Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21....
Transcript of Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21....
![Page 2: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/2.jpg)
General overview
Specification of functional, logical and physicalarchitectures with SysML
Life CycleArchitectures
FunctionalArchitectures
Logical Ar-chitectures
PhysicalArchitectures
Altarica(Cecilia)
Figure 1: Dysfunctional analysis in development process 2
![Page 3: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/3.jpg)
Goal of this lesson
Check if an autonomous system canbe used safely to perform a mission in
a given context
2
![Page 4: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/4.jpg)
Some definitions are mandatory tounderstand labs (what a surprise)
= slides preparing computer lab= reminder (should be)
Be careful !
2
![Page 5: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/5.jpg)
Interactive course ahead
Numerous exercises during classBe active !
2
![Page 6: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/6.jpg)
Preliminary concepts
![Page 7: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/7.jpg)
Introduction to System Dependability
What is a system?
2
![Page 8: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/8.jpg)
What is a system ?
Definition (System)A system is a set of interacting items, forming an integratedwhole
Example (System)examples of various complexity: air traffic control, aircraft +pilot, flight-control system, computers, sensors, actuators,. . .
3
![Page 9: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/9.jpg)
Use the drone shepherd as example toillustrate safety assessment.
= slides preparing computer labBe careful !
3
![Page 10: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/10.jpg)
Case study: Drone shepherd
![Page 11: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/11.jpg)
Drone shepherd: Mission
Main mission Drone monitors flock and prevents bear attack
Drone main features are• monitor autonomously the flock (no
operator interventions),• prevent bear attack,• send data to ground station.
Flock monitored by the droneGround station receives data from drone and transmits
requests from operatorOperator initiates/aborts drone mission
4
![Page 12: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/12.jpg)
Drone shepherd: Mission
Main mission Drone monitors flock and prevents bear attackDrone main features are
• monitor autonomously the flock (nooperator interventions),
• prevent bear attack,• send data to ground station.
Flock monitored by the droneGround station receives data from drone and transmits
requests from operatorOperator initiates/aborts drone mission
4
![Page 13: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/13.jpg)
Drone shepherd: Mission
Main mission Drone monitors flock and prevents bear attackDrone main features are
• monitor autonomously the flock (nooperator interventions),
• prevent bear attack,• send data to ground station.
Flock monitored by the droneGround station receives data from drone and transmits
requests from operatorOperator initiates/aborts drone mission
4
![Page 14: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/14.jpg)
Drone shepherd: Context
flock
forbidden zone evolution zone
Figure 2: Overview of the system
5
![Page 15: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/15.jpg)
Introduction to System Dependability
What is dependability?
5
![Page 16: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/16.jpg)
What is dependability?
Definition (Dependability [ALRL04])The ability of the system to deliver service that can justifiablybe trusted.
Some vocabulary about dependability:
failure occurrence of the deviation of the delivered servicefrom expected service
failure rate probability of failure per unit of time of items inoperation
failure mode characterization of the way a system/item fails
6
![Page 17: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/17.jpg)
Drone shepherd
Nominal function Monitor drone stateFailure UAV unables to provide a reliable state estimation
Failure modes
• the UAV does not provide any stateestimation
• the UAV provides an erroenous estimation ofits state
7
![Page 18: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/18.jpg)
More vocabulary
System/items behaviors depend on
• control/observation interface• internal states (not always distinguishable)
• nominal functioning modes• error states part of the total state of a system/item that
may lead to its subsequent failure• fault = hypothesized or adjudged cause of an error state
Fault propagation paths:
fault ⇒ error ⇒ failure
8
![Page 19: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/19.jpg)
Drone shepherd
Failure mode the UAV provides an erroneous estimation of itsstate
Error state memory storing the state estimation is corruptedFault
• Primary (intrinsic) cause: memory chip failure• Secondary cause (extrinsic): corruption due
to cosmic rays
Observability Detectable if ECC or bit parity is available forstate estimation data
9
![Page 20: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/20.jpg)
Failure can lead to harmful eventsso-called hazards
What are the hazards here ?
9
![Page 21: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/21.jpg)
Possible hazards
System Environment
hazards
adversary conditions
Possible hazards :
• Hurt the flock• Collision with vehicle (road)
Possible adversary conditions:
• Wind or Rain ⇒ drone can’t fly• Poor GNSS signal ⇒ drone can’t locate itself
10
![Page 22: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/22.jpg)
Possible hazards
System Environment
hazards
adversary conditions
Possible hazards :
• Hurt the flock• Collision with vehicle (road)
Possible adversary conditions:
• Wind or Rain ⇒ drone can’t fly• Poor GNSS signal ⇒ drone can’t locate itself
10
![Page 23: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/23.jpg)
Possible hazards
System Environment
hazards
adversary conditions
Possible hazards :
• Hurt the flock• Collision with vehicle (road)
Possible adversary conditions:
• Wind or Rain ⇒ drone can’t fly• Poor GNSS signal ⇒ drone can’t locate itself
10
![Page 24: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/24.jpg)
Concretely, how to evaluate dependability?
10
![Page 25: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/25.jpg)
Math corner: Dependability measures
Definition (Reliability(R))Ability of a system S to ensure continuity of correct service:
R(t)= p(S non faulty over [0,t])
Definition (Availability(A))Ability of a system S to deliver a correct service at a given time:
A(t)= p(S non faulty at t)
Definition (Maintainability(M))Ability of a system S to undergo modifications and repair
M(t)= 1−p(S non repaired over [0,t])11
![Page 26: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/26.jpg)
Math corner: Dependability measures
Definition (Failure Rate (Λ))Probability of a system S to fail at t +dt knowing it has notfailed over [0,t]:
Λ(t)= limdt→0
p(S fails during [t ,t +dt])dt
1R(t)
Relation with R:R(t)= e−
∫ t0 Λ(u)du
12
![Page 27: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/27.jpg)
Math corner: Bath curve failure rate
Assume items used during constant failure rate phase
Λ(t)=λ; R(t)= e−λt ; MTTF = 1λ
13
![Page 28: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/28.jpg)
Math corner: Computation approximation
Definition (Rare failure assumptions)When λt ∼ 0 (usually λt < .1) use Taylor expansion forcomputations:
1−R(t)= 1−e−λt ∼0λt
Definition (Independence & pessimism assumption)If two components C1 and C2 have independent failures withfailure rate λ1 and λ2
p(both fail) =independent
p(C1 fails)p(C2 fails)=λ1λ2t2
p(one fails) = p(C1 fails)+p(C2 fails)−p(both fail)=
pessimismp(C1 fails)+p(C2 fails)
14
![Page 29: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/29.jpg)
Risk acceptability
The question is:
What happens if
drone shepherd fails
?
• Trajectory of the drone is not controlled• Possible collision with vehicle• Depending on the obstacle and aircraft speed, injury or
death of passengers.
15
![Page 30: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/30.jpg)
Risk acceptability
The question is:
What happens if drone shepherd fails?
• Trajectory of the drone is not controlled• Possible collision with vehicle• Depending on the obstacle and aircraft speed, injury or
death of passengers.
15
![Page 31: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/31.jpg)
Risk acceptability
The question is:
What happens if drone shepherd fails?
• Trajectory of the drone is not controlled• Possible collision with vehicle• Depending on the obstacle and aircraft speed, injury or
death of passengers.
15
![Page 32: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/32.jpg)
Risk acceptability
New question:
Knowing the severity of the failure, what is an acceptablefrequency of such failure?
Another general definition of dependability:
"ability to avoid service failures that are frequent and moresevere than acceptable"
What does service failure, severe, frequent, acceptable mean?⇒ Regulatory texts : let us consider civil aircraft
16
![Page 33: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/33.jpg)
Classification of failures
![Page 34: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/34.jpg)
Risk acceptability for civil aircraft
When considering safety of civil aircraft:
Failure Condition (FC) kind of service failures that:• has an effect on the aircraft and its
occupants, both direct and consequential,• caused by one or more failures, considering
relevant adverse operational or environmentalconditions.
Severity Failure Condition is classified in accordance to theseverity of its effects as defined .
17
![Page 35: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/35.jpg)
Risk acceptability for civil aircraft
severity class effects description acceptable fre-quency
catastrophic prevent continuous safe flightand landing: aircraft loss andloss of crew and passengers
< 10−9 per flighthour and no singlefailure leads to theFC
hazardous large reduction in safety marginsor functional capabilities or phys-ical distress or high crew work-load or serious or fatal injuriesto a relatively small number ofpassengers
< 10−7 per flighthour
18
![Page 36: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/36.jpg)
Risk acceptability for civil aircraft
severity class effects description acceptable fre-quency
major significant reduction in safetymargin or functional capabilitiesor significant increase in crewworkload or discomfort to occu-pants possibly including injuries
< 10−5 per flighthour
minor no significant reduction in air-craft safety.
< 10−3 per flighthour
no safety effect
19
![Page 37: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/37.jpg)
Risk acceptability for civil aircraft
Example (Severity & objectives)"Total loss of drone shepherd " is classified
Catastrophic
, so
• the probability rate of this failure condition shall be lessthan 10−9 /FH and
• No single event shall lead to this failure condition
Warnings:
• The regulation is not the same for military aircraft• The regulation for civil UAV is still in discussion• A generic agreed classification is an open question for a lot
of domains
20
![Page 38: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/38.jpg)
Risk acceptability for civil aircraft
Example (Severity & objectives)"Total loss of drone shepherd " is classified Catastrophic, so
• the probability rate of this failure condition shall be lessthan 10−9 /FH and
• No single event shall lead to this failure condition
Warnings:
• The regulation is not the same for military aircraft• The regulation for civil UAV is still in discussion• A generic agreed classification is an open question for a lot
of domains
20
![Page 39: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/39.jpg)
How to apply these concepts to builda complex dependable system?
20
![Page 40: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/40.jpg)
Dependability process: focus onaeronautic process
![Page 41: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/41.jpg)
Process based approach
Main steps:
• Identify dependability requirements• Specify a system architecture to ensure these properties• Assess whether the proposed specification fulfills the
dependability requirement• If OK, refine the system design and iterate
Guidelines tuned according to the system kind:
• ISO 26262 [ISO10] for automotive systems• ECSS Q-ST 40 for space systems• ARP 4754A [SAE10], ARP 4761 [SAE96] for aeronautic
systems21
![Page 42: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/42.jpg)
When should we perform safetyactivities?
21
![Page 43: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/43.jpg)
Safety Process (Complete)
Safety ProcessDesign Process
Aircraft LevelFunctional HazardAnalysis (FHA)
System Level FHA
Preliminary Sys-tem Safety As-
sessment (PSSA)
System SafetyAssessment (SSA)
Aircraft SafetySynthesis
Aircraft LevelRequirements
Allocation of aircraftfunctions to systems
Development ofsystem architecture
Allocation of re-quirements to
hardware and software
System im-plementation
Certification
CommonCauseAnalysis(CCA)
Failure conditions, safety objectivesFunctional Interactions
Failure conditions,safety objectives
Item requirements,safety objectives, anal-yses required
Results
Failureconditionsand effects
Separationrequire-ments
Separation verification
Physical system
Aircraft functions
System functions
Architectural requirements
System architecture
Implementation
22
![Page 44: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/44.jpg)
When should we identify and classifyFailure Conditions?
22
![Page 45: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/45.jpg)
Safety Process (FHA)
Safety ProcessDesign Process
Aircraft LevelFunctional HazardAnalysis (FHA)
System Level FHA
Preliminary Sys-tem Safety As-
sessment (PSSA)
System SafetyAssessment (SSA)
Aircraft SafetySynthesis
Aircraft LevelRequirements
Allocation of aircraftfunctions to systems
Development ofsystem architecture
Allocation of re-quirements to
hardware and software
System im-plementation
Certification
CommonCauseAnalysis(CCA)
Failure conditions, safety objectivesFunctional Interactions
Failure conditions,safety objectives
Item requirements,safety objectives, anal-yses required
Results
Failureconditionsand effects
Separationrequire-ments
Separation verification
Physical system
Aircraft functions
System functions
Architectural requirements
System architecture
Implementation
23
![Page 46: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/46.jpg)
Functional breakdown
Drone Sheepherd
Start SystemControl flightduring mission
Avoid bearapproach
Monitor Data ParameterMission
Figure 3: Functional breakdown (cf SysML lesson)
Risks : trouble in flight during mission ⇒ refine decompositionon Control flight during mission
24
![Page 47: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/47.jpg)
Functional breakdown
Control flightduring mission
Maintaintrajectory inevolution zone
Maintain in flight Monitordrone state
Abort Flight
Figure 4: Functional breakdown
FHA : assess the consequences and the criticality of the loss ormisapplication of each function in a given context
25
![Page 48: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/48.jpg)
FHA by the example
Function Failure Context Consequences Criticality
Maintain trajectoryin evolution zone
loss cannot abort flight
Crash outside evo-lution zone, possi-ble collision withvehicules
Catastrophic
Maintain in flight loss can maintain in evolution zone Crash in evolutionzone, possible hurtflock
Hazardous
Abort Flight loss can maintain in evolution zone Drone behavesproperly ⇒ Nosafety effect
NSE
Table 1: FHA example
26
![Page 49: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/49.jpg)
FHA by the example
Function Failure Context Consequences Criticality
Maintain trajectoryin evolution zone
loss cannot abort flight Crash outside evo-lution zone, possi-ble collision withvehicules
Catastrophic
Maintain in flight loss can maintain in evolution zone Crash in evolutionzone, possible hurtflock
Hazardous
Abort Flight loss can maintain in evolution zone Drone behavesproperly ⇒ Nosafety effect
NSE
Table 1: FHA example
26
![Page 50: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/50.jpg)
FHA by the example
Function Failure Context Consequences Criticality
Maintain trajectoryin evolution zone
loss cannot abort flight Crash outside evo-lution zone, possi-ble collision withvehicules
Catastrophic
Maintain in flight loss can maintain in evolution zone
Crash in evolutionzone, possible hurtflock
Hazardous
Abort Flight loss can maintain in evolution zone Drone behavesproperly ⇒ Nosafety effect
NSE
Table 1: FHA example
26
![Page 51: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/51.jpg)
FHA by the example
Function Failure Context Consequences Criticality
Maintain trajectoryin evolution zone
loss cannot abort flight Crash outside evo-lution zone, possi-ble collision withvehicules
Catastrophic
Maintain in flight loss can maintain in evolution zone Crash in evolutionzone, possible hurtflock
Hazardous
Abort Flight loss can maintain in evolution zone Drone behavesproperly ⇒ Nosafety effect
NSE
Table 1: FHA example
26
![Page 52: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/52.jpg)
FHA by the example
Function Failure Context Consequences Criticality
Maintain trajectoryin evolution zone
loss cannot abort flight Crash outside evo-lution zone, possi-ble collision withvehicules
Catastrophic
Maintain in flight loss can maintain in evolution zone Crash in evolutionzone, possible hurtflock
Hazardous
Abort Flight loss can maintain in evolution zone
Drone behavesproperly ⇒ Nosafety effect
NSE
Table 1: FHA example
26
![Page 53: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/53.jpg)
FHA by the example
Function Failure Context Consequences Criticality
Maintain trajectoryin evolution zone
loss cannot abort flight Crash outside evo-lution zone, possi-ble collision withvehicules
Catastrophic
Maintain in flight loss can maintain in evolution zone Crash in evolutionzone, possible hurtflock
Hazardous
Abort Flight loss can maintain in evolution zone Drone behavesproperly ⇒ Nosafety effect
NSE
Table 1: FHA example
26
![Page 54: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/54.jpg)
FHA by the example: Failure conditions
Failure condition Combination of functional failures thathave an effect an system’s safety
Function Failure Context Consequences Criticality
CAT_SOL cannot maintain trajectory in evolution zone andcannot abort flight
HAZ_SOL cannot maintain in flight
27
![Page 55: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/55.jpg)
FHA by the example: Failure conditions
Failure condition Combination of functional failures thathave an effect an system’s safety
Function Failure Context Consequences Criticality
Maintain trajectoryin evolution zone
loss cannot abort flight Crash outside evo-lution zone, possi-ble collision withvehicules
Catastrophic
CAT_SOL cannot maintain trajectory in evolution zone andcannot abort flight
HAZ_SOL cannot maintain in flight
27
![Page 56: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/56.jpg)
FHA by the example: Failure conditions
Failure condition Combination of functional failures thathave an effect an system’s safety
Function Failure Context Consequences Criticality
Maintain trajectoryin evolution zone
loss cannot abort flight Crash outside evo-lution zone, possi-ble collision withvehicules
Catastrophic
CAT_SOL cannot maintain trajectory in evolution zone andcannot abort flight
HAZ_SOL cannot maintain in flight
27
![Page 57: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/57.jpg)
FHA by the example: Failure conditions
Failure condition Combination of functional failures thathave an effect an system’s safety
Function Failure Context Consequences Criticality
Maintain in flight loss can maintain in evolution zone Crash in evolutionzone, possible hurtflock
Hazardous
CAT_SOL cannot maintain trajectory in evolution zone andcannot abort flight
HAZ_SOL cannot maintain in flight
27
![Page 58: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/58.jpg)
FHA by the example: Failure conditions
Failure condition Combination of functional failures thathave an effect an system’s safety
Function Failure Context Consequences Criticality
Maintain in flight loss can maintain in evolution zone Crash in evolutionzone, possible hurtflock
Hazardous
CAT_SOL cannot maintain trajectory in evolution zone andcannot abort flight
HAZ_SOL cannot maintain in flight
27
![Page 59: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/59.jpg)
FHA by the example: Failure conditions
Failure condition Combination of functional failures thathave an effect an system’s safety
Function Failure Context Consequences Criticality
Abort Flight loss can maintain in evolution zone Drone behavesproperly ⇒ Nosafety effect
NSE
CAT_SOL cannot maintain trajectory in evolution zone andcannot abort flight
HAZ_SOL cannot maintain in flight
27
![Page 60: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/60.jpg)
FHA by the example: Safety objectives
Safety objectives bounds over indicators commensurate withfailure condition criticality
Example (Safety objectives)What are the safety objectives for CAT_SOL ?
minimal number of failures ≥ 2 and probability ≤ 10−7
28
![Page 61: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/61.jpg)
FHA by the example: Safety objectives
Safety objectives bounds over indicators commensurate withfailure condition criticality
Example (Safety objectives)What are the safety objectives for CAT_SOL ?
minimal number of failures ≥ 2 and probability ≤ 10−7
28
![Page 62: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/62.jpg)
When should we check dependabilityrequirements?
28
![Page 63: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/63.jpg)
Safety Process (PSSA)
Safety ProcessDesign Process
Aircraft LevelFunctional HazardAnalysis (FHA)
System Level FHA
Preliminary Sys-tem Safety As-
sessment (PSSA)
System SafetyAssessment (SSA)
Aircraft SafetySynthesis
Aircraft LevelRequirements
Allocation of aircraftfunctions to systems
Development ofsystem architecture
Allocation of re-quirements to
hardware and software
System im-plementation
Certification
CommonCauseAnalysis(CCA)
Failure conditions, safety objectivesFunctional Interactions
Failure conditions,safety objectives
Item requirements,safety objectives, anal-yses required
Results
Failureconditionsand effects
Separationrequire-ments
Separation verification
Physical system
Aircraft functions
System functions
Architectural requirements
System architecture
Implementation
29
![Page 64: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/64.jpg)
PSSA: Example
Functional architecture
Failure conditions
Refined functional (logical) architecture
Maintain in flightMaintain
trajectory inevolution zone
Monitordrone state
Abort flight
Mapping
CAT_SOL HAZ_SOL
Mapping
Monitor DroneState
Acquire Data (rain,wind, attitude,
altitude, GPS, energy)
Apply safetyprocedures
ControlTrajectory
Abort flight
control mode
trajectory state
Figure 5: Failure conditions and functional architectures30
![Page 65: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/65.jpg)
Functional architecture
Monitor DroneState
Acquire Data (rain,wind, attitude,
altitude, GPS, energy)
Apply safetyprocedures
ControlTrajectory
Abort flight
control mode
trajectory state
Acquire Data each data acquired by independent function,failure modes are:
• erroneous: send inconsistent data,• lost: stop sending data.
31
![Page 66: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/66.jpg)
Functional architecture
Monitor DroneState
Acquire Data (rain,wind, attitude,
altitude, GPS, energy)
Apply safetyprocedures
ControlTrajectory
Abort flight
control mode
trajectory state
Monitor drone state each data is checked by independentand perfect alarms (neglected failures in the Labbut not in real life !!!).
32
![Page 67: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/67.jpg)
Functional architecture
Monitor DroneState
Acquire Data (rain,wind, attitude,
altitude, GPS, energy)
Apply safetyprocedures
ControlTrajectory
Abort flight
control mode
trajectory state
Apply safety procedures according to alarms, select controlmode.
33
![Page 68: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/68.jpg)
Apply safety procedures
Control mode is selected according to following rules:
1. attitude or trajectory not OK ⇒ flight termination,2. rain or wind or altitude or energy not OK ⇒ landing,3. loss of GNSS or localization ⇒ hovering,4. No regression rule: Once degraded mode selected, next
modes cannot be "less degraded".
Mission<Hovering < Landing < Flight Termination
5. Pessimism Rule: several modes can be selected⇒ most degraded mode must be chosen
34
![Page 69: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/69.jpg)
Functional architecture
Monitor DroneState
Acquire Data (rain,wind, attitude,
altitude, GPS, energy)
Apply safetyprocedures
ControlTrajectory
Abort flight
control mode
trajectory state
Control Trajectory navigation and pilot functions computingactuators commands from flight parameters andcontrol mode. Each function can be:
• erroneous: compute incorrect commands,• lost: stop computing any command.
35
![Page 70: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/70.jpg)
Functional architecture
Monitor DroneState
Acquire Data (rain,wind, attitude,
altitude, GPS, energy)
Apply safetyprocedures
ControlTrajectory
Abort flight
control mode
trajectory state
Abort Flight function cutting motors power supply if flighttermination mode selected, failure modes are :
• failed_permanent: untimely triggering offlight termination,
• failed_lost: ignore flight termination request.
36
![Page 71: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/71.jpg)
How to check dependabilityrequirements?
⇒ several complementary methods
36
![Page 72: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/72.jpg)
Failure propagation: The Fault Tree
Legend
or
Intermediate Event 2Intermediate Event 1
and
and
or
Failure condition
Intermediate Event 3
PE1 PE2PE3PE3PE2
e primary event
e copy of primary event
e Intermediate event
gate37
![Page 73: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/73.jpg)
Failure propagation: Reliability Block Diagram
Alternative notation for fault trees (analogy withserial-parallel electrical circuits)
S
PE3
PE1
and
orPE2
PE1
PE2P
38
![Page 74: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/74.jpg)
How do we use these representations?
38
![Page 75: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/75.jpg)
Failure propagation
Incorrect actuators commandsAborted Flight
HAZ_SOL
FTS Requestedfail_perm
Incorrect Data Acquisition
Incorrect Data Acquisition
Control law failure
false alarm
Figure 6: Incomplete fault tree of HAZ_SOL
39
![Page 76: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/76.jpg)
How to perform safety assessment outof fault trees?
39
![Page 77: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/77.jpg)
Minimal Cutsets
Fault tree ⇔ formula ϕ describing the failurecombinations leading to a failure condition
Definition (Minimal cutsets (MCS))A cutset C = {f1, · · · , fn} ∈MCS iff :
• if all f ∈C occurs then ϕ is true;• it does not exist another cutset C ′ satisfying the previous
properties and such that C ′ ⊂C
40
![Page 78: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/78.jpg)
Minimal Cutsets
Incorrect actuators commandsAborted Flight
HAZ_SOL
FTS Requestedfail_perm
Incorrect Data Acquisition
Incorrect Data Acquisition
Control law failure
false alarm
Figure 7: Incomplete fault tree of HAZ_SOL
41
![Page 79: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/79.jpg)
MCS Order
Definition (Order)Order of an FC is the minimal number of failures leading to FC .Formally, let MCS be the minimal cutsets for FC , then theorder is the minimal cardinality of MCS:
order(FC)= minc∈MCSFC
(|c |)
Example (Order)For MCSFC = {{a,b}, {c}} we have:
order(FC) = minc∈MCSFC
(|c |)= min(|{a,b}|, |{c}|)= 1
42
![Page 80: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/80.jpg)
Approximate probability computation
Let MCS be the minimal cutsets for FC , and p(event)probability of failure for primary events:
p(FC)= ∑cut∈MCS
∏event∈cut
p(event)
Example (Approximate computation)Let MCS={{a,b}, {c}} be the minimal cutsets for FC :
papprox (FC)= p(a)p(b)+p(c)
43
![Page 81: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/81.jpg)
Safety objectives (Reminder)
criticality qualitative requirement quantitative requirement
Catastrophic order ≥ 2 p ≤ 10−9/flight hourHazardous order ≥ 1 p ≤ 10−7/flight hourMajor order ≥ 1 p ≤ 10−5/flight hourMinor order ≥ 1 p ≤ 10−3/flight hour
Table 2: Acceptability matrix
Definition (Order)The order is the minimal cardinality of MCS
Example (Order)The order of MCS = {{a,b}, {c}} is 1
44
![Page 82: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/82.jpg)
Requirements verification
B We assume that primary events are independent
1. Determine the failure conditions and their criticality (fromFHA)
2. Build the fault trees for each failure condition3. Compute the minimal cutsets4. Qualitative verification : Compute the order and compare
it to the required bound5. Quantitative verification : Compute the probability and
compare it to the required bound
45
![Page 83: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/83.jpg)
Requirements verification
Example (Verification)Let MCSFC = {{a,b}, {c}} with p(a)= p(b)= p(c)= 10−4.Is it acceptable if FC criticality is Hazardous ?
order(FC) = minc∈MCSFC
(|c |)= 1⇒OK
p(FC) = p(a)p(b)+p(c)' 10−4 > 10−5 ⇒KO
46
![Page 84: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/84.jpg)
Requirements verification
Example (Verification)Let MCSFC = {{a,b}, {c}} with p(a)= p(b)= p(c)= 10−4.Is it acceptable if FC criticality is Hazardous ?
order(FC) = minc∈MCSFC
(|c |)= 1⇒OK
p(FC) = p(a)p(b)+p(c)' 10−4 > 10−5 ⇒KO
46
![Page 85: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/85.jpg)
Wait we didn’t completely built thefault tree, how to deal with the
reconfiguration ?
46
![Page 86: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/86.jpg)
Limitation of fault trees
Monitor DroneState
Acquire Data (rain,wind, attitude,
altitude, GPS, energy)
Apply safetyprocedures
ControlTrajectory
Abort flight
control mode
trajectory state
With fault trees enroll reconfiguration steps yourself⇒ time-consuming, tedious and error-prone
With altarica encode directly reconfiguration and let toolanalyze system for you
47
![Page 87: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/87.jpg)
What’s Altarica ?
Next lesson ! Now a recap
47
![Page 88: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/88.jpg)
General overview
Specification of functional, logical and physicalarchitectures with SysML
Life CycleArchitectures
FunctionalArchitectures
Logical Ar-chitectures
PhysicalArchitectures
Altarica(Cecilia)
Figure 8: Dysfunctional analysis in development process 48
![Page 89: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/89.jpg)
Today’s lesson in 30”
Perform safety assessment is:
1. Define system mission and operational context2. Identify the risks3. Determine for each high level function the criticality of its
failure and deduce failure conditions4. Build fault tree (or other representations) for each failure
condition5. Compute MCS and probability and compare it to the
safety objectives.
49
![Page 90: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/90.jpg)
Bibliography i
Algirdas Avizienis, J-C Laprie, Brian Randell, and CarlLandwehr.Basic concepts and taxonomy of dependable andsecure computing.IEEE transactions on dependable and secure computing,1(1):11–33, 2004.
ISO.ISO-26262 -Road vehicles – Functional safety, 2010.
50
![Page 91: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/91.jpg)
Bibliography ii
SAE.Aerospace Recommended Practices 4761 -guidelines and methods for conducting the safetyassessment process on civil airborne systems andequipment, 1996.
SAE.Aerospace Recommended Practices 4754a -Development of Civil Aircraft and Systems, 2010.
51
![Page 92: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/92.jpg)
Thank you
51
![Page 93: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/93.jpg)
Deal with dependencies
![Page 94: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/94.jpg)
Requirements verification
B We assume that primary events are independent
1. Determine the failure conditions and their criticality (fromFHA)
2. Build the fault trees for each failure condition3. Compute the minimal cutsets4. Qualitative verification : Compute the order and compare
it to the required bound5. Quantitative verification : Compute the probability and
compare it to the required bound
52
![Page 95: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/95.jpg)
What if some primary events are notindependent (tire burst, engine
burst,...)?
52
![Page 96: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/96.jpg)
Deal with dependencies
What could cause the simultaneous failure of severalcomponents?
• Adversary conditions: overheat, electromagneticperturbations, . . .
• Destruction of a whole zone: engine burst, in-flight fire,. . .• But also: implementation common mode (functions
depending on the same equipments), specification errors,systematic development errors,. . .
What are the consequences?
• Possible violation of safety objective⇒ Identify and analyze common mode during theCommon Cause Analysis (CCA)
53
![Page 97: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/97.jpg)
Deal with dependencies
Example (Dependencies impact)Minimal cut C = {a,b,c} for a catastrophic FC, if a and b arenot independent (triggered by d):
⇒ C → {d ,c}
⇒ Order goes from 3 to 2B System does not fulfil requirements
54
![Page 98: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/98.jpg)
Deal with dependencies
Event in MCS shall be independent to avoid that theirimplementation introduces a common mode reducing the size ofthe MCS under the order requirement.
⇓Define the segregation requirements to ensure
independence
Req 1: distg, disty anddistb need indepen-dence
Cut 1
Req 2: three functions outof EDPy, EMPg EDPg anddistb must be independent
Cut 2
disty.f
distg.f
distb.f EDPg.f
EMPg.fdistb.f
EDPyOrder requirement (3)
Figure 9: Independence requirements for Total hydraulic systemloss
55
![Page 99: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/99.jpg)
Limitation of fault trees
What could cause the simultaneous failure of severalcomponents?
• Adversary conditions: overheat, electromagneticperturbations, . . .
⇒ Random faults
• Destruction of a whole zone: engine burst, in-flightfire,. . .
⇒ Random faults
• But also: implementation common mode (functionsdepending on the same equipments), specification errors,systematic development errors,. . .
⇒ Systematic faults
Acceptability cannot be based on probability assessment !⇒ ensure a level of confidence in developmentcorrectness
56
![Page 100: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/100.jpg)
Limitation of fault trees
What could cause the simultaneous failure of severalcomponents?
• Adversary conditions: overheat, electromagneticperturbations, . . .⇒ Random faults
• Destruction of a whole zone: engine burst, in-flightfire,. . .⇒ Random faults
• But also: implementation common mode (functionsdepending on the same equipments), specification errors,systematic development errors,. . . ⇒ Systematic faults
Acceptability cannot be based on probability assessment !⇒ ensure a level of confidence in developmentcorrectness
56
![Page 101: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/101.jpg)
Design Assurance Level
![Page 102: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/102.jpg)
Limitation of fault trees
DAL Development Assurance Level (ARP4754) is thelevel (from E to A) of rigor of developmentassurance tasks performed on functions and items(software, hardware) whose fault result
Warning:
• DAL can be associated with• Functions: FDAL• Items: IDAL
• For each DAL level, assurance activities are listed in:• ARP4754 for FDAL• DO178 (SW) and DO254 (HW) for IDAL
57
![Page 103: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/103.jpg)
Assurance Activities Examples
Objective Applicability
Description Ref A B C D
1 Software high-level requirementscomply with system requirements.
6.3.1a I I R R
2 High-level requirements are accu-rate and consistent.
6.3.1b I I R R
3 High-level requirements are com-patible with target computer.
6.3.1c R R
• High DAL level ⇒ great number of assurance activities⇒ costly⇒ minimize the DAL of software and hardware
58
![Page 104: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/104.jpg)
DAL Allocation: Basic Allocation
Based on the severities of the FCs that function faultcontributes to.
Sev(FC) DAL(FC)
CAT AHAZ BMAJ CMIN DNSE E
Table 3: Link between severity and DAL
59
![Page 105: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/105.jpg)
What does "the severities of the FCsthat function fault f contributes to"
mean?
⇒ the severities of the FCs whoseMCS contains f
59
![Page 106: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/106.jpg)
DAL Allocation: Basic Allocation
Context • Let fc1 (resp fc2) be a failure condition ofseverity HAZ (resp. MAJ)
• Let MCS1 = {{f1, f2, f4}, {f3}} andMCS2 = {{f1, f3}}
Question What is the basic DAL of f1?
Answer f1 contained in MCS1 and MCS2 so DAL(f1)=worst(DAL(fc1),DAL(fc2))=DAL(HAZ )=B
Question What is the basic DAL of f2?Answer f2 contained only in MCS1 so
DAL(f2)=worst(DAL(fc1))=DAL(HAZ )=B
60
![Page 107: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/107.jpg)
DAL Allocation: Basic Allocation
Context • Let fc1 (resp fc2) be a failure condition ofseverity HAZ (resp. MAJ)
• Let MCS1 = {{f1, f2, f4}, {f3}} andMCS2 = {{f1, f3}}
Question What is the basic DAL of f1?Answer f1 contained in MCS1 and MCS2 so DAL(f1)=
worst(DAL(fc1),DAL(fc2))=DAL(HAZ )=BQuestion What is the basic DAL of f2?
Answer f2 contained only in MCS1 soDAL(f2)=worst(DAL(fc1))=DAL(HAZ )=B
60
![Page 108: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/108.jpg)
DAL Allocation: Basic Allocation
Context • Let fc1 (resp fc2) be a failure condition ofseverity HAZ (resp. MAJ)
• Let MCS1 = {{f1, f2, f4}, {f3}} andMCS2 = {{f1, f3}}
Question What is the basic DAL of f1?Answer f1 contained in MCS1 and MCS2 so DAL(f1)=
worst(DAL(fc1),DAL(fc2))=DAL(HAZ )=BQuestion What is the basic DAL of f2?Answer f2 contained only in MCS1 so
DAL(f2)=worst(DAL(fc1))=DAL(HAZ )=B
60
![Page 109: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/109.jpg)
DAL Allocation: Degradation rules
Designer can downgrade the basic DAL basic of a functionusing independence, the allocation must fulfill the followingrules:
Rule 1 basic can be degraded at most by two levelsRule 2 For all cuts {f1, · · · , fn} ∈MCSfc where f1, · · · , fn are
independent, either:• Option 1: it exists fi such that
DAL(fi)= basic• Option 2: it exists fi , fj such that
DAL(fi)=DAL(fj)= basic −1
61
![Page 110: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/110.jpg)
DAL Allocation: Degradation rules
Suppose f1, f2, f3 and f4 are independent and cost : DAL A =20, DAL B = 15, DAL C = 5, DAL D = 4, DAL E = 0
basic DAL cuts DAL Option
f1 f2 f3 f4
B{f1, f2, f4} ≥ B ≥ D - ≥ D 1
{f3} - - ≥ B - -
C {f1, f3} ≥ C - ≥ E - 1
Result ≥ B ≥ D ≥ B ≥ D
Cost 38
62
![Page 111: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/111.jpg)
DAL Allocation: Degradation rules
Suppose f1, f2, f3 and f4 are independent and cost : DAL A =20, DAL B = 15, DAL C = 5, DAL D = 4, DAL E = 0
basic DAL cuts DAL Option
f1 f2 f3 f4
B{f1, f2, f4} ≥ B ≥ D - ≥ D 1
{f3} - - ≥ B - -
C {f1, f3} ≥ C - ≥ E - 1
Result ≥ B ≥ D ≥ B ≥ D
Cost 38
62
![Page 112: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/112.jpg)
DAL Allocation: Degradation rules
Suppose f1, f2, f3 and f4 are independent and cost : DAL A =20, DAL B = 15, DAL C = 5, DAL D = 4, DAL E = 0
basic DAL cuts DAL Option
f1 f2 f3 f4
B{f1, f2, f4} ≥ B ≥ D - ≥ D 1
{f3} - - ≥ B - -
C {f1, f3} ≥ C - ≥ E - 1
Result ≥ B ≥ D ≥ B ≥ D
Cost 38
62
![Page 113: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/113.jpg)
DAL Allocation: Degradation rules
Suppose f1, f2, f3 and f4 are independent and cost : DAL A =20, DAL B = 15, DAL C = 5, DAL D = 4, DAL E = 0
basic DAL cuts DAL Option
f1 f2 f3 f4
B{f1, f2, f4} ≥ B ≥ D - ≥ D 1
{f3} - - ≥ B - -
C {f1, f3} ≥ C - ≥ E - 1
Result ≥ B ≥ D ≥ B ≥ D
Cost 38
62
![Page 114: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/114.jpg)
DAL Allocation: Degradation rules
Suppose f1, f2, f3 and f4 are independent and cost : DAL A =20, DAL B = 15, DAL C = 5, DAL D = 4, DAL E = 0
basic DAL cuts DAL Option
f1 f2 f3 f4
B{f1, f2, f4} ≥ B ≥ D - ≥ D 1
{f3} - - ≥ B - -
C {f1, f3} ≥ C - ≥ E - 1
Result ≥ B ≥ D ≥ B ≥ D
Cost 38
62
![Page 115: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/115.jpg)
Is it the cheapest option?
⇒ Let’s try again!
62
![Page 116: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/116.jpg)
DAL Allocation: Degradation rules
Suppose f1, f2, f3 and f4 are independent and cost : DAL A =20, DAL B = 15, DAL C = 5, DAL D = 4, DAL E = 0
basic DAL cuts DAL Option
f1 f2 f3 f4
B{f1, f2, f4} ≥ C ≥ C - ≥ D 2
{f3} - - ≥ B - -
C {f1, f3} ≥ E - ≥ C - 1
Result ≥ C ≥ C ≥ B ≥ D
Cost 29
63
![Page 117: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/117.jpg)
DAL Allocation: Degradation rules
Suppose f1, f2, f3 and f4 are independent and cost : DAL A =20, DAL B = 15, DAL C = 5, DAL D = 4, DAL E = 0
basic DAL cuts DAL Option
f1 f2 f3 f4
B{f1, f2, f4} ≥ C ≥ C - ≥ D 2
{f3} - - ≥ B - -
C {f1, f3} ≥ E - ≥ C - 1
Result ≥ C ≥ C ≥ B ≥ D
Cost 29
63
![Page 118: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/118.jpg)
DAL Allocation: Degradation rules
Suppose f1, f2, f3 and f4 are independent and cost : DAL A =20, DAL B = 15, DAL C = 5, DAL D = 4, DAL E = 0
basic DAL cuts DAL Option
f1 f2 f3 f4
B{f1, f2, f4} ≥ C ≥ C - ≥ D 2
{f3} - - ≥ B - -
C {f1, f3} ≥ E - ≥ C - 1
Result ≥ C ≥ C ≥ B ≥ D
Cost 29
63
![Page 119: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/119.jpg)
DAL Allocation: Degradation rules
Suppose f1, f2, f3 and f4 are independent and cost : DAL A =20, DAL B = 15, DAL C = 5, DAL D = 4, DAL E = 0
basic DAL cuts DAL Option
f1 f2 f3 f4
B{f1, f2, f4} ≥ C ≥ C - ≥ D 2
{f3} - - ≥ B - -
C {f1, f3} ≥ E - ≥ C - 1
Result ≥ C ≥ C ≥ B ≥ D
Cost 29
63
![Page 120: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/120.jpg)
DAL Allocation: Degradation rules
Suppose f1, f2, f3 and f4 are independent and cost : DAL A =20, DAL B = 15, DAL C = 5, DAL D = 4, DAL E = 0
basic DAL cuts DAL Option
f1 f2 f3 f4
B{f1, f2, f4} ≥ C ≥ C - ≥ D 2
{f3} - - ≥ B - -
C {f1, f3} ≥ E - ≥ C - 1
Result ≥ C ≥ C ≥ B ≥ D
Cost 29
63
![Page 121: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/121.jpg)
Whoopsie, f1 and f3 are notindependent
⇒ Any impact on last allocation?
63
![Page 122: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/122.jpg)
DAL Allocation: Degradation rules
f1, f3 not independent ⇒ replace them by a new function failuref1,3.
basic DAL cuts DAL Option
f1 f2 f3 f4
B{f1,3, f2, f4} ≥ C ≥ C - ≥ D 2
{f1,3} - - ≥ B - -
C {f1,3} ≥ C - ≥ C - -
Result ≥ C ≥ C ≥ B ≥ D
Cost 29
64
![Page 123: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/123.jpg)
DAL Allocation: Degradation rules
f1, f3 not independent ⇒ replace them by a new function failuref1,3.
basic DAL cuts DAL Option
f1 f2 f3 f4
B{f1,3, f2, f4} ≥ C ≥ C - ≥ D 2
{f1,3} - - ≥ B - -
C {f1,3} ≥ C - ≥ C - -
Result ≥ C ≥ C ≥ B ≥ D
Cost 29
64
![Page 124: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/124.jpg)
DAL Allocation: Degradation rules
f1, f3 not independent ⇒ replace them by a new function failuref1,3.
basic DAL cuts DAL Option
f1 f2 f3 f4
B{f1,3, f2, f4} ≥ C ≥ C - ≥ D 2
{f1,3} - - ≥ B - -
C {f1,3} ≥ C - ≥ C - -
Result ≥ C ≥ C ≥ B ≥ D
Cost 29
64
![Page 125: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/125.jpg)
DAL Allocation: Degradation rules
f1, f3 not independent ⇒ replace them by a new function failuref1,3.
basic DAL cuts DAL Option
f1 f2 f3 f4
B{f1,3, f2, f4} ≥ C ≥ C - ≥ D 2
{f1,3} - - ≥ B - -
C {f1,3} ≥ C - ≥ C - -
Result ≥ C ≥ C ≥ B ≥ D
Cost 29
64
![Page 126: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/126.jpg)
DAL Allocation: Degradation rules
f1, f3 not independent ⇒ replace them by a new function failuref1,3.
basic DAL cuts DAL Option
f1 f2 f3 f4
B{f1,3, f2, f4} ≥ C ≥ C - ≥ D 2
{f1,3} - - ≥ B - -
C {f1,3} ≥ C - ≥ C - -
Result ≥ C ≥ C ≥ B ≥ D
Cost 29
64
![Page 127: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/127.jpg)
Your turn! Allocate the DAL of greensystem.
64
![Page 128: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/128.jpg)
DAL Allocation: Exercise
Assume FC is Major, all independent except EMP and eng1,and DAL cost for EDP and elec is twice the initial cost.
basic DAL cuts DAL Option
dist rsv EMP EDP eng1 elec
?
{dist} ≥ ? - - - - - ?{rsv } - ≥ ? - - - - ?
{EMP ,EDP} - - ≥ ? ≥ ? - - ?{EMP ,eng1} - - ≥ ? - ≥ ? - ?{elec ,EDP} - - - ≥ ? - ≥ ? ?{elec ,eng1} - - - - ≥ ? ≥ ? ?
Result ≥ ? ≥ ? ≥ ? ≥ ? ≥ ? ≥ ?
Cost ?65
![Page 129: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/129.jpg)
DAL Allocation: Exercise
Assume FC is Major, all independent except EMP and eng1,and DAL cost for EDP and elec is twice the initial cost.
basic DAL cuts DAL Option
dist rsv EMP EDP eng1 elec
C
{dist} ≥ C - - - - - -{rsv } - ≥ C - - - - -
{fEMP ,eng1,EDP} - - ≥ C ≥ E - - 1{fEMP ,eng1} - - ≥ C - ≥ C - -{elec ,EDP} - - - ≥ D - ≥ D 2
{elec , fEMP ,eng1} - - - - ≥ C ≥ E 1
Result ≥ C ≥ C ≥ C ≥ D ≥ C ≥ D
Cost 36
66
![Page 130: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/130.jpg)
What about IDAL?
66
![Page 131: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/131.jpg)
DAL Allocation: IDAL
• IDAL is derivated from the FDAL of the functionsimplemented by the item
• Same rules as FDAL but cannot downgrade DAL twice (infunction and item)
67
![Page 132: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/132.jpg)
Why should we avoid doubledowngrade?
67
![Page 133: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/133.jpg)
DAL Allocation: IDAL
• Let FC be a CAT and MCSfc = {{f1, f2, f3}} where fi aremutually independent.
• Each fi needs at least one item i fii and all items areindependent.
• What is the IDAL of i fii without no double downgrade rule?
• Apply option 1 on FDAL ⇒FDAL(f1)=B,FDAL(f2)=B,FDAL(f3)=C
• Apply option 1 on IDAL ⇒IDAL(i f11 )=C , IDAL(i f12 )=C , · · ·
Functions contributing to highly critical FC (Cat) implementedby low development assurance level items (Major)
68
![Page 134: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/134.jpg)
DAL Allocation: IDAL
• Let FC be a CAT and MCSfc = {{f1, f2, f3}} where fi aremutually independent.
• Each fi needs at least one item i fii and all items areindependent.
• What is the IDAL of i fii without no double downgrade rule?• Apply option 1 on FDAL ⇒
FDAL(f1)=B,FDAL(f2)=B,FDAL(f3)=C• Apply option 1 on IDAL ⇒
IDAL(i f11 )=C , IDAL(i f12 )=C , · · ·
Functions contributing to highly critical FC (Cat) implementedby low development assurance level items (Major)
68
![Page 135: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/135.jpg)
DAL Allocation: IDAL
• Let FC be a CAT and MCSfc = {{f1, f2, f3}} where fi aremutually independent.
• Each fi needs at least one item i fii and all items areindependent.
• What is the IDAL of i fii without no double downgrade rule?• Apply option 1 on FDAL ⇒
FDAL(f1)=B,FDAL(f2)=B,FDAL(f3)=C• Apply option 1 on IDAL ⇒
IDAL(i f11 )=C , IDAL(i f12 )=C , · · ·
Functions contributing to highly critical FC (Cat) implementedby low development assurance level items (Major)
68
![Page 136: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/136.jpg)
Now a Recap
68
![Page 137: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/137.jpg)
Today’s lesson in 30”
Deal with dependencies
During design Trace independence assumptions duringassessment ⇒ became requirements duringimplementation
During verification Identify the potential sources ofdependencies & integrate them in safetyassessment
69
![Page 138: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/138.jpg)
Today’s lesson in 30”
Emphasis on systematic errors:
• Currently, avoid systematic faults with design assurancelevel (DAL)
• DAL allocation depends on:• criticality of functions/items failures,• independence between them,• cost of DAL related activities.
You understand highlighted terms⇒ congratulations you’ve got the idea
Otherwise check out the slides !
70
![Page 139: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/139.jpg)
Let’s talk about the (your) future!
70
![Page 140: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/140.jpg)
What are the new safety challenges?
Let’s have a quick (andnon-exhaustive) overview!
70
![Page 141: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/141.jpg)
What are the new safety challenges?
Let’s have a quick (andnon-exhaustive) overview!
70
![Page 142: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/142.jpg)
From I to AI
Trend Huge trend to automate complex tasks preformedby operators (professional or not)
Breakdown New technologies involving complex sensor fusionor image processing
What are the risks related to the massive adoption of suchsystems?
An Example Automotive anti-collision systemhttps://youtu.be/ZMFbMV5QNzk?t=81
71
![Page 143: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/143.jpg)
From I to AI
Trend Huge trend to automate complex tasks preformedby operators (professional or not)
Breakdown New technologies involving complex sensor fusionor image processing
What are the risks related to the massive adoption of suchsystems?
An Example Automotive anti-collision systemhttps://youtu.be/ZMFbMV5QNzk?t=81
71
![Page 144: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/144.jpg)
Challenge 1: Trust Me I Am Autonomous
• Classical software correctness demonstrated by:1. validation: the specification breakdown is sound,
complete and testable (ABS example)2. verification: the implementation is compliant to the
specification (Offshore example)• V&V achieved thanks to testing, traceability and formal
verification
What is the specification breakdown of an AI-based pedestriandetection system?
How to provide confidence on safety integrity for criticalfunction based on AI?
72
![Page 145: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/145.jpg)
Challenge 1: Trust Me I Am Autonomous
• Classical software correctness demonstrated by:1. validation: the specification breakdown is sound,
complete and testable (ABS example)2. verification: the implementation is compliant to the
specification (Offshore example)• V&V achieved thanks to testing, traceability and formal
verification
What is the specification breakdown of an AI-based pedestriandetection system?
How to provide confidence on safety integrity for criticalfunction based on AI?
72
![Page 146: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/146.jpg)
Challenge 2: Taking into account new failures
• Safety impact of hardware failure addressed in safetycritical systems (redundancy, mutual checks, lock-step)
What is the safety impact of an hardware failure executingAI-based software?
Can we detect & manage this failure?
ANITI PhD proposal: We are seeking for answers, perhapsfrom you!
73
![Page 147: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/147.jpg)
Challenge 2: Taking into account new failures
• Safety impact of hardware failure addressed in safetycritical systems (redundancy, mutual checks, lock-step)
What is the safety impact of an hardware failure executingAI-based software?
Can we detect & manage this failure?
ANITI PhD proposal: We are seeking for answers, perhapsfrom you!
73
![Page 148: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/148.jpg)
Challenge 2: Taking into account new failures
• Safety impact of hardware failure addressed in safetycritical systems (redundancy, mutual checks, lock-step)
What is the safety impact of an hardware failure executingAI-based software?
Can we detect & manage this failure?
ANITI PhD proposal: We are seeking for answers, perhapsfrom you!
73
![Page 149: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/149.jpg)
Challenge 3: Safe integration of tomorrow aircrafts
• Various applicative domains can benefit from new aircraftconcepts (VTOL, UAV, . . . )
• Infrastructure inspection (SCNF, ERDF, . . . )• Package delivery (Amazon, CDiscount, La Poste, . . . )• Flying taxi (Airbus’ Vahana project, Boeing, Uber, . . . )
What are the new risks related to the integration of suchaircraft in the flight traffic?
How to adapt safety analyses to take into account distributedprocedures, autonomous avoidance systems?
74
![Page 150: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/150.jpg)
Challenge 3: Safe integration of tomorrow aircrafts
• Various applicative domains can benefit from new aircraftconcepts (VTOL, UAV, . . . )
• Infrastructure inspection (SCNF, ERDF, . . . )• Package delivery (Amazon, CDiscount, La Poste, . . . )• Flying taxi (Airbus’ Vahana project, Boeing, Uber, . . . )
What are the new risks related to the integration of suchaircraft in the flight traffic?
How to adapt safety analyses to take into account distributedprocedures, autonomous avoidance systems?
74
![Page 151: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/151.jpg)
ONERA Master Intership proposals
Join us to work on:
• pilot/UAV interactions :https://w3.onera.fr/stages/sites/w3.onera.fr.stages/files/dtis-2020-23.pdf
• assessment of on-ground collision probabilityhttps://w3.onera.fr/stages/sites/w3.onera.fr.stages/files/dtis-2020-31.pdf
75
![Page 152: Introduction to System Dependability · • ARP4754A[SAE10],ARP4761[SAE96]foraeronautic systems 21. Whenshouldweperformsafety activities? 21. SafetyProcess(Complete) SafetyProcess](https://reader033.fdocuments.us/reader033/viewer/2022050608/5faf8b90d4a3be454439c04e/html5/thumbnails/152.jpg)
76