SAFETY ORGANIZATION 3
3.9 EASA Requirements of Risk Assessment Methods
SAFETY ORGANIZATION AND RISK MANAGEMENT 97
98 COGNITIVE ENGINEERING AND SAFETY ORGANIZATION
• Identify hazards using a multidisciplinary team of analysts and ensure that the team develops a common mental model of hazards.
• Combine hazards into a risk framework and develop a risk model of the system; examine how risk levels are influenced by various contributing factors that may amplify or dampen the consequences of hazards.
• Evaluate risks and assess how risks may evolve over time.
• Identify potential risk controls (barriers) and reassess the residual risk until the ALARP criterion is reached (i.e., risks should become as low as reasonably practicable).
Figure 3.8 Right hand part of a bow-tie analysis (figure rendered here as text; only its labels are recoverable).
Hazard: Aircraft in adverse meteorological conditions (low level wind shear, LLWS)
Top event: Aircraft unintentionally deviates from normal in-flight parameters (aircraft upset)
Upper branch, consequence: Uncontrolled collision with terrain or catastrophic in-flight structural failure resulting in fatalities
  Barrier-1a: Flight crew performs upset recovery procedure / go around (in response to monitoring and/or automated warnings)
  Barrier-2a: Automated systems assist aircraft recovery (e.g., automated angle of bank recovery)
  Barrier-3a: Aircraft design certification margin between approved envelope and structural failure
Lower branch, consequence: Unsecured objects/persons in cabin resulting in injuries to passengers and/or crew
  Barrier-1b: Cabin secured via adherence to cabin procedures
  Barrier-2b: Passengers and crews secured by instructions to keep seat belts fastened at all times
  Barrier-3b: Cabin design features minimize injuries
Table 3.3 A Generic Data Structure for Conducting Risk Assessment
• SEVERITY
  • Traffic complexity
    • Rate of closure
    • Traffic density
    • Number of convergent routes
    • Number of path changes to aircraft
    • Number of aircraft around conflicts
    • Number of intersecting flight paths
  • Environment
    • Weather conditions
    • Volcanic ash
    • Visibility conditions
    • Wind shear
    • Day/night
    • Terrain
  • Safety nets/barriers
    • Short term conflict alert (STCA)
    • Medium term conflict detection (MTCD)
    • Traffic collision avoidance system (TCAS)
  • Prevention
    • Data for traffic synchronization
    • Air traffic flow and capacity management (ATFCM) measures
  • Plannable conflict
    • Conflicts from traffic sequence
  • Unplannable conflict
    • Conflict from airspace penetration
    • Conflict from unmanned aerial system
    • Conflict from VFR traffic
    • Conflict from flight deviation
• CONTROLLABILITY
  • Resolution
    • Conflict detection by controllers
    • Conflict detection by pilots
  • Recovery
    • Controllers recover from the problem
    • Pilots take evasive action
  • Coordination
    • Within-sector coordination
    • Inter-sector coordination
• REPEATABILITY
  • Equipment
    • Degraded modes
    • Design of equipment
  • Procedures
    • Incomplete or ambiguous procedures, operations manual, unit training plans, unit competency schemes, and contingency plans
• Establish a plan for monitoring the effectiveness of risk controls proposed in earlier steps (i.e., safety monitoring and verification); this may involve setting key performance indicators that show the work progress made.
• Consider the feedback loop of organizational learning and process improvement.
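As an added worked example (it is not from the book, from EASA, or from any ATM tool), the Python below models the upper branch of the bow-tie in Figure 3.8 and runs the barrier/residual-risk loop described in the steps above. Each barrier is assumed to fail independently on demand; contributing factors enter as multiplicative amplifiers (greater than 1) or dampers (less than 1) on the probability that the top event escapes past the barriers; and the loop adds the candidate barrier with the best risk reduction per unit cost until the residual risk meets a numeric tolerability target. The top-event rate, failure probabilities, costs, amplifier value and target are all constructed illustrative numbers, and the numeric target is an assumption standing in for the ALARP judgement, which in practice is a reasonableness argument rather than a threshold.

```python
"""Bow-tie residual-risk model with an ALARP-style reassessment loop.

Illustrative example added to this section; not code from the book or from
any EASA/EUROCONTROL tool. Every number below is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass(frozen=True)
class Barrier:
    name: str
    failure_prob: float  # probability the barrier fails on demand (assumed independent)
    cost: float          # relative implementation cost (constructed, arbitrary units)


@dataclass
class ConsequencePath:
    """One right-hand branch of a bow-tie: top event -> barriers -> consequence."""
    consequence: str
    barriers: List[Barrier] = field(default_factory=list)
    amplifiers: List[float] = field(default_factory=list)  # >1 amplifies, <1 dampens

    def escape_prob(self) -> float:
        """Probability that the top event propagates past every barrier."""
        p = 1.0
        for b in self.barriers:
            p *= b.failure_prob          # independence assumption
        for f in self.amplifiers:
            p *= f                       # contributing factors scale the escape probability
        return min(p, 1.0)               # a probability cannot exceed 1


def residual_risk(top_event_rate: float, path: ConsequencePath) -> float:
    """Expected consequence rate (per flight hour in this example)."""
    return top_event_rate * path.escape_prob()


def alarp_loop(top_event_rate: float, path: ConsequencePath,
               candidates: List[Barrier], target: float) -> List[str]:
    """Greedy reassessment loop (mutates path.barriers).

    Adds the candidate with the largest risk reduction per unit cost, then
    recomputes the residual, until the residual is at or below the target or
    no candidates remain. Returns the names of the barriers added, in order.
    """
    added: List[str] = []
    remaining = list(candidates)
    while residual_risk(top_event_rate, path) > target and remaining:
        current = residual_risk(top_event_rate, path)
        best = max(remaining, key=lambda b: (1.0 - b.failure_prob) * current / b.cost)
        path.barriers.append(best)
        remaining.remove(best)
        added.append(best.name)
    return added


def figure_3_8_example() -> Dict[str, object]:
    """Worked run on the upper branch of Figure 3.8 (all values constructed)."""
    top_event_rate = 1e-4  # constructed: upsets per flight hour of LLWS exposure
    path = ConsequencePath(
        consequence="Uncontrolled collision with terrain or catastrophic "
                    "in-flight structural failure",
        barriers=[Barrier("Flight crew performs upset recovery procedure",
                          failure_prob=0.1, cost=1.0)],
        amplifiers=[2.0],  # constructed: tight coupling leaves little recovery time
    )
    candidates = [
        Barrier("Automated systems assist aircraft recovery", failure_prob=0.05, cost=3.0),
        Barrier("Aircraft design certification margin", failure_prob=0.01, cost=10.0),
    ]
    target = 1e-7  # constructed tolerability target, per flight hour
    before = residual_risk(top_event_rate, path)
    added = alarp_loop(top_event_rate, path, candidates, target)
    after = residual_risk(top_event_rate, path)
    return {"before": before, "added": added, "after": after,
            "meets_target": after <= target}


if __name__ == "__main__":
    result = figure_3_8_example()
    print(f"residual before: {result['before']:.2e} /h")
    for name in result["added"]:
        print(f"  added barrier: {name}")
    print(f"residual after:  {result['after']:.2e} /h  "
          f"(target met: {result['meets_target']})")
```

Two points the run makes that the step list alone does not: the residual only falls multiplicatively through barriers that are genuinely independent, so a correlated failure (the same wind shear that causes the upset also degrading the automated recovery aid) breaks the chain and must be modelled as a shared factor rather than as separate barriers; and the amplifier on the escape probability is where the contributing factors of Section 3.9 (tight coupling, time dynamics) enter the quantitative picture, so a reassessment that adds barriers without revisiting those factors will overstate the reduction achieved.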
Because it is unusual to find a single method that satisfies all criteria, safety analysts may choose a battery of two or three methods, provided they are compatible with each other.
The literature has proposed several criteria for comparing risk assessment methods, which are beyond the scope of this chapter.
However, it is worth presenting some criteria that have been proposed in Action EME 1.1 of the European Aviation Safety Plan (EASp).
In assessing future risks in aviation, risk assessment methodologies should:
• Yield an integrated risk assessment
• Have sufficient power of anticipation
• Consider a range of possible hazardous scenarios in future
• Evaluate system variation during normal operations
• Consider the complexity of the system
• Have the ability to model dynamic phenomena
• Assist in identifying unanticipated uses of technology or procedures by the operational practitioners
• Provide a means of prioritizing hazards/risks
• Identify warning signals that indicate a drift to failure
• Be simple and practical to apply by knowledgeable domain experts
General risk assessment requirements can be supplemented by recent developments in complexity theory. Modern industries should pay particular attention to emerging risks, that is, risks arising from structural changes in future aviation environments, risks emerging slowly over time without immediate symptoms, and risks arising from migration toward safety boundaries. Many emerging risks have been discussed in SESAR and NextGen, while others have been addressed by general studies at the societal level. The authors have carried out a review to identify contributing factors that could amplify risks as modern aviation increases its complexity. Contributing factors create a fertile ground for risks to crop up and amplify.
An indicative list of contributing factors is described below as an essential element of risk assessment methodologies (IRGC 2010;
Dekker 2011; Stacey et al. 2000):
• Loss of safety margin created by the tight coupling of systems that leave little margin for recovery; the margin can be understood as the system's buffering capacity or time slack in the event of system overload or failure.
• Trade-offs between different goals and interests that may tip the balance to different directions under different work scenarios.
• Positive or reinforcing feedback loops that may strengthen the initiating event and produce nonlinear disastrous effects.
• Time dynamics where initiating events take a long time to display observable symptoms for the operating teams to detect and take action. Alternatively, the time cycle of the event may be much longer than the decision cycle of a safety manager who may focus on short-term goals.
• Tipping points or thresholds where changes or transitions occur unexpectedly as the system flips from one state to another.
• Unforeseen adaptations where workers may use procedures and barriers in ways that have not been foreseen by the designers.
• Bumpy transfer of control between automation and controllers.
• Social system dynamics and cultural issues that may amplify or dampen earlier perceptions of risk.
• Asymmetries in information from withholding of safety information, wrong delivery of information or delays that impede an understanding of risks.
• Perverse incentives or goals, such as seeking short-term productivity gains at the expense of recognizing risks that take longer periods of time to manifest themselves.
These contributing factors can be used by safety analysts to select appropriate system models that describe the complexity and coupling of modern systems, to examine factors that may influence the risk model, to see how risks may change over time, and to think of candidate risk solutions that avoid side-effects. Chapters 12 and 13 provide further discussion on how to incorporate these complexity factors in the organizational analysis of systems using system thinking approaches.
3.10 Concluding Remarks: Toward Resilient Risk Assessment Methods