Dynamic Fault Tree analysis using Input/Output Interactive Markov Chains. Hichem Boudali, Pepijn Crouzen, and Mariëlle Stoelinga. IPA Lentedagen, Rhenen, May 9, 2008.

Slide 1: Dynamic Fault Tree analysis using Input/Output Interactive Markov Chains
Hichem Boudali (1), Pepijn Crouzen (2), and Mariëlle Stoelinga (1)
(1) Formal Methods and Tools group, CS, University of Twente, NL
(2) Dependable Systems and Software group, CS, Saarland University, Germany
IPA Lentedagen, Rhenen, May 9, 2008

Slide 2: Introduction: Dependability
- Dependability: the trustworthiness of a computer system such that reliance can justifiably be placed upon the service it delivers.
- Reliability: the probability that a computer system does not fail within a given time bound.

Slide 3: Introduction: Formal dependability
- Continuous-time Markov chains (CTMC)
  - States and Markovian transitions
  - Probability of traversing a λ-transition within t time-units is 1 - e^(-λt)
  - Tools: reachability analysis (among others)
[Figure: a CTMC with transitions labelled λ and μ]

Slide 4: Introduction: CTMC characteristics
- CTMCs describe probability distributions (phase-type distributions)
- Phase-type distributions can approximate any arbitrary distribution arbitrarily closely
- Goal: find a CTMC which describes the probability of system failure within t time-units (i.e. the unreliability of the system)
- Problem: difficult to find the CTMC that models a large system
[Figure: the same CTMC with transitions labelled λ and μ]

Slide 5: Introduction: Engineering dependability
- Fault Trees (1960s)
  - Graphical
  - Easy to use
  - Syntax: basic events, gates
  - Semantics: logical formula
  - Problem: not expressive enough
[Figure: fault tree for "Workstation fails" built from OR and AND gates over the basic events "CPU fails" and "Mem1 fails"]

Slide 6: Introduction: Engineering dependability
- Dynamic Fault Trees (1992)
  - Extension of classic fault trees
  - Additions: use of spares, dependencies, order-based failure
  - Tools: convert to CTMC
[Figure: DFT for "System failure": an OR gate over SPARE gates with primaries P1 and P2 sharing the spare S]

Slide 7: But… DFT drawbacks
- Scalability
- Ambiguous syntax and semantics
- Lack of modularity:
  - Dynamic modules cannot be reused
  - Restrictions on spares and dependencies
- Existing analysis technique is hard to extend or modify

Slide 8: Outline
- Case study: FTPP system
- DFT approach
- Formalizing DFTs
- DFT semantics in I/O-IMCs
- Deep compositionality
- Extending the DFT formalism
- Conclusion
- Future work

Slide 9: Case study: FTPP
[Figure: 16 processors A, B, C, D arranged in four groups, connected through the network elements NE1, NE2, NE3, NE4]
- 16 processors divided into 4 groups
- 4 network elements connect the processors
- Per group 2 processors must be operational
- Different configurations are possible

Slide 10: Case study: FTPP
[Figure: configuration with processors A, B, C and a spare S per group, connected through the network elements NE1, NE2, NE3, NE4]
- 16 processors divided into 4 groups
- 4 network elements connect the processors
- Per group 2 processors must be operational
- Different configurations are possible
- Dynamic redundancy management is possible
How reliable is each configuration?

Slide 11: FTPP DFT
[Figure: the FTPP configuration (processors A, B, C and spare S per group, network elements NE1, NE2, NE3, NE4) alongside its DFT]

Slide 12: Existing DFT analysis [Dugan et al. 1992]
- Example: AND-gate C over basic events A (failure rate 0.2 f/h) and B (failure rate 0.4 f/h)
- CTMC states: starting state "A is operational, B is operational"; "A has failed, B is operational"; "A is operational, B has failed"; "A has failed, B has failed"
- Pr(A fails in T hours) = 1 - e^(-0.2T)
- A's mean time to failure = 1/0.2 = 5 hours
- Unreliability = Prob[reaching the state "A has failed, B has failed" in time T]
- For static fault trees binary decision diagrams can be used!
- Otherwise: convert the DFT into a CTMC, then analyze the CTMC using standard solution techniques.
- But…
  - State space explosion: the CTMC grows exponentially
  - FTPP is difficult to analyze
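As an added example (not part of the slides), the four-state AND-gate CTMC of this slide solved numerically in pure Python: the generator matrix is built from the two failure rates and the transient distribution is computed by uniformisation, one of the standard CTMC solution techniques; the closed form for two independent exponential failures is included as a cross-check. State numbering (0 = both operational, 3 = both failed) is this example's own choice.

```python
import math

LAMBDA_A, LAMBDA_B = 0.2, 0.4   # failure rates in failures per hour, as on the slide

def and_gate_ctmc(la, lb):
    """Generator matrix Q for the AND gate. States: 0 = A and B operational,
    1 = A failed, 2 = B failed, 3 = both failed (system failure, absorbing)."""
    q = [[0.0] * 4 for _ in range(4)]
    q[0][1], q[0][2] = la, lb        # first failure: A or B
    q[1][3], q[2][3] = lb, la        # second failure completes the AND gate
    for i in range(4):
        q[i][i] = -sum(q[i])         # diagonal: minus the total exit rate
    return q

def transient(q, t, eps=1e-12):
    """Distribution at time t, starting in state 0, by uniformisation:
    pi(t) = sum_k Poisson(k; Lambda*t) * pi(0) P^k  with  P = I + Q/Lambda.
    The series is cut off once the Poisson weights sum to 1 - eps."""
    n = len(q)
    lam = max(-q[i][i] for i in range(n)) or 1.0            # uniformisation rate
    p = [[(1.0 if i == j else 0.0) + q[i][j] / lam for j in range(n)] for i in range(n)]
    vec = [1.0] + [0.0] * (n - 1)                           # pi(0) P^k, k = 0
    weight = math.exp(-lam * t)                             # Poisson(0; Lambda*t)
    result = [weight * v for v in vec]
    k, accumulated = 0, weight
    while 1.0 - accumulated > eps:
        k += 1
        vec = [sum(vec[i] * p[i][j] for i in range(n)) for j in range(n)]
        weight *= lam * t / k                               # Poisson(k) from Poisson(k-1)
        accumulated += weight
        result = [r + weight * v for r, v in zip(result, vec)]
    return result

def unreliability(t, la=LAMBDA_A, lb=LAMBDA_B):
    """Probability that the AND gate has failed by time t: mass in absorbing state 3."""
    return transient(and_gate_ctmc(la, lb), t)[3]

def closed_form(t, la=LAMBDA_A, lb=LAMBDA_B):
    """Cross-check: both independent components must have failed by time t."""
    return (1 - math.exp(-la * t)) * (1 - math.exp(-lb * t))

if __name__ == "__main__":
    print(f"Unreliability(T=10) = {unreliability(10):.6f}, closed form {closed_form(10):.6f}")
```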

Slide 13: FTPP Results
[Figure: FTPP DFT: System Failure over Group 1 Failure … Group 4 Failure, each group a 2/3 gate over A, B, C with spare S; FDEP gates: NE1 triggers all A, NE2 all B, NE3 all C, NE4 all S; the FTPP configuration diagram with NE1–NE4]
[Table: Analysis method | Max number of states | Max number of transitions | Unreliability (T=10); rows: Standard, Compositional; the numeric values are not preserved in the transcript]

Slide 14: What's behind it? Input/Output Interactive Markov Chains (I/O-IMC)
- Model local behavior
- We need compositional Markov chains
- Combination of LTS and CTMC, with I/O automata features
  - Markovian transitions (CTMC)
  - Interactive transitions (LTS)
  - Action signature (IOA): ? input actions, ! output actions, ; internal actions
[Figure: I/O-IMC for a basic event: a Markovian λ-transition followed by the output failed!]

Slide 15: Input/Output Interactive Markov Chains
- Properties of IMCs:
  - Combines stochastic behavior and interactive behavior orthogonally
  - CSP-style synchronization + interleaving semantics
  - Maximal progress for internal transitions
- Properties of I/O-IMCs:
  - Unique outputs
  - Input enabledness
  - Outputs cannot be blocked!
  - Maximal progress for output transitions
[Figure: IMC fragment with a Markovian λ-transition and an internal τ-transition]

Slide 16: DFT semantics: DFT gate to I/O-IMC
[Figure: I/O-IMC of AND gate C with inputs f(A)? and f(B)? and output f(C)!]

Slide 17: What is deep compositionality?
- Semantics of a DFT arises naturally as the composition of the semantics of its building blocks
- But: this may lead to huge models.
[Figure: Group 1 Failure (2/3 gate over A, B, C with spare S) and the composed I/O-IMCs f(G1), f(NE1), f(NE2), f(NE3), f(NE4)]

Slide 18: Why use deep compositionality?
- Formally define semantics
- Many useful techniques
  - Combining models: composition
  - Refining models: hiding
  - Minimizing models: bisimulation
  - Reusing models: renaming
- Well supported by the CADP toolset (VASY/INRIA)
- Combat state-space explosion

Slide 19: Compositional Aggregation
Translation → Composition + Abstraction → Aggregation (minimization) → Repeat → Aggregated system CTMC (CTMDP) → Analysis → Result: System failure probability

Slide 20: Compositional Aggregation: Example
[Figure: I/O-IMC of AND gate C (inputs f(A)?, f(B)?, output f(C)!); basic event A with failure rate 0.2 f/h (0.2-transition, then f(A)!); basic event B with failure rate 0.4 f/h (0.4-transition, then f(B)!)]

Slide 21: Compositional Aggregation: Parallel Composition
- C: inputs f(A)? and f(B)?; outputs f(C)!
- A: inputs none; outputs f(A)!
- C||A: synchronize on f(A)
[Figure: product states 1||1, 1||2, 2||3, 3||1, 3||2, 4||3, 5||3 with transitions 0.2, f(A)!, f(B)? and f(C)!]

Slide 22: Compositional Aggregation: Abstraction (hiding)
- Abstraction (hiding): makes a signal internal (f(A)! becomes f(A);)
[Figure: DFT C = AND(A, B); C||A with states 1||1, 1||2, 2||3, 3||1, 3||2, 4||3, 5||3 and transitions 0.2, f(A);, f(B)?, f(C)!]

Slide 23: Compositional Aggregation: Aggregation (weak bisimulation)
- Weak bisimulation: disregard internal steps
- Aggregation: finding a smaller model equivalent (behaviorally) to the original
[Figure: C||A with states 1||1, 1||2, 2||3, 3||1, 3||2, 4||3, 5||3 and transitions 0.2, f(A);, f(B)?, f(C)!]

Slide 24: Compositional Aggregation: Example (continued)
[Figure: the aggregated C||A composed with B (0.4-transition, then f(B)!) to give C||A||B; the product states include 3||3, 4||3 and 5||3 with transitions f(B)!, 0.2 and f(C)!]

Slide 25: Compositional Aggregation: Example (continued)
[Figure: the aggregated C||A||B, whose only remaining action is the output f(C)!]
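An added Python example (not the authors' or CADP's code) of the composition and hiding steps of slides 20 to 24 for C, A and B: a small I/O-IMC structure, the parallel composition that synchronises a shared action and interleaves everything else, and the abstraction that turns the synchronised output into an internal step. Weak-bisimulation minimisation (slide 23) is not implemented, so the composed models are the unminimised ones; state and action names follow the slides, with 'tau' standing for the internal action written ';' there.

```python
class IOIMC:
    """Interactive transitions (src, action, dst), 'tau' = internal; Markovian (src, rate, dst)."""
    def __init__(self, init, inputs, outputs, inter, mark):
        self.init, self.inputs, self.outputs = init, set(inputs), set(outputs)
        self.inter, self.mark = set(inter), set(mark)
    def states(self):
        return {s for t in self.inter | self.mark for s in (t[0], t[2])} | {self.init}

def compose(p, q):
    """Parallel composition p||q: a shared action (output of one side, input of the other)
    moves both sides together; all other steps interleave with the partner idle.
    Only reachable product states are built; maximal progress is left to aggregation."""
    shared = (p.inputs | p.outputs) & (q.inputs | q.outputs)
    inter, mark, seen, todo = set(), set(), set(), [(p.init, q.init)]
    while todo:
        s = todo.pop()
        if s in seen:
            continue
        seen.add(s)
        mark |= {(s, r, (d, s[1])) for (x, r, d) in p.mark if x == s[0]}
        mark |= {(s, r, (s[0], d)) for (x, r, d) in q.mark if x == s[1]}
        for (x, a, d) in p.inter:
            if x != s[0]:
                continue
            if a in shared:   # synchronise: q must take the same action in its current state
                inter |= {(s, a, (d, e)) for (y, b, e) in q.inter if y == s[1] and b == a}
            else:
                inter.add((s, a, (d, s[1])))
        inter |= {(s, a, (s[0], e)) for (y, a, e) in q.inter if y == s[1] and a not in shared}
        todo += [t[2] for t in inter | mark if t[0] == s]
    outs = p.outputs | q.outputs
    return IOIMC((p.init, q.init), (p.inputs | q.inputs) - outs, outs, inter, mark)

def hide(m, actions):
    """Abstraction (slide 22): the named outputs become internal 'tau' steps."""
    inter = {(x, 'tau' if a in actions else a, d) for (x, a, d) in m.inter}
    return IOIMC(m.init, m.inputs, m.outputs - set(actions), inter, m.mark)

# AND gate C: accepts f(A)? and f(B)? in either order, then emits f(C)!. The self-loops that
# would make it input-enabled in the other states are omitted: A and B each fail only once.
C = IOIMC(1, {'f(A)', 'f(B)'}, {'f(C)'},
          {(1, 'f(A)', 2), (1, 'f(B)', 3), (2, 'f(B)', 4), (3, 'f(A)', 4), (4, 'f(C)', 5)}, ())
# Basic events A (0.2 f/h) and B (0.4 f/h): a Markovian delay, then the failure output.
A = IOIMC(1, (), {'f(A)'}, {(2, 'f(A)', 3)}, {(1, 0.2, 2)})
B = IOIMC(1, (), {'f(B)'}, {(2, 'f(B)', 3)}, {(1, 0.4, 2)})

def build_system():
    """Compose, hide the synchronised signal, repeat: returns C||A and C||A||B."""
    ca = hide(compose(C, A), {'f(A)'})
    return ca, hide(compose(ca, B), {'f(B)'})
```

Running `build_system()` reproduces the seven product states of slide 21 for C||A, with both f(A) steps internal after hiding, and a ten-state C||A||B whose only remaining output is f(C)!.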

Slide 26: DFT extensions
- Extensions: inhibition, repair-policies, complex spares, complex dependencies, …
- Adding extensions in the compositional framework is easy:
  - Modify the translation of the DFT building blocks
  - The compositional aggregation algorithm is unaltered (Free!)
(DSN07)

Slide 27: Extension: Repair
[Figure: I/O-IMC of AND-gate C with failure inputs f(A)?, f(B)? and output f(C)!, extended with repair inputs r(A)?, r(B)? and repair output r(C)!; I/O-IMC of basic event A with failure rate λ followed by f(A)! and repair rate µ followed by r(A)!]

Slide 28: Conclusion: How we tackled the drawbacks
- State-space explosion.
- Ambiguous syntax and semantics.
- Lack of modularity:
  - Dynamic modules cannot be reused.
  - Restrictions on spares and dependencies.
- Existing analysis technique is hard to extend and/or modify.
Slide annotations: Compositional Aggregation; I/O-IMC, Formal translation; Renaming!; DAG, Lifted!; Extensions at the lowest level.

Slide 29: Future work
- Fully automated tool (CORAL)
- More aggressive state reduction
  - Recent work: specialized acyclic algorithm
- Apply deep compositionality to more advanced engineering formalisms! (see Boudali et al., DSN08)
- Extend the DFT formalism
  - Repair
  - Failure modes
  - Non-exponential failure distributions
  - Sophisticated dependencies

Slide 30: The end! Questions?