R. Banach, School of Computer Science, University of Manchester, UK; M. Bozzano, Fondazione Bruno Kessler, FBK-IRST, Trento, Italy
11. FSAP and the Model Checking Approach to FT Extraction.
An overview of the algorithms for fault tree generation available in FSAP.
Algorithms based on model checking techniques.
• In this tutorial: focus on BDD-based routines.
• SAT-based routines exist as well.
Model Checking
Automated technique to verify a formal system model against a formal specification.
• Systems typically modeled as state transition systems.
• Specifications provided as temporal logic formulae.
Model checking provides a formal guarantee that a specification is obeyed.
(A counterexample trace is produced if the specification does not hold)
• Exhaustive technique compared to testing and simulation.
Major breakthrough with the introduction of symbolic model checking:
• Idea: manipulate sets of states and transitions.
• Efficient symbolic representations for the characteristic functions of such sets.
In the rest of this chapter: model checking techniques applied to FT generation.
Binary Decision Diagrams
BDD = Binary Decision Diagram.
OBDD = Ordered BDD.
(Built with a specific variable order)
ROBDD = Reduced OBDD.
(Canonical form: elimination of redundancies)
(RO)BDDs are an efficient and compact representation for Boolean formulas.
The size of the BDD depends on the variable order.
Set-theoretic operations as logical operators.
Figure: a BDD for the formula (a1 ↔ a2) ∧ (b1 ↔ b2). Dashed edges = false, solid edges = true.
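The slide's own formula under two variable orders, as an added example that is not part of the original slides or of FSAP's BDD package. The small ROBDD manager below (unique table, Bryant-style apply with a memo) is written for illustration; it shows the two reductions that make ROBDDs canonical, and that the order a1 < a2 < b1 < b2 gives 6 non-terminal nodes while a1 < b1 < a2 < b2 gives 9 for the same function:

```python
from itertools import count, product


def AND(a, b):
    return a and b


def IFF(a, b):
    return a == b


class ROBDD:
    """Reduced ordered BDD with a unique table, so equal functions share one node."""

    def __init__(self, order):
        self.rank = {v: i for i, v in enumerate(order)}  # smaller rank = nearer the root
        self.nodes = {}      # node id -> (var, low, high); ids 0 and 1 are the terminals
        self.unique = {}     # (var, low, high) -> node id
        self.ids = count(2)
        self.cache = {}      # memo table for apply()

    def mk(self, var, low, high):
        if low == high:                       # reduction 1: drop a test whose branches agree
            return low
        key = (var, low, high)
        if key not in self.unique:            # reduction 2: share isomorphic subgraphs
            nid = next(self.ids)
            self.unique[key] = nid
            self.nodes[nid] = key
        return self.unique[key]

    def var(self, name):
        return self.mk(name, 0, 1)

    def _cofactor(self, n, x):
        """Restrictions of node n to x=0 and x=1, where x is the split variable."""
        if n > 1 and self.nodes[n][0] == x:
            return self.nodes[n][1], self.nodes[n][2]
        return n, n                           # n does not test x: both restrictions are n

    def apply(self, op, u, v):
        """Combine two BDDs with a Boolean operator, splitting on the earliest variable."""
        key = (op, u, v)
        if key in self.cache:
            return self.cache[key]
        if u <= 1 and v <= 1:
            r = int(op(bool(u), bool(v)))
        else:
            tops = [self.nodes[n][0] for n in (u, v) if n > 1]
            x = min(tops, key=self.rank.__getitem__)
            u0, u1 = self._cofactor(u, x)
            v0, v1 = self._cofactor(v, x)
            r = self.mk(x, self.apply(op, u0, v0), self.apply(op, u1, v1))
        self.cache[key] = r
        return r

    def size(self, root):
        """Number of non-terminal nodes reachable from root."""
        seen, stack = set(), [root]
        while stack:
            n = stack.pop()
            if n > 1 and n not in seen:
                seen.add(n)
                stack.extend(self.nodes[n][1:])
        return len(seen)

    def evaluate(self, root, assignment):
        n = root
        while n > 1:
            var, low, high = self.nodes[n]
            n = high if assignment[var] else low
        return bool(n)


def build_example(order):
    """ROBDD of (a1 <-> a2) /\\ (b1 <-> b2) under the given variable order."""
    bdd = ROBDD(order)
    a = bdd.apply(IFF, bdd.var("a1"), bdd.var("a2"))
    b = bdd.apply(IFF, bdd.var("b1"), bdd.var("b2"))
    return bdd, bdd.apply(AND, a, b)


def count_models(bdd, root, variables):
    """Brute-force model count, used to check that both orders encode the same function."""
    return sum(bdd.evaluate(root, dict(zip(variables, bits)))
               for bits in product((False, True), repeat=len(variables)))


if __name__ == "__main__":
    for order in (["a1", "a2", "b1", "b2"], ["a1", "b1", "a2", "b2"]):
        bdd, root = build_example(order)
        print(order, "->", bdd.size(root), "non-terminal nodes,",
              count_models(bdd, root, order), "models")
```

Both orders represent the same four satisfying assignments; only the graph size differs, which is why BDD-based tools spend effort on variable ordering before the fixpoint computations that follow.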
BDD-based Algorithms for FTA
Different algorithms available:
• Forward (FWD).
• Backward (BWD).
Optimizations:
• Dynamic cone of influence (DCOI).
• Dynamic pruning (PRUN).
Cut Sets
Figure: a model with state variables S1, S2, S3, failure mode variables F1, F2, F3 and history variables O1, O2, O3 (O1 = Once F1, O2 = Once F2, O3 = Once F3). A failure mode variable may model a permanent fault, a sporadic fault or no fault.
Execution trace: F1 fails, then F2 fails, then the Top Level Event (TLE) fires. The cut set of this trace is F1 ∧ F2.
History variables remember past failure events (Oi is true if and only if Fi is true at some point in the past):
Oi → next(Oi)
¬Oi → (next(Oi) ↔ next(Fi))
Dual concept in the future: prophecy variables.
Forward Algorithm
Figure (animation): starting from Init, the forward image of the reachable states is computed step by step until a fixpoint is reached.
The reachable states in which the TLE holds are then collected. Each row is a cut set (CS1 … CS5) over the state variables S1 … S5, the failure mode variables F1 … F3 and the history variables O1 … O3:

       S1 S2 S3 S4 S5   F1 F2 F3   O1 O2 O3
  CS1   0  1  1  1  0    0  0  0    0  1  1
  CS2   1  1  0  0  1    1  0  0    1  1  0
  CS3   1  0  1  1  1    1  1  1    1  1  1
  CS4   0  1  0  1  0    1  0  0    1  0  0
  CS5   1  1  1  1  0    0  1  0    1  1  1

Projecting onto the history variables keeps only the O1 O2 O3 columns. Removing the rows that contain a smaller one (CS2, CS3 and CS5 all contain CS4) leaves the two minimal cut sets, MCS 1 and MCS 2: (O1 O2 O3) = (0 1 1), i.e. O2 ∧ O3, and (1 0 0), i.e. O1.
Backward Algorithm
Figure (animation): starting from the states satisfying the TLE, pre-images are computed step by step, and so on, until a fixpoint is reached.
Dynamic Cone of Influence
Compute pre-images and restricted Kripke structures, based on dependency with the TLE:
M0 ≤ M1 ≤ … ≤ Mn-1 ≤ Mn
– defer construction of the Kripke structure
– hopefully Mn is smaller than the global M
Figure (animation): starting from the TLE, the restricted structures M0, M1, …, Mn-1 grow with each pre-image step until the fixpoint Mn is reached.
Dynamic Pruning
At each iteration, compute a partial set of cut sets.
Use the partial set to prune non-minimal configurations in the search space.
Figure (animation): forward iteration from Init to the fixpoint; the partial set of cut sets found so far is used to prune non-minimal configurations from the search space.
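The forward and backward algorithms, the history and prophecy variable encodings from the Cut Sets slide, and dynamic pruning, as an added worked example that is not part of the original slides or of FSAP. Sets of states are explicit Python sets rather than BDDs, the three-stage model and its TLE (s == 2) are constructed for illustration, and resolving the prophecy variables as p == f at the TLE state in the backward pass is an assumed construction, not FSAP's:

```python
from itertools import product

FAULTS = ("F1", "F2", "F3")
ALL_F = list(product((False, True), repeat=len(FAULTS)))  # every failure-mode vector
NONE = (False,) * len(FAULTS)
TLE_STATE = 2                                             # the TLE holds when s == 2


def step(s, f_next):
    """Constructed toy model: s counts the stages of a two-step failure chain.
    F3 alone drives s to 2; otherwise F1 moves 0 -> 1 and F2 moves 1 -> 2."""
    f1, f2, f3 = f_next
    if f3:
        return 2
    if s == 0 and f1:
        return 1
    if s == 1 and f2:
        return 2
    return s


def post(states):
    """Forward image. State = (s, f, o); history o_i' = o_i or f_i' (Once F_i)."""
    out = set()
    for s, f, o in states:
        for f2 in ALL_F:                                  # sporadic faults: any vector next
            out.add((step(s, f2), f2, tuple(x or y for x, y in zip(o, f2))))
    return out


def pre(targets):
    """Backward image. State = (s, f, p); prophecy p_i = f_i or p_i' (F_i at some future point)."""
    out = set()
    for s, f in product(range(3), ALL_F):
        for s2, f2, p2 in targets:
            if step(s, f2) == s2:
                out.add((s, f, tuple(x or y for x, y in zip(f, p2))))
    return out


def fixpoint(image, seed):
    """Least fixpoint of seed under image, the loop both algorithms run on BDDs."""
    reached, frontier = set(seed), set(seed)
    while frontier:
        frontier = image(frontier) - reached
        reached |= frontier
    return reached


def forward_cut_sets():
    reach = fixpoint(post, {(0, NONE, NONE)})
    return {o for s, f, o in reach if s == TLE_STATE}   # TLE states, projected on history vars


def backward_cut_sets():
    target = {(TLE_STATE, f, f) for f in ALL_F}          # assumption: at the TLE no further faults are needed, p == f
    bwd = fixpoint(pre, target)
    return {p for s, f, p in bwd if s == 0 and f == NONE}  # meet Init, project on prophecy vars


def minimise(cut_sets):
    """Keep only the minimal cut sets: no proper subset is itself a cut set."""
    named = {frozenset(n for n, bit in zip(FAULTS, cs) if bit) for cs in cut_sets}
    return {cs for cs in named if not any(other < cs for other in named)}


def forward_mcs(prune):
    """Forward algorithm with optional dynamic pruning; returns (MCS, states explored)."""
    init = {(0, NONE, NONE)}
    reach, frontier, known = set(init), set(init), set()
    while frontier:
        frontier = post(frontier) - reach
        known |= {o for s, f, o in frontier if s == TLE_STATE}   # partial set of cut sets
        if prune:
            # a state whose history already covers a known cut set can only lead to non-minimal ones
            frontier = {st for st in frontier
                        if not any(all(c <= h for c, h in zip(cs, st[2])) for cs in known)}
        reach |= frontier
    return minimise(known), len(reach)


if __name__ == "__main__":
    print("forward  cut sets:", sorted(forward_cut_sets()))
    print("backward cut sets:", sorted(backward_cut_sets()))
    for prune in (False, True):
        mcs, explored = forward_mcs(prune)
        print(f"prune={prune}: MCS={[set(m) for m in mcs]} explored={explored}")
```

Both directions return the same cut sets, which minimise to {F3} and {F1, F2}; the pruned run reaches the same minimal cut sets while visiting fewer states, because every configuration that already contains a known cut set is dropped as soon as it appears. Replacing the explicit sets with BDD images and pre-images gives the symbolic routines the slides describe.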
12. Retrenchment and Model Checking Compared.
We compare:
• The Retrenchment-based FT generation algorithm.
• The BDD-based backward FT generation algorithm.
(with Dynamic Cone of Influence and Dynamic Pruning)
In the general case of feedback circuits with time delays.
Strong similarities:
• Most important: backward resolution, i.e. start from the TLE.
But – several differences:
• Related to: system decomposition, search strategy, etc.
• Implementation-level but also theoretical differences.
Discussion: how to reconcile retrenchment with model checking.
System Decomposition
Retrenchment-based: decomposition based on system structure.
BDD-based: decomposition based on time delays.
Consequences:
• No difference if unit delays between every block.
(e.g., adders and fanouts in the circuit example).
• In the purely combinational case – no delays:
BDD-based flattens the system – monolithic transition relation.
Reconciliation:
• Not a huge difference: BDD-based could be instructed to take system structure into account, or use “hybrid” strategies.
Search Strategy
Retrenchment-based: non-deterministic, data-dependency-driven search.
• Depth-first search illustrated here,
although simplified by the use of angelic non-determinism theoretically.
BDD-based: breadth-first search.
• Each step decomposing one layer of the composition.
• Efficiency of breadth-first search relies on the BDD package.
• Dynamic pruning introducing controlled depth-first aspects in the search.
Reconciliation:
• Not a huge difference: search strategy in BDD-based is flexible.
• Possibly introducing further depth-first aspects in BDD-based,
e.g. descend first in branches with a lower number of faults, and then prune.
• Mostly an implementation detail.
Minimisation Rules
Retrenchment-based: minimisation rules to prune the search tree on the fly.
BDD-based: minimisation rules mimicked by the internals of the algorithm or
by the BDD package.
• Discarding non-needed subtrees → BDD package + DCOI reduction rules.
• Discarding subtrees at input-insensitive faults → BDD package.
• Discarding locally subsumed expressions → dynamic pruning.
• Subsumption checking at the subsystem level → dynamic pruning.
Reconciliation:
• Not needed.
Timing and Feedback
Retrenchment-based: deals with time delays explicitly.
• Time information fully recorded.
• Different definitions of minimality may be used to turn a RT into a FT.
BDD-based: deals with time delays tacitly.
• Time information is not recorded, temporal details abstracted away,
same states with different time delays are identified.
• Directly generates the fault trees representing the minimal cut sets.
(where definition of minimality abstracts away from time)
Reconciliation:
• Soundness: we get the same results in both cases if we abstract away from time.
• Possibly introducing handling of timing information in BDD-based – but in practice may have an impact on performance. Need to deal with sets of traces rather than sets of states, in a controlled way.
Initial States and Cold-Start Failures
Retrenchment-based: uses appropriate truncation of the detailed FT.
• Minimisation performed independently of initialisation.
BDD-based: truncation performed on-the-fly, reachability check built in.
• Tight coupling of initialisation and minimisation.
• Minimisation may interact with timing abstraction:
• It may discard states that have been identified because of timing abstraction.
• It may discard hot-running scenarios in favour of cold-start ones.
• Focus on computation of MCSs, rather than fault trees.
Reconciliation:
• It is possible to rule out cold-start scenarios in BDD-based, if desired.
• Possibly introducing further guidance in BDD-based to deal with hot-running and cold-start failures.
Conclusions
Retrenchment-based: an idealised specification of a FT generation algorithm.
Can move it closer to the BDD-based algorithm by carefully forgetting details.
BDD-based: an implementation that does not completely conform to it.
Can move it closer to the Retrenchment-based ‘ideal’ by including more details
… but you have to watch performance in practice.