Post on 22-Dec-2015
Automation for System Safety Analysis: Executive Briefing
Jane T. Malin, Principal Investigator
Project: Automated Tool and Method for System Safety Analysis
Software Assurance Symposium, September 2007
Complex systems typically fail because of the unintended consequences of their design, the things they do that were not intended to be done.
- M. Griffin, System Engineering and the “Two Cultures” of Engineering, March 28, 2007
SAS 07 Automation for System Safety Analysis Malin 2
Problem
• Need early evaluation of software requirements and design
– Assess test and validation plans for software-system interaction risks
– Identify requirements gaps
– Perform virtual system integration tests prior to software-hardware integration
• Benefits
– Reduce software-system integration risks and requirements-induced errors early
– Improve efficiency and repeatability of analysis
– Reduce contention for software-hardware integration laboratory resources
Technical Approach
Systematic semi-automated analysis for early evaluation and rapid update
– Capture model of the controlled system architecture
• Abstract physical architecture models extracted directly from requirements and design text and data
– Capture risks and hazards in model
• Constraints, hazards, risks from requirements and design
• Risk and failure libraries
– Analyze model and risk data to identify relevant risks and constraints
• Analyze and simulate risk propagation in the system
• Use operational and off-nominal scenarios and configurations
– Identify possible test scenarios for virtual system integration testing
Relevance to NASA
• This work leverages component tools that have been used in NASA applications
• Goal: Integrate and enhance these tools for software assurance early, during requirements and design phases
• Project test case is NASA Constellation Launch Abort System (LAS)
Extend and Integrate Existing Technology
[Diagram: tool chain with the stages Inputs, Extraction, Modeling, Analysis, Simulation, Testing; the labelled elements are listed below]
Requirements and Constraints Text
Risks & Mitigations
Physical/Functional Architecture Models
Discrete Time Simulation Model
Extraction Tool: Model Parts, Interfaces, Risks, Scenarios
Library: Components, Connections, States & Risks
Functional Diagrams
Aerospace Ontology: Taxonomy, Thesaurus, Classes, Synonyms
Modeling Tool:
- Map
- Connect
- Visualize
- Embed problems and states
Analyze and Simulate:
- Identify interaction-risk pairs
- Estimate severity in nominal and fault scenarios
- Investigate influence of timing
Reports: Pairs, Paths, Risky Scenarios, Test Cases for Virtual System Integration Testing
Virtual System Integration Lab (VSIL)
Interaction Model
Extraction Tool and Nomenclature
• Reconciler Extractor
– Extract models from requirements text and threat/risk analysis
– Uses semantic parsing and word/phrase classification
• Aerospace Systems Library and Ontology
– Taxonomy of model elements
– Extensive problem taxonomy and thesaurus with hazard types from Constellation HA handbook
• Current NASA use: Semantic text mining for trend analysis of JSC Discrepancy Reports
– Mechanical, electrical, software and process discrepancies in NASA-furnished equipment
Model-Based Safety Analysis Case
• Model extraction and hazard analysis were demonstrated in 2005
– Case: Generic unmanned spacecraft; concerns about transmitter noise
– Reconciler tool: Extracted from SpecTRM requirements and DDP risks
– Hazard Identification Tool: Models and path analysis
– CONFIG tool: Timed discrete event simulation
Modeler: Architecture Model and Visualization of a Set of Requirements
[C.1] Telecommunication Subsystem
• [C.1.1] The CDHC sends the TeleSub a compressed picture. [FG.1] [TeleSub C.1.4]
• [C.1.2] The CDHC sends the TeleSub telemetry. [FG.2] [FR.1] [FR.5] [TeleSub C.1.5]
• [C.1.3] The CDHC sends In View of Ground alerts to the TeleSub. [DP.5.6] [TeleSub C.1.6]
• [C.1.4] The CDHC receives plan files from the TeleSub. [FR.3] [TeleSub C.1.3]
• [C.1.5] The CDHC receives ground commands from the TeleSub. [FR.3] [TeleSub C.1.2]
• [C.1.6] The CDHC receives the TeleSub operating state from the TeleSub. [DP.5.5] [TeleSub C.1.1]
…
[C.2] Camera Subsystem
• [C.2.1] The CDHC sends the Camera a "take picture" command. [FG.2] [FR.1] [FR.3]
• [C.2.2] The CDHC sends the Camera x, y and z gimballing coordinates. [FG.2] [FR.1] [FR.3]
• [C.2.3] The CDHC sends a turn on command to the Camera. [DP.5.3] [H Constraint 1.1.4]
• [C.2.4] The CDHC sends a turn off command to the Camera. [DP.5.3]
• [C.2.5] The CDHC receives a compressed picture file from the Camera. [FG.1] [FG.2] [FR.1]
…
[C.4] Attitude Determination Subsystem
• [C.4.1] The CDHC receives an In View of Ground alert from the ADS. [DP.5.6] [ADS]
• [C.4.2] The CDHC receives the ADS operating state from the ADS. [DP.5.5] [ADS]
[Diagram: Physical/Functional Architecture Model]
Path Analyzer: Find Potential Interaction Problems
1. Find matching pairs of components (hazard source-vulnerable sink)
2. Find system interaction paths with hazards
3. Estimate local and integrated system hazard impact severity
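As an added illustration of the Modeler and Path Analyzer slides (example code written for this page, not the Reconciler, Hazard Identification Tool or any other tool the briefing describes), the following Python script extracts directed sender-to-receiver connections from requirement sentences in the [C.x.y] style shown above and then runs the three analyzer steps over them. The requirement sentences are those of the Modeler slide with their cross-references dropped; the hazard library, its 1-5 ratings and the severity scoring rule are constructed assumptions.

```python
"""Toy requirement extraction and path analysis (added example).

Not the briefing's tools: builds a directed interaction graph from [C.x.y]
requirement sentences and runs the three Path Analyzer steps over it.
The hazard library and the scoring rule are constructed for illustration.
"""
import re
from collections import defaultdict, namedtuple

Edge = namedtuple("Edge", "src dst item req")

# Requirement sentences from the Modeler slide (cross-references dropped).
REQUIREMENTS = [
    "[C.1.1] The CDHC sends the TeleSub a compressed picture.",
    "[C.1.3] The CDHC sends In View of Ground alerts to the TeleSub.",
    "[C.1.4] The CDHC receives plan files from the TeleSub.",
    "[C.1.5] The CDHC receives ground commands from the TeleSub.",
    '[C.2.1] The CDHC sends the Camera a "take picture" command.',
    "[C.2.3] The CDHC sends a turn on command to the Camera.",
    "[C.2.5] The CDHC receives a compressed picture file from the Camera.",
    "[C.4.1] The CDHC receives an In View of Ground alert from the ADS.",
]

# One regex per sentence form; each yields a directed sender -> receiver edge.
PATTERNS = [
    re.compile(r"^\[(?P<req>[\w.]+)\] The (?P<src>\w+) sends (?P<item>.+?) to the (?P<dst>\w+)\.$"),
    re.compile(r"^\[(?P<req>[\w.]+)\] The (?P<src>\w+) sends the (?P<dst>\w+) (?P<item>.+)\.$"),
    re.compile(r"^\[(?P<req>[\w.]+)\] The (?P<dst>\w+) receives (?P<item>.+?) from the (?P<src>\w+)\.$"),
]

# Constructed hazard library on a 1-5 scale: which components emit a hazard
# type and how vulnerable each component is to it. Ratings are illustrative.
HAZARD_SOURCES = {"TeleSub": {"noise": 4}}
VULNERABLE_SINKS = {"Camera": {"noise": 2}, "ADS": {"noise": 3}, "CDHC": {"noise": 1}}


def extract_edges(requirements):
    """Model capture: turn each requirement sentence into a directed edge."""
    edges = []
    for sentence in requirements:
        for pattern in PATTERNS:
            m = pattern.match(sentence)
            if m:
                edges.append(Edge(m["src"], m["dst"], m["item"], m["req"]))
                break
        else:
            raise ValueError(f"no pattern matched: {sentence!r}")
    return edges


def find_pairs(edges, sources, sinks):
    """Step 1: (hazard, source, sink) triples where a modelled source emits a
    hazard type that a modelled sink is vulnerable to."""
    components = {e.src for e in edges} | {e.dst for e in edges}
    pairs = []
    for src, hazards in sources.items():
        for sink, vulns in sinks.items():
            if src == sink or src not in components or sink not in components:
                continue
            pairs.extend((h, src, sink) for h in hazards.keys() & vulns.keys())
    return sorted(pairs)


def find_paths(edges, src, dst):
    """Step 2: every simple directed path from src to dst in the interaction graph."""
    adjacency = defaultdict(set)
    for e in edges:
        adjacency[e.src].add(e.dst)
    paths = []

    def walk(node, path):
        if node == dst:
            paths.append(path)
            return
        for nxt in sorted(adjacency[node]):
            if nxt not in path:          # simple paths only: no revisits
                walk(nxt, path + [nxt])

    walk(src, [src])
    return paths


def estimate_severity(hazard, path, sinks):
    """Step 3 (constructed scoring): local = the sink's own vulnerability rating;
    integrated = ratings of every vulnerable component the hazard traverses
    after leaving the source, summed and capped at 5."""
    local = sinks[path[-1]][hazard]
    integrated = min(5, sum(sinks.get(c, {}).get(hazard, 0) for c in path[1:]))
    return local, integrated


def analyze(requirements, sources=HAZARD_SOURCES, sinks=VULNERABLE_SINKS):
    """Run all three steps; a pair with no data-flow path gets integrated = 0."""
    edges = extract_edges(requirements)
    findings = []
    for hazard, src, sink in find_pairs(edges, sources, sinks):
        paths = find_paths(edges, src, sink)
        scores = [estimate_severity(hazard, p, sinks) for p in paths]
        findings.append({"hazard": hazard, "source": src, "sink": sink, "paths": paths,
                         "local": sinks[sink][hazard],
                         "integrated": max((s[1] for s in scores), default=0)})
    return findings


if __name__ == "__main__":
    for f in analyze(REQUIREMENTS):
        route = " -> ".join(f["paths"][0]) if f["paths"] else "no data-flow path"
        print(f"{f['hazard']}: {f['source']} -> {f['sink']} "
              f"local={f['local']} integrated={f['integrated']} via {route}")
```

The result worth noticing is the TeleSub/ADS pair: step 1 matches it, but step 2 finds no data-flow path, because in the sample requirements the CDHC only receives from the ADS. That is exactly the kind of pair a reviewer would want flagged for a separate physical-interaction check rather than silently scored as safe.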
Simulator: CONFIG Simulation Tool to Assess Timed Scenarios
NASA experience with CONFIG hybrid discrete event simulation tool: Used for software virtual validation testing for the 1997 90-day manned Lunar Life Support Test
• Software: Intelligent control for gas storage and transfer
• Testing: Simulated failures and imbalances that would not be tested in hardware-software integration
– Too slow to develop, too expensive, too destructive
• Results: Identified software requirements deficiencies
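To make concrete what a timed discrete event simulation of an off-nominal scenario does, here is an added Python example (written for this page; it is not CONFIG or any other tool the briefing describes). It schedules a fault and a mitigation on an event queue over a constructed three-component model and shows how the outcome depends on when the mitigation lands relative to the propagating fault, the "influence of timing" question from the Technical Approach slide. Component names, propagation delays and the severity score are constructed assumptions.

```python
"""Toy timed discrete-event simulation of fault propagation (added example).

Not the CONFIG tool: a minimal event-queue simulator showing how the timing
of a mitigation relative to a propagating fault changes the hazard outcome.
All component names, delays and scores are constructed for illustration.
"""
import heapq
from dataclasses import dataclass, field

# Constructed model: directed connections with propagation delay in seconds.
CONNECTIONS = {
    ("TeleSub", "CDHC"): 2,  # commands from the transmitter reach the controller
    ("CDHC", "Camera"): 1,   # the controller commands the camera
}


@dataclass(order=True)
class Event:
    time: float
    seq: int                          # tie-breaker: FIFO among equal times
    kind: str = field(compare=False)  # "fault" or "isolate"
    node: str = field(compare=False)


class Simulator:
    def __init__(self, connections):
        self.connections = connections
        self.queue = []
        self.seq = 0
        self.state = {}  # node -> "degraded" | "isolated"; absent means nominal
        self.trace = []  # (time, kind, node) for every handled event

    def schedule(self, time, kind, node):
        heapq.heappush(self.queue, Event(time, self.seq, kind, node))
        self.seq += 1

    def handle(self, ev):
        self.trace.append((ev.time, ev.kind, ev.node))
        if ev.kind == "fault":
            # An isolated node blocks the fault; a degraded one already propagated it.
            if ev.node in self.state:
                return
            self.state[ev.node] = "degraded"
            for (src, dst), delay in self.connections.items():
                if src == ev.node:
                    self.schedule(ev.time + delay, "fault", dst)
        elif ev.kind == "isolate":
            # Isolation only helps if it lands before the fault arrives.
            if ev.node not in self.state:
                self.state[ev.node] = "isolated"

    def run(self, horizon):
        """Process events in time order up to the horizon; return final states."""
        while self.queue and self.queue[0].time <= horizon:
            self.handle(heapq.heappop(self.queue))
        return dict(self.state)


def run_scenario(fault_time, isolate_time, horizon=10):
    """Inject a fault at TeleSub at fault_time and isolate Camera at isolate_time."""
    sim = Simulator(CONNECTIONS)
    sim.schedule(fault_time, "fault", "TeleSub")
    sim.schedule(isolate_time, "isolate", "Camera")
    return sim.run(horizon)


def severity(state):
    """Constructed score: number of components left degraded."""
    return sum(1 for s in state.values() if s == "degraded")


if __name__ == "__main__":
    for isolate_at in (2, 4):
        outcome = run_scenario(0, isolate_at)
        print(f"isolate Camera at t={isolate_at}: {outcome} severity={severity(outcome)}")
```

With the fault injected at t=0 it reaches the Camera at t=3, so isolating the Camera at t=2 keeps it nominal while isolating it at t=4 changes nothing: the same mitigation scores differently depending only on timing, which is the property a test scenario for virtual integration testing should pin down.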
Virtual System Integration Lab
• Triakis has used VSIL in >25 avionics verification projects
• Models and problem configurations for new tests and test suite models
[Diagram: Models and Test Definitions]
Accomplishments: First 9 Months
• Drafted Concept of Operations
• Enhanced tools for SA use
• Completed a simple integration of tool functions, inputs and outputs
• Selected Constellation Launch Abort System Case
– Gained access to ICE materials 9/07
Potential Applications
• Visualize integrated requirements
• Evaluate completeness and consistency of requirements and risk
• Quickly reanalyze each revision of requirements and risk
• Validate FMEA and fault trees
• Validate and test early with low-fidelity simulation
Next Steps
• Complete first version of Launch Abort System case and evaluate
– Text extraction from requirements and risks
– Model construction and visualization
– Model analysis to identify interaction risks and test configurations for virtual software integration testing
• Complete Concept of Operations
• Enhance tool suite capabilities, integration and user interfaces to reach TRL 6 and prepare for other uses for Constellation software assurance