Published by Steven Clarke, modified over 9 years ago
Slide 1: Checking Fault Tolerance in Safety and Security-Critical Systems
Slide 2: Aim: To Predict the Effects of Component Failures

The problem: component faults (controller, sensor, button) can lead to a safety / security violation.
The solution: model checking to identify unsafe behaviour, i.e. automatic Failure Modes and Effect Analysis (FMEA).
Slide 3: Step 1: Identify the Safety/Security Requirements

Method overview (diagram):
  Safety and Security Requirements -> Formalised Temporal Logic Formulae
  System Model + Component Fault Modes -> System Model with Injected Component Fault Modes
  Automatic Model Checking -> Either: Identified unsafe behaviours
                              Or: Verification that the Injected Component Faults do not lead to unsafe behaviour

Th1: Uncommanded closing: Plunger should not start falling without the operator pressing the button.
Th2: Motor on below PONR: The motor should not turn on when the plunger is falling below the PONR.
Th3: Loss of abort: If the plunger is falling above the PONR and the operator releases the button, the motor should turn on.
Th4: Plunger falling before reaching the top: The motor should not turn off unless the plunger is at the top.
Slide 4: Step 2: Formalise the Safety/Security Requirements

The four requirements Th1-Th4 as temporal logic theorems (G = globally, F = finally, U = until):

  th1: THEOREM behavior |- G((plunger=plunger_at_top AND operator=operator_released_button) => (electric_Motor=electric_Motor_on));
  th2: THEOREM behavior |- G((plunger=plunger_falling_fast) => (electric_Motor=electric_Motor_off));
  th3: THEOREM behavior |- G(F(plunger=plunger_falling_fast)) => G((plunger=plunger_falling_slow AND operator=operator_released_button) => U(plunger=plunger_falling_slow, electric_Motor=electric_Motor_on));
  th4: THEOREM behavior |- G(NOT((plunger=plunger_rising_below_PONR OR plunger=plunger_rising_above_PONR) AND (electric_Motor=electric_Motor_off)));
Slide 5: Step 3: Model the System Behaviour

(Same overview diagram, requirements Th1-Th4 and theorems th1-th4 as on the previous slides; the System Model box is now filled in.)
Slide 6: Step 4: Model the Component Fault

(Same overview diagram, requirements and theorems as before; the Component Fault Modes box is now filled in.)
Slide 7: Fault injection is automatic

(Same overview diagram, requirements and theorems as before; the System Model with Injected Component Fault Modes is produced automatically from the system model and the fault modes.)
Slide 8: The Tool checks whether the Safety Requirement is met

(Same overview diagram, requirements and theorems as before; Automatic Model Checking runs the formalised theorems against the model with injected faults.)
Slide 9: Example Violation of Safety Requirement

Fault: faulty sensor.
Unsafe behaviour: motor turned on while the plunger is falling past the point of no return.
Result: motor may explode, operator in danger.
Slide 10: The Tool identifies an Unsafe Behaviour

(Same overview diagram, requirements and theorems as before.) Automatic Model Checking takes the "Either" branch: an unsafe behaviour is identified, i.e. a hazard has occurred.
Slide 11: In summary: Predicting Effects of Component Failures

  - Identify the impact of component faults
  - Identify the paths leading to unsafe behaviour
  - Automates Failure Mode and Effect Analysis (FMEA)
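As an added worked example (not part of the presentation or its tool), the following Python script carries steps 1 to 4 and the model-checking step through on a tiny press model. The plunger, operator and motor state names follow the slides, but the plunger dynamics, the controller rule, the initial state and the "stuck at top" sensor fault mode are constructed assumptions. Requirements th1, th2 and th4 are the G(...) theorems restated as state invariants; th3 uses "until" and is left out. A breadth-first search over the reachable states acts as the model checker and returns the shortest counterexample path, which is the "path leading to unsafe behaviour" the summary slide refers to.

```python
"""Added example: explicit-state model checking of a press controller with an injected
sensor fault, i.e. a tiny automatic FMEA. The plunger/operator/motor names follow the
slides, but the plunger dynamics, the controller rule and the 'stuck_at_top' fault mode
are constructed assumptions, not the presentation's model."""
from collections import deque

BUTTONS = ("pressed", "released")


def plunger_next(plunger, motor):
    """Assumed physical dynamics: one step of plunger motion under the current motor state."""
    if plunger == "at_top":
        return "at_top" if motor == "on" else "falling_slow"
    if plunger == "falling_slow":
        return "rising_above_PONR" if motor == "on" else "falling_fast"
    if plunger == "falling_fast":
        return "rising_below_PONR"  # bottom reached, return stroke begins
    if plunger == "rising_below_PONR":
        return "rising_above_PONR" if motor == "on" else "falling_fast"
    return "at_top" if motor == "on" else "falling_fast"  # rising_above_PONR


def controller(sensed, button):
    """Assumed controller rule: motor command from the sensed position and the button only."""
    if sensed == "at_top":
        return "off" if button == "pressed" else "on"  # hold at top unless commanded
    if sensed == "falling_slow":
        return "on" if button == "released" else "off"  # abort on release above the PONR
    if sensed == "falling_fast":
        return "off"  # below the PONR the motor must stay off
    return "on"  # rising: keep pulling up


def sensor(plunger, fault):
    """Injected fault mode: None is nominal; 'stuck_at_top' reports at_top whatever the position."""
    return "at_top" if fault == "stuck_at_top" else plunger


# The G(...) safety theorems from the slides, restated as state invariants over
# (plunger, operator, motor). th3 uses U (until) and is not a plain invariant, so it is left out.
REQUIREMENTS = {
    "th1": lambda p, o, m: not (p == "at_top" and o == "released") or m == "on",
    "th2": lambda p, o, m: p != "falling_fast" or m == "off",
    "th4": lambda p, o, m: not p.startswith("rising") or m == "on",
}


def successors(state, fault):
    """Plunger moves under the motor state set last step; the operator picks a button
    nondeterministically; the controller then reacts to the (possibly faulty) sensor reading."""
    plunger, _operator, motor = state
    moved = plunger_next(plunger, motor)
    for button in BUTTONS:
        yield (moved, button, controller(sensor(moved, fault), button))


def check(req, fault=None, init=("at_top", "released", "on")):
    """Breadth-first exploration of the reachable state space. Returns None when the invariant
    holds in every reachable state, else the shortest counterexample trace ending in the violation."""
    parent = {init: None}
    queue = deque([init])
    while queue:
        state = queue.popleft()
        if not REQUIREMENTS[req](*state):
            trace = []
            while state is not None:
                trace.append(state)
                state = parent[state]
            return trace[::-1]
        for nxt in successors(state, fault):
            if nxt not in parent:
                parent[nxt] = state
                queue.append(nxt)
    return None


def fmea(faults=(None, "stuck_at_top")):
    """Automatic FMEA table: every fault mode checked against every requirement."""
    return {(fault, req): check(req, fault) for fault in faults for req in REQUIREMENTS}


if __name__ == "__main__":
    for (fault, req), trace in fmea().items():
        verdict = "holds" if trace is None else "VIOLATED: " + " -> ".join(map(str, trace))
        print(f"fault={fault!s:13} {req}: {verdict}")
```

With the nominal sensor all three invariants hold on every reachable state. With the injected "stuck at top" fault the checker reports th2 violated by the path at_top -> (button pressed, plunger starts falling) -> falling_slow -> (button released while the sensor still reports at_top) -> falling_fast with the motor on, which is the slide 9 scenario; th4 is also violated, while th1 still holds, which is the point of running every fault mode against every requirement rather than inspecting one hazard by hand.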