Safety Analysis Using Petri Nets

Similar documents
Time Petri Nets. Miriam Zia School of Computer Science McGill University

NONBLOCKING CONTROL OF PETRI NETS USING UNFOLDING. Alessandro Giua Xiaolan Xie

On Qualitative Analysis of Fault Trees Using Structurally Persistent Nets

Safety and Reliability of Embedded Systems

ELE 491 Senior Design Project Proposal

Time(d) Petri Net. Serge Haddad. Petri Nets 2016, June 20th LSV ENS Cachan, Université Paris-Saclay & CNRS & INRIA

DVClub Europe Formal fault analysis for ISO fault metrics on real world designs. Jörg Große Product Manager Functional Safety November 2016

Fault Tolerance. Dealing with Faults

Degradable Agreement in the Presence of. Byzantine Faults. Nitin H. Vaidya. Technical Report #

Stochastic Petri Net. Ben, Yue (Cindy) 2013/05/08

Dependable Computer Systems

Multi-State Availability Modeling in Practice

CSC501 Operating Systems Principles. Deadlock

Time and Timed Petri Nets

Methods for the specification and verification of business processes MPB (6 cfu, 295AA)

A Canonical Contraction for Safe Petri Nets

CS 453 Operating Systems. Lecture 7 : Deadlock

Overview. Discrete Event Systems Verification of Finite Automata. What can finite automata be used for? What can finite automata be used for?

Who needs a spotter? AGENDA Role of a Spotter Circle of Safety Parking Practices

Georg Frey ANALYSIS OF PETRI NET BASED CONTROL ALGORITHMS

Clocks in Asynchronous Systems

Reliability of Technical Systems

Hazard Communica tion

Why fault tolerant system?

The State Explosion Problem

Terminology and Concepts

Overview of Control System Design

Evaluation and Validation

Information-Theoretic Lower Bounds on the Storage Cost of Shared Memory Emulation

9. Reliability theory

AGREEMENT PROBLEMS (1) Agreement problems arise in many practical applications:

SAFETY GUIDED DESIGN OF CREW RETURN VEHICLE IN CONCEPT DESIGN PHASE USING STAMP/STPA

Chapter 12. Spurious Operation and Spurious Trips

UNIVERSITY OF MASSACHUSETTS Dept. of Electrical & Computer Engineering. Fault Tolerant Computing ECE 655

INSTALLATION INSTRUCTIONS ATV PLOW ACCESSORY Plow Mounting Kit:Warn PN Application:2002 and newer+ Suzuki Eiger 400

Coloured Petri Nets Based Diagnosis on Causal Models

Computation Tree Logic (CTL) & Basic Model Checking Algorithms

INSTALLATION INSTRUCTIONS ATV SNOW PLOW Mounting Kit: PN Application: HONDA MODELS: 450S AND 450ES

Time Dependent Analysis with Common Cause Failure Events in RiskSpectrum

Do we have a quorum?

INSTALLATION INSTRUCTIONS ATV SNOW PLOW Mounting Kit: PN Application: HONDA 300

FOURIER-MOTZKIN METHODS FOR FAULT DIAGNOSIS IN DISCRETE EVENT SYSTEMS

6.852: Distributed Algorithms Fall, Class 24

Towards optimal synchronous counting

Reliability Analysis of an Anti-lock Braking System using Stochastic Petri Nets

Fail-Safe Testing of Safety-Critical Systems

Specification models and their analysis Petri Nets

LIGHTNING SAFETY #24 CONSTRUCTION SAFETY EDUCATION PROGRAM

Testing Safety-critical Discrete- State Systems Mathematical Foundations and Concrete Algorithms

A Practical Implementation of Maximum Likelihood Voting *

Service Information Letter SIL # 017

Process Safety. Process Safety and Hazard Assessment Avoiding Incidents in the Lab and in the Plant

Safety and Reliability of Embedded Systems. (Sicherheit und Zuverlässigkeit eingebetteter Systeme) Fault Tree Analysis Obscurities and Open Issues

PRODUCT SPECIFICATION FREQUENCY COMPONENTS. ZTB Series CERAMIC RESONATOR SPECIFICATION. MOBICON HOLDINGS LTD. Prepared By Sign.

THE simulation of a continuous or discrete time system

Coordination. Failures and Consensus. Consensus. Consensus. Overview. Properties for Correct Consensus. Variant I: Consensus (C) P 1. v 1.

A hybrid Markov system dynamics approach for availability analysis of degraded systems

Instruction. Vacuum Circuit Breaker Operator Module. Type 3AH 4.16kV to 38kV. Power Transmission & Distribution

7. Queueing Systems. 8. Petri nets vs. State Automata

B.H. Far

Lamp and Control Panel (Lamp Panel)

Safety analysis and standards Analyse de sécurité et normes Sicherheitsanalyse und Normen

Efficient diagnosability assessment via ILP optimization: a railway benchmark

Quantitative evaluation of Dependability

Automatic Generation of Polynomial Invariants for System Verification

CHAPTER 3 ANALYSIS OF RELIABILITY AND PROBABILITY MEASURES

State-Space Exploration. Stavros Tripakis University of California, Berkeley

Evaluation criteria for reliability in computer systems

HHPS WHMIS. Rules MSDS Hazard Codes Systems. Biology based. Chemistry based. Safety Symbols. Safety in the Lab. Lab Equipment

Safety Instrumented Systems & Functional safety of safety-related systems. A substantial new opportunity for Pfannenberg Signaling products

Evaluation and Validation

Lecture 1: Contraction Algorithm

Type B xxx/60. Snowplough // USER MANUAL Version 1.0 EN. Art.Nr.:

R E A D : E S S E N T I A L S C R U M : A P R A C T I C A L G U I D E T O T H E M O S T P O P U L A R A G I L E P R O C E S S. C H.

See if you can find these 10 saw words in the puzzle below. To double the fun, each one appears twice.

Synchronisation and Cancellation in Workflows based on Reset nets

Mean fault time for estimation of average probability of failure on demand.

Quantification of the safety level of a safety-critical control system K. Rástočný 1, J. Ilavský 1

Zone-based Synthesis of Timed Models with Strict Phased Fault Recovery

INSTALLATION INSTRUCTIONS ATV SNOW PLOW Mounting Kit: PN Application: HONDA 400

Service Call: Rotation Bearing Deflection Test. Dial Indicator with Magnetic Base Maintenance Manual for the Unit Being Tested

WARNING. INJURY HAZARD Failure to observe these instructions could lead to severe injury or death.

AS STANDARD

Reliability of Safety-Critical Systems 5.4 Petrinets

CS505: Distributed Systems

INSTALLATION INSTRUCTIONS FRONT PLOW MOUNT KIT Part Number: Application: Polaris Sportsman 400, 500, 800

Derating of the MOSFET Safe Operating Area Outline:

M2 SERIES THERMOSTATS 0 F to 240 F, Narrow Differential, Hermetically Sealed ½

Petri nets. s 1 s 2. s 3 s 4. directed arcs.

Reliability of Technical Systems

Formal Specification and Verification of Task Time Constraints for Real-Time Systems

ANALYSIS OF INDEPENDENT PROTECTION LAYERS AND SAFETY INSTRUMENTED SYSTEM FOR OIL GAS SEPARATOR USING BAYESIAN METHODS

c 2014 Vijayalakshmi Deverakonda

Reliability of Technical Systems. Advanced Methods for Systems Modelling and Simulation I : Petri Nets

Class Note #20. In today s class, the following four concepts were introduced: decision

Alternating Current (AC): Alternating Current is electric current that reverses directions at regular intervals.

1 Introduction. 1.1 The Problem Domain. Self-Stablization UC Davis Earl Barr. Lecture 1 Introduction Winter 2007

Complete Model-based Testing in Practise

A Review of Petri Net Modeling of Dynamical Systems

EXCEPTIONAL CLOSURES - CHECKLIST FOR GOOSTREY COMMUNITY PRIMARY SCHOOL

Transcription:

Safety Analysis Using Petri Nets IEEE Transactions on Software Engineering (1987) Nancy G. Leveson and Janice L. Stolzy Park, Ji Hun 2010.06.21

Introduction Background Petri net Time petri net Contents Safety analysis Adding failure to the analysis Example of safety analysis Conclusion Discussion 2 / 27

Motivation Introduction Safety is important especially when it involves serious danger to human life and property Software safety should be considered as a whole system including hardware and human, and they can be represented by Petri net In real-time safety critical system, timing information is very important Goal of this paper Suggest how to identify high-risk states and eliminate them Suggest how to analyze failure using Petri net 3 / 27

Background (1/3) Petri net Places P Transitions T Input functions I Output functions O Initial marking 0 enabled (firable) enabled (firable) T I( t I( t I( t { t 0 1 2 3 1 1, t 2 P1 P2 P { P, P 2, t ) { P} 1 ) { P } 2 ) { P } 3 t2 } t1, P } 3 {1,0,0} 3 O( t O( t O( t 1 2 3 P3 t3 ) { P 2 ) {} ) {} enabled (firable), P } 3 4 / 27

Background (2/3) Petri net(cont d) Reachability graph Next-state function P1 t1 P2P3 1 2 P1 t3 t2 3 4 P2 P3 t1 P3 t2 t3 P2 5 t2 t3 ( 1, t1) 2, t3) 2, t2) ( 2 3 ( 4... 5 / 27

Background (3/3) Time petri net Places P Transitions T Input functions I Output functions O Initial marking 0 Reachability graph Next state function Min and Max When the transition Must wait at least during If wait more than t i Max( t i is enabled, ) Min( t i ), It should be fired Can t be fired Firable Must be fired P1 enabled Min ( t i ) Max( t i ) t1 P3 enabled P2 t2 t3 enabled Max( t2) Min( t3) 6 / 27

Mishap and hazard Safety analysis (1/6) Mishap : An unplanned event or series of events that results in death, injury or damage to property or equipment Hazard : A set of conditions which could cause a mishap Properties of hazard Severity : High-risk and low-risk Probability : Not considered in this paper 7 / 27

Safety analysis (2/6) Example of safety-critical system Approach P1 t1 Before Crossing P2 P5 t4 P9 P11 Up t2 P6 t6 t7 Within P3 t3 P7 P10 P12 Railroad Crossing Gate Down P8 Past P4 Train Computer t5 Hazardous and high-risk when both P3 and P11 have tokens : Gate is up when the train is passing 8 / 27

Safety analysis (3/6) Rechability graph P1P6P11 t1 t2 P2P5P6P11 t4 P3P5P6P11 P2P7P9P11 t4 t2 t7 t3 P4P5P6P8P11 P3P7P9P11 P2P7P12 t4 t3 t7 t2 P4P7P8P9P11 P3P7P12 t5 t7 t3 P4P6P9P10P11 P4P7P8P12 t7 P4P6P10P12 t6 P4P6P11 t5 : Hazardous state 9 / 27

Safety analysis (4/6) Identifying high-risk state Problem of creating full reachability graph Size of the graph is impractically large for a complex system Backward analysis Testing whether the high-risk states are reachable Using Inverse Petri net which is inversed each transition s input places with output places Problem of Backward analysis Useful only considering small number of high-risk states Possibly as large as or even larger than original graph The author s solution Using particular type of state named critical state Don t need entire backward reachability graph

Critical states Algorithm Safety analysis (5/6) Low-risk states which has both transitions toward highrisk states and low-risk states By selecting for low-risk states way, high-risk states can be avoided Get possible prior states of high-risk states Get possible descending states of prior states Identifying critical states Critical state P3P10P12* Critical state P2P11* t3 t6 t2 t7 P4P8P10P12* Low-risk state P3P11* High-risk state P2P12* Low-risk state 11 / 27

Safety analysis (6/6) Eliminating high-risk state Inter lock One event always precedes another events Time constraint Max t ) Min( ( 2 t1 Determined using reachability graph ) Example using interlock t1 I t2 P1P6P11 t1 P2P5P6P11 t4 t2 P2P7P9P11 t7 IP2P7P12 No hazardous state!! P3P7P12 t3 P4P7P8P12 t5 P4P6P10P12 t6 P4P6P11

Adding failures to the analysis (1/9) Type of control failures A required event that does not occur An undesired event An incorrect sequence of required events Timing failures in event sequences IEEE definition of failure (IEEE Std1633-2008) The inability of a system or system component to perform a required function within specified limits 13 / 27

Adding failures to the analysis (2/9) Representation of control failure Previous work Loss of tokens Hard to know circumstance of the failure Author s suggestion Failure transition and place Legal transition( T ) and Failure transition( ) L TF Legal place( ) and Failure place( ) P L P F Counter place t1 t f t 1 t f fault Desired event does not occur Undesired event occurs 14 / 27

Adding failures to the analysis (3/9) Representation of control failure(cont d) Legal and faulty state Legal state is legal state, iff from initial state path( sequence of transition ) s, s TL*, Faulty state is faulty state, iff from initial state t f T f and t f s 0 *(, s) path( sequence of transition ) s, *(, s), Fault reachability graph 0 0 0 Initial state Faulty state t f t f Legal state Faulty state t f 15 / 27

Adding failures to the analysis (4/9) Qualities of design associated with failure Recoverability After failure, the control of process is not lost and will return to normal execution within an acceptable amount of time Fault-tolerance The system continues to provide full performance and functional capabilities in the presence of faults Fail-safe The system limits the amount of damage caused by failure and functional requirement could be not satisfied 16 / 27

Adding failures to the analysis (5/9) Recoverability Definition Number of faulty states are finite There are no terminal faulty node There are no directed loops including only faulty states The sum of maximum times on all paths from the failure transition to correct state is less than a predefined acceptable amount of time Problem Once a permanent failure has occurred, the state cannot return to normal unless some repair action has taken place Normal state(with spare tire) Failure(flat tire) Recovered but not normal (no spare tire)

Adding failures to the analysis (6/9) Correct behavior path Definition Path in reachability graph which contains no failure transition Fault-tolerant Definition ( 1 i, ti) i, for i 1.. n and A correct behavior path is a subsequence of every path from initial to any terminal state Sum of maximum times on all paths is less than predefined acceptable amount of time for path t... 1 tn from 0 Max( t j ) T acceptable to, for j n t i 1... n T L 18 / 27

Adding failures to the analysis (7/9) Fault-tolerant(cont d) Correct behavior path : Initial to final path : t t t t t 1 2 4 8 10 t t t t t t t 1 f 2 R 4 8 10 Takes time no more than Tacceptable Meaning of Fault-tolerant Even if some initial to terminal path has failure transition, the system should be recovered and perform adequately Even if there is failure transition, sum of execution times is less than predefined time 19 / 27

Adding failures to the analysis (8/9) Example of fault-tolerant system t2 t f P3 t3 When failure occurs, R could fire then it puts token in P1 t1 P2 F W P1 R P4 t4 R is firable any time after firing of t1 Time constraint is needed Min( R) Max( t2) Max( t3) Max( t4) 20 / 27

Adding failures to the analysis (9/9) Fail-safe Definition All paths from a failure F contain only low-risk states sequence Property f and sequences s 2 s 1 and high risk states *( The system may never get back to a legal state h such that *(, s F) 0 1 f f, s 2 ) h Possible way to design the system The system may be n-fault-tolerant and n+1 fail-safe The system may be fault-tolerant but not fail-safe 21 / 27

Example of safety analysis (1/3) Analysis approach Consider only those failures with the most serious consequences Add fault-detection and recovery devices to minimize the risk of a mishap (fault-tolerant) If risk can not be lowered, (e.g., unacceptable probability it fails or uncontrollable variables such as human error involved) Add hazard-detection and risk-minimization mechanisms (fail-safe)

Example of safety analysis (2/3) Adding failure example Gate failure : premature gate raising Human failure : ignoring warning signal Program failure: Fake signal from controlling computer 23 / 27

Example of safety analysis (3/3) Failure analysis example with recovery transition P1 P5 t4 t1 P9 P2 t2 P6 R2 R1 t6 P11 Up t7 R1 : lower gate when it should be down P3 P4 t3 P7 P8 t5 P10 f5 P12 Down R2 : ignore spurious control signal Train P14 I Computer Counter for failure 24 / 27

Contribution Conclusion Suggest critical state algorithm eliminating high-risk states without generating whole reachability graph Suggest model to analysis failure using Petri net Future work Considering probability of hazard occurring not only its severity Verifying formally whether the algorithm really generate high-risk free design 25 / 27

Limitation Discussion Because of the time, the meaning of each words are little bit different In the failure analysis, how to represent of timeassociated failure is not suggested There is no example of fail-safe mechanism Lack of formal verification 26 / 27

About author She was a computer science professor of UC Irvine, University of Washington Now she is professor of MIT Authority on software safety(safety critical real time system) [safe ware : System safety and computers] is published 1995 28 / 27

Failure Definition of terms Nonperformance or inability of the system or component to perform its intended function for a specified time under specified environmental conditions Accident An undesired and unplanned event that result in a specified level of loss Hazard A state or set of conditions of a system that will lead inevitably to an accident(loss event) From Safeware(1995, NG. Leveson)

Recoverability Formal definition Number of states are finite Recoverability cardinality( F ) There are no terminal faulty node for F, t T suchthat (, ti) ' There are no directed loops including only faulty states sequence (, t i i ) i 1 t... t 1 n such that for The sum of maximum times on all paths from the failure transition to correct state is less than a predefined acceptable amount of time Max( t i 1 for i 1.. n 1 and for path ( t1... tn) from 1 F to 2 j ) T acceptable for j 1.. n F, n 1 L 30 / 27

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback