Dependability Modelling and Assessment of Avionics Systems with - - PowerPoint PPT Presentation



SLIDE 1

Dependability Modelling and Assessment of Avionics Systems with Altarica.

P. Bieber, Ch. Castel, G. Durrieu, Ch. Seguin, C. Pagetti, L. Sagaspe
SLIDE 2

General Problem

  • Avionics are complex systems
    – A380 (safety critical avionics):
      • +100 computers connected to the main Aircraft network,
      • ~10 000 data flows transmitted over the network
  • Structured Design
    – Modular design
      • Systems: Flight Control, Flight Management, Flight parameters, …
    – Layered design
      • functional architecture / allocation / hardware architecture
  • Complex Design Process
    – Several actors:
      • System designers -> functional architecture
      • Platform designers -> hardware architecture
      • Integrator -> allocation
SLIDE 3

General Goal

  • Support the safety assessment of avionics systems
    – using Altarica models
    – and taking into account the current design process
  • Apply the approach on case-studies
    – Dassault Mirage Terrain Following/Terrain Avoidance
    – Airbus systems (ADIRS, Fuel On Board, …)
    – Astrium ATV (Automatic Transfer Vehicle)

SLIDE 4

Overview

  • Avionics Platform Design
    – Functional and hardware description
    – Allocation
  • Safe Resource Allocation Process
    – Failure Propagation Modelling
    – Safety Requirements Validation
    – Independence requirement derivation
  • Advanced Topics
    – Allocation Generation by Constraint Solving
    – Installation related risks
    – Automatic production of Altarica models
    – Middleware Modelling

SLIDE 5

Functional Architecture

  • Function and Data flows
    – ADIRU: x3
    – SEC: x6
    – VL: x18

(Figure: ADIRU, SEC and VL data flows)

SLIDE 6

Hardware Architecture

  • Interconnected resources
    – Bus, Switch, CPU, …

SLIDE 7

Allocation

  • Described as tables
    – well formalized at detailed design stages
    – but often missing at earlier design stages

Example allocation table entry:
VL_ADIRU1_SEC3A : ADIRU_Hard_1, AFDX_SW-1, AFDX_SW-1, AFDX_SW-9, SEC3A

SLIDE 8

Overview

  • Avionics Platform Design
    – Functional and hardware description
    – Allocation
  • Safe Resource Allocation Process
    – Failure Propagation Modelling
    – Safety Requirements Validation
    – Independence requirement derivation
  • Advanced Topics
    – Allocation Generation by Constraint Solving
    – Installation related risks
    – Automatic production of Altarica models
    – Middleware Modelling

SLIDE 9

Functional Architecture Safety Model

  • Failure Propagation Model built using predefined nodes in an Altarica Library
  • Qualitative Safety Requirement:
    – « No double failure of dataflows between ADIRU and SEC shall cause the loss of all SEC functions »
    – « No double failure of dataflows between ADIRU and SEC shall cause the undetected erroneous behaviour of all SEC functions »

SLIDE 10

Safety Requirement Assessment

  • Automatic Generation of the fault-tree from the model
    – Generation of minimal cut sets
    – Computation of probabilities

Number of minimal cut sets per size (Loss / Erroneous):

  Size     Loss      Erroneous
  1–5      –         –
  6        5832      8748
  7        1944      972
  8        216       –
  9        8         –
  Total    8000      9720
  Proba    2.0e-24   3.0e-24

Example minimal cut set (Erroneous, size 6):
VL_ADIRU1_ADR_SEC1A.fail_erroneous, VL_ADIRU2_ADR_SEC1A.fail_erroneous, VL_ADIRU1_ADR_SEC1B.fail_erroneous, VL_ADIRU2_ADR_SEC1B.fail_erroneous, VL_ADIRU1_ADR_SEC2A.fail_erroneous, VL_ADIRU2_ADR_SEC2A.fail_erroneous

SLIDE 11

Hardware + Allocation models

  • Hardware model
    – very basic model
  • Allocation model
    – Common cause failure
    – Use Broadcast to group the failure event of the resource with the failure events of all supported functions and data flows

(Figure: resource Res supporting functions F1, F2, F3)

SLIDE 12

Impact of allocation on Safety requirements

  • Allocation of shared resources to functions and data-flows creates Common Mode Failures.
  • Compare before/after allocation:
    – Decrease size of minimal cut sets,
    – increase probability of FC occurrence
  • Is this impact acceptable?

Before allocation (minimal cut set of size 6):
VL_ADIRU1_ADR_SEC1A.fail_erroneous, VL_ADIRU2_ADR_SEC1A.fail_erroneous, VL_ADIRU1_ADR_SEC1B.fail_erroneous, VL_ADIRU2_ADR_SEC1B.fail_erroneous, VL_ADIRU1_ADR_SEC2A.fail_erroneous, VL_ADIRU2_ADR_SEC2A.fail_erroneous

Allocate (SEC1A, 1B connected to Switch1, SEC2A connected to Switch2)

After allocation (minimal cut set of size 2):
Switch1.fail_erroneous, Switch2.fail_erroneous

SLIDE 13

Derivation of Segregation Requirements

  • Extract segregation requirements from the safety assessment results in order to avoid allocation common mode failures

  Size of minimal cut set   Safety Objective
  3                         Data-flows shall be segregated
  5                         3 Data-flows out of 5 shall be segregated
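As an added example (written here in Python, not code from the presentation or its tools), the before/after comparison of slides 12 and 13 carried out explicitly: the size-6 cut set is expanded with the common-cause failures introduced by the slide's allocation (SEC1A/SEC1B flows on Switch1, SEC2A flows on Switch2), re-minimised, and compared with the "no double failure" objective; `segregation_requirements` and `violates_segregation` then derive and check the segregation rule of slide 13. The expansion is a simplified stand-in for the Altarica Broadcast of slide 11; the `Switch3` allocation used in the usage note is an assumption.

```python
from itertools import product

# Slide 12 example, re-typed here: the size-6 minimal cut set over data-flow events
FLOWS = ["VL_ADIRU1_ADR_SEC1A", "VL_ADIRU2_ADR_SEC1A",
         "VL_ADIRU1_ADR_SEC1B", "VL_ADIRU2_ADR_SEC1B",
         "VL_ADIRU1_ADR_SEC2A", "VL_ADIRU2_ADR_SEC2A"]
BEFORE = {frozenset(f + ".fail_erroneous" for f in FLOWS)}
# Allocation of slide 12: SEC1A/SEC1B flows via Switch1, SEC2A flows via Switch2
ALLOCATION = {f: ["Switch2" if "SEC2A" in f else "Switch1"] for f in FLOWS}
MIN_ORDER = 3  # "no double failure shall cause ..." => every cut set has size >= 3

def minimize(cut_sets):
    """Keep only minimal cut sets (drop any set that strictly contains another)."""
    return {c for c in cut_sets if not any(o < c for o in cut_sets)}

def allocate(cut_sets, allocation):
    """Common-cause failure: a data flow also fails when a resource it is allocated
    to fails (simplified stand-in for the Broadcast of slide 11), then re-minimise."""
    expanded = set()
    for cut in cut_sets:
        alternatives = []
        for event in cut:
            flow = event.split(".")[0]
            alternatives.append([event] + [r + ".fail_erroneous"
                                           for r in allocation.get(flow, [])])
        for combo in product(*alternatives):
            expanded.add(frozenset(combo))
    return minimize(expanded)

def min_cut_size(cut_sets):
    return min(len(c) for c in cut_sets)

def segregation_requirements(cut_sets, min_order=MIN_ORDER):
    """Slide 13: to keep every post-allocation cut set at size >= min_order, at
    least min_order flows of each pre-allocation cut set must not share a
    resource. Returns (flows to segregate, flows in cut set) per cut set."""
    return [(min(min_order, len(c)), len(c)) for c in cut_sets]

def violates_segregation(cut_sets, allocation, min_order=MIN_ORDER):
    """True if some cut set is carried by fewer than min_order independent
    resources (a flow with no allocated resource counts as independent)."""
    for cut in cut_sets:
        resources = set()
        for event in cut:
            flow = event.split(".")[0]
            resources.update(allocation.get(flow) or [flow])
        if len(resources) < min_order:
            return True
    return False
```

With the slide's two-switch allocation, `allocate(BEFORE, ALLOCATION)` contains the cut set {Switch1.fail_erroneous, Switch2.fail_erroneous} and `violates_segregation` reports the violation; an assumed allocation spreading SEC1A, SEC1B and SEC2A over three switches keeps the smallest cut set at size 3.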

SLIDE 14

Overview

  • Avionics Platform Design
    – Function and architecture description
    – Allocation
  • Safe Resource Allocation Process
    – Failure Propagation Modelling
    – Safety Requirements Validation
    – Independence requirement derivation
  • Advanced Topics
    – Allocation Generation by Constraint Solving
    – Installation related risks
    – Automatic production of Altarica models
    – Middleware Modelling

SLIDE 15

Allocation Generation by Constraint Solving

  • Formalisation of allocation constraints
    – {0,1} linear inequalities.
  • Variables:
    – allotc(task,cpu) : {0,1}
    – allodb(data,bus) : {0,1}
    – connected(cpu,bus) or connected(bus,cpu) : {0,1}
  • Inequalities
    – Any task has to be allocated to one and only one cpu:
      allotc(t,c1) + … + allotc(t,cn) = 1
    – Two segregated tasks should not be allocated to the same cpu:
      allotc(t1,c) + allotc(t2,c) + segregated(t1,t2) < 2
    – A connection (C,B) is used if there exists a data flow D and its producing task T such that D is allocated to B and T is allocated to C.
  • Criterion
    – Minimise the number of used connections

SLIDE 16

Tool Support for Constraint Solving

  • Generation of constraints
  • Call to solvers (ILOG solver, satzoo)
  • Visualisation of allocations

(Figure: generated allocation, Goal = 8)
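An added example, not part of the presentation or its tool: a Python constraint generator and exhaustive search for the {0,1} formalisation of slide 15 on a constructed instance (tasks t1..t3, CPUs c1, c2, buses b1, b2, the connectivity, the segregation pair and the producers are all assumptions). The search stands in for the ILOG/satzoo call, and it assumes that a used connection must exist in the hardware model, a constraint the slide does not state explicitly.

```python
from itertools import product

# Constructed instance (assumption, not from the slides): 3 tasks, 2 CPUs, 2 buses
TASKS = ["t1", "t2", "t3"]
CPUS = ["c1", "c2"]
BUSES = ["b1", "b2"]
CONNECTED = {("c1", "b1"), ("c2", "b1"), ("c2", "b2")}  # connected(cpu,bus) = 1
SEGREGATED = [("t1", "t2")]                               # segregated(t1,t2) = 1
PRODUCER = {"d1": "t1", "d2": "t2"}                       # data flow -> producing task

def generate_inequalities():
    """Textual {0,1} inequalities of slide 15, as a constraint generator would emit."""
    ineqs = [" + ".join(f"allotc({t},{c})" for c in CPUS) + " = 1" for t in TASKS]
    for t1, t2 in SEGREGATED:
        ineqs += [f"allotc({t1},{c}) + allotc({t2},{c}) + segregated({t1},{t2}) < 2"
                  for c in CPUS]
    return ineqs

def satisfies(allotc, allodb):
    """allotc: task -> cpu (so each task sits on exactly one cpu); allodb: data -> bus."""
    if any(allotc[t1] == allotc[t2] for t1, t2 in SEGREGATED):
        return False                     # two segregated tasks on the same cpu
    # Assumption added here: a used connection must exist in the hardware model
    return all((allotc[PRODUCER[d]], b) in CONNECTED for d, b in allodb.items())

def used_connections(allotc, allodb):
    """(C,B) is used iff a data flow D is on B and its producing task T is on C."""
    return {(allotc[PRODUCER[d]], b) for d, b in allodb.items()}

def best_allocation():
    """Exhaustive search standing in for the solver: minimise used connections."""
    best = None
    for cpus in product(CPUS, repeat=len(TASKS)):
        allotc = dict(zip(TASKS, cpus))
        for buses in product(BUSES, repeat=len(PRODUCER)):
            allodb = dict(zip(PRODUCER, buses))
            if satisfies(allotc, allodb):
                cost = len(used_connections(allotc, allodb))
                if best is None or cost < best[0]:
                    best = (cost, allotc, allodb)
    return best
```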

SLIDE 17

Installation Related Assessment

  • Assess the impact of equipment installation on Safety Requirements
  • Link functional architecture model with Digital Aircraft mockup (CATIA, IRIS)
    – Similar to the modelling of allocation of functions on hardware
  • Study the effect of tyre or engine burst on functions

(Figure: 3D model linked to Altarica model)

SLIDE 18

ATV Case Study

  • Software dependability oriented model:
    – More detailed functional Architecture, simpler hardware model
    – Add a model of middleware services « between » the functional view and the hardware architecture view to study new kinds of failure propagation in the temporal domain

(Figure: Functional / Middleware / hardware layers)

SLIDE 19

Automated Production of Altarica models

  • Generate dependability models
    – Industrial need: decrease the modelling effort
    – AADL (Avionics Architecture Description Language) to Altarica model transformation
    – AADL models structured in layers
      • Hardware and allocation: similar to Altarica, easy to transform
      • Functional architecture: more expressive, not so easy to transform…
    – AADL Error Annex
      • AADL special notation for failure propagation models
      • Adapted for Software failure propagation modelling
      • Limited tool-support (by now)
SLIDE 20

Conclusion – Further work

  • Requirement driven engineering
    – Organize the design activities
    – Define what models should be built and what analysis should be performed
  • Models for software dependability
    – Model software more accurately
  • Optimise avionics architecture with respect to several viewpoints:
    – real-time performances, operational reliability, installation, Electro-magnetic Interference, …