Analyzing safety and fault tolerance using time Petri nets

The application of time Petri net modelling and analysis techniques to safety-critical real-time systems is explored and procedures described which allow analysis of safety, recoverability, and fault tolerance. These procedures can be used to help determine software requirements, to guide the use of fault detection and recovery procedures, to determine conditions which require immediate miti gating action to prevent accidents, etc. Thus it is possible to establish important properties duing the synthesis of the system and software design instead of using guesswork and costly a posteriori analysis

A methodology for the requirements analysis of critical real-time systems

PhD ThesisThis thesis describes a methodology for the requirements analysis of critical real-time systems. The methodology is based on formal methods, and provides a systematic way in which requirements can be analysed and specifications produced. The proposed methodology consists of a framework with distinct phases of analysis, a set oftechniques appropriate for the issues to be analysed at each phase of the framework, a hierarchical structure of the specifications obtained from the process of analysis, and techniques to perform quality assessment of the specifications. The phases of the framework, which are abstraction levels for the analysis of the requirements, follow directly from a general structure adopted for critical real-time systems. The intention is to define abstraction levels, or domains, in which the analysis of requirements can be performed in terms of specific properties of the system, thus reducing the inherent complexity of the analysis. Depending on the issues to be analysed in each domain, the choice of the appropriate formalism is determined by the set of features, related to that domain, that a formalism should possess. In this work, instead of proposing new formalisms we concentrate on identifying and enumerating those features that a formalism should have. The specifications produced at each phase of the framework are organised by means of a specification hierarchy, which facilitates our assessment of the quality of the requirements specifications, and their traceability. Such an assessment should be performed by qualitative and quantitative means in order to obtain high confidence (assurance) that the level of safety is acceptable. In order to exemplify the proposed methodology for the requirements analysis of critical real-time systems we discuss a case study based on a crossing of two rail tracks (in a model railway), which raises safety issues that are similar to those found at a traditional level crossing (i.e. rail-road)CAPES/Ministry of Education (Brazil

Advanced flight control system study

A fly by wire flight control system architecture designed for high reliability includes spare sensor and computer elements to permit safe dispatch with failed elements, thereby reducing unscheduled maintenance. A methodology capable of demonstrating that the architecture does achieve the predicted performance characteristics consists of a hierarchy of activities ranging from analytical calculations of system reliability and formal methods of software verification to iron bird testing followed by flight evaluation. Interfacing this architecture to the Lockheed S-3A aircraft for flight test is discussed. This testbed vehicle can be expanded to support flight experiments in advanced aerodynamics, electromechanical actuators, secondary power systems, flight management, new displays, and air traffic control concepts

DESIGN OF OPTIMAL PROCEDURAL CONTROLLERS FOR CHEMICAL PROCESSES MODELLED AS STOCHASTIC DISCRETE EVENT SYSTEMS

This thesis presents a formal method for the the design of optimal and provably correct procedural controllers for chemical processes modelled as Stochastic Discrete Event Systems (SDESs). The thesis extends previous work on Procedural Control Theory (PCT) [1], which used formal techniques for the design of automation Discrete Event Systems (DESs). Many dynamic processes for example, batch operations and the start-up and shut down of continuous plants, can be modelled as DESs. Controllers for these systems are typically of the sequential type. Most prior work on characterizing the behaviour of DESs has been restricted to deterministic systems. However, DESs consisting of concurrent interacting processes present a broad spectrum of uncertainty such as uncertainty in the occurrence of events. The formalism of weighted probabilistic Finite State Machine (wp-FSM) is introduced for modelling SDESs and pre-de ned failure models are embedded in wp-FSM to describe and control the abnormal behaviour of systems. The thesis presents e cient algorithms and procedures for synthesising optimal procedural controllers for such SDESs. The synthesised optimal controllers for such stochastic systems will take into consideration probabilities of events occurrence, operation costs and failure costs of events in making optimal choices in the design of control sequences. The controllers will force the system from an initial state to one or more goal states with an optimal expected cost and when feasible drive the system from any state reached after a failure to goal states. On the practical side, recognising the importance of the needs of the target end user, the design of a suitable software implementation is completed. The potential of both the approach and the supporting software are demonstrated by two industry case studies. Furthermore, the simulation environment gPROMS was used to test whether the operating speci cations thus designed were met in a combined discrete/continuous environment

Perfomance Analysis and Resource Optimisation of Critical Systems Modelled by Petri Nets

Un sistema crítico debe cumplir con su misión a pesar de la presencia de problemas de seguridad. Este tipo de sistemas se suele desplegar en entornos heterogéneos, donde pueden ser objeto de intentos de intrusión, robo de información confidencial u otro tipo de ataques. Los sistemas, en general, tienen que ser rediseñados después de que ocurra un incidente de seguridad, lo que puede conducir a consecuencias graves, como el enorme costo de reimplementar o reprogramar todo el sistema, así como las posibles pérdidas económicas. Así, la seguridad ha de ser concebida como una parte integral del desarrollo de sistemas y como una necesidad singular de lo que el sistema debe realizar (es decir, un requisito no funcional del sistema). Así pues, al diseñar sistemas críticos es fundamental estudiar los ataques que se pueden producir y planificar cómo reaccionar frente a ellos, con el fin de mantener el cumplimiento de requerimientos funcionales y no funcionales del sistema. A pesar de que los problemas de seguridad se consideren, también es necesario tener en cuenta los costes incurridos para garantizar un determinado nivel de seguridad en sistemas críticos. De hecho, los costes de seguridad puede ser un factor muy relevante ya que puede abarcar diferentes dimensiones, como el presupuesto, el rendimiento y la fiabilidad. Muchos de estos sistemas críticos que incorporan técnicas de tolerancia a fallos (sistemas FT) para hacer frente a las cuestiones de seguridad son sistemas complejos, que utilizan recursos que pueden estar comprometidos (es decir, pueden fallar) por la activación de los fallos y/o errores provocados por posibles ataques. Estos sistemas pueden ser modelados como sistemas de eventos discretos donde los recursos son compartidos, también llamados sistemas de asignación de recursos. Esta tesis se centra en los sistemas FT con recursos compartidos modelados mediante redes de Petri (Petri nets, PN). Estos sistemas son generalmente tan grandes que el cálculo exacto de su rendimiento se convierte en una tarea de cálculo muy compleja, debido al problema de la explosión del espacio de estados. Como resultado de ello, una tarea que requiere una exploración exhaustiva en el espacio de estados es incomputable (en un plazo prudencial) para sistemas grandes. Las principales aportaciones de esta tesis son tres. Primero, se ofrecen diferentes modelos, usando el Lenguaje Unificado de Modelado (Unified Modelling Language, UML) y las redes de Petri, que ayudan a incorporar las cuestiones de seguridad y tolerancia a fallos en primer plano durante la fase de diseño de los sistemas, permitiendo así, por ejemplo, el análisis del compromiso entre seguridad y rendimiento. En segundo lugar, se proporcionan varios algoritmos para calcular el rendimiento (también bajo condiciones de fallo) mediante el cálculo de cotas de rendimiento superiores, evitando así el problema de la explosión del espacio de estados. Por último, se proporcionan algoritmos para calcular cómo compensar la degradación de rendimiento que se produce ante una situación inesperada en un sistema con tolerancia a fallos

Tools and Algorithms for the Construction and Analysis of Systems

This book is Open Access under a CC BY licence. The LNCS 11427 and 11428 proceedings set constitutes the proceedings of the 25th International Conference on Tools and Algorithms for the Construction and Analysis of Systems, TACAS 2019, which took place in Prague, Czech Republic, in April 2019, held as part of the European Joint Conferences on Theory and Practice of Software, ETAPS 2019. The total of 42 full and 8 short tool demo papers presented in these volumes was carefully reviewed and selected from 164 submissions. The papers are organized in topical sections as follows: Part I: SAT and SMT, SAT solving and theorem proving; verification and analysis; model checking; tool demo; and machine learning. Part II: concurrent and distributed systems; monitoring and runtime verification; hybrid and stochastic systems; synthesis; symbolic verification; and safety and fault-tolerant systems

Supervisory Control and Analysis of Partially-observed Discrete Event Systems

Nowadays, a variety of real-world systems fall into discrete event systems (DES). In practical scenarios, due to facts like limited sensor technique, sensor failure, unstable network and even the intrusion of malicious agents, it might occur that some events are unobservable, multiple events are indistinguishable in observations, and observations of some events are nondeterministic. By considering various practical scenarios, increasing attention in the DES community has been paid to partially-observed DES, which in this thesis refer broadly to those DES with partial and/or unreliable observations. In this thesis, we focus on two topics of partially-observed DES, namely, supervisory control and analysis. The first topic includes two research directions in terms of system models. One is the supervisory control of DES with both unobservable and uncontrollable events, focusing on the forbidden state problem; the other is the supervisory control of DES vulnerable to sensor-reading disguising attacks (SD-attacks), which is also interpreted as DES with nondeterministic observations, addressing both the forbidden state problem and the liveness-enforcing problem. Petri nets (PN) are used as a reference formalism in this topic. First, we study the forbidden state problem in the framework of PN with both unobservable and uncontrollable transitions, assuming that unobservable transitions are uncontrollable. For ordinary PN subject to an admissible Generalized Mutual Exclusion Constraint (GMEC), an optimal on-line control policy with polynomial complexity is proposed provided that a particular subnet, called observation subnet, satisfies certain conditions in structure. It is then discussed how to obtain an optimal on-line control policy for PN subject to an arbitrary GMEC. Next, we still consider the forbidden state problem but in PN vulnerable to SD-attacks. Assuming the control specification in terms of a GMEC, we propose three methods to derive on-line control policies. The first two lead to an optimal policy but are computationally inefficient for large-size systems, while the third method computes a policy with timely response even for large-size systems but at the expense of optimality. Finally, we investigate the liveness-enforcing problem still assuming that the system is vulnerable to SD-attacks. In this problem, the plant is modelled as a bounded PN, which allows us to off-line compute a supervisor starting from constructing the reachability graph of the PN. Then, based on repeatedly computing a more restrictive liveness-enforcing supervisor under no attack and constructing a basic supervisor, an off-line method that synthesizes a liveness-enforcing supervisor tolerant to an SD-attack is proposed. In the second topic, we care about the verification of properties related to system security. Two properties are considered, i.e., fault-predictability and event-based opacity. The former is a property in the literature, characterizing the situation that the occurrence of any fault in a system is predictable, while the latter is a newly proposed property in the thesis, which describes the fact that secret events of a system cannot be revealed to an external observer within their critical horizons. In the case of fault-predictability, DES are modeled by labeled PN. A necessary and sufficient condition for fault-predictability is derived by characterizing the structure of the Predictor Graph. Furthermore, two rules are proposed to reduce the size of a PN, which allow us to analyze the fault-predictability of the original net by verifying that of the reduced net. When studying event-based opacity, we use deterministic finite-state automata as the reference formalism. Considering different scenarios, we propose four notions, namely, K-observation event-opacity, infinite-observation event-opacity, event-opacity and combinational event-opacity. Moreover, verifiers are proposed to analyze these properties

Measurements, Models, Systems and Design

531 s.