Page 1

Integrating Systems: models and fault modes

SESAM meeting, 19 October 2005

Jonas Elmqvist

Real-Time Systems Laboratory

Department of Computer and Information Science

Linköpings universitet, Sweden

Page 2

People involved

• Simin Nadjm-Tehrani – RTSLAB, Linköpings universitet

• Jonas Elmqvist – RTSLAB, Linköpings universitet

• Marius Minea – “Politehnica” University of Timisoara, Romania

• Master thesis students:

– Jerker Hammarberg: High-Level Development and Formal Verification of Reconfigurable Hardware

– Anders Granh: Code Generation from High-level Models of Reactive and Security-intrinsic Systems

– Andreas Eriksson: Model Based Development of an Airbag Software

– Markus Nilsson: A tool for automatic formal analysis of fault tolerance

Page 3

Verification bench

[Figure: verification bench. The Component (In/Out) is connected to the Environment (Out/In); an Observer monitors both and raises Alarm when property p is violated.]

Pattern: Functional verification

• Model of the system

• Model of the environment

• Observer checks whether property p is satisfied

Page 4

Non-occurrence of catastrophic events

Patterns for safety analysis?

Page 5

Traditional FTA/FMEA

• FTA: [fault tree figure, rooted at the top event]

• FMEA: What are the consequences of some particular component's failure?

Subsystem | Failure Mode  | Effects of failure | Cause of failure   | … | Actions           | …

Sensor    | Value Failure |                    | Sensor Malfunction | … | Duplicate sensors | …

Software/Digital hardware

Page 6

Verification bench

[Figure: the same verification bench (Component, Environment, Observer, Alarm, property p), now with fault mode signals fed into the Component.]

Pattern: Fault mode modelling

• Model of a fault

• Fault mode signals

Page 7

Case study: Hydraulic leakage detection system

[Figure: verification bench for the case study. Blocks: H-ECU, PLD1, PLD2, four Valves, and an Observer that raises Alarm. Signals: HS1Sensors, HS2Sensors, HS1B_Closed, HS1C_Closed, HS2B_Closed, HS2C_Closed, ShutOffLow.]

Page 8

Automatic Fault Tree Generation

[Figure: digital components, annotated with the open questions "?" and "Faults?", feeding the automatic generation of a fault tree.]
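The three patterns above (functional verification bench, fault mode modelling, automatic fault tree generation) as one added worked example. This is not code from the presentation or the case study: the component is a hypothetical leakage detector with two redundant sensors under 1-out-of-2 voting and an ECU that latches a shut-off valve closed, the fault mode signal names are assumptions, and the "model checker" is a plain reachability search over the few states such a model has. Two observer properties are checked, one safety property and one availability property, and for each the minimal fault-mode combinations that raise Alarm are generated.

```python
"""Verification bench with fault-mode signals and automatic cut-set generation (added example)."""
from itertools import combinations
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

# Fault mode signals (assumed names): stuck-at sensor readings and a passive ECU.
FAULT_MODES = ("s1_stuck_ok", "s2_stuck_ok", "s1_stuck_leak", "s2_stuck_leak", "ecu_fail")

Faults = FrozenSet[str]
State = Tuple[bool, bool]                        # (valve_closed, leak_seen)
Step = Dict[str, bool]                           # one step of a counterexample trace
Property = Callable[[bool, bool, bool], bool]    # (leak, leak_seen, valve_closed) -> holds?


def environment() -> Tuple[bool, ...]:
    """Model of the environment: in every step a leak may or may not be present."""
    return (False, True)


def component(leak: bool, valve_closed: bool, faults: Faults) -> bool:
    """One synchronous step of the hypothetical detector; returns the new valve_closed."""
    s1 = s2 = leak                                # nominal sensors report the true state
    if "s1_stuck_ok" in faults:                   # fault mode signals override the reading
        s1 = False
    if "s1_stuck_leak" in faults:
        s1 = True
    if "s2_stuck_ok" in faults:
        s2 = False
    if "s2_stuck_leak" in faults:
        s2 = True
    demand = s1 or s2                             # 1-out-of-2 voting: either sensor trips
    if "ecu_fail" in faults:
        demand = False                            # a failed ECU never commands the valve
    return valve_closed or demand                 # the valve latches once closed


def p_shutoff_on_leak(leak: bool, leak_seen: bool, valve_closed: bool) -> bool:
    """Safety property: a leak is answered by a closed valve in the same step."""
    return (not leak) or valve_closed


def p_no_spurious_trip(leak: bool, leak_seen: bool, valve_closed: bool) -> bool:
    """Availability property: the valve is closed only after a leak has been seen."""
    return (not valve_closed) or leak_seen


def verify(faults: Faults, prop: Property) -> Optional[List[Step]]:
    """Observer over every reachable state. Returns None if p holds (no Alarm),
    otherwise the trace of environment/component steps leading to the violation."""
    init: State = (False, False)
    seen = {init}
    stack: List[Tuple[State, List[Step]]] = [(init, [])]
    while stack:
        (valve_closed, leak_seen), trace = stack.pop()
        for leak in environment():
            new_valve = component(leak, valve_closed, faults)
            new_seen = leak_seen or leak
            step = {"leak": leak, "valve_closed": new_valve}
            if not prop(leak, new_seen, new_valve):      # Observer raises Alarm
                return trace + [step]
            nxt = (new_valve, new_seen)
            if nxt not in seen:
                seen.add(nxt)
                stack.append((nxt, trace + [step]))
    return None


def minimal_cut_sets(prop: Property, fault_modes=FAULT_MODES, max_order: int = 3) -> List[Faults]:
    """Automatic fault tree generation: the minimal fault-mode combinations that make the
    Observer raise Alarm. Supersets of a known cut set are skipped because they cannot be
    minimal. For digital logic a superset need not even violate p (ecu_fail masks a
    stuck-at-leak sensor for p_no_spurious_trip), so the tree is not necessarily coherent
    and every other candidate is model checked explicitly."""
    cuts: List[Faults] = []
    for order in range(1, max_order + 1):
        for combo in combinations(fault_modes, order):
            candidate = frozenset(combo)
            if any(cut <= candidate for cut in cuts):
                continue
            if verify(candidate, prop) is not None:
                cuts.append(candidate)
    return cuts


if __name__ == "__main__":
    for name, prop in (("shut-off on leak", p_shutoff_on_leak),
                       ("no spurious trip", p_no_spurious_trip)):
        print(f"{name}: nominal {'holds' if verify(frozenset(), prop) is None else 'FAILS'}")
        for cut in minimal_cut_sets(prop):
            print("  cut set", sorted(cut), "->", verify(cut, prop))
```

With no faults both properties hold. The 1oo2 voting makes the safety property survive any single stuck-at-ok sensor (cut sets {ecu_fail} and {s1_stuck_ok, s2_stuck_ok}) at the price of a spurious trip on any single stuck-at-leak sensor; the same bench with a different observer exposes that trade-off directly, which is the point of keeping the fault modes as explicit signals rather than editing the component model by hand.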

Page 9

Verification bench

[Figure: the verification bench (Component, Environment, Observer, Alarm, property p) with fault mode signals fed into the Component.]

Pattern: Fault mode modelling

Upgrades?

Page 10

Building Systems from Components

• Component-Based Development (CBD) is an emerging trend in system development:

– develop systems out of software components (COTS) and hardware components

• Problem: no component models address safety!

[Figure: a system composed of components C1 … C7, with C´4 shown as a replacement (upgrade) for C4.]

Page 11

Components & Interfaces

• A component is an independent entity (SW or HW) that communicates through well-defined interfaces

• Interfaces should provide all information needed for composition

• What should the analytical interface look like in order to capture safety?

[Figure: component C with model M and interface I.]

M is a model of the behaviour of the component

I is the interface of the component

Page 12

Safety Analysis and CBD

• Traditional safety analysis is performed on the composed system

• Our approach:

– Interfaces capture information about the behaviour of the components in the presence of faults in the system

[Figure: components C1 and C2 each "satisfies" a property of its own; the open question (?) is whether the composition C1 + C2 satisfies p and the system property pS.]
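An added example of the compositional idea on this slide and the upgrade question of pages 9 and 10. The formalisation of a safety interface used here is a simplification made for this illustration, not the one in the SAFECOMP05 paper: per guaranteed output property, an interface records the property it assumes on the component's inputs and the sets of the component's own fault modes under which the guarantee still holds. Component, property and fault names are constructed. The system-level property is then analysed by assume/guarantee chaining over the interfaces alone, so swapping C2 for an upgraded C2' only requires C2''s interface, not a re-analysis of the composed model.

```python
"""Compositional safety analysis from safety interfaces (added, illustrative formalisation)."""
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, FrozenSet, List

Faults = FrozenSet[str]


@dataclass(frozen=True)
class Guarantee:
    assumption: str                 # property the component assumes on its inputs
    tolerates: FrozenSet[Faults]    # sets of its own fault modes under which the guarantee holds


@dataclass
class SafetyInterface:
    name: str
    fault_modes: FrozenSet[str]
    guarantees: Dict[str, Guarantee]   # output property -> guarantee


def fault_sets(*sets: str) -> FrozenSet[Faults]:
    """Build a 'tolerates' set from strings like "a" or "a+b"; the empty fault set
    (nominal behaviour) is always included."""
    return frozenset({frozenset()} | {frozenset(s.split("+")) for s in sets})


def system_tolerates(chain: List[SafetyInterface], system_property: str,
                     env_assumption: str, faults: Faults) -> bool:
    """Assume/guarantee chaining along chain[0] -> chain[1] -> ...: the last component must
    guarantee system_property, each component's assumption must be guaranteed by its
    predecessor, and the first component's assumption must be the environment assumption.
    Only the fault modes a component owns are looked up in its interface."""
    required = system_property
    for comp in reversed(chain):
        guarantee = comp.guarantees.get(required)
        if guarantee is None:
            return False                    # nobody in the chain offers this property
        if (faults & comp.fault_modes) not in guarantee.tolerates:
            return False                    # this fault combination breaks the guarantee
        required = guarantee.assumption
    return required == env_assumption


def system_cut_sets(chain: List[SafetyInterface], system_property: str,
                    env_assumption: str) -> List[Faults]:
    """Minimal fault-mode combinations for which the composed system no longer satisfies
    system_property, computed from the interfaces alone."""
    all_faults = sorted(set().union(*(c.fault_modes for c in chain)))
    cuts: List[Faults] = []
    for order in range(1, len(all_faults) + 1):
        for combo in combinations(all_faults, order):
            candidate = frozenset(combo)
            if any(cut <= candidate for cut in cuts):
                continue                    # a superset of a cut set is never minimal
            if not system_tolerates(chain, system_property, env_assumption, candidate):
                cuts.append(candidate)
    return cuts


# Constructed interfaces (assumed names; not taken from the case study).
SENSOR_UNIT = SafetyInterface(
    name="C1 sensor unit",
    fault_modes=frozenset({"s1_stuck", "s2_stuck"}),
    guarantees={"leak_reported": Guarantee("leak_observable", fault_sets("s1_stuck", "s2_stuck"))},
)
ECU = SafetyInterface(
    name="C2 ECU",
    fault_modes=frozenset({"ecu_fail"}),
    guarantees={"valve_closed_on_leak": Guarantee("leak_reported", fault_sets())},
)
# Upgraded C2' whose (assumed) interface additionally tolerates its own failure.
ECU_UPGRADED = SafetyInterface(
    name="C2' ECU (fail-safe upgrade)",
    fault_modes=frozenset({"ecu_fail"}),
    guarantees={"valve_closed_on_leak": Guarantee("leak_reported", fault_sets("ecu_fail"))},
)

if __name__ == "__main__":
    for chain in ([SENSOR_UNIT, ECU], [SENSOR_UNIT, ECU_UPGRADED]):
        cuts = system_cut_sets(chain, "valve_closed_on_leak", "leak_observable")
        print([c.name for c in chain], "->", [sorted(c) for c in cuts])
```

The chaining also catches composition mismatches: if the environment does not provide the assumption the first component needs, or no component in the chain guarantees the property asked for, the system property is reported as not satisfied even with no faults present.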

Page 13

Current work

• Techniques for component-based safety analysis using safety interfaces

– Methods for generating safety interfaces

– Methods for using safety interfaces for safety analysis

– Case studies?!

Page 14

Related Publications

• J. Elmqvist, S. Nadjm-Tehrani and M. Minea, “Safety Interfaces for Component-Based Systems”, 24th International Conference on Computer Safety, Reliability and Security (SAFECOMP05), September, 2005.

• J. Elmqvist and S. Nadjm-Tehrani, “Intents, Upgrades and Assurance in Model-Based Development”, 2nd RTAS Workshop on Model-Driven Embedded Systems (MoDES’04), May, 2004.

• J. Elmqvist and S. Nadjm-Tehrani, “Intents and Upgrades in Component-Based High-Assurance Systems”, in Model-driven Software Development, Volume II of Research and Practice in Software Engineering, Springer-Verlag.

– Jerker Hammarberg, “High-Level Development and Formal Verification of Reconfigurable Hardware”, 2003

– Jonas Elmqvist, “Analysis of Intent Specification and System Upgrade Traceability”, 2004

– Anders Granh, “Code Generation from High-level Models of Reactive and Security-intrinsic Systems”, 2004

– Andreas Eriksson, “Model Based Development of an Airbag Software”, 2004

– Markus Nilsson, “A tool for automatic formal analysis of fault tolerance”, 2005

Page 15

Questions?

Page 16

Airbag Software

• Characteristics

– Porting from 16 bit (128kb ROM) processor to 32 bit processor (256kb ROM)

– Current code not portable, design not documented

• Studied tools:

– Rhapsody in C, Interrupt driven framework

• MISRA compatible

• Code size roughly twice as big as the hand-written C

– Scade

• Useful for algorithmic parts of the model, e.g. Crash detection

• Assurance aided by formal verification

Page 17

Tiger XS

• Characteristics

– Security-intrinsic communication platform

– Secure applications to run on multiple hardware (PDA, phone, …)

– Security assurance via inspections of generated code

– Multiple OS, preferably no system calls

• Studied tools

– Rhapsody

• Heavy duty

• Not suitable for integration with legacy

– Visual state

• Cumbersome to define user-defined data types

Page 18

Tool chain

[Figure: tool chain diagram. Elements: SCADE (Lustre, State Machines), Simulink, Simulink Gateway, Properties, Model, Design Verifier, NuSMV, Theorem Prover. Legend: "Possible now" / "Perhaps in future".]