Abstract
Cyber-physical systems, used in domains such as avionics or medical devices, perform critical functions where a fault might have catastrophic consequences (mission failure, severe injuries, etc.). Their development is guided by rigorous practice standards that prescribe safety analysis methods in order to verify that failures have been correctly evaluated and/or mitigated. This labor-intensive practice typically focuses system safety analysis on system engineering activities.
As reliance on software for system operation grows, embedded software systems have become a major source of hazard contributors. Studies show that late discovery of errors in embedded software systems has resulted in costly rework, making up as much as 50% of the total software system cost. Automation of the safety analysis process is key to extending safety analysis to the software system and to accommodating system evolution.
In this paper we discuss three elements that are key to safety analysis automation in the context of fault tree analysis (FTA). First, generating fault trees from annotated architecture models ensures that architecture changes are consistently reflected in the safety analysis results. Second, using a taxonomy of failure effects ensures coverage of potential hazard contributors. Third, common cause failures are identified from architecture information and reflected appropriately in probabilistic fault tree analysis. The approach utilizes the SAE Architecture Analysis & Design Language (AADL) standard and the recently published revised Error Model Annex V2 (EMV2) standard to represent annotated architecture models of systems and embedded software systems.
The approach takes into account error sources, specified with the EMV2 error propagation type taxonomy and their occurrence probabilities, as well as direct and indirect propagation paths between system components identified in the architecture model. From these it generates a fault graph and transforms it into a fault tree representation that supports common mode analysis, cut set determination and probabilistic analysis.
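The pipeline described above (annotated architecture model, fault graph, fault tree, minimal cut sets, probability with common cause failures accounted for) can be illustrated with a small worked example. The code below is an added illustration written for this page; it is not the paper's OSATE/EMV2 tooling and it does not implement EMV2 error type semantics. The component names (PSU, SensorA, SensorB, Voter), the occurrence probabilities and the "combine" field, which stands in for a component's composite error behaviour (OR: any failed input propagates; AND: all inputs must fail, i.e. redundancy), are constructed assumptions. The point it shows is the third element in the abstract: two redundant sensors that share one power supply look independent in a naive analysis, but once the shared supplier is kept as a single repeated basic event, the cut set {PSU.fail} is a single point of failure and the top-event probability is roughly ten times higher.

```python
"""Added example (not the paper's tooling): generate a fault tree from a toy
annotated architecture model, derive minimal cut sets, and compute the top-event
probability with and without treating a shared supplier as a common cause."""
from fractions import Fraction
from itertools import combinations

class Event:
    """Basic event: a component's own error source with its occurrence probability."""
    def __init__(self, name, prob):
        self.name, self.prob = name, prob

class Gate:
    """AND/OR gate over child events or gates."""
    def __init__(self, kind, children):
        assert kind in ("AND", "OR")
        self.kind, self.children = kind, children

# Constructed toy model (hypothetical component names and probabilities).
# Each component has an internal error source and the upstream components whose
# failure propagates to it. "combine" stands in for composite error behaviour:
# OR = any input failure propagates, AND = all inputs must fail (redundancy).
# Both sensors draw from one power supply, which is the common cause.
MODEL = {
    "PSU":     {"source": Fraction(1, 10_000),  "inputs": [],                     "combine": "OR"},
    "SensorA": {"source": Fraction(1, 1_000),   "inputs": ["PSU"],                "combine": "OR"},
    "SensorB": {"source": Fraction(1, 1_000),   "inputs": ["PSU"],                "combine": "OR"},
    "Voter":   {"source": Fraction(1, 100_000), "inputs": ["SensorA", "SensorB"], "combine": "AND"},
}

def build_tree(model, comp, shared=True, path=()):
    """Fault tree for 'comp fails'. With shared=True a component reached via
    several propagation paths is the SAME basic event (common cause kept);
    with shared=False every path gets its own copy (the naive, optimistic analysis)."""
    spec = model[comp]
    name = f"{comp}.fail" if shared else f"{comp}.fail@{'/'.join(path) or 'top'}"
    own = Event(name, spec["source"])
    if not spec["inputs"]:
        return own
    subtrees = [build_tree(model, i, shared, path + (comp,)) for i in spec["inputs"]]
    return Gate("OR", [own, Gate(spec["combine"], subtrees)])

def cut_sets(node):
    """All cut sets (frozensets of basic-event names): OR unions the children's
    cut sets, AND takes the union of one cut set from every child."""
    if isinstance(node, Event):
        return {frozenset([node.name])}
    child_sets = [cut_sets(c) for c in node.children]
    if node.kind == "OR":
        return set().union(*child_sets)
    result = {frozenset()}
    for cs in child_sets:
        result = {a | b for a in result for b in cs}
    return result

def minimal_cut_sets(sets):
    """Drop any cut set that strictly contains another one."""
    return {s for s in sets if not any(o < s for o in sets)}

def basic_event_probs(node, acc=None):
    """Collect name -> probability for every basic event in the tree."""
    acc = {} if acc is None else acc
    if isinstance(node, Event):
        acc[node.name] = node.prob
    else:
        for c in node.children:
            basic_event_probs(c, acc)
    return acc

def top_event_probability(mcs, probs):
    """Exact P(top) by inclusion-exclusion over the minimal cut sets, assuming
    independent basic events (a repeated event counts once, not twice)."""
    mcs = list(mcs)
    total = Fraction(0)
    for k in range(1, len(mcs) + 1):
        sign = 1 if k % 2 else -1
        for combo in combinations(mcs, k):
            p = Fraction(1)
            for e in frozenset().union(*combo):
                p *= probs[e]
            total += sign * p
    return total

def analyze(model, top, shared=True):
    """Return (minimal cut sets, exact top-event probability) for `top` failing."""
    tree = build_tree(model, top, shared)
    mcs = minimal_cut_sets(cut_sets(tree))
    return mcs, top_event_probability(mcs, basic_event_probs(tree))

if __name__ == "__main__":
    for shared in (True, False):
        mcs, p = analyze(MODEL, "Voter", shared)
        print("common cause kept" if shared else "common cause ignored")
        for cs in sorted(mcs, key=sorted):
            print("  cut set:", sorted(cs))
        print(f"  P(Voter fails) = {float(p):.3e}")
```

With the shared supplier kept as one event, the minimal cut sets are {Voter.fail}, {SensorA.fail, SensorB.fail} and {PSU.fail}; the supersets {SensorA.fail, PSU.fail} and {SensorB.fail, PSU.fail} collapse away during minimization. Splitting the supplier into one copy per propagation path instead yields five cut sets, all of order two except {Voter.fail}, and a top-event probability of about 1.1e-5 rather than about 1.1e-4. This is exactly the under-estimate that architecture-driven common cause identification is meant to prevent; the real tooling would derive the shared dependency from binding and connection information in the AADL model rather than from a hand-written table.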