and ground systems, GPS- based navigation could be compromised in the near term by increased solar activity 2. A related concern is the integrity of data-links and databases in use throughout the aviation system.

Dependence on the reliability of non-certified equipment (i.e., smart phones and other new personal electronic devices [PED] such as iPads) may become an issue if pilots become reliant on a platform that does not have an inherent safety function. PED applications can offer amazing functionality yet not be certified. This is a safety issue now and increasingly in the next three to five years. Likewise, commercial off the shelf (COTS) products used in avionics and terrain avoidance systems may not have been subject to the verification/validation rigor required to maintain safe, dependable operation of the aviation system. This may be especially important for systems designed to compare the horizontal and vertical position of the aircraft based on GPS technology and the underlying terrain.

Other concerns in the CFIT arena include the consequences of integrating decreased separation standards, limited delegation of separation responsibility from the ground to the flight deck, and procedures for new flight control capabilities such as Assisted Recovery from unusual attitudes and terrain proximity .viii

An increasing number of low-time pilots will be hired into the system in the future. While these pilots may have greater computer fluency as a generation, they need to be armed with deep systems knowledge of how certain CFIT-prevention automation works in order to minimize the probability of flight crew error.

CFIT SOPs will need to be updated. Proper training should provide improved adherence to SOPs. However, ineffective SOPs could introduce new issues.

2 The current Solar Max cycle that will reach its peak in 2013 is within the timeframe of the analysis specified by the JIMDAT. Hardening of airborne and ground assets that have evolved since the peak of the prior 11-year cycle should include allowances for Coronal Mass Ejections that are more likely to occur during this period and their attendant effects on terrestrial systems such as radar, Tower, TRACON, and En Route backup power supplies.

23 FAST_SE_Report_11017011_final.docx

CFIT-related Watch Items The following Watch Items are suggested for monitoring the effectiveness of CFIT-related SEs:

1. Monitor instances of improper flight crew response to TAWS and/or EGPWS alerts and the circumstances the preceded them. 2. Monitor the number of new cautions/warning/alerts being introduced into the flight deck from concepts such as VSDs and Assisted Recovery/Terrain Avoidance flight controls operating independently of the flight crew. 3. Monitor the numeric test scores of individual flight crew training modules rather than whether the pilot simply passes of fails the full suite. Much insight could be gained by trending numeric scores on test modules rather than simply percent of applicants failing. 4. Monitor LOSA performance of flight crew as new technologies are introduced into the flight deck. 5. Look for correlations between flight crew fatigue and low-altitude incidents of loss of control or situational awareness. 6. Monitor for incidents in which flight crew became overwhelmed by flight deck information during events leading up to CFTT or TAWS warnings. 7. Monitor reports for out of date databases and GPS-based navigation systems failures 8. Look for increasing rates of single-point, common-cause failures of sensors and/or data corruption propagating more widely than expected in aircraft systems. 9. Appropriate entities should determine how PEDs are being used in the flight deck and how frequently. 10. Laser assault on the eyes of flight crew often occur when the aircraft is at low altitude and in close proximity to terrain. For these reasons, the industry may want to investigate the feasibility of passive laser filters build into or applied as an overlay on flight deck windows. 11. Monitor effectiveness of international harmonization efforts for flight-critical SOPs.

24 FAST_SE_Report_11017011_final.docx

Icing SEs The Icing category includes 2 SEs: • 39; LOC Basic Airplane Design – Icing (4-5), February 2003 • 133; RR - Icing - Turboprop Aircraft Ice Detection Systems, October 2007

Icing SE Vulnerabilities and Benefits

The increasing pressure to operate more efficiently may have a negative effect on the Icing SEs. Safety vulnerabilities may increase in the future due to possible outsourcing of training, decreasing commitment to icing research, legacy ice detection technologies in older aircraft, and current certification requirements, and both pilot shortages 3 as well as increasing pilot fatigue in certain future operations.

Due to the trend of airlines increasingly outsourcing training and continuing economic pressures, training shortened and compressed may not focus enough on icing detection and avoidance especially if it is shortened and compressed due to economic and regulatory pressures. Additionally, outsource training organizations may not have subject matter experts or additional icing training material to offer the customer to supplement the minimum training requirements in the basic curriculum. Unless carefully implemented and monitored, outsourced training may be cost driven rather than content driven. Shortened and compressed training may miss more frequent routine failure scenarios in favor of rare events that are required by regulators. Frequently, mandated training does not address typical high-stress conditions that have been implicated in accidents and incidents. Even minimum hour requirements for flight qualification do not guarantee that pilots encounter key flight conditions and associated decisions that must be managed well to head off an accident.

A continued commitment to icing research is needed as new composite aircraft are manufactured. Legacy ice detection systems may not provide the same benefit on newer, composite aircraft because of the different thermal characteristics of composite skin compared with aluminum. Research is also needed to understand emergent phenomena such as high- altitude engine icing.

In the wake of the Roselawn, Indiana accident (Simmons Airlines 4184), studies were conducted to evaluate the effectiveness of deicing boots as a function of their percent-of-chord coverage. A key member of the FAST was deeply involved in the aftermath of the Roselawn investigation, especially investigating the consequences for other aircraft such as the Fokker F27 and Fokker 50 aircraft. He eventually went back through research studies though dating from the 1940’s, which are still relevant to prevent future icing-related accidents. Early ice-expulsion systems covered only the first 5% of the leading edge of the wing. Such was the reason for some of the poor performance of then-day aircraft in icing conditions. Systems configured like this are still flying today. One solution to this performance issue is to extend the deicing boot much farther

3 With the onset of the proposed1500-hour minimum rule in the US, the chances of a pilot shortage are real. Successfully accumulating that many hours on either one’s own resources on the low salaries being paid to flight instructors or cargo pilots will be difficult.

25 FAST_SE_Report_11017011_final.docx

down the chord (i.e., 15%) on the upper surface and up to 10% coverage on the lower surface. While the latest certification requirements, Advisory Circulars may eventually lead the applicant for new aircraft to arrive at boot chord lengths commensurate with Kelly Johnson’s 1940 findings, the fact remains that this will leave at least several thousands of commercial and business aircraft certified to older requirements. This may result in continued operation of aircraft with reduced margin of safety. This should also be viewed against two observations: 1. That most boot systems are not very tolerant to late activation and 2. That practical pilot knowledge on icing phenomena is minimal at best but certainly leaves much to be desired. The FAST believes that reviewing the designs of the flying fleet, especially against known occurrences and what has been done already to improve safety is the logical thing to do. A typical case in point has been the recent decision by Federal Express that contracted with modifications provider Yingling Aviation to install glycol-based TKS ice protection systems built by CAV Aerospace and Garmin G600 avionics in its fleet of more than 250 Cessna 208 Caravan cargo aircraft.

Current technology ice detectors may not give sufficient time from ice accretion to detection. Therefore pilots may not have enough time for appropriate action to mitigate icing encounter for certain icing conditions. The large number of different icing encounter procedures for an aircraft type, may lead to minor confusion from one aircraft type to another. This is especially difficult because there can be a number of different V speeds from one aircraft to another. Inequalities in crew selection/training along with changing airmanship and shortened/compressed pilot training may create challenges in training for an appropriate selection of airspeeds and aircraft configurations that are essential for safe flight in icing conditions.

Current anti-ice or de-icing systems are vulnerable to severe icing conditions; fundamental recognition of icing limits for the aircraft are not easy to evaluate for the crew. As system complexity increases in the future, unrelated systems may react in a way that the pilot may not be able to properly interpret. Increasing reliance on automation and introduction of new training methodologies will require an increasing need for performance validation and self-checks of ice protection systems. Because certification requirements deliberately stay away from prescribed solutions (design, operation, maintenance, certification), implementations may differ from one aircraft to another. This makes successful translation from one aircraft’s proven ice detection/mitigation system to another aircraft challenging at best. Anti-icing/de-icing systems are very sensitive to design and certification margins and in severe conditions, not human-fault (late activation) tolerant.

Pilot shortages and the changing age limitations for pilots will require those pilots flying to spend more hours flying, potentially introducing a fatigue issue. Pilot decision making in icing conditions may be compromised by fatigue especially at the end of flight duty times.

The future evolution of weather monitoring and probabilistic prediction systems (i.e., advanced supplementary cockpit weather information systems) will allow aircraft to identify, and then fly routes that have the most favorable weather. As this technology expands in use, the density of these routes may rise accordingly and may reduce safety margins by routes intentionally flown closer to adverse weather.

26 FAST_SE_Report_11017011_final.docx

New, certified weather displays will also make it possible to decrease CFIT risk by identifying safer routes to fly. Overconfidence in these weather displays may result in pilots flying closer to regions of adverse weather if training and SOPs don’t clearly spell out appropriate limits for weather avoidance distance and penetration. With the onset of required navigation performance (RNP) approaches and area navigation (RNAV) departures at airports located in higher terrain or limited radar areas, EGPWS functionality may be vulnerable.

Icing-related Watch Items 1. Survey de-icing boot lengths in incidents and accidents and determine if there is a need for modification of certification guidelines. 2. Monitor deployment rates and effectiveness of air heated, electrically heated, electrical impulse de-icing and other leading edge anti-ice technologies. 3. Monitor airspeeds and aircraft configurations during icing conditions to determine if flight crew are monitoring and responding appropriately. 4. Monitor in-flight upsets, roll excursions, and buffet during flight in icing conditions as well as crew failure to recognize natural stall behavior with ice. 5. Monitor use of the NLR-developed “Scoring Algorithm for Flight Crew Intervention Credit in System Safety Assessments”, ref FAA report AR08-45, dated Nov 2008. 6. Review the emergence of improved training and knowledge tools actually reaching the pilots that fly today’s aircraft, in an effort to reduce or eliminate late activation. 7. Monitor deployment of electrically heated leading edge anti-ice boots. All electric aircraft may be fitted with new technology de-icing (e.g., electrical impulse de-icing) or electrically heated leading edges (e.g., using Glare [AoC 09]), the characteristics of which are not fully understood in an operational environment.

27 FAST_SE_Report_11017011_final.docx

Runway Safety SEs The Runway Safety category includes 2 SEs: • 60; Runway Incursion Pilot Training, February 2003 • 183; Wrong Runway Departures – Cockpit Moving Map Display and Runway Awareness System, February 2003

Runway Safety SE Vulnerabilities and Benefits

The interaction of changes in training with the introduction of new technologies, outsourced training, and the heterogeneity of aircraft and airports may create negative effects on the Runway Safety-related SEs. Systemic vulnerabilities may arise from the appearance of historical pilot errors when using new safety technologies especially when newer technologies are implemented alongside legacy safety systems. The community must be alert for the minor problems that arise when pilots who have been subject to recurrent training in which more material has been compressed into existing sessions operate these newer safety technologies. This complicated problem may be further compounded by a shortage of experienced pilots.

Introduction of new training methodologies for operation of advanced aircraft will lead to the following benefits: • Advanced training delivery systems that meet future staffing and training requirements • Cost-effective new equipment training guidelines and procedures. • Integrated team training for all aviation operations. • Training for mixed fleet and multi-cultured crews. • Remediation of skill decay for diagnostic and complex operational tasks.

Training flight crews to utilize moving map displays and runway awareness systems should be a top priority. Training and SOPs for Runway Safety should include unexpected and less likely failure modes 4.

The sustained growth in air traffic and limitations in existing airport infrastructure have in recent years has led to the development and standardization of future advanced surface movement guidance, control, and management systems. The objective of the technologies is to increase the traffic-flow capacity at airports, while maintaining the required safety level.

New technologies such as moving map displays allow for increased situational awareness. The much more accurate positioning of aircraft due to GPS/GNNS technologies may provide more accurate separation and flight path management, but also may require changes to existing procedures. In the future, on-board systems may possibly be updated automatically when the

4 In November of 2011, the Air and Space Academy is convening an international conference on enhancing pilot training for air transport aviation. The event will focus reducing human risks arising from unexpected operational situations as referenced throughout this report. The FAST endorses this effort to correct existing deficiencies and to anticipate changes needed in the commercial pilot profession in coming decades. This conference shares many common concerns with the regional congress of ICAO’s New Generation of Aviation Professionals (NGAP) held in December 2010. The present report identifies a wide range of specific safety concerns that should be addressed during the Air and Space Academy conference.

28 FAST_SE_Report_11017011_final.docx

aircraft arrives at the gate; (e.g., the most recent moving map is uploaded). If it works, this is an ideal situation.

Introduction of new technologies will need to be reflected in the training and SOPs for runway incursion. As aircraft are equipped with more complex and integrated equipment, training needs to be commensurate with the level of complexity. This is important regardless of the source of the training. Airport and aircraft heterogeneity could create vulnerability.

Although a limited number of airports are equipped with Runway Safety equipment (ASDE, ASDE-X, Runway Status Lights, etc.), future aircraft systems should be designed to take advantage of safety enhancements provided by these systems. An effort should be made to equip all towered airports with a common system. Aircraft and aircraft systems designed with runway safety technologies could also be of a common design to allow pilots to be familiar with one system in multiple types of aircraft.

Legacy and future aircraft won’t be equipped with the newest equipment overnight. New and old technologies will be utilized, possibly in the same aircraft, for the foreseeable future. These differing systems will need to work harmoniously to provide flight crews maximum safety on the airport surface.

Recording of cockpit video and audio data may permit enriched replay of key flight events related to runway safety, encouraging more crew interaction during debriefing, analysis, reflection and self-discovery. These technologies may offer additional insights to airline Flight Operations Quality Assurance (FOQA) staff or accident investigation teams. On the other hand, flight crew may perceive such systems as invasions of privacy and could result in reduced dialog and situational awareness.

Older and younger pilots may adapt to new technologies in different ways. Training for these technologies should be tailored to the individual pilot groups. A pilot shortage, longer duty times, and fatigue may have small adverse effects on training for use of these new technologies.

There is an increasing need to monitor incident and accident precursor trends and identify non- standard performance. Hardware and software tools to monitor performance of aviation systems are being introduced to fill this need. While these new systems can help to identify what happened, they may not be able to identify why things happened. In the future a balance between computer and human analysis will need to be refined.

29 FAST_SE_Report_11017011_final.docx

Runway Safety-related Watch Items 1. Monitor for instances of GPS, database, map-shift, and other errors observed during use of moving map displays. 2. Monitor rate of runway incursion/excursion for aircraft with and without moving map and/or runway awareness system and analyze training background and demographics of pilots involved in these incidents, if possible. 3. Monitor the rate of runway incursion incidents at specific airports, by aircraft equipage, and by pilot experience/training to discover vulnerabilities associated with an airport, equipment, or training. 4. Track implementation rate of cockpit moving map display and runway awareness system by make/model/type of the system. 5. Monitor training curricula as offered by training organizations for increases in scope and depth compared with time set aside by the airline for training in runway incursion prevention. 6. Monitor number of pilot safety reports of situations where flight crews are overloaded with information.

30 FAST_SE_Report_11017011_final.docx

Proactive Safety Program SE The Proactive Safety Programs category includes 1 SE: • 10; CFIT Proactive Safety Programs (FOQA + ASAP), August 1999

Proactive Safety Program Vulnerabilities and Benefits

Proactive safety programs such as the FAA Aviation Safety Information-sharing and Analysis System in the U.S. will be especially vulnerable to a variety of near-term future phenomena. As has been the case in the majority of the FAST findings, it will be the unintended interactions of a variety of phenomena that may weaken the effectiveness of proactive data-analysis activities. Examples of these phenomena include: challenges in implementing Safety Management Systems across multiple organizational levels, loss of input data sources due to economic, legal or environmental conditions such as labor relations, devising analytical methods that are robust in the face of disparate database formats and content, filtering of erroneous sensor outputs, integration of legacy and modern data archives, and the inability to identify the weak signals of impending problems in the large data sets that continue to be generated.

While Safety Management Systems (SMS) may provide enhanced management of safety risk within an organization, breakdown in the effectiveness of feedback and assessment mechanisms in future SMS implementations within an air carrier may adversely affect CFIT risk ix . 1. A potential risk in the implementation of SMS is an inconsistency between current SMS practices. In the future, the safety environment may drift away from the conditions under which the SMS was originally developed and approved. 2. The effectiveness of an SMS depends not only in the content of the SMS policy document itself but how each element gets implemented. An effective SMS must be integrated in an organization’s processes and all its supplier inputs to those processes, fully promoted by the management, and executed by every employee. The safety policy, understood by all stakeholders, will act as a catalyst for positive change. 3. The effectiveness of SMS implementation is heavily dependent on provision of corporate resources for effective training in use of SMS principles including assuring that there are a sufficient number of personnel with the required commitment and skills to implement an SMS. ICAO hopes to achieve an Initial Operational Capability for worldwide SMA by 2012, but implementing organizations may underestimate the challenges of both changing their safety culture as well as implementing the required safety indicator feedback and analysis systems. Related challenges include identifying the unexpected organizational policy interdependencies between SMS being adopted among government agencies and across regulatory/industry boundaries.

There are misconceptions of what an SMS is. Within healthy organizations it is not a separate system and will not be developed that way (that is the view held by ICAO). It is understanding how all the good safety processes developed over the decades contribute to maintaining safety of the product and operations, correcting ones that don't work well, getting all levels of an organization fully engaged, and constantly monitoring the processes (data) that identify safety breakdowns. All organizations right down to the smallest aviation supplier can benefit from

31 FAST_SE_Report_11017011_final.docx

SMS if everyone understands it and simply outlines what everybody knows are the right things to do but sometimes don't get implemented or shared.

Loss of input data sources due to economic, legal or environmental conditions (labor relations) could dramatically reduce incentives to share information. This finding confirms the High Risk as evaluated by the CAST. The legal liability of reporting and storing data has already affected flight data sharing and voluntary reporting program. The legal liability surrounding the reporting and storing data has already affected FOQA/ASAP programs and considerable effort from the FAA was required to maintain the participation of key stakeholders. Every accident involving a participant airline will threaten FOQA/ASAP programs until a positive precedent is set regarding the collection and use of the data. If permitted by labor agreements, recording of cockpit video and audio data may permit enriched replay of key flight events, encouraging more crew interaction during debriefing, analysis, reflection and self-discovery. These technologies may offer additional insights to airline Flight Operations Quality Assurance (FOQA) staff or accident investigation teams.

The use of U.S-centric FOQA/ASAP data may mask important trends happening in other world regions. Other geographic regions may have safety vulnerabilities that aren’t appearing in U.S. operations. These non-U.S. trends may however be leading indicators for emerging system-wide issues.

The increasing availability and improved quality of incident and operation data may improve the decision-making ability of risk managers, but the new data environment requires new methodologies, processes, and tools. Many airlines and authorities have found that computer- aided scanning and analysis of digital and discrete data on a routine basis to be a powerful safety tool by identifying exceedances, atypical flight signatures or reduced margins and assisting the safety risk managers, domain experts, and field practitioners in understanding the causes. The changing data environment may also bring new issues to light. However, risk managers may be overwhelmed by data, the information may be "hiding in plain sight" or the necessary data may not be reaching the appropriate parties. The large variety of sensor outputs and file formats will create an increasingly challenging analytical environment. It will become increasingly difficult to identify system-wide trends in heterogeneous datasets. Heterogeneous equipment and the emergence of new highly integrated ground-based and aircraft-based systems are potential sources for this added complexity. An effective proactive data analysis capability demands that erroneous sensor output be detected and removed from the data stream or flagged prior to application of analysis software. Increased complexity and heterogeneity of data will require advance analytical capabilities within the assessment platform.

The largest impact on the effectiveness of this SE will come from criminalization of errors made by aviation systems participants. This is happening now in Europe. Legal issues will increasingly prevent data sharing among organizations. Reluctance to record and archive safety data now and in the future persists because of the risk of legal use (discovery of data) after incidents and accidents. This reluctance is rooted in the “What did you know and when did you know it?” questions that may arise in the course of tort actions. Three elements must be established in every tort action. First, the plaintiff must establish that the defendant was under a legal duty to act in a particular fashion. Second, the plaintiff must demonstrate that the defendant

32 FAST_SE_Report_11017011_final.docx

breached this duty by failing to conform his or her behavior accordingly. Third, the plaintiff must prove that he suffered injury or loss as a direct result of the defendant's breach.

Although English may the international language of aviation, even when pilots and controllers both speak English fluently, there are pitfalls in the nature of language and the ways that language is heard. Improved English language skills will help avoid common types of linguistic misunderstandings. It will also result in better ASAP reports.

Introduction of "global organization" operations concepts could lead to better coordination and harmonization of technical standards and cross audits. Air carriers operating across international boundaries may employ centralized control and coordination of operations and management of fleet operations in order to control costs.

Proactive Safety Program-related Watch Items The following Watch Items are suggested for monitoring the effectiveness of Proactive Safety Program-related Safety Enhancements:

1. Monitor language and terms in new labor contracts with respect to reporter immunity and protections. If the immunity policy is not clear and adhered to by the employer and authorities, data reporting frequency and richness may degrade. 2. Monitor any decreases in reporting of categories of incidents related to recent accidents and associated ligation. A reluctance to report particular categories of incidents associated with enforcement actions may be the key indicator. 3. Monitor trends in legal actions using FOQA/ASAP data legal precedent cases regarding discovery, especially in the United States. This is the “what did you know, and when did you know it” phenomenon. 4. Monitor development of legislation that is protective of safety data. 5. Monitor participation of airlines and associated metrics derived from FOQA and ASAP programs. 6. Monitor participation in and metrics derived from the Air Traffic Safety Action Program (ATSAP).

33 FAST_SE_Report_11017011_final.docx

General Observations The following topics that do not bear directly on the effectiveness of specific Safety Enhancements evaluated by the FAST. Nevertheless, the team felt these subjects and observations were important to include as general information in this report. As a group they convey certain concerns that can be applied in a general sense to many of the Safety Enhancements and future safety intervention and risk mitigation strategies.

New, improved training methodologies will be introduced in the future for operation of advanced aircraft. Current check-and-training systems developed to maintain flight standards on earlier generation aircraft may not necessarily cover all issues relevant to operation of advanced aircraft. The FAST believes research should be pursued to: • define the changing profile of job qualifications needed by applicants • devise efficient methods and tools by which to select qualified candidates without high attrition costs • develop and validate advanced training delivery systems that meet future staffing and training requirements • create cost-effective new equipment training guidelines and procedures • provide integrated team training for all aviation operations • address training for mixed fleet and multi-cultured crews • evaluate and remediate skill decay for diagnostic and complex operational tasks

New training methods have the potential to improve pilot performance based on improved understanding of how individuals learn and process information. Civilian crews may be more open to new technologies in the flight deck than their military-trained counterparts and these new training methods should be tailored to accommodate different backgrounds.

Aspiring airline pilots will be forced to piece together whatever flight time they can such as dusting crops and glider towing (seasonal occupations), flying freight, instructing, and spending their own money renting airplanes to build time. A serious concern developing in the next three to five years is a lack of odd flying jobs offering aspiring pilots opportunities to build the 1500 hours. The average civilian pilot will likely need to pay for his or her own flight time. This quickly gets very expensive, prohibiting many pilots from attaining the required 1500 hours. Those who do attain the required hours may not be willing to work for the $20,000 a year the regional airlines currently pay their First Officers. Airlines operating on very thin profit margins may not be willing to pay these pilots the salaries they deserve. Future graduates may see the cost benefit analysis of being a pilot versus other professions as not economically viable. It is hoped that in the future market forces will adjust to create the necessary pool of trained pilots.

In the future, airlines will continue to be under economic pressures to quickly move pilots from training to revenue generating flights and to make training more cost effective. Both of these pressures will have a compression effect on training programs. Shortened and compressed training may miss more frequent routine failure scenarios in favor of rare events that are required by regulators.

34 FAST_SE_Report_11017011_final.docx

Advanced audio, tactile, and visual warning systems in aircraft cockpits may change crew workload and situational awareness. The ongoing proliferation of caution/warning systems and alerts may overwhelm the flight crew in critical phases of flight. Consideration of prioritization, total workload, prospective memory errors, and required situational awareness must precede implementation of such systems. For both pilots as well as air traffic controllers there will be a limit on the multitasking that is expected of them. It is well documented in the literature that individuals performing several tasks concurrently frequently fail to do one of the essential tasks. These failures have been directly implicated in high-profile fatal aviation accidents. Multitasking expectations are deeply ingrained in modern society, yet these processes are subject to failure 5.

Dependence on the reliability of non-certified equipment (i.e. smart phones and other new Personal Electronic Devices – PEDs - such as iPads) may become an issue if pilots become dependent on a platform that does not have an inherent safety function. PED applications can offer amazing functionality yet may not be certified. Appropriate entities should determine how these devices are being used in the flight deck and how frequently. This is potentially significant safety issue in the next three to five years.

Advancements in technology, changes in pilot demographics, data collection, and data utilization may provide significant benefits moving into the future. New, computerized systems for recording maintenance findings and actions may improve the work environment for field personnel including the portability required to make possible in situ checks and validations by line technicians. Increasing use of composite structural materials may bring benefits outside the safety domain.

A paradigm shift is occurring from paper-based to electronic based tracking of maintenance findings and actions. The electronic format of these data will benefit new diagnostic and prognostic safety analysis tools. This change may introduce new considerations such as: • ensuring quality maintenance on legacy aircraft which were previously paper based but are transitioning to a computerized format • new skill sets required of maintenance personnel because of changing processes, tools, and techniques to support the new computerized systems • assuring task verification • better coordination between maintenance and flight crews

35 FAST_SE_Report_11017011_final.docx

Conclusions

Using qualitative assessment techniques, the Future Aviation Safety Team systematically evaluated each of the 14 selected CAST Safety Enhancements to uncover potential future vulnerabilities or enhancements brought about from anticipated changes within the aviation system. Focusing on, but not limiting the assessment, to the near term future three to five years hence, the effect of each of the updated FAST Areas of Change was determined via consensus discussions among the FAST. From these initial discussions, effectiveness assessments were synthesized including major themes, potentially detrimental interactions, and watch items that may be helpful in monitoring the emergence of these futures and potential vulnerabilities. Detailed findings and recommendations are listed in the narrative text above and in the SE Assessment Tables in Appendix C.

• The LOC category SEs are particularly sensitive to the interactions among key phenomena. Shifting pilot demographics, pilot training that is potentially unresponsive to emergent issues, increasing crew responsibilities, increasingly integrated aircraft systems, and enhanced pilot-aircraft interfaces may present challenges in the implementation and effectiveness of these five SEs. Training issues will be a major factor in the upcoming NextGen/SESAR environment. It is important to keep pilot training at the forefront of pilot performance.

• The CFIT category SEs are sensitive to the interactions among new CFIT-prevention flight deck equipment that in some cases provides redundant terrain information, enhanced graphical presentation of weather information, new air traffic control surveillance, flow, and separation procedures, heavy dependence on a multiplicity of electronic databases, highly integrated aircraft systems, increasing dependence on GPS/GNSS systems for navigation and separation, potential unauthorized use of non- certified consumer electronics , and the human-factors aspects of the large volume of information new flight deck and ATC systems will present to both flight crew and ATC.

• The Icing category SEs may be negatively impacted by increasing pressure to operate more efficiently, continuing quality assurance for outsourced training, legacy ice detection technologies in older aircraft and future certification requirements, and both a pilot shortage and an increase in risk of pilot fatigue in certain future settings.

• A variety of proactive safety initiatives are in progress by ICAO, the FAA, EASA, IATA, IFALPA, EUROCONTROL, Flight Safety Foundation, ACI, and manufacturers. If not carefully orchestrated, these initiatives and the Runway Safety SEs may be somewhat negatively influenced. Non-holistic and not well-integrated approaches to introduction of new technologies, changed and outsourced training, and the heterogeneity of aircraft and databases supporting the world-wide aviation system contribute to these potential effects. Systemic vulnerabilities may arise from the convergence of many different, new technologies.

36 FAST_SE_Report_11017011_final.docx

• The Proactive Safety Program SEs may be vulnerable to the unintended interactions of disparate, well-intended safety initiatives that could weaken the overall effectiveness of proactive data-analysis activities. Examples of these phenomena include: ineffective implementation of future Safety Management Systems intended to aid in the management of safety risk, loss of key input data sources due to economic, legal or environmental conditions such as legal/tort action against data holders and labor relations, analytical methods that are not robust in the face of disparate database formats and content, inadequate integration of legacy and modern data archives, erroneous sensor outputs, and the inability to identify the weak signals of impending problems in the data sets that continue to be generated in exponentially increasing sizes from modern aircraft and air traffic surveillance systems.

The dominant source of vulnerability across all five domains addressed in this analysis is the interaction effects of multiple future phenomena. Therefore, predictive safety assessments of specific technologies, training programs, air or ground procedures appearing in the future as well as changes in personnel demographics or other factors must not be evaluated in isolation from the larger aviation system. It is the opinion of the FAST that future safety problems will arise out of unusual conjunctions of future conditions, decisions, and actions; not simple, single-point failures of particular technologies or people. Unusual future circumstances will be the result of unanticipated interactions of multiple phenomena that if they were to occur individually would be relatively benign.

While many of the identified vulnerabilities in this report are indeed minor when compared with the significant safety benefits of the CAST Safety Enhancements that have been implemented, as a group the vulnerabilities may take on a significance of their own. They provide food for thought and may be useful to safety practitioners who are committed to mitigating unanticipated effects on individual safety improvements from interactions with surrounding phenomena.

One of the principal contributions of the FAST may be to help identify potential sources of drift away from safe operations as a result of well intended but not well integrated safety systems of the future. As Dekker (2005) said…

“All open systems are continually adrift inside their safety envelopes. Pressures of scarcity and competition, the intransparency and size of complex systems, the patterns of information that surround decision makers, and the incrementalist nature of their decisions over time, can make … systems drift into failure. Drift is generated by normal processes of reconciling differential pressures [and future changes] on an organization (efficiency, capacity utilization, safety) against a background of uncertain technology and imperfect knowledge. Drift is about incrementalism contributing to extraordinary events, about the transformation of pressures of scarcity and competition into organizational mandates, and about the normalization of signals of danger so that organizational goals and “normal” assessments and decisions become aligned. In safe systems, the very processes that normally guarantee safety and generate organizational success, can also be responsible for organizational demise. The same complex, intertwined

37 FAST_SE_Report_11017011_final.docx

sociotechnical life that surrounds the operation of successful technology, is to a large extent responsible for its potential [future] failure.” x

Appropriate investment in prognostic safety analysis methods is critical to the future of aviation. The ongoing work of the Future Aviation Safety Team is helping complete the safety analysis cycle that begins with investigation of the historic causes of accidents. It leverages the diagnostic assessment of the current health of the aviation system made possible by advances in data-mining technologies and the ongoing cultivation of an atmosphere of trust and data sharing among aviation system stakeholders. The FAST prognostic approach has identified both potential future hazards as well as evaluated vulnerabilities of current controls on safety risks due to changes in the future.

38 FAST_SE_Report_11017011_final.docx

Future Directions

With the completion of the initial, Safety Enhancement assessment, the team proposes a variety of follow-on activities. As the owner of a prognostic analysis methodology,the FAST needs to move past performing detailed safety analysis on its own and concentrate on development and refinement of a robust prognostic analysis methodology.

Domain experts concerned about the future – by what keeps them up at night – will be able to use this methodology and its associated reference materials to perform their own future safety assessments without major assistance by the FAST. The FAST and its member organizations want a methodology that can be replicated in both general as well as specific settings such as behind the firewalls of a proprietary commercial enterprise or within a government regulatory entity. To move these ideas along, the FAST has been harvesting best-of-breed safety assessment techniques and resources such as the JPDO Capability Safety Assessment (CapSA) method, 3rd generation brainstorming techniques and accident/incident Event Sequence Diagrams produced by the Dutch National Aerospace Laboratory (NLR), and Nancy Leveson’s System–Theoretic Accident Model and Process (STAMP). The FAST will be fusing these and other approaches into an easy-to-use method for predicting future hazards and their associated consequences.

A key ingredient of the process is an extension of the FAST Areas of Change concept to a broader definition of future conditions affecting aviation at key points in time such as 2015, 2020, and beyond. The defined futures documents will address people, equipment, airspace characteristics, the regulatory environment, regional safety challenges, and important factors external to aviation.

Of critical importance in the year ahead is generation of work product usable by organizations sending representatives to the FAST. This output will take the form of higher fidelity descriptions of the future state of aviation, safety analyses or improved predictive safety methods.

39 FAST_SE_Report_11017011_final.docx

Appendices: A. Draft FAST Re-start Terms of Reference from JIMDAT

(Presented to the JIMDAT in 2008 for discussion but not formally approved.)

Background

In 1999 the Joint Aviation Authorities (JAA) JAA Safety Strategy Initiative (JSSI) Steering Group established a dedicated working group entitled the Future Aviation Safety Team (FAST) whose aim was to identify future hazards affecting the safety of the aviation system. As a result of developments in the European Community, the European Strategic Safety Initiative (ESSI) has assumed the functions of the JSSI.

The European Aviation Safety Agency (EASA) is the organizational centrepiece for the European Union's strategy for aviation safety. The EASA mission is to promote the highest common standards of safety and environmental protection in civil aviation. The ESSI exists within the larger EASA organisation. The aim of the ESSI is to reduce the rate of accidents and the fatality risk, irrespective of the volume of air traffic within Europe and for European aviation worldwide.

Within JIMDAT-ESSI, the FAST shall develop a prognostic approach to aviation safety aimed at identifying future hazards and at reducing risks arising from future system changes either within or outside the aviation domain. Under the JSSI, the FAST served as a network of excellence for prognostic safety analysis. It developed a method to identify, prioritise and analyse changes and hazards arising from changes. A JIMDAT-ESSI FAST shall be established to continue development and application of methods for prognostic safety analysis.

Early 2008, it was recognized that FAST should be re-established for a variety of reasons, notably: • ESSI/ECAST would only employ FAST services to assist ongoing SMS work • JIMDAT/CAST is in the process of moving from Historic- to diagnostic safety felt that a prognostic activity was also required, while at the same time felt that some “FAST retooling” would be beneficial.

Vision: Identify possible future hazards to the safety of aviation in order to prevent those hazards from appearing within the future aviation system.

Mission: Enable individuals or organisations and in particular the ESSI, to evaluate proposed changes to the aviation system, identify hazards that may be created by such changes and by interaction effects, and subsequently develop mitigating actions.

Goal: To prevent aviation accidents by eliminating or mitigating future hazards.

Objectives

40 FAST_SE_Report_11017011_final.docx

• Provide and maintain a systematic methodology for discovery of future hazards based upon on-going and future changes either within or outside the aviation system. • Identify and prioritize future hazards and, as appropriate, develop and prioritize recommendations addressing those hazards. • Develop and maintain a repository of Areas of Change (AoCs) affecting the aviation system, potential future operational paradigms, and future hazards. • Ensure FAST prognostic safety approach ties in with other risk assessment processes and activities.

Scope

• Assist all segments of the aviation community in application of the FAST prognostic method to future safety topics of interest. • Develop recommendations to prevent accidents through the application of the FAST methodology. • Enrich and augment existing best practices for risk assessment and risk management traditionally employed in the historic and diagnostic domains for near-term hazard analyses. • Support the work of ESSI and CAST/JIMDAT and its partners.

Governance

The FAST is chartered by and shall report to the JIMDAT and ECAST.

Working Method

• The FAST shall obtain JIMDAT and ESSI approval of new working areas. • Meetings of the FAST will be held at regular intervals and full use will be made of other means of communication to achieve the objectives. • FAST will provide progress reports to the JIMDAT and ECAST, and on completion of tasks, the FAST will provide reports of results. • Expert teams may be created to achieve specific tasks under the guidance of the FAST. • Specific tasking dealing with timelines, resources, etc shall be established for expert teams.

Composition

The FAST is open to members from industry, professional organisations, research organisations, and authorities. Ideally, the FAST members will have expertise in the domains foreseen in the list of AoCs.

The FAST will be co-chaired by a member from the authorities and a member from industry. The co-chairs shall make recommendations to the JIMDAT and ECAST to ensure that the FAST team has sufficient breadth and depth to accomplish its objectives.

41 FAST_SE_Report_11017011_final.docx

Deliverables

FAST is to deliver and continuously improve the following: • A repository of Areas of Change affecting the future aviation system • A handbook explaining the FAST Methodology and guidance material on its application • A standard presentation describing the FAST prognostic safety approach • A repository of potential future aviation paradigms plus the identified hazards associated with them. • Safety Enhancement recommendations • A public web site where FAST information will be maintained

1-Year Work Plan Outline

During this year, the FAST shall: • Update FAST AoC list (November 2008) • 10-year Horizon Futures Study (January 2009) − Looking broadly across the aviation system… − What’s on the drawing board? − What’s been ordered? − What’s the deployment schedule? − Include changes in current business practices − Should not duplicate SESAR/JPDO-NGATS work − Baseline near-term “futures” that are real and concrete. • Output: 25-page white paper describing generally known aviation future in 2019 timeframe • Distant Aviation Futures Workshop (April 2009) • Starting from 10-year Horizon Futures Study … − Identify technology, market, organizational, and regulatory trends that may reflect the future 15-20 years-out − Utilizing best-practices brainstorming, AoC list/interaction analysis and domain experts, predict likely system-level and domain-specific hazards − Formulate range of future hazards and publish for the aviation community − Identify credible failure modes (need details for this to be credible) • Outputs: − Updated FAST methodology and prognostic “best practices” − Probable aviation futures in 2025 -2030 in major domains including possible branch points − Potential system-wide hazards − Potential lower-level, domain-specific hazards • Evaluate year-one activities and determine next steps for prognostic safety analysis • Respond as necessary to requests submitted to the FAST or to the ESSI and JIMDAT for FAST analysis, and • Disseminate the FAST methodology and investigate best practices for prognostic safety analysis, and.

42 FAST_SE_Report_11017011_final.docx

• In order to improve and adapt the FAST methodology, participate in aviation conferences and workshops as appropriate, and. • Update FAST guidance material, and • Update the FAST web site as required • Assess work progress in reference to the ICAO Global Aviation Safety Road Map

Specific tasks by year include :

2007: Go live with the FAST web site; update the 2006 Area of Change list and re-prioritize the AoCs using an appropriate method and a set of safety recommendations combining those from the JSSI/FAST analyses of AC-13 “Increasing Reliance on Flight Deck Automation” and ANS-1 “Emergence of New Concepts for Airspace Management” accomplished via a hazard analysis of EUROCONTROL ConOps 2011 2009: Update 2007 Area of Change list and re-prioritize AoCs using an appropriate method 2011: Update 2009 Area of Change list and re-prioritize AoCs using an appropriate method and submit a FAST transition plan

Follow-On Work

Continuation of the prognostic safety analysis capability will be re-evaluated over the course of the five-year work plan. Long-term institutionalisation of prognostic safety analysis capability is desirable and will permit continued effective response to the ongoing changes affecting the global aviation system. The FAST will present a plan for continuation by the end of 2011.

End of Text

43 FAST_SE_Report_11017011_final.docx

B. List of FAST Contributors August 2009 through December 2010

A. Major Contributors to the Final Report

Andy Marosvari NATCA/IFATCA Brian Smith NASA Ames Research Center Maggie Clark The Boeing Company Michael Kavoliunas Bombardier Rudi den Hertog Fokker Aircraft

B. Meeting participants

Alan Roy Southwest Airlines Alfred Roelen National Aerospace Laboratory (NLR) Allan Dunville Bombardier Amer Younossi FAA/ICAO Andrew McClymott International Federation of Airworthiness Ann Azevedo FAA Chief Scientist for Risk Assessment Clement Audard European Aviation Safety Agency Gerard Guyot Aeroconseil Airbus Jean Pierre Magny DGAC John Colomy FAA Small Airplane Directorate John David Allied Pilots Association John Orme NASA Aviation Safety Program Juliette Avignon French Navy Kent Lewis Airline Pilots Association Maite Trujillo European Space Technology and Engineering Center (ESTEC) Mariken Everdij National Aerospace Laboratory (NLR) Michael Bartron Pratt and Whitney Michel Masson European Aviation Safety Agency Michael Piers National Aerospace Laboratory (NLR) Mont Smith ATA Phil Hosey International Federation of Airworthiness Rich Jones UK Flight Safety Committee Rune Haug Booz Allen Hamilton Sam Morello National Institutes of Aerospace Sharon Monica Jones NASA Langley Research Center Sherry Borener FAA Steve Smith FAA ATO (ret) Tina Beard NASA Ames Research Center

44 FAST_SE_Report_11017011_final.docx

C. Updated AOC list used for Analysis

New AoC Title Description and Explanatory Comments AoC # AoC_1 Introduction of new Improvements to the modern airplane may occur as a result of breakthroughs aircraft types in many fields permitting evolutionary improvements in performance, improved computational capabilities permitting multidisciplinary analysis and design, and use novel ideas to redesign the airplane. Future aircraft should be designed and built to accommodate retrofits that can be made without degrading safety. AoC_3 Changes in design Aircraft manufacturers are moving away from traditional role as responsibility and designer/builder to integrator/assembler. Many modern commercial aircraft design roles among are all new, not derivatives, whereas past experience may be more manufacturing applicable to derivative equipment selection, design solutions and its organizations validation and certification. At the same time manufacturers also delegate much of the design responsibility to partnering companies and equipment manufacturers. This dual development may well result in inadequate transfer of expertise and/or inadequate interface management. Finally, lessons learned from past experience may not be sufficiently covered by FARs and JARs. AoC_5 Introduction of new Operation of Runway-Independent Aircraft (tilt-wing, tilt-rotor, VSTOL, runway-independent airships, wing-in-ground-effect) may have significant effects on safety and aircraft concepts capacity, airspace operations, and ATC systems integration. AoC_6 Introduction of second- Technical feasibility, environmental, regulatory and certification studies for generation supersonic Supersonic Business Jets (SBJ) and follow-on projects may result in product transport aircraft launch decisions by aircraft manufacturers and airline partners. Supersonic aircraft operating at high altitude may expose not only passengers and flight crew to significant radiation levels. Materials such as isotopes of magnesium may accumulate on air conditioning system filters and engine components on airplanes flying above FL400-500 building up to hazardous quantities. AoC_7 Introduction of This class of vehicles may be used as hypersonic transports and satellite hypersonic aircraft launch platforms. Like the supersonic aircraft, the hypersonic aircraft may expose passengers and crew to significant radiation levels. AoC_9 Accelerating scientific Aircraft productivity and efficiency will likely be improved through advances in and technological aircraft aerodynamics, materials, structures, and other disciplines that advances enabling improve performance parameters such as lift-to-drag ratio (L/D), ratio of improved empty weight to MTOW, and specific fuel consumption. Technological performance, increase approaches to the above goals include the use of boundary layer control to fuel economy, and reduce profile drag and parasite drag and the use of new materials to reduce reduced noise structural weight fraction. These technological advances may be sudden and disruptive to aviation operational paradigms and safety. AoC_11 Increasingly Not all aircraft may have the same level of equipage in the future. The heterogeneous aircraft variation in sophistication of digital and electromechanical systems within an fleets (varying individual aircraft type must also be considered. An unavoidable mix of new software, equipment, and reused (legacy) software is a future trend and there may be increasing capabilities, etc.) numbers of regional jets equipped with possibly more advanced avionics than legacy aircraft. This could lead to flight crew confusion and problems maintaining situational awareness.

45 FAST_SE_Report_11017011_final.docx

New AoC Title Description and Explanatory Comments AoC # AoC_13 Increasing crew Increasing flight deck automation has occurred as a result of increased reliance on flight deck workload for the flight crew due to more complex operational environments, automation for flight- aircraft systems and navigation (traffic and weather). In future ATM path management, concepts, responsibility for separation may increasingly be delegated to the separation assurance automated systems of the aircraft. As a result of increased automation, the and terrain avoidance flight crew may be placed in a monitoring role potentially compromising their ability to intervene when necessary. Unfamiliar modes of aircraft automation may result in a perfectly normal flying aircraft suddenly taking on characteristics that the pilot has seldom or never previously encountered. Latent flaws in the displays or primary flight control system may go undetected, because not enough human-in-the-loop testing is performed, and the pilots are not trained about the philosophy of the automation. AoC_14 Increasing reliance on Future vehicle health systems may be based on continuously updated vehicle automated vehicle state matrices derived from networks of multiple sensors. The sensor health management network outputs may be processed by advanced software models systems incorporating the functional characteristics of the vehicle. Such complex systems if used for flight critical functions must be subject to rigorous software certification techniques that may not exist today. AoC_18 Increasing Recording of cockpit video and audio data may permit enriched replay of key implementation of new flight events, encouraging more crew interaction during debriefing, analysis, cockpit reflection and self-discovery. These technologies may offer additional surveillance/recording insights to airline Flight Operations Quality Assurance (FOQA) staff or systems accident investigation teams. On the other hand, such systems may be perceived as invasions of privacy by the flight crew and result in reduced dialog and situational awareness. AoC_19 Emergence of high- Advanced systems such as prop-fans and hydrogen-fueled aircraft and high- energy propulsion and pressure hydraulic systems may be used in future aircraft. The introduction control systems of very large engines for twin-jet application may introduce special operational considerations. AoC_21 Implementation of The future evolution of weather monitoring systems (i.e. advanced advanced supplementary cockpit weather information systems) will allow aircraft to supplementary cockpit identify, and then fly routes that have the most favorable weather. As this weather information technology expands in use, the density of these routes may rise accordingly. systems Dependence on the reliability of non-certified equipment (i.e. smart phones) may become an issue if pilots become dependent on a platform which does not have an inherent safety function. AoC_22 Changing approaches Advanced audio, tactile, and visual warning systems in aircraft cockpits may to cockpit warning and change crew workload and situational awareness. The proliferation of alert systems caution/warning systems and alerts may overwhelm the flight crew in critical phases of flight. Consideration of prioritization, total workload, and required situational awareness must precede implementation of such systems. AoC_27 New demands on Buyer furnished equipment (BFE) is becoming increasingly complex, aircraft systems for especially in-flight entertainment (IFE) systems and seats. Power support of next- requirements, wiring requirements, and effects of internal and external high- generation in-flight energy radiated fields emitted from these systems may place increasing entertainment, and demands on flight-critical aircraft systems and required maintenance business systems procedures. AoC_31 Increasing GA cockpits are becoming more advanced than airliner cockpits. Airline implementation of avionics may resemble advanced GA cockpits in the near future, because it glass-cockpit designs is cheaper to build an integrated cockpit design than it is to build individual in general aviation instruments. Research is required to evaluate ability of general aviation pilots aircraft. to transition effectively among glass cockpit installations supplied by various manufacturers.

46 FAST_SE_Report_11017011_final.docx

New AoC Title Description and Explanatory Comments AoC # AoC_33 Entry into service of These new 5 to 6 seat aircraft will be capable of speeds above 380 knots and small, low-cost Very certified for altitudes in excess of FL410. Further, they are expected to sell Light Jets aircraft for significantly less than competing business jets and are expected to have designs lower direct operating costs. It is not entirely clear what will be the result if these (slower and lighter) VLJs share airways used by larger, faster aircraft. ATC control, wake turbulence, and loss of separation have been mentioned as possible problem areas. AoC_36 Increasing More and more airlines are transitioning from paper to electronic information dependence on services known as Electronic Flight Bags. These capabilities will provide for Electronic Flight Bag electronic distribution and viewing of navigation charts and other information (EFB) for efficient and to be used on the ground in flight operations or distributed to crew members safe operations for on-line viewing or data download. AoC_39 Increasing use of The use of composites will continue to increase in aircraft structure. composite structural Concerns with this trend may include, but not be limited to: materials - Ability to withstand lightening strikes due to unique dielectric prosperities - In-flight stress monitoring techniques - Techniques for effective in-situ inspection and/or testing - Assurance of post-repair structural integrity - Long-term performance of composite materials used in advanced aircraft structures - Crashworthiness - Smoke and toxicity AoC_41 Ongoing electronic There is increasing concern about the susceptibility of line replaceable units component to ionizing radiation as a result of ongoing component miniaturization. Other miniaturization concerns may include power and cooling needs and required physical separation of redundant systems. AoC_43 Increasing Advanced automation is taking full advantage of data sharing among implementation of previously independent LRUs. As more crew functions are automated there highly-integrated, is a high reliance on the integrity and fidelity of the data exchanged. High interdependent aircraft and low criticality functions have traditionally been physically isolated are now systems sharing computing and data bus resources. Software-based isolation and independence is much more "fluid" and difficult to assure than relying on hardware. Lost or erroneous inputs can result in a cascade of effects on the aircraft. Often, sensors are the lowest reliability components and therefore need to be redundant to obtain the required system safety. Unfortunately, identical sensors are used to achieve the redundancy. Therefore, sensor failures could produce a single point failure of multiple devices. Complex systems increase the need for self-checks to verify software for accuracy and integrity. AoC_47 Changing human Increasing understanding of the capabilities/limits of human performance and factors assumptions of best practices for human-machine interaction. Increasing pressure to for implementing augment humans with automated systems and/or decision-support systems automation may characterize future design philosophies. There may be an increasing need to adequately design systems from the start to take advantage of human flexibility and creativity and to augment human abilities and limitations with computers in ground and aircraft systems. AoC_51 Delegation of New approaches to organizational approvals may lead to more and more responsibility from the delegation of responsibility and privileges to the design, manufacturer and regulating authority to maintenance organizations that may lead to inconsistencies in compliance the manufacturing, with the regulations. operating or maintaining organization

47 FAST_SE_Report_11017011_final.docx

New AoC Title Description and Explanatory Comments AoC # AoC_53 Trend toward A growing number of countries have shifted their government-sponsored air privatization of traffic control systems into free-standing corporations directly funded by government ATC airlines and private-plane users. In Germany, New Zealand, South Africa systems and airports and Switzerland, the new companies are owned by governments but operate outside of civil service and procurement rules and outside of most governments' budgets. In Canada, and soon in Britain, the companies are partly or entirely owned by private investors. In all cases, the governments continue as air-safety regulators and may have approval power over user-fee increases. AoC_58 Shift toward The full safety implications of the introduction and interaction of these new, performance-based performance-based systems must be carefully considered. (Examples: solutions and Required Navigation, Communications, Surveillance Performance; RNP, regulations RCP, RSP) AoC_59 Emergence of new The new EASA mission is twofold. It shall provide technical expertise to the safety regulatory European Union by assisting in the drafting of rules for aviation safety in bodies such as the various areas and providing technical input to the conclusion of the relevant establishment of the international agreements. European Aviation In addition, EASA has been given the power to carry out certain executive Safety Agency tasks related to aviation safety, such as the certification of aeronautical products and organizations involved in their design, production and maintenance. These certification activities help to ensure compliance with airworthiness and environmental protection standards. With national authorities being re-organized, there may be a reduction in the quality of oversight. AoC_64 Increased Remote Tower operations will result in reduced staffing of ground personnel implementation of and may result in lower quality guidance/clearance information being Virtual Tower communicated to flight crew from remote tower controllers. operational concepts AoC_65 Increasing likelihood of Following the events of 9/11, there may be an increasing risk that an airliner military action against encountering a prolonged loss of communication will be shot down under civilian aircraft government approved procedures. States and Military are getting more sensitive about suspicious air movements and situations. In Germany, there was a law proposed allowing the military to shoot down aircraft under certain circumstances; the supreme court however rejected this bill. AoC_66 Increasing societal Potential criminal liability may reduce normal incentives to perform research pressure to find that may reveal possible design defects and operational errors. Criminal individuals and prosecution triggered by occurrence reports cause aviation personnel such organizations as pilots and Air Traffic Controllers to be reluctant to file safety reports, thus criminally liable for reducing the possibility of learning from occurrences. A shift of focus from a errors in design and pro-active form of oversight to a culture of blame may cause industry operations members to take a more defensive rather than co-operative attitude towards regulators. Not only does this distract aviation professionals from a major task (i.e. contributing to safety improvements), but it also disturbs the open atmosphere in which industry and authorities jointly discuss safety issues.

48 FAST_SE_Report_11017011_final.docx

New AoC Title Description and Explanatory Comments AoC # AoC_67 Increasing economic Aviation-related businesses have engaged in partnership and outsourcing incentives to form activities for many years, but recently the pace and scope of aviation partnerships and outsourcing has increased. While considerable opportunities exist, outsource businesses need to prepare carefully and take into consideration a plethora organizational of strategic, business, operational and legal issues in deciding what to activities outsource and whether to form partnerships. Added complexity in organizations tends to degrade prior, robust, aviation cultures that were previously based on personal relationships.

This has been seen in: -The outsourcing of aviation maintenance, engineering, and logistics services by nearly every major airline some without robust reporting systems in the outsource organizations. - Increasing US airport reliance on outsourcing a wide range of facilities and services. -The emergence of virtual airlines where aircraft are owned by a leasing company and operated by a separate airline entity -Airlines, IT vendors -Complex industrial partnerships between engine, airframe, component and system manufacturers AoC_68 Introduction of "global Future commercial organizations may consist of geographically distributed organization" functional nodes (under separate ownership) connected electronically with operations concepts one another. The five major global airline alliances now control half of the passenger travel market, according to Airports Council International. Star Alliance, OneWorld, Skyteam, KLM/Northwest have over 50 percent of total world scheduled passenger numbers in 2003 based on ACI and IATA statistics. This could lead to safety problems escaping notice due to lack of coordination. AoC_69 Shift away from direct In a rapidly changing environment an understanding of organizational trends lines of authority and is required to facilitate the choice of more effective management solutions command toward which may involve complicated interactions among people, materials, and distribution of financial arrangements. responsibilities within airlines AoC_73 Increasing complexity There is concern that the complexity of a "System of Systems" will exceed arising from a "System our ability to truly understand its characteristics and mitigate safety problems of Systems" approach produced by the complexity itself. Addressing organizational considerations to the air implicit within a complex, automated system with multiple interacting agents transportation system across highly heterogeneous levels will be a challenge. The civil aviation of the future infrastructure is extraordinarily dependent on computer-telecommunications information systems. Some of the most prominent and widely used systems include those for air traffic control, navigation, reservations, and aircraft flight control. Increasingly, these information systems have become critical to the spectrum of activities in aviation. AoC_78 Increasing availability The increasing availability and improved quality of incident and operation and quality of incident, data may improve the decision making ability of risk managers, but the new maintenance, ATM, data environment requires new methodologies, processes, and tools. Many and operations data airlines and authorities have found that computer-aided scanning and analysis of FDR data on a routine basis to be a powerful safety tool by identifying exceedances, atypical flight signatures or reduced margins and assisting the safety risk managers (domain experts and field practitioners) in understanding the causes. The changing data environment may also bring new issues to light. For example, risk managers may be overwhelmed by data, the information may be “hiding in plain sight", or the necessary data may not be reaching the appropriate parties. Greater reliance on flight planning software means accurate maintenance data is critical for calculations such as weight/balance and fuel loads.

49 FAST_SE_Report_11017011_final.docx

New AoC Title Description and Explanatory Comments AoC # AoC_80 Loss of design, The knowledge of why aircraft are designed as such, how key maintenance is operational, and to be performed, and why the operational rules are as they are is being lost maintenance due to long product design cycle times, extended product life, and increasing knowledge staff turn over. Unforeseen uses of the product (such as operation at higher load factors) also present special challenges in order to maintain safe operations. The longevity of aircraft designs requires access to design records that may only exist in hardcopy or software archives that are not compatible with modern data storage software. Identification of safety- sensitive information within difficult to access legacy data storage systems will remain a significant challenge. AoC_82 Decreasing separation In order to provide increased utilization of the airspace, separation standards standards may decrease between runways, between aircraft, between landing operations, and for vertical separation. The risk of runway incursions may also increase as a result. The reliability of technologies and procedures enabling reduced separation must be assured. AoC_83 Operation of low- Technology in ATM and aircraft is continuously developing with the aim of technology aircraft in becoming safer and more efficient. However, existing aircraft are not ATM environments necessarily updated or reequipped with such new technology. This can lead featuring advanced to a situation where low-technology aircraft are mixed with high technology capabilities aircraft in high-technology airspace. NextGen and SESAR are engaged in ongoing use of automated decision support and enhanced workstation displays to mitigate increased complexity associated with diverse aircraft operating characteristics. Examples of such automation aircraft conformance monitors with flight plan or trajectory. Advanced computer-human interaction (CHI) tools and methods will provide additional information on aircraft capabilities and characteristics not currently found in today¹s flight environment. AoC_85 Potential information There may be an increased requirement for effective and timely shared inequality among decision-making in a multi-agent context (multiple aircraft, ATC, AOC, aviation system automation). Shared decision making requires equality of information of the participants in decision makers. If one of the decision maker’s information is out-dated, situations requiring inaccurate, absent, etc, the decision making process will be flawed. This shared decision- principle applies to tactical (e.g., traffic conflict resolution involving air-ground making and air-air communication) and strategic (e.g., route design) decision making. AoC_86 Increasing amount of There may be increased expectations for aircraft performance and traffic information available situation awareness by ATM personnel. However, most ATC facilities will to ATM personnel require new displays for presentation of these data. This may create potential errors due to lack of effective information integration and monitoring. Too many operational modes may be available in ATC hardware leading to loss of awareness of the system status and mode confusion or distraction. AoC_87 Changing design, The underlying knowledge of why ANS systems are designed as such, how operational expertise, key maintenance is to be performed, and why resulting ATC operational rules and maintenance are as they are is being lost due to long design cycle times, extended expertise involving hardware life, and failure to document and archive design data, initial ANS equipment specifications, test data, and lessons learned. Maintenance expertise is declining because there is a disparity between the requirements for systems maintenance and an adequate number of skilled people maintaining them. AoC_89 Increasing The proliferation of new technologies along side legacy systems may heterogeneity of complicate maintenance, drive up costs, preclude software reuse, increase hardware and software training requirements, and increase the potential for human error. These within the ANS system systems may be characterized by a lack of a unifying technical architecture as well as different or incompatible communication protocols/data formats, and user interfaces. Maintenance of next-generation ground-based hardware and software systems may require greater care and verification once completed.

50 FAST_SE_Report_11017011_final.docx

New AoC Title Description and Explanatory Comments AoC # AoC_93 Increasing reliance on Future air navigation systems will feature international agreement on a "next- satellite-based generation" plan for more efficient communication, navigation, surveillance systems for CNS and air traffic management (CNS/ATM), based heavily on satellite functions technology. The much more accurate positioning of aircraft in the airway due to GPS/GNNS technologies may also require changes to existing procedures. AoC_95 Changing approaches Advanced audio, tactile, and visual warning systems in ATM environments to ATM warning and may change controller workload and situational awareness. The proliferation alert systems of caution/warning systems and alerts may overwhelm the controllers in periods of heavy workload. Consideration of prioritization must precede implementation of such systems. AoC_96 Increasing interactions As all systems become more complex there will be an increasing level of between highly- interaction between ground-based and aircraft-based systems. This automated ground- increased interaction may introduce incompatibilities that may result in based and aircraft greater system development, integration, maintenance, and reduce overall based systems system performance. Variation in design cycle times and implementation schedules between airborne systems and ground-based systems may result in lack of coordinated development. These issues underline the need for the introduction of the increased capacity, flexibility, and security of the next generation of ground to aircraft communication systems. AoC_97 Introduction of artificial Future ATM tools may achieve enhanced functionality using software intelligence in ATM intelligent agents or adaptive automation. The characteristics of these agents systems can differ significantly from most software tools in use today. They may be very complex in function, and may include intent and reasoning systems not well understood by the controller. They may approach a semi-autonomous status in the eyes of those interacting with them. They may have unique, unfamiliar, and unanticipated characteristics and interfaces. This can lead to the potential for error especially if these systems are given limited control of the ATM functions independent of the human. AoC_99 Increasing GPS, digital terrain elevation data, and ground obstacle data may be dependence on incorporated into future FMS databases and airport moving map displays. accurate databases The integrity of the computerized navigation and performance systems rests on the quality of the FMC/FMGS databases. Avionics and airframe manufacturers and regulatory authorities have recognized the potential for entering incorrect data through the FMC/FMGS. The final safety net in the process of checking the accuracy of the database information currently lies with the pilot who should cross-check electronic data against printed data. Future flight guidance databases may have no printed data against which the pilots can cross-check information. AoC_100 Increasing operations As operations of military and civilian UAS in shared military, civilian, and of military and civilian special use airspace increase, critical issues may include: UAS in shared military, - Detection and avoidance of military and civilian UAS in civilian ATM civilian, and special systems use airspace - Increased requirement for coordination and merging of military/civilian/Special Use Airspace - Increasing coordination of crewed aircraft with UAS (civilian and military operators) - Failsafe UAS designs and operations AoC_101 Increasing need to Increased future traffic may require redesigning the airspace or dynamically redesign or altering the airspace boundaries to accommodate variable aircraft equipage dynamically configure and ATC procedures. airspace AoC_107 Increasing pressure for Air carriers operating across international boundaries currently employ centralized control of centralized control and coordination of operations and management of fleet user operations operations to control costs. Such coordination may take on greater importance and may be enabled by advanced operational management systems in the future.

51 FAST_SE_Report_11017011_final.docx

New AoC Title Description and Explanatory Comments AoC # AoC_109 Increasing numbers of Increased operations of regional jets and smaller turboprop aircraft into smaller aircraft traffic smaller airports via previously little used airway routes may result in additional demands on ATC and may result in greater numbers of published procedures to mitigate the increased noise impact on local communities. AoC_113 Increased operations Airship development projects are currently under development in various of lighter-than-air countries with vehicle types ranging from small observation platforms to very vehicles including large freight carriers. There is an extensive body of historical experience with dirigibles and airships airship operations that should be used as the basis for future integration of increasingly larger and more numerous airships with fixed- and rotary-wing aircraft operations. AoC_114 Increasing operations These aircraft will operate differently from passenger operations. These of cargo aircraft operations may raise serious issues: - potentially utilizing less well equipped airfields - operations at low traffic hours i.e. very late or at night (with associated noise issues) - operations at higher and lower average take-off gross weights - may be flown differently (less concern for ride quality resulting in greater exposure to turbulence) - may be generally older than passenger-carrying aircraft (aircraft operate for a full "second" life after cargo conversion) AoC_117 Increasing frequency Economic pressures may result in an increase of Extended-range Twin- of very long-range engine Operations with longer flight times, and flights greater than 7000 nm. operations, polar There are concerns about duty times, passenger and crew safety, and operations, and inadequacy of support and/or medical facilities at airports to which flights may ETOPS flights. be diverted and survival after a crash in cold environments. AoC_118 Movement away from With approximately 10,000 airports in the United States (a large portion of hub-and-spoke which are small outlying airports), 'city-pair' or 'point-to-point' operations, operations concepts which permit commuters to land as close to their final destination as possible, toward alternate are increasing in frequency. Airline decisions to adopt these different operational models operational models may affect many areas of aviation including: - the introduction of new aircraft designed for non hub and spoke operations - large fleets of small aircraft instead of small fleets of large aircraft - infrastructure concerns at smaller airports - new routes into these airports for noise abatement and other traffic concerns AoC_119 Increasing requirement In the past decade, the number of Light Sport Aircraft (LSA), hang-gliders, for coordination with a para-gliders and their motorized versions has increased significantly. These new generation of light sport aircraft are restricted from certain airspace and are frequently sport-flying devices. commanded by people lacking basic knowledge of the airspace structure. AoC_122 Accelerated transition Economic pressures to recruit needed pilots for Part 121 operations will likely of pilots from simple to result in more rapid transition of trainees from simple to complex aircraft. complex aircraft Current certification standards may need to be revisited in light of this phenomenon. Training curricula must provide the skills needed for command of complex, advanced aircraft. AoC_125 Increasing market Low-Cost Carriers have different business models than the business models share of low-cost, no characteristic of legacy carriers. This may also mean that the way safety is frills airline operators managed within the company is different. Although this way of operating is not necessarily better or worse, the fact that it is different may perhaps result in unforeseen difficulties or misunderstanding, (e.g., in safety oversight by the authorities), or when it comes to joint (low-cost and legacy airline) safety initiatives.

52 FAST_SE_Report_11017011_final.docx

New AoC Title Description and Explanatory Comments AoC # AoC_129 Increasing pressure to Independent of demand trends, the ATM system continues to require improve aviation additional capacity. As demand approaches capacity, airlines increase load system throughput factors and reduce schedules, the pressure to improve throughput will increase. Because of these conditions, SESAR and NextGen have been designed to upgrade ATM.Potential hazards exist from these changes in:- impacts of complexity- international harmonization- change of roles and responsibilities for pilot, controllers and others due to new concepts of operation- possible new systems such as a traffic optimizer, that will change operational paradigms and affect flight profiles, dispatching- policies, and other aspects of aircraft operationThese changes will require frequent safety and hazard assessment re-evaluation. AoC_133 Increasing pressure to A user fees system comparable to those constructed in Europe and Canada assess or raise user may affect aviation businesses and the safety of operations in America and fees within the aviation other countries. Fees for common services such as landings, approaches, system to recover weather reports, flight plans, and certification, may provide an incentive not to costs of operation utilize those services. The potential consequences of user fees system on safety may result in the classification of similar financial matters as “safety critical” that shall be analyzed as such in decision making. AoC_135 Decreasing market Because other high-tech industries are on such a rapid growth curve, the share of high-tech advanced products purchased by the aviation sector of the economy now aviation products in represent a smaller share of the overall production capability for these comparison to other specialized products. This may create a situation where the aviation industry sectors may have a more difficult time obtaining the necessary components (both new and replacement) at favorable prices. As a result, obsolescence of flight-critical digital system components may create safety issues in the future. AoC_136 Increasing use of Economic pressures are driving many commercial and governmental Commercial Off The operators within the aviation system toward purchase of COTS products. Shelf (COTS) products Although these products may have a favorable cost-to-performance ratio, in aviation they may not have been subject to the verification/validation rigor required to maintain safe, dependable operation of the aviation system. Examples include microprocessors (from PC industry), operating systems (e.g., Windows and LINUX), and graphics processors (from video game industry). AoC_138 Increased need to There is an increasing need to monitor incident and accident precursor trends monitor incident and and identify non-standard performance. Prolifer0ation of hardware and accident precursor software tools to monitor performance of aviation systems are being trends introduced to fill this need. While these new systems can help to identify what happened, they may not be able to identify why things happened. In the future a balance between computer and human analysis will need to be established.

AoC_139 Increasingly stringent Aircraft noise and emissions concerns may become the most important noise and emissions strategic obstacles for future development of air transport. These concerns constraints on aviation impact the system in many ways, including: - changes in certification operations requirements for aircraft- new policies on runway use- new take-off and landing profiles which may reduce safety margins- changing aircraft traffic management- introduction of environmental levies or the market based approach of emissions trading AoC_141 Changes in aviation Global environmental and safety concerns may require use of alternative fuel composition fuels and the elimination of leaded fuels to address emissions and volatility concerns. These new fuels may introduce new safety concerns such as: - fuel specifications with differing properties such as lubricity, lower aromatic content, etc. - changes pipelines to prevent cross contamination with incompatible fuels - infrastructure requirements for normal operations and emergency situations such as diversions The migration of fuel specifications in response to environmental pressure needs to be controlled to assure the performance, reliability and safety of aircraft fuel systems and engine hardware.

53 FAST_SE_Report_11017011_final.docx

New AoC Title Description and Explanatory Comments AoC # AoC_142 Increasing requirement Although English may the international language of aviation, even when pilots for harmonization of and controllers both speak English fluently, there are pitfalls in the nature of language among language and the ways that language is heard. Subtle miscues can subvert operators of aviation messages that seem clear to the sender. Pilots and controllers must be system aware of, and avoid, common types of linguistic misunderstandings. AoC_144 Increasing economic Changes in economic pressures on aviation industry may result in significant pressures affecting modifications in management structure, resulting in the loss of: management and - technical expertise in management ranks labor relationships - realignment of relationships between management and labor resulting in role ambiguity and loss of technical oversight - poor resource allocation decision-making due to profitability concerns that are not cognizant of safety issues - inadequate planning for staffing transitions and role redefinitions (including situational awareness training) resulting from investment, allocation decisions - labor-management disputes resulting in poor operational performance AoC_148 Increasing frequency Hostile acts against the aviation system are manifested in several ways: of hostile acts against - cyber attacks on data links, databases and digital/ electromechanical the aviation system systems, jamming resulting in loss of RF signals used for critical CNS functions and FADEC operation. - increasing sophistication and proliferation of explosive materials, biological/chemical toxic agents, and anti-aircraft weapons. - increasing frequency of distraction, glare and temporary flash blindness from easily available and low cost of high-strength lasers AoC_151 Decreasing Investments in basic research do have substantial economic benefits and commitment to basic that there remains an enormous reservoir of research opportunities for which research and there are no immediate commercial benefits. Without robust funding for technology basic research, many of these opportunities will not receive the attention they development in both deserve. Potential future decreases in projected funding for research government and pertains to both basic and applied research in science and technology. The private sectors three sectors of the world economy that support basic research -- military, private industry, and federal -- all have downsized. AoC_161 Increasing rate of bird The rate of bird strikes is increasing due to: strikes - Increasing populations of various species of large flocking birds (particularly in regions of high-density air traffic) - Trend toward locating runways adjacent to bodies of water, resulting in approach and departure paths with greater exposure to over-water flight conditions and greater likelihood of bird strikes - Increasing numbers of wetlands restoration projects near major airports AoC_170 Increasing Economic pressure on aircraft manufacturers can cause them to offer manufacturer price incentives, such as warranty against defects, which the likelihood that and cost incentives operators will respond to risk issues that may be regulated at a later date. may create market Incentives that warranty against Airworthiness Directives may be an incentive distortions for operators to delay responses to known risks indefinitely. AoC_174 Introduction of new The sustained growth in air traffic and limitations in existing airport surface traffic flow infrastructure have in recent years put a strong emphasis on the development management and standardization of future advanced surface movement guidance, control, technologies and management systems. The objective of the technologies is to increase the traffic-flow capacity at airports, while maintaining the required safety level. AoC_175 Changing New materials and compositions as well as surface treatments may be characteristics of developed for runway, taxiway, and overrun surfaces. This may include airport surfaces improved runway surface friction management techniques. AoC_180 Re-using military With the decrease of military activity in some areas, there is a trend of airfields as civil converting military airfields into commercially used civil airports. One concern airports is that airspace design is not compatible with these civil operations, another that it does not fit the demand of the increasing number of flights conducted therein.

54 FAST_SE_Report_11017011_final.docx

New AoC Title Description and Explanatory Comments AoC # AoC_184 Increasing amount of Flight Crews will be required to interact with an increased amount of information available information like CPDLC data, traffic information on CDTIs for ASAS to flight crew applications, electronic route manuals/flight bags and even the World Wide Web. This information will likely be presented on extra displays, requiring the crew to divide their attention. This information may be integrated in existing systems or may be presented on a single screen which may introduce the problem of cluttering. Pilots will have to be trained to efficiently use the new data and interfaces. AoC_185 Introduction of artificial Future flight decks may contain, or be expected to interact with, software intelligence (self "intelligent agents." The characteristics of these agents may differ learning) in avionics significantly from most software tools in use today. These tools may: - be very complex- including intent and reasoning systems not well understood by the pilot- have unique, unfamiliar, and unanticipated characteristics and interfaces- approach a semi-autonomous status with interfacing systemsThese systems could present new unforeseen risks, especially if these systems are given limited control of the vehicle independent of the crew. AoC_187 Shift in responsibility With the introduction of technologies like ASAS (Airborne Separation for separation Assistance Systems) and ADS-B (Automatic Dependent Surveillance), future assurance from ATC flight crews may be faced with increased responsibility for separation to flight crew assurance during all phases of flight. One example is Airborne Information for Lateral Spacing (AILS) approaches to close parallel runways in Instrument Meteorological Conditions (IMC) will increase the capacity of parallel runways to be equivalent to those in VMC conditions. Future operational concepts shift the responsibility for separation and appropriate evasive maneuvers from ATC to the flight deck. AoC_188 Introduction of new Current check-and-training systems developed to maintain flight standards on training methodologies earlier generation aircraft may not necessarily cover all issues relevant to for operation of operation of advanced aircraft. advanced aircraft Research must be pursued to: - define the changing profile of job qualifications needed by applicants - devise efficient methods and tools by which to select qualified candidates without high attrition costs - develop and validate advanced training delivery systems that meet future staffing and training requirements - create cost-effective new equipment training guidelines and procedures - provide integrated team training for all aviation operations - address training for mixed fleet and multi-cultured crews - evaluate and remediate skill decay for diagnostic and complex operational tasks AoC_189 Shifting demographics Previously many flight crews were drawn from the ranks of retired military from military to civilian personnel with significant military flight experience and training. In the future trained pilots pilots will more than likely be drawn from civilian flight schools. This demographic shift may result in diminished basic airmanship including aircraft energy management, lack of aircraft system knowledge and diagnostic skills, manual handling, ability to operate advanced aircraft in abnormal situations/attitudes, and recover from unanticipated situations when there is no checklist. AoC_196 Increasing working life Need to reconcile the complex issues raised by the fact that pilots and cabin of crew members attendants are living longer and maintaining skills and proficiencies into later years. Regulatory authorities may increase age at which flight personnel must retire.

55 FAST_SE_Report_11017011_final.docx

New AoC Title Description and Explanatory Comments AoC # AoC_200 Increased dependence Advanced desk-top training environments are being proposed that may have on synthetic training in serious shortcomings compared with full-realism flight simulators. Some lieu of full-realism aspects (such as aircraft dynamics) are best covered using high fidelity simulators simulators, while others can be tackled using simpler approaches. Part-task trainers and limited range of motion high-fidelity simulators may not sufficiently emulate loss-of-control situations to enable effective upset recovery training. These types of training simulators can lead to negative transfer of training. However, some simulators may be effective in training for recognition and early detection of the conditions preceding loss of control situations. Implementation may be more widespread due to lower cost of part-task trainers. For certain accident types, training may not help; aircraft changes may well be necessary. Upset prevention (via recognition) may improve using part-task simulators, but actual ability to recover from unusual attitudes may worsen. AoC_202 Increasing pressure to Simulator training time is becoming more compressed. In order to save time shorten and compress and money: pilot training - emergency/abnormal scenarios are being combined together, even though the events are extremely unlikely to occur together - recent accident scenarios are emphasized and "Routine" flight operations are under-emphasized - more training is being added without analyzing the current curriculum to remove unnecessary or redundant segments AoC_205 Increasing risk of flight Future flight operations might bear the risk of increased fatigue of flight crew fatigue crews. This may result from: - ultra long range flights with minimum crew - harmonized European legislation allowing longer flight duty times - increased regional operations - increased pressure on crews to improve economics - passenger and crew screening requirements AoC_211 Economic pressures to Economic pressure by airline operators to strive for maximum economy may reduce the authority of result in reduction of fuel loads below what pilot wants to accommodate the pilot in command changes in flight path due to weather or for diversion to alternate airports. relative to airline This may be more of an issue in some parts of the world than in others. dispatch coordinators AoC_218 Increasing pressure to As supplementary passenger protection and restraint systems, like provide supplementary passenger airbags and smoke hoods, are being developed. Some of theses passenger protection systems have been adopted by general and business aviation and may and restraint systems eventually find their way onto airliners. New requirements for increased passenger safety may also force these changes. AoC_220 Increasing functions Functions and use of personal electronic devices by passengers and flight and use of personal crew are increasing and there are no means to ensure that passengers turn electronic devices by off all electronics in critical phases of flight and disable transmit/receive passengers and flight functions while on the aircraft. The wide variety of transmission sources and crew their potential locations within the passenger cabin make it very difficult to predict all possible effects and failure modes. AoC_221 Introduction of new The operational characteristics of future space vehicles may require adoption space vehicles of different ATM approaches for conventional aircraft sharing the same airspace. If space tourism becomes popular enough to require facilities close to areas of high air traffic, this will be a factor. Also procedures for emergency reentries will have ATM impact. Interface development between space control and "normal" ATM-structures. AoC_222 Advent of standards It is uncertain how commercial indemnification authority will be established in and certification for the future. It is also not clear how certification and regulatory bodies will be space vehicles established with objective and targeted levels of safety. New SIDs, STARs, and emergency procedures will be required.

56 FAST_SE_Report_11017011_final.docx

New AoC Title Description and Explanatory Comments AoC # AoC_223 Increasing frequency Rapid, routine clearances for penetration of flight levels (typically utilized by of commercial and commercial aircraft) may be required by expendable launch vehicles, re- government space usable launch vehicles, and commercial space operations. Wing-borne vehicle traffic space vehicles may require re-entry trajectories that can be predicted accurately even in emergency situations. These procedures will need to be coordinated with destination and alternate airports. In addition, special operational procedures may be required for penetration of restricted airspace in both normal and abnormal situations. Establishment of commercial spaceports in areas such as New Mexico is underway. AoC_224 Introduction of space A key issue related to space tourism is the certification of the transportation tourism and systems and regulation of the commercial operations. In 1995, the National accompanying Aerospace Laboratory (NAL) conducted a survey in North America (U.S. and safety/reliability Canada) of 1020 households, which was the first actual market research of considerations its type to be conducted in America. The results concluded that overall, 60% of those surveyed were interested in traveling to space for a vacation. This figure is comprised of more than 75% of those under 40, 60% of those age 40 to 60, and more than 25% age 60-80.

Risk management issues when transitioning from an exploratory development phase with paying risk-accepting passengers to a phase where certification requirements reach air transport levels. A natural development of space tourism is point-to-point space travel in order to reach other spaceports across the globe in a minimum of time. This will have produce deeper ATM challenges, as well as environmental issues. AoC_225 Entry into service of Commission on the Future of the United States Aerospace Industry made commercial, space- special note of the promise of public space travel. The demand will rise tourism passenger without limit as the price drops. The Commission suggested that space vehicles tourism markets might help fund the launch industry through its current market slump. Increased launch demand thanks to space tourism could help drive launch costs down, they concluded, perhaps ultimately support a robust space transportation industry with "airline-like operations." For a space tourism industry to be viable, flight rates about two orders of magnitude higher than those required for conventional space lift would be mandatory. That translates into a paradigm shift; a culture change in rethinking and redesigning all the major components of a space plane system. Vehicle reliabilities must approach those of commercial aircraft. AoC_226 Changes in the The shortage of certified maintenance personnel may result in lower quality qualifications of servicing and maintenance of aircraft with a concomitant reduction in the maintenance reliability of both new and aging aircraft. Servicing of advanced avionics will personnel require specialized skills, yet training in disciplines such as composite material repair, nondestructive inspection, solid-state electronics/avionics/built-In test equipment, principles of troubleshooting and human factor is currently only an option within maintenance training curricula. As the number of non-certified staff increases, the need to check their work increases. Certified staff may begin to accept poor quality work either because of time limitations or because errors are not detected. Other issues, such as tightening of controls on maintenance procedures, limitation of working hours, vision tests, etc. will also reduce the availability of certified maintenance personnel.

57 FAST_SE_Report_11017011_final.docx

New AoC Title Description and Explanatory Comments AoC # AoC_228 Increasing application Human factors in maintenance are recognized as being increasingly of Maintenance important. EASA 145 requires and the US FAA is encouraging the Resource implementation of a maintenance human factors program by maintenance Management providers. The areas to be covered include event investigation, human techniques factors training in a variety of areas, shift and task handover, writing good procedures, procedural non-compliance, planning, fatigue, error capturing, and signing off tasks not seen nor checked. Although MRM addresses the human component of maintenance, there may be an over-reliance on Minimum Equipment List (MEL) procedures as safety nets. If the airline operation center has incorrect information on the MEL, an aircraft could be inappropriately released. AoC_230 Paradigm shift from In the future complex, integrated aircraft will require more and more paper based to automation for fault detection, diagnosis, and resolution. In addition, new electronic based diagnostic and prognostic safety analysis will require electronic tracking of maintenance maintenance findings and actions. These changes may introduce new considerations such as: - ensuring quality maintenance on legacy aircraft which were previously paper based but are transitioning to a computerized format - new skill sets will be required of maintenance personnel because of changing processes, tools, and techniques to support the new computerized systems - greater care and task verification will be required - better coordination between maintenance and flight crews AoC_234 Aging avionics, power New approaches may be required to guarantee aircraft structural integrity plants, electrical and and proper function of propulsion and mechanical systems. Aging mechanical systems, mechanical systems aboard aircraft may become a critical safety issue. This and structures issue has a number of implications due to extended aircraft lifetime. Structural and aircraft system aging problems are already being addressed by regulatory authorities. AoC_236 Increasing use of Digital/electronic mock-ups are now being adopted by the industry as virtual mockups for substitutes for the physical mock-ups. It should be recognized that the training and for current digital mock-up capability together with available human modeling evaluation of capability does not permit total maintenance/assembly task simulation maintenance (perhaps 2-5 years away). While any safety related risk is low, if a situation requirements is not recognized during design phase, it will not emerge or be addressed until assembly of first aircraft. This results in a cost/schedule penalty and aircraft maintainability issues. AoC_240 Increase of predictive An increase of predictive logistic and supply system services may be a by logistic and supply product of concepts such as just-in-time production and delivery. system services Performance based logistics is intended to guarantee a higher level of performance and system capability. The dramatically increasing quantity of electronic maintenance data will demand adequate information technology infrastructure for timely identification of trends and on-condition maintenance. AoC_241 Increasing risk of Reduction in staff, economic incentives available to maintenance technicians fatigue plus shifts toward night schedules for critical maintenance increase the among maintenance likelihood of fatigue. In addition, the number of maintenance employees per personnel aircraft has been reduced significantly. Only in specific maintenance tasks such as primary flight control work this ratio is still more or less normal. Many countries still have not set maximum duration working times for maintenance staff like there are for pilots. Due to tight daytime flight schedules, there is increasing pressure for nightshift operations on the involved maintenance organization.

58 FAST_SE_Report_11017011_final.docx

New AoC Title Description and Explanatory Comments AoC # AoC_242 Increasing single- The use of one engine out taxi techniques is on the increase as one means engine taxi operations to reduce fuel burn. These same techniques have been used in the past, and concerns have been voiced and issues have been raised. Consequences of this operational procedure may include excessive jet blast to achieve wheel un-stick, warning issues related to accidental single-engine take-off, engine thermal characteristics, use of standard operating procedures (SOP) and checklists to avoid cancelled take-offs and/or malfunctions as well as unintended degraded safety. AoC_243 Introduction of novel To minimize fuel burn, noise, and environmental impact novel technologies to technologies to move move aircraft from gate-to-runway and runway-to-gate will be introduced. aircraft from gate-to- One concept is for tugs to be replaced by an APU powered motor-generators runway and runway-to- which drive the associated aircraft wheel. Another concept is for tugs to bring gate aircraft all the way from the gate to the runway. These new systems may present a number of safety concerns: - changing risk of runway incursions - effectiveness of new pilot interfaces - inadequate visibility from the flight deck - engine run-up and checklist completion AoC_244 Introduction of high- High density passenger cabin configurations are being explored to increase density passenger the numbers of passengers that can be accommodated economy class for cabin configurations short-haul flights. More passengers equals more revenue and this approach would enable higher passenger loads on each aircraft. It also presents evacuation, emergency equipment, crash worthiness, and passenger amenity concerns. AoC_245 Inconsistencies in the A potential risk in the implementation of SMS is an inconsistency between the implementation of SMS policy and the working environment and conditions under which it had SMS actually been adopted. There is also concern over significant differences in the implementation of SMS among individual organizations and potential misunderstandings that this may cause. AoC_246 World wide climate Global average surface temperatures have risen at an average rate of 0.13°F change trending per decade since 1901. Since the late 1970s, however, the United States has towards warmer warmed at nearly twice the global rate. Worldwide, 2000–2009 was the temperatures warmest decade on record. These changing climates may affect the global air transportation system in many ways including, but not limited to:– Heat waves– Increased precipitation duration and intensity– More frequent and intensified winds and storms– Rising sea levels and ocean acidity levels– Changed bird migration habits Source: US EPA (http://www.epa.gov/climatechange,)

D. Individual CAST Safety Enhancement Assessment Tables

SE 1: CFIT TAWS – One Project

Summary information from SE 1 DIP Summary of SE: Controlled flight into terrain (CFIT) - accidents, where a properly functioning aircraft under the control of a fully qualified and certificated crew is flown into terrain with no apparent awareness on the part of crew, could be substantially reduced or eliminated with the installation of TAWS equipment. Manufacturers of turbine aircraft and air carriers operating turbine aircraft under FAR Part 121 should install TAWS equipment on the entire U.S. air carrier fleet and establish procedures for its use. Substantially reduce or eliminate the CFIT accident rate by improving pilot situational awareness with respect to terrain avoidance by establishing appropriate procedures for the installation and use of TAWS. Procedures must include proper flight crew reaction in regard to TAWS aural and visual warnings Date of Approval: August 1999 Risk Description: Medium Risk. The development of the SOP template is a relatively low-risk activity. The only medium-risk items that can be identified at this point is the timeframe involved in coordinating, writing and implementing ACs and HBATs and the willingness of the operators to review and revise their manuals based upon a new set of guidelines. Risk Mitigation Plan: The intent of the project is to include the operators as team- members of the template design process. This will provide them the opportunity to voice concerns at the early stages of template design to hopefully mitigate and risks later in the process. The use of SOPs has been encouraged through other industry activities such as the CFIT Training Aid, CFIT Training Document, Flight Safety Foundation CFIT ALAR report and the ICAO cover-letter accompanying the CFIT Training Document. Implementation Progress:

Relevant Areas of Change:

Very Vulnerable

AoC Title Description Vulnerability

AoC_184 Increasing Flight Crews will be required to interact with With more information presented to amount of an increased amount of information like the flight crew there is a danger of information CPDLC data, traffic information on CDTIs for pilots being overwhelmed by available to flight ASAS applications, electronic route information. An increasing amount of crew manuals/flight bags and even the World Wide information will need to be displayed in Web. This information will likely be presented a logical format and prioritized to on extra displays, requiring the crew to divide provide maximum usefulness to the their attention. This information may be flight crew. There is a need for proper integrated in existing systems or may be systems and procedures integration presented on a single screen, which may for use of TAWS systems that provide introduce the problem of cluttering. Pilots will similar terrain awareness information have to be trained to efficiently use the new to the flight crew. data and interfaces.

- 60 -

Somewhat Vulnerable

AoC Title Description Vulnerability

AoC_36 Increasing More and more airlines are transitioning from Data integrity could be an issue. dependence on paper to electronic information services Standardization may be needed to Electronic Flight known as Electronic Flight Bags. These ensure data presented to pilots is Bag (EFB) for capabilities will provide for electronic accurate and useful. When the EFB efficient and safe distribution and viewing of navigation charts is providing near-flight-critical operations and other information to be used on the information to the crew, what is the ground in flight operations or distributed to parallel back-up system in the event of crew members for on-line viewing or data a loss of EFB data or hardware download. failure?

AoC_99 Increasing GPS, digital terrain elevation data, and The integrity of the computerized dependence on ground obstacle data may be incorporated navigation and performance systems accurate into future FMS databases and airport moving rests on the quality of the FMC/FMGS databases for map displays. The integrity of the databases. In addition to corrupt data, flight-critical computerized navigation and performance entries by the flight crews will require functions systems rests on the quality of the verification to a database that may not FMC/FMGS databases. Avionics and exist in paper form. The chain of airframe manufacturers and regulatory database development, data authorities have recognized the potential for ownership and database approval entering incorrect data through the depend on accuracy checks along the FMC/FMGS. The final safety net in the process. process of checking the accuracy of the database information currently lies with the pilot who should cross-check electronic data against printed data. Future flight guidance databases may have no printed data against which the pilots can cross-check information.

AoC_136 Increasing use of Economic pressures are driving many COTS products used in avionics and Commercial Off commercial and governmental operators terrain avoidance systems may not The Shelf within the aviation system toward purchase of have been subject to the (COTS) products COTS products. Although these products verification/validation rigor required to in aviation may have a favorable cost-to-performance maintain safe, dependable operation ratio, they may not have been subject to the of the aviation system. This may be verification/validation rigor required to especially important for systems maintain safe, dependable operation of the designed to compare the horizontal aviation system. Examples include and vertical position of the aircraft and microprocessors (from PC industry), the underlying terrain. operating systems (e.g., Windows and LINUX), and graphics processors (from the video game industry).

AoC_148 Increasing Hostile acts against the aviation system are Navigation signals are not subject to frequency of manifested in several ways: ground jamming yet. Incidents of hostile acts - cyber-attacks on data links, databases and jamming of such signals are almost against the digital/ electromechanical systems, jamming non-existent in the operational record. aviation system resulting in loss of RF signals used for critical This is not vulnerability but is a CNS functions and FADEC operation. concern. A related concern would be - increasing sophistication and proliferation of the integrity of data-links and explosive materials, biological/chemical toxic databases in use throughout the agents, and anti-aircraft weapons. aviation system. - increasing frequency of distraction, glare and temporary flash blindness from easily Laser assault on the eyes of flight available and low cost of high-strength lasers crew often occur when the aircraft is at

- 61 -

low altitude and in close proximity to terrain. For these reasons, the industry may want to investigate the feasibility of passive laser filters build into or applied as an overlay on flight deck windows. AoC_205 Increasing risk of Future flight operations might bear the risk of Concern that fatigue will affect the way flight crew fatigue increased fatigue of flight crews. This may flight crews react and respond to result from: TAWS alerts particularly in the - ultra long range flights with minimum crew approach and landing phase of flight. - harmonized European legislation allowing Unnecessary persistent TAWS alarms longer flight duty times may create fatigue as well. - increased regional operations - increased pressure on crews to improve economics - passenger and crew screening requirements

Both Somewhat Vulnerable and Somewhat Beneficial

AoC Title Description Vulnerability

AoC_21 Implementation The future evolution of weather monitoring Better weather information may of advanced systems (i.e. advanced supplementary increase the likelihood that flight crew supplementary cockpit weather information systems) will will fly closer to adverse weather to cockpit weather allow aircraft to identify, and then fly routes gain flight path efficiencies. information that have the most favorable weather. As this systems technology expands in use, the density of The use of advanced cockpit weather these routes may rise accordingly. information systems should identify Dependence on the reliability of non-certified weather conditions that previously equipment (i.e. smart phones) may become may have created more CFIT risk. an issue if pilots become dependent on a platform that does not have an inherent Dependence on the reliability of non- safety function. certified equipment (i.e. smart phones and other new Personal Electronic Devices – PEDs - such as iPads) may become an issue if pilots become dependent on a platform that does not have an inherent safety function. PED applications can offer amazing functionality but are not certified. Appropriate entities should determine how these devices are being used in the flight deck and how frequently. This is potentially significant safety issue in the next three to five years. AoC_43 Increasing Advanced automation is taking full advantage Integrated systems (auto pilot/TAWS) implementation of data sharing among what were previously may cause the aircraft to react in CFIT of highly- independent LRUs. As more crew functions situations (auto pull-up) without any integrated, are automated there is a high reliance on the pilot input or incomplete understanding interdependent integrity and fidelity of the data exchanged. of the system behavior by the flight flight-critical High and low criticality functions have crew. aircraft systems traditionally been physically isolated are now sharing computing and data bus resources. Interdependent, integrated flight Software-based isolation and independence critical systems may monitor each is much more "fluid" and difficult to assure other and the system determines the than relying on hardware. Lost or erroneous failure, not the pilot. inputs can result in a cascade of effects on the aircraft. Often, sensors are the lowest Newer systems need to be designed reliability components and therefore need to so pilots can interpret all alerts be redundant to obtain the required system presented. Less than complete

- 62 -

safety. Unfortunately, identical sensors are understanding of these integrated, used to achieve the redundancy. Therefore, complex systems may create sensor failures could produce a single point vulnerabilities. failure of multiple devices. Complex systems increase the need for self-checks to verify More integrated systems may in some software for accuracy and integrity. cases improve the situational awareness of the flight crew as well as improve the performance of the vehicle.

Nature of Vulnerabilities: • Accuracy and Integrity of flight information databases AoCs 36, 99 • Variation of COTS products using multiple operating systems AoC 136 • Multiple systems/displays causing information overload AoC 184, 36, 21 • Flight crew understanding of new, complex, integrated systems AoC 43

Major Interaction Effects: • Interactions among the various elements of the chain consisting of database development, data ownership and database approval depend on accuracy checks including consistency of waypoint identifiers, frequencies, and altitudes.

Near-term Changes to Baseline Risks or New Vulnerabilities: • Hostile acts (lasing and electronic jamming) occurring at low altitudes where terrain awareness and energy/flight path management are critical.

Precursors, Watch Items, and System-wide Measurements that Could Indicate Vulnerability: • Query ASRS reports for the correlation between flight crew fatigue and low-altitude incidents of loss of control or situational awareness • Monitor instances of improper response to TAWS alerts and the circumstances the

- 63 -

preceded them. • Look for increasing rates of single-point failures of sensors and/or data corruption propagating more widely than expected in aircraft systems • Monitor use of non-approved electronic devices in the flight deck • Monitor emergence of tools and methods for validation of navigation databases

- 64 -

SE 2: CFIT SOPs – One Project

Summary information from SE 2 DIP: Summary of SE: All operators should have standard operating procedures/training manual/chapter. This manual/chapter should address all projected normal situations crews/company personnel will encounter. This manual will address: use of checklists, what each person’s responsibilities are, use of available equipment, and expected procedures to be used during preflight, taxi, take-off, climb, cruise, descent, approach, missed approach, landing, taxi and parking. Use of line crews to develop new procedures increase acceptance and understanding of these procedures. Standard operating procedures for any new equipment will be developed, published, and trained before any new equipment is used/installed. Operators will train proficiency in their SOPs and crews will use published company SOPs. To improve aviation safety by: 1. Ensuring that all operators establish flight crew Standard Operating Procedures (SOPs) that fit that operator’s particular operation. 2. Ensuring that all operators train their SOPs and encourage that all SOPs be utilized in all normal operations.

Date of Approval: August 1999 Risk Description: Medium Risk. The development of the SOP template is a relatively low-risk activity. The only medium-risk items that can be identified at this point is the timeframe involved in coordinating, writing and implementing ACs and HBATs and the willingness of the operators to review and revise their manuals based upon a new set of guidelines Risk Mitigation Plan: The intent of the project is to include the operators as team- members of the template design process. This will provide them the opportunity to voice concerns at the early stages of template design to hopefully mitigate and risks later in the process. The use of SOPs has been encouraged through other industry activities such as the CFIT Training Aid, CFIT Training Document, Flight Safety Foundation CFIT ALAR report and the ICAO cover-letter accompanying the CFIT Training Document. Implementation Progress:

Relevant Areas of Change:

Very Vulnerable AoC Title Description Vulnerability

AoC_82 Decreasing In order to provide increased utilization of the Decreased separation standards may separation airspace, separation standards may decrease change the way pilots react and standards between runways, between aircraft, between respond to TAWS alerts. Appropriate landing operations, and for vertical procedures will be needed to handle separation. The risk of runway incursions theses new operational paradigms may also increase as a result. The reliability resulting from NextGen. The reliability of technologies and procedures enabling of technologies and procedures reduced separation must be assured. enabling reduced separation must be assured.

An increasing number of aircraft are

- 65 -

flying an expanding number of RNAV SIDs and STARs, RNP approaches, and GPS MEA airways may introduce an increased risk for CFIT. Pilots flying these procedures are totally dependent on satellite navigation; in some cases below or beyond radar coverage of control facilities.

Pilots may become so dependent on the accuracy of GPS that in the event of a loss of sufficient GPS signal, be unable to recover the aircraft when in a position where GPS accuracy is critical.

Increasing Independent of demand trends, the ATM Complex new ATM systems will AoC_129 pressure to system continues to require additional require coordination between NextGen improve aviation capacity. As demand approaches capacity, and SESAR working groups to system airlines increase load factors and reduce determine the impacts of these new, throughput schedules, the pressure to improve complex systems. The changing roles throughput will increase. Because of these and responsibilities of both pilots and conditions, SESAR and NextGen have been controllers that may result from designed to upgrade ATM. concepts such as delegated Potential hazards exist from these changes separation [to the flight deck] will in: require evaluation and potentially - impacts of complexity revised procedures. - international harmonization - change of roles and responsibilities for pilot, controllers and others due to new concepts of operation - possible new systems such as a traffic optimizer, that will change operational paradigms and affect flight profiles, dispatching - policies, and other aspects of aircraft operation

These changes will require frequent safety and hazard assessment re-evaluation.

AoC_184 Increasing Flight Crews will be required to interact with Training may need to emphasize amount of an increased amount of information like prioritization of the increasing amount information CPDLC data, traffic information on CDTIs for of information available in the cockpit available to flight ASAS applications, electronic route including new icing warning systems, crew manuals/flight bags and even the World Wide Vertical Situation Displays, and Web. This information will likely be presented advanced vehicle health monitoring on extra displays, requiring the crew to divide systems. their attention. This information may be integrated in existing systems or may be presented on a single screen that may introduce the problem of cluttering. Pilots will have to be trained to efficiently use the new data and interfaces.

Somewhat Vulnerable AoC Title Description Vulnerability

- 66 -

AoC_13 Increasing crew Increasing flight deck automation has In NextGen and SESAR operational reliance on flight occurred as a result of increased workload for concepts, pilots will have an deck automation the flight crew due to more complex increasing responsibility for total flight for flight-path operational environments, aircraft systems management. For this reason, training management, and navigation (traffic and weather). In future in automation modes and flight control separation ATM concepts, responsibility for separation systems will require updating to assurance and may increasingly be delegated to the prevent automation surprises. Greater terrain avoidance automated systems of the aircraft. As a result reliance on automation may require of increased automation, the flight crew may more training, not less. be placed in a monitoring role potentially compromising their ability to intervene when necessary. Unfamiliar modes of aircraft automation may result in a perfectly normal flying aircraft suddenly taking on characteristics that the pilot has seldom or never previously encountered. Latent flaws in the display or primary flight control system may go undetected, because not enough human-in-the-loop testing is performed, and the pilots are not trained about the philosophy of the automation.

AoC_22 Changing Advanced audio, tactile, and visual warning SOPs may be vulnerable if not approaches to systems in aircraft cockpits may change crew updated to include advanced cockpit warning workload and situational awareness. The warning/alerting systems and the and alert proliferation of caution/warning systems and increased workload this may create. systems alerts may overwhelm the flight crew in Pilots may become more dependent critical phases of flight. Consideration of on warning and alert systems with less prioritization, total workload, and required emphasis on basic flying skills such as situational awareness must precede monitoring and scanning. implementation of such systems.

AoC_43 Increasing Advanced automation is taking full advantage Interface between these highly implementation of data sharing among what were previously integrated systems may require more of highly- independent LRUs. As more crew functions knowledge of how these systems integrated, are automated there is a high reliance on the interact. SOPs should include interdependent integrity and fidelity of the data exchanged. procedures for single/multiple point flight-critical High and low criticality functions have failures and procedures for verification aircraft systems traditionally been physically isolated are now of integrity of data exchanged between sharing computing and data bus resources. these interdependent systems. Software-based isolation and independence Sufficient attention must be paid to is much more "fluid" and difficult to assure graceful degradation of integrated than relying on hardware. Lost or erroneous systems. inputs can result in a cascade of effects on the aircraft. Often, sensors are the lowest reliability components and therefore need to be redundant to obtain the required system safety. Unfortunately, identical sensors are used to achieve the redundancy. Therefore, sensor failures could produce a single point failure of multiple devices. Complex systems increase the need for self-checks to verify software for accuracy and integrity.

AoC_185 Introduction of Future flight decks may contain, or be This may be a long-term issue. artificial expected to interact with, software "intelligent Assisted Recovery Systems may be intelligence (self agents." The characteristics of these agents employed to avoid CFIT. Such learning) in may differ significantly from most software systems have been tested and avionics tools in use today. These tools may: evaluated several years ago. - be very complex - including intent and reasoning systems not To what extent should “learned” well understood by the pilot behavior acquired by such avionics in

- 67 -

- have unique, unfamiliar, and unanticipated one aircraft be shared among other characteristics and interfaces aircraft in the fleet? - approach a semi-autonomous status with interfacing systems How does the flight crew know that the These systems could present new avionics is now behaving differently unforeseen risks, especially if these systems based upon its “learning?” are given limited control of the vehicle independent of the crew.

AoC_187 Shift in With the introduction of technologies like New procedures may be required to responsibility for ASAS (Airborne Separation Assistance help flight crews prioritize tasks due to separation Systems) and ADS-B (Automatic Dependent an inevitable shift toward responsibility assurance from Surveillance), future flight crews may be for separation, merging, and ATC to flight faced with increased responsibility for sequencing from the ground to the crew separation assurance during all phases of flight deck. Task overload resulting flight. One example is Airborne Information from changes in flight crew roles may for Lateral Spacing (AILS) approaches to increase the risk of CFIT. Flight crews close parallel runways in Instrument are particularly concerned about the Meteorological Conditions (IMC) will increase uncertainty of who is responsible for the capacity of parallel runways to be separation and how such transitions equivalent to those in VMC conditions. Future between ground and air responsibility operational concepts shift the responsibility are made clear. for separation and appropriate evasive maneuvers from ATC to the flight deck.

AoC_202 Increasing Simulator training time is becoming more Additional training requirements are pressure to compressed. In order to save time and being added to an already full training shorten and money: syllabus forcing the compression of compress pilot - emergency/abnormal scenarios are being training time. In addition pilot type training combined together, even though the events training is driven by the Pilot Training are extremely unlikely to occur together Standards (PTS) requirements for the - recent accident scenarios are emphasized issuance of a type rating. The PTS and "Routine" flight operations are under- does not take into account the wide emphasized variations in aircraft types. Type rating - more training is being added without training is geared to meeting the PTS analyzing the current curriculum to remove requirements and the successful unnecessary or redundant segments completion of the type check ride. There is a risk that “fast-track” training doesn’t confer students with a deep, domain-specific knowledge of aircraft systems and their interactions. AoC_245 Inconsistencies A potential risk in the implementation of SMS There is a concern over significant in the is an inconsistency between the SMS policy differences in the implementation of implementation and the working environment and conditions SMS among individual organizations of SMS under which it had actually been adopted. and potential misunderstandings. There is also concern over significant SMS effectiveness is highly dependent differences in the implementation of SMS on being embraced and advocated by among individual organizations and potential senior management. SMS once misunderstandings that this may cause. implemented should be audited to ensure consistent compliance among multiple organizations.

Both Somewhat Vulnerable and Somewhat Beneficial

AoC Title Description Vulnerability

AoC_21 Implementation The future evolution of weather monitoring The use of advanced cockpit weather of advanced systems (i.e. advanced supplementary information systems should identify supplementary cockpit weather information systems) will weather conditions that previously cockpit weather allow aircraft to identify, and then fly routes may have created more CFIT risk. information that have the most favorable weather. As this systems technology expands in use, the density of More advanced cockpit weather

- 68 -

these routes may rise accordingly. information systems may enable flight Dependence on the reliability of non-certified closer to adverse weather situations equipment (i.e. smart phones) may become more prone to CFIT. The increasing an issue if pilots become dependent on a use of non-certified devices for platform that does not have an inherent weather display could also increase safety function. CFIT risk.

AoC_188 Introduction of Current check-and-training systems New training methods have the new training developed to maintain flight standards on potential to improve pilot performance methodologies earlier generation aircraft may not necessarily based on improved understanding of for operation of cover all issues relevant to operation of how individuals learn and process advanced aircraft advanced aircraft. information. Research must be pursued to: - define the changing profile of job Conventional training methods may qualifications needed by applicants not be suitable for advanced aircraft - devise efficient methods and tools by which featuring fundamentally different to select qualified candidates without high aircraft system architectures and flight attrition costs deck concepts. - develop and validate advanced training delivery systems that meet future staffing and However, advanced aircraft won’t training requirements appear overnight and SOPs will likely - create cost-effective new equipment training be generated to reflect the new guidelines and procedures designs. - provide integrated team training for all aviation operations Cultural and language differences - address training for mixed fleet and multi- might require different training cultured crews methods. - evaluate and remediate skill decay for diagnostic and complex operational tasks

Nature of Vulnerabilities: • Changing responsibilities of flight crews with respect to air traffic control roles. Flight crew may be asked to accept more responsibility for maintenance of separation and conformance to new SOPs that emerge during this paradigm shift. AoC 187 • SOP revisions/updates, checklists, and training need to include more complex flight automation equipment. AoCs 21, 22, 43, 187

Major Interaction Effects: • Integration of additional flight deck systems such as icing detection and warnings, vertical situation displays, and vehicle health monitoring systems must be handled with care and be reflected in unambiguous standard operating procedures so flight crews know how to respond to multiple, additional warning systems. • Integration of flight-critical safety functions across the air-ground interface must be reflected in both training and procedures. • Integration and standardization of procedures for near-term implementations of NextGen and SESAR initiatives requiring flight crew training. SOPs being used by pilots flying between the U.S. and Europe must be harmonized to avoid unsafe situations. Operational requirements should drive SOPs rather than vice versa.

- 69 -

Near-term Changes to Baseline Risk or New Risks: • Breakdown in the effectiveness of SMS within an air carrier due to complacency or lack of management support. • Flight crew task overload due to new SOPs developed for use of additional flight deck equipment. • Overconfidence in weather displays resulting into flying closer to regions of adverse weather – greater risk exposure – if training and SOPs don’t clearly spell out appropriate limits for weather penetration.

Longer-term Changes to Baseline Risk or New Risks: • Introduction of artificial intelligence (AI) into flight control systems may create situations in flight (for instance, unexpected control movements initiated by the flight control system) for which no SOPs are relevant. AI may introduce avionics response complexities that the training program hasn’t ever simulated. How should the crew react when the aircraft does its own thing?

Precursors, Watch Items, and System-wide Measurements that Could Indicate Vulnerability: • Monitor LOSA results for indications of flight crew difficulties encountered as new technologies are introduced into the flight deck. • Monitor ASRS reports or other sources for indications of flight crew confusion or mistakes when using new equipment and/or procedures associated with advanced flight deck equipment such as synthetic vision and Vertical Situation Displays. • Monitor ASRS reports or other sources for problems associated with delegation of separation responsibility to flight crew following initial implementation. • Monitor international harmonization efforts for flight-critical SOPs to avoid regional inconsistencies.

- 70 -

SE 10: Airline Proactive Safety Programs (FOQA and ASAP)

Summary information from SE 10 DIP: Description of SE: Develop and implement a mutually agreed upon methodology to use de-identified Flight Operations and Quality Assurance (FOQA), and Aviation Safety Action Partnership (ASAP) information for the purpose of proactively identifying safety related issues and corrective actions. Key to the development and implementation of this project is to ensure that legislative, regulatory and contractual actions are taken which prevent misuse of information. Included in this development and implementation of proactive safety programs are the development of analytical tools which will enable the identification of system safety deficiencies and corrective actions. Date of Approval: 8/26/99 Risk Description: High risk. Without the ability to implement these programs, industry will lose the opportunity to perform proactive safety analysis on a full range of operational issues. Given the current “legal” environment regarding data collection and use, and potential punitive actions coupled with the resistance within some organizations of the government, the probability of widespread implementation of detailed FOQA and ASAP programs is low. Risk Mitigation Plan: Identify ways, procedures and protocols, to implement components of FOQA and ASAP programs that are not reliant on data use restrictions. Efforts could be undertaken to identify which components could be implemented, or what procedures could be employed to mitigate the lack of data restrictions. This will be difficult and will result in limiting the quality of data collected. This in turn will narrow the scope of the usefulness of the program. Implementation Progress : FOQA/ASAP is one of the earliest, and is well implemented. ASIAS and the IAT (Airlines) is evidence that it is in place. Arose because failure to follow procedures appears all over the accident record. The data also have alerted to many other problems (ATC, etc.). The FOQA rule for disclosure protection of reported data was issued in October 2001. FOQA and ASAP are voluntary programs.

Relevant Areas of Change:

Very Vulnerable AoC Title Description Vulnerability AoC_43 Increasing Advanced automation is taking full advantage With the advent of increasing amounts implementation of data sharing among what was previously of data from more complicated aircraft of highly- independent LRUs. As more crew functions systems it may be difficult to identify integrated, are automated there is a high reliance on the trends in these large data sets. interdependent integrity and fidelity of the data exchanged. Improved analytical capabilities are flight-critical High and low criticality functions have needed that can be implemented aircraft systems traditionally been physically isolated are now economically. In addition, techniques sharing computing and databus resources. are needed for identifying atypical Software-based isolation and independence system behaviors that do not rise to

- 71 -

is much more "fluid" and difficult to assure the level of a threshold exceedance. than relying on hardware. Lost or erroneous inputs can result in a cascade of effects on the aircraft. Often, sensors are the lowest reliability components and therefore need to be redundant to obtain the required system safety. Unfortunately, identical sensors are used to achieve the redundancy. Therefore, sensor failures could produce a single point failure of multiple devices. AoC_66 Increasing Potential criminal liability may reduce normal Due to pending litigation it may be societal pressure incentives to perform research that may difficult to identify contributing factors to find individuals reveal possible design defects and and causes as data may not be and operational errors. Criminal prosecution available for safety analysis. organizations triggered by occurrence reports cause Reluctance to report and collect data if criminally liable aviation personnel such as pilots and Air it could be used against the reporter for errors in Traffic Controllers to be reluctant to file safety may reduce data available for design and reports, thus reducing the possibility of contributing factors and causal operations learning from occurrences. A shift of focus analysis. from a pro-active form of oversight to a culture of blame may cause industry members to take a more defensive rather than co-operative attitude towards regulators. Not only does this distract aviation professionals from a major task (i.e. contributing to safety improvements), but it also disturbs the open atmosphere in which industry and authorities jointly discuss safety issues. AoC_144 Increasing Changes in economic pressures on aviation Poor management/labor relations may economic industry may result in significant modifications inappropriately influence interpretation pressures in management structure, resulting in the loss of data and causal analysis. The lack affecting of: of trust between labor and management and - technical expertise in management ranks management may make it impossible labor - realignment of relationships between to link FOQA data from specific flights relationships management and labor resulting in role to the crew that flew them even if the ambiguity and loss of technical oversight data are de-identified. The - poor resource allocation decision-making consequence of this may be only a due to profitability concerns that are not partial understanding of the reasons cognizant of safety issues for specific crew actions leading up to - inadequate planning for staffing transitions an accident or incident and the and role redefinitions (including situational associated contributing factors. awareness training) resulting from investment, allocation decisions - labor-management disputes resulting in poor operational performance

Somewhat Vulnerable AoC Title Description Vulnerability AoC_11 Increasingly Not all aircraft may have the same level of The large variation among data heterogeneous equipage in the future. The variation in recorders adds to complexity of aircraft fleets sophistication of digital and electromechanical analysis due to the different formats (varying systems within an individual aircraft type must of data. Formats for data files software, also be considered. An unavoidable mix of recorded by sensors on highly equipment, new and reused (legacy) software is a future heterogeneous aircraft fleets will capabilities, etc.) trend and there may be increasing numbers of require format translators for effective regional jets equipped with possibly more comparative analysis. In addition, advanced avionics than legacy aircraft. This modern data recorders may not could lead to flight crew confusion and necessarily be backward compatible. problems maintaining situational awareness. It is critical to define what data is required and the rate at which it must

- 72 -

be recorded in order to yield fruitful analysis. In many cases, the reliability of the monitoring sensors is less than the systems that they are intended to monitor. Erroneous sensor output must be detected and removed from the data stream or flagged. AoC_96 Increasing As all systems become more complex there FOQA data analysis may be made interactions will be an increasing level of interaction more difficult by the lack of between highly- between ground-based and aircraft-based compatibility between ever more automated systems. This increased interaction may advanced airborne and ground ground-based introduce incompatibilities that may result in analysis systems. Such systems and aircraft greater system development, integration, may take the form of real-time, based systems maintenance, and reduce overall system airborne preprocessing and linkage performance. Variation in design cycle times to vehicle health management and implementation schedules between systems, air-to-ground data airborne systems and ground-based systems transmission of FOQA parameters or may result in lack of coordinated development. groundside downloads of data upon These issues underline the need for the arrival at the gate. introduction of the increased capacity, flexibility, and security of the next generation of ground to aircraft communication systems.

Nature of Vulnerabilities: • Loss of input data sources due to economic, legal or environmental conditions (labor relations) could dramatically reduce incentives to share information. AoC 66 and 144 • Increase complexity of data and analytical capabilities required within the assessment platform due to the heterogeneous equipment and the emergence of new highly integrated ground based and aircraft based systems. AoC 11, 43 and 96 • Erroneous sensor output must be detected and removed from the data stream or flagged prior to application of analysis software. AoC 11, 43 and 96

Major Interaction Effects:

• The large variety of sensor outputs and file formats will create an increasingly challenging analytical environment. It will become increasingly difficult to identify system-wide trends in heterogeneous datasets.

Near-term Changes to Baseline Risk or New Vulnerabilities:

• This analysis confirms the High Risk as evaluated by the CAST in the SE of future implementation due to legal liability concerns. • SMS success is highly dependent on accurate data and timely analysis. • The legal liability of reporting and storing data has already affected FOQA/ASAP programs and considerable effort from the FAA was required to maintain the participation of key stakeholders. Every accident involving a participant airline will threaten FOQA/ASAP programs until a positive precedent is set regarding the collection and use of the data.

- 73 -

• The use of U.S-centric FOQA/ASAP data may mask important trends happening in other world regions. Other geographic regions may have safety vulnerabilities that aren’t appearing in U.S. operations. These non-U.S. trends may be leading indictors for emerging system-wide issues.

Longer-term Changes to Baseline Risk or New Vulnerabilities: • Same as Near-term vulnerabilities.

Precursors, Watch Items, and System-wide Measurements that Could Indicate Vulnerability: • Monitor any decreases in reporting of categories of incidents related to recent accidents and associated ligation because a reluctance to report incidents associated with enforcement actions may be the key indicator. Place special emphasis on analysis of ASRS reports related to recent accidents and incidents. • Monitor language and terms in new labor contracts. If the immunity policy is not clear and adhered to by the employer and authorities, data reporting frequency and richness may degrade. • Monitor trend in legal actions using FOQA/ASAP data legal precedent cases regarding discovery – especially in the United States. The “what did you know, and when did you know it” phenomenon. • Monitor development of legislation that is protective of safety data. • Monitor number of airlines registering with or leaving FOQA, ASAP programs. • Monitor participation in the Air Traffic Safety Action Program (ATSAP) and look for correlations between report intake and actions against controllers. • Contact ASRS program and inquire whether report intake (ASRS or ASAP) is being affected by misuse of data by the legal system.

- 74 -

SE 12: CFIT Prevention Training – One Project

Summary information from SE 12 DIP Summary of SE: Controlled Flight Into Terrain (CFIT) - accidents are the leading cause of commercial aviation equipment loss and fatalities, worldwide. CFIT accidents could be substantially reduced if all air carriers operating under Part 121 and Part 142 training centers developed CFIT prevention training and procedures to be added to their approved training curricula stressing position awareness and escape maneuvers in the event of a terrain warning indication. Substantially reduce the CFIT accident rate by the addition of CFIT prevention training and procedures to all Part 121 air carriers approved training curriculums, emphasizing pilot situational awareness and escape procedures for flight crews to use in the event of a terrain warning indication.

Date of Approval: September 1999 ◦ Risk Description: The training aid is not user friendly and needs updating. ◦ Challenging of Handbook Bulletin and POI by the air carriers and Part 142 training centers. ◦ CFIT training requirement by all Part 121 air carriers and Part 142 training centers may require a rule. ◦ Will significantly delay CFIT training by all Part 121 air carriers. Risk Mitigation Plan: Pending successful completion of Handbook guidance that would require CFIT prevention training and TAWS rule making, the FAA and ATA continue to encourage voluntary CFIT prevention training by all Part 121 air carriers and Part 142 training centers. Implementation Progress:

Relevant Areas of Change:

Very Vulnerable

AoC Title Description Vulnerability

AoC_82 Decreasing In order to provide increased utilization of the Decreased separation standards may separation airspace, separation standards may decrease create situations where response to standards between runways, between aircraft, between TAWS alerts create additional hazards landing operations, and for vertical to other aircraft such as climb/descent separation. The risk of runway incursions into the paths of nearby aircraft when may also increase as a result. The reliability executing escape procedures. of technologies and procedures enabling reduced separation must be assured. An increasing number of aircraft are flying an expanding number of RNAV SIDs and STARs, RNP approaches, and GPS MEA airways may introduce an increased risk for CFIT in the event aircraft avoidance escape maneuvers are required due to closer proximity. AoC_129 Increasing Independent of demand trends, the ATM Increased separation responsibility pressure to system continues to require additional and operations in busier airspace with improve aviation capacity. As demand approaches capacity, decreased separation standards for system airlines increase load factors and reduce improved throughput may change the throughput schedules, the pressure to improve role of pilots and controllers. Complex

- 75 -

throughput will increase. Because of these new ATM systems will require conditions, SESAR and NextGen have been coordination between NextGen and designed to upgrade ATM. SESAR working groups to determine Potential hazards exist from these changes the impacts of these new, complex in: systems. The changing roles and - impacts of complexity responsibilities of both pilots and - international harmonization controllers that may result from - change of roles and responsibilities for pilot, concepts such as delegated controllers and others due to new concepts of separation [to the flight deck] will operation require evaluation and potentially - possible new systems such as a traffic revised procedures. optimizer, that will change operational paradigms and affect flight profiles, dispatching - policies, and other aspects of aircraft operation

These changes will require frequent safety and hazard assessment re-evaluation.

AoC_184 Increasing Flight Crews will be required to interact with The amount of information available to amount of an increased amount of information like the crew may become overwhelming information CPDLC data, traffic information on CDTIs for particularly when TAWS warnings are available to flight ASAS applications, electronic route combined with possible flight-deck crew manuals/flight bags and even the World Wide trajectory conformance monitors and Web. This information will likely be presented Vertical Situation displays in a self- on extra displays, requiring the crew to divide separation environment (likely no their attention. This information may be earlier than five years but this may integrated in existing systems or may be change). Prioritization of duties presented on a single screen that may becomes an important training item. introduce the problem of cluttering. Pilots will Multiple displays may divide the have to be trained to efficiently use the new attention of the crew and single data and interfaces. displays for multiple systems may exceed the information processing abilities of the flight crew and may delay into decision-making.

Somewhat Vulnerable

AoC Title Description Vulnerability

AoC_13 Increasing crew Increasing flight deck automation has Automation that generates control reliance on flight occurred as a result of increased workload for inputs arising from TAWS signals such deck automation the flight crew due to more complex as Honeywell’s EGPWS assisted for flight-path operational environments, aircraft systems recovery technologies may lead to a management, and navigation (traffic and weather). In future degradation of basic flying skills. Such separation ATM concepts, responsibility for separation systems may become so complex that assurance and may increasingly be delegated to the crews may not fully understand all terrain avoidance automated systems of the aircraft. As a result modes of operation. Training may of increased automation, the flight crew may need to emphasize how and why be placed in a monitoring role potentially these systems respond as they do. compromising their ability to intervene when necessary. Unfamiliar modes of aircraft automation may result in a perfectly normal flying aircraft suddenly taking on characteristics that the pilot has seldom or never previously encountered. Latent flaws in the display, or primary flight control system may go undetected, because not enough human-in-the-loop testing is performed, and the pilots are not trained about the philosophy of the automation.

- 76 -

AoC_22 Changing Advanced audio, tactile, and visual warning Increasing numbers of alarms related approaches to systems in aircraft cockpits may change crew to TAWS and terrain awareness cockpit warning workload and situational awareness. The systems (e.g., VSD) systems can be and alert proliferation of caution/warning systems and overloading and confusing. systems alerts may overwhelm the flight crew in Compressed training may result in an critical phases of flight. Consideration of incomplete understanding of such prioritization, total workload, and required alerts. Some warnings and alerts may situational awareness must precede be correct but different cultures may implementation of such systems. respond differently. Training may need to be revised to emphasize prioritization of multiple alerts and the need for complete system knowledge. AoC_43 Increasing Advanced automation is taking full advantage Evaluate future TAWS/Autopilot implementation of data sharing among what were previously interfaces that may function of highly- independent LRUs. As more crew functions independently of pilot input such as integrated, are automated there is a high reliance on the Honeywell’s EGPWS assisted interdependent integrity and fidelity of the data exchanged. recovery. flight-critical High and low criticality functions have aircraft systems traditionally been physically isolated are now Odd and unusual warnings may occur sharing computing and data bus resources. as a result of more highly integrated Software-based isolation and independence architectures and this information is much more "fluid" and difficult to assure needs to be properly prioritized and than relying on hardware. Lost or erroneous presented to the flight crew. This inputs can result in a cascade of effects on information often becomes “tribal the aircraft. Often, sensors are the lowest knowledge” but needs to be captured reliability components and therefore need to and disseminated to operators and be redundant to obtain the required system manufacturers. Passing on tribal safety. Unfortunately, identical sensors are knowledge is a poor substitute for used to achieve the redundancy. Therefore, good system knowledge and proper sensor failures could produce a single point training. failure of multiple devices. Complex systems increase the need for self-checks to verify Systems may determine failures software for accuracy and integrity. through monitoring of other systems- the crew may be unaware of pending failures that have been detected minutes earlier by monitoring algorithms. CFIT training should include complete system knowledge of these highly integrated, interdependent, flight critical systems that may incorporate novel automated responses to TAWS signals. AoC_47 Changing human Increasing understanding of the CFIT training for more automated flight factors capabilities/limits of human performance and systems should include additional assumptions for of best practices for human-machine human in the loop testing to merge implementing interaction. Increasing pressure to augment human capabilities with advances in automation humans with automated systems and/or automation. decision-support systems may characterize future design philosophies. There may be an increasing need to adequately design systems from the start to take advantage of human flexibility and creativity and to augment human abilities and limitations with computers in ground and aircraft systems.

AoC_185 Introduction of Future flight decks may contain, or be Training should include a full artificial expected to interact with, software "intelligent understanding of the very complex intelligence (self agents." The characteristics of these agents and unique characteristics that future learning) in may differ significantly from most software flight decks may contain such as

- 77 -

avionics tools in use today. These tools may: EGPWS assisted recovery. This may - be very complex be outside the 3-5 year time frame but - including intent and reasoning systems not any system that may take limited well understood by the pilot control away from the flight crew could - have unique, unfamiliar, and unanticipated become a vulnerability to CFIT characteristics and interfaces training. - approach a semi-autonomous status with interfacing systems To what extent should “learned” These systems could present new behavior acquired by such avionics in unforeseen risks, especially if these systems one aircraft be shared among other are given limited control of the vehicle aircraft in the fleet? independent of the crew. How does the flight crew know that the avionics is now behaving differently based upon its “learning?” AoC_187 Shift in With the introduction of technologies like New procedures may be required to responsibility for ASAS (Airborne Separation Assistance help flight crews prioritize tasks due to separation Systems) and ADS-B (Automatic Dependent an inevitable shift toward responsibility assurance from Surveillance), future flight crews may be for separation, merging, and ATC to flight faced with increased responsibility for sequencing from the ground to the crew separation assurance during all phases of flight deck. Task overload resulting flight. One example is Airborne Information from changes in flight crew roles may for Lateral Spacing (AILS) approaches to increase the risk of CFIT. Flight crews close parallel runways in Instrument are particularly concerned about the Meteorological Conditions (IMC) will increase uncertainty of who is responsible for the capacity of parallel runways to be separation and how such transitions equivalent to those in VMC conditions. Future between ground and air responsibility operational concepts shift the responsibility are made clear. for separation and appropriate evasive maneuvers from ATC to the flight deck.

AoC_189 Shifting Previously many flight crew were drawn from CFIT training may require revisions to demographics the ranks of retired military personnel with accommodate pilots who have from military to significant military flight experience and received their training through civilian civilian trained training. In the future pilots will more than schools in lower performance aircraft. pilots likely be drawn from civilian flight schools. This demographic shift may result in diminished basic airmanship including aircraft energy management, lack of aircraft system knowledge and diagnostic skills, manual handling, ability to operate advanced aircraft in abnormal situations/attitudes, and recover from unanticipated situations when there is no checklist.

AoC_202 Increasing Simulator training time is becoming more A shortened, compressed training pressure to compressed. In order to save time and period must contain CFIT recognition, shorten and money: escape, and recovery curricula. During compress pilot - emergency/abnormal scenarios are being simulator training, routine flight training combined together, even though the events scenarios with CFIT risks may be are extremely unlikely to occur together more beneficial than situations that are - recent accident scenarios are emphasized extremely unlikely to occur. and "Routine" flight operations are under- Job changes and retirements may emphasized create a situation in which two pilots, - more training is being added without both with shortened, compressed, analyzing the current curriculum to remove training regiments, are flying in unnecessary or redundant segments significant CFIT risks without proper training.

Both Somewhat Vulnerable and Somewhat Beneficial

- 78 -

AoC Title Description Vulnerability AoC_21 Implementation The future evolution of weather monitoring Advanced cockpit weather systems of advanced systems (i.e. advanced supplementary may allow more frequent flight in supplementary cockpit weather information systems) will weather and terrain with a higher CFIT cockpit weather allow aircraft to identify, and then fly routes risk. The increasing use of non- information that have the most favorable weather. As this certified devices for weather display systems technology expands in use, the density of could also increase CFIT risk. these routes may rise accordingly. Dependence on the reliability of non-certified New, certified weather displays will equipment (i.e. smart phones) may become also make it possible to decrease an issue if pilots become dependent on a CFIT risk my identifying safer routes to platform that does not have an inherent fly. safety function.

AoC_188 Introduction of Current check-and-training systems Conventional training methods may new training developed to maintain flight standards on not be suitable for advanced aircraft methodologies earlier generation aircraft may not necessarily featuring fundamentally different for operation of cover all issues relevant to operation of aircraft system architectures and flight advanced aircraft advanced aircraft. deck concepts. CFIT training may Research must be pursued to: require updating for advanced aircraft - define the changing profile of job due to new equipment and a changing qualifications needed by applicants pilot demographic. Today’s teaching - devise efficient methods and tools by which methods may not fit the future pilot to select qualified candidates without high population. attrition costs - develop and validate advanced training Newer designed aircraft should delivery systems that meet future staffing and include updated CFIT training prior to training requirements certification. - create cost-effective new equipment training guidelines and procedures New training methodologies could be - provide integrated team training for all monitored through actual FAA test aviation operations scores versus pass/fail data. - address training for mixed fleet and multi- cultured crews - evaluate and remediate skill decay for diagnostic and complex operational tasks

Nature of Vulnerabilities: • With expected advanced procedures and reduced separation criteria, there will be smaller margins for error in situations involving Controlled Flight Toward Terrain, especially for escape maneuvers following TAWS warnings. AoCs 82, 129, 187 • Training issues related to supplementary cockpit display and alert systems • Human factors issues due to more complex human/automation interactions • Changing flight crew responsibilities due to changing ATM rules

Major Interaction Effects: • Major areas of concern are the consequences of integrating decreased separation standards, limited delegation of separation responsibility from the ground to the flight deck, and procedures for new flight control capabilities such as Assisted Recovery from unusual attitudes and terrain proximity. • Integration of existing TAWS with new Vertical Situation Displays and proposed

- 79 -

Assisted Recovery/Terrain Avoidance avionics must not degrade current high level of CFIT safety performance. • Other integration concerns involve harmonizing automation for the prevention of CFIT and the training programs needed to provide flight crew with appropriate systems understanding to know why and how this automation is behaving in flight. Adverse mental states and physical/mental limitations can be directly linked to the inability of pilots to cope with confusing automation behavior.

Near-term Changes to Baseline Risk or New Risks: • Flight crew error may be more likely if proper prioritization of alerts generated by new and supplementary flight deck display systems nominally intended to reduce CFIT probability is not given adequate attention in procedures development and recurrent training. • With an increasing number of low-time pilots being hired into the system in the next few years, the lack of deep systems knowledge of how certain CFIT-prevention automation works may create increased probability of crew error.

Longer-term Changes to Baseline Risk or New Risks: • CFIT accidents are quite rare now even with existing flight deck warning systems. Implementation of proposed new and supplementary avionics and flight control systems must not degrade current safety levels. Extreme care must be exercised in introducing new technologies for CFIT prevention and there associated training regimens to avoid unintended consequences.

Precursors, Watch Items, and System-wide Measurements that Could Indicate Vulnerability: • Monitor the numeric test scores of individual flight crew training modules rather than whether the pilot simply passes or fails the full suite. Much insight could be gained by trending performance percentages rather than percent of applicants failing. • Query ASRS databases and other sources for incidents in which flight crew became overwhelmed with flight deck information during events leading up to Controlled Flight Toward Terrain or TAWS warnings. • Monitor the number of new cautions/warning/alerts being introduced into the flight deck from concepts such as Vertical Situation Displays and Assisted Recovery/Terrain Avoidance flight controls operating independently of the flight crew.

- 80 -

SE 26: LOC Policies and Procedures

Summary information from SE 26 DIP: Summary of SE: The purpose of this project is to ensure that all airline operators publish and enforce clear, concise, and accurate flight crew standard operating procedures (SOP). These procedures should include expected procedures during pre/post flight and all phases of flight i.e.: checklists, simulator training, PF/PNF duties, transfer of control, automation operation, rushed and/or unstabilized approaches, rejected landings and missed approaches, in-flight pilot icing reporting, and flight crew coordination. Operator instructors and check airman should ensure these SOPs are trained and enforced in their aircrew proficiency and standardization programs. The establishment, maintenance, and appropriate use of flight crew SOPs in accordance with AC 120 71 (Standard Operating Procedures for Flight Deck Crewmembers) will improve aviation safety. Date of Approval: February 2003 Risk description: Low-Medium Risk. The revision of the SOP information is a relatively low-risk activity because the operators participated in the initial ATA SOP review and AC 120-71 design. The operators should be willing to address the LOC intervention information and make appropriate revisions. The only medium-risk items that can be identified at this point are: • The timeframe involved in the review and recommendations to the operator SOPs and AC. • The timeframe to write and implement the revised AC and FSAT. • The willingness of the operators to review and revise their manuals based upon a new set of guidelines and their staff time in competition with other projects. Risk mitigation plan: The project will include the operators as team-members of the SOP information review/revision process. This will provide them the opportunities to voice concerns at the early stages of information re-design to hopefully mitigate the risks later in the process. The success of this project may depend on operators' willingness to revise long-standing procedures. The use of SOPs has been encouraged through many other recent industry activities such as the CFIT Training Aid, CFIT Training Document, Flight Safety Foundation CFIT ALAR report, and the ICAO cover letter accompanying the CFIT Training Document. Implementation progress: Guidance was issued in 2003. Since this is an old SE, and addresses procedures, implementation should be fairly well established.

Relevant Areas of Change:

Very Vulnerable

AoC Title Description Vulnerability

- 81 -

are extremely unlikely to occur together confidence and promote - recent accident scenarios are emphasized understanding of the desired and "Routine" flight operations are under- maneuvers. In simulators pilots are emphasized exposed to so many complete failures - more training is being added without that routine failures may be left out in analyzing the current curriculum to remove an effort to compress training time. unnecessary or redundant segments Rarely are simulations frozen in the unusual attitude prior to executing the recovery maneuver. G-loading is important in learning the maneuvers but compressed training is de- emphasizing full-motion simulations.

AoC_205 Increasing risk of Future flight operations might bear the risk of Effectiveness of LOC guidance flight crew fatigue increased fatigue of flight crews. This may depends on its interpretation by result from: individual companies or operators. - ultra long range flights with minimum crew Airlines are not always compliant with - harmonized European legislation allowing advisory circulars. They can still longer flight duty times operate in compliance with AC and still - increased regional operations have poor fatigue policies in place, - increased pressure on crews to improve especially regional airlines. Company economics and crews operate to accommodate. - passenger and crew screening The regulation addressing fatigue has requirements recently changed, but the effectiveness has not yet been evaluated and may not be specific enough.

There are reports from crews that indicate that airlines, particularly those involved in long haul, are applying to the civil authority for routes by quoting sector times that are very tight in the Flight Time Limitation (FTL) terms available to meet the actual flight time under normally circumstances, but are even more unrealistic when the sectors are being flown with the lowest cost indices possible, which often the case in these austere, fuel conscious days. These become even worse when unrealistic, short turn round times are scheduled into airports in order to stay within FTL. In addition, duty report times are often being squeezed on these operations leaving insufficient time for crews to brief themselves correctly - particularly for those airlines with a poor NOTAM collation and prioritization arrangements.

- 82 -

looking for new hires all at the same time is in numbers we haven't seen before. A good idea at a time when it may be more difficult to implement than we care to admit.

Somewhat Vulnerable AoC Title Description Vulnerability

AoC_1 Introduction of Improvements to the modern airplane may While any certified aircraft should be new aircraft occur as a result of breakthroughs in many capable of recovery from loss of types fields permitting evolutionary improvements in control situations, LOC may occur performance, improved computational when the automation is operating at a capabilities permitting multidisciplinary degraded level. Training on advanced analysis and design, and use novel ideas to aircraft that are heavily automated and redesign the airplane. Future aircraft should flight-envelope protected may be be designed and built to accommodate conducted with the automation retrofits that can be made without degrading assumed to be at maximum safety functionality. Procedures developed at the time of this safety enhancement (2003) may need to be updated for aircraft arriving on the scene in the next five years. AoC_11 Increasingly Not all aircraft may have the same level of In a perfect world, airplane heterogeneous equipage in the future. The variation in manufacturers and/or airlines would aircraft fleets sophistication of digital and develop a single set of SOPs so that (varying electromechanical systems within an pilots could follow a consistent set of software, individual aircraft type must also be procedures. equipment, considered. An unavoidable mix of new and capabilities, etc.) reused (legacy) software is a future trend and Common theme SOPs are more there may be increasing numbers of regional challenging for airlines with mixed jets equipped with possibly more advanced fleets. Air Operators Certificate avionics than legacy aircraft. This could lead holders should write their SOPs to to flight crew confusion and problems include the recommendations from the maintaining situational awareness. manufacturer. For decades, many operators of mixed fleets have insisted their pilots operate a variety of types the same way. However, aircraft manufacturers may have designed the aircraft with totally different operating philosophies. AoC_13 Increasing crew Increasing flight deck automation has Over-confidence in automation, a lack reliance on flight occurred as a result of increased workload for of understanding of what the deck automation the flight crew due to more complex automation is trying to achieve, and for flight-path operational environments, aircraft systems possible loss of manual flying skills management, and navigation (traffic and weather). In future presents the potential for pilots to lose separation ATM concepts, responsibility for separation situational awareness and “get behind assurance and may increasingly be delegated to the the airplane.” Critical and non-critical terrain avoidance automated systems of the aircraft. As a result functions can become blurred in use. of increased automation, the flight crew may There is the potential for greater loss be placed in a monitoring role potentially of flight critical functions and crew compromising their ability to intervene when understanding of failure cases. necessary. Unfamiliar modes of aircraft automation may result in a perfectly normal flying aircraft suddenly taking on characteristics that the pilot has seldom or never previously encountered. Latent flaws in the display, or primary flight control system may go undetected, because not enough human-in-the-loop testing is performed, and

- 83 -

the pilots are not trained about the philosophy of the automation. AoC_43 Increasing Advanced automation is taking full advantage Systems that formerly were implementation of data sharing among what was previously independent are now integrated; one of highly- independent LRUs. As more crew functions failure may cause all of them to fail. integrated, are automated there is a high reliance on the Checklists and SOPs must include interdependent integrity and fidelity of the data exchanged. more system checks and cross flight-critical High and low criticality functions have checks. Lost or erroneous signals aircraft systems traditionally been physically isolated are now may make recognition and recovery sharing computing and data bus resources. more difficult in these highly integrated Software-based isolation and independence systems. is much more "fluid" and difficult to assure than relying on hardware. Lost or erroneous inputs can result in a cascade of effects on the aircraft. Often, sensors are the lowest reliability components and therefore need to be redundant to obtain the required system safety. Unfortunately, identical sensors are used to achieve the redundancy. Therefore, sensor failures could produce a single point failure of multiple devices. AoC_67 Increasing Aviation-related businesses have engaged in There a risk of non-standardized economic partnership and outsourcing activities for implementation of safety processes incentives to many years, but recently the pace and scope like SMS across organizations. form partnerships of aviation outsourcing has increased. While SOPs developed under contract may and outsource considerable opportunities exist, businesses not be in accordance with organizational need to prepare carefully and take into manufacturers recommendations. This activities consideration a plethora of strategic, may create situations in which business, operational and legal issues in inappropriate SOPs are applied to a deciding what to outsource and whether to particular aircraft. form partnerships. Added complexity in organizations tends to degrade prior, robust, Operators are not likely to have the aviation cultures that were previously based resources and the incentives to adopt on personal relationships. consensus policies and procedures relating to mode awareness and This has been seen in: energy state management or to -The outsourcing of aviation maintenance and introduce new training programs. engineering by nearly every major airline. Airlines are under constant pressure to - Increasing US airport reliance on cut costs. outsourcing a wide range of facilities and services. -The emergence of virtual airlines where aircraft are owned by a leasing company and operated by a separate airline entity -Airlines, IT vendors -Complex industrial partnerships between engine, airframe, component and system manufacturers AoC_80 Loss of design, The knowledge of why aircraft are designed There is a risk of complacency in that operational, and as such, how key maintenance is to be operational practices may be blindly maintenance performed, and why the operational rules are continued without validating original knowledge as they are is being lost due to long product design assumptions. Front-line staff design cycle times, extended product life, and may not be familiar with the historic increasing staff turn over. Unforeseen uses rationale behind an SOP requirement of the product (such as operation at higher related to loss of control. load factors) also present special challenges in order to maintain safe operations. Failure to document and archive design data, initial specifications, test data, and lessons learned may also increase safety risk.

- 84 -

AoC_82 Decreasing In order to provide increased utilization of the Decreasing separation standards separation airspace, separation standards may decrease required under new ATC operating standards between runways, between aircraft, between rules may require updated flight deck landing operations, and for vertical procedures to avoid situations in which separation. The risk of runway incursions flight crew actions in response to may also increase as a result. The reliability closer aircraft may result in loss of of technologies and procedures enabling control. reduced separation must be assured. AoC_122 Accelerated Economic pressures to recruit needed pilots The true situation may actually be the transition of pilots for Part 121 operations will likely result in transition of pilots trained in complex, from simple to more rapid transition of trainees from simple advanced flight decks being assigned complex aircraft to complex aircraft. Current certification to simpler, less advanced aircraft. standards may need to be revisited in light of Inexperienced flight crew is the true this phenomenon. Training curricula must issue. SOPs developed for one provide the skills needed for command of aircraft type may not be applicable to complex, advanced aircraft. another aircraft. Accelerated transitions may not adequately highlight the important subtleties between the SOPs.

Previous experience in simple or complex aircraft and frame of reference is critical as is the ability to see through problems and into the reality of the situation. Seeing through the problem has been difficult to train into pilots under the current regime. The capability to see the big picture is something that comes from an experiential basis. So if you only ever fly reliable aircraft with reliable systems where do you get your experience?

There is a vast repository of these experiences in the database that is worthy of further exploration. It is within this material that the roots of advanced training will be found. AoC_129 Increasing Independent of demand trends, the ATM Pressure to keep airport acceptance pressure to system continues to require additional rate high may result in procedures improve aviation capacity. As demand approaches capacity, such as late runway changes. These system airlines increase load factors and reduce last-minute clearances increase the throughput schedules, the pressure to improve risk for aircraft on a stabilized throughput will increase. Because of these approach being put in situations where conditions, SESAR and NextGen have been the crew cannot follow SOPs or have designed to upgrade ATM. enough time to re-program the FMS. Potential hazards exist from these changes in: - impacts of complexity - international harmonization - change of roles and responsibilities for pilot, controllers and others due to new concepts of operation - possible new systems such as a traffic optimizer, that will change operational paradigms and affect flight profiles, dispatching - policies, and other aspects of aircraft operation

These changes will require frequent safety

- 85 -

and hazard assessment re-evaluation.

AoC_148 Increasing Hostile acts against the aviation system are Because prank or hostile lasing of frequency of manifested in several ways: aircraft cockpits typically occurs at hostile acts - cyber attacks on data links, databases and lower altitude where aircraft loss of against the digital/ electromechanical systems, jamming control has more serious aviation system resulting in loss of RF signals used for critical consequences, the procedures CNS functions and FADEC operation. described in this Safety Enhancement - increasing sophistication and proliferation of may need to be updated to reflect new explosive materials, biological/chemical toxic crew coordination required following a agents, and anti-aircraft weapons. lasing event. In additional, depending - increasing frequency of distraction, glare on the trend in lasing events, and temporary flash blindness from easily technology fixes involving adaptation available and low cost of high-strength lasers of low response time aircraft window shielding from the military domain may be required. AoC_184 Increasing Flight Crews will be required to interact with New or revised procedures must be amount of an increased amount of information like put in place to give pilots guidance on information CPDLC data, traffic information on CDTIs for processing and responding to new available to flight ASAS applications, electronic route information sources and displays that crew manuals/flight bags and even the World Wide present flight-critical information such Web. This information will likely be presented as terrain clearance. For systems on extra displays, requiring the crew to divide presenting nearly identical information their attention. This information may be such as EGPWS and Vertical Situation integrated in existing systems or may be Displays, procedures must be presented on a single screen that may developed for prioritizing and selecting introduce the problem of cluttering. Pilots will the most reliable decision support tool have to be trained to efficiently use the new among the many options. data and interfaces. AoC_189 Shifting Previously many flight crew were drawn from Because of the larger percentage of demographics the ranks of retired military personnel with civilian pilots entering the workforce from military to significant military flight experience and (compared with military trained) SOPs civilian trained training. In the future, pilots will more than will need to be more specific and not pilots likely be drawn from civilian flight schools. assume domain knowledge delivered This demographic shift may result in in military training curricula. diminished basic airmanship including aircraft energy management, lack of aircraft system knowledge and diagnostic skills, manual handling, ability to operate advanced aircraft in abnormal situations/attitudes, and recover from unanticipated situations when there is no checklist. AoC_200 Increased Advanced desktop training environments are Some skills simply cannot be learned dependence on being proposed that may have serious in synthetic CBTs. If pilots are trained synthetic training shortcomings compared with full-fidelity flight to expect or feel incorrect sensations in lieu of full- simulators. Some aspects (such as aircraft or they have not received enough fidelity simulators dynamics) are best covered using high fidelity training for the failure scenario, they simulators, while others can be tackled using may not be able to make the right simpler approaches. Part-task trainers and decisions in emergency situations. In limited range of motion high-fidelity simulators some cases (particularly upset may not sufficiently emulate loss-of-control recovery) training in an actual situations to enable effective upset recovery aerobatic airplane would be best. training. These types of training simulators Some airlines have already adopted can lead to negative transfer of training. this approach. In addition, regulations However, some simulators may be effective regarding simulator fidelity are in training for recognition and early detection unclear. of the conditions preceding loss of control situations. Implementation may be more widespread due to lower cost of part-task trainers. For certain accident types, training may not help; aircraft changes may well be

- 86 -

necessary. Upset prevention (via recognition) may improve using part-task simulators, but actual ability to recover from unusual attitudes may worsen.

Both Somewhat Vulnerable and Somewhat Beneficial AoC Title Description Vulnerability AoC_188 Introduction of Current check-and-training systems Simulation capability within present new training developed to maintain flight standards on day CBTs brings a whole new level of methodologies earlier generation aircraft may not necessarily fidelity to the training delivery. This for operation of cover all issues relevant to operation of can also be web deployed to the advanced aircraft advanced aircraft. financial relief of the customer airline Research must be pursued to: and the learning benefit for the student - define the changing profile of job pilot. As this approach to training is qualifications needed by applicants developed and improved the industry - devise efficient methods and tools by which will benefit through further to select qualified candidates without high implementation of high fidelity attrition costs simulation content of the aircraft being - develop and validate advanced training learned. New training methodologies delivery systems that meet future staffing and are primarily reflected in adoption of training requirements computer based training systems. - create cost-effective new equipment training SOPs must reflect the limits and guidelines and procedures benefits of such revised simulators. - provide integrated team training for all aviation operations - address training for mixed fleet and multi- cultured crews - evaluate and remediate skill decay for diagnostic and complex operational tasks AoC_47 Changing human Increasing understanding of the Major changes in flight deck factors capabilities/limits of human performance and procedures may be required as flight assumptions for of best practices for human-machine decks are increasingly designed to implementing interaction. Increasing pressure to augment accommodate human cognitive automation humans with automated systems and/or strengths and weaknesses. The decision-support systems may characterize improved designs may allow for future design philosophies. There may be an simpler and more intuitive procedures, increasing need to adequately design but procedures must be changed to systems from the start to take advantage of account for this. human flexibility and creativity and to augment human abilities and limitations with computers in ground and aircraft systems. Nature of Vulnerabilities : • Shortened and compressed training may miss more frequent routine failure scenarios in favor of rare events that are required by regulators. AoC 202 • Pilot type training is driven by the Practical Test Standards (PTS) requirements for the issuance of a type rating. The PTS does not take into account the wide variations in aircraft types. Type rating training is geared to meeting the PTS requirements and the successful completion of the type check ride. There is little or no space in the current type rating training curriculum for the additional recommendations of the NTSB and FAA following the recent rash of aircraft accidents, especially LOC. This type of training recommended by these agencies is additional cost and would require specialty training. AoC 202 • With regard to Upset/LOC, presently most Type Rating Training Organizations (TRTO) do not provide this kind of specialty training and it would require several things on the part of the TRTO. Instructors would have to be taught Upset

- 87 -

Recovery, certified as Upset Recovery Instructors and a specialty course designed for these newly qualified instructors to instruct. In the case of Bombardier, it is unlikely that this TRTO will take this on. We believe it to be a licensing issue and something that should be addressed during the initial phase of pilot training before they show up at TRTO for type training. We believe this to be the case for other major manufacturersas well. Individual airlines may decide to provide this kind of specialty training to their crews. AoC 202 • Effectiveness of LoC prevention guidance depends on its interpretation by individual companies or operators. Airlines are not always compliant with Advisory Circulars. They can operate in compliance with regulations and yet have poor fatigue policies in place, especially regional airlines. AoC 205 • There is a risk of conducting training for operation of advanced aircraft with all automation assumed to be fully functional. Training in aircraft that are heavily automated and flight-envelope protected must be conducted with realistic functionalities that should reflect realistic degraded modes. Training programs should be optimized to cover more realistic scenarios with automation operating at “MEL” levels. AoC 13 • Air Operator Certificate holders writing their own SOPs and ignoring what the manufacturer has recommended. AoC 11 • Although simulation capabilities within present day CBTs brings a whole new level of fidelity to training delivery, the lack of standardized policies and procedures covering synthetic training may have undesirable consequences. AoC 200 • Re-draw/re-formulate the total training scheme – ab initio/type-training/re-current- training/special training – if only because an engine failure exactly at V 1 will not be the most frequent hazard for the average pilot. AoC 202 • Re-examine what should be trained on an EBT/CBT and what in full motion simulators with emphasis on use and type of automation as well as advanced maneuver training in simulators that adequately mimic the vestibular environment for the crew. AoC 122, 202

Major Interaction Effects: • Interactions between stiffer hiring standards and new fatigue rules. New regulations for minimum hours and new rules for flight crew duty cycles impose a hardship on crewing for operators. As a consequence operators will have to recruit additional pilots at a time when regulations impose stiffer entry level qualifications for Part 121 flight crew, and at time when retirements are about to increase. An additional concern is that airlines will be looking for new hires all at the same time in numbers we haven't seen before. • Compressed pilot training may not cover all critical aspects of the sophisticated behavior of advanced avionics. • What is routinely trained does not reflect the realities of typical degradations in the performance of automation and other systems observed in service. • Practical Test Standards (PTS) requirements for the issuance of a type rating do not take into account the wide variations in aircraft types. PTS only partially reflect the realities of the operational world.

- 88 -

Near-term Changes to Baseline Risk or New Vulnerabilities: • Failure to implement the revised Advisory Circulars and Flight Standards Information Bulletins for Air Transportation (FSATs). • Reluctance of operators to review and revise their SOPs due to a new set of advisory material, demographics changes (pilot population) and the need to update training to address common degraded operating modes.

Longer-term Changes to Baseline Risk or New Vulnerabilities: • Today's approach to SOP design for flight crews of new aircraft may need to be modified to account for the changing demographics and technology. • Advanced automation that features artificial (self-learning) underlying principles will require specific training in how this type of automation behaves. • SOPs will have to be written so that flight crew can be responsible for separation and route changes. Extreme care must be taken in drafting SOPs that will adequately handle system degradations and failures. • Automation sophistication must reflect the current understanding of the strengths and weaknesses of human behavior and the limits of automation. Flight crew may lose situational awareness unless the automation decision-support tools present information appropriately in dynamic situations. This may require an adaptive- automation approach.

Precursors, Watch Items, and System-wide Measurements that Could Indicate Vulnerability: • Conduct regular surveys of the pilot population to assess demographics changes that may indicate the need for revised training methods and content. • Determine any significant differences between scenarios in mandated training syllabi and relative frequency of degradation/failure scenarios that are happening in the operational world. • In addition to continued monitoring of ASRS and FOQA data for increasing instances of rushed and/or unstabilized approaches, rejected landings and missed approaches, in-flight pilot icing reporting, and flight crew coordination failures, correlate these assessments with aircrew proficiency and standardization programs in particular airlines. • Monitor trends in lasing of aircraft and development of mitigation technologies. • Monitor application for certification of avionics based on self-learning algorithms.

- 89 -

SE 30: Human Factors and Automation

Summary information from SE 30 DIP Summary of SE: To reduce loss of control accidents, Part 121 air carriers will be encouraged to adopt consensus policies and procedures relating to mode awareness and energy state management, as appropriate to their respective operations. To improve the overall performance of flight crews to recognize and prevent loss of control accidents, through effective use of automation. Date of Approval: May 2006 Risk Description: None in DIP Risk Mitigation Plan: None in DIP Implementation Progress: Outputs, including upset recovery training guidance and videos, are available at http://www.faa.gov/other_visit/aviation_industry/airline_operators/training/

We are unsure how many airlines or training organizations have implemented this training.

Relevant Areas of Change:

Very Vulnerable

AoC Title Description Vulnerability

AoC_22 Changing Advanced audio, tactile, and visual warning Changes to alerting systems approaches to systems in aircraft cockpits may change crew philosophies will require updating the cockpit workload and situational awareness. The outputs of this Safety Enhancement. warning and proliferation of caution/warning systems and If additional warning information is alert systems alerts may overwhelm the flight crew in critical available, current guidance may phases of flight. Consideration of prioritization, become obsolete. Research suggests total workload, and required situational that crews have difficulty coping with awareness must precede implementation of more than 6 aural flight deck alerts. such systems. However, ever more alerts are being mandated (low speed aural following the Turkish airlines accident). Aural alerts must be carefully integrated with visual warnings. AoC_80 Loss of design, The knowledge of why aircraft are designed as Loss of knowledge of the rationale operational, such, how key maintenance is to be behind automation policies and and performed, and why the operational rules are procedures related to mode maintenance as they are is being lost due to long product awareness and energy state knowledge design cycle times, extended product life, and management may result in increasing staff turn over. Unforeseen uses of inappropriate updates by current the product (such as operation at higher load personnel. factors) also present special challenges in order to maintain safe operations. Failure to document and archive design data, initial specifications, test data, and lessons learned may also increase safety risk. AoC_184 Increasing Flight Crews will be required to interact with an Automation policies and procedures amount of increased amount of information like CPDLC will require substantial cooperation to information data, traffic information on CDTIs for ASAS obtain consensus that may not be available to applications, electronic route manuals/flight readily adopted by all carriers if they flight crew bags and even the World Wide Web. This limit their capabilities provided by the information will likely be presented on extra new information systems. New

- 90 -

displays, requiring the crew to divide their procedures will involve greater CRM attention. This information may be integrated and increased training in the already in existing systems or may be presented on a full training syllabi. There are known single screen that may introduce the problem FANS Controller Pilot Data Link of cluttering. Pilots will have to be trained to Communications (CPDLC) incidents: efficiently use the new data and interfaces. Erroneous Presentation of ATC LOG Data. Aircraft operators and Air Navigation Service Providers have already been warned about the potential for erroneous presentation of ATC LOG data to flight crew while in Oceanic FANS CPDLC operation. See: http://www.skybrary.aero/index.php/S afety_Warning_Message,_20100608, _FANS_CPDLC:_Erroneous_ATC_L og_Data_Presentation

Past uses of CPDLC have been for non-time-critical communications. Future use of CPDLC may involve time-critical communications such as separation information.

Electronic Flight Bag (EFB) implementation may be helpful, but must be managed with care. Will flight critical information relative to mode awareness and flight path management be provided by this auxiliary device?

AoC_189 Shifting Previously many flight crews were drawn from There is a risk that fast track training demographics the ranks of retired military personnel with may de-emphasize key skill needed from military to significant military flight experience and for mode awareness and energy state civilian trained training. In the future pilots will more than management. New pilots may bring a pilots likely be drawn from civilian flight schools. This mindset of what do I need to know to demographic shift may result in diminished maintain my currency. basic airmanship including aircraft energy management, lack of aircraft system Automation is changing the skills knowledge and diagnostic skills, manual required by flight crew from flying and handling, ability to operate advanced aircraft in airmanship to computer operation. abnormal situations/attitudes, and recover There is a lack of opportunity to from unanticipated situations when there is no practice skills or using basic standby checklist. instruments because SOP does not permit the practice in revenue service.

The core military training philosophy of “FLY THE AIRPLANE” may not be prevalent in non-military trained pilot populations.

AoC_200 Increased Advanced desk-top training environments are Computer Based Desktop Simulation dependence being proposed that may have serious to execute energy state management on synthetic shortcomings compared with full-fidelity flight procedures will not provide training in lieu simulators. Some aspects (such as aircraft representative conditions to the pilot. of full-fidelity dynamics) are best covered using high fidelity Conditions that have resulted in LOC simulators simulators, while others can be tackled using accidents may not be adequately simpler approaches. Part-task trainers and simulated in CBT. Recognition of limited range of motion high-fidelity simulators adverse changes in aircraft energy may not sufficiently emulate loss-of-control state in synthetic training devices

- 91 -

situations to enable effective upset recovery may not be fully representative of training. These types of training simulators flight conditions provided by full- can lead to negative transfer of training. motion simulators. However, some simulators may be effective in training for recognition and early detection of the conditions preceding loss of control situations. Implementation may be more widespread due to lower cost of part-task trainers. For certain accident types, training may not help; aircraft changes may well be necessary. Upset prevention (via recognition) may improve using part-task simulators, but actual ability to recover from unusual attitudes may worsen. AoC_202 Increasing Simulator training time is becoming more Additional training requirements pressure to compressed. In order to save time and (more SOPs) are being added to an shorten and money: already full training syllabus. compress pilot - emergency/abnormal scenarios are being training combined together, even though the events Pilot type training is driven by the are extremely unlikely to occur together PTS requirements for the issuance of - recent accident scenarios are emphasized a type rating. The PTS does not take and "Routine" flight operations are under- into account the wide variations in emphasized aircraft types. Type rating training is - more training is being added without geared to meeting the PTS analyzing the current curriculum to remove requirements and the successful unnecessary or redundant segments completion of the type check ride. There is little or no space in the current type rating training curriculum for the additional recommendations in the arena of mode awareness and energy state management of the NTSB and FAA following the recent rash of aircraft accidents, especially LOC. The supplemental training recommended by these agencies will come at additional cost and would require specialized certification. With regard to Upset/LOC, presently most TRTOs do not provide this kind of specialty training and it would require several things on the part of the TRTO. Instructors would have to be taught Upset Recovery, certified as Upset Recovery Instructors and a specialty course designed for these newly qualified instructors to instruct. In the case of Bombardier, it is unlikely that this TRTO will take this on. We believe this to be a licensing issue and something that should be addressed during the initial phase of pilot training before pilots show up at OEM or airline training facilities. This kind of specialty training should be left to the individual airlines to provide their crews if their operational environment demands it – a risk- based approach.

There is a risk that “fast-track” training that doesn’t confer students with a deep, domain-specific

- 92 -

knowledge of aerodynamics and aircraft systems - minimum functional proficiency that results in a minimum functional level of safety – may results in a shallow level of aviating. There is one organization that is addressing this problem: The Professional Aviation Board of Certification (PABC). The PABC is an organization of experienced industry professionals who are seeking to establish an industry wide consensus on requisite levels of academics, training, and experience to quality for certain professional positions such as Corporate Pilot or Regional and Major Airline First Officer. Their approach is to engage industry in the process of defining the minimum education and training standards for employment.

Somewhat Vulnerable

AoC Title Description Vulnerability

AoC_11 Increasingly Not all aircraft may have the same level of Confusion as to the functions of the heterogeneous equipage in the future. The variation in systems and the interdependencies to aircraft fleets sophistication of digital and various equipment failures and the (varying electromechanical systems within an required procedures for energy state software, individual aircraft type must also be management. equipment, considered. An unavoidable mix of new and capabilities, reused (legacy) software is a future trend and Confusion resulting from configuration etc.) there may be increasing numbers of regional differences and lack of understanding jets equipped with possibly more advanced of the system functions between the avionics than legacy aircraft. This could lead older (steam gages) and newer to flight crew confusion and problems (digital) systems may degrade mode maintaining situational awareness. and energy state awareness. AoC_13 Increasing Increasing flight deck automation has More reliance on automation has to be crew reliance occurred as a result of increased workload for carefully evaluated in order to maintain on flight deck the flight crew due to more complex the effectiveness of the procedures. automation for operational environments, aircraft systems Increasing reliance on automation may flight-path and navigation (traffic and weather). In future increase the gap between crew management, ATM concepts, responsibility for separation understanding of the systems and the separation may increasingly be delegated to the role the systems play in flying the assurance and automated systems of the aircraft. As a result airplane. The rigor with which crew terrain of increased automation, the flight crew may follow the appropriate procedures may avoidance be placed in a monitoring role potentially be adversely affected by this lack of compromising their ability to intervene when systems knowledge necessary. Unfamiliar modes of aircraft automation may result in a perfectly normal Another vulnerability has to do with flying aircraft suddenly taking on new technology. Flight deck characteristics that the pilot has seldom or technologies such as terrain displays never previously encountered. Latent flaws are likely to reduce development of in the display or primary flight control system improved CFIT prevention training or may go undetected, because not enough procedures. A prevailing assumption human-in-the-loop testing is performed, and is that with terrain and Vertical the pilots are not trained about the philosophy Situation Displays, the crew will of the automation. maintain terrain awareness and avoid CFIT/LOC. Other technologies that may be less directly related (like GPS, or improved radar coverage) can also

- 93 -

reduce motivation to practice key CFIT/LOC avoidance techniques given the assumption by designers and flight crew that the technology will always work correctly and that the crew will always be aware of the information presented by the technology. Both assumptions are wrong.

While any certified aircraft should be capable of recovery from loss of control situations, LOC may occur when the avionics automation is operating at a degraded level. Training on advanced aircraft that are heavily automated and flight-envelope protected is typically conducted with the automation assumed to be at maximum functionality. This approach may make give the crew a false sense of confidence in the automated systems during real emergencies. AoC_67 Increasing Aviation-related businesses have engaged in All training organizations must follow economic partnership and outsourcing activities for the required SOPs and be applied in incentives to many years, but recently the pace and scope consensus. Operators are not likely to form of aviation outsourcing has increased. While have the resources and the incentives partnerships considerable opportunities exist, businesses to adopt consensus policies and and outsource need to prepare carefully and take into procedures relating to mode organizational consideration a plethora of strategic, awareness and energy state activities business, operational and legal issues in management or to introduce new deciding what to outsource and whether to training programs. Airlines are under form partnerships. Added complexity in constant pressure to cut costs. organizations tends to degrade prior, robust, aviation cultures that were previously based on personal relationships.

This has been seen in: -The outsourcing of aviation maintenance and engineering by nearly every major airline. - Increasing US airport reliance on outsourcing a wide range of facilities and services. -The emergence of virtual airlines where aircraft are owned by a leasing company and operated by a separate airline entity -Airlines, IT vendors -Complex industrial partnerships between engine, airframe, component and system manufacturers AoC_96 Increasingly As all systems become more complex there The next generation of flight crew may complex will be an increasing level of interaction focus more on operation of specific interactions between ground-based and aircraft-based flight deck equipment than having a among highly- systems. This increased interaction may thorough understanding of overall automated introduce incompatibilities that may result in aircraft systems and ground-based greater system development, integration, interdependencies. This may result in and flight-deck maintenance, and reduce overall system a lack of understanding of the intent of systems performance. Variation in design cycle times energy state and flight path and implementation schedules between management procedures. This can airborne systems and ground-based systems lead to a lack of adherence to those may result in lack of coordinated procedures. development. These issues underline the need for the introduction of the increased

- 94 -

capacity, flexibility, and security of the next generation of ground to aircraft communication systems. AoC_122 Accelerated Economic pressures to recruit needed pilots The true vulnerability may actually be transition of for Part 121 operations will likely result in in the transition of pilots trained in pilots from more rapid transition of trainees from simple complex, advanced flight decks simple to to complex aircraft. Current certification backward to simpler, less advanced complex standards may need to be revisited in light of aircraft that are in widespread aircraft this phenomenon. Training curricula must commercial service. Inexperienced provide the skills needed for command of flight crew is the true issue. SOPs complex, advanced aircraft. developed for one aircraft type may not be applicable to another aircraft. Accelerated transitions may not adequately highlight the important subtleties among the SOPs.

Previous experience in simple or complex aircraft and their frame of reference is critical as is the ability to diagnose in-flight problems. Adequate problem assessment has been difficult to train into pilots under the current regime. The capability to see the big picture is something that comes from an experiential basis. So if you only ever fly reliable aircraft with reliable systems where do you get your experience?

There is a vast repository of these experiences in the database that is worthy of further exploration. It is within this material that the roots of advanced training will be found. AoC_205 Increasing risk Future flight operations might bear the risk of Policies to more heavily depend on of flight crew increased fatigue of flight crews. This may automation may lead to inattention to fatigue result from: flight path and energy state - ultra long range flights with minimum crew management. - harmonized European legislation allowing longer flight duty times - increased regional operations - increased pressure on crews to improve economics - passenger and crew screening requirements

Both Somewhat Vulnerable and Somewhat Beneficial

AoC Title Description Vulnerability

AoC_1 Introduction of Improvements to the modern airplane may Procedures developed at the time of new aircraft occur as a result of breakthroughs in many this safety enhancement (2003) may types fields permitting evolutionary improvements in need to be updated for advance performance, improved computational aircraft arriving on the scene in the capabilities permitting multidisciplinary next five years. analysis and design, and use novel ideas to redesign the airplane. Future aircraft should be designed and built to accommodate retrofits that can be made without degrading safety.

- 95 -

AoC_188 Introduction of Current check-and-training systems Proper implementation of new training new training developed to maintain flight standards on methodologies will enhance training of methodologies earlier generation aircraft may not necessarily energy state and mode awareness. for operation of cover all issues relevant to operation of advanced advanced aircraft. Partially implemented training aircraft Research must be pursued to: methodologies may lead to confusion - define the changing profile of job of energy state management qualifications needed by applicants procedures and mode awareness. - devise efficient methods and tools by which to select qualified candidates without high Simulation capability within present attrition costs day CBTs brings a whole new level of - develop and validate advanced training fidelity to the training delivery. This can delivery systems that meet future staffing and also be web deployed to the financial training requirements relief of the customer airline and the - create cost-effective new equipment training learning benefit for the student pilot. guidelines and procedures New training methodologies are - provide integrated team training for all primarily reflected in adoption of aviation operations computer based training systems. - address training for mixed fleet and multi- SOPs must reflect the limits and cultured crews benefits of such revised simulators - evaluate and remediate skill decay for especially as they relate to energy diagnostic and complex operational tasks state awareness and flight path management.

Nature of Vulnerabilities: • Static guidance material will become obsolete due to changes in automation philosophies and operations. AoC 1, 13, 22, 96, 184 and 205 • Lack of complete implementation of guidance material (pick and choose) in the training organizations could lead to non-standard policies and procedures. AoC 67, 122, 188, 200 and 202 • Loss of knowledge of the intent behind the policies and procedures for energy state awareness and flight path management possibly resulting in non-adherence. AoC 11, 80, 96 and 189 • SE 30 recommendations may fail because they are not posed with enough specificity. This is the result of the fact that in the next 3-5 years, there is no reason to expect any changes to human nature, or to organizational culture in the relevant organizations (operators, regulators, manufacturers, or unions). So what hasn't worked in the past isn't likely to work in the future. Just doing more of the same isn't likely to change that.

Major Interaction Effects: • Interactions between pilot training programs and the wide variety of backgrounds among flight crew may present a key vulnerability. Heterogeneous backgrounds among pilots may make some energy management procedures safe for some and unsafe for others. In addition, full motion simulators are known to lack fidelity in off- design conditions such as buffet, stall, etc, further aggravating the situation. • Interaction between over-estimation of technological failure frequency by flight crew and under-confidence in automated systems. There is some evidence that pilots - who are exhaustively trained to cope with technological failures - may over- estimate their likelihood. It has been reported that military pilots have gotten into accidents situations because they refused to trust that the aircraft’s new automatic

- 96 -

terrain-following following system would keep them a safe distance from the ground. Similar incidents have been reported in civil aircraft. A mid-air collision between a Russian airliner and a DHL cargo plane, over Germany in July 2002, for example, was arguably the result of under-confidence.

Near-term Changes to Baseline Risk or New Vulnerabilities: • The SE is very vulnerable to a number of AoCs that are emerging in the short term that are linked to training limitations in full fidelity simulators and the different philosophies of automation between aircraft types that flight crew must not confuse. Aircraft avionics are subject to the same irreconcilable ambiguities as their electronic and mechanical predecessors, but that their integrity should be amenable to a-priori formal proof has proved a deeply pervasive idea, that has influenced the wider conception of aircraft reliability assessment by publics and policy makers. • HF issues have arisen where inadvertent activation of a function (autopilot) on ground was a result of changes between aircraft types in AP switch placement that required automation to be redesigned to inhibit the function where no issue was present before. This issue confirms that a small heterogeneity between two aircraft types from the same manufacturer can lead to a mode awareness error. The same is applicable for pilots transitioning from turboprops to jets, reference the presentation, “Human Factors from Other Aircraft Contributing to Incidents and Accidents” at the 1994 Flight Safety Foundation EASS in Lisbon. • Prevent misunderstanding of various training applicability to the aircraft type which could lead to an aircraft upset (i.e. tail plane icing stall recovery training for an aircraft not susceptible tail plane icing stalls) or on aircraft having no aural low speed warning while other aircraft have it. • The SE-30 Data Review Team has identified broad topics that should be addressed in automation policies. Only a specific air carrier knows what is best for its own circumstances, but these topics provide a basic exemplar, based on current practices that are known to be effective and that are based on incident analysis by an expert panel. For the optimum use of automation, carriers should promote the following, in which the central point remains “fly the airplane.” • Understanding the integration of AP/FD and A/THR-A/T modes (pairing of modes). • Understanding all mode transition and reversion sequences. • Understanding pilot-system interfaces for: o pilot-to-system communication (for mode engagement and target selections) o system-to-pilot feedback (i.e., for mode and target cross-check) • Awareness of available guidance (AP/FD and A/THR or A/T status and which modes are armed or engaged, active targets). • Alertness to adapt the level of automation to the task and/or circumstances, or to revert to hand flying or manual thrust/throttle control, if required. • Adherence to the aircraft specific design and operating philosophy and the air carriers SOPs. • If doubt exists regarding the aircraft flight path or speed control, do not attempt to reprogram the automated systems. • Selected guidance or hand flying together with the use of raw data from

- 97 -

NAVAIDs should be used until time and conditions permit reprogramming the AP/FD or FMS. • If the aircraft does not follow the intended flight path, check the AP and A/THR or A/T engagement status. • If engaged, disconnect the AP and/or A/THR or A/T using the associated disconnect push button(s), to revert to hand flying (with FD guidance or with reference to raw data) and/or to manual thrust control. • In hand flying, the FD commands should be followed. Otherwise the FD bars should be cleared from display, AP and A/THR or A/T.

Longer-term Changes to Baseline Risk or New Vulnerabilities: • The SE is very vulnerable to the changing pilot community that will have different airmanship skills. The large number of retirements of veteran pilots is placing increasing pressure to hire and train the next generation of pilots in an efficient and cost-effective manner. • As aircraft continue to become completely integrated between systems and most functions become automated, the crew will need a higher level of training to better understand and monitor these systems to detect failure of these functions. The impressive reliability levels of modern aircraft and automation didn’t emerge from modern regulations, so much as modern regulations emerged from past unreliability. The regulations could not have existed without the early years of low reliability, because, with all the ambiguities of technological evaluation, it would have been impossible to stipulate in advance what those regulations should demand.

Precursors, Watch Items, and System-wide Measurements that Could Indicate Vulnerability: • Monitor trends in responses by the flight crew to key aircraft alerts such as stall indication (stick shaker), TCAS, and EGPWS to identify if improper responses are on the increase. • Monitor trends in ATC data on altitude busts and rates of go-arounds (an indication of conservative response to deteriorating aircraft energy state, attitude or nearby traffic. • Track the frequency of ATC reports of emergencies declared due to control issues • Monitor new signal sources that are anticipated as advanced avionics and associated logic are introduced. • Monitor performance differences in flight path accuracy/energy management comparing auto-land versus no auto-land in today's environment.

- 98 -

SE 31: LOC Training - Advanced Maneuvers

Summary information from SE 31 DIP: Summary of SE: Advanced Maneuvers Training (AMT) refers to training to prevent and recover from hazardous flight conditions outside of the normal flight envelope, such as, in- flight upsets, stalls, ground proximity and wind shear escape maneuvers, and inappropriate energy state management conditions. Pilots will be better trained to avoid and recover from excursions from normal flight and loss of control. Date of Approval: February 2003 Risk Description: • Some special interests might discredit AMT simulator training • POIs might ignore AMT materials and/or Handbook Bulletin • Operators might ignore AMT materials and/or Handbook Bulletin • Operators of non-swept wing aircraft and the manufacturers might be reluctant to develop AMT material specific to these type of aircraft • Operators might not accept the potential costs of this training Risk Mitigation Plan: Many of the air carriers presently provide AMT. Cooperation between FAA and industry organizations to obtain widespread implementation of the AMT would result in a substantial reduction or elimination of the causes of loss of control accidents. Implementation progress: Guidance was issued in 2003. Since this is an old SE, and addresses procedures, implementation should be fairly well established.

Relevant Areas of Change:

Very Vulnerable

AoC Title Description Vulnerability

AoC_202 Increasing Simulator training time is becoming more Because of cost drivers, unusual pressure to compressed. In order to save time and attitudes are trained, but usually not to shorten and money: fully developed stall conditions that compress pilot - emergency/abnormal scenarios are being can be catastrophic in flight. Flight training combined together, even though the events crew training must enhance are extremely unlikely to occur together confidence and promote - recent accident scenarios are emphasized understanding of the desired and "Routine" flight operations are under- maneuvers. In simulators pilots are emphasized exposed to so many complete failures - more training is being added without that routine failures may be left out in analyzing the current curriculum to remove an effort to compress training time. unnecessary or redundant segments Rarely are simulations frozen in the unusual attitude prior to executing the recovery maneuver. G-loading is important in learning the maneuvers but compressed training is de- emphasizing full-motion simulations. AoC_205 Increasing risk of Future flight operations might bear the risk of Effectiveness of LOC guidance flight crew fatigue increased fatigue of flight crews. This may depends on its interpretation by result from: individual companies or operators. - ultra long range flights with minimum crew Airlines are not always compliant with - harmonized European legislation allowing advisory circulars. They can still

- 99 -

longer flight duty times operate in compliance with AC and still - increased regional operations have poor fatigue policies in place, - increased pressure on crews to improve especially regional airlines. Company economics and crews operate to accommodate. - passenger and crew screening The regulation addressing fatigue has requirements recently changed, but the effectiveness has not yet been evaluated and may not be specific enough.

Some airlines are challenging regulators on approved shift roster policy by proving that the civil-authority compliant roster, when applied to their shift patterns, was less safe than a modified, non-compliant shift pattern that the airline wanted to introduce. The airline analyzed its ASR data and demonstrated that there were more incidents during the latter part of the civil-authority compliant roster than would (and did in fact) occur if they were permitted to use a modified roster that did not comply with the civil- authority scheme. Accordingly, the airline was given a waiver to operate the non-compliant roster on the basis that it was safer and less fatiguing when applied to their operational routes.

In other words being compliant does not always mean safer regardless and the rate of fatigue over time needs to be considered as much as fatigue from one particular short series of flights.

New fatigue regulations impose a hardship on crewing numbers for operators. First of all, it means operators will have to recruit additional pilots at a time when regulations impose stiffer entry level qualifications for Part 121 flight crew, and at time when retirements are about to increase. The interesting thing in all of this, the number of airlines looking for new hires all at the same time in numbers we haven't seen before. A good idea at a time when it may be more difficult to implement than we care to admit.

Somewhat Vulnerable

AoC Title Description Vulnerability

- 100 -

analysis and design, and use novel ideas to aircraft that are heavily automated and redesign the airplane. Future aircraft should flight-envelope protected may be be designed and built to accommodate conducted with the automation retrofits that can be made without degrading assumed to be at maximum safety. functionality. Procedures developed at the time of this safety enhancement (2003) may need to be updated for aircraft arriving on the scene in the next five years. AoC_11 Increasingly Not all aircraft may have the same level of In a perfect world, airplane heterogeneous equipage in the future. The variation in manufacturers and/or airlines would aircraft fleets sophistication of digital and develop a single advanced maneuvers (varying electromechanical systems within an training so that pilots could follow a software, individual aircraft type must also be consistent set of procedures. equipment, considered. An unavoidable mix of new and capabilities, etc.) reused (legacy) software is a future trend and Common theme SOPs are more there may be increasing numbers of regional challenging for airlines with mixed jets equipped with possibly more advanced fleets. Air Operators Certificate avionics than legacy aircraft. This could lead holders should write their SOPs to to flight crew confusion and problems include the recommendations from the maintaining situational awareness. manufacturer. For decades, many operators of mixed fleets have insisted their pilots operate a variety of types the same way. However, aircraft manufacturers may have designed the aircraft with totally different operating philosophies. AoC_13 Increasing crew Increasing flight deck automation has Over-confidence in automation, a lack reliance on flight occurred as a result of increased workload for of understanding of what the deck automation the flight crew due to more complex automation is trying to achieve, and for flight-path operational environments, aircraft systems possible loss of manual flying skills management, and navigation (traffic and weather). In future presents the potential for pilots to lose separation ATM concepts, responsibility for separation situational awareness and “get behind assurance and may increasingly be delegated to the the airplane.” Critical and non-critical terrain avoidance automated systems of the aircraft. As a result functions can become blurred in use. of increased automation, the flight crew may There is the potential for greater loss be placed in a monitoring role potentially of flight critical functions and crew compromising their ability to intervene when understanding of failure cases. necessary. Unfamiliar modes of aircraft automation may result in a perfectly normal flying aircraft suddenly taking on characteristics that the pilot has seldom or never previously encountered. Latent flaws in the display, or primary flight control system may go undetected, because not enough human-in-the-loop testing is performed, and the pilots are not trained about the philosophy of the automation. AoC_43 Increasing Advanced automation is taking full advantage Systems that formerly were implementation of data sharing among what was previously independent are now integrated; one of highly- independent LRUs. As more crew functions failure may cause all of them to fail. integrated, are automated there is a high reliance on the Checklists and SOPs must include interdependent integrity and fidelity of the data exchanged. more system checks and cross flight-critical High and low criticality functions have checks. Lost or erroneous signals aircraft systems traditionally been physically isolated are now may make recognition and recovery sharing computing and database resources. more difficult in these highly integrated Software-based isolation and independence systems. is much more "fluid" and difficult to assure than relying on hardware. Lost or erroneous inputs can result in a cascade of effects on the aircraft. Often, sensors are the lowest reliability components and therefore need to

- 101 -

be redundant to obtain the required system safety. Unfortunately, identical sensors are used to achieve the redundancy. Therefore, sensor failures could produce a single point failure of multiple devices. AoC_67 Increasing Aviation-related businesses have engaged in There a risk of non-standardized economic partnership and outsourcing activities for implementation of safety processes incentives to many years, but recently the pace and scope like SMS across organizations. form partnerships of aviation outsourcing has increased. While and outsource considerable opportunities exist, businesses SOPs developed under contract may organizational need to prepare carefully and take into not be in accordance with activities consideration a plethora of strategic, manufacturers recommendations. This business, operational and legal issues in may create situations in which deciding what to outsource and whether to inappropriate SOPs are applied to a form partnerships. Added complexity in particular aircraft. organizations tends to degrade prior, robust, aviation cultures that were previously based Operators are not likely to have the on personal relationships. resources and the incentives to adopt consensus policies and procedures This has been seen in: relating to mode awareness and -The outsourcing of aviation maintenance and energy state management or to engineering by nearly every major airline. introduce new training programs. - Increasing US airport reliance on Airlines are under constant pressure to outsourcing a wide range of facilities and cut costs. services. -The emergence of virtual airlines where aircraft are owned by a leasing company and operated by a separate airline entity -Airlines, IT vendors -Complex industrial partnerships between engine, airframe, component and system manufacturers AoC_80 Loss of design, The knowledge of why aircraft are designed There is a risk of complacency in that operational, and as such, how key maintenance is to be operational practices may be blindly maintenance performed, and why the operational rules are continued without validating original knowledge as they are is being lost due to long product design assumptions. Front-line staff design cycle times, extended product life, and may not be familiar with the historic increasing staff turn over. Unforeseen uses rationale behind an SOP requirement of the product (such as operation at higher related to loss of control. load factors) also present special challenges in order to maintain safe operations. Failure to document and archive design data, initial specifications, test data, and lessons learned may also increase safety risk. AoC_82 Decreasing In order to provide increased utilization of the Decreasing separation standards separation airspace, separation standards may decrease required under new ATC operating standards between runways, between aircraft, between rules may require updated flight deck landing operations, and for vertical procedures to avoid situations in which separation. The risk of runway incursions closer proximity of aircraft may result may also increase as a result. The reliability in loss of control. of technologies and procedures enabling reduced separation must be assured. AoC_122 Accelerated Economic pressures to recruit needed pilots The true situation may actually be the transition of pilots for Part 121 operations will likely result in transition of pilots trained in complex, from simple to more rapid transition of trainees from simple advanced flight decks being assigned complex aircraft to complex aircraft. Current certification to simpler, less advanced aircraft. standards may need to be revisited in light of Inexperienced flight crew is the true this phenomenon. Training curricula must issue. SOPs developed for one provide the skills needed for command of aircraft type may not be applicable to complex, advanced aircraft. another aircraft. Accelerated transitions may not adequately highlight the important subtleties

- 102 -

between the SOPs.

These changes will require frequent safety and hazard assessment re-evaluation. AoC_184 Increasing Flight Crews will be required to interact with New or revised procedures must be amount of an increased amount of information like put in place to give pilots guidance on information CPDLC data, traffic information on CDTIs for processing and responding to new available to flight ASAS applications, electronic route information sources and displays that crew manuals/flight bags and even the World Wide present flight-critical information such Web. This information will likely be presented as terrain clearance. For systems on extra displays, requiring the crew to divide presenting nearly identical information their attention. This information may be such as EGPWS and Vertical Situation integrated in existing systems or may be Displays, procedures must be presented on a single screen that may developed for prioritizing and selecting introduce the problem of cluttering. Pilots will the most reliable decision support tool have to be trained to efficiently use the new among the many options. data and interfaces. AoC_189 Shifting Previously many flight crew were drawn from Because of the larger percentage of demographics the ranks of retired military personnel with civilian pilots entering the workforce from military to significant military flight experience and (compared with military trained) SOPs civilian trained training. In the future pilots will more than will need to be more specific and not

- 103 -

pilots likely be drawn from civilian flight schools. assume domain knowledge delivered This demographic shift may result in in military training curricula. diminished basic airmanship including aircraft energy management, lack of aircraft system knowledge and diagnostic skills, manual handling, ability to operate advanced aircraft in abnormal situations/attitudes, and recover from unanticipated situations when there is no checklist. AoC_200 Increased Advanced desktop training environments are Some skills simply cannot be learned dependence on being proposed that may have serious in synthetic CBTs. If pilots are trained synthetic training shortcomings compared with full-fidelity flight to expect or feel incorrect sensations in lieu of full- simulators. Some aspects (such as aircraft or they have not received enough fidelity simulators dynamics) are best covered using high fidelity training for the failure scenario, they simulators, while others can be tackled using may not be able to make the right simpler approaches. Part-task trainers and decisions in emergency situations. In limited range of motion high-fidelity simulators some cases (particularly upset may not sufficiently emulate loss-of-control recovery) training in an actual situations to enable effective upset recovery aerobatic airplane would be best. training. These types of training simulators Some airlines have already adopted can lead to negative transfer of training. this approach. In addition, regulations However, some simulators may be effective regarding simulator fidelity, especially in training for recognition and early detection at or near the edge of the flight of the conditions preceding loss of control envelope are unclear. situations. Implementation may be more widespread due to lower cost of part-task trainers. For certain accident types, training may not help; aircraft changes may well be necessary. Upset prevention (via recognition) may improve using part-task simulators, but actual ability to recover from unusual attitudes may worsen.

Both Somewhat Vulnerable and Somewhat Beneficial AoC Title Description Vulnerability AoC_47 Changing human Increasing understanding of the Major changes in flight deck factors capabilities/limits of human performance and procedures may be required as flight assumptions for of best practices for human-machine decks are increasingly designed to implementing interaction. Increasing pressure to augment accommodate human cognitive automation humans with automated systems and/or strengths and weaknesses. The decision-support systems may characterize improved designs may allow for future design philosophies. There may be an simpler and more intuitive procedures, increasing need to adequately design but procedures must be changed to systems from the start to take advantage of account for this. human flexibility and creativity and to augment human abilities and limitations with computers in ground and aircraft systems. AoC_188 Introduction of Current check-and-training systems Simulation capability within present new training developed to maintain flight standards on day CBTs brings a whole new level of methodologies earlier generation aircraft may not necessarily fidelity to the training delivery. This can for operation of cover all issues relevant to operation of also be web deployed to the financial advanced aircraft advanced aircraft. relief of the customer airline and the Research must be pursued to: learning benefit for the student pilot. - define the changing profile of job New training methodologies are qualifications needed by applicants primarily reflected in adoption of - devise efficient methods and tools by which computer-based training systems. to select qualified candidates without high SOPs must reflect the limits and attrition costs benefits of such revised simulators. - develop and validate advanced training delivery systems that meet future staffing and On the other hand, advanced

- 104 -

training requirements maneuvers training must be conducted - create cost-effective new equipment training in simulators (ore preferable flight guidelines and procedures situations) that adequately mimic the - provide integrated team training for all vestibular environment for the crew. aviation operations - address training for mixed fleet and multi- cultured crews - evaluate and remediate skill decay for diagnostic and complex operational tasks

Nature of Vulnerabilities: • Shortened and compressed training may miss more frequent routine failure scenarios in favor of rare events that are required by regulators. AoC 202 • Pilot type training is driven by the Practical Test Standards (PTS) requirements for the issuance of a type rating. The PTS does not take into account the wide variations in aircraft types. Type rating training is geared to meeting the PTS requirements and the successful completion of the type check ride. There is little or no space in the current type rating training curriculum for the additional recommendations of the NTSB and FAA following the recent rash of aircraft accidents, especially LOC. This type of training recommended by these agencies is additional cost and would require specialty training. AoC 202 • With regard to Upset/LOC, presently most Type Rating Training Organizations (TRTO) do not provide this kind of specialty training and it would require several things on the part of the TRTO. Instructors would have to be taught Upset Recovery, certified as Upset Recovery Instructors and a specialty course designed for these newly qualified instructors to instruct. In the case of Bombardier, it is unlikely that this TRTO will take this on. We believe it to be a licensing issue and something that should be addressed during the initial phase of pilot training before they show up at TRTO for type training. We believe this to be the case case for other major manufacturersas well Individual airlines may decide to provide this kind of specialty training to their crews. AoC 202 • Effectiveness of LoC prevention guidance depends on its interpretation by individual companies or operators. Airlines are not always compliant with Advisory Circulars. They can operate in compliance with regulations and yet have poor fatigue policies in place, especially regional airlines. AoC 205 • There is a risk of conducting training for operation of advanced aircraft with all automation assumed to be fully functional. Training in aircraft that are heavily automated and flight-envelope protected must be conducted with realistic functionalities that should reflect realistic degraded modes. Training programs should be optimized to cover more realistic scenarios with automation operating at “MEL” levels. AoC 13 • Air Operator Certificate holders writing their own SOPs and ignoring what the manufacturer has recommended. AoC 11 • Although simulation capabilities within present day CBTs brings a whole new level of fidelity to training delivery, the lack of standardized policies and procedures covering synthetic training may have undesirable consequences. AoC 200 • Re-draw/re-formulate the total training scheme – ab initio/type-training/re-current- training/special training – if only because an engine failure exactly at V 1 will not be

- 105 -

the most frequent hazard for the average pilot. AoC 202 • Re-examine what should be trained on an EBT/CBT and what in full motion simulators with emphasis on use and type of automation as well as advanced maneuver training in simulators that adequately mimic the vestibular environment for the crew.

Major Interaction Effects: • Interactions between stiffer hiring standards and new fatigue rules. New regulations for minimum hours and new rules for flight crew duty cycles impose a hardship on crewing for operators. As a consequence operators will have to recruit additional pilots at a time when regulations impose stiffer entry level qualifications for Part 121 flight crew, and at time when retirements are about to increase. An additional concern is that airlines will be looking for new hires all at the same time in numbers we haven't seen before. • Compressed pilot training may not cover all important aspects of the sophisticated behavior of advanced avionics • What is routinely trained does not reflect the realities of typical degradations in the performance of automation and other systems observed in service. • Practical Test Standards (PTS) requirements for the issuance of a type rating do not take into account the wide variations in aircraft types. PTS only partially reflect the realities of the operational world.

Longer-term Changes to Baseline Risk or New Vulnerabilities: • Today's approach to SOP design for flight crews of new aircraft may need to be modified to account for the changing demographics and technology. • Advanced automation that features artificial (self-learning) underlying principles will require specific training in how this type of automation behaves. • SOPs will have to be written so that flight crew can be responsible for separation and route changes. Extreme care must be taken in drafting SOPs that will adequately handle system degradations and failures. • Automation sophistication must reflect the current understanding of the strengths and weaknesses of human behavior and the limits of automation. Flight crew may lose situational awareness unless the human or automation decisions are made appropriately in dynamic situations.. • Additional Watch Items from Dave Prior (specifics)

- 106 -

Precursors, Watch Items, and System-wide Measurements that Could Indicate Vulnerability: • Conduct regular surveys of the pilot population to assess demographics changes that may indicate the need for revised training methods dealing with recognition of and response to unusual attitudes and subsequent recovery techniques. • Determine any significant differences between scenarios in mandated training syllabi and relative frequency of degradation/failure scenarios that are happening in the operational world. • In addition to continued monitoring of ASRS and FOQA data for increasing instances of rushed and/or unstabilized approaches, rejected landings and missed approaches, in-flight pilot icing reporting, and flight crew coordination failures, correlate these assessments with aircrew proficiency and standardization programs in particular airlines. • Monitor trends in lasing of aircraft and development of mitigation technologies. • Monitor application for certification of avionics based on self-learning algorithms.

- 107 -

SE 34: LOC Display and Alerting Features in New Airplane Designs

Summary information from SE 34 DIP: Summary of SE: New airplane designs include several display and alerting systems that improve flight crew situational awareness and assist in identifying situations that could lead to loss of control . Such systems should include: • Graphic speed trend information • A pitch limit indication • Bank angle limits to buffet • Barber poles and amber bands on primary airspeed indications • Detection and annunciation of conflicting attitude, airspeed and altitude data information • Detection and removal of invalid attitude, airspeed and altitude data information (i.e.., from an internal fault) • Detection and removal of misleading attitude, airspeed and altitude data information (e.g., from an external sensor fault) to the extent feasible • Information to perform effective manual recovery from unusual attitudes using chevrons, sky pointers, and/or permanent ground-sky horizon on all attitude indications • Salient annunciation of autoflight mode changes and engagement status changes (e.g., blinking/colored/boxed mode information) • Effective sideslip information and alerting of excessive sideslip (e.g., split trapezoid on attitude indicator) • Clear annunciation of engine limit exceedances and significant thrust loss Date of Approval: February 2003 Risk Description: • Normal policy process and timeframe (e.g., ARAC, harmonization, etc.) • Potential failures to implement advisory material • New airplanes will represent a miniscule part of fleet in 2007 • Potential economic burden on manufacturers and operators • Potential inadequate resource availability for manufacturers and operators and FAA • Potential unwillingness to voluntarily implement project outputs • Difficulty to incorporate a list of recommended display features into AC 25-11 without constraining manufacturer’s ability to develop an integrated pilot interface design Risk Mitigation Plan: • CAST will support timely and successful completion of Aviation Rulemaking Advisory Committee (ARAC) activity • Ensure manufacturer and human factors input to AC 25-11 revision process Implementation Progress: Display and Alerting Features in New Airplane Designs are intended to help the pilots know when the airplane is getting slow/approaching upset/etc. AC 25-11A, Electronic

- 108 -

Flight Deck Displays was revised to include recommendations developed by the Task Avionics Working Group (ASHWG) ARAC. This AC provides guidance for showing compliance with certain requirements of Title 14, Code of Federal Regulations (CFR), part 25, as well as general guidance for the design, installation, integration, and approval of electronic flight deck displays, components, and systems installed in transport category airplanes. AC 25-11A is available at www.faa.gov under Regulations and Policies, Advisory Circulars (AC).

Relevant Areas of Change:

Very Vulnerable

AoC Title Description Vulnerability

AoC_11 Proliferation of Not all aircraft may have the same level of Changes in the presentation of the heterogeneous equipage in the future. The variation in display and alerting systems that aircraft with sophistication of digital and assist in identifying situations that widely-varying electromechanical systems within an could lead to loss of control introduce equipment and individual aircraft type must also be the potential risk of misinterpretation capabilities considered. An unavoidable mix of new and by crews familiar with a different reused (legacy) software is a future trend and design approaches. Although this AoC there may be increasing numbers of regional will increase heterogeneity in the short jets equipped with possibly more advanced term, in the long term this vulnerability avionics than legacy aircraft. This could lead should decrease. to flight crew confusion and problems maintaining situational awareness.

- 109 -

compatible with modern data storage software. Identification of safety-sensitive information within difficult to access legacy data storage systems will remain a significant challenge. AoC_82 Decreasing In order to provide increased utilization of the This is a potential vulnerability separation airspace, separation standards may decrease because it may increase nuisance standards between runways, between aircraft, between alerts. The threshold at which the alert landing operations, and for vertical goes off could be too restrictive for separation. The risk of runway incursions decreased separation standards. may also increase as a result. The reliability Because SOPs require the crews to of technologies and procedures enabling respond to the alerts even if they reduced separation must be assured. believe them to be false this could potentially introduce unnecessary risks or desensitization to the alert. Updated alert technology software or procedures could correct this and the FAA may mandate such updates, but world wide there is no requirement to update systems or software to reflect changing operational standards.

With the decreased separation standards, in the event of a system failure, erroneous data, or other data issue the criticality of the situation will be significantly higher than a failure of the system today. AoC_184 Increasing Flight Crews will be required to interact with The increasing amount of information amount of an increased amount of information like available to flight crew may overload information CPDLC data, traffic information on CDTIs for the pilots and cause workload issues available to flight ASAS applications, electronic route in critical flight phases. As new crew manuals/flight bags and even the World Wide features are added are the old Web. This information will likely be presented unnecessary ones being removed? Is on extra displays, requiring the crew to divide the information being presented to the their attention. This information may be pilots in an efficient manner they can integrated in existing systems or may be understand? Is it being prioritized? presented on a single screen that may This could have a much more introduce the problem of cluttering. Pilots will significant impact on SE 34 as have to be trained to efficiently use the new opposed to SE 85 because this SE data and interfaces. mentions so many different changes and functions within the flight deck that may all have unique issues.

Somewhat Vulnerable

AoC Title Description Vulnerability

AoC_67 Increasing Aviation-related businesses have engaged in The manufacturer may lose core economic partnership and outsourcing activities for capabilities within their organization. incentives to many years, but recently the pace and scope When partnerships are developed, the form partnerships of aviation outsourcing has increased. While manufacturer must maintain design and outsource considerable opportunities exist, businesses capability. This is necessary for organizational need to prepare carefully and take into maintaining oversight capability to activities consideration a plethora of strategic, ensure product quality and safety. business, operational and legal issues in Outsourcing can also lead to deciding what to outsource and whether to difficulties in collecting failure data and form partnerships. Added complexity in delivering that data back to the parties organizations tends to degrade prior, robust, who can act on it such as OEMs. aviation cultures that were previously based on personal relationships. This is particularly a concern for software especially involving future

- 110 -

This has been seen in: updates/maintenance. When a -The outsourcing of aviation maintenance, different organization develops the engineering, and logistics services by nearly software than the hardware or a every major airline some without robust different organization updates reporting systems in the outsource software that was originally built in organizations. house potentially opens the system to - Increasing US airport reliance on safety issues. outsourcing a wide range of facilities and services. -The emergence of virtual airlines where aircraft are owned by a leasing company and operated by a separate airline entity -Airlines, IT vendors -Complex industrial partnerships between engine, airframe, component and system manufacturers AoC_85 Potential There may be an increased requirement for Potential negative influence if the information effective and timely shared decision-making information from the on-board system inequality among in a multi-agent context (multiple aircraft, conflicts with ATC instructions or aviation system ATC, AOC, automation). Shared decision information and ATC is unaware that participants in making requires equality of information of the the pilot is using conflicting information situations decision makers. If one of the decision to maintain aircraft control. requiring shared maker’s information is out-dated, inaccurate, decision-making absent, etc., the decision making process will be flawed. This principle applies to tactical (e.g., traffic conflict resolution involving air- ground and air-air communication) and strategic (e.g., route design) decision making. AoC_99 Increasing GPS, digital terrain elevation data, and In the immediate future, there is dependence on ground obstacle data may be incorporated concern about the availability and accurate into future FMS databases and airport moving reliability of GPS networks and the use databases for map displays. The integrity of the of these networks with no other secure flight-critical computerized navigation and performance sources of data. In the far future this functions systems rests on the quality of the issue should work itself out as new, FMC/FMGS databases. Avionics and varied technologies are introduced. airframe manufacturers and regulatory authorities have recognized the potential for entering incorrect data through the FMC/FMGS. The final safety net in the process of checking the accuracy of the database information currently lies with the pilot who should cross-check electronic data against printed data. Future flight guidance databases may have no printed data against which pilots can cross-check information. AoC_135 Decreasing Because other high-tech industries are on This SE relies on specialized market share of such a rapid growth curve, the advanced hardware and software which may be high-tech products purchased by the aviation sector of subject to shortages or price aviation products the economy now represent a smaller share escalation. This may also cause in comparison to of the overall production capability for these heterogeneity within fleets because other sectors specialized products. This may create a some aircraft may be updated before situation where the aviation industry may others. have a more difficult time obtaining the necessary components (both new and replacement) at favorable prices. As a result, obsolescence of flight-critical digital system components may create safety issues in the future. AoC_139 Increasingly Aircraft noise and emissions concerns may The effect of the AOC on the SE could stringent noise become the most important strategic potentially have a small negative and emissions obstacles for future development of air because operations may need to be constraints on transport. These concerns impact the system adapted to noise and emissions

- 111 -

aviation in many ways, including: abatement procedures. Problems with operations - changes in certification requirements for nuisance alerts may arise if this does aircraft not happen quickly and correctly - new policies on runway use making the system less effective. - new take-off and landing profiles which may reduce safety margins - changing aircraft traffic management - introduction of environmental levies or the market based approach of emissions trading

AoC_148 Increasing Hostile acts against the aviation system are Although it is still relatively rare, GPS frequency of manifested in several ways: jamming and signal corruption can hostile acts - cyber attacks on data links, databases and occur. Also, there is the potential for against the digital/ electromechanical systems, jamming loss/corruption of database aviation system resulting in loss of RF signals used for critical information. Crews may trust this CNS functions and FADEC operation. corrupted data over other sources of - increasing sophistication and proliferation of correct data potentially leading to explosive materials, biological/chemical toxic devastating consequences. The agents, and anti-aircraft weapons. instances of lasers being directed into - increasing frequency of distraction, glare aircraft cockpits and temporarily and temporary flash blindness from easily disorienting the crews are on the rise. available and low cost of high-strength lasers. AoC_200 Increased Advanced desk-top training environments are The addition of new equipment in the dependence on being proposed that may have serious flight deck will require specific training. synthetic training shortcomings compared with full-realism flight Some skills simply cannot be learned in lieu of full- simulators. Some aspects (such as aircraft in synthetic CBTs. If pilots are trained fidelity simulators dynamics) are best covered using high fidelity to expect or feel incorrect sensations simulators, while others can be tackled using or they have not received enough simpler approaches. Part-task trainers and training for the failure scenario, they limited range of motion high-fidelity simulators may not be able to make the right may not sufficiently emulate loss-of-control decisions in an emergency situation. situations to enable effective upset recovery In some cases (particularly upset training. These types of training simulators recovery) training in an actual can lead to negative transfer of training. aerobatic airplane would be best. However, some simulators may be effective Some airlines have already adopted in training for recognition and early detection this approach. of the conditions preceding loss of control situations. Implementation may be more widespread due to lower cost of part-task trainers. For certain accident types, training may not help; aircraft changes may well be necessary. Upset prevention (via recognition) may improve using part-task simulators, but actual ability to recover from unusual attitudes may worsen. AoC_202 Increasing Simulator training time is becoming more Proper use of vertical situation pressure to compressed. In order to save time and displays will require training. This shorten and money: training may be mandated and may be compress pilot - emergency/abnormal scenarios are being required to be inserted into existing, training combined together, even though the events fixed-duration training sessions, are extremely unlikely to occur together However it may not fit in the schedule - recent accident scenarios are emphasized or if it is squeezed in less time may be and "Routine" flight operations are under- available for other essential training emphasized components. Programs like AQP - more training is being added without (Advanced Qualification Programs) analyzing the current curriculum to remove may provide a venue for this advanced unnecessary or redundant segments. training and not force the displacement of other critical training modules.

Both Somewhat Vulnerable and Somewhat Beneficial

- 112 -

AoC Title Description Vulnerability AoC_43 Increasing Advanced automation is taking full advantage Where increased integration allows for implementation of data sharing among what was previously cross checking of data and the of highly- independent LRUs. As more crew functions potential to lose systems and not integrated, are automated there is a high reliance on the affect the flight of the aircraft, it also interdependent integrity and fidelity of the data exchanged. presents significant safety challenges. aircraft systems High and low criticality functions have There is an increased potential for traditionally been physically isolated are now flight crews to misinterpret failures sharing computing and data bus resources. because of seemingly unrelated Software-based isolation and independence indications and cascading effects is much more "fluid" and difficult to assure among the systems. Also, the than relying on hardware. Lost or erroneous increased complexity may mask inputs can result in a cascade of effects on interdependencies potentially the aircraft. Often, sensors are the lowest rendering intended independence reliability components and therefore need to ineffective. be redundant to obtain the required system safety. Unfortunately, identical sensors are used to achieve the redundancy. Therefore, sensor failures could produce a single point failure of multiple devices. Complex systems increase the need for self-checks to verify software for accuracy and integrity. AoC_51 Delegation of New approaches to organizational approvals Depending on how this is implemented responsibility may lead to more and more delegation of this could either be beneficial or from the responsibility and privileges to the design, detrimental. From the manufacturers regulating manufacturer and maintenance organizations perspective, delegation of authority to the that may lead to inconsistencies in responsibility may be positive for manufacturing, compliance with the regulations. safety. Left to their own devices, operating or manufacturers believe that they will maintaining hold themselves to a higher standard organization than the regulator would and the system would be safer as a result. From the regulators perspective delegation of responsibility may be negative for safety. Delegation may provide a greater potential for divergent interpretation of airworthiness codes and a risk of complacency within the manufacturing organizations. AoC_189 Shifting Previously many flight crew were drawn from This could be positive or negative. demographics the ranks of retired military personnel with Where the new civilian trained crews from military to significant military flight experience and may not have as much abnormal civilian trained training. In the future pilots will more than situation training as their older military pilots likely be drawn from civilian flight schools. counterparts, the civilian crews may This demographic shift may result in be more open to new technologies in diminished basic airmanship including aircraft the flight deck. Older military trained energy management, lack of aircraft system crews may be reluctant to trust the knowledge and diagnostic skills, manual new technological aids and may handling, ability to operate advanced aircraft refuse use/listen to the device or even in abnormal situations/attitudes, and recover turn it on. Training will need to be from unanticipated situations when there is adjusted to fit the needs of the no checklist. individual pilot in order for this SE to be effective, regardless of whether the pilot is from a military or civilian background. AoC_230 Paradigm shift In the future complex, integrated aircraft will Where fault detection, tracking, and from paper require more and more automation for fault consistent diagnoses avoiding “no based to detection, diagnosis, and resolution. In fault found” removals will likely electronic based addition, new diagnostic and prognostic improve, there is also the potential for

- 113 -

maintenance safety analysis will require electronic tracking maintenance staff to become over- of maintenance findings and actions. These reliant on these technologies. Where changes may introduce new considerations data may now be available on more such as: maintenance events, data richness - ensuring quality maintenance on legacy may be lost. Personnel who may have aircraft which were previously paper based included detailed notes in paper based but are transitioning to a computerized format systems may not have time to - new skill sets will be required of incorporate such detail in the maintenance personnel because of changing electronic systems so less detailed processes, tools, and techniques to support information will flow back into the the new computerized systems safety correction systems. - greater care and task verification will be required - better coordination between maintenance and flight crews

Both Very Vulnerable and Very Beneficial

AoC Title Description Vulnerability

AoC_13 Increasing crew Increasing flight deck automation has This SE provides more automation reliance on flight occurred as a result of increased workload for aimed at assisting the pilot in difficult deck automation the flight crew due to more complex situations and in some cases for flight-path operational environments, aircraft systems automation could be better than management, and navigation (traffic and weather). In future humans. However, more confidence in separation ATM concepts, responsibility for separation automation with loss of manual flying assurance and may increasingly be delegated to the skills presents the potential for pilots to terrain avoidance automated systems of the aircraft. As a result lose situational awareness and “get of increased automation, the flight crew may behind the airplane.”. Critical and non- be placed in a monitoring role potentially critical functions can become blurred compromising their ability to intervene when in use. There is the potential for necessary. Unfamiliar modes of aircraft greater loss of flight critical functions automation may result in a perfectly normal and crew understanding of failure flying aircraft suddenly taking on cases. characteristics that the pilot has seldom or never previously encountered. Latent flaws Comment on automation from EASA in the display, or primary flight control system Safety Information Bulletin may go undetected, because not enough SIB No.: 2010-33 human-in-the-loop testing is performed, and Issued: 18 November 2010 the pilots are not trained about the philosophy of the automation. “Nevertheless, automation has its limits. Critically, in complex and highly automated aircraft, flight crews can lose situational awareness of the automation mode under which the aircraft is operating or may not understand the interaction between a mode of automation and a particular phase of flight or pilot input. Such confusion can lead to the mismanagement of the energy state of the aircraft or to the aircraft deviating from the intended flight path.” AoC_188 Introduction of Advanced desk-top training environments are There is a risk that new training new training being proposed that may have serious materials may not be fully customized methodologies shortcomings compared with full-realism flight for advanced aircraft for operation of simulators. Some aspects (such as aircraft If well done, the positive effect in that advanced aircraft dynamics) are best covered using high fidelity the new methodologies will take into simulators, while others can be tackled using account the human factors linked to simpler approaches. Part-task trainers and new technologies of advanced aircraft. limited range of motion high-fidelity simulators may not sufficiently emulate loss-of-control

- 114 -

situations to enable effective upset recovery training. These types of training simulators can lead to negative transfer of training. However, some simulators may be effective in training for recognition and early detection of the conditions preceding loss of control situations. Implementation may be more widespread due to lower cost of part-task trainers. For certain accident types, training may not help; aircraft changes may well be necessary. Upset prevention (via recognition) may improve using part-task simulators, but actual ability to recover from unusual attitudes may worsen.

Nature of Vulnerabilities: • System updates and data integrity. System updates are a concern because of fleet heterogeneity. Pilots may become confused between different configurations of the same aircraft type or between different aircraft types (input from line pilot participants in FAST meeting). There is also concern that unless mandated, upgrades that improve safety may not be incorporated. Data integrity is a concern because of problems, failures, or attack on GPS and stored databases. Associated AoCs: 11, 82, 85, 99, 135, 139, and 148. • System integration, pilot-aircraft interface and pilot workload/training. Today’s highly integrated, interdependent systems are providing the pilots with an ever- increasing amount of automation, information, and responsibility. To prevent pilots from becoming overwhelmed and over-reliant on these systems, the hardware/software will need to be designed to keep the pilot appropriately informed using prioritization schemes. Also, there will be a need to better prepare for and practice high workload periods, especially as pilot demographics transition from military to civilian backgrounds. Training challenges such as less use of full-fidelity simulators and compressed schedules added to pilot diversity will create a greater need for individualized pilot training. Associated AoCs: 13, 43, 85, 184, 188, 189, 200, and 202. • Organizational concerns. There are a number of organizational concerns including criminalization of design or operational errors, design delegation and outsourcing, knowledge management and paper vs. electronic based systems. Where these concerns are relevant to the SE, they are also relevant to the system as a whole and will need to be tracked as the future unfolds. Associated AoCs: 80, 66, 67, 51, 230

Major Interaction Effects: • The interactions among highly integrated systems, pilot-aircraft interface, changing crew responsibilities, pilot demographics, and pilot training may present significant challenges in the implementation and effectiveness of SE 34. • Today’s highly integrated, interdependent systems are providing the pilots with an ever-increasing amount of automation, information, and responsibility. • In addition, new airplanes are designed for high performance with less inherent stability. With that goes a greater need to implement more sophisticated

- 115 -

instrumentation to aid the flight crew.

Near-term Changes to Baseline Risk or New Vulnerabilities: • This SE includes pitch limit indications but does not address pitch rate indications. Recent experience has shown pitch rate indications to be important for inclusion in modern flight decks especially for the next generation of pilots. • Partial implementation that may not yield full benefits. There is significant concern about heterogeneity. Where operators implement an initial release, consequent updates are not guaranteed. Pilots may be confused between different configurations of the same aircraft type. • There is also a significant concern about the amount of automation and information available to the pilot. Information presented to the pilot will need to be prioritized to keep the pilot in the loop. Are there any efforts to evaluate and remove older equipment and indications from the flight deck as new systems are added and to evaluate the impact of the removal of these older features (unintended consequences)? • There is also a significant concern about the increasing integration and complexity of systems. This increased integration and complexity means that a failure in one system may result in erroneous information propagating to seemingly unrelated systems leading to pilot confusion or degraded performance of flight control systems. • Pilots will need to be better prepared for and practice high workload periods, especially as pilot demographics transition from military to civilian backgrounds. Also, airplane designers need to assess the ability of the airplane to gracefully degrade to a pilot operated configuration. • Training challenges such as decreasing use of full-fidelity simulators and compressed schedules coupled with pilot diversity will create a greater need for individualized pilot training. Upset recovery training in actual aerobatic airplanes has been discussed in commercial aviation for years. All military pilots have this experience and very few civilian pilots have it.

- 116 -

continue to grow especially with decreasing opportunities to practice manual flying skills to proficiency and therefore decreasing ability to fly the plane manually. We already have accidents where the crew was so busy managing the systems that they forgot to fly the plane.

Precursors, Watch Items, and System-wide Measurements that Could Indicate Vulnerability: • Track rates of bank and pitch angle exceedances and identify whether display and alerting system provided suitable information to the flight crew • Track rates of engine limit exceedances and significant thrust loss in operational data and identify whether display and alerting system provided suitable information to the flight crew • Track rates of conflicting attitude, airspeed and altitude data and identify whether display and alerting system provided suitable information to the flight crew • Airlines should consider correlating pilot demographics and training records with LoC precursors behind their own firewalls (bank and pitch angle exceedances, etc.) • Monitor development of display concepts enabling enhanced recognition of incipient loss of control (proximity to edge of flight envelope, available control authority or engine thrust, etc.) • Monitor number of pilot safety reports on situations where flight crew is overloaded with information or where the information is misinterpreted. • Monitor LOSA data for threat and error management of unusual attitudes by flight crew. • Monitor trend in number of alerts presented to flight crew per unit time or by flight using FOQA data. Consider evaluating numbers of alerts by aircraft generation.

- 117 -

SE 39: LOC Basic Aircraft Design-Icing

Summary information from SE 39 DIP: Summary of SE: Regulations and guidance materials are in place that adopt the principles embodied in the final reports of the ARAC Ice Protection Harmonization Working Group and the ARAC Flight Test Harmonization Working Group to establish new icing certification criteria, for airplanes not equipped with evaporative systems, that include performance and handling qualities requirements for the following: • Residual ice • Intercycle ice • Delayed anti-icing/de-icing system activation • De-icing/anti-icing system malfunction

Date of Approval: February 2003 Risk Description: • Normal policy/rulemaking process and timeframe (e.g., ARAC, harmonization, etc.) • Potential failures to implement recommendations of the ARAC into regulatory and advisory material • New airplanes will represent a miniscule part of fleet in 2007 • Potential economic burden on manufacturers and operators • Potential inadequate resource availability for manufacturers and operators and FAA Risk Mitigation Plan: • CAST will support timely and successful completion of ARAC activity • Pending successful change to Part 25, industry will continue to comply with the more stringent JAA icing requirements Implementation Progress: Numerous accidents have involved airframe icing as contributory or causal factors. The intent of this project element is to ensure that the proposed rulemaking product of the ARAC Flight Test Harmonization Working Group (FTHWG) includes those criteria that are significant to loss-of-control. Implementation of this project element will consist of: • Providing the FTHWG with these criteria, and • Supporting continued research regarding the effects of airframe icing on the performance and handling characteristics of aircraft It is not yet implemented.

Relevant Areas of Change:

Very Vulnerable

AoC Title Description Vulnerability

AoC_80 Loss of design, The knowledge of why aircraft are designed As personnel change because of operational, and as such, how key maintenance is to be retirements, attrition or other maintenance performed, and why the operational rules are mechanisms, knowledge management knowledge as they are is being lost due to long product becomes a concern. Personnel

- 118 -

design cycle times, extended product life, and responsible for system-wide changes increasing staff turnover. Unforeseen uses of may not be around and information the product (such as operation at higher load and expertise are often lost with factors) also present special challenges in turnover. order to maintain safe operations. The longevity of aircraft designs requires access Sometimes the original “whys” of a to design records that may only exist in particular design practice or hardcopy or software archives that are not operational policy may be forgotten compatible with modern data storage making it difficult to understand the software. Identification of safety-sensitive legacy safety measures. For example, information within difficult to access legacy information from the last icing accident data storage systems will remain a significant may be forgotten with the onset of the challenge. next major accident.

For better or worse, people learn lessons, organizations sometimes don’t. Documentation and expertise are two different things. AoC_151 Decreasing Investments in basic research do have Dismantling of facilities that support commitment to substantial economic benefits and that there icing research may have a negative basic research remains an enormous reservoir of research long-term impact. Without a strong and technology opportunities for which there are no commitment to R&D, these icing- development in immediate commercial benefits. Without related SEs are vulnerable. both government robust funding for basic research, many of and private these opportunities will not receive the sectors attention they deserve. Potential future decreases in projected funding for research pertains to both basic and applied research in science and technology. The three sectors of the world economy that support basic research -- military, private industry, and federal -- all have downsized.

Somewhat Vulnerable

AoC Title Description Vulnerability

AoC_43 Increasing Advanced automation is taking full advantage Ice detection systems have continuous implementation of data sharing among what were previously monitors and self-check to annunciate of highly- independent LRUs. As more crew functions system failures. However, a full integrated, are automated there is a high reliance on the comprehension of technological interdependent integrity and fidelity of the data exchanged. limitations to detect ice, accurate flight-critical High and low criticality functions have accretion rate on critical surfaces and aircraft systems traditionally been physically isolated are now deice systems must be clearly sharing computing and data bus resources. understood by both the manufacturer Software-based isolation and independence and operators Automated checks is much more "fluid" and difficult to assure may provide erroneous data to the than relying on hardware. Lost or erroneous crew which lead to dismissing obvious inputs can result in a cascade of effects on signs during operation indicative of the aircraft. Often, sensors are the lowest airframe icing. Over monitoring and reliability components and therefore need to false alerts create flight crew be redundant to obtain the required system confusion and doubt as to the system safety. Unfortunately, identical sensors are reliability possible leading to incorrect used to achieve the redundancy. Therefore, crew actions. Flight crews must fully sensor failures could produce a single point understand the effects of icing on the failure of multiple devices. Complex systems aircraft model in normal de-icing increase the need for self-checks to verify operation, failed operation and severe software for accuracy and integrity. icing conditions to execute the appropriate procedures.

- 119 -

AoC_66 Increasing Potential criminal liability may reduce normal A manufacturer or airline may be societal pressure incentives to perform research that may found liable in the event of an accident to find individuals reveal possible design defects and if they did not provide performance and operational errors. Criminal prosecution and handling guidance for every organizations triggered by occurrence reports cause worst-case icing encounter or delayed criminally liable aviation personnel such as pilots and Air anti-ice activation. The liability for errors in Traffic Controllers to be reluctant to file safety concerns may make organizations design and reports, thus reducing the possibility of reluctant to develop or implement new operations learning from occurrences. A shift of focus guidance or procedures, especially from a pro-active form of oversight to a after an accident because some legal culture of blame may cause industry systems will consider these members to take a more defensive rather improvements an admission of defect than co-operative attitude towards regulators. in the existing procedures and Not only does this distract aviation designs. professionals from a major task (i.e. contributing to safety improvements), but it also disturbs the open atmosphere in which industry and authorities jointly discuss safety issues.

AoC_129 Increasing Independent of demand trends, the ATM High-density operations will require pressure to system continues to require additional faster turn-around in busier conditions. improve aviation capacity. As demand approaches capacity, More equipment issues will occur in system airlines increase load factors and reduce busier operations simply because of throughput schedules, the pressure to improve the increased volume. With short turn throughput will increase. Because of these times checks of icing detection conditions, SESAR and NextGen have been systems may be delayed as long as designed to upgrade ATM. possible due to time constraints. Potential hazards exist from these changes in: - impacts of complexity - international harmonization - change of roles and responsibilities for pilot, controllers and others due to new concepts of operation - possible new systems such as a traffic optimizer, that will change operational paradigms and affect flight profiles, dispatching - policies, and other aspects of aircraft operation

These changes will require frequent safety and hazard assessment re-evaluation.

AoC_226 Changes in the The shortage of certified maintenance Newer and more advanced designs qualifications of personnel may result in lower quality may require maintenance personnel to maintenance servicing and maintenance of aircraft with a be more experienced with icing personnel concomitant reduction in the reliability of both detection and self-check systems. new and aging aircraft. Servicing of Possible problems with non-qualified advanced avionics will require specialized or under qualified personnel skills, yet training in disciplines such as dispatching aircraft Some systems composite material repair, nondestructive may be disabled upon dispatch. Will inspection, and solid-state icing detection and alerting systems electronics/avionics/built S In test equipment, be part of Minimum Equipment Lists? principles of troubleshooting and human factor is currently only an option within maintenance training curricula. As the number of non-certified staff increases, the need to check their work increases. Certified staff may begin to accept poor quality work either because of time limitations or because

- 120 -

errors are not detected. Other issues, such as tightening of controls on maintenance procedures, limitation of working hours, vision tests, etc. will also reduce the availability of certified maintenance personnel.

Both Somewhat Vulnerable & Somewhat Beneficial AoC Title Description Vulnerability

AoC_39 Increasing use of The use of composites will continue to The use of composite structures will composite increase in aircraft structure. Concerns with require specific consideration for structural this trend may include, but not be limited to: certain anti-ice and de-icing systems. materials - Ability to withstand lightning strikes due to There is the possibility that the new unique dielectric prosperities surfaces will provide certain - In-flight stress monitoring techniques advantages than current surfaces. - Techniques for effective in-situ inspection There is also the possibility that they and/or testing will present new challenges and - Assurance of post-repair structural integrity require new technology solutions. - Long-term performance of composite materials used in advanced aircraft structures - Crashworthiness - Smoke and toxicity

AoC_51 Delegation of New approaches to organizational approvals Beneficial- Manufactures may be responsibility may lead to more and more delegation of encouraged to think outside the box from the responsibility and privileges to the design, and design a better system if they are regulating manufacturer and maintenance organizations not so tightly bound to the regulator authority to the which may lead to inconsistencies in who may not fully understand the new manufacturing, compliance with the regulations. technology. operating or maintaining Vulnerable- Multiple manufactures organization may be operating independently causing issues with pilots flying multiple aircraft types. This is also related to AoC 245: Inconsistencies in the implementation of SMS. AoC_230 Paradigm shift In the future complex, integrated aircraft will Maintenance of ice detection and from paper require more and more automation for fault removal systems will be critical for based to detection, diagnosis, and resolution. In smaller, commuter-class aircraft. electronic based addition, new diagnostic and prognostic Great care must be taken to ensure maintenance safety analysis will require electronic tracking that maintenance records are kept in of maintenance findings and actions. These an easy to access database. Field changes may introduce new considerations personnel must design new such as: computerized systems for easy use. - ensuring quality maintenance on legacy These systems must be portable to aircraft which were previously paper based make possible in situ checks and but are transitioning to a computerized format validations by line technicians. - new skill sets will be required of maintenance personnel because of changing processes, tools, and techniques to support the new computerized systems - greater care and task verification will be required - better coordination between maintenance and flight crews

Both Very Vulnerable and Very Beneficial

- 121 -

AoC_184 Increasing Flight Crews will be required to interact with More information on the condition of amount of an increased amount of information like aircraft surfaces can be beneficial but information CPDLC data, traffic information on CDTIs for must be balanced with other essential available to flight ASAS applications, electronic route information, There is a limited amount crew manuals/flight bags and even the World Wide of space available to display the Web. This information will likely be presented information and pilot capabilities are on extra displays, requiring the crew to divide already stretched to absorb all the their attention. This information may be information being provided to them. integrated in existing systems or may be The increased amount of information presented on a single screen that may available to flight crew may overload introduce the problem of cluttering. Pilots will the pilots and cause workload issues have to be trained to efficiently use the new in critical flight phases. As new data and interfaces. features are added are the old unnecessary ones being removed? Is the information being presented to the pilots in an efficient manner they can understand? Is it being prioritized? AoC_188 Introduction of Current check-and-training systems Advanced aircraft training new training developed to maintain flight standards on requirements differ from earlier methodologies earlier generation aircraft may not necessarily generation aircraft. Ground based for operation of cover all issues relevant to operation of training may not uncover holes in the advanced aircraft advanced aircraft. training. Operational constraints differ Research must be pursued to: from training. - define the changing profile of job qualifications needed by applicants Partially implemented training - devise efficient methods and tools by which methodologies may lead to confusion to select qualified candidates without high of energy state management attrition costs procedures and mode awareness. - develop and validate advanced training delivery systems that meet future staffing and Simulation capability within present training requirements day CBTs brings a whole new level of - create cost-effective new equipment training fidelity to the training delivery. This guidelines and procedures can also be web deployed to the - provide integrated team training for all financial relief of the customer airline aviation operations and the learning benefit for the student - address training for mixed fleet and multi- pilot. New training methodologies are cultured crews primarily reflected in adoption of - evaluate and remediate skill decay for computer based training systems. diagnostic and complex operational tasks SOPs must reflect the limits and benefits of such revised simulators especially as they relate to energy state awareness and flight path management. AoC_189 Shifting Previously many flight crews were drawn This could be positive or negative. demographics from the ranks of retired military personnel Where the new civilian trained crews from military to with significant military flight experience and may not have as much abnormal civilian trained training. In the future, pilots will more than situation training as their military pilots likely be drawn from civilian flight schools. counterparts, the civilian crews may This demographic shift may result in be more open to new technologies in diminished basic airmanship including aircraft the flight deck. Military trained crews energy management, lack of aircraft system may be reluctant to trust the new knowledge and diagnostic skills, manual technological aids and may refuse handling, ability to operate advanced aircraft use/listen to the device or even turn it in abnormal situations/attitudes, and recover on. Training will need to be adjusted to from unanticipated situations when there is fit the needs of the individual pilot in no checklist. order for this SE to be effective, regardless of whether the pilot is from a military or civilian background.

Nature of Vulnerabilities: • Loss of deep domain expertise – regulators, operators and OEMs - to arrive at a

- 122 -

reasonable set of criteria that will withstand erosion due to experts coming and going (e.g., very few people know that back in 1940, Clarence “Kelly” Johnson from Lockheed, flight tested 6% and 12% of wing chord de-icing boots to find that with only 6% wing chord boots, separation-induced stalls were inevitable following ice accretion; with 12% chord boots, even forward-facing ice steps on the wing would not cause catastrophic separation and stall). AoC 80 • Decreasing commitment to fundamental and operational research that could contribute to a better understanding of ice accretion and detection. Potential loss of key icing research facilities. AoC 151 • Because of the ever-increasing societal pressure to find individuals and organizations criminally liable for errors in design and operations, the likelihood to identifying and correcting design, operational and/or maintenance issues related to icing detection, self-check, and alerting systems will be decreasing. As a result, quick correction as well as retrievable know-how and know-why will become less and less available. AoC 39, 66, 80 • To apply the correct training for the particular aircraft will be further complicated by increased outsourcing, as well as increasing pressure to shorten and compress pilots training. In addition, certification requirements do not allow for correction or enhancement of crew response upon detection of ice accretion in the airline training package. AoC 51 • Because certification requirements deliberately stay away from prescribed solutions (design, operation, maintenance, certification), implementations may differ from one aircraft to another. This makes successful translation from one aircraft’s proven ice detection/mitigation system to another aircraft extremely difficult. AoC 39 Major Interaction Effects : • Key staff turnover, along with more information available to the crew may lead to incorrect information potentially undetected to flight crew (e.g., tail plane stall) AoC 80 and 184. Also interactions with AoC 51, may have a positive effect since scientific advances coupled to more delegation of certification to the OEM may actually mitigate the negative interaction. • Mismatch between crew selection/training along with changing airman ship as well as shortened/compressed pilot training may lead to the inability to train appropriate procedures that are essential for safe flight.

Near-term Changes to Baseline Risk or New Vulnerabilities: • Even the best-protected aircraft against ice may find themselves in severe icing conditions; there are numerous cases in which the encountered flight ice was far beyond certification ice criteria. In these cases, the only way to save the aircraft has been to maneuver out of the ice clouds in order to save the aircraft. It is unknown if this has always saved the day. Current technology ice detectors may not give sufficient time from ice accretion to detection. Therefore pilots may not have enough time for appropriate action to mitigate icing encounter for certain icing conditions. • The large number of different icing encounter procedures for an aircraft type, may

- 123 -

lead to confusion from one aircraft type to another. • Current anti-ice or de-icing systems are vulnerable to severe icing conditions; fundamental recognition of icing limits for the aircraft are not easy to evaluate for the crew.

Longer-term Changes to Baseline Risk or New Vulnerabilities: • All electric aircraft may be fitted with new technology de-icing e.g. electrical impulse de-icing or electrically heated leading edges e.g. using Glare (AoC 09), the characteristics of which are not fully understood in an operational environment.

Precursors, Watch Items, and System-wide Measurements that Could Indicate Vulnerability: • Monitor operational events related to ice detection, self-check, and alerting systems • Track use and monitoring of ICE speeds during flight, in flight anomalies (in flight upsets, roll excursions, buffet) • Monitor emergence of electrically heated leading edges Monitor use of the NLR-developed “Scoring Algorithm for Flight Crew intervention Credit in System Safety Assessments”, ref FAA report AR08-45, dated Nov 2008

- 124 -

SE 60: RI Pilot Training – One Project / SA, SOPs, CRM, All Resources

Summary information from SE 60 DIP: Summary of SE: Substantially reduce or eliminate the risk of Runway Incursions (RI) by the incorporation of RI training into flight crew qualification, approved training, and other pilot training programs. This training will increase the pilot’s ability to recognize and avoid situations leading to runway incursions. Develop policies, procedures, and implementation guidelines for Pilot Training programs to prevent runway incursions. The outcome of this work will be: • Training and/or standardization programs emphasizing situational awareness, standard operating procedures, and pre-flight planning. • Emphasis on Cockpit resource Management (CRM) and command leadership training skills to address the dynamic operating environment faced by pilots • Guidance for prioritization in a multi-tasking environment to emphasize situational awareness, ground operations, and use of all resources. Date of Approval: February 2003 Risk Description: • Possible added training cost for carriers and general aviation • Resistance to voluntary compliance by some carriers, training centers and general aviation segment of industry. Risk Mitigation Plan: • Many of the air carriers and training centers presently provide Runway Incursion training. • Cooperation between FAA and industry organizations would preclude entering into the rule making process. Implementation Progress : SE60 came out of the Runway Incursion JSAT in 2000. Since then, the Runway Safety Program Office established and published a reference library or runway safety materials to be shared with industry. The number of runway surface movement tasks was increased on all required Pilot Certification Practical Test, first by Policy Memo and Flight Standards Information Bulletin (FSIB) and then by revision to all required Written Test and the Practical Test Standards. Additionally, the FAA categorizes and tracks RIs, and their reduction (and interventions to achieve such) is tracked as a Flight Plan item.

Relevant Areas of Change:

Very Vulnerable AoC Title Description Vulnerability

AoC_122 Accelerated Economic pressures to recruit needed pilots The true situation may actually be the transition of pilots for Part 121 operations will likely result in transition of pilots trained in complex, from simple to more rapid transition of trainees from simple advanced flight decks being assigned complex aircraft to complex aircraft. Current certification to simpler, less advanced aircraft. standards may need to be revisited in light of Inexperienced flight crew is the true this phenomenon. Training curricula must issue. Training developed for one

- 125 -

provide the skills needed for command of type of equipment may not be complex, advanced aircraft. applicable to other types of equipment. Accelerated transitions may not adequately highlight the important subtleties.

Previous experience in simple or complex aircraft and a strong frame of reference is critical to seeing through problems and into the reality of the situation. The capability to see the big picture is something that comes from experience, so if you only ever fly reliable aircraft with reliable systems where do you get your experience?

Somewhat Vulnerable

AoC Title Description Vulnerability

AoC_5 Introduction of Operation of Runway-Independent Aircraft Although this AoC is more long-term, new runway- (tilt-wing, tilt-rotor, VSTOL, airships, wing-in- operation of future Runway- independent ground-effect) may have significant effects on Independent Aircraft may affect aircraft concepts. safety and capacity, airspace operations, and ground operations and require new ATC systems integration. techniques for prevention of runway incursions. AoC_11 Increasingly Not all aircraft may have the same level of In a perfect world, airplane heterogeneous equipage in the future. The variation in manufacturers and/or airlines would aircraft fleets sophistication of digital and develop a single equipment designs (varying electromechanical systems within an so that pilots could follow a consistent software, individual aircraft type must also be set of procedures. equipment, considered. An unavoidable mix of new and capabilities, etc.) reused (legacy) software is a future trend and This may be a bigger challenge for there may be increasing numbers of regional airlines with mixed fleets. For jets equipped with possibly more advanced decades, many operators of mixed avionics than legacy aircraft. This could lead fleets have insisted their pilots operate to flight crew confusion and problems a variety of types the same way. maintaining situational awareness. However, aircraft manufacturers may have designed the aircraft with totally different operating philosophies.

AoC_22 Changing Advanced audio, tactile, and visual warning This AoC may lead to pilots relying approaches to systems in aircraft cockpits may change crew more on warning and alert systems for cockpit warning workload and situational awareness. The runway incursion management and and alert proliferation of caution/warning systems and relying less on their basic training. The systems alerts may overwhelm the flight crew in basic training as recommended by the critical phases of flight. Consideration of SE may therefore be less effective. prioritization, total workload, and required situational awareness must precede implementation of such systems. AoC_64 Increased Remote Tower operations will result in Virtual tower concepts will create a implementation reduced staffing of ground personnel and different situation on the airport of Virtual Tower may result in lower quality surface for the pilots. Current Runway operational guidance/clearance information being Incursion prevention training will have concepts communicated to flight crew from remote to be modified to account for these tower controllers. changes in tower operations. AoC_67 Increasing Aviation-related businesses have engaged in Outsourcing may not only apply to economic partnership and outsourcing activities for pilot training, but also to air traffic incentives to many years, but recently the pace and scope control training. Outsourcing of training form partnerships of aviation outsourcing has increased. While may lead to disconnects between the and outsource considerable opportunities exist, businesses airline/ATC and the training organizational need to prepare carefully and take into organization, potentially resulting in

- 126 -

activities consideration a plethora of strategic, differences between the way business, operational and legal issues in pilots/ATC are trained and the way in deciding what to outsource and whether to which they operate. form partnerships. Added complexity in organizations tends to degrade prior, robust, aviation cultures that were previously based on personal relationships.

This has been seen in: -The outsourcing of aviation maintenance, engineering, and logistics services by nearly every major airline some without robust reporting systems in the outsource organizations. - Increasing US airport reliance on outsourcing a wide range of facilities and services. -The emergence of virtual airlines where aircraft are owned by a leasing company and operated by a separate airline entity -Airlines, IT vendors -Complex industrial partnerships between engine, airframe, component and system manufacturers" AoC_184 Increasing Flight Crews will be required to interact with New or revised procedures and amount of an increased amount of information like training must be put in place to give information CPDLC data, traffic information on CDTIs for pilots guidance on processing and available to flight ASAS applications, electronic route responding to new information sources crew manuals/flight bags and even the World Wide and displays in the flight deck. For Web. This information will likely be presented systems presenting nearly identical on extra displays, requiring the crew to divide information, procedures must be their attention. This information may be developed for prioritizing and selecting integrated in existing systems or may be the most reliable decision support tool presented on a single screen that may among the many options. introduce the problem of cluttering. Pilots will have to be trained to efficiently use the new data and interfaces. AoC_189 Shifting Previously many flight crews were drawn Because of the larger percentage of demographics from the ranks of retired military personnel civilian pilots entering the workforce from military to with significant military flight experience and (compared with military trained) civilian trained training. In the future, pilots will more than training will need to be more specific pilots likely be drawn from civilian flight schools. and not assume domain knowledge This demographic shift may result in delivered in military training curricula. diminished basic airmanship including aircraft energy management, lack of aircraft system knowledge and diagnostic skills, manual handling, ability to operate advanced aircraft in abnormal situations/attitudes, and recover from unanticipated situations when there is no checklist. AoC_202 Increasing "Simulator training time is becoming more Additional training requirements are pressure to compressed. In order to save time and being added to an already full training shorten and money: syllabus forcing the compression of compress pilot - emergency/abnormal scenarios are being training time. In addition pilot type training combined together, even though the events training is driven by the PTS are extremely unlikely to occur together requirements for the issuance of a - recent accident scenarios are emphasized type rating. The PTS does not take and "Routine" flight operations are under- into account the wide variations in emphasized aircraft types. Type rating training is - more training is being added without geared to meeting the PTS analyzing the current curriculum to remove requirements and the successful unnecessary or redundant segments" completion of the type check ride.

- 127 -

There is a risk that “fast-track” training doesn’t confer students with a deep, domain-specific knowledge of aircraft systems and their interactions. AoC_205 Increasing risk of Future flight operations might bear the risk of Fatigue reduces the ability of the crew flight crew fatigue increased fatigue of flight crews. This may to implement all that has been learned result from: during training. If they are fatigued, - ultra long range flights with minimum crew much of what has been learned during - harmonized European legislation allowing RI training may be forgotten or longer flight duty times misapplied especially during time- - increased regional operations critical, non-normal situations. - increased pressure on crews to improve economics - passenger and crew screening requirements" AoC_242 Increasing The use of one engine out taxi techniques is Increasing single-engine taxi single-engine taxi on the increase as one means to reduce fuel operations creates vulnerability operations burn. These same techniques have been because pre-flight checks that used to used in the past, and concerns have been be performed at the gate are now voiced and issues have been raised. being delayed to high workload Consequences of this operational procedure periods. By adding procedures and may include excessive jet blast to achieve checks to already high workload wheel un-stick, warning issues related to periods the risk of missed steps accidental single-engine take-off, engine leading to runway incursions and other thermal characteristics, use of standard takeoff issues is greatly increased. operating procedures (SOP) and checklists to avoid cancelled take-offs and/or malfunctions as well as unintended degraded safety. AoC_243 Introduction of To minimize fuel burn, noise, and Although this a long-term issue, novel environmental impact novel technologies to changing the mechanism in which technologies to move aircraft from gate-to-runway and airplanes are moved around the move aircraft runway-to-gate will be introduced. One airport surface will impact runway from gate-to- concept is for tugs to be replaced by an APU incursion training. As this new runway and powered motor-generators that drive the technology becomes available runway runway-to-gate associated aircraft wheel. Another concept is incursion training will need to be for tugs to bring aircraft all the way from the modified to prevent vulnerabilities from gate to the runway. These new systems may appearing. present a number of safety concerns: - changing risk of runway incursions - effectiveness of new pilot interfaces - inadequate visibility from the flight deck - engine run-up and checklist completion

Both Somewhat Vulnerable and Somewhat Beneficial

AoC Title Description Vulnerability

AoC_96 Increasing As all systems become more complex there New technologies such as moving interactions will be an increasing level of interaction map displays allow for increased between highly- between ground-based and aircraft-based situational awareness. On the other automated systems. This increased interaction may hand, these new technologies may ground-based introduce incompatibilities that may result in also distract pilots. Also, new training and aircraft greater system development, integration, and SOPs will need to be created to based systems maintenance, and reduce overall system cater for operations when the performance. Variation in design cycle times equipment is not operational. (MEL). and implementation schedules between airborne systems and ground-based systems may result in lack of coordinated development. These issues underline the need for the introduction of the increased capacity, flexibility, and security of the next generation of ground to aircraft

- 128 -

communication systems.

Nature of Vulnerabilities: • Heterogeneity of aircraft and airports pose a problem to standardized training and procedures. AoC 11, 64, 242, 243 • The changing training and crew advancement environment may introduce new runway incursion vulnerabilities. AoC 122, 67, 189, 202, 205 • Introduction of new technologies will need to be managed in the training and SOPs for runway incursion. Left unchecked, these new technologies could lead to significant vulnerabilities in the system. AoC 5, 22, 96, 184, 243

Major Interaction Effects: • The interaction of changes in training with the introduction of new technologies and the heterogeneity of aircraft and airports may escalate the problems associated with these themes on their own. Systemic vulnerabilities may arise from the convergence of many different, new technologies interspersed with legacy technologies being operated by fatigued pilots with compressed training schedules that may or may not cover the intricacies of each of the different equipment and airport configurations. This complicated problem may be further compounded by a shortage of experienced pilots, and loss of sterile cockpit discipline

Near-term Changes to Baseline Risk or New Vulnerabilities: • There is significant concern about the ongoing pressure to reduce training costs. Increased requirements for RI training may result in further increase of training costs unless a reduction is made elsewhere in the training program. This may result in less time available for basic pilot training or the RI training will be very lean and therefore not effective. The airline may also be forced to reduce training costs by outsourcing the training to the cheapest available alternative, but this may not always result in the highest quality.

Longer-term Changes to Baseline Risk or New Vulnerabilities: • Operation of future technologies, such as Runway-Independent Aircraft (tilt-wing, tilt-rotor, VSTOL, airships, wing-in-ground-effect) and novel ground handling equipment concepts, may affect ground operations and require new training, procedures and potentially new techniques for prevention of runway incursions.

- 129 -

Precursors, Watch Items, and System-wide Measurements that Could Indicate Vulnerability: • Monitor training curriculum as offered by training organizations for increases in scope and depth compared with time set aside by the airline for training in runway incursion prevention. • Monitor the rate of runway incursion incidents at specific airports, by aircraft equipage, and by pilot experience/training to discover vulnerabilities associated with an airport, equipment, or training.

SE 85: LOC Vertical Situation Displays – All Airplane Designs

Summary information from SE 85 DIP: Summary of SE: All airplane designs should be modified, if feasible to include a real time graphical depiction of their vertical situation. Date of Approval: February 2003 Risk Description: • Potential economic burden on manufacturers and operators • Potential inadequate resource availability for manufacturers, operators and FAA • Potential inadequate findings from required surveys/studies • Potential unwillingness to voluntarily implement project outputs • Reluctance to retrofit aging fleets Risk Mitigation Plan: • CAST will advocate voluntary implementation among non-aligned air carriers • Failure to implement advisory material for existing aircraft may require additional rulemaking • Seek consensus on the use of existing studies and surveys by citing use in industry • Model-specific feasibility study for implementation in existing aircraft will be used to mitigate economic impacts and inadequate resource availability Implementation Progress: Vertical Situation Displays – All Airplane Designs Safety Enhancement is tied in with the other loss of control SEs, but is of more recent vintage. Aerospace Industries Association communicated with Airbus Industries, Boeing, Embraer, and Bombardier Aerospace encouraging them to incorporate vertical situation displays into all new aircraft designs. All four manufacturers have agreed to incorporate vertical situation displays into future airplane designs.

Relevant Areas of Change:

Very Vulnerable

AoC Title Description Vulnerability

Aoc_11 Proliferation of Not all aircraft may have the same level of Changes/differences in the heterogeneous equipage in the future. The variation in presentation of the vertical situation to aircraft with sophistication of digital and flight crews introduce the potential risk widely-varying electromechanical systems within an of misinterpretation by crews familiar equipment and individual aircraft type must also be with a different design. Although this

- 130 -

capabilities considered. An unavoidable mix of new and AoC only concerns new aircraft, reused (legacy) software is a future trend and software updates will be a factor within there may be increasing numbers of regional 5 years. We already see that this is a jets equipped with possibly more advanced potential problem for TAWS. avionics than legacy aircraft. This could lead Approaches have been designed to flight crew confusion and problems assuming that a particular version of maintaining situational awareness. TAWS is available.

AoC_66 Increasing Potential criminal liability may reduce normal This is a double-edged sword, a societal pressure incentives to perform research that may manufacturer or airline may be found to find individuals reveal possible design defects and liable if they don’t have a particular and operational errors. Criminal prosecution advanced technology and if they do organizations triggered by occurrence reports cause have it they may be liable for its use or criminally liable aviation personnel such as pilots and Air misuse. This liability may make for errors in Traffic Controllers to be reluctant to file safety organizations reluctant to develop or design and reports, thus reducing the possibility of implement new designs, especially operations learning from occurrences. A shift of focus after an accident because some from a pro-active form of oversight to a countries will consider improvements culture of blame may cause industry an admission of guilt. There is also the members to take a more defensive rather potential risk of not reporting human- than co-operative attitude towards regulators. error based safety issues because of Not only does this distract aviation criminalization cases. professionals from a major task (i.e. contributing to safety improvements), but it also disturbs the open atmosphere in which industry and authorities jointly discuss safety issues. AoC_80 Loss of design, The knowledge of why aircraft are designed As personnel change because of operational, and as such, how key maintenance is to be retirements, attrition or other maintenance performed, and why the operational rules are mechanisms, knowledge management knowledge as they are is being lost due to long product becomes a concern. Sometimes the design cycle times, extended product life, and original “whys” of a particular design increasing staff turn over. Unforeseen uses practice or operational policy may be of the product (such as operation at higher forgotten, making it difficult to load factors) also present special challenges understand the legacy safety in order to maintain safe operations. The measures. For better or worse, longevity of aircraft designs requires access people learn lessons, organizations to design records that may only exist in sometimes don’t. hardcopy or software archives that are not compatible with modern data storage software. Identification of safety-sensitive information within difficult to access legacy data storage systems will remain a significant challenge. AoC_82 Decreasing In order to provide increased utilization of the This is a potential vulnerability separation airspace, separation standards may decrease because it may increase nuisance standards between runways, between aircraft, between alerts. The threshold at which the alert landing operations, and for vertical goes off could be too restrictive for separation. The risk of runway incursions decreased separation standards. may also increase as a result. The reliability Because SOPs require the crews to of technologies and procedures enabling respond to the alerts even if they reduced separation must be assured. believe them to be false this could potentially introduce unnecessary risks or desensitization to the alert. Updated alert technology software or procedures could correct this and the FAA may mandate such updates, but world wide there is no requirement to update systems or software to reflect changing operational standards.

With the decreased separation

- 131 -

standards, in the event of a system failure, erroneous data, or other data issue, the criticality of the situation will be significantly higher than a failure of the system today. AoC_99 Increasing GPS, digital terrain elevation data, and Crews may trust this corrupted data dependence on ground obstacle data may be incorporated over other sources of correct data, accurate into future FMS databases and airport moving potentially leading to devastating databases for map displays. The integrity of the consequences. And if the vertical flight-critical computerized navigation and performance situation displays rely on GPS and functions systems rests on the quality of the terrain databases with no backup FMC/FMGS databases. Avionics and systems and those signals/ databases airframe manufacturers and regulatory are compromised in some fashion, it authorities have recognized the potential for could lead to a serious problem. entering incorrect data through the FMC/FMGS. The final safety net in the process of checking the accuracy of the database information currently lies with the pilot who should cross check electronic data against printed data. Future flight guidance databases may have no printed data against which the pilots can cross-check information.

Somewhat Vulnerable AoC Title Description Vulnerability

AoC_67 Increasing Aviation-related businesses have engaged in The manufacturer may loose core economic partnership and outsourcing activities for capabilities within their organization. incentives to many years, but recently the pace and scope When partnerships are developed, the form partnerships of aviation outsourcing has increased. While manufacturer must maintain design and outsource considerable opportunities exist, businesses capability. This is necessary for organizational need to prepare carefully and take into maintaining oversight capability to activities consideration a plethora of strategic, ensure product quality and safety. business, operational and legal issues in Outsourcing can also lead to deciding what to outsource and whether to difficulties in collecting failure data and form partnerships. Added complexity in delivering that data back to the parties organizations tends to degrade prior, robust, who can act on it such as OEMs. aviation cultures that were previously based on personal relationships. This is particularly a concern for software. When a different This has been seen in: organization develops the software -The outsourcing of aviation maintenance, than the hardware or a different engineering, and logistics services by nearly organization updates software that every major airline some without robust was originally built in house it reporting systems in the outsource potentially opens the system to safety organizations. issues. - Increasing US airport reliance on outsourcing a wide range of facilities and services. -The emergence of virtual airlines where aircraft are owned by a leasing company and operated by a separate airline entity -Airlines, IT vendors -Complex industrial partnerships between engine, airframe, component and system manufacturers AoC_85 Potential There may be an increased requirement for Potential negative influence if the information effective and timely shared decision-making information from the on-board system inequality among in a multi-agent context (multiple aircraft, conflicts with ATC instructions or aviation system ATC, AOC, automation). Shared decision information and ATC is unaware that participants in making requires equality of information of the the pilot is using conflicting information

- 132 -

situations decision makers. If one of the decision to maintain aircraft control. requiring shared maker’s information is out-dated, inaccurate, decision-making absent etc, the decision making process will be flawed. This principle applies to tactical (e.g. traffic conflict resolution involving air- ground and air-air communication) and strategic (e.g. route design) decision making. AoC_135 Decreasing Because other high-tech industries are on This SE relies on specialized market share of such a rapid growth curve, the advanced hardware and software that may be high-tech products purchased by the aviation sector of subject to shortages or price aviation products the economy now represent a smaller share escalation. This may also cause in comparison to of the overall production capability for these heterogeneity within fleets because other sectors specialized products. This may create a some aircraft may be updated before situation where the aviation industry may others. have a more difficult time obtaining the necessary components (both new and replacement) at favorable prices. As a result, obsolescence of flight-critical digital system components may create safety issues in the future. AoC_139 Increasingly Aircraft noise and emissions concerns may This AOC could potentially have a stringent noise become the most important strategic small negative effect on the SE and emissions obstacles for future development of air because flight procedures and constraints on transport. These concerns impact the system operations may need to be adapted to aviation in many ways, including: noise and emissions abatement operations - changes in certification requirements for procedures. Problems with nuisance aircraft alerts may arise if procedures are not - new policies on runway use adapted quickly and correctly making - new take-off and landing profiles which may the system less effective. reduce safety margins - changing aircraft traffic management - introduction of environmental levies or the market based approach of emissions trading

- 133 -

their attention. This information may be pilots in an efficient manner they can integrated in existing systems or may be understand? Is it being prioritized? presented on a single screen that may Lesser impact on SE 85 (compared to introduce the problem of cluttering. Pilots will 34) because this is only about a have to be trained to efficiently use the new single, separate display instead of data and interfaces. many displays. AoC_200 Increased Advanced desk top training environments are The addition of new equipment in the dependence on being proposed that may have serious flight deck will require specific training. synthetic training shortcomings compared with full-realism flight Some skills simply cannot be learned in lieu of full- simulators. Some aspects (such as aircraft in synthetic CBTs. If pilots are trained fidelity simulators dynamics) are best covered using high fidelity to expect or feel incorrect sensations simulators, while others can be tackled using or they have not received enough simpler approaches. Part-task trainers and training for the failure scenario, they limited range of motion high-fidelity simulators may not be able to make the right may not sufficiently emulate loss-of-control decisions in an emergency situation. situations to enable effective upset recovery In some cases (particularly upset training. These types of training simulators recovery) training in an actual can lead to negative transfer of training. aerobatic airplane would be best. However, some simulators may be effective Some airlines have already adopted in training for recognition and early detection this approach. of the conditions preceding loss of control situations. Implementation may be more widespread due to lower cost of part-task trainers. For certain accident types, training may not help; aircraft changes may well be necessary. Upset prevention (via recognition) may improve using part-task simulators, but actual ability to recover from unusual attitudes may worsen. AoC_202 Increasing Simulator training time is becoming more Proper use of vertical situation pressure to compressed. In order to save time and displays will require training. This shorten and money: training may be mandated and be compress pilot - emergency/abnormal scenarios are being inserted into existing, fixed-duration training combined together, even though the events training sessions, However it may not are extremely unlikely to occur together fit in the schedule or if it is squeezed in - recent accident scenarios are emphasized less time may be available for other and "Routine" flight operations are under- essential training components. emphasized Programs like AQP (Advanced - more training is being added without Qualification Programs) may provide a analyzing the current curriculum to remove venue for this advanced training and unnecessary or redundant segments. not force the displacement of other critical training modules.

Both Somewhat Vulnerable and Somewhat Beneficial

AoC Title Description Vulnerability

AoC_43 Increasing Advanced automation is taking full advantage Where increased integration allows for implementation of data sharing among what was previously cross checking of data and the of highly- independent LRUs. As more crew functions potential to lose systems and not integrated, are automated there is a high reliance on the affect the flight of the aircraft, it also interdependent integrity and fidelity of the data exchanged. presents significant safety challenges. aircraft systems High and low criticality functions have There is an increased potential for traditionally been physically isolated are now flight crews to misinterpret failures sharing computing and data bus resources. because of seemingly unrelated Software-based isolation and independence indications and cascading effects is much more "fluid" and difficult to assure among the systems. Also, the than relying on hardware. Lost or erroneous increased complexity may mask inputs can result in a cascade of effects on interdependencies potentially the aircraft. Often, sensors are the lowest rendering intended independence reliability components and therefore need to ineffective. be redundant to obtain the required system

- 134 -

safety. Unfortunately, identical sensors are used to achieve the redundancy. Therefore, sensor failures could produce a single point failure of multiple devices. Complex systems increase the need for self-checks to verify software for accuracy and integrity. AoC_51 Delegation of New approaches to organizational approvals Depending on how this is implemented responsibility may lead to more and more delegation of this could either be beneficial or from the responsibility and privileges to the design, detrimental. From the manufacturers regulating manufacturer and maintenance organizations perspective, delegation of authority to the that may lead to inconsistencies in responsibility maybe positive for manufacturing, compliance with the regulations. safety. Left to their own devices, operating or manufacturers believe that they will maintaining hold themselves to a higher standard organization than the regulator would and the system would be safer as a result. From the regulators perspective delegation of responsibility may be negative for safety. Delegation may provide a greater potential for divergent interpretation of airworthiness codes and a risk of complacency within the manufacturing organizations. AoC_96 Increasing As all systems become more complex there This depends on the type of data. interactions will be an increasing level of interaction Complex systems have so many between highly- between ground-based and aircraft-based connections that interrelationships are automated systems. This increased interaction may impossible to fully determine. ground-based introduce incompatibilities that may result in Complicated systems although having and aircraft greater system development, integration, many interconnections, are well based systems maintenance, and reduce overall system understood and interconnections can performance. Variation in design cycle times be identified and tracked. Techniques and implementation schedules between like Model Based Design may be a airborne systems and ground-based systems good way assess the safety of new may result in lack of coordinated designs. development. These issues underline the need for the introduction of the increased capacity, flexibility, and security of the next generation of ground to aircraft communication systems. AoC_189 Shifting Previously many flight crews were drawn This could be positive or negative. demographics from the ranks of retired military personnel Where the new civilian trained crews from military to with significant military flight experience and may not have as much abnormal civilian trained training. In the future, pilots will more than situation training as their older military pilots likely be drawn from civilian flight schools. counterparts, the civilian crews may This demographic shift may result in be more open to new technologies in diminished basic airmanship including aircraft the flight deck. Older military trained energy management, lack of aircraft system crews may be reluctant to trust the knowledge and diagnostic skills, manual new technological aids and may handling, ability to operate advanced aircraft refuse use/listen to the device or even in abnormal situations/attitudes, and recover turn it on. Training will need to be from unanticipated situations when there is adjusted to fit the needs of the no checklist. individual pilot in order for this SE to be effective, regardless of whether the pilot is from a military or civilian background. AoC_230 Paradigm shift In the future complex, integrated aircraft will Where fault detection, tracking, and from paper require more and more automation for fault consistent diagnoses avoiding “no based to detection, diagnosis, and resolution. In fault found” removals will likely electronic based addition, new diagnostic and prognostic improve, there is also the potential for maintenance safety analysis will require electronic tracking maintenance staff to become over- of maintenance findings and actions. These reliant on these technologies. Where

- 135 -

changes may introduce new considerations data may now be available on more such as: maintenance events, data richness - ensuring quality maintenance on legacy may be lost. Personnel who may have aircraft which were previously paper based included detailed notes in paper-based but are transitioning to a computerized format systems may become frustrated with - new skill sets will be required of the new electronic systems. This maintenance personnel because of changing frustration may prevent some of the processes, tools, and techniques to support detailed information from flowing back the new computerized systems into the safety correction systems. - greater care and task verification will be required - better coordination between maintenance and flight crews

Both Very Vulnerable and Somewhat Beneficial

AoC Title Description Vulnerability

Both Very Vulnerable and Very Beneficial

AoC Title Description Vulnerability

AoC_188 Introduction of Advanced desk-top training environments are There is a risk that new training new training being proposed that may have serious materials may not be fully customized methodologies shortcomings compared with full-realism flight for advanced aircraft for operation of simulators. Some aspects (such as aircraft If well done, the positive effect is that advanced aircraft dynamics) are best covered using high fidelity the new methodologies will take into simulators, while others can be tackled using account the human factors linked to simpler approaches. Part-task trainers and new technologies of advanced aircraft. limited range of motion high-fidelity simulators may not sufficiently emulate loss-of-control situations to enable effective upset recovery training. These types of training simulators can lead to negative transfer of training. However, some simulators may be effective in training for recognition and early detection of the conditions preceding loss of control situations. Implementation may be more widespread due to lower cost of part-task trainers. For certain accident types, training

- 136 -

may not help; aircraft changes may well be necessary. Upset prevention (via recognition) may improve using part-task simulators, but actual ability to recover from unusual attitudes may worsen.

Nature of Vulnerabilities: • System updates and data integrity. System updates are a concern because of fleet heterogeneity. Pilots may become confused between different configurations of the same aircraft type or between different aircraft types (input from line pilot participants in FAST meeting). There is also concern that unless mandated, upgrades that improve safety may not be incorporated. Data integrity is a concern because of problems, failures, or attack on GPS and stored databases. Associated AoCs: 11, 82, 85, 96, 99, 135, 139, 148, and 180. • System integration, pilot-aircraft interface and pilot workload/training. Today’s highly integrated, interdependent systems are providing the pilots with an ever- increasing amount of automation, information, and responsibility. To prevent pilots from becoming overwhelmed and over-reliant on these systems, the hardware/software will need to be designed to keep the pilot appropriately informed using prioritization schemes. Also, there will be a need to better prepare for and practice high workload periods, especially as pilot demographics transition from military to civilian backgrounds. Training challenges such as less use of full-fidelity simulators and compressed schedules added to pilot diversity will create a greater need for individualized pilot training. Associated AoCs: 13, 43, 85, 184, 188, 189, 200, and 202. • Organizational concerns. There are a number of organizational concerns including criminalization of design or operational errors, design delegation and outsourcing, knowledge management and paper vs. electronic based systems. Where these concerns are relevant to the SE, they are also relevant to the system as a whole and will need to be tracked as the future unfolds. Associated AoCs: 80, 66, 67, 51, 230

Major Interaction Effects: • The interactions among highly integrated systems, pilot-aircraft interface, changing crew responsibilities, pilot demographics, and pilot training may present significant challenges in the implementation and effectiveness of SE 85. Today’s highly integrated, interdependent systems are providing the pilots with an ever-increasing amount of automation, information, and responsibility. In addition, new airplanes are designed for high performance with less inherent stability. With that goes a greater need to implement more sophisticated instrumentation to aid the flight crew.

- 137 -

Near-term Changes to Baseline Risk or New Vulnerabilities: • Partial implementation that may not yield full benefits. There is significant concern about heterogeneity. Where operators implement an initial release, consequent updates are not guaranteed. Pilots may be confused between different configurations of the same aircraft type. • There is also a significant concern about the amount of automation and information available to the pilot. Information presented to the pilot will need to be prioritized to keep the pilot in the loop. Are there any efforts to evaluate and remove older equipment and indications from the flight deck as new systems are added and to evaluate the impact of the removal of these older features? Failure to remove older features may result in unintended consequences. • There is also a significant concern about the increasing integration and complexity of systems. This increased integration and complexity means that a failure in one system may result in erroneous information propagating to seemingly unrelated systems leading to pilot confusion or degraded performance of flight control systems. • Pilots will need to be better prepared for and practice high workload periods, especially as pilot demographics transition from military to civilian backgrounds. Also, airplane designers need to assess the ability of the airplane to gracefully degrade to a pilot operated configuration. • Training challenges such as decreasing use of full-fidelity simulators and compressed schedules coupled with pilot diversity will create a greater need for individualized pilot training. Upset recovery training in actual aerobatic airplanes has been discussed in commercial aviation for years. All military pilots have this experience and very few civilian pilots have it.

Longer-term Changes to Baseline Risk or New Vulnerabilities: • New changes to automation or philosophies can impact the guidance and training material. • The SE is vulnerable to the changing pilot community (large number of retirements) that will have different airmanship skills. The retiring pilots are the ones with the military (and unusual attitude recovery) skills. • As aircraft continue to become more highly integrated and functions become increasingly automated, the crew will need a higher level of training to understand and monitor to detect failure of these functions. This gap in understanding may continue to grow especially with decreasing opportunities to practice manual flying skills to proficiency and therefore decreasing ability to fly the plane manually. We already have accidents where the crew was so busy managing the systems that they forgot to fly the plane.

- 138 -

Precursors, Watch Items, and System-wide Measurements that Could Indicate Vulnerability: • Track rates of TAWS alerts and identify whether current display and alerting systems provided suitable information to the flight crew • Track implementation and use of VSDs in new aircraft that are so equipped and identify whether display and alerting system provided suitable information to the flight crew • Track rates of conflicting warnings and alerts from TAWS and VSD and determine if these systems having similar terrain avoidance functions are creating confusion on the flight deck (ASRS reports?) • Monitor number of pilot safety reports on situations where flight crew is overloaded with information or where the information is misinterpreted. • Airlines should consider correlating pilot demographics and training records with Controlled Flight Toward Terrain precursors behind their own firewalls (loss of situational awareness, response to EGPWS warnings, etc.) • Monitor development of display concepts enabling enhanced recognition of incipient loss of control in Controlled Flight Toward Terrain situations (proximity to edge of flight envelope, available control authority or engine thrust, etc.) • Monitor LOSA data (flight crew performance) addressing threat and error management of Controlled Flight Toward Terrain and/or TAWS warnings. • Monitor trend in number of alerts presented to flight crew per unit time or by flight using FOQA data

- 139 -

SE 120: CFIT - TAWS Improved Functionality

Summary information from SE 120 DIP: Summary of SE: Controlled Flight Into Terrain (CFIT) - accidents, where a properly functioning aircraft under the control of a fully qualified and certificated crew is flown into terrain with no apparent awareness on the part of crew, could be substantially reduced or eliminated with the addition of GPS navigation data to the TAWS equipment. GPS sensors are also critical to achieving the full potential of SE-1 (TAWS) in a limited ground navigation aid environment. Additionally, timely revisions to TAWS terrain databases, alerting algorithms, and optional features should be incorporated into the TAWS equipment to ensure the accuracy and timeliness of the TAWS warnings and displays. Existing airplanes used in commercial operations worldwide have varying operational capabilities and limitations. These various capabilities and limitations require the development and employment of a variety of strategies to improve the overall safety of approach operations. Current production models, new type design airplanes, and existing aircraft where appropriate include GPS equipment to allow incorporation of certain TAWS enhancements. Standard operating procedures should be established to help flight crews operate in areas with limited navigation aids.

Date of Approval: October 2006 Risk Description: This SE (Outputs 2 and 3) installs GPS so that TAWS can utilize GPS position information. GPS updating ensures that TAWS functions reliably when operating into areas with limited ground base navigation aids and reduces the risk in those situations where a map shift/navigation error may occur. The initial TAWS fatality risk reduction estimate was based on the assumption that the navigation system would be reliable and accurate. The lack of GPS will adversely affect the safety benefits of the CAST plan in regions other than the U.S. and Europe (e.g., Latin America CFIT is 67% of the total risk) Note: Additionally, GPS position could enable improved TCAS effectiveness and advanced runway incursion systems. Note: Additionally, GPS position could enable improved TCAS effectiveness and advanced runway incursion systems. Risk Mitigation Plan: None listed in DIP Implementation Progress:

Relevant Areas of Change:

Somewhat Vulnerable

AoC Title Description Vulnerability

- 140 -

crew members for on-line viewing or data a loss of EFB data or hardware download. failure?

The use of non-approved EFBs or out of date databases will need to be monitored. AoC_93 Increasing Future air navigation systems will feature The accuracy and integrity of satellite- reliance on international agreement on a "next- based systems used for navigation satellite-based generation" plan for more efficient and separation between aircraft and systems for CNS communication, navigation, surveillance and terrain may be at risk without robust functions air traffic management (CNS/ATM), based protection systems especially as the heavily on satellite technology. The much incidence of jamming and cyber attack more accurate positioning of aircraft in the increase in frequency. The much more airspace due to GPS/GNNS technologies accurate positioning of aircraft due to may also require changes to existing GPS/GNNS technologies may also procedures. require changes to existing procedures particularly in emergency situations. AoC_99 Increasing GPS, digital terrain elevation data, and The integrity of the computerized dependence on ground obstacle data may be incorporated navigation and performance systems accurate into future FMS databases and airport moving rests on the quality of the FMC/FMGS databases for map displays. The integrity of the databases. In addition to corrupt data, flight-critical computerized navigation and performance entries by the flight crews will require functions systems rests on the quality of the verification to a database that may not FMC/FMGS databases. Avionics and exist in paper form. The Database airframe manufacturers and regulatory Harmonization Working Group may be authorities have recognized the potential for addressing the chain of database entering incorrect data through the development; data ownership and FMC/FMGS. The final safety net in the database approval depend on process of checking the accuracy of the accuracy checks along the process. database information currently lies with the pilot who should cross check electronic data against printed data. Future flight guidance databases may have no printed data against which the pilots can cross check information.

AoC_136 Increasing use of Economic pressures are driving many COTS products used in avionics and Commercial Off commercial and governmental operators terrain avoidance systems may not The Shelf within the aviation system toward purchase of have been subject to the (COTS) products COTS products. Although these products verification/validation rigor required to in aviation may have a favorable cost-to-performance maintain safe, dependable operation ratio, they may not have been subject to the of the aviation system. This may be verification/validation rigor required to especially important for systems maintain safe, dependable operation of the designed to compare the horizontal aviation system. Examples include and vertical position of the aircraft microprocessors (from PC industry), based on GPS technology and the operating systems (e.g., Windows and underlying terrain. LINUX), and graphics processors (from video game industry).

AoC_148 Increasing Hostile acts against the aviation system are GPS navigation signals are not subject frequency of manifested in several ways: to ground jamming yet. Incidents of hostile acts - cyber attacks on data links, databases and jamming of such signals are almost against the digital/ electromechanical systems, jamming non-existent in the operational record. aviation system resulting in loss of RF signals used for critical This is not vulnerability but is a CNS functions and FADEC operation. concern. A related concern would be - increasing sophistication and proliferation of the integrity of data-links and explosive materials, biological/chemical toxic databases in use throughout the agents, and anti-aircraft weapons. aviation system. - increasing frequency of distraction, glare and temporary flash blindness from easily Laser assault on the eyes of flight available and low cost of high-strength lasers crews often occur when the aircraft is

- 141 -

at low altitude and in close proximity to terrain. For these reasons, the industry may want to investigate the feasibility of passive laser filters build into or applied as an overlay on flight deck windows.

Both Somewhat Vulnerable and Somewhat Beneficial AoC Title Description Vulnerability

AoC_21 Implementation The future evolution of weather monitoring Advanced weather information of advanced systems (i.e. advanced supplementary systems may allow more aircraft to fly supplementary cockpit weather information systems) will in closer proximity to adverse weather cockpit weather allow aircraft to identify, and then fly routes than current systems would allow. information that have the most favorable weather. As this With the onset of RNP approaches systems technology expands in use, the density of and RNAV departures at airports these routes may rise accordingly. located in higher terrain or limited Dependence on the reliability of non-certified radar areas, EGPWS functionality may equipment (i.e. smart phones) may become be vulnerable. an issue if pilots become dependent on a platform that does not have an inherent The use of advanced cockpit weather safety function. information systems should identify weather conditions that previously may have created more CFIT risk. AoC_43 Increasing Advanced automation is taking full advantage TAWS functionality will be integrated implementation of data sharing among what were previously into a highly automated cockpit using of highly- independent LRUs. As more crew functions shared resources. These software- integrated, are automated there is a high reliance on the based systems may be vulnerable to interdependent integrity and fidelity of the data exchanged. independent failures that may cause flight-critical High and low criticality functions have multiple failures that are difficult to aircraft systems traditionally been physically isolated are now diagnose. sharing computing and data bus resources. Software-based isolation and independence Integrated systems (auto is much more "fluid" and difficult to assure pilot/EGPWS) may cause the aircraft than relying on hardware. Lost or erroneous to react in CFIT situations (auto pull- inputs can result in a cascade of effects on up) without any pilot input or the aircraft. Often, sensors are the lowest incomplete understanding of the reliability components and therefore need to system behavior by the flight crew. be redundant to obtain the required system safety. Unfortunately, identical sensors are More integrated systems may in some used to achieve the redundancy. Therefore, cases improve the situational sensor failures could produce a single point awareness of the flight crew as well as failure of multiple devices. Complex systems improve the performance of the increase the need for self-checks to verify vehicle. software for accuracy and integrity.

Nature of Vulnerabilities: • Accuracy and Integrity of satellite-based systems and flight information AoCs 36, 93, 99, 136, 148 • Multiple systems/displays causing information overload AoC 21, 36, 184 • Flight crew misunderstanding of new, complex, integrated systems AoC 43

Major Interaction Effects: • Integration of systems and procedures for use of EGPWS and Vertical Situation

- 142 -

Displays that both provide terrain awareness. • Interaction/conflicts between on-board navigation databases and satellite-based positioning systems. • Interactions among the various elements of the chain consisting of database development, data ownership and database approval depend on accuracy checks including consistency of waypoint identifiers, frequencies, and altitudes.

Near-term Changes to Baseline Risk or New Vulnerabilities: • Hostile acts (lasing and electronic jamming) occurring at low altitudes where terrain awareness and energy/flight path management are critical. • Advanced weather information systems may allow more aircraft to fly into in closer proximity to adverse weather that current systems would allow. With the onset of RNP approaches and RNAV departures at airports located in higher terrain or limited radar areas, EGPWS functionality may be vulnerable.

Longer-term Changes to Baseline Risk or New Vulnerabilities: • The integrity of the computerized navigation and performance systems rests on the quality of the FMC/FMGS databases. Avionics and airframe manufacturers and regulatory authorities have recognized the potential for entering incorrect data through the FMC/FMGS. • More extensive use of COTS products. Although these products may have a favorable cost-to-performance ratio, they may not have been subject to the verification/validation rigor required to maintain safe, dependable operation of the aviation system. • Dependence on the reliability of non-certified equipment (i.e. smart phones) may become an issue if pilots become dependent on a platform that does not have an inherent safety function. • As more crew functions are automated there is a high reliance on the integrity and fidelity of the data exchanged. High and low criticality functions that have traditionally been physically isolated will increasingly share computing and data bus resources. Software-based isolation and independence will be much more "fluid" and difficult to assure than relying on hardware. • Eventually, the TAWS databases maybe updated at the gate via wireless systems. Cyber attack on these information links as well as configuration control may become an issue. • Automatic flight control system commands to avoid terrain at altitudes where EGPWS alerts may be generated. How should the crew react to near- simultaneous EGPWS alerts and the airplane engaging in an un-commanded (by the crew) terrain avoidance maneuver?

Precursors, Watch Items, and System-wide Measurements that Could Indicate Vulnerability: • Identify reports of GPS-based navigation systems failures and associated causes • Monitor instances of improper response to EGPWS alerts and the circumstances the preceded them • Query ASRS reports for the correlation between flight crew fatigue and low-altitude

- 143 -

incidents of loss of control or situational awareness • Monitor emergence of tools and methods for validation of navigation databases • Identify incidents involving use of non-approved GPS electronic devices in the flight deck • Monitor field evaluations and initial operational deployment of flight control systems that automatically avoid terrain via control inputs not generated by the crew • Identify incidents involving use of non-approved GPS electronic devices in the flight deck

- 144 -

SE 133: Icing - Turboprop Aircraft Ice Detection Systems

Summary information from SE 133 DIP: Summary of SE: Adapt and implement systems that automatically detect ice, measure the rate of ice accretion, and provide annunciation to the flight crew, on turboprop aircraft that have non-evaporative ice protection systems and non-powered flight controls on all aircraft operated in commercial passenger and cargo revenue service.

Date of Approval: October 2007 Risk Description: none in current DIP Risk Mitigation Plan: none in current DIP, but actions are as follows: 1. AIA encourages manufacturers to adapt existing probe technology to provide “rate” measurement capability for turboprop aircraft 2. FAA review AC 25.1419-1A “ Certification of transport category airplanes for flight in icing conditions “ and if necessary develop additional guidance for design and certification of these systems (particularly “rate” capability) 3. Airframe manufacturers select and install probe technology that can detect ice, measure icing accretion rate and provide crew annunciation 4. Manufactures develop operating procedures for use of the ice detection system above 5. Operators train flight crews on use of this system. 6. Conduct feasibility study to determine if it is appropriate to install ice detection systems for each type of turboprop aircraft. 7. Refer the completed study to the CAST for follow on action as outlined in the CAST Process. Implementation Progress: Icing – Safety Enhancement 133, Turboprop Aircraft Ice Detection Systems, is fairly recent and seeks to have more definitive icing detection. It is not implemented yet.

Relevant Areas of Change:

Very Vulnerable

AoC Title Description Vulnerability

AoC_43 Increasing Advanced automation is taking full advantage Ice detection systems have continuous implementation of data sharing among what was previously monitors and self-check to annunciate of highly- independent LRUs. As more crew functions system failures. However, a full integrated, are automated there is a high reliance on the comprehension of technological interdependent integrity and fidelity of the data exchanged. limitations to detect ice, accurate flight-critical High and low criticality functions have accretion rate on critical surfaces and aircraft systems traditionally been physically isolated are now deice systems has to be clearly sharing computing and data bus resources. understood by both the manufacturer Software-based isolation and independence and operators. is much more "fluid" and difficult to assure than relying on hardware. Lost or erroneous Automated checks may provide inputs can result in a cascade of effects on erroneous data to the crews that lead the aircraft. Often, sensors are the lowest to dismissing obvious signs during reliability components and therefore need to operation indicative of airframe icing. be redundant to obtain the required system

- 145 -

safety. Unfortunately, identical sensors are Over monitoring and false alerts used to achieve the redundancy. Therefore, create flight crew confusion and doubt sensor failures could produce a single point as to the system reliability possible failure of multiple devices. Complex systems leading to incorrect crew actions. increase the need for self-checks to verify software for accuracy and integrity. Flight crews must fully understand the effects of icing on the aircraft model in normal de-icing operation, failed operation and severe icing conditions to execute the appropriate procedures. AoC_80 Loss of design, The longevity of aircraft designs requires As personnel change because of operational, and access to design records that may only exist retirements, attrition or other maintenance in hardcopy or software archives that are not mechanisms, knowledge management knowledge compatible with modern data storage becomes a concern. Personnel software. Identification of safety-sensitive responsible for system-wide changes information within difficult to access legacy may not be around and information data storage systems will remain a significant and expertise are often lost with challenge. turnover.

Sometimes the original “whys” of a particular design practice or operational policy may be forgotten making it difficult to understand the legacy safety measures. For example, information from the last icing accident may be forgotten with the onset of the next major accident. Evidence: there are pilots who are unsure about the why their aircraft does or does not require tail plane de- icing.

As certification standards vary over time, experts on these topics possess valuable information that needs to be passed on or it is lost. Documentation of expertise is rare. AoC_151 Decreasing Investments in basic research do have Dismantling of facilities that support commitment to substantial economic benefits and that there icing research may have a negative basic research remains an enormous reservoir of research long-term impact. Without a strong and technology opportunities for which there are no commitment to R&D, these icing- development in immediate commercial benefits. Without related SEs are vulnerable. both government robust funding for basic research, many of and private these opportunities will not receive the sectors attention they deserve. Potential future decreases in projected funding for research pertains to both basic and applied research in science and technology. The three sectors of the world economy that support basic research -- military, private industry, and federal -- all have downsized.

Somewhat Vulnerable AoC Title Description Vulnerability

AoC_11 Increasingly Not all aircraft may have the same level of New aircraft of the same model could heterogeneous equipage in the future. The variation in be outfitted with different equipment. aircraft fleets sophistication of digital and Differences in the presentation of (varying electromechanical systems within an information to flight crews introduce software, individual aircraft type must also be the potential risk of misinterpretation

- 146 -

equipment, considered. An unavoidable mix of new and by crews familiar with a different capabilities, etc.) reused (legacy) software is a future trend and design. Although this AoC will there may be increasing numbers of regional increase heterogeneity in the short jets equipped with possibly more advanced term, in the long term this vulnerability avionics than legacy aircraft. This could lead should decrease. to flight crew confusion and problems maintaining situational awareness.

AoC_14 Increasing Future vehicle health systems may be based Latent failures in an automated ice reliance on on continuously updated vehicle state detection and accumulation rate automated matrices derived from networks of multiple sensor could go undetected based on vehicle health sensors. Advanced software models non-critical software used to monitor management incorporating the functional characteristics of critical equipment. It may be systems the vehicle may process the sensor network problematic to verify proper function of outputs. Such complex systems if used for ice detection systems without actually flight critical functions must be subject to accumulating ice. rigorous software certification techniques that may not exist today. Ice systems are currently advisory systems. Annunciation lights do not automate the activation of the de-icing or anti-icing system. The technology used for ice detection systems is currently not designed as a flight- critical system. Therefore, automatic ice detection systems have a reliability associated with the criticality of the current use. In addition, there are known cases with ice detectors (vibrating pin type) will not detect ice with ice accumulation. An example is at the suction peak on the wing upper surface; this happens just under 0 deg; the ice then forms on the wing with the temperature below zero at the negative pressure peak, that is critical at higher temperatures when the Liquid Water Content (LWC) is the highest. The other is super-cooled water droplets that require a larger surface area to form on than the vibrating probes can provide.

Crew annunciation of ice may not necessarily be best practice amidst a myriad of other events on a flight deck, especially in ice conditions. Automated recognition of an ice situation may happen too late under various operating conditions.

Automated coupling of wing and engine anti-ice may be appropriate as selection of engine anti-icing is virtually never forgotten. AoC_66 Increasing Potential criminal liability may reduce normal A manufacturer or airline may be societal pressure incentives to perform research that may found liable in the event of an accident to find individuals reveal possible design defects and if they did not provide ice detection and operational errors. Criminal prosecution equipment and guidance for every organizations triggered by occurrence reports cause worst case icing encounter or delayed criminally liable aviation personnel such as pilots and Air anti-ice activation. . The liability for errors in Traffic Controllers to be reluctant to file safety concerns may make organizations

- 147 -

design and reports, thus reducing the possibility of reluctant to develop or implement new operations learning from occurrences. A shift of focus equipment or procedures, especially from a pro-active form of oversight to a after an accident because some legal culture of blame may cause industry systems will consider these members to take a more defensive rather improvements an admission of defect than co-operative attitude towards regulators. in the existing procedures and Not only does this distract aviation designs. professionals from a major task (i.e. contributing to safety improvements), but it also disturbs the open atmosphere in which industry and authorities jointly discuss safety issues.

AoC_122 Accelerated Economic pressures to recruit needed pilots Training on more automated and transition of pilots for Part 121 operations will likely result in complex aircraft requires the same or from simple to more rapid transition of trainees from simple more training not less especially in the complex aircraft to complex aircraft. Current certification domain of icing detection and standards may need to be revisited in light of appropriate aircraft handling. this phenomenon. Training curricula must provide the skills needed for command of complex, advanced aircraft.

AoC_129 Increasing Independent of demand trends, the ATM High-density operations will require pressure to system continues to require additional faster turn around in busier conditions. improve aviation capacity. As demand approaches capacity, More equipment issues will occur in system airlines increase load factors and reduce busier operations simply because of throughput schedules, the pressure to improve the increased volume. With short turn throughput will increase. Because of these times checks of icing detection conditions, SESAR and NextGen have been systems may be delayed as long as designed to upgrade ATM. possible due to time constraints. Potential hazards exist from these changes in: - impacts of complexity - international harmonization - change of roles and responsibilities for pilot, controllers and others due to new concepts of operation - possible new systems such as a traffic optimizer, that will change operational paradigms and affect flight profiles, dispatching - policies, and other aspects of aircraft operation

These changes will require frequent safety and hazard assessment re-evaluation.

AoC_135 Decreasing Because other high-tech industries are on Out of production parts for icing market share of such a rapid growth curve, the advanced detection and alerting systems may high-tech products purchased by the aviation sector of become expensive, and companies aviation products the economy now represent a smaller share may be unwilling to pay the higher in comparison to of the overall production capability for these price. other sectors specialized products. This may create a situation where the aviation industry may Unexpectedly found to be within the 3 have a more difficult time obtaining the to 5 year time frame. Some systems necessary components (both new and become obsolete in the box. Off-the- replacement) at favorable prices. As a result, shelf boxes become obsolete when obsolescence of flight-critical digital system parts run out. Ice detection systems components may create safety issues in the are especially likely to be affected by future. obsolescence because of the large amounts of research being done in

- 148 -

this area.

AoC_202 Increasing Simulator training time is becoming more Ground based training for icing must pressure to compressed. In order to save time and accurately represent the change in shorten and money: aircraft handling qualities as well as compress pilot - emergency/abnormal scenarios are being emphasize proper response to training combined together, even though the events automated warnings such as stick are extremely unlikely to occur together pusher activation. Training should - recent accident scenarios are emphasized include understanding the system and "Routine" flight operations are under- failures. Flight crew have a poor emphasized understanding of aircraft limitations - more training is being added without with ice accretion analyzing the current curriculum to remove unnecessary or redundant segments

AoC_226 Changes in the The shortage of certified maintenance Newer and more advanced designs qualifications of personnel may result in lower quality may require maintenance personnel to maintenance servicing and maintenance of aircraft with a be more experienced with icing personnel concomitant reduction in the reliability of both detection and self-check systems. new and aging aircraft. Servicing of Possible problems with non-qualified advanced avionics will require specialized or under qualified personnel skills, yet training in disciplines such as dispatching aircraft Some systems composite material repair, nondestructive may be disabled upon dispatch. Will inspection, solid-state electronics/avionics icing detection and alerting systems built-In test equipment, principles of be part of Minimum Equipment Lists? troubleshooting and human factor is currently only an option within maintenance training If so, under what limitations? curricula. As the number of non-certified staff increases, the need to check their work increases. Certified staff may begin to accept poor quality work either because of time limitations or because errors are not detected. Other issues, such as tightening of controls on maintenance procedures, limitation of working hours, vision tests, etc. will also reduce the availability of certified maintenance personnel.

Both Somewhat Vulnerable and Somewhat Beneficial

AoC Title Description Vulnerability

AoC_51 Delegation of New approaches to organizational approvals Beneficial- Manufacturers may be responsibility may lead to more and more delegation of encouraged to think outside the box from the responsibility and privileges to the design, and design a better system if they are regulating manufacturer and maintenance organizations not so tightly bound to the regulator authority to the that may lead to inconsistencies in who may not fully understand the new manufacturing, compliance with the regulations. technology. operating or maintaining Vulnerable- Multiple manufactures organization may be operating independently causing issues with pilots flying multiple aircraft types. This is also related to AoC 245-Inconsistencies in the implementation of SMS. AoC_184 Increasing Flight Crews will be required to interact with More information on the condition of amount of an increased amount of information like aircraft surfaces can be beneficial but information CPDLC data, traffic information on CDTIs for must be balanced with other essential available to flight ASAS applications, electronic route information, There is a limited amount crew manuals/flight bags and even the World Wide of space available to display the

- 149 -

Web. This information will likely be presented information and pilot capabilities are on extra displays, requiring the crew to divide already stretched to absorb all the their attention. This information may be information being provided to them. integrated in existing systems or may be presented on a single screen that may The increased amount of information introduce the problem of cluttering. Pilots will available to flight crew may overload have to be trained to efficiently use the new the pilots and cause workload issues data and interfaces. in critical flight phases. As new features are added are the old unnecessary ones being removed? Is the information being presented to the pilots in an efficient manner they can understand? Is it being prioritized? AoC_188 Introduction of Current check-and-training systems Advanced aircraft training new training developed to maintain flight standards on requirements differ from earlier methodologies earlier generation aircraft may not necessarily generation aircraft. Ground based for operation of cover all issues relevant to operation of training may not uncover holes in the advanced aircraft advanced aircraft. training. Operational constraints differ Research must be pursued to: from training. - define the changing profile of job qualifications needed by applicants Partially implemented training - devise efficient methods and tools by which methodologies may lead to confusion to select qualified candidates without high of energy state management attrition costs procedures and mode awareness. - develop and validate advanced training delivery systems that meet future staffing and Simulation capability within present training requirements day CBTs brings a whole new level of - create cost-effective new equipment training fidelity to the training delivery. This guidelines and procedures can also be web deployed to the - provide integrated team training for all financial relief of the customer airline aviation operations and the learning benefit for the student - address training for mixed fleet and multi- pilot. New training methodologies are cultured crews primarily reflected in adoption of - evaluate and remediate skill decay for computer based training systems. diagnostic and complex operational tasks SOPs must reflect the limits and benefits of such revised simulators especially as they relate to energy state awareness and flight path management. AoC_189 Shifting Previously many flight crews were drawn This could be positive or negative. demographics from the ranks of retired military personnel Where the new civilian trained crews from military to with significant military flight experience and may not have as much abnormal civilian trained training. In the future pilots will more than situation training as their military pilots likely be drawn from civilian flight schools. counterparts, the civilian crews may This demographic shift may result in be more open to new technologies in diminished basic airmanship including aircraft the flight deck. Military trained crews energy management, lack of aircraft system may be reluctant to trust the new knowledge and diagnostic skills, manual technological aids and may refuse handling, ability to operate advanced aircraft use/listen to the device or even turn it in abnormal situations/attitudes, and recover on. Training will need to be adjusted to from unanticipated situations when there is fit the needs of the individual pilot in no checklist. order for this SE to be effective, regardless of whether the pilot is from a military or civilian background.

- 150 -

Nature of Vulnerabilities: • Loss of deep domain expertise – regulators, operators, and OEMs - to arrive at a reasonable set of criteria that will withstand erosion due to experts coming and going. (e.g., very few people know that back in 1940, Clarence “Kelly” Johnson from Lockheed flight tested 6% and 12% of wing chord de-icing boots to find that with only 6% wing chord boots, separation-induced stalls were inevitable following ice accretion; with 12% chord boots, even forward-facing ice steps on the wing would not cause catastrophic separation and stall). AoC 80, 226 • Decreasing commitment to fundamental and operational research that could contribute to a better understanding of ice accretion and detection. Potential loss of key icing research facilities. AoC 151 • Some ice detectors may not accurately measure ice accretion, because initial roughness, inter-cycle ice, etc. appears in different shape and roughness on rubber boots as on the ice detector as well as not on the detector but with ice on the boots, coupled with unclear self- check routines, as well as new training philosophies for pilots, may leave significant open safety holes. AoC 43 • Because of the ever-increasing societal pressure to find individuals and organizations criminally liable for errors in design and operations, the likelihood to identify and correct design, operational and/or maintenance issues related to icing detection, self-check, and alerting systems may be impeded. As a result, quick correction as well as retrievable know-how and know-why will become less and less available. AoC 14, 66 • To apply the correct training for the particular aircraft will be further complicated by increased outsourcing, as well as increasing pressure to shorten and compress pilots training. AoC 11,122,188,202 • Because certification requirements deliberately stay away from prescribed solutions (design, operation, maintenance, and certification), anti-icing system implementations may differ from one aircraft to another. This makes successful translation from one aircraft’s proven ice detection/mitigation system to another aircraft extremely difficult. AoC 11, 43,184

Major Interaction Effects: • Increasing reliance on automation, introduction of new training methodologies against a background of increasing need for performance validation and self- checks • Increasing reliance on automation with the introduction of new training methodologies and an increasing need for performance validation and self-checks • Increased training outsourcing and the increasing pressure to shorten and compress pilots training will increase the vulnerability of pilot confusion between different system operation and indications for different aircraft types.. • Increased complexity and integration of unrelated systems increases the vulnerability of the flight crew misinterpreting indications and understanding the systems failures or degraded modes of operation.

- 151 -

Near-term Changes to Baseline Risk or New Vulnerabilities: • Inability for pilots to timely translate ice detector signals into appropriate action to select appropriate V speeds. • Even the best-protected aircraft against ice may find themselves in severe icing conditions; there are numerous cases in which the encountered flight ice was far beyond certification ice criteria. • Current technology ice detectors may not give sufficient time from detection to allow pilots timely appropriate action to mitigate icing encounter for all icing conditions. • Vast number of different icing encounter procedures by aircraft type, leading to confusion from one aircraft type to another • Current anti-ice or de-icing systems are vulnerable to severe icing conditions. Fundamental recognition of icing limits for the aircraft may not be easy to evaluate for the crew.

Longer-term Changes to Baseline Risk or New Vulnerabilities: • Certification getting more complex as years progress, not leading to ease of operation for pilots (no simple process) • All electric aircraft maybe fitted with new technology de-icing; e.g. electrical impulse de-icing or electrically heated leading edges e.g. using Glare (AoC 09), the characteristics of which are not fully understood in an operational environment.

Precursors, Watch Items, and System-wide Measurements that Could Indicate Vulnerability: • Monitor emergence of good process checklists from operators • Monitor development of certification rules related to ice detection, alerting, and self- check systems • Monitor increase of in-flight upsets, roll excursions, buffet due to icing • Monitor crew failure to recognize natural stall behavior with ice • Anti-icing/de-icing systems are very sensitive to design and certification margins and in severe conditions, not human-fault (late activation) tolerant, hence concrete advice on early action benefits will be very difficult. However, this analysis reveals the following items for further review - Survey of de-icing boot lengths, incidents and accidents and determine if there is a need to do something and - Introduce, when appropriate a link between Engine Anti-Ice ON and stall warning and/or increased speed selection. - Improved safety through simplified procedures - Cost reduction, no need to wait for new ice detector development • Evaluate the merits of ATC intervention, to get early warning of impending severe icing as well as improved routing to get out of the icing

- 152 -

SE 183: Wrong Runway Departures – Cockpit Moving Map Display and Runway Awareness System

Summary information from SE 183 DIP: Summary of SE: The purpose of this safety enhancement is to reduce wrong runway departures and runway incursions by encouraging the installation of own-ship moving map display and/or runway awareness systems that provide as many of the following features as possible: • Attempted take-off on the wrong runway • The taxiway/runway that the airplane is approaching • The taxiway/runway that the airplane is on • Attempted take-off on a taxiway • Attempted take-off on a runway with insufficient length Date of Approval: February 2003 Risk Description: Not listed in DIP. Risk Mitigation Plan: Not listed in DIP . Implementation Progress: WR is a recent activity, so the SEs are pretty new. We are not certain how many aircraft have moving map installed.

Relevant Areas of Change:

Somewhat Vulnerable

AoC Title Description Vulnerability

AoC_11 Increasingly "Not all aircraft may have the same level of In a perfect world, airplane heterogeneous equipage in the future. The variation in manufacturers and/or airlines would aircraft fleets sophistication of digital and develop a single equipment designs (varying electromechanical systems within an so that pilots could follow a consistent software, individual aircraft type must also be set of procedures. equipment, considered. An unavoidable mix of new and This may be a bigger challenge for capabilities, etc.) reused (legacy) software is a future trend and airlines with mixed fleets. For there may be increasing numbers of regional decades, many operators of mixed jets equipped with possibly more advanced fleets have insisted their pilots operate avionics than legacy aircraft. This could lead a variety of types the same way. to flight crew confusion and problems However, aircraft manufacturers may maintaining situational awareness. have designed the aircraft with totally different operating philosophies.

AoC_22 Changing Advanced audio, tactile, and visual warning Risk of overload. If there are additional approaches to systems in aircraft cockpits may change crew warning and alert systems then the cockpit warning workload and situational awareness. The pilot may not be able to handle the and alert proliferation of caution/warning systems and information from the map display systems alerts may overwhelm the flight crew in especially if that information consists critical phases of flight. Consideration of of another set of caution/warning prioritization, total workload, and required annunciations dealing with wrong situational awareness must precede runways. implementation of such systems. Additionally, this AoC may lead to pilots relying more on warning and alert systems for runway incursion management and relying less on their basic training.

- 153 -

AoC_83 Operation of low- Technology in ATM and aircraft is Aircraft not equipped with moving map technology continuously developing with the aim of displays may not ‘cooperate’ with aircraft in ATM becoming safer and more efficient. However, equipped aircraft. environments existing aircraft are not necessarily updated Ground conflicts may arise if a non- featuring or reequipped with such new technology. This equipped aircraft does not appear on advanced can lead to a situation where 'low-technology the display of equipped aircraft. Radar capabilities aircraft' are mixed with 'high technology screen target data blocks representing aircraft' in a 'high-technology airspace'. aircraft may not reflect the capabilities NextGen and SESAR are engaged in of non-equipped aircraft. ongoing use of automated decision support and enhanced workstation displays to mitigate increased complexity associated with diverse aircraft operating characteristics. Examples of such automation aircraft conformance monitors with flight plan or trajectory. Advanced computer-human interaction (CHI) tools and methods will provide additional information on aircraft capabilities and characteristics not currently found in today¹s flight environment. AoC_85 Potential There may be an increased requirement for If the decision maker’s information is information effective and timely shared decision-making inaccurate or absent, the display and inequality among in a multi-agent context (multiple aircraft, awareness system designed to aviation system ATC, AOC, automation). Shared decision prevent wrong runway departures and participants in making requires equality of information of the runway incursions may not be situations decision makers. If one of the decision effective. As described above, radar requiring shared maker’s information is out-dated, inaccurate, screen target data blocks representing decision-making absent etc, the decision making process will aircraft may not reflect the capabilities be flawed. This principle applies to tactical of non-equipped aircraft. (e.g. traffic conflict resolution involving air- ground and air-air communication) and strategic (e.g. route design) decision making. AoC_122 Accelerated Economic pressures to recruit needed pilots The true situation may actually be the transition of pilots for Part 121 operations will likely result in transition of pilots trained in complex, from simple to more rapid transition of trainees from simple advanced flight decks being assigned complex aircraft to complex aircraft. Current certification to simpler, less advanced aircraft. standards may need to be revisited in light of Inexperienced flight crew is the true this phenomenon. Training curricula must issue. Training developed for one provide the skills needed for command of type of equipment may not be complex, advanced aircraft. applicable to other types of equipment. Accelerated transitions may not adequately highlight the important subtleties.

If the pilot is not sufficiently trained to use the new equipment due to accelerated training regimens, the effectiveness of new equipment may be reduced or even counterproductive.

- 154 -

AoC_135 Decreasing Because other high-tech industries are on This may create a situation where the market share of such a rapid growth curve, the advanced aviation industry may have a more high-tech products purchased by the aviation sector of difficult time obtaining the necessary aviation products the economy now represent a smaller share components for cockpit moving map in comparison to of the overall production capability for these displays and runway awareness other sectors specialized products. This may create a systems. Obsolescence and reliability situation where the aviation industry may of systems may create safety issues. have a more difficult time obtaining the However, it is also believed that the necessary components (both new and market forces will generate supply if replacement) at favorable prices. As a result, there is a need, so it is unlikely to be a obsolescence of flight-critical digital system big problem. components may create safety issues in the future. AoC_136 Increasing use of Economic pressures are driving many Although COTS products may have a Commercial Off commercial and governmental operators favorable cost-to-performance ratio, The Shelf within the aviation system toward purchase of they may not have been subject to the (COTS) products COTS products. Although these products verification/validation rigor required to in aviation may have a favorable cost-to-performance maintain safe, dependable operation ratio, they may not have been subject to the of the aviation system. Examples verification/validation rigor required to include microprocessors (from PC maintain safe, dependable operation of the industry), operating systems (e.g., aviation system. Examples include Windows and LINUX), and graphics microprocessors (from PC industry), processors (from video game operating systems (e.g., Windows and industry). LINUX), and graphics processors (from video game industry). AoC_148 Increasing Hostile acts against the aviation system are Cyber attack on electronic system may frequency of manifested in several ways: affect the performance of the moving hostile acts - cyber attacks on data links, databases and map displays or runway awareness against the digital/ electromechanical systems, jamming systems. Temporary flash blindness aviation system resulting in loss of RF signals used for critical from a laser may result in disabled CNS functions and FADEC operation. pilots who (temporarily) cannot use - increasing sophistication and proliferation of moving map or runway awareness explosive materials, biological/chemical toxic system. The later is viewed as the agents, and anti-aircraft weapons. larger threat. - increasing frequency of distraction, glare and temporary flash blindness from easily available and low cost of high-strength lasers" AoC_184 Increasing Flight Crews will be required to interact with Increased information can lead to amount of an increased amount of information like distraction and therefore less effective information CPDLC data, traffic information on CDTIs for use by the pilots of the moving map or available to flight ASAS applications, electronic route runway awareness system. This is crew manuals/flight bags and even the World Wide related to the proliferation of caution Web. This information will likely be presented and warning systems on the flight on extra displays, requiring the crew to divide deck. their attention. This information may be integrated in existing systems or may be New or revised procedures and presented on a single screen that may training must be put in place to give introduce the problem of cluttering. Pilots will pilots guidance on processing and have to be trained to efficiently use the new responding to new information sources data and interfaces. and displays in the flight deck. For systems presenting nearly identical information, procedures must be developed for prioritizing and selecting the most reliable decision support tool among the many options. AoC_189 Shifting Previously many flight crews were drawn Military pilots are trained to be self- demographics from the ranks of retired military personnel sufficient and recover from from military to with significant military flight experience and unanticipated situations. As a result, civilian trained training. In the future pilots will more than they may be better able to cope with pilots likely be drawn from civilian flight schools. failures of cockpit moving map or

- 155 -

This demographic shift may result in runway awareness systems. The diminished basic airmanship including aircraft prevailing culture in civilian training energy management, lack of aircraft system programs may not fully replicate the knowledge and diagnostic skills, manual safety aspects of a military training handling, ability to operate advanced aircraft environment especially ab initio in abnormal situations/attitudes, and recover training. from unanticipated situations when there is no checklist. Because of the larger percentage of civilian pilots entering the workforce (compared with those having military experience) training will need to be more specific and not assume domain knowledge delivered in military training curricula.

AoC_202 Increasing "Simulator training time is becoming more Additional training requirements are pressure to compressed. In order to save time and being added to an already full training shorten and money: syllabus forcing the compression of compress pilot - emergency/abnormal scenarios are being training time. In addition pilot type training combined together, even though the events training is driven by the Pilot Training are extremely unlikely to occur together Standards (PTS) requirements for the - recent accident scenarios are emphasized issuance of a type rating. The PTS and "Routine" flight operations are under- does not take into account the wide emphasized variations in aircraft types. Type rating - more training is being added without training is geared to meeting the PTS analyzing the current curriculum to remove requirements and the successful unnecessary or redundant segments" completion of the type check ride. There is a risk that “fast-track” training doesn’t confer students with a deep, domain-specific knowledge of aircraft systems and their interactions. AoC_205 Increasing risk of Future flight operations might bear the risk of Fatigue reduces the ability of the crew flight crew fatigue increased fatigue of flight crews. This may to implement all that has been learned result from: during training. If they are fatigued, - ultra long range flights with minimum crew much of what has been learned during - harmonized European legislation allowing RI training may be forgotten or longer flight duty times misapplied especially during time- - increased regional operations critical, non-normal situations. - increased pressure on crews to improve economics - passenger and crew screening requirements" AoC_220 Increasing Functions and use of personal electronic Electromagnetic interference from functions and devices by passengers and flight crew are personal electronic devices may use of personal increasing and there are no means to ensure contribute to system malfunctions. electronic that passengers turn off all electronics in Cross testing of avionics with all devices by critical phases of flight and disable potential frequencies used by cell passengers and transmit/receive functions while on the phone and data systems employed flight crew aircraft. The wide variety of transmission worldwide is not feasible. In addition, sources and their potential locations within unauthorized use of personal the passenger cabin make it very difficult to electronic devices by the flight crew predict all possible effects and failure modes. has been a recent phenomenon. AoC_226 Changes in the The shortage of certified maintenance Reliability of the equipment and the qualifications of personnel may result in lower quality integrity/reliability of databases that maintenance servicing and maintenance of aircraft with a the systems rely on may be reduced if personnel concomitant reduction in the reliability of both maintenance personnel qualifications new and aging aircraft. Servicing of change and result in lower quality of advanced avionics will require specialized work related to the loading of skills, yet training in disciplines such as databases used by systems called for composite material repair, nondestructive within this safety enhancement. The inspection, solid-state concern is who will be ultimately electronics/avionics/built-in test equipment, responsible for maintaining the

- 156 -

principles of troubleshooting and human currency of databases used by factors is currently only an option within airborne systems if maintenance maintenance training curricula. As the personnel are not performing this number of non-certified staff increases, the function in the future. need to check their work increases. Certified staff may begin to accept poor quality work either because of time limitations or because errors are not detected. Other issues, such as tightening of controls on maintenance procedures, limitation of working hours, vision tests, etc. will also reduce the availability of certified maintenance personnel.

Both Somewhat Vulnerable and Somewhat Beneficial

AoC Title Description Vulnerability

AoC_96 Increasing As all systems become more complex there These interactions can potentially be interactions will be an increasing level of interaction very beneficial but can also create between highly- between ground-based and aircraft-based problems. In the future, on-board automated systems. This increased interaction may systems may possibly be updated ground-based introduce incompatibilities that may result in automatically when the aircraft arrives and aircraft greater system development, integration, at the gate; e.g. the most recent based systems maintenance, and reduce overall system moving map is uploaded. If it works performance. Variation in design cycle times this is an ideal situation. If it does not and implementation schedules between work, and the pilot doesn’t notice, airborne systems and ground-based systems integrity problems may be created. It may result in lack of coordinated may be difficult for pilots to verify that development. These issues underline the the correct information is uploaded. need for the introduction of the increased New technologies such as moving capacity, flexibility, and security of the next map displays allow for increased generation of ground to aircraft situational awareness. On the other communication systems. hand, these new technologies may also distract pilots. Also, new training and SOPs will need to be created to cater for operations when the equipment is not operational. (MEL).

Nature of Vulnerabilities: • Inadequate training of the flight crew to work effectively with moving map or runway awareness systems. AoC 11, AoC 22, AoC 122, AoC 184, AoC 189, AoC 196. • Unexpected failure modes and lack of system reliability. AoC 135, AoC 136, AoC 148, AoC 226, AoC 96. • Management of new technologies in the training and SOPs for runway incursion prevention. AoC 83, AoC 85, AoC 220.

Major Interaction Effects: • The interaction of changes in training with the introduction of new technologies and the heterogeneity of aircraft and airports may escalate the problems associated with these themes on their own. With many different, new technologies interspersed with legacy technologies being operated by fatigued pilots with compressed training schedules which may or may not cover the intricacies of each of the different equipment and airport mixes. This complicated problem may be further compounded by a shortage of experienced pilots and loss of sterile cockpit

- 157 -

discipline.

Near-term Changes to Baseline Risk or New Vulnerabilities: • There is a significant concern about the amount of automation and information available to the pilot. Information presented to the pilot will need to be prioritized to keep the pilot in the loop. Are there any efforts to evaluate and remove older equipment and indications from the flight deck as new systems are added?

Longer-term Changes to Baseline Risk or New Vulnerabilities: • The SE is vulnerable to the changing pilot community (large number of retirements) that will have different airmanship skills. • As aircraft continue to become completely integrated between systems and most functions become automated, the crew will need a different level of training to understand the functionalities and interactions of these systems. Furthermore, they may need enhanced training for detection of degradation and failure of these functions, while at the same time maintaining flying skills. • There is significant concern about heterogeneity. Where operators implement an initial release, consequent updates are not guaranteed. Pilots may be confused between different configurations of the same aircraft type. This confusion may contribute to loss of situational awareness.

Precursors, Watch Items, and System-wide Measurements that Could Indicate Vulnerability: • Track implementation rate of cockpit moving map display and runway awareness system by make/model/type of the system. • Monitor rate of runway incursion/excursion for aircraft with and without moving map and/or runway awareness system and analyze training background and demographics of pilots involved in these incidents if possible. • Monitor number of pilot safety reports of situations where flight crew is overloaded with information. • Monitor instances of database, map-shift and other errors observed during use of moving map displays.

- 158 -

E. References i Hollnagel, Erik. (2008). The Changing Nature Of Risks. Ergonomics Australia Journal 22, 1-2 (2008) 33-46. Ecole des Mines de Paris, Sophia Antipolis, France ii Hollnagel, Erik (2006). Safety Management: From protection to resilience. UIC Safety Platform, Paris iii Dykstra, Arthur (2005). Resilience Engineering and Safety Management Systems in Aviation. KLM Royal Dutch Airlines / TU Delft Netherlands iv Statement of Capt. John Prater, President Air Line Pilots Association, International before the Subcommittee on Aviation, Committee on Transportation and Infrastructure, September 16, 2010; http://www.airlinepilotforums.com/major/40914-latest-hearing- alpa.html v http://www.flightglobal.com/articles/2009/01/27/321562/airline-pilot-training-needs-a- complete-re-think.html vi http://www.icao.int/NGAP/documentation.htm vii Airbus studies emergency traffic avoidance system to act without pilots; http://www.flightglobal.com/articles/2006/03/22/205580/airbus-studies-emergency- traffic-avoidance-system-to-act-without.html viii http://www.ainonline.com/ain-and-ainalerts/aviation-international-news/single- publication-story/browse/0/article/fly-by-wire-filtering-down-to-bizjets- 9015/?no_cache=1&tx_ttnews%5Bmode%5D=1 ix Input from Dave Prior, Director of Safety and Security, easyJet Airline Company Limited x Dekker, Sidney W. A. (2005). Why we need new accident models. Tech Report 2005- 02. Lund University School of Aviation

- 159 -