PPRuNe Forums

Tech Log - TCAS philosophies (https://www.pprune.org/tech-log/291507-tcas-philosophies.html)

robin 24th Sep 2007 20:28

Sorry

This bit of the thread is baffling me.

I assume that most of those posting are talking about the situation in Class A and B airspace.

In my limited experience, mainly outside of this type of airspace, taking TCAS over ATC is quite dangerous. In Class G, for example, there are many a/c either not squawking or using Mode A only. For them to ignore an ATC contact and only work off their TCAS seems to be perverse.

PBL 24th Sep 2007 20:46

robin,

whose "Class A, B, G airspace" are you talking about?

PBL

robin 24th Sep 2007 20:57

The UK's airspace

ATC Watcher 24th Sep 2007 21:41

I do not want to interfere too much in this fascinating debate but there are a couple of misconceptions and assumptions (most coming from Fullwings) that I’d like to correct:
Fullwings :

Yes but those instructions came too late to stop the aircraft coming within 7NM of each other at the same level, on a collision course. That, by definition, is a "failure of separation". "Late ATC intervention" is a "failure of separation", involving much form filling, suspension of the individuals involved, official reports, etc. I'm coming to think your definition of "separation" is "not actually hitting each other", which is not an industry standard!
Not quite. In real life, late ATC intervention is rather common for various reasons, not all due to ATC errors, and in 99,9999 % of the cases it solves the problem. There is no consequence. If a controller had to be replaced every time he uses the word “expedite” there will be little staff left in my center!
ATC works on establishing separation (typically 1000 ft and 5 NM).
TCAS was not designed to re-establish separation. It was designed to prevent metal from touching each other.
(In most cases TCAS missed distance is unlikely to be more than 300 feet.)
Mixing the 2 leads to misconceptions on how both work in real life.
The misconception that once you get below “separation” a controller should not issue any instruction is totally wrong and dangerous. ATC is responsible to provide separation, and anti collision avoidance at all times, unless the PIC in command has informed him that the crew is following an ACAS RA. From this moment on, pilot takes over responsibility of anti collision from ATC, but before that moment, the controller is responsible, above or below 5NM.
The problem we encountered in Ueberlingen (and in many other less dramatic incidents) is that ACAS intervenes BEFORE separation is lost, and pilots do not inform ATC that they are following an RA, enforcing the controller’s mind that everything is still under HIS control, and might even continue to issue instructions well after TCAS has interfered.
Note: As a controller you do not know if an aircraft has a functioning TCAS or not (e.g.: one can fly 10 days with a U/S unit) and the same service is given regardless of having TCAS or not.
Fullwings :

From a pilot's POV I have to assume that there has been a failure of ATC when in receipt of an RA and act appropriately.
From my ATC experience and recorded data, until very recently, most RAs were not due to ATC but caused by excessive vertical rates by crew. Therefore the ICAO note to reduce vertical rate before leveling off.
There are many non-ATC other cases, such as ghost targets, or level busts for instance, that are causing RAs.
The notion that an RA only occurs when ATC has failed is wrong.
Lastly :
Fullwings again :

Or it's a cruise missile, a weather balloon, a flying saucer, a flock of birds, etc. Very easy to find edge cases where the system may not work but how realistic are they in a positive radar environment? If you stray into the path of a UFO during an RA it's just not your day is it?
Not a UFO, but a military a/c (quite a few where I come from) or an out of tolerance SSR that will not be accepted by TCAS, but visible on radar.
In my ATC system, an SSR failure will be compensated and tracked on primary, that one too will be invisible on TCAS. Remember that I have legally to separate aircraft from what I know.
If ATC instructions differ from what TCAS is telling you, there you have a dilemma. Do I have, as a controller, the right picture, with every player, moving as my radar tells me, or does TCAS have the correct solution? You will never know until you try, but either way, it is not a 100% guarantee that what you chose is the correct action.
Finally:
Bsieker :

The problem is when you get conflicting advice from ATC and TCAS, particularly if in the order:
- ATC advice
- starting following ATC
- TCAS RA
This is indeed one of the real issues. Seeing the data I see, all post 2002, leads me to believe that we have not solved the problem yet and that another accident is probable.

PantLoad 25th Sep 2007 00:40

My company's SOP
 
At my company, the SOP is to ALWAYS FOLLOW THE TCAS RA, except in cases of windshear, terrain warnings, and stall warnings. We are to follow the RA, and as soon as practical, inform ATC of the RA maneuver.

THIS INCLUDES FLIGHT IN VMC WHERE THE OFFENDING TRAFFIC IS IN SIGHT. (Is what you're looking at really the conflicting traffic, or is there another aircraft out there that you don't see, that's about to hit you!!!!)

The logic is this: The RA is a coordination between two aircraft with TCAS. The two TCAS computers have identified a conflict and have devised a resolution. Failure of one aircraft to follow the plan...will screw things up...since nobody tells the TCAS computer of aircraft #2 that the pilot(s) of aircraft #1 has decided to do his own thing.

At my company, several years ago, there was a major $%%^&. One of our flights was departing a Florida airport...climbing out...received a TCAS RA. The flight was in IMC. They followed the RA...as per SOP...but, immediately afterward, got a second RA. They followed it, as per SOP, as well.

At first thought, one would assume that the second RA was due to the following of the first RA. After the BIG investigation, it was determined that the controller, that morning, suffered from a major brain fXrt...and the two conflicts were real...and the second one was not due to the crew following the RA of the first conflict...it was the real thing, too.

Now, the crew figured they were having a bad day, too. What's up with getting two RAs...one right after the other...in IMC!!!!!

Thank God, these guys followed the SOP! Otherwise, we'd be doing a 'coulda, shoulda, woulda' analysis on PPrune!


PantLoad

alf5071h 25th Sep 2007 01:40

FullWings, pursues the more practical and simpler route (#60 onwards), which often the regulatory segments of the industry choose to follow, albeit hidden in the paperwork. This practical approach has been most valuable in persuading the industry of the relevance of new equipment in the threat environment, and the need for standardised (world wide) procedures.
ACAS, like EGPWS and windshear warning systems, has enabled the industry to visualise a particular threat to safe operation, which previously many people did not believe existed (numerically), or did not wish to believe posed a significant risk. We now have growing evidence of the magnitude of the threat and a means (amongst others) of counteracting it.

I suspect that ACAS will continue to evolve (refinable) as did GPWS. I further suspect that any significant ‘failures’ in the overall ACAS safety system will originate from human error at the point of operation and not at the point of design, again compare this with EGPWS and the many incidents of incorrect crew action (again a suspicion, not provable).
The greater problem for the industry is how to get pilots to follow the ‘instructions on the tin’; something which applies to many systems and is fundamental to human behaviour.
ACAS may not assist our quest for correct behaviour in its use of terminology, e.g. using ‘advisory’ and ‘resolution’ (legal/engineering bias) when describing situations which warrant much higher or urgent levels of alerting and warning. These terms may mislead non English speaking pilots or the regulators (often with government/ legal structures) who may apply ICAO recommendations from their perspective and not from that of the crew. But such is the outcome of the worldwide adoption of a system based on a single national culture, perhaps without the necessary depth of understanding and debate on its design philosophy and operation.

ATC Watcher identifies a significant issue with the ATC/ACAS system, perhaps the issue; communications. The ATC based anti collision avoidance depends on communications at all times. Communications are fallible; even the alleviating action of the aircraft informing ATC of an ACAS manoeuvre depends on communication. Until this problem is resolved then there is a role for ACAS.
From the descriptions above, I see ATC anti collision avoidance as the strategic activity, generally proactive, but reactive when necessary and if the conditions (time) allow. ACAS is the tactical, reactive system; the last line of defence and thus at the time of warning it must have precedence.

There are similarities here with CFIT. ATC can provide early defences with safe altitudes and alerts, but still suffer problems of communication in the reactive sense, e.g. delays in transmitting MSAW warnings. EGPWS again provides the tactical, last line of defence.
For both ACAS and EGPWS, the success of these systems depends entirely on the crew following the instructions.

Peter Re PhD; x,y,z, = the 3 aircraft, but let's use your coordinate system. Am I correct in assuming that the 3D solutions to the quartic equation are inside the ACAS alerting area, and thus are realistic solutions for the risk of collision and not just imaginary space-time zones?

joernstu 25th Sep 2007 02:58


Originally Posted by FullWings
If I'd set two aircraft on a collision course in error I'd want something to manipulate the outcome of my instructions!

You assume that the instructions inevitably would have led to a collision.


Originally Posted by FullWings
Never heard/seen any complaints myself, especially from people who understand how the systems work.

Controlling the airspace by radio communications takes time. A controller telling one aircraft to descend, the other to climb or maintain altitude can make these instructions only sequentially. In this scenario the controller's instructions would have prevented a collision.

If the TCAS system recognises this collision threat and if the second instruction was made not timely enough, TCAS issues an RA, which can be inverted to the controller's instructions.

Now, the controller cannot judge the situation and actions of the aircraft under his control. He can only pray, that they solve the conflict on their own. Hardly a mental state I want to be in.:bored:

PBL 25th Sep 2007 04:31

robin,

The UK is unusual in offering some level of IFR separation through ATC in its Class G airspace. Most countries, such as the US, only offer separation in Class G airspace through flight planning (that is, ATM not ATC).

Most TCAS-equipped kit will be flying most of the time in Class A or B airspace, and (in most countries) ATC is not going to be providing separation under IFR for Class G airspace, so TCAS-ATC interactions in Class G airspace would not be an issue in most countries. However, I have no experience with IFR in Class G airspace in the UK, so I can't usefully comment on that.

PBL

PBL 25th Sep 2007 04:48

alf,

I don't necessarily agree that *the* issue with ACAS/ATC interaction is communication. The communication issue would theoretically be solved by having secondary radar interpret and display the Mode S interactions between two TCAS-equipped aircraft undergoing an RA sequence.
Under a TCAS RA manoeuvre, the aircraft involved can well depart cleared airspace. That means that the controller has suddenly to replan, and that may neither be desirable nor, in some circumstances, possible, perfect communication or not.

And since TCAS may (and does) propose manoeuvres when aircraft are still legally separated, (and in the case of "zoom climbs" the crews likely will not bust their clearance) that means this replanning problem may be artificially introduced.

I must say that it does surprise me that, even at this late date, many line aircrew seem to be unaware of the problems of TCAS/ATC interaction. (For example, FullWings suggested he wasn't aware of problems; ATC Watcher implicitly pointed out that he was aware of lots.) I could have understood it, say, a decade ago, but I don't understand it five years after Überlingen.

I think some of it may be due to Eurocontrol's and others' attempts to impose uniform RA behavior on aircrew. If you are trying to get all pilots everywhere to follow an RA, it works against that message to publicise all the incidents in which TCAS might prompt inadvisable or unnecessary manoeuvres. So the incident narratives are suppressed (to which phenomenon I can attest, having tried to get data on TCAS incidents).

I originally said that I am not taking a stand on whether this is a "good" or a "bad" thing; that I was simply noting a phenomenon. That is not quite true; I do take a stand. I am for transparency of information on all safety-relevant systems in which there is a public interest. Just as the UK has an Airprox Board that reports publically on all designated near misses, I think data on TCAS manoeuvres should be publically collected and publically analysed and displayed.

Then maybe we would not see such travesties as Eurocontrol's declaration in their EUR-RVSM Safety Case that they had not identified any anomalous ACAS-RVSM interactions and that therefore they did not need to address such potential interactions in the Safety Case (even after I pointed such out to them, they maintained their "view").

PBL

PBL 25th Sep 2007 08:31


Originally Posted by PantLoad
The logic is this: The RA is a coordination between two aircraft with TCAS

Exactly. And one of the questions is, if you have been following this thread, what does it do with *three* aircraft?

Answer: no one actually knows, but many people seem to assume it will just be OK.

PBL

PantLoad 25th Sep 2007 12:29

Yes, good question!!!
 
PBL,

Yes, good question!!!!

In the case of my company's incident that occurred several years ago, I honestly don't know the version of TCAS that was installed on our aircraft at that particular time. But, the TCAS system worked for the two conflicts. The second conflict occurred almost immediately after the first.

But, who knows what would happen if two or more conflicts occurred at exactly the same time...from two or more different directions...two or more different altitudes!!!!!

I guess, if that happens to you, you can definitely classify that as a 'bad day'!!!! :rolleyes:


PantLoad

FullWings 25th Sep 2007 21:34

Wow, seems to be a lot of interest in this subject... Shame I can't post from the jet (yet!).

ATC Watcher,


ATC is responsible to provide separation, and anti collision avoidance at all times
Absolutely. I have stated that quite positively.


The notion that an RA only occurs when ATC has failed is wrong.
Not what I said. What I am saying is that the penalty for assuming that TCAS has got it wrong (and being wrong in that assumption) is much higher than for assuming ATC has got it wrong (and being wrong in that assumption). Apply a bit of logic to that and you can see why I'd follow an RA. It's a sort of Pascal's Wager for aeroplanes...


If ATC instructions differ from what TCAS is telling you, there you have a dilemma. Do I have, as a controller, the right picture, with every player, moving as my radar tells me, or does TCAS have the correct solution? You will never know until you try, but either way, it is not a 100% guarantee that what you chose is the correct action.
At the end of the day it's down to probabilities, isn't it? In order to hit an aircraft during an RA (assuming you're following the guidance correctly) there would have to be another aircraft in addition to the one(s) that gave you the RA that a) Doesn't have a working TCAS or transponder and b) just happens to be in exactly the right place at the right time. I would suggest (although I haven't published a paper on it yet) that you are much more at risk from the *known* target(s) you are avoiding because of a *definite* risk of collision than the *unknown* ones that *might* be there (or not)?

alf5071h,

The voice of reason, as always.

joernstu,



Originally Posted by FullWings
If I'd set two aircraft on a collision course in error I'd want something to manipulate the outcome of my instructions!
You assume that the instructions inevitably would have led to a collision.
If you (as a controller) have sent two aircraft directly at each other and there is no further intervention (from you, pilots, TCAS, etc.) then they're going to collide. ATC in Africa have plenty of practice at setting this up!


Controlling the airspace by radio communications takes time. A controller telling one aircraft to descend, the other to climb or maintain altitude can make these instructions only sequentially. In this scenario the controller's instructions would have prevented a collision.
We don't know. ATC voice instructions have a very high potential latency compared with TCAS interactions. If there are other aircraft on the frequency and one transmits for, say, 20 seconds then there is no chance to issue any avoiding instructions until too late. The situation becomes worse because if a potentially serious conflict is noticed by pilots, one of the first things that often happens is they check with ATC about the situation, thereby blocking information flow from ATC to the pilot(s); Standard VHF R/T is only half-duplex.

FullWings 25th Sep 2007 22:16

PBL,

Taking some comments out-of-order...


...I do take a stand. I am for transparency of information on all safety-relevant systems in which there is a public interest. Just as the UK has an Airprox Board that reports publically on all designated near misses, I think data on TCAS manoeuvres should be publically collected and publically analysed and displayed.
I can't disagree with that, although "public" should really mean interested academic groups, IMHO, unless you want it all appearing in the Daily Mail under "Killer Deathjets in Head-on Plunge!!"


If you are trying to get all pilots everywhere to follow an RA, it works against that message to publicise all the incidents in which TCAS might prompt inadvisable or unnecessary manoeuvres.
Without wishing to be rude, I think you've got it slightly backwards. What we really don't need is people going around responding to RAs with Manoeuvre($Random). I'm sure you can see that?


So the incident narratives are suppressed (to which phenomenon I can attest, having tried to get data on TCAS incidents).
I'll take your word for it. I suppose you might have to cross proprietary and DPA boundaries to get this information as an individual, although I'm sure that agencies such as the AAIB and CAA would have as much access as they desired?

Maybe what needs to be done is to run a series of simulated encounters, no, let's make that a *lot* of encounters, using the actual software involved and analyse the results, possibly making changes to the software... Hmm I wonder if anyone has ever done that? (Sorry, been up for 36hrs after a delayed nightflight so am a bit sarky. ;) )

joernstu 26th Sep 2007 07:02


Originally Posted by FullWings
If you (as a controller) have sent two aircraft directly at each other and there is no further intervention (from you, pilots, TCAS, etc.) then they're going to collide.

If this really is the case, how do you explain, that not every loss of separation situation inevitably leads to a mid-air?

I understand that you - and many companies' SOPs - instruct the crew to follow the TCAS RA. This will be the solution for 2 aircraft situations, which are the most probable to occur. But this threat is not only about what TCAS can do, but also about what it cannot do - and the effects the TCAS design produces.


ATC in Africa have plenty of practice at setting this up!
I imagine, there is a reason for stagger and right-of-way rules in poorly monitored areas.:)
But if the African ATC is so capable in producing dangerous situations, and the probability of aircraft flying without operational TCAS is highest in poor regions like Africa, why don't we hear about more mid-air collisions over Africa in the news?


We don't know.
So, there is a probability, that ATC will not solve a critical solution. But why does it sound to me, that you weigh the probability of shortcomings in the TCAS system more lightly, than you weigh an ATC instruction not solving a conflict situation. (Note that the scenario was not about latency in communications, preventing the crew to get the instruction.)


ATC voice instructions have a very high potential latency compared with TCAS interactions. If there are other aircraft on the frequency and one transmits for, say, 20 seconds then there is no chance to issue any avoiding instructions until too late. The situation becomes worse because if a potentially serious conflict is noticed by pilots, one of the first things that often happens is they check with ATC about the situation, thereby blocking information flow from ATC to the pilot(s); Standard VHF R/T is only half-duplex.
Latency and problems with half-duplex communication are well known problems, but what would solve this? I don't think that one can rely on technical conflict solution as much, as would be necessary for freeflight, e.g..
Perhaps the introduction of full-duplex digital communications and transmission of digitized instruction, with person-to-person communication being an exception for uncommon situations could help, but their impact on aviation safety is still unknown.

bsieker 26th Sep 2007 07:44


Originally Posted by FullWings
If you (as a controller) have sent two aircraft directly at each other and there is no further intervention (from you, pilots, TCAS, etc.) then they're going to collide.

Only if
- they're going directly head-on
- both are flying very accurately.

The latter is usually true these days with high-precision navigation, although some oscillations around the exact altitude are normal for every feedback-control loop. (I don't know about other types, but Airbus FBW aircraft's autopilots have a "soft-altitude" mode for cruise that allows up to 50ft deviation to reduce thrust changes for comfort and economy.)

As to the first point, of the two recent Mid-Airs, only in one were they going in directly opposite directions (GOL/ExelAire), in the other (Bashkirian/DHL) they were at around 90 degrees, and for a collision in that setup you have to get it exactly right, otherwise they'll miss.


Not what I said. What I am saying is that the penalty for assuming that TCAS has got it wrong (and being wrong in that assumption) is much higher than for assuming ATC has got it wrong (and being wrong in that assumption). Apply a bit of logic to that and you can see why I'd follow an RA. It's a sort of Pascal's Wager for aeroplanes...
I'm curious what statistic this assertion is based on.

The penalty for both might be a Mid-Air. The DHL crew in the Ueberlingen accident followed the RA to the letter. And were rewarded with a collision.

Consider the Ueberlingen scenario with a slight modification: The Tupolev has, as allowed for dispatch, an unserviceable TCAS system, but fully working transponder.

Thus, the DHL Boeing gets a resolution advisory, but the Tupolev gets none. The Tupolev does get, however, a manoeuvring instruction from ATC ("descend FL350 expedite", iirc). The difference here being between not following an RA versus not getting it. Educate me about TCAS: would the DHL crew have known about the Bashkirian's TCAS being inoperable?


Bernd

FullWings 26th Sep 2007 20:48


...how do you explain, that not every loss of separation situation inevitably leads to a mid-air?
OK. "Separation" in an ATC sense means the horizontal, vertical and time buffers between aircraft. If any of these becomes less than the prescribed value for the type of airspace/aeroplane/service, etc. then there has been a "loss of separation". This does not mean that there has been/will be a collision, simply that the "protected area" around an aircraft has been infringed. If the limit in a particular scenario is 5nm and the aircraft come within 3nm of each other, then that is a "loss of separation"; On the NATS 10 minute separation is applied with 1,000' vertically and 60nm laterally (well, a bit less as you are allowed to offset) - if you end up 8mins apart, action is taken to increase the separation again.


why don't we hear about more mid-air collisions over Africa in the news?
We fly offsets and make position reports to each other on a common frequency. Conflicts are often discovered and managed by the pilots and may not involve ATC at all...


Perhaps the introduction of full-duplex digital communications and transmission of digitized instruction, with person-to-person communication being an exception for uncommon situations could help, but their impact on aviation safety is still unknown.
This sort of thing has been slowly coming for quite a while. We use ADS & CPDLC in remote areas quite a bit now, and are trialling them in the Maastricht FIR. I think we also did a FANS flight from the Southern USA on a direct track to the holding fix in the UK. It's getting there.

FullWings 26th Sep 2007 21:13


Consider the Ueberlingen scenario with a slight modification: The Tupolev has, as allowed for dispatch, an unserviceable TCAS system, but fully working transponder.
Yes...


the DHL Boeing gets a resolution advisory, but the Tupolev gets none. The Tupolev does get, however, a manoeuvring instruction from ATC ("descend FL350 expedite", iirc). The difference here being between not following an RA versus not getting it. Educate me about TCAS: would the DHL crew have known about the Bashkirian's TCAS being inoperable?
Would the DHL crew know about the other aircraft's TCAS? No, unless they'd been told about it.

Would the DHL aircraft's TCAS know about this? Yes. It would treat the Tu-154 as a "dumb" target and expect to be doing all the manoeuvring whilst tracking it.

If two or more TCAS equipped aircraft come into conflict with each other there may be an element of coordination between the TCAS units to decide who does what; e.g. "You go up, I'll go down". This is what makes manoeuvring against an RA potentially serious as other aircraft may have begun to manoeuvre in expectation of a certain manoeuvre from you. It's a bit like indicating left on a busy road then suddenly turning right.

bsieker 26th Sep 2007 22:14

FullWings,

thanks for the reply,

I have no intimate knowledge of the TCAS algorithms, but my point was to see if this was a credible scenario:

- Two airliners, both with transponders, one with serviceable TCAS, the other unserviceable.

- On conflicting trajectories ("collision course")

- TCAS-aircraft gets RA ("Descend, Descend!"), complete with red area, possibly larger than in the case in which the conflict is expected to climb, but I'm on shaky ground on this.

- Non-TCAS aircraft gets ATC-instruction to descend, but, significantly, does not get an RA. (With the instruction to descend to the next FL below, separation is supposedly restored, from an ATC point of view.)

This scenario is facilitated by:

- Lack of knowledge by ATC of RA
- Lack of knowledge by TCAS-aircraft flight crew of lack of TCAS in conflict aircraft
- Rules of dispatch for U/S TCAS unit (10 days, is it?).

If this isn't a clear hazard (read: danger) created by following an RA I don't know what is.

And for this scenario we don't even need to suppose one flight crew disregarding an RA, rules may well be for all operators to always follow the RA!

I'd be grateful for anyone to point out possible factual errors in this one, since I'm not familiar with TCAS internals and the exact conditions under which what kind of RA will be issued by TCAS on encountering a "dumb" target.


Bernd

alf5071h 27th Sep 2007 00:41

Bernd, when setting such a scenario it should be qualified with the probability of it occurring.
Your example assumes one TCAS inoperative, that the strategic defence has already failed (ATC plan), and that the Controller’s command occurs after the TCAS warning. The latter involving a critical time span of approx 30sec.
Then there is the assumption that the two aircraft will manoeuvre precisely as required to result in a collision.

TCAS will command a minimum descent (1500ft/min ? (check spec values)), the manoeuvre assumes a standard crew response time and acceleration (2sec, 1.25g).
The aircraft responding to an urgent ATC command is not bounded by time or acceleration, but experience suggests that it will not be greater than the TCAS manoeuvre.
Thus there is a vast range of variables in both the start and action conditions that will not result in a collision.
However, given that the initial manoeuvres meet the collision criteria, then TCAS will continue to evaluate the situation and can increase the descent rate attempting to avoid the collision.
If you wish to debate the next level of what-if … ATC demands a higher rate of descent for the non TCAS aircraft, then the whole gambit of time, reaction, acceleration, and TCAS counter-counter response starts again. The practical number of what-ifs depends on the total time span, which provides a limit to the scenario.

No doubt in theory a collision scenario can be generated, but to a simplistic pilot this seems most unlikely and thus we are required to trust the overall controller / ACAS system; ergo training / discipline.
The safety certification should show that the probability of the collision scenario is sufficiently extreme to discount it; thence it meets an acceptable level of safety. The principle of aviation safety is that it is not absolute; it accepts that rare events can occur, but the probability of them resulting in death has to be extremely remote (10^-9).
Your approach appears to take the limit case as ‘the’ hazard without qualifying (bounding) it with the probability of its occurrence. Yes it is a real hazard, but if by following TCAS it only occurs in one manoeuvre in 10 million, then the industry accepts that following TCAS is the safer option.

bsieker 27th Sep 2007 08:15

alf5071h,

It is extremely hard, to quantify the probabilities of very rare events.

But here is the reason why I think that it is not too far-fetched, and is a realistic, if rare, scenario to be considered when advocating "Always follow TCAS!".

It is essentially the same scenario as happened at Ueberlingen, the only difference being that at Ueberlingen, the Tupolev did get an RA, but chose to follow ATC instead. And that scenario did result in a collision. In that case, too, the Boeing's TCAS would have monitored the Tupolev's course, and it issued an increase-descend RA.

It has been debated why the Boeing's TCAS did not issue a reversal RA ("CLIMB NOW! CLIMB!") in this instance, as would seem appropriate.


While it may be true that this particular accident could have been avoided, if both pilots had followed their respective TCAS RAs, the Bashkirian crew's actions were rational in light of the perceived three-aircraft-conflict.

But let's look at the decisions of the individuals involved in the modified setup:

- TCAS-aircraft crew:
Get TCAS RA (possibly after a TA)
SOP: follow ATC, except when getting an RA, in which case follow RA
Rational choices available: follow RA
Rational choice taken: follow RA.

- non-TCAS-aircraft crew:
Get ATC instruction
SOP: follow ATC, except when getting an RA, in which case follow RA
Rational choices available: follow ATC
Rational choice taken: follow ATC (in the absence of an RA)

- ATC:
notice conflicting traffic at the same FL
SOP: separate traffic
Rational choices available: issue climb or descend instructions to either of the involved aircraft
Rational choice taken: issue descend order to non-TCAS aircraft

So, ATC could take any of four different choices, but without knowing the circumstances, neither is favoured over the others (perhaps descend instructions are favoured, because it is unclear if the aircraft can climb quickly enough, or if it is even at its operational ceiling). Other factors may make the descend instruction to the non-TCAS aircraft the preferred one.

Are there data available on the availability of TCAS? What, thus, are the chances of two aircraft with inop TCAS "meeting" each other?


Bernd

PBL 27th Sep 2007 09:08

alf,


Originally Posted by alf5071h
The safety certification should show that the probability of the collision scenario is sufficiently extreme to discount it; thence it meets an acceptable level of safety.

"Should" but rarely "does".

The quality of safety certification is a big issue. I have my problems with some of it (see my paper on the EUR-RVSM safety case). The big three issues concerning the U.S. and U.K. principals on certification of dependable-system SW are
* Explicit and accurate statements of dependability claims
* The provision of evidence sufficient to demonstrate those claims
* Transparency: public disclosure of the claims and evidence so that they can (one hopes) be checked through peer review

I just ran a panel session on this at SAFECOMP. It is a problem not just in aviation.

Let me add a bit of personal history for those who like gossip. Back in the days when I was a more assertive debater than the softie I have become :) , I got into a discussion on the Bluecoat list with an ex-MD avionics engineer name of Ray Hudson, who claimed he had seen enough in-flight evidence of the reliability of his systems to justify the usual 10^-9 claim. I said no, Ray, that is not possible and here are the scientific papers that show it definitively. He called me the usual non-pilot, non-avionics names as well as commented frequently on my ancestry; I said that whether or not he had evidence for his claims really didn't depend on how many legs my mother had. Result was that I was made a "participation offer" by Bill Bulfer that I couldn't accept, and departed.

Many years later, this theme has been the subject of a PhD dissertation at Cornell (John Downer) after I suggested it to Trevor Pinch; a main theme in the U.S. National Academy of Sciences Committee on Certifiably Dependable Software Systems recent report on just that; a major public concern of the U.K. principals in BSI oversight of IEC 61508 (the non-aviation international standard on functional safety of programmable electronic systems), and subject of concern in major non-aviation sectors (such as the automobile industry, which, in contrast to aviation, really does have kit that goes 10^9 operational hours - and sometimes more). As well as my panel at SAFECOMP. And Bluecoat appears moribund. Bad call by BB :p

PBL

joernstu 27th Sep 2007 09:49

@bsieker

I think the chances of your scenario leading to a mid-air collision will be rather low. As my knowledge of TCAS algorithms is mostly based on the Ueberlingen accident report, it is an educated guess, though.

This is how I think the system will work:

aircraft 1 (TCAS) gets RA descend.
aircraft 2 (ATC) gets instruction descend.

Both aircraft will descend following SOPs (1.25g, reaching approximately 1500ft/min descent rate).

TCAS onboard aircraft 1 will monitor conflict situation. If aircraft 2 is lower than aircraft 1, TCAS will issue a Level off or perhaps a Reversal RA; if aircraft 1 is lower than aircraft 2, it will issue an Increase RA. In case the altitudes of aircraft 1 and aircraft 2 are identical, I think TCAS would vote for an increase RA, as this would probably be more comfortable for the passengers and the course of action would be more straightforward (but this is only a guess).

In the Level off/Reversal RA scenario, aircraft 2 will continue its descent with 1500ft/min, aircraft 1 will reduce its descent rate. As aircraft 1 was above aircraft 2, the chances are that both aircraft will avoid a mid-air.

In the Increase RA scenario, aircraft 1 will increase its descent rate following SOPs (1.25g, reaching approximately 2500ft/min). As aircraft 2 will continue its descent with 1500ft/min and aircraft 1 was lower than aircraft 2, chances are that both aircraft will miss each other.

Both scenarios are based on the assumption that ATC does not give further instructions to aircraft 2 after the first "descend" order.

If ATC was monitoring the situation, the controller could have noticed that aircraft 1 was descending. In this case, he/she could have issued a "level off" order to aircraft 2.

This case only has an impact on the "Level off/Reversal" Scenario above, where it would reduce the chances of both aircraft avoiding a mid-air.

But the premises for this last scenario would be rather high, as conflict recognition systems at ATC most probably will identify the conflict situation between aircraft 1 and 2, influencing the controller's actions.
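The two follow-up cases joernstu describes above, worked through as a vertical-only simulation. This is an added example, not part of the post and not the TCAS logic itself: the decision rule is the poster's guess, the rates (1500 and 2500 ft/min), the 1/4 g change in load factor and the 5 s initial response are figures quoted in this thread, and every other timing and the starting offsets are assumptions.

```python
"""Vertical-only model of the follow-up cases in the post above (constructed values)."""

G_FT_S2 = 32.174            # standard gravity, ft/s^2
ACCEL = 0.25 * G_FT_S2      # "1.25g" manoeuvre = 0.25 g change in load factor
DESCEND = -1500 / 60        # ft/s, initial RA / ATC descent rate quoted in the thread
INCREASE = -2500 / 60       # ft/s, increase-RA descent rate quoted in the thread

RA_RESPONSE = 5.0           # s, crew response to the first RA (quoted in the thread)
# The three timings below are assumptions made for this example only.
ATC_RESPONSE = 8.0          # s, aircraft 2 starts its ATC-instructed descent
FOLLOWUP_AT = 15.0          # s, the model picks the follow-up RA for aircraft 1
FOLLOWUP_RESPONSE = 2.5     # s, crew response to the follow-up RA


def approach(rate, target, dt):
    """Move a vertical rate toward its target, limited to ACCEL."""
    limit = ACCEL * dt
    return rate + max(-limit, min(limit, target - rate))


def simulate(offset_ft, atc_level_off_at=None, t_cpa=35.0, dt=0.05):
    """Return (follow-up RA, altitude of aircraft 1 minus aircraft 2 at t_cpa).

    offset_ft is how far aircraft 1 starts above aircraft 2; t_cpa is the
    assumed time at which the two tracks cross horizontally.
    """
    alt1, alt2 = float(offset_ft), 0.0
    rate1 = rate2 = 0.0
    followup, followup_target = None, DESCEND
    for i in range(round(t_cpa / dt)):
        t = i * dt
        # The poster's guess: aircraft 1 lower or level -> increase descent,
        # aircraft 2 lower -> level off (the reversal option is not modelled).
        if followup is None and t >= FOLLOWUP_AT:
            if alt1 <= alt2:
                followup, followup_target = "increase", INCREASE
            else:
                followup, followup_target = "level_off", 0.0
        if t < RA_RESPONSE:
            target1 = 0.0
        elif followup and t >= FOLLOWUP_AT + FOLLOWUP_RESPONSE:
            target1 = followup_target
        else:
            target1 = DESCEND
        if t < ATC_RESPONSE:
            target2 = 0.0
        elif atc_level_off_at is not None and t >= atc_level_off_at:
            target2 = 0.0   # controller's later "level off" order to aircraft 2
        else:
            target2 = DESCEND
        new1 = approach(rate1, target1, dt)
        new2 = approach(rate2, target2, dt)
        alt1 += 0.5 * (rate1 + new1) * dt   # trapezoidal integration
        alt2 += 0.5 * (rate2 + new2) * dt
        rate1, rate2 = new1, new2
    return followup, alt1 - alt2


if __name__ == "__main__":
    for label, kwargs in [
        ("same level", {"offset_ft": 0}),
        ("aircraft 1 starts 100 ft higher", {"offset_ft": 100}),
        ("same, ATC levels off aircraft 2 at 20 s",
         {"offset_ft": 100, "atc_level_off_at": 20.0}),
    ]:
        kind, sep = simulate(**kwargs)
        print(f"{label}: follow-up={kind}, vertical separation={sep:+.0f} ft")
```

With these assumed timings the increase case ends with roughly 350 ft between the aircraft and the level-off case with roughly 420 ft, while a level-off order to aircraft 2 at 20 s shrinks the latter to under 100 ft.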

Bus14 27th Sep 2007 09:56

Peter,

Totally off-thread, but I'd rather follow a moribund thread on Bluecoat than a lively one in this place. Isn't there enough water under the bridge for you and Rainman to come back, collectively or individually, to liven the old place up?

bsieker 27th Sep 2007 10:10

Joern,

I agree with you that what you describe is a likely outcome. I don't think, particularly in crossing (as opposed to opposite) traffic, that the chances of a collision are very high, particularly if both aircraft manoeuvre.

But "rather low", as you put it, is not a level of probability I'd be comfortable with if it describes mid-air collisions. I'd prefer "extremely remote". ;)

But we know that at Ueberlingen they did collide, and what makes my hypothetical setup sufficiently different from Ueberlingen that everyone seems to be confident it would not be a problem?

Yes, a lot of factors have to come together, such as land-communications failure, ground based collision warning system failure, high ATC workload, ...

But it does happen in real life. And who can put a number on its probability?

Or even give a sound argument why it is low enough to discount in the face of an actual occurrence?


Bernd

PBL 27th Sep 2007 10:36

Bus14,

Ray lost the argument some years before he began it, so that's not an issue :)

The main points about Bluecoat and my participation are
* I spend much of my time thinking about and discussing accidents. That is a no-no on bluecoat.
* BB's participation philosophy includes careful control of discussion, and that was my real problem. My experience with technical on-line discussion groups, which extends over some 25 years now, is that they are fragile things whose worth is equally shared between the contributions of its "top" members and the occasional decisive intervention by chatterers. So I am not much into control of discussion because one loses the second of those factors.
* I am a bit out of touch now with people and developments in avionics (John Rushby, Paul Miner, Kevin Driscoll and co) and more in touch with rail and automobile people. The problems commercial aviation had, mildly, with digital avionics two decades ago are now beginning in spades with cars, but they are not the same issues. It turns out to be hard to specialise in both.

But I'll think about it.

PBL

FullWings 27th Sep 2007 11:41


While it may be true that this particular accident could have been avoided, if both pilots had followed their respective TCAS RAs
Right. This is the reason we're having this discussion. Technically I agree with the "may" bit too as it covers probabilities down to "unlikely, even during the total lifespan of the universe". What Alf & I have been saying is that the aviation industry and regulators, using available data, are satisfied that TCAS provides the best protection in a very short-term conflict, if the commands are followed.


...the Bashkirian crew's actions were rational in light of the perceived three-aircraft-conflict.
Great play is made of the "third aircraft" at Überlingen. After a quick skim through the report and voice transcripts, all I can find in terms of direct evidence is a call from the controller to the Tu-154: "...we have traffic at your... 2 o’clock", whereas radar replays show the traffic to have been at 10 o'clock. The Tu-154 would have been roughly at 2 o'clock, viewed from the 757, so from someone under stress, watching two blips on his radar merging into one, it's understandable that he got it the wrong way round. The report shows that both parties had been seen by each other some time before the collision, so the "third aircraft" conjecture was moot by then.

joernstu 27th Sep 2007 11:50


After a quick skim through the report and voice transcripts, all I can find in terms of direct evidence is a call from the controller to the Tu-154: "...we have traffic at your... 2 o’clock", whereas radar replays show the traffic to have been at 10 o'clock.
If you look at the hard evidence, this radio call is the only indication for the three aircraft situation in the heads of the TU154 crew. But even the BFU investigating the accident assumed, that the TU154 crew was searching for traffic in the wrong sector.

bsieker 27th Sep 2007 11:53

FullWings,

I notice that you still haven't addressed my main point:

Why is my modified scenario so different from Ueberlingen that it can be discounted as "extremely unlikely"?


The only reason I can imagine for your reluctance to address it is that you feel Ueberlingen was a fluke, it is considered that low "acceptable risk", and nothing needs to be done about it.

Is that it?


Bernd

ATC Watcher 27th Sep 2007 20:16

1 in 10 million ?
 
Alf5071h :

The safety certification should show that the probability of the collision scenario is sufficiently extreme to discount it; thence it meets an acceptable level of safety. The principle of aviation safety is that it is not absolute; it accepts that rare events can occur, but the probability of them resulting in death has to be extremely remote (10^-9).

Your approach appears to take the limit case as ‘the’ hazard without qualifying (bounding) it with the probability of its occurrence. Yes it is a real hazard, but if by following TCAS it only occurs in one manoeuvre in 10 million, then the industry accepts that following TCAS is the safer option.
I remember clearly the FAA initial “marketing” speeches when introducing TCAS in the very early 80s: no safety case as we know it today was made; it was a political decision that mandated TCAS in the USA, not a rational one.
An initial independent paper showed that in 100 encounters, TCAS will solve X number of cases, would not make any difference in X number, but in 4 cases it “could induce a collision”.
But the system was judged extremely beneficial and it was mandated.

If you look carefully at the official TCAS II training manual you will find in a general text mentioning something like : “in rare cases the system might induce collisions “ ( I am overseas at the moment , with no access to my archives for correct text /references )
4% is far from 1 in 10 million , but to be fair the percentages were calculated with version 5.0, since then we had 6.0, 6.04, 6.04A and now 7.0, so the percentage should be (much) lower hopefully by now, but I do not know of any scientific study with new figures on the recent versions.

Bsieker :

The only reason I can imagine for your reluctance to address it is that you feel Ueberlingen was a fluke, it is considered that low "acceptable risk", and nothing needs to be done about it
I think you are correct in your assumption. Fullwings is unfortunately not the only one who believes this.
Whereas Ueberlingen ended in a real collision, there are many more Ueberlingen-type incidents on record, both before and after 2002.
Some were heavily mediatized (like the JAL/JAL case in Japan); most others were not.
A very recent one is a carbon copy but with Climb RA + ATC instruction to climb to the other. Aircraft missed mostly because one of the aircraft was powerful and outclimbed the other one. As it has been said here already, it is extremely difficult to make 2 aircraft collide, even if you intend to. (Ask any Military interception controller about it.) It is not because there is actually no accident that we can disregard the issues. Believing that the problem dramatically illustrated in Uberlingen is unique is wishful thinking.

alf5071h 28th Sep 2007 01:28

Bernd, I still believe that there are weaknesses in the development of your scenario (#101).
In particular the omission of the overall time frame, and I believe, a biased rationale for the controller’s choice of action. Yes it can happen but is it realistic - probabilities?

Re your “But we know that at Ueberlingen they did collide, and what makes my hypothetical setup sufficiently different from Ueberlingen that everyone seems to be confident it would not be a problem?”
I don’t think that anyone is saying that they are confident it is not a problem just that it appears to be sufficiently improbable. The analogy is that aircraft are certificated as being safe to fly, but some crash, more often with human involvement. ATC Watcher, asked if Ueberlingen could happen again (#1), I replied yes.

I sense that I could become the focus of a pincer move between you and ATC Watcher; thus having identified conflicting traffic (in an uncontrolled environment), I now deviate from my flight path! :)

Peter, ATC Watcher, my description of safety certification was somewhat simplistic and is more related to aircraft certification and installed systems. In these instances the certification ‘does’ show the appropriate probability. However, for a combined ATC/TCAS system I would struggle to find any such rigorous analysis; and perhaps it is this aspect which is causing concern. Therefore in this discussion I believe the ‘safer’ option is for me to withdraw all numerical examples.
However, for Bernd’s scenario and Peter’s 3 aircraft problem, perhaps looking at such things as a probability density function for the risk of collision might identify non-perfect solutions but ones with acceptable risk?

Being sceptical of independent papers and manuals, I would ask if the rare case actually induced a collision or a only a flight path conducive to a collision, i.e. a change in the level of risk (relative vs absolute). Similarly, the ‘rare case’ would in my way of thinking require an associated probability.

The increasing concern may be heightened by ‘near miss’ reports and crew error in TCAS operation. Near misses are interesting, particularly if viewed from different areas. For ATC, anything less than 5nm and 1000ft is a cause for concern, whereas a pilot, 1nm of 500ft may appear safe, and more recently anything that does not result in a TA. So ATC quite rightly ask questions about the overall system, and pilots are currently happy with TCAS's anti collision qualities. (I caution myself to be aware of “a threat to safe operation, which … people did not believe existed (numerically), or did not wish to believe posed a significant risk” (#87))
I am not writing this problem off, nor would I be surprised to learn that the ATC/TCAS safety case was accepted directly from N America without proof, and perhaps it is only now that we find weaknesses or at least difficulties in providing data (probabilities) for proving a level of safety.
Of course the problem might actually be in the process of determining the safety level, what is the required value and how is such a system, with its many human contributions, to be certificated? ... Automation?

CDN_ATC 28th Sep 2007 05:24

Is there a specific reason the rate of descent for an RA is 1500'/min?

Reason I ask, many commercial operators in regular arrival descents from cruise descend at 2500-3500 feet per minute depending, and I've seen 737NG's give 5500-6000'/min when asked to increase rate of descent to clear traffic.

So my obvious question since an RA means two airplanes are too close to each other, why not move in the appropriate direction as fast as safely possible, I mean passenger comfort is one thing, but I think they'd prefer a little upset stomach to the possible alternative?

Also scenario (Assume structured airspace):

Airplane 1 Proceeding AAA-BBB at FL360
Airplane 2 Proceeding AAA-BBB at FL350
Airplane 3 Proceeding AAA-BBB at FL340
(All three airplanes are vertically stacked on top of each other)

Airplane 4 Proceeding BBB-AAA at FL350

How would TCAS react to this scenario? Also what if the offending airplane has an older version of TCAS...

bsieker 28th Sep 2007 07:54

alf,


I still believe that there are weaknesses in the development of your scenario (#101).
I was hoping for someone to point me to them.


In particular the omission of the overall time frame, and I believe, a biased rationale for the controller’s choice of action. Yes it can happen but is it realistic - probabilities?
Well, I assume the same timing as at Ueberlingen.

As to the controller's choices of action: I guess he could have chosen lateral manoeuvring as well. Is that likely if the FL below the collision course is clear, also considering that a turn takes longer to initiate than a dive or a climb?

Is my notion about a preference for descend over climb correct? I figured, particularly at high altitudes, descending was quicker and more easily achieved for some aircraft than climbing.


I sense that I could become the focus of a pincer move between you and ATC Watcher; thus having identified conflicting traffic (in an uncontrolled environment), I now deviate from my flight path! :)
I'm glad you put the smiley there. I don't think it's likely to happen. I was looking forward to your answer, as you appear interested in a meaningful discussion and are not just defending a position of "you must always follow TCAS!". As I have indicated I lack inside information about TCAS algorithms. I rephrased my call for comments on my hypothetical(?) setup in an increasingly aggressive tone to provoke a reaction. I thank you, Joern and ATC Watcher for finally taking the bait :)

I think without data mining through huge data spaces (and I'm talking a lot more than the 2-day data set that Eurocontrol used; more like a year or two) we will not be able confidently to put a figure on the probability.


(and now for something completely different ...)


Originally Posted by CDN_ATC
Is there a specific reason the rate of descent for an RA is 1500'/min?

It is probably a compromise between (a) safely clearing your conflicting traffic by a comfortable margin on the one hand, and (b1) avoiding the creation of additional conflicts plus (b2) maintaining passenger comfort on the other hand.

A descent rate of, say, 6000ft/min would bust one flight level every 10 seconds! Sounds like an ATC nightmare in dense traffic.


Bernd

CDN_ATC 28th Sep 2007 09:44

:hmm:Normally yes, but if I ask for "A good rate of descent" and get 6000'/min, it's not my ears and guts that are bothering me...

punkalouver 1st Oct 2007 00:19


Originally posted by CDN_ATC
So my obvious question since an RA means two airplanes are too close to each other, why not move in the appropriate direction as fast as safely possible, I mean passenger comfort is one thing, but I think they'd prefer a little upset stomach to the possible alternative?
Because it is not necessary. Enough time is given that you don't need to make abrupt manoeuvres. That is why on an initial RA you have 5 seconds just to start your evasive action at only 1/4 g added or subtracted to your load factor. Abrupt pullups at cruise altitude can be dangerous.
Going against the RA was not rational and a lot of people died because of it.

PBL 1st Oct 2007 04:45


Originally Posted by punkalouver
Going against the RA was not rational

Given that there is a good argument in the public domain as to why it was rational, would you care to share both your reasons for thinking it was not, as well as show us the mistake in the argument?

Can you solve the decision problem that I posed?

PBL

punkalouver 1st Oct 2007 13:09

We have already been through this. Please read or re-read post #50 from myself.
I find it amazing that a specialist on aircraft safety is telling us that if we end up in a similar scenario as the one over Germany that night that we should ignore the RA and in fact go against it.

Please read more about sometimes trying to out-think the TCAS as you advocate.

http://www.asasi.org/papers/2005/Hir...in%20Japan.pdf

PBL 1st Oct 2007 13:24


Originally Posted by punkalouver
We have already been through this. Please read or re-read post #50 from myself.

I read it when you wrote it and decided that you were confused and had not understood the problem.


Originally Posted by punkalouver
I find it amazing that a specialist on aircraft safety is telling us that if we end up in a similar scenario as the one over Germany that night that we should ignore the RA and in fact go against it.

Which specialist would that be? I don't know of one.

PBL

bsieker 1st Oct 2007 13:40


Originally Posted by punkalouver
I find it amazing that a specialist on aircraft safety is telling us that if we end up in a similar scenario as the one over Germany that night that we should ignore the RA and in fact go against it.

I find it amazing that you make this statement.

Would you mind showing us the post where someone said that, when confronted with the Ueberlingen scenario, one should ignore the RA and go against it?

What I (and others) said was that the choice taken by the Bashkirian crew was (one of several) rational choices in the given situation. Namely assuming two intruders, one they can see, and one they cannot see, and being given ATC instructions before receiving the RA.

Rational choice means it can be defended as being thought through: Looking at the individual pieces of information presented to them, evaluating them and making an informed decision on the course of action.

That the choice to follow ATC instead of TCAS was a rational choice does not mean:

- that it was the only choice or
- that it was the only rational choice or
- that the crew actually decided rationally
[edit]
- it doesn't even mean that it was necessarily (in hindsight) the best choice
[/edit]

I second PBL's call to show us exactly why you think the choice made by the Tupolev crew was not rational.

-----
(And now for something completely different.)

Disclaimer: I do not have a degree in psychology or similar training, so I'm really asking this question out of curiosity.

As to the chances of avoiding traffic visually:

There is a phenomenon, well-known to Rally-drivers, that, if you're a proficient driver, you tend to steer towards the object that you look at. It seems that if you look at a tree, you're more likely to hit it than if you deliberately look beside it. Driving becomes completely skill-based, and without thinking you follow your eyes.

The effect can be observed even in a rally (or other racing) simulation on a computer.

I actually have no idea how much of this is applicable to aviation. Just a random thought.


Bernd

ATC Watcher 1st Oct 2007 20:43

And now, For something completely different ...
 
Bsieker :

As to the chances of avoiding traffic visually:
There is a phenomenon, [...] you tend to steer towards the object that you look at.
Indeed, one can even try this on a bicycle. And this remark is very relevant in the case of Ueberlingen. I always thought that had both a/c been IMC they most probably would have missed. Looking at the last seconds on the FDR of the TU154 could confirm this. But I speculate and this is outside the TCAS debate.

But being also a glider pilot, I can confirm that visual avoidance does work in the air most of the time! (even last minute visual avoidance, mostly by turning sharply away from intruder).
But we are far slower and far more manoeuvrable than a passenger jet.

punkalouver 2nd Oct 2007 02:20

O.K., here is my rational response based on this accident report. It is nighttime, I am cruising along at high altitude in airspace where all aircraft are required to have transponders and most that do have transponders have two of them in case one fails. It is fairly quiet on the radio. My aircraft is equipped with an updated version of TCAS and I have been trained in how it works.
Therefore I know that they communicate with each other and in the event of a RA in my aircraft, the conflicting aircraft's TCAS will not give instructions to do the same evasive manoeuvre. Because I follow aircraft incidents on PPrune and other forums, I am well aware that manoeuvring to follow an ATC instruction against the RA nearly caused the world's worst aviation disaster over Japan 18 months previously (link provided in my last post).

All of a sudden I get a TA with the TCAS display showing traffic at my altitude and converging from the left. Moments later ATC says traffic at two o'clock, descend immediately and nearly simultaneously, I get a RA saying to climb. There is no other traffic displayed on my TCAS display. I do the rational thing and follow the RA and everyone survives this conflict.

I know.......Maybe there is some military flight out there that has an emergency which just happens to be affecting his transponder at the very exact time that I am getting an RA. I'm sure there are all kinds of obscure scenarios that can be thought of. Conspiracy theorists do it all the time.
By the way, if in this scenario there actually was an intruder at my two o'clock with no altitude given as pointed out by ATC(perhaps due to mode C not working), I would not go opposite to the RA.

P.S. Sorry for calling you an aviation safety specialist. That was an error on my part.

