Automation and Product Liability Insurance

At the recent AGM of the International Union of Aerospace Insurers (IUAI) in Bengaluru in June 2015, as part of the product liability panel, we gave a presentation of the future new technologies within the SES (Single European Sky-SESAR programme) and the capabilities of these technologies to change the current allocation of risk and liability among the various operators in the aviation sector. In particular, some of the most important technologies which will be implemented once SES comes into operation were examined in an attempt to understand whether such technologies will change the current position with regards allocation of responsibility and subsequently insurance obligations.

It is clear that such an analysis was carried out when the issue at hand concerns a defective product in the aviation sector.

Therefore, after looking at some of the new technologies such as SWIM and ACAS X, two accidents of relevance to our study were presented, since the accidents occurred following a defect in the technology adopted or a failure to use adequate technology available at the time of the accident. Moreover, as we will see from the Courts’ decisions, it was established that more up-to-date technology existed at the time of both accidents and therefore the lack of more adequate technology in preventing the accidents in question could be considered one of the causes. Examining previous accidents was a way for us to consider whether in future the use of more sophisticated technology, which undoubtedly will increase air traffic safety, will be able to reallocate responsibility and also insurance obligations.

The first technology under examination is the SWIM programme

The continuous increase of international air travel and as a result higher aviation capacity demands clearly means that all air traffic management stakeholders will rely more than ever before on accurate, consistent and timely information. For the air traffic management system and its peers to operate to their full potential, pertinent information needs to be available where and when required.

Current air traffic information management systems are composed of a wide variety of legacy systems and applications developed over time for specific purposes and various users most notably –

  • Pilots – taking off, navigating and landing the aircraft
  • Airport Operations Center –managing departures, surface movements, gates and arrivals
  • Airline Operations Center – building schedules, planning flight routes and fuel uplift, ensuring passenger connections and minimizing the impact of delays
  • Air Navigation Service Providers (ANSPs) –organizing and managing airspace over a country and with Air Traffic Services – managing air traffic passing through their airspace
  • Meteorology Service Providers – providing weather reports and forecasts
  • Military Operations Center – planning missions, blocking airspace to conduct training operations, fulfilling national security tasks

Today’s systems are characterised by many customised communication protocols, each with its own self-contained information systems: on board the aircraft, in the air traffic control center, at the airline operation center and at the military operation center. Each of these interfaces is fullycustom designed, developed, managed and maintained individually and locally. These individual systems are inefficient and no longer meet the requirements of today’s air traffic information management. To improve safety and efficiency such critical information should be organized and provided through flexible means that support system-wide interoperability, ensuring seamless information access and information exchange.

Therefore, the next generation air traffic information management will offer a System Wide Information Management, in short SWIM.

SWIM could be best described as the future internet of air traffic management information.The concept of SWIM implies a complete change of how information is managed amongst its peers across the whole ATM system.The next generation information system is about moving from a ‘product-centric’ approach where data is typically locked up in applications and duplicated from application to application to a ‘net- centric’ (AIM) approach where data is decoupled from applications via open standard exchange models and this data freely moves between applications. SWIM significantly improves the information sharing process via an instant web-based system which includes the following data:

  • Aeronautical – Information resulting from the assembly, analysis and formatting of aeronautical data
  • Flight trajectory – the detailed route of the aircraft defined in four dimensions (4D), so that the position of the aircraft is also defined with respect to the time component.
  • Airport operations – the status of different aspects of the airport, including approaches, runways, taxiways, gate and aircraft turn-around information.
  • Meteorological – information on the past, current and future state of earth’s atmosphere relevant for air traffic’.
  • Air traffic flow – the network management information necessary to understand the overall air traffic and air traffic services situation.
  • Surveillance – positioning information from radar, satellite navigation systems, aircraft datalinks, etc.
  • Capacity and demand

SWIM covers all air traffic management information and provides the same information at the same time to all parties. Aircraft operators will have up-to-date, accurate and integrated information for flight planning and aircraft operation while ATM service providers will have a better knowledge of flight intentions for operational and planning purposes. Therefore, all peers will share a common situational awareness with regard to the status and condition of the aeronautical infrastructure, the weather, the air traffic situation and other relevant flight management information.

SWIM greatly benefits safety because all parties will share access to the same, consistent, and accurate flight information. Greater automation of ATM will allow air traffic controllers to focus more on monitoring and contingency planning which will reduce human error factors, especially data entry errors.

The next technological system examined was the ACAS X and in particular the ACAS Xawhich is set to be the replacementfor TCAS II.

ACAS X – the future of airborne collision avoidance

The next generation Airborne Collision Avoidance System ACAS X is a family of systems for Large Commercial Aircraft (Xa), Unmanned Aircraft Systems (Xu) and General Aviation (Xp).

The systems are under development by MIT Lincoln Laboratory (Massachusetts Institute of Technology). It is funded by FAA and has been ongoing since 2008. The expectation is that ACAS X MOPS, Minimum Operational Performance Standards, will be developed by 2018 and that ACAS X may be operational before 2025.

The abbreviations ACAS and TCAS can be confusing but it is actually the same system. ACAS is the name used by manufacturerswhereas Air Traffic Controllers and pilots prefer to talk about TCAS and they will continue to do so in the future.

TCAS was developed to reduce the risk of mid-air collisions between aircraft

On August 31, 1986, a mid-air collision occurred in California, involving an Aeromexico DC-9 and a small Piper aircraft carrying a family of three. The DC-9 was descending toward Los Angeles International Airport in clear skies, flying at 6,500 feet. The Piper hit the DC-9’s tail, causing both aircraft to fall from the sky. The accident resulted in the deaths of all 67 people aboard the two planes, as well as 15 people on the ground.

As a result of this accident, U.S. became the first ICAO member state in 1993 to mandate carriage of an airborne collision avoidance system for passenger carrying aircraft in its airspace. Aircraft with 10 to 30 seats were required to have TCAS I which provided traffic advisories (TA’s) to alert crew of conflicting traffic. Aircraft with more than 30 seats were mandated to have TCAS II which provides both traffic advisories and resolution advisories (RA’s) which directs pilots to climb, descend or level off.

In 2003 (after 10 years), all passenger and cargo aircraft were required to have TCAS II. Today, we have approximately 25,000 TCAS II equipped aircraft world-wide. The system is manufactured by three U.S. manufacturers.

 

A successful but old system

 

TCAS II has proved to be very effective and it has resolved nearly all of the critical near mid-air collisions involving TCAS equipped aircraft. However, TCAS cannot handle all situations.

The TCAS system relies solely on transponders and it will not detect any non-transponder equipped aircraft or aircraft with an inoperative transponder. It is also dependent on the accuracy of the threat aircraft’s reported altitude and on the expectation that the threat aircraft will follow the TCAS Resolution Advisory (RA). TCAS II, though, is an old system and to make it safer the software has gradually been updated since the 1980s. The latest upgrade that is available is TCAS II version 7.1 (the reasons behind the upgrade are explored below).

Why develop ACAS X?

Air traffic congestion is likely to double in the next 20 years and more capable systems are being introduced in Aviation and Air Traffic Management through programs like SESAR and NextGen. TCAS II is not compatible with the new operational concepts that both SESAR and NextGen plan to implement as it would generate too many alerts. ACAS X would mitigate these alerts.

More efficient and optimized use of separation minima or spacing between aircraft is needed for an efficient flow of traffic when traffic increases. ACAS X will be designed to meet such requirements. The increased traffic requires a new system logic and integration of sensor data from several sources to timelyidentify potential collision risks both on the vertical and lateral planeand notify the pilot.

Which are the key differences between TCAS II and ACASX in future implementation?

 

  1. The collision avoidance logic: TCAS II issues alerts against a potential threat on the basis of time of closest approach and projected miss distance. ACAS X collision avoidance is based on dynamic programming. The computer calculates the minimum manoeuvre to avoid Resolution Advisories, ie, the computer finds the safest and the most efficient way to avoid RAs.

 

  1. Sources of surveillance data: TCASreliessolely on transponder-based surveillance but ACAS X will be able to incorporate satellite-based navigation and advanced ADS-B functionality, radar, infrared and electro-optical surveillance systems. Through integration of sensor data from several sources the pilot will timely identify potential collision risks both on the vertical and lateral plane.

 

  1. The Air Traffic Controller will see the RAs on their screens which is not the case today.

 

Which are the anticipated benefits of ACAS X?

 

ACAS X is expected to reduce risk of collisions and to minimize unnecessary advisories which shouldreduce pilot workload.

 

The system will allowa reduction in spacing between aircraft and enable aircraft to fly the safest and most economical way.

 

Shorter software update cycles are expected to reduce implementation costs.

 

ACAS X is planned to extend collision avoidance to General Aviation and Unmanned Aircraft Systems.

 

There will be minimal changes for pilots and controllers to switch from TCAS II to ACAS X. ACAS X will use the same hardware (antennas, processors and displays) as the current TCAS II system and the same range of Resolution Advisories as in TCAS II version 7.1. ACAS X will also only issue RAs in the vertical plane and not trigger alerts when the aircraft is close to ground.

 

Finally, it is important to point out that the pilot is still responsible for avoiding collisions and the controller is still responsible for the separation of aircraft!

 

The Überlingen accident of 2002

Having looked at two of the currently most significant technologies, two accidents which happened in the past will be examinedin detail from the technological and legal point of view, in order to identify the current position of the jurisprudence regarding product liability issues.

On the night of July 1st, 2002 a mid-air collision occurred over Überlingen in Germany between a Tupolev TU-154M aircraft chartered to operate for Bashkirian Airlines (BAL) travelling from Moscow to Barcelona and a Boeing 757-200 freighter operated by DHL Airways Flight 611, travelling from Bergamo to Brussels.

Following are the most significant facts of the civil claim procedure for product liability in the case. The TCAS II systems installed issued Resolution Advisory (RA) to both aircraft. The Tupolev received an initial RA to climb while the DHL B757 received an initial RA to descend.The DHL B757 aircraft followed the RA and started its descent. However, the Tupolev 154 had received prior instructions from an air traffic controller (ATC) at the Zurich Air Traffic Control Centre to descend, and followed the instructions of the ATC, disregarding the RA issued by TCAS II.

What is also key in this case is that the conditions and opportunity for a reversal RA were met many times during the 23-second window before the collision. Despite this, the TCAS II system on board the two aircraft did not issue a reversal RA. This resulted in the two aircraft continuing to advance towards one another, approaching at the same altitude.

In the criminal proceedings following the accident, the organizational weaknesses were highlighted. However, the judges did not find intentional criminal activity, but pointed out that the convicted ATCOs employees and managers had an opportunity to remedy known safety measures, but failed to do so. In the civil judgement for product liability, concluded in Barcelona in 2012, the malfunction of the TCAS II version 7 was stressed.

Three defects in the TCAS II product were alleged against the designers and manufacturers  as  producer, designer, distributor and seller of the TCAS:

  1. The system did not invert the RAs due to reasons that were intrinsic to the system; furthermore, the device did not comply with the minimum requirements established by the FAA;
  2. The TCAS Pilots Manual did not clearly indicate that priority to TCAS orders that must be given in the event of conflicting orders: FAA regulations at the time indicated that “RA” warnings from TCASs were obligatory. In the event of a conflict between an RA and an ATC order, as was the case, the crew must always follow instructions from the TCAS (therefore a manufacturer’s omission).
  3. Design was faulty, despite the fact that there was a software update already available to correct the problems of version 7, as also stated by Eurocontrol (therefore a designer omission).

In assessing the legal basis in the ruling against the designer and manufacturer of TCAS II, the Court found that the delay in processing information was a TCAS II malfunction – if the system had been able to refresh data every second (bearing in mind the 23-second window available before collision),  the reversal RA could have been issued and the accident could have been avoided, thereby opportunities were lost to give the pilots correct and updated instructions.

The omission of the designer lies in the architecture of the software and the design of the hardware of the TCAS II system, Version 7, which did not meet the minimum standards and was thus considered defective. The omission of the manufacturer was attributed to the fact that it was aware of defects but did not adopt the necessary measures to resolve them (the same legal conclusion, albeit with different facts, was reached in the Linate case).

At the Court of Appeal in Barcelona, the Court experts’ investigation showed that the potential for an accident had been predicted in 2000 as it was affirmed that the absence of a reversal RA was a factor that had contributed to another serious accident in Yaizu (Japan) in 2001, shortly before the mid-air collision in Überlingen. The Court concluded that the Überlingen accident and the other incidents could have been avoided with the installation of the upgraded version 7.1 of TCAS II.

In its concluding remarks, the Court found that the poor functioning of the Zurich Air Traffic Control Centre was not the final cause of the collision and the conduct of the Tupolev crew was foundnot negligent with no evidence in this regard (no vicarious civil liability).

They stated that a reversal RA would undoubtedly have prevented the accident and therefore the responsibility was exclusively that of the designer and manufacturer. If the TCAS had not been installed, the air traffic controller would have prevented the collision, despite giving the order very late, because the Tupolev would have descended and the Boeing would have continued at the altitude it was at. The Court stated:  “the final and actual cause of the airplane accident in Überlingen was the TCAS II system and its defects”.

The Milan- Linate accident of 2001

The second accident under examination refers to the Scandinavian Airlines Flight 686 – Cessna Citation CJ2 Accident at Milan-Linate Airport, which occurred on 8th October, 2001 where the Scandinavian Airlines aircraft collided during take-off with the Cessna Citation CJ2 business jet.

The accident happened on a very foggy day with visibility of less than 200m and the events surrounding the accident included the incursion of the Cessna business aircraft in a runway designated for commercial airlines, the airport was operating without a ground radar system on that day, the audio was often distorted and unclear due to technical problems in the R/T, the runway signs were inadequate – the signs were old (written in ICAO standard font) and no longer in use at the airport, but still present and visible on the taxi lines. Moreover, the Cessna was allowed to land, even though aircraft and pilot were not licensed to operate in the airport. Again, in the criminal judgment omissive action this time due to inadequate technology was cited, whereas both the ATCOs and managers of Italian ANSP were found criminally liable.

In the Court of First Instance in Milan in 2004, several crimes of omission in the implementation of adequate technology and safety measures were found by the Court, and were identified as follows: the CEO of the Italian ANSP was liable because the old radar system had been deactivated, and the new radar system had not been put into operation; the ATCOs because they had failed to identify the correct position of the Cessna jet and finally, the Linate-Malpensa Airport Directors (employees of CAA) because they had failed to ensure that the Italian ANSP and other bodies had all necessary safety measures in place throughout the airport. At the Court of Appeal in Milan in July 2006, the outcome was quite different.

The Court confirmed that the accident was the result of technology omission and declared that the accident was caused by a lack of an operative radar system (responsibility of the ANSP), human error (the Cessna pilots and ATCOs) but the ultimate cause of the accident was the failure by Italian ANSP to use new technology (ground radar system) at the airport.

According to the Court’s ruling, had the radar system been in operation, the Court held that there would have been approximately a 100% probability of avoiding the accident and in light of this probability, the Court of Appeal acquitted the Airport Directors, declaring that the non-use of the necessary technology was the fundamental cause of the accident.

 

Conclusion

When looking at the product liability insurance implications for the future, it is clear that NextGen ATM systems and new technology will improve safety and automation will reduce (but not entirely eliminate) the human error factor.Furthermore, new technology may also create new risks for human errors.However, with new technology liability risks will change, where manufacturer product liability risk might increase and operator liability risk might decrease. This will call for new insurance solutions for the airline industry, considering potential financial losses caused by system malfunctioning and the insurance industry must prepare itself to address ever-changing insurance implications and scenarios.

Cyber security will be a high risk category for next Gen ATM

A high risk area of highly interoperable and inter-connected air traffic management systems is cyber security. System-wide information management will extend flight data and information to aircraft and actors in the system.Consequently, data and information becomes ahighrisk factor within the system. Aircraft, airports and ATC will rely on SWIM-based flight management data and information. Data and information security will be more critical to guarantee flight safety in next generation ATM. System-wide data exchange increases vulnerability for cyber attacks. Cyber security and risk assessment methodologies used for flight safety must now include cyber risks. Frequency and severity of cyber-related losses might increase in the future. A great challenge for next generation ATM systems is to find the right balance between performance, safety and security.

In 2014, the Ponemon Institute assessed the impact of a cyber attack against the GPS systems of a major US airline resulting in a grounding of the aircraft fleet. This scenario implied cyber security could cost USD 1.35Bn per year (1).

Current standard aviation hull and liability policies do not address cyber risks. Generally, they do not provide coverage for Non-BI or Non-PD type claims.

Product Liability Insurance

Software malfunctioning, aircraft hacking or flight data spoofing are high risk areas ofsystem or component manufacturers of next generation ATM technology. Breach of flight data integrity and security is a main threat. Flight safety risks associated with malfunctioning software or erroneous flight data increases as a result of digitalization and automation. Products liability risks resulting from new technologies are corresponding and will be extended.

Standard Aviation Product Liability Insurance provide coverage for legal liability resulting from bodily injury or property damage caused by an occurrence arising out of the products hazard in connection with the aviation business or operations.

The proximate cause for an accident might be a cyber event or cyber activities might be one causal factor in a multiple causes event. Under current standardpolicies no coverage is provided for non-occurrence cyber events.

Whilst no specific cyber risk cover is provided, standard wordings also do not have specific cyber risk exclusions. Main exclusions under aviation products liability insurance are malicious acts and acts of sabotage.No defense exists currently for manufacturers and suppliers for non-malicious cyber events. Another IT related exclusion is the date change recognition exclusion, the so-called millennium clause.

Automation will create new demand for insurance solutions. Financial losses as a result of airspace closures, aircraft groundings, cancellations, delays and diversions might increase. Operators might seek to transfer the financial risk to insurers.

One of the challenges and opportunities for the insurance market might be linked to new threats and interests in the aviation industry, such as

  • Damage to digital assets i.e. data and programs
  • Non-physical business interruption and extra expenses
  • Reputational risk
  • Cyber extortion
  • Privacy Liability
  • Confidentiality Liability
  • IT Liability
  • Regulatory fines, costs and expenses
  • Crisis management costs, including notification expenses, forensic expenses, public relations costs, credit monitoring and other assistance costs

It remains to be seen whether current legislation will evolve with improving technology, whether liability will be increasingly channelled to a single liable party such as the operator or system user, and if strict liability will apply to the liable party, whether a limited liability cap will be established with limitations on the amount of compensation.

 

 

 

 

 

[(1) Ponemon Institute LLC: “Cyber Catastrophes: Understanding the Risk and Exposure” P&C Insurers Association of America, 2014]

 

Facebooktwittergoogle_plusredditpinterestlinkedinmail