Safety Function Maps (Safmaps)

By Wiley Stickney

Safety Function Maps, or SAFMAPs, are essential tools that help us understand the barriers in place to prevent unwanted accident outcomes, like midair collisions. These maps document the safety defenses available within the Air Traffic Management (ATM) system, which includes both ground and airborne components. They play a vital role in the annual safety reviews conducted by EUROCONTROL SAFOPS. During these reviews, safety occurrences are examined, patterns are identified, and potential risks are analyzed.

One key principle in creating SAFMAPs is to include all barriers that are utilized within the industry, whether they are required by regulations or not. This approach allows SAFMAPs to also function as a repository of best practices. For instance, techniques like short-term conflict probes, A-SMGCS level 2 functions, and runway status lights are examples of valuable tools that contribute to safety but may not be mandatory.

Descriptions of safety barriers tend to be general. For example, stating “Pilot/driver detection of potential RWY conflict and prevention of incorrect entry onto the RWY protected area” does not specify how this is achieved, whether through stop-bars, runway guard lights, or entry lights. Similarly, when we mention the prevention of overlooking conflicting aircraft during clearances, we do not detail specific tools like MTCD, ATCO structured scans, or team support systems.

To illustrate the structure of SAFMAPs, consider the Mid-air Collision SAFMAP, which comprises six basic safety functions. The chart associated with it shows the consequences of failing these functions. If the first function, “Tactical conflict prevention,” fails, the situation escalates to “Airborne tactical conflict.” It is then up to the barriers under “Tactical separation assurance” to intervene. If they fail too, the event progresses to “Separation infringement,” and the final line of defense is “ATC collision avoidance.”

SAFMAPs are organized hierarchically. Higher-level barriers can often be broken down into several lower-level ones. The topmost levels are known as basic safety functions, which can further be divided into Level 1 safety functions, and so on, down to Level 4. Not every safety function needs to be decomposed to the same degree; further breakdown occurs only when multiple incidents highlight different ways a function might be implemented or challenged.

The arrangement of functions at the same level affects how easily they can be breached. For instance, if a higher-level barrier has multiple lower-level barriers, their layout determines the conditions for penetration. In one scenario, breaching any lower-level barrier leads to breaching the upper-level one. In another, all lower-level barriers must be breached to escalate the incident. Sometimes, an incident halts between two barriers, not directly due to a barrier itself. In such cases, the graphical representation shows a thinner barrier with a note indicating that there was no need for a specific measure.

When reviewing an incident with a SAFMAP, the goal is to identify all relevant safety functions, not just those that failed. We also look at those that succeeded, offering resilience. Each function can have different qualifications: available but not challenged, challenged and failed, challenged and succeeded, not available, or not applicable. This process leads to a comprehensive understanding of what transpired in a scenario, although it does not explain why events occurred. Investigations sometimes lack enough information to evaluate all safety functions accurately, leaving gaps in understanding.

The decomposition of the “Tactical Separation Assurance” Level 1 barrier into Level 2 safety functions illustrates this well. The thinner depiction of “No need for ATC separation infringement prevention” acknowledges that there were no active preventive measures in place.
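
The hierarchy, the two breach arrangements and the five qualifications described above can be captured in a small model. This is an added example, not part of the original article or of any EUROCONTROL tool; the "L2 function A/B" names, the "initial" label, the treatment of an unavailable barrier as breached and the sample occurrence are assumptions constructed for illustration, and only the three basic safety functions named in the text are modelled.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

class Q(Enum):  # the five qualifications listed in the text
    NOT_CHALLENGED = "available but not challenged"
    FAILED = "challenged and failed"
    SUCCEEDED = "challenged and succeeded"
    NOT_AVAILABLE = "not available"
    NOT_APPLICABLE = "not applicable"

@dataclass
class Fn:
    name: str
    q: Optional[Q] = None   # qualification, set on leaf functions only
    mode: str = "any"       # "any": one breached child breaches the parent
    children: list = field(default_factory=list)  # "all": every child must be breached

def breached(fn):
    """True if the occurrence got past this safety function."""
    if not fn.children:
        # Assumption: a barrier that is not available offers no protection.
        return fn.q in (Q.FAILED, Q.NOT_AVAILABLE)
    kids = [breached(c) for c in fn.children if c.q is not Q.NOT_APPLICABLE]
    return bool(kids) and (any(kids) if fn.mode == "any" else all(kids))

def leaves(fn):
    if not fn.children:
        yield fn
    for c in fn.children:
        yield from leaves(c)

def review(chain):
    """chain: ordered (basic function, state if breached) -> (stopped_by, state, held)."""
    state, stopped, held = "initial", None, []   # "initial" is a placeholder label
    for fn, next_state in chain:
        held += [l.name for l in leaves(fn) if l.q is Q.SUCCEEDED]  # resilience
        if not breached(fn):
            stopped = fn.name
            break
        state = next_state
    return stopped, state, held

def sample_chain(mode):
    """Constructed occurrence; the 'L2 function A/B' names are placeholders."""
    tsa = Fn("Tactical separation assurance", mode=mode, children=[
        Fn("L2 function A", Q.FAILED), Fn("L2 function B", Q.SUCCEEDED)])
    atc_q = Q.SUCCEEDED if mode == "any" else Q.NOT_CHALLENGED
    return [(Fn("Tactical conflict prevention", Q.FAILED), "Airborne tactical conflict"),
            (tsa, "Separation infringement"),
            (Fn("ATC collision avoidance", atc_q), "beyond the functions named here")]
```

With the same Level 2 qualifications, `review(sample_chain("all"))` stops at "Tactical separation assurance", while `review(sample_chain("any"))` escalates to "Separation infringement" and is stopped only by "ATC collision avoidance".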
