NuSMV3: a framework for Formal Model Based Safety Assessment
Marco Bozzano, Roberto Cavada, Alessandro Cimatti, Cristian Mattarei
Fondazione Bruno Kessler, Trento (Italy)
Roadmap
- Formal Model Based Safety Assessment
- Formal Safety Assessment
– Current approach
– Automated Fault Extension
- NuSMV3 formal verification framework
- Next challenges
[Figure: the development process as a V-model: Requirements, Architecture, Implementation, Integration Verification and Testing, System Verification and Testing]
Model Based Safety Assessment
[Figure: the same V-model with the safety assessment activities alongside it: FHA, Preliminary SA, System SA; their outputs are the System Fault Tree Analysis, the Architecture FTA and the FMEA tables]
Model Based Safety Assessment
- Model the system (nominal); check whether the model satisfies the requirements.
- Model the system (nominal and faulty); check whether the model satisfies the safety requirements.
- Results: counterexamples, fault trees, FMEA tables.
Roadmap
- Formal Model Based Safety Assessment
- Formal Safety assessment
– Current approach
– Automated Fault Extension
- NuSMV3 formal verification framework
- Next challenges
Fault Extension: the idea
[Figure: the formal model (nominal) is transformed into the faulty model (extended)]
Manual Extension
PROS
- Highly expressive
- Does not need extra tools
CONS
- Error prone
- Not traceable process
- Time consuming
Fault Injection
[Figure: the extended component keeps the nominal behavior unchanged and adds the faulty behavior next to it; a mode selector chooses which of the two drives the output]
Fault Injection
PROS
- Keeps nominal and fault model disjoint
- Traceable process
- Automatic technique
- “Once and for all” validation
CONS
- Needs functional modeling
Fault Injection (FSAP)
[Figure: the same nominal behavior / faulty behavior / mode selector scheme, as realized in FSAP]
Fault Extension approaches
- Manual extension
- Fault Injection (FSAP)
- Library Based FI (NuSMV3)
Library Based Fault Injection
[Figure: the extended component keeps the nominal behavior and adds faulty behavior 1, faulty behavior 2, ..., faulty behavior n taken from the fault library; a mode selector chooses which behavior drives the output]
Faults Libraries
- Effects model library: one effect model describes the effects on the associated nominal component when a fault occurs, e.g. stuck at a value, invert a value, a value ramps down, ...
- Local dynamics model library: one local dynamics model describes the behavior of the fault over time, e.g. a permanent or transient fault, self repair after 10 seconds, ...
Library Based Fault Injection
- Support for complex behavior
– hybrid and discrete semantics
– multiple input support
– global dynamics interaction
- Easily extendable library definition
– effects model and local dynamics
- User friendly and aided approach
– human readable file definitions
– guided extension via GUI
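The mode selector of the Fault Injection slides and the two libraries of the Faults Libraries slide, put together in plain Python. This is an added illustration, not NuSMV3 or FSAP code: `sensor` and `buffer_bit` are hypothetical nominal components, the fault event time `fault_at` is a constructed environment choice, and one discrete step is taken to be one second so that "self repair after 10 seconds" becomes ten steps. The point to notice is that the nominal function is never edited; the extension only composes it with an effect model, a local dynamics model and the selector.

```python
"""Library-based fault injection on one component (added example, not NuSMV3/FSAP code).

Three ingredients from the deck, in plain Python:
  - effects model library: what an active fault does to the nominal output
  - local dynamics library: when the fault is active after the fault event
  - mode selector: picks nominal or faulty behaviour at every step
Time is discrete; one step is taken to be one second here (assumption), so
"self repair after 10 seconds" is 10 steps."""


# ---- Effects model library: (nominal_value, steps_since_onset) -> faulty value ----
def stuck_at(value):
    """Output frozen at `value` while the fault is active."""
    return lambda nominal, t_active: value


def inverted(nominal, t_active):
    """1-bit signal flipped."""
    return 1 - nominal


def ramp_down(rate):
    """Output drifts below the nominal value by `rate` per active step, floored at 0.
    Stateful effect: it depends on how long the fault has been active."""
    return lambda nominal, t_active: max(0.0, nominal - rate * t_active)


# ---- Local dynamics library: steps_since_onset -> is the fault active? ----
def permanent():
    """Once the fault event occurs, the fault never goes away."""
    return lambda t_active: True


def self_repair(seconds):
    """Active for `seconds` steps after onset, then the component recovers for good."""
    return lambda t_active: t_active < seconds


def transient(choices):
    """Intermittent fault. In a model checker the per-step on/off decision is a free
    (nondeterministic) input; here it is resolved by the constructed `choices`
    sequence, and the fault is off once the sequence is exhausted."""
    return lambda t_active: t_active < len(choices) and choices[t_active]


class ExtendedComponent:
    """What the model extender produces for one component: the untouched nominal
    behaviour, one fault model (effect + local dynamics) and a mode selector."""

    def __init__(self, nominal, effect, dynamics, fault_at):
        self.nominal = nominal        # nominal behaviour, never edited by the extension
        self.effect = effect          # entry of the effects model library
        self.dynamics = dynamics      # entry of the local dynamics library
        self.fault_at = fault_at      # step of the fault event (an environment choice)

    def output(self, t, inputs):
        """Return (mode, value) at step t. The if/else is the mode selector."""
        nominal_value = self.nominal(inputs)
        if t < self.fault_at:
            return "nominal", nominal_value
        t_active = t - self.fault_at
        if self.dynamics(t_active):
            return "faulty", self.effect(nominal_value, t_active)
        return "nominal", nominal_value


def simulate(component, steps, inputs):
    """Trace of (mode, value) for `steps` steps on constant inputs."""
    return [component.output(t, inputs) for t in range(steps)]


# Nominal behaviours used below (hypothetical components for this example).
def sensor(inputs):          # reports its reading unchanged
    return inputs["reading"]


def buffer_bit(inputs):      # passes a 1-bit input through
    return inputs["bit"]


if __name__ == "__main__":
    reading = {"reading": 100.0}   # constructed constant input
    print(simulate(ExtendedComponent(sensor, stuck_at(0.0), permanent(), 3), 6, reading))
    print(simulate(ExtendedComponent(sensor, stuck_at(0.0), self_repair(10), 2), 14, reading))
    print(simulate(ExtendedComponent(sensor, ramp_down(10.0), permanent(), 0), 12, reading))
    print(simulate(ExtendedComponent(buffer_bit, inverted, transient([True, False, True]), 1),
                   5, {"bit": 1}))
```

Each trace shows the "once and for all" property the slide claims for fault injection: swapping the local dynamics (permanent, self-repair, transient) or the effect (stuck-at, ramp down, inverted) changes the faulty trace without touching `sensor` or `buffer_bit`, so a validated nominal model stays validated.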
Flow of the Fault Extension
[Figure: the Extension Manager takes the fault libraries, the nominal model and the extension info; the Model Extender produces the extended model]
[Figure: each fault model fm_i is the composition of an effect model em_i from the effects model library with a local dynamics model ld_i from the local dynamics library; the extension info attaches the fault models fm_1 ... fm_n to the nominal components of the nominal model]
Roadmap
- Formal Model Based Safety Assessment
- Formal Safety assessment
– Current approach
– Automated Fault Extension
- NuSMV3 formal verification framework
- Next challenges
Flow of Formal MBSA
[Figure: Fault Extension step: the Extension Manager takes the fault libraries, the nominal model and the extension info, and the Model Extender produces the extended model. Formal Verification step: the extended model is checked against a temporal property, producing a counterexample, a fault tree or an FMEA table]
NuSMV3: Architecture
[Figure: layered architecture of NuSMV3. Input languages: Altarica, Matlab Simulink, AADL, ...; the translators Altarica2HyDI, MatlabSL2HyDI and AADL2SMV bring them into HyDI and SMV. Add-ons: Model Extender, Safety Assessment. Core: NuSMV 2 on top of the CUDD BDD package, the MiniSAT SAT solver and the MathSAT5 SMT solver]
Adder Example
Adder example: Nominal Model
[Figure: two random inputs, random1 and random2, feed bit1 and bit2; their outputs feed the adder]
Adder example: components may fail
[Figure: the same nominal structure, with bit1, bit2 and adder marked as components that may fail]

Components   Effect Model   Local Dynamics
bit1, bit2   StuckAt(0)     Permanent
bit1, bit2   StuckAt(1)     Permanent
bit1, bit2   Inverted       Transient
adder        StuckAt(0)     Permanent
adder        StuckAt(1)     Permanent
Example: bits fault model composition
[Figure: for each bit, fm1 = StuckAt(0) + Permanent, fm2 = StuckAt(1) + Permanent, fm3 = Inverted + Transient; the three fault models are attached to the nominal bit component N and interact through the global dynamics]
Analysis Results
Example: Fault Tree Analysis
Top Level Event:
random1 = 0 & random2 = 0 & adder.output != 0 (check when 0 + 0 != 0)
Example: FMEA tables

FMEA TABLE ORDER 1
Id.Nr.  Failure Mode                                      Failure Effects
1       bit1.output inverted                              ((random1=0 & random2=0) & adder.output != 0)
2       bit1.output stuck_at_1                            ((random1=0 & random2=0) & adder.output != 0)
3       bit2.output inverted                              ((random1=0 & random2=0) & adder.output != 0)
4       bit2.output stuck_at_1                            ((random1=0 & random2=0) & adder.output != 0)
5       adder.output stuck_at_1                           ((random1=0 & random2=0) & adder.output != 0)

FMEA TABLE ORDER 2
Id.Nr.  Failure Mode                                      Failure Effects
1       bit1.output inverted                              ((random1=0 & random2=0) & adder.output != 0)
2       bit1.output stuck_at_1                            ((random1=0 & random2=0) & adder.output != 0)
3       bit2.output inverted                              ((random1=0 & random2=0) & adder.output != 0)
4       bit2.output stuck_at_1                            ((random1=0 & random2=0) & adder.output != 0)
5       adder.output stuck_at_1                           ((random1=0 & random2=0) & adder.output != 0)
6       bit1.output inverted & bit1.output stuck_at_0     ((random1=0 & random2=0) & adder.output != 0)
7       bit1.output inverted & bit1.output stuck_at_1     ((random1=0 & random2=0) & adder.output != 0)
8       bit1.output inverted & bit2.output inverted       ((random1=0 & random2=0) & adder.output != 0)
9       bit1.output inverted & bit2.output stuck_at_0     ((random1=0 & random2=0) & adder.output != 0)
10      bit1.output inverted & bit2.output stuck_at_1     ((random1=0 & random2=0) & adder.output != 0)
11      bit1.output inverted & adder.output stuck_at_1    ((random1=0 & random2=0) & adder.output != 0)
12      …
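The Flow of Formal MBSA and the adder example, end to end, as an added illustration that is not code from the deck or from NuSMV3: the extension info from the "components may fail" table is applied to a nominal adder through a per-component mode selector, and the top level event random1 = 0 & random2 = 0 & adder.output != 0 is then analysed. NuSMV3 answers this symbolically by model checking; here the fault configurations are simply enumerated, which is only feasible because the model is tiny. Two assumptions differ from the deck: local dynamics are dropped because the check is combinational (every listed failure mode is taken to be active at the step where the event is evaluated), and the selector activates at most one fault model per component, so pairs such as "bit1.output inverted & bit1.output stuck_at_0" (rows 6 and 7 of the deck's order 2 table, which come from the global dynamics) are not generated.

```python
"""Fault extension of the adder and extraction of an FMEA table / fault tree cut sets.

Added example, not code from the NuSMV3 deck or tool. Brute-force enumeration of fault
configurations instead of symbolic model checking; local dynamics left out (every
failure mode is active at the evaluation step); at most one fault model per component."""
from itertools import combinations, product

# Effects model library: nominal value -> faulty value.
EFFECTS = {
    "stuck_at_0": lambda nominal: 0,
    "stuck_at_1": lambda nominal: 1,
    "inverted":   lambda nominal: 1 - nominal,   # only attached to 1-bit signals
}

# Extension info from the deck's table: which effect models each nominal component gets.
EXTENSION_INFO = {
    "bit1":  ("stuck_at_0", "stuck_at_1", "inverted"),
    "bit2":  ("stuck_at_0", "stuck_at_1", "inverted"),
    "adder": ("stuck_at_0", "stuck_at_1"),
}
FAILURE_MODES = [(comp, eff) for comp, effs in EXTENSION_INFO.items() for eff in effs]


def extended_model(random1, random2, active):
    """Evaluate the extended adder. `active` maps component -> failure mode; a component
    absent from it behaves nominally. `select` is the mode selector: the nominal
    behaviour (bit = its input, adder = bit1 + bit2) is computed first and left untouched."""
    def select(component, nominal_value):
        mode = active.get(component)
        return nominal_value if mode is None else EFFECTS[mode](nominal_value)
    bit1 = select("bit1", random1)
    bit2 = select("bit2", random2)
    adder = select("adder", bit1 + bit2)
    return {"bit1.output": bit1, "bit2.output": bit2, "adder.output": adder}


def top_level_event(random1, random2, outputs):
    """TLE from the deck: random1 = 0 & random2 = 0 & adder.output != 0."""
    return random1 == 0 and random2 == 0 and outputs["adder.output"] != 0


def causes_tle(config):
    """Does this fault configuration make the TLE reachable for some input valuation?"""
    active = dict(config)
    return any(top_level_event(r1, r2, extended_model(r1, r2, active))
               for r1, r2 in product((0, 1), repeat=2))


def fault_configurations(max_order):
    """All sets of 1..max_order failure modes with at most one mode per component."""
    for order in range(1, max_order + 1):
        for config in combinations(FAILURE_MODES, order):
            if len({comp for comp, _ in config}) == order:
                yield config


def fmea_table(max_order):
    """FMEA table of the given order: every configuration whose failure effect is the TLE."""
    return [config for config in fault_configurations(max_order) if causes_tle(config)]


def minimal_cut_sets(max_order):
    """Fault tree cut sets: TLE-causing configurations with no TLE-causing proper subset."""
    causing = [frozenset(c) for c in fmea_table(max_order)]
    return {c for c in causing if not any(other < c for other in causing)}


def describe(config):
    return " & ".join(f"{comp}.output {mode}" for comp, mode in config)


if __name__ == "__main__":
    for order in (1, 2):
        print(f"FMEA TABLE ORDER {order}")
        for i, config in enumerate(fmea_table(order), 1):
            print(f"{i:3}  {describe(config)}")
    print("Minimal cut sets:", sorted(describe(sorted(c)) for c in minimal_cut_sets(2)))
```

The order 1 table reproduces the deck's five rows exactly (stuck_at_0 on any component cannot make 0 + 0 differ from 0, so those modes are absent), and the difference between the two analyses is visible in the output: the FMEA table of order 2 lists every pair that leads to the event, while the fault tree keeps only the five minimal cut sets, since every causing pair contains one of the single-fault causes.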
Conclusion
Library based fault extension
- Highly expressive
- Automated technique
- Time saving
- Traceable process
Next challenges
- Extension of expressiveness for library based fault injection
- Integration with industrial design tools