Jane T. Malin
NASA Johnson Space Center
Luis Flores
Lockheed Martin Space Operations
Land Fleming
Hernandez Engineering, Inc.
David Throop
The Boeing Company

A hybrid discrete/continuous simulation tool, CONFIG, has been developed to support evaluation of the operability of life support systems. CONFIG simulates operations scenarios in which flows and pressures change continuously while system reconfigurations occur as discrete events. In simulations, intelligent control software can interact dynamically with hardware system models. CONFIG simulations have been used to evaluate control software and intelligent agents for automating life support systems operations. A CONFIG model of an advanced biological water recovery system has been developed to interact with intelligent control software that is being used in a water system test at NASA Johnson Space Center.

INTRODUCTION

There has been significant progress in the development of object-oriented and graphical modeling and simulation tools that can be used for analysis of environmental control and life support systems [9,12,13,14]. In these tools, system models are composed of a set of connected component models. Simulation is typically used to support sizing and optimization of system performance. CONFIG is a hybrid discrete/continuous simulation tool that, in addition to these more traditional uses, has been designed to support evaluation of system safety, operability, and operations.

CONFIG has been used for testing control software by interactive simulation. This provides a means of evaluating the software's responses to simulated failures or off-nominal system states that would be too costly, dangerous, or otherwise infeasible to induce in the real hardware system for test purposes. In simulation, we have uncovered deficiencies in software function and requirements definition that went unnoticed even after thorough testing by more conventional means [9]. In this evaluation, unanticipated system configurations were uncovered as the simulation interacted dynamically with the control software.

In reviewing designs or testing code, humans depend on their own mental models of the system. Mental models may be incomplete or incompletely recalled at some critical juncture in design, implementation, or testing. This is especially a problem when the adverse consequences of a software action are either spatially or temporally remote from the immediate object of the action. For example, a designer may verify that, given the appropriate sensor data, the software will properly command a normally closed valve to open to permit flow into a tank. However, the designer may not account for a second, normally open valve on the same flow path which, in some scenarios, may previously have been commanded closed; that valve must also be commanded open for flow to commence. In a system accident [6], such an oversight might not be discovered until the tank has reached a critically low level and some serious failure has occurred in a device being fed by the tank. It is preferable to un...
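The two-valve scenario above, reduced to a minimal hybrid discrete/continuous simulation as an added illustration (this is not CONFIG code and not the authors' model): tank level evolves continuously while valve commands are discrete events, and the controller that opens only the normally closed valve is run beside one that commands the whole flow path. Valve names V1/V2, flow rates, and the critical threshold are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Plant:
    """Continuous state (tank level) plus discrete valve states. All values are constructed."""
    level: float = 50.0      # tank level, arbitrary units
    demand: float = 2.0      # continuous outflow to the fed device, units per step
    supply: float = 3.0      # inflow when every valve on the path is open
    # V1 is normally closed, V2 is normally open; both lie on the supply path.
    valves: dict = field(default_factory=lambda: {"V1": False, "V2": True})

    def path_open(self) -> bool:
        return all(self.valves.values())

    def step(self) -> None:
        """One continuous integration step (Euler, unit time step)."""
        inflow = self.supply if self.path_open() else 0.0
        self.level = max(0.0, self.level + inflow - self.demand)

def naive_controller(plant: Plant, low: float = 40.0) -> None:
    """Opens only V1 on a low-level reading: the oversight the text describes."""
    if plant.level < low:
        plant.valves["V1"] = True

def path_aware_controller(plant: Plant, low: float = 40.0) -> None:
    """Commands every valve on the flow path open when supply is required."""
    if plant.level < low:
        for name in plant.valves:
            plant.valves[name] = True

def run(controller, steps: int = 30, prior_events=(), critical: float = 10.0):
    """Hybrid loop: discrete valve commands interleaved with continuous flow steps.

    prior_events are reconfigurations made earlier in the scenario, e.g. V2 closed.
    Returns (level history, first step at which level fell below `critical`, or None).
    """
    plant = Plant()
    for valve, state in prior_events:   # discrete events before the controller runs
        plant.valves[valve] = state
    history, critical_at = [], None
    for t in range(steps):
        controller(plant)                # discrete event: controller issues commands
        plant.step()                     # continuous evolution of the tank level
        history.append(plant.level)
        if critical_at is None and plant.level < critical:
            critical_at = t
    return history, critical_at

if __name__ == "__main__":
    for ctrl in (naive_controller, path_aware_controller):
        hist, hit = run(ctrl, prior_events=[("V2", False)])
        print(f"{ctrl.__name__}: final level {hist[-1]}, critical at step {hit}")
```

With V2 left open the naive controller passes, which is exactly why the defect survives conventional testing; only the scenario with the earlier V2 closure exposes it.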