Model-based safety analysis of a control system using Simulink and Simscape extended models

The aircraft or system safety assessment process is an integral part of the overall aircraft development cycle. It usually demands a very high effort in time and money and can become a critical design driver in certain cases. Therefore, an increasing demand for effective methods to assist the safety assessment process arises within the aerospace community. One approach is to use model-based technology, which is already well established in system development, for safety assessment purposes. This paper mainly describes a new tool for Model-Based Safety Analysis. A formal model of an example system is generated and enriched with extended models. Then, system safety analyses are performed on the model with the assistance of automation tools and compared to the results of a manual analysis. The objective of this paper is to improve the increasingly complex aircraft systems development process. This paper develops a new model-based analysis tool in the Simulink/Simscape environment.


Introduction
Safety and reliability are essential for commercial aircraft design. The conventional safety analysis methods have become very mature after a long period of research and development. However, with the increasing complexity of aircraft systems, some limitations of these methods arise.
Fenelon [1] pointed out that the design process and the safety assessment process are usually not satisfactorily integrated. He used the expression "over the wall" to describe the gap between the design and safety processes. In addition, conventional safety analysis methods suffer from low efficiency.
Given the problems of conventional safety analysis methods, an increasing demand for effective methods arises. One approach is the utilization of model-based technology. The ESACS [2] project and its follow-up project ISAAC developed safety analysis methodologies and tools in Simulink, SCADE, Statemate, NuSMV and AltaRica [3]. In 2005, Joshi et al. proposed the term "Model-Based Safety Analysis (MBSA)" for this kind of safety analysis method [4]. The European project MISSA [5] was dedicated to integrating model-based safety assessment into the system development process described by ARP4754A [6] and testing these processes on industrial examples. In 2016, Schallert [7] established safety analysis methods using multi-domain object-oriented models in Modelica.
MBSA is becoming more and more popular and is gradually gaining recognition from the authorities. AC 20-
Fig. 1. System safety assessment process described in SAE ARP-4761.
initially conducted, followed by a System FHA, then the Preliminary System Safety Assessment (PSSA). During the PSSA, safety requirements are derived using Fault Tree Analysis (FTA) and probability budgeting. This is usually an iterative process comprising the PSSA and the system design definition and refinement.
After the determination of the final design, the compliance of the implemented products with the safety requirements is verified during the System Safety Assessment (SSA). During this process, the system Failure Modes and Effects Analysis (FMEA) provides the failure probabilities of the single items. These are the inputs for the system-level FTA and the aircraft-level FTA, which are conducted to verify that the systems and the overall aircraft satisfy the top-level safety requirements.

Utilization of MBSA in typical safety process
The simulation models described in this article can serve as the formal specification in a model-based development. They can also assist conventional safety processes. The integration work is inspired by the qSafe project [10].
In the PSSA process, the objective of MBSA is to assist the validation of system requirements. The model describes the system architecture and functional properties. The models are based on the Simscape language, which provides the possibility for computer assistance. MBSA is introduced into the conventional safety assessment process to assist the FTA process. MBSA can traverse all possible failure mode combinations of a system without omission in a short period of time. More importantly, MBSA can generate minimal cut sets for the FTA.
In the SSA process, FMEA and bottom-up FTA are applied for the verification of the system implementation. MBSA focuses on the physical implementation and the specific performance of components and systems. Information on failure modes and effects can be identified through simulation and analysis. MBSA is integrated into the ARP-4761 [9] safety process to assist the FTA and FMEA of complex multi-domain systems in the PSSA and SSA processes.

Simscape modelling
The complete work described in the article is developed in the MATLAB environment.
The models are built and modified in the Simulink environment. The formal system model is built with Simscape. Simscape enables the rapid creation of physical system models within the Simulink environment. With Simscape, physical component models based on physical connections, which directly integrate with block diagrams and other modelling paradigms, can be built easily. Systems like electric motors and hydraulic actuators can be modelled by assembling fundamental components into a schematic. Furthermore, as the principle of Simscape is physical modelling, the resulting models are intuitively comprehensible without detailed knowledge of numerical simulation methods and modelling paradigms, which benefits the interaction between design and safety analysis.
Simscape is one of the undirected numerical simulation modelling approaches. Undirected numerical models describe systems as networks of functional elements that exchange energy through their ports. The component behaviour is encoded by differential algebraic equations. Every component is associated with some variables. Undirected numerical models distinguish potential variables (voltage, velocity, pressure, etc.) and flow variables (current, force, flow rate, etc.).

Modelling of the exemplar control system
The example is a simplified control system model for a control surface (see also Fig. 2). The function of the system is to control the position of the control surface (represented by the mass block m in Fig. 3). A control circuit provides power and transmits control signals. It includes a resistor connected to a control voltage source and a fuse, as well as a motor driving the control surface. A sensor is connected to the motor to detect the angular displacement. The system inputs are the pilot commands on the control column, which are simulated by a position command signal in the "Pos_cmd" block. The control signal is transmitted to the PI controller, which controls the voltage of the voltage source. The voltage source drives the electric motor, and the motor generates a torque which is applied to the control surface. value to the controller as a negative feedback value used by the controller to track the desired position signal: once the command position is reached, the controller gives a constant value to the voltage source due to its integrating behaviour, and the control surface stays at the intended position. If the current in the circuit is too large, the fuse cuts off the circuit.
Mode 2 is also a type of function loss, where a transducing component is stuck in a certain state. It can be an electrical short to ground (v → 0) or mechanical jamming (ve → 0 or ω → 0). Mode 3 means some inadvertent activation of a component, for example the "stuck close" failure mode of a switch or an erroneous signal given by a sensor (bias). In this simplified system, there are five components with failure modes: the energy source, the resistor, the fuse, the motor and the sensor. For convenience and efficiency of simulation, the motor is split into a mechanical part and an electrical part.

Failure mode control
To exhaustively simulate all combinations of failure modes, a way to control the failure mode of each component must be provided. Simscape enables customized components, which means users can modify library components or create their own. The extended models are mostly modified from Simscape library models. Simscape models are based on equations written in the Simscape language (source code). A variable named "failure mode" is added to the source code of each component. Its value is assigned according to the failure mode to be simulated, and the value of "failure mode" changes the equations of the component accordingly. For
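As an added illustration (not the paper's own component code), a Simscape language component file that realises this mechanism for the resistor: a "failure_mode" input port selects which equation set is active. The component name, port name and the mode numbering (0 = normal, 1 = open circuit as loss of function, 2 = short circuit as the stuck "v → 0" state) are assumptions of this example.

```matlab
% FaultyResistor.ssc -- added example, not the paper's component.
% ASSUMED mode numbering: 0 = normal, 1 = open circuit, 2 = short circuit.
component FaultyResistor
  nodes
    p = foundation.electrical.electrical;  % + terminal
    n = foundation.electrical.electrical;  % - terminal
  end
  inputs
    failure_mode = {0, '1'};               % driven by the combination vector
  end
  parameters
    R = {1, 'Ohm'};                        % nominal resistance
  end
  variables
    i = {0, 'A'};                          % current through the component
    v = {0, 'V'};                          % voltage across the component
  end
  branches
    i : p.i -> n.i;                        % through variable flows p -> n
  end
  equations
    v == p.v - n.v;
    % The same number of equations in every branch keeps the DAE well posed.
    if failure_mode == 1
      i == {0, 'A'};                       % open circuit: no current
    elseif failure_mode == 2
      v == {0, 'V'};                       % short circuit: no voltage drop
    else
      v == i*R;                            % healthy: Ohm's law
    end
  end
end
```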

Extension of the system model
In the extended system model, the original component models are replaced by fault models. Mode input ports control the behaviour of all the concerned component models.
Fig. 4. Extended exemplar control system model.
The motor is controlled by two mode input ports, as it is represented internally by an electrical and a mechanical part. The sensor also gives an additional unbiased "real" signal to the scope for the convenience of observation. The "heat sensor" block is designed to take into account a special condition: a short circuit of the resistor with the fuse stuck close. In this condition, the heat sensor signal drops from 1 to 0, which indicates a potential burn-down of the circuit.

Analysis of the exemplar control system through simulation
Partial automation of the safety analysis process can both reduce the cost and improve the quality of the results.
The result is a table containing all combinations of failure mode numbers and the corresponding failure effect numbers (FE No.), which can be analysed to identify critical combinations of failures or even to construct the cut sets leading to a certain effect.

FMEA
An FMEA intends to find single faults and their local effects. The example model used here is quite basic and not structured hierarchically. Therefore, the local effects determined by the FMEA can be considered functional failure effects at system level.
The single failures can be simulated by simply applying the respective failure mode number to the corresponding component.
The results of the simulation are shown in Fig. 5 and Fig. 6. The positions (rad) are shown on the y-axis and the time (s) on the x-axis. Three types of position signals are depicted: the command position given by the pilot (plotted in green), the position detected by the sensor (plotted as a dashed blue line) and the real position (plotted in red).
At first, the control surface stays at position 0. After 5 seconds, a command is given to the system to move the control surface to position 0.2. At the 30th second, the position command is released. Fig. 5 shows the normal function of the sample control system: the real position follows the control input well, and there is no bias between the detected position and the real position. Fig. 6 shows the condition where the sensor signal is biased: the system forces the detected position to follow the command position, and there is a steady bias between the real position and the command position.

Combinations of failure modes
This analysis intends to find all failure effects caused by combinations of different failure modes (as there might be hidden failure effects that cannot be detected by the single-failure FMEA).
To automate the simulation, three basic steps are implemented. The first step is to generate a matrix containing all "combination vectors". Each vector represents a specific combination of the failure modes. For example, (1 0 0 0 2 0) means sensor "loss of signal" combined with fuse "stuck close". A total of 486 combinations is generated. After removing the conditions where more than 3 components fail at the same time, 62 combinations are taken into consideration. The second step is to automatically run the simulation of all the combinations. The values of the mode input ports are set to the respective elements of each vector. The third step is to plot the results and save the pictures for the analysis reports.
Yet it is not enough to have only the results plotted as time traces. The next goal is to analyse the simulation results automatically, i.e. to determine the effects resulting from the different combinations. The analysis results can also help to find the combinations leading to a specific top event (i.e. the cut sets). A set of expected failure effects can be derived from the FMEA and the simulation results. A unique failure effect code is assigned to each failure effect (see Table 3). Fig. 6 shows the "Stuck" failure effect, which is the consequence of the motor "Jam" failure. With this table, the minimal cut sets of a specific top event can be identified, which is the essence of a fault tree.
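The three steps above and the cut-set extraction that follows them, as an added MATLAB example that is not the paper's tool. It assumes six mode input ports fed by Constant blocks named Mode_<port> in an assumed port order, that the energy source has one failure mode and each of the other five components two (0 = normal), which yields 2*3^5 = 486 vectors, a filter that keeps vectors with at most two failed components (the count that reproduces the 62 combinations under this assumption), logged signals named pos_cmd, pos_real and pos_sensed, and constructed failure effect codes in place of the paper's Table 3.

```matlab
% Added example, not the paper's tool. ASSUMED: Constant blocks Mode_<port>
% drive the six mode inputs; source has 1 failure mode, the other five ports
% have 2 (0 = normal) -> 486 vectors; logged signals pos_cmd/pos_real/pos_sensed.
function [combos, effects, stuckCuts] = mbsa_combinations(mdl)
  ports  = {'source','resistor','fuse','motor_el','motor_mech','sensor'};
  combos = combination_matrix([2 3 3 3 3 3]);       % 486 x 6 matrix
  combos = combos(sum(combos > 0, 2) <= 2, :);      % <= 2 failed: 62 rows
  effects = zeros(size(combos, 1), 1);
  for k = 1:size(combos, 1)
    for p = 1:numel(ports)                          % set the mode input ports
      set_param([mdl '/Mode_' ports{p}], 'Value', num2str(combos(k, p)));
    end
    effects(k) = classify_effect(sim(mdl, 'StopTime', '40'));
  end
  stuckCuts = minimal_cut_sets(combos, effects, 1); % top event "Stuck"
end
function M = combination_matrix(nModes)
  % Cartesian product of 0:(n-1) over all ports, one combination vector per row.
  M = zeros(1, 0);
  for n = nModes
    M = [repmat(M, n, 1), kron((0:n-1)', ones(size(M, 1), 1))];
  end
end
function fe = classify_effect(out)
  % Constructed effect codes: 0 none, 1 Stuck, 2 Bias, 3 other; sampled at 25 s.
  lg  = out.get('logsout');
  at  = @(s) interp1(lg.get(s).Values.Time, lg.get(s).Values.Data, 25);
  cmd = at('pos_cmd'); real_ = at('pos_real'); sensed = at('pos_sensed');
  if abs(real_ - cmd) < 0.01
    fe = 0;
  elseif abs(real_) < 0.01              % surface never left position 0
    fe = 1;
  elseif abs(sensed - cmd) < 0.01       % sensed value tracks, real is offset
    fe = 2;
  else
    fe = 3;
  end
end
function cuts = minimal_cut_sets(combos, effects, fe)
  % Drop a combination if another one with the same effect is a proper subset.
  rows = combos(effects == fe, :);
  keep = true(size(rows, 1), 1);
  for a = 1:size(rows, 1)
    for b = [1:a-1, a+1:size(rows, 1)]
      s = rows(b, :) > 0;               % ports failed in candidate b
      if all(rows(a, s) == rows(b, s)), keep(a) = false; end
    end
  end
  cuts = rows(keep, :);
end
```

Each row of stuckCuts is a minimal cut set for the "Stuck" effect; non-zero entries name the failed ports and their mode numbers.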

Conclusions
This paper develops a new model-based analysis tool in the Simulink/Simscape environment. The objective is to improve the increasingly complex aircraft systems development process. The extended Simscape model is used for the partial automation of typical safety assessment tasks. During that process, some obvious advantages of model-based safety analysis became clear: a) The ability to exhaustively explore all possible combinations of the components' failure modes using automated analysis tools. The quality of the safety analysis is thereby improved. b) The ability to automatically generate analysis outcomes. These outcomes can be used to enhance or cross-check the manually created ones. Therefore, the method lightens the workload of safety analysts and reduces the costs, while simultaneously improving the coverage and quality of the results. c) The possibility to integrate the safety process and the design process