Checking Fault Tolerance in Safety and Security-Critical Systems - PowerPoint PPT Presentation
Slides: 12
Provided by: ITE66
Transcript and Presenter's Notes

1
Checking Fault Tolerance in Safety and Security-Critical Systems
2
Aim: To Predict the Effects of Component Failures
The problem
The solution
i.e., automatic Failure Modes and Effects Analysis (FMEA)
3
Step 1: Identify the Safety/Security Requirements
Th1: Uncommanded closing. The plunger should not start falling without the operator pressing the button.
Th2: Motor on below PONR. The motor should not turn on when the plunger is falling below the PONR.
Th3: Loss of abort. If the plunger is falling above the PONR and the operator releases the button, the motor should turn on.
Th4: Plunger falling before reaching the top. The motor should not turn off unless the plunger is at the top.
(Diagram: Safety and Security Requirements -> Formalised Temporal Logic Formulae -> Automatic Model Checking. System Model + Component Fault Modes -> System Model with Injected Component Fault Modes -> Automatic Model Checking. The output is either Identified unsafe behaviours, or Verification that the Injected Component Faults do not lead to unsafe behaviour.)
4
Step 2: Formalise the Safety/Security Requirements
th1 : THEOREM behavior |- G((plunger = plunger_at_top AND operator = operator_released_button) => (electric_Motor = electric_Motor_on));
th2 : THEOREM behavior |- G((plunger = plunger_falling_fast) => (electric_Motor = electric_Motor_off));
th3 : THEOREM behavior |- G(F(plunger = plunger_falling_fast)) => G((plunger = plunger_falling_slow AND operator = operator_released_button) => U(plunger = plunger_falling_slow, electric_Motor = electric_Motor_on));
th4 : THEOREM behavior |- G(NOT((plunger = plunger_rising_below_PONR OR plunger = plunger_rising_above_PONR) AND (electric_Motor = electric_Motor_off)));
(Diagram as in Step 1, with the formalised temporal logic formulae above feeding Automatic Model Checking.)
5
Step 3: Model the System Behaviour
(Diagram as in Step 1, highlighting the System Model input.)
6
Step 4: Model the Component Fault
(Diagram as in Step 1, highlighting the Component Fault Modes input.)
7
Fault injection is automatic
(Diagram as in Step 1, highlighting the System Model with Injected Component Fault Modes.)
8
The Tool checks whether the Safety Requirement is met
(Diagram as in Step 1, highlighting Automatic Model Checking and its two possible outputs.)
9
Example: Violation of Safety Requirement
Motor turned on while the plunger is falling past the point of no return
Cause: Faulty sensor
Result: Motor may explode, operator in danger
10
The Tool identifies an Unsafe Behaviour
(Diagram as in Step 1, with the Identified unsafe behaviours output annotated "Hazard has occurred".)
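As an added illustration (not the authors' tool and not their SAL model), the following Python sketch models the plunger, operator and motor controller as a small transition system, injects the faulty-sensor mode from the example above, and searches the reachable states for a violation of Th2 (motor on while the plunger is falling below the PONR). The three plunger positions, the controller rule, the plant dynamics and the "stuck above PONR" fault mode are constructed assumptions chosen to reproduce the slide's hazard.

```python
from collections import deque

# Constructed example model (my assumptions, not the authors' SAL model). Plunger
# positions run top to bottom; the PONR lies between 'falling_slow' (still abortable)
# and 'falling_fast' (past the point of no return).
POSITIONS = ("at_top", "falling_slow", "falling_fast")
INITIAL = ("at_top", "released", "off")  # state = (plunger, button, motor)

def controller(sensed_plunger, button):
    """Intended logic: abort (motor on) only when the plunger can still be caught."""
    return "on" if sensed_plunger == "falling_slow" and button == "released" else "off"

def sense(plunger, sensor_fault):
    """Injected fault mode: a position sensor stuck reporting 'above the PONR'."""
    return "falling_slow" if sensor_fault == "stuck_above_PONR" else plunger

def plant(plunger, button, motor):
    """Lifted to the top while the motor runs (unless already past the PONR);
    falls one stage per step while the button is held; keeps falling past the PONR."""
    if motor == "on" and plunger != "falling_fast":
        return "at_top"
    if button == "pressed" or plunger == "falling_fast":
        return POSITIONS[min(POSITIONS.index(plunger) + 1, len(POSITIONS) - 1)]
    return plunger

def successors(state, sensor_fault):
    plunger, button, motor = state
    nxt = plant(plunger, button, motor)
    # The operator presses or releases nondeterministically; the controller then
    # issues the motor command for the new position from what the sensor reports.
    return {(nxt, b, controller(sense(nxt, sensor_fault), b)) for b in ("pressed", "released")}

def th2_holds(state):
    """Th2 as a state predicate: G((plunger = plunger_falling_fast) => (motor = off))."""
    return not (state[0] == "falling_fast" and state[2] == "on")

def check(invariant, sensor_fault=None):
    """Breadth-first reachability check; returns the shortest counterexample trace or None."""
    parent = {INITIAL: None}
    queue = deque([INITIAL])
    while queue:
        state = queue.popleft()
        if not invariant(state):
            trace = []
            while state is not None:
                trace.append(state)
                state = parent[state]
            return trace[::-1]  # path from INITIAL to the violating state
        for nxt in sorted(successors(state, sensor_fault)):
            if nxt not in parent:
                parent[nxt] = state
                queue.append(nxt)
    return None
```

Without the fault, `check(th2_holds)` returns None; with `sensor_fault="stuck_above_PONR"` it returns the four-state trace ending in the motor running while the plunger falls past the PONR, which is the hazard the slide reports.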
11
In summary: Predicting Effects of Component Failures
  • Identify the impact of component faults
  • Identify paths leading to unsafe behaviour
  • Automates Failure Modes and Effects Analysis (FMEA)