TRANSCRIPT
Presentation at Aerodays 2006, Vienna 20-06-2006
ISAAC: Improvement of Safety Activities on Aeronautical Complex Systems
a research project of the Sixth Framework Programme
1st February 2004 - 31st January 2007
www.isaac-fp6.org
Antonella Cavallo, Alenia Aeronautica
Thematic area: “Aeronautics and Space”
Top objective: “Improve Aircraft Safety and Security”
reduction of the accident rate by 50% and 80% in the short and long term respectively
to obtain 100% capability for avoiding or recovering from human errors
Technical domains
Human Machine Interface
Accident Prevention
New Aircraft Concepts
Contents
Introduction
ISAAC Framework
Applicability
Follow-on
Conclusion
Introduction
Background
Project objectives
Project output
Background
The complexity of certain classes of high-tech applications belonging to different fields of the transportation industry is steadily increasing.
In the aerospace field, the so-called safety-critical systems, like avionic systems, are required to operate in highly demanding scenarios as air traffic constantly increases.
Considering the above, it is even more important to have means to maintain adequate safety levels.
Background
A key point is to intervene already during system design with innovative means able to detect potential weak points.
The application of these means, especially in the early development phases, would allow the identification of design modifications/improvements while their cost implications are still acceptable.
Project objectives
The ISAAC goal is to answer the identified needs by:
improving the capability and efficiency of design and safety engineers in analysing complex systems
considering all aspects that may have an impact on aircraft safety, like human errors, installation, testability and operational aspects
Project output
An integrated environment including:
methodologies and
software tools
to support the “safety” and “design” processes involved in the Safety Assessment analyses required by the standards.
(Ref. ARP 4754 Certification Considerations for Highly-Integrated or Complex Aircraft Systems)
[Figure: SAE ARP 4754, the two parallel processes. System Development Process: Aircraft Level Requirements, Allocation of Aircraft Functions to Systems, Development of System Architecture, Allocation of Requirements to Hardware & Software, System Implementation, Certification. Safety Assessment Process: Aircraft Level FHA, System Level FHA, PSSAs, CCAs, SSAs. Information exchanged between the two: aircraft functions and system functions; failure conditions, effects, classification and safety objectives; system architecture and architectural requirements; functional interactions and separation requirements; item requirements, safety objectives and analyses required; implementation results and separation verification of the physical system.]
The ISAAC environment offers a basis to share and exchange information between safety and design, so as to increase the effectiveness of the overall development process.
ISAAC Framework
Framework
Some applications:
Human Errors Analysis
Common Cause Analysis
Framework
The framework relies on the use of models normally generated during the product design phases.
They represent nominal and failure behaviours:
functional models
geometrical models
risk models
cognitive pilot models
failure models
These models are combined with environment models and processed by means of formal verification and simulation techniques to derive, automatically, the safety analyses needed for the verification of the requirements.
[Figure: ISAAC Framework overview. Inputs: Customer, Regulations, Safety, Testability, Reliability and Installation requirements; Models (Geometric, Functional, Cognitive); Failures; Environment (planned mission: M0 starts, M1, M2, M2.1, M2.2). Analysis techniques: Formal Verification, Simulation, Interference analysis. Results: Fault Trees, FMEA Tables, Trajectories, Counterexamples.]
Framework
The process is iterative: the results of the analysis may influence the design, e.g. by identifying design alternatives and/or low-level requirements.
The modified/improved requirements can then be verified again by iterating with the ISAAC framework.
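As an added worked example (not ISAAC code, and not Alenia's tool chain), the following Python script shows what the framework's "inject failures, then analyse formally" loop produces on a constructed functional model: a dual-pump hydraulic supply with a selector valve and a single actuator line. Every combination of failure modes is injected into the model, the minimal cut sets of the top event "loss of pressure" are derived (the fault tree view), single-failure rows are listed (the FMEA view), and a safety requirement of the form "no combination of at most N independent failures causes loss of pressure" is checked, returning the violating combination as a counterexample. The component names, failure modes and the requirement are assumptions made for the example; the exhaustive enumeration stands in for the model checker and simulator the slides refer to.

```python
from itertools import product

# Added illustrative example, not ISAAC tooling. The functional model, its
# failure modes and the failure condition below are constructed for the demo.
FAILURE_MODES = {
    "pump_A": ("ok", "failed"),
    "pump_B": ("ok", "failed"),
    "selector_valve": ("ok", "stuck_A", "stuck_B"),
    "actuator_line": ("ok", "ruptured"),
}


def pressure_available(state):
    """Functional model with failure behaviour folded in: True when the
    actuator is pressurised. 'stuck_A' / 'stuck_B' mean the selector valve
    can only pass the named pump's output."""
    if state["actuator_line"] == "ruptured":
        return False
    a = state["pump_A"] == "ok"
    b = state["pump_B"] == "ok"
    valve = state["selector_valve"]
    if valve == "stuck_A":
        return a
    if valve == "stuck_B":
        return b
    return a or b


def loss_of_pressure(state):
    """Top-level failure condition (the fault tree's top event)."""
    return not pressure_available(state)


def all_states():
    """Failure injection: every combination of one mode per component."""
    names = list(FAILURE_MODES)
    for modes in product(*(FAILURE_MODES[n] for n in names)):
        yield dict(zip(names, modes))


def failure_set(state):
    """The non-nominal modes of a state, as a set of (component, mode)."""
    return frozenset((c, m) for c, m in state.items() if m != "ok")


def minimal_cut_sets(top_event):
    """Exhaustively evaluate the model and keep only the minimal failure
    combinations that trigger top_event (the fault tree's minimal cut sets)."""
    cuts = {failure_set(s) for s in all_states() if top_event(s)}
    minimal = [c for c in cuts if not any(o < c for o in cuts)]
    return sorted(minimal, key=lambda c: (len(c), sorted(c)))


def fmea_table():
    """Single-failure FMEA rows: (component, failure mode, local effect)."""
    rows = []
    for comp, modes in FAILURE_MODES.items():
        for mode in modes[1:]:
            state = {c: "ok" for c in FAILURE_MODES}
            state[comp] = mode
            effect = ("loss of pressure" if loss_of_pressure(state)
                      else "no effect (redundancy covers)")
            rows.append((comp, mode, effect))
    return rows


def counterexample(max_order):
    """Safety requirement: no combination of at most max_order independent
    failures causes loss of pressure. Returns a violating combination
    (the counterexample) or None if the requirement holds."""
    for cut in minimal_cut_sets(loss_of_pressure):
        if len(cut) <= max_order:
            return sorted(cut)
    return None


if __name__ == "__main__":
    for cut in minimal_cut_sets(loss_of_pressure):
        print("minimal cut set:", sorted(cut))
    for row in fmea_table():
        print("FMEA:", row)
    print("single-failure requirement counterexample:", counterexample(1))
    print("double-failure requirement counterexample:", counterexample(2))
```

Run as a script it prints four minimal cut sets: the line rupture is a first-order cut set, so the single-failure requirement fails with that counterexample, while the pump/valve redundancy only fails at order two. Iterating as the slide describes means changing the model (for instance adding a second actuator line) and re-running the same analysis on the modified design.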
Safety related aspects
Some examples of questions that it will be possible to address:
Safety: Is it possible to violate a certain safety requirement?
Testability: Is it possible for a fault to occur undetected?
Operational Reliability: Is it possible to continue the mission in a failed configuration?
Human Error Analysis: Will an erroneous procedure lead to a safety requirement violation?
Common Cause Analysis: Will a list of impacted items violate the independence assumptions of a functional model?
Some applications
Human Errors Analysis
Common Cause Analysis
Human Error Analysis
Objective: To develop a tool-supported methodology to improve the consideration of human errors in the early phases of design of complex aeronautical systems.
Challenges:
– To predict psychologically plausible pilot errors potentially induced by system design features relevant to human-machine interaction
– To analyse the safety impact of predicted pilot errors
– To consider the dynamics of pilot-aircraft interaction in realistic scenarios
– To improve results from traditional safety analysis techniques while maintaining consistency
The key point of the ISAAC development is a modular and executable cognitive architecture capable of generating pilot errors.
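As an added example, not ISAAC's cognitive architecture or Alenia's code, the following Python script shows the mechanism in miniature: a nominal engine fire drill (constructed and heavily simplified, not a real checklist) is run against a small formal system model; three error mechanisms (omission of a step, transposition of adjacent steps, acting on the wrong engine) then generate erroneous procedures, each is simulated, and those whose trace ends in a safety-requirement violation are reported together with the trace. The procedure, the state model, the safety requirement and the error mechanisms are all assumptions made for the demo.

```python
import copy

# Added illustrative example, not ISAAC's cognitive architecture. The drill,
# the system model and the three error mechanisms are constructed for the demo.
NOMINAL_PROCEDURE = [
    ("throttle", "idle", "eng1"),
    ("fuel", "cutoff", "eng1"),
    ("fire_handle", "pull", "eng1"),
    ("extinguisher", "discharge", "eng1"),
]


def initial_state():
    """Scenario: fire on engine 1, engine 2 healthy (constructed)."""
    return {
        "eng1": {"fire": True, "fuel": True, "running": True, "handle": False},
        "eng2": {"fire": False, "fuel": True, "running": True, "handle": False},
    }


def apply(state, action):
    """Formal system model: effect of one pilot action on the aircraft state."""
    device, value, eng = action
    e = state[eng]
    if device == "fuel" and value == "cutoff":
        e["fuel"] = False
        e["running"] = False
    elif device == "fire_handle":
        e["handle"] = True          # arms the bottle and shuts fuel off
        e["fuel"] = False
        e["running"] = False
    elif device == "extinguisher":
        if e["handle"] and not e["fuel"]:
            e["fire"] = False       # bottle only works once armed, fuel off
    # 'throttle' has no safety-relevant effect in this toy model
    return state


def simulate(procedure):
    """Run a procedure against the model; returns (final state, trace)."""
    state = initial_state()
    trace = []
    for action in procedure:
        apply(state, action)
        trace.append((action, copy.deepcopy(state)))
    return state, trace


def requirement_satisfied(state):
    """Safety requirement: no fire remaining and at least one engine running."""
    no_fire = not any(e["fire"] for e in state.values())
    thrust = any(e["running"] for e in state.values())
    return no_fire and thrust


def erroneous_procedures(proc=NOMINAL_PROCEDURE):
    """Generate plausible variants of the drill, tagged by the error
    mechanism and the step index it hits."""
    for i in range(len(proc)):
        yield ("omission", i), proc[:i] + proc[i + 1:]
    for i in range(len(proc) - 1):
        swapped = list(proc)
        swapped[i], swapped[i + 1] = swapped[i + 1], swapped[i]
        yield ("transposition", i), swapped
    for i, (device, value, eng) in enumerate(proc):
        other = "eng2" if eng == "eng1" else "eng1"
        yield ("wrong_engine", i), proc[:i] + [(device, value, other)] + proc[i + 1:]


def analyse():
    """Safety impact of each predicted error: returns the errors whose
    simulation trace ends in a safety-requirement violation, with the trace."""
    nominal_state, _ = simulate(NOMINAL_PROCEDURE)
    assert requirement_satisfied(nominal_state), "nominal drill must be safe"
    violations = {}
    for tag, proc in erroneous_procedures():
        state, trace = simulate(proc)
        if not requirement_satisfied(state):
            violations[tag] = trace
    return violations


if __name__ == "__main__":
    for tag, trace in analyse().items():
        print(tag, "violates the requirement; last step:", trace[-1][0])
```

Running it reports six violating variants: for instance, discharging the extinguisher before pulling the fire handle leaves the fire burning, and cutting fuel on the wrong engine leaves no engine running. A real cognitive model generates errors from operator knowledge and scenario dynamics rather than by syntactic mutation of the procedure, but the downstream analysis (simulate, check the requirement, keep the trace as evidence) is the same.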
[Figure: Human Error Analysis tool chain. Inputs: operator knowledge, scenarios, procedures, flight simulator software, a formal system model and a pilot model built on a cognitive architecture with VISION, PROCESSING, PLANNING and MOTOR modules. Outputs: modified procedures, fault trees, simulation traces.]
Common Cause Analysis
Objective:
To develop methods for the identification and investigation of events (e.g. wheel tyre burst) or installation aspects (e.g. proximity to hot pipes) that may invalidate or bypass redundancy or independence assumptions for the aircraft items.
Common Cause Analysis
[Figure: Common Cause Analysis chain. Engine Disk Burst in a 3D CAD Model → Critical Trajectories in Geometry → Hit List extraction → Common Cause Failure injection → Safety Analysis in the Functional Model → Fault Trees including Common Causes → Violation of Requirement.]
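As an added example (not ISAAC tooling), the following Python script runs the chain the slide describes on constructed data: a planar debris fan from a wheel tyre burst is intersected with item positions to extract the hit list, the hit list is injected into the functional model's minimal cut sets to see which independence assumptions are invalidated, and the cut sets are rewritten with the common cause as a basic event (the fault tree including the common cause). The item positions, the cut sets, the event geometry and the required order are assumptions for the demo; a real analysis would use 3D CAD geometry and trajectory models rather than a 2D sector.

```python
import math

# Added illustrative example, not ISAAC tooling. Item positions, cut sets and
# the debris-fan parameters are constructed for the demo.
ITEMS = {  # item -> (x, y) position in the wheel-well zone, metres
    "hyd_pump_A": (2.0, 1.0),
    "hyd_pump_B": (2.5, -1.0),
    "hyd_line_A": (4.0, 0.8),
    "hyd_line_B": (4.0, -3.0),
    "fcc_1": (-3.0, 2.0),
    "fcc_2": (-3.0, -2.0),
}

# Minimal cut sets of the functional model's fault tree for the failure
# condition "loss of the hydraulic / flight control function"; each one
# assumes that its members fail independently.
MINIMAL_CUT_SETS = [
    frozenset({"hyd_pump_A", "hyd_pump_B"}),
    frozenset({"hyd_line_A", "hyd_line_B"}),
    frozenset({"fcc_1", "fcc_2"}),
]


def hit_list(origin, direction_deg, half_angle_deg, radius, items=ITEMS):
    """Geometric step: items inside a planar debris fan (sector) that starts
    at origin, points along direction_deg and spans +/- half_angle_deg."""
    ox, oy = origin
    hits = set()
    for name, (x, y) in items.items():
        dx, dy = x - ox, y - oy
        if math.hypot(dx, dy) > radius:
            continue
        angle = math.degrees(math.atan2(dy, dx))
        diff = (angle - direction_deg + 180.0) % 360.0 - 180.0  # wrap to [-180, 180)
        if abs(diff) <= half_angle_deg:
            hits.add(name)
    return hits


def independence_check(hits, cut_sets=MINIMAL_CUT_SETS, required_order=2):
    """Failure injection step: after the common cause removes the hit items,
    how many independent events does each cut set still need? A cut set whose
    effective order falls below required_order violates the independence
    assumption behind the safety objective."""
    report = []
    for cs in cut_sets:
        impacted = cs & hits
        residual = cs - hits
        effective_order = len(residual) + (1 if impacted else 0)
        report.append({"cut_set": cs, "impacted": impacted,
                       "effective_order": effective_order,
                       "violation": effective_order < required_order})
    return report


def cut_sets_with_common_cause(hits, event, cut_sets=MINIMAL_CUT_SETS):
    """Fault tree including the common cause: the event replaces the items it
    impacts as one basic event, and non-minimal sets are dropped."""
    rewritten = {(cs - hits) | {event} if cs & hits else cs for cs in cut_sets}
    minimal = [c for c in rewritten if not any(o < c for o in rewritten)]
    return sorted(minimal, key=lambda c: (len(c), sorted(c)))


if __name__ == "__main__":
    hits = hit_list(origin=(0.0, 0.0), direction_deg=0.0,
                    half_angle_deg=30.0, radius=6.0)
    print("hit list:", sorted(hits))
    for row in independence_check(hits):
        print(row)
    print("cut sets with common cause:",
          [sorted(c) for c in cut_sets_with_common_cause(hits, "tyre_burst")])
```

For the constructed fan both hydraulic pumps lie inside the debris sector, so the pump redundancy collapses to a single event (effective order 1, below the required order 2) and the rewritten fault tree contains {tyre_burst} alone as a cut set; the hydraulic lines lose one member but still need two independent events, and the flight control computers are untouched. The same check answers the slide's question "will a list of impacted items violate the independence assumptions of a functional model?" for any hit list, whatever geometry produced it.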
Applicability
[Figure: ISAAC along the development phases. Preliminary design: requirements specification (Installation, Reliability, Testability, Safety, Regulations and Customer requirements), representation of requirements and scenario, assembly of architecture patterns, preliminary architecture/layout. Design consolidation: system specification and architecture, sub-system specifications, equipment specifications. Design assessment: Fault Tree Analysis and Failure Mode/Effect Analysis; Common Causes (detect invalidation of redundancy or independence); Operational aspects (Mission Reliability Analysis); Testability aspects (Fault Detection & Isolation); Human Errors (detect pilot errors). Test: test specifications, acceptance. Certification. Activities across the phases: document, analysis, modeling, test, iterative prototype. Models used: Functional, Geometric, Cognitive, Environment.]
Follow-on
The activities ongoing in ISAAC have the potential for follow-on research activities.
They are in line with VISION 2020 and the SRA.
Some examples are provided in the following.
Follow-on
Main areas:
Improvement of the aircraft systems development process
Extension of ISAAC framework to include other aspects
Improvement in the identification and analysis of the human errors aspects
Application of the ISAAC method to other contexts
Improvement of the aircraft/systems development process:
Introduction of ISAAC methods in standards for safety activities (e.g. Aerospace Recommended Practices, ARPs)
Integration of ISAAC methods in the industrial process, in view of a comprehensive environment including methods, tools, databases of requirements, analysis reports and other documentation, i.e. all the information and means that can support the development of a project
Extension of ISAAC framework to include other aspects:
Extension of the Common Cause Analysis framework in order to integrate new facilities for the verification of Maintainability, Accessibility, Ergonomics and Personnel Safety Requirements
Extension to allow the consideration of “dynamic-energy-material” aspects relevant to risks impacting on safety (e.g. fire propagation, etc.). This implies the integration of other kind of models.
Improvements in the identification and analysis of human errors:
Extension of the cognitive architecture to be more comprehensive, allowing the consideration of several “mechanisms” that may induce the generation of pilot errors
Creation of a cognitive model kernel that allows components relevant to different cognitive mechanisms to be added easily
Application of the ISAAC method in other contexts:
Application of the ISAAC methods to other fields dealing with critical systems (e.g. automotive, railways, nuclear).
Conclusion
ISAAC results:
To improve the safety assessment process by ensuring awareness of safety-related aspects from the early development phases.
To facilitate the identification and verification of design modifications/improvements, with benefits on cost implications.
To influence the standards for safety activities.
To be further developed and also transferred to other fields dealing with critical systems.
ISAAC Team Members
will be pleased to meet you
at Stand number 28
© 2006 Alenia Aeronautica S.p.A.
The contents of this document are the intellectual property of Alenia Aeronautica. Apart from those contractually-agreed user rights, any copying or communication of this document in any form is forbidden without the written authorisation of Alenia Aeronautica.