Towards establishing a self-management architecture for dynamic risk management in ‘intelligent’ Aero-Engine control

In the past, intelligent adaptive controllers have been proposed and shown to achieve performance and safety objectives when operating within complex and highly dynamic problem domains such as Gas-Turbine Aero Engine control. The behaviour of control functions in safety critical software systems is typically bounded to prevent the occurrence of known system level hazards. These bounds are typically derived through safety analyses and can be implemented through the use of necessary design features. However, the unpredictability of real world problems can result in changes in the operating context that may invalidate the behavioural bounds themselves, for example, unexpected hazardous operating contexts as a result of failures or degradation. For highly complex problems it may be infeasible to determine the precise desired behavioural bounds of a function that addresses or minimises risk for hazardous operation cases prior to deployment. This paper presents an overview of the safety challenges associated with such a problem and how such problems might be addressed using self-* systems. The safety assurance goals can be used to influence the design of a self-management architecture that performs on-line risk management.