    Causality and Temporal Dependencies in the Design of Fault Management Systems

    Reasoning about causes and effects naturally arises in the engineering of safety-critical systems. A classical example is Fault Tree Analysis, a deductive technique used for system safety assessment, whereby an undesired state is reduced to the set of its immediate causes. The design of fault management systems also requires reasoning on causality relationships. In particular, a fail-operational system needs to ensure timely detection and identification of faults, i.e. recognize the occurrence of run-time faults through their observable effects on the system. Even more complex scenarios arise when multiple faults are involved and may interact in subtle ways. In this work, we propose a formal approach to fault management for complex systems. We first introduce the notions of fault tree and minimal cut sets. We then present a formal framework for the specification and analysis of diagnosability, and for the design of fault detection and identification (FDI) components. Finally, we review recent advances in fault propagation analysis, based on the Timed Failure Propagation Graphs (TFPG) formalism.

    Comment: In Proceedings CREST 2017, arXiv:1710.0277

    Many-to-Many Information Flow Policies

    Information flow techniques typically classify information according to suitable security levels and enforce policies that are based on binary relations between individual levels, e.g., stating that information is allowed to flow from one level to another. We argue that some information flow properties of interest naturally require coordination patterns that involve sets of security levels rather than individual levels: some secret information could be safely disclosed to a set of confidential channels of incomparable security levels, with individual leaks considered instead illegal; a group of competing agencies might agree to disclose their secrets, with individual disclosures being undesired, etc. Motivated by this, we propose a simple language for expressing information flow policies where the usual admitted flow relation between individual security levels is replaced by a relation between sets of security levels, thus allowing it to capture coordinated flows of information. The flow of information is expressed in terms of causal dependencies, and the satisfaction of a policy is defined with respect to an event structure that is assumed to capture the causal structure of system computations. We suggest applications to secret exchange protocols, program security and security architectures, and discuss the relation to classic notions of information flow control.

    Fault Trees from Data: Efficient Learning with an Evolutionary Algorithm

    Cyber-physical systems come with increasingly complex architectures and failure modes, which complicates the task of obtaining accurate system reliability models. At the same time, with the emergence of the (industrial) Internet-of-Things, systems are more and more often being monitored via advanced sensor systems. These sensors produce large amounts of data about the components' failure behaviour, and can, therefore, be fruitfully exploited to learn reliability models automatically. This paper presents an effective algorithm for learning a prominent class of reliability models, namely fault trees, from observational data. Our algorithm is evolutionary in nature; i.e., it is an iterative, population-based, randomized search method among fault-tree structures that are increasingly more consistent with the observational data. We have evaluated our method on a large number of case studies, both on synthetic data and on industrial data. Our experiments show that our algorithm outperforms other methods and provides near-optimal results.

    Comment: This paper is an extended version of the SETTA 2019 paper, Springer-Verla

    Causality Analysis and Fault Ascription in Component-Based Systems

    This article introduces a general framework for fault ascription, which consists in identifying, within a multi-component system, the components whose faulty behavior has caused the failure of said system. Our framework uses configuration structures as a general semantical model to handle truly concurrent executions, and partial and distributed observations, in a uniform way. We define a set of expected properties for counterfactual analysis, and present a refined analysis that conforms to our requirements. This contrasts with the current practice of evaluating definitions of counterfactual causality a posteriori on a set of toy examples. As an early study of the behavior of our analysis under abstraction, we establish its monotonicity under refinement.

    This article introduces a general framework for fault ascription, which consists in identifying, within a component-based system, the components whose incorrect behavior has caused the malfunction of the system. We define a set of expected properties of counterfactual analysis, and we present a refined analysis that satisfies these requirements. This contrasts with the common practice of evaluating definitions of counterfactual causality a posteriori on a set of toy examples. We establish the monotonicity of our analysis under different notions of refinement.

    RiskStructures : A Design Algebra for Risk-Aware Machines

    Machines, such as mobile robots and delivery drones, incorporate controllers responsible for a task while handling risk (e.g. anticipating and mitigating hazards, and preventing and alleviating accidents). We refer to machines with this capability as risk-aware machines. Risk awareness includes robustness and resilience, and complicates monitoring (i.e., introspection, sensing, prediction), decision making, and control. From an engineering perspective, risk awareness adds a range of dependability requirements to system assurance. Such assurance mandates a correct-by-construction approach to controller design, based on mathematical theory. We introduce RiskStructures, an algebraic framework for risk modelling intended to support the design of safety controllers for risk-aware machines. Using the concept of a risk factor as a modelling primitive, this framework provides facilities to construct, examine, and assure these controllers. We prove desirable algebraic properties of these facilities, and demonstrate their applicability by using them to specify key aspects of safety controllers for risk-aware automated driving and collaborative robots.

    Probabilistic Fault Tree Synthesis using Causality Computation

    Abstract. In recent years, several approaches to generate probabilistic counterexamples have been proposed. The interpretation of probabilistic counterexamples, however, continues to be problematic since they have to be represented as sets of paths, and the number of paths in this set may be very large. Fault trees (FTs) are a well-established industrial technique to represent causalities for possible system hazards resulting from system or system component failures. In this paper we extend the structural equation approach by Pearl and Halpern, which is based on Lewis counterfactuals, so that it can be applied to reason about causalities in a state-action trace model induced by a probabilistic counterexample. The causality relationships derived by the extended structural equation model are then mapped onto fault trees. We demonstrate the usefulness of our approach by applying it to a selection of case studies known from literature.