NASA OSMA SAS '03
Fault Tree Analysis Application for Safety and Reliability
Massood Towhidnejad, Embry-Riddle University
Dolores Wallace & Al Gallo, NASA Goddard, SATC
SAS 03/ GSFC/SATC-ERAU-DoC
Overview
• FTA Background
• SFTA and the System Life Cycle
• SFTA Examples and Diagrams
• Modeling System Behavior
• Advantages & Disadvantages of SFTA
• Impact of Our Research
• Summary
Fault Tree Analysis
• General hazard analysis technique started in the 1960s
• Attributes:
  – Graphical
  – Top down
  – Analytical
    • Qualitative
    • Quantitative
• Goal: to identify all conditions that put the system in a hazardous state
• FTA applied to software
  – Little work has been done to date
  – SFTA focuses on the code and requirements
  – Generally applied to “small” projects (<2000 LOC)
• Observations:
  – SFTA is impractical at the code level
  – Should be applied to systems at the early stages of the life cycle
  – Need to address the quantitative analysis
SFTA Applied to System Life Cycle
• Requirements Phase
  – Highlight requirements for safety concerns & hazards
• Design Phase
  – Perform analysis on elements of the design (i.e., Activity, Sequence, and State diagrams)
  – Adjust design to eliminate/mitigate hazardous states
• Coding & Test
  – Increase the effectiveness of reviews and walkthroughs
  – Applied only to critical code
  – Adjust design to eliminate/mitigate hazardous states
SFTA Road Map
Use fault tree diagrams as a graphical communication vehicle for developers, testers, designers, managers and customers.
[Diagram: the work products (Requirements, Design, Code and Test) feed the Fault Tree; the Software Engineer verifies and modifies it, and the Customer/Domain expert verifies it and adds what is missing.]
Fault Tree Example (Activity Diagram)
[Activity diagram of the profile-update flow: User modifies profile → System validates permission. If access is not valid: Security access denied. If valid: Display security screen → User enters security data → System validates entry. If the entry is rejected, the user re-enters while Try <= 3; after Try > 3 the flow ends. If the modification is accepted (Mod. Accept): Update priority / Update name / Update Address → System updates profile.]
Fault Tree Example (Activity Diagram)
[Fault tree derived from the activity diagram above. Nodes marked IE are intermediate events; every node carries Q=0.0 w=0.0 because no probability data was available. Reconstructed from the slide's labels:]
1 User profile not updated
  1.1, 1.2, 1.3 (second-level events, in the order they appear on the slide): DB revision process failed; Access granted; User does not update data
  1.2.1 Incorrect security data entered > 3
  1.2.2 Security screen failed to display
  1.2.3 Validation process failed
Fault Tree Example (Sequence Diagram)
[Sequence diagram of client connection. Lifelines: :LogIn, commClient : CommClient, connectionDialog : ConnectionDialog, socket, : CommServer, connection : Connection, unregisteredClients : HashMap. Messages, in order:]
1. LogIn <<create>>s commClient and sends connect( )
2. loop [connected && !cancelled]: <<create>> connectionDialog; show( ); ipAddress := getIPAddress( ); portNum := getCSPortNum( ); <<create>> socket; isConnected := connect(ipAddress, portNum)
3. end loop [connected && !cancelled]
4. <<connect>> to CommServer; <<create>> connection; add(clientIP, connection) on unregisteredClients
5. [isConnected]:startRole(false)
Fault Tree Example (Sequence Diagram)
[Sequence diagram of role selection. Lifelines: roleDialog : RoleDialog, : LogIn, pilotInterface : PilotInterface, controllerInterface : ControllerInterface, supervisorInterface : SupervisorInterface. Messages: <<create>> roleDialog; show(); roleID := getSelectedRole( ); then one of [roleID = pilot]PilotInterface(commClient, this ), [roleID = controller]ControllerInterface(commClient, this, isSupervisor), [roleID = supervisor]Supervisor(commClient, this).]
Fault Tree Example (Sequence Diagram)
[Fault tree derived from the connection and role-selection sequence diagrams. Nodes marked IE are intermediate events; every node carries Q=0.0 w=0.0 because no failure data was available. Reconstructed from the slide's labels, with numbered nodes assigned by their placement on the slide:]
1 System fail to initialize
  1.1 Network connection failed
    1.1.1 IP address not identified
      1.1.1.1 User failed to request connection
      1.1.1.2 User failed to provide IP
      1.1.1.3 System provided corrupted IP
    1.1.2 Server socket not created
      1.1.2.1 Server refuse to establish connection
        1.1.2.1.1 # of requests in queue exceed size
        1.1.2.1.2 Connection limit is reached
  1.2 Network connection succeed
    1.2.1 Failed Login
      1.2.1.1 Login menu failed to be presented
      1.2.1.2 Role is already assigned
      1.2.1.3 Invalid user ID or password
Fault Tree Example (State Diagram)
[State diagram of a gas pump transaction. Source: Smart Draw. The diagram itself is not recoverable from the text.]
Fault Tree Example (State Diagram)
[Fault tree derived from the gas pump state diagram. Each second-level event pairs the state that was reached with the failure of the transition out of it; IE marks intermediate events. Reconstructed from the slide's labels; nodes 1.2.1.1, 1.3.1.1 and 1.4.1.1 appear on the slide without a label:]
1 Failed to provide proper gas
  1.1 Card entered & validation failed
    1.1.1 Card entered
    1.1.2 Validation failed
      1.1.2.1 HW failure
      1.1.2.2 Authorization failure
  1.2 Selection failed
    1.2.1 Validation succeeded (child 1.2.1.1)
    1.2.2 Selection failed
  1.3 Processing failed
    1.3.1 Selection succeeded (child 1.3.1.1)
    1.3.2 Processing failed
  1.4 Pumping failed
    1.4.1 Processing succeeded (child 1.4.1.1)
    1.4.2 Pumping failed
      1.4.2.1 Out of gas
      1.4.2.2 Pump HW failure
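The gas-pump tree above follows one mechanical rule: for every transition on the success path, the failure event is "previous state reached AND that transition failed", and the top event is the OR of those branches. The following Python is an added example, not code from the slides or from the SATC/ERAU project: it builds the tree from an ordered list of transitions, lists its minimal cut sets, and evaluates the top event with the standard gate formulas. All probabilities are constructed placeholders standing in for the Q=0.0 values on the slide (the deck notes that no software failure data was available), the leaf names for the Selection and Processing stages are hypothetical because the slide leaves those nodes unlabelled, and the function names are the example's own. It also shows one caveat a practitioner wants when a tree is derived from sequential stages: the OR gate's independence formula is only an approximation there, because at most one transition can be the first to fail, so the exact answer is the plain sum of the branches.

```python
"""Added example (not from the SAS '03 slides): build the gas-pump fault tree
from its transition list and evaluate it.  Probabilities are constructed."""
from itertools import product

# A node is ("basic", name, p) or ("and" | "or", name, [children]).
def basic(name, p):
    return ("basic", name, p)

def gate(kind, name, children):
    assert kind in ("and", "or")
    return (kind, name, children)

def probability(node):
    """Node probability assuming independent inputs:
    AND multiplies, OR uses 1 - prod(1 - p)."""
    kind, _, payload = node
    if kind == "basic":
        return payload
    ps = [probability(c) for c in payload]
    acc = 1.0
    if kind == "and":
        for p in ps:
            acc *= p
        return acc
    for p in ps:
        acc *= 1.0 - p
    return 1.0 - acc

def cut_sets(node):
    """Minimal cut sets: OR collects its children's sets, AND combines one
    set from each child; any set containing another is dropped."""
    kind, name, payload = node
    if kind == "basic":
        return [frozenset([name])]
    child_sets = [cut_sets(c) for c in payload]
    if kind == "or":
        sets = {s for cs in child_sets for s in cs}
    else:
        sets = {frozenset().union(*combo) for combo in product(*child_sets)}
    minimal = [s for s in sets if not any(o < s for o in sets)]
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))

# Constructed input: the pump's success path, one entry per transition, with
# the basic causes named by the slide's leaves.  The Selection and Processing
# leaves are unnamed on the slide, so the names used here are hypothetical.
PUMP_TRANSITIONS = [
    ("Validation", [("HW failure", 0.002), ("Authorization failure", 0.03)]),
    ("Selection",  [("Selection fault (hypothetical)", 0.01)]),
    ("Processing", [("Processing fault (hypothetical)", 0.005)]),
    ("Pumping",    [("Out of gas", 0.01), ("Pump HW failure", 0.003)]),
]

def build_pump_tree(transitions):
    """Slide rule: event 1.i = AND(previous state reached, transition i failed);
    top event = OR over all i.  'State reached' is carried as a basic event
    whose probability is the product of the earlier transitions succeeding."""
    branches = []
    reached = basic("Card entered", 1.0)   # initial event, assumed certain
    reached_p = 1.0
    for i, (name, causes) in enumerate(transitions, start=1):
        fault = gate("or", f"{name} failed", [basic(c, p) for c, p in causes])
        branches.append(gate("and", f"1.{i} {name} failed", [reached, fault]))
        reached_p *= 1.0 - probability(fault)
        reached = basic(f"{name} succeeded", reached_p)
    return gate("or", "1 Failed to provide proper gas", branches)

def exact_sequential_probability(transitions):
    """Branches of a sequential process are mutually exclusive (only one
    transition is the first to fail), so the exact top-event probability is
    1 - prod(1 - q_i) over the per-transition failure probabilities q_i."""
    survive = 1.0
    for _, causes in transitions:
        q = probability(gate("or", "", [basic(c, p) for c, p in causes]))
        survive *= 1.0 - q
    return 1.0 - survive

if __name__ == "__main__":
    tree = build_pump_tree(PUMP_TRANSITIONS)
    print("OR-gate (independence) estimate:", round(probability(tree), 6))
    print("exact for sequential stages    :",
          round(exact_sequential_probability(PUMP_TRANSITIONS), 6))
    for cs in cut_sets(tree):
        print("cut set:", sorted(cs))
```

With these placeholder numbers the gate formula gives about 0.0577 while the exact sequential value is about 0.0588; the gap is small because the events are rare, but it grows with the failure probabilities, which is one reason the slides flag timing and loops as needing special attention. The cut-set listing is the qualitative output that remains useful even when, as on the slide, every Q is 0.0.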
Modeling System Behavior
• Hardware
  – Large sample size
  – Large collections of historic data
  – Classification of failure types
  – Degradation (increase failure rate)
• Software
  – Limited sample size (usually one)
  – Limited availability of software failure data
  – Classification of cause more relevant
  – Improvement!!!! (decrease failure rate)
  – Probability values not available, though subject of research efforts
[Chart: Reliability (vertical axis) versus Time (horizontal axis) from t0 = release, with one curve for S/W and one for H/W.]
Assessing SFTA
• Advantages:
  – Easy to learn
  – Graphical representation
  – Communication vehicle with customer
  – Partial automatic conversion possible (but not desirable)
• Disadvantages:
  – Conversion is labor intensive
  – Automatic conversion is not attractive
  – Lack of software reliability data
  – Timing and loops need special attention
  – No dedicated SFTA tool
Impact of Our Research
• Technology Transfer, Infusion, Recognition & Commercialization
  – SATC collaborating with commercial vendor of commercial FTA tool
    • Enhancing product to accommodate software uniquenesses
    • Planning to build in paradigm features
  – GSFC Center Director and SMA Director tracking through center’s Tech Transfer Office
    • SFTA activity and a safety-related tool
    • Assisting in the collaboration / licensing
Summary
• Applied Fault Tree (FT) to Object Oriented design
• In addition to fault detection, FT can serve as a communication medium with the customer
• Lack of reliability data reduces the quantitative analysis of the FT
• Seeking alternative sources of data for quantitative analysis
• Collaborating with a FT tool vendor to develop a software fault tree tool