41ST ANNUAL CONFERENCE, Cancun, Mexico, 15-19 April 2002
WP No. 88
The Use of Safety Nets in ATM
Presented by SC1
1.1. The concept of safety nets in ATM has become widely recognised and established as a major safety benefit in reducing the risk of in-flight collisions when all other defences have failed. This has led to an increase in the number of safety net tools being developed.
1.2. This widening of the range of safety nets has led to discussion on the definition and the policy concerning the use of these tools. It also raises the question of whether their use in a specific airspace structure is a mitigation to achieve the target level of safety.
1.3. The purpose of this paper is to review the issues concerning the use of safety nets in the ATM system and the implications for IFATCA policy.
2.1. Within ICAO and Europe, safety net tools additional to TCAS have been identified, including the Ground Proximity Warning System (GPWS) and its development, Enhanced GPWS (EGPWS), Minimum Safe Altitude Warning (MSAW), Short Term Conflict Alert (STCA), and Area Proximity Warning (APW). Of these, TCAS and GPWS are pilot-interpreted airborne systems, and MSAW, STCA, and APW are controller-interpreted ground systems.
2.2. IFATCA has policy on TCAS, STCA and MSAW. For the purposes of this paper, the following policy statements refer to the safety net aspects.
“IFATCA recognises that the development of airborne collision avoidance systems should be encouraged. However it must be accepted that the primary means of collision avoidance within a controlled airspace environment must continue to be the air traffic control system which should be totally independent of airborne emergency devices such as ACAS. TCAS devices should not be a consideration in the provision of adequate air traffic services”
“Ground based safety nets, like STCA, can enhance overall safety in the automated ATC systems. Therefore each automated ATC radar system should be provided with a ground based safety net system such as STCA, as a last resort, that only should be used to advise the controller of potential losses of separation.”
“MSAW, as a last-ditch ground-based warning system, must be fully implemented without delay, with the necessary operational requirements and appropriate ATC procedures and training on a worldwide basis, in order to significantly reduce the number of CFIT accidents.”
2.3. In all three cases, the emphasis is placed on the need for the ground-based system to provide appropriate separation minima, although in the case of TCAS and GPWS, the pilot can react independently of his clearance if the safety of his aircraft is threatened. With the use of TCAS having been mandated in many states, both controllers and pilots have become more comfortable with the concept of it being used as a safety net but very much as the “last ditch” defence. In the case of STCA and MSAW, the warnings require positive action by the controller. The potential danger of STCA is that the controller under heavy workload becomes reliant on STCA not as a safety net but as a tool to be used in extreme circumstances. Also, where TCAS is mandated, it is arguable whether STCA should be regarded as “a last resort”.
2.4. IFATCA does not have any policy on GPWS and EGPWS which are CFIT safety nets although they have the potential to impact on the ATM system in a very localised manner. Nor does it have policy on APW, which is a ground based computer safety net to prevent incursions into areas that are sensitive or dangerous to flight.
2.5. IFATCA does not have a definition of an ATM safety net. However both ICAO ATMCP and the Eurocontrol Safety Regulation Commission have been considering the issue.
SRC Pol Doc 2 (draft):
Definition of safety net
A Safety Net is an airborne and/or ground based function (comprising procedures, equipment, people and any combination thereof) within the ATM System whose sole purpose is to alert crew/ATCO of the imminence of an hazardous situation (e.g., risk of aircraft collision, terrain collision, or airspace penetration) so that it can be resolved in a timely manner.
GPWS, MSAW, STCA, APW, ACAS are examples of safety nets.
As such, Safety Nets provide an analysis (such independent analysis does not necessarily imply architectural independence) of the traffic situation, which is independent from the analysis, carried out by the crew and/or the ATCO.
Safety Nets include two categories of defences:
Collision Avoidance: those defences providing for the avoidance of an imminent collision between aircraft, aircraft and terrain, aircraft and other objects as well as of an imminent airspace penetration, with the sole purpose of alerting the operator; and
Separation Protection: those defences involved in protecting against the failure of Separation Provision with the sole purpose of alerting the operator.
2.6. The SRC definition appears to be all-embracing and acceptable to controllers and pilots. However, when considering the analysis aspect, it moves away from the perceived view of a safety net being totally independent of the ATM system. It proposes that the same data that is provided to the controller can be used by another part of the system to provide alerts about hazardous situations. This is certainly true of STCA, MSAW and APW. Although these safety nets have proven to be effective, they are not independent devices such as TCAS or GPWS. TCAS relies on serviceable SSR Modes A and C. TCAS will be ineffective in a conflict event if one aircraft has either unserviceable or corrupt SSR. However, it is probable that this problem will have been identified to the controller through the standard validation and verification processes, and therefore appropriate action will have been taken to protect other aircraft from the problem aircraft. In the case of shared data (STCA), any unserviceability or corruption of information may compound the problem because it will be provided to the controller and to the STCA programme at the same time, rendering the safety net ineffective. The problem is not insurmountable in that appropriate hazard analysis and risk management processes can establish a series of safety requirements which will translate into technical specifications and operational procedures for the equipment in order to mitigate the risk.
2.7. The issue of whether a safety net is independent or not from the ATM system may seem hypothetical, but if the ICAO categories are considered, the function of the safety net is sub-divided between collision avoidance and separation protection. It is significant that IFATCA policy also makes these distinctions. Taking collision avoidance first: this is the ultimate “last ditch” defence when all else fails. In this context, it is the safety net that prevents collisions between aircraft and hazards (irrespective of any ATM separation standards). TCAS, GPWS and MSAW clearly fit into this category, although STCA is not quite so obvious because it is dependent on a number of factors such as the alerting parameters and the presentation of the alert. The second safety net category, Separation Protection, is defined as the defence against the failure of separation provision. ICAO envisages this function as an alert prior to the loss of separation provision in time for action to be taken to preserve the minimum separation standard. Furthermore, it is conceivable that to meet the TLS for predicted traffic levels in certain environments, a separation protection will be required. Certainly TCAS does not fit into this category and STCA may not either. The other issue raised by these proposed ICAO safety net categories is the lack of policy on the widening range of safety nets.
2.8. IFATCA policy on ACAS is in line with the ICAO thinking – “a last minute device not to be used for ATM purposes”. The policy on ground based safety nets is not so unequivocal in that it refers to “last resort advice” (STCA) or “last ditch …warning” (MSAW) to the controller. There is no IFATCA policy on the use of safety nets in a general context. SRC identified the need to establish policy on safety nets and drafted the following:
“Any safety benefit which may be provided by a safety net shall be considered as an additional overlay to that provided by the ATM system. The ATM system must be able to demonstrate whatever ATM safety minima and aviation level of safety are considered to be necessary, without reliance upon the safety benefit expected to be provided by safety nets”
Certain members of SRC felt this policy was too restrictive in that designers/producers and eventually operators of ATM systems would not be able to include safety nets in their systems. SRC reviewed the policy in the light of these objections and concluded that safety nets might be considered as potential risk mitigation in a safety argument. SRC cite as an example that, provided a good enough rationale was put forward by the ANS Provider and the national safety regulator was convinced by the argument, the installation of a safety net such as MSAW at an airport could justify operating minima lower than those of a non-MSAW-equipped airport.
2.9. The issues raised by the extension and availability of safety net devices need to be addressed so that IFATCA avoids some of the difficult and contentious debates surrounding the introduction of TCAS. It is now clear that safety nets can be divided into subgroups such as the division between air and ground-based equipment and the division between functionality. The safety benefits accruing from the use of safety nets are considerable but there are inherent risks that have to be identified.
IFATCA needs to review its current policy and ask the following questions:
a) Is current policy on ACAS/STCA/MSAW adequate to address the issues raised by the introduction of further safety nets?
b) Whenever a safety net is activated, it is probable that there has been a failure of one or more components of the ATM system. This provides a measure of effectiveness of the safety net and of the ATM system. Is policy required to capture this specific aspect?
c) Is there a case for separating airborne (pilot interpreted) safety nets from ground based ones? If so, what is the rationale?
d) Is the categorisation of safety nets into “Collision Avoidance” and “Separation Protection” justifiable or should the latter be removed because it is an ATM tool?
e) Does a safety net have to be independent of the ATM system? Do certain airspace classifications and traffic conditions require mandatory safety nets?
f) If the use of Safety Nets for ATM purposes is acceptable (e.g. separation protection), what safety requirements for the equipment and its functionality need to be established (with particular reference to the control task)?
g) Is there an argument, in the light of operational experience, for a safety net device to migrate to that of an ATM tool? If so, what is an acceptable rationale and who provides it?
3.1. The use of safety nets within the ATM system has been established for many years particularly with the mandating of TCAS within most states. However, their functionality has always tempted airspace and ATM system designers to extend their application into other areas such as an ATM tool, often with a view to a reduction of separation. The arguments propounded by pilots and controllers have always centred on the independence of the safety net stressing that it is the “last ditch” defence against collision with other aircraft, obstacles, or terrain. ICAO, in respect of ACAS, has vindicated this argument.
3.2. However, in recent years, the scope of safety nets has extended to be not only airborne based but ground based as well. The ground based systems do not have the architectural independence of the airborne systems; consequently, much data is shared between the controller and the safety net. This places a different emphasis on its operation and the way action is taken in the event of an alert. Also, the concept of separation protection as opposed to collision avoidance has been introduced. This implies that the controller is alerted when the separation minima are about to be infringed and action will be taken to maintain the minima. In this case, the use of the safety net is being compromised by its use as a conflict detection tool. This raises the issue of whether such safety nets can be used in a safety benefit argument to justify an appropriate level of safety assurance.
3.3. Both ICAO and Eurocontrol have been addressing the issues surrounding the use of safety nets in ATM. IFATCA has policy on ACAS, STCA and MSAW that covers certain aspects of these devices as safety nets. However, for IFATCA to participate in the ongoing discussions about the use of safety nets, with particular reference to the proposals for providing additional safety benefits that can be used as part of the overall TLS, it would seem appropriate for IFATCA to review its policy on the use of safety nets in general and amend as required.
It is recommended that the IFATCA definition of a safety net is as follows:
4.1 A safety net is an airborne and/or ground based function, the sole purpose of which is to alert the pilot or controller of the imminence of collision of aircraft, aircraft and terrain/obstacles, as well as airspace penetration.
Last Update: September 29, 2020