Accident risk assessment for advanced ATM


H.A.P. Blom, G.J. Bakker, P.J.G. Blanker, J. Daams, M.H.C. Everdij and M.B. Klompstra
National Aerospace Laboratory NLR, PO Box 90502, 1006 BM Amsterdam
E-mail: blom@nlr.nl

Abstract

By now, safety is recognised as a key quality on which to select/design advanced ATM concepts, even when capacity and efficiency are the drivers of the development. The safety target is often described as equal or better in comparison with existing practice, allowing a large freedom in how safety is expressed, let alone measured. In effect, new CNS/ATM concept developments are typically accomplished without the use of feedback from appropriate safety assessments. ATM concept design teams (e.g. of Free Flight, or 4D-ATM) try to realise capacity-efficiency enhancements by exploiting new technology, changing human controller roles and introducing new procedures, while relying on the established safety-related indicators in ATM such as conflict rates and types, workload of human operators and failure rates and effects of technical systems. ATM, however, is the result of complex interactions between multiple human operators, procedures and technical systems, all highly distributed. This yields that providing safety is more than making sure that each of the ATM elements functions properly safe; it is the complex interaction between them that determines safety. The assessment of isolated indicators falls short in covering the complex interactions between procedures, human operators and technical systems in safety-critical non-nominal situations. In order to improve this situation, this paper outlines a novel probabilistic risk assessment methodology which has specifically been developed for application to ATM. In addition, this paper presents risk assessment results which have been obtained with this approach for two en-route streams of RNP1 equipped traffic flying in opposite direction within two conventional ATM concepts and two airborne separation assurance based concepts. These results illustrate that our new methodology supports safety-based ATM design.

I. INTRODUCTION

ATM is the result of complex interactions between human operators, procedures and technical systems (hardware and software), all highly distributed. Providing safety is more than making sure that each of these elements functions properly safe. The complex interactions between the various elements of ATM significantly determine safety. Therefore it is imperative to understand the safety impact of these interactions, particularly in relation with non-nominal situations.

Traditional ATM design approaches tend first to design advanced ATM that provides sufficient capacity, and next to extend the design with safety features. The advantage of this approach is that ATM developments can be organised around the clusters of individual elements, i.e. the communication cluster, the navigation cluster, the surveillance cluster, the automation tools cluster, the HMIs, the advanced procedures, etc. The key problem is that safety effects stay unclear. A far more effective approach is to try to design an ATM system that is inherently safe at the capacity level required. From this perspective, safety assessment should be one of the primary filters in ATM concept development. An early filtering of ATM design concepts on safety grounds can potentially avoid that a costly development programme turns out ineffective, or that an even more costly implementation programme fails. Although understanding this idea is principally not very difficult, it can only be brought into practice when an ATM safety assessment approach is available that provides appropriate feedback to the ATM designers already at an early stage of the concept development (figure 1).

[Fig. 1. Safety feedback based ATM design. Blocks: ATM design; Safety / Capacity Assessment.]

This feedback should not only provide information on whether the design is safe enough, it should also identify the safety-capacity bottle-necks. By now, consensus is building that appropriate ATM safety modelling approaches are needed to understand the mechanisms behind designing advanced ATM. It is also recognised that, once such an ATM safety modelling approach is available, a safety feedback based design approach of future ATM will become feasible (Haraldsdottir et al., 1997; Odoni et al., 1997; EVAS, 1998).

Safety is a general notion, which is typically studied from one of three different perspectives:

- Safety perception (e.g. by pilot, controller, passenger, human society, etc.). An ATM design that is perceived as being unsafe will not easily be accepted by the humans involved. Fact is that a positive perception about the safety of an ATM design is an implementation-critical requirement. By its very nature, however, safety perception is a subjective notion, and therefore insufficient to really approve safety-critical changes in ATM.
- Dependability of a technical system (e.g. of a computer program, an aircraft navigation system, a satellite based communication system, etc.). Dependability metrics are definitively objective. They are widely studied in literature (e.g. Randell, 1995; DAAS, 1995). However, they have been developed to cover technical systems only (e.g. SAE, 1994, 1995; EATCHIP, 1996), and not the human operators and procedures of ATM (Klompstra and Everdij, 1997).
- Accident risk (e.g. for 1st, 2nd and 3rd parties in air transport) metrics definitively are objective and are commonly in use for other human controlled safety-critical operations such as chemical and nuclear industries (Royal Society, 1983). Two well known ICAO adopted accident risk metrics are for collision of an aircraft with another aircraft during en-route phase, or with fixed obstacles during landing. A recent review of various accident risk metric possibilities in air transport is given in (Moek et al., 1997).

In view of the ATM safety assessment needs, the accident risk perspective has the best joint characteristics: 1) It implies the use of objective risk metrics, 2) It has proven its usability to human controlled safety-critical operations, and 3) It is supported by ICAO. As such, in this paper ATM safety will be considered from an accident risk perspective, with emphasis on risk of collision between two aircraft.

For air traffic the fatal accident risks should be of the order of 10^-7 to 10^-10 per aircraft flight hour. To develop some feeling of the difficulty to assess such rare events, it is quite helpful to understand why the well known fast time simulators like NASPAC, RAMS or TAAM fall short for that purpose. One major shortcoming of these tools is that they are not really capable of modelling the aviation safety-critical combinations of non-nominal events, they often do not even model the single non-nominal events. Another major shortcoming is that an accident rate of, say, 10^-9 per aircraft flight hour can not in a practically reasonable way be reached through a straightforward simulation, since this would require a simulation of 10^10 aircraft flight hours. This problem is well illustrated by the ATM safety iceberg (figure 2). To assess a catastrophic accident rate, one really needs to decompose the risk assessment problem into an effective hierarchy of simpler conditional assessment problems, where simplicity means an appropriate combination of scope (e.g. volume of airspace) and depth (i.e. level of model detail) at each conditional assessment level. Indeed, tools like TAAM apply to assessments that address a broad scope in combination with a low level of non-nominal detail.

[Fig. 2. ATM safety iceberg. Assessment approaches: accident risk modelling, dependability modelling, fast-time simulation, real-time simulation. Events: catastrophic accidents (10^-9 /fl.hr.), technical failures (10^-4 /fl.hr.), ATCo actions (10 /fl.hr.), pilot actions (100 /fl.hr.).]

In general, the accident risk assessment problem has been widely studied for other safety-critical operations, such as the nuclear and chemical industries, and for these applications, numerous techniques and tools have been developed. In order to take maximal advantage of this existing body of knowledge, we made a thorough study of the applicability of these techniques to accident risk assessment in air traffic (Everdij et al., 1996a). A large variety of techniques has been identified, varying from qualitative hazard identification methods such as Preliminary Hazard Analysis (PHA), Common Cause Analysis (CCA) and Failure Mode and Effect Analysis (FMEA), through static assessment techniques such as Fault Tree Analysis (FTA) and Event Tree Analysis (ETA), to dynamic assessment techniques such as Petri net and Markov chain modelling,

dynamic event trees, etc. (Aldemir et al., 1994). Each of these techniques has advantages and disadvantages, but these appear to be minor in comparison to what is required for modelling ATM related risk. The key finding is that the established techniques fail to support a systematic approach towards modelling stochastic dynamical behaviour over time for complex interactions of highly distributed ATM (see figure 3).

[Fig. 3. Potential fatalities and distribution level of ATM and other safety critical activities. Axes: potential fatalities (tens, hundreds, thousands); localised interactions, distributed interactions, highly distributed interactions.]

The established techniques would therefore force one to adopt a rather heuristic type of argumentation in trying to capture the complex interactions inherent to ATM. The basic ATM safety assessment needs have already been identified in (Blom, 1992b). This finding motivated the development of an adequate safety assessment approach within a project named TOPAZ (Traffic Organization and Perturbation AnalyZer). The scientific basis for this was the idea to explore a stochastic analysis framework (Blom, 1990) which supports stochastic models where both discrete and continuous variables evolve over continuous time, possibly affected by probabilistic disturbances, and the knowledge that this framework would be sufficiently general to properly model and evaluate ATM safety problems.

In the mean time, from parallel conducted studies on advanced ATM it became crystal clear that without an appropriate accident risk model it would be difficult to ever manage a cost-effective design of advanced ATM. In these studies three complementary perspectives have been considered: 1) the selection of route structures perspective (Blom and Bakker, 1993), 2) a stochastic dynamical game perspective (Blom et al., 1994) and 3) an ATM overall validation perspective (Blom et al., 1995). The accident risk assessment results obtained through stochastic analysis studies have initially been exploited for an RLD/LVB project towards the assessment of accident risk for staggered landings on converging runways (Bakker et al., 1995; Everdij et al., 1996c). All this contributed to the development of both the TOPAZ assessment methodology, and a growing suite of TOPAZ tools. In this paper, emphasis is on the former, for the reason that an effective usage of the suite of tools requires firm background in the novel methodology.

Recently, by a joint effort of Eurocontrol and FAA, in collaboration with some key developers of aviation risk assessment tools, an overview has been produced that outlines the relevant approaches currently in development and/or in use for the safe separation assessment of advanced procedures in air traffic (Cohen et al., 1998). In addition to TOPAZ, four other collision risk directed approaches, ABRM, ASAT, ICAO's Collision Risk Model (CRM) and RASRAM (Sheperd et al., 1997), have been identified and reviewed; TOPAZ appeared to be most advanced in going beyond established approaches.

This paper is organised as follows. Section II gives an overview of the methodology. Next, section III outlines the principles of the underlying stochastic dynamical framework. Section IV presents for several RNP1 example scenarios the results of TOPAZ based risk assessments. Section V gives concluding remarks on the methodology. The paper ends with references and acronyms.

II. THE TOPAZ METHODOLOGY

The TOPAZ methodology has been developed to provide designers of advanced ATM with safety feedback following on a (re)design cycle. An illustrative overview of how such safety feedback is obtained during a TOPAZ assessment cycle is given in figure 4.

[Fig. 4. TOPAZ assessment cycle. Drawings include a hazard list (aircrew overload, crew hindrance, pilot reaction too late, pilot ignores conflict, crew disagreement, reduced visibility, ...) and a plot of risk (in accidents/flight hour) versus route spacing S (in km), with legend: TLS (Eurocontrol), without ATC, current ATC, initial Free Flight, extended Free Flight.]

During such assessment cycle two types of assessments are sequentially conducted: first a qualitative safety assessment (illustrated by the upper drawings in figure 4), and then a quantitative safety assessment (illustrated by the middle and lower drawings in figure 4).

The qualitative assessment starts with a systematic gathering of information about nominal and non-nominal behaviour of the concept design considered, concerning the human roles, the procedures, the technical systems, etc., and with involvement of all relevant experts. For the gathering of non-nominal information, explicit use is made of structured hazard identification sessions with a variety of experts, and hazard data bases. The resulting list of identified potential hazards is subsequently analysed using established qualitative hazard analysis techniques in order to identify the safety-critical encounter scenarios and associated hazards, to select one or more of those safety-critical encounter scenarios for quantitative safety assessment, and to develop a modular system engineering type of representation of the ATM design (see upper right corner of figure 4). Such modular representation is easily recognisable and understandable for ATM designers, thus supporting an effective communication between ATM designers and safety analysts.

From this point on, the TOPAZ assessment cycle continues with the quantitative phase, which is based on stochastic modelling, stochastic analysis and numerical evaluation. First, an appropriate stochastic dynamical model instantiation is developed in an iterative way and with verification against the results of the qualitative safety assessment phase. Next, the accident risk is assessed for this stochastic dynamical model, and the safety criticalities are identified. Finally, these results are fed back to the designers (see lower left corner of figure 4).

In order to form a natural balance between the creative mode of the designers and the critical mode of the safety analysts, we have identified a definitive need for the safety analysts to use a conservative approach when adopting assumptions during the risk analysis. Obviously, the design team need not always agree with these conservative assumptions and should be aware that a negative outcome of a conservative assessment cycle does not mean that the design is unsafe; it just means that sufficient safety has not been proven during that cycle. This natural balance between designers and safety analysts means that both parties should be open to accept each others views as being of mutual use. Conservatism could be reduced by refining the instantiated stochastic dynamical model on the appropriate issues identified by the designers. For the designers it could even be more effective to relax potential safety criticalities through redesign, rather than awaiting a potential TOPAZ modelling based improvement.

Underlying to a TOPAZ cycle there is a stochastic analysis framework, which allows to distinguish the following five activities:

a. Develop a stochastic dynamical model for the situation considered,
b. Where necessary develop appropriate cognitive models for human operators involved,
c. Perform the stochastic analysis necessary to decompose the risk assessment,
d. Execute the various assessment activities (e.g. through Monte Carlo simulation, numerical evaluation, mathematical analysis, or a combination of these),
e. Validation of the risk assessment exercise.

More details on these five activities are given below.

a. Develop a stochastic dynamical model

The aim of this development is to represent for the selected encounter scenarios the results from the qualitative safety assessment in the form of a Stochastic Differential Equation (SDE) on a hybrid state space. The reason to aim for such SDE representation is twofold: 1) It provides a very widely applicable class of causal models for stochastic dynamical situations such as in ATM, and 2) It allows the exploration of powerful mathematical tools from the theory of stochastic analysis (e.g. Elliott, 1982; Davis, 1984; Blom, 1990). Unfortunately, the direct identification of the SDE model would be very complicated for most ATM situations. In addition to a very large state space of the corresponding SDE, there are many interactions between the many state components. This asks for a systematic approach to develop an SDE instantiation for such complex situations. Such approach has been introduced through the development of a specific type of Petri Net (Everdij et al., 1997b; Everdij and Blom, 1998), to which we refer as Dynamically Coloured Petri Net (DCPN). Through a DCPN instantiation an SDE instantiation can be done systematically while the result is transparent. Once a DCPN instantiation has been completed, the result defines an SDE on a hybrid state space. Obviously, a logical part of the DCPN instantiation is to verify the resulting DCPN against the information that is gathered during the qualitative safety assessment phase.

b. Cognitive human modelling

When assessing ATM safety, a key role is played by procedures, human operators, and their responsibilities. At present, the view on human reliability has shifted from a context-free error centred approach, in which unreliability is modelled through failures of human information processing, towards a contextual perspective in which human

actions are the product of human internal states, strategies and the environment. By now, it is a widely accepted belief (Amalberti and Wioland, 1997; Hollnagel, 1993; Bainbridge, 1993) that for the modelling of the human the established Human Reliability Analysis (HRA) techniques fall short for complex situations, and that one should rather aim for contextual performance models that are based on generally-applicable human cognition and responsibility principles. It should also be noticed that the in HRA widely used skill-, rule- and knowledge-based errors (Reason, 1990) essentially fall short to pay proper respect to, for example, situations where the operator chooses to let an even more urgent problem receive attention when the subjectively available time is short or when high workload causes one to make quick decisions, without bothering excessively about the quality of those decisions. It should be noticed that these effects are inextricably bound up with human flexibility and the ability of humans to deal with unforeseen situations. When assessing ATM safety, it is necessary to take these aspects of human performance into account. The main benefits expected from contextual models is that they provide better feedback to designers and that they remove the need to use overly conservative individual submodels for relevant operator actions that may blur understanding of how safety is achieved in ATM.

In order to develop appropriate models for this, mathematicians and psychologists are jointly developing high-level models of cognitive human performance, through a sequence of studies (e.g., Biemans and Daams, 1997; Daams and Nijhuis, 1998). At this moment this collaboration has led to a novel contextual human task-network model, which is formulated in terms of a DCPN, and which effectively combines the cognitive modes of Hollnagel (1993) with the Multiple Resources Theory of Wickens (1992), the classical slips/lapses model (Reason, 1990) and the human capability to recover from errors (Amalberti and Wioland, 1997). In addition, we have developed a model for the evolution of situational awareness errors. Compared with those considered in a recent study by (Hart et al., 1997), our approach shows to be an innovative one.

c. Perform stochastic analysis

Although it definitively is possible to realise a straightforward Monte Carlo simulation of the SDE model, it will be clear from the earlier discussion that this will not be really effective for the assessment of catastrophic risks in aviation. In order to develop an effective approach to the numerical evaluation of an SDE model, the SDE should be analysed first by mathematicians with the appropriate background in the theory of stochastic analysis. At this moment this is done on a case by case basis. For each case the aim is to analyse the SDE model such that its numerical evaluation can be done by decomposition into a logical sequence of fast-time simulations, Monte Carlo simulations and/or analytical evaluations. The aim always is to first decompose the risk assessment problem into several conditional assessment problems for which appropriate assessment techniques are available or feasible. The main principle we are using for identifying an appropriate decomposition is the following: under quite general conditions, the solution of an SDE is a strong Markov process. This means that the Markov property also holds true for stopping times (sometimes called Markov times). These stopping times serve as the mathematical powertool to decompose the risk assessment for an SDE model. So far this approach appeared to work satisfactorily for all situations evaluated.

d. Execute the various assessment activities

Typically, the resulting sequence of conditional assessments reads as follows:

1. Run a conventional fast time simulation (e.g. with TAAM) to identify traffic densities and encounter type frequencies.
2. Input these traffic densities and encounter type frequencies to a safety-directed human simulator to identify appropriate pilot and/or controller characteristics.
3. Input these conditional human characteristics to a Monte Carlo simulation that identifies and statistically analyses critical conditional events, such as incidents.
4. Input these critical conditional event characteristics to a Monte Carlo simulation that identifies potential accident characteristics.
5. Input these potential accident characteristics to a conditional collision risk analyser.
6. Transform all results from the preceding conditional assessments into appropriate safety metrics.
7. Identify the safety-separation and/or safety-modelling bottlenecks, of the specifically modelled ATM concept/scenario.

For each of these activities, except 1., dedicated computer tools have been and are being further developed within the TOPAZ project. The splitting of activities 3, 4 and 5, from each other usually appears to be the most challenging one, for the very reason that often there are many dependencies between various elements of a hazardous air traffic situation. In order to handle this in a valid way, we make use of a mathematical framework, the basis of which is explained in section III.
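The decomposition argument of activities c and d, as an added example that is not from the paper or the TOPAZ tool suite: a toy lateral-overlap model of two opposite-direction routes, comparing straightforward Monte Carlo simulation with conditioning on event classes. The model, the class names and every number (`SPACING_KM`, `COLLISION_KM`, `SIGMA_KM`, `P_CLASS`) are constructed assumptions.

```python
"""Toy illustration of risk decomposition by conditioning on event classes.

Added example; the model and every number in it are constructed for
illustration and are not TOPAZ inputs, models or results.
"""
import math
import random

SPACING_KM = 8.0       # constructed: lateral spacing S between the two routes
COLLISION_KM = 0.06    # constructed: lateral overlap distance counted as a collision
# Constructed event classes: lateral deviation std-dev (km) and class probability.
SIGMA_KM = {"nominal": 0.5, "non_nominal": 4.0}
P_CLASS = {"nominal": 1.0 - 1e-4, "non_nominal": 1e-4}


def class_pairs():
    """Every ordered pair of event classes with its joint probability."""
    return [(a, b, P_CLASS[a] * P_CLASS[b]) for a in P_CLASS for b in P_CLASS]


def separation(a, b, rng):
    """Lateral separation of one opposite-direction encounter, given both classes."""
    return SPACING_KM + rng.gauss(0.0, SIGMA_KM[a]) - rng.gauss(0.0, SIGMA_KM[b])


def conditional_exact(a, b):
    """P(collision | classes a, b); the separation is N(S, sigma_a^2 + sigma_b^2)."""
    sd = math.hypot(SIGMA_KM[a], SIGMA_KM[b])

    def cdf(x):
        return 0.5 * math.erfc(-x / math.sqrt(2.0))

    return cdf((COLLISION_KM - SPACING_KM) / sd) - cdf((-COLLISION_KM - SPACING_KM) / sd)


def conditional_mc(a, b, n, rng):
    """Monte Carlo estimate of the same conditional probability."""
    hits = sum(abs(separation(a, b, rng)) < COLLISION_KM for _ in range(n))
    return hits / n


def decomposed_risk(conditional):
    """Combine conditional results: sum of P(class pair) * P(collision | class pair)."""
    parts = {(a, b): p * conditional(a, b) for a, b, p in class_pairs()}
    return sum(parts.values()), parts


def decomposed_risk_mc(n_per_class, seed=7):
    """Decomposed estimate with one conditional simulation per class pair."""
    rng = random.Random(seed)
    return decomposed_risk(lambda a, b: conditional_mc(a, b, n_per_class, rng))


def naive_hits(n, seed=1):
    """Straightforward simulation: draw classes and deviations together, count collisions."""
    rng = random.Random(seed)
    names, weights = list(P_CLASS), list(P_CLASS.values())
    hits = 0
    for _ in range(n):
        a, b = rng.choices(names, weights, k=2)
        hits += abs(separation(a, b, rng)) < COLLISION_KM
    return hits


if __name__ == "__main__":
    exact, parts = decomposed_risk(conditional_exact)
    estimate, _ = decomposed_risk_mc(100_000)
    print(f"exact risk per encounter       : {exact:.3e}")
    print(f"decomposed Monte Carlo (4x1e5) : {estimate:.3e}")
    print(f"naive Monte Carlo hits in 1e5  : {naive_hits(100_000)}")
    for pair, value in sorted(parts.items(), key=lambda kv: -kv[1]):
        print(f"  contribution {pair}: {value:.3e}")
```

The per-class contributions also show which event class dominates the risk in this toy model, which is the kind of safety criticality the assessment cycle feeds back to designers.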

e. Validaion of he risk assessmen exercise A crucial issue concerns he validaion ha a risk assessmen exercise is performed o an accepable degree, wihou he need o firs employ very expensive large scale real ime simulaions of new conceps. Due o our underlying sochasic analysis framework, such a validaion can be done hrough execuing he following aciviies: Judge he level of conservaism of he assumpions adoped for he developmen of he DCPN insaniaion for he siuaion considered. This should be done hrough acive involvemen of operaional and design expers. Verify he correcness of he insaniaed DCPN versus he resuls of he qualiaive assessmen and he assumpions adoped. This should be done by sochasic analysis TOPAZ expers, wih a leas one who has no been involved wih he DCPN insaniaion. Verify he correcness of he mahemaical ransformaions applied o he insaniaed sochasic dynamical model. This should be done by applying mahemaical ools from sochasic analysis heory. Verify ha he various assessmen aciviies have been execued according o he unambiguous mahemaical model developed, including he decomposiion. This should be done by sochasic analysis expers. III. THE MATHEMATICAL FRAMEWORK Each DCPN insaniaion can be represened by an SDE on a hybrid sae space (Everd and Blom, 1998), which has a srong Markov process f g on a hybrid sae space as is unique soluion. The hybrid sae process f g has wo componens, i.e. = (x ; ); wih x he componen assuming values in a Euclidean space and wih he componen assuming values in a discree space. From he heory of Markov processes i hen follows ha i is possible o characerise he evoluion of he densiy-disribuion p () of he join process hrough a well-defined differenial equaion in funcion space: d d p () =Lp () wih L an operaor defined by he Markov process f g. 
Due to the strong Markov property, this differential equation also applies under the condition of an f g-adapted stopping time (also referred to as Markov time): d d p () =Lp j j (); for >:

It is particularly relevant to notice that the above equations are well known for Markov chains, i.e. Markov processes with discrete state space, which processes have shown to be very useful in the development of advanced dependability and performability assessment methodology (e.g. Pattipati et al., 1993; Fota et al., 1997). For hybrid state Markov processes, this equation is well known in Bayesian estimation theory (e.g. Blom, 1990) and this has a.o. led to advanced multi target multi sensor tracking applications (e.g. Blom et al., 1992a).

The above equations imply that once the scenario to be assessed on collision risk has been represented through a DCPN instantiation, all probabilistic properties are well-defined, including the collision risk. Let $y^i$ and $v^i$ be the components of x that represent the 3D location and 3D velocity of aircraft i, $i \in \{1, \ldots, n\}$. Let $y = y^i - y^j$, let $v = v^i - v^j$ and let D be the area such that $y \in D$ means that at moment t the physical volumes of aircraft i and j are not separated anymore (i.e. they have collided). Each time the process $\{y\}$ enters the area D, we say an incrossing occurs, and each time the process $\{y\}$ leaves the area D, we say an outcrossing occurs. The first incrossing for the pair (i, j) is a collision for that pair. If we assume that the relative speed v is very rapidly going to zero as long as y resides in D, the chances are zero that there is more than one incrossing per aircraft pair, and thus the expected number of incrossings equals the expected number of collisions.
Following (Bakker and Blom, 1993) the expected number $R_{[0,T]}$ of incrossings, or collisions, between aircraft pairs in the time-interval [0, T] satisfies:

$$R_{[0,T]} = \sum_{i=1}^{n} \sum_{j>i} \int_0^T \varphi(t)\,dt$$

with $\varphi(t)$ the incrossing rate, which is defined by: ' () = lim P fy #0 =2 D ;y + 2 D g=

In (Bakker and Blom, 1993) it is also shown that $\varphi(t)$ is well-defined, and can be evaluated under non-restrictive assumptions as a function of the probability density of the joint relative state (y, v). In general, a characterisation of this probability density is complex, especially since there are combinatorially many types of non-nominal events. A plausible way out of this is by conditioning on classes of non-nominal events, where those non-nominal events are placed in the same class if they have a similar impact on the subsequent evolution of the relative state process $\{y, v\}$. This is done through 1) defining an appropriate event sequence classification process f g, such that the joint process f ; g is a strong Markov process as well, and 2) subsequently identifying an appropriate f ; g-adapted stopping time such that there is a zero

probability that the pair (i, j) collides before. With this, the above equations can be transformed into:

R [0;T ] = P f nx i=1 j>i nx X = g Z T ' ( j = ) d

with ' ( j = ) the conditional incrossing rate, being defined for by:

' ( j = ) = lim P fy =2 D ;y + 2 D j = g= #0

In figure 5, the equation for $R_{[0,T]}$ is presented in the form of a tree, in which f () is short for R T ' ( j = ) d P f = g. This tree has some resemblance with the well known fault tree. However, due to the underlying stochastic and physical relations, our new tree differs significantly and is named Collision Risk Tree.

Fig. 5. Collision Risk Tree

For the quantification of the boxes in the collision risk tree, use is made of three types of evaluations:
- Monte Carlo simulations of the DCPN to quantify P f = g and the statistical properties of the relevant DCPN components at the stopping time.
- Evaluations of the evolution of the relative aircraft states from stopping time on, and for each =. When complexity requires, this process can even be done for a sequence of increasing stopping times.
- Numerical evaluation of R T ' ( j = ) d, using the Generalized Reich equation of (Bakker and Blom, 1993), see also (Kremer et al., 1998).

IV. RNP1 IN CONVENTIONAL AND AIRBORNE SEPARATION ASSURANCE SCENARIO EXAMPLES

In this section, the TOPAZ approach is used to evaluate a simple scenario of two en-route traffic streams of RNP1 equipped traffic, flying in opposite direction, all at one single flight level. This rather hypothetical scenario has been developed by Eurocontrol with the aim to learn understanding how ATC influences accident risk, and how far the nominal separation S between opposite RNP1 traffic streams can safely be reduced.
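The conditioning idea of section III can be tried on a far cruder model than TOPAZ. The added example below (not from the paper, and neither a DCPN nor the Generalized Reich evaluation) splits the opposite-lane encounter into a nominal class with Gaussian RNP1 errors and a non-nominal class with a double-exponential deviation, then sums class probability times conditional risk and searches for the smallest spacing S that meets the target level of safety. The collision half-width, class probability, tail scale and equal-speed passing rate are assumed values; only the RNP1 definition, the flow of 3.6 aircraft/hour per lane and the target of 5·10^-9 accidents/flight hour come from the paper.

```python
import math

# Values taken from the paper
SIGMA_RNP1 = 1.0 / 1.96      # NM; RNP1 = 95% of time within 1 NM, read as Gaussian
FLOW_PER_LANE = 3.6          # aircraft/hour on each lane
TLS = 5e-9                   # target level of safety, accidents/flight hour

# Assumed values (not from the paper)
HALF_WIDTH = 0.03            # NM; lateral half-width of the collision area D
PASSES_PER_FLIGHT_HOUR = 2 * FLOW_PER_LANE   # equal and opposite ground speeds


def gauss_pdf(x, sigma):
    return math.exp(-0.5 * (x / sigma) ** 2) / (sigma * math.sqrt(2.0 * math.pi))


def laplace_pdf(x, scale):
    return math.exp(-abs(x) / scale) / (2.0 * scale)


def relative_density(spacing, tail_scale=None, steps=800):
    """Density of the relative lateral deviation at `spacing`, given the class.

    tail_scale=None: both aircraft navigate nominally (difference of two Gaussians).
    tail_scale=b: one aircraft deviates with a double-exponential (Laplace) law,
    the other stays Gaussian; the convolution is integrated numerically over
    +/- 8 sigma around `spacing`.
    """
    if tail_scale is None:
        return gauss_pdf(spacing, SIGMA_RNP1 * math.sqrt(2.0))
    lo, hi = spacing - 8.0 * SIGMA_RNP1, spacing + 8.0 * SIGMA_RNP1
    h = (hi - lo) / steps
    total = 0.0
    for k in range(steps + 1):
        u = lo + k * h
        w = 0.5 if k in (0, steps) else 1.0   # trapezoid weights
        total += w * laplace_pdf(u, tail_scale) * gauss_pdf(spacing - u, SIGMA_RNP1)
    return total * h


def conditional_risk(spacing, tail_scale=None):
    """Accidents per flight hour given the class; same flight level, so only
    lateral overlap is modelled and every pass counts as an encounter."""
    overlap = 2.0 * HALF_WIDTH * relative_density(spacing, tail_scale)
    return PASSES_PER_FLIGHT_HOUR * overlap


def risk(spacing, classes):
    """Sum over classes of P{class} * conditional risk; classes = [(prob, tail_scale)]."""
    return sum(p * conditional_risk(spacing, b) for p, b in classes)


def min_safe_spacing(classes, step=0.1, limit=60.0):
    """Smallest spacing on a `step` NM grid whose risk is at or below the TLS."""
    for k in range(1, int(limit / step) + 1):
        s = round(k * step, 1)
        if risk(s, classes) <= TLS:
            return s
    return None


# Constructed class probabilities and tail scale, for illustration only
WITH_TAILS = [(1.0 - 1e-3, None), (1e-3, 4.0)]
GAUSSIAN_ONLY = [(1.0, None)]

if __name__ == "__main__":
    for name, classes in (("with non-nominal class", WITH_TAILS),
                          ("nominal class only", GAUSSIAN_ONLY)):
        print(f"{name}: minimum spacing {min_safe_spacing(classes)} NM")
```

With these constructed numbers the minimum spacing is set almost entirely by the rare non-nominal class, and dropping that class leaves the Gaussian navigation error to govern the result.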
The specific details of this scenario are (Everdij et al., 1997a):
- Straight route, with two traffic lanes (figure 6),
- Flight plans contain no lane changes,
- Parameter S denotes distance between the two lanes,
- Opposite traffic flows along each lane,
- Aircraft fly at one flight level only,
- Traffic flow per lane is 3.6 aircraft/hour,
- All aircraft nominally perform RNP1,
- None of the aircraft are TCAS equipped,
- Target level of safety is $5 \cdot 10^{-9}$ accidents/flight hour.

Fig. 6. Opposite direction traffic in a dual lane route

This simple scenario is considered for the following four ATM concepts:

A) Procedural separation only. In this case there is no ATC surveillance system. This is the type of situation encountered with traffic over the North Atlantic.

B) STCA-only based ATC. In this case there is radar based surveillance and R/T communication, but it is assumed that ATC is doing nothing unless its STCA system issues an alert; thus assuming no monitoring by the ATCo. It should be noticed that this differs significantly from conventional ATC, where an executive controller autonomously monitors and issues corrective actions, while STCA is a safety net only.

C) Basic airborne separation assurance. In this case there is ADS-B surveillance and R/T between aircraft, but there is no ATC. For this concept it is assumed that aircraft behave co-operatively, in the sense that when an aircraft's CDR (Conflict Detection and Resolution) system detects a conflict with another aircraft, then its pilot will try to make an avoidance manoeuvre. Thus, in most cases both pilots will try to make an avoidance

manoeuvre.

D) Negotiated airborne separation assurance, a design that is explicitly due to the feedback received from TOPAZ based safety assessments conducted for A), B) and C). For this concept it is assumed that aircraft also behave co-operatively during conflict-free trajectory planning. Thus in addition to ADS-B surveillance and R/T there also is a data link between aircraft to exchange and negotiate conflict free trajectory plans that are assumed to extend five minutes or more into the future.

Obviously, for each of these four ATM concepts there are various traffic navigation and encounter scenarios that deserve an accident risk evaluation. We believe, however, that it is most effective to learn understanding the safe separation issues for a simple traffic navigation and encounter scenario first, before considering other and more complicated scenarios.

For each of the four ATM concepts the TOPAZ methodology and tool set have been used to conservatively assess accident risk for the above scenario, as a function of the spacing parameter S. The resulting accident risk curves are presented in figure 7. Since all four curves are based on conservative modelling assumptions for the ATM situations considered, they provide an upper bound for the true accident risk.

Fig. 7. Accident risk for the opposite traffic scenario, as a function of spacing parameter S, for the four ATM concepts considered: A) Procedural separation, B) STCA-based ATC, C) Basic airborne separation assurance, D) Negotiated airborne separation assurance. (Vertical axis: expected number of accidents per flight hour; horizontal axis: spacing S, in NM and km; the TLS is marked.) The accident risk unit used is from ICAO, where one collision between two aircraft counts for two accidents.

These results are obtained over a period of two years during three subsequent studies. The first en-route study (Everdij et al., 1997a) was conducted for Eurocontrol, and covered ATM concepts A) and B). The assessment of concept A) was rather straightforward, and could also have been done with ICAO's CRM.
For the assessment of the other three concepts, however, full use has been made of the TOPAZ methodology. Concept B) has been assessed during an initial study for Eurocontrol (Everdij et al., 1997). Concept C) has been developed (Hoekstra et al., 1997) and assessed (Daams et al., 1997) during studies within NASA's Free Flight research programme. The safety assessment results from concepts A), B) and C) have subsequently been fed back (Van Gent et al., 1997) to enable the safety based design concept D), and subsequently to assess it with TOPAZ (Daams et al., 1998).

The risk curves in figure 7 show that for RNP1 performing aircraft, the ATM concept may have quite an impact on the selection of the spacing parameter S within a straight dual lane route structure. For the four ATM concepts considered it has been shown that the spacing S can safely be reduced to 31 NM, 22 NM, 16 NM and 7 NM for ATM concepts A), B), C) and D) respectively. The large value of 31 NM for concept A) does not come as a real surprise; such large values are well known for procedural traffic situations over the ocean. The results for concept B) show that STCA really is a safety net which provides at least a factor 15 in safety when compared with concept A) for sufficiently large S. Apparently, this STCA safety net alone falls short to support the kind of spacings necessary for busy fixed route traffic situations. This finding confirms the prior expectation that concept B) is not representative for conventional ATC.

Rather unexpectedly, the co-operative Basic airborne separation concept C) appears to perform better than concept B). The reason appeared to be that with the ground-based concept B) there is one single monitoring and decision-making loop (surveillance-STCA-ATCo-R/T-pilot-a/c), while for the co-operative airborne-based concept C) each of the two encountering aircraft has a monitoring and decision-making loop (surveillance-CDR-pilot-a/c) which are partly independent. As a result, the safety net of concept C) leads to a factor 5 lower risk than concept B) for the same spacing, or allows to safely reduce S from 22 NM to 16 NM.
Obviously, such improved safety net still falls short to support the kind of spacings necessary for busy fixed route traffic situations. Thus in view of their safe spacing values of 22 NM and 16 NM, concepts B) and C) do not support spacings that are required for busy fixed route situations over the continent.

Finally, the co-operative Negotiated airborne separation assurance concept D) allows such low spacing values. This is not a coincidence, but the result of effectively making

use of TOPAZ based safety feedback from A), B) and C). It appeared that for all these three concepts, the safe spacing was determined by the effects of the exponential tails of large deviations due to non-nominal situations. Thus the design objective for concept D) was to reduce those non-nominal effects to a level below the TLS. To accomplish this, the two monitoring and decision-making loops of concept C) have been extended with a largely independent and co-operative conflict-free-planning loop. The curve for concept D) shows that this worked out successfully, by which the safe spacing value for concept D) is governed by the RNP1-Gaussian navigation error characteristics, rather than by the exponential tails due to non-nominal situations.

V. CONCLUDING REMARKS

This paper has given an outline of the TOPAZ methodology to assess advanced ATM on mid-air collision risk, and has illustrated that this approach may provide effective feedback to designers of advanced ATM. From this outline it has become clear that this methodology exhibits several remarkable features, such as:
- It applies established techniques during a qualitative assessment phase only;
- Quantification is based on stochastic dynamical modelling;
- Uses powerful tools from the theory of stochastic analysis;
- Handles complex interactions between different ATM elements;
- Incorporates advanced human cognitive modelling;
- Incorporates the Generalized Reich collision risk model;
- Provides effective feedback to ATM concept designers;
- Validation of a risk assessment exercise forms part of the methodology.

It has also become clear that currently a high level of expertise in stochastic analysis is required for an effective application of the methodology. One should however be aware that the need for sophisticated mathematical expertise is well accepted in other complex design areas of civil aviation, such as the area of aerodynamic optimisation of aircraft structures.

Obviously, within an overall ATM concept a large variety of relevant aircraft encounter scenarios can be identified.
As such, it is important to notice that our DCPN instantiation for a particular ATM concept mainly depends on the ATM concept and only marginally on the encounter scenario. Thus, the DCPN instantiations for the four RNP1 based ATM concepts of section IV can relatively simply be extended to other encounter scenarios. This also means that it should be possible to identify classes of encounter scenarios such that it is sufficient to perform an accident risk assessment for one scenario from each class only.

In this paper the TOPAZ methodology has been concentrated on the risk of mid-air collision. Due to the generality of the methodology, however, we believe it is also applicable to other accident risks in air traffic, such as risk induced by runway incursion, controlled flight into terrain, etc. We have, for example, already made good progress in the extension of the TOPAZ methodology with a probabilistic model for wake vortex induced accident risk (Blom and Speijker, 1998).

REFERENCES

[1] T. Aldemir, N.O. Siu, A. Mosleh, P.C. Cacciabue and B.G. Göktepe (Eds.), Reliability and safety assessment of dynamic process systems, Springer, 1994.
[2] R. Amalberti and L. Wioland, Human error in aviation, In: Aviation safety, pp. 91-108, H. Soekkha (Ed.), 1997.
[3] L. Bainbridge, The change of concepts needed to account for human behaviour in complex dynamic tasks, Proc. 1993 Int. Conf. on Systems, Man and Cybernetics, pp. 126-131, 1993.
[4] G.J. Bakker and H.A.P. Blom, Air Traffic Collision risk modelling, Proc. 32nd IEEE Conf. on Decision and Control, pp. 1464-1469, 1993.
[5] G.J. Bakker, H.A.P. Blom and M.H.C. Everdij, Collision risk evaluation of the dependent converging instrument approach (DCIA) procedure under Gaussian deviations from expected missed approach paths, NLR report CR 95322 L, 1995.
[6] M.C.M. Biemans and J. Daams, Human Operator Modelling to Evaluate Reliability, Organisation and Safety, NLR report TR 98073, 1997.
[7] H.A.P. Blom, Bayesian estimation for decision-directed stochastic control, Ph.D. thesis, Delft University of Technology, 1990.
[8] H.A.P. Blom, R.A.
Hogendoorn and B.A. Van Doorn, Design of a multisensor tracking system for advanced air traffic control, Ed: Y. Bar-Shalom, Multitarget-Multisensor Tracking, Volume II, Artech House, pp. 31-63, 1992a.
[9] H.A.P. Blom, The layered safety concept, an integrated approach to the design and validation of air traffic management enhancements, NLR report TP 92046 L, 1992b.
[10] H.A.P. Blom and G.J. Bakker, A macroscopic assessment of the target safety gain for different en-route airspace structures within SUATMS, NLR report CR 93364 L, 1993.
[11] H.A.P. Blom, M.B. Klompstra and G.J. Bakker, Air Traffic Management as a multi-agent stochastic dynamic game under partial state observation, Proc. IFAC Symp. Transportation Systems, 1994, Tianjin, pp. 249-254.
[12] H.A.P. Blom, C.F.W. Hendriks and H.B. Nijhuis, Assess necessary validation developments, VAPORETO WP3 final report, NLR report CR 95524 L, 1996.
[13] H.A.P. Blom and L.J.P. Speijker, NLR's initial probabilistic wake vortex model for TOPAZ, NLR draft report, September 1998.
[14] S. Cohen et al., A concept paper for separation safety modelling, FAA/Eurocontrol, May 1998.
[15] J. Daams, G.J. Bakker and H.A.P. Blom, Safety evaluation of an initial free flight scenario with TOPAZ, NLR report TR 98098, 1998a.

[16] J. Daams, G.J. Bakker and H.A.P. Blom, Safety evaluation of encounters between free-flight equipped aircraft in a dual route structure, NLR report, forthcoming, 1998b.
[17] J. Daams and H.B. Nijhuis, Human Operators Controllability of ATM safety, ARIBA, NLR final report, forthcoming, 1998.
[18] DAAS (Dependability Approach to ATM Systems), Work package reports for the European Commission DG XIII, 1995.
[19] M.H.A. Davis, Piecewise Deterministic Markov Processes: a general class of non-diffusion stochastic models, J. Royal Statist. Soc. (B), Vol 46, pp. 353-388, 1984.
[20] EATCHIP, Air Navigation System Safety Methodology, Eurocontrol, Edition 0.4, Working Draft, 1996.
[21] R.J. Elliott, Stochastic calculus and applications, New York, Springer, 1982.
[22] EVAS, EATMS Validation Strategy Document, Edition 1.1, Eurocontrol, June 1998.
[23] M.H.C. Everdij, M.B. Klompstra, H.A.P. Blom and O.N. Fota, Evaluation of hazard analysis techniques for application to enroute ATM, MUFTIS Final Report on Safety Model, Part I, NLR report TR 96196 L, 1996a.
[24] M.H.C. Everdij, M.B. Klompstra and H.A.P. Blom, Development of mathematical techniques for ATM safety analysis, MUFTIS Final report on Safety model, Part II, NLR report TR 96197 L, 1996b.
[25] M.H.C. Everdij, G.J. Bakker and H.A.P. Blom, Application of Collision Risk Tree Analysis to DCIA/CRDA through support of TOPAZ, NLR report CR 96784 L, 1996c.
[26] M.H.C. Everdij, G.J. Bakker, H.A.P. Blom and P.J.G. Blanker, Demonstration report in preparation to Designing EATMS inherently safe, TOSCA II WP4 phase I report, NLR, 1997a.
[27] M.H.C. Everdij, H.A.P. Blom and M.B. Klompstra, Dynamically Coloured Petri Nets for Air Traffic Management Safety purposes, Proc. 8th IFAC Symposium on Transportation Systems, pp. 184-189, 1997b.
[28] M.H.C. Everdij and H.A.P. Blom, Piecewise Deterministic Markov Processes represented by Dynamically Coloured Petri Nets, Submitted, 1998.
[29] N. Fota, M. Kaaniche and K. Kanoun, A modular and incremental approach for building complex stochastic Petri net models. Proc. First Int. Conf.
on Mathematical Methods in Reliability, 1997.
[30] A. Haraldsdottir et al., Air Traffic Management Concept Baseline Definition, NEXTOR Report RR-97-3, Boeing, 1997.
[31] S. Hart et al., A designers guide to human performance modelling, AGARD AMP Working Group 22 draft report, 1997.
[32] J.M. Hoekstra, R.C.J. Ruigrok and R.N.H.W. van Gent, Conceptual design of Free Flight Cruise with Airborne Separation Assurance, NLR report TP 98252, 1997.
[33] E. Hollnagel, Human Reliability analysis, context and control. Academic Press, London, 1993.
[34] M.B. Klompstra and M.H.C. Everdij, Evaluation of JAR and EATCHIP safety assessment methodologies, NLR report CR 97678 L, 1997.
[35] H.J. Kremer, G.J. Bakker and H.A.P. Blom, Geometric and probabilistic approach towards conflict prediction in free flight, forthcoming, 1998.
[36] G. Moek, M.B. Klompstra, H.A.P. Blom et al., Methods and Techniques, GENOVA Final Report, NLR, 1997.
[37] A.R. Odoni et al., Existing and required modeling capabilities for evaluating ATM systems and concepts, Final report, MIT, March 1997.
[38] K.R. Pattipati, Y. Li, and H.A.P. Blom, A unified framework for the performability evaluation of fault-tolerant computer systems, IEEE Transactions on Computers, Vol. 42 (1993), pp. 312-326.
[39] B. Randell (Ed.), Predictably dependable computing systems, Springer, 1995.
[40] J. Reason, Human error, Cambridge Univ. Press, 1990.
[41] Royal Society, Risk assessment, report of a Royal Society Study Group, 1983.
[42] SAE, ARP 4761, Guidelines and methods for conducting the safety assessment process on civil airborne systems and equipment, S-18 Committee, Society of Automotive Engineers, Inc., March 1994.
[43] SAE, ARP 4754, Certification considerations for highly-integrated or complex aircraft systems, Systems Integration Requirements Task Group AS-1C, Avionics Systems Division, Society of Automotive Engineers, Inc., Sep. 1995.
[44] R. Sheperd, R. Cassell, R. Thava and D. Lee, A reduced aircraft separation risk assessment model, Proc. AIAA Guidance, Navigation and Control Conf., New Orleans, August 1997.
[45] R.N.H.W.
Van Gent, J.M. Hoekstra and R.C.J. Ruigrok, Free Flight with Airborne Separation Assurance, Proc. CEAS symposium, October 1997, Amsterdam.
[46] C.R. Wickens, Engineering, psychology and human performance, Merrill, 1992.

ACRONYMS

4D: 4-Dimensional
ABRM: Analytic Blunder Risk Model
ADS-B: Automatic Dependent Surveillance-Broadcast
ASAT: Airspace Simulation and Analysis for Terminal instrument procedures
ATC: Air Traffic Control
ATCo: Air Traffic Controller
ATM: Air Traffic Management
CCA: Common Cause Analysis
CDR: Conflict Detection and Resolution
CNS: Communication, Navigation and Surveillance
CRM: Collision Risk Model
DAAS: Dependability Approach to ATM System
DCPN: Dynamically Coloured Petri Net
EATCHIP: European Air Traffic Control Harmonisation and Integration Programme
ETA: Event Tree Analysis
FMEA: Failure Mode and Effect Analysis
FTA: Fault Tree Analysis
HMI: Human Machine Interface
HRA: Human Reliability Analysis
ICAO: International Civil Aviation Organisation
NASPAC: National Airspace Systems Performance Analysis Capability
NLR: Nationaal Lucht- en Ruimtevaartlaboratorium
NM: Nautical Mile
PHA: Preliminary Hazard Analysis
RAMS: Reorganized ATC Mathematical Simulator
RASRAM: Reduced Aircraft Separation Risk Assessment Model
RNP1: Required Navigational Performance (95% of time within 1 NM)
R/T: Radio Telephony
SDE: Stochastic Differential Equation
STCA: Short Term Conflict Alert
TAAM: Total Airspace and Airport Modeller
TCAS: Traffic alert and Collision Avoidance System
TOPAZ: Traffic Organization and Perturbation AnalyZer