Safer systems: A NextGen aviation safety strategic goal

The Joint Planning and Development Office (JPDO), is charged by Congress with developing the concepts and plans for the Next Generation Air Transportation System (NextGen). The national aviation safety strategic plan (NASSP), developed by the Safety Working Group of the JPDO, focuses on establishing the goals, objectives, and strategies needed to realize the safety objectives of the NextGen integrated plan. The three goal areas of the NASSP are safer practices, safer systems, and safer worldwide. Safer practices emphasizes an integrated, systematic approach to safety risk management through implementation of formalized safety management systems (SMS) that incorporate safety data analysis processes, and the enhancement of methods for ensuring safety is an inherent characteristic of NextGen. Safer systems emphasizes implementation of safety-enhancing technologies, which will improve safety for human-centered interfaces and enhance the safety of airborne and ground-based systems. Safer worldwide encourages coordinating the adoption of the safer practices and safer systems technologies, policies and procedures worldwide, such that the maximum level of safety is achieved across air transportation system boundaries. This paper introduces the NASSP and its development, and focuses on the Safer systems elements of the NASSP, which incorporates three objectives for NextGen systems: (1) provide risk reducing system interfaces, (2) provide safety enhancements for airborne systems, and (3) provide safety enhancements for ground-based systems. The goal of this paper is to expose avionics and air traffic management system developers to NASSP objectives and safer systems strategies.

The three goal areas of the NASSP are Safer Practices, Safer Systems, and Safer Worldwide. Safer Practices emphasizes an integrated, systematic approach to safety risk management through implementation of formalized Safety Management Systems (SMS) that incorporate safety data analysis processes, and the enhancement of methods for ensuring safety is an inherent characteristic of NextGen.
Safer Systems emphasizes implementation of safety-enhancing technologies, which will improve safety for humancentered interfaces and enhance the safety of airborne and ground-based systems. Safer Worldwide encourages coordinating the adoption of the safer practices and safer systems technologies, policies and procedures worldwide, such that the maximum level of safety is achieved across air transportation system boundaries.
This paper introduces the NASSP and its development, and focuses on the Safer Systems elements of the NASSP, which incorporates three objectives for NextGen systems: 1) provide risk reducing system interfaces, 2) provide safety enhancements for airborne systems, and 3) provide safety enhancements for ground-based systems. The goal of this paper is to expose avionics and air traffic management system developers to NASSP objectives and Safer Systems strategies.

Background
The United States' Air Transportation System (ATS) facilitates the safe and efficient movement of people and goods around the globe and serves as a critical economic engine for the nation. The existing ATS is reaching the limits of its potential for growth and it is not scalable to safely accommodate future demand [2]. Improvements are needed to safely accommodate increasing demand. Failure to accommodate this growing demand in the years ahead will result in costly delays throughout the system and compromise the Country's ability to create jobs and economic growth.
In 1997, the National Civil Aviation Review Commission's (NCARC) report, A Consensus for Change, stated that the current course of the air transportation system will impair our domestic economy, reduce our standing in the global marketplace, and result in a long-term deterioration of aviation safety. One major recommendation of the Commission was that the FAA and the aviation industry develop a strategic plan to improve safety, with specific priorities based on objective, quantitative analysis of safety information and data. The Commission reported that problems with the air transportation system can be rectified, but will take dramatic change.
In 2003, President George W. Bush and Congress took a significant step toward transforming the air transportation system with the enactment of the VISION 100 -Century of Aviation Reauthorization Act. The VISION 100 Act established a mandate for the Next Generation Air Transportation System (NextGen) initiative to achieve the goals of accommodating a significant increase in demand for air transportation, accommodate all users, and improve aviation safety. To manage these efforts, the VISION 100 Act created the Joint Planning and Development Office (JPDO) -a unique, cooperative partnership between public and private stakeholders. The JPDO represents the aviation interests of the Department of Transportation (DOT), Department of Defense (DoD), Department of Commerce (DOC), Department of Homeland Security (DHS), National Aeronautics and Space Administration (NASA), the White House Office of Science and Technology Policy (OSTP) and industry stakeholders.
The Next Generation Air Transportation System Integrated Plan, the first product of this groundbreaking effort, was delivered by the JPDO to Congress in December 2004 [1].
The JPDO Senior Policy Committee is chaired by the Secretary of Transportation and includes senior executives representing the Federal entities that make up the JPDO. The Committee oversees JPDO work, including NextGen plan development, and is responsible for execution of NextGen strategies and plans by the departments, agencies, or offices its members lead or represent. Among its key activities, the Committee works to provide policy guidance, resolve major policy issues, and identify and align resource needs. The Senior Policy Committee is responsible for approving the National Aviation Safety Strategic Plan (NASSP) as a supplement to the Next Generation Air Transportation System Integrated Plan.
In addition to responding to the social, economic, political, and technological changes that are evolving worldwide, the transformation to NextGen must meet the country's air transportation safety, security, mobility, efficiency, and capacity needs. The JPDO is charged with developing the concepts, architectures, roadmaps and implementation plans for transforming the current national air transportation system into the Next Generation Air Transportation System. Upon adoption by the Senior Policy Committee of the JPDO, the member departments and agencies will be charged with incorporating these products into their plans.

Safety Working Group
The JPDO Safety Working Group is tasked with developing products and plans for achieving the NextGen safety goals. The JPDO Safety Working Group chartered a Strategic Planning Standing Committee, comprised of public and private stakeholders, to develop the NASSP. The NASSP provides strategies for achieving NextGen safety goals through practice, procedure, and system improvements implemented domestically and coordinated worldwide. The NASSP defines the objectives, strategies and work areas for aviation safety improvements, that will ensure aviation safety increases are commensurate with the growing demands on the air transportation system. When adopted by the JPDO, member agencies and departments, through the OMB, will align their aviation safety research, development, and implementation plans to the NASSP.

Three Goal Areas
The NASSP is organized by its three goal areas: Safer Practices, Safer Systems, and Safer Worldwide.
Safer Practices emphasizes an integrated, systematic approach to safety risk management through implementation of formalized Safety Management Systems (SMS) that incorporate safety data analysis processes and the enhancement of methods for ensuring safety is an inherent characteristic of NextGen. The objectives of safer practices are to provide consistent safety management approaches that are implemented throughout government and industry; to provide enhanced monitoring and safety analysis of the air transportation system; and to provide enhanced methods for ensuring safety is an inherent characteristic of NextGen.
Safer Systems emphasizes implementation of safety-enhancing technologies, which will improve safety for human-centered interfaces and enhance the safety of airborne and ground-based systems. The objectives of safer systems are to provide risk reducing systems interfaces; to provide safety enhancements for airborne systems; and to provide safety enhancements for ground-based systems.
Safer Worldwide provides strategies for coordinating the adoption of technologies, policies, and procedures worldwide such that safety improvements are commensurate with increases in demand to achieve the maximum level of safety across air transportation system boundaries. The objectives of safer worldwide are to encourage development and implementation of safer practices and safer systems worldwide and to establish equivalent levels of safety across air transportation system boundaries.

Development and Substantiation
The NASSP was developed and vetted by the JPDO partner departments and agencies and through close collaboration with subject matter experts and industry stakeholders. This plan is a living document that the JPDO will maintain, review, and update on an annual basis. This will ensure that the appropriate safety focus is maintained and the most effective safety management approaches and technologies are identified, assessed, and implemented.
Development of the NASSP began with the top-down identification of safety goals and objectives by safety subject matter experts participating as members of the JPDO Safety Working Group's Strategic Planning Standing Committee.
NASSP strategies supporting the objectives were similarly derived. Substantiation of the NASSP strategies included the gathering of critical safety issues from aviation stakeholders worldwide, and surveying aviation safety subject matter experts to determine the priority of the safety issues and the NASSP strategies, and rating the applicability of the NASSP strategies to the safety issues. Multidimensional preference and statistical analyses of the ranking and rating data provided a basis for refinement of the NASSP, and for demonstrating compliance with the NCARC recommendation for a national plan based on objective, quantitative analysis of safety information and data.

Safer Systems Goal
Aviation system technologies for safety are aimed at managing hazards, eliminating recurring accidents, and mitigating accident and incident consequences. NextGen operational requirements for both ground-based and airborne systems will lead to the implementation of advanced technologies with improved capabilities in all NAS domains, including the following: communication, navigation, and surveillance; air traffic management; vehicle systems; manufacturing methods; vehicle and ground systems health management; maintenance; and human-centered interfaces for air and ground systems.
The integration of safety-derived requirements and safety-specific functions and technologies within all NextGen domains, as well as the implementation of safety-focused systems will be required for the Next Generation Air Transportation System to achieve its safety goals.
The eight NextGen key capabilities: Network-Enabled Information Access, Performance-Based Operations and Services, Weather-Assimilated Decision-Making, Layered Adaptive Security, Broad-Area Precision Navigation, Aircraft Trajectory-Based Operations, Equivalent Visual Operations, and Super Density Operations, will each require implementing new systems. The systems that enable key capabilities will be comprised of multiple interfaces between hardware, software, people, facilities, and procedures. These elements will be organized to accomplish common objectives. Integrating safety into the NextGen key capabilities will require development of specific safety-related requirements for the capabilities.

Objective 1: Provide Risk Reducing System Interfaces
For the time epoch of this plan, the overall safety and efficiency of the air transportation system will depend upon human operators as the ultimate integrators of the numerous space, air, and ground elements. Understanding and accounting for the role of humans, and their positive and potentially negative contributions, will be important to maintaining and improving safety, while also improving efficiency. While data exist on human error, empirical data on humans' positive contributions are lacking. A review of aviation accidents indicates that human error continues to be a primary contributing factor in commercial, publicuse, and general aviation accidents [3][4][5]. However, numerous events can be cited where humans found and successfully compensated for a wide variety of vulnerabilities and inefficiencies in design, implementation, training, procedures, and operations. The human is able to react to unknowns and unexpected events by applying experience, learned skills, innovation, and general knowledge [6].
In many cases, these errors resulted from failures in the transfer or communication of critical information [7]. Typical failures include operator misinterpretation of information presented by automated systems or in written guidance, unfamiliarity with systems or information, failure to monitor the systems state, or miscommunication between key operators.
Automation, if not designed and trained properly, can increase the chances for human error [8][9].
Human cognitive processing capability, communication, and coordination must be supported. One key element is situation awareness. Situation awareness includes the state of awareness, which encompasses an accurate perception of elements in the environment within a volume of time and space (the situation), an accurate comprehension of their meaning, and the ability to make an accurate projection of their status [10] and the process of achieving this state of awareness. Some cognitive processing activities critical to dynamic, event-driven, and multi-task decisions, such as those required of pilots, controllers, and dispatchers, include sensory perception, memory, attention, and categorization.
To respond adequately and efficiently, to make productive decisions, and to communicate effectively, it is essential that the operator have an accurate awareness of their situation.
Therefore, a primary consideration in the design of risk reducing systems is to increase operator situation awareness across a host of dimensions, defined by the goals and decision tasks for a particular operator's job. For pilots, this might include temporal and spatial positioning, as well as an acute awareness of the system state, limits, and future sequences. In nominal conditions, greater awareness of systems health will help to prevent accidents through actions taken by operators to ensure that operational demands do not exceed system capabilities. In off-nominal conditions, operators and maintainers will be able to mitigate the consequences of a failure or undesirable system state through timely responses in intervening, managing and restoring full system capabilities. Especially in the presence of partial system failures, both operators and maintainers will need an accurate awareness of systems health, for both aircraft and air traffic management systems. Systems designed to increase situation awareness will provide operators with relevant information in an accessible, understandable, and usable format.
This objective focuses on effective and safe systems interfaces that improve individual and collaborative situation awareness, information management, and decision-making. It includes human-to-human, human-to-automation and automation-to-automation interfaces. It emphasizes the exchange and presentation of information, the means to obtain information for sound decisionmaking, and the appropriate role of humans, human interaction, and automation in the future's highly automated systems needed to accomplish the NextGen goals. Though the primary focus will be on systems interfaces for the front-line operator (e.g. pilot, controller, maintenance technician, and security personnel), the same concepts extend to the larger population of users of information whose decisions directly or indirectly affect the front-line operator. The following four strategies will be adopted in the development and implementation of risk reducing systems interfaces.
Ensure the availability and accessibility of required information, to include providing and assuring the continuity of critical information and limiting the manipulation required for operator access.
Increase the usefulness and understandability of information, such that priority is given to critical information, that it is presented in a clear and concise manner, and is grouped and ordered in a consistent and logical sequence.
Available, accessible, useful, and understandable information will be instrumental in decreasing operator confusion and increasing appropriate, timely, and accurate decision-making.
To meet demands for capacity and safety, the current trend toward automated systems with increased capabilities will continue. However, developing and implementing these systems responsibly will require maintaining appropriate human engagement.
System designers must consider the limits of human performance in both nominal and off-nominal conditions to secure and maintain the operator's attention without exceeding their ability to interact and process. When system degradation prompts an automated reversion to lower system performance limits, automation-toautomation design integrity is critical.
An appropriate allocation of human versus automation functions will decrease the possibility for authorityresponsibility double binds where the human is responsible for the tedious monitoring of highly reliable automation, will allow the operator to successfully attend to and satisfy the most pressing tasks, and will provide the operator with a coherent set of tasks supported by reliable automated functions.
NextGen operational concepts will require more effective and efficient communication and collaboration between pilots, controllers, dispatch, and maintenance personnel, especially during offnominal events. Therefore, improve operational decision aids, by developing decision-aiding automation for airborne and ground-based systems that assists appropriate operator interaction and intervention. A key component of developing decision-aiding interfaces is identifying the best methods to communicate critical information, and standardizing the training of these methods and required interactions.
Improving operational decision aids and the communication of critical information in a timely and effective manner will help to reduce communication errors, decrease decision errors, and ultimately improve response to unforeseen events on the system.

Objective 2: Provide Safety Enhancements for Airborne Systems
In the Next Generation Air Transportation System, airborne systems will become an increasingly integral part of the overall air traffic management system.
The JPDO Concept of Operations for the Next Generation Air Transportation System [11] proposes to include aircraft as interactive nodes on an air traffic management network under the Network Enabled Operations concept. It also identifies several key capabilities, such as Aircraft Trajectory-Based Operations, Equivalent Visual Operations, and Super Density Operations that will require aircraft automation systems to carry out functions that today are performed by air traffic control systems. Likewise, pilots, whether onboard, remote, or automated, will be required to take on responsibilities traditionally performed by air traffic controllers.
To increase system throughput, reductions in aircraft spacing (longitudinal, lateral, and/ or vertical) in all operational phases of flight (including the ground phase) will be required. To minimize the risk of aircraft collisions and wake vortex encounters, barriers to reduced separation will be addressed, to include performance limits of communications, navigation, and surveillance systems.
This objective focuses on integrating safety requirements into the development and implementation of capacity-enhancing advancements for aircraft, to maintain or improve safety as capacity is increased. The following five strategies will be adopted in the development and implementation of airborne systems.
Improve the reliability and airworthiness of aircraft, through increased reliability of control, avionics, software, and information management systems, as well as the long-term structural airworthiness of new materials and advanced aircraft designs. The result will be reduced systems failures and reduced diversions or incomplete missions.

Improve
vehicle systems health management through advanced monitoring systems and decision aids. These systems can monitor all aspects of systems health, both during flight and through post-flight analysis, including vehicle structures, propulsion systems, control system elements, and avionics hardware and software.
To provide pilots, dispatchers and maintenance personnel with ready access to system health information, advanced aircraft monitoring systems will be developed that integrate sensor information. Integration of advanced monitoring systems will increase operators' timely and accurate understanding of system health, resulting in quicker identification of sub-system faults and failures and increased opportunity to successfully mitigate and prevent these failures. Enhanced decision aids will assist operators in preventing unacceptable safety risks from developing, enhancing operators' recognition and incorporation of complex factors in situation assessment and mitigative decisionmaking. To ensure an efficient response, certain system failures will precipitate automatic transition to alternate operating parameters, with backup procedures in the event of anomalous conditions. Executing this strategy will help to reduce the number of hazards encountered, enhance the understanding of off-nominal conditions, and reduce the response time in making optimal decisions, ultimately improving operator awareness and mitigative response to airborne events and hazards.
Increase the reliability and accuracy of data and information by implementing strict controls on the acquisition and processing of information critical for air crew response in both nominal and off-nominal operating conditions.
The data acquisition process must ensure the integrity of data through quality checking for displayed data and for the execution of automated programming, especially those supporting automated reversion functions and automation-to-automation interfaces. Timeliness of data is critical to maintaining data accuracy and integrity for time-critical decisions. These controls will become increasingly important as aircraft are more highly integrated in the air traffic management system. This strategy will help to lower instances of system degradation caused by data latency, faults, and/ or failures, and increase air crew confidence in the use of and reliance on the data.
Ensure aircraft conformance to more stringent operations requirements; achieving many NextGen capacity gains will require a higher level of performance in some aspects of navigation, guidance and control, especially for reducedseparation and trajectory-based operations. In meeting these requirements, careful examination must also be made that other causes of deviations from assigned flight trajectories will not increase the potential for near miss and collision incidents and accidents, or to runway incursions.
While it is preferable to prevent rather than mitigate the consequences of aircraft accidents, ultimately, it is not possible to prevent all accidents, across all sectors of aviation, under all operating conditions. Therefore, work must be undertaken to increase aircraft system contributions to survival in crash scenarios, with systems and technologies designed to mitigate the consequences and hazards associated with accidents, such as post-crash fires, toxic fumes, and impact loads. This will help to reduce fatalities and severe injuries from the levels sustained in accidents today.

Objective 3: Provide Safety Enhancements for Ground-Based Systems
NextGen concepts, such as Network Enabled Operations, Aircraft Trajectory-Based Operations, and Super-Density Operations, require the integration of ground-based and airborne systems, and the introduction of collaborative air traffic control functions. Associated ground-based system safety enhancements must mitigate the risks associated with new or changing operational concepts. Considering the appropriate level of automation and human performance limits will be critical to maintaining air transportation system safety. Ground-based support elements, such as aircraft and air traffic management maintenance systems, as well as airport infrastructure, must evolve to support the proposed capacity enhancing concepts of NextGen.
This objective focuses on increasing the level of safety with the advancement of ground-based systems to meet complex operational demands from an increasingly complex set of air transportation users. In addition to the community of commercial, general aviation, rotorcraft, public-use, and military air transportation system users, additional users will include both unmanned aircraft and space vehicle operators. The following four strategies will be adopted to assure safety in the development and implementation of ground-based systems.
Improve ground-based systems health management through advanced monitoring systems and decision aids. NextGen concepts will require new levels of automation in air traffic, maintenance, and other ground-based systems. These systems will be designed to meet increased demands during nominal operations and maintain integrity at degraded performance levels in offnominal conditions. Operators of ground-based systems should have a clear understanding of the internal and external factors that affect their operation. The concomitant, relevant performance limits of the system must be respected to maintain safety. To improve operator awareness, advanced monitoring systems will continuously communicate system state information and detect system faults and failures. Integration of advanced monitoring systems will increase key operators' timely and accurate understanding of system health, resulting in quicker identification of system failures and increased opportunity for their successful mitigation and prevention. Enhanced decision aids will be developed to assist operators in preventing unacceptable safety risks from developing. They will enhance operator recognition and incorporation of complex factors in situation assessment and in decision-making.
As with aircraft systems, maintaining the appropriate level of automation and human engagement will be critical. To ensure an efficient response, certain system failures will initiate automatic transition to alternate operating parameters, with backup procedures in the event of anomalous conditions. Executing this strategy will help to improve operator awareness and mitigative response to events and hazards by reducing the number of hazards encountered, enhancing the understanding of off-nominal conditions, and reducing the response time required to make optimal decisions.
Increase the reliability and accuracy of ground-based systems data and information by implementing strict controls on the acquisition and processing of information critical for ground-based system response in both nominal and off-nominal operating conditions. The data acquisition process must ensure the integrity of data through quality checking for displayed data and for the execution of automated programming, especially those supporting automated reversion functions and automation-to-automation interfaces. Timeliness of data is critical to maintaining data accuracy and integrity for time-critical decisions. These controls will become increasingly important as the air transportation system becomes more highly integrated.
This strategy will help to lower instances of system degradation caused by data latency, faults, and/ or failures, and increase users' confidence in the use of and reliance on groundbased systems.
Ensure ground-based system conformance to more stringent operations requirements; implementing NextGen capacity enhancing concepts will require a higher level of accuracy and complexity in ground-based systems in collaborating with advanced aircraft systems. Future ground systems will be designed to meet the requirements of reduced separation and trajectorybased operations. Strict conformance to these requirements will result in fewer deviations from assigned flight trajectories, fewer near miss and collision incidents and accidents, and fewer runway incursions.
As aircraft and air traffic system reliability has improved, the work associated with aviation safety has turned from mitigation of accidents and their consequences to their prevention. However, it is not possible to prevent all aviation accidents. We must increase ground-based system contributions to survival in crash scenarios by implementing advanced emergency detection capabilities, response methods, and airport infrastructure that minimize the effects of both runway excursions and off-site landings. These advancements will play a key role in the reduction of the severity of accidents, and provide a more timely and effective emergency response, leading to fewer fatalities and less severe injuries than those sustained in accidents today.

Conclusion
The National Aviation Safety Strategic Plan defines national goals, objectives, and strategies for improving aviation safety commensurate with the growing demands on the air transportation system. The plan was developed and vetted by the JPDO partner departments and agencies and through close collaboration with subject matter experts and industry stakeholders, and is a living document that the JPDO will maintain, review, and update on an annual basis.
The Safer Systems goal supports NextGen operational improvements for both ground-based and airborne systems that will require implementation of advanced technologies with improved capabilities in all NAS domains. These domains include communication, navigation, and surveillance; air traffic management; vehicle systems; manufacturing methods; vehicle and ground systems health management; maintenance; and human-centered interfaces for air and ground systems.
The integration of safety-derived requirements and safety-specific functions and technologies within all NextGen domains, as well as the implementation of safety-focused systems will be required for NextGen to achieve its safety goals.
Safer Systems is only one part of the plan, however. Systems are implemented in conjunction with operational procedures and supported by training. The Safer Practices goal area of the NASSP provides additional objectives and strategies associated with managing safety within NextGen, while the Safer Worldwide goal acknowledges the global nature of aviation and promotes coordinating safety across national and modal boundaries. The JPDO's Integrated Work Plan safety elements reflect the organizational structure of the NASSP and provide additional detail on specific safety related aspects of NextGen operational improvements, enablers, and R&D actions needed to realize NextGen safety goals.
The NASSP is expected to complete JPDO agency review in September 2008, after which it will be presented to the JPDO Board and subsequently to the JPDO Senior Policy Committee for approval. Once approved, its goals will become the NextGen safety goals; the Joint Planning and Development Office (JPDO) member departments and agencies will plan their aviation safety resources to support its objectives, and the Office of Management and Budget (OMB) will use it to align agency budgets relative to aviation safety.