Functional Hazard Assessment of FPL2012 Implementation


Briefing Paper Functional Hazard Assessment of FPL2012 implementation 09 of June 2011

This Briefing Paper is prepared by Integra, on behalf of the DNM at Eurocontrol, for the planned Functional Hazard Assessment Workshop on 09 of June at EUR/NAT Office of ICAO.

Introduction

The purpose of this briefing paper is to give a short introduction to the Functional Hazard Assessment (FHA) Workshop to be performed on 09 June 2011.

The introduction of the new ICAO Flight Plan Format in November 2012 for the EUR Region will follow the standard DNM safety assessment process. This means that it is necessary to confirm whether the change affects the output of our services (e.g. new output). The introduction of FPL2012 should not add any new output, nor remove any existing output, but would change the contents of messages (that is, significant changes to data structures, in particular in the syntax of messages, the use of new indications in Europe or the update of ADEXP specifications, which will affect all systems).

DNM will introduce a new function, named “Translation Tool”. The purpose of this function is to translate the new 2012 flight plan format to the present FPL format. The function will be used in the transition period to enable the DNM to send the present FPL format to ANSPs that are not able to receive the new 2012 FPL format. The FHA session will also address the transition period, which is the period where DNM will distribute both the new and the present flight plan format.

From a DNM perspective, we should therefore focus on whether the change affects the severity or frequency of occurrence of known hazards and what we can do to mitigate these hazards. The hazards we will refer to are mainly related to the Flight Message Checking and Distribution Service, which are:

- Incorrect ACK/REJ (DNM acknowledges an incorrect FPL or rejects a correct FPL)
- Incorrect Flight Plan (DNM distributes an incorrect FPL)
- Inconsistent Flight Plan (DNM distributes the FPL to some, but not all recipients)
- Missing Flight Plan (DNM does not distribute the FPL or changes thereto at all)
- Missing FLS Message (DNM does not distribute the Flight Suspension message)
- Incorrect DES (DNM distributes an incorrect De-suspension message)

The safety criticality of CFMU services is determined by the impact such services may have on the CFMU Customers, i.e. the impact on operations and/or safety of the services that CFMU customers provide. The impact is based on the output from the individual services, which might be incorrect, missing, too early or too late. The hazards are defined at the boundary between the service and the DNM customers. The focus of the workshop will be on the transition period and the period after the implementation of FPL2012.

______

May 2011 Assessment of Safety Impact of Transition to FPL2012 Page 1

Objective of Workshop

The objective of the workshop is to provide the basis to determine the safety criticality of the service in the transition period and after the transition to FPL2012. The starting point for such work is to identify the hazardous events (including how severe they can be) that may be the result of an incorrect or inconsistent output of a CFMU Service. This is done through a Functional Hazard Assessment (FHA) session together with CFMU Customers. Subsequently, it should be discussed what may cause a hazardous event to occur and what can be done to prevent or reduce the likelihood of such an event.

The methodology to be applied at the FHA session and the subsequent analysis activities is fully compliant with the Eurocontrol Safety Assessment Methodology (SAM). The following five steps will be performed in connection with the FHA:

1. Briefing (initiation of session)
   Short introduction to familiarise the participants with a few baseline elements of the applied methodology and to explain in further detail the scope of the Major Crisis Management and the processes involved.
2. Hazard identification
   Brainstorming exercise where hazards are identified. A moderator will manage the brainstorming.
3. Identification of hazard effects
   For each identified hazard, the potential effects on operation, which the hazard can lead to, are identified for a set of representative operational modes.
4. Severity allocation
   Each identified hazard effect is allocated a severity class. The severity classification scheme to be used is contained in Appendix 3.
5. Causes and mitigation
   Each hazard should be assessed concerning what could cause the hazard to occur and which mitigation should be implemented.

The results of the FHA Workshop (the Hazard Log) will provide the input to the next part of the Safety Assessment concerned with identification of Safety Requirements / Safety Assurance Activities. The relevant definitions are explained in Appendix 2, which also includes an example to illustrate the context. The severity classification scheme to be applied is found in Appendix 3 to this Briefing Paper. The agenda for the FHA Workshop is included in Appendix 1.

APPENDIX 1: Agenda for the 2012 FPL FHA Workshop

Time    Topics
10.00   Introduction to the change of service, and safety assessment methodology
+10     DNM safety baseline (presentation of existing DNM hazards related to the services affected and their severities)
+90     Identification / confirmation of hazards effects; Allocation / confirmation of severity of hazards (worst credible effect)
+60     Lunch
+90     Identification / confirmation of hazards effects; Allocation / confirmation of severity of hazards (worst credible effect)
+15     Break
+90     Identification of causes / potential mitigation means (safety requirements)
+25     Wrap-up and Any Other Business

APPENDIX 2: Definitions

Hazard

The participants shall identify potential hazards.

A hazard is defined as any condition, event or circumstance which could induce an accident or incident (ICAO DOC 9422)

Hazards related to CFMU services are defined in relation to the output of the CFMU:

[Figure: the CFMU Service delivers output to the CFMU customer; the hazard is an incorrect / inconsistent output.]

- Incorrect: corrupted, missing and/or incomplete
- Inconsistent: users have inconsistent data

Hazard Effects

When the participants are satisfied and agree that all hazards have been identified, each hazard shall be analysed for its potential effects on operation.

A hazard effect is defined as the potential effects on operation that a hazard may create.

Operational Effects
The operational effects list the effects the hazard will have on the operation and emphasise the impact / changes the hazard will introduce compared with “normal operation”. E.g. incorrect flight rerouting resulting in the flight heading into restricted airspace.

Safety Effects
The safety effects are derived from the operational effects by deciding the impact on the safe provision of ATS. E.g. flight enters closed airspace.

Determining hazard effects needs to consider external mitigation means in place. E.g. the flight crew will not land at a closed airport as …….

When discussing the effects, focus shall be placed on how the hazard may affect:

- the flights/air crew and/or the air traffic controllers (e.g., workload, ability to perform his/her functions)
- the aircraft functional capabilities
- the functional capabilities of the ground part of the ATM System (e.g. Flight Data Processing System (FDPS))
- the ability to provide safe ATM Services (e.g. magnitude of loss or corruption / interruption of ATM services/functions).

Severity Classification

Each identified hazard effect shall then be assessed to identify the severity, i.e. the impact on operation or the harm an individual may suffer. A specific severity class shall be assigned on the basis of the severity classification scheme included in Appendix 3.

Severity Classification is a grading, ranging from 1 (accidents) to 5 (no immediate effect on safety), as an expression of the magnitude of the hazard effect on flight operations.

Illustration

The following example is provided only to illustrate the definitions listed above.

[Figure: example chain with the columns Cause, Hazard, Effect and Severity. Causes (cause 1, cause 2, cause 3, ..., cause x) lead to the hazard "Incorrect flight re-routing"; the effects shown are "Flight enters closed airspace", "Flight lands at closed aerodrome" and "Increased ATCO workload"; "External mitigation means" are drawn between the stages; the severity values 3 and 4 appear in the Severity column.]

APPENDIX 3: ATFCM Severity Classification Scheme

Severity Class: 1 [Most severe], 2, 3, 4, 5 [Least severe]

Effects on ATFCM Operations
- Class 1: Accidents
- Class 5: No immediate effect on safety

SEVERITY INDICATORS SET 1: EFFECTS ON AIR NAVIGATION SERVICES (ANS)

1.1. Entering closed airspace
- Class 1: One or more catastrophic accidents, including mid-air collisions and/or shooting down.
- Class 2: One or more aircraft enter closed airspace without any ATCO able to control the situation.
- Class 3: One or more aircraft approach closed airspace with ATCO able to control the situation.
- Class 4: One or more aircraft are prevented by ATCO from entering closed airspace.
- Class 5: No effect

1.2. Landing at a closed airport
- Class 1: One or more catastrophic accidents, including collisions on the ground and/or Controlled Flight Into Terrain.
- Class 2: One or more aircraft land at a closed airport without any ATCO able to control the situation.
- Class 3: One or more aircraft try to land at a closed airport with ATCO able to control the situation.
- Class 4: One or more aircraft are prevented by ATCOs from landing at a closed airport.
- Class 5: No effect

1.3. Loss of separation
- Class 1: One or more catastrophic accidents, including mid-air collisions and/or Controlled Flight Into Terrain.
- Class 2: Loss of separation without any ATCO able to control the situation.
- Class 3: Loss of separation with ATCO able to control the situation.
- Class 4: Loss of separation prevented by ATCO's intervention.
- Class 5: No effect

1.4 Effect on ground ATM System Functional Capabilities
- Class 1: Total loss of functional capabilities.
- Class 2: Large reduction of functional capabilities
- Class 3: Significant reduction of functional capabilities
- Class 4: Slight reduction of functional capabilities
- Class 5: No effect

1.5 Effect on Aircraft Functional Capabilities
- Class 1: Total loss of functional capabilities.
- Class 2: Large reduction of functional capabilities
- Class 3: Significant reduction of functional capabilities
- Class 4: Slight reduction of functional capabilities
- Class 5: No effect

1.6 Increased workload of ATCO
- Class 1: Workload, stress or working conditions are such that they cannot perform their tasks at all.
- Class 2: Workload, stress or working conditions are such that ATCO is unable to perform their tasks safely.
- Class 3: Workload, stress or working conditions such that the ability of ATCO is significantly impaired.
- Class 4: Workload, stress or working conditions are such that the ability of ATCO is slightly impaired but they can safely perform their tasks.
- Class 5: No effect

1.7 Increased workload of Flight Crew
- Class 1: Workload, stress or working conditions are such that they cannot perform their tasks at all.
- Class 2: Workload, stress or working conditions are such that Flight Crew is unable to perform their tasks safely.
- Class 3: Workload, stress or working conditions such that the ability of Flight Crew is significantly impaired.
- Class 4: Workload, stress or working conditions are such that the ability of Flight Crew is slightly impaired but they can safely perform their tasks.
- Class 5: No effect

SEVERITY INDICATORS SET 2: EXPOSURE

2.1. Duration of the hazard
- Class 1: The presence of the hazard is almost permanent. Reduction of safety margins persists even after recovering from the immediate problem.
- Class 2: Hazard may persist for a long time.
- Class 3: Hazard may persist for a medium duration.
- Class 4: Hazard may persist for a short time.
- Class 5: No effect

2.2. Number of flights exposed
- Class 1: All flights affected by the hazard.
- Class 2: All flights affected by the hazard.
- Class 3: Significant number of flights affected by the hazard.
- Class 4: Some flights affected by the hazard.
- Class 5: No effect

2.3. Complexity of the situation
- Class 1: Hazard occurring in a high complexity situation.
- Class 2: Hazard occurring in a high complexity situation.
- Class 3: Hazard occurring in a medium complexity situation.
- Class 4: Hazard occurring in a low complexity situation.
- Class 5: No effect

2.4. Amount of information
- Class 1: All CFMU information affected by the hazard.
- Class 2: High amount of CFMU information affected by the hazard.
- Class 3: Significant amount of CFMU information affected by the hazard.
- Class 4: Low amount of CFMU information affected by the hazard.
- Class 5: No effect

SEVERITY INDICATORS SET 3: RECOVERY

3.1. Indication, Detection and Diagnosis
- Class 1: Undetected misleading indication. Incorrect diagnosis.
- Class 2: Unexpected misleading or ambiguous indication. Not easily detected. Incorrect diagnosis likely.
- Class 3: May require interpretation. Detectable. Incorrect diagnosis possible.
- Class 4: Clear indication. Easily detected, reliable diagnosis.
- Class 5: No effect

3.2. Contingency measures
- Class 1: No existing contingency measures available.
- Class 2: Limited contingency measures, providing only partial replacement functionality. Staff not familiar with procedures or may need to devise a new procedure at the time.
- Class 3: Contingency measures available, providing most of required functionality. Fall back equipment usually reliable. Staff intervention required, but a practiced procedure within the scope of normal training.
- Class 4: Reliable, automatic, comprehensive contingency measures.
- Class 5: No effect

3.3. Predictability of recovery
- Class 1: Impossible to predict.
- Class 2: Impossible to predict.
- Class 3: Difficult to predict.
- Class 4: Possible to predict.
- Class 5: No effect
