close

Вход

Забыли?

вход по аккаунту

?

6.2011-6529

код для вставкиСкачать
AIAA 2011-6529
AIAA Guidance, Navigation, and Control Conference
08 - 11 August 2011, Portland, Oregon
Failure Mode and Effects Analysis for
Super Dense Operations
Downloaded by UNIVERSITY OF ADELAIDE on October 28, 2017 | http://arc.aiaa.org | DOI: 10.2514/6.2011-6529
Moein Ganji, Ph.D.* and Jimmy Krozel, Ph.D.†
Metron Aviation, Inc., Dulles, VA, 20166
The concept of operations for Super Dense Operations (SDO) has been established in the
literature, and algorithmic approaches to SDO routing have been studied. To follow on with
the development of SDO, this paper addresses a Failure Mode and Effects Analysis (FMEA)
for SDO. A team of Subject Matter Experts (SMEs) was consulted in order to perform this
FMEA; the main failure modes as well as their effects affecting the nominal SDO were
identified and their potential impacts on the system were ranked. The results of this study
will provide guidance for future developments of mitigation procedures to safely and
efficiently overcome SDO off-nominal conditions.
Abbreviations (note: Airport standard 3-letter abbreviations are omitted)
AAR
Aircraft Arrival Rate
N/A
Not Applicable
ADR
Airport Departure Rate
NAS
National Airspace System
AOC
Airline Operations Center
NASA
National Aeronautics and Space Admin.
ARTCC Air Route Traffic Control Center
NextGen Next Generation Air Transportation System
AT
Air Traffic
NORDO No Radio
ATC
Air Traffic Control
NOTAMs Notice To Airmen
ATCT
Airport Traffic Control Tower
NRA
NASA Research Announcement
ATM
Air Traffic Management
NTSB
National Transportation Safety Board
AVG
Average
OC
Off-Nominal Condition
CFR
Code of Federal Regulations
PIC
Pilot in Command
CNS
Communications, Navigation and
RNP
Required Navigation Performance
Surveillance
RPN
Risk Priority Number
DAC
Dynamic Airspace Configuration
SAR
Search and Rescue
DHS
Department of Homeland Security
SDO
Super Density Operations
DoD
U.S. Department of Defense
SME
Subject Matter Expert
DST
Decision Support Tool
SUA
Special Use Airspace
EC
Emergency Condition
TFM
Traffic Flow Management
FAA
Federal Aviation Administration
TFR
Temporary Flight Restriction
FC
Failure Condition
TMU
Traffic Management Unit
FMEA
Failure Mode and Effects Analysis
TRACON Terminal Radar Approach Control
MIT
Miles-in-Trail
UAV
Unmanned Aerial Vehicle
I. Introduction
S
uper Dense Operations (SDO) is an operational concept developed for safe and efficient travel in the transition
airspace around a metroplex for implementation of the Next Generation Air Transportation System (NextGen).
SDO strives to achieve the highest possible throughput into and out of the metroplex, while taking into consideration
other criteria such as fuel, time-efficient arrival and departure profiles, accommodating customer priorities and
constraints, and ensuring safety and environmental constraints.
While prior work has defined the operational concept for SDO [KMP07a, KSS07] as well as algorithmic
solutions to capacity estimation for SDO [KMP07b, KPM08, KZK09], routing around convective weather hazards
in SDO airspace [KPP07, PKM08], human factors issues related to the SDO design [SSE08, SSE09, SAS09], and
*
Analyst, Advanced Research and Concept Engineering Department, 45300 Catalina Ct, Suite 101
Sr. Engineer, Advanced Research and Concept Engineering Department, 45300 Catalina Ct, Suite 101, AIAA
Associate Fellow
1
American Institute of Aeronautics and Astronautics
†
Copyright © 2011 by the American Institute of Aeronautics and Astronautics, Inc. All rights reserved.
strategic Traffic Flow Management (TFM) to set up SDO in the transition airspace [JK08], in order for SDO to
mature in terms of technology readiness level, the operational concept and related algorithms must be adapted to
consider both nominal and off-nominal conditions. The purpose of this paper is to investigate off-nominal conditions
using Failure Mode and Effects Analysis (FMEA).
This paper is organized as follows. First, we describe background material for the nominal SDO operational
concept and define terms. Next, we present the FMEA organized into a five-step process. Each step in the FMEA is
described with supporting results. We finish with conclusions and references for the paper.
II. Background and Definition of Terms
Downloaded by UNIVERSITY OF ADELAIDE on October 28, 2017 | http://arc.aiaa.org | DOI: 10.2514/6.2011-6529
In this section we provide background material related to the FMEA.
A. Nominal Conditions for SDO
SDO requires that the surface/terminal domain, transition airspace domain, en route domain, and their supporting
Decision Support Tools (DSTs) work together to establish SDO conditions in the National Airspace System (NAS).
Surface/Terminal DSTs control takeoff times to ensure that departures meet SDO requirements, manage surface
traffic so that SDO arrivals are unimpeded by surface constraints, set Airport Arrival Rate (AAR), Airport Departure
Rate (ADR), and runway configuration changes within the metroplex with sufficient look-ahead to set up SDO in en
route and transition airspace, and integrate environmental constraints into SDO terminal routing.
Transition
Airspace
DSTs
estimate the capacity of SDO
airspace, feed capacity estimates to
strategic TFM algorithms, which in
turn set the demand into SDO transition airspace to equal the capacity
of SDO airspace. The Transition
Airspace DSTs also determine the
mode of operations for route
structures using either unstructured
or structured routing approaches
(Figure 1), adjust Dynamic Airspace Configuration (DAC) boundaries so that the flexible routing
(a) Unstructured Routing
(b) Tree-based Route Planning
structures are within controller
Figure 1. Example flexible routing solutions for SDO.
workload limits, allocate the number and location of arrival and departure fixes depending on arrival versus departure demand levels, and set the
Required Navigation Performance (RNP) requirements for routing structures and fixes based on the size of gaps
between hazardous weather constraints and aircraft navigation characteristics of the traffic demand.
En route domain DSTs manage takeoff times for aircraft participating in SDO operations, allocate routing to the
SDO transition airspace boundary to meet RNP requirements, and assign en route delays such that just enough
aircraft show up at or below the capacity estimate for each quadrant of SDO airspace.
While only briefly stated here, these conditions define the nominal SDO conditions for this paper. Further details
on these components are addressed in the literature.
B. Definition of Terms
FMEA. FMEA is a systematic method of identifying and preventing problems in a product or a process before they
occur [MMB09]. FMEAs are preferably conducted during the design phase of product development. In order to
perform an FMEA for SDO the following steps need to be taken:
1. Define the system functional breakdown for SDO
2. Identify failure modes associated with SDO
3. Perform a causality diagram analysis, identifying the relationships between failure causes and failure
effects related to SDO
4. Identify severity ranking and frequency of occurrence of each failure mode
5. Identify the actions to be taken to mitigate the effect of a failure on SDO
Failure Mode. A failure mode is the manner by which the loss of an intended function of a system element under
stated conditions negatively impacts the operation of the system. An unlimited number of events and incidents can
2
American Institute of Aeronautics and Astronautics
Downloaded by UNIVERSITY OF ADELAIDE on October 28, 2017 | http://arc.aiaa.org | DOI: 10.2514/6.2011-6529
cause the SDO system to enter into a failure mode. Any distinct effect of such event or incidence can be described
by a failure mode.
Next, we define the following operating conditions for the FMEA:
Nominal Condition. All elements of the system are operating as designed, and operational and environmental
factors are as planned and as forecast. Runway configurations are in service as planned. Weather phenomena occur
as forecast with minimal forecast errors. Nominal conditions include time periods of low as well as high traffic
loads, and include typical values of system input.
Off-Nominal Condition. All elements of the system are operating as designed, but operational or environmental
factors are not as planned or as forecast. Weather phenomena occur outside the forecast parameters (time, intensity,
position, or coverage).
Emergency Condition. Most elements of the system are operating as designed, but one or more of them are in a
condition that requires special handling. These states include airborne circumstances that are time-critical to safety,
such as an aircraft mechanical problem or a passenger medical situation resulting in the declaration of an
emergency.
Failure Condition. One or more components cease to perform as designed, planned, or expected, resulting in
significant impact to one or more elements of the system.
III. FMEA for SDO
We focus on an FMEA that addresses TFM-level system impacts for SDO. Thus, we don’t address the details of
failures inside the aircraft system unrelated to SDO, inside the Air Traffic Management (ATM) system unrelated to
SDO, or inside the Airline Operations Center (AOC) system unrelated to SDO.
A. System Functional Breakdown for SDO
In prior research [VAMS06], a team of experts developed a functional model of the national air transportation
system (Table 1). This model forms the basis of our functional breakdown. Six high-level functions are identified.
Three of these functions are primarily ATM functions: (1) Planning and Collaboration, (2) Flow/Fleet Management,
and (3) Conflict Management, Control, and Advisory; (4) Communications, Navigation, and Surveillance (CNS) and
Weather support ATM functions; (5) Infrastructure includes a host of functions that are related to ATM functions, or
are part of the larger air transportation system that the ATM system supports. Infrastructure includes the landside
part of the airport (e.g., parking, interconnections to land transportation), airport terminals (e.g., gates), cargo,
security (e.g., passenger screening), the aircraft that fly in the system, and a number of additional functions and data
that are required for the smooth and efficient operations of the air transportation system. The last high-level
function, (6) DHS, DoD, etc., includes the functions that are external to the routine day-to-day operation of the air
transportation system, but that require resources from the system. These include the functions performed by the
Departments of Homeland Security (DHS) and Defense (DoD), law enforcement, and others as they interact with
the air transportation system.
Note: The original version of Table 1 included many elements of the NAS which are not needed to describe the
SDO concept. Thus, there are some numbered items in Table 1 that are missing, for instance, there are no items 5.1,
5.2, and 5.3. The FMEA analysis only focuses on functions important to tactical SDO planning and execution, and
thus the analysis will separate strategic from tactical functions.
B. Failure Modes for SDO
Next, we identify the failure modes based on our FMEA analysis.
In the course of the FMEA, we consulted with SMEs and previous SDO researchers to ensure that our proposed
failure modes are in fact the most important and for which it is worthwhile developing a distinctive mitigation
strategy. Three SMEs provided input into this process; these SMEs have the following credentials:
 SME 1 – a controller with 31 years of experience holding controller positions at the Traffic Management Unit
(TMU) position.
 SME 2 – a dispatcher with 32 years of experience in 14 CFR Part 121 flight dispatch and related activities.
 SME 3 – an FAA certified Air Transport Pilot with over 15,000 hours of military and airline flight time and is a
rated Captain on the B-777, B-737, MD-11, MD-80/DC-9, and L-300. He is also a former fully rated ATC
specialist in one radar approach control and three control towers. He is a trained aircraft accident investigator
with experience in six NTSB investigations as well as numerous military aircraft accident investigations.
To manage the process of identifying a suitable set of failure modes we considered four main infrastructural
components comprising an SDO system: (1) aircraft, (2) airport, (3) airspace, and (4) communication.
3
American Institute of Aeronautics and Astronautics
Table 1. National Air Transportation System functions related to SDO.
Air Transportation System Functions
Downloaded by UNIVERSITY OF ADELAIDE on October 28, 2017 | http://arc.aiaa.org | DOI: 10.2514/6.2011-6529
1.
2.
3.
4.
2 Flow/Fleet
Management
3 Conflict
Management,
control &
Advisory
1.1 AOC
1.2 AT
1.3 Flight Deck
2.1 AOC (fleet management)
2.2 Air Traffic (flow management)
3.1 Air Traffic conflict management
3.2 Air Traffic control and advisory
3.4 Flight deck control and advisory
3.5 Flight deck conflict management
4.1. Communication (ground-ground, air-ground, air-air)
4.2. Navigation
4.3. Surveillance (air, ground)
4.4. Weather (air, ground)
5.4. Security
5.5. Airspace
5.6. Rules and Procedures
5.7. Airport Airside (gates, taxiways, runways)
5.8. Aircraft
5 Infrastructure 5.9. NAS Management
5.10 Facilities and Infrastructure
5.13 Outage Database
5.14 NOTAMS, Security Advisories
5.15 Aircraft Data
5.16 Weather Data Sources
6 DHS, DoD, UAV, 6.1 Homeland Security (TFR)
6.2 DoD (SUA)
Space, Law
enforcement, SAR 6.3 UAV Operations
4 CNS &
Weather
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
Tactical
1 Planning &
Collaboration
Sub Functions
Strategic
Primary
Functions
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
Airport: Each failure mode for an airport is identified based on (i) the magnitude of the failure mode and (ii) the
duration of failure effects on the airport’s element. The magnitude of the failure indicates if it affects a single
runway or an entire airport. The duration indicates if the failure modes last for a short time (<15 min) or for a
long time. Knowing these attributes helps to more effectively alleviate the effects of the failure mode. As an
example, “Single arrival runway shut down (short term < 15 min)” refers to those conditions that result in
arrival runways being out of service for less than 15 minutes.
Aircraft: Each failure mode is identified based on the specific mitigation actions required to alleviate the effects
of the root causes. For example the failure mode “Aircraft needs diversion and emergency landing” refers to
several potential aircraft failures (root causes), such as certain engine failures and broken cabin windows, such
that the aircraft needs to be routed to the nearest suitable airport.
Airspace: For airspace, we identified failure modes based on (i) the type of airspace resource affected and (ii)
duration. For instance the failure mode “Reduced Arrival fix capacity possibly to zero (short term <15 min)”
refers to those failures that cause the capacity of an arrival fix to be reduced for 15 minutes or less. These
failures may be caused by an unpredicted convective weather cell around the arrival fix for a short period of
time, an unexpected microburst or thunderstorm, or the unscheduled declaration of Special Use Airspace
(SUA).
Communication: Loss of communication can severely disrupt the nominal air traffic flow. We have listed the
potential failure modes that may occur for communication components, as described by SMEs. The following
communication network facilities were taken into account for the set of failure modes related to degraded
communication capabilities: 1-Aircraft, 2-ATCT, 3-TRACON, 4-ARTCC.
4
American Institute of Aeronautics and Astronautics
B-Airport
C-Airspace
DComm.
Downloaded by UNIVERSITY OF ADELAIDE on October 28, 2017 | http://arc.aiaa.org | DOI: 10.2514/6.2011-6529
A-Aircraft
Component
Table 2: SDO Failure Modes.
Failure Mode
Involved System Functions
A1-EC: Aircraft needs using holding pattern
A2-EC: Aircraft needs change of altitude
N/A
N/A
2.2
2.2
3
3
4
4
A3-EC: Aircraft needs emergency landing (no diversion)
N/A
2.2
3
4
A4-OC: Aircraft needs diversion
N/A
2.2
3
4
A5-EC: Aircraft needs diversion and emergency landing
N/A
2.2
3
4
A6-OC: Pilot makes error in following the plan
A7-OC: Pop up aircraft enters the SDO airspace
A8-EC: Aircraft is NORDO
A9-OC: Non-cooperative Aircraft enters SDO airspace
N/A
N/A
N/A
N/A
2.2
2.2
2.2
2.2
3
3
3
3
4
4
4
4
B1-FC: An Airport completely shuts down
1.2
2.2
3
4
B2-OC: Degraded AAR (short term <15 min)
N/A
2.2
3
4
B3-OC: Degraded AAR (long term)
1.2
2.2
3
4
B4-FC: Single arrival runway shut down (short term
<15min)
N/A
2.2
3
4
B5-FC: Single arrival runway shut down (long term)
1.2
2.2
3
4
B6-FC: Single departure runway shut down (short term <15
min)
N/A
2.2
3
4
B7-FC: Single departure runway shut down (long term)
1.2
2.2
3
4
1.2
2.2
3
N/A
2.2
N/A
C1-FC: Some volume of airspace (e.g. sector) becomes
unusable (unpredicted)
C2-OC: Partial routing structure blockage occurs
C3-OC: Reduced merging fix capacity possibly to zero
(short term <15 min)
C4-OC: Reduced merging fix capacity possibly to zero
(long term)
C5-OC: Reduced arrival fix capacity possibly to zero (short
term <15 min)
C6-OC: Reduced arrival fix capacity possibly to zero (long
term)
C7-OC: Reduced departure fix capacity possibly to zero
(short term <15 min)
C8-OC: Reduced departure fix capacity possibly to zero
(long term)
D1-FC: Loss of communication with an aircraft
D2-FC: Communication failure at ARTCC facilities
D3-FC: Communication failure at TRACON
D4-FC: Communication failure at ATCT
5.7, 5.8
5.7, 5.8
5.5, 5.6,
5.7, 5.8
5.5, 5.6,
5.7, 5.7
5.5, 5.6,
5.7, 5.8
5.5
5.5
5.5
5.5
5.5, 5.7,
5.8
5.5, 5.7,
5.8
5.5, 5.7,
5.8
5.5, 5.7,
5.8
5.5, 5.7,
5.8
5.5, 5.7,
5.8
5.5, 5.7,
5.8
N/A
N/A
4
5.5, 5.6
6
3
4
5.5, 5.6
6
2.2
3
4
5.5, 5.6
N/A
1.2
2.2
3
4
5.5, 5.6
N/A
N/A
2.2
3
4
5.5, 5.6
N/A
1.2
2.2
3
4
5.5, 5.6
N/A
N/A
2.2
3
4
5.5, 5.6
N/A
1.2
2.2
3
4
5.5, 5.6
N/A
N/A
N/A
1.2
N/A
N/A
N/A
N/A
N/A
3
3
3
3
4
4
4
4
5.6, 5.8
5.6, 5.8
5.6, 5.8
5.6, 5.8
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
6
N/A
N/A
N/A
N/A
N/A
N/A
N/A
SMEs determined the potential root causes that may occur within each SDO component. We then used the lists
provided by SMEs to create a set of failure modes that are presented in Table 2. For each failure mode we also list
the involved ATM system functions. In Table 2 the numbers and the color codes of involved functions match with
those in Table 1. Note: OC stands for Off-Nominal Conditions, EC stands for Emergency Conditions, and FC stands
for Failure Conditions.
Each failure mode presented in Table 2 can be the result of numerous root causes, e.g., several types of engine
failures or on-board medical emergencies may cause failure mode A5. The union of all the failure modes listed in
Table 2 covers all of the functions in Table 1 marked as tactical.
5
American Institute of Aeronautics and Astronautics

Downloaded by UNIVERSITY OF ADELAIDE on October 28, 2017 | http://arc.aiaa.org | DOI: 10.2514/6.2011-6529


In general, the set of proposed failure modes has the following properties:
Comprehensiveness: For any given possible off-nominal, emergency, or failure condition that may occur
within an SDO transition airspace, there is at least one failure mode that can be identified as a distinct effect of
that condition.
Generality: Several events and incidents (root causes) may generate the same failure mode.
Uniqueness: Each failure mode requires a unique set of mitigation actions. A subset of the set of mitigation
actions, however, may not be unique.
C. Causality Analysis
A causality analysis [KMP08] investigates the causes and effects of off-nominal, emergency, and failure conditions
within SDO. The relationships between the causes, failure modes, and effects are illustrated through a set of
causality diagrams.
1. Causality Analysis for Aircraft
Figure 2 presents a causality diagram that starts with some root causes, such as fire or low air pressure, that result in
an emergency condition for the aircraft. Once the emergency condition is identified, the Pilot In Command (PIC)
informs ATC of its situation. The PIC identifies the level of urgency based on facts and experience, and asks for
corresponding required actions. The required actions may include:
Immediate landing at nearest suitable airport: The suitable airport will be chosen based on several factors such
as aircraft characteristics, location, and the severity of the emergency condition, as well as the candidate airports’
characteristics and conditions. Once the suitable airport is identified, an algorithm will find a suitable path from the
current location of the aircraft to the target airport. A suitable path is preferably the shortest feasible path that is fully
consistent with the system’s hard constraints. These constraints include hazardous areas and required separation
minima. After identifying the suitable path, ATC will give the highest priority to the emergency aircraft in case there
is a trajectory conflict with other flights. According to the level of urgency for landing, the suitable path may be
partially consistent with the nominal flight plan or may be completely different from the nominal flight plan. The
suitable path generated by the algorithm may be a direct path toward the target airport (Figure 3) that may not be
consistent with standard jet routes, hence causing trajectory conflicts with other flights.
Change of altitude: depending on the severity of emergency condition, the aircraft may significantly lower its
altitude. This action may mitigate the aircraft’s internal pressure or avoid trajectory conflicts with the main line of
traffic flow.
Request an emergency landing: the aircraft may request an emergency landing and ask for special ground
services to be available upon landing. The emergency landing may cause the target runway to stay out of service for
a longer time than normal headways between consecutive flights. This reduces the runway acceptance rate
temporarily. The reduced AAR will propagate backward up to the arrival fixes, and ATC needs to apply traffic flow
control mechanisms (e.g., MIT) to regulate the demand for that arrival fix.
Emergency landing may require
special assistant and occupy
runway longer than normal
Raise low level
safety concerns
Aircraft
Emergency
Condition
Pilot request
preparations and
possible emergency
Landing
An arrival runway
capacity is
reduced
by X% for Z
minutes
Possible application of OPM to
avoid hazardous weather or
restrictive areas
Fire Detection,
Low Air pressure,
Fuel Leakage,
Loss of Power,
medical emergency,
Fuel exhaustion
Required a
feasible path to
the new
destination
Pilot request
immediate Landing
The path for aircraft on
emergency must be
clear of any other
traffic
Some volume of
airspace capacity
reduced to zero for
z minutes
Communication
Raise high level
safety concerns
Pilot request change
of altitude to h feet
disruption of neighbor traffic
Possible MIT
restrictions,
Holding patterns
and vectoring
Increased
Controller
Workload
Reduced
Airspace
Capacity
Figure 2: Causality diagram analyzing the ATM impacts of aircraft-related failures.
6
American Institute of Aeronautics and Astronautics
Hazardous weather
constraint must be
avoided
Most direct path possible
to the target airport-obey
hard constraints but not the
nominal flight plan
Flights that might have
4D trajectory conflict
with an emergency
aircraft will be held off
Downloaded by UNIVERSITY OF ADELAIDE on October 28, 2017 | http://arc.aiaa.org | DOI: 10.2514/6.2011-6529
AAR and arrival fix capacity
decrease temporarily to
accommodate emergency landing
Figure 3: Emergency landing.
2. Causality Analysis for Airports
Figure 4 presents a causality diagram for some of the major failure modes related to the airports. For this analysis we
are only interested in a set failure modes whose immediate effects reduce AAR, ADR, or both. The AAR and ADR
are the main metrics of interest as they directly affect the nominal SDO in transition airspace. For example, in case
of lightning occurrence near the airport, FAA safety regulations require all ground crews to move inside the airport
building. In the absence of ground crews, most of the surface services such as loading and unloading of aircraft or
fueling process are halted. Therefore the AAR and/or ADR will significantly decline. The level of the airport’s
service rate reduction may be estimated based on the duration and the severity of the event.
Another example of a surface-related failure mode is the presence of an obstacle on the runway. The obstacle
may be debris, or a delayed ground service vehicle, or an aircraft that is immoveable on the runway due to some
mechanical failure or any other emergency condition. In any case, the flow of traffic for that runway will be halted
until the obstacle is removed from the runway. The process of clearing the runway may cause a capacity-demand
imbalance for the corresponding arrival/departure fixes that accommodate the traffic flow in and out of that runway.
If the problem is not resolved quickly, the tower may start the process of runway configuration change to regulate
the traffic in and out of the airport.
Lightning
near airport
For the safety of
personnel
Fewer number of
landing per unit of
time per runway
Ground Crew are
forced to get
inside
Reduced AAR
by X% for Z
minutes
Number of flights
passed through arrival
fix should sync with
runway reduced
capacity
Possible MIT
restrictions and
Holding patterns
to control the
flow rate
arrival fix (s)
capacity is
reduced
by X% for Z
minutes
Runways
Reconfiguration
to increase a
reduced AAR
Aircraft, surface
vehicles, trash, animals
Communication
Obstacle on
runway
Heavy Rain
at airport
Stop the traffic to
clear the runway
Slippery runwayRequired longer
distance for take
off/landing
Reduced ADR
by X% for Z
minutes
Reduced friction
between tire and
concrete
Fewer number of take
offs per unit of time
per runway
departures need
to be delayed
Nominal capacity of
some SDO routes
become infeasible
Increased
Controller
Workload
Dynamic
re-sectorization
to adjust the
workload
Reduced
Airspace
Capacity
Increased workload
reduces the
number of flights
that can be
handled safely
Modify Arrival/
departure routes
Queue builds up at
taxiways and gates
Figure 4: Causality diagram analyzing the ATM impacts of airport-related failures.
3. Causality Analysis for Airspace
Weather forecasting can assist ATM to develop flight plans to avoid convective weather constrained areas. SDO will
take advantage of new NextGen technologies to maximize the capacity and utilization of the high-demand airspace
resources. However, the uncertainty associated with weather events will always remain a challenge for flight
7
American Institute of Aeronautics and Astronautics
Downloaded by UNIVERSITY OF ADELAIDE on October 28, 2017 | http://arc.aiaa.org | DOI: 10.2514/6.2011-6529
planning. Any underestimation or overestimation of the convective weather effects will result in corresponding offnominal overutilization or underutilization of airspace resources. Figure 5 presents the relationship between the offnominal conditions related to the convective weather and their effects on the transition airspace. We assume that
ATM has identified the existence of a convective weather situation and SDO has constructed a routing structure that
avoids the constrained areas. However, the hazardous weather covers an area larger than anticipated. In such case,
ATC considers fewer passable gaps among the weather cells which in turn reduces the capacity of that section of the
airspace. In this situation ATC requires reroutes some flights away from the affected area. The process of rerouting
flights creates extra workload for ATC at adjacent sectors. This in turn may reduce throughput of those sectors due
to safety concerns and consequently may require dynamic re-sectorization if the situation lasts for long period. All
these mitigation actions require additional time for communication between the Air Route Traffic Control Center
(ARTCC) and flights, which also increases the workload. Air traffic controllers can only handle a limited number of
flights per time unit and additional flights may be assigned to the holding patterns until they can be safely navigated
through the constrained area. As a result of all these adjustments, the SDO route structure can become partially
blocked.
RNP containment
region needs to be
maintained
Inefficient
forecasting/Under
prediction
Fewer Passible
gaps between
weather cells
Reroute some
flights to different
fixes or routes
PIREP
Processing
Reduced
Airspace
Capacity
Hazardous
constraints larger
than predicted
Increased
Controller
Workload
Communication
Convective
Weather
-Some SDO routing
structures become
infeasible
-Increased workload
reduces the number
of flights that can be
handled safely
The SDO route
structure is
partially blocked
Required SDO
route structure
adjustment
Over flow into
adjacent SDO
sectors
-Modify Arrival/
departure routes
-Modify merging point
location
-Dynamic resectorization needed
-Possible MIT
restrictions
Figure 5: Causality diagram analyzing the ATM impacts of airspace-related failures.
For example, as shown in Figure 6, constrained area number 1 has moved and blocked the nominal planned
route. The new flexible routing structure techniques will allow for a change in the location of the merging fix from
point x to point y. the location of point y will be computed such that it causes the minimum perturbation to the
current flight plans while satisfying the updated airspace constraints. The new routing may have some negative
effects. For example, the routing may require adjustments to the sector boundaries to control the workload of the
nearby sector controllers.
y
(a) Nominal
x
1
(b) Off-Nominal
Figure 6: Dynamic SDO route structure.
8
American Institute of Aeronautics and Astronautics
4. Causality Analysis for Communications
Figure 7 presents a causality diagram for loss of communications. For example if one of the ATC radar facilities
loses its communication capability, the corresponding ARTCC will curtail ATC support once airborne flights are
transferred to surrounding ATC facilities. Consequently, the ATCSCC will stop or reroute all departures around the
lost ATC facility.
Loss of
communication
Downloaded by UNIVERSITY OF ADELAIDE on October 28, 2017 | http://arc.aiaa.org | DOI: 10.2514/6.2011-6529
ARTCC
Sector capacity goes
to zero
Remaining flight in the
sector will fly out of the
sector either by
previous instruction or
by Niebuhr ARTCC
No other flights will
enter the sector
ATC ZERO
Sector get
evacuated
Most ATCT facilities
can establish
emergency towers
somewhere on the
airfield (ramp towers,
Dynamic
re-sectorization
Nominal capacity of
some SDO routes
become infeasible
Number of flights
passing over arrival fix
should sync with
runway reduced
capacity
Establish
emergency towers
reduced the AAR/
ADR
arrival fix (s)
capacity is
reduced
by X% for Z
minutes
Try to make a contact
or gain info via FOC,
satellite cell phone,
Move any flights that
are a separation
problem along the last
route assigned by ATC
Increased
Controller
Workload
Clear the path
Possible MIT
restrictions and
Holding patterns
previous ATC..etc
NORDO
Aircraft
Some volume of
airspace (sector)
become unusable
Fewer number of
landing and departure
per unit of time per
runway
mobile surface towers
ATCT
Flights receive ground
delays, reroutes, or
holding
Contact the flight
by other means
Reduced
Airspace
Capacity
Modify Arrival/
departure routes
Increased workload
reduces the
number of flights
that can be
handled safely
Figure 7: Causality diagram analyzing impacts of communication failure modes.
5. Master Causality Diagram
Finally, Figure 8 shows a master causality diagram. This diagram presents the relationships between some of the
main root causes and the identified failure modes affecting SDO. The root causes are grouped into off-nominal
conditions, emergency conditions, and failure conditions. Each group is represented with a different color and points
to failure modes that are identified as the main effects of those conditions, negatively impacting the SDO nominal
operational conditions. It should be mentioned that these failure modes are not necessarily independent. This means
one failure mode can cause another failure mode. For example, the reduced AAR can reduce the capacity of an
arrival fix.
D. Statistical Analysis of Air Interruptions
All failure modes related to SDO off-nominal, emergency, and failure conditions eventually cause interruptions to
some flights. The interruption can be in form of diversion to an airport other than the filed one or change of arrival
fix.
In order to quantify the frequency of occurrence for arrival interruptions, we analyzed all the flights in 2010 with
a filed arrival airport in the top 35 airports. We used the actual flight track data to find only flights that diverted to an
alternative airport or incurred a changed arrival fix while they were within 200 nm of their filed arrival airports. We
chose a 200 nm threshold because it approximates the outer boundary of the SDO transitional airspace. In Table 3,
the second column is the maximum number of flights diverted in a single hour (e.g., 13:00-14:00, 16:00-17:00). The
third column indicates how many flights from the second column received airborne holding prior to diversion. The
fourth column is the maximum number of flights diverted in a single day. The fifth column is the total number of
diversions for each airport in the whole year. The sixth and the seventh columns show the total number of actual
arrivals and total number of arrival fix changes, respectively. The last column shows the maximum number of
arrival fix changes that occurred in a single day.
9
American Institute of Aeronautics and Astronautics
-Power Outage
-Network malfunctioning
Communication failure at
ATCT
Airport major
operations are halted
-Wind direction change
-Metroplex traffic conflict
-Low visibility
-Standing water/
snow on the
runway
Airport capacity is reduced
by X% for Z minutes
Change in runway
configuration
Downloaded by UNIVERSITY OF ADELAIDE on October 28, 2017 | http://arc.aiaa.org | DOI: 10.2514/6.2011-6529
Increased work load
-ILS failure
-Aircraft fails to
clear RWY
-Unstabilized
approach
Reduced AAR
by X% for Z minutes
Reduced ADR
by X% for Z minutes
Arrival fix(s) capacity is
reduced
by X% for Z minutes
Communication failure at
TRACON
Departure fix(s) capacity is
reduced
by X% for Z minutes
-Partial SDO routing
structure blockage
-Fewer passable gaps
between weather cells
Sector capacity is reduced
by X% for Z minutes
Volcanic ash,
Tornado, Hail,
Thunderstorm, Wind
gusts, Microburst
Inefficient forecasting
or under prediction
Upstream metering fix(s)
capacity is
Reduced by X% for
Z minutes
Presence of a Noncooperative aircraft
-Mechanical Failure
-Fuel Exhaustion
-Medical Emergency
Emergency condition
requires diversion and
emergency landing
Implement
resectorization
Cause
Failure
condition
Heavy rain/snow
at airport
-Fog
Obstacle on
runway (FOD)
Communication failure at
ARTCC
Aircraft requires
to Go Around
-Explosion
-Accident
-Fire
-Flood
-Heavy snow
-Severe weather
An area around
the aircraft must
stay clear of any
other traffic
Diverting path
may conflict with
other traffic
Enforce MIT
Emergency
condition
Off nominal
condition
SDO route capacity
is reduced
by X% for Z minutes
Assigne holding
patterns
Aircraft
failure mode
Pilot navigational error
Implement route / fix
modification
Airspace
failure mode
Airport
failure mode
Support diversions
Communication
failure mode
Mitigation
Figure 8: Master causality diagram.
DFW and ATL are the airports that had the maximum number of diversions in a single hour (29 flights). DFW
had the maximum number of diversions both in a single day and in the whole year 2010 (64 and 771 flights,
respectively). ORD had the maximum number of arrival fix changes both in a single day and in the whole year (291
and 60,100 flights, respectively), while the airport with the maximum number of actual arrivals is ATL (470,000
flights).
10
American Institute of Aeronautics and Astronautics
Table 3. Statistical analysis of air interruptions within 200 nm of arrival airport.
Downloaded by UNIVERSITY OF ADELAIDE on October 28, 2017 | http://arc.aiaa.org | DOI: 10.2514/6.2011-6529
Diversion within 200 nm of the Arrival Airport
Actual Arrivals
Arrival Fix Change
Total in 2010
Daily Max.
(×1000)
Top 35
airports
Hourly
Max.
Hourly Max
with Holding
Daily Max.
Total in
2010
Total in 2010
(×1000)
ATL
BOS
BWI
CLE
CLT
CVG
DCA
DEN
DFW
DTW
EWR
FLL
HNL
IAD
IAH
JFK
LAS
LAX
LGA
MCO
MDW
MEM
MIA
MSP
ORD
PDX
PHL
PHX
PIT
SAN
SEA
SFO
SLC
STL
TPA
Average
Max
29
10
11
4
13
12
9
25
29
13
15
7
1
12
27
8
16
3
16
9
9
15
8
17
18
3
11
13
4
7
2
10
9
4
7
12
29
N/A
27
10
11
2
11
10
9
25
28
11
15
6
1
12
27
8
11
3
16
8
7
13
8
16
18
3
10
11
4
6
1
9
8
3
7
11
28
N/A
53
14
17
13
26
19
21
51
64
34
18
13
2
21
42
14
22
7
25
16
12
15
18
32
33
3
18
33
5
15
3
17
26
10
17
21
64
N/A
650
160
154
98
306
103
136
556
771
220
330
168
33
533
391
190
148
105
407
124
232
189
135
207
480
70
197
144
62
117
43
202
151
94
136
230
771
8042
470
173
133
96
259
87
135
315
323
225
201
126
94
180
264
199
200
283
181
155
115
168
184
216
436
107
223
217
69
93
155
190
160
91
92
189
470
6612
Total
11.4
5.4
1.6
1.9
3.3
3.7
2.3
39.8
7.6
9.6
1.9
5.5
0.0
5.1
14.7
0.7
2.5
2.4
1.0
5.2
0.9
6.5
6.6
7.5
60.1
2.0
2.7
5.0
1.1
4.6
1.0
2.9
17.1
1.5
4.3
7
60.1
249.4
191
97
35
55
109
44
40
284
180
156
36
58
0
56
237
26
46
60
57
109
44
118
86
137
291
17
81
80
20
140
18
75
85
41
44
90
291
N/A
E. Risk Priority Numbers
FMEA establishes a Risk Priority Number (RPN) for each failure mode. The RPN is a measure used when assessing
risk to help identify critical failure modes associated with the SDO design or process; however, it does not play an
important part in the choice of an action against failure modes. RPNs are threshold values in the evaluation of these
actions. After ranking the severity, occurrence, and detectability, the RPN is calculated as RPN = S × O × D, where
S, O, and D are defined as follows:
 Severity (S) - a numerical subjective estimate of how severe the end user will perceive the effect of a failure.
 Occurrence (O) - a numerical subjective estimate of how often a failure mode may occur.
 Detection (D) - a numerical subjective estimate of the effectiveness of the controls to prevent or detect the
cause or failure mode before the failure reaches the customer.
RPNs have no value or meaning in themselves. Although it is true that larger RPN values normally indicate more
critical failure modes, this is not always the case. As a general rule, any failure mode that has an effect resulting in a
severity 9 or 10 would have top priority. Severity is given the most weight when assessing risk. Next, the Severity
and Occurrence (S x O) combination would be considered, since this, in effect, represents the criticality.
11
American Institute of Aeronautics and Astronautics
Downloaded by UNIVERSITY OF ADELAIDE on October 28, 2017 | http://arc.aiaa.org | DOI: 10.2514/6.2011-6529
We conducted a survey and asked SDO SMEs to rank all the defined failure modes with regard to severity,
occurrence, and detectability. We also divided the severity estimate into two independent sub-estimates. The first
one is set to measure severity related to safety, and the second one is set to measure the severity related to
unexpected excessive delays. In the survey we asked SMEs to answer the following questions in order to rank all the
failure modes associated with each RPN components.

Severity (Safety): On a scale of 1 to 10, how serious are the safety concerns corresponding to this failure
mode? Consider operational difficulties, number of lives at risk, prior experience, etc.

Severity (Efficiency): How many flights may receive airborne delay (more than 5 minutes) due to this failure
mode (directly or indirectly) from when they start descending until they land (~ 30 to 45 minutes of transition
airspace operation) – See Table 4.

Occurrence Rate: How often this failure mode may occur per major airport (40 to 200 nm out from airport) –
See Table 5. For most of the identified failure modes it was very difficult to measure their frequency of
occurrences based on real data. In the absence of real world data, we asked our SMEs’ to estimate the frequency
of occurrence of each failure mode based on the guidelines in Table 5.

Detectability: On a scale of 1 to 10, how unlikely it is to be able to detect this failure mode before it happens
such that the system might be able to prevent its effects to some extent.
The survey was conducted in two steps. In the first step, the SMEs were asked to provide their best estimates
individually. In the second step, we documented all the results from the first step in one file, and asked the SMEs to
revise their first estimates as a group. The results are presented in Table 6. We used the weighted average of the
three estimates (2 for SME1: Controller, 2 for SME2: Dispatcher, 1 for SME3: Pilot) to assess a final rank for each
RPN component regarding each failure mode. We assigned a smaller weight factor to the pilot SME estimations
because pilots’ experiences are based on their responsibility for a single aircraft, as opposed to a dispatcher or a
controller that normally handles many flights continuously. Based on this assumption, we hypothesized that
dispatchers and controllers were most capable to envision the system perspective of an off-nominal SDO condition.
For each failure mode the outcome for severity (safety), criticality (S × O), and the RPN are highlighted in red for
high numbers (RPN > 343), orange for medium numbers (125 ≤ RPN ≤ 343), and yellow for low numbers
(RPN<125). The combination of these numbers for each failure mode will guide us to identify the most critical
failure modes and develop the proper mitigation action that safely and efficiently brings the system back to its
nominal condition.
Table 4. Severity (delay) ranking.
Rank
Flights
1
2
3
4
5
6
7
8
9
10
0 to 10 11 to 20 21 to 30 31 to 40 41 to 50 51 to 60 61 to 70 71 to 80 81 to 90 91 or more
Table 5. Occurrence rate ranking.
Rank
Frequency
1
About Once a year or less
2
About Twice a year
3
About Once a season
4
About Twice a season (i.e. worst case season)
5
About Once a month
6
About Twice a month
7
About Once a week
8
About Twice a week
9
About Once a day
10
About Twice a day or more
12
American Institute of Aeronautics and Astronautics
Failure Mode
Table 6. Failure Modes Risk Priority Assessment.
Severity
Severity (safety)
Occurrence
(delay)
A1&A2-EC: Aircraft needs change of
5 3
altitude
A3-EC: Aircraft needs emergency
10 8
landing (no diversion)
Downloaded by UNIVERSITY OF ADELAIDE on October 28, 2017 | http://arc.aiaa.org | DOI: 10.2514/6.2011-6529
4.2
1 1 1
1
7 7 10 7.6 10 10 10 10
32
319
5
8.2
1 1 1
1
7 7 10 7.6 10 10 10 10
62
623
5
4.2
1 1 1
1 10 10 10 10 10 10 10 10
42
420
10
8.8
1 1 1
1
7 7 10 7.6 10 10 10 10
67
669
5
7
1 1 5 1.8 10 10 10 10 10 10 10 10
126
1260
8
4
1 1 1
14
136
10 10 5
9
2 1 1 1.4 1 1 1
1 10 10 10 10
13
126
A5-EC: Aircraft needs diversion and
10 7
emergency landing
A6-OC: Pilot makes error in following
10 5
the plan
A7&A8-EC: An aircraft is NORDO
5 1
A9-OC: A Non-cooperative Aircraft
enters SDO airspace
B1-FC: An Airport completely shuts
down
B2&B3-OC: Degraded AAR
CritiRPN
cality
5
5 3
A4-OC: An aircraft needs diversion
Detection
1
3 3 5 3.4 10 10 10 10
1 2
5
2.2 10 8 10 9.2 4 4 2 3.6 3 5 5 4.2
73
306
2 2
5
2.6
4 2 10 4.4 4 4 4
3 4 3 3.4
46
156
B4-FC: Single arrival runway shut
down (short term <15min)
2 2
3
2.2
2 2 3 2.2 8 8 7 7.8 3 10 3 5.8
38
219
B5-FC: Single arrival runway shut
down (long term)
1 3
5
2.6
7 5 5 5.8 8 8 4 7.2 5 10 3 6.6
109
717
B6-FC: Single departure runway shut
down (short term <15 min)
1 1
1
1
1 1 2 1.2 8 8 7 7.8 5 10 3 6.6
9
62
1 2
1
1.4
1 1 3 1.4 8 8 6 7.6 5 10 3 6.6
15
98
2 1
3
1.8
1 1 5 1.8 10 10 10 10 5 5 4 4.8
32
156
3 2
5
3
3 2 10 4
9 10 10 9.6 5 5 4 4.8
115
553
1 1
2
1.2
2 2 5 2.6 10 10 10 10 5 5 4 4.8
31
150
52
311
B7-FC: Single departure runway shut
down (long term)
C1-FC: Some volume of airspace (e.g.
sector) becomes unusable
(unpredicted)
Some volume of airspace becomes
unusable (long term)
C2-OC: Partial routing structure
blockage occurs
4
C3-OC: Reduced merging fix capacity
2
possibly to zero (short term <15 min)
1
3
1.8
2 3 5
C4-OC: Reduced merging fix capacity
2
possibly to zero (long term)
2
5
2.6
2 6 8 4.8 5 10 10 8
9 5 4 6.4
100
639
2 3
3
2.6
1 3 5 2.6 10 10 10 10 5 5 4 4.8
68
324
2 4
5
3.4
2 6 8 4.8 5 10 10 8
9 5 4 6.4
131
836
2 1
1
1.4
2 1 3 1.8 10 10 10 10 5 5 4 4.8
25
121
1 2
1
1.4
5 1 4 3.2 5 10 10 8
6
36
215
7
7.8 10 5 5
5 7 2 5.2 10 10 10 10
284
2839
7
7.8 10 5 7 7.4 5 7 2 5.2 10 10 10 10
300
3001
C5-OC: Reduced arrival fix capacity
possibly to zero (short term <15 min)
C6-OC: Reduced arrival fix capacity
possibly to zero (long term)
C7-OC: Reduced departure fix
capacity possibly to zero (short term
<15min)
C8-OC: Reduced departure fix
capacity possibly to zero (long term)
D2-FC: Communication failure at
10 6
ARTCC facilities
D3&D4-FC: Communication failure at
10 6
ATCT
3
7
9 10 10 9.6 8 5 4
13
American Institute of Aeronautics and Astronautics
8 5 4
6
Downloaded by UNIVERSITY OF ADELAIDE on October 28, 2017 | http://arc.aiaa.org | DOI: 10.2514/6.2011-6529
F. Mitigation Strategies
In this section, we briefly present some of the basic strategies, classifications, and prioritizations that shape
mitigation solutions and procedures.
The following factors about a failure mode determine whether a temporary solution, a long-term solution, or
both are required:
 Time (beginning, duration).
 Location (distance from runway, fixes, merge points).
 Dimension (the size of the impacted area beyond what has been predicted).
 Demand (traffic demand, density and the number of flight affected by the event).
Temporary solutions are flight-based solutions such as vectoring, route modification, speed control, capping,
tunneling, holding, and diversion; long-term solutions are flow-based such as dynamic route structure changes,
modifying demand, establishing holding patterns for one or more groups of flights, and diversions for several groups
of flights.
Figure 9 represents an example of mitigation procedure for a set of emergency events (e.g., mechanical failure)
that cause failure modes related to an aircraft. The failure mode can be a required emergency landing or a required
change of altitude. The change of altitude may be followed by a required emergency landing or another required
change of altitude.
After declaring an emergency, the pilot will file a request for a new altitude or an emergency landing at the
nearest suitable airport. The nearest suitable airport is not necessarily the geometrically nearest airport as such
airport may not be a feasible or reasonable choice. A suitable airport is defined as one that, in the opinion of the
Captain/PIC, is suitable based on the circumstances.
Once the new destination is chosen, ATC needs to work with the pilot to provide a path from the current position
of the aircraft to the new destination. The path should avoid the hazardous weather as well as SUA. The path also
should preferably avoid the main streams of traffic flow, as this will save the system from a major disruption.
However, this might be inevitable due to specific location of the flight experiencing emergency condition. If this is
the case then ATC must give the highest priority to the emergency flight and clear its new diversion path from any
other flights. This in turn requires establishing set of holding patterns to sufficiently embed all the flights that their
trajectory conflict with the emergency flight. Once the emergency flight starts proceeding through its new diversion
path, the ARTCC gradually clears its path from other flights by rerouting and putting them in holding patterns and
releasing those flights that are then conflict free.
Figure 10 represents an example of mitigation procedures for a set of off-nominal conditions that cause route
blockage in an SDO. In this example, “route blockage” is a general term that covers a wide range of failure modes
related to different sizes of the affected airspace. For example, the route blockage could refer to a case in which a
relatively large volume of airspace or arrival fix becomes unusable. Each route blockage can be either a short-term
event or a long-term event. The mitigation procedures more likely would be flight-based for a short-term event and
flow-based for long-term events.
The flight-based mitigation procedure starts with identifying the set of flights whose nominal flight plans are or
will be blocked. Next, for each affected flight, ATC and pilots collaboratively find a new trajectory that circumvents
the blocked area. Once we have developed all the possible contingency plans, ATC must maintain the minimum
separation between all aircraft. This may require assigning some of the flights to set of holding patterns within the
designated areas until the blockage is removed.
For long-term events, it may not be feasible to seek a unique contingency plan for every single flight, because
this implies an exhaustive workload and consequently it will significantly reduce the airspace capacity. Therefore
flow-based mitigation procedures are meant to provide more structured changes that can be accountable for longer
periods and eventually become part of the new nominal conditions. Basically, ATC must adjust the main SDO
routing structures such that new traffic flow trajectories do not intersect with a blocked area. In addition, ATC must
control the incoming traffic throughput until the new routing structure is safely established.
Note: The numbers and the color codes indicate which ATM system function (Table 1) is involved in every step
of the mitigation process. Thus, the colors in Figure 9 and Figure 10 follow the same color code as established in
Table 1.
14
American Institute of Aeronautics and Astronautics
Fuel
Exhaustion
Mechanical
Failure
Declared
PIREP
Processing 4.1
Downloaded by UNIVERSITY OF ADELAIDE on October 28, 2017 | http://arc.aiaa.org | DOI: 10.2514/6.2011-6529
Flight
Charactristics,
status, conditions
1.3
Flight location,
speed, direction
1.2.2
List of Near by
Airports+ their
possible restrictive
conditions
Medical
Emergency
Emergency landing
required
Identify the nearest suitable
airport
yes
Change of altitude
required
Involved
Traffic flow
trajectory
2.2.8
Weather
constrained
Area, volume
4.4.4
Airport Airside Functions
5.7.1
yes
Identify the shortest
possible path
yes
Traffic Conflict
Clear the path from any
other flight(s), put them in
holding patterns, path
stretch and /or deviation
3.1
Near by flights
location, speed,
and direction
3.2.10
Special Use
Airspace
2.2.2
Direct the flight to
the suitable airport
3.2
Direct the flight to
the proper altitude
Conflict
resolved
Release the held flights
3.2.2
Figure 9: Mitigation procedures for emergency events related to aircraft.
15
American Institute of Aeronautics and Astronautics
Route
blockage
yes
Downloaded by UNIVERSITY OF ADELAIDE on October 28, 2017 | http://arc.aiaa.org | DOI: 10.2514/6.2011-6529
1 Planning &
Collaboration,
Short term
3 AT Conflict
Management Air Traffic
and Flight Deck Control
and Advisory Functions
no
Location &
dimensions of
route
blockage
3.2.9
Modify demand
2.2.7
SDO
nominal
route
structure
2.2.1
Flight Deck Planning
and Collaboration
Functions 1.3
2 Flow/Fleet
Management - ATC
Manages Major Flows
Weather
constraine
d Area,
volume
4.4.4
Flights plans and
contingency plans
1.1
Updated/ revised
current/near future
weather forecast
Flight location,
speed, direction
1.2.2
Special Use
Airspace
2.2.2
Wiggle
rooms
5.5.5
Identify alternative trajectory
success
Use holding
pattern, path
stretch, diversion
4 CNS & Weather
yes
3.1 AT Conflict
Management
Functions
Provide new route structure
2.2.1 & 2.2.5
(tools e.g. DAC)
yes
success
Conflict
resolved
Back to Nominal
conditions
Figure 10: Mitigation procedures for off-nominal events related to airspace resources.
16
American Institute of Aeronautics and Astronautics
IV. Conclusions
Downloaded by UNIVERSITY OF ADELAIDE on October 28, 2017 | http://arc.aiaa.org | DOI: 10.2514/6.2011-6529
The concept of operations for Super Dense Operations (SDO) has been established in the literature, and algorithmic
approaches to SDO routing have been studied. To follow on with the development of SDO, this paper addressed a
Failure Mode and Effects Analysis (FMEA) for SDO. A team of Subject Matter Experts (SMEs) was consulted in
order to perform this FMEA. As a result of this study, the main failure modes, as well as their effects affecting the
nominal SDO, were identified and their impacts on the system were ranked. The ranking results identify the failure
modes that are most frequent and that have the most significant effects on the system. The FMEA revealed that loss
of communication with ATCT and ARTCC facilities were highest risks to the SDO hence demand the highest level
of attention and system readiness. Reduced arrival fix capacity, arrival runway closure leading to the reduced arrival
fix capacity and reduced merging fix capacity are also among the high risks to the SDO. Pilot error is among high
risks to the system due to its frequency of occurrence. The results of this study will provide guidance for future
developments of mitigation procedures to safely and efficiently overcome SDO off-nominal, emergency, and failure
conditions.
Acknowledgments
This research was funded by NASA Ames Research Center under NRA contract NNA10DF52C Mitigation of OffNominal Events in Super-Density Operations. The authors appreciate inputs from the NASA contract monitor Doug
Isaacson. Also, we appreciate the financial support of the sponsor of the research, NASA Ames Research Center and
the NextGen Project Manager, Dr. Parimal Kopardekar.
References
[IWP08]
Integrated Work Plan for the Next Generation Air Transportation System Version 0.2, Joint Planning and
Development Office, Washington D.C., Feb. 15, 2008.
[JK08]
Jakobovits, R., and Krozel, J., “Traffic Flow Management for Super-Dense Operations,” AIAA Guidance,
Navigation, and Control Conf., Honolulu, HI, Aug., 2008.
[KMP07a] Krozel, J., Mitchell, J.S.B., Prete, J., Smith, P., and Andre, A., “Designing 4-D Trajectories for Super-Dense
Operations Given Weather Constraints,” 26th Digital Avionics Systems Conf., Dallas, TX, Oct., 2007.
[KMP07b] Krozel, J., Mitchell, J.S.B., Polishchuk, V., and Prete, J., “Airspace Capacity Estimation with Convective Weather
Constraints,” AIAA Guidance, Navigation, and Control Conf., Hilton Head, SC, Aug., 2007.
[KMP08] Krozel, J., McNichols, W., Prete, J., and Lindholm, T., “Causality Analysis for Aviation Weather Hazards,” AIAA
Aviation Technology, Integration, and Operations Conf., Anchorage, AK, Sept., 2008.
[KPM08] Krozel, J., Prete, J., Mitchell, J.S.B., Kim, J., and Zou, J., “Capacity Estimation for Super-Dense Operations,” AIAA
Guidance, Navigation, and Control Conf., Honolulu, HI, Aug., 2008.
[KSS07]
Krozel, J., Spencer, A., Smith, P., and Andre, A., “Requirements for Super-Dense Operations for the NGATS
Terminal Airspace,” Integrated Communications, Navigation, and Surveillance Conf., Herndon, VA, May, 2007.
[KZK09]
Kim, J., Zou, J., Krozel, J., and Mitchell, J.S.B., “Sensitivity of Capacity Estimates given Convective Weather
Constraints,” AIAA Guidance, Navigation, and Control Conf., Chicago, IL, Aug., 2009.
[MMB09] McDermott, R., Mikulak, R., and Beauregard, M., The Basics of FMEA, 2nd Ed., CRC Press, New York, NY, 2009.
[OPS07]
Concept of Operations for the Next Generation Air Transportation System Version 2.0, Joint Planning and
Development Office, Washington D.C., June 13, 2007.
[PKM08] Prete, J., Krozel, J., Mitchell, J.S.B., Kim, J., and Zou, J., “Flexible, Performance-based Route Planning for SuperDense Operations,” AIAA Guidance, Navigation, and Control Conf., Honolulu, HI, Aug., 2008.
[SAS09]
Smith, P.J., Andre, T., Spencer, A., Evans, M., and Krozel, J., “A Critique of an Operational Concept for Managing
Traffic in Super Dense Operations Airspace,” 28th Digital Avionics Systems Conf., Orlando, FL, Oct., 2009.
[SSE08]
Smith, P.J., Spencer, A., Evans, M., Krozel, J., and Andre, T., “Managing Arrivals in Super-Dense Operations:
Guidance based on a Cognitive Walkthrough,” 27th Digital Avionics Systems Conf., Minneapolis, MN, Oct., 2008.
[SSE09]
Smith, P.J., Spencer, A., Evans, M., Andre, T., and Krozel, J., “Human Factors Issues in the Design of Super-Dense
Operations Airspace,” Proc of the Human Factors and Ergonomics Society 53rd annual Meeting, San Antonio, TX,
Oct., 2009.
[VAMS06] VAMS Project Office, Virtual Airspace Modeling and Simulation System-Wide Concept Report, NASA Ames
Research Center, Moffett Field, CA, June, 2006.
17
American Institute of Aeronautics and Astronautics
Документ
Категория
Без категории
Просмотров
0
Размер файла
605 Кб
Теги
2011, 6529
1/--страниц
Пожаловаться на содержимое документа