Timed Discrete-Event Simulation of Aviation Scenarios
Hai Nguyen Van, Frédéric Boulanger, Burkhart Wolff

To cite this version:
Hai Nguyen Van, Frédéric Boulanger, Burkhart Wolff. Timed Discrete-Event Simulation of Aviation Scenarios. SNE Simulation Notes Europe, ArgeSIM, 2020, 30 (2), pp.51-60. 10.11128/sne.30.tn.10512. hal-02881889

HAL Id: hal-02881889
https://hal-centralesupelec.archives-ouvertes.fr/hal-02881889
Submitted on 26 Jun 2020

HAL is a multi-disciplinary open access archive for the deposit and dissemination of scientific research documents, whether they are published or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers.

L’archive ouverte pluridisciplinaire HAL, est destinée au dépôt et à la diffusion de documents scientifiques de niveau recherche, publiés ou non, émanant des établissements d’enseignement et de recherche français ou étrangers, des laboratoires publics ou privés.
Timed Discrete-Event Simulation of Aviation Scenarios

Hai Nguyen Van*, Frédéric Boulanger**, Burkhart Wolff**

Université Paris-Saclay, CNRS, LRI, 91405 Orsay, France; *ORCID 0000-0002-0585-1651; **firstname.lastname@lri.fr


Abstract. Ensuring systems behave as they are expected is unavoidable in the context of critical environments. In the aviation industry, certification standards provide rules and protocols to ensure correct maneuvers with respect to logical or timed events. These are targeted to computer-intensive systems as well as to human flight crews. In this setting, we are interested in the modeling and simulation of event-driven and time-driven behaviors at a high level. This study focuses on the TESL language [9] that provides a logical framework for timed behaviors with monitoring and testing features. In particular, we model various aviation scenarios and focus our study on fault monitoring.

Introduction

In past years, an increase in modeling and simulation in industry has emerged to assist engineers and designers of various process levels. In a broader way, this has been ensured by the emergence of Model-Based Design that allows the differentiation of stages and components composing large systems. These large systems consist of modeled components of various nature and form a multi-paradigm environment where each part is modeled with its own semantics of execution: this is commonly called heterogeneous modeling [23]. For instance in control systems, mode switches can be modeled with finite-state machines, and sensor data processors with dataflow models. Recent advances have proved that these submodels could be unified to form a supermodel. Figure 1 highlights this idea where each submodel is described by a different paradigm, then they are coordinated as a supermodel.

Complementary to modeling, the increased demand of automatic validation relates to the critically-large models where sole human analysis no longer suffices. The addition of mathematics and logics to the understanding of modeling and computing problems at a larger scale is named formal methods. The problem is two-fold. On one side, heterogeneous modeling raises the question of the adaptability of paradigms. Indeed, each modeling paradigm comes with a specific model of computation detailing a precise semantics of execution for each submodel. On the other side, validation demands a unified environment for safety property verification or test generation for these various paradigms. In the last decades, several multi-paradigm frameworks have appeared and attempt to address these issues, e.g., Ptolemy II [32, 13], ModHel’X [8], BCool [37].

Our study focuses on TESL [9] which has been introduced as the inner language of the ModHel’X framework. Similarly to intermediate programming languages in compiler theory, models in ModHel’X are coordinated using TESL. Indeed, it is a specification language that describes discrete-events with time annotations (tags). This flavor of chronometric time is nec-
ecessary to compose modeled systems where events are described with respect to chronometric time durations, instead of logical time as would be found in temporal logics [31].

In this paper, we highlight the application of this language to aeronautical systems. We are interested in modeling standard scenarios used by common aircrafts, and validated by airworthiness authorities (ICAO Annex 8 [1], EASA AIR OPS [2]). Our goal is to exhibit a unified modeling framework suited for validation and verification by means of:

- multi-level model specification;
- generation of execution traces for simulation purposes;
- real-time testing and system monitoring.

In the heterogeneous context, our framework allows to abstract from programming details in order to reason on high-level behaviors. We believe this is particularly useful for aviation-related systems. Indeed, software in current airborne systems are usually certified for the highest Design Assurance Level as defined by RTCA/DO-178C [14, 33]. This certification is known to provide guidance for software life-cycle processes, and emphasizes on verifying the relation between high-level requirements and low-level implementation. The testing topic of this certification is especially focused on requirements. Our work precisely targets this problem by providing a specification-based testing/monitoring framework. For these reasons, we believe our study addresses several current Flight Control Systems (FCS): Multi-pilot aircrafts. The Airbus A320 aircraft family is a well-known system made of fault-tolerant components based on redundancy and dissimilarity. Traverse [36, 35] reported that the aircraft primary control surface computers were designed by different design analysts on independent architectures. This case of heterogeneity clearly exhibits how a multi-paradigm environment needs to be unified in order to be validated at a higher-level.

Unmanned aircrafts. Furthermore, recent advances in unmanned aircrafts [39, 15] make the topic of verification and validation even more crucial due to the need of safe, reliable and fully automated software-intensive systems [19, 24] where, accordingly, design and test procedures tend to be fully automated.

1 The TESL Language

The core language of our study is the TESL language. It is inspired from the CCSL language [25, 7] and the Tagged Signal Model [21]. It lies at the heart of the ModHel’X modeling and simulation framework and serves as an intermediate representation for simulation solvers. In our setting, events are described and specified by clocks. A clock that ticks means that the associated event is occurring. Theses entities are ruled by three kinds of modality:

- Event-driven implications. An occurring event can trigger another one: “If clock $K_1$ ticks, then clock $K_2$ will tick under conditions”.
- Time-driven implications. An occurring event triggers another one after a chronometric time delay measured on the time scale of a specific clock. Remark that this delay is a duration expressed as a difference between two tags, and not as a number of ticks.
- Tag relations. By default, clocks live in independent time islands. The purpose of tag relations is to link these different time scales, e.g., time expressed in seconds and minutes admits an arithmetic relation stating that time flows 60 times as fast in seconds than in minutes. This does not mean that the seconds clock ticks 60 times more than the minutes clock, but simply that their tag annotation satisfies this arithmetic relation.

To provide a glimpse of the core features of TESL, we present a brief grammar of the language:

- tag relation $|K_1, K_2| \in R$
  The time frames of clocks $K_1$ and $K_2$ are related by the arithmetic relation $R$.
- $K_{evt}$ sporadic $\tau$ on $K_{meas}$
  Some event will occur on clock $K_{evt}$ at timestamp $\tau$ measured on clock $K_{meas}$.
- $K_{master}$ implies $K_{slave}$
  At every instant, if $K_{master}$ ticks, then $K_{slave}$ instantaneously ticks.
- $K_{master}$ sustained from $K_{begin}$ to $K_{end}$ implies $K_{slave}$
  In the interval between a tick on clock $K_{begin}$ and a tick on clock $K_{end}$, $K_{master}$ implies $K_{slave}$ as previously (scoped implication).
Whenever the master clock $K_{\text{master}}$ ticks, the time tag on the measuring clock $K_{\text{meas}}$ is measured and delayed by duration $\tau$ to yield the date of a future instant at which clock $K_{\text{slave}}$ will tick.

Any event occurring on $K_2$ is preceded in the strict past by a distinct event occurring on $K_1$.

2 The Takeoff Scenario

To illustrate how time scales can be constructed in TESL, we are interested in modeling the takeoff procedure of a small single engine aircraft with basic parameters: time, airspeed and altitude. We assume usual atmospheric conditions and specifically chose to model performance parameters extracted from the Cessna 172 aircraft [10, 22]. The rotation speed $V_R$ specifies when the pilot should move the pitch control backwards to generate lift.

<table>
<thead>
<tr>
<th>Speed</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>$V_R = 55$ kt</td>
<td>Rotation speed</td>
</tr>
</tbody>
</table>

Table 1: Extract of $V$-speeds of the Cessna 172

In the next subsections, we first introduce an execution trace to provide intuitions for our case study. Then, we will exhibit the TESL specification for this scenario.

2.1 Clocks and execution traces

To define the basic quantities and events in which we are interested, we define clocks that describe the timeline of events. These are embedded with time tag annotations that rule how quantities and units are related. Each clock denotes a quantity with a specific unit:

\[
\begin{align*}
\text{rational-clock} & \quad \text{time-S} & \quad \text{in} \ [\text{s}] \\
\text{rational-clock} & \quad \text{time-MIN} & \quad \text{in} \ [\text{min}] \\
\text{rational-clock} & \quad \text{speed-MPS} & \quad \text{in} \ [\text{m.s}^{-1}] \\
\text{rational-clock} & \quad \text{speed-KT} & \quad \text{in} \ [\text{kt}] \\
\text{rational-clock} & \quad \text{altitude-FT} & \quad \text{in} \ [\text{ft}] \\
\end{align*}
\]

Moreover, the specification is augmented with three clocks for the events of our interest:

- $VR$-reach: speed reaches $V_R$;
- liftoff: the aircraft is airborne;
- flaps-retract: flaps are retracted.

The TESL language is a specification language that allows to describe traces. Figure 3 depicts a minimal execution trace with three instants. At the first instant, time is just 0 s. Then at the second instant, speed has reached $V_R = 55$ kt at 12.2 s. Hence, clock $VR$-reach is triggered, and so is liftoff consequently: they are said to be ticking synchronously. Then at the third instant, flaps-retract ticks at the altitude of 400 ft at 27.2 s.

Remark. The above trace depicts a minimal run. It illustrates an observation. Other instants may exist in between those mentioned, where none of our events occur. These instants are simply not “observed”.

Figure 2: Airspeed indicator and altimeter (courtesy of Laminar Research)

Figure 3: Execution trace when performing takeoff
2.2 Causality and Timestamp Relations

Units
In the next paragraphs, we use TESL to describe the above potential behavior.

// Unit conversion between [s] and [min]
tag relation time-S = 60.0 * time-MIN
// ... and between [m.s^{-1}] and [kt]
tag relation speed-KT = \frac{3600}{1852} * speed-MPS

Clocks time-S and time-MIN respectively express time given in seconds and minutes. Clocks speed-MPS and speed-KT respectively denote speeds in meters per second and knots (as given by the airspeed indicator). We use tag relations to describe unit conversions between such quantities. In particular, tags on clocks time-S and time-MIN shall satisfy the arithmetic relation that one minute is equivalent to sixty seconds. Likewise, one knot is equivalent to \frac{3600}{1852} m.s^{-1}. In our context, the notion of time lies under tag annotations. Compared to temporal logics where time is purely logical, we precisely capture chronometric durations.

Acceleration and liftoff
Tag relations also allow to describe how quantities are related and can define the acceleration profile of the modeled aircraft. Here we consider the uniform acceleration of a light aircraft gaining speed at 4.5 kt.sec^{-1}:

<table>
<thead>
<tr>
<th>Speed</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>V_1</td>
<td>118 kt</td>
</tr>
<tr>
<td>V_R</td>
<td>126 kt</td>
</tr>
</tbody>
</table>

As depicted in Figure 4, decision speed V_1 defines the speed limit at which the pilot in command is allowed to reject takeoff (RTO). Then V_R is the rotation speed as previously described, and lift off occurs 3s after. Should the pilot decide to reject after V_1, the aircraft would brake on a too short remaining runway, and hence overrun.

3.1 Acceleration and Speed Thresholds
We define speed thresholds as previously and also add a precedence constraint. This emphasizes on the fact that reaching V_R must have been preceded by reaching V_1 prior.

Flaps retraction
To quickly reach the desired altitude, the pilot controls the pitch (longitudinal axis) to maintain the airspeed at fixed value V_y while climbing. This approximately corresponds to a vertical speed of 1200 ft.min^{-1}. The relation is written:

Finally, the aircraft reaches the altitude for flaps retraction at 400 ft.

liftoff time delayed by 400. on altitude-FT implies flaps-retract

3 The Autobrake System
In this section, we explore more complex specifications by employing a mix of event and time-triggered events, and the usage of sequential and asynchronous operators. We are interested in modeling the takeoff procedure of a transport-category aircraft with takeoff rejection components such as the Airbus A320 [3, 20]. As said earlier, decision, rotation and lift off do not necessarily coincide (depending on the aircraft performance category). As a matter of fact, the manufacturer distinguishes and specifies the following speed thresholds as illustrated in Table 2.

<table>
<thead>
<tr>
<th>Speed</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>V_1</td>
<td>Decision speed</td>
</tr>
<tr>
<td>V_R</td>
<td>Rotation speed</td>
</tr>
</tbody>
</table>

As depicted in Figure 4, decision speed V_1 defines the speed limit at which the pilot in command is allowed to reject takeoff (RTO). Then V_R is the rotation speed as previously described, and lift off occurs 3s after. Should the pilot decide to reject after V_1, the aircraft would brake on a too short remaining runway, and hence overrun.

3.1 Acceleration and Speed Thresholds
We define speed thresholds as previously and also add a precedence constraint. This emphasizes on the fact that reaching V_R must have been preceded by reaching V_1 prior.

V1-reach strictly precedes VR-reach
V1-reach sporadic 118.0 on speed-KT
VR-reach sporadic 126.0 on speed-KT

Again, to define a specification independently from the aircraft performance, the precedence operator is
VR-reach time delayed by 3. on time-S implies liftoff

3.2 Rejecting Takeoff with Autobrake

One of the aircraft braking systems is named Autobrake [3], and opposes to manual pedal braking. Its usage is preferable as:

- The number of brake pressure is minimized, reducing brake wear;
- A symmetrical brake pressure is applied ensuring an equal braking effect on gear wheels, especially on wet runways.

The system is activated whenever the following conditions are met:

1. Ground spoilers ARMED
2. Auto brake ARMED
3. Speed exceeds 72 kt
4. Accelerate-stop with THRUST on IDLE
These above conditions are written as:

<table>
<thead>
<tr>
<th>SPLR-arm strictly precedes AUTOBRK-active</th>
</tr>
</thead>
<tbody>
<tr>
<td>AUTOBRK-arm strictly precedes AUTOBRK-active</td>
</tr>
<tr>
<td>AUTOBRK-active sporadic 72.0 on speed-KT</td>
</tr>
</tbody>
</table>

Finally in the event of takeoff rejection (RTO), the system applies brakes if autobrakes were in an active state.

| RTO sustained from AUTOBRK-active to AUTOBRK-inactive implies BRK-apply |

Event Death Killing a clock allows to prevent it from ticking, i.e. from having further event occurrences. This mechanism can be used to describe different forms of race conditions. Likewise, we can specify that reaching $V_1$ will prevent the event of rejecting takeoff. Conversely, applying brakes prevents from reaching $V_1$.

| V1-reach kills RTO |
| BRK-apply kills V1-reach |

3.3 Simulation

Two situations that satisfy the above specification are depicted in Figure 4. The first execution trace in Figure 4a shows the Go situation where the pilot normally proceeds to aircraft takeoff. In the first instant, the pilot arms ground spoilers and autobrake. Consequently, autobrake is activated when speed exceeds 72 kt. There is no takeoff rejection (clock RTO), and the aircraft keeps on accelerating by reaching $V_1$ and $VR$ speeds until being airborne (clock liftoff) after a delay of 3s.

On the other side, a No Go situation is illustrated in Figure 4b where speed has exceeded 72 kt but takeoff rejection has been declared at 20s when the speed is 90kt, which immediately triggers brakes. This prevents from reaching $V_1$ and consequently $VR$ and aircraft liftoff.

4 Towards Hybrid Systems: Accelerate-Stop Distance

Our language also addresses the modeling of hybrid systems. This is exhibited by the ability to define differential equations in tag relations. In our case study, we can refine our specification to take into account differential quantities. In the case of a takeoff rejection, it is necessary to ensure that the two-stage acceleration-deceleration ensures that the aircraft does not overrun, and remains within the limits of the runway. To provide a good abstraction level to the reader, we chose to deliberately simplify the definition of the Accelerate-Stop Distance and not take into account the recognition and decision time as specified by airworthiness authorities ([2], CAT.POL.A.205 Take-off).

**Acceleration** To compute these distances, we need to express instantaneous distance with respect to current time and speed. If we denote $x$ as the distance of the running aircraft, provided time $t$ and speed $v$, we have

$$dx = v \, dt$$

In our setting, this is straightforwardly expressed as

| tag relation (d distance-M) = speed-MPS * (d time-S) |

where distance-M is the quantity denoting the run distance during acceleration phase.

**Deceleration** As done previously, we need to define how deceleration is expressed and accordingly the run distance. To proceed so, we will define new clocks for this deceleration stage: speed-MPS-DECEL, speed-KT-DECEL and distance-M-DECEL. Likewise, to keep our model simple enough but still relevant, we will assume a uniform deceleration of $-3kt.s^{-1}$. In TESL, this would be expressible as a linear tag relation as previously, or equivalently with a differential equation between speed and time:

| tag relation (d speed-KT-DECEL) = -3.0 * (d time-S) |

Finally, distance during deceleration relates to the following tag relation:

| tag relation (d distance-M-DECEL) = speed-MPS-DECEL * (d time-S) |

To run our specification with a concrete example, let us assume that takeoff rejection has been declared at 20s. Figure 6 illustrates this process where the aircraft has approximately reached 520m at 20s. Finally, the aircraft reaches speed zero at 50s with a final run distance of approximately 1159m.

**Remark.** The precision of the differential calculus lies in the ODE solver in use. In this example, we
used the simple first-order forward Euler with an integration step of 2.5s. Our language is agnostic to this design choice and potentially admits any other relevant ODE solver. It aims at bridging gaps between different paradigms generally found for modeling complex systems.

5 Formal methods

5.1 Testing and Monitoring

In the previous sections, we have observed that the TESL language specifies execution traces. These can be constructively generated with a solver named Heron [27]. It is a multicore-aware solver made of approximately 4,000 lines of Standard ML [26] code compiled with MPL [40]/MLton [38]. It solves TESL specifications by exhaustively constructing execution traces as illustrated in the previous paragraphs. In particular, this allows to exhaustively test and monitor systems to the extent of the system observation interfaces. Our solver fetches observations provided by an external driver and filters out irrelevant execution trace branches. By keeping the only satisfying runs of the specification combined with those compliant with the observation of the system, the solver keeps exploring exhaustive possibilities. Whenever the solver faces an unwanted behavior, it will finally filter out all branches and remain in an inconsistent state, meaning that the system has produced a violating behavior.

For this purpose, it is possible to suggest a scenario to the solver and request a simulation trace (if it exists). From the specification of the Autobrake in Section 3 and its corresponding satisfying execution traces in Figure 4, we can specify an additional directive to the solver and request a run where the clock RTO is the only one allowed to tick at instant 3. This is written

@scenario strict 3 RTO

The Heron solver will find no possibly satisfying run as it is not possible for RTO to tick alone without BRK-apply to tick as well. After successfully generating 2 instants, it will eventually fail and output the following:

### ERROR: No further state found.

The solver, its source code and all mentioned examples in this paper are provided at github.com/heron-solver/heron.

5.2 Formalized Semantics

In an effort to fully validate our language and its logical foundations, a fragment of the TESL language, which consists of core formulae, has been proved to enjoy good and formal properties ensuring its well-foundedness. It has been formalized with two kinds of logical semantics providing an accurate meaning of language terms and how they are supposed to behave:

- a denotational semantics [28] mathematically describes the set of execution traces denoted by the language;
- an operational semantics [27] describes how the languages behaves/executes to generate traces.

The solver, source code and all mentioned examples in this paper are provided at github.com/heron-solver/heron.
These two semantics have been proved to be equivalent in the Isabelle/HOL proof assistant [29, 30]. This ensures that the language qualifies for two key properties:

**compositionality** The semantic composition of two models yields the semantics of the supermodel. This is notably emphasized by the property of **stuttering-invariance** which shows that the addition of observation instants does not “break” a run and preserves specification satisfiability.

**executability** The specification is constructive and allows the derivation of execution traces. This allows for trace generation for testing and simulation purposes.

6 Related Work

The aim of our study and its purpose to the aviation community is similar to the goal of the real-time on-board Fault Detection and Diagnosis introduced by Goupil et al. [16] but differs in the scope of their study. Their study focuses on numerical aspects of signals and emphasizes on the link between academic and industrial R&D. Our research work aims at bringing new knowledge regarding timed aspects of discrete-event models.

Chhaya et al. [11] introduced the Aviation Scenario Definition Language (ASDL) which provides a Domain-Specific Language for scenarios of the same kind of our study. They provide an extensive framework to design aviation-related procedures. On the mathematical side, specifications consider only logical time and are translated into finite-state machines which employ traditional model-checking for verification purposes. Compared to our approach, our language aims at remaining a general-purpose and multi-level coordination framework, combined with the ability of specifying constraints containing chronometric time and physical quantities.

On a system-oriented level, Lustre/SCADE [17] is a well-known asset for the development of critical embedded systems. It has been qualified for DO-178B and is used for specifying flight control systems onboard the Airbus A340-600 and A380 [6]. Lustre/SCADE considers a unique and global driving clock for all specified components, whereas our framework allows to specify independent time islands where no global clock may exist. Moreover, time in SCADE is purely logical and does not consider chronometric time. In the problem we attempt to address, it may be necessary to consider the latter while designing and specifying real-time systems. Indeed, time delay constraints are crucial for closed loop controls of FCSs as time lags may exist due to computing, latency or storage [6].

Dealing with test oracles [12], our framework rightfully determines correctness on the outputs of a system. Indeed, the previously mentioned semantics allows to exhaustively generate execution traces that are correct with respect to specifications. The test oracle consists in filtering out generated branches which no longer satisfy the current outputs. The test oracle detects a violation whenever all possibly-satisfying branches have been filtered out.

7 Future Work

The permissive nature of the language allows to leave time relations between different quantities unspecified by default. Time related clocks can be gathered and are said to live in time islands. Leaving them unrelated means that they live independently. This feature is particularly interesting for distributed computing as it is not always possible to determine how time flows in one computing unit relatively to another. Yet, it has to be made sure that any computation is completed eventually. A similar synchronization mechanism can be found, for instance, in the Airbus A380 [34].
8 Conclusion

Our study highlights the TESL specification language as a unified environment for modeling and validation along the different stages of (1) designing models, (2) running their simulation, and (3) monitoring their runtime-compliance. We have presented a case study of fundamental operational scenarios found in the aviation industry, with high-level models addressing large-scale systems. In particular, our language and its associated high-level specifications are agnostic to concrete hardware implementations, providing a suitable framework for testing and monitoring systems similarly to black-box testing. We believe our framework also addresses the current trend for distributed computing [18] which is increasingly finding its way in critical embedded systems.

References


