The overall objective for SAVI Version 1.0 is to develop capabilities to a level that the Virtual Integration Process (VIP) could be incorporated with manageable risk in a system development program.
Safety analyses, simple fit, and elementary behavior patterns were the primary thrusts for SAVI Version 1.0A and Version 1.0B. Version 1.0C (AFE 61s2) considered integration of a more complete behavior-based example WBS system and extended behavior analyses to more realistic wheel braking systems development.
Version 1.0D seeks to build on previous SAVI work in three SAVI capabilities and adds extensions for a fourth. Safety analysis, electronic/mechanical fit analysis, and system behavior analysis will be matured with increasingly capable models and consistency analyses, and the important topic of security analysis will be considered for the first time.
Task 1: MR/DEL Maturation
Extend and refine the SAVI MR/DEL model translation and data exchange capabilities developed in previous AFEs that underpin the architectural analysis of, and consistency checking between, differing model types and all actors in the VIP. This requires support for the model types used in the safety, security, system architecture, electronic, mechanical, geometric, and behavioral use cases. Intellectual Property protection and initial aspects of configuration management will be demonstrated for subsets of model properties. As an exemplar, the use of data exchange based on ISO 10303-239, Product Life Cycle Support (PLCS), and the mapping of MR/DEL objects and constructs to the MoSSEC standard that was established during AFE 61s2 will be continued and refined.
Deliverables
- Demonstration of IP protection and configuration management at individual model property object level.
- Map of BOM(s) to MoSSEC.
- Server-side web services implemented.
- Updated MR/DEL Specification.
Task 2: Elaborate and Refine VIP Use Cases
Update the VIP, as captured in the VIP specification, to refine/define the process for exchanging and using architectural models (based on SysML and AADL), specification or design models in various languages (including but not limited to ECAD, MCAD, SysML, Simulink, Modelica and AADL) and other supplementary artifacts (e.g. textual requirements) to exercise and refine a System ICD provided by an OEM and refinements provided by Suppliers. Coordinate the uniform application of the VIP across the working groups. Demonstrate traceability between artifacts.
The existing Wheel Braking System (WBS) model set will be leveraged to exercise the VIP.
Deliverables
- Initial artifacts for the VIP of the WBS.
- Demonstration of controlled model exchange (including preliminary approach to IP protection in collaboration with Tasks 5 and 6).
- Demonstration of OEM-Supplier and Supplier-Supplier interaction based on model exchange.
- Demonstration of analysis using exchanged models.
- Updated VIP Specification.
- Updated Background Document for SAVI Standard.
- Registered process deviations and recommendations for future exercises.
Task 3: Fit Analysis
Under AFEs 61s1 and 61s2, SAVI explored and demonstrated consistency checking between mechanical, electrical, and system interconnect models in support of the so-called “Pin 1 Problem.” For AFE 62, the team will expand this capability to include wiring harness interconnect.
- Identify wiring harness consistency check use cases and scenarios.
- Develop a model set for the wiring harness use case(s) using refined L0 and L1 connector interfaces.
- Identify Business Objects for the wiring harness use case(s).
- Develop a “rule,” or algorithm, for performing consistency checks.
- Implement model data exchange and consistency checking in Share-A-space® and appropriate visualization tools.
- Develop video demonstration showing consistency checking across the model set.
- Exercise the SAVI VIP.
Deliverables
- Demonstration of L0 and L1 consistency checks and wiring harness consistency checks (including video capturing demonstration).
- Final report documenting Fit Analysis Use cases for this task.
- Updated Fit BOM.
Task 4: Behavior Analysis
During AFE 61s2, SAVI continued to develop a subprocess within the VIP for performing behavioral consistency checks – including comparisons between models generated by different suppliers and different domains – by extending the AFE 61s1 analysis of the behavior of a very simple sliding mass model. The SAVI team also extended the AFE 61s1 groundwork for performing integrated behavioral analysis by developing a more complex WBS model with higher-fidelity physics and an extension to a partitioned (IMA) architecture. Additionally, this model was refactored into a more realistic and representative component-based structure that reflects the physical decomposition of an implemented system (controller, hydraulics, network components, etc.). Finally, the SAVI team defined a set of multi-domain models (SysML, AADL, Simulink, Simscape, Modelica) that provide alternate viewpoints of the system model (or portions thereof). This work provides the basis for our plans for work in AFE 62.
In AFE 62, the SAVI team plans to address the following:
- Modeling – Complete WBS model set: exercise incremental model development and use the SAVI Model Repository and Data Exchange Layer (MR/DEL), considering intellectual property protection.
- Modeling – Integrate SysML WBS model: Put together an overall WBS systems model in SysML that all other models within the model set tie into, including, in three phases as resources permit, hydraulic, electrical, and mechanical power systems as well as software components and signals.
- Consistency – Establish structured consistency checking: The team will exercise the model set to show how a variety of consistency check types can be evaluated under the VIP and document the procedures for carrying them out (exercise the VIP). At the current level of maturity of the VIP, the team also expects to discover and document shortcomings in tools and gaps in knowledge that must be closed to make these consistency checks complete and comprehensive in the future.
- Analysis – Investigate use of formal analysis techniques: Following SAVI guiding principles, the team will seek to apply formal analysis techniques in resolving integration anomalies both during the consistency checking phase of the modeling effort and during the verification of the system itself. As these opportunities are identified and exercised during this AFE, the findings will be carefully evaluated.
- Analysis – Extend analysis of braking performance in the context of likely system development errors: The WBS model set will be exercised to predict how the brakes are expected to perform under requirements and design errors introduced during integration of the system. For instance, the effects of bus overloads/failures, processor overloads/failures, timing errors, or consistency errors across interacting components can be compared or contrasted with expected or simulated behavior to evaluate stopping performance.
- Analysis – Extend safety analysis to address a more comprehensive coverage of ARP-4761 processes. First the WBS model set will be annotated with properties that are relevant to Zonal Safety Analysis and then multi-model queries will be used to evaluate zonal separation violations. The extension of safety analysis within the VIP will continue to other ARP-4761 system safety analysis (SSA) types with additional model constructs defined across the model set to support each type.
Deliverables
- Narrated video demonstration of behavioral analysis capability and consistency checking of the extended WBS using the SAVI VIP.
- A report documenting the AFE 62 WBS model set, including the interaction between the SysML model and the balance of the WBS model set.
- A report on how the behavior models are ingested and registered: relationships developed to support consistency checking.
- A report on consistency check configuration, execution, and results for the WBS across the model set.
- A report showing results for behavior analysis for at least three areas of concern, including resource allocation, system startup transients, and safe minimum stopping distance in the presence of faults. This will be accomplished using the following simulation concerns:
  - Record pressure drops in hydraulic power circuits and voltage drops in the hydraulic and electrical power distribution branches at various levels of abstraction (to be used for the resource verification example).
  - Record the transient behavior of the power-up events for both hydraulic and electrical power to the WBS, along with behavior during typical failure conditions, to help identify potential controlling software anomalies (there may also be startup faults that need to be addressed here).
  - Record predicted stopping distances for these modeled wheel braking systems and compare these predictions with results from similar WBS implementations or actual measured stopping distances. Include the effects of injected faults to evaluate their effect on stopping performance at the system level.
- A report documenting impacts of increased complexity on consistency checking and behavioral analysis.
- A report on the coverage of ARP-4761 PSSA/SSA analysis types – with examples. Provide overarching assessment of the degree to which the PSSA/SSA can be addressed by the VIP and the way forward to closing gaps.
- Update of guidance documents intended to lead to a standard for the SAVI VIP.
Task 5: Security Modeling and Analysis within the SAVI VIP
This task will identify several security issues that can be discovered in models and will develop tools to discover them during the SAVI VIP. Potential issues under investigation are: execution platform configuration issues, lack of isolation, misuse of protection mechanisms, and inappropriate use of shared resources. The task will identify which models can be analyzed and processed to discover security issues and propose methods and tools to automatically detect them in the SAVI VIP.
During this task, we will address the following research questions:
- What security issues can be discovered by the different models in the SAVI VIP?
- How can we specify security aspects in the SAVI VIP (for each model)?
- What is the impact of this new analysis on the SAVI VIP? Do we need to add consistency checks or relations between models?
- How can the discovery of security issues in the VIP be automated?
- Do we need additional models to address other security issues?
Deliverables
- Use cases for security modeling and analysis. This will include an AADL model for each use case, annotated with security properties and constraints, demonstrating rules that show the validation and verification of security requirements.
- A security analysis tool capable of being integrated with OSATE. New capabilities will include incremental variation of security requirements in architecture models and generation of assurance cases.
- A technical report that details how to leverage the architecture model to detect security issues in the VIP using the integrated tool.
- A demonstration showing discovery of several security vulnerabilities in the SAVI VIP. This will take the form of a video demonstrating the new security capabilities integrated with OSATE.