Mr. Peter Hermle today works as an independent engineer and aerospace consultant.
From May 2016 until March 2017 he was the CEO of Dornier Seawings, a Chinese-German joint venture (JV) located at Oberpfaffenhofen Airfield which designs and produces the 12-seater twin-engine Dornier Seastar CD2 amphibious aircraft.
Previous positions include SILVER ATENA, a supplier for safety-critical systems and engineering services, TechSAT, a company focusing on avionics test systems, and Engenuity Technologies Inc. (today Presagis Inc.), a software tool company for avionics development.
Mr. Hermle graduated in aeronautical engineering from Technical University of Munich in 1995 where he did research on synthetic vision and pilot interaction using touchscreens. He also holds a commercial pilot’s license for aircraft and helicopters.
A Development Guardrail from Regulatory and Customer Requirements to Certified Safety-Critical Embedded Systems
Development projects for safety-critical embedded systems in the aerospace, automotive and industrial domains are governed by many norms, standards and regulations. Together these form the regulatory requirements that, in addition to the customer requirements, have to be considered in order to create a certified product. A smooth integration between pre-defined development processes and the actual projects providing the customer requirements (product specification) can establish a guardrail that speeds up development towards certification.
A model-based approach using UML and SysML to pre-define the development processes according to the regulatory requirements in “Enterprise Architect” from Sparx Systems is presented that facilitates traceability from the regulatory and customer requirements to the very concrete process activities that have to be completed during development. This approach was customized by CUONICS GmbH in order to establish an avionics development process satisfying the regulatory requirements for system, hardware and software up to ‘DAL A’. Templates defining the basic structure of the necessary avionics life cycle documents are also provided.
The process model can be customized to satisfy regulatory requirements of different domains and also extended to include new requirements e.g. from security standards that are absolutely vital for highly networked applications like IoT.
Dr. rer. nat. John De Roche has over 14 years industrial experience. He is a leading expert in the application of functional safety within the automotive and industrial sectors and an expert in the development and industrialisation of state-of-the-art electric power-trains as well as advanced energy storage systems.
A case study - Legal Implications of High Voltage Battery - Safety within the Automotive Industry
In response to intense socio-political pressure, in the next few years all automotive manufacturers must rapidly transition to the mass production of high voltage battery systems for electric and hybrid vehicles.
This transition will bring many legal as well as technical risks. The timely introduction in 2011 of the E/E functional safety standard ISO 26262 has helped to reduce the technical risks associated with safety-critical electric / electronic systems. However, the standard does not tackle risks in other areas such as workplace safety, product liability, and OEM-to-supplier risk management.
This talk intends, in the form of a case study, to discuss the possible product liabilities associated with high voltage battery systems within the context of the automotive industry. Similar principles could then be applied to other safety-critical electric / electronic systems.
After his studies in computer science at the University of Kaiserslautern (Germany), Mr. Rüdiger Lunde worked for 8 years as a software developer at R.O.S.E-Informatik GmbH in Heidenheim. In 2006, he obtained his Ph.D. in natural sciences at the University of Hamburg. Since 2006, he has been a professor of software engineering and databases at the Ulm University of Applied Sciences.
SmartIflow – A new Approach to Model-Based Safety Analysis
When designing models for safety analysis in the early stages of product development, “less is more” is often true. But what is essential to cover the relevant safety-related effects? A combination of qualitative abstraction with some kind of order-of-magnitude reasoning promises a workable solution. In this talk, our experience with the design of the new modeling language smartIflow will be discussed. smartIflow combines concepts from existing approaches with new features (e.g. an abstract mechanism for message exchange) and is especially targeted at the safety analysis of products in early development stages. An implementation exists which can check safety requirements formulated in CTL by means of model checking. The applicability of the approach has been tested in case studies, including an innovative radio-controlled railroad crossing. Practical results of these case studies will be presented and discussed.
Mr. Fons-Stankiewicz has over 25 years of cross-industry professional experience in Aerospace, Automotive, Railway, IT/Data Center, Network and Telecommunication with a focus on systems engineering, safety and reliability as well as on project management. Since 2012 he has worked as a freelance safety manager and RAMS consultant in various international rail projects.
Borderless safety in the borderless railway network - a method or a miracle?
Travelling by rail across Europe, passengers have no reason to doubt that they are using one of the safest means of transportation. Apart from the occasional delay, their journeys are smooth and seamless, even while crossing several country borders. However, are these properties inherent to the railway? Certainly not. A set of standards, rules and regulations is available and manufacturers, railway undertakings and infrastructure operators have agreed to follow it. The work to create these rules and standards had to consider the different, sometimes incompatible or contradictory approaches that each participating country developed over the years, and combine them with new requirements arising from technological progress and today’s expectations of various stakeholder groups. This presentation gives an overview of this increasingly successful but still unfinished work.
Mr. Jürg Suter is a Doctor of Engineering and has over 25 years of professional experience in public transport. He worked for 10 years as a station manager at Regionalverkehr Mittelland AG and for 1 year as a project manager at the same company. From 2007 until 2013, he was a scientific collaborator and Deputy Section Head at the Federal Office of Transport (FOT). Since 2016, Mr. Suter has worked as Department Leader at Bär Bahnversicherung. Furthermore, he has led many projects in public transport and in quality and safety management systems.
The importance of human factors in increasingly automated railway systems
The lecture is about the interfaces between humans and railway systems, in particular the effects of human factors in areas which have not been automated yet, such as train driving. The automation of trains is regarded as the next step in railway automation. First tests of autonomous train operations are currently being prepared in Switzerland. Whilst the technical level seems sufficient to operate trains on non-dependent railways from a sensory and telecommunications point of view, some tasks of the locomotive drivers, in particular failure case management, still have to be performed by human operators remotely. A deep understanding of typical human behavior patterns and their effects is therefore necessary. The aim of these studies is to demonstrate that the investigation of human factors within the railway system complies with the requirements of current safety standards and rules. In particular, the EU regulation on common safety methods for risk assessment (EU 402/2013), which specifies the relevant interfaces between humans and machines and the resulting technical system requirements, and the norm specifying reliability, availability, maintainability and safety of railway applications (EN 50126:1999) have to be taken into account when doing RAMS investigations that include human factors. Human factors in railway system operation often cannot be completely assessed by quantitative methods alone. The interactions in such complex systems are too diverse and can therefore only be sufficiently understood and optimized by simulation and the application of statistical methods. The DESM association is performing case studies to analyze failure scenarios, applying amongst others the model of “situational awareness”. The results will help to define risk-minimizing measures for the development of technical safety components and operational processes.
Mr. Dominik Waeckerlin has over 20 years of airline work experience. He began as a technical pilot for 9 years. He then gained broad experience as Quality & Safety Manager in Business Aviation. At the moment, he works as Safety & Compliance Manager at Jet Aviation and is also the company’s Associate Director Standards.
SAFETY MANAGEMENT SYSTEMS IN AVIATION
IMPLEMENTATION OF PERFORMANCE BASED SAFETY MANAGEMENT – BASIC PRINCIPLES AND FIRST EXPERIENCES
Safety and Compliance Management in Aviation is confronted with an ever increasing level of documented compliance and measured safety performance. This development leads to overregulation and protection without taking human factors into account. Adding performance-based principles makes it possible to simplify and specify performance indicators that mitigate overregulation. Today the industry is in an initial learning phase and has started to apply performance-based safety and compliance management. This presentation gives an insight into the principles applied and the first experiences with them.
From 2004 until 2010 Mr. Kränzle was responsible for software engineering in various projects. Since 2011, Mr. Kränzle has worked as a Safety Expert at TÜV NORD Systems (Germany). His areas of expertise include in particular assessment and certification projects in electronics and software, software quality, engineering, and management and training on safety standards.
Fail Safe - Fail Operational - Fault Tolerance - ISO 26262: Fail Operational E/E System Concepts for Future Application in ADAS and Autonomous Driving
A methodology is presented for the design of safety-critical systems as well as their evaluation in the context of ISO 26262. This paper describes the effect of fail operational requirements on the E/E system design and how these system design patterns can be evaluated with regard to the architectural metrics (SPFM, LFM) and the system failure rate in the context of ISO 26262. Further discussion will cover the interference between safety requirements and fail operational requirements in the HW-SW architecture. These aspects will also be considered in the context of assessment and compliance with the standard.
Mr. Christian Arbinger has a Dipl.-Ing. in Aerospace Engineering from the Technical University of Munich and has over 20 years of professional experience in this area. From 2006 until 2015, he was the DLR Galileo Project Manager at the Galileo Control Center (Germany). Since 2008, he has worked at DLR GfR mbH as Company Authorized Officer and he is now Head of Navigation Services at this company. Mr. Arbinger is also a lecturer for Space Systems Engineering at the University of Applied Sciences in Aachen and a lecturer for Spaceflight Operations at the University of Applied Sciences in Augsburg.
The Roadmap towards a European Space Traffic Control: Challenges and Solutions
There are high expectations for a globally growing market of commercial space travel which is likely to turn into a multi-billion Euro business in the next 10 to 20 years. Advances in electric propulsion and spacecraft design have helped to significantly reduce launch costs, so that space exploitation becomes affordable for the first time to the private sector as well. Several key players in the space business are getting ready to serve the commercial manned and unmanned spaceflight market by developing their own ballistic reusable space vehicles which are to carry humans and cargo payload into suborbital and LEO space. Single-stage-to-orbit concepts even target commercial manned point-to-point mass transportation, similar to today’s travel through airspace but with much shorter flight times. All these developments will likely stimulate demand for launch sites and spaceports, where commercial aviation and space vehicles will have to be safely managed and controlled in parallel while granting easy access to potential customers. Without doubt, space and airspace will move closer together in the next decade, which is why Space Traffic Management is expected to become a global undertaking. Within this presentation, DLR GfR indicates the challenges to be mastered and addresses solutions for safe air and space travel, focusing on the aspect of Space Traffic Control.
Ulrich Hachmann is a mechanical engineer with a doctorate and almost 30 years of industry experience. After his work at MAN and its successor companies (AEG, Adtranz) from 1989 to 2000, he held the position of CEO of LogoMotive GmbH from 2000 to 2014, where he has been working as CTO (Chief Technical Officer) since 2014.
Evaluation of Safety of Railway Vehicles with CSM
The safety of railway vehicles is assessed today using the common safety method (CSM). The three basic pillars of the CSM are explained. Explicit risk estimation will be shown using the FMECA. This includes the structuring (definition of subsystems) of the considered system, the definition of the functions of the subsystems, an analysis of potential errors (causes, types and consequences), a risk assessment and proposals for prioritized risks (high risk priorities), prevention and detection measures, as well as a residual risk assessment. The application of FMECA is based on a formally specified process. However, it is important to note that there are different approaches and assessments which can be applied under the relevant standards (for example EN 50126ff and IEC 61508), in particular for the assessment of the causes of faults, the types of faults, the sequence of faults and their risk assessment. Since the actual residual risk cannot depend on the type of procedure, comprehensive system knowledge is recommended, as well as exact consistency between the boundary conditions in the later operation of the vehicle and the prescribed test conditions.
In various examples, an evaluation of the risk assessment with a view to the later operation of the vehicle as well as changes in the system environment (for example, the organization and responsibilities of the vehicle operator, audit authorities, maintenance) is presented with regard to the system behavior and changing conditions.
Mr. Axel Firsching is an internationally respected key player in all airworthiness aspects of aviation powerplants and their installations. He was the long-standing and very experienced Head of the Airworthiness Office of a global aviation group. He graduated in 1985 under Prof. Dr.-Ing. Kappler and MTU AeroEngines. From 1991 until 2017 he worked for Rolls-Royce Deutschland Ltd & Co KG. In 2017 he founded AF Aviation Consulting.
Safety and Reliability in Civil Aviation
This presentation is intended to provide a short overview of a number of subjects linked with safety and reliability in civil aviation. Following a short introduction of the speaker, the legal background of civil aviation will be explained. Using the example of four aircraft accidents it will be shown what can go wrong and why. This will set the scene for the applicable safety regulations and an example of how to satisfy these requirements. Some special attention will be given to ETOPS (Extended Twin-Engine Operations) and EDTO (Extended Diversion Time Operations), and what is necessary to meet these requirements. Finally some “extreme” safety cases will be shown.
Mr. Parsa is currently completing his PhD in Systems Engineering at the University of Queensland on Abnormal Situation Management, modelling alarm systems versus human situational awareness, and gives guest lectures on system safety engineering and systems engineering. His research has resulted in a patent on an alarm management system.
He is a qualified Control, Safety and Systems Engineer with a background in Automation, Control and Safety Instrumented Systems (SIS) across a range of Oil/Gas, Refineries and Petrochemical plants as well as Manufacturing and Railways for about 15 years.
He also has experience in Process Safety, Functional Safety and Functional Security including qualitative and quantitative reliability analysis, RAMS engineering, systems modelling, risk mitigation and operations optimization, HAZOP, HAZID, LOPA, SIL study and specification, Formal Safety Assessments, Design and Operations Performance Standard Development, Safety Barriers Condition Evaluation and Report, Cyber threat studies and Safety Case development.
Abnormal Situation Management vs Situation Awareness
Abnormal situations still cause huge production losses and safety incidents in many operations and particularly in process control. To improve operational control and safety, alarm systems are implemented to detect abnormal situations and alert operators that they need to intervene in order to keep the operation productive and safe. Alarm systems are usually designed by identifying the abnormal or hazardous operational states which cannot be addressed by the pre-programmed logic, and then defining the alarms that help operators address the failures in a timely manner. However, incidents keep occurring, and investigations have reported flaws in alarm management as one of the major contributors to some incidents. Poor alarm system design can result in alarm floods, loss of situational awareness and poor decision-making, often leading to safety incidents or unnecessary shutdowns; these effects are the main part of this talk.
Jean-Roland Schuler is a professor at the University of Applied Sciences of Western Switzerland in Fribourg (HEIA-FR), where he leads the IT Security Team. He received his diploma from the Swiss Federal Institute of Technology (EPFL), Lausanne, Switzerland. He worked for 10 years in different companies as a development engineer and software manager. Since 1998 he has been a professor at HEIA-FR; his main research domains are IT Security, Smart Grid Security and embedded systems. He is a member of the EE-ISAC (European Energy-Information Sharing & Analysis Center).
IEC-61850, Inter-substation communication: Optimal signed-crypted R-GOOSE and R-Sampled Values on IP-Multicast networks
The R-GOOSE and R-Sampled Values (R-SV) inter-substation communications (IEC 61850-90-5) should, for IT security reasons, be signed and optionally encrypted.
The signature and the encryption must be very fast for these time-critical messages. These operations use symmetric, asymmetric and hash functions, which are unfortunately relatively slow on the processors used by the IEDs.
In recent years, new cipher algorithms have been developed which are very secure and faster than traditional algorithms like AES, RSA, SHA-2, etc. These algorithms are beginning to be used by the IoT (Internet of Things) and are suited to small and medium-sized processors.
Because the allowed latency of the R-GOOSE and R-SV messages is very short (3 ms), it is necessary to develop a realistic and optimal architecture which can be integrated on IEDs.
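The constraint described above (sign every message, optionally encrypt it, and still fit inside a 3 ms delivery budget on IED-class processors) can be made concrete with a small micro-benchmark. The following Go program is an added example and is not code from the talk, from HEIA-FR or from IEC 61850-90-5. The PDU bytes and keys are constructed placeholders, the choice of HMAC-SHA256, ECDSA P-256 and AES-128-GCM is an assumption standing in for whatever primitives a given IED supports, and the absolute numbers depend entirely on the host the program runs on.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"time"
)

// Constructed stand-in for an R-GOOSE application PDU; a real one is
// BER-encoded, but only its size matters for the timing comparison.
var samplePDU = []byte("GOOSE gocbRef=IED1/LLN0$GO$gcb01 stNum=42 sqNum=7 data=0100")

// Delivery budget for R-GOOSE / R-SV quoted in the abstract.
const latencyBudget = 3 * time.Millisecond

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// Symmetric authentication: HMAC-SHA256 (shared key assumed provisioned out of band).
func signHMAC(key, pdu []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(pdu)
	return m.Sum(nil)
}

func verifyHMAC(key, pdu, tag []byte) bool { return hmac.Equal(signHMAC(key, pdu), tag) }

// Asymmetric authentication: ECDSA P-256 over a SHA-256 digest.
func signECDSA(priv *ecdsa.PrivateKey, pdu []byte) []byte {
	h := sha256.Sum256(pdu)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, h[:])
	check(err)
	return sig
}

func verifyECDSA(pub *ecdsa.PublicKey, pdu, sig []byte) bool {
	h := sha256.Sum256(pdu)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

// Optional confidentiality: AES-128-GCM with a fresh random nonce prepended.
func encryptGCM(gcm cipher.AEAD, pt []byte) []byte {
	nonce := make([]byte, gcm.NonceSize())
	_, err := rand.Read(nonce)
	check(err)
	return gcm.Seal(nonce, nonce, pt, nil)
}

// Benchmark first checks that every primitive verifies its own output and
// rejects a tampered PDU, then returns the average per-message cost of each.
func Benchmark(n int) map[string]time.Duration {
	macKey := []byte("constructed-mac-key")
	block, err := aes.NewCipher([]byte("constructed-aes!")) // 16 bytes -> AES-128
	check(err)
	gcm, err := cipher.NewGCM(block)
	check(err)
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tag, sig, ct := signHMAC(macKey, samplePDU), signECDSA(priv, samplePDU), encryptGCM(gcm, samplePDU)
	ns := gcm.NonceSize()
	pt, err := gcm.Open(nil, ct[:ns], ct[ns:], nil) // fails if the GCM tag does not verify
	check(err)
	bad := append([]byte("X"), samplePDU...)
	if string(pt) != string(samplePDU) || !verifyHMAC(macKey, samplePDU, tag) || verifyHMAC(macKey, bad, tag) ||
		!verifyECDSA(&priv.PublicKey, samplePDU, sig) || verifyECDSA(&priv.PublicKey, bad, sig) {
		panic("self-check failed")
	}
	ops := map[string]func(){
		"HMAC-SHA256 sign":    func() { signHMAC(macKey, samplePDU) },
		"ECDSA-P256 sign":     func() { signECDSA(priv, samplePDU) },
		"ECDSA-P256 verify":   func() { verifyECDSA(&priv.PublicKey, samplePDU, sig) },
		"AES-128-GCM encrypt": func() { encryptGCM(gcm, samplePDU) },
		"AES-128-GCM decrypt": func() { gcm.Open(nil, ct[:ns], ct[ns:], nil) },
	}
	out := make(map[string]time.Duration, len(ops))
	for name, fn := range ops {
		start := time.Now()
		for i := 0; i < n; i++ {
			fn()
		}
		out[name] = time.Since(start) / time.Duration(n)
	}
	return out
}

func main() {
	for name, d := range Benchmark(2000) {
		fmt.Printf("%-20s %10v per message, within %v budget: %v\n", name, d, latencyBudget, d < latencyBudget)
	}
}
```

On a workstation every row will be far inside the budget; the measurement only becomes meaningful when the same program (or its C equivalent) is run on the IED's actual processor, which is the point the abstract makes. What carries over from any host is the ratio between the rows: the symmetric tag and the AEAD cost roughly the same as hashing the message, while a per-message asymmetric signature and verification are orders of magnitude more expensive, which is why the budget pushes designs toward symmetric per-message authentication with asymmetric operations reserved for key establishment.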