ingeniería de sistemas - eurocontrol · ingeniería de sistemas background ... easa cs 25.1309 –...

Eurocontrol Safety R&D Seminar, Munich, 21_22-10-2009

1

IsdefeIngeniería de Sistemas

Eurocontrol Safety R&D Seminar

Date: 21/10/2009

By:

Jorge Bueno ([email protected])

Marga Martín ([email protected])

SOFIA

Safe AutOmatic Flight Back and LandIng ofAircraft


2


SOFIA Overall Data

Budget: 4,997,984 €

Duration: 36 months

Start date: 1st September, 2006

Web Site: www.sofia.isdefe.es

SOFIA Consortium:


3


SOFIA’s Operational Concept

Enabling the safe and automatic Enabling the safe and automatic return to ground of an airplane in return to ground of an airplane in

the event of the event of onboard onboard hostile actionshostile actions


4


Background

• SOFIA is a response to the challenge of developing concepts and techniques enabling the safe and automatic return to ground of an airplane in the event of hostile actions.

• SOFIA is proposed as a continuation of a part of the SAFEE project. SAFEE focused in the development and validation of a concept that detects and evaluates on-board threats using the Threats Assessment and Management System (TARMS) and enables the Emergency Avoidance System (EAS) to autonomously flight the aircraft to a secure point. SOFIA develops the system (FRF) that, from that secure point, takes control of the airplane and safely returns it to ground.

• Both projects are mainly related to the Research Domain 3.d “aircraft security” of the FP6-2005-AERO-1, Research Area 3 “Improving safety and security”.


5


SOFIA Scope

ATC

• EAS ACTIVE• FRF ARMED

1THREAT

• EAS ARMED• FRF IDLE

2

• EAS IDLE• FRF IDLE

3

Collision Course

4

5

• EAS ACTIVE• FRF IDLE

6

• EAS ARMED• FRF ACTIVE

• EAS AVOIDANCE• FRF IDLE


6


SOFIA Core: the FRF

•The Flight Reconfiguration Function (FRF) is SOFIA´s core.

•It creates and executes without any command from ground, a new flight plan towards a secure airport, taking the control of the aircraft and managing its safe landing at the selected airport.

•Three different solutions are proposed and developed:

– Solution 1: Flight Planning without negotiation: FLPN is generated by the FRF system.

– Solution 2: Flight Planning with negotiation: FLPN is generated on ground and up-linked to the airplane. FRF system checks its feasibility.

– Solution 3: Military A/C Relay: FLPN is transmitted from a a military aircraft.


7


• The flight plan can be created:

1. Integrally by the FRF system

2. By an Authority on Groundand negotiated with the FRF system

3. In a military airplane and transmitted to the aircraft

• The execution of the new flight plan is autonomously performed by FRF

SOFIA Core: the FRF (2/2)

It means to create and execute without any control from ground, a new flight plan towards a secure airport and landing the airplane at it


8


SOFIA Solutions

Three different solutions for the FRF are considered:

• Solution 1: Flight Planning without negotiation: FLPN is generated by the FRF system.

• Solution 2: Flight Planning with negotiation:FLPN is generated on ground and up-linked to the airplane. FRF system checks its feasibility.

• Solution 3: Military A/C Relay: FLPN is transmitted from a a military aircraft.


9


Trajectory Generation by FRFThe Trajectory is generated by FRF considering:

• Destination airport according to the threat

• Jeppessen data

• Weather, terrain, obstacles, restricted areas and PSA (ProhibitedSecurity Areas)

• Fuel

• Aircraft performances

FRF enables Trajectory updates due to:

• ATC messages (e.g. change in destination airfield)

• Weather

• Traffic

• Obstacles, PSA


10


FRF FunctionsDecision Centre Function (DCF)• Manages FRF capabilities and controls events

Health Monitoring System Interface (HMS)• Monitors for external systems failures critical to FRF

Route Planning and Static Flight Monitoring (RPL)• Generates a suitable flight path to a secure airfield

Guidance Management and Leg Management (GLM)• Performs flight guidance

Route Re-planning (RRP)• Performs re-routing due to a conflict

Dynamic Flight Monitoring (DFM)• Monitors aircraft performances and resolves conflicts

External Communication (COM)• Processes the information to be exchanged with the GSDS

Display Management (DSM)• Manages displays when FRF is active


11


Validation Process

FlightTrials

GroundSimulations

Preliminary Validation(Implementation)

Final Validation

FRF Version 1

FRF Version 2

IoAAircraft

DAI Aircraft

THA Airlab

GAL ATENA

DFS ATC

DFS

ATC


12


SOFIA Safety Issues


13


Why?

1. Assess how safe the FRF design is…

2. Are we compromising current levels of safety?

3. Refine FRF specification and design

4. Mitigate potential SAFETY RISK early in the design


14


What?

Safety Assessment at two levels…

Aircraft level– Goal: Ensure that FRF design achieves acceptable levels of risk – Requirements: EASA CS 25.1309– Methodology: SAE ARP 4761 – Focus: Inside the aircraft (FRF System � on-board equipment)

Integration on airspace levels– Goal: Ensure that the SOFIA operational concept achieves acceptable levels of risk

– Requirements: ESARR4 – Methodology: EUROCONTROL EATMP Safety Assessment Methodology (SAM),

– Focus: Outside the aircraft (ATM � operations)


15


15

Selected Approach

PSSAPSSA

Airspace (ATM) PSSAAircraft PSSA

FHAFHA

Airspace (ATM) FHA

Aircraft FHA

A/C Level FHA FRF Level FHA

First CriticalityAssessment

Preliminary

System Safety

Assessment

Final System

Safety Assessment

FTA

OperationalIssues

Functionallocation

Initial FRF Design

FMEA Identify Causes

Derive Safety Requirements

DBs Requirements

Final FRF Architecture


16


16

ARP 4761 Approach

Id Function Phase FailureCondition

FailureEffect

Class.

A/C

1.1.

Reconfigure flight andland

HP, DES, APP, LND

FRF Malfunctionunder thepresence ofsec. threat

Hull Loss CAT

A/C

1.2


HP, DES, APP, LND

FRF Malfunctionwhen no securitythreat ispresent.

No effecton safety

NSE

Aircraft FHA

Loss of A/C resulting from FRF failure

Aircraft FTAs

Untimely switchingNo FPLN created

Erroneous switching out of ARMED

Failure to switch fromARMED to ACTIVE

ACTIV

E M

ODE

ARM

ED M

ODE

Id Function Phase FailureCondition

FailureEffect

Class.

FRF

1.1.

ManageFRF modes

HP Failure toswitch fromARMED toACTIVE

Hull Loss CAT

FRF

1.2


HP, DES, APP, LND

FRF Malfunctionwhen no securitythreat ispresent.

No effecton safety

NSE

FRF System FHA

Failure to switch from ARMED to ACTIVE

PSSA FTAs

Loss of function 3Loss of Function 1 Loss of Function 2

Basic Causal Events


17


17

Results

– Understand the logic that contributes to produce mostsevere failures

– Important contributors to failure– Safety requirements on:

• On-board equipment:– Conventional A/C Systems (e.g. Sources ofinformation to generate a FPLN, FMS/AP Coupling)

– FRF System– Security Systems (TARMS, EAS)

• Operations:– Ground personnel (ATCOs)– Procedures– Ground equipment


18


Recomendations

• Need for better statistics on likeliness of occurrence for security scenarios

• Need to adjust safety criteria to account for security scenarios

• Redefine certain avionic functions design which count on the pilot as safety net (i.e. navigation, flight controls, etc)

• Identification of FRF functions that need to be developed to high safety assurance levels:

– Mode management

– Exchange of data with critical systems like FMS or TARMS. (e.g. Airfield and route verification)


19


Recomendations

• At least to information rounds are needed to create the flight plan: one once the A/C leaves the holding pattern, the second when approachin the airport

• FRF shall be informed about ATIS failures

• Having up to date information from ground is critical

• Weather at selected airport has to be part of the criteria for airport selection

• In solution 2 flight plan acceptance shall be confirmed


20


Recomendations

• Spurious activation of the FRF during normal operation doesnot present (a priori) a major risk for safety for two reasons:

1) The FRF is intended to automatically land an aircraft at a secured airport. In the absence of any critical failures thisoperation can be considered safe.

2) The FRF is not designed to remove control away from theflight crew. Once the flight crew detects the spuriousactivation (without a threat on-board), they are still capableof reverting the system back to normal.

If there is a threat (security scenario), protection measuresare considered within the scope of SAFEE project.


21


THAK YOU VERY MUCHFOR YOUR ATTENTION

ANY QUESTION, PLEASE?

ingeniería de sistemas - eurocontrol · ingeniería de sistemas background ... easa cs 25.1309 –...

Documents