Safety Supervisory Control, Model-Based Hazard Monitoring, and Temporal Logic: Dynamic Risk-Informed Safety Interventions and Accident Prevention
Favaro, Francesca Margherita M
MetadataShow full item record
Accident prevention and system safety are important considerations for many industries, especially large-scale hazardous ones such as the nuclear, the chemical, and the aerospace industries. Limitations in the current tools and approaches to risk assessment and accident prevention are broadly recognized in the risk research community. Furthermore, as new technologies and systems are developed, new failure modes can emerge and new patterns by which accidents unfold. A safety gap is growing between the software-intensive technological capabilities of present systems and the still “too much hardware oriented” current approaches for handling risk assessment and safety issues. To overcome these limitations, a novel framework and analytical tools for model-based system safety, or safety supervisory control, is developed to guide safety interventions and support a dynamic approach to risk assessment and accident prevention. This integrated approach rests on two basic pillars: (i) the use of state-space models and state variables (from Control Theory) to capture the dynamics of hazard escalation, and to both model and monitor “danger indices” in a system; and (ii) the adoption of Temporal Logic (TL, from Software Engineering) to model and verify system safety properties (or their violations, hence identify vulnerabilities in a system). The verification of whether the system satisfies or violates the TL safety properties along with the monitoring of emerging hazards provide important feedback for designers and operators to recognize the need for, rank, and trigger safety interventions. In so doing, the proposed approach augments the current perspective of traditional risk assessment with its reliance on probabilities as the basic modeling ingredient with the notion of temporal contingency, a novel dimension here proposed by which hazards are dynamically prioritized and ranked based on the temporal vicinity of their associated accident(s) to being released. Additionally, the online application of the proposed tools and the ensuing insights can support situational awareness and help inform decision-making during emerging hazardous situations. The integrated framework is implemented in Simulink and is capable of combining hardware, software, and operators’ control actions and responses within a single analysis tool, as examined through its detailed application to runway overrun scenarios during rejected takeoffs (RTO). New insights are enabled by the use of temporal logic in conjunction with model-based system safety. For example, new metrics and diagnostic tools to support pilots’ go/no-go decisions and to inform safety guidelines are derived. Limitations exists in the current recommended practice that advises pilots to initiate RTOs only before the decision speed V1 is reached, as suggested by current statistics regarding RTOs accidents and as recognized by aircraft manufacturers. The new proposed metrics are capable of accounting for both situations in which RTOs are initiated below the traditional decision speed V1 and still result in an accident, and situations for which RTOs are initiated above V1 that do not. Moreover, within the context of a detailed case study, a new TL safety constraint is proposed to overcome an identified latent error in the logic of the Full Authority Digital Engine Control (FADEC) at takeoff, which in this case escalated a hazardous condition into a fatal crash. In short, by leveraging tools that are not traditionally employed in risk assessment, the framework and tools proposed offers novel capabilities, complementary to the traditional approaches to risk assessment, and rich possibilities for informing safety interventions (by design and in real-time during operations) and towards improved accident prevention.