Upload File

model of an adiru in aadl - openaadl.org · model of an adiru in aadl revisiting boeing 777-2h6er...

  • Home
  • Documents
  • Model of an ADIRU in AADL - openaadl.org · Model of an ADIRU in AADL Revisiting Boeing 777-2H6ER ADIRU bug Jérôme HUGUES, ... alignment of memory segments,
8
Institut Supérieur de l’Aéronautique et de l’Espace Model of an ADIRU in AADL Revisiting Boeing 777-2H6ER ADIRU bug Jérôme HUGUES, ISAE With support from MS EMS’13 and EMS’15 students

Upload: hoangtruc

Post on 03-Jun-2018

226 views

Category:

Documents


1 download

Report

TRANSCRIPT

Page 1: Model of an ADIRU in AADL - openaadl.org · Model of an ADIRU in AADL Revisiting Boeing 777-2H6ER ADIRU bug Jérôme HUGUES, ... alignment of memory segments,

Institut Supérieur de l’Aéronautique et de l’Espace

Model of an ADIRU in AADL Revisiting Boeing 777-2H6ER ADIRU bug

Jérôme HUGUES, ISAE

With support from MS EMS’13 and EMS’15 students

Page 2: Model of an ADIRU in AADL - openaadl.org · Model of an ADIRU in AADL Revisiting Boeing 777-2H6ER ADIRU bug Jérôme HUGUES, ... alignment of memory segments,

>  One fault instance of an ADIRU (Air Data Inertial Reference Unit) on-board a Boeing 777-2H6ER caused an hazardous accident to Malaysian Air flight 124 in 2005,

>  Key question is: could we avoid similar scenario in future system design? How? Associated cost? »  Failure has been (partially) described in publically available

reports by NTSB, and Vanderbilt University, used for study

Introduction

Agenda 1. How to capture architecture key elements

•  Real-time architecture, ARINC653 patterns, etc. 2. Link them to implementation artifacts

•  Simulation through code generation 3. Trace them w.r.t safety analysis objectives

AADL Tutorial -- MODELS'15 2

Page 3: Model of an ADIRU in AADL - openaadl.org · Model of an ADIRU in AADL Revisiting Boeing 777-2H6ER ADIRU bug Jérôme HUGUES, ... alignment of memory segments,

>  (from ATSB report 200503722)

About Boeing 777-2H6ER ADIRU

n  Multiple levels of redundancy. n  work without maintenance with

one fault in each FCA. AADL Tutorial -- MODELS'15 3

Page 4: Model of an ADIRU in AADL - openaadl.org · Model of an ADIRU in AADL Revisiting Boeing 777-2H6ER ADIRU bug Jérôme HUGUES, ... alignment of memory segments,

>  See ISIS-11-101 TR from Vanderbilt University »  Four modules »  Two types of ports

The Model in ARINC 653 Architecture

AADL Tutorial -- MODELS'15 4

Page 5: Model of an ADIRU in AADL - openaadl.org · Model of an ADIRU in AADL Revisiting Boeing 777-2H6ER ADIRU bug Jérôme HUGUES, ... alignment of memory segments,

>  Regular modeling process » Define sub-system boundaries, interfaces, configuration » Mixing text, graphics, property editor to manage model

complexity

Modeling of the ADIRU with AADL

AADL Tutorial -- MODELS'15 5

Page 6: Model of an ADIRU in AADL - openaadl.org · Model of an ADIRU in AADL Revisiting Boeing 777-2H6ER ADIRU bug Jérôme HUGUES, ... alignment of memory segments,

Overview of the AADL model

AADL Tutorial -- MODELS'15 6

Page 7: Model of an ADIRU in AADL - openaadl.org · Model of an ADIRU in AADL Revisiting Boeing 777-2H6ER ADIRU bug Jérôme HUGUES, ... alignment of memory segments,

>  AADL default semantics check » Containment hierarchy, applicability of configuration parameters

(units, types, etc), types of message exchanged, port connection, etc.

>  ARINC 653 verification plugs-ins » Part of rich AADL eco-system: OSATE, MASIW, Ocarina, … » Check connections » Validity of ARINC653 Configuration parameters: Major Frame

Correctness, Properties of Memory Components, Dimensioning of Memory Components, Partitions Bindings, Partitions Executions, Separation of Memory

» Additional checks: constraints set by RTOS vendors, e.g. alignment of memory segments, max number of threads, etc.

First level of analysis: core and plug-ins

AADL Tutorial -- MODELS'15 7

Page 8: Model of an ADIRU in AADL - openaadl.org · Model of an ADIRU in AADL Revisiting Boeing 777-2H6ER ADIRU bug Jérôme HUGUES, ... alignment of memory segments,

>  AADL is for architectural description, period >  Not to be compared with UML suites »  Behavior, types, link with source code is not required

>  Keep in mind models support an objective »  For now, it is just a high-level view of the design

>  In the next sections, we will complete the models with »  Properties to model in details ARINC653 elements »  Elements to generate actual implementation »  Information on fault propagation, detection, etc.

A few words on AADL usage

AADL Tutorial -- MODELS'15 8


Safety Analysis with AADL - openaadl.org · Early in system engineering ... reliability and safety design evaluations ... Largest analysis of satellite to date consists of 26,000

uoissnojaj OQ - AADL

Quickie QXi AADL

Berlin Ballet - AADL

~ssiah - AADL

Ruggiero Ricci - AADL

Schedulability Analysis of AADL Modelslee/09cis480/lec-AADL-ACSR-wpdrts06.pdf · Embedded system architectures ... AADL – ADL for embedded systems • Architecture Analysis and

Volunteer Handbook - AADL

m~ssiQh - AADL

Isaac Stern - AADL

Aulos Ensemble - AADL

AADL : about code generation - openaadl.org pivot notation based on a unique notation ... One binary, no source code ... Code generation patterns Each functional framework relies on

rgus eyes - AADL

Data-Driven Dependability Analysis Using AADL for …aadl.sei.cmu.edu/aadl/documents/Eatonaadl_Sensornet_Jan2007.pdf · Data-Driven Dependability Analysis Using AADL for ... Bus z

Marcel Marceau - AADL

Chanticleer - AADL

Song Recital - AADL

The Takacs Quartet - AADL

Part1 Introducing Aadl

Pianist - AADL

ADVERTIHIW KATES. - AADL

LAURA - AADL

Open Source AADL Tool Environment (OSATE)aadl.sei.cmu.edu/aadl/documents/d1_1500_Osate.pdf · © 2005 by Carnegie Mellon University Open Source AADL Tool Environment (OSATE) Peter

ANN ARBO - AADL

Model of an ADIRU in AADL

m~ssiah - AADL

Oakland Ballet - AADL

LondonP ilharnl - AADL

Yehudi Menuhin - AADL

Efoe - AADL

AADL for ICE Apps and Device Interfaces. AADL MOTIVATION

tfntetfiatipqal - AADL

AADL C3 SDS.doc

Shue - AADL

Philharmonia Orchestra - AADL