Flight Control System Modeling With SysML To Support Validation, Qualification and Certification

This document discusses a research paper that proposes modeling flight control systems using SysML to support validation, qualification, and certification. The paper was published in 2016 and has over 750 reads. It was authored by researchers from SUPMECA and EISTI, including Faïda Mhenni, Jean-Yves Choley, Nga Nguyen, and Christophe Frazza. They suggest that modeling flight control systems with SysML can help address new challenges for validating, qualifying, and certifying systems for more electric aircraft that integrate new technologies.


See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/306025195

Flight Control System Modeling with SysML to Support Validation, Qualification and Certification

Article · December 2016
DOI: 10.1016/j.ifacol.2016.07.076

4 authors, including:
Faïda Mhenni, Supméca - Institut supérieur de mécanique de Paris
Jean-Yves Choley, Supméca - Institut supérieur de mécanique de Paris
Nga Nguyen, Ecole Internationale des Sciences du Traitement de l'Information

All content following this page was uploaded by Nga Nguyen on 26 January 2018.


14-th IFAC Symposium on Control in Transportation Systems
May 18-20, 2016. Istanbul, Turkey

Available online at www.sciencedirect.com

ScienceDirect
IFAC-PapersOnLine 49-3 (2016) 453–458

Flight Control System Modeling with SysML to Support Validation, Qualification and Certification

Faida Mhenni ∗ Jean-Yves Choley ∗ Nga Nguyen ∗∗ Christophe Frazza ∗∗∗

∗ Quartz (EA7393), SUPMECA, Saint-Ouen, France (e-mail: faida.mhenni, [email protected]).
∗∗ Quartz (EA7393), EISTI, Cergy Pontoise, France (e-mail: [email protected])
∗∗∗ DGA-TA SIE, Balma, France (e-mail: [email protected])

Abstract: The introduction of new technologies to build ‘More Electric Aircraft’ induces new challenges for both the design and safety analysis of new aircraft. A model-based approach is needed for both design and validation processes in order to manage the complexity and validate the conformance to safety requirements. In this paper, a SysML-based approach merging MBSE and MBSA is presented. This approach is applied to a Flight Control System (FCS) both for the design and the validation processes. A parallel is made to compare the models used in each of these processes. This comparison led to suggestions of improvements both for the design and for the verification and validation approaches.

© 2016, IFAC (International Federation of Automatic Control) Hosting by Elsevier Ltd. All rights reserved.

Keywords: Safety, Systems Engineering, Flight Control System (FCS), SysML, AltaRica.

1. INTRODUCTION

Most of the actuation systems in the aircraft are supplied by hydraulic power, characterized by a poor global efficiency and frequent maintenance operations. To cope with the drawbacks of the use of hydraulic technology, research works are focused on ‘More Electric Aircraft’ (see Derrien (2012), Reysset (2015)). In this scope, the Flight Control Systems (FCS) are progressively relying on electric energy to replace all or part of the hydraulic systems for the actuation of the flight control surfaces. The introduction of such new FCS implies the use of new technologies with new actuators and on-board control units. This will result in new failure modes that are not mastered because of the lack of feedback from experience. New challenges are then faced in the design as well as in the verification, validation and qualification of these systems in compliance with aeronautics safety standards such as the ARP 4761 (SAE-Aerospace (1996)).

Model-Based Systems Engineering (MBSE) is becoming compulsory for the design of such complex systems to help in better understanding and mastering these new technologies. It also helps in making the design more efficient, easier and faster and, as a consequence, in reducing design time and cost. Integrating safety aspects as early as possible in the design process helps in reducing risks (see Berres et al. (2015)). The early integration of safety in the design process is made possible by extending the system models with safety aspects, facilitating the generation of safety analysis artifacts and reducing the gap between the design and safety analyses. Such an extended model is useful both for the design and for the verification, validation and qualification activities. Indeed, certification is currently based on a huge set of documents provided by the aircraft manufacturers. Separate documents are used to describe the system and to detail the results of safety analyses (i.e. Functional Hazard Assessment and System Safety Assessment).

During the design stage, safety analyses aim at providing safety requirements that shall be met by the design team. As systems are getting more complex, it becomes almost impossible for a single safety expert to have a deep understanding of the whole system and all the technologies involved. Instead, a multi-disciplinary team is needed for safety and reliability analyses, and this team shall collaborate with the designers to meet the safety requirements. A system model is then needed around which the multi-disciplinary team shall collaborate. This model should be built in a general system language understandable by all the team.

At the validation and qualification stage, a system model is also built, with different tools, in order to validate that the safety requirements are well met and that the designed system complies with safety standards. In this paper, an integrated design approach including safety analysis using the SysML language is presented. This approach is tested in a validation and qualification process. The different models used in each process are compared. A flight control system is used as an example to illustrate this work.

This paper is organized as follows. First, a state of the art about the integration of MBSE-MBSA is given in section 2. Then, the FCS used as a case study example is described in section 3. Both the validation approach

2405-8963 © 2016, IFAC (International Federation of Automatic Control) Hosting by Elsevier Ltd. All rights reserved.
Peer review under responsibility of International Federation of Automatic Control.
10.1016/j.ifacol.2016.07.076
Copyright © 2016 IFAC 453
IFAC CTS 2016
454
May 18-20, 2016. Istanbul, Turkey Faida Mhenni et al. / IFAC-PapersOnLine 49-3 (2016) 453–458

applied in the DGA-TA and SafeSysE are respectively presented in section 4 and section 5. A discussion with improvement suggestions for both approaches is given in section 7. The paper is finally concluded in section 8.

2. RELATED WORK

Model Based Safety Analysis (MBSA) aims to provide a model-based approach to perform safety analyses while seeking a tighter integration between safety artifacts and design models. In this approach, system and safety engineers share a common system model created using a model-based development process. Joshi et al. (2006) proposed to augment the nominal system behavior captured in Simulink model-based development with the fault behavior of the system. To illustrate the process, they studied the Wheel Brake System as described in ARP 4761 Appendix L (SAE-Aerospace, 1996). The fault model consists of different component failures, i.e. digital and mechanical failure modes. Fault tolerance verification is carried out by using additional variables and real-time temporal logic operators to investigate if the system can handle some fixed number of faults. Informal safety requirements are formalized by temporal logic, and the model checker NuSMV is used to validate these requirements. Nevertheless, research challenges must be addressed on the choice of languages and tools, as well as the scalability of the analysis tool to cope with realistic systems.

AltaRica (Point, 2000) is an event-based modeling language which is designed to specify the behavior of complex systems. Mathematically based on Guarded Transition Systems, an AltaRica model is composed of nodes that are characterized by their reachable states, in and out flows, events, transitions and assertions. Once a system model is specified in the AltaRica language, it can be compiled into a lower level formalism such as finite-state machines, fault trees, stochastic Petri nets or Markov chains (Cherfi et al., 2014; Mortada et al., 2014). The language is widely used for safety assessment of automotive, avionic and transport applications. It is supported by industrial tools such as Simfia, Cecilia OCAS and open source tools like OpenAltaRica (OpenAltaRica, 2015) with a graphical interface to design models, to inject failures and to simulate models.

In Morel (2014), a model-based safety approach for early validation of avionics architectures is proposed. The model building contains four different levels: the Functional Hazard Analysis (FHA) view, the functional view, the physical view and the allocation. However, there are still some issues concerning the validation and the completeness of the allocation of functions in the functional view to hardware modules in the physical view. Model-based systems engineering with SysML can facilitate this task by building an allocation matrix since the early design phases.

Algorithms and translation rules allowing transformation from SysML diagrams to the AltaRica Data Flow language have been proposed in different research works (Cressent et al., 2011; Ruin et al., 2012; Yakymets et al., 2013). Cressent et al. (2011) proposed a mapping between SysML models and the AltaRica Data Flow (ADF) language, based on the MéDISIS framework. The first step is the translation of the SysML model to obtain the ADF description of the functional view of the system. The second step is the modeling of the dysfunctional view using the Dysfunctional Behavior Database built and updated via different safety analyses such as Failure Mode and Effects Analysis (FMEA). Via AltaRica, existing tools to quantify reliability indicators such as the global failure rate, the mean time to failure, etc. can be used directly on the failure modes identified in different steps of MéDISIS. However, a complete automation of the translation between SysML and the ADF language is not possible if some strict SysML construction rules, such as expressive allocations between the modeling elements, are not applied. As mentioned by the authors, some divergent declaration philosophies between the two languages (although sharing the object-oriented paradigm) impose complicated translation rules.

3. CASE STUDY DESCRIPTION

In this paper, we will study the flight control system (FCS) in civil aircraft. The flight controls of an aircraft typically include primary controls that govern the pitch, yaw and roll attitudes and the trajectory of the airplane, as well as secondary controls dedicated to controlling the lift of the wings. The flight control surfaces of the civil aircraft Airbus A380 are illustrated in Fig. 1.

Fig. 1. A380 Flight Control System Architecture (Van den Bossche (2006))

The architecture of the flight control system is given by Fig. 2. The number of actuators per surface, as well as the number and distribution of power sources and flight control computers, are mainly imposed by safety considerations.

The FCS is made up of the actuators, sensors and on-board calculators. The flight control surfaces are actuated with different kinds of actuators powered by two different hydraulic circuits (Green circuit G and Yellow circuit Y) and two different electric circuits (E1 and E2). Each surface is actuated with one or two actuators powered by separate power sources. For instance, each side of the aircraft contains three ailerons O/B, M and I/B. The outer aileron (O/B) is actuated with two servocontrols powered by the Green and Yellow circuits respectively. The middle aileron (M) is actuated with a servocontrol and an Electro-Hydrostatic Actuator (EHA) powered respectively with the Green hydraulic circuit and the E2 electric circuit. The inner aileron (I/B) is actuated by a servocontrol and an EHA powered respectively with the Yellow circuit and the E1 electric circuit.

The flight control surfaces are considered outside the system. The power sources, i.e. hydraulic and electric power


Fig. 2. Flight Control Surfaces of the A380 Aircraft (Van den Bossche (2006))

sources are also not part of the system since they are shared with other systems.

4. CERTIFICATION AND QUALIFICATION PROCESSES

This work was performed together with the Direction Générale de l'Armement - Techniques Avancées (DGA-TA), which is a French expertise center for ground tests of aeronautics systems and equipment. Among its missions, the DGA-TA is charged with the certification of civil aircraft in collaboration with the Direction Générale de l'Aviation Civile (DGAC) and the European Aviation Safety Agency (EASA). The SIE division of the DGA-TA is charged with the qualification and certification of critical systems and embedded software based on its expertise in the domain.

For its validation, qualification and certification activities, the DGA-TA uses model-based approaches with formal tools/languages such as AltaRica to assess the dysfunctional aspects. The AltaRica models represent the system in four different but consistent views:

• Undesired events view: this view contains the undesired events. An undesired event corresponds to the loss of one or several functions (i.e. one or several functions that are no longer performed). The undesired events view contains state observers for some functions of the functional view.
• Functional view: this view contains the system functions achieved by the system and their breakdown into sub-functions. These functions are presented in a hierarchical way including logical operators to link a function at a certain level to the functions of the level below. Through these logical operators, the functional view also contains the failure propagation logic. Each function can have one of three states: ‘Nominal’, ‘Degraded’ or ‘Loss’. The low-level functions are allocated to components from the component view.
• Structural view: the structural view models the interactions and the propagation logic of the failures among structural elements. Two levels of abstraction of the structural elements can be distinguished: equipment level and component level. An equipment is made up of a set of components. An equipment has the same intrinsic states as a function and can be either in ‘Nominal’, ‘Degraded’ or ‘Loss’ state. A component can be either in a ‘Nominal’ state, a ‘Loss’ state (if it does not emit any signal or if it is detected to be erroneous) or a ‘Misleading’ state (erroneous but undetected state). Component failures can be simulated to assess their propagation and their effect at the system level. Each component is assigned to one of the airplane zones represented in the zonal view.
• Zonal view: the zonal view delimits the different airplane zones. Partitioning the airplane into different zones allows an additional safety measure by distributing the critical redundant components in different locations, since some external threats such as electromagnetic radiation, or other internal accidents such as engine explosion, can damage an entire zone of the aircraft. The zonal view helps in distributing the critical components in such a way that the damage of one zone does not prevent the fulfillment of any critical function.

Once the model for the system is built, a series of simulations is performed to assess the safety requirements. Component failures are progressively selected from the list of failures of each component, and the simulation propagates these failures to show their effects and whether they induce any of the undesired events in the model. Fault trees can be generated from this model, and minimal cut-sets and reliability studies can then be performed with appropriate tools.

This model-based approach allows a rigorous testing of the system behavior in the presence of faults and allows a thorough validation of the safety requirements needed for the certification and qualification of the system/equipment in question. However, building the model is very long since it is based on descriptive documents provided by the airplane manufacturer. The provided documentation does not facilitate the understanding of the system. Indeed, textual descriptions are error prone and may have different


Textual descriptions may also contain inconsistencies, since the same system may be described in more than one section and updates do not necessarily reach every occurrence. Thus, the DGA-TA wishes to evaluate an integrated MBSE/MBSA methodology. A system model expressed in a language dedicated to systems engineering will help in reaching a better understanding of the system prior to the safety assessment.

5. OVERVIEW OF THE INTEGRATED MBSE/MBSA PROCESS

This section gives an overview of the integrated systems engineering and safety analysis process called SafeSysE. This process is intended to integrate safety analysis from the early design stages. For this purpose, it extends the SysML-based systems engineering methodology presented in Mhenni et al. (2014) with safety analysis processes. Integrating safety aspects early influences the decisions taken during design and avoids late design changes, which are very costly and time consuming.

SafeSysE is described in Fig. 3, which details the sequencing of the different processes of the approach (represented by SysML activities) as well as the exchanges between them. Data stores model the storage of the artifacts issued by each activity. Swim-lanes (columns) distinguish the systems engineering processes from the safety analysis processes. For more detail about SafeSysE, please refer to Mhenni (2014).

Fig. 3. SafeSysE Integrated Process

6. FLIGHT CONTROL SYSTEM MODELING USING SYSML

In this section, the SafeSysE approach is applied to the FCS. The focus is mainly on the systems engineering part of the model, in order to see how it can help the validation and certification processes. This study is a reverse engineering exercise, since it is applied to an already existing system.

In a top-down design process, the system design begins with an external view, also called the black-box view of the system. In this phase, the system is considered as a black box and the focus is on its external behavior and interactions. The aim of this phase is to thoroughly define the system specifications before moving to the second phase, where the white-box view is considered during the progressive definition of the solution. Each of the external and internal views contains structure, behavior and requirements representations. The resulting system model, with all these views and aspects, provides the means to understand both the behavior and the structure of the system and to link them to their respective requirements. Having such a model instead of, or in addition to, the description documents provided to the certification team will greatly help the understanding of the system and will reduce the inconsistencies and ambiguity of natural-language documents. However, as the intent of this methodology is mainly the design of the system, some views may contain data that is irrelevant to the validation and certification phase.

In the following, the system model of the FCS is given. The focus is only on the views useful for the validation/certification phase. The first step in modeling a system is to define the system boundary. For this purpose, a Block Definition Diagram (BDD) in SysML is used to model the system context, which describes the system as a black box together with its interactions with the different external elements. The context diagram of the FCS is given in Fig. 4 and shows the different external elements (represented as actors in SysML, with the stick-man symbol) that interact with the system, their roles with regard to the system and/or the role of the system with regard to them. As an example, this diagram shows that the ‘Control Surfaces’ are controlled by the system (first role) and provide their position to the system (second role). It also shows that there are several types of ‘Control Surfaces’, such as ‘Left Spoiler 1’, ‘Rudder’, ‘THS’, etc.

Fig. 4. Flight Control System Context

SysML offers a means to model the functional breakdown of the system. The first-level functions of the FCS and their interactions are given in the activity diagram in Fig. 5. This diagram shows how the different external input flows (received from the external actors represented in the context diagram) are progressively transformed to provide the required output flows. Each sub-function can in turn be detailed in an activity diagram containing its own sub-functions. A hierarchical representation can also be generated from this breakdown in a BDD, as the one in Fig. 6.
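The views used in this section (context actors, functional breakdown and activity flows, and further on the allocation of leaf functions to components and the IBD connectors between components) are linked by relationships that can be checked mechanically, which is where a model pays off against the document-based descriptions discussed earlier. The following consistency checker is an added example written for this page, not code from the paper or from any SysML tool; the FCS fragment it checks is constructed for illustration, its names are only loosely based on the figures, and it deliberately contains the kinds of defect a document-based description hides (a mis-spelt actor, an actor with no role, an unallocated leaf function, an idle component and a flow with no supporting connector):

```python
"""Consistency checks over a SysML-style FCS model: context actors, functional
breakdown, activity flows, component allocation and IBD connectors.
Added example, not code from the paper; the model below is constructed for
illustration and deliberately seeded with inconsistencies."""

MODEL = {
    # Context BDD: external elements (actors) that interact with the system.
    "actors": ["Pilot", "Control Surfaces", "Air Data", "Maintenance Crew"],
    # Functional breakdown BDD: parent function -> sub-functions.
    "functions": {
        "Control the aircraft": ["Acquire inputs", "Compute commands",
                                 "Control the surfaces"],
        "Control the surfaces": ["Drive actuator", "Monitor surface position",
                                 "Supply hydraulic power"],
    },
    # Activity diagram: (source, flow, target); source/target is a function
    # or an actor.
    "flows": [
        ("Pilot", "stick order", "Acquire inputs"),
        ("Air Data", "air data", "Acquire inputs"),
        ("Acquire inputs", "validated orders", "Compute commands"),
        ("Compute commands", "actuator command", "Drive actuator"),
        ("Drive actuator", "surface deflection", "Control Surfaces"),
        ("Control Surface", "surface position", "Monitor surface position"),  # seeded typo
        ("Monitor surface position", "position feedback", "Compute commands"),
    ],
    # Composition BDD and allocation of leaf functions to components.
    "components": ["FCC", "Actuator", "Position sensor", "Hydraulic pump"],
    "allocation": {
        "Acquire inputs": "FCC",
        "Compute commands": "FCC",
        "Drive actuator": "Actuator",
        "Monitor surface position": "Position sensor",
        # "Supply hydraulic power" is deliberately left unallocated.
    },
    # IBD connectors between component parts (sensor -> FCC link missing).
    "connections": [("FCC", "Actuator")],
}


def leaf_functions(model):
    """Functions that appear in the breakdown but have no sub-functions."""
    parents = model["functions"]
    children = {c for subs in parents.values() for c in subs}
    return sorted(children - set(parents))


def check_model(model):
    """Return human-readable findings; an empty list means the views agree."""
    findings = []
    parents = model["functions"]
    children = {c for subs in parents.values() for c in subs}
    roots = set(parents) - children
    if len(roots) != 1:
        findings.append(f"breakdown has {len(roots)} root functions: {sorted(roots)}")

    # Activity flows may only reference functions of the breakdown or actors
    # of the context; a name matching neither is usually a typo.
    known = set(parents) | children | set(model["actors"])
    for src, flow, dst in model["flows"]:
        for name in (src, dst):
            if name not in known:
                findings.append(f"flow '{flow}' references unknown element '{name}'")

    # Every actor of the context must play at least one role.
    used = {n for src, _, dst in model["flows"] for n in (src, dst)}
    for actor in model["actors"]:
        if actor not in used:
            findings.append(f"actor '{actor}' has no interaction with the system")

    # Every leaf function is allocated, every allocation targets a known
    # component, and every component realises at least one function.
    alloc = model["allocation"]
    components = model["components"]
    for fn in leaf_functions(model):
        if fn not in alloc:
            findings.append(f"leaf function '{fn}' is not allocated to any component")
    for fn, comp in alloc.items():
        if comp not in components:
            findings.append(f"function '{fn}' is allocated to unknown component '{comp}'")
    for comp in components:
        if comp not in alloc.values():
            findings.append(f"component '{comp}' realises no function")

    # A flow between functions allocated to different components needs a
    # connector between those components in the IBD.
    connected = {frozenset(pair) for pair in model["connections"]}
    for src, flow, dst in model["flows"]:
        if src in alloc and dst in alloc and alloc[src] != alloc[dst]:
            if frozenset((alloc[src], alloc[dst])) not in connected:
                findings.append(f"flow '{flow}' ({alloc[src]} -> {alloc[dst]}) "
                                f"has no connector in the IBD")
    return findings


if __name__ == "__main__":
    for line in check_model(MODEL):
        print("-", line)
```

Run as a script it prints five findings; once the actor is spelt consistently, the crew is given a role, ‘Supply hydraulic power’ is allocated to the pump and the sensor is connected to the FCC, the same checks return an empty list. The same relationships can be extracted from a real SysML model through the modeling tool's API or from an XMI export, so this kind of check can run on every model revision rather than being redone by hand on each document update.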

The hierarchical BDD representation can be extended to as many levels as the model contains; the diagram in Fig. 6 is simplified to the first-level breakdown for better readability.

Fig. 5. Activity Diagram - Flight Control System Functions

Fig. 6. Flight Control System: First Level Functional Breakdown

The breakdown of the ‘S09 - Control the surfaces’ function is given in Fig. 7.

Fig. 7. Function - S09 Breakdown

After the functional architecture is defined, components are chosen and allocated to the identified functions. A BDD is then used to show the system composition (i.e. the different components of which the system is made up). The allocations can be represented either in an allocation matrix or in the composition BDD itself. An extract of the composition BDD, focused on the components that actuate the Trimmable Horizontal Stabilizer (THS), is given in Fig. 8. The functions allocated to each component are listed in a compartment of the component block.

Fig. 8. Extract of the System Components and Functional Allocation

The interactions among the components are then modeled in an Internal Block Diagram (IBD). These interactions help in determining how errors propagate through the components. However, unlike the components view of the AltaRica model, the IBD does not include any logic operator for error propagation modeling. An extract of the IBD for the FCS is given in Fig. 9.

Fig. 9. Extract of the IBD for the THS related Components

7. DISCUSSION

This paper presents the results of an internship aiming at testing SafeSysE on a real industrial example at the DGA-TA and comparing it with the methods currently used for safety analysis. The focus was on the different models on which the safety analyses are based: in SafeSysE, safety artifacts are generated from SysML models, while at the DGA-TA AltaRica models are built for this purpose. As a result of this work, some improvements to both approaches are identified.
• Improvements for SafeSysE: as noticed through the different views presented earlier, the SysML-based modeling in SafeSysE does not provide any zonal view or any information about the location of the components within the whole system. Such information is very important for safety analysis and shall be considered for the improvement of SafeSysE. In the SafeSysE approach, the undesired

events are not clearly classified in the model. Only the undesirable system-level effects caused by function or component failures, identified in the FMEA process, are stored as an attribute linked to the failure modes of each function or component respectively. This point shall also be considered. The third important point is the integration of logical operators to describe the functional as well as the dysfunctional logic of the exchanges between system functions or components. This will help to introduce more dynamic aspects in the fault tree generation based on the functional system structure.
• Improvements for the DGA approach: on the other hand, some of the system views given by SafeSysE are missing in the approach currently applied at the DGA-TA and, if provided, would help in a deeper and faster understanding of the system. As mentioned earlier, the documents provided by the aircraft manufacturers give no global view of the system components or of the system functions. The hierarchical views at the functional and structural levels given by SafeSysE are very useful to make sure of having an exhaustive list of functions and components with clear allocation relationships between them. This will also avoid the inconsistencies and incompleteness in the names or descriptions of functions and components that can be found in document-based descriptions.

8. CONCLUSION

This study aims at evaluating the use of the SysML language in the validation, qualification and certification process for aircraft systems such as the flight control system. At the DGA-TA, the implementation of the SysML-based MBSE-MBSA methodology under development, SafeSysE, has shown that some SysML structural diagrams (context, functional and component structures) may improve the overall understanding of the studied system as well as the consistency of its modeling, prior to the safety-oriented system analysis usually performed with the AltaRica language. On the other hand, the simulation capability and some views of the AltaRica model could be integrated in SafeSysE to enhance the safety analysis part of this approach.

In addition, this study confirms the usefulness of sharing system models, expressed in a common general-purpose language such as SysML, between the aircraft manufacturers and their suppliers all along the design process. Indeed, this may help in performing a thorough and consistent qualification and certification when the models are made available to certifying entities such as the DGA-TA.

ACKNOWLEDGEMENTS

The authors would like to thank Aline AUSSEDAT for her thorough work in modeling an FCS and evaluating SafeSysE during her internship in the Systèmes Informatiques Embarqués (SIE) service of the DGA-TA (Balma, France).

REFERENCES

Berres, A., Schumann, H., and Spangenberg, H. (2015). Concurrent safety analysis: A method for information exchange between systems and safety engineers. In Safety and Reliability of Complex Engineered Systems.
Cherfi, A., Rauzy, A., and Leeman, M. (2014). AltaRica 3 based models for ISO 26262 automotive safety mechanisms. In Model-Based Safety and Assessment - 4th International Symposium, IMBSA 2014, Munich, Germany.
Cressent, R., David, P., Idasiak, V., and Kratz, F. (2011). Dependability analysis activities merged with system engineering, a real case study feedback. In Advances in Safety, Reliability and Risk Management: ESREL.
Derrien, J.C. (2012). Electromechanical actuator (EMA) advanced technologies for flight controls. In 28th International Congress of The Aeronautical Sciences, ICAS 2012.
Joshi, A., Heimdahl, M.P.E., Miller, S.P., and Whalen, M.W. (2006). Model-based safety analysis. Contractor report, NASA Langley Research Center.
Mhenni, F. (2014). Safety Analysis Integration in a Systems Engineering Approach for Mechatronic Systems Design. Ph.D. thesis, Ecole Centrale de Paris.
Mhenni, F., Choley, J.Y., Penas, O., Plateaux, R., and Hammadi, M. (2014). A SysML-based methodology for mechatronic systems architectural design. Advanced Engineering Informatics, 28(3), 218–231.
Morel, M. (2014). Model-based safety approach for early validation of integrated and modular avionics architectures. In Model-Based Safety and Assessment - 4th International Symposium, IMBSA 2014, Munich, Germany, 57–69.
Mortada, H., Prosvirnova, T., and Rauzy, A. (2014). Safety assessment of an electrical system with AltaRica 3.0. In Model-Based Safety and Assessment - 4th International Symposium, IMBSA 2014, Munich, Germany.
OpenAltaRica (2015). URL http://openaltarica.fr/.
Point, G. (2000). AltaRica: Contribution à l'unification des méthodes formelles et de la sûreté de fonctionnement. Ph.D. thesis, Université de Bordeaux I.
Reysset, A. (2015). Conception préliminaire d'actionneurs électromécaniques - outils d'aide à la spécification et à la génération de procédures de dimensionnement pour l'optimisation. Ph.D. thesis, Université de Toulouse.
Ruin, T., Levrat, E., and Iung, B. (2012). Modeling framework based on SysML and AltaRica data flow languages for developing models to support complex maintenance program quantification. In 2nd IFAC Workshop on Advanced Maintenance Engineering, Service and Technology, A-MEST 12, Nov 2012, Sevilla, Spain.
SAE-Aerospace (1996). Guidelines and methods for conducting the safety assessment process on civil airborne systems and equipment. ARP-4761.
Van den Bossche, D. (2006). The A380 flight control electrohydrostatic actuators, achievements and lessons learnt. In 25th International Congress of The Aeronautical Sciences, ICAS 2006.
Yakymets, N., Jaber, H., and Lanusse, A. (2013). Model-based system engineering for fault tree generation and analysis. In S. Hammoudi, L.F. Pires, J. Filipe, and R.C. das Neves (eds.), Proceedings of the 1st International Conference on Model-Driven Engineering and Software Development, Barcelona, Spain, 210–214.
