Page 1

Towards an integrated SE-dependability meta-model

S. DENIAUD É. BONJOUR J.-P. MICAËLLI D. LOISE

M3M-INCIS FEMTO-AS2M ITUS – EVS PSA

UTBM UFC Univ. Lyon, INSA Lyon

Aalto U. – 2010 CRECOS seminar, Espoo, 19.11.10

Page 2

Agenda

Context and motivation

Systems Engineering (SE) meta-model

Dependability meta-model

Integrated SE-dependability meta-model

Conclusion

11.11.10

Page 3

Context and motivation

Context

• Functional design of powertrain at PSA Peugeot-Citroën

• Hybrid powertrain

• Application of Systems Engineering processes

• Functional safety concept

Motivation

• Better integrate the dependability analyses into the functional architecture design

• Road vehicles – Functional safety standard (ISO 26262)

• Define the necessary set of key concepts related to SE and dependability

• BB / WB approach


Page 4

SE meta-model

Source: Wikipedia about systems engineering

Page 5

Description of mission profiles and operating modes

• A system provides different services in different operational situations

• A mission profile is usually modelled as a sequence of operating modes that correspond to stationary states of the system-of-interest

• Within a specific operating mode, different (functions of) services are activated in order to carry out the mission. Transitions from one mode to another are triggered by control flows


[Diagram: SE meta-model, external (black-box) view, repeated on pages 5 to 8. Concepts: Operational situation, Mission, Operating mode, Solicitation, Control flow, Environment, System, Service, MEI flow, Interface, Constraint, Performance, Requirement, External scenario. Edge labels: activates/controls/triggers, transforms, is activated in, delivers service, delivered by, satisfies, realizes, has, is quantified by, constrains, generates, receives/delivers, is expressed as, is a sequence of, operates in, takes place in.]

Page 6

Description of external scenarios

• External scenarios (or use scenarios, exchange scenarios) represent the answers that the system (black box) provides to solicitations generated by (the entities of) the environment

• These scenarios trigger control flows of the operation of the system

• External scenarios are usually modelled as a sequence of flows between the system and its environment according to the operational conditions

• External scenarios describe the nominal operation and the degraded operation, within the phases of the system lifecycle: startup, use, maintenance, etc.



Page 7

External functional analysis

• Services correspond to transformations of MEI flows (Material, Energy, Information). They are activated, controlled or triggered by control flows. They have interfaces with the environment, which are characterized by functional interface requirements.

• A system is scoped by defining its boundary and its interfaces; this means choosing which entities are inside the system and which are outside, as part of the environment.



Page 8

Definition of system requirements (or technical requirements)

• The initial specifications of the system are gradually supplemented and/or translated into technical requirements. The analysis of the expected services provides functional requirements

• The study of both the missions and the solicitations also provides functional requirements (including interfaces) and non-functional requirements (e.g. operational requirements, physical interface requirements, constraints)

• In each operating mode, services are characterized by performance requirements
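The following Python model is an added example, not part of the original slides: it encodes the external (black-box) concepts of pages 5 to 8 (a mission profile as a sequence of operating modes, services activated per mode, mode transitions triggered by control flows, external scenarios as sequences of solicitations from the environment) and replays a nominal and a degraded scenario against a constructed hybrid-powertrain model. Every mode, service and control-flow name is an assumption made for illustration.

```python
"""Added example, not from the original slides: the external (black-box) view of
the SE meta-model on pages 5 to 8 as a small executable model. A mission profile
is a sequence of operating modes; in each mode only some services are activated;
transitions between modes are triggered by control flows; an external scenario is
a sequence of solicitations from the environment that the system must answer.
All mode, service and control-flow names below are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple


@dataclass
class OperatingMode:
    name: str
    services: FrozenSet[str]                                   # services activated in this mode
    transitions: Dict[str, str] = field(default_factory=dict)  # control flow -> next mode


@dataclass
class SystemModel:
    modes: Dict[str, OperatingMode]
    initial: str


# A solicitation from the environment is either a request for a service
# ("service", name) or a control flow that may trigger a mode change ("control", name).
Solicitation = Tuple[str, str]


def build_demo_model() -> SystemModel:
    """Constructed hybrid-powertrain model: two nominal modes and one degraded mode."""
    modes = [
        OperatingMode("electric", frozenset({"propel", "regenerate"}),
                      {"battery_low": "hybrid", "fault_detected": "limp_home"}),
        OperatingMode("hybrid", frozenset({"propel", "regenerate", "charge_battery"}),
                      {"battery_full": "electric", "fault_detected": "limp_home"}),
        OperatingMode("limp_home", frozenset({"propel_limited"}),
                      {"fault_cleared": "electric"}),
    ]
    return SystemModel({m.name: m for m in modes}, initial="electric")


def replay_scenario(model: SystemModel, scenario: List[Solicitation]):
    """Replay an external scenario against the model.

    Returns (profile, violations): the mission profile, i.e. the sequence of
    operating modes the scenario drives the system through, and the list of
    (step, mode, name) for solicitations the system cannot answer in that mode:
    a service that is not activated there, or a control flow with no transition.
    """
    mode = model.modes[model.initial]
    profile = [mode.name]
    violations: List[Tuple[int, str, str]] = []
    for step, (kind, name) in enumerate(scenario):
        if kind == "service":
            if name not in mode.services:
                violations.append((step, mode.name, name))
        elif kind == "control":
            target = mode.transitions.get(name)
            if target is None:
                violations.append((step, mode.name, name))
            else:
                mode = model.modes[target]
                profile.append(mode.name)
        else:
            raise ValueError(f"unknown solicitation kind: {kind!r}")
    return profile, violations


# Constructed scenarios: nominal operation, then degraded operation (page 6).
NOMINAL_SCENARIO: List[Solicitation] = [
    ("service", "propel"), ("control", "battery_low"), ("service", "charge_battery"),
    ("control", "battery_full"), ("service", "regenerate"),
]
DEGRADED_SCENARIO: List[Solicitation] = [
    ("control", "fault_detected"), ("service", "propel_limited"),
    ("service", "charge_battery"),   # not activated in limp-home mode -> violation
]

if __name__ == "__main__":
    model = build_demo_model()
    for label, scenario in (("nominal", NOMINAL_SCENARIO), ("degraded", DEGRADED_SCENARIO)):
        profile, violations = replay_scenario(model, scenario)
        print(label, "->", " > ".join(profile), "| violations:", violations)
```

The replay makes the meta-model's relations checkable: the mission profile is derived rather than declared, and a scenario that asks for a service outside the current operating mode (or a control flow with no defined transition) is reported as a violation, which is exactly the kind of gap between external scenarios and operating modes that the degraded-operation analysis on page 6 has to expose.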


Page 9

Internal functional analysis

• The internal functional analysis breaks up each service (or function of service) into a tree structure of internal functions and control functions

[Diagram: SE meta-model, internal view, repeated on pages 9 to 12. Concepts: Operating mode, Service, Operating mode / sub-system, Function, Interface, Control flow, MEI flow, Requirement, Internal function, Control function, Internal scenario, External scenario. Edge labels: is allocated to, is grouped in, has, activates/controls/triggers, transforms, is activated in an, is decomposed in, refines, is a, triggers, operates in, describes the behaviour, activates, receives/delivers.]

Page 10

Functional architecture

• The functional architecture represents the logical and temporal sequence of the internal functions that are activated/triggered/controlled by control flows. These control flows are either external (flows exchanged with external entities, considering that the system is encompassed in a larger system) or internal (flows within the system)

• Each internal function transforms MEI flows and has interfaces, either with other internal functions or with the environment

• The analysis of the interfaces of the internal functions results in gathering them into subsystems. The interfaces of the subsystems are then identified


Page 11

Internal scenarios

• Internal scenarios refine external scenarios by revealing the answers which the subsystems provide to the solicitations generated by (the entities of) the environment and the other subsystems. These solicitations trigger control flows of the operation of the subsystems

• Internal scenarios are modelled as a sequence of flows (MEI, control) between the subsystems and with the environment according to the operational conditions

• Each subsystem presents various operating modes, which come both from a refinement of the operating modes of the system and from an enrichment that results from the investigation of functional architectures

• An ideal functional architecture is then obtained


Page 12

Design architecture

• The granularity of the internal functions should make it possible to allocate each of them to one and only one component

• The whole set of internal functions is analyzed and organized to highlight the operation of the various components (physical resources). The physical choices may result either in defining new (induced) functions or in breaking up some functions

• The functional architecture is then refined and makes it possible to design an allocated functional architecture. Each subsystem is then regarded as a dynamic assembly of internal functions and components, and is in its turn seen as a black box

• All the design results obtained are used as a basis for drafting the specifications of each subsystem
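An added example (not the authors' code) of two checks that pages 10 and 12 state in words: every internal function must be allocated to one and only one component, and once internal functions are gathered into subsystems, the subsystem interfaces are the flows whose endpoints lie in different subsystems or cross the system boundary. The internal functions, flows, subsystems and components are assumptions constructed for illustration.

```python
"""Added example, not the authors' code: two of the checks that pages 10 and 12
state in words. (1) Every internal function must be allocated to one and only one
component. (2) Once internal functions are gathered into subsystems, the
subsystem interfaces are the flows whose endpoints lie in different subsystems or
cross the system boundary; flows inside a subsystem stay hidden in its black box.
Functions, flows, subsystems and components are constructed for illustration."""
from typing import Dict, List, Set, Tuple

ENV = "ENV"  # the environment, i.e. everything outside the system boundary

# (source, destination, flow name, kind); kind is MEI (material/energy/information) or control
Flow = Tuple[str, str, str, str]

DEMO_FLOWS: List[Flow] = [
    (ENV, "manage_torque_request", "accelerator_pedal", "control"),
    ("monitor_battery", "manage_torque_request", "state_of_charge", "information"),
    ("manage_torque_request", "control_electric_motor", "motor_torque_setpoint", "information"),
    ("manage_torque_request", "control_engine", "engine_torque_setpoint", "information"),
    ("control_electric_motor", ENV, "traction_torque", "energy"),
]

# Grouping of internal functions into subsystems (page 10).
DEMO_SUBSYSTEMS: Dict[str, Set[str]] = {
    "supervisor": {"manage_torque_request", "monitor_battery"},
    "e_drive": {"control_electric_motor"},
    "engine": {"control_engine"},
}

# Allocation of internal functions to components (page 12). Two entries deliberately
# violate the one-and-only-one rule: a function split over two components and one
# that is not allocated at all.
DEMO_ALLOCATION: Dict[str, List[str]] = {
    "manage_torque_request": ["hybrid_control_unit"],
    "monitor_battery": ["hybrid_control_unit", "battery_management_unit"],
    "control_electric_motor": ["inverter"],
    "control_engine": [],
}


def allocation_violations(allocation: Dict[str, List[str]]) -> List[str]:
    """Functions whose allocation is not exactly one component (sorted for stable output)."""
    return sorted(f for f, comps in allocation.items() if len(comps) != 1)


def ungrouped_functions(flows: List[Flow], subsystems: Dict[str, Set[str]]) -> List[str]:
    """Functions referenced by a flow but placed in no subsystem."""
    grouped = {f for members in subsystems.values() for f in members}
    referenced = {end for src, dst, _, _ in flows for end in (src, dst)} - {ENV}
    return sorted(referenced - grouped)


def subsystem_interfaces(flows: List[Flow], subsystems: Dict[str, Set[str]]) -> Set[Flow]:
    """Interfaces of the subsystems: flows crossing a subsystem or system boundary,
    rewritten in terms of subsystems (ENV stays ENV)."""
    missing = ungrouped_functions(flows, subsystems)
    if missing:
        raise ValueError(f"functions not gathered in any subsystem: {missing}")
    owner = {f: s for s, members in subsystems.items() for f in members}
    owner[ENV] = ENV
    return {(owner[src], owner[dst], name, kind)
            for src, dst, name, kind in flows if owner[src] != owner[dst]}


if __name__ == "__main__":
    print("allocation violations:", allocation_violations(DEMO_ALLOCATION))
    for iface in sorted(subsystem_interfaces(DEMO_FLOWS, DEMO_SUBSYSTEMS)):
        print("subsystem interface:", iface)
```

The intra-subsystem flow (state of charge from the battery monitor to the torque supervisor) disappears from the result, which is what "seen in its turn as a black box" means in practice; the four remaining flows are the ones the subsystem specifications of the last bullet have to carry as interface requirements.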

[Diagram: the internal view of pages 9 to 11 extended with the design-architecture concepts Component, Port and Link. Edge labels on the added part: has, connects, is allocated to, is materialized by.]

Page 13

[Diagram: integrated SE meta-model combining the external view (pages 5 to 8), the internal view (pages 9 to 11) and the design-architecture concepts Component, Port and Link (page 12).]

Page 14

Dependability meta-model

based on ISO 26262

Page 15

Dependability concepts

[Diagram: concept map. Dependability attributes: Reliability, Maintainability, Availability, Safety, Diagnosticability, Reparability, Durability, … Systems Engineering side: Functional architecture, Design architecture, requirements, functional safety concept, with the attributes Safety, Availability, Diagnosticability, Reparability, …]

Page 16

ISO 26262-2 process: safety lifecycle

• Quantitative demonstration of the safety goals

• Traceability of the safety requirements

• Safety requirements V&V by modeling and testing

[Figure: safety lifecycle, ISO 26262-2]

Page 17

Failure propagation (recursivity)

[Figure: a System (S) made of sub-systems SS1, SS2, SS3 and SS4; Sub-System 1 (SS1) contains the functions F1 and F2. The illustration used is an oil seal failure leading to oil leakage in the turbo and an overload.]

Propagation chain shown in the figure:

fault (latent error) in F1 → (effective) error in F1 → F1 failure → interface error between F1 and F2 → error in SS1 (latent then effective) → SS1 failure → interface error between SS1 and SS2 → error in SS2 → S failure
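The chain on this page is recursive: a failure at one level is an error at the level above, and it also crosses the interface to the next element at the same level. The following Python model is an added example, not from the original slides; the element names F1, F2, SS1, SS2 and S follow the figure, while the "barrier" (a safety mechanism that detects and contains an error before it becomes a failure) is an assumption of this example, not something the figure shows.

```python
"""Added example, not from the original slides: the failure-propagation chain of
page 17 as a small recursive model. An element's failure becomes (a) an interface
error toward the elements it feeds at the same level and (b) an error in the
enclosing element, which in turn fails, and so on up to the system. The element
names F1, F2, SS1, SS2, S follow the figure; the "barrier" (a safety mechanism
that detects and contains an error) is an assumption of this example."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set


@dataclass
class Hierarchy:
    parent: Dict[str, str]            # element -> enclosing element (absent for the system)
    interfaces: Dict[str, List[str]]  # element -> elements it feeds at the same level


def build_demo() -> Hierarchy:
    """System S = {SS1, SS2, SS3, SS4}; SS1 = {F1, F2}; F1 feeds F2; SS1 feeds SS2 (page 17)."""
    return Hierarchy(
        parent={"F1": "SS1", "F2": "SS1", "SS1": "S", "SS2": "S", "SS3": "S", "SS4": "S"},
        interfaces={"F1": ["F2"], "SS1": ["SS2"]},
    )


def propagate(h: Hierarchy, faulty: str, barriers: FrozenSet[str] = frozenset()) -> List[str]:
    """Return the ordered chain of events that a fault in `faulty` produces.

    `barriers` names elements whose error is detected and contained (assumed safety
    mechanism): propagation stops there instead of turning into a failure.
    """
    events = [f"fault (latent error) in {faulty}", f"effective error in {faulty}"]
    failed: Set[str] = set()

    def fail(elem: str) -> None:
        if elem in failed:          # guard against cyclic hierarchies
            return
        if elem in barriers:
            events.append(f"error in {elem} detected and contained")
            return
        failed.add(elem)
        events.append(f"{elem} failure")
        # (a) the failure is an interface error for every element fed at this level
        for succ in h.interfaces.get(elem, []):
            events.append(f"interface error between {elem} and {succ}")
            events.append(f"error in {succ}")
        # (b) the failure is an error in the enclosing element, which fails in turn
        parent = h.parent.get(elem)
        if parent is not None:
            events.append(f"error in {parent} (latent then effective)")
            fail(parent)

    fail(faulty)
    return events


def failed_elements(h: Hierarchy, faulty: str, barriers: FrozenSet[str] = frozenset()) -> Set[str]:
    """Elements that end up in the failure state for a fault in `faulty`."""
    suffix = " failure"
    return {e[:-len(suffix)] for e in propagate(h, faulty, barriers) if e.endswith(suffix)}


if __name__ == "__main__":
    demo = build_demo()
    for event in propagate(demo, "F1"):
        print(event)
    print("failed:", sorted(failed_elements(demo, "F1")))
    print("failed with barrier at SS1:", sorted(failed_elements(demo, "F1", frozenset({"SS1"}))))
```

Without a barrier the model reproduces the figure's chain up to the system failure; placing a barrier at SS1 stops the chain at "error in SS1 detected and contained", which is the level at which a functional safety concept would have to place a safety mechanism to keep a single function fault from becoming a system failure.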

Page 18

Conclusion

Page 19

Conclusion

[Diagram relating Systems Engineering, Dependability and Object-based Modeling; labelled regions: (a) SysML, (b) Integrated SE-Dependability, (c) SysML-based dependability, Model-based Dependability; further labels: Product, Process, Non-functional approach, Ontology, SE.]

