Contract based design of avionics systems

Transcription

Contract based design of avionics systems
Contract based design of avionics systems
Erik Herzog, Ph.D., SAAB Technical Fellow
erik.herzog@saabgroup.com
SAAB Aeronautics
Presentation outline
Application of
SPEEDS
SPEEDS
Case
Lessons learned
Way ahead
Sweden & SAAB SE reality
What is SAAB?
What is a SAAB?
Sweden and the Swedes
What about the Swedes?
(some) Good Engineers
Consensus seeking
Conflict avoidance
Not very talkative
We are experts in creating
unresolved issues and
ambiguities!
The SE state of practise as SAAB
A tradition in waterfall-development
A lot of emphasis is placed on requirements
Requirements capture and traceability
We tend to prioritise documentation of requirements over design
The result is documentation (used for communication) which does
not explicitly convey design
Each SE has to create a local mental picture of the design prior
to implementation
Needless to say we spend a lot of time fixing problems found late in
the integration and verification phase
SAAB SE Reality
Substantial dynamics in subsystem properties throughout development
Extensive communication required between systems
and in System/Subsystem relationships
System Properties
Weight
A system will be characterised by a set of
properties
Some will be mandated and stable
Some mandated but unstable
Some not mandated but set early in the
design process
Some not mandated and set late in the
process
Cost
Behaviour
Question: How can we make sure that the complete set of relevant system
properties are identified and managed?
The SPEEDS project
EU 6th Framework Project in
Embedded Systems Development
May 1, 2006 – March 31st,
2010
SAAB’s role is mainly in
Identifying user requirements
Execution of validation projects
www.speeds.eu.com
SPEEDS technology overview
Focus on formalism, interfaces and requirements,
SysML provides an excellent base
Define
The Component (Component Based Engineering)
Requirements (Promises) what the component under development will provide
to the environement
Assumptions made on the environment that must hold in order to fulfill the
promises
Formalise Assumptions and Promises (where required)
Integrate
Form and Evaluate Contracts in order to expose integration problems
Simulate
Hosted simulation
Verify
Apply formal verification methods on contract statements
Assumptions, Promises & Contracts
C1
sensor reading
latency < 2 ms
P11
A11
A21
Quality factor > 0,7
95% of time
Quality factor > 0,8
A12
K1
K2
P12
A21
C2
P21
The Case
Integration of a podded subsystem onto the Gripen aircraft
Pod power supply
Pod cooling
Pod control
Air
Power
Signal inf
Model samples
«block»
Reconnaissance function
1 itsSU_MSS:SU MSS
SPKData:
1
1
MIL_STD_1553B
1 itsSPK39:SPK39
SPKDataMSS:
DataMSS:
MSSData:
SPKDataWES:
DataWES:
DataWES:
«blo ck»
Reconnaissance function
itsSU_WES:SU WES
1
1 itsSU_WES:SU WES
SPKData:
1 itsSU_GES:SU GES
itsSU_HMI:SU HMI
Coll ingAirValveStatus:
1 itsSU_TDP:SU TDP
BusTrafficStatus:
PowerData:
PodConf:
StatusMSS:
HMIData:
PowerStatus:
PowerStatusSPK:
ACTime:
ManEventCreated:
BusTrafficStatus:
WESData:
HMIData:
GESData:
1
i tsSU_MSS:SU MSS
PowerStatus:
1 itsSU_CDL:SU CDL
DestData:
1 itsSU_TAC:SU TAC
TDPData:
DestData:
CDLData:
TACData:
PFDData:
MDMData:
1 itsSU_PFD:SU PFD
FlightData:
LogReport:
Missi onIdentity:
Missi onDataFile:
TestResul t:
1 itsSU_MDM:SU MDM
DestData:
MissionData:
LogReportSPK:
1 itsSU_DSR:SU DSR
MissionDataFileSPK:
TestResul tMSS:
1 i tsSU_RTE:SU RTE
Missi onData:
1 i tsSU_TEM:SU TEM
Adding assumptions and promises
«block»
Reconnaissance function
1 itsSU_MSS:SU MSS
SPKData:
1
MIL_STD_1553B
1 itsSPK39:SPK39
SPKDataMSS:
DataMSS:
MSSData:
SPKDataWES:
DataWES:
DataWES:
«blo ck»
Reconnaissance function
1
1 itsSU_WES:SU WES
1
itsSU_HMI:SU HMI
itsSU_WES:SU WES
SPKData:
1 itsSU_GES:SU GES
Coll ingAirValveStatus:
1 itsSU_TDP:SU TDP
BusTrafficStatus:
PowerData:
PodConf:
StatusMSS:
HMIData:
PowerStatus:
PowerStatusSPK:
DestData:
WESData:
HMIData:
GESData:
1
i tsSU_MSS:SU MSS
PowerStatus:
1 itsSU_CDL:SU CDL
ACTime:
ManEventCreated:
BusTrafficStatus:
1 itsSU_TAC:SU TAC
TDPData:
DestData:
CDLData:
TACData:
PFDData:
MDMData:
1 itsSU_PFD:SU PFD
FlightData:
LogReport:
Missi onDataFile:
TestResul t:
Missi onIdentity:
1 itsSU_MDM:SU MDM
DestData:
MissionData:
LogReportSPK:
1 itsSU_DSR:SU DSR
MissionDataFileSPK:
TestResul tMSS:
1 i tsSU_RTE:SU RTE
Missi onData:
1 i tsSU_TEM:SU TEM
Lessons learned
Natural for engineers to capture assumptions – once the dedicated placeholder is
available
Capturing assumptions (even without contracts) improve communication between
engineers
Traditionally we have a poor track record in capturing the assumptions made
during design
Additional focus on system interfaces
Encourges working on requirements in parallel with design
Allow for engineers to proceed with design instead of waiting for guiding information to
be made available
Results in richer specifications
Focus is on what is important for stakeholders
Expected to be of high value over time
Decreases the distance between requirements and design
Easy to locate impact of updates made
Easy to record status of each contract
What about tool integration, formal methods and simulation?
The case we have worked on is to a large extent a legacy system
built using propritary languages
Difficult to insert new analysis tools in the loop
Costly to take assertions from natural to formal language
We are not sure we understand what we have asserted
formally
And not sure if it is what we really want to assert
Exploitation outlook
SysML intro
A/P editor
Informal contracts
HRC support
Hosted simulation
Formal contracts & analyses
2010
2011
2012
Way ahead
Further introduction of the method within the SAAB group
Method and tool fine tuning
Need to establish a proper integration between DOORS and the
SysML modelling tools
Improve the support of capturing contracts within SysML
Include support for contracts in Activity daigrams
Potential for introduction in SysML version 2
Potential: Assumptions/Promises in activity diagrams
su GES:SU GES
su WES:SU WES
su HMI:SU HMI
su MSS:SU MSS
PowerAllowedOn
sendPowerS
tatus
PowerAllowedOn
AvailablePower
SPK39:SPK39
receivePowerS
tatus
AvailablePower
PowerOnOff
sendPowerOnOff
PowerOnOff
sendSPKI
dentified
Identified
receviveWESD
ata
Identified
AvailablePower
sendAvailable
Power
AvailablePower
[else]
[PowerOnOff = Off AND
PowerAllowedOnMSS = true AND
(AvailablePower = 2 or 5) AND
PowerAllowedOn = true AND
Identified = true AND
FMStatus = NoFailure]
receivePowerO
nReq
PowerOnReq
PowerOnReq
receivepowerR
eqOn
PowerReqOn
PowerReqOn
sendPowerOnOff
PowerOnOff
PowerOnOff
receivePower
Off
PowerOnOff
PowerOnOff
receivePowerOn
sendPower
OnReq
sendPower
ReqOn
receivePowerO
nOff
sendPowerOn
Off
[PowerOnOff = On]
PowerOn
sendPowerOn
PowerOn
receiveAvailableP
ower
Thank you for your attention
Questions?
Contact {erik.herzog, henric.andersson @saabgroup.com}