Page 1
Systems Theoretic Process Analysis Applied to Air Force Acquisition Technical Requirements Development
by
Sarah E. Summers Major, United States Air Force
B.S. Aerospace Engineering, Oklahoma State University, 2005
B.S. Mechanical Engineering, Oklahoma State University, 2005 M.S. Aeronautical Engineering, Air Force Institute of Technology, 2011
M.S. Flight Test Engineering, Air Force Test Pilot School, 2014
Submitted to the System Design and Management Program in Partial Fulfillment of the Requirements for the Degree of
Master of Science in Engineering and Management
at the
Massachusetts Institute of Technology
February 2018
ã 2018 Sarah E. Summers All rights reserved
The author hereby grants to MIT permission to reproduce and to distribute publicly paper and electronic copies of this thesis document in whole or in part
in any medium now known or hereafter created.
Signature of Author_____________________________________________________________
Sarah E. Summers System Design and Management Program
December 1, 2017 Certified by____________________________________________________________________
Nancy G. Leveson, Ph.D., Professor Department of Aeronautics and Astronautics
Thesis Supervisor
Accepted by___________________________________________________________________ Joan Rubin
Executive Director, System Design and Management Program
Page 2
2
This Page Intentionally Left Blank
Page 3
3
Disclaimer The views expressed in this document are those of the author and do not reflect the official
position or policies of the United States Air Force, Department of Defense, or Government.
Page 4
4
This Page Intentionally Left Blank
Page 5
5
In memory of all of those who have given their life for our country, in particular:
Jolly 38:
Captain Gregg Lewis Captain Philip Miller
Master Sergeant Matthew Sturtevant Staff Sergeant Keven Brunelle Staff Sergeant Kenneth Eaglin Senior Airman Jesse Stewart
Jolly 39:
Lieutenant Colonel William Milton Captain Carl Youngblood
Second Lieutenant Michael Harwell Technical Sergeant Jeffrey Armour
Senior Airman Adam Stewart Senior Airman Justin Wotasik
and
Captain Michael Geragosian
“These things we do that others may live”
Also in memory of Major Lee Berra.
Page 6
6
This Page Intentionally Left Blank
Page 7
7
SystemsTheoreticProcessAnalysisAppliedtoAirForceAcquisitionTechnicalRequirementsDevelopment
By
SarahE.SummersMajor,UnitedStatesAirForce
SubmittedtotheSystemDesignandManagementProgramon1December2017inpartialfulfillmentoftherequirementsforthedegreeofMasterofScienceinEngineeringand
Management
AbstractTheAirForceexperienced12ClassAaviationmishapsin2016,whichresultedin16fatalitiesand9destroyedaircraft.Sofarin2017,TheAirForcehasagainexperienced12ClassAmishapswith5fatalitiesand7destroyedaircraft.(1)Inadditiontothesemishaps,developmentofnewaircraftormodificationstoaircraftoftentakewellovertheplannedduration.Developmentaltestidentifiesdesigndeficienciesthatmustbeaddressedbeforetheaircraftisfielded,whichrequiresexpensiveandlengthyredesigncycles.Asystemsapproachtodesignwithhumansincludedaspartofthesystemcanimproveboththedevelopmentprocessandaviationsafety.SuchanapproachwascreatedbyProfessorNancyLevesonatMITandiscalledSystemsTheoreticProcessAnalysis(STPA).STPAisshowntobeapplicabletotheAirForceacquisitionsprocessthroughouttheproductlifecycle.STPAisalsocompliantwiththeairworthinesshandbook,MIL-HDBK-516C,andSTPAdocumentationisbeneficialtotheairworthinesscertificationinspectors.STPAisappliedtotwousecases.OneisaconceptualJSTARSaircraft,andtheotherisanunmannedaerialvehicle(UAV)thatwasmodifiedfromageneralaviationaircraft.TheAirForceiscurrentlyinsourceselectionforareplacementtotheJSTARSaircraft.Thehigh-levelSTPAanalysisisforafunctionalreplacementtotheJSTARSaircraft,aswouldbeneededearlyintheacquisitionsprocess.Additionally,accidents,hazards,andasafetycontrolstructurearedevelopedfortheJSTARSsupportsystem.TheUAVanalysisismoredetailed,andprovidesinformationthatisnecessaryduringtheTechnologyMaturation&RiskReductionphaseofanacquisitionprocess.ThesisSupervisor:NancyG.LevesonTitle:ProfessofAeronauticsandAstronauticsandEngineeringSystems
Page 8
8
This Page Intentionally Left Blank
Page 9
9
AcknowledgementsIwouldliketoacknowledgeProfessorNancyLevesonfortakingmeonasathesisadvisee.Ihavelearnedanincredibleamountinthelast18months,andIamappreciativeofyourtimeandsupport.IwouldalsoliketothankDr.JohnThomasandtherestoftheSystemEngineeringResearchLab.Yourhelpandinsightsduringthisjourneyhasbeenincredible.ThankyoutotheSDMfacultyandstaffforthisamazingopportunitytocometoMITandlearnwhatitmeanstobeasystemsthinker.Thisprogramhasopenedmyeyestoabiggerpictureandgivenmethetoolstounderstanditandmakeadifference.TheSDM2016CohorthastaughtmejustasmuchastheMITfaculty.ThankyoutoallthosethathavesharedtheirknowledgeandmadethisexperienceatMITevenbetter.Thankyoutoallthosewhoarecurrentlyservinginharm’sway.Theselflessnessandprofessionalismofmyfellowservicemembersinspiremetodomybesteveryday.Thankyoutomyfamilyandfriendswhohavesupportedmethroughoutmylife.You’vecheeredmeonduringlife’sgoodtimesandgivenmeashoulderduringthehardtimes.Youstimulatemycreativityandencouragemetocontinuetoquestionandlearn.Mostofall,thankyoutomywonderfulwife.ThankyouforstickingbymysidewhileIdragyoufromcoasttocoast(tocoast).Yourendlesssupporthasenabledmetosucceedinthisendeavor.EverydayIstrivetobethepersonyoudeserve,andIamabetterpersonforit.IlookforwardtomanymoreadventureswithyouwherevertheAirForcesendsus.
Page 10
10
This Page Intentionally Left Blank
Page 11
11
ContentsAbstract.................................................................................................................................7
Acknowledgements................................................................................................................9
TableofFigures.....................................................................................................................13
TableofTables......................................................................................................................13
Introduction..........................................................................................................................14Motivation.....................................................................................................................................14Objectives......................................................................................................................................14ThesisStructure.............................................................................................................................14
HazardAnalysisMethods......................................................................................................15FaultTreeAnalysis.............................................................................................................................15FailureModesandEffectAnalysis(FMEA)........................................................................................16HAZOP................................................................................................................................................18DrawbacksofTraditionalHazardAnalyses........................................................................................20STAMP...............................................................................................................................................22
AirForceAcquisitionsandSystemsSafety.............................................................................30AirForceAcquisitionsProcess........................................................................................................30STPAImplementationwithintheAirForceAcquisitionProcess......................................................34
STPAintheAcquisitionsProcess.......................................................................................................34STPAStudyExecutionandPersonnelComposition...........................................................................35
SystemSafetyProcess....................................................................................................................37AirForceAirworthinessProcess.....................................................................................................39STPAandAirworthiness.................................................................................................................40ReliabilityandRedundancy............................................................................................................42Riskmatrices..................................................................................................................................43SystemsThinkingintheAF:Effects-BasedApproachtoOperations...............................................43
JSTARSAnalysis.....................................................................................................................46JSTARSSystemDefinition...............................................................................................................46JSTARSSystemMishaps,Hazards,andHigh-LevelSafetyConstraints.............................................46JSTARSSafetyControlStructure.....................................................................................................47JSTARSStep1:UCAGeneration......................................................................................................47JSTARSStep2:ScenarioGeneration...............................................................................................51JSTARSSTPASummary...................................................................................................................51JSTARSSupportSTAMPAnalysis.....................................................................................................52
JSTARSSupportMishaps...................................................................................................................52JSTARSSupportHazards....................................................................................................................52JSTARSSupportSafetyControlStructure..........................................................................................52
UAVSTPAAnalysis................................................................................................................54UAVSystemDefinition...................................................................................................................54UAVAccidents,Hazards,andHigh-LevelSafetyConstraints............................................................54UAVSafetyControlStructure.........................................................................................................55
Page 12
12
STPAStep1:UCAGeneration.........................................................................................................57STPAStep2:ScenarioGeneration.................................................................................................61UAVSTPASummary.......................................................................................................................64
Conclusions...........................................................................................................................69
AcronymListing.....................................................................................................................70
Appendix1:JSTARSSTPAAnalysis.........................................................................................72
Appendix2:UAVSTPAAnalysis............................................................................................85
Appendix3:STPACompliancewithMIL-HDBK-516C...........................................................163
Bibliography........................................................................................................................183
Page 13
13
TableofFiguresFigure1FaultTreeforPowertotheFirePump(2)......................................................................16Figure2FMEAExampleConceptualDesignReviewforFlightControlSystem(3)......................17Figure3FMEAExamplePreliminaryDesignReviewforFlightControlSystem(3)......................18Figure4TheHAZOPStudyProcedure(5).....................................................................................20Figure5HazardAnalysisTimeline................................................................................................21Figure6ExampleofaHierarchicalSafetyControlStructure(7)..................................................23Figure7SimpleControlStructure(7)...........................................................................................24Figure8ControlFlawsLeadingtoHazards(7).............................................................................25Figure9AnExampleofSTPAStep2:ScenarioGeneration(7)....................................................28Figure10STPATopDownAnalysis..............................................................................................29Figure11AcquisitionsProcess(9)................................................................................................30Figure12SEActivitiesinMaterielSolutionAnalysisPhase(10)..................................................31Figure13SEActivitiesinTechnologyMaturationandRiskReductionPhase(10).......................32Figure14SEActivitiesinEngineeringandManufacturingDevelopmentPhase(10)..................32Figure15SEActivitiesinProductionandDeploymentPhase(10)..............................................33Figure16AcquisitionsProcesswithSTPA....................................................................................34Figure17RiskAssessmentMatrix(14).........................................................................................38Figure18UpdatedRiskMatrix(18)..............................................................................................40Figure19JSTARSSafetyControlStructure...................................................................................47Figure20SimpleJSTARSSupportSafetyControlStructure.........................................................53Figure21UAVSafetyControlStructure.......................................................................................56Figure22ScenarioTypesonControlStructure............................................................................62Figure23Safety-guideddesign(7)...............................................................................................68
TableofTablesTable1BasicGuidewords(5).......................................................................................................19Table2ExampleUCATable(8)....................................................................................................27Table3JSTARSUCAs....................................................................................................................48Table4JSTARSUCAsandSafetyConstraints...............................................................................49Table5UAVOperatorUCAs.........................................................................................................57Table6UAVVMSUCAs................................................................................................................60Table7ExampleofSafetyConstraintsDerivedfromUCAs.........................................................60Table8JSTARSScenarios.............................................................................................................72Table9UAVOperatorSafetyConstraints....................................................................................85Table10UAVVMSSafetyConstraints.........................................................................................90Table11UAVOperatorScenarios................................................................................................93Table12UAVVMSScenarios.....................................................................................................144
Page 14
14
IntroductionMotivationOn2September,1998,twelvemembersofthe66thRescueSquadron,flyingwiththecallsignsJolly38andJolly39,werekilledinamidaircollisionatNellisAirForceBase.Myfatherwastheirsquadroncommander.Onthatday,aweekaftermy16thbirthday,IdecidedtojointheAirForcewhenIturned18.TheAirForcerescuemottois“Thesethingswedothatothersmaylive”.WhileIamnotamemberoftherescuecommunity,Iservewiththatmottoandthosethathavediedlivingthatmottoinmyheart.Thesafetyofourmenandwomenthatserveincombatisthemotivationbehindmyserviceandthisthesis–thatothersmaylive.Aslongasthereisarmedconflict,therewillbemilitarymenandwomenthatdieincombat.Everydeathisatragedytofamily,friends,andtheirfellowservicemembers.Thosemenandwomenwhoarekilledincombatmadeachoicetoserveandtheirsacrificeshouldbehonored.Servicemembersarealsooftenkilledduringnoncombatincidents.Theseincidentshaveanadditionalelementoftragedyinthattheyaremostoftenpreventable.Militarymembersshouldnotdiebecausetheirequipmentdoesnotoperateasintendedortheoperatinginstructionsdonotprovidecorrectinformation.Asaflighttestengineer,Itestednewaircraftandmodificationstoexistingaircrafttoensurethatthefieldedproductissafetooperateandoperatesasdesigned.Weoftenfindinteractionsbetweentheoperatorandproductorbetweenthemodificationsandbaseaircraftaredeficientforuseinthefield.SystemsTheoreticProcessAnalysis(STPA)hasthepotentialtopredicttheseinteractionsduringthedevelopmentprocessinordertodesignouttheflawsthatcanleadtoaccidents.IbelievethatSTPAcanalsosavethelivesofflighttestprofessionalsandourmenandwomenwhoutilizethesesystemsincombat.ObjectivesTheobjectiveofthisthesisistodeterminethefeasibilityofimplementingSTPAwithintheAirForceacquisitionsprocess.Therearetwomaincomponentsofthethesis.OneistoconductcasestudiestoillustratethepoweroftheSTPAanalysistoimplementcomponentsoftheacquisitionprocess.ThesecondcomponentistoinvestigatehowtheSTPAprocesscanbestbeintegratedintocurrentAirForceacquisitionprocesses.ThesisStructureTraditionalhazardanalysismethodswillberesearched,followedbyanexplanationofSTAMPandSTPA.ThehazardanalysissectionisfollowedbyexplaininghowSTPAcouldbeimplementedintotheAFacquisitionandairworthinessprocessesandconclusions.Then,twocasesstudiesusingSTPAarepresented.ThefirstcasestudyisanexampleofaJSTARSusedtomanagebattlesthatincludesgroundandairforces.ThesecondcasestudyisofageneralaviationaircraftmodifiedtobecomeaUAV.
Page 15
15
HazardAnalysisMethodsFaultTreeAnalysisFaulttreeanalysis(FTA)isatopdownrootcausehazardanalysistoolthatcanbeusedforprobabilisticriskassessments.Faulttreeanalysiswasdesignedintheearly1960sforuseontheMinutemansystem,andhasbeenadoptedbyseveralindustriesoverthelast50yearsincludingaerospace,nuclear,chemicalprocessing,andsoftware.FTAcanbeusedthroughoutthedesignandlifecycleofthesystemtoinformdesign,operations,andmodificationstothesystem.Theanalysisbeginswithanundesiredevent,andafaulttreeisdevelopedtodeterminewhatlower-levelevents(failuresorfaults)orcombinationofeventscouldcausetheundesiredevent.Therelationshipbetweenthelower-leveleventsaredefinedusinglogicgates.Oncethemodelisdeveloped,probabilitiesofeacheventarecombinedusingBooleanlogicandsimplereliabilitycalculationstocomputethesystemreliability.(2)Themodelalsoutilizescutsets,whichareauniquesubsetofallthelower-leveleventsthatwouldcausetheundesiredeventtotakeplace.Theremaybeseveralcutsetsforeachundesiredevent,andevaluatingeachallowsthedesignertofocusonspecificdesignchangestoavoidtheundesiredeventalongwithcalculatingaprobabilityforeachcutset.Becausethefocusisonprobabilityandreliability,thedesignchangessuggestedofteninvolveaddingredundancysothatthereliabilitycalculationsareincreased.AnexampleofFTAisshowninFigure1.TheFTAisforafirepump,whichprovideswatertofiresprinklersystems.ThequestionthatnecessitatedtheFTAbelowiswhetherornotthefirepumprequiresemergencypower,suchasagenerator,orifitcanusepowerfromtheutilityprovider.(3)
Page 16
16
Figure1FaultTreeforPowertotheFirePump(3)
AtthetopoftheexampleinFigure1,theundesiredeventis‘nopowertofirepump’.Thiscouldoccuriftheutilitypowerandgeneratorfails,oriftheautomatictransferswitch(ATS)fails.Therearetwopathsbelowtheutilitypowerandgeneratorfailelementforeachpowersource,andbasiceventsthatwouldcauseeachpathtofailarelistedinthebottomblock.Probabilitiesforeachbasiceventareestimated,whichallowstheusertodeterminetheprobabilityoftheundesiredevent.FTAisapowerfultoolthatcanallowanalysisofsystemreliabilitybyevaluatingcomponentfailures,howevernotallundesiredeventsoccurduetoacomponentfailure.Humanandsoftware-relatedsysteminteractionswillnotbecapturedusingFTA,norcanprobabilitiesbeassignedtosuchcases.Additionally,thistypeofanalysisassumesthateachofthefailuresareindependentfromeachother.Thisassumptionmaynotalwaysbeappropriate,andtheresultsoftheanalysiswillbeinaccurateiftheassumptionismadewhenitshouldnotbe.FailureModesandEffectAnalysis(FMEA)FMEAisabottomuphazardanalysistool.Ratherthanstartwithanundesiredevent,aswithFTA,theanalysisbeginswithacomponent.Eachcomponentorsubsystemisanalyzedforpotentialfailures.Theeffectofthefailuremustbedetermined,andfailuredetectionmethods
Page 17
17
andmitigationsaredetermined.(4)Componentfailuresmaybedeterminedbyengineeringjudgementorstatisticalanalysis.AnexampleofFMEAisshowninthefigurebelow.
Figure2FMEAExampleConceptualDesignReviewforFlightControlSystem(4)
Ascanbeseenfromthefigure,thetableisbrokenintosystems,inthiscasethepitchcontrolsystem,andfurtherbrokendownbyfunction,whichismechanicallinkagefunctionforpilotinputcontrolmotions.Differentpossiblefailuresarethenlistedforeachfunction,alongwithwhatmightcausethefailure(assumedfailurecase),effectonthesystem,effectontheaircraft,anyactionsduringflighttocompensateforthefailure,andfinallythefailureclasswithIbeingthemostdangerous.Thefailurescanthenbemitigatedthroughdesignchanges.Thefigurebelowshowsthesamesystematpreliminarydesignreview.
Page 18
18
Figure3FMEAExamplePreliminaryDesignReviewforFlightControlSystem(4)
InFigure3,thefirst4columnsarethesame,butnoweffectonsystem,effectonaircraft,compensatingprovisionshaveallchanged.Additionally,thefailureclassesforallofthefailuretypeshasbeenreducedtoIIorIII.ThemaindrawbacktoFMEAisthatitrequirestheengineertoexamineeverycomponentandpotentialfailuretodetermineifthereisasafetyhazardassociatedwiththatfailure.Itcanbecomeincrediblytimeconsumingcomparedtoothermethods.Additionally,justaswithFTA,onlysinglecomponentfailuresareconsideredinthisanalysis.FTAconsiderscomponentinteractiontosomedegree,howeverFMEAdoesnotatall.Thecasewheretwofailuresarerequiredtoproduceaneffectarenotincluded.Theoreticallytheycouldbe,buttheamountofeffortinvolvedwouldbeprohibitiveexceptfortheverysimplestofsystems.Additionally,thisanalysisdoesnotconsiderthehuman,excepttoassumethehumancanenactthecompensatingprovisionsduringflight,asseeninFigure1forthebrokenfeelspring.HAZOPHazardandoperabilitystudy(HAZOP)wasdevelopedinthe1960sbyImperialChemicalIndustries.(5p.1)itis“astructuredanalysisofasystem,process,oroperationforwhichdetaileddesigninformationisavailable,carriedoutbyamultidisciplinaryteam.”(5p.2)HAZOPsystematicallygoesthrougheachofthesystemparametersandusesasetof
Page 19
19
guidewordstodeterminewhetheroranotadeviationoftheparameterwouldleadtoasafetyhazard.Studiesarecarriedoutwithaclientandafacilitator.(5p.44)ThefacilitatorisanexpertinHAZOP,andtheclientisanexpertintheparticularsystemthattobestudied.AccordingtotheBritishStandardonHAZOP,thekeyfeaturesofaHAZOPanalysisare:
- Theexaminationisacreativeprocess- Theexaminationiscarriedoutundertheguidanceofatrainedandexperiencedstudy
leader- Theexaminationreliesonspecialistsfromvariousdisciplines- Theexaminationshouldbecarriedoutinaclimateofpositivethinkingandfrank
discussion- Solutionstoidentifiedproblemsarenotaprimaryobjective(6)
TheHAZOPprocess,asshowninFigure4,isbrokenintofourmainsteps.DefinitionandPreparationaresimilarstepsforanygroupbasedactivity.Step3,Examination,beginswithdividingthesystemintoparts.ThedivisionallowstheHAZOPteamtomorespecificallydefinethedesignintentofeachpart.Accordingtothestandard,themorecomplexthesystem,andthehigherthestandard,thesmallerthedividedpartswillbe.Eachpartisthenbrokenintoelements,whichcanrangefromstepsorprocessstagestocomponents.(6)Theelementsallhavecharacteristicsassociatedwiththem,suchasmaterialproperties,rates,orinformation.Eachelementisthenexaminedusingguidewords.ThegenericlistofguidewordsareshowninTable1.
Table1BasicGuidewords(6)
Theseguidewordsareusedtoencouragethestudyparticipantstothinkcreativelyabouttheelementsandpartsunderexamination.
Page 20
20
Figure4TheHAZOPStudyProcedure(6)
DrawbacksofTraditionalHazardAnalysesOnedrawbacktoHAZOP,FaultTrees,andFMEA,isthesystemmustalreadyhaveadetaileddesign(6).Ifhazardsareidentified,significantdesignreworkmayberequiredtomitigateoreliminatethehazards.Reworkcoststimeandmoney,andthereisapossibilitythatprogramslackingoneorbothofthosemaychoosenottoimplementallofthemitigations.Additionally,
Page 21
21
solutionstohazardsarenotidentifiedintheseanalyses,whichmeansaseconddesignstudywouldberequiredtodeterminethebestwaytomitigateorreducetheidentifiedhazards.Theseanalysesalsofocusoncomponentfailure,whichisnottheonlycauseofmishaps.ManymishapssuchastheEuropeanSpaceAgency’sSchiaparellimishaponMars,arenotcausedbycomponentfailure,butratherbysoftwareinteractionsduetodesignerrors.(7)Othermishapsarecausedduetohumaninteractionwithinthesystemduetopoordesign.Noneoftheseanalyseswillidentifythesetypesofmishapcauses.Theanalysesonlylookatdeviationsfromdesignintent,whichassumesthatdesignintentissafe.Asdiscussedintheparagraphabovethisassumptionmaynotbevalid,leadingtounidentifiedhazardsassociatedwiththedesignintentitselfthatwillgointoproduction.Thereasontheseanalysesaredeficientformoderntechnologiesisbecausetheywerecreatedduringatimewhensystemsweremainlyelectromechanicalsystemswithnosignificantcomputersorsoftware.AsthetimelineinFigure5shows,thetraditionalhazardanalyseswereallcreatedbeforeManwalkedonthemoon.Sincethen,humanityhasexperiencedagiantleapindigitaltechnologies.Effortstoadapttraditionalmethodstoidentifyhazardsnotcausedbyacomponentfailurecannotbesuccessful,astheunderlyingtheoryfortheseanalyseswerenotbasedonmoderntechnologies.
Figure5HazardAnalysisTimeline
1949-FM
EA
1962-FTA
1963-HA
ZOP
1969–Ap
ollo11
1974–F-16FirstFlight
1997–F-22FirstFlight
2003-STAM
P2006–F-35AFirstFligh
t
1943–FirstDigitalC
omputer1940 19601950 2000199019801970 2010
Page 22
22
Anewhazardanalysisisneededthatisdesignedtocapturebothfailurerelatedandnon-failurerelatedhazards.Theanalysisshouldbeabletoconsiderhumansandsoftwareaspartofthesysteminadditiontotheelectromechanicalcomponentstraditionallyevaluated.STAMPSystems-TheoreticAccidentModelandProcess(STAMP)isbuiltonunderlyingsystemstheoryandthreeconcepts,“safety,constraints,ahierarchicalsafetycontrolstructure,andprocessmodels.”Systemsare‘viewedasinterrelatedcomponentskeptinastateofdynamicequilibriumbyfeedbackcontrolloops.”(8)Accidentsoccur,therefore,duetoaviolationofthesafetyconstraints.Safetyconstraintsareinitiallydefinedatthesystemlevel,andarethenbrokendownto“sub-requirements”asthedesignprogressesandsubsystemsandcomponentsaredeveloped.Thenextconcept,hierarchicalsafetycontrolstructure,isbasedoffofhierarchicalstructuresinsystemstheory.Thelowerlevelsareconstrainedbycontrolprocessesfromthehigherlevels.Inturn,thelowerlevelsprovidefeedbacktothehigherlevels“abouthoweffectivelytheconstraintsarebeingsatisfied.”(8)AnexampleofahierarchicalsafetycontrolstructureisshowninFigure6.Theleftsideissystemdevelopment,andtherightsideisoperations.Thisparticularsafetycontrolstructurehasalargescopethatincludeslegalbodies,regulators,andcompanymanagement.Safetycontrolstructurescanbescopedbasedontheobjectivesoftheanalysis.Animportanttakeawayfromthisparticularsafetycontrolstructureisthatamishapmayoccurwithintheoperatingprocess(bottomrightcornerofthefigure),howevertheinadequatesafetyconstraintsthatledtothemishapcouldbewelloutsideofthesmalloperatingprocessscope.Inadequate(missing,inappropriate,orunenforced)safetyregulations,forexample,couldbeafactorinamishap.Noneoftheotherhazardanalysesdescribedinthissectionexaminehazardsthatarisefromoutsideofthesystemunderdesign.Thecontextinwhichthesystemoperatesshouldbeinputintothedesign.Contextcanincludeoperatingenvironment,companyobjectivesandoperatingpractices,orregulatoryrequirements.Ifthesecontextualinputschange,astheycertainlywillthroughoutthelifecycleofaproduct,theassumptionsthatwentintothedesignarenolongervalid.Asystemthatmayhavebeensafewhenitwasfirstfieldedbecomesunsafe.ThisiswhyLeveson’ssixthnewassumptionis:“Systemswilltendtomigratetowardsstatesofhigherrisk.”(8)Ifthecontextwasnotincludedasaninputtothedesign,thesystemmaybeunsafefromthestart.Becausethecontextofadesignedsystemwillchangethroughoutitslifecycle,feedbackinFigure6isjustasimportantastheconstraintsthatareappliedtothelowerlevels.Forexample,problemreportsprovidedbythecontrollersmustbereportedtoboththesystemdevelopmentandsystemoperationschains.Theoperationsmanagementmayhavetoalterworkinstructionsorsendouttemporarynoticesregardingtheproblemreports.Theprojectmanagerswillevaluatetheproblemreportsandtakeactiontoresolvetheproblem.
Page 23
23
Figure6ExampleofaHierarchicalSafetyControlStructure(8)
Oftenproblemsarenotreportedforavarietyofreasons.Theresultisasystemthatisnotoperatingasitshould,operatorscreatingworkaroundsbythemselvesoroverlookingtheproblem,nohazardanalysistounderstandthesafetyimplicationsoftheproblem,andnosystemredesign.Feedback,therefore,isessentialtothesafetyofthesystemalongwiththesafetyconstraints.
Page 24
24
ThelastmajorcomponentofSTAMPisprocessmodels.Thepurposeoffeedbackistoinformthecontrollerofthestateoftheprocess,whichisacomponentoftheprocessmodel.Theprocessmodel,asdescribedbyLeveson,isa“modelusedtodeterminewhatcontrolactionsareneeded,anditisupdatedthroughvariousformsoffeedback.”Forexample,anautopilotissettomaintainaheading.Theautopilotmustreceivethecurrentheading,aircraftattitude,andailerondeflections.Figure7illustratestheprocessmodelwithinacontrolstructure.Thecontrollerthenusestheprocessmodeltodeterminethecontrolaction.
Figure7SimpleControlStructure(8)
Evenwithaccurateandadequatefeedback,thecontrollerstillmaynotprovideasafecontrolaction.Therefore,asLevesonsaid,“processmodelsplayanimportantrole(1)inunderstandingwhyaccidentsoccurandwhyhumansprovideinadequatecontroloversafety-criticalsystemsand(2)indesigningsafersystems.”Levesonstatesthat“systemsareviewedasinterrelatedcomponentskeptinastateofdynamicequilibriumbyfeedbackcontrolloops.”Safetyisthen“achievedwhenappropriateconstraintsonthebehaviorofthesystemanditscomponentsaresatisfied.”(8)Accidentsoccurwhenthoseconstraintsareviolated.Theviolationsareoneormoreof:
1. Thesafetyconstraintswerenotenforcedbythecontroller.a. Thecontrolactionsnecessarytoenforcetheassociatedsafetyconstraintateach
levelofthesociotechnicalcontrolstructureforthesystemwerenotprovided.b. Thenecessarycontrolactionswereprovidedbutatthewrongtime(tooearlyor
toolate)orstoppedtoosoon.c. Unsafecontrolactionswereprovidedthatcausedaviolationofthesafety
constraints.2. Appropriatecontrolactionswereprovidedbutnotfollowed.(8)
LevesonillustratescontrolflawswithrespecttothesafetycontrolstructureinFigure8below.
Page 25
25
Figure8ControlFlawsLeadingtoHazards(8)
Therearegenerallymultiplecontrollersineachhierarchicalcontrolstructuresthateitherprovidecontrolinputstolowerlevelcontrollers(1),orprovidecontrolactionstothecontrolledprocessitself(controller2).Withinthecontrolledprocess(4),componentfailureswillbeidentified.Feedbackandcontrolactionscanbedisruptedoralteredbyphysicalfailuresaswell(suchasactuatororsensorfailures).Thesetypesoffailuresarewhatotherhazardanalysespreviouslydescribedmayidentify.Thereare,however,manyothercausalfactorsbeyondcomponentfailuresinFigure8thatwillnotbeidentifiedbythetraditionalhazardanalysistechniques.STPA(SystemTheoreticProcessAnalysis)isahazardanalysistechniquebuiltontheSTAMPfoundation.Itstartswithdefining“accidentsorlosses,hazards,safetyrequirementsandconstraints,andthesafetycontrolstructure.”(8)
Page 26
26
Anaccident(ormishapinmilitaryterminology)isdefinedas“Anundesiredorunplannedeventthatresultsinalossincludinglossofhumanlifeorhumaninjury,propertydamage,environmentalpollution,missionloss,etc”(8)Theprojectstakeholdershoulddeterminewhattherelevantlossesarefortheparticularsystembeingdesigned.Ahazardisdefinedas“Asystemstateorsetofconditionsthat,togetherwithaparticularsetofworst-caseenvironmentalconditions,willleadtoanaccident(loss).”(8)Eachhazardshouldtracetoanaccident.Asanexample,ananalysisofanewaircraftwilllikelyincludetheaccidentof“lossoflife”.Ahazardmightbe“aircraftviolatesminimumseparationrequirements.”Ifanaircraftviolatesminimumseparationrequirements,itcouldcauseamidaircollision,whichwouldpossiblyresultinlossoflife.Therefore,thehazardwouldtracetotheaccidentlossoflife.Next,safetyrequirementsaredevelopedfromthehazards.Inthecaseoftheexampleabove,therequirementmaybe“aircraftmustnotviolateminimumseparationrequirements.”Oncethehigh-levelconstraintshavebeendeveloped,thesafetycontrolstructureiscreated.Thecontrolstructuremustbedesignedbasedontherequirementspreviouslydefined,alongwithanyotherconstraintsassociatedwiththeorganizationsthataredesigningandoperatingthesystem,operationalconstruct,andlogisticssupport.STPAhastwosteps.Thefirststepistoidentifyunsafecontrolactions(UCAs).Thesafetycontrolstructureidentifieseachcontrollerandtheirassociatedcontrolactions.Eachcontrolactionisthenevaluatedtodetermineunderwhatcircumstancesthatcontrolactionmayleadtoahazardousstate.InSTAMP,UCAshappenbecause:
1. Acontrolactionrequiredforsafetyisnotprovidedornotfollowed.2. Anunsafecontrolactionisprovided.3. Apotentiallysafecontrolactionisprovidedtooearlyortoolate,atthewrongtimeorin
thewrongsequence.4. Acontrolactionrequiredforsafetyisstoppedtoosoonorfortoolong.(8)
TheseUCAsareoftenputintoatablewiththecontrolactioninthefirstcolumnandthefourtypesofUCAsinthenext4columns.AnexampleoftheUCAtablecanbeseenbelow.
Page 27
27
Table2ExampleUCATable(9)
Inthetableabove,thecontrolactionis“opentraindoors”.NotethattherearenoUCAsinthe“Stoppedtoosoonorappliedtoolong”category,whichonlyappliestocontinuousactions.DiscreteactionswillnothaveUCAsinthiscolumn.ThesecondstepisdetermininghowtheUCAmightoccur.Thisistypicallyaccomplishedbyevaluatingthecontrollooprelatedtotheparticularcontrollerandcontrolactionthatisbeingexamined.Thecausalscenariosthataregeneratedinthisstepwillprovideinformationnecessarytoeliminatethehazard,orifeliminationisimpossibletocontrolthehazard.Thisinformationiswrittenasasafetyrequirementorconstraintthatshouldbeincludedindesignrequirementsoroperationalprocedures.LevesongivesanexampleofhowtodothisinEngineeringaSaferWorld,whichcanbeseeninFigure9.Figure9isamodifiedversionofFigure8forahigh-powerinterlock.Theinterlockshouldcausethepowertobedisruptedwhenadoorisopen,sothatsomeonecanworkintheareawithoutbeingshocked.Whenthedoorisclosed,powerflowstothesystemagain.
Page 28
28
Figure9AnExampleofSTPAStep2:ScenarioGeneration(8)
Figure9showsgeneralscenarios,suchas“detectiondelayed.”Thesescenariosarenotyetdetailedenoughtodeterminehowtoeliminatethehazard.Onemustdeterminewhythedetectionisdelayed.Maybevibrationsintheenvironmentcausesthesensitivedetectortogivefalsedooropenfeedback,sothesensorisprogrammedtoonlyprovidefeedbackoncethedetectorindicatesthedoorisopencontinuouslyforacertainperiodoftime.Ifthisisthecase,thesafetyconstraintmightread“Thedetectormustprovidedooropenfeedbackwithin0.1secondsofopening”,asanexample.“Spuriousfeedback”isanothergeneralscenario.Alongthelinesofthepreviousexample,themoredetailedinformationmightread“Thedetectorissensitiveanddetectssmallmovementsofthedoor,sendingfalseopendoorfeedback.”Asafetyconstraintmaybe“Thedetectormustonlydetectthedooropening,notdoormovementwhilestillintheclosedposition.”Now,designengineerscanevaluatehowtosolvethespuriousfeedback,whichwillinturnsolvetheneedforadelayindetectionfeedback.Whilethismayseemobvioustothereader,systemdesignsareoftenadjustedto‘fix’issuesbyresolvingthesymptomsoftheissueratherthancorrectingaflaweddesign.Thefinaldesignbecomesapatchworkof‘solutions’,insteadofathoughtfulandcohesivedesign.Theauthorhaspersonallyseenthistypeofpatchworkengineeringresultinmishapscostingtensofmillionsofdollars.STPAisatopdownanalysis,meaningthatitstartswithahigh-levelgoal(accidentsthatneedtobeprevented),andtheanalysisprogressesdownintolow-leveldetails.Thetopdownnatureof
Page 29
29
STPAcanbeseeninFigure10.Ahandfulofhigh-levelaccidentsarefollowedbyaslightlylargernumberofhazardsthatcaneachbetracedtooneormoreaccidents.Oncethesafetycontrolstructureiscreated,andthecontrolactionsinthesystemareunderstood,theUCAscanbeexamined.EachUCAisalsotraceabletooneormorehazards.ScenariosforeachUCAarethencreated.Becausetheanalysisbeginsatthetop,onlyscenariosthatcanactuallycauseanaccidentareinvestigated.Additionally,bystartingwithhigh-levelaccidentsandhazardsandworkingdownintothedetail,onecanmoreeasilytellifanaccidentorhazardismissing.Largelistsofhazardsarenearlyimpossibletoinspectforcompleteness.
Figure10STPATopDownAnalysis
Thetraceabilityofananalysisisakeycomponentofanysystemapproach.Thetraceabilityprovidesmultiplefunctions.First,whentheanalysisyieldsasafetyconstraintitisveryeasytounderstandtheoriginoftheconstraintandtheeffectiftheconstraintisnotconsideredinthedesign.Traceability,therefore,servestodocumenttheanalysisandjustifythefindings.Thisallowstheanalysistobequicklyunderstoodbyothers,andprovidesdocumentationofthesafetyapproachwhenthesystemrequiressafetycertification.Second,ifthedesign,associatedsupportsystem,oroperationalcontextchanges,updatingtheanalysisbecomesmucheasier.
Page 30
30
AirForceAcquisitionsandSystemsSafetyAirForceAcquisitionsProcessAsimplifiedversionoftheAirForceacquisitionsprocessisshowninFigure11.Theprocessconsistsof6phases.
Figure11AcquisitionsProcess(10)
ThefirstphaseistheMaterialSolutionAnalysisphase.Inthisphase,anAnalysisofAlternativesisconductedtodeterminetheconcept,ormaterielsolution,forthesystem.TheactivitiesinMSAanddocumentsareshowninFigure12.
Page 31
31
Figure12SEActivitiesinMaterielSolutionAnalysisPhase(11)
ThesecondphaseistheTechnologyMaturationandRiskReductionphase.Thisphase’spurposeisto“reducetechnology,engineering,integration,andlifecyclecostrisktothepointthatadecisiontocontractforEngineeringandManufacturingDevelopment(EMD)canbemadewithconfidenceinsuccessfulprogramexecutionfordevelopment,production,andsustainment.”(12)TheactivitiesassociatedwiththisphaseareshowninFigure13.
Page 32
32
Figure13SEActivitiesinTechnologyMaturationandRiskReductionPhase(11)
Duringthisphase,tradestudiestoexploredesignoptionsandreduceprogramriskareconducted.TheCapabilityDevelopmentDocument,SystemsEngineeringPlan,SystemRequirementsDocument,TestandEvaluationMasterPlan,RequestforProposalandotherdocumentsaredrafted.Thesedocumentsarecontinuallyrefinedthroughouttheacquisitionsprocess.Thepreliminarysystemdesignisdevelopedinthisphase,andsafetyengineersconductaFMECAstudyonthedesign.NeartheendofthephasethePreliminaryDesignReviewwilltakeplace.PDRistypicallyrequiredtoproceedtoMilestoneBandentertheEngineeringandManufacturingDevelopmentphase.DuringEMD,thedesignisfurtheradvancedandintegrated,andthemanufacturingprocessisdeveloped.TheCriticalDesignReviewoccursduringthisphase.AttheCDR,thePOdetermineswhetherornotthedesignmeetsrequirements,ifitisreadytobuildtestarticles,andifitisreadyforDTtobegin.TheseactivitiesareillustratedinFigure14.
Figure14SEActivitiesinEngineeringandManufacturingDevelopmentPhase(11)
Page 33
33
Duringthisphase,theairworthinesscertificationbasis,whichconsistsofthesuitableMIL-HDBK-516Ccriteria,mustbeapprovedbytheTAA.Additionally,priortoDT,theTAAwillapprovethemilitaryexperimentalflightrelease(13).NeartheendofEMD,theProductionReadinessReviewisconductedtodetermineifthesystemisreadyforproduction.AftertheMilestoneCreview,theprogramenterstheProductionandDeploymentphase.Inthisphase,low-rateproductionbeginsandDTandOTperformthemajorityoftheirtesting.TheFullRateProductionDecisionismadeinthisphase,whichwillmarkthebeginningoffullproduction,asshowninFigure15.InitialOperationalCapabilityistypicallydeclaredduringthisphase,whichindicatesthatthesystemhasreachedaminimumoperationalcapability.TheMilitaryTypeCertificate,issuedbytheTAA,mustbeobtainedbeforeOT&Ebeginsorbeforethefirstdeliveryofaircraftforoperationaluse.
Figure15SEActivitiesinProductionandDeploymentPhase(11)
ThelongestphaseoftheacquisitionsprocessisOperationsandSupport.Inthisphase,FullOperationalCapabilityisdeclared,indicatingthattheoperationalunitshavereceivedthesystemandareabletooperateandmaintainthesystem.Ifthesystemrequiresupgradedcapabilities,theacquisitionsprocesswillbeinitiatedfortheoperationalrequirement.TheairworthinessprocessisrepeatedforsystemupgradesoranyothermodificationtoincludeissuinganupdatedMEFRfortestingandMTCforfielding.ThelastphaseistheDisposalphasewhenthesystem.Thisphaseincludesdemilitarizingtheaircraft(removingweaponsandhazardousmaterials),andeitherstoringordestroyingthem.
Page 34
34
STPAImplementationwithintheAirForceAcquisitionProcessSTPAintheAcquisitionsProcessSTPAcaneasilyfitintothisacquisitionsprocessasitiscurrentlyconducted.Figure16showstheacquisitionsprocessagain,withnumbersindicatingwhereanSTPAanalysiswouldfitintotheprocess.Belowisadiscussionofeachnumber.
Figure16AcquisitionsProcesswithSTPA
(1)DuringtheMSA,conceptoptionscanbeevaluatedusingSTPA.Theconceptofoperationsisoneoftheaspectsoftheconceptstobeevaluatedandwillincludetheoverarchingfunctionandtheoperationalcontext,whichareinputstoanSTPAanalysis.STPAwouldgeneratesafetyconstraintsforeachoftheconceptoptions.Thesafetyconstraints,coupledwithotheraspectsoftheAoAwillbeusedtosupporttheMilestoneAdecision.(2)AfterMilestoneA,intheTechnologyMaturationandRiskReductionphase,thesystemisfurtherdefinedinmoredetail.TechnicalrequirementsfortheRFParedeveloped,andsourceselectionbegins.Asthetechnicalrequirementsforthesystemaredetermined,soshouldthesafetyrequirements.ContinuingtheSTPAanalysiswillprovidehigh-levelsafetyconstraintsforinputintotheRFP.STPAwillalsoprovideinputstotheTEMP,SRD,andSEPduringthisphase.(3)Onceacontractisawardedandthecontractorbeginsthedesignprocess,theywillcontinuetheSTPAanalysisforthesystemandguidethedesign.ThePOshouldalsobeginSTPAanalysisonsupportfunctions,suchasmaintenance,logistics,infrastructure,technicalorders,andtraining.Currentairworthinessstandardsrequirethatthesupportfunctionsdonotdetractfromthesafetyoftheairframe,thereforethesefunctionsshouldalsoundergotheanalysis.Theseanalyseswillalsobecontinuouslyrefinedasthebasing,maintenance,andlogisticconstructsaredetermined.(4)InEMD,asthesystemisintegrated,designstoachievesafetyconstraintsidentifiedbySTPAwillbeverifiedbytest.Someconstraintsmaybetestedinlabenvironments,suchassoftwareinthelooporhardwareintheloopfacilities.However,becausethesafetyconstraintsarebasedonthesystemasawhole,someconstraintswillrequiretheintegratedsystem,andmayevenrequirethesystemintheoperationalenvironmentforverification.Thismeansthatasthetestplanisdeveloped,eachconstraintwillneedtobecategorizedbyhowitwillbeverified.Optionsforthesecategorizationsmayinclude:inspectionofdesign,softwareintheloop,
Page 35
35
hardwareintheloop,groundtesting,developmentalflighttesting,oroperationalflighttesting.Ifasafetyconstraintisverifiedearlyinthedevelopment,suchasinasoftwareintheloopfacility,thecontractormustensurethatfurtherdesignchangesdonotaffectthesafetyconstraint,otherwisethetestingwillhavetoberedone.Asthedesignischanged,theSTPAanalysismustbeupdatedtoensurethatconstraintsarestillvalidandidentifynewconstraintsassociatedwiththedesignchange.(5)STPAcanalsobeusedtoassistinmanufacturingplanningtoensurethatthedesigncanbesafelymanufactured,butalsotoensurethatthecommunicationbetweenthemanufacturingteamanddesignteamisadequate.(6)InProductionandDeployment,thedesignisfixedunlessDTorOTfindsunacceptabledeficiencies.Shouldsuchdeficienciesbeidentified,thedeficienciesshouldbeaddedintheSTPAanalysis,whichwillhelpguidetheredesign.(7)OncetheprogramreachestheOperationsandSupportphaseandthesystemisFOC,theMAJCOMswillrequestcapabilityupgradesordecidetousethesysteminnewenvironmentsorindifferentwaysthandesigned.ThePOwillmaintaintheSTPAproductsandwillmodifytheanalysiswiththeupgradestoguidethedesign.TheSTPAanalysiscanalsobemodifiedwiththedifferentenvironmentorutilizationinformationtoensurecontinuedsystemsafety.(8)IfamishapoccursduringO&S,itmeansthatasafetyconstraintwaseithermissingornotenforced.MishapinvestigatorscanusetheSTPAanalysisonthesystem,alongwithevidencefromthemishap,todeterminewhatconstraintsweremissingorunenforcedandmakechangesasappropriate.Thistypeofinvestigationismorepowerfulthancurrentsafetyinvestigations,asitnotonlypreventstheparticularmishapfromreoccurring,butitalsoupdatesthesafetyconstraintstoavoidmishapsingeneral.Methodologytodothisalreadyexists.LevesonbuiltuponSTAMPtocreateCausalAnalysisbasedonSTAMP,whichisusedtoinvestigatemishapsfromasystemsperspectiveandimplementconstraintstoavoidfuturemishaps.(8)IntegratingtheSTPAanalysisperformedduringdesignwithmishapinvestigationanalysiswouldallowtheAirForce,whichalreadyhasanoutstandingsafetyrecord,topreventevenmoremishapsfromoccurring.Applyingmoreresourcestothecurrentsafetypracticeswillhaveminimalreturns–thesafetyrecordisasgoodasitcangetwithoutsubstantialchange.Asystemtheory-basedapproachshouldbethatchange.InadditiontothefactthatSTPAcoversmorescenariosthanjustcomponentfailure,STPAisrelativelylowcostandtakeslesstimecomparedtotraditionalhazardanalyses.IfSTPAreplacesFMECAinthedevelopmentprocesstheprogramwillsavetimeandmoneyandimprovesafety.STPAStudyExecutionandPersonnelCompositionSTPAstudieswillvaryslightlybythepurposeofthestudyandphaseoftheprogram.ThedescriptionbelowisfortheMSAandTMRRphasesbeforethecontractorsareinvolved.
Page 36
36
AnSTPAstudycanbeperformedsimilartotheHAZOPstudywithafacilitatorandaclient.MembersofAFLCMC,whethertheycomefromairworthiness(AFLCMC/EZ),orsystemsafety(AFLCMC/SES),shouldbetrainedontheSTPAprocessandactasfacilitators.ThesefacilitatorswouldchairtheSTPAstudyandguidetheSTPAprocessforprogramswithinLCMC.Theprogramofficeswouldactastheclient.ThemembersthatshouldtakepartintheSTPAstudyare:
- Engineersfromeachrelevantengineeringdiscipline- Systemsafetyengineers- Systemoperators(eitherfromwithinthePO,orfromtheMAJCOM)- RepresentativesfromDT- RepresentativesfromOT- Airworthinessengineers- Supportfunctions,suchasmaintenance,logistics,facilities,etc
Thestudyshouldbebrokenintothefollowingcomponents:
- Projectpreparation:o Facilitatorassignedo POdevelopsaccidentlistswithcustomer
- Studyintroductiono IntroductiontoSTPAbyfacilitatoro POintroducesproject
- Hazarddevelopmento Facilitatorleadsgrouptodevelophazards
- Safetycontrolstructuredevelopmento Groupwillcreateahigh-levelsafetycontrolstructureo Safetycontrolstructurewillinclude:
§ Operationalcontext§ Systemfunction§ High-levelsysteminteractions(e.g.othersystemsitwillinterfacewith)
- UCAdevelopmento GroupwillcreateUCAtablebasedonsafetycontrolstructure
- UCAscenarioso Initialmeetingstartsscenariogenerationeffortasagroupo Eachleadreviewsscenariosaftertheinitialmeetingtoensurecoverageand
determineassociatedconstraintso Conductafinalmeetingtoensureeveryoneagreeswiththescenariosandsafety
constraints- STPAOutbrief
o DuringMSA,summaryofsafetyconstraintsforeachalternativeshouldbepresentedalongwithrecommendations
o DuringTMRR,thesafetyconstraintswillbeincludedintheRFP§ Resolveanysafetyconstraintsthatconflictwithtechnicalrequirements
Page 37
37
WhiletheSTPAanalysissetuptobelinear,itisofteniterative—asthestudyproceeds,thegroupmayfindthattheyneedtoupdatetheirhazardlist,safetycontrolstructure,orUCAsaftertheyhavefinishedthatparticularportionofthestudy.Additionalmeetingsmayberequiredasnecessarytoupdatepreviouslycompletedsteps.Oncethecontractisawarded,thecontractorwillberesponsibleforcontinuedanalysisofthesystem.Theyshouldtakethehigh-levelanalysiscomposedbythePOanddevelopitfurtherduringtheirdesignprocess.SystemSafetyProcessSystemsafetyisdefinedas“applicationofengineeringandmanagementprinciples,criteriaandtechniquestoachieveacceptableriskwithintheconstraintsofoperationaleffectivenessandsuitability,timeandcostthroughoutallphasesofthesystemlifecycle.”(14)AFI91-202,TheUSAirForceMishapPreventionProgram,mandatesthateachprogramofficemustinitiateandmaintainaSystemSafetyProgramthattrackshazards,mitigaterisks,andformallyacceptsresidualrisks.(14)ThedocumentthatdefinesthesystemsafetyprocessisMIL-STD-882E,DoDStandardPracticeforSystemSafety.MIL-STD-882E“identifiestheDepartmentofDefense(DoD)SystemsEngineering(SE)approachtoeliminatinghazards,wherepossible,andminimizingriskswherethosehazardscannotbeeliminated.”(15)MIL-STD-882Eidentifieseightelementswithinthesystemsafetyprocess(15):
1. DocumenttheSystemSafetyApproach2. IdentifyandDocumentHazards3. AssessandDocumentRisk4. IdentifyandDocumentRiskMitigationMeasures5. ReduceRisk6. Verify,ValidateandDocumentRiskReduction7. AcceptRiskandDocument8. ManageLife-CycleRisk
Thesystemsafetyapproachconsistsofdescribingtheriskmanagementeffortandhowitisintegratedintotheprogrammanagementstructure.Additionally,ahazardtrackingsystemisdeveloped.(15)Hazardsareidentifiedanddocumentedinthehazardtrackingsysteminthesecondelementoftheprocess.Thestandardstatesthat“Hazardsareidentifiedthroughasystematicanalysisprocessthatincludessystemhardwareandsoftware,systeminterfaces(toincludehumaninterfaces),andtheintendeduseorapplicationandoperationalenvironment.”Itgoesontosaythat“mishapdata;relevantenvironmentalandoccupationalhealthdata;userphysicalcharacteristics;userknowledge,skills,andabilities;andlessonslearnedfromlegacyandsimilarsystems”canalsobeusedtoinformthehazardidentification.Hazardsarethencategorizedbyrisk,whichisdefinedbyseverityandprobability.RisksarethenassessedusingtheRiskAssessmentMatrix,asshowninthefigurebelow.
Page 38
38
Figure17RiskAssessmentMatrix(15)
Elementfourinvolvesidentifyingpotentialriskeliminationormitigationoptionsforeachidentifiedhazardusingsystemsafetydesignorder.Oncepotentialoptionsareidentified,elementfiveistoselectandimplementtheriskeliminationormitigationoptionsforeachhazard.Next,theriskmitigationisverifiedanddocumentedinelementsix,andanyresidualriskleftoverisacceptedanddocumentedinelementseven.Finally,theprogramofficeshouldcontinuetomanagetheriskthroughoutthelifecycleofthefielded.Withineachoftheseelementsthereareasetoftasks,whichmustbecompletedtobeincompliancewiththestandard.Task201fallsunderelementtwo,“IdentifyandDocumentHazards”.ItrequiresthecompilationofaPreliminaryHazardList(PHL)shortlyafterthematerielsolutionanalysisbegins.ThePHLisbasedonhistoricalandsimilarsystems,andthesystemconcept.Task202isPreliminaryHazardAnalysis(PHA).ThePHAconsistsofidentifyinghazards,assessingtheinitialrisks,andidentifyingpotentialmitigationmeasures.(15)TheriskmatrixshowninFigure17isusedwhencompletingthistask.Recently,LevesonwroteapapershownhowSTPAiscomplaintwithMIL-STD-882E.Inherconclusion,shestates“STPAistotallycompliantwithMIL-STD-882and,infact,wascreatedexplicitlytosupportthetasksinvolvinganalysisinthisstandard.”ShegoesontosaythatSTPA“isatop-down,systemhazardanalysisthatcanbeusedforthehazardanalysistasks(Tasks201-209).”(16)
Page 39
39
ItisimportanttonotethatwhileMIL-STD-882Eprescribesaprocesstoconductsystemsafety,itdoesnotprescribewhattoolsormethodstousetoaccomplishthetasks.MIL-STD-882Edoescallforprobabilisticriskassessments,whichSTPAdoesnotdo.Therearehazardsthatareimpossibletoprovideaprobabilityofoccurrence.Forinstance,arecentF-16Cmishapwascausedbyanimproperlyassembledengine.Twocomponentsweremissingfromtheenginewhenitwasbuiltupatthemaintenancedepot.(17)Thereissimplynowaytoassesstheprobabilitythatsuchaneventmayoccur.Additionally,theprobability,ifevaluatedbasedonhistoricaldata,maybesosmallthatitisdiscountedorgivenalowerriskassessmentthatisacceptedratherthanmitigated.However,anSTPAanalysisofthemaintenanceorganizationandprocessesmayhavedeterminedthepotentialhazardofimproperlyassemblingtheengine,anddesignedthesafetycontrolstructuretoavoidthehazard.Theairworthinessprocessisasubsetofthesystemssafetyprocess,andisdiscussedinfurtherdetailinthenextsection.
AirForceAirworthinessProcessAirworthinessisdefinedas“theverifiedanddocumentedcapabilityofanairsystemconfigurationtosafelyattain,sustain,andterminateflightinaccordancewith(IAW)theapprovedaircraftusageandoperatinglimits.”(13)TheAirForceairworthinessprocessisdeterminedbybothAirForceInstruction(AFI)62-601andAirForcePolicyDirective(AFPD)62-6.ThesedocumentsestablishaTechnicalAirworthinessAuthority(TAA)appointedbytheAirForceMaterielCommander.(18)ThispositionisresponsibleforissuingMilitaryTypeCertificates(MTC),MilitaryExperimentalFlightReleases(MEFR),MilitaryRestrictedFlightReleases(MRFR),andspecialflightreleases.MTCsareissuedwhencomplianceofthecertificationcriteriaaremet.MEFRsareissuedtoallowdevelopmentalflighttestwithinaspecifiedtimeperiodandflightenvelope.MRFRsareissuedforparticularaircraftunderspecificconditionswhenthereisacompellingmilitaryneedandtheAFcannotobtaindesigninformationinordertoconductanairworthinessassessment.(13)Specialflightreleasesareissuedwhenthecertificationcriteriaarenotmet,buttheprogrammanagersprovethattheaircraftisrequiredforoperationalpurposes.TheTAAchairstheAirworthinessBoard(AB),whichiscomprisedof“seniorengineeringfunctionalorganizationrepresentatives,anAirForceSafetyCenter(AFSC)representative,andarepresentativefromtheowningAFMCengineeringorganizations(asrequestedbytheTAA).”(13)TheboardisresponsibleforprovidingairworthinessadviceandrecommendationstotheTAA.Theprogramofficeisresponsibleforensuringthatthesystemmeetsairworthinesscriteria.AirworthinessplanningisincludedintheLifeCycleManagementPlan,SystemEngineeringPlan,andIntegratedMasterPlan.(13)inadditiontoprovidingcertification,theTAAprovidestheguidanceandstandardprocessestotheprogramofficesforairworthiness.MilitaryHandbook516C(MIL-HDBK-516C),maintainedbyairworthinessoffice,containstheairworthinesscriteriathatmustbemetinordertobeissuedtheMTC.Programofficesdohave
Page 40
40
thelatitudetotailorwhichcriteriaapplytotheirsystembyapplyingforanexemptionfromthecriteriathatarenotapplicable.(13)EachmajorsectionofMIL-HDBK-516Ccoversaspecificdiscipline,suchassystemsengineering,structures,propulsion,avionics,maintenance,andothers.TheriskmatricesinMIL-STD-882EandMIL_HDBK-516Cwereupdatedinanairworthinessbulletin(AWB-150)forairworthinessassessments.(19)TheupdatedriskmatrixisshowninFigure18.
Figure18UpdatedRiskMatrix(19)
PriortoAWB-150,thereweredifferentprobabilityscaleswithdifferentexposureperiods,whichgreatlyalteredtheseveritycategoryassignedtothehazard.Thestandardizedexposureperiodswillensurethattheprobabilisticriskassessmentsrepresentthesameamountofriskinallprograms,whichinturnensuresthattheresidualriskisacceptedattheappropriateleadershiplevel.JustaswithSTAMP,inordertoperformanairworthinessassessment,engineersmustunderstandthesystembeinganalyzedandthecontextinwhichthesystemwillperform.Thecontextmayincludeflightenvelope,operatinglocationssuchasimprovedorunimprovedrunways,andlogisticssupport.Aninitialairworthinessassessmentwillbeprovidedtoaprogramforanewsystem,howeverasthesystemisupgradedoroperationalcontextchanges,sowilltheassessment.Airworthinessisthereforenotaone-timedeterminationofthesafetyoftheaircraft,butrathercontinuouslyevolving.STPAandAirworthinessSTPAprovidesaprocessthatcomplieswiththesystemsengineeringandsystemssafetyprocessesasdefinedinMIL-HDBK-516C.Itisanapproachthatachievesthe‘completesystems
Page 41
41
view’andcoversarangeofcriteriaandexpectations.AnanalysisofSTPA’scompliancewithChapters4and14ofMIL-HDBK-516CcanbefoundAppendix3:STPACompliancewithMIL-HDBK-516C.Thissectionreviewstheoverarchingideasandconclusionsfromtheanalysis.Throughoutthehandbook,theverificationofmethodofcomplianceislistedas“inspection.”STPAprovidesastep-by-stepprocessforanalysisthatwillaidtheinspectionprocess.Otherwise,itisnotpossibletodeterminewhetheraninspectionprocessiscompleteoradequate.Whethertheinspectioniscompleteandadequateisbasedonengineeringjudgementorchecklistsestablishedbypreviousexperience,whichmaybeincorrectbasedontheexperienceoftheengineerwiththeparticularsystemthatisundergoinganairworthinesscertification.Additionally,newairframesormodificationsmaybedifferentenoughfromlegacysystemsthatbasinginspectiononhistoricdatadoesnotproduceacompletesafetyanalysisorinspection.Whilethisdocumentonlycoverssystemsengineeringandsystemssafety,STPAprovidesdatafortheentiretyofthesystem.Itprovidesaconstructwithinwhichtoconductspecifictechnicalsafetyanalysessuchasmaterialsorelectromagneticinterferencetesting.STPAwillnottelladesignerthatamaterialisappropriateforaparticularcomponent,butitwillguidethedesignertofocustheirenergiesonflightsafetycriticalcomponentsandprovidesafetyconstraintsasaninputtothecomponentorsubsystemdesign.Itgivessystemdesignerstheabilitytoevaluatetheirsystemasawholeduringthedesignphaseandeliminatehazardsthatotherwisemaynotbeidentifieduntilintegrationandtesting.STPAwillalsoprovidesafetyconstraintsnotassociatedwithcomponentfailuresatall,butratherhowthehumanandsoftwarecontrollersinteractwiththesystem.Animportantaspectofairworthinesscertificationisthatitmustbemaintainedthroughoutthelifecycleofthesystem,astheoperationalemploymentofthesystemchangesandmodificationsaremadetothesystem.STPAprovidesaconstructtoevaluatechangesandensuretheydonotintroducehazardstothesystem.Ifsafetyconcernsareintroducedbythemodification,STPAwillprovidesafetyconstraintsforthedesignofthemodificationandintegrationwiththebaselinesystem.STPAalsocoversthesupportstructureassociatedwiththesystemtoensurethathazardsarenotintroducedbyfactorsoutsideofthesystemdesign.System-basedanalysisallowstheusertodefinescopeofthesystem:itmaybethespecificaircraftbeingdesigned,theoperationalenvironmentwhereitwillbefielded,themaintenancedepotthatconductsprogrammedmaintenance,orotheroptions.Theusercan‘zoom’intospecificsubsystemsand‘zoom’outtolookathowthesystemwillfitintothecurrentoperationalandsupportstructure.Thesystemanalysisismeanttostarthigh-levelandworkdeeperintodetail.WhenaprogramofficeisdeterminingtechnicalrequirementstobeincludedinanRFP,ahigh-levelSTPAmaybecompletedtoprovidehigh-levelsafetyconstraintsthatmustbeincludedinthedesign.Oncethecontractbidisawardedandthedesignprocessbegins,theSTPAshouldbeconductedaspartofthedesignprocesstoassistindecision-makingaboutsafety.Asthedesignbecomes
Page 42
42
moredetailed,sodoestheSTPAanalysis.Theresultisasystemdesignthatwasguidedbysafetyanddocumentationtoshowtheairworthinesscertificationinspectorsthattheaircraftissafetooperate.ReliabilityandRedundancyOftenwhenminimizingtheriskassociatedwithacomponentfailure,redundanciesareaddedsuchthatevenifonecomponentfailstheotherwillperformthesafetycriticalfunction.Takeforexampleacomponentthathasa20%probabilityoffailureoveraperiodoftime.Thereliabilityofthatcomponentis:
𝑅 = 1 − 𝐹WhereRistheprobabilitythecomponentwillnotfail,andFistheprobabilityoffailure.Therefore,Ris80%.Ifthecomponentisflightcritical,thedesignteammayelecttouseredundancytoincreasereliability.Inthiscase,reliabilityis:
𝑅 = 1 − (𝐹')(𝐹))Whichbringsreliabilityupto96%.Whilethisappearsonthesurfacetobealogicalandstraightforwardmethodology,onemustconsidertheassumptionsthatgointothisanalysis.Inparticular,theassumptionofindependence:thecomponentsmustbecompletelyindependentofeachotherinorderfortheanalysistobevalid.Theauthorflewonatestmissionwhenahydraulicpumpfailedinflight.Theparticularaircrafthadtwohydraulicsystemsthatwereusuallytiedtogetherandincludesfourenginedrivenpumps.Thesystemscanbeisolatedwhenrequired.Thehydraulicpump’sfailurecouldcausemetalcontaminationofthehydraulicsystem;therefore,thesystemswereisolatedinresponsetothefailuretopreventtheadditionalpumpsfromfailing.Inthiscase,thepumpsarenottrulyindependent,asthepilotsmusttakeactiontopreventthefailureofonepumpfromcausingtheotherpumpstofail.Thereareotherdependenciesbetweenthepumpsaswell.thesystemwasservicedbythesamehydraulicmule,whichifcontaminated,wouldaffectallthepumps.Thesamemaintenancepersonnelinspect,repair,andreplacethepumps,thereforeifthereisadeficiencyinthemaintenancepracticesallpumpscouldbeatrisk.Ifthecomponentsareexposedtoharshenvironmentssuchashumidity,sand,orsaltwatertheywillalldeteriorate.Finally,ifthereisamanufacturingdefectorincorrectspecificationbeingused,allcomponentsfromtheaffectedlotsmayhavethesameproblem.So,infact,thereliabilitywouldnotbe96%inthecaseshownabove,butrathersomethingless.Whatthatsomethingiswouldbedifficultifnotimpossibletoquantify,asmaintenanceerrors,manufacturingdefects,andotherdependenciesarenotprobabilisticallydetermined.Therefore,usingFMEAorFMECAcutsetstodeterminetheprobabilityofafailurewillnotyieldaccurateinformation.Ifdesigndecisionsaremadebasedontheprobabilisticassessmenttheywillmostlikelybeflawed.STPA,ontheotherhanddoesnotrelyonprobabilities,makingtheresultsofSTPAmoreactionable.
Page 43
43
Inaddition,softwareflawsaredesignerrors.Redundancyofflaweddesignsorsoftwarecreatedfromthesameflawedrequirementsisnotgoingtoimproveeitherreliabilitynorsafety.Whataircrafttodayarenotbuiltwithextensivesoftwarecomponents?Itshouldbenotedthatredundancycanbeusedtocreateasafedesign,howeveritcanbeperformedinmorepowerfulwayssuchasdissimilarredundancies(i.e.powerthroughbatteriesandanalternator),moreaccuratelyensuringtrueindependenceofthecomponents,andbynotassumingthatthereliabilitycalculationsabovewillyieldanaccurateanswerthatcanbeusedtodeterminetherisklevelofthesystem.Butalloftheseapproachesapplyonlytohardwareandignorethesoftwareandthehumansinthedesign.Softwarediversitydoesnotwork.(20)AnSTPAanalysisofthedesignwillyieldsafetyconstraintsthatwillminimizehazardsassociatedwithcomponentfailure,andalsothosecreatedthroughdesignflawsandbyunsafeinteractionsamongcomponentsthathavenotfailed.RiskmatricesThetwocomponentsofriskmatricesareprobabilityofoccurrenceandseverity.Thesectionabovediscusseswaysinwhichprobabilityofoccurrenceisnotcorrectforredundantcomponents.Thereareotherreasonswhyprobabilityofoccurrenceisimpossibletopredict:componentinteractionsthatarenotfailures,softwarerelatederrors,andhumaninteractionrelatederrorsallcannotbedeterminedprobabilistically.Theyaredependentonthequalityofrequirementsdevelopment,howwellthecomponentsaredesignedtoworktogether,andhowwellthesystemisdesignedforhumaninteraction.ThisiswhySTPAissoimportant–itprovidessafetyconstraintstobetterinformrequirementsanddesign.WhatmakesSTPAunpalatableforsomedecisionmakersisthereisnowaytoquantifyresidualriskthatisacceptedaspartofthesystemdesign.Peopleintechnicalfieldssuchasengineeringandacquisitionsdesirequantitativemethodstomakedecisions.However,ifthecalculatedvaluesarewrongandleadtomisunderstoodresidualrisk,thedecisionwillnotresultinasafesystem.UsingSTPAratherthanriskmatriceswillrequireaparadigmshift,butitwillresultinamoreaccurateunderstandingofthehazardsassociatedwiththedesign.SystemsThinkingintheAF:Effects-BasedApproachtoOperationsThegreatestbenefitofSTPAisprovidingasystematicframeworkforevaluatingtheproblemathandthat,ifdoneright,iscompleteandconsiderstheproblemasawhole.Itcannotbereduceddowntoachecklist.DoingsowillnegativelyaffectthebenefitsofSTPA,anditwillnotwork.ThismeansthatconductingSTPAacrossalarge,diverse,anddynamicworkforceindozensofdifferentprogramofficespresentsachallenge.WhenthinkingabouthowthatchallengecanbeaddressedintheAirForce,itwasrealizedthatsystemsthinkingalreadyexistsintheAirForceintheformofEBAO.EBAOprovidesasystematicframeworktoconsidertheproblemofdesigningcombatstrategies.Annex3-0OperationsandPlanningdiscussesEBAO.Intheopeningparagraph,inboldletters,
Page 44
44
thedocumentstates,“EBAOisnotaplanningmethodology;itisawayofthinkingaboutoperationsthatprovidesguidancefordesign,planning,execution,andassessmentasanintegralwhole.”(21)STPAinthisregard“providestheinformationanddocumentationnecessarytoensurethesafetyconstraintsareenforcedinsystemdesign,development,manufacturing,andoperations,includingthenaturalchangesintheseprocessesthatwilloccurovertime.”(8)Safetyisanexampleofanemergentproperty.(22)Justbecausetwocomponentsbythemselvesappearsafe,doesnotmeanthatwhenyouputthetwotogetheraspartofasystemtheirinteractionwillbesafe.Strategistsunderstandtheconceptofemergentproperties.Anemergentpropertyisapropertythat“arisefromtheinteractionsamongthecomponents.”(22)Annex3-0referstothisconceptas‘additivity’andsays,“Additivitymeansthatthewholeequalsthesumofitsparts,butthisisnottrueoflivingsystems,whicharemorecomplexandoftengreaterinoutputthanthesumoftheircomponents,justasthejointforceworkingasanintegratedwholeismoreeffectivethanitscomponentsworkingindependently(“synergy”).Thebehaviorofinteractivelycomplexsystemsoftendependsmoreuponthelinkagesbetweencomponentsthanuponthecomponentsthemselves.Infact,system-widebehavioroftencannotbededucedfromanalysisofthecomponentparts.”Annex3-0states,“Reductionismisthecommonscientificmethodofanalyzingsystems,by“pullingthemapart”conceptuallyandexamininghoweachcomponentoperatesseparatelytodetermineoverallsystembehavior.Ithasbeenthemaintechniquebehindmachinedesignforcenturies,aswellas“nodal”methodsof“systemsanalysis.”However,reductionistmethodsmayyieldlessinsightthanwaysofexaminingsystemsasawhole—analyzinghowthesystembehavesinrelationtoothersystemsinitsenvironment,aswellashowcomponentsofthesysteminteract,andthentryingtoanticipatehowtheinteractionofthesesystemsmaycausecertaintypesofbehavior,orallownewbehaviorstoemerge.Breakingacomplexproblemintoconstituent,structurallycomplexpartsandsolvingeachpartwillnotnecessarilysolvetheoverarchingproblem,justaswinningeverybattledoesnotguaranteewinningawar.”ThedesignersofEBAOalsorecognizedthatlinearcauseandeffectrelationshipscannotbeappliedtostrategicplanning,stating“However,causesandeffectsareoftenhardtotraceandhardertodemonstrate,sincecommon“linear”rulesfrequentlydonotapply—especiallyincasesinvolvinghumanwill”(21)Similarly,inEngineeringaSaferWorld,ProfessorLevesonsaysofreduction,“Thisassumptioninturnimpliesthatthecomponentsoreventsarenotsubjecttofeedbackloopsandothernonlinearinteractionsandthatthebehaviorofthecomponentsisthesamewhenexaminedsinglyaswhentheyareplayingtheirpartinthewhole.”(8)Therefore,whenreductionandlinearcauseandeffectanalysesareusedtoanalyzeacomplexsystem,suchasanaircraft,componentinteractionsaremissed,whichmeanssafetyconstraints
Page 45
45
forthesystemarenotcomplete.STPAwaspurposelydesignedtoanalyzeemergentproperties.AnothercommonalitybetweenEBAOandSTPAisthat“EBAOfocusesonbehavior,notjustphysicalchanges.”(21)Inotherwords,theanalysismustbebasedonfunctionality.StrategiststhatemployEBAOseektoaffectthefunctionofopposingforces,justasSTPAseekstocontrolthebehaviorofadesignwithinspecificsafetyconstraints.Thesesystems-basedideasencompassingEBAOareacceptedthroughoutalllevelsofAirForceleadership,andaretaughttoallofficersinAirForceprofessionaleducation.EBAOisanintegralcomponentofAirForcestrategy,andaffectsthewaytheAirForcetrainsandexecutescombatoperations.SystemengineeringmethodsareusedbyPOsandcontractorstodesignforemergentproperties,suchassafety,performance,reliability,ormaintainability.YettheAFstillspendsadecadeormoreofdevelopmentaltestingsimplytounderstandwhatwebuilt,whichcausesscheduledelays,costoverruns,andoccasionallytragiclossoflife.Theprogramofficesfindthemselvesinafly-fix-flyloopuntiltheaircraftperformsinamannerthatisdeemedacceptableenoughtobefielded.ThisindicatesthatthereismoretobedoneinthewaythattheAFappliessystemsengineeringwithinprograms.ThepowerofSTPAisthatitcanleadtoatransformationofhowacquisitionsprofessionalsthinkabouttheirsystems,justasEBAOtransformedthewaytheAirForcetargetsenemyforces.Systemengineerscannotbetheonlypeopleinaprogramthatthinkoftheproductandrelatedsupportstructureassystems.Otherengineersdon’tnecessarilyneedtobeformallyeducatedinSE,buttheydoneedtolearnSEconceptsinordertomakethoughtfuldesigndecisionsthatconsidertheirprogramasawhole.Theyshouldalsounderstandhowemergentpropertiesarisefromthedesign–andmoreimportantlyinformthedesigntocreatetheweaponsystemrightthefirsttime.InordertodemonstratetheuseofSTPAintheacquisitionsprocess,twoexamplesareprovidedofSTPAanalysisalongwithdescriptionsofhowtheinformationobtainedcanbeusedinacquisitions.Thefirstexampleisofahigh-levelJSTARSanalysisasmightbecompletedduringconceptdevelopment.ThesecondisofaUAVfurtherinthedesignphaseinTM&RR.
Page 46
46
JSTARSAnalysisJSTARSSystemDefinitionTheE-8CJSTARS,orJointSurveillanceTargetAttackRadarSystemprovidesmultiplefunctions,toincludeairbornebattlemanagement,commandandcontrol,intelligence,surveillance,andreconnaissance.(23)AccordingtotheUSAF’sfactsheet,theprimarymissionoftheJSTARSis“toprovidetheatergroundandaircommanderswithgroundsurveillancetosupportattackoperationsandtargetingthatcontributestothedelay,disruptionanddistractionofenemyforces.”(23)TheJSTARSisequippedanAN/APY-7sensorthatincludesaside-looking,phasedarrayradar,movingtargetindicator,andsyntheticapertureradarmodes.(24)TheJSTARScollectsdatausingthissensor,andthenprovidesthatdatatogroundpersonnelandaircraftsupportingthegroundwar.TheUSAFiscurrentlyintheprocessofrecapitalizingthefleet,astheE-8CsareagingBoeing707-basedaircraft.Theintentistoacquireanaircraftthatfunctionallyreplacesthecurrentfleet,butwithmoderntechnologiesthatwillreduceoperationalcost.(25)Thisanalysisthereforeexaminesafunctionthatisthesameasthecurrentaircraft.JSTARSSystemMishaps,Hazards,andHigh-LevelSafetyConstraintsThemishapsassociatedwiththissystemare:M1.LossoflifeM2.LossofpropertyM3.LossofmissionThehazardsforthesystem,whicharealltraceablebacktoamishap,are:H1.Aircraftviolateminimumseparationrequirements(M1,M2)H2.Friendlygroundtroopstargeted(M1,M2)H3.Unacceptablecollateraldamage(M1)H4.Friendlyforcesnotprovidedactionabledata(M3)H5.Aircraftengagedbyenemydefenses(M1,M2,M3)H6.Aircraftviolatesminimumaltituderequirements(M1,M2)H7.Supportaircraftcannotprovidesupporttogroundtroops(M1,M3)Eachhazardhasanassociatedsafetyconstraint:SC1.AircraftmustnotviolateminimumseparationrequirementsSC2AircraftandgroundtroopsmustnottargetfriendlygroundtroopsSC3.AircraftandgroundtroopsmustnotcauseunacceptablecollateraldamageSC4.JSTARSmustprovideactionabledataSC5.AircraftmustnotbeengagedbyenemydefensesSC6.Aircraftmustnotviolateminimumaltituderequirements
Page 47
47
SC7.SupportaircraftmustprovidesupporttogroundtroopsJSTARSSafetyControlStructureThesafetycontrolstructureisbasedonthefunctionalitydiscussedinthesystemdescription.
Figure19JSTARSSafetyControlStructure
TheAirOperationsCenter(AOC)isresponsibleforplanningtheairwarandprovidingairassetswiththeirtasking,knownasanAirTaskingOrder(ATO).JSTARSandotherassetscanprovidefeedbacktotheAOCinorderfortheAOCtounderstandtheeffectivenessoftheirplanningandadjustasnecessary.TheJSTARS,aspreviouslydescribed,providestargetcoordinatesandairspacedeconflictiontothesupportaircraftintheJSTARSareaofresponsibility.ThesupportaircraftconfirmsthemessagesreceivedfromtheJSTARSandwillengagetargetsasdirected.Groundtroopswillrequesttargetinformation,andusetargetinformationprovidedbytheJSTARStoengagetheenemy.JSTARSStep1:UCAGenerationThecommandsshowninthesafetycontrolstructurearethenusedtotheUCAtableshownbelow.
Page 48
48
Table3JSTARSUCAs
JSTARSNotProvidingCausesHazard
ProvidingCausesHazard IncorrectTiming/Order
StoppedTooSoon/AppliedTooLong
TargetCoordinatestoSupportAircraft
JSTARSdoesnotprovidetargetcoordinatestosupportaircraftwhenthetargetneedstobeengaged(H4)
JSTARSprovidestargetcoordinates,butthecoordinatesarenotwheretheenemyislocated(H2,H3)JSTARSprovidestargetcoordinatestosupportaircraftthatarewithincontestedairspace(H6)
JSTARSprovidestargetcoordinatesbeforetheenemyforcesareseparatedfromcivilians(H3)JSTARSprovidestargetcoordinatesaftertheenemyleavesthetargetlocation(H2,H3)JSTARSprovidestargetcoordinatestosupportaircraftafterfriendlyforceshavemovedtowardsandengagedenemyforces(H2)JSTARSprovidestargetcoordinatestosupportaircraftaftersupportaircraftexpendsweapons(H7) N/A
AirspaceDeconfliction
JSTARSdoesnotprovideairspacedeconflictionwhensupportaircraftareco-altitudeinthesameairspace(H1)
JSTARSprovidessupportaircraftdeconflictioninstructionsthatcreateaconflict(H1)JSTARSprovidesairspacedeconflictionwhentheinstructioncausestheaircrafttoflytooclosetoterrain(H5)JSTARSprovidesairspacedeconflictionwhentheinstructioncausestheaircrafttoenterintocontestedairspace(H6)
JSTARSprovidesaircraftdeconflictionbeforesupportaircraftchangesradiofrequencytoJSTARSfrequency(H1)JSTARSprovidesaircraftdeconflictioninstructionsafteramidaircollision(H1)
JSTARSprovidespartialaircraftdeconflictioninstructions(H1)
Page 49
49
TargetCoordinatestoGroundTroops
JSTARSdoesnotprovidetargetcoordinatestogroundtroopswhenatargetneedstobeengaged(H4)
JSTARSprovidestargetcoordinates,buttheyarenotwheretheenemyislocated(H2,H3)
JSTARSprovidestargetcoordinatesaftertheenemyleavesthetargetlocation(H2,H3)JSTARSprovidestargetcoordinatestogroundtroopsafterfriendlyforceshavemovedtowardsandengagedenemyforces(H2) N/A
OncetheUCAsaregenerated,safetyconstraintscanbedevelopedtopreventthehazards.Table4JSTARSUCAsandSafetyConstraints
UCADesignator UCA Hazards Constraint
J1
JSTARSdoesnotprovidetargetcoordinatestosupportaircraftwhenthetargetneedstobeengaged(H4) H4
JSTARSmustprovidetargetcoordinatestosupportaircraftwhenthetargetneedstobeengaged
J2
JSTARSprovidestargetcoordinates,butthecoordinatesarenotwheretheenemyislocated(H2,H3) H2,H3
JSTARSmustprovidetargetcoordinateswheretheenemyislocated
J3
JSTARSprovidestargetcoordinatestosupportaircraftthatarewithincontestedairspace(H6) H6
JSTARSmustnotprovidetargetcoordinatesthatarewithincontestedairspace
J4
JSTARSprovidestargetcoordinatesbeforetheenemyforceshaveseparatedfromcivilians(H3) H3
JSTARSmustnotprovidetargetcoordinatesiftheenemyisincloseproximitywithcivilians
J5
JSTARSprovidestargetcoordinatesaftertheenemyleavesthetargetlocation(H2,H3) H2,H3
JSTARSmustnotprovidetargetcoordinatesaftertheenemyleavesthetargetlocation
J6
JSTARSprovidestargetcoordinatestosupportaircraftafterfriendlyforceshavemovedtowardsandengagedenemyforces(H2) H2,H3
JSTARSmustnotprovidetargetcoordinatestosupportaircraftafterfriendlyforceshavemovedwithincloseproximityofenemyforces
Page 50
50
J7
JSTARSprovidestargetcoordinatestosupportaircraftaftersupportaircraftexpendsweapons(H7) H7
JSTARSmustprovidetargetcoordinatestosupportaircraftwiththeappropriateweaponspayload
J8
JSTARSdoesnotprovideairspacedeconflictionwhensupportaircraftareco-altitudeinthesameairspace(H1) H1
JSTARSmustprovideairspacedeconflictionwhensupportaircraftareco-altitudeinthesameairspace
J9
JSTARSprovidessupportaircraftdeconflictioninstructionsthatcreateaconflict(H1) H1
JSTARSmustnotprovidedeconflictioninstructionsthatcreateaconflict
J10
JSTARSprovidesairspacedeconflictionwhentherouteistooclosetoterrain(H5) H5
JSTARSmustnotprovideairspacedeconflictionwhentherouteistooclosetoterrain
J11
JSTARSprovidesairspacedeconflictionwhenthenewrouteisthroughcontestedairspace(H6) H6
JSTARSmustnotprovideairspacedeconflictionwhenthenewrouteisthroughcontestedairspace
J12
JSTARSprovidesaircraftdeconflictionbeforesupportaircraftchangesradiofrequencytoJSTARSfrequency(H1) H1
JSTARSmustnotprovideaircraftdeconflictionbeforesupportaircraftchangesradiofrequencytoJSTARSfrequency
J13
JSTARSprovidesaircraftdeconflictioninstructionsafteramidaircollision(H1) H1
JSTARSmustprovideaircraftdeconflictiontoaircraftwhentheaircrafthastimetotakeaction
J14JSTARSprovidespartialaircraftdeconflictioninstructions(H1) H1
JSTARSmustprovidecompletedeconflictioninstructions
J15
JSTARSdoesnotprovidetargetcoordinatestogroundtroopswhenatargetneedstobeengaged(H4) H4
JSTARSmustprovidetargetcoordinatestogroundtroopswhenatargetneedstobeengaged
J16
JSTARSprovidestargetcoordinates,buttheyarenotwheretheenemyislocated(H2,H3) H2,H3
JSTARSmustprovidetargetcoordinateswheretheenemyislocated
J17
JSTARSprovidestargetcoordinatesaftertheenemyleavesthetargetlocation(H2,H3) H2,H3
JSTARSmustnotprovidetargetcoordinatesaftertheenemyleavesthetargetlocation
Page 51
51
J18
JSTARSprovidestargetcoordinatestogroundtroopsafterfriendlyforceshavemovedtowardsandengagedenemyforces(H2) H2
JSTARSmustnotprovidetargetcoordinatestosupportaircraftafterfriendlyforceshavemovedwithincloseproximityofenemyforces
JSTARSStep2:ScenarioGenerationFinally,thescenariosforeachUCAaredeveloped.ThetableofallscenarioscanbefoundinAppendix1.SeveralsafetyconstraintsidentifytheneedforinteroperabilitybetweenJSTARS,supportaircraft,andgroundtroops.Interoperabilityamongstjointforceshasbeenanissueinpreviousprogramacquisitions,thereforehighlightinginteroperabilityearlyisincrediblyimportant,especiallyforaprogramsuchasJSTARS.OtherscenariosindicatedtheneedfordatathatJSTARSitselfmaynotbeabletodetect,suchaslocationofallaircraftwithintheareaofresponsibility,andlocationofenemythreats.Thedatawouldthenhavetocomefromothersources.ThesesourcesmustbeidentifiedearlysothattheinputsintotheJSTARSsystemarewellunderstoodandincorporatedintothedesign.AnotherimportantsafetyconstraintthatwasdiscoveredistheneedforcommunicationwithintheJSTARSaircrew.Atthisearlystageofdevelopment,thenumberandfunctionofaircrewlikelyhasnotbeendecided.Criticalcrewcommunicationconstraintsmustbeconsideredinthedesignofthesystemanddeterminationofaircrewcomplement.JSTARSSTPASummaryThisanalysiswascompletedwithaconceptoffunctionandoperationalcontext.Thereisnodetailabouttheactualsystemunderdesign.ThistypeofanalysiswouldoccurduringconceptdevelopmentintheMSAphaseoftheacquisitionsprocess.ItcanalsobeusedtoprovidesafetyconstraintstobeincludedintheRFPintheTMRRphase.Recently,itwasannouncedthattheJSTARSRecapitalizationprogrammaynotgoforwardasexpected.TheAirForceisconsideringwhetherornotwereallyneedanaircrafttodothismissionatall,orifitcouldbeaccomplishedthroughadistributednetworkofsensorswiththebattlemanagerslocatedawayfromthewar.(26)TheAirForceisconcernedthatJSTARSwouldnotsurviveinalarge-scalewaragainstanenemywithsignificantanti-aircapabilities.AlargeaircraftsuchastheJSTARSmaynotsurvivehighlycontestedairspace,whereasotheraircraftaredesignedforsurvivabilityincontestedenvironments.TheAirForceisattemptingtodetermineif,ratherthanputanexpensiveassetwithrelativelyfewnumbersinharm’sway,anon-airborneJSTARSreplacementsystemcouldreceivedatafromairborneassetsandperformthefunctionofthecurrentJSTARS.Theanalysisperformedaboveismostlyagnostictosuchdecisions.ItdoesnotmatteriftheJSTARSisairborneintheaterorinabuildinglocatedintheUS.Thefunctionwillremainthesame.Whereonefindsadifferencebetweenairborneand
Page 52
52
non-airborneanalysesisinthescenarios.Forinstance,non-airborneJSTARSreplacementwouldbeentirelydependentonassetsexternaltotheJSTARSsystemforsensordataandcommunications.AirborneJSTARSmissionsarelimitedindurationbasedonfuelandcrewdutydayandlimitedinrangebytheairfieldlocationandenemythreats.Scenariosbasedonthesedifferencescouldbedevelopedtodeterminewhatconstraintsarerequiredgiventhetwooptions.Inthisway,differentconceptsoralternativesmaybeevaluatedearlyintheacquisitionprocess.JSTARSSupportSTAMPAnalysisEarlyintheacquisitionprocess,theprogramofficewillbegindeterminingthesupportstructurerequiredforthefieldedsystem.Thiswillincludethemaintenanceandsupplystructure,requiredgroundequipment,suitableairbasestobaseoperations,aircrewandmaintenanceproceduresandtraining,technicalordersupport,andothers.STPAcansupportthisdecisionaswell.JSTARSSupportMishapsM1.LossoflifeM2.LossofJSTARSorotherpropertyM3.LossofmissionJSTARSSupportHazardsH1.JSTARSisnotmissioncapable(M3)H2.JSTARSmaintenanceproceduresareunsafe(M1,M2,M3)H3.JSTARSoperationalproceduresareunsafe(M1,M2,M3)H4.JSTARSaircraftdoesnotmeetoperationalrequirements(M3)JSTARSSupportSafetyControlStructureThesafetycontrolstructureshowninFigure20isnotallinclusive,butitgivesthereaderanideaofwhatthesupportstructuremightlooklikefortheJSTARS.
Page 53
53
Figure20SimpleJSTARSSupportSafetyControlStructure
Therearecriticaldecisionswithinthissupportstructurethattheprogramofficemustdecideupon.Forinstance,whoisresponsibleforrepairingunserviceableparts?ItcouldbeatasustainmentcenterbyAirForcepersonnel,oritcouldbeacontractedservice.Whowillberesponsibleforansweringengineeringtechnicalrequestsandmaintainingtechnicaldata?Again,itcouldbeAirForceengineersorthecontractor.Eachdecisionhasramificationstomaintainingthesafetyofthesystem,andanSTPAanalysisofsafetycontrolstructuresdefinedbythepotentialchoicesassiststheprogrammanagerinthedecision.Anysafetyconstraintsidentifiedbytheanalysisofthewinningsolutionmustbeincorporatedintoprogramplanning.STPAStep1and2werenotcompletedforthisexample,asthepurposewastoillustratehowSTPAisusedindecision-makingbeyondthedesignofthesystemitself.
Page 54
54
UAVSTPAAnalysisUAVSystemDefinitionRecently,agroupmodifiedageneralaviationaircrafttocreateanunmannedaerialvehicle(UAV).Themodificationsincludedavehiclemanagementsystem(VMS)withautopilotlinkedtoactuatorswhichcontroltheenginethrottleandcontrolsurfaces,anenginecontrolmodule,alternators,alipstickcameratoallowtheoperatortoseeinfrontoftheUAV,andradioandpayloadadditions.TheoperationalcontextfortheUAVisatakeoff,climb,andcruiseataltitudeforseveralhoursbeforereturningtotheairfield.AgroundstationattheairfieldcontrolstheUAVusinglineofsight(LOS)communications.OncetheUAVisatcruise,thegroundstationoperatorwilltransitiontheUAVtobeyondlineofsight(BLOS)communications.TheBLOSgroundstationisnotlocatedattheairfield,andcommunicateswiththeUAVviasatellite.TheUAVdoesnottaxiduringgroundoperations.Itistowedtotheenginerun-uparea,totherunwayfortake-off,andofftherunwaytoparkingafterlanding.LostlinkproceduresaresetsuchthatwhenthelinkislosttheUAVwillcontinuealongthepathforacertainperiodoftime.Ifthelinkisnotreestablished,theUAVwillreturntotheairfieldviathelatestlostlinkprocedureprovidedtotheUAV.UAVAccidents,Hazards,andHigh-LevelSafetyConstraintsTheaccidentsfortheUAVoperationare:A1.Lossoflife/injuryA2.LossofordamagetoUAVaircraftA3.LossofmissionThehazardsfortheUAVoperationare:H1.UAVtooclosetoground/building/person(A1,A2)H2.UAVviolatesminimumseparationrequirements(A1,A2)H3.UAVdoesnotcompletemission(A3)H4.UAVdepartscontrolledflight(A1,A2)H5.UAVdepartsapron,taxiway,orrunwayduringgroundoperations(A1,A2)H6.LossofUAVairframeintegrity(A1,A2)Eachhazardistraceablebacktoanaccident.Eachhazardhasanassociatedhigh-levelsafetyconstraint:SC1.UAVaircraftmustnotcollidewiththeground,buildings,orpeople(H1)SC2.UAVaircraftmustnotviolateminimumseparationrequirementswithotheraircraft(H2)SC3.UAVmustcompleteassignedmission(H3)SC4.UAVmustnotdepartcontrolledflight(H4)
Page 55
55
SC5.UAVmustnotdeparttheapron,taxiway,orrunwayduringgroundoperations(H5)SC6.UAVmustnotloseairframeintegrity(H6)Eachofthesehigh-levelsafetyconstraintswillbeachievediflowerlevelsafetyconstraintsareachieved.ThelowerlevelsafetyconstraintswillbeexploredduringStep1andStep2ofSTPA.UAVSafetyControlStructureTheUAVsafetycontrolstructureisshowninFigure21.Thegroundstationconsistsoftheoperatorandtheuserinterface(UI).Theuserinterfaceisloadedontoacomputer,andcommunicateswiththeUAVviaradios.TheoperatorprovidescommandsthroughinteractionwiththeUI.FeedbackregardingthestateoftheUAVisdisplayedontheUI.
Page 56
56
Figure21UAVSafetyControlStructure
TheaircraftconsistsoftheVMS,payloads,controlsurfaces,engine,andairdatasystem.TheVMSisapassthroughforthepayloadpowerandenginestart/stopcommands:itprovidesthecommandwhentheoperatorsendsthecommandtotheVMS.Thepitch,roll,yaw,andthrottlesettingcommandsaredeterminedbytheVMSbasedontheGPSwaypointaltitude,andairspeedcommandsgivenbytheoperator.TheVMSuseslocationdata,engineparameterdata,andairspeedandaltitudedatatodeterminetheappropriatepitch,roll,yaw,andthrottlecommands.
Page 57
57
STPAStep1:UCAGenerationThefirststepoftheanalysisistodefinetheUCAsandtheassociatedrequirements.Asstatedpreviously,controlactionsarehazardousif:
1. Acontrolactionrequiredforsafetyisnotprovidedornotfollowed.2. Anunsafecontrolactionisprovided.3. Apotentiallysafecontrolactionisprovidedtooearlyortoolate,atthewrongtimeorin
thewrongsequence.4. Acontrolactionrequiredforsafetyisstoppedtoosoonorfortoolong.(8)
TheUAVUCAsweredividedintooperatorUCAsandaircraftUCAs.TheUCAsarenotwritteninsentenceformatinTable5andTable6,buttheycanbewritteninsentenceformatusingtheinformationinthetable.Forinstance,thefirstUCAinrow2,column2inTable5iswrittenas“TheoperatordoesnotprovidetheGPSwaypointsduringprelaunchoperations.”Table5UAVOperatorUCAs
OperatorNotProvidingCausesHazard
ProvidingCausesHazard
IncorrectTiming/Order
StoppedTooSoon/AppliedTooLong
GPSWaypoints
…duringprelaunchoperations(H3)…whenmissionchanges(H3)
…whenGPSwaypointsdonotalignwiththemission(H3)…whenthewaypointspresentaconflictwithotheraircraft(H2)…whentheroutelengthexceedsthefuelonboard(H4)...whentherouteisoutsideofLOSradiusandBLOSisnotbeingused(H3,H4)
…afterLOSislost,butbeforeBLOSradiolinkisestablished(H3,H4)…aftertheUAVreachesbingofuel(H4)
…whenthenumberofwaypointsexceedthestoragecapacityoftheautopilot(H3)…whenthelistofwaypointsisnotcompletefortheentiremission(H3)
Page 58
58
Altitude
…whentheGPSwaypointsareupdated(H1,H2,H3)
…whenthealtitude,coupledwiththeprogrammedwaypointsarenotaboveminimumobstacleclearancealtitude(MOCA)(H1)…whenthealtitudeconflictswithothertraffic'saltitudeblocks(H2)…whenthealtitudeisaboveicinglevelandtheUAVfliesthroughclouds(H4)
…afterLOSislostduetoterrainmasking,butbeforeBLOSradiolinkisestablished(H3)
…whenthealtitudeassignmentsexceedthenumberofGPSwaypoints(H3)…whentherearefeweraltitudeassignmentsthanwaypointsanditdoesnotincludetheentiremission(H3)
Airspeed
…duringachangeinflightorenvironmentalconditions(H1,H4,H6)
…whentheairspeedprovidedisatorbelowstallspeed(H4)…whentheairspeedisaboveVNE(H6)…whenflightplanningfueldurationwasbasedonauto(maxendurance)airspeed,butahigherairspeedisset(H3,H4)…withanairspeedvaluethatwillcreateaconflictwithotheraircraft(H2)
…aftertheUAVstalledduetoslowflight(H4)…afterstructuraldamagefromflyingaboveVNE(H6)
…whentheairspeedassignmentsexceedthenumberofGPSwaypoints(H3)…whentheairspeedassignmentsarefewerthanthenumberofGPSwaypoints(H3)
EngineStart
…duringprelaunchenginerun-up(H3)…duringbeforetakeoffprocedure(H3)…whentheenginefailsinflightandtheengineneedstoberestarted(H4)
…whengroundpersonnelarenearthepropellers(H1)
…whentheenginefailsinflight,butaftertheUAViscommittedtolanding(H1) N/A
Page 59
59
LaunchNow
…duringtakeoff(H3)
…whentherunwayisnotclear(H2)…whentheUAVisnotontherunway(H5)
…beforegroundpersonnelhaveclearedthearea(H1)…aftertheUAVisairborne(H4) N/A
LandNow
…whentheUAVisinthepatternandatminimumfuel(H4)…whentheUAVisattheairfieldandotheraircraftareattemptingtoenterthepattern(H2)
…whentherunwayisnotclear(H2)…whentheUAVisnotattheairfield(H1)
…beforetheUAVcompletestheairfieldarrivalprocedure(H1,H2) N/A
LostLinkProcedure
…duringflightoperations(H1,H2)
…whenthelostlinkprocedurewaypointsconflictwithotheraircraft(H2)…whenthelostlinkprocedureisnotatoraboveMOCA(H1)
…beforeterrain,conflictingtraffic,orweathernecessitatealostlinkprocedureupdate(H1,H2)
…whenthewaypointsexceedthestoragecapacityoftheautopilot(H1,H2)
PayloadPowerOn
…whenUAVisoverthetargetarea(H3)
…whenthealternatorfails(H4) N/A N/A
PayloadPowerOff
…whenthealternatorfails(H4)
…whentheUAVisoverthetargetarea(H3) N/A N/A
Page 60
60
Table6UAVVMSUCAs
VehicleManagementSystem
NotProvidingCausesHazard
ProvidingCausesHazard
IncorrectTiming/Order
StoppedTooSoon/AppliedTooLong
Roll,Pitch,Yaw
…whentheUAVisoffcourse(H1,H2,H3)
…whentheroll,yaw,orpitchcommandexceedsaircraftattitudelimits(H4)…whentheroll,pitch,yawcommandsteerstheUAVoffcourse(H1,H2,H3)
…whenthethrottleisreducedinordertodescend,butthesubsequentpitchdowncommandisdelayed(H4)…whenthethrottleisincreasedforaclimb,butthesubsequentnoseupcommandisdelayed(H6)
…theactuatordisplacementisnotbroughtbacktoneutralwhentheaircraftreachesthetargetheading/descent/ascent(H1,H2,H3)…theactuatordisplacementisbroughtbacktoneutralbeforetheUAVreachesthetargetheading/descent/ascent(H1,H2,H3)
ThrottleSetting
…whenenvironmentalconditionschange(H4,H6)…whentheUAVisinasustainedturn,whichreduceslift(H1,H2)
…whenthethrottlesettingisnotenoughtomaintainanairspeedabovestallspeed(H4)…whenthethrottlesettingacceleratestheaircraftaboveVNE(H6)
…reducesthrottletoolateaftertheUAVflaresforlanding(H1,H5)
…whentheacceleratestoatargetspeed,butthethrottleisnotreducedbeforereachingVNE(H6)…whentheUAVdeceleratestoatargetspeed,butthethrottleisnotincreasedbeforereachingstallspeed(H4)
OncetheUCAtablesarepopulated,safetyconstraintstopreventeachoftheUCAsmustbeidentified.AnexampleofthesafetyconstraintsfortheGPSwaypointscontrolactionareshowninTable7.TheentiretableofsafetyconstraintscanbefoundinAppendix2.Table7ExampleofSafetyConstraintsDerivedfromUCAs
UCADesignator UCA Hazards Constraint
C1TheoperatordoesnotprovidetheGPSwaypointsduringprelaunch
operationsH3
TheoperatormustprovideGPSwaypointsduringprelaunchoperations
Page 61
61
C2 TheoperatordoesnotprovideupdatedGPSwaypointswhenmission
changes
H3
TheoperatormustprovideGPSwaypointsduringthemissionwhenthemission
changes
C3TheoperatorprovidestheGPS
waypointswhentheydonotalignwiththemission
H3Theoperatormustnot
provideGPSwaypointsthatdonotalignwiththemission
C4 TheoperatorprovidestheGPSwaypointswhentheypresenta
conflictwithotheraircraft
H2
TheoperatormustnotprovideGPSwaypointsthatpresentaconflictwithother
aircraft
C5 TheoperatorprovidesGPSwaypointsandtheroutelengthexceedsthefuel
onboard
H4
TheoperatormustnotprovideGPSwaypointsforaroutethatexceedsthefuel
onboard
C6 TheoperatorprovidesGPSwaypointsthatcreatearouteoutsideofLOSradiusandBLOSisnotbeingused
H3,H4
TheoperatormustnotprovideGPSwaypointsthatcreatearouteoutsideLOSradiusifBLOSisnotbeing
used
C7TheoperatorprovidesGPSwaypointsafterLOSislost,butbeforeBLOS
radiolinkisestablishedH3,H4
TheoperatormustprovidewaypointswhiletheUAVisin
LOS
C8 TheoperatorprovidesGPSwaypointsaftertheUAVreachesbingofuel
H4
TheoperatorprovidesGPSwaypointstobringtheUAVbacktotheairfieldbeforethe
UAVreachesbingofuel
C9 TheoperatorprovidesGPSwaypointsandthenumberofwaypointsexceedthestoragecapacityoftheautopilot
H3
TheoperatormustnotprovideGPSwaypointsforaroutethatexceedsthefuel
onboardSTPAStep2:ScenarioGenerationThesecondstepofSTPAistogeneratethescenarios.Themajorityoftheactionabledatathatcanbeimplementedintothesystemdesignwillcomefromthisstep.Itisnotenoughtojustunderstandwhatcanhappen,buttounderstandhowitcouldhappen.Oncethe‘how’isknown,constraintsaredevelopedtopreventthehazardfromoccurring.ThescenariosweregeneratedusinganewmethodrecentlydevelopedbyDr.JohnThomas.Themethoddividesthescenariosintotypesbytheirlocationonthesafetycontrolstructure.Thefourtypesare:
1. Commandnotfollowedorfollowedinadequately
Page 62
62
2. Inappropriatedecision3. Inadequatefeedbackorotherinputs4. Inadequateprocessbehavior(27)
Figure22ScenarioTypesonControlStructure
Previously,whengeneratingscenarios,aperson(orpeople)wouldexaminethesafetycontrolstructureandcomeupwithscenarios,inabrainstormingtypeofmanner.Whilethisproducesgoodresults,itdoesnotnecessarilyensurecoverageoftheentirecontrolstructure.JustasbucketingUCAsintofourcategoriesensureseachtypeofUCAisconsidered,bucketingscenariosensurescoverageacrossthecontrolstructure.ThetypeofscenarioandcorrespondinglocationonthecontrolstructureisshowninFigure22.UCAV2states,“TheVMSprovidesroll,pitch,oryawwhenthecommandexceedsaircraftattitudelimits.”ThehazardassociatedwiththisUCAisH4“UAVdepartscontrolledflight.”Thefollowingscenariosweregeneratedusingthenewprocedure: V.2.1TheVMSdoesnotprovidetheroll,pitch,oryawcommand,buttheaileron,
elevator,andrudderreceivethecommand.Ashortedwireprovidespowertotheactuatorcausingtheaileron,elevator,orruddertomove.Theaileron,elevator,andrudderreceivethecommandeventhoughtheVMSdidnotcommandit.(Type1)
V.2.2TheVMSprovidestheroll,pitch,oryawcommandandexceedlimitsforthecurrentflightcondition.TheVMSwasprogrammedwithonesetofattitudelimits,ratherthanasetofattitudelimitsfordifferentflightconditions(altitude&speed).Thecommanddidnotexceedtheprogrammedlimits,butitdidexceedactuallimitsforthatparticularflightcondition.(Type2)
V.2.3TheVMSprovidesaroll,pitch,oryawcommandthatitbelieveswillresultinanattitudewithinlimits,howevertheattitudeisactuallyoutoflimits.Theaeromodelling
Page 63
63
ofthesystemwasnotvalidated,andthemagnitudeofthecommandistoolarge.Thecommandedattitudeisactuallyoutoflimits.(Type2)
V.2.4TheVMSprovidesaroll,yaw,orpitchinputtocorrectaninvalidattitudeindicationitisreceivingandexceedsattitudelimits.Theinvalidfeedbackisduetoavacuumpumpfailurethatrenderstheattitudeindicatorinoperative.Thecommandexceedsattitudelimits,buttheVMSdoesnotrecognizetheexceedenceduetotheinvalidattitudeindication.(Type3)
V.2.5TheVMSprovidesaroll,pitch,oryawcommandthatisappropriateforstayingwithintheUAVattitudelimits.Theactuatorwasconnectedtothecablesbackwards,andtheVMSinputhastheoppositeeffect(rollleftinputrollsUAVright).TheVMScontinuestocommandinthesamedirectioninanattempttocorrecttheattitudeeventuallyexceedingaircraftlimits.(Type4)
Notethat,justaswithUCAs,therecanbemorethanonescenarioforeachtype.Infact,thatshouldbeexpected.Intheexamplesabovetheitalicizedfontistherefinedscenarioandtheregularfontisthegeneralscenario.Thescenariotypeinformsthegeneralscenario.Therefinedscenarioisbasedonknowledgeofthesystemandtheoperationalcontext.Theremaybemorethanonerefinedscenariopergeneralscenario.DividingupthescenariosassistsfacilitationofanSTPAanalysis.AnSTPAexpertcanderivethegeneralscenarios,thenworkwiththesystemandoperationalexpertstodeterminetherefinedscenariosthatareapplicabletothespecificuseofthesystem.ThisprocessalsorevealsadditionalhazardsassociatedwiththeUCAsthatmightnotbeapparentduringUCAdevelopment.Intheexampleabove,theUCAisassociatedwiththehazardH4.ScenarioV.2.5isassociatedwithanadditionalhazard,H5,“UAVdepartsapron,taxiway,orrunwayduringgroundoperations.”In1995,amishapsimilartothisscenariooccurred.Thelongitudinalandlateralcontrolswerecrossed,resultinginpitchinputscausingrolloutputs.(28)Theaircraftwasunabletotakeoff,andranofftherunway,killingthepilot.Thescenariogenerationprocessservestohelpstimulateideaswhendevelopingscenarios,resultinginmorescenariosandcoverageacrossthecontrolstructure.TherestofthescenariosarefoundinAppendix2.Oncethescenariosaregenerated,safetyconstraintsmustbeidentifiedtopreventthescenariofromoccurring.Thesescenariosprovideactionableinformationthatcanbeimplementedintothesystemdesignoroperations/maintenanceprocedures.Thesafetyconstraintsforthescenariosshownaboveareasfollows:
SC.V.2.1Wiringmustbedesignedtowithstandtheflightenvironment,andinspectedbeforeflight.SC.V.2.2TheVMSmustbeprogrammedwithlimitsatallflightconditions.SC.V.2.3Theaeromodelmustbevalidatedfortheentireflightenvelopeandflightconfigurationstoincludeabnormalconfigurations
Page 64
64
SC.V.2.4AsecondaryattitudeindicatormustbeincludedintheUAVdesignasabackuptothemainattitudeindicator.TheVMSmustreceivefeedbackofavacuumpumpfailuresothatitcanswitchtothesecondaryattitudefeedbackSC.V.2.5Afteranycontrolsurfacerelatedmaintenance,acontrolscheckmustbeaccomplished.Acontrolscheckmustalsobeaccomplishedduringpreflight.Considerdifferentconnectorsforthedifferentdirectionssothatitcannotphysicallybeconnectedbackwards.
UAVSTPASummaryTheSTPAanalysisontheUAVresultedin211scenariosandassociatedsafetyconstraintsfortheoperator,and65scenariosandsafetyconstraintsfortheVMSforatotalof276scenarios.Severalofthesafetyconstraintsareapplicabletomorethanonescenario.Manyofthesafetyconstraintsarealsoalreadyimplementedintheprogramthroughoperationalproceduresordesigndecisions.Constraints,alongwiththeirassociatedUCAandscenario,thatmaybeofinteresttotheprogram.Thesescenariosarehighlightedtoillustratecoverageacrossdesign,testing,maintenance,andoperations.Designconstraints:V12.TheVMSprovidesareducedthrottlesettingtoolateaftertheUAVflaresforlanding. ScenarioV.12.3.TheVMSprovidedthecommandlateduetoincorrectsystem
feedback.Thelaseraltimeterismalfunctioningandprovidingincorrectaltitudedata.TheVMSbelievestheUAVistoohighforareducedthrottlesetting.
SafetyConstraintSC.V.12.3.TheUAVmustbedesignedtodetectlaseraltimetermalfunctions.Thelaseraltimetermustbeinspectedregularlyforproperfunction,andtheexteriormustbecleanbeforeflight.
V14.TheVMSprovidesathrottlesettingtodeceleratetoatargetspeed,butthethrottleisnotincreasedbeforereachingstallspeed. ScenarioV.14.5.TheVMSprovidedthecommandtoincreasethethrottleoncetarget
airspeedwasreached,howeverthethrottlewasnotincreased.Thepowersystemdidnotprovidepowertotheactuatorduetoapowersystemfailure.
SafetyconstraintSC.V.14.5.Flightcriticalcomponentssuchasactuatorsmusthavebackuppowersothattheaircraftmaybelandedafterapowersystemfailure.
TheUAVprogramhasexperiencedtwomishapsassociatedwithpowerloss.Thefirstmishapwasduetoanalternatorbeltfailure.TheUAVwasredesignedwithtwoalternatorstoprovideredundantpowerafterthemishap.Thesecondmishapwasduetoawiringerror.BothalternatorswerewiredtoasupplywirethatconnectedtotheVMS.Thesupplywireeitherbroke,orhadalooseconnectorwhichresultedinVMSpowerloss.TheUAVhasbeensinceredesignedagaintoprovideasupplywirefromeachalternatortotheVMS,andthebatterystoresenoughpowerfor5hoursofflightwithonlyflightessentialsystemspoweredon.Whilethisscenariodoesn’tdirectlydiscussthesespecificdesignissues,itdoescoverensuringthatflightcriticalcomponentsarepowered.Asthedetaileddesignisdeveloped,theSTPAanalysiswouldalsobecomemoredetailedandaddressthesespecificissues.
Page 65
65
Testingconstraints:V6.TheVMSprovidesaroll,pitch,oryawcommand,buttheaileron,elevator,orrudderisnotbroughtbacktoneutralwhentheaircraftreachesthetargetheading/descent/ascent ScenarioV.6.2.TheVMSprovidesacommandtoreturntheaileron,elevator,orrudder
backtoneutral,howevertheaeromodelisincorrectandtheaircraftdidnottakeaslongasexpectedtoreachthedesiredheading/descent/ascent.
SafetyconstraintSC.V.6.2.Theaeromodelmustbevalidatedfortheentireflightenvelopeandflightconfigurationstoincludeabnormalconfigurations.
ThemostrecentUAVmishapwasduetoanenginefailureaftertakeoff.TheUAVwasatanaltitudethatallowedtheoperatortoturntheUAVbacktowardstheairfieldforadeadsticklanding.Theautopilotdidnotaccountforthelackofthrustandwascommandingthrust(eventhoughthrustcommandshadnoeffect).Deadstickflightwasnevertested,thereforetheaeromodelwasnotvalidated.TheUAVlandedhard,resultinginrepairabledamage.Engineoutaeromodellingwasnevervalidatedbecauseoftheriskassociatedwiththetest.Itisrecommendedthatabnormalconditionsaretestedexactlybecauseoftheassociatedrisk.Itismuchbettertofindoutthattheaeromodelisincorrectincontrolledtestconditionsratherthanabusyoperationalairfieldwherethepotentialtostrikepeopleandequipmentisgreater.Itisnotnecessarytolandtheaircraftinanengineoutcondition.Rather,thetestshouldoccurhigheraltitudessothattheenginemayberestartedbeforelanding.Ifthereareotherabnormalconditionsthatwerenotvalidateditisrecommendedthattheprogramvalidatesthoseconditions.C11.TheoperatordoesnotprovidealtitudewhentheGPSwaypointsareupdated ScenarioC.11.4.TheoperatorprovidesanewaltitudeassignmentwiththeupdatedGPS
waypoints.ThealtitudeisnotattainedbytheUAV,howeverbecausetheadditionalalternatorsreducemaxengineRPM,thusdecreasingtheservicealtitudeoftheUAV.
SafetyconstraintSC.C.11.4.Simulationandflighttestmustbeaccomplishedtovalidatethelimitationsofthebaselineaircraftorvalidatenewlimitationsduetomodifications
Maintenanceconstraints:V6.TheVMSprovidesaroll,pitch,oryawcommand,buttheaileron,elevator,orrudderisnotbroughtbacktoneutralwhentheaircraftreachesthetargetheading/descent/ascent. ScenarioV.6.1.TheVMSprovidesacommandtoreturntheaileron,elevator,orrudder
backtoneutral,howeverthecommandwasnotreceivedduetoapowersystemfault.Wiringorconnectionstotheactuatorarebroken,keepingtheactuatorfromreceivingthesignal.Or,asystempowerfailure(suchasanalternatorfailure)occurs,andtheactuatorsarenotonbatterypower.
SafetyconstraintSC.V.6.1Wiringmustbeinspectedduringpreflightandmustbedesignedtowithstandvibrationsassociatedwithflight.Thepowersystemmustbedesignedsuchthatapowersystemfailuredoesnotresultinlossofactuatorpower
Page 66
66
Ifahazardisnotcontrolledbydesign,itmustbecontrolledthroughoperationsormaintenanceprocedures.Hence,anyflightcriticalcomponentssuchaswiringmustbeinspectedbeforeflight. ScenarioV.6.4.TheVMSprovidedacommandtoreturnthecontrolsurfaceactuatorto
neutral,howeverthecontrolsurfacedidnotmoveasexpected.Theactuatorlinkageorcableisbroken,andtheaileron,elevator,orrudderisnolongercontrollable
SafetyconstraintSC.V.6.4.Actuatorsandcablelinkagesmustbeinspectedonaregularbasisandduringpreflightinspections.
Operationalconstraints:C1.TheoperatordoesnotprovidetheGPSwaypointsduringprelaunchoperations. ScenarioC.1.1.TheoperatorprovidestheGPSwaypoints.AsecondUAVsortieis
beginningatthesametime,andtheGPSwaypointsaresenttothewrongUAV.TheintendedUAVdoesnotreceivethewaypoints
SafetyconstraintSC.C.1.1.EitherUAVoperationsshouldbedeconflicted,orproceduresputinplacetoensurethecontrolstationislinkedtothecorrectaircraft.Ifanincorrectlinktakesplacealldatamustbeverifiedtoensureitiscorrect.
Currentoperationsmaynotbeofahighenoughtempothatmorethanoneaircraftisoperatedatatime,howeverconsiderationsforhighertempooperationsareimportanttoidentifyinordertoeasilyandsafelyscaleupifitisrequired.Theinterferencemayalsocomefromanaircraftorgroundstationundergoingmaintenancecheckoutsortraining,sothoseoperationsmustalsobeaccountedfor.Additionally,otherUAVprogramsusingsimilarequipmentmayinterferewiththisUAV’soperation.Currently,theoperatorverifiesthattheyarelinkedtothecorrectUAVbyusingautopilotidentification.Therefore,theprogrammustalsoconsiderthepossibilityofmaintenancereplacingtheautopilot,orswitchingittoanotheraircraftfortroubleshooting,andnotdocumentingitcorrectly.C31.Theoperatorprovidesenginestartcommandwhentheenginefailsinflight,butafterthe
UAViscommittedtolanding. ScenarioC.31.3.Theenginequitsbecausetheoperatordoesnotswitchfueltanks,and
thecurrentlyselectedfueltankisempty.Theoperatorattemptstorestarttheengine,butisunsuccessful.Duringthelandingsequence,theoperatorrealizesthefuelfeederror,switchestanks,andsuccessfullyrestartstheengine.However,theUAVistooclosetotheground,andtheautopilotdoesnottransitionsafelyfromengineoffperformancetoengineonperformance.
SafetyconstraintSC.C.31.3.TheoperatormustverifyfuelstateandswitchtanksduringenginefailureemergencyproceduresiftheUAVisabovesaferestartaltitude.TheUAVautopilotmustbedesignedtotransitionsmoothlybetweenengineoffandengineonperformance.
Inmostgeneralaviationaircraftthatrequirethepilottoswitchbetweentanks,engineoutemergencyprocedurescallforswitchingthefueltanktoensurethatfuelstarvationwasnota
Page 67
67
causeoftheenginefailure.ThisUAV’smanualdoesnothaveasuchastep.Itisrecommendedthattheprograminvestigatesaddingthesteptotheiremergencychecklist. ScenarioC.31.4.Theoperatorattemptstorestarttheengine,buttheenginedoesnot
restart.Theoperatorcontinuestoattemptarestartastimepermits,inaccordancewiththechecklist.TheUAVisflyingfarfromtheairfield,andtheexactheightabovegroundisnotknown.Theoperatorcontinuestoattemptrestartandfinallydoesrestarttheengine,buttheUAVdescendedtoolowandimpactsterrain
SafetyconstraintSC.C.31.4.Duringmissionplanning,operatorsmustdetermineminimumrestartattemptaltitudesforeachlegoftheroutethatisbasedonasafepressurealtitude,sinceexactaltitudeabovegroundmaynotbeknown.Thelaseraltimetermustbeonbatterypowerforusetodetermineheightaboveterrain.
TheemergencyproceduresappeartoassumethattheoperatorwillalwaysbeawareoftheUAV’sheightabovethegroundinordertomakeadeterminationofwhethertocontinuetorestarttheengine,orbeginditching/landingoraerodynamicterminationprocedures.However,whentheUAVisoveruneventerrain,suchashillsormountains,farawayfromtheairfieldthatinformationmightnotalwaysbereadilyavailable.Therefore,itisrecommendedthatduringmissionplanningtheoperatorschoosesomeminimumaltitudewheretheywillstopattemptingarestartforeachlegoftheroute.Thealtitudewouldbebasedonthehighestobstaclewithintheparticularleg.
C41.Theoperatordoesnotprovidelostlinkproceduresduringflightoperations. ScenarioC.42.2Theoperatordoesnotbelievethatthelostlinkprocedureneedstobe
updatedbecausetheprocedurewasrecentlyupdatedperaregularschedule.However,terrain,weather,orconflictingtrafficbetweentheUAVandairfieldhavechangedalongtheroutesincethescheduleupdate.Theoperatordoesnotprovidethelostlinkproceduresbecauseitisn’ttime,yet.
SafetyConstraintSC.42.2.ThelostlinkproceduresmustbeupdatedbasedonrouteoftravelandobstaclesbetweentheUAVandtheairfieldratherthantiming.Iftimingremainsthepreferredmethod,considercontinuingtherouteofflighttoapointknowntobefreeofobstaclesandthenreturntotheairfield–timingforlostlinkupdates&timingforreturntobasedoesn’twork.Oneneedstobebasedongeography/obstacles.
Thecurrentproceduresrequiretheoperatortoupdatelostlinkproceduresatregulartimeintervals.IftheUAVisflyingoveruniformlylowterrainfortheentireflightwithnootherobstaclessuchasconflictingtrafficorweatherbetweentheUAVandtheairfield,timeintervalsmaybeappropriate.However,foranysituationwhereterrain,traffic,andweatherareconsiderationsforlostlinkproceduresitisnotappropriate.Recommendreevaluatinglostlinkflightplanningproceduresbasedonthesafetyconstraintabove.AfulllistofthesafetyconstraintsisfoundinAppendix2.
Page 68
68
ThisUAVusecaseillustrateshowSTPAwouldbeusedduringsystemdesign.Thesafetycontrolstructuredoesnotcontainallthedetailsofafinishedproduct,yetasignificantofamountinformationwasgenerated.Safetyconstraintscoveredareassuchasmaintenance,operations,design,andtest.Werethisprogramstillinthedesignphase,theconstraintswouldbeincorporatedinthesystemdesign,andtestandoperationsplanning.Oncethenextlevelofdesigndetailiscreated,theSTPAanalysisisextendedtoincludethatdetail.InEngineeringaSaferWorld,Levesonreferstothisprocessassafetyguideddesign.(8)Figure23showsthatdesigndecisionsfeedintothehazardanalysis,whichinturnfeedsbacksafetyconstraintstobeimplementedinthedesign.
Figure23Safety-guideddesign(8)
Themoretightlycoupledthisfeedbackloopis,thefasterdesignerswillidentifysafetyconstraintsthatmustbeincorporatedinthedesignrequiringlessrework.
Page 69
69
ConclusionsThisthesisshowsthatSTPAisnotonlyuseful,butthatamoredevelopedsystems-basedsafetyprocessisnecessarytoensurethatthesystemsprovidedtothewarfighteraresafe.Asystems-basedprocesstiesthesafetyanalysistogetherthroughtheentirelifecycleofthesystemfromconceptdevelopmenttooperations.Theprocessalsonotonlyinformsthedesignofthephysicalsystem,butalsooftheentiresystemtoincludesupportandoperationsconstructs.IfSTPAistohaveameaningfulimpactonaircraftsafetyintheAirForce,itcannotsimplybeimplementedontopofcurrentsafetyprocesses.Programofficesdonotneedmorework,astheyareverybusyasitis.Whattheyneedisacohesivesystems-basedsafetystrategythatpromotesthoughtfulsystemdesignandmaintainssafetythroughoutthelifecycleofthesystem.Initialadoptionmayprovechallenging.ItmaybedifficulttoconvinceAFLCMCtoswitchfromcurrentprobabilisticassessmentstoSTPA.Likely,STPAwillinitiallybedoneinconjunctionwithcurrentprocessesonatrialbasis.Intheshort-term,thismeansmoreworkforthePOthatdecidestotrySTPA.Inthelong-term,oncethenewapproachtosafetyisproven,thenworkloadwilldecrease.Infact,incomparisonswithfaulttrees,FMEAs,andothertraditionalhazardanalysistechniques,STPAhasbeenfoundineverycasetobeordersofmagnitudecheaper.OnemethodtointroduceSTPAtotheacquisitionsprocessisthroughairworthiness.Thesystemsafetyprocessflowsfromairworthinesscertificationrequirements.IftheairworthinessofficeacceptsSTPA,systemsafetyprocesseswilladjusttomatchthenewcertificationstandard.Infact,theFAAiscurrentlylookingintoallowingSTPAtobeusedasanalternativemethodtotheSAEARPstandards.Itisoftenthoughtthatsafetyisatoddswithdesignandprogramefficiency.However,thisisnotthecasewithSTPAbecauseitisasystems-basedanalysis.NotonlyisSTPAcheapertoperformthancurrenthazardanalysistechniques,butusingSTPAduringthedesignprocesswillsavesystemprogramofficestimeandmoneyinreworkthatisdiscoveredafterthedesignprocessiscompleteduringdevelopmentaltesting.
Page 70
70
AcronymListing AF–AirForceAoA–AnalysisofAlternativesBLOS–BeyondLineofSightCAST–CausalAnalysisbasedonSTAMPCDR–CriticalDesignReviewCOTS–CommercialofftheshelfDT–DevelopmentalTestEBAO–Effects-BasedApproachtoOperationsEMD–Engineering,Manufacturing,andDevelopmentFMEA–FailureModesandEffectsAnalysisFMECA–FailureMode,Effects,andCriticalityAnalysisFOC–FullOperationalCapabilityFTA–FaultTreeAnalysisGPS–GlobalPositioningSystemHAZOP–HazardandOperabilityStudyJSTARS–JointSurveillanceTargetAttackRadarSystemLOS–LineofSightLRIP–Low-RateInitialProductionMAJCOM–MajorCommandMEFR–MilitaryFlightReleaseMOCA–MinimumObstacleClearanceAltitudeMRFR–MilitaryRestrictedFlightReleaseMTC–MilitaryTypeCertificateOT–OperationalTestO&S–OperationsandSupportOT&E–OperationalTestandEvaluationPM–ProgramManagerPO–ProgramOfficeRFP–RequestforProposalSE–SystemsEngineeringSEP–SystemEngineeringPlanSRD–SystemRequirementsDocumentSTAMP–Systems-TheoreticAccidentModelandProcessesSTPA–SystemTheoreticProcessAnalysisTAA–TechnicalAirworthinessAuthorityTEMP–TestEvaluationMasterPlanTO–TechnicalOrderUAV–UnmannedAerialVehicleUCA–UnsafeControlActionUI–UserInterfaceVMS–VehicleManagementSystem
Page 71
71
VNE–VelocityNottoExceed
Page 72
72
Appendix1:JSTARSSTPAAnalysis Table8JSTARSScenarios
UCA Hazards Number Main Scenario Description Safety Constraint
JSTARS does not provide target coordinates to support aircraft when the target needs to be engaged (H4)
H4 J.1.1
JSTARS provides target coordinates, but the support aircraft did not receive them. The communication was jammed by enemy forces
JSTARS must be able to overcome communications jamming by enemy forces
J.1.2
JSTARS provides target coordinates, but the support aircraft did not receive them. The support aircraft does not have compatible communications capabilities
JSTARS must be designed to communicate with all potential support aircraft
J.1.3
JSTARS does not provide target coordinates to the support aircraft because JSTARS does not believe the target needs to be engaged. The JSTARS believes either the enemy does not currently pose a threat to friendly forces.
JSTARS must be able to determine threats to friendly forces and provide target coordinates to support aircraft to prevent the enemy from engaging friendly ground troops
J.1.4
JSTARS does not provide target coordinates to the support aircraft. The JSTARS does not know that the support aircraft has the appropriate munitions to engage the target
JSTARS must be provided weapons stores information for support aircraft in the area
Page 73
73
J.1.5
JSTARS does not provide target coordinates to the support aircraft. The JSTARS does not know that the support aircraft is in the area
JSTARS must be aware of support aircraft in the area
J.1.6
JSTARS does not provide target coordinates to the support aircraft. JSTARS cannot detect the location of enemy forces
The JSTARS must be able to detect enemy forces and determine their location
J.1.7
Ground troops requested that the target be engaged to the JSTARS controller coordinating with ground troops, but that message was not relayed to the controller coordinating with support aircraft
JSTARS must be designed to provide coordination between ground troops and support aircraft
J.1.8
JSTARS provides target coordinates, but the support aircraft does not engage the enemy. The support aircraft detects enemy air defenses that the JSTARS does not, and decides not to engage
JSTARS must either detect all enemy air defenses, or receive air defense data from other sources. JSTARS must then provide target coordinates to the support aircraft outside enemy air defense capabilities
JSTARS provides target coordinates, but the coordinates are not where the enemy is located (H2, H3)
H2, H3 J.2.1
The JSTARS provided accurate target coordinates via a datalink to the support aircraft, however enemy forces were able to corrupt the transmission
The JSTARS datalinks must be secured from enemy disruption
Page 74
74
J.2.2
JSTARS provides coordinates, but they are not were the enemy is located. JSTARS is unable to differentiate between enemy forces, friendly forces, and civilians in the area.
JSTARS must either be able to differentiate between enemy, friendly, and civilians or use other sources to provide target differentiation
J.2.3
The JSTARS sensor data is inaccurate, and the coordinates provided do not match the actual location of the enemy
JSTARS sensor data must be accurate in order to determine the location of the enemy
J.2.4
The JSTARS provided coordinates of an area to avoid, due to presence of civilians or friendly forces, but the support aircraft believed these were target coordinates
JSTARS must be able to provide areas to avoid without those areas being misinterpreted as target coordinates
JSTARS provides target coordinates to support aircraft that are within contested airspace (H6)
H6 J.3.1
The target is located on the edge of enemy air defenses. JSTARS provides coordinates and a vector to the target that will avoid the defenses, however the vector is 180 degrees off, causing the support aircraft to travel through contested airspace
JSTARS must ensure that vectors to target coordinates are such that the support aircraft will not travel through contested airspace
J.3.2
JSTARS provides target coordinates to support aircraft that are within contested airspace. JSTARS does not believe the radius of the air defenses is large enough to endanger support aircraft that engage the target
JSTARS must have accurate information regarding enemy capabilities
Page 75
75
J.3.3
JSTARS does not detect the enemy air defenses, and therefore does not recognize that the target coordinates are within contest airspace
JSTARS must either be able to detect enemy air defenses or be provided enemy air defense data prior to the operation
J.3.4
The air defenses were supposed to be disrupted, however they were not. JSTARS did not receive feedback that efforts to destroy/disrupt the defenses were unsuccessful and provided target coordinates to the support aircraft that are within contested airspace
Feedback must be provided to the JSTARS if efforts to disrupt enemy air defenses are unsuccessful
JSTARS provides target coordinates before the enemy forces have separated from civilians (H3)
H3 J.4.1
JSTARS provides target coordinates to a support aircraft with instructions to wait until the civilians are no longer in proximity of the enemy forces. The communication is disrupted, and the instruction to delay was not received
JSTARS must have undisrupted communications with support aircraft
J.4.2
JSTARS misinterprets the rules of engagement and believes that the collateral damage is acceptable and does not wait for the civilians to no longer be in proximity of enemy forces
JSTARS must understand the rules of engagement and must communicate questions regarding the rules to AOC if there are concerns regarding civilian safety
J.4.3
JSTARS is not aware of civilian presence, and therefore does not know to wait until enemy and civilians are not longer in proximity
JSTARS must either be able to detect a civilian presence near enemy forces or be provided the data from other sources
Page 76
76
J.4.4
After JSTARS provides target coordinates civilians move into proximity with civilian forces. JSTARS does not have time to call off the attack
JSTARS must monitor area around enemy forces and be able to determine if civilians may move into the area (for instance, driving on a road in the direction of enemy forces)
J.4.5
JSTARS provides target coordinates to a support aircraft, however that aircraft is unable to engage the target. The aircraft's wingman engages the target instead. The first aircraft had smaller munitions that would result in more localized damage, but the second aircraft had larger munitions with a larger effective radius that included the civilian position
If the original aircraft is unable to engage the target and a second aircraft is utilized, JSTARS must determine the suitability of the second aircraft's weapons before allowing the engagement to continue
JSTARS provides target coordinates after the enemy leaves the target location (H2, H3)
H2, H3 J.5.1
JSTARS provides target coordinates after the enemy leaves the target location. The JSTARS does not detect that the enemy has moved away from the target coordinates.
The JSTARS must be able to detect enemy forces and determine their location
J.5.2
JSTARS provides target coordinates while the enemy is still in the location, however the support aircraft is delayed in engaging the target due to maintenance issues.
JSTARS must be able to track target and provide the support aircraft with updated coordinates as the target moves
Page 77
77
JSTARS provides target coordinates to support aircraft after friendly forces have moved towards and engaged enemy forces (H2)
H2, H3 J.6.1
JSTARS provides target coordinates through datalink system. Due to the high volume of traffic across the links, the message was queued and receipt was delayed by the support aircraft
JSTARS must have capability to handle large amounts of communication traffic such that all messages are sent as soon as possible or prioritize high value information.
J.6.2
JSTARS cannot detect the movement of friendly forces, and does not recognize that they are within close proximity of enemy forces
JSTARS must be able to track friendly forces
J.6.3
JSTARS provides target coordinates before friendly forces have engaged the enemy, however the support aircraft is delayed in engaging the target due to maintenance issues
JSTARS must be informed of or able to track friendly positions and provide the support aircraft with updated instructions
JSTARS provides target coordinates to support aircraft after support aircraft expends weapons (H7)
H7 J.7.1
JSTARS does not receive feedback on weapons status of support aircraft, and does not realize that the support aircraft tasked to engage the enemy has expended weapons
JSTARS must receive feedback when support aircraft are out of weapons
J.7.2
The support aircraft has some weapons onboard, but not weapons that are appropriate for the task. JSTARS does not receive feedback on type of weapons loaded on the aircraft
JSTARS must receive feedback indicating what type of weapons the support aircraft are carrying
Page 78
78
JSTARS does not provide airspace deconfliction when support aircraft are co-altitude in the same airspace (H1)
H1 J.8.1 JSTARS provides deconfliction instructions to the support aircraft, however the communications are disrupted
JSTARS communications with support aircraft must be secure and not able to be disrupted
J.8.2
JSTARS believes that even though the aircraft are co-altitude, they are horizontally deconflicted. However their orbits intersect
If aircraft are in holding patterns awaiting instructions, those patterns must not intersect. JSTARS must be designed to assist JSTARS controllers with deconfliction
J.8.3 JSTARS does not receive feedback regarding the location and altitude of support aircraft
JSTARS must receive feedback regarding location and altitude of support aircraft in order to deconflict them
J.8.4
JSTARS provides deconfliction instructions to separate the aircraft at different altitudes, however one of the aircraft has not switched from airfield altimeter setting to the current altimeter setting in theater and the aircraft are still co-altitude
JSTARS must provide a standard altimeter setting for all aircraft that are in the JSTARS area of responsibility
JSTARS provides support aircraft deconfliction instructions that create a conflict (H1)
H1 J.9.1
JSTARS provides deconfliction instructions that do not conflict with other traffic, however the support aircraft aircrew either mishear or misread the instructions and fly a different route than instructed that causes a conflict
JSTARS must require instruction feedback to ensure oral instructions are understood. If instructions are given via a datalink the JSTARS must be designed to provide the data such that it can be directly input into the support aircraft system
Page 79
79
J.9.2
JSTARS provides support aircraft deconfliction instructions to one aircraft that puts it in conflict with another aircraft. Aircrew on the JSTARS are responsible for controlling different support aircraft and have no way of deconflicting instructions
JSTARS must be designed so to ensure mission deconfliction among multiple JSTARS controllers for both air assets and ground assets
J.9.3
JSTARS is not aware of all aircraft in the vicinity, and deconflicts support aircraft, but puts support aircraft in conflict with other aircraft
JSTARS must be aware of all aircraft in the area
J.9.4
JSTARS provides deconfliction instructions that do not conflict with other traffic, however the support aircraft also receive instructions from other controllers such as AWACS or ground controllers and follow those instructions
JSTARS must be designed to operate with other controlling functions to prevent conflicting instructions to support aircraft
JSTARS provides airspace deconfliction when the route is too close to terrain (H5)
H5 J.10.1 JSTARS does not provide a route too close to terrain, but the support aircraft receives the route from another source.
JSTARS must be designed such that communication between JSTARS and support aircraft is secure.
J.10.2 JSTARS is not provided with detailed terrain data, and does not realized that the route is too close to terrain
JSTARS must be designed to provide terrain data to controllers and warn controllers if a proposed route is too close to terrain
Page 80
80
J.10.3
JSTARS provides deconfliction instructions that are above the terrain, however the standard altimeter setting provided to the support aircraft was incorrect resulting in a lower altitude above ground than intended
JSTARS must provide a standard altimeter setting that is appropriate given the atmospheric conditions of the area at the time. The setting must be updated when conditions change
JSTARS provides airspace deconfliction when the new route is through contested airspace (H6)
H6 J.11.1 JSTARS does not provide a route through contested airspace, but the support aircraft receives the route from another source.
JSTARS must be designed such that communication between JSTARS and support aircraft is secure
J.11.2
JSTARS does not detect the enemy air defenses, and therefore does not recognize that the new route is through contest airspace
JSTARS must either be able to detect enemy air defenses or be provided enemy air defense data prior to the operation
J.11.3
JSTARS provides a route that is not through contested airspace, however the support aircraft's navigation is inaccurate or disrupted, causing the support aircraft to fly into contested airspace
JSTARS must either be able to detect the location of aircraft relative to contested airspace or be provided the information in order to correct the support aircraft's heading before it enters contested airspace
JSTARS provides aircraft deconfliction before support aircraft changes radio frequency to JSTARS frequency (H1)
H1 J.12.1
JSTARS instructed an aircraft to maintain an orbit near the entry point into the JSTARS controlled airspace. The incoming aircraft is being handed off to the JSTARS and switching frequencies when the deconfliction call is made
JSTARS must not instruct an aircraft to maintain an orbit near an identified entry point into the airspace.
Page 81
81
J.12.2
The combat operation is very busy, and JSTARS is overtasked. The JSTARS provides the deconfliction to the aircraft that just entered the airspace, but does not receive a response from the aircraft. Due to the high volume of radio calls, JSTARS does not realize they did not get a response from the aircraft
JSTARS must receive confirmation of instructions. The JSTARS must be designed to ensure safety-critical tasks such as airspace deconfliction are not overlooked
JSTARS provides aircraft deconfliction instructions after a midair collision (H1)
H1 J.13.1
JSTARS provides deconfliction instructions before the aircraft is involved in a midair, but communications were disrupted and the aircraft did not receive the instructions
JSTARS communications with support aircraft must be secure and not able to be disrupted
J.13.2
JSTARS did not recognize that in order for a support aircraft to engage a target it would travel through another aircraft's orbit until the aircraft was in proximity of the other aircraft
JSTARS must be designed to assist the controllers with airspace deconfliction and warn controllers when one aircraft's route will intersect with another aircraft's route or orbit
J.13.3
JSTARS provides aircraft deconfliction instructions to aircraft after it is involved in a midair collision. JSTARS does not receive timely positon reports from aircraft within the area of responsibility
JSTARS must receive real-time or near real-time feedback of support aircraft position and altitude
JSTARS provides partial aircraft deconfliction instructions (H1)
H1 J.14.1
JSTARS provides complete deconfliction instructions, however the communication is disrupted and the aircraft does not receive the entire procedure
JSTARS communications with support aircraft must be secure and not able to be disrupted
Page 82
82
J.14.2
JSTARS controllers are not aware of all aircraft within the airspace, and believe that just altitude or vectors are required to deconflict the aircraft, but both are actually needed due to multiple conflicting aircraft
JSTARS must be aware of all aircraft in the area
J.14.3
JSTARS controllers provide complete aircraft deconfliction instructions, however the support aircraft only comply with part of the instructions. The support aircraft pilot is unable to comply with the entire procedure
JSTARS must be designed to provide controllers with aircraft location information so that if an aircraft does not follow deconfliction instructions the JSTARS controllers may correct the situation
JSTARS does not provide target coordinates to ground troops when a target needs to be engaged (H4)
H4 J.15.1
JSTARS provides the target coordinates to ground troops, however the communication is disrupted or the ground troops do not have interoperable communications capability
JSTARS must communicate with ground troops, and the communication must be secure and not able to be disrupted
J.15.2
One JSTARS controller coordinates with ground troops and another coordinates with support aircraft. The ground troop controller believed that the support aircraft controller would have a support aircraft engage the target
JSTARS must be designed to provide communication and coordination between controllers
J.15.3
JSTARS does not provide target coordinates to ground troops when a target needs to be engaged. The JSTARS does not receive ground troop request for target coordinates
JSTARS must be designed to receive ground troops requests
Page 83
83
J.15.4
JSTARS provides target coordinates to ground troops, but they do not engage the enemy. They do not have capability to engage the enemy at the current distance
JSTARS must be aware of ground troops capability
JSTARS provides target coordinates to ground troops, but they are not where the enemy is located (H2, H3)
H2, H3 J.16.1 JSTARS provides accurate target coordinates, but the communication is disrupted and the ground troops receive incorrect data
JSTARS communication must be secure and not able to be disrupted
J.16.2
JSTARS detects personnel presence and determines the personnel are enemy forces, but misinterprets location data. JSTARS provides the information to ground forces, however the coordinates are incorrect
JSTARS must be designed to provide accurate coordinate information
J.16.3
JSTARS sensors detect personnel presence and movement, but cannot determine whether they are civilians, enemy forces, or friendly forces
JSTARS must be able to determine if personnel present are civilians, enemies, or friendlies, or JSTARS must be provided that data from other sources
J.16.4
JSTARS provides accurate target coordinates, but the ground troops misinterpret the coordinates and target a different location
JSTARS must be designed to provide target coordinates consistent with ground troop procedures and equipment so that they do not have to translate the data. JSTARS should be able to communicate directly with ground troop equipment.
Page 84
84
JSTARS provides target coordinates after the enemy leaves the target location (H2, H3)
H2, H3 J.17.1
JSTARS provides the target coordinates to ground troops, however the communication is disrupted and delayed until after the enemy has moved
JSTARS communication must be secure and not able to be disrupted
J.17.2
JSTARS does not detect enemy movement, either due to the sensor scan rate or sensitivity of sensor, and therefore believes that the original target location is still accurate
JSTARS sensors must be able to detect enemy movement
J.17.3
JSTARS provides the target coordinates before the enemy leaves the target location, however the ground troops delay engagement of the enemy. JSTARS does not continue to monitor the enemy location due to other sensor requests and does not provide ground troops with updated information
JSTARS must be designed to be able to monitor known enemy locations while performing other sensor functions
JSTARS provides target coordinates to ground troops after friendly forces have moved towards and engaged enemy forces (H2)
H2 J.18.1
JSTARS provides target coordinates to ground troops before friendly troops have engaged enemy forces, however the communication is disrupted. JSTARS troubleshoots the problem and resends the coordinates, but by this time friendly forces have moved within close proximity of the enemy
JSTARS communication must be secure and not able to be disrupted. If communication is disrupted, JSTARS must have procedures in place to determine whether or not the commands are still appropriate once communications are reestablished
Page 85
85
J.18.2
JSTARS recognizes that friendly forces are moving towards the enemy forces in order to engage the enemy, but still provides target coordinates to the ground troops. JSTARS believes that the friendly forces are far enough away from the enemy to allow the ground troops to attack the enemy
JSTARS must be aware of ground ordnance radius and ensure friendly troops are not within that radius.
J.18.3
JSTARS provides target coordinates to ground troops after friendly forces have engaged the enemy. The friendly forces do not provide feedback to either JSTARS or the ground troops in contact with JSTARS indicating they are in proximity of enemy forces
JSTARS must be designed to detect friendly forces in order to prevent providing target coordinates that result in friendly fire. In addition, procedures must be in place to ensure ground troops inform JSTARS of troop movements.
Appendix2:UAVSTPAAnalysisTable9UAVOperatorSafetyConstraints
UCADesignator UCA Hazards Constraint
C1TheoperatordoesnotprovidetheGPSwaypointsduringprelaunchoperations
H3TheoperatormustprovideGPSwaypointsduringprelaunchoperations
C2TheoperatordoesnotprovideupdatedGPSwaypointswhenmissionchanges
H3TheoperatormustprovideGPSwaypointsduringthemissionwhenthemissionchanges
C3TheoperatorprovidestheGPSwaypointswhentheydonotalignwiththemission
H3TheoperatormustnotprovideGPSwaypointsthatdonotalignwiththemission
C4TheoperatorprovidestheGPSwaypointswhentheypresentaconflictwithotheraircraft
H2TheoperatormustnotprovideGPSwaypointsthatpresentaconflictwithotheraircraft
Page 86
86
C5
TheoperatorprovidesGPSwaypointsandtheroutelengthexceedsthefuelonboard
H4 TheoperatormustnotprovideGPSwaypointsforaroutethatexceedsthefuelonboard
C6
TheoperatorprovidesGPSwaypointsthatcreatearouteoutsideofLOSradiusandBLOSisnotbeingused
H3,H4
TheoperatormustnotprovideGPSwaypointsthatcreatearouteoutsideLOSradiusifBLOSisnotbeingused
C7
TheoperatorprovidesGPSwaypointsafterLOSislost,butbeforeBLOSradiolinkisestablished
H3,H4TheoperatormustprovidewaypointswhiletheUAVisinLOS
C8TheoperatorprovidesGPSwaypointsaftertheUAVreachesbingofuel
H4TheoperatorprovideGPSwaypointstobringtheUAVbacktotheairfieldbeforetheUAVreachesbingofuel
C9
TheoperatorprovidesGPSwaypointsandthenumberofwaypointsexceedthestoragecapacityoftheautopilot
H3 TheoperatormustnotprovideGPSwaypointsforaroutethatexceedsthefuelonboard
C10
TheoperatorprovidesGPSwaypoint,butthelistofwaypointsisnotcompletefortheentiremission
H3 TheoperatormustprovideacompletesetofGPSwaypointsfortheentiremission
C11TheoperatordoesnotprovidealtitudewhentheGPSwaypointsareupdated
H1,H2,H3
TheoperatormustprovideupdatedaltitudeassignmentswhentheGPSwaypointsareupdated
C12
Theoperatorprovidesaltitudewhenthealtitude,coupledwiththeprogrammedwaypointsarenotaboveminimumobstacleclearancealtitude(MOCA)
H1
TheoperatormustnotprovidealtitudesthatarebelowtheMOCA
C13
Theoperatorprovidesaltitudewhenthealtitudeconflictswithothertraffic'saltitudeblocks
H2 Theoperatormostnotprovidealtitudeassignmentsthatconflictwithotheraircraft
C14
TheoperatorprovidesaltitudewhenthealtitudeisaboveicinglevelandtheUAVfliesthroughclouds
H4 TheoperatormustnotprovideanaltitudeabovetheicingleveliftheUAVfliesthroughclouds
Page 87
87
C15
TheoperatorprovidesaltitudeafterLOSislostduetoterrainmasking,butbeforeBLOSradiolinkisestablished
H3 TheoperatormustprovideanaltitudeassignmentbeforeLOSislost
C16
TheoperatorprovidesaltitudewhenthealtitudeassignmentsexceedthenumberofGPSwaypoints
H3 Theoperatormustprovidethesamenumberofaltitudeassignmentsaswaypoints
C17
Theoperatorprovidesaltitudewhentherearefeweraltitudeassignmentsthanwaypointsanditdoesnotincludetheentiremission
H3 Theoperatormustprovidethesamenumberofaltitudeassignmentsaswaypoints
C18Theoperatordoesnotprovideairspeedduringachangeinflightconditionorenvironmentalconditions
H1,H4,H6 Theoperatormustprovideairspeed
duringachangeinflightphaseorenvironment
C19
Theoperatorprovidesairspeedwhentheairspeedprovidedisatorbelowstallspeed
H4 Theoperatormustnotprovideanairspeedbelowstallspeed
C20TheoperatorprovidesairspeedwhentheairspeedisaboveVNE
H6 TheoperatormustnotprovideanairspeedaboveVNE
C21
Theoperatorprovidesairspeedwhenflightplanningfueldurationwasbasedonauto(maxendurance)airspeed,butahigherairspeedisset
H3,H4
Theoperatormustmonitorthefuelstateandnotprovideairspeedsignificantlydifferentthantheflightplannedairspeedforsubstantialportionsofthecruisephase
C22Theoperatorprovidesanairspeedvaluethatwillcreateaconflictwithotheraircraft
H2Theoperatormustnotprovideanairspeedvaluethatconflictswithotheraircraft
C23TheoperatorprovidesairspeedaftertheUAVstalledduetoslowflight
H4TheoperatormustprovideanairspeedabovestallspeedbeforetheUAVdepartscontrolledflight
Page 88
88
C24 TheoperatorprovidesairspeedafterstructuraldamagefromflyingaboveVNE
H6
TheUAVairspeedmustneverexceedVNE.IfthereisanexcursionaboveVNE,theoperatormustprovideanairspeedbelowVNEassoonaspossibleandreturntobase.
C25
TheoperatorprovidesairspeedwhenthenumberofairspeedassignmentsexceedthenumberofGPSwaypoints
H3 Theoperatormustprovidethesamenumberofairspeedassignmentsaswaypoints
C26
TheoperatorprovidesairspeedwhenthenumberofairspeedassignmentsarefewerthanthenumberofGPSwaypoints
H3 Theoperatormustprovidethesamenumberofaltitudeassignmentsaswaypoints
C27Theoperatordoesnotprovideenginestartduringprelaunchenginerun-up
H3Theoperatormustprovidetheenginestartcommandduringprelaunchenginerun-up
C28Theoperatordoesnotprovideenginestartduringbeforetakeoffprocedure
H3Theoperatormustprovideenginestartcommandduringbeforetakeoffprocedure
C29
Theoperatordoesnotprovideenginestartcommandwhentheenginefailsinflightandtheengineneedstoberestarted
H4 Theoperatormustprovideenginestartcommandwhentheenginefailsinflight
C30
Theoperatorprovidestheenginestartcommandwhengroundpersonnelarenearthepropellers
H1 Theoperatormustnotprovidetheenginestartcommandwhengroundpersonnelarenearthepropellers
C31
Theoperatorprovidesenginestartcommandwhentheenginefailsinflight,butaftertheUAViscommittedtolanding
H1TheoperatormustnotprovidetheenginestartcommandwhentheenginefailsiftheUAViscommittedtolanding
C32Theoperatordoesnotprovidethelaunchnowcommandduringtakeoff
H3Theoperatormustprovidethelaunchnowcommandduringtakeoff
C33Theoperatorprovidesthelaunchnowcommandwhentherunwayisnotclear
H2Theoperatormustnotprovidethelaunchnowcommandiftherunwayisnotclear
Page 89
89
C34TheoperatorprovidesthelaunchnowcommandwhentheUAVisnotontherunway
H5TheoperatormustnotprovidethelaunchnowcommandwhentheUAVisnotontherunway
C35
Theoperatorprovidesthelaunchnowcommandbeforegroundpersonnelhaveclearedthearea
H1
Theoperatormustnotprovidethelaunchnowcommandbeforegroundpersonnelhaveclearedthearea
C36TheoperatorprovidesthelaunchnowcommandaftertheUAVisairborne
H4TheoperatormustnotprovidethelaunchnowcommandaftertheUAVisairborne
C37
TheoperatordoesnotprovidethelandnowcommandwhentheUAVisinthepatternandatminimumfuel
H4
TheoperatormustprovidethelandnowcommandwhentheUAVisabovetheairfieldandatminimumfuel
C38TheoperatordoesnotprovidethelandnowcommandwhentheUAVisattheairfieldandotheraircraftareattemptingtoenterthepattern
H2
TheoperatormustprovidethelandnowcommandwhentheUAVmustprovidethelandnowcommandwhentheUAVisinthepatternandotheraircraftareattemptingtoenterthepattern
C39Theoperatorprovidesthelandnowcommandwhentherunwayisnotclear
H2Theoperatormustnotprovidethelandnowcommandwhentherunwayisnotclear
C40TheoperatorprovidesthelandnowcommandwhentheUAVisnotattheairfield
H1TheoperatormustnotprovidethelandnowcommandwhentheUAVisnotattheairfield
C41
TheoperatorprovidesthelandnowcommandbeforetheUAVcompletestheairfieldarrivalprocedure
H1,H2
TheoperatormustnotprovidethelandnowcommandbeforetheUAVhascompletedtheairfieldarrivalprocedure
C42Theoperatordoesnotprovidelostlinkproceduresduringflightoperations
H1,H2Theoperatormustprovidethelostlinkproceduresduringflightoperations
C43
Theoperatorprovideslostlinkprocedure,andthelostlinkprocedurewaypointsconflictwithotheraircraft
H2 Theoperatormustnotprovidelostlinkproceduresthatareinconflictwithotheraircraft
Page 90
90
C44
Theoperatorprovideslostlinkprocedures,andthelostlinkprocedureisnotatoraboveMOCA
H1 TheoperatormustnotprovidelostlinkproceduresthatarebelowtheMOCA
C45
Theoperatorprovideslostlinkproceduresbeforeterrain,conflictingtraffic,orweathernecessitatealostlinkprocedureupdate
H1,H2Theoperatormustnotprovideupdatedlostlinkproceduresbeforeterrainandairspacechangesnecessitatetheupdate
C46
Theoperatorprovideslostlinkprocedureswhenthewaypointsexceedthestoragecapacityoftheautopilot
H1,H2 Theoperatormustnotprovidelostlinkproceduresthatcontainmorewaypointsthanthestoragecapacity
C47
TheVMSdoesnotprovidethepayloadpoweroncommandwhenUAVisoverthetargetarea
H3 TheVMSmustprovidepayloadpoweroncommandwhenUAVisoverthetargetarea
C48 TheVMSprovidesthepayloadpoweroncommandwhenthealternatorfails
H4
TheVMSmustnotprovidepoweroncommandwhenthereisnotenoughpowerforpayloadandVMSoperation
C49 TheVMSdoesnotprovidethepayloadpoweroffcommandwhenthealternatorfails
H4
TheVMSmustprovidepayloadpoweroffcommandwhenthereisnotenoughpowerforboththepayloadandVMS
C50TheVMSprovidesthepayloadpoweroffcommandwhentheUAVisoverthetargetarea
H3TheVMSmustprovidethepoweroffcommandwhentheUAVisoverthetargetarea
Table10UAVVMSSafetyConstraints
UCADesignator UCA Hazards Constraint
V1TheVMSdoesnotprovideroll,pitch,oryawcommandswhentheUAVisoffcourse
H1,H2,H3
TheVMSmustprovideroll,pitch,oryawcommandstocorrecttheUAVcoursewhenitisoffcourse
V2TheVMSprovidesroll,pitch,oryawwhenthecommandexceedsaircraftattitudelimits
H4TheVMSmustnotprovideroll,pitch,oryawcommandsthatexceedattitudelimits
Page 91
91
V3TheVMSprovidesroll,pitch,oryawwhenthecommandsteerstheUAVoffcourse
H1,H2,H3
TheVMSmustnotprovideroll,pitch,oryawcommandsthatsteertheUAVoffcourse
V4
TheVMSprovidesthepitchdowncommandwhenthethrottleisreducedinordertodescend,butthecommandisdelayed
H4TheVMSmustprovidethepitchdowncommandafterthethrottleisreducedforadescentbeforetheUAVdeceleratestostallspeed
V5
TheVMSprovidesapitchupcommandwhenthethrottleisincreasedforaclimb,butthecommandisdelayed
H6
TheVMSmustprovidethepitchupcommandafterthethrottleisincreasedforaclimbbeforetheUAVacceleratestoVNE
V6
TheVMSprovidesaroll,pitch,oryawcommand,buttheaileron,elevator,orrudderisnotbroughtbacktoneutralwhentheaircraftreachesthetargetheading/descent/ascent
H1,H2,H3
TheVMSmustprovidearoll,pitch,oryawcommandtoreturntoneutralsuchthattheaircraftattainsthetargetattitude
V7
TheVMSprovidesaroll,pitch,oryawcommand,buttheaileron,elevator,orrudderisnotbroughtbacktoneutralbeforetheUAVreachesthetargetheading/descent/ascent
H1,H2,H3
TheVMSmustprovidearoll,pitch,oryawcommandtoreturntoneutralsuchthattheaircraftattainsthetargetattitude
V8
TheVMSdoesnotprovideathrottlesettingcommandwhenenvironmentalconditionschange
H4,H6 TheVMSmustprovideathrottlesettingwhentheenvironmentalconditionschange
V9
TheVMSdoesnotprovideahigherthrottlesettingwhentheUAVisinasustainedturn,whichreduceslift
H1,H2 TheVMSmustprovideahigherthrottlesettingduringsustainedturnstomaintaintargetaltitude
V10
TheVMSprovidesathrottlesetting,butthethrottlesettingisnotenoughtomaintainanairspeedabovestallspeed
H4 TheVMSmustprovideathrottlesettinghighenoughtomaintainanairspeedabovestallspeed
V11TheVMSprovidesathrottlesettingthatacceleratestheaircraftaboveVNE
H6TheVMSmustprovideathrottlesettinglowenoughtomaintainanairspeedbelowVNE
Page 92
92
V12TheVMSprovidesareducedthrottlesettingtoolateaftertheUAVflaresforlanding
H1,H5TheVMSmustnotprovideareducedthrottlesettingtoolateaftertheUAVflaresforlanding
V13
TheVMSprovidesathrottlesettingtoacceleratetoatargetspeed,butthethrottleisnotreducedbeforereachingVNE
H6 TheVMSmustreducethethrottlesettingbeforereachingVNEduringanacceleration
V14
TheVMSprovidesathrottlesettingtodeceleratetoatargetspeed,butthethrottleisnotincreasedbeforereachingstallspeed
H4 TheVMSmustincreasethethrottlesettingbeforereachingstallspeedwhendecelerating
Page 93
93
Table11UAVOperatorScenarios
UCA Hazard Number MainScenarioDescription SafetyConstraint
TheoperatordoesnotprovidetheGPSwaypointsduringprelaunchoperations
H3 C.1.1
TheoperatorprovidestheGPSwaypoints.AsecondUAVsortieisbeginningatthesametime,andtheGPSwaypointsaresenttothewrongUAV.TheintendedUAVdoesnotreceivethewaypoints
EitherUAVoperationsshouldbedeconflicted,orproceduresputinplacetoensurethecontrolstationislinkedtothecorrectaircraft.Ifanincorrectlinktakesplacealldatamustbeverifiedtoensureitiscorrect
C.1.2
TheoperatorprovidestheGPSwaypointstotheUAV.Asignalinterfereswiththecommand,andtheUAVdoesnotreceiveit.
UAVoperatorsmustbeawareofEMusageinoperatingareaanddeconflictoperationstoavoidinterference.
C.1.3
TheoperatordoesnotsendtheGPSwaypointseventhoughtheyareneedtocarryoutthesortie.Theoperatoristoldthatanewcustomerrouterequestisforthcoming,andtheoperatordecidestowaitforthewaypointsandcontinueonwiththepreflight.TheoperatorforgetsthattheGPSwaypointswereneverprovidedtotheUAVafterthepreflightiscomplete.
Theoperatormusteitherdelaythesortieifnewcustomerrequirementsareexpected,orprovidethecurrentGPSwaypointswithaplantoupdatethemoncethenewrequestisprovided
C.1.4
TheoperatordoesnotsendtheGPScoordinates.TheoperatorreceiveswarningsfromtheUAVindicatingthereisaproblem.Thewarningsareinaccurate,andthesystemsareoperatingcorrectly,buttheoperatorstopsprelaunchoperationstotroubleshoottheproblem.
TheUAVmustnotprovidenuisancewarnings
Page 94
94
H2 C.1.5
TheoperatorsendstheGPSwaypointstotheUAV.Theywerenotsavedbytheautopilot,andolderwaypointsalreadyloadedwerenotoverwritten.
TheautopilotmustsavetheGPSwaypointsreceivedbytheUAV
TheoperatordoesnotprovideupdatedGPSwaypointswhenmissionchanges
H3 C.2.1TheoperatorprovidestheGPSwaypoints,buttheUAVdoesnotreceivethewaypointsduetointerferencealongtherouteofflight
UAVoperatorsmustbeawareofEMusageinoperatingareaanddeconflictoperationstoavoidinterference.
C.2.2
Theoperatorreceivesaccuratefuelstatefeedback,butincorrectlybelievesthefuelstateoftheUAVwillnotallowforthenewroutebecausetheoperatormiscalculatedthecurrentUAVfueldurationormiscalculatedthedurationoftheupdatedroute.TheoperatordoesnotprovidetheGPSwaypointstotheUAVtoavoidrunningoutoffuel.
Theoperatormustbeabletoquicklyandaccuratelycalculatefueldurationandroutedurationtomakethecorrectdeterminationforroutechangesinflight
H2 C.2.3
Thecustomerrequestforaroutechangeduringthesortiewasnotbroughttotheoperatoratthegroundstation.Therequestwasdeliveredtotheoperator'sunit,whichisnotcollocatedwiththegroundstation.TheoperatordoesnotprovidetheGPSwaypointstotheUAVbecausetheoperatorisunawareofthemissionchange
Customerchangerequestsduringthemissionmustbedeliveredasquicklyaspossible.Considerhavingthechangerequestsdelivereddirectlytothegroundstation
H2 C.2.4
TheoperatorsendstheGPSwaypointstotheUAV.Theywerenotsavedbytheautopilot,andolder
TheautopilotmustsavetheGPSwaypointsreceivedbytheUAV
Page 95
95
waypointsalreadyloadedwerenotoverwritten.
TheoperatorprovidestheGPSwaypointswhentheydonotalignwiththemission
H3 C.3.1
TheoperatordoesnotprovideGPSwaypoints.Thestepisaccidentallyskippedduringpreflight.GPSwaypointsfromthelastsortiearestoredinthememoryandtheUAVusesthose
TheGPSwaypointsstoredintheautopilotmustbeverifiedwiththemissionplan
H2 C3.2
TheoperatorsendstheGPSwaypointstotheUAVhowevertheydonotalignwiththemission.Duringmissionplanningtherequestedroutewaschanged,howeverthatinformationdidnotmakeittothemissionplanners.
Customerchangerequestsduringthemissionmustbedeliveredasquicklyaspossibletomissionplanners
H2 C.3.3
TheoperatorsendstheGPSwaypointstotheUAVhowevertheydonotalignwiththemission.Themissionplannerscopyanoldmissionplanandupdateit,howevertheymissthewaypointupdates
Theoperatormustverifythemissionplanwiththecustomerrequest
H1,H2,H3 C.3.4
Theoperatorprovidedcoordinatesthatalignedwiththemission,butaBLOSoperatordoingagroundstationcheckoutaccidentallylinkedwiththeUAVandsentnewcoordinates.Thesecoordinatesoverrodethepreviouscoordinatesanddidnotalignwiththemission
GroundstationchecksmustbeeitherdeconflictedwiththeUAVflyingschedule,orbeconductedwithradiosofftoavoidtransmittingcommands
H1,H2,H3 C.3.5
TheoperatorprovidedGPSwaypointsthatalignedwiththemission,howevertheUAVdidnotflythewaypoints.TheGPSsolutionalongtherouteissuchthatthenavigationisnotaccurate
TheoperatormustreceivefeedbackwhentheaccuracyoftheGPSsolutionisbelowaminimumthreshold,additionallyothernavigationsolutions
Page 96
96
suchasINSorVORshouldbeconsideredasabackupsystem
TheoperatorprovidestheGPSwaypointswhentheypresentaconflictwithotheraircraft
H2 C.4.1
TheoperatorprovidesGPSwaypointsthatdonotconflictwithothertraffic,butthereisinterferencealongtheroute.ThewaypointsarenotreceivedbytheUAV,andautopilotuseswaypointsfromtheprevioussortie,whichconflictwithpresenttraffic
UAVoperatorsmustbeawareofEMusageinoperatingareaanddeconflictoperationstoavoidinterference.
H3 C.4.2
TheoperatorprovideswaypointstotheUAV.Theoperatorormissionplannersusedanoldflightplanasatemplateforthecurrentmission,butdidnotcopyoverallthedata.,Thewaypointsdonotmatchtheapprovedroutefromtheairspacetrafficoperator(ATC).
TheoperatormustverifythemissionplanwiththecustomerrequestandapproveATCroute
C.4.3
Theoperatorprovideswaypointswhichdonotconflictwithairtraffic,butthewaypointsarefarapartfromeachother,andtravelbetweenthewaypointsdopresentaconflictwithotheraircraft
WaypointsmustbesufficientlyclosetogethertocontrolthebehavioroftheUAVandpreventitfromconflictingwithothertraffic
C.4.4
Theoperatorprovideswaypointswhichdonotconflictwiththeairtrafficasreportedbytheairtrafficoperator,howevertheairtrafficchangesafterplanningorduringthesortie.Theoperatordoesnotreceivetheupdatedinformationinorder
TheoperatormustbeprovidedwithandairtrafficchangestoensuretheUAVisproperlydeconflictingfromothertraffic
Page 97
97
toprovideadifferentsetofwaypoints
C.4.5
TheoperatorsendstheGPSwaypointstotheUAV.Theywerenotsavedbytheautopilot,andolderwaypointsalreadyloadedwerenotoverwritten.
TheautopilotmustsavetheGPSwaypointsreceivedbytheUAV
TheoperatorprovidesGPSwaypointsandtheroutelengthexceedsthefuelonboard
H4 C.5.1
TheoperatordoesnotprovideGPSwaypoints.Thestepisaccidentallyskippedduringpreflight.GPSwaypointsfromthelastsortiearestoredinthememoryandtheUAVusesthose.Theprevioussortiewaslonger,andtheUAVwasfueledwithmorefuel.
TheGPSwaypointsstoredintheautopilotmustbeverifiedwiththemissionplan
C.5.2
TheoperatorprovidestheGPSwaypointsandtheroutelengthexceedsthefuelonboard.TheoperatorfatfingeredaGPSwaypointresultingintheUAVflyingfurtherfromtheairfieldthananticipated.TheerrorwasnotdiscovereduntiltheUAVtraveledsignificantlyoffcourseandnolongerhadthefueltoreturntotheairfield
TheGPSwaypointsstoredintheautopilotmustbeverifiedwiththemissionplan
C.5.3
TheoperatorprovidesGPSwaypointstocreatearoutebasedonalargerthanstandardtakeofffuelweightoftheaircraft,howevergroundpersonnelfueledtheaircraftthestandardamount.
Theoperatormustprovidenonstandardfuelrequeststothegroundpersonnel,andgroundpersonnelmustdocumentthefuelstatusoftheaircraftfor
Page 98
98
Therewasnotenoughfueltocompletethesortie.
theoperatortoverifyduringpreflight
C.5.4
TheoperatorprovidedtheGPSwaypointsandbelievedbasedonthereportedfuelstatethattheUAVthatthesortiedurationwasappropriate,howeverthefuelstatefeedbackwasincorrectduetofuelsystemmodifications
TheUAVmustprovideaccuratefuelstatefeedbacktotheoperator
C.5.5
TheoperatorprovidedtheGPSwaypointsbasedontheexpectedfuelconsumption,however,thefuelconsumptionwashigherthanexpected.Theoperatormonitorsthefuelconsumptionandrecognizesthatthatthedurationofthesortiewillbelongerthanfueldurationandprovidesanewsetofwaypoints,butthefuelstateistoolowtomakeitbacktotheairfield
Theoperatormusthavejokerandbingofuelstatesthatcanbeadjustedifthefuelisconsumedfasterthanexpectedtoensuretheaircraftcanreturntotheairfieldbeforerunningoutoffuel
TheoperatorprovidesGPSwaypointsthatcreatearouteoutsideofLOSradiusandBLOSisnotbeingused
H3,H4 C.6.1TheoperatorsentGPSwaypoints,howeverthewaypointswerenotreceivedduetointerferenceandtheUAVusedpreviouslystoredwaypointsforaBLOSsortie
UAVoperatorsmustbeawareofEMusageinoperatingareaanddeconflictoperationstoavoidinterference.
Page 99
99
C.6.2
TheoperatorsentGPSwaypointsthatarewithintheLOSradioradius,howeverterrainbetweentheantennaandtheaircraftmasksthesignal.Theoperatordidnotrecognizethatareasofhighterrainintheareacouldmaskthesignal,LOSislost
UAVoperatorsusinganLOSgroundstationmustresearchpotentialterrainmaskingareasintheareaofoperationsandflightplanaccordingly
C.6.3
TheoperatorprovidesGPSwaypointsthatareknowntobeoutsideLOS,butbelievedthatradiosignalrepeaterswouldcarrythesignaltotheUAVbeyondgroundstationLOS.Therepeatersarenotfunctioning,andthestatusoftherepeaterswasnotverifiedduringpreflightoperations.OncetheUAVwasoutsideofthegroundstation'sLOSradius,itlostthelink
UAVoperatorsusingLOSgroundstationsandrepeatersmustincluderepeatersstatusduringpreflightchecks
C.6.4
TheoperatorprovidesGPSwaypointswithinLOSradius.ThelostlinkprocedureswerenotupdatedfromapreviousBLOSsortie,andlostlinkoccursresultingintheaircrafttodepartingtheLOSradius.
Lostlinkproceduresmustbeupdatedpriortoeveryflight
TheoperatorprovidesGPSwaypointsafterLOSislost,butbeforeBLOSradiolinkisestablished
H3,H4 C.7.1
TheGPSwaypointswereprovidedbytheoperatorafterLOSislost,butbeforeBLOSradiolinkisestablished.TheoperatorprovidedGPSwaypointsjustbeforetheLOStransitiontoBLOSneartheLOSradiuslimit,howeverthelimitwaslessthanexpectedduetoterrain,atmospherics,orothereffectsandtheLOSwaslostbeforetheBLOStransition.
LOS/BLOStransitionmustoccurwellwithinLOSradiustoensurethetransitionoccursbeforetheUAVlosescommunicationwiththeLOSgroundstation.
Page 100
100
H2 C.7.2
TheoperatorprovidestheGPSwaypointslateoutsideoftheLOSradius,buthasnotcompletedBLOStransition.HeaviertrafficthannormalcausesseveralchangestothedepartureproceduresfortheUAV,andtheoperatorgetsbehindcreatingthenewflightplananduploadingittotheUI.BYthetimethenewflightplanisreadyforupload,theUAVisoutsidetheLOSradius.
TheUImustprovidefeedbacktotheLOSoperatorwhentheUAVisneartheLOSradiuslimitifBLOShasnotyetbeenestablished.TheoperatormusthaveestablishedprocedureswithATCtokeeptheUAVintheLOSradiusofBLOSisnotestablishedasplanned
C.7.3
TheoperatordoesnotrecognizethatLOSwaslost,andbelievestheUIstillhasalinktotheUAV.Theoperatorprovideswaypoints,buttheyarenotreceivedduetothelostlink.
TheUImustprovidefeedbacktotheoperatorwhenthelinkislost.
H1,H2,H3 C.7.4
TheoperatorprovidesGPSwaypointstotheUAV,howevertheUAVdoesnotflythewaypointsprovided.SignificantwindspushtheUAVoffcourse,andtheUAVdoesnotadjusttheheadingtomaintainthecorrectgroundtrack
TheUAVmustadjustthetargetheadingtoaccountforwindstomaintainasafegroundtrack.
TheoperatorprovidesGPSwaypointsaftertheUAVreachesbingofuel
H4 C.8.1
TheoperatorprovidesGPSwaypointstoupdatetherouteaftertheUAVreachesbingofuel.TheoperatorrecognizesthattheUAVisnearingbingofuel,andprovidesGPScoordinates,butlostlinkoccursandtheUAVdoesnotreceivethecoordinates.Perlostlinkprocedures,theUAVcontinuestoflythelastrouteprovided.Whenthelinkisreestablished,theoperatorprovideswaypointstoreturn
Theoperatormustnotwaituntilbingotoreplantheflight.OncetheUAVreachesjoker,replanningmustbegin
Page 101
101
totheairfield,buttheUAVispastbingoandnolongerhasenoughfueltoreturn.
C.8.2
TheoperatorprovidesGPSwaypointsaftertheUAVreachesbingofuel.TheoperatorbelievedbasedonthefuelstateanddistancethattheUAVcouldmakeitbacktotheairfieldwithlessfuelthanbingo.However,headwindscausethereturntriptotakelongerthanexpected
Theoperatormustconsiderwindswhenconductingflightplanning
C.8.3
TheoperatorprovidesGPSwaypointsaftertheUAVreachesbingofuel.Theoperatordidnotrecognizethatthefuelstatewasatbingountilreviewingthefuelstateattheregularstatuscheck.TheoperatorimmediatelyprovidesGPScoordinatestoreturntotheairfield,buttheUAVnolongerhasenoughfueltoreturnhome.
TheoperatormustenterjokerandbingofuelstatesintheUI,andtheUImustalerttheoperatorwhentheUAVisatjokerandbingo
C.8.4
TheoperatorprovidesGPSwaypointstoreturnhomebeforetheUAVreachedbingo,howeverthewaypointswerenotsavedintheautopilot,andtheUAVcontinuedtotravelontheoriginalroute.BythetimetheoperatorrecognizedthattheUAVwasnotreturningtotheairfield,theUAVwaspastbingoanddidnothaveenoughfueltoreturnhome.
TheGPSwaypointsstoredintheautopilotmustbeverifiedwiththemissionplan
Page 102
102
TheoperatorprovidesGPSwaypointsandthenumberofwaypointsexceedthestoragecapacityoftheautopilot
H3 C.9.1
Theoperatorprovideswaypointsthatwerewithinthestoragecapacityoftheautopilot.ThemessagereceivedbytheUAVisdelimitedincorrectlyduetotranslationfromtheUItotheradiostotheUAV,whichexceedsstoragecapacity
Thegroundstationradiosmustsendcommandsaccurately
C.9.2
TheoperatorprovidesalargenumberofwaypointstoensurethattheUAVfliesaroutethatalignswiththemission,howevertheoperatorusestoomanywaypointsthatexceededthestorage
Theoperatormustsendanumberofwaypointsthatarelessthantheautopilotstorage.Theautopilotstoragemustbelargeenoughtostoreenoughwaypointsforthelengthofmission
C.9.3
Theoperatorprovidesthewaypoints,butdoesnotreceivefeedbackthatthewaypointswerereceived,sotheoperatorprovidesthewaypointsagain.Thesecondsetofwaypointsareconcatenatedratherthanreplacingthefirstsetofwaypoints
TheUAVmustprovidefeedbackthatthewaypointswerereceived,andtheautopilotmustreplaceoldwaypointswithnewwaypoints
H1,H2 C.9.4
Theoperatorprovideswaypointsthatwerewithinthestoragecapacityoftheautopilot,butthewaypointsaredelimitedincorrectlytakingupmorestoragespacethantheautopilot'scapacity
TheUAVmustsaveprovidedwaypointsintotheautopilotaccurately
TheoperatorprovidesGPSwaypoint,butthelistofwaypointsisnotcompletefortheentiremission
H3 C.10.1
TheoperatorprovidedacompletesetofGPSwaypoints,howeverthetransmissionwascutshortduetoagroundstationradiopowerfailure,andtheUAVdidnotreceivetheentiresetofwaypoints.
Thegroundstationandassociatedequipmentmustbeconnectedtoemergencypower,andthegroundstationpowermusttransitionwithoutdelaytoemergencypowerifthemainpowersupplyiscut
Page 103
103
C.10.2
Theoperatorprovidesanincompletesetofwaypointsthatdidnotincludetheentiremission.TheoperatordoesnottranslatetheflightplancompletelyintotheUIduetodistractionorotherfactorsduringthepreflightpreparations.Theoperatordoesnotverifythewaypointsafterenteringthem,sotheerrorwasnotcaught
TheGPSwaypointsstoredintheautopilotmustbeverifiedwiththemissionplan
C.10.3
Theoperatorprovidesanincompletesetofwaypointsthatdidnotincludetheentiremission.Thecustomerrequestwasincomplete,andthecustomerisnotrequiredtoapprovethemissionplan,thereforetheincompleteplanwasnotcaught
Thecustomermustprovideacompleterequesttotheoperator,andmustreviewtheplantoensureitalignswiththemission
C.10.4
Theoperatorprovidesacompletesetofwaypoints,howevertheautopilotdidnotsaveallofthewaypoints.
TheGPSwaypointsstoredintheautopilotmustbeverifiedwiththemissionplan
TheoperatordoesnotprovidealtitudewhentheGPSwaypointsareupdated
H1,H2,H3 C.11.1
TheoperatorprovidesthealtitudeafterassigningnewGPSwaypoints,buttheUAVbeginsaturntothenextwaypointcausingaircraftmaskingandthealtitudesarenotreceivedbytheaircraft.
Theoperatormustensurethataltitudecommandsareaccepted,monitoraltitude,andcorrectaltitudeasneeded
C.11.2
TheoperatorbelievesthatthepreviouslyassignedaltitudeswouldbesafewiththenewGPScoordinates.Theoperatormisreadsthesectional,andthepreviousaltitudesarenotaboveMOCA.
TheUImustbeprogrammedtoincludeterraindata(atleasthighestobstacleineachsection),andprovidefeedbackiftheUAVwillflybelowMOCA
Page 104
104
C.11.3
Theoperatorreceivesanairtrafficbriefingandbelievesthatthepreviouslyassignedaltitudewillbedeconflictedfromotherairtraffic.Theairtrafficbriefingisoutdated,andtherearenowairtrafficconflictswiththepreviouslyassignedaltitude.
TheoperatormustconfirmwithATCthatthealtitudeblockisdeconflictedifGPSwaypointsareupdated
C.11.4
TheoperatorprovidesanewaltitudeassignmentwiththeupdatedGPSwaypoints.ThealtitudeisnotattainedbytheUAV,howeverbecausetheadditionalalternatorsreducemaxengineRPM,thusdecreasingtheservicealtitudeoftheUAV.
Simulationandflighttestmustbeaccomplishedtovalidatethelimitationsofthebaselineaircraftorvalidatenewlimitationsduetomodifications
Theoperatorprovidesaltitudewhenthealtitude,coupledwiththeprogrammedwaypointsarenotaboveminimumobstacleclearancealtitude(MOCA)
H1 C.12.1
TheoperatorprovidesanaltitudeabovetheMOCAastheUAVfliestowardsmountainousterrain,howeverthelinkislostduetoterrainoraircraftmaskingduringmaneuveringandtheUAVdoesnotreceivethealtitudeassignment
TheoperatormustprovidesafealtitudeaspartoftheentireflightplansuchthatiflostlinkoccurstheUAVwillnotcollidewithterrain
C.12.2TheoperatormisreadsthesectionalchartsandprovidesanaltitudethattheoperatorbelievesisaboveMOCA,butitisactuallynot
TheUImustbeprogrammedtoincludeterraindata(atleasthighestobstacleineachsection),andprovidefeedbackiftheUAVwillflybelowMOCA
Page 105
105
C.12.3
Theoperatorreceivesincorrectoroutdatedsectionalcharts,andassignedanaltitudethatwasabovetheMOCAonthechartbutthereareobstacleshigherthanlistedonthechart
Theoperatormustensurechartsareupdatedduringmissionplanningandobtainupdatedinformationpriortoflight
C.12.4
TheoperatorprovidesanaltitudeabovetheMOCA,howevertheregionofflighthasasignificantlydifferentpressurecomparedtothefield,andtheUAVisflyinganaltitudelowerrelativetotheground
Theoperatormustreceiveambientpressurereportsthroughouttherouteofflightandupdatethealtimeterasappropriate
Theoperatorprovidesaltitudewhenthealtitudeconflictswithothertraffic'saltitudeblocks
H2 C.13.1Theoperatorprovidesanaltitudethatdeconflictswithtraffic,howeverthecommandisnotreceivedduetomasking
Theoperatormustensurethataltitudecommandsareaccepted,monitoraltitude,andcorrectaltitudeasneeded
C.13.2
TheoperatorbelievesthatthetrafficwillnolongerbeinconflictbythetimetheUAVarrivesatthatwaypoint,howevertheconflictingtrafficstaysintheairspaceforlongerthanexpected
TheoperatormustrequestupdatedinformationastheUAVprogressesthroughrouteofflighttoensuretrafficdeconfliction
C.13.3
Theoperatorreceivesinformationthatconflictingtrafficisataparticularaltitude,sotheoperatorclimbsordescendstodeconflict.Thetraffichasanaltitudeblockwithinwhichitcanmaneuver,andwhiletheUAVisaboveorbelowthecurrentposition,itisnotoutsidethemaneuveringblock
Theoperatormustconfirmtheassignedaltitudeisoutsideofthealtitudeblockofconflictingaircraft
Page 106
106
C.13.4
Theoperatorprovidesanaltitudethatisdeconflicted,howeverthepitot-staticsystemispartiallyblockedresultingintheaircraftflyingadifferentaltitudethanassigned
Thepitotstaticsystemmustberegularlyinspectedandthepitottubeshouldbeclearofobstructionsbeforelaunch
TheoperatorprovidesaltitudewhenthealtitudeisaboveicinglevelandtheUAVfliesthroughclouds
H4 C.14.1
TheoperatorrecognizesbyviewingtheonboardcamerathattheUAVisheadingtowardsacloudandprovidesachangeinaltitudetostaybelowthecloudsandicinglevel,butthemessageisnotreceivedduetointerferenceormasking
Theoperatormustmonitoraltitudetomakesurecommandsareacceptedandreattemptcommandasneeded
C.14.2
Theoperatorknowsthatthereareicingconditionsforecastedandknowstheicinglevel,butassignsanaltitudeabovetheicinglevelanywaytoavoidterrain.Theoperatorbelievesthatbyusingthecameratheoperatorcanavoidthecloudsandthereforenotflythroughicingconditions,howeverthecloudsaretoothickalongtheroute,andtheoperatorcannotstayoutoftheclouds
Theoperatormustflybelowtheicinglevelasterrainpermitsandconsiderreturningtotheairfieldifthecloudsaretoothicktoflyataltitude
C.14.3
Theoperatorisawareoftheicingforecast,butintendstostayoutoftheclouds,howevertheonboardcamerafailsandtheoperatorcannolongerdetectwhetherornottheUAVisflyingthroughclouds
Iftheweatherissuchthatcamerauseisrequiredforsafety,andthecamerafails,theUAVmustreturntotheairfieldoranothercloserairfieldbelowtheicinglayerifterrainpermits
Page 107
107
C.14.4
Theicingforecastwasincorrect,andtheicinglevelwaslowerthanpredicted,sotheoperatorintendedtostaybelowthelevel,butinfactwasabovethelevel.Thecloudsarenotverythick,sotheyarehardtoseetoavoid
TheUAVoperatormustmonitorindicationsoficinganytimeicingconditionsarepossible,andremovetheUAVoutoftheconditionsassoonastheyaredetected
C.14.5
Theoperatorprovidedaltitudesthatwerebelowtheicinglevel,howevertheUAVflewabovetheicinglevel.TheoperatorprovidedthecorrectaltitudesandtheUAVproperlystoredthem,howeverthepitotstaticsystemfailedresultingininaccurateinformationsenttotheVMSandtheUAVdifferentaltitudesthanplanned
Thepitotstaticsystemmustberegularlyinspectedandthepitottubeshouldbeclearofobstructionsbeforelaunch
TheoperatorprovidesaltitudeafterLOSislostduetoterrainmasking,butbeforeBLOSradiolinkisestablished
H3 C.15.1
Thedeparturerouteincludestraveloverarisingterrainthatmasksthegroundstationantennasignal.TheoperatorrecognizedthattheterrainwouldmaskthesignalcausingtheUAVtoloseLOSlinkearlierthannormalandprovidedahigheraltitudecommand,butthelinkwaslostbeforethecommandwasreceived.
TerrainmaskingfromtheLOSgroundstationmustbeidentifiedduringsiteplanningandincorporatedinflightplanningforeachsortie
C.15.2
TheoperatorrecognizesthattheUAVflightpathwillputterrainbetweenthegroundstationandtheUAV,butprovidesanaltitudeperthenormalclimbprocedures.Theoperatorbelievesthattheterrainisnothighenoughtomaskthesignal.TheUAVlosesthelinkanddoesnot
TerrainmaskingfromtheLOSgroundstationmustbeidentifiedduringsiteplanningandincorporatedinflightplanningforeachsortie
Page 108
108
receivethecommandtocontinuetheclimb.
C.15.3
HeaviertrafficcausedATCtoprovidetheoperatorwithanabnormaldepartureroute.TheoperatordoesnotrecognizethatthenewroutehasrisingterrainthatwouldmasktheLOSsignal,andtheoperatorsenttheclimbaltitudeatthenormaltime,buttheLOSlinkwaslost.
TheUAVmustprovidealtitudefeedbackrelativetogroundfortakeoff/climbandlandingflightphases
H1 C.15.4
TheoperatorrecognizestherisingterrainandprovidesanaltitudetoensurethattheterraindoesnotmasktheLOSsignaluntiltheBLOStransition.However,theUAVdoesnotflytheassignedaltitude.Thealtimeterwasnotsettoairfieldaltitude,andtheUAVflieslowerthanitshould.
Thealtimetermustbesettotheairfieldaltitudeduringpreflightandverifiedbeforelaunch.
TheoperatorprovidesaltitudewhenthealtitudeassignmentsexceedthenumberofGPSwaypoints
H3 C.16.1
TheoperatorprovidesmorealtitudeassignmentsthanGPSwaypoints.Theinitialmessagecontainingaltitudeassignmentswascutoffduetolostlink.Theoperatorresendsthealtitudeassignments,butratherthanreplacetheincompletemessage,thesecondmessageisaddedontoit.
Theautopilotmustreplacepreviouslyprovidedaltitudeswiththemostrecentlyprovidedaltitudes.
Page 109
109
C.16.2
Duringmissionplanningtheoperatorcreatestoomanyaltitudeassignments,anddoesnotrealizethattherearemorealtitudeassignmentsthanwaypointassignments.
Themissionplanningprocessmustprovidefeedbacktotheoperatorwhennumberofwaypointsandaltitudeassignmentsdonotmatch
C.16.3
Theoperatoraccidentallyinputsone(ormore)altitudestwiceintotheUI.TheUIdoesnotprovidefeedbacktoindicatethatthenumberofaltitudeassignmentsisdifferentfromthenumberofwaypointassignments.TheUIassignsanincorrectaltitudeforeachofthesubsequentwaypointsaftertheduplication,andneverassignsthealtitudesthatdonothaveacorrespondingwaypoint.
TheUImustprovidefeedbackwhenthenumberofaltitudeandwaypointsdonotmatch.
H1,H2 C.16.4
Theoperatorprovidesthesamenumberofaltitudesaswaypoints,buttheUAVdoesnotflythealtitudesmatchedwitheachwaypoint.Thealtimeterisincorrect,andtheUAVdoesnotflytheassignedaltitude.
ThealtimetermustbesetinflightbasedonatmosphericconditionsreportedbyATC.
Theoperatorprovidesaltitudewhentherearefeweraltitudeassignmentsthanwaypointsanditdoesnotincludetheentiremission
H3 C.17.1Theoperatorprovidesthesamenumberofaltitudeassignmentsaswaypoints,butthemessageiscutoffduetolostlink.
Iflostlinkoccursaftertheoperatorprovidesacommand,theoperatormustresendthecommandwhenthelinkisestablishedtoensurethatcommandwasreceived
Page 110
110
C.17.2Theoperatorprovidesthesamenumberofaltitudeassignmentsaswaypoints,buttherearetoomanywaypoints,andnotallthealtitudeassignmentsarenotsavedbecausetheautopilotrunsoutofstoragecapacity.
Theoperatormustknowhowmanywaypointsandassociatedaltitudeandairspeedassignmentstheautopilotcanstoreandprovidelessthanthatamount.Additionally,theautopilotmustbeabletostoreenoughdatafortheoperatortoprovidetheentireflightplan
C.17.3
TheoperatormissesanairspeedwheninputtingthealtitudesfromthemissionplanintotheUI.TheUIdoesnotprovidefeedbacktoindicatethatthenumberofaltitudeassignmentsisdifferentfromthenumberofwaypointassignments.TheUIassumesthatthelastaltitudeassignmentinthelististhealtitudeassignmentfortheremainderoftheflight.
Themissionplanningprocessmustprovidefeedbacktotheoperatorwhennumberofwaypointsandaltitudeassignmentsdonotmatch
H1,H2 C.17.4
Theoperatorprovidesthesamenumberofaltitudesaswaypoints,buttheUAVdoesnotflythealtitudesmatchedwitheachwaypoint.Thealtimeterisincorrect,andtheUAVdoesnotflytheassignedaltitude.
ThealtimetermustbesetinflightbasedonatmosphericconditionsreportedbyATC.
Theoperatordoesnotprovideairspeedduringachangeinflightconditionorenvironmentalconditions
H1,H4,H6 C.18.1
Theoperatorprovidestheairspeed,butitisnotreceivedduetointerferencewithnearbyUAVoperations.
UAVoperatorsmustbeawareofEMusageinoperatingareaanddeconflictoperationstoavoidinterference.
Page 111
111
C.18.2
Theoperatordoesnotprovidetheairspeedcommandbecausetheoperatorbelievesthatthecurrentairspeedisappropriateforthenewsituation.Theoperatorisnearanairspeedlimit,andthenewconditionsreducethelimitsuchthattheUAVhasexceededairspeedlimits
Theoperatormustknowtheeffectsofflightconditionsontheairspeedlimitsandadjustairspeedwhencommandingaclimbordescentasappropriate
C.18.3
Theoperatordoesnotrecognizethechangeinflightcondition.TheUAVisprogrammedtoautomaticallydescentandclimbpertheflightplan,andtheUAVoperatordoesnotreceivefeedbackthattheclimbordescentwillcausetheUAVtoexceedairspeedlimits.
TheUImustprovidefeedbackwhenclimbingordescending,andprovidefeedbackifcurrentlyassignedairspeedwillviolatealimitatthenewaltitude
C.18.4
Theoperatordoesnotrecognizethechangeinenvironmentalconditions.GustscausetheUAVtoexceedairspeedlimits,howevertheoperatordoesnotreceiveadequatefeedbacktorealizethattheUAVisingustyconditions.
TheUAVmustbeabletodetectgustyconditionsandprovidefeedbacktotheoperator.
C.18.5
Theoperatorprovidesanairspeedappropriateforgusty,turbulentconditions,howevertheconditionsarevariablewithvariousgustspeedsanddirection.TheUAVreceivesvariableairspeedfeedbackfromthepitotstaticsystemduetothewinds,andisconstantlyprovidingthrottlesettingstomaintaintheprovidedairspeed.TheUAV'sreactiontochangesinairspeedcause
Whenflyingingusty,turbulentconditionstheUAVmustnot'chase'theprovidedairspeedsoaggressivelythatitexceedsanairspeedlimit.
Page 112
112
theUAVtoexceedairspeedlimits.
Theoperatorprovidesairspeedthatisatorbelowstallspeed
H4 C.19.1
Theoperatorprovidedanairspeedabovestallspeed,buttheUAVdidnotreceivethecommand.TheUAVisonfinalapproachwhentheoperatorhastoabortthelandingduetoanobstructionontheairfield.Theoperatorimmediatelyprovidesacommandtoleveloffatthecurrentaltitude.TheUAVthrottlesettingislow,andtheoperatorsendsacommandtoincreaseairspeed,howeverthecommandisnotreceivedduetomaskingatthelowaltitude
TheUImustbedesignedwithanabortprocedurethatsendsaltitudeandairspeedcommandssimultaneously.Additionally,thegroundstationandassociatedantennasmustbelocatedsuchthattheyhaveclearLOStotheUAVduringlandingandtakeoffphases
C.19.2
Theoperatorprovidesaslowairspeedabovestalltomaintainaslowgroundtrackinanorbitaroundthetargetarea.Theinitialportionoftheorbithasasignificantheadwind,butwhentheUAVturnstheheadwindbecomesatailwindreducingairspeedbelowstallspeed
Theoperatormustaccountforheadwindsduringslowflightandadjusttheairspeedaccordingly
Page 113
113
C.19.3
Theoperatorprovidesanairspeedbelowstallspeedbyaccidentallyinputtingthewrongnumbers(fatfingering).TherewasnofeedbackthattheairspeedtheoperatorinputintotheUIwasoutoflimits,andtheincorrectairspeedwassenttotheUAV
TheUImustprovidefeedbacktotheoperatoriftheoperatorentersacommandthatisoutsideofUAVlimits
C.19.4
Theoperatorprovidesairspeedthathigherthanstallspeed,buttheenginefailsinflight.TheoperatordoesnotimmediatelyrecognizethestateoftheUAV,andtheUAVautopilotisprogrammedtomaintainaltitude,suchthatairspeedbleedsoffbelowstallspeed.
TheUAVmustprovideengineindicatorstotheoperator,andtheUImustbeprogrammedtoalerttheoperatorwhentheengineisnotfunctioningproperlyorhasfailed
C.19.5
Theoperatorprovidesanairspeedabovestallspeed,howeverthepitot-staticsystemmalfunctions,andtheactualairspeeddecreases.TheoperatorrecognizesthattheUAVisdeceleratingbasedonthegroundtrackandexpectedwaypointtiming,butcannotintervenebydirectlycommandingathrottlesetting.
Theoperatormusthavetheabilitytodirectlycommandathrottlesetting
TheoperatorprovidesairspeedthatisaboveVNE
H6 C.20.1
TheoperatorcommandsanairspeednearVNE,andtheUAVentersairspacewithgustywindconditions.TheoperatorrecognizesthattheairspeedshouldbereducedtoensurethattheairspeeddoesnotexceedVNE.Theoperatorcommandsalowerairspeed,butthecommandisnotreceivedduetomaskingorinterference.
TheoperatormustnotcommandairspeednearVNEifgustyconditionsareforecastedorexpected.
Page 114
114
C.20.2
TheoperatorprovidesanairspeedthatisjustbelowVNE,howeverthewindconditionsarevariablewithsignificantgusts.AwindgustcausestheairspeedexceedVNE
Ingustyconditions,theoperatormustassignanairspeedfarenoughbelowVNEthatthewindswillnotcausetheUAVtoexceedVNE
C.20.3
Theoperatorprovidedanairspeedthatiswithinlimitsatloweraltitudes,buttheUAVthenclimbsandviolatestheairspeedlimit.
TheUImustbeprogrammedtoidentifychangesinlimitsbasedonflightconditionsandalerttheoperator.
C.20.4
TheoperatorprovidesanairspeedaboveVNEbyaccidentallyinputtingthewrongnumbers(fatfingering).TherewasnofeedbackthattheairspeedtheoperatorinputintotheUIwasoutoflimits,andtheairspeedissenttotheUAV
TheUImustprovidefeedbackwhentheoperatorprovidesanairspeedoutsideofthelimits.
C.20.5
TheoperatorprovidesanairspeedbelowVNE,howeverthepitot-staticsystemmalfunctions,andtheautopilotcommandsahigherthrottlesettingtomaintaintheairspeed,causingtheUAVtoexceedVNE
TheUAVautopilotmusthaveasecondarymethodofmeasuringairspeedincaseofapitot-staticsystemfailure,suchasGPS
Theoperatorprovidesairspeedwhenflightplanningfueldurationwasbasedonauto(maxendurance)airspeed,butahigherairspeedisset
H3,H4 C.21.1
TheoperatorcommandsahigherairspeedforafixeddurationthatwillgettheUAVtothetargetareafaster.Afterthedurationtheoperatorprovidesanairspeedtoauto(maxendurance)command,howeveritisnotreceivedbytheUAVduetointerferenceormasking
TheoperatormustcommandareturntomaxenduranceairspeedearlyenoughthatifthecommandisnotreceivedimmediatelytheUAVwillstillhaveenoughfuelendurancetocompletethesortie
Page 115
115
C.21.2
Theoperatorprovidesacruiseairspeedhigherthanmaxendurance,whichwastheflightplanningairspeed.TheUAVtookofflate,andtheoperatorwantstomakeuptimebycruisingatafasterairspeedtogetbackontheoriginalflightplan.TheoperatorbelievesthereisenoughfuelintheUAVtoflytheroutewithahigherairspeed(andthereforehigherfuelflow),butdoesnotdothecalculationstoverify.
Theoperatormustverifywithnewflightplancalculationsiftheairspeedwilldiffersignificantlyfrommaxenduranceairspeed
C.21.3
Theoperatorprovidesacruiseairspeedhigherthanmaxendurance,whichwastheflightplanningairspeed.TheUAVtookofflate,andtheoperatorwantstomakeuptimebycruisingatafasterairspeedtogetbackontheoriginalflightplan.TheoperatorusesthefuelflowratefeedbackprovidedbytheUAVtocalculatetheenduranceoftheUAVatthehighercruisealtitude,howeverthefuelflowrateisinaccurate
TheUAVflightmanualmustincludefuelconsumptionchartsfortheoperatortocalculateUAVendurance
C.21.4
Theoperatorcommandsairspeedonauto(max-endurance),howeverthepitot-staticsystemmalfunctionsandtheUAVactuallyfliesfaster,burningfuelatafasterrate
TheUAVautopilotmusthaveasecondarymethodofmeasuringairspeedincaseofapitot-staticsystemfailure,suchasGPS
Page 116
116
Theoperatorprovidesanairspeedvaluethatwillcreateaconflictwithotheraircraft
H2
C.22.1
Theoperatorprovidesanairspeedcommandtodeconflictwiththetraffic,buttheairspeedchangewasnotsufficienttoavoidthetraffic.
Theoperatormustcommandachangeinairspeedthatissufficienttodeconflictwithtraffic
C.22.2
Theoperatorprovidesanairspeedcommandtoaccelerateinordertoavoidtraffic.Theotheraircraftalsoaccelerates,resultinginacontinuedconflict.
TheoperatormustcommunicatedeconflictionactionswithATCortheaircrewoftheaircraftInconflict.Otherwise,deconflictionactionsmustbestandardizedtoallowdeconflictionactionswithoutcommunication
C.22.3
TheoperatorreceivesfeedbackfromATCthatthetrafficisnolongerinconflict,andresumesmaxendurancespeed.Thefeedbackwasbasedoncurrentrateofspeed,butthenewairspeedcausesaconflict.
Theoperatormustturnoffenginestartcommandwhentheenginestartcommanddoesnotworkuntiltheoperatorisreadytotryagain.
C.22.4
Theoperatorprovidesanairspeed,butthewindschange,causingtheairspeedtochangeandnolongerdeconflictwiththetraffic.
Theoperatormustconsiderwindswhenconductingflightplanninganddeconflictingwithtraffic
TheoperatorprovidesairspeedaftertheUAVstalledduetoslowflight
H4 C.23.1
TheoperatorrecognizesthattheUAVisabouttostall,andprovidesahigherairspeedsothattheUAVwillaccelerate.Thelinkislost,andtheUAVdoesnotreceivetheairspeedcommand.Theoperatorprovideshigherairspeedwhenthelinkisreestablished,buttheUAVhasalreadystalled.
TheUAVmustnotflynearstallspeedduringappropriatephasesofflight,suchastouchdown
Page 117
117
C.23.2
Theoperatorprovidesanairspeedthatisabovestallspeed,butatailwindordecreasedheadwindresultsinastall.Theoperatordoesnotimmediatelyrecognizethattheaircraftisinastall,anddelayscommandingahigherairspeed.
TheUImustprovidefeedbacktotheoperatorwhentheairspeedapproachesstallspeed.TheUAVmustbeprogrammedwithastallrecoveryprocedure.
C.23.3
Theoperatorprovidesanairspeedbelowstallspeedduetoapitot-staticsystemmalfunction.Theairspeedfeedbackishigherthanactualairspeed.Theoperatorcommandsanairspeedthatisabovestallspeed,buttheresultingspeedislessthanstallspeed.Theoperatorreceivesattitudefeedbackindicatingastall,andcommandsahigherairspeed,butaircrafthasalreadystalled.
Thepitotstaticsystemmustberegularlyinspectedandthepitottubeshouldbeclearofobstructionsbeforelaunch
C.23.4
Theoperatorprovidesanairspeedthatisabovestallspeed,howeveratailwindcausestheairspeedtodecreaseandtheUAVtostall.Theoperatorprovidesanairspeedcommand,buttheaircrafthasalreadystalled.
Theoperatormustflyanairspeedhighenoughabovestallspeedtoavoidastalliftheheadwind/tailwindchangesoccur
C.23.5
Theoperatorprovidesanairspeedthatisabovestallspeed,howevertheenginefails,andtheUAVdoesnotadjusttheUAVattitudetostopthedecelerationbelowstallspeed.Theoperatorrestartstheengineandcommandsahigherairspeed,buttheUAVhasalreadystalled.
TheUAVmustrecognizewhentheenginehasfailedandflyanattitudethatresultsinanairspeedabovestallspeed
Page 118
118
TheoperatorprovidesairspeedafterstructuraldamagefromflyingaboveVNE
H6 C.24.1
TheoperatorrecognizesthattheUAVisabouttoexceedVNEandprovidesalowerairspeed.Thelinkislost,andtheUAVdoesnotreceivetheairspeedcommand.Theoperatorprovideshigherairspeedwhenthelinkisreestablished,buttheUAValreadyexceededVNE.
TheUAVmustnotflynearVNE.
C.24.2
TheoperatorprovidesanairspeedthatisbelowVNE,butadecreasedtailwindoranincreasedheadwindresultsinexceedingVNE.TheoperatordoesnotimmediatelyrecognizethattheaircrafthasexceededVNEbecausetheoperatorwasnotonthemainUIpage,anddelayscommandingalowerairspeed.
TheUAVmustnotflynearVNE.Safetycriticalalerts,suchasnearinganairspeedlimitmustbeprovidedtotheoperatorregardlessofwhatUIscreentheoperatorison.
C.24.3
TheoperatorprovidesanairspeedthatisaboveVNEduetoapitot-staticsystemmalfunction.Theairspeedfeedbackislowerthantheactualairspeed.TheoperatorcommandsanairspeedthatisbelowVNE.ThereisnofeedbackotherthanairspeedtoindicatetheVNEexceedanceuntiltheUAVairframeintegrityislost.
Thepitotstaticsystemmustberegularlyinspectedandthepitottubeshouldbeclearofobstructionsbeforelaunch
C.24.4
TheoperatorprovidesanairspeedthatisbelowVNE,howeveraheadwindcausestheairspeedtoincreaseaboveVNE.Theoperatorcommandsalowerairspeed,buttheUAValreadyexceededVNE.
TheUAVmustnotflynearVNE.
Page 119
119
TheoperatorprovidesairspeedwhenthenumberofairspeedassignmentsexceedthenumberofGPSwaypoints
H3 C.25.1
TheoperatorprovidesmoreairspeedassignmentsthanGPSwaypoints.Theinitialmessagecontainingairspeedassignmentswascutoffduetolostlink.Theoperatorresendstheairspeedassignments,butratherthanreplacetheincompletemessage,thesecondmessageisaddedontoit.
Theautopilotmustreplacepreviouslyprovidedairspeedswiththemostrecentlyprovidedairspeeds.
C.25.2
Duringmissionplanningtheoperatorcreatestoomanyairspeedassignments,anddoesnotrealizethattherearemoreairspeedassignmentsthanwaypointassignments.
Themissionplanningprocessmustprovidefeedbacktotheoperatorwhennumberofwaypointsandairspeedassignmentsdonotmatch
C.25.3
TheoperatoraccidentallyinputsoneairspeedtwiceintotheUI.TheUIdoesnotprovidefeedbacktoindicatethatthenumberofairspeedassignmentsisdifferentfromthenumberofwaypointassignments.TheUIassignsanincorrectairspeedforeachofthesubsequentwaypointsaftertheduplication,andneverassignstheairspeedsthatdonothaveacorrespondingwaypoint.
TheUImustprovidefeedbackwhenthenumberofairspeedandwaypointsdonotmatch.
H4,H6 C.25.4
Theoperatorprovidesthesamenumberofairspeedsaswaypoints,buttheUAVdoesnotflytheassignedairspeeds.Apitot-staticsystemmalfunctioncausestheUAVtoflydifferentairspeedsthanassigned.
Thepitotstaticsystemmustberegularlyinspectedandthepitottubeshouldbeclearofobstructionsbeforelaunch
Page 120
120
TheoperatorprovidesairspeedwhenthenumberofairspeedassignmentsarefewerthanthenumberofGPSwaypoints
H3 C.26.1
Theoperatorprovidesthesamenumberofairspeedassignmentsaswaypoints,butthemessageiscutoffduetolostlink.
Iflostlinkoccursaftertheoperatorprovidesacommand,theoperatormustresendthecommandwhenthelinkisestablishedtoensurethatcommandwasreceived
C.26.2Theoperatorprovidesthesamenumberofairspeedassignmentsaswaypoints,buttherearetoomanywaypoints,andnotalltheairspeedassignmentsarenotsavedbecausetheautopilotrunsoutofstoragecapacity.
Theoperatormustknowhowmanywaypointsandassociatedaltitudeandairspeedassignmentstheautopilotcanstoreandprovidelessthanthatamount.Additionally,theautopilotmustbeabletostoreenoughdatafortheoperatortoprovidetheentireflightplan
C.26.3
TheoperatormissesanairspeedwheninputtingtheairspeedsfromthemissionplanintotheUI.TheUIdoesnotprovidefeedbacktoindicatethatthenumberofairspeedassignmentsisdifferentfromthenumberofwaypointassignments.TheUIassumesthatthelastairspeedassignmentinthelististheairspeedassignmentfortheremainderoftheflight.
Themissionplanningprocessmustprovidefeedbacktotheoperatorwhennumberofwaypointsandairspeedassignmentsdonotmatch
Page 121
121
H4,H6 C.26.4
Theoperatorprovidesthesamenumberofairspeedsaswaypoints,buttheUAVdoesnotflytheassignedairspeeds.Apitot-staticsystemmalfunctioncausestheUAVtoflydifferentairspeedsthanassigned.
Thepitotstaticsystemmustberegularlyinspectedandthepitottubeshouldbeclearofobstructionsbeforelaunch
Theoperatordoesnotprovideenginestartduringprelaunchenginerun-up
H3 C.27.1 Theoperatorprovidestheenginerestartcommand,howeverthebatteryiseitherdepletedornotproducingenoughpowertorestarttheengine.
Thebatterymustprovideenoughpowertostarttheengineduringenginerun-up.Thebatterychargemustbecheckedduringpreflight,andexternalpowermustbeusedtostarttheengineasneeded.
C.27.2
TheoperatorclicksontheenginestarticonontheUI,howevertheenginestartcommandisnotsentbecausetheoperatorclickedjustoutsidetheareathatsendsthecommand.
Theoperatormustbeabletoclickanywhereonanicontosendacommand.
C.27.3
Theoperatordoesnotprovidetheenginestartcommandbecausetheoperatorbelievesthattherearepeopleinthepropellerarea.Thegroundpersonnelareactuallyclearofthearea,butdidnotannouncetheywereclear.
Thegroundpersonnelmustprovideanallclearcallwhenpersonnelareoutofthepropellerarea.
C.27.4
Theoperatorprovidesthecommand,buttheenginedoesnotstart.Theengineunderwentmaintenance,andthewiringwasdisconnectedformaintenance,butnotreconnectedpostmaintenance.
Themaintenancepersonnelmustperformapostmaintenanceenginerun-upafterenginemaintenance.Additionally,aftermaintenancetheworkareamustbeinspectedtoensuretheUAVhas
Page 122
122
beenreturnedtoaflightreadystate.
Theoperatordoesnotprovideenginestartduringbeforetakeoffprocedure
H3 C.28.1
Theoperatorprovidestheenginerestartcommand,howeverthebatteryiseitherdepletedornotproducingenoughpowertorestarttheengine.
Groundpowermustbeavailabletostarttheengineasrequired.Ifbatteryisnotcharging,theflightmustbecancelled.
C.28.2
TheoperatorclicksontheenginestarticonontheUI,howevertheenginestartcommandisnotsentbecausetheoperatorclickedjustoutsidetheareathatsendsthecommand.
Theoperatormustbeabletoclickanywhereonanicontosendacommand.
C.28.3
Theoperatorreceivesinaccurateenginefeedbackindicatingthattheengineshouldnotbestarted.Theoperatorprovidestheinformationtothegroundcrew,whotroubleshoottheproblem,delayingtheflight.
Theenginehealthfeedbackparametersmustbecalibratedandregularlymaintainedtoensureaccuracy.
C.28.4
Theoperatorprovidesthecommand,buttheenginedoesnotstart.Theenginestartwirewasloose,andwhentheaircraftwastaxiedtotheenginerun-uparea,thewirebecamecompletelydisconnected.
Wiringandconnectionsmustbecheckedduringpreflightandshouldbedesignedtowithstandvibrationsassociatedwithflight
Page 123
123
Theoperatordoesnotprovideenginestartcommandwhentheenginefailsinflightandtheengineneedstoberestarted
H4 C.29.1 Theoperatorprovidestheenginerestartcommand,howeverthebatteryiseitherdepletedornotproducingenoughpowertorestarttheengine.
Thebatterymustprovideenoughpowertorestarttheengineiftheenginefailsinflight.
C.29.2
Theoperatorattemptstorestarttheengine,buttheUAVisabovetherestartairspeedlimit.Theaircraftattitudeissuchthattheairspeeddoesnotdecreasebelowthelimit,andtheengineisnotrestarted.
TheUAVmustbeflownatanairspeedbelowtheenginerestartlimitbeforeenginerestartisattempted.
C.29.3Theoperatorprovidestherestartenginecommand,howevertheairspeedfeedbackisincorrectandtheUAVisstillabovetherestartairspeedlimitanddoesnotrestart.
IfairspeedfeedbackisincorrecttheUAVmustbeabletoflyattitude/throttlesettingcombinationstoachieveasafeairspeed.AirspeederrorsmustbedetectedinorderfortheUAVtoupdatethemethodofcontrollingflight.
C.29.4
Theoperatorprovidestherestartenginecommand,buttheenginedoesnotrestart.Theenginehasfailedsuchthatitcannotberestarted,ortheengineisnolongerreceivingfuel.
Theoperatormustattempttocyclefueltanksbeforeenginerestartattempt.Ifthereareindicationsthatanenginerestartisnotpossible,theoperatormustimmediatelybeginpreparationforlanding
Page 124
124
Theoperatorprovidestheenginestartcommandwhengroundpersonnelarenearthepropellers
H1 C.30.1
Theoperatordoesnotprovidetheenginestartcommand,howevertheUAVreceivesanenginestartcommandfromasecondgroundstationwhilegroundpersonnelwerenearthepropellers
EitherUAVoperationsmustbedeconflicted,orproceduresputinplacetoensurethecontrolstationislinkedtothecorrectaircraft.
C.30.2
Theoperatordoesnotprovidetheenginestartcommandbecausetherearepeopleinthepropellerarea.TheUAVisconfiguredtostartengines,buttheoperatoriswaitingforanareaclearcall.TheoperatorputsthemouseovertheenginestartbuttonontheUIandwaitsfortheallclearcall.Themouseisaccidentallyclickedbeforetheallclearcallstartingtheengine.
Theoperatormustnotputthemouseoverasafetycriticalcommanduntilthecommandissafetoperform.Additionally,considerasecondarypromptforsafetycriticalcommandsorotherdesignstopreventaccidentallysendingcommand.
C.30.3
Theoperatoristoldthatgroundpersonnelareclearofthepropellerarea,butatechnicianreenterstheareabecausetheindividualseesanissuethatmustbecorrectedbeforeenginestart
Thegroundpersonnelmustinformtheoperatorifpersonnelreenterthepropellerareaaftertheclearsignal
H5 C.30.4
Theoperatorprovidestheenginestartcommand,howeverthebrakesfailedanddidnotkeeptheaircraftfrommoving,andittaxistowardsthepersonnel
GroundpersonnelmuststandinapositionsuchthatiftheUAVdoesinadvertentlytaxiafterenginestartitdoesnothitanyone.
Theoperatorprovidesenginestartcommandwhentheenginefailsinflight,butaftertheUAV
H1 C.31.1
Theoperatorattemptstorestarttheengine,buttheenginestartcommandisnotreceivedbytheUAVduetoterrainmaskingasitdescends.Theoperatorbeginstroubleshootingthelostlinkandleavestheenginestartcommandon.Whenthe
Theoperatormustturnoffenginestartcommandwhentheenginestartcommanddoesnotworkuntiltheoperatorisreadytotryagain.
Page 125
125
iscommittedtolanding
linkisestablishedtheUAVreceivestheenginerestartcommandandrestartstheengine.
C.31.2
Theoperatorattemptstorestarttheengine,buttheenginedoesnotrestart.Theoperatorthenbeginschecklistactionsforlanding.Theoperatordoesnotdisablethestarter,andtheenginestartsneartouchdown
Theoperatormustturnoffenginestartcommandwhentheenginestartcommanddoesnotworkuntiltheoperatorisreadytotryagain.
C.31.3
Theenginequitsbecausetheoperatordoesnotswitchfueltanks,andthecurrentlyselectedfueltankisempty.Theoperatorattemptstorestarttheengine,butisunsuccessful.Duringthelandingsequencetheoperatorrealizesthefuelfeederror,switchestanks,andsuccessfullyrestartstheengine.However,theUAVistooclosetotheground,andtheautopilotdoesnottransitionsafelyfromengineoffperformancetoengineonperformance.
TheoperatormustverifyfuelstateandswitchtanksduringenginefailureemergencyproceduresiftheUAVisabovesaferestartaltitude.TheUAVautopilotmustbedesignedtotransitionsmoothlybetweenengineoffandengineonperformance.
Page 126
126
C.31.4
Theoperatorattemptstorestarttheengine,buttheenginedoesnotrestart.Theoperatorcontinuestoattemptarestartastimepermits,inaccordancewiththechecklist.TheUAVisflyingfarfromtheairfield,andtheexactheightabovegroundisnotknown.Theoperatorcontinuestoattemptrestartandfinallydoesrestarttheengine,buttheUAVdescendedtoolowandimpactsterrain
Duringmissionplanning,operatorsmustdetermineminimumrestartattemptaltitudesforeachlegoftheroutethatisbasedonasafepressurealtitude,sinceexactaltitudeabovegroundmaynotbeknown.Thelaseraltimetermustbeonbatterypowerforusetodetermineheightaboveterrain.
C.31.5
Theoperatordeterminesbasedonthealtitudethatanenginerestartisnotappropriateandbeginschecklistactionsforlanding.Aloosewireprovidespowertotheenginestarter,andtheenginerestartswithouttheenginestartcommand
Wiringandconnectionsmustbecheckedduringpreflightandshouldbedesignedtowithstandvibrationsassociatedwithflight
Theoperatordoesnotprovidethelaunchnowcommandduringtakeoff
H3 C.32.1
Theoperatorprovidedthelaunchnowcommand,howeverthecommandwasnotreceivedduetointerferencewithconcurrentUAVoperations
UAVoperatorsmustbeawareofEMusageinoperatingareaanddeconflictoperationstoavoidinterference.
C.32.2 TheoperatordoesnotprovidethelaunchnowcommandbecausetheoperatordidnotreceiveATC'sclearfortakeoffcall
ThegroundstationmustbeequippedtocommunicatewithATC,andradioandinternalcommunicationsmustbekepttoaminimumduringlaunchoperationstoensureallATCinstructionsarereceived
Page 127
127
C.32.3
Theoperatordoesnotprovidethelaunchnowcommandbecausethecontrollerreceivesincorrectengineparameterfeedbackandbelievestheengineisnotoperatingwithinlimits.Theoperatorabortsthetakeofftoallowgroundpersonneltotowtheaircraftbacktoparkandtroubleshoottheproblem.
Theenginehealthfeedbackparametersmustbecalibratedandregularlymaintainedtoensureaccuracy.
C.32.4
Theoperatorprovidesthelaunchnowcommand,whichwasreceivedbytheUAV,howevertheUAVdidnotlaunch.TheUIlaunchsequenceisnotprogrammedcorrectly,andtheUAVdoesnotaccelerateenoughtorotateandtakeoff
TheUIlaunchsequencemustbeverifiedbeforeflightandadjustedforatmosphericconditionsattheairfield.
Theoperatorprovidesthelaunchnowcommandwhentherunwayisnotclear
H2 C.33.1 Theoperatordoesnotprovidethelaunchnowcommand,howeveranotherLOSgroundstationonsiteisconductingchecksanddoesprovidethelaunchcommand
EitherUAVoperationsshouldbedeconflicted,orproceduresputinplacetoensurethecontrolstationislinkedtothecorrectaircraft.Ifanincorrectlinktakesplacealldatamustbeverifiedtoensureitiscorrect
H1 C.33.2
TheoperatorreceivesaclearfortakeoffcallfromATC,butthegroundpersonneldidnotprovideapersonnelclearcall.TheoperatorcommandslaunchnowaftertheATCcall.
TheoperatormustnotprovidethelaunchnowcommanduntiltheoperatorreceivescallsfrombothATCandgroundpersonnel
Page 128
128
H1 C.33.3
TheoperatoriswaitingonaclearfortakeoffcallfromATC,andreststhemousecursoroverthelaunchnowbuttonontheUI.Whilewaiting,theoperatororanotherpersoninthegroundstationaccidentallyclicksthemouse,launchingtheUAV.
Theoperatormustnotputthemouseoverasafetycriticalcommanduntilthecommandissafetoperform.Additionally,considerasecondarypromptforsafetycriticalcommandsorotherdesignstopreventaccidentallysendingcommand.
C.33.4
TheoperatorreceivesaclearfortakeoffcallfromATCandapersonnelclearcallfromthegroundpersonnelsupportingthelaunch.Visibilityislow,andthetowercannotseetheentirerunway.Thelipstickcameraalsodoesnotprovideaviewoftheentirerunwayduetolowvisibility.ThereiseitheranaircraftoravehicleontherunwaythatcannotbeseenbyATC,groundpersonnel,ortheUAVoperator.
TheUAVmustbeabletoabortalaunchattemptoncetheoperatorrecognizesthattherunwayisnotclear.
H5 C.33.5
Theoperatordoesnotprovidethelaunchnowcommand,howevertheparkingbrakefailsandtheUAVtravelsdowntherunway.
TheUAVshouldmaintainanidleornearidlethrottlesettinguntilthelaunchcommandisprovided.Additionally,theUAVmustbeabletoquicklystopiftheUAVmovesinadvertently
TheoperatorprovidesthelaunchnowcommandwhentheUAVisnotontherunway
H5 C.34.1
Theoperatordoesnotprovidethelaunchnowcommand,howeveranotherLOSgroundstationonsiteisconductingchecksanddoesprovidethelaunchcommand
EitherUAVoperationsshouldbedeconflicted,orproceduresputinplacetoensurethecontrolstationislinkedtothecorrectaircraft.Ifanincorrectlinktakesplacealldatamustbe
Page 129
129
verifiedtoensureitiscorrect
C.34.2
Duringtheenginerun-up,theoperatoraccidentallyclicksthelaunchnowbuttonontheUI.ThethrustovercomestheparkingbrakeandtheUAVtravelsoverthechocks.
Asecondarypromptforsafetycriticalcommandsorotherdesignstopreventaccidentallysendingcommand.
C.34.3
TheoperatorprovidesthelaunchnowcommandwhentheUAVisontherunway,howevertheUAVrunsofftherunwayduringthelaunchprocedure.Thecrosswindsareoutoflimits,howeverthelatestweatherreportindicatedcrosswindswerewithinlimits.
TheweathersupportorganizationmustprovideuptodateweatherinformationandalerttheUAVoperatorifthewindisoutoflimitsduringthebeforetakeoffprocedures.
C.34.4
TheoperatorprovidesthelaunchnowcommandwhentheUAVisontherunway,howevertheUAVrunsofftherunwayduringthelaunchprocedure.TheUAVdoesnotcompensateforthecrosswinds.
TheUAVmustbedesignedtocompensateforcrosswindsduringtakeoff.
Theoperatorprovidesthelaunchnowcommandbeforegroundpersonnelandequipmentareclearofthearea
H1 C.35.1 Theoperatordoesnotprovidethelaunchnowcommand,howeveranotherLOSgroundstationonsiteisconductingchecksanddoesprovidethelaunchcommand
EitherUAVoperationsshouldbedeconflicted,orproceduresputinplacetoensurethecontrolstationislinkedtothecorrectaircraft.Ifanincorrectlinktakesplacealldatamustbeverifiedtoensureitiscorrect
Page 130
130
C.35.2
TheoperatorreceivedatakeoffclearancefromATCanddidnotseeanyonethroughthecamera.Theoperatorassumedtherunwaywasclearandprovidedthelaunchnowcommand
Theoperatormustreceiveanareaclearmessagefromthegroundpersonnelbeforeprovidingthelaunchnowcommand
C.35.3
Thegroundpersonnelstatethattheareaisclear,howeveritisnotactuallyclear.ThegroundpersonnelarestillwalkingoutofthepathoftheUAVandbelievetheyhavetimetocleartheareabeforelaunch.
Theareaclearcallmustonlybegivenwhenallpersonnelareoutofthepathoftheaircraft
C.35.4
Thegroundpersonnelstatethattheareaisclear,andbelievethegroundequipmentisoutofthepathoftheaircraft,howevertheequipmentisstillwithinthepathoftheaircraft.
Allgroundequipmentusedtotowtheaircrafttotherunwaymustbecompletelyofftherunwaybeforetakeoff
H5 C.35.5
Thegroundpersonnelandequipmentaretothesideoftheaircraftoutofthepath,howeverwhentheaircraftlaunches,itdoesnotmoveinastraightlinedowntherunway,andinsteadrollstowardsthegroundpersonnelandequipment
Allpersonnelandgroundequipmentmustbeplacedbehindtheaircrafttoavoidbeinghitbytheaircraftifthelaunchisnotsuccessful
TheoperatorprovidesthelaunchnowcommandaftertheUAVisairborne
H4 C.36.1 Theoperatordoesnotprovidethelaunchnowcommand,howeveranotherLOSgroundstationonsiteisconductingchecksanddoesprovidethelaunchcommand
EitherUAVoperationsshouldbedeconflicted,orproceduresputinplacetoensurethecontrolstationislinkedtothecorrectaircraft.Ifanincorrectlinktakesplacealldatamustbeverifiedtoensureitiscorrect
Page 131
131
C.36.2
Theoperatoraccidentallyclicksthelaunchnowbutton.Theoperatorintendedtoclickadifferentbutton.TheUAVimmediatelyreducesthrottletothestartingthrottlepositionduringthelaunchsequence,causingtheUAVtostall.
Asecondarypromptforsafetycriticalcommandsorotherdesignstopreventaccidentallysendingcommand.
C.36.3
Theoperatorprovidesthelaunchnowcommand,butthepitotstaticsystemisnotworking.TheUAVacceleratesandgoesairborne,buttheoperatorbelievesthecommandwasnotreceivedandprovidesthelaunchnowcommandagain.
Theoperatormustusevisualconfirmationoflaunch,eitherfromthecameraorfromgroundpersonnel.AdditionallyiftheUAVdoesnotappeartoworkingasexpected,thelaunchorsortiemustbeabortedandtheissueresolvedbeforecontinuingthemission.
C.36.4
Theoperatorprovidesthelaunchnowcommand.AheadwindgustcausestheUAVtobecomeairborneearlierthanexpected,andwhenthegustorgroundeffectendstheUAVnolongerhasenoughlifttomaintainflightandlandsbackontherunway.
Duringtakeoffingustyconditions,therotatespeedmustbeincreased,ifrunwaylengthallows,topreventearlyrotation.
TheoperatordoesnotprovidethelandnowcommandwhentheUAVisinthepatternandatminimumfuel
H4 C.37.1 Theoperatorprovidesthelandnowcommand,buttheUAVdoesnotreceivethecommand.InterferencefromanotherUAVpreventsthesignalreception.
EitherUAVoperationsshouldbedeconflicted,orproceduresputinplacetoensurethecontrolstationislinkedtothecorrectaircraft.Ifanincorrectlinktakesplacealldatamustbeverifiedtoensureitiscorrect
Page 132
132
C.37.2
TheoperatorbelievesthattheUAVhasenoughfueltolastuntillanding,eventhoughtheUAVisfuelstateislow.TheoperatordecidestowaitfortheUAV'sturntolandratherthandeclaringafuelemergencyandlandingassoonaspossible.
Theoperatormustdeclareafuelemergencywhenthefuelstateislowinordertolandassoonaspossible
C.37.3
TheUAVprovidesinaccuratefuelstatedataandtheoperatorbelievesthattheUAVhasmorefuelthanitactuallyhas.ThereareotheraircraftinthepatternaheadoftheUAV,andtheUAVwaitstolandinsteadofdeclaringanemergencyinordertolandaheadoftheotheraircraft.
TheUAVmustprovideaccuratefuelstatefeedbacktotheoperator
H1 C.37.4
Theoperatorrecognizesthatthefuelislowanddeclaresanemergency.Theoperatorthenprovidesthelandnowcommand,butittakeslongertolandthanexpectedduetotrafficandwinds.TheUAVrunsoutoffuelandcrashlandsofftherunway.
Theoperatormustincludewindsandthetimeittakestodeconflicttrafficwhendeterminingwhentodeclareanemergency
TheoperatordoesnotprovidethelandnowcommandwhentheUAVisattheairfieldandotheraircraftareattemptingtoenterthepattern
H2 C.38.1Theoperatorprovidesthelandnowcommand,buttheUAVdoesnotreceivethecommand.InterferencefromanotherUAVpreventsthesignalreception.
EitherUAVoperationsshouldbedeconflicted,orproceduresputinplacetoensurethecontrolstationislinkedtothecorrectaircraft.Ifanincorrectlinktakesplacealldatamustbeverifiedtoensureitiscorrect
Page 133
133
C.38.2
Theoperatordoesnotprovidethelandnowcommand.Theoperatorbelievesthatthewindsareoutoflimitsforlanding,anddecidestoremaininthepatterntoseeifthewindsdecreaseinordertoland.Thereareotheraircraftwithhigherwindlimitsthatareattemptingtolandatthesametime,andthepatternisbusy.
IftheUAVcannotland,butotheraircraftcanenterthepatternandlandtheUAVmustmaintainaholdawayfromthepatterntoavoidtrafficcongestion
C.38.3
TheoperatordoesnothearthecleartolandcallfromATC.TheoperatoriscoordinatingwiththegroundpersonnelforthetowandprovidingaircraftstatusinformationwhenATC'scallwasmade.
Duringcriticalphasesofflight,suchastakeoff,climb,andlanding,thegroundstationmustbeclearofnonessentialpersonnelandtheoperatormustmaintaina'sterilecockpit'environment.
H1 C.38.4 Theoperatorprovidesthelandnowcommand,buttheGPSsolutionisnotaccurate,andtheUAVdoesnotflythepatternaspublishedorlandontherunway
TheVMSmustreceivefeedbackwhentheaccuracyoftheGPSsolutionisbelowaminimumthreshold,additionallyothernavigationsolutionssuchasINSorVORshouldbeconsideredasabackupsystem
Theoperatorprovidesthelandnowcommandwhentherunwayisnotclear
H2 C.39.1
Theoperatordoesnotprovidethelandnowcommand,buttheUAVexecutesthelandingprocedure.AnothergroundstationprovidesthelandnowcommandforanotherUAVinthepattern,butbothUAVsreceivethecommand.
EitherUAVoperationsshouldbedeconflicted,orproceduresputinplacetoensurethecontrolstationislinkedtothecorrectaircraft.Ifanincorrectlinktakesplacealldatamustbeverifiedtoensureitiscorrect
Page 134
134
C.39.2
TheoperatorheardATCprovidealandingclearancetoanotheraircraftandmistakenlythoughttheclearancewasfortheoperator'sUAV.Theoperatorreadsbacktheclearanceatthesametimeastheotherpilot,andATConlyhearsthereadbackforthecorrectaircraft.Theoperatorprovidesthelandnowcommandastheotheraircraftislanding.
Duringcriticalphasesofflight,suchastakeoff,climb,andlanding,thegroundstationmustbeclearofnonessentialpersonnelandtheoperatormustmaintaina'sterilecockpit'environment.
C.39.3
ATCprovidesalandingclearanceeventhoughanaircraftisontherunwaybecausethecontrollerbelievesthattheaircraftwillbeofftherunwaybythetimetheUAVlands.Theaircraftontherunwayisnotabletocleartherunwayintime,andtheUAVlandsontherunwaywhiletheotheraircraftisalsoontherunway.
Theoperatormustbeabletoabortthelandingprocedureifthelandingisnotlongerconsideredsafe.Groundpersonnelmustprovidefeedbackifthereisanaircraftontherunway,astheUAVoperatormaynotseetherunwaythroughthecamera.
H5 C.39.4
Theoperatorprovidesthelandnowcommand,buttheUAVdoesnotcompensateforcrosswindsduringfinalapproachanddoesnotlandontherunway
TheUAVmustbedesignedtocompensateforcrosswindsduringlanding
TheoperatorprovidesthelandnowcommandwhentheUAVisnotattheairfield
H1 C.40.1 Thelandnowcommandisnotprovided,buttheUAVreceivesalandcommandfromadifferentgroundcontrolstation
EitherUAVoperationsshouldbedeconflicted,orproceduresputinplacetoensurethecontrolstationislinkedtothecorrectaircraft.Ifanincorrectlinktakesplacealldatamustbeverifiedtoensureitiscorrect
Page 135
135
C.40.2
Theoperatordoesnotintendtoclickthelandnowbutton.Thebuttonisnearanotherbuttonthattheoperatormeanttopress.TheoperatordoesnotimmediatelyrealizethattheUAVistryingtoland,anddoesnotrecovertheaircraftbeforeitfliesintoterrain.
Asecondarypromptforsafetycriticalcommandsorotherdesignstopreventaccidentallysendingcommand.
H2 C.40.3 TheUAVprovidesaGPSpositionindicatingthattheUAVisinthepattern,howevertheGPSsolutionisinaccurateandtheUAVisnotinthepattern.
TheVMSmustreceivefeedbackwhentheaccuracyoftheGPSsolutionisbelowaminimumthreshold,additionallyothernavigationsolutionssuchasINSorVORshouldbeconsideredasabackupsystem
C.40.4
Theoperatorprovidesthelandnowcommand,butprovidesaGPSlandingwaypointthatisnotattheairfield.Thelandingpointwasforanemergencyofffieldlanding,andwasmistakenlyprovidedtotheUAVpriortolanding.
TheUImustprovidefeedbackifthelandingwaypointisnotattherunway.
TheoperatorprovidesthelandnowcommandbeforetheUAVcompletestheairfieldarrivalprocedure
H1,H2 C.41.1 Thelandnowcommandisnotprovided,buttheUAVreceivesalandcommandfromadifferentgroundcontrolstation
EitherUAVoperationsshouldbedeconflicted,orproceduresputinplacetoensurethecontrolstationislinkedtothecorrectaircraft.Ifanincorrectlinktakesplacealldatamustbeverifiedtoensureitiscorrect
C.41.2
Theoperatorsetsupthelandingprocedure,andplacesthemouseoverthelandnowbutton.Theoperatoraccidentallypressesthe
Asecondarypromptforsafetycriticalcommandsorotherdesignstoprevent
Page 136
136
mouse,commandingtheUAVtoland.
accidentallysendingcommand.
C.41.3
TheoperatorreceivesincorrectGPSlocationandbelievestheUAVhasfinishedtheapproach.
TheVMSmustreceivefeedbackwhentheaccuracyoftheGPSsolutionisbelowaminimumthreshold,additionallyothernavigationsolutionssuchasINSorVORshouldbeconsideredasabackupsystem
C.41.4
Theoperatorprovidesthecommand,whichistobeexecutedoncethearrivaliscomplete,butinsteadtheUAVexecutesthelandingprocedureassoonasthecommandisreceived.Thecommandoverwritesthecurrentflightplan.
Thelandingsequencemustnotoverwritethecurrentplan,orthelandingsequencemustnotbeprovideduntiltheUAVisinapositiontoland.
Theoperatordoesnotprovidelostlinkproceduresduringflightoperations
H1,H2 C.42.1
Theoperatorprovidesthelostlinkprocedure,butitisnotreceivedduetointerferenceormasking.Theprocedureisthennotupdatedasterrain,weather,orconflictingtrafficchangesalongtherouteofflight
TheUAVmostprovidefeedbackindicatingthelostlinkprocedureswerereceived.Ifthefeedbackisnotreceivedbytheoperator,theoperatormustresendtheprocedures
C.42.2
Theoperatordoesnotbelievethatthelostlinkprocedureneedstobeupdatedbecausetheprocedurewasrecentlyupdatedperaregularschedule,anddoesnotprovideupdatedlostlinkprocedure.However,terrain,weather,orconflictingtraffichavechangedalongtheroutesincethescheduleupdate.
ThelostlinkproceduresshouldbeupdatedbasedonrouteoftravelandobstaclesbetweentheUAVandtheairfieldratherthantiming.
Page 137
137
C.42.3 TheoperatordoesnotprovideanupdatedlostlinkprocedurebecausetheoperatorwasnotawarethattheairspacethattheUAVwouldflythroughifalostlinkoccurredisnolongersafe.
ATCmustprovidetheoperatorwithuptodateinformationifairspaceisnolongersafe.TheoperatormustalsoprovideATCwiththecurrentlostlinkproceduresothatiflostlinkshouldoccurATCcanensureotheraircraftareclearofthepath.
C.42.4 Theoperatorprovideslostlinkprocedures,butthesamesignalthatisjammingcommunicationsalsojamstheGPSsignal,andtheUAVfliesoffcourse
TheUAVmustbeabletodetectwhentheGPSsignalislostandusebackupnavigationmethods.Additionally,thecommunicationssystemmusthaveabackupsystemthatisfullyindependentofthemaincommunicationssystem.
Theoperatorprovideslostlinkprocedure,andthelostlinkprocedurewaypointsconflictwithotheraircraft
H2 C.43.1
Lostlinkproceduresareupdatedbyanothergroundstation.TheprocedureswereintendedforanotherUAV.
EitherUAVoperationsshouldbedeconflicted,orproceduresputinplacetoensurethecontrolstationislinkedtothecorrectaircraft.Ifanincorrectlinktakesplacealldatamustbeverifiedtoensureitiscorrect
C.43.2
Theoperatorisawarethatthereareotheraircraftintheairspace,butprovidesthelostlinkprocedureanyway.Theoperatorbelievesthatshouldlostlinkoccur,theoperatorcanupdateATCsothattheycandeconflicttheotheraircraft.However,thelostlinkisduetocommunicationsfailureatthegroundstation,
Theoperatormustnotprovidealostlinkprocedurethatconflictswithothertraffic.
Page 138
138
andtheoperatorcannotinformATCofthelostlink.
C.43.3
TheoperatordoesnotreceivefeedbackfromATCthattheairspacetheUAVwillflythroughiflostlinkoccursisnowoccupiedbyaircraft.
ATCmustprovidetheoperatorwithuptodateinformationifairspaceisnolongersafe.TheoperatormustalsoprovideATCwiththecurrentlostlinkproceduresothatiflostlinkshouldoccurATCcanensureotheraircraftareclearofthepath.
C.43.4
Thelostlinkproceduresdonotconflictwithothertraffic,butwindsblowtheUAVoffcourse,andtheUAVdoesnotcorrectthecoursedeviation
TheUAVmustcompensateforwindsandmaintainthecoursebetweenwaypoints.
Theoperatorprovideslostlinkprocedures,andthelostlinkprocedureisnotatoraboveMOCA
H1 C.44.1 Lostlinkproceduresareupdatedbyanothergroundstation.TheprocedureswereintendedforanotherUAVthatisflyingoverlowerterrain.
EitherUAVoperationsshouldbedeconflicted,orproceduresputinplacetoensurethecontrolstationislinkedtothecorrectaircraft.Ifanincorrectlinktakesplacealldatamustbeverifiedtoensureitiscorrect
C.44.2
ThelostlinkproceduresarebasedoffofthecurrentpositionoftheUAV,butwhentheUAVlosesthelinklaterintheflightthereishigherterrainbetweentheairfieldandtheUAV.
Iflostlinkproceduresareprovidedbasedontimingratherthanexpectedterrain,thelostlinkproceduremustbesafefortheentiretimeuntilthenext
Page 139
139
scheduledlostlinkupdate.
C.44.3
Theoperatorhasinaccuratecharts,andbelievesthatthelostlinkprocedureissafe,butthealtitudeisactuallytoolowcomparedtotheterrain.
Theoperationssupportorganizationmustprovideupdatedandaccuratecharts.
C.44.4
Thelostlinkproceduresareofanappropriatealtitudeforthecourse,howeverthewindsblowtheUAVoffcourse,anditdoesnotcorrectthecoursedeviation.
TheUAVmustbeprogrammedtocorrectcoursedeviations.
Theoperatorprovideslostlinkproceduresbeforelostlinkproceduresneededtobeupdated
H1,H2 C.45.1
Itisalmosttimetoupdatethelostlinkprocedures,sotheoperatordecidestogoaheadandsendtheupdate.Shortlyaftertheupdate,theUAVexperiencesalostlinkandexecutestheproceduresfortheupcominglegratherthanthecurrentleg.
ThelostlinkprocedureupdatemustnotbeprovideduntiltheUAVisflyingthelegassociatedwiththeupdatedprocedure
C.45.2
TheoperatorreceivedpositionfeedbackthatindicatedtheUAVwasatthenextleg,sotheoperatorprovidedthelostlinkprocedure.Thepositionfeedbackwasincorrect,andtheupdatewasnotyetneeded.
OncetheUAVhasenteredthelegassociatedwiththeupdatedlostlinkprocedure,theoperatormustsendtheprocedure.
Theoperatorprovideslostlinkprocedureswhenthewaypointsexceedthestorage
H1,H2 C.46.1
Theoperatorprovideslostlinkproceduresthatwerewithinthestoragecapacityoftheautopilot.ThemessagereceivedbytheUAVisdelimitedincorrectlyduetotranslationfromtheUItotheradiostotheUAV,whichexceedsstoragecapacity
Thegroundstationradiosmustsendcommandsaccurately
Page 140
140
capacityoftheautopilot
C.46.2
TheoperatorprovidesalargenumberoflostlinkwaypointstoensurethattheUAVfliesasaferoute,howevertheoperatorusestoomanywaypointsthatexceededthestorage
Theoperatormustsendanumberofwaypointsthatarelessthantheautopilotstorage.Theautopilotstoragemustbelargeenoughtostoreenoughwaypointsforthelengthofmission
C.46.3
Theoperatorprovidesthelostlinkprocedures,butdoesnotreceivefeedbackthattheprocedureswerereceived,sotheoperatorprovidesthemagain.Thesecondsetofproceduresareconcatenatedratherthanreplacingthefirstsetofprocedures
TheUAVmustprovidefeedbackthattheprocedurearereceived,andtheautopilotmustreplaceoldprocedureswithnewprocedures
C.46.4
Theoperatorprovideslostlinkproceduresthatarewithinthestoragecapacityoftheautopilot,buttheproceduresaredelimitedincorrectlytakingupmorestoragespacethantheautopilot'scapacity
TheUAVmustsaveproceduresintotheautopilotaccurately
TheoperatordoesnotprovidethepayloadpoweroncommandwhenUAVisoverthetargetarea
H3
C.47.1
Theoperatorprovidedthepayloadpoweroncommand,howeverthesignalisjammed,andtheUAVdoesnotreceivethecommand.
TheoperatormustprovidepayloadpoweronearlytoensurethatthecommandisreceivedbeforetheUAVisoverthetargetarea
Page 141
141
C.47.2
TheoperatordoesnotprovidethepayloadoncommandbecausetheoperatormisinterpretedtheflightplananddidnotbelievetheUAVwasoverthetargetarea
TheUImustprovidefeedbackindicatingwhentheUAVisoverthetargetarea
H1,H2
C.47.3
TheoperatordoesnotprovidethepayloadoncommandbecausetheoperatorbelievestheUAVisnotatthetargetarea.AGPSnavigationmalfunction,inaccuratesolution,orjammingofthenavigationsignalcausestheoperatortogetincorrectornopositionfeedback.
TheGPSmustprovidefeedbackwhenthesolutionisbelowtheminimumaccuracythreshold.Additionally,asecondarynavigationalsystemsuchasVORorINSmustbeconsideredinthedesign
C.47.4
TheoperatorprovidesthepoweroncommandwhentheUAVisoverthetargetarea,howeverthepayloaddoesnotturnon.Thepayloadwasinstalledbeforetheflight,andthewiringwasnotinstalledtoprovidethepayloadwithpower
Afterconductingpayloadmaintenance,thepayloadmustundergoafunctionalcheckouttoensureitworksasexpected
Theoperatorprovidesthepayloadpoweroncommandwhenthealternatorfails
H4
C.48.1
Theoperatordoesnotprovidethepayloadpoweroncommandbecausetheoperatorrecognizesthatthereisanalternatorfailure,andtheUAVisoperatingonbatterypower.Ashortedwireprovidesthepayloadpower,anyway,drainingthebattery.
Wiringmustbecheckedduringpreflightandshouldbedesignedtowithstandvibrationsassociatedwithflight
C.48.2
Theoperatorrecognizesthatthealternatorhasfailed,buttheaircraftisheadingtowardstheairfield(onareturnleg),andtheoperatorbelievesthatthereisenoughpowerforthepayloadtobeturnedonforashorttime.
Thepayloadmustnotbepoweredonifthealternatorisnotfunctioning
Page 142
142
C.48.3
TheoperatordoesnotreceivepowersystemfeedbackfromtheUAV,anddoesnotrecognizethatthealternatorhasfailed.Theoperatorisusingamainscreen,andunlesstheoperatorcheckstheelectricpowerstatusscreenisunawareofthepowersystemstate.
SubsystemfaultsmustbedisplayedontheUIregardlessofwhatscreentheoperatorisactivelylookingat.Additionally,consideranelectricalsystemscreencheckpriortoturningonthepayload.
C.48.4
Theoperatorprovidesthepayloadpoweroncommand.Thepayloadusesmorepowerthanexpected,causingthebatterytodrain.Thealternatorfails,butthereisnobatterypowertopowertheUAV
Thepayloadmustnotconsumeanymorepowerthanwhatthealternatorprovides
Theoperatordoesnotprovidethepayloadpoweroffcommandwhenthealternatorfails
H4
C.49.1
Theoperatorcannotturnthepayloadpoweroffwhenthealternatorfailsbecausetheradioisnotonbatterypower.TheUAVexecuteslostlinkprocedures,butisnotprogrammedtoturnoffthepayloadpoweranddoesnothaveenoughbatterypowertoreturnhome.
Theradiomustbeonbatterypowerincaseofanalternatorfailure.Incaseoflostlink,theVMSmustbeprogrammedtoturnoffthepayloadpowerifthealternatorfailsorwiringmustbedesignedtopreventemergencypowertothepayload.
C.49.2
Theoperatorrecognizesthatthealternatorisnotproducingpower,buttheUAVisoverthetargetarea,andtheoperatordecidestocontinueoperatingthepayloaduntiltheUAVhasleftthetargetarea
Theoperatormustpoweroffthepayloadandreturntotheairfieldifthealternatorfails.
C.49.3
Theoperatorrecognizesthatthealternatorisnotproducingpower,theoperatorsendsacommandtoturnthepoweroff,howeverthepowersystemfeedback
SubsystemfaultsmustbedisplayedontheUIregardlessofwhatscreentheoperatorisactivelylookingat.Additionally,consideranalerttoensurethat
Page 143
143
wasdelayed,andthebatteryissignificantlydepleted
theoperatorseesthefeedbackassoonasitisprovided.
C.49.4
TheoperatorrecognizesthatthealternatorisnotproducingpowerandclicksthebuttonontheUItoturnoffthepayload.Theoperatorclickedjustoutsidethebutton,andtheoperatordidnotnoticethatthecommandtothepayloadpowerwasnotsent.
Thestatusofthepayloadpowermustbedistinguishablebetweenonandoff.
C.49.5
Theoperatorprovidesthepayloadpoweroffcommandtoconservepoweroncethealternatorfails,howeverevenwiththepayloadpowerofftheUAVdoesnothaveenoughbatterypowertoreturntobase
Thebatterymusthaveenoughpowertoreturntobasesafely
TheoperatorprovidesthepayloadpoweroffcommandwhentheUAVisoverthetargetarea
H3
C.50.1
Theoperatorprovidesthepayloadpoweroncommand,howeveranothergroundstationisbeingusedforapostmaintenancecheckortraining,andthegroundstationsendsapayloadpoweroffsignalthattheUAVreceives,andtheUAVturnsoffpayloadpower.
Groundstationsmustnotsendsignalsoutwhentheyarenotactivelycontrollinganaircraft.
C50.2
Theoperatormisinterpretstheflightplan,andbelievesthattheUAVhasexitedthetargetarea.TheoperatorturnsthepayloadpoweroffwhiletheUAVisstilloverthetargetarea.
TheUImustprovidefeedbackindicatingwhentheUAVisoverthetargetarea
Page 144
144
C.50.2
TheoperatorbelievestheUAVhasleftthetargetarea.AGPSnavigationmalfunction,inaccuratesolution,orjammingofthenavigationsignalcausestheoperatortogetincorrectornopositionfeedbackandprovidethepayloadpoweroffcommand
IftheoperatorisunsureofthepositionoftheUAV,theoperatormustnotprovidethepayloadoffcommand
C50.3
Theoperatordoesnotprovidethepayloadpoweroffcommand,howeverthepayloadwasnotdesignedfortheflightenvironmentitisbeingsubjectedto,andfailsinflight
ThepayloadsmustbedesignedandtestedfortheUAVflightconditions
Table12UAVVMSScenarios
UCA Hazard ScenarioDesignator MainScenarioDescription SafetyConstraint
TheVMSdoesnotprovideroll,pitch,oryawcommandswhentheUAVisoffcourse
H1,H2,H3
V.1.1
TheVMSprovidestheroll,pitch,oryaw,howevertheactuatordoesnotreceivethecommand.Abrokenwireorconnectionpreventsthesignalfromgettingtotheactuator.
Wiringmustbecheckedduringpreflightandshouldbedesignedtowithstandvibrationsassociatedwithflight
V.1.2
TheVMSknowsthepositionoftheaircraftrelativetothewaypoint,howeveritdoesnotcommandroll,pitch,oryawinordertoflytothewaypoint.WindsareblowingtheUAVoffcourse.Thewaypointsarespreadout,andtheUAVautopilotisprogrammedtoflytothenextwaypoint,notmaintain
TheUAVmustflythedesiredcourse.Inwindyconditions,thewaypointsmayhavetobeclosertogethertomaintainthetrack.Or,theUAVmustbeprogrammedtofollowthecourse,notjustflytothewaypointfrompresentposition
Page 145
145
thecoursefromthepreviouswaypoint.
V.1.3
TheVMSreceivesincorrectUAVpositionfeedback,andthereforedoesnotrecognizethatitneedstoprovideroll,pitch,oryawcommandstoflytothewaypoint.ThepositionisinaccuratebecausetheGPSnavigationmalfunctionsorhasaninaccuratesolution.
TheVMSmustreceivefeedbackwhentheaccuracyoftheGPSsolutionisbelowaminimumthreshold,additionallyothernavigationsolutionssuchasINSorVORshouldbeconsideredasabackupsystem
H4
V.1.4
TheVMSprovidestheroll,pitch,oryaw,butthecontrolsurfacedoesnotdeflect.Anactuatororcablelinkageisbrokennotallowingtheaircraftroll,pitchoryaw
Actuatorsandcablelinkagesmustbeinspectedbeforeeachflight.Acontrolcheckshouldalsobeperformedduringpreflight.
Page 146
146
TheVMSprovidesroll,pitch,oryawwhenthecommandexceedsaircraftattitudelimits
H4
V.2.1
TheVMSdoesnotprovidetheroll,pitch,oryawcommand,buttheaileron,elevator,andrudderreceivethecommand.Ashortedwireprovidespowertotheactuatorcausingtheaileron,elevator,orruddertomove.Theaileron,elevator,andrudderreceivethecommandeventhoughtheVMSdidnotcommandit.
Wiringmustbedesignedtowithstandtheflightenvironment,andinspectedbeforeflight.
V.2.2
TheVMSprovidestheroll,pitch,oryawcommandandexceedlimitsforthecurrentflightcondition.TheVMSwasprogrammedwithonesetofattitudelimits,ratherthanasetofattitudelimitsfordifferentflightconditions(altitude&speed).Thecommanddidnotexceedtheprogrammedlimits,butitdidexceedactuallimitsforthatparticularflightcondition
TheVMSmustbeprogrammedwithlimitsatallflightconditions
V.2.3
TheVMSprovidesaroll,pitch,oryawcommandthatitbelieveswillresultinanattitudewithinlimits,howevertheattitudeisactuallyoutoflimits.Theaeromodellingofthesystemwasnotvalidated,andthemagnitudeofthecommandistoolarge.Thecommandedattitudeisactuallyoutoflimits.
Theaeromodelmustbevalidatedfortheentireflightenvelopeandflightconfigurationstoincludeabnormalconfigurations
Page 147
147
V.2.4
TheVMSprovidesaroll,yaw,orpitchinputtocorrectaninvalidattitudeindicationitisreceivingandexceedsattitudelimits.Theinvalidfeedbackisduetoavacuumpumpfailurethatrenderstheattitudeindicatorinoperative.Thecommandexceedsattitudelimits,buttheVMSdoesnotrecognizetheexceedenceduetotheinvalidattitudeindication.
AsecondaryattitudeindicatormustbeincludedintheUAVdesignasabackuptothemainattitudeindicator.TheVMSmustreceivefeedbackofavacuumpumpfailuresothatitcanswitchtothesecondaryattitudefeedback
H5
V.2.5
TheVMSprovidesaroll,pitch,oryawcommandthatisappropriateforstayingwithintheUAVattitudelimits.Theactuatorwasconnectedtothecablesbackwards,andtheVMSinputhastheoppositeeffect(rollleftinputrollsUAVright).TheVMScontinuestocommandinthesamedirectioninanattempttocorrecttheattitudeeventuallyexceedingaircraftlimits.
Afteranycontrolsurfacerelatedmaintenance,acontrolscheckmustbeaccomplished.Acontrolscheckmustalsobeaccomplishedduringpreflight.Considerdifferentconnectorsforthedifferentdirectionssothatitcannotphysicallybeconnectedbackwards.
TheVMSprovidesroll,pitch,oryawwhenthecommandsteerstheUAVoffcourse
H1,H2,H3
V.3.1
TheVMSprovidedtheroll,pitch,oryawcorrectlytomaintainthecourse,howeverthecommandwasreceivedincorrectly.Thewiringtotheactuatorwasbackwards,commandingtheUAVtomoveintheoppositedirection.
Afteranycontrolsurfacerelatedmaintenance,acontrolscheckmustbeaccomplished.Acontrolscheckmustalsobeaccomplishedduringpreflight.Considerdifferentwiringconnectorssothatitisimpossible
Page 148
148
towiretheactuatorbackwards
H5
V.3.2
TheUAVprovidesaroll,pitch,oryawcommandthatisinsufficienttomaintainthecourse.Thecontrolalgorithmisdesignedtomakesmall,slowcorrectionstoavoidovercontrol.Thecorrectionsaretoosmalltocorrectcoursedeviations,andtheUAVfliesoffcourse
Thecontrolalgorithmintheautopilotmustbedesignedtomakebothsmallcorrectionswhendeviationsaresmall,andlargercorrectionsforgreaterdeviations.
H5
V.3.3
TheUAVprovidesroll,pitch,oryawcommandthatsteerstheUAVoffcourse.TheUAVreceivesincorrectpositiondataindicatingthattheUAVisoffcourse.TheUAVcommandsroll,pitch,oryawtoreturntothecourse,butactuallycausestheUAVtogooffcourse
TheGPSmustprovidefeedbackwhenthesolutionisbelowtheminimumaccuracythreshold.Additionally,asecondarynavigationalsystemsuchasVORorINSmustbeconsideredinthedesign
V.3.4
TheUAVdoesnotprovideroll,pitch,oryawcommand,buttheUAVgoesoffcourse.WindblowstheUAVoffcourse,andtheVMSisprogrammedtoflytowardsawaypoint,notmaintainacourse.
TheautopilotmustbeprogrammedtomaintainthecoursebetweenwaypointstoavoidairspaceconflictsorCFIT
Page 149
149
TheVMSprovidesthepitchdowncommandwhenthethrottleisreducedinordertodescend,butthecommandisdelayed
H4
V.4.1
TheVMSprovidedthepitchcommand,howevertheactuatordidnotreceivethecommandattheappropriatetime.Anintermittentwiringissuedelaysthecommandtotheactuator
Wiringandconnectionsmustbecheckedduringpreflightandshouldbedesignedtowithstandvibrationsassociatedwithflight
V.4.2
TheVMSprovidedthepitchcommandlate.Theautopilotwasprogrammedincorrectlywithtoolongofadelaybetweenthrottleandelevatorcommands
Theautopilotmustbeprogrammedtominimizedelaybetweentwocorrelatedcontrolsurfaceorthrottlecommands
V.4.3
TheVMSreceivedincorrectfeedbackwhichresultedindelayingthepitchcommand.TheVMSdidnotreceivefeedbackthatthethrottlewasreducedthereforeitdidnotcommandthenosedowntoavoidanoverspeed
TheVMSmustreceiveaccuratefeedbackofthethrottleposition
V.4.4
TheVMSreceivedincorrectfeedbackwhichresultedindelayingthepitchcommand.TheVMSreceivedincorrectfeedbackthattheelevatorwasalreadyattheappropriateposition
TheVMSmustreceiveaccuratefeedbackofthecontrolsurfacedeflections
V.4.5
TheVMSprovidedthecontrolsurfaceactuatorcommandcorrectly,buttheelevatordidnotdeflectasexpected.Theactuatorlinkageorcableisbroken,andtheelevatorisnolongercontrollable
Actuatorsandcablelinkagesmustbeinspectedregularlybeforeflight
Page 150
150
V.4.6
TheVMSprovidedthepitchcommandcorrectly,butthecontrolsurfacedidnotdeflectasexpected.Thepowersystemdidnotprovidepowertotheactuatorduetoapowersystemfailure
Flightcriticalcomponentssuchasactuatorsmusthavebackuppowersothattheaircraftmaybelandedafterapowersystemfailure
TheVMSprovidesapitchupcommandwhenthethrottleisincreasedforaclimb,butthecommandisdelayed
H6
V.5.1
TheVMSprovidedthepitchcommand,howevertheactuatordidnotreceivethecommandattheappropriatetime.Anintermittentwiringissuedelaysthecommandtotheactuator
Wiringandconnectionsmustbecheckedduringpreflightandshouldbedesignedtowithstandvibrationsassociatedwithflight
V.5.2
TheVMSprovidedthepitchcommandlate.Theautopilotwasprogrammedincorrectlywithtoolongofadelaybetweenthrottleandelevatorcommands
Theautopilotmustbeprogrammedtominimizedelaybetweentwocorrelatedcontrolsurfaceorthrottlecommands
V.5.3
TheVMSreceivedincorrectfeedbackwhichresultedindelayingthepitchcommand.TheVMSdidnotreceivefeedbackthatthethrottlewasincreasedthereforeitdidnotcommandthenoseuptoavoidastall
TheVMSmustreceiveaccuratefeedbackofthethrottlesetting
V.5.4
TheVMSreceivedincorrectfeedbackwhichresultedindelayingthepitchcommand.TheVMSreceivedincorrectfeedbackthattheelevatorwasalreadyattheappropriateposition
Actuatorsandcablelinkagesmustbeinspectedregularlybeforeflight
Page 151
151
H4
V.5.5
TheVMSprovidedthecontrolsurfaceactuatorcommandcorrectly,buttheelevatordidnotdeflectasexpected.Theactuatorlinkageorcableisbroken,andtheelevatorisnolongercontrollable
Actuatorsandcablelinkagesmustbeinspectedregularlybeforeflight
H4
V.5.6
TheVMSprovidedthepitchcommandcorrectly,butthecontrolsurfacedidnotdeflectasexpected.Thepowersystemdidnotprovidepowertotheactuatorduetoapowersystemfailure
Flightcriticalcomponentssuchasactuatorsmusthavebackuppowersothattheaircraftmaybelandedafterapowersystemfailure
TheVMSprovidesaroll,pitch,oryawcommand,buttheaileron,elevator,orrudderisnotbroughtbacktoneutralwhentheaircraftreachesthetargetheading/descent/ascent
H1,H2,H3
V.6.1
TheVMSprovidesacommandtoreturntheaileron,elevator,orrudderbacktoneutral,howeverthecommandwasnotreceivedduetoapowersystemfault.Wiringorconnectionstotheactuatorarebroken,keepingtheactuatorfromreceivingthesignal.Or,asystempowerfailure(suchasanalternatorfailure)occurs,andtheactuatorsarenotonbatterypower.
Wiringmustbeinspectedduringpreflightandmustbedesignedtowithstandvibrationsassociatedwithflight.Thepowersystemmustbedesignedsuchthatapowersystemfailuredoesnotresultinlossofactuatorpower
H4
V.6.2
TheVMSprovidesacommandtoreturntheaileron,elevator,orrudderbacktoneutral,howevertheaeromodelisincorrectandtheaircraftdidnottakeaslongasexpectedtoreachthedesiredheading/descent/ascent
Theaeromodelmustbevalidatedfortheentireflightenvelopeandflightconfigurationstoincludeabnormalconfigurations
Page 152
152
H4
V.6.3
TheVMSreceivedincorrectattitudedata,andbelievedthattheaileron,elevator,orrudderneededtostaydeflectedforlongerthanactuallyneededtoattainthedesiredheading/descent/ascent
Attitudeindicatorsmustbeinspectedduringpreflight,andmustbeflighttestedtoensureaccuracy
H4
V.6.4
TheVMSprovidedacommandtoreturnthecontrolsurfaceactuatortoneutral,howeverthecontrolsurfacedidnotmoveasexpected.Theactuatorlinkageorcableisbroken,andtheaileron,elevator,orrudderisnolongercontrollable
Actuatorsandcablelinkagesmustbeinspectedonaregularbasisandduringpreflightinspections
TheVMSprovidesaroll,pitch,oryawcommand,buttheaileron,elevator,orrudderisbroughtbacktoneutralbeforetheUAVreachesthetargetheading/descent/ascent
H1,H2,H3
V.7.1
TheVMSdoesnotprovideacommandtoreturntheaileron,elevator,orrudderbacktoneutral,howeverthecommandwasreceivedduetoapowersystemfault.Wiringorconnectionstotheactuatorarebroken,removingpowertotheactuatorandcausingtheaileron,rudder,orelevatortoreturntoneutral.
Wiringmustbeinspectedduringpreflightandmustbedesignedtowithstandvibrationsassociatedwithflight.
Page 153
153
H4
V.7.2
TheVMSprovidesacommandtoreturntheaileron,elevator,orruddertoneutral,buttheUAVhasnotyetachievedthedesiredheading/descent/ascent.Theaeromodelwasincorrect,andaircrafttooklongerthanexpectedtoreachthedesiredheading/descent/ascent.
Theaeromodelmustbevalidatedfortheentireflightenvelopeandflightconfigurationstoincludeabnormalconfigurations
H4
V.7.3
TheVMSreceivesincorrectattitudedata,andbelievesthattheaileron,elevator,orrudderdoesnotneedtostaydeflectedtoattainthedesiredheading/descent/ascent
Attitudeindicatorsmustbeinspectedduringpreflight,andmustbeflighttestedtoensureaccuracy
H4
V.7.4
TheVMSdoesnotprovideacommandtoreturntheaileron,elevator,orruddertoneutral,butitreturnedanyway.Theactuatorlinkageorcableisbroken,andtheaileron,elevator,orrudderisfreefloating
Actuatorsandcablelinkagesmustbeinspectedonaregularbasisandduringpreflightinspections
TheVMSdoesnotprovideathrottlesettingcommandwhenenvironmentalconditionschange(turbulence,gusts)
H4,H6
V.8.1
TheVMSprovidesathrottlesetting,buttheenginethrottledoesnotreceivethecommand.Thewiresorconnectorstothethrottleactuatorarebroken
Wiringmustbeinspectedduringpreflightandmustbedesignedtowithstandvibrationsassociatedwithflight.
Page 154
154
V.8.2
TheVMSreceivesverticalspeedandairspeeddatathatindicatetheUAVisinanareaofturbulenceorgusts,howeveritisnotprogrammedtochangethethrottlesetting.
TheVMSmustbeabletoeitherdeterminewhenenvironmentalconditionschange,orprovidefeedbacktotheoperatorsuchthatthethrottlecanbesetforasafeairspeedintheconditions
V.8.3
TheVMSdoesnotreceiveverticalspeedfeedback,anddoesnotrecognizethattheUAVisinturbulentconditions
TheVMSmustreceivefeedbacktodeterminewhenitisinturbulentorgustyconditionssothatitcansetasafeairspeed
V.8.4
TheVMSrecognizesthattheUAVisflyingthroughgustyconditions,andcommandsthethrottlelowertheairspeedtolessthanmaximumsafevelocityinroughair(VNO).Thethrottlesettingdoesnotchange.Thecableoractuatorconnectionisbroken,andthethrottleisnolongercontrollable
Actuatorsandcablelinkagesmustbeinspectedonaregularbasisandduringpreflightinspections
TheVMSdoesnotprovideahigherthrottlesettingwhentheUAVisinasustainedturn,whichreduceslift
H1,H2
V.9.1
TheVMSprovidesathrottlesetting,buttheenginethrottledoesnotreceivethecommand.Thewiresorconnectorstothethrottleactuatorarebroken
Wiringmustbeinspectedduringpreflightandmustbedesignedtowithstandvibrationsassociatedwithflight.
Page 155
155
V.9.2
TheVMSentersaturnandtheairspeedsubsequentlydecreases.TheVMScommandsahigherthrottlesettingtomaintainairspeed,whichinturnincreasestheturnradius,causingtheaircrafttonolongerbeoncourse.TheVMSrespondsbyincreasingbankangle,whichagainnecessitatesanincreasedthrottlesettingcausingtheturnradiustoincreaseagain.ThiscycleoccursuntiltheUAVreachesthebankanglelimit,causingthepayloadtopointawayfromthetargetareatheUAVisorbiting
TheUAVmustbeprogrammedtopitchupinanorbittomaintaintheturnradiuswiththehigherthrottlesetting.
H4
V.9.3
TheVMSentersaturnandtheairspeedsubsequentlydecreases.TheVMScommandsahigherthrottlesettingtomaintainairspeed,whichinturnincreasestheturnradius,causingtheaircrafttonolongerbeoncourse.TheVMSrespondsbyincreasingbankangle,whichagainnecessitatesanincreasedthrottlesettingcausingtheturnradiustoincreaseagain.Thiscyclecontinues,butattitudeindicatorsareinoperative,andtheUAVexceedsattitudelimits
TheUAVmusthaveasecondaryattitudeindicator,andtheprimaryattitudeindicatormustprovidefeedbackwhenitisinoperative
Page 156
156
H4
V.9.4
TheVMSrecognizesthattheUAVisdescendingintheturnandcommandsanincreasedthrottlesetting.Thethrottlesettingdoesnotchange.Thecableoractuatorconnectionisbroken,andthethrottleisnolongercontrollable
Actuatorsandcablelinkagesmustbeinspectedonaregularbasisandduringpreflightinspections
TheVMSprovidesathrottlesetting,butthethrottlesettingisnotenoughtomaintainanairspeedabovestallspeed
H4
V.10.1
TheVMSdidnotprovideathrottlesettingbelowstallspeed,howeverashortinthewiringprovidedthecommandtotheactuator,andthethrottlesettingdecreased
Wiringmustbeinspectedduringpreflightandmustbedesignedtowithstandvibrationsassociatedwithflight.
V.10.2
TheUAVprovidesathrottlesettingforaslowairspeedabovetheprogrammedstallspeed.Theprogrammedstallspeedisincorrect:itisforloweraltitudes,butathigheraltitudesthestallspeedincreases.Thehigherstallspeedisnotprogrammedintotheautopilot,andtheUAVisactuallybelowstallspeed
TheVMSmustbeprogrammedwithlimitsatallflightconditions
V.10.3
TheUAVreceivesinaccuratethrottlefeedbackandbelievesthatthethrottleisinanappropriatepositiontomaintainanairspeedabovestall.Theactuatorwasreplaced,andnotcalibratedtoensurethepositionfeedbackiscorrect.
Afteranythrottlerelatedmaintenance,anenginerunmustbeaccomplished,toincludecalibratingthepositionoftheactuatorwiththethrottlesetting
Page 157
157
V.10.4
TheUAVprovidedathrottlesettingthatshouldhaveresultedinahigherairspeed,buttheairspeedisbelowstall.Slackinthecablescausedthethrottletonotreachathecommandedsetting
Cablesmustbeinspectedonaregularbasis,andduringthepreflightinspection
TheVMSprovidesathrottlesettingthatacceleratestheaircraftaboveVNE
H6
V.11.1
TheVMSdidnotprovideathrottlesettingbelowstallspeed,howeverashortinthewiringprovidedthecommandtotheactuator,andthethrottlesettingincreased
Wiringmustbeinspectedduringpreflightandmustbedesignedtowithstandvibrationsassociatedwithflight.
V.11.2
TheUAVprovidesathrottlesettingforahighairspeedjustunderVNETheprogrammedVNEspeedisincorrect:itisforloweraltitudes,butathigheraltitudesVNEdecreasesThelowerVNEspeedisnotprogrammedintotheautopilot,andtheUAVisactuallyaboveVNE
TheVMSmustbeprogrammedwithlimitsatallflightconditions
V.11.3
TheUAVreceivesinaccuratethrottlefeedbackandbelievesthatthethrottleisinanappropriatepositiontomaintainanairspeedbelowVNE.Theactuatorwasreplaced,andnotcalibratedtoensurethepositionfeedbackiscorrect.
Afteranythrottlerelatedmaintenance,anenginerunmustbeaccomplished,toincludecalibratingthepositionoftheactuatorwiththethrottlesetting
Page 158
158
V.11.4
TheUAVprovidedathrottlesettingthatshouldhaveresultedinalowerairspeed,buttheairspeedisaboveVNE.Cablemaintenanceresultedinaninitialthrottlesettingataneutralactuatorpositionthatishigherthandesigned.Therefore,whenthethrottleincreasedtheactualthrottlesettingwashigherthanexpected
Afteranythrottlerelatedmaintenance,anenginerunmustbeaccomplished,toincludecalibratingthepositionoftheactuatorwiththethrottlesetting
TheVMSprovidesareducedthrottlesettingtoolateaftertheUAVflaresforlanding
H1,H5
V.12.1
TheVMSprovidedthethrottlecommandattherighttime,buttheactuatorreceivedthecommandlate.Anintermittentwiringissuedelaysthecommandtotheactuator
Wiringmustbeinspectedduringpreflightandmustbedesignedtowithstandvibrationsassociatedwithflight.
V.12.2
TheVMSprovidedthecommandlateduetoincorrectprogramming.TheUAVisprogrammedtowaitacertainamountoftimeaftertheflaretoreducetheairspeed,howeverflightconditionsrequiredanearlierthrottlereduction
TheVMSautopilotmustbeprogrammedtolandusingairspeedandaltitudefeedbackratherthantiming.TheUAVmustbetestedinnominalandoffnominalconditions
V.12.3
TheVMSprovidedthecommandlateduetoincorrectsystemfeedback.Thelaseraltimeterismalfunctioningandprovidingincorrectaltitudedata.TheVMSbelievestheUAVistoohighforareducedthrottlesetting
TheUAVmustbedesignedtodetectlaseraltimetermalfunctions.Thelaseraltimetermustbeinspectedregularlyforproperfunction,andtheexteriormustbecleanbeforeflight
Page 159
159
V.12.4
TheVMSprovidedthecommandlateduetoincorrectsystemfeedback.Thepitotstaticsystemismalfunctioning,andtheVMSbelievestheUAVisslowerthanitactuallyis.
Thepitotstaticsystemmustberegularlyinspectedandthepitottubeshouldbeclearofobstructionsbeforelaunch
V.12.5
TheVMSprovidedthecommand,buttheactuatorperformedthethrottlereductionlate.Amechanicalmalfunctionoftheactuator,suchasajam,preventedthethrottleactuatorfromoperatingatthecommandedtime.
Actuatorsandcablelinkagesmustbeinspectedregularlybeforeflight.Additionally,thereshouldbenolooseitems,oritemsthatcouldbecomelooseinflight,leftintheaircraftthatcouldinterferewithoperationoftheUAV
TheVMSprovidesathrottlesettingtoacceleratetoatargetspeed,butthethrottleisnotreducedbeforereachingVNE
H6
V.13.1
TheVMSprovidesthecommandtoreducethethrottle,howeveritisnotreduced.ThewiringtothethrottleactuatorfromtheVMSisbroken,preventingtheactuatorfromreceivingcommands
Wiringandconnectionsmustbecheckedduringpreflightandshouldbedesignedtowithstandvibrationsassociatedwithflight
V.13.2
TheVMSrecognizedthatthetargetairspeedwasreached,howeveritdidnotprovidethecommandtoreducethethrottle.Theautopilotisprogrammedwithalargedeadbandaroundtargetairspeedtoavoidovercontrolandtheassociatedinducedoscillations,howeverthetargetairspeedisnearVNE,andthedeadband
Iftargetairspeedisnottightlycontrolled,thetargetairspeedmustbesufficientlybelowVNEtoavoidoverspeeds
Page 160
160
allowstheUAVtoexceedVNE
V.13.3
TheVMSreceivedincorrectairspeedfeedbackduetoapitot-staticsystemfaultanddidnotrecognizethattargetairspeedwasreached
Thepitotstaticsystemmustberegularlyinspectedandthepitottubeshouldbeclearofobstructionsbeforelaunch
H4
V.13.4
TheVMSprovidedthecommandtoreducethethrottleoncetargetairspeedwasreached,howeverthethrottlewasnotreduced.Theactuatorlinkageorcableisbroken,andthethrottleisnolongercontrollable
Actuatorsandcablelinkagesmustbeinspectedregularlybeforeflight
V.13.5
TheVMSprovidedthecommandtoreducethethrottleoncetargetairspeedwasreached,howeverthethrottlewasnotreduced.Thepowersystemdidnotprovidepowertotheactuatorduetoapowersystemfailure
Flightcriticalcomponentssuchasactuatorsmusthavebackuppowersothattheaircraftmaybelandedafterapowersystemfailure
TheVMSprovidesathrottlesettingtodeceleratetoatargetspeed,butthethrottleisnotincreasedbeforereachingstallspeed
H4
V.14.1
TheVMSprovidesthecommandtoincreasedthethrottle,howeveritisnotincreased.ThewiringtothethrottleactuatorfromtheVMSisbroken,preventingtheactuatorfromreceivingcommands
Wiringandconnectionsmustbecheckedduringpreflightandshouldbedesignedtowithstandvibrationsassociatedwithflight
Page 161
161
V.14.2
TheVMSrecognizedthatthetargetairspeedwasreached,howeveritdidnotprovidethecommandtoreducethethrottle.Theautopilotisprogrammedwithalargedeadbandaroundtargetairspeedtoavoidovercontrolandtheassociatedinducedoscillations,howeverthetargetairspeedisnearstallspeed,andthedeadbandallowstheUAVtodeceleratebelowstallspeed
Iftargetairspeedisnottightlycontrolled,thetargetairspeedshouldbesufficientlyabovestallspeedtoavoidstalls
V.14.3
TheVMSreceivesincorrectairspeedfeedbackduetoapitot-staticsystemfaultanddoesnotrecognizethattargetairspeedwasreached
Thepitotstaticsystemmustberegularlyinspectedandthepitottubeshouldbeclearofobstructionsbeforelaunch
V.14.4
TheVMSprovidedthecommandtoincreasethethrottleoncetargetairspeedwasreached,howeverthethrottlewasnotincreased.Theactuatorlinkageorcableisbroken,andthethrottleisnolongercontrollable
Actuatorsandcablelinkagesmustbeinspectedregularlybeforeflight
V.14.5
TheVMSprovidedthecommandtoincreasethethrottleoncetargetairspeedwasreached,howeverthethrottlewasnotincreased.Thepowersystemdidnotprovidepowertotheactuatorduetoapowersystemfailure
Flightcriticalcomponentssuchasactuatorsmusthavebackuppowersothattheaircraftmaybelandedafterapowersystemfailure
Page 162
162
V.14.6
TheVMSprovidedthecommandtoincreasethethrottleoncetargetairspeedwasreached,howeverthethrottlewasnotincreased.Enginefailureoccurred,notallowingtheaircrafttoaccelerate
Ifenginefailureoccurs,theVMSmustrecognizethefailureandprovideattitudecommandstoavoidastall
Page 163
163
Appendix3:STPACompliancewithMIL-HDBK-516CChapter4ofMIL-HDBK-516Cdiscussesthesystemsengineeringcriteriaforairworthinesscertification.ThispaperexamineshowSTPAwouldprovidetheinformationrequiredforeachoftheSEairworthinesscriterialistedinthehandbook,andmoreimportantlyensureasafeaircraftdesign.4.1Designcriteria.4.1.1Requirementsallocation.Criterion:Verifythatthedesigncriteria,includingrequirementsandgroundrules,adequatelyaddressairworthinessandsafetyformissionusage,fullpermissibleflightenvelope,dutycycle,interfaces,inducedandnaturalenvironment,inspectioncapability,andmaintenancephilosophy.Standard:Allocatedhighlevelairworthinessandsafetyrequirementsdownthroughthedesignhierarchyaredefined.Allocateddesigncriteriaforallsystemelementsandcomponentsresultinrequiredlevelsofairworthinessandsafetythroughoutthedefinedoperationalflightenvelope,environment,usageandlife.MethodofCompliance:Inspectionofprocessdocumentationverifiesallocationofairworthinessandsafetyrequirementsanddesigncriteria.Traceabilityisdocumentedamongrequirements,designcriteria,designandverification.Consistencybetweendesigncriteriaandairworthinessandsafetyrequirementsisconfirmedbyinspectionofdocumentation.
OneoftheinputsintoanSTPAanalysisisthecontextwithinwhichthesystemoperates.Thecontextincludesmissionset,flightphases,operatingenvironment,andmaintenanceandlogisticssupport.Oncethecontextisdetermined,therequirementsgeneratedbySTPAforsafeoperationwithinthatcontextflowfromhighlevelrequirementstothesubsystemandcomponentlevels.TraceabilityisakeycomponentofSTPAandflowsthroughtheanalysisandproductstooperations.ThistraceabilitycoupledwiththesystematicapproachofSTPAalsoensuresthatcriticalsafetyrequirementsarenotmissedduringtheairworthinesscertificationinspection.4.1.2Safetycriticalhardwareandsoftware.Criterion:Verifythatairworthinessandsafetydesigncriteriaareadequatelyaddressedatcomponent,subsystemandsystemlevels,includinginterfaces,latencies,softwareandinformationassurance.Standard:Safetycriticalsoftwareandhardware(includingCriticalSafetyItems(CSIs))areidentified.Designcriteriaandcriticalcharacteristicsofsafetycriticalsoftwareandhardwarearedefined,substantiatedanddocumentedinsufficientdetailtoprovidefor“form,fit,functionandinterface”replacementwithoutdegradingsystemairworthiness.Designcriteriaandcriticalcharacteristicsofsafetycriticalsoftwareandhardwareincorporaterelevantsecurityrequirementsandmitigationtechniquesneededtoensuresafetyofflight.MethodofCompliance:Inspectionofdocumentationverifiesthataprocessisinplacetoadequatelyidentifysafetycriticalsoftwareandhardware,CSIs,andassociateddesigncriteriaandcriticalcharacteristicsatthecomponent,subsystemandsystemlevels.Inspectionofdocumentationverifiesthatsafetycriticalsoftwareandhardware,CSIs,andassociateddesigncriteriaandcriticalcharacteristicsresultingfromthisprocessaredocumented.InspectionofdocumentationverifiesthatsecurityrequirementsandmitigationtechniquesthataffectflightsafetyareincorporatedintosafetycriticalsoftwareandhardwareandCSIs.
CriticalsafetyitemsareeasiertoidentifywithSTPAbecauseofthetop-downapproach.Ratherthanlookingatallcomponentstodeterminewhichonesaresafetycritical,STPAstartswiththeaccidentsandassociatedhazardsandgeneratesthescenariosthatcouldcausethehazardousstatetooccur.Thesescenarioswouldillustratewhichcomponentsorsubsystemsaremostsafetycritical.Additionally,anSTPAanalysisprovidesinformationregardingtheinterfacesbetweenthecomponentandotherelementsinthesystem.Ifthesafetyconstraintsareimplementedinthedesign,thesystemwillbesafe.Aslongasthenewcomponentmeetsthe
Page 164
164
samesafetyconstraintsasthepreviouscomponent,thecomponentwillnotdegradeairworthiness.Ifthenewcomponentprovidesupgradedfunctionality,theoriginalSTPAanalysiscanbemodifiedtodeterminesafetyoftheupgradedcomponent.STPAcanalsobeusedforsoftwareandinformationassurance.Anotherimportantandoftenoverlookedinterfaceisbetweentheoperatorandtheautomation.STPAisdesignedtoaccountforhumanandsoftwareinteractionsaswellascomponent-levelinteractions.4.1.3Commercialderivativeaircraft.Criterion:Verifythat,forcommercialderivativeairvehicles,theairvehicle'scertificationbasisaddressesalldesigncriteriaappropriatefortheplannedmilitaryusage.Standard:Commercialderivativeaircrafthasbeenassessedforitssuitabilityfortheintendedmilitaryapplicationanddeterminedtobeairworthyandsafe.Limitationsappropriatetotheintendedmilitaryusageandenvironmentareidentified.MethodofCompliance:Inspectionofcertificationdataandanalysessubstantiatesthatthemilitaryairvehicleisairworthyandsafeforitsintendedmilitaryusageandenvironments.Militaryairvehicleairworthinesscertificationdataaddressesallequipment,usage,andenvironmentsnotcoveredbythecommercialcertification.
AnSTPAanalysiscanbecompletedusingthecommercialaircraftwithinthenewoperationalcontext.Inaddition,theanalysiswilldeterminethesafetyoftheintegrateddesignofthecommercialairframewithmilitarymissionsystems.Militarymissionsareusuallymuchmorestressfulontheaircraftandinvolvepushingtheenvelopemorethanthemissionsforwhichcommercialaircraftarecertified.Theexpectedenvironmentandstressesusedduringthecommercialcertificationprocessmaybedifferentthanthatformilitarymissions.STPAwouldconsiderthechangeinoperationsintheanalysis.Inaddition,commercialairworthinessstandardslikeSAEARP4761assumethatpilotsandmaintainersdotherightthinganddonotconsidertheimplicationsofhumanerroronthedesignoftheaircraftitself(notjusttheinterfacebetweentheaircraftandthehumans).STPAincludeshumanbehaviorinairworthinesscertification.4.1.4Failureconditions.Criterion:Verifythatsafetyofflightrelatedfailureconditionshavebeenadequatelyaddressedinthedesigncriteria.Standard:Safetyofflightfailureconditions(includingapplicablesinglepointfailures)havebeenidentified.Nosinglesafetyofflightfailureconditionresultsina"Catastrophic"severity(i.e.,death,permanenttotaldisability,monetarylossequaltoorexceeding$10millionorlossofairvehicle)withafrequencygreaterthan"improbable"(i.e.,arateoflessthanoneeventperonemillionflighthours).MethodofCompliance:Inspectionofthehazardanalysisverifiesthatsafetycriticalhazardshavebeenidentifiedandthatcatastrophicfailuresarenomorefrequentthanimprobable.Analysisofthedesignverifiesthattherequiredlevelofsafetyisachieved.Operatinglimitationsaredefined.Theanalysisincludesgroundrulesandassumptions.
WhileSTPAdoesnotassignprobabilitiestosafetyconditions,ifalloftherequirementsandconstraintsfoundviatheanalysisareimplemented,eitherthroughsystemdesignoroperationalrequirements,thesafetyofflightrelatedfailureconditionsisadequatelyaddressed.Mishapsmayoccurwhenmultiplefailureconditionsexist.Inaddition,particularlywhensoftwareisinvolved,mishapsmayresultwhennothinghasfailedandinsteadunsafe
Page 165
165
interactionsoccuramongfunctioningcomponents.Commercialaircraftcertificationstandards(suchasSAEARP4761)donotincludesuchconsiderations.STPAdoes.4.1.5Operatingenvironment.Criterion:Verifythattheairsystemisdesignedtooperateinthenaturalandinducedenvironmentsforwhichitisintended.Standard:Theairsystemdesigncriteriaincludestheintendednaturalandinducedenvironments.Theairsystem,includingtheairvehicleandcontrolstationequipment,isqualifiedtooperateintheintendednaturalandinducedenvironments(e.g.,temperature,humidity,precipitation,icing,fungus,saltfog,particulateandliquidcontamination,shockandvibration,andexplosiveatmosphere).MethodofCompliance:Inspectionofdocumentationverifiesthattheairsystemintendednaturalandinducedenvironmentsaredocumented.Analysis,demonstrationandtestverifythatequipmentprovidesrequiredfunctionandperformancewithintheenvelopeofintendednaturalandinducedenvironmentswithoutimposingasafetyofflightrisk.Inspectionofqualificationtestresultsverifiesthatequipmentisqualifiedforitsintendedenvironments.
STPAprovidesaprocedureforidentifyingtheoperationalcontextofthesystemandidentifyingthesafetyconstraintsassociatedwiththatenvironment.Additionally,STPAprovidesinformationtodeterminedesigntradeoffsastheremaybesomecompetinginterestssuchasenginetakeoffpowerandcruiseperformanceorthelocationofdisplays.WithSTPA,thesafetyconsiderationsforthedecisionareevaluatedandonceadecisionismade,STPAcanbeusedtominimizeanyinducedsafetyconcerns.4.1.6Flightandsafetycriticalfunctions.Criterion:Verifythattheairsystemsdesigncriteriaidentifyflightandsafetycriticalfunctions,andtheirdegradedandfailedmodesandstates.Verifythattheairsystemandairvehicledetectandrespondappropriately,predictably,safelyandinatimelymannertoflightandsafetycriticalfunctiondegradedstatesorfailures.Standard:Thedesigncriteriaidentifyflightandsafetycriticalfunctions,modesandstatesfortheairsystem,includingtheairvehicle.Theairsystemdesigncriteriaidentifyflightandsafetycriticalfunctiondegradedstatesandfailures.Theairsystemdetectsandrespondsappropriately,predictably,safelyandinatimelymannertoflightorsafetycriticalfunctiondegradedstatesorfailures.Theairvehicledetectsandrespondsappropriately,predictably,safelyandinatimelymannertoairvehicleflightorsafetycriticalfunctiondegradedstatesorfailures,withorwithoutoperatorintervention.Theairvehicledetectsandrespondsappropriately,predictably,safelyandinatimelymannertolossofflightandsafetycriticalcommandandcontroldatalink(s)betweentheoperatorandairvehicle.Theairvehicleresponsetolossofcommandandcontroldatalinkisappropriateandsafefortheairspaceinwhichtheairsystemwillbeoperated.Theairsystemdetectsandrespondsappropriately,predictably,safelyandinatimelymannertothesenseandavoidfunctionfortheairspaceinwhichtheairsystemwillbeoperated,withorwithoutoperatorintervention.Theairsystem(includingairvehicle)responsestoflightandsafetycriticalfunctionnormalanddegradedstatesorfailures,andlossofflightandsafetycriticalcommandandcontroldatalink(s):a.Activateappropriatelyandinatimelymanner,b.Activateonlywhenneeded,c.Safelytransitiontopre-determinedmodesandstates(seealso6.2.2.4ofthisdocument),d.Activatepre-determinedprocedure(s)forrestoringfunctionality,e.Alertairspacecontrolorairtrafficcontrol,asnecessary,andf.Prevententryintopre-definedkeep-outairspaceorover-flightofpre-definedsurfaceregions(seealso11.1.1.5ofthisdocument).(Forinformation,seealso6.2;8.3.10;11.1.1and11.2.3;Section15;and17.2.9ofthisdocument.)MethodofCompliance:Verificationmethodsincludeanalysis,test,simulation,demonstration,andinspectionofdocumentation.Inspectionofdocumentationverifiesthatdesigncriteriaandprocessesidentifyflightandsafetycriticalfunctions,modesandstates;flightandsafetycriticalfunctionsdegradedstatesandfailures;andlossofflightandsafetycriticalcommandandcontroldatalink(s).Inspectionofdocumentationverifiesthatdesigncriteriaandprocessesensureairsystemresponsesareappropriatefortheintendedairspace.Analysisverifiesthatflightandsafetycriticalfunctions,modesandstatesfortheairsystem,includingtheairvehicle,areidentified.Analysisverifiesthatflightandsafetycriticalfunctiondegradedstatesandfailuresareidentified.Acombinationofgroundtestingandsimulationverifiesthattheairsystem(includingairvehicle)detectsandrespondsappropriately,predictably,safelyandinatimelymannerto:(1)flightorsafetycriticalfunctionnormalanddegradedstatesorfailures,withorwithoutoperatorintervention,(2)lossofflightandsafetycriticalcommandandcontroldatalink(s),and(3)senseandavoidfunction,withorwithoutoperatorintervention.Thistestingandsimulationverifiesthattheairsystem(includingairvehicle)responses:a.Activateappropriatelyandinatimelymanner,
Page 166
166
b.Activateonlywhenneeded,c.Safelytransitiontopre-determinedmodesandstates,d.Activatepre-determinedprocedure(s)forrestoringfunctionality,e.Alertairspacecontrolorairtrafficcontrol,asnecessary,andf.Prevententryintopre-definedkeep-outairspaceorover-flightofpre-definedsurfaceregions.
Asaircraftsystemsbecomemorecomplex,itismoredifficulttofullyunderstandallofthehundredsorthousandsofpotentialfailurestatesthatarepossible.Thismeansthatdesigninganaircrafttodetectandappropriatelyrespondtothesefailurestatesisequallydifficult.STPAwasdesignedforjustthisproblem.STPAallowsthedesignerstoevaluatetheemergentpropertiesofthesystemastheydesignittoeliminatefailurestatesorminimizethehazardousconditionassociatedwithsystemfailures.Thisairworthinesscriteriondoesnotaccountforhazardousaircraftstatesthatdonotresultfromacomponentfailurebutrather,forexample,missingcasesormissingrequirementsorsystemengineeringdeficiencies.Thesepropertiesarenotidentifiedbycurrentbottomuphazardanalysistechniques,buttheyareidentifiedusingSTPA.Additionally,flightandsafety-criticalfunctionsareidentifiedbySTPA,andinformationfromtheSTPAanalysiswillfeedintotheverificationprocessforthesafety-criticalfunctions.4.1.7Flightterminationsystem.Criterion:Verifythattheflightterminationfunction,ifincorporatedintothedesign,issafe,secureandreliable.Standard:Designcriteriaensurethattheflightterminationfunctionoperatesreliablyandinatimelymannerwhencommanded.Theflightterminationfunctionresultsinadefinedairvehicleflightstate(e.g.,zerolift,zerothrust).Thelikelihoodofuncommandedflightterminationisremote.Aminimumoftwooperatoractionsisrequiredtoexecutetheflightterminationfunction.MethodofCompliance:Inspectionofdocumentationverifiesthatdesigncriteriaareinplacetoensurethattheflightterminationfunctionoperatesreliablyandappropriately,andonlywhenrequired.Inspectionoftestandsimulationdataverifiesthattheflightterminationfunctionoperatesappropriately,onlywhenrequired,andresultsintheexpecteddefinedflightstate(s).Inspectionofanalysisdocumentationindicatesthattheflightterminationfunctionoperatesreliably.
AnSTPAanalysisoftheflightterminationfunctionprovidessafetyconstraintstoensuresafefunction,whichwouldincludeuncommandedflightterminationandaccidentalflightterminationbytheoperator.STPAdoesnotdeterminelikelihoodofanuncommandedflighttermination,howeveritwouldprovideinformationtodesignaflightterminationsystemwithdesignconstraintstopreventanuncommandedflighttermination.Theanalysiswillalsoverifytheeffectivenessofthetwo-operatoractionrequirement.AnSTPAanalysisprovidesdatatothedevelopmentaltestorganizationinordertoproperlytestthefunctionalityoftheflightterminationsystem.Theanalysiswouldalsoconsiderunintentionalflighttermination(commandedbypilotoroperator,butdidnotintendto)andprovidesafetyconstraintstopreventsuchanoccurrence.4.2Toolsanddatabases.4.2.1Toolanddatabaseprocesses.Criterion:Verifythatalltools,methods,anddatabasesusedintherequirementsmanagement,design,riskcontrolandassessmentsofsafetyareappliedappropriatelyandexhibitaccuracycommensuratewiththeirapplication.Standard:Processesareinplacetoensurethatallanalysis,modelingandsimulationtoolsanddatabasesareofappropriateaccuracyandfidelity,arevalidatedfortheintendedapplications,andareconfigurationcontrolled.Requirementsdefinition/traceability,designandperformanceanalysistools,predictionmethods,modelsandsimulationsareappliedappropriately,andexhibitaccuracycommensuratewiththeirapplications.
Page 167
167
MethodofCompliance:Inspectionofdocumentationverifiesthatprocessesareinplacetoensurethattoolsanddatabasesarevalidatedandunderconfigurationcontrol.Inspectionofdocumentationverifiesthatanalysistools,models,simulationsanddatabasesareappliedappropriately.Inspectionofdocumentationverifiesthatanalysis,modelingandsimulationtoolsanddatabasesareofappropriateaccuracyandfidelityfortheintendedapplications.Inspectionofdocumentationverifiesthevalidationbasisofdesignanalysis,modelsandsimulationsissubstantiatedandbasedonactualhardware/softwaretestdata.Inspectionofdocumentationverifiesthatthedesignanalysis,modelingandsimulationtoolsaresubstantiatedbyandbasedonactualtestdata(whenavailable).Actualsystemverificationresultsarecomparedwithdesignanalysis,modelingandsimulationtoolresultsanddatabasesforvalidationpurposes.
AnSTPAanalysisofthetoolsandmethodsensuresthatthecorrectinformationisprovidedtothesystemdesigners.Additionally,STPAwillensurethatsafetyrequirementsdefinitionandtraceabilityareappropriateandaccurate.4.3Materialsselection.4.3.1Selectionofmaterials.Criterion:ForArmyandNavyairsystems,verifythatthematerialselectionprocessusesvalidatedandconsistentmaterialpropertiesdata,includingdesignmechanicalandphysicalpropertiessuchasmaterialdefects,andcorrosionandenvironmentalprotectionrequirements(seealsoSection19,Materials;Section5,Structures;andSection7,Propulsion;Section8,AirVehicleSubsystemsofthisdocument).Standard:Materialselectionprocessusesmaterialscoveredbyanindustryspecification,governmentspecification(MilitaryorFederal)orotherspecificationsasapprovedbytheprocuringagency.MethodofCompliance:Inspectionofdocumentationconfirmsthatmaterialsareadequatelycoveredbyeither:a.AnAerospaceMaterialsSpecification(AMS)issuedbytheSAEAerospaceMaterialsDivision,b.AnASTMstandardpublishedbyASTMInternational(formerlytheAmericanSocietyforTestingandMaterials),c.Agovernment(MilitaryorFederal)specification,ord.Otherspecificationsasapprovedbytheprocuringagency.Ifanapprovedspecificationfortheproductisnotavailable,anacceptabledraftspecificationhasbeenprepared.
AnSTPAanalysisdoesnotdirectlyaffectthisrequirement,howeveranSTPAanalysismaydeterminethecriticalareasformaterialsthatrequiremoreattention.4.4Manufacturingandquality.4.4.1Keycharacteristics.Criterion:Verifythatkeyproductcharacteristics(includingcriticalcharacteristics)havebeenidentified.Standard:Physicalcharacteristicswhicharekeytothesuccessfulfunctionofcriticalsafetyitems(CSIs)andflightcriticalcomponentsaredefinedanddocumented.Toleranceallowancesforeachcharacteristicandtraceabilitythroughthedesignhierarchyaredefined,andtheeffectsofadversetoleranceaccumulationathigher(e.g.,abovetheCSI)levelsofproductassemblyareanalyzedandreflectedinthedesigndocumentation.MethodofCompliance:Keyproductcharacteristic(includingcriticalcharacteristics)andtolerancedefinitionsareverifiedbyinspectionandanalysisofprogramdesigndocumentationattheapplicablelevelsoftheproducthierarchy.ManufacturingprocesscontrolsforspecifickeyproductcharacteristicsidentifiedasCriticaltoSafety(CTS)andmanufacturingprocessparametersnecessarytoachieveandmaintainacceptableprocessindicesareverifiedbyinspectionandanalysisofmanufacturingprocesscontroldocumentationfortheapplicablestagesofmanufactureandassembly.
STPAwillnotdeterminethetolerances,butitwilldeterminecriticalsafetyitemsandflightcriticalcomponents.Additionally,STPAconstraintswillfeeddirectlyintothemanufacturingprocessrequirements.4.4.2Criticalprocesses.Criterion:Verifythatallcriticalprocesscapabilitiesexisttomeetkeyproductcharacteristicrequirements(includingcriticalcharacteristics).Standard:Allkeycharacteristics(includingcriticalcharacteristics)aremappedtocorrespondingcriticalprocesses.Criticalprocesscapabilitiesarecharacterized,processcapabilityindices(Cpk)arecalculatedandacceptablelimitsestablished.Processcontrolplansforcriticalprocessesaredefinedandimplementedthroughoutthesupplychain.ForArmyandNavyonly,qualitycontrolproceduresforcriticalprocessesaredefinedandimplementedthroughoutthesupplychain.
Page 168
168
MethodofCompliance:Criticalprocesscapabilitiesandcontrolplansareverifiedbyinspectionofdesigndocumentationandprocesscontroldocumentationandifapplicable,on-siteauditdocumentation,throughoutthesupplychain.
Thesystem’skeyproductcharacteristicrequirementscanbeanalyzedviaSTPAtoensurethattheprocessesareadequatetomaintainsafety.4.4.3Criticalprocesscontrols.Criterion:Verifythatallcriticalprocesscontrolsexisttoassurekeyproductcharacteristicrequirements(includingcriticalcharacteristics)aremet.Standard:Workandinspectioninstructionsaredefined,documentedandimplementedforallcriticalmanufacturingprocesses.Aprocesscapabilityindex(Cpk)ofatleast1.67ismaintainedforprocessesCriticaltoSafety(CTS)orprocessesthatproduceCriticalSafetyItems(CSI).Quantitativeproductqualitycriteria(i.e.,productacceptancecriteria)aredefinedandusedforproductacceptanceatalllevelsoftheproducthierarchyuptoandincludingtheairsystemlevel.MethodofCompliance:Workandproductinspectioninstructions,productacceptancecriteriaareverifiedbyinspection.Cpkisverifiedbyanalysisandinspectionofdesigndocumentationandmanufacturingprocesscapabilitydata.Designconformance(i.e.,"asbuilt"configurationisinaccordancewithdesignrequirements)isverifiedbyfirstarticleinspectionsorfirstarticletests,reviewofmanufacturingprocesscontroldata,and/orperiodichardwarequalityaudits.4.4.4Qualitysystem.Criterion:Verifythattheas-builtconfigurationmatchestheas-designedconfiguration.Standard:Thequalitysystemiseffectiveinassuringconformancetoproductdesignandrealization,includingproductionallowancesandtolerances.Thequalitysystemaddressesdefectpreventionandachievingstable,capableprocesses.Thequalitysystememploysmethodssufficientforconductingrootcauseanalysesandimplementingeffectivecorrectiveactions.MethodofCompliance:ComplianceisdeterminedbyinspectionoftheQualitySystem'spolicies,processesandproceduresandexamplesofMaterialReviewBoardrecords.
TheoutputofanSTPAanalysisareprocesscontrols.STPAcanbeusedtoensurethatprocesscontrolsareadequatetomaintainsafety.4.4.5Nondestructiveinspections.Criterion:Verifythatnondestructiveinspection(NDI)processeshavebeenvalidatedtoassureconformingparts.Standard:Nondestructiveinspection(NDI)methodsandequipmenthavebeenqualifiedtosuitablestandardsandmeettherequirementsoftheapplicablespecificationandapplication.Thespecificationbeingusedensuresanynon-conformanceadverselyaffectingthepartwillbedetected.Acceptandrejectcriteriaforsafetyandflightcriticalhardwarearebasedonvalidatedmodelsanddata.MethodofCompliance:ComplianceisdeterminedbyinspectionofNDIprocess,selectioncriteria,operatorcertificationandmethodvalidationdocumentation.Fornewapplicationsofspecifications,testandinspectiondataconfirmstheinspectionmethodisvalidfortheapplication.
TheSTPAanalysiswillfeedintotheNDIprocesses.ItwillidentifyflightcriticalhardwareandwillbeusedtoensurethattheNDIprocessesprovidetheadequatefeedbacktomaintainflightsafety.Specificmethodsandequipmentmaybeidentifiedbasedoffofthesafetyconstraints.4.4.6ControlofSafety-RelatedArticles.Criterion:Verifythatsafety-relateditems(CriticalSafetyItems,flightcriticalcomponents,andcomponentscontainingcriticalcharacteristicsthatimpactsafety)conformtotheirapproveddesign.Standard:Thequalityofsafety-relateditems,whetherfurnishedbytheprimecontractor,supplier,orsustainmentorganization,iscontrolledtoensureconformancewithdesign.Themanufacturersoftheitemshaveinstitutedmanufacturingprocesscontrolsinspections,andtestingprocedurestoensureeachsafety-relatedproductorpartconformstoitsapproveddesign.MethodofCompliance:Forsafety-relateditems,initialdesignconformanceisverifiedbyinspectionofFirstArticleInspectionreports,FirstArticleTestreports,andothermanufacturingrecordsthatprovedesignconformance.Controlsforensuringthequalityofsafety-relateditemsareverifiedbyinspectingmanufacturingprocesscontrolplans(includingworkinstructions)andinspectionandtestprocedures.
Page 169
169
AnSTPAanalysisofthemanufacturingprocesswillidentifyappropriatecontrolsandensurethattheyareinplaceandthatthecommunicationbetweenthedesignteamandthemanufacturerisadequatetomakesurethatthemanufacturerhasthecorrecttechnicaldata.TheSTPAanalysiswillalsoanalyzefeedbackchannelsfromthemanufacturertothedesignteam.4.5Operator’sandmaintenancemanual/technicalorders.4.5.1Proceduresandlimitations.Criterion:Verifythatprocessesareinplacetoidentifyanddocumentnormalandemergencyprocedures,limitations,restrictions,warnings,cautionsandnotes.Standard:Operatorhandbooksormanualsidentifyallnormalandemergencyprocedures,limitations,restrictions,warnings,cautionsandnotes.Warnings,cautionsandnotesareidentifiedinsuchamannerastoattractattentionandsetthemapartfromnormaltext.Whenanunsafeconditionisdetectedandannunciated,theoperator'smanualhasclearandprecisecorrectiveproceduresforhandlingthecondition.MethodofCompliance:Inspectionofoperatorhandbooksormanualsprocessdocumentationdescribesproceduresfordevelopingnormalandemergencyprocedures,limitations,restrictions,warnings,cautionsandnotesfromsystemtechnicaldata.Processdescriptionsincludemethodsforupdatingthisinformationasneeded.ForArmyandNavy,inspectionofoperatinghandbooksandmanualsverifiesthattheyincludeallnormalandemergencyprocedures,limitations,restrictions,warnings,cautionsandnotes.TheUSAFconfirmsoperatormanualaccuracyandcompletenessthroughothersectionscontainedwithinthisdocument.
STPAprovidesinputstothetechnicalorders(TOs)forthesystem.Ifapotentialsafetyhazardisnotdesignedoutofthesystem,STPAcanprovideoperationalormaintenanceconstraintsthatwouldbeincludedintheTOasaprocedureorasacaution/warning.4.5.3Maintenanceofsafety.Criterion:Verifythatproceduresareinplaceforestablishingandmaintainingairsystemflightsafety,asaffectedbyproductdesignchanges,safetyissues,changesinoperations,maintenance,transportationorstorage.Standard:Processesaredefined,documented,andimplementedtoestablishandaccomplishtimelyupdatestooperatorandmaintenancemanualsasmadenecessarybyproductdesignchanges,identifiedsafetyissues(e.g.,CategoryIDeficiencyReports),changesinoperationalconcepts,usage,maintenanceconcepts,transportation,orstorage.Currentupdatedtechnicaldataareusedtoeffecttechnicalmanualrevisions.Maximumtimelinestoincorporatechangesinmanualsarebasedontheeffectofthechangeandtheseverityoftheidentifiedhazard.MethodofCompliance:Theadequacyofestablishmentandchangeprocessesforoperatorandmaintenancemanualsisverifiedbyinspectionofprocessdocumentation.Inspectionofexamplesofrevisedoperatorandmaintenancemanuals(i.e.,changepages)verifiestraceabilitytochangeevents.
Allsystemsthatareinoperationforasignificantamountoftimeundergochangeseithertothesystemitselfortothecontextinwhichitoperates.Thesechanges,withoutanaccompanyingchangetothesafetycontrolstructure,canleadtoaccidents.Anorganizationalsafetycontrolstructurefortheoperationalphasewillmodelthesupportsystem,butmustbeupdatedtoensurecontinuedcontrol.AnSTPAanalysisofthesupportsystemwillverifythattheproceduresinplaceformaintainingflightsafetyareappropriate.Aschangesaremadetoeitherthesystemitself(upgrades)ortotheoperationalenvironment(newmissionset,newoperatinglocation)theanalysiswillbemodifiedtoensurethatthesafetycontrolsarestilladequate,ordeterminenewsafetyconstraintstomeettheupdatedneedsofthesystem.ThetraceabilityinherentintheSTPAprocessassistswithidentifyingthesafetyimpactsofchanges.AnotheroutputofSTPAisanoperationalsafetymanagementplan.Thisplan“isusedtoguidetheoperationalcontrolofsafety”.
Page 170
170
Additionally,STPAhasbeenusedtoidentifyleadingindicatorsofincreasinglyriskybehaviorsothattheyaremonitoredandusedtoavoidmishapsaschangesoccur.4.6Configurationmanagement(CM).4.6.1Functionalbaseline.Criterion:Verifythatthefunctionalbaselineisestablishedandunderconfigurationcontroltoprecludeunauthorizedchanges.Standard:Thefunctionalbaselineisproperlydocumented,approvedandbroughtundercontrolbyaConfigurationManagementProcess.MethodofCompliance:TheConfigurationManagementPlan(CMP)isdefinedandimplementedinaccordancewiththecontract.Inspectionofdocumentationverifiesthatthefunctionalbaselinehasbeendocumentedandapproved.
TheSTPAanalysiswouldbecontrolledthroughtheCMPalongwithallothermodels.AnSTPAanalysiscanprovidedatatotheCMPtoensurethattheconfigurationisproperlycontrolled.4.6.2Allocatedbaseline.Criterion:Verifythattheallocatedbaselineisestablishedandunderconfigurationcontroltoprecludeunauthorizedchanges.Standard:Theallocatedbaselineisproperlydocumented,approvedandbroughtundercontrolbyaConfigurationManagementProcess.MethodofCompliance:TheConfigurationManagementPlanisdefinedandimplementedinaccordancewiththecontract.Inspectionofdocumentationverifiesthattheallocatedbaselinehasbeendocumentedandapproved.Inspectionoftheengineeringreleasedocumentationverifiesadequatecaptureoftheallocatedbaseline.
TheSTPAanalysiswouldbecontrolledthroughtheCMPalongwithallothermodels.AnSTPAanalysiscanprovidedatatotheCMPtoensurethattheconfigurationisproperlycontrolled.4.6.3Productbaseline.Criterion:Verifythattheproductbaselineisestablishedandunderconfigurationcontroltoprecludeunauthorizedchanges.Standard:Theproductbaselineisproperlydocumented,approvedandbroughtundercontrolbyaConfigurationManagementProcess.MethodofCompliance:TheConfigurationManagementPlanisdefinedandimplementedinaccordancewiththecontract.Inspectionofdocumentationverifiesthattheproductbaselinehasbeendocumentedandapproved.Inspectionoftheapprovedengineeringdocumentationandengineeringreleasesystemverifiesadequatecaptureoftheproductbaseline.
AnSTPAanalysisoftheConfigurationManagementProcesswillidentifyiftheprocessisadequatetocontroltheconfigurationofthesystem.Additionally,theSTPAmodelsshouldbecontrolledbytheCMP.4.6.4Safetycriticalitemconfigurationmanagement.Criterion:Verifythatallsafety-criticalitemsaretrackedandunderconfigurationcontrol.Standard:Aconfigurationstatusaccounting(CSA)systemisadequatelydocumentedandmaintainedandtrackstheconfigurationofsafety-criticalitems.MethodofCompliance:CSAprocessdocumentationisverifiedbyinspection.InspectionofCSArecordsandreportsforCI/CSCIsverifiesaccuracyoftheconfigurationstatusaccountingsystemandthatthesystemisabletotrackandrecordchangestotheconfiguration.
STPAcanbeusedtoidentifysafety-criticalitems.Anychangestotheitemsorhowtheyareusedintheaircraftsystemcanbeeasilyanalyzedwithupdateddatatoensurethattheresultsofthechangesarefullyunderstoodandthatthesafetycontrolstructurestilladequatelycontrolssystemsafety.
Page 171
171
Chapter14ofMIL-HDBK-516Ccoverssystemsafety.14.1.1Systemsafetyprocess.Criterion:Verifythataneffectivesystemsafetyprogramisimplementedthatmitigatesrisks/hazardsattributedtohardware,software,andhumansystemintegrationandthatthesafetyprogramdocumentsandtrackstherisks/hazardsofthedesign/modification.Standard:ThesystemsafetyprogrammeetstheminimummandatoryrequirementsofMIL-STD-882(e.g.,systemsafetyapproachhasbeendocumented;hazardshavebeenidentified;hazardshavebeenassessed;hazardshavebeenmitigated;residualrisksareatanacceptablelevel;residualriskhasbeenacceptedbyappropriateauthority;andhazardsandresidualriskhavebeentracked),andthesystemsafetyrequirementsareincorporatedintothetechnicalandprogrammaticdocuments.TheProgrammaticEnvironmentalSafetyandHealthEvaluation(PESHE)includesallhazardsidentifiedfortheprogram.MethodofCompliance:Verificationmethodincludesinspectionofdocumentation.Effectivenessofthesystemsafetyprogramisverifiedbyinspectionoftechnicalandprogrammaticdocumentstoverify:systemsafetyapproachhasbeendocumented;hazardshavebeenidentified;hazardshavebeenassessed;hazardshavebeenmitigated;residualrisksarereduced;residualriskhasbeenacceptedbyappropriateauthority;andhazardsandresidualriskhavebeentracked.InclusionofEnvironmentalSafetyandOccupationalHealth(ESOH)hazardsinPESHEisverifiedbyinspection.
STPAdocumentationwouldprovidetheinspectoralloftheinformationneededtoensurecompliancewiththesystemsafetyprocess.Additionally,theinspectorwouldabletotellquicklythatappropriatehazardshavebeenidentifiedbecauseSTPArefineshazardsfromasmallsetofhigh-levelhazards(comparedtodozensorhundredsofhazardsthatarefoundinsomeanalyses)sothatreviewisoptimized.STPAhasbeenshowntocomplywithMIL-STD-882and,infact,wascreatedwiththatgoalinmind.14.1.1.1Systemsafetyrequirements.Criterion:Verifythatthesystemsafetyprogramincorporatessystemsafetyintoallaspectsofsystemsengineeringthroughoutallacquisitionphases.Standard:Systemsafetyrequirementsareincorporatedintothesystemtechnicalandprogrammaticdocuments.Systemsafetyrequirements,analyses,timelinesandothermilestonesareinsynchronizationwiththerestoftheprogramschedules.MethodofCompliance:Verificationmethodincludesinspectionofdocumentation.Incorporationofsystemsafetyrequirementsintothesystemstechnicaldocuments,programmaticdocumentsandoperatingproceduresisverifiedbyinspection.Integrationofsystemsafetyrequirements,
Ahigh-levelSTPAanalysisonaproposednewsystemcanbeconductedbytheprogramofficeandthatinformationshouldbeincorporatedintosystemrequirementsalongwiththetechnicalrequirements.Thelower-levelanalysescanbesynchronizedwiththelower-leveldesignofthesystemoncethecontracthasbeenawardedandthecontractordevelopsthesystem.Thetimelinesofthesafetyanalysiswouldthereforematchthedesigntimelines.AsstatedpreviouslyintheanalysisofChapter4,anoutputofSTPAisasetofoperationalconstraints(safetyrequirements)thatwillaffectoperatingprocedures.Additionally,anyknownoperatingproceduresshouldfeedintothescenariogenerationportionofSTPA,verifyingthesafetyofthoseprocedures.Forinstance,anewrefuelingaircraftmostlikelywillbeexpectedtoconductproceduressimilartorefuelingaircraftcurrentlyintheinventory.14.1.1.2Systemsafetyanalysisandassessment.Criterion:Verifythatappropriatesystemsafetyanalysisandassessmenttasksareaccomplishedforallprograms,includingtemporaryandpermanentmodifications.Standard:System,subsystem,componentandsoftwaresafetyanalysesandassessmentsareaccomplishedforallprograms,includingtemporaryandpermanentmodifications.Designandoperational/maintenanceproceduresdonothaveanunacceptablenegativeeffectonsystemsafetyoronthemishapriskbaseline.MethodofCompliance:Verificationmethodincludesinspectionofdocumentation.Accomplishmentofappropriatesystem,subsystem,componentandsoftwaresafetyanalysesandassessmentsforallprograms,includingtemporaryandpermanentmodificationsisverifiedbyinspection,andanychange
Page 172
172
STPAworksverywellformodificationstothesystemandforoperationalandmaintenanceprocedures.AcompletedSTPAanalysiscanbeupdatedforsystemmodificationsinordertounderstandtheeffectsofthemodificationonthesystemanddesignthemodificationtoavoidintroducinghazardstothesystem.IfamodificationisaCOTSproduct,theintegrationoftheproductwiththeairframewillbeanalyzedtoensurethatitissafe.TheproductitselfmostlikelywillnotberedesignedbasedontheSTPAresults,butsafetyconstraintsfortheintegrationorfortheairframewillbeidentified.Additionally,ifPOdoesnotwanttoimplementthesafetyconstraints,theymaydeterminethattheCOTSproductisunsuitableandlookforotheroptions.14.1.1.3Hazard/risktrackingandriskacceptance.Criterion:Verifythathazards/risksaretrackedandresidualrisksdocumented.Standard:Hazard/risktrackingandresidualriskdocumentationandacceptanceareplanned,documentedandaccomplishedinaccordancewithMIL-STD-882.Risksarepresentedandacceptedattheappropriatelevelandriskacceptancesaredocumentedinahazardtrackingsystem.MethodofCompliance:Evidenceoftheclosedloophazardtrackingsystem
AhazardlististhesecondstepofaSTAMPanalysis.Furtheranalysisbuildsoffofthehazardlist.IncurrentAFpractice,thelevelofriskacceptanceisbasedonresidualrisklevel(low,medium,high).STPAdoesnotprovideprobabilityofoccurrence,thereforeriskacceptancelevelmustbeaddresseddifferently.Ifthesafetyconstraintsforanassociatedhazardareaddressed,thehazardwillbeappropriatelymitigated.14.1.1.4.1Flightsafety.Criterion:Verifythatthesystemsafetyprogramaddressesflightsafety.Standard:Singlepointfailuresthatresultinlossofaircraftorsystemdonotoccuratanunacceptablerate(e.g.,improbableorlowerprobabilitiesinaccordancewithMIL-STD-882).Safetydesigndeficienciesuncoveredduringflightmishapinvestigationsorindeficiencyreports(e.g.,MaterielDeficiencyReports(MDRs),QualityDeficiencyReports(QDRs))areassessedandresidualrisksidentified.Flighthazardrisksforthesystemdonotexceedthresholdlimitsthatareestablishedfortheprogram.MethodofCompliance:Verificationmethodsincludeanalysisandinspectionofdocumentation.Evidenceofaflightsafetyprocessisverifiedby:reviewofallhazardsassociatedwithsinglepointfailurestodocumenttheireliminationorreductionofriskstoanacceptablelevel;byinspectionofdesigndeficienciesidentifiedinflightsafetyreportsanddeficiencyreports(e.g.,MDRs,QDRs)toassuretheyareassessedandresolutionactionsaretrackedtoclosure;byanalysisthatactualflightmishapratescomplywithpre-setprogramthresholdlimits.
STPAinherentlyaddressflightsafety.Singlepointfailureswillbeidentifiedintheanalysisandeliminatedwithsafetyconstraints.DeficiencyreportsmustfeedbackintotheSTPAanalysis.Thesereportsmayprovideadditionalscenariosthatwerenotconsideredintheoriginalanalysis,orevenahazardthatwasnotoriginallyincluded.Theanalysismustbemodifiedtoincludethedeficienciesdiscoveredduringflighttestoroperationsoncethesystemisfielded.STPAwillidentifymorethansinglepointfailuresandevenhazardsthatdonotarisefromcomponentfailuresbutfromunsafeinteractionsamongcomponents.14.1.1.4.2ForeignObjectDamage(FOD)prevention.Criterion:Verifythatthesystemsafetyprogramaddressesground/industrialsafety(foreignobjectdamageprevention).Standard:Ground/IndustrialsafetyrequirementsareestablishedforactivitiesattheplanttominimizetheriskofForeignObjectDamage(FOD)orundetecteddamagetotheassembledairvehicleandallrequiredsupportequipment.
Page 173
173
MethodofCompliance:Verificationmethodincludesinspectionofdocumentation.EvidenceofanestablishedFODpreventionprogramisverifiedbyreviewofFODprogramdocumentsandinspectionofreports,oron-sitecertificationbytheDefenseContractManagementAgency(DCMA)thatanacceptableFODprogramexists.
AnSTPAanalysisoftheFODprogrammayyieldadditionalsafetyconstraintstopreventFOD.Additionally,theSTPAanalysisontheaircraftshouldconsiderFODinthescenariostoensurethatifanaircraftisdamagedbyFOD,thedamagedoesnotresultinanaccident.14.1.1.4.3Explosivesandordnancesafety;non-nuclearmunitions.Criterion:Verifythatthesystemsafetyprogramaddressesexplosivesandordnancesafety;non-nuclearmunitions.Standard:RequirementsforsystemsafetyprocessesandanalysesareestablishedinaccordancewithMIL-STD-882tosupportweaponstesting,certification,andobtainmentofexplosivehazardclassifications.MethodofCompliance:Verificationmethodincludesinspectionofdocumentation.Safetyprogramrequirementsforexplosivesandordnancesafetyareverifiedbyinspectionofsystemsafetyprogramanalysisdata.
STPAdoesnotdirectlysupportexplosivessafety,howeveranSTPAanalysisoftheexplosivessafetyprogrammayprovideadditionalconstraintstopreventanaccident.14.1.1.4.4Rangesafety.Criterion:Verifythatthesystemsafetyprogramaddressesrangesafety.Standard:Thesystemsafetyprogramisresponsivetotestrangesafetyrequirementsandofficialrequestsforsafetyanalysisinformation.MethodofCompliance:Systemsafetyprogramsupportforrangesafetyisverifiedbyinspectionofsystemsafetyprocessdocumentation.
STPAcanincluderangesafetyrequirementsasaninputintotheanalysis.STPAwillprovideadditionalconstraintsasnecessarytopreventanaccident.14.1.1.4.5Nuclearsafety.Criterion:Verifythatthesystemsafetyprogramaddressesnuclearsafety.Standard:ThenuclearsafetyprogramadherestothefourkeyDoDNuclearWeaponSystemSafetyDesignStandardsforhardwareandsoftware.MethodofCompliance:Verificationmethodincludesinspectionofdocumentation.Evidencethataprocessisinplacetoincorporatethefourkeynuclearsafetydesignrequirementsintothesafetyanalyses,programfunctionalbaselinesandotherdesignrequirementsisverifiedbyinspectionofprogramsafetydocumentsandfunctionalbaselines.
STPAstartsfromhazardsandsystembehavioralconstraints,whichcanbethefournuclearsafetystandards.TheserequirementsarethenadirectpartoftheSTPAanalysis.14.1.1.4.6Radiation/LASER(lightamplificationbystimulatedemissionofradiation)safety.Criterion:Verifythatthesystemsafetyprogramaddressesradiation/lasersafety.Standard:Keydesignrequirementsforradiation/lasersafetyareestablishedincluding:protectivehousing;safetyinterlocks;remoteinterlockconnector;keycontrol/armingdevice;emissionindicator;beamstop/attenuator;locationofcontrols;viewingoptics;scanningsafeguard;manualreset;labelingrequirements;laserclassification;hazardevaluation;protectiveeyewear;laserareacontrol;andinformationalrequirements.MethodofCompliance:Verificationmethodincludesinspectionofdocumentation.Evidenceofaprocesstoestablishthekeysafetydesignrequirementsforradiation/lasersafetyisverifiedbyinspectionofsafetyanalyses,designspecificationsandprogramfunctionalbaselines.
STPAcanincluderadiationandlaserdesignrequirementsintheanalysis.Theeffectivenessofthedesignrequirementswillalsobeevaluated,andadditionalconstraintsmaybefound.
Page 174
174
14.1.1.4.7Testsafetyandsupport.Criterion:Verifythatthesystemsafetyprogramaddressestestsafetyandsupport.Standard:Systemsafetyorganizationactivelyparticipatesintestplanningandpost-testreviewstoanalyzealltest-relatedhazardsandrecommendedcorrectiveactionstoensurehazardcloseoutormitigation.Appropriatesystemsafetyrequirementscriteriaareincorporatedintothetestprogramforvalidationandverification.MethodofCompliance:Verificationmethodincludesinspectionofdocumentation.Systemsafetysupportofthetestandevaluationprocessandincorporationofsafetyrequirementscriteriaareverifiedbyinspectionofthesystemsafetyprogramplan,test-relatedhazardanalysesandtheTestandEvaluationMasterPlan(TEMP).
TheSTPAresultsdirectlyapplytotestsafetyplanning.Additionally,thedevelopmentaltestprogramwillverifythatthesafetyconstraintsidentifiedaremetbythedesignedsystem.AnysafetyfindingswillbeprovidedtothedesignerstoupdatetheSTPAanalysis.TheAirForceTestCenteriscurrentlyundergoingatrialusingSTPAfortestplanning.UtilizingSTPAinthedesignprocessanddevelopmentaltestwillprovidesynergytotheentireacquisitionsdevelopmentprocess.14.1.1.4.8Softwaresafety.Criterion:Verifythatthesystemsafetyprogramaddressessoftwaresafety.Standard:See14.3(thisdocument)andsubparagraphs.MethodofCompliance:MethodsofComplianceforSoftwareSafetyarecontainedin14.3(thisdocument)andsubparagraphs.
Mostsoftwaresafetyprogramsfocusonassuranceoftheimplementationofthesoftwarerequirements.However,virtuallyallaccidentsinvolvingsoftwarestemfromflawed(unsafe)requirementsandnotfromtheimplementation.STPAidentifiesthesafety-criticalsoftwarerequirementsthatneedtobeimplementedinthesoftware.See14.3below.14.1.1.4.9Materialchanges/deficiencies.Criterion:Verifythatthesystemsafetyprogramaddressesmaterials.Standard:Risksassociatedwithuseofnew/alternate/substituted/hazardousmaterialsormaterialdeficienciesdonotexceedthehazardbaselinesetfortheprogram.MethodofCompliance:Verificationmethodincludesinspectionofdocumentation.Evidenceofamaterialsafetyprocessisverifiedbyinspectionofprogramsafetydocumentationandsafetyanalyses.Cumulativerisksofidentifiedhazardsdonotexceedtheprogram'shazardbaseline.
STPAdoesnotdirectlyaddressmaterials,asexplainedinthediscussionof4.3,buttheanalysiswouldidentifycriticalsafetycomponentsthatrequirespecificattention.14.1.1.4.10FailureModesandEffectsTesting(FMET)andBuilt-In-Test(BIT).Criterion:VerifythatthesystemsafetyprogramaddressesFMETandBIT.Standard:Systemsafetyparticipatesinalltests/testplanningonpartsandassembliesthatestablishfailuremodesandrates,andconductssafetyanalysesonallbuilt-intestequipmenttoassurethatintegrationintoasystemdoesnotinducehazardswhichexceedthehazardbaselinesetfortheprogram.MethodofCompliance:Verificationmethodincludesinspectionofdocumentation.EvidenceofsystemsafetysupportofFMETandBITevaluationsisverifiedbyinspectionofthesystemsafetyprogramdocuments,testdocumentsandthehazardtrackingdatabase.
Complexsystemsoftenhavemorepotentialfailuremodesthancanbetestedinatimelymanner,andnotallfailuremodeswillbeunderstoodduringthedesignphase,meaningtheycannotbetesteduntiltheyarediscovered.Discoverymaynotoccuruntilthesystemisfieldedandhasbeenoperatingforasignificantamountoftime.Theundiscoveredfailuremode(often
Page 175
175
calledan“unknownunknown”)maycauseanaccidentresultinginlossoflifeandproperty.Thelatediscoverymayalsoresultinstandingthesystemdownuntilthefailureisinvestigatedandexpensivemodificationstopreventfuturemishaps.STPAwillprovidesafetyconstraintstodesignthesystemsuchthatifafailureoccursitdoesnotresultintherealizationofahazard.Thesafetyconstraintswillalsomitigatepotentialfailures.STPAessentiallyprovidesawaytodiscover“unknownunknowns”duringthedevelopmentprocess.ThesafetyconstraintsprovidedbySTPAwillalsobeaninputintotheFMETprocedures.Systemfailureswillbetestedandsafetyconstraintsverified.STPAscenarioswillalsoconsiderBITinthesystemdesignandprovidesafetyconstraintstopreventBITfrominducinghazards.14.1.1.4.11Fail-safedesign.Criterion:Verifythatthesystemsafetyprogramaddressesfail-safedesign.Standard:Designensuresthatthesystemremainsinherentlysafe.Asinglefailurecausesthesystemtoreverttoastatewhichwillnotcauseamishap.Flighthazardrisksforthesystemdonotexceedthresholdlimitsthatareestablishedfortheprogram.MethodofCompliance:Verificationmethodincludesinspectionofdocumentation(e.g.,safetyanalyses,technicaldocumentation,testingdocumentation,hazardtrackingdatabase).Designdocumentationverifies:inherentsystemsafety;thatasinglefailurewillnotcausethesystemtoreverttoastatewhichwillresultinunacceptableriskofamishap;andthatflighthazardrisksforthesystemdonotexceedthethresholdlimitsestablishedfortheprogram.
STPAwillprovidesafetyconstraintstoreduceoreliminatesystemstatesthatresultinahazard.TheSTPAdocumentationwillprovidetheairworthinessinspectorwiththeinformationrequiredtoverifycompliance.STPAalsoevaluateshazardsthatoccurwithoutafailure.Manyincidentsoccurwhenthesystemoperatesasdesigned–STPAshouldbeusedduringthedesignprocesstoensurethatitisdesignedtooperatesafely.14.1.1.4.12Safetyassessmentofsupportequipment.Criterion:Verifythatthesystemsafetyprogramaddressessupportequipment.Standard:Designrelatedhazardsandinterfacesofsupportequipmentwithaircraftandcontrolstationsareincludedinsystemsafetyanalyses.Identifiedsafetyhazardsareresolvedorrisksreducedtoanacceptablelevelbeforefirsttestuseorfirstoperationaluseofthesupportequipment.MethodofCompliance:Verificationmethodincludesinspectionofdocumentation.Theincorporationofdesignsafetyrequirementsforsupportequipmentintotechnicaldocumentbaselines/safetydocumentsandtheeliminationorcontroloftheirassociatedsafetyrisksisverifiedbyinspectionoftechnicaldocumentsbaselines,safetyprocessdocumentation,safetyanalysesandtheclosedloophazardtrackingsystem.
ThesupportstructurecanbeanalyzedusingSTPAtoincludesupportequipment,maintenanceandlogisticspractices.Justaswiththeactualsystemunderdesign,testresultsregardingthesupportequipmentmustbefedbacktotheprogramofficetoensurethesupportequipmentissafeandmeetstherequirementsforthesystem.14.2Safetydesignrequirements.14.2.1Hazardidentification/control/resolutionprocess
Page 176
176
Criterion:Verifythatasystematicprocessisemployedthatprovidesforhazardidentification,hazardcontrolrequirementgenerationandimplementation,andresidualriskassessment.Standard:Aprocessisinplacetoidentifyandcharacterizehazards,devisecorrectiveactions,andassessresidualrisks.ASystemSafetyGroupisestablishedtoimplementtheprocessMethodofCompliance:Verificationmethodincludesinspectionofdocumentation.Evidenceofahazardidentification/control/resolutionprocessisverifiedbyinspectionofsafetyprocessdocumentationandreviewofsafetyanalysesandsystemsafetygroupproceedings.
STPAisasystematicprocessthatidentifieshazardsanddevisescorrectiveactions(safetyconstraints).Residualriskisnotcalculated,butifaconstraintisnotimplementedtherewillberiskinherentinthedesign.14.2.2Mitigationofmishaprisks.Criterion:Verifythatthedesignisfreefromunacceptablemishaprisk,includingriskstothirdparties.Standard:UnacceptableriskstopersonnelorequipmentareeliminatedorcontrolledinaccordancewithMIL-STD-882.Mishapriskdetermination,includingrisktothirdparties,reflectsthecurrentconfigurationandmaturityofthesystem.Mishapriskacceptabilityisbasedontheintendedairspaceoperations,includingrulesandrestrictionsforsuchairspaces.MethodofCompliance:Verificationmethodincludesinspectionofdocumentation.Evidenceofaprocesstomitigatehazardswith"unacceptable"mishapriskisverifiedbyinspectionofsystemsafetydocuments,technicaldocuments,testdocuments,programmaticdocuments,safetyhazardtrackingdatabaseandtheresidualriskacceptanceprocess.
STPAwillidentifyrisksbasedonintendedoperationsandsystemdesign.Ratherthanprovideaprobability,STPAgeneratesthecausalscenariosleadingtoamishapsothattheycanbeeliminatedorcontrolledinaccordancewithgoodsafetyengineeringpractices(andMIL-STD-882).Probabilitiesdonotprovidetheinformationneededtoeliminateorcontrolhazards.“Unacceptable”riskismostlikelydeterminedbyprobabilisticriskassessment,whichisnotacomponentofSTPA.However,anyscenariothatisfoundbySTPAmustberesolvedotherwisethereisresidualriskassociatedwiththedesign.TheinspectorwouldusetheSTPAdocumentationtoverifythesafetyofthedesign.Thereisnoway,withanyhazardanalysismethod,toverifythatthesystemiscompletelyfreefrommishaprisk,howeverSTPAwillprovidemorecompletecoverageacrosspotentialmishapriskssuchascomponentfailure,softwarerequirementsandinteractions,humaninteraction,andsupportstructure.14.2.3Singlepointfailureassessment.Criterion:Verifythatnosingle-pointfailureunacceptablyaffectsthesafetyofthesystem.Standard:Therisksofallhazardsassociatedwithsinglepointfailuresdonotexceedthehazardbaselinesetfortheprogram.ResidualriskisacceptedinaccordancewithMIL-STD-882.MethodofCompliance:Verificationmethodincludesinspectionofdocumentation.Evidencethattherisksofallsinglepointfailurehazardsdonotexceedthehazardbaselinesetfortheprogramandthattheresidualriskhasbeenacceptedisverifiedbyinspectionofthesafetyanalysesforsinglepointfailuresandtherelevantdataintheclosedloophazardtrackingsystem.
AnSTPAanalysisincludescomponentfailures,andwouldidentifypotentialscenariosforasinglepointfailuretocauseahazard.Thescenarioswouldthenbeusedtodeterminesafetyconstraintstopreventthehazard.However,STPAhandlesmorethanjustsingle-pointfailures.14.2.4Subsystemprotection.Criterion:Verifythatthedesignadequatelyprotectsthepowersources,controls,andcriticalcomponentsofredundantsubsystems.Standard:Powersources,controls,andcriticalcomponentsofredundantsubsystemsareseparated/shieldedperthegeneralsafetyrequirementsofMIL-STD-882.
Page 177
177
MethodofCompliance:Verificationmethodincludesinspectionofdocumentation.Inspectionofsafetyanalyses/assessmentsandassociateddocumentationverifiesthatpowersources,controls,andcriticalcomponentsofredundantsubsystemsareseparated/shieldedperthegeneralsafetyrequirementsofMIL-STD-882.
STPAexaminescomponentandsubsysteminteractions.Theanalysiswillidentifyanyhazardsassociatedwithpowersources,controls,orredundantsubsystems.Theanalysiswillalsoassistindetermininghowthesubsystemsshouldbedesignedforredundancy,orifothermethodologiestoprotectthesubsystemsareappropriate.14.2.5Humanfactors.Criterion:Verifythatallaspectsofhumanfactorsareaddressedandunacceptablehumanfactorssafetyissues/risksareresolvedinthedesignprocess.Standard:EstablishhumanfactorsdesignrequirementsinterfacewithsystemsafetytominimizetheprobabilityofhumanerrorandsatisfytheintentofMIL-STD-882.MethodofCompliance:Verificationmethodincludesinspectionofdocumentation.Thestandardtoestablishhumanfactorsrequirementsandidentifysafetyissues/risksrelatedtohumanfactorsandreducethemtoanacceptablelevelisverifiedbyinspectionofsafetydocumentation,safetyanalysesandprogramfunctionalbaselines.
STPAprovideshumanfactorssafetyconstraints.Humanoperatorsareincludedintheanalysissothatthesystemisdesignedforthehumanoperatortoprovidesafecommandsandreceiveaccurateandadequatefeedbackinordertodeterminewhatcommandsaresafe.14.2.6Humanerror.Criterion:Verifythatthesystemisproduced/manufacturedensuringriskreductionoffailuresorhazardspotentiallycreatedbyhumanerrorduringtheoperationandsupportofthesystem.Standard:Systemdesignminimizesriskcreatedbyhumanerrorintheoperationandsupportofthesystem.MethodofCompliance:Verificationmethodincludesinspectionofdocumentation.Evidencethataprocessisinplacetoreducethemishaprisksassociatedwithhumanerrortoacceptablelevelsisverifiedbyinspectionofsafetydocumentsandanalysesandreviewoftheclosedloophazardtrackingsystem.
ThehumanfactorssafetyconstraintsprovidedbySTPAwouldreducethepotentialforhumanerrortocauseahazard.14.2.7Environmentalconditions.Criterion:Verifythatthesystemdesigniswithinacceptableriskboundsoverworst-caseenvironmentalconditions.Standard:Safetyrisksduetosystemexposure/operationinrequiredenvironmentalconditionsaredefinedandverifiedtobewithinacceptablelimits.MethodofCompliance:Verificationmethodincludesinspectionofdocumentation.Evidencethatthesafetyriskminimizationprocessaddresseseffectsofworst-caseenvironmentalconditionsonthedesignisverifiedbyreviewofsafetyanalysesandenvironmental/climatictestresults/reports.
STPAconsidersthecontextofthesystem,whichincludeshowthesystemistobeoperatedandtheoperationalenvironment.Theanalysiswillensurethattheenvironmentallimitsareappropriateandifthesystemisexposedtosevereorworstcaseenvironmentalconditions,theresultisnotamishap.Iftheenvironmentofthesystemchanges,forinstanceitdeploystoanareaoftheworldnotinitiallyintended,arevisedanalysisconsideringthenewenvironmentalchangesshouldbeconducted.
Page 178
178
14.2.8Assembly/installationhazards.Criterion:Verifythatpersonnelexposuretohazardsduringtheinstallationprocess,includinghazardsduetolocationsofsystemsintheairvehicle,isatanacceptablerisklevel.Standard:Asafetyprocessisinplacetopreventerrorsinassembly,installation,orconnectionswhichcouldresultinasafetyhazardormishapforthesystem.MethodofCompliance:Verificationmethodincludesinspectionofdocumentation.Designandproceduralsafetyrequirementsacceptabilityisverifiedbyinspectionandapprovalofsystemsafetydocumentationandrequirements.Evidenceofacceptability/approvalisprovidedbyinspectionofequipmentinstallation,operationandmaintenanceprocessdocumentation.
STPAcanbedirectlyappliedtothemanufacturing,operation,andmaintenanceofasystem.Thesystemdesigncanprovideasaferprocessformanufacturing,operationandmaintenance.Additionallyananalysisoftheorganizationalstructuresurroundingthedesign,manufacturing,operation,andmaintenancefunctionswillensurethattheinteractionsbetweenthefunctionsaresafe.14.2.9Safetydesignprocess.Criterion:Verifythatthesystemdesignisolateshazardoussubstances,components,andoperationsfromotheractivities,areas,personnel,andincompatiblematerial.Standard:Asafetydesignprocessisinplacetoisolatehazardoussubstances,components,andoperationsfromotheractivities,areas,personnel,andincompatiblematerials.MethodofCompliance:Verificationmethodincludesinspectionofdocumentation.Thestandardtoassurethathazardoussubstances,componentsandoperationshavebeenidentifiedandcorrectivemeasurestaken(e.g.,separation,shielding,isolation),and/orrisksreducedtoanacceptablelevelfortheprogram,isverifiedbyreviewofsafetyanalysesandprogramtechnicaldocumentation.
STPAanalysiswouldprovidesafetyconstraintstomeetthiscriterion.Exposuretohazardoussubstancesorprocesseswouldbeconsideredahazardintheanalysisandsafetyconstraintsidentifiedtopreventthehazard.14.2.10Analysisofchangesormodifications.Criterion:Verifythatasystemsafetychangeanalysisisaccomplishedonchangedormodifiedequipmentorsoftware.Standard:Allchanges/modificationstoexistingsystemsdonot:a.createnewhazards;b.affectahazardthathadpreviouslybeenresolved;c.increasetheriskofanyexistinghazards;d.adverselyaffectanysafety-criticalcomponent.MethodofCompliance:Verificationmethodincludesinspectionofdocumentation.Inspectionsofsystemsafetychangeanalysesonchangedormodifiedequipmentorsoftware.Verifythatnochanges/modificationstoexistingsystemswillcauseanyofthefollowing:a.createnewhazards;b.affectahazardthathadpreviouslybeenresolved;c.increasetheriskofanyexistinghazards;d.adverselyaffectanysafety-criticalcomponent.
STPAcanbeusedtodesignthemodificationtopreventintroducingnewhazardstothesystem.Ifthemodificationisalreadydesigned(suchasaCOTSproduct),ananalysisofthemodificationwilldetermineifitintroducessafetyhazardsandprovideinterfaceorsystemredesignrecommendationstomitigatethehazard.ThetraceabilityinherentintheSTPAresultswillminimizetheamountofefforttoanalyzechangesandmodifications.14.2.11Assesssafetyofoperationalcontingencies.Criterion:Verifythatthesystemprovidesandimplementsoperationalcontingenciesintheeventofcatastrophic,criticalandmarginalfailuresoremergenciesinvolvingthesystem.Standard:Intheeventofcatastrophic,criticalandmarginalfailuresoremergenciesthesystemprovidesandimplementsoperationalcontingenciesbytransitioningtoapre-determinedandexpectedstateandmode.
Page 179
179
MethodofCompliance:Verificationmethodincludesinspectionofdocumentation.Inspectionsofsafetyanalysesverifywhichcatastrophic,critical,marginalfailures,andothersystememergenciesrequireoperationalcontingencies.Inspectionsofdesigndocumentationverifythat,intheeventoftheidentifiedfailuresoremergencies,thesystemprovidesandimplementsoperationalcontingenciesbytransitioningtoapre-determinedandexpectedstateandmode.Inspectionofsystemsafetydocumentationverifiesthatoperationalcontingencieshavebeenapproved.
AnSTPAanalysisofthetransitiontobackupmodesduringsystememergenciescanensuresafecontinuedoperationofthesystemduringcontingencies.Itwillincludemorethanjustfailures,i.e.,italsoconsidersdesignerrors.Implementingsafetyconstraintsduringthesystemdesignwillthereforeminimizetheoccurrenceofsystememergencies.14.2.12Safetyassuranceforspecialmilitarymodesofoperation.Criterion:VerifythatspecialmilitarymodesofoperationwheninactivedonotreducetheUASbelowthresholdsafetylevels.Standard:SpecialmilitarymodesofoperationofUAS(e.g.,weaponsorstoresarmingandreleaseoroperationofelectromagneticspectrumemitters)wheninactive(e.g.,ajammerinstandbymode)meetprobabilityoffailureanddesignanddevelopmentassurancerequirementsthroughphysical/functionalsegregationanddesign.MethodofCompliance:Verificationmethodincludesinspectionofdocumentation.Inspectionsofprogrammatic,systemsafetyandsoftwaresafetydocuments.Criterion:VerifythatspecialmilitarymodesofoperationofUAS(e.g.,weaponsorstoresarmingandreleaseoroperationofelectromagneticspectrumemitters)wheninactive(e.g.,ajammerinstandbymode)meetprobabilityoffailureanddesignanddevelopmentassurancerequirementsthroughphysical/functionalsegregationanddesign.
STPAwillidentifysafetyhazardsassociatedwithmilitarymodesonUASandprovidesafetydesignconstraintstomitigatethehazards.14.3.1Comprehensiveapproachtosoftwaresafety.Criterion:Verifythatacomprehensivesoftwaresafetyprogramisintegratedintotheoverallsystemsafetyprogram.Standard:Acomprehensivesoftwaresafetyprogramisintegratedintothesystemsafetyprogrambyensuringthefollowing:a.Adequateplanningforsoftwaresafetytasks;b.Adequateplanningforanalysis,traceabilityandtestingisdocumentedinsafetymanagementplansandtestplans;c.Activeparticipationofsoftwaresafetyinengineeringprocesses/events(i.e.,peerreview,changeboards,deviationprocessingetc.);d.Inclusionofsoftwaresafetyinthesoftwaredevelopmentprocessandproducts;e.Systemsafetyallocatessafetyrequirementstosoftwaresafetyinatimelymanner;f.System/softwarehazardanalysessubstantiatethatnosinglepointfailurecausedbysoftwareresultsinlossofaircraftorsystem;g.Softwarecausesofandmitigationsforthesystemhazardsareidentifiedandintegratedintothesystemsafetyprocess(i.e.,hazardreports,hazardtrackingsystemetc.);h.Softwaresafetyrecommendssystemsafetyrequirementstosystemsafetyinatimelymanner;i.Systemsengineeringreceivesthefinalsoftwaresafetyinputfromsystemsafetyinatimelymanner;j.Softwareintegritylevelsareestablishedandenforcedfortheprograminaccordancewithprescribedindustrystandards;k.Safetydesignatedfunctionsandtheirassociatedsafetydesignatedsoftwareareidentifiedandanalyzed;l.Testplansandproceduresincludetestingofsoftwaresafetyfunctionalrequirementsanddesignrequirements.NOTE:Theprecedingshouldnotbeconsideredtobeanall-encompassingexclusivelist,andmaybeexpandeddependingonprogramscopeandcomplexity.MethodofCompliance:Verificationmethodincludesinspectionofdocumentation.Verifybyinspectionofprogramsafety,softwaresafety,andsoftwaredocumentationthatthecomprehensivesoftwaresafetyprogramhasbeenintegratedintothesystemsafetyprograminamannerwhichmeetsthestandard.
STPAprovidessoftwaresafetyrequirements.TheserequirementsaretraceableandtheSTPAartifactsserveasdocumentationoftheanalysis.Thedatafromtheanalysisshouldfeedintotestplans.TheSTPAsoftwaresafetyrequirementswillbedeterminedduringtheanalysisalongwithallothersafetyrequirementsandmeetcriteriasuchasreducingsinglepointfailures,andtrackingsoftwarehazardsrecommendingsafetyrequirements.
Page 180
180
STPAdoesnotdifferentiatebetweenhardwareandsoftwarehazards,andinfacttheyarerelatedasthesoftwareoftencontrolshardware.Treatinghardwarehazardsandsoftwarehazardsastwodifferentproblemstosolvereducesthelikelihoodofsolvingsoftware/hardwareinteractionhazards.14.3.2Planning/accomplishingsoftwaresafetyanalysesandassessments.Criterion:Verifythatthesoftwaresafetyprogramrequiresthatappropriatesoftwaresafety-designatedanalysesbeperformedaspartofthesoftwaredevelopmentprocessandverifyaccomplishmentofrelatedassessmenttasks.Standard:Atailoredsetofanalysesandassessments(orequivalent)requiredbythereferencesof14.3(thisdocument)isplannedforandaccomplished.MethodofCompliance:Verificationmethodincludesinspectionofdocumentation.Verifybyinspectionofsystemsafety,softwaresafety,andsoftwaredocumentationthatthetailoredsetofanalysesandassessments(orequivalent)requiredbythereferencesof14.3(thisdocument)areplannedforandaccomplished.
TheSTPAartifactswillprovidedocumentationthatasoftwaresafetyanalysisisaccomplished.14.3.2.1Performanceofsoftwaresafetyanalyses.Criterion:Verifythattherequiredsoftwaresafetyanalysespreparationisaccomplished.Standard:Thetypesandquantitiesofrequiredsoftwaresafetyanalysesarepreparedandprovidedinaccordancewithplanningforsoftwaresafety.Softwaresafetyanalysesandassessmentsincludethetailoreddocumentationrequiredbythereferencesof14.3(thisdocument).MethodofCompliance:Verificationmethodincludesinspectionofdocumentation.Criterion:Verifybyinspectionthatthedeliveredsoftwaresafetyanalysesfortheprogramhaveacompletesystemsview,includingidentificationofsoftwarehazards,andassociatedsoftwarerisks.
AnanalysisusingSTPAwillbeincompliancewiththiscriterion.Additionally,STPAartifactswillprovidedocumentationfortheairworthinesscertificationinspectortoverifythattheprogramisincompliance.14.3.2.2Performanceofsoftwaresafetytraceabilityanalyses.Criterion:Verifythattherequiredsoftwaresafetytraceabilityanalysesareaccomplished.Standard:Systemsafetyrequirementsallocatedtosoftwarearerefinedusingappropriateanalysestoallocatethesystemsafetyrequirementstothesoftwarerequirements,andbi-directionaltraceabilitytotheidentifiedhazard(s)isaccomplished.Appropriateanalysesincludethetailoreddocumentationrequiredbythereferencesof14.3(thisdocument).MethodofCompliance:Verificationmethodincludesinspectionofdocumentation.Verifybyinspectionofsystemsafety,softwaresafetyandprogramdocumentationthatthebi-directionalsoftwaresafetytraceabilityanalysesamongstrequirements,design,implementation,verification,andhazardhavebeenaccomplished.
AkeycomponentofSTPAistraceability.Eachsafetyconstraintisdirectlytiedtoahazardandisdocumentedintheanalysis.TraceabilityinSTPAgoesfromthesystem-levelhazardsdowntothespecificdesigntechniquesusedtomitigatethosehazards.14.3.3Evaluationofsoftwareforeliminationofhazardousevents.Criterion:Verifythatthedesign/modificationsoftwareisevaluatedtoensurecontrolledormonitoredfunctionsdonotinitiatehazardouseventsormishapsineithertheonoroff(powered)state.Standard:Thesoftwareasdesignedorasmodifieddoesnotinitiatehazardouseventsineithertheonoroff(powered)state.MethodofCompliance:Verificationmethodsincludeanalysis,test,andinspectionofdocumentation.Verifythatasystemsafetyassessmentisaccomplishedwhichincludesevaluationofsoftwareandidentificationofanomaloussoftwarecontrol/monitoringbehaviortoassurethesoftwareasdesignedorasmodifieddoesnotinitiaterelevanthazardousevents.
ThiscriteriondescribeswhatSTPAisdesignedtodo:identifyhazardsandcontrolthefunctionofthesystemtoavoidthosehazards.
Page 181
181
14.3.4Commercialoff-the-shelfsoftwareintegritylevelconfirmation.Criterion:VerifythatCommercialOff-the-Shelf(COTS)andreusesoftware(whichincludesapplicationsoftwareandoperatingsystems)aredevelopedtothenecessarysoftwareintegritylevel.Standard:ThesoftwarecriticalitylevelforCOTSandreusesoftwarefunctionshasbeendeterminedandtheirdevelopmenthasbeenconfirmedtobeattherequiredsoftwareintegritylevelasdefinedbysoftwareand/orsafetyplanning.MethodofCompliance:Verificationmethodsincludeinspectionofdocumentation.Verifybyinspectionofprogram,systemsafety,softwaresafetyandsoftwareengineeringdocumentationthatthesoftwarecriticalitylevelforCOTSandreusesoftwarebyfunctionisdetermined.Verifythatthesoftwareisdevelopedtotherequiredsoftwareintegritylevelasdefinedbysoftwareand/orsafetyplanning.
STPAdoesnotsupportconfirmationofCOTSsoftwareintegritylevel.Infact,softwarecomponentsarenotsafeorunsafe;theycanbeeitherdependingonthesystemdesigninwhichtheyareused.Therefore,softwareintegritylevelhasnorelationtosafety.14.3.5Identificationofsafetydesignated/significantsoftware.Criterion:Verifythatsoftwareelementswhichperformfunctionsrelatedtosystemhazardshavebeenidentifiedandhandledassafetydesignated/significantsoftware.Standard:Safetyfunctionsidentifiedassystemhazardsareallocatedtosoftwarefunctions.Softwareelements(e.g.,CSCI,CSC,CSU,data,interfaces)relatedtoeachofthosesoftwarefunctionsareidentifiedandassignedanappropriatesafetycriticalityasdefinedbythesystemsafetyplanningdocumentation.Thesoftwareelementsarehandled(labeled,tracked,implemented,tested,etc.)asdefinedbythesystemsafetyplanningdocumentation.MethodofCompliance:Verificationmethodincludesinspectionofdocumentation.Verifybyinspectionofsystemsafetyandsoftwaresafetydocumentationthatsafetyrelatedsoftwarefunctionshavebeenidentified.Verifybyinspectionofprogram,systemsafetyandsoftwaresafetydocumentationthattheidentifiedsafetyrelatedsoftwareelementsarehandled(labeled,tracked,implemented,tested,etc.)asrequiredbysoftware/safetyplanningbasedontheirsafetycriticalitylevels.
ThroughthescenariosgeneratedbySTPA,safetycriticalsystemsandsoftwarewillbeidentified.14.3.5.1Assignmentofcriticalitylevels.Criterion:Verifythateachsafetydesignatedsoftwarefunctionisassignedanappropriatecriticalitylevel.Standard:Foreachofthesoftwareelements(e.g.,CSCI,CSC,CSU,data,interfaces),thesoftwarefunctionsimplementingthoseelementsareassignedanappropriatecriticalitylevel.Ifasoftwarefunctioncontainsmultiplesoftwareelements,thefunctionisassignedacriticalitylevelequaltothecriticalitylevelofthehighestelement.MethodofCompliance:Verificationmethodincludesanalysisandinspectionofdocumentation.Verifythattheappropriatelevelofcriticalityisassignedtoeachsoftwarefunction.
STPAwillnotdirectlyassigncriticalitylevels,howeverbyidentifyingsafetycriticalsystemstheanalysismayhelpdeterminetheselevels.14.3.5.2Testingtocriticalitylevels.Criterion:Verifythateachsafetydesignatedsoftwarefunctionistestedcommensuratewithitsassignedcriticalitylevel.Standard:Eachsafetydesignatedsoftwarefunctionistestedtothelevelrequiredbyitsassignedcriticalitylevel.Thetestingrequirementsforthesoftwarecriticalitylevelsaredocumentedinthesystemsafetyplanningdocuments.MethodofCompliance:Verificationmethodincludesinspectionofdocumentation.Verifythattheappropriateleveloftestingfordesignatedsafetysoftwarehasbeenperformedandrequiredresultswereachieved.
STPAwillprovidesafetyconstraintswhichcanbeusedasaninputtotesting.HazardscanbeprioritizedinSTPA,howeverSTPAtreatsallhazardsandassociatedsafetyconstraintsthesame.14.3.6Softwaresafetytestanalyses.Criterion:Verifythattheappropriatesoftwaresafetytestanalyseshavebeenplannedandperformed.
Page 182
182
Standard:Softwaresafetytestanalyses(e.g.,nominalandfunctionalrequirementsbasetesting/analysis,structuralcoverageanalysis,hazardmitigationtestinganalysis,failuremodesandeffectstestinganalysis)planningandotherdocumentationareformallydocumentedandarekeptunderconfigurationmanagementcontrol.Softwaresafetytestanalysesactivitiesarealsoexecuted;resultsarerecordedusingformalproceduresandarekeptunderconfigurationcontrol.MethodofCompliance:Verificationmethodincludesinspectionofdocumentation.Verifybyinspectionofthesafetyplansthatsoftwaresafetytestingandtestanalyseshavebeenadequatelydocumentedandplanned.Verifybyanalysisofthedocumentedhazardsthatthehazardsassociatedwithsoftwareandcomputercomponentshavebeeneliminatedorcontrolledtotheacceptablelevelofriskasrequiredbythesystem/softwaresafetyplan.Verifybyinspectionofthetestreportsthatthesoftwaresafetytestresultshavebeenanalyzedandapproved/accepted.
STPAprovidessafetyconstraintsthatshouldbeusedasaninputintothetestplan,justastechnicalrequirementsareevaluatedduringdevelopmentaltest.14.3.7Structuralcoverageanalysis.Criterion:Verifythatsoftwaresafetyplanningadequatelyplansforstructuralcoverageanalysisandthattheplannedanalysisisaccomplished.Standard:Adequatestructuralcoverageanalysisforthesoftwarecriticalitylevelisaccomplished;resultsarerecordedusingformalproceduresandarekeptunderconfigurationmanagement.MethodofCompliance:Verificationmethodincludesinspectionofdocumentation.Verifybyinspectionofthetestplansthatadequatestructuralcoverageanalysisisplannedforanddocumented.Verifybyinspectionofstructuralcoverageanalysisresultsthatadequatestructuralcoveragetestingandanalysiswereachieved.
IfthesafetyconstraintsdeterminedbySTPAareverified,thetestingshouldbecompletefromasafetyperspective.
Page 183
183
Bibliography1.AirForceSafetyCenter.AviationStatistics.AirForceSafetyCenter.[Online]2017.[Cited:1127,2017.]http://www.safety.af.mil/Portals/71/documents/Aviation/End%20of%20Year%20statistics/FY17.pdf.2.FaultTreeAnalysis.Ericson,Clifton.Orlando:SystemSafetyConference,1999.3.ReliabilityAnalysisforPowertoFirePumpUsingFaultTreeandRBD.Anthony,Michael,etal.2,s.l.:IEEE,March/April2013,IEEETransactionsonIndustryApplications,Vol.49.4.FailureModeandEffectAnalysis:APowerfulEngineeringTookforComponentandSystemOptimization.Arnzen,Harry.ForestPark:SymposiumonDeepSubmergencePropulsionandMarineSystems.5.Crawley,FrankandTyler,Brian.HAZOP:GuidetoBestPractice.3rd.s.l.:Elsevier,2015.6.Institution,BritishStandards.BSIEC61882:2001HazardandOperabilityStudies(HAZOPStudies)-ApplicationGuide.2001.7.Tolker-Nielsen,Toni.EXOMARS2016-SchiaparelliAnomalyInquiry.s.l.:EuropeanSpaceAgency,2017.8.Leveson,Nancy.EngineeringaSaferWorld:SystemsThinkingAppliedtoSafety.Cambridge:TheMITPress,2011.9.Thomas,John.ExtendingandAutomatingaSystems-TheroeticHazardHanalysisforRequirementsGenerationandAnalysis.2013.10.AcquisitionsProcess.AcqNotes.[Online]85,2017.[Cited:1113,2017.]http://acqnotes.com/acqnote/acquisitions/acquisition-process-overview.11.DepartmentofDefense.DefenseAcquisitionGuide.2017.12.DefenseAcquisitionGlossary.TechnologyMaturationandRiskReduction(PhaseoftheDefenseAcquisitionSystem).[Online][Cited:1114,2017.]https://www.dau.mil/glossary/pages/3193.aspx.13.AFI62-601.USAFAirworthiness.11June2010.14.AFI91-202.TheUSAirForceMishapPreventionProgram.24June2015.15.MIL-STD-882ESystemSafety.s.l.:DepartmentofDefense,2012.16.Leveson,Nancy.STPACompliancewithArmySafetyStandardsandComparisonwithSAEARP4761.2017.17.Losey,Stephen.AirForcereportfindsfaultyengineassemblycausedF-16crashinApril.AirForceTimes.[Online]October26,2017.[Cited:November2,2017.]https://www.airforcetimes.com/news/your-air-force/2017/10/26/air-force-report-finds-faulty-engine-assembly-caused-f-16-crash-in-april/.18.AFPD62-6.USAFAirworthiness.11June2010.19.USAFAirworthinessOffice.USAFAirworthinessBulletin(AWB)-150.Memorandum.Wright-PattersonAFB,OH:s.n.,2017.20.ALargeScaleExperimentinN-VerionProgramming.Knight,J.andLeveson,N.AnnArbor,MI:s.n.,1985.FifteenthInternationalSymposiumonFault-TolerantComputing.21.Annex3-0OperationsandPlanningTheEffects-BasedApproachtoOperations.CurtisE.LemayCenterforDoctrineDevelopmentandEducation.MaxwellAFB:UnitedStatesAirForce,2016.
Page 184
184
22.Leveson,Nancy.Rasmussen'sLegacy:AParadigmChangeinEngineeringforSafety.23.AirCombatCommand.E-8CJointStarsFactSheet.[Online]923,2015.[Cited:1118,2017.]http://www.af.mil/About-Us/Fact-Sheets/Display/Article/104507/e-8c-joint-stars/.24.NorthropGrumman.JointStars.NorthrupGrumman.[Online]2012.[Cited:1118,2017.]http://www.northropgrumman.com/Capabilities/JointSTARSReCap/Documents/MissionDocs/A_GlimpseJSTARS.pdf.25.GeneralServicesAdministration.FederalBusinessOpportunities.JSTARSRecapitalization-EMD.[Online]113,2017.[Cited:1118,2017.]https://www.fbo.gov/index?s=opportunity&mode=form&id=fe71ff06a1af42be5ee7e63cef761151&tab=core&_cview=1.26.Insinna,Valerie.FutureofJSTARSrecapprograminquestionasAirForceexplorsotheroptions.DefenseNews.[Online]September12,2017.[Cited:November18,2017.]https://www.defensenews.com/air/2017/09/12/future-of-jstars-recap-program-in-question-as-air-force-explores-other-options/.27.AProcessforSTPA.Thomas,John.2017.28.Tillery,Jackie.Accountability:Inconsistent,SituationDependentandSubjective.MaxwellAFB:AirWarCollege,1997.
![Speaker Diarization Features: The UPM Contribution to the ...oa.upm.es/11896/2/INVE_MEM_2011_107717.pdfinformation theoretic approach [3]. Speaker diarization was first applied to](https://static.documents.pub/doc/80x56/6108d4707ed87922b15b2c82/speaker-diarization-features-the-upm-contribution-to-the-oaupmes118962invemem2011.jpg)