43RD ANNUAL CONFERENCE, Hong Kong, China (SAR), 22-26 March 2004

WP No. 172



Following the increased awareness that Safety was not obviously inherent in the system, and that there is a need to improve safety in order to achieve an acceptable level of safety in aviation, ICAO and other international organisations, have embarked on safety improvement initiatives. In the first part of this paper attempts are made to outline some theoretical information of Safety; the second part looks at how the current operational ATM world looks like; the third part, some recommendations are made for Member Associations to assist in understanding and improving safety and finally in the fourth part various ongoing safety initiatives with relevance to IFATCA activities are detailed. Although the paper works with a lot of example from the European Region it should not been seen as European paper only. The fact that the European Region has a very advanced theoretical description of Safety influences the general tenure of this paper.


2.1. Theoretical approach

Safety is the “raison d’être” of Air Traffic Control. IFATCA as the global professional voice of Controllers has for many years been asking for its assurance. This claim for more Safety, although most of the time pertinent and justified has always been refuted with arguments that Safety is inherent in the system. However, many of our membership have experienced that for various reasons Safety was easily pushed into a “Backstage” status. Delays, economics, culture, management arrogance, ATCO misbehaviour (i.e. Calling for strike by some ATM Union in order to stop training of new students – leading to pay increase and reduce numbers of ATCOs) and higher political objectives etc. have been invoked to reduce Safety to an economically acceptable minimum. Why have the controllers failed through argument to highlight the importance of Safety ? Do we really need to wait for a serious incident and/or accident to show the outside world in a tragic and dramatic way that safety should take a more prominent role in our daily work? But do we as professionals understand safety correctly? Have we understood the public service we are working in and if yes what are we doing to improve the understanding beyond Our daily working environment?

Studying safety in ATC is a difficult and steep learning curve, understanding it becomes even more delicate. To develop a Safety culture in ATC takes many years for any organisation, be it a professional organisation, an ATC Team or an Air Traffic Service Provider. The way it is approached, understood and developed depends heavily on basic ATM knowledge, cultural background and the awareness of the ATM as a service of general public interest. Let us briefly study an approach to understand safety. ICAO states that in the aviation context safety is generally thought of, by the public, as being an absence of aircraft accidents. While the elimination of accidents would be desirable, it must be recognized that such “perfect safety” is an unachievable goal; failure and errors can still occur in spite of the best efforts to avoid them. While it is not possible to completely eliminate the likelihood of harm or damage, it is possible to control the processes, which could lead to hazardous events, and so ensure that the likelihood of being exposed to harm or damage is as low as reasonable possible. (ICAO, the manual on Safety Management System for ATS, p. A10, Draft, Montreal, 2003)

Various models do exists, the Eurocontrol Agency defines it as: Safety of a system can be defined in ATM as being the interaction between Procedures, People and Equipment. All these three elements can be broken down into various parts. Only by integrating the Procedures, People and Equipment as the ATM, together with the Ground and Airborne parts will the Total Aviation System Safety be defined. A schematic view taken from the Eurocontrol Workshop on ESARR 4 (Risk Management in ATM) introduction can be found as annexe 1 to this working paper:

To explain the nature of human error and as such a definition of safety another used Model is the SHELL model. This model was first developed by Edwards (1972). It was known as the SHEL model to denote the three kinds of interactive resources; Software – the rules, procedures, spoken words, etc., which are part and parcel of standard operating procedures; Hardware – the Air Traffic Control suites, their configuration, controls and surfaces, displays and functional systems; Environment – the social and economic climate in which the air Traffic Controller operates as well as the natural environment; and Liveware – the human beings – the controller with other controllers, flight crews, maintenance personnel, management and administration people – within the system. Later Frank Hawkins (1984) modified the model to include the interactive nature of the person to person relationship or Liveware to Liveware and denoted this model as SHELL (see annex 2 description of the SHELL model)(ISAAC A. RUITENBERG B., Air Traffic Control: Human Performance Factors, Ashgate, Aldershot UK, 1999). The reason to adopt the SHELL model instead of others is that SHELL considers all applicable laws and regulations (not only procedures), all concerned infrastructures and equipment (not only these last), the environment as part of the system (because we act on it, i.e. by setting wildlife safeguards up and cutting trees) and not only surrounding it. And, mainly, because it is human centered and considers the system from a Human Factors point of view.

From a mathematical point of view the ATM system can be defined into tolerable safety levels and at a certain point the mathematicians tend to say that it is not safe anymore. IFATCA is talking about a Target Level of Safety (the level of safety which the total system is designed to meet) in its’ publications and policies. But what is it? (

A level of how far safety is to be pursued in a given context, assessed with reference to an acceptable or tolerable risk. This notion of TLS is widely used in ICAO but related and limited to specific types of accidents or causes of accidents. ESARR 4 introduces a high-level quantified input to the design of the ATM systems, in the form of a Target Level of Safety (TLS) expressed as the maximum probability of ATM contributing directly to an accident. Referring to ESARR 4 and to recent amendment to Annex 11 Safety Minimum/TLS could also be expressed, in addition, as the maximum probability of occurrence of incidents in ATM. Typically; such TLS applies to the ATM systems as a whole and not directly to each and every element/piece of the ATM system.

Without going into too deep analysis one could define what an acceptable and/or tolerable risk is. Eurocontrol is illustrating schematically what should be understood (see figure as annexe 3). This is commonly known as Risk Assessment (annexe 4 provides a classification scheme).

2.1.2 Safety Assessment

Having established what are the Target Level of Safety and/or the acceptable and tolerable risk to work with new procedures, equipment and human factors/resources related issues will then go into a second stage. How will the system meet the Target Level of Safety. Commonly a lot of experts tend to say that a safety case has to be established. In short a safety case (an analysis presenting an overall justification for the declaration that a particular systems satisfies its safety requirements) will establish that a new procedure is meeting the TLS as required. Normally this is achieved with a Functional Hazard analysis. Operational and system experts sit together and elaborate a list of possible Hazards which could occur introducing a new piece of equipment, a new procedure and a new human factors/resources related issue. This analysis is documented and all possible hazards are identified. Then the Hazards are quantified and mitigation means are proposed. The second part of the Safety Case will concentrate on what has to be done to have the mitigation means in place the day of the introduction of any new elements in the current aviation system. This might be a lot of work, which is frequently underestimated by ATCOs, ANSPs and the Safety Regulator. In a state of the art Safety Case all relevant steps have to be documented. Schematically:

Based on a target level of safety ICAO defines Procedure for Air Navigation Services (PANS) and Standards and Recommended Practices (SARPS) and/or regional supplementary (SUP) standards and Recommended Practises. Eurocontrol defines Eurocontrol Safety Regulatory Requirement (ESARR). Further Eurocontrol has established what national authority should define as a Target Level of Safety. Annexe 4 shows how a National ATM Safety Minima (Target level of Safety) can be elaborated. What is essential is to keep in mind the total system approach taking into account interfaces/interactions.

The rationale (EUROCONTROL, ESARR4 GUI4/EAM) is that:

  • Each State is responsible for the safety of the national airspace, this includes the specification and promulgation via the national AIS of the required aircraft equipage to fly in the national airspace and related airspace classes,
  • The overall safety of an airspace is related, among other things, to the level of equipage and adequacy of operations of aircraft flying into that airspace. For example, for the safety offered by an RNAV route to be implemented according to the planned tolerable level of safety, aircraft must be equipped and must fly according to a minimum set of requirements. Equally, If a number of aircraft fly into a specific class of airspace (e.g. 8.33 kHz or RVSM airspace) without being equipped according to required equipment/performance, they jeopardize the safety of this airspace, hence the safety of all other aircraft flying into that airspace,
  • ECAC, at MATSE IV (1997), requires in its institutional strategy that a total system approach be adopted to the management of safety in aviation,
  • The ATM System is being considered in EUROCONTROL as one part of the Air Navigation System, composed of a Ground Based ATM component and an airborne ATM component,
  • Hazards usually result from a chain of events. Therefore, some hazards will result from a combination of failures/errors, originating from both the airborne and ground segment of the ATM System (see annex 5 the Reason model explaining this in a graphical form),
  • There may also be more than one solution available to reduce the severity of effect of hazards, their probability of occurrence, some implying safety requirements on the ground part , others on the airborne part and finally others on both of the ATM system,
  • The increased integration of ATM functions between the aircraft and the provision of ATM, and the contemplated delegation of ATM responsibilities to aircraft, implies that the aircraft is not autonomous anymore and should be taken into account as one enabler to ATM in any risk assessment and the mitigation process,
  • Aircraft related studies such as those related to Flight Management Systems (FMS) have suggested that incompatibility between the aircraft system and the wider environment, such as ATC, seems more apparent than lack of understanding on the part of the crew. Validation of FMS requirements against user experience and the ATC environment, requirements, for example, was considered as incomplete.

Note: Some changes to the ATM System may not necessitate such a total system approach as it implies no direct interaction with the aircraft segment. In that case, there will only be a need to show that no interaction exists.

Interactions and Interfaces/Elements

The rationale is that;

  • Providing safety is more than making sure that each element of a wider system functions properly safe. The complex interaction between the various elements of ATM significantly determine safety,
  • At a time of increased automation and system distribution, the adequacy of the equipment with its mode of operations and the impact on the human operator of that equipment becomes areas of specific safety interest,
  • Hazards will often result from a chain of events, from a combination of failures of equipment and/or human errors,
  • Hazards resulting from a failure in a part of a system cannot be taken in isolation. Hazards may result from a combination of failures in that part of the system and other parts, or from the interface between two parts of the ATM System,
  • There is a risk that addressing a part of a system in isolation leads to assumptions being made on other parts (or on environment) which are not correct, and – Common Cause/Mode of failures must also be addressed.

The implications are:

  • The internal interactions within the system under consideration must be addressed by the ATM service provider and closely reviewed by regulators,
  • Human factor assessment and related procedures and equipment to the future operator and maintenance staff become more and more an area of safety importance, at a time of significant operational and technical changes,
  • The safety regulator should verify that all stakeholders involved in a change, either directly or indirectly, as being responsible for a part of a system with which the system under assessment interfaces with, are involved; this applies in particular to ATM related changes at an airport. (Also, referred to as ‘Total System Approach’), and
  • A specific focus should be placed on how external interfaces are addressed. Entities responsible for a external part to the one under assessment should be involved at least in the validation of the safety assumptions made on their system/part and on the validation of safety requirements placed on them when applying ESARR 4; furthermore, the regulator should verify that they have committed to the continuous implementation of those safety requirements they have responsibility for.

The achieved level of safety can only be assessed after the event. A good past safety record is not a guarantee of freedom from future accidents, particularly given that major aircraft accidents in which the ATS system is contributory factor are rare events. (ICAO, op. cit. A-10)

Once a state or an ATS provider has set it’s target level of safety it needs to manage the safety. This is done by a so called Safety Management System. ICAO states that an effective safety management system should adopt a proactive approach, incorporating procedures for:

a) identification, before an accident occurs, of potential system weaknesses which could contribute to an accident;

b) Estimation, in advance, of the risk of accidents occurring; and

c) Implementation of risk mitigation measures to reduce risk where unacceptable levels of risk have been identified.

There is an absolute need to have more than a blind compliance procedure in place with regard to meeting ICAO SARPS. An organisation providing Air Traffic Control needs to be pro-active and work towards a safe system. Therefore the need to invest not only in tools but as well in the Human Factor when it comes to achieving acceptable level of safety (Gleave D., Presentation RM AFM IFATCA 2003, Jordan). ICAO talks about:

“safety is the condition in which the risk of harm or damage is limited to an acceptable level”. This is the so-called ALARP (as low as reasonably practical) approach which is used by many modern Safety Management systems in ATM. Eurocontrol defines Safety as “safety is freedom from unacceptable risk”.

The management of safety

The philosophy of safety management as described by ICAO, states: experience in other industries and lessons learned in investigation of aircraft accidents have emphasized the importance of managing safety in an explicit, systematic and proactive manner.

Explicit means that all safety management activities should be documented, visible and performed independently from other management activities.

Systematic means that safety management activities will be in accordance with a predetermined plan, and will be applied in a consistent manner throughout the organization.

Proactive means that adoption of an approach which emphasizes prevention, through the identification of hazards and the introduction of risk mitigation measures before the riskbearing event occurs and adversely affects safety performance.

Effective safety management requires more than setting up an organisational structure and promulgating rules or directives specifying the procedures to be followed. It requires genuine commitment to safety on the part of senior management, and an organisational culture such that staff at all levels are safety conscious in their approach to their tasks. This is the Safety culture. There is a close correlation between the philosophy of safety management and this concept of a safety culture. The philosophy defines a way of thinking about safety. The safety culture is a result of this way of thinking being translated into actions, so that organizational culture becomes safety oriented. The safety policy provides the starting point for the development of a safety culture.

2.1.2 Safety Culture

Characteristics of an organization with a positive safety culture include:

a) senior management places a strong emphasis on safety as part of the strategy of controlling risks;

b) decision makers and operational personnel hold a realistic view of the short- and long term hazards involved in the organization’s activities;

c) managers in top positions do not use their influence to force their views or to avoid criticism;

d) managers in top positions foster a climate with a positive attitude towards criticism, comments and feedback from lower levels of the organisation;

e) awareness of the importance of communicating relevant safety information at all levels of the organisation is present (both within it and with outside entities);

f) promotion of appropriate, realistic and workable rules relating to hazards, safety and potential sources of damage, with such rules being supported and endorsed throughout the organisation;

g) personnel are well trained and understand the consequences of unsafe acts; and

h) there is a low incidence of risk taking behaviour, and a safety ethic which discourages such behaviour.

There is also a significant degree of interdependence between the safety culture and other aspects of the safety management system (SMS) A positive safety culture is essential for the effective operation of the SMS. However, the culture of the organisation is also shaped by the existence of a formal SMS, in particular, the safety promotion activities. An organisation should not, therefore, wait until it has achieved an ideal safety culture before introducing a SMS. The culture will develop as exposure to and experience with safety management increases.

Basic safety management system concepts

The requirements, procedures and practises which make up the safety management system can be grouped under following headings:

a) the organisation’s safety policy

b) the core safety management activities which are:

– safety monitoring

– safety assessment

– safety auditing

– safety promotion;

c) the supporting organizational requirements, which:

– the safety management organizational structure

– the role of the safety manager

– safety responsibility and accountability and

– training and competency of personnel

The need to manage Safety more in a harmonised way has been identified by political decision makers at ECAC and the European Union as well. The ECAC Transport Ministers have endorsed the ATM2000+ Strategy which states “to improve safety levels by ensuring that the numbers of ATM induced accidents and serious, or risk bearing incidents do not increase and, where possible, decrease”, with a doubling of traffic a reduction of the costs and the delays. Eurocontrol has established thorough Regulation Requirements for its member states (together with its member states and all the stakeholders) implementation dates are set.

Note: Safety Regulation and Safety Management – Principles Safety Regulation is the process applied by States, within national legal duties and frameworks, for establishing, overseeing and enforcing minimum safety levels in the public interest. It includes rulemaking, usually in the form of safety regulatory requirements, together with a means for ensuring compliance by those subject to safety regulation. Safety management is the process used by organisations providing safety related services or products to ensure that all safety aspects of that provision have been adequately addressed. The process includes the setting of organisational safety policies and standards (which meet, as a minimum, the provisions of regulatory requirements), a means for measuring safety achievement and a mechanism for the rectification of deficiencies. Both activities have a common aim – the achievement of safety – and are complementary to one another. The way in which they are implemented depends upon the structure and capabilities of the industry. 

Eurocontrol has a very similar than the ICAO Safety management proposal already in place or on the verge to be introduced.

ESARR1 (tentative title – National ATM safety Regulatory Framework)

ESARR2 Reporting and Assessment of Safety Occurrences in ATM

ESARR3 Use of Safety Management Systems by ATM Providers

ESARR4 Risk Assessment and Mitigation in ATM

ESARR5 Safety Regulation Requirements for ATM Services’ Personnel

ESARR6 Software in ATM Systems

The schematic view below tries to better explain what a Safety Management could look like for a Region like Europe.

2.2. How does the real operational world look like when it comes to safety?

Through the work of AGAS (High level Action Group for ATM safety) it has become visible that although the theoretical approach to enhanced Safety Regulatory Requirements has been taken, a lot of States have not realised, nor understood what was at stake. The European ATM community cannot start to talk about Safety awareness and safety management without understanding Safety. Many States have for example great difficulties to implement ESARR2 because they realise that they would have in certain cases to amend the national criminal laws which rank extremely high in the domestic law hierarchy and are consequently particularly difficult to change.

Management in general terms should be based on understanding the product and its components, understand the regulation mechanism of the industry. From this general understanding, strategy and concepts can be developed and implementation of measures can be formulated. In the end benchmarking will help to position the product towards the outside world. Managing safety should be looked at as the main activity for the whole ATM community; however we are still far away – astonishingly enough from the general principles mentioned above.

In some area of the world basic ATM infrastructure is not fit for doing a correct job and ATCOs are the sole mean of mitigation together with the pilot’s and special procedure like TIBA.

In other parts of the world increased commercialised approach in ATM has seen ATCOs confronted with the fact that safety has been seen less important than capacity, economics, politics and efficiency. Too often arguments by ATCOs in a commercialised environment have been dismissed by management as social arguments when it came down to ensure Safety. Numerous examples could and should be given:

– Single Man Operations – in any and all situation because of staff shortage

– Introduction of new procedures with no training, simulator etc, due to staff shortage

– Introduction of new technical tools for economic reasons which should never be released – the ATCO is being asked to mitigate the technical problem, with workaround procedures resulting in increased workload

– No respect of the Safety regulators recommendations – for economic reasons only – Financial logic applied when accepting a higher rate of traffic, without capacity or flow regulations

– Agreeing on special (non ICAO compliant) procedures for landing and departing aircraft under pressure from the home carriers

– Using shiftlogic™ tool to enhance productivity and cut controller shortage – leading to more sick leave days, total disrupted fatigue management of the ATCO’s and an increase in incidents

– Making safety cases, but stopping any mitigation measures needed to meet the TLS or the risk assessment, since the mitigation measures are apparently unaffordable

– Ignoring basic RNP requirement in design of new routes in order to improve capacity, invent new procedures which are not in conformity with ICAO

– Weak regulator was mis-used to rubberstamp any of these procedures

– Ignoring reports of ATCOs on safety incidents on airports (leading to runway incursions of similar type)

– Blaming the ATCO – always, and adding that it was a human error to protect the system and the management failures

– No refresher training for numerous years

– 70% of the AGAS recommendations are only re-enforcement of programs which have not been implemented. Failure to comply with rules and regulations, by States and ANSPs

So defining safety is more than 1000ft, 5 nautical miles and a little bit of luck. However to understand safety everybody working in aviation should have a basic knowledge about elements such as TLS, Risk Management, Functional Hazard Analysis and Mitigation measures. This counts especially for the human operator. To keep the Human in the loop starts with his basic education about safety. During this education theories (Amalberti R., Les effets pervers de l’utrasécurité, La Recherche, Paris, Avril 1999) and fieldwork on human errors in Aviation should be taught as well. But is education sufficient to understand safety?

Understanding safety can be a total academic approach, which can turn out to be totally useless in the operational field. Understanding safety has to do with the degree of safety awareness. Professor Patrick Hudson (Leiden University) has published a way to achieve a better understanding of safety which is mentioned in a graphical form (Hudson P., Aviation Safety Culture, Safeskies, Centre for Safety Science, Leiden University, 2001):

To develop a Safety Culture in an ATM service needs not only understanding and awareness but mostly commitment. Commitment can only be achieved if all the actors are talking the same language and are informed about what are the objectives of developing a safety culture. Many “successful” companies outside of aviation have understood this and started systematically to invest in Safety, which only brought about a change in the safety culture. What can be safe for an Aviation Regulator might turn out to be totally unsafe for the ATCO or the pilot. An acceptable Risk for an ATCO might be seen as unacceptable for ANSP Managers. What is important is that Safety is not taken for granted or inherent but that safety is proven and assured and becomes an integral part of the daily life of all categories of personnel.

Therefore IFATCA and its’ members, have to continuously strive for the achievement of implementing a safety culture in ATM or expressed in the words of Prof. Hudson “Safety behaviour is fully integrated in everything we do”. This includes much more than Safety Regulation and Safety Management. That means by YOU as an Air Traffic Controller. Otherwise the old devils of failed managers and failed management decisions in ATM will repeat themselves. And you as ATCO’s will be once again used as the scapegoat.

2.3. Recommendations for IFATCA members

Air traffic controllers should become champions in safety. This is only possible if the education and information available for ATCOs about safety is sufficiently accurate.

There is sufficient information available, which can or should be used by the ATCO’s. Depending on the ATS unit the ATCO might be already embarked on various safety initiatives. As a guide to improving in safety this paper proposes possible ways of improving safety of the system (this list is by no means complete):

1. Understand the theoretical approach of safety

By reading or making available material from various sources talking about a target level of safety, a functional hazard analysis, a safety case, a risk assessment, a mitigation procedure.

2. Use the knowledge gained in your ATS unit

By questioning yourself, your unit manager about the various elements. When introducing a new procedure ask about the risk assessment and the mitigation means. Are they documented, do you have access to them, are they understood. What happens if your satellite phone breaks down with your adjacent centre – how can you transmit the Flight plan elements in cases like this?

3. Broaden this to your working environment

By creating safety round tables – or exchange platforms with pilots operating at your airport, with ground staff (i.e. AGAS recommendation to establish interdisciplinary airport safety teams to prevent runway incursions).

4. Ask for an establishment of a safety policy and the commitment of your management

5. Set up an incident reporting scheme where it can be done in a just culture

By collecting information on incidents, mistakes, lapses etc which do occur in the daily ATC environment. Whereas the legal impediments for a just culture approach (non criminalisation of errors) are not in place in many countries – there might be a possibility to have a incident reporting scheme to help identifying trends of unsafe procedures, systems and/or human errors. Where the ground infrastructure is not adequate and fails regularly this should be reported (see WP C 5.13.)

6. Get better knowledge of what are the safety realities in the daily operational world

As it is difficult to establish pro-actively guidance material on this topic. However the following items seem to be sufficiently interesting to be introduced at this stage of the paper. Following the work in AGAS the need for better understanding of the operational realities with regard to safety has been identified by member associations and the Executive Board. On the outlook for some scientific basis treating with this matter IFATCA has come across some meaningful work, done by Hollnagel, Woods, Helmreich, Reason and Dekker. A possible way forward is being proposed by Woods in the so-called “Nine Steps to move forward from error” (see annexe 7 the full text). An executive summary is given at this stage.

6.1. Pursue second stories beneath the surface to discover multiple contributors

When an issue breaks with safety at the centre, it has been and will be told as a ‘first story’. First stories, biased by knowledge of outcome, are overly simplified accounts of the apparent ‘cause’ of the undesired outcome. The hindsight bias narrows and distorts our view of practice after-thefact. As a result:

– there is premature closure on the set of contributors that lead to failure;

– the pressures and dilemmas that drive human performance are masked; and

– how people and organisations work to overcome hazards and make safety is obscured.

6.2. Escape the hindsight bias

The first story after celebrated accidents tells us nothing about the factors that influence human performance before the fact. Rather the first story represents how we, with knowledge of outcome and as stakeholders, react to failures. Reactions to failure are driven by the consequences of failure for victims and other stakeholders and by the costs associated with changes made to satisfy stakeholders that the threats represented by the failure are under sufficient control. This is a social and political process about how we attribute ‘cause’ for dreadful and surprising breakdowns in systems that we depend on (Woods et al 1994; Schon 1995).

Knowledge of outcome distorts our view of the nature of practice. We simplify the dilemmas, complexities and difficulties practitioners face and how they usually cope with these factors to produce success. The distorted view leads people to propose ‘solutions’ that actually can be counterproductive.

(a) if they degrade the flow of information that supports learning about systemic vulnerabilities; and

(b) if they create new complexities to plague practice.

6.3. Understand work as performed at the sharp end of the system

When we start to pursue the ‘second story’, our attention is directed to people working at the sharp end of a system such as health care. The substance of the second story resides at the sharp end of the system as organisational, economic, human and technological factors play out to create outcomes. Sharp end practitioners who work in this setting face of a variety of difficulties, complexities, dilemmas and trade-offs and are called on to achieve multiple, often conflicting, goals. Safety is created here at the sharp end as practitioners interact with the hazardous processes inherent in the field of activity in the face of the multiple demands and using the available tools and resources. To follow second stories, one looks more broadly than a single case to understand how practitioners at the sharp end function – the nature of technical work as experienced by the practitioner in context. This is seen in research as a practice-centred view of technical work in context (Barley and Orr 1997).

Ultimately, all efforts to improve safety will be translated into new demands, constraints, tools or resources that appear at the sharp end. Improving safety depends on investing in resources that support practitioners in meeting the demands and overcoming the inherent hazards in that setting.

6.4. Search for systemic vulnerabilities

Through practice-centred observation and studies of technical work in context, safety is not found in a single person, device or department of an organisation. Instead, safety is created and sometimes broken in systems, not individuals (Cook et al 2000). The issue is finding systemic vulnerabilities, not flawed individuals.

6.5. Study how practice creates safety

Typically, reactions to failure assume the system is ‘safe’ (or has been made safe) inherently and that overt failures are only the mark of an unreliable component. But what is irreducible is uncertainty about the future, change and finite resources. As a result, all systems confront inherent hazards, trade-offs and are vulnerable to failure. Second stories reveal how practice is organised to allow practitioners to create success in the face of threats. Individuals, teams and organisations are aware of hazards and adapt their practices and tools to guard against or defuse these threats to safety. It is these efforts that ‘make safety’. This view of the human role in safety has been a part of complex systems research since its origins (see Rasmussen et al 1994, ch. 6).

The Technical Work in Context maxim tell us to study how practice copes with hazards and resolves trade-offs, for the most part succeeding yet in some situations failing. However, the adaptations of individuals, teams and organisations can be limited or stale so that feedback about how well adaptations are working or about how the environment is changing is critical. Examining the weaknesses and strengths, costs and benefits of these adaptations points to the areas ripe for improvement. As a result, progress depends on studying how practice creates safety in the face of challenges – expertise in context (Feltovich et al 1997; Klein, 1998).

6.6. Search for underlying patterns

In the discussions of some particular episode or ‘hot button’ issue it is easy for commentators to examine only surface characteristics of the area in question. Progress has come from going beyond the surface descriptions (the phenotypes of failures) to discover underlying patterns of systemic factors (genotypical patterns; see Hollnagel 1993; 1998).

The Genotypes Maxim

Progress on safety comes from going beyond the surface descriptions (the phenotypes of failures) to discover underlying patterns of systemic factors (genotypical patterns). Genotypes are concepts and models about how people, teams and organisations coordinate information and activities to handle evolving situations and cope with the complexities of that work domain. These underlying patterns are not simply about knowledge of one area in particular field of practice. Rather, they apply, test and extend knowledge about how people contribute to safety and failure and how complex systems fail by addressing the factors at work in this particular setting. As a result, when we examine technical work, search for underlying patterns by contrasting sets of cases.

6.7. Examine how change will produce new vulnerabilities and paths to failure

As capabilities, tools, organisations and economic pressures change, vulnerabilities to failure change as well.

Safety is a Dynamic Process Maxim

The state of safety in any system always is dynamic. Systems exist in a changing world. The environment, organisation, economics, capabilities, technology, management and regulatory context all change over time. This backdrop of continuous systemic change ensures that hazards and how they are managed are constantly changing. Plus, the basic pattern in complex systems is a drift toward failure as planned defences erode in the face of production pressures and change. As a result, when we examine technical work in context, we need to understand how economic, organisational and technological change can create new vulnerabilities in spite of or in addition to providing new benefits. Research reveals that organisations that manage potentially hazardous technical operations remarkably successfully create safety by anticipating and planning for unexpected events and future surprises. These organizations did not take past success as a reason for confidence. Instead they continued to invest in anticipating the changing potential for failure because of the deeply held understanding that their knowledge base was fragile in the face of the hazards inherent in their work and the changes omnipresent in their environment (Rochlin 1999).

Law of Stretched Systems

Under resource pressure, the benefits of change are taken in increased productivity, pushing the system back to the edge of the performance envelope. Change occurs to improve systems. However, because the system is under resource and performance pressures from stakeholders, we tend to take the benefits of change in the form of increased productivity and efficiency and not in the form of a more resilient, robust and therefore safer system (Rasmussen 1986). Researchers in the field speak of this observation as follows: systems under pressure move back to the ‘edge of the performance envelope’ or the Law of Stretched Systems (Woods 2002):

…we are talking about a law of systems development, which is every system operates, always at its capacity. As soon as there is some improvement, some new technology, we stretch it… (Hirschhorn 1997)

Change under resource and performance pressures tends to increase coupling, that is, the interconnections between parts and activities, in order to achieve greater efficiency and productivity. However, research has found that increasing coupling also increases operational complexity and increases the difficulty of the problems practitioners can face. Jens Rasmussen (1986) and Charles Perrow (1984) provided some of the first accounts of the role of coupling and complexity in modern system failures.

6.8. Use new technology to support and enhance human expertise

The notion that it is easy to get ‘substantial gains’ through computerisation is common in many fields. The implication is that computerisation by itself reduces human error and system breakdown. Any difficulties that are raised about the computerisation process become mere details to be worked out later.

6.9. Tame complexity through new forms of feedback

The theme that leaps out from past results is that failure represents breakdowns in adaptations directed at coping with complexity. Success relates to organisations, groups and individuals who are skilful at recognising the need to adapt in a changing, variable world and in developing ways to adapt plans to meet these changing conditions despite the risk of negative side effects.

Recovery before negative consequences occur, adapting plans to handle variations and surprise, and recognising side effects of change are all critical to high resilience in human and organisational performance. Yet, all of these processes depend fundamentally on the ability to see the emerging effects of decisions, actions, policies – feedback, especially feedback about the future. In general, increasing complexity can be balanced with improved feedback. Improving feedback is a critical investment area for improving human performance and guarding against paths toward failure. The constructive response to issues on safety is to study where and how to invest in better feedback.

2.4. ongoing safety initiatives with relevance to IFATCA activities


The conclusion of AN-Conf11 will have an impact on Safety in ATM. Not only will the draft manual on safety management for air traffic services become a PANS-ATM (Doc 4444) requirement, but some of the outcome of the ATMCP will lead to more relevance of Safety in the technical domain. Something, which nowadays is limited to TLS of a technical system, will be more complex as the systems and their architecture will be an integral part of providing safety. This will be monitored by the EB through the various inputs in the ICAO work.

ICAO has set a global safety performance target in the specification of the objectives of the Global Aviation Safety Programme (GASP). The GASP serves to focus the safety-related activities within ICAO on those safety initiatives, either planned or in progress, that offer the best safety dividend in terms of reducing accident numbers and rates worldwide. This GASP programme can be consulted at the ICAO website.

ICAO has established through the publication of the Line Operations Safety Audit (LOSA) Manual (ICAO Doc. 9803, ICAO, Montreal, Canada) an additional layer of looking at how to improve safety. All conventional sources of safety data in the aviation industry are related to occurrences: incident reporting, accident investigation, flight data recorder analysis, etcetera. Complementing these sources is a system of individual proficiency checking that is common for pilots and not-so-common for air traffic controllers. Such proficiency checking can be done in a simulator or during real operations, or as a combination of both options. From a safety management perspective though proficiency checks provide little information on the safety status of the system, for the individuals who are checked generally display their best behaviour (“angel behaviour”) during the check, which is not necessarily the behaviour they display when in a “normal” work situation. Yet in a normal work situation the same individuals or crews must cope with a multitude of factors that potentially affect the safety of the flight(s) for which they are responsible. Knowing what those factors are and how the crews manage them in real-life situations provides an additional source of safety information that an aviation organisation can use for its safety change process. This source therefore is an additional component to the organisation’s safety management system. Therefore the notion of Threat and Error Management has been introduced on the flight deck. For well over a decade aircrew have received Crew Resource Management (CRM) training on a structural basis. The aim of CRM training is to give the crews a tool for error management that can be used in their normal working environment. CRM has evolved into its sixth generation, which can be characterized as “Threat and Error Management” (TEM)(Ruitenberg B., Report for IFATCA of the first NOSS Workshop, IFATCA, 2003). In ATC Team Resource Management (TRM) has been introduced in analogy of CRM. Tentatively ICAO and other interested parties have established the need to extend the notion of LOSA and TEM into ATC. This has led to the organization of the first workshop of Normal Operations Safety Survey NOSS. IFATCA HFS has participated to this workshop and he will make a presentation on the outcome of NOSS during the Hong Kong Conference in Committee B and C.

ICAO Bangkok, Dakar and Nairobi office do work on a so – called ATS deficiency list which should highlight safety relevant deficiencies in ATS. Whereas in the AFM region of IFATCA we participate in this work, in the ASP region there is still some discussion ongoing if we should participate and in which form. See as well WP 04 B 6.1.3. discussing this initiative. Several items have to be clarified with regard to such an ATS deficiency list:

– INFORMATION: Does IFATCA wishes to educate it’s Members to use these ICAO forms? There is certainly a need to clearly explain what is required and what is not and how such a list should be used. There may even be a need to have explanatory material produced for the ATCO’s.

– MODALITY OF COLLECTION: How does IFATCA wish to update and collect the reports which would be delivered by our Member Associations? Through the IFATCA Office or the Regional EVP ? This has to be sorted out as well. If we do institutionalise the ATS deficiency list then we might have to re-organise collection of data.

– LEGAL ISSUES: What is the legality of such data collection? Some reports could not even be published because we are not the owner of the information, neither are we sure that there might not be a legal battle following some of the data being published etc.

– WHAT IS THE AIM OF SUCH A LIST? How would IFATCA use such a list of ATS deficiencies? Only through ICAO or at the Annual Conference would we update it like IFALPA does at some of their conferences.


IATA has embarked on a global safety initiative (ASNET). IFATCA has been invited to participate in this important work and the EB has agreed to this. This can take various forms. The IATA initiative looks at establishing in all it’s region similar ATS Safety platforms (i.e. AFI, or Steades in Europe). IFATCA has indicated that there is a need to have a common understanding of taxonomy and various elements. Our Human Factor Specialist B. Ruitenberg has participated in a sub-group which looks at classification of accidents and serious incidents of IATA member airlines for the first time in January (see annexe 6 the report). Keziah Ogutu has participated for 2nd time to the IATA AFI work (see WP 04 B 6.1.2.).


Publishes a so-called “star” list – which looks at the deficiencies of airport, ATC etc. analysing various aspects from security through to safety, based on pilots reports. IFATCA has tried at some of the conference to give some feedback to IFALPA with regard to this list. Sometimes it does cause undue hard-ship for ATCO’s. A recent request by IFALPA to address together the criminalisation issue of professionals (pilots and ATCOs) will be dealt with over the coming months.


AGAS outcome and the SSAP (See WP 04 C 5.16) where IFATCA participates and gives support to this initiative. Eurocontrol is preparing education material for Air Traffic Controller – to increase awareness among the work force on basic principles of Safety. This will be published by the end of the year 2004 and will be available through the Eurocontrol website.

IFATCA participates as well in the Eurocontrol Safety R&D Advisory group. This group looks at needs and possible R&D to understand, promote and improve safety for the ECAC states.

Further IFATCA has participated at the legal-impediment workshop organised by Eurocontrol in December 2003 (see WP 04 C 5.13).


The Global Aviation Information Network (GAIN) 20is an industry-led international coalition of airlines, manufacturers, employee groups, governments and other aviation organizations formed to promote and facilitate the voluntary collection and sharing of safety information by and among users in the international aviation community to improve aviation safety.

The GAIN concept was proposed in May 1996 as a way to significantly improve aviation safety through the enhanced use of safety information. The GAIN philosophy is that the collection, analysis, and sharing of safety information using advanced technologies in a just culture environment will illuminate safety concerns and permit identification and implementation of effective mitigations.

Over 1,000 aviation safety professionals from 54 countries have participated in the GAIN program since its inception in 1996. Organizations participating in GAIN include airlines, airframe manufacturers, avionics and safety software developers, employee groups (pilots, mechanics, air traffic controllers, and flight attendants), civil aviation authorities, accident investigation boards, air traffic service providers, aviation trade associations, military aviation, and university groups involved in aviation safety. IFATCA participates through SC4 members attending some of the working groups looking at ATC. In his function as National representative of NATCA our EVP Finance, Dale Wright is member of the Steering committee of GAIN.

Eurocontrol Safety Regulation Commission started to work more closely with GAIN There is a WP Working Group E (Flight Ops/ATC Ops Safety Information Sharing) of GAIN which looks at the possibility of having more ATC input into GAIN (flight ops). The head of the SRU is co- chairing this group.


ISASI ( is a society formed to promote air safety by the exchange of ideas, experiences and information about aircraft accident investigations, and to otherwise aid in the advancement of flight safety; to promote technical advancement by providing professional education through lectures, displays and presentations and by the exchange of information for mutual development of improved investigations; to broaden professional relationships among members; to maintain and increase the prestige, standing and influence of the Air Safety Investigator in matters of air safety. The Society was founded in the United States under articles of incorporation in the District of Columbia on August 14, 1964. Our Human Factor Specialist, Bert Ruitenberg participates an individual member of ISASI and as such tries to use his expertise as ATCO and HF person to the benefit of both ISASI and IFATCA.


3.1. As air traffic controllers we should champion the cause of safety. This papers tries to provide some general overview on Safety issues.

3.2. That this paper is read in conjunction with the following WP B.6.1.2., B 6.1.3., C 5.11 – C 5.17., and is being discussed by Directors for further possible action.


4.1. That this paper is accepted as information material.


AMALBERTI R. Les effets pervers de l’ultrasécurité, La Recherche, Paris, Avril 1999.

AMALBERTI R. La conduite des systèmes à risques, Paris, PUF, 1996.

BAUMGARTNER M., GILGEN C., LAURSEN T., Where are we? Presentation to Skyguide, unpubished internal note, Geneva, 2003.

BOEING Cornerstone of ATM Performance, WTT, Seattle, 2002.

BOUGRINE Y. Dualité Stress – Sécurité le contrôle du trafic aérien, unpublished DU report, LAA5, Paris, 2001.

BOUGRINE Y., GAWINOWSKI G., et al., Models de sécurité appliqués au contrôle du trafic aérien : comprendre le métier de contrôleur, Intermediate report, Eurocontrol, Brétigny – sur – Orge, May 2001.

DEKKER S. When Human error becomes a crime, Journal of Human Factors and Aerospace Safety, (not published) Sweden, 2003.

DEKKER S., The Field Guide to Human Error Investigations. Ashgate, 2002.

DOMOGALA P. « Key Issue for 2003 – Safety », The Controller 4/2002, vol.41 ISSN 00108073, IFATCA.

EK A. ET AL Safety cultura in the Swedish air navigation services, Report 4th Conference of the european Academy of Occupational Health Psychology, Viena, December 2002, 58-61.

EUROCONTROL Skyway Magazine, Eurocontrol, Summer 2003, Bruxelles.

EUROCONTROL, ESARR2, Reporting and assessment of safety occurrences in ATM, Eurocontrol, Brussel, 3.11.2000.

EUROCONTROL, EAM2/GUI2, ESARR2 guidance to ATM safety regulators, Publication and Confidentiality Policy, Eurocontrol, Brussels, 12.11.1999.

EUROCONTROL, EAM2/GUI2, ESARR2 guidance to ATM safety regulators, Publication and Confidentiality Policy, Eurocontrol, Brussels, 12.11.1999.Art. 1 p.8.

EUROCONTROL. Integrated task and job analysis of air traffic controllers, phase 3, Eurocontrol, Brussels, September 2000.

EUROCONTROL. Short report on human performance models and taxonomies of human error in ATM (HERA), Eurocontrol, Brussels, April 2002.

EUROCONTROL. Technical review of human performance models and taxonomies of human error in ATM (HERA), Eurocontrol, Brussels, April 2002.

FASSERT C. La transparence en question : les incidents dans le contrôle de la navigation aérienne,Mémoire de D.E.A. de Philosophie, Paris, September 2001.

GAWINOWSKI G. Contribution de l’approche stress aux models de la sécurité aérienne, unpublished UD report LAA5, Paris, 2001.

GUICHARD L. De la théorie du stress au mur de la sécurité : le travail des controllers aériens,unpublished UD report, LAA5, Paris, 2001.

HOLLNAGEL E. Understanding Accidents – From Root Causes to Performance Variability, Sweden, 2003.

HUDSON P., Aviation Safety Culture, Safeskies, Centre for Safety Science, Leiden University, 2001.

ICAO Annexe 13 to the convention on International Civil Aviation, Aircraft Accident and Incident Investigation, 9th Edition, ICAO, Montreal, July 2001.

ICAO Doc 4444 PANS-ATM, ICAO, Montreal, 2002.

ICAO Manual on Safety Management for Air Navigation Services Information Paper 9ANConf 11, Montreal, 2003.

ICAO Appendix 11, Montreal, ICAO, 12th edition 1998.

IFATCA THINK! SES, IFATCA, Montreal, 2003.

IFATCA. Manual, IFATCA, Montreal, June 2002.

ISAAC A., RUITENBERG B. Air traffic control: Human performance Factors, Ashgate, Aldershot, Hampshire, UK, 1999.

KASTNER M. Belastung und Beanspruchung in den Flugsicherungsdiensten, Kurzfassung des arbeitswissenschafltichen Gutachtens Universität Dortmund, Deutsche Flugsicherung GmbH, Offenbach, 1998.

LE GOFF M. Stress et contrôle aérien, mémoire UD, Université Pierre and Marie Curie – Paris VI, Paris, 1998.

LEVESLEY JOHN, Report of SCST, IFATCA, 2003, UK internal note.

LEVESLEY JOHN, Comments on ERC ConOps, IFATCA 2003, UK, internal note.

NLR REACH Aviation Safety Management in Switzerland, Recovering from the myth of perfection, Holland, 2003.

OECD Emerging Risk of the 21st Century, Paris 2003.

REASON J.T. The Chernobyl erros. Bulletin of the British Psychological Society, 40 210216.

REASON J.T. Human error. Cambridge, UK, Cambridge University press, 1990.

REASON J.T. Managing the risks of organizational accidents, Aldershot, Uk, Ashgate, 1997.

RUITENBERG B., Notes for IFATCA on NOSS, IFATCA 2003, NL, internal note.

SCHUBERT F., La responsibilité des agences du contrôle de la circulation aérienne, Lenticuralis, Opfikon, 1994.

VIDLER N. Under control, Griffin Press Pty. Ltd. Netley, Sydney, 2001.

WOODS D., Creating Foresight: How Resilience Enginering can transform NASA’s Approach to Risky Decisión Making, Testimony on the future of NASA, USA Congress, 29.10.2003.

Annex 1

Annex 2

Graphical description of the SHELL Model

Annex 3

Risk Assessment Matrix

Annex 4

Eurocontrol definition to Determine National ATM Safety Minima

The basic steps are as follows:

Step 1

Determine the annual rate of accidents (The present ESARR 4 only defines an ECAC Safety Minima for Commercial Air Transport flights involving Aircraft (excluding helicopters) with a Maximum Take-off Weight (MTOW) greater than 2,25 tonnes. ESARR 4 also recommends the definition of TLS in other areas of airspace, for example where exclusive General Aviation operations are carried out. For ATM, one accident can involve 2 or more aircraft. See A2 of ESARR 2) with Direct ATM contribution based on historical data (See A3-2 of ESARR 2 and associated definition in ESARR 2. SRC Policy Document 1 used the period 1988 to 1999).

Within SRC POLICY DOC 1 this took two steps, firstly the derivation of annual accident data, and then secondly a derivation of the percentage of accidents with direct ATM contribution. States could follow the mechanism in SRC POL DOC 1 by organising an expert group which will analyse the causes of accidents and determine the ATM direct contribution.

The multiplication of these gave the annual rate of accidents with Direct ATM contribution.

Step 2

Determine expected number of flight hours (or number of flights) in 2015 from present figures and expected rate of traffic growth for period to 2015.

Step 3

Determine unadjusted National ATM Safety Minima for 2015. This is the annual rate of accidents with ATM direct contribution derived in step 1 divided by the number of flight hours (or number of flights) in 2015 derived in Step 2 (As the number of national accidents with direct ATM contribution are not allowed to increase (Equivalent to the safety objective from the ATM 2000+ Strategy for ECAC wide accidents)).

Step 4

Compare unadjusted National ATM Safety minima for 2015 derived in step 3 with the ECAC ATM Safety minima derived from POLICY DOC 1 (1.55 x 10-8 per flight hour or 2.31 x 10-8 per flight).

Where the unadjusted National ATM Safety Minima for 2015 derived from step 3 is numerically greater than the ECAC TLS, then this indicates that the expected performance of the National ATM system will be less safe than the ECAC Safety Minima requires. In such cases, the ECAC ATM Safety Minima shall be the Target National ATM Safety Minima used.

Where the unadjusted National ATM Safety Minima for 2015 derived from step 3 is numerically smaller than the ECAC Safety Minima for 2015, i.e. expected to indicate the unadjusted National ATM Safety Minima is safer than the ECAC ATM Safety Minima for 2015, then the unadjusted National ATM Safety Minima for 2015 or the ECAC ATM Safety Minima for 2015 can be used for the Target National ATM Safety Minima for 2015.

Step 5

Decide on National ATM Safety Minima for 2015.

The Nation still has the option of using a National ATM Safety Minima for 2015, when designing the national ATM system, that is numerically smaller than the ECAC ATM Safety Minima for 2015 (This allows National Authorities to set more stringent (Safer – numerically smaller) Safety Minima if desired. Some countries also consider the obligation under the ECAC ATM 2000+ strategy to mean that the number of accidents in the country shall not increase. This would mean that these countries could not take the ECAC ATM Safety Minima if this is numerically larger than the National ATM Safety Minima).

However this might not be as easy as lined out therefore further provisions are being given by Eurocontrol.

Guidance for when the general method fails

When the data review is carried out, it can be expected that some states will find that the data indicates one of the following conditions:

  • no accidents (used in step 1) (see paragraph 0),
  • some accidents, but none with an identified ATM direct contribution (used in step 1) (see paragraph 0),
  • unknown national traffic growth (used in step 2) (see paragraph 0).

No Accidents Recorded in National Database

This is the case when states do not have any record for accidents. Therefore no data is available to start working on the safety minima. In this case:

  • States can interrogate ICAO database (or others) and identify if records are available within that database that apply to their state.
  • should no records be available within ICAO database states could make use of the historical derived rate of 1.55 * 10-8 accident/flight hour (or 2.31 x 10-8 per flight) with ATM direct contribution used within the SRC POL DOC 1.

No ATM Direct Contribution Identified from the Analysis of Accidents Recorded in the National Database

This is the case when no ATM direct contribution can be determined from the analysis of the causes of the accidents recorded in the period chosen for the analysis. This case has the following possible solutions:

  • States could adopt the figure used within SRC POL DOC 1 for the ATM direct contribution: 2%. States could then form an expert group to decide if this value is appropriate for their environment of operations. or
  • States could form an expert group to decide the percentage figure for ATM direct contribution appropriate for their environment of operations.

No Traffic Forecast is Available at National Level

This is the case when no forecast mechanism is available at national level and states can not assume which is the percentage which their traffic will increase or decrease. When such situation is encountered states could adopt the STATFOR (See for further information) forecast plan. The STATFOR is (in 2003) proposing three scenarios which include:

  • low scenario increase by 2,5% per annum,
  • baseline scenario increase by 3,6% per annum,
  • high level scenario increase by 4,7% per annum.

The high level scenario (or when appropriate, the individual regional forecasts in the STATFOR report) could be given preference unless national situation can justify another choice.

Regular Review of national atm safety minima

It is considered that the initial data capture exercise to determine the National ATM Safety Minima will be open to a great deal of uncertainty depending on the quality of data available. The purpose of this step is to undertake a regular review of the National ATM Safety Minima to ensure that the latest data is used. The review is then necessary to determine if the National ATM Safety Minima remains consistent with ESARR 4 or indicates required changes to the Risk Tolerability scheme at national level.

Annex 5

James Reason Model

The Swiss cheese model of how defences, barriers, and safeguards may be penetrated by an accident trajectory.

Annex 6

Report of IATA Classificaton Working Group meeting attended by the HFS


IATA Classification Working Group meeting
CDG Airport, Paris, France, 12-16 January 2004
Report by Bert Ruitenberg

One of the aims of my attendance was to find out if IFATCA should become involved in the work of the CWG on a permanent basis.

The CWG comprises flight safety experts from various airlines (usually the safety managers in their respective companies) and aircraft manufacturers (Boeing, Airbus, Bombardier and Embraer were represented in Paris) as well as invited specialists from ICAO, IFALPA and now also IFATCA.

What they do in their January meeting each year is review the aircraft accidents of the preceding year and try to classify the events according a specific IATA categorisation system. The group also identifies possible preventive strategies for the events. This combined product is subsequently given to the IATA Safety Committee for the production of the IATA Annual Safety Report which contains a lot of statistical information and safety recommendations.

In previous years the group had identified a lack of expertise in the ATC domain when coding certain events, hence the invitation for IFATCA to become involved in the CWG.

To prepare for the meeting all CWG members had received an overview of the events of 2003, subdivided in western built/eastern built aircraft, jets/turboprops and hull loss/structural damage categories. There also was a document with the various IATA classifications available.

The overview of the events also contained a set of narratives for the various categories, which basically consisted of the information available from public sources such as press reports, internet bulletins etcetera, augmented with information from one of the world’s leading aviation insurers (Airclaims Ltd.). This may seem strange, but until the official investigation reports are available (usually much later than in January the following year) this is all there is to go on for the CWG. It should be remembered that the CWG is not trying to come up with an investigation report themselves, but with data for statistics on which to base safety recommendations.

After doing the preparatory work before coming to the meeting, I was entertaining the opinion that perhaps someone from Eurocontrol involved in the HEIDI project would be a better candidate for CWG membership than IFATCA. However, having been involved in the work of the CWG for almost three days I don’t hold that opinion anymore. There definitely is a need for a person in the group with a current ATC background, knowledge of international air transport operations and an international network for information at his/her disposal. IFATCA would seem to be a logical supplier of such a person.

I found that I was able to contribute to the work of the CWG by just participating in the discussions around the coding of the events. In many cases the group members were able to provide additional information that was not in the narratives, in particular the manufacturers.

Also, there were at least three ATC related cases on which information was lacking that I may be able to supply using the IFATCA channels. These cases comprise one in Kenya, one in Taiwan and one in Nigeria. In fact I was able to provide information on the Taiwan case already in the meeting, following a quick e-mail exchange with K.F. Chou, a former ATCO who now works for the Taiwanese accident investigation bureau. At the time of writing this report I’ve not yet received any response to my requests for information from our colleagues in Kenya and Nigeria, but I intend to follow this up.

There are some interesting trends noticeable in the 2003 events. Several accidents were related to landings on runways that were contaminated with water in or after heavy rain over the airport. Information about the presence of water on the runway was not passed to the crews by ATC in almost all of the cases. (Whether or not ATC had that information available is another question. From a systemic perspective however it can be argued they should have.) Another recurring factor was ferry flight operations, and a third was related to the execution of non-precision approaches in poor weather.

In summary, it is my view that I was able to contribute something to the CWG as an IFATCA representative that otherwise wouldn’t have been available. Whether this is sufficient for IFATCA to decide to become permanently involved in the CWG work is for the EB to decide.

Last Update: September 29, 2020  

March 25, 2020   489   Jean-Francois Lepage    2004    

Comments are closed.

  • Search Knowledgebase