涌现性视角下机载系统人机交互安全性分析

doi:10.16265/j.cnki.issn1003-3033.2022.11.1890

摘要/Abstract

摘要：

为解决航电系统新技术应用带来的人机交互行为风险难以被现有安全性评估方法覆盖的问题,梳理航电系统人机交互适航要求,基于涌现性视角构建机载系统层次化涌现模型,引入系统理论过程分析(STPA)方法,识别与分析不安全控制行为(UCA),形成人机交互风险安全性分析流程,以进近过程中机载平视显示系统的人机交互行为为案例,完成人机交互任务分解。结果表明:基于涌现性视角,通过构建安全控制结构可以有效地识别机载系统人机交互风险,针对各风险致因因素提出缓解措施可以在系统设计阶段有效降低风险影响。

关键词: 涌现性, 机载系统, 人机交互, 系统理论过程分析(STPA), 风险识别

Abstract:

In order to solve the problem that the risk of human-computer interaction behavior caused by the application of new technologies in avionics systems is difficult to be covered by existing safety assessment methods. The airworthiness requirements for human-computer interaction of avionics systems were sorted out. The hierarchical emergent model of airborne systems was constructed based on the emergence perspective. The STPA method was introduced to the identify and analyze the unsafe control action(UCA), and the human-computer interaction risk safety analysis process was formed. Taking the human-computer interaction behavior of airborne flat screen display system in the approaching process as an example, the human-computer interaction task decomposition is completed. The results show that based on the emergence perspective, the human-computer interaction risk of airborne systems can be effectively identified by constructing the security control structure, and the mitigation measures against various risk-causing factors can effectively reduce the risk impact in the system design stage.

Key words: emergence, airborne systems, human-computer interaction, system-theoretic process analysis(STPA), risk identification

赵长啸, 李浩, 张伟, 董磊. 涌现性视角下机载系统人机交互安全性分析[J]. 中国安全科学学报, 2022, 32(11): 113-120.

ZHAO Changxiao, LI Hao, ZHANG Wei, DONG Lei. Human-computer interaction safety analysis of airborne system from perspective of emergence[J]. China Safety Science Journal, 2022, 32(11): 113-120.

图/表 10

图1

图2

图3

图4

表1

图5

表2

表3

表4

表5

参考文献 31

[1]	马锐, 李敬, 袁修干, 等. 中国民航1980—2009年间运输飞行事故人的失误分析[J]. 航天医学与医学工程, 2011, 24(2):111-115.
	MA Rui, LI Jing, YUAN Xiugan, et al. Analysis of human error induced airline accidents in CAAC during 1980—2009[J]. Space Medicine & Medical Engineering, 2011, 24 (2):111-115.
[2]	中国民用航空局. 飞机平视显示器(HUD)发展应用路线图[R], 2012.
[3]	WATKINS C B, NILSON C, TAYLOR S, et al. Development of touchscreen displays for the gulfstream g500 and g600 symmetry^TM flight deck[C]. IEEE/AIAA 37^th Digital Avionics Systems Conference (DASC), 2018:1-10.
[4]	MENZENSKI J. Enhancing cognitive assistants with low-cost computer vision[C]. IEEE/AIAA 37^th Digital Avionics Systems Conference (DASC), 2018:1-5.
[5]	董磊, 刘嘉琛, 赵长啸, 等. 显示触控系统人为因素适航符合性验证技术[J]. 中国安全科学学报, 2021, 31(2):63-68. doi: 10.16265/j.cnki.issn 1003-3033.2021.02.009
	DONG Lei, LIU Jiachen, ZHAO Changxiao, et al. Airworthiness compliance verification technology of human factors in touch display system[J]. China Safety Science Journal, 2021, 31(2):63-68. doi: 10.16265/j.cnki.issn 1003-3033.2021.02.009
[6]	REBENSKY S, CARROLL M, BENNETT W, et al. Impact of heads-up displays on small unmanned aircraft system operator situation awareness and performance:a simulated study[J]. Journal of Navigation, 2021, 75(6):1305-1335.
[7]	LIM Y X, GARDI A, SABATINI R, et al. Avionics human-machine interfaces and interactions for manned and unmanned aircraft[J]. Progress in Aerospace Sciences, 2018, 102(11):1-46. doi: 10.1016/j.paerosci.2018.05.002
[8]	NAOR M, ALER N, PINTO G D, et al. Psychological safety in aviation new product development teams:case study of 737 MAX airplane[J]. Sustainability, 2020, 12(21):8994-9009. doi: 10.3390/su12218994
[9]	FAA. AC 00-74, Avionics human factors considerations for design and evaluation[S]. 2019.
[10]	RTCA DO-372, Addressing human factors/pilot interface issues for avionics[S]. 2017.
[11]	SAE ARP4761-1996,Guidelines and methods for conducting the safety assessment process on civil airborne systems and equipment[S].
[12]	MIL-STD-882E, System safety[S]. 2012.
[13]	崔利杰, 田宇, 丛继平, 等. STPA与ARP4761中的安全性分析方法对比研究[J]. 航空工程进展, 2020, 11(4):508-516.
	CUI Lijie, TIAN Yu, CONG Jiping, et al. A comparative study on the safety analysis methods of STPA and ARP4761[J]. Advances in Aeronautical Science and Engineering, 2020, 11(4):508-516.
[14]	吴超. 安全复杂学的学科基础理论研究:为安全科学新高地奠基[J]. 中国安全科学学报, 2021, 31(5):7-17. doi: 10.16265/j.cnki.issn1003-3033.2021.05.002
	WU Chao. Research on basic theory of safety complexity science:laying a foundation for new highland of safety science[J]. China Safety Science Journal, 2021, 31(5):7-17. doi: 10.16265/j.cnki.issn1003-3033.2021.05.002
[15]	廖秀萍, 吴超, 王秉. 安全系统涌现性模型构建及核心问题研究[J]. 中国安全科学学报, 2021, 31(2):1-8. doi: 10.16265/j.cnki.issn 1003-3033.2021.02.001
	LIAO Xiuping, WU Chao, WANG Bing. Research on modelling of safety system emergence and its key issues[J]. China Safety Science Journal, 2021, 31(2):1-8. doi: 10.16265/j.cnki.issn 1003-3033.2021.02.001
[16]	屈强, 何新华, 刘中晅. 系统涌现的要素和动力学机制[J]. 系统科学学报, 2017, 25(3):25-29.
	QU Qiang, HE Xinhua, LIU Zhongxuan. Essential factors and dynamic mechanisms of the system emergence[J]. Chinese Journal of Systems Science, 2017, 25(3):25-29.
[17]	LEVESON N. Engineering a safer world:systems thinking applied to safety[M]. Cambridge: MIT Press, 2011:211-249.
[18]	RODRÍGUEZ M, DÍAZ I. A systematic and integral hazards analysis technique applied to the process industry[J]. Journal of Loss Prevention in the Process Industries, 2016, 43:721-729. doi: 10.1016/j.jlp.2016.06.016
[19]	LEE S H, SHIN S M, HWANG J S, et al. Operational vulnerability identification procedure for nuclear facilities using STAMP/STPA[J]. IEEE Access, 2020, 8:166034-166 046.
[20]	ZHANG Shijie, TANG Tao, LIU Jintao. A hazard analysis approach for the SOTIF in intelligent railway driving assistance systems using STPA and complex network[J]. Applied Sciences, 2021, 11(16):7714-7737. doi: 10.3390/app11167714
[21]	HU Jianbo, ZHENG Lei, XU Shukui. Safety analysis of wheel brake system based on STAMP/STPA and Monte Carlo simulation[J]. Journal of Systems Engineering and Electronics, 2018, 29(6):1327-1339. doi: 10.21629/JSEE.2018.06.20
[22]	ZHAO Chaoxiao, DONG Lei, LI Hao, et al. Safety assessment of the reconfigurable integrated modular avionics based on STPA[J]. International Journal of Aerospace Engineering, 2021, 2021(1):1-14.
[23]	王洁宁, 李保燊, 冀姗姗. 基于STPA和模糊BN的AIDC移交人误研究[J]. 中国安全科学学报, 2019, 29(9):27-35. doi: 10.16265/j.cnki.issn1003-3033.2019.09.005
	WANG Jiening, LI Baoshen, JI Shanshan. Study on human error in AIDC transfer based on STPA and fuzzy BN[J]. China Safety Science Journal, 2019, 29(9):27-35. doi: 10.16265/j.cnki.issn1003-3033.2019.09.005
[24]	CCAR25-R4—2011,运输类飞机适航标准[S].
	CCAR25-R4-2011,Airworthiness standards for transport category airplanes[S].
[25]	YEH M, SWIDER C, JO Y J, et al. Human factors considerations in the design and evaluation of flight deck displays and controls[R]. Department of Transportation Federal Aviation Administration, 2016.
[26]	佟瑞鹏, 赵辉, 张娜, 等. 矿工不安全行为涌现性建模研究[J]. 矿业科学学报, 2020, 5(3):311-319.
	TONG Ruipeng, ZHAO Hui, ZHANG Na, et al. Research on emergency modeling of unsafe behavior of coal miners[J]. Journal of Minning Science and Technology, 2020, 5(3):311-319.
[27]	HOLLNAGEL E. Cognitive reliability and error analysis method (CREAM)[M]. Oxford: Elsevier Science Ltd, 1998:166-170.
[28]	吴俊杰. 航空气象[M]. 大连: 大连海事大学出版社, 2017:31-212.
[29]	ALLISON C K, REVELL K M, SEARS R, et al. Systems theoretic accident model and process (STAMP) safety modelling applied to an aircraft rapid decompression event[J]. Safety Science, 2017, 98:159-166. doi: 10.1016/j.ssci.2017.06.011
[30]	SHIN S M, LEE S H, SHIN S K, et al. STPA-based hazard and importance analysis on NPP safety I&C system focusing on human-system[J]. Reliability Engineering & System Safety, 2021,213:DOI:10.1016/j.ress.2021.107698. doi: 10.1016/j.ress.2021.107698
[31]	王鹏, 李浩, 赵长啸, 等. 基于STPA的机载平视显示系统安全性分析[J]. 电讯技术, 2019, 59(12):1469-1476.
	WANG Peng, LI Hao, ZHAO Changxiao, et al. Safety analysis of head-up display system based on STPA[J]. Telecommunication Engineering, 2019, 59(12):1469-1476.

类型	未提供控制行为	提供控制行为	控制行为过早或过晚	控制行为作用时间错误
UCA描述	(UCA-1)进近过程中,飞行员未操作HCP或不完整,HCP功能正常,导致系统不正常运行; (UCA-2)进近过程中,飞行员未操作HCP或不完整,HCP功能不正常,导致系统不正常运行	(UCA-3)进近过程中,飞行员正确操作HCP,HCP功能正常,导致系统不正常运行; (UCA-4)进近过程中,飞行员正确操作HCP,HCP功能不正常,导致系统不正常运行; (UCA-5)进近过程中,飞行员错误操作HCP,HCP功能正常,导致系统不正常运行; (UCA-6)进近过程中,飞行员错误操作HCP,HCP功能不正常,导致系统不正常运行	(UCA-7)进近过程中,飞行员过晚操作HCP,HCP功能正常,导致系统不正常运行; (UCA-8)进近过程中,飞行员过晚操作HCP,HCP功能不正常,导致系统不正常运行; (UCA-9)进近过程中,飞行员过早操作HCP,HCP功能正常,导致系统不正常运行; (UCA-10)进近过程中,飞行员过早操作HCP,HCP功能不正常,导致系统不正常运行	N/A
可能导致的危险	H1-1,H2-1,H3-1	H1-1,H2-1,H3-1	H1-1,H2-1,H3-1	N/A
可能导致的事故	A-4	A-1,A-2, A-3,A-4	A-1,A-2, A-3,A-4	N/A

UCA 编号	UCA发生的的一阶/二阶涌现因素
UCA 编号	R-规章要求	M-航空公司管理能力	P-人员能力	S-飞行运行状态能力	E-环境感知能力
UCA-1	—	—	P-1:观察能力 P-4:执行能力	—	—
UCA-4	—	M-1:运行管理 M-2:维修管理 M-3:人员管理	—	S-1:功能完整性 S-2:系统可用性 S-3:设备维修保证 S-4:操作可达性	—
UCA-5	—	—	P-1:观察能力 P-2:解释能力 P-4:执行能力	—	E-1:基本气象因素探测感知能力 E-2:航空危险天气探测感知能力

UCA 编号	UCA描述	致因原因	致因因素减缓措施(考虑E环境感知能力)
UCA 编号	UCA描述	致因原因	I类进近	II类进近	III类进近	IV类进近	V类进近
UCA-1	进近过程中飞行员未操作HCP或不完整,HCP功能正常	①未输入跑道长度/标高/下滑角且未进行校准(P1,P4); ②未进行校准以及未选择显示模式(P1,P4)	可以在HCP上添加未操作步骤提醒功能,通知飞行员,来防止飞行员的疏漏			在HCP上添加自动校准功能	添加自动选择功能
UCA-4	进近过程中,飞行员正确操作HCP,HCP功能不正常	①控制模块功能错误(S1、S3、S4);②处理模块功能错误以及显示功能错误(S1、S4); ③显示模块和反馈模块同时失效(S2、S3、S4)	提高模块可靠性	提高模块可靠性	在提高模块可靠性的同时,可以改变判断规则
UCA-5	进近过程中,飞行员错误操作HCP,HCP功能正常	①输入错误的跑道长度/标高/下滑角(P1,P4); ②错误判断决策以及选择错误的显示模式(P1,P4); ③判断延迟也会间接导致UCA-5的发生(P2)	在HCP添加数据检测与提醒功能				提醒飞行员在规定时间内作出决策