If there’s one sure bet in this world it is that pilots and controllers will disagree about TCAS. Controllers believe it is an invention of the devil, pilots love it, if it is u/s, they feel naked. It is a remarkable technical achievement. I remember several UK CAA briefings in the very early 80s which declared flatly that an airborne collision avoidance system was just impossible, so it was something of a surprise to find working prototypes within a few years. The first versions were very limited in their ability to adjust the advisory, and would quickly announce ‘TCAS Invalid’ if the original RA no longer suited the situation.
Pilots vetoed that, and the first operational version was vastly more capable, with the ability to upgrade, downgrade, or even reverse the advisory. Later versions improved the coordination logic. The basic collision avoidance algorithm, however, is still recognisable, based on ‘tau’ (range/range rate) criteria.
Before TCAS entry, I took part in a number of controller briefing sessions. People came up with all sorts of ingenious scenarios that they were convinced TCAS could not handle. Almost without exception TCAS passed those tests. But there is a flaw in TCAS that those controllers, and to be honest most of us working closely on the project, either ignored or under appreciated. It is the boring old problem of the human in the loop.
Some warning signs were there from the beginning, I remember reading one FAA document that claimed the TCAS RA manoeuvre was just another pilot manoeuvre and, moreover, imperceptible. Where on earth did they get that idea? TCAS normal response requires ¼ g, far more than airline pilots are used to applying (particularly in the negative sense). What is more, no one seemed to have thought how easy or hard it would be to achieve the desired reaction. Actually it isn’t particularly difficult, but you do have to think about it, and train it, otherwise it just won’t happen. Sadly there is ample evidence that the right response rates are still not being achieved, with both under and over reactions common. Does this matter? Too right it does. In the Uberlingen accident, everyone knows that the Tu 154 went the wrong way, but how many people have looked and learnt from the reaction of the 757? Yes, it was in the correct sense, but a look at the data in the BFU’s accident report (fig 1) reveals that it took about 13 seconds for its vertical speed to reach 1500 ft/minute versus about 5 the designers and the CAS logic assumed, enough to have given it another 2-300 ft clearance, and to convert a collision into a near miss. Other HFs were soon to surface.
About two years into the equipage program, a number of disconcerting incidents occurred which involved incorrect flying of a ‘crossing’ manoeuvre. A ‘crossing’ means that TCAS has decided that in the particular geometry the best vertical separation will be achieved if the two aircraft involved continue through each others current levels. That might sound counterintuitive, but it typically happens when both aircraft are converging at high vertical speeds. This scenario is a common feature of two aircraft approaching two levels correctly separated by 1000ft (see fig 2), TCAS is of course unaware of the intent to level off. At first, on receiving their RAs, both pilots involved would likely be quite content, the RA only told the pilots to continue what they were already doing, No problem… until one or other reached their initial cleared altitude. Now at this point, if the RA was still active they should have simply continued their climb and descent until clear of conflict, but the temptation to level off at the ‘correct’ altitude is pretty irresistible. If both levelled off, it would be benign even if not what TCAS had intended, but if only one did so, there is an immediate problem.
At this point you might have thought the reversal logic should have taken over, but it won’t if both aircraft were TCAS equipped. In the initial design reversals were not allowed once the encounters had been coordinated. The fix was to alter a basic TCAS principle, that of always choosing the sense, up or down, giving the greater vertical miss distance. The new design simply asked if it could achieve adequate clearance by choosing the non crossing sense; if it could, good, if not, it waited until the separation got to the point where it was obvious that the other side was not going to level off. The reason this surfaced after a couple of years is simply that it wasn’t until quite high equipage rates were achieved that a significant number of encounters became coordinated. The UK’s TCAS expert, the Magus of Malvern, had correctly anticipated that problems related to the coordination would surface at this time, but no one knew what they would be. Perhaps we should have realised that they would be human in nature.
One human characteristic we might have anticipated was our natural reluctance to challenge authority, which means we find it hard not to comply with the controller’s instructions. Two years after Uberlingen, when you might have thought that the ‘follow the TCAS’ lesson had been learnt, a perilously near miss between a BA A320 and a US B767 (both TCAS equipped) over northern France showed that it hadn’t. Due to a control room misunderstanding, both aircraft were cleared to FL290. The error was spotted and the 767 was cleared to climb to FL300, but unfortunately not before TCAS had decided it should descend. We never did find out just what went on in the 767 flight deck, but what happened next is shown in fig 3. The A320 received an Increase Climb advisory – and boy, did he climb, finishing at over 4000 ft/min. This was no unthinking over-reaction, the final miss distance was only about 200ft / 0.3 miles. At the very last moment the 767 guys must have figured out where they were going wrong, and started down, you can just see from the trace how he must have banked to help the descent without imposing a large negative g on the passengers.
So TCAS isn’t perfect, but we always knew that. Before it could be certificated in the UK NATS commissioned a safety study. I cannot find the original now (someone must still have it) but I think it showed that TCAS would be effective and safe with a risk ratio (number of accidents after /before) of 11%, leaving about 10% unresolved, and, crucially, only inducing about 1%. I believe this result came from consideration of the reliability of the equipment and the collision avoidance logic, but not the human element. A later study under the ACASA banner in 2001 around the time of the EU mandate looked more closely at the HF issues (particularly slow responses), and concluded that the risk ratio in EU airspace was nearer 30%. Experience is even less reassuring, though this is of course based on only one accident, and as the safety engineers will tell you, a one in a million chance can still happen tomorrow…
One could argue at length over the reliability of studies such as ACASA, but there is a more fundamental issue and it is to do with prevention of very rare events. Consider the following paradox: – Let’s say you have a very good health screening programme for some rare disease. Suppose that it is 99% correct, only 1% of its diagnoses are false positives (the subject doesn’t have the disease but the test says they do), and for sake of argument there are no false negatives (test says they are OK, but they aren’t). Suppose that the incidence of the disease in the population is 1 in 1000. Now you take the test, and it is positive. What are the chances you don’t have the disease? Do I hear 1%?. Actually it is 90%! Why? Because of every 1000 people, only 1 actually has the disease, but the test shows up 10, so you have a 9 in 10 chance of being in the healthy group. The numbers can easily be worse for even rarer conditions and less accurate tests. Now, what about mid air collisions? Those involving civil air transports occur about once every 5 to 10 years, say one in 100 million flights, while TCAS continues to throw up resolution advisories about once in every 200 flights. So there are a lot of false positives out there. It doesn’t take much to turn those false positives into actual tragedies if, due to incompetence, the advisories are badly followed. The numbers are not on our side, and it wouldn’t take a big change in the HF assumptions to increase the modest 30% ratio to >100%.
Does this mean that TCAS should never have happened? I guess there are a lot of people on one side of the pilot/controller fence that would say amen to that, but I am not certain. What is sure is that training standards need to be adequate for the task. Now that an extension of the mandate to cover ever smaller aircraft, including GA, is in progress, the training question needs to be up there in lights. As they say, if you are looking for a needle in a haystack, it doesn’t make sense to increase the number of haystacks.