Improvement of Safety Activities on Aeronautical Complex systems (ISAAC)

Final Report Summary - ISAAC (Improvement of Safety Activities on Aeronautical Complex systems (ISAAC))

The ISAAC project aimed to increase the capability and efficiency with which safety and systems engineers perform safety assessment, resulting in safer systems. The proposed methodology, built on formal method techniques, is an integrated part of a model-based development process in which safety and reliability aspects are examined in the early steps of development.

The project pursued the following goals:
- to consolidate the enhanced safety assessment for complex systems (ESACS) results by improving analysis for dynamic aspects like sequencing or temporal behaviour;
- to extend the scope of the integrated environment among designers and safety / reliability engineers;
- to take into account results from tools used for particular risk and zonal safety analysis, and to use this information to inject unintended interactions between 'intended-functionality'-independent but collocated systems;
- to evaluate the relationship between the human and the machine offering a complex human - complex machine interaction model;
- to automate the analyses to determine the impact of degraded situations on system operating modes and over pre-defined missions;
- to exploit the use of ESACS formal verification techniques to deal with testability aspects.

To reach the above goals, the ISAAC work followed detailed technical and scientific objectives organised into three complementary dimensions, each structured into basic topics:

First dimension: Consolidation of ESACS work, including the following topics: integration with higher level notations for requirements, extension of traditional techniques to timing aspects and quantitative analysis, further development of platform / tools already started in ESACS.

Second dimension: Extension to other safety related aspects, including the following topics: human errors, common cause analysis, mission analysis and testability.

Third dimension: Commonalities. Common methodological recommendations and common tools and libraries that facilitate exchanges among tools will be identified in order to provide a more comprehensive tool-supported coverage of the safety process.

Methodologies and tools were developed according to the identified requirements and applied to the case studies identified by the industrial partners. The result is a comprehensive environment, including methodologies supported by tools, for performing analyses that take into account the various aspects of safety. The ISAAC framework relies on the use of models normally generated along the product design phases. These models are combined with environment models and are elaborated by means of formal verification and simulation techniques to automatically derive safety analyses for the verification of the requirements.

The project developed methodologies, models and extracted results in the following topics:

- ESACS platform consolidation (EPC). The main objective of the EPC theme was to integrate new analyses into the existing integration lines and update the methodology developed during ESACS to the additional objectives set out for ISAAC. This entails both the further development of the existing methodology / themes and the necessary work to adapt the implementation lines to the new themes of ISAAC.

- High level representation (HLR). In ESACS, it was observed that one of the main problems is often to create a consistent definition of the safety analysis task. A large number of techniques exist for this purpose, but they often suffer from one of the following limitations: either they are easy to understand and apply but are not expressive enough to specify complex properties, or they are very powerful (e.g. temporal logic formulas) but require intensive training before they can be used productively. The HLR theme addressed this problem and provided the possibility to use sequence diagrams for the specification of top-level events.

- Safety architecture patterns (SAP). In brief, the purpose of SAP is to: provide means to quickly prototype system safety architectures; assist the allocation of safety requirements to the system components; validate the formal allocation of safety requirements. To fulfil these objectives, the methodology proposes capturing expert know-how as SAPs that are pre-proved and can be safely reused. To do this, engineers must have at their disposal SAP libraries associated with safety properties fulfilled under specified conditions, a methodology to build a SAP-based model, and a structure to record the choices made during the design process.

- Timing and quantitative analysis (TQA). The intentions of the TQA theme stem from the ESACS project, where the possibility to perform analyses addressing temporal system behaviour was demonstrated. In ISAAC, the main objective has been to explore new analysis techniques that take temporal aspects into account. Several techniques are proposed to investigate various temporal properties related to the safety and reliability of dynamic systems. It is not yet possible to automatically deduce all temporal aspects of safety analysis at a system-wide level. It is, however, possible to investigate temporal aspects at the level of individual cut sets and failure events. This makes it possible for safety engineers to better understand the temporal properties of failure scenarios.
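As an added illustration of the model-based approach described above (a constructed toy model, not an ISAAC tool or deliverable), the following Python analyser injects failure modes into a small dual-channel sensor model, derives the minimal cut sets of a top-level event by exhaustive exploration, and then checks which orderings of each cut set's failure events actually reach it, the kind of cut-set-level temporal refinement the TQA theme describes. The model, its failure-mode names and the latching monitor behaviour are all assumptions made for the example.

```python
"""Added example: fault injection into a constructed dual-channel sensor model.
Nominal behaviour: two channels agree and a monitor passes channel A through.
If the (working) monitor sees a mismatch it latches the output to a fail-safe
value.  Failure modes and top-level event are assumptions for this example."""
from itertools import combinations, permutations

FAILURE_MODES = ("ch_a_wrong", "ch_b_wrong", "monitor_stuck")  # constructed


def simulate(steps):
    """Run the model; each step is a set of failure modes injected at once.
    Returns True if the top-level event (a wrong value delivered without
    being flagged) occurs at any step of the run."""
    a_ok = b_ok = monitor_ok = True
    latched_safe = False
    for injected in steps:
        a_ok = a_ok and "ch_a_wrong" not in injected
        b_ok = b_ok and "ch_b_wrong" not in injected
        monitor_ok = monitor_ok and "monitor_stuck" not in injected
        if monitor_ok and a_ok != b_ok:
            latched_safe = True      # a working monitor catches the mismatch
        if not a_ok and not latched_safe:
            return True              # wrong value passed through unflagged
    return False


def minimal_cut_sets(failure_modes=FAILURE_MODES):
    """Classic order-free cut sets: all failures of a candidate set present at
    once.  Exhaustive over the 2^n subsets; supersets of a cut set already
    found are skipped so only minimal cut sets are returned."""
    found = []
    for size in range(1, len(failure_modes) + 1):
        for combo in combinations(failure_modes, size):
            candidate = frozenset(combo)
            if any(known <= candidate for known in found):
                continue
            if simulate([candidate]):
                found.append(candidate)
    return found


def hazardous_orderings(cut_set):
    """Temporal refinement of one cut set: the orders in which its failure
    events, occurring one per step, still lead to the top-level event."""
    return [order for order in permutations(sorted(cut_set))
            if simulate([{fm} for fm in order])]


if __name__ == "__main__":
    for cs in minimal_cut_sets():
        orders = hazardous_orderings(cs)
        print(sorted(cs), "->", orders or "hazardous only if simultaneous")
```

The run shows that {ch_a_wrong, ch_b_wrong} is a cut set only for simultaneous (common cause) failure, while {ch_a_wrong, monitor_stuck} is hazardous only when the monitor fails first, information a static cut-set list alone does not carry.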

- Common cause analysis (CCA). The CCA theme has delivered a method and tools to account for external events in systems development seamlessly, from a particular risk analysis (PRA) through to the safety analysis, and then back to the geometric environment where the results are presented and additional tools (which allow customised measurements to be performed) are used to determine what options there are for actions to be taken. These additional tools can also be used to support zonal safety analysis (ZSA) in order to examine each physical zone and to ensure that equipment installation and potential physical interference with adjacent systems do not violate the independence requirements of the systems.

- Human error analysis (HEA). The main objective of the HEA theme in ISAAC was to adapt the ESACS methodology to the requirements of an industrial human error analysis. The general target of human error analysis in aeronautics is to identify potential pilot errors and their safety impact on flight. The most general requirement for the HEA theme was 'to provide a tool-supported methodology for performing the HE analysis directly on extended formal system models taking into account cognitive limits of the pilot'. Instrumental to this requirement was a cognitive architecture developed by OFFIS in previous studies and provided to the ISAAC project. This model was used as the basis to fulfil the requirement 'to set up an environment to simulate the pilot interaction between pilot model and design model in different operational scenarios'.

- Mission reliability analysis (MRA). The target of mission analysis is to determine the impact of degraded situations on the system operational modes and over pre-defined missions that define the scenarios in which the system being developed will be used. The ISAAC approach is to extend the techniques set up in a previous Fifth Framework Programme project (ESACS) to open the possibility of automating such analyses, e.g. helping to compile a minimum equipment list in the first aircraft / system development phase, then supporting specific operational mission failure and mission reliability analysis. The advantage of this activity is the possibility of using a uniform methodology and environment to conduct tasks and analyses that are currently carried out using different tools, manual analyses, etc., with the potential benefit of a better integration of the various activities and analyses that are part of the engineering process of complex systems.

- System testability / diagnosability (TDS). The target of the TDS theme is to extend the formal verification techniques and the methodology developed in ESACS (and improved in ISAAC) to deal with aspects related to testability of complex systems. This theme thus widens the scope of the ESACS platform by extending the applicability field of the platform to new disciplines related to the system design and analysis process. The topics investigated within the TDS theme can be divided into two broad areas, namely testability analysis and diagnosability analysis.

The main benefit is that design and analysis activities can now be performed more easily in an iterative manner, resulting in a more effective development process in which the results of the analysis can influence the design within a short period of time. Moreover, the traceability of safety issues and of relevant design changes is improved, enhancing visibility from the perspective of the certification process.

The public results are available on the project web site http://www.isaac-fp6.org.