
Short Paper Proc. of Int. Colloquiums on Computer Electronics Electrical Mechanical and Civil 2011

A Processor in Loop Test Method for Life Critical Systems

Divyesh Divakar1, Ashwini K G2
1, 2 Lecturer, Dept. of Electrical Engineering, Canara Engineering College, Mangalore, India
divyesh_divakar@rediffmail.com, ashwini_shenoy@rediffmail.com

Abstract— Aviation safety has come a long way in over one hundred years of implementation. The avionics industry is now a billion-dollar industry in its own right, and has made safety a major selling point, realizing that a poor safety record in the aviation industry is a threat to corporate survival. As a first step, an attempt is made to simulate developed safety critical control blocks within a specified simulation time. For this, the blocks developed will be tested in the Simulink environment. To be precise and efficacious, high-fidelity test scenarios are to be explored. The Processor in the Loop (PIL) test method is used for checking the functional differences between the model and the generated and compiled object code, to identify any potential deviations in the performance introduced by the compilation process. This paper suggests a development workflow starting with a model created in Simulink and proceeding through generating verified and profiled code for the processor.

Index Terms— Embedded software, MATLAB, Safety critical system, Software, Software safety.

I. NOMENCLATURE

FAA - Federal Aviation Administration
MEX - MATLAB Executable
PIL - Processor in loop

II. INTRODUCTION

Modern electronic systems increasingly make use of embedded computer systems to add functionality and to increase flexibility, controllability and performance. This can lead to new and different failure modes which cannot be addressed with traditional fault tolerance techniques [1]. This is especially significant in life/safety critical systems. Safety critical systems are those systems whose failure could result in loss of life, significant property damage, or damage to the environment. Safety-critical systems are increasingly computer-based and their development has traditionally been pioneered within the avionics and automotive industries. Software safety is a fast growing field since the functionality of modern systems is increasingly being put under the control of software. An obvious example of a safety critical system is an aircraft fly-by-wire control system, where the pilot inputs commands to the control computer using a joystick, and the computer manipulates the actual aircraft controls. The lives of hundreds of passengers are totally dependent upon the continued correct operation of such a system.

Software engineering for safety critical systems is particularly difficult. There are three aspects which can be applied to aid engineering software for such systems: Firstly, process engineering and management. Secondly, select the appropriate tool and environment for the system. This allows the system developer to effectively test the system by emulation and observe its effectiveness. Thirdly, address any legal and regulatory requirements, such as FAA requirements for aviation. Setting a standard under which a system is required to be developed forces the designers to stick to the requirements. The avionics industry has succeeded in producing standard methods for producing life-critical avionics software. The standard approach is to carefully code, inspect, document, test, verify and analyse the system [2]. In a model based verification process, the models are transformed into code manually or with the use of autocode generators. The code is compiled and executed on the PC or on target boards and the outputs are checked to ensure that they match the simulated model output [3]. Extensive testing is required for any safety critical system [4]. But failures still happen in flight controls.

Used with Real-Time Workshop Embedded Coder, Embedded IDE Link provides PIL co-simulation. A PIL testing environment created from the developed model serves as the data-exchange interface between the host simulation and the object code executing on the target. This is the existing method and is demonstrated for a basic On Delay control block, developed using Simulink for the required delay. The constraints of the existing concept are discussed. The proposed method is PIL testing using the RTDX feature.

© 2011 ACEEE DOI: 02.CEMC.2011.01. 529

III. SIMULINK MODELS

Safety-critical systems include control models that work together to achieve the safety-critical mission. These may include input sensors, digital data devices, hardware, peripherals, drivers, actuators, the controlling software, and other interfaces. Their development requires rigorous analysis and comprehensive design and test.

A. Second Order Filter

The Simulink model for the Second Order Filter was developed from the following requirements and is shown in Fig. 1.

If init > 0
  o Set all previous values of output and input to input.
  o Set output equal to input.
Else
  o Compute using the following equation:
    Out = Nz(1)*inp + Nz(2)*pri + Nz(3)*ppri - Dz(2)*pro - Dz(3)*ppro;
    where inp is the input, pri is the previous input, ppri is the previous to previous input, pro is the previous output and ppro is the previous to previous output.
End

Filters are dynamic elements of a control system. They are very important to the stability of a system. In a model based approach, they can be easily tested with a step change at the input. Normally the filter output and the filter states are initialized to the input. This ensures that the filter output is constant for a constant input. Second order filters are normally used as notch filters to cut out unwanted frequencies.

Fig. 1. Simulink model for Second Order Filter

B. On Delay

In safety critical systems it is very important to trap wire cuts, sensor failures etc. If such failures persist for a finite period of time, they must be identified so that proper remedial measures can be taken. An On Delay block, as we named it, can be used for the purpose. This is shown in Fig. 2. Many such blocks were designed, and each block is identified and determined to have separate functionality and its use is limited to the right system.

Fig. 2. Simulink model for On Delay

IV. PIL CO-SIMULATION

The Target Support Package product of MATLAB supports PIL co-simulation, a technique that is designed to evaluate how well a candidate control system operates on the actual target processor selected for the application, and this is the existing concept. Embedded IDE Link lets the user perform component-based testing using Simulink as a test harness. Used with Real-Time Workshop Embedded Coder, Embedded IDE Link creates a PIL testing environment from the Simulink model that serves as the data-exchange interface between the host simulation and the object code executing on the target. The original Simulink model can then be used as an embedded test harness to verify the execution of the code on the target while data is automatically transferred between the code on the target and the model in Simulink. While using Embedded IDE Link software, the following options for PIL co-simulation are available:

- Top-model PIL simulation mode: a complete model can be run as a PIL simulation on a target processor or instruction set simulator.
- Model block PIL simulation mode: PIL co-simulation is used for a model reference component.
- PIL block: a PIL block can be created from one of several Simulink components including a model, a subsystem in a model, or a subsystem in a library.

Fig. 3 shows this approach for a developed On Delay block. The built PIL block runs the MATLAB generated C code on a selected simulator. Here a TMS320C2000 processor board is used as the simulator and all handling was established using Code Composer Studio features. When a subsystem from a model is built for PIL, the process creates a PIL block optimized for PIL co-simulation. While running the simulation, the PIL block acts as the interface between the model and the PIL application running on the processor. The PIL block inherits the shape and signal names from the source subsystem in your model, as shown in the following example. Inheritance is convenient for copying the PIL block into the model to replace the original subsystem for co-simulation. Here, normal operation of the block is tested by setting the required conditions and the result is shown in Fig. 4.


Fig. 3. PIL Co-simulation for code verification



Fig. 4. PIL co-simulation of On Delay

A. Constraints

The above mentioned PIL co-simulation method has many limitations. A few of them are listed below:

- This method can be used for verifying auto generated code only. Auto generated code in turn verifies output of PIL simulation mode. Thus, the test engineer does not have any control over the process once it begins.
- Continuous sample times are not supported.
- This method does not check the Real-Time Workshop error status of the generated code under test. This error status flags exceptional conditions during execution of the generated code. It is a limitation that PIL cannot check this error status and report back errors.
- Scope blocks, and all types of run-time display, such as the display of port values and signal values, have no effect when you specify them in models executing in PIL mode. The result during simulation is the same as if the constructs did not exist.
- It does not support callbacks.
- PIL requires a code interface description file, which is generated during the code generation process for the component under test. If the code interface description file is missing, the PIL simulation cannot proceed and you see an error reporting that the file does not exist.
- The S-function scheduling mechanism that the software uses to execute the PIL component always sets direct feedthrough as true.
- PIL does not correctly transfer "double" data types between host and target, and co-simulation errors occur. This forces the use of the "single" data type in Simulink rather than "double".

These limitations mean that the existing PIL method can introduce algebraic loops that do not exist in normal simulation, leading to incorrect results.

V. PIL USING RTDX

Tests on PIL level are important because they can reveal faults that are caused by the target compiler or by the processor architecture. It is the last integration level which allows debugging during tests in a cheap and manageable way. PIL builds and uses a MEX function to run the PIL simulation block. The idea is to simulate the model (requirement) in parallel with handwritten code running on a specified target or simulator, subjected to the same inputs (test cases).

A. Working with RTDX

RTDX stands for Real Time Data Exchange. RTDX offers continuous bi-directional data exchange in real time with minimal perturbation on the application. Basically it is Texas Instruments' DSP analysis technology. RTDX provides continuous visibility into the way target applications operate in the real world. This helps us to get a realistic view of how the system will work. RTDX and Embedded IDE Link CC provide a communication channel that enables data to be exchanged in real time between MATLAB and the target simulator while the target application is running. System level test benches can be used to compare performance and results of code with the original reference model. Embedded IDE Link CC utilizes the in-process communication and data transfer technology in CCS. As a result, an application can read and write large data sets faster from and to the target. It supports PIL simulation with C2000, C55xx and C6000 processors using the same MATLAB and Simulink test vectors for system design and verification.

RTDX forms a two-way data pipe between a target application and a host client via a combination of hardware and software components, as represented in Fig. 5. RTDX provides the RTDX Configuration Control as a Code Composer plug-in to configure and control RTDX graphically. The RTDX Channel Viewer Control is an ActiveX control that automatically detects target-declared channels and adds them to the viewable list. The RTDX Channel Viewer Control also allows removing or re-adding target-declared channels to the viewable list, and enabling or disabling channels on the list.

Host buffer size is the size in K-bytes of the RTDX Host Library's main buffer. The main buffer stores one message from the target application. This buffer must be larger than the largest message from the target application. All data to be sent to the host is first recorded into a circular buffer declared within the RTDX Target Library. The principle used is the non-blocking read, a type of read request that does not wait for the data to arrive. Instead, control is immediately returned to the target application after sending the read request to the host. The advantage of non-blocking reads is that the target application can perform other tasks while the data is being received from the host. This is what is known as asynchronous behavior. The channel returns to the idle state only after the data arrives. Any attempt to issue successive read requests on an input channel that is already busy returns a failure to the target application.


PIL testing using RTDX yields more confident results at a low level of integration testing. The process was carried out on the C5xx cycle accurate simulator. Most control system blocks, like filters, cannot be checked by injecting random signals, as they treat such signals as noise and reject them. One method is to inject sinusoidal waveforms whose parameters, such as frequency, amplitude, phase and bias, are selected randomly. Fig. 7 shows the simulation result of the Second Order Filter obtained with sinusoidal input. This is important and useful for several reasons: 1) if the input to a linear circuit is a sinusoid, then the output will be a sinusoid at the same frequency, though its amplitude and phase may have changed; 2) any time domain signal can be decomposed via Fourier analysis into a series of sinusoids. Therefore, if there is an easy way to analyze circuits with sinusoidal inputs, the results can be generalized to study the response to any input. The error is found to be negligible and is in the order of 10^-7 to 10^-5. The error cannot be exactly zero numerically for floating point results, due to factors such as variations in floating point math library implementation. In many safety critical blocks, inputs are maintained as a structure during the low level testing process. In the proposed PIL verification method, it is even possible to send data to the host in the form of a structure. This means that data of various lengths can be sent to the host in groups. The only difference is in declaring the inputs and the way they are sent to the host. PIL tests do not run in real time, as Simulink controls the execution of the PIL code on the instruction set simulator. The simulation halts during each sample period while data is transferred to the instruction set simulator. Once the object code completes executing on the simulator, the data is transferred back to the host to resume the host simulation.
Through this approach, the functional differences between the model and the generated and compiled object code can be checked to identify any potential deviations in the performance introduced by the compilation process.
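The Second Order Filter requirement from Section III and the model-versus-code comparison with sinusoidal input described above, as an added C example that is not the authors' code. The coefficients, the single-precision stand-in for the target code, the fixed-rotation sinusoid generator and all function names are assumptions made for illustration.

```c
#include <stdio.h>

/* Constructed coefficients (not from the paper): stable low-pass, unity DC gain.
 * C indices 0..2 correspond to the paper's 1-based Nz(1..3) and Dz(1..3). */
static const double NZ[3] = {0.125, 0.25, 0.125};
static const double DZ[3] = {1.0, -1.0, 0.5};

typedef struct { double pri, ppri, pro, ppro; } ref_state; /* host model  */
typedef struct { float  pri, ppri, pro, ppro; } tgt_state; /* target code */

/* Reference step in double precision, following the stated requirement. */
double ref_step(ref_state *s, double inp, int init) {
    double out;
    if (init > 0) {              /* states and output initialised to input */
        s->pri = s->ppri = s->pro = s->ppro = inp;
        return inp;
    }
    out = NZ[0] * inp + NZ[1] * s->pri + NZ[2] * s->ppri
        - DZ[1] * s->pro - DZ[2] * s->ppro;
    s->ppri = s->pri;  s->pri = inp;
    s->ppro = s->pro;  s->pro = out;
    return out;
}

/* Single-precision stand-in for target code; dz3 lets a wrong Dz(3) be simulated. */
float tgt_step(tgt_state *s, float inp, int init, float dz3) {
    float out;
    if (init > 0) {
        s->pri = s->ppri = s->pro = s->ppro = inp;
        return inp;
    }
    out = (float)NZ[0] * inp + (float)NZ[1] * s->pri + (float)NZ[2] * s->ppri
        - (float)DZ[1] * s->pro - dz3 * s->ppro;
    s->ppri = s->pri;  s->pri = inp;
    s->ppro = s->pro;  s->pro = out;
    return out;
}

/* Feed bias + amplitude*cos(k*theta) to both; return max |model - target|.
 * The sinusoid comes from a fixed rotation (cos 0.8, sin 0.6), so no libm. */
double pil_max_error(double amplitude, double bias, int n, float dz3) {
    ref_state r = {0};
    tgt_state t = {0};
    double x = amplitude, y = 0.0, worst = 0.0;
    for (int k = 0; k < n; k++) {
        double u = bias + x;                       /* stimulus sample */
        double a = ref_step(&r, u, k == 0);
        double b = (double)tgt_step(&t, (float)u, k == 0, dz3);
        double e = a > b ? a - b : b - a, xn = 0.8 * x - 0.6 * y;
        if (e > worst) worst = e;
        y = 0.6 * x + 0.8 * y;                     /* advance the oscillator */
        x = xn;
    }
    return worst;
}

int main(void) {
    printf("matching target: %.3g\n", pil_max_error(1.0, 0.5, 500, 0.5f));
    printf("faulty target:   %.3g\n", pil_max_error(1.0, 0.5, 500, 0.51f));
    return 0;
}
```

With matching coefficients the residual is rounding noise only; a target whose Dz(3) is off by 0.01 produces an error several orders of magnitude larger, which is the kind of deviation the comparison is meant to expose.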

Fig. 5. Two way data pipe

For PIL testing, the Simulink model is an embedded test harness to verify the execution of the code on the target simulator. Thus, the functionality of the Simulink model developed for the Second Order Filter, following the requirements mentioned, was thoroughly studied before getting into the testing. The setup for verification follows the PIL testing process and is shown in Fig. 6. The "Communicate with target via RTDX" block has a construct under the mask as shown in Fig. 7. RTDX Read and RTDX Write are user-definable blocks written using the MATLAB S-Function Application Program Interface. It is required to specify the name of an M-file containing a MATLAB S-Function and a comma-separated list of parameters for these blocks. The RTDX Write block uses the specified RTDX channel to read data from the running target, while RTDX Read uses the specified RTDX channel to write data to the running target.

Fig. 7 PIL test method for Second Order Filter

Fig. 6. Parallel simulation for PIL testing


It is worth noting that applications run more slowly on the simulator than on real hardware. As a result, there is an increased latency between messages that are received. Care is taken that the client application is carefully constructed to deal with these timing issues. Also, in the present RTDX simulator implementation, there is no target buffering of messages. Therefore, there is no need to reconfigure the buffer to accommodate different message sizes.

VI. CONCLUSION

The basic control blocks of a safety critical system/test specimen were developed and tested using random test cases. C code was developed for the control blocks. The generated code from the developed model was verified using PIL co-simulation, a lower level of integration testing process. A generalized test method for ensuring the efficacy of code as per the model based development process is proposed. This is the PIL test method using RTDX for low level testing/debugging in a comparatively easier and faster way. Harnessing the method can enlighten the field of safety critical control testing. In future, the PIL test method has to be extended for a processor board, taking into consideration the real world inputs and noise in quantization.

REFERENCES

[1] Embedded software design for safety critical systems, Knowledge transfer network electronics, Nov. 2009.
[2] Divyesh Divakar, Hariram Selvamurugan, Yogananda Jeppu, Nagaraj Murthy, Manjunath L, Shreesha Chokkadi, "Randomized Testing to Describe the Behaviour of Safety Critical Control Blocks", National Conference on Information Systems, 2011. "unpublished"
[3] Divyesh Divakar, K. Samatha, A. V. Veena Rani, Hariram Selvamurugan, Yogananda Jeppu, Nagaraj Murthy and Shreesha Chokkadi, "Optimization of Test case and Coverage Analysis for Model Based Design", 34th National Systems Conference on System Solutions for Global Challenges: Energy, Environment and Security, 10-12 December 2010. "unpublished"
[4] Johnson, C. W.; Holloway, C. M. "The Dangers of Failure Masking in Fault-Tolerant Software: Aspects of a Recent In-Flight Upset", Event NASA Center: Langley Research Center, Publication Year 2007, Document ID: 20070034017.
