Safety Nets: Primary or Secondary Defenses? Does it Matter?
Kathy H Abbott, PhD, FRAES
Federal Aviation Administration
7 June 2016
Safety nets come in several forms
Safety nets can be:
• People
• Alerting systems
• Automated systems
• Others
Alerting systems
• Examples include:
  • Ground proximity warning systems (GPWS)
  • Terrain Awareness and Warning Systems (TAWS)
  • Airborne Collision Avoidance System/Traffic Collision Avoidance System (ACAS/TCAS)
  • Takeoff configuration alerting
  • Altitude alerting
These safety nets
• Have contributed to preventing accidents
• Are designed as secondary defense
  • E.g., “The intent of a TCAS is to serve as a backup to visual collision avoidance, application of right-of-way rules, and air traffic separation service.” (Advisory Circular 120-55c, Air Carrier Operational Approval and Use of TCAS II)
Although designed as secondary defenses, they are sometimes (often?) used as primary
• Altitude alerter
  • “One thousand to go”
• TCAS:
  • “Do not deviate from an assigned clearance based only on TA information”
Spanair Flight 5022 accident
Probable cause: “The crew lost control of the aircraft as a result of a stall immediately after takeoff, which was caused by the incorrect plane configuration for take-off (i.e. not deploying the flaps and slats, following a series of errors and omissions), coupled with the absence of any warning of the incorrect configuration…”
Does it matter that secondary defenses are used as primary?
• Inaction may result
• Skill degradation may be one consequence
• Action may be based on assuming that safety net is always there
• Regulatory approval assumes it is a secondary system
• Required reliability of secondary, backup systems may not be as high as it would be if its purpose was to be the primary safety net
Additional information is provided on displays BUT
“Because of design limitations, the bearing displayed by TCAS is not sufficiently accurate to support the initiation of horizontal maneuvers based solely on the traffic display.”
“Because of the limitations that may exist with various display systems, the PF should not maneuver the aircraft based solely on the information shown on the TCAS display”
Additional information is provided on displays BUT
Required limitation in TAWS flight manuals: “Navigation must not be predicated upon the use of the TAWS”
Safety nets
• Safety nets are a risk mitigation
• They might mitigate some risks but introduce others (e.g., go-arounds as a risk mitigation for unstable approaches)
• Unintended consequences
Risk Mitigations (in decreasing order of effectiveness)
• Eliminate hazard
• Alter design
• Incorporate engineered features or safety devices
• Provide warning devices
• Incorporate signage, procedures, training
Source: MIL-STD-882E System Safety Handbook
Recommended Actions
• Safety nets should not be primary means of achieving a task. Training and operational procedures for pilots (or controllers) should address this point.
• Pilots (or controllers) should be made aware of the assumptions, limitations, and potential risks introduced by the “safety nets”
• Regulators (and others) should address the potential risks introduced by the safety nets. The benefit of the safety net should be balanced against the risks introduced.
Concluding Remarks
• Avoidance of the hazard is the first preference
• Safety nets can help mitigate risks but may introduce different ones
• “One should carefully consider both the intended and the unintended effects of implementing protection in sociotechnical systems.”*
*Source: Denis Besnard, Erik Hollnagel. Some myths about industrial safety. 2012. <hal-00724098v1>