Integrating Systems: models and fault modes
SESAM-möte, 19 October 2005
Jonas Elmqvist
Real-Time Systems Laboratory, Department of Computer and Information Science
Linköpings universitet, Sweden
People involved
• Simin Nadjm-Tehrani – RTSLAB, Linköpings universitet
• Jonas Elmqvist – RTSLAB, Linköpings universitet
• Marius Minea – “Politehnica” University of Timisoara, Romania
• Master thesis students:
– Jerker Hammarberg: High-Level Development and Formal Verification of Reconfigurable Hardware
– Anders Granh: Code Generation from High-level Models of Reactive and Security-intrinsic Systems
– Andreas Eriksson: Model Based Development of an Airbag Software
– Markus Nilsson: A tool for automatic formal analysis of fault tolerance
Verification bench
[Figure: verification bench. A Component model and an Environment model are connected In/Out to each other; an Observer monitors them for property p and outputs Alarm.]
Pattern: Functional verification
Model of the system
Model of the environment
Checks if property p is satisfied
Non-occurrence of catastrophic events
Patterns for safety analysis?
Traditional FTA/FMEA
• FTA:
• FMEA: What are the consequences of some particular component’s failure?
[Figure: fault tree rooted at a Top event.]
[Table: FMEA worksheet with columns Subsystem, Failure Mode, Effects of failure, Cause of failure, …, Actions, …; example row: Sensor, Value Failure, Sensor Malfunction, …, Duplicate sensors, …]
Software/Digital hardware
Verification bench
[Figure: the verification bench as before (Component, Environment, Observer with Alarm and property p), now with a Model of a fault attached to the Component through Fault mode signals.]
Pattern: Fault mode modelling
Model of a fault
Fault mode signals
Case study: Hydraulic leakage detection system
[Figure: verification bench for the case study. The H-ECU drives PLD1 and PLD2, each of which controls valves; inputs are HS1Sensors, HS2Sensors and ShutOffLow; outputs are HS1B_Closed, HS1C_Closed, HS2B_Closed and HS2C_Closed; an Observer outputs Alarm.]
Automatic Fault Tree Generation
[Figure: digital components with unknown faults ("Faults?"), and an arrow labelled "Automatic generation" towards a fault tree.]
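As an added illustration of the fault mode modelling pattern and of generating a fault tree from a model (this is constructed example code, not the project's tool and not the case-study model): a small synchronous model of a hypothetical leakage-detection channel with duplicated sensors, fault mode signals as extra inputs, an observer for property p, and an exhaustive bounded search over input sequences that collects the minimal fault combinations (cut sets) for which the observer alarms. All signal and fault names are assumptions.

```python
from itertools import combinations, product

# Constructed fault mode signals (hypothetical names): two redundant leak
# sensors that can get stuck reporting "no leak", and a PLD that can fail
# by never issuing the close command.
FAULT_MODES = ("s1_stuck_no_leak", "s2_stuck_no_leak", "pld_no_output")

def step(state, leak, faults):
    """One synchronous step of the constructed channel model.
    state = (close command pending, valve closed); the valve closes one
    step after the command and latches closed."""
    cmd_prev, closed = state
    s1 = False if "s1_stuck_no_leak" in faults else leak
    s2 = False if "s2_stuck_no_leak" in faults else leak
    cmd = (s1 or s2) and "pld_no_output" not in faults
    return (cmd, closed or cmd_prev)

def observer_alarm(faults, horizon=4):
    """Observer for property p: a leak present in two consecutive steps
    implies the valve is closed. Explores every environment input
    sequence of length `horizon`; returns True if p is violated (Alarm)."""
    for leaks in product((False, True), repeat=horizon):
        state = (False, False)
        for t, leak in enumerate(leaks):
            state = step(state, leak, faults)
            if t >= 1 and leaks[t - 1] and leak and not state[1]:
                return True
    return False

def minimal_cut_sets(fault_modes=FAULT_MODES):
    """Smallest-first search over fault mode combinations; a combination is
    kept only if it raises the alarm and no subset of it already does."""
    cut_sets = []
    for k in range(1, len(fault_modes) + 1):
        for combo in combinations(fault_modes, k):
            fs = frozenset(combo)
            if any(mcs <= fs for mcs in cut_sets):
                continue
            if observer_alarm(fs):
                cut_sets.append(fs)
    return cut_sets

def fault_tree(cut_sets):
    """Render the cut sets as a two-level fault tree: OR of ANDs."""
    branches = []
    for mcs in sorted(cut_sets, key=lambda s: (len(s), sorted(s))):
        names = sorted(mcs)
        branches.append(names[0] if len(names) == 1 else "AND(%s)" % ", ".join(names))
    return "OR(%s)" % ", ".join(branches)
```

For this constructed model the search yields the tree OR(pld_no_output, AND(s1_stuck_no_leak, s2_stuck_no_leak)), i.e. the duplicated sensors only cause the top event together, while the single PLD is a single point of failure.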
Verification bench
[Figure: the verification bench (Component, Environment, Observer with Alarm and property p) with a fault model attached through Fault mode signals, annotated with the question "Upgrades?".]
Pattern: Fault mode modelling
Upgrades?
Fault mode signals
Building Systems from Components
• Component-Based Development (CBD) is an emerging trend in system development:
– develop systems out of software components (COTS) and hardware components
• Problem: no component models address safety!
[Figure: a system composed of components C1 to C7, where C4 is replaced by an upgraded component C′4.]
Components & Interfaces
• A component is an independent entity (SW or HW) that communicates through well-defined interfaces
• Interfaces should provide all information needed for composition
• What should the analytical interface look like in order to capture safety?
[Figure: a component C with a model M and an interface I.]
M is a model of the behavior of the component
I is the interface of the component
Safety Analysis and CBD
• Traditional safety analysis is performed on the composed system
• Our approach:
– Interfaces capture information about the behaviour of the components in the presence of faults in the system
[Figure: the composed system S satisfies p; the question is whether the composition of C1 and C2 satisfies p.]
Current work
• Techniques for component-based safety analysis using safety interfaces
– Methods for generating safety interfaces
– Methods for using safety interfaces for safety analysis
– Case studies?!
Related Publications
• J. Elmqvist, S. Nadjm-Tehrani and M. Minea, “Safety Interfaces for Component-Based Systems”, 24th International Conference on Computer Safety, Reliability and Security (SAFECOMP05), September, 2005.
• J. Elmqvist and S. Nadjm-Tehrani, “Intents, Upgrades and Assurance in Model-Based Development”, 2nd RTAS Workshop on Model-Driven Embedded Systems (MoDES’04), May, 2004
• J. Elmqvist and S. Nadjm-Tehrani, “Intents and Upgrades in Component-Based High-Assurance Systems”, in Model-driven Software Development, Volume II of Research and Practice in Software Engineering, Springer-Verlag.
– Jerker Hammarberg, “High-Level Development and Formal Verification of Reconfigurable Hardware”, 2003
– Jonas Elmqvist, “Analysis of Intent Specification and System Upgrade Traceability”, 2004
– Anders Granh, “Code Generation from High-level Models of Reactive and Security-intrinsic Systems”, 2004
– Andreas Eriksson, “Model Based Development of an Airbag Software”, 2004
– Markus Nilsson, “A tool for automatic formal analysis of fault tolerance”, 2005
Questions?
Airbag Software
• Characteristics
– Porting from 16 bit (128kb ROM) processor to 32 bit processor (256kb ROM)
– Current code not portable, design not documented
• Studied tools:
– Rhapsody in C, Interrupt driven framework
• MISRA compatible
• Code size roughly twice as big as the hand written C
– Scade
• Useful for algorithmic parts of the model, e.g. Crash detection
• Assurance aided by formal verification
Tiger XS
• Characteristics
– Security intrinsic communication platform
– Secure applications to run on multiple hardware (PDA, phone, …)
– Security assurance via inspections of generated code
– Multiple OS, preferably no system calls
• Studied tools
– Rhapsody
• Heavy duty
• Not suitable for integration with legacy
– Visual state
• Cumbersome to define user defined data types
Tool chain
[Figure: tool chain, marking what is "Possible now" and what is "Perhaps in future". Elements shown: SCADE (Lustre, State Machines), Simulink and the Simulink Gateway, Model and Properties feeding the Design Verifier, NuSMV, and a Theorem Prover.]