Risk identification and safety assessment of human-computer interaction in integrated avionics based on STAMP

doi:10.23919/JSEE.2024.000031

Journal of Systems Engineering and Electronics ›› 2024, Vol. 35 ›› Issue (3): 689-706.doi: 10.23919/JSEE.2024.000031

• SYSTEMS ENGINEERING • Previous Articles

Risk identification and safety assessment of human-computer interaction in integrated avionics based on STAMP

Changxiao ZHAO¹(), Hao LI²(), Wei ZHANG¹(), Jun DAI¹(), Lei DONG³^,*()

¹ School of Safety Science and Engineering, Civil Aviation University of China, Tianjin 300300, China
² Shenzhen Dajiang Innovation Technology Co., Ltd., Shenzhen 518057, China
³ Key Laboratory of Civil Aircraft Airworthiness Technology, Civil Aviation Administration of China, Tianjin 300300, China

Received:2022-08-25 Online:2024-06-18 Published:2024-06-19
Contact: Lei DONG E-mail:cxzhao@cauc.edu.cn;damienleeh@foxmail.com;wzhang_7154@163.com;171542305@cauc.edu.cn;dlcauc@126.com
About author:
ZHAO Changxiao was born in 1989. He received his Ph.D. degree from Behang University, Beijing, China, in 2013. He is currently an associate professor in Civil Aviation university of China. His research interests are safety assessment of the integrated modular avionics.E-mail: cxzhao@cauc.edu.cn

LI Hao was born in 1995. He received his M.S. degree from Civil Aviation University of China, Tianjin, China, in 2020. He is working in Shenzhen Dajiang Innovation Technology Co., Ltd. His research interests are risk identification of the human-computer interaction and safety analysis. E-mail: damienleeh@foxmail.com

ZHANG Wei was born in 1998. He received his M.S. degree from Civil Aviation University of China, Tianjin, China, in 2023. His research interest is safety assessment of the integrated modular avionics. E-mail: wzhang_7154@163.com

DAI Jun was born in 1999. He received his B.E. degree from Civil Aviation University of China, Tianjin, China, in 2021. He is currently pursuing his Ph.D. degree in Civil Aviation University of China. His research interest is airborne network safety assessment. E-mail: 171542305@cauc.edu.cn

DONG Lei was born in 1983. He received his Ph.D. degree from Behang University, Bejing, China, in 2013. He is currently an associate professor in Civil Aviation University of China. His research interest is airworthiness certification of the complex avionics. E-mail: dlcauc@126.com
Supported by:
This work was supported by the National Key Research and Development Program of China (2021YFB1600601), the Joint Funds of the National Natural Science Foundation of China and the Civil Aviation Administration of China (U1933106), the Scientific Research Project of Tianjin Educational Committee (2019KJ134), and the Natural Science Foundation of Tianjin, Intelligent Civil Aviation Program (21JCQNJC00900).

Abstract

Abstract:

To solve the problem of risk identification and quantitative assessment for human-computer interaction (HCI) in complex avionics systems, an HCI safety analysis framework based on system-theoretical process analysis (STPA) and cognitive reliability and error analysis method (CREAM) is proposed. STPA-CREAM can identify unsafe control actions and find the causal path during the interaction of avionics systems and pilot with the help of formal verification tools automatically. The common performance conditions (CPC) of avionics systems in the aviation environment is established and a quantitative analysis of human failure is carried out. Taking the head-up display (HUD) system interaction process as an example, a case analysis is carried out, the layered safety control structure and formal model of the HUD interaction process are established. For the interactive behavior “Pilots approaching with HUD”, four unsafe control actions and 35 causal scenarios are identified and the impact of common performance conditions at different levels on the pilot decision model are analyzed. The results show that HUD’s HCI level gradually improves as the scores of CPC increase, and the quality of crew member cooperation and time sufficiency of the task is the key to its HCI. Through case analysis, it is shown that STPA-CREAM can quantitatively assess the hazards in HCI and identify the key factors that impact safety.

Key words: avionics, human-computer interaction (HCI), safety assessment, system-theoretic accident model and process, human reliability analysis

Changxiao ZHAO, Hao LI, Wei ZHANG, Jun DAI, Lei DONG. Risk identification and safety assessment of human-computer interaction in integrated avionics based on STAMP[J]. Journal of Systems Engineering and Electronics, 2024, 35(3): 689-706.

Figures/Tables 21

Fig 1

Table 1

Fig 2

Table 2

Fig 3

Table 3

Fig 4

Fig 5

Table 4

Fig 6

Fig 7

Table 5

Table 6

Fig 8

Table 7

Table 8

Table 9

Fig 9

Table 10

Fig 10

Table 11

References 31

1	SINGH S, KUMAR R, KUMAR U Modelling factors affecting human operator failure probability in railway maintenance tasks: an ISM-based analysis. International Journal of System Assurance Engineering and Management, 2015, 6 (2): 129- 138.
2	ZHANG F K, DONG H Y. Research on formal modeling and safety analysis method of head-up display system for civil aircraft based on AltaRica. Proc. of the 3rd International Conference on Circuits, System and Simulation, 2019. DOI: 10.1109/CIRSYSSIM.2019.8935566.
3	WATKINS C B, NILSON C, TAYLOR S, et al. Development of touchscreen displays for the gulfstream g500 and g600 symmctry^TM flight deck. Proc. of the IEEE/AIAA 37th Digital Avionics Systems Conference, 2018. DOI: 10.1109/DASC.2018.8569532.
4	MENZENSKI J. Enhancing cognitive assistants with low-cost computer vision. Proc. of the IEEE/AIAA 37th Digital Avionics Systems Conference, 2018. DOI: 10.1109/DASC/DASC.2018.8569224.
5	CARROLL M, REBENSKY S, WILT D, et al Integrating uncertified information from the electronic flight bag into the aircraft panel: impacts on pilot response. International Journal of Human-Computer Interaction, 2020, 37 (7): 1- 12.
6	YANG H Y, SUN Y C, LI L B, et al. Safety analysis of integrated modular avionics system based on FTGPN method. International Journal of Aerospace Engineering, 2020, 2020: 8811565.
7	PENG Q B, ZHANG H L Model-based requirements analysis method for manned space engineering. Systems Engineering and Electronics, 2023, 45 (11): 3532- 3543.
8	SHARVIA S, PAPADOPOULOS Y Integrating model checking with HiP-HOPS in model-based safety analysis. Reliability Engineering System Safety, 2015, 135, 64- 80. doi: 10.1016/j.ress.2014.10.025
9	LIU X F, AN S Q. Failure propagation analysis of aircraft engine systems based on complex network. Procedia Engineering, 2014, 80: 506−521.
10	DONG H Y, CAO Z Y, ZHAI Z J, et al. Availability assessment of avionics display system based on MBSA using fault dependent matrix. IOP Conference Series: Materials Science and Engineering, 2020, 751: 012076.
11	HAN S, WANG T F, CHEN J Q, et al Towards the human–machine interaction: strategies, design, and human reliability assessment of crews’ response to daily cargo ship navigation tasks. Sustainability, 2021, 13 (15): 8173- 8190. doi: 10.3390/su13158173
12	THOMAS P R Performance, characteristics, and error rates of cursor control devices for aircraft cockpit interaction. International Journal of Human-Computer Studies, 2018, 109, 41- 53. doi: 10.1016/j.ijhcs.2017.08.003
13	LEVESON N. Engineering a safer world: systems thinking applied to safety. Cambridge: MIT Press, 2011.
14	LI Y H, GAO Y Safety analysis for civil aircraft system based on STPA-ANP mode. Systems Engineering and Electronics, 2022, 44 (9): 2986- 2994. doi: 10.3390/app10217400
15	HU J B, LEI Z, XU S K Safety analysis of wheel brake system based on STAMP/STPA and Monte Carlo simulation. Journal of Systems Engineering and Electronics, 2018, 29 (6): 1327- 1339. doi: 10.21629/JSEE.2018.06.20
16	CASTILHO D S, URBINA L, ANDRADE D D STPA for continuous controls: a flight testing study of aircraft crosswind takeoffs. Safety Science, 2018, 108, 129- 139. doi: 10.1016/j.ssci.2018.04.013
17	ZHAO C X, LI H, DONG L. Safety analysis and evaluation of airborne HUD system based on STPA-bayes model. Systems Engineering and Electronics 2020, 42(5): 1083–1092.
18	PAN X, WANG H X, LIN Y, et al HEP quantification strategy based on modified CREAM. Journal of Systems Engineering and Electronics, 2019, 30 (4): 815- 822.
19	AKYUZ E, CELIK M Application of CREAM human reliability model to cargo loading process of LPG tankers. Journal of Loss Prevention in the Process Industries, 2015, 34, 39- 48. doi: 10.1016/j.jlp.2015.01.019
20	AHN S I, KURT R E Application of a CREAM based framework to assess human reliability in emergency response to engine room fires on ships. Ocean Engineering, 2020, 216, 108078. doi: 10.1016/j.oceaneng.2020.108078
21	ZHOU Q, WONG Y D, HUI S L, et al A fuzzy and Bayesian network CREAM model for human reliability analysis–the case of tanker shipping. Safety Science, 2018, 105, 149- 157. doi: 10.1016/j.ssci.2018.02.011
22	ZHANG S, HE W P, CHEN D K, et al A dynamic human reliability assessment approach for manned submersibles using PMV-CREAM. International Journal of Naval Architecture and Ocean Engineering, 2019, 11 (2): 782- 795. doi: 10.1016/j.ijnaoe.2019.03.002
23	XI Z, MATTHEW L B, CHRISTOPHERR D, et al The development of a next-generation human reliability analysis: systems analysis for formal pharmaceutical human reliability. Reliability Engineering & System Safety, 2020, 202, 106327.
24	LI H. Research on safety analysis method of airborne display system based on the STAMP theory. Tianjin: Civil Aviation University of China, 2020. (in Chinese)
25	BAUMGART S, FROBERG J, PUNNEKKAT S. A state-based extension to STPA for safety-critical system-of-systems. Proc. of the 4th International Conference on System Reliability and Safety, 2019: 246−254.
26	HOLLNAGEL E. Cognitive reliability and error analysis method. Oxford: Elsevier Science Ltd, 1998.
27	LIU J C, DONG L, ZHAO C X, et al Simulation and verification of DIMA dynamic reconfiguration based on formal method. Systems Engineering and Electronics, 2022, 44 (4): 1282- 1290. doi: 10.3390/electronics10040503
28	JIANG Q, ZHU C L, WANG S Q Qualitative analysis for state/event fault trees using formal model checking. Journal of Systems Engineering and Electronics, 2019, 30 (5): 959- 973. doi: 10.1016/j.procs.2020.09.149
29	DAVID A, LARSEN K G, LEGAY A, et al UPPAAL SMC tutorial. International Journal on Software Tools for Technology Transfer, 2015, 17, 397- 415. doi: 10.1007/s10009-014-0361-y
30	SUN M S, SANG H L, SEUNG S K, et al STPA-based hazard and importance analysis on NPP safety I&C systems focusing on human–system. Reliability Engineering and System Safety, 2021, 213, 107698. doi: 10.1016/j.ress.2021.107698
31	ZHANG X, SUN Y C, ZHANG Y J, et al Multi-agent modelling and situational awareness analysis of human-computer interaction in the aircraft cockpit: a case study. Simulation Modelling Practice and Theory, 2021, 111, 102355. doi: 10.1016/j.simpat.2021.102355

Generic failure type	Basic human error probability	Basic human error probability
Observe	O_FMEA_1: wrong object	1.0E−3
	O_FMEA_2: wrong identification	7.0E−2
	O_FMEA_3: missed observation	7.0E−2
Interpretation	I_FMEA_1: faulty diagnosis or incomplete diagnosis	2.0E−1
	I_FMEA_2: decision error or incomplete decision	1.0E−2
	I_FMEA_3: delayed interpretation	1.0E−2
Planning	P_FMEA_1: priority error P_FMEA_2: inadequate plan or inappropriate plan	1.0E−2 1.0E−2
Execution	E_FMEA_1: action of wrong type	3.0E−3
	E_FMEA_2: action on wrong object	5.0E−4
	E_FMEA_3: action with wrong sequence	3.0E−3
	E_FMEA_4: incomplete action or missed action	3.0E−2
	E_FMEA_5: action at the wrong time	3.0E−3

Step of original STPA method	Step of STPA-CREAM method
Define purpose of the analysis	(i) Define purpose of the analysis (ii) HCI tasks identification and decomposition
Model control structure	(i) Model control structure integrated with CREAM (ii) UPPAAL modeling integrated with CREAM
Identify UCA	(i) Identify UCA (ii) Verify UCA with UPPAAL
Identify loss scenario	Identify loss scenario by UPPAAL
/	Perform UCA quantitative analysis

Number	Level	Effect	Weighting factor of cognitive function (base value)
Number	Level	Effect	Observe	Interpretation	Planning	Execution
1	Very efficient	Increase	1.0	1.0	0.8	0.8
	Efficient	Neutral	1.0	1.0	1.0	1.0
	Inefficient	Decrease	1.0	1.0	1.2	1.2
	Deficient	Decrease	1.0	1.0	2.0	2.0
2	Advantageous	Increase	0.8	0.8	1.0	0.8
	Compatible	Neutral	1.0	1.0	1.0	1.0
	Incompatible	Decrease	2.0	2.0	1.0	2.0
3	Very efficient	Increase	0.5	1.0	1.0	0.5
	Efficient	Neutral	1.0	1.0	1.0	1.0
	Inefficient	Neutral	1.0	1.0	1.0	1.0
	Deficient	Decrease	5.0	1.0	1.0	5.0
4	Advantageous	Increase	0.8	1.0	0.5	0.8
	Compatible	Neutral	1.0	1.0	1.0	1.0
	Incompatible	Decrease	2.0	1.0	5.0	2.0
5	Advantageous	Increase	1.0	1.0	1.0	1.0
	Compatible	Neutral	1.0	1.0	1.0	1.0
	Incompatible	Decrease	2.0	2.0	5.0	2.0
6	Advantageous	Increase	0.5	0.5	0.5	0.5
	Compatible	Neutral	1.0	1.0	1.0	1.0
	Incompatible	Decrease	5.0	5.0	5.0	5.0
7	Advantageous	Increase	0.8	0.5	0.5	0.8
	Compatible	Neutral	1.0	1.0	1.0	1.0
	Incompatible	Decrease	2.0	5.0	5.0	2.0
8	Very efficient	Increase	0.5	0.5	0.5	0.5
	Efficient	Neutral	1.0	1.0	1.0	1.0
	Inefficient	Neutral	1.0	1.0	1.0	1.0
	Deficient	Decrease	2.0	2.0	2.0	5.0
9	Day	Neutral	1.0	1.0	1.0	1.0
9	Night	Decrease	1.2	1.2	1.2	1.2

Number	Cognitive activity	Basic cognitive function
Number	Cognitive activity	Observe	Interpretation	Planning	Execution
1	Operate HCU				*
2	Calibrate HCU				*
3	Input runway				*
4	Confirm runway	*
5	Input altitude				*
6	Confirm altitude	*
7	Input glide angle				*
8	Confirm glide angle	*
9	Input display mode				*
10	Confirm display mode	*
11	Decide		*

Variable	Meaning
HCP_s	Status of HCP
HCU_s	Status of HCU
operation_s	Output status of operating
input_s	Output status of inputting and confirming
decide_s	Output status of deciding
PFohcu_s	Status of putting down HCU
PFchcu_s	Status of calibrating HCU
PNFirw_s	Status of inputting runway
PFcrw_s	Status of confirming runway
PNFial_s	Status of inputting altitude
PFcal_s	Status of confirming altitude
PNFiga_s	Status of inputting glide angle
PFcga_s	Status of confirming glide angle
PNFidm_s	Status of inputting display mode
PFcdm_s	Status of confirming display mode
PFdec_s	Status of deciding

Risk identification and safety assessment of human-computer interaction in integrated avionics based on STAMP

RichHTML

PDF (PC)

Knowledge

Abstract

Cite this article

Share this article

Figures/Tables 21

References 31

Related Articles 5

Recommended Articles

Metrics

Comments

Type	UCA description
Not providing causes hazard	(UCA-1) When the HUD system is operating normally, the pilot decides not to use the HUD for the approach
Providing causes hazard	(UCA-2) When the HUD system is not operating normally, the pilot decides to use the HUD for the approach
Too early, too late, out of order	(UCA-3) When the HUD system is operating normally, the pilot decides to use the HUD for the approach too late (UCA-4) When the HUD system is not operating normally, the pilot decides not to use the HUD for the approach too late
Stop too soon, applied too long	N/A

Category	HCP_s and HCU_s	operation_s	Input_s	Decide_s
01	Correctly executed	Incorrectly executed	Correctly executed	Incorrectly executed
02	Correctly executed	Incorrectly executed	Incorrectly executed	Incorrectly executed
03	Correctly executed	Correctly executed	Incorrectly executed	Incorrectly executed

Case	PF put down HCU (PFohcu_s)	PF calibrate HCU (PFchcu_s)
01	Correctly executed	Not executed
02	Incorrectly executed	Correctly executed
03	Incorrectly executed	Not executed

Case	PNFirw_s and PFcrw_s	PNFial_s and PFcal_s	PNFiga_s and PFcga_s	PNFidm_s and PFcdm_s
01	Not executed	Not executed/correctly executed/incorrectly executed	Not executed/correctly executed/incorrectly executed	Not executed/correctly executed/incorrectly executed
02	Incorrectly executed	Not executed/correctly executed/incorrectly executed	Not executed/correctly executed/incorrectly executed	Not executed/correctly executed/incorrectly executed
03	Not executed/correctly executed/incorrectly executed	Not executed	Not executed/correctly executed/incorrectly executed	Not executed/correctly executed/incorrectly executed
04	Not executed/correctly executed/incorrectly executed	Incorrectly executed	Not executed/correctly executed/incorrectly executed	Not executed/correctly executed/incorrectly executed
05	Not executed/correctly executed/incorrectly executed	Not executed/correctly executed/incorrectly executed	Incorrectly executed	Not executed/correctly executed/incorrectly executed
06	Not executed/correctly executed/incorrectly executed	Not executed/correctly executed/incorrectly executed	Not executed	Not executed/correctly executed/incorrectly executed
07	Not executed/correctly executed/incorrectly executed	Not executed/correctly executed/incorrectly executed	Not executed/correctly executed/incorrectly executed	Incorrectly executed
08	Not executed/correctly executed/incorrectly executed	Not executed/correctly executed/incorrectly executed	Not executed/correctly executed/incorrectly executed	Not executed

Role	Cognitive activity	Failure mode	Basic human error probability	Corrected failure probability with different CPC (1−8) initial scores
Role	Cognitive activity	Failure mode	Basic human error probability	40	60	80	90
PNF	Input runway	E_FMEA_1	3.0E−3	4.32E−3	3.6E−3	7.908E−4	1.8432E−4
	Input runway	E_FMEA_4	3.0E−2	4.32E−2	3.6E−2	7.908E−3	1.8432E−3
	Input altitude	E_FMEA_1	3.0E−3	4.32E−3	3.6E−3	7.908E−4	1.8432E−4
	Input altitude	E_FMEA_4	3.0E−2	4.32E−2	3.6E−2	7.908E−3	1.8432E−3
	Input glide angle	E_FMEA_1	3.0E−3	4.32E−3	3.6E−3	7.908E−4	1.8432E−4
	Input glide angle	E_FMEA_4	3.0E−2	4.32E−2	3.6E−2	7.908E−3	1.8432E−3
	Input display mode	E_FMEA_1	3.0E−3	4.32E−3	3.6E−3	7.908E−4	1.8432E−4
	Input display mode	E_FMEA_4	3.0E−2	4.32E−2	3.6E−2	7.908E−3	1.8432E−3
PF	Operate HCU	E_FMEA_1	3.0E−3	4.32E−3	3.6E−3	7.908E−4	1.8432E−4
	Calibration HCU	E_FMEA_4	3.0E−2	4.32E−2	3.6E−2	7.908E−3	1.8432E−3
	Confirm runway	O_FMEA_1	1.0E−3	1.2E−3	1.2E−3	2.929E−4	0.768E−4
	Confirm runway	O_FMEA_3	7.0E−2	8.4E−2	8.4E−2	2.0503E−2	5.376E−3
	Confirm altitude	O_FMEA_1	1.0E−3	1.2E−3	1.2E−3	2.929E−4	0.768E−4
	Confirm altitude	O_FMEA_3	7.0E−2	8.4E−2	8.4E−2	2.0503E−2	5.376E−3
	Confirm glide angle	O_FMEA_1	1.0E−3	1.2E−3	1.2E−3	2.929E−4	0.768E−4
	Confirm glide angle	O_FMEA_3	7.0E−2	8.4E−2	8.4E−2	2.0503E−2	5.376E−3
	Confirm display mode	O_FMEA_1	1.0E−3	1.2E−3	1.2E−3	2.929E−4	0.768E−4
	Confirm display mode	O_FMEA_3	7.0E−2	8.4E−2	8.4E−2	2.0503E−2	5.376E−3
	Decide	I_FMEA_2	1.0E−2	1.2E−2	1.2E−2	3.467E−3	1.2E−3
	Decide	I_FMEA_3	1.0E−2	1.2E−2	1.2E−2	3.467E−3	1.2E−3

CPC grade	Probability of UCA-2	Control mode
CPC grade	Probability of UCA-2	Strategic	Tactical	Opportunistic	Scrambled
40	0.072372704	0	14	86	0
60	0.062440184	0	20	80	0
80	0.012772005	0	89	11	0
90	0.003264311	49	51	0	0

[1]	Changyi XU, Yiman DUAN, Chao ZHANG. Formal management-specifying approach for model-based safety assessment [J]. Journal of Systems Engineering and Electronics, 2023, 34(6): 1589-1601.
[2]	Jianbo HU, Lei ZHENG, Shukui XU. Safety analysis of wheel brake system based on STAMP/STPA and Monte Carlo simulation [J]. Journal of Systems Engineering and Electronics, 2018, 29(6): 1327-1339.
[3]	Zhiqiang Sun, Erling Gong, Zhengyi Li, Yingjie Jiang, and Hongwei Xie. Bayesian estimator of human error probability based on human performance data [J]. Journal of Systems Engineering and Electronics, 2013, 24(2): 242-249.
[4]	Tianran Zhou, Huagang Xiong, and Zhen Zhang. Hierarchical resource allocation for integrated modular avionics systems [J]. Journal of Systems Engineering and Electronics, 2011, 22(5): 780-787.
[5]	Jiuping Xu and Lei Xu. Health management based on fusion prognostics for avionics systems [J]. Journal of Systems Engineering and Electronics, 2011, 22(3): 428-436.