Failure Effects Evaluation for ATC Automation System
ATC (air traffic control) automation system is a complex system, which helps maintain the air traffic order, guarantee the flight interval, and prevent aircraft collision. It is essential to ensure the safety of air traffic. Failure effects evaluation is an important part of ATC automation system reliability engineering. The failure effects evaluation of ATC automation system is aimed at the effects of modules or components which affect the performance and functionality of the system. By analyzing and evaluating the failure modes and their causes and effects, some reasonable improvement measures and preventive maintenance plans can be established. In this paper, the failure effects evaluation framework considering performance and functionality of the system is established on the basis of reliability theory. Some algorithms for the quantitative evaluation of failure effects on performance of ATC automation system are proposed. According to the algorithms, the quantitative evaluation of reliability, availability, maintainability, and other assessment indicators can be calculated.
ATC (air traffic control) is a service provided by ground-based controllers who direct aircraft on the ground and through controlled airspace and provide advisory services to aircraft in noncontrolled airspace. The main objectives of air traffic control (ATC) are to ensure flights safety and an efficient organization of traffic flows [1, 2]. ATC automation system is a kind of complex electronic system combined with computer and information technology. It is usually used to maintain the air traffic order, guarantee the interval, and prevent aircraft collision . It is essential for regional control and terminal airspace control. The reliability of ATC automation system has direct effects on air traffic safety.
In recent years, the air traffic control efficiency has been improved due to the employment of various types of ATC automation systems. But the majority of imported ATC automation systems have been used for many years. The hardware and software have declined gradually. And because the serve time of homemade systems is relatively short, there is obvious uncertainty in the evaluation of failure and risk. So the collection of failure records and evaluation of the failure effects are especially urgent. Lots of researches are aimed at reliability forecasting of ATC software. Wang and Liu collected the 36-month failure data of ATC automation system, and Markov chain is employed to predict its reliability . Ternov and Akselsson proposed a new method for identifying hazards in a complex system based on DBE (disturbance, effect, and barrier) analysis and applied it to an air traffic control unit in Malmoe, Sweden . Gómez et al. illustrated a recommender framework for assisting flight controllers, which combines argumentation theory and model checking in the evaluation of trade-offs and compromises to be made in the presence of incomplete and potentially inconsistent information . Zhang et al. established the air traffic management system safety evaluating indicator system considering person-equipment-environment-management . Woltjer et al. described the approach taken and results to develop guidance and to include resilience engineering principles in methodology for safety assessment of functional changes, in air traffic management . Mayer developed an integrated aviation and ATC modeling platform for comparing and evaluating proposed aircraft flight operations and ATC procedures . Flavio Vismari and Camargo Junior proposed a methodology for safety assessment of ATC system by combining “absolute” and “relative” safety assessment methods, using Fluid Stochastic Petri Nets (FSPN) as the modeling formalism . Moon et al. had evaluated the relationship between air traffic volume and human error in air traffic control (ATC) on the basis of reviews of existing literature and interviews and surveys of ATC safety experts . Vanderhaegen  also considered the effects of human errors on the ATC system.
The aim of this paper is to establish an available framework to evaluate the effects of failures of subsystems or components to the whole ATC system, so common reliability theory is utilized, such as reliability logic diagram and FMECA (Failure Mode, Effects, and Criticality Analysis), rather than the abstruse algorithms. A general structure of ATC automation system is used as the research object. The relationship between structure composition and functions is analyzed. An evaluation framework is established for failure effects appraisement according to performance effects and function effects. Section 2 gives the structure and function corresponding diagram of ATC automation system. In Section 3, evaluation framework of failure effects on performance is discussed and, in Section 4, evaluation framework of failure effects on function is proposed.
2. Basic Concept of ATC Automation System
An ATC automation system can deal with different types of radar data and form the flight path by information fusion. The autorelation of radar target and flight plan can be realized. The subsystems of a general ATC automation system include RFP (radar data front processing subsystem), RDP (radar processing subsystem), FDP (flight data processing subsystem), SDD (situation data display), FDD (flight data processing terminal), DRP (data record play), and CMD (condition monitoring display). The structure and function corresponding diagram is shown in Figure 1.
Among the subsystems of ATC automation system, RFP, RDP, FDP, and DRP have two redundancies. When the main equipment fails, the spare one will be switched as main equipment. SDD and FDD are display terminals; the breakdown of a single SDD or FDD will not affect others. CMD is used to set up system parameters. Failures of each subsystem have effects on the function and performance of the whole ATC automation system.
3. Evaluation of Failure Effects on Performance of ATC Automation System
On the basis of the past records and history data, the reliability, availability, maintainability, system load, and system response time can be quantitatively evaluated using proper mathematical models. The diagram of performance evaluation is shown in Figure 2.
3.1. Evaluation of Failure Effects on Reliability
The redundant configuration of ATC automation has diversity in different manufactures, for example, single-redundancy, two-redundancy, or three-redundancy. The model for evaluating reliability should be established according to the actual redundant configuration. A general reliability based on diagram of ATC automation system is shown in Figure 3.
In Figure 3, the same redundant subsystems are parallel connection. The different redundant subsystems are serial connection. Supposing that there are work points in the whole system, the system reliability can be calculated as follows:where is the reliability of the subsystem .
3.2. Evaluation of Failure Effects on Availability
The indexes of availability of ATC automation system can be estimated on the basis of maintenance records and statistical models. For example, the stable availability of ATC automation can be calculated usingwhere MTBF is mean time between failures and MTTR is mean time to repair. MTBF can be calculated by
3.3. Evaluation of Failure Effects on Maintainability
The indexes of maintainability of ATC automation system (e.g., repair rate, MTTR) can also be estimated on the basis of maintenance records and statistical models. The stable availability of ATC automation can be calculated using
The mean repair rate of ATC automation is
And the maintainability of ATC automation is
3.4. Evaluation of Failure Effects on System Load
When some redundant modules are broken down but at least a redundant module is normal, the ATC system can work normally. But the loading of normal modules must be increased. For example, the occupancy rate of CPU, RAM, and hard disk of server may be increased and so is the network flow. According to historical data, the change of occupancy rate of each subsystem should be considered, and then the load-time curve can be plotted.
The equipment load in time is the weighted sum of its single index (e.g., RAM occupancy rate), as shown inwhere is the load of equipment in time and is the weight of the single index. The load of subsystem and the whole system are calculated as follows:where and are the load of subsystem and the whole system in time , respectively. is the weight of the equipment and is the weight of the subsystem.
3.5. Evaluation of Failure Effects on System Response Time
According to the operating data of ATC automation system, response time of each typical operation is statistically calculated. And then the mean system response time iswhere is the mean response time of system. is the number of typical operations. is the response time of the typical operations.
4. Evaluation of Failure Effects on Function of ATC Automation System
The failure effects on function of ATC automation system are evaluated by using FMECA. FMECA (Failure Mode, Effects, and Criticality Analysis) is generally employed to analyze all the possible failure modes of components in a complex system in its whole lifetime . The reasons of each mode and its effects to every layer are found out. And then improvement measures can be put forward. The procedure of FMECA for ATC automation system is shown in Figure 4.
4.1. Failure Modes Analysis
The purpose of failure mode analysis is to find out the possible failure modes of the ATC system from the requirement of the function and the failure criterion of the system definition.
Common failure modes are determined according to standard for failure classification of ATC equipment. The uncovered failures modes can be found out of maintain log or subjective experience of technicians.
4.2. Failure Reason Analysis
The failure reason is divided into direct causes and indirect reasons. The direct cause is the physical and chemical process of the ATC system itself, which leads to the failure or potential failure of the system, while the indirect failure is caused by the failure of other products, environmental factors, human factors, and so forth.
Failure reason analysis helps to identify the factors of the design, manufacture, usage, and maintenance that cause the failure. And then improvement measures and compensation measures can be taken into account to prevent or reduce the possibility of failure.
Before analysis, firstly the features of the ATC automatic system should be classified, and the relevant description should be determined. Analysts must be able to accurately describe each function and its related modules and failure mode.
The FMEA form of ATC automation system correlation between target trajectories and flight plans is shown in Table 1. Table 1 is established on the basis of the analysis of the anomalies of the track  and the causes of wrong correlation between target trajectories and flight plans , from the perspective of flight plan track related technology principle , radar system, and multiradar data processing system.
4.3. Failure Effect Analysis
Failure effect refers to the effects of each failure mode of the ATC system on its usage, function, and status.
When the failure mode of a module is affected by the failure of the other modules of the system, it is usually carried out according to the predefined system level structure. The structure and function corresponding diagram of ATC automation system is shown in Figure 1. According to the hierarchical structure of ATC automatic system, it can be divided into inverted tree type structure. Through the hierarchical structure diagram and the structure and function corresponding diagram, the modules failure effects on ATC automation system capability can be analyzed.
The effects of failure are clarified into four levels based on different incidence of single equipment to control unit, as shown in Table 2.
4.4. Criticality Analysis
A failure assessment follows the failure analysis, and RPN (Risk Priority Number) number is generally used. RPN is the product of , , and . With the RPN, a ranking of the identified failure causes and their failure connection to the failure effect can be done.
, which indicates occurrence, estimates how probable the occurrence of the failure cause is. According to Table 3, the scoring criteria for the occurrence probability grade are given. The value of failure probability is corresponding to the rating of expected number of failures in the product life cycle.
, which indicates severity, describes the severity of a failure effect. It used in the evaluation of the eventual impact on the failure mode of the analysis. Usually, the description of failure mode to the users should be visible. According to Table 4, the scoring methods of the severity are given.
, which indicates detection, determines how successful the detection of the failure cause is.
According to Table 5, is the probability of the failure mode and cause.
After completing the above steps, the number of RPN could be calculated. For the high harmful failure mode, we should put forward improvement measures.
In order to evaluate the effects of subsystem failures to ATC automation system, a framework considering effects on performance and function is established. On the basis of the framework, failure effects on system performance are calculated considering reliability, maintainability, availability, system load, and response time. The mathematical models for each index are given according to the reliability theory. The failure effects on function of ATC automation system are evaluated using FMECA. The procedure of FMECA of ATC automation system is proposed. The framework can be used to guide the reliability analysis procedures of ATC.
Conflicts of Interest
The authors declare that there are no conflicts of interest regarding the publication of this paper.
R. H. Mayer, “Estimating operational benefits of aircraft navigation and air traffic control procedures using an integrated aviation modeling and evaluation platform,” in Proceedings of the Winter Simulation Conference (WSC '06), vol. 8, pp. 1569–1577, IEEE, December 2006.View at: Publisher Site | Google Scholar
B. Bertsche, A. Schauz, and K. Pickard, Reliability in Automotive and Mechanical Engineering, Springer, Berlin, Germany, 2008.View at: Publisher Site
X. J. Jiang, “The abnormal phenomenon analysis about the tack of ATC automation system,” Information Security and Technology, vol. 4, no. 9, pp. 86–87, 2013.View at: Google Scholar
G. Y. Tian and C. H. Shi, “Analysis of reasons for no correlation between target trajectories and flight plans,” Air Traffic Management, no. 4, pp. 17–21, 2011.View at: Google Scholar
W. Guo, “Research on problems of correlation between target trajectories and flight plans,” Silicon Valley, no. 3, pp. 8–25, 2015.View at: Google Scholar