TRIMIS

Improvement of Safety Activities on Aeronautical Complex systems

Funding: European (European Union)
Duration: -
Status: Complete with results
Geo-spatial type: Other
Total project cost: €9 496 751
EU Contribution: €5 361 941
Project Acronym: ISAAC
STRIA Roadmaps: Vehicle design and manufacturing (VDM)
Transport mode: Airborne
Transport policies: Safety/Security
Transport sectors: Passenger transport, Freight transport

Overview

Call for proposal: FP6-2002-AERO-1
Background & Policy context

Avionic systems are becoming more and more complex. They incorporate heterogeneous components, perform a large number of functions and interact with operators through advanced interfaces. As a consequence, it is becoming harder to manage all the aspects of safety assessment and to maintain the safety levels required by societal needs.

A previous FP5 project, ESACS (Enhanced Safety Assessment for Complex Systems), has shown the benefit of using formal techniques to assess aircraft safety.

In particular, ESACS investigated how to use 'design tools' to define a common reference model that describes both the functional modes (design aspect) and the dysfunctional modes (safety aspect) of a complex system. It also investigated how formal verification techniques can be used to express safety properties (requirements) and to support the safety analysis process.

In this way, the methodology provides a common environment for both designers and safety engineers. ISAAC builds upon and extends the results of ESACS, going a step further in the improvement and integration of safety activities for aeronautical complex systems.

Objectives

The overall objective of the ISAAC project was to increase the capability and efficiency for safety and systems engineers to perform safety assessment resulting in safe systems.

One goal of ISAAC was to extend the scope of the shared environment in a number of dimensions. It took into account results from well-established tools used in particular risk and zonal safety analysis, and used this information to identify and inject into the 'intended-functionality' model the unintended interactions between independent but co-located systems. It also evaluated the relationship between the human and the machine and offers a complex-human, complex-machine interaction model.

Another ISAAC goal was to expand the scope of the scientific knowledge that can be incorporated in the environment.

A number of techniques intended to indicate the level of safety that the temporal behaviour of a system achieves have been investigated in previous efforts, such as dynamic fault trees (static fault trees extended with sequencing information), sequence diagrams, and event history charts using meaningful colours and line thicknesses. All of these methods are good tools for presenting the sequencing or temporal behaviour of a system. None of them, in their current state, has produced a clear indicator of the level of safety a system upholds in terms of its temporal or sequencing behaviour. ISAAC therefore extends this work to define a new metric, process and presentation that represent the level of safety achieved by the temporal or sequential behaviour of a system: the time-safety metric.

Methodology

To reach ISAAC's goals, the work followed detailed technical and scientific objectives organised into three complementary dimensions, which are in turn structured into basic topics:

1. First dimension: Consolidation

This dimension addressed direct needs emerging from the results of the ESACS project. It comprised the following topics:

  • integration with higher level notations for requirements;
  • extension of traditional techniques to timing aspects, and quantitative analysis;
  • further development of platform/tools already started in ESACS.

The ESACS approach proposed using formal notations for safety analysis. Because safety-specific tasks can increase the modelling effort considerably, ISAAC investigates higher-level notations, such as UML, to reduce this overhead by letting safety engineers express safety requirements, mode logic and patterns of safety architectures more easily, so that designers and safety engineers can jointly validate a preliminary aircraft system model against its safety requirements. ESACS took advantage of the expressiveness of the formal notation, which makes it possible to represent and assess the safety of dynamic systems; ISAAC develops the timing aspects further by providing methods and metrics for them. Finally, ISAAC enhances the ESACS platform with all of the improvements, methodological extensions and analyses mentioned above.

2. Second dimension: Extension

The core set of basic tools of the ESACS platform also offers a good starting point for investigating safety-related topics not covered by the ESACS project. The second dimension of the ISAAC project thus aims at providing methodologies, techniques and tools to support the following activities related to the safety assessment of a system:

  • Human Error;
  • Common Cause Analysis;
  • Mission Analysis; and
  • Testability.

Human error analysis is becoming more and more important. A dominant factor contributing to human error is so-called 'clumsy' automation, which leads to 'automation surprises', where the electronic systems behave differently from what the pilot expects. What matters is the way the pilot and the aircraft's controller interact.

Common Cause Analysis (CCA) is a well-established means of taking into account events or failures that bypass or invalidate redundancy or independence. Even though this process is intended to ensure that common cause

Funding

Parent Programmes
Institution Type: Public institution
Institution Name: European Commission
Type of funding: Public (EU)

Results

Key results include:

  • A system model that includes fault models;
  • Behavioural models and associated tools for safety assessment;
  • Behavioural models for specialised analysis;
  • Coupling behavioural models of complex system and geometric models for particular risk analysis;
  • Coupling behavioural models of complex system and pilot models for human error analysis.

Case studies were extracted from existing aircraft systems. Failure sequences were analysed by the ISAAC tools, which can automatically handle numerous detailed failure modes. The tools can also provide more detail about the temporal order of the events that lead to a top-level event.
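The sequence analysis described above, and the dynamic-fault-tree discussion under Objectives, can be illustrated with a small self-contained model. The following Python program is an added example written for this page; it is not the ISAAC platform or any of its tools, and the system it models is hypothetical: a redundant power supply with a primary source, a backup source and a monitor that commands the switch-over (the component names, the failure-event names and the assumption that a failed monitor is stuck at 'no alarm' are all constructed for the example). It extends the nominal state machine with injected failure modes, exhaustively explores every ordering of failures, and reports the minimal cut sets for the top-level event 'loss of power' together with how many orderings of each cut set actually reach it.

```python
"""Toy model-based safety analysis: a formal (state-machine) system model
extended with injected failure modes, exhaustively explored to find the failure
sequences that reach a top-level event (TLE), the minimal cut sets, and which
cut sets are order-sensitive (the case a static fault tree cannot express).
Example code written for this page; not part of the ISAAC project tools."""
from dataclasses import dataclass, replace
from itertools import permutations

# Hypothetical redundant power-supply architecture (constructed for this example):
# a primary source, a backup source, and a monitor that commands the switch-over.
FAILURE_EVENTS = ("primary_fails", "backup_fails", "monitor_fails")


@dataclass(frozen=True)
class State:
    """Nominal design state extended with 'dysfunctional' (failure) flags."""
    primary_ok: bool = True
    backup_ok: bool = True
    monitor_ok: bool = True
    selected: str = "primary"  # source currently selected by the controller


def inject(state: State, event: str) -> State:
    """Apply one failure mode to the model (failures are permanent)."""
    if event == "primary_fails":
        return replace(state, primary_ok=False)
    if event == "backup_fails":
        return replace(state, backup_ok=False)
    if event == "monitor_fails":
        # Assumption: a failed monitor is stuck at 'no alarm', so it never
        # commands a switch-over afterwards.
        return replace(state, monitor_ok=False)
    raise ValueError(f"unknown failure event {event!r}")


def controller(state: State) -> State:
    """Nominal reconfiguration logic: switch to backup once the monitor
    reports loss of the primary source."""
    if state.selected == "primary" and not state.primary_ok and state.monitor_ok:
        return replace(state, selected="backup")
    return state


def power_available(state: State) -> bool:
    """System output: is the selected source still delivering power?"""
    return state.primary_ok if state.selected == "primary" else state.backup_ok


def reaches_tle(sequence) -> bool:
    """Simulate an ordered sequence of failure events; True if the top-level
    event 'loss of power' is reached at any step."""
    s = State()
    for event in sequence:
        s = controller(inject(s, event))
        if not power_available(s):
            return True
    return False


def failure_sequences():
    """Enumerate every ordering of distinct failure events (each event fires at
    most once) and return those that reach the TLE. For a model this small the
    brute-force enumeration answers the same reachability question a model
    checker would."""
    bad = []
    for k in range(1, len(FAILURE_EVENTS) + 1):
        for seq in permutations(FAILURE_EVENTS, k):
            if reaches_tle(seq):
                bad.append(seq)
    return bad


def minimal_cut_sets(bad_sequences):
    """Unordered failure sets for which some ordering reaches the TLE, minimal
    by inclusion: the classical (static) fault-tree result."""
    cut_sets = {frozenset(seq) for seq in bad_sequences}
    minimal = [cs for cs in cut_sets if not any(other < cs for other in cut_sets)]
    return sorted(minimal, key=lambda cs: (len(cs), sorted(cs)))


def order_sensitivity(bad_sequences):
    """For each minimal cut set, (orderings reaching the TLE, total orderings).
    A ratio below 1 means the hazard depends on the order in which the failures
    occur: a static fault tree overstates it, a dynamic fault tree must capture it."""
    bad = set(bad_sequences)
    result = {}
    for cs in minimal_cut_sets(bad_sequences):
        orders = list(permutations(sorted(cs)))
        hits = [o for o in orders if o in bad]
        result[cs] = (len(hits), len(orders))
    return result


if __name__ == "__main__":
    bad = failure_sequences()
    for cs, (hits, total) in order_sensitivity(bad).items():
        print(f"cut set {sorted(cs)}: {hits}/{total} orderings reach loss of power")
```

Running it shows that the pair {primary, backup} leads to loss of power in either order, while {primary, monitor} does so only when the monitor fails before the primary source (if the primary fails first, the still-working monitor commands the switch-over and the later monitor failure is harmless). A static fault tree lists both as two-failure cut sets and cannot distinguish them; the sequence-aware result is exactly the information a time-safety metric has to represent.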

The set of case studies is a significant sample of safety-critical embedded systems. It includes not only command systems that control aircraft mechanical components (e.g. flight control or landing gear systems) but also systems that provide resources to the others (e.g. hydraulic and electrical power generation and distribution).

Technical Implications

The ISAAC approach eases the dialogue between safety engineers and system designers. The method also appears applicable to a wide range of embedded systems, not only in aircraft but also on board cars, trains or spacecraft.

The new methods are being promoted by the ISAAC partners to the certification authorities as acceptable means of compliance for certification purposes. For civil aircraft, the certification process requires evidence that the safety requirements and objectives are satisfied, by means of safety assessment analyses performed throughout the system development cycle.

Usually, fault trees and similar analyses constitute the main elements of this evidence. ISAAC proposes formal models and the associated tools as additional means of compliance; these means are not yet referred to in the Aerospace Recommended Practice documents.

New steps in the certification process have been defined and agreed both by European and American certification authorities.

Partners

Lead Organisation
  • Alenia Aermacchi Spa; Viale Dell'aeronautica Snc, 80038 Pomigliano D'arco (Na), Italy

Partner Organisations
  • Prover Technology Ab; Rosenlundsgatan 54, 118 63 Stockholm, Sweden (EU Contribution: €0)
  • Office National D'Etudes Et De Recherches Aérospatiales; 29, avenue de la Division Leclerc, BP72 CHÂTILLON CEDEX, France (EU Contribution: €0)
  • Airbus France Sas; 316, route de Bayonne, 31060 TOULOUSE, France (EU Contribution: €0)
  • Airbus Deutschland Gmbh; Kreetslag 10, 950109 HAMBURG, Germany (EU Contribution: €0)
  • Istituto Trentino Di Cultura; Via S. Croce 77, TRENTO, Italy (EU Contribution: €0)
  • Kuratorium Offis E.v.; Escherweg 2, OLDENBURG, Germany (EU Contribution: €0)
  • Dassault Aviation; 9, Rond-Point des Champs-Elysées - Marcel Dassault, 75008 PARIS, France (EU Contribution: €0)
  • Airbus Operations Limited; New Filton House, Filton, BRISTOL, BS99 7AR, United Kingdom (EU Contribution: €0)
  • Alenia Sia Spa; STRADA DEL LIONETTO 6, 10146 TORINO, Italy (EU Contribution: €0)
