Causal risk models of air transport - NLR-ATSI

More documents

Recommendations

Info

After World War II aviation became a means of mass transportation. In the 1950s accidents during (test) flights were frequent [Wolfe 1979], but the knowledge gained during the flights and as a result of accident investigation contributed greatly to the development of aviation as a reliable and safe means of transport. Safety improved tremendously from 1950 to 2000, the worldwide fatal accident rate dropped from 3 accidents per million flights to less than 0.5 (see Figure 5). Most of the technological developments that contributed to improved safety were driven by a desire to increase the economical viability, with safety as a ‘byproduct’. Aircraft make money when they are in the air, not when they are grounded, and thus much effort was put into improving aircraft reliability and the ability to fly in adverse weather conditions. Technological advances that contributed significantly to aviation safety include the following: • Jet engines, which have a lower failure rate than piston engines due to their inherently simpler design with less accelerating parts [Brown 1981]. • Radio navigation systems have improved the flight crew’s ability to navigate and have virtually eliminated occurrences where aircraft get lost and run out of fuel before finding a suitable landing place [Leary 1992, Abbink 1996]. • Precision approach systems and automatic landing systems (precision approaches are five times more safe than non-precision approaches) because they help to keep the aircraft on the correct approach path, even in conditions of reduced visibility, like fog [Enders et al 1996, Abbink 1996]. • On-board weather radar has helped in avoiding hazardous weather. • Glass cockpits 19 provided an enormous increase in the possibility to directly interpret all aspects of navigation and the avoidance of bad weather and greatly increased the situational awareness of the pilots by integration of all information [Abbink 1996]. They also provide better support to the flight crew in the case of technical failures, reducing the likelihood of flight crew errors in such abnormal or emergency conditions [Roelen & Wever 2005b]. Paradoxically, they have also contributed to accidents due to poor crew understanding of their software logic [Sarter & Woods 1995]. None of these technological advances were safety driven. The reason to develop the jet engine was the need for improved performance in terms of aircraft speed and engine power. Radio navigation allowed the reduction of the flight crew to two pilots and a flight engineer, automatic landing systems increased productivity because aircraft were far less dependent on local weather conditions. Precision navigation by means of GPS became available thanks to the United States Department of Defence that needed accurate targeting and guidance for their weapon systems. The step from electromechanical cockpit instruments to a glass cockpit was made to reduce maintenance costs and weight. It also allowed the elimination of the flight engineer from the flight deck, and thus provided a significant reduction in direct operating costs for the airlines. In addition to technological leaps, overall system reliability has gradually improved. Today an engine failure is such a rare event that most pilots will never experience it in their career 20 . Technological 19 In a glass cockpit the traditional electromechanical instruments are replaced by displays that are able to present integrated information. 20 The in-flight engine shutdown rate of a modern engine like the GE90-115B is 0.005 per 1000 flight hours [Horibe et al 2004], i.e. one shutdown every 200,000 hours. For a twinengine aircraft like the Boeing 777 this means one shutdown per 100,000 hours of flight. An airline pilot will have approximately 20,000 flying hours at the moment of his 36
advancement in ATM on the other hand has been relatively slow because ATM has traditionally been the responsibility of national authorities and therefore has, until recently 21 , not experienced the effects of competition. A result is the use of technology that basically dates from WW II; VHF voice communication and radar. Regulatory requirements matured. Strength requirements for aircraft structures were specified in terms of limit loads (the maximum loads to be expected in service) and ultimate loads (limit loads multiplied by prescribed factors of safety of 1.5). Aircraft manufacturers had to show compliance to these requirements by analysis supported by strength testing of sub-components, full scale components or full scale tests of assembled components (such as a nearly complete airframe) up to limit loads and ultimate loads. The structure must be able to support ultimate loads without failure for at least 3 seconds. When tests are used to show compliance, an additional safety factor of 1.15 is typically applied to account for variability in material properties [EASA 2003a]. Regulatory requirements regarding aircraft system safety also evolved. When automatic landing systems were designed in the 1950’s, aircraft and equipment manufacturers asked the airworthiness authorities what requirements or special conditions would be applied to such systems. The authorities did not consider that they had the background and experience to write detailed requirements. Instead a target level of safety was agreed with the manufacturers as a base for certification. Applicants were required to make a case for their individual systems by assessing them against the declared objective. Subsequently detailed methods of establishing compliance were evolved. With the further development of technology and complex systems, in particular related to supersonic transport aircraft, the authorities from the USA, UK and France produced requirements that included the general principle that an inverse relationship should exist between the probability of occurrence and the degree of hazard inherent in its effect on the capability of the aircraft. In addition, they specified a level of safety to be achieved, in qualitative and quantitative terms, and required that a safety assessment should be made. The concept of requiring an inverse relationship between probability of failure and the severity of the failure effect had in practice been established from the early days of aviation and resulted in, for instance, twin magnetos and twin spark plugs on engines, dual wing rigging wires and dual control cables. What was new in the requirements was the introduction of quantitative and numerical methods for addressing risk instead of the intuitive methods that had been used before [Lloyd 1980, Lloyd & Tye 1982]. In assessing the acceptability of a system design it was recognised that rational probability values would have to be established. Historical evidence indicated that the risk of a serious accident due to operational and airframe-related causes was approximately 1 per million hours of flight. Furthermore, about 10 percent of the total could be (albeit arbitrarily) attributed to failure conditions caused by the aircraft’s systems problems. It seemed reasonable that serious accidents caused by systems should not be allowed a higher probability than this in new aircraft designs. It was thereby possible to require for new designs that the probability of a serious accident from all such system failure conditions be no greater than 1 per ten million flight hours, or 1 x 10 -7 per flight hour. As it is not possible to say whether the target has been met until all the systems on the aircraft are collectively analysed numerically, it was assumed, arbitrarily, that there are retirement. The probability that at some point in his entire career he will have had to shutdown an engine in-flight is approximately 1 in 5. 21 ANSPs in Europe are becoming more independent from the national authorities; NATS in the UK for example is fully privatised and LVNL in the Netherlands is a ‘Zelfstandig bestuursorgaan’. 37
Page 1: Causal risk models of air transport
Page 4 and 5: Dit proefschrift is goedgekeurd doo
Page 6 and 7: Acknowledgements A PhD study has be
Page 8 and 9: Chapter 6. Risk models in other ind
Page 10 and 11: List of abbreviations AC Advisory C
Page 12 and 13: STAR Standard Arrival Route STCA Sh
Page 14 and 15: esults of such models are possible
Page 16 and 17: processes? The second dimension is
Page 18 and 19: Chapter 2. Fundamentals of risk Bef
Page 20 and 21: Figure 1: Voluntary exposure to ris
Page 22 and 23: Y (RDC) [km] 495 490 485 480 475 47
Page 24 and 25: achieved (i.e. an aspirational targ
Page 26 and 27: accidents’ because these accident
Page 28 and 29: e restricted to ‘objective’ ris
Page 30 and 31: is irrelevant. The fire-fighter wil
Page 32 and 33: In this example, the drug appears b
Page 34 and 35: ender the model outcome too uncerta
Page 36 and 37: If we adopt Leveson’s [2004a] sys
Page 38 and 39: models. A strategy for avoiding thi
Page 40 and 41: Number of accidents per 100,000 fli
Page 44 and 45: about 100 potential system failure
Page 46 and 47: Airways 25 , although this is excep
Page 48 and 49: Douglas DC-10; an aircraft with a t
Page 50 and 51: of small airlines that went bankrup
Page 52 and 53: Throughout the service life of an a
Page 54 and 55: an inverse relation should exist be
Page 56 and 57: Safety versus the environment: the
Page 58 and 59: A causal risk model could support t
Page 60 and 61: adequate levels of safety in the ci
Page 62 and 63: also because of the large amount of
Page 64 and 65: met. The explanatory material empha
Page 66 and 67: Article 8 of the Seveso Directive (
Page 68 and 69: 4.4. Summary of user requirements a
Page 70 and 71: Grouped by type of requirements, th
Page 72 and 73: Representation of regulation Regula
Page 74 and 75: characteristics make test pilots ve
Page 76 and 77: Table 3: List of fatal flight test
Page 78 and 79: 4.5. User expectations: lessons fro
Page 80 and 81: helpful tool. This will have to be
Page 82 and 83: is to have a top-level representati
Page 84 and 85: Chapter 5. Examples of aviation saf
Page 86 and 87: therefore the approach cannot be co
Page 88 and 89: N az ⎡ ⎪⎧ 2λ y& z ⎪⎫ ⎤
Page 90 and 91: acceptable. The question, scope and
Page 92 and 93:
Chapter 6. Risk models in other ind
Page 94 and 95:
support [Paté-Cornell & Dillon 200
Page 96 and 97:
Techniques that have been used in t
Page 98 and 99:
airline passengers face. A complica
Page 100 and 101:
problems, already well accepted in
Page 102 and 103:
computationally more intensive. A d
Page 104 and 105:
BASIC EVENT - A basic initiating fa
Page 106 and 107:
fault trees best represent the logi
Page 108 and 109:
Bayesian Belief Nets are convenient
Page 110 and 111:
The approach for CATS was with q =
Page 112 and 113:
PDPs can be used to construct model
Page 114 and 115:
analysis is repeated for each secti
Page 116 and 117:
Chapter 8. Quantification The causa
Page 118 and 119:
hole’ is impossible to tell unles
Page 120 and 121:
An example of a complex issue for w
Page 122 and 123:
determined, given the results of th
Page 124 and 125:
Indeed it can be misleading to thin
Page 126 and 127:
determine what preventive action ma
Page 128 and 129:
to provide quantitative data to the
Page 130 and 131:
data the most accurate and detailed
Page 132 and 133:
It takes years to set up and conduc
Page 134 and 135:
Another problem with the use of aud
Page 136 and 137:
Ambiguity in the classification sys
Page 138 and 139:
vulnerable to differences in interp
Page 140 and 141:
Chapter 9. Modelling challenges In
Page 142 and 143:
considerable procedure guidance, do
Page 144 and 145:
Procedures Availability Error proba
Page 146 and 147:
9.2. Modelling safety management IC
Page 148 and 149:
phenomenon 73 . As a matter of fact
Page 150 and 151:
shift changeovers or when an aircra
Page 152 and 153:
will be crossed if no action is tak
Page 154 and 155:
capsule, Grissom realized that he w
Page 156 and 157:
According to this model, ‘fatigue
Page 158 and 159:
Archetype accident example 1: Take-
Page 160 and 161:
Table 8: Runway overrun accidents a
Page 162 and 163:
evolution 78 . An advantage of this
Page 164 and 165:
systems. They then provide a conven
Page 166 and 167:
that the rest contains no ‘new’
Page 168 and 169:
quick handling by the flight crew a
Page 170 and 171:
Cumulative probability 1 0.9 0.8 0.
Page 172 and 173:
speed 86 for the 500 ft altitude ga
Page 174 and 175:
Probability density 0.0008 0.0007 0
Page 176 and 177:
This example concerns an approach f
Page 178 and 179:
10.6. Conclusions for this section
Page 180 and 181:
accident chains in which the ultima
Page 182 and 183:
esults are being used in a certific
Page 184 and 185:
are not ‘calibrated’. These asp
Page 186 and 187:
equirements. The degree to which dy
Page 188 and 189:
this may seem to be an oversimplifi
Page 190 and 191:
Main research question: What does c
Page 192 and 193:
References AAIASB. (2006). Accident
Page 194 and 195:
BEA. (2001). Accident on 25 July 20
Page 196 and 197:
Carpenter, M.S., Cooper, L.G., Glen
Page 198 and 199:
EAI. (2002). Review of Causal Model
Page 200 and 201:
FAA. (1995a). Aviation safety actio
Page 202 and 203:
Hale, A.R. (2000). Railway safety m
Page 204 and 205:
IATA. (2008b). IOSA Standards Manua
Page 206 and 207:
Khatwa, R., Roelen, A.L.C. (1996).
Page 208 and 209:
Lloyd, E. (1980). The development o
Page 210 and 211:
Nijenhuis, W.A.S., Spek, F., Moelek
Page 212 and 213:
Onisko, A., Druzdzel M.J., Wasyluk,
Page 214 and 215:
around airports, Part 1: Main repor
Page 216 and 217:
Simons, M., Valk, P.J.L. (1998). Ea
Page 218 and 219:
Tweede Kamer. (2003b). Toekomst van
Page 220 and 221:
Summary Aviation safety is so well
Page 222 and 223:
existing data bases. Preferably the
Page 224 and 225:
verder verbeteren daarvan, zijn er
Page 226 and 227:
internationale regelgever zoals EAS
Page 228 and 229:
LPG [Tweede Kamer 1983], which set
Page 230 and 231:
of this a situation has been create
Page 232 and 233:
Holding En-route Approach Go-around
Page 234 and 235:
Approximately 5 minutes prior to de
Page 236 and 237:
cockpit announcing flight parameter
Page 238 and 239:
The ground controller then takes ov
Page 240 and 241:
aircraft input will occur. They wil
Page 242 and 243:
Basic principles for the design, co
Page 244 and 245:
egulation became evident and the In
Page 246 and 247:
its functions was to develop and ad
Page 248 and 249:
the delivery systems determines a m
Page 250:
244
show all

Causal risk models of air transport - NLR-ATSI

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?