Integrated application of compositional and behavioural safety analysis

To address challenges arising in the safety assessment of critical engineering systems, research has recently focused on automating the synthesis of predictive models of system failure from design representations. In one approach, known as compositional safety analysis, system failure models such as fault trees and Failure Modes and Effects Analyses (FMEAs) are constructed from component failure models using a process of composition. Another approach has looked into automating system safety analysis via application of formal verification techniques such as model checking on behavioural models of the system represented as state automata. So far, compositional safety analysis and formal verification have been developed separately and seen as two competing paradigms to the problem of model-based safety analysis. This thesis shows that it is possible to move forward the terms of this debate and use the two paradigms synergistically in the context of an advanced safety assessment process. The thesis develops a systematic approach in which compositional safety analysis provides the basis for the systematic construction and refinement of state-automata that record the transition of a system from normal to degraded and failed states. These state automata can be further enhanced and then be model-checked to verify the satisfaction of safety properties. Note that the development of such models in current practice is ad hoc and relies only on expert knowledge, but it being rationalised and systematised in the proposed approach – a key contribution of this thesis. Overall the approach combines the advantages of compositional safety analysis such as simplicity, efficiency and scalability, with the benefits of formal verification such as the ability for automated verification of safety requirements on dynamic models of the system, and leads to an improved model-based safety analysis process. In the context of this process, a novel generic mechanism is also proposed for modelling the detectability of errors which typically arise as a result of component faults and then propagate through the architecture. This mechanism is used to derive analyses that can aid decisions on appropriate detection and recovery mechanisms in the system model. The thesis starts with an investigation of the potential for useful integration of compositional and formal safety analysis techniques. The approach is then developed in detail and guidelines for analysis and refinement of system models are given. Finally, the process is evaluated in three cases studies that were iteratively performed on increasingly refined and improved models of aircraft and automotive braking and cruise control systems. In the light of the results of these studies, the thesis concludes that integration of compositional and formal safety analysis techniques is feasible and potentially useful in the design of safety critical systems

Advanced flight control system study

The architecture, requirements, and system elements of an ultrareliable, advanced flight control system are described. The basic criteria are functional reliability of 10 to the minus 10 power/hour of flight and only 6 month scheduled maintenance. A distributed system architecture is described, including a multiplexed communication system, reliable bus controller, the use of skewed sensor arrays, and actuator interfaces. Test bed and flight evaluation program are proposed

An integrated methodology for the performance and reliability evaluation of fault-tolerant systems

Thesis (Ph. D.)--Massachusetts Institute of Technology, Dept. of Electrical Engineering and Computer Science, 2007.Includes bibliographical references (leaves 220-224).This thesis proposes a new methodology for the integrated performance and reliability evaluation of embedded fault-tolerant systems used in aircraft, space, tactical, and automotive applications. This methodology uses a behavioral model of the system dynamics, similar to the ones used by control engineers when designing the control system, but incorporates additional artifacts to model the failure behavior of the system components. These artifacts include component failure modes (and associated failure rates) and how those failure modes affect the dynamic behavior of the component. The methodology bases the system evaluation on the analysis of the dynamics of the different configurations the system can reach after component failures occur. For each of the possible system configurations, a performance evaluation of its dynamic behavior is carried out to check whether its properties, e.g., accuracy, overshoot, or settling time, which are called performance metrics, meet system requirements. Markov chains are used to model the stochastic process associated with the different configurations that a system can adopt when failures occur.(cont.) Reliability and unreliability measures can be quantified, as well as probabilistic measures of performance, by merging the values of the performance metrics for each configuration and the system configuration probabilities yielded by the corresponding Markov model. This methodology is not only used for system evaluation, but also for guiding the design process, and further optimization. Thus, within the context of the new methodology, we define new importance measures to rank the contributions of model parameters to system reliability and performance. In order to support this methodology, we developed a MATLAB/SIMULINK® tool, which also provides a common environment with a common language for control engineers and reliability engineers to develop fault-tolerant systems. We illustrate the use of the methodology and the capabilities of the tool with two case-studies. The first one corresponds to the lateral-directional control system of an advanced fighter aircraft. This case-study shows how the methodology can identify weak points in the system design; and point out possible solutions to eliminate them; compare different architecture alternatives from different perspectives; and test different failure detection, isolation, and reconfiguration (FDIR) techniques.(cont.) This case-study also shows the effectiveness of the MATLAB/SIMULINK® tool to analyze large and complex systems. The second case-study compares two very different solutions to achieve fault-tolerance in a steer-by-wire (SbW) system. The first solution is based on the replication of components; and the introduction of failure detection, isolation, and reconfiguration mechanisms. In the second solution, a dissimilar backup mechanism called brake-actuated steering (BAS), is used to achieve fault-tolerance rather than replicating each component within the system. This case-study complements the flight control system one by showing how the performance and MATLAB/SIMULINK® tool can be used to compare very different architectural approaches to achieve fault-tolerance; and therefore, how the methodology can be used to choose the best design in terms of performance and reliability.by Alejandro D. Domínguez-García.Ph.D

[Advanced Development for Space Robotics With Emphasis on Fault Tolerance Technology]

This report describes work developing fault tolerant redundant robotic architectures and adaptive control strategies for robotic manipulator systems which can dynamically accommodate drastic robot manipulator mechanism, sensor or control failures and maintain stable end-point trajectory control with minimum disturbance. Kinematic designs of redundant, modular, reconfigurable arms for fault tolerance were pursued at a fundamental level. The approach developed robotic testbeds to evaluate disturbance responses of fault tolerant concepts in robotic mechanisms and controllers. The development was implemented in various fault tolerant mechanism testbeds including duality in the joint servo motor modules, parallel and serial structural architectures, and dual arms. All have real-time adaptive controller technologies to react to mechanism or controller disturbances (failures) to perform real-time reconfiguration to continue the task operations. The developments fall into three main areas: hardware, software, and theoretical

Shuttle Ground Operations Efficiencies/Technologies (SGOE/T) study. Volume 2: Ground Operations evaluation

The Ground Operations Evaluation describes the breath and depth of the various study elements selected as a result of an operational analysis conducted during the early part of the study. Analysis techniques used for the evaluation are described in detail. Elements selected for further evaluation are identified; the results of the analysis documented; and a follow-on course of action recommended. The background and rationale for developing recommendations for the current Shuttle or for future programs is presented

Electronic/electric technology benefits study

The benefits and payoffs of advanced electronic/electric technologies were investigated for three types of aircraft. The technologies, evaluated in each of the three airplanes, included advanced flight controls, advanced secondary power, advanced avionic complements, new cockpit displays, and advanced air traffic control techniques. For the advanced flight controls, the near term considered relaxed static stability (RSS) with mechanical backup. The far term considered an advanced fly by wire system for a longitudinally unstable airplane. In the case of the secondary power systems, trades were made in two steps: in the near term, engine bleed was eliminated; in the far term bleed air, air plus hydraulics were eliminated. Using three commercial aircraft, in the 150, 350, and 700 passenger range, the technology value and pay-offs were quantified, with emphasis on the fiscal benefits. Weight reductions deriving from fuel saving and other system improvements were identified and the weight savings were cycled for their impact on TOGW (takeoff gross weight) and upon the performance of the airframes/engines. Maintenance, reliability, and logistic support were the other criteria

Heterogeneous and hybrid control with application in automotive systems

Control systems for automotive systems have acquired a new level of complexity. To fulfill the requirements of the controller specifications new technologies are needed. In many cases high performance and robust control cannot be provided by a simple conventional controller anymore. In this case hybrid combinations of local controllers, gain scheduled controllers and global stabilisation concepts are necessary. A considerable number of state-of-the-art automotive controllers (anti-lock brake system (ABS), electronic stabilising program (ESP)) already incorporate heterogeneous and hybrid control concepts as ad-hoc solutions. In this work a heterogeneous/hybrid control system is developed for a test vehicle in order to solve a clearly specified and relevant automotive control problem. The control system will be evaluated against a state-of-the-art conventional controller to clearly show the benefits and advantages arising from the novel approach. A multiple model-based observer/estimator for the estimation of parameters is developed to reset the parameter estimate in a conventional Lyapunov based nonlinear adaptive controller. The advantage of combining both approaches is that the performance of the controller with respect to disturbances can be improved considerably because a reduced controller gain will increase the robustness of the approach with respect to noise and unmodelled dynamics. Several alternative resetting criteria are developed based on a control Lyapunov function, such that resetting guarantees a decrease in the Lyapunov function. Since ABS systems have to operate on different possibly fast changing road surfaces the application of hybrid methodologies is apparent. Four different model based wheel slip controllers will be presented: two nonlinear approaches combined with parameter resetting, a simple linear controller that has been designed using the technique of simultaneously stabilising a set of linear plants as well as a sub-optimal linear quadratic (LQ)-controller. All wheel slip controllers operate as low level controllers in a modular structure that has been developed for the ABS problem. The controllers will be applied to a real Mercedes E-class passenger car. The vehicle is equipped with a brake-by-wire system and electromechanical brake actuators. Extensive real life tests show the benefits of the hybrid approaches in a fast changing environment