Fakultät Verkehrswissenschaften, Institut für Luftfahrt und Logistik, Professur Technologie und...

Fakultät Verkehrswissenschaften, Institut für Luftfahrt und Logistik, Professur Technologie und Logistik des Luftverkehrs

Model-based Safety Requirements Engineering

for complex ATM Systems

Dipl.- Ing. Lothar MeyerDr.-Ing. Michael Schultz


ATM Seminar 2011

Evaluation of a virtual control tower HMI design

• Safety Assessment of a virtual control tower HMI design• Identification of information demand [1]• Substituting visual information cues by display systems• Evaluation of virtual control tower HMI design by applying

safety criteria

2Dipl.- Ing Lothar Meyer


ATM Seminar 2011

Display Systems used for the Virtual Control Tower

Dipl.- Ing Lothar Meyer 3

Airborne Surveillance Ground surveillance

Video Surveillance


ATM Seminar 2011

Preliminary System Safety Assessment

• Second step of the Safety Assessment [2]• Precondition is the availability of identified hazards and its

safety objectives



ATM Seminar 2011

Preliminary System Safety Assessment

• Determining system architecture• Identification of causal events that contribute to the

probability of hazard occurrences• Identification of causal logic• Modeling fault tree for identified hazards


causes consequences

hazard

FTA ETA

true

fa lse


ATM Seminar 2011

Performing evaluation studies were performed

• Hazard causes need to be identified with respect to the ability of the operator to detect visual information.

• Experimental design included 12 student probands and three test arrangements of the virtual tower design

• Performing tests with factorial plan


Proband

Traffic Generator Sequence

Local hazards

Procedual failures

Traffic situation

Clear traffic

Display Situation

Traffic data

Percept events


ATM Seminar 2011

Results of the experimental cause identification

• Determining the occurrence probability of• separation minima violation by giving incorrect clearance,• runway incursion by giving incorrect clearance,• detecting events as e.g.

• Unauthorized stop bar overrun and• Animal occurrence.• Missed approach

• Sensitivity analysis of probability according to variation of design

• Interviewing probands for causes of failure and non- detection qualitatively.

• Causes were e.g.• lack of resolution on the holding points and take-off position• Redundancy of visual information• A low information density (detection time)• Loss of depth information e.g. missed approach on the ground

surveillance displayDipl.- Ing Lothar Meyer 7


ATM Seminar 2011

Modeling in fault trees and apportionment

• Modeling perceptual lacks in the system design as causative events

• More than three fault trees were modeled

• Apportionment of safety objectives into safety requirements according to given causal logic


A/C position not detected

P=10-9

Stopp bar not localizable

Spatial recognition of A/C decreased

Lack of contrast

Resolution of A/C is unsufficent

Displayed A/C dimensions are unsufficent

Movements are not predictable

Altitude of A/C not detectable

Visual information too distributed

Used too many types ot Display systems

Too many display fields

Density of visual information insufficent


ATM Seminar 2011

Introduction of causal network models

• Performing apportionment fault tree modeling don’t respect multidependencies of the causal events.

• Redundant allocation of causal events with safety requirements

• Performing apportionment by use of a causal network would take into account multidependencies


Parameter 1

Parameter 2

Parameter 3

Hz1Hz1

Hz2Hz2

Hz3Hz3

AccidentAccident

Major Incident

Major Incident

Case 1: simple impact Case 1: simple impact

Case 2: multi impactCase 2: multi impact

Case 3:no impactCase 3:no impact

Serious Incident (Runway Incursion)

Serious Incident (Runway Incursion)


ATM Seminar 2011

Mathematic modeling for causal network models

Kolmogorov's axioms of unification and intersection


Hazard H1

Cause C1

Cause C2


ATM Seminar 2011


• Modeling multidependency by means of linear algebraic expressions• Vectors are defined as n-tuple (one column matrix)• Nonlinear term with dependent input parameters• Generalized with • effects the multiplicative combination without repetition of



ATM Seminar 2011


• Final transfer function for mapping causal probabilities to hazards probabilities.

• Safety objectives complies when hazards probabilites are equal or less then corresponding safety objectives

• With that effects the combination without repetition by means of exponentiation.



ATM Seminar 2011

EMF – Eclipse Modelling Framework ( GMF)



ATM Seminar 2011

Demonstration of causal networks models

• Trivial sample of the experimental identification in the virtual control tower


A/C presence not detectable (SO=10-9)

H1H1

A/C position not detectable (SO=10-9)

H2H2

Wildlife presence not detectable (SO=1.5 10-4)

H3H3

resolution too low

C2C2

contrast too low

Vision system too diversive

C3C3

C1C1


ATM Seminar 2011

Result

• Solution space of safety requirements that comply to given safety objectives

• Sample shows boundaries of three dimensional case. • Visualization realized by Matlab 3D Plot functions



ATM Seminar 2011

Boundary conditions

• Using ratios

• Possible weighting of technical components reliability

• Degree of exceeding safety objectives

• When J is zero, safety objectives are met perfectly• J indicates the degree of additional safety that excees mandatory

safety objectives• Virtual tower case: J=1.5 10-4 at any boundary solution



ATM Seminar 2011

Summary

• An experimental identification hazard cause has been performed to the virtual control tower design

• Modeling of fault trees does not take into account multidependencies (redundancy of safety requirements)

• Apportionment method that is extended by use of a causal network offers the possibility to determine safety requirements that meets personalized optimization criterion

• A static transfer function has been deduced that maps causal probabilities to hazard probabilities

• A software framework has been developed that supports modeling, parameterizing and visualization of the extended apportionment method

• the method has been applied to a sample of the virtual tower and criterion and related final safety requirements has been set

• The method demands for additional validation with safety related air navigation systems.



ATM Seminar 2011

Thank you.

www.ifl.tu-dresden.de

[email protected]



ATM Seminar 2011

Bibliography

[1]L. Meyer et al. (2010), Functional Hazard Analysis of Virtual Control Towers, Valenciennes, IFAC.

[2]SAM-TF (2004), Preliminary system safety assessment, Eurocontrol, Brussels, Belgium.

[3]H. Kruegle, Ed., CCTV Surveillance: Analog and Digital Video Practices and Technology. USA: Elsevier, 2007.


Fakultät Verkehrswissenschaften, Institut für Luftfahrt und Logistik, Professur Technologie und...

Documents

Transcript of Fakultät Verkehrswissenschaften, Institut für Luftfahrt und Logistik, Professur Technologie und...