So it's Reliable but is it Safe? - a More Balanced Approach To ATM Safety Assessment
1 So it's Reliable but is it Safe? - a More Balanced Approach To ATM Safety Assessment
ATM R&D Seminar, Barcelona, 2nd to 5th July 2007
Derek Fowler, Gilles Le Galo, Eric Perrin (EUROCONTROL); Stephen Thomas (Entity Systems Ltd)
European Organisation for the Safety of Air Navigation, 31 May 2006
2 The Brief
Reviewers felt that the presentation would benefit from:
- Why is the approach important?
- What's different from the traditional safety assessment?
- A worked example

3 Thesis
A system can fail even though none of its individual elements has failed [after Professor Nancy Leveson, MIT]. A few possibilities:
- Inconsistent data
- Dysfunctional interactions
- Inadequate performance
- Abnormal environment / inputs
- Misuse
So why do most software standards focus on reliability? Software unreliability has never been the cause of a major accident.

4 Safety Assessments in European ATM
Derived from SAE ARP 4754 / 4761 (civil airborne systems):
- Equipment focused
- Failure based: Safety Requirements mainly about reliability
Not a problem historically:
- Systems have not been highly integrated
- Changes have been largely equipment replacement
(Alluded to in some of yesterday's talks.)
But it is a problem for the future: new concepts, automation etc.
5 Traditional Approach
[diagram: Operational Environment, ATM System, ATM Service, Hazards]

6 How it Works
- Hazards: represent some kind of failure inside the box
- Consequence Analysis: how serious the Hazards are
- Safety Objectives: how often we can allow the Hazards to occur
- Causal Analysis: what could cause the Hazards
- Safety Requirements: how often we can allow the Causes to occur, ie how reliable the box needs to be
[diagram: ATM System, Operational Environment, ATM Service, Hazards]
10^-n fixation!

7 What do we Actually Need?
- Need to know also what the box is supposed to do and how well it needs to do it
- Need a broader approach to safety assessment
- Need to take a total system view
- Need to address 2 key issues:
  - How safe will new ATM systems be when working to spec? (Success Approach)
  - How safe will they be when they fail? (Failure Approach)
Captured in a Generic Safety Argument
8 Generic Safety Argument - Project Safety Case: Arg0 (to Level 1)
Arg 0: [Subject X] will be acceptably safe.
- Cr001 (criteria): acceptably safe means that the risk of an accident is [safety criteria tbd]
- A0001 (assumptions): [Assumptions tbd]
- C0001 (context): applies to [operational environment etc tbd]
- J0001 (justification): [Justification tbd]
Arg 0 is supported by:
- Arg 1: [Subject X] has been specified to be acceptably safe (next slide). What is different is in Arg 1.
- Arg 2: [Subject X] has been implemented in accordance with the specification [tbd]
- Arg 3: The transition to operational service of [Subject X] will be acceptably safe [tbd]
- Arg 4: The safety of [Subject X] will continue to be demonstrated in operational service [tbd]

9 Generic Safety Argument: Arg1 (to Level 2)
Arg 1: [Subject X] has been specified to be acceptably safe, supported by:
- Arg 1.1: The underlying concept is intrinsically safe [tbd]
- Arg 1.2: The corresponding system design is complete [tbd]
- Arg 1.3: The system design functions correctly & coherently under all expected (normal) environmental conditions [tbd]
- Arg 1.4: The system design is robust against external abnormalities [tbd]
- Arg 1.5: All risks from internal system failures have been mitigated sufficiently [tbd]
- Arg 1.6: That which has been specified is realistic [tbd]
10 A Simple Case Study
Anticipated Landing Clearances (ALC) in Low Visibility for MLS / GBAS Operations. Covers Arg1.1 to 1.5 only.

11 Arg1.1 Concept is intrinsically safe
Objectives are to:
- show that the Concept has the potential (in the absence of failure) to be safe
- identify the key parameters that make it so

12 ILS Cat II/III Landing Clearance
[diagram: LSA, OFZ, AC1 (landed), AC2 (on final, ... nm)]
Landing Clearance given such that LSA / OFZ protected.

13 MLS / GBAS Cat II/III Landing Clearance
[diagram: (reduced) LSA, Trigger Line, OFZ, AC1 (landed), AC2 (on final, 1 nm)]
Landing Clearance given such that LSA protected; OFZ also protected.
14 Therefore ALC in LV has the potential to be safe (cf ILS Cat II/III) because:
- the (reduced) LSA is still protected
- the OFZ is still protected
Key functionality / parameters:
- the time for AC1 to taxi from the Trigger Line until clear of the OFZ must always be less than the time for AC2 to fly the last 1 nm before THR
- the Trigger Line must be outside the MLS/GBAS LSA
- AC1 must continue taxiing until clear of the OFZ
- AC2 must be given CLR by 1 nm from THR, or go around, to achieve a stabilised landing or a safe Missed Approach
These are the foundations, but are not the whole building!

15 Arg1.2 System Design is Complete
The objective is to show that sufficient Safety Requirements have been specified for each element of the system (except for issues relating to failure).
16 Examples of Initial Safety Requirements (1)
- Controller shall not issue a landing clearance to an aircraft until the preceding aircraft has crossed the Trigger Line on the ATC A-SMGCS display
- Controller shall issue a landing clearance to an aircraft by the time it has reached 1 nm from the runway THR (at the latest), or issue a go-around
- Trigger Line shall be displayed on the Controller's A-SMGCS HMI
- The minimum distance between the Trigger Line and the runway edge shall be determined as follows:
  - Trigger Line shall always be further from the runway edge than the MLS/GBAS LSA
  - Trigger Line shall be positioned such that the time for AC1 to taxi (or be towed) from the Trigger Line until it is clear of the OFZ is always less than the time needed for AC2 to cover the last 1 nm of its Final Approach
  - Trigger Line position shall take full account of the slowest average speed of an aircraft taxiing (or being towed) between the Trigger Line and the edge of the OFZ, and the fastest average groundspeed of an aircraft on Final Approach
  - Trigger Line position shall be determined for the longest aircraft using the airport
  - Trigger Line position shall take full account of the accuracy / resolution of the A-SMGCS display of aircraft position and of the Trigger Line

17 Examples of Initial Safety Requirements (cont.)
- Aerodrome Procedures shall require Pilots to go around at 200 ft above THR if no landing clearance has been received from ATC
- Aerodrome Procedures shall require Pilots to continue taxiing until past either the ILS CAT II/III holding point, if it exists, or a sign indicating when the (whole) aircraft has cleared the edge of the OFZ
- Aerodrome Procedures shall require Pilots to inform the Controller if forced to stop before passing either the ILS CAT II/III holding point, if it exists, or the special sign indicating that their aircraft has cleared the OFZ
- Aerodrome Procedures shall require Pilots to transmit RT communication on TWR frequency when crossing an active runway
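The Trigger Line requirements above reduce to one geometric bound (the line lies beyond the LSA) and one timing inequality (worst-case taxi time to clear the OFZ is less than worst-case time for AC2 to fly the last 1 nm), so a candidate position can be checked numerically. The following is an added worked example, not code from the presentation or from EUROCONTROL. Its one-dimensional geometry (every distance measured from the runway edge along the exit taxiway) and every numeric value in it (LSA and OFZ distances, aircraft length, display error, speeds) are constructed for illustration; real values come from the aerodrome survey, the fleet mix and the A-SMGCS specification.

```python
"""Trigger Line position check for Anticipated Landing Clearance (ALC) in low visibility.

Added worked example, not code from the presentation or from EUROCONTROL.
Geometry is simplified to one dimension: all distances are measured from the
runway edge along the exit taxiway. Every numeric parameter below is constructed
for illustration.
"""
from dataclasses import dataclass

METRES_PER_NM = 1852.0
KT_TO_MPS = METRES_PER_NM / 3600.0
FINAL_SEGMENT_NM = 1.0   # AC2 must hold its landing clearance by 1 nm from THR


@dataclass(frozen=True)
class AerodromeParams:
    lsa_edge_m: float           # outer edge of the (reduced) MLS/GBAS LSA
    ofz_edge_m: float           # outer edge of the OFZ
    longest_aircraft_m: float   # the whole aircraft must be clear of the OFZ
    display_error_m: float      # worst-case A-SMGCS position accuracy / resolution
    slowest_taxi_kt: float      # slowest average taxi (or tow) speed, Trigger Line to OFZ edge
    fastest_approach_kt: float  # fastest average groundspeed over the last 1 nm


def approach_time_s(p: AerodromeParams) -> float:
    """Worst case (shortest) time for AC2 to fly the last 1 nm to THR."""
    return FINAL_SEGMENT_NM * METRES_PER_NM / (p.fastest_approach_kt * KT_TO_MPS)


def taxi_distance_m(trigger_line_m: float, p: AerodromeParams) -> float:
    """Distance AC1 still has to cover, after its displayed position crosses the
    Trigger Line, before the whole aircraft is outside the OFZ.

    The displayed position may lead the true position by display_error_m, and the
    tail trails the displayed point by longest_aircraft_m, so both are added to the
    run from the Trigger Line to the OFZ edge. Zero means already clear on crossing.
    """
    remaining = p.ofz_edge_m - trigger_line_m + p.longest_aircraft_m + p.display_error_m
    return max(0.0, remaining)


def taxi_time_s(trigger_line_m: float, p: AerodromeParams) -> float:
    """Worst case (longest) time for AC1 to clear the OFZ after crossing the Trigger Line."""
    return taxi_distance_m(trigger_line_m, p) / (p.slowest_taxi_kt * KT_TO_MPS)


def min_trigger_line_m(p: AerodromeParams) -> float:
    """Smallest Trigger Line distance satisfying both requirements:
    (1) beyond the LSA, and (2) worst-case taxi time within worst-case approach time."""
    reachable_m = p.slowest_taxi_kt * KT_TO_MPS * approach_time_s(p)
    timing_bound_m = p.ofz_edge_m + p.longest_aircraft_m + p.display_error_m - reachable_m
    return max(p.lsa_edge_m, timing_bound_m)


def check_trigger_line(trigger_line_m: float, p: AerodromeParams):
    """Verify a candidate Trigger Line position.

    Returns (ok, margin_s): ok is True only if the line lies beyond the LSA and the
    worst-case taxi time is strictly less than the worst-case approach time;
    margin_s is approach time minus taxi time (negative: OFZ not protected).
    """
    beyond_lsa = trigger_line_m > p.lsa_edge_m
    margin_s = approach_time_s(p) - taxi_time_s(trigger_line_m, p)
    return beyond_lsa and margin_s > 0.0, margin_s


def clearance_advance_m(p: AerodromeParams) -> float:
    """How far before AC1 is fully clear of the OFZ the clearance may be issued:
    the capacity benefit ALC buys over waiting for the OFZ to be vacated."""
    return p.ofz_edge_m + p.longest_aircraft_m + p.display_error_m - min_trigger_line_m(p)


if __name__ == "__main__":
    # Constructed aerodrome: 60 m LSA, 120 m OFZ, 76 m longest aircraft, 7.5 m display error
    p = AerodromeParams(60.0, 120.0, 76.0, 7.5, slowest_taxi_kt=10.0, fastest_approach_kt=160.0)
    print(f"approach time over last 1 nm: {approach_time_s(p):.1f} s")
    print(f"minimum Trigger Line distance: {min_trigger_line_m(p):.1f} m from runway edge")
    for candidate in (50.0, 80.0, 90.0):
        ok, margin = check_trigger_line(candidate, p)
        print(f"  Trigger Line at {candidate:5.1f} m: {'OK  ' if ok else 'FAIL'} margin {margin:+.1f} s")
    # Same aerodrome, but the slowest mover is an aircraft under tow at 3 kt
    towed = AerodromeParams(60.0, 120.0, 76.0, 7.5, slowest_taxi_kt=3.0, fastest_approach_kt=160.0)
    print(f"with towing at 3 kt the Trigger Line must be at least {min_trigger_line_m(towed):.1f} m,"
          f" beyond the OFZ edge; clearance advance shrinks to {clearance_advance_m(towed):.1f} m")
```

Two things the check makes visible that the requirement text does not: the aircraft length and display error are paid in full out of the 1 nm time budget, so the longest aircraft (or a tow) can push the minimum Trigger Line distance past the OFZ edge, and the benefit over a plain clear-of-OFZ rule is exactly the distance the slowest mover covers in the shortest approach time. Both are the inputs the FHA for "AC1 stops inside the OFZ" later has to take as given.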
18 Arg1.3 System functions correctly & coherently under all expected environmental conditions
Objective is to show that the system design functions correctly and coherently under all normal environmental conditions.

19 Techniques
- Static analysis of the system design
- Scenario / what-if analyses
- Real-time simulations
Showed that:
- there were no dysfunctional interactions
- data was consistent (if SRs met)
- Controllers found the system usable

20 Arg1.4 System is robust against external abnormalities
Considered the reaction of the system to abnormal events in its operational environment from two perspectives:
- How well can the system continue to operate?
- Could such conditions cause the system to behave in a way that introduces additional risk?

21 Reaction to external abnormalities
Failures included:
- Landing aid (MLS/GBAS), or satellite interference or failure (GBAS)
- Communication failure
- Lighting outage
- A-SMGCS failure / loss of facility
Mitigation in each case was a Missed Approach (if no visual acquisition of the runway).
Other abnormalities considered:
- Aircraft on-board emergencies
- High crosswinds
Risk was judged to be no higher than for current operations.
22 Arg1.5 All risks from internal system failure mitigated sufficiently
Internal failure of the system assessed, by FHA/PSSA, from two perspectives:
- how loss of functionality would reduce the effectiveness of the system
- how anomalous behaviour of the system could induce risks that might otherwise not occur

23 FHA/PSSA Main Conclusions
ALC in LV introduces a new main Hazard: AC1 stops after the Trigger Line, but before exiting the OFZ, landing clearance having been given to AC2.
- If AC2 lands (or goes around before 200 ft agl) the risk is negligible:
  - the Trigger Line guarantees wing-tip clearance for the landing case (SR!)
  - a MA before 200 ft agl would put AC2 above the tail of AC1
- Worst case is if AC2 goes around later than 200 ft agl:
  - qualitatively, we feel that the risk is probably small cf the capacity benefits
  - quantification of the FHA/PSSA is in progress, to try to confirm this

24 Lessons Learnt
Original, failure-based (FHA/PSSA) analysis was too limited and unnecessarily complex.
New, broader approach:
- is more comprehensive
- addresses functional and performance issues relating to the Concept, not just reliability issues
- has led to a more rigorous and detailed understanding and description of the ALC Concept and how it would have to be operated in practice
- has produced a much more readable Preliminary Safety Case which starts with the basic idea and then gradually builds up the case
Of the Safety Requirements specified so far, none specifies reliability!
25 So where are we now?
Using (and still developing) the Generic Safety Argument on many EUROCONTROL programmes, eg FARADS, FASTI, TMA, ACAS II, TBS, MTV/SESAR: very positive response from operational colleagues.
Put together a Safety Assessment WG to:
- produce a broader framework for Safety Assessment based on the Generic Safety Argument and life-cycle model
- provide a mapping between the framework and safety-related techniques, eg SAM, Safety Cases, CTA/HRA, HF Case, FT/RT simulations, CRM, IRP etc
Deliverable: a simple guide on how to do safety [properly!]

26 Questions?

27 ILS Localizer Beamwidth Reduction
Task: safety assessment of reducing ILS Localiser beamwidth from 35 deg to 16 deg.
ANSP approach:
- applied minor-change procedure, approved by regulator
- did not develop a Safety Argument
- carried out traditional FHA/PSSA of potential failures
- used quantified RCS (ie absolute approach); validity / applicability not established

28 ILS Safety Assessment Results
- 6 Hazards identified: generic ILS Localizer hazards only
- Quantified Safety Objective for each Hazard: two of them have a max frequency of 1 event per 100,000 years!
- 8 Safety Requirements specified: no quantification; completely unrelated / untraceable to the Safety Objectives
- Assumption: acceptable approach paths exist that are flyable and are tolerably safe
Virtually nothing in the safety assessment actually addressed the reduction in the width of the ILS Localiser beam!

29 Questions?
30 Generic Safety Argument: Arg1.1 and Arg1.2 (to Level 3)
Arg 1.1 The underlying concept is intrinsically safe:
- the operational context and scope of the Concept has been clearly described
- differences from existing operations have been described, understood and reconciled with the Safety Criteria
- the impact of the concept on the operational environment (including interfaces with adjacent systems) has been assessed and shown to be consistent with the Safety Criteria
- the key functionality and performance parameters have been defined and shown to be consistent with the Safety Criteria
Arg 1.2 The corresponding system design is complete:
- the boundaries of the system are clearly defined
- the Concept of Operations fully describes how the system is intended to operate
- everything necessary to achieve a safe implementation of the Concept - related to equipment, people, procedures and airspace design - has been specified (as safety requirements), for each element of the system
- all safety requirements on, and assumptions about, external elements of the end-to-end system have been captured

31 Generic Safety Argument: Arg1.3 and Arg1.4 (to Level 3)
Arg 1.3 The system design functions correctly & coherently under all expected (normal) environmental conditions:
- the design is internally coherent, eg is consistent in functionality (in equipment, procedures and human tasks), and in use of data, throughout the system
- all reasonably foreseeable normal operational conditions / range of inputs from adjacent systems have been identified
- the design is capable of delivering (or maintaining) the required risk reduction for the identified operational conditions / inputs
- the design functions correctly in a dynamic sense, for the identified operational conditions / inputs
Arg 1.4 The system design is robust against external abnormalities
32 Generic Safety Argument: Arg1.5 (to Level 3)
Arg 1.5 All risks from internal system failures have been mitigated sufficiently:
- all reasonably foreseeable hazards, at the boundary of the system, identified
- severity of the effects from each hazard correctly assessed, taking account of any external mitigation means
- Safety Objectives set for each hazard such that the corresponding aggregate risk is within the safety criteria
- all reasonably foreseeable causes of each hazard have been identified
- Safety Requirements have been specified (or Assumptions stated) for the causes of each hazard, taking account of any internal mitigation means
- a risk assessment has been carried out, and shows that the corresponding aggregate risk is within the specified safety criteria

33 Generic Safety Argument: Arg1.6 (to Level 3)
Arg 1.6 That which has been specified is realistic:
- all aspects of the system design have been captured as Safety Requirements or (where applicable) as Assumptions
- all Safety Requirements are verifiable, ie satisfaction can be demonstrated by direct means (eg testing) or (where applicable) indirectly through appropriate assurance processes (eg HAL, SWAL and PAL)
- all Safety Requirements are capable of being satisfied in a typical implementation in hardware, software, people and procedures
- all Assumptions have been shown to be necessary and valid
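The Arg 1.5 chain (hazards, severity, Safety Objectives, causes, Safety Requirements or Assumptions, aggregate risk within the criteria) and the Arg 1.6 demand that every requirement be traceable and verifiable are mechanical enough to check over a hazard log, and the ILS localiser case on slide 28 (Safety Requirements untraceable to any Safety Objective) is exactly the defect such a check catches. The following is an added example, not code from the presentation, from EUROCONTROL or from any SAM tool. The hazard log, the rates and the per-severity RISK_BUDGET are constructed illustrations, and treating independent rare causes as additive (an upper bound on the hazard rate, not a fault-tree result) is the example's own simplification.

```python
"""Consistency checks on a failure-based (FHA/PSSA) hazard log.

Added example, not code from the presentation, from EUROCONTROL or from any SAM
tool. The hazard log, the Safety Objectives, the Safety Requirements and
RISK_BUDGET are constructed numbers chosen to exercise the checks; they are not
taken from any published risk classification scheme.
"""
import math
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Hazard:
    id: str
    description: str
    severity: int             # 1 = most severe effect, assessed after external mitigation
    safety_objective: float   # max allowed occurrences of the hazard per operational hour


@dataclass(frozen=True)
class Cause:
    id: str
    hazard_id: str
    description: str
    max_rate: Optional[float] = None   # Safety Requirement: allowed rate of this cause (per hour)
    assumption: Optional[str] = None   # stated Assumption covering the cause instead of an SR


# Constructed per-severity budget: total allowed frequency, per operational hour,
# of all hazards whose effects fall in that severity class.
RISK_BUDGET = {1: 1e-8, 2: 1e-6, 3: 1e-5}


def hazard_rate_bound(causes: List[Cause]) -> float:
    """Upper bound on how often the hazard can occur if every SR is just met.

    Causes are treated as independent and rare, so the rate of 'at least one cause
    occurs' is bounded above by the sum of the cause rates (this example's
    simplification; common causes need a proper fault tree). Causes covered only
    by an Assumption contribute nothing here and are reported separately.
    """
    return sum(c.max_rate for c in causes if c.max_rate is not None)


def check_hazard_log(hazards: List[Hazard], causes: List[Cause],
                     risk_budget=RISK_BUDGET) -> List[Tuple[str, str]]:
    """Return (code, message) findings; an empty list means the log is internally consistent."""
    findings: List[Tuple[str, str]] = []
    known = {h.id for h in hazards}
    by_hazard = defaultdict(list)
    for c in causes:
        if c.hazard_id not in known:
            # An SR that traces to no hazard (the defect seen in the ILS localiser case)
            findings.append(("ORPHAN_SR", f"{c.id} references unknown hazard {c.hazard_id}"))
            continue
        by_hazard[c.hazard_id].append(c)

    for h in hazards:
        hazard_causes = by_hazard.get(h.id, [])
        if not hazard_causes:
            findings.append(("NO_CAUSES", f"{h.id} has no identified causes"))
            continue
        for c in hazard_causes:
            if c.max_rate is None and c.assumption is None:
                findings.append(("UNQUANTIFIED", f"{c.id} has neither an SR nor an Assumption"))
        bound = hazard_rate_bound(hazard_causes)
        if bound > h.safety_objective and not math.isclose(bound, h.safety_objective):
            findings.append(("SO_EXCEEDED",
                             f"{h.id}: causes allow {bound:.2e}/h, Safety Objective is "
                             f"{h.safety_objective:.2e}/h"))

    # Aggregate risk: the Safety Objectives of one severity class must fit its budget
    aggregate = defaultdict(float)
    for h in hazards:
        aggregate[h.severity] += h.safety_objective
    for sev, budget in sorted(risk_budget.items()):
        if aggregate[sev] > budget and not math.isclose(aggregate[sev], budget):
            findings.append(("BUDGET_EXCEEDED",
                             f"severity {sev}: objectives sum to {aggregate[sev]:.2e}/h, "
                             f"budget is {budget:.2e}/h"))
    return findings


# Constructed hazard log in the ALC setting; the entries are illustrative, not the
# presentation's FHA/PSSA results.
HAZARDS = [
    Hazard("Hz1", "landing clearance given to AC2 while AC1 still inside the OFZ", 1, 1e-8),
    Hazard("Hz2", "Trigger Line not shown on the A-SMGCS HMI", 3, 5e-6),
    Hazard("Hz3", "displayed aircraft position in error beyond tolerance", 2, 1e-6),
]
CAUSES = [
    Cause("C1", "Hz1", "controller issues clearance before Trigger Line crossed", max_rate=5e-9),
    Cause("C2", "Hz1", "surveillance reports AC1 past the Trigger Line prematurely", max_rate=5e-9),
    Cause("C3", "Hz2", "HMI map-layer load failure", max_rate=2e-5),   # looser than Hz2's objective
    Cause("C4", "Hz7", "stale chart data", max_rate=1e-6),             # traces to no hazard
    # Hz3 deliberately has no causes
]

if __name__ == "__main__":
    for code, message in check_hazard_log(HAZARDS, CAUSES):
        print(f"{code:16} {message}")
```

Run as is, the constructed log produces three findings: C4 is an orphan requirement, C3's allowed rate would let Hz2 occur four times more often than its Safety Objective permits, and Hz3 has no causal analysis at all. Tightening C3, re-pointing C4 at Hz3 as an Assumption, and leaving the budget alone clears the list; shrinking the severity-1 budget below the sum of the severity-1 objectives is then reported as an aggregate-risk failure rather than as a problem with any one hazard.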
More informationHINDSIGHT SITUATIONAL EXAMPLE. unexpected runway crossing
HINDSIGHT SITUATIONAL EXAMPLE unexpected runway crossing 68 Editorial note: The situational examples have been based on the experience of the authors and do not represent either a particular historical
More informationSPR for automatic responses to ACAS RAs
SPR for automatic responses to ACAS RAs Document information Project title Evolution of Airborne Safety Nets Project N 04.08.02 Project Manager DSNA Deliverable Name SPR for automatic responses to ACAS
More informationPRACTICAL EXAMPLES ON CSM-RA
PRACTICAL EXAMPLES ON CSM-RA Common Safety Method: What for? How? 0 SNCF Training in Budapest Technical University on CSM-RA SUMMARY CSM-RA A short history summary CSM-RA understanding What is there to
More informationAppendix 1 Transit Network Analysis
Appendix 1 Transit Network Analysis APPENDIX 1 TRANSIT NETWORK ANALYSIS The purpose of this appendix is to provide an update on the transit network analysis as it pertains to: i. SmartTrack ii. Scarborough
More informationZIN Technologies PHi Engineering Support. PHi-RPT CFD Analysis of Large Bubble Mixing. June 26, 2006
ZIN Technologies PHi Engineering Support PHi-RPT-0002 CFD Analysis of Large Bubble Mixing Proprietary ZIN Technologies, Inc. For nearly five decades, ZIN Technologies has provided integrated products and
More informationTransformational Safety Leadership. By Stanley Jules
Transformational Safety Leadership By Stanley Jules Transformational Safety Leadership Importance of Safety in Design Hazard analysis: What is it? Transformational Leadership and it s use within Task Based
More informationReview and Assessment of Engineering Factors
Review and Assessment of Engineering Factors 2013 Learning Objectives After going through this presentation the participants are expected to be familiar with: Engineering factors as follows; Defense in
More informationRYA British Youth Sailing Safety Policy
RYA British Youth Sailing Safety Policy Version Details: Programme: All RYA Youth Racing Programmes. Version: 6.1 Dated August 2016 Element Name: Author: Authorisation: RYA British Youth Sailing Safety
More informationRESEARCH OPPURTINITIES ON AIRCRAFT EMERGENCY EVACUATION. Presented by: Dr. Minesh POUDEL
RESEARCH OPPURTINITIES ON AIRCRAFT EMERGENCY EVACUATION Presented by: Dr. Minesh POUDEL Table of Content 1. Introduction and Objective 2. Aircraft Emergency Evacuation: Analysis of main Issues and regulations
More informationModule 3 Developing Timing Plans for Efficient Intersection Operations During Moderate Traffic Volume Conditions
Module 3 Developing Timing Plans for Efficient Intersection Operations During Moderate Traffic Volume Conditions CONTENTS (MODULE 3) Introduction...1 Purpose...1 Goals and Learning Outcomes...1 Organization
More informationIntroduction to Transportation Engineering. Discussion of Stopping and Passing Distances
Introduction to Transportation Engineering Discussion of Stopping and Passing Distances Dr. Antonio A. Trani Professor of Civil and Environmental Engineering Virginia Polytechnic Institute and State University
More informationEvery things under control High-Integrity Pressure Protection System (HIPPS)
Every things under control www.adico.co info@adico.co Table Of Contents 1. Introduction... 2 2. Standards... 3 3. HIPPS vs Emergency Shut Down... 4 4. Safety Requirement Specification... 4 5. Device Integrity
More informationAerodynamic study of a cyclist s moving legs using an innovative approach
Aerodynamic study of a cyclist s moving legs using an innovative approach Francesco Pozzetti 30 September 2017 Abstract During a period of four weeks in September, I completed a research project in fluid
More informationILS APPROACH WITH A320
1. Introduction ILS APPROACH WITH A320 This document presents an example of an Instrument landing system (ILS) approach performed with an Airbus 320 at LFBO airport runway 32 left. This document does not
More informationADVISORY MATERIAL JOINT AMJ
ADVISORY MATERIAL JOINT AMJ AMJ 25.1309 System Design and Analysis See JAR 25.1309 1 PURPOSE This AMJ is similar to FAA Advisory Circular AC 25.1309-1A, dated 21 June 1988. Differences between the two
More informationSoftware Reliability 1
Software Reliability 1 Software Reliability What is software reliability? the probability of failure-free software operation for a specified period of time in a specified environment input sw output We
More informationLIVERPOOL TRANSPORTATION MODELING TECHNICAL MEMO MAY 2009
LIVERPOOL TRANSPORTATION MODELING TECHNICAL MEMO MAY 2009 Syracuse Metropolitan Transportation Council 100 Clinton Square 126 N. Salina Street, Suite 100 Syracuse, NY 13202 Telephone (315) 422-5716; Fax
More informationSystem Operating Limit Definition and Exceedance Clarification
System Operating Limit Definition and Exceedance Clarification The NERC defined term System Operating Limit (SOL) is used extensively in the NERC Reliability Standards; however, there is much confusion
More informationMODEL AERONAUTICAL ASSOCIATION OF AUSTRALIA
ASSOCIATION OF AUSTRALIA APPROVED: MAAA PRESIDENT Date: 27/10/2017 Table of Contents 1. INTRODUCTION... 1 2. DEFINITIONS... 2 3. POLICY... 2 4. BASIC PROCEDURE... 3 5. EVALUATION OF RISK... 4 6. POSSIBLE
More informationFLIGHT OPERATIONS PANEL
International Civil Aviation Organization 24/04/2015 WORKING PAPER FLIGHT OPERATIONS PANEL WORKING GROUP SECOND MEETING (FLTOPSP/WG/2) Rome, Italy, 4 to 8 May 2015 Agenda Item 4 : Active work programme
More informationSteam-Boiler Control Specification Problem
Steam-Boiler Control Specification Problem Jean-Raymond Abrial 1 Problem Statement 1.1 ntroduction This text constitutes an informal specification of a program which serves to control the level of water
More informationUsing what we have. Sherman Eagles SoftwareCPR.
Using what we have Sherman Eagles SoftwareCPR seagles@softwarecpr.com 2 A question to think about Is there a difference between a medical device safety case and any non-medical device safety case? Are
More informationTest Plans & Test Results
P09051 Oxygen Gas Sensor Test Plans & Test Results By: Samuel H Shin (EE), Jeremy Goodman (ue) Table of contents 1. TITLE: OXYGEN MEASUREMENT TEST VIA FABRICATED OXYGEN GAS SENSOR SYSTEM... 2 1.1. Introduction...
More informationPedestrian Dynamics: Models of Pedestrian Behaviour
Pedestrian Dynamics: Models of Pedestrian Behaviour John Ward 19 th January 2006 Contents Macro-scale sketch plan model Micro-scale agent based model for pedestrian movement Development of JPed Results
More informationAerodrome Safeguarding Airside Operational Instruction 16. AOI Owner - Operations Developments & Safety Manager
AOI Owner - Operations Developments & Safety Manager 1. Assessment and Treatment of Obstacles 1.1 Obstacles are surveyed in accordance with the requirements of CAP 232 Aerodrome Survey Requirements and
More informationSafety of railway control systems: A new Preliminary Risk Analysis approach
Author manuscript published in IEEE International Conference on Industrial Engineering and Engineering Management Singapour : Singapour (28) Safety of railway control systems: A new Preliminary Risk Analysis
More informationSpace Power Workshop April
AEi Systems is an electrical engineering services company, with a primary focus on providing Worst Case Circuit Analysis. Other analysis services we provide include Electrical SDRLs such as FMECA, MTBF,
More informationDUKC Chart Overlay. Presentation to IHO TWL and DQ Working Groups Wollongong, March 2014
DUKC Chart Overlay Presentation to IHO TWL and DQ Working Groups Wollongong, March 2014 Outline Who is OMC? DUKC description & methodology. DUKC Chart Overlay concept. Chart Overlay application example.
More informationLow Flying Introduction
Advanced Manoeuvres Low Flying Introduction Commonly, low flying refers to any flight at or below 500 feet agl that may be practised only in designated low flying zones. By maintaining good situational
More informationCycle traffic and the Strategic Road Network. Sandra Brown, Team Leader, Safer Roads- Design
Cycle traffic and the Strategic Road Network Sandra Brown, Team Leader, Safer Roads- Design Highways England A Government owned Strategic Highways Company Department for Transport Road Investment Strategy
More informationReliability Coordinator Procedure
No. RC0210 Table of Contents Purpose... 2 1. Responsibilities... 2 2. Scope/Applicability... 2 3. Detail... 2 3.1. Monitoring System Frequency... 2 3.1.1. Frequency Trigger Limits and Actions... 2 3.2.
More informationVerification and Validation Pathfinder Release 0730 x64
403 Poyntz Avenue, Suite B Manhattan, KS 66502 USA +1.785.770.8511 www.thunderheadeng.com Verification and Validation Pathfinder 2014.2 Release 0730 x64 Disclaimer Thunderhead Engineering makes no warranty,
More information