3. TCAS II design failures
• TCAS II V6.02 – Dangerous in level-offs
• TCAS II V6.04a
– “Marginally operationally acceptable”
– “Don’t climb” heard as “climb”
– Multi-aircraft logic
• TCAS II V7.0
– SA01
– “Adjust Vertical Speed”
– What engineers thought was correct
• 2-second imprecise recordings
• State of the art design ()
• Documentation based on ICAO ()
• Training is an issue.
4. TCAS Validation Updates
• Clapham Junction Rail Accident Inquiry – go beyond the immediate cause
• Encounter models (fast-time simulations for validation) were updated with each iteration of TCAS.
• Safety standards gradually improved
– Event models
– SAM safety methodology
– HAZOP
• Software standard DO-178C
– Arguably too rigorous
5. Failure Analysis
• Failure Mode and Effects Analysis (FMEA) is only part of a good safety analysis – performed prior to implementation.
• “Failure analysis is the process of collecting and analysing data to determine the cause of a failure.” Performed post-implementation, e.g. by the Air Accident Investigation Board.
• Monitoring to detect failures before they become catastrophic, e.g. European Voluntary ATM Incident Reporting (EVAIR).
6. Common Requirements
• Multiple implementations
• Multiple teams
• Trials
• Formal methods – at least for assessment
• Emphasis on consensus decision making
7. Conclusion
• Design failures should lead to re-evaluation of
– the design, and
– the development process