Risk Assessment on the Transition Program for Air Traffic Control Automation System Upgrade

In this paper we analyze the safety risks of the transition program for an Air Traffic Control (ATC) automation system upgrade using the event tree analysis method. We decompose the progression of the three transition phases and build an event tree for each of the three stages; we then determine the probability of success of each factor and calculate the probability of success of the air traffic control automation system upgrade transition. In the conclusion, we describe the safety risk of the transition program according to the results.


Introduction
Upgrading the air traffic control automation system can improve the ATC operating environment and operational efficiency, but the upgrade process inevitably introduces some risks, so risk assessment of the transition program is the key element in keeping the transition process safe.
Event tree analysis is a risk analysis technique that deduces the possible consequences of an initiating event by following the chronological series of subsequent events. It is a temporal, logical method of accident analysis: it begins with an initiating event and proceeds step by step through the development stages of the accident, where the outcome of each event takes only one of two diametrically opposed states (success or failure, normal or fault, safety or hazard), and it develops progressively to the end, until a system failure or an accident.
The air traffic control automation system upgrade transition program divides the upgrade transition into three stages and proceeds gradually until the final end of the transition, which is similar to the structure of an event tree, so this paper analyzes the safety risk of the three stages in the transition process using the event tree method.

The Transition Program
The transition program has seven parts in total: 1: General; 2: Organization and responsibilities; 3: Transition program for ATC operations; 4: Transition program for equipment support; 5: Emergency response preplans; 6: Organization and training of personnel; 7: Annex. The third and fourth parts are the core content of the transition program. The fifth part provides a preplan for emergencies during the transition process, so that the transition goes forward smoothly. The sixth part provides personnel preparation for the transition, supporting the relevant personnel in mastering the new system and ensuring a smooth transition.
In accordance with the main content of the program, the transition process can be described by the following diagram: once the transition conditions are ready, the transition goes through three stages, after which a safe system transition is finished. Three stages are shown as

Risk Assessment
Safety risk analysis of the transition program assesses whether each stage can move forward successfully. In this part the three transitional phases (the preparatory phase of transition, the operational phase of transition, and the stable operation phase) are evaluated using the event tree method. The key elements that determine the probability of success are analyzed, and finally the success probability is calculated based on the

Preparatory Phase of Transition
Three main elements need to be considered in the preparatory phase of transition: 1. whether the operators are familiar enough with the operation of the new system; 2. whether the new system has been proved to be technically acceptable; 3. whether the backup ATC automation system can be guaranteed to run independently during the transition period. Only the backup system is in use during the upgrade from the old version to the new version, which takes about two hours; during that time air traffic controllers rely on the backup system to command, so ensuring its normal operation is the key. According to the analysis above, the event tree for the preparatory phase of transition is illustrated in Fig 2.

Operational Phase of Transition
During the operational phase of transition, controllers use the secondary control system to control, while the new air traffic control automation system runs in synchronization and operates normally. If these two conditions are satisfied, the new system is switched into use for command. However, for the more than two hours during which the original secondary system is enabled as the primary system, there is no other secondary system, so proper operation of the system is very important. If operation is normal after the new system is switched into use, the remaining seats are switched in; if the full-load operation phase is normal, the transition enters the next stage, stable operation. Based on the above analysis, we use an event tree to illustrate the operational phase of transition, shown in Fig 3.

Stable Operation Phase
The situation in the stable operation phase is much simpler than in the previous phase; the event tree with two main results is shown in
After the completion of the preparatory phase, $P_1$ is 1, and the probability $P$ of a successful transition, given that the preparatory phase has been completed, is: $P = P_1 \times P_2 \times P_3 = 70\%$ (the preparatory phase of transition is completed).
As the transition proceeds, $P_1$ and $P_2$ both take the value 1 after the completion of the operational phase of transition, and the probability $P$ of a successful transition, given that the operational phase has been completed, is: $P = P_1 \times P_2 \times P_3 = 90\%$ (the operational phase of transition is completed). When the new system upgrade has been implemented successfully after the completion of the stable operation phase, the probability of success of the transition program reaches its maximum value: $P = P_1 \times P_2 \times P_3 = 100\%$ (the stable operation phase is completed).
The data above are reference values for evaluating the safety risk of the program, not exact values. These values indicate the probability of successfully completing the transition to the new system with the program described in this paper. If the transition to the new system fails, the program provides detailed response measures and emergency responses for the failure cases in the three event trees; that is, the program ensures that safe operation is not affected even if the transition to the new system cannot be completed.

Summary
Using the event tree analysis method to study the program, we conclude that the early reference probability of the safety risk is 56%. Although this probability is not high, it can be improved by increasing the stability of the new system, thereby improving the overall probability of success. As the transition proceeds, the probability of a smooth transition reaches 70% after completion of the preparatory phase of transition, 90% after completion of the operational phase of transition, and 100% after completion of the stable operation phase. The program presents detailed response measures for transition failure and can ensure a return to the original operation, so safe operation is not affected regardless of whether the transition succeeds.
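The per-phase probabilities implied by the 56%, 70%, 90% and 100% figures, and where the failure probability sits in the three-phase event tree, worked through in Python as an added example (not code or data from the paper). It assumes the 56% figure is the product P1 × P2 × P3 before the transition starts; the names STATED, phase_probabilities, end_states and success_given_completed are made up for this illustration.

```python
from fractions import Fraction

# Success figures stated in the paper, keyed by the number of phases already
# completed (0 = before the transition starts). Assumption: 56% = P1*P2*P3.
STATED = {0: Fraction(56, 100), 1: Fraction(70, 100),
          2: Fraction(90, 100), 3: Fraction(1)}
PHASES = ["preparatory", "operational", "stable operation"]

def phase_probabilities(stated=STATED):
    """Back out P1, P2, P3 from the stated figures.

    With k phases complete the paper sets P1..Pk to 1, so the stated value is
    the product of the remaining P_i; P_(k+1) is the ratio of neighbours.
    """
    return [stated[k] / stated[k + 1] for k in range(len(PHASES))]

def end_states(p):
    """Enumerate the end states of the sequential tree as (label, probability)."""
    reached = Fraction(1)  # probability of reaching the current branch point
    states = []
    for name, p_ok in zip(PHASES, p):
        states.append((f"fail in {name} phase", reached * (1 - p_ok)))
        reached *= p_ok
    states.append(("transition succeeds", reached))
    return states

def success_given_completed(p, k):
    """P(success | first k phases completed) = product of the remaining P_i."""
    result = Fraction(1)
    for p_ok in p[k:]:
        result *= p_ok
    return result

if __name__ == "__main__":
    p = phase_probabilities()
    for name, p_ok in zip(PHASES, p):
        print(f"P({name} phase succeeds) = {float(p_ok):.3f}")
    for label, prob in end_states(p):
        print(f"{label:34s} {float(prob):.4f}")
    for k in range(len(PHASES) + 1):
        print(f"after {k} phase(s): {float(success_given_completed(p, k)):.0%}")
```

The end-state probabilities sum to 1, and the largest failure branch is the preparatory phase, followed by the operational phase.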

Fig 1. Transition phase diagram. Therein, D0 refers to the transition day and T0 refers to the transition time. D0-1 refers to the day before the transition day, D0+7 refers to seven days after the transition, and so on for D0+8 and D0+30.

Fig 2. The Event Tree for the Preparatory Phase of Transition

Fig 3. The Event Tree for the Operational Phase of Transition

Fig 4. The Event Tree for the Stable Operation Phase