Advanced Multi-System Simulation Capabilities with AltaRica
Abstract
Recently, AIRBUS and ONERA were involved in the ESACS (Enhanced Safety Assessment for Complex Systems) European project. The aim of this project was to investigate new safety assessment techniques based on the use of formal design languages and associated tools. Two case studies based on AIRBUS aircraft were used to validate the approach. Both a complete hydraulic system and an electric system were modelled. We also built a model depicting the two systems and their interconnections and performed a safety analysis focusing on failure propagation. In this paper, we report how the combination of these two medium-sized models was assessed and analysed with the AltaRica language. With respect to analysis, we explain how we used Cecilia OCAS, developed by Dassault Aviation, a French aircraft manufacturer. Simulation was first performed interactively with graphical views of the system that help to understand precisely how failures propagate inside a system as well as between systems. Then we used a model checker that symbolically performs an exhaustive simulation of the system. As a main result, we found that these tools and the underlying safety approach were very efficient for assessing whether qualitative safety requirements are fulfilled by a system design or not.

Introduction

During the last three years, AIRBUS and ONERA were involved in the ESACS (Enhanced Safety Assessment for Complex Systems) European project. This project aimed at developing safety assessment techniques based on the use of formal specification languages and associated tools. So-called formal models are traditionally used to specify the expected normal behaviours of software-based systems. ESACS partners first investigated how to generalize such models to deal with faulty behaviours of various kinds of systems. Then they proposed new tools, or new uses of existing tools, to check whether the generalized formal models met qualitative safety requirements. These tools provide not only interactive simulation capabilities but also take advantage of formal language features to support advanced capabilities such as model checking or fault tree generation. The approach was validated on some existing aircraft systems. In this paper we present how AIRBUS France and ONERA tackled the modeling and assessment of two aircraft systems using the AltaRica language and a subset of the associated tools.

The ESACS approach (ref. 1) raised two main issues. The first issue is how to get formal system models that are meaningful for safety analysis. ESACS partners are interested in failure propagation in complex dynamic systems, so they consider formal notations for reactive systems that are used to support system design, such as Statecharts (models are automata) or Scade (models are equations between synchronous data flows), or that are dedicated to safety, such as AltaRica (models mixing automata and equation concepts). To cope with failure propagation, system models can either be produced by system designers and then extended with failure modes specified by safety engineers, or can be produced directly by safety specialists using libraries. It is worth noting that formal models of failure propagation should have the correct granularity level to ease model exploitation. On the one hand, advanced simulation capabilities perform well when the analyzed model does not go into detailed arithmetic computations. On the other hand, a correct granularity is reached when the scenarios leading to a failure condition that the tools extract are similar to what safety analysts would have envisioned if they had to design a fault tree. In order to get the appropriate granularity at the first attempt, we chose to define libraries of AltaRica components that focus on failure mode propagation and abstract away the details of nominal behaviours.

The second issue is related to the choice of adequate techniques for assessing qualitative safety requirements of complex dynamic systems. Interactive simulation facilities make it possible to perform a preliminary bottom-up analysis, since failures can be injected and their effects computed not only locally but at system or even aircraft level. This will be detailed later on. Top-down analyses are guided by qualitative requirements such as "no single failure leads to the system loss". We propose to use model checkers to assess such requirements. They perform an "exhaustive" simulation to check whether a requirement is always met. Moreover, they can distinguish subtle temporal situations such as a transient loss of a function (during a recovery phase, for instance) from a permanent one.

Two case studies based on AIRBUS aircraft were used to validate the approach. Both a complete hydraulic system and an electric system were modeled and assessed. Then another system depicting the two systems and their interconnections was built and analyzed.

The paper has the following structure. The first section describes the studied aircraft systems and focuses on their safety requirements and architecture. Section 2 introduces the AltaRica language through examples; we explain the modeling philosophy used to build the hydraulic and electric libraries at a satisfying granularity level. Section 3 deals with the benefit of advanced simulation capabilities for assessing qualitative safety requirements on dynamic models; we show how the models were analyzed using the interactive simulation facilities of Cecilia OCAS and the SMV (Symbolic Model Verifier) model checker. The following section is dedicated to problems related to the combination of systems, from both the modeling and the safety assessment points of view; we illustrate our proposals with the combination of the hydraulic and electric systems. The last section presents the conclusion of our work and the lessons learnt so far.

Case-studies Presentation

Both systems studied in this paper generate power and supply it to the aircraft systems. The role of the hydraulic system is to supply hydraulic power to devices that ensure aircraft control in flight, like the flaps, slats or spoilers, as well as devices used on the ground, like the braking system. The role of the electrical system is to deliver AC/DC power to all loads of the aircraft, such as displays, motors or computers. As the loss of devices powered by these systems could lead to the loss of aircraft control, both systems share the same main safety requirement: total loss of (hydraulic or electrical) power is considered catastrophic. The probability of occurrence of this failure condition should be smaller than 10 per flight hour and no single failure should lead to this failure condition.

Hydraulic Generation and Distribution System

The hydraulic system is mainly composed of three independent subsystems that generate and transmit hydraulic power to the consumers. Three kinds of pumps were used in the model of an A320-like hydraulic system. The first one is the Electric Motor Pump (EMP), which is powered by the electric system; the second one is the Engine Driven Pump (EDP), which is powered by one of the two aircraft engines; and the last one is the RAT pump, which is powered by the Ram Air Turbine. The hydraulic system also contains other types of components such as tanks, valves and gauges. To meet its main safety requirement, the system is made up of three channels: Green, Blue and Yellow. The Blue channel is made of one electric pump EMPb, one RAT pump and two distribution lines: priority (Pdistb) and non-priority (NPdistb). When priority valve PVb is closed, consumers connected to NPdistb do not receive hydraulic power. The Green channel is made of one pump driven by engine 1, EDPg, and two distribution lines Pdistg and NPdistg. The Yellow channel is made of one pump driven by engine 2, EDPy, one electric pump EMPy and two distribution lines Pdisty and NPdisty. Moreover, a reversible Power Transfer Unit (PTU) transmits pressure between the green and yellow channels as soon as the differential pressure between both channels exceeds a given threshold.

These components are controlled by crew actions and reconfiguration logic. The RAT is automatically activated in flight when both engines are lost. The EMPb is automatically activated when the aircraft is in flight, or on the ground when one engine is running. EMPy is activated by the pilot on the ground. We assumed that EDPy and EDPg were activated whenever the corresponding engine was started.

Figure 1 − Hydraulic System Architecture

Electrical Generation and Distribution System

The electrical system includes generators, bus bars, contactors, circuit breakers, Transformer/Rectifier Units (TRU) and junctions. To meet its main safety requirements, the electrical system of an A320-like aircraft is organized in two subsystems: the nominal electrical system and the emergency system. The nominal system is composed of 2 main generators, GEN1 powered by engine 1 and GEN2 powered by engine 2, and an auxiliary power unit, APU. The emergency system is composed of an emergency generator CSM_G powered by the Ram Air Turbine, automatically deployed in case of loss of the main generators. Electricity is supplied to the electrical loads through four distribution bus bars in the normal system (ACside1, DCside1, ACside2, DCside2) and two essential bus bars in the emergency system (ACess and DCess). The AC to DC conversion is performed by transformers TR1, TR2 and TRess. The system contains several circuit breakers to limit the propagation of short circuits.

Figure 2 − Electrical System Architecture

Contactors are controlled in order to implement various reconfigurations. For instance, any nominal generator (GEN1, GEN2 or APU) can be used to provide electricity to any distribution bus bar in the normal system or in the emergency system when one or two generators are not available. Other reconfiguration rules apply to the loss of transformers TR1 and TR2. When all nominal generators are lost, the emergency generator provides power to the essential bus bars only.

System Modeling in AltaRica

The AltaRica Language

AltaRica (ref. 2) is a formal language developed at LaBRI (Laboratoire Bordelais de Recherche en Informatique) for modeling both functional and dysfunctional behaviours of systems. Thanks to the
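As an added example (not the paper's AltaRica model or any code from the project), the hydraulic architecture and reconfiguration logic described above can be abstracted into a small Python model and checked exhaustively against the "no single failure leads to total loss" requirement, in the spirit of the exhaustive simulation the paper delegates to a model checker; it goes one step further and lists the minimal failure combinations that do cause total loss. Component names follow the text; the single lumped electric-supply event `elec`, the in-flight/on-ground flag and the Boolean abstraction of pressure are assumptions of this example.

```python
from itertools import combinations

# Failure events of the hydraulic model described above. Constructed abstraction,
# not the paper's AltaRica model; "elec" lumps the electric supply of both EMPs.
FAILURES = ("eng1", "eng2", "EDPg", "EDPy", "EMPb", "EMPy", "RAT", "PTU", "elec")


def channels(failed, in_flight=True):
    """Return the set of pressurized channels given a set of failed items.

    Encodes the reconfiguration logic from the text: EDPs run with their engine,
    EMPb runs in flight (or on ground with one engine running), EMPy is a
    ground-only pilot action, the RAT deploys in flight when both engines are
    lost, and the reversible PTU pressurizes green from yellow or vice versa.
    """
    ok = lambda item: item not in failed
    eng1, eng2, elec = ok("eng1"), ok("eng2"), ok("elec")
    emp_b_on = in_flight or eng1 or eng2
    emp_y_on = not in_flight
    rat_on = in_flight and not eng1 and not eng2
    green = eng1 and ok("EDPg")
    yellow = (eng2 and ok("EDPy")) or (emp_y_on and elec and ok("EMPy"))
    if ok("PTU"):  # transfer pressure from whichever side still has it
        green, yellow = green or yellow, yellow or green
    blue = (emp_b_on and elec and ok("EMPb")) or (rat_on and ok("RAT"))
    return {n for n, p in (("Green", green), ("Blue", blue), ("Yellow", yellow)) if p}


def single_failure_safe(in_flight=True):
    """Qualitative requirement: no single failure leads to total loss of power."""
    return all(channels({f}, in_flight) for f in FAILURES)


def minimal_cut_sets(max_order=4, in_flight=True):
    """Exhaustively enumerate failure combinations up to max_order that cause
    total loss of hydraulic power, keeping only the minimal ones."""
    cuts = []
    for k in range(1, max_order + 1):
        for combo in combinations(FAILURES, k):
            s = frozenset(combo)
            if channels(s, in_flight) or any(c <= s for c in cuts):
                continue  # still pressurized, or a smaller cut already explains it
            cuts.append(s)
    return cuts


if __name__ == "__main__":
    print("no single failure causes total loss in flight:", single_failure_safe())
    for c in sorted(minimal_cut_sets(), key=len):
        print(len(c), sorted(c))
```

Note that with engines running the RAT is never deployed, so three failures such as EDPg, EDPy and EMPb already cause total loss, whereas losing both engines additionally requires the RAT pump to fail.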
Similar Sources
The AltaRica data-flow language in use: modeling of production availability of a multi-state system
This article presents an application of the AltaRica Data-Flow language to the assessment of the average production of a production line throughout a period of time. Its contribution is twofold. The problem is described. Modelling difficulties are pointed out. Solutions are proposed via the use of the AltaRica Data-Flow language. The ability of this language to represent complex systems is demo...
Perspective of MAS in Power System via a Fuzzy Framework
Multi-agent systems (MAS) are popularly used in practice; however, a few studies have looked at MAS capabilities from the power engineering perspective. This paper presents the results of an investigation concerning the compatibility of MAS capabilities in different power engineering categories. Five MAS capabilities and seven power system categories are established. A framework for applying MA...
Hierarchical Modeling and Verification of Timed Systems in Timed AltaRica
In this paper we present a timed extension of the AltaRica language, Timed AltaRica, and describe the architecture of a compiler from Timed AltaRica to timed automata. We present the features of the language, namely modularity, hierarchical modeling and reuse of components during the specification phase, on an avionics example. Then, we use the compiler from Timed AltaRica to Timed Automata to ...
Génération du Simulator Stochastique à Partir de la Description du Système
Stochastic simulation is an approach usually used in system dependability studies when systems are too large or too complex to be solved by analytical methods. By using states/transitions formalisms (transitions systems, Markov chains, Petri nets, etc.) for modeling, analytical methods are hardly accessible due to the state space explosion problem and simulation seems to be the most effective w...
GraphXica: a Language for Graphical Animation of Models
The objective of this article is to present GraphXica, a Domain Specific Language (DSL) for graphical animation of models. GraphXica makes it possible to describe graphical representations of models and their animations. Given a graphical representation and animation description of the model, different kinds of Graphical User Interfaces (GUIs) can be generated to simulate it, for example a web based int...