Safety Assessment ICAS 2010

Transcription

1 Preliminary Design of Future Reconfigurable IMA Platforms Safety Assessment ICAS 2010 Pierre Bieber, Julien Brunel, Eric Noulard, Claire Pagetti,Thierry Planche, Frédéric Vialard and all the Scarlett partners September 23 th, 2010

2 Outline 1. Reconfiguration for IMA-2G 1. Novelties of IMA-2G 2. Goals of IMA-2G Reconfiguration 3. SCARLETT Reconfiguration Architecture 2. Safety Assessment 1. Goals and Methodology of the assessment 2. Hazard Assessment 3. Model based Safety Assessment Page 2

3 IMA-1G cpiom-3 IOM C1 C2 IOM A429 AFDX A AFDX B cpiom-1 A1 A2 A3 cpiom-1 A1 A2 A3 Cpiom-5 E1 E2 cpiom-7 L1 G1 G2 L2 C1 L3 C2 R3 R2 cpiom-7 R1 G1 G2 Cpiom-5 E1 E2 Avionics world cpiom-2 B1 B2 B3 cpiom-2 B1 B2 B3 IOM cpiom-4 D1 D2 D3 D4 cpiom-4 D1 D2 D3 D4 IOM SCI SCI Open world Page 3

4 IMA-2G Novelties IMA-2G Will separate I/O (RDC) from computing resource (CPM) Will bring enhanced performance enabling a greater number of applications to be hosted on the same module Will allow the reconfiguration on some applications Page 4

5 Scarlett Platform Architecture Principles Avionics world RDC RDC E1 E2 C1 C2 B1 B2 B3 A1 A2 A3 SCI F1 F2 L1 G1 G2 L2 D1 D2 D3 D4 C4 C2 C1 L3 C2 R3 R2 Cabinet 1 R1 D1 D2 D3 D4 SCI G1 G2 A1 A2 A3 Cpm C3 E1 E2 B1 B2 B3 RDC RDC IMA 2G glossary: DME = Distributed Modular electronics RDC = Remote Data Concentrator RPC = Remote Power Controller REU = Remote Electronic Unit CPM = Computing Processing Module Spare = application free resource Open world Page 5

6 Reconfiguration purpose Reconfiguration should not necessarily improve the safety, but it shall not have a negative impact on it Reconfiguration shall improve the operational reliability Limit the number of flight delays, cancellations, diversions caused by a suspected or confirmed fault of a CPM (including the time spent to detect and to correct the fault). Focus on faults of CPM that host applications whose loss has an impact on operational reliability according to the (Minimum Equipment List) MEL Equipment Number for nominal mode Number of failures Condition and limitation Pilot action CPIOM One may be inoperative provided alarm 1 is not raised. CPIOM May be inoperative Switch 8 6 May be inoperative provided alarm 2 is not raised, alarm 3 is not raised. GO IF GO GO IF Other CPIOM not mentioned NO GO Page 6

7 Reconfiguration Architecture Reconfiguration Supervisor 4 Config. Selector Centralised Maintenance SystemS Cabinet Manager Fault Detection Module Test Deactivate CPM 10 Reconf. Sequencer Activate SPR Reconf Monitor Load Network Load SPR 9 Conf Checker Data Loading CPM SPR Network Cabinet Platform Reconfiguration Supervisor a new function which is responsible for taking reconfiguration decision, applying the best reconfiguration and managing reconfiguration information offline (i.e. design time) : elaboration of possible reconfigurations online (operational part) : selection of the best reconfiguration. Page 7

8 Reconfiguration execution overview RS module-3 module-1 C1 C2 A1 A2 A3 4 Config. Selector Reconf. Sequencer CM1 module-8 H1 H2 CM2 module-1 module-9 I1 I2 I3 A1 A2 A3 MEL module-5: NO GO try a reconfiguration 1. Failure detection 2. Selection of a valid configuration 3. Execution of a reconfiguration 4. Verification activities module-5 E1 E2 module-2 B1 B2 B3 module-7 D G1 G2 D D D D D spare-1 D module-7 D G1 G2 module-5 module-8 module-2 E1 E2 B1 B2 B3 CM3 module-4 D1 D2 D3 D4 module-4 D1 D2 D3 D4 CM4 2 3 Module Test Deactivate CPM 5 8 Activate SPR Reconf Monitor CMS 1 Diagnostic agent 6 7 Load Network Load SPR 9 Conf Checker DL The platform reaches a new configuration and all functions execute Page 8

9 Outline 1. Reconfiguration for IMA-2G 1. Novelties of IMA-2G 2. Goals of IMA-2G Reconfiguration 3. SCARLETT Reconfiguration Architecture 2. Safety Assessment 1. Goals and Methodology of the assessment 2. Hazard Assessment 3. Model based Safety Assessment Page 9

10 Safety Assessment Methodology Goal : study and evaluate the impact of the behaviour of the system when functions and CPM fail Safety Assessment WP1.5 Aircraft level requirements WP1.1 High level safety requirements Define Safety requirements for the reconfiguration FHA (functional hazard analysis) systems, hazards safety requirements System level requirements WP1.2 Hazard assessment Study for each function (CMS_fault_detection, CM_module_test, ) the impact on reconfiguration of their misbehaviour Preliminary system safety assessment PSSA (preliminary system safety assessment) Functions allocation safety assessment Preliminary DME architecture WP1.3 Formal model based approach Modelling in AltaRica Exhaustive minimal cut sets Automatic tool (Cecilia OCAS) Page 10

11 Functional Hazard Analysis Safety requirements Loss of reconfiguration: Applications hosted by the faulty CPM are not hosted by a Spare Module (No Safety Effect). Erroneous reconfiguration: Applications hosted by the faulty CPM provide incorrect output due to the reconfiguration (Hazardous to Catastrophic) Hazard Assessment For each function, study the effect on reconfiguration of its loss (no output is computed when it is needed) and its erroneous behaviour (an incorrect output is computed). For function faults that lead to erroneous reconfiguration, study mitigation functions that would limit the impact of these faults. Function Mode Effect Mitigation Fault Detection lost lost Not needed err err Module Test Module Test lost lost Not needed err lost Not needed Page 11

12 Model based approach 1/3 Formal model using AltaRica AltaRica is an automata based approach. Language developed by University of Bordeaux/Labri in the 90s. Numerous tools support AltaRica: OCAS (Dassault Aviation), RAMSES (Airbus), AltaTools (LABRI), Applicable techniques: simulation, sequence generation, fault tree generation, stochastic simulation, Petri nets, Reconfiguration Functions Platform Observers Page 12

13 Model-based approach 2/3 1. Define Component Interfaces num_failed_cpm faulty CPM identity CMS fault detection i1,,i5 Health Status treated CPM fault treated 2. Define Nominal Behaviour 3. Define Dysfunctional Behaviour node CMS_fault_detection node flownode CMS_fault_detection flow num_failed_cpm:0..5:out; flow num_failed_cpm:0..5:out; i1,..,i5:{ok, lost, silent}:in; i1,..,i5:{ok, treated:bool:in; i1,..,i5:{ok, lost, silent}:in; lost, silent}:in; treated:bool:in; state state ds: state {ok, lost, erroneous}; s:{idle, detect, failed}; a: a: 0..5; 0..5; event event event to_idle, trans to detect, to_failed, fail_loss, fail_err; trans trans ij ij = = assert lost and s = idle - to_detect -> -> s s := := detect, a a := := j; j; s s = = detect and treated and not (ij (ij =lost) - - to_idle to_idle -> -> s:= s:= idle, idle, a :=0; a :=0; s s = = init detect and treated and ij ij =lost - -to_failed -> -> s:=failed, s:=failed, a:=0; a:=0; assert ds= ok - fail_loss -> ds := lost; num_cpm_failed ds= extern ok - fail_err = -> a; ds := erroneous; init assert s,a:= num_cpm_failed edon idle,0; = case { extern ds=ok : a, law ds=lost (<event : 0, to_idle>) = "Dirac(0)"; law ds=erroneous (<event to_failed>) and a=0 = "Dirac(0)"; : 0, law ds=erroneous (<event to_detect>) and a=5 = :"Dirac(0)"; 1, edon else a+1 }; init ds:= ok; s,a:= idle,0; extern law (<event to_idle>) = "Dirac(0)"; law (<event to_failed>) = "Dirac(0)"; law (<event to_detect>) = "Dirac(0)"; edon Page 13

14 Model based approach 3/3 Simulation Nominal mode => see demo1 Loss of reconfiguration => see demo2 Sequence generation Example of failure condition: «the reconfiguration system does not impact an healthy platform, meaning that a failure (a series of failures) of the reconfiguration system does not transform a GO situation into a NOGO one» Coding of an observer See demo3 Page 14

15 Results Preliminary Safety Assessment Results Based on the generation of combination of function and equipments faults leading to the selected Failure Conditions Verification of Qualitative Safety Requirements e.g.«no single failure shall lead to the loss of Reconfiguration» Feedback for the Designers Need to address Inadvertent Deactivation of CPM Improve interaction between Module test and Deactivate CPM Off-line configurations Enumeration of the number of configurations Depending on the reconfiguration capabilities (local, reconfigurable spare ) Pierre Bieber, Eric Noulard, Claire Pagetti, Thierry Planche and François Vialard. Preliminary Design of Future Reconfigurable IMA Platforms. In 2nd Workshop on Adaptive and Reconfigurable Embedded Systems (APRES'09), Grenoble, October SIGBED Review, Volume 6, Number 3. Page 15

16 Reconfiguration policy Generic rules for the reconfiguration (defined off-line). Policy 1: no priority among avionics applications. Once a spare has been occupied, no other application can be hosted on this spare. If a spare fails, the hosted applications are not reconfigured. Policy 2: priority level assigned to the applications. Once a spare has been occupied, no other application can be hosted on this spare. A spare is also reconfigurable. Page 16

17 Number of configurations module level reconfiguration Local reconfiguration: a module can only be reconfigured in the same cabinet, with the policy 1 C 0 k sm k k bm Asm c configurations For c=4, bm=5, sm=1 => 1296 configurations Distant reconfiguration: a module can only be reconfigured in the any cabinet, with the policy 1 0 k ( c sm) C c A k bm k c sm configurations For c=4, bm=5, sm=1 => configurations Page 17

18 Perspectives Work in progress Investigation of Segregation Requirements and DAL Way forward Deal with other reconfiguration scenarios (multi-cabinet, in-flight, ) Investigate the impact of network failures THANK YOU FOR YOUR ATTENTION Page 18