COMPANY RESTRICTED | NOT EXPORT CONTROLLED | NOT CLASSIFIED
COLLISION AVOIDANCE AND SAFETY
Johan Pellebergs, Saab Aeronautics, November 2016
This document and the information contained herein is the property of Saab AB and must not be used, disclosed or altered without Saab AB prior written consent.
CONTENT
• Flight safety
• Safety statistics
• Ground Collision Avoidance
• Mid-Air Collision Avoidance
• Requirements for collision avoidance systems
• Safety principles
MISHAPS / CRASHES
• Main categories for catastrophic mishaps in military aviation have historically been:
‒ Controlled flight into terrain (CFIT)
‒ Engine
‒ Mid-Air collision
[Chart: Mishap statistics for a military fighter (share of mishaps per category, 0-40%)]
FLIGHT SAFETY
• Flight safety significantly improved over the past decades
‒ Includes both military and civil aviation
• Main contributing factors are
‒ Strong safety attention
‒ Training
‒ Incident reporting
‒ Reliability of flight critical systems
‒ Introduction of safety enhancing systems and automation
[Figure: Auto-GCAS, Auto-ACAS, MIDCAS]
AUTOMATIC GROUND COLLISION AVOIDANCE
• Terrain profile ahead of the aircraft trajectory generated from onboard terrain data base
• Recovery flight path continuously calculated
• Recovery flight path evaluated against terrain profile
• Automatic recovery initiated when margin from calculated recovery flight path to the terrain profile goes below a minimum value (7 m)
[Block diagram: NINS terrain data base, SCAN ground profile, flight path prediction, margins, MMI warning, AFU command (GPW), auto recovery, EFCS SC D96, AFU ARM (MKV); Mission System (DAL C) and Flight Control System (Redundant, DAL A). Calculated Recovery Flight Path at 5 g; Executed Recovery Flight Path at 5.5 g]
AFU automatic/manual deactivation:
• Landing gear extended
• AAR probe extended
• GPW manually OFF
• Pilot manual inhibition
• Control stick breakout
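The trigger logic described on this slide (predict the recovery path, compare it with the terrain profile ahead, start the automatic recovery when the margin drops below 7 m), as an added illustration that is not Saab's algorithm: a constant-speed point-mass pull-up in the vertical plane against a constructed ridge profile, with the decision taken on the 5 g prediction as on the slide. The dive parameters, the ridge and the 20 degree climb-out angle are assumptions.

```python
import math

G = 9.81  # m/s^2

# Constructed terrain profile ahead of the aircraft as sorted (distance along
# track [m], terrain height [m]) pairs: flat, then a ridge rising to 150 m.
RIDGE = [(0.0, 0.0), (500.0, 0.0), (1500.0, 150.0), (3000.0, 150.0)]


def recovery_path(x0, h0, v, gamma0, n_z, dt=0.1, gamma_end=math.radians(20)):
    """Predict the recovery flight path in the vertical plane: wings assumed level,
    constant load factor n_z pulled until the climb angle reaches gamma_end.
    Constant-speed point-mass kinematics (a constructed simplification)."""
    x, h, gamma = x0, h0, gamma0
    path = [(x, h)]
    while gamma < gamma_end and len(path) < 10_000:
        gamma += G * (n_z - math.cos(gamma)) / v * dt  # rotation rate of the velocity vector
        x += v * math.cos(gamma) * dt
        h += v * math.sin(gamma) * dt
        path.append((x, h))
    return path


def terrain_height(profile, x):
    """Terrain height at distance x, linearly interpolated; flat beyond the ends."""
    if x <= profile[0][0]:
        return profile[0][1]
    for (x1, h1), (x2, h2) in zip(profile, profile[1:]):
        if x <= x2:
            return h1 + (h2 - h1) * (x - x1) / (x2 - x1)
    return profile[-1][1]


def min_margin(path, profile):
    """Smallest vertical clearance between the predicted path and the terrain."""
    return min(h - terrain_height(profile, x) for x, h in path)


def predicted_margin(h0, v, gamma_deg, profile=RIDGE, n_z=5.0):
    return min_margin(recovery_path(0.0, h0, v, math.radians(gamma_deg), n_z), profile)


def auto_recovery_required(h0, v, gamma_deg, profile=RIDGE, min_margin_m=7.0):
    """Slide logic: recovery starts when the margin of the path calculated at 5 g
    drops below the minimum value (7 m); the recovery flown at 5.5 g then adds clearance."""
    return predicted_margin(h0, v, gamma_deg, profile, n_z=5.0) < min_margin_m


if __name__ == "__main__":
    for h0 in (300.0, 120.0):  # 30 degree dive at 200 m/s from two heights above the flat part
        print(h0, round(predicted_margin(h0, 200.0, -30.0), 1), auto_recovery_required(h0, 200.0, -30.0))
```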
AUTO-GCAS SAVES
• Auto-GCAS has saved 4 aircraft and pilots since its operational fielding 2 years ago
• Pilots' reactions have gone from skeptical of having a system that can take control away from them to now not performing the most advanced training flights without the system available!
• Acceptance of the users (pilots) is crucial when introducing an automatic high authority system!
4TH AUTO-GCAS SAVE
• HUD video from 4th Auto-GCAS save when the pilot becomes unconscious due to high G's (GLOC)
[HUD video frame labels: G-load, Speed, Mach, Radar altitude, Altitude (ft), Velocity vector, GCAS warning]
2ND AUTO GCAS SAVE
• Air Combat training mission
• “Target fascination” leads one of the pilots to initiate a maneuver that would result in a non-recoverable ground collision
• Letter from one of the saved pilots expressing his gratitude for the Auto-GCAS system!
“My unexpected AGCAS recovery prompted me to aggressively recover my aircraft, directly saving both my life and the aircraft. AGCAS worked as advertised and allowed me the honor to write this letter. I will gladly shake the hands of the men and women who developed this life saving system if I ever meet them in person.”
MAIN LAYERS OF PROTECTION AGAINST MID-AIR COLLISIONS
1. Strategic Conflict Management
‒ Procedures and Regulations
‒ Airspace design
‒ Flight plans
2. Separation Provision
‒ Responsibility of ATC or the Pilot depending on airspace class and flight rules (IFR/VFR)
‒ “Don't scare others!”
3. Collision Avoidance
‒ The ultimate responsibility for avoiding collisions always remains with the pilot.
‒ Mainly performed by the pilot's ability to “See & Avoid”, i.e. the pilot's eyes and his/her ability to make the correct decision and take the correct action.
‒ “Don't scrape paint”
[Figure: the three layers ordered along Distance / Time against Criticality]
AIRSPACE CLASSES
• Airliners
‒ Operate in class A-C
‒ Fly according to Instrument Flight Rules (IFR)
‒ Equipped with Transponder/ADS-B, i.e. are Cooperative
‒ Equipped with TCAS collision avoidance system
‒ Separated from all other traffic by ATC
‒ Pilot responsible for Collision Avoidance (aided by TCAS)
• Small GA aircraft
‒ Operate mainly in the ”lower” airspace classes incl. uncontrolled
‒ Operate at lower altitudes below 10 000 ft (max speed 250 kts)
‒ Large portion of flights according to Visual Flight Rules (VFR)
‒ Many without Transponders/ADS-B, i.e. Non-cooperative
‒ Limited or no ATC separation
‒ Pilot responsible for both Separation and Collision Avoidance
REMOTELY PILOTED AIRCRAFT
• Terminology
‒ Unmanned Aircraft System - UAS
‒ Remotely Piloted Aircraft System - RPAS
• Removing the pilot from the aircraft requires an equivalent system capability to detect and avoid other aircraft – Detect & Avoid system (D&A)
• Main requirement is to not degrade safety when introducing RPAS into the airspace
TRAFFIC AVOIDANCE AND COLLISION AVOIDANCE
• Detect and Avoid (D&A) consists of two safety barriers
‒ Traffic Avoidance (”don’t scare”)
‒ Collision Avoidance (”don’t scrape paint”)
• D&A design objective
‒ D&A Design Objective to reach the overall TLS is a Risk Ratio of 0.01 (TBC), i.e. save 99 of 100 critical encounters
Risk Ratio = P(NMAC with system) / P(NMAC without system)
NMAC = Near Mid Air Collision
D&A SYSTEM OVERVIEW
[Diagram: Detect & Avoid sensors (EO, IR, Radar, Xpdr, ADS-B) → Data Fusion → Traffic Avoidance / Collision Avoidance → D&A HMI; Intruder, RPA, Remote Pilot Station and C2 link]
• The RPA pilot will get suggested maneuvers from the system
• TrA maneuver needs to be manually activated by the remote pilot
• CA maneuver can be manually activated but will activate automatically at last instance
• CA protection remains even if there is a C2 link loss
D&A COLLISION AVOIDANCE CONCEPT
[Figure: RPAS and Intruder; CV – Collision Volume; Protected Volume = CV + uncertainties]
A manoeuvre is continuously calculated and evaluated against the Collision Volume
When the manoeuvre prediction indicates last chance to resolve the situation without CV breach (incl. margins) the manoeuvre is activated automatically
[Video: MIDCAS flight test HMI video (Radar + EO)]
SENSOR PERFORMANCE
Flight testing of D&A system in the MIDCAS project
[EO video stills: CA with intruder above; intruder below; loitering against sun reflex]
Typical sensor tracking performance in flight
• ADS-B: over 15 NM
• Radar: around 5 NM (8000-9000 m)
• EO: ranging from 8-5 NM (15000-8000 m)
MAIN REQUIREMENTS FOR A SAFETY ENHANCING SYSTEM
3 mother requirements:
• “Do good”
‒ Warn and/or engage automatic maneuver when a collision is imminent
• “No nuisance”
‒ No unnecessary warning or maneuver
• “Do no harm”
‒ Do not cause a catastrophic event when no danger was present in the first place
• The most important of these 3 is …
‒ No nuisance
DEFINITIONS AND CLASSIFICATIONS
• Classification of failure conditions by severity of effect
‒ Catastrophic, Hazardous, Major, Minor, or No Safety Effect
‒ A Catastrophic Failure condition is one which would result in multiple fatalities, usually with the loss of the aircraft
• Definition of Probability Terms
‒ Extremely Improbable, Extremely Remote, Remote, or Probable
‒ An Extremely Improbable failure condition is one so unlikely that it is not anticipated to occur during the entire operational life of all airplanes of one type.
‒ Quantitatively, these probability terms are defined as follows:
  ‒ Extremely Improbable: 10^-9 or less
  ‒ Extremely Remote: 10^-7 or less
  ‒ Remote: 10^-5 or less
  ‒ Probable: more than 10^-5
SAFETY OBJECTIVES
Quantitative
‒ The acceptable safety level for equipment and systems as installed on the aircraft is established as an inverse relationship between Average Probability per Flight Hour and the severity of Failure Condition effects:
  ‒ Failure Conditions with No Safety Effect have no probability requirement.
  ‒ Minor Failure Conditions may be Probable (>10^-5)
  ‒ Major Failure Conditions must be Remote (<10^-5)
  ‒ Hazardous Failure Conditions must be Extremely Remote (<10^-7)
  ‒ Catastrophic Failure Conditions must be Extremely Improbable (<10^-9)
‒ The safety objectives associated with Catastrophic Failure Conditions may be satisfied by demonstrating that:
  ‒ No single failure will result in a Catastrophic Failure Condition; and
  ‒ Each Catastrophic Failure Condition is extremely improbable.
Qualitative
‒ The failure conditions Catastrophic through No Safety Effect are assigned Functional and Item Design Assurance Levels A, B, C, D, E, respectively
POSSIBILITY TO RELAX FDAL WITH PROBABILITY OF THE EXTERNAL EVENT
• Example:
‒ Fire onboard an aircraft is very critical and can cause a catastrophic crash
‒ The mitigation is to install a fire extinguishing system
‒ What design assurance level will be needed for this system?
• If the probability of a critical fire is sufficiently low it will be possible to relax the FDAL requirement
‒ Consequence of fire: CAT
‒ Probability is (example): 10^-6
‒ FDAL can be reduced from A to B for design of the fire extinguishing system
(ARP 4754A)
TARGET LEVEL OF SAFETY (TLS)
• Large aircraft (i.e. Airliners)
‒ Hundreds of people onboard
‒ Catastrophic event: 10^-6
‒ 10% allowed for technical failures: 10^-7
‒ Large aircraft have ~100 potentially catastrophic failures: 10^-9 each
→ Thus the risk for a mid-air collision with an airliner can not be higher than 10^-9 per flight hour
• Small aircraft (i.e. General Aviation)
‒ Typically 1-2 people onboard
‒ Hazardous event: 10^-5
‒ 10% allowed for technical failures: 10^-6
‒ Small aircraft have ~10 potentially catastrophic failures: 10^-7 each
→ Thus the risk for a mid-air collision with a small aircraft cannot be higher than 10^-7 per flight hour
→ RPAS are considered as complex aircraft equivalent to airliners
SAFETY BARRIERS
• To achieve very high levels of safety it is necessary to distribute the safety target to several different layers or barriers
• There are several different kinds of barriers
‒ Inherent
‒ Rules
‒ Procedures
‒ Technical
• Each barrier typically contributes between 1 and 3 orders of magnitude
‒ Better to have 3 barriers with a factor of 10 each than 1 barrier with a factor of 1000
• Important to have independence or known common mode failures between the barriers!
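The TLS chain on the previous slide (acceptable event rate, 10% to technical failures, shared over the potentially catastrophic failures), the probability terms from the definitions slide and the barrier stacking on this slide, worked through as an added example that is not part of the deck: independent barriers multiply their risk ratios, a common-mode failure that defeats several of them at once puts a floor under the product, and the result is checked against the per-failure budget. The 1e-5 per flight hour unmitigated NMAC rate and the 0.1 / 0.1 / 0.01 layer risk ratios are constructed (the 0.01 is the D&A Collision Avoidance objective, TBC, from the deck).

```python
import math

# Probability bands per flight hour as defined on the slides (upper bound, term).
TERMS = [(1e-9, "Extremely Improbable"), (1e-7, "Extremely Remote"), (1e-5, "Remote")]


def _round6(p):
    """Round to 6 significant digits so 9.99999e-10 from float arithmetic reads as 1e-9."""
    return float(f"{p:.6g}")


def probability_term(p):
    """Map an average probability per flight hour to its qualitative term."""
    p = _round6(p)
    for bound, term in TERMS:
        if p <= bound:
            return term
    return "Probable"


def per_failure_budget(event_rate, technical_share, n_failures):
    """TLS allocation from the slide: acceptable rate of the event, share allowed
    for technical failures, spread evenly over the potentially catastrophic failures."""
    return event_rate * technical_share / n_failures


def stacked_risk_ratio(barriers, common_mode_ratio=0.0):
    """Risk ratio of barriers in series. Independent barriers multiply; a common
    mode that defeats them together bounds the product from below, which is why
    the slide demands independence or known common mode failures."""
    return max(math.prod(barriers), common_mode_ratio)


def mitigated_rate(unmitigated_rate, barriers, common_mode_ratio=0.0):
    return unmitigated_rate * stacked_risk_ratio(barriers, common_mode_ratio)


def meets_tls(unmitigated_rate, barriers, target, common_mode_ratio=0.0):
    """True when the rate left after the barriers stays within the per-failure budget."""
    return _round6(mitigated_rate(unmitigated_rate, barriers, common_mode_ratio)) <= _round6(target)


if __name__ == "__main__":
    budget = per_failure_budget(1e-6, 0.10, 100)        # airliner chain: 1e-9 each
    print(f"per-failure budget {budget:.1e} -> {probability_term(budget)}")
    layers = [0.1, 0.1, 0.01]   # constructed: strategic, separation provision, D&A CA (0.01 TBC)
    print(meets_tls(1e-5, layers, budget))               # independent barriers: within budget
    print(meets_tls(1e-5, layers, budget, common_mode_ratio=1e-3))  # common mode floor: not met
```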
D&A SYSTEMS ARE RELEVANT ALSO FOR MANNED AVIATION
[Cartoon: “If we have a Detect & Avoid system onboard?” – “Why do you ask?”]