11. Flight Safety from a Reality-based Systems Approach
Johansson, Tomas. January 2021.
Traditional aviation safety management methods have contributed to exceptional aviation safety. Recent aviation events and increasing system complexity have, however, shown that a systems theory approach could provide complementary perspectives and contribute to aviation safety. The purpose of the study was to describe and understand pilots' and managers' experiences of flight safety, risk and adaptation of work practices. Qualitative interviews were performed with five pilots and five flight managers/safety managers in civil airlines and an air force. An inductive thematic analysis method was used. The results identified themes of conflicts and contradictions inherent in the aviation systems studied. The conflict themes were production and safety, a strong system and the role of the individual, standardisation and pilots' discretionary space, compliance and flexibility, trust and distance, and safety culture and safety measurement. The systems studied showed complex characteristics, making them liable to systems accidents and making system conflicts more difficult to solve. Unresolved conflicts, for example between production and safety, were connected to organisational and practical drift, in some cases compounded by secrecy. The conflicts appeared differently in different organisations. The study results highlight the importance of using qualitative data to gain a multitude of perspectives, increase system adaptability, and monitor the balance between production and safety. The size of the pilots' discretionary space should be deliberately managed, and the addition of further traditional safety barriers should be evaluated by their effect on system opaqueness and complexity.
12. Mitigating Emergent Safety and Security Incidents of CPS by a Protective Shell
Wagner, Leonard. 7 November 2023.
In today's modern world, Cyber-Physical Systems (CPS) have gained widespread prevalence, offering tremendous benefits while also increasing society's dependence on them. Given the direct interaction of CPS with the physical environment, their malfunction or compromise can pose significant risks to human life, property, and the environment. However, as the complexity of CPS rises due to heightened expectations and expanded functional requirements, ensuring their trustworthy operation solely during the development process becomes increasingly challenging.
This thesis introduces and delves into the novel concept of the 'Protective Shell' – a real-time safeguard actively monitoring CPS during their operational phases. The protective shell serves as a last line of defence, designed to detect abnormal behaviour, conduct thorough analyses, and initiate countermeasures promptly, thereby mitigating unforeseen risks in real-time.
The primary objective of this research is to enhance the overall safety and security of CPS by refining, partly implementing, and evaluating the innovative protective shell concept. To provide context for collaborative systems working towards higher objectives — common within CPS as system-of-systems (SoS) — the thesis introduces the 'Emergence Matrix'. This matrix categorises outcomes of such collaboration into four quadrants based on their anticipated nature and desirability. Particularly concerning are outcomes that are both unexpected and undesirable, which frequently serve as the root cause of safety accidents and security incidents in CPS scenarios. The protective shell plays a critical role in mitigating these unfavourable outcomes, as conventional vulnerability elimination procedures during the CPS design phase prove insufficient due to their inability to proactively anticipate and address these unforeseen situations.
Employing the design science research methodology, the thesis is structured around its iterative cycles and the research questions imposed, offering a systematic exploration of the topic. A detailed analysis of various safety accidents and security incidents involving CPS was conducted to retrieve vulnerabilities that led to dangerous outcomes. By developing specific protective shells for each affected CPS and assessing their effectiveness during these hazardous scenarios, a generic core for the protective shell concept could be retrieved, indicating general characteristics and its overall applicability.
Furthermore, the research presents a generic protective shell architecture, integrating advanced anomaly detection techniques rooted in explainable artificial intelligence (XAI) and human-machine teaming. While the implementation of protective shells demonstrates a substantial positive impact on CPS safety and security, the thesis also articulates potential risks associated with their deployment that require careful consideration.
In conclusion, this thesis makes a significant contribution towards the safer and more secure integration of complex CPS into daily routines, critical infrastructures and other sectors by leveraging the capabilities of the generic protective shell framework.

Contents:
1 Introduction
1.1 Background and Context
1.2 Research Problem
1.3 Purpose and Objectives
1.3.1 Thesis Vision
1.3.2 Thesis Mission
1.4 Thesis Outline and Structure
2 Design Science Research Methodology
2.1 Relevance-, Rigor- and Design Cycle
2.2 Research Questions
3 Cyber-Physical Systems
3.1 Explanation
3.2 Safety- and Security-Critical Aspects
3.3 Risk
3.3.1 Quantitative Risk Assessment
3.3.2 Qualitative Risk Assessment
3.3.3 Risk Reduction Mechanisms
3.3.4 Acceptable Residual Risk
3.4 Engineering Principles
3.4.1 Safety Principles
3.4.2 Security Principles
3.5 Cyber-Physical System of Systems (CPSoS)
3.5.1 Emergence
4 Protective Shell
4.1 Explanation
4.2 System Architecture
4.3 Run-Time Monitoring
4.4 Definition
4.5 Expectations / Goals
5 Specific Protective Shells
5.1 Boeing 737 Max MCAS
5.1.1 Introduction
5.1.2 Vulnerabilities within CPS
5.1.3 Specific Protective Shell Mitigation Mechanisms
5.1.4 Protective Shell Evaluation
5.2 Therac-25
5.2.1 Introduction
5.2.2 Vulnerabilities within CPS
5.2.3 Specific Protective Shell Mitigation Mechanisms
5.2.4 Protective Shell Evaluation
5.3 Stuxnet
5.3.1 Introduction
5.3.2 Exploited Vulnerabilities
5.3.3 Specific Protective Shell Mitigation Mechanisms
5.3.4 Protective Shell Evaluation
5.4 Toyota 'Unintended Acceleration' ETCS
5.4.1 Introduction
5.4.2 Vulnerabilities within CPS
5.4.3 Specific Protective Shell Mitigation Mechanisms
5.4.4 Protective Shell Evaluation
5.5 Jeep Cherokee Hack
5.5.1 Introduction
5.5.2 Vulnerabilities within CPS
5.5.3 Specific Protective Shell Mitigation Mechanisms
5.5.4 Protective Shell Evaluation
5.6 Ukrainian Power Grid Cyber-Attack
5.6.1 Introduction
5.6.2 Vulnerabilities in the critical Infrastructure
5.6.3 Specific Protective Shell Mitigation Mechanisms
5.6.4 Protective Shell Evaluation
5.7 Airbus A400M FADEC
5.7.1 Introduction
5.7.2 Vulnerabilities within CPS
5.7.3 Specific Protective Shell Mitigation Mechanisms
5.7.4 Protective Shell Evaluation
5.8 Similarities between Specific Protective Shells
5.8.1 Mitigation Mechanisms Categories
5.8.2 Explanation
5.8.3 Conclusion
6 AI
6.1 Explainable AI (XAI) for Anomaly Detection
6.1.1 Anomaly Detection
6.1.2 Explainable Artificial Intelligence
6.2 Intrinsic Explainable ML Models
6.2.1 Linear Regression
6.2.2 Decision Trees
6.2.3 K-Nearest Neighbours
6.3 Example Use Case - Predictive Maintenance
7 Generic Protective Shell
7.1 Architecture
7.1.1 MAPE-K
7.1.2 Human Machine Teaming
7.1.3 Protective Shell Plugin Catalogue
7.1.4 Architecture and Design Principles
7.1.5 Conclusion Architecture
7.2 Implementation Details
7.3 Evaluation
7.3.1 Additional Vulnerabilities introduced by the Protective Shell
7.3.2 Summary
8 Conclusion
8.1 Summary
8.2 Research Questions Evaluation
8.3 Contribution
8.4 Future Work
8.5 Recommendation
13. Development of an Improved Dissipative Passive Haptic Display
Reed, Matthew Robert. 25 November 2003.
This project focuses on the design and modeling of a two degree-of-freedom dissipative passive haptic display. Haptic displays are man-machine interfaces that transmit forces to the human operator. A dissipative passive haptic display is one that may only remove energy from the system using actuators such as brakes and dampers, thus ensuring the safety of the human operator. These devices may be used to implement virtual constraints such as desired paths and obstacles. Traditional friction brakes have previously been used as dissipative and coupling elements in a two degree-of-freedom parallel manipulator, resulting in undesired effects such as vibration, stiction, and slow response times. Alternatively, the new robot is actuated by rheological brakes, which feature fast response times and smooth application of torque. This approach aims to improve upon the accuracy and feel of the previous design.
A commercial magnetorheological (MR) fluid brake was selected and put through an extensive series of tests. The data was used to develop a model that characterizes MR fluid behavior in low speed braking applications. A parallel five bar linkage was designed and built that has separate configurations corresponding to 3-brake and 4-brake operation. The length of each arm was chosen by means of a geometrical optimization that weighs the size and area of the workspace and actuator effects. A simulation was then developed by incorporating the brake model into the equations of motion of the robot. Next, two forms of path following velocity control were devised and tested in simulation. Finally, the accuracy, workload, and smoothness of both controllers and both configurations were examined in preliminary tests with human operators.
14. Ein Beitrag zur ganzheitlichen Sicherheitsbetrachtung des Bahnsystems (A Contribution to the Holistic Safety Consideration of the Railway System)
Anders, Enrico. 7 November 2008.
This thesis examines the term safety from different points of view, structures boundary conditions from theory and practice in a goal-oriented way, and presents a proposal for integrating operational aspects into safety analyses. To this end, the normatively anchored life-cycle phases of the railway system and the responsibilities defined within them are first presented. Building on this, a new analysis method using availability-safety diagrams is described by way of example for operational scenarios of the railway system. The thesis concludes by presenting a model for the holistic safety consideration of the railway system, which integrates the findings gained beforehand and lays the foundation for the approval procedure of railway installations with an operational safety case.
15. Systems and Safety Engineering in Hybrid-Electric and Semi-Autonomous Vehicles
Trask, Simon J. 29 August 2019.
No description available.
16. On Safety Assessment of Automated Driving Systems Using Simulation-based Testing and Formal Methods
Saraoglu, Mustafa. 3 June 2024.
Automated vehicles are assumed to play an important role in the future of mobility, but their operation must be provably safe. They consist of automated driving systems (ADSs) that perform various automated driving tasks without the active participation of a human driver. These automated driving tasks can be mainly categorized as perception, decision-making, and motion control. These tasks must be accomplished by the components of an ADS, which must be seamlessly integrated to ensure safety. The complexity of the ADS architecture makes the safety assessment rather challenging. This complexity is further exacerbated when automated vehicles need to interact in different traffic situations. Design, verification, and testing of ADSs as simulation models provide a safer and cost-efficient early development opportunity compared to real-world testing. To this end, a capable simulation framework that incorporates the simulation models of ADSs must be developed for designing, implementing, and testing these models in a traffic simulation.
The main contributions of this thesis are denoted as (i), (ii), and (iii). Safety assessment of ADS can be done either experimentally by (i) simulation-based testing in (ii) a simulation framework or theoretically (iii) using formal methods. Simulation-based testing requires two components: (i) efficient testing strategies for different ADS components and (ii) a simulation framework containing the models of ADS components for applying these testing strategies. Simulation-based testing alone cannot prove or guarantee safety. In order to complement the safety assessment process, whenever applicable, (iii) formal methods must be utilized to derive theoretical safety proofs for certain types of systems for a set of assumptions. Formal methods for synthesis include methods such as correct-by-construction of control protocols and reachability analysis for dynamic systems, which can be used to design provably safe decision-making and control algorithms. The correct-by-construction synthesis of discrete control protocols can be used as safety filters for decision-making algorithms, such as autonomous intersection management algorithms, to verify the safety of taken actions. The reachability analysis is useful for predicting trajectories for possible maneuvers in a finite time horizon for an automated vehicle on a highway. By over-approximating these ego vehicle trajectories, safety verification of possible maneuvers can be done by comparing them to the possible trajectories of other vehicles. A game-theoretical decision-making approach, such as minimax, can augment safety in maneuver planning by considering the worst-case situations up to a finite time horizon. Such an online maneuver planning algorithm reconsiders the maneuvers at each planning cycle in a receding horizon fashion. 
However, to apply formal methods, certain assumptions must be made about complex parts of ADSs, and therefore, simulation-based testing is still needed to check the validity of these assumptions in simulation models. Safety assessment with a holistic approach is presented that combines the previously mentioned contributions of this thesis (i), (ii), and (iii) into a workflow of modeling, design/synthesis, and testing. Such an approach is essential for developing safe algorithms for ADSs in a simulation framework.

Contents:
Kurzfassung (German abstract)
Abstract
Contents
1 Introduction
1.1 Motivation
1.2 Scope of the Thesis
1.3 Research Questions
1.4 Structure of the Thesis
2 Safety Assessment of Automated Driving Systems - State of the Art
2.1 State of the Art
2.1.1 Definition of ADS
2.1.2 Meaning of Safety for ADS
2.1.3 Testing for Safety
2.1.4 Simulation Frameworks for ADSs and AVs
2.1.5 Roles of Formal Methods
2.2 Challenges and Contributions
2.2.1 Challenges in the State-of-the-Art
2.2.2 The Contributions
3 Simulation-based Testing using Fault Injection
3.1 Related Work and Preliminaries
3.1.1 Fault Injection
3.1.2 Fault Types and Parameters
3.1.3 Testing for ADS safety using FI
3.1.4 Metrics and Specifications for Safety Evaluation
3.1.5 Simulative Error Propagation Analysis
3.2 Developing a Testing Strategy using Fault Injection
3.2.1 Automated Testing
3.2.2 Using Domain-specific Knowledge
3.2.3 Smart Testing Strategy
3.3 Application of Testing Strategies
3.3.1 Testing of ACC Systems for Fault Tolerance using Fault Injection
3.3.2 Discovering Fault Parameter Space using Smart Testing Strategy
3.4 General Functionalities for Efficient Tools
3.5 Conclusion
4 A Framework for Simulating Automated Driving Systems in Traffic
4.1 Related Work
4.1.1 Levels of Detail in Traffic Simulation
4.1.2 Traffic Simulations and Scenario-based Testing
4.1.3 Generic ADS Architecture
4.2 Preliminaries and Definitions
4.2.1 Map and Path Planning
4.2.2 Decision Making and Trajectories
4.2.3 Vehicle Motion Control
4.3 Mapping the ADS structure into a Simulation Model
4.3.1 Sensor-based Perception
4.3.2 V2X Communication
4.3.3 Global Path Planner
4.3.4 Behavioral Planner/Maneuver Planner
4.3.5 Longitudinal and Lateral Motion Control
4.4 Interfaces and Layering between Modules
4.4.1 Relations between Discrete Decision-Making and Continuous Control
4.4.2 Vehicles and the Infrastructure - Autonomous Intersection Management
4.5 Instantiating a Model-based Traffic Simulation
4.5.1 Traffic Simulation Environment Architecture
4.5.2 Road Network and the Map Format
4.5.3 Scenario-based Traffic Simulation as Test Cases
4.5.4 Overview of the Simulation Framework with Fault Injection
4.6 Case Studies
4.6.1 Urban Traffic Simulations
4.6.2 Fault-Error-Failure Chain Analysis for Safety Assessment
4.7 Conclusion
5 Using Formal Methods for Safe Algorithms Design
5.1 Control Protocol Synthesis
5.1.1 Related Work and Preliminaries
5.1.1.1 Finite State Transition Systems
5.1.1.2 Linear Temporal Logic and Büchi Automaton
5.1.1.3 Correct-by-Construction Control Protocol Synthesis
5.1.2 Application in an Autonomous Intersection Management Algorithm
5.1.2.1 Modeling the Intersection and the Behaviors of the Vehicles
5.1.2.2 Specifications for Synthesis
5.1.2.3 Algorithm for Safe Decision-Making for AIM
5.2 Game-Theoretical Decision-Making and Trajectory Verification
5.2.1 Related Work and Preliminaries
5.2.1.1 Game-Theoretical Minimax Decision-Making
5.2.1.2 Reachability Analysis for Trajectory Generation
5.2.1.3 Motion in Frenet Coordinates
5.2.1.4 Modeling of AVs and Maneuvers
5.2.2 Application in a Safe Maneuver Planning Algorithm
5.2.2.1 Fixed Abstraction and the Over-Approximation of Trajectories
5.2.2.2 Safety Quantification of Maneuvers
5.2.2.3 Minimax Decision-Making for Safe Maneuver Planning
5.3 Conclusion
6 Safety Assessment with a Holistic Approach
6.1 Overview and the Application of the Approach
6.2 Case Studies
6.2.1 Case Study 1: Safety of an Autonomous Intersection Management Algorithm
6.2.1.1 Modeling
6.2.1.2 Design/Synthesis
6.2.1.3 Testing and Results
6.2.1.4 Conclusion
6.2.2 Case Study 2: Safety of a Maneuver Planning Algorithm for Highway Driving
6.2.2.1 Modeling
6.2.2.2 Design/Synthesis
6.2.2.3 Testing and Results
6.2.2.4 Conclusion
7 Conclusions
7.1 Main Findings
7.2 Answers to the Research Questions
7.3 Possible Future Directions
Appendix A Additional Details
A.1 Rigid Bodies of the Vehicles
A.2 Collision Detection
A.3 Trajectory Tracking in Frenet Coordinates
References