Safety and Reliability of Embedded Systems. (Sicherheit und Zuverlässigkeit eingebetteter Systeme) Fault Tree Analysis Obscurities and Open Issues

Similar documents
Safety and Reliability of Embedded Systems

Improving the Efficiency of Dynamic Fault Tree Analysis by Considering Gate FDEP as Static

Dynamic Fault Tree Analysis Based On The Structure Function

arxiv: v1 [cs.lo] 7 Dec Department of Electrical and Computer Engineering,

Probabilistic Algebraic Analysis of Fault Trees With Priority Dynamic Gates and Repeated Events

On Qualitative Analysis of Fault Trees Using Structurally Persistent Nets

12 - The Tie Set Method

Chapter 5. System Reliability and Reliability Prediction.

Assessing system reliability through binary decision diagrams using bayesian techniques.

Quantification of Temporal Fault Trees Based on Fuzzy Set Theory

Stochastic Petri Net. Ben, Yue (Cindy) 2013/05/08

The Applications of Inductive Method in the Construction of Fault Trees MENG Qinghe 1,a, SUN Qin 2,b

Causal & Frequency Analysis

Formal Fault Tree Semantics

The d-or Gate Problem in Dynamic Fault Trees and its Solution in Markov Analysis

Risk Analysis of Highly-integrated Systems

Quantitative Safety Analysis of Non-Deterministic System Architectures

Dependable Computer Systems

Knowledge representation DATA INFORMATION KNOWLEDGE WISDOM. Figure Relation ship between data, information knowledge and wisdom.

Reliability of Technical Systems

Joint work with Marie-Aude Esteve, Joost-Pieter Katoen, Bart Postma and Yuri Yushtein.

Quantitative Reliability Analysis

Quantitative evaluation of Dependability

Modeling Common Cause Failures in Diverse Components with Fault Tree Applications

RISK-INFORMED OPERATIONAL DECISION MANAGEMENT (RIODM): RISK, EVENT TREES AND FAULT TREES

MODELLING DYNAMIC RELIABILITY VIA FLUID PETRI NETS

System Reliability Analysis. CS6323 Networks and Systems

Software Testing Lecture 5. Justin Pearson

Simple Neural Nets for Pattern Classification: McCulloch-Pitts Threshold Logic CS 5870

A New 3-CNF Transformation by Parallel-Serial Graphs 1

Stéphane Lafortune. August 2006

Basing Decisions on Sentences in Decision Diagrams

Model-Based Safety Assessment with AltaRica 3.0

Introduction to Temporal Logic. The purpose of temporal logics is to specify properties of dynamic systems. These can be either

Multi-State Availability Modeling in Practice

Lecture 05: High-Level Design with SysML. An Introduction to SysML. Where are we? What is a model? The Unified Modeling Language (UML)

Reliability Analysis of Power Substation with Common Cause Failure

Propositional Logic: Models and Proofs

Requirements Validation. Content. What the standards say (*) ?? Validation, Verification, Accreditation!! Correctness and completeness

Propositional Logic. Spring Propositional Logic Spring / 32

Model Checking: An Introduction

Module No. # 03 Lecture No. # 11 Probabilistic risk analysis

SAT Solvers: Theory and Practice

Failures in Process Industries

Data Mining and Machine Learning

Chapter 1 Introduction to System Dynamics

The Strength of Multilinear Proofs

Uncertainty and Bayesian Networks

A brief introduction to Logic. (slides from

Packet #1: Logic & Proofs. Applied Discrete Mathematics

Fuzzy Temporal Fault Tree Analysis of Dynamic Systems

Analytical Calculation of Failure Probabilities in Dynamic Fault Trees including Spare Gates

Algebraic modelling of Dynamic Fault Trees, contribution to qualitative and quantitative analysis

Propositional natural deduction

Two-Valued Logic Programs

UNIVERSITY OF MASSACHUSETTS Dept. of Electrical & Computer Engineering. Fault Tolerant Computing ECE 655

LOGIC PROPOSITIONAL REASONING

First Order Logic: Syntax and Semantics

Reliable Computing I

Introduction Phased mission system (PMS) consists of consecutive, non-overlapping time periods, called phases during which the system conguration, suc

Logic As Algebra COMP1600 / COMP6260. Dirk Pattinson Australian National University. Semester 2, 2017

Decision Procedures for Satisfiability and Validity in Propositional Logic

Section 2.1: Introduction to the Logic of Quantified Statements

Georg Frey ANALYSIS OF PETRI NET BASED CONTROL ALGORITHMS

Reliability Analysis of an Anti-lock Braking System using Stochastic Petri Nets

Overview. Discrete Event Systems Verification of Finite Automata. What can finite automata be used for? What can finite automata be used for?

Introduction to Artificial Intelligence Propositional Logic & SAT Solving. UIUC CS 440 / ECE 448 Professor: Eyal Amir Spring Semester 2010

Quantitative evaluation of Dependability

Topic 1: Propositional logic

Stochastic Simulation.

CS357: CTL Model Checking (two lectures worth) David Dill

Hardware Design I Chap. 2 Basis of logical circuit, logical expression, and logical function

Today s Lecture. Lecture 4: Formal SE. Some Important Points. Formal Software Engineering. Introduction to Formal Software Engineering

Unit 1. Propositional Logic Reading do all quick-checks Propositional Logic: Ch. 2.intro, 2.2, 2.3, 2.4. Review 2.9

Fault Tolerant Computing CS 530 Software Reliability Growth. Yashwant K. Malaiya Colorado State University

6.1 Dependability Modeling. General Rules. Analysis

The TLA + proof system

Boolean decision diagrams and SAT-based representations

Safety analysis and standards Analyse de sécurité et normes Sicherheitsanalyse und Normen

Conjunction: p q is true if both p, q are true, and false if at least one of p, q is false. The truth table for conjunction is as follows.

Lecture 2. Logic Compound Statements Conditional Statements Valid & Invalid Arguments Digital Logic Circuits. Reading (Epp s textbook)

An Independence Relation for Sets of Secrets

STOCHASTIC MODELS FOR RELIABILITY, AVAILABILITY, AND MAINTAINABILITY

Dependability Analysis

Logic Propositional logic; First order/predicate logic

Modal Dependence Logic

From Causality, Second edition, Contents

Chapter 18 Section 8.5 Fault Trees Analysis (FTA) Don t get caught out on a limb of your fault tree.

Part 3: Fault-tolerance and Modeling

On the Sizes of Decision Diagrams Representing the Set of All Parse Trees of a Context-free Grammar

Propositions and Proofs

Introduction to Theoretical Computer Science

ASTRA 3.0: LOGICAL AND PROBABILISTIC ANALYSIS METHODS

Description Logics. Deduction in Propositional Logic. franconi. Enrico Franconi

Application of the Cause-Consequence Diagram Method to Static Systems

COMP2411 Lecture 10: Propositional Logic Programming. Note: This material is not covered in the book. Resolution Applied to Horn Clauses

Designing and Evaluating Generic Ontologies

Last Time. Inference Rules

CS1021. Why logic? Logic about inference or argument. Start from assumptions or axioms. Make deductions according to rules of reasoning.

Improving the analysis of dependable systems by mapping fault trees into Bayesian networks

Transcription:

(Sicherheit und Zuverlässigkeit eingebetteter Systeme) Fault Tree Analysis Obscurities and Open Issues

Content What are Events? Examples for Problematic Event Semantics Inhibit, Enabler / Conditioning Events, The Use of NOT Generalization vs. Causation Gates Issues about Decomposition Deficiencies of Classical Module Concept Component Fault Trees Temporal Functions / Temporal Relations between Events Dependencies Repeated Events Spares and Spare Pools Integration with Other Models FTA for Software Formal Semantics for FTA 2

What are Events? In probability theory, everything that is true with a certain probability is called event In software / systems engineering (and in common language), an event is something occurring at a given point in time In FTA, events can be All of them may be useful, but specify clearly what you mean Sudden events ("Bolt breaks") States or conditions ("Valve is blocked") (Informal) propositions ("Fire is not detected by supervisor") Note the differences regarding probabilities States / propositions have a probability (at a given time) Events have a probability density or rate (Out-dated) DIN 25424 features appropriate formulas for probability and probability density 3

Examples for Problematic Event Semantics Priority AND: Output event occurs when all input events occur in a specific order If FT events are sudden events: When does output event occur? E.g. simultaneously to the last of the input events If output event is a logical proposition: The proposition is true (all the time!), if the input events do occur in the right order But can input events also be propositions then? How can then Input 1 occur before Input 2? If FT events are states / conditions / predicates that can be true or false at given times Input 1 can become true before Input 2 Output condition is true upon the time when the last input condition is true 4 Safety and Reliability of Embedded Systems

Inhibit, Enabler / Conditioning Events Inhibit: Output event occurs when input event occurs and inhibit event is not true Inhibit event has state / condition semantics Sometimes enabler events (states) are distinguished from initiator events (trigger semantics) Separate symbols are available Basic Event / Initiator Conditioning Event / Enabler 5

The Use of NOT A FT without NOT is called "coherent" "A system can never get better if more components fail" Some NOTs are virtual (e.g. in transcriptions of voter, XOR,...) If FT events are sudden events How can their occurrence be negated? In this case, NOT makes no sense If FT events are states / conditions / predicates / logical propositions Negation makes sense BDD algorithm can handle negated variables MCS based probability calculation is not suitable for negated events! Minimal cut sets Prime implicants (may contain negated events) cf. John Andrews: To Not or not to Not 6 Safety and Reliability of Embedded Systems

Generalization vs. Causation Gates Sometimes gates suggest causality Electrical short circuit OR defective gas tube fire Sometimes gates suggest generalization / decomposition Engine defective OR tire defective = car defective In original FT standards no distinction, some researchers do distinction Sometimes, two pairs of AND / OR are proposed [Gorski] Some say that AND means causation and OR means decomposition [FT Handbook] Whether or not FTs express causality at all can be discussed... 7 Safety and Reliability of Embedded Systems

Issues about Decomposition transfer 1 e1 = + e2 e1 transfer 1 e2 e3 e4 e3 e4 FTs are hierarchical by nature Traditionally, FTs are decomposed by modules (independent sub-trees) Each module is replaced by a single event with the same probability Each module can be analyzed independently Alternatively, partitioning into pages by transfer symbols 8

FT Decomposition by Modules System Sub-Component1 Modules are independent sub-trees e1 FT Module But: Technical components often influence each other e2 e3 e4 Technical components are not always modules! 9

Deficiencies of Classical Module Concept Module borders may be orthogonal to component borders Attachment of (partial) fault trees to components is not possible if components have external influences Division of labor (e.g. supplier/integrator) is not possible Modeling of some component by other models than fault trees is not possible Partitioning of fault trees into pages (using transfer ports) is a solution to some degree, but still no division of labor or reuse 10

Recent Approach: Component Fault Trees System Component1 Sub-Component1 System.out1 Comp1.out1 e1 p=0.4 = System.e1 p=0.4 Sub- Component1 : Component1 + e2 P=0.3 Comp1.in1 Comp1.e1 P=0.3 e3 P=0.1 e4 p=0.2 System.e2 P=0.1 System.e3 p=0.2 Here, component" means technical unit. Components are connected by ports like in architectural models. New paradigm: Components represent Boolean formulas 11

Temporal Functions Events can be understood as propositions that are true or false at each given point of time Supplying time functions instead of constant probabilities allows to plot reliability/availability function for the complete system Events can be exponentially distributed, Weibull distributed etc. Useful in combination with Markov analysis Mission time for each event or sub-component specifies time Important special case: Exponential distribution P(t) = 1- e - t, : Failure rate; P: Probability, that component has failed OR leads to an exponential function as gate output, but AND does not! Attention when representing events by their occurrence rate: Output function is not always exponential! 12 Safety and Reliability of Embedded Systems

Temporal Relations between Events Standard FTA is based on Boolean logic and cannot handle temporal sequences Priority AND expresses probability that event 1 occurs before event 2 Only useful if time functions (and not static probabilities) are used Probability of system failure before t is probability that E1 occurs before some intermediate point of time and E2 occurs after that point, accumulated for all points of time between 0 and t P ( t) E1 E2 failed 2 2 1 1 1 0 0 t f ( t ) t 2 f ( t ) dt dt 2 13

Dependencies Stochastic independence is an important assumption for combinatorial approaches Repeated events as special case of dependency can be handled by restructuring the Boolean formula For special cases (e.g. spares), there are solutions When probabilities are small, errors may be negligible if dependencies are not taken into account Correct calculation in presence of arbitrary dependency is only possible by statebased models Functional dependency gate in DFT allows to express secondary faults 14

Elimination of Repeated Events A A F A = 0,000199 1 1 E 1 E 2 E 2 E 3 F 1 = 0,01 F 2 = 0,01 F 3 = 0,01 E 1 F 1 = 0,01 E 3 E 2 F 3 = 0,01 F 2 = 0,01 By restructuring the Boolean formula, repeated events can be avoided 15

Repeated Events: Tree vs. DAG brake failure brake failure >=1 >=1 >=1 >=1 hose broken hose broken hose broken hose broken pressure supply failure Repeated event pressure supply failure Unique event pressure supply failure Not repeated, but same name Directed Acyclic Graphs (instead of trees) eliminate repeated events A namespace concept is desirable (implemented in Component Fault Trees) 16

Spares and Spare Pools A special case of dependency is the usage of spares System fails if primary unit fails and spare also fails or has already failed before While the primary unit is operating, spares fail not at all cold spare at a reduced rate (specified by a factor) warm spare at the normal rate (hot spare) Special spare gates have been proposed Spare pool: Not only one spare unit, but n spare units with identical failure rate 17 Safety and Reliability of Embedded Systems

Explicit Dependencies 18

Other ways to deal with dependencies Functional Dependency Gate (in some packages) Output event occurs necessarily if input occurs Output event can also occur spontaneously Many attempts have been made to bring special cases of dependency into FTA. At a certain point, state-based models (e.g. Markov chains) are a better fit (but analysis is usually much slower!) 19 Safety and Reliability of Embedded Systems

Integration with other models Fault trees can and should be integrated with Markov chains: to describe basic events in presence of dependencies Event trees: to describe consequences of the top-event Fault trees can and should be used in conjunction with FMEA other hazard analysis models (Preliminary Hazard Analysis, Common Cause Analysis,...) general systems and software modeling techniques Formal integration with software / systems modeling is desirable, but not yet achieved to a satisfactory degree 20 Safety and Reliability of Embedded Systems

FTA for Software FTA stems from an era when (at least) safety critical systems were purely electrical / mechanical They have "working/failed" semantics They cannot natively capture the dynamic nature of software There have been several attempts to apply FTA to software or to derive FTs from software partly based on source code statements partly based on statecharts or formal methods Applying FTA to software controlled systems is still an issue 21 Safety and Reliability of Embedded Systems

Is there a formal semantics for FTA? FTs are intuitive, but unclear semantics is an issue when constructing FTs automatically integrating FTs with other kinds of models using dynamic extensions Some recent research work about formalizing FTA formalizing the meaning of gates proving that FT is complete and consistent Different formalisms used Z (algebraic specification) Interval Temporal Logic, Duration Calculus (temporal/real time logic) Translation into Markov chains and different kinds of probabilistic Petri nets Formalization is not agreed upon. Different researchers use different approaches 22 Safety and Reliability of Embedded Systems

Literature Component Fault Trees Kaiser, B., Liggesmeyer, P., Mäckel, O.: A New Component Concept for Fault Trees. Proceedings of the 8th Australian Workshop on Safety Critical Systems and Software (SCS'03), Canberra Conferences in Research and Practice in Information Technology, Vol. 33. P. Lindsay T. Cant, Eds. Usage of Not Andrews J.D. "The Use of not Logic in Fault Tree Analysis", proceedings of the 14th ARTS, Advances in Reliability Technology Symposium, Manchester, Nov 2000 Priority AND, Dynamic Fault Trees, State-Event Fault Trees On The Quantitative Analysis Of Priority AND Failure Logic, IEEE Transactions On Reliability (R-25 No 5), 1976, p324-326, JB Fussell EF Aber RG Rahl Manian, R., Dugan, J. B., Coppit, D., and Sullivan, K. J. Combining various solution techniques for dynamic fault tree analysis of computer systems. In 3rd IEEE International High-Assurance Systems Engineering Symposium (1998), IEEE Computer Society, pp. 21-28. Kaiser, B., Gramlich, C.: State-Event-Fault-Trees - A Safety Analysis Model for Software Controlled Systems. Safecomp 2004, September 21-24 2004, Potsdam, Germany 23 Safety and Reliability of Embedded Systems

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback