Open access peer-reviewed chapter

How to Manage Failures in Air Traffic Control Software Systems

By Luca Montanari, Roberto Baldoni, Fabrizio Morciano, Marco Rizzuto and Francesca Matarese

Submitted: December 14th 2011. Reviewed: April 24th 2012. Published: August 1st 2012.

DOI: 10.5772/48685

1. Introduction

Collision risk estimation in airspace and mathematical modeling of mid-air collisions have been carried out for more than 40 years. During this period, mathematical models have been developed for the processes leading to possible collisions of aircraft flying nearby, in order to estimate the risk of collision.

B. L. Marks developed, in the early 1960s, the principles on which a collision risk model could be built. Marks' work was modified and enhanced by P. Reich and that model, later called the Reich model, has been the basis for many of the important developments in this field.

The Reich model uses information related to the probabilistic distributions of aircraft's lateral and vertical position, traffic flows of the routes, aircraft's relative velocities and aircraft dimensions to generate an estimate of collision risk. However, this model does not adequately cover situations where ground controllers monitor the air traffic through radar surveillance and provide tactical instructions to the aircraft crews. Furthermore, the problem of collision risk modeling in the analysis of “high traffic density” ATC scenarios is different to that of “procedural scenarios”, which have been developed by Reich and Brooker, amongst others. This is mainly due to the active role of Controllers in the first case. In this case positive control is used extensively to modify the planned aircraft route. This requires the inclusion in the model of “human factor response” behavior.

These "collision risk models" were initially applied in the 60s to determine safe separation standards between pairs of aircraft flying at the same altitude on parallel courses over the North Atlantic Ocean. Since then, new models have been developed and continually refined and improved. They have been applied for different geographic regions (USA, European airspace), for oceanic or radar environments, for different flight regimes (for example, high-altitude cruise and landing on close [10,11,12] and ultra close spaced runways [13,14]), for specific flight phases (focused, for example, on the separation between aircraft on final approach and landing, when flight risks are greater than during any other phase of flight), for different types of separation (vertical, longitudinal and lateral) and also for current and future operational concepts, such as free flight, airborne self separation, etc.

Most of these models, amongst them the formula proposed by Brooker for mid-air collision risk, involve the aggregation of terms comprising different factors related to: initiating events which produce defective flight paths; the probability of safety defenses correcting these defective flight plans; and traffic and kinematic scalers. But, as he indicates: “it does no more than spell out the mechanisms by which collisions logically have to occur. The hard problem is how to populate the parameters in the formulation with sensible numbers”.

Risk models have also been developed for the estimation of conflict probability (understood as the probability that the distance between a pair of aircraft becomes smaller than some specified minimum separation value). Paielli and Erzberger’s [20,21] emphasis was on the development of algorithms to numerically evaluate approximations of conflict probabilities. Prandini et al. [22,23] emphasized the analysis of the problem and distinguished three sub-problems of evaluating conflict probability.

The main point of conflict probability is its clear relation to a well known safety criterion in civil aviation: the separation minimum, which puts a requirement on the air traffic management system not to let aircraft come closer to each other than a certain minimum distance. In addition to minimum separation values, ICAO (International Civil Aviation Organization) has also defined limiting criteria for acceptable risk levels of fatal accident, and in particular, for the risk of mid-air collision [24]. The allowed probability values for such events are of the order of one mid-air collision or physical crossing per 10^9 flight hours.

Furthermore, some effort has been also devoted to the problem of aircraft conflict detection. An excellent survey of the different conflict detection and resolution schemes has been carried out by Kuchar [25,26], where the conflict detection schemes are classified according to the modeling method used for projecting the aircraft position in the future.

According to Brooker, mid-air collisions derived from radar inaccuracies are very rare, so to estimate their frequency, it is necessary to model the factors that might lead to such events. But this extremely low value makes it difficult to obtain reliable empirical results from a computationally reasonable amount of data.

As collisions are very unlikely events, most of the previous approaches to estimating collision risk were centered on simulation techniques applicable to rare event estimation, such as Monte Carlo simulations [27,28]. Nevertheless, simulations are not enough, as the components of the collision models have to be verifiable, i.e. match reality, and cautious. ‘Verifiable’ in the present context means that the model description can be demonstrated to match what happens in practice, and that most of the parameters in the model can be measured directly by analyzing air traffic patterns.

Some authors, like Dr. L. Burt, have formulated expressions that attempt to estimate Pa, distinguishing four different aircraft encounter geometries. The mathematical formulas are customized for these geometries, so they are only applicable to the circumstances for which they have been developed. They provide only an estimate of the average conditional probability of collision Pa and do not provide an individual value of Pa for each encounter. Therefore, this approach does not assess the severity of each individual potential encounter.

Other authors, such as Campos, have calculated the probability of coincidence for aircraft on arbitrary straight flight paths (either climbing, descending, or in level flight) with constant speed as an upper bound for the probability of collision. In this approach, the time and distance of closest approach are used to calculate the position for maximum probability of coincidence. In reference , the same authors illustrate the relationship between the aircraft RMS (Root Mean Square) position error and the minimum separation distance for achieving a certain Target Level of Safety (TLS) for low probability of collision.

Nevertheless, most of the research in this field has dealt only with the estimation of probabilities of conflict (before deliberate actions are taken to solve the conflicts) and with how these probabilities depend on aircraft separation standards. Different current and future Air Traffic Management operational concepts have been studied under this perspective in an attempt to reduce aircraft separation standards [32,33] or with the aim of designing proper avoidance maneuvers in order to maintain the prescribed minimum separation standards among aircraft [34,35].

The previous considerations give an idea of the complexity of using stored aircraft tracks, within a given scenario and time frame, to infer safety level, collision risk probability and associated system weaknesses. In most high density airspace scenarios recorded tracks can be obtained for all aircraft flying in it, for example, from Radar Data Processing systems (RDP). In fact, this provides us with a robust data source, which could be used for safety analysis. This could include indirect information which is closely related to the “human factor response”. Despite its importance, not much effort has been devoted to the development of risk and collision models based upon the analysis of the stored aircraft tracks.

Furthermore, it has to be considered that the distribution of aircraft position errors over their intended tracks is one of the most important factors in determining route safety, and consequently it has been broadly studied. Reference , for instance, presents a modeling technique to compute the probability density function of position errors as the aircraft proceed along the route taking into account not only the time dependence, but also all the factors influencing an aircraft's position errors, e.g., surveillance and navigation errors, surveillance fix rate, and air traffic control procedures.

Following the research line initiated on [31,37,38] by the mentioned previous work, the authors are developing a more detailed mathematical model for both components of probability of collision in a radar ATC (Air Traffic Control) environment.

2. Fundamentals behind probability of collision estimation

Jaroslav Krystul defines the risk as the probability of a particular adverse event occurring during a stated period of time. Usually, this is an event occurring when the system reaches a particular critical state. These events with a very small probability of occurrence are called rare events. Applying this definition to an ATC scenario, it is accepted that risk is closely related to those situations in which two aircraft are on a conflict course and would not only pass closer than the prescribed horizontal and vertical separation minima but would, in fact, collide.

The work presented here was originally inspired by the principle stated in  by B. L. Marks: “… the task of relating collision risk to a traffic configuration can be taken in two parts:

1. Determining the frequency with which aircraft are exposed to risk by passing close together; and

2. Determining what chance of collision is inherent in the passing”.

According to this idea, the probability of aircraft collision can be expressed as:

$$P(\text{collision}) = F_{eR} \cdot P(\text{pot.coll}/\text{pot.conf}) \cdot P(\text{coll}/\text{pot.coll}) \qquad (1)$$

where:

• FeR, Frequency of exposition to Risk, is considered here as the relative frequency with which an aircraft would potentially violate the separation standards defined for the particular situation, here referred to as potential conflict. It is easily seen that this value increases with the traffic density.

• P(pot.coll/pot.conf) is the conditional probability of a potential collision (pot.coll) between two aircraft that have previously violated the separation standards (pot.conf). Its value depends on the encounter kinematics and the uncertainties associated with predicted positions. It represents the intrinsic severity of the encounter and it is independent of the traffic density.

• P(coll/pot.coll) is the conditional probability of collision among potential collisions having failed all the safety barriers (ATC, TCAS) which are in place to mitigate the risk.

A time horizon is established within which all aircraft positions are projected to explore the existence of “potential conflicts”. In the following discussion a look-ahead time of 10 minutes has been considered. Accordingly, the relative frequency of potential collisions among potential conflicts F(pot.coll/pot.conf) could be expressed as:

$$F(\text{pot.coll}/\text{pot.conf}) = \frac{\text{Num. of pot. collisions}}{\text{Num. of pot. conflicts}} \approx E[P_a] \qquad (2)$$

where Num.pot.collisions is the number of aircraft that are about to collide (and will do if all safety barriers fail).

An initial expectation for probability of potential collision among potential conflicts, E(Pa), could be obtained as the relative frequency that two aircraft, on a conflict course, would not only pass closer than the prescribed horizontal and vertical separation minima, but would in fact collide. This expression provides an expected, or global, value and does not assess the severity of each individual potential encounter itself. This chapter proposes an approach to estimate the severity of the encounter using the conditional probability of a potential collision Pa for each particular aircraft encounter. This proposed approach aims at improving the previous works by:

• Providing an individual probability of collision for each individual encounter based on the: (1) geometry and kinematics of the encounter, (2) the minimum predicted lateral separation at the CPA, and (3) the minimum predicted vertical separation at the CPA.

• Taking into consideration the radar data errors and the segmentation errors.

2.1. Consideration of aircraft protection zones

As stated by Ennis, a protected zone represents a region around a given aircraft that no other aircraft should penetrate.

A simplification of the Bellantoni approach for the definition of a collision surface can be made by modelling the aircraft as a cylinder of diameter λxy and height λz as indicated in figure 1.

Two aircraft are taken as colliding if their cylinders touch. With this bounded and closed airspace region representing the aircraft, a “collision cylinder” can be defined as a larger cylinder of twice the dimensions represented in figure 1, and defined by height 2λz and radius 2λxy (see figure 2).

On the other hand, all high density traffic ATC scenarios have established minimum separation standards defined by two values, the minimum horizontal (R) and vertical (H) separations. When two aircraft are closer than these distances the ATC system is considered to have failed. These values (R, H) allow us to use another cylinder shaped protection model for all aircraft, which should be free of any other aircraft to fulfil these separation minima (see figure 3). This volume will be called the “conflict cylinder” as it is considered that two aircraft potentially violating these separations are exposed to risk.

During the en route phase of flight, for example, the conflict cylinder would be 5 nm in radius and 2,000 ft in height. However, these current minimum separation standards were determined many years ago and the method by which they were calculated is not well documented. Recently, Reynolds & Hansman identified factors involved in defining the aircraft separation standards and discussed the importance of accurate state information for controllers in maintaining them. Ennis & Zhao examined the physical compositions of the protected zone and presented a formal approach to the analysis of minimum separation standards.

A summary of the modelling cylinders defined so far is presented in the following table.

When civil aircraft are climbing or descending, it is considered that pitch angles are small and so, vertical and horizontal dimensions have small changes. Therefore, all the “modelling cylinders” will be considered as horizontal, as indicated on figure 4.

As all the cylinders are considered parallel, the length and surface ratios among them will be constant when they are projected onto any plane.

| Cylinder | Diameter | Height |
|---|---|---|
| Aircraft representation | λxy | λz |
| Collision | 2λxy | 2λz |
| Conflict | 2R | 2H |

Table 1. Modelling cylinders definition.

3. Derivation of a general expression for probability of collision (Pa)

In order to obtain a general expression for Pa, an impact plane is defined as a generic projection plane containing the centre of the reference aircraft ACi (assumed static) and perpendicular to vji (the relative velocity vector between the two aircraft i and j involved in the proximity event). Additionally, the collision area is defined as the projection, onto the impact plane, of the collision cylinder (2λxy, 2λz). If the conflict cylinder is centred on ACi, so that its centroid coincides with that of the aircraft, the conflict area can likewise be defined as the projection of the conflict cylinder (2R, 2H). The CPAp (Closest Point of Approach Projection) is a point with coordinates y1p and z1p obtained by projecting the intruder aircraft. Figure 5 shows that a conflict will occur if ACj encounters the stationary conflict area, that is, if the CPAp coordinates (y1p, z1p) are inside the conflict area. In the same way, a collision will occur if ACj encounters the stationary collision area, that is, if the CPAp coordinates are inside the collision area.

Considering the changes in the CPA coordinates due to radar and radar data segmentation errors, the probability of potential collision for an intruder aircraft that has violated the separation standards and whose projection consequently hits within the conflict area can be calculated as:

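$$P_a(y_{1p}, z_{1p}) = \iint_{S_{PCF}} dP_1P_2 \approx S_{PCOL} \cdot \iint_{S_{PCF}} f_1(y'_{1p} - y_{1p},\, z'_{1p} - z_{1p}) \cdot f_2(y'_{1p}, z'_{1p})\, dy'_1\, dz'_1 \qquad (3)$$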

This equation provides an individual probability of collision based on:

• geometry and kinematics of the encounter (SPCOL),

• the predicted minimum lateral separation at the CPA (y1p), and

• the predicted minimum vertical separation at the CPA (z1p).

It takes into consideration the two probability density functions that characterise the lateral and vertical segmentation errors and the lateral and vertical projection errors.

As a result, the bi-dimensional probability density function of the CPAs can be derived from the previous equation as:

$$f_a(y_{1p}, z_{1p}) = \iint_{S_{PCF}} f_1(y'_{1p} - y_{1p},\, z'_{1p} - z_{1p})\, f_2(y'_{1p}, z'_{1p})\, dy'_1\, dz'_1 \qquad (4)$$

Where:

• fa is the bi-dimensional probability density function of the CPAs,

• y1p is the minimum predicted lateral separation at the CPA,

• z1p is the minimum predicted vertical separation at the CPA,

• SPCF is the conflict area

• f2(y1,z1) is the probability density function, representing the distribution of y1p and z1p coordinates errors due to the errors in the segmentation process, and

• f1(y’1p,z’1p) is the statistically determined bi-dimensional probability density function (pdf) of the CPA’p coordinates (y’1p,z’1p) for each projected segment associated to an individual encounter.

Both expressions estimate the probability of potential collision, having a potential separation violation (potential conflict), for each aircraft encounter, provided that uncertainties in the projection of segmented trajectories and in the segmentation process have been characterised by associated pdfs, f1 and f2, respectively.

4. Results and discussion

The previous mathematical formulation is supported by the previously mentioned ad-hoc software, which has been developed by the authors for Eurocontrol in the framework of the 3D-CRM programme. This software is intended to measure the collision risk in high density ATC en route airspace, based on an analysis of the stored aircraft tracks that have flown in it within a given time frame.

With the purpose of evaluating the mathematical expressions to estimate the probability of collisions, the previously mentioned software tool has been applied to a radar data sample from the Maastricht Upper Area Control Centre (MUAC). EUROCONTROL’s Maastricht Upper Area Control Centre (MUAC) is a regional air traffic control centre providing seamless air navigation services in the upper airspace (above 24,500ft) for a large (approximately 700,000 square kilometres) multinational airspace in Europe. An advanced and complex ATC automated system named MADAP (Maastricht Automated Data Processing and Display System) is the technical enabler responsible for managing, processing and presenting in real time information relating to the air traffic flows in the whole area. MADAP performs centralized multi-radar tracking using the information provided by a large number of radars and computes a high quality air traffic situation. In MUAC, a unique horizontal separation standard of 5 NM is used throughout the total area of responsibility. The vertical separation minimum of 1000 ft. is used.

4.1. Empirical estimation for Pa

The general expression of expected Pa is calculated numerically from the relative frequency of potential collisions among all potential conflicts using the following equation:

$$E[P(\text{pot.coll}/\text{pot.conf})] = E[P_a] \approx \frac{\text{Num. of pot. collisions}}{\text{Num. of pot. conflicts}} = \frac{19}{35166} = 5.4 \cdot 10^{-4} \qquad (5)$$

Figure 8 illustrates the bi-dimensional histogram obtained for the projected horizontal and vertical separations at the CPA over the whole data period analysed. As shown, the number of potential conflicts is higher for encounters between aircraft established at the same flight level (0 ft vertical separation) and, as well, between aircraft having 2.5 and 5 NM of lateral separation. It can also be noticed that the number of encounters having 1000 ft separation is higher than for any other vertical separation except 0 ft. This is easily understood when taking into account that within the en-route airspace aircraft are in level flight most of the time (namely always 1000 ft apart between contiguous flight levels). If safety barriers had not been applied, the number of collisions would have been 19. The area used to compute the number of potential collisions is shown enclosed by a red dotted circle.

Figure 8. Histogram of projected horizontal and vertical separations at the CPA (31 days of radar data).

4.2. Pa estimation for each aircraft encounter

Once the empirical general or expected value for Pa has been obtained, Pa was estimated for each particular encounter by the next expression.

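$$P_a(y_p, z_p) = 4\lambda_{xy}\lambda_z \frac{v_x}{\sqrt{v_x^2 + v_z^2}} \left[1 + \frac{\pi}{4}\frac{\lambda_{xy}}{\lambda_z}\frac{v_z}{v_x}\right] f_2^*(y_p, z_p) = 2\lambda_{xy} f_{2y}(y_p) \cdot 2\lambda_z f_{2z}(z_p) \cdot \frac{v_x}{\sqrt{v_x^2 + v_z^2}} \left[1 + \frac{\pi}{4}\frac{\lambda_{xy}}{\lambda_z}\frac{v_z}{v_x}\right] \qquad (6)$$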

This equation provides an individual probability of collision based on:

• kinematics of the encounter (ratio of vz to vx),

• the predicted minimum lateral separation at the CPA (yp), and

• the predicted minimum vertical separation at the CPA (zp).

It also takes into consideration the segmentation of lateral and vertical errors (f2y and f2z).

A result for Pa estimation for a level flight encounter is shown in the upper part of figure 8. In this case, when the CPAp coordinates (yp, zp) are very close to the reference aircraft (ACi), the estimated value of Pa reaches 3*10^-2. This value is two orders of magnitude higher than the empirical expected result (5.4*10^-4), but it decreases strongly as the predicted CPAp moves away from ACi, resulting in values much lower than the empirical one. In the lower part of this figure, the graphs show the case in which one or both aircraft are climbing/descending but with a vz/vr ratio close to zero; it can be seen that, regardless of the decrease in the maximum value of Pa (7*10^-3), it is still greater than the empirical expected result for Pa. Furthermore, the probability of collision remains significant for CPAp whose yp coordinates are close to zero but whose zp coordinates are separated from ACi. Pa estimation for encounters having two different aircraft climbing/descending (vz/vx) ratios is shown in figure 9.

Figure 9. Pa estimation for different CPAp. Aircraft established at a defined flight level or vz equal to zero (upper) and aircraft with vz close to zero (lower).

Despite the fact that the shapes of both functions for Pa are similar to the one obtained in the lower part of figure 10 (aircraft climbing/descending and vz/vx close to zero), the maximum values for Pa are different in the two cases (9*10^-3 for vz/vx=0.1, and 2*10^-2 for vz/vx=20), showing that the maximum values of Pa for CPAp close to the reference aircraft (ACi) have a decreasing trend when the vz/vr ratio increases. The following table summarises the results obtained from empirical and estimated Pa for the worst case, that is to say Pa for predicted CPAp=(0,0).

The results clearly show that it is unrealistic to assign the same probability of potential collision to all potential conflicts, independently of the predicted coordinates for the CPA, no matter how these coordinates have been derived.

| Case | Pa |
|---|---|
| Empirical result for expected Pa, E[Pa] | 5.4·10^-4 |
| Estimated Pa for CPAp=(0,0) and level flight | 3·10^-2 |
| Estimated Pa for CPAp=(0,0) and vz/vx ≈ 0 | 7·10^-3 |
| Estimated Pa for CPAp=(0,0) and vz/vx = 0.1 | 9·10^-3 |
| Estimated Pa for CPAp=(0,0) and vz/vx = 20 | 2·10^-2 |

Table 2. Worst case Pa estimation.

Figure 10. Pa estimation for different CPAp. Aircraft climbing/descending and different vz/vx ratios. vz/vx=0.1 (upper), vz/vx=20 (lower).

4.3. Expected Pa estimation for a given scenario and traffic sample

When a collision risk analysis is applied to a representative aircraft population, using segmentation of their stored radar tracks, a 2D histogram of projected horizontal and vertical separations at the CPA can be obtained, as shown in figure 8. This histogram provides a first approach for expected Pa using equation (4), which is the way we obtained E[Pa]=5.4*10^-4 (this value can be taken as the reference value for Pa). If the histogram exhibits a close to uniform distribution, it can be understood that any “generic” potential conflict would become a potential collision with the same probability. It is also possible to propose a different approach to establish the expected value for Pa in a given scenario and for a given aircraft population, discussed below.

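$$E[P_a] = \frac{1}{N}\sum_{ji} P_a(y_{ji}, z_{ji}, r_{ji}) = \frac{\lambda_{xy}\lambda_z}{N}\sum_{ji}\left[1 + \frac{\pi}{4}\frac{\lambda_{xy}}{\lambda_z} r_{ji}\right] f_{2y}(y_{ji})\, f_{2z}(z_{ji}) = \frac{\lambda_{xy}\lambda_z}{N}\sum_{ji}\left[1 + \frac{\pi}{4}\frac{\lambda_{xy}}{\lambda_z} r_{ji}\right] f_{2y}(y_{ji})\, f_{2z_{ji}}(z_{ji}) \qquad (7)$$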

Where Pa(yji,zji,rji) is the individual probability of each potential collision where:

• rji=vz/vx is the ratio between vertical and horizontal relative speeds,

• f2zji the probability density function applied to each aircraft encounter (between each pair of aircraft, i and j).

When this equation is applied to the previous MUAC data sample, the expected value for Pa is 8.2*10^-4, which is slightly higher than the empirical results.

5. Conclusions

This chapter analyses in detail the inherent collision risk involved in each aircraft proximity event by assessing the conditional probability Pa of a potential collision between aircraft that are exposed to risk, that is to say, aircraft that are potentially going to violate the separation standards defined for a specific airspace if no corrective action is taken. The proposed approach allows the determination of the severity of each aircraft encounter as the probability of potential collision for each individual aircraft encounter in high density ATC en route airspace, based on an analysis of the stored aircraft tracks that have flown within a given time frame. The authors propose a mathematical formulation to characterise the severity of each aircraft proximity event using the convolution of the bi-dimensional probability density function of the predicted Closest Point of Approach between the aircraft involved and the distribution of lateral and vertical error in the projected position of the aircraft.

The presented work aims to provide an individual probability of collision based on the geometry and kinematics of the encounter and the minimum lateral separation and the minimum vertical separation at the predicted Closest Point of Approach or CPA. The formula takes into consideration uncertainties introduced by the radar data error and the segmentation error. The results of this chapter show that the severity is not the same for all the proximity events in which aircraft pass closer than the prescribed horizontal and vertical separation minima, and also that the expected severity for a given scenario and traffic sample can vary depending on the kinematic characteristics of the aircraft involved within this scenario.

It is also considered that collision risk for high density of air traffic can be analysed from the estimation of three different factors:

• Relative frequency of exposition to risk (FeR). The value of this factor can be easily obtained from any radar data sample and strongly depends on the minimum applied horizontal and vertical separations standard and increases with air traffic density,

• Expected severity E(Pa). This value can be directly derived from individual probabilities of potential collision (Pa). Furthermore, having individual severities, it also permits additional assessment on safety (hot spots identification, etc.).

• Expected probability of failure of safety barriers (ATC, TCAS, etc.)

As the first two factors can be derived from the stored tracks of the traffic sample, using the software tool developed by the authors, further work is now devoted to developing the probability of failure of the ATM safety barriers. Once the probability of failure has been stated and validated, it will be possible to estimate the collision risk for individual encounters, scenarios and air traffic samples. Results obtained for MUAC, with the data sample used in the previous discussion, exhibit a rounded value for the frequency of exposition to risk of FeR=0.3. The probability of potential collision among encounters exposed to risk, Pa, or its expected value E(Pa) for the same sample, oscillates between 8.2*10^-4 (expected) and 2*10^-2 (worst case). These results demand a probability of “safety barrier failure” lower than 0.4*10^-5 and 1.7*10^-7 respectively, to reach the ATM en route target level of safety of TLS=10^-9. This last value is normally the one used as TLS. For instance, in reference (Eurocontrol, 2006) the mid-air collision accident frequency (per flight) is given as 5.4*10^-09, specifying that, among them, the frequency of fatal accident directly caused by ATC (per flight) is 3.5*10^-09.
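Equations (1), (5), (6) and the first equality of (7), carried through numerically as an added worked example; this is not the authors' 3D-CRM software. The Gaussian form of f2y and f2z, the aircraft dimensions, the sigma values and the sample encounters are constructed assumptions, and the collision area is written in a form algebraically equal to the bracketed factor of (6) so that it stays finite when vx = 0.

```python
import math

# Constructed values for illustration only (not taken from the chapter); metres.
LAMBDA_XY = 60.0   # aircraft cylinder diameter (lambda_xy)
LAMBDA_Z = 20.0    # aircraft cylinder height (lambda_z)
SIGMA_Y = 400.0    # std. dev. of lateral error pdf f2y (assumed Gaussian)
SIGMA_Z = 40.0     # std. dev. of vertical error pdf f2z (assumed Gaussian)

# Constructed encounters: predicted CPA offsets (m) and relative speeds (m/s).
ENCOUNTERS = [
    {"yp": 0.0, "zp": 0.0, "vx": 200.0, "vz": 0.0},      # level, head-on CPA
    {"yp": 900.0, "zp": 30.0, "vx": 150.0, "vz": 5.0},   # shallow climb
    {"yp": 4000.0, "zp": 300.0, "vx": 220.0, "vz": 0.0}, # level, far apart
    {"yp": 200.0, "zp": 150.0, "vx": 10.0, "vz": 12.0},  # steep relative path
]


def projected_collision_area(lam_xy, lam_z, vx, vz):
    """Collision cylinder (diameter 2*lam_xy, height 2*lam_z) projected on the
    impact plane. Equal to 4*lam_xy*lam_z*(vx/s)*[1 + (pi/4)(lam_xy/lam_z)(vz/vx)]
    from equation (6), expanded so that vx = 0 does not divide by zero."""
    vx, vz = abs(vx), abs(vz)
    speed = math.hypot(vx, vz)
    if speed == 0.0:
        raise ValueError("zero relative velocity: no closest point of approach")
    side = 4.0 * lam_xy * lam_z * vx / speed   # rectangular side view
    cap = math.pi * lam_xy ** 2 * vz / speed   # circular end cap
    return side + cap


def gaussian_pdf(x, sigma):
    """Zero-mean Gaussian density, the assumed shape of f2y and f2z."""
    return math.exp(-0.5 * (x / sigma) ** 2) / (sigma * math.sqrt(2.0 * math.pi))


def pa_encounter(yp, zp, vx, vz, lam_xy=LAMBDA_XY, lam_z=LAMBDA_Z,
                 sigma_y=SIGMA_Y, sigma_z=SIGMA_Z):
    """Equation (6): collision area times the error density at the predicted CPA.
    Clamped to 1 because area * density is an approximation, not an integral."""
    area = projected_collision_area(lam_xy, lam_z, vx, vz)
    return min(1.0, area * gaussian_pdf(yp, sigma_y) * gaussian_pdf(zp, sigma_z))


def expected_pa(encounters):
    """First equality of equation (7): mean of the individual Pa values."""
    if not encounters:
        raise ValueError("no encounters in the sample")
    values = [pa_encounter(e["yp"], e["zp"], e["vx"], e["vz"]) for e in encounters]
    return sum(values) / len(values)


def empirical_expected_pa(n_pot_collisions, n_pot_conflicts):
    """Equation (5): relative frequency of potential collisions."""
    return n_pot_collisions / n_pot_conflicts


def required_barrier_failure(tls, fer, pa):
    """Equation (1) solved for P(coll/pot.coll): TLS = FeR * Pa * P(barriers fail)."""
    return tls / (fer * pa)


if __name__ == "__main__":
    for e in ENCOUNTERS:
        print(e, "Pa = %.3e" % pa_encounter(e["yp"], e["zp"], e["vx"], e["vz"]))
    print("E[Pa] over constructed sample: %.3e" % expected_pa(ENCOUNTERS))
    print("Empirical E[Pa] (19 of 35166): %.3e" % empirical_expected_pa(19, 35166))
    # Figures quoted in the conclusions: FeR = 0.3, TLS = 1e-9.
    for pa in (8.2e-4, 2e-2):
        print("Pa = %.1e -> barriers must fail with p < %.2e"
              % (pa, required_barrier_failure(1e-9, 0.3, pa)))
```

Only the last three printed lines use figures from the chapter; the per-encounter values depend entirely on the constructed dimensions and error pdfs.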

How to cite and reference

Luca Montanari, Roberto Baldoni, Fabrizio Morciano, Marco Rizzuto and Francesca Matarese (August 1st 2012). How to Manage Failures in Air Traffic Control Software Systems, Advances in Air Navigation Services, Tone Magister, IntechOpen, DOI: 10.5772/48685. Available from:
