Imagining Safety in European Air Traffic Management

[Versión en Español]

Air Traffic Management has been seen for some years as being a High Reliability Organisation (HRO). This means that it is very safe, compared to other industries. However, this implicit safety situation could change. Already in recent years there have been several tragic accidents at least partly attributable to ATM, most notably the Überlingen mid-air collision in 2002, the Milan runway incursion in 2001. Furthermore, despite the initial drop in civil air traffic following 9/11, traffic is likely to continue to increase due to passenger demand, thereby putting more stress on the system. To deal with this increased capacity of ATM, there are a range of initiatives in ATM and aviation more generally, such as giving the controller computerised assistance tools, considering new ways of structuring airspace and traffic flows, and delegating separation assurance in certain situations to the cockpit crew and systems. ATM is therefore showing potential signs of strain (accidents), is under pressure (capacity increases) and is undergoing an extended period of fundamental change. To anyone who has worked long enough in safety, these three ingredients mean that a serious safety system must be in place to avoid a sharp increase in safety-related events and ultimately more accidents.  This requires a structured process to ensure that safety is built into conceptualisation and design phases of project and this is the road onto which the Eurocontrol Experimental Centre has stepped.

The problem with High Reliability Organisations is that it is not always clear why they are so reliable/safe. Indeed, with air traffic it appears that the system evolution until now, has managed to incorporate traffic increases in its stride. Certainly the training of controllers is excellent, and the controllers themselves as a cultural entity embody the hallmarks of professionalism and care about safety. This is not surprising since controllers have safety very directly in their hands – their actions, second to second, dictate whether aircraft stay apart or not. Additionally, it has to be said that pilots and cockpit systems (most notably TCAS, the traffic alert and collision avoidance system) add significant safety to our air travel also, and until recently (Überlingen) have been seen as an entirely independent safety net on top of those used on the ground by air traffic controllers. Lastly, and perhaps not least, there is what is called providence: there is a lot of space up there, even today, so there is a degree of luck or space, depending on your perspective, which undoubtedly has occasionally saved the day. It is perhaps a salient and tragic point that the two aircraft in the mid-air collision only just touched each other, a wing slicing through the last section of a tail-plane – another fraction of a second and they would have missed each other.

These aspects, a good overall system design and procedures, professional and very involved controllers, good cockpit crews and systems, and a healthy safety margin in the sky, are therefore no doubt part of the reasons ATM is still so (relatively) safe. But Agencies such as Eurocontrol have not been content with these aspects, in part because they are implicit and so less amenable to management, and also because other industries rely more on explicit safety management systems. Therefore, Eurocontrol has been developing a series of means to help ensure that ATM does not lose its status as a HRO. These measures include formal safety management systems, risk assessment approaches, and attempts to develop an industrial safety learning system. The first means that European national organisations managing air traffic recognise their role and responsibilities in terms of safety. The second ensures that new systems and operational changes are checked using tried and tested safety assurance methods such as hazard identification, and risk assessment, to show that vulnerabilities are either removed from the system design or else are of a tolerably low risk. The third demands that national member states record and analyse incidents as a means to learning how safe they are and where their individual priorities are in terms of safety concerns. These measures, and others, are enshrined in a series of documents called ESARRs (Eurocontrol Safety Regulatory Requirements). 

Barry Kirwan will be present on the next Third International Conference on Occupational Risk Prevention, ORP2004, with the conference "Adapting Safety Methods for the Air Traffic Industry". Further information could be found at www.orp2004.com

[*] Opinions expressed in this paper are those of the authors only and nor necessarily those of Eurocontrol or other organisations.