144 research outputs found

    A Family of Well-Clear Boundary Models for the Integration of UAS in the NAS

    The FAA-sponsored Sense and Avoid Workshop for Unmanned Aircraft Systems (UAS) defines the concept of sense and avoid for remote pilots as "the capability of a UAS to remain well clear from and avoid collisions with other airborne traffic." Hence, a rigorous definition of well clear is fundamental to any separation assurance concept for the integration of UAS into civil airspace. This paper presents a family of well-clear boundary models based on the TCAS II Resolution Advisory logic. For these models, algorithms that predict well-clear violations along aircraft current trajectories are provided. These algorithms are analogous to conflict detection algorithms but instead of predicting loss of separation, they predict whether well-clear violations will occur during a given lookahead time interval. Analytical techniques are used to study the properties and relationships satisfied by the models

    Validation of Ultrahigh Dependability for Software-Based Systems

    Modern society depends on computers for a number of critical tasks in which failure can have very high costs. As a consequence, high levels of dependability (reliability, safety, etc.) are required from such computers, including their software. Whenever a quantitative approach to risk is adopted, these requirements must be stated in quantitative terms, and a rigorous demonstration of their being attained is necessary. For software used in the most critical roles, such demonstrations are not usually supplied. The fact is that the dependability requirements often lie near the limit of the current state of the art, or beyond, in terms not only of the ability to satisfy them, but also, and more often, of the ability to demonstrate that they are satisfied in the individual operational products (validation). We discuss reasons why such demonstrations cannot usually be provided with the means available: reliability growth models, testing with stable reliability, structural dependability modelling, as well as more informal arguments based on good engineering practice. We state some rigorous arguments about the limits of what can be validated with each of such means. Combining evidence from these different sources would seem to raise the levels that can be validated; yet this improvement is not such as to solve the problem. It appears that engineering practice must take into account the fact that no solution exists, at present, for the validation of ultra-high dependability in systems relying on complex software

    An Independent and Coordinated Criterion for Kinematic Aircraft Maneuvers

    This paper proposes a mathematical definition of an aircraft-separation criterion for kinematic-based horizontal maneuvers. It has been formally proved that kinematic maneuvers that satisfy the new criterion are independent and coordinated for repulsiveness, i.e., the distance at closest point of approach increases whether one or both aircraft maneuver according to the criterion. The proposed criterion is currently used in NASA's Airborne Coordinated Resolution and Detection (ACCoRD) set of tools for the design and analysis of separation assurance systems

    Probabilistic Model-Based Safety Analysis

    Model-based safety analysis approaches aim at finding critical failure combinations by analysis of models of the whole system (i.e. software, hardware, failure modes and environment). The advantage of these methods compared to traditional approaches is that the analysis of the whole system gives more precise results. Only a few model-based approaches have been applied to answer quantitative questions in safety analysis, often limited to analysis of specific failure propagation models, limited types of failure modes or without system dynamics and behavior, as direct quantitative analysis uses large amounts of computing resources. New achievements in the domain of (probabilistic) model-checking now allow for overcoming this problem. This paper shows how functional models based on synchronous parallel semantics, which can be used for system design, implementation and qualitative safety analysis, can be directly re-used for (model-based) quantitative safety analysis. Accurate modeling of different types of probabilistic failure occurrence is shown as well as accurate interpretation of the results of the analysis. This allows for reliable and expressive assessment of the safety of a system in early design stages

    Managing Complex Safety Cases


    Global navigation satellite systems performance analysis and augmentation strategies in aviation

    In an era of significant air traffic expansion characterized by a rising congestion of the radiofrequency spectrum and a widespread introduction of Unmanned Aircraft Systems (UAS), Global Navigation Satellite Systems (GNSS) are being exposed to a variety of threats including signal interferences, adverse propagation effects and challenging platform-satellite relative dynamics. Thus, there is a need to characterize GNSS signal degradations and assess the effects of interfering sources on the performance of avionics GNSS receivers and augmentation systems used for an increasing number of mission-essential and safety-critical aviation tasks (e.g., experimental flight testing, flight inspection/certification of ground-based radio navigation aids, wide area navigation and precision approach). GNSS signal deteriorations typically occur due to antenna obscuration caused by natural and man-made obstructions present in the environment (e.g., elevated terrain and tall buildings when flying at low altitude) or by the aircraft itself during manoeuvring (e.g., aircraft wings and empennage masking the on-board GNSS antenna), ionospheric scintillation, Doppler shift, multipath, jamming and spurious satellite transmissions. Any one of these phenomena can result in partial to total loss of tracking and possible tracking errors, depending on the severity of the effect and the receiver characteristics. After designing GNSS performance threats, the various augmentation strategies adopted in the Communication, Navigation, Surveillance/Air Traffic Management and Avionics (CNS + A) context are addressed in detail. GNSS augmentation can take many forms but all strategies share the same fundamental principle of providing supplementary information whose objective is improving the performance and/or trustworthiness of the system. Hence it is of paramount importance to consider the synergies offered by different augmentation strategies including Space Based Augmentation System (SBAS), Ground Based Augmentation System (GBAS), Aircraft Based Augmentation System (ABAS) and Receiver Autonomous Integrity Monitoring (RAIM). Furthermore, by employing multi-GNSS constellations and multi-sensor data fusion techniques, improvements in availability and continuity can be obtained. SBAS is designed to improve GNSS system integrity and accuracy for aircraft navigation and landing, while an alternative approach to GNSS augmentation is to transmit integrity and differential correction messages from ground-based augmentation systems (GBAS). In addition to existing space and ground based augmentation systems, GNSS augmentation may take the form of additional information being provided by other on-board avionics systems, such as in ABAS. As these on-board systems normally operate on different principles than GNSS, they are not subject to the same sources of error or interference. Using suitable data link and data processing technologies on the ground, a certified ABAS capability could be a core element of a future GNSS Space-Ground-Aircraft Augmentation Network (SGAAN). Although current augmentation systems can provide significant improvement of GNSS navigation performance, a properly designed and flight-certified SGAAN could play a key role in trusted autonomous system and cyber-physical system applications such as UAS Sense-and-Avoid (SAA)

    An Exploratory Evaluation of UAS Detect and Avoid Operations in the Terminal Environment


    A Cryogenically Cooled MW Inverter for Electrified Aircraft Propulsion


    A Comparison of Two Terminal Area Detect and Avoid Well Clear Definitions
