Safety Analysis Tool for Automated Airspace Concepts (SafeATAC)

Safety Analysis Tool for Automated Airspace Concepts (SafeATAC)
31st Digital Avionics Systems Conference, Williamsburg, VA, October 2012
Metron Aviation, Inc.: Arash Yousefi, Ph.D., Richard Xie, Ph.D., Shubh Krishna
GMU: John Shortle, Ph.D., Yimin Zhang
NASA Ames Tech Monitors: David Thipphavong, Dr. Heinz Erzberger

Motivation
- Various NextGen automation concepts are proposed to provide increased levels of airspace capacity by:
  - reducing human workload
  - increasing airspace capacity
  - enhancing safety at higher levels of traffic density
- Different concepts propose:
  - varying levels of automation
  - different system architectures (i.e. centralized vs. distributed)
  - different roles/responsibilities for human operators (ATC vs. pilot vs. automation)
- Two types of SA system architecture:
  - Centralized: Automated Airspace Concept, i.e. Advanced Airspace Concept (AAC)
  - Distributed: Automated Flight Rules, i.e. Automated Flight Rules (AFR)
- System-level safety-capacity analysis is needed to guide decision makers in selecting capacity-enhancing concepts that maintain the target level of safety

Objective
For selected NextGen concepts:
- Establish safety-capacity trade-off relations
- Perform phase transition analysis to understand the conditions under which the system should transition from maintaining high capacity to maintaining safety
- Sensitivity analysis to identify critical points of failure and required redundancies
- Safety-driven methods for concept design & refinement:
  - Required reliability measures of system components? (e.g. required Mean Time to Failure for onboard automated separation software)
  - Optimal system architecture? (e.g. required redundancies and safety nets)

Basic Definitions in our Safety Modeling
- System = Automated Separation Assurance (SA) System
- System mission = Provide Separation Services
- System failure = System fails to prevent a conflict
- Initiating event = There exist at least two aircraft with conflicting 4DTs
- Conflict = Loss of Separation (LOS), Near Mid-Air Collision (NMAC), or Mid-Air Collision (MAC)
(Risk-management process shown on the slide: Describe System -> Identify Hazards -> Analyze Risk -> Assess Risk -> Treat Risk)

Advanced Airspace Concept (AAC)
- Transmit aircraft state (position, velocity, flight plan) to the central (ground) host
- Detect conflicts and generate resolutions at the central host
- Transmit conflict resolutions from the central host to the pilot
Reference: Erzberger, H., 2009, Separation Assurance in the Future Air Traffic System, 2009 ENRI International Workshop on ATM/CNS, Mar. 5-6.

Automated Flight Rules (AFR) ConOps
- Transmit aircraft state vector (position, velocity, intent) and flight plan via ADS-B
- Detect conflicts and generate resolution options onboard for AFR flights
- The AFR pilot relies on onboard automation for CD&R
Onboard conflict resolver (figure on the slide):
- Inputs: all aircraft (IFR, AFR) state vectors (position, speed) via ADS-B In; all aircraft planned trajectories via ADS-B In; RTA at the TRACON boundary, if any, issued by the ATS via CPDLC; ownship aircraft state vector; right-of-way rules; airline/aircraft efficiency considerations (i.e. fuel, winds aloft, etc.)
- Output: a conflict resolution (CR) as a horizontal or vertical maneuver or speed adjustment, passed to the flight crew and FMS; the desired resolution action is broadcast via ADS-B Out
Reference: Wing, D., and M. Ballin, 2004, Pilot in command: A feasibility assessment of autonomous flight management operations, 24th International Congress of the Aeronautical Sciences.

Calculation of Conflict Probability
Pr{Collision} = Pr{Aircraft on course for conflict} x Pr{Collision | Aircraft on course for conflict}
- Part I, Pr{Aircraft on course for conflict}: assumes no conflict resolution; establishes the safety-capacity relationship; estimated from simulation runs (e.g. FACET)
- Part II, Pr{Collision | Aircraft on course for conflict}: analyzes the effect of intervention by AAC and AFR; computed with SafeATAC

Simulation runs to estimate conflict rate
Conflict types considered here:
  Conflict type                         Lateral   Vertical
  Loss of separation (LOS)              5 NM      1000 ft
  Critical loss of separation (CLOS)    1.1 NM    100 ft
  Near mid-air collision (NMAC)         500 ft    100 ft
  Mid-air collision (MAC)               100 ft    30 ft
- Conflict rates provided through NAS simulators (e.g. FACET)
- Flight trajectories simulated using FACET with 1.5x traffic schedule
- Direct routes flown, no conflict resolution
- Two cases: great circle routes, airway routes
- 50 simulation replications, varying departure times
- Conflict detection for sectors in Chicago center
Reference: Belle, A., J. Shortle, A. Yousefi, and R. Xie, 2012, Estimation of Potential Conflict Rates as a function of Sector Loading, 5th International Conference on Research in Air Transportation (ICRAT 2012), Berkeley, CA, May.

Part II - SafeATAC
- Model system-level events that lead to CD&R failure or success
- Model the functional events that lead to events in the DET
- Model how components work together to perform a function
- Model how component performance changes over time
References:
- Yousefi, A. and R. Xie, 2011, Safety-Capacity Trade-off and Phase Transition Analysis of Automated Separation Assurance Concepts, 30th Digital Avionics Systems Conference (DASC), Seattle, WA, October 16-20.
- Xie, R. and A. Yousefi, 2012, Safety Analysis of Primary and Secondary Conflicts for Automated Airspace Concepts, 12th AIAA Aviation Technology, Integration, and Operations (ATIO) Conference, Indianapolis, IN, September.

Dynamic Event Tree (DET) for AFR
Strategic Timeframe -> if failed -> Tactical Timeframe -> if failed -> TCAS Timeframe -> if failed -> Pilot See-and-Avoid Timeframe -> if failed -> Conflict realized

Fault Tree Layer (figure on the slide: the Dynamic Event Tree with an example of the Fault Trees attached to its events)

Reliability Block Diagram (figure on the slide): the function "Airborne ASAS to detect a potential conflict" is built from the blocks "Source of conflicting flight's positions" and "Source of ownship's positions"

Component Modeling
- Each component is modeled over time as being in one of two states: functional or non-functional
- Transition probabilities per time step: P_ww (stays functional), P_wn (functional to non-functional), P_nw (non-functional to functional), P_nn (stays non-functional)
- User's input:
  - Hardware: P_wn is a constant
  - Software: P_wn or P_nw is a function of time
  - Pilot: P_wn or P_nw is a function of time
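The two-state component model above, combined with the series/parallel blocks of the Reliability Block Diagram slide, as an added Python example (not code from the presentation or from SafeATAC, which is a Matlab tool). The transition probabilities used for the ASAS detection RBD are constructed placeholders; the second ownship-position block and its parallel arrangement are an assumption made for illustration.

```python
from typing import Callable, Sequence, Union

# A transition probability is either a constant (hardware) or a function of
# the time step (software, pilot), as on the "Component Modeling" slide.
Rate = Union[float, Callable[[int], float]]

def _at(p: Rate, t: int) -> float:
    """Evaluate a transition probability at time step t."""
    return p(t) if callable(p) else p

def working_probability(p_w0: float, p_wn: Rate, p_nw: Rate, steps: int) -> float:
    """Two-state (functional / non-functional) Markov model of one component.
    p_w0: probability of being functional at time 0; p_wn: per-step
    functional -> non-functional probability; p_nw: per-step
    non-functional -> functional probability (P_ww = 1 - P_wn, P_nn = 1 - P_nw).
    Returns the probability the component is functional after `steps` steps."""
    w = p_w0
    for t in range(steps):
        w = w * (1.0 - _at(p_wn, t)) + (1.0 - w) * _at(p_nw, t)
    return w

def steady_state_working(p_wn: float, p_nw: float) -> float:
    """Long-run functional probability for constant rates (hardware case)."""
    return p_nw / (p_wn + p_nw)

def series(ps: Sequence[float]) -> float:
    """RBD series: the function is available only if every block is."""
    out = 1.0
    for p in ps:
        out *= p
    return out

def parallel(ps: Sequence[float]) -> float:
    """RBD parallel (redundancy): available if at least one block is."""
    out = 1.0
    for p in ps:
        out *= 1.0 - p
    return 1.0 - out

def removed_component(steps: int) -> float:
    """Removing a component from the model, as in the slides' experiments:
    initial failure probability 1 and P_nw = 0, so it is never functional."""
    return working_probability(0.0, 0.0, 0.0, steps)

def asas_detection_available(steps: int) -> float:
    """Availability of 'Airborne ASAS to detect a potential conflict': a
    traffic-position source in series with an ownship-position source, the
    latter assumed here to be two redundant (parallel) blocks. All rates are
    constructed placeholder values, not data from the slides."""
    traffic = working_probability(1.0, 1e-3, 0.0, steps)   # ADS-B In, hardware
    gnss = working_probability(1.0, 5e-4, 0.0, steps)      # hardware, constant P_wn
    inertial = working_probability(1.0, lambda t: 2e-4 * (t + 1), 0.0, steps)  # time-dependent
    return series([traffic, parallel([gnss, inertial])])
```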

Safety Analysis Tool for Automated Airspace Concepts (SafeATAC) Workflow
- Inputs: Event Tree, Fault Tree, Reliability Block Diagram, Component Reliability Data, Conflict Rate
- SafeATAC outputs: Safety-Capacity Analysis; Full Factorial Analysis (sensitivity of overall system safety to individual component reliability metrics)
- Feedback loop: 1. Revise System Design; 2. Revise Component Reliability
Reference: Yousefi, A., R. Xie, and S. Krishna, 2012, Safety Analysis Tool for Automated Airspace Concepts (SafeATAC) User Manual, Metron Aviation Technical Report to NASA Ames Research Center, Rep # NNH09ZEA001N, July.

SafeATAC: Specifying Input Files
- DET Structure (CD&R Stages)
- Fault Tree
- Reliability Block Diagram
- Component Reliability Data
- Conflict Rate

SafeATAC Interactive Visualization
- Dynamic Event Tree plot: click an event (e.g. Event 1.2.2) to show its event description
- Click to see the Fault Tree diagram
- Click to reveal the Reliability Block Diagram

Automatic Report Generation: click on the menu item to start the analysis and generate the report

Automatic Report Generation: HTML Report Sample View 1

Automatic Report Generation: Report Sample View 2

Experimental Results
Experimental results for alternative system architectures of AAC and AFR:
1. Safety-Capacity analysis and Phase Transition for different ConOps
2. Safety net analysis
3. Impact of strategic and tactical CD&R on overall system safety within AAC and AFR
4. Full Factorial Analysis to identify safety-critical components
5. Transitional phases in implementation of AAC
6. Secondary conflict within distributed separation assurance

S-C Tradeoff for the Baseline (plot on the slide): Prob(NMAC / Flight), from 0 to 1.4e-9, versus Flight Count per 15 minutes per sector, from 0 to 80

Safety Performance of AFR Baseline Case
- Pr{Conflict Not Resolved | Trajectory Conflict} = 3.77 x 10^-8
- Decomposed into each timeframe:
  CD&R Timeframe        CD&R failure probability
  Strategic ASAS        3.24 x 10^-5
  Tactical ASAS         5.48 x 10^-2
  TCAS                  2.26 x 10^-2
  Pilot See-and-Avoid   0.938
- 99.9% of conflicts will be solved by Strategic ASAS!
- Pilot See-and-Avoid is the least effective means for CD&R

System Characteristics: Phase Transition (plot on the slide): Prob(NMAC / Flight), from 0 to 2.0e-9, versus Flight Count per 15 minutes per sector, from 0 to 80, for a performance change in the transponder; three curves: Baseline, TRN Failure = 1e-3, TRN Failure = 1e-5

Safety Sensitivity Curve to Effectiveness of ASAS Strategic CD Software (plot on the slide): Prob(NMAC Not Resolved) on a log scale from 1e-4 down to 1e-22, versus ASAS Strategic Detection Software Transition Probability, from 0.00 to 0.70

Impact of TSAFE or AR on overall System Safety within AAC
- Baseline safety level is 1.98 x 10^-8, given a trajectory conflict
- Experiment 1: TSAFE is removed from the baseline AAC model, by setting the initial failure probability to 1 and the probability of transitioning from non-working to working to 0
  - Safety level becomes 3.6 x 10^-8
  - Risk almost doubled (same order of magnitude)
- Experiment 2: AR is removed from the baseline AAC model
  - Safety level becomes 2.22 x 10^-7
  - Risk is 12 times worse than the baseline
- Other factors that can be changed: length of the strategic and tactical time frames; time step size of each time frame; performance of the components in each CD&R system

Impact of ASAS on overall System Safety within AFR
- Baseline safety level is 1.46 x 10^-7, given a trajectory conflict
- Experiment 1: ASAS Tactical Resolution is removed from the baseline AAC model, by setting the initial failure probability to 1 and the probability of transitioning from non-working to working to 0
  - Safety level becomes 3.94 x 10^-7
  - Risk almost tripled
- Experiment 2: ASAS Strategic Resolution is removed from the baseline AAC model
  - Safety level becomes 1.32 x 10^-6
  - Risk is 9 times worse than the baseline
- Factors in play include: length of the strategic and tactical time frames; time step size of each time frame; performance of the components in each CD&R system
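The DET for AFR chains its timeframes so that a conflict is realized only if every timeframe fails. The following added Python (not code from the presentation or from SafeATAC) computes that product-form decomposition from the per-timeframe failure probabilities on the "Safety Performance of AFR Baseline Case" slide, recovering the 3.77 x 10^-8 figure, and applies the stage-removal experiment of the two "Impact of ..." slides (a stage's failure probability forced to 1). The risk ratios on those slides come from the full time-stepped SafeATAC model, so this simplified product does not reproduce them; the 0.01 conflicts per flight used at the end is a constructed value.

```python
from functools import reduce
from operator import mul
from typing import Dict

# Per-timeframe CD&R failure probabilities for the AFR baseline, copied from
# the "Safety Performance of AFR Baseline Case" slide. A later timeframe is
# reached only if every earlier one has failed.
AFR_BASELINE: Dict[str, float] = {
    "Strategic ASAS": 3.24e-5,
    "Tactical ASAS": 5.48e-2,
    "TCAS": 2.26e-2,
    "Pilot See-and-Avoid": 0.938,
}

def p_not_resolved(stage_failure: Dict[str, float]) -> float:
    """Pr{conflict not resolved | trajectory conflict}: every stage must fail,
    so the DET end state is the product of the stage failure probabilities."""
    return reduce(mul, stage_failure.values(), 1.0)

def resolved_share(stage_failure: Dict[str, float]) -> Dict[str, float]:
    """Fraction of trajectory conflicts resolved at each stage: a stage only
    sees the conflicts that all earlier stages let through."""
    shares, reach = {}, 1.0
    for name, f in stage_failure.items():
        shares[name] = reach * (1.0 - f)
        reach *= f
    return shares

def without_stage(stage_failure: Dict[str, float], name: str) -> Dict[str, float]:
    """Safety-net removal experiment: the named stage always fails."""
    out = dict(stage_failure)
    out[name] = 1.0
    return out

def risk_ratio(stage_failure: Dict[str, float], name: str) -> float:
    """How many times worse Pr{not resolved} becomes when `name` is removed."""
    return p_not_resolved(without_stage(stage_failure, name)) / p_not_resolved(stage_failure)

def p_nmac_per_flight(conflicts_per_flight: float, stage_failure: Dict[str, float]) -> float:
    """Part I x Part II from the 'Calculation of Conflict Probability' slide:
    the simulated conflict rate times the probability the SA system fails."""
    return conflicts_per_flight * p_not_resolved(stage_failure)

if __name__ == "__main__":
    print("Pr{not resolved | conflict} =", p_not_resolved(AFR_BASELINE))
    for stage, share in resolved_share(AFR_BASELINE).items():
        print(f"  {stage:20s} resolves {share:.6%} of conflicts")
    print("without Tactical ASAS: x", risk_ratio(AFR_BASELINE, "Tactical ASAS"))
    print("Pr{NMAC / flight} at 0.01 conflicts/flight (constructed):",
          p_nmac_per_flight(0.01, AFR_BASELINE))
```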

FFA to Identify Safety-Critical Components
- Fractional Factorial Analysis (FFA)
- Sparsity-of-effects principle: a system is usually dominated by single-factor effects or two-factor interactions
- Based on that principle, FFA is conducted using a subset of all factors to analyze system behavior
- In one FFA example, the following components are chosen: ASAS Detection Software, ASAS Strategic Resolution Software, ASAS Intent-based Tactical Resolution Software, ASAS State-based Tactical Resolution Software, and Mode A/C/S Transponder
(Figure on the slide: two design cubes over the factors SSR (+/-) and Transponder (+/-) around the Baseline, contrasting "vary one parameter at a time" with a "full factorial" design over the design points x1 to x8)

FFA Results
- Increasing the reliability of the Strategic Resolution Software by 10x increases system safety by about 8x
- Increasing the reliability of other components by 10x (and associated component pairings) has little effect on overall safety

Safety Analysis of Transitional Phases in Implementation of AAC
- A transitional phase bridges the current operation and a future ConOps
- Current operations are:
  - Controller in charge of CD&R in the strategic timeframe
  - In the tactical timeframe: URET detects, controller resolves
  - Safety level: 1.45 x 10^-7, given a trajectory conflict
- An example of a transitional ConOps is:
  - Controller still in charge of strategic CD&R
  - In the tactical timeframe: TSAFE detects and resolves
  - Safety level: 1.49 x 10^-7, given a trajectory conflict
- AAC Baseline safety level: 1.98 x 10^-8
- AR improves safety by more than 8-fold

Secondary Conflict in Distributed Separation Assurance
- Possible failure of intent sharing causes sidewalk conflicts in AFR (secondary conflict)
- A hypothetical AFR model contains perfect intent sharing between flights
- Perfect intent sharing eliminates the sidewalk conflict and increases the probability of resolving the primary conflict
  Probabilities        Baseline (with secondary conflict)   AFR w/o secondary conflict
  CD&R Success         0.9999997514                         0.99999985385
  Secondary Conflict   1.024e-7                             0

Summary
- Developed a tool in Matlab to facilitate safety analyses (SafeATAC)
- SafeATAC capabilities:
  - User-friendly interactive model implementation (i.e. DET, fault trees, reliability block diagrams & component reliability modeling)
  - Safety-capacity trade-off relations
  - Phase transition analysis when transitioning from maintaining high capacity to maintaining safety
  - Sensitivity analysis to identify critical points of failure and required redundancies
- Sample experiments:
  - Impact of strategic and tactical CD&R on overall system safety for both AAC and AFR: removing strategic CD&R has a much larger effect on decreasing safety levels
  - Full Factorial Analysis to identify safety-critical components
  - Transitional phases in implementation of AAC: adding TSAFE improves safety by more than 8-fold
  - Secondary conflict within distributed separation assurance: risk was small

Future Work
- Modeling component reliability as a function of traffic load and complexity (i.e. ADS-B jamming as a function of traffic load)
- Modeling risk factors that distinguish centralized and distributed systems (e.g. roll-call interrogation capability for centralized)
- Verification and Validation (V&V) of SafeATAC models
- Safety analysis of UAS integration in the NAS

Questions?