Publications

Advanced separation assurance concepts involving higher degrees of automation must meet the challenge of maintaining safety in the presence of inevitable subsystem faults, including the complete failure of the supporting automation infrastructure. This paper examines the types of design features and safeguards that might be used to preserve safety in a highly automated environment. The Advanced Airspace Concept (AAC) being developed by NASA is used as the basis for a fault-tree analysis. Multiple layers of protection, with carefully specified fault management strategies, appear to be important to achieving the desired level of safety.

Aviation planners have called for increasing the capacity of the air transportation system by factors of two or three over the next 20 years. The inherent spatial capacity of en route airspace appears able to accommodate such traffic densities. But controller workload presents a formidable obstacle to achieving such goals. New approaches to providing separation assurance are being investigated to overcome workload limitations and allow airspace capacity to be fully utilized. One approach is to employ computer automation as the basis for separation-assurance task. This would permit traffic densities that exceed the level at which human cognition and decision-making can assure separation. One of the challenges that must be faced involves the ability of such highly automated systems to maintain safety in the presence of inevitable subsystem faults, including the complete failure of the supporting computer system. Traffic density and flow complexity will make it impossible for human service providers to safely reinitiate manual control in the event of computer failure, so the automated system must have inherent fail-soft features. This paper presents a preliminary analysis of the ability of a highly automated separation assurance system to tolerate general types of faults such as nonconformance and computer outages. Safety-related design features are defined using the Advanced Airspace Concept (AAC) as the base architecture. Special attention is given to the impact of a severe failure in which all computer support is terminated within a defined region. The growth and decay of risk during an outage is evaluated using fault tree methods that integrate risk over time. It is shown that when a conflict free plan covers the region of the outage, this plan can be used to safely transition aircraft to regions where service can still be provided.