The recent proposal by Airservices Australia to lower the limit for Class E airspace between Cairns and Melbourne has created quite a bit of turbulence in the country’s aviation community. Pure gliders are, purportedly, exempt from the resulting transponder requirement but tugs, motorgliders and self-launchers wouldn’t be. It also creates the requirement to monitor Class E radio frequencies.
Professor Sidney Dekker
National Safety Advisor
The proposal came across as half-cocked to many in the community. For example, there was no indication of any awareness of or effort to understand the practical consequences and cost that this proposal imposes on an aviation activity like ours. Also, no accompanying Regulatory Impact Statement was delivered that could somehow justify to the Australian Government that the cost of this proposal is ‘reasonable.’ On the face of it, the proposal appears to be designed to lock out some airspace users from large sections of little-used airspace.
But perhaps even more centrally, there was no safety case. Presumably, the argument would be that this proposal, if implemented, makes aviation safer. I asked around in Europe, and there is actually no coherent evidence that carrying transponders in gliders has made aviation there ‘safer’. This could be, of course, because we don’t know the accidents transponders have supposedly prevented, but you’d think that there would be strong data on reductions of airspace incursions, midairs, airproxes and more. To date, I haven’t found such data – but if you have it or know where to get it, let me know.
So, what is a safety case? A safety case is a justification that a product, system or policy is acceptably safe for its intended role. Implicit in the growth of safety regulation across industries, including aviation, was the development of formal processes for demonstrating to a regulator that a system, installation, substance or process was safe—or that some intervention could make these things safer, which would then justify the cost. Disasters such as the 1988 Clapham Junction rail collision in London and the Cullen enquiry into the Piper Alpha disaster of the same year led to extension of a safety case approach into other sectors, like rail, offshore and, again, aviation.
Explain and Justify
In tightly regulated industries, individual organisations have little flexibility in what to present or how to present a safety case. It is largely built around compliance with what other stakeholders tell them to demonstrate. In cases of more flexibility about what standards or processes to follow, we have an obligation to explain and justify why those standards and processes are deemed appropriate and why others are not. A safety case, in either sense, presents a record of all the safety-related information concerning the product or system. This includes:
- an overall safety argument
- safety evidence from analyses of the product or polcy or system
- applicable design information
- evidence from development, testing and in-service experience
The role of argument in safety cases is frequently neglected in favour of voluminous but unstructured numeric evidence. Of course, argument without evidence is unfounded and probably unconvincing. But evidence without argument, without contextualising and explanation, can lead to pressuring stakeholders through sheer weight of numbers and the putative hard work needed to generate them. In the case of Airservices’ proposal, we actually – and remarkably – have neither.
Listening to Stakeholders
So, here are some of the things that a safety case would discover and demonstrate. It would first show that the proposal does not actually list any possible adverse consequences of the change. This suggests that no one behind its creation has even thought about non-IFR users. The first thing a safety case might do, therefore, is show some curiousity about who the stakeholders are, and listen to them.
What about the claimed benefits? Aligning Australia closer to ICAO and US ways of doing things is pretty spurious. Australia, after all, has maintained differences from ICAO and FAA regulations for many years – in some cases for good reasons. A safety case should demonstrate what benefit there is in this alignment, other than simply a goal in and of itself. The idea that it has anything to do with overseas aircraft operating here is not really applicable. They fly way above anything like the airspace being considered here on their way in, and then mostly operate into major airports already served by class C airspace. So, nothing matters to them there.
What about the supposed improved safety for Regular Public Transport (RPT) and other airspace users, by reducing complexity for pilots and controllers? RPT aircraft operating into uncontrolled airports will still need to transition from class G to class E – and at a lower level shortly after takeoff which will increase, not reduce, workload. Even if this is justified, why reduce the floor over such a large area when only small areas around the airports concerned might need it?
Then there’s the argument that the proposal enables enhanced surveillance service. A safety case would show that this doesn’t matter, because IFR aircraft are required to be in contact with ATC in class G anyway. If radar coverage is available, it will work in class G just as well as E. The same goes for the argument – again, unsupported by a safety case – that this proposal would assist controlled airspace in the containment and separation for IFR flights.
How is that helping safety? It actually isn’t. In fact, for IFR aircraft operating into uncontrolled airports, the inability to self-separate from other flights may actually be a net negative. A further claim states that this facilitates Continuous Descent Operations. There’s no evidence for that whatsoever, and also no argument that it would actually help safety.
A safety case would show that most, if not all people operating IFR in class G airspace have never had any issue with continuous descent. In any case, this would only matter in the vicinity of uncontrolled airports with significant IFR traffic. Again, a safety case would have shown this. Finally, there is the argument that this proposal improves the use and value of existing investments such as ADS-B, ACAS. Really? This is the sunk-cost fallacy of a solution looking for a problem. A serious safety case would have no time for this argument alone. What implications for safety does the ‘improved use’ of these investments create? We are left none the wiser.
For those who find a proposal like this half-baked, you find plenty of support in the science of system safety and safety cases. They’ve been around for a while, and there is no excuse for creating such havoc in aviation in Australia without using the sorts of methods that exist exactly for the purpose of combining evidence and argument. Safety people, safety engineers – or hopefully any engineers – don’t slide, gloss over or assume. They develop, they test, they check and then they do it again. I look forward to seeing even a whiff of that in relation to this proposal.
Many thanks to Clyde Stubbs for his helpful experiences and insights.