Safety Critical Computer Control Systems

1
Safety Critical Computer Control Systems

• Architecture and Safety in a Future Flight
  Control System
• A JAS 39 Gripen Case Study
• 2002-10-03
• Jan Torin Chalmers

2
Outline

• Flight Control Systems, FCS, evolution 1945
  1990
• Requirements and conceptual FCS for JAS 39 Gripen
• Next generation architecture of flight control
  systems
• Future Technology for Flight Control Systems
• Distributed Architecture Analysis
• Present conclusions

3
Next generation architecture of flight control
systems
4
Project Starting point
Study how the Flight Control System of JAS 39
Gripen should be designed with technology of year
2010 and distributed control.
Sub Projects
5
(No Transcript)
6
CENTRALISERAT SYSTEM (DAGENS GRIPEN)
S
Dator
Ställdon
S
Dator
Sensorer
Dator
Ställdon
S
Styrautomat
DISTRIBUERAT SYSTEM
S
Dator
Dator
Ställdon
Sensorer
Dator
Ställdon
S
Dator
7
FÖRDELAR MED DISTRIBUERAD ARKITEKTUR

• Lägre utvecklingskostnad
• - Generiska byggblock som produceras i större
  serier
• - Digitala gränsnitt medger att en stor del av
  utprovningen
• kan ske hos underleverantören
• - Enklare systemintegration/systemtest
• Lägre underhållskostnad
• - Säkrare felutpekning
• Minskat antal utbytesenheter då samma nod
• passar på fler ställen

8
FÖRDELAR FORTSÄTTNING

• Flexibel design
• Systemet kan uppgraderas efter hand med fler
  noder utan att hårdvaran behöver omkonstrueras
• Säkrare system
• Då ingen kritisk nod finns ökar systemets
  skadetålighet
• Den fysiska separationen mellan noder gör att fel
  inte lika lätt fortplantar sig i systemet
• Tillförlitligheten hos noden ökar då redundans
  och felhantering kan byggas in
• Färre felmoder i systemet vilket minskar
  systemets komplexitet

9
Future Technologyfor Flight Control Systems

• OUTLINE
• Evolution of microelectronics
• Computer Architecture
• MicroElectroMecanical Systems
• Node Technology
• Inter Node Communication
• Conclusions

10
Forecasting

• I think there are a world market for about five
  computers, Thomas J Watson Sr, IBM, 1943
• There are no reasons for any individuals to
  have a computer in their home, Ken Olson, Dig.
  Equip., 1977
• The current rate of progress cannot continue
  much longer, various computer technologists,
  1950
• The increase in performance of microelectronics
  is doubled every 18th month, and each function is
  getting cheaper Gordon Moore, Intel, 1965
• International Technology Roadmap for
  Semiconductors
• ITRS99

11
Evolution of Commercial Microelectronics
12
Special requirements in avionics

• MATURE NOT IN TECHNOLOGY FRONT AND EXPENSIVE
• High Quality Production
• Reviews
• Life time tests
• Long procure time
• Radiation
• Reviews
• Tests
• Knowledge
• Single Event Effects, SEE
• Environmental Stress
• Increased temperature range (250 Mhz
  switching speed)
• EMC (difficult to control the level of
  interference)
• Mechanical stress

For design 2010 US 3000 250 MHz 100 times more
expensive 10 times slower
13
Computer Architecture Trends
Present proposals for future billion-transistor
computers Future embedded system computers
Desktop uniprocessors for technical
applications Multiprocessor servers for
transaction processing Large continuous
data-processing capability

• Harsh environment tolerance
• Low power dissipation
• Large temperature tolerance (no cooling)
• Fast task switching

14
Computer on a Chip

• Custom designed high performance chip
• Super PowerPC (90 M transistors, 250 MHz) I/O
• 2 MB SRAM (12 ns), 30 MB Flash

ASIC designed special purpose chip PowerPC (130
MHz), 1 Mgates logic, 1 MB SRAM, 10 MB flash
FPGA designed special purpose chip Real-time
processor (100MHz), 50 kgates, 250 kB SRAM, 2 MB
flash
15
MicroElectroMechanical Systems

• Mechanical structures, fabricated using micro
  fabrication techniques developed by semiconductor
  industry.

PERFORMS Sensing, actuating, regulation,
switching etc.
DISTINCTIONS FROM SEMICONDUCTOR FABRICATION
- Process MEMS in µm micro electronic in
nm MEMS wafers non-planar MEMS removing
material from both sides - Design
simulation tools - End-stage
production MEMS packaging allows interaction
with environment. µ-electronic packaging
sealing from environment.
16
Intelligent sensor node
17
Smart actuator node
18
Inter node communication
Q1 LOWEST FAILURE RATE Q2 LOWEST COST
-Electrical connection better than optical
connection (RF connection?)
Q3 MINIMUM NUMBER OF PATHS Q4 MINIMUM
NUMBER OF CONNECTORS
-Physical broadcast-bus superior point to point
connections
Q5 CAPACITY SUFFICIENT Q6 EMC

• -Time triggered protocol superior to event
  triggered
• Small number of continuous signals
• Deterministic
• No jitter, known delay

19
(No Transcript)
20
Conclusions

• More computing to lower price, weight and power
• Distributed control with data processing in
  sensors and actuators integrating MEMS in
  distributed nodes
• Permanent faults decrease, transient faults
  increase, less hardware redundancy, more
  sophisticated fault tolerance
• Distributed nodes with periodic communication
  over simple electrical buses
• Highlighting Distribution, Dependability,
  Maintainability, and Determinism

21
Distributed Architecture Analysis

• OUTLINE
• Design method
• Functional layout of a Distributed FCS
• System architecture
• Fault handling
• Bus scheduling
• Results

22
(No Transcript)
23
(No Transcript)
24
Control task graph
25
Task graph with different bus allocations
Actuator nodes
sensors
Primary control surfaces
26
Functional layout
27
Redundant ConfigurationsCritical Failure,
Probability 1 h mission
28
System Architecture
29
Fault handling
30
System Architecture
31
Bus scheduling
32
Structure of an Actuator node
33
Recovery principles
Replica deterministic
Eventual Replica deterministic

• Forward recovery
• Updated actuator states from a non faulty node.
• Synchronous communication
• Synchronous tasks processing in actuator nodes

Double execution Each node has allocated memory
for two sets of states. Synchronous
communication Synchronous tasks processing in
actuator nodes
Inherent recovery Continue execution of tasks
and the faulty values will eventually converge to
the correct values. Synchronous
communication Asynchronous tasks processing in
actuator nodes
34
PRESENT CONCLUSIONS
35
Results

• Technology Pred. Method
• Conceptual Design Method
• Top-Down, Holistic view
• Dependability oriented
• Cost optimized
• Distributed Architecture
• Identical actuatornodes
• Multi-control
• Time triggered communication
• Semi-Synch. Fault Handling
• Synch. Communication
• Asynch. Actuator nodes
• Eventual replica determinism
• DARES

36
Outcomes

• 9 Scientific Publications
• 2 Journal
• 7 Conf proceedings
• 1 Licentiate Thesis
• 7 Technical Reports
• 2 Patent Applications (swedish
  international)

37
Future

• Detailed Fault Handling of Sensor and Actuator
  Nodes
• Trade-off transient fault handling alt.
• Detail permanent reconfiguration
• Formally proof fault handling
• Define Time-Triggered Bus for Safety Critical
  Appl.
• Specify requirements
• Investigate commercial alt.
• Case Study for Conceptual Design Method
• Avionic system for JAS 39 Gripen