Figure 1 - uploaded by Ricky W. Butler
The High Level Architecture of an Avionics System.

Source publication
Article
This document summarizes the safety analysis performed on a Flight Guidance System (FGS) requirements model. In particular, the safety properties desired of the FGS model are identified and the presence of the safety properties in the model is formally verified. Chapter 1 provides an introduction to the entire project, while Chapter 2 gives a brief...

Contexts in source publication

Context 1
... aviation domain provides a number of excellent candidates and the avionics system of a typical regional jet aircraft was chosen because of its safety critical nature and its inherent complexity. As shown in Figure 1, the avionics architecture is comprised of many individual subsystems. Featured in this diagram are the Flight Control System (FCS) and Flight Management System (FMS). ...
Context 2
... Rockwell Collins has described an extension to the four-variable model that provides guidance on how to organize the software so that it traces clearly and directly to both the system (REQ) requirements and the hardware (IN and OUT) requirements, [5]. This is done by stretching the SOFT relation into the relations IN', REQ', and OUT' as shown in Figure 10. This conceptual view creates a virtual image of the MON and the CON variables in software, MON' and CON', an approach often advocated in object-oriented design methods. ...
Context 3
... safety-critical applications, the existence of these differences must be taken into account. However, if they are well within the tolerances of the system, the paradigm of Figure 10 provides a natural conceptual model relating the system and the software requirements. ...
Context 4
... FTA is presented as a visual, tree-like structure where the various factors that contribute to a high level event are linked together. Typical FTA symbology is defined in Figure 11. As shown, the highest level event (hazard) is traced backward through various contributing events until the base event - the most fundamental thing that can go wrong - is identified. ...
Context 5
... use of formal methods in assessing safety involves four steps as shown in Figure 12. First, the system itself must be specified, or modeled, in a formal language. ...
Context 6
... FTA will therefore map each hazard into finer and finer levels of contributing events until one of the functional categories identified in Table 11, or its equivalent in a non-FGS element, has been reached. The top levels of the FTA for the hazard Incorrect Guidance are shown in Figure 13. The fault tree first splits into "Incorrect AP Guidance" and "Incorrect FD Guidance" because the AP and the FD both receive guidance values from the FGS, but are implemented independently of one another. ...
Context 7
... lower levels of the FTA are shown in Figure 14. Recall that in the actual system two identical FGS units are in operation at any time, Section 2.1.3. ...
Context 8
... a first step, we created a requirements document in DOORS for the English statements of the FGS requirements. We then added within DOORS a corresponding statement in the syntax of SMV, Figure 15. This provided complete traceability for all requirements. ...
Context 9
... added benefit was that the model-checker allowed us to confirm that partial order, rather than a total order, of the input events was acceptable, Figure 16. That is, it was acceptable for some combinations of events to occur at the same time. ...

Similar publications

Article
Functional validation of digital hardware components is an important problem. Detecting bugs early in the design cycle is crucial for both economic and methodological reasons. Even though formal methods have emerged as a successful approach to ensuring the correctness of hardware, their use is still quite limited due to scalability problems....
Conference Paper
Formal techniques for guaranteeing software correctness have made tremendous progress in recent decades. However, applying these techniques to real-world safety-critical systems remains challenging in practice. Inspired by goals set out in prior work, we report on a large-scale case study that applies modern verification techniques to check safety...
Article
In this study, an efficient methodology capable of systematically constructing an aircraft design database is developed and its application is discussed. The database focuses on fighter and attack aircraft because their design is a particular challenge compared with the design of other types of aircraft. For small conventional aircraft, historical...
Conference Paper
This paper presents a SysML system-level modeling method and the evaluation of parametric constraints using an analysis tool for a case of low-level motion systems. To this end, we create separately system-level design models based on the SysML constructs by defining the structure of the system. For engineering analysis, we apply the SysML parametr...
Article
In this paper we report on experiences gained and lessons learned from the use of the Timed OTS/CafeOBJ method in the formal verification of the TESLA source authentication protocol. These experiences can be a useful guide for users of OTS/CafeOBJ, especially when dealing with such complex systems and protocols.

Citations

... These requirements capture how safe and reliable the system is. Table 3.4 shows the ABT-18 UAV autopilot system safety requirements, which can be seen in Appendix E. [22] ...
... These requirements capture is essential and is required to extend the operating life of the aircraft with advancement in the technology in airport traffic management system. The Table 3.5 shows the ABT-18 UAV autopilot operating environment requirements which can be seen in Appendix F. [22] ...
... This describes the typical safety assessment process and the functional hazard assessment performed on the ABT-18 UAV autopilot functions. [22] ...
Book
The dynamic behavior of the aircraft can be simulated if an appropriate model of the aircraft is generated with a view to predicting the amount of force required by the actuators that would control the surfaces and make the aircraft stable after a disturbance. The dynamic stability of a light aircraft called the Air Beetle (ABT-18) was investigated, where the geometry of the aircraft was input into Athena Vortex Lattice (AVL) software using X downstream, Y out the right wing and Z up coordinates to investigate how stable the aircraft will be in the longitudinal and lateral directions respectively. A model of the aircraft was created with dimensionless aerodynamic coefficients based on the trim flight condition. The aircraft specifications were input into AVL and aerodynamic stability coefficients were produced. The simulation was carried out in the graphical environment of MATLAB Simulink, where block models of the aircraft were formed. Thereafter, transfer functions were obtained from the solutions of the light aircraft equations of motion. The pole placement method was used to test the stability of the aircraft. Aerospace, control and avionics students and designers will find this book useful.
... As the strength of a safety analysis methodology is intimately dependent on the associated fault model (or experience of the analyst), and while fault models for hardware components are well understood and measurable, the number of ways in which software can produce faulty behavior is a debated subject in industry [6] and academia [4] [5], owing most of the discussion to the interpretation and semantics of the possible faults to consider under analysis. ...
Conference Paper
ISO26262 mandates safety analysis to be performed at software architectural level, albeit without specifying concrete methods to fulfill it. This preliminary work identifies a method for which industrial and academic guidelines are readily available and demonstrates how the method fulfills ISO26262's requirements for a systematic safety analysis on software components.
... The evolution of the software development process is shown in Fig. 1 [2]. MIL-STD- The five software levels, the number of objectives that must be satisfied, and the failure hazard levels applied to system design are shown in Table 1 [5]. [8]. ...
Article
The Mission Equipment Package (MEP) system is a collection of avionic components that are integrated to perform the mission of the Korean Utility Helicopter (KUH). MEP system development is classified as a mission-critical embedded system, but the KUH MEP system was developed including flight-critical data implementation. It is important to establish a good development and verification process for successful system development. This paper describes the development and verification process in each phase for the KUH MEP system. The MEP system design is verified through the qualification test, system failure test and compatibility test in the System Integration Laboratory (SIL).
... Synchronous data flow languages, such as Esterel [2], Lustre [3], SCR [14], and RSML-e [24] seem to be particularly well suited to this task, and commercial versions of these tools such as SCADE [11] and Simulink [9] are growing in popularity among designers of safety critical systems. At the same time, advances in formal analysis tools have made it practical to formally verify important properties of these models [4], [5], [6], [12], [16], [19], [25], [26]. ...
... Synchronous data flow languages, such as Esterel [2], Lustre [3], [16], SCR [18], and RSML-e [36] are particularly well suited to this task, and commercial versions of these tools such as SCADE [12] and Simulink [10] are growing in popularity among designers of safety critical systems, largely due to their ability to automatically generate code from the models. At the same time, advances in formal analysis tools have made it practical to formally verify important properties of these models to ensure that design defects are identified and corrected early in the lifecycle [4], [5], [6], [20], [34], [35]. ...
... For a synchronous system where the requirements are specified as "shall" statements over system inputs and outputs, this process is relatively straightforward. In [24], [25], and [35], we described the process of translating these informal statements into safety properties in more detail. ...
Article
Recent advances in modeling languages have made it feasible to formally specify and analyze the behavior of large system components. Synchronous data flow languages, such as Lustre, SCR, and RSML-e are particularly well suited to this task, and commercial versions of these tools such as SCADE and Simulink are growing in popularity among designers of safety critical systems, largely due to their ability to automatically generate code from the models. At the same time, advances in formal analysis tools have made it practical to formally verify important properties of these models to ensure that design defects are identified and corrected early in the lifecycle. This report describes how these tools have been applied to the ADGS-2100 Adaptive Display and Guidance Window Manager being developed by Rockwell Collins Inc. The Window Manager acts as a "switchboard" between display applications and physical displays. It is also responsible for ensuring that critical information is displayed to pilots even in the presence of application and hardware failures. In this effort, the majority of the functional behavior of the window manager, with over 16,000 primitive Simulink blocks organized into over 4,000 subsystem instances, was verified against the high-level requirements expressed as 563 temporal logic properties. As a result, 98 errors in the high-level requirements and Simulink models were found and corrected. This work demonstrates how formal methods can be easily and cost-efficiently used to remove defects early in the design cycle.
Article
The dynamic stability of a light aircraft is crucial at all phases of flight. These include takeoff, climb, cruise, loiter, descent and landing, where the aircraft is subjected to intense pressure from aerodynamic forces and moments. Control surfaces and flight control systems are therefore used to control and pilot the aircraft to safe flight. The dynamic behavior of the aircraft can be simulated if an appropriate model of the aircraft is generated with a view to predicting the amount of force required to control the actuators that would actuate the control surfaces and make the aircraft stable after a disturbance. In this research paper, the dynamic stability of a light aircraft called the Air Beetle (ABT-18) was investigated, where the geometry of the aircraft was input into Athena Vortex Lattice (AVL) software using X downstream, Y out the right wing and Z up coordinates. The objective was to investigate how stable the aircraft will be in the longitudinal and lateral directions respectively. A model of the aircraft was created with dimensionless aerodynamic coefficients based on the trim flight condition of cruise speed 51.4 m/s at 12,000 ft altitude. The aircraft airframe configuration and specification were input into AVL and aerodynamic stability coefficients were produced. The simulation was carried out in the graphical environment of Matlab Simulink, where block models of the aircraft were formed. Thereafter, transfer functions were obtained from the solutions of the light aircraft equations of motion. The pole placement method was used to test the dynamic stability of the aircraft, and it was found to be laterally stable on the longitudinal axis and longitudinally stable on the lateral axis. Thus, the dynamic stability controls of the aircraft were achieved in the autopilot design by implementing successive PID controller loops, and it was found that the ABT-18 aircraft satisfied the conditions necessary for longitudinal and lateral stability.
Article
The major elements of an avionics system architecture are requirements, the Real Time Operating System, message communication, memory, data format, etc. This paper describes state-of-the-art development trends for the avionics system architecture, system requirements and data bus among the major elements of an avionics system. Domestic technology has attempted an Integrated Modular Avionics (IMA) system based on Avionics Full Duplex Switched Ethernet (AFDX) technology during the Light Attack Helicopter (LAH) project in Korea, but it has not yet been proven as a product case in the Full Scale Development Phase. An avionics system architecture that takes into account the domestic inexperience with IMA system architecture is suggested for the Next-generation Corps Unmanned Aircraft System.
Article
This paper aims at presenting a method to assist reverse integration of Software Failure Modes and Effects Analysis (SFMEA) and Software Fault Tree Analysis (SFTA). Reverse integration of SFMEA and SFTA is an integrated approach to analyzing the reliability and safety of software, which can make up for the defects of SFMEA and SFTA when they are used alone. However, the approach also brings some problems: a complex analysis process and no analysis clues. In this paper we present an improved method that uses the software functional structure diagram, software control flow diagram (CFD) and software data flow diagram (DFD) to assist reverse integration of SFMEA and SFTA. These assistive methods provide analysis clues for establishing the fault tree and tracing the effects of failure modes in SFMEA. With these assistive methods, we can reduce the workload and difficulties of reverse integration of SFMEA and SFTA.
Thesis
http://www.doria.fi/handle/10024/103605
Article
The manual construction of fault trees for complex systems is an error-prone and time-consuming activity, encouraging automated techniques. In this paper we show how the retrenchment approach to formal system model evolution can be developed into a versatile structured approach for the mechanical construction of fault trees. The system structure and the structure of retrenchment concessions interact to generate fault trees with appropriately deep nesting. We show how this approach can be extended to deal with minimisation, thereby diminishing the post hoc subsumption workload and potentially rendering some infeasible cases feasible.