Formalization of Fault Trees in Higher-order Logic: A Deep ...

Formalization of Fault Trees in Higher-order Logic: ADeep Embedding Approach

Waqar Ahmed and Osman Hasan

System Analysis and Verification (SAVe Lab)National University of Sciences and Technology (NUST)

Islamabad, Pakistan

SETTA 2016Beijing, China

November 11, 2016

Outline

1 Introduction

2 Formalization of Fault Trees

3 Application: NextGen Air Traffic Management System with ASNGateway

4 Conclusions

W. Ahmed and O. Hasan Formalization of Fault Trees in HOL November 11, 2016 2 / 40

Failure Analysis

Study the impact of a component fault on system failure and thusmake decisions to make systems more reliable

Component ReplacementRedundancy


Fault Tree

A graphical method used to identify potential causes of system failure

A fault tree is constructed havingEvents: describing the faults of system componentsLogic Gates: representing logical relationship between events

AND, OR, NOR, NAND, NOR etc.

TOP event

First Level Contributor

to TOP Event by Logic

Gates

First Level Events

Second-level

Contributors to TOP by

Logic Gates

Second-level

Contributors

Basic Failure Events


Example: Power Supply System

Determine the overall failure probability?

Main

User

Transformer

Generator

UPS


Fault Tree Analysis

Step 1

Construct a FT and represent Top Event in terms of basic events

Main

User

Transformer

Generator

UPS

F(PS)

M T G U

pow sys fail = (M ∪ T ) ∩ G ∩ U


Fault Tree Analysis

Step 2

Evaluate probability of failure using the Probabilistic Inclusion-Exclusionprinciple

P(n⋃

i=1

Ai ) =∑

J 6=∅,J⊆1,2,...,n

(−1)|J|−1P(⋂j∈J

Aj)

P(pow sys fail) = P((M ∪ T ) ∩ G ∩ U)

= P(M ∩ G ∩ U) + P(T ∩ G ∩ U)− P(M ∩ T ∩ G ∩ U)


Fault Tree Analysis

Step 3

Using Mutual Independence property

P(pow sys fail) = P(M) ∗ P(G ) ∗ P(U) + P(T ) ∗ P(G ) ∗ P(U)−P(M) ∗ P(T ) ∗ P(G ) ∗ P(U)


Types of FT Gates

FT Gates Failure Probability Expressions

F (t) = Pr(N⋂i=2

Ai (t)) =N∏i=2

Fi (t)

F (t) = Pr(N⋃i=2

Ai (t)) = 1−N∏i=2

(1− Fi (t))

F (t) = 1− FOR(t) =N∏i=2

(1− Fi (t))

F (t)= Pr(k⋂

i=2

Ai (t) ∩N⋂j=k

Ai (t))=k∏

i=2

(1− Fi (t)) ∗N∏j=k

(Fj(t))

F (t)= Pr(A(t)B(t) ∪ A(t)B(t))

= FA(t)(1− FB(t)) + FB(t)(1− FA(t))

F (t) = Pr(A(t)) = (1− FA(t))


Fault Tree Analysis Applications

A standard technique for failure analysis in many safety-critical fields

Nuclear Power Industry (NRC NUREG0492)Civil Aerospace (NASA SAE ARP4761)Military Systems (MILHDBK338)Cross Industry (IEC 61025)


Fault Tree Analysis Techniques

Feature Paper-and-pencil Proof

SimulationTools

Model Checking TheoremProving

FT Models Paper (Ran-dom Vari-ables)

Computer Pro-gram (PseudoRandom Num-bers)

State TransitionGraph (MarkovChains)

LogicalFunction

Analysis Analytically(probabilitydistributions,PIE and MI)

NumericalMethods

State Explo-ration

Formal Rea-soning

Expressiveness X (?) X X

Accuracy X (?) X X

Automation X X




SimulationTools





LogicalFunction


NumericalMethods

State Explo-ration

Formal Rea-soning

Expressiveness X (?)

X X

Accuracy X (?)

X X

Automation

X X




SimulationTools





LogicalFunction


NumericalMethods

State Explo-ration

Formal Rea-soning

Expressiveness X (?) X

X

Accuracy X (?)

X X

Automation X

X




SimulationTools





LogicalFunction


NumericalMethods

State Explo-ration

Formal Rea-soning

Expressiveness X (?) X

X

Accuracy X (?) X

X

Automation X X




SimulationTools





LogicalFunction


NumericalMethods

State Explo-ration

Formal Rea-soning

Expressiveness X (?) X X

Accuracy X (?) X X

Automation X X


Failure Analysis using Theorem Proving

Probability Theory

J. Hurd (2002), PhD Thesis, University of CambridgeFormal Verification of Probabilistic Algorithms.

O. Hasan (2008), PhD Thesis, Concordia UniversityFormal Probabilistic Analysis using Theorem Proving.

T. Mhamdi (2011), PhD Thesis, Concorida UniversityInformation-Theoretic Analysis using Theorem Proving.

J. Holzl (2012), PhD thesis, Technical University of MunichConstruction and Stochastic Applications of Measure Spaces inHigher-Order Logic.


Failure Analysis using Theorem Proving

Component LevelCombinational Circuits (Hasan et al. JAL-2011)

Reconfigurable Memory Arrays (Hasan et al. TC-2010)

Electronic System Components (Abbasi et al. WoLLIC-2014)

System LevelFormalization of Reliability Block Diagrams (RBD) (Waqar et al.CICM-2014), (Waqar et al. JAL-2016)

Formalization of Fault Trees (FT) (Waqar et al. CICM-2015)

ApplicationsOil and Gas Pipelines using RBD (Waqar et al. CICM-2014)

WSN Transport Protocols using RBD (Waqar et al. WiMob-2015)

Satellite Solar Array using FT (Waqar et al. CICM-2015))

Virtual Data Center (Waqar et al. JAL-2016)


Limitations of the Existing Formalization of Fault Trees

Shallow Embedding

Notion of each FT gate was explicitly defined on an event list

Non-compositional

The Basic FT gates, such as AND, OR and NOT, cannot be used toformalize other FT gates

Relationship to Reliability Block Diagram is missing

This relationship is very important for reducing the complexity ofanalysis while dealing with large systems


Outline

1 Introduction



4 Conclusions


Methodology

AND

OR

NAND

NOR

Failure Expressions

)()(2

tFtFN

i

iAND

N

i

iOR tFtF2

)(11)(

1

1

)(*)(1)(k

i

N

kj

jiNAND tFtFtF

N

i

iNOR tFtF2

)(1)(

Transformation to Reliability Bock

Diagrams

System Descritption

System Failure Properties

Formal Model

Proof Goal

Theorem ProverFormally Verified Failure Properties

Fault Tree Gates HOL


Methodology

AND

OR

NAND

NOR

Failure Expressions

)()(2

tFtFN

i

iAND

N

i

iOR tFtF2

)(11)(

1

1

)(*)(1)(k

i

N

kj

jiNAND tFtFtF

N

i

iNOR tFtF2

)(1)(


Diagrams

System Descritption


Formal Model

Proof Goal




Formalization of Fault Tree Gates

Defined new datatype in HOL to model FT gates

Datatype for Gates

Hol datatype ‘gate = AND of gate list | OR of gate list |

NOT of gate | atomic of ’a event‘

Definition

`(∀p. fFTree (AND []) = Ωp) ∧(∀xs x p. fFTree (AND (x::xs)) = fFTree (x) ∩ fFTree (AND xs)) ∧(∀p.fFTree (OR []) = ) ∧(∀xs x p. fFTree (OR (x::xs)) = fFTree (x) ∪ fFTree (OR xs)) ∧(∀p a. fFTree (NOT a) = Ωp - fFTree(a)) ∧(∀p a.fFTree (atomic a) = a)


AND FT Gate

Output failure event occurs, if all of its input failure events occur

OUTPUT

A B

For output failure event occur

All of of the input events must be

occur

AND

FAND gate(t) = Pr(⋂N

i=2 Ai (t)) =∏N

i=2 Fi (t)

HOL Formalization

` ∀ p L. prob space p ∧(∀x’. MEM x’ L ⇒ x’ ∈ events p) ∧ 2 ≤ LENGTH L ∧mutual indep p L ⇒(prob p (FTree p (AND (gate list L))) =

list prod (list prob p L))W. Ahmed and O. Hasan Formalization of Fault Trees in HOL November 11, 2016 20 / 40

OR FT Gate

Output failure event occurs, if any one of its input failure event

OR

OUTPUT

A B

For output failure event occur

Any of the input event must be

occur

FOR gate(t) = Pr(⋃N

i=2 Ai (t)) = 1−∏N

i=2(1− Fi (t))

Theorem

` ∀ p L. prob space p ∧ 2 ≤ LENGTH L ∧(∀x’. MEM x’ L ⇒ x’ ∈ events p) ∧ mutual indep p L ⇒(prob p (FTree p (OR (gate list L))) =

1 - list prod (one minus list (list prob p L)))


FT Gates

FT Gates Formalization

NAND

1

n

k

` ∀ p L1 L2. NAND FT gate p L1 L2 =

FTree p (AND (gate list (compl list p L1 ++ L2)))

NOR1

n` ∀ p L. NOR FT gate p L = FTree p (NOT (OR (gate list L)))

XOR1

2

` ∀ p A B. XOR FT gate p A B =

FTree p (OR [AND [NOT A; B]; AND [A; NOT B]])

Inhibit

2

1

` ∀ p A B C. inhibit FT gate p A B C =

FTree p (AND [OR [A; B]; NOT C]])

Comp1

2

` ∀ p A B. comp FT gate p A B =

FTree p (OR [AND [A; B]; NOR FT gate p [A; B]])

m

` ∀ p X m n. major voting FT gate p X m n =

BIGUNION (IMAGE (λx. PREIMAGE X Normal (&x) ∩ p space p)

x | k ≤ x ∧ x < SUC n)


Formal Verification of FT Gates

Mathmatical Expressions Theorem’s Conclusion

FNAND(t) = Pr(k⋂

i=2

Ai (t) ∩N⋂j=k

Ai (t))

=k∏

i=2

(1− Fi (t)) ∗N∏j=k

(Fj(t))

` ∀ p L1 L2. (prob p (NAND FT gate p L1 L2) =

list prod ((list prob p (compl list p L1))) *

list prod (list prob p L2))

FNOR(t) = 1− FOR(t) =N∏i=2

(1− Fi (t))` ∀ p L. (prob p (NOR FT gate p L) =

list prod (one minus list (list prob p L)))

FXOR(t) = Pr(A(t)B(t) ∪ A(t)B(t))

= (1− FA(t))FB(t)+

FA(t)(1− FB(t))

` ∀ p A B. prob space p ∧A ∈ events p ∧ B ∈ events p

(prob p

(XOR FT gate p (atomic A) (atomic B) =

(1- prob p A)*prob p B +

prob p A*(1 - prob p B)

Finhibit(t) = Pr((A(t) ∪ B(t)) ∩ C (t))

= (1− (1− FA(t))∗(1− FB(t))) ∗ (1− FC (t))

` ∀ p A B C.

(prob p (inhibit FT gate p

(atomic A) (atomic B) (atomic C) =

(1 - (1 - prob p A) *

(1 - prob p B))*(1 - prob p C)


Formal Verification of FT Gates

Mathmatical Expressions Theorem’s Conclusion

Fcomp(t) = Pr((A(t) ∩ B(t)) ∪ (A(t) ∪ B(t)))

= (1− (1− FA(t)FB(t))∗(1− (1− FA(t)) ∗ (1− FB(t)))

` ∀ p A B C.

(prob p

(comp FT gate p (atomic A) (atomic B) =

(1 - (1 - prob p A * prob p B)*

(1 - (1 - prob p A)*(1- prob p B))

Fm|n(t) = Pr(n⋃

i=k

exactly i components are

functioning properly)

=n∑

i=m

(

(n

m

)F i (1− F )n−1)

` ∀ p n k X F

(prob p (major voting FT gate p X m n) =

sum (m, SUC n - m)

(λx. (&binomial n x)*(F pow x)*

(1- F) pow (n-x)))

FT formalization took about 2500 lines of code and 125 man-hours


Outline

1 Introduction



4 Conclusions


NextGen Air Traffic Management System with ASNGateway

A comprehensive Satellite based agile decision making suite for bettercoordination of air traffic

BenefitsDecrease in fuel consumption and carbon emissionOn time arrival and departure

Successfully operating in US and to-date has saved 11.6 billion USD


Fault Tree for the NextGen ATMS with ASN Gateway

Level 1: An aviation accident caused by the lack of appropriatecontrol, equipment, internal and external malfunctions

ED:

Equ

ipm

en

t D

efe

ct

EQ1

:Eq

uip

me

n

De

fect

no

t fo

un

dEN

1:

Envi

ron

men

tal

Effe

cts

EN3

: A

ircr

aft

Infl

ue

nce

d b

y En

viro

nm

ent

EN2

: A

ircr

aft

Dan

gero

us

Envi

ron

men

t

EN4

: En

viro

n.

Even

ts m

ay

Dam

age

Air

craf

t



Level 2: Comprises of failures related to the flight function mishap

Internal

G25

G23

G22

PD: Propagation Delay

AP: Error in AP Component

FF1

G24

Notshwn A RT



Level 3: Failure occurs if the transmission delay is too longer thanthe expected deadline

RT

G20

AL SL PD others

G21

Time

A

G19

B1 B2B3

C6

: H

ard

war

e b

/w R

TDS

and

A

SN F

ailu

re

C7

: R

TI

Soft

war

e Fa

ilure

C8

: Is

sues

are

n

ot

han

dle

d

pro

per

ly



Level 4: Failures related to the communication of messages

B1

G9

G8 G7

D1

: RTD

S fails to

sen

t Ro

ute

-m

essage

s

G5

G1

E21: A

ttacker

attack the

system

E1: Lack of Encrypt

MechanismE2: Lack of auth.

Mechanism

G6

E3: Lo

ss/Dam

age

of d

ata Storage

E4: fail to

search

d

atabase

E5: Fail to

up

date

D

atab

ase

D4

: RTD

S fails to

sen

d A

DSB

m

essage

s

G3

G2

E6: Lack o

f En

cryptio

n

Me

chan

ism

E7:Lack o

f auth

. M

ech

anism

G4

E8: Lo

ss/D

amage

of

data Sto

rage

E9: fail to

se

arch

datab

ase

E10

: fail to

up

date

d

atabase

E21


Formalization Approach

Starts by formalizing the lowest level, i.e., Level 4, and thenhierarchically go up to Level 1

HOL Definition of B1 FT at Level 4∀p t D1 D4 E1 E2 E3 E4 E5 E6 E7 E8 E9 E10 E21.

B1 FT p t D1 D4 E1 E2 E3 E4 E5 E6 E7 E8 E9 E10 E21 =

(OR [OR [atomic (fail event p D1 t);

AND [OR (gate list (fail event list p [E1; E2] t));

atomic (fail event p E21 t)];

OR (gate list (fail event list p [E3; E4; E5] t))];

OR [atomic (fail event p D4 t);

AND [OR (gate list (fail event list p [E6; E7] t));

atomic (fail event p E21 t)];

OR (gate list (fail event list p [E8; E9; E10] t))]])


Formalization of Sub-FTs

Level 3 FT formalization is based on Level 4 sub-FTs, i.e., B1 and B2

HOL Definition of A FT

A FT p t D1 D4 D7 D10 E1 E2 E3 E4 E5 E6 E7 E8 E9 E10 E11

E12 E13 E14 E15 E16 E17 E18 E19 E20 E21 C5 C6 C7 C8 =

OR [B1 FT p t D1 D4 E1 E2 E3 E4 E5 E6 E7 E8 E9 E10 E21;

B2 FT p t D7 D10 E11 E12 E13 E14 E15 E16 E17 E18 E19 E20 E21;

AND [OR (gate list (fail event list p [C5; C6; C7] t));

atomic (fail event p C8 t)]]


Formalization of NextGen ATM FT

Similarly, we formalized the complete NextGen FT in HOL

HOL Definition of NextGen FT

ASN gateway FT p t FD AP FF1 D1 D4 D7 D10 E1 ... E21

C5 C6 C7 C8 notshw AL SL PD Others time ED EQ1 EN1 EN2

EN3 EN4 human =

[AND [OR (gate list (fail event list p [FD; AP] t));

atomic (fail event p FF1 t)];

AND [OR [AND (gate list (fail event list p [ED; EQ1] t));

OR [AND(gate list (fail event list p [EN1; EN2; EN3; EN4] t));

fail event p human t];

Internal FT gate p t FD AP FF1 D1 D4 D7

D10 E1... E21 C5 C6 C7 C8 notshw AL SL PD Others time]]


Verification Approach

Traditionally Probabilistic Inclusion-exclusion has been used for failureestimationP(⋃n

i=1 Ai ) =∑

t 6=,t⊆1,2,...,n(−1)|t|+1P(⋂

j∈t Aj)

Requires significant user interaction for large FTs

A Tractable solution is to convert the given FT to its equivalent RBDconfiguration

An OR gate at the top of a FT can be transformed to a Parallel-seriesRBDAn AND gate at the top of a FT can be transformed it to aSeries-Parallel RBDNextGen FT is equivalent to a Parallel-series RBD Configuration




i=1 Ai ) =∑

t 6=,t⊆1,2,...,n(−1)|t|+1P(⋂

j∈t Aj)



An OR gate at the top of a FT can be transformed to a Parallel-seriesRBDAn AND gate at the top of a FT can be transformed it to aSeries-Parallel RBD

NextGen FT is equivalent to a Parallel-series RBD Configuration




i=1 Ai ) =∑

t 6=,t⊆1,2,...,n(−1)|t|+1P(⋂

j∈t Aj)



An OR gate at the top of a FT can be transformed to a Parallel-seriesRBDAn AND gate at the top of a FT can be transformed it to aSeries-Parallel RBDNextGen FT is equivalent to a Parallel-series RBD Configuration


Reliability Block Diagrams

1 N

M

OI

Rparallel−series(t) = Pr(⋃M

i=1

⋂Nj=1 Aij(t))= 1−

∏Mi=1(1−

∏Nj=1(Rij(t)))

Theorem

` ∀ p L. prob space p ∧ (∀z. MEM z L ⇒ vNULL z) ∧(∀x’. MEM x’ (FLAT L) ⇒ x’ ∈ events p) ∧mutual indep p (FLAT L) ⇒(prob p (rbd struct p ((parallel of

(λa. series (rbd list a))) L)) =

(1 - list prod (one minus list) of

(λa. list prod (list prob p a))) L)


NextGen FT transformed to its equivalent RBD

Lemma for NextGen FT to RBD

` ∀!p t FD AP FF1 D1 D4 D7 D10 E1...E21 C5 C6 C7 C8 notshw AL SL

PD Others time ED EQ1 EN1 EN2 EN3 EN4 human.

(ASN gateway FT p t FD AP FF1 D1 D4 D7 D10 E1 ... E21 C5 C6 C7

C8 notshw AL SL PD Others time ED EQ1 EN1 EN2 EN3 EN4 human =

rbd struct p ((parallel of (λa. series (rbd list a )))

(list fail event list p [[ED; EQ1];[EN1; EN2; EN3; EN4];[human];

[FD; FF1];[FF1; AP];[D1];[D4];[E1;E21];[E2;E21];

[E3];[E4];[E5];[E6;E21];[E7;E21];[E8];[E9];[E10];[D7];[D10];

[E11;E21];[E12;E21];[E13];[E14];[E15];[E16;E21];[E17;E21];

[E18];[E19];[E20];[C5; C8];[C6; C8];[C7; C8];[notshw];

[AL; time];[SL; time];[PD; time];[Others;time]] t))


Failure Assesment of NextGen ATM System

Theorem

` (prob p (ASN gateway FT p t FD AP FF1 D1 D4 D7 D10 E1 · · · E21

C5 C6 C7 C8 notshw AL SL PD Others time ED EQ1 EN1 · · · EN4 human)

=

1 - (list prod(one minus exp prod t

[[C ED;C EQ1];[C EN1;C EN2;C EN3;C EN4];[C E6;C E21]])) *

exp (-(t*C human)) * exp -(t*C notshw) *

... list prod(one minus exp prod t [[C AL;C time];

[C SL;C time];[C PD;C time]; [C other;C time]]))))

NextGen failure assessment took about 200 lines of HOL code within20 hours


Outline

1 Introduction



4 Conclusions


Conclusions

Accuracy of failure analysis is very important as an inaccurate failureanalysis leads to an unreliable design

Proposed method guarantees Sound and Complete failure analysisresults

More scalable and user-friendly compared to the existing formalization

Future Work

Formalize dynamic fault tree gates, like PAND, and dynamic fault treesEnhance the automation in the reasoning process by buildingspecialized tacticsBuild a GUI such that fault tree is input by a user and the theoremprover can be used in the background to provide the failure probability


Thanks!

More information: save.nust.seecs.edu.pk


Formalization of Fault Trees in Higher-order Logic: A Deep ...

Documents

Transcript of Formalization of Fault Trees in Higher-order Logic: A Deep ...