A. AIR TRAFFIC CONTROL SYSTEM - PROJECT DESCRIPTION

The project involves the design, implementation, testing, and analysis of a simplified air traffic monitoring and control system (ATC) (Figure A0). A standard computer system, such as a PC or workstation, with a graphics display and accessible clock is assumed. The specifications are deliberately vague in some places, for example, in the formatting details of display output and command input. To a large extent, these depend on the particular computer and software employed; we also wish to leave some scope for design creativity.

 

A1. Purpose

The purpose of the ATC is to assure the safety of aircraft traversing a given airspace and to assure their efficient traversal. To achieve these goals, the ATC must track or monitor each aircraft in the space and must be able to command an aircraft to change its path or its speed.

Safety means avoiding collisions. The safety constraint is defined in terms of minimum separation - at any time, no two aircraft may be closer than a given distance from each other, say 1000 feet in elevation and 3 miles in the horizontal plane. These numbers and units, and the others that are given below, should be treated as examples that could be changed easily. We will not be too concerned with efficiency, for example, trying to maximize aircraft throughput; however, the ATC should not degrade efficient operation except when the safety constraint may be otherwise violated. For the project, this means that unless two aircraft violate, or are projected to violate, the minimum separation constraint, they will not be commanded to change their direction or speed.

 

A2. The Environment

The airspace is a three-dimensional rectangle, say 100 by 100 miles in the horizontal plane and 25,000 feet high, bounded below by a horizontal plane at 15,000 feet in elevation, i.e. above sea level (Figure A1). An aircraft enters the space flying in a horizontal plane at a constant velocity. It maintains its altitude and speed unless directed by the ATC to change. Thus aircraft do not enter from above or below the space, and fly in a horizontal plane under normal conditions. An aircraft entering the space is "handed-off" to the ATC by its controlling neighbor site. When an aircraft leaves the space, it is handed-off to a neighboring ATC.

All aircraft have radio communication that can be tuned to the ATC, allowing pilots and ATC controllers to speak directly to one another. We will not be concerned with the details of this voice communications part of the system. Almost all aircraft are equipped with "transponders" that return identification and location coordinates to radars, and with digital communications that allow sending and receiving of electronic messages.

At the ATC site, there is a computer system with interfaces to a radar subsystem, digital communications subsystem, and display output and keyboard/mouse input for the human controller. Figure A2 illustrates the input and output interfaces provided by these subsystems.

 

There is also a radio communications system that is independent of the computer system. Among other uses, this voice system provides a back-up to the computer system in case there is a problem with computer communications, radar tracking, or other failures, or in case aircraft fail to correctly execute commands.

The radar subsystem scans the entire airspace periodically, say every 15 seconds, returning a list of "hits" in a buffer that can be accessed by the computer. Hits are objects "seen" by the radar. The communications subsystem allows the ATC to send and receive digital messages.

The ATC controller, a human operator, interacts with the system and aircraft by inputting commands through the keyboard and through voice on the radio. The system communicates with the controller through the output display. The display shows various views of the state of the airspace, echoes operator input, and lists electronic messages that are received.

 

A3. Inputs and Outputs

Inputs to the ATC computer system can arrive from the radar subsystem, from the digital communications interface, and from the operator keyboard and mouse. The system outputs consist of the operator display and the communications device.

ATC Inputs

The radar input is a hit list L with the following form and meaning.

        L = size, Hit(1), Hit(2), . . . , Hit(size) .

Each hit element represents an object in the airspace. A hit Hit(i) has the structure

        Hit(i) = (aircraft_id, (x, y, z)) ,

where aircraft_id identifies the aircraft hit or seen by the radar, and (x, y, z) gives the coordinates of the aircraft in the space. If an aircraft does not have a working transponder, the radar still returns a hit but with an aircraft_id field set to "unknown". The radar buffer is locked from computer access for a short time, say 1 millisecond, near the end of the 15 second period while the hit data is copied to it.

Input messages through the communications system are either messages from individual aircraft in the space or hand-off messages from a neighboring space. In the first case, the input is either a response to an operator command or it may be a request for permission to change elevation or velocity (for example, because of unstable air in the aircraft's current flight path). A hand-off message contains an aircraft identity and projected airspace entry data, such as time, location, and velocity at entry.

Messages are received in a queue that can be read and emptied by the computer system. Each message in the queue is of the form

        (sender_id, message) .

sender_id is the name of the message sender and message is the contents of the message.

 

Operator input consists of commands or information requests directed either towards individual airplanes or to all objects in the space, requests for data in the ATC system, corrections or changes to data maintained by the system, and hand-off messages to be sent to a neighboring ATC site.

The operator can input any of the following commands to a designated aircraft:

• change altitude by a given positive or negative amount

• increase or decrease its speed

• change direction in its horizontal plane

• enter or leave a holding pattern.

        A holding pattern is a closed flight path. One standard pattern is an oval or racetrack.

• report its current position and velocity

 

The operator can command all aircraft with either of the following:

• enter or leave a holding pattern

• report aircraft identification, position, and velocity

 

Operator requests to read or change internal systems data that represent the state of the airspace include:

• add or delete an aircraft object

• change the position, elevation, or velocity of an aircraft

• display data record for a given aircraft

• project aircraft positions to current_time + n, where n is some integer number of seconds

ATC Outputs

The system outputs are communications output and display output. To send a message m to a receiver R over the communications subsystem, the computer system emits the command

        send(R, m) .

The receiver R can be an aircraft or an ATC site. A message m can be broadcast to any listening receivers with the command

        broadcast(m) .

send and broadcast are both asynchronous (non-blocking) - the computer system proceeds immediately after executing the command.

Hand-off messages are sent to neighboring sites. Directed and broadcast messages can be transmitted to aircraft based on input commands from the operator. Messages are also generated internally based on systems state. In particular, a potential collision notification is sent if the system detects that aircraft are about to violate the minimum separation constraints. (This is considered a back-up in case the operator fails to command aircraft to take some safety action, or in case the aircraft fail to execute the operator commands - see below.)

In its normal mode, the display shows a plan (top) view of the airspace locating each aircraft in the space. Under operator control responding to command input, more complete data on each object is displayed. All electronic messages received from other aircraft and sites are also displayed. In addition, if the separation constraint is violated, or will be violated within a given interval, say 3 minutes, a pictorial alarm such as flashing or red icons is output, along with pointers to the offending objects. Pictorial alarms are also displayed whenever an unidentified object is detected by the radar or an identified aircraft is lost (no radar hit).
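
The radar-side conditions that raise these alarms (an "unknown" hit, or a tracked aircraft with no hit) can be derived from one hit list as sketched below. This is an added example, not part of the original project description; the dictionary data base, the function names, and the extra "untracked" category for identified hits that have no record are assumptions.

```python
UNKNOWN = "unknown"  # aircraft_id the radar reports when no transponder answers

def parse_hit_list(raw):
    """Split L = size, Hit(1), ..., Hit(size) and check size against the data."""
    size, hits = raw[0], list(raw[1:])
    if size != len(hits):
        raise ValueError(f"hit list declares {size} hits but carries {len(hits)}")
    for aircraft_id, coords in hits:
        if len(coords) != 3:
            raise ValueError(f"bad coordinates for {aircraft_id!r}: {coords!r}")
    return hits

def reconcile(db, raw):
    """Apply one radar scan to the airspace data base (dict: id -> (x, y, z)).

    Returns (unidentified, lost, untracked):
      unidentified - coordinates of hits whose aircraft_id is "unknown"
      lost         - ids held in the data base that produced no hit in this scan
      untracked    - identified hits with no data base record (assumed category)
    """
    unidentified, untracked, seen = [], [], set()
    for aircraft_id, coords in parse_hit_list(raw):
        if aircraft_id == UNKNOWN:
            unidentified.append(coords)
        elif aircraft_id in db:
            db[aircraft_id] = coords      # refresh current_position
            seen.add(aircraft_id)
        else:
            untracked.append(aircraft_id)
    lost = sorted(set(db) - seen)
    return unidentified, lost, untracked

# Constructed sample data: ids and coordinates are made up for illustration.
SAMPLE_DB = {"AC100": (10.0, 50.0, 20000.0), "AC200": (40.0, 50.0, 20500.0)}
SAMPLE_SCAN = (3,
               ("AC100", (12.0, 50.0, 20000.0)),
               (UNKNOWN, (70.0, 20.0, 18000.0)),
               ("AC900", (5.0, 5.0, 16000.0)))

if __name__ == "__main__":
    db = dict(SAMPLE_DB)
    print(reconcile(db, SAMPLE_SCAN))
```
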

 

A4. Software Functions And Data, With Timing Constraints

The primary data structure in the ATC system is an airspace data base containing a record of all aircraft in the space at the current time. For each aircraft, there must be a structure including at least the following information:

        aircraft_id, current_position, current_velocity .

The software is responsible for performing the functions:

• Display a plan view of the space periodically, say every 5 seconds, extrapolating if necessary to show the current position of each aircraft.

• Check all objects in the airspace for separation constraint violations at current_time + n seconds, where n is an integer parameter. Display an alarm if a safety violation is found.

• Interpret and provide an initial response to all operator commands within a given time, say 2 seconds. For commands that require communications to and from aircraft, the initial response should occur after the appropriate message is sent to the communications subsystem.

• Receive and interpret input to the communications subsystem. This could be data sent from aircraft in the space or from neighboring sites.

• Maintain the airspace data base. This requires functions to add, remove, and change the data of aircraft records.

• Store the airspace state in a history file periodically, say every 60 seconds. There should be enough information in this log to generate an approximation to the history of the airspace over time.

• Handle lost or unidentified objects, for example, by first broadcasting messages such as "Where are you?" or "Please identify yourself." and then alerting the operator, who can switch to the radio and attempt voice contact.

• Detect and handle failures including missed deadlines and failure of an aircraft to respond to an operator command.
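
An added example (not part of the original project description) of the separation check at current_time + n, using constant-velocity extrapolation over the airspace data base. Assumptions: positions are (miles, miles, feet), velocities are per second, a violation requires both the horizontal and the vertical separation to be below their minimum, and the 3-minute look-ahead interval is sampled every 5 seconds.

```python
import math
from dataclasses import dataclass
from itertools import combinations

# Example limits from section A1; parameters because the text says they may change.
MIN_HORIZ_MILES = 3.0
MIN_VERT_FEET = 1000.0

@dataclass
class Aircraft:
    aircraft_id: str
    position: tuple   # (x miles, y miles, z feet): units are an assumption
    velocity: tuple   # (vx, vy in miles/second, vz in feet/second)

def project(ac, n):
    """Extrapolate the position n seconds ahead at constant velocity."""
    return tuple(p + v * n for p, v in zip(ac.position, ac.velocity))

def violates(p, q, horiz=MIN_HORIZ_MILES, vert=MIN_VERT_FEET):
    """Assumed reading: a conflict needs BOTH separations below their minimum."""
    return math.hypot(p[0] - q[0], p[1] - q[1]) < horiz and abs(p[2] - q[2]) < vert

def conflicts_at(db, n):
    """Pairs of aircraft ids that violate separation at current_time + n."""
    proj = {ac.aircraft_id: project(ac, n) for ac in db}
    return [(a, b) for a, b in combinations(sorted(proj), 2)
            if violates(proj[a], proj[b])]

def first_conflict(db, horizon=180, step=5):
    """Sample the look-ahead interval; return {pair: earliest n with a conflict}."""
    found = {}
    for n in range(0, horizon + 1, step):
        for pair in conflicts_at(db, n):
            found.setdefault(pair, n)
    return found

# Constructed sample data: two aircraft head-on 500 feet apart, one far above.
MPS = 480 / 3600  # 480 mph expressed in miles per second
SAMPLE_DB = [
    Aircraft("AC100", (10.0, 50.0, 20000.0), (MPS, 0.0, 0.0)),
    Aircraft("AC200", (40.0, 50.0, 20500.0), (-MPS, 0.0, 0.0)),
    Aircraft("AC300", (25.0, 50.0, 30000.0), (0.0, 0.0, 0.0)),
]

if __name__ == "__main__":
    print(conflicts_at(SAMPLE_DB, 0))   # separation holds at the current time
    print(first_conflict(SAMPLE_DB))    # earliest projected violation per pair
```

The pairwise scan is quadratic in the number of aircraft, which matters for the periodic deadline once the data base grows; the sampling step must also be short enough that a pair cannot cross the protected zone between two samples.
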