
Presentation at Aerodays 2006, Vienna 20-06-2006

ISAAC: Improvement of Safety Activities on Aeronautical Complex systems

a research project of the Sixth Framework Programme

1st February 2004 - 31st January 2007

www.isaac-fp6.org

Antonella Cavallo, Alenia Aeronautica

Thematic area “Aeronautics and Space”

Top objective “Improve Aircraft Safety and Security”

Reduction of the accident rate by 50% and 80% in the short and long term respectively

To obtain 100% capability for avoiding or recovering from human errors.

Technical domains

Human Machine Interface

Accident Prevention

New Aircraft Concepts

Project Coordinator:

Contents

Introduction

ISAAC Framework

Applicability

Follow-on

Conclusion


Introduction

Background

Project objectives

Project output


Background

The complexity of certain classes of high-tech application belonging to different fields of transportation industry is steadily increasing.

In the Aerospace field, the so called safety critical systems, like avionic systems, are required to operate in highly demanding scenarios as air traffic is constantly increasing.

Considering the above, it is even more important to have means to maintain adequate safety levels.


Background

A key point is to intervene already during the system design with innovative means able to detect potential weak points.

The application of these means, especially in the early development phases, would allow the identification of design modifications/improvements while keeping their cost implications acceptable.


Project objectives

The ISAAC goal is to answer the identified needs by:

improving the capability and efficiency of design and safety engineers in analysing complex systems

considering all aspects that may have an impact on aircraft safety, like human errors, installation, testability and operational aspects

Project output

An integrated environment including:

methodologies and

software tools

to support the “safety” and “design” processes involved in the Safety Assessment analyses required by the standards.

(Ref. ARP 4754 Certification Considerations for Highly-Integrated or Complex Aircraft Systems)

[Figure: the SAE ARP 4754 System Development Process beside the Safety Assessment Process. Development steps: Aircraft Level Requirements, Allocation of Aircraft Functions to Systems, Development of System Architecture, Allocation of Requirements to Hardware & Software, System Implementation, Certification. Safety assessment steps feeding them: Aircraft Level FHA (Failure Conditions, Effects, Classification, Safety Objectives), System Level FHA Sections, PSSAs (Architectural Requirements, Item Requirements, Safety Objectives, Analyses Required), CCAs (Functional Interactions, Failure Conditions & Effects, Separation Requirements), SSAs (Implementation Results, Separation Verification, Physical System).]

The ISAAC environment offers a basis to share and exchange information between safety and design, so as to increase the effectiveness of the overall development process.

ISAAC Framework

Framework

Some applications:

Human Errors Analysis

Common Cause Analysis

Framework

The framework relies on the use of models normally generated along the product design phases.

They are representative of nominal and failure behaviours:

functional models

geometrical models

risk models

cognitive pilot models

failure models

These models are combined with environment models and are elaborated by means of formal verification and simulation techniques to automatically derive safety analyses for the verification of the requirements.

[Figure: the ISAAC Framework. Inputs: Requirements (Customer Req., Regulations Req., Safety Req., Testability Req., Reliability Req., Installation Req.), Models (Geometric, Functional, Cognitive), Failures, Environment and a Planned Mission (M0 starts, M1, M2, M2.1, M2.2). Processing: Formal Verification, Simulation, Interference analysis. Results: Fault Trees, FMEA Tables, Trajectories, Counterexamples.]

Framework

The process is iterative: the results of the analysis may influence the design, e.g. by identifying design alternatives and/or low level requirements.

The modified/improved requirements can then be verified again by iterating with the ISAAC framework.

Safety related aspects

Some examples of questions that it will be possible to address:

Testability: Is it possible for a fault to occur undetected?

Operational Reliability: Is it possible to continue the mission in a failed configuration?

Human Error Analysis: Will an erroneous procedure lead to a safety requirement violation?

Safety: Is it possible to violate a certain safety requirement?

Common Cause Analysis: Will a list of impacted items violate the independence assumptions of a functional model?

Some applications

Human Errors Analysis

Common Cause Analysis

Human Error Analysis

Objective: To develop a tool-supported methodology to improve the consideration of human errors in the early phases of design of complex aeronautical systems.

Challenges:

– To predict psychologically plausible pilot errors potentially induced by system design features relevant to human-machine interaction

– To analyse the safety impact of predicted pilot errors

– To consider the dynamics of pilot-aircraft interaction in realistic scenarios

– To improve results from traditional safety analysis techniques while maintaining consistency

A key point of the ISAAC development is a modular and executable cognitive architecture capable of generating pilot errors.

[Figure: Human Error Analysis architecture. Inputs: Operator knowledge, Scenarios, Procedures, Flight simulator software, Formal system model. Pilot model built from VISION, PROCESSING, PLANNING and MOTOR components. Outputs: Modified procedures, Fault Trees, Simulation traces.]

Common Cause Analysis

Objective:

To develop methods for the identification and investigation of events (e.g. wheel tyre burst) or installation aspects (e.g. proximity to hot pipes) that may invalidate or bypass redundancy or independence assumptions for the aircraft items.

Common Cause Analysis

[Figure: an Engine Disk Burst in the 3D CAD Model yields Critical Trajectories in Geometry; Hit List extraction feeds Common Cause Failure injection into the Safety Analysis in the Functional Model, producing Fault Trees including Common Causes and revealing a Violation of Requirement.]
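The model-based loop of the Framework slides (failure injection into a functional model, exhaustive exploration, fault-tree results) and the Common Cause Analysis step above (a hit list of items reached by one event tested against independence assumptions), as an added Python sketch that is not ISAAC's tooling; the dual-channel sensing function, its item names and the hit list are constructed for illustration.

```python
from itertools import combinations

# Hypothetical items of a dual-channel sensing function (constructed example).
ITEMS = ("sensorA", "busA", "sensorB", "busB", "voter")


def function_available(failed):
    """Functional model with injected failures: True when the consumer still
    receives a valid value. Each channel needs its sensor and its bus; the
    voter forwards any healthy channel and is itself a single point of failure."""
    if "voter" in failed:
        return False
    channel_a = "sensorA" not in failed and "busA" not in failed
    channel_b = "sensorB" not in failed and "busB" not in failed
    return channel_a or channel_b


def minimal_cut_sets(items, requirement):
    """Exhaustively inject every combination of item failures and keep the
    minimal sets that violate the requirement: the fault-tree view."""
    cuts = []
    for size in range(1, len(items) + 1):
        for combo in combinations(items, size):
            failed = frozenset(combo)
            if any(cut <= failed for cut in cuts):
                continue  # contains a smaller cut set already found: not minimal
            if not requirement(failed):
                cuts.append(failed)
    return cuts


def counterexample(items, requirement):
    """Smallest failure injection violating the requirement (None if safe)."""
    cuts = minimal_cut_sets(items, requirement)
    return min(cuts, key=len) if cuts else None


def independence_violations(hit_list, cut_sets):
    """Common cause check: a hit list (items reached by one event, e.g. the
    zone of a disk burst taken from the geometric model) that covers a whole
    cut set defeats the independence the fault tree assumed between them."""
    hit = frozenset(hit_list)
    return [cut for cut in cut_sets if cut <= hit]


if __name__ == "__main__":
    cuts = minimal_cut_sets(ITEMS, function_available)
    print("minimal cut sets:", [sorted(c) for c in cuts])
    hits = ("sensorA", "busA", "busB")  # constructed hit list from one event
    print("violated:", [sorted(c) for c in independence_violations(hits, cuts)])
```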

Applicability

[Figure: ISAAC methods mapped onto the development process. Requirements (Installation, Reliability, Testability, Safety, Regulations, Customer Req.s) feed the Requirements Specification Document and the System Specification & Architecture. Preliminary design: Assembly of Architecture Patterns, Representation of requirements and Scenario, Preliminary architecture/layout, Sub-systems specifications, Equipment specifications. Analysis on Models (Functional, Geometric, Cognitive, Environment): Fault Tree Analysis, Failure Mode/Effect Analysis; Common Causes (detect invalidation of redundancy or independence); Operational aspects (Mission Reliability Analysis); Testability aspects (Fault Detection & Isolation); Human Errors (detect pilot errors). Design assessment, Iterative Prototype, Design consolidation, Test specifications, Acceptance, Certification, in a Document / Analysis / Modeling / Test cycle.]

Follow-on

The activities ongoing in ISAAC have the potential for follow-on research activities.

They are in line with VISION 2020 and the SRA.

Some examples are provided in the following.


Follow-on

Main areas:

Improvement of the aircraft systems development process

Extension of ISAAC framework to include other aspects

Improvement in the identification and analysis of the human errors aspects

Application of the ISAAC method to other contexts

Improvement of the aircraft/systems development process:

Introduction of ISAAC methods in standards for safety activities (e.g. Aerospace Recommended Practice ARPs)

Integration of ISAAC methods in the industrial process in view of a comprehensive environment including methods, tools, databases with requirements, analysis reports and other documentation, i.e. all the information and means that can support the development of a project

Follow-on


Extension of ISAAC framework to include other aspects:

Extension of the Common Cause Analysis frame in order to integrate new facilities for the verification of Maintainability, Accessibility, Ergonomics and Personnel Safety Requirements

Extension to allow the consideration of “dynamic-energy-material” aspects relevant to risks impacting on safety (e.g. fire propagation). This implies the integration of other kinds of models.

Follow-on


Improvements in the identification and analysis of the human errors:

Extension of cognitive architecture to be more comprehensive in allowing the consideration of several “mechanisms” that may induce the generation of pilot errors

Creation of a cognitive model kernel that allows components relevant to different cognitive mechanisms to be added easily

Follow-on

Application of the ISAAC method in other contexts:

Application of the ISAAC methods to other fields dealing with critical systems (e.g. automotive, railways, nuclear).

Follow-on

Conclusion

ISAAC results:

To improve the safety assessment process by ensuring awareness of safety-related aspects from the early development phases.

To facilitate the identification and verification of design modifications/improvements, with benefits on cost implications.

To influence the standards for safety activities.

To be further developed and also transferred to other fields dealing with critical systems.


ISAAC Team Members

will be pleased to meet you

at Stand number 28


© 2006 Alenia Aeronautica S.p.A.

The contents of this document are the intellectual property of Alenia Aeronautica. Apart from those contractually-agreed user rights, any copying or communication of this document in any form is forbidden without the written authorisation of Alenia Aeronautica.