An Integrated Process for FDIR Design in Aerospace

An Integrated Process for FDIR Design in
Aerospace
Fondazione Bruno Kessler, Trento, Italy
Benjamin Bittner, Marco Bozzano, Alessandro Cimatti,
Marco Gario
Thales Alenia Space,France
Regis de Ferluc
Thales Alenia Space,Italy
Andrea Guiotto
European Space Agency, ESA-ESTEC,
Noordwijk - The Netherlands
Yuri Yushtein
IMBSA 2014; October 29, 2014; Munich, Germany
Outline
1
Background and Motivations
2
The FAME Project
3
The FAME Process
4
Tool Support
5
Industrial Evaluation
6
Conclusions
FAME: An Integrated Process for FDIR Design in Aerospace
IMBSA 2014
2/41
Outline
1
Background and Motivations
2
The FAME Project
3
The FAME Process
4
Tool Support
5
Industrial Evaluation
6
Conclusions
FAME: An Integrated Process for FDIR Design in Aerospace
IMBSA 2014
3/41
Domain: Highly Dependable Systems
Aircraft: safety
Very complex system: HW/SW
interaction, fly-by-wire, etc.
Complex safety critical system:
‘a system whose safety cannot be
shown solely by test, whose logic is
difficult to comprehend without the
aid of analytical tools . . . and that
might directly or indirectly
contribute to put human lives at
risk, damage the environment, or
cause big economical losses’ [SAE
ARP4754]
FAME: An Integrated Process for FDIR Design in Aerospace
IMBSA 2014
4/41
Domain: Highly Dependable Systems
ExoMars Rover: autonomy, availability
4 to 21 min. for radio latency to earth
infrequent communication opportunities
(one or two short sessions per Martian day)
Autonomous Transfer Vehicle (ATV):
autonomy and safety
fully-automated navigation and docking to ISS
human-rated requirements for safety (of ISS)
⇒ multi-failure tolerance (1 MLOC of control code)
FAME: An Integrated Process for FDIR Design in Aerospace
IMBSA 2014
5/41
Extreme Dependability!
Requirements
Correct system operation increasingly relies on the ability
to detect and recover from faults
Faults are costly and may severely damage reputations:
Ariane 5 crash in 1996 due to arithmetic overflow
Launch failure of recent Phobos-Grunt sample return
mission
FAME: An Integrated Process for FDIR Design in Aerospace
IMBSA 2014
6/41
Extreme Dependability!
Requirements
Correct system operation increasingly relies on the ability
to detect and recover from faults
Faults are costly and may severely damage reputations:
Ariane 5 crash in 1996 due to arithmetic overflow
Launch failure of recent Phobos-Grunt sample return
mission
Challenges
Rigorous design support and analysis techniques are needed
Bugs must be found as early as possible in the design process
Effectiveness and coverage of Fault Detection, Isolation and Recovery
(FDIR) measures must be ensured
FAME: An Integrated Process for FDIR Design in Aerospace
IMBSA 2014
6/41
The COMPASS Project (2008-2011)
COMPASS Consortium
Funded by the European Space Agency
Consortium: RWTH Aachen Univ., FBK, Thales Alenia Space France
FAME: An Integrated Process for FDIR Design in Aerospace
IMBSA 2014
7/41
The COMPASS Project (2008-2011)
COMPASS Consortium
Funded by the European Space Agency
Consortium: RWTH Aachen Univ., FBK, Thales Alenia Space France
The COMPASS Goal in a Nutshell
Develop a model-based approach to system-software co-engineering while
focusing on a coherent set of modeling and analysis techniques for
evaluating system-level correctness, safety, dependability, and performance
of on-board computer-based aerospace systems
FAME: An Integrated Process for FDIR Design in Aerospace
IMBSA 2014
7/41
The COMPASS Project (2008-2011)
COMPASS Consortium
Funded by the European Space Agency
Consortium: RWTH Aachen Univ., FBK, Thales Alenia Space France
The COMPASS Goal in a Nutshell
Develop a model-based approach to system-software co-engineering while
focusing on a coherent set of modeling and analysis techniques for
evaluating system-level correctness, safety, dependability, and performance
of on-board computer-based aerospace systems
COMPASS Contributions
Modeling formalism: variant of AADL called SLIM
System-Level Integrated Modeling Language)
Verification methodology based on state-of-the-art formal methods
Toolset supporting the analysis of AADL models
FAME: An Integrated Process for FDIR Design in Aerospace
IMBSA 2014
7/41
Outline
1
Background and Motivations
2
The FAME Project
3
The FAME Process
4
Tool Support
5
Industrial Evaluation
6
Conclusions
FAME: An Integrated Process for FDIR Design in Aerospace
IMBSA 2014
8/41
The FAME Project
FAME
FDIR Development and Verification and Validation Process
FAME: An Integrated Process for FDIR Design in Aerospace
IMBSA 2014
9/41
The FAME Project
FAME
FDIR Development and Verification and Validation Process
Funding & Supervision
European Space Agency
FAME: An Integrated Process for FDIR Design in Aerospace
IMBSA 2014
9/41
The FAME Project
FAME
FDIR Development and Verification and Validation Process
Funding & Supervision
European Space Agency
Consortium
Thales Alenia Space Italy, Thales Alenia Space France, FBK
FAME: An Integrated Process for FDIR Design in Aerospace
IMBSA 2014
9/41
The FAME Project
FAME
FDIR Development and Verification and Validation Process
Funding & Supervision
European Space Agency
Consortium
Thales Alenia Space Italy, Thales Alenia Space France, FBK
Timeline: FBK participation in ESA Projects
FAME: An Integrated Process for FDIR Design in Aerospace
IMBSA 2014
9/41
Fault Detection, Isolation and Recovery
FDIR
The FDIR (Fault Detection, Isolation and Recovery) sub-system is an
essential block of safety-critical systems
It runs online, in parallel with the system
The FDIR block must be able to detect, and recover from,
malfunctions
Needed to ensure fault tolerance of the system, and prevent the
occurrence of safety hazards
FAME: An Integrated Process for FDIR Design in Aerospace
IMBSA 2014
10/41
Fault Detection, Isolation and Recovery
FDIR
The FDIR (Fault Detection, Isolation and Recovery) sub-system is an
essential block of safety-critical systems
It runs online, in parallel with the system
The FDIR block must be able to detect, and recover from,
malfunctions
Needed to ensure fault tolerance of the system, and prevent the
occurrence of safety hazards
Goals of FDIR
Fault detection: identify malfunctions
Fault isolation: precisely identify the fault responsible for a
malfunction
Fault recovery: recover after a fault has occurred, e.g. reconfiguring
the system or switching operational mode
FAME: An Integrated Process for FDIR Design in Aerospace
IMBSA 2014
10/41
Fault Detection, Isolation and Recovery
Challenges of FDIR Design
Complexity of the underlying system
Number of possible faults
Dynamics of faults and their interaction
FAME: An Integrated Process for FDIR Design in Aerospace
IMBSA 2014
11/41
Fault Detection, Isolation and Recovery
Challenges of FDIR Design
Complexity of the underlying system
Number of possible faults
Dynamics of faults and their interaction
Limitations of Existing FDIR Designs
Ad-hoc solutions, based on experience and past projects
Developed late in the design process, when systems RAMS analyses
(e.g. FTA and FMEA) become available
Poorly phased: they do not cover full FDIR lifecycle
FAME: An Integrated Process for FDIR Design in Aerospace
IMBSA 2014
11/41
FAME
The FAME Goal in a Nutshell
Develop a comprehensive and coherent FDIR design methodology and
process, able to deal with limitations and shortcomings of existing practices
FAME: An Integrated Process for FDIR Design in Aerospace
IMBSA 2014
12/41
FAME
The FAME Goal in a Nutshell
Develop a comprehensive and coherent FDIR design methodology and
process, able to deal with limitations and shortcomings of existing practices
FAME Contributions
Dedicated and coherent FDIR development methodology
FDIR Development and V&V Process encompassing the full FDIR
lifecycle, and enabling a consistent and timely FDIR conception,
development, V&V
Dedicated formalisms for modeling failure propagation:
Timed Failure Propagation Graphs (TFPGs)
FAME Environment: a tool – based on COMPASS – implementing
the methodology and process
Demonstration and evaluation of the approach on case studies
FAME: An Integrated Process for FDIR Design in Aerospace
IMBSA 2014
12/41
Timed Failure Propagation Graphs
An Example TFPG
FAME: An Integrated Process for FDIR Design in Aerospace
IMBSA 2014
13/41
Outline
1
Background and Motivations
2
The FAME Project
3
The FAME Process
4
Tool Support
5
Industrial Evaluation
6
Conclusions
FAME: An Integrated Process for FDIR Design in Aerospace
IMBSA 2014
14/41
The FAME Process
FAME Process – Instantiation onto ESA ECSS Standards
FAME: An Integrated Process for FDIR Design in Aerospace
IMBSA 2014
15/41
The FAME Process
FAME Process – Flow View
Process Steps
Analyze User Requirements
Define Partitioning /
Allocation
Define FDIR Objectives and
Strategies
Perform Timed Fault
Propagation Analysis
Design
Implement FDIR, V&V
FAME: An Integrated Process for FDIR Design in Aerospace
IMBSA 2014
16/41
The FAME Process
Analyze User Requirements
FAME Process – Flow View
Collection and analysis of user
requirements, e.g. RAMS and
autonomy
Classification of failures,
identification of FDIR levels
and components to be re-used
Derivation of FDIR objectives
and FDIR strategies
Building of Mission Phase /
Spacecraft Operational Mode
matrix
FAME: An Integrated Process for FDIR Design in Aerospace
IMBSA 2014
17/41
The FAME Process
FAME Process – Flow View
Define Partitioning / Allocation
Allocation of requirements per
Mission Phase / Spacecraft
Operational Mode
Modeling of the FDIR
architecture
Definition of functional
decomposition, HW/SW
partitioning, redundancy
needs, integration of existing
components
FAME: An Integrated Process for FDIR Design in Aerospace
IMBSA 2014
18/41
The FAME Process
FAME Process – Flow View
Define FDIR Objectives and
Strategies
Specification of FDIR
objectives (required behavior
in presence of failures)
Specification of FDIR
strategies (functional steps to
be performed)
FAME: An Integrated Process for FDIR Design in Aerospace
IMBSA 2014
19/41
The FAME Process
FAME Process – Flow View
Perform Timed Fault
Propagation Analysis
TFPG modeling / synthesis
Analyze completeness of the
TFPG wrt the system model
(behavioral validation)
Analyze suitability of TFPG as
a model for diagnosis
(effectiveness validation)
FAME: An Integrated Process for FDIR Design in Aerospace
IMBSA 2014
20/41
The FAME Process
FAME Process – Flow View
Design
Definition of the detailed FDIR
implementation, e.g. FDIR
parameters to be monitored,
ranges, isolation and
reconfiguration actions
Define detailed SW
specification
FAME: An Integrated Process for FDIR Design in Aerospace
IMBSA 2014
21/41
The FAME Process
FAME Process – Flow View
Implement FDIR, V&V
Implementation of FDIR in
HW/SW
V&V via testing campaign at
different levels
FAME: An Integrated Process for FDIR Design in Aerospace
IMBSA 2014
22/41
Outline
1
Background and Motivations
2
The FAME Project
3
The FAME Process
4
Tool Support
5
Industrial Evaluation
6
Conclusions
FAME: An Integrated Process for FDIR Design in Aerospace
IMBSA 2014
23/41
The FAME Environment
The FAME Environment
Built on top of the COMPASS toolset
Modeling in SLIM
Formal verification based on model checking
FAME: An Integrated Process for FDIR Design in Aerospace
IMBSA 2014
24/41
The FAME Environment
The FAME Environment
Built on top of the COMPASS toolset
Modeling in SLIM
Formal verification based on model checking
Technical Solutions
Routines implemented in FBK model checking tools:
TFPG validation and synthesis
Synthesis of FD using techniques for belief exploration
Synthesis of FR using techniques for model-based planning
FAME: An Integrated Process for FDIR Design in Aerospace
IMBSA 2014
24/41
The FAME Environment: Main Functionality
Mission and FDIR Specification
Definition of mission phases and operational modes
Definition of spacecraft configurations
Definition of FD and FR requirements (alarms and recovery targets)
FAME: An Integrated Process for FDIR Design in Aerospace
IMBSA 2014
25/41
The FAME Environment: Main Functionality
Mission and FDIR Specification
Definition of mission phases and operational modes
Definition of spacecraft configurations
Definition of FD and FR requirements (alarms and recovery targets)
Fault Propagation Analysis
Modeling of TFPGs
Behavioral validation of TFPGs
Effectiveness validation of TFPGs
Synthesis of TFPGs
FAME: An Integrated Process for FDIR Design in Aerospace
IMBSA 2014
25/41
The FAME Environment: Main Functionality
Mission and FDIR Specification
Definition of mission phases and operational modes
Definition of spacecraft configurations
Definition of FD and FR requirements (alarms and recovery targets)
Fault Propagation Analysis
Modeling of TFPGs
Behavioral validation of TFPGs
Effectiveness validation of TFPGs
Synthesis of TFPGs
FDIR Synthesis
Synthesis of FD from a TFPG
Synthesis of FR
FAME: An Integrated Process for FDIR Design in Aerospace
IMBSA 2014
25/41
The FAME Environment: Flow
FAME: An Integrated Process for FDIR Design in Aerospace
IMBSA 2014
26/41
The FAME Environment: Support for FAME Process
The FAME Environment supports the FAME Process
FAME: An Integrated Process for FDIR Design in Aerospace
IMBSA 2014
27/41
Licensing
Licensing
FAME tool
Freely available for ESA member states
Released under variant of GPL (GNU Public License) – restriction to
ESA member states + some backends released under FBK’s
Additional Components License
Needs ESA approval for export outside ESA member states
Tool Download
http://es.fbk.eu/projects/fame
FAME: An Integrated Process for FDIR Design in Aerospace
IMBSA 2014
28/41
Outline
1
Background and Motivations
2
The FAME Project
3
The FAME Process
4
Tool Support
5
Industrial Evaluation
6
Conclusions
FAME: An Integrated Process for FDIR Design in Aerospace
IMBSA 2014
29/41
Case Study
Case Study: EXOMARS Trace Gas Orbiter (TGO)
Will be launched in 2016 and will arrive at Mars 9 month later
Rich mission
During transit to Mars : provide services to the Entry Descent Module
Atmosphere entry / Orbit Insertion after EDM ejection
Science and data acquisition
2018 : new Rover support
Complex mission = Complex FDIR
Autonomy
Mission phase dependent
Fail Operational / Fail Safe
strategies
Hot / Cold redundancies
FAME: An Integrated Process for FDIR Design in Aerospace
IMBSA 2014
30/41
Case Study Evaluation: Safety Analysis
FAME: An Integrated Process for FDIR Design in Aerospace
IMBSA 2014
31/41
Case Study Evaluation: TFPG Modeling and
Validation
FAME: An Integrated Process for FDIR Design in Aerospace
IMBSA 2014
32/41
Case Study Evaluation: FDIR Requirements
FAME: An Integrated Process for FDIR Design in Aerospace
IMBSA 2014
33/41
Case Study Evaluation: FDIR Specification
FAME: An Integrated Process for FDIR Design in Aerospace
IMBSA 2014
34/41
Case Study Evaluation: Synthesis of FD and FR
FAME: An Integrated Process for FDIR Design in Aerospace
IMBSA 2014
35/41
Case Study Evaluation Results: Process
Plus
Process suitable for industrial usage, coherent with standards and
lifecycle
Benefits in early phases, when FDIR is not yet defined
Formal models clarify design and prevent misinterpretations
Synthesized FDIR models as a good starting point to implement
HW/SW
FDIR specification similar to the one developed in the ExoMars
project; FAME produced richer results in terms of fault propagation
Minus
Need to consolidate approach when analyzing multiple failures
FAME: An Integrated Process for FDIR Design in Aerospace
IMBSA 2014
36/41
Case Study Evaluation Results: Technology
Plus
Good characterization of the system in SLIM
TFPG formalism adequate to model fault propagation
Timing information in TFPGs well understood
Minus
Notion of modes in TFPGs to be further investigated
State-space explosion may hinder tool applicability – suggestion to
explore contract-based design
FAME: An Integrated Process for FDIR Design in Aerospace
IMBSA 2014
37/41
Case Study Evaluation Results: Environment
Plus
FAME environment adequately supports the FAME process
Structure of synthesized TFPG identical to the manually designed one
Minus
Traceability of requirements desired
Model translation from existing formalisms into SLIM desired
FAME: An Integrated Process for FDIR Design in Aerospace
IMBSA 2014
38/41
Outline
1
Background and Motivations
2
The FAME Project
3
The FAME Process
4
Tool Support
5
Industrial Evaluation
6
Conclusions
FAME: An Integrated Process for FDIR Design in Aerospace
IMBSA 2014
39/41
Summary and Future Work
Summary
FAME provides a novel, model-based, dedicated process for FDIR
development, V&V, that can be integrated with the existing FDIR
lifecycle
FAME methodology and process enable a consistent and timely FDIR
conception, development, V&V
Formal methods ensure a high level of rigor and consistency
The FAME process and tool have been successfully evaluated in an
industrial context
FAME: An Integrated Process for FDIR Design in Aerospace
IMBSA 2014
40/41
Summary and Future Work
Summary
FAME provides a novel, model-based, dedicated process for FDIR
development, V&V, that can be integrated with the existing FDIR
lifecycle
FAME methodology and process enable a consistent and timely FDIR
conception, development, V&V
Formal methods ensure a high level of rigor and consistency
The FAME process and tool have been successfully evaluated in an
industrial context
Future Work
Specification and synthesis of FDIR for decentralized or distributed
architectures – requires coordination between different FDIR
sub-components
Hierarchical decomposition of TFPGs into multiple models
FAME: An Integrated Process for FDIR Design in Aerospace
IMBSA 2014
40/41
References
COMPASS
(Bozzano et. al, Computer Journal 2011)
Industrial evaluation
(Bozzano et. al, RESS 2014 - to appear)
AADL model checker
(Bozzano et. al, CAV 2010)
Our variant of AADL
(Bozzano et. al, MEMOCODE 2009)
FAME tool (Tutorial)
(Bittner et. al, IMBSA 2014)
TFPGs
(Karsai, Abdelwahed, Biswas, AIAA-GNC 2003)
Formal Framework for FDI
FAME: An Integrated Process for FDIR Design in Aerospace
(Bozzano et. al, TACAS 2014)
IMBSA 2014
41/41

Download Report