Aeronautical Regulations Should Be Rigorously Developed Too!
The Sixth NASA Langley Formal Methods Workshop
Eduardo R. López Ruiz, Yves Ledru and Michel Lemoine
A Formal Framework for Modeling and Assessing Regulations
Outline
• Aeronautical Regulations
  – Introduction
  – Some Case Studies
  – An Overview
• Modeling the Regulations
• Integrated Methodology
• Conclusions
Aeronautical Regulations - Introduction
The purview of aeronautical regulations is:
• the facilitation of civil aviation and
• the prevention of accidental events and intentional acts, which are detrimental to civil aviation

Prevention and mitigation of accidental events -> Safety Regulations
Prevention of intentional acts -> Security Regulations
Aeronautical Regulations – Some Case Studies
EDEMOI
• ICAO’s Annex 17 – Security - Safeguarding International Civil Aviation against Acts of Unlawful
• European Regulation (EC) 2320/2002 - Common rules in the field of civil aviation security
NACRE
• FAR/CS 25 - “Airworthiness standards: Transport category airplanes”
Aeronautical Regulations - An Overview
THEY ARE:
• Written using (inherently ambiguous) “natural language”
• Covering a wider sphere of application (interrelationships between regulations)
• Validated following a "peer review" process
THEY MUST:
• Be interpreted identically (including their translations)
• Be consistent both locally and globally
• Consider all possible scenarios/cases (robust)
• Be capable of integrating changes (technological evolutions, etc.)
Aeronautical Regulations - An Overview
Regulations provide an organizational makeup, which has two components:
• the horizontal (temporal) component and
• the vertical (hierarchical) component
Both are prone to a regression (i.e. a trend or shift toward a higher risk level).

Vertical Component:
• Must be congruous/compatible upstream
• Can be more restrictive downstream

[Figure: successive versions V1, V2, V3 of a regulation placed on a horizontal (temporal) axis (1996, 2001, 2005) and a vertical (hierarchical) axis (International, National, Local). Worked instance: the paragraphs "Screening of Originating and Transfer Passengers and their Cabin Baggage", "Screening of Transit Passengers and their Cabin Baggage" and "Maintaining the 'Screened' Condition" (§ 4.4.1, § 4.4.2, § 4.4.3 of ICAO Annex 17 Amendment 11) set against Regulation (EC) 2320/2002 and its Proposed Revision (§ 4.1.1, § 4.2.1, § 4.3.1). Legend: International, European.]
Aeronautical Regulations - An Overview
They associate each applicability criterion with a set of safety and security requirements.

[Figure: the four notions and their links: Regulations, Safety/Security Risks Identified, Applicability Criteria, Requirements]

The Applicability Criteria describe:
• a general element or,
• an element in a specific state
The Requirements describe the attributes, capabilities, characteristics, or qualities that have been recognized as necessary.
Aeronautical Regulations - An Overview
Worked instance of the scheme above:
Regulation: ICAO Annex 6 - Operation of Aircraft - Part 1
Safety/Security Risk Identified: Mid-air collision
Applicability Criteria:
• Turbine-engined civil aeroplane with MCTOW > 5700 kg
• Turbine-engined civil aeroplane authorized to carry > 19 passengers
Requirement: Shall be equipped with an ACAS II

ICAO Annex 6 - §6.18.2: "From 1 January 2005, all turbine-engined aeroplanes of a maximum certificated take-off mass in excess of 5,700 kg or authorized to carry more than 19 passengers shall be equipped with an airborne collision avoidance system (ACAS II)."
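The ACAS II instance above, together with the "vertical component" rule stated earlier (a downstream text may be more restrictive than the upstream one but must stay compatible with it, otherwise there is a regression), can be probed mechanically. The following is an added example, not code from the slides or from the EDEMOI/NACRE projects: it encodes the §6.18.2 applicability criteria as a predicate over aircraft attributes and then does in plain Python what the deck later delegates to Alloy, namely enumerate a small bounded domain of aircraft and search for a counterexample. The two "national" rules are constructed hypotheticals, not real regulations, and the attribute values of the domain are chosen to straddle each threshold.

```python
"""Bounded consistency check of regulatory applicability criteria.

Added example, not code from the slides or from the EDEMOI/NACRE projects.
Upstream rule: ICAO Annex 6 §6.18.2 as quoted on the slide.
Downstream rules: constructed hypotheticals used to show a compatible
refinement and a regression.
"""
from dataclasses import dataclass
from itertools import product
from typing import Callable, Iterable, List, Optional


@dataclass(frozen=True)
class Aeroplane:
    turbine_engined: bool
    mctow_kg: int          # maximum certificated take-off mass
    passenger_seats: int   # passengers the aeroplane is authorized to carry


# A rule answers: must this aeroplane be equipped with ACAS II?
Rule = Callable[[Aeroplane], bool]


def icao_annex6_6_18_2(a: Aeroplane) -> bool:
    """Applicability criteria from the slide: turbine-engined, and either
    MCTOW > 5700 kg or authorized to carry more than 19 passengers."""
    return a.turbine_engined and (a.mctow_kg > 5700 or a.passenger_seats > 19)


def national_stricter(a: Aeroplane) -> bool:
    """Constructed hypothetical: lower mass threshold. More restrictive, still compatible."""
    return a.turbine_engined and (a.mctow_kg > 3000 or a.passenger_seats > 19)


def national_regressed(a: Aeroplane) -> bool:
    """Constructed hypothetical: the passenger-capacity criterion was dropped.
    A regression: aeroplanes the upstream rule covers would escape the requirement."""
    return a.turbine_engined and a.mctow_kg > 5700


def bounded_domain(mass_points: Iterable[int], seat_points: Iterable[int]) -> List[Aeroplane]:
    """Every combination of the chosen attribute values (the bounded scope of the check)."""
    return [Aeroplane(t, m, s) for t, m, s in product((False, True), mass_points, seat_points)]


def find_regression(upstream: Rule, downstream: Rule,
                    domain: Iterable[Aeroplane]) -> Optional[Aeroplane]:
    """First aeroplane that the upstream rule requires to be equipped but the downstream
    rule does not. Compatibility means downstream(a) holds whenever upstream(a) holds."""
    for a in domain:
        if upstream(a) and not downstream(a):
            return a
    return None


def check_vertical_compatibility(upstream: Rule, downstream: Rule) -> dict:
    """Run the bounded search; values straddle the 5700 kg, 3000 kg and 19-seat thresholds."""
    domain = bounded_domain((1000, 3001, 5700, 5701, 20000), (0, 9, 19, 20, 150))
    cex = find_regression(upstream, downstream, domain)
    return {"compatible": cex is None, "counterexample": cex, "cases_checked": len(domain)}


if __name__ == "__main__":
    for name, rule in (("stricter", national_stricter), ("regressed", national_regressed)):
        print(name, check_vertical_compatibility(icao_annex6_6_18_2, rule))
```

The search is exhaustive only within the chosen bounds, which is exactly the trade-off the deck accepts by using Alloy as a property model checker: a counterexample is a genuine regression, while "compatible" means only that none was found within scope.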
Modeling the Regulations
Three viewpoints on a regulation:
• Linguistic -> Appropriateness of the text: readability, semantics, syntax, pragmatics…; unambiguous
• Logical -> Regulatory principle: is it consistent? Is it robust?
• Procedural -> Feasibility of the requirements: can it be implemented?
Modeling the Regulations
We have borrowed tools and techniques from software engineering to describe the regulation’s static (structural) and dynamic aspects.

[Figure: models of the Relevant Entities and of the Relevant Infrastructure]
Integrated Methodology
Refinement of the Original Regulatory Text through successive levels (1, 2, 3, 3.a, 3.b, …):
• Original Regulatory Text
• Identify the text’s essential properties: filter parasite words, establish a key-concepts dictionary and identify applicability criteria
• UML Model of the Text Structure: delineate its structure and (inter)link its parts
• UML Model of its Elements and their Environment: illustrate applicability criteria and their permutable states
• Formal Model (Z – Alloy combination):
  – Alloy: used as a property model checker
  – Z: animating and testing targeted behaviors/situations
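The first refinement level (filter parasite words, build a key-concepts dictionary, identify applicability criteria) is the one step of the methodology that works directly on the natural-language text. The block below is an added example, not the tooling of the EDEMOI or NACRE projects: the parasite-word list and the "X shall Y" splitting heuristic are assumptions of this example, and the sample paragraph is ICAO Annex 6 §6.18.2 as quoted earlier in the deck. Splitting the pre-"shall" condition on "or" reproduces the two applicability criteria the deck draws for that paragraph.

```python
"""Level-1 refinement of a regulatory paragraph: filter parasite words, build a
key-concept dictionary and identify applicability criteria.

Added example, not the EDEMOI/NACRE tooling. The parasite-word list and the
'X shall Y' splitting heuristic are assumptions of this example.
"""
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed list of words that carry no regulatory content (assumption of this example).
PARASITE_WORDS = {
    "a", "an", "the", "all", "and", "or", "of", "in", "to", "with", "from", "be",
    "shall", "more", "than", "its", "their", "that", "which", "is", "are", "by",
}

# Sample paragraph: ICAO Annex 6 §6.18.2 as quoted in the deck.
ANNEX6_6_18_2 = (
    "From 1 January 2005, all turbine-engined aeroplanes of a maximum certificated "
    "take-off mass in excess of 5,700 kg or authorized to carry more than 19 passengers "
    "shall be equipped with an airborne collision avoidance system (ACAS II)."
)


def tokenize(text: str) -> List[str]:
    """Lower-case word tokens; hyphenated terms such as 'turbine-engined' stay whole."""
    return re.findall(r"[a-z0-9][a-z0-9\-]*", text.lower())


def key_concepts(text: str) -> Dict[str, int]:
    """Key-concept dictionary: every non-parasite, non-numeric token with its frequency."""
    tokens = [t for t in tokenize(text) if t not in PARASITE_WORDS and not t.isdigit()]
    return dict(Counter(tokens))


def split_shall_sentence(sentence: str) -> Optional[dict]:
    """Split one 'shall' sentence into temporal qualifier, applicability criteria and requirement.
    The text before 'shall' is the applicability condition; alternatives joined by 'or'
    become separate criteria. Returns None for a sentence without a 'shall' clause."""
    m = re.match(r"^(?P<cond>.*?)\bshall\b\s+(?P<req>.+?)\.?$", sentence.strip(), re.S)
    if not m:
        return None
    cond = m.group("cond").strip(" ,")
    temporal = None
    tm = re.match(r"^(From [^,]+),\s*(.*)$", cond)  # leading 'From <date>,' qualifier
    if tm:
        temporal, cond = tm.group(1), tm.group(2)
    criteria = [c.strip() for c in re.split(r"\s+or\s+", cond)]
    return {"temporal": temporal, "criteria": criteria, "requirement": m.group("req").strip()}


def refine_paragraph(paragraph: str) -> List[dict]:
    """Apply the split to every sentence of a paragraph that carries a 'shall' clause."""
    sentences = [s for s in re.split(r"(?<=\.)\s+", paragraph.strip()) if s]
    return [r for r in (split_shall_sentence(s) for s in sentences) if r is not None]


if __name__ == "__main__":
    print(key_concepts(ANNEX6_6_18_2))
    for item in refine_paragraph(ANNEX6_6_18_2):
        print(item)
```

The output of this level is what the next levels consume: the criteria list becomes the applicability criteria of the UML element model, and the requirement clause becomes the property the formal model later checks.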
Integrated Methodology

[Figure: workflow of the integrated methodology, with steps numbered 1 to 6. The Aviation Authority supplies the Regulation, its Amended version or a Draft; the Model Engineer produces Semi-formal Models (with a semi-formal tool) and Formal Models (with a formal tool). Steps: Rigorous Modeling, Systematic Probing, Model Reconciliation, Verification, Inferring Results, Analysis of the Report. Outputs: Test Cases, Animation/Simulation, Report and a Regressions Report. Legend: Trigger, Traceability, Input, Update, Output.]
Conclusions
• Rigorous formal models of the affected aeronautical regulations were studied and animated to:
  (1) help identify the impacts of proposed amendments of regulations and procedures, and
  (2) infer possible solutions for the incompatibilities.
• Used in the NACRE project - New Aircraft Concepts REsearch
• Used in the EDEMOI project – Modeling Airport Security
• To be used in e-COPILOT - Commercial single-pilot aircraft
• To be used in ISAP - Integrated System for Air Transport Protection
• A tool in the integration of VLJ – Very Light Jets – into European Airspace
Thank you for your attention
Eduardo Lopez
Yves Ledru
Michel Lemoine