dsn 2006 workshop on architecting dependable systems (wads ... · • to achieve fail-safe...
TRANSCRIPT
EADS Corporate Research Centre Germany
Page 1 Stefan Schneele June 2006
DSN 2006
Workshop on Architecting Dependable Systems(WADS)
Fault-tolerant Smart Sensor Architecture for Integrated Modular Avionics
Stefan Schneele, Klaus Echtle, Josef Schalk
June 27th, 2006
EADS Corporate Research Centre Germany
Page 2 Stefan Schneele June 2006
DECOS – Application Aerospace
SP6-Approach: Electronically Synchronized FlapsA (time-triggered) bus system will be used between the flap panels instead of the mechanical shaftA System Control Unit (SCU) has to control and monitor the time-triggered communication, instead of the Central Motor UnitFor redundancy reason each flap panel will be powered by 2 MotorsCross Shaft Brake to hold systemDevelopment and usage of new, smart sensors, interfaces and gateways supporting TTA
Rotary Actuator
Cross Shaft
Cross Shaft Brake
Load Zylinder Motor
EADS Corporate Research Centre Germany
Page 3 Stefan Schneele June 2006
Application Aerospace - Work Share
EADS Corporate Research Centre Germany
Page 4 Stefan Schneele June 2006
The Challenge• Build a smart sensor that meets:
• Functional Requirements– Reliable– Higher Resolution (90° ±0,1° ( 6 ‘) )– New Single-Turn coverage– Built-In Test capability
• Project Requirements– Use DECOS Tools & Methods– Integrate DECOS design approach– Use DECOS Hardware
• Industrial Requirements– Efficient (costs, weight, size, Integration, complexity)– Airworthy
EADS Corporate Research Centre Germany
Page 5 Stefan Schneele June 2006
Proof of Airworthiness I
• Reliability Modeling and Analysis of fault tolerant Flap Control System based on the to be developed DECOS technology– HW, SW and communication components– Fault tolerant structures: redundancies for fault diagnosis
and reconfiguration purposes– Signal diversity for highly fault tolerant flap control system– Reliability analysis and evaluation of flap control system
models based on different top events– Probabilities: top events satisfied / not satisfied– Degraded system states:
• ‘fail ^n -operational’ capabilities• probabilities of degraded system states
EADS Corporate Research Centre Germany
Page 6 Stefan Schneele June 2006
Proof of Airworthiness II
• Redundancy Management of fault tolerant Flap Control System based on the to-be-developed DECOS technology– Redundancy Management: Assessment of different
reconfiguration processes based on a hybrid system model (reliability block diagram and finite state machine).
Identify benefits & risks of system evolution by using DECOS technology
EADS Corporate Research Centre Germany
Page 7 Stefan Schneele June 2006
Safety Requirements
• The US Federal Aviation Regulations and the European Joint Aviation
Requirements provide detailed system safety regulations:
• degraded positioning rate of a specific control surface as consequence of one failed
channel.
• The second failure case of our interest is loss of operation of a specific control
surface as consequence of failures in both channels.
• fault regions SFRx:
EADS Corporate Research Centre Germany
Page 8 Stefan Schneele June 2006
Evolution of System – Federated Architecture
EADS Corporate Research Centre Germany
Page 9 Stefan Schneele June 2006
The Tool - Syrelan
• Developed by Dominick Rehage, University Hamburg-Harbug
• Supports: – Reliability Block Diagram (RBD)– Concurrent Finite State Machine (CFSM)
• For:– Reliability Analysis– Degradation Analysis
CPIOM 3 CPIOM 4CPIOM 1 CPIOM 2 CPIOM 5 CPIOM 6
QuerruderSpoilerHöhenruderTHSSeitenruder
CPIOM 1 P2
CPIOM 4 P4
CPIOM 3 P3CPIOM 2 P1
1.00E-06 1.00E-04aktiv aktivaktiv
aktiv- eissh aktiv- eissh
a ha a a h h h h hhh
1.00E-06 1.00E-04aktiv aktivaktiv
1.00E-06 1.00E-04aktivaktiv passiv- altk
a ka k k
aktivpassiv-kalt
1.00E-06 1.00E-04aktivaktiv
1.00E-05aktiv
1.00E-05passiv-kalt
1.00E-05passiv-kalt
1.00E-07aktiv
1.00E-04aktiv
1.00E-04aktiv
2.10E-05aktiv
2.10E-05aktiv
1.00E-07aktiv
1.00E-06 1.00E-04
passiv- altka ha h k
aktiv- eissh
aktiv1.00E-04
isoliert
1.00E-06isoliert
i i i a a a a a a
isoliert
i i i i i a a a a
aktiv-heiss
a aa a haktiv- eissh
1.00E-04
isoliert
i i i i i i a a a 1.00E-04
1.00E-05isoliert
1.00E-05aktiv
aktiv-heiss
a aa a aaktiv
1.00E-04aktiv
isoliertisoliert
1.00E-06isoliert
1.00E-04aktiv isoliert
isoliert
1.00E-04
aktiv
i ai a aaktiv
isoliert
i ii i a
isoliert1.00E-04
isoliert
isoliert1.00E-04
isoliert
1.00E-05isoliert
1.00E-05aktiv
aktiv1.00E-04
aktiv
isoliert
aktiv
isoliert
1.00E-06isoliert
1.00E-04aktiv
isoliertisoliert
1.00E-04aktiv
isoliertisoliert
isoliert1.00E-04
isoliert
1.00E-05isoliert
1.00E-07isoliert
1.00E-04isoliert
1.00E-04isoliert
2.10E-05isoliert
2.10E-05isoliert
1.00E-07isoliert
EADS Corporate Research Centre Germany
Page 10 Stefan Schneele June 2006
Failure Modes of Conventional Sensor
• Failure Rates of components:
EADS Corporate Research Centre Germany
Page 11 Stefan Schneele June 2006
Evolution of System – Integrated Architecture
EADS Corporate Research Centre Germany
Page 12 Stefan Schneele June 2006
Design Rules for Smart Sensors –Common Cause Failures
Although the structural reliability numbers of smart sensors can meet the ones conventional systemsadditional failure modes are introduced to the system (COMPLEXITY). Risk of common modes. For worst-case consideration, the β-Factor - representing the chance of common cause failures in different channels – is set to 0.4.
Do not receive any data,very few numbers of operational modessuitable simple composition of componentsEverything should be made as simple as possible, but not simpler.
EADS Corporate Research Centre Germany
Page 13 Stefan Schneele June 2006
Smart Sensor - Components
EADS Corporate Research Centre Germany
Page 14 Stefan Schneele June 2006
Position Pick-Off Unit – Software Design
• To achieve fail-safe behavior, usually failure masking with n-out-of-m failure masking
is used efficiency constraints
• The presented architecture can only provide two different values. Therefore an
approach is selected, which is based on an online selftest for failure detection.
EADS Corporate Research Centre Germany
Page 15 Stefan Schneele June 2006
DECOS - Integrated Distributed Execution Platform
• Specification of Requirements and Design of:
Communication infrastructure
taylored to a DAS(TT or ET)
Core Services (DAS-Indep.)C1 Predictable Message
TransportC2 Fault-Tolerant Clock
SynchronizationC3 Strong Fault IsolationC4 Consistent Diagnosis of
Failing Nodes
Hiding of implementation details from the application, thereby extending the range of implementation choices
Time-Triggered Base Architecture
Core Services for Interfacing the Time-Triggered (TT) Physical Network
of the Base Architecture
Communication infrastructure
taylored to a DAS(TT or ET)
High-Level Services (DAS-Specific)...
Virtual Network ServiceGateway Service
Safety-Critical Subsystem
Job JobJob Job
Non Safety-Critical Subsys
Job Job Application Code
App. MW (e.g., CAN)
PI
Job Job
Encapsulated Execution Environment Virtual Communication Links and GatewaysPlatform Interface Layer
DECOS = Dependable Embedded Systems and Components
EADS Corporate Research Centre Germany
Page 16 Stefan Schneele June 2006
DECOS - Methods and Tools
• Specification of the Platform Independent Model (PIM)– PIM Metamodel, – Design methodology
• Specification of the Resource Layer– Hardware specification model
• Software-Hardware Integration– Specification of PSM
development tool
Platform Independent Model (PIM)
Distributed Application Subsystem (DAS)
Integrated HW/SW System (PSM) SYS
Platform Interface (PI)
Platform
DAS: Distributed Application SubsystemPIM: Platform Independent ModelPSM: Platform Specific ModelPI(L):Platform Interface
• Modeling Distributed Application Subsystems
EADS Corporate Research Centre Germany
Page 17 Stefan Schneele June 2006
µ-Controller – single point of failure
• Modern µ-Controllers provide suitable operation life-time of up
• to 20 years in controlled temperature racks. • Concerning the use in extremely harsh environment with
high amplitudeof temperature and pressure chances, we expect:
• Self-checks on power-on can be interpreted as frequent maintenance intervals, making this failure rate plausible.
• This maintenance interval should be equal to the mission time.
• Redundancy cause of efficiency constraints not a suitable approach for smart sensing devices
EADS Corporate Research Centre Germany
Page 18 Stefan Schneele June 2006
• Failure Rates of components:
Failure Modes of Smart Sensor - Hardware
More states because of Initialization
EADS Corporate Research Centre Germany
Page 19 Stefan Schneele June 2006
Benefit of DECOS Technology
• For Reliability Analysis, Smart Sensor must fulfill:– Fail-safe behavior– appearance as an atomic unit– No failure propagation
Guaranteed by DECOS node design (to be proofed)
• Minimization of Design faults and handling of complexityAddressed by Model based and Hardware Independent system design approach
• Partitioning in time and space domainAddressed by Encapsulated Execution Environment and
Time-Triggered Protocol
EADS Corporate Research Centre Germany
Page 20 Stefan Schneele June 2006
Conclusion
• the novel DECOS architecture is applied to a smart sensor design.
• The justification of the sensor concept was given on a structural level.– sensor design meets the reliability constraints
• a remarkably small subset of components can fulfill both efficiency and reliability constraints
• This concept is implemented inreal hardware, and evaluated on a realistic test-
bench.
EADS Corporate Research Centre Germany
Page 21 Stefan Schneele June 2006
Thank you !