1、Copyright International Civil Aviation Organization Provided by IHS under license with ICAONot for ResaleNo reproduction or networking permitted without license from IHS-,-,-Cir 314 AN11 78 Threat and Error Management (TEM) in Air Traffic Control Approved by the Secretary General and published under
2、 his authority International Civil Aviation Organization Copyright International Civil Aviation Organization Provided by IHS under license with ICAONot for ResaleNo reproduction or networking permitted without license from IHS-,-,-Published in separate Arabic, Chinese, English, French, Spanish and R
3、ussian editions by the INTERNATIONAL CIVIL AVIATION ORGANIZATION 999 University Street, Montrbal, Quebec, Canada H3C 5H7 For ordering information and for a complete listing of sales agents and booksellers, please go to the ICAO website at www.icao.int ICAO Cir 314, Threat and Emr Management (TEM) in
4、 Air Traffic Control Order Number: CIR314 ISBN 978-92-9231-1 50-6 All rights reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, without prior permission in writing from the International Civil Aviation Organization. Copyr
5、ight International Civil Aviation Organization Provided by IHS under license with ICAONot for ResaleNo reproduction or networking permitted without license from IHS-,-,-This circular describes an overarching safety framework intended to contribute to the management of safety in aviation operations a
6、nd known as Threat and Error Management (TEM). TEM is based on a model developed by the Human Factors Research Project of the University of Texas in Austin (United States): the University of Texas Threat and Error Management Model (UTTEM). The main objective of introducing the TEM framework to the A
7、ir Traffic Services (ATS) community in general, and the Air Traffic Control (ATC) community in particular, is to enhance aviation safety and efficiency. This is achieved by providing an operationally relevant and highly intuitive framework for understanding and managing system and human performance
8、in operational contexts. A further objective in introducing TEM is to lay the foundation for ATS providers for the adoption of a TEM-based tool that involves the monitoring of safety during normal operations as part of ATC safety management systems. The name of this tool is the Normal Operations Saf
9、ety Survey (NOSS). The development of NOSS is a consequence of Recommendation 215 “Monitoring of safety during normal operations“ from the I lth ICAO Air Navigation Conference in 2003, which reads as follows: “That ICAO initiate studies on the development of guidance material for the monitoring of s
10、afety during normal air traffic service operations, taking into account, but not limited to, the line operations safety audit (LOSA) programmes which have been implemented by a number of airlines.“ In order to comply with Recommendation 215, ICAO has developed Doc 9910, Normal Operations Safety Surv
11、ey (NOSS), a methodology of NOSS, to which this circular on TEM is intended as a precursor. The TEM framework can be applied in all ATS operations, regardless of the implementation of NOSS, however, NOSS cannot be implemented without embracing the TEM concept. It must be made clear from the outset t
12、hat TEM and NOSS are neither human performancelHuman Factors research tools, nor human performance evaluation/assessment tools. TEM and NOSS are operational tools designed to be primarily, but not exclusively, used by safety managers in their endeavours to identify and manage safety issues as they m
13、ay affect safety and efficiency of aviation operations. This circular contains the following: a) a generic introduction to the TEM framework, including definitions; components of the framework; threat and error countermeasures; and threats, errors and undesired states in relation to outcomes; b) a d
14、iscussion on TEM in ATC, including definitions; threats in ATC; errors; undesired states; managing threats and errors; TEM-based analysis of actual ATC situations; TEM training for ATC personnel; integrating TEM in safety management; and normal operations monitoring; and c) a list of related documen
15、ts. The circular was developed with the assistance of the Normal Operations Safety Survey Study Group (NOSSSG). Note.- IKroughouf these guidelines, genders have been used interchangeably. Copyright International Civil Aviation Organization Provided by IHS under license with ICAONot for ResaleNo repr
16、oduction or networking permitted without license from IHS-,-,-Page Introduction 1 . The Threat and Error Management (TEM) framework 2 . The components of the TEM framework . 3 . Threat and error countermeasures . : 4 . TEM: A safety investigation perspective . 5 . TEM in ATC 6 . Threats in air traff
17、ic control 7 . ATSP internal threats 8 . ATSP external threats . 9 . Airborne threats . 10 . Environmental threats . 11 . Errors in air traffic control 12 . Undesired states in air traffic control . 13 . Managing threats and error . 14 . TEM-based analysis of actual ATC situations . 15 . TEM trainin
18、g for ATC personnel . 16 . Integrating TEM in safety management . . 17 . Normal operations monitoring 18 . Normal Operations Safety Survey (NOSS) . 19 . Related documents . (vii) Copyright International Civil Aviation Organization Provided by IHS under license with ICAONot for ResaleNo reproduction
19、or networking permitted without license from IHS-,-,-1. Threat and Error Management (TEM) is an overarching safety concept regarding aviation operations and human performance. TEM is not a revolutionary concept, but one that has evolved gradually, as a consequence of the constant drive to improve th
20、e margins of safety in aviation operations through the practical integration of Human Factors knowledge. 2. TEM was developed as a product of collective aviation industry experience. Such experience fostered the recognition that past studies and, most importantly, operational consideration of human
21、performance in aviation had largely overlooked the most important factor influencing human performance in dynamic work environments: the interaction between people and the operational context (i.e. organizational, regulatory and environmental factors) within which people discharged their operational
22、 duties. 3. The recognition of the influence of the operational context in human performance led to the conclusion that the study and consideration of human performance in aviation operations must not be an end in itself. With regard to the improvement of margins of safety in aviation operations, th
23、e study and consideration of human performance without context addresses only part of the larger issue. TEM therefore aims to provide a principled approach to the broad examination of the dynamic and challenging complexities of the operational context in human performance, for it is the influence of
24、 these complexities that generates the consequences that directly affect safety. Copyright International Civil Aviation Organization Provided by IHS under license with ICAONot for ResaleNo reproduction or networking permitted without license from IHS-,-,-THREAT AND ERROR MANAGEMENT (TEM) IN AIR TRAF
25、FIC CONTROL 1. THE THREAT AND ERROR MANAGEMENT (TEM) FRAMEWORK 1 .I The Threat and Error Management (TEM) framework is a conceptual model that assists in understanding, from an operational perspective, the interrelationship between safety and human performance in dynamic and challenging operational
26、contexts. 1.2 The TEM framework focuses simultaneously on the operational context and the people discharging operational duties in such a context. The framework is descriptive and diagnostic of both human and system performance. It is descriptive because it captures human and system performance in t
27、he normal operational context, resulting in realistic descriptions. It is diagnostic because it allows quantifying the complexities of the operational context in relation to the description of human performance in that context, and vice versa. 1.3 The TEM framework can be used in several ways. As a
28、safety analysis tool, the framework can focus on a single event, as is the case with accidentlincident analysis; or it can be used to understand systemic patterns within a large set of events, as is the case with operational audits. The TEM framework can be used to inform about licensing requirement
29、s, helping clarify. human performance needs, strengths and vulnerabilities, thus allowing the definition of competencies from a broader safety management perspective. Subsequently the TEM framework can be a useful tool in On-the-Job Training (OJT). The TEM framework can be used as guidance to inform
30、 about training requirements, helping an organization improve the effectiveness of its training interventions, and consequently of its organizational safeguards. The TEM framework can be used to provide training to quality assurance specialists who are responsible for evaluating facility operations
31、as part of certification. 1.4 Originally developed for flight deck operations, the TEM framework can nonetheless be used at different levels and sectors within an organization, and across different organizations within the aviation industry. It is therefore important, when applying TEM, to keep the
32、users perspective in the forefront. Depending on “who“ is using TEM (i.e. front-line personnel, middle management, senior management, flight operations, maintenance, air traffic control), slight adjustments to related definitions may be required. This circular focuses on the Air Traffic Control (ATC
33、) environment, and the discussion herein presents the perspective of air traffic controllers use of TEM. 2. THE COMPONENTS OF THE TEM FRAMEWORK 2.1 Overview There are three basic components in the TEM framework, from the perspective of air traffic controllers: threats, errors and undesired states. T
34、he framework proposes that threats and errors are part of everyday aviation operations that must be managed by air traffic controllers, since both threats and errors carry the potential to generate undesired states. Air traffic controllers must also manage undesired states, since they carry the pote
35、ntial for unsafe outcomes. Undesired state management is an essential component of the TEM framework, as important as threat and error management. Undesired state management largely represents the last opportunity to avoid an unsafe outcome and thus maintain safety margins in ATC operations. Copyrig
36、ht International Civil Aviation Organization Provided by IHS under license with ICAONot for ResaleNo reproduction or networking permitted without license from IHS-,-,-ICA 0 Circular 3 14-AN/178 2.2 Threats 2.2.1 Threats are defined as events or errors that occur beyond the influence of the air traff
37、ic controller, increase operational complexity, and which must be managed to maintain the margins of safety. During typical ATC operations, air traffic controllers have to take into account various contextual complexities in order to manage traffic. Such complexities would include, for example, deal
38、ing with adverse meteorological conditions, airports surrounded by high mountains, congested airspace, aircraft malfunctions, and/or errors committed by other people outside of the air traffic control room (i.e. flight crews, ground staff or maintenance workers). The TEM framework considers these co
39、mplexities as threats because they all have the potential to negatively affect ATC operations by reducing margins of safety. 2.2.2 Some threats can be anticipated, since they are expected or known to the air traffic controller. For example, an air traffic controller can use information from the weat
40、her forecast to anticipate runway changes or diversions. Another example is the unreliable quality of high frequency (HF) communications that necessitates the availability of alternative options. 2.2.3 Some threats can occur unexpectedly, such as pilots carrying out instructions that were intended f
41、or another aircraft as a result of call sign confusion. In this case, air traffic controllers must apply skills and knowledge acquired through training and operational experience to manage the situation. 2.2.4 Regardless of whether threats are expected or unexpected, one measure of the effectiveness
42、 of an air traffic controllers ability to manage threats is whether threats are detected with the necessary anticipation to enable the air traffic controller to respond to them through deployment of appropriate countermeasures. 2.2.5 The TEM framework considers threats as actual (threats exist and c
43、annot be avoided) and their consequences as potential. Unserviceable equipment is one example. Whether primary andlor secondary equipment fails, or whether equipment becomes unavailable as a result of pre-scheduled maintenance work, it is an actual threat. The difference is in terms of the potential
44、 consequences and the required countermeasures the air traffic controller employs to manage the threat. If the primary equipment fails unexpectedly, the potential consequences are more serious than if a secondary system is taken out of service for maintenance. The air traffic controller countermeasu
45、res are different for each scenario (switching from radar separation to procedural separation in the case of an unexpected radar failure or preparing to work without the secondary system in the second case). If the threat (loss of radar) results in errors being made and separation being compromised,
46、 an undesired state now exists - a product of mismanaged threats and errors. At such point, a controller forgets about threats and errors, and manages the undesired state. The point here is that, under the TEM rationale, threats are situations andlor events that cannot be avoided or eliminated by op
47、erational personnel; they can only be managed. This is why TEM adheres to the notion of threat management as opposed to threat avoidance or elimination. No matter what they do or how much they anticipate the threat, air traffic controllers can only manage its potential consequences through counterme
48、asures strategies. The definition of threat in 2.2.1 intends to convey this notion: “events . that occur beyond the influence of the air traffic controller . which must be managed .“ It is a fundamental premise of TEM that threats are unavoidable components of complex operational contexts, which is
49、why TEM advocates management as opposed to avoidance or elimination. 2.2.6 It would be tempting to consider ergonomic deficiencies in equipment design, less than optimum procedures, and organizational factors in general, as latent threats. However, they are also actual threats. They are present every day in the work place. Their consequences, however, are potential. Examples of these threat
