advanced technology center slide 1 model-based safety analysis overview dr. steven p. miller dr....

Advanced Technology Center Slide 1

Model-Based Safety AnalysisModel-Based Safety AnalysisOverviewOverview

Dr. Steven P. Miller

Dr. Mats P. E. Heimdahl

Advanced Computing Systems

Rockwell Collins

400 Collins Road NE, MS 108-206

Cedar Rapids, Iowa 52498

[email protected]


Outline of PresentationOutline of Presentation

Motivation

Proposed Approach

Demonstration

Analysis

What’s Next


MotivationMotivation

Error in FCLSelection Logic

Active FGSSends Incorrect

Guidance Values

Inactive FGSSends Incorrect

Guidance Values

Error Internalto AP

Error Internalto FD

Incorrect GuidanceValues Received

From FGS

IncorrectGuidance

FCL GeneratesIncorrect Guidance

Values

Error in FGSInputs

Error in FCLAlgorithm

Not Shown




Guidance Values


Guidance Values

Inactive FGSSends Incorrect

Guidance Values

Error Internalto AP

Error Internalto AP

Error Internalto FD

Error Internalto FD


From FGS


From FGS

IncorrectGuidanceIncorrectGuidance


Values

Error in FGSInputs



Values


Values

Error in FGSInputs

Error in FGSInputs



Not Shown

Requirements and

Design Documents

Safety

Analyst A

System Safety Analysis is

- Based on Informal Specifications

- Highly Dependent on Skill of the Analyst

Safety

Analyst B


Model-Based DevelopmentModel-Based Development

Requirements

Modeling

Simulation

AutomatedAnalysis

Autocode

Autotest

Reuse

We Base the Entire Development CycleAround the Model

Why Not theSafety Analysis?


Model-Based Safety AnalysisModel-Based Safety Analysis

Add Fault Model for Physical System

Power A

Pedal 1

Feed back

Plant

Fault Tolerant

Control Unit

( BSCU )

Braking System

System A

Power B

Pedal 2 System B

Plant Model

AntiSkid Command

Braking + AntiSkid

Command

Green Pump Blue Pump

Isolation ValveIsolation Valve

Shut Normal System

NORMAL

ALTERNATE

Accumulator Pump

Meter Valve

Meter Valve

Meter Valve

Accumulator Valve

Mechanical Pedal

Selector Valve

Loss AllBraking

Normal SysLoss

Green PumpLoss

Meter ValveLoss

BSCU Lossof Command

PowerSupplies

Fail

BSCU SelectSignal

Inverted

Alt SysLoss

Acc/AS/MechMeter Fails

Both PumpsFail

Blue Fails Acc Fails

SelValveStuck

Model the Digital Controller Architecture

Automation Enables “What-If” Consideration of System Designs

and Digital Controller Architecture Integrates System and Safety Engineering About a Common Model

and the Physical System


AdvantagesAdvantages

Common Model for Both System and Safety Engineering

Safety Analysis Based on a Formal System Model – Facilitates Consistency in Safety Analysis

– Facilitates Completeness of Safety Analysis

Reduced Manual Effort in Error-prone Areas– Automated Support for Safety Analysis

– Explore Various Failure Scenarios

Focus on Review on Assumptions in the Models– Is the System Model Correct?

– Is the Fault Model Complete?

– Assume the (Automated) Analysis is Trustworthy



Motivation

Proposed Approach

Demonstration

Analysis

What’s Next


PSSAs SSAs

System Requirements andObjectives

Aircraft FHA

System FHAs

System FTAs

Derived SafetyRequirements

Design

System FMEAs

Aircraft FTA

System FTAs

Certification

Aircraft Integration Cross-check

System Integration Cross-check

FC&C

FC&C

FE&P

FE&P

Verify that the implemented system satisfies the safety requirements and develop certification documents

Safety analysis performed as an integral part of the iterative system development process (Requirements, Architecture, Design)

Traditional Safety Analysis ProcessTraditional Safety Analysis Process


PSSAs SSAs

System Requirements andObjectives

Aircraft FHA

System FHAs

System FTAs

Derived SafetyRequirements

Design

System FMEAs

Aircraft FTA

System FTAs

Certification

Aircraft Integration Cross-check

System Integration Cross-check

FC&C

FC&C

FE&P

FE&P

Verify that the implemented system satisfies the safety requirements and develop certification documents

Safety analysis performed as an integral part of the iterative system development process (Requirements, Architecture, Design)


Incremental development of the system model.

Support for automatedsafety analysis.

Automated replay ofsafety analysis asthe system is changed.


Creation of Nominal System ModelCreation of Nominal System Model

Power A

Pedal 1

Feed back

Plant

Fault Tolerant

Control Unit

( BSCU )

Braking System

System A

Power B

Pedal 2 System B

Model of the Digital System Verify safety properties of the nominal digital

system

Library of Common Mechanical Components

Verify safety properties of the nominal system

Plant Model

AntiSkid Command

Braking + AntiSkid

Command



Shut Normal System

NORMAL

ALTERNATE

Accumulator Pump

Meter Valve

Meter Valve

Meter Valve

Accumulator Valve

Mechanical Pedal

Selector Valve

Power A

Pedal 1

Feed back

Plant

Fault Tolerant

Control Unit

( BSCU )

Braking System

Power B

Pedal 2 System B

Model of the Digital System + Model of the Mechanical System


Creation of the Fault Model Creation of the Fault Model

Plant Model

AntiSkid Command

Braking + AntiSkid

Command



Shut Normal System

NORMAL

ALTERNATE

Accumulator Pump

Meter Valve

Meter Valve

Meter Valve

Accumulator Valve

Mechanical Pedal

Selector Valve

Power A

Pedal 1

Feed back

Plant

Fault Tolerant

Control Unit

( BSCU )

Braking System

System A

Power B

Pedal 2 System B

Library of Common Failure Modes

Fault Model

System Architecture

Component (or Component Type)

Failure Mode Type of Failure

Additional constraints

Isolation Valve, Meter Valve : Valve

Stuck at Open or Closed

Permanent -

Power Supply Value not in range

Transient Propagate to all components connected to the Power supply

Braking System Control Unit

Inverted signal Transient Simultaneous failure on all outputs of BSCU

Green Pump, Blue Pump :Pump

Pressure below threshold

Permanent -


Auto-generation of Fault Trees

Automated Safety AnalysisAutomated Safety Analysis

FormalizedSafety

Requirements+

Plant Model

AntiSkid Command

Braking + AntiSkid

Command



Shut Normal System

NORMAL

ALTERNATE

Accumulator Pump

Meter Valve

Meter Valve

Meter Valve

Accumulator Valve

Mechanical Pedal

Selector Valve

Power A

Pedal 1

Feed back

Plant

Fault Tolerant

Control Unit

( BSCU )

Braking System

System A

Power B

Pedal 2 System B

Proof Tree for P

P

A is ok

ComponentsA1, A2, A3 all

work asexpected

Connectionsc1,2,c1,3,c2,3are all ok

E1 isok

E2 isok

E3 isok

E is ok

Proofs of Safety Properties

Simulation


Auto-generation of Fault TreesAuto-generation of Fault Trees

Easy to Generate Two-Level Fault Trees– Minimal Cut Sets of Events that Can Cause a Hazard

– Two Levels Deep and a Mile Wide

Harder to Generate Useful Fault Trees – Intermediate Levels Reflect System Architecture

– Essential for Acceptance by Safety Engineers


Proof of Safety PropertiesProof of Safety Properties

Mathematical Proof– Avoids Mile Wide Problem

with Fault Trees– User Guides the Proof

Structure to Reflect the System Architecture

Used For Backward Search– Proof will Expose All Minimal

Cut Sets of Events– Extend Fault Model to Rule

Out Acceptable Minimal Cut Sets

– Repeat Until Proof is Completed

Proof Tree for P

P

A is ok


work asexpected


E1 isok

E2 isok

E3 isok

E is ok


Correspondence Between Correspondence Between Fault Trees and Proof TreesFault Trees and Proof Trees

A

A1

A2

A3

c2,3

c1,3E1

E2

E3

Is P satisfied?

c1,2

Fault Tree for !P

TLE for !P

A fails

E1fails

E2fails

E3failsOne or more

ComponentsA1, A2, A3 fail

One or moreConnectionsc1,2,c1,3,c2,3

fail

E fails

Proof Tree for P

P

A is ok


work asexpected


E1 isok

E2 isok

E3 isok

E is ok

Complements w.r.t. each other


Summary – Model-Based Safety AnalysisSummary – Model-Based Safety Analysis

Integrates System and Safety Engineering About a Common Model

Automated Analysis of System Safety Properties

Makes Safety Analysis More Systematic and Repeatable

Shifts Focus from Component to Architectural Models

Reduces the Workload of Safety Engineers – Automates More of the Safety Analysis

– Eliminates the Need to Review the Analysis

– Focus on Review of the System Model and the Fault Model


Challenges for Future ResearchChallenges for Future Research

Fault Models– What is a Fault Model? How Do We Represent It?

Merging the Fault Model and the Nominal Model– Aspect Orientation and Aspect Weaving?

Stating Safety Properties– Simple Safety Properties are Often Difficult to State Formally– Do We Need a New Language for Safety Properties?

Presentation of the Analysis – Fault Trees Need to Reflect the System Architecture

Scalability– Analysis of Complex, Asynchronous, System Models

Technology Transfer– Need a Gradual Evolution from Existing Practices


Model-Based Safety AnalysisModel-Based Safety AnalysisDemonstrationDemonstration

Dr. Mats P. E. Heimdahl

University of Minnesota

[email protected]

Dr. Steven P. Miller

Advanced Computing Systems

Rockwell Collins

[email protected]



Motivation

Proposed Approach

Demonstration

Analysis

What’s Next



Add Fault Model for Physical System

Power A

Pedal 1

Feed back

Plant

Fault Tolerant

Control Unit

( BSCU )

Braking System

System A

Power B

Pedal 2 System B

Plant Model

AntiSkid Command

Braking + AntiSkid

Command



Shut Normal System

NORMAL

ALTERNATE

Accumulator Pump

Meter Valve

Meter Valve

Meter Valve

Accumulator Valve

Mechanical Pedal

Selector Valve

Loss AllBraking

Normal SysLoss

Green PumpLoss

Meter ValveLoss

BSCU Lossof Command

PowerSupplies

Fail

BSCU SelectSignal

Inverted

Alt SysLoss

Acc/AS/MechMeter Fails

Both PumpsFail

Blue Fails Acc Fails

SelValveStuck

Model the Digital Controller Architecture

Automation Enables “What-If” Consideration of System Designs

and Digital Controller Architecture Integrates System and Safety Engineering About a Common Model

and the Physical System


Auto-generation of Fault Trees

Automated Safety AnalysisAutomated Safety Analysis

FormalizedSafety

Requirements+

Plant Model

AntiSkid Command

Braking + AntiSkid

Command



Shut Normal System

NORMAL

ALTERNATE

Accumulator Pump

Meter Valve

Meter Valve

Meter Valve

Accumulator Valve

Mechanical Pedal

Selector Valve

Power A

Pedal 1

Feed back

Plant

Fault Tolerant

Control Unit

( BSCU )

Braking System

System A

Power B

Pedal 2 System B

Proof Tree for P

P

A is ok


work asexpected


E1 isok

E2 isok

E3 isok

E is ok

Proofs of Safety Properties

Simulation


Wheel Brake System (WBS) Example Wheel Brake System (WBS) Example ARP 4761ARP 4761

Proof of Concept– Concrete Demonstration of Main Ideas

Modeling and Analysis Using Existing Tools– Simulink for Modeling the System

– NuSMV, Prover, and PVS for Analyzing the System

Why the Wheel Brake System? – ARP 4761 - Guidelines and Methods for Conducting the Safety

Assessment Process on Civil Airborne Systems and Equipment

– Familiar Example to Safety Engineers

– Benchmark our Results Against ARP-4761 Safety Analysis

– Small but Complex Enough to Capture Interesting Behaviors


Wheel Brake SystemWheel Brake System

WBS is Composed of– Two Redundant Hydraulic Lines :

Normal & Alternate

– Hydraulic Pumps

– Number of Hydraulic Valves

– Braking System Control Unit (BSCU)

BSCU is Composed of– Two Command Units Compute

Braking and Antiskid Commands

– Two Monitors Check Validity of the Associated Command Units

– BSCU is Valid if One of the Command Unit is ValidFigure borrowed from ARP 4761


Normal & Alternate Hydraulic LinesNormal & Alternate Hydraulic Lines

Normal Hydraulic line– Main System Supplying Braking Pressure to the Wheel

– BSCU Provides Braking and Antiskid Commands

Alternate Hydraulic Line– Braking Achieved Manually Via Mechanical Pedal

– BSCU Provides Antiskid Command

Switch-over from Normal to Alternate Line When– Green Pump or Any Component along Normal Line Fails or

– BSCU Becomes Invalid

Selector and Isolation Valves Used for the Switch-over

Alternate Line Stays Active Until WBS System is Reset


Add WBS Failure Modes Add WBS Failure Modes to Nominal Modelto Nominal Model

Hydraulic Failure Modes

– Pumps • Pressure Below Threshold (X)

– Valves• Stuck at Closed/Open (S)

Digital System Failure Modes

– Monitor Unit • Output Inverted (I)

– Command Unit • Output Stuck (O)

– Power Failure• Loss of Power (L)

I

X X

X

S S

S

S

S S

O O

I

LL

Manually Extended the Nominal Model with Failure Modes



Motivation

Proposed Approach

Demonstration

Analysis

What’s Next


WBS Model-Based Safety AnalysisWBS Model-Based Safety Analysis

Formal Model

System FMEAsDerived Safety Requirements

Automated Requirements Verification

Fault Model

Formal Model with Failures

Automated Fault Tolerance Verification

“Loss of all wheel braking”

Nominal Wheel Brake System in Simulink

Safety requirement formalized and verified in

NuSMV

Formalized basic failure modes in

Simulink

Extended Wheel Brake System in Simulink

Safety requirement in presence of n faults

formalized and verified in NuSMV

“NO Loss of all wheel braking”

Manual Model Extension

System Hazard Analysis


Verified Safety Properties Verified Safety Properties in Nominal Modelin Nominal Model

Safety Requirement from ARP 4761– Loss of All Wheel Braking (Unannunciated or Annunciated) During Landing or

RTO Shall Be Less Than 5*10-7 Per Flight

Revised Safety Requirement– When the Pedal Is Pressed, Then Either the Normal or the Alternate Pressure

Shall Be Above Threshold

Formalized in NuSMV asDEFINE Pedal_Pressed = (PedalPos > 0 & PedalPos < 5)

SPEC AG (Pedal_Pressed -> (Normal_Pressure > 0 | Alternate_Pressure > 0))

Second Revised Safety Requirement – When the Pedal Is Pressed and There Is No Skidding, Then Either the Normal

or the Alternate Pressure Should Be Above Threshold

Formalized in NuSMV asDEFINE Pedal_Pressed = (PedalPos > 0 & PedalPos < 5) SPEC AG ((Pedal_Pressed & !Skid) ->

(Normal_Pressure > 0 | Alternate_Pressure > 0))

Verified on the Nominal Simulink Model Using NuSMV


Safety PropertiesSafety Properties

Example Safety PropertyIf There Is One Failure and the Pedal Is Pressed in Absence of Skidding, Then Either the Normal Pressure or the Alternate Pressure Shall Be Above the Threshold

Transient Failures– Failures May Last an Arbitrary Time Before Recovery of the Component

– Failures Triggers Are Non-deterministic Inputs and Inherently Transient

Permanent Failures– Failures Are Permanent, a Failed Component Never Recovers

– Latch Fault Trigger Inputs to Simulate Permanent Failure

Simultaneous Failures– Count the Number of Active Fault Triggers


Fault Tolerance VerificationFault Tolerance Verification

Transient Failures– If There Is One Failure and the Pedal Is Pressed in Absence of Skidding, Then

Either the Normal Pressure or the Alternate Pressure Shall Be Above the ThresholdSPEC AG((NumFails = 1 & Pedal_Pressed & !Skid) -> (Normal_Pressure > 0 | Alternate_Pressure > 0))

– Several Steps May be Needed to Detect and Respond to Some FailuresSPEC AG((NumFails = 1 & Pedal_Pressed & !Skid) –>

AX((NumFails = 1 & Pedal_Pressed & ! Skid) –>

AX ((NumFails = 1 & Pedal_Pressed & !Skid) -> (Normal_Pressure > 0 | Alternate_Pressure > 0))))

Plant Model

AntiSkid Command

Braking + AntiSkid

Command



Shut Normal System

NORMAL

ALTERNATE

Accumulator Pump

Meter Valve

Meter Valve

Meter Valve

Accumulator Valve

Mechanical Pedal

Selector Valve

Power A

Pedal 1

Feed back

Plant

Fault Tolerant

Control Unit

( BSCU )

Braking System

System A

Power B

Pedal 2 System B

X X


Fault Tolerance VerificationFault Tolerance Verification

Permanent Failures– Holds for One Permanent Failure

SPEC AG((NumFails = 1 & Pedal_Pressed & !Skid) –> AX((NumFails = 1 & Pedal_Pressed & ! Skid) –>

AX ((NumFails = 1 & Pedal_Pressed & !Skid) -> (Normal_Pressure > 0 | Alternate_Pressure > 0))))

Plant Model

AntiSkid Command

Braking + AntiSkid

Command



Shut Normal System

NORMAL

ALTERNATE

Accumulator Pump

Meter Valve

Meter Valve

Meter Valve

Accumulator Valve

Mechanical Pedal

Selector Valve

Power A

Pedal 1

Feed back

Plant

Fault Tolerant

Control Unit

( BSCU )

Braking System

System A

Power B

Pedal 2 System B


Fault Trees and Proof Trees RevisitedFault Trees and Proof Trees Revisited

A

A1

A2

A3

c2,3

c1,3E1

E2

E3

Is P satisfied?

c1,2

Fault Tree for !P

TLE for !P

A fails

E1fails

E2fails

E3failsOne or more



fail

E fails

Proof Tree for P

P

A is ok


work asexpected


E1 isok

E2 isok

E3 isok

E is ok



WBS PVS Proof TreeWBS PVS Proof Tree

Prop.1.1 :

[-1] Alt_Meter_2_Fail(s!1)[-2] Alt_Meter_2_Fail(s!1){-3} FM_WBS_Ext_BSCU_Node.Alternate_Pressure(s!1) = 0[-4] Nor_Meter_Fail(s!1)[-5] FM_WBS_Ext_BSCU_Node.Normal_Pressure(s!1) = 0[-6] 0 < PedalPos1(s!1) |-------[1] Alt_Meter_2_Stuck_Val(s!1)[2] Alt_Meter_2_Stuck_Val(s!1)[3] Nor_Meter_Stuck_Val(s!1)[4] Skid(s!1)[5] 0 < FM_WBS_Ext_BSCU_Node_Fault.Normal_Pressure(s!1)[6] 0 < FM_WBS_Ext_BSCU_Node_Fault.Alternate_Pressure(s!1)

Plant Mod

el

AntiSkid Command

Braking + AntiSkid

Command



Shut Normal System

NORMAL

ALTERNATE

Accumulator Pump

Meter Valve

Meter Valve

Meter Valve

Accumulator Valve

Mechanical Pedal

Selector Valve

Power A

Pedal 1

Feed back Plant

Fault Tolerant

Control Unit

( BSCU )

Braking System

System A

Power B

Pedal 2 System B

X X

Prop :

{-1} 0 < PedalPos1(s!1) |-------{1} Skid(s!1){2} 0 < FM_WBS_Ext_BSCU_Node_Fault.Normal_Pressure(s!1){3} 0 < FM_WBS_Ext_BSCU_Node_Fault.Alternate_Pressure(s!1)


PVS/Fault Tree ChallengesPVS/Fault Tree Challenges

Difficult Proofs– Completing Proofs is Still a Time Consuming Process

Level of Detail in Proofs– Current Proofs are Low Level, Fault Trees Must be

High Level• Proofs Performed at Detailed Behavioral Level

• Fault Trees Must be Presented at an Architectural Level

Proof Structure– Proof Structure Appropriate for Fault Tree Generation

Must be Obtained• May or May Not be the Most Natural Way to Pursue the Proof


Demonstration/Analysis SummaryDemonstration/Analysis Summary

Simulation and Visualization of Software, Digital, and Analog Failures– Simulink Models of Nominal System Coupled with Fault Models

Enable Flexible Simulation

Model Checking Techniques Enable Flexible Analysis– Verification of Correctness Under Normal Conditions– Verification of Desirable Fault-tolerance Properties

Theorem Proving Holds Promise as Powerful Fault Tree Generation Tool– Open Issues Still Remain



Motivation

Proposed Approach

Demonstration

Analysis

What’s Next


What’s NextWhat’s Next

Improving Modeling Process

Ease of Analysis

Presentation of Analysis Results

Scalability


Improving the Modeling ProcessImproving the Modeling Process

Nominal System Model

Extended System Model

# of Inputs 7 27

# of Signals 45 65

Changed/Added Blocks 13

Building Extended Model is a Manual Process

Difficult to Keep Nominal & Extended Model in Sync.

Fault Triggers are Added as New Inputs

Handle Transient and Permanent Faults Differently

Fault Model Clutters Nominal Model



3

System_Mode

2

Alternate_Pressure

1

Normal_Pressure

z

1

z

1

z

1

Stu

ck_F

lag

Stu

ck_at_

Val

Sel_

Active

Nor_

In

Alt_In

Nor_

Out

Alt_O

utSelector_Stuck

Pump_Fail2

Pwr_FailPwrOut

Power_Fail1

Pwr_FailPwrOut

Power_Fail

Stu

ck_F

lag

Stu

ck_at_

Val

Pre

ssure

Cm

d

Out1

Meter_Stuck

PosCmd

MechanicalPedal

NOT

Inverted

Green Pump_Fail

Stu

ck_F

lag

Stu

ck_at_

Val

Valv

e_S

hut

Pre

ssure

Out1

Green PumpIsolation_Stuck

[Green_Tag]

[Nor_Out]

[Alt_Active]

[AltP_Feedback][NorP_Feedback]

[NorValveCmd]

[AltValveCmd]

[Acc_Tag]

[Blue_Tag]

[GP_Fail]

[V_Fail]

[AltP_Feedback]

[Nor_Out]

[Alt_Active]

[NorP_Feedback]

[Acc_Stuck_Val]

[Acc_Meter_Fail]

[Green_Tag]

[Pwr2_Fail]

[AM2_Val]

[Pwr1_Fail]

[NorValveCmd]

[AM2_Fail]

[S_Val][S_Fail]

[BI_Fail]

[BI_Val][GI_Val]

[GI_Fail]

[AltValveCmd]

[AS_AM_Val]

[AS_AM_Fail]

[NM_Val]

[NM_Fail]

[AP_Fail]

[BP_Fail]

[Acc_Tag]

[Blue_Tag]

Stu

ck_F

lag

Stu

ck_at_

Val

Pre

ssure

Cm

d

Out1

CMD/AS Meter_Stuck

Blue Pump_Fail

Stu

ck_F

lag

Stu

ck_at_

Val

Valv

e_S

hut

Pre

ssure

Out1

Blue PumpIsolation_Stuck

Pwr1

Pwr2

Pedal1

Pedal2

AutoBrakeOn

DecRate

AC_Speed

Skid

Nor_Pressure

Alt_Pressure

Green_Pressure

Blue_Pressure

Acc_Pressure

Out_NorP

Sel_Alt

Nor_Cmd

Alt_Cmd

SystemMode

BSCU

Pip

eP

ressure

Reserv

eP

ressure

AltA

ctive

Stu

ck_F

lag

Stu

ck_V

al

Pre

ssure

_O

ut

AccumulatorValve_Stuck

Stu

ck_F

lag

Stu

ck_at_

Val

Pre

ssure

Cm

d

Out1

ASMeter_Stuck

7

AC_Speed

6

Skid

5

DecRate

4

AutoBrake

3

MechPedal

2

PedalPos2

1

PedalPos1

3

System_Mode

2

Alternate_Pressure

1

Normal_Pressure

z

1

z

1

z

1

Unit Delay

Sel

ecto

rOff

Nor

_Pre

ssur

e

Alt_

Pre

ssur

e

Nor

_Pre

ssur

e_O

ut

Alt_

Pre

ssur

e_O

ut

SelectorValve

ValidPower

ValidPower

PosCmd

MechanicalPedal

Pip

ePre

ssur

e_In

Cm

dPos

Pip

ePre

ssur

e_O

ut

ManualMeterValve

NOT

Val

veS

hut

Pip

ePre

ssur

e

Pre

ssur

e_O

utGreen PumpIsolationValve

GreenPump

[Green_P]

[Acc_P]

[Alt_Active]

[AltP_Feedback][NorP_Feedback]

[NorValveCmd]

[AltValveCmd]

[Nor_Out]

[Blue_P]

[Nor_Out]

[Acc_P]

[Alt_Active]

[AltP_Feedback]

[NorP_Feedback]

[NorValveCmd]

[AltValveCmd]

[Green_P]

[Blue_P]

Pip

ePre

ssur

e_In

Cm

dPos

Pip

ePre

ssur

e_O

ut

CMD/ASMeterValve

Val

veS

hut

Pip

ePre

ssur

e

Pre

ssur

e_O

utBlue PumpIsolationValve

BluePump

Pwr1

Pwr2

Pedal1

Pedal2

AutoBrakeOn

DecRate

AC_Speed

Skid

Nor_Pressure

Alt_Pressure

Green_Pressure

Blue_Pressure

Acc_Pressure

Out_NorP

Sel_Alt

Nor_Cmd

Alt_Cmd

Sy stemMode

BSCU

Pip

ePre

ssur

e

Res

Pre

ssur

e

AltA

ctiv

e

Pip

ePre

ssur

e_O

utAccumulatorValve

Accumulator Pump

Pip

ePre

ssur

e_In

Cm

dPos

Pip

ePre

ssur

e_O

ut

ASMeterValve

7

AC_Speed

6

Skid

5

DecRate

4

AutoBrake

3

MechPedal

2

PedalPos2

1

PedalPos1

Adding Faults Clutters the Nominal Model



Modeling the Mechanical System– Need Libraries of Common Components

Creating the Fault Model– What Exactly is a Fault Model?

• What is part of nominal system?

• What goes in fault model?

– Types of Faults, Interactions Between Faults, and Fault Locations

Auto generate the Extended System Model– Use Tools to Merge Nominal and Fault Model



Aspect-Oriented Modeling

Specify Faults as Aspects of System Components

Automatically Weave Faults into Nominal Model

Nominal and Extended Model Always in Sync

Reduces Potential for Human Error

Hide Fault Trigger Inputs during Simulation


Ease of AnalysisEase of Analysis

Safety Properties Can be Awkward to Specify:

Usually, Properties are Conceptually Simple

Complexity Comes From Mapping Simple Conceptual Ideas to Formal Specification

Antecedent = ((pre (pre (pre ((NumFails = 1) and FailRec4Step))) and

pre (pre ((AllPedNoSkid and not (Changed)))) and

pre ((AllPedNoSkid and not (Changed))) and

(AllPedNoSkid and not (Changed)))) ;

Consequent = (pre (pre (SomePressure)) or pre (SomePressure) or SomePressure) ;

Prop_MultiStepSingleFail4 =fby( Implies(Antecedent, Consequent), 4, true);


Ease of AnalysisEase of Analysis

Many Safety Properties are Stylized– Given n failures (or all failure combinations

whose combined probability is >10-k), is it possible that the system will fail?• Failure condition is usually straightforward to specify

• Property complexity arises when considering recovery time and fault propagation

Create a Property Builder to Assist Specification of Safety Properties


Presentation of Analysis ResultsPresentation of Analysis Results

Currently: Proof or Counterexample

We Want Something Acceptable To Safety Engineers

TIMES 1 2 3 4 5

INPUTSChg_Coupled_Side 1 1 0 1 0SYNC_Switch 1 1 0 1 0GA_Switch 1 1 1 1 1LAPPR_Capture 1 0 1 1 0HDG_Switch 1 1 1 1 0VAPPR_Capture 1 1 1 0 1SPD_Switch 1 1 1 1 1

OUTPUTSLAT_Mode 1 1 3 3 1LAT_Sync_Out 1 0 1 0 1VER_Mode 1 1 1 1 1VER_Sync_Out 0 1 0 1 0


Fault Trees using Model CheckerFault Trees using Model Checker

FSAP Defines Flat Fault Trees

We Can do Better by Encoding Architecture of System Into Fault Tree

Formal System Model

Safety Requirements

Failure Modes

FSAP/NuSMV-SA

Fault Tree


Proof Trees and Fault TreesProof Trees and Fault Trees

A

A1

A2

A3

c2,3

c1,3E1

E2

E3

Is P satisfied?

c1,2

Fault Tree for !P

TLE for !P

A fails

E1fails

E2fails

E3failsOne of more



fail

E fails

Proof Tree for P

P

A is ok


work asexpected


E1 isok

E2 isok

E3 isok

E is ok



PVS Proof TreesPVS Proof Trees

Prop.1.1 :

[-1] Alt_Meter_2_Fail(s!1)[-2] Alt_Meter_2_Fail(s!1){-3} FM_WBS_Ext_BSCU_Node.Alternate_Pressure(s!1) = 0[-4] Nor_Meter_Fail(s!1)[-5] FM_WBS_Ext_BSCU_Node.Normal_Pressure(s!1) = 0[-6] 0 < PedalPos1(s!1) |-------[1] Alt_Meter_2_Stuck_Val(s!1)[2] Alt_Meter_2_Stuck_Val(s!1)[3] Nor_Meter_Stuck_Val(s!1)[4] Skid(s!1)[5] 0 < FM_WBS_Ext_BSCU_Node_Fault.Normal_Pressure(s!1)[6] 0 < FM_WBS_Ext_BSCU_Node_Fault.Alternate_Pressure(s!1)

Plant Mod

el

AntiSkid Command

Braking + AntiSkid

Command



Shut Normal System

NORMAL

ALTERNATE

Accumulator Pump

Meter Valve

Meter Valve

Meter Valve

Accumulator Valve

Mechanical Pedal

Selector Valve

Power A

Pedal 1

Feed back Plant

Fault Tolerant

Control Unit

( BSCU )

Braking System

System A

Power B

Pedal 2 System B

X X

Prop :

{-1} 0 < PedalPos1(s!1) |-------{1} Skid(s!1){2} 0 < FM_WBS_Ext_BSCU_Node_Fault.Normal_Pressure(s!1){3} 0 < FM_WBS_Ext_BSCU_Node_Fault.Alternate_Pressure(s!1)


PVS/Fault Tree ChallengesPVS/Fault Tree Challenges

Difficult Proofs– Completing Proofs is Still a Time Consuming Process

Level of Detail in Proofs– Current Proofs are Low Level, Fault Trees Must be

High Level• Proofs performed at detailed behavioral level

• Fault trees must be presented at an architectural level

Proof Structure– Proof Structure Appropriate for Fault Tree Generation

Must be Obtained• May or may not be the most natural way to pursue the proof


Future Research GoalsFuture Research Goals

Investigate –– Fault Models

• Relationship between fault model and nominal system

• What is a reasonable and flexible fault model?

– Automate Fault Injection Into the Nominal Model• Aspect orientation and aspect weaving?

– Flexible Notation for Capturing Safety Properties• Safety modeling language?

– Automate Fault Tree Generation • Fault trees acceptable for safety-engineers and acceptable for

certification

– Safety Analysis Methodology• Who will build the fault model?

• Who performs what analysis?