mbd within airbus-uk fuel systems - mathworks...confidential a mathworks aerodef'08 - mbd...

Mathworks AeroDef'08 - MBD within Airbus-UK Fuel Systems

April 2008

MBD within Airbus-UK Fuel SystemsOpportunities and Experiences

Presented by

Christopher SlackFuel Modelling SpecialistAirbus UK

April 2008Mathworks AeroDef'08 - MBD within Airbus-UK Fuel Systems Page 3©A

IRB

US

UK

LTD

. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.

Systems Engineering V-Cycle

Automated

Validation

SystemRequirements

SystemRequirements

Automated

Verification

System Test(SIB)

System Test(SIB)

Unit TestUnit Test

System

Design

& Integration

Equipm

ent Design

& Im

plementation

AirbusResponsibility

Supplier’sResponsibility

Top Level Aircraft

Requirements

Top Level Aircraft

Requirements

ImplementationImplementation

Autom

ated

Testing

VALIDATION TEST

DEVELOPMENT

SystemSimulation(A/C –1)

SystemSimulation(A/C –1)

SystemSpecification

SystemSpecification

Detail DesignDetail Design

Integration Test(A/C 0)

Integration Test(A/C 0)

Aircraft Test(A/C 1,2,…)

Aircraft Test(A/C 1,2,…)


IRB

US

UK

LTD

. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.

Equipment Design

Component Development

Model Based Design – Supplier Involvement

CONTROLMODEL

CONTROLMODEL

AIRBUS SUPPLIER

Environment Model

VENDORMODEL

VENDORMODEL

Environment Model

Design ValidationDesktop Simulator

“Spec In the Loop”Integrated Simulator

“H/W in the Loop”Avionics Rig

VENDORCODE

VENDORCODE

Environment Model

“S/W In the Loop”Desktop Rig

TextualRequirements

Sub-SystemRequirements


IRB

US

UK

LTD

. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.

Model Based Design - In Practice

• Rapid Prototyping of Control System Requirements.�Normal and Failure Operating Modes

• Simulink/Stateflow Application�Platform Independent

�Exploits DCT

• Control Logic separated from Aircraft Environment�System Designers focus on

– Control Functions– HMI– Robustness & Validation

�Specialist Modellers focus on:– Aircraft & Environ Simulation– GUI/Panels– Auto-Test Capabilities

Environment Developed by

Modellers

Control Logic Developed by

System Designers


IRB

US

UK

LTD

. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.

AFSMEAirbus Fuel System Modelling Environment

10

Flow Rates

9

Temp

8Tot Weight

7Mom Y

6Mom X

5

Mass

4Targ Cg

3XCg

2Altitude

1Jettison

Density

Vol 2 Mass

Engine Burn

APU Burn

Recirc Rate

Valve States

Transfer Mode

Tank Empty

Flow Rates

Valves_2_Flowrates

Mass

Temperature

Flow

Valves

Modes

Flight Profile

CG

Aux

Time Plotting

Volumes

Mach

Air Temp

Temperature

Temperature

Flow Rate

Leak Rate

Volume

Tank Empty

Tanks

Program AFSME 3.2 STR 465Date: Fri Jan 18 11:24:10 2002Ref: SCF/SYS/GEN/61/2623 Iss. 6

User Guide: SCF/SYS/GEN/61/2909

Leak

Leaks

[M]

[V]

[F]

[M]

[V]

[F]

Mass

Recirc_Inhibit

Engine Burn

APU Burn

Recirc Flow

Jettison

Altitude

Pitch

Roll

Mach

Air Temp

FP MuxFlight_Profile

Simulation.Temperature

Enable Temperature

Simulation.CGEnable CG Calc

Pitch

Roll

Mass

XCg

Targ_Cg

Mom X

Mom Y

Tot Weight

CG MuxCg_Calc

4Recirc Inhibit

3Auxiliary Plot

2Modes

1Valves


10

Flow Rates

9

Temp

8Tot Weight

7Mom Y

6Mom X

5

Mass

4Targ Cg

3XCg

2Altitude

1Jettison

Density

Vol 2 Mass

Engine Burn

APU Burn

Recirc Rate

Valve States

Transfer Mode

Tank Empty

Flow Rates

Valves_2_Flowrates

Mass

Temperature

Flow

Valves

Modes

Flight Profile

CG

Aux

Time Plotting

Volumes

Mach

Air Temp

Temperature

Temperature

Flow Rate

Leak Rate

Volume

Tank Empty

Tanks

Program AFSME 3.2 STR 465Date: Fri Jan 18 11:24:10 2002Ref: SCF/SYS/GEN/61/2623 Iss. 6

User Guide: SCF/SYS/GEN/61/2909

Leak

Leaks

[M]

[V]

[F]

[M]

[V]

[F]

Mass

Recirc_Inhibit

Engine Burn

APU Burn

Recirc Flow

Jettison

Altitude

Pitch

Roll

Mach

Air Temp



Enable Temperature

Simulation.CGEnable CG Calc

Pitch

Roll

Mass

XCg

Targ_Cg

Mom X

Mom Y

Tot Weight

CG MuxCg_Calc

4Recirc Inhibit

3Auxiliary Plot

2Modes

1Valves

Model Based Design - In Practice

• Statecharts control behaviour�Easier than Enabled/Triggered Subsystems

• Enhanced Validation�Statechart representation can be clearer and less ambiguous�Increases validation confidence

IRP_MODE_SELECTION

5.1.7(1)

GROUND_OPS/ 1

SURGE2

5.1.(1)

AUTO_REFUEL TRANSFER5.1.4.(1)5.1.3.(1) 5.1.2.(1)

MANUAL_REFUEL

AR_CONF

5.1.1.(1)

OFF_CONF

DF_CONF

DEFUEL SOT OFF5.1.5.(1) 5.1.6.(1)

GO_D = DELAY(d_t)function

TR_CONF

MR_CONF

[XFER&...DELAY(D_GOS)]

[~XFER ...| SOT_INITIATED]

[AR &...DELAY(D_GOS)] [(~GND_SURGE_RELIEF_ACTIVE &...

~AR) | SOT_INITIATED][DELAY(D_GOS)][((AR | XFER |...

DF | IDLE) &...~GND_SURGE_RELIEF_ACTIVE) |...

SOT_INITIATED]

[MR | FAULT]/d_i=0; [AR]/d_i=0; [~AR][~MR] [~XFER] [XFER]/d_i=0;

[DF]/d_i=0; [IDLE]/d_i=0;[~IDLE][~DF]

[~IDLE ...| FAULT | SOT_INITIATED ][~DF | SOT_INITIATED]

[SOT_INITIATED]

[Mode_Status[TR_SOT_EXIT] &...~GND_SURGE_RELIEF_ACTIVE]

[IDLE &...DELAY(D_GOS)]

[DF &...DELAY(D_GOS)]

evaluate_conditions()function 5.1.(2)

{

AR= ...IRP_MODE[IRP_AUTO_REFUEL] & ...~IRP_MODE[IRP_MANUAL_REFUEL] & ...~IRP_MODE[IRP_TRANSFER] & ...~IRP_MODE[IRP_DEFUEL] & ...~IRP_MODE[IRP_OFF] &...~SOT_INITIATED;

XFER= ...IRP_MODE[IRP_TRANSFER] & ...~IRP_MODE[IRP_MANUAL_REFUEL] & ...~IRP_MODE[IRP_AUTO_REFUEL] & ...~IRP_MODE[IRP_DEFUEL] & ...~IRP_MODE[IRP_OFF] &...~SOT_INITIATED &...~GND_SURGE_RELIEF_ACTIVE;

DF= ...IRP_MODE[IRP_DEFUEL] & ...~IRP_MODE[IRP_MANUAL_REFUEL] & ...~IRP_MODE[IRP_AUTO_REFUEL] & ...~IRP_MODE[IRP_TRANSFER] & ...~IRP_MODE[IRP_OFF] &...~SOT_INITIATED &...~GND_SURGE_RELIEF_ACTIVE;

IDLE= ...IRP_MODE[IRP_OFF] & ...~IRP_MODE[IRP_MANUAL_REFUEL] & ...~IRP_MODE[IRP_AUTO_REFUEL] & ...~IRP_MODE[IRP_TRANSFER] & ...~IRP_MODE[IRP_DEFUEL] &...~SOT_INITIATED &...~GND_SURGE_RELIEF_ACTIVE;

MR= ...IRP_MODE[IRP_MANUAL_REFUEL] & ...~IRP_MODE[IRP_DEFUEL] & ...~IRP_MODE[IRP_AUTO_REFUEL] & ...~IRP_MODE[IRP_TRANSFER] & ...~IRP_MODE[IRP_OFF] &...~SOT_INITIATED;

FAULT= ...~AR & ~XFER & ~DF & ~IDLE & ~MR;}

entry:evaluate_conditions();during:evaluate_conditions();

Fuel System Modelling EnvironmentControl Function Design


IRB

US

UK

LTD

. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.

Model Development Process

When the model is the requirements, the distinction between “Model Verification” and “Requirements Validation” is somewhat blurred

Requirements MODEL

TestObjectives

TestScripts

ModelValidation

ModelVerification

Test ScriptValidation

RequirementValidation

ModelSpecification

Results &Problems

Test ObjectiveValidation

If a test fails –is model, the requirement or the test at fault?

Environment


IRB

US

UK

LTD

. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.

Model & Requirement Validation

• Typical Model Development Cycle�As model matures, tends towards Requirements Validation

Statistics of Model/Requirement Validation

Time (Months)

Num

ber

of O

bser

vatio

ns

Problems Attributed to ModelProblems Attributed to Requirement


IRB

US

UK

LTD

. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.

“The complexity of specification written with forma lised language raises the need for higher level specifica tion

description containing all the requirements impleme nted in the formalised specification”

Aviation Authorities View of MBD

• We need a model and textual requirements in order to sufficiently define and validate a system in compliance with ARP4754�Non-Functional Requirements difficult to model

– Performance / Integrity / Reliability

� Effectively states that a model is only an implementation of unwritten requirements.

Interpretation of ARP4754…


IRB

US

UK

LTD

. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.


10

Flow Rates

9

Temp

8Tot Weight

7Mom Y

6Mom X

5

Mass

4Targ Cg

3XCg

2Altitude

1Jettison

Density

Vol 2 Mass

Engine Burn

APU Burn

Recirc Rate

Valve States

Transfer Mode

Tank Empty

Flow Rates

Valves_2_Flowrates

Mass

Temperature

Flow

Valves

Modes

Flight Profile

CG

Aux

Time Plotting

Volumes

Mach

Air Temp

Temperature

Temperature

Flow Rate

Leak Rate

Volume

Tank Empty

Tanks

Program AFSME 3.2 STR 465Date: Fri Jan 18 11:24:10 2002Ref: SCF/SYS/GEN/61/2623 Iss. 6User Guide: SCF/SYS/GEN/61/2909

Leak

Leaks

[M]

[V]

[F]

[M]

[V]

[F]

Mass

Recirc_Inhibit

Engine Burn

APU Burn

Recirc Flow

Jettison

Altitude

Pitch

Roll

Mach

Air Temp



Enable Temperature

Simulation.CG

Enable CG Calc

Pitch

Roll

Mass

XCg

Targ_Cg

Mom X

Mom Y

Tot Weight

CG MuxCg_Calc

4Recirc Inhibit

3Auxiliary Plot

2Modes

1Valves


10

Flow Rates

9

Temp

8Tot Weight

7Mom Y

6Mom X

5

Mass

4Targ Cg

3XCg

2Altitude

1Jettison

Density

Vol 2 Mass

Engine Burn

APU Burn

Recirc Rate

Valve States

Transfer Mode

Tank Empty

Flow Rates

Valves_2_Flowrates

Mass

Temperature

Flow

Valves

Modes

Flight Profile

CG

Aux

Time Plotting

Volumes

Mach

Air Temp

Temperature

Temperature

Flow Rate

Leak Rate

Volume

Tank Empty

Tanks

Program AFSME 3.2 STR 465Date: Fri Jan 18 11:24:10 2002Ref: SCF/SYS/GEN/61/2623 Iss. 6User Guide: SCF/SYS/GEN/61/2909

Leak

Leaks

[M]

[V]

[F]

[M]

[V]

[F]

Mass

Recirc_Inhibit

Engine Burn

APU Burn

Recirc Flow

Jettison

Altitude

Pitch

Roll

Mach

Air Temp



Enable Temperature

Simulation.CG

Enable CG Calc

Pitch

Roll

Mass

XCg

Targ_Cg

Mom X

Mom Y

Tot Weight

CG MuxCg_Calc

4Recirc Inhibit

3Auxiliary Plot

2Modes

1Valves

SIMULATION & TEST

Integrated Sim (A/C0 & FFS)

System Sim (DTS & A/C-1)

SIMULATION & TEST

System Sim (DTS & A/C-1)

Integrated Sim (A/C0 & FFS)

Model Re-Use – Interface Simulation

• Simulation Platforms have different interfaces�Pre-Formatted or Formatted ARINC429/AFDX/CANBUS�Includes data for simulation (e.g. Fault Injection)

• Provide Common “Core Model” with specific interfaces

GROUND_OPS/ 1


MANUAL_REFUEL

AR_CONF

5.1.1.(1)

OFF_CONF

DF_CONF

DEFUEL SOT OFF5.1.5.(1) 5.1.6.(1)


TR_CONF

MR_CONF






SOT_INITIATED]




[SOT_INITIATED]




GROUND_OPS/ 1


MANUAL_REFUEL

AR_CONF

5.1.1.(1)

OFF_CONF

DF_CONF

DEFUEL SOT OFF5.1.5.(1) 5.1.6.(1)


TR_CONF

MR_CONF






SOT_INITIATED]




[SOT_INITIATED]




GROUND_OPS/ 1


MANUAL_REFUEL

AR_CONF

5.1.1.(1)

OFF_CONF

DF_CONF

DEFUEL SOT OFF5.1.5.(1) 5.1.6.(1)


TR_CONF

MR_CONF






SOT_INITIATED]




[SOT_INITIATED]




(Control & Indication

Model

Simplified AFSME

FORMATTING

DEFORMATTING

I/F Wrapper I/F Wrapper


IRB

US

UK

LTD

. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.

Model Re-Use - Simulation Platforms

• Desktop Simulator�Requirements & Environment Model�Integrated with Flight Warning & Cockpit Display Models�AutoCode using SF Coder & RTW


IRB

US

UK

LTD

. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.

• Aircraft -1�Realistic Cockpit Mock-Up�Simulated Avionics�Interfaces Identical to Full Flight Simulator



IRB

US

UK

LTD

. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.


• Aircraft Zero (Iron Bird)�Cockpit Avionics & Displays�Real or Simulated Avionics Equipment (Interchangeable)�Simulated Environment


IRB

US

UK

LTD

. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.


• Full Flight Simulator�Fully Simulated Systems and Environment�Single model for all platforms

– Interfaces pre-configured for each platform


IRB

US

UK

LTD

. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.

Simulator Model

SimulatorCode

To IntegratorsSimulator

ModelSimulator

Code

Design Teams

Multi Team Model Design Process

Engine Feed

Ground Ops

Transfer

Indication

Fuel SSRDFuel

SSRD

Fuel System C&I Model(Baseline)

Config Controller

Changed

Items

To Supplier


IRB

US

UK

LTD

. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.

New Developments - Formal Methods

• MBD is not “Formal” in the mathematical sense �Once created possible to apply formal methods

• Proof Technology – Design Verifier�Mathematical analysis of the Model

– without traversing all possible scenarios

– complete in a mathematical sense• correct and desired behaviour• wrong and not desired behaviour

• Some restrictions may hinder progress�E.g. Non-Virtual Buses, Stateflow Structures

�Model may need changing to make it Validatable– May alter the intent of the requirement


IRB

US

UK

LTD

. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.

New Developments - Static Analysis

• Static Code Analysis�Ability to “prove” correctness of code

- Out of bound values - Overflow/Underflow- Divide by zero - Unreachable code/modules- Infinite Loops - Square Root negative numbers

• Polyspace Model-Link�Auto Generate Code to Analyse Model


IRB

US

UK

LTD

. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.

Lessons Learnt - Model Based Design

• Model build process can reveal anomalies/ambiguities�Validation for free

– Identify Assumptions separately from requirements– Identify Executable Implementation from Requirements

• Validation Testing�A test that is more complex than that being tested is probably wrong

�Easy to be caught in the trap of “Test for Success”– Testing for intentional, but not unintentional behaviour– Project managers demand simple progress metrics

• Model Architecture�Separate Requirements Model from Environment Model

�Separate real interfaces from simulator


IRB

US

UK

LTD

. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.

Lessons Learnt – System Design

• System Designers focus on Designing the System�The System Model is the System Requirements

– Extra functionality required to exercise the model are not requirements

• Discontinuity between Design and Implementation�Detailed Models required for Integration Simulators

– Required before availability of equipment– Need to create models of potential implementation

• Easy for Designers can be Difficult for Simulators�Matlab Function Blocks

�M-File S-Functions�Test Harnesses

– Can break the automatic code generators


IRB

US

UK

LTD

. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.

• Aircraft Life Cycle w.r.t. COTS�A/C measured in Decades – COTs measured in Months.

– Tool versions will become obsolete – so must plan it in from start• Cost of upgrading

�Installation, Training, Hardware�Rework obsolete features, Model regression testing & re-validation

• Benefit (Cost of not upgrading)�Bugs�Utilization of new features

Lessons Learnt - Migration

“Per

ceiv

ed”

Cos

t

TimeR12

R13

R14SP0

R14SP3R2006Cost

Benefit

R2007


IRB

US

UK

LTD

. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.

Any Questions?


IRB

US

UK

LTD

. A

ll rig

hts

rese

rved

. Con

fiden

tial a

nd p

ropr

ieta

ry d

ocum

ent.

© AIRBUS UK LTD. All rights reserved. Confidential and proprietary document.

This document and all information contained herein is the sole property of AIRBUS UK LTD. No intellectual property rights are granted by the delivery of this document or the disclosure of its content. This document shall not be reproduced or disclosed to a third party without the express written consent of AIRBUS UK LTD. This document and its content shall not be used for any purpose other than that for which it is supplied.

The statements made herein do not constitute an offer. They are based on the mentioned assumptions and are expressed in good faith. Where the supporting grounds for these statements are not shown, AIRBUS UK LTD will be pleased to explain the basis thereof.

AIRBUS, its logo, A300, A310, A318, A319, A320, A321, A330, A340, A350, A380, A400M are registered trademarks.

mbd within airbus-uk fuel systems - mathworks...confidential a mathworks aerodef'08 - mbd...

Documents