WP511-D5-1-1 NG-ISS architecture studies

EXECUTIVE SUMMARY:
This document compiles the results of four NG-ISS architecture studies, all performed within FLYSAFE WP511, for the target FLYSAFE NG-ISS product foreseen for the 2020 timeframe. In line with the system development standards for complex avionics (SAE ARP 4176), the NG-ISS system architecture solutions are assessed in terms of conceivable hazards that can be identified from failure condition scenarios at system level, consistent with those identified at aircraft function level, as well as hazards related to Human Factors. The feasibility of retrofitting the NG-ISS into current aircraft is also explored.

sFHA
First, the system level Functional Hazard Analysis (sFHA) collected the most significant outcomes and failure conditions, together with the safety requirements, of the preliminary FHA (pFHA) conducted as part of WP 1.3.2. The pFHA has been complemented by an assessment of NG-ISS functions that were not previously assessed but that feature significant failure conditions and critical effects. Candidate architectures for the implementation of NG-ISS functions were first introduced, and new failure conditions were assessed, e.g. the total loss of all or part of the NG-ISS functions. A summary of the most significant failure conditions and their classifications is then proposed, together with a set of qualitative and quantitative safety requirements.

PSSA
Next, a Preliminary System Safety Assessment (PSSA) was initiated. The PSSA is one of the safety processes that have to be undertaken during the design of a complex avionics system to ensure that the avionics product becomes sufficiently safe. Its scope is limited to NG-ISS internal failures (non-intentional behaviour) only, and to the effects of these on the safety of flight. The effect of external hazards on the safety of flight is the subject of other studies, which could consider the NG-ISS as a means of mitigating external effects. The PSSA is based on the current FLYSAFE NG-ISS functional design and on the outcomes of the pFHA and sFHA. A typical PSSA considers only those failure conditions whose occurrence has possible hazardous or catastrophic effects. Because of this critical nature, only tactical NG-ISS alerting failures are considered. Failures in the processing of strategic alerts may obviously lead to dangerous situations, but as time passes and the threat is not resolved, its nature becomes tactical and the NG-ISS tactical safety net will mitigate the danger. As no other WP in FLYSAFE was tasked with the design of a system architecture for the NG-ISS, a number of different architectures were designed, and these were the input of the PSSA. Because the PSSA is limited to critical failure conditions, in this safety study these architectures focus only on the part of the NG-ISS that deals with tactical surveillance alerting and guidance. For each architecture the safety properties were captured in generic risk formulas, and associated fault trees were constructed for each of the aforementioned critical failure conditions.

Because a more definite architecture design is absent (such a design involves many more aspects than safety alone) and because no risk figures exist for many of the novel parts of the FLYSAFE architecture, the PSSA could not be used as a thorough safety check of such an architecture. Nevertheless, and more interestingly, the PSSA could be used as a design means to allocate safety requirements to the subsystems of the NG-ISS (e.g. the FLYSAFE TAM, DAM and SDC functions) for each of these architectures. As very high safety requirements on (sub)systems may complicate the design, deteriorate performance and availability, or even make the design impracticable, the specific purpose was to identify those sets of safety requirement allocations that appear to be least demanding to implement. Taking the FLYSAFE functional architecture as a starting point, it appears that a single lane NG-ISS architecture results in very severe safety requirements for a number of subsystems. Hence, its implementation seems to be very difficult.

In summary, the allocated safety requirements are least restrictive for two types of dual redundant architectures with limited complexity and these two architectures are recommended for further NG-ISS development.
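The allocation reasoning described above (risk formulas and fault trees per architecture, with the observation that a single lane drives very severe per-subsystem requirements while dual redundancy relaxes them) can be illustrated with a small fault-tree evaluator. The code below is an added example written for this page; it is not the deliverable's own risk formulas or fault trees. The subsystem names TAM, DAM and SDC are taken from the text, but their failure probabilities, the 1e-9 per flight hour top-level target and the equal split of a lane budget over its subsystems are constructed assumptions used only to show the mechanics of the allocation.

```python
"""Fault-tree evaluation and safety-requirement allocation for a single-lane
versus a dual-lane tactical alerting function.

Added example: all failure figures are constructed placeholders, not FLYSAFE
project data. Inputs to every gate are assumed independent, so common-cause
failures between the two lanes are NOT modelled and would need a separate
common-mode event in a real PSSA.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Union


@dataclass
class Basic:
    """Basic event: one subsystem failing, with probability per flight hour."""
    name: str
    prob: float


@dataclass
class Gate:
    """Logic gate combining child events. kind is "AND" or "OR"."""
    kind: str
    inputs: List[Union["Basic", "Gate"]] = field(default_factory=list)


Node = Union[Basic, Gate]


def prob(node: Node) -> float:
    """Probability that the node's event occurs, assuming independent inputs."""
    if isinstance(node, Basic):
        return node.prob
    ps = [prob(child) for child in node.inputs]
    if node.kind == "AND":  # all inputs must fail
        result = 1.0
        for p in ps:
            result *= p
        return result
    if node.kind == "OR":  # any input failing is enough: 1 - P(none fail)
        none_fail = 1.0
        for p in ps:
            none_fail *= (1.0 - p)
        return 1.0 - none_fail
    raise ValueError(f"unknown gate kind {node.kind!r}")


def single_lane(rates: Dict[str, float]) -> Gate:
    """Loss of tactical alerting when any subsystem of the single lane fails."""
    return Gate("OR", [Basic(name, p) for name, p in rates.items()])


def dual_lane(rates: Dict[str, float]) -> Gate:
    """Loss of tactical alerting only when both independent lanes fail."""
    return Gate("AND", [single_lane(rates), single_lane(rates)])


def meets_target(tree: Node, target: float) -> bool:
    """True when the top event probability is within the allowed target."""
    return prob(tree) <= target


def per_subsystem_budget(target: float, n_subsystems: int, lanes: int) -> float:
    """Equal-split allocation of a top-level target to each subsystem.

    With `lanes` identical independent lanes under an AND gate, each lane may
    fail with probability target ** (1/lanes); that lane budget is then split
    equally over its n series subsystems (rare-event approximation of the OR
    gate, where P(OR) ~ sum of the inputs).
    """
    lane_budget = target ** (1.0 / lanes)
    return lane_budget / n_subsystems


# Constructed figures: each subsystem assumed to fail 1e-5 per flight hour.
CONSTRUCTED_RATES = {"TAM": 1e-5, "DAM": 1e-5, "SDC": 1e-5}
TOP_LEVEL_TARGET = 1e-9  # constructed example target per flight hour

if __name__ == "__main__":
    for label, tree in (("single lane", single_lane(CONSTRUCTED_RATES)),
                        ("dual lane", dual_lane(CONSTRUCTED_RATES))):
        print(f"{label}: P(loss) = {prob(tree):.3e}, "
              f"meets {TOP_LEVEL_TARGET:.0e}: {meets_target(tree, TOP_LEVEL_TARGET)}")
    for lanes in (1, 2):
        print(f"{lanes} lane(s): per-subsystem budget = "
              f"{per_subsystem_budget(TOP_LEVEL_TARGET, 3, lanes):.3e}")
```

Running it shows the effect the study reports: with the same constructed subsystem figures, the single lane misses the top-level target by more than four orders of magnitude, whereas the dual lane meets it, and the per-subsystem budget relaxes from roughly 3e-10 to roughly 1e-5 per flight hour. The independence assumption is the caveat a reviewer would check first, since a shared power supply, sensor or software load would put a common-mode event directly under the AND gate.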

HFRA
A Human Factors Risk Analysis complements the aforementioned safety studies by examining an example of an NG-ISS alerting novelty for potential risk due to Human Factors. This was done by instantiating a new Human Factors Risk Analysis method, developed by DEDALE, AIRBUS and DASSAULTAVIATION under a contract from the French civil aviation administration DGAC, with the purpose of partly addressing the CS25.1302 requirement, and founded on Erik Hollnagel's work [CREAM]. Since this first version, the method has remained under development in order to better meet and fit the EASA requirements. Its implementation was used for the Falcon 7X certification of new features introduced into the cockpit.

Retrofit feasibility
Finally, this document outlines the main issues to be solved for a retrofit or forward fit of an NG-ISS on the current aircraft generation, such as the A320 or equivalent and the Dassault FALCON EASy. The NG-ISS will have internal TCAS, TAWS and Mode-S transponder functions. Thus, it must be considered whether the consolidated equipment should be replaced or whether the NG-ISS will be an addition. Most likely, for a forward fit the NG-ISS could replace the current equipment, but for a retrofit this might not be the most economical solution; there, an addition might be the most economical way.

After a reminder of the current configurations, the integration of the main functions proposed in FLYSAFE is discussed. In some cases the discussion should be revisited once some functions are better known. The result is that such an implementation involves a significant effort (and cost). However, the effort should be weighed against gains such as better efficiency (improved flight management thanks to better anticipation) and safety (less easy to quantify).
 
For further information please contact:
Mr. Martijn Stuip: stuip@nlr.nl
or Mr. Michael Jirsch: Michael.Jirsch@diehl-aerospace.de
