INTEGRATED METHOD UTILIZING GRAPH THEORY AND FUZZY LOGIC FOR SAFETY AND RELIABILITY ASSESSMENT OF AIRBORNE SYSTEMS

This paper presents an integrated algorithm for airborne system safety and reliability assessment. In general aviation (mostly up to EASA CS-23) and the non-military unmanned aerial vehicle industry, the safety and reliability assessment process still relies almost exclusively on human judgment. Recommended practices that define processes for system modelling and safety assessment are based on the analyst's understanding of a particular system. That is a difficult and time-consuming process. Commercial computation aids are extremely expensive, with restricted (or closed) access to the solution algorithms. In addition, the rapid development of modern airborne systems and their increasing complexity elevate the level of interconnection. Therefore, safety and reliability analyses have to continuously evolve and adapt to the growing complexity. This growth also brings into the field unmanned aerial vehicle systems that consist of items without relevant reliability testing. The presented algorithm utilizes graph theory and fuzzy logic in order to develop an integrated computerized means for reliability analysis of sophisticated, highly interconnected airborne systems. Through the use of graph theory, it is possible to create a model of a particular system and its sub-systems in the form of a universal data structure. The algorithm is conceived as a fuzzy expert system that emulates the decision making of a human expert. That brings the opportunity to partially quantify system attributes and criticality. Criticality evaluation increases the level of correlation between the assessment and the real state of the system and its attributes.


INTRODUCTION
An airplane is a highly developed, interconnected and sophisticated system. It has to perform dozens of functions at once just to sustain flight. Modern airplanes combine heterogeneous systems with different characteristics and requirements. Therefore, reliability assessment in the field of modern aviation is a long and extensively complex process involving analysis of a vast number of mutually connected elements of different systems. Each system affects other systems in diverse ways. However, the safety assessment process still relies almost exclusively on human judgment. Recommended practices for system modelling and safety assessment are based on the analyst's understanding of a particular system. Reviewing the functions of system components, assemblies and elements, followed by assessing each failure mode and its resulting effects on the system, is at the least a complicated process.
An easily accessible data structure should make the safety and reliability process more effective. The developed integrated method of safety and reliability assessment utilizes a powerful mathematical tool, graph theory, in order to represent a complex system. It is a natural step to represent a system by drawing a graph. A set of points along with lines joining pairs of these points represents a particular system and its interconnection.
The rapid development of general aviation airborne systems and unmanned aerial systems increases the necessity and scope of reliability analysis of these systems. In these cases, input reliability data are insufficient. The integrated method adopts criticality assessment to partially substitute for input reliability data. Fuzzy systems are used as a means to establish criticality. The concept of item criticality is enhanced in order to achieve a higher level of correlation with the real state of the system and its attributes.
The standard criticality number used in safety and reliability analysis of airborne systems is defined, according to military standard MIL-STD-1629A, as a relative measure of the consequences of a failure mode and its frequency of occurrence. The integrated method extends this definition to a wider level. It uses the term Extended criticality to distinguish between standard criticality and the criticality developed in this doctoral thesis.

INTEGRATED METHOD ARCHITECTURE
The main idea is to establish a means of combining particular instruments of safety and reliability assessment into a unified, effective process (see Figure 1). A function-oriented system model in the form of a directed graph serves as a universal platform for the whole assessment process. The analysis decomposes the aircraft into various systems and subsystems consisting of items. Each system structure is designed to provide a specific function or functions. Items are connected by different types of interconnection (mechanical, electrical supply, electrical control, data, indication, etc.) to achieve the intended function. The integrated method evaluates various functionality influences. Specific failure modes differ in the severity of their influence on the main safety objective (explained in the following chapter). The method provides a knowledge database, which contains preliminary failure classification related to the main functions, support functions and additional functions (explained in the following chapter), usually applied remedies and extended criticality evaluation inputs. They occur with different probability and with different possibility of detection.

Process
The assessed system is first functionally evaluated. Main and support functions are established. The integrated method provides an airborne systems knowledge database. It enables the aircraft to be separated into particular systems according to the ATA 100 (Spec 100: Manufacturers' Technical Data) chapters and sections. Further, it gives guidance for establishing function identification, pre-defined potential failure modes and their possible effects, and for preliminarily evaluating severity for the fuzzy criticality evaluation. This database is accessible and modifiable during aircraft development.
After the functional description, the physical parts of the system (items) and their interconnections are established. The integrated method provides another knowledge database, which contains available reliability data (or preliminary failure mode occurrence levels).
The system is modelled as an interconnection of particular items in the form of a graph. Function-based modelling allows the analyst to establish the required complex failure mode fault tree utilizing graph theory tools.
The concept of item extended criticality and system robustness evaluation is a way to handle expert knowledge summarized in critical reviews. Extended criticality analysis is a procedure by which each potential failure mode is ranked according to the combined influences [1]. Robustness evaluation handles the system's physical realization, protection against ambient influences, item maturity or isolation.

Function-based Modelling
The concept of aviation safety is based on the most essential safety objective: the ability to sustain flight and land safely. The integrated method names this the Main Safety Objective (MSO). An airplane and its functions are designed, developed and tested to fulfil and ensure the MSO. These complex airborne system functions can be arranged into a fixed hierarchy. Functions are then ranked above (or at the same level as) each other according to their influence on the MSO. Safety influence can be expressed in the form of a degree of decisive importance with respect to the crucial outcome in relation to the main safety objective. Functions with direct influence on the provision of the main safety objective are labelled Main functions (MF). MFs implement the main safety objective. Functions which are designed to facilitate or support a main function are labelled Support functions (SF). Support functions can be taken as a means to ensure higher functions.
Functions without relation to the main safety objective, or not significantly contributing to the supply function performance, are labelled Additional functions (AF). Unlike traditional modelling methods, the integrated method uses function-oriented modelling. Event-oriented models usually used in reliability analysis (for instance fault trees) are designed to identify the combination of events (usually failures) causing a particular failure, and make it possible to estimate the probability of this failure. Each model describes a combination of events for a single case (failure). It does not describe the complexity or connectivity of system items and functions. The suggested function-oriented modelling adopts graph theory principles to describe system interconnection. System items are mutually interconnected to ensure a particular function; these connections are modelled as directed edges between parent and child nodes (items) in the direction of the function. For example, an electric generator provides electrical power, which is then distributed through a sequence of relays and buses to the electrical loads. The function-oriented model makes it possible to describe the interconnection between various systems (electrical, avionics, etc.) in relation to a particular function.
Standard safety and reliability studies usually use other special graphs: reliability block diagrams (RBD) and fault trees (FTA). A block diagram is a kind of pseudograph. It is used for modelling a system under the assumption that the system will operate if any sequence of components operates. Fault trees are used to represent important failure modes identified by the functional hazard assessment. However, both techniques (RBD, FTA) require extensive calculation for just one failure mode. Also, there is only a poor correlation between the real system and its representation.

Graph theory application
The applied function-oriented approach basically models the system design. A system consists of various items and their interconnections in order to assure the intended functionality. Unlike a design scheme, function-based modelling represents the sequence of functions provided by items. An item is represented by a node (vertex). For each node, there are various basic attributes such as type, system participation, zone, occurrence, detectability, severity and extended criticality. Function interaction is represented by an edge. For each edge, there are also various basic attributes: type, system participation, occurrence and zone. The set of attributes can be extended or reduced for a particular application. One of the key elements of the integrated method architecture is to identify interconnections between items on the wide level, that is, to adopt the outlook of the global level. Items are usually associated with multiple functions on the system or local level. However, many of them are associated with many more functions on the global level.
It is essential to distinguish between particular types of connections in order to organize the model for a precise operational mode: complex systems such as avionics or electrical can be reconfigured for different modes such as engine start or generator loss. These modes reflect the system configuration in a particular situation. Operational mode selection is based on the expert knowledge of analysts and system designers.

Selected Graph theory application benefits
A system data structure in the form of a graph makes it easy to assess particular items, systems or function interconnections.

Predecessors
Predecessors are defined as the set of nodes (vertices) coming before a given node in a directed path. This trivial attribute of a graph is actually quite useful and illustrative. Figure 3 shows an example of the set of nodes preceding a given node. The node represents the R MAIN electrical bus of the case study application. It is quite obvious that the functionality of R MAIN (the right main bus of a two-channel electric system), i.e. its ability to provide electrical power to its loads, is conditional on the functionality of various items. Logically, system function is influenced by many other factors (such as control unit setting, engine regimes, operation modes). However, the presented means is highly useful for analysis purposes or for the system study itself.

Successors
The other side of the coin is a successor. Successors are the set of nodes coming after a given node in a directed path. Continuing with the same example, the case study R MAIN is used as the initial node which others succeed. Electric power is supplied to the left auxiliary bus (AVION LAX), directly to the elevator trim fuse and possibly to the main bus from the right main bus.
Then the electrical power is distributed through various buses and fuses to particular loads. These items provide particular functions. The combination of support functions provides the intended high function, resulting in the Main Function.
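The predecessor and successor queries described above, together with the filtering by connection type mentioned under "Graph theory application", can be sketched as follows. This is an added example, not code from the paper: R MAIN, AVION LAX, the trim fuse and GTN 1 are named on the page, while the remaining items, the wiring between them and all function names are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed sample model, not the paper's case-study data. Each edge points
# in the direction the function propagates and carries a connection type.
EDGES = [
    ("GEN", "GEN RELAY", "electrical supply"),
    ("GCU", "GEN RELAY", "electrical control"),
    ("GEN RELAY", "R MAIN", "electrical supply"),
    ("BATTERY", "BAT RELAY", "electrical supply"),
    ("BAT RELAY", "R MAIN", "electrical supply"),
    ("R MAIN", "AVION LAX", "electrical supply"),
    ("R MAIN", "TRIM FUSE", "electrical supply"),
    ("TRIM FUSE", "TRIM ACTUATOR", "electrical supply"),
    ("TRIM ACTUATOR", "TRIM TAB", "mechanical"),
    ("AVION LAX", "GTN 1", "electrical supply"),
    ("GTN 1", "TRIM INDICATION", "data"),
]

def adjacency(edges, types=None, reverse=False):
    """Adjacency sets, optionally restricted to some connection types."""
    adj = defaultdict(set)
    for parent, child, kind in edges:
        if types is None or kind in types:
            if reverse:
                adj[child].add(parent)
            else:
                adj[parent].add(child)
    return adj

def reachable(adj, start):
    """Every node reachable from start along directed paths (breadth-first)."""
    seen, queue = set(), deque([start])
    while queue:
        for nxt in adj.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)  # a cycle must not make a node its own predecessor
    return seen

def predecessors(edges, node, types=None):
    """Items whose function the given item is conditional on."""
    return reachable(adjacency(edges, types, reverse=True), node)

def successors(edges, node, types=None):
    """Items that receive the function provided by the given item."""
    return reachable(adjacency(edges, types), node)

if __name__ == "__main__":
    supply = {"electrical supply"}
    print("R MAIN depends on:", sorted(predecessors(EDGES, "R MAIN")))
    print("R MAIN feeds:", sorted(successors(EDGES, "R MAIN")))
    print("supply paths only:", sorted(predecessors(EDGES, "R MAIN", supply)))
```

Restricting the query to one connection type separates, for instance, the power path from the control path: the control unit drops out of the predecessor set when only supply edges are followed.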

Centrality
Centrality is a structural (geometrically related) property of a network. For these network measures, centrality refers to the geometric center or the level of importance. For simplicity, all graphs in this section are undirected and simple.

 Betweenness centrality (BC)
This measure identifies and favours nodes that join separated systems (for instance electrical with avionics, electrical with engine control, etc.), or dense subnetworks respectively, rather than nodes inside a particular system. Betweenness centrality ranking determines item importance on the wider (global) level.

 Closeness centrality (CC)
Unlike betweenness centrality, closeness centrality is a measure of how particular functions are tied together through the function of a particular item or items. Closeness centrality ranking determines node importance due to function concentration.

 Subgraph centrality (SC)
It is a means of characterizing nodes in a network according to the number of closed walks starting and ending at the node. Closed walks are appropriately weighted such that their influence on the centrality decreases as the order of the walk increases.

 Centroid value (CV)
A particular sub-system or item is functionally capable of influencing other systems and modules. Thus, an item with a high centroid value, compared to the average centroid value of the network, will possibly be involved in coordinating the functionality of other highly connected items. A network with a very high average centroid value is more likely influencing functional units or modules. It is useful to compare the centroid value to other means of detecting dense regions in a graph.

The node topology parameter (NTP) serves as one of the inputs to the fuzzy extended criticality assessment described in the following chapters. It reflects node influence on the local and global level based on graph theory evaluation. It is based on the previously defined and described parameters (BC, SC, CV), which reflect node position in the network. Metfessel allocation is used to determine the relative importance of a node. In this case, the analyst has to quantitatively evaluate the importance of the parameters based on their influence on airplane systems. In the set of parameters, not all elements of the set Pai have the same relative importance in relation to the particular problem under consideration. This relative significance or importance is simply referred to as a weight parameter Wi. The analyst evaluates the i-th parameter with value bi, if it lies in the scale, e.g., bi <0, 100>. The more important the parameter is, the higher its score. While the scoring method requires the user to provide a quantitative evaluation of indicators, it also allows for a more differentiated expression of subjective preferences than, e.g., the ranking method.
[2] Where   weight assigned to each parameter,   is the number of assigned points,  is the number of all considered parameters,   parameter,  index of the parameter,   -the total number of points assigned to all parameters. The resulting weights are determined from expert assessments [2]. The node parameters (betweenness centrality, subgraph centrality and centroid volume) are processed using the described Metfessel allocation. The resulting node topology parameter is computed by the following equation.
Where,   is between preference,   node processed betweenness centrality,   processed subgraph centrality,   node centrality,   centroid volume preference and   processed node centroid volume.
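The claim made above for betweenness centrality, that it favours nodes joining separated systems over nodes inside a system, can be checked on a small undirected, simple graph. This is an added example, not code from the paper: it uses Brandes' algorithm, and the two four-item clusters and the single bridging bus are a constructed topology that reuses item names from the page only as labels.

```python
from collections import deque
from itertools import combinations

def undirected(edges):
    """Adjacency sets for an undirected, simple graph."""
    adj = {}
    for a, b in edges:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj

def betweenness(adj):
    """Unnormalised betweenness centrality (Brandes' algorithm, unweighted)."""
    bc = dict.fromkeys(adj, 0.0)
    for s in adj:
        order, preds = [], {v: [] for v in adj}
        sigma = dict.fromkeys(adj, 0)   # number of shortest paths from s
        dist = dict.fromkeys(adj, -1)   # hop distance from s
        sigma[s], dist[s] = 1, 0
        queue = deque([s])
        while queue:
            v = queue.popleft()
            order.append(v)
            for w in adj[v]:
                if dist[w] < 0:
                    dist[w] = dist[v] + 1
                    queue.append(w)
                if dist[w] == dist[v] + 1:
                    sigma[w] += sigma[v]
                    preds[w].append(v)
        delta = dict.fromkeys(adj, 0.0)
        for w in reversed(order):       # farthest nodes first
            for v in preds[w]:
                delta[v] += sigma[v] / sigma[w] * (1 + delta[w])
            if w != s:
                bc[w] += delta[w]
    return {v: c / 2 for v, c in bc.items()}  # each pair was counted twice

# Constructed topology: two fully connected clusters joined by one bus.
ELECTRICAL = ["GEN", "BATTERY", "L MAIN", "R MAIN"]
AVIONICS = ["GTN 1", "GTN 2", "DISPLAY", "DAU"]
ADJ = undirected(list(combinations(ELECTRICAL, 2))
                 + list(combinations(AVIONICS, 2))
                 + [("R MAIN", "AVION LAX"), ("AVION LAX", "GTN 1")])

def ranking(adj):
    """Items ordered from highest to lowest betweenness."""
    return sorted(betweenness(adj).items(), key=lambda kv: -kv[1])

if __name__ == "__main__":
    for item, score in ranking(ADJ):
        print(f"{item:10s} {score:5.1f}")
```

The bridging bus scores highest even though it has only two connections, while the items that sit purely inside one cluster score zero.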

Item extended criticality evaluation
The extended criticality level (and number) is a generally descriptive attribute of an item's contribution to the system (airplane, high-level function) state of being critical to the MSO (to sustain flight and land safely). The integrated method intends to extend the criticality level concept by combining different influences based on a precise critical review.
Several aspects influence item extended criticality. These influences are projected into a set of inputs.
There are four inputs into the fuzzy criticality evaluation (see Table 1): severity, occurrence, detectability and system topology.

FUZZY EXTENDED CRITICALITY EVALUATION INPUTS (Type: Input evaluates)

High-level Severity
Severity is the consequence of a failure mode. It considers the worst potential consequences of a failure, determined by the degree of influence on the MSO. It is related to the main and support functions (MF, SF).

Node topology parameter
The node topology parameter expresses node interconnection in the system. The NTP reflects node influence on the local and global level. It is based on the previously defined and described parameters.

Detectability
It establishes the chance of failure mode detection using expert knowledge expressed in the form of linguistic terms and score tables.

Occurrence
A complementary measure to quantify system reliability, i.e. the ability of the system to perform its function. Occurrence levels are used as strong inputs to the fuzzy extended criticality assessment, representing probability of occurrence in the absence of relevant reliability data.

Fuzzy systems
Fuzzy systems are used to evaluate extended criticality and robustness. Fuzzy inference is a process of mapping inputs to an output through fuzzy sets. The most used fuzzy inference technique is Mamdani, developed by Professor Ebrahim Mamdani of London university in 1975. The process consists of four main steps: the fuzzification process (the particular inputs used in the integrated method are presented above), fuzzy inference rule evaluation, aggregation of rule outputs and de-fuzzification.
Expert knowledge enters the fuzzy system as crisp inputs, numerical values of the universe of discourse. Each type of input has its own range of discourse. Crisp inputs are fuzzified against the appropriate fuzzy sets. Fuzzification expresses the level of membership in particular sets (for instance, severity is partially medium and partially high). Fuzzy rules consist of an antecedent (expressed as IF) and a consequent (implication, expressed as THEN). The antecedent can consist of multiple parts, which are combined by fuzzy operators (AND, OR).
Fuzzified inputs are applied to the antecedents of the fuzzy rule base to obtain a single number that represents the result of the rule antecedents. The resulting number is applied in the consequent part of the fuzzy rule. The fuzzy rule base contains a number of particular rules. Therefore, a process of aggregation is used. It is a process of unification of the outputs of all rules. The (clipped and scaled) consequents of each rule are combined into a single fuzzy set. The result has to be defuzzified to obtain a crisp number expressing the output (criticality, robustness). It is a process of aggregation of the fuzzy set into this single crisp output. Based on [3].

Inference rules
It is a platform for abstracting information based on linguistic terms (expert's judgment). "It presents the way of thinking that when we know something (hypothesis, premises), then we are able to infer or derive the conclusion (consequent fact). The fuzzy rule base concept is most effective in the case of complex system modelling, when the system is observed by people, because it makes use of linguistic variables that can be naturally represented by fuzzy sets and the logic of these sets. Rules are based on natural language representations and models, which are themselves based on fuzzy sets and fuzzy logic.[

De-fuzzification
De-fuzzification is done in order to obtain a single scalar quantity as the output of the fuzzy process. It is the process of obtaining a crisp ranking from the fuzzy conclusion set. The ranking represents the extended criticality level of the failure mode for potential corrective or remedial action. The de-fuzzification process requires deciphering the meaning of the fuzzy conclusions and their memberships and resolving conflicts between results.
The centroid technique, probably the most used defuzzification technique, is applied. It finds where a vertical line would slice the aggregate set into two equal masses.
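The four Mamdani steps described above (fuzzification, rule evaluation, aggregation, centroid de-fuzzification) are carried through in the following added example, which is not the paper's implementation. The 0 to 10 input scales, the 0 to 9 output scale, the triangular membership functions, the five rules and the choice of reporting the output set with the highest membership as the level are all assumptions made for illustration; consequents are clipped, and the centroid is computed as the centre of gravity of the sampled aggregate set.

```python
def tri(x, a, b, c):
    """Triangular membership with peak at b; a == b or b == c gives a shoulder."""
    if x == b:
        return 1.0
    if x < b:
        return 0.0 if x <= a else (x - a) / (b - a)
    return 0.0 if x >= c else (c - x) / (c - b)

# Assumed fuzzy sets: every input is scored 0..10, the output runs 0..9.
IN_SETS = {"low": (0, 0, 5), "medium": (0, 5, 10), "high": (5, 10, 10)}
OUT_SETS = {"not_critical": (0, 0, 3), "moderate": (0, 3, 6),
            "critical": (3, 6, 9), "safety_critical": (6, 9, 9)}

# Assumed rule base. AND is min, OR is max, NOT is 1 - membership.
RULES = [
    # IF severity high AND (occurrence high OR detectability low)
    (lambda m: min(m["severity"]["high"],
                   max(m["occurrence"]["high"], m["detectability"]["low"])),
     "safety_critical"),
    # IF severity high AND NOT (occurrence high OR detectability low)
    (lambda m: min(m["severity"]["high"],
                   1 - max(m["occurrence"]["high"], m["detectability"]["low"])),
     "critical"),
    (lambda m: min(m["severity"]["medium"], m["topology"]["high"]), "critical"),
    (lambda m: min(m["severity"]["medium"], 1 - m["topology"]["high"]), "moderate"),
    (lambda m: m["severity"]["low"], "not_critical"),
]

def fuzzify(crisp):
    """Membership of each crisp input in each input fuzzy set."""
    return {name: {s: tri(x, *abc) for s, abc in IN_SETS.items()}
            for name, x in crisp.items()}

def evaluate(severity, occurrence, detectability, topology, steps=900):
    """Return (extended criticality number, level) for one item."""
    m = fuzzify({"severity": severity, "occurrence": occurrence,
                 "detectability": detectability, "topology": topology})
    fired = [(rule(m), out) for rule, out in RULES]   # rule strengths
    num = den = 0.0
    for i in range(steps + 1):
        x = 9 * i / steps
        # Clip each consequent at its rule strength, aggregate with max.
        mu = max(min(strength, tri(x, *OUT_SETS[out])) for strength, out in fired)
        num += x * mu
        den += mu
    if den == 0:
        raise ValueError("no rule fired for these inputs")
    value = num / den                                 # centre of gravity
    level = max(OUT_SETS, key=lambda s: tri(value, *OUT_SETS[s]))
    return value, level

if __name__ == "__main__":
    print(evaluate(10, 10, 0, 10))   # severe, frequent, hard to detect
    print(evaluate(10, 0, 10, 5))    # severe, but rare and easy to detect
    print(evaluate(0, 5, 5, 5))      # low severity
```

With these assumed sets, the same high-severity item drops from the safety-critical region to the critical region when its occurrence is low and its detectability is high.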

Resulting extended criticality
The fuzzy inference process results in an extended criticality number for any given item of the evaluated system. This number corresponds to an extended criticality level (see the following table).

SAFETY-CRITICAL
An item/subsystem directly influences MF implementation and threatens MSO execution. It is indispensable for continued controlled safe flight and landing.

CRITICAL
An item/subsystem influences MF implementation. However, it is not directly critical to the MSO. A low occurrence level and high failure detectability reduce the extended criticality number.

MODERATE
An item/subsystem does not influence MF implementation nor MSO execution. It partially influences AF implementation.

NOT CRITICAL
An item/subsystem does not influence AF or MF implementation nor MSO execution.

System robustness evaluation
The integrated method has to implement the definition of expert system parameters into the process of system evaluation. Every particular system has its own characteristics. System items should be separated to avoid common cause failure. In the case of an essential system (related to a high-level function), the required redundancy has to be ensured.
Item maturity, design process, complexity and previous experience with its usage in similar conditions have to be taken into consideration. This ensures that items meet the environmental and software technical conditions necessary for aviation application. Environmental requirements ensure that an item is not vulnerable to changing temperature, humidity, altitude, inflicted vibration, voltage spikes and many more. For the integrated method development, the IEC 61508 [5] questionnaire is significantly modified for airborne system application. Each system parameter category (Separation/Segregation, Diversity, Redundancy, etc.) is adjusted for the basic types of system: mechanically based, electrically based, electronically based, hydraulic. Evaluation of the questionnaire answers is newly designed for aviation application. Answer evaluation uses fuzzy logic to express expert knowledge (using four fuzzy sets: No, Rather no, Rather yes and Yes). The output of the system parameter evaluation is a robustness number for each particular category. These numbers express the property of the system being strong and resistant in constitution.
Evaluation of robustness numbers follows the same process as fuzzy criticality evaluation. However, the input membership functions, fuzzy inference rules and output membership functions are adjusted for the purpose of robustness evaluation.

FUZZY ROBUSTNESS EVALUATION CLASSES (Category: Class evaluates)

Separation/Segregation
Functional/physical separation/segregation of a particular system. Logic parts and interconnection. Establishes environmental protection of essential parts. It also covers ambient influences and collateral system effects.

Diversity/Redundancy
Diversity of technology employment, different physical principle employment, protection against common cause failures.

Complexity/Maturity
Complexity and maturity, experience with hardware usage in similar environment.

Procedures/Maintenance
Maintenance type, time intervals between inspections, etc.

Environmental influences
Ambient effects of environment (temperature, altitude-pressure variation, vibrations, etc.)

The following figure shows the potential of the graph theory based model. The system model can be filtered in order to highlight an important item or interconnection. The engine indication system is a typical example of how system functionality can be related to a main item (controlling item). In this case, the data acquisition unit collects engine parameters in order to provide indication. The size of a node in the figure corresponds to the item's local importance based on subgraph centrality.

Figure 2: Function based modelling example

The example in Figure 2 describes the fundamental difference between the physical interconnection given by a drawing or scheme and the function-oriented model. Item u represents the engine. Items w and x represent two channels of electric supply from airborne batteries or cross-feed (alternate generator). Item v represents the changeover switch (the flight crew selects one way or the other to start the engine based on a given scenario). Physically, items w, v and x are not connected. However, their functions are inherently connected. In the integrated method, function-based modelling is based on so-called function propagation. Item functions are interconnected into a chain in order to provide a function.

Figure 3: Case study R MAIN bus predecessor example

Figure 5: Case study electrical system

Figure 6: Case study engine indication system (node sizes correspond to subgraph centrality)

Table 4: Robustness evaluation classes

CASE STUDY

Definition
The Institute of Aerospace Engineering VUT 486-DX4 was chosen as the primary case study. It is a testing platform used for maintenance, safety and reliability analysis and for the development of advanced airborne diagnostic methods. It was developed at the BUT Institute of Aerospace Engineering. The testing platform is used in several doctoral theses to demonstrate the effectiveness of particular system engineering techniques. It consists of 39 nodes and 40 edges. There are 11 multi-edge pairs (which indicates complex interaction). Main items of integrated avionics units (GTN 1/2).
 Elevator trim system (TRIM): It consists of 13 nodes and 14 edges. It is designed as an electromechanical system. The sources of trim movement are actuators connected to the trim by mechanical levers.
 Engine indication system (ENGIND): It consists of 26 nodes and 28 edges. It is designed to collect measured engine parameters in order to indicate its status and provide cautions and warnings.
 Pitot-static system (PTST): It consists of 6 nodes and 8 edges. The system is designed to provide static and stagnation pressure to the avionics system.

Table 5: Global model evaluation
The table provides just a short version of these importance lists. The analyst can evaluate the system only on the local level or on a global level (interconnection between several systems). The extended criticality list identifies the most critical items based on their probability of occurrence, likelihood of failure detection, severity of their allocated functions and item topology parameter.