Safety Analysis of Integrated Modular Avionics System Based on FTGPN Method

Compared with the federated avionic architecture, the integrated modular avionics (IMA) architecture of an aircraft can provide more sophisticated and powerful avionic functionality; at the same time it becomes structurally dynamic, variably interconnected, and highly complex. Traditional approaches such as fault tree analysis (FTA) are neither convenient nor sufficient for the safety analysis of the IMA system. To overcome these limitations, an approach that combines FTA with the generalized stochastic Petri net (GSPN) is proposed. First, FTA is used to establish a static model for the top level of the IMA system, while GSPN is used to build a dynamic model for each cell system. Finally, the combined model, called the FTGPN model, is generated. Moreover, the safety analysis of the FTGPN model is carried out with the PIPE2 tool. According to the simulation result, corresponding measures are taken to meet the safety requirements of the IMA system.


Introduction
The IMA system is evolving to provide more functionality with fewer parts, less weight, and lower cost, while still meeting all reliability and safety constraints [1][2][3][4]. To cope efficiently with this high level of complexity, a novel and structured development methodology is required [5][6][7]. As is well known, FTA is widely used for the safety analysis of systems, but it has some limitations. One such limitation is that it can only evaluate the safety of static systems. However, the IMA system gives rise to a variety of dynamic failure characteristics, such as functional dependencies between events and priorities of failure events [8].
Model-based safety analysis (MBSA) utilizes software automation and integrates with design models to simplify the safety analysis of complex systems [9]. Among the MBSA methods, HiP-HOPS focuses on the automatic construction of predictive system failure analyses [10][11][12][13][14][15][16][17]. Meanwhile, languages such as the Architecture Analysis and Design Language (AADL) and AltaRica are used to analyze potential failures in a system model automatically. AADL provides a standardized textual and graphical notation for describing software and hardware system architectures and their functional interfaces [18,19]. Therefore, modelling the IMA system based on AADL has been proposed [20][21][22][23][24][25][26]. Its disadvantage, however, is that it cannot perform safety analysis directly and must be converted to other safety analysis methods such as Petri nets and HiP-HOPS [16,17]. In addition, AltaRica [27] is a high-level modelling language dedicated to safety analysis. Based on AltaRica, there is a commercial tool called Simfia, which is the modelling platform for the Airbus A380.
GSPN and fault tree driven Markov processes (FTDMP) are compared in [28], which points out that GSPN is at a higher level of modelling formalism and shows a superior modelling capacity compared to FTDMP. A conceptual framework that incorporates semi-Markov process (SMP) based complex behaviour into HiP-HOPS for modelling complex systems is proposed in [29]. Although the quantitative results obtained through this SMP [30,31] are much more precise than the results of GSPN analysis, the safety model in GSPN is more intuitive. Moreover, to reduce the computation required for GSPN analysis, many mature simulation tools such as GreatSPN [32] and PIPE2 [33,34] have been developed.
A hybrid method in which GSPN is used for the cell systems and the FTA process is applied to the upper-level system has been validated effectively [35]. It gives a clear view of the relationship between the failure of subsystems and the failure of the system, but it lacks a further safety evaluation for the whole system. In addition, GSPN has been used in several works [36][37][38][39][40][41][42][43] to build a safety model for a single dynamic system, but such a model cannot illustrate the system's interactions with other systems.
Within this broader context, the specific contributions of this paper are:
(1) According to its working principle, the IMA system is simplified in order to make the safety model easier to build.
(2) The proposed FTGPN method not only builds a static safety model for the top level of the IMA system but also establishes dynamic safety models for the cell systems.
(3) The FTGPN model of the IMA system is simulated with the PIPE2 tool, and the corresponding parameters can be adjusted easily to meet the safety requirements.
The FTGPN method solves the problem of being unable to build a comprehensive and accurate safety model for the complex IMA system. Moreover, FTGPN provides an effective safety analysis method for the IMA system.
The rest of this paper is organized as follows: Section 2 introduces preliminary knowledge, mainly about the IMA system and the FTGPN method. Section 3 establishes the FTGPN model of the IMA system with FTA and GSPN. Section 4 carries out the safety analysis of the FTGPN model. Section 5 describes the capabilities and limitations of the FTGPN. Section 6 draws the conclusions.

Preliminary
In this section, the IMA system is introduced first. Then, an overview of GSPN is given.

2.1. Integrated Modular Avionics.
IMA architectures provide a general platform for hosting avionics in the aircraft. The IMA platform includes a shared processing system, a shared data network, and a shared I/O system. The shared platform is an efficient means of implementing avionic functionality since it greatly reduces the number of electronic boxes and wires in the aircraft. Therefore, the IMA system enables a great reduction in size, weight, and power for a suite of avionic systems.
The IMA architecture is shown in Figure 1 [44]. The ARINC-653 standard is a common implementation of software partitioning [45]. It guarantees each application's memory space and temporal execution environment so that applications are not affected by one another.
The shared network replaces many dedicated communication lines with a shared backbone network. A common network implementation today is defined by the ARINC-664p7 standard [46]. ARINC-664p7 also includes the concept of partitioning through the use of Virtual Links (VLs), which ensure that communication from one application cannot affect the contents or the temporal characteristics of message delivery from another (a not-to-exceed data latency is guaranteed). The shared Input/Output (I/O) system acts as a gateway that transfers I/O between many separate sources and the shared network. This makes the I/O available to all network-connected devices without running dedicated wiring in the aircraft. Since many sources of data are concentrated onto a common network, these devices are typically referred to as "Remote Data Concentrators (RDCs)" [47].
In order to model the IMA system, the simplified topology of the IMA system shown in Figure 2 is used. It includes the RDC, the General Processing Module (GPM), and the shared communication data network using the ARINC664 standard. The AFDX end system has two independent communication interfaces, channels A and B. The operating system software and hardware of each GPM are the same, while the software applications of the GPMs differ [2].
The IMA system works as a converter, and all communication signals are processed in the system. First, the non-ARINC664 signal is converted to an ARINC664 signal. Second, the signal passes through the RDC. Third, it is transmitted to the GPM through channel A or B. After the signal has been processed, it is output from the GPM through channel A or B. Finally, the signal is converted back to the corresponding non-ARINC664 signal at the RDC. This whole process is the simplified working principle of the IMA system. The following sections carry out a safety analysis of the IMA system based on this simplified structure.

2.2. Overview of GSPN.
A GSPN consists of places (circles), transitions (rectangular bars), directed arcs, and tokens (black dots). The directed arcs connect input places to transitions or transitions to output places. The places "P" represent the state or condition of a component. The transition "T" describes the change of state from an input place to an output place, and the direction of token flow is determined by the directed arcs. Each arc has a multiplicity, which gives the number of tokens the arc carries. A transition can only fire if each input place holds at least as many tokens as the multiplicity of the corresponding arc [48][49][50].
In a stochastic Petri net (SPN), when a transition is enabled, the token waits until the firing delay has elapsed (the delay holds the token in place). Once the firing delay ends, the tokens migrate from the input places to the output places, and the number of migrating tokens depends on the input and output functions. SPN was then extended to GSPN. Besides the SPN features, two new features are added: immediate transition firing and inhibitor arcs (used to disable a transition when a token is present in the connected input place) [51,52]. The definition of a GSPN is as follows.
A GSPN is a 6-tuple $(P, T, F, W, M_0, \lambda)$ where:
(1) $P$ is a finite set of places.
(2) $T$ is the set of transitions, consisting of a finite set of timed transitions, each associated with a random delay time between enabling and firing, and $T_2 = \{t_{m+1}, t_{m+2}, \cdots, t_n\}$, a finite set of immediate transitions that fire with zero delay.
(3) $F \subseteq (P \times T) \cup (T \times P)$ is the set of arcs, with $(P \times T) \cap (T \times P) = \emptyset$. Inhibitor arcs, which can only run from places to transitions, disable the enabling condition of a transition.
(4) $W$ is the weight function of the arcs.
(5) $M_0 : P \to \{0, 1, 2, 3, \cdots\}$ is the initial marking.
(6) $\lambda = \{\lambda_1, \lambda_2, \cdots, \lambda_n\}$ is the set of firing rates of the timed transitions.
Every marking $M_i$ is reached from $M_0$. For example, in the net of Figure 3 a marking $M$ is represented by the token counts in $\{P1, P2, P3\}$, and $M_0 = \{1, 0, 0\}$. A new marking $M_1 = \{0, 1, 0\}$ is reached when the timed transition T1 fires. $M_1$ is a Vanishing state because the immediate transition T2 is enabled at once, so the Tangible state $M_2 = \{0, 0, 1\}$ is reached immediately. $M_0$, $M_1$, and $M_2$ form the reachability set of this simple system: $M_0$ and $M_2$ are Tangible states, while $M_1$ is a Vanishing state, that is, a state that changes to a new Tangible state immediately.

Proposed FTGPN Method
Traditional safety analysis methods (such as fault trees, reliability block diagrams, binary decision diagrams, and Markov process models) cannot effectively simulate the dynamic behaviour of a system. GSPN, however, is suitable for modelling dynamic behaviour [50]. Therefore, the FTGPN approach is developed to combine fault trees and GSPN in a new way, and FTGPN is used in this paper for the safety analysis of the IMA system. The FTGPN approach is applied in the following steps. First, the fault tree is used to identify the cell systems clearly with deductive logic and to establish the top level of the system. Second, a GSPN model is built for each cell system. Third, the GSPN models of the cell systems are connected according to the architecture of the fault tree. Finally, the FTGPN model of the whole system is formed, and its safety analysis can be carried out with the PIPE2 tool. How to establish the FTGPN model of the IMA system is introduced in detail in the following sections.
3.2. FTA Modelling.
Generally, in order to ensure that the FTGPN model is correct and effective in application, some restrictions need to be made. The following conditions are assumed to hold:
Assumption 1. Each component of the system has only two states, failed and operational.
Assumption 2. Each component in the system fails independently, and no more than two components fail at the same time.
Assumption 3. Maintenance equipment is sufficient, a component is repaired in time after it fails, and the repaired component is as good as new.
Assumption 4. The failure rate of a component is $\lambda$.
Assumption 5. The repair rate of a component is $\mu$.
Figure 5 shows the fault tree analysis of the IMA system architecture. The failure of the RDC is represented by B. Channel A of the ARINC664 network is C1 and channel B is C2; both of them together lead to the failure of the ARINC664 network, represented as C. In addition, the CPU is D, the memory is E, the RTOS is H, and the end system software is G; the failure of any one of them leads to the failure of the GPM, represented as M. Moreover, the RDC, the ARINC664 network, and the GPM are combined with an "OR" gate.

3.3. FTGPN Modelling.
Following the modular approach, the GSPN models of the GPM and of the ARINC664 network are established first. Then the top level of the FTGPN model of the IMA system is synthesized.

GPM Model.
The GSPN model of the GPM is illustrated in Figure 6, and the model descriptions are presented in Tables 1 and 2. The working process of the GPM is as follows. It is operational at first. After a random time, the CPU changes from $P_{dw}$ to $P_{df}$ and the place $P_{mw}$ becomes empty (the number of tokens in $P_{mn}$ is 1, and it is used to prohibit the failure of other components in the GPM); then the immediate transition $T_{mf}$ is triggered, and the GPM changes from $P_{mw}$ to $P_{mf}$. A random time later, the CPU in the GPM is assumed to be repaired, and it changes from $P_{df}$ back to $P_{dw}$ (the tokens in $P_{df}$ and $P_{mn}$ disappear). Then the GPM changes from $P_{mf}$ back to $P_{mw}$, which indicates that the GPM is operational again.

ARINC664 Network Model.
The GSPN model of the ARINC664 network is depicted in Figure 7, and the model descriptions are presented in Tables 3 and 4. The working process of the ARINC664 network is as follows. It is operational at first. After a random time, channel A of the ARINC664 network changes from $P_{c1w}$ to $P_{c1f}$, the number of tokens in $P_{cw}$ becomes 1, and the number of tokens in $P_{cn}$ becomes 1. When the number of tokens in $P_{cw}$ becomes 0 and the number of tokens in $P_{cn}$ becomes 2, the immediate transition $T_{cf}$ is triggered, and the ARINC664 network changes to $P_{cf}$. A random time later, channel A changes from $P_{c1f}$ back to $P_{c1w}$, and the ARINC664 network recovers to $P_{cw}$.

Figure 4: FTGPN illustrated with a simple example.
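To make the Tangible/Vanishing distinction from the GSPN definition above and the channel-level failure logic of the ARINC664 network model concrete, here is an added example (not code from the paper, and not PIPE2): a small reachability explorer in Python, run on the three-place net of Figure 3 and on a constructed two-channel net whose places and transitions are my own simplification of Tables 3 and 4, not the paper's exact model.

```python
from collections import deque

class GSPN:
    """Places, timed/immediate transitions, ordinary and inhibitor arcs."""

    def __init__(self, places):
        self.places = list(places)
        self.idx = {p: i for i, p in enumerate(self.places)}
        self.transitions = []  # (name, immediate, inputs, outputs, inhibitors)

    def add_transition(self, name, inputs, outputs, immediate=False, inhibitors=None):
        # inputs / outputs / inhibitors map place name -> arc multiplicity
        self.transitions.append((name, immediate, inputs, outputs, inhibitors or {}))

    def enabled(self, marking, t):
        _, _, inputs, _, inhibitors = t
        # every input place holds at least the arc multiplicity, and every
        # inhibitor place holds fewer tokens than the inhibitor multiplicity
        return (all(marking[self.idx[p]] >= w for p, w in inputs.items())
                and all(marking[self.idx[p]] < w for p, w in inhibitors.items()))

    def fire(self, marking, t):
        _, _, inputs, outputs, _ = t
        m = list(marking)
        for p, w in inputs.items():
            m[self.idx[p]] -= w
        for p, w in outputs.items():
            m[self.idx[p]] += w
        return tuple(m)

    def reachability(self, m0):
        """BFS over markings; returns {marking: 'Tangible'|'Vanishing'} and edges."""
        kind, edges, queue = {}, [], deque([tuple(m0)])
        while queue:
            m = queue.popleft()
            if m in kind:
                continue
            en = [t for t in self.transitions if self.enabled(m, t)]
            imm = [t for t in en if t[1]]
            # a marking that enables any immediate transition is left with zero delay
            kind[m] = "Vanishing" if imm else "Tangible"
            for t in (imm or en):  # immediate transitions have priority over timed ones
                m2 = self.fire(m, t)
                edges.append((m, t[0], m2))
                queue.append(m2)
        return kind, edges

def figure3_example():
    """The three-place net of Figure 3: T1 timed, T2 immediate."""
    net = GSPN(["P1", "P2", "P3"])
    net.add_transition("T1", {"P1": 1}, {"P2": 1})
    net.add_transition("T2", {"P2": 1}, {"P3": 1}, immediate=True)
    return net.reachability((1, 0, 0))[0]

def network_example():
    """Constructed two-channel net (own simplification, not Tables 3/4): P_cw holds one
    token per healthy channel; the network fails via immediate Tcf only when P_cw is empty."""
    net = GSPN(["c1w", "c1f", "c2w", "c2f", "cw", "cok", "cf"])
    for ch in ("c1", "c2"):
        net.add_transition(f"T{ch}f", {f"{ch}w": 1, "cw": 1}, {f"{ch}f": 1})  # timed fail
        net.add_transition(f"T{ch}r", {f"{ch}f": 1}, {f"{ch}w": 1, "cw": 1})  # timed repair
    # Tcf fires when P_cw is empty (inhibitor arc); Tcr fires as soon as a channel is back
    net.add_transition("Tcf", {"cok": 1}, {"cf": 1}, immediate=True, inhibitors={"cw": 1})
    net.add_transition("Tcr", {"cf": 1, "cw": 1}, {"cok": 1, "cw": 1}, immediate=True)
    return net.reachability((1, 0, 1, 0, 2, 1, 0))[0]

if __name__ == "__main__":
    for marking, state_kind in network_example().items():
        print(state_kind, dict(zip(["c1w", "c1f", "c2w", "c2f", "cw", "cok", "cf"], marking)))
```

Running it lists four Tangible and three Vanishing markings for the two-channel net, and the only Tangible marking with the network-failed place occupied is the one in which both channels have failed.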

FTGPN Model.
The FTGPN model of the IMA system is shown in Figure 8, and the model descriptions are presented in Tables 5 and 6. The working process of the IMA system is as follows. The IMA system works normally at first. After a random time, the transition $T_{bf}$ is triggered and the IMA system changes to $P_{af}$. A random time later, the RDC recovers to operational and the transition $T_{br}$ is triggered; the token in $P_{af}$ disappears, and the IMA system recovers to operational. Finally, according to the top-level FTA model of the IMA system, the GSPN models of the cell systems, the GPM and the ARINC664 network, are combined into the FTGPN model. The safety analysis of the IMA system is carried out in the following sections.

Results and Discussion
The PIPE2 tool [33,34] is used to analyze the FTGPN model of the IMA system. PIPE2 is an open-source tool that supports creating and analyzing Petri nets and has an easy-to-use graphical user interface that allows a user to build stochastic Petri net models. Additionally, the analysis environment of this tool includes modules such as steady-state analysis, reachability/coverability graph analysis, and GSPN analysis [37]. The analysis results in Tables 7 and 8 are obtained through GSPN analysis. As depicted in Table 7, the operational states of the IMA system are M0, M5, and M6, in which the number of tokens in $P_{af}$ is 0. The total probability of M0, M5, and M6 is 0.89213. It equals the probability that the number of tokens in $P_{af}$ is 0 ($\mu = 0$) in Table 8. Therefore, the probability that the IMA system is in an operational state is 0.89213.
Figure 9 illustrates the reachability graph of the FTGPN model of the IMA system. Each graph node represents one state of the IMA system, and the initial state is node S0. $S0 = \{0, 0, 0, 0, 1, 0, 1, 0, 0, 2, 0, 1, 0, 1, 0, 1, 0, 1, 0, 0, 1\}$, given as the number of tokens in each place, and S0 corresponds to M0 in Table 7. Tangible states are shown in red, while Vanishing states are shown in blue. Therefore, the markings of the Tangible states correspond to the markings in Table 7.
As shown in Figure 9, the states change by firing transitions. For instance, from state S0 (M0) the transition $T_{c1f}$ fires and the state becomes S6 (M6); likewise, from S0 (M0) the transition $T_{c2f}$ fires and the state becomes S5 (M5). All of these can be found in Table 7. The number of tokens changes in the places involved in the corresponding transitions, such as $P_{c1f}$, $P_{c1w}$, $P_{c2f}$, and $P_{c2w}$. Similarly, S7 (M1), S8 (M2), S9 (M3), and S10 (M4) can be found among the corresponding states in Table 7. The states in Table 7 match the red Tangible states in Figure 9 one by one. Although these results could be obtained manually from Figure 7, the whole reachability graph of a complex system is obtained quickly and accurately with the PIPE2 tool.
In addition, every small part of the reachability graph is a closed loop. For instance, S6 (M6) fires transition $T_{df}$ and becomes S18; S18 fires transition $T_{mf}$ and becomes S27; S27 fires transition $T_{dr}$ and becomes S29; finally, S29 fires transition $T_{mr}$ and returns to S6 (M6). The whole process is a cycle, shown in purple in Figure 9, and the reachability graph is composed of many such cycles. Together they give all the Tangible and Vanishing states of the IMA system. Moreover, based on the reachability graph, further quantitative analysis can be carried out in the future.
The FTGPN model has been simulated with different numbers of random firings. The token distributions after 100, 500, and 1000 random firings are shown in Figure 10.
The graph in Figure 10 shows that the three lines almost coincide. The highest point is $P_{cw}$, whose average number of tokens is close to 2, while the lowest points are $P_{bf}$, $P_{bw}$, and $P_{cf}$. The value of $P_{bw}$ is not what we expect. Therefore, corresponding countermeasures should be developed to increase its value and bring it to 1. Clearly, simulation of the FTGPN model allows users to analyze the failure behaviour of IMA systems in a more intuitive way. In fact, the above simulations serve to explain the application of the FTGPN model to the IMA system; they do not correspond to the real case in the aircraft. For example, there is no repair of the IMA system during a flight, and the FTGPN model would have to reflect that. Although the FTGPN method for modelling the IMA system has been verified effectively, further quantitative analysis should be carried out in the future.

Capabilities and Limitations of the FTGPN
Some capabilities and limitations of the FTGPN (in particular its limitation in making accurate quantitative analysis for the IMA system) are discussed in this section.

5.1. Capabilities of the FTGPN.
The FTGPN offers the following capabilities.
(1) First, the architecture of the IMA system is simplified according to its working principle. This is a very important step in building the FTA model for the top level of the system.
(2) The FTGPN method establishes the top level of the IMA system with FTA as a static model, while the cell systems are built with GSPN as dynamic models. In addition, the dependencies and interactions within the IMA system are depicted intuitively by the FTGPN model.
(3) The PIPE2 tool is chosen to simulate the FTGPN model of the IMA system. The results include not only the Tangible states but also the probability that the IMA system is operational. In addition, the reachability graph depicting all the states can be obtained automatically, and the number of tokens in each place is illustrated clearly. Therefore, corresponding measures can be taken according to the simulation.

5.2. Limitations of the FTGPN.
The FTGPN has the following limitations, all of which will be addressed in our future work.
(1) The simplified IMA system is used in this paper. However, it is known that simplifying the complex system is difficult. Therefore, a new method to generate the FTA automatically should be developed in future work.
(2) It takes much time to establish the FTGPN model. In addition, it is very easy to make mistakes when building the model manually. Therefore, a software tool which can generate the model automatically should be developed.
(3) Compared with the existing approaches [12,29,30,31,32], the FTGPN method is better at establishing the safety model clearly and directly. However, the quantitative analysis for FTGPN is not accurate. Therefore, the quantitative analysis of the FTGPN should be optimized and verified with the aircraft fuel distribution system; optimizing the quantitative analysis is our further work.
(4) In this paper, the PIPE2 tool is chosen for the simulation. Because of the limitations of the tool, the safety analysis is inadequate. Therefore, the functions of the tool should be extended, especially for quantitative analysis.

Conclusion
The FTGPN model is proposed for the dynamic safety analysis of the IMA system. First, FTA is introduced to build a static model for the top level of the IMA system, and then GSPN is employed to construct dynamic models for the cell systems. It is an advance in safety modelling and allows faster, automatic analysis of dynamic systems using GSPN. The FTGPN model combines the advanced features of FTA with GSPN, and the integration of the two safety analysis methods is a potential tool for the safety analysis of the complex and interactive IMA system. The conclusions of this paper are as follows:
(1) The complex IMA system is simplified properly, which makes the remaining work, such as establishing the FTGPN model, easier.
(2) The FTGPN method, which combines FTA and GSPN and applies them to the IMA system, not only shows the relationships between cell systems but also simulates the dynamic interactions within each cell system.
(3) PIPE2 is used to simulate the FTGPN model of the IMA system. All the parameters we need are shown clearly, and we can adjust them conveniently to meet the safety requirements.
However, for a large system including thousands of components, it is difficult to build the FTGPN model. It would be better to develop a tool that can establish the FTGPN model and carry out its safety analysis automatically.

Figure 2: The simplified topology of the IMA system.

3.1. Brief Description of FTGPN.
FTGPN is depicted clearly with a simple example in Figure 4. The failure of component Z1 is represented by "Z1", while the failure of component Z2 is represented by "Z2". The fault tree uses $\lambda_{z1}$ and $\mu_{z1}$ as the failure and repair rates of component Z1 for quantitative analysis. If component Z1 has failed, the FTGPN uses a GSPN model to represent the failure behaviour of Z1.

Figure 5: The FTA model of the IMA system.

Figure 9: Reachability graph of the FTGPN model for the IMA system.

Figure 10: Token distribution for different numbers of firings.


Table 1: Places in the GSPN model for the GPM.

Table 2: Transitions in the GSPN model for the GPM.

Table 3: Places in the GSPN model for the ARINC664 network.

Table 4: Transitions in the GSPN model for the ARINC664 network.

Table 5: Places in the GSPN model for the RDC and the IMA system.

Table 6: Transitions in the GSPN model for the RDC.

Table 7: GSPN steady-state analysis results: set of Tangible states.