dependability analysis and evolutionary design optimisation with hip-hops

Dependability analysis and evolutionary design optimisation with HiP-HOPS

Dr Yiannis Papadopoulos

Department of Computer Science

University of Hull, U.K.

Fraunhofer IESE May 4th 2011

Fraunhofer IESE May 4th 2011 Yiannis Papadopoulos

Motivation of work on System Dependability Analysis

• Increasing safety concerns:

Computer controlled safety critical systems emerge in areas such as automotive, shipping, medical applications, industrial processes, etc.

• Reliability & availability concern a broader class of systems

• Increasing complexity of systems & reduced product development times & budgets cause difficulties in classical manual analyses

p 2


Why is automation needed?

System Design ModelSystem Design Model

If a component fault develops here

On the outputs?

What effect does the fault have?What effect does the fault have?

3

p 3


In the University of Hull we develop:

• A method and tool that simplify dependability analysis and architecture optimisation by partly automating the process

• Known as Hierachically Performed - Hazard Origin and Propagation Studies (HiP-HOPS)

p 4


HiP-HOPS

p 5

Global view of failure:Failure annotations =of components

System Model +

Fault TreeSynthesisAlgorithm

System failures

Component failures


Valve Malfunctions Failure mode Description Failure rate Blocked e.g. by debris 1e - 6 partiallyBlocked e.g. by debris 5e - 5 stuckClosed Mechanically stuck 1.5e - 6 stuckOpen Mechanically stuck 1.5e - 5 Deviations of Flow at Valve Output Output Deviation

Description Causes

Omission - b Omission of flow Blocked or stuckClosed or Omission - a or Low - control

Commission - b Commission of flow stuckOpen or Commission - a or High-control

Low - b L ow flow partiallyBlocked or Low - a High-b High flow High-a Early - b Early flow Early - a or Early - control Late - b Late flow Late - a or Late - control

a b

control

b

Component Failure Annotations

p 6


Hierarchical analysis

Assessment of conditions that affect whole architectures, e.g. of common cause failures / combined HW-SW analysis

p 7

System / Hardware

Components / Allocated Software

Analysis of conditions that affect whole system / effects of Hardware failure

Local Safety Analyses of Components/Propagation of failure through software


• Notions of Failure Classes (user defined), Input/Output Ports & Parameters

• Failure Logic: Boolean logic, recently enhanced with new temporal operators and a temporal logic. Concept for state-sensitive analysis

• Includes generalisation operators and iterators:

e.g. any input failure propagates to all outputs

• Can be used for specification of reusable, inheritable, composable, failure patterns

Language for Error Modelling

p 8


Tool Interface

p 9


Tool support (Example Steer-by-Wire)

Simulink model: steer-by-wire system

Synthesised Fault TreesSynthesised FMEA

p 10


Tool Maturity

• Tool has public interfaces (XML, DLL) which enable linking

to modelling or drawing tools

• Has advanced capabilities for qualitative/probabilistic

analysis (common causes, zonal analysis, supports a

variety of probabilistic models)

• ITI GmbH has used the public interface to link its

“Simulation X” modelling tool to the HiP-HOPS tool. Others

(ALL4TEC, VECTOR) also interface

• Commercial launch of HiP-HOPS extension to Simulation X

in 2011

p 11


Further difficulties in dependability engineering and tool extension to support architecture optimisation

• How can system dependability be improved?

Substitute components & sub-systems, increase frequency of maintenance, replicate

• Which solution achieves minimal cost?

• People evaluate a few options.

This leads to unnecessary design iterations and sub-optimal solutions.

p 12


Work on Multi-objective Design Optimisation

• Hard optimisation problem that can only be addressed effectively with automation

• Objectives

Dependability, Cost, Weight, …

• Objectives are conflicting

(e.g. dependability and cost)

p 13


Multi-objective optimisation problem

• Find a solution x (element of solution space X),

which satisfies a set of constrains and optimizes a vector of objective functions

f(x)= [f1(x),f2(x),f3(x),…,fn(x)].

• Search for Pareto Optimal (i.e. Non-dominated) Solutions

A solution x1 dominates another solution x2 if x1

matches or exceeds x2 in all objectives.

p 14


Pareto Optimality

Cost

Reliability

3

1

3

1

11

1

1

3

2

4

59

5

Paret

o Fro

nt

p 15


Optimisation concept

Genetic Algorithm

HiP-HOPSModelling Tool Model,

VariantsFailure

data

parser

analysis

pareto front

Set of Models

representing optimal

tradeoffs

p 16


1

2

Primary

Standby

Genetic Algorithm: Making design variations

p 17

1

1 Cost: 2Reliability: 5Cost: 3Reliability: 7Cost: 4Reliability: 9Cost: 3Reliability: 8


Fuel System Example

p 18

• Provide model, variants, failure data

Cost: 511Unavailability: 0.108366


Fuel System Example

p 19

• Let tool find optimal solutions


Fuel System Example

p 20

• Choose and get optimised design

Cost: 834Unavailability: 0.044986


Optimisation in Action

p 21


Work on Temporal Safety Analysis

Cutsets of a Classical fault tree

I + A.B.C + A.S1 + A.B.S2 + D

1. No input at I

2. Failure of all of A, B, and C

3. Failure of A and S1

4. Failure of A, B, and S2

5. Failure of D

I

p 22


• PAND-ORA: Hour or “time” (ORA [ώρα] in Greek) of PAND gates

• Uses Priority-AND (<, or “before”), Priority-OR (|) and Simultaneous-AND (&, or “at the same time”) operators to express temporal ordering of events

• Relative temporal relations between events can be expressed: X<Y, X&Y, and Y<X

• New Temporal Laws can be used to simplify fault trees and calculate Minimal Cut-sequencesMinimal Cut-sequences

The PANDORA Logic

p 23


• Sequence Values

• A number indicating the order in which an event becomes true

• Events with the same sequence value are simultaneous

• Temporal Truth Tables (TTT)

– Like Boolean truth tables but

extended to use Sequence

Values

– Can be used to prove

temporal laws

– e.g. X.Y = X<Y + X&Y + Y<X

Temporal Truth Tables

p 24


Minimal Cut-sequences

• I

• D

• [S1<A]

• [S1&A]

• [B<A]

• [B&A]

• [A<B].C

• A.[S2&B]

• A.[S2<B]

• Show that the “triply redundant” system is not triply redundant.

• Give a more refined and correct view of failure

I

D

A.S1

A.B.C

A.B.S2

I

p 25


Current Work• ADLs: ADLs: Input to EAST-ADL automotive ADL in MAENAD FP7

project. Work towards harmonisation with AADL

• Dynamic Analysis: Dynamic Analysis: Synthesis of Temporal Fault Trees from State

Machines

• Separation of Concerns: Separation of Concerns: Multi-perspective HiP-HOPS. Analysis of

diagrams (SW-HW) linked with allocations

• Automatic allocation of safety requirements:Automatic allocation of safety requirements: E.g. in the form of

SILs (Safety Integrity levels)

• OptimisationOptimisation: More objectives, More model transformations

• Link to Model-CheckersLink to Model-Checkers

p 26


Relation to the state-of-the-art

• One of more advanced compositional safety analysescompositional safety analyses • Less automated than formal safety analyses & formal safety analyses & does not do

formal verification. • However, uses simple algorithmssimple algorithms and scales upscales up well.

Deductive analysis & good performance have enabled : • Multiple failure mode FMEAs• Architecture optimisation with greedy meta-heuristics• Top-down allocation of safety requirements (SILs)

• Can complement other formal techniques• Synthesis of State-Machines –> Input for Model Checker• Additional functionalities (optimisation, SIL allocation,

advanced probabilistic analyses)

p 27


Summary

• Shorter life-cycles, economic pressures, increasing complexity demand cost effective dependability engineering.

• HiP-HOPS simplifies aspects of this process.

• Can complement formal techniques. Can be used in conjunction with emerging ADLs.

• Supported by mature commercially available tool.

• Strong interest in automotive & shipping. Growing interest in aerospace. Applications by Germanischer Lloyd, Volvo, VW, Delphi, Fiat, Continental, Toyota/Denso, et al

p 28

dependability analysis and evolutionary design optimisation with hip-hops

Documents