Verification and Fault Analysis based on Combination of AADL and Modelica

A cyber-physical system (CPS) is a multidimensional complex system that realizes the interaction between computing processes and physical processes. Aiming at the problems of fault occurrence and uncertain behavior, this paper proposes fault analysis stochastic hybrid automata as a formal model: the attributes of randomness and fault analysis are added through the AADL behavior attachment to extend the attributes of hybrid automata, and the extended automata are applied to embedded systems for system description and fault analysis. The model is used to model a fire control system, and AADL, Modelica and fault trees are combined to form a new model. The behavior of the model is analyzed, and a conversion algorithm and a conversion example are given.


Introduction
A Cyber-Physical System (CPS) [1] is a next-generation intelligent system built on embedded systems, computer networks, wireless sensor networks and so on. In-depth analysis and research of a CPS requires preliminary modeling. In the current research field, semiformal modeling tools include AADL, Modelica and others. AADL [2] is an architecture modeling language that is widely used for modeling safety-critical application systems in the aerospace industry. In practical application AADL has limitations and needs to be extended; the purpose of extending AADL is to better support the modeling and analysis of CPS architectures, and the extension of the AADL behavior attachment supports the discrete behavior of a CPS. Modelica [3] is an open, object-oriented, equation-based computer language that spans different domains and conveniently models complex physical systems; it describes the continuous behavior of a CPS well. Semiformal modeling alone cannot meet the development requirements of complex safety-critical systems, so software safety accidents occur frequently, and the reliability [4] of the system has become the focus of embedded system development. In recent years scholars have studied CPS further. Reference [5] proposed a modeling form of dynamic networks of stochastic hybrid automata, which allows natural modeling of these concepts. By extending finite state automata, reference [6] improved stochastic hybrid automata (SHA) and proposed a method to represent complex systems. Reference [7] proposed an uncertainty analysis method to evaluate the reliability of a system and applied the fault tree [8] to evaluate reliability and performance importance.
In this paper, the discrete and continuous behavior of the system is described using the characteristics of hybrid automata: the information system is described by AADL, the physical system is described by Modelica, and the CPS is formally modeled. The two attributes of randomness and fault analysis are added as extensions of the AADL behavior attachment, the fault analysis stochastic hybrid automata (FASHA) is proposed, the transformation rules and algorithms of the model are given by combining AADL and Modelica, and the correctness of the transformation rules is verified by bisimulation equivalence [9] [10]. This section introduces the relevant background and work. The second section introduces the combination of fault analysis stochastic AADL and Modelica. The third section introduces the rules and algorithm for transforming AADL and Modelica into automata. The fourth section presents a case study: AADL and Modelica are converted into automata, the automata are combined, and fault analysis is carried out. The fifth section gives a summary.
(IOP Publishing, doi: 10.1088/1742-6596/2261/1/012014)

Fault analysis stochastic behavior properties
A CPS is closely related to people's daily life and may exhibit uncertain behavior, run-time failures and other issues. This paper introduces AADL behavior attachments, Modelica and fault tree analysis [11] for modeling and description. AADL behavior attachments are sublanguages of AADL that can be attached to AADL components such as subprograms and threads. To clarify how the fault analysis stochastic behavior attachment is used, we model the internal behavior of components as state machines using AADL behavior attachments. The fault analysis stochastic behavior attachment language (FASBA) is composed of variables, states, faultStates and transitions.
FASBA ::= { ** variables states faultStates transitions ** }
where
• variables defines the local variables within a fault analysis stochastic behavior attachment; they describe the nature of the component at a given time.
• states defines the normal states that occur in the system, including the set of states that exist in the system and the initial state of the system. The syntax of states is: states ::= {states, initial_states};
• faultStates defines the failure states that occur in the system.
• transitions defines the transition relation between the states of the system. When the system is in a state and the corresponding conditions are met, it jumps to the corresponding successor state. The syntax is: transitions ::= {state -[guard]-> state {action, resetVariables}}, where guard is a jump guard: the next state can be entered when a state satisfying the requirement exists. It can be a Boolean expression over the variables of the current state, or an input or output action performed by the current state. The syntax of guard is:
  guard ::= data_expression | input/output_action
  data_expression ::= data_communication
  input/output_action ::= action
  where a data_communication causes a state transition because the values of the variables in a state satisfy a predicate constraint, and an action represents an input or output action that triggers the condition and changes the state when it occurs. resetVariables is an assignment expression that resets variables after the state has migrated; its syntax is resetVariables ::= variable = k, where k is a real constant.
Considering the practical problems of CPS, this paper adds two attributes, randomness and fault analysis, to the state transition. AADL behavior attachments can then describe the uncertainty of behavior and the failure probability in the process of state transition, respectively.
The fault analysis stochastic transition (FAStransitions) syntax is defined as follows:
FAStransitions ::= {state -[guard]-> stacho, weight {state {action, resetVariables}}}
where stacho is the probability of the random choice in the process of state transition, stacho ∈ [0, 1], with $\sum_{j} \mathrm{stacho}_{ij} = 1$ for a fixed state i, summing over the states j it can transition to, so that the probabilities of the transitions leaving a state sum to one. weight is the weight of the fault occurrence probability in the state transition, which is determined by the transition.
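To make the grammar concrete, the following Python model is an added example (it is not the paper's tool, nor an implementation of the AADL behavior annex): it represents FASBA states, faultStates and FAStransitions with their stacho and weight attributes, checks the sum-to-one rule for the stochastic branches leaving a state on the same event, and computes exactly (by enumerating every branch) the probability that a sequence of events ends in a fault state. The launch-system states, events, guards and probabilities are constructed for illustration and are not the paper's case-study values.

```python
"""Added example (not from the paper): an executable reading of the FASBA grammar and of
FAStransitions, i.e.  state -[guard]-> stacho, weight { state { action, resetVariables } }."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Sequence, Tuple
import random

Vars = Dict[str, float]


@dataclass
class Transition:
    src: str
    event: str                       # input/output_action that triggers the transition
    guard: Callable[[Vars], bool]    # data_expression over the local variables
    stacho: float                    # probability of this branch, in [0, 1]
    weight: float                    # fault-occurrence weight attached to this branch
    dst: str
    action: Optional[str] = None
    reset: Dict[str, float] = field(default_factory=dict)   # resetVariables: variable = k


@dataclass
class FASBA:
    variables: Vars
    states: List[str]
    initial_state: str
    fault_states: List[str]
    transitions: List[Transition]

    def check(self, tol: float = 1e-9) -> List[str]:
        """Static checks: every state name resolves, stacho lies in [0, 1], and for each
        (source state, event) the stacho values of the branches sum to 1."""
        problems: List[str] = []
        known = set(self.states) | set(self.fault_states)
        if self.initial_state not in known:
            problems.append(f"initial state {self.initial_state!r} undefined")
        sums: Dict[Tuple[str, str], float] = defaultdict(float)
        for t in self.transitions:
            for s in (t.src, t.dst):
                if s not in known:
                    problems.append(f"state {s!r} undefined")
            if not 0.0 <= t.stacho <= 1.0:
                problems.append(f"{t.src}->{t.dst}: stacho {t.stacho} outside [0,1]")
            sums[(t.src, t.event)] += t.stacho
        for (src, ev), total in sums.items():
            if abs(total - 1.0) > tol:
                problems.append(f"{src} on {ev!r}: stacho sums to {total}, not 1")
        return problems

    def enabled(self, state: str, event: str, v: Vars) -> List[Transition]:
        """Branches leaving `state` on `event` whose guard holds for the variables."""
        return [t for t in self.transitions
                if t.src == state and t.event == event and t.guard(v)]

    def reach_fault_probability(self, events: Sequence[str]) -> float:
        """Exact probability that the event sequence ends in a faultState, summed over
        every stochastic branch (full enumeration, no sampling)."""
        def walk(state: str, v: Vars, i: int, p: float) -> float:
            if i == len(events):
                return p if state in self.fault_states else 0.0
            total = 0.0
            for t in self.enabled(state, events[i], v):
                nv = dict(v)
                nv.update(t.reset)                      # apply resetVariables
                total += walk(t.dst, nv, i + 1, p * t.stacho)
            return total
        return walk(self.initial_state, dict(self.variables), 0, 1.0)

    def simulate(self, events: Sequence[str], seed: int = 0) -> Tuple[List[str], float]:
        """One random run: each branch is drawn with probability stacho; returns the
        visited states and the accumulated fault weight of the branches taken."""
        rng = random.Random(seed)
        state, v, path, w = self.initial_state, dict(self.variables), [self.initial_state], 0.0
        for ev in events:
            cands = self.enabled(state, ev, v)
            if not cands:
                break                                   # no enabled transition: run stops
            t = rng.choices(cands, weights=[c.stacho for c in cands])[0]
            v.update(t.reset)
            w += t.weight
            state = t.dst
            path.append(state)
        return path, w


def launch_model() -> FASBA:
    """Constructed toy model of a launch subsystem (illustrative values, not the paper's)."""
    return FASBA(
        variables={"d": 1500.0},                        # distance to target
        states=["idle", "armed", "fired"],
        initial_state="idle",
        fault_states=["launching-system-error"],
        transitions=[
            Transition("idle", "arm", lambda v: v["d"] > 0, 1.0, 0.0, "armed"),
            Transition("armed", "fire", lambda v: True, 0.98, 0.0, "fired", reset={"d": 0.0}),
            Transition("armed", "fire", lambda v: True, 0.02, 0.02, "launching-system-error"),
        ],
    )


if __name__ == "__main__":
    m = launch_model()
    print("violations:", m.check())
    print("P(fault after arm, fire) =", m.reach_fault_probability(["arm", "fire"]))
    print("one run:", m.simulate(["arm", "fire"], seed=1))
```

The check groups branches by (source state, event), which is the situation the automaton definition later calls a transition conflict on the same event; a model whose branch probabilities do not sum to one is reported before any analysis is run on it.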

Extending the attribute sets corresponding to the Modelica element on AADL
In a CPS there are not only discrete state transitions but also continuous changes of variables within each state. These continuous changes usually occur in the physical system and are described by differential equations or flow conditions. The elements of AADL and Modelica [12] do not correspond one to one. To solve this problem, this section uses the AADL built-in data type aadlstring to extend the AADL attribute (property) set: a property set Modelica_property is defined whose properties are variables, initial values, constants, constant values, equations and so on, and the extended property set is then attached to hardware components through the 'applies to' clause. The extended AADL attribute set is shown in table 1.
Table 1. The extended AADL attribute set.

Fault analysis stochastic hybrid automata
This paper extends traditional hybrid automata with the two attributes of fault analysis and randomness. A new automaton, the fault analysis stochastic hybrid automaton (FASHA), is proposed. Its definition reads, in part:
... are the starting point and target of arc k, respectively; e is the event labelling the arc; G is the guard condition on the state x in s′; R is the reset function of x in state s′;
(7) $A_c : X \times S \to (\mathbb{R}^+ \to \mathbb{R})$ is the 'activity' function, which associates with each element of $X \times S$ a function defined on $\mathbb{R}^+$;
(8) $P := [p_{il}]$ is a matrix of discrete probability distributions, where $p_{il} = p(s_l \mid s_i, e)$ is the probability of moving from state $s_i$ to state $s_l$. For example, let $e_q$ be the same event that defines the transitions from discrete state $s$ to discrete states $s_1, s_2, \dots, s_j$ (so there are j transition conflicts, and the underlying FSA is nondeterministic); then $p_1$ is the probability of the transition from $s$ to $s_1$, $p_2$ the probability of the transition from $s$ to $s_2$, and so on, with $p_1 + p_2 + \dots + p_j = 1$;
(9) $W : S \times A \times S' \to \mathbb{R}$ is the weighted label function, which adds a weight to each fault state;
(10) $s_0$, $x_0$ and $P_0$ are, respectively, the initial discrete state, the initial value of the continuous state vector in the initial discrete state, and the initial distribution of the transition probabilities.
Bisimulation equivalence means that two systems can imitate each other's behavior; it reflects, from one side, the relationship between the behaviors of the two systems in the objective world. The conversion algorithm above is based on a proof of bisimulation equivalence, which ensures the correctness of the model and keeps the behavior unchanged.

Case study
A fire control system is a complete set of equipment that controls the aiming and firing of artillery, an artillery group or a missile launcher. It guides the aircraft to the target area; searches for, approaches, identifies and tracks the target; measures the motion parameters of the target and of the carrier aircraft; performs the fire control calculation; and controls the firing mode, quantity and fuse setting of the weapons. As shown in Figure 1, this section studies the target tracking and detection system of the fire control system.

The physics component modeled by Modelica
The ranging sensor, azimuth meter, sensing gyroscope, velocity sensor, accelerometer and other equipment in the target detection and tracking system are regarded as the physical system of the CPS. The variables d, pos, v and raw defined in this example represent the distance between the target and the weapon carrier, and the position, speed and range change rate of the target, respectively. When the system runs, the control system starts its calculation and completes the sequence of aiming, calculation, strike and so on. First the parameters are set: d, pos, pit and the other parameters are initialized to 0 or null, an acceleration constant a is set, the speed is brought into the calculation program, and the desired result is obtained through a series of operations. Table 3 shows the Modelica model of the physical part.

Transition from Modelica and AADL to FASHA
The Modelica model is converted into an AADL component that carries the extended attribute set. The Modelica model becomes an AADL hardware device: data detected from the external environment enters the device through an in data port, and after processing it is sent to the controller through an out data port for calculation. Variables, initial variable values, constants, constant values and equations in Modelica are converted into the extended attribute set in AADL. The converted components are shown in table 4. The fault tree [13] is introduced into the hybrid automata, as shown in Figure 1, which is an example of FASHA. The automaton is established simply from the process of a gun-launched missile launch system; the branches in the error state, the fault tree obtained by fault tree analysis, and the added randomness attribute are shown in simplified form. The three fault states are launching-system-error, combat-unit-error and main-unit-error. $p_1, p_2, p_3$ are the probabilities of stochastic occurrence of the behavior; ω is the weight of failure during a state transition, i.e. the probability of failure during the transition, given by a product of branch probabilities (e.g. ω = p_1 × p); $F_1, F_2, F_3$ are combinations of fault state variables. The accidental ignition fault of the launch system takes three forms, namely primer fault, ignition fault and launch fault; $F_1, F_2, F_3$ correspond to the variable combinations of these three states, and different combinations of variables cause different faults. The accidental ignition fault of the launch system and the fuse fault are detailed in Figure 2. Fig. 2(a) shows the normal operation of the system, where $X_5$ indicates that the equipment operates normally, and the combination of these variables leads to failure.
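The conversion of a Modelica device model into the extended AADL attribute set, as described above and in the section on extending the attribute set, can be mechanized. The Python below is an added example (not the paper's converter): it extracts variables, start values, constants, constant values and equations from a small constructed Modelica model and emits the property set Modelica_property (aadlstring properties with an 'applies to (device)' clause) together with the AADL device that receives environment data on an in data port and forwards its result on an out data port. The Modelica subset handled (Real declarations with parameter or start, one equation section) and the port and model names are assumptions.

```python
"""Added example (not from the paper): Modelica (subset) -> AADL device carrying the
extended Modelica_property attribute set."""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Matches declarations such as:  parameter Real a = 2.0 "acceleration";   Real d(start = 1500.0);
DECL = re.compile(
    r'^\s*(?P<param>parameter\s+)?Real\s+(?P<name>\w+)'
    r'(?:\s*\(\s*start\s*=\s*(?P<start>[^)]+?)\s*\))?'
    r'(?:\s*=\s*(?P<value>[^;"]+?))?\s*(?:"[^"]*")?\s*;'
)


@dataclass
class ModelicaModel:
    name: str
    variables: List[Tuple[str, str]] = field(default_factory=list)   # (name, start value)
    constants: List[Tuple[str, str]] = field(default_factory=list)   # (name, value)
    equations: List[str] = field(default_factory=list)


def parse_modelica(text: str) -> ModelicaModel:
    """Minimal parser for one 'model ... equation ... end' block (assumed subset)."""
    model = None
    in_equations = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("model "):
            model = ModelicaModel(line.split()[1])
        elif line == "equation":
            in_equations = True
        elif line.startswith("end "):
            break
        elif in_equations:
            model.equations.append(line.rstrip(";").strip())
        else:
            m = DECL.match(line)
            if not m:
                raise ValueError(f"unsupported declaration: {line}")
            if m.group("param"):                      # parameter -> constant
                model.constants.append((m.group("name"), (m.group("value") or "").strip()))
            else:                                     # state variable with start value
                model.variables.append((m.group("name"), (m.group("start") or "0").strip()))
    if model is None:
        raise ValueError("no model found")
    return model


# The extended attribute set: every attribute is an aadlstring applied to devices.
PROPERTY_SET = """property set Modelica_property is
  variables       : aadlstring applies to (device);
  initial_values  : aadlstring applies to (device);
  constants       : aadlstring applies to (device);
  constant_values : aadlstring applies to (device);
  equations       : aadlstring applies to (device);
end Modelica_property;"""


def to_aadl_device(m: ModelicaModel) -> str:
    """Emit the AADL device the Modelica model maps to: environment data in, processed
    data out to the controller, Modelica content carried in the extended attributes."""
    props = {
        "variables": ", ".join(n for n, _ in m.variables),
        "initial_values": "; ".join(f"{n}={v}" for n, v in m.variables),
        "constants": ", ".join(n for n, _ in m.constants),
        "constant_values": "; ".join(f"{n}={v}" for n, v in m.constants),
        "equations": "; ".join(m.equations),
    }
    lines = [f"device {m.name}", "  features",
             "    env_in   : in data port;",          # assumed port names
             "    ctrl_out : out data port;",
             "  properties"]
    lines += [f'    Modelica_property::{k} => "{v}";' for k, v in props.items()]
    lines.append(f"end {m.name};")
    return "\n".join(lines)


# Constructed Modelica input: a target tracker with distance d, speed v and position pos.
SAMPLE_MODELICA = """\
model Tracker
  parameter Real a = 2.0 "acceleration of the target";
  Real d(start = 1500.0);
  Real v(start = 0.0);
  Real pos(start = 0.0);
equation
  der(v) = a;
  der(pos) = v;
  der(d) = -v;
end Tracker;
"""

if __name__ == "__main__":
    print(PROPERTY_SET)
    print()
    print(to_aadl_device(parse_modelica(SAMPLE_MODELICA)))
```

Because every attribute is an aadlstring, the equations are carried verbatim into AADL; the receiving analysis (here the FASHA transformation) is what interprets them as flow conditions, so the emitter deliberately does no rewriting of the equation text.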
$F = (X_6 \oplus X_7) \cdot (\lnot X_8 + X_9)$, where $X_6$ indicates that the firing pin safety mechanism is normal, $X_7$ that the slider safety mechanism is normal, $X_8$ that the fuse components are normal, and $X_9$ indicates detonation sequence failure.
Table 4. Transition from Modelica and AADL to FASHA.

Fault analysis
In engineering practice, the analysis of fault modes [14] and of normal working modes is important work for multi-component complex systems. Fault tree analysis is recognized as a good method for analyzing the safety and reliability of complex systems. We use the calculation formulas for importance and probability from reference [15] and carry out fault tree analysis based on Figure 2. The failure probabilities are listed in table 5, in which $P_x$ represents the probability of failure.
Table 5. Failure probabilities. Detonation sequence failure: $3 \times 10^{-3}$.
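The probability calculation can be carried out directly on the Boolean expression of the fuse fault given in the previous section. The Python below is an added example (it reproduces neither reference [15]'s formulas nor the paper's own computation): it evaluates $F = (X_6 \oplus X_7) \cdot (\lnot X_8 + X_9)$ exactly by summing over all assignments of independent basic events, and ranks the events by Birnbaum importance, $I_B(i) = P(F \mid X_i = 1) - P(F \mid X_i = 0)$, which is assumed here as the importance measure. Only the detonation sequence failure probability $3 \times 10^{-3}$ comes from table 5; the other event probabilities are constructed placeholders.

```python
"""Added example (not from the paper): exact top-event probability and Birnbaum
importance for the fuse fault tree F = (X6 xor X7) and (not X8 or X9)."""
from itertools import product
from typing import Callable, Dict

Assignment = Dict[str, bool]
TopEvent = Callable[[Assignment], bool]


def fuse_fault(x: Assignment) -> bool:
    """Top event F as written in the paper: (X6 ⊕ X7) · (¬X8 + X9)."""
    return (x["X6"] ^ x["X7"]) and ((not x["X8"]) or x["X9"])


def top_event_probability(top: TopEvent, p: Dict[str, float]) -> float:
    """P(F) by summing over all 2^n assignments of independent basic events.
    Exact and cheap for the handful of events in one fault-tree branch, and valid for
    non-coherent gates (XOR, NOT) where minimal-cut-set approximations are not."""
    names = sorted(p)
    total = 0.0
    for bits in product((False, True), repeat=len(names)):
        x = dict(zip(names, bits))
        if not top(x):
            continue
        prob = 1.0
        for n, b in x.items():
            prob *= p[n] if b else 1.0 - p[n]
        total += prob
    return total


def birnbaum_importance(top: TopEvent, p: Dict[str, float]) -> Dict[str, float]:
    """I_B(i) = P(F | X_i = 1) - P(F | X_i = 0)   (assumed importance measure)."""
    result = {}
    for n in p:
        hi, lo = dict(p), dict(p)
        hi[n], lo[n] = 1.0, 0.0
        result[n] = top_event_probability(top, hi) - top_event_probability(top, lo)
    return result


# P(X_i = true). X6..X8 are "mechanism is normal" events with constructed placeholder
# values; X9 is detonation sequence failure, 3e-3 from table 5.
EVENT_PROBABILITIES = {"X6": 0.99, "X7": 0.995, "X8": 0.999, "X9": 3e-3}

if __name__ == "__main__":
    pf = top_event_probability(fuse_fault, EVENT_PROBABILITIES)
    print(f"P(F) = {pf:.6e}")
    ranking = sorted(birnbaum_importance(fuse_fault, EVENT_PROBABILITIES).items(),
                     key=lambda kv: -abs(kv[1]))
    for name, imp in ranking:
        print(f"  I_B({name}) = {imp:+.6e}")
```

Because the expression contains a NOT gate, the importance of $X_8$ comes out negative: making the fuse components "normal" more likely lowers $P(F)$, which is why the ranking sorts on the absolute value.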

Conclusion
In this paper the AADL fault analysis stochastic behavior attachment is defined, and the attributes of the AADL attachment are extended to generate the corresponding Modelica extended attribute set. Because of the limitations of semiformal languages, this paper combines fault trees with AADL and Modelica, proposes a formal model, the fault analysis stochastic hybrid automata, analyzes errors with it, gives a model conversion algorithm, and proves the correctness of the model conversion by bisimulation. In future work we hope to analyze and confirm the algorithm in depth on the basis of the existing formal model.