4 research outputs found

    Building safety into the conceptual design of complex systems. An aircraft systems perspective.

    Safety is a critical consideration during the design of an aircraft, as it constrains how primary functions of the system can be achieved. It is essential to include safety considerations from early design stages to avoid low-performance solutions or high costs associated with the substantial redesign that is commonly required when the system is found not to be safe at late stages of the design. Additionally, safety is a crucial element in the certification process of aircraft, which requires compliance with safety requirements to be demonstrated. Existing methods for safety assessment are limited in their ability to inform architectural decisions from early design stages. Current techniques often require large amounts of manual work and are not well integrated with other system engineering tools, which translates into increased time to synthesise and analyse architectures, thus reducing the number of alternative architectures that can be studied. This lack of timely safety assessment also results in a situation where safety models evolve at a different pace and become outdated with respect to the architecture definition, which limits their ability to provide valuable feedback. Within this context, the aim is to improve the efficiency and effectiveness of design for safety as an integral part of the systems architecting process. Three objectives are proposed to achieve the stated aim: automate and integrate the hazard assessment process with the systems architecting process; facilitate the interactive introduction of safety principles; and enable a faster assessment of safety and performance of architectures. The scope is restricted to the earlier (conceptual) design stages, the use of model-based systems engineering for systems architecting (RFLP paradigm) and steady-state models for rapid analysis. Regarding the first objective, an enabler to support the generation of safety requirements through hazard assessment was created. 
The enabler integrates the RFLP architecting process with System-Theoretic Process Analysis (STPA) to ensure consistency of the safety assessment and to derive safety requirements more efficiently. Concerning the second objective, interactive enablers were developed to support the designer when synthesizing architectures featuring a combination of safety principles such as physical redundancy, functional redundancy, and containment. To ensure consistency and reduce the amount of work required to add safety, these methods leverage the ability to trace dependencies within the logical view and between the RFLP domains of the architecture. As required by the third objective, methods were developed to automate substantial parts of the process of creating analysis models. In particular, the methods enable rapid generation of models for Fault Tree Analysis and subsystem sizing that take into account advanced contextual information such as mission, environment, and system configurations. To evaluate this research, the methods were implemented in AirCADia Architect, an object-oriented architecting tool. The methods were verified and evaluated through their application to two aircraft-related use cases. The first use case involves the wheel brake system and the second involves several subsystems. The results of this study were presented to a group of design specialists from a major airframe manufacturer for evaluation. The experts concluded that the proposed framework allows architects to define and analyse safe architectures faster, thus enabling a more effective and efficient design space exploration during conceptual design.
    PhD in Aerospac

    STPA enabled safety assessment in the architecting of complex systems

    STPA is a hazard assessment technique that represents systems as hierarchical control structures composed of feedback control loops. Existing computational support focuses on creating the diagrams that depict these hierarchies. However, the elements in the loops and the signals exchanged must be determined manually. This impedes safety assessment, thus reducing the number of designs that can potentially be explored. Furthermore, the manual approach does not guarantee that the architecture is correctly updated with changes resulting from safety assessment, which can make the architecture inconsistent with the safety assessment. To overcome these limitations, two methods are proposed for the first time that automate the creation of (1) hierarchical control structures and (2) detailed control loops. The methods create STPA models by analysing the architecture, which is modelled as a graph. The concept is illustrated with a representative example of a wheel brake system. The resulting models are compared with those obtained manually by the authors of STPA. The automation is shown to significantly reduce the required time and effort. It was also found to ensure consistency between the safety analysis and the architecture definition, as it requires safety features to be included in the architecture before they are considered in the STPA analysis.

    Managing assumption-driven design change via margin allocation and trade-offs

    Assumptions are commonly introduced to fill gaps in knowledge during the engineering design process. However, the uncertainty inherent in these assumptions constitutes a risk that ought to be mitigated. That is, assumptions can negatively impact the system if they turn out to be invalid. Adverse effects may include system failure, violation of requirements, or budget and schedule overruns. In this paper, the relationships between assumptions and margins are made explicit, with the purpose of aiding risk mitigation, as well as accommodating future opportunities such as product evolvability. To this end, a novel assumption management framework is proposed, which consists of a taxonomy of margins, an algorithm for change absorber localisation, and an interactive approach for margin trade-off. The proposed framework is demonstrated with a conceptual aircraft design use case, which shows that the most relevant margins can be identified given a revision of a set of assumptions. It is also demonstrated that applying the method allowed the margins to be adjusted according to the confidence in the assumptions, while maintaining satisfaction of all design constraints, without unacceptable compromise of system performance.

    Data Supporting "Managing Assumption-Driven Design Change via Margin Allocation and Trade-offs"

    Results of the design-of-experiments study produced in "Managing Assumption-Driven Design Change via Margin Allocation and Trade-offs". Presented as Figures 16, 17, and 18 in the paper.