Risk assessment Aircraft operation

Risk assessment Aircraft operation Approach and landing, take-off and departure at sea and on shore Olai Rune Hjetland 2. November 2007

Agenda Dilemmas in daily operation Methodology - Presentation of some of DNV s risk assessment model for aircraft operations and handling - ADRM (Approach and Departure Risk Model) and if time: - EFA (Empirical Frequency Approach) - Ground handling - Safety culture Use of models, results and experiences Slide 2

Prioritization More important to Do the right things than to Do things right (?) Keep the large overview! to avoid sub optimization Start with a rough model providing the large picture Drill down where necessary! Slide 3

Daily dilemmas - migration towards the boundary Rasmussen, 1993 Slide 4

Operators dilemma Cost cutting exercises - Risk assessment/ management of financial risk mandatory for large investments - Risk assessment of functionality and safety risk? Requirements in regulation vs. other risks not regulated or not in conflict with regulation - Mil operations with non-mil helicopter how do we handle risk? Compensating and mitigating actions acceptable according to regulation? - Risk analysis according to accepted methodology Risk ownership - Risk within: Economy, Functionality, Safety, Environment - Establish overview - Spread correct understanding in organization - Follow up Slide 5

Risk and Risk Analysis Risk Management Safety Management What is a Risk Analysis? A systematic way of describing and/or calculate risk Slide 6

Risk management in Changing environment Retrospective Forward looking Accept criteria Goal Accept criteria Meassurements, incidents etc Decisions Mitigating actions Results Risk assessments Threats Daily operation Forward with reference to wake New systems / organization and change Slide 7

Definition of risk Probability of event Consequence of event How often Frequency; per: year flight approach Probability. RISK = Probability x Consequence Outcome 2 fatalities Material damage > 10 mill $ Production downtime >4 days Hull loss.. Slide 8

Risk analysis Methodologies Qualitatively vs. quantitatively Identify hazards - Reduce them all Coarse analysis - Better than/equal/worse than ( a reference) Quantitative modeling - Probability - Consequence - Total risk - Contributors Slide 9

Why quantification? Accept criteria / ALARP Cost/benefit - as much safety as possible for the money (J. Wright, Safety director, Avinor) Prioritize between airfields/ships - Not only prioritize actions within one object Pr landing/sortie/hour vs. Return period Slide 10

The Main Elements of a Risk Analysis System definition Identification of of hazards in in the the system system Probability assessment Consequence assessment Risk Risk calculation Accept criteria? TLS TLS <10E-7 <10E-7 Risk Risk acceptable? Yes Yes Start Start operation No No Mitigating actions actions Probability Consequence Slide 11

Aircraft Operations to/from Airport/Helideck The Need for Risk Assessment Sometimes impossible to comply fully with regulations - Regulations often opens for alternate means of compliance - Risk assessment to document acceptable risk level Risk management - risk based approach can be used to achieve: - Effective actions for risk reduction - The most cost effective ways to reduce risk DNV has developed methodology and models for: - Risk calculation for approach and departure at airports (the Approach and Departure Risk Model) - Risk assessment method for ground handling accidents (fixed wing and helicopter) - Safety culture assessment for airport organisations In cooperation with: - Avinor (airport division and ATM division), - SAS / SASBraathens, Norwegian, Widerøe, Lufttransport - CHC Helikopter Service, Norsk Helikopter (helicopter application for ADRM and ground handling risks) - Sqn 337 RNoAF (ADRM adjustments at KV Svalbard) Slide 12

Experience with ADRM - DNV and Avinor Slide 13

The ADRM Method - 1 Identify hazards that can lead to unwanted events Estimate how frequent the unwanted events occurs - Simplified fault tree approach Assess probability of hull loss as result of the unwanted events - Event tree approach Scenario- and phase based (apportioning to manageable parts) - Approaches / departures - Type of Aircraft - Runway/landing area - Divided in phases Captures expert judgement experienced flight crew and ground crew/competence - Incorporate this in the assessment (set frequencies/probabilities in the model ) Slide 14

The ADRM Method - 2 Causal analysis Consequence analysis 1. Unwanted event End event 1 3. 2. Top event End event 2 4. 5. End event 3 Hazards Fault tree Safety functions/ barriers Event tree Consequences Slide 15

1. The unwanted events 2. 3. Success criteria for a flight: We know our position - relative to terrain and - relative to ATC clearance We have sufficient control over the aircraft 4. 5. Topphendelse Scenario 1 Scenario 2 Scenario 3 We are not in conflict with other aircraft or vehicles The main problems (inverse success criteria): We do not have sufficient knowledge of our position 1. Scenario 1 We believe to know our position, but are wrong 3. 4. 2. 5. Topphendelse Scenario 2 Scenario 3 We are not able to move/steer the aircraft to where we want it We are in conflict with other traffic or activity Slide 16

System Description - Information relevant for safe operation Necessary Background Information for the Analysis Obstacles and environment Procedures Day/night Navigation systems available Traffic - Type of activity - Volume - Type of aircraft Visual aids Local weather conditions (ceiling, visibility, wind, turbulence, precipitation, etc) Helideck conditions (length/width, friction, markings, surface) Emergency preparedness Slide 17

Structure in work - Scenarios Approach or departure with rwy heading and appropriate procedure accordingly (SID / STAR, ILS / VOR/DME) and type of aircraft defines a Scenario Example onshore: - Runway 17 - Approach - Procedure: Copter ILS-17 - Super Puma Example offshore: - KV Svalbard - SCA (HCA, ELVA, HIFR, ) - Fore-and-aft Port (Relative starboard, ) - NH-90 Slide 18

Structure in work - Phases Adapted for helicopter at Bergen - Flesland - Has been adjusted for KV Svalbard, - Can be adjusted to mil. ops etc. (e.g.: Nansen NH-90) - A more generic structure provides better platform from experience across Faser for innflyging - helikopter Fase nr. 1 2 3 Beskrivelse Safe altitude (min 2000ft) MAPt (instrument). MAPt LDP* (ca 100 ft) LDP* (ca 100 ft) touchdown (TD) *) Landing Decision Point Faser for utflyging - helikopter Fase nr. 1 2 Beskrivelse Lift off TDP** (ca 100 ft/70 KTS) TDP** (ca 100 ft/70 KTS) "Safe altitude" (min 2000 ft) *) Take-off Decision Point Slide 19

Hazard Identification Process 3. 4. 1. 2. 5. Topphendelse Scenario 1 Scenario 2 Scenario 3 Scenarios SCA NH 90 HIFR S92 VERTREP LYNX Top events (i) (ii) (iii) (i) (ii) (iii) (i) (ii) (iii) Phases 1 2 3 4 Inadequate position awareness Faulty position awareness Control problems with aircraft Inadequate position awareness Faulty position awareness Control problems with aircraft Inadequate position awareness Faulty position awareness Control problems with aircraft Slide 20

Hazard Identification From Hazards to Top Events 3. 4. 1. 2. 5. Topphendelse Scenario 1 Scenario 2 Scenario 3 Hazard List Aggregated Failure Modes Top Events Technical faultsaircraft Inadequate position awareness HAZARDS Technical faultsground equipment Human factorscockpit Faulty position awareness Control problems with aircraft Environmental/ external factors Conflict with aircraft/object Slide 21

Hazard Identification -1 3. 4. 1. 2. 5. Topphendelse Scenario 1 Scenario 2 Scenario 3 Purpose: Establish a list of all possible deviations, hazardous and emergency situations that might occur with basis in: 1. Events/accidents taken place 2. Obvious hazards due to e.g. physical conditions 3. Combinations of events 4. Known hazard being accounted for through design, procedures, maintenance, etc 5. Other? Slide 22

Hazard Identification - 2 3. 4. 1. 2. 5. Topphendelse Scenario 1 Scenario 2 Scenario 3 This is a joint effort: System experts - Pilots, left-seat - HKO, FDO - Technical experts on ship systems - radar, communication, lights incl. GSI - Emergency preparedness expert - etc Local experience with respect to operations, systems, procedures, etc: - Knowledge of systems and components - Knowledge of activities and operations - Knowledge of incidents and accidents - Knowledge of deviations/hazard- and emergency situations/unwanted events DNV contributes with risk analysis tools, calculations, concepts and definitions DNV facilitate the process such that all joint knowledge becomes relevant and beneficial for the project Slide 23

Fault tree input module 3. 4. 1. 2. 5. Topphendelse Scenario 1 Scenario 2 Scenario 3 Specific numbers used for frequency and adjusted for duration of phase Data from technical statistics or other sources can be used Expert judgement PHASE 1 (i) Inadequate position awareness Top frequency: 0.00E+00 Calculated: 0.00E+00 Calculated: 0.00E+00 Calculated: 0.00E+00 Calculated: 0.00E+00 Technical faults - aircraft Technical faults - ground equipmen Human factors - cockpit Environment Recommended: 1.00E-07 Per min # min Sum risk Max Merdian Min 3:1 Max Merdian Min Value used: pr min LLZ 9.51E-07 0 0.00E+00 0.00E+00 0.00E+00 0.00E+00 per min 0.00E+00 0.00E+00 0.00E+00 per min GP 1.12E-06 0 0.00E+00 Value used: Value used: Marker 2.30E-06 0 0.00E+00 DME 3.17E-06 0 0.00E+00 VOR 4.51E-06 0 0.00E+00 NDB/L 3.57E-06 0 0.00E+00 Sum 0.00E+00 To be completed for each scenario, top event and phase Slide 24

Event tree input module 3. 4. 1. 2. 5. Topphendelse Scenario 1 Scenario 2 Scenario 3 Top event Top event frequency (ii) Faulty position awareness, landing phase 1 1.24E-05 Branch question Branch probability Comments to value used Recommended value or interval Explanation/comments to recommended values 1. P(ATC does not detect) 6.00E-01 As p22 (i) 2. P(Crew does not detect) - ATC does not detect 5.00E-03 0.001-0.01 Airport dependent 3. P(Faulty E-GWPS) - ATC does not detect, crew does not detect 1.00E-04 As p52 (i) 4.1. P(Aircraft not clear of terrain) - ATC does not detect, crew does not detect, GPW given 1.00E-03 As p63 (i) 4.2. P(Aircraft not clear of terrain) - ATC does not detect, crew does not detect, no GPW given 5.00E-02 As p64 (i) Landing phase 1 - Faulty position awareness 1.25E-05 Yes --> Branch questions: 4.00E-01 6.00E-01 1. ATC does not detect 9.95E-01 5.00E-03 2. Crew does not detect 9.999E-01 1.00E-04 3. E-GPWS not functioning 9.99E-01 1.00E-03 9.50E-01 5.00E-02 4. Aircraft not clear of obstacle/terrain 1 2 3 4 5 6 OK OK OK Hull loss OK Hull loss Sum hull loss frequency: 3.75E-11 To be completed for each scenario, top event and phase Slide 25

Risk overview/account for a scenario an example Visualise risk distribution - per phase - per top event Identify main risk contributors Easy change of parameters Instant recalculation - Check sensitivity - Potential in risk reducing measures Top event Unwanted event Phase Top event (per landing) Hull loss frequency (per landing) Distribution of total hull loss frequency (i) Inadequate position awareness 1 1,87E-04 1,06E-09 0,6 % 2 8,79E-04 8,79E-08 48,1 % 3 3,03E-05 2,95E-09 1,6 % 4 2,60E-05 3,18E-09 1,7 % Sum 1-4 - 9,51E-08 52,0 % (ii) Faulty position awareness 1 6,06E-05 3,93E-11 0,0 % 2 4,90E-05 1,81E-10 0,1 % 3 5,25E-07 5,25E-10 0,3 % 4 2,80E-06 3,59E-10 0,2 % Sum 1-4 - 1,10E-09 0,6 % (iii) Control problems - aircraft 1 9,75E-07 9,08E-12 0,0 % 2 4,90E-04 6,27E-08 34,3 % 3 6,01E-05 8,98E-09 4,9 % 4 6,59E-05 1,48E-08 8,1 % Sum 1-4 - 8,65E-08 47,4 % Sum top events (i) - (iii) 1-1,11E-09 0,6 % 2-1,51E-07 82,5 % 3-1,25E-08 6,8 % 4-1,84E-08 10,1 % Sum 1-4 - 1,83E-07 100,0 % Slide 26

Use of ADRM model - example Scenario: Circling to opposite rwy - safety area not according to regulation Risk reduction alternatives (example numbers): - Strip/safety areas according to regulation reduction 9 % - Instrumented approach straight in (vs. circling) reduction 43 % - Increased illumination for visual references during circling and final approach reduction 18 % - Turbulence warning, restrictions on wind for approach reduction 14 % Slide 27

ADRM Model Features (1) Type of operation - Approach/landing (SCA, HCA, ELVA) - HIFR - VERTREP - Hoist - Take-off/departure Obstacles (Terrain, Man made obstacles, Obstacle Assessment Surfaces) Safety areas Differences between types of aircraft - Helicopter vs Fixed wing - Performance - Passengers - Cargo (incl weapons) Differences in equipment (automation, navigation, communication/data transfer, surveillance/radar, warnings, FMS) Slide 28

ADRM Model Features (2) Navigation aids (Type, position, few/many) Visual aids (Lights, GSI, Markings) Heli deck (Length/width, surface / friction / markings) Weather (Visibility, ceiling, turbulence/wind-shear, winter conditions) ATC/HKO interaction (Equipment in HKO position, manning) Consequences (Hull loss, probability of survival in different accident scenarios (linked to no. of pax), probability of cargo/weapon damage) Slide 29

ADRM - Strengths Overview over risks from obstacle, weather, topography and contribution from different aspects in different scenarios/phases Easy to check sensitivity Use information from different sources - Technical data (reliability, certification criteria) - Expert judgement - Statistical material (MTBO, weather, ) Possible to compare helideck/airport/scenarios/phases Slide 30

Risk Accounts Potential use: Assessment of contributing causal factors Search for areas for effective mitigating actions Assessment or calculation of effect of risk reducing initiatives Assessment of planned changes - Equipment - Operational procedures - Resources Slide 31

How to improve safe and effective operation? Support the operation to ensure consistent and accurate flying - In risk assessment terms: reduce probability of unwanted events Provide safety barriers, safety areas, improve emergency preparedness - In risk assessment terms: reduce consequences of unwanted events Priority : Reduce probability of unwanted events Slide 32

Support the operation to ensure consistent and accurate flying Good references for navigation - Visual - Lighting references - GSI - Visibility/ceiling - Confusing visual information - Instrument - Alignment with approach line - On nominal decent profile - Possibility to verify position by comparing with other information - Visually - Other nav-aids or instruments Control over the aircraft - Performance of aircraft - Competence of crew - Low probability to run into severe turbulence or wind shear Slide 33

ADRM used in Helicopter Integration Project Logic is valid ajustments for helicopter implemented (mil ops partly) Scheme works as check list for certification of helicopter integration Quantitative aspects possible to introduce Do the right things Keep the large overview! avoid sub optimization Slide 34

Thank You very much for Your attention! Slide 35