A Quantitative Approach to Resilience Engineering for the Future ATM ... · A Quantitative Approach...

12th USA/Europe Air Traffic Management Research and Development Seminar, 27 - 30 June 2017, Seattle, WA, USA

A Quantitative Approach

to Resilience Engineering

for the Future ATM System:

Case Studies Results

R. Palumbo, E. Filippone

CIRA – Italian Aerospace Research Center

Presented by Roberto Palumbo

1/30


Topic:

SESAR JU E2.21 SAFECORAM Project (2013-2016)

(Sharing of Authority in Failure/Emergency Conditions for Resilience of ATM)

developed by CIRA in the framework of SESAR’s WPE.

Presentation Outline

1. Introduction to Resilience in Air Traffic Management

2. SAFECORAM Approach to Resilience Engineering in ATM

3. Case Studies Results

4. Discussion and Future Work

2/30


Introduction (1/2)

The Air Traffic Management system is rapidly growing in complexity.

Increased demand on the air

transportation system has increased

the traffic density.

• Costs

• Delays

• Emissions

• Workload

International programs are developing new operational concepts to redesign and

reorganize the ATM system in a more efficient way increasing capacity, efficiency

and safety.

3/30


The expected performance will be achieved:

• increasing the level of automation

• moving toward a network centric approach

• moving toward time-based operations

Introduction (2/2)

The objective is to reach the

performance expectations in the

11 Key Performance Areas

defined by ICAO.

4/30


Recently, the ATM research community is starting to give

more attention to the concept of resilience as a possible

way to analyze the capabilities of the ATM system to

recover an acceptable level of performance when non-

nominal conditions occur.

Resilience is a property of a system that describes its ability to return

to its original state (at some later time), after the removal of a

[deforming] stress.

Resilience in ATM (1/2)

In this context, disruptive events will call for an efficient

re-allocation of tasks and authority sharing between humans

and automated systems in order to mitigate the degradation of

performance caused by the off-nominal condition.

5/30


Resilience in ATM (2/2)

“the intrinsic ability of a system to adjust its functioning prior to, during,

or following changes and disturbances, so that it can sustain required

operations under both expected and unexpected conditions” **

In 2009, EUROCONTROL defined resilience in the context of ATM as:

There are still open questions regarding

how to quantify the ATM system resilience,

how to measure it and how to improve it.

** EUROCONTROL, “A white paper on resilience engineering for ATM,” Report of the Project Resilience Engineering for ATM, 2009.

6/30


SAFECORAM definition of Resilience

is based on a quantitative measure of the

global performance of the ATM system.

Objective of SAFECORAM:

To define a quantitative measure of resilience based

on the concept of tasks re-allocation and authority

sharing between humans and systems within the

future ATM system (year 2050).

SAFECORAM Project

7/30


Global Performance and Resilience (1/3)

The global performance of the ATM

system can be thought as the

fulfilment of the performance

expectations in the 11 Key

Performance Areas (KPAs) defined

by ICAO plus Human Performance

If we are able to assign a performance level to each KPA,

then we could interpret the yellow area in the picture,

as the global performance of the ATM system at a given state.

8/30


When a disturbance occurs, the ATM

system can no longer perform in its

nominal condition and its global

performance will inevitably change.

The ATM system reacts to the disturbance applying a set of mitigation actions that are aimed

at restoring the nominal performance (i.e. the original yellow area) as much as possible.

However, not all mitigation strategies are alike.

Different mitigation

strategies may recover

different levels of

global performance


Nominal

Global

Performance

Recovered

Global

Performance

(w/ Strategy 2)

Recovered

Global

Performance

(w/ Strategy 1)

9/30



In SAFECORAM approach:

Resilience is defined as

the optimal level of the residual global

performance of the ATM system resulting from

mitigation actions, triggered by the occurrence of

an off-nominal condition

Therefore an ATM system is more resilient the more it is able to reorganize itself

towards the most similar state with respect to the reference (nominal) one.

Performance loss can be pictured as the area

difference between the nominal area and the

degraded one.

To evaluate resilience we need to provide:

• a methodology to quantify and use the performance levels of the KPAs

• a methodology to establish the best re-allocation of tasks

10/30


SAFECORAM Methodological Approach

ASSUMPTIONS:

• the framework is the future ATM system (year 2050)

• SESAR ConOps fully deployed

• Highly automated

• RPAS and PATS (with their related infrastructure) are fully integrated

• no stochastic events

In the SAFECORAM methodology we have considered a scenario based approach.

ATM Scenario

Description

Disturbance

Analysis and

Task Allocation

Performance

Evaluation

Resilience

Quantification

and Optimization

Off-Nominal

Condition

The SAFECORAM approach consists of several steps:

11/30

The description of the methodology will be carried out alongside the description of Case Study 1

Case studies were developed with the help of ATM operational experts that supported the project.


Step 1 - Scenario Description: Methodology

In SAFECORAM a scenario description is made of:

• a nominal situation, to assess the nominal performance of the system

• an off-nominal condition, to evaluate performance degradation

The objective of a scenario is to explore alternative

mitigation strategies (task re-allocations) when an

off-nominal condition occurs.

12/30

Let’s see what this means considering Case Study 1


• 4 en-route A/C that travel across a specific air sector

• 4 A/C that depart from an airport inside that same air sector.

Case Study 1: Scenario Description

The nominal flow of events:

• the 4 en-route A/C fly their assigned 4D

contract crossing the specific air sector,

• and the 4 on-ground A/C depart from the

airport inside the air sector.

The unexpected event: the airspace sector is

affected by a temporary GNSS unavailability.

Step 1 - Scenario Description: Application

Case Study 1: GNSS Unavailability in Airspace Sector

How do we analyze the performance of this system?

13/30


The nominal flow is the set of

tasks and actions that describes

the nominal execution of the

scenario and guarantees the

nominal global performance.

A scenario description may be broken down into a flow of tasks and

actions performed by the actors of the scenario.

Step 2 - Task Analysis: Methodology (1/2)

14/30

Reference global performance


When an off-nominal condition occurs, there are several task reallocation

alternatives and different flows of actions that may be performed to

mitigate the effect of the disturbance.

Each path is characterized

by different levels of global

performance

Step 2 - Task Analysis: Methodology (2/2)

(different task

reallocation strategies)

15/30

Each new off-nominal task

contributes to performance

degradation.


Step 2 - Task Analysis: Application

Case Study 1 is extremely simple and the task breakdown can be done without the

use of a computational tool.

Case Study 1: Task and Failure Analysis

NOMINAL

FLOW

It is possible to

identify 8

alternative flows

16/30

The task breakdown is

reported in tabular

form in order to be

read by our software.

ALTERNATIVE FLOWS


Step 3 - Evaluation of Performance: Methodology (1/2)

At the moment, the SAFECORAM project takes into account only the following KPAs:

• K1 - efficiency (fuel burn);

• K2 - efficiency (delay);

• K3 - environment (emissions);

• K4 - capacity (throughput).

as the performance of these areas can be expressed with quantitative KPIs.

K1

K2

K3

K4

Nominal Global

Performance

Degraded Global

Performance

17/30

How do we evaluate the level of performance of the system?


Assuming a relationship between

KPIs (e.g. AREA)

Scenario description

in tabular form +

degradation criteria for off-nom tasks

(ki,j(1),…,ki,j

(m))

Ti,j

...... ...

vstart

vend

SlSl

Weighted Directed Acyclic Graph:

• vertices are tasks

• performance degradation is weighted

along the connecting edges

• nominal and alternative flows are PATHS

Step 3 - Evaluation of Performance: Methodology (2/2)

Quantify the global performance along the

nominal flow and along each alternative flow

SAFECORAM

software

demonstrator

K1

K2

K3

K4

Nominal Global

Performance

Degraded Global

Performance

18/30


Step 3 - Evaluation of Performance: Application (1/2)

Case Study 1: Evaluation of Performance

The graph is generated

Tables are read by the software

demonstrator

The task reallocation

strategies (PATHS) are

determined with their

associated level of global

performance

19/30


1. [START-00, ACC1-01, ACT1_4-01, ACD1_4-01, A/CT1-01, A/CT2-01, A/CT3-01, A/CT4-01, A/CD1-01, A/CD2-01, A/CD3-01, A/CD4-01]

2. [START-01, ACC1-02, SWIM-01, NM-01, ACC1-03, SWIM-04, A/CD1-02, A/CD2-02, A/CD3-02, A/CD4-02, ACT1_4-04, A/CT1-04, A/CT2-04, A/CT3-04, A/CT4-04]

3. [START-01, ACC1-02, SWIM-01, NM-01, ACC1-04, SWIM-04, A/CD1-02, A/CD2-02, A/CD3-02, A/CD4-02, ACT1_4-05, A/CT1-05, A/CT2-05, A/CT3-05, A/CT4-05]

4. [START-01, ACC1-02, SWIM-01, NM-02, ACC1-05, SWIM-02, NM-03, ACT1_4-02, A/CT1-02, A/CT2-02, A/CT3-02, A/CT4-02, SWIM-04, A/CD1-02,

A/CD2-02, A/CD3-02, A/CD4-02]

5. [START-01, ACC1-02, SWIM-01, NM-02, ACC1-05, SWIM-02, NM-03, ACT1_4-02, A/CT1-02, A/CT2-02, A/CT3-02, A/CT4-02, SWIM-05, A/CD1-03, A/CD2-03, A/CD3-03, A/CD4-03]

6. [START-01, ACC1-02, SWIM-01, NM-02, ACC1-05, SWIM-02, NM-03, ACT1_4-02, A/CT1-02, A/CT2-02, A/CT3-02, A/CT4-02, SWIM-06, A/CD1-04, A/CD2-04, A/CD3-04, A/CD4-04]

7. [START-01, ACC1-02, SWIM-01, NM-02, ACC1-06, NM-03, SWIM-03, ACT1_4-03, A/CT1-03, A/CT2-03, A/CT3-03, A/CT4-03, SWIM-06, A/CD1-04, A/CD2-04, A/CD3-04, A/CD4-04]



Output for Case Study 1:

Step 3 - Evaluation of Performance: Application (2/2)

Case Study 1: Evaluation of Performance

1 Nominal Path

8 Alternative Paths

Each path is characterized by its level of global performance

20/30


In this way it is possible to quantify and compare the global performance of each

alternative flow w.r.t. the nominal flow.

If we define a distance function d(⋅) between the nominal task flow and the

alternative ones:

Sopt = arg minSl∈Γ

𝕊 RL𝕊 Sl = arg min

Sl∈Γ 𝕊 d S0, Si

with RLS(Sl) resilience loss metric in the scenario S

e.g. AREA DIFFERENCE:

level of residual performance

Step 4 - Resilience Quantification: Methodology

21/30


Step 4 - Resilience Quantification: Application (1/2)

Number of Alternative Paths Best Area Distance Worst Area Distance

8 2.5 5.4

Case Study 1: Resilience Quantification

The optimization process

tries to find the mitigation

solution that keeps the

normalized KPIs as close as

possible to 1.

KPIs Nominal Best Worst

Efficiency (fuel) 1 1.1 1.2

Efficiency (delay) 1 3.6 6.4

Environment (emissions) 1 1.1 1.2

Capacity 1 0.9 0.8

The solution flow is better when the

distance metric tends towards zero.

The system is more resilient the more

it is able to reorganize itself towards

the most similar state w.r.t. the

reference one.

Alternative Path

(Mitigation Strategy)

Area

Distance

1 4.9

2 5.4

3 4.9

4 3.9

5 2.9

6 2.5

7 4.5

8 3.5

22/30


Capacity

Emissions

Delay

Fuel

A sector inside the airspace is closed due to temporary

GNSS unavailability

Manage A/C already inside the sector (increase separation)

ALLOW LIMITED NUMBER OF A/C

Allow 50% of en-route traffic

UDPP selects 50% of A/C for transit sector

NM decides for departing A/C in affected airport

2 A/C authorized for transit (50%)

2 A/C deviated

TRANSIT

TRANSIT

DEVIATED

DEVIATED

Allow 50% departures

A sector inside the airspace is closed due to temporary

GNSS unavailability

CLOSE SECTOR

DO NOT RESECTORIZE affected airspace

STOP ALL DEPARTURES

DEVIATE ALL A/C (intersecting the area)

INCREASE SEPARATION



Efficiency (delay) 1 3.6 6.4Environment

(emissions)1 1.1 1.2

Capacity 1 0.9 0.8

Step 4 - Resilience Quantification: Application (2/2)

Delay is the driving factor

in this solution.

Best Mitigation Strategy Worst Mitigation Strategy

Of course, the solution is strictly related to the scenario description, to the

task analysis, to the degradation criteria and to the considered KPIs.

23/30


The SAFECORAM resilience metric is time-independent in the sense that

it is a function of the available resources at each given state of the

system.

Considerations on Time

The ATM system, however, is a complex hybrid system, encompassing

both discrete (finite state) and continuous dynamics.

The simulation of the solution flow

“as is” in a real-time world can

demonstrate if the optimal task flow

is compatible with the dynamical and

physical evolution of the scenario

A further step is required to validate the optimal flow:

time-based simulation.

24/30


Case Study 2: Weather Hazard on TMA

Scenario Description

Terminal Area that includes:

• 2 main airports (AP1 and AP2) for commercial flights

• 1 small airport for RPAS and Personal Air Transportation Systems (PATS)

Two other airports outside the TMA for possible diversions (EAP1 and EAP2).

The unexpected event: a relevant snow storm limits the nominal functioning of the

airport runways.

The small airport has to be closed while the 2 major airports can use just 1

runway each (of the 3 normally available).

EAP1 and EAP2 are outside the storm area.

In the nominal flow of events:

• 10 commercial A/C are expected to land on AP1 and AP2

• 3 RPAS and 2 PATS are expected to land on the small airport

• 10 A/C are expected to depart from the AP1 and AP2

25/30


A/C waiting for clearance to land may decide to either hold or divert to one of the

airports outside the area (EAP1 or EAP2).


The Flow Manager (FM) must decide how to cope with the airplanes departing and

arriving.

For departing airplanes, the FM can decide to:

• STOP all departures,

• ALLOW half,

• NO LIMITS.

For landing airplanes, the FM can decide between 3 different strategies:

• segregated sequence (i.e. commercial airplanes on AP1 while PATS/RPAS on AP2),

• optimized sequence (i.e. grouping similar A/C to reduce wake vortex separation),

• first come first served sequence.

Evaluation of Performance

26/30


Number of

Alternative

Paths

Best

Area

Distance

Worst

Area

Distance

132 1.4 13.6




Efficiency (delay) 1 2.6 14.6

Environment

(emissions)1 1.1 1.1

Capacity 1 0.8 0.9

Resilience Quantification

This case study shows how

the system can become

extremely complex and

impossible to treat without

graph theory results.

27/30


Resilience Quantification


• Allow departures with no limitations

• Allow landings with first-come-first-

serve sequence.

• Prefer holding procedures to

diversions.

• Stop all departures

• Allow landings with segregated

sequence.

• Don’t put in hold but divert to an

alternative airport.

Best Mitigation Strategy Worst Mitigation Strategy

Emissions

Capacity

Delay Fuel

Of course, the solution is strictly

related to the scenario description, to

the task analysis, to the degradation

criteria and to the considered KPIs.

28/30


Discussion and Future Work

Although the SAFECORAM methodology produces measurable results, the

approach is far from being applicable in short time to actual situations.

In addition, the current optimization algorithm is not able to manage loops

possibly present in the graph.

Cyclic activities are, instead, possible in the ATM system and therefore such kind

of improvement has to be considered.

The methodology is based on quantitative models not completely defined so far:

• ATM performance model, to measure the whole set of KPIs:

objective of SESAR Performance Framework

• Quantitative task allocation model:

the use of flow diagrams to describe ATM processes is a simplification

29/30


Thank you!

Acknowledgments

30/30


KPA KPI ID Calculation

Efficiency Average Taxi/En-

Route/TMA in fuel

burn per flight

Amount of fuel burn in taxi/En-Route/TMA phase

divided by number of movements:

where M is the number of movements of

vehicles (Aircraft/PATS/RPAS), N is the number

of flights. fi is the fuel burn in taxi/En-Route/TMA

phase.

Efficiency Delay The time difference between the scheduled time

at a certain point and the actual time over that

point:

where N is the total number of vehicles

(Aircraft/PATS/RPAS), ts,k is the scheduled time

at a certain point for aircraft k and ta,k is the

actual time over that point for aircraft k.

Environment Emission Amount of emissions of pollutant e per flight for a

given set of flights:

where Ee is the amount of emissions of pollutant

e per flight for a given set of flights, N is the total

number of vehicles (Aircraft/PATS/RPAS), ce is

the emission factor for pollutant and ∆fF,k is the

amount of fuel consumed by aircraft k.

Capacity En-Route/TMA/RWY

Increased Throughput

Total number of movements M per (volume of

En-Route/TMA airspace) or per (one runway)

per hour for specific traffic mix and density.

Notes

N

i

ifuelburn fM

KPI1

1

N

k

kskadelay ttN

KPI1

,,

1

N

k

kFee fcN

E1

,

1

31/30


Notes

A suitable weight may be assigned to each KPI in order to set the importance of

the KPI with respect to the others.

Three sets of coefficients may roughly correspond to three ATM stakeholders

point of view: General, Airline and Airport.

Stakeholder Fuel Burn coefficient Delay coefficient Pollution coefficient Capacity coefficient

Airline 1 0.5 0 0

Airport 0 1 0 0

General 1 1 1 1

32/30

A Quantitative Approach to Resilience Engineering for the Future ATM ... · A Quantitative Approach...

Documents

Transcript of A Quantitative Approach to Resilience Engineering for the Future ATM ... · A Quantitative Approach...