1. No category

Safety Analysis with AADL and EMV2

Safety Evaluation with AADLv2
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213
Julien Delange
09/24/2013
© 2013 Carnegie Mellon University
Agenda
Overview of AADL Error-Model Annex
Approach for Safety Evaluation
Support of Safety Evaluation with AADL
Case-Study
On-Going Work
Discussion
AADL & Error-Model Annex
Julien Delange – September 24 2013
© 2013 Carnegie Mellon University
2
Agenda
Overview of AADL Error-Model Annex
Approach for Safety Evaluation
Support of Safety Evaluation with AADL
Case-Study
On-Going Work
Discussion
AADL & Error-Model Annex
Julien Delange – September 24 2013
© 2013 Carnegie Mellon University
3
Error-Model Annex within the AADL ecosystem
Reliability
Performance
Evaluation
Code Generation
System Validation
System
Configuration
Security
Safety
ARINC653
Requirements
description
AADL & Error-Model Annex
Julien Delange – September 24 2013
© 2013 Carnegie Mellon University
4
Overview of Error-Model Annex
Extension of AADL for fault description: error events, propagations, etc.
Integration with current models by extending existing components
Draft document to be proposed as a standard annex
Support for Safety Evaluation and Analysis
AADL & Error-Model Annex
Julien Delange – September 24 2013
© 2013 Carnegie Mellon University
5
Error Types and propagations
Error types: error classification
ValueError
Extensions and renaming
OutOfRange
Inconsistent
Error propagations across components
Associate errors with system connections
Define error sources, sinks and containment
Sink for ValueError &
Error Source
source for NoData
of ValueError
ValueError
NoData
Sensor
Processing
Error Sink
for NoData
Actuator
AADL & Error-Model Annex
Julien Delange – September 24 2013
© 2013 Carnegie Mellon University
6
Error behavior
States machines
Error-related transitions
Propagation rules
Use of error types
Normal
Failure
(BadData)
Recover
Failed
Failed
(NoValue)
Composite behavior
Define system states according to its parts
ex: “I am failing if one of my component is failing”
Subsystem 1
(Normal)
Subsystem 2
(Normal)
Subsystem 1
(Normal)
Subsystem 2
(Failing)
AADL & Error-Model Annex
Julien Delange – September 24 2013
© 2013 Carnegie Mellon University
7
Specific Error-Model Properties
Severity, likelihood, error description
Support for generating validation documentation
Tailoring for safety standards (ARP4761, MIL-STD-882)
AADL & Error-Model Annex
Julien Delange – September 24 2013
© 2013 Carnegie Mellon University
8
Agenda
Overview of AADL Error-Model Annex
Approach for Safety Evaluation
Analysis of System Safety with AADL
Case-Study
On-Going Work
Discussion
AADL & Error-Model Annex
Julien Delange – September 24 2013
© 2013 Carnegie Mellon University
9
Aircraft-Level FHA
Define aircraft failure conditions
Allocate failure to system functions
Preliminary System Safety Assessment
System Functional Hazard Analysis (FHA)
System Fault-Tree Analysis (FTA)
System Safety Assessment
Failure Mode and Effect Analysis
Refined FTA with Quantitative Failures Rates
System Development Cycle
Safety Analyses
AADL & Error-Model Annex
Julien Delange – September 24 2013
© 2013 Carnegie Mellon University
10
ARP4761, section 3
Functional Hazard Analysis
Identify and classify functions failure conditions
Aircraft or System Level
Aircraft, High-Level View
Refinement at System Level
Input for safety requirements specification
Description and specification in FTA, DD or MA
Reference of Aircraft Low-Level to System FHA
Spreadsheet with reference to functions failures description
AADL & Error-Model Annex
Julien Delange – September 24 2013
© 2013 Carnegie Mellon University
11
Fault-Tree Analysis
ARP4761, section 4.1
Relationship of failure effects and failure modes Initial Failure Mode
Reference to system hierarchy
Support with Open-Source
and Commercial Tools
Failure Mode
Fault Occurrence
AADL & Error-Model Annex
Julien Delange – September 24 2013
© 2013 Carnegie Mellon University
12
Markov Chain
ARP4761, section 4.1
Evaluation of system behavior over time
Probability of being in particular states
Analysis and evaluation of fault states
Support with Commercial and Open-Source Tools
AADL & Error-Model Annex
Julien Delange – September 24 2013
© 2013 Carnegie Mellon University
13
Failure Mode and Effect Analysis
ARP4761, section 4.2
Impact of Fault at a Higher Levels
Start from Function Level to System/Aircraft Level
Spreadsheet/textual document
AADL & Error-Model Annex
Julien Delange – September 24 2013
© 2013 Carnegie Mellon University
14
Agenda
Overview of AADL Error-Model Annex
Approach for Safety Evaluation
Support of Safety Evaluation with AADL
Case-Study
On-Going Work
Discussion
AADL & Error-Model Annex
Julien Delange – September 24 2013
© 2013 Carnegie Mellon University
15
AADL & Safety Evaluation – Tool Overview
FTA
FHA
•
Spreadsheet
•
Use error
propagations
•
•
•
CAFTA
OpenFTA
Use composite
behavior
Markov Chain
FMEA
•
PRISM
•
Spreadsheet
•
Use error flow
•
Error behavior
•
Error behavior
•
Propagations
Error flows
AADL & Error-Model Annex
Julien Delange – September 24 2013
© 2013 Carnegie Mellon University
16
Preliminary System Safety Assessment (PSSA) support
High-level component, interfaces from the OEM
Automatic generation of validation materials (FHA, FTA)
System Safety Assessment (SSA) support
Use refined models from suppliers
Enhancement of error specifications
Support of quantitative safety analysis (FTA, FMEA, MA)
System Development Cycle
Safety Analysis & AADL
AADL & Error-Model Annex
Julien Delange – September 24 2013
© 2013 Carnegie Mellon University
17
Preliminary System Safety Assessment
Component
types
(system interfaces)
Validation
Materials
(FHA, FTA)
Check PSSA and SSA
consistencies
Component
implementation
Validation with
quantitative fault rates
(FMEA, FTA, DD, MA)
Refinement & development evolution
Evolution of Safety Analysis process with AADL
System Safety Assessment
AADL & Error-Model Annex
Julien Delange – September 24 2013
© 2013 Carnegie Mellon University
18
Functional Hazard Analysis Support
Use of component error behavior
Error propagations rules
Internal error events
FHA
Specify initial failure mode
Define error description and related information
Create spreadsheet containing FHA elements
To be reused by commercial or open-source tools
AADL & Error-Model Annex
Julien Delange – September 24 2013
© 2013 Carnegie Mellon University
19
Fault-Tree Analysis Support
Use of composite error behavior
FTA nodes
FTA
Use of component error behavior
Incoming error events
Walk through the components hierarchy
Generate the complete fault-tree
Focus on specific AADL subcomponents
Export to several tools
Commercial: CAFTA
Open-Source: OpenFTA – http://www.openfta.com
AADL & Error-Model Annex
Julien Delange – September 24 2013
© 2013 Carnegie Mellon University
20
Markov-Chain Support
Use of component error behavior
Error propagations rules
Error transitions
Markov Chain
Map states and error types into specific values
Tool-specific approach
Ability to evaluate system state over time
What is the probability my system is failing within 30 days ?
Export to open-source tools, PRISM http://www.prismmodelchecker.org/
AADL & Error-Model Annex
Julien Delange – September 24 2013
© 2013 Carnegie Mellon University
21
Failure Mode and Effects Support
Use of component error behavior
Error propagations rules (source, sink, etc.)
Internal error events
FMEA
Traverse all error paths
Record impact over the components hierarchy
Use error description and related information
Create spreadsheet containing FHA elements
To be reused by commercial or open-source tools
AADL & Error-Model Annex
Julien Delange – September 24 2013
© 2013 Carnegie Mellon University
22
Reliability Block Diagram
aka ARP4761 Dependence Diagram (DD)
Use of composite error behavior
Error propagations rules (source, sink, etc.)
Internal error events
RDB
Compute reliability of the Dependence Diagram
Use of recover and failure events
Overall probability of system failure
Support in OSATE (built-in)
AADL & Error-Model Annex
Julien Delange – September 24 2013
© 2013 Carnegie Mellon University
23
Agenda
Overview of AADL Error-Model Annex
Approach for Safety Evaluation
Support of Safety Evaluation with AADL
Case-Study
On-Going Work
Discussion
AADL & Error-Model Annex
Julien Delange – September 24 2013
© 2013 Carnegie Mellon University
24
Wheel Brake System
Development of a public model
https://wiki.sei.cmu.edu/aadl/index.php/ARP4761_-_Wheel_Brake_System_%28WBS%29_Example
Use of Error-Model and ARINC annexes
Relevance for the avionics community
Reuse for SAVI
Provide support for the AFE61 demo
Apply the technology/toolset on a known example
Generation of FHA, FTA, MA & FMEA
AADL & Error-Model Annex
Julien Delange – September 24 2013
© 2013 Carnegie Mellon University
25
AADL model
root system
NoService
NoPower
NoPressure
InvalidReport
Software and/or
RuntimeError
AADL & Error-Model Annex
Julien Delange – September 24 2013
© 2013 Carnegie Mellon University
26
AADL model, BSCU variations
AADL & Error-Model Annex
Julien Delange – September 24 2013
© 2013 Carnegie Mellon University
27
FHA of the root system
AADL & Error-Model Annex
Julien Delange – September 24 2013
© 2013 Carnegie Mellon University
28
FTA of the root system
Focus on a specific
AADL subcomponent
AADL & Error-Model Annex
Julien Delange – September 24 2013
© 2013 Carnegie Mellon University
29
FTA of the BSCU subcomponent
AADL & Error-Model Annex
Julien Delange – September 24 2013
© 2013 Carnegie Mellon University
30
FMEA of the root system
Propagation path
Current
State
Component 1
Out
propagation
Out propagation
or error containment
Component 2
AADL & Error-Model Annex
Julien Delange – September 24 2013
© 2013 Carnegie Mellon University
31
Agenda
Overview of AADL Error-Model Annex
Approach for Safety Evaluation
Support of Safety Evaluation with AADL
Case-Study
On-Going Work
Discussion
AADL & Error-Model Annex
Julien Delange – September 24 2013
© 2013 Carnegie Mellon University
32
Consistency Checks
Consistency at integration time
Consistency between models from different suppliers
Strengthen the Virtual Integration promoted by SAVI
Consistency of the internal model
ex: Can I propagate this error according to my actual state ?
Consistency across error models specifications
Component Error Behavior with Composite Error Behavior
Correctness of a state according to subcomponents
Error information with Behavior information
AADL & Error-Model Annex
Julien Delange – September 24 2013
© 2013 Carnegie Mellon University
33
Providing Modeling Guidance
Improve tooling aspects
Help engineers to use the toolset
Enhance tool support & functions
Release documentation
Technical report, webinar or other media
Modeling best practices & AADL patterns
Guidance for using tools
To be published in 2013
Customer training, consulting services for specific needs
AADL & Error-Model Annex
Julien Delange – September 24 2013
© 2013 Carnegie Mellon University
34
Agenda
Overview of AADL Error-Model Annex
Approach for Safety Evaluation
Support of Safety Evaluation with AADL
Case-Study
Case-Study
Discussion
AADL & Error-Model Annex
Julien Delange – September 24 2013
© 2013 Carnegie Mellon University
35
Contact
Presenter / Point of Contact
Dr. Julien Delange
Telephone: +1 412-268-9652
Email: [email protected]
U.S. Mail
Software Engineering Institute
Customer Relations
4500 Fifth Avenue
Pittsburgh, PA 15213-2612
USA
Web
www.aadl.info
www.sei.cmu.edu
www.sei.cmu.edu/contact.cfm
Customer Relations
Email: [email protected]
Telephone:
+1 412-268-5800
SEI Phone:
+1 412-268-5800
SEI Fax:
+1 412-268-6257
AADL & Error-Model Annex
Julien Delange – September 24 2013
© 2013 Carnegie Mellon University
36
Copyright 2013 Carnegie Mellon University
This material is based upon work funded and supported by the Department of Defense under Contract No. FA8721-05-C-0003 with
Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development
center.
NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS
FURNISHED ON AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER
EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR
PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE
MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT,
TRADEMARK, OR COPYRIGHT INFRINGEMENT.
This material has been approved for public release and unlimited distribution.
This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without
requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software
Engineering Institute at [email protected].
DM-0000087
AADL & Error-Model Annex
Julien Delange – September 24 2013
© 2013 Carnegie Mellon University
37

 Download  Report

Paperzz.com

Your Paperzz

© Copyright 2026 Paperzz