8 research outputs found

    Tool-supported approaches for the development of interactive systems integrating dependability and usability aspects

    Since the Airbus A380 and with the introduction of the ARINC 661 standard, glass cockpits are being replaced by interactive cockpits, which allow the crew to control aircraft systems through the display unit using a keyboard and cursor control unit (KCCU). Currently only secondary, non-critical aircraft systems are managed through such interactive cockpits. To generalize such features to critical aircraft systems, the main question remains how to meet the dependability requirements imposed on such systems while preserving their usability properties. To reach the goal of using such interaction techniques within safety-critical aircraft systems, our research work has followed three main directions. The first approach is to tend toward zero-defect design, by producing a precise and unambiguous description of the software components of the interactive system using a formal description technique. The second approach consists in the use of fault-tolerance mechanisms to handle residual design faults, physical faults or environmental faults. These fault-tolerance mechanisms enable continuity of service despite the occurrence of faults. The third approach is the clarification of the impact of the different fault-tolerance mechanisms on the usability of the interactive system. This clarification is done by building and analyzing task models describing the user's activity with the system.


    An Approach for Assessing both Usability and Dependability of Interactive Systems: Application to Interactive Cockpits

    A cockpit is the interactive environment of an aircraft which enables both the pilot and the first officer to monitor the aircraft systems and to control them. Allowing the crew to control aircraft systems through the display unit using a keyboard and cursor control unit is one of the main novelties of the new generation of cockpits based on the ARINC 661 standard. Currently only secondary aircraft systems are managed using such interactive cockpits. Generalisation to other aircraft systems would require introducing mechanisms aimed at ensuring the fault tolerance of such interaction in cockpits. Such mechanisms would allow designers to take into account the safety requirements of the new functions. However, such mechanisms may have consequences on the crew's activities. This paper reports studies that have been performed on fault-tolerance mechanisms in the domain of ARINC 661 interactive cockpits. More precisely, this paper focuses on interactive systems, showing how these fault-tolerance mechanisms (mainly redundancy, as segregation and diversity are not dealt with here) could affect the usability of the interactive system, making both the tasks of the crew members and their training more complex. We propose a generic approach to analyse the trade-offs between dependability and usability in a software interactive cockpit environment.

    Self-Checking Widgets for Interactive Cockpits

    In the last few years, glass cockpits have been replaced by interactive cockpits to provide a much higher level of integration. Due to their event-driven nature, interactive systems offer more display and control features but also more unpredictable side effects. Since exhaustive testing is impossible, fault-tolerance techniques have to be considered. This paper proposes a model-based approach for adding fault-tolerance mechanisms to interactive cockpits. The contribution is focused on the implementation of self-checking widgets, which are the basis for interactive cockpits.

    Interactive Cockpits Applications: Specification, Prototyping and Validation using a Petri-nets based Formalism

    The purpose of the ARINC 661 specification is to define interfaces to a Cockpit Display System (CDS), which is used in many types of aircraft cockpits such as the A380 from Airbus, the B787 from Boeing or the Falcon 2000D from Dassault Aviation. ARINC 661 provides precise information on the communication protocol between applications (called User Applications) and elementary user interface components (called widgets). It also provides a detailed description of the widgets themselves (attributes, events …). However, in ARINC 661, very little information is given about the behaviour of these widgets and about the behaviour of an application made up of a set of such widgets. This paper presents a quick overview of the formal description technique called Interactive Cooperative Objects (ICOs) and its application to modelling the various elements of the ARINC 661 specification. This formal description technique defines (in a precise and non-ambiguous way) all the elements of an interactive application compliant with the ARINC 661 specification, and especially their behavioural aspects, which are definitely overlooked in the standard. The application of the formal description technique is shown on an interactive application to be used in an interactive cockpit. This application supports pilots' activities while cooperating with Air Traffic Controllers (ATC) using a Data-Link (DL) communication technology. Such communication must follow a predefined protocol called CPDLC (Controller-Pilot Data Link Communication). Using this application as a case study, we present how ICOs are used for modelling Interactive Widgets, User Applications and User Interface servers (in the context of the ARINC 661 specification). Lastly, we briefly present how such models can be exploited for verification and validation of interactive cockpit applications.

    Self-Checking Components for Dependable Interactive Cockpits Using Formal Description Techniques

    In the last few years, glass cockpits have been replaced by interactive cockpits to provide a higher level of integration of both command and information display. Due to their event-driven nature, interactive systems offer more display and control capabilities, but they require specific error detection and fault-tolerance techniques to reach a high level of dependability. This paper proposes a model-based approach for adding fault-tolerance mechanisms to interactive cockpits. While several mechanisms are considered and presented, the contribution is focused on the formal description of self-checking widgets, which are the basis for interactive cockpits.