Towards an integrated SE-dependability meta-model
Aalto U. – 2010 CRECOS seminar, Espoo, 19.11.10
Authors: S. Deniaud, É. Bonjour, J.-P. Micaëlli, D. Loise
Affiliations: M3M-INCIS, FEMTO-AS2M, ITUS – EVS, PSA, UTBM, UFC, Univ. Lyon, INSA Lyon
Towards an integrated SE-dependability metamodel
Agenda
• Context and motivation
• Systems Engineering (SE) meta-model
• Dependability meta-model
• Integrated SE-dependability meta-model
• Conclusion
11.11.10
Context and motivation
Context
• Functional design of the powertrain at PSA Peugeot-Citroën
• Hybrid powertrain
• Application of Systems Engineering processes
• Functional safety concept
Motivation
• Better integrate the dependability analyses into the functional architecture design
• Road vehicles – functional safety standard (ISO 26262)
• Define the necessary set of key concepts related to SE and dependability
• BB / WB (black-box / white-box) approach
SE meta-model
[Figure: overview of systems engineering. Source: Wikipedia, "Systems engineering"]
[Figure: SE meta-model, external (black-box) view. Concepts: System, Mission, Operational situation, Environment, Solicitation, External scenario, Operating mode, Control flow, Service, MEI flow, Interface, Constraint, Performance, Requirement. Relations confirmed by the slide text: the System delivers Services and realizes a Mission that takes place in an Operational situation; a Mission is a sequence of Operating modes; the Environment generates Solicitations; an External scenario triggers Control flows; a Control flow activates, controls or triggers a Service; a Service is activated in an Operating mode, transforms MEI flows and has Interfaces that receive/deliver MEI flows; Constraints and Performances are expressed as / quantified by Requirements. Other edge labels in the figure: operates in, has, constrains, delivered by, satisfies.]
Description of mission profiles and operating modes
• A system provides different services in different operational situations
• A mission profile is usually modelled by means of a sequence of operating modes that correspond to stationary states of the system-of-interest
• Within a specific operating mode, different (functions of) services are activated in order to carry out the mission. Transitions from one mode to another are triggered by control flows
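The mode/service/control-flow structure described above can be made executable. The following is an added example, not code from the authors or from PSA: a mission model in which each operating mode activates a set of services and each control flow triggers a transition; replaying an external scenario (a sequence of control flows) yields the mission profile, and a reachability check flags modes that no control flow can ever reach. The hybrid-powertrain mode, service and control-flow names are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

# Added example, not the authors' model: a mission profile is a sequence of
# operating modes, each mode activates a set of services, and a control flow
# triggers the transition from one mode to the next. The hybrid-powertrain
# modes, services and control-flow names are constructed for illustration.

@dataclass
class OperatingMode:
    name: str
    services: FrozenSet[str]  # services activated in this mode
    transitions: Dict[str, str] = field(default_factory=dict)  # control flow -> next mode

class MissionModel:
    def __init__(self, modes: List[OperatingMode], initial: str):
        self.modes = {m.name: m for m in modes}
        if initial not in self.modes:
            raise ValueError(f"unknown initial mode {initial!r}")
        self.initial = initial
        for m in modes:  # every transition must target a declared mode
            for cf, target in m.transitions.items():
                if target not in self.modes:
                    raise ValueError(f"{m.name}: control flow {cf!r} targets undeclared mode {target!r}")

    def replay(self, control_flows: List[str]) -> Tuple[List[Tuple[str, List[str]]], List[Tuple[str, str]]]:
        """Replay an external scenario given as a sequence of control flows.
        Returns the resulting mission profile as (mode, activated services)
        pairs, plus the control flows that had no transition in the mode in
        which they arrived (the model does not cover them in that mode)."""
        current = self.modes[self.initial]
        profile = [(current.name, sorted(current.services))]
        rejected: List[Tuple[str, str]] = []
        for cf in control_flows:
            target = current.transitions.get(cf)
            if target is None:
                rejected.append((current.name, cf))
                continue
            current = self.modes[target]
            profile.append((current.name, sorted(current.services)))
        return profile, rejected

    def unreachable_modes(self) -> List[str]:
        """Modes that no sequence of control flows can reach from the initial
        mode: either dead model elements or missing transitions."""
        seen, todo = set(), [self.initial]
        while todo:
            name = todo.pop()
            if name in seen:
                continue
            seen.add(name)
            todo.extend(self.modes[name].transitions.values())
        return sorted(set(self.modes) - seen)

# Constructed hybrid-powertrain modes, services and control flows (assumptions).
HYBRID = MissionModel(
    modes=[
        OperatingMode("Standby", frozenset({"monitor_battery"}),
                      {"key_on": "ElectricDrive"}),
        OperatingMode("ElectricDrive", frozenset({"monitor_battery", "drive_electric"}),
                      {"high_torque_demand": "HybridDrive", "brake": "Regeneration", "key_off": "Standby"}),
        OperatingMode("HybridDrive", frozenset({"monitor_battery", "drive_electric", "drive_engine"}),
                      {"low_torque_demand": "ElectricDrive", "brake": "Regeneration"}),
        OperatingMode("Regeneration", frozenset({"monitor_battery", "recover_energy"}),
                      {"brake_release": "ElectricDrive", "key_off": "Standby"}),
        OperatingMode("Workshop", frozenset({"diagnose"}), {}),  # no control flow leads here
    ],
    initial="Standby",
)

if __name__ == "__main__":
    profile, rejected = HYBRID.replay(["key_on", "high_torque_demand", "brake", "key_off"])
    for mode, services in profile:
        print(f"{mode}: {', '.join(services)}")
    print("rejected control flows:", rejected)
    print("unreachable modes:", HYBRID.unreachable_modes())
```

Replaying a scenario against the model is the cheap consistency check for this slide: a rejected control flow means the external scenario exercises a transition the mode model does not define, and an unreachable mode means the mission profile can never enter it.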
Description of external scenarios
• External scenarios (or use scenarios, exchange scenarios) represent the answers that the system (black box) provides to solicitations generated by (the entities of) the environment
• These scenarios trigger control flows of the operation of the system
• External scenarios are usually modelled as a sequence of flows between the system and its environment according to the operational conditions
• External scenarios describe both nominal and degraded operation, within the phases of the system lifecycle: start-up, use, maintenance, etc.
External functional analysis
• Services correspond to transformations of MEI flows (Material, Energy, Information). They are activated, controlled or triggered by control flows. They have interfaces with the environment, which are characterized by functional interface requirements.
• A system is scoped by defining its boundary and its interfaces; this means choosing which entities are inside the system and which are outside, as part of the environment.
Definition of system requirements (or technical requirements)
• The initial specifications of the system are gradually supplemented and/or translated into technical requirements. The analysis of the expected services provides functional requirements
• The study of both the missions and the solicitations also provides functional requirements (including interfaces) and non-functional requirements (e.g. operational requirements, physical interface requirements, constraints)
• In each operating mode, services are characterized by performance requirements
Internal functional analysis
• The internal functional analysis breaks up each service (or function of service) into a tree structure of internal functions and control functions
[Figure: SE meta-model, internal (white-box) view. Concepts: External scenario, Internal scenario, Operating mode (of the system and of the sub-system), Service, Requirement, Function, Internal function, Control function, Control flow, MEI flow, Interface, Sub-system. Edge labels: is allocated to; is decomposed in; is activated in an (operating mode); operates in; is grouped in; refine (internal scenarios refine external scenarios, sub-system operating modes refine system operating modes); triggers; activates, controls, triggers; transforms; is a (internal function and control function are functions); has (interface); receives, delivers (MEI flow); describes the behaviour.]
Functional architecture
• The functional architecture represents the logical and temporal sequence of the internal functions that are activated/triggered/controlled by control flows. These control flows are either external (flows exchanged with external entities, considering that the system is encompassed in a larger system) or internal (flows within the system)
• Each internal function transforms MEI flows and has interfaces, either with other internal functions or with the environment
• The analysis of the interfaces of the internal functions results in gathering them into subsystems. The interfaces of the subsystems are then identified
Internal scenarios
• Internal scenarios refine external scenarios by revealing the answers that the subsystems provide to the solicitations generated by (the entities of) the environment and by the other subsystems. These solicitations trigger control flows of the operation of the subsystems
• Internal scenarios are modelled as a sequence of flows (MEI, control) between the subsystems and with the environment according to the operational conditions
• Each subsystem presents various operating modes, which come both from a refinement of the operating modes of the system and from an enrichment resulting from the investigation of functional architectures
• An ideal functional architecture is then obtained
Design architecture
• The granularity of the internal functions should make it possible to allocate each of them to one and only one component
• The whole set of internal functions is analyzed and organized to highlight the operation of the various components (physical resources). The physical choices may result either in defining new, induced functions or in breaking up some functions
• The functional architecture is then refined, which enables the design of an allocated functional architecture. Each subsystem is then regarded as a dynamic fitting of internal functions and components, and is in its turn seen as a black box
• All the design results obtained are used as a basis for drafting the specifications of each subsystem
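Two rules on these slides lend themselves to a mechanical check: the functional-architecture slide derives subsystem interfaces from the interfaces of the internal functions, and the design-architecture slide requires every internal function to be allocated to one and only one component. The following is an added example, not the authors' or PSA's code, that implements both checks over a small allocated functional architecture; the function, component and flow names are constructed for illustration.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Added example, not the authors' model: internal functions exchange MEI flows,
# and an allocation maps each internal function to exactly one component.
# Function, component and flow names below are constructed for illustration.

Flow = Tuple[str, str, str]  # (source function, destination function, flow name)

def check_allocation(functions: Set[str], allocation: Dict[str, List[str]]) -> List[str]:
    """Check the design-architecture rule that every internal function is
    allocated to one and only one component. Returns one message per
    violation; an empty list means the allocation is consistent."""
    owners: Dict[str, List[str]] = defaultdict(list)
    for component, funcs in allocation.items():
        for f in funcs:
            owners[f].append(component)
    problems = []
    for f in sorted(functions):
        n = len(owners.get(f, []))
        if n == 0:
            problems.append(f"{f}: not allocated to any component")
        elif n > 1:
            problems.append(f"{f}: allocated to {n} components ({', '.join(sorted(owners[f]))})")
    for f in sorted(set(owners) - functions):
        problems.append(f"{f}: allocated but not a declared internal function")
    return problems

def subsystem_interfaces(flows: List[Flow], allocation: Dict[str, List[str]]):
    """Lift function-level interfaces to the component (subsystem) level.
    A flow between functions allocated to different components becomes an
    interface of that component pair; a flow between functions of the same
    component stays internal to it. Requires a consistent allocation."""
    owner = {f: c for c, fs in allocation.items() for f in fs}
    external: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    internal: Dict[str, Set[str]] = defaultdict(set)
    for src, dst, name in flows:
        if src not in owner or dst not in owner:
            raise ValueError(f"flow {name!r}: {src!r} or {dst!r} is not allocated")
        if owner[src] == owner[dst]:
            internal[owner[src]].add(name)
        else:
            external[(owner[src], owner[dst])].add(name)
    return ({k: sorted(v) for k, v in external.items()},
            {k: sorted(v) for k, v in internal.items()})

# Constructed torque-control functions of a hybrid powertrain (assumptions).
FUNCTIONS = {"measure_pedal", "compute_torque_request", "split_torque",
             "control_motor", "control_engine", "monitor_battery"}

FLOWS: List[Flow] = [  # all information flows in this constructed example
    ("measure_pedal", "compute_torque_request", "pedal_position"),
    ("compute_torque_request", "split_torque", "torque_request"),
    ("monitor_battery", "split_torque", "battery_state"),
    ("split_torque", "control_motor", "motor_torque_setpoint"),
    ("split_torque", "control_engine", "engine_torque_setpoint"),
]

GOOD_ALLOCATION = {
    "pedal_sensor": ["measure_pedal"],
    "hybrid_control_unit": ["compute_torque_request", "split_torque"],
    "motor_inverter": ["control_motor"],
    "engine_ecu": ["control_engine"],
    "battery_management": ["monitor_battery"],
}

# Two violations: monitor_battery is unallocated, control_motor has two owners.
BAD_ALLOCATION = {
    "pedal_sensor": ["measure_pedal"],
    "hybrid_control_unit": ["compute_torque_request", "split_torque"],
    "motor_inverter": ["control_motor"],
    "engine_ecu": ["control_engine", "control_motor"],
}

if __name__ == "__main__":
    for problem in check_allocation(FUNCTIONS, BAD_ALLOCATION):
        print("bad allocation:", problem)
    ext, internal = subsystem_interfaces(FLOWS, GOOD_ALLOCATION)
    for (src, dst), names in sorted(ext.items()):
        print(f"subsystem interface {src} -> {dst}: {', '.join(names)}")
    print("internal flows:", internal)
```

Running the allocation check before lifting interfaces matters: with a function allocated to two components, the lifted interface set is ambiguous, which is why subsystem_interfaces refuses an inconsistent allocation instead of guessing an owner.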
[Figure: SE meta-model, internal view extended with the design architecture. Same concepts and edge labels as the previous figure, plus the concepts Component, Port and Link and the edge labels: is allocated to (internal function to component), is materialized by, has (port), connects (link).]
[Figure: complete SE meta-model, combining the external view (System, Mission, Operational situation, Environment, Solicitation, External scenario, Operating mode, Control flow, Service, MEI flow, Interface, Constraint, Performance, Requirement) and the internal view (Internal function, Control function, Function, Internal scenario, Sub-system, Component, Port, Link) shown on the previous slides.]
Dependability meta-model based on ISO 26262
Dependability concepts
[Figure: dependability concepts. Dependability attributes: Safety, Availability, Maintainability (Diagnosticability, Reparability), Reliability, Durability. Other labels: requirements; functional safety concept; Functional architecture; Design architecture; Systems Engineering.]
ISO 26262-2 process: safety lifecycle
• Quantitative demonstration of the safety goals
• Traceability of the safety requirements
• Safety requirements V&V by modeling and testing
[ISO 26262-2]
Failure propagation ⇒ recursivity
[Figure: system S composed of sub-systems SS1, SS2, SS3 and SS4; SS1 contains the functions F1 and F2]
• fault (latent error) in F1 ⇒ (effective) error in F1
• F1 failure ⇒ interface error between F1 and F2 ⇒ error in SS1 (latent, then effective)
• SS1 failure ⇒ interface error between SS1 and SS2 ⇒ error in SS2
• … ⇒ S failure
Labels of the worked example in the figure: oil seal, oil leakage, failure in the turbo, overload, S failure
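The recursion on this slide (a fault becomes an effective error only when its function is activated, a failure is an interface error for whatever the failed element delivers to, and an error inside a sub-system becomes a failure of that sub-system at the next level up) can be written as a small propagation model. The following is an added example, not the authors' model or PSA's tool: the element names follow the slide (F1, F2, SS1 to SS4, S), while the interfaces between them and the set of activated elements are assumptions made for the illustration; the oil-seal/turbo chain of the slide is not reproduced.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Added example, not the authors' model: a recursive fault -> error -> failure
# propagation over a hierarchy of functions and sub-systems. Element names
# follow the slide (F1, F2, SS1..SS4, S); the interfaces between them and the
# set of activated elements are assumptions made for the illustration.

@dataclass
class Element:
    name: str
    parent: Optional[str] = None
    delivers_to: List[str] = field(default_factory=list)  # same-level elements fed by this one
    output: bool = False  # True if its delivered flow crosses its parent's boundary

class FailureModel:
    def __init__(self, elements: List[Element]):
        self.elements = {e.name: e for e in elements}
        for e in elements:  # every interface and parent must refer to a declared element
            for ref in e.delivers_to + ([e.parent] if e.parent else []):
                if ref not in self.elements:
                    raise ValueError(f"{e.name}: unknown element {ref!r}")

    def propagate(self, fault_in: str, activated: Set[str]) -> Tuple[List[str], Set[str]]:
        """Inject a fault into one element and follow its consequences.
        An error stays latent while its element is not activated in the current
        operating mode; once effective it becomes a failure, which is an
        interface error for every element the failed one delivers to, and an
        error of the parent if the failed flow crosses the parent's boundary.
        Returns the propagation trace and the set of failed elements."""
        trace: List[str] = [f"fault in {fault_in}"]
        failed: Set[str] = set()

        def error(name: str, cause: str) -> None:
            if name not in activated:
                trace.append(f"latent error in {name} ({cause})")
                return
            if name in failed:  # already failed: do not loop over cyclic interfaces
                return
            trace.append(f"error in {name} ({cause})")
            failed.add(name)
            trace.append(f"{name} failure")
            element = self.elements[name]
            for target in element.delivers_to:
                error(target, f"interface error between {name} and {target}")
            if element.output and element.parent is not None:
                error(element.parent, f"erroneous output of {name}")

        error(fault_in, "fault")
        return trace, failed

# Constructed hierarchy: S contains SS1..SS4, SS1 contains F1 and F2.
MODEL = FailureModel([
    Element("S"),
    Element("SS1", parent="S", delivers_to=["SS2"]),
    Element("SS2", parent="S", delivers_to=["SS3"]),
    Element("SS3", parent="S", output=True),
    Element("SS4", parent="S"),
    Element("F1", parent="SS1", delivers_to=["F2"]),
    Element("F2", parent="SS1", output=True),
])

ALL_ACTIVE = {"S", "SS1", "SS2", "SS3", "SS4", "F1", "F2"}

if __name__ == "__main__":
    trace, failed = MODEL.propagate("F1", ALL_ACTIVE)
    print("\n".join(trace))
    print("failed elements:", sorted(failed))
    # The same fault in a mode where SS2 is not activated stops at a latent error.
    trace, _ = MODEL.propagate("F1", ALL_ACTIVE - {"SS2"})
    print(trace[-1])
```

The activated set is what ties this back to the operating modes of the SE meta-model: the same fault in F1 reaches S in one mode and stays a latent error in another, which is exactly the per-mode reasoning a functional safety concept has to make explicit.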
Conclusion
[Figure: positioning of the work between Systems Engineering and Dependability, along Product / Process. Labels: (a) SysML model-based dependability SE; (b) Integrated SE-Dependability; (c) SysML-based dependability; Nonfunctional approach; Ontology; Object-based Modeling.]