Combining Real-Time Model-Checking and Fault Tree Analysis

Size: px

Start display at page:

Download "Combining Real-Time Model-Checking and Fault Tree Analysis"

Chester Ferguson
5 years ago
Views:

1 Combining Real-Time and Fault Tree Analysis Andreas Schäfer MC University of Oldenburg Real-Time and Fault Tree Analysis p.1/17

2 Contents What is Fault Tree Analysis (FTA)? Duration Calculus with Liveness Fault Tree Fault Trees Fault Tree guided MC Real-Time and Fault Tree Analysis p.2/17

3 Fault Tree Analysis Afternoon-Session exceeds 1.5h 1 One talk takes more than 30min Technical Problems & 1 Too many slides Watch defective Video projector failure Notebook failure MC Real-Time and Fault Tree Analysis p.3/17

4 Fault Tree Analysis Afternoon-Session exceeds 1.5h 1 One talk takes more than 30min Technical Problems & 1 Too many slides Watch defective Video projector failure Notebook failure MC But not based on rigid formal semantics Real-Time and Fault Tree Analysis p.3/17

5 Verifying: Fault Tree is constructed properly, e.g. every cause is covered Fault Tree guided MC Real-Time and Fault Tree Analysis p.4/17

6 Logic: Duration Calculus with Liveness () (Skakkebæk, 1994) Extending DC with expanding modalities,, L, L to express liveness properties. Example: L session >90 session time > 90 MC Real-Time and Fault Tree Analysis p.5/17

7 for Fault Trees MC Based on a Duration Calculus (Reif, Schellhorn, Thums, 2000) Events formalised by Duration Calculus with Liveness formulae For each gate two proof obligations sufficiency (the sub-events always cause the event to happen) necessity (no possible cause is forgotten) Fault Tree semantics: Conjunction of all proof obligations. Real-Time and Fault Tree Analysis p.6/17

8 Gate-types Additional to normal gate-types AND-Gate & OR-Gate 1 MC Real-Time and Fault Tree Analysis p.7/17

9 Gate-types Additional to normal gate-types AND-Gate & OR-Gate 1 gate-types for cause-consequence relationships asynchronous OR-gate 1 CC asynchronous AND-gate & CC synchronous AND-gate & SCC MC Real-Time and Fault Tree Analysis p.7/17

10 Gate-types Additional to normal gate-types AND-Gate & OR-Gate 1 gate-types for cause-consequence relationships asynchronous OR-gate 1 CC asynchronous AND-gate & CC synchronous AND-gate & SCC MC Real-Time and Fault Tree Analysis p.7/17

11 for OR-gates E 1 E 1. E n MC ( n i=1 E E i ) E OR-gate: sufficient condition ( n i=1 ) E i OR-gate: necessary condition Real-Time and Fault Tree Analysis p.8/17

12 for other gates MC OR-acc-gate necessary condition ( ) n ( E i { L /});E{ L /} i=1 AND-acc-gate necessary condition ( ) n ( E i { L /});E{ L /} i=1 AND-scc-gate: necessary condition ( ) n ( E i { L /});E{ L /} i=1 Real-Time and Fault Tree Analysis p.9/17

13 is undecidable Decidable subset: Phase Automata (Tapken, 2001) Model-Checker MobyDC checks if set of automata has common run. Not closed under complementation start_timer MC empty or rupture fill or full (0,60] tank_timer Real-Time and Fault Tree Analysis p.10/17

14 Event-pattern Restriction to three common event types (Gorski, 1994) Formalisation in : L ( π b l) L L π L ( π ; π ) L ( π 1 b 1 l e 1 ;...; π n b n l e n ) where π i π j false for i j reachable state final state state sequence MC Effectively construct Phase Automata for these patterns Class is closed under complementation Real-Time and Fault Tree Analysis p.11/17

15 Fault Trees Formal system model in terms of Phase Automata MC Real-Time and Fault Tree Analysis p.12/17

Fault Trees start_21_1 start_21_4 pswitch_closed_le_60 pswitch_closed (0,60] pswitch_open not pswitch_closed pswitch_not_closed not (pswitch_closed and (switch_closed or k1_closed)) pswitch_closed_60

16 Fault Trees start_21_1 start_21_4 pswitch_closed_le_60 pswitch_closed (0,60] pswitch_open not pswitch_closed pswitch_not_closed not (pswitch_closed and (switch_closed or k1_closed)) pswitch_closed_60 pswitch_closed and (k1_closed or switch_closed) [60,60] phase_21_8 not k1_closed and not switch_closed and (pswitch_closed and (k1_closed or switch_closed)) wait1 (0,w) Formal system model in terms of Phase Automata start_20_4 k2_emf_at_coil k2emf (60,w] wait2 pswitch_closed (pswitch_closed and (k1_closed or switch_closed)) (0,60) phase_21_9 not k1_closed and not switch_closed and not (pswitch_closed and (k1_closed or switch_closed)) wait1 (0,w) start_38_4 phase k1_cl tank_obs ==== obs tank : (empty, fill, full, rupture); obs pipe : (flow,noflow); empty noflow and empty start_tank start_timer timer fill or full (0,60] fill flow and fill full flow and full idle empty or rupture tank_timer rupture flow and rupture tank start_pump MC k2_obs ==== obs k2: (k2_closed, k2_open); obs k2power: (k2emf,k2noemf); k2open k2closed not k2emf and not k2_closed k2emf and k2_closed pumping flow and k2_closed idle not flow and not k2_closed failure not flow and k2_closed pswitch_obs ==== obs pswitch : (pswitch_closed, pswitch_open); pump switch_obs ==== obs switch: (switch_closed,switch_open); k2poweroff not ((switch_closed or k1_closed) and (pswitch_closed)) and not k2emf Real-Time and Fault Tree Analysis p.12/17 start_19_3 k2poweron (switch_closed or k1_closed)

17 Fault Trees Formal system model in terms of Phase Automata For every event (based on pattern): Translation: Duration Calculus Formula Phase Automaton Construction of the Complement Automaton MC Real-Time and Fault Tree Analysis p.12/17

18 Fault Trees Formal system model in terms of Phase Automata For every event (based on pattern): Translation: Duration Calculus Formula Phase Automaton Construction of the Complement Automaton start_a start_neg_a (0,w) session (90,w] A not session session (0,90] Automaton for A A start_a start_neg_a (0,w) session (90,w] not session session (0,90] neg_a Automaton for A 1 start_a start_neg_a start_a start_neg_a MC Automaton for B start_a session (0,w) (90,w] Automaton for B (0,w) session (90,w] start_neg_a not session session (0,90] neg_a A not session session (0,90] B (0,w) C start_a session (90,w] (0,w) session (90,w] start_neg_a not session session (0,90] neg_a A not session session (0,90] Automaton for C Automaton for C Real-Time and Fault Tree Analysis p.12/17

19 Fault Trees Formal system model in terms of Phase Automata For every event (based on pattern): Translation: Duration Calculus Formula Phase Automaton Construction of the Complement Automaton Checking all proof obligations by emptiness tests MC Real-Time and Fault Tree Analysis p.12/17

20 Example Afternoon-Session exceeds 1.5h 1 One talk takes more than 30min Technical problems MC Real-Time and Fault Tree Analysis p.13/17

21 Example Afternoon-Session exceeds 1.5h 1 One talk takes more than 30min Technical problems Formalisation of system by set M of Phase Automata MC Real-Time and Fault Tree Analysis p.13/17

22 Example Afternoon-Session exceeds 1.5h 1 One talk takes more than 30min Technical problems MC Formalisation of system by set M of Phase Automata Formalisation of events by formulae. Real-Time and Fault Tree Analysis p.13/17

23 Example Afternoon-Session exceeds 1.5h A L session > One talk takes more than 30min Technical problems B L talk 30 L Tech_ERR C MC Formalisation of system by set M of Phase Automata Formalisation of events by formulae. Real-Time and Fault Tree Analysis p.13/17

24 Example A L session >90 1 B L talk 30 L Tech_ERR C MC Formalisation of system by set M of Phase Automata Formalisation of events by formulae. Phase Automata A A and A A for event A Real-Time and Fault Tree Analysis p.13/17

25 Example A L session >90 start_a start_neg_ 1 (0,w) session (90,w] A not session start_a start_neg_a B L talk 30 L Tech_ERR C (0,w) session (90,w] not session session (0,90] neg_a MC Formalisation of system by set M of Phase Automata Formalisation of events by formulae. Phase Automata A A and A A for event A Real-Time and Fault Tree Analysis p.13/17

26 Example A L session >90 start_a start_neg_ 1 (0,w) session (90,w] A not session start_a start_neg_a B L talk 30 L Tech_ERR C (0,w) session (90,w] not session session (0,90] neg_a MC Formalisation of system by set M of Phase Automata Formalisation of events by formulae. Phase Automata A A and A A for event A and A B, A B, A C, A C for events B and C Real-Time and Fault Tree Analysis p.13/17

27 Example continued Necessary condition M (A (B C)) iff M A A A B A C = /0 Sufficient condition M (A (B C)) iff MC M A A (A B A C ) = /0 Real-Time and Fault Tree Analysis p.14/17

28 Fault Tree guided Case Study Single-Track-Line-Segment MC Real-Time and Fault Tree Analysis p.15/17

29 Fault Tree guided Case Study Single-Track-Line-Segment B 9 S11 S12 S22 B 6 L1 S21 B 2 RCX B 1 IR RCX B 5 L2 B 8 S31 distributed controller RCX B 3 B 4 train RCX S32 B 7 MC Real-Time and Fault Tree Analysis p.15/17

30 Fault Tree guided To verify: No collision of trains on single track MC Real-Time and Fault Tree Analysis p.15/17

31 Fault Tree guided To verify: No collision of trains on single track Typical approach: Checking the whole system with Uppaal (Timed Automata) But too complex for Uppaal. MC Real-Time and Fault Tree Analysis p.15/17

32 Fault Tree guided Fault Tree guided Fault Tree Analysis leads to set of basic events MC Real-Time and Fault Tree Analysis p.16/17

33 Fault Tree guided Fault Tree guided Fault Tree Analysis leads to set of basic events FT-Verification shows: All necessary conditions hold. ( 10 sec for each gate) MC Real-Time and Fault Tree Analysis p.16/17

34 Fault Tree guided Fault Tree guided Fault Tree Analysis leads to set of basic events FT-Verification shows: All necessary conditions hold. ( 10 sec for each gate) Verifying with Uppaal: Basic events can not occur (about 1 h for the hardest one) MC Real-Time and Fault Tree Analysis p.16/17

35 Fault Tree guided Fault Tree guided Fault Tree Analysis leads to set of basic events FT-Verification shows: All necessary conditions hold. ( 10 sec for each gate) Verifying with Uppaal: Basic events can not occur (about 1 h for the hardest one) Collision impossible MC Real-Time and Fault Tree Analysis p.16/17

36 Tool support Further evaluation: Different patterns are needed? Increased model-checking performance? Fault Tree completion from counter examples Considering probabilities MC Real-Time and Fault Tree Analysis p.17/17

Lecture 2. Decidability and Verification

Lecture 2. Decidability and Verification model temporal property Model Checker yes error-trace Advantages Automated formal verification, Effective debugging tool Moderate industrial success In-house groups: