Dr. Steven P. Miller
Advanced Computing Systems, Rockwell Collins
400 Collins Road NE, MS 108-206, Cedar Rapids, Iowa 52498
spmiller@rockwellcollins.com

Dr. Mats P. E. Heimdahl
Slide 1
Outline of Presentation
Motivation
Proposed Approach
Demonstration
Analysis
What's Next
Advanced Technology Center Slide 2
Motivation
Figure: Safety Analyst A and Safety Analyst B each work from the same Requirements and Design Documents and arrive at their own analysis. Not shown by either: an error in the FCL selection logic, through which the FCL generates incorrect guidance values.
Slide 3
Model-Based Development
Figure: Requirements feed Modeling; the resulting model drives Simulation, Automated Analysis, Autocode and Autotest, and supports Reuse.
Figure: Wheel Brake System (WBS) model. System A (Power A, Pedal 1) and System B (Power B, Pedal 2) feed the Fault Tolerant Braking System Control Unit (BSCU), which issues the Braking + AntiSkid Command to the NORMAL line and the AntiSkid Command to the ALTERNATE line. The NORMAL line passes through an Isolation Valve and the Selector Valve (Shut / Normal) to a Meter Valve; the ALTERNATE line contains the Accumulator Valve, Accumulator Pump, a Meter Valve and the Mechanical Pedal, with its own Meter Valve. Both lines act on the Plant model, which feeds pressure back to the BSCU. Fault injections marked on the figure: SelValve Stuck, Blue Fails, Acc Fails.
Model the Digital Controller Architecture and the Physical System
Add Fault Model for Physical System and Digital Controller Architecture
Integrates System and Safety Engineering About a Common Model
Automation Enables What-If Consideration of System Designs
Slide 5
Advantages
Common Model for Both System and Safety Engineering
- Safety Analysis Based on a Formal System Model
- Facilitates Consistency in Safety Analysis
- Facilitates Completeness of Safety Analysis
Reduced Manual Effort in Error-prone Areas
- Automated Support for Safety Analysis
- Explore Various Failure Scenarios
Focuses Review on the Assumptions in the Models
- Is the System Model Correct?
- Is the Fault Model Complete?
- Assumes the (Automated) Analysis Is Trustworthy
Slide 6
Slide 7
Certification
Figure: the safety assessment process. The Aircraft FHA produces FC&C for the System FHAs; the Aircraft FTA produces FE&P for the PSSAs and System FTAs; the SSAs draw on the System FTAs and System FMEAs.
Safety analysis is performed as an integral part of the iterative system development process (Requirements, Architecture, Design).
Verify that the implemented system satisfies the safety requirements and develop certification documents.
Slide 8
Certification (continued)
Same figure as Slide 8, with the model-based approach overlaid: incremental development of the system model, with support for automated safety analysis. Safety analysis remains an integral part of the iterative development process (Requirements, Architecture, Design), and the implemented system is verified against the safety requirements to produce the certification documents.
Slide 9
System Architecture
Figure: the WBS architecture as modeled. System A (Power A, Pedal 1) and System B (Power B, Pedal 2); the Green Pump and Blue Pump; two Isolation Valves; the Selector Valve (Shut / Normal); the Fault Tolerant BSCU issuing the AntiSkid Command and the Braking + AntiSkid Command; two Meter Valves; and the Plant model, which feeds back to the BSCU.
Fault Model

Component (or Component Type)  | Failure Mode             | Type of Failure       | Additional constraints
Green Pump, Blue Pump : Pump   | Pressure below threshold | Permanent             | -
?                              | ?                        | Permanent             | Propagate to all components connected to the Power supply
?                              | ?                        | Transient             | Simultaneous failure on all outputs of BSCU
?                              | Inverted signal          | Transient             | ?

(Cells marked ? did not survive extraction of the slide.)
Slide 11
Figure: the WBS model is used both for Simulation and for generating a Proof Tree for property P; the leaves of the tree are the component states A is ok, E is ok, E1 is ok, E2 is ok and E3 is ok.
Easy to Generate Two-Level Fault Trees
- Minimal Cut Sets of Events that Can Cause a Hazard
- Two Levels Deep and a Mile Wide
Harder to Generate Useful Fault Trees
- Intermediate Levels Reflect System Architecture
- Essential for Acceptance by Safety Engineers
Slide 13
Figure: proof tree for P with leaves A is ok, E is ok, E1 is ok, E2 is ok, E3 is ok (as on Slide 12).
Slide 14
Figure: a system of components A1, A2, A3 joined by connections c1,2, c1,3 and c2,3, with elements E1, E2, E3, shown beside a fault tree whose intermediate nodes are A fails, E fails, E1 fails, E2 fails and E3 fails and whose leaves are A is ok, E is ok, E1 is ok, E2 is ok and E3 is ok. The intermediate levels of the tree mirror the architecture.
Slide 15
Integrates System and Safety Engineering About a Common Model
- Automated Analysis of System Safety Properties
- Makes Safety Analysis More Systematic and Repeatable
- Shifts Focus from Component to Architectural Models
Reduces the Workload of Safety Engineers
- Automates More of the Safety Analysis
- Eliminates the Need to Review the Analysis
- Focus on Review of the System Model and the Fault Model
Slide 16
Slide 18
Slide 19
Slide 20 (WBS model figure and bullets repeated from Slide 4)
Slide 22 (simulation and proof-tree figure repeated from Slide 12)
Switch-over from Normal to Alternate Line When Green Pump or Any Component along Normal Line Fails or BSCU Becomes Invalid
Selector and Isolation Valves Used for the Switch-over
Alternate Line Stays Active Until WBS System Is Reset
Slide 24
Figure: BSCU fault model. Monitor Unit: Output Inverted (I). Command Unit: Output Stuck (O). Power Failure: Loss of Power (L).
Slide 25
Slide 26
Figure: the System FMEAs feed the Fault Model, which together with the Formal Model supports Automated Fault Tolerance Verification. The safety requirement in the presence of n faults is formalized and verified in NuSMV; the basic failure modes are formalized in Simulink.
Slide 27
Revised Safety Requirement
When the Pedal Is Pressed, Then Either the Normal or the Alternate Pressure Shall Be Above Threshold
Formalized in NuSMV as (DEFINE uses := and a terminating semicolon in NuSMV syntax):
DEFINE Pedal_Pressed := (PedalPos > 0 & PedalPos < 5);
SPEC AG (Pedal_Pressed -> (Normal_Pressure > 0 | Alternate_Pressure > 0))

Second Revised Safety Requirement
When the Pedal Is Pressed and There Is No Skidding, Then Either the Normal or the Alternate Pressure Shall Be Above Threshold
Formalized in NuSMV as
DEFINE Pedal_Pressed := (PedalPos > 0 & PedalPos < 5);
SPEC AG ((Pedal_Pressed & !Skid) -> (Normal_Pressure > 0 | Alternate_Pressure > 0))
Safety Properties
Example Safety Property
If There Is One Failure and the Pedal Is Pressed in Absence of Skidding, Then Either the Normal Pressure or the Alternate Pressure Shall Be Above the Threshold
Transient Failures
- Failures May Last an Arbitrary Time Before Recovery of the Component
- Failure Triggers Are Non-deterministic Inputs and Inherently Transient
Permanent Failures
- Failures Are Permanent: a Failed Component Never Recovers
- Latch the Fault Trigger Inputs to Simulate Permanent Failure
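The "given n failures, can the system fail?" question that the safety property above asks in NuSMV (and that the Analysis section later calls the stylized form of most safety properties) can be answered for permanent, latched faults by exhaustive enumeration of fault combinations. The following is an added example written for this page; it is not the authors' Simulink or NuSMV model. The component names, the steady-state behaviour of each line and the redundancy between blue pump and accumulator are a constructed abstraction of the WBS described on the slides, and only the switch-over rule is taken from the slides themselves.

```python
"""Minimal-cut-set search over an abstract Wheel Brake System with permanent faults.

Added example, not code from the presentation.  COMPONENTS, wbs_pressures()
and the redundancy assumptions are a constructed abstraction of the WBS; the
property checked is the slide's
    AG ((Pedal_Pressed & !Skid) -> (Normal_Pressure > 0 | Alternate_Pressure > 0)).
"""
from itertools import combinations

# Components that may fail (assumed set; the real fault model has more entries).
COMPONENTS = (
    "green_pump", "blue_pump", "accumulator", "selector_valve",
    "nor_meter_valve", "alt_meter_valve", "bscu", "power",
)


def wbs_pressures(faults, pedal_pressed, skid):
    """Steady-state pressures (True = above threshold) under a set of permanent
    faults.  Encodes the slide's switch-over rule: the alternate line is
    selected when the green pump or any component on the normal line fails, or
    the BSCU becomes invalid."""
    bscu_valid = not ({"bscu", "power"} & faults)                 # loss of power invalidates the BSCU
    normal_line_ok = not ({"green_pump", "nor_meter_valve"} & faults)
    alt_requested = (not normal_line_ok) or (not bscu_valid)
    alt_active = alt_requested and "selector_valve" not in faults  # a stuck selector cannot switch
    brake_cmd = pedal_pressed and not skid                         # anti-skid releases brake pressure
    normal_pressure = brake_cmd and normal_line_ok and bscu_valid and not alt_active
    # Alternate supply: blue pump with the accumulator as backup (assumed redundancy).
    alt_supply_ok = not ({"blue_pump", "accumulator"} <= faults)
    alt_pressure = brake_cmd and alt_active and alt_supply_ok and "alt_meter_valve" not in faults
    return normal_pressure, alt_pressure


def property_holds(faults):
    """The slide's safety requirement, checked over every pedal/skid input combination."""
    for pedal_pressed in (False, True):
        for skid in (False, True):
            normal, alternate = wbs_pressures(faults, pedal_pressed, skid)
            if pedal_pressed and not skid and not (normal or alternate):
                return False
    return True


def minimal_cut_sets(max_order):
    """Every minimal set of at most max_order simultaneous faults that violates
    the property, found by enumerating combinations in increasing order."""
    cut_sets = []
    for order in range(1, max_order + 1):
        for combo in combinations(COMPONENTS, order):
            faults = frozenset(combo)
            if any(cs <= faults for cs in cut_sets):   # superset of a smaller cut set: not minimal
                continue
            if not property_holds(faults):
                cut_sets.append(faults)
    return cut_sets


def tolerates(n_faults):
    """True iff no combination of up to n_faults permanent faults violates the property."""
    return not minimal_cut_sets(n_faults)


def two_level_fault_tree(cut_sets, top_event="Loss of braking"):
    """Render the cut sets as the flat OR-of-ANDs tree the slides call
    'two levels deep and a mile wide'."""
    lines = [top_event + " = OR("]
    for cs in sorted(cut_sets, key=lambda s: (len(s), sorted(s))):
        lines.append("  AND(" + ", ".join(sorted(cs)) + ")")
    lines.append(")")
    return "\n".join(lines)


if __name__ == "__main__":
    print("single-fault tolerant:", tolerates(1))
    print(two_level_fault_tree(minimal_cut_sets(3)))
```

With these assumptions the abstraction tolerates any single fault, every second-order cut set pairs a normal-line or BSCU failure with a failure that blocks the switch-over (stuck selector valve or failed alternate meter valve), and the third-order cut sets are the normal-line failures combined with loss of both the blue pump and the accumulator. The enumeration is exponential in the number of components, which is why the Analysis section raises scalability; a model checker such as NuSMV explores the same space symbolically.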
Figure: the WBS model (System A, System B, Pedal 2, Power B, Plant model) with a failed component on the ALTERNATE line (Accumulator Valve, Accumulator Pump, Meter Valve, Mechanical Pedal, Meter Valve) marked X.
Slide 30
Figure: the WBS model showing the Isolation Valve, the Selector Valve (Shut / Normal), the NORMAL line and the ALTERNATE line (Accumulator Valve, Accumulator Pump, Meter Valves, Mechanical Pedal), the Fault Tolerant BSCU with its AntiSkid Command and Braking + AntiSkid Command, and the Plant model.
Slide 31
Is P satisfied?
Figure: the architecture (A1, A2, A3 with connections c1,2, c1,3, c2,3; E1, E2, E3) and the fault tree (A fails, E fails, E1 fails, E2 fails, E3 fails over the leaves A is ok, E is ok, E1 is ok, E2 is ok, E3 is ok) from Slide 15.
Slide 32
Figure: the WBS model with a failed Meter Valve and a failed Selector Valve marked X, beside the open PVS proof goal:
Prop.1.1 :
  [-1] Alt_Meter_2_Fail(s!1)
  [-2] Alt_Meter_2_Fail(s!1)
  {-3} FM_WBS_Ext_BSCU_Node.Alternate_Pressure(s!1) = 0
  [-4] Nor_Meter_Fail(s!1)
  [-5] FM_WBS_Ext_BSCU_Node.Normal_Pressure(s!1) = 0
  [-6] 0 < PedalPos1(s!1)
  |-------
  [1] Alt_Meter_2_Stuck_Val(s!1)
  [2] Alt_Meter_2_Stuck_Val(s!1)
  [3] Nor_Meter_Stuck_Val(s!1)
  [4] Skid(s!1)
  [5] 0 < FM_WBS_Ext_BSCU_Node_Fault.Normal_Pressure(s!1)
  [6] 0 < FM_WBS_Ext_BSCU_Node_Fault.Alternate_Pressure(s!1)
Reading the sequent: the negatively numbered formulas above the turnstile are hypotheses and the positively numbered ones below it are alternative conclusions, so the goal is closed by showing that the hypotheses (both meter valves failed, both pressures zero, pedal pressed) imply at least one conclusion (a stuck value on one of the valves, skidding, or pressure in the fault-model node). Braces mark the formula changed by the last proof step.
Slide 33
Level of Detail in Proofs
Current Proofs Are Low Level, Fault Trees Must Be High Level
- Proofs Performed at Detailed Behavioral Level
- Fault Trees Must Be Presented at an Architectural Level
- May or May Not Be the Most Natural Way to Pursue the Proof
Slide 34
Demonstration/Analysis Summary
Simulation and Visualization of Software, Digital, and Analog Failures
- Simulink Models of Nominal System Coupled with Fault Models Enable Flexible Simulation
Model Checking Techniques Enable Flexible Analysis
- Verification of Correctness Under Normal Conditions
- Verification of Desirable Fault-tolerance Properties
Theorem Proving Holds Promise as a Powerful Fault Tree Generation Tool
- Open Issues Still Remain
Slide 35
Outline of Presentation
Motivation
Proposed Approach
Demonstration
Analysis
What's Next
Slide 36
What's Next
Ease of Analysis
Presentation of Analysis Results
Scalability
Slide 37
Slide 38
Figure: the extended Simulink WBS model with the fault model merged in. The nominal blocks (Green Pump, Blue Pump, Isolation Valves, Selector Valve, Accumulator Valve, CMD/AS MeterValve, Manual MeterValve, Mechanical Pedal, power supplies Pwr1 and Pwr2, and the BSCU with its System_Mode, Normal_Pressure and Alternate_Pressure outputs) are paired with fault inputs such as Green Pump_Fail, Blue Pump_Fail, Pump_Fail2, Pwr1_Fail, Pwr2_Fail, Selector_Stuck, AccumulatorValve_Stuck, Meter_Stuck and a Stuck_Flag / Stuck_at_Val pair on each valve. Model inputs are PedalPos1, PedalPos2, MechPedal, AutoBrake, DecRate, Skid and AC_Speed; goto/from tags such as [Nor_Out], [NorP_Feedback], [AltP_Feedback], [NorValveCmd] and [AltValveCmd] carry pressure feedback and valve commands through unit delays (1/z).
Slide 39
Creating the Fault Model
What Exactly Is a Fault Model?
- What Is Part of the Nominal System? What Goes in the Fault Model?
- Types of Faults, Interactions Between Faults, and Fault Locations
Auto-generate the Extended System Model
- Use Tools to Merge the Nominal and Fault Models
Slide 40
Slide 41
Ease of Analysis
Safety Properties Can Be Awkward to Specify:
Antecedent = ((pre (pre (pre ((NumFails = 1) and FailRec4Step))) and
               pre (pre ((AllPedNoSkid and not (Changed)))) and
               pre ((AllPedNoSkid and not (Changed))) and
               (AllPedNoSkid and not (Changed))));
Consequent = (pre (pre (SomePressure)) or pre (SomePressure) or SomePressure);
Prop_MultiStepSingleFail4 = fby(Implies(Antecedent, Consequent), 4, true);
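What the property above actually demands is easier to see by evaluating it over concrete traces. The following is an added example, not code from the presentation: it gives the Lustre operators `pre` and `fby` a finite-trace semantics in Python, transcribes Prop_MultiStepSingleFail4, and runs it on two constructed eight-step scenarios. The only assumption beyond the slide is the meaning of `fby(x, n, init)`, taken here as "init for the first n steps, then x", which is the reading under which the three nested `pre`s are always defined when the implication is evaluated; the exact definition in the authors' Lustre dialect is not given on the slide.

```python
"""Finite-trace evaluation of the Lustre-style Prop_MultiStepSingleFail4.

Added example, not code from the presentation.  A stream is a Python list
with one value per synchronous step.  fby(x, n, init) is ASSUMED to mean
"init for the first n steps, then x"; the slide does not define it.
"""

NIL = None  # Lustre's undefined value, produced by pre() at the first step


def pre(stream):
    """pre(x): x delayed by one step, undefined at the first step."""
    return [NIL] + list(stream[:-1])


def fby(stream, n, init):
    """Assumed semantics: init for the first n steps, then the stream itself."""
    return [init] * min(n, len(stream)) + list(stream[n:])


def lift(fn, *streams):
    """Apply a pointwise operator; any NIL operand makes the result NIL."""
    return [NIL if NIL in vals else fn(*vals) for vals in zip(*streams)]


def implies(a, b):
    return (not a) or b


def prop_multi_step_single_fail4(num_fails, fail_rec4, all_ped_no_skid, changed, some_pressure):
    """Transcription of the slide's property.

    Antecedent: three steps ago exactly one component failed with a failure
    that recovers within four steps, and for this step and the two before it
    a pedal was pressed with no skid and the inputs did not change.
    Consequent: brake pressure was present in at least one of the last three
    steps.  The result is forced true for the first four steps (fby).
    """
    single_fail = lift(lambda n, r: n == 1 and r, num_fails, fail_rec4)
    steady = lift(lambda p, c: p and not c, all_ped_no_skid, changed)
    antecedent = lift(lambda a, b, c, d: a and b and c and d,
                      pre(pre(pre(single_fail))), pre(pre(steady)), pre(steady), steady)
    consequent = lift(lambda a, b, c: a or b or c,
                      pre(pre(some_pressure)), pre(some_pressure), some_pressure)
    return fby(lift(implies, antecedent, consequent), 4, True)


def holds(prop):
    """A safety property holds on a trace iff it is true at every step."""
    return all(v is True for v in prop)


STEPS = 8


def trace(recovery_step):
    """Constructed scenario: one transient fault at step 2, pedal pressed with
    no skid throughout, brake pressure lost from step 2 until recovery_step."""
    num_fails = [1 if t == 2 else 0 for t in range(STEPS)]
    fail_rec4 = [True] * STEPS
    all_ped_no_skid = [True] * STEPS
    changed = [False] * STEPS
    some_pressure = [not (2 <= t < recovery_step) for t in range(STEPS)]
    return num_fails, fail_rec4, all_ped_no_skid, changed, some_pressure


if __name__ == "__main__":
    print("recovers in 2 steps:", holds(prop_multi_step_single_fail4(*trace(4))))
    print("recovers in 4 steps:", holds(prop_multi_step_single_fail4(*trace(6))))
```

The scenario that restores pressure two steps after the fault satisfies the property; the one that takes four steps violates it at step 5, the first step at which the three-step window behind the antecedent lines up with the fault. This is the point the slide makes: the failure condition itself (no pressure) is trivial to state, and all of the complexity comes from encoding the permitted recovery time with nested `pre`s.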
Ease of Analysis
Many Safety Properties Are Stylized
- Given n failures (or all failure combinations whose combined probability is > 10^-k), is it possible that the system will fail?
- The failure condition is usually straightforward to specify
- Property complexity arises when considering recovery time and fault propagation
Slide 43
Figure: Safety Requirements and Failure Modes are fed to FSAP/NuSMV-SA, which produces a Fault Tree.
FSAP Defines Flat Fault Trees
We Can Do Better by Encoding the Architecture of the System into the Fault Tree
Slide 45
Slide 46 (architecture and fault tree figure repeated from Slide 15)
Slide 47 (WBS figure and PVS proof goal repeated from Slide 33)
Slide 48 (Level of Detail in Proofs, repeated from Slide 34)
Safety Analysis Methodology
- Who Will Build the Fault Model?
- Who Performs What Analysis?
Slide 49