Publication


Featured research published by Ivonne A. Herrera.


Reliability Engineering & System Safety | 2010

Comparing a multi-linear (STEP) and systemic (FRAM) method for accident analysis

Ivonne A. Herrera; Rogier Woltjer

Accident models and analysis methods affect what accident investigators look for, which contributory factors are found, and which recommendations are issued. This paper contrasts the Sequentially Timed Events Plotting (STEP) method and the Functional Resonance Analysis Method (FRAM) for accident analysis and modelling. The main issue addressed in this paper is the comparison of the established multi-linear method STEP with the new systemic method FRAM and which new insights the latter provides for accident analysis in comparison to the former established multi-linear method. Since STEP and FRAM are based on different understandings of the nature of accidents, the comparison of the methods focuses on what we can learn from both methods, how, when, and why to apply them. The main finding is that STEP helps to illustrate what happened, involving which actors at what time, whereas FRAM illustrates the dynamic interactions within socio-technical systems and lets the analyst understand the how and why by describing non-linear dependencies, performance conditions, variability, and their resonance across functions.


Accident Analysis & Prevention | 2009

Aviation safety and maintenance under major organizational changes, investigating non-existing accidents.

Ivonne A. Herrera; Arve O. Nordskag; Grete Myhre; Kåre Halvorsen

The objective of this paper is to discuss the following questions: Do concurrent organizational changes have a direct impact on aviation maintenance and safety, if so, how can this be measured? These questions were part of the investigation carried out by the Accident Investigation Board, Norway (AIBN). The AIBN investigated whether Norwegian aviation safety had been affected due to major organizational changes between 2000 and 2004. The main concern was the reduction in safety margins and its consequences. This paper presents a summary of the techniques used and explains how they were applied in three airlines and by two offshore helicopter operators. The paper also discusses the development of safety related indicators in the aviation industry. In addition, there is a summary of the lessons learned and safety recommendations. The Norwegian Ministry of Transport has required all players in the aviation industry to follow up the findings and recommendations of the AIBN study.


Reliability Engineering & System Safety | 2015

Building change: Resilience Engineering after ten years

Christopher P. Nemeth; Ivonne A. Herrera

Resilience Engineering (RE) has developed theories, methods, and tools to deliberately manage the adaptive ability of organizations in order to function effectively and safely. As the first peer-reviewed journal publication in the field, this special issue has three purposes: to provide the scientific and industrial communities with the opportunity to present current work in RE, to critically view RE's progress and contributions to research and practice, and to pose questions to stimulate thinking about RE's future. We propose three values for the RE field of practice: observation, analysis, and design and development. The special issue's content and viewpoints are not intended to provide conclusive answers, but rather to stimulate further inquiry and growth.


Journal of Contingencies and Crisis Management | 2015

Where Is the Organization Looking in Order to Be Proactive about Safety? A Framework for Revealing whether It Is Mostly Looking Back, Also Looking Forward or Simply Looking Away

David D. Woods; Matthieu Branlat; Ivonne A. Herrera; Rogier Woltjer

Despite the desire to utilize proactive safety metrics, research results indicate imbalances can arise between economic performance metrics and safety metrics. Imbalances can arise, first, because there are fewer proactive metrics available relative to the data an organization can compile to build reactive metrics. Second, there are a number of factors that lead organizations to discount proactive metrics when they conflict with shorter‐term and more definitive reactive metrics. This paper introduces the Q4‐Balance Framework to analyse economy‐safety trade‐offs. Plotting the sets of metrics used by an organization in the four‐quadrant visualization can be used to identify misalignments, overlap and false diversity. It results in a visualization of the set of metrics an organization uses and where these conflict or reinforce each other. The framework also provides a way to assess an organization's safety energy as a kind of analysis of an organization's capability to be proactive about safety.


Archive | 2014

Using dynamic risk modelling in Single European Sky Air Traffic Management Research (SESAR)

N Fota; M Everdij; S Stroeve; T Kråkenes; Ivonne A. Herrera; J Quiñones; T Contarino; A Manzo

The SESAR research & development programme aims to drastically change Air Traffic Management (ATM) in the European airspace. The SESAR project “Develop techniques for Dynamic Risk Modelling (DRM)” aims at demonstrating the need for and potential added value of DRM in the safety assessment of new developments. The main deliverable is a DRM guideline that will help safety practitioners to decide whether DRM modelling is expected to provide added value, and how to conduct the assessment. The added value of DRM is being demonstrated by its application to a SESAR test case.

situations. These guidelines are aimed to be included in a future edition of the SESAR Safety Reference Material (SRM) (SESAR SRM 2012).

1.3 Organisation of the paper

This paper is organized as follows: Section 2 explains the criteria that have been developed by the DRM project for deciding whether a given SESAR application requires the use of DRM, and it explains how the DRM project has applied these criteria to select a SESAR test case application. Section 3 explains the process that led to the selection of one particular DRM method from a list of candidate methods. Section 4 briefly explains this DRM method in steps, and presents preliminary results of its application to the test case selected in Section 2. Section 5 presents concluding remarks.

2 CRITERIA FOR APPLYING DRM

The SESAR safety assessment approach typically uses static risk modelling techniques: safety criteria and objectives are identified based on accident incident models and further safety requirements are derived using Fault Trees, Failures Modes and Effects Analysis or similar techniques. This section presents criteria to identify specific cases where DRM application is required.

Criterion 1: In SESAR an initial risk evaluation using a conventional (static) method has been conducted and the level of uncertainty in the risk results is such that it cannot be conclusively argued whether the risk is acceptable or not.

Criterion 2: The system behaviour, when considering equipment functional variability, failures, human performance variability and errors, involves occurrences which cannot be considered in isolation, as they strongly depend on system status over time.

Criterion 3: The system behaviour when considering equipment functional variability, failures, human performance variability and errors depends on process variables.

If Criterion 1 is fulfilled together with at least one of Criteria 2 or 3, it is considered that the case is eligible to risk assessment with a DRM method. The anchoring points in a preceding conventional static analysis need to be clearly identified (i.e. the Operational Hazards that will be specifically modeled with DRM, their severities and associated safety objectives together with the justifications developed during the static safety risk assessment). This will serve as the basis for developing the Dynamic Risk Modelling cycle.

The DRM project applied these criteria to SESAR concepts and as a result it selected the use case “Land vs Line up” within the Conflicting ATC clearances project P06.07.01. Conflicting ATC Clearance (CATC) detection is a system that detects early situations of conflicting clearances that, if not corrected would end up in hazardous situations. The “land vs line up” use case considers one aircraft landing and another aircraft lining up to take off on the same runway used in mixed mode. For the detection to work, the controller needs to inform the system (input) each time he provides a clearance to an aircraft. In case of a “land vs line-up” CATC alert, the controller shall resolve the hazardous situation (i.e. avoid a runway collision) by immediately cancelling the line-up instruction and/or instructing a go around, as appropriate.

Figure 1. The land vs line-up CATC alert operation.

The static safety assessment initially performed within the SESAR project (SAR CATC 2012) identified a major uncertainty w.r.t. the efficiency of the operational use of “land vs line-up” CATC alert, in relation to the time required for the controller to interpret the alert and communicate the resolution instruction(s) to the involved aircraft and for the pilot(s) to implement the instruction(s). Therefore this case was selected as a suitable test case for DRM.

3 SURVEY OF POTENTIAL DRM METHODS

A variety of methods and tools for conducting DRM exist. Some methods have been in use for many years, while others are of newer date. The level of maturity of the methods varies a lot. The DRM project has identified and described a range of methods, and assessed the methods with regards to suitability for SESAR needs. In total 11 quantitative and qualitative methods have been studied. Priority has been given to methods that provide quantification of results. The surveyed DRM methods are: Dynamic Event Trees; Dynamic Flowgraph Methodology; Discrete state-transition approaches (Markov chains, Petri Nets & extensions); Dynamic Bayesian Networks; Direct system simulation; DRM for aircraft certification; TOPAZ (Traffic Organization and Perturbation Analyzer); SoTeRia (Socio-Technical Risk Analysis); FRAM (Functional Resonance Analysis Method); STPA Hazard analysis (Systems-Theoretic Process Analysis); Collision Risk Modelling; Encounter-based model methodology. For references and brief descriptions of all these methods, refer to (DRM D04 2012).

By means of an analysis against several DRM-related criteria, the DRM project has selected TOPAZ as a suitable solution for the safety risk assessment of ATM operational scenarios. TOPAZ is an agent-based DRM method that uses Monte Carlo simulations and uncertainty evaluations to analyse the safety risk of air traffic operations up to the level of collisions. For each application, the dynamics of the agents and the time-dependent interactions within and between the agents are modelled in the syntax of Dynamically Coloured Petri Nets (DCPN) (Everdij 2010). The compositional specification by DCPNs allows for the modelling of sociotechnical systems by its broad syntax, including stochastic differential equations (e.g. describing aircraft position and velocity), discrete state transitions (e.g. describing system states or human tasks), and interactions (e.g. describing the recognition of safety-relevant conditions by humans). Detailed descriptions of TOPAZ agent-based DRM and its application to ATM operations can be accessed in Blom et al. (2001, 2006), Stroeve et al. (2009) and Eurocontrol / FAA AP15 Safety (2014).

4 APPLICATION OF DRM METHOD TO TEST CASE

The TOPAZ-based DRM method follows 10 steps which are listed below. 1. Determine the scope of operation / system for


Secure and Trustworthy Service Composition | 2014

The Aniketos Design-Time Framework Applied – A Case in Air Traffic Management

Stéphane Paul; Alessandra Tedeschi; Erlend Andreas Gjære; Ivonne A. Herrera

In order to assess the industrial relevance of the Aniketos design-time framework, we report on its application to a typical use-case of the Air Traffic Management (ATM) System Wide Information Management (SWIM) system: a meteorological information request from a pilot in an aircraft involving air-ground data-link communications. The scope of the study runs from security requirements elicitation, to the deployment of dummy services implementing the meteorological request secured process and communication functions. The evaluation shows that a rich set of security requirements can be captured and managed throughout the design-time engineering process. The Aniketos design-time framework is assessed as a sound baseline. To allow for an industrial exploitation follow-up, some required improvements have been proposed.


Safety Science | 2011

Building Safety indicators: Part 1 – Theoretical foundation

K. Øien; Ingrid Bouwer Utne; Ivonne A. Herrera


Safety Science | 2010

Is there a need for new theories, models and approaches to occupational accident prevention?

Jan Hovden; Eirik Albrechtsen; Ivonne A. Herrera


10th International Probabilistic Safety Assessment & Management Conference - PSAM10 | 2010

Proposing safety performance indicators for helicopter offshore on the Norwegian Continental Shelf

Ivonne A. Herrera; Erik Hollnagel; Solfrid Håbrekke; Sophia Antipolis


Resilience Engineering Symposium III, Juan Les Pins, France | 2008

Leading indicators applied to maintenance in the framework of resilience engineering: A conceptual approach

Ivonne A. Herrera; Jan Hovden

Top Co-Authors

Jan Hovden

Norwegian University of Science and Technology

Ingrid Bouwer Utne

Norwegian University of Science and Technology
