Ingeniería de Sistemas filetakes control of the airplane and safely returns it to ground. • Both...
Transcript of Ingeniería de Sistemas filetakes control of the airplane and safely returns it to ground. • Both...
Eurocontrol Safety R&D Seminar, Munich, 21_22-10-2009
1
IsdefeIngeniería de Sistemas
Eurocontrol Safety R&D Seminar
Date: 21/10/2009
By:
Jorge Bueno ([email protected])
Marga Martín ([email protected])
SOFIA
Safe AutOmatic Flight Back and LandIng ofAircraft
Eurocontrol Safety R&D Seminar, Munich, 21_22-10-2009
2
IsdefeIngeniería de Sistemas
SOFIA Overall Data
Budget: 4,997,984 €
Duration: 36 months
Start date: 1st September, 2006
Web Site: www.sofia.isdefe.es
SOFIA Consortium:
Eurocontrol Safety R&D Seminar, Munich, 21_22-10-2009
3
IsdefeIngeniería de Sistemas
SOFIA’s Operational Concept
Enabling the safe and automatic Enabling the safe and automatic return to ground of an airplane in return to ground of an airplane in
the event of the event of onboard onboard hostile actionshostile actions
Eurocontrol Safety R&D Seminar, Munich, 21_22-10-2009
4
IsdefeIngeniería de Sistemas
Background
• SOFIA is a response to the challenge of developing concepts and techniques enabling the safe and automatic return to ground of an airplane in the event of hostile actions.
• SOFIA is proposed as a continuation of a part of the SAFEE project. SAFEE focused in the development and validation of a concept that detects and evaluates on-board threats using the Threats Assessment and Management System (TARMS) and enables the Emergency Avoidance System (EAS) to autonomously flight the aircraft to a secure point. SOFIA develops the system (FRF) that, from that secure point, takes control of the airplane and safely returns it to ground.
• Both projects are mainly related to the Research Domain 3.d “aircraft security” of the FP6-2005-AERO-1, Research Area 3 “Improving safety and security”.
Eurocontrol Safety R&D Seminar, Munich, 21_22-10-2009
5
IsdefeIngeniería de Sistemas
SOFIA Scope
ATC
• EAS ACTIVE• FRF ARMED
1THREAT
• EAS ARMED• FRF IDLE
2
• EAS IDLE• FRF IDLE
3
Collision Course
4
5
• EAS ACTIVE• FRF IDLE
6
• EAS ARMED• FRF ACTIVE
• EAS AVOIDANCE• FRF IDLE
Eurocontrol Safety R&D Seminar, Munich, 21_22-10-2009
6
IsdefeIngeniería de Sistemas
SOFIA Core: the FRF
•The Flight Reconfiguration Function (FRF) is SOFIA´s core.
•It creates and executes without any command from ground, a new flight plan towards a secure airport, taking the control of the aircraft and managing its safe landing at the selected airport.
•Three different solutions are proposed and developed:
– Solution 1: Flight Planning without negotiation: FLPN is generated by the FRF system.
– Solution 2: Flight Planning with negotiation: FLPN is generated on ground and up-linked to the airplane. FRF system checks its feasibility.
– Solution 3: Military A/C Relay: FLPN is transmitted from a a military aircraft.
Eurocontrol Safety R&D Seminar, Munich, 21_22-10-2009
7
IsdefeIngeniería de Sistemas
• The flight plan can be created:
1. Integrally by the FRF system
2. By an Authority on Groundand negotiated with the FRF system
3. In a military airplane and transmitted to the aircraft
• The execution of the new flight plan is autonomously performed by FRF
SOFIA Core: the FRF (2/2)
It means to create and execute without any control from ground, a new flight plan towards a secure airport and landing the airplane at it
Eurocontrol Safety R&D Seminar, Munich, 21_22-10-2009
8
IsdefeIngeniería de Sistemas
SOFIA Solutions
Three different solutions for the FRF are considered:
• Solution 1: Flight Planning without negotiation: FLPN is generated by the FRF system.
• Solution 2: Flight Planning with negotiation:FLPN is generated on ground and up-linked to the airplane. FRF system checks its feasibility.
• Solution 3: Military A/C Relay: FLPN is transmitted from a a military aircraft.
Eurocontrol Safety R&D Seminar, Munich, 21_22-10-2009
9
IsdefeIngeniería de Sistemas
Trajectory Generation by FRFThe Trajectory is generated by FRF considering:
• Destination airport according to the threat
• Jeppessen data
• Weather, terrain, obstacles, restricted areas and PSA (ProhibitedSecurity Areas)
• Fuel
• Aircraft performances
FRF enables Trajectory updates due to:
• ATC messages (e.g. change in destination airfield)
• Weather
• Traffic
• Obstacles, PSA
Eurocontrol Safety R&D Seminar, Munich, 21_22-10-2009
10
IsdefeIngeniería de Sistemas
FRF FunctionsDecision Centre Function (DCF)• Manages FRF capabilities and controls events
Health Monitoring System Interface (HMS)• Monitors for external systems failures critical to FRF
Route Planning and Static Flight Monitoring (RPL)• Generates a suitable flight path to a secure airfield
Guidance Management and Leg Management (GLM)• Performs flight guidance
Route Re-planning (RRP)• Performs re-routing due to a conflict
Dynamic Flight Monitoring (DFM)• Monitors aircraft performances and resolves conflicts
External Communication (COM)• Processes the information to be exchanged with the GSDS
Display Management (DSM)• Manages displays when FRF is active
Eurocontrol Safety R&D Seminar, Munich, 21_22-10-2009
11
IsdefeIngeniería de Sistemas
Validation Process
FlightTrials
GroundSimulations
Preliminary Validation(Implementation)
Final Validation
FRF Version 1
FRF Version 2
IoAAircraft
DAI Aircraft
THA Airlab
GAL ATENA
DFS ATC
DFS
ATC
Eurocontrol Safety R&D Seminar, Munich, 21_22-10-2009
12
IsdefeIngeniería de Sistemas
SOFIA Safety Issues
Eurocontrol Safety R&D Seminar, Munich, 21_22-10-2009
13
IsdefeIngeniería de Sistemas
Why?
1. Assess how safe the FRF design is…
2. Are we compromising current levels of safety?
3. Refine FRF specification and design
4. Mitigate potential SAFETY RISK early in the design
Eurocontrol Safety R&D Seminar, Munich, 21_22-10-2009
14
IsdefeIngeniería de Sistemas
What?
Safety Assessment at two levels…
Aircraft level– Goal: Ensure that FRF design achieves acceptable levels of risk – Requirements: EASA CS 25.1309– Methodology: SAE ARP 4761 – Focus: Inside the aircraft (FRF System � on-board equipment)
Integration on airspace levels– Goal: Ensure that the SOFIA operational concept achieves acceptable levels of risk
– Requirements: ESARR4 – Methodology: EUROCONTROL EATMP Safety Assessment Methodology (SAM),
– Focus: Outside the aircraft (ATM � operations)
Eurocontrol Safety R&D Seminar, Munich, 21_22-10-2009
15
IsdefeIngeniería de Sistemas
15
Selected Approach
PSSAPSSA
Airspace (ATM) PSSAAircraft PSSA
FHAFHA
Airspace (ATM) FHA
Aircraft FHA
A/C Level FHA FRF Level FHA
First CriticalityAssessment
Preliminary
System Safety
Assessment
Final System
Safety Assessment
FTA
OperationalIssues
Functionallocation
Initial FRF Design
FMEA Identify Causes
Derive Safety Requirements
DBs Requirements
Final FRF Architecture
Eurocontrol Safety R&D Seminar, Munich, 21_22-10-2009
16
IsdefeIngeniería de Sistemas
16
ARP 4761 Approach
Id Function Phase FailureCondition
FailureEffect
Class.
A/C
1.1.
Reconfigure flight andland
HP, DES, APP, LND
FRF Malfunctionunder thepresence ofsec. threat
Hull Loss CAT
A/C
1.2
Reconfigure flight andland
HP, DES, APP, LND
FRF Malfunctionwhen no securitythreat ispresent.
No effecton safety
NSE
Aircraft FHA
Loss of A/C resulting from FRF failure
Aircraft FTAs
Untimely switchingNo FPLN created
Erroneous switching out of ARMED
Failure to switch fromARMED to ACTIVE
ACTIV
E M
ODE
ARM
ED M
ODE
Id Function Phase FailureCondition
FailureEffect
Class.
FRF
1.1.
ManageFRF modes
HP Failure toswitch fromARMED toACTIVE
Hull Loss CAT
FRF
1.2
Reconfigure flight andland
HP, DES, APP, LND
FRF Malfunctionwhen no securitythreat ispresent.
No effecton safety
NSE
FRF System FHA
Failure to switch from ARMED to ACTIVE
PSSA FTAs
Loss of function 3Loss of Function 1 Loss of Function 2
Basic Causal Events
Eurocontrol Safety R&D Seminar, Munich, 21_22-10-2009
17
IsdefeIngeniería de Sistemas
17
Results
– Understand the logic that contributes to produce mostsevere failures
– Important contributors to failure– Safety requirements on:
• On-board equipment:– Conventional A/C Systems (e.g. Sources ofinformation to generate a FPLN, FMS/AP Coupling)
– FRF System– Security Systems (TARMS, EAS)
• Operations:– Ground personnel (ATCOs)– Procedures– Ground equipment
Eurocontrol Safety R&D Seminar, Munich, 21_22-10-2009
18
IsdefeIngeniería de Sistemas
Recomendations
• Need for better statistics on likeliness of occurrence for security scenarios
• Need to adjust safety criteria to account for security scenarios
• Redefine certain avionic functions design which count on the pilot as safety net (i.e. navigation, flight controls, etc)
• Identification of FRF functions that need to be developed to high safety assurance levels:
– Mode management
– Exchange of data with critical systems like FMS or TARMS. (e.g. Airfield and route verification)
Eurocontrol Safety R&D Seminar, Munich, 21_22-10-2009
19
IsdefeIngeniería de Sistemas
Recomendations
• At least to information rounds are needed to create the flight plan: one once the A/C leaves the holding pattern, the second when approachin the airport
• FRF shall be informed about ATIS failures
• Having up to date information from ground is critical
• Weather at selected airport has to be part of the criteria for airport selection
• In solution 2 flight plan acceptance shall be confirmed
Eurocontrol Safety R&D Seminar, Munich, 21_22-10-2009
20
IsdefeIngeniería de Sistemas
Recomendations
• Spurious activation of the FRF during normal operation doesnot present (a priori) a major risk for safety for two reasons:
1) The FRF is intended to automatically land an aircraft at a secured airport. In the absence of any critical failures thisoperation can be considered safe.
2) The FRF is not designed to remove control away from theflight crew. Once the flight crew detects the spuriousactivation (without a threat on-board), they are still capableof reverting the system back to normal.
If there is a threat (security scenario), protection measuresare considered within the scope of SAFEE project.
Eurocontrol Safety R&D Seminar, Munich, 21_22-10-2009
21
IsdefeIngeniería de Sistemas
THAK YOU VERY MUCHFOR YOUR ATTENTION
ANY QUESTION, PLEASE?