The safety case for aviation today is based primarily on the lessons learned from serious incidents and accidents in which lives have been lost. This approach to safety has been very successful and has led the aviation industry to be recognised as the benchmark for safety performance by many other industries; it is often referred to as ‘ultra-safe’.
Our open and just culture is a key reason why aviation has earned this reputation, but the industry must not become complacent. We must continually review the effectiveness of our approaches. Past performance only helps us understand safety risk if the environment and all the actors within the system remain exactly the same – but the environment is constantly changing, so the risks change with it. The aviation system we know today will be unrecognisable in 2050; our approach to developing the safety case for the future must therefore change if we are to maintain or exceed current levels of safety performance.
A different approach for tomorrow
Tomorrow, the safety case will need to be based on the level of safety risk we are willing to tolerate (the discussion around what a tolerable level of safety is for the future aviation system being a different topic in itself). Managing safety risk is about managing the uncertainty within the business in terms of delivering operational services and the related supporting activities in a safe manner.
To do this, we need a systematic analysis of the future aviation system based on the operational scenarios that we envisage will occur in the future. The analysis must also consider resilience principles, recognising that things will always go wrong in the future (it is a complex system) and that we must be prepared for this.
This analysis will form the basis of the new approach to safety cases, ensuring it is fit for a new aviation system. The concept of ‘safety by design’ is familiar to engineers in the rail and construction industries. It is a concept in which there is a systematic analysis of the actors and the activities that drive the level of risk; a ‘top-down’ approach that goes beyond the current focus of preventing and learning from system ‘failures’. It also moves towards a more integrated view of safety risk management, recognising the inherent dependencies between multiple actors in the system and that each actor has a role to play in both the prevention and the mitigation of hazards. The segregated view of hazard analysis that exists in the current safety case approach must adapt; otherwise we may end up with an ineffective and inefficient approach to safety risk management that masks the true risk insights. The analysis also provides the opportunity to implement mitigations that are an inherent part of the design of the system, including mitigations implemented within the information that flows between these actors across the total aviation environment. It is an opportunity that, as an industry, aviation should also explore.
Figure 1 Stakeholders in the Future Aviation Safety System
The collaboration between aviation stakeholders to manage safety risk must continue even if the stakeholders themselves change. Aviation is safety critical, but some of today’s aviation sectors, such as En-Route Air Navigation Service Provision, are not: they are safety-related, and they provide one, albeit important, form of mitigation in the progression of different accident scenarios. Will this change in the future? Possibly. So it is important to explore the responsibility of actors, and their contributions, in the current system versus the future one. For example, will autonomous traffic management become safety critical? It could be, in those airspace environments where the opportunity for “see and avoid” (or “sense and avoid”, in the new parlance) is limited or ineffective. Will technologies such as over-the-air (OTA) software updates of aircraft systems used by MRO (maintenance, repair and overhaul) organisations change their risk contribution? Will this introduce new threats to safety?
To help us understand how to make these judgements we will need to define a common set of operational scenarios that all actors can connect with. In addition, we need to understand the set of desired states that the industry must work together to achieve. This will be based on a combination of today’s safety events and potential new events derived from the future scenarios. Whether it is a recognised item like maintaining a cleared aircraft trajectory or an emerging event like protecting airborne vehicles from malicious take-over by a third party, we need to understand how all actors contribute to the delivery of these desired states.
Towards a total aviation safety case
It was the UK’s Industrial Strategy Future Flight challenge, delivered by UK Research and Innovation, that provided an opportunity for focused thinking on this topic. They are exploring how to safely integrate future flight vehicles as well as new entrants to aviation, and they are analysing the basis for the safety case, supported by Egis and the University of York. The objective of this type of work must be to support communication of the safety requirements to the aviation community, and especially to those new entrants who do not have experience of designing, operating and maintaining aircraft in the highly regulated aviation sector. The focus is not just on new entrants, however, because existing actors must also understand the safety requirements of the future aviation system, especially as we move away from a human-oriented traffic management system to a more autonomous one.
Let’s look at what might be involved in creating a Future Aviation Safety Case. Here is an initial framework – but what is missing?
STEP ONE: Describe a set of operational scenarios that we envisage in 2050; the new entrants in all airspace environments. For example, unmanned aerial vehicles transporting people from one location to another in urban environments.
STEP TWO: Describe the desired state(s) that we wish to see for each of the operational scenarios; in a positive context rather than negative one. For example, drone does not enter into any controlled airspace without permission.
STEP THREE: Describe the actors (human, machine, environment, organisations) that we understand will deliver or contribute to the delivery of the operational scenarios to support achieving the desired states. For example, autonomous drone vehicle, drone manufacturer, drone designer/engineer, drone operator, drone port operator, traffic management provider, regulator etc.
STEP FOUR: Analyse the tasks and information flows between each of the actors to ensure the desired states are delivered. For example, flight plan information is uploaded from the operator to the drone vehicle, the drone engineer designs the autonomous functionality, and the drone port’s take-off / landing GPS co-ordinates are distributed to the drone operator.
STEP FIVE: Analyse the tasks and information flows to identify failure modes, and the new actors, tasks and information that are required to mitigate those failure modes. For example, the registry of all drone ports and their GPS co-ordinates is managed through aeronautical information publications.
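As an added illustration (not part of the original article or the Future Flight work), the five steps can be captured as a small dependency model: desired states, the information flows that deliver them, the failure modes of each flow, and the mitigating flows added in step five. The scenario, desired states, actors and flows below are the article’s urban drone example; the “flight plan tampered in transit” failure mode and the mitigation bookkeeping are constructed assumptions to show how the model surfaces gaps.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    """STEP FOUR: one task or information flow between two actors."""
    source: str
    target: str
    info: str
    supports: frozenset                      # desired states (STEP TWO) this flow delivers
    failure_modes: frozenset = frozenset()   # STEP FIVE: ways this flow can go wrong


@dataclass
class SafetyCase:
    scenario: str                            # STEP ONE
    desired_states: frozenset                # STEP TWO
    flows: list = field(default_factory=list)
    mitigations: dict = field(default_factory=dict)  # failure mode -> mitigating Flow

    @property
    def actors(self):
        """STEP THREE, derived from the flows rather than listed separately."""
        return {a for f in self.flows for a in (f.source, f.target)}

    def states_depending_on(self, actor):
        """Desired states that rely on this actor via at least one flow."""
        return {s for f in self.flows if actor in (f.source, f.target) for s in f.supports}

    def unmitigated(self):
        """Failure modes for which step five has not yet added a mitigating flow."""
        return {fm for f in self.flows for fm in f.failure_modes if fm not in self.mitigations}

    def uncovered_states(self):
        """Desired states that no flow claims to deliver: a gap in the analysis."""
        return self.desired_states - {s for f in self.flows for s in f.supports}


def build_example():
    """The article's drone scenario; tampering failure mode is a constructed assumption."""
    airspace, trajectory = "no uncleared entry into controlled airspace", "cleared trajectory maintained"
    case = SafetyCase("UAV transporting people between urban locations", frozenset({airspace, trajectory}))
    case.flows.append(Flow("drone operator", "autonomous drone", "flight plan",
                           frozenset({airspace, trajectory}), frozenset({"flight plan tampered in transit"})))
    case.flows.append(Flow("drone port operator", "drone operator", "take-off/landing GPS co-ordinates",
                           frozenset({trajectory}), frozenset({"wrong port co-ordinates"})))
    # STEP FIVE mitigation from the article: a managed registry of drone ports
    case.mitigations["wrong port co-ordinates"] = Flow(
        "aeronautical information publication", "drone operator", "authoritative drone port registry",
        frozenset({trajectory}))
    return case
```

Running `build_example().unmitigated()` reports the tampering failure mode as still open, which is exactly the kind of gap step five is meant to close with a new actor or flow.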
I asked what is missing. One area that may seem trivial, but is incredibly important in any new or heavily modified system where there is significant interdependency, is the need to define a language, or set of terminology, that stakeholders understand and can relate to. This ensures consistent and accurate communication of important concepts across stakeholder groups and minimises the opportunity for misinterpretation and misidentification. In a safety context, for example, one person’s hazard can be another person’s causal factor. It is key that a common language is defined and communicated as early as possible as part of the development of the safety case framework.
Wider benefits today
Following this kind of framework will help us identify new ‘safety requirements’ for the Future Aviation Safety Case. Identifying them early allows us to channel effort into trialling any particular arrangements that support the analysis findings, and into fine-tuning them. It also helps to ensure appropriate engagement with the aviation community.
This framework could have other benefits for aviation too; namely, a systematic approach for industry stakeholders to understand and analyse proposed changes. The benefits could include:
- Understanding the key safety requirements that must be met for different actor types.
- Assessing the impact of any future actors that are proposed.
- Evaluating the opportunity and risk associated with any changes to how actors interact.
- Gauging the potential governance required (e.g. through regulators) beyond current arrangements.
- Identifying the potential management and organisational requirements involved in the design, operation and maintenance of systems.
We have a strong safety foundation in our aviation system today, but we can and must learn more: building on those foundations but approaching safety differently; keeping in mind the regulatory environment, the safety management approach and the culture of the people working in and using aviation.
We cannot foresee with any accuracy what the aviation system will look like in 2050. New entrants and technology providers will continue to deliver massive innovation, and we must ensure our safety case framework is flexible and scalable enough to accommodate it. Whatever approach we choose to take, we must start as soon as possible. The journey will be interesting and challenging, but ultimately rewarding, as we ensure the safety case framework is fit for purpose for the new aviation system. It is what society expects, and rightfully so.