Validation and Verification Methodologies in A380 Aircraft Reliability Program

Supanee Arthasartsri, He Ren School of Aerospace, Mechanical and Manufacturing Engineering

Royal Melbourne Institute of Technology Melbourne, Australia

Abstract— Reliability Validation and Verification (V&V) has become a major issue in every industry nowadays. In the development of an embedded system, it is important to be able to determine if the system meets specifications and if its outputs are correct. This is the process of V&V. Airbus applied this V&V process in safety assessment on A380 from aircraft level to supplier level. Aircraft level safety process was implemented for the first time on a large-scale commercial aircraft. To ensure the achievement of goal reliability before entry into service, Airbus has put in more tests on A380 beyond the safety requirements from FAA. This paper presents the methodology of V&V process in A380 aircraft reliability program with the example case study of how Engine Alliance implemented this process in GP7200 design for safety and reliability.

Keywords-component; formatting; Validation and Verification, Aircraft System Safety, Reliability, Airbus A380

I. INTRODUCTION The A380 aircraft is a flagship of 21st century, which is

categorized as the Very Large Aircraft (VLA). It carries more than 500 passengers and has a maximum take-off weight (MTOW) of around 560 tons. A380 aircraft is not only the biggest civil aircraft ever built, it is also the most advanced technology aircraft in all engineering aspects. With the advanced technology that will bring the step forward in operating economics, the opportunity must also be taken to ensure that this same technology works for maintenance. It therefore, sets the new standard in aviation and opens up a new age in commercial aircraft Reliability and Maintainability (R&M) program. It is clear that availability of the aircraft, in terms of operational reliability (OR), maintenance down time, and the cost of maintenance, are the factors crucial to the success of aircraft and therefore were taken into consideration at the same level as the more traditional design objectives.

The primary objective of maintenance is clearly to maintain the highest levels of airworthiness but this is not incompatible with the requirement to achieve very high aircraft availability at the minimum practical costs. The key reliability target (in-service OR) for the A380 is a much higher target than Airbus had on its A340 series, which is 99% within two years of Entry-Into-Service (EIS) [1]. It is obvious that when Very Large Aircraft (VLA) such as the A380 gets larger and the range gets longer, it is more challenging to meet the marketing

requirements for operating economics. Therefore, the R&M has been placed high on the list of A380 design priorities [2].

Component reliability must be coherent with the maintainability and maintenance cost objectives and the policy is to place challenging targets on A380 equipment suppliers particularly for components that have under-performed in the past. Systems and component reliability are obviously critical factors in the early achievement of aircraft maturity and maturity assurance is planned through the design ‘Validation and verification’ (V&V) process and the introduction of intensive accelerated reliability testing to ‘shake out the bugs’ early enough so they can be fixed before entry into service [2].

Aircraft level safety process was implemented for the first time on a large-scale commercial aircraft [3]. It identifies aircraft level functions and associated failure conditions, decomposes them to multiple systems and places requirements on various levels of suppliers in the development of system and equipment. It has been shown that the outcome of the V&V process is the important basis on which all the critical engineering decisions to be made.

This paper presents the basic knowledge and methodology of V&V process including the objectives and framework. The implementation of V&V method in A380 safety process is gathered and discussed with the details of various analyses relating to this process. The author was able to collaborate with Airbus engineers to perform and summarize this analysis. However, due to confidential issue, the author is unable to identify the source in this paper. Lastly, this paper shows the example of how engine alliance applied V&V methodology in designing the GP7200 engine for A380 aircraft.

II. VALIDATION AND VERIFICATION METHODOLOGY APPLIED IN A380 R&M DESIGN

Airbus established top level aircraft requirement (TLAR) for operational reliability and apportioned down to the level of system, sub-systems and components. This is an iterative process and follows the evolution of the design architecture [2]. The simulation method is applied in every design process in order to achieve the optimized results. Critical engineering decisions are based on the predictions of the complicated mathematical theories. Airbus design team uses V&V process

978-1-4244-4905-7/09/$25.00©2009 IEEE 1356

against all the predictions made to determine the stability and safety of the mathematical model.

American Society of Mechanical Engineers guide to V&V [4] defines the goal of V&V process as to develop standards for assessing the correctness and credibility of modeling and simulation in computational science. The validation is a process determining whether the mathematical model describes sufficiently well the reality with respect to the decision to be made, which includes requirement validation and product validation. The purpose of Requirements Validation is to ensure that the requirements for a product are sufficiently correct and complete to achieve safety and to satisfy the needs of the customer within program constraints (e.g. cost, schedule). The Product Validation is to check if product meets the implicit needs of the customer.

However, the verification is to determine whether the computational model and the implementation result is sufficient and accurate. The Verification process ensures that the system implementation satisfies the validated requirements. The aim of Design Verification is to provide evidence that the design is compliant with the requirements. This compliance evidence is presented during design reviews and it is a key input to decisions on the choice of design solution and whether to proceed to the next stage of development. The Product Verification is to ensure the final product meets the requirement. Figure 1 shows the general view of the V&V process [5].

Figure 1. V&V Process for Airbus A380 Aircraft Design

III. V&V METHODOLOGY IN AIRWORTHINESS CERTIFICATION PROCESS

The main objective of the certification process is to make

sure that the aircraft comply with applicable airworthiness requirements. In order to meet most regulatory guidelines, aircraft manufacturer must build a safety case as a means of documenting the safety justification of a system. The safety case is a record of all safety activities associated with a system throughout its life. Validation and verification are part of the system safety certification process as shown in Figure 2.

The safety case is an important document used to support certification. It contains a set of arguments supported by analytical and experimental evidence concerning the safety of a design. In the safety case, the regulatory authority will look to see that all potential hazards have been identified, and that appropriate steps have been taken to deal with them. In addition, the safety case must also demonstrate that appropriate development methods have been adopted and that they have been performed correctly. Items that should be included in the safety case include specification of safety requirements, results of hazard and risk analysis, validation and verification strategy, and results of all validation and verification activities [6].

Validation and verification can be performed by the manufacturers who perform the design, development, and implementation but sometimes it is performed by an independent testing company. The testing methods approved include a suite of in-house procedures including static and dynamic testing techniques [6]. For example, the Engine Alliance performed the testing on their GP7200 engine with various methods which will be mentioned in the later section.

Figure 2. Aircraft functional Implementation Process [7]

IV. VALIDATION AND VERIFICATION PROCESS

The V&V process is mostly executed by comparison with measurements. This procedure assumes that the measurements are correct and useful as a reference. This assumption has to be carefully proven, because the measurements may have their own problems [8]. On the other hand, some of the measurement features are not a proof of the correctness of the

1357

numerical method. The continuous validation and verification process can be performed by [8]:

• Plausibility and experience, minimizing the probability

of wrong/erroneous results.

• Crosscheck with other methods and other tools if available and possible.

• Carefully and consequently following the rules and limitations of the applied method.

• Continuous comparison with available (reliable) measurements.

Figure 3 represents the ASME validation and verification Committee’s detailed view of the numerical modeling process that includes validation and verification.

Figure 3. ASEM Detailed Illustrating The Interaction of V&V in The

Numerical Modelling Process.

It is important for design simulation result to be tested,

checked and it should not be accepted automatically. As in Figure 3, on the left hand side are the experiments and on the right hand side are the computational models. At the lowest level of the pyramid are the simple calibration experiments. Some of them are called accreditation (certification) experiments and serve as the basis for the demonstration of compliance with regulatory requirements [9].

The comparison between the experimental data and the computed data is based on a specific metric (i.e. how the difference is measured) and the rejection criterion, which is a quantitative measure of the difference. The metric and the

criterion have to be directly related to the prediction and the decision based on it. If the criterion is larger than the given tolerance, which is related to some threshold conditions, the model will be rejected. If the model at any level of the pyramid is rejected then the model has to be changed and to pass all the lower level tests and possibly more experiments would be needed. If the model is not rejected at a certain level of the validation pyramid, then the higher level is performed [9]. This framework in figure 4 demonstrates the iteration V&V process.

Figure 4. The Validation Pyramid [9]

Figure 5. A Frameworks for iteration V&V Process

V. A380 SAFETY SYSTEM ASSESSMENT PROCESS The system assessment process includes requirements

generation and verification which supports the aircraft development activities [10]. This process is normally conducted during concept and design phases. It determines that the possible associated hazards have been addressed in the aircraft functions and systems.

V&V process plays the important part in A380 safety system assessment process. For the first time on a large-scale commercial aircraft, Airbus implemented aircraft safety process on aircraft level which is a crucial input to the iterative V&V process. Airbus has put in the great amount of testing prior to A380 EIS. In the safety and reliability (SR) analysis for A380, Airbus has performed the analysis in 3 levels; aircraft, system, and equipment. Table 1 shows the detail of the analysis

1358

in aircraft and system level for the safety process. Figure 6 shows the process of model base safety analysis for Airbus A380.

TABLE I. SAFETY ANALYSIS PERFORMED IN EACH LEVEL

Aircraft Level System Level Equipment Level Functional Hazard Analysis (FHA) Zonal Safety Analysis (ZSA) Particular Risk Analysis (PRA) Common Mode Analysis (CMA) Human Hazard Analysis (HHA)

FHA Preliminary System Safety Analysis (PSSA) Intrinsic Hazard Analysis (IHA) Environmental Condition Hazard Assessment (ECHA) System Safety Analysis (SSA) Risk Assessment of Structural Part (RASP) CMA Master Minimum Equipment List (MMEL)/ Configuration Deviation List (CDL)

Failure Mode and Effect Analysis (FMEA) Failure Mode and Effect Summary (FMES) Safety Assessment Reliability PredictionIHA + ECHA Equipment CMAs

Figure 6. Model Base Safety Analysis for A380 Aircraft

A. Functional Hazard Analysis (FHA) It is the first time Airbus has performed FHA at the aircraft

level. Moreover, this is the first time ever that an aircraft manufacturer has done one [11]. Airbus conducted this analysis at the beginning of the aircraft system development cycle. As shown in figure 6, we can see that functional hazard assessment is defined as one of the preliminary activities in the safety assessment process outlined by ARP4754 [7]. FHA is first carried out for the whole aircraft level which is working from a description of aircraft function. Then, following allocation of functions to aircraft systems, FHA is performed

again for each subsystem. FHAs carried out at these two levels use the same principles

FHA is a predictive technique that attempts to explore the effects of functional failures of parts of a system. The objective of conducting a FHA is to clearly identify hazardous function failure conditions. The working step for FHA includes;

• Identifies Aircraft functions (e.g. Deceleration on ground)

• Classification of potential failures associated with functions

• Classifies hazards associated with specific failures conditions

• Validation of objectives associated with each function

• Generates safety requirements for subsequent levels

• Forms the input for the system-level safety activities (FHA, PSSAs, etc)

• Determines Development Assurance Level (DAL) based on criticality at the System level, associated with each function

Creation of the FHA is dependent upon overall knowledge and experience of the design team and may require consultation of numerous specialists. Table 2 shows example of level functions and their associated failure conditions that may be considered.

TABLE II. EXAMPLE OF FUNCTIONS AND FAILURE CONDITION

Function Failure Condition Control Flight Path Inability to control Flight Path Control Touchdown and Roll Out Inability to control Touchdown and

Roll Out Control Thrust Inability to control Thrust Control Cabin Environment Inability to control Cabin

Environment Fire Protection Loss of Fire Protection

The failure condition could also be broken down through the use of FHAs and Fault Trees. For example with the inability to control flight path failure condition, it could be broken down into loss of trim (manual, fuel etc.), inadvertent trim, loss of hydraulics, loss of flight control and flight control malfunction. The failure conditions that affect on safety should eventually be defined together with the objectives and proposed means for demonstrating compliance.

Though FHA is an effective tool to predict aircraft functional failure and the effects of failure, it could be hard to apply at the aircraft level. FHA works best for independent functions however most of the aircraft functions are highly integrated systems which are far from independent. When aircraft-level functions are integrated by a system or combination of systems, the FHA should be re-evaluated to identify and classify failure conditions involving multiple functions. If the FHA is constructed in system-oriented sections, traceability of hazards and failure conditions between the aircraft-level and system-level is necessary [7].

1359

B. Preliminary System Safety Analysis (PSSA) A PSSA is used to examine system architecture to

determine the completeness of the failure conditions and derive S&R requirements list from the FHA. It also used as a validation of S/R requirement from FHA. The PSSA is an iterative analysis embedded within the overall system development. Airbus analyse PSSA through FTA showing the combinations of casual failure modes which can lead to the failure condition. The possible contributions factors leading to failure conditions can also be identified by using dependence diagram, Markov analysis, or other analysis methods [7].

For A380, there are 2 analysis which are performed within PSSA include;

1) Intrinsic Hazard Analysis (IHA)

2) Environment Condition Hazards Assessment (ECHA)

C. Common Cause Analysis(CCA) In early development process, implementation of the

assessment may introduce common causes for multiple aircraft failure conditions or connections between systems consequential in malfunction. CCA is necessary for systems establishing to address common cause faults. It is crucial for engineer to use a fail-safe design in aircraft system by adding redundancy to the system to increase reliability. CCA addresses the common cause fault potential across each boundary and identify the fault containment strategies to be used, along with the rational supporting the fault coverage provided [7, 10].

For A380 aircraft, Airbus sub-divided CCA into 4 categories for assessment [11];

1) Zonal Safety Analysis (ZSA): performed on each aircraft to ensure the installation and interaction within and between zones are safe. There are three phases of iteration includes Digital Mock-Up (DMU) initiation, repeating on representative mock-up, and finally analysis on aircraft.

2) Particular Risks Analyses (PRA): carried out for specific risks that potentially have on aircraft level affect. The process for each analysis includes determination of an approved risk model and a study of the repercussions associated with this model. For A380, there are 22 PRA in total.

3) Common Mode Analysis (CMA): used to provide the evidence for the functions and failure modes assumed to be independent are accurately independent. Airbus performed this analysis using FTAs, identification of CMA requirements, design analysis and safety & design process document results and feedbacks.

4) Human Hazard Analysis (HHA): used as equipment reliability potentially increases weaknesses are perceived to be more human related. Airbus adopts FMEA to identify the impact of equipment failure causes by human error and contextual analysis to present error level.

D. System Safety Assessment (SSA) The analysis process of SSA is quite similar to PSSA, but

different in the purpose. The PSSA is used to derive system and item safety requirements; whereas the SSA is used to verify that the implemented design meets those safety requirements. SSA is used to integrate the results of PSSA, together with any additional tests which may have been requested in the PSSA. The SSA analysis methods include FTA, FMEAs, Markov analysis and Dependence diagrams.

E. Verification Process Verification is the process of determining that a

computational model accurately represents the underlying mathematical model and its solution [12]. Oberkampf and Trucano [13] defined verification as the process of determining that a model implementation accurately represents the developer’s conceptual description of the model and the solution to the model. The purpose of verification is to ascertain that each level of the implementation meets its specified requirements.

The verification process ensures that the system implementation satisfies the validated requirements. Verification activities are primarily performed early in the development cycle of a computational code. However, these activities must be repeated when the code is subsequently modified or enhanced. Verification consists of inspections, reviews, analyses, tests, and service experience applied in accordance with a verification plan. Verification of FHA Failure conditions is reflected in the result of PSSA, ICMA, and SSA assessments. Fig. 7 depicts the verification process of comparing the numerical solution from the code in question with various types of highly accurate solutions.

Figure 7. Verification Process [13]

F. Validation Process Validation is the method of ensuring that all the

requirements are adequately precise and complete so the aircraft will meet the airworthiness requirements. As discussed in the AIAA Guide, validation is the process of determining the degree to which a model is an accurate representation of the real world from the perspective of the intended uses of the model [14]. Validation deals with the assessment of the

1360

comparison between sufficiently accurate computational results and the experimental data.

The objective of validation process is to ensure correctness and completeness of requirements. Errors in the definition of system requirements can arise from three primary causes: (1) ambiguity, (2) incorrect statements, or (3) incomplete statements (i.e., omissions). The validation process should adequately cover all of these potential deficiencies. Examination of requirements to ensure they are both necessary and sufficient is a key aspect of validation. A further objective of the validation process is to limit the potential for unintended functions in the system or for unintended functions to be induced in interfacing systems [7, 10].

Requirements and assumptions should be validated at each hierarchical level and also should involve all the relevant technical disciplines. This includes validation of requirements at the aircraft function, system and item levels as well as validation of the FHA. Generally, validation of requirements and assumptions at higher levels serves as a basis for validation at lower levels. The assessment is made by comparing the predictive results of the model with validation experiments. If these comparisons are satisfactory, the model is deemed validated for its intended use [12] Fig. 8 depicts the validation process of comparing the computational results of the modeling and simulation process with experimental data from various sources.

Figure 8. Validation Process [13]

VI. V&V PROCESS IN THE A380’S STRUCTURE DESIGN In aircraft design, computational solid mechanics play a big

part in designing aircraft structure. The approach includes numerical predictions and simulations. The processes of V&V in computational mechanics are intended to provide, and quantify, confidence in numerical modelling and the results from the corresponding simulations [15]. Verification is concerned with identifying and removing errors in the model by comparing numerical solutions to analytical or highly accurate benchmark solutions. Validation, on the other hand, is concerned with quantifying the accuracy of the model by comparing numerical solutions to experimental data. In short, verification deals with the mathematics associated with the model, whereas validation deals with the physics associated

with the model [16]. In this section, the example of V&V process on composite material using on the A380 is presented based on the research from Airbus team and technical publications.

For the A380 aircraft structure design, weight is the most important factor. The reduction of weight on aircraft structure without prejudice to costs and structural life is the baseline aspect for the A380 design. Airbus has approached this demand by introducing more composite materials in the major aircraft parts. The example is the utilization of CFRP in fuselage structure. Kling [17] discussed that the allowable load bearing capacity of undamaged thin-walled stringer stiffened CFRP panels loaded in compression is currently limited by its buckling load and proposed the extension to a novel stability design scenario - to permit post-buckling under ultimate load. This design process involves the simulation techniques to determine the buckling characteristic of the CFRP panels. V&V Method was used to provide the confidence in the results from simulation.

Figure 9. Phase of Modeling and Simulation [16]

Figure 9 shows the Sargent Circle [16] used to demonstrate the concept of validation and verification in relation to modeling and simulation effort. In this case, the reality experiment represents the CFRP Panel. From the real structure panel, the model building activity was conducted via FEM hence the FE Model which leads to a mathematical model. The mathematical model is derived by considering what aspects of the reality need to be described. For this instance, different kind of arc-length procedure or displacement controlled Newton-Raphson Method was used [17]. Then mathematical model is converted, via programming, into numerical algorithm, along with initial and boundary conditions, material properties and a description of the geometry form the “Computational Model.” “Verification Activities” are the checks and sample problems we use to exercise the Computational Model to provide confidence that we have converted the mathematical model into a correct computational model. This process is simplified in figure 10.

1361

Figure 10. Analysis Procedure

Prior to application of computational model, validation is the process to assure that the equation chosen is appropriate for a complex structure. To establish confidence that the modeling is right, the simulation result is compared with the experimental one as shown in figure 11.

Figure 11. Experiment VS Computation [17]

VII. V&V PROCESS IN GP7200 ENGINE Mature reliability at entry into service is one of the

requirements that world’s major airlines established to the manufacturer. Engine Alliance has followed the V&V process alongside with the design in order to achieve the target reliability of the engine before entry into service.

During detailed design stage or Phase 0 according to figure 12, the analytical in designing the GP7200 engine includes mission/propulsion cycle simulation, aerothermodynamics modeling, structural assessment and controls modeling and evaluation etc. Code verification and calculation verification was conducted in this phase and resulted in simulation outcomes. On the other side, to establish confidence that the computational modelling is appropriate, the experiments were conducted. Comparison of the computational model predictions with the results of these physical tests are the Validation Activities. The validation and certification tests demonstrate

compliance with the specification and flight safety regulations. They are ultimately the basis for customer approval.

Figure 12. GP7200 Design and Manufacturing Phase

Figure 13 shows the validation pyramid [18]. The validation process of the GP7200 was performed in different level from aircraft level to individual parts level. The Engine Alliance has made a substantial investment to conduct GP7200 component rig test as part of the reliability strategy to continually validate performance and mature technology.

Aircraft Level

Aircraft Powerplant Systems

Major Assemblies of the Powerplant

Small Components

Individual Parts

Experiments Computational Models

Figure 13. Engine Validation Pyramid

On the aircraft level, the EA validate the GP7200 endurance by performing flight tests which run on ETOPS. Additionally, Boeing 747 flying test bed was used to evaluate engine throttle response and altitudes relight characteristics, and optimize clearance control schedules. On the engine level, GP7200 was tested in wind tunnel in order to survey the mechanical stress levels in engine components and vibration etc. There are also intensive tests the major assemblies of the engine such as swept fan testing, core engine testing, HP compressor and HP turbine testing etc. Finally the individual

1362

parts validation could be done in the test lab for the stress analysis of the materials and structures.

VIII. CONCLUSION

In this paper, the Verification and Validation methodology in Airbus A380 program has been demonstrated. It showed that in V&V methodology, there are intensive analyses for safety and reliability which include the modeling approach from mathematical model, computation model and simulation techniques together with the functional hazard analysis, system safety analysis and all other validation experiment and testing. The reliability assessments also include Markov analysis, FMCA, FTA, Dependence Diagram and also other type of analysis. This V&V process was implemented in the early stage of design therefore significantly reduce the development cycle of the aircraft and provide the reliability prediction with a higher confidence level. V&V method is an iteration process and a continuous approach throughout the service life of the aircraft. This paper has shown the example of V&V method implementation on GP7200 by Engine Alliance, which the results of reliability before entry into service was exceed the expectation requirements from FAA.

With the entry into service of Airbus A380, the application of validation and verification method in safety and reliability program has been proven successful. The application in the aircraft level for the first time in commercial aircraft is not only valid to A380, but they also could be used as a reference in the new aircraft development for the outstanding safety before EIS. It could also be applied to other aerospace system design and to other industry that require the high level of safety and

REFERENCES [1] “A380 – reliability, maintainability, supportability – on target?”, Aircraft

Technology Engineering & Maintenance, February/March 2006. [2] D. Cutler et al, “A380 maintenance status report”, Airbus World FAST

Magazine, Vol. 28. [3] Airbus Homepage: www.airbus.com [4] “AIAA. guide for the verification and validation of computational fluid

dynamics simulations”, American Institute of Aeronautics and Astronautics, Reston, VA, 1998.

[5] F. Dohrmann, “A380 kabinetechnologie, integration & test”, Airbus, Hamburg, December 2006

[6] N. Storey, “Safety critical computer systems”, Harlow, England: Addison-Wesley, 1996

[7] ARP 4754, “Certification and considerations for highly-integrated or complex aircraft systems”, Systems Integration Requirements Task Group AS-1C, ASD SAE April 10, 1996

[8] G. Greving, “Advanced numerical system simulations for navaids and surveillance radar the verificationp”, 13th International Flight Inspection Symposium, Montreal, 2004

[9] I. Babuska , F. Nobile, R. Tempone, “Reliability of computational science”, Numerical Methods for Partial Differential Equations, Vol. 23, Issue 4.

[10] ARP 4761, “Guidelines and methods for conducting the safety assessment process on civil airborne systems and equipment”, S-18, Aircraft And Sys Dev And Safety Assessment Committee, SAE, December 1996

[11] B.M Lawrence, “A380 aircraft safety process”, Airbus, June 2006 [12] L.E. Schwer, “Guide for verification and validation in computational

solid mechanics”, Iacm expressions, 01/07, issue 20 [13] L. W. Oberkampf and T. G. Trucano, “ Verification and validation in

computational fluid dynamics”, Progress in AerospaceSciences Volume 38, Issue 3, April 2002, Pages 209-272

[14] Computational Fluid Dynamics Committee on Standards, “Guide for verification and validation of computational fluid dynamics simulations,” American Institute of Aeronautics and Astronautics, AIAA G-077-1998, ISBN 1-56347-285-6, January 1998.

[15] B. H. Thacker, M. C. Anderson, P. E. Senseny, E. A. Rodriguez, “The role of nondeterminism in model verification and validation”, International Journal of Materials and Product Technology, Volume 24, Issue 1, March 2006, Pages 144-163

[16] P. J. Roache, Verification and validation in computational science and engineering, Hermosa, August 1998

[17] A. Kling, R. Degenhardt, H. Klein, J. Teßmer, R. Zimmermann, “Novel stability design scenario for aircraft structures –simulation and experimental validation”, Proceedings of the 5th International Conference on Computation of Shell and Spatial Structures, June 1-4 2005, Salzburg, Austria

[18] I. Babuska, F. Nobile, R. Tempone, “Reliability of computational science”, Numerical Methods for Partial Differential Equations, Vol. 23, Issue 4.

[19] A. Ott, T. Hartmann, “Domain specific V&V strategies for aircraft applications”, Center for Computing Technology, Safe Systems, University of Bremen

[20] B. Burchell, “A380: The maintenance-friendly giant?”, Overhaul & Maintenance, May 2005.

[21] C. Benac, “A380 simulation models”, Airbus, April 2006. [22] C. Delmas, R. Broutee, “The A380 maintenance program is born!”,

Airbus World FAST Magazine, Vol. 38. [23] P. Traverse and C. Cuiller, “System validation”, Airbus, October 2007

1363