Prof. Dr.-Ing. Axel Hahn
System engineering shows that models are suitable to support the engineering process as well they provide a valuable basis for validation and verification of the system under development e.g. for safety assessment.
This can be done formally by analysing the model of the system and informally by using simulation tools. That requires that the models are sufficiently formal and executable. In addition the test environment has to be defined (modelled) as well. Therefore we split the simulation environment HAGGIS in a modelling and formal analysis toolset and a co-simulation environment.
Modelling and Formal Analysis
The general approach for modelling and formal analysis is shown in Figure 1.
For the safety analysis of new eNavigation Systems (e.g. like a new Integrated Navigation System on for bridges) a ground research is done by analysis guidelines, accidents reports, nautical manoeuvres etc. we use a Generic Hazard List to identify potential harming issues to the system. Process models are used to describe the activities (e.g. operations) and they are enriched by by defining information availability and requirements and generic hazards. B bridge system can be analysed whether it allows the required situation awareness of the crew, which are potential risks by using formal model checking technology and how big are they by using automatically generated fault trees.
The analysis results in quantitative or qualitative risks / safety assessments.
To support this assessments a number of tools are available: MOPhisTO – Maritime Operation Planning TOol, ASA - Analysis of Situation Awareness on Ship Bridges and FTA – Fault Tree Analysis. This toolset is accompanied by EMOD – Environment MODelling tool for defining the system environment for analysis by simulations.
- EMOD – Environment MODelling: EMOD is a generic modelling tools to describe the environment of the system especially for the simulation.
- MOPhisTO – Maritime Operation Planning TOol: MOPhisTo enables maritime domain experts to graphically model processes of the operations defined for their field of expertise. The process models are enriched by linking them to required information supply and demand as well as hazards from the generic hazard list. These information are used for information gap and automatic risk analysis (see 3.1.3 and 3.1.4). Additional benefit for the models is the option to use them for training and documentation purposes. MOPhisTo can make references to the data modelled with EMOD. MOPhisTo supports the description of normative behaviour for maritime personnel (e.g. individual tasks of an officer) and maritime machinery (e.g. behaviour of an adaptive display).
- ASA - Analysis of Situation Awareness on Ship Bridges: The formal description of normative processes with mentioned annotation of information elements is used for an analysis of situation awareness by verification of the accessibility of information elements. Normalized metrics enable for comparison between systems.
- FTA – Fault Tree Analysis: MOPhisTO is used for formal description of normative processes and the annotation of hazards and failures. The FTA tool performs an automatic fault tree construction by using the modelled hazards and failures. Resulting fault trees are the basis for a formal quantitative and qualitative risk assessment. The tool enables a graphical presentation of generated fault trees to the user as well as manual construction of fault trees. Additionally, they are used for automatic generation of textual risk assessment results e.g. to construct HSE plans. Since identification of hazards and failures is important in early project phases, the tool supports users by suggesting hazards and failures modelled in the past. Therefore, it comes with a formal approach to learn data from performed analyses for later reusability of modelled hazard/failure combinations.
The definied process models and the environment models are used an simulation Envrionment as shown in Figure 2.
The Generic Hazard List and the process models are used to define the normative behavior and provide a basis for to identify critical situations during simulation. For human behavior a cognitive simulation is used. The general architecture of the co-simulation is shown in Figure 4. Input are normative behavior and environment models. A maritime traffic simulator and a n-body simulator provide the required environment of the the e-Navigation experiments. Agents are brought to live by MASCAS in case they perform as specified and CASCAS is a cognitive simulation that implements the real human behavior by performing designated tasks. Implementation done by using HLA with data specification in OMT files and Wrapper for fast simulator integration. All data exchanged by the simulators is defined by semantic model. A simulation control tool runs simulations automatically and support the detection and provocation of rare events in combination with observer components for the simulation states. Latter are automatically generated.
- Maritime Traffic Simulator: The MTS is a flexible usable traffic simulation for implementing, executing and observing the behaviour of multiple vessels in a realistic context. It simulates maritime traffic and provides all necessary data about the traffic situation and staticial analysis.
- N-Body Simulator: The N-Body Simulator simulates the physics of a system and includes a simulation of sensoric elements as well. I allows checking for constraints like man under the cargo, man overboard, displacement of cargo and the field of view of agents. Errors can be triggered in sensors, actuators and environmental factors.
- MASCAS: MASCAS is a agent simulation reads the process modes defined by using MOPhisTO and controls avatars in the N-Body Simulator or Maritime Traffic Simulator.
- CASCAS: CASCAS is a cognitive simulator that implements natural human behavior in an empirical model. CASCAS covers effects like fatique etc..
- Simulation Control: The simulation control uses observers to evaluate the system state and the logical or physical distance to error / hazardous situations. It identifies minima in this distances and guides the simulation in the direction of critical situations to find rare events and to reduce the required number of simulation runs.