1 Dr. rer. nat. Lars Grunske, Boeing Postdoctoral Research Fellow, School of ITEE, ARC Centre for Complex Systems An Automated Failure Mode and Effect.

Slides:

Advertisements

Similar presentations

1 Verification by Model Checking. 2 Part 1 : Motivation.

Advertisements

2009 – E. Félix Security DSL Toward model-based security engineering: developing a security analysis DSML Véronique Normand, Edith Félix, Thales Research.

SAFe Automotive aRchItecture SAFARI. SAFARI_Presentation_Short_v1.ppt 2 / /P. Cuenot/ © Continental AG ARTEMIS/Call2 R&D Project Proposal Project.

Conformance Testing of MOST based Applications Towards Effective System Testing André Baresel, Michael Schmidt - DaimlerChrysler AG Contact:

Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.

1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Model Checker In-The-Loop Flavio Lerda, Edmund M. Clarke Computer Science Department Jim Kapinski, Bruce H. Krogh Electrical & Computer Engineering MURI.

Verification/Simulati on –GUI for simulation and formal verification –Simulator: Exploration of dynamic behavior Checking.

® IBM Software Group © 2014 IBM Corporation Innovation for a smarter planet MBSE for Complex Systems Development Dr. Bruce Powel Douglass, Ph.D. Chief.

Automated creation of verification models for C-programs Yury Yusupov Saint-Petersburg State Polytechnic University The Second Spring Young Researchers.

AndroidCompiler. Layout Motivation Literature Review AndroidCompiler Future Works.

©Ian Sommerville 2006Software Engineering, 8th edition. Chapter 8 Slide 1 System models.

Software Fault Tolerance – The big Picture RTS April 2008 Anders P. Ravn Aalborg University.

Model Checking. Used in studying behaviors of reactive systems Typically involves three steps: Create a finite state model (FSM) of the system design.

Software Engineering for Safety : A Roadmap Presentation by: Manu D Vij CS 599 Software Engineering for Embedded Systems.

1 Static vs dynamic SAGAs Ivan Lanese Computer Science Department University of Bologna/INRIA Italy.

Modeling State-Dependent Objects Using Colored Petri Nets

Modified from Sommerville’s originalsSoftware Engineering, 7th edition. Chapter 8 Slide 1 System models.

1/31 CS 426 Senior Projects Chapter 1: What is UML? Chapter 2: What is UP? [Arlow and Neustadt, 2005] January 22, 2009.

© Copyright Eliyahu Brutman Programming Techniques Course.

CSC 402, Fall Requirements Analysis for Special Properties Systems Engineering (def?) –why? increasing complexity –ICBM’s (then TMI, Therac, Challenger...)

Supplement 02CASE Tools1 Supplement 02 - Case Tools And Franchise Colleges By MANSHA NAWAZ.

Safety Assessment (Fault Trees) ITV Model-based Analysis and Design of Embedded Software Techniques and methods for Critical Software Anders P. Ravn Aalborg.

1 Formal Engineering of Reliable Software LASER 2004 school Tutorial, Lecture1 Natasha Sharygina Carnegie Mellon University.

High Level: Generic Test Process (from chapter 6 of your text and earlier lesson) Test Planning & Preparation Test Execution Goals met? Analysis & Follow-up.

Testing safety-critical software systems

Basic Concepts The Unified Modeling Language (UML) SYSC System Analysis and Design.

Formal Methods 1. Software Engineering and Formal Methods  Every software engineering methodology is based on a recommended development process  proceeding.

Cheng/Dillon-Software Engineering: Formal Methods Model Checking.

Quality in Product and Process Design Pertemuan 13-14

© Siemens AG, CT SE 1, Dr. A. Ulrich C O R P O R A T E T E C H N O L O G Y Research at Siemens CT SE Software & Engineering Development Techniques.

DOPROPC: a domain property pattern system helping to specify control system requirements Fan WuHehua ZhangMing Gu School of Software, Tsinghua University.

On the Formal Specification of Automata- based Programs via Specification Patterns Spring/Summer Young Researchers' Colloquium on Software Engineering.

ECE 720T5 Winter 2014 Cyber-Physical Systems Rodolfo Pellizzoni.

©Ian Sommerville 2000 Software Engineering, 6th edition. Chapter 7 Slide 1 System models l Abstract descriptions of systems whose requirements are being.

Chapter 4 System Models A description of the various models that can be used to specify software systems.

System models Abstract descriptions of systems whose requirements are being analysed Abstract descriptions of systems whose requirements are being analysed.

 Dipl.-Ing. Lars Grunske, 1 Hasso-Plattner-Institute for Software System Engineering at the University of Potsdam Department of Software Engineering and.

Benjamin Gamble. What is Time?  Can mean many different things to a computer Dynamic Equation Variable System State 2.

Reliable Design of Safety Critical Systems Dr. Abhik Roychoudhury School of Computing

©Ian Sommerville 1995/2000 (Modified by Spiros Mancoridis 1999) Software Engineering, 6th edition. Chapter 7 Slide 1 System models l Abstract descriptions.

SOFTWARE DESIGN.

Intent Specification Intent Specification is used in SpecTRM

Checking Fault Tolerance in Safety and Security-Critical Systems.

Chapter 7 System models.

System models l Abstract descriptions of systems whose requirements are being analysed.

Pertemuan 19 PEMODELAN SISTEM Matakuliah: D0174/ Pemodelan Sistem dan Simulasi Tahun: Tahun 2009.

Modified by Juan M. Gomez Software Engineering, 6th edition. Chapter 7 Slide 1 Chapter 7 System Models.

Software Engineering, 8th edition Chapter 8 1 Courtesy: ©Ian Somerville 2006 April 06 th, 2009 Lecture # 13 System models.

Sommerville 2004,Mejia-Alvarez 2009Software Engineering, 7th edition. Chapter 8 Slide 1 System models.

1 Introduction to Software Engineering Lecture 1.

Software Testing and Quality Assurance Software Quality Assurance 1.

Haptic Interfaces and Force-Control Robotic Application in Medical and Industrial Contexts Applicants Prof. Doo Yong Lee, KAIST Prof. Rolf Johansson,

Model Checking and Model-Based Design Bruce H. Krogh Carnegie Mellon University.

CIS 842: Specification and Verification of Reactive Systems Lecture 1: Course Overview Copyright 2001, Matt Dwyer, John Hatcliff, and Radu Iosif. The.

1 Introduction to Software Testing. Reading Assignment P. Ammann and J. Offutt “Introduction to Software Testing” ◦ Chapter 1 2.

©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 9 Slide 1 Critical Systems Specification 1.

1 Checking Interaction Consistency in MARMOT Component Refinements Yunja Choi School of Electrical Engineering and Computer Science Kyungpook National.

Toulouse, September 2003 Page 1 JOURNEE ALTARICA Airbus ESACS  ISAAC.

SAFEWARE System Safety and Computers Chap18:Verification of Safety Author : Nancy G. Leveson University of Washington 1995 by Addison-Wesley Publishing.

Software Quality Assurance and Testing Fazal Rehman Shamil.

Yu, et al.’s “A Model-Driven Development Framework for Enterprise Web Services” In proceedings of the 10 th IEEE Intl Enterprise Distributed Object Computing.

1 Software Testing and Quality Assurance Lecture 38 – Software Quality Assurance.

© 2009 Artisan Software Tools. All rights reserved. Testing Solutions with UML/SysML Andrew Stuart, Matthew Hause.

CEA LIST Expression of interest: dt-fof

Abstract descriptions of systems whose requirements are being analysed

Review and comparison of the modeling approaches and risk analysis methods for complex ship system. Author: Sunil Basnet.

Presentation transcript:

1 Dr. rer. nat. Lars Grunske, Boeing Postdoctoral Research Fellow, School of ITEE, ARC Centre for Complex Systems An Automated Failure Mode and Effect Analysis based on High-Level Design Specification with Behavior Trees Lars Grunske, Peter Lindsay, Nisansala Yatapanage, Kirsten Winter ARC Centre for Complex Systems School of Information Technology and Electrical Engineering, University of Queensland, Brisbane, QLD 4072,

2 Dr. rer. nat. Lars Grunske, Boeing Postdoctoral Research Fellow, School of ITEE, ARC Centre for Complex Systems Agenda  Problem description/context  Preliminaries  Behavior Trees  Automated Hazard Analysis  Procedure Overview  Generation of Design Behavior Trees  Generation of Fault View BTs  Identification and Specification of Hazard Conditions  Model Checking (SAL Toolkit)  Generation of FMEA-tables  Case-Study  Industrial Metal Press  Conclusion

3 Dr. rer. nat. Lars Grunske, Boeing Postdoctoral Research Fellow, School of ITEE, ARC Centre for Complex Systems Motivation  Problem Context  Safety-critical software-intensive systems  Automotive electronics, aviation, industrial process control and medical applications  Problem  Increasing complexity  Goal  Model and analyze safety-critical behaviors early in the development lifecycle  Systematic and integrated approach for safety analysis  Automate Failure Modes and Effects Analysis (FMEA)  Tool support that automates the tedious and error-prone aspects of FMEA

4 Dr. rer. nat. Lars Grunske, Boeing Postdoctoral Research Fellow, School of ITEE, ARC Centre for Complex Systems Preliminaries

5 Dr. rer. nat. Lars Grunske, Boeing Postdoctoral Research Fellow, School of ITEE, ARC Centre for Complex Systems Behavior Trees  Behavior Tree  Graphical notation to capture the functional requirements  Textual requirements are translated into individual requirements trees  These individual requirement trees are merged into one integrated requirements tree  Stepwise, structured approach,  Semi automatic  Early error detection  Literature:  Dromey, R.G.: From requirements to design: Formalizing the key steps. In: Int. Conference on Software Engineering and Formal Methods (SEFM 2003), IEEE Computer Society (2003)  GSE: Genetic Software Engineering:

6 Dr. rer. nat. Lars Grunske, Boeing Postdoctoral Research Fellow, School of ITEE, ARC Centre for Complex Systems Behavior Tree Syntax (1)  Basic Syntax Elements  Reversion, Synchronisation ^ =

7 Dr. rer. nat. Lars Grunske, Boeing Postdoctoral Research Fellow, School of ITEE, ARC Centre for Complex Systems Behavior Tree Syntax (2)  Control flow in Behavior Trees

8 Dr. rer. nat. Lars Grunske, Boeing Postdoctoral Research Fellow, School of ITEE, ARC Centre for Complex Systems Generation of Design Behavior Trees  Goal  Decomposition of the integrated requirements BT into component BTs.  Interactions are modeled by message passing (BT events)  Process (semi-automatic)  Identify controller, sensor, and actuator components and the environment (Following the usual architecture of reactive systems)  Each component forms a thread in the overall system  Parallel composition of the components and environment  Literature  Wen, L., Dromey, R.G.: From requirements change to design change: A formal path. In: Int. Conference on Software Engineering and Formal Methods (SEFM 2004), IEEE Computer Society (2004)

9 Dr. rer. nat. Lars Grunske, Boeing Postdoctoral Research Fellow, School of ITEE, ARC Centre for Complex Systems Automated Hazard Analysis An Automated Failure Mode and Effect Analysis based on High-Level Design Specification with Behavior Trees

10 Dr. rer. nat. Lars Grunske, Boeing Postdoctoral Research Fellow, School of ITEE, ARC Centre for Complex Systems Procedure Overview  Precondition  Design BT  Description of the hazard conditions  Component fault specification  Procedure  Inject faults into the design BT  fault view BT  Translate the fault view BT to SAL code  Identify LTL-formulas for the hazard conditions  Model-check the system

11 Dr. rer. nat. Lars Grunske, Boeing Postdoctoral Research Fellow, School of ITEE, ARC Centre for Complex Systems Generation of Fault View BTs  A Fault View BT describes the behavior of the system when it is affected by one or more component faults.  Fault injection  Prune the design BT (Omission Failure)  Add failure behavior (Commission Failure)  Example Failure: component C is unable to reach state c:  Tree is pruned at C ??c?? branch Fault View BT Original BT

12 Dr. rer. nat. Lars Grunske, Boeing Postdoctoral Research Fellow, School of ITEE, ARC Centre for Complex Systems Translating Fault View BTs to SAL Code  Generating SAL action systems  Procedure  Generate variables (component state variables, messages)  Internal vs. external variables  Split BTs into transitions.  Identification of atomic actions  Each condition or event starts a new action  Each branching point starts a new action  Create sequence of actions (using a program counter (PC) concept)  Each action increases the actual PC value  Reversion  Set back the PC  New Process  New PC  Translation Scheme (contains 8 translation rules)  More details in the paper

13 Dr. rer. nat. Lars Grunske, Boeing Postdoctoral Research Fellow, School of ITEE, ARC Centre for Complex Systems Identification and Specification of Hazard Conditions  Hazard identification  Not the scope of this project  Bidirectional search  cause-consequence relationships  Traditional techniques can be used  Hazard Specification  LTL formula  Safety Patterns (Natural Language Templates for Specifying LTL/CTL)  Bitsch, F.: Safety patterns - the key to formal specification of safety requirements. In: Int. Conference on Computer Safety, Reliability and Security (SAFECOMP2001). Volume 2187 of LNCS., Springer- Verlag (2001)  M. B. Dwyer, G. S. Avrunin, and J. C. Corbett. Patterns in Property Specifications for Finite-State Verification. In 21st International Conference on Software Engineering, Los Angeles, May 1999.

14 Dr. rer. nat. Lars Grunske, Boeing Postdoctoral Research Fellow, School of ITEE, ARC Centre for Complex Systems Model Checking & Generation of FMEA-tables  LTL model checker of the SAL Toolkit (  We check, if the model of the fault view BT is able to reach a state in which the hazard conditions (LTL formula) is true.  If yes, we receive a counter example  Trace: initial state  hazardous state  Fault propagation  Hint for design changes  If no, the injected fault(s) does not produce a hazard  Generation of FMEA table  Based on the model checking results  Including the counter examples (illustrated)

15 Dr. rer. nat. Lars Grunske, Boeing Postdoctoral Research Fellow, School of ITEE, ARC Centre for Complex Systems Case Study Industrial Metal Press

16 Dr. rer. nat. Lars Grunske, Boeing Postdoctoral Research Fellow, School of ITEE, ARC Centre for Complex Systems Industrial Metal Press Source: McDermid, J., Kelly, T.: Industrial press: Safety case. Technical report, High Integrity Systems Engineering Group, University of York (1996)

17 Dr. rer. nat. Lars Grunske, Boeing Postdoctoral Research Fellow, School of ITEE, ARC Centre for Complex Systems Industrial Metal Press Behaviour Description  Press main functions:  Raise plunger to top (open the press)  Release plunger (close the press)  Abort operation (stop closing & reopen the press)  System-level requirements/operational concept:  Upon start-up, press will open fully  If button is pushed while press is fully open, press will start to close  Upon closing, press will automatically reopen  If safe to do so, closing can be aborted by releasing the button  Safe = above Point of No Return (PoNR)

18 Dr. rer. nat. Lars Grunske, Boeing Postdoctoral Research Fellow, School of ITEE, ARC Centre for Complex Systems Design Behavior Tree Industrial Metal Press (complete and small )

19 Dr. rer. nat. Lars Grunske, Boeing Postdoctoral Research Fellow, School of ITEE, ARC Centre for Complex Systems Safety Requirements (Negated Hazard Conditions) HC1. If the plunger is at the top and the operator is not pushing the button, the motor should remain on. G ((plunger = attop  operator = releasebutton)  (motor = on)) HC2. If the plunger is falling below the PONR, known as falling fast, the motor should remain off. G ((plunger = fallingfast)  (motor = off )) HC3. If the plunger is falling above the PONR, known as falling slow, and the operator releases the button, the motor should eventually turn on, before the plunger changes state. G ((plunger = fallingslow  operator = releasebutton)  (plunger = fallingslow U motor = on)) HC4. The motor should never turn off while the plunger is rising. G (  (plunger = risingbelowPONR  plunger = risingabovePONR)  (motor = off )))

20 Dr. rer. nat. Lars Grunske, Boeing Postdoctoral Research Fellow, School of ITEE, ARC Centre for Complex Systems Results HC1. If the plunger is at the top and the operator is not pushing the button, the motor should remain on. HC2. If the plunger is falling below the PONR, known as falling fast, the motor should remain off. HC3. If the plunger is falling above the PONR, known as falling slow, and the operator releases the button, the motor should eventually turn on, before the plunger changes state. HC4. The motor should never turn off while the plunger is rising.

21 Dr. rer. nat. Lars Grunske, Boeing Postdoctoral Research Fellow, School of ITEE, ARC Centre for Complex Systems Tool Support BTE & BTFail

22 Dr. rer. nat. Lars Grunske, Boeing Postdoctoral Research Fellow, School of ITEE, ARC Centre for Complex Systems Open Problems and Future Work  Modelling and Checking of failure at any time during system operation  Probabilistic model-checking  Aim: determine the probability that a failure mode leads to a Hazard  Timing Analysis  Aim: investigate timing failures (too early and too late)

23 Dr. rer. nat. Lars Grunske, Boeing Postdoctoral Research Fellow, School of ITEE, ARC Centre for Complex Systems Conclusion  Contribution:  Automation of FMEA  Automatic Fault Injection + Model Checking  Benefits:  Tool support that automates the tedious and error- prone aspects of FMEA  Systematic and integrated approach for safety analysis  Thanks!  Questions?