Article citation information:
Rutkowska, P., Krzyżanowski, M. FRAM modelling of the transfer of control over aircraft. Scientific Journal of Silesian University of Technology. Series Transport. 2018, 101, 159-166. ISSN: 0209-3324. DOI: https://doi.org/10.20858/sjsutst.2018.101.15.
Paulina RUTKOWSKA, Mariusz KRZYŻANOWSKI
FRAM MODELLING OF THE TRANSFER OF CONTROL OVER AIRCRAFT
Summary. Aviation is the fastest growing
but also the safest mode of transport. International aviation organizations
give the highest priority to safety while creating aviation regulations.
Therefore, a safety management system (SMS) has been created. Two approaches to
assuring safety in aviation may be distinguished: Safety-I and Safety-II.
Safety-I is the standard approach, focused on processing the information
about malfunctioning features and system elements. On the other hand, Safety-II
is a new approach to safety management, based on identifying the elements
or functions of the system that work properly, which enables the system to
confirm resilience to undesirable effects.
One of the methods
utilized for the Safety-II approach in order to study complex sociotechnical
systems is the FRAM (functional resonance analysis method). The method is
focused on analysing daily activities in various conditions in order to create
a model of work performance. The models created based on the FRAM can be used
for risk analysis, accident investigations and predicting possible future
events affecting aviation safety. This method allows us to simulate system
constraints and uncertain states. It can also be used as support for the air
traffic safety management processes based on the Safety-II approach.
The following article
presents a developed FRAM model for the transfer of control over aircraft.
This model constitutes an example of a coordination scheme limited to basic
activities of air traffic control (ATC) services, providing a general framework
for the construction and operation of the FRAM model.
Keywords: transfer of control;
functional resonance analysis method (FRAM); Safety-I; Safety-II;
sociotechnical systems
1. FRAM
The FRAM is used to study complex
sociotechnical systems. It was created and described by Erik Hollnagel [8], who
noted that complex systems contain a large number of subsystems and
components, whose performance variability is usually absorbed by
the system with minimal effect on the overall system. The main sources of
this variability are people, technology, hidden conditions and barriers.
Hollnagel stated that, as these
elements are not related to each other linearly, they can lead to
an accident. When component variations become too large to be absorbed by
the system, the result becomes adverse. This refers to a functional
resonance effect, which results from a situation in which the system is
not able to function in a normal mode of operation because of the changes
in everyday performance.
The FRAM model describes how the functions of system components are able to
resonate and create hazards, which can get out of control and cause accidents.
1.1. FRAM principles
There are four main principles of
the FRAM, as described below. These assumptions are based on the main concepts
that are necessary to build a FRAM model of a system.
- The principle of the equivalence of success and failure - they have the same source and are caused for the same reasons. While risk management emphasizes error analysis and determines probability of failure, FRAM improves the system's ability to create resilient and flexible processes, as well as monitor and improve risk models. Success is a result of the abilities of individuals, groups of people and organizations to predict the variable risk before the failure occurs. Failure is a temporary or permanent deviation from this situation.
- The principle of approximate adjustments - everyday performance of sociotechnical systems must be adapted to current conditions in the workplace. It is practically impossible to create, in advance, detailed instructions that could be used in the future. The solution is to develop guidelines and procedures that could be used for a particular situation. Workplace operational conditions are changing in various ways, which means that employees must be constantly ready to change plans and be able to adjust the implementation of plans to reflect the changing conditions.
- The principle of emergency operations - it is impossible to explain the features of the complex system merely by describing the performance of its components. Variability in normal performance is rarely large enough to cause any accident or damage. However, the variability of many functions can combine unpredictably, resulting in complex effects. Both the damage and normal operation of the system are usually the result of logical events rather than random events, because they cannot be attributed to failures of individual system components. Sociotechnical systems are difficult to analyse because they change and develop according to the conditions and requirements. It is not always possible to explain the specificity of a given event.
- The principle of functional resonance - a detected signal, which arises from the independent effect of the normal variability of many signals in a given environment. Placing these signals can produce a resonance, in turn producing a warning signal. This emphasizes the dynamics of the phenomenon, which cannot be described by simple cause-and-effect relationships. Figure 1 below depicts the principle of functional resonance.
Fig. 1. FRAM functional resonance [8]
1.2. Stages of FRAM analysis
FRAM analysis consists of the
following steps:
- Identification and description of the basic functions of the system, as well as characterization of each function by using the six basic parameters.
- Checking the completeness and consistency of the model.
- Characterization of the possible variability of the functions for the FRAM model, as well as possible current variations in the functions for one or more model examples.
- Definition of functional resonance, based on the relationships between functions and potential functional variables.
- Identification of resonance development monitoring in order to suppress the variability that may cause undesirable effects or enhance the variability that may lead to desired results.
FRAM models are made from FRAM functional units, which consist of the six
parameters listed below and presented in Figure 2:
- Input
- Output
- Preconditions
- Resources
- Time
- Control
Fig. 2. FRAM model unit with the six basic parameters [8]
Table 1
Characteristics of FRAM functional units [15]
Parameter | Symbol | Description |
Input | I | Incoming information, which is modified by the function to output. This constitutes a reference to previous functions. It triggers the function execution. |
Output | O | Result of the function execution. Provides a reference to further functions. May represent a state change. |
Time | T | Time required for processing by a functional unit. |
Control | C | Limitations, methods and control procedures. They define how the function is monitored and controlled. |
Preconditions | P | System conditions that are determined and must be satisfied before the execution of the function. |
Resources | R | Resources that are required or used while processing a function. |
2. FRAM MODELLING OF THE TRANSFER OF CONTROL OVER AIRCRAFT
2.1. Problem and methodology formulation
The problem
selected for the exemplary analysis of FRAM model operativeness
and correctness was the event of transferring control over the aircraft
between the area control centre (ACC) and approach control (APC) units. This
activity is difficult to analyse with the previously utilized methods, related
to the Safety-I approach, mainly due to the complex interactions between the
human, technological and organizational factors. Those are highly dependent on
the functions involved at different stages of the process. Therefore, an
approach that could analyse possible events and simulate the systems’
limitations and uncertain states could prove highly beneficial for this
particular problem.
Firstly, the
activities in this process should be identified and implemented in the
FRAM Model Visualizer (FMV) software. In the case of the transfer of control
over aircraft, those are selected on the basis of ICAO Doc 4444 [10]:
- Flight data processing system (FDPS) - flight data distribution within the system, updated in real time, related to events recognized by the flight monitoring subsystem.
- Radar data and flight plan - air traffic data, which allow the ATC units to monitor and plan.
- Air traffic monitoring - observation, scanning and inspection of the current situation in the airspace and providing aircraft with information and advice about their ATC clearances.
- Air traffic planning - coordination in planning, organization and use of air traffic.
- Meteo data - meteorological analysis, reports and forecasts, related to existing or expected meteorological conditions, which are forwarded to support ATC decision-making.
- Coordination - between adjacent ATC units providing flight information service.
- TRANSFER function - authorization to pass control over the airplane to the receiving controller.
- ACCEPT function - obligation of passing the aircraft communication immediately.
- Transfer of communication - takes place at the transfer of control point or earlier if specified in the operational letter of agreement (LoA) between the adjacent ATC units.
- Transfer of control - performed between ATC units at the same time as the transfer of communication or just after.
- Communication means - voice communication system solutions, which permit the effective interconnection of various communication systems.
Having stated the elements of the
problem and linked them with non-linear relations, the tool is able to indicate
which of them form the basis of the system’s resilience and protect it
from unforeseen circumstances. Creating the FRAM model also allows us to
greatly improve its ability to create durable and flexible processes.
The activity of the transfer of
control over aircraft, along with the model created in the FMV, is discussed in
the following chapters.
2.2. Procedures for the transfer of control over aircraft
When it is agreed that the adjacent
ATC units have the same radar data, the process of transferring the aircraft
takes place via the TRANSFER function. This process is computer-aided and used
to eliminate verbal coordination and the manual input of the data into the
system. It is initiated by the transferring controller. Using this function
means:
- Sending the aircraft address
- Confirmation that control over the aircraft has been passed to the receiving controller
- An obligation to immediately transfer communication with the aircraft
Next, the receiving controller
should use the ACCEPT function for the aircraft, which means:
- Accepting the conditions of release and transfer of control
- Requiring aircraft communication to be passed immediately
After using the ACCEPT function, the
communication is sent by the transferring controller to the receiving one. The
communication transfer and release of control take place, at the latest, at the
transfer of control point, but no earlier than specified in the operational LoA
between the adjacent ATS units.
Exchange of flight data is based on
the assumption that the controllers are using the same database containing
current flight plans in the FDPS module. This server receives, automatically
analyses and processes, and then sends flight plan data to
the controllers. Any change to the current flight plan requires correcting
it in the system by the modifying unit. When the receiving authority has
no access to the system database, the controller may require the transferring
unit to pass the contents of the flight plan by telephone.
2.3. FRAM model for aircraft control transfer
The prepared FRAM model was created
in the FMV tool. According to the instructions for the use of the FMV, created
by Hollnagel [3], the software allows us to graphically display information and
provide useful features to check the completeness of the models.
Transfer of control of aircraft
between ACC and APP units is carried out by means of electronic coordination.
This eliminates the requirement for verbal coordination and the manual
input of data into the system, as well as reduces the time, which is needed for
transfer of control.
Traffic planning in the area of
responsibility of the controller is based on monitoring the traffic
situation by providing data to the system. These include up-to-date radar data
and flight plans or meteorological data.
When the aircraft approaches the
transfer of control point, the transferring controller initiates the TRANSFER
function, which means the obligation to immediately transfer
the communication of the aircraft and the confirmation of the release of
control of the aircraft by the receiving controller under the agreed
conditions. Next, the receiving controller should use the ACCEPT TRANSFER
function for the aircraft, which means the immediate transfer of the
communication of the aircraft and the acceptance of the terms of the release
of control.
Figure 3 presents the created model
of the aircraft control transfer between ATC units.
Fig. 3. FRAM model of transfer of control over the aircraft between ATC units
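A sketch of the stage-2 completeness check and of how variability in one function's Output can reach later functions (for example, a missed FDPS data update). This is an added example, not the FMV's code or the authors' model: the function names come from section 2.1, while the output labels and couplings are assumptions constructed from the prose, not taken from Figure 3.

```python
from collections import defaultdict, deque

ASPECTS = ("I", "P", "R", "T", "C")  # Table 1 aspects that consume an upstream Output

# Constructed couplings (assumption): each function lists its Outputs ("O")
# and the upstream Output labels it consumes under each aspect.
MODEL = {
    "FDPS": {"O": ["flight data"]},
    "Radar data and flight plan": {"I": ["flight data"], "O": ["traffic data"]},
    "Meteo data": {"O": ["meteo reports"]},
    "Air traffic monitoring": {"I": ["traffic data"], "R": ["meteo reports"],
                               "O": ["traffic picture"]},
    "Air traffic planning": {"I": ["traffic picture"], "O": ["traffic plan"]},
    "Coordination": {"I": ["traffic plan"], "C": ["letter of agreement"],
                     "O": ["agreed conditions"]},
    "TRANSFER function": {"I": ["traffic plan"], "P": ["agreed conditions"],
                          "O": ["transfer initiated"]},
    "ACCEPT function": {"I": ["transfer initiated"], "O": ["transfer accepted"]},
    "Communication means": {"O": ["voice channel"]},
    "Transfer of communication": {"I": ["transfer accepted"], "R": ["voice channel"],
                                  "O": ["communication transferred"]},
    "Transfer of control": {"I": ["communication transferred"],
                            "O": ["control transferred"]},
}

def producers(model):
    """Map each Output label to the set of functions that produce it."""
    made = defaultdict(set)
    for name, aspects in model.items():
        for label in aspects.get("O", []):
            made[label].add(name)
    return made

def completeness(model):
    """Return (aspects that no Output feeds, Outputs that no function consumes)."""
    made = producers(model)
    used = {l for a in model.values() for k in ASPECTS for l in a.get(k, [])}
    orphans = sorted((f, k, l) for f, a in model.items() for k in ASPECTS
                     for l in a.get(k, []) if l not in made)
    unused = sorted((f, l) for l, fs in made.items() for f in fs if l not in used)
    return orphans, unused

def downstream(model, source):
    """Functions reachable from `source` through Output-to-aspect couplings."""
    made = producers(model)
    edges = defaultdict(set)
    for name, aspects in model.items():
        for k in ASPECTS:
            for label in aspects.get(k, []):
                for upstream in made.get(label, ()):
                    edges[upstream].add(name)
    seen, queue = set(), deque([source])
    while queue:
        for nxt in edges[queue.popleft()] - seen:
            seen.add(nxt)
            queue.append(nxt)
    return sorted(seen)
```

In this constructed model the check reports the Control "letter of agreement" as having no producing function and "control transferred" as the model's only unconsumed Output, and `downstream(MODEL, "FDPS")` lists every function from radar data through to the transfer of control.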
3. CONCLUSION
The FRAM, which complements the
Safety-II approach, is an innovative method used in aviation, as well as
medicine, nuclear power or maritime transport.
It is used to analyse daily
activities in order to create models of how to perform particular tasks. This
model can then be used for specific types of analysis in order to verify the
feasibility of proposed solutions or interventions, to identify the causes
of errors, possible threats or bottlenecks, and to understand how the
activity is accomplished. It may be the basis of risk analysis or
investigations into accidents that have already occurred or predictions of
possible future events.
In the article, the FRAM method was
used to examine a complex sociotechnical system, such as the ATC service, in
order to determine complex interactions in the daily operation of the system.
This FRAM model facilitates the monitoring and controlling of the variable performance
of ATC work. It also describes how the individual functions of the system
components are able to resonate and create hazards due to, for example, the
lack of FDPS data updates, which, if undetected in time, can lead to accidents
or serious incidents.
The presented model constitutes an
example of a coordination scheme, limited to the basic activities performed by
the ATC services, in order to show the general creation and operation rules for
FRAM models. The elements of the process have been identified and assigned with
a corresponding function type, dependent on either human, technological
or organizational factors. Links between various functions have been
implemented, based on the process of transferring control over aircraft, as
well as the general rules of FRAM analysis. Finally, after supplying the
software with the aforementioned data, it was capable of analysing
the workflow and providing the means to conduct risk analysis, as well as
preventing risk by corrective activities.
Based on the created model, it is
possible to take further steps, such as function parameterization or functional
unit input decomposition. It would allow for a more detailed model expansion,
in order to supplement the processes of coordination and control transfer
between the ATC services. The created model for the coordination and transfer
of control over aircraft may be utilized to confirm or refine the
operational instructions of the ATC services as well as perform their revision.
References
1. Eurocontrol. 2013. From Safety-I to Safety-II: A White Paper.
2. Frost B., J.P.T. Mo. 2014. System Hazard Analysis of a Complex Socio-technical System: The Functional Resonance Analysis Method in Hazard Identification. Melbourne: Royal Melbourne Institute of Technology.
3. Hollnagel E., R. Hill. 2016. Instructions for Use of the FRAM Model Visualiser (FMV).
4. Hollnagel E., J. Hounsgaard, L. Colligan. 2014. FRAM - The Functional Resonance Analysis Method. Middelfart: Centre for Quality.
5. Hollnagel E. 2006. Capturing an Uncertain Future: The Functional Resonance Accident Model. Paris: Ecole des Mines de Paris.
6. Hollnagel E. 2008. From FRAM (Functional Resonance Accident Model) to FRAM (Functional Resonance Analysis Method). Paris: Ecole des Mines de Paris.
7. Hollnagel E. 2013. Research 2013:09 An Application of the Functional Resonance Analysis Method (FRAM) to Risk Assessment of Organisational Change. Stockholm: Swedish Radiation Safety Authority.
8. Hollnagel E. 2012. FRAM - The Functional Resonance Analysis Method: Modelling Complex Socio-technical Systems. Farnham: Ashgate.
9. Hollnagel E. 2011. Understanding Accidents, or How (Not) to Learn from the Past. Odense: University of Southern Denmark.
10. ICAO: Annex 13 to the Convention on International Civil Aviation, Aircraft Accident and Incident Investigation. 11th edition. 2016.
11. OHS Body of Knowledge: Models of Causation: Safety. 2012. Victoria: Safety Institute of Australia Ltd.
12. ICAO: Doc 4444 - PANS-ATM, Procedures for Navigation Services - Air Traffic Management. 6th edition. 2016.
13. Mazurkiewicz D. 2014. "Computer-aided maintenance and reliability management systems for conveyor belts". Eksploatacja i Niezawodnosc - Maintenance and Reliability 16(3): 377-382.
14. Muneera C.P, K. Karuppanagounder. 2018. "Economic Impact of Traffic Congestion - Estimation and Challenges". European Transport \ Trasporti Europei. Issue 68. Paper no 5: 1-19.
15. Woltjer R. 2009. Functional Modeling of Constraint Management in Aviation Safety and Command and Control. Linköping: Department of Computer and Information Science, Linköpings Universitet.
16. Zahid H. Qureshi. 2007. A Review of Accident Modelling Approaches for Complex Critical Sociotechnical Systems. Adelaide: Defence Science and Technology Organisation.
Received 05.08.2018; accepted in revised form 29.10.2018
Scientific Journal of Silesian University of Technology. Series Transport is licensed under a Creative Commons Attribution 4.0 International License