PRELIMINARY SAFETY CASE FOR ADS-B AIRPORT SURFACE SURVEILLANCE APPLICATION PSC ADS-B-APT


EUROPEAN ORGANISATION FOR THE SAFETY OF AIR NAVIGATION (EUROCONTROL)

PRELIMINARY SAFETY CASE FOR ADS-B AIRPORT SURFACE SURVEILLANCE APPLICATION (PSC ADS-B-APT)

Edition: 1.2
Edition Date: November 2011
Status: Released Issue
Class: General Public

CASCADE PROGRAMME


DOCUMENT IDENTIFICATION SHEET

DOCUMENT DESCRIPTION
Document Title: Preliminary Safety Case for ADS-B Airport Surface Surveillance Application
Edition: 1.2
Edition Date:
Abstract: This Preliminary Safety Case documents the results of the EUROCAE ED-163/RTCA DO-321 Safety Performance and Interoperability Requirements Document for the ADS-B-APT Application (ADS-B surveillance on aerodrome surfaces). This document aims at being an input to ANSPs to produce their own local Safety Case for the implementation of ADS-B-APT.
Keywords: Preliminary Safety Case; CASCADE Programme; Safety Argument; Safety Evidence; ESARR-4; Aerodrome control service; Safety Target; Safety Objective; ADS-B-APT; Airport ADS-B
Contact Person: Gilbert CALIGARIS, +32.(0)
Business Division: DNM/COO/DC/SCC

DOCUMENT STATUS
STATUS (Working Draft / Draft / Proposed Issue / Released Issue): Released Issue
CATEGORY: Executive Task / Specialist Task / Lower Layer
CLASSIFICATION (General Public / Restricted): General Public

ELECTRONIC BACKUP
INTERNAL REFERENCE NAME: CASCADE ADS-B-APT Preliminary Safety Case v1.2

Edition: 1.2 Released Issue Page i

DOCUMENT CHANGE RECORD

The following table records the complete history of the successive editions of the present document.

| EDITION | DATE | TRACK OF CHANGES | SECTIONS / PAGES AFFECTED |
|---|---|---|---|
| | /08/2010 | First issue: safety argument structure | All |
| | /01/2011 | Sections 1 to 6 completed; Logical Model defined and described. Section 10 completed | All |
| | /02/2011 | Safety requirements introduced into Section 7.5. Section 10.7 modified to be consistent. Sections 7.6 and 7.7 completed. Sections 9 and 12 worked on. Terminology tables added | All |
| | /02/2011 | Document updated from sections 1 to 6 following internal review and comments. Section 1.8 completed. Section rewritten and completed. Logical Model figures updated. Requirements traceability table started (Annex H) | Sections 1 to 6; Sections 7.3, 7.3.5; Annex H |
| | /03/2011 | Document cleaned up and changes accepted for 1st SRC review | All |
| | /04/2011 | March SRC review comments integrated. Annexes G and H added. Section 8 completed; Sections 9 and 10 ready for 1st review. Guidance material added in section | All |
| | /05/2011 | April SRC review comments integrated. Section 15 added. Annex F added. Further fine-tuning of the document | All |
| | /06/2011 | May SRC review comments integrated. Completion of all sections. Addition of an annex on the event tree sensitivity analysis | All |
| 1.0 | June 2011 | Released issue that passed a Safety Regulatory Review Process conducted by representatives of National Supervisory Authorities/States within the SRC Coordination Group acting on behalf of the Safety Regulation Commission | All |
| 1.1 | June 2011 | Released issue that passed a Safety Regulatory Review Process conducted by representatives of National Supervisory Authorities/States within the SRC Coordination Group acting on behalf of the Safety Regulation Commission | All (editorial changes) |
| 1.2 | November 2011 | Updates following SRC-CG review | Executive summary, sections 1.1 & 15 |

TABLE OF CONTENTS

DOCUMENT IDENTIFICATION SHEET ... 1
DOCUMENT CHANGE RECORD ... 2
TABLE OF CONTENTS ... 3
TABLE OF TABLES ... 8
TABLE OF FIGURES ... 10
EXECUTIVE SUMMARY ... 12
INTRODUCTION
  - Background
  - Aim
  - Intended Audience
  - Scope
  - Definition of General Terms Used in This Document
  - Next Step towards a Local Safety Case
  - Reference and Applicable Documents
  - Document Layout
OVERALL SAFETY ARGUMENT (ARG 0)
  - Claim
  - Typical Operational Environment Description
    - The Manoeuvring Area
    - The Apron
    - Airport Characteristics
    - Traffic Characteristics
    - Visibility Conditions
    - Airspace Class ... 14
    - 2.2.7 Equipage Rate
  - Safety Criterion
  - Strategy for Decomposing the Claim
ATC SERVICE DEFINITION (ARG 1)
  - Strategy for Demonstrating Arg
  - Aerodrome Control Service Description (Arg 1)
ADS-B-APT DESIGN (ARG 2)
  - Strategy for Demonstrating Arg
  - Strategy for Decomposing Arg
APPROPRIATE SAFETY TARGETS DERIVATION (ARG 2.1)
  - Safety Target
  - Safety Target
DESIGN SATISFACTION OF SAFETY TARGETS (ARG 2.2)
  - Strategy for Decomposing Arg
LOGICAL DESIGN DESCRIPTION (ARG 2.2.1)
  - Safety Target
  - Strategy for Decomposing Arg
  - Description of the ADS-B-APT Logical Design (Arg )
    - Operational Procedures to Support the Provision of the ATC Services
    - Interactions between Human Actors and Interfacing Equipments
    - Technical Surveillance Data Items on the Air Traffic Controllers Interface
    - Surveillance Functions
    - Performance Characteristics
  - Differences Between ADS-B-APT and Reference Designs and Reconciliation (Arg )
    - Differences at Operational Procedures Level
    - Differences at Controller and Flight Crew Interfaces Level
    - Differences at Functional Level
  - ADS-B-APT Safety Requirements (Arg )
    - Safety Requirements on Mobile Domain Elements: Aircraft
    - Safety Requirements on Mobile Domain Elements: Ground Vehicle
    - Safety Requirements on Ground Domain Elements
  - External Elements (Arg ) ... 73
    - 7.6.1 Air-Ground Communication Systems
    - Other Airborne Systems
    - GNSS Signal-in-Space (External Positioning Source)
    - Other Ground Systems
    - Other ATS Units
  - Conclusions on Arg Logical Design Derivation
ADS-B-APT DESIGN CORRECTNESS (ARG 2.2.2)
  - Strategy for Arg
  - Data Items at Interface D
  - Conclusions on Arg Design Correctness
LOGICAL DESIGN ROBUSTNESS (ARG 2.2.3)
  - Safety Targets
  - Strategy for Decomposing Arg
  - Reaction to Abnormalities of the Environment (Arg )
    - Capacity Overload
    - Extreme Weather
    - Unequipped/Uncertified Mobiles
    - Solar Phenomena
  - Reaction to Abnormalities of External Systems (Arg )
    - Air-Ground Communication Failures
    - Other Airborne Systems
    - GNSS Signal-in-Space Failures
    - Other Ground Systems Failures
    - Other ATS Units
  - Conclusions on Arg Design Robustness
MITIGATION OF INTERNAL FAILURES (ARG 2.2.4)
  - Safety Targets
  - Strategy for Decomposing Arg
  - Hazards Identification (Arg )
  - Hazards Effect Assessment and Severity Assignment (Arg )
    - Hazards Effect Assessment
    - Severity Assignment
    - Safety Requirements and Assumptions related to the Event Tree Analysis
    - Determination of Pe values
  - Determination of Safety Objectives (at equipment level) (Arg )
  - 10.6 Hazards Causes Identification and Internal Mitigation Means (Arg )
    - Hazard Causes
    - Internal Mitigation Means
  - Safety Requirements and Assumptions related to Fault Trees Analysis (Arg )
    - Safety Requirements and Assumptions on Mobile Domain Elements
    - Safety Requirements and Assumptions on Ground Domain Elements
    - Safety Assumptions on External Elements
  - Safety Objectives Achievement
  - Conclusions on Arg Internal Failures
LOGICAL DESIGN REALISM (ARG 2.3)
  - Strategy
  - Validation of Design Requirements and Assumptions
TRUSTWORTHINESS OF THE EVIDENCE FOR THE LOGICAL DESIGN (ARG 2.4)
  - Strategy
  - Approach and Methods for Design
ASSUMPTIONS, ISSUES AND LIMITATIONS
  - Assumptions
  - Outstanding Safety Issues for Local Specification and Design
  - Limitations
CONCLUSIONS
REFERENCES
GLOSSARY
ANNEX A HAZARD CLASSIFICATION MATRIX
ANNEX B ORGANIZATIONS INVOLVED IN SPECIFICATION OF ADS-B-APT
ANNEX C GOAL STRUCTURING NOTATION LEGEND
ANNEX D FULL GSN STRUCTURE FOR ADS-B-APT
ANNEX E DETAILS ON SAFETY TARGET ST
ANNEX F GNSS GROUND MONITORING FUNCTION
ANNEX G HUMAN TASKS
ANNEX H CHOICE OF A REFERENCE SYSTEM FOR THIS PSC
ANNEX I LOW SPEED COLLISION EFFECT ANALYSIS
ANNEX J REQUIREMENTS TRACEABILITY TO ED
ANNEX K SUMMARY OF GUIDANCE MATERIAL

TABLE OF TABLES

Table 1. Terminology from ED-163 Used in the PSC ... 2
Table 2. Top-Down Safety Targets for the ADS-B-APT System ... 28
Table 3. Bottom-Up Consolidated Risk for the ADS-B-APT System ... 28
Table 4. Terminology from ED-163 Used in Section
Table 5. Operational Surveillance Data Items on the ATCo Interface ... 42
Table 6. Operational Data Items on the FC Interface ... 43
Table 7. Technical Surveillance Data Items on the ATCo Interface ... 44
Table 8. ADS-B-APT Functions in the ADS-B Ground Domain ... 47
Table 9. ADS-B-APT Functions in the ADS-B Mobile Domain ... 48
Table 10. ADS-B Performance Parameters at Interface E
Table 11. ADS-B Performance Parameters at Interface D ... 54
Table 12. Differences at Operational Surveillance Data Items Level ... 59
Table 13. FC Related Requirements and Assumptions ... 62
Table 14. FC Interface Related Requirements ... 62
Table 15. GNSS On-board Receive Function Safety Requirements and Assumptions ... 63
Table 16. Pressure Source Requirements and Assumptions ... 64
Table 17. Identity, Emergency Data and SPI Source Requirements ... 64
Table 18. Aircraft ADS-B Function Safety Requirements ... 65
Table 19. ADS-B Mobile Domain Safety Assumptions ... 66
Table 20. Vehicle Operator Related Assumptions ... 66
Table 21. Vehicle Operator Interface Related Assumptions ... 67
Table 22. Vehicle ADS-B Function Safety Requirements ... 67
Table 23. ATCo Procedures Requirements and Assumptions ... 68
Table 24. ATC Surveillance Data Display Function Requirements and Assumptions ... 69
Table 25. Ground ADS-B Surveillance Processing Function Requirements ... 69
Table 26. Ground ADS-B Receive Function Requirements ... 70
Table 27. ADS-B Ground Domain Requirements and Assumptions ... 70
Table 28. Interoperability Requirements for Data Items at D ... 81
Table 29. Possible Abnormal Modes for Equipage of Mobiles ... 86
Table 30. Terminology from ED-163 Used in Section
Table 31. ADS-B-APT Hazards ... 95
Table 32. List of Assumptions and Requirements Used in the Event Trees ... 98
Table 33. ADS-B-APT Hazards Effects, Severity, Pe and EMM & EC and SO for all Hazards ... 103
Table 34. Mobile Domain Hazard Contributions of Continuity Failures
Table 35. ADS-B Mobile Domain Requirements and Assumptions
Table 36. ADS-B Ground Domain Requirements and Assumptions
Table 37. GNSS Horizontal Position Source Assumptions
Table 38. Safety Objectives versus Top Event Results
Table 39. Compliance with ESARR-4 Section
Table 40. Assumptions of the PSC
Table 41. Safety Issues of the PSC
Table 42. Limitations of the PSC
Table 43. Hazards Classification Matrix (from ED-78A/DO-264)
Table 44. Terminology from ED-163 Used in Annex E
Table 45. ATM Safety Targets
Table 46. Safety Targets and Total Number of Hazards at ATM Level
Table 47. Consolidated Bottom-Up ADS-B-APT Risk per Severity Class
Table 48. GNSS Ground Monitoring Function
Table 49. ADS-B-APT GNSS Ground Monitoring Function Requirements and Assumptions ... 151
Table 50. Terminology Used in Annex G
Table 51. Conclusions of Sensitivity Analysis
Table 52. Traceability to ED-163 SPR.#
Table 53. Traceability to ED-163 IR.#
Table 54. Traceability to ED-163 ASSUMP.#
Table 55. New Safety Requirements
Table 56. ADS-B-APT PSC Guidance Material

TABLE OF FIGURES

Figure 1. Illustration of Generic Characteristics of the Typical OE versus Local OE Characteristics ... 6
Figure 2. Decomposition of Argument 0 (Claim) ... 11
Figure 3. Barrier Model for ATM ... 15
Figure 4. Decomposition of Argument
Figure 5. Definition of Phases Composing Aerodrome Control Service ... 20
Figure 6. ICAO PANS ATM Doc 4444, Figure
Figure 7. Decomposition of Argument
Figure 8. Decomposition of Argument
Figure 9. Decomposition of Argument
Figure 10. Strategy for Addressing Arg
Figure 11. ADS-B-APT Logical Model ... 34
Figure 12. Reference Logical Model ... 35
Figure 13. Limiting Case of Physical Characteristics of Scenarios Analysed in the SPR ... 51
Figure 14. Along Track Forward Error Bounds (With Respect to Source Position 95% Error Radius Ra for Stationary Target with Speed Error 1 m/s 95%) ... 52
Figure 15. Decomposition of Argument
Figure 16. Abnormalities to Assess for ADS-B-APT System Robustness ... 84
Figure 17. Decomposition of Argument
Figure 18. OSA Process Overview ... 92
Figure 19. Full GSN Structure for ADS-B-APT
Figure 20. Chapter 8 PANS-ATM ATS Surveillance Services
Figure 21. Sensitivity Analysis in OH01u Event Tree
Figure 22. Sensitivity Analysis in OH03u-B Event Tree


15 EXECUTIVE SUMMARY What is ADS- B-APT about? The Claim ADS-B (Automatic Dependent Surveillance Broadcast) is a surveillance technique that relies on aircraft periodically broadcasting its parameters, such as identity, position and other onboard information. ADS-B is automatic in the sense that, provided that the transponder has been turned on, no flight crew (FC) or air traffic controller (ATCo) action is required for the surveillance information to be transmitted from the aircraft at regular intervals. It is dependent surveillance in the sense that the surveillance-type information so obtained depends on the suitable position source and broadcast capability. This signal can be captured on the ground for surveillance purposes (ADS-B OUT) or on board other aircraft for air traffic situational awareness (ADS-B IN) and airborne separation assistance. The EUROCONTROL Co-operative ATS through Surveillance and Communication Applications Deployed in ECAC (CASCADE) Programme coordinates the implementation of Wide Area Multilateration (WAM) applications and the Automatic Dependent Surveillance-Broadcast (ADS-B) applications related to the Package I [Ref.2]of ground and airborne based surveillance applications. Part of the EUROCONTROL CASCADE Programme, ADS-B-APT (ADS-B Airport Surface Surveillance application) will enhance aerodrome operations by adding ADS-B surveillance to an aerodrome with no surveillance equipment and providing the controller with a display to view the surveillance data. This will provide enhancement to aerodrome control services in a way similar to the introduction of a Surface Movement Radar (SMR). ADS-B-APT may also be introduced at an aerodrome equipped with an SMR that is intended to be decommissioned. Note: The cases where ADS-B surveillance is used to support Area and Approach Control Service is addressed through other ADS-B applications, namely ADS-B in Non Radar Areas (ADS-B-NRA)[Ref.16] and ADS-B in Radar Areas (ADS-B-RAD [Ref.17]). 
The purpose of this Preliminary Safety Case (PSC) is to demonstrate that the ADS-B-APT system, i.e. the use of ADS-B surveillance information to augment SMGCS procedures to provide an aerodrome control service, will be acceptably safe. Associated to the Claim, this PSC focuses on the provision of ADS-B surveillance and does not cover the addition to an already existing surveillance system (e.g. Multilateration or SMR). ADS-B-APT can in principle support all Air Traffic Services (ATS) performed on an aerodrome surface, but as detailed in the Claim, the aerodrome control service, i.e. the Air Traffic Control (ATC) service for aerodrome traffic, was selected for defining the ADS-B- APT requirements. This choice was done assuming that if the ADS-B-APT system (encompassing procedures, people and equipment) can support the ATC service, then these requirements will be sufficient to support the other less demanding air traffic services (e.g. alerting service) from a surveillance perspective. Preliminary standing for By definition a safety case is built on a set of Arguments, i.e. statements set out hierarchically claiming that something is true, along with supporting Evidence showing that the Argument is valid. Goal Structuring Notation - GSN is often used, and it is the case here, for graphically representing this Argument/Evidence structure. The high-level safety Argument structure proposed in this safety case covers all the safety lifecycle steps, from the development of the ADS-B-APT system, to bringing it into service and maintaining it throughout its operational life. This safety case is preliminary in that it only addresses the design stage of the ADS-B- APT system development (identification of the related safety requirements) considering Edition: 1.2 Released Issue Page xiii

16 typical operating environment characteristics. The PSC does not include implementation, transition and in-service related issues. At whom is this PSC aimed? This Preliminary Safety Case for ADS-B-APT passed a Safety Regulatory Review Process conducted by representatives of National Supervisory Authorities/States within the SRC Coordination Group acting on behalf of the Safety Regulation Commission. The SRC Position Paper [Ref.22] is the formal output of the review of the PSC. Implementers are encouraged to take account this document, and other guidance information, as support and input to Implementers and States when using this PSC as a basis to develop their Local Safety Case (LSC). The aim of this PSC is to be an input to the Air Navigation Service Providers (ANSPs) to produce their own full safety cases (in accordance with the requirements of the local regulator) for a local implementation of ADS-B-APT. ANSPs wishing to implement the ADS-B-APT system on their airport surface should consider the information and processes presented in this PSC. These may be re-applied to assist the local implementation of ADS-B-APT should there be a need to perform additional analysis to take local implementing conditions into consideration, and in particular for the development of the LSC (see Section 1.6). In order to facilitate the task of the ANSPs, guidance on the specification and design issues considered in this document that need to be reviewed and reconsidered for local implementation are directly included in the corresponding sections of the document in form of Guidance Material Boxes. Sixty guidance material elements have been specifically developed. Existing related and applicable standards As a means of supporting European ANSPs in optimising their implementation of the ADS-B-APT system, several standards and procedures have been specifically developed. 
In particular, the EUROCAE/RTCA ED-163/DO-321 joint standard [Ref.1] provides the minimum operational, safety and performance requirements (SPR) and the interoperability (INTEROP) for the implementation of the ADS-B-APT system. This joint standard was developed, based on ED-78A [Ref.8] guidance and SAM [Ref.5] methodology, by the Requirement Focus Group - RFG. This working group represents a large panel in Air Traffic Management and Aviation expertise, bringing a large number of perspectives, in particular from industry, and consists of members from FAA, EUROCONTROL, RTCA and EUROCAE with participation of AirServices Australia, NAV Canada and Japan, providing technical and operational expertise to RFG activities. The PSC document gathers the results from the RFG work, as well as results from some other standards and related activities (ICAO annexes and documents, EASA reference documents, other EUROCONTROL work and standards, etc.), in order to provide appropriate and sufficient Evidence to demonstrate the Claim through the proposed Arguments. The information presented in this PSC has been in some cases adapted and summarized from its original form in order to obtain a coherent and simplified document. It is however important to note that the PSC does not supersede all assumptions and results made in the reference documents, in particular those from ED-163. Acceptably safe with respect to what? The ADS-B-APT system is defined as all the elements allowing the use of ADS-B surveillance to augment SMGCS procedures to provide an aerodrome control service. In this PSC, all the elements of the end-to-end ADS-B-APT system are considered, i.e., the aerodrome design, people, procedures and equipment, including ground-based, airborne, vehicle and space-based elements. And the main purpose is to demonstrate that Edition: 1.2 Released Issue Page xiv

17 From baseline proposed change to it is acceptably safe. But what does acceptably safe mean? The safety broader approach (as named in SAME Part 2 [Ref.15]) applied in the safety case addresses both the positive (success approach) and the negative (failure approach) contribution of the ADS-B-APT system to the related ATM risk. A safety criterion used to define acceptably safe is a comparative approach in which it is requested that the risk of an accident/incident for the ATC service supported by the ADS- B-APT system is no greater than when supported by a system with no surveillance equipment ( Reference system ). As part of the strategy adopted to assess the ADS-B-APT system, a comparison is made to a Reference system. This comparison is made considering the same Operational Environment (OE) for both systems characterized by the type of airport, the procedures in place and the means available for the controller to perform the aerodrome control services. The main assumptions made on the operational conditions both for the Reference system and the ADS-B-APT system are listed hereafter: The analysis considers that all mobiles (ground vehicles and aircraft, excluding rotorcraft) are visible by the Ground Domain (in the Reference system, the ATCo has visual on all mobiles; with ADS-B, 100% certified 1 equipage and coverage on the manoeuvring area is assumed); Visual observation is the primary means of obtaining and maintaining situational awareness for the controller (though augmented by ADS-B surveillance in the ADS- B-APT system) and on which control decisions are based. 
Aid memoirs, VHF voice communications, paper strips and other equivalent tools are also available in both Reference and ADS-B-APT systems; SMGCS procedures are applied; The aerodrome layout considered is simple to complex with many taxiways, possibly multiple terminals and aprons and possibly multiple runways, but limited up to two active runways at a time; Aerodromes with reference code numbers/letters of 3D or 4C or higher have been considered, with respect to the minimum dimensions of runways, taxiways and holding positions. This includes a minimum runway width of 45m. Visibility conditions 1 to 3 are considered; The air traffic characteristics in visibility conditions 1 and 2 are assumed to be in the order of movements per hour for a single runway configuration, and up to 35 total aerodrome movements per hour for multiple runway configurations. The capacity of the active runway is assumed to be reduced to 15 movements per hour in visibility conditions 3. For a single controller operation the maximum number of mobiles on the frequency at the same time has been assumed to be in the order of 8. In visibility conditions 3, this peak of controller workload is assumed to be reached only 10% of the time. These assumptions are to be interpreted as assumptions made for the purpose of this analysis, and are not meant to limit the scope of the implementation of the ADS-B-APT system. The Arguments to To specify that ADS-B-APT is safe, an overall Claim is made stating that the ADS-B-APT system is acceptably safe, and this Claim is then broken down into a set of safety Arguments each supported by rationales and Evidence, such that the Claim may be 1 It is recognised that ground vehicles are not certified, but the term is used in a broader sense see definition of certified in Table 1. Edition: 1.2 Released Issue Page xv

18 demonstrate considered to be valid if (and only if) the Evidence shows each Argument to be true. The aim of the PSC is to show that an acceptable level of safety is achieved for the design and specification of the ADS-B-APT system. As such, the two principal Arguments that are addressed herein are that the ADS-B-APT system, at service level, has been specified to be acceptably safe - Argument 1 - and the fact that the system is designed to be acceptably safe - Argument 2. For Argument 1, constructing the Evidence consists in describing the ATC service referred to in this ADS-B application and in stating that there is no change when this service is supported by the Reference system (i.e. with no surveillance equipment) or by the ADS-B-APT system (i.e. with ADS-B surveillance) in the operating conditions considered in the assessment. Argument 2 consists in demonstrating that all necessary safety requirements have been captured at system design level to safely provide the service described in the previous Argument, taking into account nominal conditions, abnormal conditions as well as system failure cases. These safety requirements can be found from Sections 7 to 10 of this document. In Argument 2, safety targets are set for the ADS-B-APT system in line with the safety criterion presented above, i.e. to represent that the risk of incidents or accidents arising from the ADS-B-APT system is no higher than for the Reference system, and that this risk is within an appropriate portion of the ATM Target Level of Safety (TLS) as defined by ESARR-4 [Ref.6] and ED-125 [Ref.10] Risk Classification Schemes (RCS). 
In nominal conditions, the strategy adopted to define the corresponding safety requirements is, in line with the safety criterion presented above, a direct comparison between the Reference system and the ADS-B-APT system, in terms of operational procedures and tasks to be done, operational and technical data items used by the system, functions provided by each element of the system and their corresponding performances. Requirements for the external elements to the ADS-B-APT system are considered as well as requirements derived to ensure the robustness and resilience of the ADS-B-APT system vis-à-vis of failures or non-specified behaviour of external elements or events. In nominal conditions, ADS-B surveillance is considered to be only used, as an augmentation to SMGCS procedures, by the controllers to apply the aerodrome control service. Regarding ADS-B-APT system non nominal conditions, a risk assessment of potential internal failures of the ADS-B-APT system (parts of the system related to ADS-B) is conducted to assess the integrity of the system design, providing the related safety requirements mitigating the associated risk and ensuring that the safety targets allocated from ESARR-4 [Ref.6] and ED-125 [Ref.10] are satisfied. In non nominal conditions, in addition to system failures, the non-nominal use of the system has been taken into account and it has been considered that the controller may, from time-to-time, use the surveillance data on its own to issue a clearance if certain conditions prevail. Safety activities are conducted to show that the Evidence provided is trustworthy, i.e. that it can be relied upon, in terms of sound process, correctly applied by competent personnel to obtain them. It is also necessary to show that the safety requirements are realistic in the sense that they are verifiable and that they are capable of being satisfied in a typical implementation. 
and the Evidence provided In addressing these Arguments, the Evidence presented in the first part of the PSC (specification related Argument) sets out the concerned ATC service (unchanged for Reference and ADS-B-APT systems) described as per ICAO PANS-ATM doc 4444 [Ref.3] Edition: 1.2 Released Issue Page xvi

19 and Annex 11 [Ref.12]. In the second part of the PSC (Argument 2), the Evidence provided shows that the system is designed to be acceptably safe. For the safety targets, the apportionment from the ATM to the aerodrome surveillance level has been done based on ESARR-4 [Ref.6] and ED-125 [Ref.10] leading to acceptable risks related to ADS-B-APT (per hazard) no higher than: 3.33E-10 per flight hour for accidents; 6.67E-08 per flight hour for serious incidents; 3.33E-07 per flight hour for major incidents; 1.30E-05 per flight hour for significant incidents. These figures are calculated based on the characteristics of the OE considered, in which the unit flight hour corresponds to the amount of time a mobile is operating on the manoeuvring area of an airport. An ambition factor of 10 has been applied to the ESARR- 4 TLS in order to ensure that the system is future-proofed (against unknown environmental characteristics in the future) and that subjective expert judgement is given margin of error in the assessment done. In addition, a bottom-up risk calculation has been performed a posteriori when considering the safety assessment of ED-163. These results, presented in the following table, show that ADS-B-APT only takes a limited portion of the entire ATM risk (see 4 th column). Severity class i ATM ST [flight.h] Consolidated Bottom Up ADS-B-APT risk [ flight hour] % for APT Severity 1 1E E % Severity 2 1E E % Severity 3 1E E % Severity 4 1E E % All necessary safety requirements are presented in the document: safety requirements on data items provided and display features for the controller (e.g. related to the horizontal position data and its related quality indicator for each mobile), on new functions (e.g. ADS- B data processing onboard the mobile and in the ADS-B Ground Domain) and related performance (e.g. latency) as well as requirements on how ADS-B-APT should be used (e.g. not for guidance purposes, but only for situational awareness). 
Finally, a certain number of assumptions have been made and validated, mainly concerning the performance of external elements (e.g. GNSS integrity) and human actions (e.g. detection by the controller of incorrect information on the display).

All these results have been obtained based on the RFG working approach. The large number of RFG participants, the variety of perspectives (US, Europe, etc.), the involvement of operational people (controllers and pilots) and the number of ANSPs, including future European implementers, are all elements which demonstrate that the RFG brought the key competence needed to apply the methodologies and approaches mentioned and to show that all the safety requirements are achievable in a generic implementation of the ADS-B-APT system.

Safe? Yes, but taking into account that:

This PSC concludes that the ADS-B-APT system, i.e. the use of ADS-B surveillance information to augment SMGCS procedures to provide an aerodrome control service, is acceptably safe, subject to the satisfaction of the requirements mentioned before but also to the caveats highlighted here:

- The PSC is limited to generic aspects, i.e. to a typical ATC service and to the typical design of the ADS-B-APT system in typical operational environments.
- The PSC only addresses the design stage of the application. It does not address the implementation, transition and in-service stages of the safety lifecycle. Human factors, being closely related to the implementation, are out of the scope of the PSC.
- The PSC defines a service (aerodrome control service) taking place in a typical operational environment supported by an ADS-B-APT system, which is derived by comparison with a Reference situation with no surveillance equipment.
- The ADS-B surveillance is limited to the manoeuvring area and just beyond it to allow for track initiation, and does not extend fully into the apron area (e.g. fingers/gate area). Therefore, the use of surveillance to augment SMGCS procedures for the delivery of the service within the apron area is not in scope.
- Grassed areas within the manoeuvring area and other protected areas within the manoeuvring area (e.g. around navigation aids) have not been analysed and are therefore out of scope.
- In the PSC, a line was drawn between nominal use (the success case), when the surveillance is used as an augmentation of SMGCS without surveillance (and therefore always with visual observation as the main means of surveillance), and non-nominal use (the failure case), when ATCos may break the procedures and base some decisions on the surveillance only.
- GNSS has been identified as the sole source of horizontal position data and of its corresponding quality indicator. Alternative positioning sources are not covered by this document.
- This PSC corresponds to a specific design in which ADS-B surveillance is the only technical surveillance source presented to the ATCos. The case where ADS-B information is used as a supplement to a Surface Movement Radar (SMR) is out of the scope of this document.
- Security issues, such as those related to intentional or deliberate interference with or disturbance of the ADS-B surveillance system, are out of the scope of this analysis.
- It is important to highlight that the analysis only considers mobiles that are equipped and certified for ADS-B-APT, hence the two following statements:
  - ADS-B-APT is not designed as an A-SMGCS compliant system. As such, it is recognised that the ADS-B-APT system is not specifically designed to assist in the detection of intruders, as they are not authorised and/or not ADS-B-APT equipped. For the analysis, it is assumed that the risk of an intruder is linked to the effectiveness of the security measures implemented at the local airport and is not related to surveillance.
  - The proportion of ADS-B-APT equipped mobiles is an issue that needs to be addressed locally by each ADS-B-APT implementer, should there not be 100% equipage in the local environment.
- Both aircraft and authorised vehicles have been included in the scope of this PSC; however, the specific operation of rotorcraft (such as air taxiing) has not been included and is out of scope.
- Flight crew utilising ADS-B IN equipment have not been considered in the analysis.
- The safety effects of the hazards caused by the ADS-B-APT system considered in this analysis are assumed to involve at least two mobiles, where at least one of the mobiles is an aircraft.
- The horizontal position accuracy, as required in this PSC and in ED-163, needs to be less than or equal to 10 m. The most straightforward way to ensure this requirement would be to receive a position accuracy qualifier of NACp = 10. However, it is recognised that there are some limitations in obtaining NACp = 10 with high availability, at least in today's environment. Therefore, this PSC includes recommendations in Annex F to cover this possible limitation through the use of an additional function (GNSS ground monitoring function).
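The accuracy caveat above is the one point in the executive summary that a ground-system implementer turns directly into a check: a received report may only be presented as a qualified ADS-B-APT target if its NACp indicator implies a 95% horizontal position uncertainty within 10 m, with a GNSS ground monitoring function as the Annex F style fallback when NACp = 10 is not available. The following is an added illustration of such a gate, not code from the PSC, ED-163 or any ANSP system. The NACp to EPU table is the DO-260B one; the report field names, the ground-monitor hook, the "accept NACp 9 when the ground monitor attests" rule and the sample traffic are assumptions made for this example.

```python
"""Quality-indicator gate for ADS-B-APT surface surveillance reports.

Added illustration; not code from the EUROCONTROL PSC, ED-163 or any ANSP
system. The NACp -> 95% EPU table is the DO-260B one. The report field names,
the ground-monitor hook and the decision rule are assumptions for this example.
"""
from __future__ import annotations

from dataclasses import dataclass

# NACp value -> 95% horizontal Estimated Position Uncertainty bound in metres
# (DO-260B). Code 0 means "unknown or worse than 10 NM".
NACP_EPU_M = {
    0: float("inf"), 1: 18520.0, 2: 7408.0, 3: 3704.0, 4: 1852.0,
    5: 926.0, 6: 555.6, 7: 185.2, 8: 92.6, 9: 30.0, 10: 10.0, 11: 3.0,
}

APT_ACCURACY_REQUIREMENT_M = 10.0  # horizontal accuracy required by the PSC and ED-163


@dataclass
class SurfaceReport:
    """Minimal decoded ADS-B OUT report (assumed field names, not a standard layout)."""
    icao24: str
    callsign: str
    nacp: int


def epu_bound_m(nacp: int) -> float:
    """95% EPU bound implied by a NACp value; undefined codes (12-15) are treated as worst case."""
    return NACP_EPU_M.get(nacp, float("inf"))


def meets_apt_accuracy(report: SurfaceReport, ground_monitor_ok: bool = False) -> tuple[bool, str]:
    """Decide whether one report satisfies the <= 10 m horizontal accuracy requirement.

    Assumed decision rule, modelled on the PSC's Annex F idea of a GNSS ground
    monitoring function as a mitigation when NACp = 10 is not available:
      1. NACp >= 10: the mobile asserts EPU < 10 m, accept on the indicator alone.
      2. NACp == 9 and the ground monitoring function currently attests that the
         local GNSS solution is within 10 m: accept, and say why, so that the
         display can flag the report as ground-monitor dependent.
      3. Otherwise reject.

    NACp is self-reported by the mobile and 1090ES ADS-B carries no message
    authentication, so this is a performance gate, not a trust decision; the
    PSC leaves deliberate interference out of scope.
    """
    epu = epu_bound_m(report.nacp)
    if epu <= APT_ACCURACY_REQUIREMENT_M:
        return True, f"NACp={report.nacp} implies EPU<{epu:g} m"
    if report.nacp == 9 and ground_monitor_ok:
        return True, "NACp=9 accepted on GNSS ground monitoring attestation"
    if epu == float("inf"):
        return False, f"NACp={report.nacp}: accuracy unknown, requirement not met"
    return False, f"NACp={report.nacp} implies EPU<{epu:g} m, requirement not met"


def qualified_callsigns(reports: list[SurfaceReport], ground_monitor_ok: bool = False) -> list[str]:
    """Callsigns whose reports may be presented as qualified ADS-B-APT targets."""
    return [r.callsign for r in reports if meets_apt_accuracy(r, ground_monitor_ok)[0]]


# Constructed sample traffic (not real data): addresses and callsigns are made up.
SAMPLE_REPORTS = [
    SurfaceReport("4840D6", "KLM1234", nacp=11),
    SurfaceReport("3C6444", "DLH2AB", nacp=10),
    SurfaceReport("400A1B", "BAW77", nacp=9),   # only usable with ground monitoring
    SurfaceReport("A1B2C3", "OPS01", nacp=8),   # airport vehicle, EPU < 92.6 m only
    SurfaceReport("000000", "UNKN", nacp=0),    # accuracy unknown
]

if __name__ == "__main__":
    for gm in (False, True):
        print(f"ground monitor ok={gm}: {qualified_callsigns(SAMPLE_REPORTS, gm)}")
```

Run stand-alone, the sample traffic yields two qualified targets without the ground monitor and three with it; the reason string is what a local implementation would carry through to the controller display or to the surveillance data recording, so that a report accepted only on the ground-monitor path is distinguishable after the fact.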

1 INTRODUCTION

1.1 BACKGROUND

ADS-B (Automatic Dependent Surveillance-Broadcast) is a surveillance technique (see definition in Table 1) that relies on aircraft periodically broadcasting their parameters, such as identity, position and other onboard information. ADS-B is automatic in the sense that, provided that the transponder has been turned on, no flight crew (FC) or air traffic controller (ATCo) action is required for the surveillance information to be transmitted from the aircraft at regular intervals. It is dependent surveillance in the sense that the surveillance-type information so obtained depends on a suitable position source and broadcast capability. This signal can be captured on the ground for surveillance purposes (ADS-B OUT) or on board other aircraft for air traffic situational awareness (ADS-B IN) and airborne separation assistance.

ADS-B-APT (ADS-B Airport Surface Surveillance) is a programme undertaken by EUROCONTROL as part of the Co-operative ATS through Surveillance and Communication Applications Deployed in ECAC (CASCADE) Programme, which coordinates the implementation of Wide Area Multilateration (WAM) applications and of the Automatic Dependent Surveillance-Broadcast (ADS-B) applications related to Package I [Ref.2] of ground and airborne based surveillance applications. A total of nine ADS-B applications have been dealt with by CASCADE so far. More details on these ADS-B applications can be found in the EUROCAE ED-163/RTCA DO-321 joint standard [Ref.1].

The ADS-B-APT system is described as all the elements (people, procedures and equipment) that allow SMGCS procedures to be augmented to provide an aerodrome control service, where the aerodrome control service is defined as the Air Traffic Control (ATC) service applied to aerodrome traffic (see Table 1).

Note: in the rest of this document, the term ATC refers to the aerodrome control service and excludes the Area or Approach Control Services, which are not part of ADS-B-APT (see ADS-B-RAD [Ref.17] and ADS-B-NRA [Ref.16]).

The principal objective of ADS-B-APT is to utilise ADS-B surveillance to augment the visual scanning methods and the controller/flight crew or controller/vehicle operator radio communications that are nominally used to support SMGCS procedures on airport surfaces that currently have no surveillance equipment, thereby supporting safe operations and enhancing the efficiency, predictability and, in some cases, the capacity of surface operations at controlled airports. The ADS-B-APT system will enhance aerodrome operations by providing the controller with a display of the airport layout (showing as a minimum the runway and taxiway boundaries) and the positions of the mobiles on the manoeuvring area, along with the surveillance data associated with those mobiles (at a minimum position, identification, altitude for airborne aircraft, and discrete emergency codes), where the term mobile refers to an aircraft or a ground vehicle circulating on the manoeuvring area.

Note: The case where ADS-B surveillance is used to support the Area and Approach Control Services is addressed through other ADS-B applications, namely ADS-B in Non Radar Areas (ADS-B-NRA) and ADS-B in Radar Areas (ADS-B-RAD).

Benefits will be seen through the improvement of the controllers' situational awareness, leading to an improvement in decision making, anticipation and selection of the most efficient surface movement, particularly during Low Visibility Operations (LVO). Although LVO will still be in place during reduced visibility, the introduction of a surveillance system that brings data about the mobiles on the manoeuvring area, such as their position, identity information (see definition in Section 7.3), mobile-derived direction indication (also supported while the mobile is stationary) and pressure altitude (particularly useful for on-ground status determination), all combine to enable the controller to augment situational awareness and support a more efficient flow of traffic.

Although not targeted from a quantitative perspective, the implementation of the ADS-B-APT system may also bring safety benefits during LVO/night operations, where controllers may detect potentially unsafe situations developing which might not otherwise have been detectable.

The following terminology is used throughout this document:

Table 1. Terminology from ED-163 Used in the PSC

Aerodrome control service: Air traffic control service for aerodrome traffic.

Aerodrome traffic: All traffic on the manoeuvring area of an aerodrome and all aircraft flying in the vicinity of an aerodrome.

Air traffic services: A generic term meaning variously flight information service, alerting service, air traffic advisory service and air traffic control service (area control service, approach control service or aerodrome control service).

Air traffic control service: A service provided for the purpose of (a) preventing collisions between aircraft, and on the manoeuvring area between aircraft and obstructions, and (b) expediting and maintaining an orderly flow of air traffic.

Apron: A defined area on a land aerodrome, intended to accommodate aircraft for the purposes of loading or unloading passengers, mail or cargo, fuelling, parking or maintenance.

Certified equipage: ADS-B equipment which is in line with the mobile requirements sections of this document and which has been certified through the EASA Certification Specification material (CS-A-CNS [Ref.11], to be published in line with the European Commission SPI-IR). Note: it is recognised that no official certification process exists for vehicles. In this document, the term certified is still used for vehicles, meaning that the equipment is in line with the vehicle requirements sections of this document.

Hazard: Any condition, event or circumstance which could lead to an operational effect (e.g. incident and/or accident).

Identification (when supported by surveillance equipment): The ICAO general procedures used to identify aircraft using identity information, through the correlation of a known aerodrome movement call-sign with the target of that mobile on the display of the surveillance system.

Intruders: Mobiles not transmitting ADS-B data or not using certified ADS-B equipment, and without approval or clearance for operations on the airport surface.

Low visibility operations (LVO): The set of low visibility procedures applied whenever conditions are such that all or part of the manoeuvring area cannot be visually monitored from the control tower.

Manoeuvring area: That part of an aerodrome to be used for the take-off, landing (extended up to 200 ft above ground level) and taxiing of aircraft, excluding aprons. Note: the term "on the manoeuvring area" does not include the movement of vehicles operating between taxiways and runways on grassed areas or areas not accessible to aircraft; the management of these areas is as per the procedures that exist in the reference environment. Note: the ICAO definition of manoeuvring area includes only the airport surface; it has been extended to 200 ft above ground level for completeness of the analysis, to extend the coverage of ADS-B-APT.

Mobile: Generic term used when no distinction is necessary between aircraft (excluding rotorcraft) and ground vehicles that circulate on, or in the vicinity of, the airport surface.

Operational effect: The potential ultimate result of an operational hazard. The severity of an operational effect is reduced by external mitigations when they are available.

Qualified mobile: A mobile transmitting ADS-B OUT data that meet the related requirements and assumptions defined in this document.

Visibility conditions:
- Visibility condition 1 (VIS 1): Visibility sufficient for the flight crew to taxi and to avoid collision with other traffic on taxiways and at intersections by visual reference, and for personnel of control units to exercise control over all traffic on the basis of visual surveillance.
- Visibility condition 2 (VIS 2): Visibility sufficient for the flight crew to taxi and to avoid collision with other traffic on taxiways and at intersections by visual reference, but insufficient for personnel of control units to exercise control over all traffic on the basis of visual surveillance.
- Visibility condition 3 (VIS 3): Visibility sufficient for the flight crew to taxi but insufficient for the flight crew to avoid collision with other traffic on taxiways and at intersections by visual reference, and insufficient for personnel of control units to exercise control over all traffic on the basis of visual surveillance. For taxiing this is normally taken as visibilities equivalent to a Runway Visual Range (RVR) of less than 400 m but more than 75 m.
- Visibility condition 4 (VIS 4): Visibility insufficient for the flight crew to taxi by visual guidance only. This is normally taken as an RVR of 75 m or less.
Note 1: The above visibility conditions apply to both day and night operations.
Note 2: Reduced visibility refers to visibility conditions insufficient for personnel of control units to exercise control over all traffic on the basis of visual surveillance (corresponding to visibility conditions 2, 3 and 4).

Risk: The combination of the probability or frequency of occurrence of a defined operational hazard and the severity/magnitude of the effects of the occurrence.

Safety target: Statement that defines the overall (i.e. ATM) maximum frequency or probability at which an operational effect of a given severity class can be tolerated to occur.

Severity class: Qualitative classification of the severity of operational effects. The severity class is used to determine the hazard class based on the hazard's effects on operations.

SMGCS: Surface Movement Guidance and Control Systems: systems providing routing, guidance, surveillance and control to aircraft and affected vehicles in order to maintain movement rates under all local weather conditions within the Aerodrome Visibility Operational Level (AVOL) whilst maintaining the required level of safety.

1.2 AIM

The aim of the ADS-B-APT Preliminary Safety Case (PSC) is to demonstrate that the ADS-B-APT system, i.e. the use of ADS-B surveillance information to augment SMGCS procedures to provide an aerodrome control service, has been designed to be acceptably safe (see Section 2.3 for the corresponding safety criteria) through the identification of all the related safety requirements. This PSC particularly focuses on the ATC service on the manoeuvring area (2).

As a means of supporting European Air Navigation Service Providers (ANSPs) in optimising their implementation of the ADS-B-APT system, several standards and procedures have been developed. In particular, the EUROCAE ED-163/RTCA DO-321 joint standard [Ref.1] provides the minimum operational, safety and performance requirements (SPR) and interoperability requirements (INTEROP) for the implementation of the ADS-B-APT system.

This PSC documents the results of this assessment, as well as results from some other standards and related activities, as input to the ANSPs to produce their own local full safety cases in accordance with the requirements of the local regulator. This PSC covers both the airborne (mobile) and the ground elements. This PSC derives the most demanding ADS-B avionics requirements through consideration of the most stringent case, i.e. the ATC service as defined in this document (3).

This document identifies all the airborne and ground safety requirements using the tag SAFxxx. Safety requirements are mainly identified in Sections 7 to 10 of this document. In addition, the Assumptions, Issues and Limitations identified throughout this document are labelled Axxx, Ixxx and Lxxx, and the corresponding justifications, implications or related actions required are identified in Section 13 (Assumptions, Issues and Limitations).

Note: The term Limitation used in this document refers to the limitation of the scope of the ADS-B-APT system assessed (e.g. analysis limited to GNSS as the sole positioning source, etc.) and does not restrict the definition of local ADS-B-APT systems, for which additional analyses may have to be performed.

This preliminary safety case for ADS-B-APT passed a Safety Regulatory Review Process conducted by representatives of National Supervisory Authorities/States within the SRC Coordination Group, acting on behalf of the Safety Regulation Commission. The SRC Position Paper [Ref.22] is the formal output of the review of the PSC. Implementers and States are encouraged to take account of that document, and of other guidance information, as support and input when using this PSC as a basis to develop their Local Safety Case (LSC).

(2) The operations analysed occur on the manoeuvring area; the effects of the hazards analysed occur on the manoeuvring area.
(3) In the context of this document, the term ATC service implies the ATC service for aerodrome traffic, also referred to as the aerodrome control service (see Table 1 in Section 1.1).

1.3 INTENDED AUDIENCE

The intended audience for this document consists of the stakeholders responsible for implementing the ADS-B-APT system locally. It will help them to conduct their national and/or local safety assessments for the ADS-B-APT implementation. This will include the ANSPs. National Safety Authorities (NSAs) are also concerned, as they will need to ensure safety oversight of changes to functional systems (as per EC 1315/2007 [Ref.18]), based, amongst other things, on the local implementation safety Argument and Evidence provided by the ANSPs.

More specifically, the safety requirements, assumptions, limitations and issues, together with the accompanying Guidance Material (GM) derived in this PSC, should be considered by the various stakeholders as follows:

- Mobile Domain (4) safety requirements and assumptions (in line with the EUROCAE ED-163/RTCA DO-321 joint standard [Ref.1] mobile requirements) are used as input to the development of the certification material (ADS-B OUT Certification Specification (CS) [Ref.11], under development at the time of issue of this document). Should the local implementation require an amendment of these requirements, this change would need to be justified through the LSC activities. The national regulator will also have to ensure that these requirements and assumptions have been implemented during Arg 3 (implementation phase).
- Ground Domain (4) safety requirements, assumptions, limitations and issues, together with the accompanying guidance material derived in this PSC, should be considered by the ANSPs when conducting their own LSC.

(4) See the logical model of the ADS-B-APT system in Figure 11 for a representation of the Mobile and Ground Domains.