Bernd, I still believe that there are weaknesses in the development of your scenario (#101).
In particular the omission of the overall time frame, and I believe, a biased rational for the controller’s choice of action. Yes it can happen but is it realistic - probabilities?
Re your “But we know that at Ueberlingen they did collide, and what makes my hypothetical setup sufficiently different from Ueberlingen that everyone seems to be confident it would not be a problem?”
I don’t think that anyone is saying that they are confident it is not a problem just that it appears to be sufficiently improbable. The analogy is that aircraft are certificated as being safe to fly, but some crash, more often with human involvement.
ATC Watcher, asked if Ueberlingen could happen again (#1), I replied yes.
I sense that I could become the focus of a pincer move between you and ATC Watcher; thus having identified conflicting traffic (in an uncontrolled environment), I now deviate from my flight path!
Peter, ATC Watcher, my description of safety certification was somewhat simplistic and is more related to aircraft certification and installed systems. In these instances the certification ‘does’ show the appropriate probability. However, for a combined ATC/TCAS system I would struggle to find any such rigorous analysis; and perhaps it is this aspect which is causing concern. Therefore in this discussion I believe the ‘safer’ option is for me to withdraw all numerical examples.
However, for
Bernd’s scenario and Peter’s 3 aircraft problem, perhaps looking at such things as a probability density function for the risk of collision might identify non-perfect solutions but ones with acceptable risk?
Being sceptical of independent papers and manuals, I would ask if the rare case actually induced a collision or a only a flight path conducive to a collision, i.e. a change in the level of risk (relative vs absolute). Similarly, the ‘rare case’ would in my way of thinking require an associated probability.
The increasing concern may be heightened by ‘near miss’ reports and crew error in TCAS operation. Near misses are interesting, particularly if viewed from different areas. For ATC, anything less than 5nm and 1000ft is a cause for concern, whereas a pilot, 1nm of 500ft may appear safe, and more recently anything that does not result in a TA. So ATC quite rightly ask questions about the overall system, and pilots are currently happy with TCAS's anti collision qualities. ( I caution myself to be aware of “ a threat to safe operation, which … people did not believe existed (numerically), or did not whish to believe posed a significant risk” (#87))
I am not writing this problem off, nor would I be surprised to learn that the ATC/TCAS safety case was accepted directly from N America without proof, and perhaps it is only now that we find weaknesses or at least difficulties in providing data (probabilities) for proving a level of safety.
Of course the problem might actually be in the process of determining the safety level, what is the required value and how is such a system, with its many human contributions, to be certificated? ... Automation?