Comparison of model checking and simulation to examine aircraft system behavior
Gelman, Gabriel E.
MetadataShow full item record
Automation surprises are examples of poor Human-Machine Interaction (HMI) where pilots were surprised by actions of the automation, which lead to dangerous situations during which pilots had to counteract the autopilot. To be able to identify problems that may arise between pilots and automation before implementation, methods are needed that can uncover potentially dangerous HMI early in the design process. In this work, two such methods, simulation and model checking, have been combined and compared to leverage the benefits of both. In the past, model checking has been successful at uncovering known automation surprises. Simulation, on the other hand, has been successful in the aviation domain and human factor issues. To be able to compare these two approaches, this work focused on a common case study involving a known automation surprise. The automation surprise that was examined, is linked to the former Airbus speed protection logic that caused aircraft on approach to change the flight mode, resulting in a sudden climb. The results provided by the model checking with SAL (Symbolic Analysis Laboratory) in a previous work, have been used to provide input for simulation. In this work, this automation surprise was simulated with the simulation platform WMC (Work Models that Compute) and compared to the corresponding results from SAL. By using the case study, this work provides a method to examine system behavior, such as automation surprises, using model checking and simulation in conjunction to leverage the benefits of both.