Safety Case Activities in SHERPA Project
A. Fellner
Silesian University of Technology, Katowice, Poland

the International Journal on Marine Navigation and Safety of Sea Transportation, Volume 14, Number 3, September 2020
DOI: 10.12716/1001.14.03.14
http://www.transnav.eu

ABSTRACT: This paper has been issued in the framework of the SHERPA project under the Grant Agreement No 287246 with the GSA (European GNSS Agency). This document contains the main technical activities conducted by PANSA in the frame of the project's WP2000. The objectives of WP2000 are: to work towards the implementation of an LPV procedure at each of the scenarios; to develop EGNOS National Implementation Plans; to develop an EGNOS Regional Implementation Plan; to summarise EGNOS expected benefits in a single airport. Specifically, the objectives of this document are the technical activities conducted towards the implementation of an LPV procedure in a scenario: procedure design, safety assessment, business case, EGNOS service provision requirements. The first step shall be to describe the operational environment at the scenario, including the level of ATS provided, CNS equipment, the airport ground equipment, airspace and any procedures in place. The purpose of the operational description is to define the CONOPS specific to the airport. The Final FHA of LPV approaches is based on the Operational Model of LPV approaches in the ECAC Area, which clearly defined nominal operations prior to analysing degraded cases. For each operational action (performed by either system, human operator or jointly in the successive phases of flight), relevant failure modes were identified. Each failure mode was then analysed in turn in terms of examples of causes (to check its validity), operational consequences and mitigations, hazards, rough risk comparison against ILS operations and, when pertinent, recommendations in terms of risk reducing measures to be considered. The Safety Case Activities drawn up as part of the SHERPA project were accepted by GSA and EUROCONTROL. At present, an algorithm of action for designing and executing GNSS final approach procedures is in place.

1 INTRODUCTION
The first step shall be to describe the operational environment at the scenario, including the level of ATS provided, CNS equipment, the airport ground equipment, airspace and any procedures in place. The purpose of the operational description is to define the CONOPS specific to the airport. The objective is therefore to provide detailed information on the operational environment and compare it to.

2 LIST OF HAZARDS
The Final FHA of LPV approaches is based on the Operational Model of LPV approaches in the ECAC Area, which clearly defined nominal operations prior to analysing degraded cases. For each operational action (performed by either system, human operator or jointly in the successive phases of flight), relevant failure modes were identified. Each failure mode was then analysed in turn in terms of examples of causes (to check its validity), operational consequences and mitigations, hazards, rough risk comparison against ILS operations and, when pertinent, recommendations in terms of risk reducing measures to be considered. A more detailed view on the hazards identification method is provided in the next section, where the Final FHA table is described. In deviation from the SAM FHA guidance, a brainstorming FHA session bringing together the adequate operational and technical experts was not possible given the constraints of the project and the experts' availability. Consequently, the work was organized as follows:
1 In a first iteration, FHA tables were filled in by a safety expert, with support (questions/answers) from two technical experts;
2 Then several FHA working sessions were organized:
   - three half-day working sessions were held with 3 technical experts from an airframer, among which one has a solid operational background as well; and
   - one half-day working session was held with ANSP relevant specialists: 4 APP ATCO, one En-route ATCO and one technical expert.
During those working sessions, the operational model was first submitted to the experts for validation, and then the FHA as initiated by the safety expert was submitted for discussion and further development. As the FHA table was projected on screen, the conclusions of the discussions were recorded on-line on reaching agreement. Note that, as a mature operational concept is not yet available for LPV operations, a major effort (including the FHA working sessions) was spent to complete, refine and validate the operational model. The Final FHA table was submitted for review to a sub-set of RAFG participants and other relevant operational and technical experts. The main results of an intermediary version of the Final FHA and the open issues were submitted for validation by the operational and technical experts on the occasion of the Safety Assessment workshop mainly dedicated to the PSSA.
3 EVENT TREE ANALYSIS
The next step, which is the second part of the FHA, is to analyse the hazards with the help of event tree analysis. This methodology can be broken down into several steps:
1 Identify the hazard consequences and classify them according to severity of effects.
Table 1. Summary of consequences of hazards.
_______________________________________________
ID  Consequence                            Severity of effect
_______________________________________________
C1  Controlled Flight Into Terrain (CFIT)  Catastrophic (Severity 1)
C2  Landing accident                       Catastrophic (Severity 1)
C3  Mid-air collision                      Catastrophic (Severity 1)
C4  Missed approach                        Minor (Severity 4)
C5  Safe landing                           No effect
_______________________________________________
2 Identify mitigations and their effect. The probability of any hazard leading to a catastrophic event (accident) is affected by mitigations. Mitigations are potential barriers which can prevent a hazard from leading to an accident. It is proposed to fill in the following table:
Table 2. List of mitigations
__________________________________________________________________________________________________
ID   Mitigation                                    Max probability of failure
     Description
__________________________________________________________________________________________________
M1   Deviation is not towards obstacle             Warszawa 0.5; Katowice 0.5
     Aircraft can wrongly fly at a lower altitude than the approach procedure minima or can deviate from the approach path or MA procedure path. Thus the aircraft is at risk of CFIT. The mitigation of this risk is that there is no obstacle in that area and the approach/manoeuvre/MA can be finished safely. In the generic safety case, EUROCONTROL proposed value 0.5. The value for Warszawa and Katowice was set to 0.5, but further reduction is possible. Warszawa is not located in a mountainous area. In addition, the approach path is relatively obstacle free (this was included in the NPA GNSS approach safety assessment).
M2   Deviation is not towards another aircraft     Warszawa 0.05; Katowice 0.05
     Aircraft can wrongly deviate from the approach path or MA procedure path. Thus the aircraft is at risk of mid-air collision. The mitigation of this risk is that there is not any traffic in the vicinity of the aircraft on approach, hence the deviation is not towards another aircraft. In the generic case EUROCONTROL used value 0.05. The value for Warszawa, due to the crossing RWY, is being reviewed, and the Katowice-specific value is consistent with this. Probability of deviation towards another aircraft depends on multiple parameters (e.g. airport and runways configuration, departure routes structure, etc.). Although it could be fairly assumed that the probability of having two aircraft in the same airspace with conflicting trajectories is much lower than the probability to converge to obstacles, the proposed value for flying towards an aircraft is Q = 0.05.
M3   Missed Approach (MA) timely initiated and correctly executed     Warszawa 0.5; Katowice 0.5
     The aircraft may deviate from the final approach path (vertically or laterally), air crew may detect some FAS errors or can fail to establish visual contact with the RWY above DA, and thus will initiate MA to avoid CFIT or landing accident. EUROCONTROL used probability value of 0.5 in the generic safety case.
M4   Approach is stabilising                       Warszawa 0.1; Katowice 0.1
     Air crew can fail to laterally intercept the final approach path or aircraft can be too high before FAWP. In such situation, air crew can decide to intercept the final approach path from above, in violation of the normal procedure. On deciding to capture the glide slope from above, the flight crew have some confidence of succeeding. However, this manoeuvre involves a certain risk that the crew will not be able to stabilise the aircraft path. The mitigation is that the crew is able to stabilise the aircraft (intercept the final approach path, decelerate to extend flaps and landing gear) on time and land safely. EUROCONTROL's probability of failure of this mitigation is 0.1. The value for Warszawa and Katowice is consistent with it.
M5   Aircraft is in right position for landing     Warszawa 0.5; Katowice 0.5
     Crew may decide to descend below DA without visual. This involves a risk of CFIT. However, if the aircraft manages to descend safely to an altitude where visual contact is established, it can be in the right position for landing. EUROCONTROL's probability of failure for this mitigation is 0.5. The value for Warszawa and Katowice is consistent with it. The value for this mitigation reflects the degree of information available by this time. According to EUROCONTROL, when further information is collected, this figure might evolve.
M6   Recovery with visual cues                     Warszawa 0.5; Katowice 0.5
     Proximity to terrain, obstacle or another aircraft can be recovered by the flight crew via visual cues by launching a MA or avoidance manoeuvre. The effectiveness of this mitigation depends on a number of factors, such as weather, day/night, airport lighting, surrounding vicinity lighting, etc. For this reason the probability of failure has to be rather conservative and is consistent with EUROCONTROL's assumption in the generic safety case. The difference in airport lighting is in favour of Warszawa, so the value could be further decreased.
M7   Recovery with visual cues specific to missed approach (H8)     Warszawa 0.1; Katowice 0.1
     Proximity to terrain, obstacle or another aircraft can be recovered by the flight crew via visual cues by launching a MA or avoidance manoeuvre and is assumed to be 0.5 for M8 when the aircraft is on the final approach path. Note that the M7 mitigation during MA is considered five times more efficient than on the final approach path. On final approach, guidance is very accurate and has a high integrity. One can assume that the crew will trust this and therefore will monitor the final path itself less. During missed approach, the crew is aware of the route to fly, and of the fact that precision is lower than on final approach. Also, as the route is not converging towards a known point, the crew will be more involved in the navigation process than it was during final approach. Therefore, failure of recovery via on-board detection of incorrect MA path execution is assumed to be 0.1 and is consistent with EUROCONTROL's probability of failure.
M8   Recovery via aircrew detection onboard        Warszawa 0.5; Katowice 0.5
     Recovery via aircrew detection onboard mitigates risk resulting from deviating from the correct final approach path or MA path. Some deviations are noticeable (e.g. magnetic heading differs from what is expected, too high or too low vertical speed, abnormal engine thrust settings, sudden deviation due to some discontinuity); others cannot be determined, and deviations at the end of the FAS in particular are the most dangerous. Aircrew might detect discrepancies with respect to the chart by monitoring the distance to threshold (displayed to pilots), which allows them to roughly estimate if the current height is right (about 300 ft resolution) compared to the altitudes on the charts. With regard to these various means, a rough probability of 0.5 for recovery via aircrew detection was defined. This is in line with EUROCONTROL's probability of failure.
M9   Recovery via ATC radar detection              Warszawa 0.5; Katowice 0.5
     The ATCO detection that an aircraft flies low while intercepting the final approach path strongly depends on the size of the vertical deviation and the distance to the runway. A 1000 ft Mode C deviation at 8 Nm away from the runway should attract his attention. Based on that, the adopted probability for detection and recovery is 0.5.
M10  External conditions (runway dry or long, luck...)     Warszawa 0.01; Katowice 0.01
     Even when the aircraft is not in perfect landing conditions above the runway threshold, this should not necessarily lead to a landing accident: the probability that external conditions (runway dry or long, luck...) favour collision is 0.01. In both cases the value was consistent with EUROCONTROL's probability of failure.
__________________________________________________________________________________________________
3 Analyse the hazard consequences with the use of event trees, in order to allow assessing the risk associated with those hazards. Once the analysis is done, it is proposed to States to provide the final conclusion for each of the hazards by means of the following table:
Table 3. Summary of event trees analysis
_______________________________________________
ID   General conclusion / Consequence / Frequency
_______________________________________________
H3   General conclusion: No additional barriers as to EUROCONTROL FHA identified. The safety nets were not included in this calculation.
     Consequence: CFIT (catastrophic). Frequency: Warszawa 0.125; Katowice 0.125.
H4   General conclusion: No additional barriers as to EUROCONTROL FHA identified. The safety nets were not included in this calculation.
     Consequence: Landing accident (catastrophic). Frequency: Warszawa 0.00025; Katowice 0.00025.
H6   General conclusion: No additional barriers as to EUROCONTROL FHA identified. The safety nets were not included in this calculation.
     Consequence: CFIT (catastrophic). Frequency: Warszawa 0.125; Katowice 0.125.
H7   General conclusion: No additional barriers as to EUROCONTROL FHA identified. The safety nets were not included in this calculation.
     Consequence: CFIT (catastrophic). Frequency: Warszawa 0.125; Katowice 0.125.
     Consequence: Landing accident (catastrophic). Frequency: Warszawa 0.125; Katowice 0.125.
H8   General conclusion: No additional barriers as to EUROCONTROL FHA identified. The safety nets were not included in this calculation.
     Consequence: CFIT (catastrophic). Frequency: Warszawa 0.0025; Katowice 0.0025.
     Consequence: Mid-air collision (catastrophic). Frequency: Warszawa 0.00025; Katowice 0.00025.
_______________________________________________
4 Establish the TLS - identify relevant categories of accidents and find the target level of safety for each of these accidents. It is proposed to fill in the following table:
Table 4. Summary of LPV TLSs
_______________________________________________
Accident type                            LPV TLS
_______________________________________________
Controlled Flight Into Terrain (CFIT)    1 x 10^-8
Landing accident                         1 x 10^-10
Mid-air collision                        2 x 10^-7
_______________________________________________
5 Allocate safety objectives - allocate the TLS from step 1 for each type of accident to individual hazards by using risk tree analysis. Risk trees for individual accident categories shall be prepared. Allocation has to be done by apportioning the TLS among the branches that compose each risk tree. Then, the Safety Objectives will determine the allocation of Safety Requirements to system elements in the fault tree analysis. Using the probabilities coming from the previous section:

$SO_{HX} = \left( \frac{TLS_{accident}}{\prod Q} \right) C$   (1)

where:
Q are the event probabilities in sequences initiated by Hazard X that end up in the applicable accident;
C is the allocation chosen for each branch of the trees.
The candidate Safety Objectives for each accident shall be presented in the next table (a new table must be generated for each accident):
Table 5. Candidate safety objectives for CFIT
_______________________________________________
Hazard         Candidate Safety Objective                       Contribution of the branch to CFIT TLS
_______________________________________________
H3             1.6e-8                                           20%
H4             Not applicable - Hazard does not lead to CFIT    -
H6             1.6e-8                                           20%
H7             1.6e-8                                           20%
H8             1.6e-8                                           20%
_______________________________________________
Safety margin  2e-9                                             20%
_______________________________________________
Table 6. Candidate safety objectives for landing accident
_______________________________________________
Hazard         Candidate Safety Objective                       Contribution of the branch to the landing accident TLS
_______________________________________________
H3             Not applicable - Hazard does not lead to LA      -
H4             2.67e-4                                          33%
H6             Not applicable - Hazard does not lead to LA      -
H7             5.33e-7                                          33%
H8             Not applicable - Hazard does not lead to LA      -
_______________________________________________
Safety margin  5.67e-8                                          33%
_______________________________________________
Table 7. Candidate safety objectives for MAC
_______________________________________________
Hazard         Candidate Safety Objective                       Contribution of the branch to the MAC TLS
_______________________________________________
H3             Not applicable - Hazard does not lead to MAC     -
H4             Not applicable - Hazard does not lead to MAC     -
H6             Not applicable - Hazard does not lead to MAC     -
H7             Not applicable - Hazard does not lead to MAC     -
H8             2e-7                                             50%
_______________________________________________
Safety margin  5e-11                                            50%
_______________________________________________
6 Derive final Safety Objectives: when one hazard has more than one ultimate consequence (i.e. contributes to more than one type of accident), the most constraining objective has to be kept. Please fill in the following table:
Table 8. Final safety objectives
__________________________________________________________________________________________________
ID   Title / Consequences / SO in environment
__________________________________________________________________________________________________
H3   Fly low while intercepting the final approach path. SO in environment: 1.6e-8.
     Consequences: Missed approach if detected. Safe landing if undetected and barriers work. CFIT if undetected and barriers fail.
H4   Attempt to intercept the final approach path from above. SO in environment: 2.66e-4.
     Consequences: Missed approach or safe landing if barriers work. CFIT if barriers fail.
H6   Failure to follow the correct final approach path. SO in environment: 1.6e-8.
     Consequences: Missed approach or safe landing if detected and/or barriers work. CFIT if undetected and barriers fail.
H7   Descending below DA without visual. SO in environment: 4e-9.
     Consequences: Missed approach if detected. Safe landing if barriers work. Landing accident if deviation is not towards obstacle but other barriers fail. CFIT if undetected and in case deviation is towards obstacle.
H8   Failure to execute correct missed approach. SO in environment: 2e-7.
     Consequences: No major impact on safety if detected and corrected; the ultimate result would be missed approach or safe landing. CFIT if all barriers fail and deviation is towards obstacle. MAC if all barriers fail and deviation is towards aircraft.
__________________________________________________________________________________________________
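Steps 2 to 6 above, carried through in code as an added worked example (it is not code from the SHERPA project): the barrier failure probabilities of Table 2, the sequence frequencies of Table 3, the TLSs of Table 4 and the branch allocations C of Tables 5 to 7 are the paper's values, equation (1) gives the candidate objectives, and step 6 keeps the most constraining one per hazard. The barrier sequence used to rebuild the H3 frequency from Table 2 is an assumption, since the event trees themselves (Annex IV) are not on the page; the H3 -> CFIT candidate reproduces the 1.6e-8 of Table 5, the remaining table entries are the paper's own and are not re-derived here.

```python
"""Event-tree allocation of Safety Objectives (Section 3, steps 2 to 6).

Added worked example, not code from the SHERPA project.  Table 2's maximum
failure probabilities, Table 3's sequence frequencies, Table 4's TLSs and
the branch allocations C of Tables 5 to 7 are the paper's values.  The
barrier sequence used to rebuild the H3 frequency is an assumption: the
event trees themselves (Annex IV) are not on the page.
"""
from typing import Dict, List, Tuple

# Table 2: maximum probability of failure of each mitigation (Warszawa
# values; the Katowice values on the page are identical).
BARRIER_FAILURE = {"M1": 0.5, "M2": 0.05, "M3": 0.5, "M4": 0.1, "M5": 0.5,
                   "M6": 0.5, "M7": 0.1, "M8": 0.5, "M9": 0.5, "M10": 0.01}

# Table 4: target level of safety per accident type.
TLS = {"CFIT": 1e-8, "Landing accident": 1e-10, "Mid-air collision": 2e-7}

# Table 3 "Frequency": product of the event probabilities Q along each
# hazard-to-accident sequence (Warszawa values).
SEQUENCE_FREQUENCY = {
    ("H3", "CFIT"): 0.125,
    ("H4", "Landing accident"): 0.00025,
    ("H6", "CFIT"): 0.125,
    ("H7", "CFIT"): 0.125,
    ("H7", "Landing accident"): 0.125,
    ("H8", "CFIT"): 0.0025,
    ("H8", "Mid-air collision"): 0.00025,
}

# Tables 5 to 7: allocation C of each accident TLS to its hazard branches.
ALLOCATION = {
    ("H3", "CFIT"): 0.20, ("H6", "CFIT"): 0.20,
    ("H7", "CFIT"): 0.20, ("H8", "CFIT"): 0.20,
    ("H4", "Landing accident"): 1 / 3, ("H7", "Landing accident"): 1 / 3,
    ("H8", "Mid-air collision"): 0.50,
}

# ASSUMED sequence H3 -> CFIT: ATC radar detection (M9), aircrew detection
# (M8) and "deviation is not towards obstacle" (M1) all fail: 0.5^3 = 0.125.
H3_CFIT_SEQUENCE = ["M9", "M8", "M1"]


def sequence_frequency(failed_barriers: List[str]) -> float:
    """prod(Q) for one event-tree sequence in which every listed barrier fails."""
    q = 1.0
    for barrier in failed_barriers:
        q *= BARRIER_FAILURE[barrier]
    return q


def candidate_safety_objective(hazard: str, accident: str) -> float:
    """Equation (1): SO_HX = (TLS_accident / prod(Q)) * C."""
    key = (hazard, accident)
    return TLS[accident] / SEQUENCE_FREQUENCY[key] * ALLOCATION[key]


def final_safety_objectives() -> Dict[str, Tuple[str, float]]:
    """Step 6: a hazard with several ultimate consequences keeps the most
    constraining (lowest) candidate; returns {hazard: (driving accident, SO)}."""
    final: Dict[str, Tuple[str, float]] = {}
    for hazard, accident in ALLOCATION:
        so = candidate_safety_objective(hazard, accident)
        if hazard not in final or so < final[hazard][1]:
            final[hazard] = (accident, so)
    return final


if __name__ == "__main__":
    print(f"H3 -> CFIT sequence frequency: {sequence_frequency(H3_CFIT_SEQUENCE)}")
    for hazard, (accident, so) in sorted(final_safety_objectives().items()):
        print(f"{hazard}: SO = {so:.3g} (driven by {accident})")
```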
4 FAULT TREE ANALYSIS
The fault tree analysis consists in apportioning the Safety Objectives of each hazard into Safety Requirements on elements of the system. In other words, one fault tree analysis has to be done for each of the hazards identified in Table. The fault tree analysis contains all the causes that can potentially lead to the hazard. States are expected to develop the fault trees and perform the associated qualitative and quantitative analyses.
The probability of occurrence of each of the causes must be combined as specified by the developed fault tree (sequence of AND and OR functions) to obtain the final probability of occurrence for each hazard. Obviously, the probability of occurrence shall be lower than the applicable Safety Objective. In case the Safety Objective is not met, it is necessary to define additional:
- Safety Requirements (SR), which define additional functions to those already mentioned in the nominal case; or
- Integrity Requirements (IRs), which define the level of performance of certain elements and functions.
To summarise the final results of the fault tree analysis, it is proposed to States to fill in the following table:
Table 9. Summary of all hazards' achieved probability of occurrence
_______________________________________________
Hazard ID  Safety Objective  Achieved probability of occurrence    Objective met
_______________________________________________
H3         1.6e-8            Idem (according to Eurocontrol PSSA)  Yes
H4         2.66e-4           Idem (according to Eurocontrol PSSA)  Yes
H6         1.6e-8            1.84e-6                               No
H7         4e-9              Idem (according to Eurocontrol PSSA)  Yes
H8         2e-7              Idem (according to Eurocontrol PSSA)  Yes
_______________________________________________
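The AND/OR combination of cause probabilities and the comparison against the Safety Objective described in this section, as an added example that is not code from the SHERPA project. Only the gate rules and the H6 Safety Objective of Table 9 (1.6e-8) are taken from the page; the H6 fault tree below, its causes and their probabilities are constructed for illustration and are not the paper's fault tree, and the second tree shows the effect of assumed Integrity Requirements tightening two of those causes.

```python
"""Fault-tree combination of cause probabilities against a Safety Objective
(Section 4).  Added example, not code from the SHERPA project.  The AND/OR
rules and the H6 Safety Objective (1.6e-8, Table 9) are from the page; the
H6 tree, its causes and their probabilities are CONSTRUCTED for illustration.
"""
from typing import Tuple, Union

# A node is either a basic-event probability (leaf) or a gate tuple
# ("AND", child, ...) / ("OR", child, ...) whose children are nodes.
Node = Union[float, Tuple]


def evaluate(node: Node) -> float:
    """Top-event probability, assuming independent basic events.
    AND gate: product of the child probabilities.
    OR gate: 1 - prod(1 - p_i), the exact union; the rare-event sum
    p_1 + p_2 + ... is an upper bound that is only close for small p_i."""
    if isinstance(node, (int, float)):
        return float(node)
    gate, *children = node
    probs = [evaluate(child) for child in children]
    if gate == "AND":
        result = 1.0
        for p in probs:
            result *= p
        return result
    if gate == "OR":
        survive = 1.0
        for p in probs:
            survive *= 1.0 - p
        return 1.0 - survive
    raise ValueError(f"unknown gate {gate!r}")


def rare_event_sum(node: Node) -> float:
    """Rare-event approximation of one OR gate: plain sum of its children.
    Kept only to contrast with the exact evaluate() result."""
    gate, *children = node
    if gate != "OR":
        raise ValueError("rare-event sum applies to an OR gate")
    return sum(evaluate(child) for child in children)


def objective_met(tree: Node, safety_objective: float) -> bool:
    """Section 4 acceptance check: achieved probability <= Safety Objective."""
    return evaluate(tree) <= safety_objective


SAFETY_OBJECTIVE_H6 = 1.6e-8  # Table 9, per approach

# CONSTRUCTED H6 tree (assumed causes and per-approach probabilities).
H6_TREE = ("OR",
           ("AND", 1e-5, 0.1),    # undetected guidance error AND crew does not notice
           2e-6,                  # wrong final approach segment data loaded
           ("AND", 1e-4, 1e-3))   # avionics failure AND no usable fallback

# Same structure after assumed Integrity Requirements tighten the first two
# causes; only the basic-event probabilities change.
H6_TREE_WITH_IR = ("OR",
                   ("AND", 1e-7, 0.05),
                   5e-9,
                   ("AND", 1e-5, 1e-4))

if __name__ == "__main__":
    for name, tree in (("H6 baseline", H6_TREE), ("H6 with IRs", H6_TREE_WITH_IR)):
        print(f"{name}: P = {evaluate(tree):.3g}, "
              f"objective met: {objective_met(tree, SAFETY_OBJECTIVE_H6)}")
```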
5 CONSEQUENCES ANALYSIS
Consequences analysis involves identifying the sequences of events initiated by an OH, defined by the success/failure of a series of barriers or other relevant events and ending up in the unacceptable end consequences (accidents like CFIT, MAC and landing accident) that are usually used in the NAV domain. TLS-DNV clarifies what events are covered by these accident categories:
- Mid-air collision is where two aircraft come into contact with each other while both are airborne. This includes any in-flight collision between an aircraft and another flying vehicle, whether commercial, military or general aviation, including microlights, hang-gliders, gliders and balloons. It excludes collisions caused by hostile attack (i.e. terrorism, hijack, sabotage or military attack) but includes collisions caused in all other ways. This is consistent with the CAST/ICAO common terminology for mid-air collision;
- Controlled flight into terrain (CFIT) is an in-flight collision with terrain, water or another obstacle without prior loss of control. This excludes intentional flight into terrain/buildings due to hostile attack. It also excludes cases where the aircraft lands short or to one side of the runway (covered under landing accidents). It includes cases where the CFIT follows or is caused by an in-flight disruption such as a fire or engine failure, provided that flight control is maintained. This is consistent with the CAST/ICAO occurrence category "controlled flight into or toward terrain";
- Landing accidents include all types of accidents during the landing phase of flight (see below), other than collision. This includes abnormal runway contacts (e.g. hard landings, gear-up landings), loss of control on the runway (e.g. due to wind-shear or surface contamination), runway incursions (e.g. by animals, vehicles or people, but not aircraft), runway excursions (e.g. veer-off, overrun) and off-runway touchdown (e.g. undershoot, overshoot and offside touchdown). It includes external causes (e.g. snow/ice/rain and wind-shear), technical causes (e.g. gear failure) and human causes (e.g. flight crew misjudgements). It includes cases where the landing accident follows or is caused by an in-flight disruption such as a fire or engine failure, provided that sufficient control is maintained to attempt a normal or emergency landing. It includes cases where the landing accident is followed by collision with another aircraft outside the runway. There is no specific CAST/ICAO equivalent for this term.
The consequences analysis is performed using the Event Trees, but only the event sequences relevant for the safety assessment (which determine the Safety Objectives) are shown in the subsequent tables. The full Event Trees, providing a graphical representation of all the sequences of events developing subsequently to an operational hazard (OH) occurrence and their final outcomes, are provided in Annex IV. Rough probability values will be assumed for the occurrence of the events/barriers, based on field feedback experience, expert judgement and other qualitative considerations that will be duly justified. In a first version of the FHA, the efficiency of the ground and airborne safety-net equipage was considered as a potential barrier to prevent accidents. In the final version of the FHA it no longer influences the safety objectives determination process. Meanwhile, its impact on the consequences analysis is provided for information in Annex V.
REFERENCES
APV SBAS Approach - Concept of Operations, CONOPS, 2009;
Operational and Functional model of LPV approaches in the ECAC area, OFM-LPV 2.0, 2007;
Draft Guidance Material for the Implementation of RNP APCH Operations, PBN TF6 WP06 Rev 1, 05/01/2012;
SHERPA Grant Agreement, Grant number 287246;
EASA - AMC 20-26: Airworthiness Approval and Operational Criteria for RNP AR Operations;
EASA - AMC 20-27: Airworthiness Approval and Operational Criteria for RNP APPROACH (RNP APCH) Operations Including APV BARO VNAV Operations;
EASA - Helicopters Deploy GNSS in Europe (HEDGE) project documentation;
EATMP Navigation Strategy for ECAC;
EGNOS Introduction in European Eastern Region (MIELEC) project documentation;
EUR Document 001/RNAV/5: Guidance Material Relating to the Implementation of European Air Traffic Management Programme;
FAA - AC 20-105: Approval Guidance for RNP Operations and Barometric Vertical Navigation in the U.S. National Airspace System;
FAA - AC 20-129: Airworthiness Approval for Vertical Navigation (VNAV) Systems for Use in the U.S. National Airspace System (NAS) and Alaska;
FAA - TSO C146A: Stand-Alone Airborne Navigation Equipment Using the Global Positioning System Augmented by the Wide Area Augmentation System (WAAS);
FAA - TSO C145A: Airborne Navigation Sensors Using the Global Positioning System (GPS) Augmented by the Wide Area Augmentation System (WAAS);
Fellner A., SHERPA-PANSA-NMA-D11EP Issue 01-00, EGNOS Poland Marked Analysis, 2012;
Fellner A., SHERPA-PANSA-NSR-D21EP, 2014;
ICAO Annex 10;
ICAO Doc 8168 PANS-OPS;
ICAO Doc 9613 PBN Manual;
ICAO Doc 9905 RNP AR Procedure Design Manual;
ICAO Doc 7754 European Region Air Navigation Plan;
ICAO European Region Transition Plan to CNS/ATM;
ICAO Global Air Navigation Plan for CNS/ATM Systems, Doc 9750.