B.H. Far

Transcription

1 SENG 637 Dependability, Reliability & Testing of Software Systems Chapter 3: System Reliability Department of Electrical & Computer Engineering, University of Calgary B.H. Far 1

2 Dependability Models Dependability models capture conditions that make a system fail in terms of the structural relationships between the system components Dependability models Reliability Graph Fault Tree model Reliability Block Diagram far@ucalgary.ca 2

3 System Reliability /1 A system usually consists of components Each component consists of sub-components Components may have Different reliability Different dependencies between them System reliability is a function of the reliabilities of the (sub-) components and of the relationships between the components far@ucalgary.ca 3

4 Complexity Concerns For a system consisting of n components Every component can be in one of the two conditions: working or failed How many possible combinations of the status of these n components? How do you calculate the reliability of the system given the probability of each component tbeing working (or failed)? Reliability Block Diagram can help! 4

5 Reliability Block Diagram (RBD) Reliability Block Diagram (RBD) is a graphical representation of how the components of a system are connected from reliability point of view. RBD is used to model the various series-parallel and complex block combinations (paths) that result in system success. Reliability of the system is derived in terms of reliabilities of its individual components. The most common configurations of an RBD are the series and parallel configurations. A system is usually composed of combinations of serial and parallel configurations. RBD analysis is essential for determining reliability, availability and down time of the system. far@ucalgary.ca 5

6 Reliability Block Diagram (RBD) Reliability Block Diagram helps reliability analysis using a functional diagram to portray and analyze the reliability relationship of components in a system. Each element of a system is represented by a block that is in some way interconnected with or through the other blocks of the system at a desired level of assembly. The basic relationship between components are depicted as lines that may be: Serial: if a single failure results in entire assembly or system failure Parallel: l if all redundant d units failure causes system failure Or a combination of these two SENG637 (Winter 2008) far@ucalgary.ca 6

7 Reliability Block Diagram (RBD) In a serial system configuration, the elements must all work for the system to work and the system fails if one of the components fails. The overall reliability of a serial system is lower than the reliability of its individual components. In parallel configuration, the components are considered to be redundant and the system will still cease to work if all the parallel components fail. The overall reliability of a parallel system is higher than the reliability of its individual components. far@ucalgary.ca 7

8 Reliability Block Diagram (RBD) In developing the reliability block diagram, a complete understanding of a system ss mission definition and service use profile is required. In addition, the system is broken down into subsystems/ functions that are necessary for mission success. Each essential function is represented as a separate block in the diagram, and blocks are grouped according to series/parallel combinations. Lines are drawn connecting the blocks in a logical order for mission success. RBD can be used to Calculate system reliability Possible single point of failure (SPF) far@ucalgary.ca 8

9 RBD: Process Steps 1. Define boundary of the system for analysis 2. Break system into functional components 3. Determine serial-parallel combinations 4. Represent each components as a separate block in the diagram 5. Draw lines connecting the blocks in a logical order for mission i success far@ucalgary.ca 9

10 Serial System Reliability /1 No redundancy ALL component of the system are needed to make the system function properly If any one of the components fails, the system fails Example ram block diagr System b Power Unit Processor Monitor far@ucalgary.ca 10

11 Serial System Reliability /2 Reliability Block Diagram System is composed of n independent d serially connected components. Failure of any component has a cross system effect, i.e., results in failure of the whole system. Example Power Unit R 1 / 1 R 2 / 2... Processor Monitor R1 /1 R2 /2 R3 /3 far@ucalgary.ca 11

12 Combining Reliabilities /1 Serial system reliability can be calculated from component reliabilities, if the components fail independently of each other. For serial systems: R Q p R k Qp number of components Rk component reliability k 1 Components reliabilities (Rk) must be expressed with respect to a common interval. A serial system has always smaller reliability than its components (because Rk 1). far@ucalgary.ca 12

13 Example: Serial System A system is composed of 3 independent serially connected components R1 = 0.95 R2 = 0.87 R3 = 0.82 Note: all Rs must be given for a common duration, e.g., 10 hours of operation. Rsystem = = Serial system reliability is smaller than any individual reliability of the components far@ucalgary.ca 14

14 Parallel System Reliability /1 System with Redundancy da Only ONE out of N (identical) components is needed to make the system function properly If ALL of the components fail, the system fil fails Example System block diagram Server 1 Server 2 far@ucalgary.ca 15

15 Parallel System Reliability /2 System is composed of n independent components connected in parallel. Failure of all components results in the failure of the whole system (principle of active redundancy). Unreliabil ity F n p (t) () Fi(t) () i1 n Reliability Rp (t) 1 F i(t) 1 n i1 i1.. i (1-R (t)). R 1 /1 R 2 /2 far@ucalgary.ca 16

16 Parallel System Example The system is composed of 2 identical servers connected in parallel R1 = R2 = Server 1 Rs1 /s1 Server 2 Rs2 /s2 Rsystem = 1 (( ) ( )) = Parallel system reliability is greater than any individual reliability of the components far@ucalgary.ca 17

17 Sequential System Reliability When one component fails, the next one is assigned to fulfill the job (e.g., tl telephone switching ithi circuits) it) This is done in sequence until no components left Reliability for such system: C 1 C 2 λ t C i C C n R sys (t) n1 i0 λit i! i e i far@ucalgary.ca 18

18 Mixed System Reliability /1 System with Redundancy da Only ONE out of N set of components is needed to make the system function properly If ALL sets of components fail, the system fil fails Example System block diagram Power Unit Power Unit Processor Monitor Processor Monitor far@ucalgary.ca 19

19 Mixed System Example Reliability Block Diagram Server 1 Rs1 /s1 System level Component level Server 2 Rs2 /s2 Power Unit Processor Monitor R1 /1/ R2 /2/ R3 /3/ Power Unit Processor Monitor R1 /1 R2 /2 R3 /3 far@ucalgary.ca 20

20 Various Configurations /1 Parallel-Series configuration Power Unit Power Unit Processor Processor Monitor Monitor 21

21 Various Configurations /2 Reliability Block Diagram for Parallel-Series configuration Power Unit Processor Monitor R1 /1 / R2 /2 / R3 /3 / Power Unit Processor Monitor R1 /1 R2 /2 R3 /3 far@ucalgary.ca 22

22 Parallel-Series System R 11 R 12 R 1j R 1n path R 21 R 22 R 2j R 2n R i1 R i2 R ij R in R m1 R m2 R mj R mn Path reliability Ri Rij System reliability R n j1 m 1 (1-R i) 1 m i1 i1 (1- n j1 R ij) far@ucalgary.ca 23

23 Various Configurations /3 Series-Parallel configuration Bus 1 Power Unit 1 Processor 1 Monitor 2 Bus 2 Power Unit 2 Processor 1 Monitor 2 far@ucalgary.ca 24

24 Various Configurations /4 Reliability Block Diagram for Series-Parallel configuration Power Unit Processor Monitor R1 /1 R2 /2 R3 /3 Power Unit Processor Monitor R1 /1 R2 /2 R3 /3 25

25 Series-Parallel System R 11 R 12 R 1j R 1n R 21 R 22 R 2j R 2n R i1 R i2 R ij R in R m1 R m2 R mj R mn subsystem Subsystem reliability R System reliability R j 1 m i1 (1-R ij ) n n m R 1 j1 1 i (1-R ij) j ) j 1 far@ucalgary.ca 26

26 Active Redundancy Employs parallel systems. All components are active at the same time. Each component is able to meet the functional requirements of the system. Each component satisfies the minimum reliability condition for the system. Only one component is required to meet the functional requirements of the system. System only fails if all components fail. 28

27 m out of n System System has n components. At least m components need to R work correctly for the system to function properly (m n). m=n: serial ilsystem m=1: parallel system e.g.: airplane with 4 engines es can fly with only 2 engines. R 1 R 2 R i R n m/n Assumption: R sys (t) 1 All components have the same reliability. m1 i0 n R(t) i i (1 R(t)) ni n n! i i! (n i)! far@ucalgary.ca 29

28 RBD: Example /1 Possible single point of failure (SPF) 30

29 RBD: Example /2 Possible over redundancy 31

30 SPF: How to Avoid? Adopt redundancy Use dissimilar methods consider common-cause vulnerability Adopt a fundamental design change Use equipment which his extremely reliable/robust b Perform frequent Preventive Maintenance/ Replacement t repair before failure happens Reduce or eliminate service and/or environmental stresses extreme stress leads to failure far@ucalgary.ca 32

31 RBD: When and How When to use RBD? When reliability of a complex system must be calculated l and the reliability-wise weaknesses of the system must be identified. How to use RBD? Draw the RDB diagram. Calculate the system reliability using the RBD diagram. Perform calculation such as availability and downtime. There e are a number of automated ated tools, integrated with the other methods, such as Fault Tree Analysis (FTA), to generate the diagram and to analyze it. far@ucalgary.ca 33

32 RBD: Benefits & Limitations RBD is the simplest way of visualizing the reliability of the complex systems. The benefits of the RBD are: Establishes reliability goals; Evaluates component failure impact on overall system safety; Provides a basis for what if analysis; Allocates component reliability by calculating system MTBF; Provides cost savings in large system trouble-shooting; Estimates system reliability; Analyzes various system configurations in trade-off studies; Identifies potential design problems; Determines system sensitivity to component failures Disadvantages are that some complex constructs, such as standby, branching and load sharing, etc., cannot be clearly l represented using the traditional RBD constructs. far@ucalgary.ca 34

33 RBD: Conclusion Restricting assumptions: Statistical independence Failures independence d Repairs independence d far@ucalgary.ca 35

34 Example 1 In reliability prediction for an assembled system we usually use a bottoms-up approach by estimating the failure rate for each subsystem and then combining the failure rates for the entire assembly. The following figure illustrates a system in which the subsystems A, B, C, and D are in a serial configuration. Each subsystem is composed of several parts which are connected as serial or parallel as shown. far@ucalgary.ca 36

35 Example 1 (cont d) The failure rates of serial parts 1, 2, and 3 are 0.1, 0.3, and 0.5 per hour, respectively. Determine the failure rate and MTTF for subsystem A. A A failures per hour 1 1 MTTF A 1.11 hours 0.9 far@ucalgary.ca 37

36 Example 1 (cont d) The failure rates of parallel parts 4, 5, and 6 in subsystem B are 0.2, 0.4, and 0.25 per hour, respectively. Determine the failure rate and MTTF for subsystem B. Bt R e 1 (1 R )(1 R )(1 R ) B R e e e e R B B e B t (1 )(1 )(1 ) t B = B failures per hour 1 MTTF B hours B far@ucalgary.ca 38

37 Example 1 (cont d) The failure rate of parallel parts 7 is constant and is 0.2 per hour. Determine the failure rate and MTTF for subsystem C in which at least 2 out of 3 items must be working. m1 n i ni 0.2 RC 1 R7 1 R7 R7 e i0 i RC 1 R7 (1 R7) R7 (1 R7) 1 (1 R7) 3 R7(1 R7) R 1 ( ) ( ) C = t RC e =1.004 C failures per hour 1 MTTF C hours C far@ucalgary.ca 39

38 Example 1 (cont d) The failure rates of parallel parts 8 and 9 in subsystem D are and d per hour, respectively. Determine the failure rate and MTTF for subsystem D. R e 1 (1 R )(1 R ) D D t 8 9 t D R e 1 (1 e )(1 e ) D Dt R D e = D failures per hour 1 MTTFD hours D far@ucalgary.ca 40

39 Example 1 (cont d) Determine the overall failure rate and MTTF for the whole system system A B C D system MTTF failures per hour system 1 system hours far@ucalgary.ca 41

40 Example 2 For the mixed mode system composed of serial and parallel components shown below, calculate the overall system reliability. The numbers are reliability for each module. SENG521 (Fall 2004) far@ucalgary.ca 42

41 Example 2 (cont d) R1 = 1 (1 0.9)(1 0.8)(1 0.9) = R2 = 1 (1 0.9)(1 0.95) = R3 = 1 (1 0.9)(1 0.9) = R4 = x x 0.99 = R5 = 0.95 x 0.99 x 0.95 = Rsystem = 1 ( )( ) = SENG521 (Fall 2004) far@ucalgary.ca 43

42 Example 3 The fastening of two mechanical parts in an automobile brake system should be reliable. It is done by means of two flanges which are pressed together with 4 bolt and nut pairs E1 to E4 placed 90 degrees to each other. Experience shows that the fastening holds when at least two opposing bolt and nut pairs work. E3 E1 E2 E4

43 Example 3 (cont d) a) Draw the reliability block diagram (RBD) for this fixation of the system.

44 Example 3 (cont d) b) Compute reliability of the fixation described in (a) if all bolt and nut pairs have the reliability of R=0.90. R1 = R2 = = 0.81 Rsystem = 1 (1 R1) (1 R2) =1 (1 0.81) (1 0.81) =

45 Example 3 Q1 (cont d) c) Name the redundancy type if only any two of the bolt and nuts were sufficient for the required function. Two-out-of-four redundancy.

46 Example 3 (cont d) d) Compute reliability for case (c) if all bolt and nut pairs have the reliability of R=0.90. R

47 Hazard Analysis A common mistake in engineering, is to put too much confidence in software. There seems to be a feeling among non-software professionals that software will not or cannot fail, which leads to complacency and over reliance on computer functions. Nancy G. Leveson Leveson, N.G., Safeware System Safety and Computers, Addison-Wesley, far@ucalgary.ca 49

48 Hazard Analysis Goal Identify events that may eventually lead to accidents Identify individual elements/operations within a system that render it vulnerable (Single Point Failures) Determine impact on system Techniques FMEA: Failure Modes and Effects Analysis FMECA: Failure Modes, Effects and Criticality Analysis ETA: Event Tree Analysis FTA: Fault Tree Analysis HAZOP: HAZard and OPerability studies far@ucalgary.ca 50

49 FMEA FMEA is a technique to identify and prioritize how items fail, and identify the effects of failure. FMEA is used when Designing products or processes, to identify and avoid failure-prone designs. Investigating why existing systems have failed and to identify possible causes. Investigating possible solutions, to help select one with an acceptable risk. Planning actions, in order to identify risks in the plan and hence identify countermeasures. far@ucalgary.ca 51

50 FMEA: Usage Industries that frequently use FMEA: Consumer products: toys/home appliances/home electronics Automotive industry Aero/space: Boeing, NASA Defence industry: DoD Process industries, e.g., oil and gas, chemical plants industrial control systems Software industry? not quite popular yet 52

51 FMEA: When? FMEA cannot be done until design has proceeded to the point that system elements have been selected at the level the analysis is to explore in software system after software architecture is finalized (requirement volatility kills FMEA!) FMEA can be done anytime in the system lifetime, from initial design onward 53

52 FMEA: Process /1 Define the system to be analyzed, and obtain necessary drawings, charts, descriptions, diagrams, component lists. Know exactly what you re analyzing; is it an area, activity, equipment? all of it, or part of it? What targets are to be considered? What mission phases are included? Break the system down into convenient and logical elements. System breakdown can be either functional (according to what the System elements do ), or geographic/architectural (i.e., according to where the system elements are ), or both (i.e., functional within the geographic, or vice versa). Establish a coding system to identify system elements. Analyze (FMEA) the elements. far@ucalgary.ca 54

53 FMEA: Process /2 FMEA Outputs Spreadsheet documenting each failure mode possible causes possible consequences ces possible remedies Usually computer records kept 55

54 FMEA Questions Identification: How ( i.e., in what ways) can this element fail (failure modes)? Ramification: What will happen to the system and its environment if this element does fail in each of the ways available to it (failure effects)? Prevention: What needs to be done to prevent or mitigate the problem? far@ucalgary.ca 56

55 FMEA: How to /1 Interface matrix Reflects how components of the system are connected & function together Components Components 57

56 FMEA: How to /2 58

57 FMEA Template Sample FMEA template N o. Part Name Part No. Function Failure Mode Mechanisms & Causes of Failure Effect(s) of Failure Current Control P.R.A. P S D R Recommended Corrective Action Action Taken 1 Position Controller Receive a demand position Loose cable connection Incorrect demand Wear and tear Operator error Motor fails to move Position controller breakdown Replace faulty wire QC checked Intensive training for signal in a long-run operators. P = Probabilities (chance) of occurrences S = Seriousness of failure D = Likelihood that the defect will reach the customer R = Risk priority measure (P x S x D) 1 = very low or none 2 = low or minor 3 = moderate or significant 4 = high 5 = very high or catastrophic far@ucalgary.ca 59

58 FMEA: Benefits Discover potential single-point failures. Assesses risk (FMECA) for potential, single-element failures for each identified target, within each mission phase. Knowing these things helps to: Optimize i reliability, hence mission i accomplishment. Guide design evaluation and improvement. Guide design of system to fail safe or crash softly. Guide design of system to operate satisfactorily using equipment of low reliability. Guide component/manufacturer selection. far@ucalgary.ca 60

59 FMEA: Limitations FMEA will find and summarize system vulnerability in terms of SPFs, and dit requires lots of ftime, money, and effort to do so. What if several SPFs are identified? Developing SPF paranoia leading to total system redundification! But SPFs are abundant and we encounter them daily, yet continue to function. Most system nastiness failures come from complex threats, not from SPFs don t ignore SPFs, just keep them in perspective. far@ucalgary.ca 61

60 FMEA: Summary Method: from known or predicted failure modes of components, determine possible effects on system Good for hazard identification early in development, by considering possible failures of system functions: loss of function (omission failure) function performed incorrectly function performed when not required (commission failure) No good for concurrent multiple failures No good when requirements change 62

61 Fault Tree Analysis (FTA) Fault tree analysis is a graphical representation of the major faults or critical failures associated with a product, the causes for the faults, and potential countermeasures. FTA helps identify areas of concern for new system design or for improvement of existing systems. It also helps identify corrective actions to correct or mitigate problems. FTA can also be defined as a graphic model of the pathways within a system that can lead to a foreseeable, undesirable event. The pathways interconnect contributory events and conditions, using standard logic symbols. Fault tree analysis is useful both in designing new systems, products or services or in dealing with identified problems in existing products/services. As part of process improvement, it can be used to help identify root causes of trouble and to design remedies and countermeasures. far@ucalgary.ca 63

62 Steps in FTA FMEA (Failure Modes and Effects Analysis) determines the failure modes that are likely to cause failure events. Then it determines what single or multiple l point failures could produce those top level l events. FMEA asks the question, What can go wrong? even if the product meets specification. In order to perform FTA one first needs to perform FMEA. far@ucalgary.ca 65

63 FTA: Example 1 far@ucalgary.ca 66

64 FTA: Example 2 Tank overflow AND Inlet Valve B Outlet closed Inlet valve failed Inlet open OR Wrong control to inlet valve OR Controller X Y Outlet Valve A Controller failed Sensor X fails AND Sensor Y fails far@ucalgary.ca 67

65 FTA: Benefits & Limitations Benefits: The primary advantages of fault tree analyses are the meaningful ldata they produce which h allow evaluation and improvement of the overall reliability of the system. It also evaluates the effectiveness of and need for redundancy. Limitation: The undesired event evaluated must be foreseen and all significant contributors to the failure must be anticipated. This effort may be very time consuming and expensive. Finally, the overall success of the process depends on the skill of the analyst tinvolved. far@ucalgary.ca 68

66 FTA: Summary Method: trace faults stepwise back through system design to possible causes a tree with a top event at the root logic gates at branches, linking each event with its immediate causes initiating faults at leaves (eventually) Good for tracing system hazards to component failures, and allocating safety requirements Good for systems with multiple failures Good for checking completeness of safety requirements Can be difficult, time-consuming, hard to maintain far@ucalgary.ca 69

67 70