Architecture Modeling - SPES 2020

More documents

Recommendations

Info

Architecture Modeling be to extend the assumption of C2.1 by the temperature assumptions of C2.1-T2 and C2.1-T3 which would result in a valid entailment-link. Another option would be to assure the temperature assumptions by contracts of further neighbouring components on the technical level. This would induce that the temperature assumptions are not any more existent in the composition of all contracts on the technical perspective leading again to a valid entailment-link to C2.1. Also, the weak assumption of C2.1.2-T3 leads to a falsification. This problem can be solved analogous to the above mentioned one of the strong assumptions. 5.1.3.4 Satisfaction-Check for a Safety Contract Against a Component Implementation In this section, we elaborate on the question of how a satisfaction check for a component against its contract may be performed for the safety aspect. Satisfaction is the proof obligation for the primitive design step implementation introduced in Section 4. For this, we consider a requirement from the ARP 4761 and use the formalized contract to perform a safety analysis to ensure its satisfaction. The starting point is the FHA (Functional Hazard Analysis) where a number of failure conditions are identified for the system and classified with respect to their impact on the system and the environment (including passengers). These classifications are then used to derive safety requirements that need to be investigated during PSSA (Preliminary Systems Safety Analysis) and SSA (System Safety Analysis). Safety Contract As an example throughout this text we will investigate the following two safety requirements: • No single failure shall lead to loss of wheel braking • Loss of all wheel braking during landing or Rejected Take Off (RTO) shall be less than 5 · 10 −7 per flight. These two requirements can be rewritten as safety contracts in the following form: C3 strong assumption - weak assumption - guarantee Loss of wheel braking shall not be caused by 1 failures C4 strong assumption - weak assumption - guarantee Loss of wheel braking shall not occur during Phase = Landing or Phase = RTO with density higher than 5 · 10 −7 per flight In order to analyse whether an existing model satisfies these two contracts we first have to define the failure condition Loss of wheel braking using a functional pattern. In a simple setting such a formalisation may be done by characterising a safety-critical state (e. g. by specifying that the pressure of the blue line is above a given limit). In this context we will define a contract that implements the above requirement using a RSL (Requirement Specification Language) pattern. The most obvious way to formalise the safety requirement is to state that whenever the pilot pushes the braking pedals, either the green or the blue line have to supply pressure to the wheels subsequently. (Pedal pressed) implies ((Green pressure high) or (Blue pressure high)). 84/ 156
Architecture Modeling However this does not account for the delay that is introduced when the command is propagated through the system until it finally reaches the brake actuators. Instead, we use the following RSL pattern: whenever (Pedal pressed holds during [tr (Pedal pressed), 10 ms]) occurs tr((Green pressure high) or (Blue pressure high)) occurs during [0 ms, 10 ms] This pattern states that whenever the brake pedal is pressed for longer than 10 milliseconds the disjunction from above needs to hold after at most 10 milliseconds. We require the pedals to be pressed for at least 10 milliseconds in order to avoid situations where the pedal is pressed and released over and over again. Otherwise, we run into situations, where one of the different valves along each line is always closed thus blocking the pressure from reaching the wheels. Failure Injection In order to evaluate the system behaviour in case of failures the model has to be extended to reflect the non-nominal behaviour of the system. This is accomplished by injecting a number of (candidate) failures (i. e. failures that might occur) into the model. Again, a pattern-based approach is used to provide a list of failure-mode templates including stuck-at, delay, noise, and random failures. When the provided failure-mode patterns are insufficient, e. g. if the failure affects several model variables in a complex fashion, or the failure makes use of some internal system mode (degraded system mode), it is possible to apply user-defined failures, i. e. failures that are defined using the same modeling formalism employed to specify the nominal system behaviour. In this case, the system ensures that nominal and failure behaviour is separated by requiring the user to specify an input that triggers the failure. The behaviour specification of these failures is merged with the original system model and together they define the extended system model. In the extended model it is possible to switch individual failures on and off in any order and with any amount of time passing between their occurrences. When no failure is active the system behaviour is completely determined by the system model, whereas when one or more failures become active it is altered according to the specified failure pattern. The failure injection was applied to the braking system in the following way: Failures of the electrical and hydraulic power supplies are represented by user-defined failure-modes, since the supplies are modelled as inputs to the model. A user-defined failure-mode may also be applied to the manual mode selection thus modelling wrong behaviour of the pilot. Failures occurring inside the braking system itself are modelled using stuck-at failure modes. We defined stuck-at failure-modes for a variety of variables. Failures of each of the valves are modelled using a stuck-at failure-mode with both states (open and close) as possible values. This way, the failure-mode can force the valve to be stuck in the open position, passing the incoming hydraulic pressure, or stuck close, blocking the pressure. Similarly, the validity signals from the BSCU monitors can either be made stuck true or false. Further failure-modes were created for the braking commands computed by the two redundant BSCU units and the reference commands the monitoring units compute. Another failure-mode was created to model the failure of the switch unit inside the BSCU. Analysis After the safety requirement has been formalized and the system model has been extended with failure-modes it is now possible to perform a fault-tree analysis (FTA). The re- 85/ 156
Page 1 and 2:
Architecture Modeling ∗ Andreas B
Page 3 and 4:
Contents 1 Introduction 1 2 Quick-T
Page 5 and 6:
1 Introduction This document propos
Page 7 and 8:
Architecture Modeling allowing to m
Page 9 and 10:
Architecture Modeling creating a vi
Page 11 and 12:
Architecture Modeling the design it
Page 13 and 14:
Architecture Modeling of the logica
Page 15 and 16:
Architecture Modeling realization o
Page 17 and 18:
Architecture Modeling can usually o
Page 19 and 20:
3 The Architecture Meta-Model In Se
Page 21 and 22:
Abstraction-Levels (detail increase
Page 23 and 24:
3.2.2 Functional Perspective Archit
Page 25 and 26:
Architecture Modeling The semantics
Page 27 and 28:
Architecture Modeling expressed by
Page 29 and 30:
Architecture Modeling computing cap
Page 31 and 32:
3.2.5 Geometrical Perspective Archi
Page 33 and 34:
ShapeCompositionOperator intersecti
Page 35 and 36:
Architecture Modeling The constrain
Page 37 and 38: Architecture Modeling of particular
Page 39 and 40: Architecture Modeling Shape that de
Page 41 and 42: Architecture Modeling Conjugation o
Page 43 and 44: RichComponent Architecture Modeling
Page 45 and 46: MultiplicityElement +part 0..* Rich
Page 47 and 48: ComponentC Architecture Modeling pa
Page 49 and 50: 4 Steps in Component-Based Design T
Page 51 and 52: Architecture Modeling Assume/guaran
Page 53 and 54: Architecture Modeling When specifyi
Page 55 and 56: Architecture Modeling next selectio
Page 57 and 58: Architecture Modeling ports must ha
Page 59 and 60: established if (and only if): Archi
Page 61 and 62: 12°C < tempSelect < 35°C actTemp
Page 63 and 64: Architecture Modeling The component
Page 65 and 66: Architecture Modeling 4.3.2 Establi
Page 67 and 68: Architecture Modeling a mapping is
Page 69 and 70: Architecture Modeling Another impor
Page 71 and 72: 5 Using the Architecture Meta-Model
Page 73 and 74: Architecture Modeling Design proces
Page 75 and 76: Architecture Modeling abstraction l
Page 77 and 78: Pwr1 Pedal_Pos1 Pwr2 Pedal_Pos2 CMD
Page 79 and 80: Architecture Modeling Figure 5.4: O
Page 81 and 82: Architecture Modeling Figure 5.7: L
Page 83 and 84: Architecture Modeling Figure 5.9: T
Page 85 and 86: Architecture Modeling Figure 5.12:
Page 87: Architecture Modeling Figure 5.14:
Page 91 and 92: Architecture Modeling The considera
Page 97 and 98: Architecture Modeling tasks Command
Page 99 and 100: Architecture Modeling of the V, suc
Page 101 and 102: Architecture Modeling thus decorate
Page 103 and 104: Architecture Modeling In summary, P
Page 105 and 106: Architecture Modeling OEMs are incr
Page 107 and 108: Architecture Modeling provide effec
Page 111 and 112: Architecture Modeling patterns, cap
Page 113 and 114: Architecture Modeling 6.1 Syntax an
Page 115 and 116: 6.1.1.1.1 Attribuute Definit tion a
Page 117 and 118: Constrrain Eventts with Co ondition
Page 119 and 120: These events used in the “and the
Page 121 and 122: Formalization: whenever StartButton
Page 123 and 124: Architecture Modeling Basic bloock
Page 125 and 126: 6.1.1.1.1.3 Conditions Conditions c
Page 127 and 128: 6.1.1.1.2.2 Seammless Con ncatenati
Page 129 and 130: e3 && (clk==0) e1 idle pre e1 idle
Page 131 and 132: Pattern whenever event occurs condi
Page 133 and 134: If the brake force is above 80% for
Page 135 and 136: Pattern S3: Failure shall not be ca
Page 137 and 138: Pattern S9: failureCondition failur
Page 139 and 140:
Pattern R2: Event occurs each perio
Page 141 and 142:
idle e1 |clk:=0 e2 && (l
Page 143 and 144:
The function : allocates a singl
Page 145 and 146:
Examplees of clocks: • Run: {c=0@
Page 147 and 148:
Architecture Modeling 1. For σ ∈
Page 149 and 150:
Architecture Modeling Traces accord
Page 151 and 152:
Architecture Modeling Definition 6.
Page 153 and 154:
Architecture Modeling the one given
Page 155 and 156:
Architecture Modeling Decomposition
Page 157 and 158:
Bibliography [1] ARINC 653 - Avioni
Page 159 and 160:
Architecture Modeling [26] Holger G
show all

Architecture Modeling - SPES 2020

Create successful ePaper yourself

Delete template?

Save as template?