Hostname: page-component-745bb68f8f-b95js Total loading time: 0 Render date: 2025-02-06T14:52:09.106Z Has data issue: false hasContentIssue false
  • English
  • Français

Air Traffic Control Separation Minima: Part 2 – Transition to a Trajectory-based System

Published online by Cambridge University Press:  12 September 2011

Peter Brooker
Peter Brooker*
Affiliation:
(Aviation Consultant)
*
(Email: p_brooker@btopenworld.com)
Rights & Permissions [Opens in a new window]

Abstract

Current strategic plans for Air Traffic Management (ATM) envisage a transition from radar control to a trajectory-based system. Part 1 sketched the historical origins of separation minima and then analysed the safety thinking behind current minima and the issues involved in risk modelling. Part 2 examines the future situation. This focuses on the intermediate steps to the final system – upgraded capabilities in a mixed-equipage system. Future traffic mixes two categories of traffic: V aircraft, i.e. vectored traditional ATC-handled, and 4D aircraft, i.e. flying on 4D trajectories. Conflict probe and other decision support tools will need to be in place, inter alia to prevent controller workload from increasing. Conceptually, future risks in the transition period will be the sum of three types of aircraft encounter risk: V/V, 4D/4D and 4D/V. These pose different kinds of problem for ATC, appropriate conflict alerting systems and risk assessment. The numbers of 4D/V encounters increase rapidly with growth in the proportion of 4D aircraft. With reduced minima, airborne collision avoidance systems would be unlikely to resolve higher relative velocity encounters were the ATC system to fail. It would be a difficult decision to reduce markedly ATC separation minima for any category of aircraft encounters during the transition period.

Keywords

ATMSeparation minima4D trajectories
Type
Research Article
Information
The Journal of Navigation , Volume 64 , Issue 4 , October 2011 , pp. 673 - 693
Copyright
Copyright © The Royal Institute of Navigation 2011

1. INTRODUCTION

Part 1 (Brooker, Reference Brooker2011) sketches the safety thinking behind current ATC (air traffic control) separation minima, conflict alerting/probing systems, and the issues involved in modelling mid-air collision risks. Part 2 examines the future situation, the move to new air traffic management (ATM) paradigms NextGen and SESAR. The text follows on from Part 1, and so does not repeat details of the reviews and analyses there. The main thrust of the new concepts is away from a human-centred operation. This places a variety of constraints on aircraft flight paths. The new paradigms rely on accurate design and flight of four-dimensional trajectories (4DTs). Figure 1 sketches the key safety thinking underlying these innovative concepts.

The main point of the reviews and thought experiments set out here is to identity clearly the difficult safety issues and constraints. If these are not resolved early in the process, it becomes impossible to design systems systematically – or they become an insuperable barrier to progress. There is a need to understand which problems are difficult to resolve. The next step is to see if it is possible to find ways around the difficulties if straightforward methods are unlikely to succeed. Thus, the first question one might ask is how to solve the problem. A second question might then be what prevents us from solving the problem? But a third question could ask what is meant by ‘solving’?

Figure 1. Key safety thinking underlying SESAR-like Concepts.

2. BACKGROUND

Figure 2 shows some of the transitional steps in getting from the present system to the SESAR strategic goal. The jargon terms in the Figure are nicely explained in Episode 3 (2008) documents. Again, this merely hints at the complexity of the steps involved. SESAR is still very much under development, so many optional changes and system architectures are still receiving active consideration.

Figure 2. Steps in the transition to the SESAR strategic goal.

The final form of SESAR is tightly bound up with that of the USA's NextGen programme, which has broadly similar goals. There is extensive USA/Europe R&D cooperation. But NextGen's – and hence SESAR's – core conceptual questions need to be resolved, e.g. Dixon (Reference Dixon2010):

Air/Ground Division of Responsibility: FAA needs to decide how much responsibility will be delegated to pilots in the cockpit and what duties will remain with controllers and FAA ground systems for tracking aircraft.

Level of Automation: The decision on the degree of human involvement in traffic management and separating aircraft is linked to the outcome of the division of responsibility between aircrew and controllers (and related ground systems). Possible options range from today's largely manual flight management to a largely automated system centered on machine-to-machine exchanges with little controller involvement.”

It is extremely difficult to believe that NextGen and SESAR system designers will make markedly different decisions about these core concepts. Obviously, the costs of having different equipment standards for the USA and Europe would be substantial. This would also be in the context of many tens of millions of passengers travelling between Europe and the USA each year.

The implemented version of SESAR will depend on a number of factors. The most obvious are the money available to the aviation community for investment and the need for transitions to make business sense for implementers. Thus, Brooker (Reference Brooker2009a) emphasizes quick business paybacks to customers plus infrastructure investment to be the foundations for the strategic changes. There will need to be intermediate steps to the final system. From a safety viewpoint, a ‘big bang’ in which new equipment is installed throughout the ATM system, and then ‘every participant switches on’ to the new operational concept at a specific time, would seem to be an exercise in hubris. Could good economic cases can be made for large-scale airborne equipage of new kit and/or software without the investors gaining significant early benefits from their investment, e.g. Mozdzanowska et al (Reference Mozdzanowska, Weibel, Lester and Hansman2007)?

Thus, the supposition here is that SESAR's strategic steps will need to use upgraded capabilities in a mixed-equipage system. For example, some aircraft would use datalink and others keep to voice communications. The focus here is on major changes to safety and related performance requirements required by this mixed equipage.

The existing system operates a traditional ‘first come, first served’ basis for all customers. A potential fundamental strategic shift in the NextGen/SESAR provisioning of air traffic service would be some form of priority access. The system would favour those making the first moves to the next phase of aircraft capabilities. This helps accelerate benefits from investments and improvements, while successfully rolling out and managing mixed-equipage helps to provide confidence in longer-term steps. This key transition would be to a more efficient time-based 4D navigational and ATM system. 4D-equipped aircraft in essence have a time-sequenced contract with the airport runway. They would be required to turn up at a very precise time (contrast the approximate time-keeping of current flights (Brooker, Reference Brooker2009b)). In return, they would get priority over non-equipped aircraft waiting to use the runway. This would translate into reduced delays and fuel costs. 4D also offers increased system capacity through higher runway usage if airspace capacity can be increased to match in congested airspace. A so-called best equipped, best served operation must therefore co-exist with the traditional first come, first served operation during the transition period.

What are the necessary additional safety features of a mixed-equipage system? How do ATM personnel safely manage operations, given that aircraft will have different trajectory management capabilities/priorities? How should separation minima use/criteria improve/change? What are the appropriate conceptual safety requirements for new systems? How would the novel safety components work in detail and what would be the associated risk levels? It will be vital to prevent stagnation through over-specifying the safety requirements for ATM subsystems. The aim must be to identify necessary safety ingredients in a mixed-equipage system. Implementation will require proof of resilience against complex failure modes and emergent risk properties.

3. GENERAL TRANSITION ASSUMPTIONS

Some assumptions have to be made explicit about the nature of the transition examined here. ATM is and will continue to be an incredibly complicated system. Thus, it is important to set out the characteristics of the main system aspects under consideration.

The first restriction is that the analysis here concerns commercial aircraft flying in controlled airspace, handled by controller teams, and covered by radar or equivalent non-cooperative surveillance. The focus on commercial aircraft is simply because airlines pay most of the ATC costs. Hence, the future system must ensure that airlines get a satisfactory service. Existing airspace is divided into sectors, and so will be the transitional airspace. But at some point there may well need to be considerable changes from present airspace configurations.

An issue here is the differences between how some participants might wish to see the system change and what will be realistic plans agreed by the body of stakeholders. What equipment and systems would necessarily be in place with a 4D trajectory system? It is not clear precisely what kit/operational procedures will be in place. For example, aircraft will be equipped with Mode S and FMS (Flight Management Systems). But equipage with particular applications of ADS-B (Automatic Dependent Surveillance-Broadcast) is under discussion. How this kit would be used operationally depends critically on the implemented SESAR/NextGen operational concepts. The future is set in motion by choices made in the present, particularly regarding investments in kit and promises to customers. It is one thing to commit to a new system operational/technical paradigm; but it is another to introduce this paradigm for some flights whilst operating an existing operational/technical system in parallel in the same airspace.

The mixed equipment transition – a transition from a legacy system – has to work safely and effectively in the context of previously planned system changes and fitment implementations. There must be no deus ex machina. Thus, the occurrence of a seemingly inextricable problem cannot suddenly be solved by some novel operational/equipment change. The problems have to be resolved conceptually in advance, so that appropriate implementation plans can be put in place. There is wide recognition that this is vital, but there are few definitive conclusions about SESAR or NextGen so far, e.g. (JPDO, 2009):

“It was agreed that there is need for a common understanding of the relationships and tradeoffs related to increases in capacity and mixed equipage. There are currently multiple unknowns that require resolution.”

While the Episode 3 consortium (2009) notes:

“Precise handling of traffic mix will be determined by the different mixes and different capabilities as well as designing needs. The way a conflict is solved depends on many aspects (for example,% of capabilities).”

A working assumption here is that the existing separation minima in radar-controlled airspace do not change prior to introduction of mixed equipage operations. The nature of separation minima is discussed in Part 1.

It is assumed that the transition period involves proportions of equipped and non-equipped aircraft which are both substantial. This is a vague assumption. It is there to remove situations where one of the proportions is low, e.g. a few percent of total traffic. In such a situation, there could be special arrangements to deal with the minority class of traffic rather than a need to establish system concepts that accommodated them both. For example, one method of dealing with comparatively small numbers of aircraft would be to segregate them physically from the main body of traffic. This might be segregation by volume, route or flight level. For example, non-equipped aircraft could be restricted to less-economic flight levels.

It seems unlikely that airspace segregation would be appropriate for this main transition. Pina (Reference Pina2007) discusses some of the key issues. The aim would be to fly 4D-equipped aircraft on fuel-efficient vertical flight paths. An important issue is that segregation might impose excessive penalties on the non-equipped aircraft. The latter might already be affected by higher delays than equipped aircraft (Brooker, Reference Brooker2009b). Aggregate-level system performance might suffer if the airspace reserved for equipped aircraft were to be underutilized during the early phases of the transition. These are economic and business questions, rather than safety issues.

A final assumption is that this transition period would take several years. Thus, the period of mixed operations would not simply be a very short arrangement. The introduction of 4D trajectory aircraft would need to be cautious. There would be especially careful monitoring and extra safety mitigations in the early phases. The heavy maintenance cycle for large jets is up to six years, so operators would be reluctant to reduce the cycle time. Would some parts of the transition be viewed as a mandatory safety requirement? Hollinger and Narkus-Kramer (Reference Hollinger and Narkus-Kramer2005) estimate that the minimum time for re-equipage of USA aircraft with major avionics upgrades would be around six years. They suggest that this would be the ‘equivalent of an Aviation Apollo Project’.

4. MIXED EQUIPAGE RESEARCH

There is already a considerable body of research into mixed equipage in new concept ATM systems. Tobias et al (Reference Tobias, Erzberger, Lee and O'Brien1985) is an example of early work on its effects in terminal area operations. However, the main aim of these studies is usually to explore the feasibility of the socio-technical system, rather than to assess risks. Important selected examples of largely recent research, with some relevant quotes, are given below.

Lee et al (Reference Lee, Prevot, Mercer, Smith and Palmer2005) provide some very useful insights into safety issues as perceived by the participating controllers in ‘Human in the Loop’ experiments. Their concerns included aspects of safety buffers, ambiguous information, i.e.:

“A related issue is situational awareness of AFR [i.e. airborne self-separated] aircraft. In order for AFR flights to add no workload for the controllers, they need to be near invisible to the controllers (e.g. limited depiction on the controller's display, no controller responsibility, little interaction with AFR aircraft). However, if information about AFR traffic is suppressed, the controller is less prepared to provide service for exceptional cases, such as unresolved near-term conflicts and RTA [required time of arrival] revisions. In summary, less awareness leads to inability for the controllers to deal with emergency situations but more awareness undermines the scalability premise.”

Kopardekar et al (Reference Kopardekar, Smith, Lee, Aweiss, Lee, Prevot, Mercer, Homola and Mainini2009) and Prevot et al (Reference Prevot, Homola, Mercer, Mainini and Cabrall2009) present the results of studies into NextGen air/ground operations, with ground-based automated separation assurance, with ‘controllers and pilots in the loop’ real time simulations. The research questions were: “1. What is the appropriate level of automation for routine trajectory-based operations at higher traffic densities? 2. How acceptable are trajectories generated by the automation to controllers and pilots? 3. Is mixed equipage feasible in the same airspace?” From Prevot et al (Reference Prevot, Homola, Mercer, Mainini and Cabrall2009):

“The third human-in-the-loop study, a part-task study on the feasibility of mixed operations, focused on the interplay of equipped and unequipped aircraft. Equipped aircraft were managed entirely by the automation via data link; unequipped aircraft were managed by air traffic controllers via voice communications. A detailed description of this study, including the analysis of workload, separation violations and complexity factors is available in [Kopardeckar et al (Reference Kopardekar, Smith, Lee, Aweiss, Lee, Prevot, Mercer, Homola and Mainini2009)]. The researchers conclude that “mixed equipage operations are feasible to a limit within the same airspace. The higher the traffic density of equipped aircraft, the lower the number of unequipped aircraft that can be managed within the same airspace.”

“While controller workload was low in general and they were able to resolve over 75% of scripted off-nominal short-term conflicts, many issues were identified that need to be further addressed in the area of short-term conflict detection and resolution.”

Averty et al (Reference Averty, Mehadhebi and Pirat2009) examine transition to SESAR – their ‘intermediate phase’ – and identify areas needing further work:

“One key issue will be to identify among these events those which result from an error propagation in the ATM system or from a common mode of failure. The mitigation measures to prevent these particular events will presumably be handled by pilots or ATCOs [=controllers], and will change their work profile and workload. In order to assist them new automated tools will be developed, thus increasing the complexity of the ATM system.”

“Historical experience has shown that the implicit safety margins provided by separation distances were also sufficient, in the pre-SESAR context, for the mitigation of all other causes of ATM hazards. This may not be true with the SESAR ConOps and a new set of safety criteria may need to be developed in order to define safety objectives for individual systems and organizations, and safety indicators to verify that the required safety performance is met.”

There are of course systems engineering aspects of safe and practical ATM changes. For example, the need to implement system changes in single operational and technological steps as far as possible is an extremely large subject, and is not discussed here.

5. PERFORMANCE BASED NAVIGATION

A key element in future systems will be the use of very high performance navigation on aircraft. The main current thrust is the development of Performance-Based Navigation – PBN. The sketch here is mainly based on four documents: the current PBN Manual (ICAO, 2008), the Draft ICAO PBN Operations Approval Handbook (ICAO, 2010), a Briefing Paper (Eurocontrol, 2010) and a MITRE report (Cramer, Reference Cramer2009). PBN is an extremely important step in resolving the complications that have arisen from a variety of area navigation requirements at the ICAO and regional level. It develops specifications appropriate for aircraft using satellite positioning. The assumption here is that the development of PBN will make continued good progress. But PBN implementation is known to face major challenges, see for example, Barr (Reference Barr2009).

Formal definitions of PBN terms are set out in ICAO (2008; 2010) – the description here is simplified. PBN is a performance-based area navigation requirement. There are two kinds of PBN specifications, i.e. sets of aircraft and flight crew requirements needed to support PBN operations in a defined airspace. These are labelled RNAV (Area Navigation) and RNP (Required Navigation Performance). The difference is that RNP specification includes a specific performance control and alerting requirement. RNP is most appropriate when a global navigation satellite system (GNSS) is being used. A GNSS is any global position, speed, and time determination system that includes one or more main satellite constellations. The second key assumption here is that aircraft operations in developed European airspace will satisfy tight RNP requirements. A specific goal for RNP is to enable safely reduced separation standards and/or complex PBN procedures. It is said in many documents that RNP/RNAV/PBN will allow reduced separations. However, it is not easy to find examples of calculations specifically dealing with the 3Nm or 5Nm ATC separation minima.

Performance control and alerting requirements would usually require an aircraft-based augmentation system. This augments and/or integrates the information obtained from the other GNSS elements with information available onboard the aircraft. For example, receiver autonomous integrity monitoring is a technique used in a GNSS receiver/processor to determine the integrity of its navigation signals. This uses GNSS signals, possibly enhanced with barometric altitude data, to provide a consistency check between redundant pseudo-range measurements. The final PBN concept is of Total System Error (TSE). This is the difference between the aircraft's true position and its desired position. TSE is calculated from component error sources, e.g. see ICAO (2010).

RNP system manufacturers have been working to satisfy specific numerical requirements on the TSE of the navigation system. These include accuracy, integrity and continuity requirements (Cramer, Reference Cramer2009). These are based on the RNP value:

Accuracy: each aircraft operating in RNP airspace shall have total system error components in the cross track and along track directions that are less than the RNP value 95% of the flying time.

For a specified containment limit equal to 2×RNP:

Integrity: The probability that the total system error of each aircraft operating in RNP airspace exceeds the specified cross track containment without annunciation shall be less than 10−5 per flight hour. [Note ‘cross track’.]

Continuity: The probability of annunciated loss of RNP capability (for a given RNP type) shall be less than 10−4 per flight hour.

PBN documents make it clear that “blunder errors”, such as selection of the wrong route, are not included in the requirements. A major point to note in the present context is that the requirements are solely in the horizontal plane. Thus, JPDO (2009) makes it clear that:

“There is no current means for full flight path vertical performance integrity. Vertical Required Navigation Performance (VRNP) is currently only a term for discussion – there is no definition or work plan for it to date.”

The problem is that, thanks to the variety of aircraft and FMS in operation, there are currently some parts of the flight profile where a defined vertical path does not exist. Thus, the profile is dependent on the individual aircraft's performance. In the following, it is assumed that the 1000 feet minimum and current vertical separation procedures will be retained.

Why is it reasonable to assume that appropriate PBN, based on GNSS, will be in place to support 4D trajectories? First, the components of PBN have been under development for many years. There is still a strong impetus in the aviation community for their implementation, e.g. see Dixon (Reference Dixon2010). Second, the core of SESAR and NextGen safety is delivered through navigational conformance. This means that aircraft are allocated conflict-free 4D trajectories and navigate tightly on those trajectories. PBN based on GNSS is therefore an obvious, well-supported way of producing definite trajectories of high accuracy. Of course, PBN is not free of risk-related issues. Cramer (Reference Cramer2009) discusses the use of Gaussian distribution assumptions, potential error and failure modes. These range from satellite coverage to avionics certification, and where such effects can be mitigated by (e.g.) warning alerts.

It is important to note that the use of satellite-enabled PBN changes the influence of wind on flight paths. Thus, taking a Radius to Fix segment as an example (ICAO, 2010):

“Pilots are familiar with flying turns at a constant airspeed and angle of bank which enables a circular flight path to be flown with reference to the air mass and are trained to manually compensate for the presence of wind if necessary. Pilots now need to understand that the FMS will fly an exact circular flight path over the ground and the angle of bank will be adjusted by the flight control system to maintain that circular flight path.”

How, in general, will interpolation between trajectory waypoints be performed? This is particularly important when there are vertical manoeuvres, given the absence of a VRNP (see also Mondoloni, Reference Mondoloni2009).

6. CONFLICT DETECTION, ALERTING, PROBING, ETC

ATC separation minima need to be examined in the context of the whole ATM safety system. This includes a sequence of procedural and technical safety defences (e.g. see Brooker, Reference Brooker2008). In particular, there are a variety of existing and potential future conflict detection, alerting and probing systems. The main ATM conflict aids currently in use are STCA (Short Term Conflict Alert) and ACAS (Airborne Collision Avoidance System). The latter is currently implemented through TCAS, (Traffic Alert and Collision Avoidance System). They are briefly described in Part 1 and further references are given in Brooker (Reference Brooker2008). Conflict probe systems can be used in planning clearances by enabling the controller to predict where aircraft will be in up to 20 minutes time. Medium Term Conflict Detection is an example of a conflict probe. However, there are a variety of different applications under various names and with varying degrees of technical maturity, e.g. see Brain (Reference Brain2007). Conflict probes are part of a class of software-based tools known as Decision Support Tools (DST). The common feature of DSTs is their reliance on accurate trajectory predictions, e.g. see JPDO (2009), Rentas et al (Reference Rentas, Green and Cate2009). It is worth noting that few of the research outputs produced on trajectory prediction for NextGen/SESAR appear to investigate satellite-enabled PBN, i.e. there could be a major research gap.

Conflict aids generally use aircraft system-independent data from some kind of surveillance, typically Mode S radar. This uses recent positional-state data and projects flight paths in time, i.e. extrapolates from the current and recent positions. The test for a conflict is generally based on calculating if there is an overlap of notional ‘protected volumes’ around each aircraft. The literature describes many possible different ways of processing the projection information. A too-large protected volume would generate a high proportion of nuisance alerts, where normal separation was not, or would not have been, infringed. Considerable parameter tuning is therefore needed to provide a good implementation (e.g. Beasley et al, Reference Beasley, Howells and Sonander2002). STCA and ACAS criteria are not specifically geared to ensure the achievement of separation minima. They are set to produce timely and meaningful alerts for controllers and pilots.

A major cause of nuisance alerts is the partial information the conflict aid has – it does not ‘know’ the pilot or aircraft FMS intent for the flight. Future conflict aids could incorporate aircraft data to help resolve this problem. This might use ADS-B technology or another form of datalink between aircraft and the ground. (ADS-B has two components. ADS-B Out continuously transmits an aircraft's position, altitude, and direction to controllers on the ground and to other aircraft. ADS-B In enables another aircraft to receive the transmitted data, giving pilots with ADS-B In a complete picture of their aircraft in relation to other ADS-B equipped traffic.). An ADS-B version of ACAS would probably imply using the same GNSS-based position data for all separation assurance. The conflict aid would have up-to-date accurate, GNSS-based, positional/velocity data, the latter including information on aircraft intent, i.e. the position and timing of subsequent waypoints on the flight path. Such a conflict aid would be termed dependent data. This means it uses data available from the aircraft systems rather than externally derived data from some form of independent surveillance sensing.

A large variety of possible separation assurance and conflict alerting systems could potentially be developed. As an example, the Ifly Consortium (Cuevas et al, Reference Cuevas2009) present clearly some of the options and questions that would need to be addressed for an airborne separation based operation. Is a set of linked conformance, separation assurance and conflict detection tools the ideal? But, in some cases, a valid ACAS alert could represent a failure of conflict probe arrangements. Would it be prudent to base even part of its operation on the same data that underpins the planning and conformance monitoring of the 4D aircraft? Could the concerns about ‘inconsistent’ warnings and alerts be handled by determining an acceptable 4D flight path tested against the possibility of an ACAS alert?

Will the transition phase include new versions of ACAS, e.g. some kind of hybrid of Mode S data and aircraft GNSS data? It is obviously possible that it could, but both the safety philosophy and technical work on this are still in their early stages (e.g. RTCA, 2008). If there were a ‘Hybrid ACAS’ available, then it could obviously be fitted to non-4D aircraft. A decision to implement such a system would largely be one of safety philosophy. Thus, should the data used by ACAS be independent of that used in separation assurance? The Air Traffic Management Master Plan (European Commission, 2009) states explicitly that ‘ACAS and STCA are and need to stay independent at functional level’. If the nature of STCA and ACAS were to be changed markedly, what work would be needed to understand all the implications for risk levels? Suppose aircraft intent information based on FMS/GNSS/PBN were significantly incorrect. Logically, ACAS would then become the only means of defence left if the controller did not have an independent radar-based STCA available.

Wise decision-makers learn lessons from the past. Their thinking about the nature of a future ACAS is affected by what Möller and Hansson (Reference Möller and Hansson2008) call the Titanic lesson. The Titanic's lifeboat numbers were reduced and lifeboat drills were perfunctory. This was presumably because of a hubristic confidence in the ship's safe design. Suppose a system designer thinks that ACAS is virtually never going to be required because the main safety defences are so reliable. In those circumstances, he or she would believe that it would not matter very much how effective it is against a variety of aircraft flight path configurations. Figure 3 is repeated from Part 1. Supposing that the normal ATC system fails to provide separation, this shows the time to collision for aircraft at a specific relative velocity from a starting point of a variety of separation minimum values. Take two aircraft which are 3 Nm apart and approaching with a relative velocity of 600 knots. They will collide in 18 seconds. If (say) 20 seconds (shown in the Figure) were judged the minimum time required for an ACAS device to warn the pilot, then this configuration would not be acceptable. Obviously, the smaller the separation minimum the more likely it is that a lower relative velocity would produce a breach of the 20 seconds or other time criterion. If ACAS is to be as effective in a general encounter as it is at present, then separation minima cannot be much reduced if broadly similar warning times are to be achieved.

Figure 3. Time to collision as a function of distance apart and relative speed.

7. WHAT ARE THE CONTROLLER'S PROBLEMS?

What new problems will face controllers during the transition period to a 4D system? The focus here is on potential conflicts between aircraft, but it must be noted that controllers issue changes to flight paths for a variety of reasons. Controllers may change the short-term intent for a flight in the light of new information about sector traffic. They might identify a flight path with fewer potential conflicts in some minutes time. They might see an opportunity for a more economical routeing.

A simple calculation shows some interesting features. Suppose that there is no traffic segregation between 4D aircraft (‘4D’) and traditionally controlled aircraft (‘V’– for vectored). As noted earlier, segregation could be feasible for small amounts of 4D traffic, but would probably be much less satisfactory as the 4D traffic grows. Suppose also that the probability of a particular flight being a 4D aircraft is random. This means that 4D aircraft are not restricted to particular routeings. From a safety viewpoint, controllers are most concerned about the possibilities of airspace conflicts, i.e. the (binary) interactions between flights. Selecting two random flights, and using p as the proportion of 4D flights, then the number of interactions between 4D flights will be proportional to p2, and the number of 4D/V interactions will be proportional to 2×p×(1−p).

Figure 4 plots the functions p2 and 2×p×(1−p), corresponding to 4D/4D and 4D/V interactions respectively. The V/V interactions obviously bring the total up to 100%. The 4D/V proportion grows surprisingly quickly. For example, for a 10% proportion of 4D aircraft, the 4D/4D proportion is just 1%, but the 4D/V proportion is 18%. Thus, the controller is faced with three different kinds of conflict. The traditional conflicts are the V/V type. For present purposes, it is assumed that these V/V interactions would be handled in exactly the same way as in today's system. The 4D/4D interactions would be wholly new, but presumably the role of the controller would be much less than for the V/V interactions. The most difficult conflict type is the 4D/V type – a hybrid interaction, to use the language of genetics (in which these probabilities are the Hardy-Weinberg law). For 4D/V pairs the controller would have to have a different way of dealing with conflicts than traditional V/V conflicts.

Figure 4. Functions p2 and 2×p×(1−p): 4D/4D and 4D/V interactions respectively.

It is not clear from current SESAR or NextGen work (e.g. see Episode 3, 2008; Averty, Reference Averty, Mehadhebi and Pirat2009) what would be the precise responsibilities for separation for 4D/4D interactions in either the transition phase or a fully 4D system. If aircraft are flying reasonably accurately on safe flight paths, then can the controller ignore them unless some automatic system alerts him or her to a possible safety problem, i.e. passive monitoring? If not, then what kind of controller monitoring would be required? There are some obvious rules. For any set of circumstances, there should be only one individual or system (?) that is responsible for safe separation. A person with that responsibility must have control over the tools that could best eliminate the conflict. There should be no possibility of confusion by other system participants about the controlling individual/system.

It seems improbable that controllers could handle 4D aircraft routinely in a transitional system simply by adapting current control techniques. The intrinsic problem would be the workload on the controller in dealing with a mixed population of capabilities. For example, existing route structures tend to produce restricted numbers of conflict points and largely repetitive flight paths. Human pattern recognition works well in detecting an aircraft deviating from a familiar expected track. 4D aircraft would not always add much inherent complexity. Most 4D aircraft would in fact ‘want’ to fly in nearly straight lines, although a few might be manoeuvring en route in a subtle fashion to assure safe separation. The problem for the controller would be the mixture of traditional flight routeings and direct flights. This would mainly be because of the cognitive processing required to overlay temporally-orientated projections for 4D aircraft in a largely spatial projection environment (Davison Reynolds, Reference Davison Reynolds2006).

As noted earlier, over the last decade researchers have proposed and analysed a wide variety of controller assistance methods for dealing with 4D aircraft in mixed equipage operations. This includes the work by Corker et al (Reference Corker, Gore, Flemming and Lane2000), Lee et al (Reference Lee, Prevot, Mercer, Smith and Palmer2005) and Kopardekar et al (Reference Kopardekar, Smith, Lee, Aweiss, Lee, Prevot, Mercer, Homola and Mainini2009). Most use some form of conflict probe, so that aircraft flight paths can be constructed to be free of conflicts for some specified period into the future. The intention is that this would permit aircraft flight paths to be closer, and hence reduce excess distance operating costs. The nature of this assistance raises complex human factor issues, e.g. Sheridan et al (Reference Sheridan2009). Some researchers say that this means that the controller is ‘managing’ the safety system. A caveat is that such experiments generally simulate the controller's tasks over a comparatively short period. But today's controllers play a very active role in safety for V aircraft. How then would such a role be combined with a more passive task-set in dealing with the 4D flights, e.g. see Parasuraman and Wickens (Reference Parasuraman and Wickens2008)?

Should controllers be responsible for all aspects of the safe separation of V aircraft, excepting ACAS alerting events? Some research into automated airborne separation assurance (Kopardekar et al, Reference Kopardekar, Smith, Lee, Aweiss, Lee, Prevot, Mercer, Homola and Mainini2009) suggests that it would be feasible for suitably equipped aircraft (‘AFR’ – Autonomous Flight Rules, carrying ADS-B and with FMS-integrated datalink) to take over a range of controller safety responsibilities:

“…the controllers were not responsible for the separation of AFR aircraft. In addition, the AFR aircraft were responsible for maneuvering around IFR [V here] aircraft in mixed equipage conflicts.”

As the controller would be relieved of the bulk of the usual tasks for the AFR aircraft, it is not surprising that sector capacity for mixed equipage populations could be increased. However, it is certainly not clear at present how far SESAR would adopt such a philosophy, either in any transfer of responsibility for safe separation between 4D/4D aircraft or for automation systems in 4D aircraft to resolve conflicts with V aircraft. There would be both regulatory and safety policy issues to be resolved. The fact that a small number of 4D aircraft generate a much larger number of hybrid interactions is a key concern. Proving that such an arrangement would be acceptably safe would be an extremely difficult task, given the intrinsic sparseness of data on these hybrid failure modes – see the next section and Brooker (Reference Brooker2011). A major consideration is that transitions to a more automated system will generally produce new kinds of failure mode, e.g. Amalberti (Reference Amalberti, Garland, Wise and Hopkin1998):

“People do not yet know how to optimize complex systems and reach the maximum safety level without field experience. The major reason for this long adaptive process is the need for harmonization between the new design on one hand and the policies, procedures, and moreover the mentalities of the whole aviation system on the other hand. This harmonization goes far beyond the first months or years following the introduction of the new system, both because of the superimposition of old and modern technologies during several years, and because of the natural reluctance of people and systems to change.”

If the controller retains responsibility for all V aircraft, obviously including handling all 4D/V interactions, then the control concept has to change. The Eurocontrol next-stage from MTCD is termed FASTI – The First Air Traffic Control Support Tools Implementation Programme (Brain, Reference Brain2007; Petricel and Costelloe, Reference Petricel and Costelloe2007). The idea is that MTCD will progressively be succeeded by systems that receive real-time downloaded data from aircraft FMS. So, if the pilots re-program the flight's trajectory, or they fail to do so when provided with a new clearance by ATC, the system will still predict future positions accurately. Thus, FASTI tools provide ‘interpretative’ information about the traffic situation. This reduces the workload associated with planning and maintaining separation tasks. Hence, it increases controller productivity. In the present context of a transitional 4D system, the controller would have datalinked information on the 4D aircraft and his or her usual information on the V aircraft. There would be reliance on advanced flight data processing systems (FDPS) to support these kinds of function, e.g. see Brooker (Reference Brooker2009a).

The controller would also have access to the kinds of warning systems discussed briefly earlier. As regards STCA, the safety question would be if it should remain much as at present or if data-linked satellite position/intent information would be incorporated into some variety of an advanced version – ‘aSTCA’. This would not affect the STCA/ACAS functional independence noted earlier. However, it would mean that MTCD (a planning tool) and aSTCA (a warning tool) would be using overlapping data sources. STCA could be tailored differently for 4D/4D encounters. The ATM system would necessarily ‘know’ if a pair of aircraft were both 4D, and so could use different information and/or differently optimised software parameters (e.g. Beasley et al, Reference Beasley, Howells and Sonander2002).

If potential conflicts arise, would the controller handle 4D/V interactions in the same way as V/V interactions? It is likely that the controller's display would be very different from present versions. For example, from Kopardekar et al (Reference Kopardekar, Smith, Lee, Aweiss, Lee, Prevot, Mercer, Homola and Mainini2009):

“Therefore the controller workstation was drastically redesigned. The goal of this redesign was to provide the controllers appropriate and adequate awareness of the automation managed (equipped) aircraft while maintaining focus on the unequipped aircraft that were their primary responsibility…equipped aircraft were represented by a limited data block (which could be expanded on demand) to reduce display complexity…Current day data tags were used for unequipped aircraft, whereas equipped aircraft were depicted with low-lighted directional symbols and altitudes to provide a general picture of traffic clusters.”

Thus, the intention would be that the controller could easily distinguish between displayed 4D and V aircraft.

Would the controller use a different 4D/V separation minimum from that for V/V aircraft? Separation loss generally occurs because one of the aircraft has a marked flight path deviation from what would have been a ‘reasonable intent’ trajectory, rather than large deviations simultaneously incurred by both aircraft. In a 4D/V case, it is very probable that the deviation would be by the V aircraft. This is because the 4D aircraft's intent, given FASTI facilities and datalinking, would have a much greater chance of being known to the controller. Thus, a potential conflict would generally arise in exactly the same way as for V/V aircraft; for example, potential problems with sector handovers, trainees, or non-standard traffic would still be possible.

If the controller detects a possible problem from the display/FDPS, or is alerted by means of a safety net system to a 4D/V conflict, to which pilot should he or she issue instructions? The ATM system and hence the controller will ‘know’ which are V and 4D aircraft. Should the controller endeavour to resolve the situation by instructing the V aircraft's pilot? The situation would have most probably occurred because of some confusion about the V aircraft intent, so the controller would be issuing a corrective instruction to that aircraft's pilot. Suppose the controller were to instruct the 4D aircraft. This could either be through a change to the business trajectory or requiring the flight to revert to ordinary, vectoring ATC. But this could mean that the 4D aircraft might be unable to meet its contracted time for arrival. This would disrupt airport schedules, whereas a V aircraft would not be operating under such tight time constraints (e.g. see Brooker, Reference Brooker2009b).

Finally, one of the concerns expressed about SESAR and previous automation ideas is that the controller's skill levels would tend to degrade. Given the likely timescale of transition, the controller would progressively need to change his or her skills mix. The workload components would therefore have to change, e.g. using FASTI-like systems to deal with mixed conflicts.

8. QUANTITATIVE RISK ASSESSMENT

Part 1 examined some of the key issues in safety system modelling and quantitative risk assessments for changes to the existing ATC system. It emphasised the need for appropriate validation processes (see also Brooker, Reference Brooker2011). To quote Macal (Reference Macal2005):

“In the case of models that contain elements of human decision making, validation becomes a matter of establishing credibility in the model. The task is to establish an argument that the model produces sound insights and sound data based on a wide range of tests and criteria that “stand in” for comparing model results to data from the real system.”

The following briefly examines the nature of the issues of quantitative risk assessment.

It is obvious from the discussion in previous sections here that risk assessments for a 4D transitional system are difficult. (The broader subject of safety cases is not discussed here – see Brooker (Reference Brooker2010) for some comments.) The predictive value of a model necessarily relies on the modeller's ability to anticipate all the human/physical phenomena and interactions that significantly affect a system's behaviour. For complex systems, with the likelihood of emergent attributes (Brooker, Reference Brooker2008), it may be difficult to identify all the important interactions. But it is vital to use quantitative models to the greatest extent possible. Even if their predictions cannot be validated, they are a necessary screening device to identify major risk problems.

Equation (1) below was explained in Part 1. It distinguishes between the different varieties of risk component that must add to less than the required safety target, as required by ICAO (1998).

(1)
$$\matrix{ {\rm S} \hfill & + \hfill & {\rm G} \hfill & + \hfill & {\rm L} \hfill & \les \hfill & {\rm T} \hfill \cr {} \hfill & {} \hfill & {} \hfill & {} \hfill & {} \hfill & {} \hfill & {} \hfill \cr {{\rm Specific}} \hfill & {} \hfill & {{\rm Generic}} \hfill & {} \hfill & {`{\rm Lack {\mbox {\hbox -}} of {\mbox {\hbox -}}}} \hfill & {} \hfill & {{\rm Safety}} \hfill \cr {{\rm probability}} \hfill & {} \hfill & {{\rm probability}} \hfill & {} \hfill & {{\rm probability}’} \hfill & {} \hfill & {{\rm Target}} \hfill \cr {{\rm risks}} \hfill & {} \hfill & {{\rm risks},} \hfill & {} \hfill & {{\rm risks}} \hfill & {} \hfill & {} \hfill \cr {calculated +} \hfill & {} \hfill & {calculated} \hfill & {} \hfill & {uncalculated} \hfill & {} \hfill & {} \hfill \cr {validated} \hfill & {} \hfill & { + part} \hfill & {} \hfill & {} \hfill & {} \hfill & {} \hfill \cr {} \hfill & {} \hfill & {validated} \hfill & {} \hfill & {} \hfill & {} \hfill & {} \hfill \cr} $$

’To be useful in assessing a mixed equipage environment, equation (1) needs to be separated out into the different kinds of risk components discussed in Section 7. Focusing on encounters, this produces three equations (ii) of the form:

(2)
$$\eqalign{& \matrix{ {{\rm S}_{\rm a/b}}{ \;+\;{\rm G}_{\rm a/b}}{\; +\;{\rm L}_{\rm a/b}} { \;\les\! {\rm T}_{\rm a/b}} \hfill \cr} \vskip5pt\cr& where\;a/b = V/V,\;4D/V,\;4D/4D} $$

Here, the subscripts denote the nature of the interaction, e.g. SV/V is the specifically modelled risk from V and V aircraft encounters. Equation (2) is in units of accidents per encounter, whereas equation (1) is in accidents per flying hour. The number of encounters will tend to increase with the square of the system flying hours, but the safety target would generally suppose improving system performance over time. The values of the Ta/b criteria would depend on what safety improvements would be required.

The simplest equation (2) to consider is that for V/V encounters. This is essentially the present ATM system, so it needs no analysis, and should be assessed as safe. The evidence from the last decade is that SV/V and GV/V are very small. There are obviously some implicit assumptions in making such an assertion. Conflict probes were mentioned earlier. Thus, there must not be a marked shift in controller workload so that his or her mental resources for V/V encounters are ‘squeezed’.

Equation (2) for 4D/4D encounters is essentially a statement about the safety of the end-result SESAR system, i.e. when all the legacy systems and operational concepts have been phased out. From a risk modelling viewpoint, there is a major gain because the probabilistic uncertainties of human error/omissions (see Part 1) should be much less important. For example, trajectories would be exchanged digitally rather than by voice, which would eliminate the comparatively high error rates associated with voice communications. PBN (RNP's specific performance control and alerting features) would provide information on adherence to the flight path. The S4D/4D and G4D/4D risk components could potentially be much smaller than their V/V equivalents. There is high quality research in this area. Andrews et al (Reference Andrews, Welch and Erzberger2005) is important work from the early studies on NextGen. More recently, Blum et al (Reference Blum, Thipphavong, Rentas, He, Wang and Pate-Cornell2010) studied an ‘Advanced Airspace Concept’. This is a proposed ground-based separation assurance system. It monitors and maintains safe separation between aircraft automatically. Trajectory changes are initiated by pilots and/or the ground system and are communicated via an air-ground datalink. Both studies demonstrate that these kinds of system can potentially deliver safety performance better than the current system. Neither study claims that the conceptual model it uses is precisely what will be used in the implemented NextGen. This design uncertainty is generally an issue when using R&D results to estimate SESAR/NextGen safety properties. Both calculations include the safety benefits of STCA and ACAS in collision risk assessments. However, as pointed out in Part 1, there is some institutional confusion on this point (see Brooker, Reference Brooker2008 and related references there).

These 4D/4D studies are rated as high quality because the authors are careful to identify both modelling assumptions and potential weaknesses. Andrews et al (Reference Andrews, Welch and Erzberger2005) note the importance of software, hardware, and procedures being designed for safety from the outset. Quantifying the risk implications of software in a NextGen/SESAR system is an extremely hard task. Brooker (Reference Brooker2010) provides some general references. Garrett and Apostolakis (Reference Garrett and Apostolakis1999) and Chu et al (Reference Chu, Martinez-Guridi, Yue and Lehner2006) discuss ways of incorporating software aspects into probabilistic risk assessment. Blum et al (Reference Blum, Thipphavong, Rentas, He, Wang and Pate-Cornell2010) note that their Monte Carlo-based modelling does not account for the effects of widespread power loss, pilot non-conformance and computer hacking. (Pilot non-conformance means that his or her aircraft does not execute the system-recommended safe resolution correctly.) Monte Carlo techniques may underestimate risks and uncertainties (e.g. Willows and Connell, Reference Willows and Connell2003; Brooker, Reference Brooker2011). Equation (2) for 4D/4D would certainly need to include the risks for the first two of these possibilities, while security aspects might best be examined separately.

There is still the problem of the ‘lack of probability’ component L4D/4D. One way of tackling this would be to adapt the relative risk philosophy put forward in ICAO (1998). This would endeavour to demonstrate that L4D/4D is smaller than LV/V. A starting point would be an examination of historical multi-factor mid-air collisions, such as the Überlingen and Brazil collisions noted in Part 1. This would presumably indicate that they would be less likely to occur in 4D/4D encounters. A major factor would be that some potential human causal factors would be eliminated. SESAR's 4D trajectory system would be designed to be an intrinsically safer than present ATM, with improved system hygiene (see Part 1). For example, the availability of system-wide information would enable missing key operational data – such as defective transponders or non-operational STCA – to be automatically monitored. Additionally, it would be necessary to demonstrate that multi-factor accidents in part attributable to 4D/4D technical failures/errors, would be improbable when measured against T4D/4D. One task would be to show the absence of correlated technical failures/errors. This would need to cover simultaneous causal factors attributable to STCA and ACAS operation (which supports the case for their continuing functional independence).

An important point is that both Andrews et al (Reference Andrews, Welch and Erzberger2005) and Blum et al (Reference Blum, Thipphavong, Rentas, He, Wang and Pate-Cornell2010) assume a separation minimum, i.e. take it as a given parameter. Andrews et al (Reference Andrews, Welch and Erzberger2005) use a separation requirement of 8 Nm, because currently most of the aircraft closest approach distances in encounters are larger than the separation minimum. Blum et al (Reference Blum, Thipphavong, Rentas, He, Wang and Pate-Cornell2010) adopt the current minimum of 5 Nm for their ‘Autoresolver’ function. There do not appear to be any indications from current research or analysis that ATC separation minima for 4D/4D encounters might be markedly reduced during the transition period. If risk analysis calculations suggest that a reduction would be rational, the decision-makers could still decide otherwise. They might well be influenced by the Titanic safety design lessons noted at the end of Section 6 (e.g. see Möller and Hansson, Reference Möller and Hansson2008).

Equation (2) for 4D/V encounters is the most difficult to resolve. Brooker (Reference Brooker2010) discusses the modelling and validation difficulties. The major problem for quantitative risk assessment is that mixed equipage/operations potentially generate new and different safety issues. Emergent properties is the jargon phrase. Without a track record of safety-related incidents, most of the quantified risks would be in the G4D/V component, i.e. generic probability risks. How would analysts acquire credible knowledge of infrequent, but actually risky, operational practices in a future human/automation mixed equipage and innovative software system? Garrett and Apostolakis (Reference Garrett and Apostolakis1999) note the value of ‘error forcing context’ for both human and software issues for innovative socio-technical systems (Cooper et al, Reference Cooper, Ramey-Smith and Wreathall1996):

“The idea of error-forcing context is based on the theory that human errors occur (for the most part) as a result of combinations of influences associated with the plant conditions and associated human factors issues that trigger error mechanisms in the plant personnel. In addition to plant conditions, such as sensor information, the context can include such things as working conditions, adequacy of man-machine interface, availability of procedures and time available for action.”

Thus, human/software probabilities can be viewed as context dependent. For example, human error rates are known to be functions of both the specific technical system and the stress placed on the individual.

FAA/Eurocontrol (2005), which sets out ‘Safety Principles Architecture for Aviation’, notes:

“Consequently, today, as the result of the relative data unavailability, generating human-reliability data is done from experts (expert judgements techniques), which can be quite unreliable when applied to new environments of design or procedures.”

This precisely describes the SESAR transition. To reiterate an earlier point, quantitative models would still have an important role. Even if predictions cannot be validated, they are a necessary screening device to check for major risk problems. Brooker (Reference Brooker2010) proposes high fidelity Human in the Loop simulations:

“A potential way forward is the use of high fidelity Human in the Loop simulations (HITLS) in safety decision-making, to generate confidence in the resilience of the ATM system. The focus changes from proving safety, i.e. through the kinds of validation processes examined here, to testing how resilient the evolving ATM system is to a comprehensive set of errors, blunders, etc. Resilience tests have to attack the HITLS, to expose its weak points, to show where defences are thin, insufficient, etc. These would include seeded errors, penetration testing, and crash/stress testing.”

Thus, the HITLS process would be aggressive, rather than a routine evaluative simulation of normal operations.

Therefore, it is extremely difficult to construct quantitative risk assessment arguments for 4D/V encounters that would lead to robust conclusions about separation minima. There are a variety of modelling and validation issues to resolve. HITLS would provide some help, but this needs to be in the context of the kinds of system decisions examined in the previous section.

9. CONCLUSIONS

Aviation safety decisions have to be of very high quality. Decision-makers on major safety system changes generally require good predictive models to estimate risks. The continuing challenge is to demonstrate that such changes improve on the current high level of system safety. There is a need to establish the credibility of the modelling outputs. But the aim must be to identify necessary safety ingredients for innovation. A major concern is that over-specified safety requirements would tend to produce system stagnation.

Part 1 demonstrated the difficulties in changing ATC separation minima used in the current system. Improvements in equipment, procedures, training, safety alerting systems, etc have markedly reduced what would have been the risk contributions for simple one, two or three causal factor accidents. Hence, the leading risks now derive from combinations of multi-causal factors. It is not difficult to carry out collision risk calculations. But it is very hard to demonstrate that these outputs correspond to reality.

The transition to SESAR introduces new aspects to ATC separation minima modelling. There is a new ATM paradigm, including a conceptual change in operation. During the transition period, new paradigm operations take place in parallel with the legacy concept in the same airspace. This strongly suggests that it is essential for conflict probe and other decision support tools to be in place. This would enable different categories of traffic to be handled without controller workload increasing.

The key safety point is that there are novel system contexts for error generation. Future traffic mixes two categories of traffic: V aircraft – vectored traditional ATC-handled, and 4D aircraft –flying on 4D trajectories. Conceptually, future risks in the transition period will be the sum of three types of aircraft encounter risk: V/V, 4D/4D and 4D/V. V/V encounters are essentially what occur in the present system, so the ATC separation minima would be the same, and STCA and ACAS would remain as they are (as they are fine-tuned to V operations). The risks in 4D/4D encounters are dependent on the nature of the operational control concept. The existing V/V ATC separation minima might be appropriate, perhaps with additional buffer amount during the early phases of transition. It might be that at some point the 4D/4D ATC separation minima could be reduced, but decision-makers would have to make a judgement about changes to STCA and ACAS to incorporate down-linked satellite/FMS data. Further quantitative modelling of 4D/4D encounters might be very productive, given that many of the existing human error probability aspects should be eliminated or their effects markedly reduced because of increased system resilience.

4D/V encounters raise major new safety assessment issues. They mix legacy V aircraft with new paradigm 4D aircraft, and hence introduce potential new failure modes. A simple model shows that the number of 4D/V encounters increase rapidly with the growth in the proportion of 4D aircraft. There is no opportunity to improve designs by learning about these potential risks from serious incidents or even accidents. Note the long history of ACAS implementation and improvements. 4D/V quantitative risk modelling would be an essential safety hurdle. This would probably need to be supplemented by demonstrations of system resilience. Such tests would be a way of dealing with modelling uncertainties and abnormal operations, and epistemic risks in general. The 4D/V ATC separation minima could be the present values plus an additional buffer. It might be feasible to modify STCA concepts. For example, STCA could incorporate datalinked information so that controllers would preferentially vector V aircraft in 4D/V encounters.

There are many design uncertainties for SESAR/NextGen. Existing conflict alert systems are likely to be restructured to be part of decision support tools (DST), including conflict probes. Changes to ACAS could raise questions about the genuine system independence of ACAS and DST. Decision-makers would be anxious to avoid hubristic over-confidence. A simple separation minimum-distance model shows that ACAS is unlikely to resolve high relative velocity encounters for reduced minima, were the ATC system to fail. Even if risk analysis calculations indicate that a reduction is rational, the decision-makers – influenced by the Titanic safety design lessons – could decide otherwise. The indications are that it would be a difficult decision to reduce markedly ATC separation minima for any category of aircraft encounters during the transition period. However, the use of conflict probes would generally permit aircraft flight paths to be closer on average.

References

REFERENCES

Amalberti, R. (1998). Automation in Aviation : A human factors perspective, in Garland, D., Wise, J. & Hopkin, D. (Eds) Aviation Human Factors, (pp 173192, chapter 7), Hillsdale- New Jersey: Lawrence Erlbaum Associates.Google Scholar
Andrews, J. W., Welch, J.D. and Erzberger, H., (2005). Safety analysis for advanced separation concepts. USA/Europe ATM R&D Seminar, Baltimore, MD, 27–30 June, 2005.Google Scholar
Averty, P, Mehadhebi, K., Pirat, J-L. (2009). Evaluation of ATC working practice from a safety and human factor perspective. Eighth USA/Europe Air Traffic Management Research and Development Seminar.Google Scholar
Barr, A. C. (2009). Challenges in Implementing Performance-Based Navigation in the U.S. Air Transportation System. OIG Testimony Number CC-2009-086, July 29, 2009. U.S.A. Department of Transportation.Google Scholar
Beasley, J. E., Howells, H., and Sonander, J. (2002). Improving short-term conflict alert via tabu search. Journal of the Operational Research Society. 53, 593602.CrossRefGoogle Scholar
Blum, D. M., Thipphavong, D., Rentas, T. L., He, Y., Wang, X., and Pate-Cornell, M. E. (2010). Safety Analysis of the Advanced Airspace Concept using Monte Carlo Simulation,” American Institute of Aeronautics and Astronautics (AIAA) Guidance, Navigation, and Control (GNC) Conference and Modeling and Simulation Technologies (MST) Conference, Toronto, Canada, 2–5 Aug. 2010.Google Scholar
Brain, C. (2007). FASTI: Enabling change in en-route ATC. Skyway 46 (Autumn/Winter), 101103.Google Scholar
Brooker, P. (2008). Air traffic safety: continued evolution or a new paradigm? Aeronautical Journal 112 (1132), 333344.Google Scholar
Brooker, P. (2009a). SESAR: R&D and Project Portfolios for Airline Business Needs. The Journal of Navigation. 62, 203237.CrossRefGoogle Scholar
Brooker, P. (2009b). Simple models for airport delays during transition to a trajectory based air traffic system. The Journal of Navigation. 62, 555570.CrossRefGoogle Scholar
Brooker, P. (2010). SESAR Safety Decision-Making: Lessons from Environmental, Nuclear and Defence Modelling. Safety Science. 48(7), 831844.CrossRefGoogle Scholar
Brooker, P. (2011). Air Traffic Control Separation Minima: Part 1 – The Current Stasis. The Journal of Navigation. 64, 449465.CrossRefGoogle Scholar
Chu, T. L., Martinez-Guridi, G., Yue, M., Lehner, J. (2006). A Review of Software-Induced Failure Experience. American Nuclear Society 5th International Meeting on Nuclear Plant Instrumentation Control and Human Machine Interface Technology. November 2006. http://www.bnl.gov/isd/documents/32718.pdfGoogle Scholar
Cooper, S.E., Ramey-Smith, A.M., Wreathall, G.W., et al. , A Technique for Human Error Analysis (ATHEANA), NUREGiCR-6350, NRC, Washington, D.C. (1996).CrossRefGoogle Scholar
Corker, K., Gore, B., Flemming, K. and Lane, J. (2000). Free Flight and the Context of Control: Experiments and Modeling to Determine the Impact of Distributed Air-ground Air Traffic Management on Safety and Procedures. 3rd USA/Europe Air Traffic Management R&D Seminar, ATM-2000, Napoli, Italy, June 2000.Google Scholar
Cramer, M. (2009). On-Board Performance Monitoring and Alerting (OPMA): Airborne System Calculations, Statistical Meaning and Relationships to Separation Standards Development. Center for Advanced Aviation System Development, The MITRE Corporation.Google Scholar
Cuevas, G. et al. (2009). Ifly Deliverable D1.3, Autonomous Aircraft Advanced (A3) Concept of Operations. Version: 4.2. At http://iFLY.nlr.nl.Google Scholar
Davison Reynolds, H. J (2006). Modeling the Air Traffic Controller's Cognitive Projection Process Report No. ICAT-2006-1. MIT International Center for Air Transportation.Google Scholar
Dixon, L E. (2010). Timely Actions Needed to Advance the Next Generation Air Transportation System. U.S.A. Department of Transportation Office of the Inspector General. (AV-2010-068),Google Scholar
EPISODE 3 (2008). SESAR Detailed Operational Description: Conflict Management in En-Route High & Medium/Low Density Operations - E6. EC project EPISODE 3 consortium. Document ID E3-D2.2-028. Version 3.0, 28-07-2008.Google Scholar
EPISODE 3 (2009). TMA Expert Group Report. EC project EPISODE 3 consortium D5.3.1-02 Version 2.00.Google Scholar
Eurocontrol (2010). Introducing Performance Based Navigation (PBN) and Advanced RNP (A-RNP).Google Scholar
European Commission (2009). European Air Traffic Management Master Plan – Edition 1, 30 March, 2009.Google Scholar
FAA/Eurocontrol, (2005). Aviation System Safety Principles: Safety Action Plan-15. Version 2.0 June 10, 2005.Google Scholar
Garrett, C., and Apostolakis, G., (1999). Context in the Risk Assessment of Digital Systems. Risk Analysis, 19, 2332.CrossRefGoogle Scholar
Hollinger, K. V. and Narkus-Kramer, M. (2005). Expediting an Improved Performance Based NAS: The Rationale for Accelerating Avionics Equipage. The MITRE Corporation, December 2005. http://www.mitre.org/work/tech_papers/tech_papers_05/05_1122/05_1122.pdfCrossRefGoogle Scholar
ICAO (1998). Manual on Airspace Planning Methodology for the Determination of Separation Minima. ICAO Doc 9689-AN/953, 6365.Google Scholar
ICAO (2008). Performance-Based Navigation (PBN) Manual. Doc 9613. International Civil Aviation Organization.Google Scholar
ICAO (2010). Draft ICAO PBN Operations Approval Handbook. WP/6. Presented By Australia. Sixth Meeting Of The Performance Based Navigation Task Force. International Civil Aviation Organization.Google Scholar
JPDO [Joint Planning and Development Office, FAA] (2009). Trajectory-Based Operations (TBO) Conference Meeting Summary March 24, 2009. http://www.jpdo.gov/library/tbo/20090416_TBO_Conference_Summary.pdfGoogle Scholar
Kopardekar, P., Smith, N., Lee, K., Aweiss, A., Lee, P., Prevot, T., Mercer, J., Homola, J., and Mainini, M., (2009). Feasibility of Mixed Equipage Operations in the Same Airspace,” Eighth USA/Europe Air Traffic Management Research and Development Seminar, Napa, California, June 2009.Google Scholar
Lee, P., Prevot, T., Mercer, J., Smith, N., and Palmer, E. (2005). Ground-side Perspective on Mixed Operations with Self-separating and Controller managed Aircraft. The Sixth International Air Traffic Management R&D Seminar ATM-2005, Baltimore, MD, July 2005.Google Scholar
Macal, C. M. (2005). Model Verification and Validation. Workshop on ‘Threat Anticipation: Social Science Methods and Models’. The University of Chicago and Argonne National Laboratory. April 7–9, 2005. http://jtac.uchicago.edu/conferences/05/resources/V&V_macal_pres.pdfGoogle Scholar
Möller, N. and Hansson, S. O. (2008). Principles of engineering safety: Risk and uncertainty reduction. Reliability Engineering and System Safety. 93, 776783CrossRefGoogle Scholar
Mondoloni, S. (2009). Use of Linear Aircraft Intent Response for Tactical Trajectory Based Operations. Eighth USA/Europe Air Traffic Management Research and Development Seminar (ATM2009).Google Scholar
Mozdzanowska, A., Weibel, R., Lester, E., and Hansman, R. J. (2007). The dynamics of air transportation in transition. In 7th Air Traffic Management Conference, July 2007.Google Scholar
Parasuraman, R. and Wickens, C. D. (2008). Humans:Still Vital After All These Years of Automation. Human Factors. 50(3), 511520.CrossRefGoogle ScholarPubMed
Petricel, B. and Costelloe, C. (2007). First ATC Support Tools Implementation (FASTI) Operational Concept. Edition 1.1.Google Scholar
Pina, P. E. (2007). Cognitive and operational implications of non-homogeneous aircraft equipage for aviation system transformation. Thesis, Massachusetts Institute of Technology. Thesis (S.M.). Massachusetts Institute of Technology, Dept. of Aeronautics and Astronautics, September 2007.Google Scholar
Prevot, T., Homola, J. R., Mercer, J. S., Mainini, M. J., and Cabrall, C. D. (2009) Initial Evaluation of Air/Ground Operations with Ground-Based Automated Separation Assurance, Proceedings of the 8th USA/Europe Air Traffic Management Research and Development Seminar, Napa, CA.Google Scholar
Rentas, T., Green, S. M. and Cate, K. (2009). Survey and Method for Determination of Trajectory Predictor Requirements. National Aeronautics and Space Administration, Ames Research Center. NASA/TM–2009-215400. http://www.aviationsystemsdivision.arc.nasa.gov/publications/2009/Rentas_TM_2009-215400_FINAL.pdfGoogle Scholar
RTCA (2008). Future ADS-B / TCAS Relationships. Summary of the Third Meeting, Special Committee 218 RTCA Paper No. 011-09/SC218-008.January 08, 2009Google Scholar
Sheridan, T. B. (2009). Human Factors Research Needs for NextGen-Airportal Safety. NASA/CR–2009-215372. U.S. Department of Transportation, John A. Volpe National Transportation Systems Center.Google Scholar
Tobias, L., Erzberger, H., Lee, H. Q., O'Brien, P. J. (1985). Mixing Four-Dimensional Equipped and Unequipped Aircraft in the Terminal Area. Journal of Guidance, Control and Dynamics. 8(3), 296303.CrossRefGoogle Scholar
Willows, R. and Connell, R. (Eds.) (2003). Climate adaptation Risk, uncertainty and decision-making. Oxford (United Kingdom): UK Climate Impacts Programme.Google Scholar
Figure 0

Figure 1. Key safety thinking underlying SESAR-like Concepts.

Figure 1

Figure 2. Steps in the transition to the SESAR strategic goal.

Figure 2

Figure 3. Time to collision as a function of distance apart and relative speed.

Figure 3

Figure 4. Functions p2 and 2×p×(1−p): 4D/4D and 4D/V interactions respectively.