Accident risk assessment for advanced ATM - ATM Seminar

More documents

Recommendations

Info

e. Validation of the risk assessment exerciseA crucial issue concerns the validation that a risk assessmentexercise is performed to an acceptable degree,without the need to first employ very expensive large scalereal time simulations of new concepts. Due to our underlyingstochastic analysis framework, such a validation canbe done through executing the following activities: Judge the level of conservatism of the assumptionsadopted for the development of the DCPN instantiationfor the situation considered. This should be donethrough active involvement of operational and designexperts. Verify the correctness of the instantiated DCPN versusthe results of the qualitative assessment and theassumptions adopted. This should be done by stochasticanalysis TOPAZ experts, with at least one who hasnot been involved with the DCPN instantiation. Verify the correctness of the mathematical transformationsapplied to the instantiated stochastic dynamicalmodel. This should be done by applying mathematicaltools from stochastic analysis theory. Verify that the various assessment activities have beenexecuted according to the unambiguous mathematicalmodel developed, including the decomposition. Thisshould be done by stochastic analysis experts.III. THE MATHEMATICAL FRAMEWORKEach DCPN instantiation can be represented by an SDEon a hybrid state space (Everdij and Blom, 1998), whichhas a strong Markov process f t g on a hybrid state spaceas its unique solution. The hybrid state process f t g hastwo components, i.e. t = (x t ; t ); with x t the componentassuming values in a Euclidean space and with t the componentassuming values in a discrete space. From the theoryof Markov processes it then follows that it is possibleto characterise the evolution of the density-distributionp t () of the joint process through a well-defined differentialequation in function space:ddt p t() =Lp t ()with L an operator defined by the Markov process f t g.Due to the strong Markov property, this differential equationalso applies under the condition of an f t g-adaptedstopping time (also referred to as Markov time):dp dt () =Lp tj tj (); for t>:It is particularly relevant to notice that the above equationsare well known for Markov chains, i.e. Markov processeswith discrete state space, which processes have shown tobe very useful in the development of advanced dependabilityand performability assessment methodology (e.g.Pattipati et al., 1993; Fota et al., 1997). For hybrid stateMarkov processes, this equation is well known in Bayesianestimation theory (e.g. Blom, 1990) and this has a.o. ledto advanced multi target multi sensor tracking applications(e.g. Blom et al., 1992a).The above equations imply that once the scenario to beassessed on collision risk has been represented through aDCPN instantiation, all probabilistic properties are welldefined,including the collision risk. Let yt i and vt i be thecomponents of x t that represent the 3D location and 3Dvelocity of aircraft i, i 2 f1;::: ;ng.Let y ijtlet v ijt= y i ty j t ,= v i tv j and let t Dij be the area such that y ijt2 D ijmeans that at moment t the physical volumes of aircraft iand j are not separated anymore (i.e. they have collided).Each time the process fy ijt g enters the area Dij , we say anincrossing occurs, and each time the process fy ijt g leavesthe area D ij , we say an outcrossing occurs. The first incrossingfor the pair (i; j) is a collision for that pair. If weassume that the relative speed v ijtis very rapidly going tozero as long as y ijtresides in D ij , the chances are zero thatthere is more than one incrossing per aircraft pair, and thusthe expected number of incrossings equals the expectednumber of collisions. Following (Bakker and Blom, 1993)the expected number R [0;T ] of incrossings, or collisions,between aircraft pairs in the time-interval [0;T]satisfies:R [0;T ] =nXnXi=1 j>iZ T0' ij (t) dtwith ' ij (t) the incrossing rate, which is defined by:' ij (t) = lim P fy ijt#0=2 D ij ;y ijt+ 2 Dij g=In (Bakker and Blom, 1993) it is also shown that ' ij (t)is well-defined, and can be evaluated under non-restrictiveassumptions as a function of the probability density of thejoint relative state (y ij, t vij t). In general, a characterisationof this probability density is complex, especially sincethere are combinatorially many types of non-nominal e-vents. A plausible way out of this is by conditioning onclasses of non-nominal events, where those non-nominalevents are placed in the same class if they have a similarimpact on the subsequent evolution of the relative stateprocess fy ij , t vij tg. This is done through 1) defining an appropriateevent sequence classification process f t g,suchthat the joint process f t ; t g is a strong Markov processas well, and 2) subsequently identifying an appropriatef t ; t g-adapted stopping time ij such that there is a zero
probability that the pair (i; j) collides before ij . Withthis, the above equations can be transformed into:R [0;T ] =P f ij ijnXi=1 j>inX X= gZ T' ij (t j ij= ) dt ij ijwith ' ij (t j ij= ) the conditional incrossing rate, ijbeing defined for t ij by:' ij (t j ij ij = ) =lim P fy ijt t =2 Dij ;y ijt+ 2 Dij j ij= g=#0 ijIn figure 5, the equation for R [0;T ] is presented R in the formof a tree, in which f ij T() is short for ' ij (t ij j ij= ij) dt P f ij= g. This tree has some resemblance with ijthe well known fault tree. However, due to the underlyingstochastic and physical relations, our new tree differssignificantly and is named Collision Risk Tree.R [0;T ]j+f ij ()j j jR 'ij(tj) dt PfgFig. 5. Collision Risk TreeFor the quantification of the boxes in the collision risktree, use is made of three types of evaluations: Monte Carlo simulations of the DCPN to quantifyP f ij= g and the statistical properties of the ijrelevant DCPN components at the stopping time ij . Evaluations of the evolution of the relative aircraftstates from stopping time ij on, and for each ij= ij. When complexity requires, this process can evenbe done for a sequence of R increasing stopping times.T Numerical evaluation of ' ij (t ij j ij = ) dt, ijusing the Generalized Reich equation of (Bakker andBlom, 1993), see also (Kremer et al., 1998).IV. RNP1 IN CONVENTIONAL AND AIRBORNESEPARATION ASSURANCE SCENARIO EXAMPLESIn this section, the TOPAZ approach is used to evaluatea simple scenario of two en-route traffic streams ofRNP1 equipped traffic, flying in opposite direction, all atone single flight level. This rather hypothetical scenariohas been developed by Eurocontrol with the aim to learnunderstanding how ATC influences accident risk, and howfar the nominal separation S between opposite RNP1 trafficstreams can safely be reduced. The specific details ofthis scenario are (Everdij et al., 1997a): Straight route, with two traffic lanes (figure 6), Flight plans contain no lane changes Parameter S denotes distance between the two lanes, Opposite traffic flows along each lane, Aircraft fly at one flight level only Traffic flow per lane is 3.6 aircraft/hour, All aircraft nominally perform RNP1, None of the aircraft are TCAS equipped, Target level of safety is 5 : 10 9 accidents/flight hour.This simple scenario is considered for the following fourATM concepts:A) Procedural separation only. In this case there is noATC surveillance system. This is the type of situationencountered with traffic over the North Atlantic.B) STCA-only based ATC. In this case there is radarbased surveillance and R/T communication, but it isassumed that ATC is doing nothing unless its STCAsystem issues an alert; thus assuming no monitoringby the ATCo. It should be noticed that this differs significantlyfrom conventional ATC, where an executivecontroller autonomously monitors and issues correctiveactions, while STCA is a safety net only.C) Basic airborne separation assurance. In this casethere is ADS-B surveillance and R/T between aircraft,but there is no ATC. For this concept it is assumed thataircraft behave co-operatively, in the sense that whenan aircraft’s CDR (Conflict Detection and Resolution)system detects a conflict with another aircraft, then itspilot will try to make an avoidance manoeuver. Thus,in most cases both pilots will try to make an avoidanceFig. 6. Opposite direction traffic in a dual lane routeS
Page 1 and 2: Accident risk assessment for advanc
Page 3: A 10/T localA 0AircraftmissionA 9A
Page 10: [16] J. Daams, G.J. Bakker and H.A.

Accident risk assessment for advanced ATM - ATM Seminar

Create successful ePaper yourself

Delete template?

Save as template?