model-based iv&v for an operation procedure · 2014-08-02 · model-based iv&v for an...

Model-Based IV&V Model Based IV&V for an Operation Procedure

2010 Validation and Verification Workshop@NASA IV&V Facility2010 Validation and Verification Workshop@NASA IV&V Facility

Tsutomu MATSUMOTO*1,Masakazu TAKASE*2, Yuko MIYAMOTO*1, Masa KATAHIRA*1

*1 Japan Aerospace Exploration Agency (JAXA)*2 Mitsubishi Space Software Co.,Ltd. (MSS)

September 17, 2010

1

p ,

Contents

BackgroundIV&V for an Operation Procedure in JAXAp

Target SystemActivity executionActivity execution

Work SequenceModeling and SimulationModeling and SimulationCase Example

Lessons Learned Lessons Learned Conclusion and Future Work

September 17 2010 Validation and Verification Workshop 2

BackgroundIV&V f O i P d i JAXAIV&V for an Operation Procedure in JAXA

Mission

[GOAL of proposed method]Validate consistency between

S S

Operation

previous target phase

yoperational design and system design from early development phase.

SystemRequirement

SystemTest

g p

proposed target phase

SoftwareRequirement

SoftwareTest

(1)IV&V with Operation Scenario and System Design[static check]IV&V of Operation Data File

g p

SoftwareDesign

Unit Test[dynamic check]not executed yet

(2)IV&V with Operation

(1)IV&V of Operation Scenario[static check]not executed yet

SoftwareImplementation

Procedure and Code[static check]not executed yet[dynamic check]

y[dynamic check]Executable-Model Based Verification for HTV Pressurized Environment


Distributed Simulation of HTV Operation Control System

Controller (proposed method)

future target phase

Target System (1/2)

Spacecraft : H-II Transfer Vehicle (HTV)Component : Avionics Module / Multi-mission Control Unit (MCU)Function: Pressurized Environment Controller


HTV

Target System (2/2)

CCSDS Data Processor Bus Interface Unit

Control of Logistics Carrier

CMDInput

TLMOutput

TLMInput

CMDOutput

<Target Function>pressurized environment TLM

I

Onb

Equ

<ISS>controller<Other Functions>caution & warningheater controllerpower estimator

Input

CMDOutput

board

ip

men

t

1553BRT

ISS formattransition

INT MDM

The function is well-defined in

Data Handling Multi Mission func.

power estimatorpropulsion FDIRLLM mode function

TLMOutput

TLMInput

The function is well-defined in early development phase and appropriate for sample case.

TLMCMD

MCU_A

Data Handling Multi Mission func.

MCU_B

MCU C

Ou pu pu


MCU_CFunction Structure of MCU

Activity Execution (1/6)Work Sequence

Perform model-based simulation of targeted system behaviorto validate operation procedure regarding HTV MCU

Step1: Modeling of target system and its environmentSystem model is constructed based on system specification defined in system requirement phase.

System behavior is statically simulated according to the command input d th t t f i t l d land the state of environmental model.

Environmental model associated with cabin pressure is virtually constructed.If all two switches of valves are “open”, pressure value is decreased by 1kPa/sec1kPa/sec.If one of two switches of valves is “close”, pressure value remains the same.

St 2 Si l ti ith t bl d lStep2: Simulation with executable models[input] sequence of commands based on operation procedure[output] telemetry


step3: Analyze the result of the simulation recorded in log file

Activity Execution (2/6)Modeling and Simulation

<Pressurized environment controller><Environment> <Environment>

Vent

Vent/Relief ValvePower Distribution Box(PDB)Controller of

PDB

valve status power status

Cabin PressureMonitoring

Automatic Relief

PreventiveDepressurization

Cabin PressureSensors

Controller ofunpressurized part

sensor valuesensor status Controller of

unpressurized part

Data Flow of Cabin Pressure Control in MCU

DepressurizationSensors

Environmental Model <sample>

p

System Model <sample>Environmental Model <sample>

if ( (MainPowerSourceOnOffStatus == ON)&& (SwitchOfVentReliefValve1 == OPEN)&& (SwitchOfVentReliefValve2 == OPEN) )

System Model <sample>

if( (ValueOfCabinPressureSensor1 > UpperLimit)&& (ValueOfCabinPressureSensor2 > UpperLimit) )

{{

ValueOfCabinPressureSensor1--;ValueOfCabinPressureSensor2--;ValueOfCabinPressureSensor3--;

}

PressureValue = ValueOfCabinPressureSensor3;}else {

AutomaticReliefFlag = NonExecutable;}


}

Modeling Language : Microsoft Visual C++

}

Activity Execution (3/6)Simulation Result

① Command Sequences ⑤ Comment on the Result② Telemetry to be checked ⑥ Setting Value③ Simulation Output ⑦ Expectation Value


③ p ⑦ p④ Comment on the Procedure

Activity Execution (4/6)Case ExampleAutomatic Cabin Air Relief

If cabin pressure goes over upper threshold, cabin air is released for depressurization by opening relief valves.

upper[Abstract of Operation Procedure]Set “Status of Cabin Pressure Monitoring (ENA/INH)” to ENA

upper

0 kP

lower

Set “Status of Cabin Pressure Sensor” to NORMALSet “Status of Automatic Cabin Air Relief (ENA/INH)” to ENAExecute “Automatic Cabin Air Relief”

0 kPa[sensor]

Monitor “Value of Air Pressure Sensor”Monitor “Status of Air Pressure Sensor”Monitor “Status of Valve (OPEN/CLOSE)”

open

Monitor “Status of Valve (OPEN/CLOSE)”

[valve]


Activity Execution (5/6)i l ti t ti Case Example simulation

outputexpectation value

cabin pressure monitoring : ENA cabin pressure monitoring : ENA

cabin pressure sensor : NORMAL

automatic cabin air relief : ENA

automatic cabin air relief : ON


Activity Execution (6/6)Case Example (contd.)

simulation t t

expectation l

cabin pressure falls down continually.

outputvalue

If cabin pressure falls below lower limitIf cabin pressure falls below lower limit,valves are closed.

Remarks about the simulation resultIn this case example, system model behaved as expected

in the operation procedure.p pIf there are some inconsistencies between system model

and the operation procedure, simulation output would be different from expected values


different from expected values.

Lessons Learned

Modeling based on system specificationg y pAbstraction level of System Requirement Specification and Operation Procedure should be similar extent for modelling and integration.Models are easy to build for those who can use C-llanguage.

Validation of Operation ProcedureExecution Conditions of the Simulation were defined as parameter changes with time. Various failure conditions are possibly defined and Operation Procedure could be validated under the conditions


conditions.

Conclusion and Future Work

ConclusionSimulation with Executable Model was shown to be effective way to validate consistency between operational design and system/software design from early development phase.

Future WorkValidation of Dynamic System Behaviour

Operational validation methodology should be developed with not only static model (status command and with not only static model (status, command and telemetry) but also dynamic model.


model-based iv&v for an operation procedure · 2014-08-02 · model-based iv&v for an...

Documents