11. FSAP and the Model Checking Approach to FT Extraction

R. Banach, School of Computer Science, University of Manchester, UKM. Bozzano, Fondazione Bruno Kessler, FBK-IRST, Trento, Italy

11. FSAP and the Model Checking Approachto FT Extraction.

1

An overview of the algorithms for fault tree generation available in FSAP.

Algorithms based on model checking techniques.

• In this tutorial: focus on BDD-based routines.• SAT-based routines exist as well.


Model Checking

Automated technique to verify a formal system model against a formal specification.• Systems typically modeled as state transition systems.• Specifications provided as temporal logic formulae.

Model checking provides a formal guarantee that a specification is obeyed.(A counterexample trace is produced if the specification does not hold)

• Exhaustive technique compared to testing and simulation.

Major breakthrough with the introduction of symbolic model checking:• Idea: manipulate sets of states and transitions.• Efficient symbolic representations for the characteristic functions of such sets.

In the rest of this chapter: model checking techniques applied to FT generation.

2


Binary Diagrams

3

BDD = Binary Decision Diagram.OBDD = Ordered BDD.

(Built with a specific variable order)ROBDD = Reduced OBDD.

(Canonical form: elimination of redundancies)

(RO)BDDS are an efficient and compactrepresentation for Boolean formulas.

Size of the BDD depend on variable order.

Set-theoretic operations as logical operators.A BDD for the formula(a1 ↔ a2) /\ (b1 ↔ b2) .

Dashed = false, solid = true


BDD-based Algorithms for FTA

4

Different algorithms available:• Forward (FWD).• Backward (BWD).

Optimizations:• Dynamic cone of influence (DCOI).• Dynamic pruning (PRUN).


Cut Sets

5

F1 ∧ F2CUT SET

Once F3

S1S2

S3F1

F2

O1O2

O3

Statevariables

Failure Modevariables

Historyvariables

Once F1Once F2

F3

Permanent fault

Sporadic fault

No fault

History variables remember past failure events(Oi is true if and only if Fi is true at some point in the past) Oi → next(Oi)¬ Oi → (next(Oi) ↔ next(Fi))

Dual concept in the future: prophecy variables

TleTop Level Event

Tle fired

F1 fails

F2 fails

Exec

utio

n Tr

ace

Ro


Forward Algorithm

6


Forward Algorithm

7


Forward Algorithm

8


Forward Algorithm

9

Init


Forward Algorithm

10

Init


Forward Algorithm

11

Init


Forward Algorithm

12

Init


Forward Algorithm

13

Init


Forward Algorithm

14

Init

Fixpoint


Forward Algorithm

15

Init

Fixpoint


Forward Algorithm

16

Init

Fixpoint


Forward Algorithm

17

Init

Fixpoint


Forward Algorithm

18

CS1

CS2

CS3

CS4

CS5

O3

0 1 1 0 11 1 0 1 11 0 1 0 11 0 1 1 10 1 1 0 00 1 1 1 00 0 1 0 10 0 1 0 00 1 1 1 11 1 1 0 11 0 1 0 1

S1S2S3S4S5F1F2F3O1O2

• • • ••

••••

•


Forward Algorithm

19

CS1

CS2

CS3

CS4

CS5

O3

0 1 1 0 11 1 0 1 11 0 1 0 11 0 1 1 10 1 1 0 00 1 1 1 00 0 1 0 10 0 1 0 00 1 1 1 11 1 1 0 11 0 1 0 1


• • • ••

••••

•


Forward Algorithm

20

CS1

CS2

CS3

CS4

CS5

O3

0 1 1 1 11 1 1 0 11 0 1 0 1


• • • ••

••••

•


Forward Algorithm

21

CS1

CS2

CS3

CS4

CS5

O3

0 1 1 1 11 1 1 0 11 0 1 0 1


• • • ••

••••

•


Forward Algorithm

22

CS1

CS2

CS3

CS4

CS5

O3


• • • ••

••••

•

0 11 01 0


Forward Algorithm

23

CS1

CS2

CS3

CS4

CS5

O3


• • • ••

••••

•

0 11 01 0


Forward Algorithm

24

CS1

CS2

CS3

CS4

CS5

O3


• • • ••

••••

•

0 11 01 0

MCS 1 MCS 2


Backward Algorithm

25


Backward Algorithm

26


Backward Algorithm

27


Backward Algorithm

28

Tle


Backward Algorithm

29

Tle


Backward Algorithm

30

Tle


Backward Algorithm

31

Tle


Backward Algorithm

32

Tle


Backward Algorithm

33

Tle

Fixpoint


Backward Algorithm

34

Tle

Fixpoint


Backward Algorithm

35

Tle

Fixpoint


Backward Algorithm

36

Tle

Fixpoint


Backward Algorithm

37

Tle

Fixpoint

And so on …


Dynamic Cone of Influence

38

Tle



39

Tle

Compute pre-images & restricted Kripke structures,based on dependency withTle

M0 ≤ M1 ≤ … ≤ Mn-1 ≤ Mn

– defer construction of the Kripke structure– hopefully Mn is smaller than the global M



40

Tle M0


M0 ≤ M1 ≤ … ≤ Mn-1 ≤ Mn




41

Tle


M0 ≤ M1 ≤ … ≤ Mn-1 ≤ Mn


M0

M1



42

Tle


M0 ≤ M1 ≤ … ≤ Mn-1 ≤ Mn


M0

M1

Mn-1



43

Tle


M0 ≤ M1 ≤ … ≤ Mn-1 ≤ Mn


M0

M1

Mn-1

Fixpoint

Mn


Dynamic Pruning

44

Init


Dynamic Pruning

45

Init At each iteration, compute a partial set of cut setsUse the partial set to prune non-minimal config.in the search space


Dynamic Pruning

46



Dynamic Pruning

47



Dynamic Pruning

48



Dynamic Pruning

49


••


Dynamic Pruning

50


••


Dynamic Pruning

51


••


Dynamic Pruning

52


••


Dynamic Pruning

53


••••••


Dynamic Pruning

54


••••••


Dynamic Pruning

55

Init

••••••

At each iteration, compute a partial set of cut setsUse the partial set to prune non-minimal config.in the search space


Dynamic Pruning

56

Init

••••••

At each iteration, compute a partial set of cut setsUse the partial set to prune non-minimal config.in the search space


Dynamic Pruning

57

Init

••••••••

••

•At each iteration, compute a partial set of cut setsUse the partial set to prune non-minimal config.in the search space


Dynamic Pruning

58

Init

Fixpoint

••••••••

••

•At each iteration, compute a partial set of cut setsUse the partial set to prune non-minimal config.in the search space


12. Retrenchment and Model Checking Compared.

We compare:• The Retrenchment-based FT generation algorithm.• The BDD-based backward FT generation algorithm. (with Dynamic Cone of Influence and Dynamic Pruning)In the general case of feedback circuits with time delays.

Strong similarities:• Most important: backward resolution, i.e. start from the TLE.But – several differences:• Related to: system decomposition, search strategy, etc.• Implementation-level but also theoretical differences.

Discussion: how to reconcile retrenchment with model checking.

59


System Decomposition

Retrenchment-based: decomposition based on system structure.BDD-based: decomposition based on time delays.

Consequences:• No difference if unit delays between every block.

(e.g., adders and fanouts in the circuit example).• In the purely combinational case – no delays: BDD-based flattens the system – monolithic transition relation.

Reconciliation: • Not a huge difference: BDD-based could be instructed to take system structure

into account, or use “hybrid” strategies.

60


Search Strategy

Retrenchment-based: non-deterministic, data dependency driven, search.• Depth-first search illustrated here,

although simplified by the use of angelic non-determinism theoretically.BDD-based: breadth-first search.• Each step decomposing one layer of the composition.• Efficiency of breadth-first search relies on the BDD package.• Dynamic pruning introducing controlled depth-first aspects in the search.

Reconciliation:• Not a huge difference: search strategy in BDD-based is flexible.• Possibly introducing further depth-first aspects in BDD-based,

e.g. descend first in branches with a lower number of faults, and then prune.• Mostly an implementation detail.

61


Minimisation Rules

Retrenchment-based: minimisation rules to prune the search tree on the fly.BDD-based: minimisation rules mimicked by the internals of the algorithm or

by the BDD package.• Discarding non-needed subtrees → BDD package + DCOI reduction rules.• Discarding subtrees at input-insensitive faults → BDD package.• Discarding locally subsumed expressions → dynamic pruning.• Subsumption checking at the subsystem level → dynamic pruning.

Reconciliation:• Not needed.

62


Timing and Feedback

Retrenchment-based: deals with time delays explicitly.• Time information fully recorded.• Different definitions of minimality may be used to turn a RT into a FT.BDD-based: deals with time delays tacitly.• Time information is not recorded, temporal details abstracted away,

same states with different time delays are identified.• Directly generates the fault trees representing the minimal cut sets.

(where definition of minimality abstracts away from time)

Reconciliation:• Soundness: we get the same results in both cases if we abstract away from time.• Possibly introducing handling of timing information in BDD-based – but in practice

may have an impact on performance. Need to deal with sets of traces rather than sets of states, in a controlled way.

63


Initial States and Cold-Start Failures

Retrenchment-based: uses appropriate truncation of the detailed FT.• Minimisation performed independently of initialisation.BDD-based: truncation performed on-the-fly, reachability check built in.• Tight coupling of initialisation and minimisation.• Minimisation may interact with timing abstraction:

• It may discard states that have been identified because of timing abstraction.• It may discard hot-running scenarios in favour of cold-start ones.• Focus on computation of MCSs, rather than fault trees.

Reconciliation:• It is possible to rule out cold-start scenarios in BDD-based, if desired.• Possibly introducing further guidance in BDD-based to deal with hot-running and

cold-start failures.

64


Conclusions

Retrenchment-based: an idealised specification of a FT generation algorithm.Can move it closer to the BDD-based algorithm by carefully forgetting details.

BDD-based: an implementation that does not completely conform to it.Can move it closer to the Retrenchment-based ‘ideal’ by including more details

… but you have to watch performance in practice.

65

Documents

11. FSAP and the Model Checking Approach to FT Extraction