Model-Driven Development of Safety Architectures

We describe the use of model-driven development for safety assurance of a pioneering NASA flight operation involving a fleet of small unmanned aircraft systems (sUAS) flying beyond visual line of sight. The central idea is to develop a safety architecture that provides the basis for risk assessment and visualization within a safety case, the formal justification of acceptable safety required by the aviation regulatory authority. A safety architecture is composed from a collection of bow tie diagrams (BTDs), a practical approach to managing safety risk by linking the identified hazards to the appropriate mitigation measures. The safety justification for a given unmanned aircraft system (UAS) operation can have many related BTDs. In practice, however, each BTD is independently developed, which poses challenges with respect to incremental development, maintaining consistency across different safety artifacts when changes occur, and extracting and presenting stakeholder-specific information relevant for decision making. We show how a safety architecture reconciles the various BTDs of a system and, collectively, provides an overarching picture of system safety, by considering them as views of a unified model. We also show how it enables model-driven development of BTDs, replete with validations, transformations, and a range of views. Our approach, which we have implemented in our toolset, AdvoCATE, is illustrated with a running example drawn from a real UAS safety case. The models and some of the innovations described here were instrumental in successfully obtaining regulatory flight approval.
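The abstract's central idea, BTDs as views of one unified model with validations and change propagation, can be made concrete with a small Python sketch. This is an added example written for this page; it is not code from the paper or from AdvoCATE, and its model shape (hazards linking threats and consequences to barrier ids), its validation rules, and all hazard and barrier names are constructed assumptions for illustration.

```python
"""Added example (not from the paper or AdvoCATE): a minimal unified safety
model from which bow tie diagrams (BTDs) are derived as views, with
consistency validations. All names and data below are constructed."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Barrier:
    id: str
    name: str


@dataclass
class Hazard:
    id: str
    name: str
    threats: dict        # threat event -> list of barrier ids (preventive side)
    consequences: dict   # consequence event -> list of barrier ids (recovery side)


@dataclass
class SafetyModel:
    """The single model; every BTD is computed from it rather than stored."""
    barriers: dict = field(default_factory=dict)  # barrier id -> Barrier
    hazards: dict = field(default_factory=dict)   # hazard id -> Hazard

    def add_barrier(self, b: Barrier) -> None:
        self.barriers[b.id] = b

    def add_hazard(self, h: Hazard) -> None:
        self.hazards[h.id] = h

    def bow_tie_view(self, hazard_id: str) -> dict:
        """Derive the BTD for one hazard as a view, resolving ids to current names."""
        h = self.hazards[hazard_id]
        return {
            "hazard": h.name,
            "threats": {t: [self.barriers[b].name for b in bs] for t, bs in h.threats.items()},
            "consequences": {c: [self.barriers[b].name for b in bs]
                             for c, bs in h.consequences.items()},
        }

    def validate(self) -> list:
        """Consistency checks a model-driven tool would run before rendering views:
        every threat/consequence needs a barrier, and every barrier id must exist."""
        issues = []
        for h in self.hazards.values():
            for side, links in (("threat", h.threats), ("consequence", h.consequences)):
                for event, barrier_ids in links.items():
                    if not barrier_ids:
                        issues.append(f"{h.id}: {side} '{event}' has no barrier")
                    for b in barrier_ids:
                        if b not in self.barriers:
                            issues.append(
                                f"{h.id}: {side} '{event}' references unknown barrier '{b}'")
        return issues

    def rename_barrier(self, barrier_id: str, new_name: str) -> None:
        """One change in the model propagates to every BTD view using that barrier."""
        old = self.barriers[barrier_id]
        self.barriers[barrier_id] = Barrier(old.id, new_name)

    def barrier_usage(self) -> dict:
        """Cross-BTD stakeholder view: which hazards each barrier contributes to."""
        usage = {bid: set() for bid in self.barriers}
        for h in self.hazards.values():
            for links in (h.threats, h.consequences):
                for bs in links.values():
                    for b in bs:
                        usage.setdefault(b, set()).add(h.id)
        return usage


def build_example_model() -> SafetyModel:
    """Constructed sample model with two hazards sharing one recovery barrier."""
    m = SafetyModel()
    m.add_barrier(Barrier("B1", "Ground-based detect and avoid"))
    m.add_barrier(Barrier("B2", "Geofence"))
    m.add_barrier(Barrier("B3", "Flight termination system"))
    m.add_hazard(Hazard("H1", "Airborne conflict with manned aircraft",
                        threats={"Intruder aircraft enters operating area": ["B1"]},
                        consequences={"Mid-air collision": ["B3"]}))
    m.add_hazard(Hazard("H2", "Loss of containment (fly-away)",
                        threats={"GPS degradation": ["B2"], "C2 link loss": []},
                        consequences={"Ground impact outside area": ["B3"]}))
    return m


if __name__ == "__main__":
    model = build_example_model()
    for issue in model.validate():
        print("VALIDATION:", issue)        # flags the unmitigated 'C2 link loss' threat
    model.rename_barrier("B3", "Flight termination system (rev. 2)")
    for hid in model.hazards:
        print(model.bow_tie_view(hid))     # both BTD views show the renamed barrier
    print(model.barrier_usage())
```

Because each BTD is computed from the model on demand, the rename is made once and both derived views agree, which is the consistency property the abstract describes; the validation list is the kind of check that an independently maintained set of diagrams cannot provide across diagrams.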
