National Aeronautics and Space Administration

Safety Modeling and Analysis

The goal of safety modeling and analysis is to identify hazards to flight – conditions that can contribute to incidents or accidents, and to encapsulate these hazards such that they can be monitored and predicted.

The hazards were derived from studying incidents and accidents documented in several national databases, including those maintained by the NASA Aviation Safety Reporting System (ASRS), the National Transportation Safety Board (NTSB), and the FAA Aviation Safety Information Analysis and Sharing (ASIAS) system, and from safety reports published by aviation organizations such as ICAO, FAA, and AOPA. We constrained the hazards of interest to those that have the potential to be modeled, monitored, and predicted. Thus, for example, hazards stemming from deficiencies in an airline’s training program or an airport’s regulatory oversight are not included. As shown below, the hazards were grouped into three categories: airspace hazards (e.g., diversity of traffic mix, radar coverage, inoperative equipment, etc.), environmental hazards (e.g., convective weather, bird activity, low sun angle, etc.), and human workload hazards (e.g., complexity of required tasks, communication issues, flow control restrictions, etc.).

Figure: Identifying hazards that cause unsafe events reported in incident and accident databases.

These hazards were then transformed into a set of safety metrics – quantities of interest that could be evaluated based on available data and are predictive of an unsafe event if not managed properly. For example, aircraft separation is a safety metric that constantly needs to be monitored and predicted in order to predict a loss of separation unsafe event.

The effect of hazards varies with operational context. For example, a gusty 10 kt crosswind hazard encountered on landing could lead to loss of control on the runway (LOC-Ground unsafe event) for a student pilot flying a taildragger (an aircraft with conventional tailwheel landing gear). The same hazard would be well within the capabilities of an experienced airline pilot flying a Boeing 747 aircraft. As another example, from a controller’s perspective, proximity to restricted airspace may not pose a hazard to the safety of the airspace under her control, whereas it may be of great concern to a pilot flying under visual flight rules (VFR) in a light aircraft if there is also convective weather nearby. To account for this difference in perspective and needs of each operator under a given operational context, rather than speaking of hazards, we instead speak of threats to safety.

A threat is defined by a safety metric and a threshold that specifies when the state of the NAS transitions from safe to unsafe for that operator. These thresholds are operator-customizable. For concept demonstration, they can be determined through a mix of techniques, including consultation with subject matter experts (SMEs) and extraction from historical NAS data using data mining techniques. Continuing with the loss of separation safety metric example, in a conceptual demonstration of our method, the threshold could be set to 1000 feet vertically or five miles laterally to mimic en-route ATC separation standards.

Once threats to NAS safety are determined, models of airspace operations and aircraft dynamics are developed to enable real-time monitoring and prediction. These models can have different levels of detail, depending on needed precision and available data. Typically a state-space model is used where the states x(k) describe the state of the NAS at any time-instant.

x(k+1)=f(k, x(k), u(k), v(k))
y(k)=h(x(k), u(k), n(k))

States x(k) can be speeds, position (latitude, longitude, and altitude) of each aircraft, etc. Inputs u(k) are, for example, weather, aircraft routes, etc. Outputs y(k) are measurable quantities, e.g., latitude, longitude, altitude, airspeed, etc. The process noise and sensor noise vectors are denoted by v(k) and n(k), respectively.
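As an added illustration (not code from this page or from NASA), the threat definition above (a safety metric plus an operator threshold) and the discrete-time state-space model can be combined into a small loss-of-separation predictor. The constant-velocity propagation, the flat-earth geometry, the 1000 ft / 5 nm thresholds from the text, and the two sample aircraft states are all assumptions made for the example.

```python
import math

NM_PER_DEG_LAT = 60.0  # nautical miles per degree of latitude (flat-earth assumption)

def propagate(x, u, dt_s, v=(0.0, 0.0, 0.0)):
    """x(k+1) = f(k, x(k), u(k), v(k)) for one aircraft.

    x = (lat_deg, lon_deg, alt_ft); u = (ground_speed_kt, track_deg, vert_rate_fpm);
    v = process noise added to each state. Velocity is held constant over the step (assumed)."""
    lat, lon, alt = x
    gs_kt, track_deg, vs_fpm = u
    dist_nm = gs_kt * dt_s / 3600.0
    dlat = dist_nm * math.cos(math.radians(track_deg)) / NM_PER_DEG_LAT
    dlon = dist_nm * math.sin(math.radians(track_deg)) / (NM_PER_DEG_LAT * math.cos(math.radians(lat)))
    return (lat + dlat + v[0], lon + dlon + v[1], alt + vs_fpm * dt_s / 60.0 + v[2])

def separation(xa, xb):
    """Safety metric: (lateral separation in nm, vertical separation in ft) for a pair of aircraft."""
    mean_lat = math.radians((xa[0] + xb[0]) / 2.0)
    dy_nm = (xa[0] - xb[0]) * NM_PER_DEG_LAT
    dx_nm = (xa[1] - xb[1]) * NM_PER_DEG_LAT * math.cos(mean_lat)
    return math.hypot(dx_nm, dy_nm), abs(xa[2] - xb[2])

def is_threat(metric, lateral_nm=5.0, vertical_ft=1000.0):
    """Threat = safety metric + threshold. Loss of separation is flagged only when
    both the lateral and the vertical standard are violated (either one alone suffices for safety)."""
    lateral, vertical = metric
    return lateral < lateral_nm and vertical < vertical_ft

def predict_loss_of_separation(xa, ua, xb, ub, horizon_s=600, dt_s=10):
    """Propagate both aircraft with the model and return the first time (s) within
    the horizon at which the threshold is crossed, or None if it is not crossed."""
    for k in range(horizon_s // dt_s + 1):
        if is_threat(separation(xa, xb)):
            return k * dt_s
        xa = propagate(xa, ua, dt_s)
        xb = propagate(xb, ub, dt_s)
    return None

# Constructed sample: two aircraft head-on at FL350, 450 kt each, about 23 nm apart.
A = ((40.0, -100.0, 35000.0), (450.0, 90.0, 0.0))
B = ((40.0, -99.5, 35000.0), (450.0, 270.0, 0.0))

if __name__ == "__main__":
    print(separation(A[0], B[0]))              # about (22.98 nm, 0 ft)
    print(predict_loss_of_separation(*A, *B))  # 80 seconds
```

Raising B to 37,000 ft keeps the vertical separation at or above the 1000 ft threshold, so the same pair never becomes a threat within the horizon; an operator-specific threshold is just a different argument to `is_threat`.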
