Guest Editors' Introduction

The Federal AviationAdministration's

Advanced AutomationProgram

Valerio R. Hunt, US Department of Transportation, FAA

Gregory V. Kloster, Knowlex Technology Corporation

Engineering theworld's largestcommand and controlsystem is a complexundertaking. Thisissue communicatesthe authors' experi-ences in the design ofthe next-generation airtraffic control system.

14

W e started working on this issuewith the objective of capturing

'VV our collective experiences inadapting and innovating modern comput-er science and system engineering tech-niques and methods to the problem of airtraffic control systems design. We recog-nize that the Advanced Automation Pro-gram is a complex technological under-taking that requires government andindustry to address issues and problems insystem safety, reliability, long system life,architecture design, software engineering,and man-machine interface, or MMI, de-sign in very new and innovative ways. Welook at this special issue as a vehicle fortechnology transfer to readers that are

concerned not only with the developmentof a safe air traffic control system, butwith the technologies used in the design,development, and implementation oflarge complex, highly available, andinteractive systems.Computer automation was introduced

into en-route and terminal radar air trafficcontrol centers in the early to mid-1970's.In the en-route centers flight data andradar data processing represent the keyautomation functions operating on IBM9020 computers. Automated radar dataprocessing and limited flight data readoutand input capabilities are operational insystems known as automated radar ter-minal systems, or ARTS, II and III. The

0018-9162/87/020-0014501.00 © 1987 IEEE COMPUTER

ARTS II system was implemented on Bur-roughs computers and the ARTS III/IIIAsystems operate on Sperry Univaccomputers.The Advanced Automation Program

consists of two major Federal AviationAdministration, or FAA, system acquisi-tions. The first is the host program, whichinvolves the replacement of current IBM9020 computer systems at all en-route airtraffic control centers. This acquisitionwas awarded (after a design competition)to IBM in July 1985. The second is theAdvanced Automation System, or AAS,which replaces both the en-route andterminal approach control air traffic con-trol, or ATC, computer systems over thenext decade. The AAS Will provide thecomputers, software, and controller work-stations (called sector suites) for integrateden-route and terminal radar ATC. TheAAS will also include a tower control com-puter complex for use by the controllers inthe tower cabs. This new system willreplace the en-route and terminal ATCcomputers, flight strip printers and displayequipment, and the backup radar displaysystem.The AAS program consists of a two-

phased government acquisition where thefirst phase includes a competitive designand prototype "fly-off" between two in-dustrial teams lead by GM-Hughes Air-craft and IBM. The second phase consistsof a winner-take-all production and im-plementation contract. (Because of thenature of the design competition we havetaken great pains to avoid publication oftechnical data that might compromise thecompetition and proprietary rights of thecompetitors.) All of the articles in thisspecial issue, with the exception of one,deal with the AAS program.The FAA has accumulated a legacy of

experiences in both ATC operations andsoftware maintenance and test. The con-sensus has been that the new advancedATC automation system must

* provide a time-responsive set of ATCservices (to the controller) that are highlyavailable and feature inherent protectionmechanisms to detect, contain, andrecover from faults;

* provide for evolution in ATC func-tions and capabilities without affectingsafety and required redesign of the basicsystem; and

* provide a user/computer interfacethat facilitates the evolution of the systemand accommodates the basic manner inwhich the controller performs his or herATC information processing tasks today.

Based on our past experiences and thisconsensus, we feel that risks that mightresult in either unsafe, unsuitable opera-tions or costly high-risk technology areboth real and must be eliminated or greatlyreduced. We recognize that the AAS posesseveral challenges to the engineer anddesigner.

Since the inception of the AAS re-quirements definition effort over the pastsix years, significant progress has beenmade in MMI (also termed computer-human interface) design and human engi-neering methods; computer workstationdisplay technology; software engineeringpractices; tools; computer system perfor-mance modeling; and computer systemnfault tolerance. We have felt strongly thatthese practices, tools, and methods mustbe used in order to mitigate the criticaltechnical risks associated with either a sys-tem design that inhibits system evolutionor a user interface that is not acceptable toair traffic controllers.Of paramount concern is the develop-

ment of a safe system architecture thatprovides adequate coverage and protec-tion from faults. In response to this latterconcern theFAA has not only levied on theAAS stringent reliability and availabilityrequirements, but has adopted standardsand practices I aimed at the developmentof a highly reliable system.The strategy selected by FAA to meet

these unique requirements resulted in ex-tensive focus on precontract requirementsdefinition activities (prior to the designcompetition phase award) and prime con-tractor system design in the early part ofthe program. The articles in this issue ad-dress many of those activities undertakenprior to the start of the AAS Design Com-petition Phase in August 1984. Postcon-tract award activities have been describedin the AAS Statement of Work. 2 Some ofthese efforts represent further refinementand implementation of FAA initiatives inMMI requirements engineering and con-troller workstation design. Others requirethe prime contractors to refine and devel-op innovative approaches to engineering afault-tolerant computer architecture anddistributed software processes.

Background andoverview of the AASprogram

the challenges and hurdles faced by

government engineers and industry devel-opers. In this article, TheFAA'sAdvancedAutomation System: StrategiesforFutureAir Traffic Control Systems, ValerioHunt and Andres Zellweger describe thesystem acquisition and transition strat-egies for the FAA's Advanced Auto-nmation Program. The article also providesa background discussion (in vignetteform) of the US air traffic control systemto familiarize the reader with this applica-tion. In particular, the authors examinethe technological demands that the AASrequirements place on the system designer.The investment in time and money

(estimated $2-3 billion) to design and im-plement such a system dictates balancingthe factors of safety, reliability, and longsystem life. The current ATC automationsystems will have been in service over 20years when they are replaced by the Ad-vanced Automation System, and there isno reason to suspect that the basic AASsystem design and software will not have a20-to 30-year life span.Such factors place difficult demands on

the system designer. The functions to beperformed by the computer system (and,therefore, the man-machine interface), theexternal data sources (aircraft surveillancesystems, weather sensors, navigation sys-tems, etc.), as well as the traffic levels, airfleet niix, aircraft performance charac-teristics, and avionic capabilities allchange over time. The AAS designersmust ensure that this evolution can be ac-commodated at a reasonable cost andwithout detrimental impact on systemreliability (hardware and software) and onthe critical man-machine interface design.A second demand on the system de-

signer that stems from the long system lifeexpectancy is the need to accommodate,without significant system perturbation,upgrades of hardware technology. This re-quirement stems from the fact that today'scomputer generation for large commercialsystems are 4-7 years and even less in therapidly expanding microprocessor area.Government and industry experience inthe last decade has shown that cost-effective computing, from a total life cyclecost viewpoint, is best achieved by a well-defined capacity management programthat permits upgrades as demand increasesor as a hardware generation is superseded.Without anAAS design that permits hard-ware upgrades, the initial computer hard-ware installed only have to be sized tohandle the largest projected demand fortraffic and functional growth throughoutthe system life. Maintenance cost would be

February 1987 15

unacceptably high by the end of the sys-tem's life since it would represent a 20- to30-year-old technology.Following the above strategy and apply-

ing computer science and software engi-neering principles of the 1980's will helpachieve the extensibility characteristicsnecessary for a successful long system life,but this is not enough. If a system with thestringent performance and reliability char-acteristics of the ATC system is to evolve ina cost-effective manner, the systemdesigner must be able to anticipate themost likely course of evolution and thenature of the changes that can be ex-pected. For example, the input/outputstructure should anticipate future systeminterfaces and the data structures shouldanticipate data attributes that mightbecome important as more of the ATCdecision-making responsibility is shiftedto the computer. The problem for the sys-tem designer arises from the fact that nofirm requirements for the system inter-faces of functions anticipated for the1990's and beyond exist at this time.To help add the proper evolutionary

characteristics to the system design, FAAhas developed a functional and perfor-mance description of what, to the best ofour current knowledge, a highly auto-mated ATC system would be.3 Thisdescription places particular emphasis onhow the advanced functions might inter-face with the ATC computer system thatwill actually be built by the AAS contrac-tors and that will form the starting pointfor future evolution. The AAS systemdesigners are required by contract to showFAA, at various stages of system designand development, how their particulardesign can be extended to accommodatethese likely future functions.

Air traffic controlsystem architecture

In the second article, Evaluating Pro-posed Architectures for the FAA's Ad-vanced Automfation System, Jean-MarcGarot, Thomas Hawker, and DelbertWeathers examine the fundamentalmethods used by the FAA to evaluatecomplex distributed system architectures.This article examines the complex issuesinvolved in architecture design, citeslessons learned from other programs, anddescribes the approach used to evaluatesystem architectures. This process shouldprove useful to those interested in both the

development and design validation ofcomplex systems. Because of the nature ofthe AAS design competition, this articlehas avoided mentioning specifics concern-ing each prime contractor's architecture.What is noteworthy is that the applicationof a formal evaluation process is essentialto determining that the system design (asproposed) satisfies AAS requirements.

Clearly the basic system design, in termsof both hardware and software structure,will have to remain intact for the total sys-tem life. So an important evaluationmethod must qualitatively examine howthe system is expected to be augmentedand modified as the system evolves. Tomake this possible, FAA has required thatthe system be designed around a localcommunications network (with the requi-site reliability characteristics) based onlocal area network technology and indus-try-accepted protocol standards. This willallow the introduction of new hardwaretechnology without major system pertur-bations. To complement the hardwarestrategy, software will be functionally dis-tributed and, perhaps more importantly,developed in a single high-order language(such as Ada) that permits easy migrationfrom one processor to another. An impor-tant criterion in the evaluation of pro-posed architectures will be the impact ofchange on system stability since the ATCapplication cannot tolerate degradation insystem reliability and availability duringand after a change.

Controller MMI andoperational su-itabilityAn operative phrase used in connection

with the AAS is "operational suitability. "While the value of accurately capturinguser knowledge and infusing this knowl-edge into the AAS system developmentprocess is clear enough, the process ofdoing this can be quite a bit more complexthan it may seem. Users may be biased bytheir own limited experience with particu-lar design features, peculiarities of theiroperations at a given air traffic sector, orthe interaction techniques they employwhen using the system. Users also tend tooffer isolated "fixes" to perceived prob-lems, rather than to regard functions in thecontext of system design decisions thatrespond to functional and performancerequirements. Lastly, user terminologyoften differs from engineering terminol-ogy. This results in fertile ground formisinterpretation of requirements on both

ends. It is for these and other reasons thatothers have previously noted that noncriti-cal acceptance of user inputs may consti-tute the first step in the design process thatwill most assuredly result in an operation-ally unsuitable design.The FAA's Advanced Automation Pro-

gram Office and Air Traffic Service havesuccessfully implemented a program ofclose cooperation and involvement by"users" in the full cycle of AAS engi-neering ahd development. There has beena certain amount of concern that the AASend-product (in terms of the MMI soft-ware and controller workstation) mightnot be acceptable to the air traffic con-troller. Also, there was the concern, giventhe complexity of the controller's job, thatthere was significant risk in misinterpret-ing and developing incomplete require-ments. The difficulty lies in attempting todevelop a system with a new man-machineinterface that is expected to be available inthe early 1990's. This risk has been miti-gated with the formation in 1983 of theFAA's sector suite requirements valida-tion team, or SSRVT, and the subsequentapplication of comprehensive MMI designand human factors methods. So impor-tant is this undertaking two articles in thisissue address it.

In the third article, Engineering theMan-Machine Interface for Air TrafficControl, Gregory Kloster and AndresZellweger not only examine the processused to formulate MMI requirements, butdescribe the life cycle involvement of theSSRVT in that process. Of note are discus-sion and examples that show how thismethod was used to formulate an opera-tions concept for the AAS man-machineinterface, derive MMI functional re-quirements for the controller interfacelanguage, and determine requirements forthe controller workstation. The origins ofthis method were developed at the TRWDefense Systems Group and refined atComputer Technology Associates, Inc.4This we feel represents a dramatic depar-ture from the way systems are typically ac-quired by the government. The article alsodescribes prime contractor activities afterthe design comnpetition phase contractaward in August 1984.

In the fourth article, The Quantificationof Operational Suitability, Mark Phillipsdescribes how the SSRVT and the FAAboth derive user requirements and assessthe operational suitability of the emergingMMI designs during the design competi-tion phase. This process does not merelyconsider the users to be passive partici-

COMPUTER16

pants or make attempts at identifying re-quirements that are "likely" to result in a"user friendly" design, but shares infor-mation on how a team of users and humanfactors specialists made a joint commit-ment to ensure the significant and sus-tained involvement of a representativegroup of actively working air traffic con-trollers. Again, one cannot underestimatethe importance of applying evaluationmethods that offer both quantitative andqualitative evaluations of ergonomicquality. It is here that we offer a compre-hensive look at how complex MMI designscan be evaluated in terms of operationalsuitability and ergonomic quality metrics.

FAA computer capacitymanagement

In the fifth article, Capacity Manage-ment of Air Traffic Control ComputerSystems, Sandra Bleistein, RobertGoettge, Frank Petroski, and RobertWiseman describe how performancemodeling and analysis is integral to theFAA's strategy of computer capacitymanagement for the current 9020 en-routecomputer system, host computer system,and the future AAS. Capacity manage-ment of these three generations ofcomputer systems consists of five commonelements:

(1) specification of performance re-quirements in terms of computer re-sponsiveness;

(2) projection of air traffic workloads;(3) development of performance and

workload measurement capabili-ties;

(4) modeling and prediction of perfor-mance; and

(5) development of a program and re-lated procedures for capacity man-agement.

Each of these elements is discussed in thearticle. The evolution from basic capabili-ties in the 9020 system to the anticipatedAAS capabilities is described. Resultsfrom each system and their influence onthe capabilities of the succeeding systemare presented.

AAS dependabilityIn the last article, On the Achievement

of a Highly Dependable and Fault-Tolerant Air Traffic Control System, AlAvizienis and Dan Ball describe the evolu-tion of the AAS reliability, maintainabil-

ity, and availability (RMA) requirementsand discuss issues and concerns in achiev-ing a highly reliable AAS. The authorscontrast the reliability problems of theexisting system and goals for the newAAS. Of particular interest is a discussionon the evolution of the AAS RMA re-quirements and the FAA's strategy forachieving a highly reliable AAS. The arti-cle concludes with lessons learned so farand guidelines for future acquisitions ofcomplex fault-tolerant systems.

he significance and scope of theFAA's modernization programs

.TE for air traffic control should not beunderestimated. The technology fallout ofthe Advanced Automation Program hasimplications for government, industrial,and commercial organizations engaged inreal-time systems, distributed computing,design of fault-tolerant software, designof complex interactive user interfaces,testing, capacity management, and use ofnew software development tools and Ada.Innovative tools, techniques, and methodswill continue to be developed by the FAA,its support contractors, and prime con-tractors as the AAS moves into the acqui-sition phase of full-scale development,production, and test. Our view is thatadditional technical contributions will beforthcoming in this magazine and otherIEEE publications. It is in the spirit ofpro-moting technology transfer and communi-cating our collective experiences that wehope to improve the management and de-velopment of complex ultra-reliablesystems. ]G

AcknowledgmentThe authors in this special issue extend to

C. V. Ramamoorthy their thanks for hisguidance and helpful comments.

ReferencesI.Department of Defense, Military Stan-

dard-Defense System SoftwareDevelopment, DOD-STD-2167, June1985.

2. Department of Transportation/FederalAviation Administration, AdvancedAutomation System Statement ofWork-Design Competition Phase, FAA-ER-130-005F, May 1985.

3. Department of Transportation/FederalAviation Administration, AdvancedAutomation System System LevelSpecification-Design CompetitionPhase, FAA-ER-130-005F, May 1985.

4. G. V. Kloster and J. J. Rosati, MMIDesign Guidebook, third draft, TRW In-dependent Research and DevelopmentReport Number 81006201, TRW, Redon-do Beach, Calif., January 1983.

Valerio R. Hunt served as the director of theFederal Aviation Administration's AdvancedAutomation Program Office from its creationin 1981 until August 1986. He organized andstaffed the office, directed all of the planningand start-up activities leading to the establish-ment of a technical approach, schedules, finan-cial management plans, budgets, selection ofcontractors, and management of contractors'work. Currently Hunt is an independent con-tractor in Bethesda, Maryland, providing con-sulting services to the government and in-dustrial community.Hunt received his BS from Lehigh University

in 1949 and completed advanced studies incomputer science and communications net-working in 1957. Honors include Phi EtaSigma, Phi Beta Kappa, and Tau Beta Pi. Hiscurrent interests are in the design and manage-ment of large computer-based systems.

Gregory V. Iloster is currently chairman of theFAA's Advanced Automation System's technicaladvisorygroup, orATAG. TheATAGprovidesspecific high-level industry and university com-puter science expertise to the FAA in the areasof relability, maintainability, and availabilityand system architecture. Prior to this assign-ment, he was responsible (while at ComputerTechnology Associates, Inc.) for the technicalmanagement ofan FAA project that applied anMMI design methodology to engineer the airtraffic controller user interface and sector suiteworkstation requirements.

Kloster holds an MS in management sciencefrom West Coast University. He has been presi-dent of Knowlex Technology Corp. since 1984.His current interests are in development oftoolsfor system and software engineers. Before thathe was an associate and program manager withComputer Technology Associates and an assis-tant project manager with TRW DefenseSystems Group.

Readers can write to Kloster at KnowlexTechnology Corp., 301 Dexter St., Denver, CO80220.

February 1987 17