NAS Agent/User Categorization - Chess

MIT ICAT
National Workshop on Aviation Software Systems: Design for Certifiably Dependable Systems
Civil Aviation Context
Prof. R. John Hansman
MIT International Center for Air Transportation
rjhans@mit.edu 617-253-2271
Objectives
• Define Current State of the Art
• Identify Key Issues and Needs
• Identify Promising Research Approaches
• Define Educational Needs and Approaches
System Scope: Software, Hardware
Dependability problem can be fairly well defined with good specifications; tractable with current methods.
Hard
System Scope: Environment (Software, Hardware, Environment)
System Scope: Human (Human, Software, Hardware, Environment)
My Bias
System Scope: Interactions (Human, Software, Hardware, Environment)
What is High Dependability?
• Civil Aviation Context
• Target Level of Safety
• Equivalent Level of Safety
Probability vs. Consequences
Graph AC 25.1309-1A (figure): probability of occurrence (per unit of exposure) plotted against consequence severity. Consequence axis: Normal, Nuisance, Abnormal Procedures, Emergency Procedures, Airplane Damage, Adverse Effect on Occupants, Catastrophic Accident. Probability axis: Probable, Improbable, Extremely Improbable.
Descriptive Probabilities (per unit of exposure)
Probability per unit of exposure | FAR term             | JAR term
1 to 10E-3                       | Probable             | Frequent
10E-3 to 10E-5                   | Probable             | Reasonably Probable
10E-5 to 10E-7                   | Improbable           | Remote
10E-7 to 10E-9                   | Improbable           | Extremely Remote
below 10E-9                      | Extremely Improbable | Extremely Improbable
What is the correct unit of exposure: flight hour, departure, failure?
Software Criticality Levels
DO-178B "Software Considerations in Airborne Systems and Equipment Certification"
Level A - Anomalous behavior causes catastrophic failure: inability to continue safe flight and landing
Level B - Anomalous behavior causes hazardous/severe-major failure: large reduction in safety margins; inability of crew to perform; serious or fatal injuries to small number of occupants
Level C - Anomalous behavior causes major failure: reduced capability of aircraft (safety margins, functionality); reduced crew performance; injuries or discomfort to occupants
Level D - Anomalous behavior causes minor failure: no significant reduction in aircraft safety
Level E - Anomalous behavior causes no effect on aircraft operational capability
Civil Aviation Applications
• Commercial Aircraft
• Fly by Wire/Light
• Flight Management Systems
• General Aviation Aircraft
• Very Light Jets
• Unmanned Air Vehicles
• Air Traffic Management
  - Communication
  - Navigation
  - Surveillance
  - Decision Support
• Integrated Air-Ground Systems
Cockpit Evolution to Higher Criticality
Boeing 747-200: Electro-Mechanical "Steam Gauge"
Boeing 747-400: CRT-LCD Displays "Glass Cockpit"
Boeing 777: Fly by Wire/Light
Vehicle Control Loops (Inner Loops More Critical)
Control-loop diagram: the Pilot (Displays; CDU, MCP, Controls) issues Trajectory Commands to the FMS, State Commands to the Autopilot/Autothrust, and Manual Control to Flight Control; Rate and Navigation State feed back from the Sensors.
Fly-by-wire Systems
A-320 Example: electrically controlled, hydraulically actuated
Surfaces: Rudder*, Slats, Aileron, Elevator, Flaps, Trimmable horizontal stabilizer*, Speed brakes, Roll spoilers, Ground spoilers
* Rudder & stabilizer have back-up mechanical control
Anomalies: eg Hard Over Failures, Redundancy Architectures, Software as Single Point of Failure
Typical Redundancy Architecture (figure)
Human Interaction - Manual Control
Aircraft Pilot Coupling (aka PIO)
Control-loop diagram with the manual-control path: Pilot, Displays, CDU, MCP, Controls; Trajectory Commands, State Commands, Manual Control; FMS, Autopilot, Autothrust, Flight Control; Rate, Navigation State, Sensors.
Mode Awareness
Mode Awareness is becoming a serious issue in Complex Automation Systems
• automation executes an unexpected action (commission), or fails to execute an action (omission) that is anticipated or expected by one or more of the pilots
Multiple accidents and incidents
• Strasbourg A320 crash: incorrect vertical mode selection
• Orly A310 violent pitchup: flap overspeed
• B757 speed violations: early level-off conditions
Pilot needs to
• Identify current state of automation
• Understand implications of current state
• Predict future states of automation
Complexity and Conditional Statements
• Used extensively in Pilot Guides
• "Through the FCU, an immediate climb/descent is initiated by selecting the desired altitude in the ALT SEL window and either pulling the set knob or pressing the LVL/CH P/B to engage the LVL CHANGE mode. Pressing the LVL/CH P/B also disengages PROFILE, however, if PROFILE is engaged, pulling the set knob does not disengage it, rather it initiates an immediate climb/descent to the altitude selected on the FCU. The exceptions are ..."
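The quoted rules read as prose hide the fact that two inputs which produce the same immediate climb/descent leave the automation in different modes. The following is an added example, not code from the slides or from any FCU, that writes the quoted rules as an explicit mode model so the two paths can be compared; mode and input names come from the quote, while the state representation, the starting values, and the reading that pulling the knob with PROFILE engaged leaves the modes unchanged are assumptions.

```python
# Added example (not from the slides): the quoted FCU rules as an explicit mode
# model, so the two ways of starting an "immediate climb/descent" can be compared
# for the automation state they leave behind. Only what the quote states is
# modelled; "The exceptions are ..." is not, since the slide does not give them.
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class FcuState:
    alt_sel_ft: int                       # altitude set in the ALT SEL window
    profile_engaged: bool                 # PROFILE mode engaged?
    lvl_change_engaged: bool              # LVL CHANGE mode engaged?
    immediate_target_ft: Optional[int] = None  # target of an immediate climb/descent, if any


def select_altitude(s: FcuState, alt_ft: int) -> FcuState:
    """Set the desired altitude in the ALT SEL window (no mode change by itself)."""
    return replace(s, alt_sel_ft=alt_ft)


def press_lvl_ch(s: FcuState) -> FcuState:
    """Pressing the LVL/CH P/B engages LVL CHANGE and also disengages PROFILE."""
    return replace(s, lvl_change_engaged=True, profile_engaged=False,
                   immediate_target_ft=s.alt_sel_ft)


def pull_set_knob(s: FcuState) -> FcuState:
    """Pulling the set knob initiates an immediate climb/descent to the ALT SEL altitude.
    If PROFILE is engaged it is not disengaged (assumed: modes left as they are);
    otherwise LVL CHANGE is engaged, as the quote says for either input."""
    if s.profile_engaged:
        return replace(s, immediate_target_ft=s.alt_sel_ft)
    return replace(s, lvl_change_engaged=True, immediate_target_ft=s.alt_sel_ft)


def compare_paths(start: FcuState, alt_ft: int) -> dict:
    """Apply both quoted paths from the same starting state and report where they diverge."""
    via_button = press_lvl_ch(select_altitude(start, alt_ft))
    via_knob = pull_set_knob(select_altitude(start, alt_ft))
    return {
        "same_target": via_button.immediate_target_ft == via_knob.immediate_target_ft,
        "profile_after_button": via_button.profile_engaged,
        "profile_after_knob": via_knob.profile_engaged,
        "diverge": via_button != via_knob,
    }


if __name__ == "__main__":
    # Constructed starting state: PROFILE engaged, aircraft at 5000 ft selected.
    start = FcuState(alt_sel_ft=5000, profile_engaged=True, lvl_change_engaged=False)
    print(compare_paths(start, 10000))   # same target, PROFILE differs
    print(compare_paths(replace(start, profile_engaged=False), 10000))   # identical states
```

With PROFILE engaged the two inputs reach the same target altitude but leave PROFILE in opposite states, which is exactly the kind of hidden divergence the mode-awareness slide is concerned with; with PROFILE not engaged the paths coincide. Writing the manual's conditional sentences as a state model is what makes such cases enumerable and testable.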
Evolution (Code Reuse) Leads to Lack of Underlying Model
• There does not appear to be a simple, consistent global model of current Autoflight Systems
  - Not apparent in flight manuals
  - Flight manuals focus on crew interface and procedures
  - Manufacturer could not supply functional model or logic/control diagram
  - Hybrid Automation Model created to allow analysis
• In absence of a simple consistent model, pilots develop their own ad-hoc models
• These models may not accurately represent AFS operation
  - Concern in some (future) aircraft
  - Individual pilot models may not be accurate
  - Training/Design implications
  - Models are created during nominal flight conditions and may not hold during abnormal or emergency situations
Entropic Growth of Complexity
Operator Directed Process (Sanjay Vakil Thesis)
Functional Analysis -> Automation Model: Automation Model is derived from Functional Analysis, operator and expert user input (Iterative Human-Centered Prototype Evaluation Stage).
Automation Model -> Training Material: Training material is derived from Automation Model. Training Representation is created.
Training Material -> Software Specification: Software specification is derived from Training Material. Specification changes must be consistent with Automation Model.
Software Specification -> Software -> Certification: System is certified against Automation Model.
Configuration Management: verifies and maintains consistency with Automation Model.
New Functionality (eg Required Navigation Performance) (figure)
New Functionality Requires FMS and Memory Upgrades
Cost Issues
Maintenance
Maintenance and Capability Expansion (eg Memory)
Honeywell A320 Pegasus FMS Advanced Features
Addition of LOC/VNAV autoflight capability
GLS/MLS Precision approach
FLS (ILS like) Non Precision approach
Enhanced LOC capture
Multiple same-type RNAV Runway Approaches
Improved Offset entry and display
Mixed QNH / QFE approach capability
QNH range extended to 1100 hPa
2MB Navigation Database capability, expandable through software to 12+MB
ARINC 615A Ethernet software and database loading
….
http://www.honeywell.com/sites/aero/Flight_Management_Systems
Some Airline Comments
However we have had lots of issues with the upgrades of the FMC software.
1. Magnetic course displays are a moving target. Each upgrade uses a different set of Magnetic variations so we have to revise our plates so that the FMC and the plates are in sync.
2. The vendor changes algorithms so the procedures that we or the FAA has designed are no longer flyable. Something like this is an unintended consequence of a "fix". Also the boxes are not regulated nor are specifications so this type of disconnect can occur.
3. The FAA is asking us and any other carrier approved to fly RNP SAAAR procedures to verify that the software is safe. I do not think that this is our job. But once again this goes back to lack of regulation. They have no way of assuring that the changes being made will be compatible with RNP SAAAR.
Electronic Flight Bag
Information vs Navigation Requirements
• Source: Brian Kelly, Boeing
Very Light Jets
Small turbofan aircraft
Aircraft (manufacturer): Eclipse500 (Eclipse Aviation), Mustang (Cessna), Adam700 (Adam Aircraft), Phenom-100 (Embraer), ProJet (Avocet Aircraft), D-Jet (Diamond Aircraft), Epic LT (Epic), HondaJet (Honda), Safire26 (Safire Aircraft), Excel Sport Jet, Spectrum 33, Eviation EV-20
Aircraft characteristics*
• Passengers: 4 to 8
• Acquisition price: $m 1.4 to 3.6
• Cruise speed: 340 to 390 kts
• Operating ceiling: 41,000ft to 45,000ft
• Range: 1100 to 1750 NM
• Take off field length: 2200ft to 3400ft
Orders
• Eclipse: 2300
• Adam: 75
• Mustang: 330+
* for twin-engine VLJs (excludes D-Jet)
Eclipse 500 Cockpit: Avio Avionics Suite
Next Generation? George Jetson Car
Spectrum of Current UAVs
Figure: UAV weight (lb) on a log axis (1, 10, 100, 1,000, 10,000, 100,000) with classes Micro, Mini, Tactical, Med Alt, High Alt / UCAV, Heavy. Vehicles shown: Aerovironment Black Widow (2.12 oz.), BAE Systems Microstar (3.0 oz.), NOAA Weather Balloon (2-6 lb), Allied Aero. LADF (3.8 lb), Sig Kadet II RC Trainer (5 lb), Aerovironment Pointer (9.6 lb), Boeing/Insitu Scaneagle (33 lb), AAI Shadow 200 (328 lb), Bell Eagle Eye (2,250 lb), Gen. Atomics Predator B (7,000 lb), Boeing X-45A UCAV (12,195 lb est), Northrop-Grumman Global Hawk (25,600 lb).
Historical Comparison of Accident Rates
Figure: Yearly Accident Rate (Accidents / 100,000 hr, log scale 0.1 to 10000) vs. Year (1925 to 2005) for UAVs (Average), General Aviation, Air Force Aviation and Commercial Airlines.
Notes:
1) UAV Accident Rates are averaged for Pioneer, Hunter, and Predator UAVs from OSD UAV Reliability Study, February 2003.
2) General Aviation data from AOPA historical data, http://www.aopa.org/special/newsroom/stats/safety.html, 2006. Flight hours unavailable from 1943-1945.
3) Commercial Aviation Accident Rates from Air Transport Association aggregated CAB and NTSB statistics. Operating hours estimated from miles flown and average speed for 1927-1948. All air carriers operating under Part 121, including cargo.
4) Air Force Aviation Accident Rates from Air Force Safety Center – includes UAV accidents.
Certification Considerations
AC 25.1309-1A probability vs. consequences graph (Normal, Nuisance, Abnormal Procedures, Emergency Procedures, Airplane Damage, Adverse Effect on Occupants, Catastrophic Accident; Probable, Improbable, Extremely Improbable).
Consequences of Failure Change for Unmanned Operation
Predator Crash, Nogales, AZ
From Steve Swartz, FAA UAS Program Office. 2006 CERICI Workshop.
Border Patrol Predator B Accident
NTSB Accident #CHI06MA121, Nogales, AZ, April 25, 2006, 03:41 MST
Image © General Atomics
Excerpts from Preliminary Report
The flight was being flown from a ground control station (GCS) located at HFU. The GCS contains two nearly identical consoles, pilot payload operator (PPO)-1, and PPO-2. During a routine mission, a certified pilot controls the UAV from the PPO-1 console and the camera payload operator (typically a U.S. Border Patrol Agent) controls the camera from PPO-2. The aircraft controls (flaps, stop/feather, throttle, and speed lever) on PPO-1 and PPO-2 are identical. However, when control of the UAV is being accomplished from PPO-1, the controls at PPO-2 are used to control the camera.
The pilot reported that during the flight the console at PPO-1 "locked up", prompting him to switch control of the UAV to PPO-2. Checklist procedures state that prior to switching operational control between the two consoles, the pilot must match the control positions on the new console to those on the console, which had been controlling the UAV. The pilot stated in an interview that he failed to do this. The result was that the stop/feather control in PPO-2 was in the fuel cutoff position when the switch over from PPO-1 to PPO-2 occurred. As a result, the fuel was cut off to the UAV when control was transferred to PPO-2.
The pilot stated that after the switch to the other console, he noticed the UAV was not maintaining altitude but did not know why. As a result he decided to shut down the GCS so that the UAV would enter its lost link procedure, which called for the UAV to climb to 15,000 feet above mean sea level and to fly a predetermined course until contact could be established. With no engine power, the UAV continued to descend below line-of-sight communications and further attempts to re-establish contact with the UAV were not successful.
From: http://www.ntsb.gov/ntsb/brief.asp?ev_id=20060509X00531&key=1
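The report describes a checklist step (match the receiving console's control positions to the active console's before switching) that the GCS left to the operator. The following is an added example, not code from the NTSB report or from the Predator ground control station, showing the same step as a software interlock that refuses the transfer while any of the four listed controls disagree. The control names are from the report; the console model, the position values and the scenario are constructed assumptions.

```python
# Added example (not from the NTSB report or the GCS software): a control-transfer
# interlock that enforces the checklist step, refusing to switch consoles until the
# receiving console's control positions match the active console's.
from dataclasses import dataclass
from typing import Dict, List

# Controls the report lists as identical on PPO-1 and PPO-2.
CONTROLS = ("flaps", "stop_feather", "throttle", "speed_lever")


@dataclass
class Console:
    name: str
    positions: Dict[str, object]   # control name -> current lever/switch position


def mismatches(active: Console, receiving: Console) -> List[str]:
    """Controls whose position on the receiving console differs from the active one."""
    return [c for c in CONTROLS if receiving.positions.get(c) != active.positions.get(c)]


def transfer_control(active: Console, receiving: Console) -> dict:
    """Attempt a console switch. Control moves only when every listed control matches;
    otherwise the request is refused and the offending controls are named."""
    bad = mismatches(active, receiving)
    if bad:
        return {"transferred": False, "active": active.name, "blocked_on": bad}
    return {"transferred": True, "active": receiving.name, "blocked_on": []}


def nogales_scenario() -> dict:
    """Constructed positions reflecting the report: PPO-1 flying with fuel on, PPO-2
    (on camera duty) with stop/feather in the fuel cutoff position."""
    ppo1 = Console("PPO-1", {"flaps": "up", "stop_feather": "run",
                             "throttle": 0.7, "speed_lever": "high"})
    ppo2 = Console("PPO-2", {"flaps": "up", "stop_feather": "cutoff",
                             "throttle": 0.7, "speed_lever": "high"})
    first = transfer_control(ppo1, ppo2)            # refused: stop/feather mismatch
    # After the crew matches PPO-2 to PPO-1 the same request succeeds.
    ppo2.positions["stop_feather"] = ppo1.positions["stop_feather"]
    second = transfer_control(ppo1, ppo2)
    return {"first_attempt": first, "after_matching": second}


if __name__ == "__main__":
    print(nogales_scenario())
```

The interlock needs the active console's positions even when that console has "locked up", so in practice the reference would be the last control positions the aircraft actually acknowledged rather than anything read from the frozen console; that choice, like the rest of the model, is an assumption of this example and not something the report states.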
Predator Ground Control Station (figure)
ATM System Level: Outer Loop Criticality
System diagram: Flight Strips, Decision Aids and ATC Displays on the controller side; Flight Plan Amendments; Surveillance update rates: Enroute 12.0 s, Terminal 4.2 s, ADS 1 s; Vectors by Voice; AOC (Airline Operations Center) via ACARS (Datalink); Pilot with CDU, MCP and Controls; Initial Clearances; Trajectory Commands to the Flight Management Computer, State Commands to Autopilot/Autothrust, Manual Control; Aircraft State; Navigation Displays.
Simplified Enroute Architecture
Legacy Software Issues - JOVIAL (Host)
Source: GAO/AIMD-97-30 Air Traffic Control
TCAS: Emergent Backup
ADS-B: GPS Backup Issue
Bob Hilb, UPS/Cargo Airline Association
10 Year Plan: FAA, OEP and NGATS
20 Year Plan: Multi-Agency (FAA, DOD, Commerce, DHS, NASA, DOT, OSTP)
For more detail see Operational Improvement Roadmap in the Tech Hanger section of JPDO Website www.jpdo.aero
Source: John Scardina JPDO
Software Criticality Exposure
High Criticality
Moderate Criticality
Source: John Scardina JPDO
GPS Wide Area Augmentation System (WAAS)
• Increased Safety
• Increased Efficiency and Capacity
• Fuel and Time Savings
• Cost Savings
WAAS Safety Architecture
Data flow: Receiver -> Corrections Processor (generates data, Level D) -> Safety Processor (monitors data, Level B) -> Uplink/GEO -> User; Satellite Signals into the Receiver; CRC protects data.
Weaknesses in Current System Monitor (Safety Processor)
• At Times Safety Processor Doesn't Monitor Data
  - Therefore, System Integrity Is Not Quantifiable
• Integrity Requirement Is No More Than One in 10 Million Chance of Hazardously Misleading Information (10E-7)
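The architecture on this slide rests on a Level D generator whose output is only trusted because a Level B monitor re-checks it, so a message the monitor skipped has no integrity claim behind it. The following is an added example, not WAAS code, that shows the generate / monitor / protect pattern as a small pipeline: a generator emits CRC-protected correction messages, an independent monitor verifies the CRC and a plausibility bound, and an uplink gate fails closed on unmonitored data while counting it so the exposure is at least measurable. The message layout, the correction bound and the sample messages are constructed assumptions.

```python
# Added example (not WAAS code): generator, independent monitor and a fail-closed
# uplink gate. A correction that the monitor has not checked is never broadcast,
# and every such skip is counted so the integrity exposure can be quantified.
import struct
import zlib
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MAX_CORRECTION_M = 50.0   # assumed plausibility bound on a range correction (metres)


def encode(sat_id: int, correction_m: float) -> bytes:
    """Generator role (Level D): satellite id, correction, then a CRC-32 over the body."""
    body = struct.pack(">Hd", sat_id, correction_m)
    return body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


def decode_checked(msg: bytes) -> Optional[Tuple[int, float]]:
    """Return (sat_id, correction) only if the length and CRC are right, else None."""
    if len(msg) != 14:
        return None
    body, crc = msg[:-4], struct.unpack(">I", msg[-4:])[0]
    if zlib.crc32(body) & 0xFFFFFFFF != crc:
        return None
    return struct.unpack(">Hd", body)


def monitor(msg: bytes) -> bool:
    """Safety-processor role (Level B): accept only CRC-valid, plausible corrections."""
    d = decode_checked(msg)
    return d is not None and abs(d[1]) <= MAX_CORRECTION_M


@dataclass
class UplinkGate:
    uplinked: List[bytes] = field(default_factory=list)
    rejected: int = 0       # monitored and failed
    unmonitored: int = 0    # monitor unavailable: held back, never uplinked

    def submit(self, msg: bytes, monitor_available: bool) -> bool:
        if not monitor_available:
            self.unmonitored += 1   # fail closed: unmonitored data is not broadcast
            return False
        if monitor(msg):
            self.uplinked.append(msg)
            return True
        self.rejected += 1
        return False


def run_sample() -> UplinkGate:
    """Constructed traffic: one good message, one with a flipped bit, one implausible
    but CRC-valid value, and one epoch in which the monitor did not run."""
    gate = UplinkGate()
    corrupted = bytearray(encode(8, 1.0))
    corrupted[5] ^= 0x01                      # bit flip inside the correction field
    gate.submit(encode(7, 3.2), True)         # uplinked
    gate.submit(bytes(corrupted), True)       # rejected: CRC mismatch
    gate.submit(encode(9, 400.0), True)       # rejected: outside plausibility bound
    gate.submit(encode(10, 2.0), False)       # held: monitor skipped this epoch
    return gate


if __name__ == "__main__":
    g = run_sample()
    print(len(g.uplinked), "uplinked,", g.rejected, "rejected,", g.unmonitored, "unmonitored")
```

The CRC catches transport corruption but says nothing about whether the generator computed a sensible value, which is why the monitor also applies a bound; and the `unmonitored` count is what turns "at times the safety processor doesn't monitor data" from an unquantifiable gap into a number that can be set against the 10E-7 hazardously-misleading-information requirement.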