Safety-Critical Systems


Safety-Critical Systems Prof. Chris Johnson School of Computing Science, University of Glasgow. johnson@dcs.gla.ac.uk http://www.dcs.gla.ac.uk/~johnson

Terminology and the Ariane V Mishap Prof. Chris Johnson, School of Computing Science, University of Glasgow. johnson@dcs.gla.ac.uk http://www.dcs.gla.ac.uk/~johnson

Terminology and the Ariane 5 Case Study Introduction. Terminology. Accidents. Ariane 5 Case Study.

Overview Open assessment: 30% on a practical exercise. Closed assessment. Nancy Leveson, Safeware: System Safety and Computers, Addison-Wesley, ISBN 0-201-11972-2. http://www.dcs.gla.ac.uk/~johnson/book

Terminology What is `Safety'? Nothing bad will happen? Is this sufficient? System will not endanger human life or the environment (Storey, p.2). Freedom from accidents or losses (Leveson, p.181).

Terminology What is `Safety'? An absolute or relative term? Does it form a continuum? Can we ever be `absolutely' SAFE?

Terminology Is `Safety' Relative? Depends on individual view of risk. Risk = frequency x cost. But cost or utility is subjective... Psychometric Risk Assessments. Biases, risk equity, target levels of risk

Terminology What is `Safety'? Part of wider dependability? Ability to deliver a trusted service. J.C. Laprie's Diversity for Dependability

Terminology Ack: J.C. Laprie

Terminology What is `Safety'? Must also consider failures of safety. Freedom from accidents or Losses (Leveson). So what is an accident?

Terminology Taken from Reason, Managing the Risks of Organisational Failure, Ashgate Publishing, 1997.

Terminology Accidents have multiple causes. Some are latent. Triggered by catalytic events. We should expect failure. Perrow's Normal Accidents?

Normal Accidents

Terminology What is `Safety'? Is it an emergent property? SYSTEMS continually change, so the level of safety changes. For instance, ABS braking?

Some Key Ideas As Low As Reasonably Practicable (ALARP). A risk is ALARP when it has been demonstrated that the cost of any further Risk Reduction, where the cost includes the loss of defence capability as well as financial or other resource costs, is grossly disproportionate to the benefit obtained from that Risk Reduction. (UK MOD Def Stan 00-56 Issue 4)

Some Key Ideas As Low As Reasonably Achievable (ALARA): US military doctrine, cost less of a factor? Minimum Endogenous Mortality (MEM): used in Germany etc.; do not introduce hazards that significantly increase the death rate beyond that from disease, congenital mortality etc. All are heuristics and hard to demonstrate.

The Ariane 5 Case Study

The Ariane 5 Case Study Variable exceeds its range... e) At 36.7 seconds after H0 (approx. 30 seconds after lift-off) the computer within the back-up inertial reference system, which was working on stand-by for guidance and attitude control, became inoperative. This was caused by an internal variable related to the horizontal velocity of the launcher exceeding a limit which existed in the software of this computer.

The Ariane 5 Case Study `Defences in depth' failed... f) Approx. 0.05 seconds later the active inertial reference system, identical to the back-up system in hardware and software, failed for the same reason. Since the backup inertial system was already inoperative, correct guidance and attitude information could no longer be obtained and loss of the mission was inevitable.

The Ariane 5 Case Study Error stemmed from redundant code! m) The inertial reference system of Ariane 5 is essentially common to a system which is presently flying on Ariane 4. The part of the software which caused the interruption in the inertial system computers is used before launch to align the inertial reference system and, in Ariane 4, also to enable a rapid realignment of the system in case of a late hold in the countdown. This realignment function, which does not serve any purpose on Ariane 5, was nevertheless retained for commonality reasons and allowed, as in Ariane 4, to operate for approx. 40 seconds after lift-off.

The Ariane 5 Case Study Problems in requirements/safety analysis. n) During design of the software of the inertial reference system used for Ariane 4 and Ariane 5, a decision was taken that it was not necessary to protect the inertial system computer from being made inoperative by an excessive value of the variable related to the horizontal velocity, a protection which was provided for several other variables of the alignment software. When taking this design decision, it was not analysed or fully understood which values this particular variable might assume when the alignment software was allowed to operate after lift-off.

The Ariane 5 Case Study Failed to understand system change? o) In Ariane 4 flights using the same type of inertial reference system there has been no such failure because the trajectory during the first 40 seconds of flight is such that the particular variable related to horizontal velocity cannot reach, with an adequate operational margin, a value beyond the limit present in the software. p) Ariane 5 has a high initial acceleration and a trajectory which leads to a build-up of horizontal velocity which is five times more rapid than for Ariane 4. The higher horizontal velocity of Ariane 5 generated, within the 40-second timeframe, the excessive value which caused the inertial system computers to cease operation.

The Ariane 5 Case Study It has been stated to the Board that not all the conversions were protected because a maximum workload target of 80% had been set for the SRI computer. To determine the vulnerability of unprotected code, an analysis was performed on every operation which could give rise to an exception, including an Operand Error. In particular, the conversion of floating point values to integers was analysed and operations involving seven variables were at risk of leading to an Operand Error. This led to protection being added to four of the variables, evidence of which appears in the Ada code. However, three of the variables were left unprotected. No reference to justification of this decision was found directly in the source code. Given the large amount of documentation associated with any industrial application, the assumption, although agreed, was essentially obscured, though not deliberately, from any external review. (Inquiry report, Section 2.2 COMMENTS ON THE FAILURE SCENARIO, paragraph 2)
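The unprotected conversion the inquiry report describes, reworked as an added C example (not the Ariane SRI code, which was Ada): a range-checked 64-bit float to 16-bit integer conversion, run over a constructed linear model in which the Ariane 5 horizontal-bias variable grows five times faster than Ariane 4's. The 16-bit target width comes from the published inquiry report rather than these slides; the growth rates, the one-second schedule and the `to_int16_checked` / `first_operand_error_second` names are assumptions, chosen so that the Ariane 5 profile overruns the range about 30 seconds after lift-off while the Ariane 4 profile never does.

```c
#include <stdint.h>
#include <stdio.h>

/* Outcome of converting the horizontal-bias variable to its 16-bit target. */
typedef enum { CONV_OK = 0, CONV_OPERAND_ERROR = 1 } conv_status_t;

/* Protected conversion. The range test runs BEFORE the cast: casting an
 * out-of-range double to int16_t is undefined behaviour in C, and the
 * equivalent unchecked conversion in the Ariane 5 SRI raised an unhandled
 * Operand Error that shut the computer down. NaN fails both comparisons. */
conv_status_t to_int16_checked(double value, int16_t *out)
{
    if (!(value >= (double)INT16_MIN && value <= (double)INT16_MAX))
        return CONV_OPERAND_ERROR;
    *out = (int16_t)value;
    return CONV_OK;
}

/* Constructed, not real, trajectory model: the horizontal-bias variable grows
 * linearly at `rate` units per second after lift-off. The Ariane 5 rate is
 * five times the Ariane 4 rate, as the inquiry report describes. */
#define ARIANE4_RATE 220.0
#define ARIANE5_RATE (5.0 * ARIANE4_RATE)
#define ALIGNMENT_WINDOW_S 40   /* alignment kept running ~40 s after lift-off */

/* Run the alignment function once per second for the window. Returns the
 * first second at which the conversion is rejected, or -1 if it never is.
 * Note that a second, identical computer running this model fails at the
 * same second: identical redundancy gives no protection here. */
int first_operand_error_second(double rate)
{
    for (int t = 0; t <= ALIGNMENT_WINDOW_S; t++) {
        int16_t bias;
        double horizontal_bias = rate * t;
        if (to_int16_checked(horizontal_bias, &bias) != CONV_OK)
            return t;   /* flag the hazard instead of halting the SRI */
    }
    return -1;
}

int main(void)
{
    printf("Ariane 4 profile: first operand error at %d s\n",
           first_operand_error_second(ARIANE4_RATE));
    printf("Ariane 5 profile: first operand error at %d s\n",
           first_operand_error_second(ARIANE5_RATE));
    return 0;
}
```

Under this model the Ariane 4 profile reports -1 (the variable stays well within range for the whole 40-second window) and the Ariane 5 profile reports 30, the point at which an unprotected cast would have raised the Operand Error.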

Conclusions Safety is: freedom from accidents/losses. Accidents are: complex multi-causal events; (almost) impossible to predict. Therefore hard to maintain safety. This course tries to show you how...

Any Questions?