NASA OSMA SAS '02

1. NASA OSMA SAS '02 Software Fault Tree AnalysisDolores R. WallaceSRS Information ServicesSoftware Assurance Technology Centerhttp://satc.gsfc.nasa.gov/dwallac@pop300.gsfc.nasa.govDr. Massood TownidnejadEmbry-Riddle Universitytowhid@erau.edu NASA OSMA SAS02

2. The Premise • FTA applies to software (SFTA)1 • SFTA uses same tools as FTA • SFTA can apply FTA algorithms computing risk based on probability • 1 Several researchers have explored SFTA to some extent, e.g., Leveson, Lutz, Dugan, Heimdahl NASA OSMA SAS02

3. Tasks • Understand the methodology, including symbology • Develop tool evaluation criteria • Identify commercial tools • Get demonstration copies • Apply tools to software NASA OSMA SAS02

4. FTA Methodology • Hierarchical, graphical representation of events • Notation to represent Boolean expression recording relationships between states/ events • Qualitative: ID of design weaknesses,e.g., single point of failure and safety critical failure combinations • Quantitative: event’s probability of occurrence to identify paths most likely to occur • Starting point (top of tree): system failure or hazard • Backward progression id’ing parallel and sequence combinations of events causing top event to occur NASA OSMA SAS02

5. Probability Issue • Hardware • Large collections of historic data • Classification of failure types • Degradation • Software • Limited availability of software failure data • Classification of cause more relevant • Degradation not same for software • Probability values not available, though subject of research efforts NASA OSMA SAS02

6. FTA Symbology EVENTS GATES BASIC AND OR CONDITIONING UNDEVELOPED EXCLUSIVE OR EXTERNAL PRIORITY AND INTERMEDIATE INHIBIT TRANSFERS OUT IN NASA OSMA SAS02

7. Tool Evaluation Criteria Categories • User Interface • Functionality • Output • SFTA Model • Security • Operational Issues • Adaptability *** • Cost of Tool (consider functionality not usable by SFTA) • Return on Investment NASA OSMA SAS02

8. Commercial Tools • Approximately 33 • Most embody two or more analyses (e.g., FMEA) • All compute risk with algorithms applying values of probability of failure • Many claim adaptability for SFTA • Two claimed specific use for SFTA, but … • Lack of specific SFTA tools caused our redirection! NASA OSMA SAS02

9. New Focus: Life Cycle Approach • Requirements • Identify weaknesses and modify, eliminate them • Identify those with direct impact on safety of system • Design • Apply to design, smaller than related code • Identify components/modules, subcomponents with direct impact on safety of system • Code • Apply only to those subcomponents already identified as having direct impact on safety of system NASA OSMA SAS02

10. Application of SFTA to Software Design • The Challenge • Focus SFTA on OODs • Develop a relationship between OOD charts and diagrams to symbology of FTA • Initial Issues • Attempt to fit activity diagram to general template • Recognize loops as a feature of activity diagram • Allow for concurrency found in many real-time systems • Applied commercial tool- identified probable cause of failure successfully in each case • Next Steps • Generate fault trees directly from several activity diagrams NASA OSMA SAS02

11. Insert coins into machine Check enough money is inserted Show drink menu Choose drink Deliver drink Activity Diagram Drink not available Drink available NASA OSMA SAS02

12. Software Fault Tree NASA OSMA SAS02

13. Resulting Fault Tree Analysis NASA OSMA SAS02

14. FUTURE • Identify the general features of activity, state, and sequence diagrams as related to FTA symbology • Apply this approach to real, larger designs • Have commercial tool vendor work with us to build the interface between these OOD types and the FTA symbology • Hoped for result: practical means of applying FTA to software across the life cycle! NASA OSMA SAS02