A component based methodology for description of complex systems. An application to avionics systems

Yamine Ait-Ameur, ENSAE-SUPAERO, 10, avenue E. Belin, BP 4025, 31055 Toulouse cedex, France. [email protected]

Bruno d'Ausbourg, Frédéric Boniol, Rémi Delmas, Virginie Wiels, ONERA-CERT, 2, avenue E. Belin, BP 4025, 31055 Toulouse cedex, France. ausbourg,boniol,rdelmas,[email protected]

Abstract. In this paper, we present a component based methodology for the description of complex systems and its application to the field of avionics components design. Avionics design involves several engineering branches, namely physics, electronics and computational science. Three viewpoints are extracted from this context: architectural, operating and functional viewpoints. The case study we use to illustrate this paper describes the compositional design of a subsystem of an aircraft's flight controls. We show the description and composition of multiple viewpoints, the expression of critical properties on independent viewpoints, as well as on the resulting composite system. In a second step, we discuss how existing formal specification and verification techniques can be used to verify that requirements are met. An application on the case study is also provided.

INTRODUCTION

Due to the ever increasing complexity of systems, and to their verification and validation needs, several system description methodologies were proposed during the last decade. These approaches support different phases of the design process of a particular system. Specification, design, verification and validation are the main design process steps a methodology should support. Two categories of descriptions can be distinguished.

The first one consists of generic methodologies which claim adaptability to various engineering areas. The generality of such methodologies yields reduced formal techniques support for the specification, design, validation and verification stages. Moreover, these approaches are not aimed at capturing application field specific aspects of systems, so the specific knowledge ends up hard-coded in the descriptions.

The second category is that of approaches targeted at a specific application domain. They allow precise description of systems in a given engineering context, but mostly suffer from being closed to a particular application domain. Moreover, these methodologies require the designers to have a deep and precise working knowledge of the field's formal techniques and tools in order to put them into practice.

Nowadays, systems spread across a wide variety of engineering areas, for instance software engineering for information processing and control-command operations, mechanical engineering, electronics engineering, aerodynamics, physics, etc. Furthermore, when involved in safety critical applications, these systems must often meet cross discipline requirements, whose complexity must in turn be handled and mastered by the methodology. Such systems are referred to as complex systems.

Description of complex systems requires the use of compositional approaches. A compositional approach enables the designer to specify multiple engineering field specific viewpoints of a single system. The final system is then built in an incremental manner, by successively composing these particular viewpoints. The safety properties the system must fulfill can be verified at different steps of the compositional process, depending on whether a property is local to a viewpoint, or is rather a global property of the composite. Last, designers may need to handle the system's description at different abstraction levels, linked by a refinement relation. Each refinement step supplements the previous description of the system. In addition, it enables the designer to decompose property verification and system validation activities. A given property can be verified as soon as enough information is present in the current refinement, before going on to the next refinement or composition step.
To sum up, an appropriate methodology for developing complex systems should gather and synthesise the necessary knowledge for describing complex systems and their properties from every application area involved, and provide the designer with the following features:

− description of engineering field specific viewpoints of a system,
− handling of a system at various abstraction levels through refinement relations,
− incremental design and component reuse thanks to high level composition operators,
− formalisation of system requirements into fully verifiable properties.

The methodology we propose in our paper intends to meet these four requirements, and can be instantiated into a particular application context, with the introduction of engineering field dependent viewpoints. The approach is based on a formal component composition calculus. We then depict its application to the field of avionics components design. Avionics design involves several engineering branches, namely physics, electronics and computational science. Three viewpoints were extracted from this context: architectural, operating and functional viewpoints. The case study of our paper describes the compositional design of a subsystem of the Airbus A380 aircraft's flight controls. We illustrate the description and composition of multiple viewpoints, the expression of critical properties on independent viewpoints, as well as on the resulting composite system. In a second step, we discuss how existing formal specification and verification techniques can be used to verify that requirements are met. An application on the case study is also provided.

CASE STUDY

We illustrate our methodology on an application that serves as a base to identify the needs and test our propositions. The application is an IMA (Integrated Modular Avionics) system; its goal is to control the plane surfaces with respect to the current state of the plane and the pilot commands. ADIRS (Air Data and Inertial Reference System) computes data describing the current state of the plane from sensor information (for example altitude and speed from pressure information). FMS (Flight Management System) defines guiding commands with respect to the current state of the plane and the pilot orders. AP (Automatic Pilot) sends the commands to the flight control system. EFCS (Electrical Flight Control System) computes the angles to apply to the surfaces using the state of the plane and either AP orders or pilot orders. The functional part of the application is summarised in figure 1. In this paper we present a small example (white square of the figure), communication between ADIRS and FMS by means of a virtual link.

[Figure 1. Case study: functional view of the application, with blocks Cockpit, sensors, ADIRS, FMS, AP, EFCS and surfaces.]

DESCRIPTION OF A COMPONENT

A component is composed of five parts: C = (A, E, F, HG, PG).
− A is the architectural viewpoint that describes the hardware part of the component.
− E is a viewpoint defining the operating system part of the component.
− F is the functional viewpoint; it describes the functions implemented by the component.
This decomposition in three viewpoints arises from an analysis of the avionics domain. HG and PG are respectively hypotheses and properties that address the whole component or specify the links between different viewpoints.

Description of a viewpoint. Each viewpoint has the same representation. It is composed of five parts:
− types,
− state variables,
− properties,
− initialisations,
− operations.
Operations describe the functionalities of the viewpoint; they can modify the state variables or produce results. An event ev_op is associated with each operation op. Properties characterise the viewpoint; they are of three kinds:
− hypotheses,
− invariants,
− temporal properties.
Hypotheses are properties (usually on the environment) that are supposed to be true. Invariants and temporal properties are properties that are satisfied by the viewpoint if the hypotheses are respected.

Integration of the three viewpoints. When a component is composed of different viewpoints, it is necessary to be able to describe relationships between these viewpoints. These links are given by the HG part of the component (global hypotheses). Moreover, a component may satisfy global properties concerning several viewpoints. These properties are given in the PG part of the component.

Notations. C.A, C.E, C.F, C.HG, C.PG denote respectively the architectural viewpoint, the operating system viewpoint, the functional viewpoint, the global hypotheses and the global properties of a component C. C.V.H, C.V.P denote respectively the hypotheses and the properties of the viewpoint V of a component C.

Consistency of a component. A component C = (A, E, F, HG, PG) is consistent if and only if

1. Hypotheses of each viewpoint and global hypotheses are coherent, that is to say they can be satisfied:
   ⊬ ¬(C.A.H ∧ C.E.H ∧ C.F.H ∧ C.HG)

2. Properties of each viewpoint are valid if the hypotheses are true:
   C.A.H ⇒ C.A.P
   C.E.H ⇒ C.E.P
   C.F.H ⇒ C.F.P

3. Global properties are valid if viewpoint and global hypotheses are true:
   C.A.H ∧ C.E.H ∧ C.F.H ∧ C.HG ⇒ C.PG

Examples. We give here two examples of component descriptions: a bus and a queue that will be composed in the next section to build a virtual link. A bus is a component containing only an architecture viewpoint: Bus = (A_bus, ∅, ∅, true, true). Viewpoint A_bus is described as follows:

Viewpoint A_Bus
  Types
    Real, Bool
  State variables
    val_bus : Real × Real
    active_bus : Bool
  Properties
    Hypotheses
      ¬ active_bus => ¬ ev_get_bus()
      active_bus => ¬ ev_put_bus(v)
    Invariants
    Temporal
      ev_put_bus => !
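To make the three consistency conditions and the A_Bus viewpoint concrete, here is an added Python illustration (not code from the paper or its authors) that checks conditions (1), (2) and (3) by exhaustive enumeration over a finite abstraction of the state. Every name below is an assumption of this example: the Real × Real domain of val_bus is sampled on {0.0, 1.0}², the events ev_get_bus and ev_put_bus are modelled as booleans recording whether the event fires in a state, the invariant given to A_Bus is a constructed consequence of its two hypotheses (the paper leaves the Invariants field empty), and BadBus and ContradictoryBus are constructed variants that violate conditions (3) and (1) respectively.

```python
"""Finite-state check of the component consistency conditions (1)-(3).

Added illustration, not code from the paper. Viewpoints carry finitely
many state variables; predicates are Python callables over a state dict.
Hypotheses H and properties P of each viewpoint, plus global HG and PG,
are checked by enumerating the joint state space of all variables.
"""
from itertools import product
from typing import Callable, Dict, Iterator, List, Sequence, Tuple

State = Dict[str, object]
Pred = Tuple[str, Callable[[State], bool]]   # (label, predicate over a state)


class Viewpoint:
    def __init__(self, name: str, variables: Dict[str, Sequence],
                 hypotheses: List[Pred], properties: List[Pred]):
        self.name = name
        self.variables = variables        # finite domain per state variable
        self.hypotheses = hypotheses      # V.H
        self.properties = properties      # V.P (invariants)


class Component:
    def __init__(self, name: str, viewpoints: List[Viewpoint],
                 global_hyps: List[Pred], global_props: List[Pred]):
        self.name = name
        self.viewpoints = viewpoints      # A, E, F (empty viewpoints omitted)
        self.global_hyps = global_hyps    # HG
        self.global_props = global_props  # PG


def states(c: Component) -> Iterator[State]:
    """Enumerate every assignment of all variables of all viewpoints."""
    variables: Dict[str, Sequence] = {}
    for vp in c.viewpoints:
        variables.update(vp.variables)
    names = list(variables)
    for values in product(*(variables[n] for n in names)):
        yield dict(zip(names, values))


def holds(preds: List[Pred], s: State) -> bool:
    return all(p(s) for _, p in preds)


def check_consistency(c: Component) -> List[str]:
    """Return the violated conditions; an empty list means C is consistent."""
    failures: List[str] = []
    all_hyps = [h for vp in c.viewpoints for h in vp.hypotheses] + c.global_hyps
    # (1) coherence: the conjunction of all hypotheses has at least one model
    if not any(holds(all_hyps, s) for s in states(c)):
        failures.append("(1) hypotheses of %s are contradictory" % c.name)
    for s in states(c):
        # (2) per viewpoint: V.H => V.P
        for vp in c.viewpoints:
            if holds(vp.hypotheses, s):
                for label, p in vp.properties:
                    if not p(s):
                        failures.append("(2) %s.%s violates %r in %s"
                                        % (c.name, vp.name, label, s))
        # (3) global: A.H and E.H and F.H and HG => PG
        if holds(all_hyps, s):
            for label, p in c.global_props:
                if not p(s):
                    failures.append("(3) %s violates global %r in %s"
                                    % (c.name, label, s))
    return failures


# Finite abstraction of viewpoint A_Bus (constructed): val_bus is sampled on
# {0.0, 1.0}^2; ev_get_bus / ev_put_bus record whether the event fires.
A_BUS = Viewpoint(
    "A",
    variables={
        "val_bus": [(x, y) for x in (0.0, 1.0) for y in (0.0, 1.0)],
        "active_bus": [False, True],
        "ev_get_bus": [False, True],
        "ev_put_bus": [False, True],
    },
    hypotheses=[
        ("not active_bus => not ev_get_bus",
         lambda s: s["active_bus"] or not s["ev_get_bus"]),
        ("active_bus => not ev_put_bus",
         lambda s: not s["active_bus"] or not s["ev_put_bus"]),
    ],
    # constructed invariant: it follows from the two hypotheses above
    properties=[("never get and put together",
                 lambda s: not (s["ev_get_bus"] and s["ev_put_bus"]))],
)

# Bus = (A_bus, empty, empty, true, true): no E or F viewpoint, no HG/PG
BUS = Component("Bus", [A_BUS], global_hyps=[], global_props=[])

# Constructed variant: a global property that the hypotheses do not support
BAD_BUS = Component("BadBus", [A_BUS], global_hyps=[], global_props=[
    ("ev_put_bus => active_bus",
     lambda s: not s["ev_put_bus"] or s["active_bus"])])

# Constructed variant: a global hypothesis that contradicts A_Bus's own
CONTRADICTORY_BUS = Component("ContradictoryBus", [A_BUS], global_hyps=[
    ("always active and always writing",
     lambda s: s["active_bus"] and s["ev_put_bus"])], global_props=[])

if __name__ == "__main__":
    for comp in (BUS, BAD_BUS, CONTRADICTORY_BUS):
        print(comp.name, "->", check_consistency(comp) or "consistent")
```

Enumeration is only viable because the abstraction is finite; for the Real-valued val_bus the paper's approach relies on the formal specification and verification techniques discussed later, and the sampling here stands in for that only to exercise the shape of the three conditions.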
