35 research outputs found

    Model based safety analysis for an Unmanned Aerial System

    This paper aims at describing safety architectures of autonomous systems using the Event-B formal method. Autonomous systems combine various activities which can be organised in layers, and the Event-B formalism supports the rigorous design of this kind of system well. Its refinement mechanism allows progressive modelling, checking the correctness and relevance of the models by discharging proof obligations. Applying the Event-B method within the framework of layered architecture specification enables the emergence of the desired global properties with respect to layer interactions. The safety objectives are derived in each layer and involve static and dynamic properties such as an independence property, a redundancy property or a sequential property. The originality of our approach is to consider a refinement process between two layers in which the abstract model is the model of the lower layer. In our modelling, we distinguish nominal behaviour from abnormal behaviour in order to establish failure propagation in our architecture.

    Improving FDIR of Spacecraft Systems with Advanced Tools and Concepts

    Faults in spacecraft systems are an important problem, mainly because of the cost of downtime and because their remoteness makes maintenance more difficult. This is why automated handling of faults can greatly enhance the system's overall performance. This automated fault management relies on dedicated functions for fault detection, identification, and recovery (FDIR), which are often interleaved with the system; this makes it difficult to guarantee tolerance with respect to a particular anomaly and also makes the system difficult to maintain. On the other hand, several advanced computational tools exist that are known to support the tasks of FDIR. In this paper, starting from the current state of affairs in spacecraft system development, we develop and test several options for enhancing the quality of FDIR functions. First, we use software validation and verification tools to prove that the FDIR functions meet some functional quality goals. A second option we explore is to re-implement FDIR functions with Model-Based Reasoning algorithms, which are guaranteed to produce exact results with respect to a model of the system's behaviour. For each option, we use and compare several software tools, compare the effort required to adapt, integrate and use them, and estimate the overall benefits they provide.

    Safety analysis of autonomous systems: formalisation and evaluation in Event-B

    This article presents part of a study of safety architectures for autonomous systems based on the use of the Event-B formal method. The Event-B formalism supports well the rigorous design of these systems, which combine various activities that can be structured in layers. Its refinement technique allows progressive modelling, checking the correctness and relevance of the models by discharging proof obligations. Applying the Event-B method to the specification of layered architectures guarantees the emergence of the expected global properties, such as safety properties, provided that the properties governing the relations between layers are shown to hold. This article stands at the beginning of this new study. It presents the principles of Event-B modelling for a simplified drone control system. It characterises the layered-architecture concept used for this modelling. It then describes a first model of one layer before concluding on the value of this modelling for validating autonomous systems against the safety objectives that have been set.

    Toward a methodology for the AltaRica modelling of multi-physical systems

    Numerous works deal with the use of the formal language AltaRica to improve the safety assessment process of industrial systems. In this context, the paper aims at describing and applying a common methodology to model physical systems. The examples of a mechanical system and a hydro-mechanical system are taken.

    Toward a validation process for model based safety analysis

    Today, model-based processes are becoming more and more widespread for the analysis of a system. However, there is no formal testing approach to ensure that the formal model is compliant with the real system. In this paper, we choose to study the AltaRica model. We present a general process to construct and validate an AltaRica formal model. The focus is on the validation phase, i.e. verifying the compliance between the model and the real system. To that end, the proposed process recommends building a specification for the AltaRica model. The validation process is then transformed into a classical verification problem between an implementation and a specification.

    Model Based Risk Assessment of Procedures and Systems for Aircraft Trajectory Management

    Modern Air Traffic Management (ATM) concepts of operation require a strong interaction between agents such as human operators (pilots, air traffic controllers) and information technology systems (either on-ground or on-board). Although risks shall be jointly managed by all these agents, current risk assessment techniques are usually dedicated to only one class of agents (either human operators or IT systems). This paper addresses this issue. It proposes to extend Model Based Safety Assessment (MBSA) techniques originally developed to assess complex systems. This MBSA extension makes it possible to assess how risk can be jointly managed by procedures and systems. The paper shows the methodology used and presents lessons learnt from an aircraft trajectory management case study.

    Model based system assessment: formalisation and evaluation of autonomous systems in Event-B

    This article aims to describe a safety architecture for autonomous systems using the Event-B formal method. The Event-B formalism supports the rigorous design of such systems. Its refinement technique allows progressive modelling, checking the correctness and relevance of the models by discharging proof obligations. Applying the Event-B method is of interest for formalising the relations between layers that ensure the coherence of safe operation and compliance with the safety requirements covered by our analysis. Consequently, modelling around these relations constantly brings out a nominal behaviour together with behaviours in the presence of faults, under the assumption of an architecture that integrates fault-tolerance mechanisms.

    Operational reliability of aircraft (model-based approach and case studies)

    Dependability assessment by the system manufacturer during aircraft design, based on stochastic modelling, is common practice, but model-based operational dependability assessment online, during the achievement of missions, is seldom done. Usually, the stochastic assessment addresses aircraft safety. This thesis addresses aircraft operational dependability modelling to support mission and maintenance planning, as well as the achievement of the missions. We develop a modelling approach based on a meta-model that is used as a basis i) to structure the information needed to assess aircraft operational reliability and ii) to build a stochastic model that can be updated dynamically. The update concerns the current state of the aircraft systems, a mission profile and the maintenance facilities available at the flight stop locations involved in the mission. The aim is to enable online operational reliability assessment. Two case studies, based on aircraft subsystems, are considered for illustration. We present examples of evaluation results that show the valuable role of operational dependability assessment during an aircraft mission.

    Handling consistency between safety and system models

    Safety analyses are of paramount importance for the development of embedded systems. In order to perform these analyses, safety engineers use different modelling techniques, such as Fault Trees or Reliability Block Diagrams. One of the challenges of today's industrial development process is to ensure the consistency between safety models and system architectures. Model Based Safety Analysis (MBSA) is one of the newest modelling methods, which promises to ease the exchange of information between safety engineers and system designers. The aim of this article is to discuss an approach to manage the consistency between MBSA models and system architectures. Our study is based on the experimentation of the co-design of an RPAS (Remotely Piloted Aircraft System) involving system design and safety teams during the early conception phases of an industrial development process. We simulate the process of exchange between the system design and the safety assessment with the constraint of creating safety models close to the system architecture. We identify significant exchange points between these two activities. We also discuss the problems encountered and perspectives on the possibility of ensuring the consistency between safety and system models.

    Performing Safety Analyses with AADL and AltaRica

    The AADL and AltaRica languages can be used to support the safety assessment of system architectures. These languages were defined with different concerns, and this paper aims at presenting their principles and how they can be related. A translator from AADL to AltaRica is proposed and its prototype is applied to a simplified flight control system of a UAV. The resulting AltaRica model has been analysed with the AltaRica safety tools and the experimental results are discussed.