DSN 2006 Workshop on Architecting Dependable Systems (WADS) - - PowerPoint PPT Presentation

EADS Corporate Research Centre Germany Page 1 Stefan Schneele June 2006

DSN 2006 Workshop on Architecting Dependable Systems (WADS) Fault-tolerant Smart Sensor Architecture for Integrated Modular Avionics Stefan Schneele, Klaus Echtle, Josef Schalk June 27th, 2006

EADS Corporate Research Centre Germany Page 2 Stefan Schneele June 2006

DECOS – Application Aerospace

SP6-Approach: Electronically Synchronized Flaps

A (time-triggered) bus system will be used between the flap panels instead

• f the mechanical shaft

A System Control Unit (SCU) has to control and monitor the time-triggered communication, instead of the Central Motor Unit For redundancy reason each flap panel will be powered by 2 Motors Cross Shaft Brake to hold system Development and usage of new, smart sensors, interfaces and gateways supporting TTA

Rotary Actuator Cross Shaft Cross Shaft Brake Load Zylinder Motor

EADS Corporate Research Centre Germany Page 3 Stefan Schneele June 2006

Application Aerospace - Work Share

EADS Corporate Research Centre Germany Page 4 Stefan Schneele June 2006

The Challenge

• Build a smart sensor that meets:
• Functional Requirements

– Reliable – Higher Resolution (90° ±0,1° ( 6 ‘) ) – New Single-Turn coverage – Built-In Test capability

• Project Requirements

– Use DECOS Tools & Methods – Integrate DECOS design approach – Use DECOS Hardware

• Industrial Requirements

– Efficient (costs, weight, size, Integration, complexity) – Airworthy

EADS Corporate Research Centre Germany Page 5 Stefan Schneele June 2006

Proof of Airworthiness I

• Reliability Modeling and Analysis of fault

tolerant Flap Control System based on the to be developed DECOS technology

– HW, SW and communication components – Fault tolerant structures: redundancies for fault diagnosis and reconfiguration purposes – Signal diversity for highly fault tolerant flap control system – Reliability analysis and evaluation of flap control system models based on different top events – Probabilities: top events satisfied / not satisfied – Degraded system states:

• ‘fail ^n -operational’ capabilities
• probabilities of degraded system states

EADS Corporate Research Centre Germany Page 6 Stefan Schneele June 2006

Proof of Airworthiness II

• Redundancy Management of fault tolerant

Flap Control System based on the to-be- developed DECOS technology

– Redundancy Management: Assessment of different reconfiguration processes based on a hybrid system model (reliability block diagram and finite state machine).

Identify benefits & risks of system evolution by using DECOS technology

EADS Corporate Research Centre Germany Page 7 Stefan Schneele June 2006

Safety Requirements

• The US Federal Aviation Regulations and the European Joint Aviation

Requirements provide detailed system safety regulations:

• degraded positioning rate of a specific control surface as consequence of one failed

channel.

• The second failure case of our interest is loss of operation of a specific control

surface as consequence of failures in both channels.

• fault regions SFRx:

EADS Corporate Research Centre Germany Page 8 Stefan Schneele June 2006

Evolution of System – Federated Architecture

EADS Corporate Research Centre Germany Page 9 Stefan Schneele June 2006

The Tool - Syrelan

• Developed by Dominick Rehage,

University Hamburg-Harbug

• Supports:

– Reliability Block Diagram (RBD) – Concurrent Finite State Machine (CFSM)

• For:

– Reliability Analysis – Degradation Analysis

CPIOM 3 CPIOM 4 CPIOM 1 CPIOM 2 CPIOM 5 CPIOM 6 Querruder Spoiler Höhenruder THS Seitenruder

CPIOM 1 P2 CPIOM 4 P4 CPIOM 3 P3 CPIOM 2 P1

1.00E-06 1.00E-04 aktiv aktiv aktiv aktiv- eiss h aktiv- eiss h

1.00E-06 1.00E-04 aktiv aktiv aktiv 1.00E-06 1.00E-04 aktiv aktiv passiv- alt k

aktiv passiv-kalt 1.00E-06 1.00E-04 aktiv aktiv 1.00E-05 aktiv 1.00E-05 passiv-kalt 1.00E-05 passiv-kalt 1.00E-07 aktiv 1.00E-04 aktiv 1.00E-04 aktiv 2.10E-05 aktiv 2.10E-05 aktiv 1.00E-07 aktiv 1.00E-06 1.00E-04 passiv- alt k

aktiv- eiss h aktiv 1.00E-04 isoliert 1.00E-06 isoliert

isoliert

aktiv-heiss

aktiv- eiss h 1.00E-04 isoliert

1.00E-04 1.00E-05 isoliert 1.00E-05 aktiv aktiv-heiss

aktiv 1.00E-04 aktiv isoliert isoliert 1.00E-06 isoliert 1.00E-04 aktiv isoliert isoliert 1.00E-04 aktiv

aktiv isoliert

isoliert 1.00E-04 isoliert isoliert 1.00E-04 isoliert 1.00E-05 isoliert 1.00E-05 aktiv aktiv 1.00E-04 aktiv isoliert aktiv isoliert 1.00E-06 isoliert 1.00E-04 aktiv isoliert isoliert 1.00E-04 aktiv isoliert isoliert isoliert 1.00E-04 isoliert 1.00E-05 isoliert 1.00E-07 isoliert 1.00E-04 isoliert 1.00E-04 isoliert 2.10E-05 isoliert 2.10E-05 isoliert 1.00E-07 isoliert

EADS Corporate Research Centre Germany Page 10 Stefan Schneele June 2006

Failure Modes of Conventional Sensor

• Failure Rates of components:

EADS Corporate Research Centre Germany Page 11 Stefan Schneele June 2006

Evolution of System – Integrated Architecture

EADS Corporate Research Centre Germany Page 12 Stefan Schneele June 2006

Design Rules for Smart Sensors – Common Cause Failures

Although the structural reliability numbers of smart sensors can meet the ones conventional systems

additional failure modes are introduced to the system

(COMPLEXITY).

Risk of common modes. For worst-case consideration, the β-Factor - representing

the chance of common cause failures in different channels – is set to 0.4.

Do not receive any data, very few numbers of operational modes suitable simple composition of components Everything should be made as simple as

possible, but not simpler.

EADS Corporate Research Centre Germany Page 13 Stefan Schneele June 2006

Smart Sensor - Components

EADS Corporate Research Centre Germany Page 14 Stefan Schneele June 2006

Position Pick-Off Unit – Software Design

• To achieve fail-safe behavior, usually failure masking with n-out-of-m failure masking

is used efficiency constraints

• The presented architecture can only provide two different values. Therefore an

approach is selected, which is based on an online selftest for failure detection.

EADS Corporate Research Centre Germany Page 15 Stefan Schneele June 2006

DECOS - Integrated Distributed Execution Platform

• Specification of Requirements and Design of:

Communication infrastructure taylored to a DAS (TT or ET) Core Services (DAS-Indep.) C1 Predictable Message Transport C2 Fault-Tolerant Clock Synchronization C3 Strong Fault Isolation C4 Consistent Diagnosis of Failing Nodes Hiding of implementation details from the application, thereby extending the range of implementation choices Time-Triggered Base Architecture Core Services for Interfacing the Time-Triggered (TT) Physical Netw ork

• f the Base Architecture

Communication infrastructure taylored to a DAS (TT or ET) High-Level Services (DAS-Specific)

...

Virtual Network Service Gateway Service

Safety-Critical Subsystem

Job Job Job Job

Non Safety-Critical Subsys

Job Job

Application Code

• App. MW (e.g., CAN)

PI Job Job

Encapsulated Execution

Environment

Virtual Communication Links

and Gateways

Platform Interface Layer

• DECOS = Dependable Embedded

Systems and Components

EADS Corporate Research Centre Germany Page 16 Stefan Schneele June 2006

DECOS - Methods and Tools

• Specification of the Platform

Independent Model (PIM)

– PIM Metamodel, – Design methodology

• Specification of the

Resource Layer

– Hardware specification model

• Software-Hardware

Integration

– Specification of PSM development tool

Platform Independent Model (PIM) Distributed Application Subsystem (DAS)

Integrated HW/SW System (PSM)

SYS Platform Interface (PI) Platform

DAS: Distributed Application Subsystem PIM: Platform Independent Model PSM: Platform Specific Model PI(L):Platform Interface

• Modeling Distributed Application Subsystems

EADS Corporate Research Centre Germany Page 17 Stefan Schneele June 2006

µ-Controller – single point of failure

• Modern µ-Controllers provide suitable operation life-time of

up

• to 20 years in controlled temperature racks.
• Concerning the use in extremely harsh environment with

high amplitude

• f temperature and pressure chances, we expect:
• Self-checks on power-on can be interpreted as frequent

maintenance intervals, making this failure rate plausible.

• This maintenance interval should be equal to the mission

time.

• Redundancy cause of efficiency constraints not a

suitable approach for smart sensing devices

EADS Corporate Research Centre Germany Page 18 Stefan Schneele June 2006

• Failure Rates of components:

Failure Modes of Smart Sensor - Hardware

More states because of Initialization

EADS Corporate Research Centre Germany Page 19 Stefan Schneele June 2006

Benefit of DECOS Technology

• For Reliability Analysis, Smart Sensor must fulfill:

– Fail-safe behavior – appearance as an atomic unit – No failure propagation Guaranteed by DECOS node design (to be proofed)

• Minimization of Design faults and handling of

complexity Addressed by Model based and Hardware Independent system design approach

• Partitioning in time and space domain

Addressed by Encapsulated Execution Environment and Time-Triggered Protocol

EADS Corporate Research Centre Germany Page 20 Stefan Schneele June 2006

Conclusion

• the novel DECOS architecture is applied to a

smart sensor design.

• The justification of the sensor concept was given
• n a structural level.

– sensor design meets the reliability constraints

• a remarkably small subset of components can

fulfill both efficiency and reliability constraints

• This concept is implemented in

real hardware, and evaluated on a realistic test- bench.

EADS Corporate Research Centre Germany Page 21 Stefan Schneele June 2006

Thank you !