Integrating Systems: models and fault modes SESAM-möte, 19 Oktober, 2005 Jonas Elmqvist Real-Time Systems Laboratory Department of Computer and Information Science Linköpings universitet Sweden People involved • • • Simin Nadjm-Tehrani – RTSLAB, Linköpings universitet Jonas Elmqvist – RTLSAB, Linköpings universitet Marius Minea – “Politehnica” University of Timisoara, Romania • Master thesis students: – Jerker Hammarberg: High-Level Development and Formal Verification of Reconfigurable Hardware – Anders Granh: Code Generation from High-level Models of Reactive and Security-intrinsic Systems – Andreas Eriksson: Model Based Development of an Airbag Software – Markus Nilsson: A tool for automatic formal analysis of fault tolerance Integrating Systems: models and fault modes SESAM-möte 2 of 15 October 19, 2005 Pattern: Functional verification Model of the environment Model of the system Verification bench Component Out In Checks if property p is satisfied Integrating Systems: models and fault modes SESAM-möte Environment Out In Observer property p Alarm 3 of 15 October 19, 2005 Non-occurence of catastrophic events Patterns for safety analysis? Integrating Systems: models and fault modes SESAM-möte 4 of 15 October 19, 2005 Traditional FTA/FMEA • FTA: Top event Software/Digital hardware • FMEA: What are the consequences of some particular component’s failure? Subsystem Failure Mode Sensor Value Failure . . . . Effects of failure . . Integrating Systems: models and fault modes SESAM-möte Cause of failure … Actions … Sensor Malfunction … Duplicate sensors … . . . . . . . . 5 of 15 October 19, 2005 Pattern: Fault mode modelling Model of a fault Fault mode signals Verification bench Component Out In Environment Out In Observer property p Integrating Systems: models and fault modes SESAM-möte Alarm 6 of 15 October 19, 2005 Case study: Hydraulic leakage detection system Verification bench H-ECU PLD1 HS1B_Closed Valve HS1C_Closed Valve HS1Sensors Observer HS2Sensors Alarm PLD2 ShutOffLow Integrating Systems: models and fault modes SESAM-möte Valve HS2B_Closed Valve HS2C_Closed 7 of 15 October 19, 2005 Automatic Fault Tree Generation ? Digital components Faults? Integrating Systems: models and fault modes SESAM-möte 8 of 15 October 19, 2005 Pattern: Fault mode modelling Fault mode signals Verification bench Component Out In Environment Out In Observer property p Alarm Upgrades? Integrating Systems: models and fault modes SESAM-möte 9 of 15 October 19, 2005 Building Systems from Components • Component-Based Development (CBD) is an emerging trend in system development: – develop systems out of software components (COTS) and hardware components C2 C1 C5 C6 C4 C7 C3 • Problem: no component models address safety! C´4 Integrating Systems: models and fault modes SESAM-möte 10 of 15 October 19, 2005 Components & Interfaces • A component is an independent entity (SW or HW) that communicates through well-defined interfaces • Interfaces should provide all information needed for composition I is the interface of the component C I M M is a model of the behavior of the component • How should the analytical interface look like in order to capture safety? Integrating Systems: models and fault modes SESAM-möte 11 of 15 October 19, 2005 Safety Analysis and CBD • Traditional safety analysis is performed on the composed system • Our approach: – Interfaces captures information about the behaviour of the components in presence of faults in the system C1 satisifies S ? ? p + satisifies p C2 Integrating Systems: models and fault modes SESAM-möte 12 of 15 October 19, 2005 Current work • Techniques for component-based safety analysis using safety-interfaces – Methods for generating safety interfaces – Methods for using safety interfaces for safety analysis – Case studies?! Integrating Systems: models and fault modes SESAM-möte 13 of 15 October 19, 2005 Related Publications • • • J. Elmqvist, S. Nadjm-Tehrani and M. Minea, “Safety Interfaces for Component-Based Systems”, 24th International Conference on Computer Safety, Reliability and Security (SAFECOMP05), September, 2005. J. Elmqvist and S. Nadjm-Tehrani, “Intents, Upgrades and Assurance in Model-Based Development”, 2nd RTAS Workshop on Model-Driven Embedded Systems (MoDES’04), May, 2004 J. Elmqvist and S. Nadjm-Tehrani, “Intents and Upgrades in Component-Based HighAssurance Systems”, in Model-driven Software Development, Volume II of Research and Practice in Software Engineering, Springer-Verlag. – Jerker Hammarberg, “High-Level Development and Formal Verification of Reconfigurable Hardware”, 2003 – Jonas Elmqvist, “Analysis of Intent Specification and System Upgrade Traceability”, 2004 – Anders Granh, “Code Generation from High-level Models of Reactive and Security-intrinsic Systems”, 2004 – Andreas Eriksson, “Model Based Development of an Airbag Software”, 2004 – Markus Nilsson, “A tool for automatic formal analysis of fault tolerance”, 2005 Integrating Systems: models and fault modes SESAM-möte 14 of 15 October 19, 2005 Questions? Integrating Systems: models and fault modes SESAM-möte 15 of 15 October 19, 2005 Airbag Software • Characteristics – Porting from 16 bit (128kb ROM) processor to 32 bit processor (256kb ROM) – Current code not portable, design not documented • Studied tools: – Rhapsody in C, Interrupt driven framework • MISRA compatible • Code size roughly twice as big as the hand written C – Scade • Useful for algorithmic parts of the model, e.g. Crash detection • Assurance aided by formal verification Integrating Systems: models and fault modes SESAM-möte 16 of 15 October 19, 2005 Tiger XS • Characteristics – Security intrinsic communication platform – Secure applications to run on multiple hardware (PDA, phone, …) – Security assurance via inspections of generated code – Multiple OS, preferably no system calls • Studied tools – Rhapsody • Heavy duty • Not suitable for integration with legacy – Visual state • Cumbersome to define user defined data types Integrating Systems: models and fault modes SESAM-möte 17 of 15 October 19, 2005 Tool chain Simulink Gateway Simulink NuSMV SCADE Model Lustre Theorem Prover State Machines Model Design Verifier Properties Possible now Perhaps in future Integrating Systems: models and fault modes SESAM-möte 18 of 15 October 19, 2005
© Copyright 2026 Paperzz