Fakultät Verkehrswissenschaften, Institut für Luftfahrt und Logistik, Professur Technologie und Logistik des Luftverkehrs (Faculty of Transport Sciences, Institute of Aviation and Logistics, Chair of Air Transport Technology and Logistics), TU Dresden
Model-based Safety Requirements Engineering for complex ATM Systems
Dipl.-Ing. Lothar Meyer, Dr.-Ing. Michael Schultz
ATM Seminar 2011
Evaluation of a virtual control tower HMI design
• Safety assessment of a virtual control tower HMI design
• Identification of information demand [1]
• Substituting visual information cues by display systems
• Evaluation of the virtual control tower HMI design by applying safety criteria
Dipl.-Ing. Lothar Meyer, slide 2
Display Systems used for the Virtual Control Tower
[Figure: the three display systems of the virtual control tower]
• Airborne surveillance
• Ground surveillance
• Video surveillance
Preliminary System Safety Assessment
• Second step of the safety assessment [2]
• Precondition is the availability of the identified hazards and their safety objectives
Preliminary System Safety Assessment (continued)
• Determining the system architecture
• Identification of the causal events that contribute to the probability of hazard occurrence
• Identification of the causal logic
• Modeling a fault tree for each identified hazard
[Figure: bow-tie diagram. Causes on the left are analysed by fault tree analysis (FTA) and lead to the hazard in the centre; consequences on the right are analysed by event tree analysis (ETA), each branch labelled true/false.]
Evaluation studies performed
• Hazard causes need to be identified with respect to the operator's ability to detect visual information.
• The experimental design included 12 student test subjects and three test arrangements of the virtual tower design.
• Tests were performed according to a factorial design.
[Figure: experimental set-up. A traffic generator produces a sequence of traffic situations (clear traffic, local hazards, procedural failures); the resulting traffic data drive the display situation, and the test subject's percept events from the displays are recorded.]
Results of the experimental cause identification
• Determining the occurrence probability of
  • separation minima violation by giving an incorrect clearance,
  • runway incursion by giving an incorrect clearance,
  • detecting events such as
    • unauthorized stop bar overrun,
    • animal occurrence,
    • missed approach.
• Sensitivity analysis of the probability against variation of the design
• Interviewing the test subjects qualitatively for the causes of failure and non-detection
• Causes were, for example:
  • lack of resolution at the holding points and the take-off position
  • redundancy of visual information
  • low information density (longer detection time)
  • loss of depth information, e.g. a missed approach on the ground surveillance display
Modeling in fault trees and apportionment
• Perceptual deficits of the system design are modeled as causative events
• More than three fault trees were modeled
• Safety objectives are apportioned into safety requirements according to the given causal logic
[Figure: fault tree for the top event "A/C position not detected", safety objective P = 10^-9. Events shown in the tree:]
• stop bar not localizable
• spatial recognition of A/C decreased
• lack of contrast
• resolution of A/C insufficient
• displayed A/C dimensions insufficient
• movements not predictable
• altitude of A/C not detectable
• visual information too distributed
• too many types of display systems used
• too many display fields
• density of visual information insufficient
Introduction of causal network models
• Apportionment by fault tree modeling does not respect multi-dependencies of the causal events (one causal event contributing to several hazards).
• The same causal event is therefore allocated a safety requirement more than once (redundant allocation).
• Apportionment by means of a causal network takes such multi-dependencies into account.
[Figure: causal network. Parameters 1 to 3 feed hazards Hz1 to Hz3, which lead to a Serious Incident (Runway Incursion), a Major Incident or an Accident. Three cases are distinguished: case 1, simple impact (a parameter affects one hazard); case 2, multi impact (a parameter affects several hazards); case 3, no impact.]
Mathematic modeling for causal network models
Kolmogorov's axioms of unification and intersection
[Figure: hazard H1 with its two causes C1 and C2.]
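Worked derivation for this slide (added here; the slide shows only the figure, and the independence assumption is an assumption of this note, not stated on the slide). Hazard $H_1$ occurs when at least one of its causes $C_1$, $C_2$ occurs, so Kolmogorov's addition rule for the union gives

$$P(H_1) = P(C_1 \cup C_2) = P(C_1) + P(C_2) - P(C_1 \cap C_2).$$

If the causes are statistically independent, the intersection term is the product of the cause probabilities:

$$P(H_1) = P(C_1) + P(C_2) - P(C_1)\,P(C_2) = 1 - \bigl(1 - P(C_1)\bigr)\bigl(1 - P(C_2)\bigr).$$

For $n$ independent causes this generalizes by inclusion-exclusion, the inner sum running over all combinations without repetition of $k$ causes:

$$P(H) = \sum_{k=1}^{n} (-1)^{k+1} \sum_{1 \le i_1 < \dots < i_k \le n} \prod_{j=1}^{k} P(C_{i_j}) = 1 - \prod_{i=1}^{n} \bigl(1 - P(C_i)\bigr).$$

Numerically, with constructed values $P(C_1) = P(C_2) = 5 \cdot 10^{-10}$, $P(H_1) = 10^{-9} - 2.5 \cdot 10^{-19}$: a safety objective of $10^{-9}$ is just met, and the intersection term is negligible at these magnitudes. The first-order sum $\sum_i P(C_i)$ is always an upper bound (Boole's inequality), so it can serve as a conservative check.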
Mathematical modeling for causal network models (continued)
• Multi-dependency is modeled by means of linear algebraic expressions
• Vectors are defined as n-tuples (one-column matrices)
• Nonlinear term with dependent input parameters
• Generalized with
• effects the multiplicative combination without repetition of
Mathematical modeling for causal network models (continued)
• Final transfer function mapping causal probabilities to hazard probabilities
• The safety objectives are complied with when every hazard probability is equal to or less than its corresponding safety objective
• With that, the combination without repetition is effected by means of exponentiation
EMF – Eclipse Modeling Framework (with GMF, the Graphical Modeling Framework)
Demonstration of causal networks models
• Simple sample taken from the experimental cause identification in the virtual control tower
[Figure: causal network of the sample, linking each cause to the hazards it contributes to.]
Hazards:
• H1: A/C presence not detectable (SO = 10^-9)
• H2: A/C position not detectable (SO = 10^-9)
• H3: wildlife presence not detectable (SO = 1.5·10^-4)
Causes (labelled C1 to C3 in the figure):
• resolution too low
• contrast too low
• vision system too diverse (visual information spread over too many displays)
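As an added example (not code from the presentation or from the authors' EMF-based framework), the following Python implements the transfer function for the sample network: cause probabilities are mapped to hazard probabilities by inclusion-exclusion over combinations without repetition, checked against the safety objectives, and contrasted with a per-tree fault tree apportionment to show how a shared cause receives a redundant allocation. Hazard names and safety objectives are from the slide; the edges C1..C3 to H1..H3, the cause probabilities and the equal-split apportionment rule are assumptions.

```python
"""Causal network: cause probabilities -> hazard probabilities, compliance
check, and comparison with per-fault-tree apportionment.

Added example for this slide deck; not code from the presentation or the
authors' software framework. Assumptions (not stated on the slides): the
causes are statistically independent, a hazard occurs if at least one of
its causes occurs, and the edges of the sample network are hypothetical.
"""
from itertools import combinations
from math import prod

# Sample network of the demonstration slide. Node names and safety
# objectives (SO) are from the slide; the edges are an assumption.
NETWORK = {
    "H1": ["C1", "C2"],  # A/C presence not detectable
    "H2": ["C1", "C3"],  # A/C position not detectable
    "H3": ["C2", "C3"],  # wildlife presence not detectable
}
OBJECTIVES = {"H1": 1e-9, "H2": 1e-9, "H3": 1.5e-4}
# Constructed (hypothetical) cause probabilities.
CAUSES = {"C1": 4e-10, "C2": 5e-10, "C3": 5e-10}


def p_union_independent(probs):
    """P(C_1 u ... u C_n) by inclusion-exclusion (Kolmogorov addition rule).

    For independent causes every intersection term is the product of its
    members, so the k-th order term sums products over all combinations
    without repetition of k causes, with alternating sign.
    """
    total = 0.0
    for k in range(1, len(probs) + 1):
        sign = 1.0 if k % 2 == 1 else -1.0
        total += sign * sum(prod(combo) for combo in combinations(probs, k))
    return total


def hazard_probabilities(causes, network):
    """Transfer function: hazard -> probability, given the cause probabilities."""
    return {h: p_union_independent([causes[c] for c in cs])
            for h, cs in network.items()}


def complies(hazard_probs, objectives):
    """A safety objective is met when P(H) <= SO(H)."""
    return {h: hazard_probs[h] <= so for h, so in objectives.items()}


def fault_tree_apportionment(objectives, network):
    """Apportion each hazard's SO over its causes one fault tree at a time
    (equal split, an assumption). A cause shared by several trees receives
    one requirement per tree: the redundant allocation the slides criticise.
    """
    requirements = {}
    for h, cs in network.items():
        for c in cs:
            requirements.setdefault(c, []).append(objectives[h] / len(cs))
    return requirements


def network_requirement(per_tree_requirements):
    """Resolve the redundancy: only the tightest requirement per cause binds."""
    return {c: min(reqs) for c, reqs in per_tree_requirements.items()}


def demo():
    ph = hazard_probabilities(CAUSES, NETWORK)
    per_tree = fault_tree_apportionment(OBJECTIVES, NETWORK)
    return {
        "hazard_probabilities": ph,
        "complies": complies(ph, OBJECTIVES),
        "per_tree": per_tree,
        "binding": network_requirement(per_tree),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

With the constructed probabilities all three objectives are met (P(H1) = 9·10^-10); raising C1 to 8·10^-10 breaks H1 and H2 at once, which is the multi-impact case. The per-tree apportionment hands C2 two requirements, 5·10^-10 from H1 and 7.5·10^-5 from H3, of which only the first binds; the network view keeps that tighter value.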
Result
• Solution space of safety requirements that comply with the given safety objectives
• The sample shows the boundaries of the three-dimensional case
• Visualization realized with Matlab 3D plot functions
Boundary conditions
• Using ratios
• Possible weighting of the reliability of technical components
• Degree of exceeding the safety objectives, J
• When J is zero, the safety objectives are met exactly
• J indicates the degree of additional safety that exceeds the mandatory safety objectives
• Virtual tower case: J = 1.5·10^-4 at any boundary solution
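Added example (not the presentation's or the framework's code) for the boundary solutions and the J criterion. It assumes independent causes, a hazard that occurs if any of its causes occurs, the hypothetical edges H1 from C1 and C2, H2 from C1 and C3, H3 from C2 and C3 (the slides show only the nodes), requirements expressed as a common scale factor times a ratio vector (the "using ratios" condition; unequal ratios act as a reliability weighting), and J defined as the summed margin between each safety objective and its hazard probability. Under these assumptions the equal-ratio boundary solution reproduces the J ≈ 1.5·10^-4 of the slide: H1 and H2 sit exactly on 10^-9 and the whole margin comes from the wildlife hazard.

```python
"""Boundary solutions of the safety-requirement solution space and the
J criterion (degree by which the safety objectives are exceeded).

Added example; not code from the presentation or the authors' framework.
Assumptions: independent causes; a hazard occurs if any of its causes
occurs; the network edges are hypothetical; requirements are a scale
factor t times a ratio vector r ("using ratios", unequal ratios acting as
a reliability weighting); J is the summed margin SO(H) - P(H), so J = 0
means every objective is met exactly.
"""
from math import expm1, log1p

NETWORK = {"H1": ["C1", "C2"], "H2": ["C1", "C3"], "H3": ["C2", "C3"]}  # edges assumed
OBJECTIVES = {"H1": 1e-9, "H2": 1e-9, "H3": 1.5e-4}  # SO values from the slide


def p_union(probs):
    """1 - prod(1 - p_i) for independent causes, evaluated via log1p/expm1 so
    that nothing cancels at the 1e-9 scale of the safety objectives."""
    return -expm1(sum(log1p(-p) for p in probs))


def hazard_probs(requirements, network=NETWORK):
    """Transfer function: per-cause requirement -> hazard probability."""
    return {h: p_union([requirements[c] for c in cs]) for h, cs in network.items()}


def j_criterion(requirements, objectives=OBJECTIVES):
    """Summed margin between objectives and hazard probabilities (assumed
    definition of J). A negative term means that hazard does not comply."""
    ph = hazard_probs(requirements)
    return sum(so - ph[h] for h, so in objectives.items())


def boundary_solution(ratios, objectives=OBJECTIVES, iters=200):
    """Largest scale t for which requirement_c = t * r_c still complies with
    every objective; the most demanding hazard then sits exactly on its SO.
    Every P(H) grows monotonically with t, so bisection on t suffices."""
    def compliant(t):
        reqs = {c: t * r for c, r in ratios.items()}
        if any(p >= 1.0 for p in reqs.values()):
            return False  # not a probability; also guards log1p(-1)
        ph = hazard_probs(reqs)
        return all(ph[h] <= so for h, so in objectives.items())

    lo, hi = 0.0, 1.0 / max(ratios.values())  # keeps every probability below 1
    for _ in range(iters):
        mid = (lo + hi) / 2.0
        if compliant(mid):
            lo = mid
        else:
            hi = mid
    return {c: lo * r for c, r in ratios.items()}


if __name__ == "__main__":
    for r in ({"C1": 1, "C2": 1, "C3": 1}, {"C1": 1, "C2": 2, "C3": 2}):
        reqs = boundary_solution(r)
        print(r, reqs, hazard_probs(reqs), "J =", j_criterion(reqs))
```

For equal ratios the boundary lies at 5·10^-10 per cause (2t - t² = 10^-9) and J is 1.5·10^-4 minus about 10^-9. Weighting contrast and display diversity at twice the resolution cause (ratios 1:2:2) moves the boundary to t = 10^-9/3 for C1 and 2·10^-9/3 for the other two; H3 still has the same order of margin, so the optimization criterion only redistributes the budget among the causes of H1 and H2.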
Summary
• An experimental identification of hazard causes has been performed for the virtual control tower design
• Modeling with fault trees does not take multi-dependencies into account (redundancy of safety requirements)
• An apportionment method extended by a causal network makes it possible to determine safety requirements that meet a user-defined optimization criterion
• A static transfer function has been deduced that maps causal probabilities to hazard probabilities
• A software framework has been developed that supports modeling, parameterizing and visualizing the extended apportionment method
• The method has been applied to a sample of the virtual tower; the criterion and the resulting final safety requirements have been set
• The method demands further validation with safety-related air navigation systems
Thank you.
www.ifl.tu-dresden.de
Bibliography
[1] L. Meyer et al. (2010), Functional Hazard Analysis of Virtual Control Towers, IFAC, Valenciennes.
[2] SAM-TF (2004), Preliminary System Safety Assessment, Eurocontrol, Brussels, Belgium.
[3] H. Kruegle, ed. (2007), CCTV Surveillance: Analog and Digital Video Practices and Technology, Elsevier, USA.