A Formal Approach to Fault Tree Synthesis for the Analysis of Distributed Fault Tolerant Systems
M. McKelvin, G. Eirea, C. Pinello (GMBL), S. Kanajan (GM), A. Sangiovanni-Vincentelli
May 11, 2005
http://chess.eecs.berkeley.edu

Motivation
- Synthesis-based methodology for quick design space exploration, enabled by automatic synthesis followed by analysis.
- Automatic synthesis:
  1) The designer specifies the control algorithm, fault behavior and constraints, and selects an architecture.
  2) The synthesis engine deduces the necessary process replication, distributes each process onto the architecture, and derives a fault tolerant schedule satisfying the constraints.
- Analysis:
  1) Timing verification/analysis (worst case execution time, time-out values).
  2) Dependability analysis (e.g. mean-time-to-failure rate, sensitivity, minimal cut sets).
  3) Analysis metrics provide hints to the designer.
- The design flow is centered around Fault Tolerant Data Flow (FTDF) as the mathematical model (model of computation).
- Fault trees are models commonly used to analyze dependability metrics:
  - They are typically generated manually from requirement documents.
  - The manual process is time consuming, difficult, and informal.
  - It increases the turn-around time to analyze fault trees of different system mappings.

Revisit the Design
[Figure: synthesis-based design flow. Functionality (control algorithm using FTDF: Sens, Input, Coarse CTRL x2, Fine CTRL, Arbiter Best x2, Output, Act, Plant) and Architecture (ECU0, ECU1, ECU2, channels CH0, CH1) feed Mapping + Scheduling under the specified Fault behavior + Constraints; the mapped design is fed to Timing Analysis, Dependability Analysis (Fault tree synthesis, then Fault tree analysis) and Other Analysis Techniques, which produce Metric Scores.]
Synthesis-based design flow with integrated analysis techniques to enable design exploration.
Fault Tolerant Data Flow (FTDF)
- A mathematical formalism (model of computation) for describing periodic feedback control systems.
- Synchronous Data Flow (SDF) variant:
  - Deterministic behavior.
  - An SDF actor requires the presence of all inputs to execute (fire), i.e. the firing rule for a 3-input actor is U = {(*, *, *)}.
  - Statically schedulable.
  - Suitable for periodic algorithms.
- FTDF specific:
  - Actors are typed and annotated with a criticality level (e.g. sensor, input, arbiter).
  - Communication media are one-place buffers. They may have fan-in (inputs) from redundant sources (replicas), which manages redundant sources and destinations and is an abstraction for error detection and recovery.
  - Input and Arbiter type actors may have partial firing rules, i.e. for a 3-input Arbiter actor the firing rule U = {(*, *, *), (⊥, *, *), (*, ⊥, *), (*, *, ⊥)} specifies that the actor may fire if 2-out-of-3 inputs are present. (Note: "⊥" means not present, "*" means present.)

Problem Statement
Given a redundant mapped FTDF schedule, generate a fault tree using fault event logic to analyze dependability metrics of the mapped system.

Assumptions
- A fault event in a node of an FTDF graph results in fail silence. Fail silence: the node produces correct results or produces no results at all.
- Fault events are generated by:
  - ECU (electronic control unit) faults
  - Communication channel faults
  - Actuator or sensor faults
  These are denoted as basic events.

Fault Tree Analysis
- Top-down approach to failure analysis using a tree model called a fault tree.
- Static fault tree components:
  - Top-level event: the root of the tree, representing an undesirable, unrecoverable system failure as specified by the designer.
  - Logic gates: define Boolean relationships amongst input and output events.
  - Basic events: leaves of the tree that represent initiating events in the architecture (ECU, channel, sensor, and actuator faults).
- A fault tree determines all the ways the top-level event may occur in terms of basic events.
- Common tools can be used to derive dependability metrics from a fault tree, e.g. Item Toolkit (Item Software), Galileo (Univ. of Virginia), Relex Fault Tree (Relex Software Corp).

Fault Tree Synthesis
[Figure: Fault Tree Generation Algorithm, applied to the mapped FTDF schedule of the pendulum example (ECU0, ECU1, ECU2; channels CH0, CH1; actors Sens, Input, Coarse CTRL x2, Fine CTRL, Arbiter Best x2, Output, Act).]
Mapped FTDF schedule of the pendulum example.

Analysis Results* (Pendulum Case Study)
- Designer-specified fault behavior for different mappings, and the resulting dependability metrics.
- Minimal cut set for mapping 1. This analysis identifies the minimal combinations of events that lead to a system failure.
- Sensitivity metric (using Barlow-Proschan importance) for each basic event per mapping.
* Graphical fault tree and analysis results were generated by the Item Toolkit courtesy of Rick Clemons and Joe Wysocki of Hughes Research Laboratory.

Sample fault tree generated by fault tree synthesis, given in graphical format.
[Figure: synthesized fault tree. Legend: Top-level event: unrecoverable system failure. Logic gates: define Boolean relationships amongst input and output events. Basic events: initiating events. Transfer gate: graphical placeholder for sub trees.]
Events shown in the figure:
- SystemFault: specified to be the failure of all actuators in the model.
- c1actm0(ecu0)Fault: unable to deliver updated command to the plant from actuator driver c1actm0 on ecu0.
- c1actm0(ecu0)HW_FAULT: basic event, hardware failure of actuator c1actm0 located on ECU ecu0.
- ecu0ECU_FAULT: basic event, hardware failure of ECU ecu0.
- Input(?i0)Ofc1actm0(ecu0)Fault: missing input value (assuming fail silence) on input port ?i0 of actor c1actm0 located on ECU ecu0.
- c0ou1b(ecu2)Fault: cannot fire actor c0ou1b located on ECU ecu2.
- c1actm1(ecu2)Fault: unable to deliver updated command to the plant from actuator driver c1actm1 on ecu2.
- c1actm1(ecu2)HW_FAULT: basic event, hardware failure of actuator c1actm1 located on ECU ecu2.
- ecu2ECU_FAULT: basic event, hardware failure of ECU ecu2.

Conclusions
- The design flow enables design space exploration: different designs can be quickly analyzed and offer hints to the designer.
- It enables formal specification and verification of fault tolerant systems using a correct-by-construction flow.
- Greater separation of concerns (application, architecture, fault behavior), hence model reuse.
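As an added illustration of the synthesis problem and the fault tree analysis described above (this is constructed example code, not the poster's tool or the pendulum case study), the script below builds a fault tree from a small mapped FTDF graph under the fail-silence assumption and then enumerates minimal cut sets for the top-level event "all actuators fail". The two-ECU mapping, the actor names, the single channel ch0 and the channel basic-event name chXCH_FAULT are assumptions; the ECU and actuator/sensor event names follow the naming visible in the poster's sample tree. Each actor's fault is an OR of its ECU fault, its own hardware fault (sensors and actuators only) and a firing-rule violation; a k-of-n firing rule is violated once n-k+1 input ports carry no value, and a port carries no value only when every redundant replica feeding it is silent or its channel has failed. Subtrees are memoized per actor, which plays the role of the transfer gates in the graphical tree.

```python
"""Fault tree synthesis from a mapped FTDF graph plus minimal cut set
extraction.  Constructed illustration; not the CHESS/GM tool's code."""
from itertools import combinations

# Constructed two-ECU mapping (assumption, not the pendulum case study).
# Per actor: the ECU it is mapped on, whether it has its own hardware fault
# basic event (sensors and actuators), the firing rule k (minimum number of
# input ports that must carry a value) and the input ports.  A port lists its
# redundant sources as (actor, channel); channel is None for a local source.
ACTORS = {
    "sens0": dict(ecu="ecu0", hw=True,  k=0, ports=[]),
    "sens1": dict(ecu="ecu1", hw=True,  k=0, ports=[]),
    "inp0":  dict(ecu="ecu0", hw=False, k=1, ports=[[("sens0", None)], [("sens1", "ch0")]]),
    "inp1":  dict(ecu="ecu1", hw=False, k=1, ports=[[("sens0", "ch0")], [("sens1", None)]]),
    "ctrl0": dict(ecu="ecu0", hw=False, k=1, ports=[[("inp0", None), ("inp1", "ch0")]]),
    "ctrl1": dict(ecu="ecu1", hw=False, k=1, ports=[[("inp0", "ch0"), ("inp1", None)]]),
    "act0":  dict(ecu="ecu0", hw=True,  k=1, ports=[[("ctrl0", None), ("ctrl1", "ch0")]]),
    "act1":  dict(ecu="ecu1", hw=True,  k=1, ports=[[("ctrl0", "ch0"), ("ctrl1", None)]]),
}
ACTUATORS = ["act0", "act1"]   # SystemFault := all actuators fail

# Fault tree nodes:  ("BASIC", name) | ("OR", kids) | ("AND", kids)
#                    | ("ATLEAST", m, kids)  -- true when >= m kids are true


def actor_fault(name, memo):
    """Synthesize the event 'actor <name> delivers no value' (fail silence).
    memo reuses already synthesized subtrees, like transfer gates."""
    if name in memo:
        return memo[name]
    a = ACTORS[name]
    causes = [("BASIC", f"{a['ecu']}ECU_FAULT")]
    if a["hw"]:
        causes.append(("BASIC", f"{name}({a['ecu']})HW_FAULT"))
    if a["ports"]:
        missing_ports = []
        for port in a["ports"]:
            # a port is missing only when every redundant source on it is
            # missing: the source actor failed or its channel failed
            sources_missing = []
            for src, ch in port:
                src_missing = [actor_fault(src, memo)]
                if ch is not None:
                    src_missing.append(("BASIC", f"{ch}CH_FAULT"))  # assumed name
                sources_missing.append(("OR", src_missing))
            missing_ports.append(("AND", sources_missing))
        # a k-of-n firing rule is violated once n-k+1 ports are missing
        n, k = len(a["ports"]), a["k"]
        causes.append(("ATLEAST", n - k + 1, missing_ports))
    memo[name] = ("OR", causes)
    return memo[name]


def synthesize():
    """Top-level event: every actuator fails to deliver a command."""
    memo = {}
    return ("AND", [actor_fault(act, memo) for act in ACTUATORS])


def evaluate(tree, failed):
    """Does the event hold when exactly the basic events in `failed` occur?"""
    kind = tree[0]
    if kind == "BASIC":
        return tree[1] in failed
    if kind == "OR":
        return any(evaluate(c, failed) for c in tree[1])
    if kind == "AND":
        return all(evaluate(c, failed) for c in tree[1])
    if kind == "ATLEAST":
        return sum(evaluate(c, failed) for c in tree[2]) >= tree[1]
    raise ValueError(f"unknown gate {kind}")


def basic_events(tree, acc=None):
    """Collect the names of all basic events (leaves) in the tree."""
    acc = set() if acc is None else acc
    if tree[0] == "BASIC":
        acc.add(tree[1])
    else:
        for c in tree[-1]:
            basic_events(c, acc)
    return acc


def minimal_cut_sets(tree):
    """Smallest combinations of basic events that make the top event true.
    Exhaustive over subsets, so only for small trees; sizes ascend so every
    superset of an already found cut set is skipped as non-minimal."""
    events = sorted(basic_events(tree))
    cuts = []
    for size in range(1, len(events) + 1):
        for combo in combinations(events, size):
            s = frozenset(combo)
            if any(c <= s for c in cuts):
                continue
            if evaluate(tree, s):
                cuts.append(s)
    return cuts


def cut_set_sizes(cuts):
    """Histogram {size: count}: how many independent faults the design survives."""
    hist = {}
    for c in cuts:
        hist[len(c)] = hist.get(len(c), 0) + 1
    return hist


if __name__ == "__main__":
    tree = synthesize()
    for cut in minimal_cut_sets(tree):
        print(sorted(cut))
```

For this constructed mapping no single basic event is a cut set, so the design tolerates any one fault; the size-3 cut sets are the ones that need the channel to fail together with a sensor on one ECU and the actuator on the other, which is exactly the kind of hint about where redundancy is thin that the poster's dependability analysis is meant to surface.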