Safety Criticality Analysis of Air Traffic Management Systems: A Compositional Bisimulation Approach

Similar documents
VR-TCAP Validation report for new possible altitude capture laws

FLIGHT CREW TRAINING NOTICE

2020 Foresight A Systems Engineering Approach to Assessing the Safety of the SESAR Operational Concept

COLLISION RISK ANALYSIS IN AIR TRAFFIC CONTROL

Tenth USA/Europe Air Traffic Management Research and Development Seminar

MAXIMISING THE ATM POSITIVE CONTRIBUTION TO SAFETY -A BROADER APPROACH TO SAFETY ASSESSMENT

So it s Reliable but is it Safe? - a More Balanced Approach To ATM Safety Assessment

HASTAC High stability Altimeter SysTem for Air data Computers

Safety assessments for Aerodromes (Chapter 3 of the PANS-Aerodromes, 1 st ed)

Time-based Spaced Continuous Descent Approaches in busy Terminal Manoeuvring Areas

Investigating the capacity benefit of airborne speed adjustment

THE WAY AHEAD. Indra s Contributions to Automation and SWIM in the SESAR JU

An atc-induced runway incursion

Procedures for Off-Nominal Cases: Three Closely Spaced Parallel Runway Operations

SPR for automatic responses to ACAS RAs

STPA Systems Theoretic Process Analysis John Thomas and Nancy Leveson. All rights reserved.

Basic STPA Tutorial. John Thomas

VR-APFD Validation report for automatic responses to ACAS RA

A study on the relation between safety analysis process and system engineering process of train control system

Report on Phase 2 Causal Modeling for Schiphol Airport

Basic STPA Exercises. Dr. John Thomas

Universal Atmospheric Hazard Criteria

Preliminary System Safety Analysis for the Controller Access Parameter service delivered by Mode S Enhanced Surveillance

Identification of emergent hazards and behaviour Shifting the boundary between unimaginable and imaginable hazards. Hans de Jong and Henk Blom (NLR)

Safety-Critical Systems

Go around manoeuvre How to make it safer? Capt. Bertrand de Courville

HINDSIGHT SITUATIONAL EXAMPLE. unexpected runway crossing

#19 MONITORING AND PREDICTING PEDESTRIAN BEHAVIOR USING TRAFFIC CAMERAS

EUROPEAN COMMISSION DG RTD. evader

Assignment for Next Class. Information Systems ISM Put In Nonsense, Get Out Chaos. System and Modeling Concepts. Components of a System.

APPENDIX J REQUIRED NAVIGATION PERFORMANCE IMPACTS EVALUATION REPORT

EASA need for Standards and AMC for Unmanned Aircraft

AIP MACAO GUANG ZHOU FIR HONG KONG FIR AD2-VMMC-60 SID MACAO RWY MAY 2016 (BIGRO 4 D, MIPAG 5 D, NLG 5 D, SHL 5 D) CAT A, B, C, D

FIRE PROTECTION. In fact, hydraulic modeling allows for infinite what if scenarios including:

SO IT S RELIABLE BUT IS IT SAFE? A MORE BALANCED APPROACH TO ATM SAFETY ASSESSMENT

PC-21 A Damage Tolerant Aircraft. Paper presented at the ICAF 2009 Symposium by Lukas Schmid

AN AUTONOMOUS DRIVER MODEL FOR THE OVERTAKING MANEUVER FOR USE IN MICROSCOPIC TRAFFIC SIMULATION

EUROCONTROL Guidance Material for Short Term Conflict Alert Appendix D-2: Functional Hazard Assessment of STCA for ATCC Semmerzake

Distributed Control Systems

COSCAP-South Asia ADVISORY CIRCULAR FOR AIR OPERATORS

Continuous Descent Final Approach

OPERATIONS MANUAL PART A INSTRUCTIONS AND TRAINING REQUIREMENTS FOR THE AVOIDANCE OF CONTROLLED FLIGHT INTO TERRAIN AND POLICIES FOR THE USE OF GPWS

3rd Eurocontrol CDO Workshop

Queue analysis for the toll station of the Öresund fixed link. Pontus Matstoms *

1.0 PURPOSE 2.0 REFERENCES

Lecture 04 ( ) Hazard Analysis. Systeme hoher Qualität und Sicherheit Universität Bremen WS 2015/2016

Cross Border Area Safety Assessment Overview

PASSENGER SHIP SAFETY. Preliminary recommendations arising from the Costa Concordia marine casualty investigation. Submitted by Italy SUMMARY

MAPPING OF RISKS ON THE MAIN ROAD NETWORK OF SERBIA

New Airfield Risk Assessment / Categorisation

Update to Airline Transport Pilot Test July 2010 Airline Transport Pilot Test Prep 2010

A hybrid and multiscale approach to model and simulate mobility in the context of public event

Aerodynamic investigations on a wing in ground effect

Aeronautical studies and Safety Assessment

Collision Avoidance System using Common Maritime Information Environment.

Outline. TAMU Campus Projects TxDOT Innovative Research Project Mobileye Shield+ Pilot

Chapter Capacity and LOS Analysis of a Signalized I/S Overview Methodology Scope Limitation

2 ETSO-C115c#9 Airborne Area Navigation Equipment Flight Management Systems (FMS) Using Multi-Sensor Inputs

SUMMARY OF SAFETY INVESTIGATION REPORT

Systems Theoretic Process Analysis (STPA)

Safety When Using Liquid Coatings

Understanding safety life cycles

HUMAN ERROR AS THE MAIN CAUSE OF ACCIDENTS AT SEA

ROSE-HULMAN INSTITUTE OF TECHNOLOGY Department of Mechanical Engineering. Mini-project 3 Tennis ball launcher

Improvement of an Artificial Stall Warning System for Sailplanes

Unmanned Aerial Vehicle Failure Modes Algorithm Modeling

AIC FRANCE A 31/12. Publication date: DEC 27. Page 1/7. SUBJECT : Deployment of CDO (continuous descent operations) on the French territory

Lecture 1 Temporal constraints: source and characterization

Missing no Interaction Using STPA for Identifying Hazardous Interactions of Automated Driving Systems

Wake Vortices OPERATIONS. Where do Wake Vortices come from? What are the characteristics of wake vortices? CLAUDE LELAIE Former Head of Flight Test

Estimating the Clearance Depth Required in UXO Contaminated Areas NSGG

Iteration: while, for, do while, Reading Input with Sentinels and User-defined Functions

Safety Standards Acknowledgement and Consent (SSAC) CAP 1395

Descent Planning with a Mechanical E6-B Flight Computer

IMO DEVELOPMENT OF MODEL PROCEDURE FOR EXECUTING SHIPBOARD EMERGENCY MEASURES. Emergency steering drills. Submitted by the Republic of Korea

Federal Aviation Administration Safety & Human Factors Analysis of a Wake Vortex Mitigation Display System

EEC 686/785 Modeling & Performance Evaluation of Computer Systems. Lecture 6. Wenbing Zhao. Department of Electrical and Computer Engineering

Engineering: Measurement Technology Pressure/Level (SCQF level 6)

Blocking time reduction for level crossings using the genetic algorithm

Software Reliability 1

Design of Altitude Measurement System for Aerospace Applications (Digital Barometric Altimeter)

PRACTICAL EXAMPLES ON CSM-RA

Outline. Terminology. EEC 686/785 Modeling & Performance Evaluation of Computer Systems. Lecture 6. Steps in Capacity Planning and Management

Using STPA in the Design of a new Manned Spacecraft

Analyzing football matches using relational performance data

NAVIGATION ACCIDENTS AND THEIR CAUSES IS SHIPBOARD TECHNOLOGY A HELP OR HINDERANCE? CAPT.CLEANTHIS ORPHANOS MSc HEAD MAIC SERVICE

Attitude Instrument Flying and Aerodynamics

The EU funded NEWSLETTER 4. December In this issue

Transmitter mod. TR-A/V. SIL Safety Report

Autodesk Moldflow Communicator Process settings

FAQ s Walsh Road / Ferguson Road Pilot Scheme

JAR-23 Normal, Utility, Aerobatic, and Commuter Category Aeroplanes \ Issued 11 March 1994 \ Section 1- Requirements \ Subpart C - Structure \ General

Systems Theoretic Process Analysis (STPA)

Helicopter Safety Recommendation Summary for Small Operators

XII.A-D. Basic Attitude Instrument Flight

Towards Simulation Tools for Innovative Street Designs

High-Rise Fireground Field Experiments Results

USPA National Speed Skydiving Championships Competition Rules. Chapter 14. United States Parachute Association Copyright 2018 by USPA

THE SAFE ZONE FOR PAIRED CLOSELY SPACED PARALLEL APPROACHES: IMPLICATIONS FOR PROCEDURES AND AUTOMATION

Sea-going vessel versus wind turbine

Transcription:

Third SESAR Innovation Days 26 28 November 2013, KTH, Stockholm, Sweden Safety Criticality Analysis of Air Traffic Management Systems: A Compositional Bisimulation Approach Elena De Santis, Maria Domenica Di Benedetto, Mariken Everdij, Davide Pezzuti, Giordano Pola and Luca Scarciolla University of L Aquila (Italy) and NLR (The Netherlands)

WP-E MAREA Project Project: Mathematical approach towards resilience engineering in ATM Acronym: MAREA Theme: Mastering Complex Systems Safely Project type: Medium Duration: 30 months Coordinator: NLR Consortium members: NLR, University of l Aquila, VU University of Amsterdam

Outline Mathematical framework for modelling and analysing complex ATM systems - Modelling - Analysis of hazards and MASA inconsistencies - Complexity reduction Application to the Terminal Manoeuvring Area (TMA) T1 operation Conclusion

Outline Mathematical framework for modelling and analysing complex ATM systems - Modelling - Analysis of hazards and MASA inconsistencies - Complexity reduction Application to the Terminal Manoeuvring Area (TMA) T1 operation Conclusion

Mathematical Framework: Modelling A Finite State Machine (FSM) is a tuple M = (Q,q 0,U,Y,H,Δ), q 0 y 2 u 1 q 3 y 2 where: Q is a finite set of states q 0 is the initial state U is a finite set of input symbols Y is a finite set of output symbols H : Q Y is an output map Δ Q x U x Q is a transition relation u 2 u 2 u 2 q 1 q 2 y 1 y 1 u 1 u 1 q 4 u 1 y 2

Mathematical Framework: Modelling An Arena of Finite State Machines (AFSM) is specified by a directed graph A = (V,E), where: V is a collection of N FSMs M i = (Q i,q i0,u i,y i,h i,δ i ) E V x V describes the communication network of FSMs M i M1 M3 M2

Mathematical Framework: Modelling Modelling of hazards and MASA inconsistencies can be approached by resorting to the notion of critical states Let R Q be the set of critical states of a FSMH Blue state: Critical State

Mathematical Framework: Analysis Goal: Study the possibility of detecting the occurrence of unsafe and/or unallowed operations in a FSM M Consider a FSM M and a set R of critical states. M is R critically observable if it is possible to construct a critical observer that is able to detect if q R or not on the basis of inputs and outputs u y Obs q?

Mathematical Framework: Analysis Critical observability of FSMs naturally extends to AFSMs by appropriately defining a critical relation that extends the set of critical states to a collection of FSMs in an AFSM. Given an AFSM A = (V,E), consider the following tuple R c = (R 1 c, R 2 c,, R N c) where: R 1 c is the collection of sets R i1 Q i1 of critical states for M i1 R 2 c is the collection of sets R i1,i2 Q i1 Q i2 of critical states arising from the interaction of M i1 and M i2 R N c is the collection of sets R i1,,in Q i1 Q i2 Q in of critical states arising from the interaction of M i j with j = 1, 2,, N

Mathematical Framework: Complexity reduction Critical compositional bisimulation groups agents that are equivalent Two agents are equivalent if They are of the same type (e.g. two aircraft) They have the same role in the procedure (e.g. two aircraft performing a Standard Instrument Departure (SID)) They communicate with equivalent agents They share critical situations with equivalent agents If AFSMs A 1 and A 2 are (R c1,r c2 )-critically compositionally bisimilar, then A 1 is R c1 -critically observable if and only if A 2 is R c2 -critically observable

Outline Mathematical framework for modelling and analysing complex ATM systems - Modelling - Analysis of hazards and MASA inconsistencies - Complexity reduction Application to the Terminal Manoeuvring Area (TMA) T1 operation Conclusion

TMA T1 operation The aim of the SESAR (Single European Sky Air Traffic Management Research) Programme is to improve efficiency in future ATM In the SESAR 2020 Concept of Operations (ConOps) a 4D trajectory planning based operation is assumed, which is implemented through the exchange of Reference Business Trajectories (RBTs) The use of RBTs allows pilots to follow their assigned trajectories with a sensible reduction of the controller interventions We chose the Terminal Manoeuvring Area (TMA) T1 operation as a meaningful case study, since it exhibits most of the key features that arise in the SESAR 2020 ConOps Here, T1 refers to the reduction of separation minima in the TMA

TMA T1 operation In the TMA T1 operation, routes are typically Standard Instrument Departure (SID) routes, Standard Terminal Arrival Routes (STAR) and also cruise routes at a lower flight level. Agent involved in the TMA T1 scenario: Aircraft agent Air Traffic Controller Human Machine Interface Cockpit Human Machine Interface Tactical Controller agent Aircraft Crew agent

TMA T1 operation Assumptions: The two pilots of each aircraft are represented as one crew agent All aircraft flight-plans/rbts are according to the STAR, SID or Cruise route on which the respective aircraft fly There is no explicit negotiation of RBTs in the model The model only considers the tactical air traffic controller, i.e. traffic flow and capacity management is not considered Conflicts between two aircraft can be detected by the air traffic controller through the Short Term Conflict Alert (STCA)

TMA T1 operation Selection of hazards from MAREA deliverable D2.1 (NLR): Failure of Flight Management System (FMS) (hazard no. 19) Failure of cockpit display and failure of the Controller Pilot Data Link Communications (CPDLC) (hazards no. 5, 63, 115 and 137) False alert of an airborne system (hazard no. 21) Short Term Conflict Alert (STCA) or conflict alert is underestimated or ignored by the ATCo (hazards no. 254, 322 and 326) Misunderstanding of controller instruction by pilot (hazard no. 292)

TMA T1 operation The Crew Agent: Critical states considered: q6,crew - Crew updates flight trajectory data. Situation awareness incorrect wrt his RBT q8,crew Heavy workload q10,crew - Pilot misinterprets communication (hazard no. 292) q11,crew - Pilot does not realize a warning (hazard no. 137)

TMA T1 operation Aircraft dynamics: where:

TMA T1 operation Selected Scenario 3 SIDs aircraft 2 STARs aircraft 3 CRUISE ROUTES aircraft 1 ATCo HMI 1 ATCo Aircraft agent Air Traffic Controller Human Machine Interface Cockpit Human Machine Interface Tactical Controller agent Aircraft Crew agent

Analysis of Critical Situations Whenever two aircraft are closer than 3NM apart in horizontal direction while being closer than 1000ft apart in vertical direction, they are said to be in conflict z 1.5 NM 1000 ft x y

Analysis of Critical Situations Whenever two aircraft are closer than 3NM apart in horizontal direction while being closer than 1000ft apart in vertical direction, they are said to be in conflict M 1 M 2 M 3 M 4

Analysis of Critical Situations Whenever two aircraft are closer than 3NM apart in horizontal direction while being closer than 1000ft apart in vertical direction, they are said to be in conflict M 1 M 2 M 3 M 4 R = ( R 12, R 23, R 24, R 34, R 234 )

MASA Inconsistencies (q2,crew1,q2,crew2) a simultaneous conflict resolution manoeuvre of two aircraft that are flying in each other's vicinity (q4,crew1,q4,crew2) a simultaneous flight-plan deviation avoidance manoeuvre of two aircraft that are flying in each other's vicinity (q2,crew1,q4,crew2) and (q4,crew1,q2,crew2) one of the two aircraft that are flying in each other's vicinity, performs a conflict resolution manoeuvre and the other one performs a flight-plan deviation avoidance manoeuvre and vice-versa (q1,crew1,q2,crew2) and (q2,crew1,q1,crew2) one of the two aircraft that are flying in each other's vicinity, performs a conflict resolution manoeuvre and the other one is in the monitoring state and vice-versa (q1,crew1,q4,crew2) and (q4,crew1,q1,crew2) one of the two aircraft that are flying in each other's vicinity, performs a flight-plan deviation avoidance manoeuvre and the other one is in the monitoring state and vice-versa

MASA Inconsistencies (q5,crew1,q5,crew2,q5,atco) two crews of aircraft that are flying in each other's vicinity, simultaneously require a radio communication but the controller is engaged in another radio communication of sending radar vectors to a third crew. This situation may lead to a delay that may cause conflicts (q5,crew1,q5,crew2,q3,atco) two crews of aircraft that are flying in each other's vicinity, simultaneously require a radio communication but the controller is engaged in another radio communication of manoeuvre conflict resolution; this situation may lead to a delay that may cause conflicts (q2,crew1,q2,crew2,q2,crew3) three aircraft performing deviation from their corresponding RBTs while flying in each other's vicinity

Analysis of Critical Situations

Analysis of Critical Situations AFSM: Critical Relation among the agents: Space complexity:

Analysis of Critical Situations Reduced AFSM Â: Critical Relation among the agents: Space complexity:

Analysis of Critical Situations Critical Observers

Outcome of the analysis Hazards that can be detected (in the sense of critical observability): Failure of FMS (hazard no. 19) False alert of an airborne system (hazard no. 21) Hazards that cannot be detected: Failure of cockpit display and failure of the CPDLC (hazards no. 5, 63, 115 and 137) STCA or conflict alert is underestimated or ignored by the ATCo (hazards no. 254, 322 and 326) Misunderstanding of controller instruction by pilot (hazard no. 292)

Outcome of the analysis MASA inconsistencies that can be detected (in the sense of critical observability): Pairs of crew agents corresponding to aircraft that simultaneously perform a flight plan deviation avoidance manoeuvre while flying in each other s vicinity Triplets of agents, one of which is the ATCo agent, and two of which are the Crew agents that correspond with two aircraft flying in each other s vicinity while requiring a radio communication with the ATCo to receive instructions, but the ATCo is busy doing other activities

Outcome of the analysis MASA inconsistencies that cannot be detected: Pairs of crew agents corresponding with aircraft that simultaneously perform a conflict resolution manoeuvre while flying in each other s vicinity, or where one of the aircraft performs a conflict resolution anoeuvre while the other one performs a flight-plan deviation avoidance manoeuvre while flying in each other s vicinity, or where one aircraft performs a conflict resolution manoeuvre while the other one is in the monitoring state while flying in each other s vicinity, or where one aircraft performs a flight-plan deviation avoidance manoeuvre while the other one is in the monitoring state while flying in each other s vicinity. Triplets of Crew agents, corresponding with three aircraft performing deviations from their corresponding RBTs while flying in each other s vicinity.

Outline Mathematical framework for modelling and analysing complex ATM systems - Modelling - Analysis of hazards and MASA inconsistencies - Complexity reduction Application to the Terminal Manoeuvring Area (TMA) T1 operation Conclusion

Conclusion Conclusions Modeling and analysis of safety critical ATM operations A mathematical framework that appropriately models each agent acting in ATM procedures A compositional framework, based on arenas of finite state machines, models the interaction among the agents involved in ATM procedures that appropriately A mathematical framework, based on critical observability, to analyze hazards and MASA inconsistencies Complexity reduction for large-scale ATM systems Efficient algorithms, based on critical compositional bisimulation, for the reduction of the computational complexity arising in the analysis of realistic ATM scenarios involving a large number of agents To validate our approach we analyzed the TMA T1 operation and showed that not all hazards and MASA inconsistencies can be detected

2024 © sportdocbox.com Privacy Policy | Terms of Service | Feedback