Identification of emergent hazards and behaviour Shifting the boundary between unimaginable and imaginable hazards. Hans de Jong and Henk Blom (NLR)


Identification of emergent hazards and behaviour: Shifting the boundary between unimaginable and imaginable hazards. Hans de Jong and Henk Blom (NLR). Eurocontrol Safety R&D Seminar, Barcelona, 26 October 2006

Introduction
- Four generations in hazard identification:
  1. the functional approach
  2. the HAZOP approach
  3. the pure brainstorming approach
  4. the modeling and simulation approach
- Use a runway crossing operation for illustration
- Hazards: how do subsets of hazards identified by the various approaches relate?
- Beyond hazards: interactions and dynamical behaviour play a key role in interpreting safety risks

A runway crossing operation
- A few years ago, Runway 18R/36L was introduced at Amsterdam Airport Schiphol
[Figure: runway layout with labels 18R, 36L, 18C, 36C]

A runway crossing operation
- To limit taxiing times to/from 18R/36L, initially crossings over 18C/36C were considered
- ICAO recommends not to introduce active runway crossings when developing airports
- In order to deal with this, introduce a new control concept:
  - the runway controller
    - responsible for all traffic on/around the runway
    - direct communication with all this traffic
  - runway incursion alerting system (RIAS)
    - stop bar violation alerts
    - runway incursion alerts
[Figure: taxiway map with labels "To/from Runway 18R/36L" and "Airport centre"]


Hazard identification: the functional approach
- Hazard: anything that might negatively influence safety
  - identifying as many hazards as possible is a prerequisite
  - unidentified hazards lead to a too optimistic perspective
- The functional approach to hazard identification is well known from system engineering
  - determine for each function, including human operator tasks, all possible failure conditions and their effects
  - for instance contained in the FHA of Eurocontrol's SAM V1

Example application I
- An FHA kind of safety assessment for the aforementioned runway crossing operations yielded, inter alia:
  "The RIAS safety related performance budgets shall be:
  - a minimum availability of the total RIAS functionality of 99.9%...
  - a minimum human reliability in responding to a warning issued by the RIAS of 99.995%..."
- How about that?
- These and other requirements were used in the development of the operations and especially the RIAS

Hazard identification: HAZOP
- HAZOP (Hazard and Operability study)
  - identifies and analyses hazards with operational experts
  - involves brainstorming along keywords
  - also non-functional hazards can be identified
- HAZOP sessions are also used to assess risks and identify potential solutions for hazards
- Unfortunately:
  - analysis and solution disturb the identification process
  - potential solutions may introduce new hazards

Hazard identification: pure brainstorming
- NLR has recognized issues with FHA and HAZOP and developed a pure brainstorming approach with ATCo and pilot
- No analysis and no solving
  - ATCo and pilot need to be able to play devil's advocates
  - criticism is forbidden
  - the risk associated with the hazard is not relevant yet
  - rather mention another hazard!
- A moderator needs to steer the hazard identification subtly along several dimensions
  - conflict scenarios, flight phases, service provision aspects, ...
- Keep the brainstorming group as small as possible!
  - ATCo, pilot, moderator/note taker, (expert on operation)
  - better repeat it with another group!
- Short sessions and many coffee breaks and...

Hazard identification: pure brainstorming
- ... bottles of wine for
  - the most creative hazard
  - the last hazard
  - and inspiration, if necessary...

Hazard identification: pure brainstorming
- The pure brainstorming approach to hazard identification is incorporated in Eurocontrol SAM Version 2
  - FHA Chapter 3 Guidance Material B2: Identification of hazards
  - How to make imaginable the hazards that are functionally unimaginable
  - available from hdejong@nlr.nl
- The functional and pure brainstorming approach complement each other
  - apply brainstorming first!
  - or use a fresh team

Example application II
A safety assessment of the crossing operation used pure brainstorming, which yielded about 100 hazards:
- h1: Runway incursion alerting system reacts late or not
- h2: System gives nuisance alert
- h3: Pilot misunderstands ATCo and takes off erroneously
- h4: System gives alert, ATCo doesn't react appropriately
- h5: Pilot on the wrong frequency
- h6: ATCo abuses alerting system for efficiency reasons
- h7: Pilot triggered by the elapsing of prescribed wake vortex separation time with previous take-off and takes off without clearance
- h8: Pilot on incorrect frequency eventually takes off independently
- h9: Pilot has the wrong awareness / is mistaken / confused / lost due to taxiway complexity and unintentionally enters runway
[Legend: functional approach; pure brainstorming approach]

Example application II
- h9: pilot lost due to complex taxiway structure accidentally enters the runway
  - may concern an aircraft not intending to cross!
  - was not identified in the first safety assessment: (functionally) unimaginable
- The second safety assessment showed that the risk of h9 and similar hazards was very high
  - r/t communication is a bottleneck
  - a perfect RIAS would not improve much...
- Redevelopment of the operation
  - pass active Runway 18C/36C via perimeter
  - no RIAS for the time being
[Figure: taxiway map with labels "To/from Runway 18R/36L" and "Airport centre"]

Hazard identification: a graphical impression
- How do the subsets of hazards identified by functional and pure brainstorming approaches compare?
- However, you are still not exhaustive
- How to improve further?
[Figure: diagram of hazard subsets, labelled "All hazards associated with an operation", "Hazards identified by functional approach", "Functionally unimaginable hazards" and "Hazards identified by pure brainstorming approach"]

Monte Carlo model simulation
- Model the behaviour of the elements of the operations, e.g.
  - controller (monitoring, communicating, ...)
  - surveillance system and RIAS
  - communication system
  - pilots
  - taxiing aircraft
  - arriving/departing aircraft
  - weather conditions
- and the interactions between these elements, e.g.
  - controller noticing aircraft approaching runway (or not)
  - pilots braking the departing aircraft
  - r/t calls blocking others and causing delay in instructions
- Behaviour is modeled dynamically and stochastically

Modeling, simulation and hazards
- You try to model how elements and interactions normally behave, and also how things go when things go wrong
- Make the models sufficiently rich so that their behaviour may exhibit the hazards identified
- In systematic modeling, even more hazards are identified
  - entrance via exit A; entrance via exit A, B, C, D, ...
  - departing pilot misunderstands clearance; taxiing ...
- In simulation, many combinations of hazards arise
  - taxiing aircraft lost and delayed instruction to departing pilot
  - and dynamics turns out to be crucial...
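An added illustration of the modeling idea on these two slides (not NLR's model and not part of the presentation): a toy Monte Carlo simulation in Python of one conflict, a lost taxiing aircraft entering an active runway during a take-off. Every probability and timing below is a constructed assumption, so the output shows only how an interaction such as a blocked r/t frequency shifts the outcomes, not real risk levels.

```python
import random

INF = float("inf")

def simulate(n, p_rt_busy, seed=1):
    """Toy model with constructed parameters; returns outcome fractions."""
    rng = random.Random(seed)
    out = {"pilot": 0, "controller": 0, "unresolved": 0,
           "instr_redundant": 0, "instr_too_late": 0}
    for _ in range(n):
        # Seconds until the departing aircraft reaches the crossing point.
        t_conflict = rng.uniform(15, 40)
        # Taxiing pilot sees the conflict (80% of runs), then needs 3 s to brake.
        t_pilot = rng.expovariate(1 / 12) + 3 if rng.random() < 0.8 else INF
        # Controller detects the conflict in 90% of runs (alert or monitoring).
        t_instr = INF
        if rng.random() < 0.9:
            t_detect = 2 + rng.expovariate(1 / 4)
            # Another r/t call may block the frequency and delay the instruction.
            t_block = rng.uniform(5, 20) if rng.random() < p_rt_busy else 0.0
            # 4 s to transmit the instruction plus 3 s for the pilot to act on it.
            t_instr = t_detect + t_block + 4 + 3
        # Who stops the aircraft first, and is that before the conflict point?
        if min(t_pilot, t_instr) >= t_conflict:
            out["unresolved"] += 1
        elif t_pilot <= t_instr:
            out["pilot"] += 1
        else:
            out["controller"] += 1
        # Classify instructions that were issued but did not resolve anything.
        if t_instr != INF:
            if t_pilot < t_instr and t_pilot < t_conflict:
                out["instr_redundant"] += 1   # pilot had already solved it
            elif t_instr >= t_conflict:
                out["instr_too_late"] += 1    # arrived after the conflict point
    return {k: v / n for k, v in out.items()}

if __name__ == "__main__":
    for p in (0.0, 0.3, 0.6):
        print(p, simulate(20000, p))
```

Sweeping `p_rt_busy` is the point of the exercise: the controller's detection rate is the same in every run, yet the share of conflicts the instruction actually resolves changes with the timing of the r/t channel.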

How on earth to handle this complexity?

Example application III
- A safety assessment with Monte Carlo model simulations has been performed for the redeveloped operation
- Some of the interesting results:
  - lost pilots indeed a big safety risk
  - controller identifies a good share of conflicts, but contribution to timely resolution is small
    - many resolution instructions concern conflicts already solved by pilots
    - many instructions are too late for the pilots to successfully avoid a collision
  - the taxiing pilots have the largest capability to prevent a collision
- These dependencies, interactions and dynamical aspects are difficult to handle well in another way
[Figure: taxiway map with labels "To/from Runway 18R/36L" and "Airport centre"]

Conclusions
- With the pure brainstorming approach you will identify many (functionally) unimaginable hazards
  - risk is often concentrated on unimaginable hazards
- Monte Carlo model simulation yields even more hazards
  - by systematic modeling
  - by combinations arising in simulating
- From that point, the value of hazard as a concept fades away
  - interactions and dynamical behaviour play a key role in understanding the risks
  - Monte Carlo model simulations help to identify, interpret and evaluate such behaviour

Questions?