
Automation for System Safety Analysis: Executive Briefing

Jane T. Malin, Principal Investigator

Project: Automated Tool and Method for System Safety Analysis

Software Assurance Symposium, September 2007

Complex systems typically fail because of the unintended consequences of their design, the things they do that were not intended to be done.

- M. Griffin, System Engineering and the “Two Cultures” of Engineering, March 28, 2007

SAS 07 Automation for System Safety Analysis Malin 2

Problem

• Need early evaluation of software requirements and design
  – Assess test and validation plans for software-system interaction risks
  – Identify requirements gaps
  – Perform virtual system integration tests prior to software-hardware integration

• Benefits
  – Reduce software-system integration risks and requirements-induced errors early
  – Improve efficiency and repeatability of analysis
  – Reduce contention for software-hardware integration laboratory resources


Technical Approach

Systematic semi-automated analysis for early evaluation and rapid update

– Capture model of the controlled system architecture
  • Abstract physical architecture models extracted directly from requirements and design text and data

– Capture risks and hazards in model
  • Constraints, hazards, risks from requirements and design
  • Risk and failure libraries

– Analyze model and risk data to identify relevant risks and constraints
  • Analyze and simulate risk propagation in the system
  • Use operational and off-nominal scenarios and configurations

– Identify possible test scenarios for virtual system integration testing


Relevance to NASA

• This work leverages component tools that have been used in NASA applications

• Goal: Integrate and enhance these tools for software assurance early, during requirements and design phases

• Project test case is NASA Constellation Launch Abort System (LAS)


Extend and Integrate Existing Technology

[Figure: tool-chain diagram. Stages across the top: Inputs, Extraction, Modeling, Analysis, Simulation, Testing. Labels recovered from the diagram:]

Inputs: Requirements and Constraints Text; Risks & Mitigations; Physical/Functional Architecture Models; Discrete Time Simulation Model; Functional Diagrams

Extraction Tool: Model Parts, Interfaces, Risks, Scenarios

Library: Components, Connections, States & Risks; Aerospace Ontology (Taxonomy, Thesaurus, Classes, Synonyms)

Modeling Tool:
- Map
- Connect
- Visualize
- Embed problems and states

Interaction Model

Analyze and Simulate:
- Identify interaction-risk pairs
- Estimate severity in nominal and fault scenarios
- Investigate influence of timing

Reports: Pairs, Paths, Risky Scenarios, Test Cases for Virtual System Integration Testing

Virtual System Integration Lab (VSIL)


Extraction Tool and Nomenclature

• Reconciler Extractor
  – Extract models from requirements text and threat/risk analysis
  – Uses semantic parsing and word/phrase classification

• Aerospace Systems Library and Ontology
  – Taxonomy of model elements
  – Extensive problem taxonomy and thesaurus with hazard types from Constellation HA handbook

• Current NASA use: Semantic text mining for trend analysis of JSC Discrepancy Reports
  – Mechanical, electrical, software and process discrepancies in NASA-furnished equipment


Model-Based Safety Analysis Case

• Model extraction and hazard analysis were demonstrated in 2005
  – Case: Generic unmanned spacecraft; concerns about transmitter noise
  – Reconciler tool: Extracted from SpecTRM requirements and DDP risks
  – Hazard Identification Tool: Models and path analysis
  – CONFIG tool: Timed discrete event simulation


Modeler: Architecture Model and Visualization of a Set of Requirements

[C.1] Telecommunication Subsystem
• [C.1.1] The CDHC sends the TeleSub a compressed picture. [FG.1] [TeleSub C.1.4]
• [C.1.2] The CDHC sends the TeleSub telemetry. [FG.2] [FR.1] [FR.5] [TeleSub C.1.5]
• [C.1.3] The CDHC sends In View of Ground alerts to the TeleSub. [DP.5.6] [TeleSub C.1.6]
• [C.1.4] The CDHC receives plan files from the TeleSub. [FR.3] [TeleSub C.1.3]
• [C.1.5] The CDHC receives ground commands from the TeleSub. [FR.3] [TeleSub C.1.2]
• [C.1.6] The CDHC receives the TeleSub operating state from the TeleSub. [DP.5.5] [TeleSub C.1.1]
…

[C.2] Camera Subsystem
• [C.2.1] The CDHC sends the Camera a "take picture" command. [FG.2] [FR.1] [FR.3]
• [C.2.2] The CDHC sends the Camera x, y and z gimballing coordinates. [FG.2] [FR.1] [FR.3]
• [C.2.3] The CDHC sends a turn on command to the Camera. [DP.5.3] [H Constraint 1.1.4]
• [C.2.4] The CDHC sends a turn off command to the Camera. [DP.5.3]
• [C.2.5] The CDHC receives a compressed picture file from the Camera. [FG.1] [FG.2] [FR.1]

[C.4] Attitude Determination Subsystem
• [C.4.1] The CDHC receives an In View of Ground alert from the ADS. [DP.5.6] [ADS]
• [C.4.2] The CDHC receives the ADS operating state from the ADS. [DP.5.5] [ADS]

[Figure: Physical/Functional Architecture Model]


Path Analyzer: Find Potential Interaction Problems

1. Find matching pairs of components (hazard source-vulnerable sink)

2. Find system interaction paths with hazards

3. Estimate local and integrated system hazard impact severity
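As an added illustration that is not part of the briefing or of the project's tools, the following Python sketch shows the first two Path Analyzer steps applied to requirement sentences written in the [C.x.y] style of the Modeler slide: component interfaces are extracted from the sentences, and simple interface paths from an assumed hazard source (TeleSub) to an assumed vulnerable sink (Camera) are enumerated. The sentence shapes, the choice of source and sink, and the made-up [X.1] line are assumptions; the severity estimate of step 3 and the risk libraries are not modeled.

```python
import re
# Constructed sample in the [C.x.y] sentence style of the Modeler slide (ids and
# names from that slide; the made-up [X.1] line names no interface on purpose).
REQUIREMENTS = [
    '[C.1.3] The CDHC sends In View of Ground alerts to the TeleSub.',
    '[C.1.5] The CDHC receives ground commands from the TeleSub.',
    '[C.2.1] The CDHC sends the Camera a "take picture" command.',
    '[C.2.3] The CDHC sends a turn on command to the Camera.',
    '[C.4.1] The CDHC receives an In View of Ground alert from the ADS.',
    '[X.1] The picture is compressed before downlink.',
]
# Sentence shapes: groups are (id, component, component); the flag says
# whether the first component named is the sender.
SHAPES = [
    (re.compile(r"^\[(\S+)\] The (\w+) sends the (\w+)\b"), True),
    (re.compile(r"^\[(\S+)\] The (\w+) sends .+ to the (\w+)\.$"), True),
    (re.compile(r"^\[(\S+)\] The (\w+) receives .+ from the (\w+)\.$"), False),
]
def extract_interfaces(reqs):
    """Map sentences to (sender, receiver, requirement id) edges; return
    unmatched sentences too, so a gap is visible rather than dropped."""
    edges, unparsed = [], []
    for text in reqs:
        for pattern, first_is_sender in SHAPES:
            m = pattern.match(text)
            if m:
                rid, a, b = m.groups()
                edges.append((a, b, rid) if first_is_sender else (b, a, rid))
                break
        else:
            unparsed.append(text)
    return edges, unparsed
def find_hazard_paths(edges, sources, sinks):
    """Slide steps 1-2: pair each hazard source with each vulnerable sink and
    list the simple interface paths (as requirement ids) from source to sink."""
    out = {}
    for src, dst, rid in edges:
        out.setdefault(src, []).append((dst, rid))
    paths = {}
    def walk(start, node, sink, seen, trail):
        for nxt, rid in out.get(node, []):
            if nxt == sink:
                paths.setdefault((start, sink), []).append(trail + [rid])
            elif nxt not in seen:
                walk(start, nxt, sink, seen | {nxt}, trail + [rid])
    for start in sources:
        for sink in sinks:
            walk(start, start, sink, {start}, [])
    return paths
```

Running `find_hazard_paths(extract_interfaces(REQUIREMENTS)[0], ["TeleSub"], ["Camera"])` yields two candidate interaction paths, both passing through the CDHC, while the unparsed list flags the requirement that names no interface.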


Simulator: CONFIG Simulation Tool to Assess Timed Scenarios

NASA experience with CONFIG hybrid discrete event simulation tool: Used for software virtual validation testing for 1997 90-day manned Lunar Life Support Test

• Software: Intelligent control for gas storage and transfer
• Testing: Simulated failures and imbalances that would not be tested in hardware-software integration
  – Too slow to develop, too expensive, too destructive
• Results: Identified software requirements deficiencies


Virtual System Integration Lab

• Triakis has used VSIL in >25 avionics verification projects

• Models and problem configurations for new tests and test suite models

[Figure: Models and Test Definitions]


Accomplishments: First 9 Months

• Drafted Concept of Operations

• Enhanced tools for SA use

• Completed a simple integration of tool functions, inputs and outputs

• Selected Constellation Launch Abort System Case
  – Gained access to ICE materials 9/07


Potential Applications

• Visualize integrated requirements

• Evaluate completeness and consistency of requirements and risk

• Quickly reanalyze each revision of requirements and risk

• Validate FMEA and fault trees

• Validate and test early with low-fidelity simulation


Next Steps

• Complete first version of Launch Abort System case and evaluate
  – Text extraction from requirements and risks
  – Model construction and visualization
  – Model analysis to identify interaction risks and test configurations for virtual software integration testing

• Complete Concept of Operations

• Enhance tool suite capabilities, integration and user interfaces to reach TRL 6 and prepare for other uses for Constellation software assurance