Safety Evaluation with AADLv2

Transcription

1 Safety Evaluation with AADLv2 Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Julien Delange 09/24/2013

2 Agenda Overview of AADL Error-Model Annex Approach for Safety Evaluation Support of Safety Evaluation with AADL Case-Study On-Going Work Discussion 2

3 Agenda Overview of AADL Error-Model Annex Approach for Safety Evaluation Support of Safety Evaluation with AADL Case-Study On-Going Work Discussion 3

4 Error-Model Annex within the AADL ecosystem Reliability Performance Evaluation Code Generation System Validation System Configuration Security Safety ARINC653 Requirements description 4

5 Overview of Error-Model Annex Extension of AADL for fault description: error events, propagations, etc. Integration with current models by extending existing components Draft document to be proposed as a standard annex Support for Safety Evaluation and Analysis 5

6 Error Types and propagations Error types: error classification ValueError Extensions and renaming OutOfRange Inconsistent Error propagations across components Associate errors with system connections Define error sources, sinks and containment Error Source Sink for ValueError & Error Sink of ValueError source for NoData for NoData Sensor ValueError Processing NoData Actuator 6

7 Error behavior States machines Error-related transitions Propagation rules Use of error types Failure (BadData) Normal Failed Recover Failed (NoValue) Composite behavior Define system states according to its parts ex: I am failing if one of my component is failing Subsystem 1 (Normal) Subsystem 2 (Normal) Subsystem 1 (Normal) Subsystem 2 (Failing) 7

8 Specific Error-Model Properties Severity, likelihood, error description Support for generating validation documentation Tailoring for safety standards (ARP4761, MIL-STD-882) 8

9 Agenda Overview of AADL Error-Model Annex Approach for Safety Evaluation Analysis of System Safety with AADL Case-Study On-Going Work Discussion 9

10 Safety Analyses Aircraft-Level FHA Define aircraft failure conditions Allocate failure to system functions Preliminary System Safety Assessment System Functional Hazard Analysis (FHA) System Fault-Tree Analysis (FTA) System Safety Assessment Failure Mode and Effect Analysis Refined FTA with Quantitative Failures Rates System Development Cycle 10

11 Functional Hazard Analysis ARP4761, section 3 Identify and classify functions failure conditions Aircraft or System Level Aircraft, High-Level View Refinement at System Level Input for safety requirements specification Description and specification in FTA, DD or MA Reference of Aircraft Low-Level to System FHA Spreadsheet with reference to functions failures description 11

12 Fault-Tree Analysis ARP4761, section 4.1 Relationship of failure effects and failure modes Initial Failure Mode Reference to system hierarchy Support with Open-Source and Commercial Tools Failure Mode Fault Occurrence 12

13 Markov Chain ARP4761, section 4.1 Evaluation of system behavior over time Probability of being in particular states Analysis and evaluation of fault states Support with Commercial and Open-Source Tools 13

14 Failure Mode and Effect Analysis ARP4761, section 4.2 Impact of Fault at a Higher Levels Start from Function Level to System/Aircraft Level Spreadsheet/textual document 14

15 Agenda Overview of AADL Error-Model Annex Approach for Safety Evaluation Support of Safety Evaluation with AADL Case-Study On-Going Work Discussion 15

16 AADL & Safety Evaluation Tool Overview FHA Spreadsheet FTA CAFTA OpenFTA Markov Chain PRISM FMEA Spreadsheet Use error propagations Use composite behavior Error flows Use error flow Error behavior Error behavior Propagations 16

17 Safety Analysis & AADL Preliminary System Safety Assessment (PSSA) support High-level component, interfaces from the OEM Automatic generation of validation materials (FHA, FTA) System Safety Assessment (SSA) support Use refined models from suppliers Enhancement of error specifications Support of quantitative safety analysis (FTA, FMEA, MA) System Development Cycle 17

18 Evolution of Safety Analysis process with AADL Preliminary System Safety Assessment Component types (system interfaces) Component implementation Validation Materials (FHA, FTA) Check PSSA and SSA consistencies Validation with quantitative fault rates (FMEA, FTA, DD, MA) Refinement & development evolution System Safety Assessment 18

19 Functional Hazard Analysis Support Use of component error behavior Error propagations rules Internal error events FHA Specify initial failure mode Define error description and related information Create spreadsheet containing FHA elements To be reused by commercial or open-source tools 19

20 Fault-Tree Analysis Support Use of composite error behavior FTA nodes FTA Use of component error behavior Incoming error events Walk through the components hierarchy Generate the complete fault-tree Focus on specific AADL subcomponents Export to several tools Commercial: CAFTA Open-Source: OpenFTA 20

21 Markov-Chain Support Use of component error behavior Error propagations rules Error transitions Markov Chain Map states and error types into specific values Tool-specific approach Ability to evaluate system state over time What is the probability my system is failing within 30 days? Export to open-source tools, PRISM 21

22 Failure Mode and Effects Support Use of component error behavior Error propagations rules (source, sink, etc.) Internal error events FMEA Traverse all error paths Record impact over the components hierarchy Use error description and related information Create spreadsheet containing FHA elements To be reused by commercial or open-source tools 22

23 Reliability Block Diagram aka ARP4761 Dependence Diagram (DD) Use of composite error behavior Error propagations rules (source, sink, etc.) Internal error events RDB Compute reliability of the Dependence Diagram Use of recover and failure events Overall probability of system failure Support in OSATE (built-in) 23

24 Agenda Overview of AADL Error-Model Annex Approach for Safety Evaluation Support of Safety Evaluation with AADL Case-Study On-Going Work Discussion 24

25 Wheel Brake System Development of a public model Use of Error-Model and ARINC annexes Relevance for the avionics community Reuse for SAVI Provide support for the AFE61 demo Apply the technology/toolset on a known example Generation of FHA, FTA, MA & FMEA 25

26 AADL model root system NoService NoPower NoPressure InvalidReport Software and/or RuntimeError 26

27 AADL model, BSCU variations 27

28 FHA of the root system 28

29 FTA of the root system Focus on a specific AADL subcomponent 29

30 FTA of the BSCU subcomponent 30

31 FMEA of the root system Current State Out propagation Propagation path Out propagation or error containment Component 1 Component 2 31

32 Agenda Overview of AADL Error-Model Annex Approach for Safety Evaluation Support of Safety Evaluation with AADL Case-Study On-Going Work Discussion 32

33 Consistency Checks Consistency at integration time Consistency between models from different suppliers Strengthen the Virtual Integration promoted by SAVI Consistency of the internal model ex: Can I propagate this error according to my actual state? Consistency across error models specifications Component Error Behavior with Composite Error Behavior Correctness of a state according to subcomponents Error information with Behavior information 33

34 Providing Modeling Guidance Improve tooling aspects Help engineers to use the toolset Enhance tool support & functions Release documentation Technical report, webinar or other media Modeling best practices & AADL patterns Guidance for using tools To be published in 2013 Customer training, consulting services for specific needs 34

35 Agenda Overview of AADL Error-Model Annex Approach for Safety Evaluation Support of Safety Evaluation with AADL Case-Study Case-Study Discussion 35

36 Contact Presenter / Point of Contact Dr. Julien Delange Telephone: jdelange@sei.cmu.edu U.S. Mail Software Engineering Institute Customer Relations 4500 Fifth Avenue Pittsburgh, PA USA Web Customer Relations info@sei.cmu.edu Telephone: SEI Phone: SEI Fax:

37 Copyright 2013 Carnegie Mellon University This material is based upon work funded and supported by the Department of Defense under Contract No. FA C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN AS-IS BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. This material has been approved for public release and unlimited distribution. This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu. DM