CISEC 2014-2015, Tuesdays from 17:00 to 19:00
Conference series: Critical embedded systems engineering
1- 27/1/2015: Architecture of aerospace embedded systems, JP. Blanquart (Airbus Defence and Space) and P. Traverse (Airbus)
2- 10/3/2015: Hardware / software obsolescence, A. Brahmi, JM. Dautelle, P. Pons, J. Toulze (Airbus)
3- 17/3/2015: Automotive systems, H. Foligné (Continental)
More information at http://asso-cisec.org
Means of achieving dependability:
- Fault prevention
- Fault tolerance
- Fault removal
- Fault forecasting
Fault tolerance: on-board automatic mechanisms in charge of Fault Detection, Isolation and Recovery (FDIR)
CISEC - SEC Conferences Series - Aero-Space systems - Page 17
This document is the property of Astrium. It shall not be communicated to third parties without prior written agreement. Its content shall not be disclosed.
Dependable architecture
Basic principle: redundancy
- Information redundancy: error detection / correction codes
- Structural redundancy: fault tolerant architecture
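Information redundancy in practice, as an added example written for this page (not code from the slides or from Astrium): a Hamming SEC-DED encoder/decoder over an 8-bit data word, the classic EDAC scheme for memories exposed to radiation-induced bit upsets. The data width and the `flip` fault-injection helper are choices made here for illustration.

```python
"""Information redundancy: Hamming SEC-DED over an 8-bit data word.

Example written for this page (not code from the slides or from Astrium).
Four Hamming check bits at positions 1, 2, 4 and 8 plus an overall parity
bit at position 0 give a 13-bit code word that corrects any single bit
flip and detects (but cannot correct) any double bit flip.
"""
from __future__ import annotations


def _check_bit_count(data_bits: int) -> int:
    """Smallest r such that 2**r >= data_bits + r + 1 (Hamming bound)."""
    r = 0
    while (1 << r) < data_bits + r + 1:
        r += 1
    return r


DATA_BITS = 8                              # assumed data width
CHECK_BITS = _check_bit_count(DATA_BITS)   # 4
CODE_LEN = DATA_BITS + CHECK_BITS + 1      # 13 positions, 0 = overall parity


def _data_positions() -> list[int]:
    """Positions holding data bits: 1..12 minus the powers of two (check bits)."""
    return [p for p in range(1, CODE_LEN) if p & (p - 1) != 0]


def encode(data: int) -> list[int]:
    """Return the code word as a list of bits indexed by position."""
    if not 0 <= data < (1 << DATA_BITS):
        raise ValueError("data does not fit in %d bits" % DATA_BITS)
    word = [0] * CODE_LEN
    for i, pos in enumerate(_data_positions()):
        word[pos] = (data >> i) & 1
    # Check bit 2**k is the parity of every other position whose index has bit k set.
    for k in range(CHECK_BITS):
        p = 1 << k
        word[p] = sum(word[j] for j in range(1, CODE_LEN) if j & p and j != p) & 1
    # Overall parity makes the number of ones in the whole word even.
    word[0] = sum(word[1:]) & 1
    return word


def decode(word: list[int]) -> tuple[int | None, str]:
    """Decode a code word.

    Returns (data, status), status being "ok", "corrected" or "uncorrectable";
    data is None when the word cannot be trusted.
    """
    w = list(word)
    syndrome = 0
    for k in range(CHECK_BITS):
        p = 1 << k
        if sum(w[j] for j in range(1, CODE_LEN) if j & p) & 1:
            syndrome |= p          # the syndrome spells the position of a single flip
    parity_even = sum(w) % 2 == 0
    if syndrome == 0 and parity_even:
        status = "ok"
    elif syndrome == 0:
        status = "corrected"       # only the overall parity bit flipped, data intact
    elif not parity_even:
        if syndrome >= CODE_LEN:   # points outside the word: three or more flips
            return None, "uncorrectable"
        w[syndrome] ^= 1           # single flip: invert the bit the syndrome points at
        status = "corrected"
    else:
        # Non-zero syndrome with even overall parity: two bits flipped. Correcting
        # on the syndrome alone would "fix" the wrong bit, so refuse instead.
        return None, "uncorrectable"
    data = 0
    for i, pos in enumerate(_data_positions()):
        data |= w[pos] << i
    return data, status


def flip(word: list[int], *positions: int) -> list[int]:
    """Copy of word with the given positions inverted (fault injection for tests)."""
    w = list(word)
    for p in positions:
        w[p] ^= 1
    return w


if __name__ == "__main__":
    cw = encode(0xA5)
    print("code word", "".join(map(str, cw)), decode(cw))
    print("one flip  ", decode(flip(cw, 5)))
    print("two flips ", decode(flip(cw, 3, 9)))
```

A single flipped bit, whether a data bit, a check bit or the overall parity bit, is corrected silently; two flipped bits are reported as uncorrectable so that the word can be handed to the FDIR logic instead of being passed on as good data. In a scrubbed memory the same decode is run periodically over every word so that single upsets are corrected before a second one accumulates in the same word.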
Cold standby redundancy architecture
- Most often used for space systems
- Most reliable, as the failure rate of an unpowered element is generally significantly lower than that of a powered one (about one tenth)
Figure: Monitoring and Reconfiguration Unit with a Context Memory, switching between Element A (ON) and Element B (OFF).
Hot standby redundancy
- Both elements are powered and running; a way to select the active outputs may be necessary
- Lower long-term reliability (the backup is exposed to the powered failure rate)
- May be used if the backup cannot be activated in case of failure, e.g. TC receivers, TC decoders
- Or for equipment for which no interruption of service is tolerated (e.g. the flight control OBC of the Ariane 5 launcher)
Figure: Monitoring and Reconfiguration Unit with a Context Memory; Element A (ON) and Element B (ON), with the output selection switch (ON / OFF).
CISEC - SEC Conferences Series - Space systems - JP. Blanquart - Astrium Satellites
Warm standby redundancy
- For equipment with a long start-up time (e.g., computers)
- Ensures very short reconfiguration times
- More complex to manage (periodic backup and upload of context, alarm watchdog and reconfiguration)
Figure: Monitoring and Reconfiguration Unit with a Context Memory; Element A (ON), Element B powered but in stand-by.
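To compare the three standby schemes quantitatively, here is an added simulation (written for this page, not Astrium code) of a Monitoring and Reconfiguration Unit over a redundant pair. The boot time of a cold element, the watchdog limit and the checkpoint period are assumed values, and the element's context is reduced to a single integrator so that continuity after reconfiguration can be checked.

```python
"""Monitoring and Reconfiguration Unit (MRU) over a redundant pair.

Example written for this page, not Astrium code. The cold, warm and hot
standby schemes are simulated in discrete control cycles so that their
reconfiguration outage and context continuity can be compared. Boot time,
watchdog limit and checkpoint period are assumed values.
"""
from __future__ import annotations
from dataclasses import dataclass

BOOT_CYCLES = {"cold": 5, "warm": 0, "hot": 0}  # assumed start-up delay of the standby
WATCHDOG_LIMIT = 2      # assumed: alarm once more than this many outputs are missed
CHECKPOINT_PERIOD = 3   # assumed: context upload period (cold / warm), in cycles


@dataclass
class Element:
    name: str
    powered: bool
    alive: bool = True
    counter: int = 0        # the element's context, reduced to one integrator state
    boot_remaining: int = 0

    def step(self, cmd: int) -> int | None:
        """One control cycle: the output, or None when the element produces nothing."""
        if self.boot_remaining > 0:
            self.boot_remaining -= 1      # still starting up
            return None
        if not self.powered or not self.alive:
            return None
        self.counter += cmd
        return self.counter


def run(mode: str, fail_at: int, cycles: int, cmd: int = 1) -> dict:
    """Run `cycles` control cycles; the active element fails for good at cycle `fail_at`."""
    active = Element("A", powered=True)
    standby = Element("B", powered=(mode != "cold"))   # cold standby is unpowered
    context_memory = 0          # last context uploaded by the active element
    missed = 0                  # watchdog counter on the active element
    reconfigured_at = None
    outputs = []
    for t in range(cycles):
        if t == fail_at:
            active.alive = False
        out_active = active.step(cmd)
        # Hot standby runs the same function on the same inputs every cycle.
        out_standby = standby.step(cmd) if mode == "hot" else None
        # Cold and warm standby rely on a periodic backup of the context.
        if mode != "hot" and out_active is not None and t % CHECKPOINT_PERIOD == 0:
            context_memory = active.counter
        # Output selection: only a hot standby can substitute its output at once.
        outputs.append(out_active if out_active is not None else out_standby)
        missed = missed + 1 if out_active is None else 0
        if missed > WATCHDOG_LIMIT and reconfigured_at is None:
            reconfigured_at = t                        # alarm confirmed: reconfigure
            standby.powered = True
            standby.boot_remaining = BOOT_CYCLES[mode]
            if mode != "hot":
                standby.counter = context_memory       # upload the saved context
            active, standby = standby, active
            missed = 0
    return {
        "reconfigured_at": reconfigured_at,
        "outage_cycles": sum(o is None for o in outputs),
        "final_output": outputs[-1],
        "outputs": outputs,
    }


if __name__ == "__main__":
    for mode in ("cold", "warm", "hot"):
        r = run(mode, fail_at=10, cycles=20)
        print(mode, "reconfigured at", r["reconfigured_at"],
              "outage", r["outage_cycles"], "final output", r["final_output"])
```

With the assumed figures, a failure of the active element at cycle 10 costs 8 cycles of lost output with a cold standby (3 cycles of watchdog confirmation plus 5 of boot), 3 cycles with a warm standby, and none with a hot standby whose output is substituted by the selector. The warm and cold elements resume from the last uploaded context rather than from scratch, which is what the periodic backup and upload of context mentioned on the slide buys, and why the reconfiguration logic is more complex to manage than a simple switch.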
Fault-masking using majority voting
Basic approaches (triplex architecture)
Figure: (a) three Computation channels feeding a single Vote; (b) three Computation channels, each with its own Vote on the three results.
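An added example (not from the slides) of the triplex vote, generalised to any odd number of channels: a bitwise majority over the channel words, a list of the dissenting channels so that the masked fault is also reported, and the reliability of an N-modular set with a perfect voter next to that of a single channel. The bit width and the failure rate used in the demonstration are assumptions.

```python
"""N-modular redundancy: majority voting that masks and reports a faulty channel.

Example written for this page (not from the slides). Generalises the triplex
case to any odd N: a bitwise majority over the channel words, the list of
dissenting channels (so the masked fault is also detected and can be
reported to FDIR), and the reliability of an N-modular set with a perfect
voter next to that of a single channel.
"""
from __future__ import annotations
from dataclasses import dataclass
from math import comb, exp


@dataclass
class VoteResult:
    word: int            # bitwise majority of the channel words
    dissent: list[int]   # channels whose word differs from the majority
    valid: bool          # a strict majority of channels agrees with `word`


def majority_vote(channels: list[int], width: int = 32) -> VoteResult:
    """Bit-by-bit majority over an odd number of channel words of `width` bits."""
    n = len(channels)
    if n < 3 or n % 2 == 0:
        raise ValueError("need an odd number of channels, at least 3")
    mask = (1 << width) - 1
    words = [c & mask for c in channels]
    word = 0
    for bit in range(width):
        ones = sum((w >> bit) & 1 for w in words)
        if 2 * ones > n:
            word |= 1 << bit
    dissent = [i for i, w in enumerate(words) if w != word]
    # A bitwise majority always exists, but when no majority of channels agrees
    # on the whole word the result is a mixture of several wrong outputs.
    return VoteResult(word, dissent, valid=2 * (n - len(dissent)) > n)


def nmr_reliability(r: float, n: int = 3) -> float:
    """P(at least a majority of n independent channels of reliability r work),
    assuming a perfect voter. n = 3 gives 3 r^2 - 2 r^3."""
    if n < 1 or n % 2 == 0:
        raise ValueError("n must be odd")
    k_min = n // 2 + 1
    return sum(comb(n, k) * r ** k * (1 - r) ** (n - k) for k in range(k_min, n + 1))


def channel_reliability(failure_rate_per_hour: float, hours: float) -> float:
    """Constant failure rate: R(t) = exp(-lambda t)."""
    return exp(-failure_rate_per_hour * hours)


if __name__ == "__main__":
    print(majority_vote([0xAB, 0xAB, 0xAB ^ 0x10], width=8))   # channel 2 masked
    print(majority_vote([0xAB, 0xCD, 0x12], width=8))          # no agreement: invalid
    lam = 1e-4                                                  # assumed failures per hour
    for hours in (10, 1000, 20000):
        r = channel_reliability(lam, hours)
        print(hours, "h: simplex %.6f  TMR %.6f" % (r, nmr_reliability(r)))
```

The reliability functions make the classical caveat visible: with channel reliability r, 3r^2 - 2r^3 is above r only for r > 0.5. Over a short mission (r close to 1) the triplex is far more reliable than a single channel, but without repair it drops below a single channel once exp(-λt) falls under 0.5, so voting masks faults during a mission and does not replace the standby and reconfiguration schemes above on long-duration spacecraft.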
Assembly of self-checking components
Self-checking components
- Fault-secure component (for a given set of faults): for each considered fault, every input configuration leads to either a correct output or a detected error
- Self-testing component (for a given set of faults): for each considered fault, at least one input configuration leads to a detected error
- Both properties together: totally self-checking component
Figure: Inputs feed a Function block and a Check block; the Check block compares against the Outputs and raises an Error signal.
From fail-stop building blocks to dependable aircraft architecture
• "Airbus COM/MON" architecture
Figure: the self-checking block (Inputs, Function, Check, Outputs, Error) realised as two lanes fed from 28V DC through lightning, EMI and voltage protection. Control Lane: Processor, RAM, ROM, I/O, Power supply, Watchdog. Monitor Lane: Processor, RAM, ROM, I/O, Power supply, Watchdog. A Relay gates the critical outputs (e.g., actuators).
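An added illustration (not Airbus code) of the control/monitor pair as a fail-stop building block: both lanes run the same toy control law on independently acquired inputs, the monitor compares its result with the command lane's, and the output relay is opened and latched when the discrepancy persists beyond a confirmation time. Gain, threshold and confirmation time are assumed values; the priority chain at the end models the hand-over to the next healthy computer.

```python
"""Command / monitor lane pair with a fail-stop output relay.

Example written for this page; not Airbus code. Both lanes compute the same
toy control law from independently acquired inputs; the monitor compares
its result with the command lane's and opens (and latches) the output relay
when the discrepancy exceeds a threshold for longer than a confirmation
time. Gain, threshold and confirmation time are assumed values.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable, Optional

GAIN = 2.0               # assumed proportional gain of the toy control law
THRESHOLD = 0.5          # assumed tolerated COM/MON discrepancy (surface degrees)
CONFIRMATION_CYCLES = 3  # assumed cycles a discrepancy must persist before tripping


def control_law(stick: float, surface: float) -> float:
    """Toy proportional law: surface command from stick demand and measured position."""
    return GAIN * (stick - surface)


@dataclass
class ComMonComputer:
    name: str
    relay_closed: bool = True    # False once the monitor has tripped (latched)
    discrepancy_cycles: int = 0

    def cycle(self, com_inputs: tuple[float, float], mon_inputs: tuple[float, float],
              com_fault: Optional[Callable[[float], float]] = None) -> Optional[float]:
        """One control cycle. Returns the command sent to the actuator, or None
        when the relay is open and the computer is passive."""
        if not self.relay_closed:
            return None
        com_cmd = control_law(*com_inputs)
        if com_fault is not None:
            com_cmd = com_fault(com_cmd)     # fault injected in the command lane
        mon_cmd = control_law(*mon_inputs)   # monitor lane's independent result
        if abs(com_cmd - mon_cmd) > THRESHOLD:
            self.discrepancy_cycles += 1
        else:
            self.discrepancy_cycles = 0
        if self.discrepancy_cycles >= CONFIRMATION_CYCLES:
            self.relay_closed = False        # fail-stop: open the relay and stay passive
            return None
        return com_cmd


def active_computer(chain: list[ComMonComputer]) -> Optional[ComMonComputer]:
    """Priority chain such as the ELAC / SEC computers: first one whose relay is closed."""
    for computer in chain:
        if computer.relay_closed:
            return computer
    return None


if __name__ == "__main__":
    elac1, elac2 = ComMonComputer("ELAC1"), ComMonComputer("ELAC2")
    stuck = lambda _cmd: 10.0                # command lane output frozen at 10.0
    for _ in range(4):
        print(elac1.cycle((1.0, 0.0), (1.01, 0.0), com_fault=stuck), elac1.relay_closed)
    print("in control:", active_computer([elac1, elac2]).name)
```

The confirmation time is the trade-off at the heart of this block: a one-cycle glitch does reach the actuator, while a persistent discrepancy is stopped after three cycles. Threshold and confirmation time therefore have to be sized against what the aircraft tolerates, and opening the relay must itself be a safe state, which is why the chain falls back to the next computer rather than trying to repair the faulty one in flight.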
Fly-by-Wire (Airbus)
Figure: four flight control computers, each a Control / Monitor pair (ELAC1, SEC1, ELAC2, SEC2), driving the Elevators and the THS (Trimmable Horizontal Stabilizer) from the left side stick (co-pilot) and the right side stick (pilot); a Mechanical trim with a Mechanical link to the THS is also shown.
Dependable space system
Architecture: a collection of chains with self-tests; when needed or possible, some variations
Procedures: explicit detection and reconfiguration; when needed or possible, some variations
Launcher (Ariane 5)
Launchers: other solutions
- Simplex architecture: Zenit, Proton
- N-modular redundancy: Delta 4 (RIFCA, Redundant Inertial Flight Control Assembly)
Manned launchers
- Hermes: a quadruplex architecture substituted for the launcher's own
- CTV: adapted launcher architecture with improved computer failure detection coverage
Figure: quadruplex GNC architecture (GNC1 to GNC4, each with BC, RT and IPC on its own bus, GNC1 Bus to GNC4 Bus, plus Communication Busses), OBC 1 and OBC 2 (RT/OBS) with context / recovery and control-command functions, MIL-STD-1553 links, TM1 / TM2, BFin / BFout1 / BFout2 interfaces, and Reset / Power supply lines.
Classical satellite architecture (1/2)
Figure: a nominal chain (OBC N with its equipment Eqt N) and a redundant chain (OBC R with its equipment Eqt R) kept COLD, supervised by the MRE.
Reminder: launcher
ATV: Nominal + Safety chains
Figure: DPU1 to DPU4 on the Avionics System Buses A to D, with the ALB, FML, AVI and MSU units.
• "FAILURE CONDITION" DEFINITION FROM CS 25.1309
• A "Failure Condition" is defined at each system level by its effects on the functioning of the system. It is characterised by its effects on the other systems and on the aircraft.
• All single failures or combinations of failures, including failures of other systems, that have the same effect on the considered system are grouped together in the same
Figure: Safety & Reliability method and process. Multi-program, multi-disciplinary activities (research, standards, processes, methods, guidelines, tools, in-service follow-up, S/R rules and recommendations, regulation) support the multi-disciplinary program activities, through aircraft certification and aircraft in service, up to steps 11 (Airworthiness monitoring) and 12 (Lessons learned). FIA: Function Implantation Analysis; IHA/ECHA: Intrinsic/Environment Hazard Analysis.
Certification's major objective is to ensure safety: 25.1309, 25.xyz, ARP4754/ED79, DO178/ED12, ED.zyx, ... "Business" margins are taken on top of the certification requirements (assumptions, operational reliability). Safety margins are taken too, based on each manufacturer's unique history.
Confidence in the safety case: the meaning of 10^-9, what a single failure is, coverage of tests, etc. Not a pure mathematical demonstration: rigorous analysis with independent checks.
“arrangements with judicial authorities shall respect the independence of the safety investigation authority and allow the technical investigation to be conducted diligently and efficiently.”
“all statements taken from persons by the safety investigation authority in the course of the safety investigation shall not be used for purposes other than safety investigation”
Other supporting processes: certification coordination, configuration management, process assurance, reviews, supplier monitoring, ...
Specify the equipment; specify the installation & wiring; develop and verify the equipment.
The project, definition: a unique process, consisting of
• a set of coordinated and controlled activities
• with start and finish dates,
• undertaken to achieve an objective
• conforming to specific requirements, including the constraints of time, cost and resources.
• Stringent economic & industrial objectives for new aircraft types (A380, A400M, A350): minimize development & maintenance costs; reduce development life cycle cost; harmonize the design of aircraft avionics; manage obsolescence of hardware and evolutions of functions; ensure safety and reliability
• Chosen way to fulfil these objectives: provide data communication capabilities (Avionics Data Communication Network, ADCN); provide centralised computing capabilities (IMA)
• Consistent erroneous attitude information displayed in the cockpit is classified as potentially Catastrophic
• Consequently, undetected erroneous attitude information shall not result from a single failure within ADCN: attitude information from independent sources to independent display units shall use independent routing within ADCN
• Undetected erroneous fuel quantity information may lead to fuel imbalance and is classified as potentially Catastrophic
• As a consequence, undetected erroneous fuel quantity information shall not result from a single failure within IMA: the fuel system is based on a Command - Monitoring architecture, with the command lane within one IMA equipment and the monitoring lane within another IMA equipment
Figure: IMA-based Fuel Quantity & Management command lane and monitoring lane hosted on different IMA modules.
Hydromechanical system. Power: centralized hydraulic systems and servocontrols. Help: yaw damper, trim, auto-pilot (speed, altitude), protections against excessive structural loads. Devices moving the mechanical control.
P. Goupil. AIRBUS State of the Art and Practices on FDI and FTC in Flight Control System. Control Engineering Practice 19 (2011), pp. 524-539. DOI: 10.1016/j.conengprac.2010.12.009
Alleviation of structure sizing cases (manoeuvre, gust, failure cases)
SF is the achieved Safety Factor. The loads to be considered can be due to a design gust when a Load Alleviation System is unavailable (SF = ultimate loads / loads due to manoeuvre, gust, ... not alleviated), or to the sum of the loads due to a continuing failure (surface oscillation) and of all design loads.
λ is the probability per flight hour of the failure; T is the exposure time during which loads are not alleviated.
PROOF OF PROGRAM – MODEL CHECKING (Airbus FbW practice)
At SYSTEM level: current Airbus state of the art is mainly as a way to debug complex logic. From a formal model of the system, a "model checker" lists all possible states, then looks for some particular states (those that do not satisfy a "property"). Example:
- Formal model: the SCADE logic that determines whether the ground spoilers must be deployed
- Particular state: ground spoilers are deployed in flight
At SOFTWARE level: partial proof (with credit for A380 certification) of FbW software
- Unit verification by automated formal proof (deductive method and theorem proving)
- Safe maximum stack usage (static analysis by abstract interpretation)
- Worst case execution time computation (static analysis by abstract interpretation)
Comparison with test & simulation
- Static check – no execution
- Pros: exhaustiveness when the model satisfies the property; detection of very complex errors when the model does not satisfy the property
- Cons: state explosion – the system (model + property) may be too complex for the model checker; property formalisation (what does "in flight" mean?)
How to cope with state explosion:
- By simplifying the model while keeping the properties ("abstract interpretation")
- By weighting the state graph (probability of states)
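The ground-spoiler example of the slide, as an added toy model checker written for this page (not Airbus code and not a SCADE model): a two-state synchronous logic is explored breadth-first under every input valuation and checked against the property "ground spoilers are never deployed in flight". The formalisation of "in flight" as "main gears not both compressed" is an assumption, exactly the kind of choice the slide's "what means in flight?" refers to; the input set and both candidate logics are constructed for the example.

```python
"""Explicit-state model checking of a ground-spoiler deployment logic.

Example written for this page; not Airbus code and not a SCADE model. A tiny
synchronous logic is explored exhaustively: from the initial state, every
input valuation is applied to every reachable state (breadth-first), and
each reached state is checked against the property "ground spoilers are
never deployed in flight". The formalisation of "in flight" as "no main
gear compressed" is an assumption made here.
"""
from __future__ import annotations
from collections import deque
from itertools import product
from typing import Callable, List, Optional, Tuple

Inputs = Tuple[bool, bool, bool, bool]   # (armed, weight on left gear, weight on right gear, throttles idle)
State = bool                              # ground spoilers deployed?
Trace = List[Tuple[Inputs, State]]

INPUT_SPACE: List[Inputs] = list(product((False, True), repeat=4))   # all 16 valuations


def latched_logic(deployed: State, inp: Inputs) -> State:
    """Deploy on touchdown and latch until disarmed (candidate logic with a flaw)."""
    armed, wow_l, wow_r, idle = inp
    if not armed:
        return False
    if wow_l and wow_r and idle:
        return True
    return deployed


def memoryless_logic(deployed: State, inp: Inputs) -> State:
    """Deploy only while the ground condition holds; retract as soon as it is lost."""
    armed, wow_l, wow_r, idle = inp
    return armed and wow_l and wow_r and idle


def in_flight(inp: Inputs) -> bool:
    """Assumed formalisation: airborne = main gears not both compressed."""
    _, wow_l, wow_r, _ = inp
    return not (wow_l and wow_r)


def never_deployed_in_flight(state: State, inp: Inputs) -> bool:
    return not (state and in_flight(inp))


def model_check(step: Callable[[State, Inputs], State],
                prop: Callable[[State, Inputs], bool],
                init: State = False) -> Optional[Trace]:
    """Breadth-first exploration of all reachable states under all inputs.

    Returns None when prop holds for every reachable (state, inputs) pair,
    otherwise the shortest counterexample as a list of (inputs, next state).
    """
    parent = {init: None}           # state -> (inputs, predecessor) on the shortest path
    queue = deque([init])
    while queue:
        s = queue.popleft()
        for inp in INPUT_SPACE:
            s_next = step(s, inp)
            if not prop(s_next, inp):
                trace = [(inp, s_next)]
                cur = s
                while parent[cur] is not None:
                    prev_inp, prev_state = parent[cur]
                    trace.append((prev_inp, cur))
                    cur = prev_state
                trace.reverse()
                return trace
            if s_next not in parent:
                parent[s_next] = (inp, s)
                queue.append(s_next)
    return None


if __name__ == "__main__":
    print("latched   :", model_check(latched_logic, never_deployed_in_flight))
    print("memoryless:", model_check(memoryless_logic, never_deployed_in_flight))
```

The latched candidate is refuted by a two-step trace: touchdown with both gears compressed deploys the spoilers, then an input valuation where the gears are no longer compressed (a bounce, or a sensor dropping out) leaves them deployed while the model says "in flight". The memoryless version satisfies the property, at the price of retracting on every bounce; whether that is the wanted behaviour is a property formalisation question the checker cannot settle. The enumeration here covers 2 states x 16 inputs; every additional state variable doubles the state set, which is the state explosion the slide describes.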
ULTIMATE BACK-UP
- Continued safe flight while the crew restores the computers
- Expected to be Extremely Improbable
- No credit for certification
- From mechanical (A320) to electrical (A380, A400M, ...)
Club Inter-associations Systèmes Embarqués Critiques - CISEC
• Association Aéronautique et Astronautique de France • Société de l’électricité, de l’Electronique et des Technologies de l’information et de la communication • Société des Ingénieurs de l’Automobile
This document and all information contained herein is the sole property of AIRBUS S.A.S. No intellectual property rights are granted by the delivery of this document and the disclosure of its content. This document shall not be reproduced or disclosed to a third party without the express written consent of AIRBUS S.A.S. This document and its content shall not be used for any purpose other than that for which it is supplied. The statements made herein do not constitute an offer. They are based on the mentioned assumptions and are expressed in good faith. Where the supporting grounds for these statements are not shown, AIRBUS S.A.S. will be pleased to explain the basis thereof.
January 2015 Embedded systems Architecture - Fly-by-Wire
FAR (US regulations) & CS (European regulations) are requirements, part of the A/C specification. Certification encompasses the process, not only the product. Guidance is provided (SAE ARP 4754A – EUROCAE ED79A "Certification considerations for highly-integrated or complex systems").
REQUIREMENT CAPTURE
Airworthiness regulation: another set of requirements to be cascaded & complied with
Mostly waterfall-type development
REQUIREMENT CAPTURE, with an agile-like touch
- Develop an executable model of a consistent part of the final product (e.g. take-off mode of a flight control law)
- Load it in a flight simulator and test it with end-users (e.g. pilots – test & instructors) as soon as it is reasonably working; the developers of the model participate in the test
- At the end of the test, decide together what the most pressing issues to solve are, and iterate quickly
- Produce the final software based on this model (not from a re-formulation of the model)
- Note that this is not a "pure" agile development:
  - part of the validation of the control laws is made without the end-users (analysis of the stability margins, for example)
  - there is a global development plan (e.g. features of the control laws that size the primary structure are defined earlier than those that are "just" on the software critical development path) that steers the iteration cycles
- Specifications are captured in parallel to formalize validation and avoid future regression
Are the needs acceptable? Validation of the final product versus customer needs: requirements validation, assumptions validation.
Verification: get the assurance that the product is compliant with its specification.
We got the Type Certificate!
• All hardware has been specified, then designed and qualified
• All software is written and tested
• All hazards have been taken into account: failure, software error, engine rotor burst, maintenance error, ...
• All items have been integrated
• The airplane has been flown with multiple pilots; human factors specialists were involved
• Your experts, your management and yourself are justifiably confident; the aviation safety agencies have delivered the Type Certificate
• This is the end! Let's start a new product! And a highly disruptive one!
Reminder: Innovation is funded by the profit made on units delivered to customers (provided customer support and manufacturing disruption are not eating all the margin).
A few Quality basics
• Engineers have produced a "definition" of the airplane: set of drawings, lines of code, ... (Flight Crew Manual, Maintenance Procedures, ...)
Configuration management and manufacturing quality are basic processes, supported by the Engineering work.
Errors in the manufacturing process will occur. Hence a Quality process is in place:
• Rigorous configuration management, from the top-level requirements to the definition and down to the inspected work orders
• Rigorous assembly and inspection process: compliance with the segregation rules between redundant resources, no damage to wires, equipment, ...
• Test of the installation: proper wire connections, no leakage in pipes, ...
Note:
• It is: checking that the right software is loaded in the right computer; checking the actual distance between two items
• It is not: running again the software tests done for type certification; computing the needed distance
The airplane is compliant with the definition ... at the end
• The airplane is compliant when it is finished
• But then time is very expensive (all costs are paid by the manufacturer, but the airline will pay the price only after delivery)
• Some checks are no longer possible (areas are closed, ...)
Confidence in the airplane is built all along the manufacturing process, on very diverse evidence.
Compliance checks (inspection, test) cannot wait for airplane completion but are spread all along the manufacturing process, the earlier the better:
√ A sequence of filters (... supplier of equipment ... installation in the plane ... flight test before delivery)
√ Sufficient coverage by the combined filters, despite the mishaps that occur between them
Inspections & tests have to be adapted to an exotic configuration:
√ Wiring is installed but not the computer
√ Airplane is powered from factory power (neither airport power nor the airplane power system)
√ Airplane is on jacks (neither ground nor flight)
√ ...
Personnel Safety
• Safety for regular passenger flights is not sufficient
• Workers are everywhere in the airplane (intervening on the electrical power system, ...) and around the airplane (beware of moving parts: rudder, aileron, ...)
• The airplane doesn't behave exactly as in airline operation: airplane on jacks, ...; missing parts, equipment not fully qualified; the airplane is flown from one plant to another without some components (passenger cabin items)
System logics and tests have to be adapted to each configuration of the airplane in the assembly line.
Line disruption
• Any disruption (equipment delivered late or found faulty, time to fix the issue, ...) delays the assembly line: financial cost associated with late delivery; customer (airline) dissatisfaction; the financial deal may be time-limited
• Computers are able to send internal data to support troubleshooting
• Components are protected
• Support from the design office is located on the assembly line
In terms of quality of the design, the assembly line is (almost) as important as an airline.
Assembly line stages: structural assembly, systems equipping & test, cabin, pre-customisation
Airplanes:
• They are designed so that confidence can be justifiably placed in them by: airlines & passengers; aviation safety agencies (EASA, FAA, ...); the manufacturer (Airbus and its employees)
• They are also designed to be manufactured: a set of requirements as challenging as safety or performance