Applicability / Compatibility of STPA with FAA Regulations & Guidance. First STAMP/STPA Workshop. Federal Aviation Administration

Similar documents
EFB Wireless Connectivity & Security Considerations

TERMS OF REFERENCE Special Committee (SC) 216 Aeronautical Systems Security (Revision 8)

Avionics Certification. Dhruv Mittal

9/16/ CHG 213 VOLUME 3 GENERAL TECHNICAL ADMINISTRATION CHAPTER 61 AIRCRAFT NETWORK SECURITY PROGRAM

D DAVID PUBLISHING. Development and Achievement of the T-50 Flight Control s Consolidated OFP. 1. Introduction. 2. Consolidated OFP s Needs

Critical Systems and Software Solutions

Multi/many core in Avionics Systems

Technical Standard Order

U.S. DEPARTMENT OF TRANSPORTATION FEDERAL AVIATION ADMINISTRATION. National Policy

Certification of Rotorcraft and FHA Process

Integrated Modular Avionics. The way ahead for aircraft computing platforms?

User Terminal certification process considerations

Glossary and Acronym List

Progressive Technology Facilitates Ground-To-Flight-Deck Connectivity

U.S. DEPARTMENT OF TRANSPORTATION FEDERAL AVIATION ADMINISTRATION National Policy

UAS OPERATIONS AS AN ECOSYSTEM

ARINC Project Initiation/Modification (APIM)

Advanced Flight Control System Failure States Airworthiness Requirements and Verification

December 8, Dear Ms. Baker:

Technical Standard Order

Federal Aviation Administration. Summary

Cyber-hijacking Airplanes:

AIRWORTHINESS ADVISORY. Airworthiness Impacts of Electronic Flight Bags

ARINC Project Initiation/Modification (APIM)

A Survey of Time and Space Partitioning for Space Avionics

Agenda Item 1.17 Wireless Avionics Intra-Communications (WAIC)

Wireless Avionics Intra- Communications (WAIC) SAE Aerospace Standards Summit Spring 2017, 25-26th April, 2017, Cologne, Germany

FLIGHT PATH FOR THE FUTURE OF MOBILITY

The organisation of the Airbus. A330/340 flight control system. Ian Sommerville 2001 Airbus flight control system Slide 1

Appendices. Introduction to Appendices

Unmanned Systems Certification

Roadmapping Breakout Session Overview

Operational Evaluation of a Flight-deck Software Application

Asia Pacific Regional Aviation Safety Team

TERMS OF REFERENCE (Revision 9) Special Committee (SC) 213 Enhanced Flight Vision Systems/Synthetic Vision Systems

CLASS SPECIFICATION 5/12/11 SENIOR AIRPORT ENGINEER, CODE 7257

CIVIL AVIATION AUTHORITY, PAKISTAN OPERATIONAL CONTROL SYSTEMS CONTENTS

TERMS OF REFERENCE Special Committee (SC) 209 Minimum Operational Performance Standards for ATCRBS/Mode S Transponder (Rev 6)

RTCA SC-216 Aeronautical Systems Security

Quality Assurance. Introduction Need for quality assurance Answer to the need of quality assurance Details on quality assurance Conclusion A B C D E

Simulator Architecture for Training Needs of Modern Aircraft. Philippe Perey Technology Director & A350 Program Director

Glass Cockpits in General Aviation Aircraft. Consequences for training and simulators. Fred Abbink

ARINC Project Initiation/Modification (APIM)

Department of Defense DIRECTIVE

Civil Aircraft System Safety and Electromagnetic Compatibility

Subject: Airworthiness and Operational Date: 7/22/16 AC No: Approval of Cockpit Voice Recorder Systems

Initial 4D Trajectory Management via SwiftBroadband Iris Event Salzberg

Avionics Qualification Test Supporting Equipment

Approach and Landing Accident Reduction Joint Safety Implementation Team

TANZANIA CIVIL AVIATION AUTHORITY AIR NAVIGATION SERVICES INSPECTORATE. Title: CONSTRUCTION OF VISUAL AND INSTRUMENT FLIGHT PROCEDURES

Gogo Connected Aircraft Services

Airport Safety Management Systems: Integrating Planning Into the Process

AIRBUS Generic Flight Test Installation

Multicore Processing in the Avionics Industry Needs and Concerns April 21, 2017 Greg Arundale Rockwell Collins

DP-7 The need for QMS controlled processes in AIS/AIM. Presentation to QMS for AIS/MAP Service Implementation Workshop Dakar, Senegal, May 2011

EROPS and Unscheduled Landings

SMS Under IOSA. (IATA Operational Safety Audit) Jehad Faqir Head of Safety & Flight Operations IATA- MENA

FAA/HSAC PART 135 SYSTEM SAFETY RISK MANAGEMENT SAFETY ELEMENT TRAINING OF FLIGHT CREWMEMBERS JOB AID Revision 1

Space Based ADS-B. ICAO SAT meeting - June 2016 AIREON LLC PROPRIETARY INFORMATION

RAAC/15-WP/14 International SUMMARY REFERENCES. A Safety

Operators may need to retrofit their airplanes to ensure existing fleets are properly equipped for RNP operations. aero quarterly qtr_04 11

Certification Memorandum. Guidance to Certify an Aircraft as PED tolerant

Subject: Automatic Dependent Surveillance-Broadcast (ADS-B) Operations and Operational Authorization

Human Factors of Remotely Piloted Aircraft. Alan Hobbs San Jose State University/NASA Ames Research Center

Hazard Analysis for Rotorcraft

EUROCAE ED-250: ROAAS MOPS

Navigation 101 Chapter 3 RNP-10

United States Aircraft Certification Standards and Guidance on ADS-B

TERMS OF REFERENCE Special Committee (SC) 186 Automatic Dependent Surveillance Broadcast (ADS-B) Revision 22

Advisory Circular. Automatic Dependent Surveillance - Broadcast

GENERAL ADVISORY CIRCULAR

Embedded System Development for Distributed Networked Computing Platforms

TABLE OF CONTENTS 1.0 INTRODUCTION...

Research Challenges Associated with Unmanned Aircraft Systems Airspace Integration

Research on Fault Tolerant Controls within GARTEUR

TERMS OF REFERENCE Special Committee (SC) 186 Automatic Dependent Surveillance Broadcast (ADS-B) Revision 18

Flight Evaluation and Validation of RNP AR/SAAAR Instrument Flight Procedures

INTERNATIONAL CIVIL AVIATION ORGANIZATION AFI REGION AIM IMPLEMENTATION TASK FORCE. (Dakar, Senegal, 20 22nd July 2011)

RNP AR APCH Approvals: An Operator s Perspective

AIRBUS FLY-BY-WIRE A TOTAL APPROACH TO DEPENDABILITY

Policy Letter (PL) Global Positioning System (GPS) Equipment and Installation Approval

Identifying and Utilizing Precursors

UAS Symposium Key Research Challenges and Opportunities

Air/Ground ATN Implementation Status ATN Seminar, Chiang Mai - 11/14 December

UNITED STATES News & Regulatory Updates

Advisory Circular (AC)

Human Factors Considerations for Rotorcraft

FAA GBAS Program Update January 29, 2010

Advisory Circular AC19-1. Test Pilot Approvals 03 July Revision 0

General Aviation Training for Automation Surprise

Safety Enhancement SE ASA Design Virtual Day-VMC Displays

ASSEMBLY 35TH SESSION PLENARY. Statements by delegations of Contracting States and of Observers INDONESIAN AIRWORTHINESS SYSTEMS

Buyer s Guide to Effective Upset Prevention & Recovery Training

Preparatory Course in Business (RMIT) SIM Global Education. Bachelor of Applied Science (Aviation) (Top-Up) RMIT University, Australia

Aviation Safety Information Analysis and Sharing ASIAS Overview PA-RAST Meeting March 2016 ASIAS Proprietary Do Not Distribute

Electrical system, HIRF and Lightning

Civil Aviation Authority of Israel; Composite Certification Activities

THE BOEING COMPANY

[Docket No. FAA ; Directorate Identifier 2008-NM-103-AD; Amendment ; AD ]

FAA Proposals for Safety Management Systems

Transcription:

Applicability / Compatibility of STPA with FAA Regulations & Guidance First STAMP/STPA Workshop Presented by: Peter Skaves, FAA Chief Scientific and Technical Advisor for Advanced Avionics

Briefing Objectives First Stamp/STPA Workshop Airplane System Design Assurance Process Evolving Aircraft Avionics Complexity Federated Systems Architecture Redundancy & Fault Handling Integrated Modular Avionics Software Versus Requirements Errors STAMP/STPA Discussion Items Requirements Allocation HW / SW and System Processes Guideline Documents System Development Lifecycle Cyber Security & ARP 4754a Applicability / Compatibility of STPA Discussion and wrap-up 2 2

Acronyms AC AEH ARP ARP 4754a BITE COTS CPU DO-178 DO-254 HW IMA NextGen FAR RAM STAMP STPA SW Advisory Circular Airborne Electronic Hardware Aerospace Recommended Practices Guidelines for Development of Civil Aircraft and Systems Built-in Test Equipment Commercial-Off-The-Shelf Central Processing Unit Software Considerations in Airborne Systems and Equipment Certification Design Assurance Guidance for AEH Hardware Integrated Modular Avionics Next Generation Air Transportation System Regulation Random Access Memory Systems Theoretic Accident Model and Processes System Theoretic Process Analysis Software 3 3

The Airplane System Design Assurance Process Examples of airplane systems certification rules and guidance FAR 25.1301 General Requirements for Intended Function FAR 25.1309 Equipment Systems and Installation AC 20-152 Invokes RTCA DO-254 Design Assurance Guidance for Airborne Electronic Hardware AC 20-115B Invokes RTCA DO-178B Software Guidance AC 20-174 Invokes ARP 4754a Guidelines for Development of Civil Aircraft and Systems ARP 4761 Guidelines and Methods for Conducting the Safety Assessment Process on Civil Airborne Systems 4 4

Evolving Aircraft Avionics Complexity & Systems Integration Issues (sheet 1 of 2) Aircraft avionics & systems integration issues Difficulties in analyzing and testing avionics systems requirements due to complexity Aircraft and systems level requirements validation & verification Transitioning from federated architectures to Integrated Modular Avionics (IMA) systems Predicting system and pilot response in the presence of failures Numerical probability limitations Software and requirements process error contributions System development and safety assessment interwoven or separate processes Aircraft integration with operating environment (e.g., NextGen) 5 5

Evolving Aircraft Avionics Complexity & Systems Integration Issues (sheet 2 of 2) The current trend in system design involves increased interaction between aircraft functions and between the digital systems and equipment that implement those functions Increased interactions increase the possibilities for errors with functions that are performed jointly across multiple systems Traditional methods of demonstrating compliance to federated system architectures, do not adequately support validation & verification of multiple complex systems Since many aircraft/system-level decisions are fundamental to the safety aspects of aircraft design and operation, additional methods to mitigate and reduce system errors are needed 6 6

Federated System Architecture Triplex Redundancy Flight Control Systems With independent Backup system Dual Redundancy Flight Management Computers Single Strand ACARS Communication System 7 7

Federated Avionics Computer Architecture Computer Architecture CPU Program Memory (e.g., Flight Control Software) RAM Memory Digital Busses (e.g., ARINC 429) Discrete I/O Variable Analog Power Supply Chassis Strengths Isolation of faults Failure analysis and fault detection are enhanced Weakness Duplication of hardware resource Dedicated airborne software program for each avionics computer 8 8

Redundancy & Fault Handling Avionics Hardware / Software Redundancy & Fault Handling: Typically dual or triple channel Voting planes are used to detect and isolate various sensors and aircraft interface inputs Built-in Test Equipment (BITE) software are used for internal computer validity checks (e.g, Memory, CPU) Common mode failure mitigation may require independent backup systems Examples of independent backup systems include Standby Flight Instruments or mechanical backup systems 9 9

IMA Notional Diagram Flight Deck Displays L Shared Hardware Resources Multiple Application Programs Example: TWO cabinets replace over 100 Federated Systems 10 10

Integrated Modular Avionics (IMA) Computer Resource Computer Architecture CPU Memory Management Units RAM Memory Digital Busses (e.g., ARINC 429) Discrete I/O Variable Analog Power Supply Chassis Strengths Shared Hardware Resources Software programs are swapped and execute concurrently on same computer platform Weakness Failure analysis, fault detection & isolation of faults are more difficult Common mode fault vulnerability 11 11

Common Mode Failure Mitigation Boeing 777 Fly-by-Wire Flight Control architecture Three digital Flight Control Computers Analog electric back-up system to mitigate generic common mode faults C-17 Cargo Airplane Fly-by-Wire Flight Control System Full Mechanical Back-up Boeing 737/747/757/767 Series Airplanes Do not require electric power for continued safe flight and landing with the exception of the battery backup bus for the Standby Flight Instruments Full mechanical backup Flight Control System 12 12

Boeing 777 Flight Deck 13 13

Software Versus Requirements Errors Airborne avionics system problems are reported as software problems, anomalies, bugs or glitches Many airborne avionics system problems are not caused during the software development process Perfect software does not mean the airborne system requirements are perfect Incomplete or incorrect requirements are the root cause of most avionics system failures Development processes for Civil Aircraft and Systems are being emphasized Robust Integration of highly complex systems at the airplane level is one of the keys to success 14 14

Validation vs. Verification VALIDATION: The determination that the requirements for a product are correct and complete. Are we building the right aircraft / system / function / item? VERIFICATION: The evaluation of an implementation of requirements to determine that they have been met. Did we build the aircraft / system / function / item right? Both validation and verification apply to every requirement 15 15

STAMP / STPA Discussion Items (sheet 1 of 2) Proposes an alternative process to current FAA safety assessment methods States that traditional approaches to safety analysis assume that accidents are caused by component failures Worked well with legacy aircraft that had simple conservative designs Does not work as well with very complex systems that are highly integrated with other systems Extensive use of software allows very complex systems to be constructed, resulting in an increased potential for accidents from unsafe interactions among non-failed components Failures resulting from unplanned behavior of software dependent systems may occur 16 16

STAMP / STPA Discussion Items (sheet 2 of 2) STAMP (and STPA) extends the safety analysis to include nonlinear, indirect, and feedback relationships among events Extends the traditional approach to consider new accidents caused by component interactions, human mistakes, management and organizational errors and software errors (particularly requirements errors) STPA recognizes that accidents result not only from system component failures but also from interactions among system components that violate system safety constraints System Safety is reformulated as a system control problem rather than a component reliability problem 17 17

Requirements Allocation 4754A Development Assurance Validates that the requirements are correct and complete Allocates requirements to software and AEH DO-178B and DO-254 Assurance Assume the requirements are correct and complete Develop the software and AEH Verify that the software and AEH meets their requirements 18 18

Requirements Allocation System A Requirements 4754A Development Assurance Validates that the requirements are correct and complete Allocates requirements to software and AEH DO-178B and DO-254 Assurance Assume the requirements are correct and complete Develop the software and AEH Verify that the software and AEH meets their requirements 19 19

Requirements Allocation System A Requirements Requirements Requirements Allocated to Software Allocated to AEH 4754A Development Assurance Validates that the requirements are correct and complete Allocates requirements to software and AEH Items DO-178B Development & Verification Processes DO-254 Development & Verification Processes DO-178B and DO-254 Assurance Assume the requirements are correct and complete Develop the software and AEH Verify that the software and AEH meets their requirements 20 20

Requirements Allocation System A Requirements Requirements Requirements Allocated to Software Allocated to AEH 4754A Development Assurance Validates that the requirements are correct and complete Allocates requirements to software and AEH Items Input DO-178B Development & Verification Processes Input DO-254 Development & Verification Processes DO-178B and DO-254 Assurance Assume the requirements are correct and complete Develop the software and AEH Verify that the software and AEH meets their requirements 21 21

Requirements Allocation System A Requirements Requirements Requirements Allocated to Software Allocated to AEH 4754A Development Assurance Validates that the requirements are correct and complete Allocates requirements to software and AEH Items Input DO-178B Development & Verification Processes Input DO-254 Development & Verification Processes DO-178B and DO-254 Assurance Assume the requirements are correct and complete Develop the software and AEH Verify that the software and AEH meets their requirements 22 22

Requirements Allocation System A Requirements Requirements Requirements Allocated to Software Allocated to AEH 4754A Development Assurance Validates that the requirements are correct and complete Allocates requirements to software and AEH Items DO-178B Development & Verification Processes DO-254 Development & Verification Processes DO-178B and DO-254 Assurance Assume the requirements are correct and complete Develop the software and AEH Verify that the software and AEH meets their requirements 23 23

HW / SW and System Processes DO-254 (HW), DO-178 (SW) and ARP 4754A (System), are all assurance processes Invoked formally by FAA advisory circulars Harmonized with International Civil Aviation Authorities Establishes confidence that the development has been accomplished in a sufficiently disciplined manner to limit the likelihood of development and requirements errors that could impact aircraft safety Assurance level establishes the level of process rigor which is commensurate with the functional failure condition They are all dependent on each other 24 24

Guideline Documents Intended Aircraft Function Safety Assessment Process Guidelines & Methods (ARP 4761) Function, Failure & Safety Information System Design Information Safety Assessment of Aircraft in Commercial Service (ARP 5150 / 5151) Aircraft & System Development Processes (ARP 4754 / ED-79) Functional System Operation Guidelines for Integrated Modular Avionics (DO-297/ED-124) Electronic Hardware Development Life-Cycle (DO-254 / ED-80) Software Development Life-Cycle (DO-178B/ED-12B) Development Phase In-Service/Operational Phase 25 25

Aircraft or System Development Lifecycle INTEGRAL PROCESSES PLANNING 3.0-5.1 SAFETY ASSESSMENT - 5.2 DEVELOPMENT ASSURANCE LEVEL ASSIGNMENT - 5.3 REQUIREMENTS CAPTURE - 5.4 REQUIREMENTS VALIDATION - 5.6 CONFIGURATION MANAGEMENT - 5.7 PROCESS ASSURANCE - 5.8 CERTIFICATION & REGULATORY AUTHORITY COORDINATION AIRCRAFT/SYSTEM DEVELOPMENT PROCESS 4.0 5.5 IMPLEMENTATION VERIFICATION CONCEPT AIRCRAFT FUNCTION DEVELOPMENT ALLOCATION OF AIRCRAFT FUNCTIONS TO SYSTEMS DEVELOPMENT OF SYSTEM ARCHITECTURE ALLOCATION OF SYSTEM REQUIREMENTS TO ITEMS SYSTEM IMPLEMENTATION 4.2 4.3 4.4 4.5 4.6 DATA & DOCUMENTATION 26 26

Aeronautical Systems Security & ARP 4754a The existing Code of Federal Regulations does not specifically address cyber security vulnerabilities Special Conditions have been Issued for certain Boeing and Airbus Airplanes Ground based Information Technology (IT) networks are able to read/write information to aircraft avionics systems RTCA SC-216 Aeronautical Systems Security is developing industry Standards Current proposals include adding cyber security requirements to the ARP 4754a development process 27 27

Possible Architecture & Infrastructure Satellite comms 1 st Officer QAR VHF/HF comms CSD, SCCM or Engineer Ethernet router Captain Antenna Wireless bridge Fileserver (optional) 802.11 ground comms Mobile device for refueller/dispatcher Wireless link at head of stand Airline Network 28 28

Applicability / Compatibility of STPA Need to identify gaps in existing FAA guidance material that STPA would address (would require review of the new ARP 4754a and proposed ARP 4761 standards) FAA needs to better understand the STPA model with respect to accident causes, tool analysis and safety constraints Need to determine how the STPA process could be used in combination with other FAA guidance material Would need to obtain consensus with industry and international Civil Aviation Authorities in the use of STPA Recommendations include implementation of STPA on a pilot certification project for fact finding purposes 29 29

Questions & Wrap-Up Send your questions to me at: peter.skaves@faa.gov Telephone (425) 917-6700 Thank you for your assistance!!! 30 30

2024 © travelsdocbox.com Privacy Policy | Terms of Service | Feedback