Safety Control Management at Airport Taxiing to Take-Off Procedure


Arab J Sci Eng
DOI 10.1007/s13369-014-1176-6

RESEARCH ARTICLE - COMPUTER ENGINEERING AND COMPUTER SCIENCE

Nazir Ahmad Zafar

Received: 15 February 2013 / Accepted: 15 July 2013
© King Fahd University of Petroleum and Minerals 2014

Abstract Air traffic control (ATC) system is a safety critical system because its failure may result in loss of life and considerable financial and environmental damages. Modelling a safe and efficient ATC system is an open research problem and has become a challenging task due to its complexity and ever increasing traffic at airports. It is reported in the literature that the number of collisions occurring on the airport surface is three times larger than the number of collisions in the airspace. The delays at airport surface require effective safety and guidance protocols to control traffic at the airport. In this paper, a formal procedure of managing air traffic from taxiing to take-off is provided using graph theory and Z notation. After definition of the airport surface by the graph structure in terms of nodes and edges, formal specification of taxiways, aircraft and runways is provided in the static part of the model. The state space analysis is provided by describing optimal paths in the dynamic model, expediting the departure procedure. The safety properties are described in terms of invariants over the data types carrying critical information. Further, the safety is ensured by defining pre- and post-conditions in the description of operations for changing the state space of the system. The proposed study is focussed more on the safety component; however, the efficiency of the system is not ignored. For example, the model is based on the next generation ATC systems that use new technologies expediting the procedures. Graph theory is used in our model under the Z specification, which is a foundation for automating the procedure in our future work. Formal specification is analysed and validated using the Z/Eves tool. It is observed that weaknesses of testing and simulation can be overcome by applications of formal techniques, avoiding state space explosion problems in complex systems.

N. A. Zafar (B)
Department of Computer Science, King Faisal University, Al-Ahsa, Kingdom of Saudi Arabia
e-mail: [email protected]; [email protected]

Keywords Air traffic control · Modelling · Graph theory · Formal analysis · Z notation · Validation and verification

1 Introduction

Safety critical systems are those whose failure could result in loss of life, severe injuries, considerable economical penalty and environmental damages. Air traffic control (ATC) system is a highly safety critical system because its failure may cause a huge loss in terms of deaths or financial losses. Therefore, it requires state-of-the-art techniques for development of the ATC system. Because of a large increase in movement of population and consequently a significant increase in capacity of air traffic [1], next generation ATC systems are proposed to improve efficiency without compromising safety standards [2]. Although partially automated support for ATC systems is currently available, it is still heavily dependent upon human interaction, causing delays and accidents due to failure of human communication in decision-making [3,4]. Therefore, developing an automated ATC system enabling aircraft to move safely at the airport and fly freely in the air is globally a challenging problem [5]. Further, we believe that modelling a safe and efficient ATC system will remain an open research problem because of its complexity and safety critical nature.

It is surprising that the airports have historically been more dangerous than the airspace. For example, the number of collisions occurring on the airport surface is three times larger than the number of in-air collisions [6]. Hence, we need effective automated monitoring and guiding systems to control air traffic at airports.

Ground and local controllers are the two main sub-systems at an airport for air traffic management, and they have received very little attention from researchers. The main objective of the ground controller is to share information, defining priorities among various operators in addition to providing active decision support functions for route predictions [7]. Local controllers are responsible for executing processes of aircraft waiting for a runway, taking off, landing or flying over the airport. An effective communication mechanism is required between the controllers from taxiing to take-off, which causes significant congestion at airports by delaying aircraft [8].

In this paper, a formal procedure of managing air traffic at an airport from taxiing to take-off is provided using graph theory and Z notation under certain assumptions. The Z notation is applied because of its abstract mathematical nature and its rigorous computer tool support [9]. According to European electro-technical standards, the use of formal methods is recommended to achieve a required level of confidence in modelling safety critical systems [10]. Graph theory is used for describing airport topology and optimization of routes, which is a good foundation for automating the procedure [11].

First of all, the airport surface is represented by a graph relation and then a formal description of possible paths is provided. Taxiways are represented as paths by adding more information about the state space that is important for sharing correct information and efficient decision-making. Formal specification of permissible aircraft and runways is described as mappings. Finally, the main operations are defined to describe the departure procedure from taxiing to take-off. The safety criteria are described in terms of invariants over the data types carrying the critical information. For example, it is assured that there must exist, at most, one aircraft at a taxiway or a runway. Further, pre-/post-conditions are verified in the description of operations for consistency and correctness. It is noted that although the safety component is addressed more, the efficiency is not ignored in describing and modelling the system, for the following reasons.

The model is based on next generation ATC systems. An objective of the next generation systems is to shift from traditional ground stations to modern navigation systems, improving pilot-controller communications using GPS and other new technologies expediting landing and take-off procedures [12]. Such types of systems are already in practice at some international airports. How the communication is done is out of scope of this paper. Efficiency of the system can be achieved by automating the formal procedure from taxiing to take-off using automata theory. As automata are a special type of graph, the model in graph theory can be extended and is a good foundation for automating the procedure in our future work. Formal specification is analysed and validated using the Z/Eves tool.

In most relevant work, safety criteria are developed by testing through simulation, but unfortunately this approach is lacking in verifying correctness of ATC systems [13]. The number of simulations increases exponentially to provide a required level of confidence in such complex systems. Further, when a modification is needed, the complete set of simulations needs to be re-conducted to ensure that the changes did not compromise the safety and reliability criteria. Therefore, it has become indispensable to apply formal approaches for correct development of ATC systems. The rest of the paper is organized as follows: In Sect. 2, the most relevant work is critically discussed. In Sect. 3, the problem statement and formulation is presented. The formal algorithm is described in Sect. 4. Model analysis is provided in Sect. 5. Finally, conclusion and future work are discussed in Sect. 6.

2 Related Work

In the most relevant work, a genetic algorithm for minimum cost and maximum-flow is developed and tested to maximize the airport surface capacity [14]. A planning function for taxi operation is developed to address uncertainties based on the real data in [15]. In this work, only a part of the planning function is evaluated using a scenario-based approach. In [16], taxi time is claimed to be reduced by defining uncertainties in the taxiing process and aircraft queuing at the runways. Here, a planning function is developed for managing traffic flow by sequencing the departure traffic at the gates. Only a process is described, and no proper algorithm is provided. In another work, a model for estimating the ramp congestion delay is described by employing the managed gate operation computer tool [17]. An interesting detailed procedure is described here; however, validation or verification is not provided to prove its correctness. The PRISM tool is used to verify and analyse the properties of an ATC system using probabilistic timed automata [18]. Modelling of air traffic flow management (ATFM) is provided in [19] using a multi-agent specification approach. The objective is to show applicability of agent-based simulation in modelling of the system. In another study conducted by NASA, a collaborative air traffic flow using multi-agent simulation is developed [20]. The drawback of this approach is that several strategies were used to select various routes, increasing its complexity. A fusion of intelligent computing is applied for development of ATFM using advantages of the meta-level control approach [21]. In another interesting piece of work, intelligent models are claimed for ATFM as presented in [22]. Due to the increase of air traffic and the limited number of airways, a new solution for optimal airspace and a safe ATC system is proposed in [23]. Various protocols for aircraft conflict identification and resolution are proposed in which the communication range of an aircraft is finite [24,26]. A predictable system is developed to choose an optimal path by minimizing fuel consumption and delay time rather than using pre-defined flight schedules [27–29]. The performance of conflict detection and resolution is presented in [30]. The aircraft departure procedure is modelled by activity diagrams by focussing on requirements capturing [31]. NASA has developed a surface management system providing information to federal aviation authority controllers and air carriers to manage the airports [32]. Traffic limitations are relaxed and developed by simulating the airport surface for aircraft movement in [33]. In current advances, satellite-based communication systems have been suggested to consider the free flight concept for future ATC systems [34].

The preliminary results of this research were presented in [35,36], in which arrival and departure procedures were described using VDM++. The improved model is different from the existing work in many ways. For example, the proposed model is described in depth, considering more realistic and detailed assumptions to be applicable for a real ATC system. Secondly, Z notation is used in the description of the system, which is much more robust and has rigorous computer tool support to analyse the specification as compared to VDM++. Finally, it is focused on safety while considering efficiency by defining the airport and optimal routes using graph theory. We believe that use of graph theory is a foundation for automating the system. Other similar work is found in [37–45].

3 Problem Statement and Formulation

The primary objective of an ATC system is to provide a safe and efficient flow of air traffic [46]. Ensuring safety and increasing efficiency have become central issues due to the increase of air traffic [47]. Safe operation is made possible by sharing information and developing an effective communication mechanism through various controls to keep standard separation between aircraft at the airport and in the air. In this research, safe and efficient control management at the airport from taxiing to take-off is described.

The departure of an aircraft begins with the pushback procedure. After checking availability, the aircraft taxies to the ramp area, then moves to the taxiway and runway. It is supposed that the ground control is responsible for aircraft moving from the gate to enter the taxiway. The local control monitors and guides aircraft from taxiing to runway and take-off. There is a communication protocol between ground and local controllers from taxiing to runway. The departure runway might be assigned after the pushback request is received, because the runway can only be predicted if we are able to predict the time between pushback and take-off. However, we have supposed that a runway is assigned after taxiing of the aircraft, and prediction analysis is out of scope of this paper. After reaching the runway, the aircraft is put into the departure queue and then takes off after the final permission.

Various factors are involved in assigning a runway to a departing aircraft, for example, how the runways are configured for arriving and departing traffic, which is totally dependent on the airport. Such issues are out of scope of this research. In the departure process, a few major reasons for delay in flight are un-optimized calculation of the departure sequence, inefficient pushback procedures because of dynamic change in the state of an airport, and revisiting of route sequences to accommodate priorities. In this paper, an automated formal procedure from taxiway to take-off is proposed by describing optimal paths and effective communication between ground and local controllers. The detailed information, for example, aircraft type and weight, weather conditions, wind speed and direction which may change a runway configuration, in reality are not considered in defining a route.

The airport surface is divided into blocks that are nodes of the graph as in Fig. 1. If an aircraft can move from one block u to another block v, then (u, v) is assumed as an edge in the graph relation. For an aircraft, it may not be possible to move from v to u, and hence, the resultant model is a directed graph. In our model, we have represented gates and ramp areas as undirected, whereas the taxiways and runways are represented as a directed graph, which is a natural requirement for an airport topology. In reality, the topology must be a weighted graph in which an edge represents the time to move from one node to another, considering all the variables related to the time component. We have supposed an un-weighted graph to describe an abstract and simple model. Further, a loop-free route is assumed in the formal specification. On the other hand, if a loop is in a scenario because of cancellation of a flight or due to any other reason, human intervention is supposed to resolve this issue.

Fig. 1 Airport model represented by a graph relation (regions shown: Ramp Area, Taxiways, Runways)

The objective is to find and assign optimal routes with minimum delays, meeting the real safety standards, by defining a sequence of operations from taxiway to take-off. In the operational system, an aircraft sends a request for taxiing. The clearance is awarded after communication of ground and local controllers. Finally, the aircraft completes the take-off procedure through an appropriate runway.

4 Formal Model Using Z Notation

In this section, formal algorithm is described to achieve the objectives of expediting the traffic flow management for safe and efficient operation of the ATC system. Safety requires a well-defined sequence of patterns which is described by defining rules in terms of pre- and post-condition in a powerful schema structure of Z notation. The efficiency requires to and from movement of aircrafts expeditiously which is obtained through defining state space of airport in terms of optimal paths. The Z is used for the formal specification because of its abstraction reducing unnecessary complexity of the model.

4.1 Static Model

The static model of the ATC system consists of airport topology, paths, taxiways, runways, aircraft, and ground and local controllers.

Formal specification of the airport topology is described by the graph relation as in Fig. 1. The topology is represented by the Graph schema, which consists of two components. The smallest unit of the airport surface is represented by a Block, which is in fact a node in the graph. The connectivity of two blocks is represented by Links, which is an edge-set in the graph. In the schema, the first component is the node-set and is defined as a finite power set of Block. The second component is the edge-set, which is a finite power set of Links in the graph relation. The ordered pair (u, v) in the edge-set means that an aircraft can move from node u to node v.

The schema in Z consists of two parts divided in the horizontal dimension, i.e. definition and predicate parts. In the definition part, variable definitions are given, and invariants are described in the predicate part of the schema.

In the predicate part of the above schema, it is stated that both blocks of a link in the graph relation are in the node-set. Further, for any block of the graph, there is a link for which the block is an end point. It is a natural requirement because an aircraft must be able to move from its current place (block) to any other required place at the airport.

The Path schema is defined based on the graph relation to prove well-defined-ness of the route allocated to an aircraft. The schema consists of two components, i.e. the Graph schema and the path sequence. The path is defined as a sequence of blocks satisfying the invariants of connectivity. In the predicate part of the schema, it is stated that every element of the path sequence is a block in the graph relation. Further, any two consecutive elements in the path sequence constitute an edge in the graph. Finally, it is described that there does not exist any loop in the path sequence. This property is specified by stating that for any two different indices i and j in the domain of the path sequence, the corresponding elements are different.
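The Graph and Path invariants described above can be checked mechanically. The following Python code is an added example and is not part of the paper's Z specification; the block names and the sample topology are constructed, and the breadth-first `shortest_route` goes one step beyond the text by computing an optimal (fewest-blocks) route on the un-weighted directed graph.

```python
from collections import deque

# Constructed sample topology (not from the paper): gate and ramp links are
# undirected (both directions present), taxiway and runway links are directed.
NODES = {"G1", "R1", "T1", "T2", "T3", "RW1"}
LINKS = {
    ("G1", "R1"), ("R1", "G1"),                 # gate <-> ramp area
    ("R1", "T1"),                               # ramp area -> taxiway
    ("T1", "T2"), ("T1", "T3"), ("T3", "T2"),   # taxiway blocks, one-way
    ("T2", "RW1"),                              # taxiway -> runway
}


def check_graph(nodes, links):
    """Return the violated Graph invariants (empty list when well-formed)."""
    errors = []
    # Invariant 1: both blocks of every link are in the node-set.
    for u, v in sorted(links):
        if u not in nodes or v not in nodes:
            errors.append(f"link ({u}, {v}) has an end point outside the node-set")
    # Invariant 2: every block is an end point of at least one link.
    touched = {block for link in links for block in link}
    for block in sorted(nodes - touched):
        errors.append(f"block {block} is not an end point of any link")
    return errors


def check_path(nodes, links, path):
    """Return the violated Path invariants for a sequence of blocks."""
    errors = []
    # Every element of the path sequence is a block of the graph.
    for block in path:
        if block not in nodes:
            errors.append(f"{block} is not a block of the graph")
    # Any two consecutive elements constitute a (directed) edge.
    for u, v in zip(path, path[1:]):
        if (u, v) not in links:
            errors.append(f"({u}, {v}) is not an edge, so the move is not allowed")
    # No loop: elements at two different indices are different.
    if len(set(path)) != len(path):
        errors.append("path visits a block twice (loop)")
    return errors


def shortest_route(links, src, dst):
    """Breadth-first search: fewest-blocks route from src to dst, or None."""
    successors = {}
    for u, v in sorted(links):          # sorted for a deterministic result
        successors.setdefault(u, []).append(v)
    parent = {src: None}
    queue = deque([src])
    while queue:
        u = queue.popleft()
        if u == dst:
            route = []
            while u is not None:        # walk the parent chain back to src
                route.append(u)
                u = parent[u]
            return route[::-1]
        for v in successors.get(u, []):
            if v not in parent:
                parent[v] = u
                queue.append(v)
    return None                         # dst is unreachable from src


if __name__ == "__main__":
    print(check_graph(NODES, LINKS))
    route = shortest_route(LINKS, "G1", "RW1")
    print(route, check_path(NODES, LINKS, route))
    print(check_path(NODES, LINKS, ["T1", "T2", "T1"]))
```

A route returned by `shortest_route` always satisfies `check_path`, because breadth-first search never revisits a block; a hand-written route such as the last one in the demo is rejected both for the reversed edge and for the loop.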

The taxiway is represented by the Taxiway schema with three types of information, namely taxiway identifier, route allocated to an aircraft and taxiway state, which are denoted by taxiwayid, taxiway and taxistate, respectively. The third component taxistate has two values, i.e. occupied or clear. In the predicate part of the schema, it is stated that the taxiway identifier is a block in the graph relation. Further, the connectivity condition of blocks in the taxiway is verified.

There are many taxiways on an airport, and they are defined by a mapping from taxiway identifier to Taxiway. In the predicate part, it is stated that an element tid in the domain of the taxiways function is the same as in the Taxiway schema, which is in fact the image of tid under the function. The consistency of the identifier element in the domain of the function and in the schema is checked. The priority variable Priority, having two values, low or high, is used to allocate an optimal or sub-optimal route based on the priority or any other requirement.

A runway is represented by the schema Runway, which has two components, that is, runway identifier and its state. The set of all runways at an airport is defined by a mapping from runway identifier to Runway. In the predicate part of the schema, it is stated that an identifier element in the domain of the runways function is a Runway schema which is the result of applying the function over the runway identifier. We know it is not a good modelling approach because of repetition of the identifier both in the domain and range of the function. This repetition cannot be avoided because consistency of the data is required, which is verified in this way.

Formal specification of aircraft that are allowed to land or take off at the airport is described. An aircraft is represented by the schema Aircraft, consisting of aircraft identifier and a route. The route is in fact the allocated path, which is optimal or sub-optimal based on the priority. The set of all permissible aircraft is defined as a mapping from aircraft identifier to Aircraft. In the predicate part, it is stated that the route allocated to an aircraft is always non-empty. This is because an aircraft occupies some space even when it is parked. Further, the state of blocks in the taxiway is assumed as occupied. Finally, it is described that if the priority is high then an optimal route is allocated; otherwise a sub-optimal route may be given.

Formal specification of the ground controller of an ATC system is described below, which is represented by the schema GroundController. The first two components, Aircrafts and Taxiways, in the schema are already defined. The taxiwayA is a mapping to represent aircraft which are assigned the taxiways. The next component taxiwayR is a queue of aircraft which have requested the taxiway area. The component taxiwayQ is used to represent the queue of aircraft which are waiting in the taxiway area. The next component taxiingR of the schema is used to denote the aircraft which are assigned taxiways and have requested taxiing. The aircraft which have permission for taxiing are denoted by taxiingP. The taxiing is the last component, having information about aircraft which are on the taxiways.

The constraints are put to ensure minimal queue size, enhancing efficiency of the system. The limit L1 is used for the queue of aircraft which have requested the taxiway area. The limit L2 is for the queue of aircraft waiting for the taxiway. The third limit L3 is put for aircraft which have requested taxiing. Finally, L4 is used for aircraft having permission for taxiing.

The above information is encapsulated and put in the first part of the schema, and invariants are defined in the second part. All possible relations among the components of the schema are defined.

Invariants: (i) In this property, it is stated that the total number of aircraft in the queues, as defined above, should not be greater than the given limits. (ii) Any aircraft which has requested a taxiway or is assigned a taxiway must be in the domain of aircrafts. (iii) If a taxiway is assigned to an aircraft then its state must be occupied, which is specified as an invariant. (iv) If a taxiway is not assigned to any aircraft, its state must be clear. (v) If an aircraft is in the taxiway queue, it must be assigned the taxi area. If an aircraft has requested taxiing, it is in the taxiway queue. If the aircraft has permission then it must have requested taxiing before. If an aircraft is on a taxiway, it must have permission for taxiing.

Local controllers are responsible for controlling aircraft waiting at a runway, taking off, landing or flying near the airport. Formal specification of the local controller is described by the schema LocalController. The runwayA, used in the schema, is a mapping to represent aircraft which are assigned the runways. The runwayQ, runwayR and runwayP are used to represent aircraft in the queues waiting for, having requested and having obtained the permission for occupying the runways, respectively. The onrunway is a mapping to denote aircraft occupying runways. The constraints are applied to ensure minimal queue size for aircraft under the local controllers. The limits L5, L6 and L7 are used for aircraft waiting for, requested for and having permission for occupying the runways, respectively.

The above components are put in the first part of the schema, and invariants are defined in the second part showing the relationship among the components. The informal description is provided for explanation of the properties following the schema.

Invariants: (i) It is stated that the total number of aircraft in the queues under local controllers does not exceed the given limits. (ii) Any aircraft which is assigned a runway must be in the permissible aircraft at the airport. (iii-iv) If a runway is assigned to an aircraft, then its state must be occupied; otherwise it must be clear. (v) If an aircraft is in the runway queue, it must be assigned the runway area. If an aircraft has requested a runway, it is in the queue of requested for. If the aircraft has permission for the runway, then it must have requested before occupying it. If an aircraft is on a runway, it must have the permission.

The ground and local controllers are defined above separately because of simplicity of the model, as there must be an effective communication mechanism between ground and local controllers for aircraft to move from taxiways to runways. For this purpose, a new schema is defined below which consists of the GroundController and LocalController schemas. We have supposed that when an aircraft is on a taxiway and moving towards the waiting area of a runway, the aircraft will be in the record of both the ground and local controllers. In the predicate part, it is stated that any aircraft which is on a taxiway must be assigned a runway. Further, an aircraft is not in the record of the local controller before taxiing.

4.2 Dynamic Model

Formal specification of the dynamic model is provided in this section. The dynamic model contains the control management system used for updating the state space of the airport as a result of movement from taxiing to take-off for an aircraft. The model is divided into main operations, e.g. waiting for taxiing, taxiing, waiting for runway, at runway, take-off and update controllers. Each operation is linked with the previous one by defining the pre-condition for consistency and safety of the system. The correctness of an operation is described by the post-conditions.

It is supposed that an aircraft requires permission to enter the taxi area before leaving the gate. An aircraft sends a request to the ground controller for the taxi area by showing its identity. After verifying the identity and checking availability of space at the taxi area, the ground controller accepts the request and adds the aircraft to the list of aircraft having permission. The operation is described by the schema TaxiwayRequest, which contains ΔGroundController and aircraft identifier aid? as inputs, and the state of the ground controller is updated by defining the pre- and post-conditions. It is noted that the post-condition must be satisfied after the successful execution of the operation. The symbol Δ used in the schema shows that the state of the ground controller is changed. The symbol ? after aid represents that it is an input variable.

Pre-/post-conditions: (i) An aircraft is added to the list of aircraft if the size of the list is less than the maximum allowed limit. (ii) The aircraft must be in the domain of the aircrafts mapping to prove that the aircraft is known to the system. (iii) The aircraft is not already in the list of aircraft having permission for the taxi area. (iv) The list of aircraft in the taxi area is updated by the concatenation operator by adding the aircraft aid? at the end of the list.

After entering the taxi area, the aircraft sends a request to the ground controller to get a route for taxiing. The procedure is described by the schema TaxiwayAssign, which consists of ΔGroundController and aircraft identifier aid?. In the pre-conditions, it is stated that an aircraft is assigned a taxiway if the queue size does not exceed the maximum allowed limit. It is also checked that the aircraft must be in the taxi area and is not assigned any taxiway. Further, it is checked that there exists a taxiway which is not assigned to any other aircraft. In the post-conditions, if the pre-conditions are satisfied, the taxiway is assigned to the aircraft. Further, the aircraft is removed from the list of aircraft having requests for the taxi area. Finally, the aircraft is added to the queue of aircraft which are waiting for taxiing.
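The TaxiwayRequest and TaxiwayAssign operations described above can be exercised as an executable state machine that rejects any call whose pre-condition fails and re-checks the ground-controller invariants afterwards. The following Python code is an added example and is not the paper's Z schema; the direction of the taxiwayA mapping (aircraft to taxiway), the reading of the queue limit as a strict bound before insertion, and all identifiers in the demo are assumptions.

```python
class PreconditionError(Exception):
    """Raised when an operation is requested in a state that forbids it."""


class GroundController:
    def __init__(self, aircrafts, taxiways, l1, l2):
        self.aircrafts = set(aircrafts)       # permissible aircraft ids
        self.taxistate = {t: "clear" for t in taxiways}
        self.taxiwayA = {}                    # assumed: aircraft id -> taxiway id
        self.taxiwayR = []                    # queue: requested the taxi area
        self.taxiwayQ = []                    # queue: waiting, taxiway assigned
        self.L1, self.L2 = l1, l2             # limits on taxiwayR and taxiwayQ

    def invariant_violations(self):
        """Return the violated invariants (i)-(v) restricted to these components."""
        bad = []
        if len(self.taxiwayR) > self.L1 or len(self.taxiwayQ) > self.L2:
            bad.append("(i) a queue exceeds its limit")
        if not (set(self.taxiwayR) | set(self.taxiwayA)) <= self.aircrafts:
            bad.append("(ii) unknown aircraft in controller state")
        assigned = list(self.taxiwayA.values())
        if len(set(assigned)) != len(assigned):
            bad.append("safety: one taxiway assigned to two aircraft")
        for tid, state in sorted(self.taxistate.items()):
            expected = "occupied" if tid in assigned else "clear"
            if state != expected:
                bad.append(f"(iii-iv) taxiway {tid} is {state}, expected {expected}")
        if not set(self.taxiwayQ) <= set(self.taxiwayA):
            bad.append("(v) aircraft queued without an assigned taxiway")
        return bad

    def taxiway_request(self, aid):
        # Pre-conditions (i)-(iii) of TaxiwayRequest.
        if len(self.taxiwayR) >= self.L1:
            raise PreconditionError("taxiwayR is full")
        if aid not in self.aircrafts:
            raise PreconditionError("unknown aircraft")
        if aid in self.taxiwayR:
            raise PreconditionError("already requested the taxi area")
        # Post-condition (iv): concatenate aid at the end of the list.
        self.taxiwayR = self.taxiwayR + [aid]

    def taxiway_assign(self, aid):
        # Pre-conditions of TaxiwayAssign.
        if len(self.taxiwayQ) >= self.L2:
            raise PreconditionError("taxiwayQ is full")
        if aid not in self.taxiwayR:
            raise PreconditionError("aircraft is not in the taxi area")
        if aid in self.taxiwayA:
            raise PreconditionError("aircraft already has a taxiway")
        free = sorted(t for t, s in self.taxistate.items()
                      if s == "clear" and t not in self.taxiwayA.values())
        if not free:
            raise PreconditionError("no unassigned taxiway")
        # Post-conditions: assign, mark occupied, move between the queues.
        tid = free[0]
        self.taxiwayA[aid] = tid
        self.taxistate[tid] = "occupied"
        self.taxiwayR = [a for a in self.taxiwayR if a != aid]
        self.taxiwayQ = self.taxiwayQ + [aid]
        return tid


def attempt(operation, aid):
    """Run an operation; return 'ok' or the pre-condition that rejected it."""
    try:
        operation(aid)
        return "ok"
    except PreconditionError as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed scenario: three aircraft, two taxiways, both limits set to 2.
    gc = GroundController({"A1", "A2", "A3"}, {"T1", "T2"}, l1=2, l2=2)
    for aid in ("A1", "A2", "A3", "ZZ9"):
        print(aid, attempt(gc.taxiway_request, aid))
    print(gc.taxiway_assign("A1"), gc.taxiway_assign("A2"))
    print(gc.invariant_violations())
```

Calling `invariant_violations()` after every accepted operation is the runtime counterpart of proving that each operation preserves the schema invariants; a state edited outside the two operations is reported instead of silently accepted.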

The aircraft sends a request for taxiing to the ground con-troller. The procedure is described below by the schema Taxi-ingRequest. In predicate part, it is stated that an aircraft can

123

Page 8: Safety Control Management at Airport Taxiing to Take-Off Procedure

Arab J Sci Eng

put a request for taxiing if size of the list is less than the max-imum permissible limit. Further, it is stated that the aircraftmust be in the waiting queue and does not have put alreadysuch request. In post- condition, the aircraft is added in thelist of aircrafts which have requested for taxiing.

After putting a request for taxiing, the aircraft needs per-mission before taxiing. As mentioned above, an aircraft ontaxiway must be in the record of both the ground and localcontrollers. The procedure is described below by the Taxiing-Permission schema which consists of two components, i.e.�Controllers and aircraft identifier aid?.

Pre-conditions It is stated that an aircraft can be givenpermission for taxiing if the queue size does not exceed themaximum allowed limit. It is checked that the aircraft musthave request for taxiing and is not already having permissionfor taxiing. The state of assigned taxiway is clear.

Post-condition: The aircraft is put in the list of aircrafts having permission for taxiing. The aircraft is removed from the waiting and requests queues by filter operator. The filter operator in Z takes a set and sequence as input and returns a sequence as an output by removing elements of the set from the sequence.

The runway request procedure is defined below by the schema RunwayRequest. In predicate part, it is stated that a runway is assigned after an aircraft has obtained permission for taxiing and the list does not exceed maximum permissible limit. Further, it is stated that the aircraft is not already in the list of aircrafts having requests. The list of aircrafts having requests is updated by adding the aircraft aid? at the end of the list. Finally, the aircraft is removed from the list of aircrafts on the taxiways.

After leaving the taxiway, the aircraft is only under the local controller and is removed from the ground controller. Runway assigning procedure is described below by the schema RunwayAssign which consists of ΔLocalController and aircraft identifier aid?.

In predicate part, it is stated that the aircraft is in the list having requests and is not assigned any runway. The queue representing list of assigned runways does not exceed the allowed limit. It is also checked that there exists a runway which is not assigned to any other aircraft. If the above conditions are satisfied, the runway is assigned to the aircraft. The aircraft is removed from aircrafts having requests and the list of assigned taxiways. Finally, the aircraft is added in the queue of aircrafts which are waiting for the runway.

An aircraft needs permission for take-off after putting request to the local controller. The procedure is described below by the schema RunwayPermission which consists of ΔLocalController, aircraft identifier aid? and runway identifier runway?. The definitions are put in first part and pre-/post-conditions are described in the second part of the schema following the informal description.

Pre-/post-conditions: It is checked that the aircraft must have request for runway. The aircraft is not already having permission for the runway. The resultant list of aircrafts having permission does not exceed its permissible limit size. The state of runway assigned is clear and is not already assigned to any other aircraft. The permission list is updated and the aircraft is removed from the waiting list.

The take-off procedure is defined below. Before this operation, the aircraft is supposed to be on the runway having permission for take-off. In post-conditions, it is stated that the aircraft is removed from the permission list, runway assigned list and the list of aircrafts which are on the runways. Finally, the aircraft is removed from the list of aircrafts which exist at the airport. These properties are described by the filter and domain subtraction operators.

Once an aircraft is inserted into a queue, it should eventually be removed from the queue after the next queue becomes available. In other words, the formal system does not allow any situation where an aircraft is inserted into a queue and never removed from that queue. A semi-formal procedure for the queue management is presented in Table 1. The second column of the Table is used for queue description. The columns 3 & 4 of the Table show that once an aircraft is inserted into a queue, later on, it is removed from the queue as soon as possible.

Formal specification of the queues management property is described below using the schema UpdateControllers for all the queues. For example, in the first property in predicate part of the schema, it is checked if the size of the taxiway queue is less than its maximum bound limit and taxiway request list is not empty, then the first aircraft in the taxiway list is moved to taxiway queue. The same property is formally described for all the queues once an aircraft moves from one queue to another. In this way, starvation is avoided and efficiency is achieved by describing formal specification of the above property. The sequence concatenation operator “⌢” is used for inserting an aircraft into a queue, and the filter operator “↾” is used for removing it from the queue.
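The guarded transitions described above can be exercised as an executable model. The following Python sketch is an added example, not the paper's Z specification: it covers the taxiway half of the procedure (rows 1 to 4 of Table 1), refuses any operation whose pre-condition fails, re-checks the invariants after every state change, and applies the first UpdateControllers rule in `update`. The bound `MAX_Q = 2`, the `free` taxiway set, the pre-conditions of `taxiway_request`, the reading of "in the taxi area" as membership of `taxiwayR`, and all function names are assumptions made for the example.

```python
# Added illustration: taxiway half of the procedure (Table 1, rows 1-4), not the paper's Z text.
MAX_Q = 2  # assumed bound for every list; the page says a limit exists, not its value

class PreconditionError(Exception):
    """An operation was attempted while its pre-condition was false."""

def require(cond, msg):
    if not cond:
        raise PreconditionError(msg)

def drop(seq, ids):
    """Order-preserving removal of the set `ids` from `seq` (the page's filter step)."""
    return [a for a in seq if a not in ids]

class GroundController:
    def __init__(self, taxiways):
        self.free = set(taxiways)  # assumed: taxiways not assigned to any aircraft
        self.taxiwayR = []         # aircraft that requested a taxiway
        self.taxiwayA = {}         # aircraft -> assigned taxiway
        self.taxiwayQ = []         # aircraft waiting for taxiing
        self.taxiingR = []         # aircraft that requested taxiing
        self.taxiingP = []         # aircraft permitted to taxi

    def check_invariant(self):
        lists = (self.taxiwayR, self.taxiwayQ, self.taxiingR, self.taxiingP)
        assert all(len(q) <= MAX_Q and len(set(q)) == len(q) for q in lists)
        # No taxiway is held by two aircraft, and no held taxiway is also free.
        held = list(self.taxiwayA.values())
        assert len(set(held)) == len(held) and not (set(held) & self.free)

    def taxiway_request(self, aid):  # pre-conditions assumed by analogy
        require(len(self.taxiwayR) < MAX_Q, "taxiway request list full")
        require(aid not in self.taxiwayR and aid not in self.taxiwayA, "duplicate")
        self.taxiwayR.append(aid)
        self.check_invariant()

    def taxiway_assign(self, aid):
        require(len(self.taxiwayQ) < MAX_Q, "taxiway queue full")
        require(aid in self.taxiwayR and aid not in self.taxiwayA, "no open request")
        require(self.free, "no unassigned taxiway")
        self.taxiwayA[aid] = min(self.free)  # deterministic choice for the demo
        self.free.discard(self.taxiwayA[aid])
        self.taxiwayR = drop(self.taxiwayR, {aid})
        self.taxiwayQ.append(aid)
        self.check_invariant()

    def taxiing_request(self, aid):
        require(len(self.taxiingR) < MAX_Q, "taxiing request list full")
        require(aid in self.taxiwayQ and aid not in self.taxiingR, "not waiting")
        self.taxiingR.append(aid)
        self.check_invariant()

    def taxiing_permission(self, aid):
        require(len(self.taxiingP) < MAX_Q, "permission list full")
        require(aid in self.taxiingR and aid not in self.taxiingP, "no request")
        self.taxiingP.append(aid)
        self.taxiwayQ = drop(self.taxiwayQ, {aid})
        self.taxiingR = drop(self.taxiingR, {aid})
        self.check_invariant()

    def update(self):
        """First UpdateControllers rule; the free-taxiway guard is an added assumption."""
        if self.taxiwayR and len(self.taxiwayQ) < MAX_Q and self.free:
            self.taxiway_assign(self.taxiwayR[0])
            return True
        return False
```

Calling `update()` until it returns `False` drains the request list as far as the bounds allow, so an aircraft blocked by a full queue moves forward as soon as an earlier aircraft receives taxiing permission.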

5 Model Analysis

Formalism requires use of specification languages to describe correct software systems [48]. The Z is used to write formal specification of computer programs and to formulate evidences of system behaviour. The Z/Eves is a powerful tool which enables writing, development and analysis of the Z specification.

Table 1 Queue management

| No. | Queue description | Queue management (transitions): inserted into | Queue management (transitions): removed from |
|---|---|---|---|
| 1 | Taxiway request | taxiwayR | – |
| 2 | Taxiway assigned, taxiway queue | taxiwayA, taxiwayQ | taxiwayR |
| 3 | Taxiing request | taxiingR | – |
| 4 | Taxiing permission | taxiingP, taxiing | taxiwayQ, taxiingR |
| 5 | Runway request | runwayR | taxiingP, taxiing, taxiwayA |
| 6 | Runway assign | runwayA, runwayQ | runwayR |
| 7 | Runway permission, on runway | runwayP, onrunway | runwayQ |
| 8 | Take-off | – | runwayP, onrunway, runwayA |

As we know, there does not exist any real computer tool which can guarantee complete correctness of a model. That means that even if the specification is written well, it may still cause potential errors. Hence, the art of writing formal specification does not by itself provide any promise about correctness of a model. However, if a specification is analysed with rigorous computer tool support, it improves confidence by identifying potential errors, if any exist, in the model.

The Z/Eves tool is used for analysing properties of the ATC system. The tool has much support for analysing the specification. For example, parsing, type and domain checking, schema expansion, pre-condition calculation, refinement proofs, and theorem proving are its major facilities. Formal model of the ATC system is checked and analysed with four major techniques, namely syntax and type checking, domain checking, reduction and prove by reduce.

A snapshot of the specification analysis is presented in Fig. 2. The first two columns on the left of the figure show syntax checking and proof correctness, respectively. The symbol ‘Y’ shows that the formal specification is correct syntactically and proof is also correct. The symbol ‘N’, if appears, represents that errors exist and specification is required to be revised or proof by reduce is needed. All schemas of the ATC system are checked to prove that specification is consistent, correct in syntax and has a correct proof. Some schemas of the specification were proved using reduction techniques available in the tool.

Fig. 2 Snapshot of the model analysis using Z/Eves tool

Summary of the results is provided in Table 2 as given below. In first column of the Table, name of the schema is provided. The second column is used for syntax and type checking. Domain checking is done in column 3. Reduction and proof by reduction are represented in columns 4 & 5, respectively. The symbol ‘Y’ in the table indicates that all schemas are proved to be correct automatically. The symbol Y* in the 4th column shows that reduction was used on predicates. In this way, it is claimed that the formal specification of the aircrafts departure procedure from taxiing to take-off is written well and is meaningful.

6 Conclusion

In this paper, a formal departure procedure from taxiing to take-off is provided by focussing on safety and efficiency of ATFM at the airport by integrating graph theory and Z notation. First of all, we described fundamental components, for example, airport, aircrafts, taxiways and ATC controllers for definition of the system. The airport surface is represented by the graph structure and then state space analysis is provided by linking the ATC components. Before description of the model, a clear scope of the problem and set of assumptions are defined.

The safety is achieved by defining properties in terms of invariants over the critical data of the static model. The safety in dynamic model is addressed by defining pre- and post-conditions over the operations for manipulating the critical information to prevent any unwanted situation. The efficiency is achieved because the model is assumed for next generation ATC system which will expedite the take-off and landing procedures. Further, the model is based on graph theory which is used for defining the optimal routes. The model in graph theory can easily be extended to automate the procedure because automata are the special types of graphs. Finally, constraints are put to ensure minimal queue size of aircrafts enhancing efficiency of the system.

Table 2 Results of model analysis

| Schema Name | Syntax Type Check | Domain Check | Reduction | Proof |
|---|---|---|---|---|
| Graph, Path | Y | Y | Y* | Y |
| Taxiway, Taxiways | Y | Y | Y* | Y |
| Runway, Runways | Y | Y | Y | Y |
| Aircraft, Aircrafts | Y | Y | Y | Y |
| GroundController | Y | Y | Y | Y |
| LocalController | Y | Y | Y | Y |
| Controllers | Y | Y | Y | Y |
| TaxiwayRequest | Y | Y | Y | Y |
| TaxiwayAssign | Y | Y | Y | Y |
| TaxiingRequest | Y | Y | Y | Y |
| TaxiingPermission | Y | Y | Y | Y |
| RunwayRequest | Y | Y | Y | Y |
| RunwayAssign | Y | Y | Y | Y |
| RunwayPermission | Y | Y | Y | Y |
| Takeoff | Y | Y | Y | Y |
| UpdateControllers | Y | Y | Y | Y |

Although there exist various formal specification languages, Z notation is selected because of its rigorous and abstract nature for description of this complex and critical system. It is observed that use of Z notation has reduced the complexity because of decomposition of the system into its components. It is observed that the schema structure in Z notation is equally useful for both the static and dynamic aspects of the ATC system increasing reusability. The systematic approach from abstraction to detailed analysis made it easy to develop a simple and abstract model. Formal specification of the system is analysed and validated using Z/Eves tool.

Although there exists some good work on modelling of ATC systems as reported in Sect. 2, rigorous verifiable mathematical approaches still need to be applied to address the next generation automated systems achieving the required level of safety and efficiency. The work of Carpenter et al. was found interesting [49] and was a good starting point for this research. In their work, gate management and ramp operations are analysed for reducing delay time, fuel burning and other costs. Their approach is fairly conservative based on observations, and results are not fully verified and established.

Various benefits in describing formal specification of this system were observed. For example, modelling of component-based system provided us a complete characterization at a higher level of abstraction. On the other hand, if the system was specified at a more detailed level, intuition may have been lost. Compositional approach enabled us to give reasoning about the components and subsequently the entire system. The detailed model can be achieved after refinement while guaranteeing the transformation of syntax and semantics rules.

Acknowledgments The author greatly acknowledges the Deanship of Scientific Research, King Faisal University, Saudi Arabia for providing a generous funding to support research at the College of Computer Sciences and Information Technology. The author is thankful to Dr. Ishtiaq Ahmed Choudhry and Dr. Hafiz Farooq Ahmad for the proof reading of the article.

References

1. Villiers, J.: ERASMUS—A Friendly Way for Breaking the Capacity Barrier, p. 58. ITA, Paris Institut du Transport Aérien (2004)

2. Erzberger, H.: Automated conflict resolution for air traffic control. In: Proceedings of the 25th International Congress of the Aeronautical Sciences (2006)

3. Hu, J.; Prandini, M.; Sastry, S.: Optimal maneuver for multiple aircraft conflict resolution: a braid point of view. In: Proceedings of the 39th IEEE Conference on Decision and Control, vol. 4, pp. 4164–4169 (2000)

4. Shorrock, S.T.; Kirwan, B.: Development and application of a human error identification tool for air traffic control. Appl. Ergon. 33(4), 319–336 (2002)

5. Debbache, N.E.: Toward a new organization for air traffic control. Aircr. Eng. Aerosp. Technol. 73(6), 561–567 (2001)

6. Marshall, W.; Joseph, W.I.: Airport movement area safety system. In: IEEE Proceedings of Digital Avionics Systems Conference, pp. 549–552 (1992)

7. George, J.C.; Robert, K.F.; Michael, B.D.; Nathan, M.D.; Signor Ari, S.; Thomas, H.: A new modeling capability for airport surface traffic analysis. In: 27th IEEE Digital Avionics Systems Conference (2008)

8. Guo, Y.; Cao, X.; Zhang, J.: Constraint handling based multi-objective evolutionary algorithm for aircraft landing scheduling. Int. J. Innov. Comput. Inf. Control 5(8), 2229–2238 (2009)

9. Spivey, J.M.: The Z Notation: A Reference Manual, Prentice-Hall, Englewood Cliffs, NJ (1992)

10. European Electro-Technical Standardization: Railway applications communications, signaling and processing systems software for railway control and protection systems. The European Standard, BS EN, p. 50128 (2001)

11. Xu, K.; He, J.; Zou, S.; Zhang, H.; Yan, T.; Wei, X.: A cohesive subgraph visualization-based approach to efficiently discover large k-clique community. Arab. J. Sci. Eng. 37(7), 1959–1968 (2012)

12. Erzberger, H.; Heere, K.: Algorithm and operational concept for resolving short range conflicts. J. Aerosp. Eng. 224, 225–243 (2009)

13. Farley, T.; Erzberger, H.: Fast time air traffic simulation of a conflict resolution algorithm under high air traffic demand. In: Proceedings of the USA Europe ATM Seminar (2007)


14. Garcia, J.; Berlanga, A.; Molina, J.M.; Besada, J.A.; Casar, J.R.: Planning techniques for airport ground operations. In: Proceedings the 21st Digital Avionics Systems Conference (2002)

15. Koeners, G.J.M.; Stout, E.P.; Rademaker, R.M.: Improving taxi traffic flow by real-time runway sequence optimization using dynamic taxi route planning. In: 30th IEEE/AIAA Digital Avionics Systems Conference (2011)

16. Rademaker, R.; Koeners, G.J.M.: Analyze possible benefits of real-time taxi flow Optimization using actual data. In: 30th IEEE/AIAA Digital Avionics Systems Conference (2011)

17. Medina, M.; Sherry, L.; Feary, M.: Automation for task analysis of next generation air traffic management systems. Transp. Res. Part C 18, 921–929 (2010)

18. Kwiatkowska, M.; Norman, G.; Sproston, J.; Wang, F.: Symbolic model checking for probabilistic timed automata. Joint Conference on Formal Modeling and Analysis of Timed Systems and Formal Techniques in Real-Time and Fault Tolerant Systems, LNCS, vol. 3253, pp. 293–308. Springer, Berlin (2004)

19. Nguyen-Duc, M.; Briot, J.P.; Drogoul, A.; Duong, V.: An application of multi-agent coordination techniques in air traffic management. In: Proceedings of the IEEE/WIC International Conference on Intelligent Agent Technology, pp. 622–628 (2003)

20. Yang, L.C.; Kuchar, J.K.: Prototype conflict alerting system for free flight. J. Guid. Control Dyn. 20(4) (1997)

21. Alves, D.P.; Weigang, L.; Bueno, B.; Souza, B.B.: Reinforcement Learning to Support Meta-Level Control in Air Traffic Management, Reinforcement Learning: Theory and Applications, pp. 357–372. I-Tech Education and Publishing, Vienna, Austria (2008)

22. Weigang, L.; Dib, M.V.P.; Alves, D.P.; Crespo, A.M.F.: Intelligent computing methods in air traffic flow management. Transp. Res. Part C Emerg. Technol. 18(5), 781–793 (2010)

23. Cavcar, A.; Cavcar, M.: Impact of aircraft performance differences on fuel consumption of aircraft in air traffic management environment. Aircr. Eng. Aerosp. Technol. 76(5), 502–515 (2004)

24. Hwang, I.; Tomlin, C.: Protocol-based conflict resolution for finite information horizon. In: Proceedings of the AACC American Control Conference. IEEE Publication, Piscataway, NJ (2002)

25. Hwang, I.; Hwang, J.; Tomlin, C.: Flight-mode-based aircraft conflict detection using a residual-mean interacting multiple model algorithm. In: Proceedings of the AIAA Guidance Navigation, and Control Conference (2003)

26. Hwang, I.; Balakrishnan, H.; Roy, K.; Tomlin, C.: Target tracking and identity management in clutter for air traffic control. In: Proceedings of the AACC American Control Conference (2004)

27. Bousson, K.: Waypoint-constrained free flight collision avoidance. In: Proceedings of the SAE Advances in Aviation Safety Conference (2003)

28. Kahne, S.; Frolow, I.: Air traffic management: evolution with technology. IEEE Control Syst. Mag. 16(4) (1996)

29. Nolan, M.S.: Fundamentals of Air Traffic Control, 3rd edn. Wadsworth, Belmont, CA (1998)

30. Kuchar, J.K.; Yang, L.C.: A review of conflict detection and resolution modeling methods. IEEE Trans. Intell. Transp. Syst. 1(4), 179–189 (2000)

31. Amy, S.; Philip, J.S.; Charles, B.: Ramp Control Issues in the Design of a Surface Management System, Cognitive Systems Engineering Laboratory. The Ohio State University, Columbus (2002)

32. Michael, C.; Steven, S.: Managing gate and ramp operations to reduce delay, fuel burn, and costs. In: Integrated Communications, Navigation and Surveillance Conference (ICNS) (2012)

33. Hanh, T.T.B.; Hung, D.V.: Verification of an air traffic control system with probabilistic real-time model checking. UNU-IIST, Report No. 355 (2007)

34. Hu, J.; Prandini, M.; Sastry, S.: Optimal coordinated maneuvers for three-dimensional aircraft conflict resolution. J. Guid. Control Dyn. 25(5), 888–900 (2002)

35. Yousaf, S.; Khan, S.A.; Zafar, N.A.; Ahmad, F.; Khan, M.A.: Formal analysis of arrival procedure of air traffic control system. Life Sci. J. 9(4) (2012)

36. Yousaf, S.; Zafar, N.A.; Khan, S.A.: Formal analysis of departure procedure of air traffic control system. In: 2nd International Conference on Software Technology and Engineering (2010)

37. Banach, R.; Hall, A.; Stepney, S.: Retrenchment and the atomicity pattern. In: Fifth IEEE International Conference on Software Engineering and Formal Methods, pp. 37–46 (2007)

38. El Kawy, M.; Abo-Bakr, R.: Adaptive iterative approach classifying linearly and quadratically separable sets. Arab. J. Sci. Eng. 37(7), 1895–1910 (2012)

39. Garcia, A.C.; Idris, H.; Vivona, R.; Green, S.: Common aircraft performance modeling evaluation tools and experiment results. In: Proceedings of the 24th DASC, pp. 51–59 (2005)

40. Jamal, M.; Zafar, N.A.: Formal model of computer-based air traffic control system using Z notation. In: Proceedings of 17th International Conference on Computer Theory and Applications (2007)

41. Jamal, M.; Zafar, N.A.: Requirements analysis of air traffic control system using formal methods. In: Proceedings of IEEE International Conference on Information and Emerging Technologies, pp. 216–222 (2007)

42. Pickin, S.; Jard, C.; Thierry, J.R.; Jeze, J.M.; Traon, Y.L.: Test synthesis from UML models of distributed software. IEEE Trans. Softw. Eng. 33(4), 252–268 (2007)

43. Zafar, N.A.; Araki, K.: Formalizing moving block railway interlocking system for directed network. Res. Rep. Inf. Sci. Electr. Eng. Kyushu Univ. Jpn. 8(2), 109–114 (2003)

44. Zafar, N.A.: Modeling and formal specification of automated train control system using Z notation. In: IEEE Multi-Topic Conference, pp. 438–443 (2006)

45. Zafar, N.A.; Khan, S.A.; Araki, K.: Towards the safety properties of moving block railway interlocking system. Int. J. Innov. Comput. Inf. Control 8(8), 5677–5690 (2012)

46. Livadas, C.; Lygeros, J.; Lynch, N.A.: High level modeling and analysis of the traffic alert and collision avoidance system. Proc. IEEE 88(7), 926–948 (2000)

47. Crespo, A.M.F.; Aquino, C.V.; Souza, B.B.; Weigang, L.; Melo, A.C.M.A.; Alves, D.P.: Distributed decision support system applied to tactical air traffic flow management in case of CINDACTA, I. J. Braz. Air Transp. Res. Soc. 4(1), 47–60 (2008)

48. Alshayeb, M.: The impact of refactoring to patterns on software quality attributes. Arab. J. Sci. Eng. 36(7), 1241–1251 (2011)

49. Moertl, P.M.; Atkins, S.; Hitt, J.M.; Brinton, C.; Walton, D.H.: Factors for predicting airport surface characteristics and prediction accuracy of the surface management system. In: IEEE International Conference on Systems, Man and Cybernetics (2003)
