SUN Jianxiang,XU Chuanming,An Zhanxin,Wang Xiaoling
Beijing Aerospace Automatic Control Institute,Beijing 100854
Abstract: At present,the number,scale and complexity of launch vehicle software systems have increased dramatically.Software is no longer a simple stack of independent configuration items,but a tightly integrated complex distributed software system.How to improve the safety of complex launch vehicle software systems has become a new topic under launch vehicle development.This paper introduces in detail the contents and processes of software system safety analysis based on use case of the Long March 5B launch vehicle with innovations including analysis methods for key sequences,key events,failure modes and countermeasures.
Key words: launch vehicle,software system,safety analysis
With the development of computer technology,the number,scale and complexity of launch vehicle software systems have increased sharply.Software development accounts for an increasingly large share of the development of a launch vehicle.Software is no longer a simple stack of independent configuration items,but a tightly integrated complex distributed system.Compared to the LM-3B launch vehicle,the software code size for the LM-5B launch vehicle has increased by about 2.5 times,as shown in Figure 1.
Figure 1 Number of software configuration items and code lines
In a complex software system,all software configuration items not only need to complete their own functionality,but also need to operate efficiently with other software and hardware in the launch vehicle system to ensure overall safety.However,the previous software safety analysis approach focused on the safety analysis itself and design of software configuration items,while less consideration was given to the safety requirements of the overall external system environment.
This shortcoming made the safety analysis and design of complex software systems more difficult.It was necessary to adopt the approach of systems engineering to conduct safety analysis and design of software systems layer by layer,emphasizing the safety design requirements from the top down,and to form a closed loop through the safety design,testing and system verification of software configuration items from the bottom up.
In general,there are two types of safety requirements:imposed by standards and regulations;from the technically requirements specific to a project and its operating environment[1].This paper describes the contents and processes of the second type of safety requirement analysis.System-level safety requirements for software are defined as part of the specification of system requirements allocated to software[2],as shown in Figure 2.National Aeronautics and Space Administration(NASA) analyzed software faults within a certain range and over a certain period of time and found that requirements account for 34.71% of all known faults,as shown in Figure 3.
Figure 2 Software dependability and safety framework [2]
Figure 3 Software dominating fault types [6]
The use case technique is a good way to capture a system’s behavioral requirements with the addition of a detailed scenario[3].Each use case in a use case model presents a functional module,with a corresponding sequence diagram[4].Sequence diagrams have been introduced as one of the interaction models in UML and are drawn to show various objects that will collaborate with each other and various messages that will be exchanged among them during the execution of a selected scenario[5].
Launch vehicles have exactly such characteristics: their test,launch and flight control are composed of different sequences,each sequence includes different events,and each event is coordinated by different software and hardware to complete the predetermined functions.Therefore,in the safety analysis of the LM-5B software system,starting from the analyses of key sequences and key events,designers used sequence diagrams to analyze the participants of each key event,collaborative operating processes,various failure modes and the impact of each failure link,so as to design preventive measures for each failure mode and propose safety requirements for the design and verification of subsystems and software configuration items.
The safety analysis of a launch vehicle software system should be carried out layer by layer,as shown in Figure 4,from top to bottom,from the overall software system to subsystem software systems.The analysis process is as follows: 1) Conduct the safety analysis and design of the overall launch vehicle software system during the design and analysis phases of the launch vehicle,nominating safety requirements for each subsystem of the launch vehicle,while clarifying the safety verification environment requirements and design in the appropriate compatibility test and factory test;2) Carry out subsystem software system safety analysis and design in the subsystem analysis and design phases,proposing safety requirements for each software configuration item,and clarifying the safety verification environment requirements while designing in the necessary subsystem comprehensive validation;3) Conduct software safety analysis and design during the software analysis and design phases,clarifying the design requirements for a safe testing environment in software testing;4) Verify the safety design through comprehensive testing,compatibility testing and factory testing of subsystems.
Figure 4 Analysis process
This paper introduces in detail the processes and main contents of safety analysis of the overall launch vehicle software system and subsystem software systems.
Safety analysis of the overall launch vehicle software system were performed according to the overall task requirements of China Space Station,the preliminary hazard analysis of the system and the preliminary analysis and design of the overall launch vehicle software system.The analysis results were reflected in the task description issued to each subsystem group under the overall system design department.Safety analysis for each subsystem and design of subsystem software systems were performed according to the safety requirements in the software development task description issued to each subsystem,where the requirements for function,performance,reliability and safety of the software system were specified.The preliminary analysis and design of the software system clarified the structure topology,subsystem composition and main information flow among subsystems of the overall launch vehicle software system.The preliminary hazard analysis of the system defined key sequences related to the software system.
The safety analysis process for the overall launch vehicle software system is shown in Figure 5,including the following main tasks: key sequence analysis,key event analysis,failure mode analysis,preventive measure design,and proposals for the requirements for verification and test environment construction.
Figure 5 Safety analysis process of the overall launch vehicle software system
Subsystem software system safety analysis was performed according to the task requirements,preliminary hazard analysis and software system preliminary analysis and design of subsystems.The analysis results were reflected in the task description issued to each software configuration item within a subsystem.The safety analysis of the corresponding software configuration items was carried out according to the safety requirements in the task description,where the requirements for the subsystem software system function,performance,reliability,safety,interface were specified.
The subsystem software system preliminary analysis and design clarified the structure topology,the composition of software configuration items and the main information flow between each configuration item.The preliminary hazard analysis of the subsystem identified key sequences related to the subsystem software system.
The safety analysis process of a subsystem software system not only followed the safety analysis process of the overall launch vehicle software system,but also determined the critical software configuration items for the final stage,as shown in Figure 6.
Figure 6 Safety analysis process of the subsystem software system
The key sequences determined by the preliminary hazard analysis were analyzed and the key events related to the software system were identified.During the safety analysis of the overall launch vehicle software system,the events that each subsystem needed to complete in sync with other subsystems were mainly determined.During the safety analysis of a subsystem software system,it determined the events related to each software configuration items of the subsystem,including the events related to the subsystem determined under the safety analysis of the overall launch vehicle software system and the events independently completed within the subsystem.Figure 7 shows the pre-launch and flight sequence analysis results which were determined during the safety analysis of the overall launch vehicle software system,which identified the events that need to be completed by each subsystem.
Figure 7 Pre-launch and flying sequences
The events determined during the key sequence analysis were analyzed in detail with the help of the sequence diagram,the event completion process,the subsystem or software configuration items involved,so the interface and the cooperative relationship were determined.In the safety analysis of the overall launch vehicle software system,a subsystem was considered the basic unit for the completion of an event,while in the safety analysis of a subsystem software system,a software configuration item was the basic unit.
Figure 8 shows the process of completing an aiming event,the participating subsystems,the main information flow and the interface in the pre-launch sequence determined during the safety analysis of the overall launch vehicle software system.
Figure 8 Sequence diagram of aiming event
The failure mode and failure consequence of each link of the event were analyzed,and the failure level of each failure mode and related subsystems or software configuration items were determined.The definition of the failure level is shown in Table 1.Generally,events of failure level I and II are listed as critical events,so the preventive measures design,testing and experimental verification was focused.
Table 1 Failure level definition of launch vehicles
During the safety analysis of the overall launch vehicle software system,the failure modes of each link in the completion of critical events were analyzed,generally focusing on the failure modes of software and hardware compatibility and interfaces between subsystems.In the safety analysis of subsystem software systems,failure modes of the hardware environment,interfaces,software configuration item interaction,transmission links,and actuators were mainly analyzed.Examples of failure modes determined during the safety analysis of the overall launch vehicle software system the preventive measures designed for six types of failure modes are shown in Table 2.
Table 2 Failure modes and preventive measures
To formulate corresponding preventive measures for various failure modes,in addition to ensuring the effectiveness and reliability of preventive measures,the feasibility of project implementation and the convenience of software testing and verification were also be considered.
The verification and environmental construction requirements were proposed according to the designed preventive measures.Validation can take the forms of testing,experimentation and review.The verification requirements for software configuration items were completed through unit tests,assembly tests,configuration item tests,third party tests and subsystem comprehensive tests during the process of configuration item development.The verification requirements for subsystem software systems were identified during compatibility test and factory test.
In system design,the requirements for verifying software to enable a safe system design were established through the construction of a verification environment.This enabled the conditions of verifying the software system for a safe design during the comprehensive test,compatibility test and factory test,such as the design of equivalent device capable of fault injection.
During the safety analyses of subsystem software systems,key software configuration items were determined according to analysis results,and the quality of development,safety design and verification of key software configuration items.The division principle of critical and non-critical software configuration items was determined according to the mission requirements.Generally,software configuration items that may lead to launch failures,flight failures or accuracy losses were listed as critical software configuration items.
Through safety analyses of the overall launch vehicle software system and subsystems,software designers identified 12 key sequences and 69 key events,isolated 168 possible failure modes,adopted 231 preventive measures,and identified 103 critical software configuration items.In the process of software configuration items,development,the preventive measures were implemented in design and implementation of software configuration items,while the failure modes were simulated in tests and the verification processes to verify the correctness and effectiveness of the preventive measures.In the acceptance process,focus was given to the development quality of critical software configuration items,the safety design and verification.
The safety analysis of the top-level software system in the early stage of LM-5B launch vehicle development played the following roles:
1) The failure modes and failure effects of key events in the key sequences of the system were analyzed,the preventive measures for each failure mode were determined,and the safety requirements for subsystems and software configuration items were clarified.
2) In addition to completing the general safety analyses and design of various of software,the software configuration item developer carried out safety analysis and design work according to the safety requirements for the launch vehicle software system.3) In the early stage of the LM-5B launch vehicle development,the requirements of the software system safety verification,and the requirements of software testing,comprehensive testing,compatibility and factory testing environment were determined,and the system design requirements were clarified,so that safety testing and verification could be performed in the subsequent software testing and various tests under different conditions.
Safety analysis of the LM-5B software system was carried out.Through the system safety analysis,software designers proposed the requirements for the software system safety design,testing and verification environment.In addition to the realization of software functions,software designers carried out targeted safety design according to the system safety requirements.In the process of comprehensive tests,compatbility tests and simulation tests,the software system passed the comprehensive fault injection verification,strength test,and the operation of the system was established.The comprehensiveness and effectiveness of the safety analysis and design methods,which improve the safety of each software configuration item operating with other software configuration items were confirmed in the system environment.The rocket safety analysis and design methods here have become the standards for the safety analysis in other projects.