AUTOGEF Process and Environment
AUTOGEF follows a model-based approach to automate the generation of the models used in FDIR (Fault Detection, Isolation and Recovery) sub-system development. The approach is compatible with the modelling and analyses provided by the COMPASS (Correctness, Modelling and Performance of Aerospace Systems) environment and its SLIM (System-Level Integrated Modelling) formalism, as well as with current FDIR architectures and strategies. The AUTOGEF project has developed the Automated Model Generation Toolset for FDIR (AUTOGEF), which implements the defined synthesis approach as an add-on to the COMPASS Toolset.
The AUTOGEF toolset generates the FDIR subsystem(s)/component(s) automatically from the following inputs:
- The COMPASS extended model. COMPASS generates it automatically when the System/RAMS Engineer loads the SLIM models (nominal and error) and defines one or more fault injections. The nominal model shall include:
- The set of system observables. The System/RAMS Engineer shall identify the parameters that are accessible to the FDIR component(s); only these can serve as detection means.
- The set of recovery actions.
Both the observables and the recovery actions are specified in the nominal model, and this information is carried over into the extended model.
- The COMPASS dependability and safety analyses, i.e., Fault Tree Analysis (FTA) and Failure Mode and Effects Analysis (FMEA). Their results provide the information from which the list of faults is extracted.
- The mission specification: mission characteristics such as mission phases, operational modes and spacecraft configurations.
- The FDIR specification: operational objectives, target system dependability (safety) characteristics and architectural requirements. These data are also specified by the System/RAMS Engineer and loaded through the AUTOGEF GUI.
The figure below depicts the integration of AUTOGEF within the COMPASS context. A star marks the inputs, outputs and tools developed by the AUTOGEF project; pink boxes represent the inputs that the System/RAMS Engineer has to load. The steps of the FDIR development process following the AUTOGEF methodology with the AUTOGEF toolset are summarized below. They cover all the actions the System/RAMS Engineer has to perform (including the COMPASS ones) to generate the FDIR model.
- Design the system nominal and error models in the SLIM language.
- Mark the observable attributes in the nominal model (observable keyword).
- Load the nominal and error models (‘Model’ window of the COMPASS tool).
- Specify one or more fault injections (‘Model’ window of the COMPASS tool). COMPASS then generates the extended model automatically. By default, the list of faults is extracted from the fault injections that are enabled, so a fault that is not injected is invisible to the rest of the process.
- Specify the mission. The mission specification adds characteristics that are not in the SLIM models, namely mission phases, operational modes and spacecraft configurations.
- Define the properties (‘Properties’ window of the COMPASS tool) to be verified by the fault tree and FMEA analyses.
- Generate the fault trees (‘Safety-Fault Tree Generation’ window of the COMPASS tool):
- Select the properties to be analysed.
- Generate the fault tree, which shows how the state described by the property is reached, expressed in terms of fault events of the SLIM model.
- Generate the FMEA tables (‘Safety-Failure Mode Effect Analysis’ window of the COMPASS tool):
- Select the properties to be analysed.
- Select the cardinality (the number of fault events combined in each failure mode).
- Generate the FMEA tables, which list the failure modes and their effects.
- Load the FDIR specification (AUTOGEF GUI).
- Start the AUTOGEF execution (AUTOGEF GUI).
The FDIR diagnosis and the controllers are synthesized, producing an FDIR model in the SLIM language. The controllers are compliant with the FDIR specification. The FDIR component(s) identify the observable attributes that serve as detection means for the system properties. When a fault is detected, the FDIR model triggers the recovery actions defined in the nominal model.
The methodology and the toolset have been demonstrated across the FDIR development process lifecycle on a case study that models a subset of the Trace Gas Orbiter (TGO) of the EXOMARS project.
A set of metrics was defined to assess their adequacy in terms of applicability, scalability, usability and performance for use in the development of critical on-board space systems and software. The relationship and impact of the AUTOGEF methodology and toolset on current industrial practices and processes, in the context of the corresponding ECSS standards, have also been assessed.
The AUTOGEF toolset and methodology guide the FDIR engineer through the steps of the FDIR design process. First, modelling the nominal system identifies the system architecture, data and behaviour, and lets the engineer check, by simulation and model checking, that the model behaves as the real system does.
In a second step, the top-down feared-event analysis (FTA) and the bottom-up failure mode analysis (FMEA) identify the set of errors that can lead to a system failure or to the loss of a function. The COMPASS toolset analyses the “extended” model, i.e., the nominal model with the injected faults. Fault trees can be generated and, if needed, mitigation means can be added to the system design to improve its robustness and safety.
Turning to the operational analysis, the FDIR engineer then uses AUTOGEF to capture the mission phases and operational modes of the project. This makes it possible to identify FDIR requirements per phase/mode and to start identifying recovery objectives; a fault whose effect is only visible in some modes needs its detection requirement stated per mode. Once these activities are complete, AUTOGEF is used to formalize the FDIR specification in terms of fault detection requirements and fault recovery requirements.
The AUTOGEF synthesis routines then generate an FDIR design compliant with the input specification. This design, back-translated into SLIM, is combined with the nominal model, and the COMPASS analyses let the FDIR engineer evaluate the correctness and efficiency of the synthesised elements. Since the synthesised FDIR is derived from, and checked against, the same extended model, its coverage is bounded by the set of enabled fault injections: a fault that was never injected is neither detected nor recovered, so the completeness of the injection set should be reviewed before the results are trusted.
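The following Python script is an added illustration of the pipeline described above (nominal model with observables and recovery actions, fault injections forming the extended model, a cardinality-1 FMEA, a per-phase FDIR specification, synthesis of a diagnoser and recovery controller, and a check of the result against the extended model). It is not AUTOGEF or COMPASS code and uses no SLIM syntax; the thermal-control unit, its observables, the fault names, the mission phases and the FDIR specification are all constructed for the example. It deliberately includes two situations the process has to surface: two faults that share an observable signature (detectable but not isolable) and a fault that has no observable effect in one operational mode (not detectable there).

```python
"""Toy walk-through of the FDIR synthesis flow described above.

Added illustration only: this is not AUTOGEF or COMPASS code and it uses no
SLIM syntax. The thermal-control unit, its observables, the injected faults,
the mission phases and the FDIR specification are all constructed.
"""
from dataclasses import dataclass, field

# Nominal model: what the FDIR component may read, and what it may trigger.
OBSERVABLES = ("temp_ok", "heater_current")
RECOVERY_ACTIONS = ("switch_to_redundant_heater", "enter_safe_mode")
# Fault injections (constructed); extended model = nominal model + these.
FAULTS = ("heater_element_open", "heater_switch_open", "current_sensor_stuck_high")
# Mission specification: phase -> operational mode (constructed).
MISSION_PHASES = {"cruise": "heating", "eclipse_standby": "standby"}
# FDIR specification: per phase, which fault must trigger which recovery action.
FDIR_SPEC = {
    "cruise": {"heater_element_open": "switch_to_redundant_heater",
               "heater_switch_open": "switch_to_redundant_heater",
               "current_sensor_stuck_high": "enter_safe_mode"},
    "eclipse_standby": {"current_sensor_stuck_high": "enter_safe_mode"},
}


@dataclass
class ThermalUnit:
    """Extended model: nominal behaviour with the active fault injections applied."""
    faults: set = field(default_factory=set)

    def step(self, mode):
        heater_cmd = mode == "heating"
        delivers = heater_cmd and not (self.faults & {"heater_element_open", "heater_switch_open"})
        temp_ok = delivers or mode == "standby"          # no heat needed in standby
        current = 1.0 if delivers else 0.0
        if "current_sensor_stuck_high" in self.faults:   # sensor fault masks the reading
            current = 1.0
        return {"temp_ok": temp_ok, "heater_current": current}


def signature(observables, mode):
    """Deviation of the observables from nominal in `mode`, as a hashable key."""
    nominal = ThermalUnit().step(mode)
    return tuple(sorted((k, observables[k]) for k in OBSERVABLES if observables[k] != nominal[k]))


def fmea(mode):
    """FMEA with cardinality 1: observable effect of each single fault in `mode`."""
    return {f: dict(signature(ThermalUnit(faults={f}).step(mode), mode)) for f in FAULTS}


def synthesise_diagnoser(mode):
    """Detection means: observable signature -> faults that produce it (in `mode`)."""
    table = {}
    for fault, effects in fmea(mode).items():
        if effects:                                  # empty effect = not detectable here
            table.setdefault(tuple(sorted(effects.items())), set()).add(fault)
    return table


def synthesise_fdir(spec=FDIR_SPEC, phases=MISSION_PHASES):
    """Per-phase controller (signature -> recovery action) plus the spec items it cannot meet."""
    controller, gaps = {}, []
    for phase, mode in phases.items():
        diag = synthesise_diagnoser(mode)
        fault_to_sig = {f: sig for sig, fs in diag.items() for f in fs}
        controller[phase] = {}
        for fault, action in spec[phase].items():
            assert action in RECOVERY_ACTIONS, f"{action} is not a recovery action of the nominal model"
            sig = fault_to_sig.get(fault)
            if sig is None:
                gaps.append((phase, fault, "not detectable with current observables"))
                continue
            # Faults sharing a signature cannot be isolated; that is acceptable only
            # when the spec demands the same recovery for all of them.
            if {spec[phase].get(f) for f in diag[sig]} != {action}:
                gaps.append((phase, fault, f"not isolable from {sorted(diag[sig] - {fault})}"))
                continue
            controller[phase][sig] = action
    return controller, gaps


def fdir_step(controller, phase, observables):
    """Runtime FDIR: read the observables, return the recovery action to trigger (or None)."""
    return controller[phase].get(signature(observables, MISSION_PHASES[phase]))


def verify(controller, spec=FDIR_SPEC, phases=MISSION_PHASES):
    """Check the synthesised controller against the extended model: every required
    fault triggers its action, and the nominal run raises no false alarm."""
    results = {}
    for phase, mode in phases.items():
        for fault, action in spec[phase].items():
            obs = ThermalUnit(faults={fault}).step(mode)
            results[(phase, fault)] = fdir_step(controller, phase, obs) == action
        results[(phase, "nominal")] = fdir_step(controller, phase, ThermalUnit().step(mode)) is None
    return results


if __name__ == "__main__":
    ctrl, gaps = synthesise_fdir()
    for phase, table in ctrl.items():
        print(phase, table)
    print("gaps:", gaps)          # stuck-high sensor is invisible while the heater is on
    print("verification:", verify(ctrl))
```

Running the script shows the two outcomes a practitioner should expect the real toolchain to report: in the cruise phase the two heater faults share one signature and are recovered by the same action, so the controller is still compliant, whereas the stuck-high current sensor produces no deviation while the heater is commanded on and is listed as a gap, which in practice means adding an observable or moving that detection requirement to the standby mode where the fault is visible.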