Towards a Functionally-Formed Air Traffic System-of-Systems

Sheila R. Conway
Old Dominion University, Norfolk, Virginia, USA
NASA Langley Research Center, Hampton, Virginia, USA

Maria C. Consiglio
NASA Langley Research Center, Hampton, Virginia, USA

Abstract - Incremental improvements to the national aviation infrastructure have not resulted in sufficient increases in capacity and flexibility to meet emerging demand. Unfortunately, revolutionary changes capable of substantial and rapid increases in capacity have proven elusive. Moreover, significant changes have been difficult to implement, and the operational consequences of such change, difficult to predict due to the system’s complexity. Some research suggests redistributing air traffic control functions through the system, but this work has largely been dismissed out of hand, accused of being impractical. However, the case for functionally-based reorganization of form can be made from a theoretical, systems perspective. This paper investigates Air Traffic Management functions and their intrinsic biases towards centralized/distributed operations, grounded in systems engineering and information technology theories. Application of these concepts to a small airport operations design is discussed. From this groundwork, a robust, scalable system transformation plan may be made in light of uncertain demand.

Keywords: Air Traffic Management (ATM), distributed vs. centralized control, functionally driven, Air Traffic Control (ATC).

1 Motivation

Changes in the demand for air transportation are inevitable, and indeed seem to be upon us.[1] The National Airspace System (NAS) improvement initiatives are largely focused on incremental improvements in today’s Air Transportation System (ATS), but are unlikely to satisfy future demand. The Federal Aviation Administration (FAA) admits that their own plans to increase system capacity by 30% or more will be insufficient to meet their own projected demand growth stemming from expansion of existing airline and general aviation operations. Cost, maintenance, and integration complexity burdens continue to rise as new systems and technologies are added to the NAS, creating not a “system-of-systems” as commonly defined in the literature,[2] but rather a collection of poorly integrated legacy elements.

The uncertainty of future demand is reflected in comments such as those of Secretary of Transportation Norman Mineta, who recently called for tripling the air traffic capacity of the United States in the next 15 to 20 years. He and others are projecting a substantial impact of new transportation modes such as jet taxies (e.g. Dayjet, publicly launched April 2005) and unmanned aerial vehicles on the character and volume of future traffic. He stated, “The changes that are coming are too big, too fundamental for incremental adaptation…We need to modernize and transform our global transportation system, starting right now.” [3]

2 ATS and ATM: The Status Quo

The operational ATS element that involves the safe and efficient management of flights is commonly referred to as Air Traffic Management (ATM). ATM is accomplished by the combined effort of pilots, air traffic controllers, airline dispatchers, and flow managers, all of whom adhere to procedures and regulations that limit the possibility of traffic conflicts. The air traffic control system can be thought of as a heterogeneous distributed system composed of multiple, highly interconnected subsystems that interact and share data and resources. Air Traffic Control (ATC) is also often considered to be highly centralized, as all local control of aircraft stems from a central ATC entity (itself a system of entities). It seems then that the amount of centralization is a matter of degree, and its determination highly dependent on the observer.

ATS is nominally considered to encompass commercial air carriers, general aviation operations, the passengers they serve, as well as the infrastructure within which they operate. All of these entities operate for their own purposes, optimizing or “gaming the system” to benefit their own set of criteria which may or may not overlap with those of others. Regardless of the complement of system elements one might choose to include, or the labels that are applied, there is an overriding necessity for ATM.

The FAA states that the fundamental purpose of ATM is to ensure a safe and efficient system, which means accident prevention and management of traffic. Beer’s systems science work suggests that for continued success, the system must accommodate both of these functions independently while also mediating their interaction.[4] Additionally, the balance of these activities must be continuously revisited and adjusted to meet present and expected future objectives. These functions could be captured by an enumeration of operational tasks: arbitration of resource conflicts, optimization of limited resources, ensuring security, data collection and dissemination, traffic conflict detection and resolution, and demand limitation (the last line of defense against system overload). Itself a system-of-systems, ATM provides operational control for the larger ATS.

2.1 Today’s ATM Implementation

ATM is often described by its constituent actors (e.g. controllers, pilots, etc.) or entities (e.g. sector control, approach control, etc.). Though there are some functional ATM descriptions, they often focus narrowly on one or two tasks (e.g. traffic separation) while not addressing others. It is likely that any future ATM system, regardless of its form, will have to provide the same functions as the present system. In this light, the nature of these functions and the core activities in the present-day ATS that impart them warrant further inspection. The following rendering is a more elemental, functional image, ordered roughly by operational and temporal scope:

2.1.1 Regulating scheduled over-demand

Control of demand is the most extreme regulatory tool available in the ATS. This function can be invoked when the forecasted demand exceeds system capacity and threatens viability. Operations can be disallowed from the system, grounding aircraft or delaying flights. Alternately, this function can be used as an optimization tool, improving average operating efficiency for aircraft in use by delaying excess flight operations until such time they could be expected to be serviced.

The expression of this function in today’s ATS is flow management, a toolset including ground holds which limit demand for a critical resource such as an approach.

2.1.2 Regulating dynamic over-demand

A less aggressive regulation function reallocates flight operations away from system bottlenecks into areas of excess capacity.

This function, akin to Beer’s autonomic function, is exemplified by rerouting flights from busy enroute sectors.

2.1.3 Route Planning and hazard avoidance

Flight planning and real-time re-planning functions must also be supported. Unlike fixed road infrastructure, aviation routing is more adaptable, being responsive to city pairings, weather, prevailing winds, and other dynamic factors. Not only does ATM have to accommodate various routes, it plays an active role by creating and disseminating system information and delineating hazards.

In today’s system, airline pilots and dispatchers perform the lion’s share of this function, though the FAA has increased its role with the relatively recent implementation of the national route program. FAA participation entails their acceptance of user-preferred routes (assumedly for flight optimization or area hazard avoidance), implicitly agreeing to provide continued safe traffic management for the new route.

2.1.4 Sequencing

ATM operations often create situations where resources must be shared, such as multiple aircraft operating at a single airport or runway. Sequencing is the mediation of a shared resource by forming an ordered queue for resource allocation, thus eliminating ambiguity or “ties” in resource requests. Sequencing can be granted first-come, first-served, or can be determined with other schema such as system utilization maxima.

Functionally speaking, sequencing is a vital portion of many ATC instructions, and is implicit in all ATC-defined routing (vectoring).

2.1.5 Separation

Primarily a safety constraint, the separation function affords a physical interval between aircraft, intended to eliminate collision risk. The interval is operation-specific and dependent on conditions and operational uncertainty.

Typically, today’s operations using secondary radar data strive to maintain a minimum distance between aircraft in flight. ATC clearances (procedure initiation, direction, altitude and speed of flight, etc.) are largely predicated on providing separation. Special considerations are given to operations constrained to precision guidance approaches and other guidance-based procedures that reduce allowable separation minima.

2.1.6 Spacing

Spacing requires one aircraft to control its position relative to another, e.g. x miles in-trail (a fixed distance along a common guidance path). Because both an order and an interval are assigned, a spacing operation supplants both the safety function of separation and the mediation function of sequencing.

Because aircraft in today’s system have little data regarding other aircraft, responsibility for this function’s performance lies largely with ATC.

2.1.7 Collision Avoidance

Though the collision avoidance function is also safety related, it is distinct from separation in a number of ways: While the primary function of separation achieves safety by minimizing opportunity for collision, it offers no strategy to resolve conflicts. However, if a traffic conflict persists, or evolves from an abrupt maneuver or breach of procedure to create a very near-term collision risk, a collision avoidance function can offer conflict resolution advisories, providing either or both aircraft an escape maneuver to avoid the collision. Thus both the availability of immediate resolutions and the short time horizon of this function make it distinct from other system functions.

TCAS, the Traffic Collision Avoidance System, is an airborne system that fulfills this function. The FAA’s role is limited to mandating the necessary equipment, enforcing compliance with TCAS advisories, and employing ATC procedures for coping with aircraft responses to advisories.

2.2 Improvement Programs

Recent attempts to modernize the ATS have mainly focused on the technological infrastructure legacy, commonly known as the National Airspace System (NAS), and bringing its components up to date. But these technological improvements have largely proven operationally fruitless. A case in point is the enroute controller station replacement program. After many years of hard work getting modernized stations installed in ATC facilities, there has been little difference in the methodology or effectiveness of the controllers using the new equipment.[5] Another case is the FAA’s CAPSTONE program that successfully deployed (in a limited region) an entirely new surveillance system capable of both conventional air-to-ground and innovative air-to-air data dissemination. Unfortunately, the program is only exploring traffic management functions that use these data identically to those in a traditional radar environment.

Systemic change driven by such “technology-push” has not been successful outside the NAS either. Airframe manufacturers and airlines have been investing in improved airborne avionics, but have not strongly advocated changes in the ATC system that would allow the capabilities of the new equipment to be realized. Many aircraft carry systems capable of direct point-to-point routing and more efficient altitude profiles, but they are unable to utilize these functions in ATC operations that rely on fixed routes and altitude stratification. Slowly, there has been some lifting of constraints such that users can, for example, request an altitude that may be more fuel and time efficient, but these opportunities are still the exception rather than the rule.

The common thread in all of these failures seems to be allowing the demands and constraints of technology (particularly the legacy systems of the ATS), rather than the functional demands of the new air traffic environment, to drive the design process. System design based on functionality rather than technology seems obvious, yet design always involves tradeoffs between implementation (cost, complexity, maintenance, etc.) and functionality. In the case of ATS, the functional requirements of the system have been overwhelmed by these constraints.

Some researchers have indeed taken a broader look, suggesting redistribution of ATC function through the system [6], though their work is often regarded as unrealistic, or at the very least, impractical. Naysayers raise issues of predictability, certification, and acceptance of new roles and responsibilities. But the case for such functionally-based redistribution of form from a theoretical, system-of-systems perspective is strong.

3 Form and Function

There is a growing gap between conventional ATM methods and the nature of the demand for ATM services. The continued safety and efficient management of flights begs for a rethinking of the way the ATS provides ATM functionality: A systemic, flexible, and purposeful design is required. The ATS can no longer afford to be constrained to legacy equipment or operations. Granted, a transformed system will provide much of the same functionality as the current ATS, but perhaps through different means. The functions by themselves do not define the design, but may shape a system’s architecture or form.

“Form follows function” is a concept stemming from the architectural realm that has been adopted by designers in many other areas, from biology to manufacturing. It implies that the inherent nature of things, including both their purpose and the constraints that may limit their manifestation, favor particular designs. This is not to suggest that function is the only design influence, but that it should be prominent, well considered, and most of all, satisfied. This notion is well accepted in information technology (IT), where there is an expectation that system architectures are compatible with software function.[7]

3.1 System Form: Centralized/Distributed

In IT as well as many other fields, two major classifications of designed system forms or architectures are generally recognized: centralized and distributed. Centralized forms generally consist of a single, large warehouse or processing center for data, control, etc., and single-point collection and redistribution infrastructure to amass and dispense information throughout the system respectively, akin to an airline hub-and-spoke routing design. Distributed forms have data, processing capability, etc. scattered amongst system constituents, and infrastructures that are more loosely coupled. These connections can be regular and follow rigid rules, or can be determined by function, as scale-free networks (often exemplified by Southwest Airlines’ routes [8]) appear to be.

The theory of distributed systems that unfolded in the domain of IT to describe the behavior and address the challenges presented by the rapid development of computer networks can also be used to understand other distributed systems. Analytical methods and algorithms developed for distributed computer systems can be applied to analyze other systems such as the ATS.

A distributed system can be defined as a collection of independent subsystems that cooperate to solve a single problem. To its users, it appears to be a single coherent system [9]. According to Sycara [10], a distributed system is one that is comprised of asynchronous subsystems, has no global control, and utilizes decentralized data. However, communication and synchronization among subsystems is required for a distributed system to operate correctly. Different implementation philosophies are often proposed to address these system properties, ranging from highly centralized to fully distributed solutions. Parallels can be drawn to show how the ATS can satisfy these definitions:

• Systems are Asynchronous: Global time is not known by all subsystems, and actions performed by the individual subsystems must be coordinated to ensure proper ordering. In Air Traffic, while many operations rely on planned time of occurrence, synchronization is loose at best, and is difficult to enforce due to the flight environment’s variability. To cope with this issue, operations afford flexibility around timed events (e.g. a take-off window rather than a single departure time) and mechanisms to enforce control in real time rather than to a precise schedule. However, a result of "padding" the event schedule is reduced system-wide capacity.

• Decentralized Control: There is no global system control. No single subsystem can arbitrate over other subsystems without communication and synchronization. Each subsystem has incomplete information or capabilities for solving problems and, thus, has a limited viewpoint. Both supporting and counter examples are seen in the ATS: Each sector controller is responsible for traffic management within their own sector, but there is a systemic control function known as flow control which limits flight volumes in each sector to manageable levels.

• Decentralized Data: No single subsystem has complete knowledge about the system at any given time and subsystems frequently depend on each other to communicate data required to perform their functions. Different models of communications are applied depending on the specific user and data requirements. In airline operations, for example, while controllers and pilots negotiate flight routing in real time, pilots and airline dispatchers do too, as the dispatcher is privy to company information such as gate availability at the destination that the other actors are not.

One of the fundamental problems in all systems, regardless of their form, is shared resource management. Some resources can be shared by many users at a time (e.g. weather reports), while others (e.g. runway, taxiways, etc.) need to be shared in sequential order, by one user at a time. Thus, a safety critical system-of-systems must guarantee mutual exclusion. Coordination among users must be enforced through communication and synchronization mechanisms to ensure the proper and correct use of the resource. Both centralized and distributed approaches are possible, but they each have advantages or disadvantages. How and by whom the resource is controlled depends on implementation.

3.1.1 Centralized Solutions to Mutual Exclusion

Centralized control is conceptually the simplest way to achieve mutual exclusion: A single entity is in charge of arbitrating resources, and is the only entity that has (or needs) knowledge of the resources’ state. All users request and release access through an arbiter who grants/denies access. Communication requirements are proportional to the number of users requesting access to the resource. Also, users may join the user group at any time, since the arbiter keeps track of membership. The main problem with this approach is that the arbiter represents a single point of failure, and can become a bottleneck at times of high demand. Also, the cost of a dedicated subsystem to be the arbiter needs to be considered. All communications must be reliable, i.e. all messages must be acknowledged.

For example, an airport tower providing approach and departure sequencing instructions to pilots represents a centralized solution to the mutual exclusion problem. It is simple to understand and implement, the number of message exchanges is low (proportional to the number of users), and it allows users to join the system at any time. The obvious drawback is that the tower represents a single point of failure, making airport sequencing and separation services solely reliant on this resource.

3.1.2 Distributed Solutions to Mutual Exclusion

A distributed algorithm for guaranteeing mutual exclusion is generally complex, and sometimes not possible. A fully distributed solution requires a known and stable user group to negotiate the access order and to coordinate the resource use. During a round of negotiations, new users cannot join the group and must wait. In the airport tower example, this would mean that the airport would be closed to new operations during such periods. Knowledge about the state of the shared resource is distributed among all the users and needs to be communicated to all before any action can be taken. In a distributed architecture, all users send time-stamped requests to everybody else in the group using a special time-stamping method that guarantees message ordering [11]. Receivers respond by granting or denying access depending on their state and the message timestamps. Since access to a shared resource requires the permission of all participants in the group, all users are potential bottlenecks. The number of messages exchanged by this approach is on the order of the square of the number of users. Every resource request requires each user to exchange messages with every other user. This algorithm can have multiple failure points and does not scale very well given the large number of messages that need to be exchanged to achieve consensus. As with centralized control, all communications must be reliable.

3.1.3 Tradeoffs: Centralized/Distributed Designs

Even assuming performance could be met by either a distributed or centralized design, other considerations must be weighed. Hildebrand [12] and Harbitter [13] elaborate some general trade-offs between the approaches:

• Bandwidth – Costly bandwidth favors centralized functions since data consolidation and transmission problems have less influence on system performance.

• Cost – Centralization can minimize redundancy, equating to cost savings in staffing and technology.

• Troubleshooting – Hildebrand claims that “there is no doubt that finding and eliminating problems is simpler in a centralized environment”.

• Backup and disaster recovery: a double-edged sword: It is easier to back up and recreate a single entity, but they are more susceptible to site-induced problems such as power outage, etc., and offer no geographic protection.

• Investment – Distribution affords cost sharing and incremental growth, while centralization requires a larger initial investment to establish central resource.

• Security – Centralized approach affords access control and unified guidelines for system participation. Though security exposure is extreme at the central location, it is easier to protect this single asset. Both approaches require “electronic trust” or authentication.

• Reliability and accuracy – Distributed point-source users are motivated by their own discipline, policies, and requirements to keep information current.

• Scalability – Harbitter states, “A distributed strategy has a clear advantage in the area of scalability”.

3.2 Form vs. Function: Scope Matters

The centralization vs. distribution of an approach is in the eye of the beholder. Take for example a simple re-routing of two aircraft to avoid a traffic conflict. From a pilot’s perspective, the system is highly centralized. The local actors, the pilots, have no direct control of the aircrafts’ closure geometry, and rely on a central, common resource (a controller) to resolve the problem. However, looking at the bigger picture of resolving traffic conflicts in the NAS, the problem is distributed amongst many localized control facilities and controllers, with little coordination related to this function.

As described above, centralized technology does not necessarily imply the same centrality in function. Discrimination between the nature of a function and its implementation is important. A function can be a local, distributed one such as traffic light switching at a busy intersection that is also implemented locally, e.g. with sensors and relay switching at the intersection. However, one could also consolidate local data to a central repository and analysis function that determines an appropriate response to the sensor data and returns an action to the localized system. Continuing the example, if the system at hand was not considered to be an intersection, but rather light control along a busy stretch of road, some level of synchronization and information sharing between the local intersections would be required. Synchronization alone does not necessitate a centralized approach, however, as Strogatz and Stewart demonstrated with their study of self-organizing oscillators [14]. Yet the net effect can be considered to be a global rather than local functionality.

4 Functional System Design

The concept of form following function does not by itself constitute a comprehensive design guideline. Granted, the form must complement the function, but what are the necessary functions for a complex system-of-systems in general and how are these functions manifest in the ATS? A first place to look is the literature, where we find that Beer spent much effort struggling with this question. Beer concluded that irrespective of a complex system’s form, there is indeed a set of necessary and sufficient functions to ensure its viability. He concluded that viability was maintained by engaging in different activities, keeping them from interfering with each other, managing them together, and providing for review of the former in light of the system’s future interests.

Once the system-of-systems’ functions are established, an idealized system architecture or form is developed, necessitating a high-level operational concept and goal-set. Subsequently, operational, practical, and pragmatic constraints are heeded, morphing the idealized system to a down-to-earth detailed design which outlines the interfaces between member systems, legacy systems to remain, etc. The result is a system-of-systems design, potentially implemented both centrally and distributed as required within technical and political realities, rather than letting the realities over-constrain the solution. This becomes a target end state model. Then the work of transformation begins: actions that react to and motivate the changing of constraints to move the system toward the target model.

5 A Design Example

An example of an ATM operation stemming from functional system design is the Small Aircraft Transportation System Higher Volume Operations (SATS HVO) concept which was developed to increase the utilization of non-towered, non-radar airports. At the heart of SATS HVO are sequencing and separation functions that were implemented in an innovative, efficient way given the objectives and constraints of the system.

The SATS HVO concept relies on a volume of airspace around an airport where pilots assume responsibility for self-separation using onboard equipment and datalink communications together with published procedures [15]. Pilots approaching the airspace are given sequencing information by an automated function at the airport that represents a (locally) centralized form of control. It implements the critical function of mutual exclusion by informing pilots of their relative landing order. Airborne automation providing separation, as described in the concept, represents a distributed form of control otherwise centralized in the ATS. These design choices were derived directly from the application of a functionally-formed air traffic system-of-systems.

Research suggests that SATS HVO can safely provide a 4 to 5X increase in operational capacity relative to today’s operations. While these results may not be typical of potential benefits across the ATS, they are an indication that further application of these functional system-of-systems approaches is worthy of pursuit for ATM design.

6 Conclusions

Some ATM researchers call for a largely centralized solution [16] while others have argued for one that is completely distributed [6]. Not surprisingly, a future system at either extreme has been a hard sell, considering the limitations of scale, safety, security and performance concerns that they both can have. Hybrid solutions have slowly been winning converts in the mainstream ATS research community. There are attributes of both approaches that influence functional performance which may cause one to be preferred over the other for implementations of specific functions within the system.

Regardless of these caveats, there are some generalizations concerning centralized vs. distributed approaches to ATM functions that may be illuminating:

• Mediation of a shared, high demand resource favors a centralized approach. Regulating a scheduled over-demand in this manner minimizes opportunities for deadlocks or inaction.

• Optimization in situations with sizable resources favors a distributed, localized approach.

• Optimization of limited local resources demands a “local” centralization.

• Very short-period functions, e.g. collision avoidance, may require autonomic-like, distributed approaches.

• Many functions are best acted upon locally in a distributed fashion with centralized oversight.

This latter point is supported by the direction that flow management is going. Spacing also may be seen to fall into this category. It is likely that distributed implementations of spacing tools amongst aircraft will be affordable augmentations to already sophisticated on-board automation in the near future. While spacing is currently accomplished via a combination of ground-generated speed targets and airborne execution, the inner-closed-loop control dynamics beg for local management while outer loop or higher order functions, such as providing interval targets based on traffic flow, could be centralized.

Though it is important to update the system to enable its continued, day-to-day maintenance, there is also a need to ensure the system will meet its goals under future demand. Changes aimed at this latter effort should not be entirely limited by today’s operations. Granted, an operationally critical system-of-systems such as air transport cannot be shut down and rebuilt from the ground up. However, changing the ATS substantively may require revisiting current policy and future goals, and focusing transition to a system more aligned with its objectives within realistic constraints. This requires revisiting the basic functions on which the current system operates and the form of its control. This in turn will require a systematic, functionally-based approach to future ATS design. A functionally-formed system may afford scalability and minimal constraint obliged by system science.

If we don’t take a functional approach to design and let ourselves continue to be led by “technology push” and political pull, we will not realize the full potential of the ATS. As air traffic demand grows and changes in nature, the ATS may quickly run into gridlock, or worse, into a scenario where its stellar safety record is compromised.

7 References

[1] Cistone, “Next Century Aerospace Traffic Mgment: The Sky is no Longer the Limit”, J. of Aircft, v.41, n.1, 2004

[2] Keating et al, “Systems of Systems Engineering”, Engineering Management Journal, v.15, n.3, 2003

[3] Transportation Secretary Mineta, speech to the Aero Club of Wash., US DOT, Jan 27, 2004, www.dot.gov

[4] Leonard, “A Viable System Model: Consideration of Knowledge Management”, Journal of Knowledge Management Practice, v.1, August 1999

[5] Shea, “Standard Terminal Automation Replacement System”, NATCA testimony to US Congress, March 2001

[6] Hoekstra et al, “Free flight in a Crowded Airspace”, 3rd US/Europe ATM R&D Seminar, Napoli, Italy, June 2000

[7] May & Beck, “Architecture for tomorrow’s administrative systems”, PennPrintout, U. of PA, 9:6, 1993

[8] Watts, Small Worlds, Princeton Univ. Press, NJ, 1999

[9] Tanenbaum and van Steen, Distributed Systems: Principles and Paradigms, Prentice Hall, 2002

[10] Sycara, K., “Multiagent Systems”, AI Magazine, American Assoc. for Artificial Intelligence, p79-92, 1998

[11] Lamport, “Time, Clocks and the Ordering of Events in a Distributed System”, Communications of the ACM, vol 21, no. 7, pp558-565, July 1978

[12] Hildebrand, “Weighing centralized, distributed data centers”, Storage, Feb 2003

[13] Harbitter, “A critical look at centralized & distributed strategies for large-scale justice information sharing applications”, Intg’d. Justice Info Sys Monograph, 2004

[14] Strogatz and Stewart, “Coupled oscillators and biological synchronization”, Scientific American 269 (6):102-9, 1993

[15] Williams et al, “Preliminary Validation of the SATS HVO Concept”, 24th ICAS, Yokohama, Japan, 2004

[16] Erzberger & Nedell, “Design of Automated System for Management of Arrival Traffic”, NASA TM-102201, 1989
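
Added example (not from the paper): a Python sketch of the two mutual-exclusion forms compared in sections 3.1.1 and 3.1.2, counting messages and showing what happens to availability when one party goes silent. The distributed side follows the time-stamped request/permission scheme the text describes (the Ricart-Agrawala pattern over Lamport clocks [11], a name the paper does not use); tail numbers, function names and the reliable but unordered network are assumptions, and acknowledgements are not counted.

```python
"""Runway mutual exclusion two ways, counting protocol messages.

Constructed example: tail numbers, function names and the reliable,
arbitrarily-ordered network model are assumptions, not taken from the paper.
Acknowledgement traffic is not counted.
"""
import random


def centralized(users, arbiter_up=True):
    """Section 3.1.1: one arbiter (the tower) owns the runway state.

    Returns (landing_order, messages_sent).
    """
    messages, waiting, order = 0, [], []
    for user in users:
        messages += 1                    # REQUEST -> arbiter
        waiting.append(user)
    if not arbiter_up:                   # single point of failure: nobody is served
        return order, messages
    for user in waiting:                 # first-come, first-served queue
        messages += 1                    # GRANT -> user
        order.append(user)               # user holds the runway alone
        messages += 1                    # RELEASE -> arbiter
    return order, messages


class Peer:
    def __init__(self, name):
        self.name = name
        self.clock = 0                   # Lamport logical clock [11]
        self.request = None              # (timestamp, name) of own pending request
        self.replies = 0
        self.deferred = []               # requesters not yet answered
        self.holding = False


def distributed(users, seed=0, silent=None):
    """Section 3.1.2: every user needs permission from every other user.

    `silent` names a group member that never answers (failed or out of range).
    Returns (landing_order, messages_sent, max_simultaneous_holders).
    """
    rng = random.Random(seed)
    peers = {u: Peer(u) for u in users}
    pending, order = [], []
    messages = max_holders = 0

    def send(kind, src, dst, stamp):
        nonlocal messages
        messages += 1
        pending.append((kind, src, dst, stamp))

    for p in peers.values():             # every live user asks at the same instant
        if p.name != silent:
            p.clock += 1
            p.request = (p.clock, p.name)    # ties on time are broken by name
            for other in users:
                if other != p.name:
                    send("REQUEST", p.name, other, p.request)

    while pending:
        # Delivery order is arbitrary; local LEAVE events are mixed in as well.
        kind, src, dst, stamp = pending.pop(rng.randrange(len(pending)))
        p = peers[dst]
        if dst == silent:
            continue                     # lost on the dead member, never answered
        if kind == "LEAVE":              # local event, not a network message
            p.holding, p.request = False, None
            for waiter in p.deferred:
                send("REPLY", dst, waiter, (p.clock, dst))
            p.deferred = []
            continue
        p.clock = max(p.clock, stamp[0]) + 1
        if kind == "REQUEST":
            # Defer while holding the runway or while our own request is older.
            if p.holding or (p.request and p.request < stamp):
                p.deferred.append(src)
            else:
                send("REPLY", dst, src, (p.clock, dst))
        else:                            # REPLY: one more permission collected
            p.replies += 1
            if p.replies == len(users) - 1:
                p.holding = True
                order.append(dst)
                holders = sum(x.holding for x in peers.values())
                max_holders = max(max_holders, holders)
                pending.append(("LEAVE", dst, dst, None))
    return order, messages, max_holders


if __name__ == "__main__":
    for n in (2, 5, 10, 20):
        fleet = [f"N{i:03d}" for i in range(n)]      # constructed tail numbers
        print(n, centralized(fleet)[1], distributed(fleet)[1])
```

For five aircraft the arbiter uses 15 messages and the peer scheme 40, and the gap grows with the square of the group size. A silent arbiter or a single silent peer each leave the runway unallocated, which is the "single point of failure" and "all users are potential bottlenecks" behaviour the two sections describe.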