Revised 22 August 2002; pictures added 24.10.2002
I describe the ACAS system and its operation. In so doing, I point
out its significant weaknesses in dealing with some three-aircraft
conflicts; indeed, it cannot resolve certain three-aircraft conflicts.
I argue that this makes it impossible to devise uniform procedures
for crew to react to ACAS Resolution Advisories. In particular, I
note that in the Southern German midair collision on 1 July, 2002,
a simple cognitive mistake put one participating crew into a
cognitive situation that they could not reasonably resolve; indeed,
in which it may have been rational to act contrary to international
recommendations. Whether or not this actually happened, the scenario
highlights a flaw in ACAS, in that one mistake by a non-participant
in the RA engenders an irresoluble cognitive model in one crew.
In Volume 22, Issue 18 of the Forum on Risks to the Public in Computers and Related Systems, Bob Morell discusses the midair collision on July 1 2002 over Southern Germany, in which a Bakshirian Airlines Tupolov 154, operating as BTC 2937, collided with a DHL Boeing 757-200, operating as DHX 611, although both were using ACAS II-compliant collision-avoidance systems, namely Honeywell TCAS II Version 7 systems , Morell says
I think more comment is due on the collision of a cargo plane and
a Russian airliner, which could have been prevented if the
Russian Pilot had trusted the computerized collision avoidance
system (TCAS) rather than the human air controller. .......
Western pilots, it was reported (NPR I believe), are trained to
trust the TCAS over the human controller, Russian aviators the
reverse, so it appears that the pilot was following his training,
rather than deciding on the spur of the moment who to
believe. Russian trainers are no doubt rethinking this
Morell is right in saying that more comment is due on this accident. I believe it is much too early to be able to draw many firm conclusions about the accident itself. However, there are some issues concerning ACAS II operation which have arisen, based only on the public information so far, as well as some misunderstandings of ACAS, its operation, and its operational effectiveness, which I think it worthwhile to alleviate.
Morell speculates whether the crew of BTC 2937 (BTC CRW) made a "mistake" or not, and suggests that the descent decision and action "if the reports on the Russian training are correct, was not, technically speaking, a mistake on the pilot's part...."
His line of reasoning is erroneous: operational procedures in response to an ACAS Resolution Advisory (RA) are determined solely by German aviation law in German airspace, and that is where one looks to determine if BTC CRW violated any operational procedures, not to "Russian training".
Generally I feel such speculation about possible pilot error without a careful analysis of the interactions in the cockpits, as contained on the cockpit voice recorder (CVR), is unwarranted. As of writing (7 August 2002), transcripts of the cockpit conversations were not available. The cockpit voice recorder transcripts are often the only means of assessing the quality of CRW decision making, and in this menage a trois equipes in which four of the five participants are deceased I think such analysis is essential. For example, Morell speaks of "the pilot", apparently meaning the pilot in command (PIC). There were two pilots in each CRW (and up to four CRW in the case of the Tupolev ). The German BFU has not yet said (as of 7 August 2002 ) whether the pilot in command of BTC AC was also the pilot flying the aircraft (PF), or whether the first officer was PF and the PIC was the Pilot Not Flying (PNF). Knowing that situation is crucial for assessing the decision making, and the actions taken, in a cockpit.
Morell says, astoundingly, that "TCAS is a highly tested system with a flawless record", apparently not counting this midair as a failure. On the contrary, the TCAS avionics were a causal factor in this accident: had neither aircraft been so equipped, the accident would not have happened. The collision happened at Flight Level 354, and 600 feet below the cleared FL 360 of DHL 611, which would have maintained FL 360 as cleared had DHL CRW not received a TCAS RA and acted upon it.
I also find it misleading to suggest that such a complex system could have a "flawless record", as Morell does of TCAS; most complex systems have infelicities of various degrees of gravity that must be addressed by further development, and TCAS is no exception. Eurocontrol training material say, quite clearly, that TCAS "... cannot eliminate all risks of collision. Additionally, as in any predictive system, it might itself induce a risk of collision" [22, p17]. The Eurocontrol ACAS Operational Evaluation indicates a substantial history of false positives ("unnecessary RAs")  and the latest version, Version 7, shows a "40% reduction in unnecessary RAs" .
False positives in RAs are not merely a nuisance; in dense traffic areas, which is where RAs are most likely to be generated, manoeuvres in accordance with RAs disrupt ATC planning and generate immediately an unanticipated higher workload for a controller, which can be a safety risk when a controller is operating near the limits of hisher capacities. There has been quite a high rate of "nuisance" advisories, and one can anticipate pilots' reactions to the system crying "wolf" too often. It has been reported by Lincoln Labs that that over 50% of Resolution Advisories (in which CRW receive an advisory to take avoiding action; see below) occurring in U.S: airspace are ignored [20, Section 5.3, p19].
Facts already available concerning the July 1 midair collision highlight certain difficulties with ACAS operation, namely that ACAS does not handle three-aircraft conflicts flawlessly; indeed, when one aircraft is a "ghost" aircraft to RA participants, it is not clear that such apparently intuitive recommendations as not to manoeuvre contrary to the sense of an RA are uniformly valid. This paper will discuss that situation.
Such discussion should not be seen as an attempt to "second-guess" the accident. Any possible scenarios which arise should be handled by ACAS requirement specification. Any that are not so handled arguably represent flaws. Such a consideration of possibilities is the basis of any requirements analysis and any technical safety case for the deployment of such a system. Stumbling upon deficiencies while considering variants of a scenario is standard fare for safety analysts. It is not merely valuable, but unavoidable [Footnote 1].
The avionics part of ACAS II (Airborne Collision Avoidance System), as it is known internationally, is an advisory system for CRW, warning of possible conflict with other traffic ("Traffic Advisories", TAs) and issuing manoeuvring advisories for resolving close conflicts ("Resolution Advisories", RAs). ACAS II is a requirement for systems; TCAS II Version 7 is an actual design which is ACAS II-compliant; the previous versions of TCAS II, such as 6.02, 6.04 and 6.04a, are not. Honeywell makes TCAS II Version 7 systems and is working on enhancements .
Interest in automated help with collision avoidance was awakened almost half a century ago by the midair collision of two scheduled airliners over the Grand Canyon in 1956. The current system was first developed in the U.S. from 1974 as BCAS ("Beacon-based Collision Avoidance System), and was renamed as TCAS (Traffic Alert and Collision Avoidance System) by the FAA in 1981. Congress mandated the FAA to require TCAS systems on board all commercial airline passenger aircraft after the collision on approach to LAX between an Aeromexico DC-9 and a private plane in 1986 .
There are two main versions of TCAS avionics. TCAS I uses a visual display of traffic and issues no RAs. TCAS II issues TAs and RAs both visually and aurally (by means of synthesised voice) and employs "resolution algorithms" to issue RAs. I will deal technically with TCAS II.
There is a schematic diagram of TCAS II avionics components in [22, p6]. TCAS II avionics works in concert with a Mode S transponder. This document also contains good reproductions of the TCAS visual displays [22, pp8-9], and a list of the aural warnings [22, p8} which readers unfamiliar with the details may prefer to my verbal description.
A transponder is a device which responds to radio interrogation signals at a frequency of 1090MHz with a signal which it transmits at 1030MHz. 1090MHz is used by ground-based Secondary Surveillance Radar (SSR). A Mode S transponder transmits upon interrogation an aircraft's "squawk code", a 4-digit octal number assigned by ATC for identification in local airspace; also the airplane's "pressure altitude" [Footnote 2]; and possibly a message. Air traffic control (ATC) utilises the squawk code and Flight Level information. TCAS II utilises the Mode S message capability to coordinate Resolution Advisories between ACAS II-compliant aircraft in a conflict.
The cockpit visual display of TCAS shows, inter alia, other responding aircraft within a certain range, in a plan-like format (it shows the surrounding airspace from above, and the positions of other aircraft within it). With the 10 nautical mile (nm) range setting, sensitivity is said to be +/-10 degrees in bearing, and +/-1nm in range [22, p7]. The apparatus may display from 4nm to 30nm radius ahead of the installed aircraft [22, p7], and current equipment displays to 40nm ahead .
ACAS system logic triggers advisories based upon threshold values (the alert threshold) of certain parameters [23, p11]:
The alert thresholds (predicted time-to-go to CPA) above FL 200 are 48 secs for a TA and 35 secs for an RA, whether TCAS II Version 6.04a or Version 7 [22, p16]
Two tests are used to determine the values of the parameters, the Range Test for the horizontal plane and the Altitude Test for the vertical dimension [23, p11]. TCAS II versions utilise the same DMOD thresholds, but differ on the absolute proximaty values for the Altitude Test.
Time-to-go for the Range Test is obtained by dividing separation (relative distance between the aircraft) by rate of closure [23, p11]. The DMOD for the Range Test above FL 200 is 1.3nm separation for TAs and 1.1nm separation for RAs.
Time-to-go for the Altitude Test is calculated by dividing relative altitude between the aircraft by relative vertical speed [23, p11]. The absolute proximity threshold for TCAS II Version 7 is 850 ft relative altitude (altitude difference between participants) for TAs and 700 ft for RAs. For TCAS V6.04a, the threshold is 1200 ft for TAs and 800 ft for RAs.
The resolution algorithms are based on standardised manoeuvres with specified accelerations and specified target rates of climb/descent, and result in a target miss distance of at least 700 ft for V7 and at least 800 ft for V6.04a [23, p15].
Issuing an RA requires a handshake between the ACAS avionics on the involved aircraft (AC), and in the case of two AC issues to one an aural warning of "climb, climb" and to the other a warning of "descend, descend", as well as annunciating on the visual display. The initial RA is based on a pilot reaction time of 5 seconds and an escape manoeuvre acceleration of g/4; subsequent advisories on a pilot reaction time of 2.5 seconds . RAs give guidance in the vertical dimension only; no horizontal manoeuvres are considered.
The ACAS avionics generates pure advisories. It does not by itself affect operation of the aircraft. For the system to be more effective than nothing at all, the CRW have to assimilate the information and act on it. The question might arise: why not automate such manoeuvres?
There are a number of reasons for not automating manoeuvres. Primary amongst them must be that automatic radical manoeuvres lead to an unanticipated departure from ATC clearances. Such unanticipated effects of automation can themselves be dangerous; as in thee balloon-climb loss-of-separation incident between an A330 and A340 over the North Atlantic on 2 October 2000 . An ATC clearance is a commitment by ATC to maintain the designated airspace clear of other traffic for the cleared aircraft. A departure from clearance means entry into airspace that is not held clear and may well contain other aircraft.
Second amongst those reasons is the proportion of "nuisance" advisories. An extensive discussion of nuisance advisories, primarily in European airspace, may be found in . Two examples may be given here. Europe has implemented Reduced Vertical Separation Minima (RVSM) from 24 January 2002. RVSM provides Flight Levels every thousand feet for traffic from FL 290 to FL 410 inclusive . RVSM has been in trials over North Atlantic airspace (NAT) since 27 March, 1997 . The alert threshold for absolute vertical proximity in TCAS Version 6.04a is 1200 ft for TAs and 800 ft for RAs. Clearly, two aircraft passing each other at adjacent FLs in RVSM will generate a nuisance TA with Version 6.04a which does not lead to an RA [23, Section 5.2, pp22-3]. Not so well known is that this can also happen with TCAS Version 7 and its reduced absolute vertical proximity threshold of 850 ft for TAs and 70 ft for RAs [23, Section 5.3.4 Vertical Offset, pp24-5]. The ideal situation is illustrated in Figure 1. Two aircraft pass each other with 1,000 ft vertical separation, flying exactly level at the assigned flight level with no error.
Figure 1. The Ideal Situation
However, aircraft indicated pressure altitude and actual pressure altitude may differ up to 65 ft and still be RVSM compatible. Pressure altitude is reported by aircraft transponders and TCAS equipment either in 100 ft increments, or in 25 ft increments. Consider two aircraft passing each other in level flight at adjacent RVSM FLs, say FL 300 and FL 310. Nominally separated by 1000ft, suppose that the lower aircraft is 64 ft high, and the upper more than 50 ft low; and that the upper aircraft reports altitude in 100 ft increments. Then the lower aircraft is actually flying at 30,064 ft pressure altitude, and the upper aircraft is reporting 30,900 ft pressure altitude (since it is flying more than 50 ft lower then FL 310, and reported pressure altitude is rounded). The difference between them in pressure altitude is 846 ft, which is lower than the 850 ft required in Version 7 to trigger a nuisance TA. This situation is illustrated in Figure 2.
Figure 2. With allowed altimetry and reporting errors
An RA will not be triggered, since 846 ft is the minimum altitude difference permitted under RVSM in this scenario, which is greater than the 700 ft required to trigger an RA.
Nuisance TAs can also be triggered by aircraft oscillation about assigned FL; by the effects of turbulence, and by climbing or descending aircraft performing a level-off manoeuvre at their assigned FL, 1000ft away from another aircraft. This situation is illustrated in Figures 3 and 4.
Figure 3. Oscillations under turbulence
Figure 4. Rapid climb from below triggering an advisory
Nuisance TAs are distracting, but are inconsequential for automation, since the recommended flight control action for TAs is nothing. However, nuisance RAs also occur, and these would be occurrences that would trigger a flight control response from the automation that would have to be countered by the pilot. Turbulence can trigger "pop-ip" RAs [23, p34], as can non-smooth level-off actions [23, p37]. In short, there remain many ways in which false positives (nuisance advisories) can be generated, even between aircraft equipped with ACAS II equipment.
Third, problems with ACAS II "operational acceptability" in dense airspace are known although not necesarily public [24J. In a conflict avoidance manoeuvre consistent with an RA, there are two aircraft, not one, departing from clearance. If there are other aircraft 1000ft above and below the aircraft involved in an RA manoeuvre, the pilots of the manoeuvring aircraft might not want to engage in altitude deviations of that order of magnitude (recall the values of "normal displacement", above). The OpEval suggests that a "normal displacement" due to an RA can be defined as less than 500ft below FL295, and less than 1000 ft above FL 295 [20, p37]; nevertheless, large deviations were common in TCAS versions previous to Version 7 (15% of the total) [20, p37]. The mean deviation is apparently around 650 ft [22, p11]. In Southern Germany, DHL was 600 ft below assigned altitude when following its RA, at the collision point. Besides, even small deviation, say 300ft, will most probably trigger RAs in the other aircraft, since altitude reporting is not exact (depending on the transponder, it is in 100 ft increments, or 25 ft increments), and aircraft instruments are calibrated such that with RVSM approved equipment there may be up to 65 ft difference between indicated altitude and actual pressure altitude [23, p25]. So in a dense traffic situation, following an RA can well trigger two more conflicts, involving four aircraft, and one can well imagine that these might trigger more, in a chain reaction. One such scenario has already happened in Switzerland, in which a sequence of "nuisance advisories" led to an airprox  [Footnote 6]. It does not stretch the imagination to imagine some such scenario happening in a "hold stack" over a major airport, in which aircraft fly an identical oval race-track pattern above and below each other at increments of 1000ft, entering at the top and being cleared for landing when they reach the bottom.
In such situations in which the airspace above and below the cleared airspace is not free of traffic, a pilot might want to go sideways to avoid a conflict - but which way? ACAS avionics currently provide no help. The resolution algorithms used by ACAS avionics also work preferably with only two aircraft in the vicinity - see below - but they are most likely to be triggered, and to be of use, in dense airspace.
The TCAS Version 7 avionics on board both accident aircraft [1,3] "is supposed to reverse the command if it detects that the other airplane is taking the wrong action" , as illustrated in [22, p19, Figure 11]. According to the information from the BFU, the DHL system did not reverse the descent instruction, but it did strengthen the advisory to both ("Increase climb, increase climb"; "Increase descent, increase descent"). Both actions are possible [22, Section 4.2 and Figure 11, p19]. I do not yet know if this represents correct design behavior or correct intended behavior of ACAS II in the accident scenario. One could argue that it would have been preferable had a command reversal occurred.
There are two misunderstandings of ACAS which the midair accident on July 1 2002 has brought to light.
First is an impression, shared apparently by Eurocontrol's PR department , that pilots "must" follow a "Resolution Advisory" [Footnote 3]. This is false, as far as I know. Both U.S. and British regulations require the pilot-in-command to deviate from any other regulation to the extent required to assure safety of the aircraft and occupants [13,14]. German air law governs this accident, since the participants were in German airspace. In Germany, pilots-in-command have decision authority over all aspects of the flight (LuftVO §3 (1)) as in British and US law, but they are also responsible for ensuring that aviation law is adhered to (LuftVO §3 (2))  [Footnote 7].
ACAS is an advisory system only, and is explicitly recognised to be so both in the requirements for TCAS Version 6 , and in the ICAO PANS-OPS . Apparently, there is no ICAO-recommended procedure to require pilots to respond to an ACAS advisory, or even to give precedence to it . The ICAO recommendation in PANS-OPS is that "nothing... shall prevent pilots-in-command from exercising their best judgement and full authority in the choice of the best course of action to resolve a conflict" [5, quoted on 22, p10]
Similarly, the Joint Aviation Regulations, which in part are incorporated into German aviation law, say that a pilot in command shall initiate immediate corrective action to establish safe separation, but does not say in what this action shall consist, neither is the action otherwise constrained than by the need to ensure safe separation  [Footnote 8].
There is a good reason for this. As phrased by the "Practical Remarks in the section on Operational Use in the Eurocontrol ACAS Training Manual, "Due to its limitations, TCAS II is not infallible" [22, p11]. This does not mean that the avionics are not reliable. It points rather to the second misunderstanding, as follows.
Second, from a systems point of view, the ACAS avionics in a airplane is only part of the ACAS system. ACAS avionics by itself does nothing; the system only differentiates itself behaviorally from its absence if one or both CRWs react with a manoeuvre. A successful ACAS event with two aircraft involves four major participants coordinating their actions: two independent avionics systems (one on each aircraft; one RA instructing its crew to climb, and the other to descend), and two independent cockpit crews. Furthermore, each CRW consists of two active pilots, and possibly others. Particularly if the PIC is not the PF, intra-CRW communication is needed for a manoeuvring response to an RA. The PF must do what the PIC decides, and the PIC must ensure that the PF does what heshe decides, whether verbally or not. Focusing on the avionics alone is a mistake.
Consideration of the scenario at the end of this paper shows that analysis of the role of the controller in interaction with an ACAS system operating in controlled airspace is crucial, because of the presumed ability to "paint" aircraft that ACAS display devices may not see, and give advisories (or misleading advisories). One might even consider the controller to be a legitimate part of the ACAS system, under the following reasoning.
A system has a boundary: some objects and behavior are considered to be part of the system, and some are not. When analysing a system (as opposed to manufacturing one, say), one draws the boundary at a suitable place. Two considerations that weigh strongly when determining where a system boundary may reasonable lie are, first, which phenomena can one reasonably hope to control?; and, second, does as much as reasonably possible of the system interactions take place inside the boundary? Since ACAS depends for any behavior at all on actions of the CRW, the system cannot reasonably be considered to consist of the avionics alone.
Third, and most importantly, it is not clear to me that any uniform advice can be given to pilots on what to do on receiptt of an ACAS II RA. The scenario considerea at the end of this paper will make this clear.
From a systems point of view, the function of the ACAS system is to initiate coordinated manoeuvres of all aircraft involved in a conflict that result in the aircraft not colliding. A successful two-aircraft ACAS operation thus involves at least four major components, all of whom have to cooperate: two AC crews, and two ACAS avionics systems. There are two behaviors which need to be considered: that of a TA, and that of an RA.
Response to a TA is to look at the screen, to determine where the conflict aircraft is (it is - they are - indicated), to consider what to do, and to take appropriate action (heshe is advised by ICAO PANS OPS not to manoeuvre on the basis of a TA [5, cited in 22, p10]; however, heshe should "prepare for" an RA and presumably look out the window!).
Consider two cruising aircraft at the same Flight Level, Aircraft A heading due north and Aircraft B heading due west, on a collision course. A TA will be generated at 48 seconds before predicted collision. Aircraft A's display shows Aircraft B at the 2 o'clock bearing (60 degrees to the right of straight ahead, +/- 10 degrees display error) and Aircraft B's display shows Aircraft A at the 10 o'clock bearing (60 degrees to the left of straight ahead). Simple collision geometry determines that each plane remains at the same bearing on the other's display, but would be seen to be coming closer: a straight line drawn between two moving objects on a collision course has constant bearing, as pilots know. On the other hand, this phenomenon cannot be relied upon in the display: "The information is basic [meaning crude PBL] and only shows the approximate relative position of adjacent aircraft, and the risk of misinterpretation is great" [22, p11].
In a two-aircraft conflict, for a true positive RA to work as intended, the avionics systems must resolve correctly, and issue RAs in opposite senses. If both crews follow their opposing RAs, the aircraft will miss each other. If one crew follows its RA and the other does not deviate, the aircraft will miss each other. (In the case of the accident on July 1, DHL descended 600 ft before collision. That was enough to miss substantially, had BTC not also descended: that altitude deviation represents 60% of normal vertical separation under RVSM.) If one CRW follows its RA, and the other manoeuvres against its RA, the aircraft are manoeuvring in the same vertical sense and they very well may maintain a collision profile (as apparently happened, with disastrous consequences, in the accident on July 1 ).
ACAS is optimal for two-aircraft conflicts. ACAS gives RAs in the vertical dimension, and there are only two directions in one dimension: up and down. Consider two aircraft cruising at the same FL. The FL is a mathematical "surface" that divides airspace into two disjoint pieces: that space below the FL and that space above. Complementary RAs advise one aircraft to enter one piece, and the other to enter the other. Since the two spaces are disjoint, the aircraft's trajectories cannot intersect, and a collision is avoided.
Similar considerations allow trajectories to be calculated for all two-airplane RAs, using the following parameters. Standard acceleration in manoeuvres is taken to be 0.25 g. Pilot reaction times are taken to be 5 seconds for the initial RA, and 2.5 seconds for subsequent RAs. Target rate-of-climb/descent for initial climb and descent RAs is 1500 ft/minute, and for strengthened (increase-climb / increase-descent) RAs of 2500 ft/min. RA sense reversals are also possible (reversal-climb/reversal-descent). There are weakening RAs (adjust-vertical-speed) in both ascent and descent. A certain amount of time is taken to accelerate to follow a target rate of climb/descent. 1500 ft/min is 25 ft/sec, 0.25 g is an acceleration of 8 ft/sec/sec, and it takes just over three seconds at this constant acceleration to achieve a velocity of 25 ft/sec. Given that the pull or push has to be initiated, from 0 up to 0.25 g, if would be reasonsble to expect 4 seconds to attain a target 1500 ft/min vertical speed. Similarly, to attain 2500 ft/min from 1500 ft/min, a change in velocity of 1000 ft/min, approximately 16 ft/sec, is required, and this may be attained with constant 0.25 g in 2 seconds; with onset maybe 3 seconds.
These constructions can be used to construct a "spline" (a sequence of simple curves or lines, connected together) for each aircraft, such that the trajectories defined by those splines avoid each other by the target minimal distance. Such a spline looks like a succession of straight lines joined by curves, the curves representing the transition between two regimes (straight-and-level to 1500 ft/min, 1500 ft/min to 2500 ft/min, and so on).
The question is then: can two aircraft on a collision course be separated by such splines? The answer, and the justification behind the TCAS logic, is: yes. Some informal examples of different situations are contained in the Eurocontrol Training Manual [22, Section 4, pp18-20].
The qualitative reasoning above does not help with all three-aircraft conflicts. The question is the same. For every encounter, can splines be constructed using the basic RAs such that the trajectories that follow these splines do not intersect? I consider a number of scenarios, and the possible construction of splines to resolve them.
It is important to remember the difference between splines, which are mathematical curves generated by the TCAS logic, and the actual behavior of aircraft attempting to follow RAs which correspond ideally with the splines. It is one thing to solve a problem mathematically, and another thing to encourage crew behavior that attempts to emulate the splines. Thus a solution adequate in principle may be operationally unacceptable due to its sensitivity to the precision with which its corresponding RAs are followed. It makes sense to attempt only a qualitative geometric construction of splines, and not to set too much store by quantitative assessments, except when these are seen to be relatively insensitive to the numbers used.
In all the scenarios, I will consider three converging aircraft, Aircraft A, Aircraft B and Aircraft C.
In analysing Scenario 1, I found I needed to use quantitative assessment in order to attain the qualitative result I was seeking. Accordingly, I give the parameters first
I will assume that an adjust-vertical-speed RA results in a reduction to 1500 ft/min from 2500 ft/min, and a reduction to level flight from 1500 ft/min. Similarly, an increase-climb/descend RA increases climb from 1500 ft/min to 2500 ft/min. Transition times of a few seconds (3 or 4, as above) are required.
A transition from 0 ft/min to 1500 ft/min or the reverse results in 36 ft altitude difference from previous trajectory (assuming constant 0.25 g for 3 seconds); from 1500 ft/min to 2500 ft/min or the reverse results in 16 ft difference (0.25 g for 2 seconds). 1500 ft/min is 25 ft/sec; 2500 ft/min is approximately 40 ft/sec.
Now for the scenario. Aircraft A, B and C are flying level at the same Flight Level FL, and are predicted to collide all at the same point and time. They will all reach the alert threshold at the same time; I will assume issuance of RAs is simultaneous. There are only two RAs that can be issued, a climb RA and a descend RA, so two aircraft will receive the same. Without loss of generality (WLOG) let Aircraft A receive a descend RA and Aircraft B and C a climb RA.
FL splits space into two half-spaces, above FL and below FL Aircraft A enters the lower half-space and is out of conflict, since the trajectories of Aircraft B and C lie in the upper half-space. The situation is illustrated in Figure 5.
Figure 5. Scenario 1 before the second RA
Aircraft B and C remain in conflict in the upper half-space. This conflict is sensed by the logic, which evaluates continuously. Since both RAs were identical and simultaneous, we may assume that both aircraft are at the same altitude. An increase-climb advisory can be issued WLOG to Aircraft B, and an adjust-vertical-speed advisory to Aircraft C. The qualitative result is illustrated in Figure 6.
Figure 6. Scenario 1 with a second RA
From that point, allowing for a pilot reaction time of 2.5 seconds, the altitudes of the Aircraft begin to diverge, at a rate of just over 40 ft/sec (2500 ft/min) after the transition time of 4 seconds for Aircraft C.
The arithmetic for Aircraft B and C is as follows. The calculation assumes that time-to-go until horizontal intersection remains constant, which it will not do, because aircraft which are climbing lose horizontal speed.
RA is issued with 35 secconds time-to-go (TTG); 5 seconds pilot reaction time (PRT) plus 4 seconds transition time (TT) for each aircraft; 5 seconds TCAS logic evaluation time (LogEval) before issuance of second RA; 2.5 seconds PRT and 4 seconds TT for Aircraft C (3 secs for Aircraft B): leaves 14.5 seconds TTG at 40 ft/sec separation, amounting to some 580 ft vertical separation at 0 TTG (potential collision point). In addition, Aircraft C's transition leaves it some 36 ft below its former trajectory (counting just 0.25 g for 3 seconds); Aircraft B's transition some 16 ft above its (identical) former trajectory, for a total of 52ft more. All in all, a separation of 600 ft vertically can be achieved with this sequence, assuming a time between issuance of the subsequent RA to Aircraft B and C (LogEval) of only 5 seconds. Increasing LogEval to 10 seconds leads to a separation of 432 ft using the same type of calculation. Collision avoidance is thus critically dependent on LogEval for Aircraft B and C.
Another possibility is that the subsequent RA issues an increase-climb advisory to Aircraft B and a reverse-sense advisory to Aircraft C. This is illustrated in Figure 7.
Figure 7. An alternative outcome to Scenario 1
Aircraft C receives this RA at 18.5 TTG with 5 LogEval, as before. At 18.5 TTG, Aircraft A is (36 + (7.5 x 25)) ft = 187.5 ft below FL. At 18.5 TTG, Aircraft C is similarly 187.5 ft above FL, since their manoeuvres were symmetric. Separation at 18.5 TTG is thus 375 ft. Aircraft C requires 8 seconds to transition from 1500 ft/min up to 1500 ft/min down (1500 ft/min to 0, followed by 0 to 1500 ft/min down) and ends up at the same altitude at which it started, at 10.5 TTG. Aircraft C has further descended by 200 ft these 8 seconds, so Aircraft A and C are pursuing parallel descending courses with a separation of 575 ft, and maintain this until 0 TTG. With a LogEval of 10, that is 5 seconds more of (2 x 25 ft/sec) separation, giveing 250 ft more separation for a totla of 825 ft between Aircraft A and C at 0 TTG
So TCAS logic, based on multiple successive RAs, may indeed be able to handle Scenario 1.
Aircraft C is at the same FL as Aircraft A and B, but they do not all reach alert threshold simultaneously. Suppose first that an RA is issued for Aircraft A and B. Suppose WLOG that Aircraft B climbs and Aircraft A descends. This situation is illustrated in Figure 8.
Figure 8. Scenario 2 after the first RA
Let us suppose WLOG that an RA is next triggered between Aircraft B and Aircraft C. Aircraft B will get an increase-climb RA, Aircraft C will get a descend RA, as illustrated in Figure 9.
Figure 9. Scenario 2 with a second RA
Although Aircraft A and C are now moving in the same direction, they are separated at point of action by the altitude d = (36 + 25x) ft, where x is the number of seconds to point of action of Aircraft C since Aircraft A acted on its RA with Aircraft B. In the 4 seconds of acceleration until Aircraft C reaches the same vertical speed as Aircraft A, Aircraft C will have descended a further 36 ft and Aircraft A a further 4.25 ft = 100 ft, so the separation will thereby have increased by 64 ft. In the worst case, Aircraft A will have acted on its first RA with Aircraft B with 5 seconds delay, and Aircraft C on its with Aircraft A with no delay, so if Y is the time between the two RAs, the separation will be (36 + 25.(Y-5) + 64) ft = 25.(Y-1) ft. This is 650 ft when Y is 15 seconds. Since Aircraft B is in the upper half-space, there is no further conflict with either Aircraft A or C. If an RA is triggered between Aircraft A and C, since both are descending and Aircraft C is above Aircraft A, Aircraft A will receive an increase-descent RA and Aircraft C an adjust-vertical-speed RA and the vertical distance between them will begin to increase, as illustrated in Figure 10. Intersection is avoided. Aircraft B stays in the upper half-space and Aircraft A and C in the lower half-space until clear of conflict, so no further RA will be triggered between Aircraft B and the other aircraft.
Figure 10. Scenario 2 with a second RA
Consider three aircraft in level flight converging, but at different TTGs. Suppose WLOG that Aircraft A and Aircraft B are at Flight Level FL, and that they trigger an RA first. Scenarios 2 has considered the cases in which Aircraft C is at FL, so WLOG let us assume that Aircraft C is above FL. Let us also suppose WLOG that Aircraft B receives a climb RA, and Aircraft A a descend RA. Aircraft A will escape.
A subsequent conflict is generated between Aircraft B and C. When Aircraft C is level or moderately descending, this can be handled in the TCAS logic by issuing a "non-crossing" RA [22, Figure 9, p18]: the RA flattens the climb of Aircraft B and advises Aircraft C to arrest descent if descending, or to climb if level. It is clear qualitatively that if a non-crossing RA can be issued, the three aircraft attain the required vertical separation.
If a non-crossing RA cannot be issued, the RA will advise Aircraft B to increase climb and Aircraft C to increase descent, so that their altitudes "cross". Aircraft C and Aircraft A may at this point already be within the threshold for an RA, or they may not be.
Figure 11 illustrates the case in which Aircraft A and C are not yet within an alert threshold when the crossing RA is issued to Aircraft B and C.
Figure 11. Scenario 3 with a crossing RA, outside the alert threshold of Aircraft A
TCAS should be able to issue a subsequent RA to Aircraft A and C, if necessary, that will ensure separation. TCAS is able to handle convergence rates of up to 1200 knots and up to 10,000 ft/min. We are assuming that Aircraft A is descending at 1500 ft/min, so to violate this limit would require Aircraft C to be descending at more than 11,500 ft/min when the alert threshold is reached, which would imply that Aircraft C would be out of control, in which case talk of TCAS logic is moot. We may thus assume that if Aircraft A and C are not within each other's alert threshold when the encounter between Aircraft B and C occurs, all encounters are adequately handled by the TCAS logic.
However, consider the situation in which Aircraft A and C are already within the alert threshold when the crossing RA between Aircraft B and C is issued. This situation is illustrated in Figure 12.
Figure 12. Scenario 3 with a crossing RA, inside the alert threshold of Aircraft A
I do not see any line of reasoning which will tell me in this case what RAs can be issued and whether they ensure separation. Actions consistent with an RA only ensure separation when they are followed upon issuance at the alert threshold, and not within this threshold. This scenario, in which Aircraft B and C are issued a crossing RA after the initial RA issued to Aircraft A and B, remains a potential problem.
Other scenarios are symmetric to these. One may consider coordinates relative to the plane formed by the original unaccelerated motions of Aircraft A and B. This will not in general be horizontal, and so the "vertical distance" in the third dimension will no longer be normal to this plane, but slanted. However, the same qualitative geometric considerations obtain if one works with a slanted vertical and so these three scenatios cover many more situations that they initially appear to. Let us call such scenarios with slanted verticals "geometrically similar".
We have seen that Scenarios geometrically similar to Scenario 3 pose problems for the TCAS logic.
The Eurocontrol ACAS Training Manual contains an example of processing of multiple threats. The example involves three aircraft at different FLs, and a chain reaction, that is, successive RAs [22, p13]. The authors argue qualitatively that the trajectories of the participating aircraft do not intersect. Such a situation is said to be "very rare" [op. cit.].
However, the Training Manual also says that "TCAS is able to handle multi-threat sitations either by attempting to resolve the situation with a single RA, which will maintain safe vertical distance from each of the threat aircraft, or be selecting an RA that is a composite of non-contradictory climb and descend restrictions" [22, p20]. Given the considerations above, in particular Scenario 4 and its geometrically similar scenarios, I do not see that the TCAS logic as explained can do What Eurocontrol claims in the Training Manual.
Consider a system, which we may call ACAS-X, which resolves multi-aircraft conflicts. Let N be the number of ACAS-X equipped aircraft. Then each such aircraft has on board two major components: one avionics suite and one CRW. The number of major components involved in a general ACAS-X manoeuvre is at least (N x 2) + (number of non-TCAS-equipped AC). Simple one-dimensional sense information cannot suffice to determine non-conflicting trajectories. Such trajectories must be calculated and advised in three dimensions, which would involve something such as coupling ACAS to the flight director, which can indicate to the pilots a trajectory to follow. But operationally acceptable resolution algorithms for trajectories are a long way off.
A scenario which causes difficulty for ACAS arises from consideration of the known events of 1 July, 2002. We may assume that BTC and DHL knew that there were only two ACAS-equipped aircraft involved in the conflict. This information would be displayed; BTC CRW would see DHL at their 10 o'clock position. However, at 23:25:03, 7 seconds after the first RA, BTC CRW were informed by ATC that there was conflicting traffic at their 2 o'clock position. This AC was not on their display - indeed was not there; the controller's advisory was a cognitive mistake. BTC CRW is now faced with the following situation: there is a three-way conflict with traffic painted at their 10 o'clock and non-painted traffic at their 2 o'clock positions. Their "cognitive model" poses a complicated situation.
The importance of this scenario does not depend on what did or did not happen in the accident on July 1. We may find out, or we may not, what BTC CRW's cognitive model actually was [Footnote 5]. The importance lies in that it is an ACAS scenario whose components have actually occurred, and therefore it must be analysed as part of a safety assessement of ACAS.
Let me use "Aircraft A" for the DHL-similar aircraft, "Aircraft B" for the BTC-similar aircraft, and "Aircraft C" for the "ghost" aircraft at Aircraft B's 2 o'clock position. Since TCAS is not painting Aircraft C, Aircraft B CRW can suppose that Aircraft C will not be involved in any RAs. It is hard to say what cognitive model Aircraft A CRW have, since they might not have heard or assimilated the controller's mistaken advisory to Aircraft B CRW. So I shall not consider their cognitive model. Aircraft B CRW do not know whether the controller is in contact with Aircraft C or not, although it might be reasonable to suppose so. ATC has issued a descent instruction to Aircraft B to take Aircraft B out of conflict with Aircraft C. Further, Aircraft B have received an RA to climb. They can conclude that the RA was negotiated with Aircraft A, since their TCAS display is painting Aircraft A as the "intruder", and that Aircraft A has received a descent RA.
There is no clear strategy for Aircraft B CRW to follow in this situation. ONe way Aircraft B CRW can resolve the conflict it to accept the controller's advisory to clear Aircraft C, and attempt to use the TCAS display information to acquire Aircraft A visually and avoid it. They could also reduce speed to give more time-to-go until conflict with Aircraft A.
It seems worthwhile to note that not even this meagre strategy is available to Aircraft B CRW if they are in IMC.
But suppose now that the controller's advisory concerning Aircraft C conflicts with the sense of the RA. Then strategy violates the oft-repeated advice to pilots not to manoeuvre contrary to an RA. For this reason, I suggest that this advice is also not universally applicable. Indeed, the benefit of ACAS in this situation to Aircraft B is in knowing roughly where Aircraft A is; a benefit provided equally well by TCAS I.
I believe this situation shows that it is illusory to imagine that better or more uniform training will resolve ACAS operability problems. Before solutions can be trained, we first need a solution, and I doubt there is one for this case, for example, based upon ACAS II technology.
[Footnote 1]: As a systems safety analyst, I thus cannot agree with those, including many pilots, who deride such considerations as "speculation". They are a necessary part of my trade. That said, those uncomfortable with the semantics of such conditionals are welcome not to read sentences involving them.
[Footnote 2}: Pressure altitude is the altitude in an ISO "standard atmosphere" corresponding to the measured air pressure where the aircraft is flying. The ISO standard atmosphere is based upon a sea level pressure of 1013 hectopascals and a standard fall-off of pressure with altitude. The actual atmosphere will differ from a standard atmosphere almost all the time, but for aircraft operating at cruising levels, where terrain avoidance is not an issue, it is only necessary that they all measure altitude the same way. Flight Levels are based upon pressure altitude and represent hundreds of feet in pressure altitude; for example Flight Level 360, FL360, is the mathematical surface above the earth which is at a constant pressure altitude of 36,000 feet.
[Footnote 3]: Both Switzerland and Germany are both members of Eurocontrol, the European Organisation for the Safety of Air Navigation, which has 31 member states . Eurocontrol claims to provide "unmatched technical insight and expertise to the European air industry and air operations" . Their press release  states that "the pilot must obey this [ACAS avoidance manoeuvring] instruction" . The principle that a pilot in command is required to do whatever heshe deems necessary for the safety of the aircraft and occupants, even if it violates other applicable regulations, is a time-honored and well-validated principle of aviation.
[Footnote 4]: One frequent choice of suitable boundary in engineering will be to distinguish things over which you have control from those over which you do not. So, typically, an aircraft, crew, and air traffic control may be regarded as components of the air traffic system, but the weather through which an aircraft flies is not so considered. Another suitable choice would be to include as much as possible of frequent or crucial interactions inside the system boundary, so that relatively few crucial interactions occur across the boundary. This does presuppose, though, that one can do this effectively. Although the weather interacts intensely with an aircraft in flight, it is no practical help in analysis to include the weather as part of the system, even though one microburst could ruin your whole day. Systems which retain significant interaction with their envrinoment (i.e., that which is not considered part of the system) are generally called "open" systems.
[Footnote 5]: Crews, especially competent crews, do not always verbalise the problems they are solving, especially when the problem is clear to both. See, for example, the transcripts of the A330 test flight accident in Toulouse in June 1984 . The importance of the scenario lies in its potential occurrence.
[Footnote 6]: An airprox is an incident in which two or more airplanes flew closer to each other than the legally required horizontal and vertical separation. In this incident, an "air miss" was reported by a pilot of one of two aircraft who were flying head-on to each other, and separated by 400ft vertically and 2.9nm horihzontally. I am grateful to Michael Steiner for bringing this incident to my attention. For comparison, the UK Airprox Board reported 82 airprox incidents involving commercial aircraft in 2001 (down from almost 100 in each of the previous four years), 14 of which involved a risk of collision. However, there has not been a midair collision involving a commercial aircraft in the UK in a long while.
[Footnote 7]: LuftVO §3 states the rights and responsibilities
of the pilot in command ("verantwortlicher Luftfahrzeugführer").
The law includes legal concepts denoted by technical terms. One should
also note that German law is structured and functions somewhat differently
from what one used to British or US law might expect. I thus leave the
(1) Der Luftfahrzeugführer hat das Entscheidungsrecht über die
Fü:hrung des Luftfahrzeugs. Er hat die wä:hrend des Flugs, bei
Start und Landund und beim Rollen aus Gründen der Sicherheit
notwendigen Massnahmen zu treffen.
(2) Der Luftfahrzeugführer hat dafür zu sorgen, dass die Vorschriften dieser Verordnung und sonstiger Verordnungen über den Betrieb von Luftfahrzeugen sowie die in Ausübung der Luftaufsicht zur Durchführung des Flugs ergangenen Verfügungen eingehalten werden.
[Footnote 8]: FAR-OPS 1.398, Use of Airborne Collision Avoidance System
....... (b) when undue proximity to another aircraft (RA) is detected by ACAS, the commander or the pilot to whom conduct of the flight has been delegated shall ensure that corrective action is initiated immediately to establish safe separation unless the intruder has been visually identified and has been determined not to be a threat.
 Bundesstelle fuer Flugunfalluntersuchung, Presseinformation, Zusamme nstoss am Bodensee (available also in English), reviewed July 28th, 2002, http://www.bfu-web.de/aktuinfo-d28.htm
 Aeropuertos espanoles y navegacion aerea, Division de Informacion Aeronautica, AIC 13, 17 Novembre 1996, Airborne Collision Avoidance System, (in English) http://ais.aena.es/aipeng/aic_internacional/96AicIn13_eng.htm
 Jens Flottau, "TCAS, Human Factors At Center of Midair Probe", Aviation Week and Space Technology, July 15, 2002, p33, also available to non-subscribers at http://www.aviationnow.com (search for "midair").
 U.S. 14 CFR 91.113: Right-of-way rules: Except water operations, 7(c): Converging, http://www.access.gpo.gov/nara/cfr/cfrhtml_00/Title_14/14cfr91_00.html (go to paragraph 113).
 International Civil Aviation Organisation (ICAO) PANS-OPS (Document 8168), especially Volume 1, PArt VIII, Chapter 3, Operation of ACAS Equipment.
 ICAO PANS-ATM (formerly PANS-RAC), Chapter 12, Phraseologies.
 ICAO PANS-ATM (formerly PANS-RAC), Chapter 15, Section 15.6.3, Procedures in regard to aircraft equipped with airborne collision avoidance systems (ACAS).
 ICAO Annex 10, Attachment A to Volume IV, Guidance material related to airborne collision avoidance system (ACAS), 3: Considerations on Technical Implementation, 3.5, Collision avoidance algorithms.
 Mitre Corporation, Center for Advanced Aviation System Development (CAASD), Traffic Alert and Collision Avoidance System, http://www.caasd.org/proj/tcas/
 Andres Zellweger, private communication, 23 July 2002.
 Nancy Leveson, private communication, 15 July 2002.
 Eurocontrol, Press Release, Midaid Collision Over Germany, 2 July 2002, http://www.eurocontrol.int/dgs/press/en/index.html -> 02/07/2002 (note European date format DD-MM-YYYY), brought to my attention by Alexander McClellan.
 U.S. 14 CFR 91 paragraph 3: Responsibility and Authority of the Pilot In Command, http://www.access.gpo.gov/nara/cfr/cfrhtml_00/Title_14/14cfr91_00.html and go to 91.3.
 U.K. Air Navigation Order 1985, Article 64, Rule 2. Explained in U.K. CAA publication CAP 85, a summary of the ANO for private pilots.
 Air Kazakhstan, Fleet description, T154, http://en.airkaz.com/fleet/tu-154.htm
 U.K. Air Accidents Investigation Branch, AAIB Bulletin 6/2001, Ref. EW/C2000/10/2, http://www.aaib.dft.gov.uk/bulletin/jun01/cggwd.htm
 Definitions for Hardware and Software Safety Engineers, Meine van der Meulen, Springer-Verlag London Limited, 2000.
 The A330 FLight Test Accident in Toulouse, in the compendium Computer-Related Accidents and Incidents with COmmercial Aircraft, available from http://www.rvs.uni-bielefeld.de
 Bob Morell, Re: Listen to TCAS, not the, controller, Risks 22.18, at http://catless.ncl.ac.uk/Risks/22.18.html#subj13
 Eurocontrol Experimental Center, European ACAS Operational Evaluation, Final Report, Eurocontrol Experimental Centar Report No. 316, July 1997, available at http://www.eurocontrol.fr -> Documents -> (Search) Final Report 316 -> Reports for the Year 1997 -> 316.
 Honeywell, Inc. Advanced Collision Avoidance Systems, at http://www.honeywelltcas.com
 Eurocontrol, ACAS II Training Manual, Version 2, available from http://www.eurocontrol.int -> Projects -> ACAS -> Training Materials -> Training Manual Version 2, May 2000.
 Eurocontrol, ACAS II Operations in the European RVSM Environment, Project ACTOR, available from http://www.eurocontrol.int -> Projects -> ACAS -> Training Materials -> Brochure f11, 2 August 2001.
 Chris Johnson, personal communication, 31 July 2002.
 The Official Web Site for the European Reduced Vertical Separation Minima Programme, http://www.eur-rvsm.org
 U.S. Federal Aviation Administration, Reduced Vertical Separation Minimum, North Atlantic RVSM, http://www.faa.gov/ats/ato/north_atlantic.htm
 Swiss Federal Department of the Environment, Transport, Energy and Communications, Final Repor of the Aircraft Accident Investigation Board concerning the incident (Airprox) between THY1944, BAG4608, IBE3514 and AZA467 on 13th September 2000, UIR Switzerland near TRA, Report No. A024, available from http://www.bfu.admin.ch/common/pdf/A024e.pdf
 Luftverkehrs-Ordnung (LuftVO). Available from http://www.luftrecht-online.de
 JAR-OPS 1: Commercial Air Transportation (Aeroplanes), available from http://www.jaa.nl → JARs → JAR-OPS 1.