The Sixth NASA Langley Formal Methods Workshop (LFM 2008) 1/15.


Aeronautical Regulations Should Be Rigorously Developed Too!

The Sixth NASA Langley Formal Methods Workshop

Eduardo R. López Ruiz, Yves Ledru and Michel Lemoine

A Formal Framework for Modeling and Assessing Regulations

3/15


Outline

Aeronautical Regulations - Introduction

Some Case Studies

An Overview

Modeling the Regulations

Integrated Methodology

Conclusions

4/15


Aeronautical Regulations - Introduction

The purview of aeronautical regulations is:

• the facilitation of civil aviation and

• the prevention of accidental events and intentional acts, which are detrimental to civil aviation

Prevention and mitigation of accidental events -> Safety Regulations

Prevention of intentional acts -> Security Regulations

5/15


Aeronautical Regulations – Some Case Studies

EDEMOI

• ICAO’s Annex 17 – Security - Safeguarding International Civil Aviation against Acts of Unlawful

• European Regulation (EC) 2320/2002 - Common rules in the field of civil aviation security

NACRE

• FAR/CS 25 - “Airworthiness standards: Transport category airplanes”

6/15


Aeronautical Regulations - An Overview

THEY ARE:

• Written using (inherently ambiguous) “natural language”

• Covering a wider sphere of application (interrelationships between regulations)

Regulations are validated following a "peer review" process

THEY MUST:

• Be interpreted identically (including their translations)

• Be consistent both locally and globally

• Consider all possible scenarios/cases (robust)

• Be capable of integrating changes (technological evolutions, etc.)

7/15


Aeronautical Regulations - An Overview

[Figure: successive versions V1, V2, V3 of a regulation along its horizontal (temporal) and vertical (hierarchical) components]

Regulations provide an organizational makeup, which has two components:

• the horizontal (temporal) and

• the vertical (hierarchical) component

Both are prone to a regression (i.e. a trend or shift toward a higher risk level)

Vertical Component:

• Must be congruous/compatible upstream

• Can be more restrictive downstream

[Figure: traceability between regulations at the International (ICAO Annex 17, Amendment 11: § 4.4.1 Screening of Originating and Transfer Passengers and their Cabin Baggage; § 4.4.2 Screening of Transit Passengers and their Cabin Baggage; § 4.4.3 Maintaining the “Screened” Condition) and European levels (Regulation (EC) 2320/2002 and its Proposed Revision: § 4.1.1, § 4.2.1, § 4.3.1), on a timeline 1996, 2001, 2005, across the International, National and Local levels. Legend: European, International]

8/15


Aeronautical Regulations - An Overview

They associate each applicability criterion to a set of safety and security requirements

[Figure: Safety/Security Risks Identified -> Regulations -> Applicability Criteria -> Requirements]

The Applicability Criteria describe:

• a general element or,

• an element in a specific state

The Requirements describe the attributes, capabilities, characteristics, or qualities that have been recognized as necessary

9/15


Aeronautical Regulations - An Overview

Safety/Security Risk Identified: Mid-air collision

Requirement: Shall be equipped with an ACAS II

Regulation: ICAO Annex 6 - Operation of Aircraft - Part 1

ICAO Annex 6 - §6.18.2: From 1 January 2005, all turbine-engined aeroplanes of a maximum certificated take-off mass in excess of 5,700 kg or authorized to carry more than 19 passengers shall be equipped with an airborne collision avoidance system (ACAS II).

Applicability Criteria:

• Turbine-engined civil aeroplane with MCTOW > 5700 kg

• Turbine-engined civil aeroplane authorized to carry > 19 passengers

10/15


Modeling the Regulations

Linguistic -> Appropriateness of the text

Readability, semantics, syntax, pragmatics…

Unambiguous

Logical -> Regulatory principle

Is it consistent? Is it robust?

Procedural -> Feasibility of the requirements

Can it be implemented?

11/15


Modeling the Regulations

We have borrowed tools and techniques from software engineering, to describe the regulation’s static (structural) and dynamic aspects

[Figure: models of the Relevant Entities and of the Relevant Infrastructure]

12/15


Integrated Methodology

Refinement of the Original Regulatory Text, by level (1, 2, 3, 3.a, 3.b):

• Identify the text’s essential properties: filter parasite words, establish a key-concepts dictionary and identify applicability criteria

• UML Model of the Text Structure: delineate its structure and (inter)link its parts

• UML Model of its Elements and their Environment: illustrate applicability criteria and their permutable states

• Formal Model (Z – Alloy combination):

- Alloy: used as a property model checker

- Z: animating and testing targeted behaviors/situations
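The ACAS II example on slide 9 and the Alloy step of this methodology together suggest what "systematic probing" of a regulation model looks like in practice. The following is an added example, not the authors' tooling and not a Z or Alloy model: applicability criteria are encoded as predicates over a constructed aircraft state, ICAO Annex 6 §6.18.2 as quoted on slide 9 is the upstream text, and two hypothetical downstream drafts (constructed for the example, not real regulations) are probed exhaustively over a small finite scope, in the spirit of Alloy's bounded model finding, for the vertical-component regression described on slide 7: a state in which the downstream text drops a requirement the upstream text imposes. The names Aircraft, Rule, scope, regressions and is_congruous are assumptions of this example.

```python
"""Bounded probing of a regulation's applicability criteria.

Added example (not the authors' tooling). Each applicability criterion is a
predicate over an aircraft state; a regulation maps criteria to requirements.
A downstream text is congruous with its upstream text when no state exists
in which the upstream imposes a requirement the downstream drops. The search
is exhaustive over a small finite scope, in the spirit of bounded model
finding with Alloy.
"""
from dataclasses import dataclass
from itertools import product
from typing import Callable, FrozenSet, Iterator, List, Tuple


@dataclass(frozen=True)
class Aircraft:
    """One element in a specific state (the slide's applicability criteria)."""
    engine: str      # "turbine" or "piston"
    mctow_kg: int    # maximum certificated take-off mass
    seats: int       # passengers the aeroplane is authorized to carry


@dataclass(frozen=True)
class Rule:
    """An applicability criterion associated with one requirement."""
    name: str
    applies: Callable[[Aircraft], bool]
    requirement: str


def requirements(rules: List[Rule], a: Aircraft) -> FrozenSet[str]:
    """Requirements a regulation imposes on aircraft state `a`."""
    return frozenset(r.requirement for r in rules if r.applies(a))


# ICAO Annex 6 Part 1, 6.18.2 as quoted on slide 9, split into the two
# applicability criteria the slide shows.
ANNEX6 = [
    Rule("Annex 6 6.18.2 (mass)",
         lambda a: a.engine == "turbine" and a.mctow_kg > 5700, "ACAS II"),
    Rule("Annex 6 6.18.2 (seats)",
         lambda a: a.engine == "turbine" and a.seats > 19, "ACAS II"),
]

# Constructed downstream drafts (hypothetical, not real regulations).
# DRAFT_LAX drops the seat-count criterion: the regression to be surfaced.
DRAFT_LAX = [
    Rule("Draft A (mass only)",
         lambda a: a.engine == "turbine" and a.mctow_kg > 5700, "ACAS II"),
]
# DRAFT_STRICT lowers the mass threshold: more restrictive downstream, allowed.
DRAFT_STRICT = [
    Rule("Draft B (mass)",
         lambda a: a.engine == "turbine" and a.mctow_kg > 4000, "ACAS II"),
    Rule("Draft B (seats)",
         lambda a: a.engine == "turbine" and a.seats > 19, "ACAS II"),
]


def scope() -> Iterator[Aircraft]:
    """Finite scope of states, with values on both sides of each threshold."""
    engines = ("turbine", "piston")
    masses = (2000, 5700, 5701, 20000)
    seat_counts = (9, 19, 20, 150)
    for e, m, s in product(engines, masses, seat_counts):
        yield Aircraft(e, m, s)


def regressions(upstream: List[Rule],
                downstream: List[Rule]) -> List[Tuple[Aircraft, FrozenSet[str]]]:
    """States where the downstream text drops an upstream requirement."""
    found = []
    for a in scope():
        missing = requirements(upstream, a) - requirements(downstream, a)
        if missing:
            found.append((a, missing))
    return found


def is_congruous(upstream: List[Rule], downstream: List[Rule]) -> bool:
    """Vertical-component check: compatible upstream, possibly stricter downstream."""
    return not regressions(upstream, downstream)


if __name__ == "__main__":
    for name, draft in (("Draft A", DRAFT_LAX), ("Draft B", DRAFT_STRICT)):
        bad = regressions(ANNEX6, draft)
        verdict = "congruous" if not bad else "%d regression states" % len(bad)
        print(name + ": " + verdict)
        for a, missing in bad:
            print("  " + repr(a) + " lacks " + str(sorted(missing)))
```

The scope deliberately contains the boundary values of each threshold (5700 and 5701 kg, 19 and 20 seats), because that is where a rewording such as "in excess of" versus "at least" silently changes which aircraft a requirement covers; a probe that skips boundaries would report the lax draft as congruous only if it also dropped a whole criterion, as Draft A does.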

13/15


Integrated Methodology

[Figure: workflow of the integrated methodology between the Aviation Authority and the Model Engineer. Inputs: Regulation, Amended Draft. Steps 1 to 6: Rigorous Modeling (Semi formal Model / Semi formal Tool, Formal Model / Formal Tool), Model Reconciliation, Systematic Probing (Test Cases, Animation/Simulation), Verification, Inferring Results, Analysis of the Report. Outputs: Report, Regressions Report. Legend: Trigger, Traceability, Input, Update, Output]

14/15


Conclusions

• Rigorous formal models of the affected aeronautical regulations were studied and animated to: (1) help identify the impacts of proposed amendments of regulations and procedures, and (2) infer possible solutions for the incompatibilities.

• Used in NACRE project - New Aircraft Concepts REsearch

• Used in EDEMOI project – Modeling Airport Security

• To be used in e-COPILOT - Commercial single-pilot aircraft

• To be used in ISAP - Integrated System for Air Transport Protection

• A tool in the integration of VLJ – Very Light Jets – into European Airspace

15/15


Thank you for your attention

Eduardo Lopez [email protected]

Yves Ledru [email protected]

Michel Lemoine [email protected]