=Paper=
{{Paper
|id=Vol-1507/dx15paper21
|storemode=property
|title=Methodology and Application of Meta-Diagnosis on Avionics Test Benches
|pdfUrl=https://ceur-ws.org/Vol-1507/dx15paper21.pdf
|volume=Vol-1507
|dblpUrl=https://dblp.org/rec/conf/safeprocess/CosseBPDG15
}}
==Methodology and Application of Meta-Diagnosis on Avionics Test Benches==
https://ceur-ws.org/Vol-1507/dx15paper21.pdf
Proceedings of the 26th International Workshop on Principles of Diagnosis
Methodology and Application of Meta-Diagnosis on Avionics Test Benches
R. Cossé1,2 , D. Berdjag2 , S. Piechowiak2 , D. Duvivier2 , C. Gaurel1
1
AIRBUS HELICOPTERS, Marseille International Airport, 13725 Marignane France
{ronan.cosse, christian.gaurel}@airbus.com
2
LAMIH UMR CNRS 8201, University of Valenciennes, 59313 Valenciennes France
{denis.berdjag, sylvain.piechowiak, david.duvivier}@univ-valenciennes.fr
Abstract we call a meta-diagnosis.
Many diagnosis approaches have been proposed to deal with
This paper addresses Model Based Diagnosis for specific avionics problems. Two different classes of repre-
the test of avionics systems that combines aero- sentation are applied: data-based diagnosis or model-based
nautic computers with simulation software. Just diagnosis. The first one, as studied by Berdjag et al. [3] is
like the aircraft, those systems are complex since used to recognize faulty behaviors of an Inertial Reference
additional tools, equipments and simulation soft- System (IRS) thanks to normal or faulty categories of in-
ware are needed to be consistent with the test re- put/output data. In this work, data fusion of outputs sensors
quirements. We propose a structural diagnostic is computed to eliminate faulty sources. In [2], the time
framework based on the lattice concept to reduce dependency is introduced in data of failure messages to im-
the time of unscheduled maintenance when the prove problems detection.
tests cannot be performed. Here, we also describe In Model Based Diagnosis (MBD), Kuntz et al. [4] have
a diagnosis algorithm that is based on the formal studied an avionics system using minimal cuts notions. Be-
lattice description and designed for test systems. lard et al. have defined a new approach based on the MBD
The benefits is to capture the system structure and hypotheses called Meta-Diagnosis in [5] dealing with mod-
communication specificities to diagnose the con- els issues. Berdjag et al. [6] present an algebraic decompo-
figuration, the equipments, the connections, and sition of the model to reduce the complexity of the required
the simulation software. model-based diagnosers. Giap [7] has proposed a formalism
of an iterative process to give a solution when models are not
1 Introduction complete but it lacks of applications on more complex in-
dustrial systems. Nevertheless, it gives clues for an iterative
Avionics systems are complex since tens of subsystems and
diagnosis. Another diagnostic software has been developed
components interact to achieve required functions. Exist-
by Pulido et al. in [8] to perform consistency-based diagno-
ing devices for aircraft fault monitoring are based on ded-
sis of dynamic system simulating diagnosis scenarios. The
icated avionics functions but the existing solutions are in-
architecture is quite novel and is applied to the three-tank
sufficiently flexible for test systems and can be improved.
system.
In [1], the framework of an health management algorithms
Structural approaches as graph theory are also popular
for maintenance is described and implemented on an air-
for MBD to describe the structure of the system as with
craft. In [2], the diagnostic of avionics equipments is per-
Bayesian Networks in [9]. They enable us to incorporate
formed through dynamic fault trees. To prevent important
the system complexity as with the lattice concept to inte-
failures on the aircraft, avionics systems are checked on rigs
grate the sub-models dependencies. For example, in [10],
called Avionics Test Bench (ATB) composed of the avionics
the lattice model represents fault modes to compute testable
equipments and flight simulation software.
subsystems from redundancy equations. We want to get the
The environment of the ATB needs to be compliant with the
main ideas that will serve our proposal. To our knowledge,
configuration of the avionics equipments. Faults of the ATB
there is no method for the diagnostic of test systems based
can concern the avionics equipments, their configurations,
on embedded softwares behaviour. Moreover, our proposi-
or the ATB itself i.e the movable connections and the simu-
tion has been adapted from embedded systems to the ATB
lation software. Since it does not exist monitoring functions
behaviour. Its complexity is relevant to the objectives of
of the ATB itself, a new method needs to be applied to pre-
the avionics embedded systems certification, as for exam-
vent long periods of unavailability. In fact, during the devel-
ple high levels of safety requirements, or the simulation of
opment of embedded softwares, its architecture and the test
specific test conditions. In our model, we must consider the
environment surrounding the ATB are redesigned by adapt-
fact that our representation must put forward the ATB be-
ing the test means to the specification’s requirements. Since
haviour in case of failures concerning embedded systems,
the ATB is a test system, and the main knowledge are based
connections, communications, simulation softwares and all
on its embedded systems, we need a new approach to deal
settings to configure the test. Considering those features, the
with the ATB issues. As the embedded systems are already
high number of needed ATB reconfigurations, it is proposed
tested on the ATB, and the test results are used to focus on
a structural representation associated with hierarchical ver-
the ATB issues thanks to a new representation based on the
ifications that reduce the faulty candidates. The motiva-
model of the test system, the diagnosis of the ATB is what
159
� Proceedings of the 26th International Workshop on Principles of Diagnosis
tion of the proposed meta-diagnosis approach was presented 2.2 Diagnostic function
in [11]. Here, we propose an extended diagnosis methodol- A basic diagnostic function is defined to help the diagno-
ogy originally defined by De Kleer, Williams [12], [13] and sis: the check function. Depending on the granularity, the
Davis [14] and we present a software implementation run- check function is applied on a component, a subsystem or
ning on a real ATB. It differs from the Belard et al.’s meta- a partition. First, the checkC function is used to deter-
diagnosis definition because the ATB is still defined as the mine if a component is faulty or not. However, we do not
main system under study. Here, we extend the diagnostic- know precisely how a unique component behaves regarding
world tools for a specific system and due to the lack of a fault. So we need to define the checkS function of a sub-
knowledge and data in case of issues, our proposal is based system. The behaviour of a faulty subsystem may also not
on a MBD representation with a structural and functional be sufficient to explain a fault. In fact, subsystems are inter-
decomposition without fault models. connected making the system structure and the partitioning
First, we describe the diagnostic framework, the lattice- concept allows us to focus on different levels of abstrac-
based representation used to model the ATB system and the tion that we call granularities. In our study, we only focus
diagnostic algorithm. In the third section, we provide a de- on faults with observable and measurable symptoms. These
scription of the ATB and the application of the lattice con- faults can only be localized by testing a functionality on a
cept. In the fourth section, we illustrate the approach with a specific architecture. That is why, functional and structural
case study of the ATB. In the final section, we describe the partitions are used to decompose the system into testable
development of a software application to perform automati- partitions.
cally the ATB diagnosis.
Definition 3. The checkC function of a component ci is
defined by:
2 Diagnostic framework checkC : COM P S → {0, 1, −1} s.a checkC(c) = 0 if
the component c is faulty, checkC(c) = 1 if the component
2.1 System representation c is unfaulty and checkC(c) = −1 if the component state is
unknown.
The system is composed of several subsystems that inter-
Definition 4. The checkP function of a partition P is de-
act together to achieve a global function. The decomposi-
fined by:
tions into subsystems is guided by the communication be-
checkP : P → {0, 1, −1} s.a checkP (P ) = 1 ⇔
tween components to fulfill this goal. Partitions are used
∀σi ∈ P, checkS(σi ) = 1, checkP (P ) = 0 ⇔ ∃σi ∈
to decompose the system into functional and communica-
P, checkS(σi ) = 0, and checkP (P ) = −1 ⇔ the checked
tions categories. So, there are two classes of partitions: the
value is unknown.
partitions that represent the structure and the connections of
Some partitions cannot be checked. The set of pos-
the system; and the partitions that represent the functions of
sible checked partitions is Cons. It defined a con-
the system. As an example, P1 is associated with a func-
straint. A constraint Cons is a subset of P s.a: ∀P ∈
tionality of the system P1 = {σ1 ; σ2 }, σ1 = {C1 } and
Cons, checkP (P ) 6= −1.
σ2 = {C2 , C3 }. If a problem appears, i.e the functionality
is not performed, then a fault is detected for this partition P Once the checkP value of a partition is known, we have
and symptoms are seen and linked to subsystems σ. to define the checkS function of subsystems that are not sin-
In the following paragraphs, we use the following notation: gletons σi 6= {ci }. If the partition is faulty, either it exists
P for a partition, σ for a subsystem and ci for a compo- a component ci ∈ σi such as checkC(ci ) = 0, or the com-
nent. S = {ci , i ∈ [1, n]} is the set of all the n components munication between the components in σi is faulty. This
of a system. We note Σ the set of all subsystems, i.e the is modeled by checkCom(σi ) = 0. If the partition is un-
power set of components. A partition P is a set of np sub- faulty, then all communications between the components in
systems σi ∈ Σ: P = {σi , i ∈ [1, np ]|∀i 6= j; σi ∩ σj = σi 6= {ci } are unfaulty and all singletons σi = {ci } are
n
Sp unfaulty.
∅, and σi = S}. We note P the set of all partitions.
i=1 Definition 5. The checkCom function of a subsystem σi ⊆
We recall the definition 1 of inclusion relation between par- COM P S is defined by:
titions and the definition 2 of multiplication. checkCom : Σ → {0, 1, −1} s.a checkCom(σi ) = 1 ⇔
the communication between components in σi is unfaulty;
Definition 1. Two partitions P1 and P1 are said to be in checkCom(σi ) = 0 ⇔
inclusion relation P1 ⊆ P2 if and only if every subsystems the communications between components in σi is faulty.
of P1 is contained in a subsystem of P2 . The relation ⊆
means that P1 is a sub-partition of P2 . To help the diagnosis of the system, we decompose it
into subsystems and we introduce the checkS function of a
Definition 2. The subsystems σk of the multiplication of two subsystem σi ⊆ COM P S defined by:
partitions P = {σi , i ∈ [1, np ]} and Q = {σj , i ∈ [1, nq ]}
are defined by: ∀σk ∈ P × Q, ∃σi ∈ P, ∃σj ∈ Q, σk = Definition 6. checkS : Σ → {0, 1, −1} s.a checkS(σi ) =
σi ∩ σj . 1 ⇔ ∀ci ∈ σi , checkC(ci ) = 1 ∧ checkCom(σi ) =
This operation is used to order subsystems with respect to 1 ; checkS(σi ) = 0 ⇔ ∃ci ∈ σi , checkC(ci ) = 0 ∨
the proposed diagnostic algorithm. The inclusion relation ⊆ checkCom(σi ) = 0 and checkS(σi ) = −1 ⇔ ∃ci ∈
is used to organize the components with the lattice concept σi , checkC(ci ) = −1 ∧ checkCom(σi ) = −1.
L (Σ, ⊆) with a partial ordering relation. It is different from With the above definitions, it is now time to define the
the concept of partially ordered set (poset) because the ar- diagnosis problem. Given a system representation with the
rangement of elements is not based on sets but on partitions. lattice concept L (Σ, ⊆) and the set of constraints Cons =
160
� Proceedings of the 26th International Workshop on Principles of Diagnosis
{P ∈ P, checkP (P ) 6= −1}, the problem is defined by Algorithm 1: DIAG(L (Σ, ⊆))
the consistency between L (Σ, ⊆) that contains the system
representation, and Cons that describes system issues. Input: d = {pi , i ∈ [1, n]}, Cons = {consi }
Output: ∆(Diagnosis)
Definition 7. The problem formulation is to find the faulty Global variables: End
components whose current state may explain the con- Fc (f aulty components), Uc (unf aulty components),
straints. It is defined as a function DIAG(L (Σ, ⊆)) under Σ− (f aulty subsystems), Σ+ (unf aulty subsystems),
the constraints Cons. P − (f aulty partitions), P + (unf aulty partitions)
There are two kinds of faults: the fault of a component ∆, Fc , Uc , P + , P − , Σ− , Σ+ ← {}; End ← f alse;
Ci modeled with checkC(Ci ) = 0, and the communica- N Cons ← {};
tion fault of a subsystem σi = {Ci , Cj , ...} modeled with while ¬End do
checkCom(σi ) = 0. With the P1 partition, suppose that C2 F indF aultySubsystems(d, Cons);
and C3 are linked with an ARINC 429 link that is not work- V erif ication(Fc , Σ− );
ing. The constraint is checkP (P1 ) = 0 because the global if ¬End then
function is broken. The reason is that checkCom(σ2 ) = 0. foreach pi ∈ N Cons do
Knowing that checkCom(σ2 ) = 0 for the P1 functionality GET checkP (pi )
is giving the information to fix the system. Cons ← Cons ∪ {pi }
2.3 Diagnostic algorithm
It is now necessary to introduce a diagnostic method whose
aim is to solve the above problem. The algorithm is based on
the following proposition that extends the verification from Algorithm 2: F indF aultyElements
the multiplication of partitions to partitions, see Proposi- Input: d = {pi }, Cons = {consi }
tion 1. Then, a functional verification is propagated from Outputs: Fc , P − , Σ− , Σ+
partitions to subsystems, and from subsystems to compo- foreach (pj , pk ) ∈ P 2 : pi 6= pj do
nents. pmult ← pj × pk
if pmult ∈ Cons then
Proposition 1. ∀P, Q ∈ P 2 , checkP (P × Q) = 0 ⇒ if checkP (pmult ) = 0 then
checkP (P ) = 0 ∧ checkP (Q) = 0.
P − ← P − ∪ {pi }
In order to increase the readability of the algorithm, it has foreach σi ∈ pi do
been split into three: DIAG(L (Σ, ⊆)) is the main algo- foreach ck ∈ Uc do
rithm, it initializes the framework with the partitions of the σi ← σi \ {ck }
system {pi , i ∈ [1, n]} and the constraints Cons = {P ∈ if σi = {ci } then
P, checkP (P ) 6= x}. Fc ← Fc ∪ σi
F indF aultyElements checks the partitions that are de-
fined as a constraint. If the checked value of a partition else if σi ∈
/ Σ+ then
pmult is faulty (resp. unfaulty), we add it to the faulty (resp. Σ ← Σ− ∪ {σi }
−
unfaulty) partitions set P − (resp. P + ), and every subsystem
σi of the partition is possibly faulty (resp. unfaulty), we add if checkP (pmult ) = 1 then
it in Σ+ , (resp. Σ− ). If another partition pmult can help to P + ← P + ∪ {pi }
get more faulty or unfaulty components, a new constraint is foreach σi ∈ pi do
proposed and added to N Cons. if σi = {ci } then
Uc ← Uc ∪ σi
V erif ication is used to check the possible components that
may be faulty, i.e include in Fc with the checkC function, else
and the communication of the subsystems in Σ− with the Σ+ ← Σ+ ∪ {σi }
checkCom function.
Two functions have been introduced: the checkP (pi ) if pmult ∈/ Cons then
value of a partition pi and the CheckCom(σi ) of a subsys- if ∃{ci } ∈ pmult then
tem. Their values can be automatically computed thanks to a if ¬(ci ∈ Uc ∪ Fc ) then
program developed on the system to automate the diagnosis. N Cons ← N Cons ∪ {pmult }
This is performed by the GET function whose purpose is to
model the computation of checkP (pi ) or CheckCom(σi ).
2.4 Formal example
In order to illustrate the problem formulation and the diag- function is introduced to choose the next topology and the
nostic algorithm, a formal example is provided. It is com- next functionality to be tested. It is guided by the minimum
posed of eight components {Ci , i ∈ [1, 8]} organized into of tests to perform in order to fix the system. For a set of
three partitions: partitions P, we define Choose : {P} → P × P.
P1 = { {C1 ,C2 , C3 ,C4 }, {C5 ,C6 , C7 ,C8 }}, As the two functionalities are modeled by P1 and P2 , and
P2 = { {C1 ,C2 }, {C3 ,C4 ,C5 ,C6 ,C7 ,C8 }}, the the topology is modeled by P3 , we have two possi-
P3 ={{C1 }, {C2 ,C4 ,C6 ,C8 }, {C3 ,C5 ,C7 }}. bilities. We assume that P2 is prior to P1 , the first itera-
P3 describes the topology of the system. P1 and P2 describe tion is defined with Choose(P)=(P1 , P3 ). We begin with
functionalities. We set the C2 component as faulty. The idea checkP (P1 ×P3 ) = 0, s.a P1 × P3 = { { C1 }, {C2 ,C4 },
is to combine the topology of the system with its function- {C3 }, {C6 ,C8 }, {C5 ,C7 }}. The possible faulty component
alities to find the faulty component or subsystem. A choice are C1 and C3 . We check the C1 and C3 components and
161
� Proceedings of the 26th International Workshop on Principles of Diagnosis
Algorithm 3: V erif ication Components CheckC
C1 1
Inputs: Fc C2 0
Outputs: ∆ Fc , Uc , End C3 1
Initialization: σ+ , σ− ← I;
C4 −1
foreach ci ∈ Fc do
C5 −1
if checkC(ci ) = 0 then
∆ ← ∆ ∪ {ci } C6 −1
End ← true C7 −1
else C8 −1
Fc ← Fc \ {ci }
Uc ← Uc ∪ {ci } Table 2: Diagnostic results for components in P2 × P3
foreach Σi ∈ Σ− do
GET checkCom(Σi ) more than twelve national customers in over twenty dif-
if checkCom(Σi ) = 0 then ferent basic helicopter configurations. The NH90 Avionics
∆ ← ∆ ∪ {Σi } System consists of two major subsystems: the CORE Sys-
End ← true tem and the MISSION System. A computer is the bus con-
else troller and manages each subsystem communications: the
Σ− ← Σ− \ {Σi } Core Management Computer (CMC) for the CORE Sys-
Σ+ ← Σ+ ∪ {Σi } tem and the Mission Tactical Computer (MTC) for the MIS-
SION System. Each computer is connected to one or both
subsystems via a multiplex data bus (MIL-STD-1553), point
to point connections (ARINC429) and serial RS-485 lines.
find them as unfaulty, see Tables 1. The possible faulty sub- Additional redundant computers are used as backup. One
systems are {C2 , C4 }, {C6 , C8 } and {C5 , C7 } and they are of the two CMC is the Bus Controller (BC) of the CORE
unfaulty. The diagnosis is not sufficient, we must relax the multiplex data bus. The avionics system of the ATB is
constraint P2 × P3 . composed of fourteen computers and the above connec-
The second iteration is defined with Choose(P)=(P2 , P3 ), tions: two CMC: c1 = CM C1 and c2 = CM C2; two
s.a P2 × P3 = {{C1 }, {C2 }, {C4 ,C6 ,C8 }, {C3 ,C5 ,C7 }}. Plant Management Computer (PMC): c3 = P M C1 and
We get checkP (P2 × P3 ) = 0, the possible faulty compo- c4 = P M C2; five Multifunction Display (MFD): c5 =
nents are C1 and C2 but C1 has already been checked in the M F D1, c6 = M F D2, c7 = M F D3, c8 = M F D4,
previous iteration. So, the possible faulty subsystems are c9 = M F D5; two Display and Keyboard Unit (DKU):
{C3 ,C5 ,C7 } and {C4 ,C6 ,C8 }. We check the C2 component c10 = DKU 1, c11 = DKU 2; two IRS: c12 = IRS1,
and find it as faulty. For this example, the computed faulty c13 = IRS2; one Radio Altimeter (RA): c14 = RA. For-
or unfaulty components is, see Table 2, C2 in P2 × P3 . mally, COM P SAT B = {ci , i ∈ [1, 14]}.
If no components has been found faulty, the upper topo- The avionics system under test COM P SSU T is a sub-
logical level is treated i.e subsystems: {C2 ,C4 }, {C6 ,C8 }, system of COM P SAT B . It is described Figure 1.
{C5 ,C7 }, {C4 ,C6 ,C8 } and {C3 ,C5 ,C7 }}. Here, they are COM P SSU T = {c1 , c2 , c3 , c4 , c5 , c10 , c12 , c14 }. For the
unfaulty. rest of the article, COM P SSU T will be the primary system
under study.
Components CheckC
C1 1
C2 −1
C3 1
C4 −1
C5 −1
C6 −1
C7 −1
C8 −1
Table 1: Diagnostic results for components in P1 × P3 Figure 1: Architecture of the avionics subsystem
The method has permitted to detect quickly the faulty
component using functional partition and a structural par- From To Messages Subsystems
titioning. Thanks to this result, possible faults regarding ei- DKU 1 CM C1 Mode on σSerial1
ther the topology or the functionality are checked. CM C1 IRS1 Mode on σM IL
IRS1 RA Mode on σN AV ; σARIN C
RA IRS1 Alert σN AV ; σARIN C
3 The Automatic Test Benchmark
IRS1 CM C1 Alert σM IL ; σN AV
3.1 Avionics system CM C1 DKU 1 Alert σSerial1 ; σN AV
The avionics system of the NH90 helicopter is designed Table 3: Messages
to support multiple hardware and software platforms from
162
� Proceedings of the 26th International Workshop on Principles of Diagnosis
The PMC is used to monitor the status of all the avion-
ics computers. It displays the alert informations on the
MFD. We define the performances partition pP ERF =
{σP ERF ,σ¬P ERF } with:
σP ERF = {P M C1,P M C2,RA,IRS1,M F D1}
σ¬P ERF = {CM C1,CM C2,DKU 1} and the navigation Figure 2: Navigation func- Figure 3: Performance
partition pN AV = {σN AV ,σ¬N AV } with: tion decomposition with function decomposition
σN AV = { RA,IRS1,M F D1} dprotocol with dprotocol
σ¬N AV = {CM C1,CM C2,DKU 1,P M C1,P M C2}.
The test consists in the simulation of a high roll. Normally
the RA should be deactivated above the value of forty de- DKU 1}; {P M C1, P M C2}; {M F D1, IRS1, RA}};
grees. The procedure contains the following actions: en- pN AV.ARIN C = pN AV × pARIN C = {{M F D1, IRS1,
gage the RA with the DKU 1; simulating a roll of 50 de- RA}; {CM C1, CM C2, P M C1, P M C2}; {DKU 1}}.
grees; check that the RA functionality is deactivated on the The performance function can give insights about the
DKU 1. Several messages are sent to achieve this func- fault. We compute the partitions with this functionality:
tionality, see Table 3, defining a data-flow for two mes- pP ERF.M IL = pP ERF ×pM IL = { {M F D1,RA};
sages : "Mode on" and "Alert" messages: from DKU 1 {DKU 1}; {CM C1,CM C2}; {P M C1,P M C2,IRS1} }
to CM C1 via serial communication to activate the radioal- pP ERF.Serial =pP ERF ×pSerial = { {CM C1,CM C2,
timeter’s specific mode ("Mode on" message); from CM C1 DKU 1}; {P M C1,P M C2}; {M F D1,IRS1,RA} }
to IRS1 via MIL-STD-1553 communication to relay the pP ERF.ARIN C = pP ERF ×pARIN C = { { P M C1, P M C2,
activation information; from IRS1 to RA via ARINC com- M F D1, IRS1, RA};{CM C1, CM C2}; {DKU 1} }.
munication to send a request to the RA to get the roll angle; Those partitions will serve to improve the diagnosis.
from RA to IRS1 via ARINC communication to send the 3.3 Outlooks about the decompositions
response to the IRS that compute the angle; from IRS1 to
CM C1 via ARINC communication, from CM C to DKU We describe an iterative method to update the diagnostic re-
via serial communication to display the alert and disable the sult by providing new topologies of the system. We need to
functionality ("Alert" message). get precise observations to find the faulty components. The
subsystems are computed with the framework of the previ-
3.2 System Under Test (SUT) decomposition ous section.
Given the components, the messages sent between them,
The ATB is used to perform the realization of the avionics and the protocol of these messages, we can obtain an
functions with the necessary equipments and a simulated en- overview of the system decomposition: pSU T can be
vironment needed to check the system specification. decomposed into dprotocol = {pSU T × pM IL ; pSU T ×
The ATB is described as a structural decomposition with pSerial ; pSU T × pARIN C }. This hierarchical structure is
components subsets. These sets provide partitions of the provided with a dependency graph, see Figures 2 and 3.
whole system. We define subsystems σi and the partitions The following partitions are used:
pi with regards to the connections of the avionics system of σcom1 = {{DKU 1, CM C1, IRS1, RA}};
Figure 1, the serial communication: σ¬com1 = {{M F D1, CM C2, P M C1, P M C2}};
σSerial1 = {CM C1, CM C2, DKU 1} pcom1 = {σcom1 , σ¬com1 }.
σSerial2 = {P M C1, P M C2} The path of the informations "RA mode on" and "RA
σ¬Serial = {M F D1, IRS1, RA} alert" on copilot side defines another decomposition: σcom2
pSerial = {σSerial1 ; σSerial2 ; σ¬Serial } = {{CM C2, IRS1, RA, DKU 1}}; σ¬com2 = {{M F D1,
the ARINC communications: CM C1, P M C1, P M C2}}; pcom2 = {σcom2 , σ¬com2 }.
σARIN C = {CM C1,CM C2,P M C1,P M C2,
M F D1,IRS1,RA} We describe the decomposition dcom = {pcom1 , pcom2 }
σ¬ARIN C = {DKU 1} on Figures 4 and 5. We compute partitions with the
pARIN C = {σARIN C ; σ¬ARIN C } navigability functionality and this structural decomposition:
the MIL-STD-1553 communications: pN AV.com1 = pN AV × pcom1 = {{RA, IRS1}; {M F D1};
σM IL = {CM C1, CM C2, P M C1, P M C2, IRS1} {CM C1, DKU 1}; {CM C2, P M C1, P M C2}};
σ¬M IL = {M F D1, DKU 1, RA} pN AV.com2 = pN AV × pcom2 = {{RA, IRS1}; {DKU 1,
pM IL = {σM IL ; σ¬M IL } CM C2}; {M F D1}; {CM C1, P M C1, P M C2}};
The above partitions describe the topology of the problem. pP ERF.com1 = pP ERF × pcom1 = {{RA, IRS1};
We classify the partitions into two categories: functional {CM C2}; {CM C1, DKU 1}; {M F D1, P M C1,
partitions and communication partitions. The functional P M C2}};
partitions contain the subsystems that compute and send pP ERF.com2 = pP ERF × pcom2 = {{RA, IRS1}; {DKU 1,
the informations. The communication partitions contain the CM C2}; {CM C1}; {M F D1, P M C1, P M C2}}.
subsystems that relay these informations. In our example,
the navigation functionality is tested. Functional partition 4 Illustration of the Meta-Diagnostic
are: {pN AV ,pP ERF }, connection partitions are: {pM IL , Approach
pSerial , pARIN C }. We need to define additional partitions
that can be checked with the check function on the system 4.1 Application of the meta-diagnosis approach
thanks to this representation: An iterative approach is very helpful in this case of dis-
pN AV.M IL = pN AV × pM IL = {{M F D1,RA};{IRS1}; tributed systems since diagnosis can use new subsys-
{CM C1,CM C2,P M C1,P M C2};{DKU 1}}; tems and partitions. The results of the diagnosis are
pN AV.Serial = pN AV × pSerial = {{CM C1, CM C2, re-injected in the upper system to refine the results.
163
� Proceedings of the 26th International Workshop on Principles of Diagnosis
pi checkP (pi ) Uc Fc
pN AV.com1 0 {DKU 1, {RA,
IRS1} M F D1}
pN AV.com2 1 {DKU 1, {RA}
IRS1,
M F D1}
Figure 4: Navigation func- Figure 5: Performance
tion decomposition with function decomposition
dcom with dcom Table 7: Iterations of CheckM ultiplicationP artition
with dcom
The first symptom is the misbehavior of the navigation
functionality. We describe the iterations of the algo- Subsystems checkCom Partition
rithms with two topologies. We have launched the meta- {RA, IRS1} 1 pN AV.com1
diagnostic algorithm with the topology: dN AV.protocol = {CM C1, DKU 1} 1 pN AV.com1
{pN AV.M IL ,pN AV.ARIN C ,pN AV.SERIAL } and dN AV.com {CM C2, P M C1, P M C2} 1 pN AV.com1
= {pN AV.com1 , pN AV.com2 }. The constraint is CON S =
{checkP (pi ), ∀pi ∈ dN AV.protocol ∪ dN AV.com }. The iter- Table 8: Diagnostic results of subsystems with pN AV.com1
ations of the algorithms are described in Tables 4, and 5.
pi checkP (pi ) Uc Fc faults. Thanks to the impacted functionality, we know that
pN AV.ARIN C 0 ∅ {DKU 1} only messages concerning the IRS roll are concerned. At
pN AV.SERIAL 1 ∅ {DKU 1} this stage, the simulation of the message or the bad connec-
pN AV.M IL 0 ∅ {IRS1, tion of the IRS are the two main solutions.
DKU 1}
4.2 Application with updated constraints
We describe a new problem: the navigation func-
Table 4: Iterations of CheckM ultiplicationP artition tionality and the performance function do not be-
with dprotocol have normally. The new constraint is CON S =
{checkP (pi ), ∀ pi ∈ dN AV.protocol ∪ dN AV.com ∪
The third step gives a state of the components in Fc set dP ERF.protocol ∪ dP ERF.com }. The algorithm is loaded
that can be faulty: DKU 1 and IRS1 in Table 5. If the com- from CheckM ultiplicationP artition with the decompo-
ponents are faulty, this may explain the system behavior and sition dcom . The algorithm iterations are described in Ta-
the algorithm ends. At the same time, the communications ble 9. Once checkP (pP ERF.com2 ) = 1, we deduce that
of subsystems in Σ− can be faulty. They are checked in CM C1 is not faulty.We continue with dprotocol knowing
Table 6. the CM C1 is not faulty in Table 10. We deduce that we
ci checkC(ci ) Fc Uc have to check DKU 1 and CM C2.
DKU 1 1 {IRS1} {DKU 1}
pi checkP (pi ) Uc Fc
IRS1 0 {IRS1} {DKU 1}
pP ERF.com1 0 ∅ {CM C2}
pP ERF.com2 1 {CM C1} {CM C2}
Table 5: Iterations of the CheckComponents with
dprotocol Table 9: Algorithm 2’s iterations with dcom
Subsystems checkCom Partition
{M F D1, RA} 1 pN AV.ARIN C pi checkP (pi ) Uc Fc
{CM C1, CM C2, 1 pN AV.ARIN C pP ERF.ARIN C 0 {CM C1} {DKU 1,
P M C1, P M C2} CM C2}
pP ERF.SERIAL 1 {CM C1} {DKU 1
Table 6: Diagnostic results for subsystems CM C2}
pP ERF.M IL 0 {CM C1} {DKU 1,
CM C2}
The IRS1 is not faulty, the algorithm is relaunched
with Uc = {DKU 1, IRS1} and the other decomposition
dcom = {pN AV.com1 , pN AV.com2 }. The algorithm itera- Table 10: Iterations of CheckM ultiplicationP artition
tions are described in Tables 7 and 8. with dprotocol
Once checkP (pN AV.com2 ) = 1, we deduce that M F D1
is not faulty, see Table 7. At this step, the unfaulty com- At this state, we check the components on the system.
ponents are {DKU 1, IRS1, M F D1}, and the diagnosis is Since the reparation of CM C2 has fixed the problem, we
{RA}. conclude that CM C2 has been faulty. We also check the
Here the RA is faulty with pN AV.com1 , and the algorithm DKU 1 configuration, and find nothing. The diagnosis is
ends. The solution is RA for pN AV.com1 . The data flow ∆ = {CM C2}.
of the messages are checked as the impacted connections, The evolution of the number of faulty and unfaulty com-
wiring and, routing. The system specificities of the com- ponents is reviewed on figure 6. As expected, the number of
munication modeled with com1 five clues of the possible unfaulty components is increasing with new tests, i.e tests
164
� Proceedings of the 26th International Workshop on Principles of Diagnosis
Figure 6: Evolution of the number of faulty and unfaulty
components
of partitions. It reveals that the algorithm is converging to a
solution because the number of components is limited.
Figure 10: State of the con-
5 Software implementation straints
5.1 Diagnostic software architecture Figure 9: Initial state of the
The algorithms are implemented in a spy software of AR- diagnosis
INC and MIL-STD-1553 buses, see Figure 7. They are de-
veloped using C++ for effective diagnosis, and to be im-
plemented in the AIRBUS software. The user interfaces are initialStateP anel panel, Figure 9 defines the status of
developed with Java 1.7 and the Swing Graphical User Inter- equipments before launching the diagnosis and a button the
face (GUI) widget toolkit. The architecture of the diagnostic run the algorithm. The check values computed by the al-
gorithm defined in the Controller are provided to the oper-
ator in Figure 11. The constraintsPanel panel lets to edit
and update constraints, see Figure 10. The result of the di-
agnostic algorithm is provided on Figures 11. It gives the
faulty components (observation equal to zero) and the im-
pacted functionality. If a component is suspected, the data
Figure 7: Data flow of the diagnosis software
framework has been adapted to the ATB specificities as de-
scribed with the Model-View-Controller (MVC) paradigm
on Figure 8. Three main objects are defined for the Model:
the Component, the Set, and the Partition objects. Four main
objects are defined in the View to define specific panels: the
diagnosisPanel, the constraintsPanel, the initialStatePanel
and the resultsPanel objects. The model is implemented
with the ArrayList class. It is used to define the list of com-
ponents, the subsystems and the list of partitions. eXtensible
Markup Language (XML) files have been used to describe
the system structure. The Controller dispatches the user re-
quests and selects the panels for presentation. The diagnosis
algorithm is implemented in it. A GUI is provided for han-
dling user inputs such as partitions check values and com-
ponents observations values.
Figure 11: Diagnosis results
flow of the functional chain described by the partition must
be checked. As described in the case study, it gives insights
about the possible connections, wiring and, routing that can
be wrong.
We compute the results ∆ = { IRS1, DKU 1, CM C2,
RA } and display them on Figure 11. If some components
are unfaulty, we can update their status in Figure 9. The al-
gorithm is relaunched using the "GO" button in Figure 9.
The good diagnosis rate is evaluated on Figure 12. It is de-
Figure 8: Architecture of the diagnosis software fined by the number of faulty components that the operator
has to fix over the number of proposed faulty components.
5.2 User interfaces 5.3 Discussion
The panels are displayed one after the others for each We have proposed a solution for the diagnosis of a complex
step of the algorithm defined in the Controller. The system in aeronautics based on the MBD paradigm and the
165
� Proceedings of the 26th International Workshop on Principles of Diagnosis
equipment based on dynamic fault tree. In Proceed-
ings of the IFAC-CEA conference, October 2007.
[3] Denis Berdjag, Jérôme Cieslak, and Ali Zolghadri.
Fault detection and isolation of aircraft air data/inertial
system. pages 317–332. EDP Sciences, 2013.
[4] Fabien Kuntz, Stéphanie Gaudan, Christian San-
Figure 12: Good diagnosis rate nino, Éric Laurent, Alain Griffault, and Gérald Point.
Model-based diagnosis for avionics systems using
minimal cuts. DX 2011 22nd International Workshop
lattice concept. It is an other solution for the meta-diagnosis on Principles of Diagnosis, 2011.
problem as described in [5] since we consider the test sys- [5] Nuno Belard, Yannick Pencole, and Michel Comba-
tem environment as the main system. Belard has extended
cau. A theory of meta-diagnosis: reasoning about
the framework, here we use the original one with the lat-
diagnostic systems. In Proceedings of the Twenty-
tice concept to represent the system description. It is also
Second international joint conference on Artificial In-
provided a diagnostic algorithm implemented on the system
telligence, IJCAI’11, pages 731–737, Barcelona, Cat-
to evaluate our method. Since hundreds of diagnosis are
alonia, Spain, 2011.
possible on the ATB, since it is not possible to check all
those possibilities, we have introduced a methodology for [6] Denis Berdjag, Vincent Cocquempot, Cyrille
the ATB diagnosis that reduce the number of iterations to get Christophe, Alexey Shumsky, and Alexey Zhirabok.
the diagnosis. We have upgraded the applications of MBD Algebraic approach for model decomposition:
for avionics systems evaluated in [4] and [2]. It is proposed Application for fault detection and isolation in
the integration and evaluation of a diagnostic algorithm for discrete-event systems. International Journal of
an ATB, taking the test systems environment into account. Applied Mathematics and Computer Science (AMCS),
It differs from other applications of MBD like [8] because 21(1):109–125, March 2011.
the model decomposition is driven by the test systems speci- [7] Quang-Huy Giap, Stephane Ploix, and Jean-Marie
ficities that are represented with the lattice concept. Flaus. Managing Diagnosis Processes with Interac-
tive Decompositions. In Artificial Intelligence Appli-
6 Conclusion cations and Innovations III, IFIP International Federa-
This paper extends the MBD approach to propose a diagnos- tion for Information Processing, pages 407–415. 2009.
tic software that is developed for the diagnosis of test sys- [8] Belarmino Pulido, Carlos Alonso-González, Anibal
tems. The current framework is based on the lattice decom- Bregon, Alberto Hernández Cerezo, and David Ru-
position and is used to model a test system. First, the lat- bio. DXPCS: A software tool for consistency-based di-
tice decomposition has been used to decompose the system agnosis of dynamic systems using Possible Conflicts.
into its functionalities and connections. The second contri- 25st Annual Workshop Proceedings, DX-14, 2014.
bution consists in the proposal of an algorithm that reduce [9] Veronique Delcroix, Mohamed-Amine Maalej, and
the diagnostic ambiguity. The lattice description has been
Sylvain Piechowiak. Bayesian Networks versus Other
implemented with JAVA native packages. The software ar-
Probabilistic Models for the Multiple Diagnosis of
chitecture and diagnostic iterations are provided for a formal
Large Devices. International Journal on Artificial In-
example and an industrial case study. The diagnostic algo-
telligence Tools, 16(3):417–433, 2007.
rithm has shown to reduce the number of faulty candidates.
The results is either faulty equipment or a group of equip- [10] Mattias Krysander, Jan Aslund, and Erik Frisk. A
ments with the associated system functionality that is unable Structural Algorithm for Finding Testable Sub-models
to meet its goal. Together, they are sufficient to point out the and Multiple Fault Isolability Analysis. 21st Annual
reparations that will fix the system. The tests on the Avion- Workshop Proceedings, DX-10, 2010.
ics Test Systems in AIRBUS HELICOPTERS have shown [11] Ronan Cossé, Denis Berdjag, David Duvivier, Sylvain
good results. The development of models may confront our Piechowiak, and Christian Gaurel. Meta-Diagnosis for
solution to many others real problems. In future works, al- a Special Class of Cyber-Physical Systems: the Avion-
gorithms will be improved with adaptable decompositions ics Test Benches. In The 28th International Confer-
and automatic tests. Furthermore, as the method is generic, ence on Industrial, Engineering & Other Applications
we want to demonstrate the validity of our method for others of Applied Intelligent Systems, [Accepted], IEA/AIE
test systems used in AIRBUS HELICOPTERS. 2015, Seoul, Corea, 2015.
[12] Johan de Kleer and B.C. Williams. Diagnosing multi-
References ple faults. Artificial Intelligence, 32(1):97–130, 1987.
[1] Canh Ly, Kwok Tom, Carl S. Byington, Romano
[13] Johan de Kleer, Alan K. Mackworth, and Raymond
Patrick, and George J. Vachtsevanos. Fault Diagno-
Reiter. Characterizing diagnoses and systems. Artifi-
sis and Failure Prognosis for Engineering Systems: A
cial Intelligence, 56(2-3):197–222, 1992.
Global Perspective. In Proceedings of the Fifth An-
nual IEEE International Conference on Automation [14] Randall Davis and Walter C. Hamscher. Model-Based
Science and Engineering, CASE’09, pages 108–115, Reasoning: Troubleshooting. pages 297–346, July
Piscataway, NJ, USA, 2009. IEEE Press. 1988. San Francisco, CA, USA.
[2] Arnaud Lefebvre, Zineb Simeu-Abazi, Jean-Pierre
Derain, and Mathieu Glade. Diagnostic of the avionic
166
�