
[IEEE 2007 International Conference on Information and Emerging Technologies - Karachi, Pakistan (2007.07.6-2007.07.7)] 2007 International Conference on Information and Emerging Technologies

Requirements Analysis of Air Traffic Control System Using Formal Methods

Maryam Jamal
Department of Computer Science
International Islamic University
Islamabad, PAKISTAN
E-mail: maryamjamal [email protected]

Nazir Ahmad Zafar
Department of Computer and Information Sciences
Pakistan Institute of Engineering & Applied Sciences
Nilore, Islamabad, PAKISTAN
E-mail: nazafar [email protected]

Abstract

Formal Methods is an emerging technology that uses mathematical notations to write precise and unambiguous specifications, which makes it possible to prove and analyze certain properties of the system so that errors and inconsistencies are identified during early stages of the development process. In this paper Formal Methods, in terms of Z notation, is applied to the specification of the safety critical system of Air Traffic Control (ATC). Firstly, the ATC system model in the real world is described. For connectivity of different zones of airspace, the real world ATC system is transformed into a directed graph, which is then used to formalize the major components of the formal ATC Model, i.e. Static Topology, Network State, Aircraft and Controller. The whole Formal ATC Model is then presented as an encapsulation of the formal models of its basic components. Finally, the Formal ATC system Model is checked and analyzed with the Z/EVES tool-set.

1. Introduction

Automation of the Air Traffic Control (ATC) system is considered to be one of the most challenging domains because it is a highly safety critical system. Even a minor error not only causes monetary losses but also puts precious human lives at risk. Safety-related software errors arise most often from inadequate or misunderstood requirements. Conventional techniques fail to catch many requirements errors [1]. Conventional informal approaches focus more on the later stages of the development process. Errors and inconsistencies in requirements specifications penetrate to later phases of the development process and are only detected in the Implementation and Testing phases, where they are difficult and costly to fix [].

Formal Methods is a rapidly evolving technology that uses mathematical notations to write precise and unambiguous specifications. Formal Methods make it possible to prove and analyze certain properties of the system during early stages of the development process so that errors in the requirements specification can be identified and removed. Studies have suggested that Formal Methods have tremendous potential for improving the clarity and precision of requirements specification, and for finding important and subtle errors [11]. Using formal specification can improve the understanding of the system being developed and can prevent errors being propagated through the development process [9]. As a result an error free, efficient and high quality system is developed. The objectives set for this paper are (i) to model the highly safety critical ATC system using Formal Methods, (ii) to apply graph theory in the representation of the formal ATC Model and (iii) to use Z notation and the Z/EVES tool-set for the development of a rigorous formal Model of the ATC system.

In the field of Formal Methods, the ATC system is not an unexplored area. The work in [4] provides a case study of an ATC system at a very abstract level using VDM. Similarly, to demonstrate the strength of a model based language, an example of a simple hypothetical ATC system using the Sum language, a dialect of Z notation, and the Cogito methodology is presented in [8]. It also gives the idea of a distributed architecture of the ATC system abstractly. The formal model in [1] is focused on the detection and reduction of errors caused by a human operator in an ATC system. The abstract specification of an ATC system in [2] demonstrates the application of the RAISE method for domain analysis, requirements capture and software architecture. When an aircraft takes off from its source towards its destination, the connectivity between the different zones of airspace becomes vital, as does determining the position of the aircraft. The models described above are at an abstract level of representation and none of them covers the aspect of connectivity of airspace. The model presented in this paper uses Graph Theory [10], which is considered a suitable means of solving problems of connectivity. The work done in [7] has been the starting point of our work, but it presents the modeling of a railway interlocking system as an undirected network using VDM. In this paper the ATC system is modeled as a directed graph with zones (airspace segments) as the set of nodes and the airway segments connecting them as the set of edges. A directed graph is used because the direction of connections matters. The presented ATC system, modeled as a directed graph, is formalized in terms of Z notation because, apart from other Formal Methods, the rich mathematical notations offered by Z make it possible to reason rigorously and effectively about the behavior of the specified system [5].

In Section 2, Formal Methods are introduced. In Section 3, the ATC system in the real world is described. Transformation of the real world ATC Model into graph theory is done in Section 4 and formalization of the ATC system in terms of Z notation is presented in Section 5. In Section 6, checking and analysis of the Formal ATC system Model, using the Z/EVES tool-set, is discussed and finally the concluding remarks are given in Section 7.

2. Formal Methods

Formal Methods is an emerging technology that comprises using mathematics for writing precise and unambiguous specifications. It provides the means for analyzing and proving certain properties of the system to be built so that errors in specifications can be identified and removed during early stages of the software development process. Using mathematical refinements, Formal Methods are used in every stage of the development process, ensuring the development of a high quality and correct system with respect to its requirements. Formal Methods are in different stages of development, in a wide spectrum from formal languages with no tool support to internationally standardized languages with tool support and industrial users [6]. There are more than 90 techniques of Formal Methods; amongst them the usage of Z notation and the Z/EVES tool-set is demonstrated in this paper.

3. ATC Model in Real World

The International Civil Aviation Organization (ICAO) is a global forum having the goal of safe and efficient air transportation [12]. ICAO broadly classifies airspace into controlled and uncontrolled. A controlled airspace is a three dimensional area in which active ATC services are provided for aircraft flying in it. Within the controlled airspace extends the intricate network of airways. An airway can be considered as a highway in the sky allowing bidirectional or unidirectional flow of aircraft. The safe journey of any aircraft requires the services of ATC controllers. Each controlled airspace is monitored and controlled by a team of controllers. The controllers in our model will be computer-based systems that monitor and track the aircraft within their assigned airspace zones. Figure 1 shows the ATC Model with cubes representing three dimensional airspace segments termed zones and the aircraft within them, being controlled by computer-based controllers.

[Figure 1. ATC Model in real world]

4. ATC Model in Graph Theory

The ATC system model in the real world, described above, is transformed into a directed graph. The controlled airspace is further divided into smaller airspace segments or Zones. If there is an airway segment connecting two zones, it means the two zones are connected and aircraft can fly directly between them. Therefore, the set of all zones of the airspace represents the nodes of the graph and the set of airway segments connecting them the arcs. The direction of an arc indicates the direction of flow of traffic. Figure 2 shows the ATC Model in graph theory representing six zones z1, z2, z3, z4, z5 and z6 and ten airway segments representing the interconnections between them.

[Figure 2. ATC Model in Graph Theory]

The directed graph in figure 2 shows that the arc between z1 and z2 is unidirectional, i.e. aircraft can fly from z1 to z2 and not from z2 to z1. This connection can be represented as the ordered pair (z1,z2), whereas the connection between z2 and z6 is bi-directional, i.e. aircraft can fly from z2 to z6 and from z6 to z2. This connection of zones is represented by the ordered pairs (z2,z6) and (z6,z2). In this way the directed graph of the ATC system, represented in figure 2, is defined using the Connections relation as shown below.

Connections = {(z1,z2), (z1,z6), (z2,z3), (z2,z5), (z2,z6), (z3,z5), (z4,z3), (z5,z4), (z6,z2), (z6,z5)}

5. Formal Model of ATC System

The ATC system, modeled as a directed graph, is formalized in terms of Z notation [5]. The Z notation is based upon set theory and mathematical logic. Mathematical objects and their properties are collected together in schemas, which are patterns of declarations and constraints (invariants). The major components of the Formal ATC model are shown in figure 3. The subsequent sections describe each component in detail.

[Figure 3. Components of Formal ATC Model: the Air Traffic Control System Model is composed of Static Topology, Network State, Aircraft and Controller]

5.1. Static Topology

The Static Topology is the fixed physical layout of components related together to perform the intended task. The topology remains unchanged and is represented by fixed data structures. Therefore, Zone, Airport and Connections represent the static Topology of the ATC System Model.

Zone: Each Zone is defined as a three dimensional entity of airspace. Since an abstract model is presented in this paper, we are not concerned with its shape and geometry. Thus, it is modeled by the variable Zone as a collection of the abstract type Point.

[Point]
Zone == ℙ Point

Connection: The connectivity between two zones is modeled as the relation Connection. It not only represents connectivity but also indicates the direction of flow of air traffic. It is important to note that a zone is not connected with itself.

Connection == { z1, z2: Zone | z1 ≠ z2 • (z1, z2) }

Static Model: The connectivity of all zones forming the airspace around the globe is represented in the schema StaticTopology. It actually represents the static model of the ATC System.

[Runway]

StaticTopology
  connections: ℙ Connection
  Airport: Runway ↣ Zone
  ------------------------------------------------------------
  ∀ z1, z2: Zone • (z1, z2) ∈ connections ∨ (z2, z1) ∈ connections

The state variables defined in the schema are:

The state variable connections is modeled as the set of connections in the network.

Although modern airports have many advanced devices for providing efficient services to aircraft, the most promising component, common to all airports, is a runway, represented by the abstract data type Runway. Therefore, the variable Airport is modeled as a total injective function of Runway and Zone. It means each Runway is assigned to exactly one Zone and no two Zones have the same Runway.

Invariants

1. The Connections relation is asymmetric. It means, if an aircraft can move directly from one zone to another it may or may not be possible for it [remainder of the sentence missing in the source]

5.2. Network State

The Network State of the ATC system Model, defined in the schema named DynamicTopology, represents the dynamicity of aircraft flying within the zones. It is assumed that there can be exactly one aircraft in a zone at a time. Each aircraft is assigned a unique identification mark represented by the abstract data type AircraftId. The state of each zone is indicated in the variable State. If an aircraft resides in a zone, its state is marked as OCCUPIED, else the state is CLEAR.

[AircraftId]
State ::= CLEAR | OCCUPIED

DynamicTopology
  zoneStates: Zone ⤔ AircraftId
  ------------------------------------------------------------
  ∀ z: Zone • ∃ a1, a2: AircraftId • z ↦ a1 ∈ zoneStates ∧ z ↦ a2 ∈ zoneStates ⇒ a1 = a2

A partial injective function of Zone and AircraftId is declared using the state variable zoneStates. It means there can be zero or exactly one Zone for each AircraftId (abstract data type) assigned to an aircraft. Similarly, an aircraft, represented by AircraftId, belongs to zero or exactly one Zone at a time.

Invariants

1. Each aircraft belongs to exactly one airspace zone at a time and no two zones can have the same aircraft at any particular time.

5.3. Aircraft

The schema Aircraft describes the flight data of an Aircraft utilizing ATC services. Each Aircraft is assigned a unique identification mark called AircraftId; the variable Aircrafts represents a total injective function of AircraftId and Aircraft. It means each AircraftId is assigned to exactly one Aircraft and no two Aircraft have the same AircraftId at a time.

Aircrafts == AircraftId ↣ Aircraft

Aircraft
  source: Zone
  destination: Zone
  currentSpeed: ℕ
  currentAltitude: ℕ
  heading: ℕ
  speedLimit: ℕ
  altitudeLimit: ℕ
  currentPosition: Zone
  ------------------------------------------------------------
  source ≠ destination
  currentSpeed ≤ speedLimit
  currentAltitude ≤ altitudeLimit
  heading ≤ 360

The state variables defined in the schema are:

A Zone from which the aircraft has flown is represented by the variable source.

A Zone to which the aircraft is destined to land is represented by the variable destination.

The speed, altitude, heading, speed limit and altitude limit of an Aircraft are represented as natural numbers in the variables currentSpeed, currentAltitude, heading, speedLimit and altitudeLimit respectively.

The state variable currentPosition, of type Zone, represents the zone occupied by an aircraft at any particular time.

Invariants

1. An Aircraft cannot have the same zone as its source and destination.
2. The current speed of an aircraft should not exceed the Aircraft's speed limitation.
3. The current altitude should not exceed the maximum altitude limitation of an Aircraft.
4. The heading of an aircraft should not be greater than 360 degrees.

5.4. Controller

A controller in our model is a computer-based system represented by the schema Controller. Each controller monitors and directs an aircraft within the airspace zones assigned to it. There is a unique identification mark, represented by the abstract data type ControlId, assigned to each controller. The variable Controls represents a total injective function of ControlId and Controller. It means there is exactly one ControlId assigned to each controller and no two controllers have the same ControlId.

[ControlId]
Controls == ControlId ↣ Controller

Controller
  sector: ℙ Zone
  states: Zone → State
  aircrafts: Aircrafts
  capacity: ℕ
  ------------------------------------------------------------
  ∀ z: Zone | z ∈ sector • z ∈ dom states
  ∀ z: Zone | z ∈ dom states • z ∈ sector
  ∀ z: Zone | z ∈ dom states • states z = OCCUPIED
  aircrafts ∈ 𝔽 Aircrafts
  # aircrafts ≤ capacity
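As an added illustration (not code from the paper), the Figure 2 graph of Section 4 and the Connection relation of Section 5.1 as an executable directed graph in Python: it rejects self-connections, separates unidirectional from bidirectional arcs, and searches for a route between a source and a destination zone along arc direction. Only the ten ordered pairs come from the paper; the function names and the route search are this example's own.

```python
# Added example, not from the paper: the Figure 2 airspace graph of Section 4
# as an executable directed graph, with the well-formedness rule of the
# Connection relation (Section 5.1) and a route search between two zones.
from collections import deque

# Connections relation of Figure 2 (ordered pairs; direction matters).
CONNECTIONS = {("z1", "z2"), ("z1", "z6"), ("z2", "z3"), ("z2", "z5"),
               ("z2", "z6"), ("z3", "z5"), ("z4", "z3"), ("z5", "z4"),
               ("z6", "z2"), ("z6", "z5")}


def check_connection_relation(connections):
    """Connection == { z1, z2: Zone | z1 != z2 . (z1, z2) }: a zone is never
    connected with itself. Returns the pairs that break this rule."""
    return sorted(p for p in connections if p[0] == p[1])


def classify_arcs(connections):
    """Split the relation into unidirectional arcs such as (z1, z2) and
    bidirectional ones such as (z2, z6)/(z6, z2), as Section 4 describes.
    Bidirectional pairs are reported once, with the zones in sorted order."""
    one_way = sorted(p for p in connections if p[::-1] not in connections)
    two_way = sorted({tuple(sorted(p)) for p in connections
                      if p[::-1] in connections})
    return one_way, two_way


def successors(connections):
    """Adjacency map: the zones an aircraft may fly to directly from each zone."""
    succ = {}
    for src, dst in connections:
        succ.setdefault(src, set()).add(dst)
        succ.setdefault(dst, set())
    return succ


def route(connections, source, destination):
    """Breadth-first search that follows arc direction only. Returns the zone
    sequence of a shortest route, or None if the destination is unreachable.
    The Aircraft schema requires source != destination, so that case is an error."""
    if source == destination:
        raise ValueError("source and destination must differ")
    succ = successors(connections)
    parent = {source: None}          # zone -> zone it was reached from
    queue = deque([source])
    while queue:
        zone = queue.popleft()
        if zone == destination:
            path = []
            while zone is not None:  # walk parents back to the source
                path.append(zone)
                zone = parent[zone]
            return path[::-1]
        for nxt in sorted(succ.get(zone, ())):
            if nxt not in parent:
                parent[nxt] = zone
                queue.append(nxt)
    return None


if __name__ == "__main__":
    print(check_connection_relation(CONNECTIONS))  # []
    print(classify_arcs(CONNECTIONS)[1])           # [('z2', 'z6')]
    print(route(CONNECTIONS, "z1", "z4"))          # ['z1', 'z2', 'z5', 'z4']
    print(route(CONNECTIONS, "z4", "z1"))          # None: no arc enters z1
```

Because no arc enters z1 in Figure 2, a flight plan from z4 to z1 has no route, which is exactly the kind of connectivity question the paper's directed-graph model is meant to expose.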

There are four variables declared in the schema. The collection of zones is termed a Sector. The set of Zones under the command of a controller is represented in the variable sector.

The variable states is defined as a total function of Zone and State that represents the state of each zone of the Sector. It means each zone has a single state value, either OCCUPIED or CLEAR.

The number of aircraft flying within the Sector is represented by the variable aircrafts.

The variable capacity, defined as a natural number, represents the maximum number of aircraft that the controller can control.

Invariants

1. All zones in the Sector must have a state value.
2. All the zones having a state value must belong to the sector being controlled by the controller.
3. All zones occupied by aircraft must have the state value OCCUPIED.
4. There must be a finite number of aircraft flying within the Sector.
5. The number of aircraft flying within the Sector must be less than or equal to the capacity limit assigned to the controller.

5.5. ATC System

The formal models of Static Topology, Network State, Aircraft and Controller, presented in earlier sections, are encapsulated to model the Air Traffic Control system as shown in figure 4. The Formal ATC model is defined in the schema named ATCSystem.

[Figure 4. Formal Model of ATC System: the Air Traffic Control System is composed of Static Topology (Connections, Zones, Airport), Network State (Zone States), Aircrafts/Aircraft (Source, Destination, Flight Data) and Controls/Controller (Sector, states, Aircrafts, capacity)]

ATCSystem
  ΞStaticTopology
  ΞDynamicTopology
  aircrafts: Aircrafts
  controls: Controls
  ------------------------------------------------------------
  ∀ z1, z2: Zone | {z1 ↦ z2} ⊆ connections ∨ {z2 ↦ z1} ⊆ connections •
      z1 ∈ dom zoneStates ∧ z2 ∈ dom zoneStates
  ∀ z: Zone | z ∈ dom zoneStates •
      ∃ z1, z2: Zone | {z1 ↦ z2} ⊆ connections ∨ {z2 ↦ z1} ⊆ connections •
          z = z1 ∨ z = z2
  ∀ aId: AircraftId | aId ∈ dom aircrafts •
      ∃ aircraft: Aircraft | aircrafts aId = aircraft •
      ∃ z1, z2: Zone | {z1 ↦ z2} ⊆ connections ∨ {z2 ↦ z1} ⊆ connections •
          aircraft.destination = z1 ∨ aircraft.destination = z2
  ∀ z1, z2: Zone | {z1 ↦ z2} ⊆ connections ∨ {z2 ↦ z1} ⊆ connections •
      ∃ cid: ControlId | cid ∈ dom controls •
      ∃ control: Controller | controls cid = control •
          z1 ∈ control.sector ∧ z2 ∈ control.sector
  ∀ z1, z2: Zone |
      ∃ cid: ControlId | cid ∈ dom controls •
      ∃ control: Controller | controls cid = control •
          z1 ∈ control.sector ∧ z2 ∈ control.sector •
      {z1 ↦ z2} ⊆ connections ∨ {z2 ↦ z1} ⊆ connections
  ∀ cid: ControlId | cid ∈ dom controls •
      ∃ control: Controller | controls cid = control •
          dom aircrafts ⊆ dom control.aircrafts
  ∀ aId: AircraftId | aId ∈ dom aircrafts •
      ∃ cid: ControlId | cid ∈ dom controls •
      ∃ control: Controller | controls cid = control •
          dom control.aircrafts ⊆ dom aircrafts

The declaration part of the schema includes:

The schema StaticTopology is included with all its declarations and constraints but with no state change privileges granted on this schema.

Similarly, the schema DynamicTopology is included with all its declarations and constraints but with no state change privileges granted on it.

The set of aircraft flying within all the Sectors of the airspace is represented by the variable aircrafts.

The set of controllers controlling all the Sectors of the airspace is represented by the variable controls.
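As an added example (not from the paper), an executable check in Python of the seven ATCSystem invariants enumerated in Section 5.5, run over the Figure 2 connections. The zone occupancy, aircraft destinations and controller assignments are a constructed instance; "has a state value" is read as membership in dom zoneStates, as the schema predicate states, and invariants 6 and 7 follow their prose statement (an aircraft in the system is controlled by some controller, and vice versa).

```python
# Added example, not from the paper: an executable check of the ATCSystem
# invariants of Section 5.5 over the six-zone graph of Figure 2. Plain sets and
# dicts stand in for the Z schema components; the instance is constructed.
from itertools import combinations

# Connections relation of Figure 2 (ordered pairs; direction matters).
CONNECTIONS = {("z1", "z2"), ("z1", "z6"), ("z2", "z3"), ("z2", "z5"),
               ("z2", "z6"), ("z3", "z5"), ("z4", "z3"), ("z5", "z4"),
               ("z6", "z2"), ("z6", "z5")}

def connected(z1, z2, connections):
    """Guard used throughout the ATCSystem schema:
    {z1 -> z2} subset-of connections  or  {z2 -> z1} subset-of connections."""
    return (z1, z2) in connections or (z2, z1) in connections

def atc_system_violations(connections, zone_states, aircrafts, controls):
    """Return the numbers (1-7, Section 5.5) of the ATCSystem invariants the
    instance violates; an empty list means the schema predicate holds.
      connections: set of (zone, zone)              StaticTopology.connections
      zone_states: dict zone -> aircraft id         DynamicTopology.zoneStates
                   (a zone "has a state value" iff it is in this domain)
      aircrafts:   dict aircraft id -> destination  the only flight datum used
      controls:    dict controller id -> (sector set, controlled aircraft ids)
    """
    zones = {z for pair in connections for z in pair}
    bad = []
    # 1. every zone of a connection has a state value
    if any(z not in zone_states for z in zones):
        bad.append(1)
    # 2. every zone with a state value lies on some connection
    if any(z not in zones for z in zone_states):
        bad.append(2)
    # 3. each aircraft's destination is a zone of some connection
    if any(dest not in zones for dest in aircrafts.values()):
        bad.append(3)
    # 4. both ends of every connection lie in one controller's sector
    if any(not any({z1, z2} <= sector for sector, _ in controls.values())
           for z1, z2 in connections):
        bad.append(4)
    # 5. two distinct zones sharing a sector are connected (a zone is never
    #    connected with itself, so the pair z1 = z2 is left out here)
    if any(not connected(a, b, connections)
           for sector, _ in controls.values()
           for a, b in combinations(sorted(sector), 2)):
        bad.append(5)
    controlled = set().union(*(ids for _, ids in controls.values()))
    # 6. every aircraft in the system is under the control of a controller
    if not set(aircrafts) <= controlled:
        bad.append(6)
    # 7. every aircraft under a controller's control is in the system
    if not controlled <= set(aircrafts):
        bad.append(7)
    return bad

def figure2_instance():
    """Constructed instance satisfying all seven invariants: one aircraft per
    zone, and four overlapping sectors each forming a mutually connected set."""
    zone_states = {f"z{i}": f"A{i}" for i in range(1, 7)}
    aircrafts = {"A1": "z3", "A2": "z6", "A3": "z5",
                 "A4": "z2", "A5": "z1", "A6": "z4"}
    controls = {"C1": ({"z1", "z2", "z6"}, {"A1", "A2"}),
                "C2": ({"z2", "z5", "z6"}, {"A5", "A6"}),
                "C3": ({"z2", "z3", "z5"}, {"A3"}),
                "C4": ({"z3", "z4", "z5"}, {"A4"})}
    return zone_states, aircrafts, controls

if __name__ == "__main__":
    zs, ac, ct = figure2_instance()
    print(atc_system_violations(CONNECTIONS, zs, ac, ct))  # []
    del zs["z3"]          # z3 loses its state value
    ac["A2"] = "z9"       # destination outside the connections
    print(atc_system_violations(CONNECTIONS, zs, ac, ct))  # [1, 3]
```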

Invariants

1. All the connected zones defined in the Static Topology must have a state value.
2. All the zones having a state value must belong to the connections of zones defined in the Static Topology of the network.
3. The destination of all the aircraft flying within the airspace must belong to the connections of zones defined in the Static Topology.
4. All the zones defined in the connections of the Static Topology must belong to a Sector under the control of a valid controller.
5. Every zone belonging to a Sector under the control of a controller must be defined in the connections of the Static Topology.
6. All aircraft in the system must be under the control of a controller.
7. Every aircraft under the control of a controller must be in the system.

6. Analyzing Formal ATC Model

Z/EVES is a powerful tool for analyzing Z specifications. It can be used for parsing, type checking, domain checking, schema expansion, precondition calculation, refinement proofs and proving theorems [3]. The formal ATC Model is checked and strengthened using the Z/EVES tool-set. All the schemas of the formal ATC model have been analyzed for their syntax correctness, type and domain checking. Moreover, all the schemas of the formal ATC model have been proved by the technique of reduction. It helped to spot errors at the requirements specification level, preventing them from propagating to later stages of the development process. Therefore, proving the formal ATC Model using the Z/EVES tool-set not only ensures syntactic correctness but also gives proof accuracy. Figure 5 shows a snapshot of the Z/EVES tool-set.

[Figure 5. Snapshot of Z/EVES Tool-set]

7. Conclusion

The power of applying Formal Methods in the modeling of a complex, highly safety critical system such as ATC has been shown, which was one of the objectives of our research. Graph Theory, which is considered a convenient means of solving various connectivity problems of the real world, has been applied to solve the connectivity of different zones of airspace. Furthermore, the formal ATC system, modeled as a directed graph in terms of Z notation, has been developed, which shows the strength of Formal Methods to model any complex system very precisely and unambiguously. By applying Formal Methods, a deeper insight into the system to be built has been achieved. The errors and inconsistencies that were found while describing the formal specification of the ATC system have been identified in an early phase of the development process; these would have been detected in the implementation or testing phase using traditional approaches. Therefore, the use of Formal Methods in this research has ensured high quality, reliable and correct system specifications with respect to the ATC system requirements.

Another objective of the research was to apply Z notation to the modeling of the ATC system because, apart from other techniques, the rich mathematical notations it offers make it possible to reason rigorously and effectively about the behavior of the specified system. Use of the Z/EVES tool further analyzed the model, giving high confidence in our formal ATC system model.

Formal Methods is a promising field of research in academia but there is a gap between academia and industry. Many practitioners are reluctant to use Formal Methods because of many baseless myths and misconceptions prevailing in the market. But Formal Methods are very important for rigorous and concrete modeling of systems. This has been observed in the development of this ATC system, in which we resolved the ambiguities and gave a complete and consistent definition of the ATC system requirements.

References

[1] David Leadbetter, Peter Lindsay, Andrew Neal, and Mike Humphreys, "Integrating the Operator into Formal Models in the Air-Traffic Control Domain", Technical report 00-34, November 2000.


[2] Dines Bjorner, "Software Systems Engineering From Domain Analysis via Requirements Capture to Software Architecture", Proceedings of Software Engineering Conference, Brisbane, Australia, 1995.

[3] I. Meisels and M. Saaltink, "The Z/EVES Reference Manual", TR-97-5493-03, ORA Canada, 1997.

[4] J. C. Bicarregui, J. S. Fitzgerald, P. A. Lindsay, R. Moore, and B. Ritchie, Proof in VDM: A Practitioner's Guide, Springer-Verlag, New York, USA, 1994.

[5] J. M. Spivey, "The Z Notation: A Reference Manual", Prentice-Hall, Englewood Cliffs, NJ, 1992.

[6] Milica Barjaktarovic, "The State-of-the-Art in Formal Methods", AFOSR Summer Research technical report for Rome Research Site, Formal Methods Framework - Monthly Status Report F30602-99-C-0166, WetStone Technologies, January 1998.

[7] N. A. Zafar and K. Araki, "Formalizing Moving Block Railway Interlocking System for Directed Network", Research Reports, Department of Computer Science and Communication Engineering, Kyushu University, Japan, 2003.

[8] Peter A. Lindsay, "A Tutorial Introduction to Formal Methods", Proceedings 3rd Australian Workshop on Industrial Experience with Safety Critical Systems and Software, pp. 29-37, Australian Computer Society, Australia, 1998.

[9] Peter Gorm Larsen, John Fitzgerald and Tom Brookes, "Lessons Learned from Applying Formal Specification in Industry", IEEE Software, May 1996.

[10] Seymour Lipschutz, Schaum's Outline of Theory and Problems of Data Structures, McGraw-Hill Book Company, Singapore, 1998.

[11] Steve Easterbrook, Robyn Lutz, Richard Covington, John Kelly, Yoko Ampo, and David Hamilton, "Experiences Using Lightweight Formal Methods for Requirements Modeling", IEEE Transactions on Software Engineering, vol. 24, no. 1, pp. 4-14, January 1998.

[12] Strategic Objectives of ICAO for 2005-2010, International Civil Aviation Organization, December 2004.