Post on 15-Oct-2020
Systems Theoretic Process Analysis Applied to Air Force Acquisition Technical Requirements Development
by
Sarah E. Summers Major, United States Air Force
B.S. Aerospace Engineering, Oklahoma State University, 2005
B.S. Mechanical Engineering, Oklahoma State University, 2005 M.S. Aeronautical Engineering, Air Force Institute of Technology, 2011
M.S. Flight Test Engineering, Air Force Test Pilot School, 2014
Submitted to the System Design and Management Program in Partial Fulfillment of the Requirements for the Degree of
Master of Science in Engineering and Management
at the
Massachusetts Institute of Technology
February 2018
ã 2018 Sarah E. Summers All rights reserved
The author hereby grants to MIT permission to reproduce and to distribute publicly paper and electronic copies of this thesis document in whole or in part
in any medium now known or hereafter created.
Signature of Author_____________________________________________________________
Sarah E. Summers System Design and Management Program
December 1, 2017 Certified by____________________________________________________________________
Nancy G. Leveson, Ph.D., Professor Department of Aeronautics and Astronautics
Thesis Supervisor
Accepted by___________________________________________________________________ Joan Rubin
Executive Director, System Design and Management Program
2
This Page Intentionally Left Blank
3
Disclaimer The views expressed in this document are those of the author and do not reflect the official
position or policies of the United States Air Force, Department of Defense, or Government.
4
This Page Intentionally Left Blank
5
In memory of all of those who have given their life for our country, in particular:
Jolly 38:
Captain Gregg Lewis Captain Philip Miller
Master Sergeant Matthew Sturtevant Staff Sergeant Keven Brunelle Staff Sergeant Kenneth Eaglin Senior Airman Jesse Stewart
Jolly 39:
Lieutenant Colonel William Milton Captain Carl Youngblood
Second Lieutenant Michael Harwell Technical Sergeant Jeffrey Armour
Senior Airman Adam Stewart Senior Airman Justin Wotasik
and
Captain Michael Geragosian
“These things we do that others may live”
Also in memory of Major Lee Berra.
6
This Page Intentionally Left Blank
7
SystemsTheoreticProcessAnalysisAppliedtoAirForceAcquisitionTechnicalRequirementsDevelopment
By
SarahE.SummersMajor,UnitedStatesAirForce
SubmittedtotheSystemDesignandManagementProgramon1December2017inpartialfulfillmentoftherequirementsforthedegreeofMasterofScienceinEngineeringand
Management
AbstractTheAirForceexperienced12ClassAaviationmishapsin2016,whichresultedin16fatalitiesand9destroyedaircraft.Sofarin2017,TheAirForcehasagainexperienced12ClassAmishapswith5fatalitiesand7destroyedaircraft.(1)Inadditiontothesemishaps,developmentofnewaircraftormodificationstoaircraftoftentakewellovertheplannedduration.Developmentaltestidentifiesdesigndeficienciesthatmustbeaddressedbeforetheaircraftisfielded,whichrequiresexpensiveandlengthyredesigncycles.Asystemsapproachtodesignwithhumansincludedaspartofthesystemcanimproveboththedevelopmentprocessandaviationsafety.SuchanapproachwascreatedbyProfessorNancyLevesonatMITandiscalledSystemsTheoreticProcessAnalysis(STPA).STPAisshowntobeapplicabletotheAirForceacquisitionsprocessthroughouttheproductlifecycle.STPAisalsocompliantwiththeairworthinesshandbook,MIL-HDBK-516C,andSTPAdocumentationisbeneficialtotheairworthinesscertificationinspectors.STPAisappliedtotwousecases.OneisaconceptualJSTARSaircraft,andtheotherisanunmannedaerialvehicle(UAV)thatwasmodifiedfromageneralaviationaircraft.TheAirForceiscurrentlyinsourceselectionforareplacementtotheJSTARSaircraft.Thehigh-levelSTPAanalysisisforafunctionalreplacementtotheJSTARSaircraft,aswouldbeneededearlyintheacquisitionsprocess.Additionally,accidents,hazards,andasafetycontrolstructurearedevelopedfortheJSTARSsupportsystem.TheUAVanalysisismoredetailed,andprovidesinformationthatisnecessaryduringtheTechnologyMaturation&RiskReductionphaseofanacquisitionprocess.ThesisSupervisor:NancyG.LevesonTitle:ProfessofAeronauticsandAstronauticsandEngineeringSystems
8
This Page Intentionally Left Blank
9
AcknowledgementsIwouldliketoacknowledgeProfessorNancyLevesonfortakingmeonasathesisadvisee.Ihavelearnedanincredibleamountinthelast18months,andIamappreciativeofyourtimeandsupport.IwouldalsoliketothankDr.JohnThomasandtherestoftheSystemEngineeringResearchLab.Yourhelpandinsightsduringthisjourneyhasbeenincredible.ThankyoutotheSDMfacultyandstaffforthisamazingopportunitytocometoMITandlearnwhatitmeanstobeasystemsthinker.Thisprogramhasopenedmyeyestoabiggerpictureandgivenmethetoolstounderstanditandmakeadifference.TheSDM2016CohorthastaughtmejustasmuchastheMITfaculty.ThankyoutoallthosethathavesharedtheirknowledgeandmadethisexperienceatMITevenbetter.Thankyoutoallthosewhoarecurrentlyservinginharm’sway.Theselflessnessandprofessionalismofmyfellowservicemembersinspiremetodomybesteveryday.Thankyoutomyfamilyandfriendswhohavesupportedmethroughoutmylife.You’vecheeredmeonduringlife’sgoodtimesandgivenmeashoulderduringthehardtimes.Youstimulatemycreativityandencouragemetocontinuetoquestionandlearn.Mostofall,thankyoutomywonderfulwife.ThankyouforstickingbymysidewhileIdragyoufromcoasttocoast(tocoast).Yourendlesssupporthasenabledmetosucceedinthisendeavor.EverydayIstrivetobethepersonyoudeserve,andIamabetterpersonforit.IlookforwardtomanymoreadventureswithyouwherevertheAirForcesendsus.
10
This Page Intentionally Left Blank
11
ContentsAbstract.................................................................................................................................7
Acknowledgements................................................................................................................9
TableofFigures.....................................................................................................................13
TableofTables......................................................................................................................13
Introduction..........................................................................................................................14Motivation.....................................................................................................................................14Objectives......................................................................................................................................14ThesisStructure.............................................................................................................................14
HazardAnalysisMethods......................................................................................................15FaultTreeAnalysis.............................................................................................................................15FailureModesandEffectAnalysis(FMEA)........................................................................................16HAZOP................................................................................................................................................18DrawbacksofTraditionalHazardAnalyses........................................................................................20STAMP...............................................................................................................................................22
AirForceAcquisitionsandSystemsSafety.............................................................................30AirForceAcquisitionsProcess........................................................................................................30STPAImplementationwithintheAirForceAcquisitionProcess......................................................34
STPAintheAcquisitionsProcess.......................................................................................................34STPAStudyExecutionandPersonnelComposition...........................................................................35
SystemSafetyProcess....................................................................................................................37AirForceAirworthinessProcess.....................................................................................................39STPAandAirworthiness.................................................................................................................40ReliabilityandRedundancy............................................................................................................42Riskmatrices..................................................................................................................................43SystemsThinkingintheAF:Effects-BasedApproachtoOperations...............................................43
JSTARSAnalysis.....................................................................................................................46JSTARSSystemDefinition...............................................................................................................46JSTARSSystemMishaps,Hazards,andHigh-LevelSafetyConstraints.............................................46JSTARSSafetyControlStructure.....................................................................................................47JSTARSStep1:UCAGeneration......................................................................................................47JSTARSStep2:ScenarioGeneration...............................................................................................51JSTARSSTPASummary...................................................................................................................51JSTARSSupportSTAMPAnalysis.....................................................................................................52
JSTARSSupportMishaps...................................................................................................................52JSTARSSupportHazards....................................................................................................................52JSTARSSupportSafetyControlStructure..........................................................................................52
UAVSTPAAnalysis................................................................................................................54UAVSystemDefinition...................................................................................................................54UAVAccidents,Hazards,andHigh-LevelSafetyConstraints............................................................54UAVSafetyControlStructure.........................................................................................................55
12
STPAStep1:UCAGeneration.........................................................................................................57STPAStep2:ScenarioGeneration.................................................................................................61UAVSTPASummary.......................................................................................................................64
Conclusions...........................................................................................................................69
AcronymListing.....................................................................................................................70
Appendix1:JSTARSSTPAAnalysis.........................................................................................72
Appendix2:UAVSTPAAnalysis............................................................................................85
Appendix3:STPACompliancewithMIL-HDBK-516C...........................................................163
Bibliography........................................................................................................................183
13
TableofFiguresFigure1FaultTreeforPowertotheFirePump(2)......................................................................16Figure2FMEAExampleConceptualDesignReviewforFlightControlSystem(3)......................17Figure3FMEAExamplePreliminaryDesignReviewforFlightControlSystem(3)......................18Figure4TheHAZOPStudyProcedure(5).....................................................................................20Figure5HazardAnalysisTimeline................................................................................................21Figure6ExampleofaHierarchicalSafetyControlStructure(7)..................................................23Figure7SimpleControlStructure(7)...........................................................................................24Figure8ControlFlawsLeadingtoHazards(7).............................................................................25Figure9AnExampleofSTPAStep2:ScenarioGeneration(7)....................................................28Figure10STPATopDownAnalysis..............................................................................................29Figure11AcquisitionsProcess(9)................................................................................................30Figure12SEActivitiesinMaterielSolutionAnalysisPhase(10)..................................................31Figure13SEActivitiesinTechnologyMaturationandRiskReductionPhase(10).......................32Figure14SEActivitiesinEngineeringandManufacturingDevelopmentPhase(10)..................32Figure15SEActivitiesinProductionandDeploymentPhase(10)..............................................33Figure16AcquisitionsProcesswithSTPA....................................................................................34Figure17RiskAssessmentMatrix(14).........................................................................................38Figure18UpdatedRiskMatrix(18)..............................................................................................40Figure19JSTARSSafetyControlStructure...................................................................................47Figure20SimpleJSTARSSupportSafetyControlStructure.........................................................53Figure21UAVSafetyControlStructure.......................................................................................56Figure22ScenarioTypesonControlStructure............................................................................62Figure23Safety-guideddesign(7)...............................................................................................68
TableofTablesTable1BasicGuidewords(5).......................................................................................................19Table2ExampleUCATable(8)....................................................................................................27Table3JSTARSUCAs....................................................................................................................48Table4JSTARSUCAsandSafetyConstraints...............................................................................49Table5UAVOperatorUCAs.........................................................................................................57Table6UAVVMSUCAs................................................................................................................60Table7ExampleofSafetyConstraintsDerivedfromUCAs.........................................................60Table8JSTARSScenarios.............................................................................................................72Table9UAVOperatorSafetyConstraints....................................................................................85Table10UAVVMSSafetyConstraints.........................................................................................90Table11UAVOperatorScenarios................................................................................................93Table12UAVVMSScenarios.....................................................................................................144
14
IntroductionMotivationOn2September,1998,twelvemembersofthe66thRescueSquadron,flyingwiththecallsignsJolly38andJolly39,werekilledinamidaircollisionatNellisAirForceBase.Myfatherwastheirsquadroncommander.Onthatday,aweekaftermy16thbirthday,IdecidedtojointheAirForcewhenIturned18.TheAirForcerescuemottois“Thesethingswedothatothersmaylive”.WhileIamnotamemberoftherescuecommunity,Iservewiththatmottoandthosethathavediedlivingthatmottoinmyheart.Thesafetyofourmenandwomenthatserveincombatisthemotivationbehindmyserviceandthisthesis–thatothersmaylive.Aslongasthereisarmedconflict,therewillbemilitarymenandwomenthatdieincombat.Everydeathisatragedytofamily,friends,andtheirfellowservicemembers.Thosemenandwomenwhoarekilledincombatmadeachoicetoserveandtheirsacrificeshouldbehonored.Servicemembersarealsooftenkilledduringnoncombatincidents.Theseincidentshaveanadditionalelementoftragedyinthattheyaremostoftenpreventable.Militarymembersshouldnotdiebecausetheirequipmentdoesnotoperateasintendedortheoperatinginstructionsdonotprovidecorrectinformation.Asaflighttestengineer,Itestednewaircraftandmodificationstoexistingaircrafttoensurethatthefieldedproductissafetooperateandoperatesasdesigned.Weoftenfindinteractionsbetweentheoperatorandproductorbetweenthemodificationsandbaseaircraftaredeficientforuseinthefield.SystemsTheoreticProcessAnalysis(STPA)hasthepotentialtopredicttheseinteractionsduringthedevelopmentprocessinordertodesignouttheflawsthatcanleadtoaccidents.IbelievethatSTPAcanalsosavethelivesofflighttestprofessionalsandourmenandwomenwhoutilizethesesystemsincombat.ObjectivesTheobjectiveofthisthesisistodeterminethefeasibilityofimplementingSTPAwithintheAirForceacquisitionsprocess.Therearetwomaincomponentsofthethesis.OneistoconductcasestudiestoillustratethepoweroftheSTPAanalysistoimplementcomponentsoftheacquisitionprocess.ThesecondcomponentistoinvestigatehowtheSTPAprocesscanbestbeintegratedintocurrentAirForceacquisitionprocesses.ThesisStructureTraditionalhazardanalysismethodswillberesearched,followedbyanexplanationofSTAMPandSTPA.ThehazardanalysissectionisfollowedbyexplaininghowSTPAcouldbeimplementedintotheAFacquisitionandairworthinessprocessesandconclusions.Then,twocasesstudiesusingSTPAarepresented.ThefirstcasestudyisanexampleofaJSTARSusedtomanagebattlesthatincludesgroundandairforces.ThesecondcasestudyisofageneralaviationaircraftmodifiedtobecomeaUAV.
15
HazardAnalysisMethodsFaultTreeAnalysisFaulttreeanalysis(FTA)isatopdownrootcausehazardanalysistoolthatcanbeusedforprobabilisticriskassessments.Faulttreeanalysiswasdesignedintheearly1960sforuseontheMinutemansystem,andhasbeenadoptedbyseveralindustriesoverthelast50yearsincludingaerospace,nuclear,chemicalprocessing,andsoftware.FTAcanbeusedthroughoutthedesignandlifecycleofthesystemtoinformdesign,operations,andmodificationstothesystem.Theanalysisbeginswithanundesiredevent,andafaulttreeisdevelopedtodeterminewhatlower-levelevents(failuresorfaults)orcombinationofeventscouldcausetheundesiredevent.Therelationshipbetweenthelower-leveleventsaredefinedusinglogicgates.Oncethemodelisdeveloped,probabilitiesofeacheventarecombinedusingBooleanlogicandsimplereliabilitycalculationstocomputethesystemreliability.(2)Themodelalsoutilizescutsets,whichareauniquesubsetofallthelower-leveleventsthatwouldcausetheundesiredeventtotakeplace.Theremaybeseveralcutsetsforeachundesiredevent,andevaluatingeachallowsthedesignertofocusonspecificdesignchangestoavoidtheundesiredeventalongwithcalculatingaprobabilityforeachcutset.Becausethefocusisonprobabilityandreliability,thedesignchangessuggestedofteninvolveaddingredundancysothatthereliabilitycalculationsareincreased.AnexampleofFTAisshowninFigure1.TheFTAisforafirepump,whichprovideswatertofiresprinklersystems.ThequestionthatnecessitatedtheFTAbelowiswhetherornotthefirepumprequiresemergencypower,suchasagenerator,orifitcanusepowerfromtheutilityprovider.(3)
16
Figure1FaultTreeforPowertotheFirePump(3)
AtthetopoftheexampleinFigure1,theundesiredeventis‘nopowertofirepump’.Thiscouldoccuriftheutilitypowerandgeneratorfails,oriftheautomatictransferswitch(ATS)fails.Therearetwopathsbelowtheutilitypowerandgeneratorfailelementforeachpowersource,andbasiceventsthatwouldcauseeachpathtofailarelistedinthebottomblock.Probabilitiesforeachbasiceventareestimated,whichallowstheusertodeterminetheprobabilityoftheundesiredevent.FTAisapowerfultoolthatcanallowanalysisofsystemreliabilitybyevaluatingcomponentfailures,howevernotallundesiredeventsoccurduetoacomponentfailure.Humanandsoftware-relatedsysteminteractionswillnotbecapturedusingFTA,norcanprobabilitiesbeassignedtosuchcases.Additionally,thistypeofanalysisassumesthateachofthefailuresareindependentfromeachother.Thisassumptionmaynotalwaysbeappropriate,andtheresultsoftheanalysiswillbeinaccurateiftheassumptionismadewhenitshouldnotbe.FailureModesandEffectAnalysis(FMEA)FMEAisabottomuphazardanalysistool.Ratherthanstartwithanundesiredevent,aswithFTA,theanalysisbeginswithacomponent.Eachcomponentorsubsystemisanalyzedforpotentialfailures.Theeffectofthefailuremustbedetermined,andfailuredetectionmethods
17
andmitigationsaredetermined.(4)Componentfailuresmaybedeterminedbyengineeringjudgementorstatisticalanalysis.AnexampleofFMEAisshowninthefigurebelow.
Figure2FMEAExampleConceptualDesignReviewforFlightControlSystem(4)
Ascanbeseenfromthefigure,thetableisbrokenintosystems,inthiscasethepitchcontrolsystem,andfurtherbrokendownbyfunction,whichismechanicallinkagefunctionforpilotinputcontrolmotions.Differentpossiblefailuresarethenlistedforeachfunction,alongwithwhatmightcausethefailure(assumedfailurecase),effectonthesystem,effectontheaircraft,anyactionsduringflighttocompensateforthefailure,andfinallythefailureclasswithIbeingthemostdangerous.Thefailurescanthenbemitigatedthroughdesignchanges.Thefigurebelowshowsthesamesystematpreliminarydesignreview.
18
Figure3FMEAExamplePreliminaryDesignReviewforFlightControlSystem(4)
InFigure3,thefirst4columnsarethesame,butnoweffectonsystem,effectonaircraft,compensatingprovisionshaveallchanged.Additionally,thefailureclassesforallofthefailuretypeshasbeenreducedtoIIorIII.ThemaindrawbacktoFMEAisthatitrequirestheengineertoexamineeverycomponentandpotentialfailuretodetermineifthereisasafetyhazardassociatedwiththatfailure.Itcanbecomeincrediblytimeconsumingcomparedtoothermethods.Additionally,justaswithFTA,onlysinglecomponentfailuresareconsideredinthisanalysis.FTAconsiderscomponentinteractiontosomedegree,howeverFMEAdoesnotatall.Thecasewheretwofailuresarerequiredtoproduceaneffectarenotincluded.Theoreticallytheycouldbe,buttheamountofeffortinvolvedwouldbeprohibitiveexceptfortheverysimplestofsystems.Additionally,thisanalysisdoesnotconsiderthehuman,excepttoassumethehumancanenactthecompensatingprovisionsduringflight,asseeninFigure1forthebrokenfeelspring.HAZOPHazardandoperabilitystudy(HAZOP)wasdevelopedinthe1960sbyImperialChemicalIndustries.(5p.1)itis“astructuredanalysisofasystem,process,oroperationforwhichdetaileddesigninformationisavailable,carriedoutbyamultidisciplinaryteam.”(5p.2)HAZOPsystematicallygoesthrougheachofthesystemparametersandusesasetof
19
guidewordstodeterminewhetheroranotadeviationoftheparameterwouldleadtoasafetyhazard.Studiesarecarriedoutwithaclientandafacilitator.(5p.44)ThefacilitatorisanexpertinHAZOP,andtheclientisanexpertintheparticularsystemthattobestudied.AccordingtotheBritishStandardonHAZOP,thekeyfeaturesofaHAZOPanalysisare:
- Theexaminationisacreativeprocess- Theexaminationiscarriedoutundertheguidanceofatrainedandexperiencedstudy
leader- Theexaminationreliesonspecialistsfromvariousdisciplines- Theexaminationshouldbecarriedoutinaclimateofpositivethinkingandfrank
discussion- Solutionstoidentifiedproblemsarenotaprimaryobjective(6)
TheHAZOPprocess,asshowninFigure4,isbrokenintofourmainsteps.DefinitionandPreparationaresimilarstepsforanygroupbasedactivity.Step3,Examination,beginswithdividingthesystemintoparts.ThedivisionallowstheHAZOPteamtomorespecificallydefinethedesignintentofeachpart.Accordingtothestandard,themorecomplexthesystem,andthehigherthestandard,thesmallerthedividedpartswillbe.Eachpartisthenbrokenintoelements,whichcanrangefromstepsorprocessstagestocomponents.(6)Theelementsallhavecharacteristicsassociatedwiththem,suchasmaterialproperties,rates,orinformation.Eachelementisthenexaminedusingguidewords.ThegenericlistofguidewordsareshowninTable1.
Table1BasicGuidewords(6)
Theseguidewordsareusedtoencouragethestudyparticipantstothinkcreativelyabouttheelementsandpartsunderexamination.
20
Figure4TheHAZOPStudyProcedure(6)
DrawbacksofTraditionalHazardAnalysesOnedrawbacktoHAZOP,FaultTrees,andFMEA,isthesystemmustalreadyhaveadetaileddesign(6).Ifhazardsareidentified,significantdesignreworkmayberequiredtomitigateoreliminatethehazards.Reworkcoststimeandmoney,andthereisapossibilitythatprogramslackingoneorbothofthosemaychoosenottoimplementallofthemitigations.Additionally,
21
solutionstohazardsarenotidentifiedintheseanalyses,whichmeansaseconddesignstudywouldberequiredtodeterminethebestwaytomitigateorreducetheidentifiedhazards.Theseanalysesalsofocusoncomponentfailure,whichisnottheonlycauseofmishaps.ManymishapssuchastheEuropeanSpaceAgency’sSchiaparellimishaponMars,arenotcausedbycomponentfailure,butratherbysoftwareinteractionsduetodesignerrors.(7)Othermishapsarecausedduetohumaninteractionwithinthesystemduetopoordesign.Noneoftheseanalyseswillidentifythesetypesofmishapcauses.Theanalysesonlylookatdeviationsfromdesignintent,whichassumesthatdesignintentissafe.Asdiscussedintheparagraphabovethisassumptionmaynotbevalid,leadingtounidentifiedhazardsassociatedwiththedesignintentitselfthatwillgointoproduction.Thereasontheseanalysesaredeficientformoderntechnologiesisbecausetheywerecreatedduringatimewhensystemsweremainlyelectromechanicalsystemswithnosignificantcomputersorsoftware.AsthetimelineinFigure5shows,thetraditionalhazardanalyseswereallcreatedbeforeManwalkedonthemoon.Sincethen,humanityhasexperiencedagiantleapindigitaltechnologies.Effortstoadapttraditionalmethodstoidentifyhazardsnotcausedbyacomponentfailurecannotbesuccessful,astheunderlyingtheoryfortheseanalyseswerenotbasedonmoderntechnologies.
Figure5HazardAnalysisTimeline
1949-FM
EA
1962-FTA
1963-HA
ZOP
1969–Ap
ollo11
1974–F-16FirstFlight
1997–F-22FirstFlight
2003-STAM
P2006–F-35AFirstFligh
t
1943–FirstDigitalC
omputer1940 19601950 2000199019801970 2010
22
Anewhazardanalysisisneededthatisdesignedtocapturebothfailurerelatedandnon-failurerelatedhazards.Theanalysisshouldbeabletoconsiderhumansandsoftwareaspartofthesysteminadditiontotheelectromechanicalcomponentstraditionallyevaluated.STAMPSystems-TheoreticAccidentModelandProcess(STAMP)isbuiltonunderlyingsystemstheoryandthreeconcepts,“safety,constraints,ahierarchicalsafetycontrolstructure,andprocessmodels.”Systemsare‘viewedasinterrelatedcomponentskeptinastateofdynamicequilibriumbyfeedbackcontrolloops.”(8)Accidentsoccur,therefore,duetoaviolationofthesafetyconstraints.Safetyconstraintsareinitiallydefinedatthesystemlevel,andarethenbrokendownto“sub-requirements”asthedesignprogressesandsubsystemsandcomponentsaredeveloped.Thenextconcept,hierarchicalsafetycontrolstructure,isbasedoffofhierarchicalstructuresinsystemstheory.Thelowerlevelsareconstrainedbycontrolprocessesfromthehigherlevels.Inturn,thelowerlevelsprovidefeedbacktothehigherlevels“abouthoweffectivelytheconstraintsarebeingsatisfied.”(8)AnexampleofahierarchicalsafetycontrolstructureisshowninFigure6.Theleftsideissystemdevelopment,andtherightsideisoperations.Thisparticularsafetycontrolstructurehasalargescopethatincludeslegalbodies,regulators,andcompanymanagement.Safetycontrolstructurescanbescopedbasedontheobjectivesoftheanalysis.Animportanttakeawayfromthisparticularsafetycontrolstructureisthatamishapmayoccurwithintheoperatingprocess(bottomrightcornerofthefigure),howevertheinadequatesafetyconstraintsthatledtothemishapcouldbewelloutsideofthesmalloperatingprocessscope.Inadequate(missing,inappropriate,orunenforced)safetyregulations,forexample,couldbeafactorinamishap.Noneoftheotherhazardanalysesdescribedinthissectionexaminehazardsthatarisefromoutsideofthesystemunderdesign.Thecontextinwhichthesystemoperatesshouldbeinputintothedesign.Contextcanincludeoperatingenvironment,companyobjectivesandoperatingpractices,orregulatoryrequirements.Ifthesecontextualinputschange,astheycertainlywillthroughoutthelifecycleofaproduct,theassumptionsthatwentintothedesignarenolongervalid.Asystemthatmayhavebeensafewhenitwasfirstfieldedbecomesunsafe.ThisiswhyLeveson’ssixthnewassumptionis:“Systemswilltendtomigratetowardsstatesofhigherrisk.”(8)Ifthecontextwasnotincludedasaninputtothedesign,thesystemmaybeunsafefromthestart.Becausethecontextofadesignedsystemwillchangethroughoutitslifecycle,feedbackinFigure6isjustasimportantastheconstraintsthatareappliedtothelowerlevels.Forexample,problemreportsprovidedbythecontrollersmustbereportedtoboththesystemdevelopmentandsystemoperationschains.Theoperationsmanagementmayhavetoalterworkinstructionsorsendouttemporarynoticesregardingtheproblemreports.Theprojectmanagerswillevaluatetheproblemreportsandtakeactiontoresolvetheproblem.
23
Figure6ExampleofaHierarchicalSafetyControlStructure(8)
Oftenproblemsarenotreportedforavarietyofreasons.Theresultisasystemthatisnotoperatingasitshould,operatorscreatingworkaroundsbythemselvesoroverlookingtheproblem,nohazardanalysistounderstandthesafetyimplicationsoftheproblem,andnosystemredesign.Feedback,therefore,isessentialtothesafetyofthesystemalongwiththesafetyconstraints.
24
ThelastmajorcomponentofSTAMPisprocessmodels.Thepurposeoffeedbackistoinformthecontrollerofthestateoftheprocess,whichisacomponentoftheprocessmodel.Theprocessmodel,asdescribedbyLeveson,isa“modelusedtodeterminewhatcontrolactionsareneeded,anditisupdatedthroughvariousformsoffeedback.”Forexample,anautopilotissettomaintainaheading.Theautopilotmustreceivethecurrentheading,aircraftattitude,andailerondeflections.Figure7illustratestheprocessmodelwithinacontrolstructure.Thecontrollerthenusestheprocessmodeltodeterminethecontrolaction.
Figure7SimpleControlStructure(8)
Evenwithaccurateandadequatefeedback,thecontrollerstillmaynotprovideasafecontrolaction.Therefore,asLevesonsaid,“processmodelsplayanimportantrole(1)inunderstandingwhyaccidentsoccurandwhyhumansprovideinadequatecontroloversafety-criticalsystemsand(2)indesigningsafersystems.”Levesonstatesthat“systemsareviewedasinterrelatedcomponentskeptinastateofdynamicequilibriumbyfeedbackcontrolloops.”Safetyisthen“achievedwhenappropriateconstraintsonthebehaviorofthesystemanditscomponentsaresatisfied.”(8)Accidentsoccurwhenthoseconstraintsareviolated.Theviolationsareoneormoreof:
1. Thesafetyconstraintswerenotenforcedbythecontroller.a. Thecontrolactionsnecessarytoenforcetheassociatedsafetyconstraintateach
levelofthesociotechnicalcontrolstructureforthesystemwerenotprovided.b. Thenecessarycontrolactionswereprovidedbutatthewrongtime(tooearlyor
toolate)orstoppedtoosoon.c. Unsafecontrolactionswereprovidedthatcausedaviolationofthesafety
constraints.2. Appropriatecontrolactionswereprovidedbutnotfollowed.(8)
LevesonillustratescontrolflawswithrespecttothesafetycontrolstructureinFigure8below.
25
Figure8ControlFlawsLeadingtoHazards(8)
Therearegenerallymultiplecontrollersineachhierarchicalcontrolstructuresthateitherprovidecontrolinputstolowerlevelcontrollers(1),orprovidecontrolactionstothecontrolledprocessitself(controller2).Withinthecontrolledprocess(4),componentfailureswillbeidentified.Feedbackandcontrolactionscanbedisruptedoralteredbyphysicalfailuresaswell(suchasactuatororsensorfailures).Thesetypesoffailuresarewhatotherhazardanalysespreviouslydescribedmayidentify.Thereare,however,manyothercausalfactorsbeyondcomponentfailuresinFigure8thatwillnotbeidentifiedbythetraditionalhazardanalysistechniques.STPA(SystemTheoreticProcessAnalysis)isahazardanalysistechniquebuiltontheSTAMPfoundation.Itstartswithdefining“accidentsorlosses,hazards,safetyrequirementsandconstraints,andthesafetycontrolstructure.”(8)
26
Anaccident(ormishapinmilitaryterminology)isdefinedas“Anundesiredorunplannedeventthatresultsinalossincludinglossofhumanlifeorhumaninjury,propertydamage,environmentalpollution,missionloss,etc”(8)Theprojectstakeholdershoulddeterminewhattherelevantlossesarefortheparticularsystembeingdesigned.Ahazardisdefinedas“Asystemstateorsetofconditionsthat,togetherwithaparticularsetofworst-caseenvironmentalconditions,willleadtoanaccident(loss).”(8)Eachhazardshouldtracetoanaccident.Asanexample,ananalysisofanewaircraftwilllikelyincludetheaccidentof“lossoflife”.Ahazardmightbe“aircraftviolatesminimumseparationrequirements.”Ifanaircraftviolatesminimumseparationrequirements,itcouldcauseamidaircollision,whichwouldpossiblyresultinlossoflife.Therefore,thehazardwouldtracetotheaccidentlossoflife.Next,safetyrequirementsaredevelopedfromthehazards.Inthecaseoftheexampleabove,therequirementmaybe“aircraftmustnotviolateminimumseparationrequirements.”Oncethehigh-levelconstraintshavebeendeveloped,thesafetycontrolstructureiscreated.Thecontrolstructuremustbedesignedbasedontherequirementspreviouslydefined,alongwithanyotherconstraintsassociatedwiththeorganizationsthataredesigningandoperatingthesystem,operationalconstruct,andlogisticssupport.STPAhastwosteps.Thefirststepistoidentifyunsafecontrolactions(UCAs).Thesafetycontrolstructureidentifieseachcontrollerandtheirassociatedcontrolactions.Eachcontrolactionisthenevaluatedtodetermineunderwhatcircumstancesthatcontrolactionmayleadtoahazardousstate.InSTAMP,UCAshappenbecause:
1. Acontrolactionrequiredforsafetyisnotprovidedornotfollowed.2. Anunsafecontrolactionisprovided.3. Apotentiallysafecontrolactionisprovidedtooearlyortoolate,atthewrongtimeorin
thewrongsequence.4. Acontrolactionrequiredforsafetyisstoppedtoosoonorfortoolong.(8)
TheseUCAsareoftenputintoatablewiththecontrolactioninthefirstcolumnandthefourtypesofUCAsinthenext4columns.AnexampleoftheUCAtablecanbeseenbelow.
27
Table2ExampleUCATable(9)
Inthetableabove,thecontrolactionis“opentraindoors”.NotethattherearenoUCAsinthe“Stoppedtoosoonorappliedtoolong”category,whichonlyappliestocontinuousactions.DiscreteactionswillnothaveUCAsinthiscolumn.ThesecondstepisdetermininghowtheUCAmightoccur.Thisistypicallyaccomplishedbyevaluatingthecontrollooprelatedtotheparticularcontrollerandcontrolactionthatisbeingexamined.Thecausalscenariosthataregeneratedinthisstepwillprovideinformationnecessarytoeliminatethehazard,orifeliminationisimpossibletocontrolthehazard.Thisinformationiswrittenasasafetyrequirementorconstraintthatshouldbeincludedindesignrequirementsoroperationalprocedures.LevesongivesanexampleofhowtodothisinEngineeringaSaferWorld,whichcanbeseeninFigure9.Figure9isamodifiedversionofFigure8forahigh-powerinterlock.Theinterlockshouldcausethepowertobedisruptedwhenadoorisopen,sothatsomeonecanworkintheareawithoutbeingshocked.Whenthedoorisclosed,powerflowstothesystemagain.
28
Figure9AnExampleofSTPAStep2:ScenarioGeneration(8)
Figure9showsgeneralscenarios,suchas“detectiondelayed.”Thesescenariosarenotyetdetailedenoughtodeterminehowtoeliminatethehazard.Onemustdeterminewhythedetectionisdelayed.Maybevibrationsintheenvironmentcausesthesensitivedetectortogivefalsedooropenfeedback,sothesensorisprogrammedtoonlyprovidefeedbackoncethedetectorindicatesthedoorisopencontinuouslyforacertainperiodoftime.Ifthisisthecase,thesafetyconstraintmightread“Thedetectormustprovidedooropenfeedbackwithin0.1secondsofopening”,asanexample.“Spuriousfeedback”isanothergeneralscenario.Alongthelinesofthepreviousexample,themoredetailedinformationmightread“Thedetectorissensitiveanddetectssmallmovementsofthedoor,sendingfalseopendoorfeedback.”Asafetyconstraintmaybe“Thedetectormustonlydetectthedooropening,notdoormovementwhilestillintheclosedposition.”Now,designengineerscanevaluatehowtosolvethespuriousfeedback,whichwillinturnsolvetheneedforadelayindetectionfeedback.Whilethismayseemobvioustothereader,systemdesignsareoftenadjustedto‘fix’issuesbyresolvingthesymptomsoftheissueratherthancorrectingaflaweddesign.Thefinaldesignbecomesapatchworkof‘solutions’,insteadofathoughtfulandcohesivedesign.Theauthorhaspersonallyseenthistypeofpatchworkengineeringresultinmishapscostingtensofmillionsofdollars.STPAisatopdownanalysis,meaningthatitstartswithahigh-levelgoal(accidentsthatneedtobeprevented),andtheanalysisprogressesdownintolow-leveldetails.Thetopdownnatureof
29
STPAcanbeseeninFigure10.Ahandfulofhigh-levelaccidentsarefollowedbyaslightlylargernumberofhazardsthatcaneachbetracedtooneormoreaccidents.Oncethesafetycontrolstructureiscreated,andthecontrolactionsinthesystemareunderstood,theUCAscanbeexamined.EachUCAisalsotraceabletooneormorehazards.ScenariosforeachUCAarethencreated.Becausetheanalysisbeginsatthetop,onlyscenariosthatcanactuallycauseanaccidentareinvestigated.Additionally,bystartingwithhigh-levelaccidentsandhazardsandworkingdownintothedetail,onecanmoreeasilytellifanaccidentorhazardismissing.Largelistsofhazardsarenearlyimpossibletoinspectforcompleteness.
Figure10STPATopDownAnalysis
Thetraceabilityofananalysisisakeycomponentofanysystemapproach.Thetraceabilityprovidesmultiplefunctions.First,whentheanalysisyieldsasafetyconstraintitisveryeasytounderstandtheoriginoftheconstraintandtheeffectiftheconstraintisnotconsideredinthedesign.Traceability,therefore,servestodocumenttheanalysisandjustifythefindings.Thisallowstheanalysistobequicklyunderstoodbyothers,andprovidesdocumentationofthesafetyapproachwhenthesystemrequiressafetycertification.Second,ifthedesign,associatedsupportsystem,oroperationalcontextchanges,updatingtheanalysisbecomesmucheasier.
30
AirForceAcquisitionsandSystemsSafetyAirForceAcquisitionsProcessAsimplifiedversionoftheAirForceacquisitionsprocessisshowninFigure11.Theprocessconsistsof6phases.
Figure11AcquisitionsProcess(10)
ThefirstphaseistheMaterialSolutionAnalysisphase.Inthisphase,anAnalysisofAlternativesisconductedtodeterminetheconcept,ormaterielsolution,forthesystem.TheactivitiesinMSAanddocumentsareshowninFigure12.
31
Figure12SEActivitiesinMaterielSolutionAnalysisPhase(11)
ThesecondphaseistheTechnologyMaturationandRiskReductionphase.Thisphase’spurposeisto“reducetechnology,engineering,integration,andlifecyclecostrisktothepointthatadecisiontocontractforEngineeringandManufacturingDevelopment(EMD)canbemadewithconfidenceinsuccessfulprogramexecutionfordevelopment,production,andsustainment.”(12)TheactivitiesassociatedwiththisphaseareshowninFigure13.
32
Figure13SEActivitiesinTechnologyMaturationandRiskReductionPhase(11)
Duringthisphase,tradestudiestoexploredesignoptionsandreduceprogramriskareconducted.TheCapabilityDevelopmentDocument,SystemsEngineeringPlan,SystemRequirementsDocument,TestandEvaluationMasterPlan,RequestforProposalandotherdocumentsaredrafted.Thesedocumentsarecontinuallyrefinedthroughouttheacquisitionsprocess.Thepreliminarysystemdesignisdevelopedinthisphase,andsafetyengineersconductaFMECAstudyonthedesign.NeartheendofthephasethePreliminaryDesignReviewwilltakeplace.PDRistypicallyrequiredtoproceedtoMilestoneBandentertheEngineeringandManufacturingDevelopmentphase.DuringEMD,thedesignisfurtheradvancedandintegrated,andthemanufacturingprocessisdeveloped.TheCriticalDesignReviewoccursduringthisphase.AttheCDR,thePOdetermineswhetherornotthedesignmeetsrequirements,ifitisreadytobuildtestarticles,andifitisreadyforDTtobegin.TheseactivitiesareillustratedinFigure14.
Figure14SEActivitiesinEngineeringandManufacturingDevelopmentPhase(11)
33
Duringthisphase,theairworthinesscertificationbasis,whichconsistsofthesuitableMIL-HDBK-516Ccriteria,mustbeapprovedbytheTAA.Additionally,priortoDT,theTAAwillapprovethemilitaryexperimentalflightrelease(13).NeartheendofEMD,theProductionReadinessReviewisconductedtodetermineifthesystemisreadyforproduction.AftertheMilestoneCreview,theprogramenterstheProductionandDeploymentphase.Inthisphase,low-rateproductionbeginsandDTandOTperformthemajorityoftheirtesting.TheFullRateProductionDecisionismadeinthisphase,whichwillmarkthebeginningoffullproduction,asshowninFigure15.InitialOperationalCapabilityistypicallydeclaredduringthisphase,whichindicatesthatthesystemhasreachedaminimumoperationalcapability.TheMilitaryTypeCertificate,issuedbytheTAA,mustbeobtainedbeforeOT&Ebeginsorbeforethefirstdeliveryofaircraftforoperationaluse.
Figure15SEActivitiesinProductionandDeploymentPhase(11)
ThelongestphaseoftheacquisitionsprocessisOperationsandSupport.Inthisphase,FullOperationalCapabilityisdeclared,indicatingthattheoperationalunitshavereceivedthesystemandareabletooperateandmaintainthesystem.Ifthesystemrequiresupgradedcapabilities,theacquisitionsprocesswillbeinitiatedfortheoperationalrequirement.TheairworthinessprocessisrepeatedforsystemupgradesoranyothermodificationtoincludeissuinganupdatedMEFRfortestingandMTCforfielding.ThelastphaseistheDisposalphasewhenthesystem.Thisphaseincludesdemilitarizingtheaircraft(removingweaponsandhazardousmaterials),andeitherstoringordestroyingthem.
34
STPAImplementationwithintheAirForceAcquisitionProcessSTPAintheAcquisitionsProcessSTPAcaneasilyfitintothisacquisitionsprocessasitiscurrentlyconducted.Figure16showstheacquisitionsprocessagain,withnumbersindicatingwhereanSTPAanalysiswouldfitintotheprocess.Belowisadiscussionofeachnumber.
Figure16AcquisitionsProcesswithSTPA
(1)DuringtheMSA,conceptoptionscanbeevaluatedusingSTPA.Theconceptofoperationsisoneoftheaspectsoftheconceptstobeevaluatedandwillincludetheoverarchingfunctionandtheoperationalcontext,whichareinputstoanSTPAanalysis.STPAwouldgeneratesafetyconstraintsforeachoftheconceptoptions.Thesafetyconstraints,coupledwithotheraspectsoftheAoAwillbeusedtosupporttheMilestoneAdecision.(2)AfterMilestoneA,intheTechnologyMaturationandRiskReductionphase,thesystemisfurtherdefinedinmoredetail.TechnicalrequirementsfortheRFParedeveloped,andsourceselectionbegins.Asthetechnicalrequirementsforthesystemaredetermined,soshouldthesafetyrequirements.ContinuingtheSTPAanalysiswillprovidehigh-levelsafetyconstraintsforinputintotheRFP.STPAwillalsoprovideinputstotheTEMP,SRD,andSEPduringthisphase.(3)Onceacontractisawardedandthecontractorbeginsthedesignprocess,theywillcontinuetheSTPAanalysisforthesystemandguidethedesign.ThePOshouldalsobeginSTPAanalysisonsupportfunctions,suchasmaintenance,logistics,infrastructure,technicalorders,andtraining.Currentairworthinessstandardsrequirethatthesupportfunctionsdonotdetractfromthesafetyoftheairframe,thereforethesefunctionsshouldalsoundergotheanalysis.Theseanalyseswillalsobecontinuouslyrefinedasthebasing,maintenance,andlogisticconstructsaredetermined.(4)InEMD,asthesystemisintegrated,designstoachievesafetyconstraintsidentifiedbySTPAwillbeverifiedbytest.Someconstraintsmaybetestedinlabenvironments,suchassoftwareinthelooporhardwareintheloopfacilities.However,becausethesafetyconstraintsarebasedonthesystemasawhole,someconstraintswillrequiretheintegratedsystem,andmayevenrequirethesystemintheoperationalenvironmentforverification.Thismeansthatasthetestplanisdeveloped,eachconstraintwillneedtobecategorizedbyhowitwillbeverified.Optionsforthesecategorizationsmayinclude:inspectionofdesign,softwareintheloop,
35
hardwareintheloop,groundtesting,developmentalflighttesting,oroperationalflighttesting.Ifasafetyconstraintisverifiedearlyinthedevelopment,suchasinasoftwareintheloopfacility,thecontractormustensurethatfurtherdesignchangesdonotaffectthesafetyconstraint,otherwisethetestingwillhavetoberedone.Asthedesignischanged,theSTPAanalysismustbeupdatedtoensurethatconstraintsarestillvalidandidentifynewconstraintsassociatedwiththedesignchange.(5)STPAcanalsobeusedtoassistinmanufacturingplanningtoensurethatthedesigncanbesafelymanufactured,butalsotoensurethatthecommunicationbetweenthemanufacturingteamanddesignteamisadequate.(6)InProductionandDeployment,thedesignisfixedunlessDTorOTfindsunacceptabledeficiencies.Shouldsuchdeficienciesbeidentified,thedeficienciesshouldbeaddedintheSTPAanalysis,whichwillhelpguidetheredesign.(7)OncetheprogramreachestheOperationsandSupportphaseandthesystemisFOC,theMAJCOMswillrequestcapabilityupgradesordecidetousethesysteminnewenvironmentsorindifferentwaysthandesigned.ThePOwillmaintaintheSTPAproductsandwillmodifytheanalysiswiththeupgradestoguidethedesign.TheSTPAanalysiscanalsobemodifiedwiththedifferentenvironmentorutilizationinformationtoensurecontinuedsystemsafety.(8)IfamishapoccursduringO&S,itmeansthatasafetyconstraintwaseithermissingornotenforced.MishapinvestigatorscanusetheSTPAanalysisonthesystem,alongwithevidencefromthemishap,todeterminewhatconstraintsweremissingorunenforcedandmakechangesasappropriate.Thistypeofinvestigationismorepowerfulthancurrentsafetyinvestigations,asitnotonlypreventstheparticularmishapfromreoccurring,butitalsoupdatesthesafetyconstraintstoavoidmishapsingeneral.Methodologytodothisalreadyexists.LevesonbuiltuponSTAMPtocreateCausalAnalysisbasedonSTAMP,whichisusedtoinvestigatemishapsfromasystemsperspectiveandimplementconstraintstoavoidfuturemishaps.(8)IntegratingtheSTPAanalysisperformedduringdesignwithmishapinvestigationanalysiswouldallowtheAirForce,whichalreadyhasanoutstandingsafetyrecord,topreventevenmoremishapsfromoccurring.Applyingmoreresourcestothecurrentsafetypracticeswillhaveminimalreturns–thesafetyrecordisasgoodasitcangetwithoutsubstantialchange.Asystemtheory-basedapproachshouldbethatchange.InadditiontothefactthatSTPAcoversmorescenariosthanjustcomponentfailure,STPAisrelativelylowcostandtakeslesstimecomparedtotraditionalhazardanalyses.IfSTPAreplacesFMECAinthedevelopmentprocesstheprogramwillsavetimeandmoneyandimprovesafety.STPAStudyExecutionandPersonnelCompositionSTPAstudieswillvaryslightlybythepurposeofthestudyandphaseoftheprogram.ThedescriptionbelowisfortheMSAandTMRRphasesbeforethecontractorsareinvolved.
36
AnSTPAstudycanbeperformedsimilartotheHAZOPstudywithafacilitatorandaclient.MembersofAFLCMC,whethertheycomefromairworthiness(AFLCMC/EZ),orsystemsafety(AFLCMC/SES),shouldbetrainedontheSTPAprocessandactasfacilitators.ThesefacilitatorswouldchairtheSTPAstudyandguidetheSTPAprocessforprogramswithinLCMC.Theprogramofficeswouldactastheclient.ThemembersthatshouldtakepartintheSTPAstudyare:
- Engineersfromeachrelevantengineeringdiscipline- Systemsafetyengineers- Systemoperators(eitherfromwithinthePO,orfromtheMAJCOM)- RepresentativesfromDT- RepresentativesfromOT- Airworthinessengineers- Supportfunctions,suchasmaintenance,logistics,facilities,etc
Thestudyshouldbebrokenintothefollowingcomponents:
- Projectpreparation:o Facilitatorassignedo POdevelopsaccidentlistswithcustomer
- Studyintroductiono IntroductiontoSTPAbyfacilitatoro POintroducesproject
- Hazarddevelopmento Facilitatorleadsgrouptodevelophazards
- Safetycontrolstructuredevelopmento Groupwillcreateahigh-levelsafetycontrolstructureo Safetycontrolstructurewillinclude:
§ Operationalcontext§ Systemfunction§ High-levelsysteminteractions(e.g.othersystemsitwillinterfacewith)
- UCAdevelopmento GroupwillcreateUCAtablebasedonsafetycontrolstructure
- UCAscenarioso Initialmeetingstartsscenariogenerationeffortasagroupo Eachleadreviewsscenariosaftertheinitialmeetingtoensurecoverageand
determineassociatedconstraintso Conductafinalmeetingtoensureeveryoneagreeswiththescenariosandsafety
constraints- STPAOutbrief
o DuringMSA,summaryofsafetyconstraintsforeachalternativeshouldbepresentedalongwithrecommendations
o DuringTMRR,thesafetyconstraintswillbeincludedintheRFP§ Resolveanysafetyconstraintsthatconflictwithtechnicalrequirements
37
WhiletheSTPAanalysissetuptobelinear,itisofteniterative—asthestudyproceeds,thegroupmayfindthattheyneedtoupdatetheirhazardlist,safetycontrolstructure,orUCAsaftertheyhavefinishedthatparticularportionofthestudy.Additionalmeetingsmayberequiredasnecessarytoupdatepreviouslycompletedsteps.Oncethecontractisawarded,thecontractorwillberesponsibleforcontinuedanalysisofthesystem.Theyshouldtakethehigh-levelanalysiscomposedbythePOanddevelopitfurtherduringtheirdesignprocess.SystemSafetyProcessSystemsafetyisdefinedas“applicationofengineeringandmanagementprinciples,criteriaandtechniquestoachieveacceptableriskwithintheconstraintsofoperationaleffectivenessandsuitability,timeandcostthroughoutallphasesofthesystemlifecycle.”(14)AFI91-202,TheUSAirForceMishapPreventionProgram,mandatesthateachprogramofficemustinitiateandmaintainaSystemSafetyProgramthattrackshazards,mitigaterisks,andformallyacceptsresidualrisks.(14)ThedocumentthatdefinesthesystemsafetyprocessisMIL-STD-882E,DoDStandardPracticeforSystemSafety.MIL-STD-882E“identifiestheDepartmentofDefense(DoD)SystemsEngineering(SE)approachtoeliminatinghazards,wherepossible,andminimizingriskswherethosehazardscannotbeeliminated.”(15)MIL-STD-882Eidentifieseightelementswithinthesystemsafetyprocess(15):
1. DocumenttheSystemSafetyApproach2. IdentifyandDocumentHazards3. AssessandDocumentRisk4. IdentifyandDocumentRiskMitigationMeasures5. ReduceRisk6. Verify,ValidateandDocumentRiskReduction7. AcceptRiskandDocument8. ManageLife-CycleRisk
Thesystemsafetyapproachconsistsofdescribingtheriskmanagementeffortandhowitisintegratedintotheprogrammanagementstructure.Additionally,ahazardtrackingsystemisdeveloped.(15)Hazardsareidentifiedanddocumentedinthehazardtrackingsysteminthesecondelementoftheprocess.Thestandardstatesthat“Hazardsareidentifiedthroughasystematicanalysisprocessthatincludessystemhardwareandsoftware,systeminterfaces(toincludehumaninterfaces),andtheintendeduseorapplicationandoperationalenvironment.”Itgoesontosaythat“mishapdata;relevantenvironmentalandoccupationalhealthdata;userphysicalcharacteristics;userknowledge,skills,andabilities;andlessonslearnedfromlegacyandsimilarsystems”canalsobeusedtoinformthehazardidentification.Hazardsarethencategorizedbyrisk,whichisdefinedbyseverityandprobability.RisksarethenassessedusingtheRiskAssessmentMatrix,asshowninthefigurebelow.
38
Figure17RiskAssessmentMatrix(15)
Elementfourinvolvesidentifyingpotentialriskeliminationormitigationoptionsforeachidentifiedhazardusingsystemsafetydesignorder.Oncepotentialoptionsareidentified,elementfiveistoselectandimplementtheriskeliminationormitigationoptionsforeachhazard.Next,theriskmitigationisverifiedanddocumentedinelementsix,andanyresidualriskleftoverisacceptedanddocumentedinelementseven.Finally,theprogramofficeshouldcontinuetomanagetheriskthroughoutthelifecycleofthefielded.Withineachoftheseelementsthereareasetoftasks,whichmustbecompletedtobeincompliancewiththestandard.Task201fallsunderelementtwo,“IdentifyandDocumentHazards”.ItrequiresthecompilationofaPreliminaryHazardList(PHL)shortlyafterthematerielsolutionanalysisbegins.ThePHLisbasedonhistoricalandsimilarsystems,andthesystemconcept.Task202isPreliminaryHazardAnalysis(PHA).ThePHAconsistsofidentifyinghazards,assessingtheinitialrisks,andidentifyingpotentialmitigationmeasures.(15)TheriskmatrixshowninFigure17isusedwhencompletingthistask.Recently,LevesonwroteapapershownhowSTPAiscomplaintwithMIL-STD-882E.Inherconclusion,shestates“STPAistotallycompliantwithMIL-STD-882and,infact,wascreatedexplicitlytosupportthetasksinvolvinganalysisinthisstandard.”ShegoesontosaythatSTPA“isatop-down,systemhazardanalysisthatcanbeusedforthehazardanalysistasks(Tasks201-209).”(16)
39
ItisimportanttonotethatwhileMIL-STD-882Eprescribesaprocesstoconductsystemsafety,itdoesnotprescribewhattoolsormethodstousetoaccomplishthetasks.MIL-STD-882Edoescallforprobabilisticriskassessments,whichSTPAdoesnotdo.Therearehazardsthatareimpossibletoprovideaprobabilityofoccurrence.Forinstance,arecentF-16Cmishapwascausedbyanimproperlyassembledengine.Twocomponentsweremissingfromtheenginewhenitwasbuiltupatthemaintenancedepot.(17)Thereissimplynowaytoassesstheprobabilitythatsuchaneventmayoccur.Additionally,theprobability,ifevaluatedbasedonhistoricaldata,maybesosmallthatitisdiscountedorgivenalowerriskassessmentthatisacceptedratherthanmitigated.However,anSTPAanalysisofthemaintenanceorganizationandprocessesmayhavedeterminedthepotentialhazardofimproperlyassemblingtheengine,anddesignedthesafetycontrolstructuretoavoidthehazard.Theairworthinessprocessisasubsetofthesystemssafetyprocess,andisdiscussedinfurtherdetailinthenextsection.
AirForceAirworthinessProcessAirworthinessisdefinedas“theverifiedanddocumentedcapabilityofanairsystemconfigurationtosafelyattain,sustain,andterminateflightinaccordancewith(IAW)theapprovedaircraftusageandoperatinglimits.”(13)TheAirForceairworthinessprocessisdeterminedbybothAirForceInstruction(AFI)62-601andAirForcePolicyDirective(AFPD)62-6.ThesedocumentsestablishaTechnicalAirworthinessAuthority(TAA)appointedbytheAirForceMaterielCommander.(18)ThispositionisresponsibleforissuingMilitaryTypeCertificates(MTC),MilitaryExperimentalFlightReleases(MEFR),MilitaryRestrictedFlightReleases(MRFR),andspecialflightreleases.MTCsareissuedwhencomplianceofthecertificationcriteriaaremet.MEFRsareissuedtoallowdevelopmentalflighttestwithinaspecifiedtimeperiodandflightenvelope.MRFRsareissuedforparticularaircraftunderspecificconditionswhenthereisacompellingmilitaryneedandtheAFcannotobtaindesigninformationinordertoconductanairworthinessassessment.(13)Specialflightreleasesareissuedwhenthecertificationcriteriaarenotmet,buttheprogrammanagersprovethattheaircraftisrequiredforoperationalpurposes.TheTAAchairstheAirworthinessBoard(AB),whichiscomprisedof“seniorengineeringfunctionalorganizationrepresentatives,anAirForceSafetyCenter(AFSC)representative,andarepresentativefromtheowningAFMCengineeringorganizations(asrequestedbytheTAA).”(13)TheboardisresponsibleforprovidingairworthinessadviceandrecommendationstotheTAA.Theprogramofficeisresponsibleforensuringthatthesystemmeetsairworthinesscriteria.AirworthinessplanningisincludedintheLifeCycleManagementPlan,SystemEngineeringPlan,andIntegratedMasterPlan.(13)inadditiontoprovidingcertification,theTAAprovidestheguidanceandstandardprocessestotheprogramofficesforairworthiness.MilitaryHandbook516C(MIL-HDBK-516C),maintainedbyairworthinessoffice,containstheairworthinesscriteriathatmustbemetinordertobeissuedtheMTC.Programofficesdohave
40
thelatitudetotailorwhichcriteriaapplytotheirsystembyapplyingforanexemptionfromthecriteriathatarenotapplicable.(13)EachmajorsectionofMIL-HDBK-516Ccoversaspecificdiscipline,suchassystemsengineering,structures,propulsion,avionics,maintenance,andothers.TheriskmatricesinMIL-STD-882EandMIL_HDBK-516Cwereupdatedinanairworthinessbulletin(AWB-150)forairworthinessassessments.(19)TheupdatedriskmatrixisshowninFigure18.
Figure18UpdatedRiskMatrix(19)
PriortoAWB-150,thereweredifferentprobabilityscaleswithdifferentexposureperiods,whichgreatlyalteredtheseveritycategoryassignedtothehazard.Thestandardizedexposureperiodswillensurethattheprobabilisticriskassessmentsrepresentthesameamountofriskinallprograms,whichinturnensuresthattheresidualriskisacceptedattheappropriateleadershiplevel.JustaswithSTAMP,inordertoperformanairworthinessassessment,engineersmustunderstandthesystembeinganalyzedandthecontextinwhichthesystemwillperform.Thecontextmayincludeflightenvelope,operatinglocationssuchasimprovedorunimprovedrunways,andlogisticssupport.Aninitialairworthinessassessmentwillbeprovidedtoaprogramforanewsystem,howeverasthesystemisupgradedoroperationalcontextchanges,sowilltheassessment.Airworthinessisthereforenotaone-timedeterminationofthesafetyoftheaircraft,butrathercontinuouslyevolving.STPAandAirworthinessSTPAprovidesaprocessthatcomplieswiththesystemsengineeringandsystemssafetyprocessesasdefinedinMIL-HDBK-516C.Itisanapproachthatachievesthe‘completesystems
41
view’andcoversarangeofcriteriaandexpectations.AnanalysisofSTPA’scompliancewithChapters4and14ofMIL-HDBK-516CcanbefoundAppendix3:STPACompliancewithMIL-HDBK-516C.Thissectionreviewstheoverarchingideasandconclusionsfromtheanalysis.Throughoutthehandbook,theverificationofmethodofcomplianceislistedas“inspection.”STPAprovidesastep-by-stepprocessforanalysisthatwillaidtheinspectionprocess.Otherwise,itisnotpossibletodeterminewhetheraninspectionprocessiscompleteoradequate.Whethertheinspectioniscompleteandadequateisbasedonengineeringjudgementorchecklistsestablishedbypreviousexperience,whichmaybeincorrectbasedontheexperienceoftheengineerwiththeparticularsystemthatisundergoinganairworthinesscertification.Additionally,newairframesormodificationsmaybedifferentenoughfromlegacysystemsthatbasinginspectiononhistoricdatadoesnotproduceacompletesafetyanalysisorinspection.Whilethisdocumentonlycoverssystemsengineeringandsystemssafety,STPAprovidesdatafortheentiretyofthesystem.Itprovidesaconstructwithinwhichtoconductspecifictechnicalsafetyanalysessuchasmaterialsorelectromagneticinterferencetesting.STPAwillnottelladesignerthatamaterialisappropriateforaparticularcomponent,butitwillguidethedesignertofocustheirenergiesonflightsafetycriticalcomponentsandprovidesafetyconstraintsasaninputtothecomponentorsubsystemdesign.Itgivessystemdesignerstheabilitytoevaluatetheirsystemasawholeduringthedesignphaseandeliminatehazardsthatotherwisemaynotbeidentifieduntilintegrationandtesting.STPAwillalsoprovidesafetyconstraintsnotassociatedwithcomponentfailuresatall,butratherhowthehumanandsoftwarecontrollersinteractwiththesystem.Animportantaspectofairworthinesscertificationisthatitmustbemaintainedthroughoutthelifecycleofthesystem,astheoperationalemploymentofthesystemchangesandmodificationsaremadetothesystem.STPAprovidesaconstructtoevaluatechangesandensuretheydonotintroducehazardstothesystem.Ifsafetyconcernsareintroducedbythemodification,STPAwillprovidesafetyconstraintsforthedesignofthemodificationandintegrationwiththebaselinesystem.STPAalsocoversthesupportstructureassociatedwiththesystemtoensurethathazardsarenotintroducedbyfactorsoutsideofthesystemdesign.System-basedanalysisallowstheusertodefinescopeofthesystem:itmaybethespecificaircraftbeingdesigned,theoperationalenvironmentwhereitwillbefielded,themaintenancedepotthatconductsprogrammedmaintenance,orotheroptions.Theusercan‘zoom’intospecificsubsystemsand‘zoom’outtolookathowthesystemwillfitintothecurrentoperationalandsupportstructure.Thesystemanalysisismeanttostarthigh-levelandworkdeeperintodetail.WhenaprogramofficeisdeterminingtechnicalrequirementstobeincludedinanRFP,ahigh-levelSTPAmaybecompletedtoprovidehigh-levelsafetyconstraintsthatmustbeincludedinthedesign.Oncethecontractbidisawardedandthedesignprocessbegins,theSTPAshouldbeconductedaspartofthedesignprocesstoassistindecision-makingaboutsafety.Asthedesignbecomes
42
moredetailed,sodoestheSTPAanalysis.Theresultisasystemdesignthatwasguidedbysafetyanddocumentationtoshowtheairworthinesscertificationinspectorsthattheaircraftissafetooperate.ReliabilityandRedundancyOftenwhenminimizingtheriskassociatedwithacomponentfailure,redundanciesareaddedsuchthatevenifonecomponentfailstheotherwillperformthesafetycriticalfunction.Takeforexampleacomponentthathasa20%probabilityoffailureoveraperiodoftime.Thereliabilityofthatcomponentis:
𝑅 = 1 − 𝐹WhereRistheprobabilitythecomponentwillnotfail,andFistheprobabilityoffailure.Therefore,Ris80%.Ifthecomponentisflightcritical,thedesignteammayelecttouseredundancytoincreasereliability.Inthiscase,reliabilityis:
𝑅 = 1 − (𝐹')(𝐹))Whichbringsreliabilityupto96%.Whilethisappearsonthesurfacetobealogicalandstraightforwardmethodology,onemustconsidertheassumptionsthatgointothisanalysis.Inparticular,theassumptionofindependence:thecomponentsmustbecompletelyindependentofeachotherinorderfortheanalysistobevalid.Theauthorflewonatestmissionwhenahydraulicpumpfailedinflight.Theparticularaircrafthadtwohydraulicsystemsthatwereusuallytiedtogetherandincludesfourenginedrivenpumps.Thesystemscanbeisolatedwhenrequired.Thehydraulicpump’sfailurecouldcausemetalcontaminationofthehydraulicsystem;therefore,thesystemswereisolatedinresponsetothefailuretopreventtheadditionalpumpsfromfailing.Inthiscase,thepumpsarenottrulyindependent,asthepilotsmusttakeactiontopreventthefailureofonepumpfromcausingtheotherpumpstofail.Thereareotherdependenciesbetweenthepumpsaswell.thesystemwasservicedbythesamehydraulicmule,whichifcontaminated,wouldaffectallthepumps.Thesamemaintenancepersonnelinspect,repair,andreplacethepumps,thereforeifthereisadeficiencyinthemaintenancepracticesallpumpscouldbeatrisk.Ifthecomponentsareexposedtoharshenvironmentssuchashumidity,sand,orsaltwatertheywillalldeteriorate.Finally,ifthereisamanufacturingdefectorincorrectspecificationbeingused,allcomponentsfromtheaffectedlotsmayhavethesameproblem.So,infact,thereliabilitywouldnotbe96%inthecaseshownabove,butrathersomethingless.Whatthatsomethingiswouldbedifficultifnotimpossibletoquantify,asmaintenanceerrors,manufacturingdefects,andotherdependenciesarenotprobabilisticallydetermined.Therefore,usingFMEAorFMECAcutsetstodeterminetheprobabilityofafailurewillnotyieldaccurateinformation.Ifdesigndecisionsaremadebasedontheprobabilisticassessmenttheywillmostlikelybeflawed.STPA,ontheotherhanddoesnotrelyonprobabilities,makingtheresultsofSTPAmoreactionable.
43
Inaddition,softwareflawsaredesignerrors.Redundancyofflaweddesignsorsoftwarecreatedfromthesameflawedrequirementsisnotgoingtoimproveeitherreliabilitynorsafety.Whataircrafttodayarenotbuiltwithextensivesoftwarecomponents?Itshouldbenotedthatredundancycanbeusedtocreateasafedesign,howeveritcanbeperformedinmorepowerfulwayssuchasdissimilarredundancies(i.e.powerthroughbatteriesandanalternator),moreaccuratelyensuringtrueindependenceofthecomponents,andbynotassumingthatthereliabilitycalculationsabovewillyieldanaccurateanswerthatcanbeusedtodeterminetherisklevelofthesystem.Butalloftheseapproachesapplyonlytohardwareandignorethesoftwareandthehumansinthedesign.Softwarediversitydoesnotwork.(20)AnSTPAanalysisofthedesignwillyieldsafetyconstraintsthatwillminimizehazardsassociatedwithcomponentfailure,andalsothosecreatedthroughdesignflawsandbyunsafeinteractionsamongcomponentsthathavenotfailed.RiskmatricesThetwocomponentsofriskmatricesareprobabilityofoccurrenceandseverity.Thesectionabovediscusseswaysinwhichprobabilityofoccurrenceisnotcorrectforredundantcomponents.Thereareotherreasonswhyprobabilityofoccurrenceisimpossibletopredict:componentinteractionsthatarenotfailures,softwarerelatederrors,andhumaninteractionrelatederrorsallcannotbedeterminedprobabilistically.Theyaredependentonthequalityofrequirementsdevelopment,howwellthecomponentsaredesignedtoworktogether,andhowwellthesystemisdesignedforhumaninteraction.ThisiswhySTPAissoimportant–itprovidessafetyconstraintstobetterinformrequirementsanddesign.WhatmakesSTPAunpalatableforsomedecisionmakersisthereisnowaytoquantifyresidualriskthatisacceptedaspartofthesystemdesign.Peopleintechnicalfieldssuchasengineeringandacquisitionsdesirequantitativemethodstomakedecisions.However,ifthecalculatedvaluesarewrongandleadtomisunderstoodresidualrisk,thedecisionwillnotresultinasafesystem.UsingSTPAratherthanriskmatriceswillrequireaparadigmshift,butitwillresultinamoreaccurateunderstandingofthehazardsassociatedwiththedesign.SystemsThinkingintheAF:Effects-BasedApproachtoOperationsThegreatestbenefitofSTPAisprovidingasystematicframeworkforevaluatingtheproblemathandthat,ifdoneright,iscompleteandconsiderstheproblemasawhole.Itcannotbereduceddowntoachecklist.DoingsowillnegativelyaffectthebenefitsofSTPA,anditwillnotwork.ThismeansthatconductingSTPAacrossalarge,diverse,anddynamicworkforceindozensofdifferentprogramofficespresentsachallenge.WhenthinkingabouthowthatchallengecanbeaddressedintheAirForce,itwasrealizedthatsystemsthinkingalreadyexistsintheAirForceintheformofEBAO.EBAOprovidesasystematicframeworktoconsidertheproblemofdesigningcombatstrategies.Annex3-0OperationsandPlanningdiscussesEBAO.Intheopeningparagraph,inboldletters,
44
thedocumentstates,“EBAOisnotaplanningmethodology;itisawayofthinkingaboutoperationsthatprovidesguidancefordesign,planning,execution,andassessmentasanintegralwhole.”(21)STPAinthisregard“providestheinformationanddocumentationnecessarytoensurethesafetyconstraintsareenforcedinsystemdesign,development,manufacturing,andoperations,includingthenaturalchangesintheseprocessesthatwilloccurovertime.”(8)Safetyisanexampleofanemergentproperty.(22)Justbecausetwocomponentsbythemselvesappearsafe,doesnotmeanthatwhenyouputthetwotogetheraspartofasystemtheirinteractionwillbesafe.Strategistsunderstandtheconceptofemergentproperties.Anemergentpropertyisapropertythat“arisefromtheinteractionsamongthecomponents.”(22)Annex3-0referstothisconceptas‘additivity’andsays,“Additivitymeansthatthewholeequalsthesumofitsparts,butthisisnottrueoflivingsystems,whicharemorecomplexandoftengreaterinoutputthanthesumoftheircomponents,justasthejointforceworkingasanintegratedwholeismoreeffectivethanitscomponentsworkingindependently(“synergy”).Thebehaviorofinteractivelycomplexsystemsoftendependsmoreuponthelinkagesbetweencomponentsthanuponthecomponentsthemselves.Infact,system-widebehavioroftencannotbededucedfromanalysisofthecomponentparts.”Annex3-0states,“Reductionismisthecommonscientificmethodofanalyzingsystems,by“pullingthemapart”conceptuallyandexamininghoweachcomponentoperatesseparatelytodetermineoverallsystembehavior.Ithasbeenthemaintechniquebehindmachinedesignforcenturies,aswellas“nodal”methodsof“systemsanalysis.”However,reductionistmethodsmayyieldlessinsightthanwaysofexaminingsystemsasawhole—analyzinghowthesystembehavesinrelationtoothersystemsinitsenvironment,aswellashowcomponentsofthesysteminteract,andthentryingtoanticipatehowtheinteractionofthesesystemsmaycausecertaintypesofbehavior,orallownewbehaviorstoemerge.Breakingacomplexproblemintoconstituent,structurallycomplexpartsandsolvingeachpartwillnotnecessarilysolvetheoverarchingproblem,justaswinningeverybattledoesnotguaranteewinningawar.”ThedesignersofEBAOalsorecognizedthatlinearcauseandeffectrelationshipscannotbeappliedtostrategicplanning,stating“However,causesandeffectsareoftenhardtotraceandhardertodemonstrate,sincecommon“linear”rulesfrequentlydonotapply—especiallyincasesinvolvinghumanwill”(21)Similarly,inEngineeringaSaferWorld,ProfessorLevesonsaysofreduction,“Thisassumptioninturnimpliesthatthecomponentsoreventsarenotsubjecttofeedbackloopsandothernonlinearinteractionsandthatthebehaviorofthecomponentsisthesamewhenexaminedsinglyaswhentheyareplayingtheirpartinthewhole.”(8)Therefore,whenreductionandlinearcauseandeffectanalysesareusedtoanalyzeacomplexsystem,suchasanaircraft,componentinteractionsaremissed,whichmeanssafetyconstraints
45
forthesystemarenotcomplete.STPAwaspurposelydesignedtoanalyzeemergentproperties.AnothercommonalitybetweenEBAOandSTPAisthat“EBAOfocusesonbehavior,notjustphysicalchanges.”(21)Inotherwords,theanalysismustbebasedonfunctionality.StrategiststhatemployEBAOseektoaffectthefunctionofopposingforces,justasSTPAseekstocontrolthebehaviorofadesignwithinspecificsafetyconstraints.Thesesystems-basedideasencompassingEBAOareacceptedthroughoutalllevelsofAirForceleadership,andaretaughttoallofficersinAirForceprofessionaleducation.EBAOisanintegralcomponentofAirForcestrategy,andaffectsthewaytheAirForcetrainsandexecutescombatoperations.SystemengineeringmethodsareusedbyPOsandcontractorstodesignforemergentproperties,suchassafety,performance,reliability,ormaintainability.YettheAFstillspendsadecadeormoreofdevelopmentaltestingsimplytounderstandwhatwebuilt,whichcausesscheduledelays,costoverruns,andoccasionallytragiclossoflife.Theprogramofficesfindthemselvesinafly-fix-flyloopuntiltheaircraftperformsinamannerthatisdeemedacceptableenoughtobefielded.ThisindicatesthatthereismoretobedoneinthewaythattheAFappliessystemsengineeringwithinprograms.ThepowerofSTPAisthatitcanleadtoatransformationofhowacquisitionsprofessionalsthinkabouttheirsystems,justasEBAOtransformedthewaytheAirForcetargetsenemyforces.Systemengineerscannotbetheonlypeopleinaprogramthatthinkoftheproductandrelatedsupportstructureassystems.Otherengineersdon’tnecessarilyneedtobeformallyeducatedinSE,buttheydoneedtolearnSEconceptsinordertomakethoughtfuldesigndecisionsthatconsidertheirprogramasawhole.Theyshouldalsounderstandhowemergentpropertiesarisefromthedesign–andmoreimportantlyinformthedesigntocreatetheweaponsystemrightthefirsttime.InordertodemonstratetheuseofSTPAintheacquisitionsprocess,twoexamplesareprovidedofSTPAanalysisalongwithdescriptionsofhowtheinformationobtainedcanbeusedinacquisitions.Thefirstexampleisofahigh-levelJSTARSanalysisasmightbecompletedduringconceptdevelopment.ThesecondisofaUAVfurtherinthedesignphaseinTM&RR.
46
JSTARSAnalysisJSTARSSystemDefinitionTheE-8CJSTARS,orJointSurveillanceTargetAttackRadarSystemprovidesmultiplefunctions,toincludeairbornebattlemanagement,commandandcontrol,intelligence,surveillance,andreconnaissance.(23)AccordingtotheUSAF’sfactsheet,theprimarymissionoftheJSTARSis“toprovidetheatergroundandaircommanderswithgroundsurveillancetosupportattackoperationsandtargetingthatcontributestothedelay,disruptionanddistractionofenemyforces.”(23)TheJSTARSisequippedanAN/APY-7sensorthatincludesaside-looking,phasedarrayradar,movingtargetindicator,andsyntheticapertureradarmodes.(24)TheJSTARScollectsdatausingthissensor,andthenprovidesthatdatatogroundpersonnelandaircraftsupportingthegroundwar.TheUSAFiscurrentlyintheprocessofrecapitalizingthefleet,astheE-8CsareagingBoeing707-basedaircraft.Theintentistoacquireanaircraftthatfunctionallyreplacesthecurrentfleet,butwithmoderntechnologiesthatwillreduceoperationalcost.(25)Thisanalysisthereforeexaminesafunctionthatisthesameasthecurrentaircraft.JSTARSSystemMishaps,Hazards,andHigh-LevelSafetyConstraintsThemishapsassociatedwiththissystemare:M1.LossoflifeM2.LossofpropertyM3.LossofmissionThehazardsforthesystem,whicharealltraceablebacktoamishap,are:H1.Aircraftviolateminimumseparationrequirements(M1,M2)H2.Friendlygroundtroopstargeted(M1,M2)H3.Unacceptablecollateraldamage(M1)H4.Friendlyforcesnotprovidedactionabledata(M3)H5.Aircraftengagedbyenemydefenses(M1,M2,M3)H6.Aircraftviolatesminimumaltituderequirements(M1,M2)H7.Supportaircraftcannotprovidesupporttogroundtroops(M1,M3)Eachhazardhasanassociatedsafetyconstraint:SC1.AircraftmustnotviolateminimumseparationrequirementsSC2AircraftandgroundtroopsmustnottargetfriendlygroundtroopsSC3.AircraftandgroundtroopsmustnotcauseunacceptablecollateraldamageSC4.JSTARSmustprovideactionabledataSC5.AircraftmustnotbeengagedbyenemydefensesSC6.Aircraftmustnotviolateminimumaltituderequirements
47
SC7.SupportaircraftmustprovidesupporttogroundtroopsJSTARSSafetyControlStructureThesafetycontrolstructureisbasedonthefunctionalitydiscussedinthesystemdescription.
Figure19JSTARSSafetyControlStructure
TheAirOperationsCenter(AOC)isresponsibleforplanningtheairwarandprovidingairassetswiththeirtasking,knownasanAirTaskingOrder(ATO).JSTARSandotherassetscanprovidefeedbacktotheAOCinorderfortheAOCtounderstandtheeffectivenessoftheirplanningandadjustasnecessary.TheJSTARS,aspreviouslydescribed,providestargetcoordinatesandairspacedeconflictiontothesupportaircraftintheJSTARSareaofresponsibility.ThesupportaircraftconfirmsthemessagesreceivedfromtheJSTARSandwillengagetargetsasdirected.Groundtroopswillrequesttargetinformation,andusetargetinformationprovidedbytheJSTARStoengagetheenemy.JSTARSStep1:UCAGenerationThecommandsshowninthesafetycontrolstructurearethenusedtotheUCAtableshownbelow.
48
Table3JSTARSUCAs
JSTARSNotProvidingCausesHazard
ProvidingCausesHazard IncorrectTiming/Order
StoppedTooSoon/AppliedTooLong
TargetCoordinatestoSupportAircraft
JSTARSdoesnotprovidetargetcoordinatestosupportaircraftwhenthetargetneedstobeengaged(H4)
JSTARSprovidestargetcoordinates,butthecoordinatesarenotwheretheenemyislocated(H2,H3)JSTARSprovidestargetcoordinatestosupportaircraftthatarewithincontestedairspace(H6)
JSTARSprovidestargetcoordinatesbeforetheenemyforcesareseparatedfromcivilians(H3)JSTARSprovidestargetcoordinatesaftertheenemyleavesthetargetlocation(H2,H3)JSTARSprovidestargetcoordinatestosupportaircraftafterfriendlyforceshavemovedtowardsandengagedenemyforces(H2)JSTARSprovidestargetcoordinatestosupportaircraftaftersupportaircraftexpendsweapons(H7) N/A
AirspaceDeconfliction
JSTARSdoesnotprovideairspacedeconflictionwhensupportaircraftareco-altitudeinthesameairspace(H1)
JSTARSprovidessupportaircraftdeconflictioninstructionsthatcreateaconflict(H1)JSTARSprovidesairspacedeconflictionwhentheinstructioncausestheaircrafttoflytooclosetoterrain(H5)JSTARSprovidesairspacedeconflictionwhentheinstructioncausestheaircrafttoenterintocontestedairspace(H6)
JSTARSprovidesaircraftdeconflictionbeforesupportaircraftchangesradiofrequencytoJSTARSfrequency(H1)JSTARSprovidesaircraftdeconflictioninstructionsafteramidaircollision(H1)
JSTARSprovidespartialaircraftdeconflictioninstructions(H1)
49
TargetCoordinatestoGroundTroops
JSTARSdoesnotprovidetargetcoordinatestogroundtroopswhenatargetneedstobeengaged(H4)
JSTARSprovidestargetcoordinates,buttheyarenotwheretheenemyislocated(H2,H3)
JSTARSprovidestargetcoordinatesaftertheenemyleavesthetargetlocation(H2,H3)JSTARSprovidestargetcoordinatestogroundtroopsafterfriendlyforceshavemovedtowardsandengagedenemyforces(H2) N/A
OncetheUCAsaregenerated,safetyconstraintscanbedevelopedtopreventthehazards.Table4JSTARSUCAsandSafetyConstraints
UCADesignator UCA Hazards Constraint
J1
JSTARSdoesnotprovidetargetcoordinatestosupportaircraftwhenthetargetneedstobeengaged(H4) H4
JSTARSmustprovidetargetcoordinatestosupportaircraftwhenthetargetneedstobeengaged
J2
JSTARSprovidestargetcoordinates,butthecoordinatesarenotwheretheenemyislocated(H2,H3) H2,H3
JSTARSmustprovidetargetcoordinateswheretheenemyislocated
J3
JSTARSprovidestargetcoordinatestosupportaircraftthatarewithincontestedairspace(H6) H6
JSTARSmustnotprovidetargetcoordinatesthatarewithincontestedairspace
J4
JSTARSprovidestargetcoordinatesbeforetheenemyforceshaveseparatedfromcivilians(H3) H3
JSTARSmustnotprovidetargetcoordinatesiftheenemyisincloseproximitywithcivilians
J5
JSTARSprovidestargetcoordinatesaftertheenemyleavesthetargetlocation(H2,H3) H2,H3
JSTARSmustnotprovidetargetcoordinatesaftertheenemyleavesthetargetlocation
J6
JSTARSprovidestargetcoordinatestosupportaircraftafterfriendlyforceshavemovedtowardsandengagedenemyforces(H2) H2,H3
JSTARSmustnotprovidetargetcoordinatestosupportaircraftafterfriendlyforceshavemovedwithincloseproximityofenemyforces
50
J7
JSTARSprovidestargetcoordinatestosupportaircraftaftersupportaircraftexpendsweapons(H7) H7
JSTARSmustprovidetargetcoordinatestosupportaircraftwiththeappropriateweaponspayload
J8
JSTARSdoesnotprovideairspacedeconflictionwhensupportaircraftareco-altitudeinthesameairspace(H1) H1
JSTARSmustprovideairspacedeconflictionwhensupportaircraftareco-altitudeinthesameairspace
J9
JSTARSprovidessupportaircraftdeconflictioninstructionsthatcreateaconflict(H1) H1
JSTARSmustnotprovidedeconflictioninstructionsthatcreateaconflict
J10
JSTARSprovidesairspacedeconflictionwhentherouteistooclosetoterrain(H5) H5
JSTARSmustnotprovideairspacedeconflictionwhentherouteistooclosetoterrain
J11
JSTARSprovidesairspacedeconflictionwhenthenewrouteisthroughcontestedairspace(H6) H6
JSTARSmustnotprovideairspacedeconflictionwhenthenewrouteisthroughcontestedairspace
J12
JSTARSprovidesaircraftdeconflictionbeforesupportaircraftchangesradiofrequencytoJSTARSfrequency(H1) H1
JSTARSmustnotprovideaircraftdeconflictionbeforesupportaircraftchangesradiofrequencytoJSTARSfrequency
J13
JSTARSprovidesaircraftdeconflictioninstructionsafteramidaircollision(H1) H1
JSTARSmustprovideaircraftdeconflictiontoaircraftwhentheaircrafthastimetotakeaction
J14JSTARSprovidespartialaircraftdeconflictioninstructions(H1) H1
JSTARSmustprovidecompletedeconflictioninstructions
J15
JSTARSdoesnotprovidetargetcoordinatestogroundtroopswhenatargetneedstobeengaged(H4) H4
JSTARSmustprovidetargetcoordinatestogroundtroopswhenatargetneedstobeengaged
J16
JSTARSprovidestargetcoordinates,buttheyarenotwheretheenemyislocated(H2,H3) H2,H3
JSTARSmustprovidetargetcoordinateswheretheenemyislocated
J17
JSTARSprovidestargetcoordinatesaftertheenemyleavesthetargetlocation(H2,H3) H2,H3
JSTARSmustnotprovidetargetcoordinatesaftertheenemyleavesthetargetlocation
51
J18
JSTARSprovidestargetcoordinatestogroundtroopsafterfriendlyforceshavemovedtowardsandengagedenemyforces(H2) H2
JSTARSmustnotprovidetargetcoordinatestosupportaircraftafterfriendlyforceshavemovedwithincloseproximityofenemyforces
JSTARSStep2:ScenarioGenerationFinally,thescenariosforeachUCAaredeveloped.ThetableofallscenarioscanbefoundinAppendix1.SeveralsafetyconstraintsidentifytheneedforinteroperabilitybetweenJSTARS,supportaircraft,andgroundtroops.Interoperabilityamongstjointforceshasbeenanissueinpreviousprogramacquisitions,thereforehighlightinginteroperabilityearlyisincrediblyimportant,especiallyforaprogramsuchasJSTARS.OtherscenariosindicatedtheneedfordatathatJSTARSitselfmaynotbeabletodetect,suchaslocationofallaircraftwithintheareaofresponsibility,andlocationofenemythreats.Thedatawouldthenhavetocomefromothersources.ThesesourcesmustbeidentifiedearlysothattheinputsintotheJSTARSsystemarewellunderstoodandincorporatedintothedesign.AnotherimportantsafetyconstraintthatwasdiscoveredistheneedforcommunicationwithintheJSTARSaircrew.Atthisearlystageofdevelopment,thenumberandfunctionofaircrewlikelyhasnotbeendecided.Criticalcrewcommunicationconstraintsmustbeconsideredinthedesignofthesystemanddeterminationofaircrewcomplement.JSTARSSTPASummaryThisanalysiswascompletedwithaconceptoffunctionandoperationalcontext.Thereisnodetailabouttheactualsystemunderdesign.ThistypeofanalysiswouldoccurduringconceptdevelopmentintheMSAphaseoftheacquisitionsprocess.ItcanalsobeusedtoprovidesafetyconstraintstobeincludedintheRFPintheTMRRphase.Recently,itwasannouncedthattheJSTARSRecapitalizationprogrammaynotgoforwardasexpected.TheAirForceisconsideringwhetherornotwereallyneedanaircrafttodothismissionatall,orifitcouldbeaccomplishedthroughadistributednetworkofsensorswiththebattlemanagerslocatedawayfromthewar.(26)TheAirForceisconcernedthatJSTARSwouldnotsurviveinalarge-scalewaragainstanenemywithsignificantanti-aircapabilities.AlargeaircraftsuchastheJSTARSmaynotsurvivehighlycontestedairspace,whereasotheraircraftaredesignedforsurvivabilityincontestedenvironments.TheAirForceisattemptingtodetermineif,ratherthanputanexpensiveassetwithrelativelyfewnumbersinharm’sway,anon-airborneJSTARSreplacementsystemcouldreceivedatafromairborneassetsandperformthefunctionofthecurrentJSTARS.Theanalysisperformedaboveismostlyagnostictosuchdecisions.ItdoesnotmatteriftheJSTARSisairborneintheaterorinabuildinglocatedintheUS.Thefunctionwillremainthesame.Whereonefindsadifferencebetweenairborneand
52
non-airborneanalysesisinthescenarios.Forinstance,non-airborneJSTARSreplacementwouldbeentirelydependentonassetsexternaltotheJSTARSsystemforsensordataandcommunications.AirborneJSTARSmissionsarelimitedindurationbasedonfuelandcrewdutydayandlimitedinrangebytheairfieldlocationandenemythreats.Scenariosbasedonthesedifferencescouldbedevelopedtodeterminewhatconstraintsarerequiredgiventhetwooptions.Inthisway,differentconceptsoralternativesmaybeevaluatedearlyintheacquisitionprocess.JSTARSSupportSTAMPAnalysisEarlyintheacquisitionprocess,theprogramofficewillbegindeterminingthesupportstructurerequiredforthefieldedsystem.Thiswillincludethemaintenanceandsupplystructure,requiredgroundequipment,suitableairbasestobaseoperations,aircrewandmaintenanceproceduresandtraining,technicalordersupport,andothers.STPAcansupportthisdecisionaswell.JSTARSSupportMishapsM1.LossoflifeM2.LossofJSTARSorotherpropertyM3.LossofmissionJSTARSSupportHazardsH1.JSTARSisnotmissioncapable(M3)H2.JSTARSmaintenanceproceduresareunsafe(M1,M2,M3)H3.JSTARSoperationalproceduresareunsafe(M1,M2,M3)H4.JSTARSaircraftdoesnotmeetoperationalrequirements(M3)JSTARSSupportSafetyControlStructureThesafetycontrolstructureshowninFigure20isnotallinclusive,butitgivesthereaderanideaofwhatthesupportstructuremightlooklikefortheJSTARS.
53
Figure20SimpleJSTARSSupportSafetyControlStructure
Therearecriticaldecisionswithinthissupportstructurethattheprogramofficemustdecideupon.Forinstance,whoisresponsibleforrepairingunserviceableparts?ItcouldbeatasustainmentcenterbyAirForcepersonnel,oritcouldbeacontractedservice.Whowillberesponsibleforansweringengineeringtechnicalrequestsandmaintainingtechnicaldata?Again,itcouldbeAirForceengineersorthecontractor.Eachdecisionhasramificationstomaintainingthesafetyofthesystem,andanSTPAanalysisofsafetycontrolstructuresdefinedbythepotentialchoicesassiststheprogrammanagerinthedecision.Anysafetyconstraintsidentifiedbytheanalysisofthewinningsolutionmustbeincorporatedintoprogramplanning.STPAStep1and2werenotcompletedforthisexample,asthepurposewastoillustratehowSTPAisusedindecision-makingbeyondthedesignofthesystemitself.
54
UAVSTPAAnalysisUAVSystemDefinitionRecently,agroupmodifiedageneralaviationaircrafttocreateanunmannedaerialvehicle(UAV).Themodificationsincludedavehiclemanagementsystem(VMS)withautopilotlinkedtoactuatorswhichcontroltheenginethrottleandcontrolsurfaces,anenginecontrolmodule,alternators,alipstickcameratoallowtheoperatortoseeinfrontoftheUAV,andradioandpayloadadditions.TheoperationalcontextfortheUAVisatakeoff,climb,andcruiseataltitudeforseveralhoursbeforereturningtotheairfield.AgroundstationattheairfieldcontrolstheUAVusinglineofsight(LOS)communications.OncetheUAVisatcruise,thegroundstationoperatorwilltransitiontheUAVtobeyondlineofsight(BLOS)communications.TheBLOSgroundstationisnotlocatedattheairfield,andcommunicateswiththeUAVviasatellite.TheUAVdoesnottaxiduringgroundoperations.Itistowedtotheenginerun-uparea,totherunwayfortake-off,andofftherunwaytoparkingafterlanding.LostlinkproceduresaresetsuchthatwhenthelinkislosttheUAVwillcontinuealongthepathforacertainperiodoftime.Ifthelinkisnotreestablished,theUAVwillreturntotheairfieldviathelatestlostlinkprocedureprovidedtotheUAV.UAVAccidents,Hazards,andHigh-LevelSafetyConstraintsTheaccidentsfortheUAVoperationare:A1.Lossoflife/injuryA2.LossofordamagetoUAVaircraftA3.LossofmissionThehazardsfortheUAVoperationare:H1.UAVtooclosetoground/building/person(A1,A2)H2.UAVviolatesminimumseparationrequirements(A1,A2)H3.UAVdoesnotcompletemission(A3)H4.UAVdepartscontrolledflight(A1,A2)H5.UAVdepartsapron,taxiway,orrunwayduringgroundoperations(A1,A2)H6.LossofUAVairframeintegrity(A1,A2)Eachhazardistraceablebacktoanaccident.Eachhazardhasanassociatedhigh-levelsafetyconstraint:SC1.UAVaircraftmustnotcollidewiththeground,buildings,orpeople(H1)SC2.UAVaircraftmustnotviolateminimumseparationrequirementswithotheraircraft(H2)SC3.UAVmustcompleteassignedmission(H3)SC4.UAVmustnotdepartcontrolledflight(H4)
55
SC5.UAVmustnotdeparttheapron,taxiway,orrunwayduringgroundoperations(H5)SC6.UAVmustnotloseairframeintegrity(H6)Eachofthesehigh-levelsafetyconstraintswillbeachievediflowerlevelsafetyconstraintsareachieved.ThelowerlevelsafetyconstraintswillbeexploredduringStep1andStep2ofSTPA.UAVSafetyControlStructureTheUAVsafetycontrolstructureisshowninFigure21.Thegroundstationconsistsoftheoperatorandtheuserinterface(UI).Theuserinterfaceisloadedontoacomputer,andcommunicateswiththeUAVviaradios.TheoperatorprovidescommandsthroughinteractionwiththeUI.FeedbackregardingthestateoftheUAVisdisplayedontheUI.
56
Figure21UAVSafetyControlStructure
TheaircraftconsistsoftheVMS,payloads,controlsurfaces,engine,andairdatasystem.TheVMSisapassthroughforthepayloadpowerandenginestart/stopcommands:itprovidesthecommandwhentheoperatorsendsthecommandtotheVMS.Thepitch,roll,yaw,andthrottlesettingcommandsaredeterminedbytheVMSbasedontheGPSwaypointaltitude,andairspeedcommandsgivenbytheoperator.TheVMSuseslocationdata,engineparameterdata,andairspeedandaltitudedatatodeterminetheappropriatepitch,roll,yaw,andthrottlecommands.
57
STPAStep1:UCAGenerationThefirststepoftheanalysisistodefinetheUCAsandtheassociatedrequirements.Asstatedpreviously,controlactionsarehazardousif:
1. Acontrolactionrequiredforsafetyisnotprovidedornotfollowed.2. Anunsafecontrolactionisprovided.3. Apotentiallysafecontrolactionisprovidedtooearlyortoolate,atthewrongtimeorin
thewrongsequence.4. Acontrolactionrequiredforsafetyisstoppedtoosoonorfortoolong.(8)
TheUAVUCAsweredividedintooperatorUCAsandaircraftUCAs.TheUCAsarenotwritteninsentenceformatinTable5andTable6,buttheycanbewritteninsentenceformatusingtheinformationinthetable.Forinstance,thefirstUCAinrow2,column2inTable5iswrittenas“TheoperatordoesnotprovidetheGPSwaypointsduringprelaunchoperations.”Table5UAVOperatorUCAs
OperatorNotProvidingCausesHazard
ProvidingCausesHazard
IncorrectTiming/Order
StoppedTooSoon/AppliedTooLong
GPSWaypoints
…duringprelaunchoperations(H3)…whenmissionchanges(H3)
…whenGPSwaypointsdonotalignwiththemission(H3)…whenthewaypointspresentaconflictwithotheraircraft(H2)…whentheroutelengthexceedsthefuelonboard(H4)...whentherouteisoutsideofLOSradiusandBLOSisnotbeingused(H3,H4)
…afterLOSislost,butbeforeBLOSradiolinkisestablished(H3,H4)…aftertheUAVreachesbingofuel(H4)
…whenthenumberofwaypointsexceedthestoragecapacityoftheautopilot(H3)…whenthelistofwaypointsisnotcompletefortheentiremission(H3)
58
Altitude
…whentheGPSwaypointsareupdated(H1,H2,H3)
…whenthealtitude,coupledwiththeprogrammedwaypointsarenotaboveminimumobstacleclearancealtitude(MOCA)(H1)…whenthealtitudeconflictswithothertraffic'saltitudeblocks(H2)…whenthealtitudeisaboveicinglevelandtheUAVfliesthroughclouds(H4)
…afterLOSislostduetoterrainmasking,butbeforeBLOSradiolinkisestablished(H3)
…whenthealtitudeassignmentsexceedthenumberofGPSwaypoints(H3)…whentherearefeweraltitudeassignmentsthanwaypointsanditdoesnotincludetheentiremission(H3)
Airspeed
…duringachangeinflightorenvironmentalconditions(H1,H4,H6)
…whentheairspeedprovidedisatorbelowstallspeed(H4)…whentheairspeedisaboveVNE(H6)…whenflightplanningfueldurationwasbasedonauto(maxendurance)airspeed,butahigherairspeedisset(H3,H4)…withanairspeedvaluethatwillcreateaconflictwithotheraircraft(H2)
…aftertheUAVstalledduetoslowflight(H4)…afterstructuraldamagefromflyingaboveVNE(H6)
…whentheairspeedassignmentsexceedthenumberofGPSwaypoints(H3)…whentheairspeedassignmentsarefewerthanthenumberofGPSwaypoints(H3)
EngineStart
…duringprelaunchenginerun-up(H3)…duringbeforetakeoffprocedure(H3)…whentheenginefailsinflightandtheengineneedstoberestarted(H4)
…whengroundpersonnelarenearthepropellers(H1)
…whentheenginefailsinflight,butaftertheUAViscommittedtolanding(H1) N/A
59
LaunchNow
…duringtakeoff(H3)
…whentherunwayisnotclear(H2)…whentheUAVisnotontherunway(H5)
…beforegroundpersonnelhaveclearedthearea(H1)…aftertheUAVisairborne(H4) N/A
LandNow
…whentheUAVisinthepatternandatminimumfuel(H4)…whentheUAVisattheairfieldandotheraircraftareattemptingtoenterthepattern(H2)
…whentherunwayisnotclear(H2)…whentheUAVisnotattheairfield(H1)
…beforetheUAVcompletestheairfieldarrivalprocedure(H1,H2) N/A
LostLinkProcedure
…duringflightoperations(H1,H2)
…whenthelostlinkprocedurewaypointsconflictwithotheraircraft(H2)…whenthelostlinkprocedureisnotatoraboveMOCA(H1)
…beforeterrain,conflictingtraffic,orweathernecessitatealostlinkprocedureupdate(H1,H2)
…whenthewaypointsexceedthestoragecapacityoftheautopilot(H1,H2)
PayloadPowerOn
…whenUAVisoverthetargetarea(H3)
…whenthealternatorfails(H4) N/A N/A
PayloadPowerOff
…whenthealternatorfails(H4)
…whentheUAVisoverthetargetarea(H3) N/A N/A
60
Table6UAVVMSUCAs
VehicleManagementSystem
NotProvidingCausesHazard
ProvidingCausesHazard
IncorrectTiming/Order
StoppedTooSoon/AppliedTooLong
Roll,Pitch,Yaw
…whentheUAVisoffcourse(H1,H2,H3)
…whentheroll,yaw,orpitchcommandexceedsaircraftattitudelimits(H4)…whentheroll,pitch,yawcommandsteerstheUAVoffcourse(H1,H2,H3)
…whenthethrottleisreducedinordertodescend,butthesubsequentpitchdowncommandisdelayed(H4)…whenthethrottleisincreasedforaclimb,butthesubsequentnoseupcommandisdelayed(H6)
…theactuatordisplacementisnotbroughtbacktoneutralwhentheaircraftreachesthetargetheading/descent/ascent(H1,H2,H3)…theactuatordisplacementisbroughtbacktoneutralbeforetheUAVreachesthetargetheading/descent/ascent(H1,H2,H3)
ThrottleSetting
…whenenvironmentalconditionschange(H4,H6)…whentheUAVisinasustainedturn,whichreduceslift(H1,H2)
…whenthethrottlesettingisnotenoughtomaintainanairspeedabovestallspeed(H4)…whenthethrottlesettingacceleratestheaircraftaboveVNE(H6)
…reducesthrottletoolateaftertheUAVflaresforlanding(H1,H5)
…whentheacceleratestoatargetspeed,butthethrottleisnotreducedbeforereachingVNE(H6)…whentheUAVdeceleratestoatargetspeed,butthethrottleisnotincreasedbeforereachingstallspeed(H4)
OncetheUCAtablesarepopulated,safetyconstraintstopreventeachoftheUCAsmustbeidentified.AnexampleofthesafetyconstraintsfortheGPSwaypointscontrolactionareshowninTable7.TheentiretableofsafetyconstraintscanbefoundinAppendix2.Table7ExampleofSafetyConstraintsDerivedfromUCAs
UCADesignator UCA Hazards Constraint
C1TheoperatordoesnotprovidetheGPSwaypointsduringprelaunch
operationsH3
TheoperatormustprovideGPSwaypointsduringprelaunchoperations
61
C2 TheoperatordoesnotprovideupdatedGPSwaypointswhenmission
changes
H3
TheoperatormustprovideGPSwaypointsduringthemissionwhenthemission
changes
C3TheoperatorprovidestheGPS
waypointswhentheydonotalignwiththemission
H3Theoperatormustnot
provideGPSwaypointsthatdonotalignwiththemission
C4 TheoperatorprovidestheGPSwaypointswhentheypresenta
conflictwithotheraircraft
H2
TheoperatormustnotprovideGPSwaypointsthatpresentaconflictwithother
aircraft
C5 TheoperatorprovidesGPSwaypointsandtheroutelengthexceedsthefuel
onboard
H4
TheoperatormustnotprovideGPSwaypointsforaroutethatexceedsthefuel
onboard
C6 TheoperatorprovidesGPSwaypointsthatcreatearouteoutsideofLOSradiusandBLOSisnotbeingused
H3,H4
TheoperatormustnotprovideGPSwaypointsthatcreatearouteoutsideLOSradiusifBLOSisnotbeing
used
C7TheoperatorprovidesGPSwaypointsafterLOSislost,butbeforeBLOS
radiolinkisestablishedH3,H4
TheoperatormustprovidewaypointswhiletheUAVisin
LOS
C8 TheoperatorprovidesGPSwaypointsaftertheUAVreachesbingofuel
H4
TheoperatorprovidesGPSwaypointstobringtheUAVbacktotheairfieldbeforethe
UAVreachesbingofuel
C9 TheoperatorprovidesGPSwaypointsandthenumberofwaypointsexceedthestoragecapacityoftheautopilot
H3
TheoperatormustnotprovideGPSwaypointsforaroutethatexceedsthefuel
onboardSTPAStep2:ScenarioGenerationThesecondstepofSTPAistogeneratethescenarios.Themajorityoftheactionabledatathatcanbeimplementedintothesystemdesignwillcomefromthisstep.Itisnotenoughtojustunderstandwhatcanhappen,buttounderstandhowitcouldhappen.Oncethe‘how’isknown,constraintsaredevelopedtopreventthehazardfromoccurring.ThescenariosweregeneratedusinganewmethodrecentlydevelopedbyDr.JohnThomas.Themethoddividesthescenariosintotypesbytheirlocationonthesafetycontrolstructure.Thefourtypesare:
1. Commandnotfollowedorfollowedinadequately
62
2. Inappropriatedecision3. Inadequatefeedbackorotherinputs4. Inadequateprocessbehavior(27)
Figure22ScenarioTypesonControlStructure
Previously,whengeneratingscenarios,aperson(orpeople)wouldexaminethesafetycontrolstructureandcomeupwithscenarios,inabrainstormingtypeofmanner.Whilethisproducesgoodresults,itdoesnotnecessarilyensurecoverageoftheentirecontrolstructure.JustasbucketingUCAsintofourcategoriesensureseachtypeofUCAisconsidered,bucketingscenariosensurescoverageacrossthecontrolstructure.ThetypeofscenarioandcorrespondinglocationonthecontrolstructureisshowninFigure22.UCAV2states,“TheVMSprovidesroll,pitch,oryawwhenthecommandexceedsaircraftattitudelimits.”ThehazardassociatedwiththisUCAisH4“UAVdepartscontrolledflight.”Thefollowingscenariosweregeneratedusingthenewprocedure: V.2.1TheVMSdoesnotprovidetheroll,pitch,oryawcommand,buttheaileron,
elevator,andrudderreceivethecommand.Ashortedwireprovidespowertotheactuatorcausingtheaileron,elevator,orruddertomove.Theaileron,elevator,andrudderreceivethecommandeventhoughtheVMSdidnotcommandit.(Type1)
V.2.2TheVMSprovidestheroll,pitch,oryawcommandandexceedlimitsforthecurrentflightcondition.TheVMSwasprogrammedwithonesetofattitudelimits,ratherthanasetofattitudelimitsfordifferentflightconditions(altitude&speed).Thecommanddidnotexceedtheprogrammedlimits,butitdidexceedactuallimitsforthatparticularflightcondition.(Type2)
V.2.3TheVMSprovidesaroll,pitch,oryawcommandthatitbelieveswillresultinanattitudewithinlimits,howevertheattitudeisactuallyoutoflimits.Theaeromodelling
63
ofthesystemwasnotvalidated,andthemagnitudeofthecommandistoolarge.Thecommandedattitudeisactuallyoutoflimits.(Type2)
V.2.4TheVMSprovidesaroll,yaw,orpitchinputtocorrectaninvalidattitudeindicationitisreceivingandexceedsattitudelimits.Theinvalidfeedbackisduetoavacuumpumpfailurethatrenderstheattitudeindicatorinoperative.Thecommandexceedsattitudelimits,buttheVMSdoesnotrecognizetheexceedenceduetotheinvalidattitudeindication.(Type3)
V.2.5TheVMSprovidesaroll,pitch,oryawcommandthatisappropriateforstayingwithintheUAVattitudelimits.Theactuatorwasconnectedtothecablesbackwards,andtheVMSinputhastheoppositeeffect(rollleftinputrollsUAVright).TheVMScontinuestocommandinthesamedirectioninanattempttocorrecttheattitudeeventuallyexceedingaircraftlimits.(Type4)
Notethat,justaswithUCAs,therecanbemorethanonescenarioforeachtype.Infact,thatshouldbeexpected.Intheexamplesabovetheitalicizedfontistherefinedscenarioandtheregularfontisthegeneralscenario.Thescenariotypeinformsthegeneralscenario.Therefinedscenarioisbasedonknowledgeofthesystemandtheoperationalcontext.Theremaybemorethanonerefinedscenariopergeneralscenario.DividingupthescenariosassistsfacilitationofanSTPAanalysis.AnSTPAexpertcanderivethegeneralscenarios,thenworkwiththesystemandoperationalexpertstodeterminetherefinedscenariosthatareapplicabletothespecificuseofthesystem.ThisprocessalsorevealsadditionalhazardsassociatedwiththeUCAsthatmightnotbeapparentduringUCAdevelopment.Intheexampleabove,theUCAisassociatedwiththehazardH4.ScenarioV.2.5isassociatedwithanadditionalhazard,H5,“UAVdepartsapron,taxiway,orrunwayduringgroundoperations.”In1995,amishapsimilartothisscenariooccurred.Thelongitudinalandlateralcontrolswerecrossed,resultinginpitchinputscausingrolloutputs.(28)Theaircraftwasunabletotakeoff,andranofftherunway,killingthepilot.Thescenariogenerationprocessservestohelpstimulateideaswhendevelopingscenarios,resultinginmorescenariosandcoverageacrossthecontrolstructure.TherestofthescenariosarefoundinAppendix2.Oncethescenariosaregenerated,safetyconstraintsmustbeidentifiedtopreventthescenariofromoccurring.Thesescenariosprovideactionableinformationthatcanbeimplementedintothesystemdesignoroperations/maintenanceprocedures.Thesafetyconstraintsforthescenariosshownaboveareasfollows:
SC.V.2.1Wiringmustbedesignedtowithstandtheflightenvironment,andinspectedbeforeflight.SC.V.2.2TheVMSmustbeprogrammedwithlimitsatallflightconditions.SC.V.2.3Theaeromodelmustbevalidatedfortheentireflightenvelopeandflightconfigurationstoincludeabnormalconfigurations
64
SC.V.2.4AsecondaryattitudeindicatormustbeincludedintheUAVdesignasabackuptothemainattitudeindicator.TheVMSmustreceivefeedbackofavacuumpumpfailuresothatitcanswitchtothesecondaryattitudefeedbackSC.V.2.5Afteranycontrolsurfacerelatedmaintenance,acontrolscheckmustbeaccomplished.Acontrolscheckmustalsobeaccomplishedduringpreflight.Considerdifferentconnectorsforthedifferentdirectionssothatitcannotphysicallybeconnectedbackwards.
UAVSTPASummaryTheSTPAanalysisontheUAVresultedin211scenariosandassociatedsafetyconstraintsfortheoperator,and65scenariosandsafetyconstraintsfortheVMSforatotalof276scenarios.Severalofthesafetyconstraintsareapplicabletomorethanonescenario.Manyofthesafetyconstraintsarealsoalreadyimplementedintheprogramthroughoperationalproceduresordesigndecisions.Constraints,alongwiththeirassociatedUCAandscenario,thatmaybeofinteresttotheprogram.Thesescenariosarehighlightedtoillustratecoverageacrossdesign,testing,maintenance,andoperations.Designconstraints:V12.TheVMSprovidesareducedthrottlesettingtoolateaftertheUAVflaresforlanding. ScenarioV.12.3.TheVMSprovidedthecommandlateduetoincorrectsystem
feedback.Thelaseraltimeterismalfunctioningandprovidingincorrectaltitudedata.TheVMSbelievestheUAVistoohighforareducedthrottlesetting.
SafetyConstraintSC.V.12.3.TheUAVmustbedesignedtodetectlaseraltimetermalfunctions.Thelaseraltimetermustbeinspectedregularlyforproperfunction,andtheexteriormustbecleanbeforeflight.
V14.TheVMSprovidesathrottlesettingtodeceleratetoatargetspeed,butthethrottleisnotincreasedbeforereachingstallspeed. ScenarioV.14.5.TheVMSprovidedthecommandtoincreasethethrottleoncetarget
airspeedwasreached,howeverthethrottlewasnotincreased.Thepowersystemdidnotprovidepowertotheactuatorduetoapowersystemfailure.
SafetyconstraintSC.V.14.5.Flightcriticalcomponentssuchasactuatorsmusthavebackuppowersothattheaircraftmaybelandedafterapowersystemfailure.
TheUAVprogramhasexperiencedtwomishapsassociatedwithpowerloss.Thefirstmishapwasduetoanalternatorbeltfailure.TheUAVwasredesignedwithtwoalternatorstoprovideredundantpowerafterthemishap.Thesecondmishapwasduetoawiringerror.BothalternatorswerewiredtoasupplywirethatconnectedtotheVMS.Thesupplywireeitherbroke,orhadalooseconnectorwhichresultedinVMSpowerloss.TheUAVhasbeensinceredesignedagaintoprovideasupplywirefromeachalternatortotheVMS,andthebatterystoresenoughpowerfor5hoursofflightwithonlyflightessentialsystemspoweredon.Whilethisscenariodoesn’tdirectlydiscussthesespecificdesignissues,itdoescoverensuringthatflightcriticalcomponentsarepowered.Asthedetaileddesignisdeveloped,theSTPAanalysiswouldalsobecomemoredetailedandaddressthesespecificissues.
65
Testingconstraints:V6.TheVMSprovidesaroll,pitch,oryawcommand,buttheaileron,elevator,orrudderisnotbroughtbacktoneutralwhentheaircraftreachesthetargetheading/descent/ascent ScenarioV.6.2.TheVMSprovidesacommandtoreturntheaileron,elevator,orrudder
backtoneutral,howevertheaeromodelisincorrectandtheaircraftdidnottakeaslongasexpectedtoreachthedesiredheading/descent/ascent.
SafetyconstraintSC.V.6.2.Theaeromodelmustbevalidatedfortheentireflightenvelopeandflightconfigurationstoincludeabnormalconfigurations.
ThemostrecentUAVmishapwasduetoanenginefailureaftertakeoff.TheUAVwasatanaltitudethatallowedtheoperatortoturntheUAVbacktowardstheairfieldforadeadsticklanding.Theautopilotdidnotaccountforthelackofthrustandwascommandingthrust(eventhoughthrustcommandshadnoeffect).Deadstickflightwasnevertested,thereforetheaeromodelwasnotvalidated.TheUAVlandedhard,resultinginrepairabledamage.Engineoutaeromodellingwasnevervalidatedbecauseoftheriskassociatedwiththetest.Itisrecommendedthatabnormalconditionsaretestedexactlybecauseoftheassociatedrisk.Itismuchbettertofindoutthattheaeromodelisincorrectincontrolledtestconditionsratherthanabusyoperationalairfieldwherethepotentialtostrikepeopleandequipmentisgreater.Itisnotnecessarytolandtheaircraftinanengineoutcondition.Rather,thetestshouldoccurhigheraltitudessothattheenginemayberestartedbeforelanding.Ifthereareotherabnormalconditionsthatwerenotvalidateditisrecommendedthattheprogramvalidatesthoseconditions.C11.TheoperatordoesnotprovidealtitudewhentheGPSwaypointsareupdated ScenarioC.11.4.TheoperatorprovidesanewaltitudeassignmentwiththeupdatedGPS
waypoints.ThealtitudeisnotattainedbytheUAV,howeverbecausetheadditionalalternatorsreducemaxengineRPM,thusdecreasingtheservicealtitudeoftheUAV.
SafetyconstraintSC.C.11.4.Simulationandflighttestmustbeaccomplishedtovalidatethelimitationsofthebaselineaircraftorvalidatenewlimitationsduetomodifications
Maintenanceconstraints:V6.TheVMSprovidesaroll,pitch,oryawcommand,buttheaileron,elevator,orrudderisnotbroughtbacktoneutralwhentheaircraftreachesthetargetheading/descent/ascent. ScenarioV.6.1.TheVMSprovidesacommandtoreturntheaileron,elevator,orrudder
backtoneutral,howeverthecommandwasnotreceivedduetoapowersystemfault.Wiringorconnectionstotheactuatorarebroken,keepingtheactuatorfromreceivingthesignal.Or,asystempowerfailure(suchasanalternatorfailure)occurs,andtheactuatorsarenotonbatterypower.
SafetyconstraintSC.V.6.1Wiringmustbeinspectedduringpreflightandmustbedesignedtowithstandvibrationsassociatedwithflight.Thepowersystemmustbedesignedsuchthatapowersystemfailuredoesnotresultinlossofactuatorpower
66
Ifahazardisnotcontrolledbydesign,itmustbecontrolledthroughoperationsormaintenanceprocedures.Hence,anyflightcriticalcomponentssuchaswiringmustbeinspectedbeforeflight. ScenarioV.6.4.TheVMSprovidedacommandtoreturnthecontrolsurfaceactuatorto
neutral,howeverthecontrolsurfacedidnotmoveasexpected.Theactuatorlinkageorcableisbroken,andtheaileron,elevator,orrudderisnolongercontrollable
SafetyconstraintSC.V.6.4.Actuatorsandcablelinkagesmustbeinspectedonaregularbasisandduringpreflightinspections.
Operationalconstraints:C1.TheoperatordoesnotprovidetheGPSwaypointsduringprelaunchoperations. ScenarioC.1.1.TheoperatorprovidestheGPSwaypoints.AsecondUAVsortieis
beginningatthesametime,andtheGPSwaypointsaresenttothewrongUAV.TheintendedUAVdoesnotreceivethewaypoints
SafetyconstraintSC.C.1.1.EitherUAVoperationsshouldbedeconflicted,orproceduresputinplacetoensurethecontrolstationislinkedtothecorrectaircraft.Ifanincorrectlinktakesplacealldatamustbeverifiedtoensureitiscorrect.
Currentoperationsmaynotbeofahighenoughtempothatmorethanoneaircraftisoperatedatatime,howeverconsiderationsforhighertempooperationsareimportanttoidentifyinordertoeasilyandsafelyscaleupifitisrequired.Theinterferencemayalsocomefromanaircraftorgroundstationundergoingmaintenancecheckoutsortraining,sothoseoperationsmustalsobeaccountedfor.Additionally,otherUAVprogramsusingsimilarequipmentmayinterferewiththisUAV’soperation.Currently,theoperatorverifiesthattheyarelinkedtothecorrectUAVbyusingautopilotidentification.Therefore,theprogrammustalsoconsiderthepossibilityofmaintenancereplacingtheautopilot,orswitchingittoanotheraircraftfortroubleshooting,andnotdocumentingitcorrectly.C31.Theoperatorprovidesenginestartcommandwhentheenginefailsinflight,butafterthe
UAViscommittedtolanding. ScenarioC.31.3.Theenginequitsbecausetheoperatordoesnotswitchfueltanks,and
thecurrentlyselectedfueltankisempty.Theoperatorattemptstorestarttheengine,butisunsuccessful.Duringthelandingsequence,theoperatorrealizesthefuelfeederror,switchestanks,andsuccessfullyrestartstheengine.However,theUAVistooclosetotheground,andtheautopilotdoesnottransitionsafelyfromengineoffperformancetoengineonperformance.
SafetyconstraintSC.C.31.3.TheoperatormustverifyfuelstateandswitchtanksduringenginefailureemergencyproceduresiftheUAVisabovesaferestartaltitude.TheUAVautopilotmustbedesignedtotransitionsmoothlybetweenengineoffandengineonperformance.
Inmostgeneralaviationaircraftthatrequirethepilottoswitchbetweentanks,engineoutemergencyprocedurescallforswitchingthefueltanktoensurethatfuelstarvationwasnota
67
causeoftheenginefailure.ThisUAV’smanualdoesnothaveasuchastep.Itisrecommendedthattheprograminvestigatesaddingthesteptotheiremergencychecklist. ScenarioC.31.4.Theoperatorattemptstorestarttheengine,buttheenginedoesnot
restart.Theoperatorcontinuestoattemptarestartastimepermits,inaccordancewiththechecklist.TheUAVisflyingfarfromtheairfield,andtheexactheightabovegroundisnotknown.Theoperatorcontinuestoattemptrestartandfinallydoesrestarttheengine,buttheUAVdescendedtoolowandimpactsterrain
SafetyconstraintSC.C.31.4.Duringmissionplanning,operatorsmustdetermineminimumrestartattemptaltitudesforeachlegoftheroutethatisbasedonasafepressurealtitude,sinceexactaltitudeabovegroundmaynotbeknown.Thelaseraltimetermustbeonbatterypowerforusetodetermineheightaboveterrain.
TheemergencyproceduresappeartoassumethattheoperatorwillalwaysbeawareoftheUAV’sheightabovethegroundinordertomakeadeterminationofwhethertocontinuetorestarttheengine,orbeginditching/landingoraerodynamicterminationprocedures.However,whentheUAVisoveruneventerrain,suchashillsormountains,farawayfromtheairfieldthatinformationmightnotalwaysbereadilyavailable.Therefore,itisrecommendedthatduringmissionplanningtheoperatorschoosesomeminimumaltitudewheretheywillstopattemptingarestartforeachlegoftheroute.Thealtitudewouldbebasedonthehighestobstaclewithintheparticularleg.
C41.Theoperatordoesnotprovidelostlinkproceduresduringflightoperations. ScenarioC.42.2Theoperatordoesnotbelievethatthelostlinkprocedureneedstobe
updatedbecausetheprocedurewasrecentlyupdatedperaregularschedule.However,terrain,weather,orconflictingtrafficbetweentheUAVandairfieldhavechangedalongtheroutesincethescheduleupdate.Theoperatordoesnotprovidethelostlinkproceduresbecauseitisn’ttime,yet.
SafetyConstraintSC.42.2.ThelostlinkproceduresmustbeupdatedbasedonrouteoftravelandobstaclesbetweentheUAVandtheairfieldratherthantiming.Iftimingremainsthepreferredmethod,considercontinuingtherouteofflighttoapointknowntobefreeofobstaclesandthenreturntotheairfield–timingforlostlinkupdates&timingforreturntobasedoesn’twork.Oneneedstobebasedongeography/obstacles.
Thecurrentproceduresrequiretheoperatortoupdatelostlinkproceduresatregulartimeintervals.IftheUAVisflyingoveruniformlylowterrainfortheentireflightwithnootherobstaclessuchasconflictingtrafficorweatherbetweentheUAVandtheairfield,timeintervalsmaybeappropriate.However,foranysituationwhereterrain,traffic,andweatherareconsiderationsforlostlinkproceduresitisnotappropriate.Recommendreevaluatinglostlinkflightplanningproceduresbasedonthesafetyconstraintabove.AfulllistofthesafetyconstraintsisfoundinAppendix2.
68
ThisUAVusecaseillustrateshowSTPAwouldbeusedduringsystemdesign.Thesafetycontrolstructuredoesnotcontainallthedetailsofafinishedproduct,yetasignificantofamountinformationwasgenerated.Safetyconstraintscoveredareassuchasmaintenance,operations,design,andtest.Werethisprogramstillinthedesignphase,theconstraintswouldbeincorporatedinthesystemdesign,andtestandoperationsplanning.Oncethenextlevelofdesigndetailiscreated,theSTPAanalysisisextendedtoincludethatdetail.InEngineeringaSaferWorld,Levesonreferstothisprocessassafetyguideddesign.(8)Figure23showsthatdesigndecisionsfeedintothehazardanalysis,whichinturnfeedsbacksafetyconstraintstobeimplementedinthedesign.
Figure23Safety-guideddesign(8)
Themoretightlycoupledthisfeedbackloopis,thefasterdesignerswillidentifysafetyconstraintsthatmustbeincorporatedinthedesignrequiringlessrework.
69
ConclusionsThisthesisshowsthatSTPAisnotonlyuseful,butthatamoredevelopedsystems-basedsafetyprocessisnecessarytoensurethatthesystemsprovidedtothewarfighteraresafe.Asystems-basedprocesstiesthesafetyanalysistogetherthroughtheentirelifecycleofthesystemfromconceptdevelopmenttooperations.Theprocessalsonotonlyinformsthedesignofthephysicalsystem,butalsooftheentiresystemtoincludesupportandoperationsconstructs.IfSTPAistohaveameaningfulimpactonaircraftsafetyintheAirForce,itcannotsimplybeimplementedontopofcurrentsafetyprocesses.Programofficesdonotneedmorework,astheyareverybusyasitis.Whattheyneedisacohesivesystems-basedsafetystrategythatpromotesthoughtfulsystemdesignandmaintainssafetythroughoutthelifecycleofthesystem.Initialadoptionmayprovechallenging.ItmaybedifficulttoconvinceAFLCMCtoswitchfromcurrentprobabilisticassessmentstoSTPA.Likely,STPAwillinitiallybedoneinconjunctionwithcurrentprocessesonatrialbasis.Intheshort-term,thismeansmoreworkforthePOthatdecidestotrySTPA.Inthelong-term,oncethenewapproachtosafetyisproven,thenworkloadwilldecrease.Infact,incomparisonswithfaulttrees,FMEAs,andothertraditionalhazardanalysistechniques,STPAhasbeenfoundineverycasetobeordersofmagnitudecheaper.OnemethodtointroduceSTPAtotheacquisitionsprocessisthroughairworthiness.Thesystemsafetyprocessflowsfromairworthinesscertificationrequirements.IftheairworthinessofficeacceptsSTPA,systemsafetyprocesseswilladjusttomatchthenewcertificationstandard.Infact,theFAAiscurrentlylookingintoallowingSTPAtobeusedasanalternativemethodtotheSAEARPstandards.Itisoftenthoughtthatsafetyisatoddswithdesignandprogramefficiency.However,thisisnotthecasewithSTPAbecauseitisasystems-basedanalysis.NotonlyisSTPAcheapertoperformthancurrenthazardanalysistechniques,butusingSTPAduringthedesignprocesswillsavesystemprogramofficestimeandmoneyinreworkthatisdiscoveredafterthedesignprocessiscompleteduringdevelopmentaltesting.
70
AcronymListing AF–AirForceAoA–AnalysisofAlternativesBLOS–BeyondLineofSightCAST–CausalAnalysisbasedonSTAMPCDR–CriticalDesignReviewCOTS–CommercialofftheshelfDT–DevelopmentalTestEBAO–Effects-BasedApproachtoOperationsEMD–Engineering,Manufacturing,andDevelopmentFMEA–FailureModesandEffectsAnalysisFMECA–FailureMode,Effects,andCriticalityAnalysisFOC–FullOperationalCapabilityFTA–FaultTreeAnalysisGPS–GlobalPositioningSystemHAZOP–HazardandOperabilityStudyJSTARS–JointSurveillanceTargetAttackRadarSystemLOS–LineofSightLRIP–Low-RateInitialProductionMAJCOM–MajorCommandMEFR–MilitaryFlightReleaseMOCA–MinimumObstacleClearanceAltitudeMRFR–MilitaryRestrictedFlightReleaseMTC–MilitaryTypeCertificateOT–OperationalTestO&S–OperationsandSupportOT&E–OperationalTestandEvaluationPM–ProgramManagerPO–ProgramOfficeRFP–RequestforProposalSE–SystemsEngineeringSEP–SystemEngineeringPlanSRD–SystemRequirementsDocumentSTAMP–Systems-TheoreticAccidentModelandProcessesSTPA–SystemTheoreticProcessAnalysisTAA–TechnicalAirworthinessAuthorityTEMP–TestEvaluationMasterPlanTO–TechnicalOrderUAV–UnmannedAerialVehicleUCA–UnsafeControlActionUI–UserInterfaceVMS–VehicleManagementSystem
71
VNE–VelocityNottoExceed
72
Appendix1:JSTARSSTPAAnalysis Table8JSTARSScenarios
UCA Hazards Number Main Scenario Description Safety Constraint
JSTARS does not provide target coordinates to support aircraft when the target needs to be engaged (H4)
H4 J.1.1
JSTARS provides target coordinates, but the support aircraft did not receive them. The communication was jammed by enemy forces
JSTARS must be able to overcome communications jamming by enemy forces
J.1.2
JSTARS provides target coordinates, but the support aircraft did not receive them. The support aircraft does not have compatible communications capabilities
JSTARS must be designed to communicate with all potential support aircraft
J.1.3
JSTARS does not provide target coordinates to the support aircraft because JSTARS does not believe the target needs to be engaged. The JSTARS believes either the enemy does not currently pose a threat to friendly forces.
JSTARS must be able to determine threats to friendly forces and provide target coordinates to support aircraft to prevent the enemy from engaging friendly ground troops
J.1.4
JSTARS does not provide target coordinates to the support aircraft. The JSTARS does not know that the support aircraft has the appropriate munitions to engage the target
JSTARS must be provided weapons stores information for support aircraft in the area
73
J.1.5
JSTARS does not provide target coordinates to the support aircraft. The JSTARS does not know that the support aircraft is in the area
JSTARS must be aware of support aircraft in the area
J.1.6
JSTARS does not provide target coordinates to the support aircraft. JSTARS cannot detect the location of enemy forces
The JSTARS must be able to detect enemy forces and determine their location
J.1.7
Ground troops requested that the target be engaged to the JSTARS controller coordinating with ground troops, but that message was not relayed to the controller coordinating with support aircraft
JSTARS must be designed to provide coordination between ground troops and support aircraft
J.1.8
JSTARS provides target coordinates, but the support aircraft does not engage the enemy. The support aircraft detects enemy air defenses that the JSTARS does not, and decides not to engage
JSTARS must either detect all enemy air defenses, or receive air defense data from other sources. JSTARS must then provide target coordinates to the support aircraft outside enemy air defense capabilities
JSTARS provides target coordinates, but the coordinates are not where the enemy is located (H2, H3)
H2, H3 J.2.1
The JSTARS provided accurate target coordinates via a datalink to the support aircraft, however enemy forces were able to corrupt the transmission
The JSTARS datalinks must be secured from enemy disruption
74
J.2.2
JSTARS provides coordinates, but they are not were the enemy is located. JSTARS is unable to differentiate between enemy forces, friendly forces, and civilians in the area.
JSTARS must either be able to differentiate between enemy, friendly, and civilians or use other sources to provide target differentiation
J.2.3
The JSTARS sensor data is inaccurate, and the coordinates provided do not match the actual location of the enemy
JSTARS sensor data must be accurate in order to determine the location of the enemy
J.2.4
The JSTARS provided coordinates of an area to avoid, due to presence of civilians or friendly forces, but the support aircraft believed these were target coordinates
JSTARS must be able to provide areas to avoid without those areas being misinterpreted as target coordinates
JSTARS provides target coordinates to support aircraft that are within contested airspace (H6)
H6 J.3.1
The target is located on the edge of enemy air defenses. JSTARS provides coordinates and a vector to the target that will avoid the defenses, however the vector is 180 degrees off, causing the support aircraft to travel through contested airspace
JSTARS must ensure that vectors to target coordinates are such that the support aircraft will not travel through contested airspace
J.3.2
JSTARS provides target coordinates to support aircraft that are within contested airspace. JSTARS does not believe the radius of the air defenses is large enough to endanger support aircraft that engage the target
JSTARS must have accurate information regarding enemy capabilities
75
J.3.3
JSTARS does not detect the enemy air defenses, and therefore does not recognize that the target coordinates are within contest airspace
JSTARS must either be able to detect enemy air defenses or be provided enemy air defense data prior to the operation
J.3.4
The air defenses were supposed to be disrupted, however they were not. JSTARS did not receive feedback that efforts to destroy/disrupt the defenses were unsuccessful and provided target coordinates to the support aircraft that are within contested airspace
Feedback must be provided to the JSTARS if efforts to disrupt enemy air defenses are unsuccessful
JSTARS provides target coordinates before the enemy forces have separated from civilians (H3)
H3 J.4.1
JSTARS provides target coordinates to a support aircraft with instructions to wait until the civilians are no longer in proximity of the enemy forces. The communication is disrupted, and the instruction to delay was not received
JSTARS must have undisrupted communications with support aircraft
J.4.2
JSTARS misinterprets the rules of engagement and believes that the collateral damage is acceptable and does not wait for the civilians to no longer be in proximity of enemy forces
JSTARS must understand the rules of engagement and must communicate questions regarding the rules to AOC if there are concerns regarding civilian safety
J.4.3
JSTARS is not aware of civilian presence, and therefore does not know to wait until enemy and civilians are not longer in proximity
JSTARS must either be able to detect a civilian presence near enemy forces or be provided the data from other sources
76
J.4.4
After JSTARS provides target coordinates civilians move into proximity with civilian forces. JSTARS does not have time to call off the attack
JSTARS must monitor area around enemy forces and be able to determine if civilians may move into the area (for instance, driving on a road in the direction of enemy forces)
J.4.5
JSTARS provides target coordinates to a support aircraft, however that aircraft is unable to engage the target. The aircraft's wingman engages the target instead. The first aircraft had smaller munitions that would result in more localized damage, but the second aircraft had larger munitions with a larger effective radius that included the civilian position
If the original aircraft is unable to engage the target and a second aircraft is utilized, JSTARS must determine the suitability of the second aircraft's weapons before allowing the engagement to continue
JSTARS provides target coordinates after the enemy leaves the target location (H2, H3)
H2, H3 J.5.1
JSTARS provides target coordinates after the enemy leaves the target location. The JSTARS does not detect that the enemy has moved away from the target coordinates.
The JSTARS must be able to detect enemy forces and determine their location
J.5.2
JSTARS provides target coordinates while the enemy is still in the location, however the support aircraft is delayed in engaging the target due to maintenance issues.
JSTARS must be able to track target and provide the support aircraft with updated coordinates as the target moves
77
JSTARS provides target coordinates to support aircraft after friendly forces have moved towards and engaged enemy forces (H2)
H2, H3 J.6.1
JSTARS provides target coordinates through datalink system. Due to the high volume of traffic across the links, the message was queued and receipt was delayed by the support aircraft
JSTARS must have capability to handle large amounts of communication traffic such that all messages are sent as soon as possible or prioritize high value information.
J.6.2
JSTARS cannot detect the movement of friendly forces, and does not recognize that they are within close proximity of enemy forces
JSTARS must be able to track friendly forces
J.6.3
JSTARS provides target coordinates before friendly forces have engaged the enemy, however the support aircraft is delayed in engaging the target due to maintenance issues
JSTARS must be informed of or able to track friendly positions and provide the support aircraft with updated instructions
JSTARS provides target coordinates to support aircraft after support aircraft expends weapons (H7)
H7 J.7.1
JSTARS does not receive feedback on weapons status of support aircraft, and does not realize that the support aircraft tasked to engage the enemy has expended weapons
JSTARS must receive feedback when support aircraft are out of weapons
J.7.2
The support aircraft has some weapons onboard, but not weapons that are appropriate for the task. JSTARS does not receive feedback on type of weapons loaded on the aircraft
JSTARS must receive feedback indicating what type of weapons the support aircraft are carrying
78
JSTARS does not provide airspace deconfliction when support aircraft are co-altitude in the same airspace (H1)
H1 J.8.1 JSTARS provides deconfliction instructions to the support aircraft, however the communications are disrupted
JSTARS communications with support aircraft must be secure and not able to be disrupted
J.8.2
JSTARS believes that even though the aircraft are co-altitude, they are horizontally deconflicted. However their orbits intersect
If aircraft are in holding patterns awaiting instructions, those patterns must not intersect. JSTARS must be designed to assist JSTARS controllers with deconfliction
J.8.3 JSTARS does not receive feedback regarding the location and altitude of support aircraft
JSTARS must receive feedback regarding location and altitude of support aircraft in order to deconflict them
J.8.4
JSTARS provides deconfliction instructions to separate the aircraft at different altitudes, however one of the aircraft has not switched from airfield altimeter setting to the current altimeter setting in theater and the aircraft are still co-altitude
JSTARS must provide a standard altimeter setting for all aircraft that are in the JSTARS area of responsibility
JSTARS provides support aircraft deconfliction instructions that create a conflict (H1)
H1 J.9.1
JSTARS provides deconfliction instructions that do not conflict with other traffic, however the support aircraft aircrew either mishear or misread the instructions and fly a different route than instructed that causes a conflict
JSTARS must require instruction feedback to ensure oral instructions are understood. If instructions are given via a datalink the JSTARS must be designed to provide the data such that it can be directly input into the support aircraft system
79
J.9.2
JSTARS provides support aircraft deconfliction instructions to one aircraft that puts it in conflict with another aircraft. Aircrew on the JSTARS are responsible for controlling different support aircraft and have no way of deconflicting instructions
JSTARS must be designed so to ensure mission deconfliction among multiple JSTARS controllers for both air assets and ground assets
J.9.3
JSTARS is not aware of all aircraft in the vicinity, and deconflicts support aircraft, but puts support aircraft in conflict with other aircraft
JSTARS must be aware of all aircraft in the area
J.9.4
JSTARS provides deconfliction instructions that do not conflict with other traffic, however the support aircraft also receive instructions from other controllers such as AWACS or ground controllers and follow those instructions
JSTARS must be designed to operate with other controlling functions to prevent conflicting instructions to support aircraft
JSTARS provides airspace deconfliction when the route is too close to terrain (H5)
H5 J.10.1 JSTARS does not provide a route too close to terrain, but the support aircraft receives the route from another source.
JSTARS must be designed such that communication between JSTARS and support aircraft is secure.
J.10.2 JSTARS is not provided with detailed terrain data, and does not realized that the route is too close to terrain
JSTARS must be designed to provide terrain data to controllers and warn controllers if a proposed route is too close to terrain
80
J.10.3
JSTARS provides deconfliction instructions that are above the terrain, however the standard altimeter setting provided to the support aircraft was incorrect resulting in a lower altitude above ground than intended
JSTARS must provide a standard altimeter setting that is appropriate given the atmospheric conditions of the area at the time. The setting must be updated when conditions change
JSTARS provides airspace deconfliction when the new route is through contested airspace (H6)
H6 J.11.1 JSTARS does not provide a route through contested airspace, but the support aircraft receives the route from another source.
JSTARS must be designed such that communication between JSTARS and support aircraft is secure
J.11.2
JSTARS does not detect the enemy air defenses, and therefore does not recognize that the new route is through contest airspace
JSTARS must either be able to detect enemy air defenses or be provided enemy air defense data prior to the operation
J.11.3
JSTARS provides a route that is not through contested airspace, however the support aircraft's navigation is inaccurate or disrupted, causing the support aircraft to fly into contested airspace
JSTARS must either be able to detect the location of aircraft relative to contested airspace or be provided the information in order to correct the support aircraft's heading before it enters contested airspace
JSTARS provides aircraft deconfliction before support aircraft changes radio frequency to JSTARS frequency (H1)
H1 J.12.1
JSTARS instructed an aircraft to maintain an orbit near the entry point into the JSTARS controlled airspace. The incoming aircraft is being handed off to the JSTARS and switching frequencies when the deconfliction call is made
JSTARS must not instruct an aircraft to maintain an orbit near an identified entry point into the airspace.
81
J.12.2
The combat operation is very busy, and JSTARS is overtasked. The JSTARS provides the deconfliction to the aircraft that just entered the airspace, but does not receive a response from the aircraft. Due to the high volume of radio calls, JSTARS does not realize they did not get a response from the aircraft
JSTARS must receive confirmation of instructions. The JSTARS must be designed to ensure safety-critical tasks such as airspace deconfliction are not overlooked
JSTARS provides aircraft deconfliction instructions after a midair collision (H1)
H1 J.13.1
JSTARS provides deconfliction instructions before the aircraft is involved in a midair, but communications were disrupted and the aircraft did not receive the instructions
JSTARS communications with support aircraft must be secure and not able to be disrupted
J.13.2
JSTARS did not recognize that in order for a support aircraft to engage a target it would travel through another aircraft's orbit until the aircraft was in proximity of the other aircraft
JSTARS must be designed to assist the controllers with airspace deconfliction and warn controllers when one aircraft's route will intersect with another aircraft's route or orbit
J.13.3
JSTARS provides aircraft deconfliction instructions to aircraft after it is involved in a midair collision. JSTARS does not receive timely positon reports from aircraft within the area of responsibility
JSTARS must receive real-time or near real-time feedback of support aircraft position and altitude
JSTARS provides partial aircraft deconfliction instructions (H1)
H1 J.14.1
JSTARS provides complete deconfliction instructions, however the communication is disrupted and the aircraft does not receive the entire procedure
JSTARS communications with support aircraft must be secure and not able to be disrupted
82
J.14.2
JSTARS controllers are not aware of all aircraft within the airspace, and believe that just altitude or vectors are required to deconflict the aircraft, but both are actually needed due to multiple conflicting aircraft
JSTARS must be aware of all aircraft in the area
J.14.3
JSTARS controllers provide complete aircraft deconfliction instructions, however the support aircraft only comply with part of the instructions. The support aircraft pilot is unable to comply with the entire procedure
JSTARS must be designed to provide controllers with aircraft location information so that if an aircraft does not follow deconfliction instructions the JSTARS controllers may correct the situation
JSTARS does not provide target coordinates to ground troops when a target needs to be engaged (H4)
H4 J.15.1
JSTARS provides the target coordinates to ground troops, however the communication is disrupted or the ground troops do not have interoperable communications capability
JSTARS must communicate with ground troops, and the communication must be secure and not able to be disrupted
J.15.2
One JSTARS controller coordinates with ground troops and another coordinates with support aircraft. The ground troop controller believed that the support aircraft controller would have a support aircraft engage the target
JSTARS must be designed to provide communication and coordination between controllers
J.15.3
JSTARS does not provide target coordinates to ground troops when a target needs to be engaged. The JSTARS does not receive ground troop request for target coordinates
JSTARS must be designed to receive ground troops requests
83
J.15.4
JSTARS provides target coordinates to ground troops, but they do not engage the enemy. They do not have capability to engage the enemy at the current distance
JSTARS must be aware of ground troops capability
JSTARS provides target coordinates to ground troops, but they are not where the enemy is located (H2, H3)
H2, H3 J.16.1 JSTARS provides accurate target coordinates, but the communication is disrupted and the ground troops receive incorrect data
JSTARS communication must be secure and not able to be disrupted
J.16.2
JSTARS detects personnel presence and determines the personnel are enemy forces, but misinterprets location data. JSTARS provides the information to ground forces, however the coordinates are incorrect
JSTARS must be designed to provide accurate coordinate information
J.16.3
JSTARS sensors detect personnel presence and movement, but cannot determine whether they are civilians, enemy forces, or friendly forces
JSTARS must be able to determine if personnel present are civilians, enemies, or friendlies, or JSTARS must be provided that data from other sources
J.16.4
JSTARS provides accurate target coordinates, but the ground troops misinterpret the coordinates and target a different location
JSTARS must be designed to provide target coordinates consistent with ground troop procedures and equipment so that they do not have to translate the data. JSTARS should be able to communicate directly with ground troop equipment.
84
JSTARS provides target coordinates after the enemy leaves the target location (H2, H3)
H2, H3 J.17.1
JSTARS provides the target coordinates to ground troops, however the communication is disrupted and delayed until after the enemy has moved
JSTARS communication must be secure and not able to be disrupted
J.17.2
JSTARS does not detect enemy movement, either due to the sensor scan rate or sensitivity of sensor, and therefore believes that the original target location is still accurate
JSTARS sensors must be able to detect enemy movement
J.17.3
JSTARS provides the target coordinates before the enemy leaves the target location, however the ground troops delay engagement of the enemy. JSTARS does not continue to monitor the enemy location due to other sensor requests and does not provide ground troops with updated information
JSTARS must be designed to be able to monitor known enemy locations while performing other sensor functions
JSTARS provides target coordinates to ground troops after friendly forces have moved towards and engaged enemy forces (H2)
H2 J.18.1
JSTARS provides target coordinates to ground troops before friendly troops have engaged enemy forces, however the communication is disrupted. JSTARS troubleshoots the problem and resends the coordinates, but by this time friendly forces have moved within close proximity of the enemy
JSTARS communication must be secure and not able to be disrupted. If communication is disrupted, JSTARS must have procedures in place to determine whether or not the commands are still appropriate once communications are reestablished
85
J.18.2
JSTARS recognizes that friendly forces are moving towards the enemy forces in order to engage the enemy, but still provides target coordinates to the ground troops. JSTARS believes that the friendly forces are far enough away from the enemy to allow the ground troops to attack the enemy
JSTARS must be aware of ground ordnance radius and ensure friendly troops are not within that radius.
J.18.3
JSTARS provides target coordinates to ground troops after friendly forces have engaged the enemy. The friendly forces do not provide feedback to either JSTARS or the ground troops in contact with JSTARS indicating they are in proximity of enemy forces
JSTARS must be designed to detect friendly forces in order to prevent providing target coordinates that result in friendly fire. In addition, procedures must be in place to ensure ground troops inform JSTARS of troop movements.
Appendix2:UAVSTPAAnalysisTable9UAVOperatorSafetyConstraints
UCADesignator UCA Hazards Constraint
C1TheoperatordoesnotprovidetheGPSwaypointsduringprelaunchoperations
H3TheoperatormustprovideGPSwaypointsduringprelaunchoperations
C2TheoperatordoesnotprovideupdatedGPSwaypointswhenmissionchanges
H3TheoperatormustprovideGPSwaypointsduringthemissionwhenthemissionchanges
C3TheoperatorprovidestheGPSwaypointswhentheydonotalignwiththemission
H3TheoperatormustnotprovideGPSwaypointsthatdonotalignwiththemission
C4TheoperatorprovidestheGPSwaypointswhentheypresentaconflictwithotheraircraft
H2TheoperatormustnotprovideGPSwaypointsthatpresentaconflictwithotheraircraft
86
C5
TheoperatorprovidesGPSwaypointsandtheroutelengthexceedsthefuelonboard
H4 TheoperatormustnotprovideGPSwaypointsforaroutethatexceedsthefuelonboard
C6
TheoperatorprovidesGPSwaypointsthatcreatearouteoutsideofLOSradiusandBLOSisnotbeingused
H3,H4
TheoperatormustnotprovideGPSwaypointsthatcreatearouteoutsideLOSradiusifBLOSisnotbeingused
C7
TheoperatorprovidesGPSwaypointsafterLOSislost,butbeforeBLOSradiolinkisestablished
H3,H4TheoperatormustprovidewaypointswhiletheUAVisinLOS
C8TheoperatorprovidesGPSwaypointsaftertheUAVreachesbingofuel
H4TheoperatorprovideGPSwaypointstobringtheUAVbacktotheairfieldbeforetheUAVreachesbingofuel
C9
TheoperatorprovidesGPSwaypointsandthenumberofwaypointsexceedthestoragecapacityoftheautopilot
H3 TheoperatormustnotprovideGPSwaypointsforaroutethatexceedsthefuelonboard
C10
TheoperatorprovidesGPSwaypoint,butthelistofwaypointsisnotcompletefortheentiremission
H3 TheoperatormustprovideacompletesetofGPSwaypointsfortheentiremission
C11TheoperatordoesnotprovidealtitudewhentheGPSwaypointsareupdated
H1,H2,H3
TheoperatormustprovideupdatedaltitudeassignmentswhentheGPSwaypointsareupdated
C12
Theoperatorprovidesaltitudewhenthealtitude,coupledwiththeprogrammedwaypointsarenotaboveminimumobstacleclearancealtitude(MOCA)
H1
TheoperatormustnotprovidealtitudesthatarebelowtheMOCA
C13
Theoperatorprovidesaltitudewhenthealtitudeconflictswithothertraffic'saltitudeblocks
H2 Theoperatormostnotprovidealtitudeassignmentsthatconflictwithotheraircraft
C14
TheoperatorprovidesaltitudewhenthealtitudeisaboveicinglevelandtheUAVfliesthroughclouds
H4 TheoperatormustnotprovideanaltitudeabovetheicingleveliftheUAVfliesthroughclouds
87
C15
TheoperatorprovidesaltitudeafterLOSislostduetoterrainmasking,butbeforeBLOSradiolinkisestablished
H3 TheoperatormustprovideanaltitudeassignmentbeforeLOSislost
C16
TheoperatorprovidesaltitudewhenthealtitudeassignmentsexceedthenumberofGPSwaypoints
H3 Theoperatormustprovidethesamenumberofaltitudeassignmentsaswaypoints
C17
Theoperatorprovidesaltitudewhentherearefeweraltitudeassignmentsthanwaypointsanditdoesnotincludetheentiremission
H3 Theoperatormustprovidethesamenumberofaltitudeassignmentsaswaypoints
C18Theoperatordoesnotprovideairspeedduringachangeinflightconditionorenvironmentalconditions
H1,H4,H6 Theoperatormustprovideairspeed
duringachangeinflightphaseorenvironment
C19
Theoperatorprovidesairspeedwhentheairspeedprovidedisatorbelowstallspeed
H4 Theoperatormustnotprovideanairspeedbelowstallspeed
C20TheoperatorprovidesairspeedwhentheairspeedisaboveVNE
H6 TheoperatormustnotprovideanairspeedaboveVNE
C21
Theoperatorprovidesairspeedwhenflightplanningfueldurationwasbasedonauto(maxendurance)airspeed,butahigherairspeedisset
H3,H4
Theoperatormustmonitorthefuelstateandnotprovideairspeedsignificantlydifferentthantheflightplannedairspeedforsubstantialportionsofthecruisephase
C22Theoperatorprovidesanairspeedvaluethatwillcreateaconflictwithotheraircraft
H2Theoperatormustnotprovideanairspeedvaluethatconflictswithotheraircraft
C23TheoperatorprovidesairspeedaftertheUAVstalledduetoslowflight
H4TheoperatormustprovideanairspeedabovestallspeedbeforetheUAVdepartscontrolledflight
88
C24 TheoperatorprovidesairspeedafterstructuraldamagefromflyingaboveVNE
H6
TheUAVairspeedmustneverexceedVNE.IfthereisanexcursionaboveVNE,theoperatormustprovideanairspeedbelowVNEassoonaspossibleandreturntobase.
C25
TheoperatorprovidesairspeedwhenthenumberofairspeedassignmentsexceedthenumberofGPSwaypoints
H3 Theoperatormustprovidethesamenumberofairspeedassignmentsaswaypoints
C26
TheoperatorprovidesairspeedwhenthenumberofairspeedassignmentsarefewerthanthenumberofGPSwaypoints
H3 Theoperatormustprovidethesamenumberofaltitudeassignmentsaswaypoints
C27Theoperatordoesnotprovideenginestartduringprelaunchenginerun-up
H3Theoperatormustprovidetheenginestartcommandduringprelaunchenginerun-up
C28Theoperatordoesnotprovideenginestartduringbeforetakeoffprocedure
H3Theoperatormustprovideenginestartcommandduringbeforetakeoffprocedure
C29
Theoperatordoesnotprovideenginestartcommandwhentheenginefailsinflightandtheengineneedstoberestarted
H4 Theoperatormustprovideenginestartcommandwhentheenginefailsinflight
C30
Theoperatorprovidestheenginestartcommandwhengroundpersonnelarenearthepropellers
H1 Theoperatormustnotprovidetheenginestartcommandwhengroundpersonnelarenearthepropellers
C31
Theoperatorprovidesenginestartcommandwhentheenginefailsinflight,butaftertheUAViscommittedtolanding
H1TheoperatormustnotprovidetheenginestartcommandwhentheenginefailsiftheUAViscommittedtolanding
C32Theoperatordoesnotprovidethelaunchnowcommandduringtakeoff
H3Theoperatormustprovidethelaunchnowcommandduringtakeoff
C33Theoperatorprovidesthelaunchnowcommandwhentherunwayisnotclear
H2Theoperatormustnotprovidethelaunchnowcommandiftherunwayisnotclear
89
C34TheoperatorprovidesthelaunchnowcommandwhentheUAVisnotontherunway
H5TheoperatormustnotprovidethelaunchnowcommandwhentheUAVisnotontherunway
C35
Theoperatorprovidesthelaunchnowcommandbeforegroundpersonnelhaveclearedthearea
H1
Theoperatormustnotprovidethelaunchnowcommandbeforegroundpersonnelhaveclearedthearea
C36TheoperatorprovidesthelaunchnowcommandaftertheUAVisairborne
H4TheoperatormustnotprovidethelaunchnowcommandaftertheUAVisairborne
C37
TheoperatordoesnotprovidethelandnowcommandwhentheUAVisinthepatternandatminimumfuel
H4
TheoperatormustprovidethelandnowcommandwhentheUAVisabovetheairfieldandatminimumfuel
C38TheoperatordoesnotprovidethelandnowcommandwhentheUAVisattheairfieldandotheraircraftareattemptingtoenterthepattern
H2
TheoperatormustprovidethelandnowcommandwhentheUAVmustprovidethelandnowcommandwhentheUAVisinthepatternandotheraircraftareattemptingtoenterthepattern
C39Theoperatorprovidesthelandnowcommandwhentherunwayisnotclear
H2Theoperatormustnotprovidethelandnowcommandwhentherunwayisnotclear
C40TheoperatorprovidesthelandnowcommandwhentheUAVisnotattheairfield
H1TheoperatormustnotprovidethelandnowcommandwhentheUAVisnotattheairfield
C41
TheoperatorprovidesthelandnowcommandbeforetheUAVcompletestheairfieldarrivalprocedure
H1,H2
TheoperatormustnotprovidethelandnowcommandbeforetheUAVhascompletedtheairfieldarrivalprocedure
C42Theoperatordoesnotprovidelostlinkproceduresduringflightoperations
H1,H2Theoperatormustprovidethelostlinkproceduresduringflightoperations
C43
Theoperatorprovideslostlinkprocedure,andthelostlinkprocedurewaypointsconflictwithotheraircraft
H2 Theoperatormustnotprovidelostlinkproceduresthatareinconflictwithotheraircraft
90
C44
Theoperatorprovideslostlinkprocedures,andthelostlinkprocedureisnotatoraboveMOCA
H1 TheoperatormustnotprovidelostlinkproceduresthatarebelowtheMOCA
C45
Theoperatorprovideslostlinkproceduresbeforeterrain,conflictingtraffic,orweathernecessitatealostlinkprocedureupdate
H1,H2Theoperatormustnotprovideupdatedlostlinkproceduresbeforeterrainandairspacechangesnecessitatetheupdate
C46
Theoperatorprovideslostlinkprocedureswhenthewaypointsexceedthestoragecapacityoftheautopilot
H1,H2 Theoperatormustnotprovidelostlinkproceduresthatcontainmorewaypointsthanthestoragecapacity
C47
TheVMSdoesnotprovidethepayloadpoweroncommandwhenUAVisoverthetargetarea
H3 TheVMSmustprovidepayloadpoweroncommandwhenUAVisoverthetargetarea
C48 TheVMSprovidesthepayloadpoweroncommandwhenthealternatorfails
H4
TheVMSmustnotprovidepoweroncommandwhenthereisnotenoughpowerforpayloadandVMSoperation
C49 TheVMSdoesnotprovidethepayloadpoweroffcommandwhenthealternatorfails
H4
TheVMSmustprovidepayloadpoweroffcommandwhenthereisnotenoughpowerforboththepayloadandVMS
C50TheVMSprovidesthepayloadpoweroffcommandwhentheUAVisoverthetargetarea
H3TheVMSmustprovidethepoweroffcommandwhentheUAVisoverthetargetarea
Table10UAVVMSSafetyConstraints
UCADesignator UCA Hazards Constraint
V1TheVMSdoesnotprovideroll,pitch,oryawcommandswhentheUAVisoffcourse
H1,H2,H3
TheVMSmustprovideroll,pitch,oryawcommandstocorrecttheUAVcoursewhenitisoffcourse
V2TheVMSprovidesroll,pitch,oryawwhenthecommandexceedsaircraftattitudelimits
H4TheVMSmustnotprovideroll,pitch,oryawcommandsthatexceedattitudelimits
91
V3TheVMSprovidesroll,pitch,oryawwhenthecommandsteerstheUAVoffcourse
H1,H2,H3
TheVMSmustnotprovideroll,pitch,oryawcommandsthatsteertheUAVoffcourse
V4
TheVMSprovidesthepitchdowncommandwhenthethrottleisreducedinordertodescend,butthecommandisdelayed
H4TheVMSmustprovidethepitchdowncommandafterthethrottleisreducedforadescentbeforetheUAVdeceleratestostallspeed
V5
TheVMSprovidesapitchupcommandwhenthethrottleisincreasedforaclimb,butthecommandisdelayed
H6
TheVMSmustprovidethepitchupcommandafterthethrottleisincreasedforaclimbbeforetheUAVacceleratestoVNE
V6
TheVMSprovidesaroll,pitch,oryawcommand,buttheaileron,elevator,orrudderisnotbroughtbacktoneutralwhentheaircraftreachesthetargetheading/descent/ascent
H1,H2,H3
TheVMSmustprovidearoll,pitch,oryawcommandtoreturntoneutralsuchthattheaircraftattainsthetargetattitude
V7
TheVMSprovidesaroll,pitch,oryawcommand,buttheaileron,elevator,orrudderisnotbroughtbacktoneutralbeforetheUAVreachesthetargetheading/descent/ascent
H1,H2,H3
TheVMSmustprovidearoll,pitch,oryawcommandtoreturntoneutralsuchthattheaircraftattainsthetargetattitude
V8
TheVMSdoesnotprovideathrottlesettingcommandwhenenvironmentalconditionschange
H4,H6 TheVMSmustprovideathrottlesettingwhentheenvironmentalconditionschange
V9
TheVMSdoesnotprovideahigherthrottlesettingwhentheUAVisinasustainedturn,whichreduceslift
H1,H2 TheVMSmustprovideahigherthrottlesettingduringsustainedturnstomaintaintargetaltitude
V10
TheVMSprovidesathrottlesetting,butthethrottlesettingisnotenoughtomaintainanairspeedabovestallspeed
H4 TheVMSmustprovideathrottlesettinghighenoughtomaintainanairspeedabovestallspeed
V11TheVMSprovidesathrottlesettingthatacceleratestheaircraftaboveVNE
H6TheVMSmustprovideathrottlesettinglowenoughtomaintainanairspeedbelowVNE
92
V12TheVMSprovidesareducedthrottlesettingtoolateaftertheUAVflaresforlanding
H1,H5TheVMSmustnotprovideareducedthrottlesettingtoolateaftertheUAVflaresforlanding
V13
TheVMSprovidesathrottlesettingtoacceleratetoatargetspeed,butthethrottleisnotreducedbeforereachingVNE
H6 TheVMSmustreducethethrottlesettingbeforereachingVNEduringanacceleration
V14
TheVMSprovidesathrottlesettingtodeceleratetoatargetspeed,butthethrottleisnotincreasedbeforereachingstallspeed
H4 TheVMSmustincreasethethrottlesettingbeforereachingstallspeedwhendecelerating
93
Table11UAVOperatorScenarios
UCA Hazard Number MainScenarioDescription SafetyConstraint
TheoperatordoesnotprovidetheGPSwaypointsduringprelaunchoperations
H3 C.1.1
TheoperatorprovidestheGPSwaypoints.AsecondUAVsortieisbeginningatthesametime,andtheGPSwaypointsaresenttothewrongUAV.TheintendedUAVdoesnotreceivethewaypoints
EitherUAVoperationsshouldbedeconflicted,orproceduresputinplacetoensurethecontrolstationislinkedtothecorrectaircraft.Ifanincorrectlinktakesplacealldatamustbeverifiedtoensureitiscorrect
C.1.2
TheoperatorprovidestheGPSwaypointstotheUAV.Asignalinterfereswiththecommand,andtheUAVdoesnotreceiveit.
UAVoperatorsmustbeawareofEMusageinoperatingareaanddeconflictoperationstoavoidinterference.
C.1.3
TheoperatordoesnotsendtheGPSwaypointseventhoughtheyareneedtocarryoutthesortie.Theoperatoristoldthatanewcustomerrouterequestisforthcoming,andtheoperatordecidestowaitforthewaypointsandcontinueonwiththepreflight.TheoperatorforgetsthattheGPSwaypointswereneverprovidedtotheUAVafterthepreflightiscomplete.
Theoperatormusteitherdelaythesortieifnewcustomerrequirementsareexpected,orprovidethecurrentGPSwaypointswithaplantoupdatethemoncethenewrequestisprovided
C.1.4
TheoperatordoesnotsendtheGPScoordinates.TheoperatorreceiveswarningsfromtheUAVindicatingthereisaproblem.Thewarningsareinaccurate,andthesystemsareoperatingcorrectly,buttheoperatorstopsprelaunchoperationstotroubleshoottheproblem.
TheUAVmustnotprovidenuisancewarnings
94
H2 C.1.5
TheoperatorsendstheGPSwaypointstotheUAV.Theywerenotsavedbytheautopilot,andolderwaypointsalreadyloadedwerenotoverwritten.
TheautopilotmustsavetheGPSwaypointsreceivedbytheUAV
TheoperatordoesnotprovideupdatedGPSwaypointswhenmissionchanges
H3 C.2.1TheoperatorprovidestheGPSwaypoints,buttheUAVdoesnotreceivethewaypointsduetointerferencealongtherouteofflight
UAVoperatorsmustbeawareofEMusageinoperatingareaanddeconflictoperationstoavoidinterference.
C.2.2
Theoperatorreceivesaccuratefuelstatefeedback,butincorrectlybelievesthefuelstateoftheUAVwillnotallowforthenewroutebecausetheoperatormiscalculatedthecurrentUAVfueldurationormiscalculatedthedurationoftheupdatedroute.TheoperatordoesnotprovidetheGPSwaypointstotheUAVtoavoidrunningoutoffuel.
Theoperatormustbeabletoquicklyandaccuratelycalculatefueldurationandroutedurationtomakethecorrectdeterminationforroutechangesinflight
H2 C.2.3
Thecustomerrequestforaroutechangeduringthesortiewasnotbroughttotheoperatoratthegroundstation.Therequestwasdeliveredtotheoperator'sunit,whichisnotcollocatedwiththegroundstation.TheoperatordoesnotprovidetheGPSwaypointstotheUAVbecausetheoperatorisunawareofthemissionchange
Customerchangerequestsduringthemissionmustbedeliveredasquicklyaspossible.Considerhavingthechangerequestsdelivereddirectlytothegroundstation
H2 C.2.4
TheoperatorsendstheGPSwaypointstotheUAV.Theywerenotsavedbytheautopilot,andolder
TheautopilotmustsavetheGPSwaypointsreceivedbytheUAV
95
waypointsalreadyloadedwerenotoverwritten.
TheoperatorprovidestheGPSwaypointswhentheydonotalignwiththemission
H3 C.3.1
TheoperatordoesnotprovideGPSwaypoints.Thestepisaccidentallyskippedduringpreflight.GPSwaypointsfromthelastsortiearestoredinthememoryandtheUAVusesthose
TheGPSwaypointsstoredintheautopilotmustbeverifiedwiththemissionplan
H2 C3.2
TheoperatorsendstheGPSwaypointstotheUAVhowevertheydonotalignwiththemission.Duringmissionplanningtherequestedroutewaschanged,howeverthatinformationdidnotmakeittothemissionplanners.
Customerchangerequestsduringthemissionmustbedeliveredasquicklyaspossibletomissionplanners
H2 C.3.3
TheoperatorsendstheGPSwaypointstotheUAVhowevertheydonotalignwiththemission.Themissionplannerscopyanoldmissionplanandupdateit,howevertheymissthewaypointupdates
Theoperatormustverifythemissionplanwiththecustomerrequest
H1,H2,H3 C.3.4
Theoperatorprovidedcoordinatesthatalignedwiththemission,butaBLOSoperatordoingagroundstationcheckoutaccidentallylinkedwiththeUAVandsentnewcoordinates.Thesecoordinatesoverrodethepreviouscoordinatesanddidnotalignwiththemission
GroundstationchecksmustbeeitherdeconflictedwiththeUAVflyingschedule,orbeconductedwithradiosofftoavoidtransmittingcommands
H1,H2,H3 C.3.5
TheoperatorprovidedGPSwaypointsthatalignedwiththemission,howevertheUAVdidnotflythewaypoints.TheGPSsolutionalongtherouteissuchthatthenavigationisnotaccurate
TheoperatormustreceivefeedbackwhentheaccuracyoftheGPSsolutionisbelowaminimumthreshold,additionallyothernavigationsolutions
96
suchasINSorVORshouldbeconsideredasabackupsystem
TheoperatorprovidestheGPSwaypointswhentheypresentaconflictwithotheraircraft
H2 C.4.1
TheoperatorprovidesGPSwaypointsthatdonotconflictwithothertraffic,butthereisinterferencealongtheroute.ThewaypointsarenotreceivedbytheUAV,andautopilotuseswaypointsfromtheprevioussortie,whichconflictwithpresenttraffic
UAVoperatorsmustbeawareofEMusageinoperatingareaanddeconflictoperationstoavoidinterference.
H3 C.4.2
TheoperatorprovideswaypointstotheUAV.Theoperatorormissionplannersusedanoldflightplanasatemplateforthecurrentmission,butdidnotcopyoverallthedata.,Thewaypointsdonotmatchtheapprovedroutefromtheairspacetrafficoperator(ATC).
TheoperatormustverifythemissionplanwiththecustomerrequestandapproveATCroute
C.4.3
Theoperatorprovideswaypointswhichdonotconflictwithairtraffic,butthewaypointsarefarapartfromeachother,andtravelbetweenthewaypointsdopresentaconflictwithotheraircraft
WaypointsmustbesufficientlyclosetogethertocontrolthebehavioroftheUAVandpreventitfromconflictingwithothertraffic
C.4.4
Theoperatorprovideswaypointswhichdonotconflictwiththeairtrafficasreportedbytheairtrafficoperator,howevertheairtrafficchangesafterplanningorduringthesortie.Theoperatordoesnotreceivetheupdatedinformationinorder
TheoperatormustbeprovidedwithandairtrafficchangestoensuretheUAVisproperlydeconflictingfromothertraffic
97
toprovideadifferentsetofwaypoints
C.4.5
TheoperatorsendstheGPSwaypointstotheUAV.Theywerenotsavedbytheautopilot,andolderwaypointsalreadyloadedwerenotoverwritten.
TheautopilotmustsavetheGPSwaypointsreceivedbytheUAV
TheoperatorprovidesGPSwaypointsandtheroutelengthexceedsthefuelonboard
H4 C.5.1
TheoperatordoesnotprovideGPSwaypoints.Thestepisaccidentallyskippedduringpreflight.GPSwaypointsfromthelastsortiearestoredinthememoryandtheUAVusesthose.Theprevioussortiewaslonger,andtheUAVwasfueledwithmorefuel.
TheGPSwaypointsstoredintheautopilotmustbeverifiedwiththemissionplan
C.5.2
TheoperatorprovidestheGPSwaypointsandtheroutelengthexceedsthefuelonboard.TheoperatorfatfingeredaGPSwaypointresultingintheUAVflyingfurtherfromtheairfieldthananticipated.TheerrorwasnotdiscovereduntiltheUAVtraveledsignificantlyoffcourseandnolongerhadthefueltoreturntotheairfield
TheGPSwaypointsstoredintheautopilotmustbeverifiedwiththemissionplan
C.5.3
TheoperatorprovidesGPSwaypointstocreatearoutebasedonalargerthanstandardtakeofffuelweightoftheaircraft,howevergroundpersonnelfueledtheaircraftthestandardamount.
Theoperatormustprovidenonstandardfuelrequeststothegroundpersonnel,andgroundpersonnelmustdocumentthefuelstatusoftheaircraftfor
98
Therewasnotenoughfueltocompletethesortie.
theoperatortoverifyduringpreflight
C.5.4
TheoperatorprovidedtheGPSwaypointsandbelievedbasedonthereportedfuelstatethattheUAVthatthesortiedurationwasappropriate,howeverthefuelstatefeedbackwasincorrectduetofuelsystemmodifications
TheUAVmustprovideaccuratefuelstatefeedbacktotheoperator
C.5.5
TheoperatorprovidedtheGPSwaypointsbasedontheexpectedfuelconsumption,however,thefuelconsumptionwashigherthanexpected.Theoperatormonitorsthefuelconsumptionandrecognizesthatthatthedurationofthesortiewillbelongerthanfueldurationandprovidesanewsetofwaypoints,butthefuelstateistoolowtomakeitbacktotheairfield
Theoperatormusthavejokerandbingofuelstatesthatcanbeadjustedifthefuelisconsumedfasterthanexpectedtoensuretheaircraftcanreturntotheairfieldbeforerunningoutoffuel
TheoperatorprovidesGPSwaypointsthatcreatearouteoutsideofLOSradiusandBLOSisnotbeingused
H3,H4 C.6.1TheoperatorsentGPSwaypoints,howeverthewaypointswerenotreceivedduetointerferenceandtheUAVusedpreviouslystoredwaypointsforaBLOSsortie
UAVoperatorsmustbeawareofEMusageinoperatingareaanddeconflictoperationstoavoidinterference.
99
C.6.2
TheoperatorsentGPSwaypointsthatarewithintheLOSradioradius,howeverterrainbetweentheantennaandtheaircraftmasksthesignal.Theoperatordidnotrecognizethatareasofhighterrainintheareacouldmaskthesignal,LOSislost
UAVoperatorsusinganLOSgroundstationmustresearchpotentialterrainmaskingareasintheareaofoperationsandflightplanaccordingly
C.6.3
TheoperatorprovidesGPSwaypointsthatareknowntobeoutsideLOS,butbelievedthatradiosignalrepeaterswouldcarrythesignaltotheUAVbeyondgroundstationLOS.Therepeatersarenotfunctioning,andthestatusoftherepeaterswasnotverifiedduringpreflightoperations.OncetheUAVwasoutsideofthegroundstation'sLOSradius,itlostthelink
UAVoperatorsusingLOSgroundstationsandrepeatersmustincluderepeatersstatusduringpreflightchecks
C.6.4
TheoperatorprovidesGPSwaypointswithinLOSradius.ThelostlinkprocedureswerenotupdatedfromapreviousBLOSsortie,andlostlinkoccursresultingintheaircrafttodepartingtheLOSradius.
Lostlinkproceduresmustbeupdatedpriortoeveryflight
TheoperatorprovidesGPSwaypointsafterLOSislost,butbeforeBLOSradiolinkisestablished
H3,H4 C.7.1
TheGPSwaypointswereprovidedbytheoperatorafterLOSislost,butbeforeBLOSradiolinkisestablished.TheoperatorprovidedGPSwaypointsjustbeforetheLOStransitiontoBLOSneartheLOSradiuslimit,howeverthelimitwaslessthanexpectedduetoterrain,atmospherics,orothereffectsandtheLOSwaslostbeforetheBLOStransition.
LOS/BLOStransitionmustoccurwellwithinLOSradiustoensurethetransitionoccursbeforetheUAVlosescommunicationwiththeLOSgroundstation.
100
H2 C.7.2
TheoperatorprovidestheGPSwaypointslateoutsideoftheLOSradius,buthasnotcompletedBLOStransition.HeaviertrafficthannormalcausesseveralchangestothedepartureproceduresfortheUAV,andtheoperatorgetsbehindcreatingthenewflightplananduploadingittotheUI.BYthetimethenewflightplanisreadyforupload,theUAVisoutsidetheLOSradius.
TheUImustprovidefeedbacktotheLOSoperatorwhentheUAVisneartheLOSradiuslimitifBLOShasnotyetbeenestablished.TheoperatormusthaveestablishedprocedureswithATCtokeeptheUAVintheLOSradiusofBLOSisnotestablishedasplanned
C.7.3
TheoperatordoesnotrecognizethatLOSwaslost,andbelievestheUIstillhasalinktotheUAV.Theoperatorprovideswaypoints,buttheyarenotreceivedduetothelostlink.
TheUImustprovidefeedbacktotheoperatorwhenthelinkislost.
H1,H2,H3 C.7.4
TheoperatorprovidesGPSwaypointstotheUAV,howevertheUAVdoesnotflythewaypointsprovided.SignificantwindspushtheUAVoffcourse,andtheUAVdoesnotadjusttheheadingtomaintainthecorrectgroundtrack
TheUAVmustadjustthetargetheadingtoaccountforwindstomaintainasafegroundtrack.
TheoperatorprovidesGPSwaypointsaftertheUAVreachesbingofuel
H4 C.8.1
TheoperatorprovidesGPSwaypointstoupdatetherouteaftertheUAVreachesbingofuel.TheoperatorrecognizesthattheUAVisnearingbingofuel,andprovidesGPScoordinates,butlostlinkoccursandtheUAVdoesnotreceivethecoordinates.Perlostlinkprocedures,theUAVcontinuestoflythelastrouteprovided.Whenthelinkisreestablished,theoperatorprovideswaypointstoreturn
Theoperatormustnotwaituntilbingotoreplantheflight.OncetheUAVreachesjoker,replanningmustbegin
101
totheairfield,buttheUAVispastbingoandnolongerhasenoughfueltoreturn.
C.8.2
TheoperatorprovidesGPSwaypointsaftertheUAVreachesbingofuel.TheoperatorbelievedbasedonthefuelstateanddistancethattheUAVcouldmakeitbacktotheairfieldwithlessfuelthanbingo.However,headwindscausethereturntriptotakelongerthanexpected
Theoperatormustconsiderwindswhenconductingflightplanning
C.8.3
TheoperatorprovidesGPSwaypointsaftertheUAVreachesbingofuel.Theoperatordidnotrecognizethatthefuelstatewasatbingountilreviewingthefuelstateattheregularstatuscheck.TheoperatorimmediatelyprovidesGPScoordinatestoreturntotheairfield,buttheUAVnolongerhasenoughfueltoreturnhome.
TheoperatormustenterjokerandbingofuelstatesintheUI,andtheUImustalerttheoperatorwhentheUAVisatjokerandbingo
C.8.4
TheoperatorprovidesGPSwaypointstoreturnhomebeforetheUAVreachedbingo,howeverthewaypointswerenotsavedintheautopilot,andtheUAVcontinuedtotravelontheoriginalroute.BythetimetheoperatorrecognizedthattheUAVwasnotreturningtotheairfield,theUAVwaspastbingoanddidnothaveenoughfueltoreturnhome.
TheGPSwaypointsstoredintheautopilotmustbeverifiedwiththemissionplan
102
TheoperatorprovidesGPSwaypointsandthenumberofwaypointsexceedthestoragecapacityoftheautopilot
H3 C.9.1
Theoperatorprovideswaypointsthatwerewithinthestoragecapacityoftheautopilot.ThemessagereceivedbytheUAVisdelimitedincorrectlyduetotranslationfromtheUItotheradiostotheUAV,whichexceedsstoragecapacity
Thegroundstationradiosmustsendcommandsaccurately
C.9.2
TheoperatorprovidesalargenumberofwaypointstoensurethattheUAVfliesaroutethatalignswiththemission,howevertheoperatorusestoomanywaypointsthatexceededthestorage
Theoperatormustsendanumberofwaypointsthatarelessthantheautopilotstorage.Theautopilotstoragemustbelargeenoughtostoreenoughwaypointsforthelengthofmission
C.9.3
Theoperatorprovidesthewaypoints,butdoesnotreceivefeedbackthatthewaypointswerereceived,sotheoperatorprovidesthewaypointsagain.Thesecondsetofwaypointsareconcatenatedratherthanreplacingthefirstsetofwaypoints
TheUAVmustprovidefeedbackthatthewaypointswerereceived,andtheautopilotmustreplaceoldwaypointswithnewwaypoints
H1,H2 C.9.4
Theoperatorprovideswaypointsthatwerewithinthestoragecapacityoftheautopilot,butthewaypointsaredelimitedincorrectlytakingupmorestoragespacethantheautopilot'scapacity
TheUAVmustsaveprovidedwaypointsintotheautopilotaccurately
TheoperatorprovidesGPSwaypoint,butthelistofwaypointsisnotcompletefortheentiremission
H3 C.10.1
TheoperatorprovidedacompletesetofGPSwaypoints,howeverthetransmissionwascutshortduetoagroundstationradiopowerfailure,andtheUAVdidnotreceivetheentiresetofwaypoints.
Thegroundstationandassociatedequipmentmustbeconnectedtoemergencypower,andthegroundstationpowermusttransitionwithoutdelaytoemergencypowerifthemainpowersupplyiscut
103
C.10.2
Theoperatorprovidesanincompletesetofwaypointsthatdidnotincludetheentiremission.TheoperatordoesnottranslatetheflightplancompletelyintotheUIduetodistractionorotherfactorsduringthepreflightpreparations.Theoperatordoesnotverifythewaypointsafterenteringthem,sotheerrorwasnotcaught
TheGPSwaypointsstoredintheautopilotmustbeverifiedwiththemissionplan
C.10.3
Theoperatorprovidesanincompletesetofwaypointsthatdidnotincludetheentiremission.Thecustomerrequestwasincomplete,andthecustomerisnotrequiredtoapprovethemissionplan,thereforetheincompleteplanwasnotcaught
Thecustomermustprovideacompleterequesttotheoperator,andmustreviewtheplantoensureitalignswiththemission
C.10.4
Theoperatorprovidesacompletesetofwaypoints,howevertheautopilotdidnotsaveallofthewaypoints.
TheGPSwaypointsstoredintheautopilotmustbeverifiedwiththemissionplan
TheoperatordoesnotprovidealtitudewhentheGPSwaypointsareupdated
H1,H2,H3 C.11.1
TheoperatorprovidesthealtitudeafterassigningnewGPSwaypoints,buttheUAVbeginsaturntothenextwaypointcausingaircraftmaskingandthealtitudesarenotreceivedbytheaircraft.
Theoperatormustensurethataltitudecommandsareaccepted,monitoraltitude,andcorrectaltitudeasneeded
C.11.2
TheoperatorbelievesthatthepreviouslyassignedaltitudeswouldbesafewiththenewGPScoordinates.Theoperatormisreadsthesectional,andthepreviousaltitudesarenotaboveMOCA.
TheUImustbeprogrammedtoincludeterraindata(atleasthighestobstacleineachsection),andprovidefeedbackiftheUAVwillflybelowMOCA
104
C.11.3
Theoperatorreceivesanairtrafficbriefingandbelievesthatthepreviouslyassignedaltitudewillbedeconflictedfromotherairtraffic.Theairtrafficbriefingisoutdated,andtherearenowairtrafficconflictswiththepreviouslyassignedaltitude.
TheoperatormustconfirmwithATCthatthealtitudeblockisdeconflictedifGPSwaypointsareupdated
C.11.4
TheoperatorprovidesanewaltitudeassignmentwiththeupdatedGPSwaypoints.ThealtitudeisnotattainedbytheUAV,howeverbecausetheadditionalalternatorsreducemaxengineRPM,thusdecreasingtheservicealtitudeoftheUAV.
Simulationandflighttestmustbeaccomplishedtovalidatethelimitationsofthebaselineaircraftorvalidatenewlimitationsduetomodifications
Theoperatorprovidesaltitudewhenthealtitude,coupledwiththeprogrammedwaypointsarenotaboveminimumobstacleclearancealtitude(MOCA)
H1 C.12.1
TheoperatorprovidesanaltitudeabovetheMOCAastheUAVfliestowardsmountainousterrain,howeverthelinkislostduetoterrainoraircraftmaskingduringmaneuveringandtheUAVdoesnotreceivethealtitudeassignment
TheoperatormustprovidesafealtitudeaspartoftheentireflightplansuchthatiflostlinkoccurstheUAVwillnotcollidewithterrain
C.12.2TheoperatormisreadsthesectionalchartsandprovidesanaltitudethattheoperatorbelievesisaboveMOCA,butitisactuallynot
TheUImustbeprogrammedtoincludeterraindata(atleasthighestobstacleineachsection),andprovidefeedbackiftheUAVwillflybelowMOCA
105
C.12.3
Theoperatorreceivesincorrectoroutdatedsectionalcharts,andassignedanaltitudethatwasabovetheMOCAonthechartbutthereareobstacleshigherthanlistedonthechart
Theoperatormustensurechartsareupdatedduringmissionplanningandobtainupdatedinformationpriortoflight
C.12.4
TheoperatorprovidesanaltitudeabovetheMOCA,howevertheregionofflighthasasignificantlydifferentpressurecomparedtothefield,andtheUAVisflyinganaltitudelowerrelativetotheground
Theoperatormustreceiveambientpressurereportsthroughouttherouteofflightandupdatethealtimeterasappropriate
Theoperatorprovidesaltitudewhenthealtitudeconflictswithothertraffic'saltitudeblocks
H2 C.13.1Theoperatorprovidesanaltitudethatdeconflictswithtraffic,howeverthecommandisnotreceivedduetomasking
Theoperatormustensurethataltitudecommandsareaccepted,monitoraltitude,andcorrectaltitudeasneeded
C.13.2
TheoperatorbelievesthatthetrafficwillnolongerbeinconflictbythetimetheUAVarrivesatthatwaypoint,howevertheconflictingtrafficstaysintheairspaceforlongerthanexpected
TheoperatormustrequestupdatedinformationastheUAVprogressesthroughrouteofflighttoensuretrafficdeconfliction
C.13.3
Theoperatorreceivesinformationthatconflictingtrafficisataparticularaltitude,sotheoperatorclimbsordescendstodeconflict.Thetraffichasanaltitudeblockwithinwhichitcanmaneuver,andwhiletheUAVisaboveorbelowthecurrentposition,itisnotoutsidethemaneuveringblock
Theoperatormustconfirmtheassignedaltitudeisoutsideofthealtitudeblockofconflictingaircraft
106
C.13.4
Theoperatorprovidesanaltitudethatisdeconflicted,howeverthepitot-staticsystemispartiallyblockedresultingintheaircraftflyingadifferentaltitudethanassigned
Thepitotstaticsystemmustberegularlyinspectedandthepitottubeshouldbeclearofobstructionsbeforelaunch
TheoperatorprovidesaltitudewhenthealtitudeisaboveicinglevelandtheUAVfliesthroughclouds
H4 C.14.1
TheoperatorrecognizesbyviewingtheonboardcamerathattheUAVisheadingtowardsacloudandprovidesachangeinaltitudetostaybelowthecloudsandicinglevel,butthemessageisnotreceivedduetointerferenceormasking
Theoperatormustmonitoraltitudetomakesurecommandsareacceptedandreattemptcommandasneeded
C.14.2
Theoperatorknowsthatthereareicingconditionsforecastedandknowstheicinglevel,butassignsanaltitudeabovetheicinglevelanywaytoavoidterrain.Theoperatorbelievesthatbyusingthecameratheoperatorcanavoidthecloudsandthereforenotflythroughicingconditions,howeverthecloudsaretoothickalongtheroute,andtheoperatorcannotstayoutoftheclouds
Theoperatormustflybelowtheicinglevelasterrainpermitsandconsiderreturningtotheairfieldifthecloudsaretoothicktoflyataltitude
C.14.3
Theoperatorisawareoftheicingforecast,butintendstostayoutoftheclouds,howevertheonboardcamerafailsandtheoperatorcannolongerdetectwhetherornottheUAVisflyingthroughclouds
Iftheweatherissuchthatcamerauseisrequiredforsafety,andthecamerafails,theUAVmustreturntotheairfieldoranothercloserairfieldbelowtheicinglayerifterrainpermits
107
C.14.4
Theicingforecastwasincorrect,andtheicinglevelwaslowerthanpredicted,sotheoperatorintendedtostaybelowthelevel,butinfactwasabovethelevel.Thecloudsarenotverythick,sotheyarehardtoseetoavoid
TheUAVoperatormustmonitorindicationsoficinganytimeicingconditionsarepossible,andremovetheUAVoutoftheconditionsassoonastheyaredetected
C.14.5
Theoperatorprovidedaltitudesthatwerebelowtheicinglevel,howevertheUAVflewabovetheicinglevel.TheoperatorprovidedthecorrectaltitudesandtheUAVproperlystoredthem,howeverthepitotstaticsystemfailedresultingininaccurateinformationsenttotheVMSandtheUAVdifferentaltitudesthanplanned
Thepitotstaticsystemmustberegularlyinspectedandthepitottubeshouldbeclearofobstructionsbeforelaunch
TheoperatorprovidesaltitudeafterLOSislostduetoterrainmasking,butbeforeBLOSradiolinkisestablished
H3 C.15.1
Thedeparturerouteincludestraveloverarisingterrainthatmasksthegroundstationantennasignal.TheoperatorrecognizedthattheterrainwouldmaskthesignalcausingtheUAVtoloseLOSlinkearlierthannormalandprovidedahigheraltitudecommand,butthelinkwaslostbeforethecommandwasreceived.
TerrainmaskingfromtheLOSgroundstationmustbeidentifiedduringsiteplanningandincorporatedinflightplanningforeachsortie
C.15.2
TheoperatorrecognizesthattheUAVflightpathwillputterrainbetweenthegroundstationandtheUAV,butprovidesanaltitudeperthenormalclimbprocedures.Theoperatorbelievesthattheterrainisnothighenoughtomaskthesignal.TheUAVlosesthelinkanddoesnot
TerrainmaskingfromtheLOSgroundstationmustbeidentifiedduringsiteplanningandincorporatedinflightplanningforeachsortie
108
receivethecommandtocontinuetheclimb.
C.15.3
HeaviertrafficcausedATCtoprovidetheoperatorwithanabnormaldepartureroute.TheoperatordoesnotrecognizethatthenewroutehasrisingterrainthatwouldmasktheLOSsignal,andtheoperatorsenttheclimbaltitudeatthenormaltime,buttheLOSlinkwaslost.
TheUAVmustprovidealtitudefeedbackrelativetogroundfortakeoff/climbandlandingflightphases
H1 C.15.4
TheoperatorrecognizestherisingterrainandprovidesanaltitudetoensurethattheterraindoesnotmasktheLOSsignaluntiltheBLOStransition.However,theUAVdoesnotflytheassignedaltitude.Thealtimeterwasnotsettoairfieldaltitude,andtheUAVflieslowerthanitshould.
Thealtimetermustbesettotheairfieldaltitudeduringpreflightandverifiedbeforelaunch.
TheoperatorprovidesaltitudewhenthealtitudeassignmentsexceedthenumberofGPSwaypoints
H3 C.16.1
TheoperatorprovidesmorealtitudeassignmentsthanGPSwaypoints.Theinitialmessagecontainingaltitudeassignmentswascutoffduetolostlink.Theoperatorresendsthealtitudeassignments,butratherthanreplacetheincompletemessage,thesecondmessageisaddedontoit.
Theautopilotmustreplacepreviouslyprovidedaltitudeswiththemostrecentlyprovidedaltitudes.
109
C.16.2
Duringmissionplanningtheoperatorcreatestoomanyaltitudeassignments,anddoesnotrealizethattherearemorealtitudeassignmentsthanwaypointassignments.
Themissionplanningprocessmustprovidefeedbacktotheoperatorwhennumberofwaypointsandaltitudeassignmentsdonotmatch
C.16.3
Theoperatoraccidentallyinputsone(ormore)altitudestwiceintotheUI.TheUIdoesnotprovidefeedbacktoindicatethatthenumberofaltitudeassignmentsisdifferentfromthenumberofwaypointassignments.TheUIassignsanincorrectaltitudeforeachofthesubsequentwaypointsaftertheduplication,andneverassignsthealtitudesthatdonothaveacorrespondingwaypoint.
TheUImustprovidefeedbackwhenthenumberofaltitudeandwaypointsdonotmatch.
H1,H2 C.16.4
Theoperatorprovidesthesamenumberofaltitudesaswaypoints,buttheUAVdoesnotflythealtitudesmatchedwitheachwaypoint.Thealtimeterisincorrect,andtheUAVdoesnotflytheassignedaltitude.
ThealtimetermustbesetinflightbasedonatmosphericconditionsreportedbyATC.
Theoperatorprovidesaltitudewhentherearefeweraltitudeassignmentsthanwaypointsanditdoesnotincludetheentiremission
H3 C.17.1Theoperatorprovidesthesamenumberofaltitudeassignmentsaswaypoints,butthemessageiscutoffduetolostlink.
Iflostlinkoccursaftertheoperatorprovidesacommand,theoperatormustresendthecommandwhenthelinkisestablishedtoensurethatcommandwasreceived
110
C.17.2Theoperatorprovidesthesamenumberofaltitudeassignmentsaswaypoints,buttherearetoomanywaypoints,andnotallthealtitudeassignmentsarenotsavedbecausetheautopilotrunsoutofstoragecapacity.
Theoperatormustknowhowmanywaypointsandassociatedaltitudeandairspeedassignmentstheautopilotcanstoreandprovidelessthanthatamount.Additionally,theautopilotmustbeabletostoreenoughdatafortheoperatortoprovidetheentireflightplan
C.17.3
TheoperatormissesanairspeedwheninputtingthealtitudesfromthemissionplanintotheUI.TheUIdoesnotprovidefeedbacktoindicatethatthenumberofaltitudeassignmentsisdifferentfromthenumberofwaypointassignments.TheUIassumesthatthelastaltitudeassignmentinthelististhealtitudeassignmentfortheremainderoftheflight.
Themissionplanningprocessmustprovidefeedbacktotheoperatorwhennumberofwaypointsandaltitudeassignmentsdonotmatch
H1,H2 C.17.4
Theoperatorprovidesthesamenumberofaltitudesaswaypoints,buttheUAVdoesnotflythealtitudesmatchedwitheachwaypoint.Thealtimeterisincorrect,andtheUAVdoesnotflytheassignedaltitude.
ThealtimetermustbesetinflightbasedonatmosphericconditionsreportedbyATC.
Theoperatordoesnotprovideairspeedduringachangeinflightconditionorenvironmentalconditions
H1,H4,H6 C.18.1
Theoperatorprovidestheairspeed,butitisnotreceivedduetointerferencewithnearbyUAVoperations.
UAVoperatorsmustbeawareofEMusageinoperatingareaanddeconflictoperationstoavoidinterference.
111
C.18.2
Theoperatordoesnotprovidetheairspeedcommandbecausetheoperatorbelievesthatthecurrentairspeedisappropriateforthenewsituation.Theoperatorisnearanairspeedlimit,andthenewconditionsreducethelimitsuchthattheUAVhasexceededairspeedlimits
Theoperatormustknowtheeffectsofflightconditionsontheairspeedlimitsandadjustairspeedwhencommandingaclimbordescentasappropriate
C.18.3
Theoperatordoesnotrecognizethechangeinflightcondition.TheUAVisprogrammedtoautomaticallydescentandclimbpertheflightplan,andtheUAVoperatordoesnotreceivefeedbackthattheclimbordescentwillcausetheUAVtoexceedairspeedlimits.
TheUImustprovidefeedbackwhenclimbingordescending,andprovidefeedbackifcurrentlyassignedairspeedwillviolatealimitatthenewaltitude
C.18.4
Theoperatordoesnotrecognizethechangeinenvironmentalconditions.GustscausetheUAVtoexceedairspeedlimits,howevertheoperatordoesnotreceiveadequatefeedbacktorealizethattheUAVisingustyconditions.
TheUAVmustbeabletodetectgustyconditionsandprovidefeedbacktotheoperator.
C.18.5
Theoperatorprovidesanairspeedappropriateforgusty,turbulentconditions,howevertheconditionsarevariablewithvariousgustspeedsanddirection.TheUAVreceivesvariableairspeedfeedbackfromthepitotstaticsystemduetothewinds,andisconstantlyprovidingthrottlesettingstomaintaintheprovidedairspeed.TheUAV'sreactiontochangesinairspeedcause
Whenflyingingusty,turbulentconditionstheUAVmustnot'chase'theprovidedairspeedsoaggressivelythatitexceedsanairspeedlimit.
112
theUAVtoexceedairspeedlimits.
Theoperatorprovidesairspeedthatisatorbelowstallspeed
H4 C.19.1
Theoperatorprovidedanairspeedabovestallspeed,buttheUAVdidnotreceivethecommand.TheUAVisonfinalapproachwhentheoperatorhastoabortthelandingduetoanobstructionontheairfield.Theoperatorimmediatelyprovidesacommandtoleveloffatthecurrentaltitude.TheUAVthrottlesettingislow,andtheoperatorsendsacommandtoincreaseairspeed,howeverthecommandisnotreceivedduetomaskingatthelowaltitude
TheUImustbedesignedwithanabortprocedurethatsendsaltitudeandairspeedcommandssimultaneously.Additionally,thegroundstationandassociatedantennasmustbelocatedsuchthattheyhaveclearLOStotheUAVduringlandingandtakeoffphases
C.19.2
Theoperatorprovidesaslowairspeedabovestalltomaintainaslowgroundtrackinanorbitaroundthetargetarea.Theinitialportionoftheorbithasasignificantheadwind,butwhentheUAVturnstheheadwindbecomesatailwindreducingairspeedbelowstallspeed
Theoperatormustaccountforheadwindsduringslowflightandadjusttheairspeedaccordingly
113
C.19.3
Theoperatorprovidesanairspeedbelowstallspeedbyaccidentallyinputtingthewrongnumbers(fatfingering).TherewasnofeedbackthattheairspeedtheoperatorinputintotheUIwasoutoflimits,andtheincorrectairspeedwassenttotheUAV
TheUImustprovidefeedbacktotheoperatoriftheoperatorentersacommandthatisoutsideofUAVlimits
C.19.4
Theoperatorprovidesairspeedthathigherthanstallspeed,buttheenginefailsinflight.TheoperatordoesnotimmediatelyrecognizethestateoftheUAV,andtheUAVautopilotisprogrammedtomaintainaltitude,suchthatairspeedbleedsoffbelowstallspeed.
TheUAVmustprovideengineindicatorstotheoperator,andtheUImustbeprogrammedtoalerttheoperatorwhentheengineisnotfunctioningproperlyorhasfailed
C.19.5
Theoperatorprovidesanairspeedabovestallspeed,howeverthepitot-staticsystemmalfunctions,andtheactualairspeeddecreases.TheoperatorrecognizesthattheUAVisdeceleratingbasedonthegroundtrackandexpectedwaypointtiming,butcannotintervenebydirectlycommandingathrottlesetting.
Theoperatormusthavetheabilitytodirectlycommandathrottlesetting
TheoperatorprovidesairspeedthatisaboveVNE
H6 C.20.1
TheoperatorcommandsanairspeednearVNE,andtheUAVentersairspacewithgustywindconditions.TheoperatorrecognizesthattheairspeedshouldbereducedtoensurethattheairspeeddoesnotexceedVNE.Theoperatorcommandsalowerairspeed,butthecommandisnotreceivedduetomaskingorinterference.
TheoperatormustnotcommandairspeednearVNEifgustyconditionsareforecastedorexpected.
114
C.20.2
TheoperatorprovidesanairspeedthatisjustbelowVNE,howeverthewindconditionsarevariablewithsignificantgusts.AwindgustcausestheairspeedexceedVNE
Ingustyconditions,theoperatormustassignanairspeedfarenoughbelowVNEthatthewindswillnotcausetheUAVtoexceedVNE
C.20.3
Theoperatorprovidedanairspeedthatiswithinlimitsatloweraltitudes,buttheUAVthenclimbsandviolatestheairspeedlimit.
TheUImustbeprogrammedtoidentifychangesinlimitsbasedonflightconditionsandalerttheoperator.
C.20.4
TheoperatorprovidesanairspeedaboveVNEbyaccidentallyinputtingthewrongnumbers(fatfingering).TherewasnofeedbackthattheairspeedtheoperatorinputintotheUIwasoutoflimits,andtheairspeedissenttotheUAV
TheUImustprovidefeedbackwhentheoperatorprovidesanairspeedoutsideofthelimits.
C.20.5
TheoperatorprovidesanairspeedbelowVNE,howeverthepitot-staticsystemmalfunctions,andtheautopilotcommandsahigherthrottlesettingtomaintaintheairspeed,causingtheUAVtoexceedVNE
TheUAVautopilotmusthaveasecondarymethodofmeasuringairspeedincaseofapitot-staticsystemfailure,suchasGPS
Theoperatorprovidesairspeedwhenflightplanningfueldurationwasbasedonauto(maxendurance)airspeed,butahigherairspeedisset
H3,H4 C.21.1
TheoperatorcommandsahigherairspeedforafixeddurationthatwillgettheUAVtothetargetareafaster.Afterthedurationtheoperatorprovidesanairspeedtoauto(maxendurance)command,howeveritisnotreceivedbytheUAVduetointerferenceormasking
TheoperatormustcommandareturntomaxenduranceairspeedearlyenoughthatifthecommandisnotreceivedimmediatelytheUAVwillstillhaveenoughfuelendurancetocompletethesortie
115
C.21.2
Theoperatorprovidesacruiseairspeedhigherthanmaxendurance,whichwastheflightplanningairspeed.TheUAVtookofflate,andtheoperatorwantstomakeuptimebycruisingatafasterairspeedtogetbackontheoriginalflightplan.TheoperatorbelievesthereisenoughfuelintheUAVtoflytheroutewithahigherairspeed(andthereforehigherfuelflow),butdoesnotdothecalculationstoverify.
Theoperatormustverifywithnewflightplancalculationsiftheairspeedwilldiffersignificantlyfrommaxenduranceairspeed
C.21.3
Theoperatorprovidesacruiseairspeedhigherthanmaxendurance,whichwastheflightplanningairspeed.TheUAVtookofflate,andtheoperatorwantstomakeuptimebycruisingatafasterairspeedtogetbackontheoriginalflightplan.TheoperatorusesthefuelflowratefeedbackprovidedbytheUAVtocalculatetheenduranceoftheUAVatthehighercruisealtitude,howeverthefuelflowrateisinaccurate
TheUAVflightmanualmustincludefuelconsumptionchartsfortheoperatortocalculateUAVendurance
C.21.4
Theoperatorcommandsairspeedonauto(max-endurance),howeverthepitot-staticsystemmalfunctionsandtheUAVactuallyfliesfaster,burningfuelatafasterrate
TheUAVautopilotmusthaveasecondarymethodofmeasuringairspeedincaseofapitot-staticsystemfailure,suchasGPS
116
Theoperatorprovidesanairspeedvaluethatwillcreateaconflictwithotheraircraft
H2
C.22.1
Theoperatorprovidesanairspeedcommandtodeconflictwiththetraffic,buttheairspeedchangewasnotsufficienttoavoidthetraffic.
Theoperatormustcommandachangeinairspeedthatissufficienttodeconflictwithtraffic
C.22.2
Theoperatorprovidesanairspeedcommandtoaccelerateinordertoavoidtraffic.Theotheraircraftalsoaccelerates,resultinginacontinuedconflict.
TheoperatormustcommunicatedeconflictionactionswithATCortheaircrewoftheaircraftInconflict.Otherwise,deconflictionactionsmustbestandardizedtoallowdeconflictionactionswithoutcommunication
C.22.3
TheoperatorreceivesfeedbackfromATCthatthetrafficisnolongerinconflict,andresumesmaxendurancespeed.Thefeedbackwasbasedoncurrentrateofspeed,butthenewairspeedcausesaconflict.
Theoperatormustturnoffenginestartcommandwhentheenginestartcommanddoesnotworkuntiltheoperatorisreadytotryagain.
C.22.4
Theoperatorprovidesanairspeed,butthewindschange,causingtheairspeedtochangeandnolongerdeconflictwiththetraffic.
Theoperatormustconsiderwindswhenconductingflightplanninganddeconflictingwithtraffic
TheoperatorprovidesairspeedaftertheUAVstalledduetoslowflight
H4 C.23.1
TheoperatorrecognizesthattheUAVisabouttostall,andprovidesahigherairspeedsothattheUAVwillaccelerate.Thelinkislost,andtheUAVdoesnotreceivetheairspeedcommand.Theoperatorprovideshigherairspeedwhenthelinkisreestablished,buttheUAVhasalreadystalled.
TheUAVmustnotflynearstallspeedduringappropriatephasesofflight,suchastouchdown
117
C.23.2
Theoperatorprovidesanairspeedthatisabovestallspeed,butatailwindordecreasedheadwindresultsinastall.Theoperatordoesnotimmediatelyrecognizethattheaircraftisinastall,anddelayscommandingahigherairspeed.
TheUImustprovidefeedbacktotheoperatorwhentheairspeedapproachesstallspeed.TheUAVmustbeprogrammedwithastallrecoveryprocedure.
C.23.3
Theoperatorprovidesanairspeedbelowstallspeedduetoapitot-staticsystemmalfunction.Theairspeedfeedbackishigherthanactualairspeed.Theoperatorcommandsanairspeedthatisabovestallspeed,buttheresultingspeedislessthanstallspeed.Theoperatorreceivesattitudefeedbackindicatingastall,andcommandsahigherairspeed,butaircrafthasalreadystalled.
Thepitotstaticsystemmustberegularlyinspectedandthepitottubeshouldbeclearofobstructionsbeforelaunch
C.23.4
Theoperatorprovidesanairspeedthatisabovestallspeed,howeveratailwindcausestheairspeedtodecreaseandtheUAVtostall.Theoperatorprovidesanairspeedcommand,buttheaircrafthasalreadystalled.
Theoperatormustflyanairspeedhighenoughabovestallspeedtoavoidastalliftheheadwind/tailwindchangesoccur
C.23.5
Theoperatorprovidesanairspeedthatisabovestallspeed,howevertheenginefails,andtheUAVdoesnotadjusttheUAVattitudetostopthedecelerationbelowstallspeed.Theoperatorrestartstheengineandcommandsahigherairspeed,buttheUAVhasalreadystalled.
TheUAVmustrecognizewhentheenginehasfailedandflyanattitudethatresultsinanairspeedabovestallspeed
118
TheoperatorprovidesairspeedafterstructuraldamagefromflyingaboveVNE
H6 C.24.1
TheoperatorrecognizesthattheUAVisabouttoexceedVNEandprovidesalowerairspeed.Thelinkislost,andtheUAVdoesnotreceivetheairspeedcommand.Theoperatorprovideshigherairspeedwhenthelinkisreestablished,buttheUAValreadyexceededVNE.
TheUAVmustnotflynearVNE.
C.24.2
TheoperatorprovidesanairspeedthatisbelowVNE,butadecreasedtailwindoranincreasedheadwindresultsinexceedingVNE.TheoperatordoesnotimmediatelyrecognizethattheaircrafthasexceededVNEbecausetheoperatorwasnotonthemainUIpage,anddelayscommandingalowerairspeed.
TheUAVmustnotflynearVNE.Safetycriticalalerts,suchasnearinganairspeedlimitmustbeprovidedtotheoperatorregardlessofwhatUIscreentheoperatorison.
C.24.3
TheoperatorprovidesanairspeedthatisaboveVNEduetoapitot-staticsystemmalfunction.Theairspeedfeedbackislowerthantheactualairspeed.TheoperatorcommandsanairspeedthatisbelowVNE.ThereisnofeedbackotherthanairspeedtoindicatetheVNEexceedanceuntiltheUAVairframeintegrityislost.
Thepitotstaticsystemmustberegularlyinspectedandthepitottubeshouldbeclearofobstructionsbeforelaunch
C.24.4
TheoperatorprovidesanairspeedthatisbelowVNE,howeveraheadwindcausestheairspeedtoincreaseaboveVNE.Theoperatorcommandsalowerairspeed,buttheUAValreadyexceededVNE.
TheUAVmustnotflynearVNE.
119
TheoperatorprovidesairspeedwhenthenumberofairspeedassignmentsexceedthenumberofGPSwaypoints
H3 C.25.1
TheoperatorprovidesmoreairspeedassignmentsthanGPSwaypoints.Theinitialmessagecontainingairspeedassignmentswascutoffduetolostlink.Theoperatorresendstheairspeedassignments,butratherthanreplacetheincompletemessage,thesecondmessageisaddedontoit.
Theautopilotmustreplacepreviouslyprovidedairspeedswiththemostrecentlyprovidedairspeeds.
C.25.2
Duringmissionplanningtheoperatorcreatestoomanyairspeedassignments,anddoesnotrealizethattherearemoreairspeedassignmentsthanwaypointassignments.
Themissionplanningprocessmustprovidefeedbacktotheoperatorwhennumberofwaypointsandairspeedassignmentsdonotmatch
C.25.3
TheoperatoraccidentallyinputsoneairspeedtwiceintotheUI.TheUIdoesnotprovidefeedbacktoindicatethatthenumberofairspeedassignmentsisdifferentfromthenumberofwaypointassignments.TheUIassignsanincorrectairspeedforeachofthesubsequentwaypointsaftertheduplication,andneverassignstheairspeedsthatdonothaveacorrespondingwaypoint.
TheUImustprovidefeedbackwhenthenumberofairspeedandwaypointsdonotmatch.
H4,H6 C.25.4
Theoperatorprovidesthesamenumberofairspeedsaswaypoints,buttheUAVdoesnotflytheassignedairspeeds.Apitot-staticsystemmalfunctioncausestheUAVtoflydifferentairspeedsthanassigned.
Thepitotstaticsystemmustberegularlyinspectedandthepitottubeshouldbeclearofobstructionsbeforelaunch
120
TheoperatorprovidesairspeedwhenthenumberofairspeedassignmentsarefewerthanthenumberofGPSwaypoints
H3 C.26.1
Theoperatorprovidesthesamenumberofairspeedassignmentsaswaypoints,butthemessageiscutoffduetolostlink.
Iflostlinkoccursaftertheoperatorprovidesacommand,theoperatormustresendthecommandwhenthelinkisestablishedtoensurethatcommandwasreceived
C.26.2Theoperatorprovidesthesamenumberofairspeedassignmentsaswaypoints,buttherearetoomanywaypoints,andnotalltheairspeedassignmentsarenotsavedbecausetheautopilotrunsoutofstoragecapacity.
Theoperatormustknowhowmanywaypointsandassociatedaltitudeandairspeedassignmentstheautopilotcanstoreandprovidelessthanthatamount.Additionally,theautopilotmustbeabletostoreenoughdatafortheoperatortoprovidetheentireflightplan
C.26.3
TheoperatormissesanairspeedwheninputtingtheairspeedsfromthemissionplanintotheUI.TheUIdoesnotprovidefeedbacktoindicatethatthenumberofairspeedassignmentsisdifferentfromthenumberofwaypointassignments.TheUIassumesthatthelastairspeedassignmentinthelististheairspeedassignmentfortheremainderoftheflight.
Themissionplanningprocessmustprovidefeedbacktotheoperatorwhennumberofwaypointsandairspeedassignmentsdonotmatch
121
H4,H6 C.26.4
Theoperatorprovidesthesamenumberofairspeedsaswaypoints,buttheUAVdoesnotflytheassignedairspeeds.Apitot-staticsystemmalfunctioncausestheUAVtoflydifferentairspeedsthanassigned.
Thepitotstaticsystemmustberegularlyinspectedandthepitottubeshouldbeclearofobstructionsbeforelaunch
Theoperatordoesnotprovideenginestartduringprelaunchenginerun-up
H3 C.27.1 Theoperatorprovidestheenginerestartcommand,howeverthebatteryiseitherdepletedornotproducingenoughpowertorestarttheengine.
Thebatterymustprovideenoughpowertostarttheengineduringenginerun-up.Thebatterychargemustbecheckedduringpreflight,andexternalpowermustbeusedtostarttheengineasneeded.
C.27.2
TheoperatorclicksontheenginestarticonontheUI,howevertheenginestartcommandisnotsentbecausetheoperatorclickedjustoutsidetheareathatsendsthecommand.
Theoperatormustbeabletoclickanywhereonanicontosendacommand.
C.27.3
Theoperatordoesnotprovidetheenginestartcommandbecausetheoperatorbelievesthattherearepeopleinthepropellerarea.Thegroundpersonnelareactuallyclearofthearea,butdidnotannouncetheywereclear.
Thegroundpersonnelmustprovideanallclearcallwhenpersonnelareoutofthepropellerarea.
C.27.4
Theoperatorprovidesthecommand,buttheenginedoesnotstart.Theengineunderwentmaintenance,andthewiringwasdisconnectedformaintenance,butnotreconnectedpostmaintenance.
Themaintenancepersonnelmustperformapostmaintenanceenginerun-upafterenginemaintenance.Additionally,aftermaintenancetheworkareamustbeinspectedtoensuretheUAVhas
122
beenreturnedtoaflightreadystate.
Theoperatordoesnotprovideenginestartduringbeforetakeoffprocedure
H3 C.28.1
Theoperatorprovidestheenginerestartcommand,howeverthebatteryiseitherdepletedornotproducingenoughpowertorestarttheengine.
Groundpowermustbeavailabletostarttheengineasrequired.Ifbatteryisnotcharging,theflightmustbecancelled.
C.28.2
TheoperatorclicksontheenginestarticonontheUI,howevertheenginestartcommandisnotsentbecausetheoperatorclickedjustoutsidetheareathatsendsthecommand.
Theoperatormustbeabletoclickanywhereonanicontosendacommand.
C.28.3
Theoperatorreceivesinaccurateenginefeedbackindicatingthattheengineshouldnotbestarted.Theoperatorprovidestheinformationtothegroundcrew,whotroubleshoottheproblem,delayingtheflight.
Theenginehealthfeedbackparametersmustbecalibratedandregularlymaintainedtoensureaccuracy.
C.28.4
Theoperatorprovidesthecommand,buttheenginedoesnotstart.Theenginestartwirewasloose,andwhentheaircraftwastaxiedtotheenginerun-uparea,thewirebecamecompletelydisconnected.
Wiringandconnectionsmustbecheckedduringpreflightandshouldbedesignedtowithstandvibrationsassociatedwithflight
123
Theoperatordoesnotprovideenginestartcommandwhentheenginefailsinflightandtheengineneedstoberestarted
H4 C.29.1 Theoperatorprovidestheenginerestartcommand,howeverthebatteryiseitherdepletedornotproducingenoughpowertorestarttheengine.
Thebatterymustprovideenoughpowertorestarttheengineiftheenginefailsinflight.
C.29.2
Theoperatorattemptstorestarttheengine,buttheUAVisabovetherestartairspeedlimit.Theaircraftattitudeissuchthattheairspeeddoesnotdecreasebelowthelimit,andtheengineisnotrestarted.
TheUAVmustbeflownatanairspeedbelowtheenginerestartlimitbeforeenginerestartisattempted.
C.29.3Theoperatorprovidestherestartenginecommand,howevertheairspeedfeedbackisincorrectandtheUAVisstillabovetherestartairspeedlimitanddoesnotrestart.
IfairspeedfeedbackisincorrecttheUAVmustbeabletoflyattitude/throttlesettingcombinationstoachieveasafeairspeed.AirspeederrorsmustbedetectedinorderfortheUAVtoupdatethemethodofcontrollingflight.
C.29.4
Theoperatorprovidestherestartenginecommand,buttheenginedoesnotrestart.Theenginehasfailedsuchthatitcannotberestarted,ortheengineisnolongerreceivingfuel.
Theoperatormustattempttocyclefueltanksbeforeenginerestartattempt.Ifthereareindicationsthatanenginerestartisnotpossible,theoperatormustimmediatelybeginpreparationforlanding
124
Theoperatorprovidestheenginestartcommandwhengroundpersonnelarenearthepropellers
H1 C.30.1
Theoperatordoesnotprovidetheenginestartcommand,howevertheUAVreceivesanenginestartcommandfromasecondgroundstationwhilegroundpersonnelwerenearthepropellers
EitherUAVoperationsmustbedeconflicted,orproceduresputinplacetoensurethecontrolstationislinkedtothecorrectaircraft.
C.30.2
Theoperatordoesnotprovidetheenginestartcommandbecausetherearepeopleinthepropellerarea.TheUAVisconfiguredtostartengines,buttheoperatoriswaitingforanareaclearcall.TheoperatorputsthemouseovertheenginestartbuttonontheUIandwaitsfortheallclearcall.Themouseisaccidentallyclickedbeforetheallclearcallstartingtheengine.
Theoperatormustnotputthemouseoverasafetycriticalcommanduntilthecommandissafetoperform.Additionally,considerasecondarypromptforsafetycriticalcommandsorotherdesignstopreventaccidentallysendingcommand.
C.30.3
Theoperatoristoldthatgroundpersonnelareclearofthepropellerarea,butatechnicianreenterstheareabecausetheindividualseesanissuethatmustbecorrectedbeforeenginestart
Thegroundpersonnelmustinformtheoperatorifpersonnelreenterthepropellerareaaftertheclearsignal
H5 C.30.4
Theoperatorprovidestheenginestartcommand,howeverthebrakesfailedanddidnotkeeptheaircraftfrommoving,andittaxistowardsthepersonnel
GroundpersonnelmuststandinapositionsuchthatiftheUAVdoesinadvertentlytaxiafterenginestartitdoesnothitanyone.
Theoperatorprovidesenginestartcommandwhentheenginefailsinflight,butaftertheUAV
H1 C.31.1
Theoperatorattemptstorestarttheengine,buttheenginestartcommandisnotreceivedbytheUAVduetoterrainmaskingasitdescends.Theoperatorbeginstroubleshootingthelostlinkandleavestheenginestartcommandon.Whenthe
Theoperatormustturnoffenginestartcommandwhentheenginestartcommanddoesnotworkuntiltheoperatorisreadytotryagain.
125
iscommittedtolanding
linkisestablishedtheUAVreceivestheenginerestartcommandandrestartstheengine.
C.31.2
Theoperatorattemptstorestarttheengine,buttheenginedoesnotrestart.Theoperatorthenbeginschecklistactionsforlanding.Theoperatordoesnotdisablethestarter,andtheenginestartsneartouchdown
Theoperatormustturnoffenginestartcommandwhentheenginestartcommanddoesnotworkuntiltheoperatorisreadytotryagain.
C.31.3
Theenginequitsbecausetheoperatordoesnotswitchfueltanks,andthecurrentlyselectedfueltankisempty.Theoperatorattemptstorestarttheengine,butisunsuccessful.Duringthelandingsequencetheoperatorrealizesthefuelfeederror,switchestanks,andsuccessfullyrestartstheengine.However,theUAVistooclosetotheground,andtheautopilotdoesnottransitionsafelyfromengineoffperformancetoengineonperformance.
TheoperatormustverifyfuelstateandswitchtanksduringenginefailureemergencyproceduresiftheUAVisabovesaferestartaltitude.TheUAVautopilotmustbedesignedtotransitionsmoothlybetweenengineoffandengineonperformance.
126
C.31.4
Theoperatorattemptstorestarttheengine,buttheenginedoesnotrestart.Theoperatorcontinuestoattemptarestartastimepermits,inaccordancewiththechecklist.TheUAVisflyingfarfromtheairfield,andtheexactheightabovegroundisnotknown.Theoperatorcontinuestoattemptrestartandfinallydoesrestarttheengine,buttheUAVdescendedtoolowandimpactsterrain
Duringmissionplanning,operatorsmustdetermineminimumrestartattemptaltitudesforeachlegoftheroutethatisbasedonasafepressurealtitude,sinceexactaltitudeabovegroundmaynotbeknown.Thelaseraltimetermustbeonbatterypowerforusetodetermineheightaboveterrain.
C.31.5
Theoperatordeterminesbasedonthealtitudethatanenginerestartisnotappropriateandbeginschecklistactionsforlanding.Aloosewireprovidespowertotheenginestarter,andtheenginerestartswithouttheenginestartcommand
Wiringandconnectionsmustbecheckedduringpreflightandshouldbedesignedtowithstandvibrationsassociatedwithflight
Theoperatordoesnotprovidethelaunchnowcommandduringtakeoff
H3 C.32.1
Theoperatorprovidedthelaunchnowcommand,howeverthecommandwasnotreceivedduetointerferencewithconcurrentUAVoperations
UAVoperatorsmustbeawareofEMusageinoperatingareaanddeconflictoperationstoavoidinterference.
C.32.2 TheoperatordoesnotprovidethelaunchnowcommandbecausetheoperatordidnotreceiveATC'sclearfortakeoffcall
ThegroundstationmustbeequippedtocommunicatewithATC,andradioandinternalcommunicationsmustbekepttoaminimumduringlaunchoperationstoensureallATCinstructionsarereceived
127
C.32.3
Theoperatordoesnotprovidethelaunchnowcommandbecausethecontrollerreceivesincorrectengineparameterfeedbackandbelievestheengineisnotoperatingwithinlimits.Theoperatorabortsthetakeofftoallowgroundpersonneltotowtheaircraftbacktoparkandtroubleshoottheproblem.
Theenginehealthfeedbackparametersmustbecalibratedandregularlymaintainedtoensureaccuracy.
C.32.4
Theoperatorprovidesthelaunchnowcommand,whichwasreceivedbytheUAV,howevertheUAVdidnotlaunch.TheUIlaunchsequenceisnotprogrammedcorrectly,andtheUAVdoesnotaccelerateenoughtorotateandtakeoff
TheUIlaunchsequencemustbeverifiedbeforeflightandadjustedforatmosphericconditionsattheairfield.
Theoperatorprovidesthelaunchnowcommandwhentherunwayisnotclear
H2 C.33.1 Theoperatordoesnotprovidethelaunchnowcommand,howeveranotherLOSgroundstationonsiteisconductingchecksanddoesprovidethelaunchcommand
EitherUAVoperationsshouldbedeconflicted,orproceduresputinplacetoensurethecontrolstationislinkedtothecorrectaircraft.Ifanincorrectlinktakesplacealldatamustbeverifiedtoensureitiscorrect
H1 C.33.2
TheoperatorreceivesaclearfortakeoffcallfromATC,butthegroundpersonneldidnotprovideapersonnelclearcall.TheoperatorcommandslaunchnowaftertheATCcall.
TheoperatormustnotprovidethelaunchnowcommanduntiltheoperatorreceivescallsfrombothATCandgroundpersonnel
128
H1 C.33.3
TheoperatoriswaitingonaclearfortakeoffcallfromATC,andreststhemousecursoroverthelaunchnowbuttonontheUI.Whilewaiting,theoperatororanotherpersoninthegroundstationaccidentallyclicksthemouse,launchingtheUAV.
Theoperatormustnotputthemouseoverasafetycriticalcommanduntilthecommandissafetoperform.Additionally,considerasecondarypromptforsafetycriticalcommandsorotherdesignstopreventaccidentallysendingcommand.
C.33.4
TheoperatorreceivesaclearfortakeoffcallfromATCandapersonnelclearcallfromthegroundpersonnelsupportingthelaunch.Visibilityislow,andthetowercannotseetheentirerunway.Thelipstickcameraalsodoesnotprovideaviewoftheentirerunwayduetolowvisibility.ThereiseitheranaircraftoravehicleontherunwaythatcannotbeseenbyATC,groundpersonnel,ortheUAVoperator.
TheUAVmustbeabletoabortalaunchattemptoncetheoperatorrecognizesthattherunwayisnotclear.
H5 C.33.5
Theoperatordoesnotprovidethelaunchnowcommand,howevertheparkingbrakefailsandtheUAVtravelsdowntherunway.
TheUAVshouldmaintainanidleornearidlethrottlesettinguntilthelaunchcommandisprovided.Additionally,theUAVmustbeabletoquicklystopiftheUAVmovesinadvertently
TheoperatorprovidesthelaunchnowcommandwhentheUAVisnotontherunway
H5 C.34.1
Theoperatordoesnotprovidethelaunchnowcommand,howeveranotherLOSgroundstationonsiteisconductingchecksanddoesprovidethelaunchcommand
EitherUAVoperationsshouldbedeconflicted,orproceduresputinplacetoensurethecontrolstationislinkedtothecorrectaircraft.Ifanincorrectlinktakesplacealldatamustbe
129
verifiedtoensureitiscorrect
C.34.2
Duringtheenginerun-up,theoperatoraccidentallyclicksthelaunchnowbuttonontheUI.ThethrustovercomestheparkingbrakeandtheUAVtravelsoverthechocks.
Asecondarypromptforsafetycriticalcommandsorotherdesignstopreventaccidentallysendingcommand.
C.34.3
TheoperatorprovidesthelaunchnowcommandwhentheUAVisontherunway,howevertheUAVrunsofftherunwayduringthelaunchprocedure.Thecrosswindsareoutoflimits,howeverthelatestweatherreportindicatedcrosswindswerewithinlimits.
TheweathersupportorganizationmustprovideuptodateweatherinformationandalerttheUAVoperatorifthewindisoutoflimitsduringthebeforetakeoffprocedures.
C.34.4
TheoperatorprovidesthelaunchnowcommandwhentheUAVisontherunway,howevertheUAVrunsofftherunwayduringthelaunchprocedure.TheUAVdoesnotcompensateforthecrosswinds.
TheUAVmustbedesignedtocompensateforcrosswindsduringtakeoff.
Theoperatorprovidesthelaunchnowcommandbeforegroundpersonnelandequipmentareclearofthearea
H1 C.35.1 Theoperatordoesnotprovidethelaunchnowcommand,howeveranotherLOSgroundstationonsiteisconductingchecksanddoesprovidethelaunchcommand
EitherUAVoperationsshouldbedeconflicted,orproceduresputinplacetoensurethecontrolstationislinkedtothecorrectaircraft.Ifanincorrectlinktakesplacealldatamustbeverifiedtoensureitiscorrect
130
C.35.2
TheoperatorreceivedatakeoffclearancefromATCanddidnotseeanyonethroughthecamera.Theoperatorassumedtherunwaywasclearandprovidedthelaunchnowcommand
Theoperatormustreceiveanareaclearmessagefromthegroundpersonnelbeforeprovidingthelaunchnowcommand
C.35.3
Thegroundpersonnelstatethattheareaisclear,howeveritisnotactuallyclear.ThegroundpersonnelarestillwalkingoutofthepathoftheUAVandbelievetheyhavetimetocleartheareabeforelaunch.
Theareaclearcallmustonlybegivenwhenallpersonnelareoutofthepathoftheaircraft
C.35.4
Thegroundpersonnelstatethattheareaisclear,andbelievethegroundequipmentisoutofthepathoftheaircraft,howevertheequipmentisstillwithinthepathoftheaircraft.
Allgroundequipmentusedtotowtheaircrafttotherunwaymustbecompletelyofftherunwaybeforetakeoff
H5 C.35.5
Thegroundpersonnelandequipmentaretothesideoftheaircraftoutofthepath,howeverwhentheaircraftlaunches,itdoesnotmoveinastraightlinedowntherunway,andinsteadrollstowardsthegroundpersonnelandequipment
Allpersonnelandgroundequipmentmustbeplacedbehindtheaircrafttoavoidbeinghitbytheaircraftifthelaunchisnotsuccessful
TheoperatorprovidesthelaunchnowcommandaftertheUAVisairborne
H4 C.36.1 Theoperatordoesnotprovidethelaunchnowcommand,howeveranotherLOSgroundstationonsiteisconductingchecksanddoesprovidethelaunchcommand
EitherUAVoperationsshouldbedeconflicted,orproceduresputinplacetoensurethecontrolstationislinkedtothecorrectaircraft.Ifanincorrectlinktakesplacealldatamustbeverifiedtoensureitiscorrect
131
C.36.2
Theoperatoraccidentallyclicksthelaunchnowbutton.Theoperatorintendedtoclickadifferentbutton.TheUAVimmediatelyreducesthrottletothestartingthrottlepositionduringthelaunchsequence,causingtheUAVtostall.
Asecondarypromptforsafetycriticalcommandsorotherdesignstopreventaccidentallysendingcommand.
C.36.3
Theoperatorprovidesthelaunchnowcommand,butthepitotstaticsystemisnotworking.TheUAVacceleratesandgoesairborne,buttheoperatorbelievesthecommandwasnotreceivedandprovidesthelaunchnowcommandagain.
Theoperatormustusevisualconfirmationoflaunch,eitherfromthecameraorfromgroundpersonnel.AdditionallyiftheUAVdoesnotappeartoworkingasexpected,thelaunchorsortiemustbeabortedandtheissueresolvedbeforecontinuingthemission.
C.36.4
Theoperatorprovidesthelaunchnowcommand.AheadwindgustcausestheUAVtobecomeairborneearlierthanexpected,andwhenthegustorgroundeffectendstheUAVnolongerhasenoughlifttomaintainflightandlandsbackontherunway.
Duringtakeoffingustyconditions,therotatespeedmustbeincreased,ifrunwaylengthallows,topreventearlyrotation.
TheoperatordoesnotprovidethelandnowcommandwhentheUAVisinthepatternandatminimumfuel
H4 C.37.1 Theoperatorprovidesthelandnowcommand,buttheUAVdoesnotreceivethecommand.InterferencefromanotherUAVpreventsthesignalreception.
EitherUAVoperationsshouldbedeconflicted,orproceduresputinplacetoensurethecontrolstationislinkedtothecorrectaircraft.Ifanincorrectlinktakesplacealldatamustbeverifiedtoensureitiscorrect
132
C.37.2
TheoperatorbelievesthattheUAVhasenoughfueltolastuntillanding,eventhoughtheUAVisfuelstateislow.TheoperatordecidestowaitfortheUAV'sturntolandratherthandeclaringafuelemergencyandlandingassoonaspossible.
Theoperatormustdeclareafuelemergencywhenthefuelstateislowinordertolandassoonaspossible
C.37.3
TheUAVprovidesinaccuratefuelstatedataandtheoperatorbelievesthattheUAVhasmorefuelthanitactuallyhas.ThereareotheraircraftinthepatternaheadoftheUAV,andtheUAVwaitstolandinsteadofdeclaringanemergencyinordertolandaheadoftheotheraircraft.
TheUAVmustprovideaccuratefuelstatefeedbacktotheoperator
H1 C.37.4
Theoperatorrecognizesthatthefuelislowanddeclaresanemergency.Theoperatorthenprovidesthelandnowcommand,butittakeslongertolandthanexpectedduetotrafficandwinds.TheUAVrunsoutoffuelandcrashlandsofftherunway.
Theoperatormustincludewindsandthetimeittakestodeconflicttrafficwhendeterminingwhentodeclareanemergency
TheoperatordoesnotprovidethelandnowcommandwhentheUAVisattheairfieldandotheraircraftareattemptingtoenterthepattern
H2 C.38.1Theoperatorprovidesthelandnowcommand,buttheUAVdoesnotreceivethecommand.InterferencefromanotherUAVpreventsthesignalreception.
EitherUAVoperationsshouldbedeconflicted,orproceduresputinplacetoensurethecontrolstationislinkedtothecorrectaircraft.Ifanincorrectlinktakesplacealldatamustbeverifiedtoensureitiscorrect
133
C.38.2
Theoperatordoesnotprovidethelandnowcommand.Theoperatorbelievesthatthewindsareoutoflimitsforlanding,anddecidestoremaininthepatterntoseeifthewindsdecreaseinordertoland.Thereareotheraircraftwithhigherwindlimitsthatareattemptingtolandatthesametime,andthepatternisbusy.
IftheUAVcannotland,butotheraircraftcanenterthepatternandlandtheUAVmustmaintainaholdawayfromthepatterntoavoidtrafficcongestion
C.38.3
TheoperatordoesnothearthecleartolandcallfromATC.TheoperatoriscoordinatingwiththegroundpersonnelforthetowandprovidingaircraftstatusinformationwhenATC'scallwasmade.
Duringcriticalphasesofflight,suchastakeoff,climb,andlanding,thegroundstationmustbeclearofnonessentialpersonnelandtheoperatormustmaintaina'sterilecockpit'environment.
H1 C.38.4 Theoperatorprovidesthelandnowcommand,buttheGPSsolutionisnotaccurate,andtheUAVdoesnotflythepatternaspublishedorlandontherunway
TheVMSmustreceivefeedbackwhentheaccuracyoftheGPSsolutionisbelowaminimumthreshold,additionallyothernavigationsolutionssuchasINSorVORshouldbeconsideredasabackupsystem
Theoperatorprovidesthelandnowcommandwhentherunwayisnotclear
H2 C.39.1
Theoperatordoesnotprovidethelandnowcommand,buttheUAVexecutesthelandingprocedure.AnothergroundstationprovidesthelandnowcommandforanotherUAVinthepattern,butbothUAVsreceivethecommand.
EitherUAVoperationsshouldbedeconflicted,orproceduresputinplacetoensurethecontrolstationislinkedtothecorrectaircraft.Ifanincorrectlinktakesplacealldatamustbeverifiedtoensureitiscorrect
134
C.39.2
TheoperatorheardATCprovidealandingclearancetoanotheraircraftandmistakenlythoughttheclearancewasfortheoperator'sUAV.Theoperatorreadsbacktheclearanceatthesametimeastheotherpilot,andATConlyhearsthereadbackforthecorrectaircraft.Theoperatorprovidesthelandnowcommandastheotheraircraftislanding.
Duringcriticalphasesofflight,suchastakeoff,climb,andlanding,thegroundstationmustbeclearofnonessentialpersonnelandtheoperatormustmaintaina'sterilecockpit'environment.
C.39.3
ATCprovidesalandingclearanceeventhoughanaircraftisontherunwaybecausethecontrollerbelievesthattheaircraftwillbeofftherunwaybythetimetheUAVlands.Theaircraftontherunwayisnotabletocleartherunwayintime,andtheUAVlandsontherunwaywhiletheotheraircraftisalsoontherunway.
Theoperatormustbeabletoabortthelandingprocedureifthelandingisnotlongerconsideredsafe.Groundpersonnelmustprovidefeedbackifthereisanaircraftontherunway,astheUAVoperatormaynotseetherunwaythroughthecamera.
H5 C.39.4
Theoperatorprovidesthelandnowcommand,buttheUAVdoesnotcompensateforcrosswindsduringfinalapproachanddoesnotlandontherunway
TheUAVmustbedesignedtocompensateforcrosswindsduringlanding
TheoperatorprovidesthelandnowcommandwhentheUAVisnotattheairfield
H1 C.40.1 Thelandnowcommandisnotprovided,buttheUAVreceivesalandcommandfromadifferentgroundcontrolstation
EitherUAVoperationsshouldbedeconflicted,orproceduresputinplacetoensurethecontrolstationislinkedtothecorrectaircraft.Ifanincorrectlinktakesplacealldatamustbeverifiedtoensureitiscorrect
135
C.40.2
Theoperatordoesnotintendtoclickthelandnowbutton.Thebuttonisnearanotherbuttonthattheoperatormeanttopress.TheoperatordoesnotimmediatelyrealizethattheUAVistryingtoland,anddoesnotrecovertheaircraftbeforeitfliesintoterrain.
Asecondarypromptforsafetycriticalcommandsorotherdesignstopreventaccidentallysendingcommand.
H2 C.40.3 TheUAVprovidesaGPSpositionindicatingthattheUAVisinthepattern,howevertheGPSsolutionisinaccurateandtheUAVisnotinthepattern.
TheVMSmustreceivefeedbackwhentheaccuracyoftheGPSsolutionisbelowaminimumthreshold,additionallyothernavigationsolutionssuchasINSorVORshouldbeconsideredasabackupsystem
C.40.4
Theoperatorprovidesthelandnowcommand,butprovidesaGPSlandingwaypointthatisnotattheairfield.Thelandingpointwasforanemergencyofffieldlanding,andwasmistakenlyprovidedtotheUAVpriortolanding.
TheUImustprovidefeedbackifthelandingwaypointisnotattherunway.
TheoperatorprovidesthelandnowcommandbeforetheUAVcompletestheairfieldarrivalprocedure
H1,H2 C.41.1 Thelandnowcommandisnotprovided,buttheUAVreceivesalandcommandfromadifferentgroundcontrolstation
EitherUAVoperationsshouldbedeconflicted,orproceduresputinplacetoensurethecontrolstationislinkedtothecorrectaircraft.Ifanincorrectlinktakesplacealldatamustbeverifiedtoensureitiscorrect
C.41.2
Theoperatorsetsupthelandingprocedure,andplacesthemouseoverthelandnowbutton.Theoperatoraccidentallypressesthe
Asecondarypromptforsafetycriticalcommandsorotherdesignstoprevent
136
mouse,commandingtheUAVtoland.
accidentallysendingcommand.
C.41.3
TheoperatorreceivesincorrectGPSlocationandbelievestheUAVhasfinishedtheapproach.
TheVMSmustreceivefeedbackwhentheaccuracyoftheGPSsolutionisbelowaminimumthreshold,additionallyothernavigationsolutionssuchasINSorVORshouldbeconsideredasabackupsystem
C.41.4
Theoperatorprovidesthecommand,whichistobeexecutedoncethearrivaliscomplete,butinsteadtheUAVexecutesthelandingprocedureassoonasthecommandisreceived.Thecommandoverwritesthecurrentflightplan.
Thelandingsequencemustnotoverwritethecurrentplan,orthelandingsequencemustnotbeprovideduntiltheUAVisinapositiontoland.
Theoperatordoesnotprovidelostlinkproceduresduringflightoperations
H1,H2 C.42.1
Theoperatorprovidesthelostlinkprocedure,butitisnotreceivedduetointerferenceormasking.Theprocedureisthennotupdatedasterrain,weather,orconflictingtrafficchangesalongtherouteofflight
TheUAVmostprovidefeedbackindicatingthelostlinkprocedureswerereceived.Ifthefeedbackisnotreceivedbytheoperator,theoperatormustresendtheprocedures
C.42.2
Theoperatordoesnotbelievethatthelostlinkprocedureneedstobeupdatedbecausetheprocedurewasrecentlyupdatedperaregularschedule,anddoesnotprovideupdatedlostlinkprocedure.However,terrain,weather,orconflictingtraffichavechangedalongtheroutesincethescheduleupdate.
ThelostlinkproceduresshouldbeupdatedbasedonrouteoftravelandobstaclesbetweentheUAVandtheairfieldratherthantiming.
137
C.42.3 TheoperatordoesnotprovideanupdatedlostlinkprocedurebecausetheoperatorwasnotawarethattheairspacethattheUAVwouldflythroughifalostlinkoccurredisnolongersafe.
ATCmustprovidetheoperatorwithuptodateinformationifairspaceisnolongersafe.TheoperatormustalsoprovideATCwiththecurrentlostlinkproceduresothatiflostlinkshouldoccurATCcanensureotheraircraftareclearofthepath.
C.42.4 Theoperatorprovideslostlinkprocedures,butthesamesignalthatisjammingcommunicationsalsojamstheGPSsignal,andtheUAVfliesoffcourse
TheUAVmustbeabletodetectwhentheGPSsignalislostandusebackupnavigationmethods.Additionally,thecommunicationssystemmusthaveabackupsystemthatisfullyindependentofthemaincommunicationssystem.
Theoperatorprovideslostlinkprocedure,andthelostlinkprocedurewaypointsconflictwithotheraircraft
H2 C.43.1
Lostlinkproceduresareupdatedbyanothergroundstation.TheprocedureswereintendedforanotherUAV.
EitherUAVoperationsshouldbedeconflicted,orproceduresputinplacetoensurethecontrolstationislinkedtothecorrectaircraft.Ifanincorrectlinktakesplacealldatamustbeverifiedtoensureitiscorrect
C.43.2
Theoperatorisawarethatthereareotheraircraftintheairspace,butprovidesthelostlinkprocedureanyway.Theoperatorbelievesthatshouldlostlinkoccur,theoperatorcanupdateATCsothattheycandeconflicttheotheraircraft.However,thelostlinkisduetocommunicationsfailureatthegroundstation,
Theoperatormustnotprovidealostlinkprocedurethatconflictswithothertraffic.
138
andtheoperatorcannotinformATCofthelostlink.
C.43.3
TheoperatordoesnotreceivefeedbackfromATCthattheairspacetheUAVwillflythroughiflostlinkoccursisnowoccupiedbyaircraft.
ATCmustprovidetheoperatorwithuptodateinformationifairspaceisnolongersafe.TheoperatormustalsoprovideATCwiththecurrentlostlinkproceduresothatiflostlinkshouldoccurATCcanensureotheraircraftareclearofthepath.
C.43.4
Thelostlinkproceduresdonotconflictwithothertraffic,butwindsblowtheUAVoffcourse,andtheUAVdoesnotcorrectthecoursedeviation
TheUAVmustcompensateforwindsandmaintainthecoursebetweenwaypoints.
Theoperatorprovideslostlinkprocedures,andthelostlinkprocedureisnotatoraboveMOCA
H1 C.44.1 Lostlinkproceduresareupdatedbyanothergroundstation.TheprocedureswereintendedforanotherUAVthatisflyingoverlowerterrain.
EitherUAVoperationsshouldbedeconflicted,orproceduresputinplacetoensurethecontrolstationislinkedtothecorrectaircraft.Ifanincorrectlinktakesplacealldatamustbeverifiedtoensureitiscorrect
C.44.2
ThelostlinkproceduresarebasedoffofthecurrentpositionoftheUAV,butwhentheUAVlosesthelinklaterintheflightthereishigherterrainbetweentheairfieldandtheUAV.
Iflostlinkproceduresareprovidedbasedontimingratherthanexpectedterrain,thelostlinkproceduremustbesafefortheentiretimeuntilthenext
139
scheduledlostlinkupdate.
C.44.3
Theoperatorhasinaccuratecharts,andbelievesthatthelostlinkprocedureissafe,butthealtitudeisactuallytoolowcomparedtotheterrain.
Theoperationssupportorganizationmustprovideupdatedandaccuratecharts.
C.44.4
Thelostlinkproceduresareofanappropriatealtitudeforthecourse,howeverthewindsblowtheUAVoffcourse,anditdoesnotcorrectthecoursedeviation.
TheUAVmustbeprogrammedtocorrectcoursedeviations.
Theoperatorprovideslostlinkproceduresbeforelostlinkproceduresneededtobeupdated
H1,H2 C.45.1
Itisalmosttimetoupdatethelostlinkprocedures,sotheoperatordecidestogoaheadandsendtheupdate.Shortlyaftertheupdate,theUAVexperiencesalostlinkandexecutestheproceduresfortheupcominglegratherthanthecurrentleg.
ThelostlinkprocedureupdatemustnotbeprovideduntiltheUAVisflyingthelegassociatedwiththeupdatedprocedure
C.45.2
TheoperatorreceivedpositionfeedbackthatindicatedtheUAVwasatthenextleg,sotheoperatorprovidedthelostlinkprocedure.Thepositionfeedbackwasincorrect,andtheupdatewasnotyetneeded.
OncetheUAVhasenteredthelegassociatedwiththeupdatedlostlinkprocedure,theoperatormustsendtheprocedure.
Theoperatorprovideslostlinkprocedureswhenthewaypointsexceedthestorage
H1,H2 C.46.1
Theoperatorprovideslostlinkproceduresthatwerewithinthestoragecapacityoftheautopilot.ThemessagereceivedbytheUAVisdelimitedincorrectlyduetotranslationfromtheUItotheradiostotheUAV,whichexceedsstoragecapacity
Thegroundstationradiosmustsendcommandsaccurately
140
capacityoftheautopilot
C.46.2
TheoperatorprovidesalargenumberoflostlinkwaypointstoensurethattheUAVfliesasaferoute,howevertheoperatorusestoomanywaypointsthatexceededthestorage
Theoperatormustsendanumberofwaypointsthatarelessthantheautopilotstorage.Theautopilotstoragemustbelargeenoughtostoreenoughwaypointsforthelengthofmission
C.46.3
Theoperatorprovidesthelostlinkprocedures,butdoesnotreceivefeedbackthattheprocedureswerereceived,sotheoperatorprovidesthemagain.Thesecondsetofproceduresareconcatenatedratherthanreplacingthefirstsetofprocedures
TheUAVmustprovidefeedbackthattheprocedurearereceived,andtheautopilotmustreplaceoldprocedureswithnewprocedures
C.46.4
Theoperatorprovideslostlinkproceduresthatarewithinthestoragecapacityoftheautopilot,buttheproceduresaredelimitedincorrectlytakingupmorestoragespacethantheautopilot'scapacity
TheUAVmustsaveproceduresintotheautopilotaccurately
TheoperatordoesnotprovidethepayloadpoweroncommandwhenUAVisoverthetargetarea
H3
C.47.1
Theoperatorprovidedthepayloadpoweroncommand,howeverthesignalisjammed,andtheUAVdoesnotreceivethecommand.
TheoperatormustprovidepayloadpoweronearlytoensurethatthecommandisreceivedbeforetheUAVisoverthetargetarea
141
C.47.2
TheoperatordoesnotprovidethepayloadoncommandbecausetheoperatormisinterpretedtheflightplananddidnotbelievetheUAVwasoverthetargetarea
TheUImustprovidefeedbackindicatingwhentheUAVisoverthetargetarea
H1,H2
C.47.3
TheoperatordoesnotprovidethepayloadoncommandbecausetheoperatorbelievestheUAVisnotatthetargetarea.AGPSnavigationmalfunction,inaccuratesolution,orjammingofthenavigationsignalcausestheoperatortogetincorrectornopositionfeedback.
TheGPSmustprovidefeedbackwhenthesolutionisbelowtheminimumaccuracythreshold.Additionally,asecondarynavigationalsystemsuchasVORorINSmustbeconsideredinthedesign
C.47.4
TheoperatorprovidesthepoweroncommandwhentheUAVisoverthetargetarea,howeverthepayloaddoesnotturnon.Thepayloadwasinstalledbeforetheflight,andthewiringwasnotinstalledtoprovidethepayloadwithpower
Afterconductingpayloadmaintenance,thepayloadmustundergoafunctionalcheckouttoensureitworksasexpected
Theoperatorprovidesthepayloadpoweroncommandwhenthealternatorfails
H4
C.48.1
Theoperatordoesnotprovidethepayloadpoweroncommandbecausetheoperatorrecognizesthatthereisanalternatorfailure,andtheUAVisoperatingonbatterypower.Ashortedwireprovidesthepayloadpower,anyway,drainingthebattery.
Wiringmustbecheckedduringpreflightandshouldbedesignedtowithstandvibrationsassociatedwithflight
C.48.2
Theoperatorrecognizesthatthealternatorhasfailed,buttheaircraftisheadingtowardstheairfield(onareturnleg),andtheoperatorbelievesthatthereisenoughpowerforthepayloadtobeturnedonforashorttime.
Thepayloadmustnotbepoweredonifthealternatorisnotfunctioning
142
C.48.3
TheoperatordoesnotreceivepowersystemfeedbackfromtheUAV,anddoesnotrecognizethatthealternatorhasfailed.Theoperatorisusingamainscreen,andunlesstheoperatorcheckstheelectricpowerstatusscreenisunawareofthepowersystemstate.
SubsystemfaultsmustbedisplayedontheUIregardlessofwhatscreentheoperatorisactivelylookingat.Additionally,consideranelectricalsystemscreencheckpriortoturningonthepayload.
C.48.4
Theoperatorprovidesthepayloadpoweroncommand.Thepayloadusesmorepowerthanexpected,causingthebatterytodrain.Thealternatorfails,butthereisnobatterypowertopowertheUAV
Thepayloadmustnotconsumeanymorepowerthanwhatthealternatorprovides
Theoperatordoesnotprovidethepayloadpoweroffcommandwhenthealternatorfails
H4
C.49.1
Theoperatorcannotturnthepayloadpoweroffwhenthealternatorfailsbecausetheradioisnotonbatterypower.TheUAVexecuteslostlinkprocedures,butisnotprogrammedtoturnoffthepayloadpoweranddoesnothaveenoughbatterypowertoreturnhome.
Theradiomustbeonbatterypowerincaseofanalternatorfailure.Incaseoflostlink,theVMSmustbeprogrammedtoturnoffthepayloadpowerifthealternatorfailsorwiringmustbedesignedtopreventemergencypowertothepayload.
C.49.2
Theoperatorrecognizesthatthealternatorisnotproducingpower,buttheUAVisoverthetargetarea,andtheoperatordecidestocontinueoperatingthepayloaduntiltheUAVhasleftthetargetarea
Theoperatormustpoweroffthepayloadandreturntotheairfieldifthealternatorfails.
C.49.3
Theoperatorrecognizesthatthealternatorisnotproducingpower,theoperatorsendsacommandtoturnthepoweroff,howeverthepowersystemfeedback
SubsystemfaultsmustbedisplayedontheUIregardlessofwhatscreentheoperatorisactivelylookingat.Additionally,consideranalerttoensurethat
143
wasdelayed,andthebatteryissignificantlydepleted
theoperatorseesthefeedbackassoonasitisprovided.
C.49.4
TheoperatorrecognizesthatthealternatorisnotproducingpowerandclicksthebuttonontheUItoturnoffthepayload.Theoperatorclickedjustoutsidethebutton,andtheoperatordidnotnoticethatthecommandtothepayloadpowerwasnotsent.
Thestatusofthepayloadpowermustbedistinguishablebetweenonandoff.
C.49.5
Theoperatorprovidesthepayloadpoweroffcommandtoconservepoweroncethealternatorfails,howeverevenwiththepayloadpowerofftheUAVdoesnothaveenoughbatterypowertoreturntobase
Thebatterymusthaveenoughpowertoreturntobasesafely
TheoperatorprovidesthepayloadpoweroffcommandwhentheUAVisoverthetargetarea
H3
C.50.1
Theoperatorprovidesthepayloadpoweroncommand,howeveranothergroundstationisbeingusedforapostmaintenancecheckortraining,andthegroundstationsendsapayloadpoweroffsignalthattheUAVreceives,andtheUAVturnsoffpayloadpower.
Groundstationsmustnotsendsignalsoutwhentheyarenotactivelycontrollinganaircraft.
C50.2
Theoperatormisinterpretstheflightplan,andbelievesthattheUAVhasexitedthetargetarea.TheoperatorturnsthepayloadpoweroffwhiletheUAVisstilloverthetargetarea.
TheUImustprovidefeedbackindicatingwhentheUAVisoverthetargetarea
144
C.50.2
TheoperatorbelievestheUAVhasleftthetargetarea.AGPSnavigationmalfunction,inaccuratesolution,orjammingofthenavigationsignalcausestheoperatortogetincorrectornopositionfeedbackandprovidethepayloadpoweroffcommand
IftheoperatorisunsureofthepositionoftheUAV,theoperatormustnotprovidethepayloadoffcommand
C50.3
Theoperatordoesnotprovidethepayloadpoweroffcommand,howeverthepayloadwasnotdesignedfortheflightenvironmentitisbeingsubjectedto,andfailsinflight
ThepayloadsmustbedesignedandtestedfortheUAVflightconditions
Table12UAVVMSScenarios
UCA Hazard ScenarioDesignator MainScenarioDescription SafetyConstraint
TheVMSdoesnotprovideroll,pitch,oryawcommandswhentheUAVisoffcourse
H1,H2,H3
V.1.1
TheVMSprovidestheroll,pitch,oryaw,howevertheactuatordoesnotreceivethecommand.Abrokenwireorconnectionpreventsthesignalfromgettingtotheactuator.
Wiringmustbecheckedduringpreflightandshouldbedesignedtowithstandvibrationsassociatedwithflight
V.1.2
TheVMSknowsthepositionoftheaircraftrelativetothewaypoint,howeveritdoesnotcommandroll,pitch,oryawinordertoflytothewaypoint.WindsareblowingtheUAVoffcourse.Thewaypointsarespreadout,andtheUAVautopilotisprogrammedtoflytothenextwaypoint,notmaintain
TheUAVmustflythedesiredcourse.Inwindyconditions,thewaypointsmayhavetobeclosertogethertomaintainthetrack.Or,theUAVmustbeprogrammedtofollowthecourse,notjustflytothewaypointfrompresentposition
145
thecoursefromthepreviouswaypoint.
V.1.3
TheVMSreceivesincorrectUAVpositionfeedback,andthereforedoesnotrecognizethatitneedstoprovideroll,pitch,oryawcommandstoflytothewaypoint.ThepositionisinaccuratebecausetheGPSnavigationmalfunctionsorhasaninaccuratesolution.
TheVMSmustreceivefeedbackwhentheaccuracyoftheGPSsolutionisbelowaminimumthreshold,additionallyothernavigationsolutionssuchasINSorVORshouldbeconsideredasabackupsystem
H4
V.1.4
TheVMSprovidestheroll,pitch,oryaw,butthecontrolsurfacedoesnotdeflect.Anactuatororcablelinkageisbrokennotallowingtheaircraftroll,pitchoryaw
Actuatorsandcablelinkagesmustbeinspectedbeforeeachflight.Acontrolcheckshouldalsobeperformedduringpreflight.
146
TheVMSprovidesroll,pitch,oryawwhenthecommandexceedsaircraftattitudelimits
H4
V.2.1
TheVMSdoesnotprovidetheroll,pitch,oryawcommand,buttheaileron,elevator,andrudderreceivethecommand.Ashortedwireprovidespowertotheactuatorcausingtheaileron,elevator,orruddertomove.Theaileron,elevator,andrudderreceivethecommandeventhoughtheVMSdidnotcommandit.
Wiringmustbedesignedtowithstandtheflightenvironment,andinspectedbeforeflight.
V.2.2
TheVMSprovidestheroll,pitch,oryawcommandandexceedlimitsforthecurrentflightcondition.TheVMSwasprogrammedwithonesetofattitudelimits,ratherthanasetofattitudelimitsfordifferentflightconditions(altitude&speed).Thecommanddidnotexceedtheprogrammedlimits,butitdidexceedactuallimitsforthatparticularflightcondition
TheVMSmustbeprogrammedwithlimitsatallflightconditions
V.2.3
TheVMSprovidesaroll,pitch,oryawcommandthatitbelieveswillresultinanattitudewithinlimits,howevertheattitudeisactuallyoutoflimits.Theaeromodellingofthesystemwasnotvalidated,andthemagnitudeofthecommandistoolarge.Thecommandedattitudeisactuallyoutoflimits.
Theaeromodelmustbevalidatedfortheentireflightenvelopeandflightconfigurationstoincludeabnormalconfigurations
147
V.2.4
TheVMSprovidesaroll,yaw,orpitchinputtocorrectaninvalidattitudeindicationitisreceivingandexceedsattitudelimits.Theinvalidfeedbackisduetoavacuumpumpfailurethatrenderstheattitudeindicatorinoperative.Thecommandexceedsattitudelimits,buttheVMSdoesnotrecognizetheexceedenceduetotheinvalidattitudeindication.
AsecondaryattitudeindicatormustbeincludedintheUAVdesignasabackuptothemainattitudeindicator.TheVMSmustreceivefeedbackofavacuumpumpfailuresothatitcanswitchtothesecondaryattitudefeedback
H5
V.2.5
TheVMSprovidesaroll,pitch,oryawcommandthatisappropriateforstayingwithintheUAVattitudelimits.Theactuatorwasconnectedtothecablesbackwards,andtheVMSinputhastheoppositeeffect(rollleftinputrollsUAVright).TheVMScontinuestocommandinthesamedirectioninanattempttocorrecttheattitudeeventuallyexceedingaircraftlimits.
Afteranycontrolsurfacerelatedmaintenance,acontrolscheckmustbeaccomplished.Acontrolscheckmustalsobeaccomplishedduringpreflight.Considerdifferentconnectorsforthedifferentdirectionssothatitcannotphysicallybeconnectedbackwards.
TheVMSprovidesroll,pitch,oryawwhenthecommandsteerstheUAVoffcourse
H1,H2,H3
V.3.1
TheVMSprovidedtheroll,pitch,oryawcorrectlytomaintainthecourse,howeverthecommandwasreceivedincorrectly.Thewiringtotheactuatorwasbackwards,commandingtheUAVtomoveintheoppositedirection.
Afteranycontrolsurfacerelatedmaintenance,acontrolscheckmustbeaccomplished.Acontrolscheckmustalsobeaccomplishedduringpreflight.Considerdifferentwiringconnectorssothatitisimpossible
148
towiretheactuatorbackwards
H5
V.3.2
TheUAVprovidesaroll,pitch,oryawcommandthatisinsufficienttomaintainthecourse.Thecontrolalgorithmisdesignedtomakesmall,slowcorrectionstoavoidovercontrol.Thecorrectionsaretoosmalltocorrectcoursedeviations,andtheUAVfliesoffcourse
Thecontrolalgorithmintheautopilotmustbedesignedtomakebothsmallcorrectionswhendeviationsaresmall,andlargercorrectionsforgreaterdeviations.
H5
V.3.3
TheUAVprovidesroll,pitch,oryawcommandthatsteerstheUAVoffcourse.TheUAVreceivesincorrectpositiondataindicatingthattheUAVisoffcourse.TheUAVcommandsroll,pitch,oryawtoreturntothecourse,butactuallycausestheUAVtogooffcourse
TheGPSmustprovidefeedbackwhenthesolutionisbelowtheminimumaccuracythreshold.Additionally,asecondarynavigationalsystemsuchasVORorINSmustbeconsideredinthedesign
V.3.4
TheUAVdoesnotprovideroll,pitch,oryawcommand,buttheUAVgoesoffcourse.WindblowstheUAVoffcourse,andtheVMSisprogrammedtoflytowardsawaypoint,notmaintainacourse.
TheautopilotmustbeprogrammedtomaintainthecoursebetweenwaypointstoavoidairspaceconflictsorCFIT
149
TheVMSprovidesthepitchdowncommandwhenthethrottleisreducedinordertodescend,butthecommandisdelayed
H4
V.4.1
TheVMSprovidedthepitchcommand,howevertheactuatordidnotreceivethecommandattheappropriatetime.Anintermittentwiringissuedelaysthecommandtotheactuator
Wiringandconnectionsmustbecheckedduringpreflightandshouldbedesignedtowithstandvibrationsassociatedwithflight
V.4.2
TheVMSprovidedthepitchcommandlate.Theautopilotwasprogrammedincorrectlywithtoolongofadelaybetweenthrottleandelevatorcommands
Theautopilotmustbeprogrammedtominimizedelaybetweentwocorrelatedcontrolsurfaceorthrottlecommands
V.4.3
TheVMSreceivedincorrectfeedbackwhichresultedindelayingthepitchcommand.TheVMSdidnotreceivefeedbackthatthethrottlewasreducedthereforeitdidnotcommandthenosedowntoavoidanoverspeed
TheVMSmustreceiveaccuratefeedbackofthethrottleposition
V.4.4
TheVMSreceivedincorrectfeedbackwhichresultedindelayingthepitchcommand.TheVMSreceivedincorrectfeedbackthattheelevatorwasalreadyattheappropriateposition
TheVMSmustreceiveaccuratefeedbackofthecontrolsurfacedeflections
V.4.5
TheVMSprovidedthecontrolsurfaceactuatorcommandcorrectly,buttheelevatordidnotdeflectasexpected.Theactuatorlinkageorcableisbroken,andtheelevatorisnolongercontrollable
Actuatorsandcablelinkagesmustbeinspectedregularlybeforeflight
150
V.4.6
TheVMSprovidedthepitchcommandcorrectly,butthecontrolsurfacedidnotdeflectasexpected.Thepowersystemdidnotprovidepowertotheactuatorduetoapowersystemfailure
Flightcriticalcomponentssuchasactuatorsmusthavebackuppowersothattheaircraftmaybelandedafterapowersystemfailure
TheVMSprovidesapitchupcommandwhenthethrottleisincreasedforaclimb,butthecommandisdelayed
H6
V.5.1
TheVMSprovidedthepitchcommand,howevertheactuatordidnotreceivethecommandattheappropriatetime.Anintermittentwiringissuedelaysthecommandtotheactuator
Wiringandconnectionsmustbecheckedduringpreflightandshouldbedesignedtowithstandvibrationsassociatedwithflight
V.5.2
TheVMSprovidedthepitchcommandlate.Theautopilotwasprogrammedincorrectlywithtoolongofadelaybetweenthrottleandelevatorcommands
Theautopilotmustbeprogrammedtominimizedelaybetweentwocorrelatedcontrolsurfaceorthrottlecommands
V.5.3
TheVMSreceivedincorrectfeedbackwhichresultedindelayingthepitchcommand.TheVMSdidnotreceivefeedbackthatthethrottlewasincreasedthereforeitdidnotcommandthenoseuptoavoidastall
TheVMSmustreceiveaccuratefeedbackofthethrottlesetting
V.5.4
TheVMSreceivedincorrectfeedbackwhichresultedindelayingthepitchcommand.TheVMSreceivedincorrectfeedbackthattheelevatorwasalreadyattheappropriateposition
Actuatorsandcablelinkagesmustbeinspectedregularlybeforeflight
151
H4
V.5.5
TheVMSprovidedthecontrolsurfaceactuatorcommandcorrectly,buttheelevatordidnotdeflectasexpected.Theactuatorlinkageorcableisbroken,andtheelevatorisnolongercontrollable
Actuatorsandcablelinkagesmustbeinspectedregularlybeforeflight
H4
V.5.6
TheVMSprovidedthepitchcommandcorrectly,butthecontrolsurfacedidnotdeflectasexpected.Thepowersystemdidnotprovidepowertotheactuatorduetoapowersystemfailure
Flightcriticalcomponentssuchasactuatorsmusthavebackuppowersothattheaircraftmaybelandedafterapowersystemfailure
TheVMSprovidesaroll,pitch,oryawcommand,buttheaileron,elevator,orrudderisnotbroughtbacktoneutralwhentheaircraftreachesthetargetheading/descent/ascent
H1,H2,H3
V.6.1
TheVMSprovidesacommandtoreturntheaileron,elevator,orrudderbacktoneutral,howeverthecommandwasnotreceivedduetoapowersystemfault.Wiringorconnectionstotheactuatorarebroken,keepingtheactuatorfromreceivingthesignal.Or,asystempowerfailure(suchasanalternatorfailure)occurs,andtheactuatorsarenotonbatterypower.
Wiringmustbeinspectedduringpreflightandmustbedesignedtowithstandvibrationsassociatedwithflight.Thepowersystemmustbedesignedsuchthatapowersystemfailuredoesnotresultinlossofactuatorpower
H4
V.6.2
TheVMSprovidesacommandtoreturntheaileron,elevator,orrudderbacktoneutral,howevertheaeromodelisincorrectandtheaircraftdidnottakeaslongasexpectedtoreachthedesiredheading/descent/ascent
Theaeromodelmustbevalidatedfortheentireflightenvelopeandflightconfigurationstoincludeabnormalconfigurations
152
H4
V.6.3
TheVMSreceivedincorrectattitudedata,andbelievedthattheaileron,elevator,orrudderneededtostaydeflectedforlongerthanactuallyneededtoattainthedesiredheading/descent/ascent
Attitudeindicatorsmustbeinspectedduringpreflight,andmustbeflighttestedtoensureaccuracy
H4
V.6.4
TheVMSprovidedacommandtoreturnthecontrolsurfaceactuatortoneutral,howeverthecontrolsurfacedidnotmoveasexpected.Theactuatorlinkageorcableisbroken,andtheaileron,elevator,orrudderisnolongercontrollable
Actuatorsandcablelinkagesmustbeinspectedonaregularbasisandduringpreflightinspections
TheVMSprovidesaroll,pitch,oryawcommand,buttheaileron,elevator,orrudderisbroughtbacktoneutralbeforetheUAVreachesthetargetheading/descent/ascent
H1,H2,H3
V.7.1
TheVMSdoesnotprovideacommandtoreturntheaileron,elevator,orrudderbacktoneutral,howeverthecommandwasreceivedduetoapowersystemfault.Wiringorconnectionstotheactuatorarebroken,removingpowertotheactuatorandcausingtheaileron,rudder,orelevatortoreturntoneutral.
Wiringmustbeinspectedduringpreflightandmustbedesignedtowithstandvibrationsassociatedwithflight.
153
H4
V.7.2
TheVMSprovidesacommandtoreturntheaileron,elevator,orruddertoneutral,buttheUAVhasnotyetachievedthedesiredheading/descent/ascent.Theaeromodelwasincorrect,andaircrafttooklongerthanexpectedtoreachthedesiredheading/descent/ascent.
Theaeromodelmustbevalidatedfortheentireflightenvelopeandflightconfigurationstoincludeabnormalconfigurations
H4
V.7.3
TheVMSreceivesincorrectattitudedata,andbelievesthattheaileron,elevator,orrudderdoesnotneedtostaydeflectedtoattainthedesiredheading/descent/ascent
Attitudeindicatorsmustbeinspectedduringpreflight,andmustbeflighttestedtoensureaccuracy
H4
V.7.4
TheVMSdoesnotprovideacommandtoreturntheaileron,elevator,orruddertoneutral,butitreturnedanyway.Theactuatorlinkageorcableisbroken,andtheaileron,elevator,orrudderisfreefloating
Actuatorsandcablelinkagesmustbeinspectedonaregularbasisandduringpreflightinspections
TheVMSdoesnotprovideathrottlesettingcommandwhenenvironmentalconditionschange(turbulence,gusts)
H4,H6
V.8.1
TheVMSprovidesathrottlesetting,buttheenginethrottledoesnotreceivethecommand.Thewiresorconnectorstothethrottleactuatorarebroken
Wiringmustbeinspectedduringpreflightandmustbedesignedtowithstandvibrationsassociatedwithflight.
154
V.8.2
TheVMSreceivesverticalspeedandairspeeddatathatindicatetheUAVisinanareaofturbulenceorgusts,howeveritisnotprogrammedtochangethethrottlesetting.
TheVMSmustbeabletoeitherdeterminewhenenvironmentalconditionschange,orprovidefeedbacktotheoperatorsuchthatthethrottlecanbesetforasafeairspeedintheconditions
V.8.3
TheVMSdoesnotreceiveverticalspeedfeedback,anddoesnotrecognizethattheUAVisinturbulentconditions
TheVMSmustreceivefeedbacktodeterminewhenitisinturbulentorgustyconditionssothatitcansetasafeairspeed
V.8.4
TheVMSrecognizesthattheUAVisflyingthroughgustyconditions,andcommandsthethrottlelowertheairspeedtolessthanmaximumsafevelocityinroughair(VNO).Thethrottlesettingdoesnotchange.Thecableoractuatorconnectionisbroken,andthethrottleisnolongercontrollable
Actuatorsandcablelinkagesmustbeinspectedonaregularbasisandduringpreflightinspections
TheVMSdoesnotprovideahigherthrottlesettingwhentheUAVisinasustainedturn,whichreduceslift
H1,H2
V.9.1
TheVMSprovidesathrottlesetting,buttheenginethrottledoesnotreceivethecommand.Thewiresorconnectorstothethrottleactuatorarebroken
Wiringmustbeinspectedduringpreflightandmustbedesignedtowithstandvibrationsassociatedwithflight.
155
V.9.2
TheVMSentersaturnandtheairspeedsubsequentlydecreases.TheVMScommandsahigherthrottlesettingtomaintainairspeed,whichinturnincreasestheturnradius,causingtheaircrafttonolongerbeoncourse.TheVMSrespondsbyincreasingbankangle,whichagainnecessitatesanincreasedthrottlesettingcausingtheturnradiustoincreaseagain.ThiscycleoccursuntiltheUAVreachesthebankanglelimit,causingthepayloadtopointawayfromthetargetareatheUAVisorbiting
TheUAVmustbeprogrammedtopitchupinanorbittomaintaintheturnradiuswiththehigherthrottlesetting.
H4
V.9.3
TheVMSentersaturnandtheairspeedsubsequentlydecreases.TheVMScommandsahigherthrottlesettingtomaintainairspeed,whichinturnincreasestheturnradius,causingtheaircrafttonolongerbeoncourse.TheVMSrespondsbyincreasingbankangle,whichagainnecessitatesanincreasedthrottlesettingcausingtheturnradiustoincreaseagain.Thiscyclecontinues,butattitudeindicatorsareinoperative,andtheUAVexceedsattitudelimits
TheUAVmusthaveasecondaryattitudeindicator,andtheprimaryattitudeindicatormustprovidefeedbackwhenitisinoperative
156
H4
V.9.4
TheVMSrecognizesthattheUAVisdescendingintheturnandcommandsanincreasedthrottlesetting.Thethrottlesettingdoesnotchange.Thecableoractuatorconnectionisbroken,andthethrottleisnolongercontrollable
Actuatorsandcablelinkagesmustbeinspectedonaregularbasisandduringpreflightinspections
TheVMSprovidesathrottlesetting,butthethrottlesettingisnotenoughtomaintainanairspeedabovestallspeed
H4
V.10.1
TheVMSdidnotprovideathrottlesettingbelowstallspeed,howeverashortinthewiringprovidedthecommandtotheactuator,andthethrottlesettingdecreased
Wiringmustbeinspectedduringpreflightandmustbedesignedtowithstandvibrationsassociatedwithflight.
V.10.2
TheUAVprovidesathrottlesettingforaslowairspeedabovetheprogrammedstallspeed.Theprogrammedstallspeedisincorrect:itisforloweraltitudes,butathigheraltitudesthestallspeedincreases.Thehigherstallspeedisnotprogrammedintotheautopilot,andtheUAVisactuallybelowstallspeed
TheVMSmustbeprogrammedwithlimitsatallflightconditions
V.10.3
TheUAVreceivesinaccuratethrottlefeedbackandbelievesthatthethrottleisinanappropriatepositiontomaintainanairspeedabovestall.Theactuatorwasreplaced,andnotcalibratedtoensurethepositionfeedbackiscorrect.
Afteranythrottlerelatedmaintenance,anenginerunmustbeaccomplished,toincludecalibratingthepositionoftheactuatorwiththethrottlesetting
157
V.10.4
TheUAVprovidedathrottlesettingthatshouldhaveresultedinahigherairspeed,buttheairspeedisbelowstall.Slackinthecablescausedthethrottletonotreachathecommandedsetting
Cablesmustbeinspectedonaregularbasis,andduringthepreflightinspection
TheVMSprovidesathrottlesettingthatacceleratestheaircraftaboveVNE
H6
V.11.1
TheVMSdidnotprovideathrottlesettingbelowstallspeed,howeverashortinthewiringprovidedthecommandtotheactuator,andthethrottlesettingincreased
Wiringmustbeinspectedduringpreflightandmustbedesignedtowithstandvibrationsassociatedwithflight.
V.11.2
TheUAVprovidesathrottlesettingforahighairspeedjustunderVNETheprogrammedVNEspeedisincorrect:itisforloweraltitudes,butathigheraltitudesVNEdecreasesThelowerVNEspeedisnotprogrammedintotheautopilot,andtheUAVisactuallyaboveVNE
TheVMSmustbeprogrammedwithlimitsatallflightconditions
V.11.3
TheUAVreceivesinaccuratethrottlefeedbackandbelievesthatthethrottleisinanappropriatepositiontomaintainanairspeedbelowVNE.Theactuatorwasreplaced,andnotcalibratedtoensurethepositionfeedbackiscorrect.
Afteranythrottlerelatedmaintenance,anenginerunmustbeaccomplished,toincludecalibratingthepositionoftheactuatorwiththethrottlesetting
158
V.11.4
TheUAVprovidedathrottlesettingthatshouldhaveresultedinalowerairspeed,buttheairspeedisaboveVNE.Cablemaintenanceresultedinaninitialthrottlesettingataneutralactuatorpositionthatishigherthandesigned.Therefore,whenthethrottleincreasedtheactualthrottlesettingwashigherthanexpected
Afteranythrottlerelatedmaintenance,anenginerunmustbeaccomplished,toincludecalibratingthepositionoftheactuatorwiththethrottlesetting
TheVMSprovidesareducedthrottlesettingtoolateaftertheUAVflaresforlanding
H1,H5
V.12.1
TheVMSprovidedthethrottlecommandattherighttime,buttheactuatorreceivedthecommandlate.Anintermittentwiringissuedelaysthecommandtotheactuator
Wiringmustbeinspectedduringpreflightandmustbedesignedtowithstandvibrationsassociatedwithflight.
V.12.2
TheVMSprovidedthecommandlateduetoincorrectprogramming.TheUAVisprogrammedtowaitacertainamountoftimeaftertheflaretoreducetheairspeed,howeverflightconditionsrequiredanearlierthrottlereduction
TheVMSautopilotmustbeprogrammedtolandusingairspeedandaltitudefeedbackratherthantiming.TheUAVmustbetestedinnominalandoffnominalconditions
V.12.3
TheVMSprovidedthecommandlateduetoincorrectsystemfeedback.Thelaseraltimeterismalfunctioningandprovidingincorrectaltitudedata.TheVMSbelievestheUAVistoohighforareducedthrottlesetting
TheUAVmustbedesignedtodetectlaseraltimetermalfunctions.Thelaseraltimetermustbeinspectedregularlyforproperfunction,andtheexteriormustbecleanbeforeflight
159
V.12.4
TheVMSprovidedthecommandlateduetoincorrectsystemfeedback.Thepitotstaticsystemismalfunctioning,andtheVMSbelievestheUAVisslowerthanitactuallyis.
Thepitotstaticsystemmustberegularlyinspectedandthepitottubeshouldbeclearofobstructionsbeforelaunch
V.12.5
TheVMSprovidedthecommand,buttheactuatorperformedthethrottlereductionlate.Amechanicalmalfunctionoftheactuator,suchasajam,preventedthethrottleactuatorfromoperatingatthecommandedtime.
Actuatorsandcablelinkagesmustbeinspectedregularlybeforeflight.Additionally,thereshouldbenolooseitems,oritemsthatcouldbecomelooseinflight,leftintheaircraftthatcouldinterferewithoperationoftheUAV
TheVMSprovidesathrottlesettingtoacceleratetoatargetspeed,butthethrottleisnotreducedbeforereachingVNE
H6
V.13.1
TheVMSprovidesthecommandtoreducethethrottle,howeveritisnotreduced.ThewiringtothethrottleactuatorfromtheVMSisbroken,preventingtheactuatorfromreceivingcommands
Wiringandconnectionsmustbecheckedduringpreflightandshouldbedesignedtowithstandvibrationsassociatedwithflight
V.13.2
TheVMSrecognizedthatthetargetairspeedwasreached,howeveritdidnotprovidethecommandtoreducethethrottle.Theautopilotisprogrammedwithalargedeadbandaroundtargetairspeedtoavoidovercontrolandtheassociatedinducedoscillations,howeverthetargetairspeedisnearVNE,andthedeadband
Iftargetairspeedisnottightlycontrolled,thetargetairspeedmustbesufficientlybelowVNEtoavoidoverspeeds
160
allowstheUAVtoexceedVNE
V.13.3
TheVMSreceivedincorrectairspeedfeedbackduetoapitot-staticsystemfaultanddidnotrecognizethattargetairspeedwasreached
Thepitotstaticsystemmustberegularlyinspectedandthepitottubeshouldbeclearofobstructionsbeforelaunch
H4
V.13.4
TheVMSprovidedthecommandtoreducethethrottleoncetargetairspeedwasreached,howeverthethrottlewasnotreduced.Theactuatorlinkageorcableisbroken,andthethrottleisnolongercontrollable
Actuatorsandcablelinkagesmustbeinspectedregularlybeforeflight
V.13.5
TheVMSprovidedthecommandtoreducethethrottleoncetargetairspeedwasreached,howeverthethrottlewasnotreduced.Thepowersystemdidnotprovidepowertotheactuatorduetoapowersystemfailure
Flightcriticalcomponentssuchasactuatorsmusthavebackuppowersothattheaircraftmaybelandedafterapowersystemfailure
TheVMSprovidesathrottlesettingtodeceleratetoatargetspeed,butthethrottleisnotincreasedbeforereachingstallspeed
H4
V.14.1
TheVMSprovidesthecommandtoincreasedthethrottle,howeveritisnotincreased.ThewiringtothethrottleactuatorfromtheVMSisbroken,preventingtheactuatorfromreceivingcommands
Wiringandconnectionsmustbecheckedduringpreflightandshouldbedesignedtowithstandvibrationsassociatedwithflight
161
V.14.2
TheVMSrecognizedthatthetargetairspeedwasreached,howeveritdidnotprovidethecommandtoreducethethrottle.Theautopilotisprogrammedwithalargedeadbandaroundtargetairspeedtoavoidovercontrolandtheassociatedinducedoscillations,howeverthetargetairspeedisnearstallspeed,andthedeadbandallowstheUAVtodeceleratebelowstallspeed
Iftargetairspeedisnottightlycontrolled,thetargetairspeedshouldbesufficientlyabovestallspeedtoavoidstalls
V.14.3
TheVMSreceivesincorrectairspeedfeedbackduetoapitot-staticsystemfaultanddoesnotrecognizethattargetairspeedwasreached
Thepitotstaticsystemmustberegularlyinspectedandthepitottubeshouldbeclearofobstructionsbeforelaunch
V.14.4
TheVMSprovidedthecommandtoincreasethethrottleoncetargetairspeedwasreached,howeverthethrottlewasnotincreased.Theactuatorlinkageorcableisbroken,andthethrottleisnolongercontrollable
Actuatorsandcablelinkagesmustbeinspectedregularlybeforeflight
V.14.5
TheVMSprovidedthecommandtoincreasethethrottleoncetargetairspeedwasreached,howeverthethrottlewasnotincreased.Thepowersystemdidnotprovidepowertotheactuatorduetoapowersystemfailure
Flightcriticalcomponentssuchasactuatorsmusthavebackuppowersothattheaircraftmaybelandedafterapowersystemfailure
162
V.14.6
TheVMSprovidedthecommandtoincreasethethrottleoncetargetairspeedwasreached,howeverthethrottlewasnotincreased.Enginefailureoccurred,notallowingtheaircrafttoaccelerate
Ifenginefailureoccurs,theVMSmustrecognizethefailureandprovideattitudecommandstoavoidastall
163
Appendix3:STPACompliancewithMIL-HDBK-516CChapter4ofMIL-HDBK-516Cdiscussesthesystemsengineeringcriteriaforairworthinesscertification.ThispaperexamineshowSTPAwouldprovidetheinformationrequiredforeachoftheSEairworthinesscriterialistedinthehandbook,andmoreimportantlyensureasafeaircraftdesign.4.1Designcriteria.4.1.1Requirementsallocation.Criterion:Verifythatthedesigncriteria,includingrequirementsandgroundrules,adequatelyaddressairworthinessandsafetyformissionusage,fullpermissibleflightenvelope,dutycycle,interfaces,inducedandnaturalenvironment,inspectioncapability,andmaintenancephilosophy.Standard:Allocatedhighlevelairworthinessandsafetyrequirementsdownthroughthedesignhierarchyaredefined.Allocateddesigncriteriaforallsystemelementsandcomponentsresultinrequiredlevelsofairworthinessandsafetythroughoutthedefinedoperationalflightenvelope,environment,usageandlife.MethodofCompliance:Inspectionofprocessdocumentationverifiesallocationofairworthinessandsafetyrequirementsanddesigncriteria.Traceabilityisdocumentedamongrequirements,designcriteria,designandverification.Consistencybetweendesigncriteriaandairworthinessandsafetyrequirementsisconfirmedbyinspectionofdocumentation.
OneoftheinputsintoanSTPAanalysisisthecontextwithinwhichthesystemoperates.Thecontextincludesmissionset,flightphases,operatingenvironment,andmaintenanceandlogisticssupport.Oncethecontextisdetermined,therequirementsgeneratedbySTPAforsafeoperationwithinthatcontextflowfromhighlevelrequirementstothesubsystemandcomponentlevels.TraceabilityisakeycomponentofSTPAandflowsthroughtheanalysisandproductstooperations.ThistraceabilitycoupledwiththesystematicapproachofSTPAalsoensuresthatcriticalsafetyrequirementsarenotmissedduringtheairworthinesscertificationinspection.4.1.2Safetycriticalhardwareandsoftware.Criterion:Verifythatairworthinessandsafetydesigncriteriaareadequatelyaddressedatcomponent,subsystemandsystemlevels,includinginterfaces,latencies,softwareandinformationassurance.Standard:Safetycriticalsoftwareandhardware(includingCriticalSafetyItems(CSIs))areidentified.Designcriteriaandcriticalcharacteristicsofsafetycriticalsoftwareandhardwarearedefined,substantiatedanddocumentedinsufficientdetailtoprovidefor“form,fit,functionandinterface”replacementwithoutdegradingsystemairworthiness.Designcriteriaandcriticalcharacteristicsofsafetycriticalsoftwareandhardwareincorporaterelevantsecurityrequirementsandmitigationtechniquesneededtoensuresafetyofflight.MethodofCompliance:Inspectionofdocumentationverifiesthataprocessisinplacetoadequatelyidentifysafetycriticalsoftwareandhardware,CSIs,andassociateddesigncriteriaandcriticalcharacteristicsatthecomponent,subsystemandsystemlevels.Inspectionofdocumentationverifiesthatsafetycriticalsoftwareandhardware,CSIs,andassociateddesigncriteriaandcriticalcharacteristicsresultingfromthisprocessaredocumented.InspectionofdocumentationverifiesthatsecurityrequirementsandmitigationtechniquesthataffectflightsafetyareincorporatedintosafetycriticalsoftwareandhardwareandCSIs.
CriticalsafetyitemsareeasiertoidentifywithSTPAbecauseofthetop-downapproach.Ratherthanlookingatallcomponentstodeterminewhichonesaresafetycritical,STPAstartswiththeaccidentsandassociatedhazardsandgeneratesthescenariosthatcouldcausethehazardousstatetooccur.Thesescenarioswouldillustratewhichcomponentsorsubsystemsaremostsafetycritical.Additionally,anSTPAanalysisprovidesinformationregardingtheinterfacesbetweenthecomponentandotherelementsinthesystem.Ifthesafetyconstraintsareimplementedinthedesign,thesystemwillbesafe.Aslongasthenewcomponentmeetsthe
164
samesafetyconstraintsasthepreviouscomponent,thecomponentwillnotdegradeairworthiness.Ifthenewcomponentprovidesupgradedfunctionality,theoriginalSTPAanalysiscanbemodifiedtodeterminesafetyoftheupgradedcomponent.STPAcanalsobeusedforsoftwareandinformationassurance.Anotherimportantandoftenoverlookedinterfaceisbetweentheoperatorandtheautomation.STPAisdesignedtoaccountforhumanandsoftwareinteractionsaswellascomponent-levelinteractions.4.1.3Commercialderivativeaircraft.Criterion:Verifythat,forcommercialderivativeairvehicles,theairvehicle'scertificationbasisaddressesalldesigncriteriaappropriatefortheplannedmilitaryusage.Standard:Commercialderivativeaircrafthasbeenassessedforitssuitabilityfortheintendedmilitaryapplicationanddeterminedtobeairworthyandsafe.Limitationsappropriatetotheintendedmilitaryusageandenvironmentareidentified.MethodofCompliance:Inspectionofcertificationdataandanalysessubstantiatesthatthemilitaryairvehicleisairworthyandsafeforitsintendedmilitaryusageandenvironments.Militaryairvehicleairworthinesscertificationdataaddressesallequipment,usage,andenvironmentsnotcoveredbythecommercialcertification.
AnSTPAanalysiscanbecompletedusingthecommercialaircraftwithinthenewoperationalcontext.Inaddition,theanalysiswilldeterminethesafetyoftheintegrateddesignofthecommercialairframewithmilitarymissionsystems.Militarymissionsareusuallymuchmorestressfulontheaircraftandinvolvepushingtheenvelopemorethanthemissionsforwhichcommercialaircraftarecertified.Theexpectedenvironmentandstressesusedduringthecommercialcertificationprocessmaybedifferentthanthatformilitarymissions.STPAwouldconsiderthechangeinoperationsintheanalysis.Inaddition,commercialairworthinessstandardslikeSAEARP4761assumethatpilotsandmaintainersdotherightthinganddonotconsidertheimplicationsofhumanerroronthedesignoftheaircraftitself(notjusttheinterfacebetweentheaircraftandthehumans).STPAincludeshumanbehaviorinairworthinesscertification.4.1.4Failureconditions.Criterion:Verifythatsafetyofflightrelatedfailureconditionshavebeenadequatelyaddressedinthedesigncriteria.Standard:Safetyofflightfailureconditions(includingapplicablesinglepointfailures)havebeenidentified.Nosinglesafetyofflightfailureconditionresultsina"Catastrophic"severity(i.e.,death,permanenttotaldisability,monetarylossequaltoorexceeding$10millionorlossofairvehicle)withafrequencygreaterthan"improbable"(i.e.,arateoflessthanoneeventperonemillionflighthours).MethodofCompliance:Inspectionofthehazardanalysisverifiesthatsafetycriticalhazardshavebeenidentifiedandthatcatastrophicfailuresarenomorefrequentthanimprobable.Analysisofthedesignverifiesthattherequiredlevelofsafetyisachieved.Operatinglimitationsaredefined.Theanalysisincludesgroundrulesandassumptions.
WhileSTPAdoesnotassignprobabilitiestosafetyconditions,ifalloftherequirementsandconstraintsfoundviatheanalysisareimplemented,eitherthroughsystemdesignoroperationalrequirements,thesafetyofflightrelatedfailureconditionsisadequatelyaddressed.Mishapsmayoccurwhenmultiplefailureconditionsexist.Inaddition,particularlywhensoftwareisinvolved,mishapsmayresultwhennothinghasfailedandinsteadunsafe
165
interactionsoccuramongfunctioningcomponents.Commercialaircraftcertificationstandards(suchasSAEARP4761)donotincludesuchconsiderations.STPAdoes.4.1.5Operatingenvironment.Criterion:Verifythattheairsystemisdesignedtooperateinthenaturalandinducedenvironmentsforwhichitisintended.Standard:Theairsystemdesigncriteriaincludestheintendednaturalandinducedenvironments.Theairsystem,includingtheairvehicleandcontrolstationequipment,isqualifiedtooperateintheintendednaturalandinducedenvironments(e.g.,temperature,humidity,precipitation,icing,fungus,saltfog,particulateandliquidcontamination,shockandvibration,andexplosiveatmosphere).MethodofCompliance:Inspectionofdocumentationverifiesthattheairsystemintendednaturalandinducedenvironmentsaredocumented.Analysis,demonstrationandtestverifythatequipmentprovidesrequiredfunctionandperformancewithintheenvelopeofintendednaturalandinducedenvironmentswithoutimposingasafetyofflightrisk.Inspectionofqualificationtestresultsverifiesthatequipmentisqualifiedforitsintendedenvironments.
STPAprovidesaprocedureforidentifyingtheoperationalcontextofthesystemandidentifyingthesafetyconstraintsassociatedwiththatenvironment.Additionally,STPAprovidesinformationtodeterminedesigntradeoffsastheremaybesomecompetinginterestssuchasenginetakeoffpowerandcruiseperformanceorthelocationofdisplays.WithSTPA,thesafetyconsiderationsforthedecisionareevaluatedandonceadecisionismade,STPAcanbeusedtominimizeanyinducedsafetyconcerns.4.1.6Flightandsafetycriticalfunctions.Criterion:Verifythattheairsystemsdesigncriteriaidentifyflightandsafetycriticalfunctions,andtheirdegradedandfailedmodesandstates.Verifythattheairsystemandairvehicledetectandrespondappropriately,predictably,safelyandinatimelymannertoflightandsafetycriticalfunctiondegradedstatesorfailures.Standard:Thedesigncriteriaidentifyflightandsafetycriticalfunctions,modesandstatesfortheairsystem,includingtheairvehicle.Theairsystemdesigncriteriaidentifyflightandsafetycriticalfunctiondegradedstatesandfailures.Theairsystemdetectsandrespondsappropriately,predictably,safelyandinatimelymannertoflightorsafetycriticalfunctiondegradedstatesorfailures.Theairvehicledetectsandrespondsappropriately,predictably,safelyandinatimelymannertoairvehicleflightorsafetycriticalfunctiondegradedstatesorfailures,withorwithoutoperatorintervention.Theairvehicledetectsandrespondsappropriately,predictably,safelyandinatimelymannertolossofflightandsafetycriticalcommandandcontroldatalink(s)betweentheoperatorandairvehicle.Theairvehicleresponsetolossofcommandandcontroldatalinkisappropriateandsafefortheairspaceinwhichtheairsystemwillbeoperated.Theairsystemdetectsandrespondsappropriately,predictably,safelyandinatimelymannertothesenseandavoidfunctionfortheairspaceinwhichtheairsystemwillbeoperated,withorwithoutoperatorintervention.Theairsystem(includingairvehicle)responsestoflightandsafetycriticalfunctionnormalanddegradedstatesorfailures,andlossofflightandsafetycriticalcommandandcontroldatalink(s):a.Activateappropriatelyandinatimelymanner,b.Activateonlywhenneeded,c.Safelytransitiontopre-determinedmodesandstates(seealso6.2.2.4ofthisdocument),d.Activatepre-determinedprocedure(s)forrestoringfunctionality,e.Alertairspacecontrolorairtrafficcontrol,asnecessary,andf.Prevententryintopre-definedkeep-outairspaceorover-flightofpre-definedsurfaceregions(seealso11.1.1.5ofthisdocument).(Forinformation,seealso6.2;8.3.10;11.1.1and11.2.3;Section15;and17.2.9ofthisdocument.)MethodofCompliance:Verificationmethodsincludeanalysis,test,simulation,demonstration,andinspectionofdocumentation.Inspectionofdocumentationverifiesthatdesigncriteriaandprocessesidentifyflightandsafetycriticalfunctions,modesandstates;flightandsafetycriticalfunctionsdegradedstatesandfailures;andlossofflightandsafetycriticalcommandandcontroldatalink(s).Inspectionofdocumentationverifiesthatdesigncriteriaandprocessesensureairsystemresponsesareappropriatefortheintendedairspace.Analysisverifiesthatflightandsafetycriticalfunctions,modesandstatesfortheairsystem,includingtheairvehicle,areidentified.Analysisverifiesthatflightandsafetycriticalfunctiondegradedstatesandfailuresareidentified.Acombinationofgroundtestingandsimulationverifiesthattheairsystem(includingairvehicle)detectsandrespondsappropriately,predictably,safelyandinatimelymannerto:(1)flightorsafetycriticalfunctionnormalanddegradedstatesorfailures,withorwithoutoperatorintervention,(2)lossofflightandsafetycriticalcommandandcontroldatalink(s),and(3)senseandavoidfunction,withorwithoutoperatorintervention.Thistestingandsimulationverifiesthattheairsystem(includingairvehicle)responses:a.Activateappropriatelyandinatimelymanner,
166
b.Activateonlywhenneeded,c.Safelytransitiontopre-determinedmodesandstates,d.Activatepre-determinedprocedure(s)forrestoringfunctionality,e.Alertairspacecontrolorairtrafficcontrol,asnecessary,andf.Prevententryintopre-definedkeep-outairspaceorover-flightofpre-definedsurfaceregions.
Asaircraftsystemsbecomemorecomplex,itismoredifficulttofullyunderstandallofthehundredsorthousandsofpotentialfailurestatesthatarepossible.Thismeansthatdesigninganaircrafttodetectandappropriatelyrespondtothesefailurestatesisequallydifficult.STPAwasdesignedforjustthisproblem.STPAallowsthedesignerstoevaluatetheemergentpropertiesofthesystemastheydesignittoeliminatefailurestatesorminimizethehazardousconditionassociatedwithsystemfailures.Thisairworthinesscriteriondoesnotaccountforhazardousaircraftstatesthatdonotresultfromacomponentfailurebutrather,forexample,missingcasesormissingrequirementsorsystemengineeringdeficiencies.Thesepropertiesarenotidentifiedbycurrentbottomuphazardanalysistechniques,buttheyareidentifiedusingSTPA.Additionally,flightandsafety-criticalfunctionsareidentifiedbySTPA,andinformationfromtheSTPAanalysiswillfeedintotheverificationprocessforthesafety-criticalfunctions.4.1.7Flightterminationsystem.Criterion:Verifythattheflightterminationfunction,ifincorporatedintothedesign,issafe,secureandreliable.Standard:Designcriteriaensurethattheflightterminationfunctionoperatesreliablyandinatimelymannerwhencommanded.Theflightterminationfunctionresultsinadefinedairvehicleflightstate(e.g.,zerolift,zerothrust).Thelikelihoodofuncommandedflightterminationisremote.Aminimumoftwooperatoractionsisrequiredtoexecutetheflightterminationfunction.MethodofCompliance:Inspectionofdocumentationverifiesthatdesigncriteriaareinplacetoensurethattheflightterminationfunctionoperatesreliablyandappropriately,andonlywhenrequired.Inspectionoftestandsimulationdataverifiesthattheflightterminationfunctionoperatesappropriately,onlywhenrequired,andresultsintheexpecteddefinedflightstate(s).Inspectionofanalysisdocumentationindicatesthattheflightterminationfunctionoperatesreliably.
AnSTPAanalysisoftheflightterminationfunctionprovidessafetyconstraintstoensuresafefunction,whichwouldincludeuncommandedflightterminationandaccidentalflightterminationbytheoperator.STPAdoesnotdeterminelikelihoodofanuncommandedflighttermination,howeveritwouldprovideinformationtodesignaflightterminationsystemwithdesignconstraintstopreventanuncommandedflighttermination.Theanalysiswillalsoverifytheeffectivenessofthetwo-operatoractionrequirement.AnSTPAanalysisprovidesdatatothedevelopmentaltestorganizationinordertoproperlytestthefunctionalityoftheflightterminationsystem.Theanalysiswouldalsoconsiderunintentionalflighttermination(commandedbypilotoroperator,butdidnotintendto)andprovidesafetyconstraintstopreventsuchanoccurrence.4.2Toolsanddatabases.4.2.1Toolanddatabaseprocesses.Criterion:Verifythatalltools,methods,anddatabasesusedintherequirementsmanagement,design,riskcontrolandassessmentsofsafetyareappliedappropriatelyandexhibitaccuracycommensuratewiththeirapplication.Standard:Processesareinplacetoensurethatallanalysis,modelingandsimulationtoolsanddatabasesareofappropriateaccuracyandfidelity,arevalidatedfortheintendedapplications,andareconfigurationcontrolled.Requirementsdefinition/traceability,designandperformanceanalysistools,predictionmethods,modelsandsimulationsareappliedappropriately,andexhibitaccuracycommensuratewiththeirapplications.
167
MethodofCompliance:Inspectionofdocumentationverifiesthatprocessesareinplacetoensurethattoolsanddatabasesarevalidatedandunderconfigurationcontrol.Inspectionofdocumentationverifiesthatanalysistools,models,simulationsanddatabasesareappliedappropriately.Inspectionofdocumentationverifiesthatanalysis,modelingandsimulationtoolsanddatabasesareofappropriateaccuracyandfidelityfortheintendedapplications.Inspectionofdocumentationverifiesthevalidationbasisofdesignanalysis,modelsandsimulationsissubstantiatedandbasedonactualhardware/softwaretestdata.Inspectionofdocumentationverifiesthatthedesignanalysis,modelingandsimulationtoolsaresubstantiatedbyandbasedonactualtestdata(whenavailable).Actualsystemverificationresultsarecomparedwithdesignanalysis,modelingandsimulationtoolresultsanddatabasesforvalidationpurposes.
AnSTPAanalysisofthetoolsandmethodsensuresthatthecorrectinformationisprovidedtothesystemdesigners.Additionally,STPAwillensurethatsafetyrequirementsdefinitionandtraceabilityareappropriateandaccurate.4.3Materialsselection.4.3.1Selectionofmaterials.Criterion:ForArmyandNavyairsystems,verifythatthematerialselectionprocessusesvalidatedandconsistentmaterialpropertiesdata,includingdesignmechanicalandphysicalpropertiessuchasmaterialdefects,andcorrosionandenvironmentalprotectionrequirements(seealsoSection19,Materials;Section5,Structures;andSection7,Propulsion;Section8,AirVehicleSubsystemsofthisdocument).Standard:Materialselectionprocessusesmaterialscoveredbyanindustryspecification,governmentspecification(MilitaryorFederal)orotherspecificationsasapprovedbytheprocuringagency.MethodofCompliance:Inspectionofdocumentationconfirmsthatmaterialsareadequatelycoveredbyeither:a.AnAerospaceMaterialsSpecification(AMS)issuedbytheSAEAerospaceMaterialsDivision,b.AnASTMstandardpublishedbyASTMInternational(formerlytheAmericanSocietyforTestingandMaterials),c.Agovernment(MilitaryorFederal)specification,ord.Otherspecificationsasapprovedbytheprocuringagency.Ifanapprovedspecificationfortheproductisnotavailable,anacceptabledraftspecificationhasbeenprepared.
AnSTPAanalysisdoesnotdirectlyaffectthisrequirement,howeveranSTPAanalysismaydeterminethecriticalareasformaterialsthatrequiremoreattention.4.4Manufacturingandquality.4.4.1Keycharacteristics.Criterion:Verifythatkeyproductcharacteristics(includingcriticalcharacteristics)havebeenidentified.Standard:Physicalcharacteristicswhicharekeytothesuccessfulfunctionofcriticalsafetyitems(CSIs)andflightcriticalcomponentsaredefinedanddocumented.Toleranceallowancesforeachcharacteristicandtraceabilitythroughthedesignhierarchyaredefined,andtheeffectsofadversetoleranceaccumulationathigher(e.g.,abovetheCSI)levelsofproductassemblyareanalyzedandreflectedinthedesigndocumentation.MethodofCompliance:Keyproductcharacteristic(includingcriticalcharacteristics)andtolerancedefinitionsareverifiedbyinspectionandanalysisofprogramdesigndocumentationattheapplicablelevelsoftheproducthierarchy.ManufacturingprocesscontrolsforspecifickeyproductcharacteristicsidentifiedasCriticaltoSafety(CTS)andmanufacturingprocessparametersnecessarytoachieveandmaintainacceptableprocessindicesareverifiedbyinspectionandanalysisofmanufacturingprocesscontroldocumentationfortheapplicablestagesofmanufactureandassembly.
STPAwillnotdeterminethetolerances,butitwilldeterminecriticalsafetyitemsandflightcriticalcomponents.Additionally,STPAconstraintswillfeeddirectlyintothemanufacturingprocessrequirements.4.4.2Criticalprocesses.Criterion:Verifythatallcriticalprocesscapabilitiesexisttomeetkeyproductcharacteristicrequirements(includingcriticalcharacteristics).Standard:Allkeycharacteristics(includingcriticalcharacteristics)aremappedtocorrespondingcriticalprocesses.Criticalprocesscapabilitiesarecharacterized,processcapabilityindices(Cpk)arecalculatedandacceptablelimitsestablished.Processcontrolplansforcriticalprocessesaredefinedandimplementedthroughoutthesupplychain.ForArmyandNavyonly,qualitycontrolproceduresforcriticalprocessesaredefinedandimplementedthroughoutthesupplychain.
168
MethodofCompliance:Criticalprocesscapabilitiesandcontrolplansareverifiedbyinspectionofdesigndocumentationandprocesscontroldocumentationandifapplicable,on-siteauditdocumentation,throughoutthesupplychain.
Thesystem’skeyproductcharacteristicrequirementscanbeanalyzedviaSTPAtoensurethattheprocessesareadequatetomaintainsafety.4.4.3Criticalprocesscontrols.Criterion:Verifythatallcriticalprocesscontrolsexisttoassurekeyproductcharacteristicrequirements(includingcriticalcharacteristics)aremet.Standard:Workandinspectioninstructionsaredefined,documentedandimplementedforallcriticalmanufacturingprocesses.Aprocesscapabilityindex(Cpk)ofatleast1.67ismaintainedforprocessesCriticaltoSafety(CTS)orprocessesthatproduceCriticalSafetyItems(CSI).Quantitativeproductqualitycriteria(i.e.,productacceptancecriteria)aredefinedandusedforproductacceptanceatalllevelsoftheproducthierarchyuptoandincludingtheairsystemlevel.MethodofCompliance:Workandproductinspectioninstructions,productacceptancecriteriaareverifiedbyinspection.Cpkisverifiedbyanalysisandinspectionofdesigndocumentationandmanufacturingprocesscapabilitydata.Designconformance(i.e.,"asbuilt"configurationisinaccordancewithdesignrequirements)isverifiedbyfirstarticleinspectionsorfirstarticletests,reviewofmanufacturingprocesscontroldata,and/orperiodichardwarequalityaudits.4.4.4Qualitysystem.Criterion:Verifythattheas-builtconfigurationmatchestheas-designedconfiguration.Standard:Thequalitysystemiseffectiveinassuringconformancetoproductdesignandrealization,includingproductionallowancesandtolerances.Thequalitysystemaddressesdefectpreventionandachievingstable,capableprocesses.Thequalitysystememploysmethodssufficientforconductingrootcauseanalysesandimplementingeffectivecorrectiveactions.MethodofCompliance:ComplianceisdeterminedbyinspectionoftheQualitySystem'spolicies,processesandproceduresandexamplesofMaterialReviewBoardrecords.
TheoutputofanSTPAanalysisareprocesscontrols.STPAcanbeusedtoensurethatprocesscontrolsareadequatetomaintainsafety.4.4.5Nondestructiveinspections.Criterion:Verifythatnondestructiveinspection(NDI)processeshavebeenvalidatedtoassureconformingparts.Standard:Nondestructiveinspection(NDI)methodsandequipmenthavebeenqualifiedtosuitablestandardsandmeettherequirementsoftheapplicablespecificationandapplication.Thespecificationbeingusedensuresanynon-conformanceadverselyaffectingthepartwillbedetected.Acceptandrejectcriteriaforsafetyandflightcriticalhardwarearebasedonvalidatedmodelsanddata.MethodofCompliance:ComplianceisdeterminedbyinspectionofNDIprocess,selectioncriteria,operatorcertificationandmethodvalidationdocumentation.Fornewapplicationsofspecifications,testandinspectiondataconfirmstheinspectionmethodisvalidfortheapplication.
TheSTPAanalysiswillfeedintotheNDIprocesses.ItwillidentifyflightcriticalhardwareandwillbeusedtoensurethattheNDIprocessesprovidetheadequatefeedbacktomaintainflightsafety.Specificmethodsandequipmentmaybeidentifiedbasedoffofthesafetyconstraints.4.4.6ControlofSafety-RelatedArticles.Criterion:Verifythatsafety-relateditems(CriticalSafetyItems,flightcriticalcomponents,andcomponentscontainingcriticalcharacteristicsthatimpactsafety)conformtotheirapproveddesign.Standard:Thequalityofsafety-relateditems,whetherfurnishedbytheprimecontractor,supplier,orsustainmentorganization,iscontrolledtoensureconformancewithdesign.Themanufacturersoftheitemshaveinstitutedmanufacturingprocesscontrolsinspections,andtestingprocedurestoensureeachsafety-relatedproductorpartconformstoitsapproveddesign.MethodofCompliance:Forsafety-relateditems,initialdesignconformanceisverifiedbyinspectionofFirstArticleInspectionreports,FirstArticleTestreports,andothermanufacturingrecordsthatprovedesignconformance.Controlsforensuringthequalityofsafety-relateditemsareverifiedbyinspectingmanufacturingprocesscontrolplans(includingworkinstructions)andinspectionandtestprocedures.
169
AnSTPAanalysisofthemanufacturingprocesswillidentifyappropriatecontrolsandensurethattheyareinplaceandthatthecommunicationbetweenthedesignteamandthemanufacturerisadequatetomakesurethatthemanufacturerhasthecorrecttechnicaldata.TheSTPAanalysiswillalsoanalyzefeedbackchannelsfromthemanufacturertothedesignteam.4.5Operator’sandmaintenancemanual/technicalorders.4.5.1Proceduresandlimitations.Criterion:Verifythatprocessesareinplacetoidentifyanddocumentnormalandemergencyprocedures,limitations,restrictions,warnings,cautionsandnotes.Standard:Operatorhandbooksormanualsidentifyallnormalandemergencyprocedures,limitations,restrictions,warnings,cautionsandnotes.Warnings,cautionsandnotesareidentifiedinsuchamannerastoattractattentionandsetthemapartfromnormaltext.Whenanunsafeconditionisdetectedandannunciated,theoperator'smanualhasclearandprecisecorrectiveproceduresforhandlingthecondition.MethodofCompliance:Inspectionofoperatorhandbooksormanualsprocessdocumentationdescribesproceduresfordevelopingnormalandemergencyprocedures,limitations,restrictions,warnings,cautionsandnotesfromsystemtechnicaldata.Processdescriptionsincludemethodsforupdatingthisinformationasneeded.ForArmyandNavy,inspectionofoperatinghandbooksandmanualsverifiesthattheyincludeallnormalandemergencyprocedures,limitations,restrictions,warnings,cautionsandnotes.TheUSAFconfirmsoperatormanualaccuracyandcompletenessthroughothersectionscontainedwithinthisdocument.
STPAprovidesinputstothetechnicalorders(TOs)forthesystem.Ifapotentialsafetyhazardisnotdesignedoutofthesystem,STPAcanprovideoperationalormaintenanceconstraintsthatwouldbeincludedintheTOasaprocedureorasacaution/warning.4.5.3Maintenanceofsafety.Criterion:Verifythatproceduresareinplaceforestablishingandmaintainingairsystemflightsafety,asaffectedbyproductdesignchanges,safetyissues,changesinoperations,maintenance,transportationorstorage.Standard:Processesaredefined,documented,andimplementedtoestablishandaccomplishtimelyupdatestooperatorandmaintenancemanualsasmadenecessarybyproductdesignchanges,identifiedsafetyissues(e.g.,CategoryIDeficiencyReports),changesinoperationalconcepts,usage,maintenanceconcepts,transportation,orstorage.Currentupdatedtechnicaldataareusedtoeffecttechnicalmanualrevisions.Maximumtimelinestoincorporatechangesinmanualsarebasedontheeffectofthechangeandtheseverityoftheidentifiedhazard.MethodofCompliance:Theadequacyofestablishmentandchangeprocessesforoperatorandmaintenancemanualsisverifiedbyinspectionofprocessdocumentation.Inspectionofexamplesofrevisedoperatorandmaintenancemanuals(i.e.,changepages)verifiestraceabilitytochangeevents.
Allsystemsthatareinoperationforasignificantamountoftimeundergochangeseithertothesystemitselfortothecontextinwhichitoperates.Thesechanges,withoutanaccompanyingchangetothesafetycontrolstructure,canleadtoaccidents.Anorganizationalsafetycontrolstructurefortheoperationalphasewillmodelthesupportsystem,butmustbeupdatedtoensurecontinuedcontrol.AnSTPAanalysisofthesupportsystemwillverifythattheproceduresinplaceformaintainingflightsafetyareappropriate.Aschangesaremadetoeitherthesystemitself(upgrades)ortotheoperationalenvironment(newmissionset,newoperatinglocation)theanalysiswillbemodifiedtoensurethatthesafetycontrolsarestilladequate,ordeterminenewsafetyconstraintstomeettheupdatedneedsofthesystem.ThetraceabilityinherentintheSTPAprocessassistswithidentifyingthesafetyimpactsofchanges.AnotheroutputofSTPAisanoperationalsafetymanagementplan.Thisplan“isusedtoguidetheoperationalcontrolofsafety”.
170
Additionally,STPAhasbeenusedtoidentifyleadingindicatorsofincreasinglyriskybehaviorsothattheyaremonitoredandusedtoavoidmishapsaschangesoccur.4.6Configurationmanagement(CM).4.6.1Functionalbaseline.Criterion:Verifythatthefunctionalbaselineisestablishedandunderconfigurationcontroltoprecludeunauthorizedchanges.Standard:Thefunctionalbaselineisproperlydocumented,approvedandbroughtundercontrolbyaConfigurationManagementProcess.MethodofCompliance:TheConfigurationManagementPlan(CMP)isdefinedandimplementedinaccordancewiththecontract.Inspectionofdocumentationverifiesthatthefunctionalbaselinehasbeendocumentedandapproved.
TheSTPAanalysiswouldbecontrolledthroughtheCMPalongwithallothermodels.AnSTPAanalysiscanprovidedatatotheCMPtoensurethattheconfigurationisproperlycontrolled.4.6.2Allocatedbaseline.Criterion:Verifythattheallocatedbaselineisestablishedandunderconfigurationcontroltoprecludeunauthorizedchanges.Standard:Theallocatedbaselineisproperlydocumented,approvedandbroughtundercontrolbyaConfigurationManagementProcess.MethodofCompliance:TheConfigurationManagementPlanisdefinedandimplementedinaccordancewiththecontract.Inspectionofdocumentationverifiesthattheallocatedbaselinehasbeendocumentedandapproved.Inspectionoftheengineeringreleasedocumentationverifiesadequatecaptureoftheallocatedbaseline.
TheSTPAanalysiswouldbecontrolledthroughtheCMPalongwithallothermodels.AnSTPAanalysiscanprovidedatatotheCMPtoensurethattheconfigurationisproperlycontrolled.4.6.3Productbaseline.Criterion:Verifythattheproductbaselineisestablishedandunderconfigurationcontroltoprecludeunauthorizedchanges.Standard:Theproductbaselineisproperlydocumented,approvedandbroughtundercontrolbyaConfigurationManagementProcess.MethodofCompliance:TheConfigurationManagementPlanisdefinedandimplementedinaccordancewiththecontract.Inspectionofdocumentationverifiesthattheproductbaselinehasbeendocumentedandapproved.Inspectionoftheapprovedengineeringdocumentationandengineeringreleasesystemverifiesadequatecaptureoftheproductbaseline.
AnSTPAanalysisoftheConfigurationManagementProcesswillidentifyiftheprocessisadequatetocontroltheconfigurationofthesystem.Additionally,theSTPAmodelsshouldbecontrolledbytheCMP.4.6.4Safetycriticalitemconfigurationmanagement.Criterion:Verifythatallsafety-criticalitemsaretrackedandunderconfigurationcontrol.Standard:Aconfigurationstatusaccounting(CSA)systemisadequatelydocumentedandmaintainedandtrackstheconfigurationofsafety-criticalitems.MethodofCompliance:CSAprocessdocumentationisverifiedbyinspection.InspectionofCSArecordsandreportsforCI/CSCIsverifiesaccuracyoftheconfigurationstatusaccountingsystemandthatthesystemisabletotrackandrecordchangestotheconfiguration.
STPAcanbeusedtoidentifysafety-criticalitems.Anychangestotheitemsorhowtheyareusedintheaircraftsystemcanbeeasilyanalyzedwithupdateddatatoensurethattheresultsofthechangesarefullyunderstoodandthatthesafetycontrolstructurestilladequatelycontrolssystemsafety.
171
Chapter14ofMIL-HDBK-516Ccoverssystemsafety.14.1.1Systemsafetyprocess.Criterion:Verifythataneffectivesystemsafetyprogramisimplementedthatmitigatesrisks/hazardsattributedtohardware,software,andhumansystemintegrationandthatthesafetyprogramdocumentsandtrackstherisks/hazardsofthedesign/modification.Standard:ThesystemsafetyprogrammeetstheminimummandatoryrequirementsofMIL-STD-882(e.g.,systemsafetyapproachhasbeendocumented;hazardshavebeenidentified;hazardshavebeenassessed;hazardshavebeenmitigated;residualrisksareatanacceptablelevel;residualriskhasbeenacceptedbyappropriateauthority;andhazardsandresidualriskhavebeentracked),andthesystemsafetyrequirementsareincorporatedintothetechnicalandprogrammaticdocuments.TheProgrammaticEnvironmentalSafetyandHealthEvaluation(PESHE)includesallhazardsidentifiedfortheprogram.MethodofCompliance:Verificationmethodincludesinspectionofdocumentation.Effectivenessofthesystemsafetyprogramisverifiedbyinspectionoftechnicalandprogrammaticdocumentstoverify:systemsafetyapproachhasbeendocumented;hazardshavebeenidentified;hazardshavebeenassessed;hazardshavebeenmitigated;residualrisksarereduced;residualriskhasbeenacceptedbyappropriateauthority;andhazardsandresidualriskhavebeentracked.InclusionofEnvironmentalSafetyandOccupationalHealth(ESOH)hazardsinPESHEisverifiedbyinspection.
STPAdocumentationwouldprovidetheinspectoralloftheinformationneededtoensurecompliancewiththesystemsafetyprocess.Additionally,theinspectorwouldabletotellquicklythatappropriatehazardshavebeenidentifiedbecauseSTPArefineshazardsfromasmallsetofhigh-levelhazards(comparedtodozensorhundredsofhazardsthatarefoundinsomeanalyses)sothatreviewisoptimized.STPAhasbeenshowntocomplywithMIL-STD-882and,infact,wascreatedwiththatgoalinmind.14.1.1.1Systemsafetyrequirements.Criterion:Verifythatthesystemsafetyprogramincorporatessystemsafetyintoallaspectsofsystemsengineeringthroughoutallacquisitionphases.Standard:Systemsafetyrequirementsareincorporatedintothesystemtechnicalandprogrammaticdocuments.Systemsafetyrequirements,analyses,timelinesandothermilestonesareinsynchronizationwiththerestoftheprogramschedules.MethodofCompliance:Verificationmethodincludesinspectionofdocumentation.Incorporationofsystemsafetyrequirementsintothesystemstechnicaldocuments,programmaticdocumentsandoperatingproceduresisverifiedbyinspection.Integrationofsystemsafetyrequirements,
Ahigh-levelSTPAanalysisonaproposednewsystemcanbeconductedbytheprogramofficeandthatinformationshouldbeincorporatedintosystemrequirementsalongwiththetechnicalrequirements.Thelower-levelanalysescanbesynchronizedwiththelower-leveldesignofthesystemoncethecontracthasbeenawardedandthecontractordevelopsthesystem.Thetimelinesofthesafetyanalysiswouldthereforematchthedesigntimelines.AsstatedpreviouslyintheanalysisofChapter4,anoutputofSTPAisasetofoperationalconstraints(safetyrequirements)thatwillaffectoperatingprocedures.Additionally,anyknownoperatingproceduresshouldfeedintothescenariogenerationportionofSTPA,verifyingthesafetyofthoseprocedures.Forinstance,anewrefuelingaircraftmostlikelywillbeexpectedtoconductproceduressimilartorefuelingaircraftcurrentlyintheinventory.14.1.1.2Systemsafetyanalysisandassessment.Criterion:Verifythatappropriatesystemsafetyanalysisandassessmenttasksareaccomplishedforallprograms,includingtemporaryandpermanentmodifications.Standard:System,subsystem,componentandsoftwaresafetyanalysesandassessmentsareaccomplishedforallprograms,includingtemporaryandpermanentmodifications.Designandoperational/maintenanceproceduresdonothaveanunacceptablenegativeeffectonsystemsafetyoronthemishapriskbaseline.MethodofCompliance:Verificationmethodincludesinspectionofdocumentation.Accomplishmentofappropriatesystem,subsystem,componentandsoftwaresafetyanalysesandassessmentsforallprograms,includingtemporaryandpermanentmodificationsisverifiedbyinspection,andanychange
172
STPAworksverywellformodificationstothesystemandforoperationalandmaintenanceprocedures.AcompletedSTPAanalysiscanbeupdatedforsystemmodificationsinordertounderstandtheeffectsofthemodificationonthesystemanddesignthemodificationtoavoidintroducinghazardstothesystem.IfamodificationisaCOTSproduct,theintegrationoftheproductwiththeairframewillbeanalyzedtoensurethatitissafe.TheproductitselfmostlikelywillnotberedesignedbasedontheSTPAresults,butsafetyconstraintsfortheintegrationorfortheairframewillbeidentified.Additionally,ifPOdoesnotwanttoimplementthesafetyconstraints,theymaydeterminethattheCOTSproductisunsuitableandlookforotheroptions.14.1.1.3Hazard/risktrackingandriskacceptance.Criterion:Verifythathazards/risksaretrackedandresidualrisksdocumented.Standard:Hazard/risktrackingandresidualriskdocumentationandacceptanceareplanned,documentedandaccomplishedinaccordancewithMIL-STD-882.Risksarepresentedandacceptedattheappropriatelevelandriskacceptancesaredocumentedinahazardtrackingsystem.MethodofCompliance:Evidenceoftheclosedloophazardtrackingsystem
AhazardlististhesecondstepofaSTAMPanalysis.Furtheranalysisbuildsoffofthehazardlist.IncurrentAFpractice,thelevelofriskacceptanceisbasedonresidualrisklevel(low,medium,high).STPAdoesnotprovideprobabilityofoccurrence,thereforeriskacceptancelevelmustbeaddresseddifferently.Ifthesafetyconstraintsforanassociatedhazardareaddressed,thehazardwillbeappropriatelymitigated.14.1.1.4.1Flightsafety.Criterion:Verifythatthesystemsafetyprogramaddressesflightsafety.Standard:Singlepointfailuresthatresultinlossofaircraftorsystemdonotoccuratanunacceptablerate(e.g.,improbableorlowerprobabilitiesinaccordancewithMIL-STD-882).Safetydesigndeficienciesuncoveredduringflightmishapinvestigationsorindeficiencyreports(e.g.,MaterielDeficiencyReports(MDRs),QualityDeficiencyReports(QDRs))areassessedandresidualrisksidentified.Flighthazardrisksforthesystemdonotexceedthresholdlimitsthatareestablishedfortheprogram.MethodofCompliance:Verificationmethodsincludeanalysisandinspectionofdocumentation.Evidenceofaflightsafetyprocessisverifiedby:reviewofallhazardsassociatedwithsinglepointfailurestodocumenttheireliminationorreductionofriskstoanacceptablelevel;byinspectionofdesigndeficienciesidentifiedinflightsafetyreportsanddeficiencyreports(e.g.,MDRs,QDRs)toassuretheyareassessedandresolutionactionsaretrackedtoclosure;byanalysisthatactualflightmishapratescomplywithpre-setprogramthresholdlimits.
STPAinherentlyaddressflightsafety.Singlepointfailureswillbeidentifiedintheanalysisandeliminatedwithsafetyconstraints.DeficiencyreportsmustfeedbackintotheSTPAanalysis.Thesereportsmayprovideadditionalscenariosthatwerenotconsideredintheoriginalanalysis,orevenahazardthatwasnotoriginallyincluded.Theanalysismustbemodifiedtoincludethedeficienciesdiscoveredduringflighttestoroperationsoncethesystemisfielded.STPAwillidentifymorethansinglepointfailuresandevenhazardsthatdonotarisefromcomponentfailuresbutfromunsafeinteractionsamongcomponents.14.1.1.4.2ForeignObjectDamage(FOD)prevention.Criterion:Verifythatthesystemsafetyprogramaddressesground/industrialsafety(foreignobjectdamageprevention).Standard:Ground/IndustrialsafetyrequirementsareestablishedforactivitiesattheplanttominimizetheriskofForeignObjectDamage(FOD)orundetecteddamagetotheassembledairvehicleandallrequiredsupportequipment.
173
MethodofCompliance:Verificationmethodincludesinspectionofdocumentation.EvidenceofanestablishedFODpreventionprogramisverifiedbyreviewofFODprogramdocumentsandinspectionofreports,oron-sitecertificationbytheDefenseContractManagementAgency(DCMA)thatanacceptableFODprogramexists.
AnSTPAanalysisoftheFODprogrammayyieldadditionalsafetyconstraintstopreventFOD.Additionally,theSTPAanalysisontheaircraftshouldconsiderFODinthescenariostoensurethatifanaircraftisdamagedbyFOD,thedamagedoesnotresultinanaccident.14.1.1.4.3Explosivesandordnancesafety;non-nuclearmunitions.Criterion:Verifythatthesystemsafetyprogramaddressesexplosivesandordnancesafety;non-nuclearmunitions.Standard:RequirementsforsystemsafetyprocessesandanalysesareestablishedinaccordancewithMIL-STD-882tosupportweaponstesting,certification,andobtainmentofexplosivehazardclassifications.MethodofCompliance:Verificationmethodincludesinspectionofdocumentation.Safetyprogramrequirementsforexplosivesandordnancesafetyareverifiedbyinspectionofsystemsafetyprogramanalysisdata.
STPAdoesnotdirectlysupportexplosivessafety,howeveranSTPAanalysisoftheexplosivessafetyprogrammayprovideadditionalconstraintstopreventanaccident.14.1.1.4.4Rangesafety.Criterion:Verifythatthesystemsafetyprogramaddressesrangesafety.Standard:Thesystemsafetyprogramisresponsivetotestrangesafetyrequirementsandofficialrequestsforsafetyanalysisinformation.MethodofCompliance:Systemsafetyprogramsupportforrangesafetyisverifiedbyinspectionofsystemsafetyprocessdocumentation.
STPAcanincluderangesafetyrequirementsasaninputintotheanalysis.STPAwillprovideadditionalconstraintsasnecessarytopreventanaccident.14.1.1.4.5Nuclearsafety.Criterion:Verifythatthesystemsafetyprogramaddressesnuclearsafety.Standard:ThenuclearsafetyprogramadherestothefourkeyDoDNuclearWeaponSystemSafetyDesignStandardsforhardwareandsoftware.MethodofCompliance:Verificationmethodincludesinspectionofdocumentation.Evidencethataprocessisinplacetoincorporatethefourkeynuclearsafetydesignrequirementsintothesafetyanalyses,programfunctionalbaselinesandotherdesignrequirementsisverifiedbyinspectionofprogramsafetydocumentsandfunctionalbaselines.
STPAstartsfromhazardsandsystembehavioralconstraints,whichcanbethefournuclearsafetystandards.TheserequirementsarethenadirectpartoftheSTPAanalysis.14.1.1.4.6Radiation/LASER(lightamplificationbystimulatedemissionofradiation)safety.Criterion:Verifythatthesystemsafetyprogramaddressesradiation/lasersafety.Standard:Keydesignrequirementsforradiation/lasersafetyareestablishedincluding:protectivehousing;safetyinterlocks;remoteinterlockconnector;keycontrol/armingdevice;emissionindicator;beamstop/attenuator;locationofcontrols;viewingoptics;scanningsafeguard;manualreset;labelingrequirements;laserclassification;hazardevaluation;protectiveeyewear;laserareacontrol;andinformationalrequirements.MethodofCompliance:Verificationmethodincludesinspectionofdocumentation.Evidenceofaprocesstoestablishthekeysafetydesignrequirementsforradiation/lasersafetyisverifiedbyinspectionofsafetyanalyses,designspecificationsandprogramfunctionalbaselines.
STPAcanincluderadiationandlaserdesignrequirementsintheanalysis.Theeffectivenessofthedesignrequirementswillalsobeevaluated,andadditionalconstraintsmaybefound.
174
14.1.1.4.7Testsafetyandsupport.Criterion:Verifythatthesystemsafetyprogramaddressestestsafetyandsupport.Standard:Systemsafetyorganizationactivelyparticipatesintestplanningandpost-testreviewstoanalyzealltest-relatedhazardsandrecommendedcorrectiveactionstoensurehazardcloseoutormitigation.Appropriatesystemsafetyrequirementscriteriaareincorporatedintothetestprogramforvalidationandverification.MethodofCompliance:Verificationmethodincludesinspectionofdocumentation.Systemsafetysupportofthetestandevaluationprocessandincorporationofsafetyrequirementscriteriaareverifiedbyinspectionofthesystemsafetyprogramplan,test-relatedhazardanalysesandtheTestandEvaluationMasterPlan(TEMP).
TheSTPAresultsdirectlyapplytotestsafetyplanning.Additionally,thedevelopmentaltestprogramwillverifythatthesafetyconstraintsidentifiedaremetbythedesignedsystem.AnysafetyfindingswillbeprovidedtothedesignerstoupdatetheSTPAanalysis.TheAirForceTestCenteriscurrentlyundergoingatrialusingSTPAfortestplanning.UtilizingSTPAinthedesignprocessanddevelopmentaltestwillprovidesynergytotheentireacquisitionsdevelopmentprocess.14.1.1.4.8Softwaresafety.Criterion:Verifythatthesystemsafetyprogramaddressessoftwaresafety.Standard:See14.3(thisdocument)andsubparagraphs.MethodofCompliance:MethodsofComplianceforSoftwareSafetyarecontainedin14.3(thisdocument)andsubparagraphs.
Mostsoftwaresafetyprogramsfocusonassuranceoftheimplementationofthesoftwarerequirements.However,virtuallyallaccidentsinvolvingsoftwarestemfromflawed(unsafe)requirementsandnotfromtheimplementation.STPAidentifiesthesafety-criticalsoftwarerequirementsthatneedtobeimplementedinthesoftware.See14.3below.14.1.1.4.9Materialchanges/deficiencies.Criterion:Verifythatthesystemsafetyprogramaddressesmaterials.Standard:Risksassociatedwithuseofnew/alternate/substituted/hazardousmaterialsormaterialdeficienciesdonotexceedthehazardbaselinesetfortheprogram.MethodofCompliance:Verificationmethodincludesinspectionofdocumentation.Evidenceofamaterialsafetyprocessisverifiedbyinspectionofprogramsafetydocumentationandsafetyanalyses.Cumulativerisksofidentifiedhazardsdonotexceedtheprogram'shazardbaseline.
STPAdoesnotdirectlyaddressmaterials,asexplainedinthediscussionof4.3,buttheanalysiswouldidentifycriticalsafetycomponentsthatrequirespecificattention.14.1.1.4.10FailureModesandEffectsTesting(FMET)andBuilt-In-Test(BIT).Criterion:VerifythatthesystemsafetyprogramaddressesFMETandBIT.Standard:Systemsafetyparticipatesinalltests/testplanningonpartsandassembliesthatestablishfailuremodesandrates,andconductssafetyanalysesonallbuilt-intestequipmenttoassurethatintegrationintoasystemdoesnotinducehazardswhichexceedthehazardbaselinesetfortheprogram.MethodofCompliance:Verificationmethodincludesinspectionofdocumentation.EvidenceofsystemsafetysupportofFMETandBITevaluationsisverifiedbyinspectionofthesystemsafetyprogramdocuments,testdocumentsandthehazardtrackingdatabase.
Complexsystemsoftenhavemorepotentialfailuremodesthancanbetestedinatimelymanner,andnotallfailuremodeswillbeunderstoodduringthedesignphase,meaningtheycannotbetesteduntiltheyarediscovered.Discoverymaynotoccuruntilthesystemisfieldedandhasbeenoperatingforasignificantamountoftime.Theundiscoveredfailuremode(often
175
calledan“unknownunknown”)maycauseanaccidentresultinginlossoflifeandproperty.Thelatediscoverymayalsoresultinstandingthesystemdownuntilthefailureisinvestigatedandexpensivemodificationstopreventfuturemishaps.STPAwillprovidesafetyconstraintstodesignthesystemsuchthatifafailureoccursitdoesnotresultintherealizationofahazard.Thesafetyconstraintswillalsomitigatepotentialfailures.STPAessentiallyprovidesawaytodiscover“unknownunknowns”duringthedevelopmentprocess.ThesafetyconstraintsprovidedbySTPAwillalsobeaninputintotheFMETprocedures.Systemfailureswillbetestedandsafetyconstraintsverified.STPAscenarioswillalsoconsiderBITinthesystemdesignandprovidesafetyconstraintstopreventBITfrominducinghazards.14.1.1.4.11Fail-safedesign.Criterion:Verifythatthesystemsafetyprogramaddressesfail-safedesign.Standard:Designensuresthatthesystemremainsinherentlysafe.Asinglefailurecausesthesystemtoreverttoastatewhichwillnotcauseamishap.Flighthazardrisksforthesystemdonotexceedthresholdlimitsthatareestablishedfortheprogram.MethodofCompliance:Verificationmethodincludesinspectionofdocumentation(e.g.,safetyanalyses,technicaldocumentation,testingdocumentation,hazardtrackingdatabase).Designdocumentationverifies:inherentsystemsafety;thatasinglefailurewillnotcausethesystemtoreverttoastatewhichwillresultinunacceptableriskofamishap;andthatflighthazardrisksforthesystemdonotexceedthethresholdlimitsestablishedfortheprogram.
STPAwillprovidesafetyconstraintstoreduceoreliminatesystemstatesthatresultinahazard.TheSTPAdocumentationwillprovidetheairworthinessinspectorwiththeinformationrequiredtoverifycompliance.STPAalsoevaluateshazardsthatoccurwithoutafailure.Manyincidentsoccurwhenthesystemoperatesasdesigned–STPAshouldbeusedduringthedesignprocesstoensurethatitisdesignedtooperatesafely.14.1.1.4.12Safetyassessmentofsupportequipment.Criterion:Verifythatthesystemsafetyprogramaddressessupportequipment.Standard:Designrelatedhazardsandinterfacesofsupportequipmentwithaircraftandcontrolstationsareincludedinsystemsafetyanalyses.Identifiedsafetyhazardsareresolvedorrisksreducedtoanacceptablelevelbeforefirsttestuseorfirstoperationaluseofthesupportequipment.MethodofCompliance:Verificationmethodincludesinspectionofdocumentation.Theincorporationofdesignsafetyrequirementsforsupportequipmentintotechnicaldocumentbaselines/safetydocumentsandtheeliminationorcontroloftheirassociatedsafetyrisksisverifiedbyinspectionoftechnicaldocumentsbaselines,safetyprocessdocumentation,safetyanalysesandtheclosedloophazardtrackingsystem.
ThesupportstructurecanbeanalyzedusingSTPAtoincludesupportequipment,maintenanceandlogisticspractices.Justaswiththeactualsystemunderdesign,testresultsregardingthesupportequipmentmustbefedbacktotheprogramofficetoensurethesupportequipmentissafeandmeetstherequirementsforthesystem.14.2Safetydesignrequirements.14.2.1Hazardidentification/control/resolutionprocess
176
Criterion:Verifythatasystematicprocessisemployedthatprovidesforhazardidentification,hazardcontrolrequirementgenerationandimplementation,andresidualriskassessment.Standard:Aprocessisinplacetoidentifyandcharacterizehazards,devisecorrectiveactions,andassessresidualrisks.ASystemSafetyGroupisestablishedtoimplementtheprocessMethodofCompliance:Verificationmethodincludesinspectionofdocumentation.Evidenceofahazardidentification/control/resolutionprocessisverifiedbyinspectionofsafetyprocessdocumentationandreviewofsafetyanalysesandsystemsafetygroupproceedings.
STPAisasystematicprocessthatidentifieshazardsanddevisescorrectiveactions(safetyconstraints).Residualriskisnotcalculated,butifaconstraintisnotimplementedtherewillberiskinherentinthedesign.14.2.2Mitigationofmishaprisks.Criterion:Verifythatthedesignisfreefromunacceptablemishaprisk,includingriskstothirdparties.Standard:UnacceptableriskstopersonnelorequipmentareeliminatedorcontrolledinaccordancewithMIL-STD-882.Mishapriskdetermination,includingrisktothirdparties,reflectsthecurrentconfigurationandmaturityofthesystem.Mishapriskacceptabilityisbasedontheintendedairspaceoperations,includingrulesandrestrictionsforsuchairspaces.MethodofCompliance:Verificationmethodincludesinspectionofdocumentation.Evidenceofaprocesstomitigatehazardswith"unacceptable"mishapriskisverifiedbyinspectionofsystemsafetydocuments,technicaldocuments,testdocuments,programmaticdocuments,safetyhazardtrackingdatabaseandtheresidualriskacceptanceprocess.
STPAwillidentifyrisksbasedonintendedoperationsandsystemdesign.Ratherthanprovideaprobability,STPAgeneratesthecausalscenariosleadingtoamishapsothattheycanbeeliminatedorcontrolledinaccordancewithgoodsafetyengineeringpractices(andMIL-STD-882).Probabilitiesdonotprovidetheinformationneededtoeliminateorcontrolhazards.“Unacceptable”riskismostlikelydeterminedbyprobabilisticriskassessment,whichisnotacomponentofSTPA.However,anyscenariothatisfoundbySTPAmustberesolvedotherwisethereisresidualriskassociatedwiththedesign.TheinspectorwouldusetheSTPAdocumentationtoverifythesafetyofthedesign.Thereisnoway,withanyhazardanalysismethod,toverifythatthesystemiscompletelyfreefrommishaprisk,howeverSTPAwillprovidemorecompletecoverageacrosspotentialmishapriskssuchascomponentfailure,softwarerequirementsandinteractions,humaninteraction,andsupportstructure.14.2.3Singlepointfailureassessment.Criterion:Verifythatnosingle-pointfailureunacceptablyaffectsthesafetyofthesystem.Standard:Therisksofallhazardsassociatedwithsinglepointfailuresdonotexceedthehazardbaselinesetfortheprogram.ResidualriskisacceptedinaccordancewithMIL-STD-882.MethodofCompliance:Verificationmethodincludesinspectionofdocumentation.Evidencethattherisksofallsinglepointfailurehazardsdonotexceedthehazardbaselinesetfortheprogramandthattheresidualriskhasbeenacceptedisverifiedbyinspectionofthesafetyanalysesforsinglepointfailuresandtherelevantdataintheclosedloophazardtrackingsystem.
AnSTPAanalysisincludescomponentfailures,andwouldidentifypotentialscenariosforasinglepointfailuretocauseahazard.Thescenarioswouldthenbeusedtodeterminesafetyconstraintstopreventthehazard.However,STPAhandlesmorethanjustsingle-pointfailures.14.2.4Subsystemprotection.Criterion:Verifythatthedesignadequatelyprotectsthepowersources,controls,andcriticalcomponentsofredundantsubsystems.Standard:Powersources,controls,andcriticalcomponentsofredundantsubsystemsareseparated/shieldedperthegeneralsafetyrequirementsofMIL-STD-882.
177
MethodofCompliance:Verificationmethodincludesinspectionofdocumentation.Inspectionofsafetyanalyses/assessmentsandassociateddocumentationverifiesthatpowersources,controls,andcriticalcomponentsofredundantsubsystemsareseparated/shieldedperthegeneralsafetyrequirementsofMIL-STD-882.
STPAexaminescomponentandsubsysteminteractions.Theanalysiswillidentifyanyhazardsassociatedwithpowersources,controls,orredundantsubsystems.Theanalysiswillalsoassistindetermininghowthesubsystemsshouldbedesignedforredundancy,orifothermethodologiestoprotectthesubsystemsareappropriate.14.2.5Humanfactors.Criterion:Verifythatallaspectsofhumanfactorsareaddressedandunacceptablehumanfactorssafetyissues/risksareresolvedinthedesignprocess.Standard:EstablishhumanfactorsdesignrequirementsinterfacewithsystemsafetytominimizetheprobabilityofhumanerrorandsatisfytheintentofMIL-STD-882.MethodofCompliance:Verificationmethodincludesinspectionofdocumentation.Thestandardtoestablishhumanfactorsrequirementsandidentifysafetyissues/risksrelatedtohumanfactorsandreducethemtoanacceptablelevelisverifiedbyinspectionofsafetydocumentation,safetyanalysesandprogramfunctionalbaselines.
STPAprovideshumanfactorssafetyconstraints.Humanoperatorsareincludedintheanalysissothatthesystemisdesignedforthehumanoperatortoprovidesafecommandsandreceiveaccurateandadequatefeedbackinordertodeterminewhatcommandsaresafe.14.2.6Humanerror.Criterion:Verifythatthesystemisproduced/manufacturedensuringriskreductionoffailuresorhazardspotentiallycreatedbyhumanerrorduringtheoperationandsupportofthesystem.Standard:Systemdesignminimizesriskcreatedbyhumanerrorintheoperationandsupportofthesystem.MethodofCompliance:Verificationmethodincludesinspectionofdocumentation.Evidencethataprocessisinplacetoreducethemishaprisksassociatedwithhumanerrortoacceptablelevelsisverifiedbyinspectionofsafetydocumentsandanalysesandreviewoftheclosedloophazardtrackingsystem.
ThehumanfactorssafetyconstraintsprovidedbySTPAwouldreducethepotentialforhumanerrortocauseahazard.14.2.7Environmentalconditions.Criterion:Verifythatthesystemdesigniswithinacceptableriskboundsoverworst-caseenvironmentalconditions.Standard:Safetyrisksduetosystemexposure/operationinrequiredenvironmentalconditionsaredefinedandverifiedtobewithinacceptablelimits.MethodofCompliance:Verificationmethodincludesinspectionofdocumentation.Evidencethatthesafetyriskminimizationprocessaddresseseffectsofworst-caseenvironmentalconditionsonthedesignisverifiedbyreviewofsafetyanalysesandenvironmental/climatictestresults/reports.
STPAconsidersthecontextofthesystem,whichincludeshowthesystemistobeoperatedandtheoperationalenvironment.Theanalysiswillensurethattheenvironmentallimitsareappropriateandifthesystemisexposedtosevereorworstcaseenvironmentalconditions,theresultisnotamishap.Iftheenvironmentofthesystemchanges,forinstanceitdeploystoanareaoftheworldnotinitiallyintended,arevisedanalysisconsideringthenewenvironmentalchangesshouldbeconducted.
178
14.2.8Assembly/installationhazards.Criterion:Verifythatpersonnelexposuretohazardsduringtheinstallationprocess,includinghazardsduetolocationsofsystemsintheairvehicle,isatanacceptablerisklevel.Standard:Asafetyprocessisinplacetopreventerrorsinassembly,installation,orconnectionswhichcouldresultinasafetyhazardormishapforthesystem.MethodofCompliance:Verificationmethodincludesinspectionofdocumentation.Designandproceduralsafetyrequirementsacceptabilityisverifiedbyinspectionandapprovalofsystemsafetydocumentationandrequirements.Evidenceofacceptability/approvalisprovidedbyinspectionofequipmentinstallation,operationandmaintenanceprocessdocumentation.
STPAcanbedirectlyappliedtothemanufacturing,operation,andmaintenanceofasystem.Thesystemdesigncanprovideasaferprocessformanufacturing,operationandmaintenance.Additionallyananalysisoftheorganizationalstructuresurroundingthedesign,manufacturing,operation,andmaintenancefunctionswillensurethattheinteractionsbetweenthefunctionsaresafe.14.2.9Safetydesignprocess.Criterion:Verifythatthesystemdesignisolateshazardoussubstances,components,andoperationsfromotheractivities,areas,personnel,andincompatiblematerial.Standard:Asafetydesignprocessisinplacetoisolatehazardoussubstances,components,andoperationsfromotheractivities,areas,personnel,andincompatiblematerials.MethodofCompliance:Verificationmethodincludesinspectionofdocumentation.Thestandardtoassurethathazardoussubstances,componentsandoperationshavebeenidentifiedandcorrectivemeasurestaken(e.g.,separation,shielding,isolation),and/orrisksreducedtoanacceptablelevelfortheprogram,isverifiedbyreviewofsafetyanalysesandprogramtechnicaldocumentation.
STPAanalysiswouldprovidesafetyconstraintstomeetthiscriterion.Exposuretohazardoussubstancesorprocesseswouldbeconsideredahazardintheanalysisandsafetyconstraintsidentifiedtopreventthehazard.14.2.10Analysisofchangesormodifications.Criterion:Verifythatasystemsafetychangeanalysisisaccomplishedonchangedormodifiedequipmentorsoftware.Standard:Allchanges/modificationstoexistingsystemsdonot:a.createnewhazards;b.affectahazardthathadpreviouslybeenresolved;c.increasetheriskofanyexistinghazards;d.adverselyaffectanysafety-criticalcomponent.MethodofCompliance:Verificationmethodincludesinspectionofdocumentation.Inspectionsofsystemsafetychangeanalysesonchangedormodifiedequipmentorsoftware.Verifythatnochanges/modificationstoexistingsystemswillcauseanyofthefollowing:a.createnewhazards;b.affectahazardthathadpreviouslybeenresolved;c.increasetheriskofanyexistinghazards;d.adverselyaffectanysafety-criticalcomponent.
STPAcanbeusedtodesignthemodificationtopreventintroducingnewhazardstothesystem.Ifthemodificationisalreadydesigned(suchasaCOTSproduct),ananalysisofthemodificationwilldetermineifitintroducessafetyhazardsandprovideinterfaceorsystemredesignrecommendationstomitigatethehazard.ThetraceabilityinherentintheSTPAresultswillminimizetheamountofefforttoanalyzechangesandmodifications.14.2.11Assesssafetyofoperationalcontingencies.Criterion:Verifythatthesystemprovidesandimplementsoperationalcontingenciesintheeventofcatastrophic,criticalandmarginalfailuresoremergenciesinvolvingthesystem.Standard:Intheeventofcatastrophic,criticalandmarginalfailuresoremergenciesthesystemprovidesandimplementsoperationalcontingenciesbytransitioningtoapre-determinedandexpectedstateandmode.
179
MethodofCompliance:Verificationmethodincludesinspectionofdocumentation.Inspectionsofsafetyanalysesverifywhichcatastrophic,critical,marginalfailures,andothersystememergenciesrequireoperationalcontingencies.Inspectionsofdesigndocumentationverifythat,intheeventoftheidentifiedfailuresoremergencies,thesystemprovidesandimplementsoperationalcontingenciesbytransitioningtoapre-determinedandexpectedstateandmode.Inspectionofsystemsafetydocumentationverifiesthatoperationalcontingencieshavebeenapproved.
AnSTPAanalysisofthetransitiontobackupmodesduringsystememergenciescanensuresafecontinuedoperationofthesystemduringcontingencies.Itwillincludemorethanjustfailures,i.e.,italsoconsidersdesignerrors.Implementingsafetyconstraintsduringthesystemdesignwillthereforeminimizetheoccurrenceofsystememergencies.14.2.12Safetyassuranceforspecialmilitarymodesofoperation.Criterion:VerifythatspecialmilitarymodesofoperationwheninactivedonotreducetheUASbelowthresholdsafetylevels.Standard:SpecialmilitarymodesofoperationofUAS(e.g.,weaponsorstoresarmingandreleaseoroperationofelectromagneticspectrumemitters)wheninactive(e.g.,ajammerinstandbymode)meetprobabilityoffailureanddesignanddevelopmentassurancerequirementsthroughphysical/functionalsegregationanddesign.MethodofCompliance:Verificationmethodincludesinspectionofdocumentation.Inspectionsofprogrammatic,systemsafetyandsoftwaresafetydocuments.Criterion:VerifythatspecialmilitarymodesofoperationofUAS(e.g.,weaponsorstoresarmingandreleaseoroperationofelectromagneticspectrumemitters)wheninactive(e.g.,ajammerinstandbymode)meetprobabilityoffailureanddesignanddevelopmentassurancerequirementsthroughphysical/functionalsegregationanddesign.
STPAwillidentifysafetyhazardsassociatedwithmilitarymodesonUASandprovidesafetydesignconstraintstomitigatethehazards.14.3.1Comprehensiveapproachtosoftwaresafety.Criterion:Verifythatacomprehensivesoftwaresafetyprogramisintegratedintotheoverallsystemsafetyprogram.Standard:Acomprehensivesoftwaresafetyprogramisintegratedintothesystemsafetyprogrambyensuringthefollowing:a.Adequateplanningforsoftwaresafetytasks;b.Adequateplanningforanalysis,traceabilityandtestingisdocumentedinsafetymanagementplansandtestplans;c.Activeparticipationofsoftwaresafetyinengineeringprocesses/events(i.e.,peerreview,changeboards,deviationprocessingetc.);d.Inclusionofsoftwaresafetyinthesoftwaredevelopmentprocessandproducts;e.Systemsafetyallocatessafetyrequirementstosoftwaresafetyinatimelymanner;f.System/softwarehazardanalysessubstantiatethatnosinglepointfailurecausedbysoftwareresultsinlossofaircraftorsystem;g.Softwarecausesofandmitigationsforthesystemhazardsareidentifiedandintegratedintothesystemsafetyprocess(i.e.,hazardreports,hazardtrackingsystemetc.);h.Softwaresafetyrecommendssystemsafetyrequirementstosystemsafetyinatimelymanner;i.Systemsengineeringreceivesthefinalsoftwaresafetyinputfromsystemsafetyinatimelymanner;j.Softwareintegritylevelsareestablishedandenforcedfortheprograminaccordancewithprescribedindustrystandards;k.Safetydesignatedfunctionsandtheirassociatedsafetydesignatedsoftwareareidentifiedandanalyzed;l.Testplansandproceduresincludetestingofsoftwaresafetyfunctionalrequirementsanddesignrequirements.NOTE:Theprecedingshouldnotbeconsideredtobeanall-encompassingexclusivelist,andmaybeexpandeddependingonprogramscopeandcomplexity.MethodofCompliance:Verificationmethodincludesinspectionofdocumentation.Verifybyinspectionofprogramsafety,softwaresafety,andsoftwaredocumentationthatthecomprehensivesoftwaresafetyprogramhasbeenintegratedintothesystemsafetyprograminamannerwhichmeetsthestandard.
STPAprovidessoftwaresafetyrequirements.TheserequirementsaretraceableandtheSTPAartifactsserveasdocumentationoftheanalysis.Thedatafromtheanalysisshouldfeedintotestplans.TheSTPAsoftwaresafetyrequirementswillbedeterminedduringtheanalysisalongwithallothersafetyrequirementsandmeetcriteriasuchasreducingsinglepointfailures,andtrackingsoftwarehazardsrecommendingsafetyrequirements.
180
STPAdoesnotdifferentiatebetweenhardwareandsoftwarehazards,andinfacttheyarerelatedasthesoftwareoftencontrolshardware.Treatinghardwarehazardsandsoftwarehazardsastwodifferentproblemstosolvereducesthelikelihoodofsolvingsoftware/hardwareinteractionhazards.14.3.2Planning/accomplishingsoftwaresafetyanalysesandassessments.Criterion:Verifythatthesoftwaresafetyprogramrequiresthatappropriatesoftwaresafety-designatedanalysesbeperformedaspartofthesoftwaredevelopmentprocessandverifyaccomplishmentofrelatedassessmenttasks.Standard:Atailoredsetofanalysesandassessments(orequivalent)requiredbythereferencesof14.3(thisdocument)isplannedforandaccomplished.MethodofCompliance:Verificationmethodincludesinspectionofdocumentation.Verifybyinspectionofsystemsafety,softwaresafety,andsoftwaredocumentationthatthetailoredsetofanalysesandassessments(orequivalent)requiredbythereferencesof14.3(thisdocument)areplannedforandaccomplished.
TheSTPAartifactswillprovidedocumentationthatasoftwaresafetyanalysisisaccomplished.14.3.2.1Performanceofsoftwaresafetyanalyses.Criterion:Verifythattherequiredsoftwaresafetyanalysespreparationisaccomplished.Standard:Thetypesandquantitiesofrequiredsoftwaresafetyanalysesarepreparedandprovidedinaccordancewithplanningforsoftwaresafety.Softwaresafetyanalysesandassessmentsincludethetailoreddocumentationrequiredbythereferencesof14.3(thisdocument).MethodofCompliance:Verificationmethodincludesinspectionofdocumentation.Criterion:Verifybyinspectionthatthedeliveredsoftwaresafetyanalysesfortheprogramhaveacompletesystemsview,includingidentificationofsoftwarehazards,andassociatedsoftwarerisks.
AnanalysisusingSTPAwillbeincompliancewiththiscriterion.Additionally,STPAartifactswillprovidedocumentationfortheairworthinesscertificationinspectortoverifythattheprogramisincompliance.14.3.2.2Performanceofsoftwaresafetytraceabilityanalyses.Criterion:Verifythattherequiredsoftwaresafetytraceabilityanalysesareaccomplished.Standard:Systemsafetyrequirementsallocatedtosoftwarearerefinedusingappropriateanalysestoallocatethesystemsafetyrequirementstothesoftwarerequirements,andbi-directionaltraceabilitytotheidentifiedhazard(s)isaccomplished.Appropriateanalysesincludethetailoreddocumentationrequiredbythereferencesof14.3(thisdocument).MethodofCompliance:Verificationmethodincludesinspectionofdocumentation.Verifybyinspectionofsystemsafety,softwaresafetyandprogramdocumentationthatthebi-directionalsoftwaresafetytraceabilityanalysesamongstrequirements,design,implementation,verification,andhazardhavebeenaccomplished.
AkeycomponentofSTPAistraceability.Eachsafetyconstraintisdirectlytiedtoahazardandisdocumentedintheanalysis.TraceabilityinSTPAgoesfromthesystem-levelhazardsdowntothespecificdesigntechniquesusedtomitigatethosehazards.14.3.3Evaluationofsoftwareforeliminationofhazardousevents.Criterion:Verifythatthedesign/modificationsoftwareisevaluatedtoensurecontrolledormonitoredfunctionsdonotinitiatehazardouseventsormishapsineithertheonoroff(powered)state.Standard:Thesoftwareasdesignedorasmodifieddoesnotinitiatehazardouseventsineithertheonoroff(powered)state.MethodofCompliance:Verificationmethodsincludeanalysis,test,andinspectionofdocumentation.Verifythatasystemsafetyassessmentisaccomplishedwhichincludesevaluationofsoftwareandidentificationofanomaloussoftwarecontrol/monitoringbehaviortoassurethesoftwareasdesignedorasmodifieddoesnotinitiaterelevanthazardousevents.
ThiscriteriondescribeswhatSTPAisdesignedtodo:identifyhazardsandcontrolthefunctionofthesystemtoavoidthosehazards.
181
14.3.4Commercialoff-the-shelfsoftwareintegritylevelconfirmation.Criterion:VerifythatCommercialOff-the-Shelf(COTS)andreusesoftware(whichincludesapplicationsoftwareandoperatingsystems)aredevelopedtothenecessarysoftwareintegritylevel.Standard:ThesoftwarecriticalitylevelforCOTSandreusesoftwarefunctionshasbeendeterminedandtheirdevelopmenthasbeenconfirmedtobeattherequiredsoftwareintegritylevelasdefinedbysoftwareand/orsafetyplanning.MethodofCompliance:Verificationmethodsincludeinspectionofdocumentation.Verifybyinspectionofprogram,systemsafety,softwaresafetyandsoftwareengineeringdocumentationthatthesoftwarecriticalitylevelforCOTSandreusesoftwarebyfunctionisdetermined.Verifythatthesoftwareisdevelopedtotherequiredsoftwareintegritylevelasdefinedbysoftwareand/orsafetyplanning.
STPAdoesnotsupportconfirmationofCOTSsoftwareintegritylevel.Infact,softwarecomponentsarenotsafeorunsafe;theycanbeeitherdependingonthesystemdesigninwhichtheyareused.Therefore,softwareintegritylevelhasnorelationtosafety.14.3.5Identificationofsafetydesignated/significantsoftware.Criterion:Verifythatsoftwareelementswhichperformfunctionsrelatedtosystemhazardshavebeenidentifiedandhandledassafetydesignated/significantsoftware.Standard:Safetyfunctionsidentifiedassystemhazardsareallocatedtosoftwarefunctions.Softwareelements(e.g.,CSCI,CSC,CSU,data,interfaces)relatedtoeachofthosesoftwarefunctionsareidentifiedandassignedanappropriatesafetycriticalityasdefinedbythesystemsafetyplanningdocumentation.Thesoftwareelementsarehandled(labeled,tracked,implemented,tested,etc.)asdefinedbythesystemsafetyplanningdocumentation.MethodofCompliance:Verificationmethodincludesinspectionofdocumentation.Verifybyinspectionofsystemsafetyandsoftwaresafetydocumentationthatsafetyrelatedsoftwarefunctionshavebeenidentified.Verifybyinspectionofprogram,systemsafetyandsoftwaresafetydocumentationthattheidentifiedsafetyrelatedsoftwareelementsarehandled(labeled,tracked,implemented,tested,etc.)asrequiredbysoftware/safetyplanningbasedontheirsafetycriticalitylevels.
ThroughthescenariosgeneratedbySTPA,safetycriticalsystemsandsoftwarewillbeidentified.14.3.5.1Assignmentofcriticalitylevels.Criterion:Verifythateachsafetydesignatedsoftwarefunctionisassignedanappropriatecriticalitylevel.Standard:Foreachofthesoftwareelements(e.g.,CSCI,CSC,CSU,data,interfaces),thesoftwarefunctionsimplementingthoseelementsareassignedanappropriatecriticalitylevel.Ifasoftwarefunctioncontainsmultiplesoftwareelements,thefunctionisassignedacriticalitylevelequaltothecriticalitylevelofthehighestelement.MethodofCompliance:Verificationmethodincludesanalysisandinspectionofdocumentation.Verifythattheappropriatelevelofcriticalityisassignedtoeachsoftwarefunction.
STPAwillnotdirectlyassigncriticalitylevels,howeverbyidentifyingsafetycriticalsystemstheanalysismayhelpdeterminetheselevels.14.3.5.2Testingtocriticalitylevels.Criterion:Verifythateachsafetydesignatedsoftwarefunctionistestedcommensuratewithitsassignedcriticalitylevel.Standard:Eachsafetydesignatedsoftwarefunctionistestedtothelevelrequiredbyitsassignedcriticalitylevel.Thetestingrequirementsforthesoftwarecriticalitylevelsaredocumentedinthesystemsafetyplanningdocuments.MethodofCompliance:Verificationmethodincludesinspectionofdocumentation.Verifythattheappropriateleveloftestingfordesignatedsafetysoftwarehasbeenperformedandrequiredresultswereachieved.
STPAwillprovidesafetyconstraintswhichcanbeusedasaninputtotesting.HazardscanbeprioritizedinSTPA,howeverSTPAtreatsallhazardsandassociatedsafetyconstraintsthesame.14.3.6Softwaresafetytestanalyses.Criterion:Verifythattheappropriatesoftwaresafetytestanalyseshavebeenplannedandperformed.
182
Standard:Softwaresafetytestanalyses(e.g.,nominalandfunctionalrequirementsbasetesting/analysis,structuralcoverageanalysis,hazardmitigationtestinganalysis,failuremodesandeffectstestinganalysis)planningandotherdocumentationareformallydocumentedandarekeptunderconfigurationmanagementcontrol.Softwaresafetytestanalysesactivitiesarealsoexecuted;resultsarerecordedusingformalproceduresandarekeptunderconfigurationcontrol.MethodofCompliance:Verificationmethodincludesinspectionofdocumentation.Verifybyinspectionofthesafetyplansthatsoftwaresafetytestingandtestanalyseshavebeenadequatelydocumentedandplanned.Verifybyanalysisofthedocumentedhazardsthatthehazardsassociatedwithsoftwareandcomputercomponentshavebeeneliminatedorcontrolledtotheacceptablelevelofriskasrequiredbythesystem/softwaresafetyplan.Verifybyinspectionofthetestreportsthatthesoftwaresafetytestresultshavebeenanalyzedandapproved/accepted.
STPAprovidessafetyconstraintsthatshouldbeusedasaninputintothetestplan,justastechnicalrequirementsareevaluatedduringdevelopmentaltest.14.3.7Structuralcoverageanalysis.Criterion:Verifythatsoftwaresafetyplanningadequatelyplansforstructuralcoverageanalysisandthattheplannedanalysisisaccomplished.Standard:Adequatestructuralcoverageanalysisforthesoftwarecriticalitylevelisaccomplished;resultsarerecordedusingformalproceduresandarekeptunderconfigurationmanagement.MethodofCompliance:Verificationmethodincludesinspectionofdocumentation.Verifybyinspectionofthetestplansthatadequatestructuralcoverageanalysisisplannedforanddocumented.Verifybyinspectionofstructuralcoverageanalysisresultsthatadequatestructuralcoveragetestingandanalysiswereachieved.
IfthesafetyconstraintsdeterminedbySTPAareverified,thetestingshouldbecompletefromasafetyperspective.
183
Bibliography1.AirForceSafetyCenter.AviationStatistics.AirForceSafetyCenter.[Online]2017.[Cited:1127,2017.]http://www.safety.af.mil/Portals/71/documents/Aviation/End%20of%20Year%20statistics/FY17.pdf.2.FaultTreeAnalysis.Ericson,Clifton.Orlando:SystemSafetyConference,1999.3.ReliabilityAnalysisforPowertoFirePumpUsingFaultTreeandRBD.Anthony,Michael,etal.2,s.l.:IEEE,March/April2013,IEEETransactionsonIndustryApplications,Vol.49.4.FailureModeandEffectAnalysis:APowerfulEngineeringTookforComponentandSystemOptimization.Arnzen,Harry.ForestPark:SymposiumonDeepSubmergencePropulsionandMarineSystems.5.Crawley,FrankandTyler,Brian.HAZOP:GuidetoBestPractice.3rd.s.l.:Elsevier,2015.6.Institution,BritishStandards.BSIEC61882:2001HazardandOperabilityStudies(HAZOPStudies)-ApplicationGuide.2001.7.Tolker-Nielsen,Toni.EXOMARS2016-SchiaparelliAnomalyInquiry.s.l.:EuropeanSpaceAgency,2017.8.Leveson,Nancy.EngineeringaSaferWorld:SystemsThinkingAppliedtoSafety.Cambridge:TheMITPress,2011.9.Thomas,John.ExtendingandAutomatingaSystems-TheroeticHazardHanalysisforRequirementsGenerationandAnalysis.2013.10.AcquisitionsProcess.AcqNotes.[Online]85,2017.[Cited:1113,2017.]http://acqnotes.com/acqnote/acquisitions/acquisition-process-overview.11.DepartmentofDefense.DefenseAcquisitionGuide.2017.12.DefenseAcquisitionGlossary.TechnologyMaturationandRiskReduction(PhaseoftheDefenseAcquisitionSystem).[Online][Cited:1114,2017.]https://www.dau.mil/glossary/pages/3193.aspx.13.AFI62-601.USAFAirworthiness.11June2010.14.AFI91-202.TheUSAirForceMishapPreventionProgram.24June2015.15.MIL-STD-882ESystemSafety.s.l.:DepartmentofDefense,2012.16.Leveson,Nancy.STPACompliancewithArmySafetyStandardsandComparisonwithSAEARP4761.2017.17.Losey,Stephen.AirForcereportfindsfaultyengineassemblycausedF-16crashinApril.AirForceTimes.[Online]October26,2017.[Cited:November2,2017.]https://www.airforcetimes.com/news/your-air-force/2017/10/26/air-force-report-finds-faulty-engine-assembly-caused-f-16-crash-in-april/.18.AFPD62-6.USAFAirworthiness.11June2010.19.USAFAirworthinessOffice.USAFAirworthinessBulletin(AWB)-150.Memorandum.Wright-PattersonAFB,OH:s.n.,2017.20.ALargeScaleExperimentinN-VerionProgramming.Knight,J.andLeveson,N.AnnArbor,MI:s.n.,1985.FifteenthInternationalSymposiumonFault-TolerantComputing.21.Annex3-0OperationsandPlanningTheEffects-BasedApproachtoOperations.CurtisE.LemayCenterforDoctrineDevelopmentandEducation.MaxwellAFB:UnitedStatesAirForce,2016.
184
22.Leveson,Nancy.Rasmussen'sLegacy:AParadigmChangeinEngineeringforSafety.23.AirCombatCommand.E-8CJointStarsFactSheet.[Online]923,2015.[Cited:1118,2017.]http://www.af.mil/About-Us/Fact-Sheets/Display/Article/104507/e-8c-joint-stars/.24.NorthropGrumman.JointStars.NorthrupGrumman.[Online]2012.[Cited:1118,2017.]http://www.northropgrumman.com/Capabilities/JointSTARSReCap/Documents/MissionDocs/A_GlimpseJSTARS.pdf.25.GeneralServicesAdministration.FederalBusinessOpportunities.JSTARSRecapitalization-EMD.[Online]113,2017.[Cited:1118,2017.]https://www.fbo.gov/index?s=opportunity&mode=form&id=fe71ff06a1af42be5ee7e63cef761151&tab=core&_cview=1.26.Insinna,Valerie.FutureofJSTARSrecapprograminquestionasAirForceexplorsotheroptions.DefenseNews.[Online]September12,2017.[Cited:November18,2017.]https://www.defensenews.com/air/2017/09/12/future-of-jstars-recap-program-in-question-as-air-force-explores-other-options/.27.AProcessforSTPA.Thomas,John.2017.28.Tillery,Jackie.Accountability:Inconsistent,SituationDependentandSubjective.MaxwellAFB:AirWarCollege,1997.