We propose a Platform-Based Methodology for aircraft electric power system design that enables compositional synthesis of system topology and control protocol. Our designprocess proceeds by subsequent refinement of design requirements using a library of available components. System specifications are expressed in terms of safety, reliabilityand performance constraints. To reason about requirements of different nature, we formulate assume-guarantee contracts at the main articulation points in the design flow.

Aircraft Electric Power System (EPS)An EPS in modern aircrafts where actuation and control are largely implemented with electrical and electronic components is complex because of Large number of hardware

subsystems More interactions with the

embedded control software

EPS Design Exploration and Contracts

Single Line Diagram from Honeywell Patent 7,439,634

Requirement Diagram

Entity Diagram Sequence Diagram

Use Case Diagram

Structure and State-Machine Diagrams functional verification (SysML Raphsody)

Topology Synthesis: start from initial low-cost SLD from MILP and add redundancy until the desired reliability is reached

Conclusion Methodology and design flow for aircraft EPS addressing complexity by composition

- Contracts formalize and propagate requirements and assumptions across different levels of abstraction

- Specialized analysis frameworks are coordinated by a background exploration routine, which handles the conjunction of contracts and enables system optimization

Implemented the modeling infrastructure for the design Future work includes automatic deployment of the proposed flow

EPS Design flow is still a derivative, heuristic process (“V-diagram”) Lack of formal specifications Inability to model interactions

between heterogeneous components Inefficient implementations, delays,

cost overruns

Contracts formalize the interfaces between models and tools and allow reasoning about

requirements of different nature

Bottom-Up Phase: build hierarchical model libraries Horizontal contracts specify legal compositions Vertical contracts define when models are faithful representations of the physical elements

Mapping: optimization problem where we search for candidate configurations that satisfy the conjunction of all contracts Topology Synthesis: generate optimal

topology that guarantees desired reliability

Control Synthesis: generate the Bus Power Control Unit (BPCU) state machine to drive contactor while guaranteeing that critical loads are always powered

Top-Down Requirement Capture and Contracts

Bottom-Up Executable Model Library Generation

Experimental Results

Continuous-time and FSM to verify real-time performance (Simulink+SimPowerSystem)

Initial (1) Intermediate (2) Final (3) Reliability

Controller Synthesis Start from switching logic synthesized from LTL specifications (TuLiP Toolbox) Add constraints on voltage and currents to define real time contracts (STL logic) Monitor simulation traces to verify and optimize controller (Breach Toolbox)

Top-Down Phase: Formalize and associate requirements to system entities (vertical contracts)

1. No AC bus shall be simultaneously powered by more than one AC source. 2. The aircraft electric power system shall provide power with the following characteristics: 115 +/- 5 V (amplitude) and 400 Hz (frequency) for AC loads and 28 +/-2V for DC loads.3. The L-AC bus shall be powered from the first available source from this ordered list (L-GEN, APU, R-GEN).4. The R-AC bus shall be powered from the first available source from this ordered list (R-GEN, APU, L-GEN).5. The failure probability at an essential load must be less than 10-9 for the duration of a mission

Managing System-Level Requirements using SysML Diagrams

Safety

Reliability

Signal Temporal Logic Formalization # STL formalization of Real Time requirements

# Vdc1 is in the required range

Vdc1_in_range := (abs(Vdc1[t]-28) < 2)

# Vdc1 error : out of range for more than tau_error seconds

Vdc1_error := alw_[0 tau_error] (not (Vdc1_in_range))

# After the transient period Vdc1 is never in error mode

Vdc1_ok := not (ev_[transient, inf] (Vdc1_error))

Real Time contract violation Quantitative contract violation

Safe clock vs. contactor delay region

safe

unsafe

Unpowered load

Start-up

A Contract-Based Methodology for Cyber-Physical System Design

Pierluigi Nuzzo, John Finn, Antonio Iannopollo, Alberto Sangiovanni-Vincentelli, Sanjit SeshiaUniversity of California, Berkeley, EECS Department

ExCAPE Annual PI Meeting June 10-11, 2013