Model-Checking in the Early Lifecycle
Zoë Stephenson
-
Acknowledgements
The work presented here was conducted under the MOSAIC project, project number TP/3/DSM/6/I/15780, a collaboration between the University of York, the University of Sheffield, Rolls-Royce plc., Goodrich Engine Control Systems and Jaguar Cars Limited.
This project is co-funded by the Technology Strategy Board's Collaborative Research and Development programme, following an open competition.
The Technology Strategy Board is an executive body established by the Government to drive innovation. It promotes and invests in research, development and the exploitation of science, technology and new ideas for the benefit of business --- increasing sustainable economic growth in the UK and improving quality of life.
-
Motivation
Proprietary industrial data, 2000
[Chart: ratio of effort by team: Systems 34, Software 34, STF 31]
[Chart: share of effort by lifecycle stage: System Specification 25%, System Integration 17%, Low Level Software Test 17%, Software Implementation 10%, Reviews and Inspections 8%, Management 8%, Software Integration Test 7%, Software Design 3%, Other Software 3%, Hardware/Software Integration 1%, Software Static Analysis 1%]
[Chart: cost per V&V activity (Review, Low Level Test, Integration Test, HSI, STF)]
-
Motivation
Reducing V&V effort should be very effective in reducing project cost
Especially by addressing issues earlier in the lifecycle
We use model-checking to address V&V issues
Questions from industrial parties:
Is it applicable to our systems?
Does it scale?
How much effort does it save?
-
Outline
Early lifecycle characteristics
Eliciting individual properties
Demonstrating applicability
-
Early vs. Late
-
Early vs. Late
Early Lifecycle
Few stable requirements
Some experience of previous systems
Assessment targeted at technical risks: novelty and concurrent design
Late Lifecycle
Complete requirements
Full system available to evaluate
Assessment targeted at properties of complete system
-
Property Elicitation
Early lifecycle issues are:
Individual aspects
Not necessarily captured in requirements
Where do they come from?
Which ones are important?
How do we know we've found all the important ones?
How should we write them down?
-
Property Source
Current draft requirements
Sketches
Documentation and standards
Existing systems
Domain experts
Technical risk assessment
Project priorities
-> Properties that the system ought to satisfy
-
Technology-Independence
System needs to satisfy properties regardless of design, implementation, V&V technologies
Different properties will be amenable to different types of V&V technology
Properties will need to be translated into various different forms
At the point of elicitation:
Those forms are not guaranteed to be known
Those participating in elicitation may not be comfortable with those forms
-
Explicit Elicitation Process
[Diagram: inputs (requirements, other sources) -> scoping -> scope description -> elicitation -> natural-language properties -> formulation -> properties (as text or model)]
-
Elicitation Process
Facilitated discussion
Can use a separate scribe and chair
Our experiments combined these roles
Series of prompts:
stimulate discussion
explore different kinds of behaviour
start with general issues and lead on to specific issues
e.g. from expectations to specific invariants
-
Typical Prompt Areas
Boundary properties: is that all that the system needs to do?
Completeness: did we cover every value/every state?
Dynamic completeness: every value/state change?
Feasibility: every high-risk area?
Interaction: every sequence of interactions?
Expectation: does it behave reasonably?
-
Pilot Studies
Fixed-priority scheduler implementation
23 properties elicited
Around 15 checkable by model-checking
Model-checking study ongoing
New implementation of surface friction estimator
12 properties, 6 checkable
Small model-checking study conducted
-
Observations
Elicited properties not always easily checkable in a model-checker
"Detection time plus adjustment time to correct for the change in surface friction ought to be within 100ms."
Elicited properties not always easily checkable in early lifecycle
"The error in estimation for lateral friction is approximately the same across the whole friction range"
Skills of a property elicitation specialist different to those of a domain expert
Strategic pedantry
-
Studies Performed
-
Throttle Resolver Study
Based on three problem reports
-
Study Aims
Given latest system specification, error definition, requirement and test case:
Produce a damaged version of the system that contains the error
Express the requirement as a property to check
Model-check the latest system and the damaged system against the property
Current system should satisfy property
Damaged system should violate property
Generated counterexample should be similar to test case
-
Requirements
-
Study Setup for spin
[Diagram: Latest Specification, Test Case, Underlying Error, Requirement -> compare]
Promela fragment (movement detection, tracing to CSS-197-149-2.3):
    endeec:
    do
    :: sync_eec?_;
       atomic {
         /* account for bus fault */
         mtpafault1 = (tpafault1 || busfault);
         mtpafault2 = (tpafault2 || busfault);
         mtpafault3 = (tpafault3 || busfault);
         ntpafault = mtpafault1 + mtpafault2 + mtpafault3;
         /* Detect movement */
         /* BEGIN TRACE 24 CSS-197-149-2.3 */
         /* movTPA1 = | otpa1_u - tpa1_u | > tpamovt */
         /* integer strict '>' is written as '- 1 >=' */
         if
         :: otpa1_u == tpa1_u -> movTPA1 = 0
         :: otpa1_u - tpa1_u - 1 >= tpamovt -> movTPA1 = 1
Embedded specification excerpt: CSS_Acquire Valid Throttle Reso
Columns: Object Type, Id, CSS Engine/Airframe Functions, Change Status, Rationale, Guidance
Heading 1 Acquire Valid Throttle Resolver angle - TRA - Measurement for A380 (Unchanged)
Heading 1.1 Purpose (Unchanged)
Informative Text (Unchanged): To provide a validated TRA signal and status for Engine control, and identify any system failures to maintenance.
Heading 1.2 System Use Case (Unchanged)
Informative Text (Unchanged)
Heading 1.3 System Architecture Diagram (Unchanged)
Informative Text (Unchanged): Hardwired TRA Resolver configuration
Informative Text (Unchanged)
    Guidance: ECM AR-1317 - 2.2
Heading 1.4 System Description (Unchanged)
Informative Text (Unchanged): When not in autothrust mode control of the Engine will be achieved by modulation of a throttle lever situated in the cockpit. Movement of the throttle lever will be detected by two, mechanically coupled resolver transducers producing electrical signals de
Informative Text (Unchanged)
Informative Text (Unchanged): Each resolver is connected to the EEC via 6 wire cables, with 2 wires for excitation and 4 wires for sine and cosine return.
Informative Text (Unchanged): In addition to the two resolver TRA inputs (analogue), the EEC receives, via the AFDX network, three digital throttle angle (TPA) values sent by the PRIMs for each throttle. Each PRIM measures the throttle lever angle using a potentiometer installed on e
Informative Text (Unchanged): The analogue and digital throttle lever angle inputs are respectively referred to as TRA (Throttle Resolver Angle) and TPA (Throttle Potentiometer Angle).
Informative Text (Unchanged): The TPA values coming from each PRIM are identical on both EEC channels (same Virtual Link received by each EEC channel).
Informative Text (Unchanged): Note: Only the channel B of each PRIM will send the throttle angle measurement.
Informative Text (Unchanged): For the purpose of the TRA selection logic, the EEC will also use the TCM hardwired discrete signal (not shown in diagram). The TCM hardwired discrete is set 'true' during critical flight phases and is used if there is a TRA signal fault.
Informative Text (Unchanged)
Informative Text (Unchanged)
Heading 1.5 Reference Material (Unchanged)
Heading 1.5.1 Source Reference (Unchanged)
Informative Text (Unchanged): DNS49493 Iss 10 TRENT 500 FRD Airframe Inputs
Informative Text (Unchanged): DNS53531 Iss 10 TRENT 500 Interface Control Document
Informative Text (Unchanged): TDR9700 Iss 2 RB211 - TRENT 700 FRD Airframe Inputs and Thrust Settings
Informative Text (Unchanged): ECM AR-1317 TRA Selection and Accommodation Logic
Informative Text (Unchanged): ECM AR-2355 SDS TRA Selection Requirements
Heading 1.5.2 Lessons learned, HIPLs, ERMS (Unchanged)
Informative Text (Unchanged): New implementation, no applicable lessons learned.
Heading 1.6 System Requirements (Unchanged)
Heading 1.6.1 Pre-Conditioning (Unchanged)
Requirement CSS197-31-2.3 (Unchanged): Establish the validity of each resolver (TRA) signal by checking that it is within allowable range and has not been declared invalid by the OS.
    Rationale: Such that the selection logic can ignore bad data.
Requirement CSS197-32-2.3 (Unchanged): Establish the validity of each AFDX input signal and select/provide a valid TPA value.
    Rationale: To provide an alternative signal for resolver arbitration.
Heading 1.6.2 Normal Behaviour (Unchanged)
Requirement CSS197-34-2.3 (Unchanged): Provide a valid Throttle Lever Angle by taking the average of the two TRA resolver signals.
    Rationale: For best accuracy
Heading 1.6.3 Anomalous Behaviour (Unchanged)
Informative Text (Unchanged): None
Heading 1.6.4 Failure Behaviour (Unchanged)
Requirement CSS197-40-2.3 (Unchanged): If both TRA signals are valid and disagree by more than dvTRAXCTol degrees then select the TRA signal in nearest agreement with the valid TPA value (provided no TRA-TPA disagreement has been set for that signal). The rejected TRA signal shall be latched a
    Rationale: Exclude failed signal on confirmation with AFDX signal
Informative Text (Unchanged): In the case of a disagreement between the two TRAs or in case of a TRA signal failure, the selected TPA signal (if valid) shall be used in this selection logic.
Requirement CSS197-209-2.3 (Unchanged): The crosschecks between valid TRA signals and selected TPA shall only be performed when the throttle is not moving.
    Rationale: Eliminate false detection of faults due to signal latency.
Requirement CSS197-42-2.3 (Unchanged): Throttle movement shall be determined to be in progress if two or more valid signals, out of the two TRA signals and the selected TPA signal, are changing at a rate of more than the threshold. If one signal is confirmed invalid, it shall be treated as not
    Rationale: To allow detection of frozen signals.
Requirement CSS197-43-2.3 (Unchanged): The rate of change threshold of dvTPAMovDet deg/s shall be lowered to dvTPASSDet deg/s when one valid signal exceeds dvTPAMovDet deg/s; it shall return to dvTPAMovDet deg/s when all valid signals are moving at a rate of less than dvTPASSDet deg/s.
    Rationale: Hysteresis is applied to movement detection to prevent intermittent detection.
Requirement CSS197-44-2.3 (Unchanged): Following throttle movement there shall be a confirmation period of dvTPAMovConf seconds before the movement detection becomes false.
    Rationale: To allow signals to settle after transient.
Requirement CSS197-45-2.3 (Unchanged): The crosscheck tolerance between the TRA signals and selected TPA shall be set to dvTRATPAXCTol deg.
Requirement CSS197-46-2.3 (Unchanged): A crosscheck failure between a TRA signal and selected TPA shall be confirmed during dvTRATPAXCConf seconds. During the confirmation time, the last valid selected TRAV shall be held.
    Rationale: Inhibit short duration faults from latching fault.
Requirement CSS197-47-2.3 (Unchanged): If (both TRA signals are valid but disagree and the TPA selection is not valid) or (both TRA signals disagree and neither agrees with TPA) then the validated TRA shall be set to reverse idle if last good TRA < dvTRAReverseDetect degrees and Aircraft is on
    Rationale: If no valid signals available select forward or reverse idle based on last good value.
Requirement CSS197-48-2.3 (Unchanged): If only one TRA is valid then it shall be selected provided it agrees with the valid TPA.
    Rationale: Use TPA to validate single TRA.
Requirement CSS197-49-2.3 (Unchanged): If only one TRA is valid and TPA selection is invalid, then select valid TRA if the Aircraft permission discrete is not set. If the Aircraft permission discrete is set and the remaining valid TRA value is above idle, then select forward idle, otherwise se
    Rationale: Inhibit use of a single signal in critical flight phases.
Requirement CSS197-51-2.3 (Unchanged): If only one TRA is valid and it disagrees with a valid TPA value, then select the valid TPA value. If valid TPA value is above idle and ((the Aircraft permission discrete is set) OR (the PRIM indicates that three throttles are at idle or below and Mach nu
Requirement CSS197-52-2.3 (Unchanged): If both TRA signals are invalid and the TPA signal is valid, then select TPA. If valid TPA value is above idle and ((the Aircraft permission discrete is set) OR (the PRIM indicates that three throttles are at Idle or below and Mach number is below 0.35)),
Requirement CSS197-53-2.3 (Unchanged): If both TRA signals and the TPA signal are invalid then select reverse idle if last good TRA < dvTRAReverseDetect degrees and Aircraft is on ground, otherwise select a value as a function of Mach number.
    Rationale: If no signals are available, Mach number is used to determine flight phase and set a 'safe' default value for that phase which will allow autothrust to be selected.
Informative Text (Unchanged): The Aircraft permission discrete input validation is described in A9 section TBD.
Requirement CSS197-218-2.3 (Unchanged): The condition 'three throttles at idle or below' shall be 'true' when the bit is set by both units (A & B) on any one PRIM.
Informative Text (Unchanged): The condition 'Three throttles at idle or below' shall be transmitted on AFDX by both units (A & B) of each PRIM.
Heading 1.6.5 All cases (Unchanged)
Requirement CSS197-55-2.3 (Unchanged): Provide a Status message indicating the status of the validated TRA value and the signal source selected.
    Rationale: For use by client functions which may need to take account of signal quality and for system testing purposes.
Requirement CSS197-57-2.3 (Unchanged): Indicate any detected input signal failures to the maintenance function.
    Rationale: All failures are logged in support of meeting JAR-E-510
Requirement CSS197-70-2.3 (Unchanged): All confirmation times and tolerances shall be trimmable via development variable.
Heading 1.6.6 Non Functional Requirements (Unchanged)
Requirement CSS197-72-2.3 (Unchanged): Accuracy - Transient: The EEC transient processing accuracy of the TRA signal (i.e. up to a frequency of 1Hz with a maximum slew rate of 35 deg/sec), from EEC input connector to memory location conditioning, shall be 0.317 degrees of Arc.
Requirement CSS197-74-2.3 (Unchanged): Accuracy - Steady State: The EEC steady state processing accuracy of the TRA signal (i.e. over normal range at a frequency of 0 to 1Hz with a maximum slew rate of 5 deg/sec), from EEC input connector to memory location conditioning, shall be 0.317 degrees
Requirement CSS197-76-2.3 (Unchanged): Range: The EEC shall accept a transducer operating range of -180 to 180 degrees resolver angle.
Requirement CSS197-219-2.3 (Unchanged): The working range of the TRA assembly is -40 to 87.6 deg.
Requirement CSS197-78-2.3 (Unchanged): Performance: TBD
Requirement CSS197-80-2.3 (Unchanged): There shall be no restriction on the rate of change of TLA.
    Rationale: The rate of change of TLA cannot be used to detect system failures.
Requirement CSS197-82-2.3 (Unchanged): Reliability: TBD for A380-1
Heading 1.7 Sub-System Requirements (Unchanged)
Heading 1.7.1 Transducer/Actuator Requirements (Unchanged)
Requirement CSS197-91-2.3 (Unchanged): NONE, Aircraft Part, Buyer responsibility.
Heading 1.7.2 EEC and OS Requirements (Unchanged)
Heading 1.7.2.1 EEC Physical & Functional Design (Unchanged)
Requirement CSS197-94-2.3 (Unchanged): The EEC shall support two channels of six wire resolver interface to meet voltage, frequency, impedance and sensitivity as defined by the Buyer.
    Guidance: ECM AR-1317 - 2.3.1
Informative Text (Unchanged): A standard resolver interface has one primary winding and two secondary windings. One secondary has an output proportional to the sine of the resolver angle and the other has an output proportional to the cosine of the resolver angle.
Informative Text (Unchanged): The three TPA signals will be received in each EEC channel on both of the two existing AFDX busses. No additional hardware requirement needed here.
Requirement CSS197-100-2.3 (Unchanged): The OS in each channel of the EEC shall read that channel's TRA resolver signals and provide a validated resolver angle to the AS in units of degrees, and at a rate compatible with the software schedule.
    Rationale: For compatibility with Application Software.
Requirement CSS197-103-2.3 (Unchanged)
    Guidance: ECM AR-1317 - 2.3.1
Requirement CSS197-105-2.3 (Unchanged): The OS in each channel shall provide the TRA angle to both EEC AS channels.
    Rationale: Each AS channel needs access to both channels' signals in order to detect and accommodate faults.
Requirement CSS197-106-2.3 (Unchanged): The OS shall provide a status word for each channel's raw data values.
Requirement CSS197-107-2.3 (Unchanged): The OS shall detect failures of the TRA signal in each channel and declare them to the AS using the appropriate Status word for that channel.
    Rationale: To help identify where the fault is located. Indictment of the EEC will give clear indication that the EEC needs changing. Otherwise there is a good chance the problem lies with other units, connectors or harnesses, etc.
Heading 1.7.2.2 EEC Non-Functional Requirements (Unchanged)
Requirement CSS197-109-2.3 (Unchanged): Accuracy - Transient: The EEC transient processing accuracy of the TRA signal (i.e. up to a frequency of 1Hz with a maximum slew rate of 35 deg/sec), from EEC input connector to memory location conditioning, shall be 19 minutes of Arc.
Requirement CSS197-110-2.3 (Unchanged): Accuracy - Steady State: The EEC steady state processing accuracy of the TRA signal (i.e. over normal range at a frequency of 0 to 1Hz with a maximum slew rate of 5 deg/sec), from EEC input connector to memory location conditioning, shall be 19 minutes of
Requirement CSS197-111-2.3 (Unchanged): Range: The EEC shall accept a transducer operating range of -180 to 180 degrees resolver angle.
Requirement CSS197-220-2.3 (Unchanged): The normal range of the TRA assembly is -40 to 87.6 deg
Requirement CSS197-114-2.3 (Unchanged): Performance: TBD
Requirement CSS197-115-2.3 (Unchanged): There shall be no restriction on the rate of change of TLA.
    Rationale: The rate of change of TLA cannot be used to detect system failures.
Requirement CSS197-116-2.3 (Unchanged): Reliability: TBD for A380-1
Heading 1.7.3 Application Software Requirements (Unchanged)
Heading 1.7.3.1 Pre-Conditioning (Unchanged)
Heading 1.7.3.2 Functional Behaviour (Unchanged)
Heading 1.7.3.2.1 TRA Fault Detection (Unchanged)
Requirement CSS197-121-2.3 (Unchanged): Each TRA channel shall be declared invalid if its value is outside high or low range check limits, or if identified as invalid by the OS. The EEC shall apply a confirmation time of dvTRAFltSetInt seconds. The conditions for signal reheal are defined in CS
Requirement CSS197-122-2.3 (Unchanged)
    Rationale: The throttle stand only allows reverse thrust to be selected on inboard engines.
Informative Text (Unchanged)
Requirement CSS197-124-2.3 (Unchanged): A TRA cross check error between two valid TRA signals shall be confirmed when a difference of dvTRAXCTol or more is detected between TRAOwnRaw and TRAOthRaw, for dvTRAXChkInt seconds or longer. Cross checks between the two TRA signals shall be performed c
Requirement CSS197-225-2.3 (Unchanged): During the cross check fault confirmation time, TRAV shall be set to last good value.
Heading 1.7.3.2.2 TPA Validation (Unchanged)
Requirement CSS197-134-2.3 (Unchanged): Each TPA signal shall be declared invalid and excluded from the selection if the status from the AFDX function is not valid. In addition, the PRIM transmits the validity of each TPA signal through the bits Throttle1 acquisition fault, Throttle2 acquisi
Requirement CSS197-135-2.3 (Unchanged)
    Rationale: The throttle stand only allows reverse thrust to be selected on inboard engines.
Requirement CSS197-139-2.3 (Unchanged): If a TPA signal from a PRIM is declared invalid in the local channel for more than dvTPAFltSetInt seconds, then the EEC shall use the corresponding value from the other channel providing that it is valid.
Requirement CSS197-224-2.3 (Unchanged): During the confirmation time, the last valid value shall be held.
Requirement CSS197-142-3.5 (Unchanged): Each TPA signal shall be confirmed invalid if the same source is invalid in both channels for at least dvTPADFltSetInt seconds (Fault Integrator with dvTPAFaultDecrement seconds down), during which time the last valid value of the invalidated signal shall
    Rationale: This will prevent the signal being logged as faulty if a short glitch occurs.
Requirement CSS197-143-2.3 (Unchanged): A confirmed failure of a TPA signal shall be able to clear (up to three times) if the signal is valid again for more than dvTPADFltClrInt seconds (non-cumulative time). After three times the failure shall be latched until the next EEC reset
Heading 1.7.3.2.3 TPA Cross Checks (Unchanged)
Requirement CSS197-148-2.3 (Unchanged): For each of the three TPA signals, when both own and other channel TPA values are valid the own channel value shall be used for cross-checking purposes.
    Rationale: More reliable and less data skew than other channel.
Requirement CSS197-149-2.3 (Unchanged): Throttle movement shall be determined to be in progress if two or more valid TPA signals are changing at a rate of more than the threshold. If one TPA signal is confirmed invalid, it shall be treated as not moving.
    Rationale: Two valid signals are required to confirm throttle is moving.
Requirement CSS197-213-2.3 (Unchanged): The rate of change threshold of dvTPAMovDet deg/s shall be lowered to dvTPASSDet deg/s when one valid signal exceeds dvTPAMovDet deg/s; it shall return to dvTPAMovDet deg/s when all valid signals are moving at a rate of less than dvTPASSDet deg/s.
Requirement CSS197-214-2.3 (Unchanged): Following throttle movement there shall be a confirmation period of dvTPAMoveConf seconds before the movement detection becomes false.
Requirement CSS197-150-2.3 (Unchanged): If throttle is moving and one TPA signal (frozen signal) does not move for dvTPAFrozenConf seconds then that TPA signal shall be failed and excluded from the selection.
    Rationale: Reject frozen signals from selection.
Requirement CSS197-151-2.3 (Unchanged)
    Rationale: During throttle there may be differences due to data skewing.
Requirement CSS197-152-2.3 (Unchanged): The TPA cross check tolerance shall be dvTPAXCTol degrees.
Requirement CSS197-153-2.3 (Unchanged): During throttle movement the cross check tests shall be suspended and the previous result of the cross check tests shall be retained and used for TPA selection.
Requirement CSS197-154-2.3 (Unchanged): For each cross check test, failure shall be confirmed during dvTPAXCConf seconds (non-cumulative time) prior to setting a fault.
Requirement CSS197-155-2.3 (Unchanged): A confirmed failure shall be able to clear (up to three times) if the comparison test passes with no fault for more than one second (non-cumulative time). After three times, the failure shall be latched until the next EEC reset.
Requirement CSS197-166-2.3 (Unchanged): To avoid a thrust transient, the reheal of TPA signals (following invalidity only) shall only occur when the incriminated signal is in agreement (tolerance dvTRATPAXCTol) with the selected TRA.
Heading 1.7.3.2.4 TPA Selection (Unchanged)
Requirement CSS197-158-2.3 (Unchanged): If all three cross checks are valid the validated TPA value shall be calculated as the average of the three TPA signals.
Requirement CSS197-159-2.3 (Unchanged): If only two cross checks are valid the validated TPA value shall be set to the value of the TPA signal which is common to the two valid cross checks.
Requirement CSS197-160-2.3 (Unchanged): If one cross check is valid, then the validated TPA value shall be set to the average of the two TPA values in that test.
Requirement CSS197-163-2.3 (Unchanged): If, following validity checks and cross checks, at least 2 TPA signals are not valid and in agreement, then set TPA to Forward Idle and declare it invalid.
Requirement CSS197-164-2.3 (Unchanged): During confirmation of a TPA failure (Invalidity or cross check failure), the EEC shall use the last valid selection of TPA.
Requirement CSS197-167-2.3 (Unchanged): A dedicated development variable trim shall be provided to allow the validity of selected TPA to be set to invalid.
    Rationale: Airbus Requirement
Requirement CSS197-170-2.3 (Unchanged): TRA validated (TRAV) shall be set as defined below:
Requirement CSS197-171-3.3 (Unchanged): For detected failures TRA Validated (TRAV) shall be selected as follows:
Informative Text (Unchanged)
Informative Text (Unchanged)
Requirement CSS197-175-2.3 (Unchanged): When indicating a Faulty LRU to maintenance, the method used to detect the fault shall be indicated.
    Rationale: To support identification of failed LRU.
Requirement CSS197-176-2.3 (Unchanged): If the EEC is performing dual channel TRA fault accommodation, when one or both channels' TRA become valid again, the EEC shall confirm the validity of the TRA signal for dvTRADFClrInt seconds before selecting the valid TRA.
    Rationale: To prevent frequent selection of accommodation when intermittent faults occur.
Requirement CSS197-179-2.3 (Unchanged): A confirmed failure of a TRA signal (either invalidity or disagreement) shall be able to reheal up to three times when for the incriminated signal: no fault is detected and its value lies within dvTRAXCTol degrees of TRAV, for more than dvTRAFltClrInt sec
    Rationale: Latch intermittent signals out of selection.
Requirement CSS197-180-2.3 (Unchanged): For each TRA signal, after confirming and clearing a failure three times, any further failure shall be latched until the next EEC reset.
Requirement CSS197-181-2.3 (Unchanged): The TRA selection and accommodation logic shall generate a selection code word (TRASELMOD) that will identify the selected TRA signal and how it was selected.
Requirement CSS197-228-2.3 (Unchanged)
Heading 1.7.3.3 Anomalous Behaviour (Unchanged)
Informative Text (Unchanged): None
Heading 1.7.3.4 Scheduling Requirements (Unchanged)
Requirement CSS197-193-2.3 (Unchanged): TRA Iteration Rate shall be at least once every 50 ms in all operating modes.
    Rationale: To support fastest rate requirement of internal customers of the input data.
[Diagram: system architecture. Resolver signals TRA Channel A and TRA Channel B enter EEC channels A and B; PRIM 1, PRIM 2 and PRIM 3 send TPA-1, TPA-2 and TPA-3 as digital signals over the AFDX network to both EEC channels.]
Selection Requirements (columns: Condition, Actions, Rationale)
Selection 1 - No Fault
    V: Average of own and other signals; VS: Valid; CS: No Fault
    Rationale: Using the average improves accuracy.
Selection 2
    Fault Confirmation: CT: Trimable {1s up 150s down Fault Integrator}; V: Last Good Value; VS: Degraded
    Confirmed Fault: V: TRA own; VS: Degraded; CS: Indicate Faulty LRU to maintenance
    Rationale: Select TRA own
Selection 3
    Fault Confirmation: CT: Trimable {1s up 150s down Fault Integrator}; V: Last Good Value; VS: Degraded
    Confirmed Fault: V: TRA other; VS: Degraded; CS: Indicate Faulty LRU to maintenance
    Rationale: Select TRA other
Selection 4
    Fault Confirmation: CT: Trimable {1s up 150s down Fault Integrator}; V: Last Good Value; VS: Degraded
    Confirmed Fault: V: Reverse Idle; VS: Invalid; CS: Indicate Faulty LRU to maintenance
    Rationale: Select Default based on last good value when all signals are not available.
Selection 5
    Fault Confirmation: CT: Trimable {1s up 150s down Fault Integrator}; V: Last Good Value; VS: Degraded
    Confirmed Fault: V: Forward Idle; VS: Invalid; CS: Indicate Faulty LRU to maintenance
    Rationale: Select Default based on last good value when all signals are invalid.
Selection 6
    Fault Confirmation: CT: Trimable {1s up 150s down Fault Integrator}; V: Last Good Value; VS: Degraded
    Confirmed Fault: V: TRA Own; VS: Degraded; CS: Indicate Faulty LRU to maintenance
    Rationale: Select remaining valid signal.
Selection 7
    Fault Confirmation: CT: Trimable {1s up 150s down Fault Integrator}; V: Last Good Value; VS: Degraded
    Confirmed Fault: V: TRA Other; VS: Degraded; CS: Indicate Faulty LRU to maintenance
    Rationale: Select remaining valid signal.
Selection 8
    Fault Confirmation: CT: Trimable {1s up 150s down Fault Integrator}; V: Last Good Value; VS: Degraded
    Confirmed Fault: V: Forward Idle; VS: Degraded; CS: Indicate Faulty LRU to maintenance
    Rationale: Select default value when only one source is valid and this source is in disagreement with the aircraft orders.
Selection 9
    Fault Confirmation: CT: Trimable {1s up 150s down Fault Integrator}; V: Last Good Value; VS: Degraded
    Confirmed Fault: V: TPA; VS: Degraded; CS: Indicate Faulty LRU to maintenance
    Rationale: Select available signal to retain control.
Selection 10
    Fault Confirmation: CT: Trimable {1s up 150s down Fault Integrator}; V: Last Good Value; VS: Degraded
    Confirmed Fault: V: Forward Idle; VS: Invalid; CS: Indicate Faulty LRU to maintenance
    Rationale: Select default value when only one source is valid and this source is in disagreement with the aircraft orders.
Selection 11
    Fault Confirmation: CT: Trimable {1s up 150s down Fault Integrator}; V: Last Good Value; VS: Degraded
    Confirmed Fault: V: TRA Own; VS: Degraded; CS: Indicate Faulty LRU to maintenance
    Rationale: Select remaining valid signal.
Selection 12
    Fault Confirmation: CT: Trimable {1s up 150s down Fault Integrator}; V: Last Good Value; VS: Degraded
    Confirmed Fault: V: TRA Other; VS: Degraded; CS: Indicate Faulty LRU to maintenance
    Rationale: Select remaining valid signal.
Selection 13
    Fault Confirmation: CT: Trimable {1s cumulative}; V: Last Good Value; VS: Degraded
    Confirmed Fault: V: Forward Idle; VS: Invalid; CS: Indicate Faulty LRU to maintenance
    Rationale: Select default value when only one source is valid and this source is in disagreement with the aircraft orders.
Selection 14
    Fault Confirmation: CT: Trimable {1s cumulative}; V: Last Good Value; VS: Degraded
    Confirmed Fault: V: TPA; VS: Degraded; CS: Indicate Faulty LRU to maintenance
    Rationale: Select remaining valid signal.
Selection 15
    Fault Confirmation: CT: Trimable {1s cumulative}; V: Last Good Value; VS: Degraded
    Confirmed Fault: V: Reverse Idle; VS: Invalid; CS: Indicate Faulty LRU to maintenance
    Rationale: Select Default based on last good value when all signals are not available.
Selection 16
    Fault Confirmation: CT: Trimable {1s cumulative}; V: Last Good Value; VS: Degraded
    Confirmed Fault: V: MCL detent point; VS: Invalid; CS: Indicate Faulty LRU to maintenance
    Rationale: Select Default based on Mach number when all signals are invalid.
Selection 17
    Fault Confirmation: CT: Trimable {1s cumulative}; V: Last Good Value; VS: Degraded
    Confirmed Fault: V: Last Good Value; VS: Invalid; CS: Indicate Faulty LRU to maintenance
    Rationale: Select Default based on Mach number when all signals are invalid.
Selection 18
    Fault Confirmation: CT: Trimable {1s cumulative}; V: Last Good Value; VS: Degraded
    Confirmed Fault: V: Forward Idle; VS: Invalid; CS: Indicate Faulty LRU to maintenance
    Rationale: Select Default based on Mach number when all signals are invalid.
-
Results
All properties satisfied by current model
All properties give counterexamples in damaged models
All counterexamples comparable with actual test-cases used
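As an added illustration of the study procedure above (damaged model, requirement as property, counterexample compared with a test case), and not code from the MOSAIC study or its Promela or Simulink models: a small Python explicit-state checker for the movement-detection logic of CSS197-42, -43 and -44. The dvTPA* values, the abstract rate alphabet and the two damage variants are constructed assumptions, not project data.

```python
"""Added example: bounded explicit-state check of the throttle
movement-detection logic (CSS197-42 two-signal rule, CSS197-43 hysteresis,
CSS197-44 confirmation period), in the style of the spin study.

All parameter values, the abstract rate alphabet and the 'damaged' variants
are constructed for illustration; they are not project data.
"""
from collections import deque
from dataclasses import dataclass
from itertools import product

# Constructed trim values (the real dvTPA* values are project data).
DV_TPA_MOV_DET = 3    # deg/s: normal movement threshold
DV_TPA_SS_DET = 1     # deg/s: lowered threshold once one signal is moving
DV_TPA_MOV_CONF = 2   # iterations the detection is held after movement stops
RATES = (0, 2, 4)     # abstract rates: still, between thresholds, above both
NSIG = 3              # TRA own, TRA other, selected TPA (CSS197-42)


@dataclass(frozen=True)
class State:
    lowered: bool = False   # CSS197-43: threshold currently dvTPASSDet
    moving: bool = False    # movement detection output
    conf: int = 0           # CSS197-44: remaining confirmation iterations


def step(s, rates, valid, damage="none"):
    """One iteration of the detector. 'damage' selects a constructed fault:
    'ignore_validity' drops the 'invalid => not moving' clause of CSS197-42,
    'no_confirmation' drops the hold period of CSS197-44."""
    # CSS197-43 hysteresis: lower the threshold when one valid signal exceeds
    # dvTPAMovDet; restore it when all valid signals are below dvTPASSDet.
    exceeds = any(v and r > DV_TPA_MOV_DET for r, v in zip(rates, valid))
    settled = all(r < DV_TPA_SS_DET for r, v in zip(rates, valid) if v)
    lowered = True if exceeds else (False if settled else s.lowered)
    thr = DV_TPA_SS_DET if lowered else DV_TPA_MOV_DET
    # CSS197-42: two or more valid signals changing faster than the threshold.
    changing = sum(1 for r, v in zip(rates, valid)
                   if (v or damage == "ignore_validity") and r > thr)
    if changing >= 2:
        return State(lowered, True, DV_TPA_MOV_CONF)
    if damage != "no_confirmation" and s.moving and s.conf > 1:
        return State(lowered, True, s.conf - 1)   # CSS197-44 hold period
    return State(lowered, False, 0)


# Properties are checked on every transition (s, inputs) -> s2.
def prop_two_valid(s, rates, valid, s2):
    """Movement may only start while at least two signals are valid."""
    return not (s2.moving and not s.moving) or sum(valid) >= 2


def prop_confirmation(s, rates, valid, s2):
    """Detection never clears in the iteration right after it was raised."""
    return not (s.moving and s.conf == DV_TPA_MOV_CONF) or s2.moving


def check(prop, damage="none"):
    """Breadth-first exploration of every reachable state under every input.
    Returns None if 'prop' holds, else the shortest counterexample as a list
    of (rates, valid, resulting state): a test case for the model."""
    init = State()
    parent = {init: None}
    queue = deque([init])
    while queue:
        s = queue.popleft()
        for rates in product(RATES, repeat=NSIG):
            for valid in product((True, False), repeat=NSIG):
                s2 = step(s, rates, valid, damage)
                if not prop(s, rates, valid, s2):
                    return _unwind(parent, s) + [(rates, valid, s2)]
                if s2 not in parent:
                    parent[s2] = (s, rates, valid)
                    queue.append(s2)
    return None


def _unwind(parent, s):
    """Rebuild the input sequence that led from the initial state to s."""
    trace = []
    while parent[s] is not None:
        prev, rates, valid = parent[s]
        trace.append((rates, valid, s))
        s = prev
    return trace[::-1]


if __name__ == "__main__":
    for damage in ("none", "ignore_validity", "no_confirmation"):
        for prop in (prop_two_valid, prop_confirmation):
            print(damage, prop.__name__, check(prop, damage))
```

The undamaged model satisfies both properties; each damaged variant yields a one- or two-step counterexample that names the signal validities and rates to feed the model, which is the form a test case for the original specification would take.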
-
Effort Profile
[Chart: effort in hours per activity (interval analysis method, interval library, systematic approach, familiarisation, modelling, verification, validation preparation, validation, visualisation) for the TRA and ARC studies; individual values range from 3 to 57 hours]
-
Simulink Design Verifier
Extension to Verification and Validation toolbox
Integrates Prover Technology Prover plug-in
Adds a new library
Contains blocks that you use to specify assumptions and properties
Adds a new Tools sub-menu
Check model compatibility
Generate tests (coverage)
Prove properties
Options
-
Simulink Model
-
Study Setup for SDV
[Diagram: Latest Specification, Test Case, Underlying Error, Requirement -> compare]
-
Results
All properties satisfied by current model
All properties give counterexamples in damaged models
All counterexamples comparable with actual test-cases used
-
Effort Profile
-
Observations
spin:
Manual translation
No model extraction required
Test cases can be complex
Test cases in terms of Promela, not original specification
SDV:
Automatic translation
Model extraction required
Test cases relatively simple
Test cases in terms of original specification
-
Results from Other Studies
Active roll control
Examined for mode conflict
Much easier in spin than SDV
Surface friction estimation
Very difficult to check due to arithmetic involved
Fixed-priority scheduler
Challenging to model preemption accurately in Promela
Discovered one interrupt-masking issue that we fed back into development cycle
-
Summary
Used property elicitation to determine most relevant properties in the early lifecycle
Investigated model-checking tools using case-studies from industrial parties:
Applicable to some parts of examined systems
Submodel extraction needed to address scalability
Effort profile results to be fed into cost-benefit analysis task next year