33rd Congress of the International Council of the Aeronautical Sciences

10 - Safety and Security

STRESSING SAFETY ASSESSMENT METHODS BY HIGHER LEVELS OF AUTOMATION

L. Meyer¹, C. Bjursten Carlsson¹, Å. Svensson¹, M. Peukert¹, L. Danielson, SDATS, Sweden; B. Josefsson¹; ¹LFV, Sweden

Automation has an increasing role in supporting operators across all safety-related domains, with the aim of increasing cost-effectiveness and safety. In air traffic control, en-route controllers use a set of tools that support identifying and solving conflicts. The current level of automation in air traffic control is generally very low: it provides additional information to the ATCO rather than suggesting solutions or executing them. The reasons for this rather automation-resistant approach are acceptance by operators and the so far unbeatable safety performance record of human operators. Nevertheless, workload and cost-efficiency arguments are of increasing interest and push the trend towards automated decision support.

This paper explores the existing methodological implications of providing predictive safety evidence of whether automated solutions are at least as safe as human operators. The paper presents a review and a problem analysis of conventional safety assessment methods applied by today’s ANSPs. Methods that link hypothetical risk-related hazard events with their associated combination of causal factors, referred to as risk factors, and potential operational consequences, such as the Bow-Tie diagram, are subject to several methodological limitations. These potentially undermine the quality of risk estimation related to automation that is foreseen for implementation.

The results of the review point to two areas. The first addresses risk factors that are related to the probability of an unsafe act in human-machine interaction and the resulting possibility of an accident. As described by James Reason’s Model of Accident Trajectory (Swiss Cheese Model), an accident is the result of a unique combination of latent failures, also referred to as risk factors, breaching the layers of defense. The interaction loop brings into play numerous new relationships between the internal states of automation, as well as associated functions, and the s

