Altarica Model of the FAZER
The safety analyses of the FAZER are based on a multi-layer model encoding the failure propagation in Altarica. The conceptual description of this modelling process can be found in Bieber, P., Delmas, K., Pizziol, S., Prosvirnova, T., Seguin, C.: A generic approach for safety assessment of medium-risk drones. Engineering Proceedings 90(1) (2025).
The actual implementation of these concepts on the FAZER use case is currently submitted to the IMBSA 2025 conference. The model has been developed using the Cecilia-Workshop tool and is available here.
This model can be opened and inspected with the Cecilia-Reader, which can be freely downloaded here. In this tool the user can run simulations to validate the specified failure propagation model. For instance, Figure 1 illustrates the impact of a telemetry failure (due to a failure of the embedded transceivers). The effects on the functional architecture and the final outcome with respect to the safety strategy are automatically inferred from the model. In our case this loss leads to landing as soon as practicable, that is, in a pre-defined controlled landing area.
Probable Failure Qualitative Assessment (PFQA)
The SORA may require a Probable Failure Qualitative Assessment (PFQA). An acceptable approach to fulfill this requirement involves conducting an enriched Failure Mode, Effect and Criticality Analysis (FMECA) on the UAV’s physical architecture. Specifically, for each probable failure mode of the physical architecture’s components that is likely to occur at least once in the UAV’s lifetime, the applicant must provide:
- the means of detecting the effects of the failure mode, whether direct or indirect, if such detection exists;
- the recovery actions in place to mitigate the effects of the failure mode, if applicable;
- the high level failure condition that the resulting situation contributes to;
- the criticality of this failure condition.
To streamline the creation of the PFQA table, we use the FMECA generation tool provided by Cecilia-Workshop. This tool takes as input a set of failure events to trigger and a set of observation points (i.e. variables of the model). For each failure event, the tool computes the values of the observation points and stores the results in an XML file. To facilitate analysis, we created a processing tool that converts the XML file generated by Cecilia-Workshop into a CSV table. This translation uses supplementary information, including the names of the Altarica variables associated with each category (e.g. detection, recovery).
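The XML-to-CSV step described above, as an added illustration that is not the project's own processing tool: the XML schema, the variable names and the category mapping are all constructed assumptions (Cecilia-Workshop's real output format is not reproduced here), but the resulting table has the four PFQA columns listed above, with "n/a" where no detection or recovery applies.

```python
import csv
import io
import xml.etree.ElementTree as ET

# Assumed mapping from observation-point variable names to PFQA columns.
# The real names come from the FAZER Altarica model; these are placeholders.
CATEGORIES = {
    "Telemetry.detected": "detection",
    "Autopilot.recovery_mode": "recovery",
    "Mission.failure_condition": "failure_condition",
    "Mission.criticality": "criticality",
}

# Constructed sample in an assumed schema, not Cecilia-Workshop's actual output.
SAMPLE_XML = """<fmeca>
  <failure event="Transceiver.loss">
    <observation var="Telemetry.detected" value="true"/>
    <observation var="Autopilot.recovery_mode" value="land_asap"/>
    <observation var="Mission.failure_condition" value="loss_of_telemetry"/>
    <observation var="Mission.criticality" value="minor"/>
  </failure>
  <failure event="GPS.erroneous">
    <observation var="Telemetry.detected" value="false"/>
    <observation var="Mission.failure_condition" value="loss_of_navigation"/>
    <observation var="Mission.criticality" value="hazardous"/>
  </failure>
</fmeca>"""

COLUMNS = ["failure_event", "detection", "recovery", "failure_condition", "criticality"]


def xml_to_rows(xml_text, categories=CATEGORIES):
    """Return one PFQA row (dict) per failure event; an absent observation is 'n/a'."""
    root = ET.fromstring(xml_text)
    rows = []
    for failure in root.findall("failure"):
        row = {col: "n/a" for col in COLUMNS}
        row["failure_event"] = failure.get("event")
        for obs in failure.findall("observation"):
            category = categories.get(obs.get("var"))
            if category is None:
                continue  # observation point not mapped to a PFQA column: skipped
            row[category] = obs.get("value")
        rows.append(row)
    return rows


def rows_to_csv(rows):
    """Serialise the rows as a CSV table with a fixed PFQA header."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(rows_to_csv(xml_to_rows(SAMPLE_XML)))
```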
The processing tool and the analyses of the FAZER performed with Cecilia are available directly as a dedicated test in the Dalculator tool on its public GitHub. The MBSA model of the FAZER from which the FMEA are generated is available here.