Safety Analysis Methodology for ADS-B Based Surveillance Applications


1 Safety Analysis Methodology for ADS-B Based Surveillance Applications
Jonathan Hammer, The MITRE Corporation
Gilles Caligaris, EUROCONTROL
Marta Llobet, EGIS Avia (Sofréavia)

2 Content
ADS-B background and safety
Joint US/Europe Safety Assessment Methodology for ADS-B
Case Study: ADS-B-NRA Safety Assessment
Conclusion

3 ADS-B Applications & Background
Applications:
Air-to-air: parallel runways, spacing & merging, air-to-air / airport surface situational awareness
Air-to-ground: non-radar areas, radar areas, airport areas
Package: a set of ADS-B applications, internationally agreed
Internationally agreed safety frameworks exist for TCAS and for data link communications services, but their techniques are not directly applicable to ADS-B applications
ADS-B safety work has been done in the US and in Europe independently; there is a need for a joint safety effort
RFG: OSEDs, Safety and Performance Requirements (SPR)
Participants: FAA, EUROCONTROL, RTCA, EUROCAE, AirServices Australia, Japan

4 RFG Safety Assessment Methodology
Joint US/Europe
Focuses on ADS-B applications; applies to surveillance components but also to other CNS/ATM system elements
Mainly based on: ED78A/DO6, EUROCONTROL SAM, FAA SMS (Safety Management System) process
Aimed at delivering safety requirements for the standard

5 Main Steps
OSED: Operational Services & Environment Definition
Safety process:
OHA: Operational Hazard Identification and Assessment
ASOR: Allocation of Safety Objectives and Requirements
Outputs: performance requirements, operational requirements, interoperability requirements, safety requirements
SPR document

6 Safety Assessment Overview (diagram)
The application description and environmental conditions (OSED) feed the OHA, which relates basic causes and internal mitigation means to detected and undetected hazards, external mitigation means, the resulting operational effect and its severity, the safety target and the safety objective.

7 OHA Process. Hazard Identification
Process steps (banner repeated on the following OHA slides): identify hazard; allocate severity classes SC; determine probability Pe; assign safety objective, SO = min_i (ST_i / Nmax,i / Pe_i)
Brainstorming sessions with operational experts: air-traffic controllers, pilots, safety experts
Hazards are identified at a level between causes and operational effects
Detected and undetected hazards are identified

8 OHA Process. Severity Class Allocation

9 OHA Process. Determine Probability Pe
Equivalent probability Pe: the conditional probability that the occurrence of a hazard results in a specific operational effect.
Diagram: a hazard, through internal mitigation means and external mitigation means, leads to several operational effects OE, each with a severity class SC and a probability Pe.

10 OHA Process. ATM Risk Budget Apportionment
Diagram: ATM safety targets per operational effect are budgeted across applications (several ADS-B applications, a CPDLC application), giving safety targets per application.

11 OHA Process. Safety Objective Assignment
Calculation of the quantitative safety objective for each hazard: it specifies the maximum acceptable frequency of the hazard.
Formula applied: SO_j = min_i (ST_i / N_max,i / Pe_ij), i.e. the objective is taken from the most demanding (effect, frequency) pair.
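The formula above applied to one hazard, as an added worked example that is not part of the presentation; the risk budget (ST_i, Nmax_i per severity class) and the hazard's effect table with its Pe values are constructed for illustration:

```python
# Added example: safety objective assignment SO_j = min_i(ST_i / Nmax_i / Pe_ij).
# All numbers below are constructed for illustration, not values from the slides.
from typing import Dict, Optional, Tuple

# ATM risk budget per severity class (constructed): safety target ST_i in
# occurrences per flight hour, and Nmax_i, the number of hazards assumed to
# share that class's budget.
RISK_BUDGET: Dict[int, Tuple[float, int]] = {
    1: (1e-9, 10),    # SC1: most severe effect
    2: (1e-7, 20),
    3: (1e-5, 50),
    4: (1e-3, 100),
    5: (1e-1, 100),   # SC5: no safety effect
}

def safety_objective(effects: Dict[str, Tuple[int, float]],
                     budget: Dict[int, Tuple[float, int]] = RISK_BUDGET
                     ) -> Tuple[float, str]:
    """effects maps an operational effect name to (severity class, Pe), where
    Pe is the conditional probability that the hazard leads to that effect.
    Returns (SO_j, driving effect); SO_j is in hazard occurrences per fh."""
    best: Optional[Tuple[float, str]] = None
    for effect, (sc, pe) in effects.items():
        if not 0.0 < pe <= 1.0:
            raise ValueError(f"Pe for {effect!r} must be in (0, 1]")
        st, nmax = budget[sc]
        allowed = st / nmax / pe      # allowed hazard frequency for this pair
        if best is None or allowed < best[0]:
            best = (allowed, effect)  # keep the most demanding pair
    if best is None:
        raise ValueError("hazard needs at least one operational effect")
    return best

# Constructed effect table for the hazard "undetected incorrect position
# (corruption) for one AC is provided to ATCO" (effects are hypothetical).
CORRUPTED_POSITION_EFFECTS: Dict[str, Tuple[int, float]] = {
    "mid-air collision": (1, 1e-4),
    "loss of separation": (3, 1e-2),
    "controller workload increase": (4, 0.5),
}

if __name__ == "__main__":
    so, driver = safety_objective(CORRUPTED_POSITION_EFFECTS)
    print(f"SO = {so:.2e} per fh, driven by '{driver}'")
```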

12 ASOR Process (overview)
Step 5: fault trees development, starting from the OHA output: for each hazard (undetected, detected), its basic causes (technical, environmental, human, procedural), causes related to actions and functions, internal mitigation means and mitigation-means-related causes
Step 6: safety objective allocation, apportioned to basic causes (BC, apportion) and to internal mitigation means (IMM, apportion_imm)
Step 7: safety requirements derivation, producing the SR list

13 ASOR Process 6. Safety Objective Allocation
Diagram: the safety objective of the hazard (undetected, detected) is apportioned through the fault tree to each basic cause and to the internal mitigation means.

14 ASOR Process 7. Derive Requirements

15 ASOR Process 7. Derive Requirements
From the apportioned basic causes, a list of requirements is derived covering people, procedures and equipment, for example:
The system has to include detection means
Training must be provided
The availability of the system must be x%
The probability that incorrect information is provided by the system shall be no more than E-05fh

16 Safety Assessment Overview (diagram, as on slide 6, with the ASOR outputs added)
Safety requirements to meet the safety objective assigned to the hazard
Safety requirements to mitigate the effects of the hazard

17 Case Study: ED6/DO0 Enhanced Air Traffic Services in Non-Radar Areas using ADS-B surveillance

18 Functional description of the system

19 ADS-B NRA Identified Hazards
Examples of hazards: controller loses position for one AC; incorrect position information for multiple AC is displayed to the controller
Hazards are identified at this level (diagram)

20 Hazard and Basic Causes: Example
Undetected incorrect position (position source failure) for one AC is provided to ATCO
Undetected incorrect position (corruption) for one AC is provided to ATCO

21 Corrupted Position Information
Hazard: undetected incorrect position (corruption) for one AC is provided to ATCO
Operational effect considered: mid-air collision, reached with conditional probability Pe (diagram)

22 Fault Tree (for the hazard: undetected incorrect position (corruption) for one AC is provided to ATCO)
Top event: corrupted information provided to ATC, Q=5.00e-9, an AND gate of the condition "corruption is < 50 NM" (Q=.50e-) and the intermediate event "corrupted information provided to ATC" (Q=.00e-5)
Intermediate event: OR gate of "ground system corrupts position" (Q=.00e-5) and "AC domain corrupts position" (event 5, r=e-005, Q=.00e-5)
Ground system corrupts position: OR gate of "ATC processing or display corrupts position" (event 6, r=5e-006, Q=5.00e-6) and "ADS-B receive subsystem corrupts position" (event 7, r=5e-006, Q=5.00e-6)
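The fault tree above evaluated in code, as an added example that is not part of the presentation: OR gates combine independent events, the AND gate applies the exposure condition, and the top-event probability is compared with the hazard's safety objective. The two 5e-6 leaf values are those shown on the slide; the AC-domain value, the "< 50 NM" condition probability and the 5e-9 objective used in the check are assumed here where the transcription is incomplete.

```python
# Added example: evaluating the ADS-B NRA "corrupted position" fault tree.
# The 5e-6 leaf values appear on the slide; the AC-domain value, the
# "corruption is < 50 NM" condition probability and the safety objective
# used for the check are constructed for illustration.
from dataclasses import dataclass, field
from typing import List

@dataclass
class Node:
    name: str
    gate: str = "basic"        # "basic" (leaf event), "or" or "and"
    q: float = 0.0             # probability per fh, used for leaf events only
    children: List["Node"] = field(default_factory=list)

def evaluate(node: Node) -> float:
    """Probability of the event per flight hour, assuming independent events."""
    if node.gate == "basic":
        return node.q
    qs = [evaluate(c) for c in node.children]
    if node.gate == "and":           # all inputs must occur
        p = 1.0
        for q in qs:
            p *= q
        return p
    if node.gate == "or":            # at least one input occurs
        p_none = 1.0
        for q in qs:
            p_none *= (1.0 - q)
        return 1.0 - p_none
    raise ValueError(f"unknown gate {node.gate!r}")

def build_corrupted_position_tree() -> Node:
    ground = Node("Ground system corrupts position", "or", children=[
        Node("ATC processing or display corrupts position", q=5e-6),  # slide
        Node("ADS-B receive subsystem corrupts position", q=5e-6),     # slide
    ])
    ac_domain = Node("AC domain corrupts position", q=1e-5)           # constructed
    corrupted = Node("Corrupted information provided to ATC", "or",
                     children=[ground, ac_domain])
    condition = Node("Corruption is < 50 NM", q=2.5e-4)               # constructed
    return Node("Undetected incorrect position (corruption) for one AC "
                "is provided to ATCO", "and", children=[condition, corrupted])

def meets_objective(top_q: float, safety_objective: float) -> bool:
    """ASOR check: the top-event probability must not exceed the objective."""
    return top_q <= safety_objective

if __name__ == "__main__":
    q = evaluate(build_corrupted_position_tree())
    print(f"top event Q = {q:.3e} per fh; within 5e-9: {meets_objective(q, 5e-9)}")
```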

23 Basic Causes (same fault tree as slide 22)
The basic causes are the leaf events: ATC processing or display corrupts position (event 6, r=5e-006, Q=5.00e-6); ADS-B receive subsystem corrupts position (event 7, r=5e-006, Q=5.00e-6); AC domain corrupts position (event 5, r=e-005, Q=.00e-5)

25 Safety Requirements (same fault tree as slide 22)
Requirements are placed on airborne AND ground elements, as an input to local implementation: design assurance level for equipment, design configuration, etc.

26 Conclusions
Joint process between the US and Europe
End-to-end safety process covering airborne and ground domains, operational and technical parts
Used on NRA DO 0/ED 6 and will ultimately contribute to aircraft certification and deployment for ADS-B
The approach is expected to be re-used in local implementations
Will be used (and refined) for the next ADS-B standards to be delivered by RFG

27 OHA Process. ATM Risk Budget Apportionment: Units
Table columns: safety target ST ATM in [fh] or [flight], [ATSUh] en route, [ATSUh] TMA; Nmax per SC in [ATSUh] en route and [ATSUh] TMA
Table values as transcribed (one row per severity class, digits partly lost): E-08 E-07 E E-09 5E-00 E-05 E-0 E-05 5 E-06 E-07 E-0 E-0 E-0 5 E-05 E-06 E-0 E-0 E-0 5 E-0 E-0
ATM risk apportioned to applications