Patrice Micouin – Certification Together, Toulouse, October 2010



A/C System Requirement & Design Engineering:

Implementing Airworthiness Requirements

Dr Patrice MICOUIN

MICOUIN Consulting

LSIS, Arts et Métiers Paris’Tech,


Purpose

To provide a development framework as consistent and complete as possible:

1. Contributing to the definition of an A/C Model Based System Engineering

2. Dealing with certification requirements

3. Integrating tightly development and safety assessment activities

4. Consistent with the ARP 4754 standard.


Requirement & Design Engineering Statements

Requirement & Design Engineering deals with three kinds of statements

• Epistemic statements

• Deontic statements

• Design choice statements


Epistemic statements

Record knowledge items. Under the control of nature, social agreement, ... Designers use epistemic statements as levers in the design process.

• Examples

AC29.1309 EXTREMELY IMPROBABLE: “A probability on the order of 10^-9 or less is assigned to this classification.”

AC29.1309 Catastrophic Failure conditions: Failure conditions which would prevent a safe landing.

AC25.11A Table 5:

Failure Condition | Hazard Classification | Qualitative Probability
Loss of all barometric altitude displays, including standby display | Catastrophic | Extremely Improbable
Display of misleading barometric altitude information on one primary display combined with a standby failure (loss of altitude or incorrect altitude) | Catastrophic | Extremely Improbable


Deontic statements

Constitute obligations or prohibitions. Under the control of authorities, acquirer, ... Designers have to comply with deontic statements.

• Examples

1. The equipment shall be easy to repair (Text Based Requirement)
2. When Condition => val (Equipment.MTTR) ≤ 30 mn (Property Based Requirement)

Interpretative Material: supports the passage from the Text Based Requirement (1) to the Property Based Requirement (2).


Design choice statements

Constitute choices among various possibilities. Under the control of the designer. Designers have to select design options relying on relevant epistemic statements and complying with deontic statements.

• Examples

The flow path named « Provide an A/C vertical Position Indication » will be designed as a sequence including the following processes:

o « To acquire the static pressure »
o « To sense the static pressure »
o « To convert the static pressure »
o « To compute the Vertical Position »
o « To compare computed Vertical Positions »
o « To display the Vertical Position »

The flow path will be allocated to the following physical processors:

o Static probe
o Transducer
o Air Data Computer
o Flight Display

The process « To compare computed Vertical Positions » will be allocated to the Flight Display processors.


Property Based Requirement

• A PBR is a constraint on a property of an object [kind] that shall be held [when a condition is met].

• Formal expression: PBR : [When Condition =>] val (Object.Property) in D, D being the set of admissible values of the property.

Patrice Micouin, Toward a property based requirements theory: System requirements structured as a semilattice, INCOSE Journal of Systems Engineering, Volume 11, Issue 3 (August 2008)

• Requirement determination is a process that interprets Text Based Requirements (expectations) into one or more Property Based Requirements (PBR).

• Two relationships among PBRs related to an object kind:
• PBR-1 is more stringent than PBR-2 (an ordering relation between PBR-1 and PBR-2)
• The conjunction of PBR-1 and PBR-2 is itself a PBR


Example 1 : Specific Certification Requirement 1303.b

CS 29.1303 Flight and navigation instruments: The following are required flight and navigational instruments: ... (b) A sensitive altimeter

What is a “sensitive altimeter”?

Interpretative material: AC29.1303 refers to TSO C10b, which refers to AS 392C (canceled), replaced by AS 8002A (Air Data Computers) or AS 8009B (other altimeters)

--| PBR from CS29.1303(b)
When Avionics.Power_on => val (Avionics.AC-Vertical-Position.Status) = Operative
When AC.Altitude in [0ft,5000ft] => val (Avionics.AC-Vertical-Position.Accuracy) ≤ 25ft
When AC.Altitude in ]5000ft,8000ft] => val (Avionics.AC-Vertical-Position.Accuracy) ≤ 30ft
When AC.Altitude in ]8000ft,11000ft] => val (Avionics.AC-Vertical-Position.Accuracy) ≤ 35ft
When AC.Altitude in ]11000ft,..ft] => ..
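The PBR form above, as an added example that is not part of the presentation: the three altitude-band accuracy PBRs of Example 1 encoded as executable checks in Python, together with the "more stringent than" ordering from the PBR slide. The closed-interval domains and the names `PBR`, `PBR_1303B`, `evaluate` and `more_stringent` are this example's own; the band above 11000 ft, elided on the slide, is left out.

```python
# Added example, not from the presentation: the altitude-band accuracy PBRs of
# Example 1 ("[When Condition =>] val(Object.Property) in D") made executable,
# plus the "more stringent than" ordering between two PBRs on the same property.
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

Context = Dict[str, float]    # observed values, keyed by the slide's dotted names
Domain = Tuple[float, float]  # admissible closed interval [lo, hi] for the property

@dataclass(frozen=True)
class PBR:
    """When `condition` holds on the context, val(prop) must lie in `domain`."""
    name: str
    condition: Callable[[Context], bool]
    prop: str
    domain: Domain

    def check(self, ctx: Context) -> Optional[bool]:
        """None when the PBR does not apply (condition false), else pass/fail."""
        if not self.condition(ctx):
            return None
        return self.domain[0] <= ctx[self.prop] <= self.domain[1]

def altitude_band(lo: float, hi: float, closed_lo: bool) -> Callable[[Context], bool]:
    """'When AC.Altitude in [lo,hi]' (closed_lo=True) or ']lo,hi]' (closed_lo=False)."""
    def cond(ctx: Context) -> bool:
        alt = ctx["AC.Altitude"]
        return (lo <= alt if closed_lo else lo < alt) and alt <= hi
    return cond

ACCURACY = "Avionics.AC-Vertical-Position.Accuracy"
PBR_1303B = [  # the three bands spelled out on the slide, in feet
    PBR("acc-0-5000", altitude_band(0, 5000, True), ACCURACY, (0.0, 25.0)),
    PBR("acc-5000-8000", altitude_band(5000, 8000, False), ACCURACY, (0.0, 30.0)),
    PBR("acc-8000-11000", altitude_band(8000, 11000, False), ACCURACY, (0.0, 35.0)),
]

def evaluate(pbrs, ctx: Context) -> Dict[str, bool]:
    """Verdict of every PBR whose condition applies in `ctx`; the others stay silent."""
    verdicts = {}
    for p in pbrs:
        r = p.check(ctx)
        if r is not None:
            verdicts[p.name] = r
    return verdicts

def more_stringent(p1: PBR, p2: PBR) -> bool:
    """PBR-1 is more stringent than PBR-2 when, on the same property, every value admitted by PBR-1 is admitted by PBR-2."""
    return (p1.prop == p2.prop
            and p2.domain[0] <= p1.domain[0] and p1.domain[1] <= p2.domain[1])
```

A context whose altitude falls outside every band (e.g. above 11000 ft) yields an empty verdict, which flags the gap left by the elided band rather than silently passing.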


Example 2 : General Certification Requirement 1309.(b).(2).(i)

CS 29.1309 Equipment, systems, and installations: (b) The rotorcraft systems and associated components, considered separately and in relation to other systems, must be designed so that – (2) For Category A rotorcraft: (i) The occurrence of any failure condition which would prevent the continued safe flight and landing of the rotorcraft is extremely improbable; and ...

What is a “failure condition which would prevent the continued safe flight and landing”? What does “extremely improbable” mean? What about vertical position indication?

Interpretative material:

AC29.1309 Catastrophic failure conditions: Failure conditions which would prevent a safe landing.

AC29.1309 EXTREMELY IMPROBABLE: “A probability on the order of 10^-9 or less is assigned to this classification.”

ED79/ARP4754:

Failure Condition Classification | System Development Level
Catastrophic | A

AC25.11A Table 5:

Failure Condition | Hazard Classification | Qualitative Probability
Loss of all barometric altitude displays, including standby display | Catastrophic | Extremely Improbable
Display of misleading barometric altitude information on one primary display combined with a standby failure (loss of altitude or incorrect altitude) | Catastrophic | Extremely Improbable

--| PBR from CS29.1309(b)(2)(i)
When In_Flight => Prob(Avionics.AC-Vertical-Position-Indication.Status = Loss) ≤ 10^-9/fh
When In_Flight => Prob(Avionics.AC-Vertical-Position-Indication.Status = Misleading) ≤ 10^-9/fh
Avionics.DAL = A


Requirement & Design Process Framework

ARP 4754 § 4.4.3: “While there is no specific recommended process for systems development, a generic development model is described in Appendix A to assist in establishing common terminology and understanding. The specific development process selected should be described in sufficient detail to achieve mutual understanding of the key elements and their relationships.”

[Diagram: EIA 632 Process Framework, extended. Requirement Definition: Acquirer Requirements and Other Stakeholder Requirements trace to Specified Requirements, which are specified by System Technical Requirements; High level Safety Requirements likewise trace to System Technical Requirements. Solution Definition: System Technical Requirements are assigned to Logical Solution Representations, which drive Technical Derived Requirements, in turn assigned to Physical Solution Representations (the Design Solution). Safety Assessment: Failure Conditions & Categorization are assigned to Safety Assessment Representations, which drive requirements as well.]

Extended Framework: the meaning of « derived requirement » (DR) is not the one generally used by the aeronautical community. However, it is a consistent interpretation of the ARP 4754 definition of DRs. J. Scott develops this approach to DRs.

Specified Requirements are validated iff the System Technical Requirements are more stringent than the Specified Requirements (in the sense of the PBR ordering relation above).


Requirement 1303.b logical implementation

Requirement: Avionics shall provide an A/C vertical Position Indication

[Diagram: Logical Solution. Flow path from the Atmosphere to the Vertical-Position-Indication through the processes « To acquire the static pressure », « To compute the Vertical Position » and « To display the Vertical Position »; the Pilot supplies Corrections through « To correct the reference static pressure ».]

Source | Flow path | Sink
Atmosphere | Provide an A/C vertical Position Indication | Vertical Position Indication


[Diagram: three representations of the requirement « Avionics shall provide the A/C vertical Position Indication ».

Logical Solution Representation: flow path from the Atmosphere to the Vertical-Position-Indication through « To acquire the static pressure », « To sense the static pressure », « To convert the static pressure », « To compute the Vertical Position » and « To display the Vertical Position »; the Pilot supplies Corrections through « To keyboard the correction », « To record the correction » and « To correct the reference static pressure ».

Physical Solution Representation: Static probe, Transducer, Air Data Computer and Flight Display (Baro), fed by the Atmosphere and by the Pilot's Corrections, producing the Vertical-Position-Indication. Redundancy = 1.

Safety Assessment Representation: fault tree for Vertical-Position-Indication.Loss, an OR gate over Static probe.loss (p1), Transducer.loss (p2), Air Data Computer.loss (p3) and Flight Display.loss (p4). Probability of loss = p, with p = p1 + p2 + p3 + p4.]


Requirement 1309.b logical implementation

--| PBR from CS29.1309(b)(2)(i)
When In_Flight => Prob(Avionics.AC-Vertical-Position-Indication.Status = Loss) ≤ 10^-9/fh
When In_Flight => Prob(Avionics.AC-Vertical-Position-Indication.Status = Misleading) ≤ 10^-9/fh
Avionics.DAL = A

[Diagram: minimal Logical Solution. Flow path from the Atmosphere to the Vertical-Position-Indication through « To acquire the static pressure », « To compute the Vertical Position » and « To display the Vertical Position ».]

With this minimal flow path, the occurrence of loss or misleading vertical position indication has a probability greater than 10^-9/fh:

Prob(Avionics.AC-Vertical-Position-Indication.Status = Loss) >> 10^-9/fh
Prob(Avionics.AC-Vertical-Position-Indication.Status = Misleading) >> 10^-9/fh

To prevent such CAT FCs (catastrophic failure conditions), the following safety requirement is raised: the Provide-AC-Vertical-Position flow path shall be triplicated to allow a comparison mechanism with at least one dissimilar path.

--| PBR
Val(Provide-AC-Vertical-Position.redundancy) = 3
Val(Provide-AC-Vertical-Position.similarity) ≤ 2

[Diagram: the flow path Atmosphere → « To acquire the static pressure » → « To compute the Vertical Position » → « To display the Vertical Position » → Vertical-Position-Indication is instantiated three times, with two « To compare computed Vertical Position » processes added between the computed positions and the displays.]
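The fault-tree arithmetic of the Safety Assessment Representation (p = p1 + p2 + p3 + p4) and the triplication requirement above, as an added example that is not part of the presentation: Python code that computes the loss probability of one flow path and of the triplicated, compared flow path and checks it against the 10^-9/fh PBR. The per-element probabilities are constructed sample values, independence of elements and paths is assumed, and the comparison rule (two agreeing paths needed) is this example's assumption; only the Loss status is modelled, not Misleading, which the dissimilarity requirement addresses.

```python
# Added example, not from the presentation: the loss-probability arithmetic behind
# Requirement 1309.b, for the single flow path (the fault tree's OR gate) and for
# the triplicated flow path with comparison raised as a safety requirement.
# Per-element probabilities are CONSTRUCTED sample values per flight hour (fh),
# not figures from the slides; elements and paths are assumed independent.
from math import comb, prod

PATH_ELEMENTS = {            # constructed loss probabilities per fh, one per processor
    "Static probe": 2e-6,
    "Transducer": 1e-6,
    "Air Data Computer": 4e-6,
    "Flight Display": 3e-6,
}
EXTREMELY_IMPROBABLE = 1e-9  # AC29.1309: "on the order of 10^-9 or less" per fh

def or_gate_approx(ps):
    """The slide's OR gate: p = p1 + p2 + p3 + p4 (rare-event approximation)."""
    return sum(ps)

def or_gate_exact(ps):
    """Exact OR of independent losses: 1 - prod(1 - p_i)."""
    return 1 - prod(1 - p for p in ps)

def path_loss(elements=PATH_ELEMENTS):
    """Loss of one Provide-AC-Vertical-Position flow path: any element lost."""
    return or_gate_exact(elements.values())

def at_least_k_of_n(p, n, k):
    """Probability that at least k of n independent paths (each lost w.p. p) are lost."""
    return sum(comb(n, i) * p**i * (1 - p)**(n - i) for i in range(k, n + 1))

def indication_loss(redundancy, p_path=None):
    """Loss of the indication for `redundancy` paths feeding a comparison mechanism.
    Assumption (not stated on the slide): the comparison needs two agreeing paths,
    so with n >= 2 paths the indication is lost once n-1 paths are lost; a single
    path (Redundancy = 1) is lost with its own loss probability."""
    p = path_loss() if p_path is None else p_path
    k = 1 if redundancy == 1 else redundancy - 1
    return at_least_k_of_n(p, redundancy, k)

def meets_1309(p_loss):
    """PBR from CS29.1309(b)(2)(i): Prob(Status = Loss) <= 10^-9/fh."""
    return p_loss <= EXTREMELY_IMPROBABLE
```

With these sample rates the single path sits around 10^-5/fh, far above the target, while the triplicated path comes out near 3·10^-10/fh; a per-path rate a few times worse would push even the triplicated design back over 10^-9/fh, which is why the per-path budget has to be derived alongside the redundancy requirement.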


DAL Requirement Derivation

• Requirement derivation is a substitution that replaces a level-n requirement by the conjunction of level-n+1 requirements, under the assumption that the design choices will actually be implemented.

• Example

Avionics / AC-Vertical-Position-Indication
Req-S : Val (Avionics.DAL) = A

Design pattern 5, ARP 4754 Table 4: the Avionics is split into a Primary portion and a Backup portion, both fed from the Atmosphere.

dReq-P : Val (Avionics.Primary.DAL) = A
dReq-B : Val (Avionics.Backup.DAL) constrained to C

When ARP4754 Design pattern 5 => (Val (Avionics.DAL) = A) ≤ (Val (Primary.DAL) = A and Val (Backup.DAL) constrained to C)


Logical Solution Representation

[Diagram: the triplicated flow path. Three instances of Atmosphere → « To acquire the static pressure » → « To compute the Vertical Position » → « To display the Vertical Position » → Vertical-Position-Indication, with two « To compare computed Vertical Position » processes.]


Physical Solution Representation


Safety Assessment Representation


Conclusion

The PBR theory and the Requirement & Design process framework described above are suitable to address an A/C Model Based System Engineering:

1. Dealing with all categories of requirements, including certification requirements and safety requirements,

2. Integrating tightly development and safety assessment activities,

3. Consistent with the ARP 4754 standard.


The latest version of this presentation will be available here: http://www.micouin.com/archives.html

More information

Property Based Requirement Theory:
Patrice Micouin, Toward a property based requirements theory: System requirements structured as a semilattice, INCOSE Journal of Systems Engineering, Volume 11, Issue 3 (August 2008)

Derived requirements:
JACKSON Scott, Systems engineering for commercial aircraft, Ashgate Publisher, 1997
McDERMID John & NICHOLSON Mark, Extending PSSA for Complex Systems, ISSC Ottawa, August 2003

Model Based Engineering:
SAE-AS5506A, Architecture Analysis & Design Language (AADL), 2009-01
OMG Systems Modeling Language (OMG SysML™), Version 1.2, June 2010

EIA 632:
James Martin, Processes for Engineering a System, in The Avionics Handbook, edited by C. Spitzer, CRC Press, 2007
ANSI/EIA 632: Processes for Engineering a System, GEIA, Arlington, VA, 2003.