CIRC 314-AN 178 INP EN EDENPROD 195309 v1
CIRC 314-AN 178 INP EN EDENPROD 195309 v1
CIRC 314-AN 178 INP EN EDENPROD 195309 v1
AN/178
ICAO Cir 314, Threat and Error Management (TEM) in Air Traffic Control
Order Number: CIR314
ISBN 978-92-9231-150-6
© ICAO 2008
This circular describes an overarching safety framework intended to contribute to the management of safety in aviation
operations and known as Threat and Error Management (TEM). TEM is based on a model developed by the Human
Factors Research Project of the University of Texas in Austin (United States): the University of Texas Threat and Error
Management Model (UTTEM).
The main objective of introducing the TEM framework to the Air Traffic Services (ATS) community in general, and the Air
Traffic Control (ATC) community in particular, is to enhance aviation safety and efficiency. This is achieved by providing
an operationally relevant and highly intuitive framework for understanding and managing system and human
performance in operational contexts. A further objective in introducing TEM is to lay the foundation for ATS providers for
the adoption of a TEM-based tool that involves the monitoring of safety during normal operations as part of ATC safety
management systems. The name of this tool is the Normal Operations Safety Survey (NOSS).
The development of NOSS is a consequence of Recommendation 2/5 “Monitoring of safety during normal operations”
from the 11th ICAO Air Navigation Conference in 2003, which reads as follows: “That ICAO initiate studies on the
development of guidance material for the monitoring of safety during normal air traffic service operations, taking into
account, but not limited to, the line operations safety audit (LOSA) programmes which have been implemented by a
number of airlines.”
In order to comply with Recommendation 2/5, ICAO has developed Doc 9910, Normal Operations Safety Survey
(NOSS), a methodology of NOSS, to which this circular on TEM is intended as a precursor. The TEM framework can be
applied in all ATS operations, regardless of the implementation of NOSS, however, NOSS cannot be implemented
without embracing the TEM concept.
It must be made clear from the outset that TEM and NOSS are neither human performance/Human Factors research
tools, nor human performance evaluation/assessment tools. TEM and NOSS are operational tools designed to be
primarily, but not exclusively, used by safety managers in their endeavours to identify and manage safety issues as they
may affect safety and efficiency of aviation operations.
a) a generic introduction to the TEM framework, including definitions; components of the framework;
threat and error countermeasures; and threats, errors and undesired states in relation to outcomes;
b) a discussion on TEM in ATC, including definitions; threats in ATC; errors; undesired states; managing
threats and errors; TEM-based analysis of actual ATC situations; TEM training for ATC personnel;
integrating TEM in safety management; and normal operations monitoring; and
The circular was developed with the assistance of the Normal Operations Safety Survey Study Group (NOSSSG).
_____________________
(iii)
TABLE OF CONTENTS
Page
_____________________
(v)
INTRODUCTION
1. Threat and Error Management (TEM) is an overarching safety concept regarding aviation operations and
human performance. TEM is not a revolutionary concept, but one that has evolved gradually, as a consequence of the
constant drive to improve the margins of safety in aviation operations through the practical integration of Human Factors
knowledge.
2. TEM was developed as a product of collective aviation industry experience. Such experience fostered the
recognition that past studies and, most importantly, operational consideration of human performance in aviation had
largely overlooked the most important factor influencing human performance in dynamic work environments: the
interaction between people and the operational context (i.e. organizational, regulatory and environmental factors) within
which people discharged their operational duties.
3. The recognition of the influence of the operational context in human performance led to the conclusion that
the study and consideration of human performance in aviation operations must not be an end in itself. With regard to the
improvement of margins of safety in aviation operations, the study and consideration of human performance without
context addresses only part of the larger issue. TEM therefore aims to provide a principled approach to the broad
examination of the dynamic and challenging complexities of the operational context in human performance, for it is the
influence of these complexities that generates the consequences that directly affect safety.
_____________________
(vii)
THREAT AND ERROR MANAGEMENT (TEM) IN
AIR TRAFFIC CONTROL
1.1 The Threat and Error Management (TEM) framework is a conceptual model that assists in understanding,
from an operational perspective, the interrelationship between safety and human performance in dynamic and
challenging operational contexts.
1.2 The TEM framework focuses simultaneously on the operational context and the people discharging
operational duties in such a context. The framework is descriptive and diagnostic of both human and system
performance. It is descriptive because it captures human and system performance in the normal operational context,
resulting in realistic descriptions. It is diagnostic because it allows quantifying the complexities of the operational context
in relation to the description of human performance in that context, and vice versa.
1.3 The TEM framework can be used in several ways. As a safety analysis tool, the framework can focus on a
single event, as is the case with accident/incident analysis; or it can be used to understand systemic patterns within a
large set of events, as is the case with operational audits. The TEM framework can be used to inform about licensing
requirements, helping clarify human performance needs, strengths and vulnerabilities, thus allowing the definition of
competencies from a broader safety management perspective. Subsequently the TEM framework can be a useful tool in
On-the-Job Training (OJT). The TEM framework can be used as guidance to inform about training requirements, helping
an organization improve the effectiveness of its training interventions, and consequently of its organizational safeguards.
The TEM framework can be used to provide training to quality assurance specialists who are responsible for evaluating
facility operations as part of certification.
1.4 Originally developed for flight deck operations, the TEM framework can nonetheless be used at different
levels and sectors within an organization, and across different organizations within the aviation industry. It is therefore
important, when applying TEM, to keep the user's perspective in the forefront. Depending on “who” is using TEM (i.e.
front-line personnel, middle management, senior management, flight operations, maintenance, air traffic control), slight
adjustments to related definitions may be required. This circular focuses on the Air Traffic Control (ATC) environment,
and the discussion herein presents the perspective of air traffic controllers' use of TEM.
2.1 Overview
There are three basic components in the TEM framework, from the perspective of air traffic controllers: threats, errors
and undesired states. The framework proposes that threats and errors are part of everyday aviation operations that must
be managed by air traffic controllers, since both threats and errors carry the potential to generate undesired states. Air
traffic controllers must also manage undesired states, since they carry the potential for unsafe outcomes. Undesired
state management is an essential component of the TEM framework, as important as threat and error management.
Undesired state management largely represents the last opportunity to avoid an unsafe outcome and thus maintain
safety margins in ATC operations.
1
2 ICAO Circular 314-AN/178
2.2 Threats
2.2.1 Threats are defined as events or errors that occur beyond the influence of the air traffic controller, increase
operational complexity, and which must be managed to maintain the margins of safety. During typical ATC operations,
air traffic controllers have to take into account various contextual complexities in order to manage traffic. Such
complexities would include, for example, dealing with adverse meteorological conditions, airports surrounded by high
mountains, congested airspace, aircraft malfunctions, and/or errors committed by other people outside of the air traffic
control room (i.e. flight crews, ground staff or maintenance workers). The TEM framework considers these complexities
as threats because they all have the potential to negatively affect ATC operations by reducing margins of safety.
2.2.2 Some threats can be anticipated, since they are expected or known to the air traffic controller. For
example, an air traffic controller can use information from the weather forecast to anticipate runway changes or
diversions. Another example is the unreliable quality of high frequency (HF) communications that necessitates the
availability of alternative options.
2.2.3 Some threats can occur unexpectedly, such as pilots carrying out instructions that were intended for
another aircraft as a result of call sign confusion. In this case, air traffic controllers must apply skills and knowledge
acquired through training and operational experience to manage the situation.
2.2.4 Regardless of whether threats are expected or unexpected, one measure of the effectiveness of an air
traffic controller's ability to manage threats is whether threats are detected with the necessary anticipation to enable the
air traffic controller to respond to them through deployment of appropriate countermeasures.
2.2.5 The TEM framework considers threats as actual (threats exist and cannot be avoided) and their
consequences as potential. Unserviceable equipment is one example. Whether primary and/or secondary equipment
fails, or whether equipment becomes unavailable as a result of pre-scheduled maintenance work, it is an actual threat.
The difference is in terms of the potential consequences and the required countermeasures the air traffic controller
employs to manage the threat. If the primary equipment fails unexpectedly, the potential consequences are more serious
than if a secondary system is taken out of service for maintenance. The air traffic controller countermeasures are
different for each scenario (switching from radar separation to procedural separation in the case of an unexpected radar
failure or preparing to work without the secondary system in the second case). If the threat (loss of radar) results in
errors being made and separation being compromised, an undesired state now exists — a product of mismanaged
threats and errors. At such point, a controller forgets about threats and errors, and manages the undesired state. The
point here is that, under the TEM rationale, threats are situations and/or events that cannot be avoided or eliminated by
operational personnel; they can only be managed. This is why TEM adheres to the notion of threat management as
opposed to threat avoidance or elimination. No matter what they do or how much they anticipate the threat, air traffic
controllers can only manage its potential consequences through countermeasures strategies. The definition of threat in
2.2.1 intends to convey this notion: “events...that occur beyond the influence of the air traffic controller... which must be
managed...” It is a fundamental premise of TEM that threats are unavoidable components of complex operational
contexts, which is why TEM advocates management as opposed to avoidance or elimination.
2.2.6 It would be tempting to consider ergonomic deficiencies in equipment design, less than optimum
procedures, and organizational factors in general, as latent threats. However, they are also actual threats. They are
present every day in the work place. Their consequences, however, are potential. Examples of these threats include
equipment design issues in non-frequently used system functions, such as back-up modes or degraded modes, that only
manifest themselves at the time when the system is used in that particular mode. Controllers cannot avoid or eliminate
poor design or clumsily designed procedures (management can, and therein lays the rationale for the Normal
Operations Safety Survey (NOSS) discussed in paragraph 18). No matter how much they anticipate them, controllers
can only deploy countermeasures to manage the damaging potential of such threats.
2.2.7 Threat management is a building block to error management and undesired states management. Archival
data on flight deck operations demonstrates that mismanaged threats are frequently linked to flight crew errors, which in
turn are often linked to undesired states. However, the threat-error-undesired states relationship is not necessarily
ICAO Circular 314-AN/178 3
straightforward and it may not always be possible to establish a linear relationship, or one-to-one linkage between
threats, errors and undesired states. There are two important caveats in the TEM Framework, strictly speaking:
(1) threats can on occasion lead directly to undesired states without the inclusion of errors; and (2) operational personnel
may on occasion make errors when no threats are observable. Furthermore it should be realized that with some threats,
errors or undesired states there may not be a realistic opportunity to manage them.
2.2.8 Threat management provides the most proactive option for maintaining margins of safety in ATC
operations by nullifying safety-compromising situations at their outset. As threat managers, air traffic controllers are
among the last line of defence for minimizing the impact of threats on ATC operations.
2.3 Errors
2.3.1 Errors are defined as actions or inactions by the air traffic controller that lead to deviations from
organizational or air traffic controller intentions or expectations. Unmanaged and/or mismanaged errors frequently lead
to undesired states. Errors in the operational context thus tend to reduce the margins of safety and increase the
probability of an undesirable event.
2.3.2 Errors can be spontaneous (i.e. without a direct link to specific, obvious threats), linked to threats, or part of
an error chain. Examples of errors would include: not detecting a readback error by a pilot; clearing an aircraft or vehicle
to use a runway that was already occupied; selecting an inappropriate function in an automated system; data entry
errors, and so forth.
2.3.3 Regardless of the type of error, its effect on safety depends on whether the air traffic controller detects and
responds to the error before it leads to an undesired state, or if unaddressed, to an unsafe outcome. This is why one of
the objectives of TEM is to understand error management (i.e. detection and response), rather than focusing solely on
error causality (i.e. causation and commission). From a safety perspective, operational errors that are detected in a
timely manner and are promptly countered (i.e. properly managed), and errors that do not lead to undesired states or do
not reduce margins of safety in ATC operations become operationally inconsequential. In addition to its safety value,
proper error management represents an example of successful human performance, presenting both learning and
training values.
2.3.4 Capturing how errors are managed is then as important, if not more, than capturing the relevance of
different types of errors. It is of interest to capture if and when errors are detected, by whom, the response upon
detecting errors, and the outcome of those errors. Some errors are quickly detected and resolved, thus becoming
inconsequential, while others go undetected or are mismanaged. A mismanaged error is defined as one that is linked to
or induces an additional error or undesired state.
2.3.5 The TEM framework uses the “primary interaction” as the point of reference for defining the error
categories. The three basic error categories in TEM are equipment handling errors, procedural errors and
communication errors. The TEM framework classifies errors based upon the primary interaction of the air traffic
controller at the moment the error is committed. Thus, in order to be classified as equipment handling error, the air traffic
controller must be incorrectly interacting with the equipment (i.e. through its controls, automation or systems). In order to
be classified as procedural error, the air traffic controller must be incorrectly executing a procedure (i.e. checklists;
SOPs; etc.). In order to be classified as communication error, the air traffic controller must be incorrectly interacting with
people (i.e. flight crew, ground crew, other air traffic controllers, etc.).
2.3.6 The three basic error categories are not mutually exclusive, nor are they exhaustive. A controller issuing
instructions using non-standard phraseology may be involved in both procedural and communication errors. Equipment
handling errors, procedural errors and communication errors may be unintentional or involve intentional non-compliance.
Similarly, proficiency considerations (i.e. skill or knowledge deficiencies, training system deficiencies) may underlie all
three categories of error. The TEM framework does not consider intentional non-compliance and proficiency as separate
categories of error, but rather as sub-sets of the three major categories of error. In order to avoid adding levels of
4 ICAO Circular 314-AN/178
classification, and focusing upon collecting safety data that managers can act on, the error classification in the TEM
framework is limited to what are considered to be three high-level categories of operational errors.
2.4.1 Undesired states are defined as operational conditions where an unintended traffic situation results in a
reduction in margins of safety. Undesired states that result from ineffective threat and/or error management may lead to
compromised situations and reduce margins of safety in ATC operations. Often considered the last stage before an
incident or accident, undesired states must be managed by air traffic controllers. Examples of undesired states would
include an aircraft climbing or descending to another flight level/altitude than it should or an aircraft turning in a direction
other than flight-planned or directed. Events such as equipment malfunctions or flight crew errors can also reduce
margins of safety in ATC operations. These however are considered to be threats. Undesired states can be managed
effectively, restoring margins of safety, or the air traffic controller's response(s) can induce an additional error, incident,
or accident.
2.4.2 An important learning and training point for air traffic controllers is the timely switching from error
management to undesired state management. An example would be as follows: if after a data entry error it is found that
an aircraft has climbed to a flight level other than it should (undesired state), controllers must give higher priority to
dealing with the potential traffic conflict (undesired state management) rather than correcting the data entry in the
system (error management).
2.4.3 From a learning and training perspective, it is important to establish a clear differentiation between
undesired states and outcomes. Undesired states are transitional states between a normal operational state (i.e. an
aircraft in climb to an assigned altitude) and an outcome. Outcomes, on the other hand, are end states, most notably,
reportable occurrences (i.e. incidents and accidents). An example would be as follows: an aircraft climbing to an
assigned altitude (normal operational state) is re-cleared to another altitude. The flight crew incorrectly reads back the
new assigned altitude as a higher one, but the air traffic controller does not catch the misread readback. The aircraft is
thus climbing to an incorrect altitude (undesired state), which could result in a loss of separation (outcome).
2.4.4 The training and remedial implications of the differentiation between undesired states and outcomes are of
significance. While at the undesired state stage, the air traffic controller has the possibility, through appropriate TEM, of
recovering the situation and returning it to a normal operational state, thereby restoring the required margins of safety.
Once the undesired state becomes an outcome, recovery of the situation without loss of safety margins is no longer
possible. This is not to imply that air traffic controllers would not attempt to mitigate the impact of the outcome, but that
the margins of safety were compromised and must therefore be restored.
2.4.5 Figure 1 presents a graphic summary of the Threat and Error Management framework. It is suggested that
the dotted lines represent paths that are less common than those indicated by the unbroken lines.
3.1 Air traffic controllers must, as part of the normal discharge of their operational duties, employ
countermeasures to keep threats, errors and undesired states from reducing margins of safety in ATC operations.
Examples of countermeasures would include checklists, briefings, and prescribed procedures, as well as personal
strategies and tactics. It is an interesting observation from the flight deck environment that flight crews dedicate
significant amounts of time and energy to the application of countermeasures to ensure margins of safety during flight
operations. Empirical observations during training and checking suggest that as much as 70 per cent of flight crew
activities may be countermeasures-related activities. A similar scenario is likely in ATC.
3.2 Many but not all countermeasures are necessarily air traffic controller actions. Some countermeasures to
threats, errors and undesired states that air traffic controllers employ build upon “hard” resources provided by the
ICAO Circular 314-AN/178 5
Undesired
Threat
state
Threat-linked Spontaneous
crew error crew error
Undesired
state
Undesired state
Resolved/managed management
(diagnosis/recovery)
Crew error-linked
incident/accident
aviation system. These resources are already in place in the system before air traffic controllers report for duty, and are
therefore considered as systemic-based countermeasures. The following would be examples of “hard” resources that air
traffic controllers employ as systemic-based countermeasures:
d) briefings; and
e) professional training.
3.3 Other countermeasures are more directly related to the human contribution to the safety of ATC
operations. These are personal strategies and tactics and individual and team countermeasures that typically include
canvassed skills, knowledge and attitudes developed by human performance training, most notably, by Team Resource
Management (TRM) training. There are basically four categories of individual and team countermeasures:
a) team countermeasures: leadership and the communication environment — essential for the flow of
information and team member participation;
d) review/modify countermeasures: evaluation of plans, inquiry — essential for managing the changing
conditions of a shift.
3.4 In its optimal form, TEM is the product of the combined use of systemic-based and individual and team
countermeasures.
3.5 In summary, the TEM framework captures the dynamic activity of an operational ATC crew working in real
time and under real conditions. The utility of the framework is that it can be applied proactively or retrospectively, at the
individual, organizational, and/or systemic levels.
4.1 In the night of 1 July 2002 a mid-air collision occurred between a Tupolev 154 and a Boeing 757 over the
town of Ueberlingen, Germany. One aircraft was descending to comply with an instruction from ATC; the other aircraft
was descending in response to a Resolution Advisory (RA) from its Traffic Alert and Collision Avoidance System
(TCAS). The aircraft involved were operating in airspace that was delegated by Germany to the Area Control Centre
(ACC) in Zurich, Switzerland. That particular night there was maintenance work being performed on the automated ATC
system of the Zurich ACC and also on the voice communication system between Zurich ACC and other ATC facilities.
4.2 As an example of the retrospective application of the TEM framework the following represents a list (non-
exhaustive) of threats from the controller's perspective that could be identified from the investigation into this mid-air
collision:
ICAO Circular 314-AN/178 7
c) the ATC system was available only in a degraded mode with reduced functionality;
d) no training for working with the ATC system in a degraded mode was provided;
e) a delayed and unexpected flight to a regional airport in the airspace had to be accommodated;
f) a second working position had to be opened in order to handle the flight to the regional airport;
g) there was a technical failure in the back-up phone system (which the controller had to use to
coordinate the in-bound flight with the regional airport);
h) a single-person nightshift culture prevailed at the Area Control Centre (ACC) concerned; and
i) there were blocked simultaneous transmissions in the Radio Telephony (R/T) communication.
4.3 If the outcome of the event had been different (i.e. the aircraft had passed each other or separation had
been maintained) these same threats would still have existed. From a safety management perspective this suggests that
corrective action can and should be taken as soon as threats have been identified (i.e. before any negative outcomes
draw attention to their existence).
5. TEM IN ATC
5.1 When the TEM framework is introduced to operational aviation personnel (air traffic controllers, pilots, etc.)
the common reaction is one of recognition. Operational personnel have been aware of the factors that are considered as
“threats” in the TEM framework almost since the start of their aviation careers. The difference is that this awareness
used to be implicit whereas the TEM framework makes it explicit, principled and therefore manageable. The following
two scenarios are proposed to assist ATC staff in understanding TEM.
5.2 In an ideal context, a generic ATC shift could develop along the following lines:
a) The Air Traffic Controller (ATCO) reports for duty ahead of the official starting time of the shift. The
ATCO checks the daily briefing material available in a well-organized and clear format. Before taking
over the working position from a colleague, the ATCO receives the last update on that day's weather
situation and the technical status of the ATC equipment from the unit supervisor.
b) After plugging in the headset at the assigned working position, the ATCO spends a few minutes just
listening to the communications between the colleague she is replacing and the traffic that the
colleague is handling. The ATCO then indicates to her colleague that she is ready to take over, so the
colleague briefs her on tasks that are pending and the short-term agreements that are in place at that
time with adjacent air traffic control positions.
c) After the ATCO takes over the position and begins communicating with the traffic, her colleague
remains at her side for a few minutes in order to ensure that the handover goes smoothly and nothing
is forgotten. Once the controllers are both convinced that this is the case the colleague leaves to go on
his rest break.
8 ICAO Circular 314-AN/178
d) During the shift the weather remains fine, just as predicted, with a wind from a direction that is fully
compatible with the runways in use. There are no technical problems with the ATC equipment and
there is no maintenance work scheduled that day.
e) The traffic flow is sufficiently challenging to keep the ATCO occupied without overloading her. There
are several complex traffic situations developing during the shift, but the ATCO is able to resolve these
by issuing timely and concise instructions to the pilots concerned who cooperate fully to ensure a safe,
orderly and expeditious flow of traffic.
f) After an hour and a half a relief colleague returns to take over the position from the ATCO. The
colleague listens to the communications and monitors the traffic situation, after which he indicates that
he is ready to take over. The ATCO lets the colleague assume responsibility for the traffic, but stays at
his side for a few minutes to update him on the latest agreements with other control positions and the
tasks that are still pending. Once convinced her colleague is comfortable at the position, the ATCO
leaves the operations room and goes on a break.
g) The ATCO works two further sessions at different working positions after this first break. The traffic is
challenging yet manageable, the weather remains fine as predicted, and there are no technical
problems.
5.3 However, ideal contexts do not exist so this is how a shift could develop in reality:
a) The Air Traffic Controller (ATCO) reports just in time for duty. After arriving in the operations room, the
ATCO goes straight to the position that he is supposed to take over. The ATCO barely has time to
look at the traffic situation and plug in before the colleague walks away from the control position.
b) The traffic situation is complex and quite different from the way the ATCO would like to have it
organized. The ATCO spends some time rearranging the setup of the ATC equipment and discovers
that not all functionality of the automated system is available. Next the ATCO calls an adjacent control
position to arrange the handover of one particular flight, only to be told that a temporary arrangement
was in place for the next two hours with the colleague who covers all such handovers.
c) The meteorology office has forecasted deteriorating weather, but the ATCO is not aware of it since he
did not look at the forecast before taking over the working position. Consequently, the weather change
comes as a surprise, and he is pressed to stay on top of the traffic while adapting to the new situation.
d) After more than two hours with heavy and complex traffic, the ATCO is relieved by a colleague who
plugs in the headset and states that he is assuming responsibility for the position as of that moment.
The ATCO walks away immediately, in order to rest before taking over the next position 15 minutes
later.
e) In the subsequent session the ATCO works a position with little traffic. Due to distraction, the ATCO
misses several initial calls from aircraft and responds only to their second calls. The ATCO also has to
be reminded by colleagues that he needs to transfer traffic to their frequencies but, of course, he
manages to do this well before the sector boundary.
f) After another short break, during which the ATCO attended to some urgent paperwork, he is back on a
position with complex and heavy traffic. While engaged in busy communications with aircraft and other
control positions, a technician arrives and asks if he can start testing the secondary radio channels as
per the maintenance schedule. Since the work is according to a schedule obviously approved by
management, the ATCO agrees reluctantly. Two more technicians appear and they all start working
on the equipment near the ATCO, while he is controlling his traffic.
ICAO Circular 314-AN/178 9
g) The ATCO then notices that the radios are not working properly. He asks the technicians to stop
working and reaches for the emergency radio set. It takes a few moments to select the appropriate
frequencies, but communications can be resumed using the emergency set. The traffic was not
affected by the radio failure and separation was maintained at all times. The technicians undo the
mistake that caused the main radio to fail and, after a few minutes, the ATCO can again communicate
normally.
5.4 Of the scenarios presented above, the second would be the one that most operational air traffic controllers
would identify with more easily. Also, to other persons, the differences between the scenarios will be easy to spot and
the first scenario will appear less realistic than the second one. What may not be immediately apparent however – and
perhaps cannot be emphasized strongly enough – is that even in the second scenario there are few events – if any –
that would be likely to be reported under conventional safety reporting systems. In other words, the second scenario
would be considered a normal shift in most, if not all, Air Traffic Services (ATS) organizations. Yet there are several
elements in the scenario that can affect safety, particularly when they are not managed adequately by the air traffic
controller. These elements are the threats in the TEM framework.
6.1 Threats in ATC can be grouped into the following four broad categories:
c) airborne; and
d) environmental.
6.2 These four categories can be subdivided into other categories as presented in the table below as an
example. Awareness about these threats will assist the deployment of both individual and organizational
countermeasures to maintain margins of safety during normal ATC operations.
7.1 Equipment
Equipment design is a frequent source of threats for ATC. Malfunctions and design compromises are among the
conditions that controllers have to manage to varying degrees during everyday operations. Additional threats under this
10 ICAO Circular 314-AN/178
category include radio communication that is of poor quality, and telephone connections to other ATC centres that may
not always be functioning correctly. Inputs to automated systems may become a threat if the desired input is rejected by
the system and the controller has to find out why the input wasn't accepted and how to remedy the situation. Inadequate
equipment is a threat seen in many ATC facilities around the world. Lastly, a significant threat in ATC is maintenance
work (scheduled or unannounced) concurrent with normal ATC operations. Maintenance activity also may produce
threats that only manifest themselves when the equipment concerned is next put into service.
This category of threats comprises items such as glare, reflections, room temperature, non-adjustable chairs,
background noise, and so forth. A controller's work is more difficult if there are reflections from the room lighting on the
screens. A tower controller may have problems visually acquiring traffic at night if there are reflections from the interior
lighting in the windows of the tower. A high background noise level (i.e. from fans necessary to cool the equipment) may
make it more difficult to accurately understand incoming radio transmissions. Similarly it may make outgoing
transmissions harder to understand for the receiving parties.
7.3 Procedures
Procedures may also constitute threats for ATC. This applies not only to procedures for the handling of traffic, but also to
procedures for internal and external communication and/or coordination. Cumbersome or inappropriate procedures may
lead to shortcuts taken (intentional non-compliance) with the intent to help the traffic but with the potential to generate
errors or undesired states.
Other controllers from the same unit can be a threat as well. Proposed solutions for traffic situations may not be
accepted, intentions can be misunderstood or misinterpreted, and internal coordination may be inadequate. Other
controllers may engage in social conversation, creating a distraction from the traffic, or relief may be late. Other
controllers in the unit may be handling traffic less efficiently than they should and so cannot accept the additional traffic a
controller wants to hand-off to them.
The layout and configuration of an airport can be a source of threats to ATC operations in the tower environment. A
basic airport with just a short taxiway connecting the ramp with the middle of the runway will require ATC to arrange for
backtracking of the runway by most of the arriving and departing traffic. If a taxiway parallel to the runway were
available, with intersections at both ends as well as in between, there would be no requirement for aircraft to backtrack
the runway. Some airports are designed and/or operated in such a way that frequent runway crossings are necessary,
both by aircraft under their own power and by towed aircraft or other vehicles. A taxiway around the runway would be a
solution, provided the aircraft and vehicles concerned use it consistently.
Navaids that unexpectedly become unserviceable (i.e. because of maintenance) can pose a threat to ATC, by creating
changes to procedures or causing inaccuracy in navigation and effecting separation of aircraft. Instrument Landing
ICAO Circular 314-AN/178 11
Systems (ILS) available for both directions of the same runway are another example of this category of threats. Normally
only one ILS is active at any one time, so with a runway change the ILS for the current runway direction may not yet be
activated although controllers are already clearing aircraft to intercept it.
The design or classification of airspace is another potential source of threats for ATC. If useable airspace is restricted it
becomes more difficult to handle a high volume of traffic. Restricted or Danger Areas that are not permanently active
may be a threat if the procedures for communicating the status of the areas to the controllers are inadequate. Providing
an ATC service to traffic in Class A airspace is less open to threats than, for example, in Class E airspace where there
can be unknown traffic that interferes with the traffic controlled by ATC.
Controllers from adjacent units may forget to coordinate traffic, a hand-off may be coordinated correctly but incorrectly
executed, and airspace boundaries may be infringed. A controller from the adjacent centre may not accept a proposed
non-standard hand-off, requiring that an alternative solution be devised. Adjacent centres may not be able to accept the
amount of traffic that a unit wants to transfer to them. There may be language difficulties between controllers from
different countries.
9. AIRBORNE THREATS
9.1 Pilots
Pilots who are unfamiliar with the airspace or airports can pose a threat to ATC. Pilots may not advise ATC of certain
manoeuvres they may need to make (i.e. when avoiding weather) which can be a threat to ATC. Pilots may forget to
report passing a waypoint or altitude, or they may acknowledge an instruction and subsequently fail to comply. In the
TEM framework, an error by a pilot is a threat to ATC.
Controllers are familiar with the normal performance of most aircraft types or categories they handle, but sometimes the
performance may be different to that expected. A Boeing 747 (B747) with a destination close to the point of departure
will climb much faster and steeper than one with a destination that is far away, because of a lighter fuel load. It will also
require a shorter take-off roll on the runway. Some new-generation turboprop aircraft will outperform medium jet aircraft
in the initial stages after take-off. Subsequent aircraft series may have a significantly higher final approach speed than
earlier series. All these differing performance aspects, if not recognized, can pose threats to ATC.
Readback errors by pilots are threats to ATC. (Similarly, a hearback error by a controller is a threat to the pilot.) R/T
procedures are designed with the aim to detect and correct such errors (thus avoiding threats) but in actual practice this
doesn't always work to perfection. Communications between pilots and controllers may be compromised by language
issues. The use of two languages on the same frequency or two or more ATC units sharing the same frequency are also
considered threats under this category.
12 ICAO Circular 314-AN/178
9.4 Traffic
Controllers become accustomed to the normal flow of traffic in their areas and how these are usually handled. Non-
routine aircraft activity such as photo flights, survey flights, calibration flights (navaids), parachute-jumping activities,
road-traffic monitoring flights and banner-towing flights all pose threats to how routine traffic is handled. The earlier a
controller is aware of any additional traffic, the better the opportunity to adequately manage the threat.
10.1 Weather
Weather is perhaps the most common category of threats to all aspects of aviation, including ATC operations. Managing
this threat is made easier by knowing the current weather and the forecast trend for at least the duration of a controller's
shift. For example: changes in wind direction may involve runway changes. The busier the traffic, the more crucial
becomes the timing for a runway change. A controller will plan strategies to make the change with minimal disruption to
the traffic flow. For en-route controllers, knowing areas of significant weather will help to anticipate requests for
diversions. Appropriate knowledge of local weather phenomena (i.e. turbulence over mountainous terrain, fog-patterns,
intensity of thunderstorms) and/or sudden weather occurrences, such as windshear or microbursts, contributes towards
successful weather threat management.
Threats in this category comprise high terrain or obstacles in the controller's area of responsibility. Less obvious threats
can be posed by, for example, residential areas that must not be overflown below certain altitudes or during certain
hours. At some airports runway changes are mandatory at specified times of day for environmental reasons.
11.1 Section 2.3 discusses errors from the perspective of the TEM framework. This section furthers the
discussion, and provides specific examples of errors in air traffic control from the perspective of TEM. One of the
premises in TEM is that perspectives on errors as portrayed by traditional views on human error do not properly reflect
the realities of operational contexts. Operational personnel in ultra-safe industries, of which aviation is a perfect
example, do not adopt courses of action merely by choosing between a good and a bad outcome. Rather they adopt
courses of action that seem to be the best in the light of their training, experience and understanding of the situation.
They make sense of the operational context in which they are immersed, based upon cues and clues provided by the
context of the situation. Only afterwards, when the result of such attempt at making sense is known (the outcome), is it
possible to suggest, with the benefit of hindsight, that a different view would probably have resulted in a more desirable
outcome.
11.2 In cases where the outcome was an undesirable one, the attempt at making sense leading to that outcome
is usually classified as an “error”. This can only be done when the outcome is known (which is not the case when the
deliberation took place) and when additional information about the context of the situation is available (which was not
available to the people attempting to make sense of the prevailing operational conditions) that suggests another course
of action may have been more appropriate than the one taken.
11.3 What is stated in the previous paragraphs about generic decision errors applies similarly to equipment
handling errors, procedural errors and/or communication errors. When the equipment is handled, the procedure is
applied or the communication takes place, the people involved are convinced that what they're doing is the best thing (or
ICAO Circular 314-AN/178 13
at least the correct thing) to do in that situation. It is not until afterwards that it is possible to see that perhaps the
equipment should have been handled differently, or that another procedure should have been applied, or that the
communication was not adequate.
11.4 The question that begs answering thus becomes: “why was this additional information not available to the
controller at the time of the event?” Among the various answers, one that is relevant to TEM is that they were not
actively engaged in the identification of threats. Threats are such an integral and embedded part of the operational
context that they are routinely handled without a second thought. Through extended exposure to a threat-rich
environment, operational personnel have learned to live with threats as normal components of operational contexts. Yet,
for all the existing “normalization” of threats, mismanaged threats continue to hold their full safety-damaging potential.
11.5 Under TEM, a threat is not a problem in and of itself, but it could develop into one if not managed properly.
Not every threat leads to an error, and not every error leads to an undesired state, yet the potential is there and should
be recognized. For example, visitors in an ATC operations room are a “threat”: their presence in itself is not a dangerous
situation, but if the visitors engage in discussions with the ATC crew or otherwise distract them, they might lead the
controller to make an error. Recognizing this situation as a threat will enable the controllers to manage it accordingly,
thereby minimizing or preventing any distraction and thus not allowing the safety margins in the operational context to be
reduced.
11.6 Specific examples of errors in air traffic control from the perspective of TEM are included hereunder. The
list is illustrative and not comprehensive.
Equipment handling errors — Radar usage: selecting an inappropriate radar source; selecting an
inappropriate range; not selecting the correct mode (SSR on/off, mode C
on/off).
— Checklists: items missed; checklist not used or used at the wrong time.
12.1 The notion of undesired states is unique to the process of monitoring safety in normal operations. An
undesired state is transient in nature – it exists only for a limited period of time, after which the undesired state becomes
an outcome (that is, either a resolved or managed situation, an incident or an accident). Conventional safety data
collection systems become active only after an outcome is classified as potentially consequential to safety, i.e. after an
incident or accident has taken place, or some infringement of regulations, procedures, or instruction has occurred.
Nothing can be done to change an outcome, for an outcome is an end-state.
12.2 During normal operations monitoring, there is often an opportunity to observe a situation evolving in real
time where there is a difference in the way the controller expects the traffic to develop and the way in which it actually
develops. There are opportunities for the controller to identify this divergence and take corrective measures to avoid an
unwanted outcome before margins of safety are compromised. The time between the provoking threat or error and the
application of corrective measures (or the absence thereof) can be considered the lifespan of the undesired state. An
undesired state is often the first indication to a controller that an earlier threat or error was not adequately managed.
a) Aircraft taxiing when/where it should stop; aircraft stopping when/where it should continue taxiing;
b) Aircraft entering a taxiway that it shouldn’t use; aircraft not entering a taxiway that it should use;
d) Aircraft making a pushback from the gate when it should hold; aircraft holding at the gate when it
should be pushing back; and
e) Aircraft vacating the runway at a position other than where it should; aircraft not vacating the runway
at the position where it should.
a) Aircraft not turning when it should; aircraft turning when it should not; aircraft turning in direction other
than that flight-planned;
b) Aircraft climbing/descending to another flight level/altitude than it should; aircraft not climbing or
descending to the flight level/altitude where it should;
c) Aircraft not reaching the required flight level/altitude at the time/point when/where it should;
d) Aircraft flying to another waypoint/position than where it should; aircraft not flying to the
waypoint/position where it should; and
13.1 The first step in the process of managing threats is threat identification. As an example, a meteorological
office that provides regular weather forecasts already constitutes a way to understand bad weather as a threat. Likewise,
a controller may ask aircraft about wind (direction and speed) at a certain altitude or level, to be able to provide more
accurate radar vectors.
13.2 A further step is to share real-time information about the existence of threats with other controllers. To use
an example of “aircraft performance”, when observing the climb performance of a B747 with a destination relatively close
to the departure airport the tower controller could alert the departure controller to the fact that the B747 is climbing faster
than average. Passing information about differing wind speeds and directions at different altitudes from one controller to
the next is another example of sharing knowledge about threats.
13.3 In the case of “environment” being a threat, managing it can be made easier for controllers if the high
terrain or obstacles are depicted on the radar map. This applies as well for residential areas that must be avoided for
noise abatement purposes below certain altitudes or during certain hours. If these areas can be presented on the radar
map when necessary, controllers will be able to manage the threat more adequately.
13.4 At the individual level, threats can also be managed by keeping track of the number of threats that are
present at any given time. The more threats there are at the same time, the more reason there may be to adjust the
operation as it is being carried out at that moment.
13.5 As a general rule, it could be said that the greater the lead-time between threat identification and when the
threat manifests itself, the better the chance that the threat will be adequately managed. Briefings about expected survey
flights, photo flights, road-traffic control missions, etc. will enable including this traffic in the planning. Without a briefing,
such additional workload may come as a surprise and could disrupt the operation.
13.6 The following table shows threat and error countermeasures for ATC:
COUNTERMEASURE DESCRIPTION
Team Climate
Planning
Execution
Flight strip management Flight strips are properly organized and updated to keep
track of traffic developments
Review/Modify
Note.— Managing error is discussed in Doc 9758, Human Factors Guidelines for Air Traffic Management
(ATM) Systems.
Situation: A Boeing 737 (B737) was given an interception heading for the ILS but failed to intercept the localiser. An
Airbus 320 (A320) on the opposite base leg was descending to the same altitude as that of the B737 and the lateral
distance between the two a/c rapidly became less as a result of the B737 continuing on its interception heading.
The controller noticed the B737 crossing the localiser, instructed it to turn right to intercept and also instructed the
A320 to turn right to avoid the B737. The pilot of the A320 reported visual contact with the B737 throughout the
manoeuvring.
Undesired state: B737 not intercepting the localiser and continuing on heading; distance between aircraft rapidly
diminishing.
Undesired state management: additional instructions to both aircraft by controller after detection of deviation.
Situation: A Boeing 747 (B747) was rolling out on the runway after landing. On the parallel taxiway another B747 was
approaching the rapid exit taxiway where the landing aircraft would vacate the runway and was told by Ground
Control to hold short of that intersection. The Tower (TWR) controller informed the B747 on the runway that the
other aircraft would give way, and told the pilot to “keep it rolling, and after vacating contact Ground on 121.7”. This
was acknowledged, after which the B747 was observed to continue taxiing on the runway to the next rapid exit
taxiway. This meant that the runway was occupied by the B747 for longer than the controller had anticipated. The
TWR controller had to instruct a DC10 on short final to make a go-around.
Threats: conflicting aircraft working on different frequencies; misinterpretation of TWR instruction by landing B747 crew.
Undesired state: B747 continuing on the runway to a more distant rapid exit taxiway with a DC10 on short final.
Situation: To expedite departures the traffic was distributed over three different intersections near the beginning of the
runway. When the TWR controller wanted to clear an ABC B737 that was lined up at the very beginning of the
runway for take-off, he noticed that an Airbus 310 (A310) was entering the runway in front of the ABC B737 from
another intersection. The A310 had not received any instructions from the TWR to do so. When the A310 had
checked in on the TWR frequency, they were told to “hold short” and this had been acknowledged by the crew.
Since the A310 had already crossed the “clearance line” (painted yellow marking on the intersection), the TWR
decided to let the A310 depart ahead of the ABC B737. It later was established that the A310 crew had
misinterpreted information from Ground Control that was given earlier and on another frequency, i.e. “in sequence
behind XYZ B737”; when the A310 crew saw the XYZ B737 taking-off (before the ABC 737) they took that as their
cue to line up on the runway.
Threats: use of multiple intersections; use of the phrase “in sequence” by Ground Control; misinterpretation by A310
crew; failure of the A310 crew to comply with the “hold short” instruction from TWR.
Undesired state: A310 entering the runway without instruction/clearance from TWR.
Undesired state management: movement of A310 detected by TWR controller; change made in order of departure
sequence.
Situation: The last aircraft of a series of inbounds on the main landing runway was cleared for a circling approach to the
departure runway and had received its landing clearance. There was no outbound traffic for the departure runway at
that time. While the controller became involved in a social conversation with the ground controller and an assistant
controller, an outbound aircraft was transferred by ground to tower and subsequently cleared for take-off from the
departure runway. The circling aircraft had not landed yet, however. After a few moments the controller looked
outside and noticed the aircraft on final for the departure runway while the outbound aircraft was lining up. The
18 ICAO Circular 314-AN/178
controller asked the outbound aircraft to expedite, and told the circling aircraft that there would be a departure in
front. The pilot of the circling aircraft acknowledged the information and said that they had the departing traffic in
sight. The departing aircraft got airborne before the landing aircraft crossed the threshold.
Threat: the controller became involved in a social conversation with the ground controller and an assistant controller
(Distraction/Underload).
Error: the controller cleared the outbound aircraft for take off when there was traffic on final (with a landing clearance).
Undesired state: both aircraft were cleared to use the runway at the same time.
Undesired state management: when the controller looked outside he realised he'd made an error. He considered
instructing the aircraft on final to make a go-around, but in view of the position of both aircraft relative to the runway
and the prevailing strong wind at the time he judged that the departing traffic could be gone in time to allow the
inbound aircraft to complete its landing. Consequently he asked the outbound to expedite because of traffic on final.
He also provided information about the situation to the inbound aircraft.
Situation: At time 0350 the area controller received coordination from an adjacent centre on a Boeing 767 (B767)
estimating waypoint XYZ at 0440 Flight Level (FL) 370, negative Reduced Vertical Separation Minima (RVSM). This
information was correctly written on the scratchpad, however FL350 was entered into the electronic label. (FL370
and the time 0350 were written close together on the scratchpad). A handover/takeover occurred at the working
position and shortly afterwards the adjacent centre called the new controller with an amended estimate for XYZ. The
controller read back the new estimate and FL350. The adjacent centre informed the controller that the B767 was at
FL370. The controller confirmed this level with the adjacent centre. Shortly afterwards the Controller noticed that he
had an Airbus 330 on a converging route at FL380 and instructed that aircraft to climb to FL390. This was done
after coordinating with the adjacent centre and instructing them to tell the B767 to descend to FL350.
Threats: non-RVSM aircraft in RVSM airspace; similar digits written in close proximity on the scratchpad; data entry
error (wrong FL) by the first Controller; position handover/takeover; amendment of the estimated time.
Undesired state: aircraft at another FL than it should be (i.e. from the second Controller's perspective).
Undesired state management: the FL anomaly was detected as a result of strict adherence to standard coordination
procedures (threat management strategy) at the time the amended estimate was coordinated. The Undesired
State was managed by climbing the A330 and instructing the adjacent centre to descend the B767.
Situation: Moderate to high level of traffic worked over a 45-minute period, followed by a reduction in traffic to a low
level. At this point, the data (planner) position was combined into the radar position thereby reducing the sector
staffing to a single controller. A minimal sector briefing was carried out between controllers. Shortly after assuming
control for the entire sector, the single controller noticed a discrepancy between the aircraft’s altitude and what had
been coordinated with the next sector. He subsequently coordinated with the sector to pass the revised altitude
information.
ICAO Circular 314-AN/178 19
Threats: low workload; combining of two positions into one; single person operation; minimal briefing.
Error: incorrect altitude coordinated with the next sector. (N.B. If this error was made by the controller who went away
after combining the positions it would become a threat for the remaining controller.)
Undesired state: aircraft at other altitude than that coordinated with the next sector.
Undesired state management: the controller coordinated the correct altitude with the next sector.
Situation: A group of eight aircraft on an oceanic airway transitioned from non-radar airspace into radar coverage. The
aircraft ranged in altitude from FL300 to FL370 and there were approximately 40 Nautical Miles (NM) between the
first and last aircraft. Two aircraft were subsequently given the same altitude (FL320) and were spaced by
approximately 13 NM (5 NM required). Estimates were passed to the next sector and the initiating controller asked if
the receiving controller wanted speed restrictions placed on the aircraft to ensure the required spacing was
maintained. This was declined despite the receiving controller's comments that while he would be able to radar
monitor the aircraft, he would be unable to communicate directly with them due to frequency coverage limitations.
Just as the first B747 was to exit the first controller’s airspace, the B747 reported “encountering moderate
turbulence and reducing speed to Mach .84”.
Threats: transition from non-radar to radar airspace; same FL assigned to two aircraft; receiving controller declining
speed restrictions; frequency coverage limitations; speed reduction by first B747.
Undesired state: aircraft with higher speed following slower aircraft at the same FL and same route creating the
potential for an overtake situation in an area where neither controller may have been able to communicate with the
aircraft.
Undesired state management: the first controller issued a climb to the second B747 to FL 330 (the only available
altitude) and effected proper coordination with the next sector.
Material used by one Air Traffic Services Provider (ATSP) in a TEM training programme for its ATC officers is available
at www.icao.int/anb/safetymanagement/Documents.html. This material was produced before this circular, so differences
in definitions may occur. More recent material from another ATSP for a TEM training programme, based on the contents
of this circular, can also be accessed at this website. ATC training departments are encouraged to use this material
together with this circular to design a suitable TEM training package for their environment.
16.1 The distinction between the different categories of threats may be trivial to operational controllers: the
reality is that threats exist and need to be managed during everyday shifts. Training managers, on the other hand, may
20 ICAO Circular 314-AN/178
wish to note which categories of threats are being addressed in the curriculum for their unit (although they're most likely
not presented as threats in the training). Some of the threats are often addressed in a less formal way, i.e. as anecdotal
information during on-the-job training.
16.2 An example is the airport with basic layout where backtracking of the runway is required for movements.
Controllers working at that aerodrome will have received specific training (in the classroom, in the simulator or on-the-
job) to enable them to control the traffic correctly, and they will be used to managing the threat. Nevertheless, every
backtracking aircraft poses a threat to the ATC operation and needs to be managed by the controllers.
16.3 From the perspective of an ATC safety manager, it is relevant to know how this particular threat is
managed by the controllers on a day-to-day basis. Are they able to manage it without any significant problems or are the
difficulties involved in managing it so common that they go unreported? In the case of the former, there may be no
requirement for the safety manager to take specific action. In case of the latter there obviously is a need for safety
management action. The question then becomes: how can a safety manager know what threats exist in the operations
of the unit and how these threats are being managed?
Safety managers of an increasing number of airlines have embraced a tool called the Line Operations Safety Audit
(LOSA). LOSA is a tool for the collection of safety data during normal airline operations. Specifically, LOSA is a tool
used to collect information on threats that pilots of the airline have to face in everyday operations, how these threats are
managed, what errors may result from the threats and how the crews manage these errors. After the information from
LOSA observations is processed, the airlines have a clear overview of the strengths and weaknesses of their flight
operations with respect to threats, errors and undesired states encountered by their crews in normal operations. This is
a category of safety information that is not available through any other methods.
Note.— Guidance material on LOSA is provided in Line Operations Safety Audit (LOSA) (Doc 9803).
18.1 Following the successful implementation of LOSA by a number of airlines, ICAO is pursuing the
development of a similar tool for the monitoring of safety in normal ATC operations. The name for this tool is Normal
Operations Safety Survey (NOSS). Although NOSS is modelled after LOSA, it is a unique tool with unique
characteristics, tailored for the ATC environment.
18.2 In its anticipated form, NOSS will entail over-the-shoulder observations during normal shifts and will not be
applied in any training situations. The programme will require joint sponsorship from management and the association
representing air traffic controllers. All participation will be voluntary and data collected will be de-identified and treated as
confidential and not for disciplinary purposes. NOSS will use a standard observation form, trained and standardized
observers, trusted data collection sites, and a data “cleaning” process. In addition, it will spell out targets for safety
enhancement and provide feedback to participating controllers.
18.3 The idea behind NOSS is to furnish the ATC community with a means for providing robust data on threats,
errors and undesired states to safety managers. Analysis of NOSS data, together with safety data from conventional
sources, should make it possible to focus the safety change process on the areas that need attention the most.
18.4 The methodology of NOSS is explained in Doc 9910, Normal Operations Safety Survey (NOSS).
ICAO Circular 314-AN/178 21
Human Factors Guidelines for Air Traffic Management (ATM) Systems (Doc 9758)
Human Factors Training Manual (Doc 9683)
Line Operations Safety Audit (LOSA) (Doc 9803)
Normal Operations Safety Survey (NOSS) (Doc 9910)
Safety Management Manual (SMM) (Doc 9859)
— END —