Sy
ste
m
Su
pe
rvi
so
ry
Co
ntr
ol
Co
mp
ute
r
Int
erf
ac
e
Di
sp
lay
Co
ntr
ol
Se
nsor
s
Di
rec
t O
bs
erv
ati
on
16.422 Alerting Systems
Prof. R.
John
Hansman
Acknowledgements to Jim Kuchar
Sy
ste
m
Su
pe
rvi
so
ry
Co
ntr
ol
Co
mp
ute
r
Int
erf
ac
e
Di
sp
lay
Co
ntr
ol
Se
nsor
s
Di
rec
t O
bs
erv
ati
on
Consider Sensor System
System
Threshold
Display
Or
Alert
Sensor
�y
Radar
�y
Engine Fire Detection
�y
Other
Sy
ste
m
Su
pe
rvi
so
ry
Co
ntr
ol
Co
mp
ute
r
Int
erf
ac
e
Di
sp
lay
Co
ntr
ol
Se
nsor
s
Di
rec
t O
bs
erv
ati
on
Decision-Aiding / Alerting
System
Architecture
Sensors
Displays
Human
Actuator
Sensors
Automation
Actuator
Environment
P
r
o
c
e
s
s
Information Transduction
Decision Making
Control / Actuation
Interface
Courtesy: Jim Kuchar
Sy
ste
m
Su
pe
rvi
so
ry
Co
ntr
ol
Co
mp
ute
r
Int
erf
ac
e
Di
sp
lay
Co
ntr
ol
Se
nsor
s
Di
rec
t O
bs
erv
ati
on
Fundamental Tradeoff in
Alerting Decisions
�y
When to alert?
�?
Too earl
y
�o�
Unnecessar
y
Alert
�?
Operator would have avoided hazard without alert
�?
Leads to distrust of s
y
stem, dela
y
ed response
�?
Too late
�o
Missed Detection
�?
Incident occurs even with the alerting s
y
stem
�y
Must balance Unnecessary
Al
erts and Missed Detections
Hazard
Uncertain
Future Trajectory
Uncertain
current state
x
1
x
2
Courtesy: Jim Kuchar
Sy
ste
m
Su
pe
rvi
so
ry
Co
ntr
ol
Co
mp
ute
r
Int
erf
ac
e
Di
sp
lay
Co
ntr
ol
Se
nsor
s
Di
rec
t O
bs
erv
ati
on
The Alerting Decision
�y
Examine consequences of alerting / not alerting
�?
Alert is not issued: Nominal Trajector
y (N)
�?
Alert is issued: Avoidance Trajector
y (A)
A
Hazard
A
Current State
Hazard
N
Compute probabilit
y of Incident along each trajector
y
Courtesy: Jim Kuchar
Sy
ste
m
Su
pe
rvi
so
ry
Co
ntr
ol
Co
mp
ute
r
Int
erf
ac
e
Di
sp
lay
Co
ntr
ol
Se
nsor
s
Di
rec
t O
bs
erv
ati
on
Threshold Placement
0.0
0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
0.9
1
.
0
0.0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1.
0
Probability of False Alarm
P(FA)
Probability of Successful Alert
P(SA)
Example Alerting
Threshold Locations
Ideal Alerting System
1
2
Courtesy: Jim Kuchar
Sy
ste
m
Su
pe
rvi
so
ry
Co
ntr
ol
Co
mp
ute
r
Int
erf
ac
e
Di
sp
lay
Co
ntr
ol
Se
nsor
s
Di
rec
t O
bs
erv
ati
on
Courtesy: Jim Kuchar
Sy
ste
m
Su
pe
rvi
so
ry
Co
ntr
ol
Co
mp
ute
r
Int
erf
ac
e
Di
sp
lay
Co
ntr
ol
Se
nsor
s
Di
rec
t O
bs
erv
ati
on
Engine Fire Alerting
207.7
+10c
LBS X
1000
TOTAL
FUELTEMP
FIRE ENG R
1,250
1,380
CRZ
723394
1,250
1,380
723394
EPR
N
1
EGT
TAT
+15c
�y
C(F
A
)
high on takeoff
�y
A
l
erts suppressed during
TO
No
w
let’s take
a quick look at non-normal checklists.
T
he 777 EICAS message list
is similar to other Boeing EICAS airplanes.
[
For 747-400 o
perators
: It doesn’t use the “caret” s
y
mbol to indicate
a chec
klist
w
i
t
h
no QRH items, like the 747-
400s do.]
But it has an additio
nal featur
e, called t
he “c
hecklist ico
n”. T
he icon is displayed ne
xt to an EICAS message
w
h
enev
er
there i
s
an EC
L checklist that
needs to be c
o
mpleted.
Once the chec
klist is full
y
c
o
mplete, the icon is removed fr
om
displ
ay
next to the message.
T
h
is helps
the cre
w
k
eep t
r
ack of w
h
ic
h c
hecklists remai
n
to be completed.
W
015.
8
Sy
ste
m
Su
pe
rvi
so
ry
Co
ntr
ol
Co
mp
ute
r
Int
erf
ac
e
Di
sp
lay
Co
ntr
ol
Se
nsor
s
Di
rec
t O
bs
erv
ati
on
Crew Alerting Levels
Non-Normal Procedures
Time
Critical
Operational condition that requires immediate cre
w aw
areness an
d
i
mmediate
action
Warning
Operatio
n
al or sy
stem con
d
itio
n th
at
requires immediate crew
a
w
a
r
e
n
ess
and
definite correcti
ve or
compensatory
action
Ca
ution
Operatio
n
al or sy
stem con
d
itio
n th
at
requires immediate crew
a
w
a
r
e
n
ess
and
possible correcti
v
e
or compensatory
action
Ad
viso
ry
Operatio
n
al or sy
stem con
d
itio
n th
at
requires cre
w
a
wareness an
d
p
ossible
correcti
v
e
or compensatory
action
Alternate Normal Procedures
Comm
A
l
erts cre
w to incoming datalink communication
Memo
Cre
w
r
e
minders of the current state
of certain manually
selected
normal
conditions
Source: Brian Kelly Boe
ing
Don’t hav
e time to discuss these levels.
Important thing
to kno
w
is that
w
e
ri
goro
usl
y
define a
nd def
end these l
e
vel
s
We appl
y them
across all the
s
y
stems.
T
he indications
are consistent
for all alerts at each lev
el.
T
hus the pilots instantl
y
kno
w
the criticalit
y a
nd nature of an
alert even bef
ore the
y
k
n
o
w
w
h
at the prob
l
e
m is
Sy
ste
m
Su
pe
rvi
so
ry
Co
ntr
ol
Co
mp
ute
r
Int
erf
ac
e
Di
sp
lay
Co
ntr
ol
Se
nsor
s
Di
rec
t O
bs
erv
ati
on
Boeing Color Use Guides
Red
Warnings, warning level limitations
Amber
Cautions, caution level limitations
White
C
urrent status information
Green
Pilot selected data, mode annunciations
Magenta
Target information
Cyan
Background data
Again,
w
e
don’
t have time to describe these
definiti
ons in detail.
T
he important thing to note is
t
hat our phi
losophy
is definite, and as simple
as practical.
It fits on one
p
a
g
e
,
in bi
g
font no less.
Sy
ste
m
Su
pe
rvi
so
ry
Co
ntr
ol
Co
mp
ute
r
Int
erf
ac
e
Di
sp
lay
Co
ntr
ol
Se
nsor
s
Di
rec
t O
bs
erv
ati
on
Access To Non-Normal
Checklists
�y
Prevents choosing w
r
ong
checklist
FIR
E E
N
G R
FIRE ENG R
When an al
ert message is d
i
s
p
la
ye
d, the pilo
t simpl
y
p
u
she
s the CHKL but
ton and the cor
rect non-nor
m
a
l checklist is di
spla
ye
d.
T
his prevents the cr
e
w
from acc
identall
y
choosi
ng the
w
r
ong check
list.
T
he non-norm
al checkl
ists have
p
riorit
y
over
the normal ch
ecklists.
Sy
ste
m
Su
pe
rvi
so
ry
Co
ntr
ol
Co
mp
ute
r
Int
erf
ac
e
Di
sp
lay
Co
ntr
ol
Se
nsor
s
Di
rec
t O
bs
erv
ati
on
Non-Normal Checklists
W
015.
12
NORM
AL
ITEM
OVRD
NOTES
CHKL
OVRD
CHKL
RESET
Fire is detected in the right engi
ne.
RIGHT AUTO
THROTTLE ARM SWITCH . . . . . . . . .
.
. OFF
RIGHT THRUST LEVER . . . . . . . . . . . . . . . . . . . . . .CLOSERIGHT FUEL CONTROL SWITCH . . . . . . . . . . . . .
C
UTOFF
RIGHT ENGINE FI
RE SWITCH . . . . . . . . . . . . . . . . . .
P
ULL
If FIRE ENG R m
e
ssage remains displayed:
NORM
AL M
E
NU
RESETS
NON-NORM
AL M
E
NU
�9 �9�9�9
FIRE ENG R
RIGHT ENGINE FIRE SWITCH .
. . . . . . . . . . . . ROT
ATE
Rotate to the stop a
n
d
ho
ld fo
r 1
secon
d.
�9
3 2 1
�y
Checklist specific to left or right side
�y
Exact s
w
itch
specified
�y
Memory items already complete
�y
Closed-loop conditional item
�y
Page bar
T
h
is is
w
hat a typical normal c
hecklist looks like.
T
h
is is the
Preflight check
i
s
t.
T
here are t
w
o
kinds of line items,
w
hic
h
w
e
c
a
ll open-l
oop and
closed-loop
items.
T
he open-loop
items
have
a gray
check-box in front of
them.
T
hese are items that the airplane
s
y
stems cannot sense.
T
he pilot determines
w
h
ether the items have bee
n completed and clicks the CC
D thumbs
w
i
tch
w
hen eac
h item
is
complete.
Close
d-lo
op ite
ms are for s
w
it
ches and se
lec
tors that are sensed b
y
the
air
plan
e s
y
stems.
T
h
e
y
automat
icall
y
turn gr
ee
n
w
h
en th
e s
w
i
tch has been positioned correctl
y
.
If the
cre
w
actuates the
w
r
ong s
w
itc
h,
the closed-l
oop item
w
i
l
l
not
turn green and the crew
w
i
ll c
a
tch their error.
In this exampl
e, th
e procedur
e
w
a
s
alre
ad
y
complete, so th
e last t
w
o
items are sho
w
n
in gree
n as soon as the che
cklist is displ
a
yed.
that has been i
n
tention
all
y
ov
erridd
en b
y
the
cre
w
us
ing the
IT
EM
OVRD button. In this e
x
am
ple, the flig
ht is dispatchi
n
g
w
i
t
h
au
tobr
ak
es
inop
erative,
so the cre
w
h
a
s
overridden the
AUT
OBRAKE i
t
em. Overriding the item allow
s
the checklis
t to be completed.
T
h
e
w
hite curr
ent line item b
o
x
le
ads
the pi
lo
t through the checklist an
d pr
ev
ents accid
en
tall
y
sk
ipp
ing a
line item.
Color is us
ed to indic
ate lin
e i
t
em status.
Incomplete items
ar
e disp
la
ye
d w
h
ite an
d com
plete items are
displa
ye
d gre
e
n. C
y
an (
or b
l
ue) indicates an inapplic
abl
e i
t
em, or an item
Sy
ste
m
Su
pe
rvi
so
ry
Co
ntr
ol
Co
mp
ute
r
Int
erf
ac
e
Di
sp
lay
Co
ntr
ol
Se
nsor
s
Di
rec
t O
bs
erv
ati
on
Internal vs External Threat
Systems
�y
Internal
�?
S
ystem normall
y
well defined
�?
Logic relatively
static
�?
Simple ROC approach
valid
�?
Examples (Oil Pressure, Fire, Fuel, ...)
�y
External
�?
External environment ma
y not be well defined
�?
Stochastic elements
�?
Controlled s
y
stem trajector
y
m
a
y
be important
�?
Human response
�?
Need ROC like approach which considers entire s
y
s
t
em
�?
S
ystem Operating Characteristic (SOC) approach of Kuchar
�?
Examples (Traffic, Terrain, Weather, …)
Enhanced GPWS Impro
v
es Terrain/Situational Aw
a
r
eness
+ 2,000-ft high density
(50%
)
red
+ 1,000-ft high density
(50%
)
y
ellow
Referen
ce altitud
e
-
250/-500-ft medium density
(25
%
)
y
e
llow
-
1
,000-ft medium densit
y
(25
%
)
green
-
2
,000-ft medium densit
y
(12.5
%
) green
EFIS map display color legend
W002W.14
Sy
ste
m
Su
pe
rvi
so
ry
Co
ntr
ol
Co
mp
ute
r
Int
erf
ac
e
Di
sp
lay
Co
ntr
ol
Se
nsor
s
Di
rec
t O
bs
erv
ati
on
Aircraft Collision Avoidance
human
ai
rc
ra
ft
sen
s
ors
ex
peri
ence,
t
r
ai
ni
n
g
ot
he
r
i
n
f
o
.
(e.g. w
i
ndo
w
v
i
e
w
)
hu
m
an s
e
nses
diagnosis and
control
con
t
rol
s
GPW
S
alert and
decis
ion aid
c
a
ut
i
o
n:
"
t
e
r
r
a
i
n
"
automation
w
a
rni
n
g:
"
p
ul
l
up"
d
i
sp
la
ys
a
l
t
i
tude
a
nd al
ti
t
u
de ra
t
e
ot
h
e
r sensor
i
n
form
ati
on
t
e
rr
ai
n dat
a
Sy
ste
m
Su
pe
rvi
so
ry
Co
ntr
ol
Co
mp
ute
r
Int
erf
ac
e
Di
sp
lay
Co
ntr
ol
Se
nsor
s
Di
rec
t O
bs
erv
ati
on
Conflict Detection and
Resolution Framework
Environment
Dynamic Model
Conflict Detection
Conflict Resolution
Current States
Projected
States
Metrics
Human Operator
State Estimation
Intent
Metric
Definition
Courtesy: Jim Kuchar
Sy
ste
m
Su
pe
rvi
so
ry
Co
ntr
ol
Co
mp
ute
r
Int
erf
ac
e
Di
sp
lay
Co
ntr
ol
Se
nsor
s
Di
rec
t O
bs
erv
ati
on
Trajectory Modeling Methods
Nominal
Worst-case
Probabilistic
Courtesy: Jim Kuchar
Sy
ste
m
Su
pe
rvi
so
ry
Co
ntr
ol
Co
mp
ute
r
Int
erf
ac
e
Di
sp
lay
Co
ntr
ol
Se
nsor
s
Di
rec
t O
bs
erv
ati
on
Nominal Trajectory Prediction-
Based Alerting
�y
Alert w
h
e
n
projected trajectory
encounters hazard
�y
Look ahead time and trajector
y
model are design parameters
�y
Examples: TCAS, GPWS, AILS
hazard
system state
predicted nominal trajectory
Courtesy: Jim Kuchar
Sy
ste
m
Su
pe
rvi
so
ry
Co
ntr
ol
Co
mp
ute
r
Int
erf
ac
e
Di
sp
lay
Co
ntr
ol
Se
nsor
s
Di
rec
t O
bs
erv
ati
on
Airborne Information for Lateral Spacing
(AILS)
(nominal trajectory
prediction-based)
Endangered aircraft
vectored away
Alert
occurs with prediction
of near miss in given time interval
Courtesy: Jim Kuchar
Sy
ste
m
Su
pe
rvi
so
ry
Co
ntr
ol
Co
mp
ute
r
Int
erf
ac
e
Di
sp
lay
Co
ntr
ol
Se
nsor
s
Di
rec
t O
bs
erv
ati
on
Alert Trajectory Prediction-
Based Alerting
�y
Alert is issued as soon as
safe escape path is threatened
�y
A
t
tempt to ensure minimum lev
el of safety
�y
Some loss of control ov
er false alarms
�y
Example: Probabilistic parallel approach logic (Carpe
nter & Kuchar)
hazard
system state
predicted escape path
(alert trajectory)
n
o
m
i
n
a
l
t
r
a
j
e
c
t
o
r
y
Courtesy: Jim Kuchar
Sy
ste
m
Su
pe
rvi
so
ry
Co
ntr
ol
Co
mp
ute
r
Int
erf
ac
e
Di
sp
lay
Co
ntr
ol
Se
nsor
s
Di
rec
t O
bs
erv
ati
on
Monte Carlo Simulation
Structure
Monte Carlo
Simulation Engine
Protected Zone size
Uncertainties
(probability density functions)
Current
states
Along- and cross-track error
Maneuvering
characteristics
Confidence in intent information
Current state information
(position, velocity)
Intent information: Waypoints (2D, 3D, 4D) Target heading Target speed Target altitude Target altitude rate Maneuvering limitations
Probability of conflict
Implemented in real-time simulation studies at NASA AmesComputational time on the order of 1 sec
Courtesy: Jim Kuchar
Sy
ste
m
Su
pe
rvi
so
ry
Co
ntr
ol
Co
mp
ute
r
Int
erf
ac
e
Di
sp
lay
Co
ntr
ol
Se
nsor
s
Di
rec
t O
bs
erv
ati
on
Example State Uncertainty
Propagation
Computed via Monte Carlo
-50
0
50
0 50 100 150
Nautical Miles
Nautical Miles
t = 2 min
t = 5 min
t = 10 min t = 15 min
t = 20 min
along-track
�V
= 15 kt
cross-track
�V
= 1 nmi
(from NASA
Ames)
Courtesy: Jim Kuchar
Sy
ste
m
Su
pe
rvi
so
ry
Co
ntr
ol
Co
mp
ute
r
Int
erf
ac
e
Di
sp
lay
Co
ntr
ol
Se
nsor
s
Di
rec
t O
bs
erv
ati
on
Generating the System Operating
Characteristic Curve
0.0
0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
0.9
1
.
0
0.0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1.
0
Probability of False Alarm
P(FA)
Probability of Successful Alert
P(SA)
Example Alerting
Threshold Locations
Ideal Alerting System
1
2
Courtesy: Jim Kuchar
Sy
ste
m
Su
pe
rvi
so
ry
Co
ntr
ol
Co
mp
ute
r
Int
erf
ac
e
Di
sp
lay
Co
ntr
ol
Se
nsor
s
Di
rec
t O
bs
erv
ati
on
Multiple Alerting System
Disonance
?
Already occurred
w
i
t
h
on-board aler
t
i
ng s
ystem & air
traf
f
i
c controller
mid-air
collision
and
sev
eral near
misses
Ger
m
an
y
,
Jul
y
1
st
,2002; Zurich, 19
99; Japan, 2001
?
Potential for automation/automation dissona
nce is gro
w
ing
Sy
ste
m
Su
pe
rvi
so
ry
Co
ntr
ol
Co
mp
ute
r
Int
erf
ac
e
Di
sp
lay
Co
ntr
ol
Se
nsor
s
Di
rec
t O
bs
erv
ati
on
Example: Russian (TU154) and a DHL (B757) collide over Germany On July 1
st
, 2002
B757T-50 seconds
T-50 seconds
collision
TCAS“traffic”
T=0
TU154
T-43
ATC
“descen
d”
TCAS
“descen
d”
T-36
T-36TCAS
“climb”
ATC
“expedite
descent”
T-29
T-22
TCAS
“increase
descent”
T-8
TCAS
“increase
climb”
TCAS“traffic”
TCAS: on-board collis
ion avoidance system
ATC: Air Traffic Controller
Sy
ste
m
Su
pe
rvi
so
ry
Co
ntr
ol
Co
mp
ute
r
Int
erf
ac
e
Di
sp
lay
Co
ntr
ol
Se
nsor
s
Di
rec
t O
bs
erv
ati
on
Dissonance
�y
Indicated Dissonance: mismatch of information bet
w
een alerting s
ystems
�?
alert stage
�?
resolution command
�y
Indicated dissonance may not be perceived as dissonance
�?
Human operator knows
w
h
y dissonance is indicated
?
Indicated consonance may be perceived as dissonance
Sy
ste
m
Su
pe
rvi
so
ry
Co
ntr
ol
Co
mp
ute
r
Int
erf
ac
e
Di
sp
lay
Co
ntr
ol
Se
nsor
s
Di
rec
t O
bs
erv
ati
on
Causes of Indicated Dissonance
�y
Different alerting threshold and/or resolution logic
�y
Different sensor error or sensor co
v
e
rage
,
Alerting
Thresholds
Resolution
Logic
Attention-getting and
urgency
Resolution commands or
guidance
i
y
?
i
y
?
i
R
i
T
i
a
i
c
filter
i
n
i
y
?
i
y
i
G
x
Sensor systems
Sy
ste
m
Su
pe
rvi
so
ry
Co
ntr
ol
Co
mp
ute
r
Int
erf
ac
e
Di
sp
lay
Co
ntr
ol
Se
nsor
s
Di
rec
t O
bs
erv
ati
on
Example Perceived
Dissonance
System 1
System 2
No threat
caution
warning
?
I
nfluenced by other factors
(system dynamics, trend data, nominal information, human mental model, etc.)
Sy
ste
m
Su
pe
rvi
so
ry
Co
ntr
ol
Co
mp
ute
r
Int
erf
ac
e
Di
sp
lay
Co
ntr
ol
Se
nsor
s
Di
rec
t O
bs
erv
ati
on
Current Mitigation Methods
Prioritization
Alerting s
ystem
for traffic
Alerting s
ystem
for terrain
prioritize
The alert for traffic is inhibited
or onl
y
displa
y
ed passivel
y
Procedures for responding to dissonance
Human operator can be trained to know how the alerting s
ystems
work and how to deal with dissonanceTraining ma
y
be inadequate
2 B-757 accidents in 1996, dissonant alertfrom airspeed data s
y
stems
Sy
ste
m
Su
pe
rvi
so
ry
Co
ntr
ol
Co
mp
ute
r
Int
erf
ac
e
Di
sp
lay
Co
ntr
ol
Se
nsor
s
Di
rec
t O
bs
erv
ati
on
Terrain Alerting
TAWS Look-Ahead Alerts
(Terrain Database)
“Caution Terrain”
approx 45 sec
“Terrain, Terrain, Pull Up...”
approx
22 sec.
Basic GPWS modes (radar altitude)
Courtesy: Brian Kelly, Boeing
Sy
ste
m
Su
pe
rvi
so
ry
Co
ntr
ol
Co
mp
ute
r
Int
erf
ac
e
Di
sp
lay
Co
ntr
ol
Se
nsor
s
Di
rec
t O
bs
erv
ati
on
TAWS Look-ahead
Warning
�y
Threat terrain is sho
w
n
in solid red
�y
“Pull up” light or PFD message
�y
Colored terrain on na
v
i
gation displa
y
Courtesy: Brian Kelly, Boeing
Sy
ste
m
Su
pe
rvi
so
ry
Co
ntr
ol
Co
mp
ute
r
Int
erf
ac
e
Di
sp
lay
Co
ntr
ol
Se
nsor
s
Di
rec
t O
bs
erv
ati
on
Current Mitigation Methods
(2)
Modify procedures to av
oid dissonance
AILS alert
turn cli
mb
,
turn cli
m
b….
A
B
C
TCAS com
mand
descend,
descend,….
AILS --
-
A
irborne Infor
mation for
Lateral Spacing parallel approach
Special aler
ting s
ystem for
closel
y-
spaced r
u
n
w
a
y
approaches
TCAS --
-
T
raffic alert and
Collision Avoidance Sy
stem
W
a
rns the pilots to an immediate collision with other aircraft
Modify
air traffic control procedures to reduce the likelihood of
a simultaneous TCAS alert and parallel traffic alert
Changing operation pr
ocedure ma
y largel
y reduce the efficiency
of the airspace around the airport
Sy
ste
m
Su
pe
rvi
so
ry
Co
ntr
ol
Co
mp
ute
r
Int
erf
ac
e
Di
sp
lay
Co
ntr
ol
Se
nsor
s
Di
rec
t O
bs
erv
ati
on
Multiple Alerting System
Representation
Un
certainties
�[
Process
F
exp
erience
,
training, etc.
System 1
Hu
man
x
G
1
y
1
T
1
D
1
z
1
H
1
,
a
R
1
c
1
System 2
G
2
y
2
D
2
Al
erting
threshold
Resolution
logic
Attention-getting
and urgency
Resolution
commands
or guidance
Displays
filter
filter
1
n
2
n
1
?
y
1
?
y
T
2
2
,
a
R
2
c
2
2
?
y
2
?
y
y
nom
D
nom
G
nom
z
nom
nominal
informati
on sources
e
Control
u
x
�
�3
z
2
Sensor systems
Sy
ste
m
Su
pe
rvi
so
ry
Co
ntr
ol
Co
mp
ute
r
Int
erf
ac
e
Di
sp
lay
Co
ntr
ol
Se
nsor
s
Di
rec
t O
bs
erv
ati
on
SIMPLE REPRESENTATION OF
CONFORMANCE MONITORING
-3 -2 -1
0 1 2 3
0
1
02
03
04
05
0
Cross-track deviation (nm)
Time
(mins
)
-3 -2 -1
0 1 2 3
0
1
0
2
0
3
04
05
0
Cross-track deviation (nm)
Time (mins)
A320
(1990s)
B737-200
(1960s)
NON-
CONFORMING
A
I
RCRA
FT
Clearance
e.g. assigned trajectory,
heading v
ector, altitude, etc.
Observ
ed behav
ior
Conformance Region
CONFORMING
A
I
RCRA
FT
Non-Conformance Region
Sy
ste
m
Su
pe
rvi
so
ry
Co
ntr
ol
Co
mp
ute
r
Int
erf
ac
e
Di
sp
lay
Co
ntr
ol
Se
nsor
s
Di
rec
t O
bs
erv
ati
on
CORE RESEARCH APPROACH
�y
Conformance Monitoring as “fault detection”
�?
Aircraft non-conformance a “fault” in ATC s
y
stem needing to be detected
�?
Existing fault detection techniques can be used for new application
MODEL OF
SYSTEM
Resi
dual
Generation
Schem
e
Decision-
Making
Scheme
CO
MMAND
IN
PU
T
ACT
UAL
SYSTEM
FAULT DETECTIO
N FUNCTIO
NS
Observ
ed state
behav
iors
Expected state
behav
iors
Sy
ste
m
Su
pe
rvi
so
ry
Co
ntr
ol
Co
mp
ute
r
Int
erf
ac
e
Di
sp
lay
Co
ntr
ol
Se
nsor
s
Di
rec
t O
bs
erv
ati
on
CONFORMANCE MONITORING
ANALYSIS FRAMEWORK
�y
Fault detection frame
w
ork tailored for conformance monitoring
Ob
se
rv
e
d
st
at
e
b
e
ha
v
i
ors
Expect
ed
state
be
ha
v
i
o
r
s
A/
C
INTENT
CONTROL
SY
ST
E
M
AI
R
C
R
AF
T
DY
NA
MI
C
S
A
C
TUA
L
S
YSTE
M
R
EPR
ESE
NTA
TI
O
N
P
o
si
tion
V
e
l
o
city
Accel.
CO
N
F
O
R
M
A
NC
E M
O
N
I
TO
RI
N
G
M
O
DE
L
CON
FOR
MA
NC
E MONITORIN
G
FUN
CTIONS
Ex
t
e
rn
al d
i
s
t
urba
nc
es
,
e.g. w
i
nd
s
Ext
er
na
l
di
st
ur
ba
n
c
e
m
o
d
e
l
PI
LO
T
IN
T
E
N
T
A/
C
IN
T
E
N
T
MODE
L
C
O
NTROL
S
YSTEM
MODE
L
A
I
RC
RA
FT
D
Y
NA
M
I
CS
MODE
L
PI
LO
T
INTENTMOD
EL
Target
states
Gu
i
d
an
ce
mod
e
Nav.
ac
curacy
e.g. AN
P
Co
nt
ro
l
surf
ac
e
in
pu
ts
A/c
property
e.g
.
w
e
ight
SURVEILLA
NCE
Tr
aj
ec
to
ry
D
e
stin
atio
n
SU
RVEILLA
NCE MODEL
Conf
orm
a
nc
e
Re
sidua
l
G
e
ne
r
a
t
i
on
Scheme
Decision-
Making
Scheme
CONFORMA
NCE
BA
SIS
Sy
ste
m
Su
pe
rvi
so
ry
Co
ntr
ol
Co
mp
ute
r
Int
erf
ac
e
Di
sp
lay
Co
ntr
ol
Se
nsor
s
Di
rec
t O
bs
erv
ati
on
INTENT REPRESENTATION
IN ATC
�y
Intent formalized in “Surv
e
i
llance State Vector”
�y
Accuratel
y
m
imics intent communication & execution in ATC
�° �° �° �°�? �°�° �° �°�? �?
�° �° �° �°�ˉ �°�° �° �°�? �-
D(t)
states,
n
Destinatio
T(t)
states,
trajectory
Planned
C(t)
states,
target
Current
A(t)
states,
on
Accelerati
V(t)
states,
Velocity
P(t)
states,
Position
Traditional dynamic
states
Defined intent
states
Surveillance State
Vector,
X(t)
=
C
u
rre
nt
target state, C(t)
Planned
trajectory, T(t)
Destination, D(t)
MCP
FMS
PILOT
Sy
ste
m
Su
pe
rvi
so
ry
Co
ntr
ol
Co
mp
ute
r
Int
erf
ac
e
Di
sp
lay
Co
ntr
ol
Se
nsor
s
Di
rec
t O
bs
erv
ati
on
DECISION-MAKING SCHEME
�y
Consider e
v
i
dence in Conformance Residual to make best
determination of conformance status of aircraft
�y
Simple/common appr
oach uses threshold(s) on Conformance
Residuals
Exam
ple
threshold
States ob
serv
ed
from no
minal
system
opera
tion
State
x
1
State
x
2
Time
Conform
ance
R
esidua
l
Exampl
e
threshol
d
No
n-confor
m
i
ng
re
gio
n
Co
nfor
m
i
ng
reg
ion
Co
nfor
m
i
ng
re
gio
n
Non-
con
for
m
i
n
g
regi
on
Scalar residual
V
ector residual
Sy
ste
m
Su
pe
rvi
so
ry
Co
ntr
ol
Co
mp
ute
r
Int
erf
ac
e
Di
sp
lay
Co
ntr
ol
Se
nsor
s
Di
rec
t O
bs
erv
ati
on
FIGURE OF MERIT TRADEOFFS
�y
Use “figures of merit” to examine trade-offs applicable to application
�?
Time-To-Detection (TTD) of alert of true non-conformance
�?
False Alarms (FA) of alert w
hen actuall
y conforming
�?
FA/TTD tradeoff analogous to inverse S
ystem Operating Characteristic curve
0
0 1
Time-To-Detection (TTD) of
true non-conformance
of a particular type
P(False alarm (FA ) of
non-conformance)
Ideal oper
ati
n
g
point
Increasing
decision threshold
Im
pr
ov
i
n
g
performance
Sy
ste
m
Su
pe
rvi
so
ry
Co
ntr
ol
Co
mp
ute
r
Int
erf
ac
e
Di
sp
lay
Co
ntr
ol
Se
nsor
s
Di
rec
t O
bs
erv
ati
on
OPERATIONAL DATA EVALUATION
�y
Boeing 737-400 test aircraft
�?
Collaboration with Boeing ATM
�?
T
w
o test flights over N
W
USA
�?
Experimental configuration notrepresentative of production model
�y
A
r
chi
v
e
d
A
RINC 429 aircraft states
�?
Latitude/longitude (
I
RU & GPS)
�?
Altitude (barometric & GPS)
�?
Heading, roll, pitch angles
�?
Speed
s (ground, true air, vertical, ...)
�?
Selected FMS states (desired track,distance-
to-go,
bearing-t
o
-wa
ypoint)
�y
A
r
chi
v
ed F
A
A
Host ground states
�?
Radar latitude/longitude
�?
Mode C transponder altitude
�?
Radar-derived heading & speed
�?
Controller
assigned altitude
�?
Flight plan route (textual)
F
L
IGH
T 1
FLIGHT 2
WASHI
NGTO
N
OREGON
I
DAHO
M
O
NTANA
CALIFORNIA
NEVADA
WASHI
NGTO
N
OREGON
I
DAHO
M
O
NTANA
CALIFORNIA
NEVADA
Longitude
L
a t
i t u
d
e
Sy
ste
m
Su
pe
rvi
so
ry
Co
ntr
ol
Co
mp
ute
r
Int
erf
ac
e
Di
sp
lay
Co
ntr
ol
Se
nsor
s
Di
rec
t O
bs
erv
ati
on
LATERAL DEVIATION TEST
SCENARIO
Flight
Plan
Route
Recov
ery
�O
Nominal
fl
ight
�M
�N
Dev
iation
Time (secs)
Cross-track
error (nm)
Heading angle
(degs)
Roll an gle
( d egs)
�O
�M
�N
Nomina
l
flig
ht
De
v
i
ation
R
e
c
o
v
ery
Time (secs)
Cross-track
error (nm)
Heading angle
(degs)
Roll an gle
( d egs)
�O
�M
�N
Nomina
l
flig
ht
De
v
i
ation
R
e
c
o
v
ery
Databus
data (0.1 sec)
GPS data (1 sec)
Radar data (12 sec)
Sy
ste
m
Su
pe
rvi
so
ry
Co
ntr
ol
Co
mp
ute
r
Int
erf
ac
e
Di
sp
lay
Co
ntr
ol
Se
nsor
s
Di
rec
t O
bs
erv
ati
on
LATERAL DEVIATION
DECISION-MAKING
Time relativ
e to start of dev
iation (secs)
Conformance
Residual
Conform ance
Residual
Aircraft data
Time relativ
e to start of dev
iation (secs)
Radar d
a
ta
False alarm
region
Time-to-detection
region
False alarm
region
Time-to-detection
region
Sy
ste
m
Su
pe
rvi
so
ry
Co
ntr
ol
Co
mp
ute
r
Int
erf
ac
e
Di
sp
lay
Co
ntr
ol
Se
nsor
s
Di
rec
t O
bs
erv
ati
on
LATERAL DEVIATION FALSE
ALARM / TIME-TO-DETECTION (2)
T
i
m
e
-T
o
-
D
e
te
c
t
io
n
(s
e
c
s
)
Observ ed Probability of False Alarm
R
adar
C
R
L
�(p
o
s
itio
n
&
h
e
a
d
in
g
)
A
i
rcra
ft
C
R
L
��I
(
p
os
i
t
i
o
n
,
headi
n
g
&
r
o
l
l
)
A
i
rcra
ft
C
R
L
�(
p
os
i
t
i
on &
headi
ng)
I
d
ea
l
oper
a
t
i
n
g
poi
nt
R
adar
C
R
L
(p
o
s
itio
n
)
A
i
rcra
ft
C
R
L
(p
o
s
itio
n
)
Note: results are for a simple de
viation
from straight flight under autopilot control.Shifted cur
ves w
o
uld result for different
operating modes and en
vironments:
demonstrated through extensiv
e simulation
studies in thesis
Sy
ste
m
Su
pe
rvi
so
ry
Co
ntr
ol
Co
mp
ute
r
Int
erf
ac
e
Di
sp
lay
Co
ntr
ol
Se
nsor
s
Di
rec
t O
bs
erv
ati
on
LATERAL TRANSITION
NON-
CONFORMANCE
SCENARIO
Flight test
trajectory
Fillet toincorrect route
Fillet to
correct route
A
p
p
r
o
x
.
1
0
°
h
e
a
d
i
ng
n
o
n
-
c
on
f
o
r
m
a
n
c
e
Incorrect
route
Correct
route
Sy
ste
m
Su
pe
rvi
so
ry
Co
ntr
ol
Co
mp
ute
r
Int
erf
ac
e
Di
sp
lay
Co
ntr
ol
Se
nsor
s
Di
rec
t O
bs
erv
ati
on
LATERAL TRANSITION FALSE ALARM / TIME-TO-DETECTION
Ti
me-
T
o-
D
e
t
e
ct
i
o
n (secs)
Observ ed Probability of False Alarm
Ideal operating
point
10
°
non-
c
o
nf
or
manc
e
duri
ng
t
r
ansit
i
o
n
(m
e
d
iu
m
fid
e
lity
C
M
M
)
10° non-
conf
or
mance
dur
i
ng tr
ansi
t
i
on
(lo
w
fid
e
lity
C
M
M
)
10°no
n-con
forma
nce
froms
traigh
tfligh
t
(lowf
idelity
CMM)
Sy
ste
m
Su
pe
rvi
so
ry
Co
ntr
ol
Co
mp
ute
r
Int
erf
ac
e
Di
sp
lay
Co
ntr
ol
Se
nsor
s
Di
rec
t O
bs
erv
ati
on
Design Principles for
Alerting and Decision-Aiding Systems
for Automobiles
James K. Kuchar
Departme
nt
of
A
e
ronautics and A
s
tronautics
Massachu
setts Institute of Tech
n
o
l
o
gy
Sy
ste
m
Su
pe
rvi
so
ry
Co
ntr
ol
Co
mp
ute
r
Int
erf
ac
e
Di
sp
lay
Co
ntr
ol
Se
nsor
s
Di
rec
t O
bs
erv
ati
on
Kinematics
�y
A
l
ert time: t
alert
= (r -
d)/
v
t
alert
= 0
�J
braking must begin immediately
t
alert
=
�W
�J
alert is issued
�W
seconds before braking is required
�y
Determine P(UA
) and P(S
A) a
s
function of t
alert
Vehicle
Hazard
r
Alert Issue
d
d
Total
Braking Distance
Response
Latency
Braking Distance
v
�W
Sy
ste
m
Su
pe
rvi
so
ry
Co
ntr
ol
Co
mp
ute
r
Int
erf
ac
e
Di
sp
lay
Co
ntr
ol
Se
nsor
s
Di
rec
t O
bs
erv
ati
on
Example Human Response Time
Distribution
0
0.05
0.1
0.15
0.2
0.25
0.3
0.35
0.4
0.45
012
34
5
Time (s)
Lognormal distribution (mode = 1.07 s, dispersion = 0.49) [Najm et al.]
Sy
ste
m
Su
pe
rvi
so
ry
Co
ntr
ol
Co
mp
ute
r
Int
erf
ac
e
Di
sp
lay
Co
ntr
ol
Se
nsor
s
Di
rec
t O
bs
erv
ati
on
Case 3: Add Response Delay
Uncertainty
0
0.2 0.4 0.6 0.8
1
0
0.2
0.4
0.6
0.8
1
P(UA)
P(SA)
?
0.0
0.5
1.0
1.5
2.0
2.5
3.0
3.5
4.0
t
alert
Sy
ste
m
Su
pe
rvi
so
ry
Co
ntr
ol
Co
mp
ute
r
Int
erf
ac
e
Di
sp
lay
Co
ntr
ol
Se
nsor
s
Di
rec
t O
bs
erv
ati
on
Case 4: Add Deceleration
Uncertainty
0
0.2 0.4 0.6 0.8
1
0
0.2
0.4
0.6
0.8
1
P(UA)
P(SA)
4.
0
3.5
3.0
2.5
2.0
1.5
1.0
0.5
? 0.0
t
alert
�V
a
= 3 ft/s
2
Sy
ste
m
Su
pe
rvi
so
ry
Co
ntr
ol
Co
mp
ute
r
Int
erf
ac
e
Di
sp
lay
Co
ntr
ol
Se
nsor
s
Di
rec
t O
bs
erv
ati
on
Conformance Monitoring for
Internal and Collision Alerting
�y
Simple Sensor Based Collision Alerting S
ystems Do Not Pro
v
ide
Adequate Alert Performance due to Kinematics
�?
SOC Curve Anal
y
s
is
�?
P(FA), P(MD) Performance
�y
Enhanced Collision Alerting Sy
s
t
ems Require Inference or
Measurement of Higher Order Intent States
�?
Automatic Dependent Surveillance (Broadcast)
�?
Environment Inferencing
�?
Observed States
Sy
ste
m
Su
pe
rvi
so
ry
Co
ntr
ol
Co
mp
ute
r
Int
erf
ac
e
Di
sp
lay
Co
ntr
ol
Se
nsor
s
Di
rec
t O
bs
erv
ati
on
SURVEILLANCE STATE VECTOR
�y
Aircraft Sur
v
eillance State Vector,
X
(
t
)
containing unce
rtainty & errors
�G
X
(
t
)
is given b
y
:
�?
Traditional d
y
namic states
�?
Intent and goal states
��
X(t)
�
P
osition,
R(t)
Velocity,
V(t)
Acceleration,
A(t)
Intent,
I(t)
Goals,
G(t)
�
�-
�
�?� �°��°��°��°��ˉ� �°��°��°��°�
�?
�
�?� �°��°��°��°��?� �°��°��°��°�
,
�
�G
X
(
t
)
�
�G
R
(t)
�G
V
(t)
�G
A
(t)
�G
I
(t)
�G
G(t)
�
�-
�
�?� �°��°��°��°��ˉ� �°��°��°��°�
�?
�
�?� �°��°
�
�°��°��?� �°��°
�
�°��°�
Sy
ste
m
Su
pe
rvi
so
ry
Co
ntr
ol
Co
mp
ute
r
Int
erf
ac
e
Di
sp
lay
Co
ntr
ol
Se
nsor
s
Di
rec
t O
bs
erv
ati
on
INTENT STATE VECTOR
�y
Intent State Vector can be separated into current target states and subsequent states
I
(
t
)
�
Current target states
Subsequent planned trajectory
�-
�
�?��ˉ�
�?
�
�?��?�
(Eqn. 3)
Sy
ste
m
Su
pe
rvi
so
ry
Co
ntr
ol
Co
mp
ute
r
Int
erf
ac
e
Di
sp
lay
Co
ntr
ol
Se
nsor
s
Di
rec
t O
bs
erv
ati
on
Automobile Lateral Tracking Loop
Vehicle
Goal
Selection
Route
Selection
Lane/
Li
ne
Selection
Lane/
Li
ne
Tracki
ng
External Environment
-
Default
-
O
p
e
n Loop
-
O
ptimized
-
C
ommande
d
-
P
rior
Hi
stor
y
-I
n
s
t
r
u
c
t
e
d
-W
a
n
d
e
r
Route
DesiredLi
ne
SteeringComm
and
Ve
h
i
c
l
e
States
-B
e
s
t
L
i
n
e
-
L
a
n
e Sw
itching
-
T
r
a
ffi
c
-S
p
e
e
d
Goal
Whee
l Posit
io
n
(forc
e)
A
c
c
eleratio
n
Velocity
Positi
on
Ha
za
rd
Monitoring
Threats
D
i
s
t
u
r
ba
nce
s
Strategi
c
Fa
cto
r
s
X = (Goal, Subsequent Planned Trajectory
, Cur
rent Ta
rget State,
A
c
celeration, Velocity
, Position)
Sy
ste
m
Su
pe
rvi
so
ry
Co
ntr
ol
Co
mp
ute
r
Int
erf
ac
e
Di
sp
lay
Co
ntr
ol
Se
nsor
s
Di
rec
t O
bs
erv
ati
on
Intent Observability States
�y
Road
w
a
y
�y
Indicator Lights
�?
Break Lights
�?
Turn Signals
�?
Stop Lights
�y
A
c
c
e
leration States
�y
GPS Routing
�y
Head Position
�y
Dynamic History
�y
Tracking Beha
v
ior
Sy
ste
m
Su
pe
rvi
so
ry
Co
ntr
ol
Co
mp
ute
r
Int
erf
ac
e
Di
sp
lay
Co
ntr
ol
Se
nsor
s
Di
rec
t O
bs
erv
ati
on
Fatal Accident Causes
Sy
ste
m
Su
pe
rvi
so
ry
Co
ntr
ol
Co
mp
ute
r
Int
erf
ac
e
Di
sp
lay
Co
ntr
ol
Se
nsor
s
Di
rec
t O
bs
erv
ati
on
Prototype MIT Terrain
Alerting Displays
Sy
ste
m
Su
pe
rvi
so
ry
Co
ntr
ol
Co
mp
ute
r
Int
erf
ac
e
Di
sp
lay
Co
ntr
ol
Se
nsor
s
Di
rec
t O
bs
erv
ati
on
Alerting System Research
�y
Kuchar, 1995
�?
Method for setting alert thresholds to balance False Alarms and Missed Detections
�y
Yang, 2000
�?
Use of d
y
namic models to drive alerting criteria
�y
Tomlin, 1998
�?
H
y
brid control for conflict resolution
�y
L
ynch and Le
veson, 1997
�?
Formal Verification of conflict resolution algorithm
�y
Pritchett and Hansman, 1997
�?
Dissonance
between human mental model and alerting s
y
stem
Information that suggests different timing of alerts and actions
to
resolve the hazard
�?
Suggested displa
y
formats to reduce dissonance
Human Supervisory Control of Automated Systems(人类监控自动化系统):040804alertsys_1
| 课件名称: | Human Supervisory Control of Automated Systems(人类监控自动化系统) |
| 课件分类: | 航空航天 |
| 课件类型: | 教学课件 |
| 文件大小: | 12.47MB |
| 下载次数: | 0 |
| 评论次数: | 0 |
| 用户评分: | 0 |
- 2. Human Supervisory Control of Automated Systems(人类监控自动化系统):020504hmancenter
- 3. Human Supervisory Control of Automated Systems(人类监控自动化系统):021004taskanalys
- 4. Human Supervisory Control of Automated Systems(人类监控自动化系统):021904_memory
- 5. Human Supervisory Control of Automated Systems(人类监控自动化系统):030204classdecis
- 6. Human Supervisory Control of Automated Systems(人类监控自动化系统):030404signdetect
- 7. Human Supervisory Control of Automated Systems(人类监控自动化系统):030904juduncstel
- 8. Human Supervisory Control of Automated Systems(人类监控自动化系统):031104nadecision
- 9. Human Supervisory Control of Automated Systems(人类监控自动化系统):031604wloadsitua
- 10. Human Supervisory Control of Automated Systems(人类监控自动化系统):040604coop_decis
- 11. Human Supervisory Control of Automated Systems(人类监控自动化系统):040804alertsys_1
- 12. Human Supervisory Control of Automated Systems(人类监控自动化系统):040804alertsys_2
- 13. Human Supervisory Control of Automated Systems(人类监控自动化系统):041504_unmanned
- 14. Human Supervisory Control of Automated Systems(人类监控自动化系统):042204autosystem
- 15. Human Supervisory Control of Automated Systems(人类监控自动化系统):050404nucprocont
- 16. Human Supervisory Control of Automated Systems(人类监控自动化系统):050604socimplica