Page 1
Components and safety interfaces
Jonas Elmqvist
jonel@ida.liu.se
Real-Time Systems Laboratory
Department of Computer and Information Science
Linköpings universitet
Sweden
TDDB47
November 18, 2005
1 of 11

Outline
• What is safety?
• Introduction to safety analysis
• Component-Based System Development
• What is a component?
• Safety Analysis of Component-Based Systems
What is safety?
• Standard definition:
Safety is the absence of catastrophic consequences on the user and the environment

Safety Analysis
• During the development process:
– Identify hazards, or top level failures
– Define safety properties
– Identify potential faults
• Fault Tree Analysis (FTA)
– Mapping all possible causes to top-level failures
• Failure Modes and Effects Analysis (FMEA)
– Studying the effects of failures inside the system
1. under “normal” operation
2. when faults in the environment or in the system are present
[Figure: fault tree with the Hazard at the top, combined through or/and gates down to the causes of failure, e.g. Sensor Malfunction]

[Table: FMEA worksheet]
Subsystem   Failure Mode    Effects of failure   Actions
Sensor      Value Failure   …                    Duplicate sensors
…           …               …                    …
Page 2
Example: Safety Analysis
• Case study: Leakage Detection System of Jas 39 Gripen
– Functionality: detect and prevent oil leakage
• Hazard: uncontrollable flight surfaces or not functioning landing gear
• Cause: no oil pressure, i.e. no hydraulic power to parts of the aircraft
• Safety property: Two valves must not be closed simultaneously (called p)
• Potential faults: bit flips, short-cuts, sensor faults
[Figure: block diagram of the leakage detection system; labels: HS1 Sensors, HS2 Sensors, Sensors high side, Sensors low side, Valve sensors, PLD1, PLD2, H-ECU, HS1 & HS2, Shut-off signals, Valve blocks, Shut-off high side, 1B, 1C, 2B, S]

Safety Analysis for digital systems
• FTA or FMEA?
• Formal verification!
[Figure: labels Top event, Software/Digital hardware; a model of the system, including faults, is checked and yields the check result]
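The check sketched on this slide (a model of the system including its faults, checked against the safety property) worked through on a constructed toy model, as an added example that is not code from the course or from the Gripen case study. The two-valve model, the single permanent stuck-sensor fault model, the environment assumption of at most one real leak at a time, and the interlock variant are all constructed here for illustration. It goes slightly beyond the slide by also showing how the check result changes when a priority interlock is added between the two sides.

```python
"""Explicit-state check of the safety property p ("the two valves must not be
closed simultaneously") on a constructed two-valve shut-off model.

Constructed toy model: NOT the Gripen leakage detection system, only a
caricature of its structure (two hydraulic sides, each with a leakage sensor
and a shut-off valve driven by its own controller).
"""
from collections import deque

# Fault model (constructed): at most one permanent stuck-at fault, fixed per run.
FAULTS = (None, "hs_sensor_stuck_leak", "ls_sensor_stuck_leak")
# Environment assumption (constructed): at most one real leak at any time.
LEAK_INPUTS = (None, "hs", "ls")

# A state is (high_side_valve_closed, low_side_valve_closed, active_fault).


def sensor_reading(side, leak, fault):
    """The sensor on `side` reports a leak if there really is one on that side,
    or if that sensor is stuck at 'leak'."""
    return leak == side or fault == f"{side}_sensor_stuck_leak"


def independent_controllers(state, leak):
    """Each side's controller closes its valve exactly when its own sensor
    reads a leak. No coordination between the two sides."""
    _, _, fault = state
    return (sensor_reading("hs", leak, fault),
            sensor_reading("ls", leak, fault),
            fault)


def interlocked_controllers(state, leak):
    """Same controllers plus an interlock: the low side may only shut off
    while the high-side valve is open (high side has priority)."""
    _, _, fault = state
    new_hs = sensor_reading("hs", leak, fault)
    new_ls = sensor_reading("ls", leak, fault) and not new_hs
    return (new_hs, new_ls, fault)


def violates_p(state):
    """Safety property p: the two valves must not be closed simultaneously."""
    hs_closed, ls_closed, _ = state
    return hs_closed and ls_closed


def trace(parent, state):
    """Rebuild the shortest path from an initial state to `state`."""
    path = []
    while parent[state] is not None:
        prev, leak = parent[state]
        path.append((leak, state))
        state = prev
    path.append((None, state))  # initial state, no input yet
    return list(reversed(path))


def check(step, faults=FAULTS):
    """Breadth-first reachability over every environment input from every
    initial state (both valves open, one fault configuration).
    Returns None if p holds in all reachable states, otherwise the shortest
    counterexample as a list of (leak_input, state) pairs."""
    initial = [(False, False, f) for f in faults]
    parent = {s: None for s in initial}
    queue = deque(initial)
    while queue:
        s = queue.popleft()
        if violates_p(s):
            return trace(parent, s)
        for leak in LEAK_INPUTS:
            t = step(s, leak)
            if t not in parent:
                parent[t] = (s, leak)
                queue.append(t)
    return None


if __name__ == "__main__":
    print("independent, no faults :", check(independent_controllers, faults=(None,)))
    print("independent, with faults:", check(independent_controllers))
    print("interlocked, with faults:", check(interlocked_controllers))
```

Run as a script, the first and third checks report `None` (p holds), while the second prints a two-step counterexample: with the high-side sensor stuck at 'leak', a real leak on the low side closes both valves. That trace is the "check result" an analyst reads back against the design. Two caveats that the slide's diagram hides: the result is only as strong as the fault model (here a single permanent stuck sensor; bit flips or short-cuts would need their own transitions), and the interlock buys p by leaving a real low-side leak unisolated while the high side is shut off, so the fix trades one hazard analysis for another rather than removing risk for free.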
Components & Interfaces
• A component is an independent entity (SW or HW) that communicates through well-defined interfaces
• Interfaces should provide all information needed for composition
[Figure: a component C with interface I and model M; I is the interface of the component, M is a model of the behavior of the component]

Building Systems from Components
• Component-Based Development (CBD) is an emerging trend in system development:
– develop systems out of software components (COTS) and hardware components
• What should the analytical interface look like in order to capture safety?
• Problem: no component models address safety!
[Figure: components C1 to C7 composed into a system, with C4 replaced by C´4; does the composition satisfy the safety property p?]
[Figure fragment from the previous slide: the model of the system, including faults, and the safety property are checked by using a model checker; remaining block-diagram labels: Shut-off low side, 2C]
Page 3
Safety Analysis and CBD
• Traditional safety analysis is performed on the composed system
• Our approach:
– Interfaces capture information about the behaviour of the components in presence of faults in the system
[Figure: components C1 and C2, each marked "? satisfies" (labels S, p, p ⇒, +), composed into a system that satisfies p]

Current work
• New case study: Adaptive Cruise Control
– SIMULINK/Matlab
– Scade
• Cooperation with Carnegie Mellon, Pittsburgh, USA

Questions?