
CSE International Ltd



Presentation Transcript


    1. CSE International Ltd

    2. Maastricht UAC
       - Provides en-route control in upper airspace (24,500 feet and above) over Belgium, Luxembourg, Netherlands, N-W Germany
       - 1.24 million flights per annum in 2003
       - Expected traffic growth 5% per annum
       - Complex air route structure

    3. N-OR Computer System
       - New Controller Workstations (CWP) – 65 off
         - Sony 2K screen + 1K support screen
         - 2 DEC Alpha Computers per CWP
       - Dual FDDI LAN (now Ethernet)
       - Operational Monitoring and Control positions (OMC)
       - Advanced record and replay functions
       - Radar display, flight data display, support information (no paper flight progress strips used)
       - RDP and FDP existing MAS-UAC systems
       - Radar fallback system to provide diverse radar data
       - UFF provides last resort flight data
       - Thales ATM (formerly Siemens-Plessey)

    4. New Operations Room

    5. N-OR Safety Case
       - Contract started without any requirements for safety management (or safety requirements of any sort)
         - no declared safety standard being applied
       - Latterly (1 year before planned O-date) need for Safety Case was decided
       - CSE contracted to provide Safety Case
       - Required to cover all aspects of move from existing to new ops room (N-OR)
       - Project in advanced state when Safety Case started

    6. Safety Management
       - Hazard management by means of Functional Hazard Assessment report rather than hazard log
       - Safety Management Plan produced but not referred to in the final safety case
         - output of plan is evidence which populates the safety case
       - Safety Case constructed using GSN
       - Initial GSN used to derive the Safety Management Plan

    7. Top Level GSN

    8. Human Factors
       - ATC relies on human decision making in the control loop – equipment provides support
       - Safety case cannot just address hazards due to equipment failures
       - Vital to provide arguments and evidence that the system is fit for purpose from a human factors point of view
         - even a perfectly working system is not safe if it does not provide appropriate HMI and ergonomics
       - Evidence from extensive prototyping, reviews, use in simulated ATC traffic environment

    9. Human Factors and Equipment

    10. Physical Environment

    11. HMI Arguments

    12. Equipment Safety Process
       - EUROCONTROL Safety Assessment Methodology defines FHA, PSSA and SSA stages
       - FHA performed to derive equipment safety objectives (for control of functional hazards)
         - occupational health and safety not addressed
       - SSA performed to demonstrate that safety objectives would be met (PSSA omitted)
         - Fault tree analysis
         - FMEA
         - Common Cause Failure Analysis
       - Most of the safety evidence in the SSA Report

    13. Equipment Safety Objectives
       - Failure severity based upon effect on ability to maintain safe air traffic control service
         - Overall ATM system hazard is loss of separation (continuous variable)
         - Accident is a mid-air collision
       - Failure severities based on ESARR 2 ATM equipment incident reporting requirements
         - 5 severity classes (5 is "no safety effect")
       - Tolerable occurrence rate of Severity Class N failure used to define safety objective
         - e.g. Severity Class 2 failure gives 10^-6/hr target
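The fault-tree and common-cause checks named on slide 12, applied to the 2-computers-per-CWP and dual-LAN architecture of slide 3 against the 10^-6/hr Severity Class 2 target of slide 13, as an added example that is not part of the presentation or the project's SSA. Every failure rate, the repair time and the beta factor are constructed assumptions chosen only to show how the check is made.

```python
"""Fault-tree check of a redundant controller workstation (CWP) against an
equipment safety objective, in the spirit of the SSA described in the slides.

Architecture (from the slides): 2 computers per CWP and a dual LAN, so the
CWP is lost only if both members of a pair fail.  The failure rates, repair
time and common-cause beta factor below are CONSTRUCTED illustrative values,
not figures from the presentation."""

TARGET_RATE = 1e-6        # Severity Class 2 objective quoted on the slide: 1e-6/hr
LAMBDA_COMPUTER = 1e-4    # constructed: failures/hr of one CWP computer
LAMBDA_LAN = 5e-5         # constructed: failures/hr of one LAN
REPAIR_HOURS = 8.0        # constructed: mean time to detect and restore one unit


def redundant_pair_rate(lam, beta, repair_hours):
    """Hazard rate (per hour) of a 1-out-of-2 pair using the beta-factor
    common-cause model.  Two paths to loss of the pair:
      * independent: one unit fails and, before it is restored, the other
        also fails independently (2 * lam_i * lam_i * T for rare events);
      * common cause: a single shared fault (fraction beta) takes out both."""
    lam_ind = (1.0 - beta) * lam
    independent = 2.0 * lam_ind * (lam_ind * repair_hours)
    common_cause = beta * lam
    return independent + common_cause


def or_gate(*rates):
    """OR gate over rare basic events: total rate is (to first order) the sum."""
    return sum(rates)


def cwp_loss_rate(beta, lambda_computer=LAMBDA_COMPUTER, lambda_lan=LAMBDA_LAN,
                  repair_hours=REPAIR_HOURS):
    """Top event: loss of the CWP = loss of computer pair OR loss of LAN pair."""
    return or_gate(redundant_pair_rate(lambda_computer, beta, repair_hours),
                   redundant_pair_rate(lambda_lan, beta, repair_hours))


def meets_objective(rate, target=TARGET_RATE):
    """The safety objective is met when the predicted rate does not exceed the target."""
    return rate <= target


def common_cause_share(beta, lam=LAMBDA_COMPUTER, repair_hours=REPAIR_HOURS):
    """Fraction of a pair's loss rate due to common cause: the quantity the
    Common Cause Failure Analysis on slide 12 exists to bound."""
    return (beta * lam) / redundant_pair_rate(lam, beta, repair_hours)


if __name__ == "__main__":
    for beta in (0.05, 0.005):
        rate = cwp_loss_rate(beta)
        print(f"beta={beta}: CWP loss {rate:.3e}/hr, CCF share "
              f"{common_cause_share(beta):.0%}, "
              f"{'meets' if meets_objective(rate) else 'FAILS'} {TARGET_RATE:.0e}/hr")
```

With the constructed rates the common-cause term dominates the redundant pairs, so the objective is met only when the CCF analysis can justify a small beta; that is why duplicated hardware alone is not a sufficient argument.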

    14. Overall Equipment Safety

    15. Equipment Safety Arguments - 1

    16. Equipment Safety Arguments - 2

    17. Software Safety Assessment
       - Assessment of CWP software development process against IEC 61508 carried out on behalf of supplier by Advantage
         - some omissions noted, but these largely concerned lack of functional safety assessment, which was remedied by the safety case work
       - Second assessment performed against "evidence based" objectives in CAA SRG publication CAP 670, section SW01
         - this provided a useful alternative viewpoint

    18. COTS Software
       - Operating system, X-Windows, Motif
         - Argument of safety from widespread use in similar applications
         - Functional testing also tests these components
       - Orthogon ODS Toolbox
         - No internal process evidence
         - Not treated as COTS – extended functional testing provided adequate evidence
       - Conclusion: evidence-based assessment concluded that software would be safe and it appears to be so (70 years of field service experience so far!)

    19. Maintenance and Operation

    20. Conclusions
       - GSN provided a valuable tool for developing initial safety case structure and deriving safety plan, and for presentation of the safety case report
       - GSN now recommended by EUROCONTROL
       - Safety case was readily accepted by senior management and regulator
       - System has operated safely to date
