airtraffic control case studies Daniel Jackson NSF ITR Site Visit August 4, 2003

1
air-traffic control case studiesDaniel
JacksonNSF ITR Site VisitAugust 4, 2003
2
overview

• NASA software
• CTAS a suite of advisory tools
• D2 a first-step towards free flight
• TSAFE a new automation concept
• what we did
• development of prototypes
• modelling, design, analysis
• dissemination to wider community
• lessons learnt future plans

3
CTAS

• Center-TRACON Automation System (CTAS)
• tool suite developed by NASA
• arrival departure planning
• field tests at DFW showed increased throughput by
  15
• Traffic Management Advisor (TMA) tool
• deployed by FAA to 7 Centers, TRACONS

4
traffic management advisor outputs
ETA
STA
Load graph
5
D2

• Direct-To
• looks for opportunities to skip fixes on flight
  path
• suggests best candidates to controller
• and checks for conflicts
• implemented within CTAS
• but not yet fielded

6
direct-to advisories
7
TSAFE background

• Erzbergers automated airspace concept
• computers take over most ATC functions
• controllers take strategic role instead
• mitigate dependability risk with TSAFE
• TSAFE
• small trusted computing base, truly critical
• last line of defence against system failure
• monitors traffic, detects blunders conflicts
• proposes avoidance maneuvers
• prototypes for evaluation
• Russ Paelli (NASA) within CTAS, for ATC
• MIT standalone, for software engineering

8
MIT activities

• CTAS
• NASA codebase used as testbed for data structure
  repair
• promising results can confine failure to bad
  info on one flight
• D2
• requirements and Alloy models constructed
• prototype built by UROPs
• testbed for dynamic role analysis
• TSAFE
• requirements and design
• prototype designed with new dependence notion
• code data feeds available online to other
  researchers

9
TSAFE prototype feed

• choice of feed
• Aircraft Situation Display to Industry (ASDI)
• part of Enhanced Air Traffic Mgmt System (ETMS)
• we installed ISDN modem at Volpe Transportation
  Center
• we get ASDI directly to LCS
• rationale
• real-time feed makes project more appealing to
  students
• can make recordings available to other
  researchers
• but not as accurate as host feed (especially in
  altitude)

10
TSAFE prototype platform

• choice of language
• all written in pure Java
• open source components
• choice of platform
• use Swing GUI, so platform-independent
• rationale
• Java is language most students know
• make amenable to analysis by research tools
• safety-critical system needs safe language
• Spark Ada unsuitable for testbed because few tools

11
TSAFE prototype status

• functionality
• blunder detection
• algorithms by Tom Reynolds
• challenges
• parsing flight plans
• requirements essence of TSAFE (still a puzzle)
• ASDI quality OK only for horizontal, commercial
  aviation
• resources produced
• Greg Denniss MEng thesis
• source and binaries
• sdg.lcs.mit.edu/TSAFE

12
FIG a record/replay tool
ETMS
ASDIfeed

• purpose
• users of testbed may not have ASDI feed
• need utility to record/replay
• also for filtering messages of interest
• status
• integrated with TSAFE
• uses open source relational database (QED)
• resources produced
• Roshan Guptas MEng thesis
• recorded data feeds
• sdg.lcs.mit.edu/FIG

FIG
FIG
ASDIfeed
TSAFE
13
lessons learnt future plans

• huge effort creating prototypes
• approx one year of work for each of D2, TSAFE
• intrinsic difficulty of ATC software
• objective properties hard to find
• pilot intent plays central role
• many levels of observability problems
• consequences
• slower development of case studies than hoped
• but good testbeds now available
• future plans
• exploit TSAFE code as testbed for analysis