Safety Function Maps (SAFMAPs)

Description

SAFMAPs (safety function maps) are barrier models based on structured documentation of the available defences against a particular unwanted accident outcome (e.g. midair collision). These barriers either form part of the ATM system (ground and/or airborne component) or can otherwise impact the safety performance of ATM or aircraft navigation.

SAFMAPs are used in the annual reviews conducted by EUROCONTROL SAFOPS. These reviews include the examination and analysis of safety occurrences and the identification of recurring patterns and safety risks.

A principle applied to the construction of SAFMAPs is to include all barriers which are available and "used by someone" in the industry. This means that SAFMAPs also serve as a repository of best practices that are not necessarily required by regulations. Examples of these are the use of short-term conflict probes, A-SMGCS level 2 functions or runway status lights.

The description of a safety barrier is usually generic. For example, "Pilot/driver detection of potential RWY conflict and prevention of incorrect entry onto the RWY protected area" does not specify the actual means for implementation such as stop-bars, runway guard lights or runway entry lights. Similarly, "Prevention of overlooking potentially conflicting aircraft when issuing clearance or instruction" does not specify the actual tools and procedures such as MTCD, ATCO structured scan of their situation display, team member support, short-term conflict probe or Cleared Flight Level (CFL) processing and alerting by the STCA.

The following example illustrates this structure using the Mid-air collision SAFMAP, which has six basic safety functions. These, together with the consequences of each of them failing, are depicted in the chart below.

The arrows show the development of the occurrence. If the first basic function ("Tactical conflict prevention") fails, then the phase moves to "Airborne tactical conflict". It is now up to the barriers within "Tactical separation assurance" to prevent further development. If those fail as well, the event becomes "Separation infringement" and further development is to be stopped by "ATC collision avoidance".

SAFMAPs are hierarchical structures: higher-level barriers (functions) can often be decomposed into several lower-level barriers. The highest level consists of the basic safety functions. Each of these is decomposed into more detailed Level 1 safety functions and, in the same manner, each Level 1 safety function may be further decomposed into several Level 2 safety functions. Currently, Level 4 is the most detailed specification, and not all safety functions are necessarily decomposed to the same extent. A function is decomposed further only if the need has been demonstrated by several incidents that illustrate different ways in which that function can be implemented or challenged.

The arrangement of functions within the same level determines how they can be penetrated. When a function is decomposed into more than one lower-level barrier, the arrangement of those barriers defines the conditions under which the upper-level function is penetrated. See the picture below for examples.

In Scenario 1, penetration of any one of the lower-level barriers penetrates the upper-level barrier. In Scenario 2, all three lower-level barriers need to be penetrated for the incident to develop further. In Scenario 3, Barrier 3 and one of the others (1 or 2) need to fail for the occurrence to progress.

When an incident is reviewed with the help of a SAFMAP, the objective is to identify all relevant safety functions. The process is not limited only to identifying the functions that failed, but also those that worked and provided resilience. The following qualifications for a function are possible:

  • Not challenged but available;
  • Challenged and failed;
  • Challenged and worked;
  • Not challenged but not available;
  • Not applicable to the scenario.

Thus, each incident is described as a sequence of safety functions and their status (challenged, worked, etc.). This gives an elaborate description of what happened in the particular scenario, but not of why it happened. Note that the investigation report often does not provide sufficient information to qualify the performance of all safety functions, so for some of them the information is either missing or the function is qualified without any contextual information.

Sometimes an incident is stopped between two barriers but not by a barrier itself. In such situations, the graphical representation includes a thinner barrier and the text "No need for XXX" where XXX is the barrier that was not breached. The picture below provides an example of this.

Decomposition of the "Tactical Separation Assurance" Level 1 barrier into Level 2 safety functions (the previous and next Level 1 barriers are provided for context). The "No need for ATC separation infringement prevention" is intentionally thinner to account for the fact that it does not include active preventive measures.
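The following Python model is added here as an illustration of the three arrangement scenarios, the five qualifications and the "No need for XXX" case described above; it is not part of the SKYbrary article or of any EUROCONTROL tooling. It encodes the arrangements as nested composites (Scenario 3 is an "all" group containing an "any" group), the qualifications as leaf statuses, and walks the basic functions of the mid-air collision map in order to report the phase reached and whether a function stopped the occurrence or was simply not needed. The Level 2 barrier names under "Tactical separation assurance", the incident itself, the "Normal operation" starting phase and the rule that an unavailable barrier offers no resistance are assumptions made for this example.

```python
"""Toy evaluator for SAFMAP-style barrier decomposition and incident
progression. Added example, not EUROCONTROL or SKYbrary code."""
from dataclasses import dataclass, field
from typing import Optional, Union

# The five qualifications the article lists for a safety function.
AVAILABLE = "Not challenged but available"
FAILED = "Challenged and failed"
WORKED = "Challenged and worked"
NOT_AVAILABLE = "Not challenged but not available"
NOT_APPLICABLE = "Not applicable to the scenario"


@dataclass
class Barrier:
    """Lowest-level safety function with its qualification for one incident."""
    name: str
    status: str


@dataclass
class Composite:
    """Function decomposed into lower-level barriers. Arrangement "any":
    penetrating any child penetrates this function (Scenario 1); "all": every
    child must be penetrated (Scenario 2). Scenario 3 is all(any(B1, B2), B3)."""
    name: str
    arrangement: str
    children: list = field(default_factory=list)


Node = Union[Barrier, Composite]


def penetrated(node: Node) -> Optional[bool]:
    """True if the occurrence got past this function, None if not applicable.
    Assumption (not in the article): a barrier that is not available offers
    no resistance, so it counts as penetrated when the occurrence reaches it."""
    if isinstance(node, Barrier):
        if node.status == NOT_APPLICABLE:
            return None
        return node.status in (FAILED, NOT_AVAILABLE)
    results = [r for r in map(penetrated, node.children) if r is not None]
    if not results:
        return None
    if node.arrangement == "any":
        return any(results)
    if node.arrangement == "all":
        return all(results)
    raise ValueError(f"unknown arrangement {node.arrangement!r}")


def held(node: Node) -> bool:
    """True if some barrier within this function was challenged and worked."""
    if isinstance(node, Barrier):
        return node.status == WORKED
    return any(held(c) for c in node.children)


def progression(chain: list, start: str) -> dict:
    """Walk the basic functions in order; chain = [(node, phase_if_penetrated)].
    Reports the phase reached, what stopped the occurrence ("No need for X" when
    it stopped before reaching an unchallenged X) and the qualification sequence."""
    phase, stopped_by, sequence = start, None, []
    for node, next_phase in chain:
        result = penetrated(node)
        sequence.append((node.name, result))
        if result is None:
            continue  # not applicable: neither stops nor advances the occurrence
        if result:
            phase = next_phase
            continue
        stopped_by = node.name if held(node) else f"No need for {node.name}"
        break
    return {"phase": phase, "stopped_by": stopped_by, "sequence": sequence}


def example_incident() -> dict:
    """Constructed incident (not a real occurrence): the conflict was not
    prevented, both controllers overlooked it and the unit has no STCA, so
    separation was infringed; an ATC avoiding-action instruction then worked."""
    separation_assurance = Composite("Tactical separation assurance", "any", [
        Composite("Conflict detection", "all", [       # parallel means: all must fail
            Barrier("ATCO structured scan", FAILED),
            Barrier("Team member support", FAILED),
            Barrier("STCA alert", NOT_AVAILABLE),
        ]),
        Barrier("Conflict resolution", AVAILABLE),     # never reached, so unchallenged
    ])
    chain = [  # phase labels from the article; "Normal operation" is assumed
        (Barrier("Tactical conflict prevention", FAILED), "Airborne tactical conflict"),
        (separation_assurance, "Separation infringement"),
        (Barrier("ATC collision avoidance", WORKED), None),  # the map ends here
    ]
    return progression(chain, "Normal operation")
```

Calling example_incident() reports that the occurrence reached "Separation infringement" and was stopped by "ATC collision avoidance", with "Tactical separation assurance" penetrated because the "all" detection group failed as a whole. Replacing the separation assurance node with a single barrier qualified as "Not challenged but available" yields "No need for Tactical separation assurance", the thinner-barrier case from the figure caption.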
