Current perspective of unmanned aerial vehicle traffic management (UTM) system
Safety Analysis Methods for Complex Systems in Aviation
Electrical Engineering and Systems Science > Systems and Control
Each new concept of operation and equipment generation in aviation becomes more automated, integrated and interconnected. In the case of Unmanned Aircraft Systems (UAS), this evolution allows drastically decreasing aircraft weight and operational cost, but these benefits are also realized in highly automated manned aircraft and ground Air Traffic Control (ATC) systems. The downside of these advances is overwhelmingly more complex software and hardware, making it harder to identify potential failure paths.
Although there are mandatory certification processes based on broadly accepted standards, such as ARP4754 and its family, ESARR 4 and others, these standards do not allow proof or disproof of the safety of disruptive technology changes, such as GBAS Precision Approaches, Autonomous UAS, aircraft self-separation and others. In order to leverage the introduction of such concepts, it is necessary to develop solid knowledge on the foundations of safety in complex systems and use this knowledge to elaborate sound demonstrations of either the safety or the unsafety of new system designs. Such demonstrations at early design stages will help reduce both the development cost of new technology and the risk of that technology causing accidents when in use.
This paper presents some safety analysis methods which are not in the industry standards but which we identify as having benefits for analyzing safety of advanced technological concepts in aviation.
Submission history
From: Italo Romani de Oliveira
[v1] Wed, 3 Aug 2022 12:39:12 UTC (540 KB)
[v2] Tue, 23 Jul 2024 00:30:20 UTC (311 KB)
Summary Notes
Here is a summary of the key points from the document:
- The paper discusses safety analysis methods for complex systems in aviation, focusing on newer approaches beyond traditional industry standards.
- Traditional methods like safety cases, bow-tie models, and prescriptive approaches have limitations in analyzing increasingly complex and automated aviation systems.
- The paper highlights drawbacks of current approaches, including susceptibility to narrative fallacies and difficulties handling emergent behaviors in complex systems.
- It introduces some non-standard safety analysis methods for complex systems:
  1) Multi-Agent Dynamic Risk Models (MA-DRM)
  2) Systems-Theoretic Accident Model and Processes (STAMP)
- The paper discusses applications demanding more advanced safety analyses:
  1) GBAS GNSS precision landings
  2) Unmanned Aircraft Systems (UAS)
  3) Aircraft self-separation concepts
- It concludes that new methodologies are needed to handle the complexity of next-generation aviation systems, requiring multidisciplinary research across engineering, social sciences, and cognitive psychology.
- The goal is to develop safety analysis methods that can evaluate innovative technologies early in the design process and help define appropriate constraints.
The paper argues for expanding beyond traditional safety assessment approaches to better address the challenges of increasingly complex and autonomous aviation systems.
Conclusions and Recommendations
- Need for new methodologies: The paper strongly emphasizes the need for safety analysis methodologies that go beyond current industry standards to handle increasingly complex and autonomous aviation technologies.
- Multidisciplinary approach: It recommends a multidisciplinary research approach involving engineering, social sciences, and cognitive psychology to capture the complexity of contemporary systems from a systemic view.
- Early design stage focus: The authors suggest that new safety analysis methods should help define constraints for the design, development, and operation of systems with innovative technologies at early stages, preventing later corrective actions.
- Complementary use of methods: While introducing new methods, the paper doesn't advocate abandoning current approaches entirely. Instead, it suggests using new methods to complement and enhance existing ones.
- Regulatory adaptation: There's an implicit recommendation for regulatory authorities to be open to accepting new methods for demonstration towards certification or conditional approvals.
- Simulation and prototyping: The paper recommends using the outcomes of safety analyses in simulations where next-generation aviation concepts can be represented in virtual environments, followed by physical prototypes.
- Continuous development: There's a call for researchers to look outside their traditional areas to understand the multi-dimensional characteristics of safety in complex systems.
- Industry-academia collaboration: The paper itself is a result of collaboration between Boeing Research & Technology and the University of São Paulo, implying a recommendation for such partnerships in addressing these challenges.
- Specific focus areas: The paper identifies GBAS GNSS precision landings, Unmanned Aircraft Systems (UAS), and aircraft self-separation as key areas requiring advanced safety analysis methods.
- Balancing innovation and safety: Particularly for UAS, there's a recommendation to find ways to balance rapid technological innovation with the need for robust safety assurance.
In conclusion, the paper calls for a proactive and innovative approach to safety analysis that can keep pace with and even guide the development of increasingly complex aviation systems. It emphasizes the need for new tools, multidisciplinary collaboration, and a shift in thinking about system safety to address the challenges posed by next-generation aviation technologies.
Authors
The authors and institutional associations for this paper are:
From Boeing Research & Technology:
- Ítalo Romani de Oliveira
- José Alexandre T. Guerreiro Fregnani
- Gláucia Costa Balvedi
- Michael L. Ulrey
- Jeffery D. Musiak
From Universidade de São Paulo – Escola Politécnica da USP, Grupo de Análise de Segurança (GAS):
- Ricardo Alexandre Veiga Gimenes
- João Batista Camargo Jr.
- Jorge Rady de Almeida Junior
This collaboration between Boeing Research & Technology and the University of São Paulo demonstrates a partnership between industry and academia in addressing complex safety challenges in aviation.
Traditional Methods and Limitations
The traditional approaches to safety analysis in aviation and their limitations, as described in the document, include:
1. Safety Case approach:
   - Uses structured arguments supported by evidence to justify system safety
   - Often employs Goal Structuring Notation (GSN)
   - Limitations:
     - Susceptible to narrative fallacies
     - Difficulty in ensuring full consistency among all elements
     - Challenges in handling complex systems and emergent behaviors
2. Prescriptive approaches:
   - Based on standardized means of compliance for similar systems
   - Rely on official examiners and performance parameterization
   - Limitations:
     - May not be suitable for disruptive or innovative technologies
     - Testing of complex systems can never be exhaustive
3. Bow-tie model:
   - Links causes of hazards (using Fault Tree Analysis) with consequences (using Event Tree Analysis)
   - Widely used in various safety-critical industries
   - Limitations:
     - Assumes completeness of the hazard list, which cannot be guaranteed
     - Difficulty in handling dependent events and common causes
     - Challenges in quantifying probabilities for complex interrelated events
4. Auxiliary methods (e.g., Markov Analysis, FMEA, Formal Methods):
   - Used to complement or substitute parts of the main approaches
   - Each has specific uses and limitations
   - For example, FMEA is limited to single-failure analysis and formal methods may have modeling power limitations
General limitations of traditional approaches:
1. Difficulty in handling increasing system complexity
2. Challenges in analyzing emergent behaviors and unforeseen interactions
3. Potential for overlooking critical hazards or failure modes
4. Limited ability to assess innovative or disruptive technologies
5. Reliance on historical data and known risks, which may not apply to new systems
6. Time-consuming and resource-intensive processes, especially for complex systems
7. Potential for cognitive biases and human errors in analysis
The document argues that these limitations become more pronounced as aviation systems become more automated, integrated, and interconnected, necessitating the development and adoption of new safety analysis methods.
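The bow-tie limitation on dependent events and common causes, made concrete. This is an added example with constructed values, not code from the paper: a small fault tree for a hypothetical loss-of-position hazard (two redundant GNSS receivers sharing one antenna feed), evaluated once with textbook gate algebra that assumes independence and once by exact state enumeration after a single common-cause event "cc" is shared by both receiver branches. The failure probabilities and the beta = 0.1 common-cause split are assumptions chosen for illustration.

```python
"""Fault-tree half of a bow-tie: independence assumption vs. a common cause.
Added example with constructed values for a hypothetical loss-of-position hazard."""
from dataclasses import dataclass
from itertools import product
from math import prod

@dataclass(frozen=True)
class Gate:
    kind: str       # "AND" or "OR"
    inputs: tuple   # basic-event names (str) or nested Gates

# Naive model: each receiver fails with probability 1e-3 per flight hour,
# the shared antenna with 1e-4, and the three are treated as independent.
BASIC = {"rx1": 1e-3, "rx2": 1e-3, "antenna": 1e-4}
TOP = Gate("OR", (Gate("AND", ("rx1", "rx2")), "antenna"))

# Same hazard with a common cause: 10% of each receiver's failure probability
# (beta = 0.1) is one shared event "cc" (e.g. a common firmware defect), so a
# receiver fails if its own independent part fails OR "cc" occurs.
BASIC_CC = {"rx1_ind": 9e-4, "rx2_ind": 9e-4, "cc": 1e-4, "antenna": 1e-4}
TOP_CC = Gate("OR", (Gate("AND", (Gate("OR", ("rx1_ind", "cc")),
                                  Gate("OR", ("rx2_ind", "cc")))), "antenna"))

def p_algebraic(node, probs):
    """Textbook gate algebra; only valid if every gate input is independent."""
    if isinstance(node, str):
        return probs[node]
    ps = [p_algebraic(n, probs) for n in node.inputs]
    if node.kind == "AND":
        return prod(ps)
    return 1.0 - prod(1.0 - p for p in ps)   # OR gate: 1 - prod(1 - p_i)

def holds(node, state):
    """Boolean value of the tree for one assignment of basic-event states."""
    if isinstance(node, str):
        return state[node]
    vals = [holds(n, state) for n in node.inputs]
    return all(vals) if node.kind == "AND" else any(vals)

def p_exact(node, probs):
    """Exact top-event probability by enumerating all 2^n basic-event states;
    stays correct when one event ("cc") feeds several gates."""
    names = sorted(probs)
    total = 0.0
    for bits in product((False, True), repeat=len(names)):
        state = dict(zip(names, bits))
        if holds(node, state):
            total += prod(probs[n] if state[n] else 1.0 - probs[n] for n in names)
    return total
```

With these numbers the exact result under the common cause is roughly twice the independent estimate, and applying the gate algebra to the common-cause tree still returns the lower figure, which is the failure mode the bow-tie critique refers to.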
New Advanced Safety Methods
The document introduces two main advanced safety methods for complex systems:
1. Multi-Agent Dynamic Risk Models (MA-DRM):
   Advantages:
   - Combines distributed artificial intelligence with stochastic estimation methods
   - Effective for analyzing complex socio-technical systems
   - Can identify hazardous event sequences missed by traditional methods
   - Better handles dependencies between events and common causes
   - More accurate in probability estimations for complex scenarios
   Limitations:
   - Requires sophisticated mathematical tools and analysis
   - May be more computationally intensive
2. Systems-Theoretic Accident Model and Processes (STAMP):
   Advantages:
   - Focuses on constraints, control loops, and process models rather than events
   - Considers interactions among human, hardware, and software components
   - Helps identify non-functional interactions and incorrect models/processes
   - Useful for recognizing scenarios that may lead to accidents
   - Better suited for analyzing emergent properties in complex systems
   Limitations:
   - More qualitative and argumentative in nature
   - May require a shift in thinking from traditional event-based models
General advantages of these advanced methods:
1. Better suited for analyzing complex, interconnected systems
2. Can handle emergent behaviors and unforeseen interactions
3. More effective in early design stages of innovative technologies
4. Provide a more holistic view of system safety
5. Can potentially identify risks missed by traditional methods
Potential limitations or challenges:
1. May require additional expertise or training to implement effectively
2. Could be more time-consuming or resource-intensive initially
3. May face resistance from regulatory bodies accustomed to traditional methods
4. Validation and standardization of these methods may take time
5. Integration with existing safety processes and regulations could be challenging
The document suggests that these advanced methods offer complementary views of safety and can be used alongside traditional approaches to provide a more comprehensive safety analysis. It emphasizes the need for multidisciplinary research to further develop and refine these methods to meet the challenges posed by next-generation aviation systems.
Unmanned Systems
The document discusses safety analysis for Unmanned Aircraft Systems (UAS) as one of the key applications demanding advanced safety methods. Here's a summary of the key points:
1. Regulatory Framework:
   - ICAO principles state that UAS should operate in accordance with standards for manned aircraft, plus additional standards addressing operational, legal, and safety differences.
   - EASA has proposed an operational regulatory framework for UAS, recognizing the diverse and innovative nature of the industry.
   - JARUS (Joint Authorities for Rulemaking on Unmanned Systems) is working on harmonized regulations covering all aspects of UAS operations.
2. Safety Challenges:
   - Integration of UAS into non-segregated airspace is a long-term activity requiring robust regulatory frameworks.
   - Many UAS businesses have short design-to-production cycles and may lack aviation safety experience.
   - Balancing innovation with safety requirements is a key challenge.
3. Specific Safety Initiatives:
   - EASA has created task forces to investigate issues related to small UAS operations, including:
     a) Geo-limitation to address risks of conflict with other airspace users
     b) Assessment of UAS-aircraft collision consequences
   - JARUS Working Group 6 (Safety & Risk Assessment) has developed guidance material for system safety assessment requirements.
4. Safety Assessment Approach:
   - The document mentions that JARUS WG-6 aims to maintain the same base of manned aircraft safety assessment for RPAS (Remotely Piloted Aircraft Systems).
   - They propose additional means for showing compliance with availability and integrity requirements for RPAS systems.
   - The methodology is based on the objective that RPAS operations must be as safe as manned aircraft.
5. Challenges in Safety Analysis:
   - Lack of solid international regulations for UAS integration into non-segregated airspace.
   - Need for very high safety standards due to the responsibility over airspace.
   - Difficulty in guaranteeing that UAS will maintain the current aviation safety level.
6. Future Outlook:
   - The document suggests that more work needs to be done in safety methodology to ensure UAS safety.
   - It implies that advanced safety analysis methods, such as those discussed earlier (MA-DRM and STAMP), may be beneficial in addressing the complex challenges posed by UAS integration.
The overall message is that safety analysis for UAS is a complex and evolving field. While efforts are being made to adapt existing safety frameworks, the unique characteristics of UAS and their intended integration into shared airspace present challenges that may require new approaches to safety analysis and risk assessment.