Search Results

This paper aims at discussing the use of dissimilar hardware architecture to mitigate DESIGN ERRORS in a flight control system application, as one of the possible design techniques that, combined with the usage of development processes, will satisfy the safety objectives for airborne systems. To accomplish its purpose, the paper starts by understanding the origins of DESIGN ERRORS in micro-coded devices and the concerns of airworthiness certification authorities (or simply certification authorities from now on). After that, an overview of the aeronautical industry efforts in terms of development processes and certification requirements to mitigate DESIGN ERRORS will be presented. At this point, the dissimilar architecture is proposed as an effective mean to mitigate the problem of DESIGN ERRORS. Finally, a Flight Control System application using dissimilar architecture is proposed as a case study.

In this work we discuss the fault avoidance and the fault tolerance approaches for increasing the reliability of aerospace and automotive systems. This includes: the basic definitions/concepts (reliability, maintainability, availability, redundancy, etc.), and characteristics (a priori analysis, a posteriori analysis, physical/hardware redundancy, analytical/software redundancy, etc.) of both approaches, their mathematical background and models (exponential, Weilbull, etc.), their basic theory, their methods and techniques (fault trees, dependence diagrams, Markov chains, etc.), some of their standards (SAE-ARP4761, AC 25.1309, etc.) and simulation environments (Cafta, etc.), and their applications to the reliability analysis and reliability improvement of aerospace and automotive vehicles. This is illustrated by some examples driven from the aerospace and automotive industries.

This paper presents the preliminary results of an "a posteriori" exercise of application of a Requirements Traceability Automation Tool (RT tool) to a set of documents. The documents have been prepared according to established Space System Engineering methodologies and with attention to text quality, but without attention to requirements traceability because the processes and methodologies used during their preparation predates the emergence of the processes and methodologies developed by Requirements Engineering (RE). This study is intended to determine some of the benefits of using a RT tool when compared with the previously used processes and methodologies. The set of documents under scrutiny have been prepared in the frame of the development of the CBERS-3 satellite (China-Brazil Earth Resources Satellite) and is composed of system, subsystem and equipment specification and covering documents related to the Electrical Power Subsystem (EPS) of the satellite.

This paper presents some techniques for fault diagnosis in aerospace and automotive systems. A diagnosis technique is an algorithm to detect and isolate fault components in a dynamic process, such as sensor biases, actuator malfunctions, leaks and equipment deterioration. Fault diagnosis is the first step to achieve fault tolerance, but the redundancy has to be included in the system. This redundancy can be either by hardware or software. In situations in which it is not possible to use hardware redundancy only the analytical redundancy approach can be used to design fault diagnosis systems. Methods based on analytical redundancy need no extra hardware, since they are based on mathematical models of the system.

On several engineering applications high Reliability is one of the most wanted features. The aspects of Reliability play a key role in design projects of aircraft, spacecraft, automotive, medical, bank systems, and so, avoiding loss of life, property, or costly recalls. The highly reliable systems are designed to work continuously, even upon external threats and internal Failures. Very convenient is the fact that the term 'Failure' may have its meaning tailored to the context of interesting, as its general definition refers to it as "any deviation from the specified behavior of a system". The above-mentioned 'deviation' may refer to: performance degradation, operational misbehavior, deviation of environmental qualification levels, Safety hazards, etc. Nevertheless, Reliability is not the only requirement for a modern system. Other features as Availability, Integrity, Security and Safety are always part of the same technical specification, in a same level of importance.

Computer systems aboard aerospace vehicles have become more and more distributed in an attempt to solve “real-life” problems such as commonality and longevity of components and subsystems. On the other hand, distributed systems pose a much bigger challenge in system design than traditional, “monolithic” systems, whereby functions are performed by a single component combining hardware and software. “Determinism” (predictability in the occurrence of events), “causality” (temporal ordination of occurrence of events) and “synchronism” (simultaneousness in the occurrence of events) can be pointed out as major challenges in system design. This paper shall survey methods of analyzing determinism in network communications in distributed computer systems aboard aerospace vehicles in different network topologies using a representative model.

Modeling and Simulation (M&S) of dynamic systems based on computers is a multidisciplinary field that involves several knowledge areas and tools, and is broadly used in all development areas of space industry such as rocket and satellite design and construction. Once space systems are divided into several subsystems for ease of engineering, their models are divided the same way for the same reason. Such models may be done using different computational tools that are based on either physical flows, informational flows, or hybrid flows, depending on the subsystem nature. This is specially true for a satellite propulsion subsystem, and its physical (volume, mass, energy, enthalpy, entropy, linear momentum, etc.) flows. This paper presents the modeling and simulation of a satellite propulsion subsystem by physical and signal flows. To accomplish this task, two different computational tools were used: AMESim and MatLab.

Control systems that can switch between control or plant modes have the advantage of being simpler to design than an equivalent system with a single mode. However, the transition between these modes can introduce steps or overshootings in the state variables, and this can degrade the performance or even damage the system. This is can be of extreme importance in fields such as aerospace and automobilistic, as the switching between manual and autopilot modes or the switching of gears In this work, we will use integral criteria in original ways, to determine a coefficient on the system which should optimize the trajectory of the control signal, during the switching between two modes. Effectively, each transition will be done by a subsystem specific for it, according to the selected criterion. The simulations will be made in MATRIXx, MatLab or both, using models chosen from aerospace or automobilistic fields.

A major trend in modern aerospace and automotive systems is to integrate computing, communication and control into different levels of the vehicle and/or its supervision. A well fitted architecture adopted by this trend is the Common Bus Network Architecture. A Networked Control System (NCS) is called when the control loop is closed through a communication network. The presence of this communication network introduces new characteristics (sharing bus, delays, jitter etc.) to be considered at design time of a control system. This work focuses on the influences of data bus protocols on an aircraft Fly-By-Wire (FBW) networked control system. We intent to show, through simulations, the influences of sharing bus on a real time control system. To compare effects, we choose the CAN Bus protocol where the medium access control is event driven; and the TTP protocol where the medium access control is time driven.

This works presents the generation and customization of real time code for embedded controllers using a modeling and simulation environment. When the controller model is considered satisfactory, the developers can use a code generation tool to build a real time source code capable to be migrated to an embedded target processor. The code generation tool used is capable to generate real time code in ANSI C or ADA 95 languages. This process can be customized to adequate to a target processor and/or a Real Time Operating System (RTOS). The code customization can be achieved using a specific Template Programming Language (TPL) that specifies how the code will be generated. This technique makes it possible the instantiation of real time embedded controllers code using the same controller model to a wide variety of target processors and/or RTOSs.

Eigenstructure techniques allow to detect and isolate faulty components in a dynamic process, such as sensor biases, actuator malfunctions, changes in dynamic parameters due to leaks and deterioration. Fault detection is the first step to achieve fault tolerance, but for this the redundancy has to be included in the system. This redundancy can be either by hardware or by software. In situations in which it is not possible to use hardware redundancy only the software redundancy can be used. Therefore using eigenstructure techniques, for the fault detection and isolation, the tests can be done through the angle between the residue vector direction and the fault direction vector. By this way, we can reduce false alarm and the alarm loss rates due to the noise and changes in system parameters.

This paper presents the first of four parts of the academic design of an Attitude Control System (ACS) for the Multi-Mission Platform (MMP) and its migration to a Real Time Operating System. The MMP is a three axis stabilized artificial satellite now under development at the National Institute for Space Research (INPE). Such design applied some software engineering concepts as: 1)visual modeling; 2)automatic code generation; 3)automatic code migration; 4)soft real time simulation; and 5)hard real time simulation. A block diagram based modeling and a virtual time simulation of the MMP ACS in its nominal operational mode were built in the MatrixX 7.1 environment satisfying the three axis pointing and stabilization requirements. After that, its AutoCode module was used to generate C ANSI code representing the block diagram model. Time characteristics were added to the ACS generated code to make it the real time control software of MMP nominal operational mode.

In this work we discuss current trends driving the aerospace and automotive systems architectures. This includes trends as: 1) pos-globalization and regionalization; 2) the formation of knowledge oligopolies; 3) commonality, standardization and even synergy (of components, tools, development process, certification agents, standards); 4) reuse and scalability; 5) synergy of knowledge and tools convergence; 6) time, cost and quality pressures and innovation speed; 7) environmental and safety issues; and 8) abundance of new technologies versus scarcity of skilled manpower to apply them.

Many control systems switch between control modes according to necessity. That is often simpler than designing a full control to all situations. However, this creates new problems, as determining the composed system stability and the transient during switching. The latter, while temporary, may introduce overshooting that degrade performance and damage the plant. This is particularly true for the MultiMission Platform (MMP), a generic service module currently under design at INPE. Its control system can be switched among nine main Modes of Operation and other submodes, according to ground command or information coming from the control system, mainly alarms. It can acquire one and three axis stabilization in generic attitudes, with actuators including magnetotorquers, thrusters and reaction wheels.

A constant challenge for the mobility engineering is to build correctly, the right product at the right time, cost and quality. This challenge gives opportunities to adopt new paradigms in system development, especially in generation, migration and tests of controller codes. This work presents the automatic generation, migration, and tests of real time code to an embedded controller. This is part of the Attitude and Orbit Control System (AOCS) for the Multi-Mission Platform (MMP) of the National Institute for Space Research (INPE). The modeling and simulation paradigm associated with automatic code generation makes possible the migration of a real time embedded controller code to a wide variety of target processors and/or Real Time Operating Systems (RTOS) using the same controller model. The MATRIXx (XMath/SystemBuild/AutoCode/DocumentIt) modeling and simulation environment was used to analyze and design the controller and generate its real time code.

This paper presents the automatic code generation process of the academic design of an Attitude Control System (ACS) for the Multi-Mission Platform (MMP). The MMP is a three axis stabilized artificial satellite now under development at the National Institute for Space Research (INPE). Such design applied some software engineering concepts as: 1)visual modeling; 2)automatic code generation; 3)automatic code migration; 4)soft real time simulation; and 5)hard real time simulation. A block diagram based modeling and a virtual time simulation of the MMP ACS in its nominal operational mode were built in the MatrixX 7.1 environment satisfying the three axis pointing and stabilization requirements. After that, its AutoCode module was used to generate C ANSI code representing the block diagram model. Four operating systems were used for code migration: 1)Windows 2000; 2)Mandrake Linux 10.1; 3)RedHawk Linux 2.1; and 4)RTEMS 4.6.2.

The Multimission Platform (MMP) is a generic service module currently in Project at INPE. In the 2001 version, its control system can be switched between nine main Operation Modes and other submodes, according to information from satellite sensors and ground commands. The Nominal Mode stabilizes the MMP in three axes and takes it to a nominal attitude, using three reaction wheels. Each wheel has coarse and fine acquisition submodes. The use of multiple modes of control for specific situations frequently is simpler than projecting a single controller for all cases. However, besides being harder to warrant its general stability, the mere switching between these submodes generates bumps, which can reduce the performance and even damage the actuator or plant. In this work, we present an application of diverse methods to smooth the transition between control submodes of the Nominal Mode of the MMP.

This work presents the first part of the analysis, design and simulation of the reconfigurable control architecture for the Multi-Mission Platform (MMP), a generic service module currently under design at INPE. Its control system can be switched among nine main Modes of Operation. The implementation followed the specifications when they were found, otherwise it was designed. The manager block of the control system was implemented as a finite state machine. The tests were based in simulations with the MatriX/SystemBuild software. They focused mainly on the worst cases that the satellite is supposed to endure in its mission.

This work presents the analysis, design and simulation of the reconfigurable control architecture for the contingency mode of the MultiMission Platform (MMP). The MMP is a generic service module currently under design at INPE. Its control system can be switched among nine main Modes of Operation and other Sub-Modes, according to ground command or information coming from the control system, mainly alarms. The implementation followed the specifications when they were found, otherwise it was designed. They cover operations from detumbling after launcher separation and solar acquisition, to achieving payload nominal attitude and orbital corrections maneuvers. The manager block of the control system was implemented as a finite state machine. The tests are based in simulations with the MatriX/SystemBuild software. They focused mainly on the worst cases that the satellite is supposed to endure in its mission, be it during modes or transitions between modes and submodes.

Real-time critical systems are those whose failures may cause loss of transactions/data, missions/batches, vehicles/properties, or even people/human life. Accordingly, some regulations prescribe their maximum acceptable probability of failures to range from about 10−4 to 10−10 failures per hour. Examples of such systems are the ones involving nuclear plants, aircrafts, satellites, automobiles, or traffic controls. They are becoming increasingly complex and/or highly integrated as prescribed by the SAE-ARP-4754A Standard. Those systems include, most of the time, real time critical software that must be specified, designed, implemented, validated, verified and accredited (VVA). To do that, models, specially the V-Model, are frequently adopted, together with methods and tools which perform software VVA to ensure compliance (of correctness, reliability, robustness, etc.) of software to several specific standards such as DO178-B/DO-178C (aviation) or IEC 26262 (automotive) among others.