model-driven safety analysis of critical systems
advertisement
MODEL-DRIVEN SAFETY ANALYSIS OF CRITICAL SYSTEMS Nataliya Yakymets CRITICAL SYSTEMS CRITICAL SYSTEM is a system whose failure may result in death or serious injury to people, or damage to equipment or environmental harm. « L’accident qui s’est déroulé à Brétigny-surOrge (Essonne) le vendredi 12 juillet 2013 » " « Le crash de l'AF 447 devrait coûter 500 millions d'euros » Copyright CEA © Publié le 12/07/2011 福島第一原子力発電所事故 The Fukushima Daiichi nuclear disaster 11 March 2011 SAFETY STANDARDS IEC 61508 Generic Standard on Functional Safety of Electrical / Electronic / Programmable Electronic Safety-related Systems ARP-4761 Guidelines and Methods for Conducting the Safety Assessment Process on Civil Airborne Systems and Equipment ISO 26262 Functional Safety standard, "Road vehicles – Functional safety“ ISO 10218 Robots and robotic devices -- Safety requirements for industrial robots … SAFETY ASSESSMENT SYSTEM SAFETY ASSESSMENT is a systematic approach to the analysis of risks resulting from hazards that can affect humans, the environment, and mission assets. TYPICAL SAFETY ASSESSMENT METHODS • Hazard and Risk Analysis • • • • • • • • • Preliminary Hazard Analysis (PHA) System Hazard Analysis (SHA) HAZOP ... Failure Mode Effects & Criticality Analysis (FMECA) Reliability Block Diagram (RBD) Fault Tree Analysis (FTA) Event Tree Analysis (ETA) Markov Analysis SAFETY LIFE-CYCLE SAFETY STANDARDS IEC 61508 generic standard on functional safety SAFETY SAFETY METHODS ANALYSIS PHA SHA HAZOP Hazard Analysis DEVELOPMENT Concept & Requirements Validation Acceptance & Maintenance … … Copyright CEA © ISO 26262 "Road vehicles – Functional safety“ FTA FMEA Markov Analysis RBD ETA Preliminary System Safety Assessment Design & Optimization System Safety Assessment Validation Integration & Test Implementation 5 PROBLEMATIC SYSTEM ENGINEERING Copyright CEA © Design Engineer Large usage of Model-Based approaches & techniques Complete description of the system architecture CLASSICAL SAFETY ANALYSIS Performed mostly manually Time consuming, costly, high probability of errors No strong links between system engineering and safety analysis Need for safety analysis assistance! Safety Engineer MODEL-BASED SAFETY ANALYSIS UML/SYSML Flexible and expressive semantics UML profile for safety analysis Global overview of architecture Own dedicated models Uniform modeling environment for safety analysis Copyright CEA © PAPYRUS UML2 standard Domain Specific Languages Customizable Reuse UML concepts Use any notations: diagrams, tables, text, symbols Save time by modeling system before building a physical prototype SOPHIA SAFETY LIFE-CYCLE SAFETY STANDARDS IEC 61508 generic standard on functional safety ISO/DIS 13482 safety standard for personal care robots SAFETY SAFETY METHODS ANALYSIS PHA [1] Requirement Eng. FTA [2] FMEA [3] Property Verification Hazard Analysis Preliminary System Safety Assessment DEVELOPMENT Concept & Requirements Design & Optimization Copyright CEA © System Safety Assessment Acceptance & Maintenance Validation Validation Integration & Test Implementation Sophia targets early phases of system life-cycle [1] D. Cancila, F. Terrier, F. Belmonte, H. Dubois, H. Espinoza, S. Gerard, A. Cucurru, Sophia: a modeling language for modelbased safety engineering, in: Proc. of the 2nd Int. Workshop On Model Based Architecting And Construction Of Embedded Systems, Denver, Colorado, USA, 2009, pp. 11-26. [2] N. Yakymets, et al., Model-driven safety assessment of robotic systems, Proc. of IEEE Int. Conf. on Intelligent Robots and Systems (IROS), 2013, pp. 1137-1142. [3] Nataliya Yakymets, Yupanqui Munoz Julho, Agnes Lanusse, « Sophia framework for model-based safety analysis », Proc. of the 19th Congrès de Maîtrise des Risques et Sureté de Fonctionnement, Dijon, 2014, p. 71. 8 METHODOLOGY* System Modeling Copyright CEA © Propagate Results to the Model Result Generation Safety Modeling & Annotation Analysis * N. Yakymets, S. Dhouib, H. Jaber, A. Lanusse, “Model-Driven Safety Assessment of Robotic Systems,” 2013 IEEE/RSJ International Conference on Intelligent Robots and Systems, IROS’2013, November 3-7, Tokyo, Japan, 2013. METHODOLOGY* Boolean expressions System Modeling Property verification Propagate Results to the Model RobotML models FMEA Tables Result Generation Copyright CEA © AltaRica formal model Fault Tree Analysis Results Safety Modeling & Annotation Analysis Transformation SysML model to formal languages: AltaRica, NuSMV State Machines Fault Tree Safety Annotations via Profile Fault Trees … FME(C)A tables * N. Yakymets, S. Dhouib, H. Jaber, A. Lanusse, “Model-Driven Safety Assessment of Robotic Systems,” 2013 IEEE/RSJ International Conference on Intelligent Robots and Systems, IROS’2013, November 3-7, Tokyo, Japan, 2013. METHODOLOGICAL ISSUES 1) How to manage a hierarchy of complex systems? • Coherence of dysfunctional behavior on different levels • Iterative process 2) How to express dysfunctional behaviour? • Convenience, maintainability, coherence with the formal methods • Approaches • Technical means METHODOLOGY Top Level Level 1 … Finest Annotation Level Level i … Safety Analysis Model Annotation 1) How to manage a hierarchy of complex systems? Flexible Safety Analysis Keep a desired level of precision during SA process Control a complexity of SA methods applied Reduce time and cost required for SA Basic Component Finest Architectural Level 12 METHODOLOGY 2) How to express dysfunctional behaviour? 13 METHODOLOGY APPROACHES TO EXPRESS FAILURE BEHAVIOR ANALYTICAL EXPRESSIONS Failure2 Failure1 Fast annotation Easy to analyse out1 = (in1 AND in2) AND NOT (Failure1 OR Failure2) STATE MACHINES Separate functional and dysfunctional behavior Conform to formal languages: AltaRica, etc. METHODOLOGY ANALYTICAL EXPRESSIONS Analyzed System Modeling Block Diagram Internal Block Diagram Safety Analysis out1 = (in1 AND in2) OR (f1 OR f2) out2 = in3 OR f3 For the compatibility of dysfunctional behavior on different levels only Blocks of the finest hierarchical level have an associated set of analytical expressions through dedicated profile METHODOLOGY STATE MACHINES Analyzed System Modeling Internal Block Diagram Block Diagram Safety Analysis Blocks of the finest hierarchical level have an associated State Machine Annotated and Extended State Machine Diagram Functional Behavior Dysfunctional Behavior METHODOLOGY MEANS OF FAILURE BEHAVIOR EXPRESSION Safety comments, requirements Profiles • • • EAST-ADL DAM Custom Safety Modeling & Annotation Viewpoints, Diagrams • • • State Machines Activity Diagrams … Model in UML/SysML/RobotML SOPHIA MODULES Build accident scenarios Requirement classification, Report generation, Import/Export to ReqIF Analyze functional causes of accidents Copyright CEA © Property Verification Verification of safety properties, Reachability analysis FME(C)A tables, Report generation Fault tree generation, minimal cut sets, probaiblistic calculations SOPHIA MODULES FAILURE MODE AND EFFECTS ANALYSIS FME(C)A is an inductive bottom up method used to analyze a system on component level and check what happens on system level Cause→Failure→Effect Sophia Modeling Environment Automatic safety annotation FME(C)A Generation & display of FME(C)A Copyright CEA © tables within the model Automatic document generation Export results in excel format Criticality Display Sophia FME(C)A Report SOPHIA MODULES FAULT TREE ANALYSIS FTA is a deductive top-down method in which an undesired state of a system is analyzed at component level by combining a series of lower-level events using Boolean logic Top Event Automatic safety annotation HW/SW allocation and propagation of Logic Gate failure behavior Automatic fault trees generation Diagrams OpenPSA format Qualitative FTA Copyright CEA © Basic Event Minimal cut sets, dysfunctional scenarios Quantitative FTA Minimal cut sets probabilistic analysis Sensitivity analysis Importance analysis (marginal, critical, importance analysis diagnostic, risk achievement/reduce factors) Unavailability and SIL analysis sensitivity analysis SOPHIA MODULES PROPERTY VERIFICATION Given a model of a system, exhaustively and automatically check whether this model meets a given specification State Machines for safety annotation Transformation from SysML to SMV state machine Verification of system properties (and safety requirements) with NuSMV Support of CTL and LTL Requirement Diagram Provide a technology to express Counter Example system requirements/hazards in a quasi natural language Copyright CEA © Component Behavior System property in CTL format for NuSMV SOPHIA MODULES REQUIREMENT MANAGEMENT Support requirements through system life-cycle Display requirements within modeling environment (Tables, Requirement Diagrams) Requirement classification Automatic report generation Copyright CEA © Sophia Modeling Environment Automatically Generated Requirement Report COLLABORATION RESEARCH Automotive & Railway domain EXPERTISE VALORISATION & DEVELOPMENT Robotic domain SAFETY IMOFIS Inergy Energy & Smart Grids SECURITY Transportation domain Copyright CEA © Energy & Smart Grids SAFETY & SECURITY SESAM-GRID Energy & Smart Grids Transportation domain CONCLUSION SOPHIA Integration of safety techniques within a model-driven engineering process Support of generic standard on functional safety design IEC61508 and ISO 13482 safety standard (non-industrial personal care robots) Graphical and accessible modeling language (SysML and RobotML) Modelling of architecture, behaviour and failure logic Automatic document generation Copyright CEA © PERSPECTIVES Sophia becomes a part of Eclipse Safety Framework (ESF), an open-source model-based tool for safety analysis ESF is a PolarSys project co-managed by CEA and ALL4TEC Industrialization of Sophia in Safety Architect v 3.0 Extension of the Sophia research platform with RAMS and security THANK YOU! Commissariat à l’énergie atomique et aux énergies alternatives Institut Carnot CEA LIST Centre de Saclay | 91191 Gif-sur-Yvette Cedex T. +33 (0)1 69 08 32 93 Etablissement public à caractère industriel et commercial | RCS Paris B 775 685 019 Direction Département Laboratoire DRT DILS LISE
