model-based iv&v for an operation procedure · 2014-08-02 · model-based iv&v for an...
TRANSCRIPT
Model-Based IV&V Model Based IV&V for an Operation Procedure
2010 Validation and Verification Workshop@NASA IV&V Facility2010 Validation and Verification Workshop@NASA IV&V Facility
Tsutomu MATSUMOTO*1,Masakazu TAKASE*2, Yuko MIYAMOTO*1, Masa KATAHIRA*1
*1 Japan Aerospace Exploration Agency (JAXA)*2 Mitsubishi Space Software Co.,Ltd. (MSS)
September 17, 2010
1
p ,
Contents
BackgroundIV&V for an Operation Procedure in JAXAp
Target SystemActivity executionActivity execution
Work SequenceModeling and SimulationModeling and SimulationCase Example
Lessons Learned Lessons Learned Conclusion and Future Work
September 17 2010 Validation and Verification Workshop 2
BackgroundIV&V f O i P d i JAXAIV&V for an Operation Procedure in JAXA
Mission
[GOAL of proposed method]Validate consistency between
S S
Operation
previous target phase
yoperational design and system design from early development phase.
SystemRequirement
SystemTest
g p
proposed target phase
SoftwareRequirement
SoftwareTest
(1)IV&V with Operation Scenario and System Design[static check]IV&V of Operation Data File
g p
SoftwareDesign
Unit Test[dynamic check]not executed yet
(2)IV&V with Operation
(1)IV&V of Operation Scenario[static check]not executed yet
SoftwareImplementation
Procedure and Code[static check]not executed yet[dynamic check]
y[dynamic check]Executable-Model Based Verification for HTV Pressurized Environment
September 17 2010 Validation and Verification Workshop 3
Distributed Simulation of HTV Operation Control System
Controller (proposed method)
future target phase
Target System (1/2)
Spacecraft : H-II Transfer Vehicle (HTV)Component : Avionics Module / Multi-mission Control Unit (MCU)Function: Pressurized Environment Controller
September 17 2010 Validation and Verification Workshop 4
HTV
Target System (2/2)
CCSDS Data Processor Bus Interface Unit
Control of Logistics Carrier
CMDInput
TLMOutput
TLMInput
CMDOutput
<Target Function>pressurized environment TLM
I
Onb
Equ
<ISS>controller<Other Functions>caution & warningheater controllerpower estimator
Input
CMDOutput
board
ip
men
t
1553BRT
ISS formattransition
INT MDM
The function is well-defined in
Data Handling Multi Mission func.
power estimatorpropulsion FDIRLLM mode function
TLMOutput
TLMInput
The function is well-defined in early development phase and appropriate for sample case.
TLMCMD
MCU_A
Data Handling Multi Mission func.
MCU_B
MCU C
Ou pu pu
September 17 2010 Validation and Verification Workshop 5
MCU_CFunction Structure of MCU
Activity Execution (1/6)Work Sequence
Perform model-based simulation of targeted system behaviorto validate operation procedure regarding HTV MCU
Step1: Modeling of target system and its environmentSystem model is constructed based on system specification defined in system requirement phase.
System behavior is statically simulated according to the command input d th t t f i t l d land the state of environmental model.
Environmental model associated with cabin pressure is virtually constructed.If all two switches of valves are “open”, pressure value is decreased by 1kPa/sec1kPa/sec.If one of two switches of valves is “close”, pressure value remains the same.
St 2 Si l ti ith t bl d lStep2: Simulation with executable models[input] sequence of commands based on operation procedure[output] telemetry
September 17 2010 Validation and Verification Workshop 66
step3: Analyze the result of the simulation recorded in log file
Activity Execution (2/6)Modeling and Simulation
<Pressurized environment controller><Environment> <Environment>
Vent
Vent/Relief ValvePower Distribution Box(PDB)Controller of
PDB
valve status power status
Cabin PressureMonitoring
Automatic Relief
PreventiveDepressurization
Cabin PressureSensors
Controller ofunpressurized part
sensor valuesensor status Controller of
unpressurized part
Data Flow of Cabin Pressure Control in MCU
DepressurizationSensors
Environmental Model <sample>
p
System Model <sample>Environmental Model <sample>
if ( (MainPowerSourceOnOffStatus == ON)&& (SwitchOfVentReliefValve1 == OPEN)&& (SwitchOfVentReliefValve2 == OPEN) )
System Model <sample>
if( (ValueOfCabinPressureSensor1 > UpperLimit)&& (ValueOfCabinPressureSensor2 > UpperLimit) )
{{
ValueOfCabinPressureSensor1--;ValueOfCabinPressureSensor2--;ValueOfCabinPressureSensor3--;
}
PressureValue = ValueOfCabinPressureSensor3;}else {
AutomaticReliefFlag = NonExecutable;}
September 17 2010 Validation and Verification Workshop 77
}
Modeling Language : Microsoft Visual C++
}
Activity Execution (3/6)Simulation Result
① Command Sequences ⑤ Comment on the Result② Telemetry to be checked ⑥ Setting Value③ Simulation Output ⑦ Expectation Value
September 17 2010 Validation and Verification Workshop 88
③ p ⑦ p④ Comment on the Procedure
Activity Execution (4/6)Case ExampleAutomatic Cabin Air Relief
If cabin pressure goes over upper threshold, cabin air is released for depressurization by opening relief valves.
upper[Abstract of Operation Procedure]Set “Status of Cabin Pressure Monitoring (ENA/INH)” to ENA
upper
0 kP
lower
Set “Status of Cabin Pressure Sensor” to NORMALSet “Status of Automatic Cabin Air Relief (ENA/INH)” to ENAExecute “Automatic Cabin Air Relief”
0 kPa[sensor]
Monitor “Value of Air Pressure Sensor”Monitor “Status of Air Pressure Sensor”Monitor “Status of Valve (OPEN/CLOSE)”
open
Monitor “Status of Valve (OPEN/CLOSE)”
[valve]
September 17 2010 Validation and Verification Workshop 99
Activity Execution (5/6)i l ti t ti Case Example simulation
outputexpectation value
cabin pressure monitoring : ENA cabin pressure monitoring : ENA
cabin pressure sensor : NORMAL
automatic cabin air relief : ENA
automatic cabin air relief : ON
September 17 2010 Validation and Verification Workshop 1010
Activity Execution (6/6)Case Example (contd.)
simulation t t
expectation l
cabin pressure falls down continually.
outputvalue
If cabin pressure falls below lower limitIf cabin pressure falls below lower limit,valves are closed.
Remarks about the simulation resultIn this case example, system model behaved as expected
in the operation procedure.p pIf there are some inconsistencies between system model
and the operation procedure, simulation output would be different from expected values
September 17 2010 Validation and Verification Workshop 1111
different from expected values.
Lessons Learned
Modeling based on system specificationg y pAbstraction level of System Requirement Specification and Operation Procedure should be similar extent for modelling and integration.Models are easy to build for those who can use C-llanguage.
Validation of Operation ProcedureExecution Conditions of the Simulation were defined as parameter changes with time. Various failure conditions are possibly defined and Operation Procedure could be validated under the conditions
September 17 2010 Validation and Verification Workshop 12
conditions.
Conclusion and Future Work
ConclusionSimulation with Executable Model was shown to be effective way to validate consistency between operational design and system/software design from early development phase.
Future WorkValidation of Dynamic System Behaviour
Operational validation methodology should be developed with not only static model (status command and with not only static model (status, command and telemetry) but also dynamic model.
September 17 2010 Validation and Verification Workshop 13