hazard analysis of nextgen arrival phase of flight...
TRANSCRIPT
![Page 1: Hazard Analysis of NextGen Arrival Phase of Flight …psas.scripts.mit.edu/home/wp-content/uploads/2014/03/...SERL Hazard Analysis of NextGen Arrival Phase of Flight Concepts: Interval](https://reader031.vdocuments.us/reader031/viewer/2022022009/5af425d67f8b9ae9488ba407/html5/thumbnails/1.jpg)
SERL
Hazard Analysis of NextGen
Arrival Phase of Flight Concepts:
Interval Management – Spacing
Cody Fleming
March 26, 2014
SYSTEMS ENGINEERING RESEARCH LABORATORY
![Page 2: Hazard Analysis of NextGen Arrival Phase of Flight …psas.scripts.mit.edu/home/wp-content/uploads/2014/03/...SERL Hazard Analysis of NextGen Arrival Phase of Flight Concepts: Interval](https://reader031.vdocuments.us/reader031/viewer/2022022009/5af425d67f8b9ae9488ba407/html5/thumbnails/2.jpg)
SERL
Agenda
• Background
• NextGen Example
• Analysis
• Future
1
![Page 3: Hazard Analysis of NextGen Arrival Phase of Flight …psas.scripts.mit.edu/home/wp-content/uploads/2014/03/...SERL Hazard Analysis of NextGen Arrival Phase of Flight Concepts: Interval](https://reader031.vdocuments.us/reader031/viewer/2022022009/5af425d67f8b9ae9488ba407/html5/thumbnails/3.jpg)
SERL
Motivation
• Shuttle
• B787
2 [Wiki Commons 1986, WSJ 2013, Guardian 2013]
![Page 4: Hazard Analysis of NextGen Arrival Phase of Flight …psas.scripts.mit.edu/home/wp-content/uploads/2014/03/...SERL Hazard Analysis of NextGen Arrival Phase of Flight Concepts: Interval](https://reader031.vdocuments.us/reader031/viewer/2022022009/5af425d67f8b9ae9488ba407/html5/thumbnails/4.jpg)
SERL
Systems Engineering Timeline
3 [ARP-4754 2010]
![Page 5: Hazard Analysis of NextGen Arrival Phase of Flight …psas.scripts.mit.edu/home/wp-content/uploads/2014/03/...SERL Hazard Analysis of NextGen Arrival Phase of Flight Concepts: Interval](https://reader031.vdocuments.us/reader031/viewer/2022022009/5af425d67f8b9ae9488ba407/html5/thumbnails/5.jpg)
SERL
Systems Engineering Timeline
4 [ARP-4754 2010]
![Page 6: Hazard Analysis of NextGen Arrival Phase of Flight …psas.scripts.mit.edu/home/wp-content/uploads/2014/03/...SERL Hazard Analysis of NextGen Arrival Phase of Flight Concepts: Interval](https://reader031.vdocuments.us/reader031/viewer/2022022009/5af425d67f8b9ae9488ba407/html5/thumbnails/6.jpg)
SERL
National Airspace Safety
• Current flight-critical systems remarkably safe
due to:
5
![Page 7: Hazard Analysis of NextGen Arrival Phase of Flight …psas.scripts.mit.edu/home/wp-content/uploads/2014/03/...SERL Hazard Analysis of NextGen Arrival Phase of Flight Concepts: Interval](https://reader031.vdocuments.us/reader031/viewer/2022022009/5af425d67f8b9ae9488ba407/html5/thumbnails/7.jpg)
SERL
National Airspace Effectiveness
• Conservative adoption of new technologies
6 [Av News 2014]
![Page 8: Hazard Analysis of NextGen Arrival Phase of Flight …psas.scripts.mit.edu/home/wp-content/uploads/2014/03/...SERL Hazard Analysis of NextGen Arrival Phase of Flight Concepts: Interval](https://reader031.vdocuments.us/reader031/viewer/2022022009/5af425d67f8b9ae9488ba407/html5/thumbnails/8.jpg)
SERL
National Airspace Safety
• Extensive decoupling of the system components
7
[Ascent 2013]
[IAC 2003]
![Page 9: Hazard Analysis of NextGen Arrival Phase of Flight …psas.scripts.mit.edu/home/wp-content/uploads/2014/03/...SERL Hazard Analysis of NextGen Arrival Phase of Flight Concepts: Interval](https://reader031.vdocuments.us/reader031/viewer/2022022009/5af425d67f8b9ae9488ba407/html5/thumbnails/9.jpg)
SERL
National Airspace Safety
• Careful introduction of automation to augment
human capabilities
• Reliance on experience and learning from the
past
8
![Page 10: Hazard Analysis of NextGen Arrival Phase of Flight …psas.scripts.mit.edu/home/wp-content/uploads/2014/03/...SERL Hazard Analysis of NextGen Arrival Phase of Flight Concepts: Interval](https://reader031.vdocuments.us/reader031/viewer/2022022009/5af425d67f8b9ae9488ba407/html5/thumbnails/10.jpg)
SERL
National Airspace Upgrades
9
• NextGen violates
these assumptions --
more potential for
component
interaction
accidents:
[IHO 2013]
![Page 11: Hazard Analysis of NextGen Arrival Phase of Flight …psas.scripts.mit.edu/home/wp-content/uploads/2014/03/...SERL Hazard Analysis of NextGen Arrival Phase of Flight Concepts: Interval](https://reader031.vdocuments.us/reader031/viewer/2022022009/5af425d67f8b9ae9488ba407/html5/thumbnails/11.jpg)
SERL
National Airspace Upgrades
10
• Use of new technologies with little prior experience in this environment
• Reliance on software increasing and allowing greater system complexity
[IHO 2013]
• Human assuming more supervisory
roles over automation, requiring more
cognitively complex human decision
making
![Page 12: Hazard Analysis of NextGen Arrival Phase of Flight …psas.scripts.mit.edu/home/wp-content/uploads/2014/03/...SERL Hazard Analysis of NextGen Arrival Phase of Flight Concepts: Interval](https://reader031.vdocuments.us/reader031/viewer/2022022009/5af425d67f8b9ae9488ba407/html5/thumbnails/12.jpg)
SERL
National Airspace Upgrades
11
• Increased coupling
and inter-
connectivity among
airborne, ground,
and satellite
systems
• Control shifting
from ground to
aircraft and shared
responsibilities
[IHO 2013]
![Page 13: Hazard Analysis of NextGen Arrival Phase of Flight …psas.scripts.mit.edu/home/wp-content/uploads/2014/03/...SERL Hazard Analysis of NextGen Arrival Phase of Flight Concepts: Interval](https://reader031.vdocuments.us/reader031/viewer/2022022009/5af425d67f8b9ae9488ba407/html5/thumbnails/13.jpg)
SERL
National Airspace Upgrades
• Attempts to re-engineer the NAS in the past have been not been terribly successful and have been very slow, partly due to inability to assure safety of the changes.
• Question: How can NAS be re-engineered incrementally without negatively impacting safety?
• Hypothesis:
– Rethinking of how to do safety assurance required to successfully introduce NextGen concepts
– Applying a new approach to safety based on systems theory can improve our ability to assure safety in these complex systems
12
![Page 14: Hazard Analysis of NextGen Arrival Phase of Flight …psas.scripts.mit.edu/home/wp-content/uploads/2014/03/...SERL Hazard Analysis of NextGen Arrival Phase of Flight Concepts: Interval](https://reader031.vdocuments.us/reader031/viewer/2022022009/5af425d67f8b9ae9488ba407/html5/thumbnails/14.jpg)
SERL
Agenda
• Background
• NextGen Example
• Analysis
• Future
13
![Page 15: Hazard Analysis of NextGen Arrival Phase of Flight …psas.scripts.mit.edu/home/wp-content/uploads/2014/03/...SERL Hazard Analysis of NextGen Arrival Phase of Flight Concepts: Interval](https://reader031.vdocuments.us/reader031/viewer/2022022009/5af425d67f8b9ae9488ba407/html5/thumbnails/15.jpg)
SERL
Interval Management – Spacing
• Arrival Interval Management – Spacing (IM-S)
concept facilitates use of flow management
constraints, while
– Enabling efficient descent patterns (OPDs)
– Reducing congestion in the arrival sector
– Increasing throughput
14
![Page 16: Hazard Analysis of NextGen Arrival Phase of Flight …psas.scripts.mit.edu/home/wp-content/uploads/2014/03/...SERL Hazard Analysis of NextGen Arrival Phase of Flight Concepts: Interval](https://reader031.vdocuments.us/reader031/viewer/2022022009/5af425d67f8b9ae9488ba407/html5/thumbnails/16.jpg)
SERL
Interval Management – Spacing
15
Traditional Approach
Approach using IM-S
[FAA 2013]
![Page 17: Hazard Analysis of NextGen Arrival Phase of Flight …psas.scripts.mit.edu/home/wp-content/uploads/2014/03/...SERL Hazard Analysis of NextGen Arrival Phase of Flight Concepts: Interval](https://reader031.vdocuments.us/reader031/viewer/2022022009/5af425d67f8b9ae9488ba407/html5/thumbnails/17.jpg)
SERL
2 Versions of IM-S
Ground-based (GIM-S)
Domain Capability
Center
TFM
• Trajectory modeling
• CDT/FMT constraint
assignment
• Speed advisory
generation and
validation without
sector-level problem
status
En route
ATC
Speed advisory
• Notification
• Indicators
• Responses
• Display control
Terminal
ATC
Tower
• Constraint List
Flight
deck
ADS-B Out (optional)
Flight Deck-Based (FIM-S)
Domain Capability
Flight
crew
• determining if an IM Operation is
desirable;
• determining the IM Aircraft, the Target
Aircraft, the Assigned Spacing Goal
and all other IM Clearance
information; verifying that all initiation
criteria are met …
• communicating the IM Clearance to the
IM Aircraft;
• ensuring separation between the IM
Aircraft and all other aircraft, including
the Target Aircraft;
• terminating the IM Operation if the
ATM goal is no longer applicable or is
not being met
• resuming non-IM Operations whenever
the IM Operation is terminated.
16 [FAA 2013] [RTCA 2011]
![Page 18: Hazard Analysis of NextGen Arrival Phase of Flight …psas.scripts.mit.edu/home/wp-content/uploads/2014/03/...SERL Hazard Analysis of NextGen Arrival Phase of Flight Concepts: Interval](https://reader031.vdocuments.us/reader031/viewer/2022022009/5af425d67f8b9ae9488ba407/html5/thumbnails/18.jpg)
SERL
2 Versions of IM-S
Ground-based (GIM-S)
Domain Capability
Center
TFM
• Trajectory modeling
• CDT/FMT constraint
assignment
• Speed advisory
generation and
validation without
sector-level problem
status
En route
ATC
Speed advisory
• Notification
• Indicators
• Responses
• Display control
Terminal
ATC
Tower
• Constraint List
Flight
deck
ADS-B Out (optional)
Flight Deck-Based (FIM-S)
Domain Capability
Flight
crew
• determining whether to accept or reject
the IM Clearance;
• making the IM Clearance information
available to the FIM Equipment;
confirming Target Aircraft
Identification to the controller;
• determining if ownship (i.e., IM
Aircraft) is capable of performing the
instructed maneuvers
• informing the controller whether they
accept or reject the IM Clearance;
• following the IM Speed and IM Turn
Point provided;
• monitoring conformance with the IM
Clearance; and
• informing the controller when the flight
crew wishes to terminate the IM
Operation. 17 [FAA 2013]
![Page 19: Hazard Analysis of NextGen Arrival Phase of Flight …psas.scripts.mit.edu/home/wp-content/uploads/2014/03/...SERL Hazard Analysis of NextGen Arrival Phase of Flight Concepts: Interval](https://reader031.vdocuments.us/reader031/viewer/2022022009/5af425d67f8b9ae9488ba407/html5/thumbnails/19.jpg)
SERL
Agenda
• Background
• NextGen Example
• Analysis
• Future
18
![Page 20: Hazard Analysis of NextGen Arrival Phase of Flight …psas.scripts.mit.edu/home/wp-content/uploads/2014/03/...SERL Hazard Analysis of NextGen Arrival Phase of Flight Concepts: Interval](https://reader031.vdocuments.us/reader031/viewer/2022022009/5af425d67f8b9ae9488ba407/html5/thumbnails/20.jpg)
SERL
Analysis Process
• Identify accidents and hazards to be analyzed
• Systems-Theoretic Process Analysis (STPA)
1. Draw the control structure
• Identify major components and controllers
• Label the control/feedback arrows
2. Identify Unsafe Control Actions (UCAs)
• Derive corresponding safety constraints
3. Identify Causal Factors
• Create controller process models
• Analyze controller, control/feedback paths, process
19
![Page 21: Hazard Analysis of NextGen Arrival Phase of Flight …psas.scripts.mit.edu/home/wp-content/uploads/2014/03/...SERL Hazard Analysis of NextGen Arrival Phase of Flight Concepts: Interval](https://reader031.vdocuments.us/reader031/viewer/2022022009/5af425d67f8b9ae9488ba407/html5/thumbnails/21.jpg)
SERL
Hazards Considered
• H-1: A pair of controlled aircraft violate
minimum separation standards (LOS)
• H-2: Aircraft enters unsafe atmospheric region
• H-3: Aircraft enters uncontrolled state
• H-4: Aircraft enters unsafe attitude
• H-5: Aircraft enters a prohibited area
20
![Page 22: Hazard Analysis of NextGen Arrival Phase of Flight …psas.scripts.mit.edu/home/wp-content/uploads/2014/03/...SERL Hazard Analysis of NextGen Arrival Phase of Flight Concepts: Interval](https://reader031.vdocuments.us/reader031/viewer/2022022009/5af425d67f8b9ae9488ba407/html5/thumbnails/22.jpg)
SERL
Analysis Process
• Identify accidents and hazards to be analyzed
• Systems-Theoretic Process Analysis (STPA)
1. Draw the control structure
• Identify major components and controllers
• Label the control/feedback arrows
2. Identify Unsafe Control Actions (UCAs)
• Derive corresponding safety constraints
3. Identify Causal Factors
• Create controller process models
• Analyze controller, control/feedback paths, process
21
![Page 23: Hazard Analysis of NextGen Arrival Phase of Flight …psas.scripts.mit.edu/home/wp-content/uploads/2014/03/...SERL Hazard Analysis of NextGen Arrival Phase of Flight Concepts: Interval](https://reader031.vdocuments.us/reader031/viewer/2022022009/5af425d67f8b9ae9488ba407/html5/thumbnails/23.jpg)
SERL
Ground-based IM-S (GIM-S)
22
En Route ATC Capabilities
• Speed Advisory Notification
Indicators
Responses
Display control
Flight Deck Capabilities
• ADS-B Out (optional)
Terminal ATC Capabilities
• Tower Constraint list
Center TFM Capabilities
• Trajectory modeling
• Constraint assignment
• Speed advisory generation
and validation
Flight plans and
amendments
• Speed advisory
acceptance and
cancellation
• Flight plans and
amendments
• Fused radar track
reports
• ADS-B reported
position, altitude,
velocity, and Time
of Applicability -
position
• Clearance
responses
• Flight crew
requests
Clearances
ADS-B
Information
TFM CDT constraint
information
TFM FMT
constraint and
speed advisory
information
Fused
track
reports
CDM information to (and
from) the Command
Center
[IM-S ConOps]
![Page 24: Hazard Analysis of NextGen Arrival Phase of Flight …psas.scripts.mit.edu/home/wp-content/uploads/2014/03/...SERL Hazard Analysis of NextGen Arrival Phase of Flight Concepts: Interval](https://reader031.vdocuments.us/reader031/viewer/2022022009/5af425d67f8b9ae9488ba407/html5/thumbnails/24.jpg)
SERL
GIM-S Control Structure
23
Aircraft
Flight Crew
ATC
Instructions & Clearances
Execute Maneuvers
Requests & Acknowledgements
Aircraft status, Position, etc…
En Route Air Traffic Controller
Flight Crew /Aircraft
TRACON
TFMCenter
FlightOperations
Center
Aircraft 2
Aircraft 3
Aircraft n
GNSSRADAR
Aircraft 1
![Page 25: Hazard Analysis of NextGen Arrival Phase of Flight …psas.scripts.mit.edu/home/wp-content/uploads/2014/03/...SERL Hazard Analysis of NextGen Arrival Phase of Flight Concepts: Interval](https://reader031.vdocuments.us/reader031/viewer/2022022009/5af425d67f8b9ae9488ba407/html5/thumbnails/25.jpg)
SERL
Analysis Process
• Identify accidents and hazards to be analyzed
• Systems-Theoretic Process Analysis (STPA)
1. Draw the control structure
• Identify major components and controllers
• Label the control/feedback arrows
2. Identify Unsafe Control Actions (UCAs)
• Derive corresponding safety constraints
3. Identify Causal Factors
• Create controller process models
• Analyze controller, control/feedback paths, process
24
![Page 26: Hazard Analysis of NextGen Arrival Phase of Flight …psas.scripts.mit.edu/home/wp-content/uploads/2014/03/...SERL Hazard Analysis of NextGen Arrival Phase of Flight Concepts: Interval](https://reader031.vdocuments.us/reader031/viewer/2022022009/5af425d67f8b9ae9488ba407/html5/thumbnails/26.jpg)
SERL
Unsafe Control Actions
Control
Action
Not Providing
Causes Hazard
Providing Causes
Hazard
Too soon, too late,
out of sequence
Stopped too
soon, applied
too long
Modify
Speed
Not providing a
speed
modification is
hazardous when
the current speed
leads to LOS
Providing a speed
modification is
hazardous if it is
the incorrect speed
Providing a speed
modification to
aircraft “i” is
hazardous if given
after (before) a
related clearance*
was already provided
to aircraft “j”
Providing a speed
modification is
hazardous if it
exceeds the aircraft
capability
(overspeed or stall)
Providing speed
modification too late
after conditions (e.g.
weather, aircraft
speed, heading, etc)
in TBFM trajectory
model have changed
25 [Not a full table. Full table shown in backup slides]
![Page 27: Hazard Analysis of NextGen Arrival Phase of Flight …psas.scripts.mit.edu/home/wp-content/uploads/2014/03/...SERL Hazard Analysis of NextGen Arrival Phase of Flight Concepts: Interval](https://reader031.vdocuments.us/reader031/viewer/2022022009/5af425d67f8b9ae9488ba407/html5/thumbnails/27.jpg)
SERL
Analysis Process
• Identify accidents and hazards to be analyzed
• Systems-Theoretic Process Analysis (STPA)
1. Draw the control structure
• Identify major components and controllers
• Label the control/feedback arrows
2. Identify Unsafe Control Actions (UCAs)
• Derive corresponding safety constraints
3. Identify Causal Factors
• Create controller process models
• Analyze controller, control/feedback paths, process
26
![Page 28: Hazard Analysis of NextGen Arrival Phase of Flight …psas.scripts.mit.edu/home/wp-content/uploads/2014/03/...SERL Hazard Analysis of NextGen Arrival Phase of Flight Concepts: Interval](https://reader031.vdocuments.us/reader031/viewer/2022022009/5af425d67f8b9ae9488ba407/html5/thumbnails/28.jpg)
SERL
Create Controller Process Models
27
En Route ATC Process Model
Aircraft / FC Model
Airspace Model
TFM Automation Model
ClearanceDecisionmaking
Flight Crew*
RADAR,ADS-B
Voice Comm,
Datalink
Contextual factors
Inputs
Center TFM
TFMAdvisory
BeaconSystem,
GNSS
Control Process: Airspace
![Page 29: Hazard Analysis of NextGen Arrival Phase of Flight …psas.scripts.mit.edu/home/wp-content/uploads/2014/03/...SERL Hazard Analysis of NextGen Arrival Phase of Flight Concepts: Interval](https://reader031.vdocuments.us/reader031/viewer/2022022009/5af425d67f8b9ae9488ba407/html5/thumbnails/29.jpg)
SERL
Controller Process Model Example
28
En Route ATC Process Model
Aircraft / FC Model Aircraft type Aircraft capability (ascent/
descent rate, stall speed) Aircraft ID Current location Current airspeed, vertical
speed, Current altitude Current advisory(ies)
Airspace Model Separation requirement Current separation, own
airspace Predicted separation, own
airspace Current downstream sector
(TRACON) capacity Predicted downstream sector
(TRACON) capacity Environment (wind,
convective weather)
TFM Automation Model Sequence algorithm (how it
decides which aircraft go first in flow)
Trajectory model CDT / FMT constraint
assignment, list User interface (how
information is displayed, user options, modifications
Clearancedecision making
Flight Crew*
Datalink(CPDLC)
ADS-B
RADARFlight Crew
Voice Comm
Control Process: Airspace Capacity Spacing, sequencing Aircraft trajectories
Contextual factors
Inputs
UCA1. Speed modification not given when current speed would result in imminent LOS
Center TFM
TFMAdvisory
Weather Winds Convective weather
OPDs are an increasingly important aspect of traffic mgmt
En route interval management has different level of priority now than in the past
Different downstream sectors might have different capacity constraints
Own sector traffic demands vs up/down stream demands
Procedures from FAA (?) Downstream capacity updates Upstream traffic constraints
* Flight crew considered to be actuation mechanism for maintaining/modifying airspace conditions. Thus, they (FC) must modify their own aircraft trajectory either via manual control or updating FMS, etc. This assumption could be validated in future implementations where updated flight plans could be input directly to the FMS from the ground, via ATC or operation center, or other.
CDT: constrained departure timeFMT: flow management time
BeaconSystem
GNSS
![Page 30: Hazard Analysis of NextGen Arrival Phase of Flight …psas.scripts.mit.edu/home/wp-content/uploads/2014/03/...SERL Hazard Analysis of NextGen Arrival Phase of Flight Concepts: Interval](https://reader031.vdocuments.us/reader031/viewer/2022022009/5af425d67f8b9ae9488ba407/html5/thumbnails/30.jpg)
SERL
Overall GIM-S Control Structure
29
Aircraft 1
En Route Air Traffic Controller
Flight Crew /Aircraft
CA.ERATCClearance,
Speed mod,‘other’
IF.FOCCDM Info
IF.TFMCDM Info
IF.TATCFlight plans,
Amendments
IF.FOCIF.FC1
FB.TFM3Flight plan
PositionHeadingAirspeed
TRACON
TFMCenter
FlightOperations
Center
FMS
FB.ERATCClearance response,
FC request
CA.TFMFMT ConstraintSpeed advisory
(long,vert)
Aircraft 2 Aircraft 3 Aircraft n CDTI
FCS
ADS-B
EVS/SVS/HUD
FB.TFM1
IF.FC2
EFB
CA.FC1
FB.FC2
FB.FC1
CA.FC1
GNSSRADAR
IF.ERATC
FB.TFM1 Speed advisory
acceptance & cancellation
Flight plans and amendments
Fused radar track reports ADS-B reported position,
alt, speed, and Time of Applicability (position)
IF.FC2 Nav charts Op manual for a/c FB.FC1 Ownship position Other a/c position Weather FB.FC1 Heading Angle of attack Airspeed
FB.TFM3Fused track
reports
CA.FC1 Input flight
plan Modify flight
plan CA.FC1 Modify
airspeed Modify
altitude Modify
heading
Aircraft 1
En Route Air Traffic Controller
Flight Crew /Aircraft
CA.ERATCClearance,
Speed mod,‘other’
IF.FOCCDM Info
IF.TFMCDM Info
IF.TATCFlight plans,
Amendments
IF.FOCIF.FC1
FB.TFM3Flight plan
PositionHeadingAirspeed
TRACON
TFMCenter
FlightOperations
Center
FMS
FB.ERATCClearance response,
FC request
CA.TFMFMT ConstraintSpeed advisory
(long,vert)
Aircraft 2 Aircraft 3 Aircraft n CDTI
FCS
ADS-B
EVS/SVS/HUD
FB.TFM1
IF.FC2
EFB
CA.FC1
FB.FC2FB.FC1
CA.FC1
GNSSRADAR
IF.ERATC
FB.TFM1 Speed advisory
acceptance & cancellation
Flight plans and amendments
Fused radar track reports ADS-B reported position,
alt, speed, and Time of Applicability (position)
IF.FC2 Nav charts Op manual for a/c FB.FC1 Ownship position Other a/c position Weather FB.FC1 Heading Angle of attack Airspeed
FB.TFM3Fused track
reports
CA.FC1 Input flight
plan Modify flight
plan CA.FC1 Modify
airspeed Modify
altitude Modify
heading
Crew /Aircraft
Crew /Aircraft
Crew /Aircraft
Aircraft 1
En Route Air Traffic Controller
Flight Crew /Aircraft
CA.ERATCClearance,
Speed mod,‘other’
IF.FOCCDM Info
IF.TFMCDM Info
IF.TATCFlight plans,
Amendments
IF.FOCIF.FC1
FB.TFM3Flight plan
PositionHeadingAirspeed
TRACON
TFMCenter
FlightOperations
Center
FMS
FB.ERATCClearance response,
FC request
CA.TFMFMT ConstraintSpeed advisory
(long,vert)
Aircraft 2 Aircraft 3 Aircraft n CDTI
FCS
ADS-B
EVS/SVS/HUD
FB.TFM1
IF.FC2
EFB
CA.FC1
FB.FC2
FB.FC1
CA.FC1
GNSSRADAR
IF.ERATC
FB.TFM1 Speed advisory
acceptance & cancellation
Flight plans and amendments
Fused radar track reports ADS-B reported position,
alt, speed, and Time of Applicability (position)
IF.FC2 Nav charts Op manual for a/c FB.FC1 Ownship position Other a/c position Weather FB.FC1 Heading Angle of attack Airspeed
FB.TFM3Fused track
reports
CA.FC1 Input flight
plan Modify flight
plan CA.FC1 Modify
airspeed Modify
altitude Modify
heading
![Page 31: Hazard Analysis of NextGen Arrival Phase of Flight …psas.scripts.mit.edu/home/wp-content/uploads/2014/03/...SERL Hazard Analysis of NextGen Arrival Phase of Flight Concepts: Interval](https://reader031.vdocuments.us/reader031/viewer/2022022009/5af425d67f8b9ae9488ba407/html5/thumbnails/31.jpg)
SERL
Analysis Process
• Identify accidents and hazards to be analyzed
• Systems-Theoretic Process Analysis (STPA)
1. Draw the control structure
• Identify major components and controllers
• Label the control/feedback arrows
2. Identify Unsafe Control Actions (UCAs)
• Derive corresponding safety constraints
3. Identify Causal Factors
• Create controller process models
• Analyze controller, control/feedback paths, process
30
![Page 32: Hazard Analysis of NextGen Arrival Phase of Flight …psas.scripts.mit.edu/home/wp-content/uploads/2014/03/...SERL Hazard Analysis of NextGen Arrival Phase of Flight Concepts: Interval](https://reader031.vdocuments.us/reader031/viewer/2022022009/5af425d67f8b9ae9488ba407/html5/thumbnails/32.jpg)
SERL
Identifying Causal Factors
31
Inadequate Control
Algorithm
(Flaws in creation,
Process changes,
Incorrect modification
or adaptation)
Component failures
Changes over time
4
Inadequate
operation
3
Controller
Actuator
Controlled Process
Sensor
Process Model
inconsistent,
incomplete, or
incorrect
3 2
Controller 2
1
Inappropriate,
ineffective or missing
control action
Delayed
operation
Control input or
external information
wrong or missing
Inadequate or
missing feedback
Feedback delays
Incorrect or no
Information provided
Measurement
inaccuracies
Feedback delays
Inappropriate,
ineffective or missing
control action
Process output
contributes to
system hazard
Process input
missing or wrong
Conflicting control actions
Inadequate
operation
4
![Page 33: Hazard Analysis of NextGen Arrival Phase of Flight …psas.scripts.mit.edu/home/wp-content/uploads/2014/03/...SERL Hazard Analysis of NextGen Arrival Phase of Flight Concepts: Interval](https://reader031.vdocuments.us/reader031/viewer/2022022009/5af425d67f8b9ae9488ba407/html5/thumbnails/33.jpg)
SERL
En Route ATC Process Model
Aircraft / FC Model
Airspace Model
TFM Automation Model
ClearanceDecisionmaking
Flight Crew*
RADAR,ADS-B
Voice Comm,
Datalink
Contextual factors
Inputs
Center TFM
TFMAdvisory
BeaconSystem,
GNSS
Control Process: Airspace
Checking for Missing Feedback
32
Are these loops “closed”?
![Page 34: Hazard Analysis of NextGen Arrival Phase of Flight …psas.scripts.mit.edu/home/wp-content/uploads/2014/03/...SERL Hazard Analysis of NextGen Arrival Phase of Flight Concepts: Interval](https://reader031.vdocuments.us/reader031/viewer/2022022009/5af425d67f8b9ae9488ba407/html5/thumbnails/34.jpg)
SERL
Example from IM-S ConOps
• “In some cases, operational conditions in the
sector may not support the controller’s
acceptance of a speed advisory. For these cases,
controllers can enter the advisory rejection into
the automation, allow the advisory to time out, or
choose a different speed (these responses are not
sent to the TFM automation)” [SBS IM-S ConOps, 2013]
33
![Page 35: Hazard Analysis of NextGen Arrival Phase of Flight …psas.scripts.mit.edu/home/wp-content/uploads/2014/03/...SERL Hazard Analysis of NextGen Arrival Phase of Flight Concepts: Interval](https://reader031.vdocuments.us/reader031/viewer/2022022009/5af425d67f8b9ae9488ba407/html5/thumbnails/35.jpg)
SERL
Example from IM-S ConOps
• “In some cases, operational conditions in the
sector may not support the controller’s
acceptance of a speed advisory. For these cases,
controllers can enter the advisory rejection into
the automation, allow the advisory to time out, or
choose a different speed (these responses are not
sent to the TFM automation)” [SBS IM-S ConOps, March 2013, emphasis added]
34
Potential question about design:
Is feedback missing for TFM automation?
![Page 36: Hazard Analysis of NextGen Arrival Phase of Flight …psas.scripts.mit.edu/home/wp-content/uploads/2014/03/...SERL Hazard Analysis of NextGen Arrival Phase of Flight Concepts: Interval](https://reader031.vdocuments.us/reader031/viewer/2022022009/5af425d67f8b9ae9488ba407/html5/thumbnails/36.jpg)
SERL
Example Causal Factor
• ATC process model flaw – ATC believes that TFM
automation is using same data as he/she sees
– ATC believes TFM uses same ‘algorithm’ (procedure) to determine advisories
• TFM process model flaw – Inaccurate information about
airspace
– e.g. Amended flight plan not provided for trajectory modeling
– e.g. Aircraft 1 in scenario (following slides) not ADS-B equipped, or ADS-B not updated correctly
35
En Route ATC Process Model
Aircraft / FC Model
Airspace Model
TBFM Automation Model
ClearanceDecisionmaking
Flight Crew*
RADAR,ADS-B
Voice Comm,
Datalink
Contextual factors
Inputs
Center TFM
TBFMAdvisory
BeaconSystem,
GNSS
Control Process: Airspace
![Page 37: Hazard Analysis of NextGen Arrival Phase of Flight …psas.scripts.mit.edu/home/wp-content/uploads/2014/03/...SERL Hazard Analysis of NextGen Arrival Phase of Flight Concepts: Interval](https://reader031.vdocuments.us/reader031/viewer/2022022009/5af425d67f8b9ae9488ba407/html5/thumbnails/37.jpg)
SERL
Scenario
36
t0 FMP1
AC1
ACk
AC2 AC3
• TFM generates advisory for AC1
• ATC gives different (faster) speed to AC1 due
to conflict with ACk
• ATC lets TFM advisory time out
![Page 38: Hazard Analysis of NextGen Arrival Phase of Flight …psas.scripts.mit.edu/home/wp-content/uploads/2014/03/...SERL Hazard Analysis of NextGen Arrival Phase of Flight Concepts: Interval](https://reader031.vdocuments.us/reader031/viewer/2022022009/5af425d67f8b9ae9488ba407/html5/thumbnails/38.jpg)
SERL
Scenario
37
t0
t1
FMP1
FMP1
AC1
ACk
AC2 AC3
AC1
ACk
AC2 AC3
• TFM generates advisory for AC1
• ATC gives different (faster) speed to AC1 due
to conflict with ACk
• ATC lets TFM advisory time out
• TFM generates new advisory for AC1 (using
assumptions based on t0 condition)
• ATC accepts advisory
![Page 39: Hazard Analysis of NextGen Arrival Phase of Flight …psas.scripts.mit.edu/home/wp-content/uploads/2014/03/...SERL Hazard Analysis of NextGen Arrival Phase of Flight Concepts: Interval](https://reader031.vdocuments.us/reader031/viewer/2022022009/5af425d67f8b9ae9488ba407/html5/thumbnails/39.jpg)
SERL
Scenario
38
t0
t1
t2
FMP1
FMP1
FMP1
AC1
ACk
AC2 AC3
AC1
ACk
AC2 AC3
AC2 AC1
• TFM generates advisory for AC1
• ATC gives different (faster) speed to AC1 due
to conflict with ACk
• ATC lets TFM advisory time out
• TFM generates new advisory for AC1 (using
assumptions based on t0 condition)
• ATC accepts advisory
• At t1, TFM did not have updated model of
aircraft position
• ATC did not update flight plan due to
concentration on conflict
![Page 40: Hazard Analysis of NextGen Arrival Phase of Flight …psas.scripts.mit.edu/home/wp-content/uploads/2014/03/...SERL Hazard Analysis of NextGen Arrival Phase of Flight Concepts: Interval](https://reader031.vdocuments.us/reader031/viewer/2022022009/5af425d67f8b9ae9488ba407/html5/thumbnails/40.jpg)
SERL
FIM Analysis – Flight Crew
39
Flight Crew Process Model
Aircraft / FBW Model Aircraft capability (ascent/
descent rate, stall speed) Current location Current airspeed, vertical
speed, heading Current altitude Current advisory(ies) Flight Plan FMS/autopilot mode Aircraft state (anomaly,
degraded modes, etc)
Airspace Model Separation requirement Current separation Predicted separation Environment (wind,
convective weather) Sequencing or flow goals Restricted airspace or other
restrictions
FIM Automation Model Algorithm e.g. how it generates Turn
Point How it generates aircraft
speed, particularly when achieve-by is given as a range
Trajectory model Constraint assignment,
speed/alt/etc User interface (how
information is displayed, user options, modifications
Navigation& Control
FMC,Yoke/Sidestick
Control Process: Aircraft Heading Airspeed Altitude Other aircraft functions (landing
gear, trim, etc)
Contextual factors
Inputs
Weather Winds Convective weather
![Page 41: Hazard Analysis of NextGen Arrival Phase of Flight …psas.scripts.mit.edu/home/wp-content/uploads/2014/03/...SERL Hazard Analysis of NextGen Arrival Phase of Flight Concepts: Interval](https://reader031.vdocuments.us/reader031/viewer/2022022009/5af425d67f8b9ae9488ba407/html5/thumbnails/41.jpg)
SERL
FIM Analysis – ATC
40
En Route ATC Process Model
Aircraft / FC Model Aircraft type Aircraft capability (ascent/
descent rate, stall speed) Aircraft ID Current location Current airspeed, vertical
speed, heading Current altitude Current advisory(ies) /
Clearance types
Airspace Model Separation requirement Current separation, own
airspace Predicted separation, own
airspace Current downstream sector
(TRACON) capacity Predicted downstream sector
(TRACON) capacity Environment (wind,
convective weather) Sequencing or flow
FIM Model Target Aircraft ID Assigned Spacing Goal IM Clearance Type Starting Event (as applicable) Achieve-by Point (as
applicable) Intercept Point (as
applicable) Planned Termination Point IM Tolerance Performance Level Target Aircraft Intended
Flight Path Information
Clearancedecision making
Flight Crew*
Datalink(CPDLC)
ADS-B
RADARFlight Crew
Voice Comm
Control Process: Airspace Capacity Spacing, sequencing Aircraft trajectories
Contextual factors
Inputs
IM DST**
Weather Winds Convective weather
FIM incentivized during high workload environment (ATC workload) due to the fact that it puts more of an onus on flight crews and their avionics
BeaconSystem
GNSS
** Analysts are unsure of what Decision Support Tools or automation will be required or available for FIM
![Page 42: Hazard Analysis of NextGen Arrival Phase of Flight …psas.scripts.mit.edu/home/wp-content/uploads/2014/03/...SERL Hazard Analysis of NextGen Arrival Phase of Flight Concepts: Interval](https://reader031.vdocuments.us/reader031/viewer/2022022009/5af425d67f8b9ae9488ba407/html5/thumbnails/42.jpg)
SERL
Scenario
41
ARTCCj ARTCCk
TRACONi
FM1
TG1
FM2
TG2
Time: t0
Merge point for TOD,
STAR, or other route
ARTCCk assigns IM
interval to FM2, relative
to TG2 of precisely 60s
ARTCCj assigns IM
interval to FM1, relative
to TG1 of precisely 60s
Sector Boundary
![Page 43: Hazard Analysis of NextGen Arrival Phase of Flight …psas.scripts.mit.edu/home/wp-content/uploads/2014/03/...SERL Hazard Analysis of NextGen Arrival Phase of Flight Concepts: Interval](https://reader031.vdocuments.us/reader031/viewer/2022022009/5af425d67f8b9ae9488ba407/html5/thumbnails/43.jpg)
SERL
Scenario
42
ARTCCj ARTCCk
TRACONi
FM1
TG1
FM2
TG2
Time: t1
TRACONi assigns IM
interval to TG2, relative
to TG1 of precisely 60s
Sector Boundary
![Page 44: Hazard Analysis of NextGen Arrival Phase of Flight …psas.scripts.mit.edu/home/wp-content/uploads/2014/03/...SERL Hazard Analysis of NextGen Arrival Phase of Flight Concepts: Interval](https://reader031.vdocuments.us/reader031/viewer/2022022009/5af425d67f8b9ae9488ba407/html5/thumbnails/44.jpg)
SERL
Scenario
43
ARTCCj ARTCCk
TRACONi
FM1
TG1
FM2
TG2
Time: t2
Sector Boundary
![Page 45: Hazard Analysis of NextGen Arrival Phase of Flight …psas.scripts.mit.edu/home/wp-content/uploads/2014/03/...SERL Hazard Analysis of NextGen Arrival Phase of Flight Concepts: Interval](https://reader031.vdocuments.us/reader031/viewer/2022022009/5af425d67f8b9ae9488ba407/html5/thumbnails/45.jpg)
SERL
Agenda
• Background
• NextGen Example
• Analysis
• Future
44
![Page 46: Hazard Analysis of NextGen Arrival Phase of Flight …psas.scripts.mit.edu/home/wp-content/uploads/2014/03/...SERL Hazard Analysis of NextGen Arrival Phase of Flight Concepts: Interval](https://reader031.vdocuments.us/reader031/viewer/2022022009/5af425d67f8b9ae9488ba407/html5/thumbnails/46.jpg)
SERL
Current & Future Work
• Can we do the analysis even earlier?
– Analyze concepts with less maturity
– Assist decision-makers in design
– Actually develop concepts?
45
![Page 47: Hazard Analysis of NextGen Arrival Phase of Flight …psas.scripts.mit.edu/home/wp-content/uploads/2014/03/...SERL Hazard Analysis of NextGen Arrival Phase of Flight Concepts: Interval](https://reader031.vdocuments.us/reader031/viewer/2022022009/5af425d67f8b9ae9488ba407/html5/thumbnails/47.jpg)
SERL
References 1. AO-2010-089, In-flight uncontained engine failure Airbus A380-842, VH-OQA, overhead Batam Island,
Indonesia, Australian Transporation Safety Board, 4 November 2010
2. Rushe, D. Boeing 787 Dreamliner's failed battery was wired incorrectly, Japan says, 20 February, 2013. http://www.theguardian.com/business/2013/feb/20/boeing-dreamliner-failed-battery-wired
3. Gara, T. FAA Statement: Boeing 787 Dreamliner Grounded, For Now, Wall Street Journal Blog, 16 January 2013.
4. Society of Automotive Engineers, SAE International. Guidelines for Development of Civil Aircraft and Systems, Aerospace Recommended Practice, ARP4754 REV. A, Issued 1996-11, Revised 2010-12
5. Kapurch, Stephen J., ed. NASA Systems Engineering Handbook. DIANE Publishing, 2010.
6. Surveillance and Broadcast Services (SBS) Concept of Operations Arrival Interval Management – Spacing (IM-S), PMO-010, Revision 02, Final March 1, 2013
7. IHO blog, http://iho.hu/blogpost/jelek-a-magasbol-1-radarokrol-transzponderekrol-131105, 11/6/2013, accessed 17 March 2014
8. FAA Surveillance and Broadcast Services (SBS) Concept of Operations. Arrival Interval Management – Spacing (IM-S) Concept of Operations for the Mid-Term Timeframe, PMO-010, Revision 02 Final March 1, 2013
9. RTCA. Safety, Performance and Interoperability Requirements Document for Airborne Spacing – Flight Deck Interval Management (ASPA-FIM), RTCA DO-328 Prepared by: SC-186, June 22, 2011
10. Interagency Airpsace Coordination, FAA and USDA, http://airspacecoordination.org/guide/index.html, accessed 22 March 2014
11. Ascent Ground School, http://www.ascentgroundschool.com/index.php/faa-references/instrument-flying-handbook/151-chapter-8-the-national-airspace-system, copyright 2013, accessed 22 March 2014
12. Aviation News, http://www.aviationnews.eu/2011/09/08/lockheed-martin-upgrades-air-traffic-control-system-in-nation%E2%80%99s-second-busiest-airspace/, Copyright 2014, accessed 23 March 2014
46