Digital SNOWTAM Safety Impact Assessment Viewed from a non-safety expert
SNOWTAM Trial Safety Impact Assessment 1

Purpose of the Assessment

Safety Impact Assessment Purpose
Demonstrate that the Digital SNOWTAM infrastructure is providing a satisfactory service to the users involved:
- The test facility fulfils its intended function
- It is acceptably safe

Overall Safety Argument in GSN*
- ‘Success’ approach: normal operations
- ‘Failure’ approach: failure modes
* GSN: Goal Structuring Notation

Safety ‘coverage’ of the V-cycle
- Arg 1: Nominal Mode (success approach)
- Arg 2: Failure Mode (failure approach)
V-cycle stages covered: Intended Functions, Specification, Design, Implementation, Operations

‘Success’ approach

Users and Intended Functions

System Fulfils its Intended Functions
Test infrastructure fulfils intended functions across Specification, Design, Implementation and Operation.
How to help the Safety Expert check this? Traceability.

Specifications
- S01: Automatic conversion between current SNOWTAM messages and digital SNOWTAM encodings, i.e. to exploit the semi-structured format of the SNOWTAM messages in order to automatically convert them into digital SNOWTAM encodings.
- S02: Generation of digital SNOWTAM encodings either from existing current SNOWTAM messages or through direct input (using graphical and forms tools).
- S03: Output of the generated SNOWTAM text message (after conversion from digital SNOWTAM encodings).
Each specification is traced to the related intended functions (IF#) of each user group (NOTAM office, Airport, System Developer, Airline); the IF codes shown are A.1, A.2, B.1, B.2, C.1, C.3 and D.1. (*) Table partially reproduced.

Design (related S#)
- D02: Conversion module for SNOWTAM messages, which creates AIXM 5.1 Surface Contamination data from messages received from EAD INO (4). Related: S01.
- D03: Graphical User Interface (GUI) for data provider, which enables:
  - the direct input by NOTAM operators and airport managers of surface contamination data into the application database;
  - managing rejected SNOWTAM: indicating the syntax errors that have stopped the automatic interpretation of the message and allowing the correction and re-submission of the SNOWTAM message to the interpreter (only for selected users);
  - all the functionality available to the data user, as described at D5.
  Related: S02, S04, S05.

‘Failure’ approach

System is Acceptably Safe
Hazard analysis ▼ Safety requirements ▼ Check safety requirements are covered

Simplified process
Hazard analysis ▼ Mitigation means ▼ Safety requirements ▼ Specification, Design ▼ Test infrastructure, Operations

Identified Hazards

Mitigation means => Safety Requirements
Each safety requirement is marked (X) against the user groups it applies to: Airline (A), NOTAM office (B1, B2), System Developer (C1, C2, C3) and Airport (D1).
- SR-1: The evaluation of the Digital SNOWTAM application shall be carried out by users only when time permits and shall not be detrimental to the operational tasks they must conduct.
- SR-2: Access to information for pilots and airline operational centres has to be limited, without the possibility of modifying data in the Digital SNOWTAM application.
- SR-3: Official SNOWTAM information shall prevail, for airline operational centres and for pilots, to support decision making.
- SR-4: For pilots, the information shall not be directly accessible during the flight (only accessible in the pre-flight phase).
- SR-5: Pilots shall use the last update of the surface contamination and friction coefficient provided by the corresponding airport controller (TWR) or by the ATIS.
- SR-6: In case an inconsistency between the official SNOWTAM messages and the Digital SNOWTAM information is detected, the NOTAM office uses current means to check its validity and modify it if and as necessary.
(*) Table partially reproduced.

Checking coverage of safety requirements
Implementation elements, each traced to the safety requirements SR-1 to SR-12 it covers (coverage marked A or B in the original table):
- PI-1: The Digital SNOWTAM application is only accessible through the Internet at the EUROCONTROL portal http://extranet.eurocontrol.int.
- PI-3: The logo “TRIAL SNOWTAM” is presented to the user in all screens of the application in order to remind the user that the information provided by the Digital SNOWTAM application is not to be used for operational purposes.
- UI-4: In complement to the dedicated training, supporting documentation is provided to the different users so that they are able to use the Digital SNOWTAM application ([10]).
- UI-5: Contractual agreement to be signed by the NOTAM office stating that the use of the Digital SNOWTAM application is for trial purposes only, i.e. official SNOWTAM information prevails, and current means are to be used to check its validity and modify it if/as necessary.
(*) Table partially reproduced.
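The “check safety requirements are covered” step above is a traceability check: every hazard must lead to at least one safety requirement, and every safety requirement must be covered by at least one implementation element. The following script is an added example, not material from the presentation or from the Digital SNOWTAM project; it mechanises that check over a small traceability model. The SR texts for SR-1 to SR-6 and the element identifiers PI-1, PI-3, UI-4 and UI-5 come from the slides, but the hazard list, the SR-to-element mapping and the reading of the PI-/UI- prefixes as technical versus procedural means are constructed assumptions, since the slide's own marks were not recoverable. Beyond a plain covered/uncovered verdict it also flags requirements whose only coverage is procedural, which is exactly where the assessment's own caveat (effectiveness depends on user awareness) applies.

```python
"""Traceability coverage check: hazards -> safety requirements -> implementation elements.

Added example. The hazard identifiers, the mapping of implementation elements to
safety requirements and the technical/procedural classification are constructed
for illustration and are NOT the assessment's own traceability table.
"""
from collections import defaultdict

# Safety requirements, summarised from the slide (SR-1..SR-6). The original table
# runs to SR-12; SR-7 stands in for the requirements whose text is not reproduced.
SAFETY_REQUIREMENTS = {
    "SR-1": "Trial use only when time permits; no detriment to operational tasks",
    "SR-2": "Read-only access for pilots and airline operational centres",
    "SR-3": "Official SNOWTAM information prevails for decision making",
    "SR-4": "No direct pilot access in flight (pre-flight phase only)",
    "SR-5": "Pilots use latest TWR/ATIS contamination and friction update",
    "SR-6": "NOTAM office checks and corrects inconsistencies with current means",
    "SR-7": "<text not reproduced on the slide; constructed placeholder>",
}

# Hazard -> safety requirements that mitigate it (constructed; the slide's hazard
# list was not extracted).
HAZARDS = {
    "HZ-A": ["SR-1"],
    "HZ-B": ["SR-2", "SR-3", "SR-6"],
    "HZ-C": ["SR-4", "SR-5"],
    "HZ-D": ["SR-7"],
}

# Implementation element -> (kind, safety requirements it covers).
# Reading "PI-" as a technical (platform) measure and "UI-" as a procedural (user)
# measure is an assumption; the mapping itself is constructed.
IMPLEMENTATION = {
    "PI-1": ("technical", ["SR-2"]),                    # portal-restricted access
    "PI-3": ("technical", ["SR-3"]),                    # TRIAL SNOWTAM logo on every screen
    "UI-4": ("procedural", ["SR-1", "SR-4", "SR-5"]),   # training and documentation
    "UI-5": ("procedural", ["SR-3", "SR-6"]),           # contractual agreement, NOTAM office
}


def coverage_report(requirements, hazards, implementation):
    """Return the findings a reviewer wants from the traceability matrix."""
    covered_by = defaultdict(list)
    for element, (_kind, srs) in implementation.items():
        for sr in srs:
            covered_by[sr].append(element)

    # References to SR identifiers that do not exist: a sign of a stale matrix.
    referenced = {sr for _k, srs in implementation.values() for sr in srs}
    referenced |= {sr for srs in hazards.values() for sr in srs}
    unknown_refs = sorted(referenced - set(requirements))

    # SRs with no implementation element at all: the gap the slide's check exists to find.
    uncovered = sorted(sr for sr in requirements if not covered_by[sr])

    # SRs whose coverage rests entirely on user behaviour (the assessment's caveat).
    procedural_only = sorted(
        sr for sr in requirements
        if covered_by[sr]
        and all(implementation[e][0] == "procedural" for e in covered_by[sr])
    )

    # SRs not tied to any hazard (unjustified requirement) and elements covering nothing.
    orphan_srs = sorted(sr for sr in requirements
                        if not any(sr in srs for srs in hazards.values()))
    idle_elements = sorted(e for e, (_k, srs) in implementation.items() if not srs)

    # Hazards whose mitigation chain is broken by an uncovered SR.
    hazards_at_risk = sorted(h for h, srs in hazards.items()
                             if any(sr in uncovered for sr in srs))

    return {
        "covered_by": dict(covered_by),
        "uncovered": uncovered,
        "procedural_only": procedural_only,
        "orphan_srs": orphan_srs,
        "idle_elements": idle_elements,
        "unknown_refs": unknown_refs,
        "hazards_at_risk": hazards_at_risk,
    }


def is_acceptable(report):
    """Gate: no uncovered SR, no dangling reference, no hazard left without a full chain."""
    return not (report["uncovered"] or report["unknown_refs"] or report["hazards_at_risk"])


if __name__ == "__main__":
    rep = coverage_report(SAFETY_REQUIREMENTS, HAZARDS, IMPLEMENTATION)
    for key in ("uncovered", "procedural_only", "orphan_srs", "idle_elements",
                "unknown_refs", "hazards_at_risk"):
        print(f"{key:16s}: {rep[key] or '-'}")
    print("acceptable       :", is_acceptable(rep))
```

On the constructed data the check fails on SR-7 (and therefore on hazard HZ-D), and it reports SR-1, SR-4, SR-5 and SR-6 as procedurally covered only, which is the list a safety expert would want to revisit given the slide's caveat about user awareness.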

Assessment caveats

Caveats - Assumptions - Outstanding Issues
- Digital SNOWTAM performance depends on the availability and the quality of some external data, such as the SNOWTAM information itself and some static aeronautical information (e.g. airport layout).
- Limitations: the real effectiveness of most of the Safety Requirements mainly depends on each user and their awareness of the use they can make of the Digital SNOWTAM infrastructure.

Conclusion

Assessment Conclusions
- The proposed Digital SNOWTAM infrastructure fulfils the intended functions for the Digital SNOWTAM trial.
- There is no impact on real ATM related operations while using the Digital SNOWTAM infrastructure during the trial.

Developer’s ‘mantras’
- Integrate safety aspects in your development as soon as possible
- Traceability

Questions?