r. Matthias Bretschneider amburg - Dept. Safety Fehleranalyse mit Hilfe von Model Checkern

Similar documents
Bounded Model Checking with SAT/SMT. Edmund M. Clarke School of Computer Science Carnegie Mellon University 1/39

Ranking Verification Counterexamples: An Invariant guided approach

Abstractions and Decision Procedures for Effective Software Model Checking

Integrating Induction and Deduction for Verification and Synthesis

IC3 and Beyond: Incremental, Inductive Verification

SAT-Based Verification with IC3: Foundations and Demands

Nonlinear Control as Program Synthesis (A Starter)

Risk Analysis of Highly-integrated Systems

Verifying Temporal Properties of Reactive Systems: A STeP Tutorial *

MODEL CHECKING. Arie Gurfinkel

Safety analysis and standards Analyse de sécurité et normes Sicherheitsanalyse und Normen

Scalable and Accurate Verification of Data Flow Systems. Cesare Tinelli The University of Iowa

Algorithmic verification

Understanding IC3. Aaron R. Bradley. ECEE, CU Boulder & Summit Middle School. Understanding IC3 1/55

Proving Safety Properties of the Steam Boiler Controller. Abstract

Joint work with Marie-Aude Esteve, Joost-Pieter Katoen, Bart Postma and Yuri Yushtein.

Deductive Verification

Formal Verification Techniques. Riccardo Sisto, Politecnico di Torino

Software Verification

Lecture 2: Symbolic Model Checking With SAT

Ivy: Safety Verification by Interactive Generalization

Linear Temporal Logic and Büchi Automata

Computation Tree Logic (CTL) & Basic Model Checking Algorithms

Software Verification using Predicate Abstraction and Iterative Refinement: Part 1

Overview. Discrete Event Systems Verification of Finite Automata. What can finite automata be used for? What can finite automata be used for?

Topics in Model-Based Reasoning

Scenario Graphs and Attack Graphs

Predicate logic. Predicates and Boolean Expressions. V =100 I expresses a relationship between quantities identified

PLEASE DO NOT REMOVE THIS PAGE

A systematic strategy to perform quantitative safety assessment of Simulink diagrams using Prism - Technical Report

SAT-based Model Checking: Interpolation, IC3, and Beyond

SAT-Solving: From Davis- Putnam to Zchaff and Beyond Day 3: Recent Developments. Lintao Zhang

Lecture 03: Duration Calculus I

FAULT-TOLERANT CONTROL OF CHEMICAL PROCESS SYSTEMS USING COMMUNICATION NETWORKS. Nael H. El-Farra, Adiwinata Gani & Panagiotis D.

Model Checking: An Introduction

REAL-TIME control systems usually consist of some

Temporal Logic. M φ. Outline. Why not standard logic? What is temporal logic? LTL CTL* CTL Fairness. Ralf Huuck. Kripke Structure

Alan Bundy. Automated Reasoning LTL Model Checking

Predicate Abstraction: A Tutorial

The State Explosion Problem

3-Valued Abstraction-Refinement

Automata-based Verification - III

A Short Introduction to Hoare Logic

Model Checking, Theorem Proving, and Abstract Interpretation: The Convergence of Formal Verification Technologies

Reasoning with Quantified Boolean Formulas

Revisiting Synthesis of GR(1) Specifications

Optimal Metric Planning with State Sets in Automata Representation [3]

Methods for Software Verification. Andrea Corradini Gian Luigi Ferrari. Second Semester 6 CFU

The TLA + proof system

COEN6551: Formal Hardware Verification

12 - The Tie Set Method

Solving SAT Modulo Theories

Reliability of Technical Systems

An introduction to Uppaal and Timed Automata MVP5 1

Introduction to Logic in Computer Science: Autumn 2006

Automata-based Verification - III

Program Analysis Part I : Sequential Programs

Safety and Reliability of Embedded Systems. (Sicherheit und Zuverlässigkeit eingebetteter Systeme) Fault Tree Analysis Obscurities and Open Issues

Logic in Automatic Verification

Requirements Validation. Content. What the standards say (*) ?? Validation, Verification, Accreditation!! Correctness and completeness

Theorem Proving for Verification

Evaluation and Validation

Propositional Calculus - Hilbert system H Moonzoo Kim CS Division of EECS Dept. KAIST

DVClub Europe Formal fault analysis for ISO fault metrics on real world designs. Jörg Große Product Manager Functional Safety November 2016

Model Checking. Temporal Logic. Fifth International Symposium in Programming, volume. of concurrent systems in CESAR. In Proceedings of the

Introduction Algorithms Applications MINISAT. Niklas Sörensson Chalmers University of Technology and Göteborg University

Chapter 18 Section 8.5 Fault Trees Analysis (FTA) Don t get caught out on a limb of your fault tree.

A Brief Introduction to Model Checking

AP1000 European 19. Probabilistic Risk Assessment Design Control Document

Model-Based Safety Assessment with AltaRica 3.0

Section 3.1: Direct Proof and Counterexample 1

Linking Duration Calculus and TLA

Proving Real-time Properties of Embedded Software Systems 0-0

Active Fault Diagnosis for Uncertain Systems

Verification. Arijit Mondal. Dept. of Computer Science & Engineering Indian Institute of Technology Patna

Interpolant-based Transition Relation Approximation

Lecture 16: Computation Tree Logic (CTL)

Chapter 4: Computation tree logic

Counterexamples in Probabilistic LTL Model Checking for Markov Chains

Property Checking of Safety- Critical Systems Mathematical Foundations and Concrete Algorithms

- Introduction to propositional, predicate and higher order logics

Lecture Notes: Axiomatic Semantics and Hoare-style Verification

Notes. Corneliu Popeea. May 3, 2013

Model checking, verification of CTL. One must verify or expel... doubts, and convert them into the certainty of YES [Thomas Carlyle]

Hoare Logic and Model Checking

RISK-INFORMED OPERATIONAL DECISION MANAGEMENT (RIODM): RISK, EVENT TREES AND FAULT TREES

Inductive Theorem Proving

Reliability Analysis of Electronic Systems using Markov Models

Learning Abstractions for Model Checking

Stéphane Lafortune. August 2006

Helsinki University of Technology Laboratory for Theoretical Computer Science Research Reports 66

Introduction to Model Checking. Debdeep Mukhopadhyay IIT Madras

Probabilistic Model Checking and Strategy Synthesis for Robot Navigation

The Mechanical Generation of Fault Trees for State Transition Systems

Automata-Theoretic Model Checking of Reactive Systems

Propositions. c D. Poole and A. Mackworth 2010 Artificial Intelligence, Lecture 5.1, Page 1

CHAPTER 4 SOME METHODS OF PROOF

Automatic Generation of Safe Handlers for Multi-Task Systems

Bounded Model Checking

Real-Time Reactive System - CCS with Time Delays

Transcription:

r. Matthias Bretschneider amburg - Dept. Safety Fehleranalyse mit Hilfe von Model Checkern

otivation: Design of safe embedded systems X y Sensor(s) Controller Actuator Design Phase Study the effect of failures on system behaviour Objective: fault-tolerance no single failure may lead to catastrophic effects Approach Use formal models Apply model checker (do formal verification)

verview 1. Formal Models 2. Formal Verification 3. Failure Analysis 4. Case Study

ormal (dynamic) Models X System y x x(1), x(2), x(t-1),x(t),.. y(1), y(2),..,y(t),.. y Step t Output y(t) depends on previous inputs (State) Examples: y(t) = x(t) - x(t-1) y(t) = if x(t) then y(t-1) else y(t-2) Typically, X and Y are vectors. Switch Non-linear

roperties X SM Y System Example 1: Y > X Example 2: Whenever X(t)=true, then Y(t+2)=true (delayed reaction) X Y For each step t, a property P is either true or false. Its value is denoted by PO. X Y P PO Interfaces of property

erification of Properties P PO X SM Y Proof Obligation ( Claim ): For all valuations of input sequence (X(t),t=1,2,3, ), the output sequence yields PO= (true,true,true,..). Universal quantification over valuations and steps is made. Compare AG PO in temporal logics Existential quantification not considered here. The proof obligation is either true ( valid ) or false ( falsifiable ):

roof Obligation: Interpretation Step 1 2 3 4 5... X 0 0 0 0 0... PO true true true true true true Step 1 2 3 4 5... X 0 5 0 0 0... PO true true true true true true Step 1 2 3 4 5... X * * * * *... PO true true true true true true Arbitrary Input X Whatever the input X, the output PO is true The property always holds.

alsification by means of Counter-Examples P PO Y = X 2 P := (Y>X) X SM Y The property P is falsified by the following valuation: X(1) 0.5 Y(1) 0.25 PO(1) false Counter-Example has length 1.

ounter-examples (dynamic) - principle P PO X SM Y X(1) v 1, X(2) v 2,... X(t) v t, (sequence of length t ) PO(1)= PO(2) =..= PO(t-1)= true, and PO(t) = false Example 2: Whenever X(t)=true, then Y(t+2)=true (delayed reaction) X Y

roof Obligation - Strategies Proof Obligation ( Claim ): conjecture Valid? Use Prove Strategy Falsifiable? Use Debug Strategy search for Counter-Examples of length less than N steps Fast algorithm

rove Strategy Temporal Induction 1 Claim: property PO(t) always true (all inputs, all steps) Idea: Consider K consecutive steps of the automaton Base Case Initial State: z(0) = z 0, Steps t = 1, 2,, K Show: For all inputs x(t) I: PO(t) = true true? true? true? true? true? true? true? true? PO 1 2 K t When proof of Base Case fails Counter-Example

rove Strategy Temporal Induction 2 Induction Step K Steps: t = n, n+1,, n+k-1, n arbitrary y true true true true true true true? n n+1 n+k-1 t Initial State: z(n) Z ( free variable ) Assumption: For all steps t = n,, n+k-1, all x(t) I : PO(t) = true Prove: PO(n+K) = true When Induction Step fails, set k k+1

rove Strategy Temporal Induction 3 When base case and induction step are proved then you know: PO(t) = true holds for all t=1,2,3,. for all input sequences x(t) I Note: The analysis starts with K=1 Tool: Sat-Solver (Prover Technology, Stockholm) Algorithm works for finite state systems and some infinite state systems (Presburger Arithmetic, )

verview 1. Formal Models 2. Formal Verification 3. Failure Analysis 4. Case Study

ailure Analysis: Objectives SM 1 X 1 X 2 Task: Inject component failures Compute the propagation Determine effect on (Safety) Property U Y

njection of Failure Mode (principle) ilure Mode ontrol variable F F Failure On/Off Par switch Failure Model V F F=True Y U Nominal Behaviour V N F=False

etermine failure effect on Property Design variables Failure Mode variables X FM 1... FM L ESM Y P PO Failure On/Off Proof Obligation ( extended ) For all valuations of input sequence (X(t),FM(t), t=1,2,3, ), PO= (true,true,true,..) holds. Free variables: Failure ON/OFF

roof Obligation ( extended ) : Interpretation Step 1 2 3 4 5... X * * * * *... FM false true false false false... PO true true true true true true Step 1 2 3 4 5... X * * * * *... FM * * * * *... PO true true true true true true Arbitrary values Whatever the design input X, and whenever the Failure Modes occur, the property PO is true

xtended System Model (ESM) detailed analysis Output: Proof obligation is valid: Each Failure Mode has no impact on Requirement falsified: Some Failure Modes have an impact analyse counter-example: Analysis step by step: Restrict the number M of failure modes that can be triggered: M=0 : valid fault-free system satisfies property P M=1 : valid system tolerates single failures (w.r.t. P) M=2 : valid system tolerates double failures (w.r.t. P) New Concept Dynamic Cut Sets O

nalysis of Counterexample 1 dynamic cut set Counter example: sequence of values X Boolean vector true false FM 3 true false FM 2 Reduction of information 1 0 DCS {FM 1, FM 2 } true false Property P is violated FM 1 Forget: X input ordering duration 1

utput of Failure Analysis Scenarios showing when these failure occur (ordering, dependency on system state) List of (all) single, double, triple failures (if any) that violate the (safety) property P. From this the design engineer learns what he has to do to make his/her system fault-tolerant. Tool Fault Tree Manager (Prover Technology, Stockholm), developed within European research project ISAAC

ailure Analysis vs. Simulation Simulation The failure modes are triggered by hand. This is based on a decision when the failures become active (per step) how long the test sequence is No complexity problem Critical scenario might be overlooked. ( N.B. failure effect depends on system state) Failure Analysis based on model checking All scenarios will be considered (with respect to user-defined set of failure modes) Potential complexity problem (computation does not terminate)

verview 1. Formal Models 2. Formal Verification 3. Failure Analysis 4. Case Study

xample - Pressurized Air Ducts Valve Duct Overheat sensing element

solation Procedure in case of valve failure Pressurized air Valve failed open Leakage Close valve Pressurized air Isolation Procedure is implemented by Valve Control Logic

afety Requirements R1 R3 R1 Leaking sections shall be isolated from pressurized air sources. R2 This shall be possible with a single valve failed open. R3 Isolation shall be possible within time T C.

ummary Objective: Utilize Design Models to support traditional safety and reliability analysis techniques (FMEA, FTA). Approach. Use model checkers for exhaustive analysis ( find all critical scenarios ) By means of simulation you will find some scenarios. Limitation: state explosion problem Further information: EU research project ISAAC: Improvement of Safety Activities on Aeronautical Complex systems http://www.cert.fr/isaac/

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback