This chapter describes a collision risk model (CRM) of airspace scenarios to describe their safety levels when populated by given air traffic. The model requires the use of representative data, containing a description of the flown aircraft trajectories. It is a combination of deterministic and probabilistic mathematical tools able to estimate the level of safety. Furthermore, the model captures the frequency and spatial distribution of the encounters and conflicts, the time in advance the conflict is identified and the overall reaction time of the Air Traffic Control ATC system, and finally, the effectiveness of the ATC as safety layer. The model considers that the risk of an air miss depends on two different factors: on the one hand, the frequency of exposure to risks and, on the other, the chance of collision associated to this exposure. The exposure to risk is captured following a deterministic data-driven approach, whereas the associated chance of collision is derived from a statistical mathematical model, fed by the kinematics of the encounter and the statistics associated to the accuracy of the aircraft state vector when following a planned trajectory.
- air miss
- safety barrier
- level of safety
Air miss in the airspace has been studied for decades since Marks  and Reich  formulated mathematically the collision risk probability associated with parallel route structures during the early 1960s. The Reich approach was used as the reference model by ICAO to determine the minimum safe separations applied in the ICAO NAT region. As E. Garcia  identified, it was during the 1990s when a new wave of different theoretical studies was introduced extending the Reich approach to more complex airspace scenarios [4, 5, 6, 7, 8, 9].
None of these models though consider scenarios with positive control, where the a priori planned trajectory is usually continuously monitored and modified, as it is required in high-density controlled airspaces, in order to maintain the demanded flow throughput safely.
Just by using statistical concepts applied to aircraft, flying their planned trajectories with some degree of uncertainty, it is not feasible to capture the intrinsic complexity of the traffic flows flying planned trajectories but dynamically adapted to accommodate the airspace demand-capacity balance problems.
Currently, complexity is derived from reports provided by the controllers and pilots involved in the incidents, from which the mid-air collision risk is estimated. These incidents are extremely rare events, which make them infeasible to derive any reliable statistics. Furthermore, not all incidents are reported, making it difficult to infer how many true incidents have really occurred. Finally, the used incident classification is ranked according to how close the involved aircraft finally were, omitting any associated kinematics, which could provide us with more representative information about risk.
This chapter describes how to estimate the probability of mid-air collision plus additional helpful information, used to estimate the safety level of given airspace when populated with a sample of air traffic. The process is based on an integrated hybrid approach, using flights stored in a database and a stochastic mathematical collision risk model. The database containing the trajectory description for the traffic sample is used to empirically determine the conflicts or encounters from which the frequency of risks (FoR) and the kinematics of the aircraft involved in these encounters can be determined. Whereas the mathematical model is used to estimate the probability of collision associated with each aircraft encounter, and from them the global probability of air miss , Figure 1 describes the whole process:
Risk is here understood as any event that requires immediate reaction to avoid a dangerous situation which has the potential to cause damage or harm. In particular, regarding mid-air collisions, it refers to any situation where two or more aircraft are evolving toward a loss of separation; if not corrective action is taken.
Nowadays there are different databases from which the encounter identification and characterization can be derived. They can be grouped into two families: surveillance data files, describing the aircraft trajectories by a sequence of 3D + T positions for all flights at time intervals (around every 5 s), and on event data files, containing 3D + T positions or all flights at any time the aircraft speed vector changes, for example, the Demand Data Repository 2 (DDR2) of Eurocontrol. This chapter applies the results to a particular case of use, with the purpose of showing the value of the model as a powerful safety tool. There are different tools that allow us to identify and characterize the encounters from these databases, for example, the Eurocontrol’s Network Strategic Tool (NEST) uses DDR2 to this end. In this work, the used tool was developed by E. Garcia .
2. Risk mitigation in a defensive ATM structure composed of layers and barriers
James Reason proposed in his Swiss cheese model (SCM)  that accidents and incidents can be traced through up to four different domains: organizational influences, supervision, preconditions, and specific acts. Accidents and incidents in the airspace caused by the air traffic management (ATM) are known as “air miss,” and they represent a safety issue or a risk. Safety is then usually measured by its absence, using the risk as key indicator.
Safety in ATM has two opposite sides: negative and positive. The first is given by air miss caused by the ATM system failure. Luckily, as for all safety-critical systems, these are always rare events, and removing them, as much as reasonably possible, is the main objective of the safety sciences. The positive side of safety, on the other hand, relies on the background of these systems evaluated by its intrinsic resistance to operational risk.
Within ATM, the ICAO’s Annex 19 and the Safety Management Manual [12, 13] contain the required guidance, to be used by practitioners, for measuring the safety’s negative side and, as well, the intrinsic resistance to risk. Derived from these documents, ATM organizations have built up the safety management systems (SMS) that, among others, deal with risk and risk events and how to make the ATM system more resistant to risks, based on these.
As previously mentioned, risk means in this chapter any dangerous situation that arises from hazards and requires immediate reaction, while hazard is something, such as a physical object, environmental variable, or a state of a process, that causes or leads to problems. In general terms, it can be stated that the airspace, particularly in high-density volumes, is hazardous, because there are objects (aircraft) sharing it, where weather conditions, or other unplanned events, might drive changes in their initial flight plans, and then, the operations have to be adapted in real time to ensure the safety while handling the required system throughput, even under the uncertainties derived from these and other circumstances.
ATM contains three different “defensive” big layers; air space management (ASM), air traffic flow management (ATFM), and air traffic control (ATC), all of them devoted to reduce the hazards and, when cannot be removed, the likelihood of risks produced by those hazards and the severity of such a risks. Briefly, it can be summarized that the ASM layer function is to determine the volumes (airspace availability) and the required conditions under which aircraft can operate within them safely. Complementary, ATFM layer is devoted to the function of making compatible the demand for flights with the available capacity of airspace and airports in the so-called demand-capacity balancing process. Finally, the ATC layer is looking after the separation between any pair of aircraft and ensuring they are always flying with these separations above the applicable minima while maintaining the system throughput and the efficiency of flights.
Within the ATC layer then, pilots and air traffic controllers are working together to minimize the likelihood of having an “air miss” or a loss of separation. ATC as such usually contains different safety barriers, for instance, MTCD and STCA, and beyond these ATC barriers, commercial aviation has an additional technologically supported barrier: the TCAS. Beyond that, the see and avoid and the providence are the very last chances to avoid an accident. Any foreseen air miss finally sorted becomes a “near air miss” or “near miss.”
The layered scheme presented above (Figure 2) indicates that the design of the ATM system is driven by safety. The knowledge about the contributions to the safety provided by each layer or barrier is then a paramount target in the assessment of the ATM safety performance.
This chapter focuses its interest in establishing a method to derive the level of safety produced by the ATC safety layer when a volume of airspace was populated for a given sample of flights, executing their actual trajectories, during a given timeframe. It is assumed that the sample of flown trajectories has been stored in a database.
3. Risk identification: conflict
Risk is then any dangerous situation that arises from hazards where the safety is compromised and demands an immediate reaction. When it is applied to air misses, risk is considered as any situation where two or more aircraft are in course of losing the required separation minima in the coming minutes. These events are referred here as “conflicts.”
Obviously, when we use stored data, containing just flown trajectories, almost all of them are “conflict-free,” as during their operation, the pilots and controllers, supported when required by the safety barriers, reacted and removed all of them, and, as a consequence, there aren’t dangerous situations recorded, reflecting in a hidden manner the effectiveness of the operational personnel and safety barriers but nothing regarding how hard they worked out.
This lack of information has to be sorted by performing some kind of inference to unveil where and when the conflicts appeared and how they were sorted. If the available data source contains not only the actual flown trajectories but also the planned trajectories, then it would not be so complicated to derive when a change in the expected trajectory is driven by a reaction to a conflict. But if the planned trajectories are not known, the conflict identification is inferred from the following process.
Most of the stored flown trajectories exhibit a uniform behavior during most of their flight time, that is, except for some short intervals, where the aircraft changes their vertical speed or heading, the rest of the time they broadly follow the law of the uniform movement. Consequently, the stored trajectories can be approached by an ordered sequence of straight lines (assuming flat Earth), flown at constant speed, connected by events or “joints” where some change of the vertical speed or heading is registered . This model is perfectly suited for en route airspaces but can have some limitations at terminal manoeuvre areas (TMAs), where the straight segments can be modeled by polynomial splines . It should be remarked that the initial data, containing aircraft positions every few seconds, is now transformed into the mentioned ordered sequence of segments parameterized with time.
Once the flown trajectories are represented by this sequence of segments parameterized with time, the current and expected positions within a predefined look ahead time (LAT) can be determined at any time (see Figure 3). Hence, at each time, the positions for all aircraft within the chosen LAT are well defined, and the existence of conflicts in such a time horizon can be captured.
There are different elements that characterize any conflict as:
The look ahead time (LAT), the chosen timeframe during which the current position is extrapolated, assuming uniform movement, determining the expected “short-term” trajectories of the aircraft
The involved aircraft, usually two, discretionally named as the reference aircraft (ACi) and the intruder aircraft (ACj)
The closest point of approach (CPA), the physical situation in the airspace where the two involved aircraft are (or are expected to be) at minimum distance. Note that CPA encloses the 2 physical points, representing the positions of both aircraft, the distance between them, and the time of occurrence
The time to CPA, the remaining time until the involved aircraft reach the CPA
The LAT is a key parameter that has to be adapted to the characteristics of the assessed airspace, for instance, in en route airspace, the aircraft follows extensively the assumption made considering uniform movement, unless something unexpected happens (weather, other traffic, etc.) and then extrapolating the current position through along LAT seems acceptable, say, for example, 10 min. On the other hand, in high-density TMAs, the flown trajectories have shorter straight segments, which means that is not realistic to extrapolate the current position with such LAT but with values around 2 min or less. The best value for the LAT has to be derived from the observation of the flown trajectories in the airspace of interest, establishing the average time the aircraft has been flying following uniform movement.
4. Characterization of conflicts
Working with trajectories as straight lines, parameterized with time, makes rather simple and computationally fast, using linear geometry, to find out the minimum distance between them and the time it happens. It is then applicable to explore for encounters or aircraft crossings, and particularly conflicts, at any time (t), using the chosen LAT, just by extrapolating the position at this time (t) up to (t + LAT) and computing for all flights the minimum distance between possible pairs. If this distance is equal to or below the applicable separation minima, then it is declared as a conflict; otherwise, it will be a crossing.
In high-density airspaces, the separation minima are defined by building up a protection cylinder around aircraft, which shall remain free at all times of other aircraft. For example, typical dimensions for such a cylinder are a radius of 5 nautical miles (NM) and height of 2000 feet (ft), considering the aircraft in the center. From now on, this cylinder will be named as “conflict cylinder.” Analogously, the “collision cylinder” is defined by using as horizontal (λxy) and vertical (λz) values the characteristic dimensions of the aircraft (see Figure 4).
The conflict or collision events characterization can be better observed when referred to reference aircraft (ACi) axes rather than when referred to the local axis (Earth fixed). Two reference frames fixed to ACi are used, vertical (x,y,z) reference frame and the projection frame (x1, y1, z1).
The vertical reference frame is defined by the local vertical axis (Oz). Then, the horizontal axis (Ox) is perpendicular to Oz and contained in the plane defined by this axis (Oz) and the vector velocity of the intruder (ACj) relative to ACi (). And the (OY) horizontal axis is perpendicular to the other two axes. From this vertical frame, the projection frame (x1, y1, z1) is obtained by rotating through (Oy) axis the vertical plane (y, z) until the (Ox) axis is parallel to (). Let us call the resulting (y1, z1) plane “impact plane” where the intruder (ACj) will hit this plane just when they reach the CPA.
Figure 5 shows an encounter between the reference aircraft (ACi) and the intruder (ACj), where the intruder is approaching the reference with a relative velocity (). The reference aircraft (ACi) has been represented with its collision (in yellow) and conflict volumes (not in scale) on the top left-hand side. On the bottom right-hand side, the projections of such cylinders onto the impact plane (y1 z1) are presented. As can be seen, depending on the foreseen impact of the intruder on the impact plane (red dot), the severity of the encounter can be derived, allowing, in a deterministic way, to establish if the intruder is in a course of having a conflict or even a collision or just a crossing without compromising the separation minima.
Applying the above method, the author and others  over a particular traffic sample of 1 month flying over Maastricht airspace (MUAC) that included 131,151 flights and 47,078 flown hours obtained the results shown in Figure 6.
From these results, the frequency of risk or FoR (situations requiring corrective action) is around 0.27, and the rounded frequency of air miss or near air miss is.
The above description presents and aggregated deterministic model providing relevant information about the number of initial safety issues (conflicts and near-miss) for a particular traffic sample, flying in a given airspace, just by using the stored flights in the form of surveillance data files or on event data files. In the example, the former was used.
The method proposed ignores many elements that are essential to unveil relevant information related to the actual safety level of the scenario, populated with the sample of traffic, as:
Kinematics of the encounter (relative velocity)
The available time until reaching CPA when the conflict was initially detected
The time taken by ATC to remove the conflict condition or the time to CPA when it was sorted
Uncertainty of the current and, particularly, the extrapolated position of aircraft
This information is singular for each encounter, but some aggregations illustrate relevant characteristics related to safety.
5. Time evolution of conflicts and the safety barriers
The method of using current positions at any time, and their extrapolated positions, allows to track the evolution of conflicts while evolving toward the CPA . There is neither common criteria nor common characteristics of the safety barriers applied in ATC. Although STCA is broadly applied, each ATC system can have a different value of the time to CPA value that triggers this alert to the controller (between 90 and 120 sec.). MTCD is a supporting tool that has not been always welcomed by controllers, and then, it is omitted in the following discussion, using instead the operational pre-tactical and tactical barriers (Figure 7).
Typically, in an ATC center, the controllers try to remove the conflicts as early as possible; this criterion is limited by the uncertainty associated with the extrapolation of the current aircraft positions. Some of the identified conflicts might not be actual conflict; then taking the removal decision of such uncertain conflict far in advance introduces undesirable disturbances in the aircraft planned trajectories. This is why operationally it is usually considered that a conflict sorted before around 4 min prior to reaching the CPA is a pre-tactical ATC action. On the other hand, some conflicts appear with a very short term in advance, even with times to CPA below these times.
When the removal of the conflict is taken later, but before reaching 2 min to CPA, then it is said it has been solved at the tactical level. Around these 2 min, most ATC systems provide the controllers with the STCA tool that triggers an aural and visual alert, preventing them that they shall take immediate corrective action.
When all the above barriers have failed, and the thread of an air miss remains, the involved aircraft triggers the TCAS TA just when the time to CPA reaches around 48 s. Once a TCAS TA is triggered, the aircraft still shall follow the controller instructions, but if the situation remains and the time to CPA reaches 35 s, the TCAS will trigger the RA and indicates to the involved pilots the vertical maneuver they shall follow; once RA is triggered, these pilots shall ignore any further instruction by the controller.
In the brief previous discussion, the relevance of exploring the relative frequency of unsuccessful removal of conflicts by a given safety barrier becomes clear.
Figure 8 shows a scatter plot with the number of conflicts for each time to go to CPA when the conflict was identified, the associated reaction, and the time required to sort it. The data used was drawn from the same sample than in the previous example.
As observed, most of the conflicts (33,185 AC out of 35,166) are identified with more than 4 min before the CPA, although there are some “sudden” conflicts that appear with less than 4 min and more than 2 min (1763 AC), and even there are those arising between 2 min and 45 s before reaching the CPA (190 AC), the latest demanding urgent attention. The figure also shows that few of them were not solved and reached the CPA without ending in an air miss. This fact (those cases represented over the diagonal of the graph) indicates that the separation minima were infringed, which is an ATC failure, but the involved aircraft still crossed each other with enough separation to avoid the air miss.
Additionally, Figure 8 shows that around 88% (31,109 AC enclosed by the box) of the conflicts were identified between 5.5 and 10 min to go to the CPA and sorted in a time between 30 s and 2 min and 15 s.
Figure 9 represents the times used in the previous discussion, relative to the CPA time.
Barragan  studied the value of the frequency of conflicts associated with their time to go to CPA and the overall reaction time to produce precursors about the safety status of airspace volumes. Clearly, the airspace where conflicts are identified soon, when the involved aircraft is still far from reaching the CPA, and the overall reaction time to remove them is small exhibits good behavior, whereas if the former decays and the latter grows, some concerns should have risen about the safety in this airspace. Summarizing, if is big (above 4 min) and small (below 2 min) and condition applies, then the ATC safety barriers are working properly; otherwise, some concerns arise.
6. Measuring the effect of the safety barriers
The previous section presented the time evolution of the airspace conflicts for a sample of traffic, deriving some deterministic results. This information unveils the degree of stress under which the controllers dealt with the air traffic encounters contained in the sample. The model is able to provide as well the effectiveness of the safety barriers comparing the predicted separation of the involved aircraft (at the CPA), when the conflict was identified, with the final separation of those aircraft that crossed each other. Figure 10 shows the three-dimensional results.
The red dot in the bottom of Figure 10 is defined by the coordinates:
|Predicted horizontal separation (NM)||Actual horizontal separation (NM)||Number of conflicts|
The sample then contains, among all conflicts having a “Predicted Horizontal Separation” of 0NM, 3 conflicts that finally had an actual separation of 5NM.
The bottom part of vertical plane, represented by red dotted lines, shows only two conflicts (the little peaks) with predicted horizontal separations of 2 and 4 NM that finally had an actual separation of 4NM. It can be also observed that there are no conflicts with an actual separation equal to or below 3NM.
All the sections above use a simple linear model over the database to extrapolate the current aircraft positions until the LAT and take the resulting segments, containing the time as parameter, to determine the separation between all possible aircraft pairs. If the separation is below the required minima, then a conflict is declared, and the key elements of it are retained to perform the assessment presented for a particular case of use.
Of course, as has been shown, relevant information about safety is derived, but still, there is not a simple formula that could estimate the safety level. This is the objective of the next section.
7. Estimation of the level of safety
Let us now abandon the deterministic approach followed so far, although we still require the sample of traffic in a given scenario. Now it is assumed that both the actual position and the predicted future positions are just estimates of actual position and expected future positions of the trajectory.
The objective is to estimate the probability of an air miss associated with each crossing or among all captured pairwise encounters from the aircraft population. It is pointed out that, now, we are considering not only those encounters with an expected separation at the CPA below the separation minima (conflicts) but as well as those with separations above these limits. This is to recognize that any foresee crossing; irrespectively the expected separation at the CPA might come up with an air miss.
According to Figure 5, captured encounters are identified by the CPA, which is the situation where the separation between ACi and ACj will be minimum, and the intruder (ACj) will reach the impact plane after a time () at the point, in the reference frame (x1, y1, z1), of coordinates (0, y1p, z1p).
Let us assume that the probability density function of the intruder aircraft (ACj) reaching the CPA at the time () hitting the impact at coordinates (0, y1p, z1p) is known: . Then, the probability of collision, that is to say, the probability that these coordinates are within the collision area (SPCOL, yellow area in the impact plane represented in Figure 5, right-hand side) of the reference aircraft (ACi), is given by:
The approximation made in the last term of Eq. (1) assumes that the pdf function remains constant over the collision surface, as these surface dimensions (characteristic distance below 150 ft) are very small in comparison with the characteristic horizontal (yp) and vertical (zp) distances of around 5NM and 1000 ft., respectively, that produce first-order changes in this pdf function.
Eq. (1) shows the way to establish the safety level of any scenario populated with known air traffic (positions and velocity). To this end, the two factors in the last term of the equation shall be determined for each encounter.
The surface of collision (SPCOL), defined onto the impact plane, is given by the physical typical dimensions of the aircraft () and, additionally, by the horizontal and vertical components of the velocity of the intruder (ACj) relative to the reference (ACi) aircraft (. Therefore, it can be expressed as the area of the rectangle plus the area of the two half of ellipse, resulting in:
The probability density function determination requires a careful approach to obtain realistic results, despite the random nature of the involved variables (). One key assumption is to consider that it is a bivariate normal distribution with zero mean (no biases) in , while the time to go to CPA (variable affects linearly the value of the standard deviations of those variables. Additionally, it is assumed that the two random variables are uncorrelated. Then, applying the above considerations, the expression for the results in:
where the standard deviations for coordinates ), respectively, are linearly dependent on . Eq. (3) can be expressed in terms of the vertical reference frame (x,y,z) as presented in Figure 5, becoming:
Meanwhile, the time to go to CPA (), degrades the value of the standard deviations as:
where and are the ratios giving the increase (in NM and ft., respectively, per minute) of the horizontal and vertical standard deviations, respectively, with the time to go to CPA. Now the stochastic model demands four parameters to determine the probability density function, ; these are:
|Horizontal standard deviation,||Nautical miles||It is related to the accuracy of the position for the involved ACs as stored in the database, around several NM|
|Standard deviation over Oz1 axis,||Feet||As above, around a hundred feet|
|Ratio of variation of the horizontal standard deviation,||Nautical miles per minute||This value shall be estimated assessing the errors in the model to predict the future positions, around 1NM per minute|
|Ratio of variation of the Standard deviation over Oz1 axis,||Feet per minute||Varies, when is low, say 20 ft./minute. When vz ≠ 0 is high, say 500 ft./minute|
Once the above parameters are defined, using any traffic sample of N aircraft, all crossings between aircraft can be captured and analyzed, determining their three main variables:
Time to go to the CPA () when the encounter was initially identified
Horizontal separation at the CPA (yp)
Vertical separation at the CPA (zp)
Finally, the values for the collision volume shall be determined with the parameters (λxy, λz).
With all these elements, the estimated probability of an air miss E(Pcoll), before acting the ATC barriers, for the traffic sample is given by:
where N is the number of flights in the sample, regardless of them having a crossing or not, in cases of flight without crossings, they count on N. When an aircraft has different crossings, it counts as a different flight for each.
Computationally this expression (6) is demanding, considering that the variables () are dependent on each particular aircraft pair, as they are the parameters () which are dependent. The computational burden then grows linearly with the size of the sample. When applying this model to the case of use, the obtained results are the following.
Collision risk of the traffic sample before the air traffic controllers and pilots react to remove conflicts is E(Pcoll) = . Eq. (6) can also be applied taking other times to go to CPA (); other representative times are looking for the probability of collision of encounters when triggering the STCA (say, 2 min before CPA), the result, in this case, is E(Pcoll)STCA = . If it is the one triggering TCAS TA (), we get E(Pcoll)TA = . Finally, when the conflict evolves and reaches the value that triggers the TCAS RA (), the value is E(Pcoll)RA = (Figure 11).
These values, together with the information obtained in the deterministic part of the chapter, described previously, complete the methodology CRM to assess the safety performance of a given traffic sample of flights in a defined volume of airspace.
High-density airspaces are actively managed by ATC, speeding up the traffic flows and maintaining the required separation minima at any time. Their job is based on the surveillance of the traffic flying within their volumes of responsibility (ATC sectors). The surveillance function is supported by radar and/or other sensors (multi-lateration, ADS B, etc.), and the tracks representing the state vector of the aircraft presented to controllers are, as well, usually stored in databases.
The chapter presents a collision risk model that helps to assess the safety characteristics for any volume of airspace where the above data sources are available. The model is data-driven, and most of the information comes up directly from working with the stored flown trajectories complemented with a linear prediction of future positions of the flights, up the so-called look ahead time (LAT).
In the last section, nevertheless, the stochastic nature of both, the data and the linear predictive models, have been considered, providing relevant additional information about the safety levels of the traffic in the sample for different chosen times to go to CPA.
The sampled used takes radar tracks during a month of flights through the MUAC airspace, but other sources of information can also be used, particularly DDR2 from Eurocontrol, containing significant points of the trajectories, where a special event, apart from the uniform movement, took place.
The results show interesting information closely related to the safety of the airspace volume, when populated with the flights contained in the sample, from deferent viewpoints as:
Frequency of risks at a time () before reaching CPA, where the ATC conflict was identified
The overall time required to remove the conflict (
The initial (when the conflict was identified) and final (actual) distances at CPA for each conflict
An estimation of the probability of air miss at different safety barriers
This set of information provides an exhaustive picture of the safety level exhibited by the flown trajectories. The airspace volume, and the data sample, can be chosen, with the only limits of making the results representative and, on the other hand, allowing our computational capabilities to work out with the amount of data, keeping in mind that the burden grows linearly with the size of the sample.
Most of the results shown here were obtained by E. Garcia, during his work as a PhD student, contained in his excellent thesis I was honored to supervise. Many thanks to him and, as well, to Eurocontrol for providing me with the data sample I have used in the chapter, to illustrate the results of the model.