Safety-critical systems (transcript of slides)
NODES workshop, Estonia
Safety-critical systems
Simin Nadjm-Tehrani
www.ida.liu.se/~rtslab
Department of Computer & Information Science
Linköping University, Sweden
and
University of Luxembourg
August 28, 2008
Linköping group @NODES
• Real-time systems laboratory
– Dependability, Distributed systems, Formal analysis
– Four PhD students, 5 examined PhDs in 2005-07
– Recruiting 2 PhD students and a post doc …
• Intelligent information systems laboratory
– Security, P2P systems, databases & web information systems
– Five PhD students, 5 examined PhDs in 2005-07
Dependability
• How can we produce computer systems that do their job, and how can we prove or measure how well they do their jobs?
Engineers: Fool me once, shame on you – fool me twice, shame on me
Software developers: Fool me N times, who cares, this is complex and anyway no one expects software to work...
FT - June 16, 2004
• “If you have a problem with your Volkswagen the likelihood that it was a software problem is very high. Software technology is not something that we as car manufacturers feel comfortable with.”
Bernd Pischetsrieder, chief executive of Volkswagen
October 2005
• “Automaker Toyota announced a recall of 160,000 of its Prius hybrid vehicles following reports of vehicle warning lights illuminating for no reason, and cars' gasoline engines stalling unexpectedly.”
Wired 05-11-08
• The problem was found to be an embedded software bug
February 2, 2004
• Angel Eck, driving a 1997 Pontiac Sunfire, found her car racing at high speed and accelerating on Interstate 70 for 45 minutes, heading toward Denver
• ... with no effect from trying the brakes, shifting to neutral, and shutting off the ignition.
Driver support: Volvo cars (timeline, latest first)
• Collision warning system with brake support (2006)
• Intelligent Driver Information System (IDIS) (2003)
• Adaptive Cruise Control (ACC) (2006)
• Roll Stability Control (RSC) (2002)
• Active Bi-Xenon lights (2006)
• Dynamic Stability and Traction Control (DSTC) (1998)
• Blind Spot Information system (BLIS) (2004)
• ABS Anti-lock Braking System (1984)
Early space and avionics
• During 1955, 18 air carrier accidents in the USA (when only 20% of the public was willing to fly!)
• Today’s complexity is many times higher
Airbus 380
• Integrated modular avionics (IMA), with safety-critical digital components, e.g.
– Power-by-wire: complementing the hydraulically powered flight control surfaces
– Cabin pressure control (implemented with a TTP operated bus)
What is safety?
• IFIP WG 10.4 definition: Safety is the absence of catastrophic consequences on the user(s) and the environment [Avizienis et al]
• Freedom from exposure to danger, or exemption from hurt, injury or loss [Bowen and Stavridou]
Programs are always safe!
• According to these definitions software can only contribute to unsafe behaviour
• Safety is a system level property, and can be claimed/assured at system level
• Differs from reliability
• Closely related to risk
System safety & Hazards
• Safety: achieved by anticipating accidents, and eliminating their causes
• Hazards are potential causes of accidents
– Conditions in a system which, together with other factors in the environment, inevitably cause accidents.
Fault to Accident
• Fault
• Error
• Failure
• Hazard
• Accident
Safety & risk management
• Means anticipating accidents…
• hence anticipating hazards …
• which means quantifying/classifying the potential ...
• Must reduce risks which are not tolerable!
• Result: construction of Safety Case
Structure of SC systems
Figure (IEC 61508): the Equipment under control (EUC) is acted on by a Control system and by a Protection system, each of which implements Safety functions.
Overall safety lifecycle (IEC 61508), phases 1-5:
1 Concept
2 Overall scope definition
3 Hazard and risk analysis
4 Overall safety requirements
5 Safety requirements allocation
Overall safety lifecycle (IEC 61508), phases 6-16:
Overall planning of:
6 Operation & maintenance (O & M)
7 Safety validation
8 Installation & commissioning
Realisation of:
9 Safety-related E/E/PES
10 Other technical safety-related systems
11 External risk reduction facilities
12 Overall installation & commissioning
13 Overall safety validation
14 Overall operation, maintenance & repair
15 Overall modification & retrofit
16 Decommissioning or disposal
But how does this fit in classical (software) systems development process?
Violation of safety
Patterns for safety analysis?
Traditional Safety Analysis
Fault Tree Analysis (FTA)
Figure: a fault tree, rooted at the Top event and refined downwards into its causes.
Traditional Safety analysis
Failure modes and effects analysis (FMEA):
• What are the consequences of some particular component’s failure?
Example FMEA worksheet row:
Subsystem | Failure Mode  | Effects of failure | Cause of failure   | Actions
Sensor    | Value Failure | ?                  | Sensor Malfunction | Duplicate sensors
...       | ...           | ...                | ...                | ...
Example
• Adaptive Cruise Controller (ACC)
• Extension to a traditional cruise control
– adapts the vehicle’s speed to the speed and distance of the vehicle in front
• Identify the hazards and their risks
Figure: own vehicle at speed v following a lead vehicle at speed v_lead; actual distance d_act and desired distance d_des.
Fault tree analysis
Top event: Collision, an OR (+) of:
– No output signal (ACC enabled)
– Faulty output signal
– Undesired output signal (ACC disabled)
Each of these intermediate events is in turn an OR (+) of lower-level causes.
Subtree: No output signal (ACC enabled), an OR (+) of:
– Communication failure
– Logic error
– Physical fault
– Faulty sensor input
– Absent sensor input
– …
Subtree: Undesired output signal (ACC disabled), an OR (+) of:
– Communication failure
– Logic error
– Physical fault
– …
Growing complexity
Figure: an FTA tree from the Top event down to the Software/Digital hardware level, where the tree keeps growing with the complexity of the system.
Focus on safety
• Faults that are probable and may cause failures that lead to hazards are in focus
• The system should be shown to avoid hazardous failures even in presence of these faults
Pattern: Functional verification
Figure, formal verification bench: the Component (In/Out) is composed with an Environment model (In/Out); an Observer watching the composition raises an Alarm when the property is violated.
Pattern: Fault mode analysis
Figure, formal verification bench: Fault mode signals are injected on the Component’s In side, between the Environment’s Out and the Component’s In; a Safety Observer on the composition raises an Alarm when the safety property is violated.
Fault Modelling
• A fault library can be created in design tools
• Fault mode classification:
– Value faults
– Omission faults
– Commission faults
• Examples of faults:
– Stuck-at
– Bit-flips
Figure: the input passes through a fault trigger before reaching the model M, whose output is observed.
Adding components (upgrades)
The pattern works if:
• The system is developed in one organisation
• All source code (all models) are available
• Formal analysis of the composition is not prohibitive (size, time)
Figure: the verification bench with several Components composed with the Environment, a Fault input, and a Safety Observer raising an Alarm.
Component-based Development
• CBD is an emerging trend in software systems
• Problem: no component models address safety properties!
Figure: a system assembled from components C1 … C7, with component C4 replaced by an upgraded C´4.
Components & Interfaces
• Software component interfaces provide all information needed for composition
– M is a model of the behavior of the component
– I is the interface of the component
• What should the interface look like in order to capture safety?
Figure: component C with its model M and its interface I.
Safety and CBD
• A safety property ϕ is typically defined at system-level
• Our approach:
– Interface captures information about behavior of component in presence of faults in the system
Figure: component models M1 and M2, each with a local property ϕ+, and implication arrows (⇒) towards the system-level property ϕS.
ACC example
• φ : When the ACC is in ACC-Mode, the speed is higher than 50 km/h and there is a vehicle in front closer than 50 m, the ACC should not accelerate
Safety Interface
Figure: component C consisting of the safety interface $SI_\varphi$ and the model M. For a given set of faults: how do single and double faults in the environment of M affect the safety property φ?
• M is a model of the behavior of the component
• Formal definition: $C = \langle SI_\varphi, M \rangle$
• Given a set of faults F, a safety property φ, and a model M, the safety interface $SI_\varphi$ describes the single and double faults in F that M is resilient to
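The following is an added worked example, not code from the talk or its SCADE tooling: a toy ACC controller is checked against the property φ of the ACC example (in ACC-Mode, above 50 km/h, with a vehicle closer than 50 m, never accelerate) using the Fault mode analysis pattern, and the result is the single and double fault lists of a safety interface as defined above. The control law, the fault library entries and the finite grid that stands in for the environment abstraction are assumptions of this example.

```python
"""Fault-mode analysis of a hypothetical ACC controller (example, not the talk's model).

The control law, fault library and environment grid below are assumptions of this
example; the real analysis in the talk runs on SCADE models with a model checker."""
from dataclasses import dataclass, replace
from itertools import combinations, product
from typing import Callable, Optional


@dataclass(frozen=True)
class Inputs:
    acc_mode: bool                 # ACC engaged (ACC-Mode)
    speed: float                   # own speed v, km/h
    distance: Optional[float]      # d_act to the vehicle in front, m (None = absent)
    lead_speed: Optional[float]    # v_lead, km/h (None = absent)


def acc_controller(x: Inputs) -> int:
    """Component M (toy control law). Returns +1 accelerate, 0 hold, -1 brake."""
    if not x.acc_mode:
        return 0
    if x.distance is None:                 # absent distance input: fail safe, brake
        return -1
    d_des = max(50.0, 0.5 * x.speed)       # desired gap, never below the 50 m of phi
    if x.distance < d_des:
        return -1
    lead_ok = x.lead_speed is not None and x.lead_speed >= x.speed
    return 1 if lead_ok and x.distance > d_des else 0


def observer_alarm(env: Inputs, out: int) -> bool:
    """Safety observer for phi. It watches the true environment values, not the
    possibly faulty values the component saw, and alarms when M accelerates in
    ACC-Mode above 50 km/h with a vehicle closer than 50 m."""
    return env.acc_mode and env.speed > 50 and env.distance < 50 and out == 1


# Fault library: value (stuck-at) faults, an omission fault and a bit-flip.
Fault = Callable[[Inputs], Inputs]
FAULT_LIBRARY: dict[str, Fault] = {
    "distance_stuck_at_100": lambda x: replace(x, distance=100.0),
    "lead_speed_omission": lambda x: replace(x, lead_speed=None),
    "speed_stuck_at_0": lambda x: replace(x, speed=0.0),
    "mode_bit_flip": lambda x: replace(x, acc_mode=not x.acc_mode),
}


def environment_states():
    """Finite grid standing in for the environment abstraction: values on both
    sides of the 50 km/h and 50 m thresholds of phi."""
    for mode, v, d, v_lead in product((False, True), (30.0, 60.0, 120.0),
                                      (10.0, 30.0, 49.0, 51.0, 80.0, 150.0),
                                      (30.0, 60.0, 120.0)):
        yield Inputs(mode, v, d, v_lead)


def counterexample(faults: list[Fault]) -> Optional[Inputs]:
    """Apply the faults at the component input (the fault trigger) in every
    environment state; return the first state on which the observer alarms,
    or None if M is resilient to this fault combination."""
    for env in environment_states():
        seen = env
        for f in faults:
            seen = f(seen)
        if observer_alarm(env, acc_controller(seen)):
            return env
    return None


def safety_interface(library: dict[str, Fault]):
    """The single and double entries of SI_phi: the faults and fault pairs of
    the library that M tolerates under the environment abstraction."""
    single = [n for n, f in library.items() if counterexample([f]) is None]
    double = [(a, b) for a, b in combinations(library, 2)
              if counterexample([library[a], library[b]]) is None]
    return single, double


if __name__ == "__main__":
    single, double = safety_interface(FAULT_LIBRARY)
    print("resilient to single faults:", single)
    print("resilient to double faults:", double)
    print("counterexample for distance_stuck_at_100:",
          counterexample([FAULT_LIBRARY["distance_stuck_at_100"]]))
```

Note that the mode bit-flip is tolerated only with respect to this φ: switching ACC off cannot violate a property that is conditioned on ACC-Mode, which is why a safety interface is always relative to one property.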
Environment Abstraction
• Dilemma with CBD:
– The fewer assumptions about the environment, the more useful the notion of component
– In order to guarantee something, assumptions must be made
• Solution: include some assumptions about the environment in the safety interface $SI_\varphi$
$C = \langle SI_\varphi, M \rangle$, $SI_\varphi = \langle E_\varphi, \mathit{single}, \mathit{double} \rangle$ where
$\mathit{single} = \langle \langle F_s^1, A_s^1 \rangle, \dots, \langle F_s^m, A_s^m \rangle \rangle$ and
$\mathit{double} = \langle \langle F_d^1, A_d^1 \rangle, \dots, \langle F_d^k, A_d^k \rangle \rangle$
And …
• Provide help in generating them!
Environment Generation Algorithm
• Support for computing the Interface implemented in SCADE
Environment Abstraction
$C = \langle SI_\varphi, M \rangle$, $SI_\varphi = \langle E_\varphi, \mathit{single}, \mathit{double} \rangle$
$E_\varphi$ is the weakest environment in which C will be “safe” with no faults:
$E_\varphi \parallel M \models \varphi$
Environment Abstractions
$C = \langle SI_\varphi, M \rangle$, $SI_\varphi = \langle E_\varphi, \mathit{single}, \mathit{double} \rangle$ where
$\mathit{single} = \langle \langle F_s^1, A_s^1 \rangle, \dots, \langle F_s^m, A_s^m \rangle \rangle$ and
$\mathit{double} = \langle \langle F_d^1, A_d^1 \rangle, \dots, \langle F_d^k, A_d^k \rangle \rangle$
Figure: component C with $SI_\varphi$ and M, annotated as follows.
– $F_s^i$ is a single fault; $F_d^i$ is a pair of faults
– $A_s^m$: abstraction of the environment in which C will tolerate the single fault $F_s^m$
– $A_d^k$: abstraction of the environment in which C will tolerate the double fault $F_d^k$
Component-Based Safety Analysis
Figure: components $C_1, \dots, C_n$ with models $M_1, \dots, M_n$; a fault $F_3$ affects $C_1$, and the question is whether the environment of $M_1$ is $\le A_3$.
$SI^1_\varphi = \langle E_\varphi, \mathit{single}, \mathit{double} \rangle$,
$\mathit{single} = \langle \langle F_s^1, A_s^1 \rangle, \dots, \langle F_s^m, A_s^m \rangle \rangle$,
$\mathit{double} = \langle \langle F_d^1, A_d^1 \rangle, \dots, \langle F_d^k, A_d^k \rangle \rangle$
• $F_3$ is a fault that affects $C_1$
• If $F_3$ appears in single, then it suffices to prove that the environment of $M_1$ is more constrained than $A_3$
– However, infeasible to compose all components and check $M_2 \parallel \dots \parallel M_m \le A_3$
– Solution: Assume-Guarantee reasoning
Assume-Guarantee reasoning
Figure: components $C_1, \dots, C_n$ with models $M_1, \dots, M_n$ and the fault $F_3$ at the input of $C_1$.
To show that the environment of $M_1$ is more specific than $A_3$, show that:
− individual components and their weakest environments are more specific than $A_3$: for all j, $M_j \parallel E^j_\varphi \le A_3$
− $C_1$ with the fault $F_3$ at its input still satisfies the environment requirement of every other component: for all j, $A_3 \circ F_3 \parallel M_1 \le E^j_\varphi$
Resilience to double faults
• At system level is proved similarly
• Proof rules that take account of:
– Double faults in one component
– Two single faults affecting two different components
Workflow
Figure: Component developers do the component modeling; the environment generation algorithm (EGA) generates the safety interfaces, giving $C = \langle SI_\varphi, M \rangle$; the system integrator / safety engineer performs the safety analysis using $SI_\varphi$ and obtains the safety analysis result, with feedback back to component modeling.
ACC: Safety Analysis Result
• Of the 20 fault modes considered the ACC is resilient to:
– 8 single faults
– 2 double faults
• Parts of safety analysis from one fault can be reused later
• However: safety analysis is not finished here!