A Risk Assessment Model for Free Flight Terminal Area Reduced Separation

航空

游客，如果您要查看本帖隐藏内容请回复

航空

A Risk Assessment Model for Free Flight-
Terminal Area Reduced Separation

by

Rick Cassell, Alex Smith, Roger Shepherd
Rannoch Corporation, 1800 Diagonal Road, Suite 430, Alexandria, VA 22314

ABSTRACT
Safety levels are a vital concern as new technologies and procedures are introduced into the National Airspace System. Despite a wealth of information from flight operations and testing programs, there is no accepted method to quantify the relationship between safety levels and aircraft separation standards in the terminal area. This paper presents a modeling approach to quantify the risk associated with reducing aircraft separation. The model is used to assess the overall level of safety associated with reducing separation standards and the introduction of new technology and procedures, as envisaged under the Free Flight concept.

INTRODUCTION
The objective of the research presented in this paper is to develop a computer model that will link aircraft separation to quantitative safety levels. The model is called the Reduced Aircraft Separation Risk Assessment Model (RASRAM). The modeling approach taken is to evaluate safety risks for a variety of flight scenarios relating to final approach, landing, and rollout for parallel and single runways. Although the emphasis is on the terminal area, the modeling research is applicable to the en route phases of flight. The research is being performed for NASA as an integral part of NASA’s Terminal Area Productivity (TAP) program, and in coordination with the FAA. NASA’s TAP program has the goal of achieving clear weather capacities in instrument weather conditions.
As defined by RTCA, free flight is “a safe and efficient flight operating capability under instrument flight rules in which the operators have the freedom to select their path and speed in real time. Air traffic restrictions are only imposed to ensure separation...”[1] Although free flight is generally thought to apply primarily to the en route environment it really encompasses all phases of flight or is “chock to chock” as stated by RTCA. It is recognized that with regard to the terminal area, free flight will have many more restrictions than for en route due to higher traffic density and proximity to the ground.
Nonetheless, RTCA concluded “this does not mean free flight will not be permitted; free flight is not a switch that’s either on or off. Rather, free flight is a broad concept extending throughout the en route and terminal airspace that permits maximum flexibility consistent with safety and assured separation.” There are several procedural changes anticipated for terminal area operations along with the introduction of new technologies to permit an incremental implementation of free flight. These include DGPS, Automatic Dependent Surveillance (ADS-B) and several technologies under development by the NASA TAP program - Center Tracon Automation System (CTAS), Automated Vortex Spacing System (AVOSS), Dynamic Runway Occupancy Measurement (DROM) and Airborne Information for Lateral Spacing (AILS). The basic approach of RASRAM is to quantify and compare the risk associated with current separation standards to that for reduced separation operations during instrument meteorological conditions considering procedural and technological changes.
The paper contains a brief review of prior separation modeling efforts and an overview of the initial RASRAM model development. Much of the effort was focused on integrating existing modeling work from other research, especially that related to precision runway monitoring. Three main modeling scenarios are presented: lateral separation during parallel approaches, runway occupancy, and wake vortex, the latter two dealing with in-trail separation. Several innovations in the model are discussed: the application of fault trees to separation risk modeling, integration of fixed and time dependent probability distributions, and use of a functional form instead of discrete points for response time distributions. This research was performed under contract to NASA and in cooperation with the FAA’s Office of System Safety (ASY). The views and opinions expressed in this paper are those of the authors and do not represent official policies of NASA or FAA.

PRIOR MODELING

This paper presents modeling that fits in the category of aircraft separation risk models. Separation models analyze the rules and procedural parameters that are applied to keep any two aircraft from getting dangerously close to each other. Most separation models focus on a single separation rule or standard such as the distance required between runway centerlines to allow the airport to operate independent approaches to a pair of runways. It is necessary for separation models to be defined in terms of a specific operational scenario in order to evaluate some crucial aspects of the subject separation standard. Risk models generally quantify safety in terms of the probability of the distance between two aircraft violating some minimum criteria. When the criteria is that aircraft are close enough to collide, the analysis is often called collision-risk modeling. Generally the operational scenario is considered safe if the probability of a near-miss is less than a certain target level of safety.
Separation risk modeling has been pursued independently in at least three domains of air traffic operations: oceanic, en route, and terminal. Table 1 lists the primary risk models that were reviewed in the development of RASRAM. Within these domains, separation risk models have been developed and refined over time by many researchers. Separation risk is treated as a function of three major components: aircraft performance, exposure, and intervention (see Figure 1). Aircraft performance refers to the ability of an aircraft to maintain conformance with its normal operating zone. A typical risk measure for performance is a probability distribution for the distance that a flight will stray from its assigned normal operating zone.

Table 1. Selected Separation Risk Models

Domain  Scenario  Separation  References 
Oceanic  Parallel track  Lateral  [2] [3] 
system 
Oceanic  Parallel track  In-trail  [2] 
system 
En Route  Parallel tracks  Lateral  [4] 
Terminal  Parallel final approaches  Lateral  [5] [6] 
Terminal  Single-runway approaches  In-trail  [7] 
Terminal  Landing and roll-out  In-trail  [8] 

In some scenarios, such as over the ocean, a flight may stray many miles without being a threat to, or threatened by, other traffic. The exposure component computes the risk that an unexpected aircraft poses to other traffic based on route configuration and traffic density, or the risk to an aircraft because of physical hazards such as wake vortices, obstructions, or the ground. A typical risk measure for exposure is a probability function for the closest approach between an aircraft and some other aircraft. These first two components would be sufficient to perform risk analysis if there were no independent surveillance and monitoring. Interventions mitigate the other risks; the effectiveness of the mitigation depends on the timing of the detailed steps of the intervention.
Separation Risk
Fig. 1. Aircraft Separation Risk Modeling Overview
MODEL DESCRIPTION
RASRAM is divided into the three scenarios shown in Figure 2. The general approach to the model development is discussed first, followed by the features for the three specific scenarios. Although not traditionally considered in separation models, we have included wake vortex to evaluate the safety of reduced in-trail separation between aircraft on final approach and landing.

Lateral Separation 

Blunder 

Fig. 2. Model Scenarios

Overview
The overall organization of RASRAM is a fault-tree analysis of the major failure modes in specific operational scenarios, emphasizing the effects of
Exposure
*
Route Configuration

*
Traffic Density

*  
Wake Vortex Strength

Aircraft
*  
Navigation Performance

*  
Response to Wake Vortices

Intervention
*  
Surveillance Performance

*
ATC

*
Pilot

*
Communications

separation parameters and the effects of applying new technologies. The approach includes time-budget analyses of dynamic interactions among multiple participants in a scenario, each with defined roles, responsibilities, information sources, and performance functions. Probability risk measures link accident risks to a hierarchy of fail-safe mechanisms characterized by procedures and interventions. The RASRAM methodology works directly with the functional form of probability distributions thus improving on models that rely entirely on Monte Carlo simulation techniques.
Fault trees are typically used in analyzing the events leading to potential failure modes of systems. The technique is based on the use of digital logic. Here an “OR” gate signifies that an event will occur if any one of the input events occurs. An “AND” gate signifies that an event will occur only if all of the input events occur simultaneously. Common usage of fault trees assumes the primary events have fixed probabilities of occurrence. For example, the probability of an event happening may be 2.0x10-4 per hour. If two events with this failure rate must occur simultaneously to result in a second event this would be represented by the AND gate, and the overall probability of occurrence is multiplicative and would be 4.0x10-8 per hour. If the occurrence of either of these two events could result in the outcome this would be represented by the OR gate, and the overall probability of occurrence is additive and would be 4.0x10-4.
We have applied this technique to RASRAM in a unique way. Instead of limiting fault tree events to fixed probabilities over time, we have incorporated events whose probabilities are characterized by time distributions. This is primarily the case for modeling response times. Examples are the time it takes an air traffic controller or pilot to respond to an event. These are typically characterized by curves where there is a high probability of response initially followed by increasingly smaller probabilities over time. In RASRAM both fixed probabilities and time dependent probabilities are integrated together.

SCENARIOS
Three scenarios are presented: lateral, in trail runway occupancy, and in-trail wake vortex.

Lateral Scenario
The operational context for this scenario is a pair of independent approaches to parallel runways. The defining characteristic is a blundering aircraft that strays from its own final approach, crossing the path of the other approach stream. Given a set of operational parameters, the parallel blunder scenario is considered safe if the performance of the technology and the response times of the pilots and the controllers are expected to keep the aircraft safely separated more frequently than an established target level of safety. The encounter geometry is shown in Figure 3.  In this scenario the blundering aircraft is assumed to continue on its path without responding to controller directives. The safety of the scenario is determined by the performance of the controller in detecting the blunder and issuing breakout instructions to the evader aircraft, and the performance of the pilot and aircraft in completing the evasive maneuver. Not shown here but also included in the model is the normal navigation performance of the two aircraft. That is, both aircraft will normally deviate laterally about the extended runway centerline. The lateral deviation distribution of the aircraft has been modeled statistically and included in the model.
Fault Tree: An initial fault tree for the lateral scenario is shown in Figure 4.  Three possible types of collision risk are identified: collision risk for aircraft on the parallel approaches; risk of a mid-air collision following a breakout; risk of collision with terrain following a breakout. The latter two are secondary risks in that a blunder of some duration or other non-normal event must occur first causing a breakout from the approach. Of primary interest is the risk of collision for aircraft on parallel approaches.

Evader Aircraft

Blunder Aircraft

 

Fig 3. Lateral Blunder Scenario
The initial event that must occur is a blunder as illustrated in Figure 3.  After the initial blunder there is the probability that the pilot of the blundering aircraft is able to intervene. Assuming the blundering aircraft crosses the parallel aircraft’s path the model then factors in the probability of encountering another aircraft depending upon traffic density, geometry (primarily breakout climb altitude) and relative velocities. The remaining portions of the fault tree are the effectiveness of ATC surveillance to detect and initiate evasive action by the endangered aircraft. The probability of the blunder and failure of evasive action are multiplied since both events must occur to result in a NMAC (Near Mid-Air Collision), which is defined to be a slant range separation less than 500 ft. As shown in the top right portion of the fault tree, the model includes risks associated with the breakout maneuver.
One portion of the model is based on the Blunder Risk Model associated with the Precision Runway Monitor (PRM) system [6,9]. The key parameters associated with the PRM are controller response time, communications delay, and pilot response time. Since time delays associated with any of these elements can cause a failure of evasive action they are summed through an OR gate in the fault tree. Finally, the fault tree incorporates the application of ADS-B to provide CDTI (Cockpit Display of Traffic Information) and the TCAS-like function AILS, a TAP technology currently under development. For reduced separation operations this replaces PRM in providing alerts when an aircraft deviates significantly from the approach. In this scenario, ATC and communications elements are eliminated, leaving only pilot response time. This illustrates why a TCAS-like function has the potential for allowing reductions in separation since it eliminates at least two delay factors in initiating aircraft breakouts. The total accident risk is determined after factoring in the ratios of NMACs to accident, since only a small portion of NMACs result in an collision when aircraft size is considered.
Time Budget Analysis: The major events in an encounter are blunder, warning, intervention, evasion, and termination (see Figure 3). For an evading aircraft that is at risk from the blundering aircraft, there is a finite time window for beginning an effective evasive maneuver. In RASRAM the time intervals consist of both fixed and probabilistic response times. For the probabilistic variables the overall time delays are obtained by computing the convolution of individual response times. An example is shown in Figure 5, which illustrates the convolution of controller and pilot response times.

Total Collision Risk

Collision Risk
Incident to Accident Ratio
NMAC Incident Risk
Probability of Aircraft
Breakout

Blunder Aircraft Crosses
Parallel Approach Path

Evasive Action Fails

 

Aircraft Not
Alerted

Aircraft Fails to
Breakout

 

PRM System
Failure

ADS-B System
Failure

Flight Control
System Failure

Pilot Failure

Ground
Aircraft
Data Link
Sensor
Equipment
Failure
Failure
Failure

Fig. 4. Lateral Scenario Fault Tree
probability value
Adding controller & pilot response times
Cumulative Distribution
0.4
100
0.3
CDF(%)
0.2
0.1
50
0
response time in seconds
pilot controller
combined
Fig. 5. Convolution of Response Times
0

This convolution was computed by using smooth splines fitted to the original data. Splines are piece-wise polynomial functions that are at least twice continuously differentiable. In the RASRAM approach, splines are used for probability distributions and many other functions. Splines offer a number of computational advantages, including allowing the approximation of a set of sample points in the usual least squares sense using straightforward linear regression techniques. When the approximated function is a statistical distribution, a spline can be fitted efficiently without knowing the parametric form of the underlying distribution.
Initial Results: Figure 6 represents the miss distances for a specific lateral blunder scenario (30 degree blunder at 9 NM from threshold, 3400 ft. runway separation).
400
300

Count
200 
100 
0 0  1000  2000  3000  4000  5000  6000  7000  8000  9000  1 104 
Miss Distance 
Fig. 6. Lateral Miss Distances 

Figure 7 presents the same data in terms of a cumulative
distribution function or CDF. A probability density function is essentially the derivative of a CDF. The principal summary measure used in this modeling is a miss distance distribution, usually represented as a CDF. A miss distance of zero represents the (abstract) situation in which the centers of the two aircraft are in exactly the same place at the same time. The probability of collision can be estimated by using a distance that represents the combined size of two aircraft. Based on the data shown the probability of a miss distance of less than 500 feet (NMAC) was determined to be 0.004. When an assumed unresolved blunder risk of 10-5 per approach is included, the overall risk of NMAC is 4.0x10-8 per approach.
Miss Distance
Fig. 7. Lateral Miss Distance Distribution
In-Trail Runway Occupancy Scenario
The runway occupancy scenario is based on several risks associated with in-trail separation during landing and rollout.  One risk is defined as the probability of the leading aircraft being on the runway while the follower crosses the threshold, which is a violation of air traffic procedures. We have termed this event Simultaneous Runway Occupancy. The fault tree is shown in Figure
8. There is also the risk of the two aircraft colliding. The probability of the lead aircraft still being on the runway (i.e., runway occupancy time of the lead aircraft) is considered to be the sum of weighted normal time distributions of the various runway exits. The inter-arrival time distribution is the projected time between aircraft arriving at the threshold and is calculated by transforming the separation distribution to a time distribution using the velocity profile during final
approach. The following probability distributions are inputs to the model.
Inter-Arrival Time Distribution:  The projected time between aircraft arriving at the threshold is primarily dictated by the in-trail separation criteria. To convert the distance distribution to a time distribution the velocity profile during final approach of the various categories of aircraft was modeled. This model was
based on the three phases of descent during final approach. The first phase consists of constant velocity which ends around 5 to 6 NM from threshold. The nominal value for this parameter in the model is 170 knots. In the second phase the aircraft decelerates to reach its landing speed. The time taken for this phase is aircraft category dependent. The final phase is a constant velocity to touchdown. The model also takes into account wind speed and deceleration rate as velocity is reduced.  Figure 9 is an example inter-arrival time distribution at the threshold. This is based on measured aircraft separation and computed approach velocities.

distribution, again based on data collected for the PRM program. The convolution of these three distributions gives the probability distribution of the resultant time delay before a go-around is achieved. Given the velocity profile of individual categories of aircraft, the time to threshold from 0.5 NM is calculated.  If the time to
threshold lies within the range of the total delay
distribution, there is a non-zero probability of the aircraft crossing the threshold before a go-around is
executed.

Probability of Go-
Around

 

Time (sec) Intrail Sep.
Fig. 9. Distribution of Inter-Arrival Time
Initial Results: The probability of simultaneous runway occupancy was found by convolution of the inter-arrival distribution and the runway occupancy distribution curves shown in Figure 9 and 10 respectively. The resultant curve (Figure 11) is the net difference in the inter-arrival time and runway occupancy time. Hence, the probability of simultaneous runway occupancy is the area under the curve for time less than zero.

Probability of Landing Aircraft Fails to
Go-Around Go Around

Projected Landing Aircraft at Threshold
Projected Excessive
Runway Occupancy

Landing Aircraft Not
Aware of Aircraft on

Risk of Pilot Failure

ATC Fails to
ATC Fails to
Communicate
Detect Conflict
with Aircraft

Fig. 8. Runway Occupancy Scenario Fault Tree
Runway Occupancy Distribution:  The runway occupancy time distributions are considered to be weighted normal distributions. The runway occupancy time distributions for each of the exits are weighted by the probability of the aircraft using that exit.  The probability of aircraft exiting the runway is based on operational data from the FAA and ICAO according to exit type (normal or high speed), location, and aircraft category. Figure 10 shows an example set of the individual exit and weighted sum total runway occupancy time distributions.

Probability of Unsuccessful Go-Around:  This portion
of the model determines if the aircraft successfully
initiates a go-around when instructed by ATC. In some cases the actual go-around may not occur before the aircraft crosses the runway threshold, thus violating the simultaneous runway occupancy criteria. The model assumes the alert is given to the following aircraft when it is 0.5 NM from threshold.  The time delay for the go-around to begin is a function of several time distributions - controller alert delay, communications delay, and pilot response delay. The communications and controller delay data used in the model is derived from data associated with the Blunder Risk Model of the PRM. The pilot response is generated as a simplified
Time (sec)
Weighted Sum Individual Exits
Fig. 10. Total Runway Occupancy Time Distribution
For the example set of data, the probability of simultaneous runway occupancy, given no intervention, was calculated to be 0.034.  Previous studies by Swedish [8], using normal distributions to represent runway occupancy and inter-arrival times showed the probability of an intervention due to simultaneous runway occupancy to be 0.014. The probability of an unsuccessful go-around for four categories of aircraft and their nominal landing speeds is given in Table 2, category A being the smallest and category D the largest.  The last column is the probability of an aircraft crossing the threshold when a go-around instruction is given 0.5 NM from threshold. The result from Table 2 indicates that the slower, smaller, aircraft have a longer time to execute a go-around and hence the probability of crossing the threshold is very low. However, the faster, larger classes of aircraft have a considerably higher probability of crossing the threshold before they can execute a go-around and consequently a higher probability of simultaneous runway occupancy.
Probability
0.03
0.02
0.01

 

In-Trail Wake Vortex Scenario
The wake vortex portion of the model is used to determine risks associated with in-trail spacing due to potential encounters with wake vortices. Hazards associated with wake vortices drive the current in-trail IMC separation standards, which are currently pair dependent based on aircraft weight classification. Various proposals are under consideration for modifying current standards, including reductions for specific categories of aircraft. RASRAM will be used to evaluate the overall safety impact of such modifications. Two tools under development by TAP, CTAS and AVOSS, are being developed for sequencing aircraft more
Ground
Sensor
Failure
A/C
Sensor
Failure

A/C Sys.
Failure

Pilot
Failure

efficiently on final approach. AVOSS is intended to optimize the wake vortex separation given the weather conditions and aircraft types.
Fault Tree: The fault tree (Figure 12) for the wake vortex scenario takes into account all of the key variables that determine whether an accident will occur due to a wake vortex encounter. Key variables include time separation between aircraft, vortex decay and transport, aircraft flight paths, possible detection and avoidance techniques, and the probability of the encounter becoming an incident or accident.

Fig. 12. Wake Vortex Scenario Fault Tree
Time separation between aircraft pairs is modeled as the probability of time separation when the leading aircraft is at specific points on the approach. The time separation is computed based on distance separation and the speed of the trailing aircraft. The result is a probability distribution versus time, similar to Figure 9. The separations are based on empirical data and are dependent upon types of aircraft pairs according to weight classifications. Vortex decay and transport are also modeled based on empirical data. The input to the model is the probability of the vortex remaining within a defined safety zone over time. As with aircraft separation, the probabilities are aircraft pair dependent according to weight classifications. The model takes into account that aircraft do not fly perfect flight paths. There are normal lateral and vertical variations about nominal paths. One example of how this affects the resulting probability of encounter is a trailing aircraft above the nominal glide slope has a reduced probability of encounter because the vortices sink towards the ground.

MODEL VALIDATION
The lateral blunder portion of the model was initially based on the PRM Blunder Risk Model developed by MIT Lincoln Laboratory. This scenario has been analyzed extensively using real-time, man-in-the-loop simulations. For several specific scenarios, performance response time distributions are available for the evader pilot/aircraft and for the controller. This form of the RASRAM lateral model has been validated against the Blunder Risk Model, indicating equivalent results. The runway occupancy element for current operations is primarily based on operational data defining in-trail separation and runway occupancy. Therefore the requirements for validation will not be extensive.
Information defining the elements of the wake vortex portion of RASRAM will be determined from a combination of operational data and simulator studies. Wake vortex transport and decay modeling will be based primarily on flight test measurements. The distribution of aircraft separation is based on data collected at operational airports. Other portions of the model will be based on the results obtained in simulator testing. The overall risks of wake vortex encounters predicted by RASRAM will be compared with available operational data. This will serve as a confirmation that the predicted risks are in general agreement with operational experience. Portions of RASRAM that model the performance of new technologies such as ADS-B will be based on the analysis of existing information. It will also include the results of flight simulator tests of reduced separation procedures.

CONCLUSIONS
The RASRAM has direct application to evaluating the safety impact of Free Flight procedures and technologies. Due to advances in enabling technologies, free flight is often discussed in terms of the roles that technology will play. Technologies include GPS for navigation, ADS-B for surveillance and airborne conflict detection, automation systems for flow management and separation assurance (CTAS), dynamic runway occupancy measurement, and dynamic vortex spacing systems. RASRAM provides a framework for evaluating these different technologies and their impact on the safety of free flight operations. The model can also be used to provide a relative comparison of the safety of proposed new procedures with the safety of current operations and technologies. The safety associated with independent parallel approaches using PRM has been quantified previously. Using RASRAM, the safety of further separation reductions for parallel approaches using new technologies can be analyzed and compared with current procedures. Similarly, the safety of reductions in in-trail separation can be compared with current procedures. Although being developed for initial application to terminal area final approach and landing, the basic approach to modeling separation risk has direct application to free flight for all phases of flight.

ACKNOWLEDGEMENTS
The authors gratefully acknowledge the contributions of Dr. Mary Connors of NASA Ames Research Center and Mr. Jack Wojciech of the FAA’s Office of System Safety.

REFERENCES
[1] Final Report of RTCA Task Force 3 - Free Flight Implementation.(1995). RTCA, Inc. Washington, DC. October 26, 1995.
[2] Coote, M. A., Schraw, G. W., and Schwab, R. W. (1993). Oceanic Requirements and Benefits Modeling for Automatic Dependent Surveillance (ADS), Air Traffic Control Quarterly, Vol. 1(1) 31-57. New York, NY: John Wiley & Sons, Inc.
[3] International Civil Aviation Organization (ICAO) (1984). Air Traffic Services Planning Manual, Doc 9426-AN/924. Amendments dated 15 Aug 85, 11 Sep 85, 3 Nov 88. Montreal, Canada.
[4] ICAO (1994). Manual on Required Navigation Performance. Doc. 9613-AN/937. Montreal, Canada.
[5] Kullstam, Per A. (1972). Parallel Runway Spacing, Journal of the Institute of Navigation, Vol. 19, No. 1, Spring 1972. Alexandria, VA.
[6] Shank, E. M., and Hollister, K. M. (1994). Precision Runway Monitor, Lincoln Laboratory Journal, Vol. 7, No. 2. Lexington, MA: Lincoln Laboratory, MIT.
[7] Boswell, S. B. (1993). Evaluation of the Capacity & Delay Benefits of Terminal Air Traffic Control Automation, Report ATC-192. Lexington, MA: Lincoln Laboratory, MIT.
[8] Swedish, W. J. (1979). Evaluation of the Potential for Reduced Longitudinal Spacing on Final Approach, US DOT/FAA FAA-EM-79-7.
[9] Precision Runway Monitor Demonstration Report (1991). U.S. DOT FAA/RD-91/5, February 1991.