Dependability analysis and evolutionary design optimisation with HiP-HOPS
Dr Yiannis Papadopoulos
Department of Computer Science
University of Hull, U.K.
Fraunhofer IESE May 4th 2011
Fraunhofer IESE May 4th 2011 Yiannis Papadopoulos
Motivation of work on System Dependability Analysis
• Increasing safety concerns:
Computer controlled safety critical systems emerge in areas such as automotive, shipping, medical applications, industrial processes, etc.
• Reliability & availability concern a broader class of systems
• Increasing complexity of systems & reduced product development times & budgets cause difficulties in classical manual analyses
Why is automation needed?
Diagram: a System Design Model. If a component fault develops at one point in the model, what effect does the fault have on the outputs?
At the University of Hull we develop:
• A method and tool that simplify dependability analysis and architecture optimisation by partly automating the process
• Known as Hierarchically Performed Hazard Origin and Propagation Studies (HiP-HOPS)
HiP-HOPS
Diagram: System Model + Failure annotations of components -> Fault Tree Synthesis Algorithm -> Global view of failure (system failures traced back to component failures)
Component Failure Annotations

Valve Malfunctions
Failure mode | Description | Failure rate
Blocked | e.g. by debris | 1e-6
partiallyBlocked | e.g. by debris | 5e-5
stuckClosed | Mechanically stuck | 1.5e-6
stuckOpen | Mechanically stuck | 1.5e-5

Deviations of Flow at Valve Output
Output Deviation | Description | Causes
Omission-b | Omission of flow | Blocked or stuckClosed or Omission-a or Low-control
Commission-b | Commission of flow | stuckOpen or Commission-a or High-control
Low-b | Low flow | partiallyBlocked or Low-a
High-b | High flow | High-a
Early-b | Early flow | Early-a or Early-control
Late-b | Late flow | Late-a or Late-control

Diagram: valve with flow input port a, control input port control, and flow output port b.
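To show how local annotations of this kind become a system-level fault tree, here is an added example (not HiP-HOPS tool code) that places the valve of the table downstream of a constructed pump, controller and power supply, substitutes each input deviation with the upstream output deviation that causes it, and returns the minimal cut sets of an output deviation; the failure rates of the non-valve components and the per-hour unit are assumptions.

```python
import math
from itertools import product

# Added example, not HiP-HOPS tool code. Local failure annotations in DNF: each output
# deviation of a component maps to a list of AND-terms (sets). A term mixes internal
# failure modes ("Valve.Blocked") with input deviations ("Omission-a" = omission at port a).
ANNOTATIONS = {
    # Valve rows transcribed from the table above
    ("Valve", "Omission-b"): [{"Valve.Blocked"}, {"Valve.stuckClosed"}, {"Omission-a"}, {"Low-control"}],
    ("Valve", "Low-b"): [{"Valve.partiallyBlocked"}, {"Low-a"}],
    # Upstream pump, controller and supply are constructed for this example
    ("Pump", "Omission-out"): [{"Pump.Seized"}, {"Omission-power"}],
    ("Pump", "Low-out"): [{"Pump.Worn"}],
    ("Controller", "Low-out"): [{"Controller.SensorBias", "Controller.NoSelfTest"},
                                {"Controller.SensorBias", "Omission-power"}],
    ("Supply", "Omission-out"): [{"Supply.Outage"}],
}
# Connections: (component, input port) -> (upstream component, output port)
CONNECTIONS = {("Valve", "a"): ("Pump", "out"), ("Valve", "control"): ("Controller", "out"),
               ("Pump", "power"): ("Supply", "out"), ("Controller", "power"): ("Supply", "out")}
# Failure rates per hour (assumed unit): valve values from the table, others constructed
RATES = {"Valve.Blocked": 1e-6, "Valve.stuckClosed": 1.5e-6, "Pump.Seized": 2e-6,
         "Supply.Outage": 1e-5, "Controller.SensorBias": 5e-6, "Controller.NoSelfTest": 1e-3}

def minimise(cutsets):
    """Keep only minimal cut sets: drop any set that strictly contains another."""
    uniq = {frozenset(c) for c in cutsets}
    return sorted((c for c in uniq if not any(o < c for o in uniq)), key=lambda c: (len(c), sorted(c)))

def synthesise(component, deviation):
    """Fault tree synthesis: replace each input deviation by the upstream output deviation
    that causes it, recursively, until only basic events remain; return minimal cut sets."""
    cutsets = []
    for term in ANNOTATIONS.get((component, deviation), []):   # unannotated: cannot occur
        factors = []                                            # one DNF per literal of the term
        for lit in term:
            if "." in lit:                                      # internal failure mode: basic event
                factors.append([frozenset([lit])])
            else:                                               # input deviation: follow the connection
                cls, port = lit.rsplit("-", 1)
                up_comp, up_port = CONNECTIONS[(component, port)]
                factors.append(synthesise(up_comp, f"{cls}-{up_port}"))
        for combo in product(*factors):                         # distribute the AND over the ORs
            cutsets.append(frozenset().union(*combo))
    return minimise(cutsets)

def top_event_probability(cutsets, hours):
    """Rare-event approximation: sum over cut sets of the product of basic event probabilities."""
    return sum(math.prod(1 - math.exp(-RATES[e] * hours) for e in cs) for cs in cutsets)
```

Calling synthesise("Valve", "Omission-b") yields five minimal cut sets; the candidate {Controller.SensorBias, Supply.Outage} is dropped because Supply.Outage alone already causes omission of flow.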
Hierarchical analysis
Assessment of conditions that affect whole architectures, e.g. of common cause failures / combined HW-SW analysis
Diagram, two levels:
• System / Hardware: analysis of conditions that affect the whole system / effects of hardware failure
• Components / Allocated Software: local safety analyses of components / propagation of failure through software
Language for Error Modelling
• Notions of Failure Classes (user defined), Input/Output Ports & Parameters
• Failure Logic: Boolean logic, recently enhanced with new temporal operators and a temporal logic. Concept for state-sensitive analysis
• Includes generalisation operators and iterators: e.g. any input failure propagates to all outputs
• Can be used for specification of reusable, inheritable, composable failure patterns
Tool Interface
Tool support (Example Steer-by-Wire)
Simulink model: steer-by-wire system
Synthesised Fault Trees; Synthesised FMEA
Tool Maturity
• Tool has public interfaces (XML, DLL) which enable linking to modelling or drawing tools
• Has advanced capabilities for qualitative/probabilistic analysis (common causes, zonal analysis, supports a variety of probabilistic models)
• ITI GmbH has used the public interface to link its “Simulation X” modelling tool to the HiP-HOPS tool. Others (ALL4TEC, VECTOR) also interface with it
• Commercial launch of the HiP-HOPS extension to Simulation X in 2011
Further difficulties in dependability engineering and tool extension to support architecture optimisation
• How can system dependability be improved?
Substitute components & sub-systems, increase frequency of maintenance, replicate
• Which solution achieves minimal cost?
• People evaluate a few options.
This leads to unnecessary design iterations and sub-optimal solutions.
Work on Multi-objective Design Optimisation
• Hard optimisation problem that can only be addressed effectively with automation
• Objectives
Dependability, Cost, Weight, …
• Objectives are conflicting
(e.g. dependability and cost)
Multi-objective optimisation problem
• Find a solution x (element of solution space X) which satisfies a set of constraints and optimises a vector of objective functions
f(x) = [f1(x), f2(x), f3(x), …, fn(x)].
• Search for Pareto Optimal (i.e. Non-dominated) Solutions
A solution x1 dominates another solution x2 if x1 matches or exceeds x2 in all objectives.
Pareto Optimality
Plot: Reliability against Cost. Each point is a candidate design; the non-dominated designs form the Pareto Front.
Optimisation concept
Diagram: the Modelling Tool supplies the model, its variants and failure data to a parser; a Genetic Algorithm generates design variants, HiP-HOPS analysis evaluates each of them, and the resulting Pareto front is a set of models representing optimal trade-offs.
Genetic Algorithm: Making design variations
Diagram: a design is varied by substituting a component (variant 1 or variant 2) or by replicating it as Primary and Standby. Example candidates: Cost 2 / Reliability 5; Cost 3 / Reliability 7; Cost 4 / Reliability 9; Cost 3 / Reliability 8.
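The dominance test and the variation operators above, as an added example (not HiP-HOPS code): a series system whose slots can each be substituted by another variant or replicated as primary/standby, a Pareto filter over (cost, unavailability), and a small seeded evolutionary loop that keeps an archive of non-dominated designs. The component catalogue and the replication rule (cost doubles, unavailability squares, i.e. independent failures and perfect switch-over) are constructed assumptions.

```python
import random

# Added example, not HiP-HOPS code. A design has one slot per subsystem of a series system;
# each slot picks a variant and may add a standby replica. Constructed assumption: replication
# doubles the cost and squares the unavailability (independent failures, perfect switch-over).
VARIANTS = {  # constructed catalogue: variant -> (cost, unavailability)
    "Pump": [(100, 0.02), (160, 0.008)],
    "Valve": [(40, 0.01), (70, 0.003)],
    "Controller": [(200, 0.005), (350, 0.001)],
    "Sensor": [(30, 0.03), (55, 0.01)],
}
SLOTS = list(VARIANTS)

def evaluate(design):
    """design: tuple of (variant index, replicated?) per slot -> (cost, unavailability)."""
    cost, available = 0, 1.0
    for slot, (idx, rep) in zip(SLOTS, design):
        c, u = VARIANTS[slot][idx]
        cost += 2 * c if rep else c
        available *= 1 - (u * u if rep else u)
    return cost, 1 - available

def dominates(a, b):
    """Both objectives are minimised: a dominates b if no worse in all and better in one."""
    return all(x <= y for x, y in zip(a, b)) and a != b

def pareto_front(evaluated):
    """Non-dominated subset of a {design: objectives} dictionary."""
    return {d: o for d, o in evaluated.items()
            if not any(dominates(p, o) for p in evaluated.values())}

def mutate(design, rng):
    """One design variation: substitute the variant, or toggle replication, in one slot."""
    i = rng.randrange(len(design))
    idx, rep = design[i]
    change = (1 - idx, rep) if rng.random() < 0.5 else (idx, not rep)
    return design[:i] + (change,) + design[i + 1:]

def optimise(generations=60, pop=20, seed=1):
    """Simple evolutionary search keeping an archive of non-dominated designs."""
    rng = random.Random(seed)
    initial = {tuple((rng.randrange(2), rng.random() < 0.5) for _ in SLOTS) for _ in range(pop)}
    archive = {d: evaluate(d) for d in initial}
    for _ in range(generations):
        parents = list(archive)
        children = {mutate(rng.choice(parents), rng) for _ in range(pop)}
        archive.update((c, evaluate(c)) for c in children)
        archive = pareto_front(archive)         # keep only the optimal trade-offs found so far
    return sorted(archive.values())
```

optimise() returns the archive's (cost, unavailability) pairs sorted by cost; because no member dominates another, unavailability falls strictly as cost rises along the list.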
Fuel System Example
• Provide model, variants, failure data (Cost: 511, Unavailability: 0.108366)
• Let tool find optimal solutions
• Choose and get optimised design (Cost: 834, Unavailability: 0.044986)
Optimisation in Action
Work on Temporal Safety Analysis
Cut sets of a classical fault tree:
I + A.B.C + A.S1 + A.B.S2 + D
1. No input at I
2. Failure of all of A, B, and C
3. Failure of A and S1
4. Failure of A, B, and S2
5. Failure of D
The PANDORA Logic
• PAND-ORA: Hour or “time” (ORA [ώρα] in Greek) of PAND gates
• Uses Priority-AND (<, or “before”), Priority-OR (|) and Simultaneous-AND (&, or “at the same time”) operators to express temporal ordering of events
• Relative temporal relations between events can be expressed: X<Y, X&Y, and Y<X
• New Temporal Laws can be used to simplify fault trees and calculate Minimal Cut-sequences
Temporal Truth Tables
• Sequence Values
• A number indicating the order in which an event becomes true
• Events with the same sequence value are simultaneous
• Temporal Truth Tables (TTT)
– Like Boolean truth tables but extended to use Sequence Values
– Can be used to prove temporal laws
– e.g. X.Y = X<Y + X&Y + Y<X
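The Pandora operators and the Temporal Truth Table proof of the law above, as an added example (not Pandora tool code): events carry sequence values, each operator returns the sequence value of the compound event, and two expressions are a temporal law when their tables agree on every row. The exact value each operator returns is this example's reading of Pandora's semantics, stated in the comments.

```python
from itertools import product

# Added example, not Pandora tool code. Each event gets a sequence value: 0 = never occurs,
# n > 0 = the order in which it occurs; equal values mean simultaneous occurrence. The operator
# semantics below (value of the compound event, 0 when false) is this example's reading of Pandora.
def AND(x, y):  return max(x, y) if x and y else 0                       # X.Y  both occurred
def OR(x, y):   return min(v for v in (x, y) if v) if x or y else 0      # X+Y  first occurrence
def PAND(x, y): return y if x and y and x < y else 0                     # X<Y  X strictly before Y
def SAND(x, y): return x if x and y and x == y else 0                    # X&Y  at the same time
def POR(x, y):  return x if x and (not y or x < y) else 0                # X|Y  X, and Y not before it

def assignments(n):
    """Rows of a Temporal Truth Table: every assignment of sequence values to n events,
    with the occurring events numbered 1..k without gaps (canonical form)."""
    for row in product(range(n + 1), repeat=n):
        occurring = sorted(set(v for v in row if v))
        if occurring == list(range(1, len(occurring) + 1)):
            yield row

def truth_table(expr, n):
    """Evaluate expr (a function of n sequence values) on every row."""
    return {row: expr(*row) for row in assignments(n)}

def equivalent(lhs, rhs, n):
    """Two expressions are a temporal law if their TTTs agree on every row."""
    return truth_table(lhs, n) == truth_table(rhs, n)

# The law from the slide: X.Y = X<Y + X&Y + Y<X
law_lhs = lambda x, y: AND(x, y)
law_rhs = lambda x, y: OR(OR(PAND(x, y), SAND(x, y)), PAND(y, x))
# A candidate that forgets simultaneity, X<Y + Y<X, is not equivalent to X.Y
bad_rhs = lambda x, y: OR(PAND(x, y), PAND(y, x))
```

For two events the table has six rows (neither, one, both simultaneous, and both in either order); equivalent(law_lhs, law_rhs, 2) holds on all of them, while bad_rhs fails on the simultaneous row.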
Minimal Cut-sequences
• I
• D
• [S1<A]
• [S1&A]
• [B<A]
• [B&A]
• [A<B].C
• A.[S2&B]
• A.[S2<B]
Compared with the classical cut sets (I, D, A.S1, A.B.C, A.B.S2), the minimal cut-sequences:
• Show that the “triply redundant” system is not triply redundant.
• Give a more refined and correct view of failure.
Current Work
• ADLs: Input to EAST-ADL automotive ADL in the MAENAD FP7 project. Work towards harmonisation with AADL
• Dynamic Analysis: Synthesis of Temporal Fault Trees from State Machines
• Separation of Concerns: Multi-perspective HiP-HOPS. Analysis of diagrams (SW-HW) linked with allocations
• Automatic allocation of safety requirements: e.g. in the form of SILs (Safety Integrity Levels)
• Optimisation: More objectives, more model transformations
• Link to Model-Checkers
Relation to the state-of-the-art
• One of the more advanced compositional safety analyses
• Less automated than formal safety analyses & does not do formal verification. However, uses simple algorithms and scales up well.
Deductive analysis & good performance have enabled:
• Multiple failure mode FMEAs
• Architecture optimisation with greedy meta-heuristics
• Top-down allocation of safety requirements (SILs)
Can complement other formal techniques:
• Synthesis of State-Machines –> Input for Model Checker
• Additional functionalities (optimisation, SIL allocation, advanced probabilistic analyses)
Summary
• Shorter life-cycles, economic pressures, increasing complexity demand cost effective dependability engineering.
• HiP-HOPS simplifies aspects of this process.
• Can complement formal techniques. Can be used in conjunction with emerging ADLs.
• Supported by a mature, commercially available tool.
• Strong interest in automotive & shipping. Growing interest in aerospace. Applications by Germanischer Lloyd, Volvo, VW, Delphi, Fiat, Continental, Toyota/Denso, et al.