HAL Id: hal-02078279
https://hal.archives-ouvertes.fr/hal-02078279
Submitted on 25 Mar 2019
HAL is a multi-disciplinary open access archive for the deposit and dissemination of sci- entific research documents, whether they are pub- lished or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers.
L’archive ouverte pluridisciplinaire HAL, est destinée au dépôt et à la diffusion de documents scientifiques de niveau recherche, publiés ou non, émanant des établissements d’enseignement et de recherche français ou étrangers, des laboratoires publics ou privés.
A BACKBONE MODEL FOR SAFETY ASSESSMENT OF THE AIR TRANSPORT SYSTEM
Pierre Bieber, J. Morio, F Kaakai, M. Morel, S Metge, M Llobet, L Carbo
To cite this version:
Pierre Bieber, J. Morio, F Kaakai, M. Morel, S Metge, et al.. A BACKBONE MODEL FOR SAFETY
ASSESSMENT OF THE AIR TRANSPORT SYSTEM. LambdaMu 21 - Congrès de Maitrise des
Risques et de Sûreté de Fonctionnement, Oct 2018, Reims, France. �hal-02078279�
UN MODELE FEDERATEUR POUR EVALUER LA SECURITE DU SYSTEME DE TRANSPORT AERIEN
A BACKBONE MODEL FOR SAFETY ASSESSMENT OF THE AIR TRANSPORT SYSTEM
P. Bieber, J. Morio F. Kaakai, M. Morel S. Metge M. LLobet, L. Carbo
ONERA Thales Thales Airbus Eurocontrol
2 av. E. Belin, Land & Air Operations S.A.S Experimental
Toulouse Systems France Center
+33 5 62 25 26 41 Pierre.Bieber@onera.fr
Résumé
Une approche pour l’analyse globale de la sécurité du système de transport aérien a été proposée par les partenaires du projet de recherche européen Future Sky Safety P4 «Total Aviation System Risk Assessment ». Elle est fondée sur un modèle fédérateur qui permet d’analyser les contributions des différents domaines qui composent le système de transport aérien. Les domaines considérés par le projet sont la gestion de l’espace aérien, la construction aéronautique et les opérations aériennes liées au transport de passagers. Dans cette communication nous présentons l’approche de modélisation développée et nous l’illustrons sur un cas d’étude portant sur la collision entre aéronefs lors la phase de croisière.
Summary
An approach to globally assess the safety of the air transport system was proposed by the partners of the European Project Future Sky Safety P4 «Total Aviation System Risk Assessment». It is based on a Backbone model that enables the assessment of the contributions of the various domains of the air transport system. The domains that were considered by this project are the air traffic management, aircraft manufacturing and airline operations related with passenger air transportation. In this paper we describe the modelling approach and we illustrate it on a case study on Mid-Air Collision En Route.
Introduction
The Future Sky Safety (FSS) project aims at developing a prototype Risk Observatory (RO) that will support the safety assessment of the total aviation transport system (Verstraeten et al., 2016). The Risk Observatory is based on the interaction between safety models covering various domains of the aviation transport system.
In the paper we first detail the role of the Risk Observatory.
Secondly, we introduce the notion of the Backbone model that federates domain specific models. We illustrate this notion with the Backbone model developed to assess the possible risk of Mid Air Collision En Route (MAC-ER) resulting from combinations of generic contributors and influencing factors. Then we explain how to integrate domain specific models (ATM ground system model, Aircraft airborne systems model) into the backbone model.
Finally, we describe the implementation of the Backbone model and present the preliminary quantitative results obtained.
Context
The Risk Observatory (RO) will acquire, merge and structure safety data and translate it into actionable safety information that should help to identify the combination of the most significant contributors involved in serious incident and accident, and highlight where effort should be put to reduce their probability of occurrence. The core of the risk observatory is formed by a risk assessment framework that integrates safety models covering various domains of the aviation transport system: Aircraft, Air Traffic Management and Airline Operation. The framework is fed by different data inputs: e.g. operational data from aircraft operators domain (e.g. from Flight Data Monitoring (FDM)) and from ANSP (Air Navigation Service Providers) domain, but also occurrences data. The risk observatory will offer important insights in safety performance to RO users, which can be used in the risk assessment of new aircraft operations and innovative system architectures as well as in safety assurance by identifying safety trends, key risk areas, and efficient mitigation measures.
Several use cases were defined during the first stage of the project, two of are described hereafter:
• Risk Summary: The RO is used to assess the probability of occurrence and at a certain time the trend over time of a given risk such as Mid Air Collision or Runway Excursion. In addition, the RO is used to assess the importance of the elements contributing to this risk. An Aircraft manufacturer could use the RO in order to check whether the combination of aircraft-related contributors with contributors from other domains and also external factors can lead to unacceptable risks. The aircraft manufacturer could monitor the sensitivity of contributors from other domains to a given risk in order to check that the assumptions made to assess the aircraft design are realistic ones, i.e. not underestimated, and can be actually used to validate the outcomes of the Aircraft Safety Models.
• What-if scenario: The RO is used to estimate the impact of changes (such as the introduction of new procedures or new systems) on the assessment of a given safety event. This functionality could be used by ANSPs to support them on deciding which, from a set of changes, are to be implemented in their operations based on a comparison of their potential safety impact (individually or per clusters) with current baseline in which no change is implemented. In this case, the ratio of the two probabilities (baseline and system including changes) is more relevant than the exact values of each of these probabilities.
Method 1. A Hierarchical Model
The Backbone model manages consistently and hierarchically the contributors and influencing factors leading to a risk such as Mid Air Collision - En-Route. The backbone model used for MAC-ER is based on the IRP–
Integrated Risk Picture Model (Eurocontrol, 2006), (Perrin, 2006). The model shown on the next figure describes a sequence of precursors (depicted by yellow ovals) that can lead to the MAC risk (the red circle) if the barriers (depicted
by blue/green rectangles) are inoperative. Precursors are hazardous situations that are caused by technical or human problems combined with the failure of barriers.
Barriers represent safety principles that were put in place in order to prevent or limit the occurrence of mid-Air collision.
Figure 1 : MAC-ER Precursors and Barriers
The MAC-ER model contains barriers such as planning and coordination of flights (34) or the management of aircraft trajectories by Air Traffic Controllers (ATC) (37). In barrier “ATC Collision prevention” (32), the ATC monitor aircraft separation and prevent potential collisions by devising collision avoidance maneuvers and by communicating instructions to the aircraft crew. If this barrier does not work, then the distance between aircraft decreases and there is an imminent collision risk. In barrier
“Airborne Collision Avoidance” (31), the crew uses embedded systems on board the aircraft to avoid collisions.
This barrier avoids that an imminent collision leads to a collision. In that case, both aircraft that might collide imminently should perform predefined collision avoidance maneuvers called Resolution Advisory (RA). If this barrier does not work then both aircraft do not necessarily collide but if there is no providence then there is a risk of mid-air collision. The scenario leading to a mid-air collision can be described by the following fault-tree.
A fault-tree is associated with each safety barrier in the MAC-ER backbone model. It describes combinations of contributors leading to the failure of the safety barrier. At this level of modelling contributors are generic, they can cover technical factors and human factors in all the domains of the aviation transport system.
The following fault-tree describes the combinations of generic contributors leading to a failure of barrier 31 (Airborne collision avoidance). Generic contributors 31.1, 31.2 or 31.4 can lead to an ineffective Resolution Advisory.
Contributor 31.1 describes situations where the embedded system does not provide in time a Resolution Advisory that could be used by the crew to avoid the collision.
Contributor 31.2 describes situations where the crew does not follow the instructions provided by the Resolution Advisory and Contributor 31.4 describes situations where the other aircraft does not perform the predefined maneuvers. Contributor 31.3 describes situations where the crew cannot visually detect the conflicting aircraft and avoid it using his own piloting skills.
Figure 2 : MAC-ER Backbone Model – “Airborne Collision Avoidance” View
The fault-tree in figure 4 describes the combinations of generic contributors leading to the failure of barrier 32 (ATC collision prevention). This fault-tree is a little bit more complex as it involves 9 generic contributors. At the first level, we find 4 causes that lead to this situation. Either the detection by the ATC of the loss of separation is ineffective, or the instruction provided by the ATC is not appropriate (32.4) or there are communications issues when the instruction is transmitted or the other aircraft does not perform according to the instructions provided by the ATC (32.9).
Figure 3 : MAC-ER Backbone Model – Top Level View
Figure 4 : MAC-ER Backbone Model – “ATC Collision Prevention” View Several generic contributors can cause a communication
issue: generic contributor 32.6 represents technical problems on the ground communication equipment, generic contributor 32.5 represents technical problems on the airborne communication equipment, and generic contributor 32.7 represents human problems in the communication between ATC and the flight crew. Several generic contributors are involved in the ineffective ATC detection of the loss of separation: contributor 32.3 represents human contribution to this situation whereas 32.8, 32.2 and 32.1 are technical contributors.
When a probability is assigned to each generic contributor then the backbone model can be used to compute the probability of Mid-Air Collision. Other probabilities can also be computed using the backbone model. In particular, the probability of intermediate nodes of the fault-tree representing precursors such as “Tactical Conflict to be solved”, “Separation Minima infringement to be prevented”
and “imminent collision to be avoided”. The probabilities of generic contributors are mainly established through the analysis of accidents and serious incidents that have to be reported to national authorities and also to EASA.
According to EASA Annual Safety Review published in 2017, 3 non-fatal Mid-Air Collisions accidents occurred in the period from 2012 to 2016. The precursors are much more frequent than Mid-Air Collision. According to EASA Annual Safety Review, 2667 separation incidents were reported in the same period. It should be possible to compute contributor probabilities from a detailed analysis of these reported separation incidents.
2. Influencing Factors
The notion of Influencing Factor (IF’s) has been introduced in the backbone model. IF’s are elements that vary the probability of occurrence an event, precursors in this case, due to their influence on the contributing factors relevant to this event. Examples of Influencing Factors are ‘Fatigue’
and ‘Lack of experience’, they both have a negative effect on contributors related with human activities. They can both be applicable to the ATC and the flight crew. In the backbone fault-tree, “Flight crew fatigue” influences contributors such as “31.2 - Inappropriate crew response to RA”, “31.4 - Avoidance invalidated by other aircraft” and
“32.9 - Avoidance not implemented or invalidated by other aircraft”. It influences a total of 8 contributors related with 5 safety barriers. Similarly, “ATC Experience Level”
influences contributors such as “32.3 - No detection by ATCo” and “32.4 - Inappropriate (collision prevention) instruction provided by ATC”. It influences 9 contributors related with 5 safety barriers.
In the frame of the Future Sky Safety project, we have built a list of Influencing Factors that can be used in the risk models. Some of these IF’s are inherent to a specific risk like for example the IF ‘Runway surface quality’ that is used in the risk modelling of the runway excursion. Other IF’s
are applicable to various risks as for instance ‘Wind shear/
Turbulences’. This IF can indeed lead to unstable aircraft in final approach (a situation that increases the risk of Runway excursion) but it can also cause a sudden unexpected aircraft vertical position change in a given volume of airspace and thus lead to a loss of separation minima (precursor to a risk of MAC-ER). IF’s have been grouped into clusters and they have been mapped onto all the contributors they can influence. The following list gives the 5 clusters of Influencing Factors applicable to MAC-ER, we also provide one or two IF examples for each cluster and briefly explain which contributors are influenced by the IF:
• OPERATIONAL ENVIRONMENT : Airspace complexity: the complexity of the sectors and traffic flows managed by the ATC influences contributors related with safety barriers “34 – Traffic Planning and Coordination” and “35 – Airspace Infringement Management”;
• SYSTEM PERFORMANCE : STCA Coverage: a low level of detection of conflicts by the STCA system influences contributor “32.2 -No STCA alert or provided late”; TCAS Equipage: a low percentage of aircraft equipped with the latest version of TCAS influences contributor “31.1 - No ACAS RA or provided late”
• ATC WORKLOAD: Overload score: An
overloaded sector influences contributors related with the safety barriers involving ATC (all barriers from 32 to 37).
• WEATHER/ENVIRONMENT: Storm clouds along route: the presence of storm clouds influences contributors “36.1 - Pilot action induces deviation” and “36.2 - ATC action / information induces deviation”;
• HUMAN PERFORMANCE: Flight Crew fatigue, ATC experience level.
We have associated each IF with a limited number of discrete values (generally three values). For instance, we have considered three “ATC Experience Levels” based on the percentage of the personnel that has more than 1 year experience on a sector: HIGH when this percentage is greater than 95%, MEDIUM when the percentage is between 85% and 95% and LOW when the percentage is below 85%.
For each value of the IF, an occurrence rate can be deduced from lessons learnt, statistics coming from local databases of flight data or national/ international databases related to major safety risk in aeronautics. For instance, typical occurrence rates for the “ATC Experience Levels”
are 5% for HIGH, 90% for MEDIUM and 5% for LOW.
However this distribution can vary depending on the
considered ANSP (Air Navigation Service Provider), this is why each ANSP may want to consider another distribution of this IF.
For each value of the IF, a weight was defined in order to model the influence. For example, the weight of IF « ATC Experience Levels », could be 1 for HIGH, it is 1.2 for MEDIUM and 2 for LOW. The probabilities of all contributors influenced by an IF are multiplied by a rectified weight that is equal to the sum of all the values obtained multiplying weight for each IF by the corresponding rate.
For instance, the rectified weight for IF “ATC Experience Levels” would be equal to:
rate(HIGH)*weight(HIGH) + rate(MEDIUM)*weight(MEDIUM) +
rate(LOW)*weight(LOW) = 0,05*1 + 0,9*1,2 + 0,05*2 = 1,23.
3. Integration of Domain Specific Models into the Backbone Model
Each domain of the Air Transport System develops its safety model in line with the Safety Management System (SMS) requirements applicable to its domain. These models are based on specific contributors that belong to the domain. They could be technical contributors (e.g.
airborne or ground equipment failure) and human contributors (e.g. flight crew, controller, ground operator errors). Fault-Trees were used to develop the risk model of the ground equipment components of the ATM domain. In the aircraft manufacturing domain, the Model Based Safety Assessment (MBSA) approach (Morel, 2016) was used in order to analyze jointly technical failures of airborne equipment and flight crew errors.
Domain specific models provide qualitative and quantitative information that can be integrated in the backbone model in order to compute probabilities of the precursors in the MAC-ER backbone. A domain specific model can generally be viewed as a fault-tree detailing combinations of specific contributors leading to a generic contributor. For instance, in the following figure we can see the combinations of contributors from the ATM Ground domain leading to generic contributor “No STCA alert or provided late” (32.2).
This fault-tree exclusively contains contributors that can be related with technical failures of the equipment involved in the Short Term Conflict Alert (STCA) system. In that case it is very easy to integrate the domain specific model into the backbone model. It is sufficient to connect the domain specific fault-tree directly to the generic contributor in the backbone fault-tree.
Figure 5 : Domain Specific Model for “No STCA alert or provided late”
When the domain specific models are developed using specific language like the case of AltaRica (Arnold et alter 2000) the integration in the backbone model needs some additional steps. First, the relevant generic contributors are added as observer nodes into the AltaRica model.
Relevant generic nodes for the aircraft manufacturer domain are: “31,1 - No ACAS RA or provided late”, “32,5 - Communication issues - technical airborne”, “33,1 -
Inappropriate traffic data information – airborne”, “36,4 - Aircraft technical failure induces deviation“. Then a fault- tree is automatically generated, it contains combinations of domain specific contributors that lead to the generic contributor. To improve the readability of the names of specific contributors they were renamed before integrating these automatically produced fault-trees into the backbone model The conversion of specific units
Figure 6 : Aircraft Manufacturer Model for “No ACAS RA or provided late”
4. Conversion Rules
Each domain should provide the probability of occurrence for its specific contributors. Domains may use different units to measure occurrence probabilities. In the aircraft manufacturer domain the probability is measured per Flight Hour whereas in the ATM domain it is measured per Controlled Flight Hour and an airline might measure the probability per flight.
At the Backbone model level, all the quantitative values coming from various domain specific models must be expressed with the same reference unit, called ‘target reference unit’ in order to make the backbone homogenous. The three previously mentioned units can be used as target reference units. The conversion of specific units into the target one will be made at the Backbone model level using the following conversion functions:
• P[per flight hour] = P[per flight]/Tf where Tf = average flight duration measured in hour
• P[per controlled flight hour] = P[per flight hour]
* Nac * Xt/60 where Nac is the average number of aircraft controlled by one Air Traffic sector and Xt is the average number of minutes of flight duration in the sector. Nac is a number of A/C but it should be interpreted as the capacity of the sector during one hour of control (i.e. a number of flights per hour sector capacity).
Typical values for Tf would be 2 hours for a short-haul flight and 10 hours for a long-haul flight. An average value of Tf can be computed using information about the flights in one geographical area or the flights operated by an airline.
Let’s take an example of Nac and Xt values by considering the use case of ED-161 (ed 2009, §. A.4.2.2 Traffic Characteristics, page 77) related to En route airspace for High density traffic. The longitudinal separation between 2 successive aircraft on the same track is assumed to be in average equal to 5 min. So during 1 hour, we could have 12 groups of 5 aircraft entering at the same time in the sector, so Nac would be equal to 60. The figure below represents this traffic with the extra assumption that Xt = 6.
In the En Route High Density case, we would have Nac = 60 and Xt = 6 so P[per controlled flight hour] = P[per flight hour] * 60 * 6/60 = P[per flight hour] * 6
Figure 7: Conversion functions
Figure 8: Implementation in the Risk Observatory
Results 5. Implementation
A first prototype of the backbone model was developed using Excel spreadsheets. More recently, a second prototype was developed using fault-tree tool such as ArbreAnalyste (Clément et alter, 2014). The backbone and the domain specific fault-trees are described using the Open Initiative for Next Generation of Probabilistic Safety Assessment (Open-PSA) syntax (Open-PSA, 2015). This second implementation prepares the integration of the Backbone model in the Risk Observatory, described in figure 8.
The figure shows two streams of activities of the RO. The bottom stream relates to collected data (FDM data, incident data) and an occurrence dashboard. The upper stream relates to the results of domain specific risk models with Risk index computation and visualization in the RO.
This implementation is based on several inputs such as: a library of predefined Backbone models (label 1) described as Open-PSA files; results from the domain specific models (label 2) also described as open PSA files, information needed to perform unit conversion (Tf, Nac, Xt) should also be provided by the domain specific models; influencing factors parameters (label 3) such as weight, probabilities and values of an IF. Optionally, the implementation could use the probability of some generic contributors directly computed from collected data (label 4). The first function of this implementation is the Data Integration Engine (label 5)
that integrates the backbone and specific models and prepares all the inputs needed by the Risk Index Engine.
The Risk Index Engine (label 6) takes as input the fault-tree prepared by the Data Integration Engine and computes risk index in the form of probabilities of occurrence and importance factors. Finally the Graphical Engine (label 7) displays the fault-tree for the validation of the Backbone.
The main outputs of this implementation are the results from the computations performed by the integrated risk assessment (label 8) that are sent to the RO in order to be displayed.
6. Preliminary Quantitative Assessments
We have used the first and second implementations described in the previous section in order to perform several computations using either the standalone backbone model or the integration of domain specific models into the backbone model.
Eurocontrol provided probability figures for all the generic contributors. These figures are realistic but they were not necessarily derived from an analysis of real occurrence data. They are meant to help the validation of the model.
No conclusions on the actual level of safety of the European airspace should be drawn from the computations we have performed. We used the first implementation to compute the probabilities of MAC-ER risk and its main precursors (Mid Air Collision, Imminent Collision, …).
Precursor BB Fat. Exp. CC Int.
Mid Air
Collision 5,0E-9 6,2E-9 9,2E-9 7.5e-9 4.3e-9 Imminent
Collision to be avoided
4,2E-5 4,5E-5 7,7E-5 6.0e-5 4.4e-5 Imminent
Collision to be prevented
6,9E-5 7,2E-5 9,1E-5 8.8e-5 8.2e-5 Tactical
Conflict to be solved
3,3E-2 3,3E-2 3,4E-2 3,4E-2 3.0e-2
Table 1 Probabilities of MAC-ER main precursors
We also performed experiments related with Influence Factors. In the previous table, the column labelled BB gives the probabilities computed using the backbone model, the columns labelled “Fatigue” and “Experience”
show the influence of IF’s “Flight Crew Fatigue” and “ATC Experience Level” that both have a rectified weight of 1,23. It is interesting to see that the overall probability is multiplied by 1,3 when the probabilities of contributors influenced by “ATC Experience Level” are multiplied by 1,23 whereas the overall probability if multiplied by 1,2 when the probabilities of contributors influenced by “Flight Crew Fatigue” are multiplied by the same rectified weight.
This means that the IF “ATC Experience Level” has a stronger influence on the MAC-ER risk than IF “Flight Crew Fatigue”.
We performed a sensitivity analysis based on the estimation of Sobol indices (Sobol, 1993) in order to determine the most important contributors of the backbone model. Sobol indices enable to determine which part of the MAC-ER risk probability variance is due to the different contributor probabilities. The Sobol first-order indices were estimated in practice with 1000 Monte Carlo simulations (Saltelli, 2002). To apply this approach we first had to define a probability density function over the contributor probabilities that model their uncertainty. We assumed that the contributor probabilities follow independent uniform distribution whose support depends on the initial contributor probability value. If pi is the probability of contributor i without uncertainty, then the corresponding input follows a uniform distribution on the support [pi/5, pi*5]
if pi<10-3 , on the support [pi/2, pi*2] if 10-3<pi<0,5, on the support [pi*0.9, max(1,pi*1.1)] if pi>0.5. We assume here that that the error order of magnitude is greater for low probabilities. These assumptions are based on subjective expert opinions and can be easily modified. The most influent contributor probabilities are given in the following table. Contributor probabilities whose Sobol index is greater than 5% have to be estimated with caution. An error on their estimation could lead to a very inaccurate MAC probability.
Ref Contributor Sobol Ind.
- Providence 22.4%
- Pre-tactical conflict 19.5%
34.3 Inadequate Planning 13%
32.3 No detection by ATCo 8.7%
31.2 Inappropriate crew 7.8%
33.9 No time to provide 7%
Table 2 The most influent Contributing Factor for the MAC- ER Risk
We studied the impact of common causes on the Backbone model. Several contributors are related with communication issues, in the Backbone they are modelled as independent failures. But in the aircraft, the same equipment is used for all communications consequently the failure of this equipment will lead to the simultaneous occurrence of several contributors such as
“32.6 – Communication issues – technical airborne”, “33.5 – Communication issues – technical airborne” and “37.3 - Communication issues – technical airborne”. So these contributors should be treated as a common cause group.
We have modified the backbone model in order to deal with these common causes and we used Arbre-analyste to compute the probabilities, they are reported in column CC of table 1. We noticed an increase of the MAC-ER risk that can be limited when we take into account the actual probabilities of the loss of airborne and ground based communication equipment that are smaller than the figure used in the Backbone model.
Finally, we have also built a model that integrates into the backbone model, the domain specific models for ATM Ground equipment and Airborne systems. The results obtained with this integrated model are reported in the column labelled “Integrated” of Table 1. The probabilities tend not to differ from the one computed with the standalone backbone model.
Conclusion
Two backbone models were developed by the Future Sky Safety P4 project according to the principles that have been presented in this paper. Two backbone models were developed: the mid-air collision model described here and another model for runway excursion. Evidence collected show that this approach could be applicable to a broad range of aviation risks such as the ones currently modelled in Eurocontrol Risk Models, NLR CATS (Ale et alter, 2008) or FAA ISAM (Borener, 2016). With the two prototype implementations several preliminary quantitative were performed testing: influencing factors, sensitivity analysis, common causes and the use of domain specific models. That is, the kind of safety related assessments that a Risk Observatory user would be interested to perform.
The next step that should be achieved by the Future Sky Safety P4 project is to develop a Risk Observatory prototype that follows the principles of figure 8 where a number of users could use the Backbone models and perform safety assessments either using predefined contributor probabilities or using their own sets of contributor probabilities.
A further perspective for our work would to use data collected by airline companies or organizations in charge of ATC in order to continuously feed the Backbone models with probabilities of generic and specific contributors. If we are able to achieve this then it would be possible to use the Backbone models in order to permanently monitor the safety of the total aviation transport system.
Ac k n o w l e d g e m e n t s
This project has received funding from the European Union’s Horizon 2020 Research and Innovation Programme under Grant Agreement No 640597.
R e f e r e n c e s
B. Ale, L. Bellamy, R. Cooke, M. Duyvis, D. Kurowicka, C.
Lin, O. Morales, A. Roelen, and J. Spouge,(2008) Causal model for air transport safety. Ministerie van Verkeer en Waterstaat, Directoraat-Generaal Luchtvaart en Maritieme Zaken, 2008.
Arnold, A. Griffault, G. Point, A. Rauzy (2000). The AltaRica formalism for describing concurrent systems. In:
Fundamenta Informaticae p109-124
P. Bieber, S. Metge, M. Morel, J. Plé, Aircraft safety model development and integration in a risk observatory, in proceedings of the 7th EASN International Conference on Innovation in European Aeronautics Research, 26-29 September 2017, Warsaw, Poland
S. S. Borener, V. S. Guzhva, I. Crook, and R.
Fraga,(2016) “Safety assessment of implemented nextgen operational improvements,” Transportation Research Procedia, vol. 14, no. Supplement C, pp. 3731 – 3740, 2016, transport Research Arena TRA2016 E. Clément, Antoine B. Rauzy, T. Thomas, Arbre-Analyste:
un outil d'arbres de défaillances respectant le standard Open-PSA et utilisant le moteur XFTA - Congrès Lambda- Mu 19 de Maîtrise des Risques et de Sûreté de Fonctionnement (Octobre 2014)
EUROCAE (2009) ED-161 - Safety and Performance and Interoperability Requirements Document for ADS-B-RAD Application.
EUROCONTROL (2006). Main report for the 2005/2012 Integrated Risk Picture for Air Traffic Management in Europe, EEC Note No. 05/06, Eurocontrol Experimental Centre, Brétigny-sur-Orge, France.
EUROCONTROL (2017) Network Manager Operational Safety Study: TCAS RA not Followed, Edition 1.0 September 2017
S. Noh and J. Shortle, Application of Common Cause Failure Methodology to Aviation Safety Assessment Model, ICRAT 2016
Open-PSA model exchange format version 2.0d : https://github.com/open-psa 2015
M. Morel, G. de Brito,(2016), Approche basée « modèle
» pour l'analyse Safety de systèmes avioniques critiques et des erreurs humaines, in proceedings of Congrès Lambda Mu 20 de Maîtrise des Risques et de Sûreté de Fonctionnement, Saint-Malo, 2016
E. Perrin, B. Kirwan, and R. Stroup,(2006) “A systematic model of ATM safety: the integrated risk picture,” in Proceedings of the Conference on Risk Analysis and Safety Performance in Aviation, 2006
A. Saltelli, Making best use of model evaluation to compute sensitivity indices, Computer Physics Communication, vol. 145, pp. 280–297, 2002.
I. Sobol and S. Kuchereko, Sensitivity estimates for non- linear mathematical models, Mathematical Modelling and Computationnal Experiments, vol. 1, pp. 407–414, 1993.
Verstraeten, J., Van Baren, G.,Wever, R.. (2016). The Risk Observatory: Developing an Aviation Safety Information Sharing Platform in Europe. Journal of Safety Studies. 2. 91. 10.5296/jss.v2i2.10443
