Safety Nets: Primary or Secondary Defenses? Does it Matter?

1
Safety Nets Primary or Secondary Defenses?
Does it Matter?
Kathy H Abbott, PhD, FRAES Federal Aviation
Administration 7 June 2016
2
Safety nets come in several forms

• Safety nets can be
• People
• Alerting systems
• Automated systems
• Others

3
Alerting systems

• Examples include
• Ground proximity warning systems (GPWS)
• Terrain Awareness and Warning Systems (TAWS)
• Airborne Collision Avoidance System/ Traffic
  Collision Avoidance System (ACAS/TCAS)
• Takeoff configuration alerting
• Altitude alerting

4
These safety nets

• Have contributed to preventing accidents
• Are designed as secondary defense
• E.g., The intent of a TCAS is to serve as a
  backup to visual collision avoidance, application
  of right-of-way rules, and air traffic separation
  service.
• Advisory Circular 120-55c Air Carrier Operational
  Approval and Use of TCAS II

5
Although designed as secondary defenses, they are
sometimes (often?) used as primary

• Altitude alerter
• One thousand to go
• TCAS
• Do not deviate from an assigned clearance based
  only on TA information

6
Spanair Flight 5022 accident

• Probable cause
• The crew lost control of the aircraft as a
  result of a stall immediately after takeoff,
  which was caused by the incorrect plane
  configuration for take-off (i.e. not deploying
  the flaps and slats, following a series of errors
  and omissions), coupled with the absence of any
  warning of the incorrect configuration

7
Does it matter that secondary defenses are used
as primary?

• Inaction may result
• Skill degradation may be one consequence
• Action may be based on assuming that safety net
  is always there
• Regulatory approval assumes it is a secondary
  system
• Required reliability of secondary, backup systems
  may not be as high as it would be if its purpose
  was to be the primary safety net

8
Additional information is provided on displays BUT

• Because of design limitations, the bearing
  displayed by TCAS is not sufficiently accurate to
  support the initiation of horizontal maneuvers
  based solely on the traffic display.
• Because of the limitations that may exist with
  various display systems, the PF should not
  maneuver the aircraft based solely on the
  information shown on the TCAS display

9
Additional information is provided on displays BUT

• Required limitation in TAWS flight manuals
• Navigation must not be predicated upon the use
  of the TAWS

10
Safety nets

• Safety nets are a risk mitigation
• They might mitigate some risks but introduce
  others (e.g., go-arounds as a risk mitigation for
  unstable approaches)
• Unintended consequences

11
Risk Mitigations (in decreasing order of
effectiveness)

• Eliminate hazard
• Alter design
• Incorporate engineered features or safety devices
• Provide warning devices
• Incorporate signage, procedures, training

Decreasing effectiveness
Source MIL-STD-882E System Safety Handbook
12
Recommended Actions

• Safety nets should not be primary means of
  achieving a task. Training and operational
  procedures for pilots (or controllers) should
  address this point.
• Pilots (or controllers) should be made aware of
  the assumptions, limitations, and potential risks
  introduced by the safety nets
• Regulators (and others) should address the
  potential risks introduced by the safety nets.
  The  benefit of the safety net should be balanced
  against the risks introduced.

13
Concluding Remarks

• Avoidance of the hazard is the first preference
• Safety nets can help mitigate risks but may
  introduce different ones
• One should carefully consider both the intended
  and the unintended effects of implementing
  protection in sociotechnical systems.
• Source Denis Besnard, Erik Hollnagel. Some
  myths about industrial safety. 2012.
  lthal-00724098v1gt