1 / 49

Model-Based Safety Analysis Overview

Model-Based Safety Analysis Overview. Dr. Steven P. Miller Dr. Mats P. E. Heimdahl Advanced Computing Systems Rockwell Collins 400 Collins Road NE, MS 108-206 Cedar Rapids, Iowa 52498 spmiller@rockwellcollins.com. Outline of Presentation. Motivation Proposed Approach Demonstration

ivory-wilkinson
Download Presentation

Model-Based Safety Analysis Overview

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Model-Based Safety AnalysisOverview Dr. Steven P. Miller Dr. Mats P. E. Heimdahl Advanced Computing Systems Rockwell Collins 400 Collins Road NE, MS 108-206 Cedar Rapids, Iowa 52498 spmiller@rockwellcollins.com

  2. Outline of Presentation Motivation Proposed Approach Demonstration Analysis What’s Next

  3. Motivation Requirements and Design Documents Safety Analyst A Safety Analyst B System Safety Analysis is - Based on Informal Specifications - Highly Dependent on Skill of the Analyst

  4. Model-Based Development Why Not the Safety Analysis? We Base the Entire Development Cycle Around the Model

  5. Model-Based Safety Analysis Green Pump Blue Pump Isolation Valve Isolation Valve Power A System A Selector Valve Pedal 1 Shut Normal A Accumulator N Plant System L O Valve Feed back T R M E Accumulator A System B Pedal 2 R Pump L N Power B AntiSkid A Meter Valve Mechanical Command T Pedal E Braking + Meter Fault Tolerant Meter AntiSkid Valve Valve Braking System Command Control Unit Plant Model ( BSCU ) • Add Fault Model for Physical System • Model the Digital Controller Architecture and the Physical System and Digital Controller Architecture • Integrates System and Safety Engineering About a Common Model • Automation Enables “What-If” Consideration of System Designs

  6. Advantages • Common Model for Both System and Safety Engineering • Safety Analysis Based on a Formal System Model • Facilitates Consistency in Safety Analysis • Facilitates Completeness of Safety Analysis • Reduced Manual Effort in Error-prone Areas • Automated Support for Safety Analysis • Explore Various Failure Scenarios • Focus on Review on Assumptions in the Models • Is the System Model Correct? • Is the Fault Model Complete? • Assume the (Automated) Analysis is Trustworthy

  7. Outline of Presentation Motivation Proposed Approach Demonstration Analysis What’s Next

  8. Traditional Safety Analysis Process Safety analysis performed as an integral part of theiterative system development process (Requirements, Architecture, Design) Verify that the implemented system satisfies the safety requirements and develop certification documents

  9. Model-Based Safety Analysis Incremental development of the system model. Automated replay of safety analysis as the system is changed. Support for automated safety analysis. Safety analysis performed as an integral part of theiterative system development process (Requirements, Architecture, Design) Verify that the implemented system satisfies the safety requirements and develop certification documents

  10. Creation of Nominal System Model Library of Common Mechanical Components Green Pump Blue Pump Model of the Digital System Isolation Valve Isolation Valve Power A Power A System A Selector Valve Pedal 1 Pedal 1 Shut Normal A Accumulator N Plant Plant System L O Valve Feed back Feed back T R M E Accumulator A System B System B Pedal 2 Pedal 2 R Pump L N Power B Power B AntiSkid A Meter Valve Mechanical Command T Pedal E Braking + Meter Fault Tolerant Fault Tolerant Meter AntiSkid Valve Valve Braking System Braking System Command Control Unit Control Unit Plant Model ( BSCU ) ( BSCU ) Model of the Digital System + Model of the Mechanical System Verify safety properties of the nominal digital system Verify safety properties of the nominal system

  11. Creation of the Fault Model Green Pump Blue Pump Library of Common Failure Modes Isolation Valve Isolation Valve Power A System A Selector Valve Pedal 1 Shut Normal A Accumulator N Plant System L O Valve Feed back T R M E Accumulator A System B Pedal 2 R Pump L N Power B AntiSkid A Meter Valve Mechanical Command T Pedal E Braking + Meter Fault Tolerant Meter AntiSkid Valve Valve Braking System Command Control Unit Plant Model ( BSCU ) System Architecture Fault Model

  12. Automated Safety Analysis Green Pump Blue Pump Isolation Valve Isolation Valve Formalized Safety Requirements + Power A System A Selector Valve Pedal 1 Shut Normal A Accumulator N Plant System L O Valve Feed back T R M E Accumulator Simulation A System B Pedal 2 R Pump L N Power B AntiSkid A Meter Valve Mechanical Command T Pedal E Braking + Meter Fault Tolerant Meter AntiSkid Valve Valve Braking System Command Control Unit Plant Model ( BSCU ) Auto-generation of Fault Trees Proofs of Safety Properties

  13. Auto-generation of Fault Trees • Easy to Generate Two-Level Fault Trees • Minimal Cut Sets of Events that Can Cause a Hazard • Two Levels Deep and a Mile Wide • Harder to Generate Useful Fault Trees • Intermediate Levels Reflect System Architecture • Essential for Acceptance by Safety Engineers

  14. Proof of Safety Properties • Mathematical Proof • Avoids Mile Wide Problem with Fault Trees • User Guides the Proof Structure to Reflect the System Architecture • Used For Backward Search • Proof will Expose All Minimal Cut Sets of Events • Extend Fault Model to Rule Out Acceptable Minimal Cut Sets • Repeat Until Proof is Completed

  15. Correspondence Between Fault Trees and Proof Trees Complements w.r.t. each other

  16. Summary – Model-Based Safety Analysis • Integrates System and Safety Engineering About a Common Model • Automated Analysis of System Safety Properties • Makes Safety Analysis More Systematic and Repeatable • Shifts Focus from Component to Architectural Models • Reduces the Workload of Safety Engineers • Automates More of the Safety Analysis • Eliminates the Need to Review the Analysis • Focus on Review of the System Model and the Fault Model

  17. Challenges for Future Research • Fault Models • What is a Fault Model? How Do We Represent It? • Merging the Fault Model and the Nominal Model • Aspect Orientation and Aspect Weaving? • Stating Safety Properties • Simple Safety Properties are Often Difficult to State Formally • Do We Need a New Language for Safety Properties? • Presentation of the Analysis • Fault Trees Need to Reflect the System Architecture • Scalability • Analysis of Complex, Asynchronous, System Models • Technology Transfer • Need a Gradual Evolution from Existing Practices

  18. Model-Based Safety AnalysisDemonstration Dr. Mats P. E. Heimdahl University of Minnesota heimdahl@cs.umn.edu Dr. Steven P. Miller Advanced Computing Systems Rockwell Collins spmiller@rockwellcollins.com

  19. Outline of Presentation Motivation Proposed Approach Demonstration Analysis What’s Next

  20. Model-Based Safety Analysis Green Pump Blue Pump Isolation Valve Isolation Valve Power A System A Selector Valve Pedal 1 Shut Normal A Accumulator N Plant System L O Valve Feed back T R M E Accumulator A System B Pedal 2 R Pump L N Power B AntiSkid A Meter Valve Mechanical Command T Pedal E Braking + Meter Fault Tolerant Meter AntiSkid Valve Valve Braking System Command Control Unit Plant Model ( BSCU ) • Add Fault Model for Physical System • Model the Digital Controller Architecture and the Physical System and Digital Controller Architecture • Integrates System and Safety Engineering About a Common Model • Automation Enables “What-If” Consideration of System Designs

  21. Automated Safety Analysis Green Pump Blue Pump Isolation Valve Isolation Valve Formalized Safety Requirements + Power A System A Selector Valve Pedal 1 Shut Normal A Accumulator N Plant System L O Valve Feed back T R M E Accumulator Simulation A System B Pedal 2 R Pump L N Power B AntiSkid A Meter Valve Mechanical Command T Pedal E Braking + Meter Fault Tolerant Meter AntiSkid Valve Valve Braking System Command Control Unit Plant Model ( BSCU ) Auto-generation of Fault Trees Proofs of Safety Properties

  22. Wheel Brake System (WBS) Example ARP 4761 • Proof of Concept • Concrete Demonstration of Main Ideas • Modeling and Analysis Using Existing Tools • Simulink for Modeling the System • NuSMV, Prover, and PVS for Analyzing the System • Why the Wheel Brake System? • ARP 4761 - Guidelines and Methods for Conducting the Safety Assessment Process on Civil Airborne Systems and Equipment • Familiar Example to Safety Engineers • Benchmark our Results Against ARP-4761 Safety Analysis • Small but Complex Enough to Capture Interesting Behaviors

  23. Wheel Brake System WBS is Composed of • Two Redundant Hydraulic Lines : Normal & Alternate • Hydraulic Pumps • Number of Hydraulic Valves • Braking System Control Unit (BSCU) BSCU is Composed of • Two Command Units Compute Braking and Antiskid Commands • Two Monitors Check Validity of the Associated Command Units • BSCU is Valid if One of the Command Unit is Valid Figure borrowed from ARP 4761

  24. Normal & Alternate Hydraulic Lines • Normal Hydraulic line • Main System Supplying Braking Pressure to the Wheel • BSCU Provides Braking and Antiskid Commands • Alternate Hydraulic Line • Braking Achieved Manually Via Mechanical Pedal • BSCU Provides Antiskid Command • Switch-over from Normal to Alternate Line When • Green Pump or Any Component along Normal Line Fails or • BSCU Becomes Invalid • Selector and Isolation Valves Used for the Switch-over • Alternate Line Stays Active Until WBS System is Reset

  25. Add WBS Failure Modes to Nominal Model Manually Extended the Nominal Model with Failure Modes • Hydraulic Failure Modes • Pumps • Pressure Below Threshold (X) • Valves • Stuck at Closed/Open (S) • Digital System Failure Modes • Monitor Unit • Output Inverted (I) • Command Unit • Output Stuck (O) • Power Failure • Loss of Power (L) L L X X I I S S S X O O S S S

  26. Outline of Presentation Motivation Proposed Approach Demonstration Analysis What’s Next

  27. WBS Model-Based Safety Analysis

  28. Verified Safety Properties in Nominal Model • Safety Requirement from ARP 4761 • Loss of All Wheel Braking (Unannunciated or Annunciated) During Landing or RTO Shall Be Less Than 5*10-7 Per Flight • Revised Safety Requirement • When the Pedal Is Pressed, Then Either the Normal or the Alternate Pressure Shall Be Above Threshold • Formalized in NuSMV as DEFINE Pedal_Pressed = (PedalPos > 0 & PedalPos < 5) SPEC AG (Pedal_Pressed -> (Normal_Pressure > 0 | Alternate_Pressure > 0)) • Second Revised Safety Requirement • When the Pedal Is Pressed and There Is No Skidding, Then Either the Normal or the Alternate Pressure Should Be Above Threshold • Formalized in NuSMV as DEFINE Pedal_Pressed = (PedalPos > 0 & PedalPos < 5) SPEC AG ((Pedal_Pressed & !Skid) -> (Normal_Pressure > 0 | Alternate_Pressure > 0)) • Verified on the Nominal Simulink Model Using NuSMV

  29. Safety Properties • Example Safety Property If There Is One Failure and the Pedal Is Pressed in Absence of Skidding, Then Either the Normal Pressure or the Alternate Pressure Shall Be Above the Threshold • Transient Failures • Failures May Last an Arbitrary Time Before Recovery of the Component • Failures Triggers Are Non-deterministic Inputs and Inherently Transient • Permanent Failures • Failures Are Permanent, a Failed Component Never Recovers • Latch Fault Trigger Inputs to Simulate Permanent Failure • Simultaneous Failures • Count the Number of Active Fault Triggers

  30. Fault Tolerance Verification Green Pump Blue Pump Isolation Valve Isolation Valve Power A System A Selector Valve Pedal 1 Shut Normal A Accumulator N Plant System L O Valve Feed back T R M E Accumulator A System B Pedal 2 R Pump L N Power B AntiSkid A Meter Valve Mechanical Command T Pedal E Braking + Meter Fault Tolerant Meter AntiSkid Valve Valve Braking System Command Control Unit Plant Model ( BSCU ) Transient Failures • If There Is One Failure and the Pedal Is Pressed in Absence of Skidding, Then Either the Normal Pressure or the Alternate Pressure Shall Be Above the Threshold SPEC AG((NumFails = 1 & Pedal_Pressed & !Skid) -> (Normal_Pressure > 0 | Alternate_Pressure > 0)) • Several Steps May be Needed to Detect and Respond to Some Failures SPEC AG((NumFails = 1 & Pedal_Pressed & !Skid) –> AX((NumFails = 1 & Pedal_Pressed & ! Skid) –> AX ((NumFails = 1 & Pedal_Pressed & !Skid) -> (Normal_Pressure > 0 | Alternate_Pressure > 0)))) X X

  31. Fault Tolerance Verification Green Pump Blue Pump Isolation Valve Isolation Valve Power A System A Selector Valve Pedal 1 Shut Normal A Accumulator N Plant System L O Valve Feed back T R M E Accumulator A System B Pedal 2 R Pump L N Power B AntiSkid A Meter Valve Mechanical Command T Pedal E Braking + Meter Fault Tolerant Meter AntiSkid Valve Valve Braking System Command Control Unit Plant Model ( BSCU ) Permanent Failures • Holds for One Permanent Failure SPEC AG((NumFails = 1 & Pedal_Pressed & !Skid) –> AX((NumFails = 1 & Pedal_Pressed & ! Skid) –> AX ((NumFails = 1 & Pedal_Pressed & !Skid) -> (Normal_Pressure > 0 | Alternate_Pressure > 0))))

  32. Fault Trees and Proof Trees Revisited Complements w.r.t. each other

  33. WBS PVS Proof Tree Green Pump Blue Pump Isolation Valve Isolation Valve Power A System A Selector Valve Pedal 1 Shut Normal A Accumulator N Plant System L O Valve Feed back T R M E Accumulator A System B Pedal 2 R Pump L N Power B AntiSkid A Meter Valve Mechanical Command T Pedal E Braking + Meter Fault Tolerant Meter AntiSkid Valve Valve Braking System Command Control Unit Plant Model ( BSCU ) Prop : {-1} 0 < PedalPos1(s!1) |------- {1} Skid(s!1) {2} 0 < FM_WBS_Ext_BSCU_Node_Fault.Normal_Pressure(s!1) {3} 0 < FM_WBS_Ext_BSCU_Node_Fault.Alternate_Pressure(s!1) X X Prop.1.1 : [-1] Alt_Meter_2_Fail(s!1) [-2] Alt_Meter_2_Fail(s!1) {-3} FM_WBS_Ext_BSCU_Node.Alternate_Pressure(s!1) = 0 [-4] Nor_Meter_Fail(s!1) [-5] FM_WBS_Ext_BSCU_Node.Normal_Pressure(s!1) = 0 [-6] 0 < PedalPos1(s!1) |------- [1] Alt_Meter_2_Stuck_Val(s!1) [2] Alt_Meter_2_Stuck_Val(s!1) [3] Nor_Meter_Stuck_Val(s!1) [4] Skid(s!1) [5] 0 < FM_WBS_Ext_BSCU_Node_Fault.Normal_Pressure(s!1) [6] 0 < FM_WBS_Ext_BSCU_Node_Fault.Alternate_Pressure(s!1)

  34. PVS/Fault Tree Challenges • Difficult Proofs • Completing Proofs is Still a Time Consuming Process • Level of Detail in Proofs • Current Proofs are Low Level, Fault Trees Must be High Level • Proofs Performed at Detailed Behavioral Level • Fault Trees Must be Presented at an Architectural Level • Proof Structure • Proof Structure Appropriate for Fault Tree Generation Must be Obtained • May or May Not be the Most Natural Way to Pursue the Proof

  35. Demonstration/Analysis Summary • Simulation and Visualization of Software, Digital, and Analog Failures • Simulink Models of Nominal System Coupled with Fault Models Enable Flexible Simulation • Model Checking Techniques Enable Flexible Analysis • Verification of Correctness Under Normal Conditions • Verification of Desirable Fault-tolerance Properties • Theorem Proving Holds Promise as Powerful Fault Tree Generation Tool • Open Issues Still Remain

  36. Outline of Presentation Motivation Proposed Approach Demonstration Analysis What’s Next

  37. What’s Next • Improving Modeling Process • Ease of Analysis • Presentation of Analysis Results • Scalability

  38. Improving the Modeling Process • Building Extended Model is a Manual Process • Difficult to Keep Nominal & Extended Model in Sync. • Fault Triggers are Added as New Inputs • Handle Transient and Permanent Faults Differently • Fault Model Clutters Nominal Model

  39. Improving the Modeling Process Adding Faults Clutters the Nominal Model

  40. Improving the Modeling Process • Modeling the Mechanical System • Need Libraries of Common Components • Creating the Fault Model • What Exactly is a Fault Model? • What is part of nominal system? • What goes in fault model? • Types of Faults, Interactions Between Faults, and Fault Locations • Auto generate the Extended System Model • Use Tools to Merge Nominal and Fault Model

  41. Improving the Modeling Process Aspect-Oriented Modeling • Specify Faults as Aspects of System Components • Automatically Weave Faults into Nominal Model • Nominal and Extended Model Always in Sync • Reduces Potential for Human Error • Hide Fault Trigger Inputs during Simulation

  42. Ease of Analysis • Safety Properties Can be Awkward to Specify: • Usually, Properties are Conceptually Simple • Complexity Comes From Mapping Simple Conceptual Ideas to Formal Specification Antecedent = ((pre (pre (pre ((NumFails = 1) and FailRec4Step))) and pre (pre ((AllPedNoSkid and not (Changed)))) and pre ((AllPedNoSkid and not (Changed))) and (AllPedNoSkid and not (Changed)))) ; Consequent = (pre (pre (SomePressure)) or pre (SomePressure) or SomePressure) ; Prop_MultiStepSingleFail4 =fby( Implies(Antecedent, Consequent), 4, true);

  43. Ease of Analysis • Many Safety Properties are Stylized • Given n failures (or all failure combinations whose combined probability is >10-k), is it possible that the system will fail? • Failure condition is usually straightforward to specify • Property complexity arises when considering recovery time and fault propagation • Create a Property Builder to Assist Specification of Safety Properties

  44. Presentation of Analysis Results • Currently: Proof or Counterexample • We Want Something Acceptable To Safety Engineers

  45. Fault Trees using Model Checker • FSAP Defines Flat Fault Trees • We Can do Better by Encoding Architecture of System Into Fault Tree

  46. Proof Trees and Fault Trees Complements w.r.t. each other

  47. PVS Proof Trees Green Pump Blue Pump Isolation Valve Isolation Valve Power A System A Selector Valve Pedal 1 Shut Normal A Accumulator N Plant System L O Valve Feed back T R M E Accumulator A System B Pedal 2 R Pump L N Power B AntiSkid A Meter Valve Mechanical Command T Pedal E Braking + Meter Fault Tolerant Meter AntiSkid Valve Valve Braking System Command Control Unit Plant Model ( BSCU ) Prop : {-1} 0 < PedalPos1(s!1) |------- {1} Skid(s!1) {2} 0 < FM_WBS_Ext_BSCU_Node_Fault.Normal_Pressure(s!1) {3} 0 < FM_WBS_Ext_BSCU_Node_Fault.Alternate_Pressure(s!1) X X Prop.1.1 : [-1] Alt_Meter_2_Fail(s!1) [-2] Alt_Meter_2_Fail(s!1) {-3} FM_WBS_Ext_BSCU_Node.Alternate_Pressure(s!1) = 0 [-4] Nor_Meter_Fail(s!1) [-5] FM_WBS_Ext_BSCU_Node.Normal_Pressure(s!1) = 0 [-6] 0 < PedalPos1(s!1) |------- [1] Alt_Meter_2_Stuck_Val(s!1) [2] Alt_Meter_2_Stuck_Val(s!1) [3] Nor_Meter_Stuck_Val(s!1) [4] Skid(s!1) [5] 0 < FM_WBS_Ext_BSCU_Node_Fault.Normal_Pressure(s!1) [6] 0 < FM_WBS_Ext_BSCU_Node_Fault.Alternate_Pressure(s!1)

  48. PVS/Fault Tree Challenges • Difficult Proofs • Completing Proofs is Still a Time Consuming Process • Level of Detail in Proofs • Current Proofs are Low Level, Fault Trees Must be High Level • Proofs performed at detailed behavioral level • Fault trees must be presented at an architectural level • Proof Structure • Proof Structure Appropriate for Fault Tree Generation Must be Obtained • May or may not be the most natural way to pursue the proof

  49. Future Research Goals • Investigate – • Fault Models • Relationship between fault model and nominal system • What is a reasonable and flexible fault model? • Automate Fault Injection Into the Nominal Model • Aspect orientation and aspect weaving? • Flexible Notation for Capturing Safety Properties • Safety modeling language? • Automate Fault Tree Generation • Fault trees acceptable for safety-engineers and acceptable for certification • Safety Analysis Methodology • Who will build the fault model? • Who performs what analysis?

More Related