Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Safe Allocation of Avionics Shared Resources Gérard Bel, Pierre Bieber, Frédéric Boniol, Charles Castel, Laurent Sagaspe.

Published byBerniece Small Modified over 8 years ago

Similar presentations

Presentation on theme: "1 Safe Allocation of Avionics Shared Resources Gérard Bel, Pierre Bieber, Frédéric Boniol, Charles Castel, Laurent Sagaspe."— Presentation transcript:

1 1 Safe Allocation of Avionics Shared Resources Gérard Bel, Pierre Bieber, Frédéric Boniol, Charles Castel, Laurent Sagaspe

2 2 Overview Integrated Modular Avionics (IMA) –Potential benefits and drawbacks –Terrain Following/Terrain Avoidance Function IMA Resource Allocation Process –Failure Propagation Modelling –Safety Requirements Validation –Independence Constraint Identification –Allocation Constraint Solving Multi-domain Resource Allocation –Real-Time Performances –ElectroMagnetic Interference

3 3 Integrated Modular Avionics – 1/2 Computing and Communicating resources shared by several avionics applications –Civilian aircrafts: B777, A380, B787,... Standards : ARINC 664 (AFDX), ARINC 653 (Real-time OS) –Military aircrafts : F22, Gripen, A400M,... Standards: ASAAC –Potential Benefits Decrease weight of aircraft, maintenance simplification,... –Potential Drawbacks One shared resource failure could lead to the failure of several applications Development is more complex as new teams participate in it

4 4 Integrated Modular Avionics – 2/2 Resource Allocation Process Application Designer IMA team Safety Analyst Can we implement these functions on the IMA architecture and enforce their requirements ? This is an allocation of resources to your functions such that their requirements are enforced Can we implement these functions on this architecture and enforce these requirements ? The functions can be implemented on the architecture and enforce their requirements provided that these allocation constraints are enforced Failure Propagation Model Safety Requirement Validation Independence Constraints Identification Allocation Constraint Solving

5 5 Terrain Following/Terrain Avoidance Computation of –Vertical acceleration –Climb alarm –Consolidated Roll angle Navigation in the vertical plane

6 6 Function and Architecture Description Terrain Following/Terrain Avoidance Function Tasks and Data flows Attributes –Worst Case Transmission/Execution Time, Period –Failure Mode, Severity –… Avionics architecture Interconnected resources –Virtual Communication and Computing resources –Real Bus, Switch, CPU, … –Zones and routes in the Aircraft

7 7 Overview Integrated Modular Avionics (IMA) –Potential benefits and drawbacks –Terrain Following/Terrain Avoidance Function IMA Resource Allocation Process –Failure Propagation Modelling –Safety Requirements Validation –Independence Constraint Identification –Allocation Constraint Solving Multi-domain Resource Allocation –Real-Time Performances –ElectroMagnetic Interference

8 8 Failure Propagation Modeling in AltaRica What is Altarica ? AltaRica model is a set of interconnected nodes Node has 3 parts : variable declarations, transitions and assertions code drawing equivalent automaton Node block flow A,R : bool : in; I : {ok,erroneous,lost} : in; O : {ok,erroneous,lost} : out; state S : {ok,erroneous,lost}; event loss, error; trans S=ok |- loss -> S := lost; S=ok |- error -> S := erroneous; assert O = case{S=ok and R and A: I, S=erroneous and R and A :erroneous, else: lost}; init S := ok; law extern =«constant 1e-4» =«constant 1e-5» edon loss (constant 1e-4) S=ok O = if {R and A } then I else lost S=lost O = lost S=erroneous O = erroneous error (constant 1e-5)

9 9 Failure Propagation Model – 2/2 TF/TA model was built using predefined nodes in an Altarica Library OCAS Tool (Dassault Système) –Model Edition –Interactive Simulation –Safety Tools –Used for Falcon 7X certification

10 10 Safety Requirements – 1/2 Qualitative Safety Requirement: –« No single failure shall cause an undetected erroneous vertical acceleration » In the TF/TA model, an erroneous vertical acceleration is undetected if: VertAccel.O=erroneous and ClimbAlarm=false We are interested in cases where it remains undetected during three consecutive time steps: FC = VertAccel.O=erroneous and ClimbAlarm=false and X (VertAccel.O=erroneous and ClimbAlarm=false) and X X (VertAccel.O=erroneous and ClimbAlarm=false) The TF/TA model should enforce: (F FC) => at_least_ 2_failures

11 11 Safety Requirements - 2/2 Safety Assessment Techniques –OCAS Fault-Tree generation The fault tree can be exported to other tools (Simtree, Arbor,...) to compute minimal cut sets and probabilities –OCAS Sequence Generator Automatic generation of sequence of failure that lead to the violation of Safety Requirements Limit on the number of failures to be considered –Cadence Labs SMV Model-checker Translation from Altarica to SMV Requirement proved by SMV model-checker or Counter-example generated Each technique has an application domain Fault Tree generation: static systems and instantaneous failure conditions Sequence generation: dynamic systems and instantaneous failure conditions Model-checking: dynamic systems and temporal failure conditions

12 12 Independence Assumptions 1/2 Assumptions are needed to prove that Safety Requirements hold The proof is split into two parts Scenario Search: F FC => Scenarii Assumptions: Independence_Assumptions => at_least_2_failures –Scenarii : (F VertAccCmp.fail_error & F ClAlarmCmp.fail_lost) or (F Radar.fail_error & F ClAlarmCmp.fail_lost) or... –Independence_Assumptions: (F VertAccCmp.fail_error & F ClAlarmCmp.fail_lost) => at_least_2_failures and (F Radar.fail_error & F ClAlarmCmp.fail_lost) => at_least_2_failures and...

13 13 Independence Assumptions - 2/2 Segregation constraints are extracted from the independence assumptions: –Example: tasks VertAccCmp and ClAlarmCmp shall fail independently. They shall not share computation resources. –Example: Dataflows VerAcc and Alarm should fail independently. They should not share communication resources Alternative approach for identification of segregation constraints: –Use safety architecture patterns: Command and Monitor architecture Command channel : Navigation,Radar, TFTAPanel, VertAccelComp Monitor channel: RA, Navigation, Emergency Command and Monitor channels shall be segregated: " Navigation,Radar, TFTAPanel, VertAccelComp" and " RA, Navigation, Emergency" should fail independently.

14 14 Allocation Constraints Formalisation of allocation constraints –{0,1} linear inequalities. Variables : –allotc(task,cpu) : {0,1} –allodb(data,bus) : {0,1} –connected(cpu,bus) or connected(bus,cpu) : {0,1} Inequalities –Any task has to be allocated to one and only cpu allotc(t,c1) +…+ allotc(t,cn) = 1 –Two independent tasks should not be allocated to the same cpu allotc(t1,c) + allotc(t2,c) + indep(t1,t2) < 2 allod(t1,c)  allod(t2,c) si indep(t1,t2) = 1 –A connection (C,B) is used if there exists a data flow D and its producing task T such D is allocated to B and T is allocated to C. Criterion –Minimise the number of used connections

15 15 Tool Support for Constraint Solving Generation of constraints Call to solvers (ILOG solver, satzoo) Visualisation of allocations Goal= 8

16 16 Overview Integrated Modular Avionics (IMA) –Potential benefits and drawbacks –Terrain Following/Terrain Avoidance Function IMA Resource Allocation Process –Failure Propagation Modelling –Safety Requirements Validation –Independence Constraint Identification –Allocation Constraint Solving Multi-domain Resource Allocation –Real-Time Performances –ElectroMagnetic Interference

17 17 Multi-Domain Resource Allocation Resource Allocation Process Application Designer IMA team Safety Analyst Allocation Constraint Solving functions, requirements functions, requirements architecture allocation constraints allocation Real-Time Engineer EMI specialist

18 18 Real-Time Performance Viewpoint Scheduling constraints are extracted: –« allocation of tasks to the resources shall not overload the resources » –« allocation of data-flows to communication resources shall enforce end-to-end latencies » Schedulability Analysis (holistic model, worst case ), ILOG solver Discrete Event Simulation (generalized model), Hyperformix Tasks : execution delays for individual tasks (period enforcement) and for groups of tasks (end-to-end latency) Resources: use indicators Schedulabilty Analysis, example: Necessary Condition :  i C i /T i < 1 Sufficient Condition for RMA:  i C i /T i < 0.69

19 19 ElectroMagnetic Interference Viewpoint Quantitative Requirement: –« The probability that dataflow D is lost/erroneous due to ElectroMagnetic Perturbation Is smaller than 10 -x » Place and routing constraints are extracted: –“Communication resource Bus1 should be routed in routes that have less that Y abstract EMI perturbation units” Abstract stochastic model of electromagnetic interference --> computation of an additive measure of EMI perturbation for each zone and route

20 20 Conclusion The proposed approach is consistent with industrial practices –New safety analysis required for IMA design –allocation generation is not used by now Further Work –The approach could also be applied to integrate several applications into a common avionics architecture Associate constraints with each application –Model reuse Use libraries of components and patterns to limit the time/effort to produce viewpoint models Use standard modelling notations: COTRE, AADL,…

Download ppt "1 Safe Allocation of Avionics Shared Resources Gérard Bel, Pierre Bieber, Frédéric Boniol, Charles Castel, Laurent Sagaspe."

Similar presentations

Model-Based Testing with Smartesting Jean-Pierre Schoch Sogetis Second Testing Academy 29 April 2009.

Model-Based Testing with Smartesting Jean-Pierre Schoch Sogetis Second Testing Academy 29 April 2009.
Simulation of Feedback Scheduling Dan Henriksson, Anton Cervin and Karl-Erik Årzén Department of Automatic Control.

Simulation of Feedback Scheduling Dan Henriksson, Anton Cervin and Karl-Erik Årzén Department of Automatic Control.
Avionics Panel Go For Luna Landing! Graham ONeil United Space Alliance March 2008.

Avionics Panel Go For Luna Landing! Graham ONeil United Space Alliance March 2008.
Ch:8 Design Concepts S.W Design should have following quality attribute: Functionality Usability Reliability Performance Supportability (extensibility,

Ch:8 Design Concepts S.W Design should have following quality attribute: Functionality Usability Reliability Performance Supportability (extensibility,
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
1 Translation Validation: From Simulink to C Michael RyabtsevOfer Strichman Technion, Haifa, Israel Acknowledgement: sponsored by a grant from General.

1 Translation Validation: From Simulink to C Michael RyabtsevOfer Strichman Technion, Haifa, Israel Acknowledgement: sponsored by a grant from General.
AltaRica A Formal Language for Event Oriented Modeling A. Rauzy IML/CNRS & ARBoost Technologies Marseilles, France.

AltaRica A Formal Language for Event Oriented Modeling A. Rauzy IML/CNRS & ARBoost Technologies Marseilles, France.
Timed Automata.

Timed Automata.
Department of Computer Science and Engineering University of Washington Brian N. Bershad, Stefan Savage, Przemyslaw Pardyak, Emin Gun Sirer, Marc E. Fiuczynski,

Department of Computer Science and Engineering University of Washington Brian N. Bershad, Stefan Savage, Przemyslaw Pardyak, Emin Gun Sirer, Marc E. Fiuczynski,
Design Concepts and Principles

Design Concepts and Principles
Software system modeling

Software system modeling
Dagstuhl Intro Mike Whalen. 2 Mike Whalen My main goal is to reduce software verification and validation (V&V) cost and increasing.

Dagstuhl Intro Mike Whalen. 2 Mike Whalen My main goal is to reduce software verification and validation (V&V) cost and increasing.
Software Fault Injection for Survivability Jeffrey M. Voas & Anup K. Ghosh Presented by Alison Teoh.

Software Fault Injection for Survivability Jeffrey M. Voas & Anup K. Ghosh Presented by Alison Teoh.
Background information Formal verification methods based on theorem proving techniques and model­checking –to prove the absence of errors (in the formal.

Background information Formal verification methods based on theorem proving techniques and model­checking –to prove the absence of errors (in the formal.
SSP Re-hosting System Development: CLBM Overview and Module Recognition SSP Team Department of ECE Stevens Institute of Technology Presented by Hongbing.

SSP Re-hosting System Development: CLBM Overview and Module Recognition SSP Team Department of ECE Stevens Institute of Technology Presented by Hongbing.
Software Fault Tolerance – The big Picture RTS April 2008 Anders P. Ravn Aalborg University.

Software Fault Tolerance – The big Picture RTS April 2008 Anders P. Ravn Aalborg University.
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 23 Slide 1 Software testing.

©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 23 Slide 1 Software testing.
Design of Fault Tolerant Data Flow in Ptolemy II Mark McKelvin EE290 N, Fall 2004 Final Project.

Design of Fault Tolerant Data Flow in Ptolemy II Mark McKelvin EE290 N, Fall 2004 Final Project.
Software Engineering for Safety : A Roadmap Presentation by: Manu D Vij CS 599 Software Engineering for Embedded Systems.

Software Engineering for Safety : A Roadmap Presentation by: Manu D Vij CS 599 Software Engineering for Embedded Systems.
Architecture and Real Time Systems Lab University of Massachusetts, Amherst An Application Driven Reliability Measures and Evaluation Tool for Fault Tolerant.

Architecture and Real Time Systems Lab University of Massachusetts, Amherst An Application Driven Reliability Measures and Evaluation Tool for Fault Tolerant.

Similar presentations

Ads by Google