637605main Day 1-Michael Aguilar PDF

Presenter

Michael Aguilar
Date
January 24, 2012
Fault Management Using Model Based System

Engineering (MBSE) Tools and Techniques
NASA Engineering and Safety Center (NESC)
Michael Aguilar (GSFC)

NASA Technical Fellow in Software
NESC Software Discipline
January 24, 2012
This briefing is for status only and does not represent complete engineering data analysis 1
JWST ISIM C&DH Core Flight SoHware (FSW)
IntegraLon of the JWST ISIM C&DH Core Flight SoHware (FSW)
development at GSFC and the Science Instrument FSW applicaLons
developed by the following teams.
–  European Space Agency (ESA) -‐ NIRSpec Instrument Control Electronics Flight
SoHware
–  Canadian Space Agency (CSA) and EMS Technologies -‐ Fine Guider Subsystem
(FGS) Flight SoHware
–  University of Arizona and Lockheed MarLn ATC -‐ NIRCam Instrument ICE and
FPE Flight SoHware
–  GSFC Subsystem SoHware Support -‐ NIRSpec FPE Flight SoHware and the
Micro-‐ShuXer Array (MSA) Flight SoHware
–  JPL/European ConsorLum (EC) -‐ MIRI FPE and ICE FSW applicaLons and Cooler
Control Electronics (CCE) Flight SoHware
Instrument mechanisms func/onal ONLY when operated at 39Kelvin!
This briefing is for status only and does not represent complete engineering data analysis 2
James Webb Space Telescope
This briefing is for status only and does not represent complete engineering data analysis
3
How do you integrate and test FM
on a system that cannot be
assembled and tested as one
system?
4
JWST FSW RaLonal Rose RT State
Diagram Structure Diagram
l  Public ports communicate with
the other subsystem components"
l  Private ports communicate with
the local capsules"
l  256 Relative Timed Sequences
(RTS) and 4 Absolute Timed
Sequences (ATS) execute in
parallel "
l  Code Generation"
n  Task distribution"
n  Message distribution"
5
Support of Distributed Development
Analysis, EvaluaLon, IntegraLon, and Test
•  SoHware SimulaLon can be copied and
distributed as soHware-‐only integraLon lab SYSTEM INTEGRATION LAB
•  Flight SoHware with COTS Hardware Interfaces
promotes iniLal soHware interface verificaLon
and support through external subsystem tesLng,
including environmental tests
•  Ground System / Ops ApplicaLons with COTS
interfaces supporLng uplink and downlink
environment
Test Bed Export

NASA In-House Integration and Test
Subsystem
Import
•  JWST has 12 integraLon labs (strings) running to
support SW development, SW Test NASA Out-of-House Integration and Test
development, and SW Test runs
–  6 for GSFC, 2 for JPL, 2 for CSA, 2 for ESA
–  Exported IntegraLon Labs provided soHware
development environment and Ground System idenLcal Out of House Out of House
to NASA Test Bed Test Bed
–  Hardware interfaces were flight-‐like
•  JWST integraLon at instrument subsystem level
not possible due to environments required by
instruments
•  JWST miLgated risks at soHware interface, Out of House
hardware interface, ground system interface Test Bed
–  Exported integraLon labs provided consistent ground
system development from developer, through
integraLon, and into operaLons
6
Can paper documentaLon be
“executed” to verify FM behavior
on a system that cannot be
assembled and tested as one
system?
7
ConstellaLon Program L2 and L3 imported to executable models
to verify ICD correctness & completeness
•  CxP focused on ICD documents, not ICD models

•  What is an ICD in CxP? – different views of the same model
–  ICD documents focus on networking & informaLon encoding, packets &
protocols: CxP 70091, 70180, 70187, 70189, 70190
–  CxP 70078 (CSADD) focuses on high-‐level descripLon & analysis of the
systems-‐of-‐systems interacLons
•  CxP 70078 (CSADD) & L2 SAVIO model
–  A good but labor-‐intensive example of using standards (SysML, DODAF)
IntegraLon of Vehicle System Manager (VSM)
and Mission Timeline
Enterprise Architect UML models of the VSM (e.g., Stateflow RepresentaLon of
acLvity diagrams, state charts, use cases) the VSM models
(Non-‐Executable) (Executable) 9
This briefing is for status only and does not represent complete engineering data analysis
Catching Errors in VSM Design
Missing guard, causing unwanted entry
into launch delay state
Now
There
let’s
is ae pxecute
roblem.
the

Can you see it now?
Can design…
you see it?
Enterprise Architect UML RepresentaLon of Stateflow RepresentaLon of VSM

VSM NavigaLon State Chart NavigaLon State Chart
(Non-‐Executable) (Executable) 10
Similar Errors Found through Modeling
Brief examples of errors found

Found by Tool
Vehicle
Diagram does not have any active states prior to “Power
applied to PDCU 1 and 2”
Vehicle.Prelaunch
All returns from Launch_Hold are TBD
Vehicle.Abort
No default state. Suggest adding default state as
“Abort_Standby”
FSS, MPS, Guidance, Navigation, Control, and Steering
No default state, suggest adding “Standby” or “Idle”
Navigation
After Gyrocompassing, the Navigation will automatically enter
the Launch_Delay state. If this is unintended, suggest placing
guard to prevent this.
RINU and RGA
Both RINU and RGA use “PowerApplied” ,“OffCommand”,
“PerfomCBIT”, and “gyrocompass” to transition between
states.
FSS, US_TVC,
Unclear as to which are OR conditions and which are AND
conditions
CTC and Imaging
Does not enter “Off” state if power is removed.
Ares-‐Orion CommunicaLon During
Abort
Communication Link
Ares
Orion
Command
Input
DocumentaLon of Ares-‐Orion Stateflow RepresentaLon of Ares-‐Orion

CommunicaLon During Abort CommunicaLon During Abort
(Non-‐Executable) (Executable)
Conversion from Tabular Form to Stateflow Example
ARES ORION
Trace through “Nominal” Abort InteracLon
ARES ORION
Pre-‐Abort Recommenda/on:

-‐ Ares: All command states “idle” except for
“abort manager”, which is in the “operaLonal”
state
-‐ Orion: All command states “idle” except for
“crew enable auto abort”, which is in the This briefing is for status only and
enabled state does not represent complete
engineering data analysis 14
ARES ORION
Ares sends Abort Recommenda/on:

-‐ Ares: Abort RecommendaLon command state transiLons from
“idle” to “send abort recommendaLon” and waits for Orion
response. All other command states remain “idle”
-‐ Orion: Ares recommends abort command state transiLons from
“idle” to “send abort recommendaLon receipt” upon receipt of
abort recommendaLon
This briefing is for status only
-‐ Ares: The abort recommendaLon state transiLons from “send and does not represent
abort recommendaLon” to “abort recommendaLon receipt “ complete engineering data
analysis 15
ARES ORION
Orion Requests Auto-‐safe Authority:

-‐ Orion: Orion requests auto-‐safe authority aHer an
Ares abort recommendaLon is received and waits
for Ares to send an Auto-‐safe authority handoff
receipt.
-‐ Ares: Ares receives the auto-‐safe authority request This briefing is for status only
from Orion and sends a handoff receipt and and does not represent
conLnues to monitor condiLons. complete engineering data
analysis 16
ARES ORION
Ares Abort Condi/on Exceeds Auto-‐safing Threshold

Orion Approves Auto-‐safe Authority Pass-‐back Request:

-‐ Ares: Abort condiLon exceeds the auto-‐safing threshold. Because
Orion has the auto-‐safe authority, Ares sends an “auto-‐safe
authority pass-‐back request” and waits for Orion to send receipt.
-‐ Orion: Orion receives the auto-‐safe authority pass-‐back request
and decides whether to approve or deny it. Orion approves the
pass-‐back request.
This briefing is for status only
-‐ Ares: Upon receipt of the posiLve authority pass-‐back response, and does not represent
Ares performs safing acLons. complete engineering data
analysis 17
Trace through InteracLon Loss of Comm.
Scenario
ARES ORION
APer Orion Requests Auto-‐Safe Authority, Communica/on

between Orion and Ares is Lost and Ares Exceeds Auto-‐Safe
Threshold:

-‐ Ares: Abort condiLon exceeds the auto-‐safing threshold. Because
Orion has the auto-‐safe authority, Ares sends an “auto-‐safe
authority pass-‐back request” and waits for Orion to send receipt.
(Same as in “nominal” scenario)
Model Answers What -‐ Orion: Because communicaLon is severed between Ares and
Orion, Orion is not aware of the auto-‐safe authority request and
if Scenario remains in prior states. This briefing is for status only
and does not represent
-‐ Ares: Ares can NOT perform safing acLons. complete engineering data
analysis 18
Can models of major system
interfaces allow tesLng and
verificaLon of the systems and
reduce the complexity of
verificaLon labs?
19
ShuXle Avionics IntegraLon Lab
(SAIL) Mission Capability
20
SAIL FuncLonal Test
ConfiguraLon
21
Constellation Avionics Integration Lab
(CAIL) R&R in Avionics & Software V&V Plan
LEGEND
System / O&C CEV requirements verified
CM, SM, LAS requirements verified
Testing Subsystem rqmts verified (Sec 3.2 Avionics, Prop, ECLSS)
Subsystem rqmts verified (Sec 3.7 C&DH, Flt S/W)
SPACECRAFT LEVEL TEST MVP- VI
Box/Partition requ’ts verified (VMC)
(QUAL, NON-RECURRING TESTS AT SITE)
Board/CSU requ’ts verified
NO PROCEDURE IRUN Crosshatch: Demonstration of requirement
AT QUAL/SITE WHICH
JSC
B361 HAS NOT BEEN RUN @ CAIL
R100
EEST
System Verification (CAIL, ESTL)
MVP- VI Module/
RISK System I&T
MITIGATION
LM EDL
EXPLORATION DEVELOPMENT LAB
EPS SUBSYSTEM PROCEDURES C&DH C&T, D&C, FLT S/W SIM SW DATA EGSE EGSE CEV CONSTELLATION
S GN&C BASE SW SIM
SIMS SUBSYSTEM INTEGRATED SUBSYSTEM ISS SIM
SW
TESTING ST H/W S/W QUAL TESTING
LCC SIM
PROPULSION
ECLSS MCC SIM
MECHANICAL BOX QUAL BQ PARTITION TEST EGSE QUAL
CLV SIM
ETC
BOARD TESTING BT CSCI TESTING RACK TESTING
PART TESTING PT CSU TESTING BOARD TESTING

Subsystem
I&T
MVP-II, III MVP-All MVP- V MVP- V MVP-V MVP- V MVP-V, MVP- VIII MVP-V
MVP-VIII
HW/FW Flight SW EGSE Sim/DB/HW/SW

AV/SW Verification Aligns With CEV Verification Flow Reflected In Master Verification Plan (MVP)
22 is for status only and does not represent complete engineering data analysis
This briefing
22
CAIL Test Rig Design
Legend CAIL High Level Rig Block Diagram 10/9/07 *** Preliminary *** Lab
Misc Flight Cabling management
distribution
Vehicle Control Network
Real time data
Flight Control Network
distribution
Lab Flight I/F Cabling Mission To MCC / Lab Bird’s Eye
To ESTL
Systems OTF Management I/F View
To DSIL
Flight Hardware Emulator
Patch Network
External Emulators Panel From Timing To all
other Distribution nodes
Flt System Emulators CAIL DSILIU requiring
Fiber Rigs C&T RF Test
Image Generation lab time
Modem Emulator Set CAIL
Simulation
Simulation System
Star Centerline
Camera VNS Image VNS CM S-Band SM S-Band
Lab Support Equip Tracker Camera
Emulator Generator Emulator Antenna UHF Antenna Antenna Switch DSILIU
Emulator Image To DSIL
EGSE Electronics Switch Assembly Network
LIDAR
ST 1 VNS 1 Optical
Star ST 2 VPU 1
BP / Transponder 1 SM X/Ka-Band To ESTL
BP / Transponder 2 UHF Dissimilar Patch
Tracker VNS 2 Antenna
Star
Stimulator VPU 3 S-Band BP / Voice Transceiver Electronics Panel
Tracker3 From
Centerline Transponder 3
X Band BP / other
Camera ACU 1
Transceiver CAIL
Actuator Fiber
Rigs*
Controller 2 Modem
VMC GSE
CLV Emulator
GPS/INS
Emulator CLV Umbilical
GPS Combiner / LNA 1 SIGI 1 VMC 1 SDBI 1 LCC CLV

GPS Combiner / LNA 2 SIGI 2 VMC 2 SDBI 2
GPS/INS GPS Combiner / LNA 3 SIGI 3 Data SM RIU 1 / SDBI 1 Gateway
Stimulator Star Data Bus BFCS Recorder
SM RIU 2 / SDBI 2
GPS VMC 3
Combiner / SIGI 4 Isolator 3 SM RIU 3 /
SM
Front LNA 4 SDBI 3
I/O Pump
Window
Display
LAS ACM Controller 1 Solar Array

MBSU 1
Emulator ACM LPTU / SPTU 1 MBSU 2 RCU 1 Micro RIU 1 RIU 1
MBSU / BCU / RCU 1 Emulator
Controller 2 LSAM / Station RCU 2 Micro RIU 2 RIU 2
MBSU / BCU / RCU 2
Power Transfer MBSU 3 Micro RIU 3
ISS / LSAM RCU 3 Micro RIU 4 RIU 3 MBSU / BCU /
Unit 2 Micro RIU 5 SM Load
Hardwired RCU 3
Micro RIU 6
To DSIL DSILIU
Connections
Micro RIU 7 Emulation
Network
KSC
Message LCC GSE
ISS ICCA Bus Simulation
Emulator
Display 1
Display 2
CIU 1 UIP 1
RF CIU 2 UIP 2 Diplay 3 Cockpit Controls LCC GSE
Speaker Based on CEV606
DSILIU CIU 3 UIP 3
and Indicators Gateway
CIU 4 UIP 4 Display 4 T0 Interface Rev A POD
ISS Emulation CIU 5 UIP 5
LCC Avionics and SDR
CIU 6 UIP 6
Application Version of CEV-T-
UIP 7
EDS LSAM Server 082. Flight LRU
Emulator Emulator Crew quantities shown
Module Service To LCC / DSIL Net
are TBR.
APAS Module
LCC Note: Each block
LRU x
Display on this diagram
LRU x Vehicle Vehicle
LRU x
EVA Suit & EVA Battery CM Load Data CM Pyro RCS Server does not imply a
Power Interface LCC CEV
LRU x Support Emulator (6 Emulator Emulation Recording I/O Pump Test Set Test Set separate rack or
Unit Unit Gateway
Equipment ports) separate piece of
equipment.
*CLV to ESTL
Command Network Telemetry EGSE Network
interface may only
& Control Management Processing Attached
be on high fidelity
Server Server Server Storage
CLV emulator
Can models of exisLng soHware
provide adequate and effecLve
analysis of the soHware and
hardware system?
24
Toyota Camry Source Code
•  Source Code Language: C (originally Bell Labs, 1972)

–  Code is directly readable, comments are in Japonese
•  Code Size: Over 280,000 lines of code
•  Number of Modules: Over 100
•  Number of files: Over 2500
•  RTOS used: OSEK Compatable OperaLng System (NEC)
•  Compiler used: Greenhills C Compiler (USA)
–  Code was compiled and executed during study
•  Target Microcontrollers: NEC and DENSO ASIC designs
25
SoHware Algorithm Design Process
1.  IdenLfy and model the Camry algorithms from source code
2.  IdenLfy and model scheduling and Lming of the Camry algorithms
3.  Build executable math models that behave idenLcally to the Camry
algorithms, but can be executed within a Matlab environment on a PC
4.  SLmulate models using input data of interest
5.  Examine outputs of model for further analysis
6.  ConLnuously upgrade and verify model against vehicle hardware
7.  Support the development of final test sequences for test upon Camry
vehicles

26
SoHware Algorithm Models
Modeling Process
C Source
S-function
Code
27
Simulink Model Analysis
Accelerator Sensor Voltage @ 0 deg [V]

Nominal Accelerator Sensor
Sensor Voltage [V] (Nominal)
Experimental Data Accelerator Sensor
3
4 VPA1
2.5
VPA2
2
2
VPA1 1.5
VPA2 1
0
0 20 40 60 80 100 120 0.5
Accelerator Pedal Angle [deg] 3 3.5 4 4.5 5 5.5
Supplied Voltage [V] (Experimental)
Throttle Sensor Voltage @ 0 deg [V]

Sensor Voltage [V] (Nominal)
Experimental Data Accelerator Sensor

4
VTA1
4
3 VTA2
2 2
VTA1
VTA2 1
0
0 10 20 30 40 50 60 70 80 90 100 3 3.5 4 4.5 5 5.5
Throttle Position [deg] Supplied Voltage [V] (Experimental)
80
Fault Code True = 1, Fault Code False = 0

Accelerator Angle [deg]
1
VPA1 P2120
60 VPA2 0.8 P2122
P2123
P2125
40 0.6
P2127
P2128
0.4 P2138
20
P2121
0.2
0
3 3.5 4 4.5 5 5.5 0
3 3.5 4 4.5 5 5.5
Supplied Voltage [V] (Experimental) Supplied Voltage [V] (Experimental)
80
Fault Code True = 1, Fault Code False = 0
VTA1
Throttle Angle [deg]
60 1 P0120
VTA2 P0122
40 0.8 P0123
P0220
0.6 P0222
20
P0223
0.4 P0135
0 P0121
0.2
-20
3 3.5 4 4.5 5 5.5
0
Supplied Voltage [V] (Experimental) 3 3.5 4 4.5 5 5.5
Supplied Voltage [V] (Experimental)
28
Simulink Models Studied
•  FuncLonal Document Derived ETC Models Completed
–  Pedal Learning Algorithm
–  ThroXle Learning Algorithms
–  DiagnosLc Codes
–  Pedal and ThroXle Sensor CharacterisLcs
–  Pedal Angle to ThroXle Commanded Angle Conversion
–  ThroXle Valve Motor PID controller
–  Cruise Control
–  Idle Speed Control Module
•  Enhanced Model Fidelity
–  Toyota C-‐code compiled within models to increase fidelity
•  FuncLonal Analysis without Modeling
–  Vehicle Stability Control Torque Limit Checking
–  Transmission Control Switch DiagnosLcs
29
Spin Logic Analysis
•  Various Focused Camry Models

–  Spin Accelerator Pedal PosiLon Learning Algorithm analysis iniLated
–  Spin and C-‐code Accelerator Pedal PosiLon Learning Algorithm analysis
iniLated
•  Logical Model of Camry SoHware
–  Conversion of the Stateflow models into verifiable Spin models, to allow
exhausLve analysis of the key properLes
–  Increased fidelity of Stateflow model for further Spin analysis

30
Spin Logic Analysis Conclusions
Model Type Conclusion
Interrupt Enable/ ComputaLon Verified
Disable Pairing
Accelerator Pedal ComputaLon Inconclusive

Learning
Sensor Input I/O PotenLal Issue

Motor Drive IC ComputaLon Verified
Port Register Input I/O Verified
PWM FuncLonality ComputaLon PotenLal Issue
31
SoHware Timing Performance Analysis Results
•  StaLsLcal Analysis
–  Toyota provided sample sets of soHware task performance
•  250 samples per second, 900,000 samples per hour
•  Test bed configured at 6000 rpm, 8000 rpm, and 9000 rpm
–  The data analysis should sufficient margin under these maximal and
stressed rpm configuraLons.
•  Worst Case ExecuLon Time (WCET) Analysis

–  StaLc Analysis using aiT Tool
•  V850 Model Processor used as closest model
•  Source code “executed” within aiT Tool
•  Worst Case ExecuLon Time determined in staLc test
–  Recursion issues prevented complete analysis
32
On-‐Ramps?
•  IdenLficaLon and scope of changes/tradeoffs in
system behavior.
•  Interfaces protocol requirements verificaLon.
•  Failure modes / safing / fault management.
•  Boot up / Abort sequencing.
•  Subsystem verificaLon / system verificaLon.
•  Test bed support, operaLons and maintenance
support.
•  DocumentaLon consistency.
33

637605main Day 1-Michael Aguilar PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

637605main Day 1-Michael Aguilar PDF

Uploaded by

Copyright:

Available Formats

Presenter

Fault Management Using Model Based System

NASA Engineering and Safety Center (NESC)

Michael Aguilar (GSFC)

Instrument mechanisms func/onal ONLY when operated at 39Kelvin!

Test Bed Export

• CxP focused on ICD documents, not ICD models

Enterprise Architect UML RepresentaLon of Stateﬂow RepresentaLon of VSM

Brief examples of errors found

DocumentaLon of Ares-­‐Orion Stateﬂow RepresentaLon of Ares-­‐Orion

Ares sends Abort Recommenda/on:

Orion Requests Auto-­‐safe Authority:

Ares Abort Condi/on Exceeds Auto-­‐saﬁng Threshold

APer Orion Requests Auto-­‐Safe Authority, Communica/on

PART TESTING PT CSU TESTING BOARD TESTING

HW/FW Flight SW EGSE Sim/DB/HW/SW

GPS Combiner / LNA 1 SIGI 1 VMC 1 SDBI 1 LCC CLV

LAS ACM Controller 1 Solar Array

• Source Code Language: C (originally Bell Labs, 1972)

Accelerator Sensor Voltage @ 0 deg [V]

Throttle Sensor Voltage @ 0 deg [V]

Experimental Data Accelerator Sensor

Fault Code True = 1, Fault Code False = 0

• Various Focused Camry Models

Accelerator Pedal ComputaLon Inconclusive

Sensor Input I/O PotenLal Issue

PWM FuncLonality ComputaLon PotenLal Issue

• Worst Case ExecuLon Time (WCET) Analysis

You might also like

•  CxP focused on ICD documents, not ICD models

DocumentaLon of Ares-‐Orion Stateﬂow RepresentaLon of Ares-‐Orion

Orion Requests Auto-‐safe Authority:

Ares Abort Condi/on Exceeds Auto-‐saﬁng Threshold

APer Orion Requests Auto-‐Safe Authority, Communica/on

•  Source Code Language: C (originally Bell Labs, 1972)

•  Various Focused Camry Models

•  Worst Case ExecuLon Time (WCET) Analysis