COLLISION AVOIDANCE AND SAFETY

Johan Pellebergs, Saab Aeronautics, November 2016

COMPANY RESTRICTED | NOT EXPORT CONTROLLED | NOT CLASSIFIED

This document and the information contained herein is the property of Saab AB and must not be used, disclosed or altered without Saab AB prior written consent.


CONTENT

• Flight safety

• Safety statistics

• Ground Collision Avoidance

• Mid-Air Collision Avoidance

• Requirements for collision avoidance systems

• Safety principles


COLLISIONS – THEY DO HAPPEN!


FLIGHT SAFETY


MISHAPS / CRASHES

• Main categories for catastrophic mishaps in military aviation have historically been:
‒ Controlled flight into terrain (CFIT)
‒ Engine
‒ Mid-air collision


[Chart: mishap statistics for a military fighter, share of mishaps per category on a 0 to 40 % scale]


FLIGHT SAFETY

• Flight safety has improved significantly over the past decades
‒ Includes both military and civil aviation

• Main contributing factors are
‒ Strong safety attention
‒ Training
‒ Incident reporting
‒ Reliability of flight critical systems
‒ Introduction of safety enhancing systems and automation


(Examples of safety enhancing systems: Auto-GCAS, Auto-ACAS, MIDCAS)


GROUND COLLISION AVOIDANCE


AUTOMATIC GROUND COLLISION AVOIDANCE

• Terrain profile ahead of the aircraft trajectory generated from the onboard terrain data base

• Recovery flight path continuously calculated

• Recovery flight path evaluated against the terrain profile

• Automatic recovery initiated when the margin from the calculated recovery flight path to the terrain profile goes below a minimum value (7 m)
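Added illustration of the four steps above, written for this page; it is not code from the presentation or from Saab's Auto-GCAS. The 7 m margin and the 5 g / 5.5 g pull are the slide's figures. The terrain profile, the 200 m/s 30 degree dive, the 1 s reaction delay, the 10 degree climb-out angle and the constant-speed point-mass kinematics are constructed assumptions.

```python
import math

G = 9.81             # m/s^2
MIN_MARGIN_M = 7.0   # slide: automatic recovery when the margin goes below 7 m
RECOVERY_NZ = 5.0    # slide: recovery flight path calculated at 5 g
EXECUTED_NZ = 5.5    # slide: recovery flight path executed at 5.5 g

# Constructed terrain profile as (x [m], elevation [m]) points: a flat valley
# floor at 100 m rising into a ridge. Stands in for the onboard terrain data base.
TERRAIN = [(0.0, 100.0), (2000.0, 100.0), (4000.0, 600.0),
           (6000.0, 900.0), (10000.0, 900.0)]


def terrain_height(x, profile=TERRAIN):
    """Terrain elevation under x by linear interpolation, clamped at the ends."""
    if x <= profile[0][0]:
        return profile[0][1]
    for (x0, h0), (x1, h1) in zip(profile, profile[1:]):
        if x0 <= x <= x1:
            return h0 + (h1 - h0) * (x - x0) / (x1 - x0)
    return profile[-1][1]


def predict_recovery_path(x, h, v, gamma, nz=RECOVERY_NZ, delay_s=1.0,
                          dt=0.05, climb_out=math.radians(10.0)):
    """Predict the recovery flight path in the vertical plane.

    Assumed model: the aircraft keeps its flight path angle gamma (rad) for
    delay_s seconds (reaction/roll latency), then pulls at constant load factor
    nz until it climbs at climb_out. Point mass at constant speed v (m/s):
    d(gamma)/dt = (nz*g - g*cos(gamma)) / v. Returns the list of (x, h) points.
    """
    path = [(x, h)]
    delay_steps = round(delay_s / dt)
    step = 0
    while gamma < climb_out and step < 2000:   # hard stop guards against runaway
        if step >= delay_steps:
            gamma += (nz * G - G * math.cos(gamma)) / v * dt
        x += v * math.cos(gamma) * dt
        h += v * math.sin(gamma) * dt
        path.append((x, h))
        step += 1
    return path


def terrain_margin(path):
    """Smallest vertical clearance between a predicted path and the terrain."""
    return min(h - terrain_height(x) for x, h in path)


def auto_gcas_should_engage(x, h, v, gamma):
    """The slide's trigger: engage when the predicted 5 g recovery would pass
    closer than MIN_MARGIN_M to the terrain profile."""
    return terrain_margin(predict_recovery_path(x, h, v, gamma)) < MIN_MARGIN_M


def engagement_altitude(x, v, gamma, h_max=2000.0, step=1.0):
    """Scan downwards from h_max and return the altitude at which Auto-GCAS
    would fire for an aircraft at x with speed v and flight path angle gamma."""
    h = h_max
    while h > terrain_height(x):
        if auto_gcas_should_engage(x, h, v, gamma):
            return h
        h -= step
    return h


if __name__ == "__main__":
    # Constructed scenario: 200 m/s, 30 degree dive over the flat valley floor.
    dive = math.radians(-30.0)
    h_fire = engagement_altitude(1000.0, 200.0, dive)
    print(f"Auto-GCAS fires at {h_fire:.0f} m, "
          f"{h_fire - terrain_height(1000.0):.0f} m above the terrain")
    m5 = terrain_margin(predict_recovery_path(1000.0, h_fire, 200.0, dive))
    m55 = terrain_margin(predict_recovery_path(1000.0, h_fire, 200.0, dive,
                                               nz=EXECUTED_NZ))
    print(f"predicted margin at 5 g: {m5:.1f} m, flown at 5.5 g: {m55:.1f} m")
```

With these assumptions the trigger fires roughly 240 m above the valley floor in a 30 degree dive: 100 m are lost during the delay and about 130 m more in the 5 g pull-up before the aircraft is level. Re-running the prediction at the executed 5.5 g shows the flown recovery clears the terrain by more than the predicted path, so the 7 m threshold is applied against the more conservative prediction.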


[Block diagram with the following labels: EFCS SC D96; AFU ARM (MKV); NINS terrain data base; SCAN ground profile; auto recovery, flight path prediction, margins; MMI warning; AFU command (GPW); calculated recovery flight path at 5 g; executed recovery flight path at 5.5 g; Mission System (DAL C); Flight Control System (redundant, DAL A).]

AFU automatic/manual deactivation:
• Landing gear extended
• AAR probe extended
• GPW manually OFF
• Pilot manual inhibition
• Control stick breakout


AUTO-GCAS SAVES

• Auto-GCAS has saved 4 aircraft and pilots since its operational fielding 2 years ago

• Pilots' reactions have gone from being skeptical of a system that can take control away from them to now not performing the most advanced training flights without the system available!

• Acceptance by the users (pilots) is crucial when introducing an automatic high authority system!


4TH AUTO-GCAS SAVE

• HUD video from the 4th Auto-GCAS save, when the pilot becomes unconscious due to high G (G-LOC)


[HUD video overlay labels: G-load, speed, Mach, radar altitude, altitude (ft), velocity vector, GCAS warning]


2ND AUTO GCAS SAVE

• Air combat training mission

• "Target fascination" leads one of the pilots to initiate a maneuver that would result in a non-recoverable ground collision

• Letter from one of the saved pilots expressing his gratitude for the Auto-GCAS system!

“My unexpected AGCAS recovery prompted me to aggressively recover my aircraft, directly saving both my life and the aircraft. AGCAS worked as advertised and allowed me the honor to write this letter. I will gladly shake the hands of the men and women who developed this life saving system if I ever meet them in person.”


MID-AIR COLLISION AVOIDANCE


MID-AIR COLLISIONS – A REAL THREAT


MAIN LAYERS OF PROTECTION AGAINST MID-AIR COLLISIONS

1. Strategic Conflict Management
‒ Procedures and regulations
‒ Airspace design
‒ Flight plans

2. Separation Provision
‒ Responsibility of ATC or the pilot depending on airspace class and flight rules (IFR/VFR)
‒ "Don't scare others!"

3. Collision Avoidance
‒ The ultimate responsibility for avoiding collisions always remains with the pilot.
‒ Mainly performed by the pilot's ability to "See & Avoid", i.e. the pilot's eyes and his/her ability to make the correct decision and take the correct action.
‒ "Don't scrape paint"

[Figure: the three layers arranged along axes of distance/time and criticality]


AIRSPACE CLASSES


• Airliners
‒ Operate in class A-C
‒ Fly according to Instrument Flight Rules (IFR)
‒ Equipped with transponder/ADS-B, i.e. are cooperative
‒ Equipped with the TCAS collision avoidance system
‒ Separated from all other traffic by ATC
‒ Pilot responsible for collision avoidance (aided by TCAS)

• Small GA aircraft
‒ Operate mainly in the "lower" airspace classes, including uncontrolled airspace
‒ Operate at lower altitudes, below 10 000 ft (max speed 250 kts)
‒ Large portion of flights according to Visual Flight Rules (VFR)
‒ Many without transponder/ADS-B, i.e. non-cooperative
‒ Limited or no ATC separation
‒ Pilot responsible for both separation and collision avoidance


REMOTELY PILOTED AIRCRAFT


• Terminology
‒ Unmanned Aircraft System (UAS)
‒ Remotely Piloted Aircraft System (RPAS)

• Removing the pilot from the aircraft requires an equivalent system capability to detect and avoid other aircraft: a Detect & Avoid (D&A) system

• Main requirement is to not degrade safety when introducing RPAS into the airspace


TRAFFIC AVOIDANCE AND COLLISION AVOIDANCE

• Detect and Avoid (D&A) consists of two safety barriers
‒ Traffic Avoidance ("don't scare")
‒ Collision Avoidance ("don't scrape paint")

• D&A design objective
‒ The D&A design objective needed to reach the overall TLS is a Risk Ratio of 0.01 (TBC), i.e. save 99 of 100 critical encounters

Risk Ratio = P(NMAC with system) / P(NMAC without system)
NMAC = Near Mid-Air Collision


D&A SYSTEM OVERVIEW


[D&A system diagram with the following elements: Detect & Avoid sensors (EO, IR, Radar, Xpdr, ADS-B); Data Fusion; Collision Avoidance; Traffic Avoidance; D&A HMI; Intruder; Remote Pilot Station; RPA; C2 link.]

• The RPA pilot will get suggested maneuvers from the system
• A TrA maneuver needs to be manually activated by the remote pilot
• A CA maneuver can be manually activated but will activate automatically at the last instance
• CA protection remains even if there is a C2 link loss


D&A COLLISION AVOIDANCE CONCEPT


[Diagram: RPAS and intruder, showing the Collision Volume (CV) and the Protected Volume = CV + uncertainties]

A manoeuvre is continuously calculated and evaluated against the Collision Volume.

When the manoeuvre prediction indicates the last chance to resolve the situation without a CV breach (including margins), the manoeuvre is activated automatically.

(MIDCAS flight test HMI video, radar + EO)
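Added illustration of the last-chance logic described on this slide, written for this page; it is not code from the presentation or from the MIDCAS D&A function. The collision volume radius, the uncertainty margin, the 3 degree per second level turn used as the avoidance manoeuvre, the 60 s prediction horizon, the 0.5 s update period and the straight-line intruder model are all constructed assumptions.

```python
import math

# Constructed sizes: the Collision Volume (CV) the intruder must never enter
# and the uncertainty margin (sensor, prediction, latency) added to it.
CV_RADIUS_M = 150.0
UNCERTAINTY_M = 100.0
PROTECTED_M = CV_RADIUS_M + UNCERTAINTY_M   # the slide's "CV + uncertainties"

TURN_RATE = math.radians(3.0)   # assumed avoidance manoeuvre: 3 deg/s level turn
HORIZON_S = 60.0                # assumed prediction horizon
DT = 0.5                        # assumed update period of the CA function


def propagate(state, dt, turn_rate=0.0):
    """Flat-earth kinematics; state = (x [m], y [m], speed [m/s], heading [rad])."""
    x, y, v, hdg = state
    hdg += turn_rate * dt
    return (x + v * math.cos(hdg) * dt, y + v * math.sin(hdg) * dt, v, hdg)


def min_separation(own, intruder, start_delay, turn_rate=TURN_RATE,
                   horizon=HORIZON_S, dt=DT):
    """Closest approach if own aircraft flies straight for start_delay seconds
    and then holds the avoidance turn, while the intruder keeps its current
    velocity (the system has no knowledge of the intruder's intent)."""
    t, closest = 0.0, float("inf")
    while t < horizon:
        closest = min(closest, math.hypot(own[0] - intruder[0], own[1] - intruder[1]))
        own = propagate(own, dt, turn_rate if t >= start_delay else 0.0)
        intruder = propagate(intruder, dt)
        t += dt
    return closest


def ca_decision(own, intruder, dt=DT):
    """Return (activate, resolves_now).

    The manoeuvre is activated at the last instance: the moment the same
    manoeuvre, started one update period later, would no longer keep the
    intruder outside the protected volume. resolves_now reports whether the
    manoeuvre started immediately still does."""
    resolves_now = min_separation(own, intruder, 0.0) >= PROTECTED_M
    resolves_later = min_separation(own, intruder, dt) >= PROTECTED_M
    return (not resolves_later, resolves_now)


def time_to_activation(own, intruder, dt=DT, max_t=300.0):
    """Fly both aircraft straight ahead and report (t, resolves_now) at the
    first update where CA activates, or None if it never does."""
    t = 0.0
    while t < max_t:
        activate, resolves_now = ca_decision(own, intruder, dt)
        if activate:
            return t, resolves_now
        own = propagate(own, dt)
        intruder = propagate(intruder, dt)
        t += dt
    return None


if __name__ == "__main__":
    # Constructed head-on encounter: 20 km apart, both at 100 m/s, 100 s to impact.
    own = (0.0, 0.0, 100.0, 0.0)
    intruder = (20000.0, 0.0, 100.0, math.pi)
    t_fire, resolves = time_to_activation(own, intruder)
    print(f"CA activates {t_fire:.1f} s into the encounter, "
          f"{100.0 - t_fire:.1f} s before impact; still resolves: {resolves}")
```

In the constructed head-on case the function waits until about 10 s before impact, the point where delaying the 3 degree per second turn by one more update would let the intruder inside the 250 m protected volume, and at that moment the manoeuvre started immediately still resolves the encounter. The decision needs only own state and the fused intruder track, which is why it can run onboard and why, as the previous slide states, CA protection does not depend on the C2 link.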


SENSOR PERFORMANCE

[EO video stills: CA with intruder above; intruder below; loitering against sun reflex]

Flight testing of the D&A system in the MIDCAS project

Typical sensor tracking performance in flight:

• ADS-B: over 15 NM

• Radar: around 5 NM (8000-9000 m)

• EO: ranging from 8 to 5 NM (15000-8000 m)


REQUIREMENTS AND SAFETY


MAIN REQUIREMENTS FOR A SAFETY ENHANCING SYSTEM

3 mother requirements:

• "Do good"
‒ Warn and/or engage an automatic maneuver when a collision is imminent

• "No nuisance"
‒ No unnecessary warning or maneuver

• "Do no harm"
‒ Do not cause a catastrophic event when no danger was present in the first place

• The most important of these 3 is ...
‒ No nuisance


DEFINITIONS AND CLASSIFICATIONS

• Classification of failure conditions by severity of effect
‒ Catastrophic, Hazardous, Major, Minor, or No Safety Effect
‒ A Catastrophic failure condition is one which would result in multiple fatalities, usually with the loss of the aircraft

• Definition of probability terms
‒ Extremely Improbable, Extremely Remote, Remote, or Probable
‒ An Extremely Improbable failure condition is one so unlikely that it is not anticipated to occur during the entire operational life of all airplanes of one type
‒ Quantitatively, these probability terms are defined as follows (average probability per flight hour):
‒ Extremely Improbable: 10^-9 or less
‒ Extremely Remote: 10^-7 or less
‒ Remote: 10^-5 or less
‒ Probable: more than 10^-5


SAFETY OBJECTIVES

Quantitative
‒ The acceptable safety level for equipment and systems as installed on the aircraft is established as an inverse relationship between average probability per flight hour and the severity of failure condition effects:
‒ Failure conditions with No Safety Effect have no probability requirement
‒ Minor failure conditions may be Probable (>10^-5)
‒ Major failure conditions must be Remote (<10^-5)
‒ Hazardous failure conditions must be Extremely Remote (<10^-7)
‒ Catastrophic failure conditions must be Extremely Improbable (<10^-9)

‒ The safety objectives associated with Catastrophic failure conditions may be satisfied by demonstrating that:
‒ No single failure will result in a Catastrophic failure condition; and
‒ Each Catastrophic failure condition is Extremely Improbable

Qualitative
‒ The failure conditions Catastrophic through No Safety Effect are assigned Functional and Item Design Assurance Levels A, B, C, D, E, respectively


POSSIBILITY TO RELAX FDAL WITH PROBABILITY OF THE EXTERNAL EVENT

• Example:
‒ Fire onboard an aircraft is very critical and can cause a catastrophic crash
‒ The mitigation is to install a fire extinguishing system
‒ What design assurance level will be needed for this system?

• If the probability of a critical fire is sufficiently low it will be possible to relax the FDAL requirement
‒ Consequence of fire: CAT
‒ Probability (example): 10^-6
‒ FDAL can be reduced from A to B for the design of the fire extinguishing system

(Reference: ARP 4754A)

TARGET LEVEL OF SAFETY (TLS)

• Large aircraft (i.e. airliners)
‒ Hundreds of people onboard
‒ Catastrophic event: 10^-6
‒ 10% allowed for technical failures: 10^-7
‒ Large aircraft have ~100 potentially catastrophic failure conditions: 10^-9 each
→ Thus the risk of a mid-air collision with an airliner cannot be higher than 10^-9 per flight hour

• Small aircraft (i.e. general aviation)
‒ Typically 1-2 people onboard
‒ Hazardous event: 10^-5
‒ 10% allowed for technical failures: 10^-6
‒ Small aircraft have ~10 potentially catastrophic failure conditions: 10^-7 each
→ Thus the risk of a mid-air collision with a small aircraft cannot be higher than 10^-7 per flight hour

→ RPAS are considered as complex aircraft equivalent to airliners


SAFETY BARRIERS

• To achieve very high levels of safety it is necessary to distribute the safety target over several different layers or barriers

• There are several different kinds of barriers
‒ Inherent
‒ Rules
‒ Procedures
‒ Technical

• Each barrier typically contributes between 1 and 3 orders of magnitude
‒ Better to have 3 barriers with a factor of 10 each than 1 barrier with a factor of 1000

• It is important to have independence, or at least known common-mode failures, between the barriers!
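Added worked example, written for this page and not taken from the presentation: it carries the TLS allocation from the previous slide through in code, uses the Risk Ratio definition from the D&A slide, and then composes barriers as described above, so that the "3 x 10 versus 1 x 1000" claim and the common-mode warning can be checked numerically. The 10 % technical share, the 100 and 10 failure-condition counts and the 10^-6 / 10^-5 event targets are the slides' figures; the 10^-5 base encounter rate, the 1 % unavailability figures and the 1 % common-mode probability are constructed.

```python
from math import prod


def risk_ratio(p_nmac_with_system, p_nmac_without_system):
    """Slide definition: Risk Ratio = P(NMAC with system) / P(NMAC without system)."""
    return p_nmac_with_system / p_nmac_without_system


def allocate_tls(p_event_per_fh, technical_share, n_failure_conditions):
    """TLS slide budget split: overall event probability per flight hour ->
    share attributable to technical failures -> budget per failure condition.
    Returns (technical_budget, per_condition_budget)."""
    technical = p_event_per_fh * technical_share
    return technical, technical / n_failure_conditions


def residual_risk(base_rate, barriers, p_common=0.0, shared=()):
    """Residual probability of the undesired event after a chain of barriers.

    barriers: list of (risk_ratio, unavailability). A barrier that is up
    multiplies the remaining risk by its risk ratio; when it is down (with
    probability unavailability) it contributes nothing, so its effective
    factor is (1 - u) * r + u. Independent barriers simply multiply.
    p_common and shared model one common-mode failure that takes down every
    barrier listed in shared at the same time, with probability p_common.
    """
    def factor(i, defeated):
        r, u = barriers[i]
        return 1.0 if i in defeated else (1.0 - u) * r + u

    idx = range(len(barriers))
    healthy = prod(factor(i, ()) for i in idx)
    if p_common == 0.0:
        return base_rate * healthy
    degraded = prod(factor(i, set(shared)) for i in idx)
    return base_rate * ((1.0 - p_common) * healthy + p_common * degraded)


def meets_target(residual, target):
    """True when the residual risk is within the per-flight-hour target."""
    return residual <= target


if __name__ == "__main__":
    # TLS slide arithmetic: airliner and GA budgets per failure condition.
    print("airliner:", allocate_tls(1e-6, 0.10, 100))   # technical 1e-7, 1e-9 each
    print("GA:      ", allocate_tls(1e-5, 0.10, 10))    # technical 1e-6, 1e-7 each
    print("D&A target risk ratio:", risk_ratio(1e-8, 1e-6))  # 0.01, save 99 of 100

    # Constructed: 1e-5 critical encounters per flight hour before any barrier.
    base = 1e-5
    print("1 x 1000, always available   :", residual_risk(base, [(1e-3, 0.0)]))
    print("3 x 10,   always available   :", residual_risk(base, [(0.1, 0.0)] * 3))
    print("1 x 1000, down 1 % of the time:", residual_risk(base, [(1e-3, 0.01)]))
    print("3 x 10,   each down 1 %      :", residual_risk(base, [(0.1, 0.01)] * 3))
    print("3 x 10, barriers 2 and 3 share a 1 % common-mode failure:",
          residual_risk(base, [(0.1, 0.0)] * 3, p_common=0.01, shared=(1, 2)))
    print("meets airliner-equivalent 1e-9:",
          meets_target(residual_risk(base, [(0.1, 0.0)] * 3), 1e-9))
```

With perfect availability the two designs are identical (both leave 10^-8). As soon as each barrier is unavailable 1 % of the time, the single factor-1000 barrier degrades to about 1.1 x 10^-7 while the three factor-10 barriers still give about 1.3 x 10^-8, nearly an order of magnitude better, because a lapse in one barrier is caught by the other two. A 1 % common-mode failure shared by two of the three barriers roughly doubles the residual risk compared with the independent case, which is the reason the slide insists that common modes between barriers be known. In this constructed case neither chain reaches the 10^-9 per flight hour that the TLS slide requires for RPAS treated as airliner-equivalent.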


D&A SYSTEMS ARE RELEVANT ALSO FOR MANNED AVIATION

[Cartoon: "If we have a Detect & Avoid system onboard?" / "Why do you ask?"]
