Spl. Independentei 313, 060042 Bucuresti www.aero.pub.ro tel: (+40)21 402 3812
„Elie Carafoli” Aerospace Sciences Department
Modelling Changes in Socio-technical Systems
-FRAM in ATC-
BEng Final Project
Author: Stefan Diana-Alexandra
Supervisor(s): S.l. Dr. Ing. Silviu Zancu (UPB)
Dr. Ing. André Perott (Deutsche Flugsicherung DFS)
Ing. Nils Schader (Deutsche Flugsicherung DFS)
Session: July 2015
University Politehnica of Bucharest
Faculty of Aerospace Engineering
Air Navigation
Anti-Plagiarism Declaration
I, the undersigned, STEFAN DIANA-ALEXANDRA, student of the University Politehnica of
Bucharest, Faculty of Aerospace Engineering, declare herewith and certify that this final project is the
result of my own, original, individual work. All the external sources of information used were quoted
and included in the References. All the figures, diagrams, and tables taken from external sources
include a reference to the source.
Date: _________ Signature: __________________________
Content
Anti-Plagiarism Declaration
List of Figures
List of Tables
Glossary of Terms
Acronyms
Executive Summary
Summary (Rezumat)
1. Introduction. The Need
2. State of the Art
2.1. FRAM-General Information
2.1.1. Its motivation and purpose
2.1.2. FRAM Principles
2.1.2.1. The Equivalence of Failures and Success
2.1.2.2. The Approximate Adjustments
2.1.2.3. The Principle of Emergent Outcomes
2.1.2.4. The Principle of Resonance
2.1.3. How to use the Method
2.1.3.1. Functions Description. The 6 Aspects
2.1.3.2. Relations between functions. The Aggregation of Variability
2.1.3.3. Graphical Representation of a FRAM Analysis
2.1.4. How to interpret a FRAM Analysis
2.2. Catalogue of FRAM Examples. Discussion
2.3. Safety Management System in ATM
2.3.1. Description of ATM
2.3.1.1. Definition. Objectives
2.3.1.2. Complexity
2.3.2. Safety Management System
2.3.2.1. Risk Management Process
2.3.2.2. Management of Change
2.3.2.3. Safety Investigations
2.4. Chapter Conclusion
3. Application of FRAM in SMS
3.1. Modelling Methods-Why do we need them?
3.2. Discussion on SMS Approach
3.3. FRAM integration in SMS
3.4. FRAM and Best Practices
3.4.1. Discussion regarding Safety Investigation
3.4.2. Discussion regarding Risk Management
3.4.3. Discussion regarding Management of Change
3.5 Chapter Conclusion
4. 2TID Risk Assessment Study Case
4.1. Case Selection
4.2 Approach
4.3. German ATC System Overview
4.4. 2TID Description
4.5. Scope of the Assessment
4.6. Bowtie Method
4.7. FRAM Method
4.9. Chapter Conclusions
5. Conclusion
Acknowledgements
Biography
Annex 1-Bowtie Report
Annex 2-Bowtie Diagram
Annex 3-FRAM Report
Annex 4-FRAM Diagram
List of Figures
Figure 2.1.2.2.1 - The principle of approximate adjustments
Figure 2.1.2.3.1 - Resultant Outcome
Figure 2.1.2.4.1 - Classical Resonance
Figure 2.1.2.4.2 - Stochastic Resonance
Figure 2.1.2.4.3 - Functional Resonance
Figure 2.1.3.2.1 - Couplings for Function E
Figure 2.1.3.3.1 - The six aspects of a function or an activity
Figure 2.3.2.1 - SMS Framework
Figure 2.3.2.1.1 - Risk Assessment Framework
Figure 2.3.2.1.2 - FTA
Figure 2.3.2.1.3 - Bowtie Framework
Figure 2.3.2.1.4 - Bowtie Analysis Steps
Figure 2.3.2.2.1 - Safety Action Plan
Figure 2.3.2.3.1 - Safety Occurrence Investigation Package
Figure 2.3.2.3.2 - Elaboration of the Generic Phases in Occurrence Investigation
Figure 2.3.2.3.3 - SOAM Framework
Figure 2.3.2.3.4 - SOAM analysis key steps
Figure 3.1 - SESAR Performance Concept
Figure 4.6.1 - Hazard and Top Event
Figure 4.6.2 - Threats
Figure 4.6.3 - Consequences
Figure 4.6.4 - Risk Assessment
Figure 4.6.5 - Risk Matrix
Figure 4.6.6 - Bowtie scenarios
Figure 4.6.7 - Control Barriers
Figure 4.6.8 - Recovery Barriers
Figure 4.6.9 - Escalation factor and Escalation factor barrier
Figure 4.7.1 - 2TID Design function
Figure 4.7.2 - 2TID Design output
Figure 4.7.3 - Provide Information function
Figure 4.7.4 - Receive Information function
Figure 4.7.5 - Process Information function
Figure 4.7.6 - Determine Action function
Figure 4.7.7 - Execute Traffic Sequencing function
Figure 4.7.8 - Provide Clearances to pilot
Figure 4.7.9 - Interconnections
Figure 4.7.10 - Keep the traffic picture function
Figure 4.7.11 - Input clearances in the system
Figure 4.7.12 - Detect potential conflicts function
Figure 4.7.13 - Deconflicting Traffic function
Figure 4.7.14 - FRAM Model
List of Tables
Table 2.2.1 - Catalogue of FRAM examples
Table 3.4.1.1 - Advantages and Challenges in SOAM methodology
Table 3.4.1.2 - Gap Analysis of SOAM and FRAM with respect to Occurrence Investigation process
Table 3.4.2.1 - Advantages and Challenges in Bowtie Methodology
Table 3.4.2.2 - Gap Analysis of Bowtie and FRAM with respect to Risk Management process
Table 3.4.3.1 - Advantages and Disadvantages of Safety Action Plan Strategy
Table 3.4.3.2 - Gap Analysis of Safety Action Plan and FRAM with respect to Management of Change process
Table 4.8.1 - FRAM findings
Table 4.8.2 - Bowtie findings
Glossary of Terms
Accident: An occurrence associated with the operation of an aircraft which takes place between the
time any person boards the aircraft with the intention of flight until such time as all such persons have
disembarked, in which a person is fatally or seriously injured or the aircraft sustains damage or
structural failure or the aircraft is missing or is completely inaccessible.
(Approximate) Adjustments: When working conditions are underspecified or when time or resources
are limited, it is necessary to adjust performance to match the conditions. This is a main reason for
performance variability. But the very conditions that make performance adjustments necessary also
mean that the adjustments will be approximate rather than perfect. The approximations are, however,
under most conditions good enough to ensure successful performance.
Causality: relation between an event (the cause) and a second event (the effect), where the first event
is understood to be responsible for the second.
Data-link: the means of sending digital information between aircraft and air traffic controllers.
Decomposition Principle: to break up or separate into basic components or parts.
Efficiency-thoroughness trade-off: The efficiency thoroughness trade-off (ETTO) describes the fact
that people (and organisations) as part of their activities practically always must make a trade-off
between the resources (time and effort) they spend on preparing an activity and the resources (time,
effort and materials) they spend on doing it.
Emergence: In a growing number of cases it is difficult or impossible to explain what happens as a
result of known processes or developments. The outcomes are said to be emergent rather than
resultant. Emergent outcomes are not additive, not predictable from knowledge of their components
and not decomposable into those components.
Functional resonance: Functional resonance is defined as the detectable signal that emerges from the
unintended interaction of the everyday variability of multiple signals. The signals are usually
subliminal, comprised of both the “target” signal and the remaining signals that constitute the noise.
But the variability of the signals is subject to certain regularities that characterize different types of
functions; hence these variabilities are not random or stochastic. Since the resonance effects result
from the ways in which the system functions, the phenomenon is called functional resonance
rather than stochastic resonance.
Human Error: a very controversial wording. Human error used to be seen as the cause of an
unwanted event, and it used to represent the end of an investigation. In the new view, Human Error is
regarded as a structural by-product of people trying to pursue success in resource-constrained,
uncertain, imperfect systems.
Inbound flights: flights that intend to land at a certain airport.
Incident: An occurrence, other than an accident, associated with the operation of an aircraft that
affects or could affect the safety of operations.
Outbound flights: flights that had already taken off from a certain airport, heading to the upper area.
Performance variability: The contemporary approach to safety (Safety-II), is based on the principle
of equivalence of successes and failures and the principle of approximate adjustments. Performance is
therefore in practice always variable. The performance variability may propagate from one function to
others, and thereby lead to non-linear or emergent effects.
Proactive: serving to prepare for, intervene in, or control an expected occurrence or situation,
especially a negative or difficult one.
Reactive: tendency to react after an event happens.
Resilience: A system is said to be resilient if it can adjust its functioning prior to, during, or following
changes and disturbances, and thereby sustain required operations under both expected and unexpected
conditions.
Resilience engineering: The scientific discipline that focuses on developing the principles and
practices that are necessary to enable systems to be resilient.
Safety-I: Safety is the condition where the number of adverse outcomes (accidents / incidents / near
misses) is as low as possible. Safety-I is achieved by trying to make sure that things do not go wrong,
either by eliminating the causes of malfunctions and hazards, or by containing their effects.
Safety-II: Safety is a condition where the number of successful outcomes is as high as possible. It is
the ability to succeed under varying conditions. Safety-II is achieved by trying to make sure that things
go right, rather than by preventing them from going wrong.
Socio-technical Systems: complex organisational work design that recognizes the interaction between
people and technology in workplaces.
Work-as-Imagined/ Work-as-Done: Because performance adjustments are always necessary, Work-
as-Done (WAD) is always different than Work-as-Imagined (WAI). These two terms explain how
proximal, or sharp-end factors, in combination with distal or blunt-end factors can lead to accidents.
Workers at the sharp end accept that WAD is, and must be, different from WAI. For them it is no
surprise that descriptions based on WAI cannot be used in practice and that actual work is different
from prescribed work. Unlike Safety-I, Safety-II considers WAD at the sharp end and the blunt end on
equal terms, and recognizes that performance adjustments are required in both cases. Safety-II
acknowledges that WAI and WAD are different, and focuses analysis on WAD.
Acronyms
2TID=Two Touch Input Device
ACC=Area Control Centre
ANSP=Air Navigation Service Provider
ASW=Air Situation Window
ATC=Air Traffic Control
ATCo=Air Traffic Controller
ATM=Air Traffic Management
CANSO=Civil Air Navigation Services Organisation
ESARR=EUROCONTROL Safety Regulatory Requirement
FAA=Federal Aviation Administration
FMEA=Failure Modes and Effects Analysis
FRAM=Functional Resonance Analysis Method
FTA=Fault Tree Analysis
LTID=Left Touch Input Device
MSAW=Minimum Safe Altitude Warning
NTSB=National Transport Safety Board
PSS=Paperless Strip System
RTID=Right Touch Input Device
SES=Single European Sky
SESAR=Single European Sky ATM Research
SOAM=Systematic Occurrence Analysis Method
SMS=Safety Management System
STEP=Sequentially Timed Events Plotting
TCAS=Traffic Collision Avoiding System
TWR=Tower
UACC=Upper Area Control Centre
Executive Summary
The main purpose of this thesis is to determine if the Functional Resonance Analysis Method
(FRAM) can be integrated in the Safety Management System (SMS) and to identify and evaluate the
possible fields of application.
To achieve this goal, several steps were followed:
• Research on FRAM and SMS was conducted, which led to a deeper understanding of the
method and revealed the systematic elements within SMS where FRAM could contribute. The
summary of the research is that FRAM is a method that brings a new view by explaining outcomes
in terms of functional coupling and resonance rather than failure and malfunction. The relevant SMS
elements identified are: Risk Management, Management of Change and Safety Investigations.
• Based on the knowledge gained in the research phase, an analysis of the SMS framework in the
current ATM system was developed in order to assess its effectiveness. The conclusion reached was
that the focus of Safety Management Systems is set on occurrence investigations, with less on safety
assessments and almost no effort put into understanding the system; the result is an unbalanced and
inefficient approach that is almost exclusively based on hindsight.
• Following the above conclusion, an investigation was done in order to determine whether the FRAM
philosophy and features could meet the challenges discovered. It was concluded that FRAM could fit
perfectly in SMS because it brings new ideas regarding system complexity and represents the
proactive side of the analysis, thus filling the gaps of the current philosophy.
• The next step was to address the specific features that FRAM could bring to the three SMS elements
and determine which of them could benefit the most. A comparison between current methodologies
and FRAM was performed and the following conclusions were reached:
  - Safety Investigation is a reactive process while FRAM is a proactive method; therefore
    there is no valid reasoning for using the FRAM method for this purpose. FRAM could be
    used as a complementary method because it can give a better overview of the event, but
    the conclusion is that it is not worth the effort.
  - From a theoretical point of view it seems that FRAM would be the perfect methodology
    for Risk assessment, able to replace the traditional methods completely, due to the fact
    that it incorporates all the advantages and disadvantages of current methods and also
    brings a new perspective, meeting the future requirements.
  - FRAM could be a great asset for the Management of Change process because its ability to
    link performance variability with changes in the system helps to reduce the discrepancy
    between 'work as done' and 'work as imagined'; this achievement leads to a safer ATM
    system, a relaxed work environment for operators and cost reduction for the
    organisations.
• The overall conclusion is that FRAM seems to be the right methodology for complementing or
even replacing the best practices of the Risk Management and Management of Change elements.
• This theoretical finding is further assessed through a case study which contrasts the Bowtie
Method and the Functional Resonance Analysis Method (FRAM) for risk assessment related to a
change in the German ATC systems. The programmes used were FRAM Model Visualiser (FMV) and
BowtieXP, and the information required was gathered through a three-month internship at DFS
Deutsche Flugsicherung. The study illustrated that Bowtie helps to represent linear cause-effect
connections, while FRAM depicts the dynamic interactions within complex socio-technical systems by
describing non-linear dependencies, variability, and their impact on the system; therefore FRAM can
bring major improvements to Risk Management and Management of Change processes.
To conclude, although there are still challenges to be solved in the application of FRAM, the
main finding of this thesis is that the FRAM method brings the appropriate perspective and framework
for Risk Management and Management of Change in current and future ATM context.
Summary (Rezumat)
The main purpose of this thesis is to determine whether the FRAM method can be integrated into the
Safety Management System (SMS) and to identify the areas in which applying the method would
bring the greatest benefits.
To achieve this objective, the following steps were carried out:
• A scientific study of FRAM and the Safety Management System was carried out, which
led to a deeper understanding of the method and to the discovery of the systematic elements within the
SMS where FRAM could contribute. It was found that FRAM is a method that brings a new view
because it attributes the consequences of a change not to the failure or malfunction of a particular
element of the system, but to functional dependencies and variability. The elements of the Safety
Management System that are relevant to this study were also identified: Risk Assessment and
Management, Management of Change, and Incident and Accident Investigation.
• Based on the knowledge gained in the research phase, the current Safety Management System
was analysed in order to assess its effectiveness. The conclusion was that the priority of
Safety Management Systems is Accident and Incident Investigation, while Safety Assessment is
neglected, and there is no coherent approach to understanding how the system works. The Safety
Management System therefore rests on an unbalanced and inefficient approach.
• Following the findings above, it was analysed whether the FRAM method could meet the
challenges discovered in the Safety Management System. It was concluded that FRAM would fit
perfectly into the Safety Management System because it brings new ideas regarding system
complexity and represents the proactive side of the analysis, thus complementing the current
philosophy and way of working.
• The next step was to address the specific features that FRAM could bring to the three
systematic elements of the Safety Management System and to determine which of them could benefit
most from using the method. A comparison between the current methodologies and FRAM was
carried out and the following conclusions were reached:
  - Accident and Incident Investigation is a reactive process while FRAM is a proactive
    method; there is therefore no valid reasoning for using the FRAM method for this
    purpose. FRAM could be used as a complementary method, because it can provide an
    overview of the event, but the conclusion is that the effort involved is not
    proportional to the impact on the safety of the system.
  - From a theoretical point of view, FRAM appears to be the perfect methodology for Risk
    Assessment and Management; it could even replace the traditional methods completely,
    because it includes all their advantages and, in addition, brings a new perspective that
    will help in implementing the changes of the near future.
  - FRAM could be a great asset for the Management of Change process, because its ability
    to connect performance variability with the changes taking place in the system helps to
    minimise the discrepancy between "work-as-done" and "work-as-imagined"; achieving this
    leads to safer Air Traffic Management (ATM), a relaxed working environment for
    operators and reduced costs for the organisation.
• The conclusion is that FRAM appears to be the right methodology for complementing or even
replacing the methods used today for Risk Assessment and Management and Management of
Change within the air traffic Safety Management System.
• This theoretical finding is demonstrated through a case study that compares the Bowtie and
FRAM methods for assessing the risk produced by a change in the air traffic control (ATC) system.
The programmes used were FMV and BowtieXP, and the necessary information was gathered
during the internship at DFS Deutsche Flugsicherung. The study illustrated that Bowtie helps to
represent linear cause-effect connections, while FRAM describes the dynamic interactions within
complex socio-technical systems by describing non-linear dependencies, variability, and their
impact on the system; FRAM can therefore bring major improvements to Risk and Change
Management.
The main conclusion of this thesis is that the FRAM method brings the appropriate perspective and
framework for carrying out Risk Assessment and Management and Management of Change
efficiently, both in the current context and in view of the future development of Air Traffic
Management.
1. Introduction. The Need
European airspace is now in a period of rapid technological and political change. The Single
European Sky ATM Research (SESAR) project has as primary objectives to handle 3 times more
traffic, to reduce environmental impact per flight by 10%, to cut Air Traffic Management cost per
flight by 50% and to improve Safety by a factor of 10 by 2020. Consequently, in the near future, the
European Air Traffic Management system will be facing major structural, functional and
organisational changes in order to comply with the increased air traffic flow while simultaneously
improving safety.
For most people, the common understanding of safety, denoted as Safety-I, is the absence of
unwanted outcomes such as incidents or accidents. Since the purpose of safety management is to
achieve and maintain that condition, safety goals are defined in terms of achieving that acceptable
number. In the current context of aviation, this approach has become ineffective. [1]
An important underlying assumption of Safety-I is that we can understand our systems by
looking at their components and how these function or malfunction (as failures, errors). Another
important assumption is that the reasons why things go wrong are different than the reasons why
things go right. These assumptions are no longer valid; therefore, methods built on these assumptions
can no longer be efficient. New tools and methods need to be developed. [1]
Safety-II accepts that we cannot understand our system entirely. Instead of looking only at
adverse events, Safety-II focuses on everyday work and situations where things go right. Safety-II
does not define safety as the absence of adverse events, but as the presence of successful everyday
functioning. The foundation of Safety-II is that performance adjustments are ubiquitous and that
performance therefore always is variable; the ability to make performance adjustments is an essential
human contribution to work, without which only the most trivial activity would be possible. [1]
While Safety-II emphasizes the importance of understanding how everyday work succeeds, it
is, of course, still necessary to spend time understanding failures. This concept is known as Resilience
Engineering. A system is said to be resilient if it can adjust its functioning prior to, during, or
following events (changes, opportunities, and disturbances) and thereby sustain required operations
under both expected and unexpected conditions. The focus of resilience engineering is therefore both
situations where things go wrong and where things go right. [1]
The FRAM is an analysis tool that reflects Resilience Engineering and Safety-II thinking. The
development of the FRAM coincided with the development of Resilience Engineering as an
alternative to traditional safety thinking and the FRAM can be seen as a tool for this new way of
looking at safety. [1]
Although FRAM seems to be promising, it is not yet used in ATM. This thesis serves as a
starting point to identify and evaluate possible fields of application for FRAM in the SMS context.
2. State of the Art
2.1. FRAM-General Information
2.1.1. Motivation and Purpose
FRAM is a method that recognizes successes as the flip side of failures. In other words,
FRAM follows the Safety-II concept, focusing on understanding the everyday activities that
generally generate positive outcomes, rather than failures and their nature. FRAM looks into the
reasons why things go, or might go, wrong by first describing how things go, or should go, right in a
complex system, so that the discrepancy between work-as-done and work-as-imagined is kept to a
minimum. [2] In Hollnagel's view, the method is bidirectional, meaning that it is able to analyze
past events as well as possible future events in order to provide a comprehensive picture of the
status and resilience of a system in present and future times. Its purpose is to build a model of how
things work rather than to interpret what happens in terms of a model. What makes FRAM unique is its
dynamic, wider approach to safety and the principles that stand behind its philosophy. [3]
According to other users, FRAM on its own can be most useful for modelling the system at a
high level of abstraction [4]; FRAM also forces consideration of the different contextual aspects that
are usually not included in a traditional analysis, and its application felt more intuitive because it
does not require consideration of failures and absolute consequences. [5]
2.1.2. FRAM Principles
2.1.2.1. The Equivalence of Failure and Success
This principle states that failures and successes have the same origin, and it implies
that it is necessary to study both in order to understand how a system works. Usually, when thinking
about safety, the concern is projected on failures, and a great amount of effort is invested in
understanding the unexpected and almost none in understanding how or why things go right in the
first place. This limited desire to understand is generated by the assumption that positive outcomes
are a consequence of a good design of the system, while negative outcomes happen due to the failure
of several parts of the system, which is usually translated as the poor performance of somebody. What
this assumption actually says is that these two kinds of outcomes have completely different causes,
which is an unreasonable argument because the intention is always to do the right thing, and the
decision-making process that leads to a particular choice is based on expectations rather than on the
actual outcome. Failures and successes are equivalent in the sense that one can only say whether the
preceding action was right or wrong after the outcome is known. [3]
2.1.2.2. The Approximate Adjustments
The second principle of FRAM philosophy that Hollnagel developed from scratch refers to
performance variability in complex systems. Hollnagel together with David Woods reached the
conclusion that the main characteristic of a complex system is ‘surprise’, an event that is impossible
to predict; therefore, complex systems such as socio-technical systems can only be partially understood.
This means that actual work is never completely in agreement with what was expected or
predicted. [2]
“In order to carry out work it is therefore necessary to constantly adjust performance to fit the
existing conditions (resources, time, tools, information, requirements, opportunities, conflicts,
interruptions). These adjustments are made by individuals, by groups and by organizations and take
place at all levels, from the performance of a specific task to planning and management.” [6] pp. 17
These adjustments are part of the work-as-done in every complex system and they need to be
understood because they are the reason why things mostly go right, but also the reason why they
occasionally go wrong. This performance variability is a strength because it is the only way to cope
with complexity, and it is often the primary reason why socio-technical systems function as well as
they do. It is in the nature of human beings to be adaptable and to find effective ways of overcoming
problems and difficult situations, to anticipate, to manage risk, etc., and these capabilities are
crucial for both safety and productivity. [7]
This duality of performance variability needs to be addressed when talking about safety, and
FRAM is an assessment method that is able to do that. [3]
Figure 2.1.2.2.1-The principle of approximate adjustments [6]
2.1.2.3. The Principle of Emergent Outcomes
The English philosopher George Henry Lewes (1817-1878) was the first to use the term
‘emergent’; he described emergent effects as being neither additive nor predictable from
knowledge of their components. In contemporary vocabulary this means that the effects are non-linear
and that an explanation of an event in terms of cause and effect is neither accurate nor appropriate,
especially in complex systems. This is due to the interconnections between elements and the fact that
things happen in such a way that they cannot be explained; therefore, it is impossible to apply the
decomposition principle. An unwanted outcome cannot be explained by saying it is caused by something,
but by explaining how consequences arise. Error and everyday work can be explained as emerging from
variability rather than as a cause of it. This means that the outcomes can no longer be attributed to
malfunctions or defects in specific components or parts. [3]
Figure 2.1.2.3.1-Resultant Outcome [6]
“Figure 2.1.2.3.1 shows how the emerging outcome can be seen as being produced by unstable
(short-term) combinations of states and events. The consequences can however not be explained as an
effect of specific components or functions. Instead the incident occurs because of conditions that are
transient or temporary. The ’causes’ are configurations of states and events that existed at a certain
point of time. Their existence may be inferred, but they cannot be found. The outcome is a stable
change in the system or its parts.” [6] pg 19
2.1.2.4. The Principle of Resonance
In physics, resonance is the tendency of a system to oscillate with greater amplitude at some
frequencies than at others. Frequencies at which the response amplitude is a relative maximum are
known as the system's resonant frequencies, or resonance frequencies. These frequencies can produce
large amplitude oscillations, because the system stores vibration energy. There are three types of
resonance.
Classical resonance is the phenomenon whereby a system oscillates with larger
amplitude at some frequencies than at others. At these frequencies even small external forces, if
regularly applied, can produce large oscillations, which may seriously damage or even destroy the
system. This phenomenon has been known at least since ancient Greece. An illustration of it and its
effects over time can be seen when a child is swinging. [6]
Figure 2.1.2.4.1-Classical Resonance [8]
Another type of resonance is stochastic resonance. It can be defined as “the enhanced
sensitivity of a device to a weak signal that occurs when random noise is added to the mix.” This
means the outcome of stochastic resonance is non-linear. This concept can be used to understand how
unexpected things happen. The disadvantage of this type of resonance is its randomness, whereas in
safety it is necessary to be more precise and able to predict what may happen in a deterministic
sense. [6]
Figure 2.1.2.4.2-Stochastic Resonance [8]
The third type of resonance, on which FRAM is founded, is called functional resonance.
It is based on the fact that the variability of a number of functions may sometimes coincide, thus
influencing each other. This can cause unusually large amplitudes for one or more functions (leading
to positive or negative outcomes). Therefore, functional resonance is defined as “the detectable signal
that emerges from the unintended interaction of the everyday variability of multiple signals.” As a
phenomenon, functional resonance describes the performance variability in a socio-technical system.
This variability emerges due to the multiple approximate adjustments that are the basis for daily work
activities. The approximate adjustments can be perceived as a number of short-cuts or heuristics,
which means that performance variability is in some ways predictable. Functional resonance offers
the means to understand outcomes that are both emergent and non-linear in a way that makes them
controllable. [6]
Figure 2.1.2.4.3-Functional Resonance [8]
FRAM uses resonance as an alternative to cause-effect relations, but as an analogy and
not literally. The value of this concept is that it overcomes some important limitations of
traditional Safety-I thinking. [6]
2.1.3. How to use the method
FRAM provides, in a systematic way, a description or representation of how an activity
usually takes place. The event is described in terms of the functions that are necessary to perform the
activity, the potential links between the functions and the typical variability of the functions. [3]
There are four essential steps to be followed:
Step 1. Identify essential system functions, and characterize each function by six basic parameters.
Step 2. Characterize the potential variability by addressing the interconnection between human,
technological, and organizational aspects of each function.
Step 3. Define the functional resonance based on possible dependencies among functions and the
potential functional variability. The links between functions are found by analyzing functions and
identifying common or related aspects. These links may then be combined to illustrate how the
variability of one function may have an impact on another and on the system.
Step 4. Identify damping factors for the variability identified and specify the required monitoring.
FRAM is able to distinguish between normal variability and unwanted variability. [3]
2.1.3.1. Functions Description. The 6 Aspects
In engineering, a function means a specific process, action or task that a system is able to
complete. [9]
A function in human factors represents the actions or activities, simple or complex, “which are
required to produce a certain result. A function usually describes what people -individually and
collectively- have to do to perform a specific task and thus achieve a specific aim.” A function can
also be linked to an organisation. Functions can be automated, interactive or socio-technical. [3]
The Six Aspects
Input = the entry data for the function, from which the output is generated. It can represent matter,
energy or information, or it can be an activity which activates the function or provides energy for its
development. For example, in aviation it might be a clearance or an instruction which has to be
detected by the function. The input is usually a noun. [3]
Output = the result of the function, that is, the result of processing the input in the defined time
frame and conditions. Like the input, it can represent material, energy or information. It describes a
change of state of the system or of one or more output parameters, or it can be the start of a new
function. The output is described as a noun. [3]
Precondition = in almost every case a function cannot start before its preconditions are established.
The preconditions are always there and they need to be taken into consideration when describing a
function. They can be understood as system states or as conditions that need to be verified and
accomplished before the function can start. However, a precondition does not itself constitute the
signal that starts the function. A precondition must always be an output from another function. The
description is a noun or a noun phrase. [3]
Resource (Execution Condition) = something that is needed or consumed while a function is carried
out. Besides what the 3 aspects described above can represent, a resource can also be a
competence, software, tools, manpower, etc. There are two types: a proper resource, which is consumed
by the function and so diminishes with time, and an execution condition, which only needs to be there
while an action is active. [3]
Control = that which supervises or regulates a function. It can be a plan, a schedule, a procedure, a
set of guidelines or instructions, a program, etc. Another type is social control, which can be
external, like the expectations of others, or internal, like a person's own expectations and what
he/she imagines others expect from them. [3]
Time = represents the way time can interfere in the output of a function. These temporal relations are a
form of control when time represents the sequencing conditions. [3]
2.1.3.2. Relations between functions. The Aggregation of Variability
FRAM is a qualitative approach generating a functional (rather than structural) model of the
relationships between sub/systems. [18] FRAM analysis starts from the functions themselves and the
description of their aspects. This is a great advantage because it helps to better understand the
interconnections and the way they constitute the system. [3]
In FRAM, changes and relationships are defined by aspects of functions. The term used for the
relationships is ’coupling’, and the dependencies are called ’potential couplings’ because possible
relationships or dependencies are described for a typical but not specific situation. These couplings are
often ’many to many’.
The first step in understanding how functions can be interconnected is to characterize the
variability. The analysis focuses more on the variability of the Output because, if the performance of a
function is variable without this being reflected in the Output, then the variability is in principle not
important. On the other hand, if the Output of a function is variable, then it becomes interesting
because it determines the quality of the Output. [3]
Hollnagel describes three different reasons why the Output of a function is variable: [6]
• The variability of the Output can be a result of variability of the function itself because of
its uniqueness or character. This is called internal or endogenous variability.
• The variability of Output may be linked to the work environment. This is called external
or exogenous variability.
• The variability of Output may appear due to variability of the Output from upstream
functions. This type of coupling is the basis of functional resonance and is called
functional upstream-downstream coupling.
The variability of a function can also be due to a combination of those three: internal
variability, external variability and upstream-downstream couplings. [6] After the sources of variability
have been identified, the next step is to describe how the variability will appear in the function’s
output. The manifestations of variability can be described in two ways, one being efficient but not as
thorough, while the other is more thorough but not as efficient. The approach depends on the
results wanted for different systems. [3]
Figure 2.1.3.2.1-Couplings for Function E [6]
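The six aspects and the Output-based couplings described above can be written down as a small data model. The following Python is an added example, not code from the thesis, from Hollnagel or from the FMV tool; the function names, the labels, the five-function model and the rule of matching couplings by identical label text are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Aspects of a downstream function that can receive an upstream Output.
INCOMING = ("input", "precondition", "resource", "control", "time")


@dataclass
class Function:
    """One FRAM function (hexagon) with its six aspects as label sets."""
    name: str
    input: set = field(default_factory=set)
    output: set = field(default_factory=set)
    precondition: set = field(default_factory=set)
    resource: set = field(default_factory=set)
    control: set = field(default_factory=set)
    time: set = field(default_factory=set)


def potential_couplings(functions):
    """List (upstream, label, downstream, aspect) for every matching label."""
    found = []
    for up in functions:
        for label in up.output:
            for down in functions:
                if down is up:
                    continue
                for aspect in INCOMING:
                    if label in getattr(down, aspect):
                        found.append((up.name, label, down.name, aspect))
    return sorted(found)


def unsupplied_preconditions(functions):
    """Preconditions that are not the Output of any other function."""
    problems = []
    for f in functions:
        supplied = set().union(*(g.output for g in functions if g is not f))
        problems += [(f.name, p) for p in sorted(f.precondition - supplied)]
    return problems


def downstream_of(functions, source):
    """Functions that variability in source's Output can reach via couplings."""
    edges = {}
    for up, _label, down, _aspect in potential_couplings(functions):
        edges.setdefault(up, set()).add(down)
    reached, frontier = set(), [source]
    while frontier:
        for nxt in edges.get(frontier.pop(), ()):
            if nxt != source and nxt not in reached:
                reached.add(nxt)
                frontier.append(nxt)
    return sorted(reached)


# Constructed model (hypothetical labels, not taken from the thesis case study).
MODEL = [
    Function("Plan sector traffic", output={"traffic plan"}),
    Function("Provide surveillance", output={"radar picture"}),
    Function("Issue clearance", input={"pilot request"}, output={"clearance"},
             precondition={"radio contact established"},
             resource={"radar picture"}, control={"traffic plan"}),
    Function("Read back clearance", input={"clearance"}, output={"readback"}),
    Function("Monitor compliance", input={"readback"},
             resource={"radar picture"}, control={"traffic plan"},
             output={"compliance status"}),
]

if __name__ == "__main__":
    for coupling in potential_couplings(MODEL):
        print("%s --[%s]--> %s (%s)" % coupling)
    print("unsupplied preconditions:", unsupplied_preconditions(MODEL))
    print("reached from surveillance:",
          downstream_of(MODEL, "Provide surveillance"))
```

The unsupplied precondition reported for "Issue clearance" marks a place where the constructed model is incomplete with respect to the rule that a precondition must be an output from another function.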
2.1.3.3. Graphical Representation of a FRAM Model
A FRAM model uses hexagons to represent functions without defining a specific orientation or
order. “An instantiation of the FRAM model shows how a subset of functions can be mutually coupled
under given conditions or within a given time frame. The couplings contained in a specific
instantiation are assumed to be stable during the scenario.” [6]
Figure 2.1.3.3.1-The six aspects of a function or an activity [6]
2.1.4. How to interpret a FRAM Analysis
“The final step in a FRAM analysis is to propose ways to manage the possible occurrences of
uncontrolled performance variability-or possible conditions of functional resonance” that have been
found in the model and to show how they spread through the system. In order to detect this unwanted
performance variability, it is necessary to define indicators referring to functions or aspects of
functions. [10]
The analysis shows the daily way of working and emphasizes the problematic areas that need to
be taken care of. Once the issues have been found, monitoring and damping solutions are used.
FRAM can be used as a way to detect and manage undesired variability. Therefore, performance
indicators may be developed for every function and every link between functions. [10]
2.2. Catalogue of FRAM Examples. Discussion
The following catalogue of examples shows that the FRAM method can be used for various
purposes and in different domains. It is basically a statement that FRAM and its philosophy are suited
for any complex system where traditional linear thinking no longer gives results. Another
interesting aspect is the variety of users that have applied the method, from PhD students to quality
managers in health care systems to operational researchers, investigators and physicians, which
emphasises the fact that the method is easy to understand and its application is not rocket science.
| Title | Description | Model | Discussion | Source |
|---|---|---|---|---|
| Patient with Spinal Fracture - Danish Health Service | The example describes the case of a patient with a spinal fracture, where an inappropriate treatment was reported. The purpose of the investigation was to understand how the GP could misunderstand the work-up results for the patient. | [figure] | The analysis indicated that the patient had a different course in the process than usual, and this led to the important information being missed. The analysis also revealed that the GP performed his job according to his normal routine. | [6] |
| Alaska Airlines flight 261 accident | Alaska Airlines flight 261 crashed into the Pacific Ocean after airplane pitch control was lost as a result of the in-flight failure of the horizontal stabilizer trim system jackscrew assembly's acme nut threads (NTSB, 2003). | [figure] | FRAM barrier vocabulary enabled the specification of damping factors where undesirable variability was expected or detected. The second effort in safety management is therefore the monitoring of variability and the examination of when this variability is undesired. | [11] |
| Communication and handover in Health Care Settings | Systematic risk assessment prior to the adoption of any technological or procedural solution regarding communication and handover, which was recognised as a threat to patient safety, in order to ensure that risks have been properly understood. | [figure] | FRAM practitioners were able to structure their reasoning about what happens when the pre-alert is not perfect and provide insights of how the dynamic of the system may be affected. The vulnerabilities in the emergency care pathway were identified and an assessment of their potential impact was provided. It was concluded that the handover between paramedic and triage nurse is a critical activity. | [5] |
| Comair flight 5191 accident in Lexington, KY | The aircraft taxied out uneventfully and then inadvertently proceeded to depart from the shorter general aviation runway. The aircraft became momentarily airborne after it struck an earthen berm, then collided with trees, and crashed. | [figure] | The FRAM method built up an explanation of the accident addressing all contributing factors going behind human error. The NTSB recommendations consisted mainly of constraining performance to ensure procedure compliance but do not consider managing performance or controlling the sources of performance variability. | [12] |
| DFS MSAW Safety Assessment | Safety assessment focused on the evaluation of the impact of the new ground-based safety net system, MSAW, in the ATM. Specifically, FRAM was used to assess potential emergent risks for an ad hoc landing approach scenario at Stuttgart airport. | [figure] | Illustrated how an inappropriate enabling of the alert transmission in combination with a “trivial” anticipation of a clearance could result in degraded performance of the Monitoring function. Indicates that degradation, and therefore the risk of something going wrong, does not result from a direct cause-effect link between an MSAW function and the Monitoring function. | [13] |
| NAX541 incident - Late runway change | A Norwegian Air Shuttle Boeing 737-36N was en route from Stavanger Sola airport to Oslo airport (OSL). Approaching the destination, the crew had to initiate a go-around (GA) due to several contributing factors. | [figure] | FRAM sketches a ‘functional slide show’ with its illustrations of functions, aspects, and emerging links between them in instances, indicating the what and when, and common performance conditions, variability, and functional resonance, indicating why. FRAM provides a more thorough understanding of the incident in relation to how work is normally performed. | [14] |

Table 2.2.1-Catalogue of FRAM examples
In each of the examples gathered, the overall conclusion was that FRAM has a different
approach compared with traditional methodologies. It brings a new and ample perspective regardless
of the application and domain.
Throughout their experience with the method and its application, diverse users have identified
some of the features that make the method unique and useful in various applications. Some of
these critical opinions have been collected in order to emphasize the method’s relevance.
”FRAM focuses on variability and possible situations of resonance rather than on failures and
cause-effect links. FRAM provided insights into how the system dynamic is affected by small
variations in system functions.” [5]
“The relationships between constraint, constraint management, and functional representations,
have been interpreted in a new way through the functional resonance analysis thinking of FRAM. It
thus provides an alternative to the modelling of constraints and functions that overcomes certain
limitations of established modelling methods.” [15]
“FRAM can make it easier to identify potential risks in the future use of the modelled system,
by combining common performance conditions and variability phenotypes with couplings among
functions.” [16]
“FRAM has the potential to describe and analyze functions involved in adversarial C2, and
enables the analyst to specify the constraints on own and adversary functions, in order to identify
strengths and weaknesses in function performance on both sides, which may be used to determine
which actions to plan for in order to provide for agile command and control. The FRAM methodology
has been successfully extended to allow for the description of military activity at the tactical and
operational levels and their relationship to command and control functions.” [17]
”With the increasing emergence of large scale and complex systems, including those that
evolve independently of a central organizing architecture, the importance of techniques such as FRAM
that allow the exploration of system behavioural and complexity effects will become increasingly
critical to architecting systems that are safe by design.” [18]
FRAM is a method that challenges most of the traditional methods and brings a new view
of how complex systems should be approached. It is based on a different mentality, which is hard to
assimilate; therefore, research regarding its practicality is still being conducted. Some of the
challenges found are gathered below.
”The functional resonance analysis method, thus also in its early development, needs to be
developed further to supply guidance to analysts in order to generate consistent results and be
generally more understandable for a wider audience, as each of the steps in the method is currently
underspecified to some extent. It has not been the purpose of this thesis to write detailed guidance on
the application of the method, but such detailed specification with many more examples than have
been shown here in a handbook would be desirable.” [15]
“The method would need to be further developed, applied, and evaluated in field studies of
actual military operations, in order to reach its full potential.” [17]
Some other relevant papers compared FRAM with several traditional methods in order
to reach a conclusion regarding FRAM's suitability and efficiency for the purpose in question.
Some of the results are indicated below.
”When practitioners compared the application of FRAM with FMEA, they noted essentially
two differences. First, FRAM forces consideration of the different contextual aspects that are usually
not included in such a systematic way in the simple sequential process maps that form the basis for the
application of FMEA in healthcare. Second, FRAM felt more intuitive because it does not require
consideration of failures and absolute consequences. Practitioners felt more comfortable reasoning
qualitatively about possible sources of variation. This way of reasoning could provide some further
insights into the severity classification derived by the application of FMEA. For example, the
application of FMEA to the pre-alert, provided estimates that not receiving a pre-alert could lead to the
death of the patient. However, using FRAM, practitioners were able to structure their reasoning about
what happens when the pre-alert is not perfect and provide insights of how the dynamic of the system
may be affected. This is, of course, different and complementary to the assessment of the worst
credible outcome.” [5]
“The main finding is that STEP helps to illustrate what happened, whereas FRAM illustrates
the dynamic interactions within socio-technical systems and lets the analyst understand the how and
why by describing non-linear dependencies, performance conditions, variability, and their resonance
across functions.” [14]
2.3. Safety Management System in ATM
2.3.1. Description of ATM
2.3.1.1. Definition. Objectives.
Air Traffic Management as defined by ICAO is ‘’the dynamic integrated management of air
traffic and airspace including air traffic services, airspace management and air traffic flow
management-safely, economically and efficiently-through the provision of facilities and seamless
services in collaboration with all parties and involving airborne and ground based functions’’ [19]
In other words, Air Traffic Management is the system that manages complex processes and
procedures, complex technological systems, information and human resources in order to ensure the
most efficient use of the airspace in a safe manner. [20]
Air Traffic Management primarily consists of three activities:
• Air Traffic Control
• Air Traffic Flow Management
• Aeronautical Information Services [20]
2.3.1.2. Complexity
Following the ICAO definition, the ATM system can be considered as a set of interacting
components that have to complete a certain mission and provide a certain service. It is a complex
system because of this integration of sub-systems that perform complicated functions, involving
technical and also other functional issues. [19]
ATM complexity is related to several factors such as system size, the interconnections between
the diverse actors that share the airspace, the constraints and boundaries of the system, etc.
However, the factors that contribute the most to this state of the system are the uncertainty factors,
such as weather and performance variability. For this reason, the complexity of ATM is mostly
transferred to the ATC sub-system, which is ultimately responsible for safety and efficiency.
In order to ensure safety in such a complex system, a standard framework and a systematic
system was created: the Safety Management System.
In the next subchapter some relevant SMS components will be reviewed.
2.3.2. Safety Management System
ICAO defines safety management system as ‘’a systematic approach to managing safety,
including the necessary organisational structures, accountabilities, policies and procedures’’ [19]
A more explicit definition is given by EUROCONTROL through ESARR3 regulation as
follows: “Safety Management System (SMS) - A systematic and explicit approach defining the
activities by which safety management is undertaken by an organisation in order to achieve acceptable
or tolerable safety.” [21]
In the ATM industry, the level of SMS development and implementation differs from one
ANSP to the other. Some are still in the early stages of implementation while others are very mature
systems, which are fully integrated into the operations. [22] The following analysis will be related to
the latter.
There are three regulatory frameworks for SMS in Europe:
• ICAO Annex 11 - Air Traffic Services
• EUROCONTROL ESARR 3 - Use of Safety Management Systems by ATM Service
Providers
• CANSO Standard of Excellence [22]
For the purpose of this study I will use the latter, given the fact that it provides an advanced
statement of precise actions and requirements that need to be followed in all four functional
components of the SMS, combining both ICAO and EUROCONTROL requirements and regulations.
The CANSO Standard of Excellence consists of a system enabler (Safety Culture) and a
framework of five components addressing 16 elements. The structure is presented below:
Figure 2.3.2.1-SMS Framework [23]
The components that concern this thesis are Safety Risk Management and Safety
Assurance, mainly because they complement each other and need to be linked. The diagram below
shows the link between the two functions. From these two components, the main elements
concerning the systematic actions which are interesting for the purpose of this thesis are:
• Risk Management Process
• The Management of Change
• Safety Reporting, Investigation and Improvement
The understanding of these elements and of the methods used will serve to further analyze whether
the application of FRAM can provide benefits in these systematic areas of the Safety Management System.
2.3.2.1. Risk Management Process
Each ANSP must develop and implement a risk management process which can permit the
identification of hazards, risk assessment and mitigation. [24]
The scope of risk assessment and mitigation activities is usually dependent on the safety
significance of the system. Other factors, such as the complexity of the system, may also influence the
scope of the assessment. [24]
Risk Management process should primarily be focussed on the operational units. ACC or
TWR are examples of operational units to deal with. For example, significant equipment in operational
units may be specifically considered through further risk assessment and mitigation actions. [24]
The figure below illustrates the Risk Management framework.
Figure 2.3.2.1.1- Risk Assessment Framework [25]
Risk assessment methods have been developed over a number of years in a variety of different
branches of industry. There are several techniques developed for each step of the safety analysis, but
there is no method that can enclose all these steps, especially in case of the overall system.
This thesis is interested in those methods that look at all the system components and the most
popular ones are the Fault Tree Analysis and the Bowtie Analysis methods.
Fault Tree Analysis Method (FTA)
Fault Tree Analysis is the most common method used to look at all aspects of a system,
determining the possible causes of a hazard, whether single or multiple. A fault tree uses Boolean
AND/OR gates to model causal relationships between events, usually unwanted events. [27]
Although the Boolean logic gates in Fault Tree Analysis allow actual failure probabilities to be
integrated into the model, this information is seldom available due to the costs of testing and
human influence on the system. [27]
Figure 2.3.2.1.2 -FTA [28]
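The gate logic described above, as an added example that is not part of the thesis or its sources: a small fault tree is reduced to its minimal cut sets and its top-event probability is computed exactly, then compared with a gate-by-gate calculation that goes wrong when one basic event feeds two gates. The tree, the event names and the probabilities are constructed for illustration, and basic events are assumed to be statistically independent.

```python
from dataclasses import dataclass
from itertools import product
from math import prod


@dataclass(frozen=True)
class Basic:
    """A basic event (leaf of the fault tree)."""
    name: str


@dataclass(frozen=True)
class Gate:
    """A Boolean gate combining its inputs; kind is "AND" or "OR"."""
    kind: str
    children: tuple

    def __post_init__(self):
        if self.kind not in ("AND", "OR"):
            raise ValueError(f"unsupported gate kind: {self.kind}")
        if not self.children:
            raise ValueError("a gate needs at least one input")


def occurs(node, state):
    """Evaluate the tree for one assignment of basic events (name -> bool)."""
    if isinstance(node, Basic):
        return state[node.name]
    inputs = [occurs(child, state) for child in node.children]
    return all(inputs) if node.kind == "AND" else any(inputs)


def minimal_cut_sets(node):
    """Smallest combinations of basic events that are enough to cause the top event."""
    if isinstance(node, Basic):
        return {frozenset([node.name])}
    child_sets = [minimal_cut_sets(child) for child in node.children]
    if node.kind == "OR":
        combined = set().union(*child_sets)
    else:  # AND: one cut set from every input must hold at the same time
        combined = {frozenset().union(*combo) for combo in product(*child_sets)}
    # Drop every set that strictly contains another cut set.
    return {s for s in combined if not any(other < s for other in combined)}


def exact_probability(node, probs):
    """Sum the probability of every basic-event state in which the top event occurs.

    Exponential in the number of basic events, so only suitable for small trees,
    but correct when a basic event appears under several gates.
    """
    names = sorted(probs)
    total = 0.0
    for bits in product((False, True), repeat=len(names)):
        state = dict(zip(names, bits))
        if occurs(node, state):
            total += prod(probs[n] if state[n] else 1.0 - probs[n] for n in names)
    return total


def gate_by_gate_probability(node, probs):
    """Multiply through the gates as if all gate inputs were independent.

    Only valid when no basic event is shared between branches.
    """
    if isinstance(node, Basic):
        return probs[node.name]
    child_p = [gate_by_gate_probability(child, probs) for child in node.children]
    if node.kind == "AND":
        return prod(child_p)
    return 1.0 - prod(1.0 - p for p in child_p)


# Constructed tree: the top event needs both the main and the backup picture to be lost,
# and a power loss takes out both at once (a shared basic event).
RADAR = Basic("radar_failure")
BACKUP = Basic("backup_display_failure")
POWER = Basic("power_loss")
TOP = Gate("AND", (Gate("OR", (RADAR, POWER)), Gate("OR", (BACKUP, POWER))))

# Constructed probabilities, not measured values.
PROBS = {"radar_failure": 0.01, "backup_display_failure": 0.02, "power_loss": 0.001}

if __name__ == "__main__":
    for cut_set in sorted(minimal_cut_sets(TOP), key=len):
        print("minimal cut set:", sorted(cut_set))
    print("exact P(top)       :", exact_probability(TOP, PROBS))
    print("gate-by-gate P(top):", gate_by_gate_probability(TOP, PROBS))
```

The single-event cut set is the shared power loss, and it dominates the exact result; the gate-by-gate figure is about five times too low because it treats the two branches as independent.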
Bowtie Analysis Method
The Bowtie method is a risk evaluation method that can be used to analyze causal
relationships in high risk scenarios. A Bowtie diagram gives a visual summary of all plausible accident
scenarios that could exist around a certain Hazard and identifies barriers to control those scenarios.
[28]
The left side of the Bowtie diagram consists of a simplified Fault Tree (without possibilities),
while the right side of a Bowtie diagram resembles an Event Tree. However, the Bowtie method is not
looking for probability or frequency information but rather making sure that the controls are working
properly. [27]
Figure 2.3.2.1.3-Bowtie Framework [29]
Terminology
• Hazard - potential source of harm to people, assets, the environment and reputation
• Top Event - the incident that occurs when a hazard is realized
• Threats - what could cause the top event to occur
• Consequences - what could happen if the top event occurs
• Barrier - what is preventing or reducing the likelihood of a threat
• Recovery Measure - what prevents, minimizes or helps recovery from the consequence
• Escalation Factor - what could prevent the barrier or recovery measure from working properly
• Escalation Factor Control - what prevents or minimizes the chance of barriers or
recovery measures becoming ineffective [30]
Bowtie Steps
Figure 2.3.2.1.4-Bowtie Analysis Steps [30]
2.3.2.2. Management of Change
The service provider shall develop and maintain a formal process to identify changes which
may affect the level of safety risk and to identify and manage the safety risks that may arise from those
changes. Change appears due to a number of factors including, but not limited to:
• Organizational expansion or contraction
• Change to internal systems, processes or procedures
• Changes to the operating environment [31]
A change may affect the effectiveness of existing safety risk mitigation strategies but may also
introduce new hazards and safety risks into the system. [31]
The Management of Change process is usually focused on making sure that new proposed
changes do not increase risk from a safety perspective. This means that all possible impacts of a new
operation or system should be assessed, and their combined risks determined. This analysis involves
considering the scope of the assessment, and then identifying all possible hazards and the severity of
their consequences. The analyst then determines how probable these failures are, as well as how likely
the system is to recover from such failures. This culminates in an overall risk estimate for the system.
[26]
Figure 2.3.2.2.1- Safety Action Plan [26]
Safety reviews
“Safety reviews are conducted during introduction and deployment of new technologies,
change or implementation of procedures, or in situations of a structural change in operations. Safety
reviews are a fundamental component of the management of change. They have a clearly defined
objective that is linked to the change under consideration.” [32]
2.3.2.3. Safety Investigation
Safety occurrences are events which happened due to a deviation from the desired system
state, resulting in loss or damage to equipment or personnel, or increased potential for such outcomes.
Every occurrence provides an opportunity to study how the deviation occurred, and to identify ways of
preventing it from happening again. [33]
The objectives of safety occurrence investigation are to:
• Establish what happened
• Identify the contextual conditions and organisational factors that contributed
• Review the efficiency of existing system controls and barriers
• Formulate recommendations
• Identify and distribute key lessons from the safety occurrence
• Detect trends that may highlight specific system deficiencies or recurring problems. [34]
Figure 2.3.2.3.1-Safety Occurrence Investigation Package [34]
A number of phases or steps are common to many occurrence investigation and reporting
systems. Each of these phases is considered and recommended practices are identified.
EUROCONTROL advises ATM service providers to address the investigation process as illustrated
below or in a similar way. [34]
Figure 2.3.2.3.2 -Elaboration of the Generic Phases in Occurrence Investigation [34]
Several methods have been developed for the purpose of occurrence investigation, of
which the most common is the SOAM analysis method.
SOAM-Safety Occurrences Analysis Method
SOAM is one of several accident analysis methods based on principles of the "Reason Model"
of organisational accidents (Reason, 1990, 1991). SOAM is a process for conducting a systemic
analysis of the data collected in a safety occurrence investigation, and for summarising this
information using a structured framework and standard terminology. SOAM draws on the theoretical
concepts of the Reason Model, but also provides a practical tool for depicting the inter-relationships
between all contributing factors in a safety occurrence. [35]
Figure 2.3.2.3.3-SOAM Framework [35]
The steps used in SOAM Analysis are the following:
Figure 2.3.2.3.4 -SOAM analysis key steps [35]
Regardless of the method used, the fundamental purpose of a safety investigation is the
prevention of further occurrences.
2.4. Chapter Conclusion
This chapter described the FRAM method and identified and detailed the systematic elements
of a SMS: Risk Management, Management of Change and Safety Reporting, Investigation and
Improvement. An analysis of FRAM integration in each one of the three elements will be conducted
in the following chapter.
3. Application of FRAM in SMS
The programmes running in the aviation industry today, such as SESAR and Single European Sky
(SES), have as a primary objective to increase capacity and efficiency, while safety gets only the second
place. Also, the world's leading aircraft manufacturers, Airbus and Boeing, are now building all their
aircraft with advanced technological features that will allow Continuous Descent Arrivals, flying on
4D flight paths and data-link communications. This rapid technological change mounts pressure on the
national ANSPs to reorganize the way airspace is structured and upgrade the ATM system so that the
aviation community can benefit from these technologies safely. By upgrading the ATM
system I mean investing in new ATC systems that will allow the ATCo to cope with the increasing
demand by offering features and applications that can detect alerts in advance or can provide solutions
in the short term, systems that will allow a more semi-automatic decision-making process. This
pressure will, in the end, be transmitted to the Safety Management Department, which will need to find
ways of handling these changes, propose solutions and keep the system safe.
Figure 3.1 - SESAR Performance Concept [36]
All this new technology (the change in airspace and in trajectory philosophies, automation, new
displays with new features and alerts, the minimization of displays, etc.) that is already implemented
or soon will be, will lead to a dramatic increase in the number of possible interactions between ATC
system components, and the ANSPs will have to find new practices to help them keep the situation
under control. This new vulnerability of the system will bring new challenges to the ATM System and
will force a change in mentality and in the way we used to think about failure. A complex
socio-technical system can fail even though all its components are working properly because of those
unexpected interactions, and this is why I believe an advanced safety framework needs to be
implemented in order to foresee these future changes and try to understand as much as possible how the
system will work and how variability impacts it.
Therefore, the SMS framework and its elements need to be improved. The historical
development of safety approaches, and associated safety assessment methods, from the age of
Technology to Resilience Engineering, shows how thinking about safety has changed in relation to the
evolution of technology and organisation. Up to the age of Safety Management, the changes in safety
approaches concerned mainly a broader scope of analysis. From being focused on technology, models
and methods acknowledged the need to include humans and organisations in the identification of
hazards and safety assessment. This acknowledgement required accident models to change from being
linear to being epidemiological, i.e. to recognise the contribution of multiple factors to accidents.
Despite the great changes which took place in their development, safety approaches shared a common
point: models and methods were interested exclusively in negative organisational outcomes, i.e.
catastrophes, accidents, incidents, near misses etc. In this decade, a proactive element (looking for
what goes right) needs to be added to the existing reactive approach.
The "faster, cheaper, better" approach should take a step back when talking about safety,
especially at this stage of civil aviation where change happens fast and adaptation is the key word.
ANSPs need to invest more in Safety in order to keep up with this rapid growth. There is room for
improvement in all the SMS elements, but I believe the improvements made to the systematic
elements will have the greatest impact on safety: Risk Assessment, Management of Change and
Occurrence Investigations, which are also the core of an SMS and whose modelling plays a major role.
New perspectives and systematic methods are needed in order to handle the traffic growth and capacity
issues and to cope with the increased level of automation. The complexity of Air Traffic Management
systems requires the application of methods able to capture the real system's dynamics and performance,
able to anticipate risks, to eliminate some of them (not all risks can be predicted and therefore
eliminated) and to create the conditions to cope with disturbances in an effective manner.
This chapter tries to determine whether FRAM could be an option for complementing the
current best practices for the systematic elements of the Safety Management System.
3.1. Modelling Methods-Why do we need them?
Aviation's top priority should be to ensure safe but efficient operations, and a great part of this
responsibility lies with the Air Navigation Service Providers because they are responsible for
managing the ATC socio-technical system. Due to the rapid growth of air traffic and the fast
development of aviation, the need emerged for a systematic approach to safety, a standardized
system, today the Safety Management System and its associated modelling methods. Modelling methods
are very important in SMS because they generate a framework which allows a deeper understanding of
the system and of the way it works, and which further allows you to take a systematic approach to it. The
purpose of the modelling methods is to represent the reality of our system in a graphical way and
to identify the things that are working well and the areas that need improvement in our system.
Regardless of the type of the modelling methods, quantitative or qualitative, they should allow the
users to represent the system as close to reality as possible and to capture "work as done" instead of
"work as imagined". The results of the modelling methods should be made available to all
engineering and managing decision-making levels and they should be made public at any
organizational level in order to increase the awareness about safety and help establish a Safety
Culture.
3.2. Discussion on SMS Approach
The main focus of a Safety Management System is the reactive processes, and its approach to
them is linear. This mentality is inherited from the industrial era, when the system and the tasks of
personnel were quite simple and could be split into parts because that was the way the system was
functioning. Take for example an assembly line, which is indeed a socio-technical system, but a simple
one, because each individual has his or her own machine to work with. This kind of system can be modelled
using just the traditional methods because the philosophy behind it is simple and therefore a
representation of it is very close to reality. There are no couplings between the tasks; they just
come one after another, and then of course if one of the tasks fails it will influence the others as in a
domino model. The traditional models made perfect sense at the moment when they were created
because the industry was simple and underdeveloped; there was no automation and there were no
interconnections between its functions. Nowadays this is not valid anymore. The complexity of our systems has
increased enormously due to the technology boom and the scale that our systems have reached. In this
whole equation safety plays a great role, and it needs to be involved in the whole system and get
updated. All the best practices used today in SMS are somehow based on those traditional models that
were developed during the 1950s, when the aviation industry and ATM had a different status; therefore I
question their ability to express the reality of our system. I wonder if the way safety is done nowadays
is actually having an impact on safety assurance, or are we feeding ourselves with invalid information
that does not help the system but, on the contrary, constrains it? How much does the system actually
have to adapt in order to maintain the acceptable level of safety? These are questions that need to be
asked and answered.
Interconnection is the word that describes the major industries in this decade and probably
many to come. Whether we talk about business, economics, healthcare or programming, they are all
described by connectivity. ATM started to adapt to this trend and started to realize the importance of a
Collaborative Decision Making programme that allows all the users of aviation to work together in
order to satisfy the demand. Now, Safety needs to do the same. It needs to realize that what defines an
ATC system today is the interconnections between all the elements, and it must make an effort to
understand the actual status of the system and to be able to recognize how future developments will
affect it. Safety needs to change its philosophy in order to keep up with the rapid growth and change of
the system, and management should encourage this because people are looking more and more to their
safety and health, and public opinion needs to be taken very seriously. The methods used now do not
look at the system as a whole and do not capture its dynamics as they should. What one can model
with the current methods are just parts of the system, for example one particular event or just one
particular hazard, and this cannot give you an effective overview of the system because all the
components of the system might work within limits but together could lead to disastrous
consequences.
Another drawback of the modelling methods used in SMS is the fact that they channel you towards
human error and they don't really give one the opportunity to go beyond this. This is also part of the
reactive mentality we talked about: that if all the subparts of the design of the system work, then it has
to be human error if something bad happens, which could not be more false. The "human error" means
nothing else than the fact that the system design, the procedures, the working position and the workload
were not tailored to the operators' needs and somewhere deep, at the system's origins, something is not working
as it should. Therefore the methods should let you look for these deeper issues of the system and
should help you bring them to the surface regardless of your biases as an employee. Also, risk assessment
methods should be used for system design and its impact on the operational site in order to prevent
a future discrepancy between ATCo needs and your new system.
In conclusion, the best practices used so far do not pay off very well due to the fact that the
focus of Safety Management Systems is set on occurrence investigations, with less on safety assessments
and almost no effort put into understanding the system. Waiting for something bad to happen before reacting is
clearly an unhealthy way of thinking, especially in aviation, because nothing can guarantee that bad things
won't happen even though there were no such events in the past. To be effective and efficient, safety
management cannot be based solely on hindsight. This point highlights the control problems that arise
from the attempt to steer safety by just looking at what has happened in the past, or waiting for
problems to emerge, before finding solutions. History has shown, and we can still see this in the
present (keeping in mind the accidents and incidents that happened in the last few years), that although
one can learn some things from accidents, this can definitely not prevent other accidents from
happening.
3.3. FRAM integration in SMS
FRAM is a method that supports the systematic way of thinking in the context of a complex
system, having already been used in engineering, health care and economics. Although it has a great
potential, it is not yet used in ATM.
To ensure safety, we must reconsider the idea of basing safety assessment only on an abstract,
simplified representation of the socio-technical system and instead represent the system in its normal
and functioning states as realistically as possible. This also includes realizing that the ATC system has become
so complex that we are not able to understand it completely. We will also need to foresee that
surprises will happen in the system, and in order to manage them we have to first acknowledge this
state of "uncertainty" and then train accordingly. This is the philosophy that stands at the base of
FRAM and this is what makes the model so unique.
The ATC system cannot currently work without humans and the way they adjust to situations
and keep the system safe most of the time; this is another issue that needs to be taken into
consideration and understood when the system's safety is examined. This performance variability, its
effect and the way it propagates through the system need to be understood in order to improve system
safety, and FRAM is the proper method to be used in this case.
Another feature that FRAM can bring to SMS is that it allows the users to integrate in
the model as many functions as they need in order to get to the desired analysis. There are no
limitations regarding the number of functions or the number of entries for each aspect, and this is very
helpful when you want a comprehensive and complete analysis of your system, a view that no other
traditional method can give, and with the proper knowledge this is very easy to accomplish.
With FRAM one can produce a model of the every-day performance instead of explaining
events in terms of an already existing method therefore focusing on identification and reduction of
emergent risk in the chosen dynamic environment.
FRAM is a qualitative method having no levels for failure or success, nor levels of wrong or
good actions, but resonant functions that indicate where there might be problems in the system and where
the areas that need attention and improvement are, and this way of thinking about a system or an
incident is in total conformance with the Safety II way of thinking and Just Culture.
In conclusion, FRAM could fit perfectly in SMS because it includes all the above mentioned
features and new ideas regarding system complexity and it can be at least a complementary method for
the systemic elements within the SMS. FRAM represents the proactive side of the analysis and is
filling the gaps of current philosophy. We shall see in the following subchapter which are the specifics
that FRAM could bring for three SMS elements: Risk Assessment, Management of Change,
Occurrence Analysis and which of them could benefit the most.
3.4. FRAM and Best Practices
We already commented on the systematic functions that exist in a Safety Management System
and we have seen that FRAM can bring a new perspective to SMS; the next step is to establish in
which of these three elements FRAM could contribute the most. At first glance, due to its affinity to
the proactive way of approaching Safety, FRAM could be more helpful for modelling the system,
finding hazards in the system in its current state or finding hazards that might appear due to a change
introduced in the system than for an accident or incident investigation, although the studies done so
far have focused on the latter. But this will be further analysed in the following discussion for each of the
three SMS systematic functions and through an analysis between the best practices and FRAM for
each of the three: Risk Assessment, Management of Change and Safety Investigations.
3.4.1. Discussion regarding Safety Investigations
Looking at the history of aviation disasters, one can see that not much was learnt from the study of
accidents and incidents, although a great part of the resources of an SMS department go in that
direction. Indeed, improvements of the system emerged from disastrous events, but the bottom line is
that the analysis of accidents or incidents did not prevent accidents from happening again, even in similar
conditions. They cannot, for several reasons: there is not yet a standard practice implemented nor
the associated taxonomy, the results of the analysis were not shared between ANSPs until recently, and the
contributing factors and the interconnections between them, the environmental conditions, the
procedures and the mindset of the controllers are not the same for another accident. When things
start cascading, there is always something different that emerges and can lead to unwanted events.
Another aspect that needs to be addressed is the discrepancy between FRAM's philosophy and
the ideology of the Safety Investigation systematic element in SMS. Occurrence Investigation is a reactive
process that looks at past events, trying to explain what went wrong by analyzing how and why things
happened in a certain way in order to identify gaps in the system and solve them through
recommendations. On the other hand, FRAM is based on the Safety II view, embracing the proactive side
of an analysis, looking at what is working well in the system and identifying areas that need
improvement by understanding the system variability. To sum up, one is a reactive process while the
other one is a proactive method, and this leads to the question: Does it make sense to use FRAM for
Safety Investigations? As discussed earlier, a lot of energy and effort is put into this reactive process
which, in the end, does not contribute very much to the system's safety; therefore there is no valid
reasoning for using the FRAM method for this purpose.
But before jumping to conclusions, we shall still make an analysis to verify if the reasoning is
correct. We shall review how occurrence investigations are approached using SOAM, the most
common occurrence investigation methodology, and discuss if FRAM could bring something to the
process that will have an impact on system’s safety.
The discussion starts by looking at SOAM and its approach for the occurrence investigation
process. The first step is finding advantages and challenges in the current methodology that will be
further discussed in relationship with FRAM in order to analyze if FRAM could bring a contribution
to the process or not.
| Advantages | Challenges |
|---|---|
| Conducting systemic analysis of the data collected | No broad overview of the event |
| Identify contributing factors | Depicting relationships between factors in a causal way |
| Structured and simple framework | Use of decomposition principle |
| Usage of taxonomy | |
| Identify systems' countermeasures | |
| Comprehensive output | |
| Identify safety issues | |
| Integrated with the reporting system | |
| Ease transferring of information | |
| Applicable to actual event and generic types of occurrences | |
| Enable the drawing of conclusions | |
| Consistency with Just Culture Principles | |
Table 3.4.1.1 – Advantages and Challenges in SOAM methodology
When investigating an accident or incident, the most important step is gathering all the data
and not stopping at the obvious factors, but looking deep into the system in order to find all the linked elements
that led to that event, because this step of the analysis influences the graphical model and, further
on, the recommendations. However, this step does not interfere with the above mentioned methods. If
the data collected is valid and complete and the investigator has the proper mindset, then he/she already
has an overall picture of the event and he/she can model the system in a correct manner using FRAM
or SOAM.
With respect to the framework they generate, the models are quite different. SOAM sets quite a
strict framework, allowing you to stack the contributing factors in only 5 areas of interest: Other
Organisational Factors, Organisational Factors, Contextual Conditions, Human Involvement and
Barriers, while FRAM does not limit the investigator at all. In this case of analysis both approaches
have their own merits. For SOAM, the requirement of placing one contributing factor in just one of
the five boxes might get tricky because of the interconnections between them. The user might have even
more than two options regarding the right placement of a particular factor. And there is also the
question of human involvement and barriers, which has been discussed for a very long time. Do you place a
human involvement factor in the Barrier box? According to old beliefs yes, especially as this model is
based on the Reason Model, but this is not correct. As mentioned in the State of the Art chapter, it is
proved that humans are making safety in such a complex system because human beings are the only
ones capable of adapting and producing safety. Therefore the issue with the model from this perspective is
that it has this gap that might let people be influenced by their biases. On the other hand, providing one
standardized methodology and structure for all ANSPs' investigators is good for keeping records of the
past occurrences, and it might help the safety and just culture overall by sharing the results in the same
format so that everyone can relate. With FRAM, having no specific framework, I see neither
advantages nor disadvantages, but it seems that in this aspect it might be more convenient to use
SOAM instead of FRAM because it is simpler to model and it uses a common taxonomy, a common
language for both trained users and management; this facilitates the data exchange between
ANSPs, eases the communication with the top management and makes it simpler to summarize
the outcome of an investigated occurrence.
Both FRAM and SOAM have an investigation philosophy that supports the Safety Culture and
Just Culture philosophies, but in different ways. As previously discussed, FRAM considers "human
error" as a symptom of the system and this is in complete concordance with the above mentioned
philosophies. SOAM, on the other hand, provides the means to be consistent with the Just Culture
principles through the standardized methods and the taxonomy used, which ease the sharing of the data
with other ANSPs and increase the popularity of the reporting systems. On the other hand, the model
itself still allows you to analyze the event with the old mentality, and in order to work properly and within
the margins of Just Culture, the training of the investigators should be done very thoroughly in order
for the method to have an impact on increasing awareness of safety issues.
Another issue is related to the way the methods look at the event. The FRAM method
captures the dynamics of the event in the way the outcome is presented, through the visible
interconnections that do not follow a pattern but are rather random, thus depicting a more realistic
overall picture of the event. SOAM looks at the event in a more segmented way, focusing on
identifying the issues in those 5 categories. Nevertheless, the factors contributing to the event can be
linked, but in a simpler way, following a line of reasoning, starting from the Organisational Factors to
Failed Barriers, resembling the causal relationships which fail to be suitable for the
system nowadays.
With SOAM it is easy to make recommendations and to trace them back to the model, but this is
a bit limiting because the recommendations refer only to organisational issues and barriers while not
taking much into consideration the contextual conditions that might actually have a great impact on
the event. The recommendations in SOAM are made for a specific contributing factor, not a
combination of them, and therefore they might not be complete or thorough enough to make a big
impact. With FRAM one integrates all the factors and makes more general recommendations,
indicating the way the factors contributed to the event, and in this way the awareness is raised and the
recommendations are formulated in a more complete way. Usually it is better to make general
recommendations and let the party involved in the event decide how to proceed, but this needs to be
done carefully because being too general sometimes leads to a poor implementation of those
recommendations.
To sum up, there are advantages and disadvantages for both methods; therefore we are again faced
with the Efficiency Thoroughness Trade-off problem. Will safety benefit from a standardized method
or one that allows you to model the event in a more dynamic and realistic way? Would an efficient but
rather incomplete model of an accident have a greater impact than a thorough but more complicated
model? Following the discussion above, it seems that the statement we started this analysis with is
correct. With the proper training of the investigators, SOAM could be the right method to use for
occurrence investigations. Indeed, FRAM could be used as a complementary method because it can
give a better overview of the event, but the conclusion is that it is not worth the effort.
This reasoning shall also be seen in the following GAP analysis of the two discussed methods.
The specific requirements of an Occurrence Investigation process will be addressed from the perspective
of both methods. The source of the requirements is EUROCONTROL ESARR 2 - REPORTING AND
ASSESSMENT OF SAFETY OCCURRENCES IN ATM, issued on 02 December 2009. [38]
| REQUIREMENTS | SOAM | FRAM |
|---|---|---|
| A formal means of safety occurrence reporting and assessment is implemented for all ATM-related occurrences that pose an actual or potential threat to flight safety, or can compromise the provision of safe ATM services | | |
| ATM personnel and third parties are encouraged by every means to systematically and consistently report occurrences | | |
| All relevant data that would aid understanding of the circumstances surrounding such occurrences are adequately identified, with the data being secured, recorded and stored in a manner which ensures their quality and confidentiality as well as permitting subsequent collation and assessment | | |
| Investigation or assessment, by a team with the necessary expertise, of those occurrences that are considered to have significant implications on flight safety and/or on the ability to provide safe ATM services, takes place immediately, and any necessary remedial action taken | | |
| The severity of each such occurrence is determined, the risk posed by each such occurrence classified, and the results recorded | | |
| The causes of such occurrences are analysed, to the utmost degree of objectivity, to identify the extent to which the ATM system helped, or could have helped, to reduce the risk incurred, with the results recorded | | |
| Safety recommendations, interventions and corrective actions are developed, recorded where necessary, and their implementation monitored | | |
| To the extent possible, safety experience, based upon collected safety occurrence data and assessment, is exchanged between States in order to develop a more representative and common awareness of typical hazards and related causes, as well as safety trends and areas where changes to the ATM system could improve safety. | | |
Table 3.4.1.2 – Gap Analysis of SOAM and FRAM with respect to Safety Investigation process
The outcome of this GAP analysis reinforces the argument that the Safety Investigation
process is the main focus of the Safety Management System due to the fact that the requirements are
rather complete. There are some elements that are not mentioned as requirements but as discussed
earlier they are not fundamental for the purpose of Safety Investigations.
3.4.2. Discussion regarding Risk Management
Risk Management is a proactive process and therefore it should be the main focus of the
Safety Management System’s efforts, because the proactive side of an analysis is the one that will keep
the network safer in the near future. The reasoning behind this statement is elementary: the percentage
of positive outcomes in current ATM is approximately 99.9% while the percentage of unwanted
outcomes is 0.01%. The Occurrence Investigation process is responsible for looking into that 0.01%, and this
is why this process has reached a point of saturation, a point from which not too many conclusions can
be drawn. It is clear that 0.01% does not say much about our system. In this rapidly changing
environment we should try to understand why 99.9% of the time we have positive events; otherwise
we will not be able to integrate the changes to come and to keep the system safe.
The proactivity consists in understanding the system and the way it works, identifying the
areas where the system is already mature but also identifying the risks that are already present in
operations and others that might emerge due to all the factors we have already discussed. The
efficiency of risk management relies on the ability to emphasize, in advance, the challenges in the
overall system, since their non-identification will leave the system and operators unprepared to cope
with them.
FRAM in ATC-Diana-Alexandra Stefan-Bachelor Thesis

  • 1. 1 __________________________________________________________________________________ Spl. Independentei 313, 060042 Bucuresti www.aero.pub.ro tel: (+40)21 402 3812 „Elie Carafoli” Aerospace Sciences Department Modelling Changes in Socio-technical Systems -FRAM in ATC- BEng Final Project Author: Stefan Diana-Alexandra Supervisor(s): S.l. Dr. Ing. Silviu Zancu (UPB) Dr. Ing. André Perott (Deutsche Flugsicherung DFS) Ing. Nils Schader (Deutsche Flugsicherung DFS) Session: July 2015 University Politehnica of Bucharest Air Navigation Faculty of Aerospace Engineering
  • 2. 2 Anti-Plagiarism Declaration I the undersigned STEFAN DIANA-ALEXANDRA student of the University Politehnica of Bucharest, Faculty of Aerospace Engineering declare herewith and certify that this final project is the result of my own, original, individual work. All the external sources of information used were quoted and included in the References. All the figures, diagrams, and tables taken from external sources include a reference to the source. Date: _________ Signature: __________________________
  • 3. 3 Content Anti-Plagiarism Declaration..................................................................................................................... 2 List of Figures........................................................................................................................................... 5 List of Tables............................................................................................................................................ 7 Glossary of Terms.................................................................................................................................... 8 Acronyms............................................................................................................................................... 10 Executive Summary............................................................................................................................... 11 Rezumat................................................................................................................................................. 13 1. Introduction. The Need ..................................................................................................................... 15 2. State of the Art.................................................................................................................................. 16 2.1. FRAM-General Information........................................................................................................ 16 2.1.1. Its motivation and purpose ................................................................................................. 16 2.1.2. FRAM’ Principles.................................................................................................................. 16 2.1.2.1. The Equivalence of Failures and Success...................................................................... 16 2.1.2.2. 
The Approximate Adjustments..................................................................................... 17 2.1.2.3. The Principle of Emergent Outcomes........................................................................... 18 2.1.2.4. The Principle of Resonance .......................................................................................... 19 2.1.3. How to use the Method ...................................................................................................... 21 2.1.3.1. Functions Description. The 6 Aspects .......................................................................... 21 2.1.3.2. Relations between functions. The Aggregation of Variability...................................... 22 2.1.3.3. Graphical Representation of a FRAM Analysis............................................................. 24 2.1.4. How to interpret a FRAM Analysis ...................................................................................... 24 2.2. Catalogue of FRAM Examples. Discussion.................................................................................. 25 2.3. Safety Management System in ATM.......................................................................................... 30 2.3.1. Description of ATM.............................................................................................................. 30 2.3.1.1. Definition. Objectives................................................................................................... 30 2.3.1.2. Complexity.................................................................................................................... 30 2.3.2. Safety Management System................................................................................................ 31 2.3.2.1. Risk Management Process............................................................................................ 32 2.3.2.2. 
Management of Change............................................................................................... 36 2.3.2.3. Safety Investigations .................................................................................................... 37 2.4. Chapter Conclusion .................................................................................................................... 39 3. Application of FRAM in SMS.............................................................................................................. 40
  • 4. 4 3.1. Modelling Methods-Why do we need them? ............................................................................ 41 3.2. Discussion on SMS Approach ..................................................................................................... 42 3.3. FRAM integration in SMS ........................................................................................................... 43 3.4. FRAM and Best Practices............................................................................................................ 44 3.4.1. Discussion regarding Safety Investigation........................................................................... 44 3.4.2. Discussion regarding Risk Management.............................................................................. 48 3.4.3. Discussion regarding Management of Change.................................................................... 53 3.5 Chapter Conclusion ..................................................................................................................... 56 4. 2TID Risk Assessment Study Case..................................................................................................... 57 4.1. Case Selection............................................................................................................................. 57 4.2 Approach ..................................................................................................................................... 57 4.3. German ATC System Overview................................................................................................... 58 4.4. 2TID Description......................................................................................................................... 58 4.5. Scope of the Assessment............................................................................................................ 59 4.6. 
Bowtie Method........................................................................................................................... 60 4.7. FRAM Method ............................................................................................................................ 67 4.9. Chapter Conclusions................................................................................................................... 76 5. Conclusion ......................................................................................................................................... 79 Acknowledgements............................................................................................................................... 80 Biography............................................................................................................................................... 81 Annex 1-Bowtie Report ......................................................................................................................... 84 Annex 2-Bowtie Diagram....................................................................................................................... 88 Annex 3-FRAM Report........................................................................................................................... 89 Annex 4-FRAM Diagram ........................................................................................................................ 94
List of Figures

Figure 2.1.2.2.1-The principle of approximate adjustments
Figure 2.1.2.3.1-Resultant Outcome
Figure 2.1.2.4.1-Classical Resonance
Figure 2.1.2.4.2-Stochastic Resonance
Figure 2.1.2.4.3-Functional Resonance
Figure 2.1.3.2.1-Couplings for Function E
Figure 2.1.3.3.1-The six aspects of a function or an activity
Figure 2.3.2.1-SMS Framework
Figure 2.3.2.1.1-Risk Assessment Framework
Figure 2.3.2.1.2-FTA
Figure 2.3.2.1.3-Bowtie Framework
Figure 2.3.2.1.4-Bowtie Analysis Steps
Figure 2.3.2.2.1-Safety Action Plan
Figure 2.3.2.3.1-Safety Occurrence Investigation Package
Figure 2.3.2.3.2-Elaboration of the Generic Phases in Occurrence Investigation
Figure 2.3.2.3.3-SOAM Framework
Figure 2.3.2.3.4-SOAM analysis key steps
Figure 3.1-SESAR Performance Concept
Figure 4.6.1-Hazard and Top Event
Figure 4.6.2-Threats
Figure 4.6.3-Consequences
Figure 4.6.4-Risk Assessment
Figure 4.6.5-Risk Matrix
Figure 4.6.6-Bowtie scenarios
Figure 4.6.7-Control Barriers
Figure 4.6.8-Recovery Barriers
Figure 4.6.9-Escalation factor and Escalation factor barrier
Figure 4.7.1-2TID Design function
Figure 4.7.2-2TID Design output
Figure 4.7.3-Provide Information function
Figure 4.7.4-Receive Information function
Figure 4.7.5-Process Information function
Figure 4.7.6-Determine Action function
Figure 4.7.7-Execute Traffic Sequencing function
Figure 4.7.8-Provide Clearances to pilot
Figure 4.7.9-Interconnections
Figure 4.7.10-Keep the traffic picture function
Figure 4.7.11-Input clearances in the system
Figure 4.7.12-Detect potential conflicts function
Figure 4.7.13-Deconflicting Traffic function
Figure 4.7.14-FRAM Model
List of Tables

Table 2.2.1-Catalogue of FRAM examples
Table 3.4.1.1-Advantages and Challenges in SOAM methodology
Table 3.4.1.2-Gap Analysis of SOAM and FRAM with respect to Occurrence Investigation process
Table 3.4.2.1-Advantages and Challenges in Bowtie Methodology
Table 3.4.2.2-Gap Analysis of Bowtie and FRAM with respect to Risk Management process
Table 3.4.3.1-Advantages and Disadvantages of Safety Action Plan Strategy
Table 3.4.3.2-Gap Analysis of Safety Action Plan and FRAM with respect to Management of Change process
Table 4.8.1-FRAM findings
Table 4.8.2-Bowtie findings
Glossary of Terms

Accident: An occurrence associated with the operation of an aircraft which takes place between the time any person boards the aircraft with the intention of flight until such time as all such persons have disembarked, in which a person is fatally or seriously injured or the aircraft sustains damage or structural failure or the aircraft is missing or is completely inaccessible.

(Approximate) Adjustments: When working conditions are underspecified or when time or resources are limited, it is necessary to adjust performance to match the conditions. This is a main reason for performance variability. But the very conditions that make performance adjustments necessary also mean that the adjustments will be approximate rather than perfect. The approximations are, however, under most conditions good enough to ensure successful performance.

Causality: The relation between an event (the cause) and a second event (the effect), where the first event is understood to be responsible for the second.

Data-link: The means of sending digital information between aircraft and air traffic controllers.

Decomposition Principle: To break up or separate into basic components or parts.

Efficiency-thoroughness trade-off: The efficiency-thoroughness trade-off (ETTO) describes the fact that people (and organisations), as part of their activities, practically always must make a trade-off between the resources (time and effort) they spend on preparing an activity and the resources (time, effort and materials) they spend on doing it.

Emergence: In a growing number of cases it is difficult or impossible to explain what happens as a result of known processes or developments. The outcomes are said to be emergent rather than resultant. Emergent outcomes are not additive, not predictable from knowledge of their components and not decomposable into those components.
Functional resonance: Functional resonance is defined as the detectable signal that emerges from the unintended interaction of the everyday variability of multiple signals. The signals are usually subliminal, comprised of both the “target” signal and the remaining signals that constitute the noise. But the variability of the signals is subject to certain regularities that characterize different types of functions; hence these variabilities are not random or stochastic. Since the resonance effects result from the ways in which the system functions, the phenomenon is called functional resonance rather than stochastic resonance.

Human Error: A very controversial wording. Human error used to be seen as the cause of an unwanted event and it used to represent the end of an investigation. In the new view, Human Error is described as a structural by-product of people trying to pursue success in resource-constrained, uncertain, imperfect systems.

Inbound flights: Flights that intend to land at a certain airport.

Incident: An occurrence, other than an accident, associated with the operation of an aircraft that affects or could affect the safety of operations.
Outbound flights: Flights that have already taken off from a certain airport, heading to the upper area.

Performance variability: The contemporary approach to safety (Safety-II) is based on the principle of equivalence of successes and failures and the principle of approximate adjustments. Performance is therefore in practice always variable. The performance variability may propagate from one function to others, and thereby lead to non-linear or emergent effects.

Proactive: Serving to prepare for, intervene in, or control an expected occurrence or situation, especially a negative or difficult one.

Reactive: The tendency to react after an event happens.

Resilience: A system is said to be resilient if it can adjust its functioning prior to, during, or following changes and disturbances, and thereby sustain required operations under both expected and unexpected conditions.

Resilience engineering: The scientific discipline that focuses on developing the principles and practices that are necessary to enable systems to be resilient.

Safety-I: Safety is the condition where the number of adverse outcomes (accidents / incidents / near misses) is as low as possible. Safety-I is achieved by trying to make sure that things do not go wrong, either by eliminating the causes of malfunctions and hazards, or by containing their effects.

Safety-II: Safety is a condition where the number of successful outcomes is as high as possible. It is the ability to succeed under varying conditions. Safety-II is achieved by trying to make sure that things go right, rather than by preventing them from going wrong.

Socio-technical Systems: Complex organisational work design that recognizes the interaction between people and technology in workplaces.

Work-as-Imagined / Work-as-Done: Because performance adjustments are always necessary, Work-as-Done (WAD) is always different from Work-as-Imagined (WAI). These two terms explain how proximal, or sharp-end, factors in combination with distal, or blunt-end, factors can lead to accidents. Workers at the sharp end accept that WAD is, and must be, different from WAI. For them it is no surprise that descriptions based on WAI cannot be used in practice and that actual work is different from prescribed work. Unlike Safety-I, Safety-II considers WAD at the sharp end and the blunt end on equal terms, and recognizes that performance adjustments are required in both cases. Safety-II acknowledges that WAI and WAD are different, and focuses analysis on WAD.
Acronyms

2TID = Two Touch Input Device
ACC = Area Control Centre
ANSP = Air Navigation Service Provider
ASW = Air Situation Window
ATC = Air Traffic Control
ATCo = Air Traffic Controller
ATM = Air Traffic Management
CANSO = Civil Air Navigation Services Organisation
ESARR = EUROCONTROL Safety Regulatory Requirement
FAA = Federal Aviation Administration
FMEA = Failure Modes and Effects Analysis
FRAM = Functional Resonance Analysis Method
FTA = Fault Tree Analysis
LTID = Left Touch Input Device
MSAW = Minimum Safe Altitude Warning
NTSB = National Transport Safety Board
PSS = Paperless Strip System
RTID = Right Touch Input Device
SES = Single European Sky
SESAR = Single European Sky ATM Research
SOAM = Systematic Occurrence Analysis Method
SMS = Safety Management System
STEP = Sequentially Timed Events Plotting
TCAS = Traffic Collision Avoiding System
TWR = Tower
UACC = Upper Area Control Centre
Executive Summary

The main purpose of this thesis is to determine if the Functional Resonance Analysis Method (FRAM) can be integrated in the Safety Management System (SMS) and to identify and evaluate the possible fields of application. To achieve this goal, several steps were followed.

• Research on FRAM and SMS was conducted that led to a deeper understanding of the method and revealed the systematic elements within SMS where FRAM could contribute. The summary of the research is that FRAM is a method that brings a new view by explaining outcomes in terms of functional coupling and resonance rather than failure and malfunction. The relevant SMS elements identified are: Risk Management, Management of Change and Safety Investigations.

• Based on the knowledge gained in the research phase, an analysis of the SMS framework in the current ATM system was developed in order to assess its effectiveness. The conclusion reached was that the focus of Safety Management Systems is set on occurrence investigations, with less on safety assessments and almost no effort put into understanding the system; the result is an unbalanced and inefficient approach that is almost exclusively based on hindsight.

• Following the above conclusion, an investigation was done in order to determine if the FRAM philosophy and features could meet the challenges discovered. It was concluded that FRAM could fit perfectly in SMS because it brings new ideas regarding system complexity and represents the proactive side of the analysis, thus filling the gaps of the current philosophy.

• The next step was to address the specific features that FRAM could bring for the three SMS elements and determine which of them could benefit the most. A comparison between current methodologies and FRAM was performed and the following conclusions were reached:

  - Safety Investigation is a reactive process while FRAM is a proactive method; therefore there is no valid reasoning for using the FRAM method for this purpose. FRAM could be used as a complementary method because it can give a better overview of the event, but the conclusion is that it is not worth the effort.

  - From a theoretical point of view it seems that FRAM would be the perfect methodology for Risk Assessment, able to replace the traditional methods completely, because it incorporates all the advantages and disadvantages of current methods and also brings a new perspective, meeting the future requirements.

  - FRAM could be a great asset for the Management of Change process because its ability to link performance variability with changes in the system helps reduce the discrepancy between ’work as done’ and ’work as imagined’; this achievement leads to a safer ATM system, a relaxed work environment for operators and cost reduction for the organisations.

• The overall conclusion is that FRAM seems to be the right methodology for complementing or even replacing the best practices of the Risk Management and Management of Change elements.

• This theoretical finding is further assessed through a case study which contrasts the Bowtie Method and the Functional Resonance Analysis Method (FRAM) for risk assessment related to a change in the German ATC systems. The programmes used were FRAM Model Visualiser (FMV) and BowtieXP, and the information required was gathered through a three-month internship at DFS Deutsche Flugsicherung. The study illustrated that Bowtie helps to represent linear cause-effect connections, while FRAM depicts the dynamic interactions within complex socio-technical systems by describing non-linear dependencies, variability, and their impact on the system; therefore FRAM can bring major improvements to Risk Management and Management of Change processes.

To conclude, although there are still challenges to be solved in the application of FRAM, the main finding of this thesis is that the FRAM method brings the appropriate perspective and framework for Risk Management and Management of Change in the current and future ATM context.
Summary

The main purpose of this thesis is to determine whether the FRAM method can be integrated into the Safety Management System (SMS) and to identify the areas in which applying the method would bring the greatest benefits. To achieve this objective, the following steps were carried out:

• A scientific study of FRAM and the Safety Management System was carried out, which led to a deeper understanding of the method and to the discovery of the systematic elements within the SMS where FRAM could contribute. It was found that FRAM is a method that brings a new view, because it attributes the consequences of a change not to the failure or malfunction of a particular element of the system but to functional dependencies and variability. The elements of the Safety Management System that are relevant to this study were also identified: Risk Assessment and Management, Management of Change, and Incident and Accident Investigation.

• Based on the knowledge gained in the research phase, the current Safety Management System was analysed in order to evaluate its effectiveness. The conclusion was that the priority of Safety Management Systems is Accident and Incident Investigation, while Safety Assessment is neglected, with no coherent approach to understanding how the system functions. Consequently, the Safety Management System relies on an unbalanced and inefficient approach.

• Following the findings above, it was analysed whether the FRAM method could meet the challenges discovered in the Safety Management System. It was concluded that FRAM would fit perfectly into the Safety Management System because it brings new ideas regarding system complexity and represents the proactive side of the analysis, thus complementing the current philosophy and way of working.

• The next step was to address the specific features that FRAM could bring to the three systematic elements of the Safety Management System and to determine which of them could benefit most from using the method. A comparison between the current methodologies and FRAM was carried out and the following conclusions were reached:

  - Accident and Incident Investigation is a reactive process while FRAM is a proactive method; therefore, there is no valid reasoning for using the FRAM method for this purpose. FRAM could be used as a complementary method, because it can provide an overview of the event, but the conclusion is that the effort invested in doing so is not proportional to the impact on the safety of the system.

  - From a theoretical point of view, FRAM appears to be the perfect methodology for Risk Assessment and Management; it could even replace the traditional methods completely, because it includes all of their advantages and, in addition, brings a new perspective that will help in implementing the changes of the near future.

  - FRAM could be a great asset for the Management of Change process, because its ability to connect performance variability with the changes taking place in the system helps to minimise the discrepancy between "work-as-done" and "work-as-imagined"; achieving this leads to safer Air Traffic Management (ATM), a relaxed working environment for operators and reduced costs for the organisation.

• The conclusion is that FRAM appears to be the right methodology for complementing or even replacing the methods used today for Risk Assessment and Management and for Management of Change within the air traffic Safety Management System.

• This theoretical finding is demonstrated through a case study that compares the Bowtie and FRAM methods for assessing the risk produced by a change in the air traffic control (ATC) system. The programmes used were FMV and BowtieXP, and the required information was gathered during the internship at DFS Deutsche Flugsicherung. The study illustrated that Bowtie helps to represent linear cause-effect connections, while FRAM describes the dynamic interactions within complex socio-technical systems by describing non-linear dependencies, variability, and their impact on the system; therefore, FRAM can bring major improvements to Risk and Change Management.

The main conclusion of this thesis is that the FRAM method brings the appropriate perspective and framework for Risk Assessment and Management and for Management of Change in an efficient way, both in the current context and in view of the future development of Air Traffic Management.
1. Introduction. The Need

European airspace is now in a period of rapid technological and political change. The Single European Sky ATM Research (SESAR) project has as primary objectives to handle 3 times more traffic, to reduce environmental impact per flight by 10%, to cut Air Traffic Management cost per flight by 50% and to improve Safety by a factor of 10 by 2020. Consequently, in the near future, the European Air Traffic Management system will be facing major structural, functional and organisational changes in order to cope with the increased air traffic flow while simultaneously improving safety.

For most people, the common understanding of safety, denoted as Safety-I, is the absence of unwanted outcomes such as incidents or accidents. Since the purpose of safety management is to achieve and maintain that condition, safety goals are defined in terms of achieving that acceptable number. In the current context of aviation, this approach has become ineffective. [1]

An important underlying assumption of Safety-I is that we can understand our systems by looking at their components and how these function or malfunction (as failures, errors). Another important assumption is that the reasons why things go wrong are different from the reasons why things go right. These assumptions are no longer valid; therefore, methods built on these assumptions can no longer be efficient. New tools and methods need to be developed. [1]

Safety-II accepts that we cannot understand our system entirely. Instead of looking only at adverse events, Safety-II focuses on everyday work and situations where things go right. Safety-II does not define safety as the absence of adverse events, but as the presence of successful everyday functioning. The foundation of Safety-II is that performance adjustments are ubiquitous and that performance therefore is always variable; the ability to make performance adjustments is an essential human contribution to work, without which only the most trivial activity would be possible. [1]

While Safety-II emphasizes the importance of understanding how everyday work succeeds, it is, of course, still necessary to spend time understanding failures. This concept is known as Resilience Engineering. A system is said to be resilient if it can adjust its functioning prior to, during, or following events (changes, opportunities, and disturbances) and thereby sustain required operations under both expected and unexpected conditions. The focus of resilience engineering is therefore both situations where things go wrong and situations where things go right. [1]

The FRAM is an analysis tool that reflects Resilience Engineering and Safety-II thinking. The development of the FRAM coincided with the development of Resilience Engineering as an alternative to traditional safety thinking, and the FRAM can be seen as a tool for this new way of looking at safety. [1]

Although FRAM seems to be promising, it is not yet used in ATM. This thesis serves as a starting point to identify and evaluate possible fields of application for FRAM in the SMS context.
2. State of the Art

2.1. FRAM-General Information

2.1.1. Motivation and Purpose

FRAM is a method that recognizes successes as the flip side of failures. In other words, FRAM follows the Safety-II concept, focusing on understanding the everyday activities that generally generate positive outcomes, rather than failures and their nature. FRAM looks into the reasons why things go (or might go) wrong by first describing how things go (or should go) right in a complex system, so that the discrepancy between work-as-done and work-as-imagined is minimal. [2]

In Hollnagel's view, the method is a bidirectional one, meaning that it is able to analyze past events as well as possible future events in order to provide a comprehensive picture of the status/resilience of a system in present and future times. Its purpose is to build a model of how things work rather than to interpret what happens in the terms of a model. What makes FRAM unique is its dynamic, wider approach to safety and the principles that stand behind its philosophy. [3]

According to other users, FRAM on its own can be most useful for modelling the system at a high level of abstraction [4]; FRAM also forces consideration of the different contextual aspects that are usually not included in a traditional analysis, and its application felt more intuitive because it does not require consideration of failures and absolute consequences. [5]

2.1.2. FRAM Principles

2.1.2.1. The Equivalence of Failure and Success

This phrase suggests that failures and successes have the same origin, and it implies that it is necessary to study both in order to understand how a system works. Usually when thinking about safety the concern is projected on failures, and a great amount of effort is invested in understanding the unexpected and almost none in understanding how or why things go right in the first place. This limited desire for understanding is generated by the assumption that positive outcomes are a consequence of a good design of the system and that negative outcomes happen due to the failure of several parts in the system, which is usually translated as the poor performance of somebody. What this assumption actually says is that these two kinds of outcomes have completely different causes, which is an unreasonable argument because the intention is always to do the right thing and the decision-making process that leads to a particular choice is based on expectations rather than on the actual outcome. Failures and successes are equivalent in the sense that one can only say whether the preceding action was right or wrong after the outcome is known. [3]
2.1.2.2. The Approximate Adjustments

The second principle of FRAM philosophy that Hollnagel developed from scratch refers to performance variability in complex systems. Hollnagel, together with David Woods, reached the conclusion that the main characteristic of a complex system is ‘the surprise’, an event that is impossible to predict; therefore complex systems like socio-technical systems can only be partially understood. This leads to the fact that actual work is never completely in agreement with what was expected or predicted. [2]

“In order to carry out work it is therefore necessary to constantly adjust performance to fit the existing conditions (resources, time, tools, information, requirements, opportunities, conflicts, interruptions). These adjustments are made by individuals, by groups and by organizations and take place at all levels, from the performance of a specific task to planning and management.” [6] p. 17

These adjustments are part of the work-as-done in every complex system and they need to be understood because they are the reason why things mostly go right, but also the reason why they occasionally go wrong. This performance variability is a strength because it is the only way to cope with complexity, and it is often the primary reason why socio-technical systems function as well as they do. It is in the nature of human beings to be adaptable and find effective ways of overcoming problems and difficult situations, to anticipate, to manage risk, etc., and these capabilities are crucial for both safety and productivity. [7]

This duality of performance variability needs to be addressed when talking about safety, and FRAM is an assessment method that is able to do that. [3]

Figure 2.1.2.2.1-The principle of approximate adjustments [6]
2.1.2.3. The Principle of Emergent Outcomes

The English philosopher George Henry Lewes (1817-1878) was the first to use the term ‘emergent’; he described emergent effects as being neither additive nor predictable from knowledge of their components. In contemporary vocabulary this means that the effects are non-linear and that an explanation in terms of cause-effect for an event is not accurate or appropriate, especially in complex systems. This is due to the interconnections between elements and the fact that things happen in such a way that they cannot be explained; therefore it is impossible to apply the decomposition principle. An unwanted outcome cannot be explained by saying it is caused by something, but by explaining how consequences arise. Error and everyday work can be explained as emerging from variability rather than as a cause of it. This means that the outcomes can no longer be attributed to malfunctions or defects in specific components or parts. [3]

Figure 2.1.2.3.1-Resultant Outcome [6]

“Figure 2.1.2.3.1 shows how the emerging outcome can be seen as being produced by unstable (short-term) combinations of states and events. The consequences can however not be explained as an effect of specific components or functions. Instead the incident occurs because of conditions that are transient or temporary. The ’causes’ are configurations of states and events that existed at a certain point of time. Their existence may be inferred, but they cannot be found. The outcome is a stable change in the system or its parts.” [6] p. 19
2.1.2.4. The Principle of Resonance

In physics, resonance is the tendency of a system to oscillate with greater amplitude at some frequencies than at others. Frequencies at which the response amplitude is a relative maximum are known as the system's resonant frequencies, or resonance frequencies. These frequencies can produce large-amplitude oscillations, because the system stores vibration energy. There are three types of resonance.

Classical resonance is the phenomenon in which a system oscillates with larger amplitude at some frequencies than at others. At these frequencies even small external forces, if regularly applied, can produce large oscillations, which may seriously damage or even destroy the system. This phenomenon has been known at least since ancient Greece. An illustration of it and its effects over time can be seen when a child is swinging. [6]

Figure 2.1.2.4.1-Classical Resonance [8]

Another type of resonance is stochastic resonance. It can be defined as “the enhanced sensitivity of a device to a weak signal that occurs when random noise is added to the mix.” This means the outcome of stochastic resonance is non-linear. This concept can be used to understand how unexpected things happen. The disadvantage of this type of resonance is its randomness, whereas in safety it is necessary to be more precise and able to predict what may happen in a deterministic sense. [6]
Figure 2.1.2.4.2-Stochastic Resonance [8]

The third type of resonance, on which FRAM is founded, is called functional resonance. It is based on the fact that the variability of a number of functions may sometimes coincide, so that the functions influence each other. This can cause unusually large amplitudes for one or more functions (leading to positive or negative outcomes). Therefore, functional resonance is defined as “the detectable signal that emerges from the unintended interaction of the everyday variability of multiple signals.” As a phenomenon, functional resonance describes the performance variability in a socio-technical system. This variability emerges due to the multiple approximate adjustments that are the basis for daily work activities. The approximate adjustments can be perceived as a number of short-cuts or heuristics, which means that performance variability is in some ways predictable. Functional resonance offers the means to understand outcomes that are both emergent and non-linear in a way that allows them to be controlled. [6]

Figure 2.1.2.4.3-Functional Resonance [8]
  • 21. 21 FRAM uses resonance as an alternative to cause-effect relations, but as an analogy and not literally. The value of this concept is that it overcomes some important limitations of traditional Safety-I thinking. [6]

2.1.3. How to use the method

FRAM provides, in a systematic way, a description or representation of how an activity usually takes place. The event is described in terms of the functions that are necessary to perform the activity, the potential links between the functions and the typical variability of the functions. [3]

There are four essential steps to be followed:

Step 1. Identify essential system functions, and characterize each function by six basic parameters.

Step 2. Characterize the potential variability by addressing the interconnection between human, technological, and organizational aspects of each function.

Step 3. Define the functional resonance based on possible dependencies among functions and the potential functional variability. The links between functions are found by analyzing functions and identifying common or related aspects. These links may then be combined to illustrate how the variability of one function may have an impact on another and on the system.

Step 4. Identify damping factors for the variability identified and specify the required monitoring. FRAM is able to distinguish between normal variability and unwanted variability. [3]

2.1.3.1. Functions Description. The 6 Aspects

In engineering, a function means a specific process, action or task that a system is able to complete. [9] A function in human factors represents the actions or activities, simple or complex, “which are required to produce a certain result. A function usually describes what people - individually and collectively - have to do to perform a specific task and thus achieve a specific aim.” A function can also be linked to an organisation. Functions can be automated, interactive or socio-technical. [3]
  • 22. 22 The six Aspects

Input = the entry data from which the function generates the output; it can represent matter, energy and information, or it can be an activity which activates the function or provides energy for its development. For example, in aviation it might be a clearance or an instruction which has to be detected by the function. The input is usually a noun. [3]

Output = the result of the function, i.e. the result of processing the input in the defined time frame and conditions. Like the input, it can represent material, energy and information. It describes a change of state of the system or of one or more output parameters, or it could be the start of a new function. The output is described as a noun. [3]

Precondition = in almost every case a function cannot start before the preconditions are established. The preconditions are always there and they need to be taken into consideration when describing a function. They can be understood as system states or as conditions that need to be verified and accomplished before the function can start. However, a precondition does not itself constitute the signal that starts the function. A precondition must always be an output from another function. The description is a noun or a noun phrase. [3]

Resource (Execution Condition) = something that is needed or consumed while a function is carried out. Besides the representations of the other 3 aspects described above, a resource can also be a competence, software, tools, manpower etc. There are two types: a proper resource, which is consumed by the function and so will diminish with time, and an execution condition, which only needs to be there while an action is active. [3]

Control = that which supervises or regulates a function. It can be a plan, a schedule, a procedure, a set of guidelines or instructions, a program etc. Another type which can be found is social control, which can be external, like the expectations of others, or internal, like a person's own expectations and what he/she imagines others expect from them. [3]

Time = represents the way time can interfere with the output of a function. These temporal relations are a form of control when time represents the sequencing conditions. [3]

2.1.3.2. Relations between functions. The Aggregation of Variability

FRAM is a qualitative approach generating a functional (rather than structural) model of the relationships between sub/systems. [18] FRAM analysis starts from the functions themselves and the description of their aspects. This represents a great advantage because it helps to better understand the interconnections and the way they constitute the system. [3]

In FRAM, changes and relationships are defined by aspects of functions. The term used for the relationships is 'coupling' and the dependencies are called 'potential couplings' because possible relationships or dependencies are described for a typical but not specific situation. These couplings are often 'many to many'.
  • 23. 23 The first step in understanding how functions can be interconnected is to characterize the variability. The analysis focuses more on the variability of the Output because, if the performance of a function is variable without reflecting it in Output, then the variability is in principle not important. On the other hand, if the Output of a function is variable, then it becomes interesting because it determines the quality of the Output. [3]

Hollnagel describes three different reasons why the Output of a function is variable: [6]

• The variability of the Output can be a result of variability of the function itself because of its uniqueness or character. This is called internal or endogenous variability.
• The variability of Output may be linked to the work environment. This is called external or exogenous variability.
• The variability of Output may appear due to variability of the Output from upstream functions. This type of coupling is the basis of functional resonance and is called functional upstream-downstream coupling.

The variability of a function can also be due to a combination of those three: internal variability, external variability and upstream-downstream couplings. [6]

After the sources of variability have been identified, the next step is to describe how the variability will appear in the function's output. The manifestations of variability can be described in two ways, one being efficient, but not as thorough, while the other one is more thorough, but not as efficient. The approach depends on the results wanted for different systems. [3]

Figure 2.1.3.2.1-Couplings for Function E [6]
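The coupling analysis described above, as an added example that is not part of the thesis: functions are recorded by their six aspects, potential couplings are derived by matching each Output against the aspects of other functions, and Output variability is followed downstream. The function names, aspect values and variability flags are constructed for illustration, and flagging a function that receives variable Output from two or more upstream functions as a resonance candidate is a simplifying assumption, not a FRAM rule.

```python
from dataclasses import dataclass

# The five aspects through which a function can receive another function's Output.
ASPECTS = ("input", "precondition", "resource", "control", "time")


@dataclass(frozen=True)
class Function:
    """One FRAM function (a hexagon), described by its six aspects."""
    name: str
    output: tuple = ()
    input: tuple = ()
    precondition: tuple = ()
    resource: tuple = ()
    control: tuple = ()
    time: tuple = ()
    endogenous: bool = False  # internal variability of the function itself
    exogenous: bool = False   # external variability from the work environment


def potential_couplings(model):
    """Return (upstream, item, downstream, aspect) for every Output that
    appears as an aspect of another function (often many-to-many)."""
    links = []
    for up in model:
        for item in up.output:
            for down in model:
                if down is up:
                    continue
                for aspect in ASPECTS:
                    if item in getattr(down, aspect):
                        links.append((up.name, item, down.name, aspect))
    return links


def unmet_preconditions(model):
    """Preconditions that are not the Output of another function; the model
    is incomplete until a function producing them is added."""
    unmet = []
    for f in model:
        others = {item for g in model if g is not f for item in g.output}
        unmet += [(f.name, p) for p in f.precondition if p not in others]
    return unmet


def variable_outputs(model):
    """Map each function to the sources of its Output variability:
    'internal', 'external' and 'upstream:<function>'. Iterates to a fixed
    point, so cyclic couplings are handled."""
    sources = {f.name: set() for f in model}
    for f in model:
        if f.endogenous:
            sources[f.name].add("internal")
        if f.exogenous:
            sources[f.name].add("external")
    links = potential_couplings(model)
    changed = True
    while changed:
        changed = False
        for up, _item, down, _aspect in links:
            tag = "upstream:" + up
            if sources[up] and tag not in sources[down]:
                sources[down].add(tag)
                changed = True
    return sources


def resonance_candidates(model):
    """Functions where variability from two or more upstream functions can
    coincide (assumed threshold): candidates for monitoring and damping."""
    hits = []
    for name, src in variable_outputs(model).items():
        if sum(1 for s in src if s.startswith("upstream:")) >= 2:
            hits.append(name)
    return sorted(hits)


# Constructed sample model (hypothetical functions, not taken from the thesis).
MODEL = [
    Function("Update flight data", output=("Flight data",),
             input=("Flight plan message",), exogenous=True),
    Function("Coordinate with adjacent sector",
             output=("Agreed transfer conditions",),
             input=("Flight data",), endogenous=True),
    Function("Monitor traffic", output=("Traffic picture",),
             input=("Flight data",), resource=("Radar display",)),
    Function("Issue clearance", output=("Clearance",), input=("Pilot request",),
             precondition=("Traffic picture", "Agreed transfer conditions"),
             control=("Sector procedures",)),
    Function("Execute clearance", output=("Aircraft on cleared route",),
             input=("Clearance",), precondition=("Readback confirmed",)),
]

if __name__ == "__main__":
    for link in potential_couplings(MODEL):
        print("%s --[%s]--> %s (%s)" % link)
    print("Unmet preconditions:", unmet_preconditions(MODEL))
    print("Resonance candidates:", resonance_candidates(MODEL))
```
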
  • 24. 24 2.1.3.3. Graphical Representation of a FRAM Model

The FRAM model uses hexagons to represent functions without defining a specific orientation or order. “An instantiation of the FRAM model shows how a subset of functions can be mutually coupled under given conditions or within a given time frame. The couplings contained in a specific instantiation are assumed to be stable during the scenario.” [6]

Figure 2.1.3.3.1-The six aspects of a function or an activity [6]

2.1.4. How to interpret a FRAM Analysis

“The final step in a FRAM analysis is to propose ways to manage the possible occurrences of uncontrolled performance variability-or possible conditions of functional resonance” that have been found in the model and to show how they spread through the system. In order to detect this unwanted performance variability, it is necessary to define indicators referring to functions or aspects of functions. [10]

The analysis shows the daily way of working and emphasizes the problematic areas that need to be taken care of. Once the issues have been found, monitoring and damping solutions are used. FRAM can be used as a way to detect and manage undesired variability. Therefore, performance indicators may be developed for every function and every link between functions. [10]
  • 25. 25 2.2. Catalogue of FRAM Examples. Discussion

The following catalogue of examples shows that the FRAM method can be used for various purposes and in different domains. It is basically a statement that FRAM and its philosophy are suited for any complex system where traditional linear thinking no longer gives results. Another interesting aspect is the variety of users that used the method, from PhD students to managers of quality in health care systems to operational researchers, investigators and physicians, which emphasises the fact that the method is easy to understand and its application is not rocket science.

Title | Description | Model | Discussion | Source

Title: Patient with Spinal Fracture - Danish Health Service
Description: The example describes the case of a patient with a Spinal Fracture, where an inappropriate treatment was reported. The purpose of the investigation was to understand how the GP could misunderstand the work-up results for the Patient.
Discussion: The analysis indicated that the patient had a different course in the process than usual and this led to the important information being missed. The analysis also revealed that the GP performed his job according to his normal routine.
Source: [6]

Title: Alaska Airlines flight 261 accident
Description: Alaska Airlines flight 261 crashed into the Pacific Ocean after airplane pitch control was lost as a result of the in-flight failure of the horizontal stabilizer trim system jackscrew assembly's acme nut threads (NTSB, 2003).
Discussion: FRAM barrier vocabulary enabled the specification of damping factors where undesirable variability was expected or detected. The second effort in safety management is therefore the monitoring of variability and the examination of when this variability is undesired.
Source: [11]
  • 26. 26 Title: Communication and handover in Health Care Settings
Description: Systematic risk assessment prior to the adoption of any technological or procedural solution regarding communication and handover, which was recognised as a threat to patient safety, in order to ensure that risks have been properly understood.
Discussion: FRAM practitioners were able to structure their reasoning about what happens when the pre-alert is not perfect and provide insights of how the dynamic of the system may be affected. The vulnerabilities in the emergency care pathway were identified and an assessment of their potential impact was provided. It was concluded that the handover between paramedic and triage nurse is a critical activity.
Source: [5]

Title: Comair flight 5191 accident in Lexington, KY
Description: The aircraft taxied out uneventfully and then inadvertently proceeded to depart from the shorter general aviation runway. The aircraft became momentarily airborne after it struck an earthen berm, then collided with trees, and crashed.
Discussion: The FRAM method built up an explanation of the accident addressing all contributing factors going behind human error. The NTSB recommendations consisted mainly of constraining performance to ensure procedure compliance but do not consider managing performance or controlling the sources of performance variability.
Source: [12]
  • 27. 27 Title: DFS MSAW Safety Assessment
Description: Safety assessment focused on the evaluation of the impact of the new ground-based safety net system, MSAW, in ATM. Specifically, FRAM was used to assess potential emergent risks for an ad hoc landing approach scenario at Stuttgart airport.
Discussion: Illustrated how an inappropriate enabling of the alert transmission in combination with a “trivial” anticipation of a clearance could result in degraded performance of the Monitoring function. Indicates that degradation, and therefore the risk of something going wrong, does not result from a direct cause-effect link between a MSAW function and the Monitoring function.
Source: [13]

Title: NAX541 incident - Late runway change
Description: A Norwegian Air Shuttle Boeing 737-36N was en route from Stavanger Sola airport to Oslo airport (OSL). Approaching the destination, the crew had to initiate a go-around (GA) due to several contributing factors.
Discussion: FRAM sketches a ‘functional slide show’ with its illustrations of functions, aspects, and emerging links between them in instances, indicating the what and when, and common performance conditions, variability, and functional resonance, indicating why. FRAM provides a more thorough understanding of the incident in relation to how work is normally performed.
Source: [14]

Table 2.2.1-Catalogue of FRAM examples

In each of the examples gathered, the overall conclusion was that FRAM has a different approach compared with traditional methodologies. It brings a new and ample perspective regardless of the application and domain.
  • 28. 28 Throughout their experience with the method and its application, diverse users have identified some of the features that make the method unique and useful in various applications. Some of these critical opinions have been collected in order to emphasize the method's relevance.

“FRAM focuses on variability and possible situations of resonance rather than on failures and cause-effect links. FRAM provided insights into how the system dynamic is affected by small variations in system functions.” [5]

“The relationships between constraint, constraint management, and functional representations, have been interpreted in a new way through the functional resonance analysis thinking of FRAM. It thus provides an alternative to the modelling of constraints and functions that overcomes certain limitations of established modelling methods.” [15]

“FRAM can make it easier to identify potential risks in the future use of the modelled system, by combining common performance conditions and variability phenotypes with couplings among functions.” [16]

“FRAM has the potential to describe and analyze functions involved in adversarial C2, and enables the analyst to specify the constraints on own and adversary functions, in order to identify strengths and weaknesses in function performance on both sides, which may be used to determine which actions to plan for in order to provide for agile command and control. The FRAM methodology has been successfully extended to allow for the description of military activity at the tactical and operational levels and their relationship to command and control functions.” [17]

“With the increasing emergence of large scale and complex systems, including those that evolve independently of a central organizing architecture, the importance of techniques such as FRAM that allow the exploration of system behavioural and complexity effects will become increasingly critical to architecting systems that are safe by design.” [18]

FRAM is a method that challenges most of the traditional methods and brings a new view of how to approach complex systems. It is based on a different mentality, which is hard to assimilate; therefore, research regarding its practicality is still being conducted. Some of the challenges found are gathered below.

“The functional resonance analysis method, thus also in its early development, needs to be developed further to supply guidance to analysts in order to generate consistent results and be generally more understandable for a wider audience, as each of the steps in the method is currently underspecified to some extent. It has not been the purpose of this thesis to write detailed guidance on the application of the method, but such detailed specification with many more examples than have been shown here in a handbook would be desirable.” [15]

“The method would need to be further developed, applied, and evaluated in field studies of actual military operations, in order to reach its full potential.” [17]

Some other relevant papers compared FRAM with several traditional methods in order to reach a conclusion regarding FRAM's suitability and efficiency for the purpose in question. Some of the results are indicated below.
  • 29. 29 ” When practitioners compared the application of FRAM with FMEA, they noted essentially two differences. First, FRAM forces consideration of the different contextual aspects that are usually not included in such a systematic way in the simple sequential process maps that form the basis for the application of FMEA in healthcare. Second, FRAM felt more intuitive because it does not require consideration of failures and absolute consequences. Practitioners felt more comfortable reasoning qualitatively about possible sources of variation. This way of reasoning could provide some further insights into the severity classification derived by the application of FMEA. For example, the application of FMEA to the pre-alert, provided estimates that not receiving a pre-alert could lead to the death of the patient. However, using FRAM, practitioners were able to structure their reasoning about what happens when the pre-alert is not perfect and provide insights of how the dynamic of the system may be affected. This is, of course, different and complementary to the assessment of the worst credible outcome.” [5] “The main finding is that STEP helps to illustrate what happened, whereas FRAM illustrates the dynamic interactions within socio-technical systems and lets the analyst understand the how and why by describing non-linear dependencies, performance conditions, variability, and their resonance across functions.” [14]
  • 30. 30 2.3. Safety Management System in ATM

2.3.1. Description of ATM

2.3.1.1. Definition. Objectives.

Air Traffic Management as defined by ICAO is “the dynamic integrated management of air traffic and airspace including air traffic services, airspace management and air traffic flow management-safely, economically and efficiently-through the provision of facilities and seamless services in collaboration with all parties and involving airborne and ground based functions” [19]

In other words, Air Traffic Management is the system that manages complex processes and procedures, complex technological systems, information and human resources in order to ensure the most efficient use of the airspace in a safe manner. [20]

Air Traffic Management primarily consists of three activities:

• Air Traffic Control
• Air Traffic Flow Management
• Aeronautical Information Services [20]

2.3.1.2. Complexity

Following the ICAO definition, the ATM system can be considered as a set of interacting components that have to complete a certain mission and provide a certain service. It is a complex system because of this integration of sub-systems that perform complicated functions, involving technical and also other functional issues. [19]

ATM complexity is related to several factors like system size, the interconnections between the diverse actors that are sharing the airspace, the constraints and boundaries of the system, etc. However, the factors that contribute the most to this state of the system are the uncertainty factors like weather and the performance variability. For this reason, the complexity of ATM is mostly transferred to the ATC sub-system, which is ultimately responsible for safety and efficiency.

In order to ensure safety in such a complex system, a standard framework and a systematic system was created: the Safety Management System. In the next subchapter some relevant SMS components will be reviewed.
  • 31. 31 2.3.2. Safety Management System

ICAO defines a safety management system as “a systematic approach to managing safety, including the necessary organisational structures, accountabilities, policies and procedures” [19]

A more explicit definition is given by EUROCONTROL through the ESARR3 regulation as follows: “Safety Management System (SMS) - A systematic and explicit approach defining the activities by which safety management is undertaken by an organisation in order to achieve acceptable or tolerable safety.” [21]

In the ATM industry, the level of SMS development and implementation differs from one ANSP to the other. Some are still in the early stages of implementation while others are very mature systems, which are fully integrated into the operations. [22] The following analysis will be related to the latter.

There are three regulatory frameworks for SMS in Europe:

• ICAO Annex 11 - Air Traffic Services
• EUROCONTROL ESARR 3 - Use of Safety Management Systems by ATM Service Providers
• CANSO Standard of Excellence [22]

For the purpose of this study I will use the latter, given that it provides an advanced statement of precise actions and requirements that need to be followed in all four functional components of the SMS, combining both ICAO and EUROCONTROL requirements and regulations.

The CANSO Standard of Excellence consists of a system enabler (Safety Culture) and a framework of five components addressing 16 elements. The structure is presented below:

Figure 2.3.2.1-SMS Framework [23]
  • 32. 32 The components that concern this thesis are Safety Risk Management and Safety Assurance, mainly because they complement each other and need to be linked. The diagram below illustrates the link between the two functions.

From these two components, the main elements concerning the systematic actions which are interesting for the purpose of this thesis are:

• Risk Management Process
• The Management of Change
• Safety Reporting, Investigation and Improvement

The understanding of these elements and the methods used will serve to further analyze whether FRAM application can provide benefits in these systematic areas of the Safety Management System.

2.3.2.1. Risk Management Process

Each ANSP must develop and implement a risk management process which permits the identification of hazards, risk assessment and mitigation. [24]

The scope of risk assessment and mitigation activities is usually dependent on the safety significance of the system. Other factors, such as the complexity of the system, may also influence the scope of the assessment. [24]

The Risk Management process should primarily be focussed on the operational units. ACC or TWR are examples of operational units to deal with. For example, significant equipment in operational units may be specifically considered through further risk assessment and mitigation actions. [24]

The figure below illustrates the Risk Management framework.
  • 33. 33 Figure 2.3.2.1.1- Risk Assessment Framework [25]
  • 34. 34 Risk assessment methods have been developed over a number of years in a variety of different branches of industry. There are several techniques developed for each step of the safety analysis, but there is no method that can encompass all these steps, especially in the case of the overall system. This thesis is interested in those methods that look at all the system components; the most popular ones are the Fault Tree Analysis and the Bowtie Analysis methods.

Fault Tree Analysis Method (FTA)

Fault Tree Analysis is the most common method used to look at all of a system's aspects, determining the possible causes of a hazard, whether single or multiple. A fault tree uses Boolean AND/OR gates to model causal relationships between events, usually unwanted events. [27]

Although the Boolean logic gates in Fault Tree Analysis allow actual failure probabilities to be integrated into the model, this information is seldom available due to the costs of testing and human influence on the system. [27]

Figure 2.3.2.1.2 -FTA [28]

Bowtie Analysis Method

The Bowtie method is a risk evaluation method that can be used to analyze causal relationships in high risk scenarios. A Bowtie diagram gives a visual summary of all plausible accident scenarios that could exist around a certain Hazard and identifies barriers to control those scenarios. [28]

The left side of the Bowtie diagram consists of a simplified Fault Tree (without possibilities), while the right side of a Bowtie diagram resembles an Event Tree. However, the Bowtie method is not looking for probability or frequency information but rather making sure that the controls are working properly. [27]
  • 35. 35 Figure 2.3.2.1.3-Bowtie Framework [29]

Terminology

• Hazard - potential source of harm to people, assets, the environment and reputation
• Top Event - the incident that occurs when a hazard is realized
• Threats - what could cause the top event to occur
• Consequences - what could happen if the top event occurs
• Barrier - what is preventing or reducing the likelihood of a threat
• Recovery Measure - what prevents, minimizes or helps recovery from the consequence
• Escalation Factor - what could prevent the barrier or recovery measure from working properly
• Escalation Factor Control - what prevents or minimizes the chance of barriers or recovery measures becoming ineffective [30]

Bowtie Steps

Figure 2.3.2.1.4-Bowtie Analysis Steps [30]
  • 36. 36 2.3.2.2. Management of Change

The service provider shall develop and maintain a formal process to identify changes which may affect the level of safety risk and to identify and manage the safety risks that may arise from those changes. Change appears due to a number of factors including, but not limited to:

• Organizational expansion or contraction
• Change to internal systems, processes or procedures
• Changes to the operating environment [31]

A change may affect the effectiveness of existing safety risk mitigation strategies but also introduce new hazards and safety risks into the system. [31]

The Management of Change process is usually focused on making sure that new proposed changes do not increase risk from a safety perspective. This means that all possible impacts of a new operation or system should be assessed, and their combined risks determined. This analysis involves considering the scope of the assessment, and then identifying all possible hazards and the severity of their consequences. The analyst then determines how probable these failures are, as well as how likely the system is to recover from such failures. This culminates in an overall risk estimate for the system. [26]

Figure 2.3.2.2.1- Safety Action Plan [26]
  • 37. 37 Safety reviews

“Safety reviews are conducted during introduction and deployment of new technologies, change or implementation of procedures, or in situations of a structural change in operations. Safety reviews are a fundamental component of the management of change. They have a clearly defined objective that is linked to the change under consideration.” [32]

2.3.2.3. Safety Investigation

Safety occurrences are events which happened due to a deviation from the desired system state, resulting in loss or damage to equipment or personnel, or increased potential for such outcomes. Every occurrence provides an opportunity to study how the deviation occurred, and to identify ways of preventing it from happening again. [33]

The objectives of safety occurrence investigation are to:

• Establish what happened
• Identify the contextual conditions and organisational factors that contributed
• Review the efficiency of existing system controls and barriers
• Formulate recommendations
• Identify and distribute key lessons from the safety occurrence
• Detect trends that may highlight specific system deficiencies or recurring problems. [34]

Figure 2.3.2.3.1-Safety Occurrence Investigation Package [34]
  • 38. 38 A number of phases or steps are common to many occurrence investigation and reporting systems. Each of these phases is considered and recommended practices are identified. EUROCONTROL advises ATM service providers to address the investigation process as illustrated below or in a similar way. [34]

Figure 2.3.2.3.2 -Elaboration of the Generic Phases in Occurrence Investigation [34]

Several methods have been developed for the purpose of occurrence investigation, of which the most common one is the SOAM analysis method.

SOAM-Safety Occurrences Analysis Method

SOAM is one of several accident analysis methods based on principles of the "Reason Model" of organisational accidents (Reason, 1990, 1991). SOAM is a process for conducting a systemic analysis of the data collected in a safety occurrence investigation, and for summarising this information using a structured framework and standard terminology. SOAM draws on the theoretical concepts of the Reason Model, but also provides a practical tool for depicting the inter-relationships between all contributing factors in a safety occurrence. [35]
  • 39. 39 Figure 2.3.2.3.3-SOAM Framework [35]

The steps used in SOAM Analysis are the following:

Figure 2.3.2.3.4 -SOAM analysis key steps [35]

Regardless of the method used, the fundamental purpose of a safety investigation is the prevention of further occurrences.

2.4. Chapter Conclusion

This chapter described the FRAM method and identified and detailed the systematic elements of a SMS: Risk Management, Management of Change and Safety Reporting, Investigation and Improvement. An analysis of FRAM integration in each one of the three elements will be conducted in the following chapter.
  • 40. 40 3. Application of FRAM in SMS

The programs running in the aviation industry today, such as SESAR and Single European Sky (SES), have as a primary objective to increase capacity and efficiency, while safety only gets second place. Also, the world's leading aircraft manufacturers, Airbus and Boeing, are now building all their aircraft with advanced technological features that will allow Continuous Descent Arrivals, flying on 4D flight paths and data-link communications.

This rapid technological change mounts pressure on the national ANSPs to reorganize the way airspace is structured and upgrade the ATM system so that the aviation community can benefit from these technologies in a safe way. By upgrading the ATM system I mean investing in new ATC systems that will allow the ATCo to cope with the increasing demand by offering features and applications that can detect alerts in advance or provide solutions in the short term, systems that will allow a more semi-automatic decision-making process. This pressure will, in the end, be transmitted to the Safety Management Department, which will need to find ways of handling these changes, propose solutions and keep the system safe.

Figure 3.1 - SESAR Performance Concept [36]

All this new technology (the change in airspace, in trajectory philosophies, automation, new displays with new features and alerts, the minimization of displays, etc.) that is already implemented or soon to be will lead to a dramatic increase in the number of possible interactions between ATC system components, and the ANSPs will have to find new practices to help them keep the situation under control. This new vulnerability of the system will bring new challenges to the ATM System and will force a change in mentality and in the way we used to think about failure. A complex socio-technical system can fail even though all its components are working properly, because of those unexpected interactions. This is why I believe an advanced safety framework needs to be implemented in order to foresee these future changes and try to understand as much as possible how the system will work and how variability impacts it.
  • 41. 41 Therefore, the SMS framework and its elements need to be improved. The historical development of safety approaches, and associated safety assessment methods, from the age of Technology to Resilience Engineering, shows how thinking about safety has changed in relation to the evolution of technology and organisation. Up to the age of Safety Management, the changes in safety approaches concerned mainly a broader scope of analysis. From being focused on technology, models and methods acknowledged the need to include humans and organisations in the identification of hazards and safety assessment. This acknowledgement required accident models to change from being linear to being epidemiological, i.e. to recognise the contribution of multiple factors to accidents. Despite the great changes which took place in their development, safety approaches shared a common point: models and methods were interested exclusively in negative organisational outcomes, i.e. catastrophes, accidents, incidents, near misses etc. In this decade, a proactive element (looking for what goes right) needs to be added to the existing reactive approach. The faster cheaper better approach should take a step back when talking about safety especially in this stage of the civil aviation where change happens fast and adaptation is the key word. ANSPs need to invest more in Safety in order to keep up with this rapid growth. There is room for improvement in all the SMS elements but I believe the greatest impact on safety will have the improvements done to the systematic elements: Risk Assessment, Management of Change and Occurrence Investigations, which are also the core of a SMS and their modelling plays a major role. New perspectives and systematic methods are needed in order to handle the traffic growth, capacity issues and to cope with the increased level of automation. 
The complexity of Air Traffic Management systems requires the application of methods able to capture the real system's dynamics and performance, to anticipate risks, to eliminate some of them (not all risks can be predicted and therefore eliminated) and to create the conditions to cope with disturbances in an effective manner. This chapter tries to determine whether FRAM could be an option for complementing the current best practices for the systematic elements of the Safety Management System.

3.1. Modelling Methods - Why do we need them?

Aviation's top priority should be to ensure safe but efficient operations, and a great part of this responsibility rests on the Air Navigation Service Providers because they are responsible for managing the ATC socio-technical system. Due to the rapid growth of air traffic and the fast development of aviation, the need emerged for a systematic approach to safety, a standardized system: today the Safety Management System and its associated modelling methods. Modelling methods are very important in SMS because they generate a framework which allows a deeper understanding of the system and of the way it works, and further allows a systematic approach to it. The purpose of the modelling methods is to represent the reality of our system graphically and to identify the things that are working well and the areas that need improvement. Regardless of their type, quantitative or qualitative, modelling methods should allow the users to represent the system as close to reality as possible and to capture “work as done” instead of “work as imagined”. The results of the modelling methods should be made available to all engineering and managerial decision-making levels, and they should be made public at every organizational level in order to increase awareness about safety and help establish a Safety Culture.
3.2. Discussion on SMS Approach

The main focus of a Safety Management System is the reactive processes, and its approach to them is linear. This mentality is inherited from the industrial era, when the system and the tasks of personnel were quite simple and could be split into parts because that was the way the system functioned. Take for example an assembly line, which is indeed a socio-technical system, but a simple one, because each individual has their own machine to work with. This kind of system can be modelled using just the traditional methods because the philosophy behind it is simple and therefore a representation of it is very close to reality. There are no couplings between the tasks; they just come one after another, and of course if one of the tasks fails it will influence the others, as in a domino model. The traditional models made perfect sense at the moment when they were created because the industry was simple and underdeveloped; there was no automation and there were no interconnections between its functions. Nowadays this is no longer valid. The complexity of our systems has increased enormously due to the technology boom and the scale that our systems have reached. In all these equations safety plays a great role, and it needs to be involved in the whole system and kept up to date. All the best practices used today in SMS are somehow based on those traditional models that were developed during the '50s, when the aviation industry and ATM had a different status; therefore I question their ability to express the reality of our system. I wonder whether the way safety is done nowadays is actually having an impact on safety assurance, or whether we are feeding ourselves invalid information that does not help the system but, on the contrary, constrains it. How much does the system actually have to adapt in order to maintain the acceptable level of safety? These are questions that need to be asked and answered.
Interconnection is the word that describes the major industries in this decade and probably many to come. Whether we talk about business, economics, healthcare or programming, they are all described by connectivity. ATM started to adapt to this trend and to realize the importance of a Collaborative Decision Making programme that allows all the users of aviation to work together in order to satisfy the demand. Now, Safety needs to do the same. It needs to realize that what defines an ATC system today is the interconnections between all the elements, and it must make an effort to understand the actual status of the system and to be able to recognize how future developments will affect it. Safety needs to change its philosophy in order to keep up with the rapid growth and change of the system, and management should encourage this because people are looking more and more to their safety and health, and public opinion needs to be taken very seriously. The methods used now do not look at the system as a whole and do not capture its dynamics as they should. What one can model with the current methods are just parts of the system, for example one particular event or just one particular hazard, and this cannot give an effective overview of the system because all the components of the system might work within limits but together could lead to disastrous consequences. Another drawback of the modelling methods used in SMS is that they channel you towards human error and do not really give one the opportunity to go beyond this. This is also part of the reactive mentality we talked about: if all the subparts of the design of the system work, then it has to be human error if something bad happens, which could not be more false.
‘Human error’ means nothing other than that the system design, the procedures, the working position and the workload were not tailored to the operators' needs, and that somewhere deep, at the system’s origins, something is not working as it should. Therefore the methods should let you look for these deeper issues of the system and should help you bring them to the surface regardless of your biases as an employee. Also, risk assessment
methods should be used for system design and their impact on the operational site, in order to prevent a future discrepancy between ATCo needs and the new system. In conclusion, the best practices used so far do not pay off very well, because the focus of Safety Management Systems is set on occurrence investigations, less on safety assessments, and almost no effort goes into understanding the system. Waiting for something bad to happen before reacting is clearly unhealthy thinking, especially in aviation, because nothing can guarantee that bad things won’t happen even though there were no such events in the past. To be effective and efficient, safety management cannot be based solely on hindsight. This point highlights the control problems that arise from the attempt to steer safety by just looking at what has happened in the past, or waiting for problems to emerge before finding solutions. History has shown, and we can still see this in the present (keeping in mind the accidents and incidents that happened in the last few years), that although one can learn some things from accidents, this can definitely not prevent other accidents from happening.

3.3. FRAM integration in SMS

FRAM is a method that supports the systematic way of thinking in the context of a complex system, having already been used in engineering, health care and economics. Although it has great potential, it is not yet used in ATM. To ensure safety, we must reconsider the idea of basing safety assessment only on an abstract, simplified representation of the socio-technical system and instead represent the system in its normal, functioning states as realistically as possible. This also includes realizing that the ATC system has become so complex that we are not able to understand it completely. We will also need to foresee that surprises will happen in the system, and in order to manage them we have to first acknowledge this state of “uncertainty” and then train accordingly.
This is the philosophy that stands at the base of FRAM, and this is what makes the model so unique. The ATC system cannot currently work without humans and the way they adjust to situations and keep the system safe most of the time, and this is another issue that needs to be taken into consideration and understood when the system’s safety is examined. This performance variability, its effect and the way it propagates through the system need to be understood in order to improve system safety, and FRAM is the proper method to be used in this case. Another feature that FRAM can bring to SMS is that it allows the users to integrate in the model as many functions as they need in order to get to the desired analysis. There are no limitations regarding the number of functions or the number of entries for each aspect, and this is very helpful when you want a comprehensive and complete analysis of your system, a view that no other traditional method can give, and with the proper knowledge this is very easy to accomplish. With FRAM one can produce a model of everyday performance instead of explaining events in terms of an already existing method, therefore focusing on the identification and reduction of emergent risk in the chosen dynamic environment. FRAM is a qualitative method having no levels of failure or success, nor levels of wrong or good actions, but resonant functions that indicate where there might be problems in the system, where
are the areas that need attention and improvement, and this way of thinking about a system or an incident is in total conformance with the Safety II way of thinking and Just Culture. In conclusion, FRAM could fit perfectly in SMS because it includes all the above-mentioned features and new ideas regarding system complexity, and it can be at least a complementary method for the systemic elements within the SMS. FRAM represents the proactive side of the analysis and fills the gaps of the current philosophy. We shall see in the following subchapter which specifics FRAM could bring to three SMS elements, Risk Assessment, Management of Change and Occurrence Analysis, and which of them could benefit the most.

3.4. FRAM and Best Practices

We have already commented on the systematic functions that exist in a Safety Management System and we have seen that FRAM can bring a new perspective to SMS; the next step is to establish in which of these three elements FRAM could contribute the most. At first look, due to its affinity to the proactive way of approaching Safety, FRAM could be more helpful for modelling the system, finding hazards in the system in its current state or finding hazards that might appear due to a change introduced in the system, than for an accident or incident investigation, although studies done so far have focused on the latter. But this will be further analysed in the following discussion for each of the three SMS systematic functions and through an analysis between the best practices and FRAM for each of the three: Risk Assessment, Management of Change and Safety Investigations.

3.4.1. Discussion regarding Safety Investigations

Looking at the history of aviation disasters, one can see that not much was learnt from the study of accidents and incidents, although a great part of the resources of an SMS department goes in that direction.
Indeed, improvements of the system emerged from disastrous events, but the bottom line is that the analysis of accidents or incidents did not prevent accidents from happening again, even in similar conditions. It cannot, for several reasons: there is not yet a standard practice implemented, nor the associated taxonomy; the results of the analysis were not shared between ANSPs until recently; and the contributing factors and the interconnections between them, the environmental conditions, the procedures and the mindset of the controllers are not the same for another accident. When things start cascading, there is always something different that emerges and can lead to unwanted events. Another aspect that needs to be addressed is the discrepancy between FRAM’s philosophy and the ideology of the Safety Investigation systematic element in SMS. Occurrence Investigation is a reactive process that looks at past events, trying to explain what went wrong by analyzing how and why things happened in a certain way in order to identify gaps in the system and solve them through recommendations. On the other hand, FRAM is based on the Safety II view, embracing the proactive side of an analysis, looking at what is working well in the system and identifying areas that need improvement by understanding the system variability. To sum up, one is a reactive process while the other is a proactive method, and this leads to the question: does it make sense to use FRAM for Safety Investigations? As discussed earlier, a lot of energy and effort is put into this reactive process which, in the end, does not contribute very much to the system’s safety; therefore there is no valid reasoning for using the FRAM method for this purpose.
But before jumping to conclusions, we shall still make an analysis to verify whether the reasoning is correct. We shall review how occurrence investigations are approached using SOAM, the most common occurrence investigation methodology, and discuss whether FRAM could bring something to the process that will have an impact on the system’s safety. The discussion starts by looking at SOAM and its approach to the occurrence investigation process. The first step is finding advantages and challenges in the current methodology, which will be further discussed in relationship with FRAM in order to analyze whether FRAM could bring a contribution to the process or not.

Advantages:
- Conducting systemic analysis of the data collected
- Identify contributing factors
- Structured and simple framework
- Usage of taxonomy
- Identify systems’ contra measures
- Comprehensive output
- Identify safety issues
- Integrated with the reporting system
- Ease transferring of information
- Applicable to actual event and generic types of occurrences
- Enable the drawing of conclusions
- Consistence with Just Culture Principles

Challenges:
- No broad overview of the event
- Depicting relationships between factors in a causal way
- Use of decomposition principle

Table 3.4.1.1 – Advantages and Challenges in SOAM methodology

When investigating an accident or incident, the most important step is gathering all the data and not stopping at the obvious factors, but looking deep into the system in order to find all the linked elements that led to that event, because this step of the analysis influences the graphical model and, further on, the recommendations. However, this step does not interfere with the above-mentioned methods. If the data collected is valid and complete and the investigator has the proper mindset, then he/she already
has an overall picture of the event and he/she can model the system in a correct manner using FRAM or SOAM. With respect to the framework they generate, the models are quite different. SOAM sets quite a strict framework, allowing you to stack the contributing factors in only 5 areas of interest: Other Organisational Factors, Organisational Factors, Contextual Conditions, Human Involvement and Barriers, while FRAM does not limit the investigator at all. In this case of analysis both approaches have their own means. For SOAM, the requirement of placing each contributing factor in just one of the five boxes might get tricky because of the interconnections between them. The user might even have more than two options regarding the right placement of a particular factor. There is also the question of human involvement and barriers, which has been discussed for a very long time. Do you place a human involvement factor in the Barrier box? According to old beliefs yes, especially as this model is based on the Reason Model, but this is not correct. As mentioned in the State of the Art chapter, it is proved that humans are making safety in such a complex system, because human beings are the only ones capable of adapting and producing safety. Therefore the issue with the model from this perspective is that it has this gap that might let people be influenced by their biases. On the other hand, providing one standardized methodology and structure for all ANSP investigators is good for keeping records of past occurrences, and it might help safety and Just Culture overall by sharing the results in the same format so that everyone can relate.
With FRAM, having no specific framework, I see neither advantages nor disadvantages, but it seems that in this aspect it might be more convenient to use SOAM instead of FRAM because it is simpler to model and it uses a common taxonomy, a common language for both trained users and management. This facilitates the data exchange between ANSPs, eases the communication with top management and makes it simpler to summarize the outcome of an investigated occurrence. Both FRAM and SOAM have an investigation philosophy that supports the Safety Culture and Just Culture philosophies, but in different ways. As previously discussed, FRAM considers “human error” as a symptom of the system, and this is in complete concordance with the above-mentioned philosophies. SOAM, on the other hand, provides the means to be consistent with the Just Culture principles through the standardized methods and the taxonomy used, which ease the sharing of the data with other ANSPs and increase the popularity of the reporting systems. On the other hand, the model itself still allows you to analyze the event with the old mentality, and in order for it to work properly and within the margins of Just Culture, the training of the investigators should be done very thoroughly so that the method has an impact on increasing awareness of safety issues. Another issue is related to the way the methods look at the event. The FRAM method captures the dynamics of the event in the way the outcome is presented, through the visible interconnections that do not follow a pattern but are rather random, thus depicting a more realistic overall picture of the event. SOAM looks at the event in a more segmented way, focusing on identifying the issues in those 5 categories.
Nevertheless, the factors contributing to the event can be linked, but in a simpler way, following a line of reasoning starting from the Organisational Factors to Failed Barriers, resembling the causal relationships which are no longer suitable for the system nowadays. With SOAM it is easy to make recommendations and to trace them back to the model, but this is a bit limiting because the recommendations refer only to organisational issues and barriers, while not taking much into consideration the contextual conditions that might actually have a great impact on the event. The recommendations in SOAM are made for a specific contributing factor, not a
combination of them, and therefore they might not be complete or thorough enough to make a big impact. With FRAM one integrates all the factors and makes more general recommendations, indicating the way the factors contributed to the event; in this way awareness is raised and the recommendations are formulated in a more complete way. Usually it is better to make general recommendations and let the party involved in the event decide how to proceed, but this needs to be done carefully because recommendations that are too general sometimes lead to poor implementation. To sum up, there are advantages and disadvantages for both methods; therefore we are faced again with the Efficiency Thoroughness Trade-off problem. Will safety benefit from a standardized method or from one that allows you to model the event in a more dynamic and realistic way? Would an efficient but rather incomplete model of an accident have a greater impact than a thorough but more complicated model? Following the discussion above, it seems that the statement we started this analysis with is correct. With the proper training of the investigators, SOAM could be the right method to use for occurrence investigations. Indeed, FRAM could be used as a complementary method because it can give a better overview of the event, but the conclusion is that it is not worth the effort. This reasoning shall also be seen in the following gap analysis of the two discussed methods. The specific requirements of an Occurrence Investigation process will be addressed from the perspective of both methods. The source of the requirements is EUROCONTROL ESARR 2 - REPORTING AND ASSESSMENT OF SAFETY OCCURRENCES IN ATM, issued on 02 December 2009.
[38]

REQUIREMENTS / SOAM / FRAM

- formal means of safety occurrence reporting and assessment is implemented for all ATM-related occurrences that pose an actual or potential threat to flight safety, or can compromise the provision of safe ATM services
- ATM personnel and third parties are encouraged by every means to systematically and consistently report occurrences
- All relevant data that would aid understanding of the circumstances surrounding such occurrences are adequately identified, with the data being secured, recorded and stored in a manner which ensures their quality and confidentiality as well as permitting subsequent collation and assessment
- Investigation or assessment, by a team with the necessary expertise, of those occurrences that are considered to have significant implications on flight safety and/or on the ability to provide safe ATM services, takes place immediately, and any necessary remedial action taken
- The severity of each such occurrence is determined, the risk posed by each such occurrence classified, and the results recorded
- The causes of such occurrences are analysed, to the utmost degree of objectivity, to identify the extent to which the ATM system helped, or could have helped, to reduce the risk incurred, with the results recorded
- Safety recommendations, interventions and corrective actions are developed, recorded where necessary, and their implementation monitored
- To the extent possible, safety experience, based upon collected safety occurrence data and assessment, is exchanged between States in order to develop a more representative and common awareness of typical hazards and related causes, as well as safety trends and areas where changes to the ATM system could improve safety.

Table 3.4.1.2 – Gap Analysis of SOAM and FRAM with respect to Safety Investigation process

The outcome of this gap analysis reinforces the argument that the Safety Investigation process is the main focus of the Safety Management System, due to the fact that the requirements are rather complete. There are some elements that are not mentioned as requirements, but as discussed earlier they are not fundamental for the purpose of Safety Investigations.

3.4.2. Discussion regarding Risk Management

Risk Management is a proactive process and therefore it should be the main focus of the Safety Management System’s efforts, because the proactive side of an analysis is the one that will keep the network safer in the near future. The reasoning behind this statement is elementary: the percentage of positive outcomes in current ATM is approximately 99.9%, while the percentage of unwanted outcomes is 0.01%. The Occurrence Investigation process is responsible for looking into that 0.01%, and this is why this process has reached a point of saturation, a point from which not too many conclusions can be drawn. It is clear that 0.01% is not saying much about our system.
In this rapidly changing environment we shall try to understand why we have positive events 99.9% of the time; otherwise we will not be able to integrate the changes to come and to keep the system safe. Proactivity consists in understanding the system and the way it works, identifying the areas where the system is already mature, but also identifying the risks that are already present in operations and others that might emerge due to all the factors we have already discussed. The efficiency of risk management relies on the ability to emphasize, in advance, the challenges in the overall system, since their non-identification will leave the system and operators unprepared to cope with them.