47TH ANNUAL CONFERENCE, Arusha, Tanzania, 10-14 March 2008
WP No. 169
Investigate the Professional Aspects of the Difference between Intrinsic and Tactical Safety in the Aerodrome Domain
Presented by PLC
Summary
The aim of this working paper is to investigate:
- The relation between intrinsic and tactical safety in the ATM domain;
- Their impact on everyday aerodrome operations and ATCOs’ responsibility.
Introduction
1.1 Rationale
At the 46th IFATCA Conference in Istanbul, Turkey, the ICAO Aerodrome Panel and Aerodrome Safety of IFATCA proposed that the subject matter be inserted in the PLC agenda for the year 2007-2008.
1.2 Background
The distinction between tactical and intrinsic safety was outlined at Hong Kong 2004, by the ICAO Aerodrome Panel and Aerodrome Safety of IFATCA.
There, intrinsic safety was defined as the percentage of the achieved safety level “deriving from proper design of the system” and tactical safety as the percentage achieved through the contribution of “productive activities”, as intended in Reason’s model.
Note: James Reason hypothesizes that most accidents can be traced to one or more of four levels of failure: organizational influences, unsafe supervision, preconditions for unsafe acts, and the unsafe acts themselves. In the Swiss cheese model, an organization’s defences against failure are modelled as a series of barriers, represented as slices of Swiss cheese. The holes in the cheese slices represent individual weaknesses in individual parts of the system, and are continually varying in size and position in all slices. The system as a whole produces failures when all of the holes in each of the slices momentarily align, permitting (in Reason’s words) “a trajectory of accident opportunity”, so that a hazard passes through all of the holes in all of the defences, leading to a failure. “Productive activities”, as intended in Reason’s model, are the interaction between the actions taken by front-line operators and the decisions taken by line management that together permit the operational life of the system.
It was also stated that capacity may be a direct function of “intrinsic safety” and management costs may be a direct function of “tactical safety”.
Discussion
2.1 Safety Culture
2.1.1 Safety culture is a term that came into prominence in the nuclear industry following the Chernobyl accident. Paraphrasing the International Nuclear Safety Advisory Group (INSAG), safety culture may be defined as follows:
“Safety culture is that assembly of characteristics and attitudes in organizations and individuals which establishes that, as an overriding priority, safety issues receive the attention warranted by their significance”. (HF for Safety Audit Manual Doc 9806)
2.2 Safety related definitions
2.2.1 Safety is differently defined by different authors and organisations. Here are some definitions:
“A condition in which the risk of harm or damage is limited to an acceptable level”. (ICAO Safety Audit Manual Doc 9375)
“The condition of being safe; freedom from danger or risks”. (Oxford English Dictionary, Ninth edition)
“The state of being safe; exemption from hurt or injury; freedom from danger”. (Oxford English Dictionary, CD-ROM version, 2nd edition)
“Freedom from unacceptable risk”. (EUROCONTROL – ESARR 4)
“Aviation safety is a condition achieved through the systematic process of identifying and forecasting aviation risks and developing facilities, services, programs or procedures to minimize these risks, thereby preventing the loss of aviation resources due to accidents or incidents.” (Transport Canada’s Aviation Management Guide – 1994-95)
2.2.2 Target Level of Safety (TLS) is defined as:
“A level of how far safety is to be pursued in a given context, assessed with reference to an acceptable or tolerable risk.” (EUROCONTROL – ESARR 4)
2.3 Intrinsic safety versus tactical safety
2.3.1 The concept of intrinsic safety is widely adopted in fire risk prevention and electronics. It refers to equipment and wiring that are “inherently” safe. In other words, an intrinsically safe system is one with energy levels so low they cannot cause an explosion or the ignition of fire. Of course, this objective can only be achieved embedding safety concepts in the design of the system.
Borrowing the definition, intrinsic safety in aviation can be defined as: “Safety aspect inherent to the design of the system”. In other words, an intrinsically safe aviation system is a system with risk levels made acceptable by design, a “fail safe” system that remains safe against active failures, related both to safety tools (“defences”, in Reason’s model) and to human errors (“productive activities”, in Reason’s model).
2.3.2 The concept of tactical safety is used in the security domain, in relation to those defences aimed at protecting against the risk of aggression. In other terms, although a formal definition has not been found, the concept relates to activities and devices that protect from hazards not previously removed.
In aviation, tactical safety can be defined as:
“Safety aspect related to the application of procedures and the adoption of defence equipment, where the design of the system is inadequate to achieve a given safety level”.
2.3.3 Thence, it can be said, in relation to safety of a system, that:
- Intrinsic safety concepts are adopted to face any hazard inherent to the design of the system, and
- Tactical safety measures mitigate any hazards inherent to non-eliminable design shortcomings.
- Total safety = intrinsic safety + tactical safety
Note: In terms of Threat and Error Management (TEM), intrinsic safety is about dealing with (foreseen) threats during the design phase, and tactical safety is dealing with threats as they occur in real time. Not all threats can be eliminated or anticipated in the design phase.
2.3.4 In a well designed system, total safety will have a greater component of intrinsic safety, while in a poorly designed system the greater component will be tactical safety, which opens windows of opportunity for operational problems. If the ATM system aims at a component of intrinsic safety bigger than tactical safety, these windows can be closed one by one.
2.3.5 The international civil aviation system frequently contains latent unsafe conditions that can facilitate accidents. Safety oversight systems are designed to ensure that adequate defences exist to protect against these latent unsafe conditions. These defences include such things as legislation, regulations, authoritative safety inspections and audits to identify systemic safety deficiencies. In many ways, accidents can be viewed as the ultimate manifestation of deficiencies in safety oversight systems.
2.3.6 Management and organizational factors are key concepts in system safety. Certain inherent characteristics of large industrial systems, such as their complexity and the unexpected interaction of multiple failures, can contribute to safety breakdowns — which are called system or organizational accidents. In such systems, remedial actions then must go beyond those who had the last opportunity to prevent the accident (usually the operational personnel), to include the influence of the designers and managers, as well as the organizational structure of the system.
2.3.7 In terms of Threat and Error Management (TEM) there are tools available to the airlines and to ATS providers to obtain a profile of the threats and errors and the way they are managed during normal operations. For the airlines this tool is LOSA (Line Operations Safety Audit), for ATS this tool is NOSS (Normal Operations Safety Survey).
2.3.8 The new edition of the ICAO DOC 9870 (Prevention of runway incursion) states:
“Aviation safety programmes have a common goal – to reduce hazards and mitigate and manage residual risk in air transportation”.
Although this document is related to the prevention of runway incursions, it is the first ICAO document accepting the principle that, when assessing safety, once a hazard is identified, one shall first verify the possibility of removing the hazard, and mitigate only the residual risk.
2.4 Safety aspects in the aerodrome domain
2.4.1 Aerodrome safety comprises several aspects, such as runway, taxiway and apron safety, as well as safety of in-flight operations. Runway safety has the largest potential impact on ATCOs. Runway safety comprises runway excursion, protection from wildlife, surface contamination and, particularly, runway incursion. Apart from the area of application of safety concepts, it is very important to define the approach to them: safety of a system can be considered in a “holistic”, or global, way (as IFATCA usually does) or separately, field by field of the system.
2.4.2 Aerodrome safety objective states:
“An aerodrome with its facilities, equipment and systems shall be designed and operated so that for any hazard the combination of the probability of occurrence and the seriousness of the consequences of the hazard occurring must not result in a level of risk that is unacceptable”. (Aerodrome safety workshop Kazakhstan 18-22 November 2002 – Goran SVENSSON Swedish Aerodrome Safety Inspector)
The sentence clearly leads to the holistic approach. With this in mind, new opposing concepts arise for analysis.
2.5 General aspects for Aerodrome Design
2.5.1 When a general assessment has been made of the land area required, based on a tentative layout capable of satisfying the airport master plan, a collection of background material is begun. This information can be equally useful in evaluating an existing airport site or a potential site for a new airport. (ICAO Doc 9184 – Chap 1 – § 5.3)
2.5.2 For aerodrome environment in this WP we consider:
- Positioning of the TWR building for optimal surveillance;
- Aerodrome layout (manoeuvring area and aprons);
- Aerodrome buildings;
- Aerodrome airspace design;
- Aerodrome users (pilots, ATCOs, airport personnel);
- Aerodrome wildlife (birds, rabbits) and surface contamination inside and outside of the aerodrome (grass, sand, water);
- Aerodrome technical equipment;
- Aerodrome meteorological condition and geographical location;
- Aerodrome vehicle or personnel on or near the manoeuvring area or traffic operating in the vicinity of the aerodrome.
Considering all these elements, we can identify that threats connected with the operational life of the aerodrome can occur as the result of one or more common events. These common causes or events may result from a common process, a manufacturing defect, or common external events. Common causes are present in almost any system where there is any commonality, such as a human interface, a common task or a common design.
2.5.3 The ground elements associated with runways, which are directly connected to the landing and take off of aircraft, are: runway strips, stopways, clearways and runway end safety areas (RESAs). From an operational point of view, protection of these surfaces is crucial.
2.5.4 ICAO Doc 9157 (Chap 2 – § 1.1) also states that manoeuvring area systems should be designed to minimize restriction to aircraft movement. A properly designed system should be capable of maintaining a smooth, continuous flow of aircraft ground traffic at the maximum of points requiring acceleration or deceleration. This requirement ensures that the manoeuvring area system will operate at the highest level of safety and efficiency. Restriction to aircraft movement is efficiently minimised through the adoption of design concepts already well established in the road design field. In fact, the roads able to accept an efficient and safe flow of traffic are those highways protected from “incursions” and crossings. The need to create an efficient flow, and the higher energy of aircraft traffic compared to road traffic, induce the need for the global application of these concepts. We must protect the areas listed at § 2.5.2 from any unnecessary infringement.
2.5.5 It is clear that the manoeuvring area system is the least flexible of the aerodrome elements, and must therefore be considered first when planning aerodrome development. Forecasts of future activity should identify changes in the rate of aircraft movements, the nature of the traffic, and the type of aircraft and any other factors affecting the layout and dimensioning of the runway and taxiway systems.
2.6 Intrinsic and tactical safety balance in the aerodrome domain
2.6.1 Analysing the aerodrome domain and its safety objective (§ 2.3) in the light of the intrinsic and tactical safety concepts, it clearly appears that the term “designed” can be related to the concept of intrinsic safety, while the term “operated” can be related to the concept of tactical safety. It is obvious that, to reach the safety objective, a “balanced” combination of the two is necessary. An imbalance between intrinsic and tactical safety may constitute a latent failure of the system.
2.6.2 Returning to the analogy with fire prevention and electronics, the “energy” related to the operations in the airport system is very high and should never be underestimated. Hazards are inherent to aviation. Since energy cannot be kept at zero, the related risks are a function of that energy. Due to the potential severity of an incident, any unnecessary element that increases such energy shall be removed (by design), while only the necessary ones shall be assessed, and their contribution to risk mitigated (by tactical procedures and defences). That is, where the design of the manoeuvring area of an aerodrome is not intrinsically safe, safety levels can only be met by introducing procedures interpreted by humans and/or warnings issued by safety tools, such as runway holding position infringement sensors. Of course, the weak point of tactical safety is that it relies on fallible means.
2.6.3 Examples
2.6.3.1 ICAO recommends that “sufficient entrance and exit taxiways for a runway should be provided” (Annex 14 – § 3.9.2). Accessibility must be kept to a minimum, in order to reduce the chance of a runway incursion.
2.6.3.2 Airports are provided with perimeter service roads that connect different areas of the airport. Perimeter roads may, or may not, fall within runway protection surfaces; consequently they may, or may not, constitute a hazard in regard to runway excursion and incursion.
2.6.3.3 ICAO recommends that:
“Aerodrome controllers shall maintain a continuous watch on all flight operations on and in the vicinity of an aerodrome as well as vehicles and personnel on the manoeuvring area. Watch shall be maintained by visual observation, augmented in low visibility conditions by radar when available”.
Buildings (such as terminals and hangars) and apron lighting towers are indispensable. These can be designed to either help or hinder TWR controllers, in relation to aprons (where under the responsibility of ATS), taxiways, runways and even airspace.
2.6.3.4 The above examples clearly describe some of the elements that can create hazards not inherent to the operations themselves, but to the design of the aerodrome system. Wherever intrinsic safety is taken into due account, these elements are considered at the design stage (or, for existing aerodromes, at the master-planning stage, to introduce safety improvements) and the related hazards removed. Wherever it is not, the responsibility to reach the appropriate safety level is transferred to operational personnel, through the application of procedures and the use of safety tools. This responsibility is added to that already inherent to operations, unbalancing the system toward tactical safety. This attitude should be considered unacceptable by IFATCA.
2.7 Non balanced airport systems
2.7.1 One of the points is how to define an “eliminable” operation. In our opinion, analysis must start from the reason for an airport to exist. The objective, when planning for a new airport, is to allow mobility for people and goods using aviation, hence to allow aircraft departures and arrivals. Consequently, the objective of a runway is to allow landings and take-offs. The taxiway net shall provide “sufficient entrance and exit taxiways for a runway”. All the operations strictly connected to the above objectives are “non-eliminable”: they are the very reason for the airport to exist. At the same time, each of these operations constitutes a hazard in itself, and the related risks can only be managed by the operators, through appropriate procedures and with the help of safety tools, that is, through the application of tactical safety concepts.
2.7.2 Sometimes the taxiway net is insufficient. Crossing, or backtracking on, a runway is not necessary in itself. It is only due to the “decision makers’” choice not to pursue safety inherently in the design of the system, perhaps to save money, time and/or land. Such a choice compromises safety. To reach the same safety level existing in a well designed aerodrome, it is necessary to rely heavily on tactical safety. In other words, the “layers” of the system where active failures can occur, productive activities and defences, are left with every other possible window of opportunity open to threats.
2.7.3 The layout and configuration of an airport can be a source of threats to TWR operations. A basic airport with just a short taxiway connecting the ramp with the middle of the runway will require ATC to arrange for backtracking of the runway by most of the arriving and departing traffic. If a taxiway parallel to the runway were available, with intersections at both ends as well as in between, there would be no requirement for aircraft to backtrack the runway. Some airports are designed and/or operated in such a way that frequent runway crossings are necessary, both by aircraft under their own power and by towed aircraft or other vehicles. A taxiway around the runway would be a solution, provided the aircraft and vehicles concerned use it consistently. This includes areas not visible from the TWR, where the ATCOs do not have the entire movement area in sight.
2.8 Other Considerations
2.8.1 Runway safety
2.8.1.1 “Aerodrome lay-out”, clearly identified as a runway incursion contributing factor, is not even mentioned in most of the documents produced worldwide. The solution for a wrong configuration is sought within the concept of “tactical safety” and through heavy involvement of operational personnel in carrying out procedures. This poor attention to human factors principles opens “windows of opportunity” for “human errors” to happen. On the contrary, “intrinsic” safety could preserve the system, the public and the operators from the catastrophic consequences of an incident.
2.8.2 General analysis
2.8.2.1 Analysis of accident data often reveals that the situation prior to the accident was “ripe for an accident”. It may have been said that it was only a matter of time before the circumstances led to an accident. When an accident occurs there is often an element of chance present. Operating personnel involved in the accident and their colleagues may have committed these errors or unsafe practices hundreds of times before — without adverse consequences. In addition, unsafe conditions that may have facilitated their unsafe acts may have been present for many years without causing an accident. In other words, sometimes these unsafe conditions were the consequence of deliberate decisions by management who recognized the risks but in managing those risks, chose not to mitigate them. The operational personnel then unwittingly inherited system defects that remained uncorrected. They operate as part of a larger system within a context which is defined for the most part by organizational and management factors beyond their control. Accident prevention then depends on examining the total context and the system in which they operate.
2.8.2.2 Latent unsafe conditions may only become evident once the system’s defences have been breached. They may be present in the system well before an accident and are generally created (sometimes knowingly) by decision makers, regulators and other people far removed in time and space from the accident. Safety efforts should be directed at identifying and mitigating latent unsafe conditions on a system-wide basis, rather than at localized efforts to minimize unsafe acts by individuals, which are only the proverbial tip of the iceberg.
2.8.3 Human Factors
2.8.3.1 There are several vulnerabilities in monitoring manoeuvring area activity, particularly after landing and take-off clearances have been delivered to aircraft, and after taxiing instructions have been issued to an aircraft that must cross an active runway. By issuing a clearance, it can be argued that controllers have fulfilled their requirement, but investigations of runway incursions highlight examples of how monitoring can contribute to safety after clearances have been issued. Examination of the observation narratives indicated that:
- Controllers were “frequently distracted” from monitoring aerodrome movements by dealing with automated messages appearing on their computer monitor. Additionally, procedures pertaining to FDPS handling at one tower were further causing excessive “heads down” time, thus preventing the controllers from monitoring aerodrome activity;
- Controllers are overloaded when the manoeuvring area is not all in sight by the TWR;
- Controllers are more stressed when operating at airports where there are continuous runway crossings.
2.8.3.2 Controllers are nowadays involved many times during a project, but they are still mostly required to evaluate a system, rather than contributing actively to the design process. For instance, they are often interviewed or observed as sources of operational knowledge in the first phases of the design process, or they take part in large testing sessions organized in the latest phases, when the system has been fully developed. In other words, they are still considered as part of the system under study, and they are mainly requested to test and evaluate it. Increased participation, in terms of number of users and occasions, has not brought a qualitatively different contribution; that would require other means and roles for users’ participation.
2.8.3.3 ICAO Doc. 9758 “Human Factors Guidelines for ATM Systems”, contains material on end-user involvement during system design and development.
2.8.4 Legal aspects
2.8.4.1 The aviation industry has accepted that humans cannot be changed but are nonetheless required to make the system work safely. The legal world holds the view that the system is inherently safe and that humans are the main threat to that safety. Safety improvements in the aviation system will be achieved as a result of an open exchange of information. Human error cannot be avoided when it happens, but a complex system that is designed correctly can provide ATCOs the opportunity to work in a safer way.
2.8.4.2 IFATCA needs to keep a high level of attention on the aerodrome domain. In an aerodrome environment, the interaction between air traffic services and all other stakeholders exposes ATCOs to extremely high levels of responsibility and professional risk. One example is the Linate accident. The ANSV (Italian agency for air navigation safety) report into the Linate runway incursion and collision lists a number of “immediate and systemic” causes for the accident. Some of the systemic ones could also be considered from an organizational point of view. Below is a short list of the most relevant:
- The lack of adequate visual aids;
- Official documentation failed to report the presence of unpublished markings (S4, S5 etc) that were unknown to air traffic managers, thus preventing the ATM staff from interpreting the ambiguous information from the Cessna crew, a position report mentioning (S4);
- The aerodrome standard did not comply with ICAO Annex 14; required markings, lights and signs did not exist (TWY R6) or were in dismal order and hard to recognize, especially under low visibility conditions (R5, R6), and other markings were unknown to operators (S4);
- No functional Safety Management System was in operation.
2.8.4.3 At this time there are no ICAO documents or guidance material regarding Intrinsic and Tactical safety.
2.9 Possible solutions
2.9.1 Possible solutions for existing airports are:
- The monitoring of the “aerodrome domain” through periodic inspection by ATCOs;
- The notification to the competent authority of any significant situation considered a non-acceptable risk (“Air safety report”);
- ATCOs must notify when using additional procedures established to achieve safety (tactical);
- If possible, simulation of the designed aerodrome must be conducted by expert ATCO personnel before it becomes active, to analyze the operational procedures.
Conclusions
3.1 IFATCA defines Intrinsic safety as:
“Safety aspects inherent to the design of the system”, and Tactical safety as: “Safety aspects related to the application of procedures and the adoption of defence equipment, where the design of the system is inadequate to achieve a given safety level”.
3.2 To establish a safe airport and airspace system, the design should be intrinsically safe.
3.3 MAs should notify the ANSP and/or the appropriate Authority of any deficiency due to the lack of account taken of intrinsic safety concepts.
3.4 Expert ATCOs must be involved in the design process of a new aerodrome.
3.5 The ground elements associated with runways, which are directly connected to the landing and take off of aircraft, are: runway strips, stopways, clearways and runway end safety areas (RESAs).
3.6 From an operational point of view, protection of these surfaces is crucial.
3.7 IFATCA should carefully monitor the application of the principle stated in the ICAO Doc 9870:
“Aviation safety programmes have a common goal – to reduce hazards and mitigate and manage residual risk in air transportation”.
It would relieve operational personnel from being a safety anchor for any unsafe system. The Federation should also try to introduce the same principle in other relevant ICAO and European documents, to strengthen it.
3.8 Safety culture will not guarantee that there will be no accidents but it does reduce the risk of accidents.
Recommendations
4.1 Insert on the newly created page 4512 of the IFATCA Manual the following:
4. Intrinsic and Tactical Safety
4.1 Intrinsic Safety is defined as: “Safety aspects inherent to the design of the system”
4.2 Tactical Safety is defined as: “Safety aspects related to the application of procedures and to the adoption of defences, where the design of the system is inadequate to achieve a given safety level”
4.2 IFATCA recommends that all parties involved in airport and airspace design address intrinsic safety with the highest priority.
References
ICAO Doc 9806, Human Factors Guidelines for Safety Audits Manual.
ICAO Doc 9375, Safety Audit Manual.
Oxford English Dictionary, Ninth edition.
Oxford English Dictionary, CD-ROM version, 2nd edition.
EUROCONTROL, ESARR 4.
Transport Canada, Aviation Management Guide, 1994-95.
Aerodrome Safety Workshop, Kazakhstan, 18-22 November 2002.
Goran Svensson, Review of the ANSV Linate Accident Report (Version 1: 8/2/2005).
ICAO Doc 9870, Manual on the Prevention of Runway Incursions.
DEEP BLUE Consulting & Research, www.dblue.it
Last Update: September 29, 2020