comparing different functional allocations in … · (f ):m [f ] 6 |= ' all possible ......

ComparingDifferentFunctionalAllocationsin

AutomatedAirTrafficControlDesign

CristianMattarei1,AlessandroCimatti1,MarcoGario1,StefanoTonetta1,andKristinY.Rozier2

1FondazioneBrunoKessler,Trento,Italy2UniversityofCincinnati,Ohio,USA

FMCAD2015,September27-30

AirTrafficControl:Chicago-regionAirSector

www.flightradar24.com2

AirTrafficControl:Chicago-regionAirSector

www.flightradar24.com

• Inthisexample:262Aircraft (notonatrafficpeak)

• Expected4times currenttrafficinthenext20years

• Needforanewtechnologyabletomanagethetrafficincrease

3

AirTrafficControl:CurrentApproach

Radio

Radio

AC1

AC2

Position

ATC Radar

AC1&AC2Positions

AC1Intention

Time

4

AirTrafficControl:CurrentApproach

Radio

Radio

AC1

AC2

Position

ATC Radar

AC1&AC2Positions

AC1Intention

Time

5

AirTrafficControl:CurrentApproach

Radio

Radio

AC1

AC2

Position

ATC Radar

AC1&AC2Positions

AC1Intention

Time

LossofSeparation

6

AirTrafficControl:CurrentApproach

Radio

Radio

AC1

AC2

Position

ATC Radar

AC1&AC2Positions

AC1Intention

Time

7

AirTrafficControl:CurrentApproach

Radio

Radio

AC1

AC2

Position

ATC Radar

AC1&AC2Positions

AC1Intention

Time

8

AirTrafficControl:CurrentApproach

Radio

Radio

AC1

AC2

Position

ATC Radar

AC1&AC2Positions

Time

9

AirTrafficControl:CurrentApproach

Radio

Radio

AC1

AC2

Position

Time

SystemFunction Technology Allocation

CollisionAvoidance TCAS On-Board

TacticalSeparation Controller/ATC On-Ground

StrategicSeparation Controller/ATC On-Ground 10

AirTrafficControl:FunctionalAllocationQuestions

Radio

Radio

AC1

AC2

Position

Time

SystemFunction Technology Allocation

CollisionAvoidance TCAS/ACAS-X On-Board

TacticalSeparation Controller/ATC On-Ground ->Distributed? On-Board?

StrategicSeparation Controller/ATC On-Ground ->Distributed?On-Board?11

NASAproject:NextGen oftheAirTrafficControl

• Needforamorerobust,reliable,andsafeapproach

• Alotofdifferentperspectivestobetakenintoaccounte.g.,politicalandenvironmentalimpact,costanalysis,usability,safety,…

• Differentfunctionallocations,andimplementationsneedtobeanalyzed

12

NASANextGen ofATC:TheFunctionalAllocationProject

• Provideapartialorder overthesetofwaystoallocatesystemfunctions,fromasafety pointofview

• RelyonaFormalValidation,Verification,andSafetyAssessmentapproach,basedonsymbolicmodelchecking

• Defineformalmodelandsystemrequirementsfromapreliminarydesignofthesystemarchitecture

13

NASANextGen ofATC:TheFunctionalAllocationProject

Inthiswork• Formalmodeling ofasetofdifferentpossiblefunctionalallocations

• AdaptationofFormalValidation,Verification,andSafetyAssessment tocompareearlysystemdesigns

• Real-worldcasestudyfromatightcollaborationwith"FlightDynamics,TrajectoryandControlsBranch”ofNASAAmeshttps://es-static.fbk.eu/projects/nasa-aac/

14

FormalModelingforComparativeAnalysis

FunctionalAllocation:GSEPandSSEP

CollisionAvoidance TacticalSeparation Strategic Separation

TCAS/ACAS-X

ATC

CollisionAvoidance TacticalSeparation Strategic Separation

TCAS/ACAS-X

ATC Backup

CD&R OnBoard Primary

CurrentApproach:OnlyGroundSeparatedAircraft(GSEP)

WithadditionaldistributedConflictDetectionandResolution(CD&R)on-board:GroundandSelfSeparatedAircraft(SSEP)

16

FormalModeling:ConflictAreas

AC1$

AC2$

X$

Tj1$

Tj2$

Tj3$ Tj4$

Tj5$

X$

• AbstractconcretetrajectorieswithConflictAreas(CA)• Twoaircraftareinthesameconflictareaiftheirtrajectories intersectinagivenintervaloftime

• Example:ifAC1 andAC2 followTJ2 andTj3 theyareinthesameConflictArea

17

FormalModeling:TimeWindows

Current Near Mid Far

Conflict Avoidance Tactical Strategic

Current Near Mid Far

Conflict Avoidance Tactical Strategic

Time 0

Time 1

CA1 CA1 CA1 CA1 CA2

CA2 CA2 CA3 CA1 CA1

…..

…..

Current Near Mid Far

Conflict Avoidance Tactical Strategic

Time 2

AC1

AC2

• Fourdifferenttimewindows:– ConflictAvoidance:Current– TacticalSeparation:NearandMid– StrategicSeparation:Far

• Thepassageofaunitoftimecausesawindowshifting• ALossofSeparation (LOS)occurswhentwoaircraftareinthesame

CAinthecurrenttimewindow18

FormalModeling:SystemComponents

Communica)on*Network*

ATC*

GSEP*1*

ADS$B&

GSEP*2*

ADS$B&

GSEP*3*

ADS$B&

SSEP*1**

ADS$B&

SSEP*2**

ADS$B&

SSEP*3**

ADS$B&

CD&R& CD&R& CD&R&

• GSEP:GroundSeparatedAircraft• SSEP:SelfSeparatedAircraftwithCD&R(ConflictDetectionandResolution)on-board

• ADS-B:AutomaticDependentSurveillanceBroadcast

ADS-BInandOut

ADS-BOutonly

19

FormalModeling:ScenariosInstantiation

ScenarioCode GSEPs SSEPs #Bool Vars

G 3 0 122M1 3 1 185M2 2 2 193M3 1 3 201S 0 3 146ALL 3 3 353

• Non-Mixed(onlyG/SSEP)andMixed(bothG/SSEP)operationsconsidered

• Multipleimplementationoptions(EnabledorDisabled)– GSEP-Far:GSEPssendFarintentionsoverADS-BOut– SSEP-Far:SSEPssendFarintentionstoATC.

20

FormalValidationandVerification

21

FormalValidation

• PureAirspaceasUncontrolledSystem andCD&Ragents(ATC,andCD&Ron-board)asControllers

• SeparatedValidationforUncontrolledSystemandControllers• All37propertiesCTLandLTLpropertiesvalidatedusingnuXmv

modelchecker

UncontrolledSystem

Controller

Actuates Senses

ControlledSystem

22

FormalVerification

• 93LTLpropertiesverified,usingnuXmv,onall20possibleconfigurations(ofthecontrolledsystem)byvarying:– NumberofinvolvedGSEPsandSSEPsaircraft– Informationsharingimplementation

• Outcome:tablerepresentingpass/failresults

UncontrolledSystem

Controller

ControlledSystem

Actuates Senses

23

FormalSafetyAnalysis

Yes No+Counterexample

It is not possible toreach aLoss ofSeparation.

M'

M |= '

FormalValidationandVerification

25

FaultTree

FormalSafetyAssessment

M[F ]

�(F) : M[F ] 6|= '

AllpossibleassignmentstoFsuchthatM doesnotsatisfyϕ

It is not possible toreach aLoss ofSeparation. '

26

FormalSafetyAssessment:FaultTreeAnalysis

LossofSeparation

G1.apply_near G2.apply_near G1.apply_far G1.comm_atc_partialG3.apply_near

• FaultTreeAnalysisasMinimalCutsets Computation [Bozzanoetal.CAV15]viaxSAP

• CS={f1,…,fn}isacutset ofM,𝜑ifthereexistsacounterexample𝜋 ofM ⊨ 𝜑 thattriggersf1,…,fn

• ACutset CSisMinimaliff ∀𝐶𝑆* ⊂ 𝐶𝑆, 𝐶𝑆′ isnotacutset ofM,𝜑

TopLevelEvent(TLE)¬𝜑BasicFault

MinimalCutset

27

FormalValidation,Verification,andSafetyAssessmentProcess

• FormalRequirementsandModelValidation– Outcome:positiveresultsforallchecks

• FormalModelVerification– Outcome:tablewherethecelli,j expresseswhethertheconfigurationi satisfiesornotthepropertyj.

• FormalSafetyAssessment– Outcome:aFaultTreeforeachpairofconfiguration,property…Howdowecomparethem?

28

FormalSafetyAssessment:MinimalCutsets Comparison

• Impactonthe“LossofSeparation”whenvaryingthesharingofGSEPsFarintentions(GFar):– Samenumberofsinglepointoffailure(5)– Whiledoublefailureincreases(¬GFar),triplefailuresdecreases

MCSCardinality

3GSEPs-1SSEP (M1) 2GSEPs-2SSEPs(M2)...

GFar ¬GFar GFar ¬GFar

0 0 0 0 0

…1 5 5 5 5

2 12 15 12 16

3 33 24 35 23

… … … …

29

FormalSafetyAssessment:MinimalCutsets Comparison

• AnalyzesetrelationsbetweenMinimalCutsets i.e.,MCSaresetofsetoffaults

• ComparetheMCSwithTLEas“LoS betweenSSEPandGSEP”varyingGSEP-Far (GF)informationsharing:– MCS¬GF ={<…>,{FATC}}

FATC =G.F_comm_ATC_tot,S.F_comm_ATC_tot– MCSGF ={<…>,{FATC,ATC.F_mid_res},

{FATC,ATC.F_far_res},{FATC,G.F_comm_adsb},{FATC,S.cdr.F_future_resolve,S.cdr.F_resolve_detection}

30

FormalSafetyAssessment:ReliabilityFunctionEvaluation

• SetrelationoverMinimalCutsets mightbeinconclusivei.e.,twosetscanbeincomparable

• FromMinimalCutsets toReliabilityFunction(P(TLE):ℝ𝑛 ↦ ℝ)[Bozzanoetal.ICECCS15],assumingnofaultsdependency

• AnalyzeunderwhichconditiononeReliabilityFunctiondominatestheothers

31

FormalSafetyAssessment:ReliabilityFunctionEvaluation

• LossofSeparationbetweenSSEPsandGSEPsasTLE,varyingP(failureATC)andP(failureADS-B).Otherprobabilityoffailuresarefixed

• Stillconceptualdesign,thusnumericalvaluesarenotyetdefined

10−4

10−3

10−2

10−1

10−3.69886

10−3.69886

10−3.69886

10−3.69886

10−3.69885

10−3.69885

F(ATC)

PT

LE

LOS S−S (F(ADS−B)=10−1.5)

LOS S−S (F(ADS−B)=10−1.8)

LOS S−S (F(ADS−B)=10−8)

LOS G−G

32

ConclusionandFutureWorks

Conclusion

• Modelingofareal-worldcasestudy,fromaconceptual architecturedescription

• ApplicationandtailoringofacomprehensiveFormalValidation,Verification,andSafetyAssessment processtoevaluatedifferentfunctionalallocations

• Collaborationwith"FlightDynamics,TrajectoryandControlsBranch”ofNASAAmestosupportdecisionmaking

34

FutureWorks

• ExtendthemodelingtocopewiththewholesetofFunctionalAllocationsandScenariosi.e.,>1600

• IntegrationwithCompositionalModelingandVerification

• Evaluationofoverlappedsupervision i.e.,withmorethanoneATC

• AnalysisoftheimpactofUnmannedAutonomousSystems

35

CristianMattarei- mattarei@fbk.eu

ComparingDifferentFunctionalAllocationsinAutomatedAirTrafficControlDesign• ModelingwithConflictAreasandTimeWindows• FormalValidationandVerification,controlledand

uncontrolledsystem• Safetyanalysisviaminimalcutsets andreliabilityfunction

computation• Website:https://es-static.fbk.eu/projects/nasa-aac/

Thankyou!