CIS 890: High-Assurance Systems

Similar documents
Illustrating the AADL Error Modeling Annex (v. 2) Using a Simple Safety-Critical Medical Device

SAE AADL Error Model Annex: Discussion Items

AEROSPACE STANDARD. SAE Architecture Analysis and Design Language (AADL) Annex Volume 3: Annex E: Error Model Annex RATIONALE

SAE AADL Error Model Annex: An Overview

AEROSPACE STANDARD. SAE Architecture Analysis and Design Language (AADL) Annex Volume 3: Annex E: Error Model Annex RATIONALE

AADL Fault Modeling and Analysis Within an ARP4761 Safety Assessment

CIS 890: Safety-Critical Systems

CIS 771: Software Specifications. Lecture: Alloy Whirlwind Tour (part A)

Error Model Annex Revision

Analytical Architecture Fault Models

Dependability Modeling Based on AADL Description (Architecture Analysis and Design Language)

AADL Requirements Annex Review

AADL v2.1 errata AADL meeting Sept 2014

Improving Quality Using Architecture Fault Analysis with Confidence Arguments

OSATE Analysis Support

CIS 771: Software Specifications. Lecture: Alloy Logic (part D)

ExCuSe A Method for the Model-Based Safety Assessment of Simulink and Stateflow Models

Automatic Generation of Static Fault Trees from AADL Models

Software Model Checking: Theory and Practice

Test and Evaluation of Autonomous Systems in a Model Based Engineering Context

Functional Safety and Safety Standards: Challenges and Comparison of Solutions AA309

Software Model Checking: Theory and Practice

State-Based Testing Part B Error Identification. Generating test cases for complex behaviour

Distributed Systems (ICE 601) Fault Tolerance

Architecture Analysis and Design Language (AADL) Part 2

Chapter 11, Testing. Using UML, Patterns, and Java. Object-Oriented Software Engineering

A System Dependability Modeling Framework Using AADL and GSPNs

Update on AADL Requirements Annex

TSW Reliability and Fault Tolerance

22c:181 / 55:181 Formal Methods in Software Engineering

Fault Propagation and Transformation: A Safety Analysis. Malcolm Wallace

Error Model Meta Model and Plug-in

Chapter 8 Fault Tolerance

Deriving safety requirements according to ISO for complex systems: How to avoid getting lost?

Contract-based design, model checking, and model-based safety assessment

COMPASS. COMPASS Tutorial. Correctness, Modeling, and Performance of Aerospace Systems. Version 3.0

AADL Webinar. Carnegie Mellon University Notices Architecture Analysis with AADL The Speed Regulation Case-Study... 4

COMPASS: FORMAL METHODS FOR SYSTEM-SOFTWARE CO-ENGINEERING

Modeling the Implementation of Stated-Based System Architectures

Fault Tolerance. Chapter 7

Model-based Architectural Verification & Validation

CIS 890: Safety Critical Systems

HART Temperature Transmitter for up to SIL 2 applications

Distributed Systems COMP 212. Lecture 19 Othon Michail

COMPASS GRAPHICAL MODELLER

Rationale and Architecture Principles for Medical Application Platforms

Chapter 8 Fault Tolerance

Failure Tolerance. Distributed Systems Santa Clara University

Last Class: Clock Synchronization. Today: More Canonical Problems

CprE Fault Tolerance. Dr. Yong Guan. Department of Electrical and Computer Engineering & Information Assurance Center Iowa State University

CIS 771: Software Specifications. Lecture 4: More Alloy Basics

Fault Tolerance. Distributed Software Systems. Definitions

Fault Tolerance. Distributed Systems. September 2002

Motivation State Machines

CIS 771: Software Specifications. Lecture 14: Advanced OCL Expressions

SOFTWARE ENGINEERING DECEMBER. Q2a. What are the key challenges being faced by software engineering?

Complexity-Reducing Design Patterns for Cyber-Physical Systems. DARPA META Project. AADL Standards Meeting January 2011 Steven P.

Pattern-Based Analysis of an Embedded Real-Time System Architecture

Architecture-led Diagnosis and Verification of a Stepper Motor Controller

CIS 890: Safety Critical Systems

CIS 771: Software Specifications

DATA ITEM DESCRIPTION

HART Temperature Transmitter for up to SIL 2 applications

Software Verification and Validation (VIMMD052) Introduction. Istvan Majzik Budapest University of Technology and Economics

CSE 5306 Distributed Systems. Fault Tolerance

Fault Tolerance. Basic Concepts

SySTEMA. SYstem & Safety Tool for Executing Model-based Analyses

The Calibration of Smart Instrumentation A Better Way

An Information Model for High-Integrity Real Time Systems

A Multi-Modal Composability Framework for Cyber-Physical Systems

Contemporary Design. Traditional Hardware Design. Traditional Hardware Design. HDL Based Hardware Design User Inputs. Requirements.

Integrating Cyber Security and Safety Systems Engineering Disciplines with a common Code of Practice

Methods and Tools for Embedded Distributed System Timing and Safety Analysis. Steve Vestal Honeywell Labs

SOFTWARE TOOL FOR AUTOMATED FAILURE MODES AND EFFECTS ANALYSIS (FMEA) OF HYDRAULIC SYSTEMS

Test Driven Development Building a fortress in a greenfield (or fortifying an existing one) Dr. Hale University of Nebraska at Omaha

DATA ITEM DESCRIPTION

CS SOFTWARE ENGINEERING QUESTION BANK SIXTEEN MARKS

Safety and Reliability of Embedded Systems. (Sicherheit und Zuverlässigkeit eingebetteter Systeme) Safety and Reliability Analysis Models: Overview

Failure Modes, Effects and Diagnostic Analysis

Knowledge-based Systems for Industrial Applications

CS:5810 Formal Methods in Software Engineering

Safety and Reliability of Software-Controlled Systems Part 14: Fault mitigation

Module 8 Fault Tolerance CS655! 8-1!

Lecture 5 STRUCTURED ANALYSIS. PB007 So(ware Engineering I Faculty of Informa:cs, Masaryk University Fall Bühnová, Sochor, Ráček

Report. Certificate Z Rev. 00. SIMATIC Safety System

The PCA Interlock App in AADL!

Distributed Systems Fault Tolerance

Module 8 - Fault Tolerance

Temperature and humidity module DHT11 Product Manual

Dep. Systems Requirements

Statechart to C++ Mapping

CSE380 - Operating Systems

Syllabus Instructors:

Myron Hecht, Alex Lam, Chris Vogl, Presented to 2011 UML/AADL Workshop Las Vegas, NV. April, 2011

Investigation of System Timing Concerns in Embedded Systems: Tool-based Analysis of AADL Models

IEC/TR : (E)

Unified Modeling Language 2

Introduction to Software Fault Tolerance Techniques and Implementation. Presented By : Hoda Banki

Fault Tolerance Part I. CS403/534 Distributed Systems Erkay Savas Sabanci University

Dependability Modelling using AADL and the AADL Error Model Annex

Transcription:

CIS 890: High-Assurance Systems Hazard Analysis Lecture: Error Modeling Annex Version 2 - Introduction Copyright 2016, John Hatcliff, Hariharan Thiagarajan. The syllabus and all lectures for this course are copyrighted materials and may not be used in other course settings outside of Kansas State University in their current form or modified form without the express written permission of one of the copyright holders. During this course, students are prohibited from selling notes to or being paid for taking notes by any person or commercial firm without the express written permission of one of the copyright holders. CIS 890 -- Isolette Example

Motivation Why learn EMV2?! Hands on experience with Hazard Analysis! Based on existing modeling language (AADL)! Can discuss various safety issues in Medical devices (Isolette)! Safety Documents can be generated (FTA, FMEA, STPA)

What is EMV2?! AADL annex to support hazard analysis Why to use EMV2?! Quantitative and qualitative assessment of system dependability! Architecture fault modeling! Alternate system architecture can be explored! Changes are consistently propagated and reflected! Hazard analysis can be incrementally performed

Motivating Scenario System as composition of components! Virtual integration Early identification of assumption mismatch: Temperature in Celsius vs Temperature in Fahrenheit Isolette Nurse Operator Interface Incorrect Temperature Reading Temperature Sensor Current Temperature Operator Settings Operator Feedback Incorrect control Thermostat Control Source Air Harm Infant

Terminologies Abstract Error Type Refined types may be: Low Reading - less than the expected value High Reading Greater than the expected value Nurse Error Flow Isolette Operator Interface Incorrect Temperature Reading Temperature Sensor Current Temperature Operator Settings Operator Feedback Incorrect control Thermostat Control Source Error Source Air Harm Error Propagation Infant

Design change to mitigate error! Errors can be eliminated by alternate design Nurse What if both sensors produces incorrect reading at the same time? Redundant sensor to mitigate incorrect reading Incorrect Temperature Reading Isolette Temperature Sensor 1 Temperature Sensor 2 Current Temperature Operator Interface Operator Settings Thermostat Air Operator Feedback Control Thermostat ignores inconsistent sensor readings Source EMV2 allows specifying the how probable for both sensors to fail at the same time. Two different Temperature reading Infant Thermostat acts as a sink and safely ignores the error

Language Concepts in EMV2! Error Type system! Flexible error type system! Pre-declared error type hierarchies! Three levels of architecture fault modeling! Fault Propagation! Component Error Behavior! Composite Error Behavior

Error Type : Identification Software Bug Hardware Bug No data High Value Late Value Current Temperature Thermostat Control Bad control No Service Deterioration Cosmic Ray! Different ways in which a component may fail! How faults in one component can impact other components

Error Type! An error type represents! Category of faults arising in a certain component! Category of error being propagated! Category of error represented by error behavior state! Ability to organize these errors! Error type library! Error Hierarchy! Predefined set of error types as starting point Similar to object-oriented languages with inheritance

Error Type : Custom Error Library! Create custom error type to a particular domain / application! Completely new hierarchy! Extend existing hierarchy! Rename pre-defined types EMV2 Custom Error definitions for Isolette New Error type Extending existing error type Renames a error type to Isolette

Annotation Model with Error Types Late Component C ValueError p1 p2 Late Error Propagation port! Error propagation and containment are associated with interaction points eg: ports, bus, binding points etc.! Error source: component in which error originates! Error path and sink specifies how components respond to incoming errors

Error Propagation! Error propagation is like a error contract for a component! It specifies the set of errors a particular port can handle Port P1 can handle NoData Port P2 can handle BadValue and NoData but not LateData

Error Propagation : Isolette Port with in/out specifies the direction of information flow Error Propagation: Specifies the set of errors a port can handle Error Sink: Specifies OutOfRange error is detected and suppressed ie. Not further propagated Error Path: Specifies how an incoming error is transformed into outgoing error

Component Fault and Recovery Behavior Component Temperature sensor ValueError Operational Failed Error Propagation port State Event Transistion Propagation condition! Fault occurrences and failure modes within a component! Event or incoming error may trigger transitions! Three types of Events! Error event! Recovery event! Repair event! Propagation condition specifies at which mode a component may produce error or transform error

Error State Machines! Define error state machines in Error Library! Use them in components! use behavior Isolette_Errors::FailStop; fail working failed

Composite Behavior Complex Temperature Sensor TS1 Operational Failed TS1.Failed and TS2.Failed -> Failed Operational Failed Operational TS2 Failed Complex Temperature Sensor! Error behavior of a system in terms of its subsystem behavior! Abstract the sub-component behavior

Composite Behavior! Similar to component error states, define states in error library! Use it to define the error behavior of a system/component! In terms of its sub-components Subcomponents of temperature sensor

Summary! Architecture-centric hazard analysis! Incremental design and evaluation! Error Types! Error Propagation! Component and Composite behavior

Terminologies Abstract Error Type Refined types may be: Low Reading - less than the expected value High Reading Greater than the expected value Nurse Error Flow Isolette Operator Interface Incorrect Temperature Reading Temperature Sensor Current Temperature Operator Settings Operator Feedback Incorrect control Thermostat Control Source Error Source Air Harm Error Propagation Infant

Fault Propagation! Error propagation and containment are associated with interaction points eg: ports, bus, binding points etc.! Error types are the different faults being propagated! Error source: component in which error originates! Error path and sink specifies how components respond to incoming errors

Language Concepts in EMV2! Error Type system! Error types to characterize faults (source of error)! Predefined set of error types! Extendable and flexible to adapt! Fault Propagation! Propagation of faults and their impact between components, systems and environment! Component Behavior! Error states and transitions! Error trigger events! Error propagation and transformation! Consistency between various HAT(FTA, FHA, FMEA)! Alternate system architecture can be explored! Changes are consistently propagated and reflected! Hazard analysis can be incrementally performed

Isolette Model Nurse Isolette Operator Interface Operator Settings Operator Feedback Temperature Sensor Current Temperature Thermostat Control Source Air Infant AADL-integrated STPA for ICE Apps

vs STPA AADL:EMV2 STPA! AADL Architecture! Connections! Error Types! Control Structure! Control Action! Hazard Causes AADL-integrated STPA for ICE Apps

EMV2 Definitions Fault Error Failure Actual cause of a hazard Difference in state from the correct state Deviation in behavior from a nominal specification AADL-integrated STPA for ICE Apps

Error Type System EMV2 provides a flexible and hierarchical type system Different hierarchical error types! Value Errors! Timing Errors! Service Errors AADL-integrated STPA for ICE Apps

Error Type System! Error is defined as the difference in state from the correct state.! In EMV2 Error types are treated as a type set with a single element type Service! A service S is defined as a sequence of n service items si with n > 0! A service item si is a pair (vi, di), where! vi is the value of the service and! di is the delivery time of the service AADL-integrated STPA for ICE Apps

No Error! A service item(si) is defined as correct when! vi Vi and di Di, where! Vi is the correct range of values for vi, and! Di is the correct range of delivery time for di! Challenge is knowing the correct values for a service item! For analysis: Assume there exist an oracle/application domain function providing correct values for si! Implementation: Redundant systems to identify correct values! Note: There is no EMV2 type for No Error, the empty error typeset represents the absence of error AADL-integrated STPA for ICE Apps

Value Error Hierarchy Value Error Detectable Value Error Undetectable Value Error OutOfBound OutOfRange BelowRange AboveRange! Value Error: s i S v i V i! OutOfRange: Values that are outside of a component s specification! OutOfBound: The current item s value is above or below the acceptable range of values AADL-integrated STPA for ICE Apps

Custom Error Types! Custom error types can be created in EMV2! To provide meaningful errors with respect to a component! Eg. HotAir vs AboveRange for Thermometer! Three ways to create custom error types in EMV2! Completely new hierarchy! Extending an existing hierarchy! Renaming an existing error type TimingError: type; EarlyDelivery: type extends TimingError; LateDelivery: type extends TimingError; ValueError: type; UndetectableValueError: type extends ValueError; BenignValueError: type extends ValueError; OutOfRange: type extends BenignValueError; OutOfBounds: type extends BenignValueError; BelowRange: type extends OutOfRange; AboveRange: type extends OutOfRange; AADL-integrated STPA for ICE Apps New error types by extending existing type

Component Error Propagation! Error propagation is like a error contract for the component! It specifies the set of errors a particular port can handle Port P1 can handle NoData Port P2 can handle BadValue and NoData but not LateData AADL-integrated STPA for ICE Apps

Component Error Propagation! Informs the set of possible incoming and outgoing errors! It doesn t matter where the error originates! Observing only at the boundary of a component! In practice the there are derived from device specification Port P1 can handle NoData annex EMV2 {** use types ErrorLibrary; error propagations P1: in propagation {NoData} ; P2: out propagation {NoData, BadValue}; P2: not out propagation {LateData}; end propagations; **}; Port P2 can handle BadValue and NoData but not LateData AADL-integrated STPA for ICE Apps

Consistency in Error Propagation! To integrate two components A and B! If there exist a connection from port A.P1 to port B.P2, then e ErrorSet(A.P1) e ErrorSet(B.P2)! Eg: Temperature sensor produces error OutOfBound and UndetectableValueError! Also part of in propagation of Thermostat, therefore it is consistent Unspecified Unspecified Unspecified Outgoing Propagation Not propagated Not propagated Propagated Propagated Propagated Component A P2 P1 Incoming Propagation Not propagated Propagated Propagated Not propagated Unspecified Component B Unspecified Component Temperature sensor Current_temperature Current_temperature Component Thermostat OutOfRange OutOfRange UndetectableValueError UndetectableValueError AADL-integrated STPA for ICE Apps

Error Flow! Specifies the relation between input and output ports! It captures the error flow within a component! Error flow can be! Source Origin of an error! Sink Containment / Suspension of error! Path Transmission of error through component Flow mode Port Error Type Set AADL-integrated STPA for ICE Apps

Error Flow : Path! Describes the flow of error through a component! Propagation : Error A from in port is passed to out port! Transformation : Error A from in port is modified to error B and passed to out port All three path represents transformation AADL-integrated STPA for ICE Apps

Component Error Behavior! Error flow of dependents on the state of the component! Error flow may be constrained based on the component state! Three types of Behaviors:! Error behavior! Repair/mitigation behavior! Recovery behavior! State transitions are triggered by error events and incoming error! Similarly outgoing errors can be specified in terms of current state and incoming error! Detected errors are mapped to a specific logging port with a error message/code AADL-integrated STPA for ICE Apps

Component Error Behavior! Error behavior FailStop used in Isolette error detection mechanism Behavior name Exactly one state acts as the initial state Error Events! FailStop behavior :! When the component is in Working state the fail even may trigger state transition to failed state AADL-integrated STPA for ICE Apps

Component Error Detection! When an error is detected, the system may raise alarm or log error! Component error behavior is used to specify detection condition The above specifies, when the component is in failed state, sends out an event through internal_failure port to raise alarm AADL-integrated STPA for ICE Apps

Composite Behavior! Component s error behavior is specified in terms of its subcomponent Error states of the component Isolette Error Types Composite behavior: a constraint on the subcomponent s states to decide the component s state AADL-integrated STPA for ICE Apps

AADL-integrated STPA for ICE Apps

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback