1
Synthesis of Model-Based Dependability Analysis and Bio-inspired Metaheuristics in the Design of Complex Systems
Professor Yiannis Papadopoulos, School of Engineering & Computer Science, University of Hull
SCSC – London – 28/09/2017
2
Context and Motivation
Dependability: Safety, Reliability, Availability, Maintainability, Data Integrity, Security, Privacy
Increasing concerns about new systems
Increasing complexity of systems, rapid technological change, and reduced product development times & budgets cause difficulties in classical dependability analyses
Automation of dependability analyses is part of the solution
3
Vast research in the area
Model-based Dependability Analysis: fault propagation models, automata and model checking
Formal methods, verification of correctness of specifications and software
Automated testing
AI exploration of design spaces for more dependable architectures
Model-based & data-driven monitoring, diagnosis, correction of failures – machine learning, agents and distributed AI
4
The Need to Support Dependability Analysis
[Figure: system model] If a component fault develops here, what effect does it have on the outputs?
5
In the University of Hull we develop:
A method and tool that simplify dependability analysis and optimisation of systems by partly automating the process
Known as Hierarchically Performed Hazard Origin and Propagation Studies (HiP-HOPS)
I will use HiP-HOPS as a case study of research on new methods for dependability that attempt a synthesis of bio- and logic-inspired techniques
6
Scope of HiP-HOPS: all processes model-based and largely automated
[Figure: V life-cycle]
Top-down safety-driven design: safety requirements allocated to sub-systems and components during refinement
Optimisation of system architectures and maintenance with respect to safety, reliability, cost ...
Bottom-up safety analysis and verification of requirements
System certification
Operational monitoring
7
HiP-HOPS: Dependability Analysis
System Model + Failure logic of components (e.g. No-out = No-in or failed) => Global view of failure: system failures traced to component failures
Computerised algorithms perform the synthesis
8
Component Failure Annotations in HiP-HOPS
Valve malfunctions
Failure mode | Description | Failure rate
Blocked | e.g. by debris | 1e-6
partiallyBlocked | | 5e-5
stuckClosed | Mechanically stuck | 1.5e
stuckOpen | Mechanically stuck |

Deviations of flow at valve output
Output deviation | Causes
Omission | Omission of flow (b) or Low control (a)
Commission | Commission of flow, High control
Low flow | High-b
High flow | High-a
Early | Early flow
Late | Late flow
9
Fault Tree Synthesis via traversal of the model and its annotations
10
Synthesis of FMEAs in HiP-HOPS
The network of interconnected fault trees is reduced into a table of direct relationships between component and system failures
11
Resultant analyses identify weak points in a design, i.e.
Components that represent single points of failure
Hazardous dependencies between functions
Can be used to establish system reliability, availability
Have some advantages over manual analyses:
FMEA records the effect of combinations of failures
Produced with less effort
Produced from the system model, evolve with the model, and ensure consistency between design and analysis
12
Architecture Optimisation
How can system dependability be improved when requirements are not met?
Substitute components & sub-systems, replicate, increase frequency of maintenance
Which solution achieves minimal cost? A hard multi-objective optimisation problem with conflicting objectives
13
Multi-objective optimisation problem
Find a design solution x within the space of possible designs which optimises a vector of objective functions f(x) = [safety(x), reliability(x), cost(x), …, weight(x)].
Search for Pareto optimal (i.e. non-dominated) solutions
A solution x1 dominates another solution x2 if x1 matches or exceeds x2 in all objectives.
14
Pareto Optimality [Figure: candidate designs plotted as Cost vs Reliability; the non-dominated ones form the Pareto front]
15
Evolutionary Design Optimisation Algorithms
[Figure: model with variants, cost, weight and failure data feed HiP-HOPS (dependability analysis, cost analysis, weight) coupled with a Genetic Algorithm; the output is a Pareto frontier, a set of optimised models]
16
Optimisation in Action (video)
17
A New Rationale about Safety in Modern Safety Standards
Why wait for a detailed design to assess whether safety requirements have been met? Why risk failing and needing to redesign?
Why not have a top-down safety-driven design process in which safety requirements can be optimally allocated to subsystems and components during refinement?
Many standards like IEC 61508, ARP4754 and ISO 26262 define similar processes to achieve this goal
18
Modern standards use the concept of safety requirements in the centre of a process where safety is a controlled attribute. They start with elicitation and then move to progressive allocation of the system safety requirements to the architecture during its design refinement.
19
Requirements as Safety Integrity Levels (SILs)
Requirement allocation is facilitated by the concept of SIL
SILs are classification levels indicating safety requirements
Used by IEC and other safety standards including ISO (Automotive SILs or ASILs)
Five levels: SIL0 - SIL zero - strictest
Standards define failure probability targets and define sets of techniques to apply to meet different levels
20
SILs: how they are used
SILs are assigned to system-level safety functions via risk analysis
Allocated to elements of the system architecture
Decomposed: a process in which architectural elements can be assigned lower SILs that combined can fulfil the SIL of their parent function, as in fault tolerant architectures
21
ASIL (automotive) allocation rules
If a function F is delivered by components C(i) in series, i.e. any component failure causes system failure, then for all i: ASIL C(i) = ASIL F
If a function F is delivered by components C(i) in parallel, i.e. all must fail for the system to fail, then ∑(i) ASIL C(i) = ASIL F
22
Simple ASIL Allocation & Decomposition Example
[Figure: function delivered by Sensor, ECU1 (Calculation), ECU2, Actuator, Safety Element and Low Risk Element; every element initially carries ASIL 4]
23
Simple ASIL Allocation & Decomposition Example
[Figure: the same architecture after decomposition; with Safety Element 1 and Safety Element 2 introduced, elements now carry ASILs such as 4, 3, 2, 1 and A instead of 4 everywhere]
24
Why worth automating this process of allocation?
Allocation is hard when multiple safety functions are delivered over complex networked architectures
Decomposition creates options that have different costs. These multiply combinatorially.
The process can be automated, making it possible to find cost-optimal SIL allocations.
25
Example: system “S” provides two functions, F1 and F2
Each function has two malfunctions:
- O (Omission or loss of function)
- C (Commission or inadvertent delivery of function)
[Figure: S with outputs F1(O), F1(C), F2(O), F2(C)]
26
Hazards & SILs: hazard analysis has determined the SILs that must be assigned in relation to each malfunction:
F1(O) = 4
F1(C) = 1
F2(O) = 3
F2(C) = 1
27
Question: how do we proceed?
Would it be right to say that the SIL of S = 4, and thus all components of S should be designed at SIL 4?
28
Alternative way of allocation
A more economical allocation can be achieved if we try a more refined assignment of SILs
For example, elements that contribute only to F1(C) with SIL 1 can be allocated SIL 1
To establish the contribution of failures of elements to system malfunctions we can use fault trees
These fault trees can be produced from models by HiP-HOPS
29
Hierarchically Performed Hazard Origin and Propagation Studies (HiP-HOPS)
System Model + Local failure logic of components => (Fault Tree Synthesis Algorithm) => Global view of failure: system failures traced to component failures
30
Automatic SIL allocation process
Each element of the architecture is examined for plausible errors E(i) at outputs. For each E(i):
- assume one collective internal cause c(i)
- examine plausible errors E(j) received at inputs
- determine how E(i) is caused by a logical expression connecting c(i) and E(j)
This local failure logic reflects the design intention.
Fault trees are constructed and SIL allocation follows, examining cut sets and applying the allocation rules of the standard
31
Architecture of “S” and Failure Modeling
[Figure: elements E1 ... E6 connected into system S; hazards F1(O) = 4, F1(C) = 1, F2(O) = 3, F2(C) = 1]
Local failure logic per element (o, c: internal causes; E(O), E(C): errors received at inputs; O, C: output errors):
O = o + E2(O), C = c + E2(C)
O = o + E2(O) + E5(O), C = c + E2(C) + E5(C)
O-all = o + E3(O).E4(O), C-all = c + E3(C) + E4(C)
O = o + E4(O), C = c + E4(C)
O = o, C = c
32
Fault propagation: HiP-HOPS fault trees
Fault trees for the four functional failures & their cut sets:
F1(O) = E1o + E2o + E3o.E4o   [1] ASIL = 4
F1(C) = E1c + E2c + E3c + E4c   [2] ASIL = 1
F2(O) = E6o + E2o + E4o + E5o   [3] ASIL = 3
F2(C) = E6c + E2c + E3c + E4c + E5c   [4] ASIL = 1
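The traversal described on the two preceding slides, as an added example (not HiP-HOPS' own code): each element's local failure logic is substituted backwards from the system outputs until only component failures remain, and the resulting cut sets are minimised by absorption, reproducing the four fault trees above. The assignment of the slide's expressions to elements E1 to E6 and the connections between them are an assumption reconstructed from those trees, since the diagram is not in the text.

```python
from itertools import product

# Local failure logic per (element, output deviation), transcribed from the deck.
# A cut set mixes internal causes ("E2o") and deviations received at inputs
# (("E3", "O")). Which expression belongs to which element is an ASSUMPTION:
# the slide's diagram is not in the text, so the topology is reconstructed
# from the fault trees the deck reports (E3, E4 -> E2; E4 -> E5; E2, E5 -> E6; E2 -> E1).
LOCAL_LOGIC = {
    ("E1", "O"): [{"E1o"}, {("E2", "O")}],               # O = o + E2(O)
    ("E1", "C"): [{"E1c"}, {("E2", "C")}],               # C = c + E2(C)
    ("E2", "O"): [{"E2o"}, {("E3", "O"), ("E4", "O")}],  # O-all = o + E3(O).E4(O)
    ("E2", "C"): [{"E2c"}, {("E3", "C")}, {("E4", "C")}],
    ("E3", "O"): [{"E3o"}], ("E3", "C"): [{"E3c"}],      # sources: O = o, C = c
    ("E4", "O"): [{"E4o"}], ("E4", "C"): [{"E4c"}],
    ("E5", "O"): [{"E5o"}, {("E4", "O")}],               # O = o + E4(O)
    ("E5", "C"): [{"E5c"}, {("E4", "C")}],
    ("E6", "O"): [{"E6o"}, {("E2", "O")}, {("E5", "O")}],
    ("E6", "C"): [{"E6c"}, {("E2", "C")}, {("E5", "C")}],
}
# The four functional failures of S are deviations at the outputs of E1 and E6.
SYSTEM_FAILURES = {"F1(O)": ("E1", "O"), "F1(C)": ("E1", "C"),
                   "F2(O)": ("E6", "O"), "F2(C)": ("E6", "C")}


def minimise(cut_sets):
    """Boolean absorption: a cut set that contains another cut set is redundant."""
    unique = {frozenset(cs) for cs in cut_sets}
    return sorted((set(cs) for cs in unique if not any(o < cs for o in unique)),
                  key=sorted)


def synthesise(deviation, logic, seen=()):
    """Traverse the model backwards from an output deviation: every input
    deviation in a local cut set is replaced by the cut sets of the element
    that produces it (an AND of alternatives expands as a cross product)."""
    if deviation in seen:  # the traversal assumes an acyclic propagation model
        raise ValueError(f"feedback loop at {deviation}")
    expanded = []
    for local in logic[deviation]:
        parts = [synthesise(t, logic, seen + (deviation,)) if isinstance(t, tuple)
                 else [{t}] for t in local]
        expanded.extend(set().union(*combo) for combo in product(*parts))
    return minimise(expanded)


def system_fault_trees(logic=LOCAL_LOGIC, failures=SYSTEM_FAILURES):
    """Minimal cut sets of each system-level failure, as on the slide above."""
    return {name: synthesise(dev, logic) for name, dev in failures.items()}
```

Note how E3o.E4o is absorbed by the single-point E4o in F2(O): the same redundancy that protects F1 is bypassed by the E4 -> E5 -> E6 path.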
33
Allocation of SILs
F1(O) = E1o + E2o + E3o.E4o   [1] ASIL = 4
F1(C) = E1c + E2c + E3c + E4c   [2] ASIL = 1
F2(O) = E6o + E2o + E4o + E5o   [3] ASIL = 3
F2(C) = E6c + E2c + E3c + E4c + E5c   [4] ASIL = 1
[1] => E1 = 4, E2 = 4, [E3, E4] = [4,0] or [1,3] or [2,2] or [3,1] or [0,4]   [5]
[2] => E1 = 1, E2 = 1, E3 = 1, E4 =   [6]
[5],[6] => E1 = 4, E2 = 4, [E3, E4] = [1,3] or [2,2] or [3,1]   [7]
[3] => E2 = 3, E4 = 3, E5 = 3, E6 =   [8]
[7],[8] => E1 = 4, E2 = 4, E3 = 1, E4 = 3, E5 = 3, E6 =   [9]
[4] => E2 = 1, E3 = 1, E4 = 1, E5 = 1, E6 = 1   [10]
[9],[10] => E1 = 4, E2 = 4, E3 = 1, E4 = 3, E5 = 3, E6 = 3
34
Allocation of SILs to elements
[Figure: elements of S annotated with the allocated SILs 4, 3 and 1 for hazards F1(O) = 4, F1(C) = 1, F2(O) = 3, F2(C) = 1]
The process is automated via heuristics including Genetic Algorithms & Tabu Search that find cost-optimal allocations
SILs can be allocated to functions of an element. The element can be seen as a system. The process can be iterated over a supply chain
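The derivation on the previous slides as an added example (not the HiP-HOPS tool's code): the cut sets of the four hazards become constraints, each taken as a lower bound on the sum of element ASILs, and an exhaustive search picks the cheapest allocation under an assumed cost-per-ASIL table, which reproduces the slide's result E1 = 4, E2 = 4, E3 = 1, E4 = 3, E5 = 3, E6 = 3. It also lists the single points of failure, the FMEA-style view the earlier slides describe.

```python
from itertools import product

# Minimal cut sets per hazard, transcribed from the deck's fault trees [1]-[4]
# (the o/c failure-mode suffix is dropped: the deck allocates one SIL per element).
HAZARDS = {
    "F1(O)": (4, [["E1"], ["E2"], ["E3", "E4"]]),
    "F1(C)": (1, [["E1"], ["E2"], ["E3"], ["E4"]]),
    "F2(O)": (3, [["E6"], ["E2"], ["E4"], ["E5"]]),
    "F2(C)": (1, [["E6"], ["E2"], ["E3"], ["E4"], ["E5"]]),
}
ELEMENTS = sorted({e for _, cs in HAZARDS.values() for c in cs for e in c})

# CONSTRUCTED cost of developing an element to each ASIL (the deck gives no figures).
# Any increasing table works; it is deliberately non-linear, like real effort.
COST = {0: 0, 1: 10, 2: 20, 3: 40, 4: 80}


def single_points_of_failure(hazards):
    """FMEA-style view: element -> hazards it causes on its own (one-element cut sets)."""
    spof = {}
    for hazard, (_, cut_sets) in hazards.items():
        for cs in cut_sets:
            if len(cs) == 1:
                spof.setdefault(cs[0], set()).add(hazard)
    return spof


def satisfies(alloc, hazards):
    """The deck's allocation rules: a single-element cut set must carry the hazard
    ASIL itself (series rule); a multi-element cut set may split it so long as
    the elements' ASILs add up to it (parallel rule)."""
    return all(sum(alloc[e] for e in cs) >= asil
               for asil, cut_sets in hazards.values() for cs in cut_sets)


def optimal_allocation(hazards, elements, cost):
    """Exhaustive search, fine for 6 elements (5**6 candidates); the deck uses
    genetic algorithms and tabu search where this blows up."""
    best, best_cost = None, float("inf")
    for levels in product(range(5), repeat=len(elements)):
        total = sum(cost[lvl] for lvl in levels)
        if total < best_cost:
            alloc = dict(zip(elements, levels))
            if satisfies(alloc, hazards):
                best, best_cost = alloc, total
    return best, best_cost
```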
35
HiP-HOPS supports refinement of design via cost-optimal automatic allocation of system safety requirements (SILs, ASILs, DALs):
System requirements (derived via risk analysis) -> allocated/decomposed -> Subsystem requirements -> allocated/decomposed -> Component requirements
36
This automatic process provided a basis for automating the partial creation of Safety Cases
[Figure: safety case structure]
System meets safety requirements derived through exhaustive risk analysis
Subsystems meet correctly allocated integrity requirements and all model assumptions are met
Components meet correctly allocated integrity requirements and all model assumptions are met
Evidence for the above
37
Safety argument example
[Figure: initial architecture (failure logic shown): Component A (3) AND Component B (1) => 4]
38
Safety argument example
The argument will be automatically updated
[Figure: architecture modification (failure logic shown): Component A, Component B and a new Component C combined through AND and OR gates, with ASILs 3, 4, 1, 4]
39
Potential benefits
Less effort for maintaining safety cases
Better electronic assessment of safety cases by OEMs, suppliers and certifiers
Avoidance of errors caused in manual processes
40
HiP-HOPS Tool
41
HiP-HOPS tool functionalities
Fault tree synthesis and analysis, minimal cut-set calculation, quantitative reliability and availability analysis
Multiple failure mode FMEA (Failure Modes and Effects Analysis) synthesis
Architecture optimisation – component & subsystem selection and replication to meet dependability with minimal costs
Cost-optimal allocation of safety requirements in the form of SILs, DALs etc.
42
HiP-HOPS is Easily Connected to Design Tools
[Figure: design tools (Simulink, ITI’s SimulationX, Metacase, other products; SysML, AADL and EAST-ADL via model transformation from another language) exchange models with the HiP-HOPS Analysis & Optimisation Engine through an XML schema]
43
Key commercial collaborations
HiP-HOPS Dependability Analysis & Optimisation Tool
Safety Designer Tool
New experimental projects on dependability tooling with SEI-intelligence and Metacase (video)
44
Technology transfer with global reach
Taken up by Honda, Toyota, Continental, Fiat, Volvo, Embraer, Honeywell, DNV GL
45
Next: Penguins guard safety in smart cars
Coverage: BBC article, Daily Mail, EE Journal, Automotive IQ, BBC radio interview
[Figure: ASIL D decomposed into lower ASILs (C, B, A), illustrated with penguins]
46
Summary
Shorter life-cycles and increasing complexity demand effective and cost-effective dependability engineering
Model-based engineering can help rationalise and simplify this process
HiP-HOPS is an example of how to simplify aspects of the V-lifecycle
It can complement other design & verification tools in the context of an advanced safety engineering process
Automation needs to be part of addressing new challenges in the context of open Systems of Systems
47
References
Literature review on model-based techniques for dependability analysis:
Sharvia S., Kabir S., Walker M., Papadopoulos Y. (2015) Model-based Dependability Analysis: State-of-the-art, Challenges, and Future Outlook, in Mistrik I. et al. (eds), Software Quality Assurance for Large Scale Systems, Elsevier.
An overview of work on HiP-HOPS with pointers to key papers:
Papadopoulos Y., Walker M., Parker D., Sharvia S., Bottaci L., Kabir S., Azevedo L., Sorokos I. (2016) A Synthesis of Logic and Bio-inspired Techniques in the Design of Dependable Systems, Annual Reviews in Control, 41, Elsevier (extension of plenary paper at IFAC DCDS'15).