Capturing Emerging Complex Interactions
Safety Analysis in ATM

Massimo Felici
LFCS, School of Informatics, The University of Edinburgh
mfelici@inf.ed.ac.uk
The 5th Annual DIRC Research Conference

Overview
o What's happening in the Air Traffic Management (ATM) domain?
o Are there complex interactions in ATM?
o An example of complex interaction: an accident
o How complex is the ATM domain? Other domains?
o Safety Analysis (in ATM)
o Limitations
o Capturing Emerging Complex Interactions
o Evolutionary Safety Analysis
o Examples
o Before I start… please fasten your seat belt, read the safety guidelines located in the seat in front of you and locate your nearest safety exit…

© Massimo Felici 2005, The 5th Annual DIRC Research Conference

What's happening in ATM?
o The EUROCONTROL ATM 2000+ Strategy
o The EU Single European Sky Initiative
o The overall objective is, "for all phases of flight, to enable the safe, economic, expeditious and orderly flow of traffic through the provision of ATM services, which are adaptable and scalable to the requirements of all users and areas of European airspace."
o New ATM concept (ATC -> ATM), new system approach, cultural and structural revision of ATM processes, …
o Reduced Vertical Separation Minima Requirement, Free Flight, Gate-to-Gate, Medium-Term and Long-Term Conflict Detection/Projection, …

Safety vs. Performance: the way ahead?
(Figure; source: Flight Safety Foundation)

Unfortunate Complex Interactions: Tupolev TU 154 M – Boeing B757-200
(Figure; source: BFU Investigation Report)

Accident Scenario: Tupolev TU 154 M – Boeing B757-200

Time | Actor(s)                            | Event(s)
T1   | TCAS(B), Crew(B); TCAS(T), Crew(T)  | The TCAS on both aircraft gives a Traffic Advisory
T2   | ATCer, Crew(T)                      | ATCer tells Crew(T): "descend flight level 350, expedite, I have crossing traffic"
T3   | TCAS(B), Crew(B); TCAS(T), Crew(T)  | Both aircraft get a TCAS Resolution Advisory (RA); Crew(B) complies; Crew(T) remains at FL350
T4   | ATCer, Crew(T)                      | ATCer repeats the instruction to descend; Crew(T) complies
T5   | TCAS(B), Crew(B)                    | "Increase descent"
T6   | Crew(B), ATCer                      | Crew(B) reports to ATCer that they are doing a TCAS descent
T7   | TCAS(T), Crew(T)                    | "Increase climb"
T8   |                                     | Collision

Coupling vs. Interactions
(Figure; source: Perrow, 1999)

Safety Analysis in ATM – ESARR4
o Hazard identification as well as risk assessment and mitigation are systematically conducted for any changes
o Hazard identification, risk assessment and mitigation processes shall include:
  o determination of the scope
  o determination of the safety objectives (e.g., hazards, failure conditions, severity and tolerability)
  o identification of risk mitigation strategies

Safety Assessment Methodology (SAM)
(Figure)

Exposed Limitations
o (Unsafe) complex interaction between aircraft and ATM safety functions
o Humans using complex language and procedures mediate this interaction
o Work practice and systems evolve rapidly in response to demand and a culture of continuous improvements
o (Dis)Trust in technology
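The T1–T8 scenario above, replayed as a small consistency check over the guidance each crew received (an added example, not from the slides or the BFU report; the event list and the "as flown" choices are constructed from the scenario table, and the two rules are illustrative, not a model of TCAS logic):

```python
# Added example: replay the T1-T8 scenario as a consistency check over
# advisories. Events and crew choices are constructed from the slide's table;
# the two rules below are an illustration, not a model of TCAS logic.

OPPOSITE = {"CLIMB": "DESCEND", "DESCEND": "CLIMB"}

# (time, aircraft, source, advisory). B = Boeing B757-200, T = Tupolev TU 154 M.
# "TA" is a traffic advisory (no manoeuvre); T6 (voice report) and T8
# (collision) carry no advisory and are omitted.
SCENARIO = [
    ("T1", "B", "TCAS", "TA"), ("T1", "T", "TCAS", "TA"),
    ("T2", "T", "ATC", "DESCEND"),   # "descend flight level 350, expedite"
    ("T3", "B", "TCAS", "DESCEND"), ("T3", "T", "TCAS", "CLIMB"),  # coordinated RA
    ("T4", "T", "ATC", "DESCEND"),   # instruction repeated
    ("T5", "B", "TCAS", "DESCEND"),  # "increase descent"
    ("T7", "T", "TCAS", "CLIMB"),    # "increase climb"
]
# Which source each crew actually followed, per the table: Crew(B) follows
# the RA at T3; Crew(T) holds FL350 at T3 and follows ATC at T4.
AS_FLOWN = {("T3", "B"): "TCAS", ("T4", "T"): "ATC"}


def replay(events, as_flown):
    """Return the distinct findings, in order, as (time, description) pairs."""
    advice = {"B": {}, "T": {}}         # aircraft -> source -> latest RA/instruction
    manoeuvre = {"B": None, "T": None}  # vertical direction each crew is flying
    findings, seen = [], set()

    def note(time, msg):
        if msg not in seen:
            seen.add(msg)
            findings.append((time, msg))

    for time, ac, source, adv in events:
        if adv != "TA":
            advice[ac][source] = adv
        atc, tcas = advice[ac].get("ATC"), advice[ac].get("TCAS")
        # Rule 1: one crew holds contradictory guidance from two sources.
        if atc and tcas and OPPOSITE[atc] == tcas:
            note(time, f"{ac}: ATC says {atc}, TCAS RA says {tcas}")
        followed = as_flown.get((time, ac))
        if followed:
            manoeuvre[ac] = advice[ac][followed]
        # Rule 2: RAs are issued as complementary pairs; if both crews end up
        # flying the same direction, the coordination has been defeated.
        if manoeuvre["B"] and manoeuvre["B"] == manoeuvre["T"]:
            note(time, f"both aircraft {manoeuvre['B']}: RA coordination defeated")
    return findings
```

Calling `replay(SCENARIO, AS_FLOWN)` flags the contradictory guidance at T3 and the loss of RA complementarity at T4; passing an "as flown" table in which Crew(T) follows its RA at T3 removes the second finding.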
Capturing Emerging Complex Interactions: Evolutionary Safety Analysis
(Figure: three modelling transformations)
o System Modeling Transformation: Current Solution Models -> Solution Issues -> Future Solution Models
o Safety Analysis Modeling Transformation: Safety Analysis Models -> Safety Issues -> Future Safety Analysis Models
o Operational Modeling Transformation: Operational Models -> Operational Issues -> Future Operational Models

System Modeling Transformation
o Requirements, as mappings between socio-technical solutions and problems, represent an account of the history of socio-technical issues arising and being solved within industrial settings
o The formal extension of these mappings (or solution space transformations) identifies a framework to model and capture evolutionary system features (e.g., requirements evolution, evolutionary dependencies, etc.)

System Modeling Transformation: Example
(Figure)

Safety Analysis Modeling Transformation
o Safety arguments change, too
o Safety arguments may eventually become unclear
o Structured safety arguments (e.g., GSN)

A Safety-case Lifecycle
(Figure; source: Greenwell, Strunk and Knight, 2004)

A Safety Case Evolution: An Accident invalidates the Safety Argument
(Figure; source: Greenwell, Strunk and Knight, 2004)

Operational Modeling Transformation
o Structured Scenarios
o Pattern of interaction (changes)
o Work practice changes (e.g., workaround)
(Figure: Aviation Safety Reporting System)

Operational Modeling Transformation
o Technically, operational observations are reported anomalies (or faults), which may trigger errors eventually resulting in failures
o Erroneous actions (Hollnagel, 1993): "An erroneous action can be defined as an action which fails to produce the expected result and/or which produces an unwanted consequence"
  o In the context of socio-technical systems, erroneous actions usually occur in the interfaces or interactions (e.g., man-machine interactions)
  o The cause of erroneous actions can logically lie with either human beings, systems and/or conditions when actions were carried out
  o Erroneous actions can occur on all system levels and at any stage of the lifecycle
o In a continuously changing environment like ATM, adaptation enhances the coupling between man and machine (Hollnagel, 1995):
  o Adaptation through Design
  o Adaptation through Performance
  o Adaptation through Management

Conclusions
o Air Traffic Management (ATM): complex interactions in ATM may trigger unsafe (catastrophic) failures
o Safety Analysis (in ATM). Limitations: system scope, evolution, human factors
o Capturing Emerging Complex Interactions: Evolutionary Safety Analysis (Framework)
o Examples
o Future work… What about Trust? How to understand the relationship between Trust, Risk and Knowledge (in ATM)?