ABSTRACT

The air traffic environment is a complex system that involves several players. Between the air navigation service provider (ANPS) and the final client, many different organizations act with different purposes but are strongly interfaced. Changes and modifications in terms of technology, predefined process, or personnel are constantly needed, requiring coordination among the stakeholders. However, due to the high level of interaction between the players, any change in a complex system like the air traffic environment requires risk management. This paper demonstrates the suitability and advantages of the System-Theoretic Accident Model and Processes/Systems-Theoretic Process Analysis (STAMP/STPA) method to be applied to the risk assessment of an operational air traffic modification. The method, which had never been used on an air traffic problem in Brazil before, was applied considering the implementation of segregated simultaneous operation at the Guarulhos International Airport. The results were proven to be effective in terms of deriving useful safety requirements. From such demonstration, STAMP/STPA can be considered as a feasible alternative to the brainstorming method currently applied for risk assessment and generation of safety requirements regarding modifications in the structure of the air traffic services (ATS) in Brazil.

Keywords
Safety analysis; GNSS; Causal factors; Feature interactions

INTRODUCTION

In recent years, there has been a significant increase in the air traffic flow (IATA 2019[IATA] Associação Internacional de Transporte Aéreo (2019). Demanda por transporte aéreo de passageiros continua com alta moderada. [accessed Apr. 17 2021]. https://www.iata.org/contentassets/39f95e0f60c141188fe38c0159260aff/2019-11-07-01-pt.pdf
https://www.iata.org/contentassets/39f95... ). To ensure safety and effectiveness of operations, air navigation service providers (ANSPs), operators and airlines, have pursued alternative means and procedures to increase the continuous flow of the air traffic.

In Brazil, air navigation procedures are based on conventional radio navigation aids on the ground, such as VHF Omnidirectional Range (VOR), as well as on Global Navigation Satellite System (GNSS) for area navigation (RNAV) procedures. This kind of navigation method optimizes the use of airspace when compared to conventional procedures, since it allows the aircraft to operate on any desired flight path within the coverage of navigation aids referenced at stations or within the limits of the autonomous aid, or a combination of them (ICAO 2013[ICAO] International Civil Aviation Organization (2013) Doc 9613: Performance-based navigation (PBN) manual (4 ed.). Montreal: ICAO. [accessed Jan 23 2020]. https://www.icao.int/sam/documents/2009/samig3/pbn%20manual%20-%20doc%209613%20final%205%2010%2008%20with%20bookmarks1.pdf
https://www.icao.int/sam/documents/2009/... ). Some of the Brazilian airports operate with parallel runways in addition to having procedures based on RNAV, such as the Guarulhos International Airport, São Paulo state.

One solution to deal with the growth of the air traffic mentioned above is to increase the airport operating capacity. In airports with high levels of traffic, it is vital that the runways are used more efficiently, such as using the parallel runways optimally or building new lanes. Among the possibilities to meet the high air traffic demand, the parallel runways operation has excellent applicability, since the avionics systems of the aircraft have been developed based on requirements for this type of operation, in addition to being more economically viable, when compared to the construction of new runways (Almeida 2014Almeida RA (2014) Aumento da capacidade de pistas paralelas e próximas: Um estudo de caso do Aeroporto Internacional de Guarulhos (master’s thesis in Aeronautical Infrastructure Engineering, Air Transport Area). São José dos Campos: Instituto Tecnológico de Aeronáutica. In Portuguese.).

In order to improve operations at the Guarulhos International Airport, thereby seeking better performance and operational flow for the airport, the Agile GRU Project Working Group was established to study viable solutions to increase the efficiency of simultaneous approach, landing and take-off operations at the Guarulhos airport. This working group idealized the implementation of the operation with simultaneous parallel runways, which will start operating in 2022. This work was performed based on Annex 14 of the International Civil Aviation Organization (ICAO) and Risk Management Document for the Implementation of Segregated Operations at the Guarulhos Airport (DECEA 2021[DECEA] Departamento de Controle do Espaço Aéreo. Decea participa de coletiva de imprensa do lançamento do projeto Agile Gru. [accessed Apr 17 2021]. https://www.decea.mil.br/?i=midia-e-informacao&p=pg_noticia&materia=decea-participa-de-coletiva-de-imprensa-do-lancamento-do-projeto-agile-gru
https://www.decea.mil.br/?i=midia-e-info... ).

In order to implement segregated simultaneous operations in SBGR (ICAO location indicator for Guarulhos Airport), based on Instrument Flight Rules (IFR) operations under Visual Meteorological Conditions (VMCs), the Agile GRU study group (Alonso et al. 2018Alonso PR et al. (2018) Proyecto Agile Gru, Lima- Perú.) was established, based on Annex 14 of the ICAO. It has representatives of the Brazilian Department of Airspace Control (DECEA), the Brazilian Association of Airlines (ABEAR), the GRU Airport Company, and the International Air Transport Association (IATA).

The implementation of the operation was programmed gradually, being divided into 5 phases, starting with approaches under VMCs and reduced separation from 5.5 to 3 nautical miles. Currently, the SBGR is operating under Phase Two where the side-step maneuver is adopted in the approach in addition to the reduction in separation between aircraft. In the side-step maneuver, the aircraft conducts IFR landing procedure using the Instrument Landing System from a given runway, but switches, using visual references, a landing maneuver on the runway parallel to the one the approach was initiated.

This kind of change in the air traffic control service involves several stakeholders, such as the ones cited as part of the Agile Working Group, and requires a safety assessment to identify eventual hazards at a system level, i.e., technical, procedural, or human aspects. The result of this safety assessment is summarized in a Safety Risk Management Document and contains mostly the hazards of the proposed operational change with their associated risk and their respective mitigation actions. This document is typically made by a group of experts that rely solely on their experience to classify the risks through a brainstorming process.

In Brazil, the stakeholders affected by operational changes on the aspects related to the air traffic services (ATS) do not count on a well-defined methodology other than having the criteria for categorization of hazards and computation of risks, which are general guidelines from the national regulatory organization. The steps to identify the hazards from all possible perspectives come, as previously mentioned, from the brainstorming process performed by an established team. Such a process does not make the final results unsafe or incomplete, but requires a significant effort, takes days or months to be concluded, and costs valuable hours of qualified personnel.

From this context, the clear definition of a detailed procedure to be conducted by the safety assessment team, able to capture the main hazards and their respective mitigation actions—which can naturally be interpreted as safety requirements—in a systematic process would be of great benefit for the operational risk assessment. Therefore, the goal of the present work is to demonstrate the usefulness and advantages of applying a system-wide methodology with a well-defined procedure applied to an operational modification in the context of the ATS.

The chosen method is the Systems-Theoretic Process Analysis (STPA) tool (Leveson 2016Leveson NG (2016) Engineering a safer world: Systems thinking applied to safety. The MIT Press.), which is derived from the System-Theoretic Accident Model and Processes (STAMP). By using this method, it is possible to define the control structures and identify the losses, hazards, and control actions necessary to mitigate the factors contributing to an accident. This technique aims at identifying the risks of a given system by following a well-established methodology applied to an air traffic control and air navigation context. The results are useful when defining changes in the procedures of air traffic flow with the possibility of applying effective mitigation strategies (Leveson and Thomas 2018Leveson NG, Thomas JP (2018) STPA handbook. n.l: n.p. [accessed Apr 17 2021]. https://psas.scripts.mit.edu/home/get_file.php?name=stpa_handbook.pdf
https://psas.scripts.mit.edu/home/get_fi... ).

The STPA analysis is performed for the segregated simultaneous operation at the Guarulhos International Airport. As part of the motivation for this analysis, is the fact that in a 10-year interval (2010–2019) there were 590 accidents, 423 serious incidents, 2,809 incidents, and 373 ground occurrences in the area of civil aviation aerodromes in Brazil, making a total of 4,195 occurrences in Brazilian aerodromes (CENIPA 2010–2019[CENIPA] Centro de Investigação e Prevenção de Acidentes Aeronáuticos (2010-2019) Estatística. [accessed Jan 13 2022]. https://www2.fab.mil.br/cenipa/index.php/estatisticas
https://www2.fab.mil.br/cenipa/index.php... ). The Guarulhos Airport was the one that had the most occurrences in the above-mentioned period, thus requiring special attention in the risk analysis. In this context, the organizations that implement strategies to prevent aeronautical accidents can benefit from the presented methodology.

METHODOLOGY

In order to apply systems theory into risk analysis, a new accident causality model is needed that expands on what is currently being used. As defined by Leveson (2019)Leveson NG (2019) Cast handbook: How to learn more from incidents and accidents. n.l.: n.p. [accessed Jul. 11 2019]. http://sunnyday.mit.edu/CAST-Handbook.pdf
http://sunnyday.mit.edu/CAST-Handbook.pd... , System-Theoretic Accident Model and Processes (STAMP) expands the traditional causality model beyond a chain of directly related failure events or component failures to include more complex processes and unsafe interactions between system components. At STAMP, accidents are caused by complex interactions between physical, human, and social systems. Safety is treated as a dynamic control problem and not as a failure prevention problem.

New techniques have been developed to analyze an occurrence in which the causes of the accident are not seen as a chain of events. On that occasion lies the understanding that losses are not only a consequence, but a complex and dynamic process (Leveson 2016Leveson NG (2016) Engineering a safer world: Systems thinking applied to safety. The MIT Press.). The STAMP is a causality model of an occurrence based on systems theory developed by Professor Nancy Leveson (Massachusetts Institute of Technology) to design safer systems. The STPA is a hazard analysis technique based on STAMP (Leveson and Thomas 2018Leveson NG, Thomas JP (2018) STPA handbook. n.l: n.p. [accessed Apr 17 2021]. https://psas.scripts.mit.edu/home/get_file.php?name=stpa_handbook.pdf
https://psas.scripts.mit.edu/home/get_fi... ), and it has applicability in the segments of aviation, space, defense, nuclear, automobile, among others. The model analyzes causal factors of design such as decision making, organizational culture, and software, which start to increasingly threaten the integrity of a system (Leveson 2016Leveson NG (2016) Engineering a safer world: Systems thinking applied to safety. The MIT Press.). Using the STPA technique within a given scenario can be essential to mitigate factors that may contribute to an eventual accident in addition to identifying the control structure of a system, the losses and hazards to be avoided, and the control actions to be taken to avoid risk.

The consequences in a system failure that can be tragic is defined as Hazard, which faces up to a scale. The STPA is a hazard analysis that assumes that accidents can also be caused by precarious interactions of system components, none of which may have failed (Leveson and Thomas 2018Leveson NG, Thomas JP (2018) STPA handbook. n.l: n.p. [accessed Apr 17 2021]. https://psas.scripts.mit.edu/home/get_file.php?name=stpa_handbook.pdf
https://psas.scripts.mit.edu/home/get_fi... ).

RESULTS

In risk analysis, the idealization of the STAMP technique by Professor Nancy Leveson inspired several researchers to conduct their work using this methodology. As an example, it is possible to cite the use of STAMP in the US Ballistic Missile Defense System, in studies conducted by Pereira et al. (2006)Pereira SJ, Lee G, Howard J (2006) A system-theoretic hazard analysis methodology for a non-advocate safety assessment of the ballistic missile defense system. American Institute of Aeronautics and Astronautics Missile Sciences Conference, 1606:ADA466864. https://apps.dtic.mil/sti/pdfs/ADA466864.pdf
https://apps.dtic.mil/sti/pdfs/ADA466864... . The safety assessment methodology based on systems theory provided a structured and organized way to carry out the analysis. It was possible to obtain the necessary information to characterize the residual safety risk of the hazards associated with the system. Also, many studies using STAMP/STPA have been performed in the aeronautics operation field (Berquó 2015Berquó EJ (2015) Safety: Há algo de novo no horizonte II. Melhore Seus Conhecimentos 52:4-6. [accessed Oct. 3 2020]. http://www.dcabr.org.br/download/artigos/msc_52.pdf
http://www.dcabr.org.br/download/artigos... ; Fleming and Leveson 2015Fleming CH, Leveson N (2015) Including safety during early development phases of future air traffic management concepts. In: 11th USA/Europe Air Traffic Management Research and Development Seminar (ATM2015). [accessed Dec 12 2020]. http://sunnyday.mit.edu/papers/ATM-2015.pdf
http://sunnyday.mit.edu/papers/ATM-2015.... ; Fleming et al. 2013Fleming CH, Leveson N, Placke S (2013) Assuring safety of nextgen procedures. In: 10th USA/Europe Air Traffic Management Research and Development Seminar (ATM2013). [accessed Jun 24 2020]. http://sunnyday.mit.edu/papers/ATM2013.pdf
http://sunnyday.mit.edu/papers/ATM2013.p... ; Scarinci 2017Scarinci A (2017). Monitoring safety during airline operations: A systems approach (doctoral dissertation). Cambridge: Massachusetts Institute of Technology; Schmid et al. 2018Schmid D, Vollrath M, Stanton NA (2018) The system theoretic accident modelling and process (STAMP) of medical pilot knock-out events: Pilot incapacitation and homicide-suicide. Saf Sci 110(Part A):58-71. https://doi.org/10.1016/j.ssci.2018.07.015
https://doi.org/10.1016/j.ssci.2018.07.0... ). In Brazil, Castilho (2015Castilho DS (2015) Aplicação da técnica stpa na análise de risco da decolagem de aeronaves leves com vento cruzado limítrofe. (master’s thesis in Aeronautical and Mechanical Engineering). São José dos Campos: Instituto Tecnológico de Aeronáutica. In Portuguese.; 2019)Castilho DS (2019) Active STPA: Integration of hazard analysis into a safety management system framework. (doctoral thesis). Cambridge: Massachusetts Institute of Technology. and Castilho et al. (2018)Castilho DS, Urbina LMS, Andrade D (2018). STPA for continuous controls: A flight testing study of aircraft crosswind takeoffs. Saf Sci 108:129-139. https://doi.org/10.1016/j.ssci.2018.04.013
https://doi.org/10.1016/j.ssci.2018.04.0... applied the STPA tool (derived from STAMP) in the risk analysis of light aircraft take-off with crosswind. These works show the relevance of the theme and the large potential of generating the ability to integrate risk analysis tools in aeronautical systems, making it possible to identify possible losses and hazards to which a control structure for a given system is exposed within a given scenario.

When applying the STPA tool to identify the risks involved in the Operation of the Simultaneous Parallel Runways in Guarulhos, it is necessary to start by identifying the possible losses that these risks can lead to. Hence, the first step of the analysis was to identify the losses (identified by L followed by its identification number in the topics below) generated by a possible accident with operations of the parallel runways at Guarulhos Airport. The following losses were identified as:

• L1 – Loss of human life, injuries, and psychic damages:

  • Loss of crewmember, passenger, and third-party lives;

  • Injury to crewmembers, passengers, and third parties;

  • Panic and stress in crewmembers, passengers, third parties, and aviation users in general.

• L2 – Environmental losses:

  • Air Pollution from CO₂ emissions generated by aircraft fuel burning.

• L3 – Material losses:

  • The airline has expenses with fuel and crew overtime caused by missed approaches;

  • Damage or total loss of the aircraft, collapse of the wreckage of an accident, and lawsuits;

  • The aircraft manufacturer has expenses with the investigation of the accident and changes to the aircraft’s technical instruction manuals and checklists;

  • Insurance companies have indemnity expenses for the crew, passengers, and third parties;

  • Outsourced companies (such as food companies, power source operators, pushback operators, etc.) have contract losses caused by the decrease in the demand for services by the airline that had an accident;

  • Airport management companies have expenses with damages and interdictions on the runways;

  • Passengers have the loss of their goods (personal belongings they take with them in their luggage) and the inconvenience caused by the interruption of their trip;

  • The countries involved have expenses with search and rescue missions and with the investigation of the accident by a public entity.

• L4 – Loss of Airline reputation:

  • Customers avoid flying with the company that had an accident;

  • Negative impact on the image of the Brazilian state before International Organizations.

• L5 – Loss of operational performance:

  • The Air Traffic Control Service has operational losses due to the removal of air traffic controllers involved in the occurrence;

  • Delays and cancellations in the planning of air operations.

After the definition of losses, the next step is to identify what hazards (H) the system is exposed to and the losses that each hazard can generate:

• H1 – Aircraft does not respect the parameters established for an approach (L1, L2, L3, L4, and L5):

• H1.1 – Horizontal instability:

  • Aircraft gets in the profile of another aircraft that performs the procedure for the parallel runway;

  • Aircraft lands with the landing gear not aligned with the runway;

  • Aircraft lands outside the runway’s lateral limits.

• H1.2 – Vertical instability:

  • Aircraft has a hard landing;

  • Aircraft lands beyond the runway’s longitudinal limits;

  • Aircraft lands before the runway’s longitudinal limits.

• H1.3 – Controlled flight into terrain.

• H2 – Aircraft violates minimum separation from other aircraft in the airspace (L1, L2, L3, L4, and L5);

  • Air collision between aircraft (L1, L2, L3, L4, and L5).

• H3 – Missed approach procedure (L1, L3, L4 e L5):

  • H3.1 – Aircraft performs another landing procedure, but with less fuel (L3 and L5);

  • H3.2 – Air Traffic Controller (ATCo) keeps the aircraft performing a waiting procedure [L3 and L5].

All hazards are related to at least one loss, and it is at this point in the analysis that the elements of the system relate to each other. Based on the list of hazards, System-Level Constrains (SLC) and System-Level Requirements (SLR) that already exist within the structure are identified:

• SLC1 – The aircraft shall respect and comply with the parameters provided for the procedures in use at the aerodrome (H1);

  • SLC1.1 – The aircraft shall respect the lateral limits of the procedure (H1.1);

  • SLC1.2 – The aircraft shall respect the vertical limits of the procedure (H1.2);

  • SLC1.3 – The aircraft must dissipate its excess mechanical energy (excess height or speed) before landing (H1.2);

  • SLC1.4 – The aircraft shall maintain minimum indices of its mechanical energy in order to preserve maneuverability during the procedure (H1.2);

  • SLC1.5 – The aircraft shall be under pilot control during the entire flight (H1.3);

• SLR1 – ATCo shall detect when flight parameters violate the approach limits:

  • SLR1.1 – If the aircraft violates the lateral parameters of the procedure, the crew shall be informed by the ATCo (H1.1);

  • SLR1.2 – If the aircraft is vertically unstable, the pilot shall start the missed approach (H1.2, H3);

  • SLR1.3 – Pilots shall have the training to maintain control of the aircraft during the flight (H1.3);

• SLC2 – The aircraft shall fly at an altitude equal to or higher than the Minimum Sector Altitude (MSA) (H2);

• SLR2 – If the aircraft flies below the MSA, it shall be informed by the ATCo and the crew shall react by going up with full power to correct the deviation (H2);

• SLC3 – The aircraft shall maintain a minimum separation from other aircraft (H2);

• SLR3 – The violation in the minimum separation parameters of other aircraft shall be detected and reported by ATCo or TCAS (Traffic Alert and Collision System). When alerted, the crew shall react to increase the separation within the minimum standards (H2, H3);

• SLC4 – The aircraft shall land with fuel above the minimum level (H1.3, H3.1);

• SLR4 – The crew shall manage the fuel consumption and inform the ATCo when the ATCo’s instructions may result in a low fuel level before landing (H1.3, H3.1);

• SLC5 – The crew shall not operate the aircraft with the Ground Proximity Warning System equipment turned off (H1, H2);

• SLR5 – The aircraft shall have the minimum equipment necessary to comply with the profile of the RNAV procedure (H1, H2).

With the identification of the risks to which the system is exposed, the hazards caused by these risks, the possible losses, and the constraints at the system level, as well as the existing requirements, it is possible to define the Control Structure, based on the controlling agents and controlled elements from the system.

The process for modeling the control structure was divided into two stages: the High-Level Hierarchical Control Structure and the Detailed Hierarchical Control Structure of the Analyzed System. In the first case, high-level controls were mapped, divided between Brazilian Air Force Command (COMAER – Comando da Aeronáutica), Brazilian National Civil Aviation Agency (ANAC – Agência Nacional de Aviação Civil), Brazilian Department of Airspace Control (DECEA – Departamento de Controle do Espaço Aéreo), Guarulhos Airport Air Traffic Service (ATS-GR), Guarulhos Aerodrome Operator (GRU Airport), Airline and Aircraft.

COMAER is responsible for managing air traffic in the Brazilian airspace. This mission is accomplished by DECEA, an organization subordinate to that Command, responsible for regulating the Brazilian airspace and providing air navigation services within the country. DECEA regulates air traffic and the ATS-GR issues authorizations for operations in the Airspace and monitors compliance with air traffic rules. ANAC is responsible for the management of civil aviation, monitoring the services provided by aerodrome operators and airlines. The High-Level Control Structure is formed by the elements that make up an Air Traffic System which is shown in Fig. 1.

In the Detailed Hierarchical Control Structure, the system components were identified and mapped at a detailed level, divided into ATS, Flight Crew, Position Monitoring Systems, and Aircraft. The ATS has direct interaction with the Flight Crew through the copilot of the aircraft, in addition to receiving information from the monitoring systems (radar and transponder). The crew is in the aircraft context, and the pilots are responsible for interacting with their control systems. The flying pilot acts on the primary flight controls (elevator, aileron, and rudder), on the throttle, on the flight automation systems (autothrottle, autopilot, and flight director), and interacts with the monitoring pilot. The latter establishes communication with the ATS, acts on the secondary flight commands (by order of the flying pilot), gives and receives inputs from the flight director and receives the data from the monitoring systems. Figure 2 shows the detailed hierarchical control structure.

By analyzing the control structures, it was possible to identify the most relevant Unsafe Control Actions (UCAs) for this analysis, as they directly involve air traffic, specifically the violation of the approach parameters. The UCAs are presented in Tables 1 and 2.

From the identification of the UCAs, it is possible to identify the scenario and the causal factor associated with it. With these data, a rational analysis about the UCA is developed and then it is possible to define which safety restrictions or safety requirements should be taken to mitigate them, as shown in the Tables 3 to 8.

The rational analysis of the causal factors results in mitigating actions whose objective is to exclude the possibility of the execution of the UCA by the crew and the ATCo, making sure that the safety requirements and restrictions are met. The application of mitigating actions by the controlling agents of the subsystems is the result expected from this study.

Most of the proposed mitigating actions are already carried out by common sense, but it is essential that they based on safety requirements or safety restrictions. They must be formally described in the regulations governing the performance of the procedures, and disseminated in sectors responsible for the operations of airlines and air traffic control agencies. In this sense, there should be an ATCo exclusively monitoring and controlling the aircraft that performs the RNAV RNP procedure.

Regarding the latter requirement, it is worth mentioning that the ionospheric layer strongly affects the GNSS signals used in RNAV procedures, more intensively in low-latitude regions, which is the case of Brazil. The scenarios in which the operation can be compromised by the ionosphere can be found in Marini-Pereira et al. (2021)Marini-Pereira L, Pullen S, Moraes AO, Sousasantos J. (2021) Ground-Based Augmentation Systems Operation in Low Latitudes – Part 1: Challenges, Mitigations, and Future Prospects. Journal of Aerospace Technology and Management, 13. https://doi.org/10.1590/jatm.v13.1236
https://doi.org/10.1590/jatm.v13.1236... and Sousasantos et al. (2021)Sousasantos J, Marini-Pereira L, Moraes AO, Pullen S (2021) Ground-based augmentation system operation in low latitudes - Part 2: Space weather, ionospheric behavior and challenges. J Aerosp Technol Manag 13:e4821. https://doi.org/10.1590/jatm.v13.1237
https://doi.org/10.1590/jatm.v13.1237... and has been the motivation for several studies as reported in Monico et al. (2022)Monico JFG, Paula, ERD, Moraes ADO, Costa E, Shimabukuro MH, Alves DBM,... Aguiar CR (2022). The GNSS NavAer INCT Project Overview and Main Results. Journal of Aerospace Technology and Management, 14. https://doi.org/10.1590/jatm.v14.1249
https://doi.org/10.1590/jatm.v14.1249... . As a consequence of such interference, there could be loss of RNP capacity or GNSS signal degradation, derived from actions respectively related to the OBPMA and the ABAS subsystems. Hence, the safety requirements related to eventual ionospheric interferences on GNSS positioning over Brazil are covered by the scenarios described in Tables 6 and 8.

Regarding the meteorological conditions, it is essential that the ATCo informs the aircraft performing the procedure about the direction and intensity of the wind, so that the crewmembers can calculate any deviations caused by this type of meteorological phenomenon, and apply the necessary corrections. The corrections in the trajectory are essential due to the proximity of the aircraft following the RNAV RNP procedure because even though both suffer from the interference of the wind, aircraft of different categories have different aerodynamic reactions.

To ensure a correct radar plot about the positioning of the aircraft, the ATCo must ensure that the aircraft has the C mode activated in the aircraft transponder. To do this, the ATCo must confirm that he/she receives latitude, longitude, and altitude information on the radar screen. In addition, ATCo must request that the crew activate the IDENT button on the referred equipment.

Concerning the flight crew, when receiving the alert from the OBPMA, pilots must immediately report the condition to the ATCo and request an alternative landing procedure, since it is not possible to remain in the profile of the RNAV RNP, due to the loss of RNP capacity. Airline operations department should add the obligation to inform the ATCo about the OBPMA alert.

As for the degradation of the GNSS signal, the aircraft may eventually lose accuracy in receiving the global positioning signal, in airspace in the Brazilian territory, due to the interference caused by magnetic phenomena in the Ionosphere. In this case, the ABAS system issues an alert. Pilots must then comply with the system notification, notify the ATCo about the degradation, request an alternative landing procedure, and abandon the RNAV procedure.

CONCLUSIONS

In Brazil, the air traffic has increased considerably in the last 30 years, and it is estimated that in 2030 it will be increased 89% compared to 2010. Such increase should be probably noted on the Guarulhos International Airport, which is the largest airport in Brazil. This characteristic highlights the need for establishing safety requirements for operations that aim at optimizing the local air traffic. Therefore, it is understood that it is required an effective systematic approach on hazard analysis to assess and mitigate possible problems that can occur at the Guarulhos Airport considering the current air traffic flow.

From this demand, this paper has presented the application of STPA as a systemic analysis of hazards as a possibility to replace the brainstorming process currently applied in Brazil when an operational change takes place in the ATS. The STPA method applied has considered the implementation of simultaneous parallel operations of runways at the Guarulhos International Airport. High-levelaccidents and the hazards associated with them have been identified and can be traced back to the causal factors leading to the identified losses (L1, L2, L3, L4, and L5). A hierarchical safety control structure was designed to analyze the impacts on the elements that are responsible for the control of the aircraft and systems processes (as captured in Figs. 1 and 2). The safety control structure contributes to provide a general view of the system and its interactions. It allows analysis for the allocation of control constraints where lack of control leads to an accident (see Tables 1 and 2). After analyzing the conditions that make control actions unsafe, the causal scenarios that lead to losses were described (see Tables 3 to 8). They helped to demonstrate how each potential hazard can occur for each unsafe control action that affects simultaneous operations at the Guarulhos International Airport.

An interesting aspect that came out from the resulting analysis is about the ionosphere influence on RNAV procedures over Brazil. Thinking upon safety for GNSS procedures of the simultaneous operation on runways at the Guarulhos Airport, it is possible to estate that even with the interferences of the ionosphere on the GNSS-based subsystems there are safe conditions to conduct the intended simultaneous operations, considering the RNAV requirements.

Thus, strategies for safety operations at the studied airport are vital due to the increasing growth in the demand for air transportation. Therefore, this work concludes that STPA analysis has proved to be a reliable method to assess hazards and their mitigation means (safety requirements) in the air traffic context.

REFERENCES

Edited by

Publication Dates

History