The FAA is steadfastly focused on safety as it modernizes the National Airspace System (NAS) through NextGen.
The FAA's safety program is guided by its Safety Management System (SMS), an agency-wide approach that directs the management of modernization initiatives. The benefits of new capabilities cannot be at odds with the safe operation of the NAS. The FAA has many processes to ensure that flying remains a safe mode of transportation. The SMS requires FAA organizations to establish guidance for their own activities.
The NextGen organization follows the guidance of the Air Traffic Organization's SMS, as they are the main implementer and user of NextGen capabilities and systems. However, in order to meet its own needs, NextGen leadership has directed the development of an ANG-specific SMS manual; clearly defining processes and providing guidance to address NextGen's unique SMS requirements, such as NAS enterprise-level safety risk-assessment methodologies for Risk Based Decision Making (RBDM), research and development, and test and evaluation. The manual is tentatively scheduled for publication in 2019.
The SMS emphasizes safety management as a fundamental business process to be considered with the same priority as other aspects of business management. The SMS provides:
- A safety promotion framework to support a positive safety culture
- A structured means of Safety Risk Management (SRM) decision making
- Increased confidence in risk management through a structured safety assurance process
- An effective interface for knowledge sharing between regulator and certificate holder
- A measurable monitoring plan that identifies precursors before system failures occur
The essential idea of the SMS is to provide a systematic approach to achieving acceptable levels of safety risk. The SMS includes four functional components:
- Safety policy: Establishes senior management's commitment to continually improve safety and defines the methods, processes, and organizational structure necessary to meet safety goals
- Safety assurance: Verifies the organization meets or exceeds its safety performance objectives, and functions systematically to determine the effectiveness of safety risk controls through the collection, analysis, and assessment of information
- SRM: Complementing safety assurance, SRM is a process that describes a system and identifies hazards; analyzes, assesses, and controls risk; and defines strategies for monitoring safety risk
- Safety promotion: Includes training, communication, and other actions to create a positive safety culture in all levels of the workforce
Integrated Safety Risk Management
NextGen Safety (1:13)
Young Lee, NextGen Enterprise Safety Manager, talks about Integrated Safety Risk Management.
NextGen is at the forefront of introducing new technologies into the NAS. NextGen must also be a leader in applying SRM to those new capabilities. The interconnected nature of NextGen presents complex safety challenges that call for an integrated approach to SRM. It requires a strategy that eliminates gaps in safety analysis by assessing all aspects of equipment, operations, and procedures. While traditional SRM typically focuses on the individual systems or system modifications to the NAS, the principles of NextGen's integrated systems safety look at a wider perspective of exploring and preventing unacceptable safety risk associated with integration and interactions between various NAS components.
Integrated Safety Risk Management (ISRM) explores safety risk from a NAS enterprise framework to identify potential safety gaps inherent in NextGen capabilities. It identifies safety issues by assessing risk across organizational, system, and program boundaries, and relies strongly on FAA-wide collaboration to capture the most relevant safety information to assist in decision making.
Such collaboration is reflected through the FAA Safety Collaboration Team (SCT), a technical advisory body of safety stakeholders from across the FAA. The NextGen safety branch is a co-chair of the group. Early in the acquisition life cycle development process, the SCT fosters RBDM by addressing and raising awareness of integrated safety issues that may eventually be categorized as a hazard. The team supports ISRM and provides safety information and advice to the FAA SMS committee, which, in turn, advises the FAA SMS Executive Council.
Additionally, the SCT helps guide the ISRM process, which includes the development of Integrated System Safety Assessments. This analysis produced by the NextGen safety branch identifies and evaluates overarching safety issues that might span several NextGen portfolio elements called operational improvements. By using a broad enterprise view, the SCT can then feed data into the SRM analysis of lower level acquisition programs.
NextGen is developing a new safety assessment tool called the Hazard Enterprise Architecture Traceability Tool (HEATT) for the Systems Engineering Portal, the web application that provides FAA users with access to integrated systems engineering, architecture, and planning information that supports the evolution of NextGen and the NAS. HEATT will capture and leverage relevant enterprise safety data to support safety practitioners in conducting more thorough, data-informed safety analysis. HEATT will display the dependence or connection between safety issues and systems, actors, functions, operational activities, requirements, and other enterprise architecture elements. It will enable old data to be leveraged for new analysis and will assemble a more complete picture of existing risk in the NAS. Initial operating capability for HEATT is scheduled for 2018.
Aviation watchdogs once measured safety by the number of accidents. Commercial aviation accidents eventually became so rare that the FAA began to measure potential precursors to accidents. Loss of a safe margin of separation between aircraft became the risk measure that the FAA tracked and reported. Proximity is a valid indicator but is not a complete safety picture. It provides no insight into what causes accidents.
Capabilities and changes introduced through NextGen enhance safety while delivering capability and efficiency benefits to NAS users.
FAA resources such as the Hazard Identification, Risk Management, and Tracking Tool (HIRMT), Aviation Safety Information Analysis and Sharing (ASIAS), and the System Safety Management Transformation (SSMT) program provide the platform for improvements to the safety performance measurement infrastructure. Specifically, the enhanced risk analysis processes and new safety intelligence tools help safety analysts go beyond examining past accident data to a proactive approach that focuses on detecting and mitigating risks before accidents occur.
Tracking systems and data-recording capabilities provide better measurements, greater understanding, and more information to support accident investigations. Resources can be used more efficiently, and the actionable intelligence helps prevent major safety incidents and minimize things that could go wrong.
The System Safety Management portfolio aims to develop and implement policies, processes, and analytical tools that the FAA and industry will use to ensure the safety of the NAS. The goal is to be certain that changes introduced with NextGen capabilities maintain and enhance safety while delivering capacity and efficiency benefits to NAS users.
In March 2016, the FAA launched HIRMT, an integrated tool that provides a consistent and standardized methodology to manage and track aerospace system-level safety issues. HIRMT is a web-based agency tool developed through the RBDM initiative. It supports data sharing and the communication and coordination of safety issues across the FAA.
HIRMT collects and tracks analyses and assessments of identified safety hazards. It enables communication and collaboration among FAA organizations on the most critical safety issues. Users can look up what analyses have been done, their progress, and if mitigations have been developed.
HIRMT's objective is to track national-level safety issues within one integrated tool. With HIRMT, the latest information is documented, and the tool provides a holistic view of the interconnected safety issues managed across the agency. HIRMT is important in the evolution of the FAA's approach to safety management. Analysts and executives are empowered to collaborate and share better awareness of significant safety issues.
HIRMT enhances the FAA decision making process and enables executives and managers to prioritize activities and focus resources on the greatest safety risks.
The ASIAS program plays an important role in safety analysis as the FAA designs and deploys new NextGen capabilities. ASIAS is a unique collaboration between the FAA and the aviation community to share and analyze data and proactively advance aviation safety. The success of ASIAS is based on aviation and government entities sharing data to aggregate and analyze. The aviation community benefits from the discovery of common systemic safety problems.
Safety researchers aggregate data from multiple sources to identify safety trends in the NAS.
ASIAS combines safety data from dozens of sources across industry and government, including 46 commercial air carriers and 60 corporate/general aviation operators. The sources include voluntary safety reporting systems such as the Aviation Safety Action Program, the Air Traffic Safety Action Program, digital flight data from participating members, and other data such as surveillance, Notices to Airmen, and weather information. The primary objective of this public-private partnership is to acquire, integrate, and analyze multiple data sources in a way that provides new insights into systemic safety issues that could not otherwise be identified.
Safety researchers aggregate data from more than 300,000 voluntary safety reports and more than 16 million flight operations to identify safety trends in the NAS, leading to a comprehensive and proactive approach to aviation safety in concert with NextGen's ongoing implementation. The result provides the agency and aviation industry with a systemic view of safety issues that improves mitigation strategies.
ASIAS analyses are approved and guided by an executive committee made up of government and industry leaders, and shared with members and the Commercial Aviation Safety Team (CAST), which includes representatives from air carriers, air traffic controllers, industry associations, labor unions, manufacturers, and regulators. Through its 10-year safety plan, CAST helped reduce the fatality risk for commercial aviation in the United States by 83 percent from 1998 to 2008. CAST aims to reduce the U.S. commercial fatality risk by another 50 percent from 2010 to 2025. Safety risk-mitigation strategies identified by CAST are voluntarily implemented by its community. Over the years, CAST has adopted more than 100 safety enhancements, with several based on information derived from non-accident data.
General aviation operators have joined commercial and corporate aviation to provide voluntary, anonymous operations data to ASIAS. Additionally, the General Aviation Joint Steering Committee (GAJSC) adopted a CAST-like process to analyze accident information and devise critical safety enhancements for general aviation. ASIAS supports the GAJSC by using de-identified data to help discover systemic risks and evaluate the effectiveness of deployed safety enhancements. Recent accomplishments include more than 39 safety enhancements in areas such as training procedures, technology to address loss of control, and engine system and component issues.
Data fusion analytics, or ASIAS 2.0, is the next generation of the program. ASIAS "fusion" leverages the power of data and creates a "flight story" assembled from a variety of databases, including a composite of FAA surveillance information — known as a "threaded track" — as the foundation for analysis. With data fusion, ASIAS is able to measure and monitor relationships across multiple systems in the NAS, offering additional context for a given flight. Data-fusion techniques combine and integrate data from multiple sources to achieve better insights about NAS operations and provide enhanced analytic capabilities.
Data fusion also provides a 360-degree perspective of a safety issue, giving analysts a deeper understanding of systemic precursors and underlying factors. Safety analysts will be able to directly relate the "what" and "why" of safety incidents and hazards, leading to better insight into contributing factors of accidents, more contextual information, and improved ways to mitigate accidents.
ASIAS will continue to expand and apply its analytical capabilities beyond commercial and general aviation. Initial research is underway to develop the architecture and tools for ASIAS to accept and analyze data from new communities including Unmanned Aircraft Systems (UAS) operations. ASIAS will continue to assimilate many data sources to rapidly identify safety risks across the NAS before accidents occur.
SSMT addresses an important part of SRM — estimating the risk associated with system change. It seeks to quantify the potential impacts of NextGen proposed rules and other system changes on NAS risk. SSMT strengthens the reactive and proactive abilities of other safety activities. The program includes four tools:
- Integrated Safety Assessment Model (ISAM)
- Airport Surface Anomaly Investigation Capability (ASAIC)
- Safety Investigation Toolkit for Analysis and Reporting (SITAR)
- Wake Vortex Safety System (WVSS).
Together, these tools represent a structured and integrated approach to anomaly detection and assessment of risks, hazards, and NextGen operational improvements.
The program is improving safety by linking historical event analysis with future system-state assessment. By proactively identifying precursors contributing to risk, and using those data to assess where and when risks may increase, SSMT goes beyond recognizing and correcting failures after the fact. SSMT tools are used by stakeholders for planning, risk assessment, RBDM, risk-informed rulemaking, and evaluation. The tools can also be used for additional types of safety assessments, such as the potential changes to safety risk of proposed rules and procedure changes. They can also be scaled for multiple levels of data, from that of a single stakeholder to the entire NAS.
Three of the tools — ASAIC, SITAR, and WVSS — detect, evaluate, and report candidate safety events for surface, terminal, and en route operations, as well as for possible wake encounters. These anomaly detection tools also provide data for ISAM, which quantifies baseline risk and supports RBDM and safety risk assessments. ISAM lets analysts and investigators test what-if scenarios. By changing a few parameters, users can see what happens to the NAS relative to the current baseline. This is valuable because necessary NAS changes can be assessed for system safety before being implemented. ISAM includes models of every identified cause of fatal or serious commercial aviation accidents or incidents worldwide, and as many feasible causes as could be identified for hypothetical accident or incident scenarios that have not occurred. ISAM has been extended to include safety risk assessment models for general aviation and UAS operations.
ISAM supports the integrated safety risk-management process by linking known hazards with historical data and allowing ISAM stakeholders to determine which precursors were likely causes. It does this through subject matter expert evaluation. In addition, ISAM includes capabilities to identify barrier failures and conduct sensitivity analyses for its safety risk models.
ISAM results have been used in RBDM efforts to evaluate Performance Based Navigation and to support the Office of the Secretary of Transportation Safety Council's efforts in risk-based rulemaking. ISAM is a recommended tool identified in the Safety Risk Management Guidance for System Acquisitions.
ISAM is used across the FAA and is being developed in parallel with Eurocontrol's Integrated Risk Picture model. The FAA's Safety Data Analysis Team will use ISAM to build an agency-wide hazard library to support safety risk assessment across the FAA.
ASAIC is a research and investigation tool that allows users to retrieve information and replay an incident from any airport where a surface monitoring system, such as the Airport Surface Detection Equipment–Model X, is used. ASAIC has many uses, including training and event reconstruction. It identifies and quantifies anomalies for models that can assess impact of system changes on risk. It can observe current operational procedures and associated anomalies, or conduct scenario analysis. ASAIC also supports accident investigators by providing a high-fidelity, rapid recreation of an event. It provides an animated replay of the entire event, including contextual elements like airport layout, aircraft in the area, and weather. ASAIC significantly enhances accident investigators' capabilities by allowing them to replay events from many perspectives with its 3-D rotation capability.
The Airport Surface Anomaly Investigation Capability identifies and quantifies anomalies for models that predict future risk.
SITAR and WVSS represent newer capabilities, but their potential to support anomaly detection and safety risk assessment continues to expand. SITAR provides information about the precursors for losses of separation, including those resulting from wake encounters. WVSS analyzes detected losses of separation to identify the potential likelihood that the loss was due to a wake encounter as well as the potential severity of the encounter. Both tools offer additional analytical capabilities that can be leveraged by other FAA lines of business.