Safe Allocation of Avionics Shared Resources - PowerPoint PPT Presentation

About This Presentation
Title:

Safe Allocation of Avionics Shared Resources

Description:

Safe Allocation of Avionics Shared Resources ... Integrated Modular Avionics 1/2. Computing and Communicating resources shared by several avionics applications ... – PowerPoint PPT presentation

Number of Views:183
Avg rating:3.0/5.0
Slides: 21
Provided by: rennesS
Learn more at: http://www.rennes.supelec.fr
Transcript and Presenter's Notes

1
Safe Allocation of Avionics Shared Resources
  • Gérard Bel, Pierre Bieber, Frédéric Boniol,
    Charles Castel, Laurent Sagaspe

2
Overview
  • Integrated Modular Avionics (IMA)
  • Potential benefits and drawbacks
  • Terrain Following/Terrain Avoidance Function
  • IMA Resource Allocation Process
  • Failure Propagation Modelling
  • Safety Requirements Validation
  • Independence Constraint Identification
  • Allocation Constraint Solving
  • Multi-domain Resource Allocation
  • Real-Time Performances
  • ElectroMagnetic Interference

3
Integrated Modular Avionics 1/2
  • Computing and Communicating resources shared by
    several avionics applications
  • Civil aircraft: B777, A380, B787, ...
  • Standards ARINC 664 (AFDX), ARINC 653
    (Real-time OS)
  • Military aircraft: F22, Gripen, A400M, ...
  • Standards ASAAC
  • Potential Benefits
  • Decrease weight of aircraft, maintenance
    simplification, ...
  • Potential Drawbacks
  • One shared resource failure could lead to the
    failure of several applications
  • Development is more complex as new teams
    participate in it

4
Integrated Modular Avionics 2/2
  • Resource Allocation Process
  • Diagram (text recovered from the figure):
    "Can we implement these functions on this
    architecture and enforce these requirements?"
    "Can we implement these functions on the IMA
    architecture and enforce their requirements?"
    "This is an allocation of resources to your
    functions such that their requirements are
    enforced"
    "The functions can be implemented on the
    architecture and enforce their requirements
    provided that these allocation constraints are
    enforced"
    Box: Allocation Constraint Solving
5
Terrain Following/Terrain Avoidance
  • Computation of
  • Vertical acceleration
  • Climb alarm
  • Consolidated Roll angle
  • Navigation in the vertical plane

6
Function and Architecture Description
  • Terrain Following/Terrain Avoidance Function
  • Tasks and Data flows
  • Attributes
  • Worst Case Transmission/Execution Time, Period
  • Failure Mode, Severity

7
Overview
  • Integrated Modular Avionics (IMA)
  • Potential benefits and drawbacks
  • Terrain Following/Terrain Avoidance Function
  • IMA Resource Allocation Process
  • Failure Propagation Modelling
  • Safety Requirements Validation
  • Independence Constraint Identification
  • Allocation Constraint Solving
  • Multi-domain Resource Allocation
  • Real-Time Performances
  • ElectroMagnetic Interference

8
Failure Propagation Modeling in AltaRica
  • What is AltaRica?
  • An AltaRica model is a set of interconnected nodes
  • A node has three parts: variable declarations,
    transitions and assertions
  • Example: code of a "block" node and its
    equivalent automaton

    node block
      flow  A, R : bool : in;
            I : {ok, erroneous, lost} : in;
            O : {ok, erroneous, lost} : out;
      state S : {ok, erroneous, lost};
      event loss, error;
      trans
        S = ok |- loss  -> S := lost;
        S = ok |- error -> S := erroneous;
      assert
        O = case { S = ok and R and A        : I,
                   S = erroneous and R and A : erroneous,
                   else lost };
      init S := ok;
      extern law <event loss>  = constant 1e-4;
             law <event error> = constant 1e-5;
    edon

    Equivalent automaton:
      S = ok        : O = if R and A then I else lost
        -- loss  (constant 1e-4) --> S = lost      : O = lost
        -- error (constant 1e-5) --> S = erroneous : O = erroneous
9
Failure Propagation Model 2/2
  • The TF/TA model was built using predefined nodes
    from an AltaRica library
  • OCAS Tool (Dassault Systèmes)
  • Model editing
  • Interactive simulation
  • Safety Tools
  • Used for Falcon 7X certification

10
Safety Requirements 1/2
  • Qualitative Safety Requirement
  • No single failure shall cause an undetected
    erroneous vertical acceleration
  • In the TF/TA model, an erroneous vertical
    acceleration is undetected if
    VertAccel.O = erroneous and ClimbAlarm = false
  • We are interested in cases where it remains
    undetected during three consecutive time steps
    (X is the temporal "next step" operator, F "eventually")
  • FC = (VertAccel.O = erroneous and ClimbAlarm = false)
    and X (VertAccel.O = erroneous and ClimbAlarm = false)
    and X X (VertAccel.O = erroneous and ClimbAlarm = false)
  • The TF/TA model should enforce
  • (F FC) -> at_least_2_failures

11
Safety Requirements - 2/2
  • Safety Assessment Techniques
  • OCAS Fault-Tree generation
  • The fault tree can be exported to other tools
    (Simtree, Arbor,...) to compute minimal cut sets
    and probabilities
  • OCAS Sequence Generator
  • Automatic generation of the sequences of failures
    that lead to the violation of Safety Requirements
  • Limit on the number of failures to be considered
  • Cadence Labs SMV Model-checker
  • Translation from Altarica to SMV
  • Requirement proved by SMV model-checker or
    Counter-example generated
  • Each technique has an application domain
  • Fault tree generation: static systems and
    instantaneous failure conditions
  • Sequence generation: dynamic systems and
    instantaneous failure conditions
  • Model-checking: dynamic systems and temporal
    failure conditions

12
Independence Assumptions 1/2
  • Assumptions are needed to prove that Safety
    Requirements hold
  • The proof is split into two parts
  • Scenario search: (F FC) -> Scenarii
  • Assumptions: Independence_Assumptions ->
    at_least_2_failures
  • Scenarii =
  • (F VertAccCmp.fail_error and F ClAlarmCmp.fail_lost)
  • or (F Radar.fail_error and F ClAlarmCmp.fail_lost)
  • or ...
  • Independence_Assumptions =
  • (F VertAccCmp.fail_error and F ClAlarmCmp.fail_lost)
    -> at_least_2_failures
  • and (F Radar.fail_error and F ClAlarmCmp.fail_lost)
    -> at_least_2_failures
  • and ...

13
Independence Assumptions - 2/2
  • Segregation constraints are extracted from the
    independence assumptions
  • Example
  • Tasks VertAccCmp and ClAlarmCmp shall fail
    independently: they shall not share computation
    resources
  • Example
  • Dataflows VerAcc and Alarm should fail
    independently. They should not share
    communication resources
  • Alternative approach for identification of
    segregation constraints
  • Use safety architecture patterns Command and
    Monitor architecture
  • Command channel Navigation,Radar, TFTAPanel,
    VertAccelComp
  • Monitor channel RA, Navigation, Emergency
  • Command and Monitor channels shall be segregated:
    {Navigation, Radar, TFTAPanel, VertAccelComp} and
    {RA, Navigation, Emergency} should fail
    independently
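The scenario search of slides 10 and 12 and the segregation constraints it yields (slide 13), as an added Python example that is not part of the presentation nor of the OCAS/SMV tooling: the component chain, the alarm logic and the failure events are constructed for this example, only the component and event names follow the slides.

```python
from itertools import combinations

# Constructed failure-propagation model in the style of the AltaRica "block"
# node: each component is ok, erroneous or lost and its output is computed
# from its inputs. Topology and alarm logic are assumptions for this example.
EVENTS = {"Radar.fail_error": ("Radar", "erroneous"),
          "VertAccCmp.fail_error": ("VertAccCmp", "erroneous"),
          "VertAccCmp.fail_lost": ("VertAccCmp", "lost"),
          "ClAlarmCmp.fail_lost": ("ClAlarmCmp", "lost"),
          "ClAlarmCmp.fail_error": ("ClAlarmCmp", "erroneous")}

def block(state, inp):
    """Assertion of the block node: pass the input through when ok,
    otherwise emit the component's own failure mode."""
    return inp if state == "ok" else state

def evaluate(failed):
    """Propagate the failure events and return (VertAccel.O, ClimbAlarm)."""
    state = {"Radar": "ok", "VertAccCmp": "ok", "ClAlarmCmp": "ok"}
    for ev in sorted(failed):      # sorted: deterministic if one component has 2 events
        comp, mode = EVENTS[ev]
        state[comp] = mode
    vert_accel = block(state["VertAccCmp"], block(state["Radar"], "ok"))
    # Monitor: a healthy alarm computer raises the alarm when VertAccel is
    # not ok, a lost one stays silent, an erroneous one raises it spuriously.
    alarm = {"ok": vert_accel != "ok", "lost": False,
             "erroneous": True}[state["ClAlarmCmp"]]
    return vert_accel, alarm

def undetected_erroneous(failed):
    """Failure condition FC: VertAccel.O = erroneous and ClimbAlarm = false."""
    vert_accel, alarm = evaluate(failed)
    return vert_accel == "erroneous" and not alarm

def scenarios(max_failures=2):
    """Bounded scenario search: minimal failure combinations reaching FC."""
    found = []
    for k in range(1, max_failures + 1):
        for combo in combinations(sorted(EVENTS), k):
            cut = frozenset(combo)
            if undetected_erroneous(cut) and not any(c < cut for c in found):
                found.append(cut)
    return found

def segregation_pairs(max_failures=2):
    """Independence assumptions as segregation constraints: the two
    components of each two-failure scenario must not share a cpu."""
    pairs = set()
    for cut in scenarios(max_failures):
        comps = sorted({EVENTS[ev][0] for ev in cut})
        if len(cut) == 2 and len(comps) == 2:
            pairs.add(tuple(comps))
    return pairs
```

With one failure no scenario reaches FC, so the qualitative requirement holds provided the two pairs returned by `segregation_pairs()` really fail independently.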

14
Allocation Constraints
  • Formalisation of allocation constraints as
    0/1 linear inequalities
  • Variables
  • allotc(task,cpu) ∈ {0,1}
  • allodb(data,bus) ∈ {0,1}
  • connected(cpu,bus) or connected(bus,cpu) ∈ {0,1}
  • Inequalities
  • Any task has to be allocated to one and only one cpu
  • allotc(t,c1) + ... + allotc(t,cn) = 1
  • Two independent tasks shall not be allocated to
    the same cpu
  • allotc(t1,c) + allotc(t2,c) + indep(t1,t2) ≤ 2
  • allotc(t1,c) ? allotc(t2,c) if indep(t1,t2) = 1
  • A connection (C,B) is used if there exists a data
    flow D and its producing task T such that D is
    allocated to B and T is allocated to C
  • Criterion
  • Minimise the number of used connections
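The allocation constraints of this slide worked on a small constructed problem, as an added example (not the authors' constraint generator, which calls an ILP or SAT solver): task, cpu, bus and data flow names and the independent pairs are assumptions, and the tiny instance is solved by exhaustive enumeration instead of a solver.

```python
from itertools import product

# Constructed TF/TA allocation problem: tasks, the data flow each task
# produces, and the pairs of tasks that must fail independently (as derived
# from the independence assumptions). All names are assumptions.
TASKS = ["Radar", "VertAccCmp", "ClAlarmCmp", "Navigation"]
CPUS = ["cpu1", "cpu2", "cpu3"]
BUSES = ["bus1", "bus2"]
PRODUCER = {"RadarData": "Radar", "VertAcc": "VertAccCmp", "Alarm": "ClAlarmCmp"}
INDEP = [("Radar", "ClAlarmCmp"), ("VertAccCmp", "ClAlarmCmp")]

def respects_segregation(allotc):
    """allotc(t1,c) + allotc(t2,c) <= 1 for every independent pair:
    two tasks that must fail independently never share a cpu."""
    return all(allotc[t1] != allotc[t2] for t1, t2 in INDEP)

def used_connections(allotc, allodb):
    """A connection (C,B) is used when a data flow D is on bus B and its
    producing task is on cpu C."""
    return {(allotc[PRODUCER[d]], b) for d, b in allodb.items()}

def solve():
    """Exhaustive 0/1 search. Choosing one cpu per task encodes
    sum_c allotc(t,c) = 1 (likewise one bus per data flow); candidates
    violating segregation are dropped; the number of used connections
    is minimised. Returns (cost, allotc, allodb)."""
    best = None
    for cpus in product(CPUS, repeat=len(TASKS)):
        allotc = dict(zip(TASKS, cpus))
        if not respects_segregation(allotc):
            continue
        for buses in product(BUSES, repeat=len(PRODUCER)):
            allodb = dict(zip(PRODUCER, buses))
            cost = len(used_connections(allotc, allodb))
            if best is None or cost < best[0]:
                best = (cost, allotc, allodb)
    return best
```

The optimum keeps ClAlarmCmp away from Radar and VertAccCmp, puts the latter two on one cpu and their flows on one bus, so only two cpu/bus connections are needed.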

15
Tool Support for Constraint Solving
  • Generation of constraints
  • Call to solvers (ILOG solver, satzoo)
  • Visualisation of allocations

16
Overview
  • Integrated Modular Avionics (IMA)
  • Potential benefits and drawbacks
  • Terrain Following/Terrain Avoidance Function
  • IMA Resource Allocation Process
  • Failure Propagation Modelling
  • Safety Requirements Validation
  • Independence Constraint Identification
  • Allocation Constraint Solving
  • Multi-domain Resource Allocation
  • Real-Time Performances
  • ElectroMagnetic Interference

17
Multi-Domain Resource Allocation
  • Resource Allocation Process
  • Diagram labels (text recovered from the figure):
    functions, requirements, architecture -> Safety Analyst
    -> allocation constraints -> Allocation Constraint Solving
    -> allocation
18
Real-Time Performance Viewpoint
  • Schedulability analysis, example:
  • Necessary condition: Σi Ci/Ti ≤ 1
  • Sufficient condition for RMA: Σi Ci/Ti ≤ 0.69
  • Task execution delays for individual tasks
    (period enforcement) and for groups of tasks
    (end-to-end latency); resource use indicators
  • Schedulability Analysis (holistic model, worst
    case), ILOG solver
  • Discrete Event Simulation (generalized model),
    Hyperformix
  • Scheduling constraints are extracted
  • allocation of tasks to the resources shall not
    overload the resources
  • allocation of data-flows to communication
    resources shall enforce end-to-end latencies
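The two utilisation bounds of this slide, followed by the exact response-time analysis that decides the task sets falling between them, as an added Python example: the task set is constructed, and the analysis is the standard rate-monotonic one rather than the holistic model or the tools named on the slide.

```python
from math import ceil

# Constructed task set for one IMA cpu: name -> (Ci, Ti), Ci the worst case
# execution time and Ti the period, both in ms. Values are assumptions.
TASKS = {"Radar": (20, 50), "VertAccCmp": (30, 100), "ClAlarmCmp": (25, 150)}

def utilisation(tasks):
    """Processor utilisation sum_i Ci/Ti."""
    return sum(c / t for c, t in tasks.values())

def necessary_condition(tasks):
    """sum Ci/Ti <= 1: when this fails the cpu is overloaded whatever the scheduler."""
    return utilisation(tasks) <= 1.0

def rma_sufficient_condition(tasks):
    """Liu and Layland bound n(2^(1/n) - 1) for rate-monotonic priorities;
    the slide's 0.69 is its limit for a large number of tasks."""
    n = len(tasks)
    return utilisation(tasks) <= n * (2 ** (1 / n) - 1)

def response_times(tasks):
    """Exact response-time analysis with rate-monotonic priorities (shorter
    period = higher priority), used for the gap between the two bounds."""
    ordered = sorted(tasks.items(), key=lambda kv: kv[1][1])
    result = {}
    for i, (name, (c, t)) in enumerate(ordered):
        r = c
        while True:
            # Interference from every higher-priority task released within r
            r_next = c + sum(ceil(r / tj) * cj for _, (cj, tj) in ordered[:i])
            if r_next == r or r_next > t:   # fixed point reached, or deadline missed
                result[name] = r_next
                break
            r = r_next
    return result

def schedulable(tasks):
    """Necessary bound, then sufficient bound, then exact analysis."""
    if not necessary_condition(tasks):
        return False
    if rma_sufficient_condition(tasks):
        return True
    return all(r <= tasks[n][1] for n, r in response_times(tasks).items())
```

The constructed set has a utilisation of about 0.87: above the sufficient bound, so only the response-time analysis shows that every task still meets its period.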

19
ElectroMagnetic Interference Viewpoint
  • Quantitative Requirement
  • The probability that dataflow D is
    lost/erroneous due to electromagnetic
    perturbation is smaller than 10^-x
  • Abstract stochastic model of electromagnetic
    interference
  • -> computation of an additive measure of EMI
    perturbation for each zone and route
  • Placement and routing constraints are extracted
  • Communication resource Bus1 should be routed in
    routes that have less than Y abstract EMI
    perturbation units

20
Conclusion
  • The proposed approach is consistent with
    industrial practices
  • New safety analysis required for IMA design
  • Allocation generation is not used so far
  • Further Work
  • The approach could also be applied to integrate
    several applications into a common avionics
    architecture
  • Associate constraints with each application
  • Model reuse
  • Use libraries of components and patterns to limit
    the time/effort to produce viewpoint models
  • Use standard modelling notations COTRE, AADL,