
    Compositional synthesis of temporal fault trees from state machines

    Dependability analysis of a dynamic system composed of several complex, interrelated components raises two main problems. First, it is difficult to represent in a single coherent and complete picture how the system and its constituent parts behave in conditions of failure. Second, the analysis can become unmanageable because of the considerable number of failure events, which grows with the number of components involved. To remedy these problems, in this paper we outline an analysis approach that converts failure behavioural models (state machines) to temporal fault trees (TFTs), which can then be analysed using Pandora -- a recent technique for introducing temporal logic to fault trees. The approach is compositional and potentially more scalable, as it relies on the synthesis of large system TFTs from smaller component TFTs. We show, using a Generic Triple Redundant (GTR) system, how the approach enables a more accurate and complete analysis of an increasingly complex system.

    Dynamic model-based safety analysis: from state machines to temporal fault trees

    Finite state transition models such as State Machines (SMs) have become a prevalent paradigm for the description of dynamic systems. Such models are well-suited to modelling the behaviour of complex systems, including in conditions of failure, and where the order in which failures and fault events occur can affect the overall outcome (e.g. total failure of the system). For the safety assessment, though, the SM failure behavioural models need to be converted to analysis models like Generalised Stochastic Petri Nets (GSPNs), Markov Chains (MCs) or Fault Trees (FTs). This is particularly important if the transformed models are supported by safety analysis tools. This thesis, firstly, identifies a number of problems encountered in current safety analysis techniques based on SMs. One of the existing approaches consists of transforming the SMs to analysis-supported state-transition formalisms like GSPNs or MCs, which are very powerful in capturing the dynamic aspects and in the evaluation of safety measures. But in this approach, qualitative analysis is not encouraged; the focus is primarily on probabilistic analysis. Qualitative analysis is particularly important when probabilistic data are not available (e.g., at early stages of design). In an alternative approach, the generation of combinatorial, Boolean FTs has been applied to SM-based models. FTs are well-suited to qualitative analysis, but cannot capture the significance of the temporal order of events expressed by SMs. This makes the approach potentially error prone for the analysis of dynamic systems. In response, we propose a new SM-based safety analysis technique which converts SMs to Temporal Fault Trees (TFTs) using Pandora, a recent technique for introducing temporal logic to FTs. Pandora provides a set of temporal laws which allow the significance of the SM temporal semantics to be preserved throughout the logical analysis, and thereby enable a true qualitative analysis of a dynamic system.
    The thesis develops algorithms for the conversion of SMs to TFTs. It also deals with the issue of scalability of the approach by proposing a form of compositional synthesis in which large system TFTs can be generated from individual component SMs using a process of composition. This has the dual benefits of allowing more accurate analysis of different sequences of faults, and of helping to reduce the cost of performing temporal analysis by producing smaller, more manageable TFTs through compositionality. The thesis concludes that this approach can potentially address limitations of earlier work and thus help to improve the safety analysis of increasingly complex dynamic safety-critical systems.

    Automatic generation of Temporal Fault Trees from AADL models

    The Architecture Analysis and Design Language (AADL) is gaining growing acceptance in the aerospace, automobile and avionics industries. These industries are increasingly concerned with systems exhibiting sequence-dependent failures. Regarding dependability (i.e. safety, reliability, availability and maintainability) analysis of AADL models, there is still a lack of techniques that can take into account the sequencing of failure events and determine minimal failure scenarios, i.e. those made up of the relevant events that cause a system to fail as a whole. In this paper, we present how we address this problem through an intelligent transformation, which captures the significant temporal ordering of faults and failures expressed by the AADL error models, to synthesise system Temporal Fault Trees (TFTs). © 2014 Taylor & Francis Group, London.

    A translation of state machines to temporal fault trees

    State Machines (SMs) are increasingly being used to gain a better understanding of the failure behaviour of safety-critical systems. In dependability analysis, SMs are translated to other models, such as Generalized Stochastic Petri Nets (GSPNs) or combinatorial fault trees. The former does not enable qualitative analysis, whereas the latter allows it but can lead to inaccurate or erroneous results, because combinatorial fault trees do not capture the temporal semantics expressed by SMs. In this paper, we discuss the problem and propose a translation of SMs to temporal fault trees using Pandora, a recent technique for introducing temporal logic to fault trees, thus preserving the significance of the temporal sequencing of faults and allowing full qualitative analysis. Since dependability models inform the design of condition monitoring and failure prevention measures, improving the representation and analysis of dynamic effects in such models can have a positive impact on proactive failure avoidance.

    Model transformation for analyzing dependability of AADL model by using HiP-HOPS

    The Architecture Analysis and Design Language (AADL) has emerged as a potential future standard in the aerospace, automobile and avionics industries for model-based development of dependability-critical systems. As AADL is relatively new, some existing analysis methods and tools are not able to accept AADL models. In this paper we show that, by using model transformation techniques, we can automatically transform AADL models into a form that is directly executable by fault-tree-based dependability analysis and optimisation tools. This model transformation opens a path by which AADL models may benefit from automatic synthesis and analysis of fault trees, temporal fault tree analysis, multiple failure mode and effects analysis and model architecture optimisation. In this paper, we present a new model transformation framework. The core of the framework is a novel transformation from a state machine-based error model to a fault-tree model. The framework has been implemented as a plug-in (AADL2HiP-HOPS) for the AADL model development tool OSATE. The plug-in may be used to transform AADL models for a state-of-the-art dependability analysis and optimisation tool: HiP-HOPS. To illustrate the transformation and the subsequent HiP-HOPS analysis, an example AADL model is transformed.

    Model transformation for multi-objective architecture optimisation of dependable systems

    The promise of model-based engineering is that, by use of an integrated and coherent system model, both functional and non-functional requirements may be analysed, implemented and tested in a rigorous and cost-effective manner. An important part of model-based engineering is the use of analysis and design languages. The Architecture Analysis and Design Language (AADL) is a new modelling language which is increasingly being used for the development of high-dependability embedded systems. Such languages are ideally suited to model-based engineering, but the use of new languages threatens to isolate existing tools which use different languages. This is a particular problem when these tools provide an important development or analysis function. System optimisation is such a function. System designers seek an optimal trade-off between high dependability and low cost. For large systems, the design space of alternatives with respect to both dependability and cost is enormous and too large to investigate manually. For this reason automation is required to produce optimal or near-optimal designs. HiP-HOPS is a mature, state-of-the-art dependability analysis and optimisation method and tool. HiP-HOPS requires, as input, the local failure behaviour of the system components together with the inter-component failure propagation behaviour. For optimisation, component variability information is also required. The integration of tools such as HiP-HOPS into a model-based engineering environment requires that these tools have suitable access to the system model. Without proper integration, additional system information must be input at additional cost and with a risk of inconsistency. This paper shows how model transformation may be used to integrate a multi-objective optimisation method and tool into a model-based engineering environment.
    To illustrate the transformation method, it is applied in a case study where, drawing on the results of the optimisation, we highlight the potential value of this work for model-based design.

    Model-Based Analysis and Engineering of Automotive Architectures with EAST-ADL

    Modern cars have turned into complex high-technology products, subject to strict safety and timing requirements, in a short time span. This evolution has translated into development processes that are not as efficient, flexible and agile as they could or should be. This paper presents the main aspects and capabilities of a rich model-based design framework founded on EAST-ADL. EAST-ADL is an architecture description language specific to the automotive domain, complemented by a methodology compliant with the automotive functional safety standard ISO 26262. The language and the methodology are used to develop an information model in the sense of a conceptual model, providing the engineer with the basis for specifying the various aspects of the system. Inconsistencies, redundancies, and in part even missing aspects of the system description can be found automatically by advanced analysis and optimisation capabilities, to effectively improve the development processes of modern cars.