Click here to load reader

A Framework for Formal Dynamic Dependability Analysis ...hvg.ece. · PDF file Formal Dynamic Dependability Analysis Framework 109 based on the failure distribution of the basic events

  • View
    2

  • Download
    0

Embed Size (px)

Text of A Framework for Formal Dynamic Dependability Analysis ...hvg.ece. · PDF file Formal Dynamic...

  • A Framework for Formal Dynamic Dependability Analysis Using HOL

    Theorem Proving

    Yassmeen Elderhalli(B), Osman Hasan, and Sofiène Tahar

    Electrical and Computer Engineering, Concordia University, Montréal, Canada {y elderh,o hasan,tahar}@ece.concordia.ca

    Abstract. Dependability analysis is an essential step in the design pro- cess of safety-critical systems, where the causes of failure and some other metrics, such as reliability, should be identified at an early design stage. The dynamic failure characteristics of real-world systems are usually cap- tured by various dynamic dependability models, such as continuous time Markov chains (CTMCs), dynamic fault trees (DFTs) and dynamic reli- ability block diagrams (DRBDs). In order to conduct the formal depend- ability analysis of systems that exhibit dynamic failure behaviors, these models need to be captured formally. In this paper, we describe recent developments towards this direction along with a roadmap on how to be able to develop a framework for formal reasoning support for DFTs, DRBDs and CTMCs in a higher-order-logic theorem prover.

    Keywords: Dynamic dependability analysis · Dynamic fault trees · Dynamic reliability block diagrams · Continuous time Markov chains · HOL theorem proving

    1 Introduction

    Dependability is a general concept that encompasses many attributes, such as reliability, availability, security and safety [1]. Reliability is the ability of a sys- tem to provide a correct service within a given period of time [1] and it is quantified by evaluating the probability of delivering such service. On the other hand, availability is the probability of a system or component to provide its correct service at a given moment of time [1]. Many real-world systems exhibit sequential failures and dependencies among system components that cannot be captured using traditional dependability models, such as static fault trees (SFTs) and static reliability block diagrams (SRBDs). Therefore, dynamic dependabil- ity models are used to capture the dynamic failure behavior of these systems. These models include Continuous time Markov chains (CTMCs) [2], dynamic fault trees (DFTs) [3] and dynamic reliability block diagrams (DRBDs) [4].

    Dynamic dependability analysis identifies the sequences of failure of system components and their effect on the overall system behavior. This helps devising

    c© Springer Nature Switzerland AG 2020 C. Benzmüller and B. Miller (Eds.): CICM 2020, LNAI 12236, pp. 105–122, 2020. https://doi.org/10.1007/978-3-030-53518-6_7

    http://crossmark.crossref.org/dialog/?doi=10.1007/978-3-030-53518-6_7&domain=pdf https://doi.org/10.1007/978-3-030-53518-6_7

  • 106 Y. Elderhalli et al.

    solutions to enhance the overall system dependability. Therefore, this analysis process should be handled carefully in a sound environment to produce accurate results. Traditionally, dependability models are analyzed using paper-and-pencil based proof methods or using simulation. The former provides a flexible way to model and analyze systems, but it is prone to human errors. On the other hand, simulation provides an easy automated method to conduct the analysis, which justifies its common use in analyzing a wide range of applications. However, due to the high computational cost of simulation, only part of the space could be analyzed, and thus the results cannot be termed as accurate or complete.

    Formal methods, such as model checking [5] and theorem proving [6], have been used for the analysis of dependability models, to overcome the inaccuracy limitations of the above-mentioned techniques. For example, the STORM model checker [7] has been successfully used in the safety analysis of a vehicle guidance system [8] using DFTs. Although probabilistic model checkers (PMCs) provide an automatic way to conduct the analysis of dependability models, the state space explosion problem often limits its scope especially when analyzing complex systems. Moreover, the reduction algorithms embedded in these tools are usually not formally verified, which questions the accuracy of the reduced models [9]. This becomes an issue when analyzing safety-critical systems, where the smallest error cannot be tolerated. More importantly, PMCs inherently assume the fail- ures to be exponentially distributed for system components [10], and thus cannot capture, for example, their aging factor. Although higher-order logic (HOL) the- orem proving has been used in the analysis of traditional (static) dependability models, such as SFTs [11] and SRBDs [12], these models cannot capture the dynamic aspects of real-world systems and thus cannot fulfill the objective of the projected work. However, using a theorem prover in the analysis allows hav- ing verified, within a sound environment, generic expressions of dependability that are independent of the distribution of system components. Thus, the results are not limited to exponential distributions as with PMCs.

    In this paper, we describe an ongoing project for building a complete frame- work to formally analyze dynamic dependability models using HOL theorem proving. The project had started at the Hardware Verification Group of Concor- dia University in 2017 with a clear roadmap. In this regard, we formalized DFTs in the HOL4 theorem prover [13], which allows formally verifying generic expres- sions of the probability of failure of DFTs [14] and thus can be used to conduct formal dynamic dependability analysis. Furthermore, we proposed a novel alge- bra to analyze DRBDs with certain structures and verified their mathematical foundations using the HOL4 theorem prover [15]. On the other hand, a formal- ization for general CTMCs [16] is available in Isabelle/HOL [17]. However, this formalization has not been used in the context of dynamic dependability anal- ysis. Therefore, we plan to develop a CTMC formalization to be used in this context. The present paper mainly summarizes our developed formalization and shares our plans for the development of a complete framework for the formal dependability analysis of real-world systems using a theorem prover.

  • Formal Dynamic Dependability Analysis Framework 107

    The rest of the paper is structured as follows: Sect. 2 presents our proposed framework for the formal dynamic dependability analysis. Section 3 provides a brief description of our formalization of DFTs. In Sect. 4, we present DRBDs and our developed DRBD algebra. Section 5 presents the required mathematical foundations of the CTMC dependability analysis. We report the current status of the project and the remaining milestones in Sect. 6. Finally, Sect. 7 concludes the paper.

    2 Proposed Framework

    Figure 1 shows an overview of our proposed framework for formal dynamic dependability analysis. This framework provides verified generic expressions of dependability in the HOL4 theorem prover using DFTs, DRBDs and CTMCs. The analysis starts by having a system description with some dependability requirements, such as a certain expression of reliability. The dependability of this system can be modeled using a DFT, DRBD or CTMC model according to its description. For the case of the DFTs and DRBDs, we need, respectively, a library of formalized DFT gates and DRBD constructs besides their simplifica- tion theorems and verified probabilistic behavior. For the CTMC formal analysis, it is required to have both formal transient and steady state analyses. The formal DFT and DRBD models can be analyzed qualitatively or quantitatively. In the former, the sources of vulnerabilities of the system are verified by identifying the cut sets and cut sequences. In the latter, we prove generic failure and reliability expressions of DFT and DRBD based systems, respectively. It is worth men- tioning that unlike PMC approaches, the formally verified generic expressions of DFT and DRBD are independent of the probability distributions of the system

    Fig. 1. Overview of the formal dependability analysis framework

  • 108 Y. Elderhalli et al.

    (a) AND (b) OR (c) PAND (d) FDEP (e) SPARE

    Fig. 2. DFT gates

    components. For CTMC based models, the proposed framework formally ana- lyzes availability and reliability metrics by proving generic expressions of these dependability metrics that are independent of the failure rates of system com- ponents. We choose HOL4 in the development of the formalization of dynamic dependability models as this would facilitate using some of the available theories, such as the probabilistic PIE [18], Lebesgue integral [19] and probability [20].

    Our ultimate goal in this project is to develop a tool that accepts the depend- ability model in either a graphical or simple textual format. Then, using a parser, the tool creates the HOL formal models of these formats that can be used in the formal analysis using a HOL theorem prover. The aim of this tool is to reduce the user interaction with the theorem proving environment, which would facilitate the usage of this framework by users who are not familiar with HOL theorem proving or the underlying mathematical foundations of the dependabil- ity models. This requires invoking several techniques, such as machine learning, to automatically (to a certain extent) verify the required expressions. Therefore, this proposed framework will allow conducting the dynamic dependability anal- ysis of many real-world systems to provide generic expressions. We highlight the details of the proposed framework in the following sections including the current status of the formalization and provide some insights about the remaining steps.

    3 Dynamic Fault Trees

    Dynamic fault trees (DFTs) [3] model the failure dependencies among system components that cannot be captured using tradition

Search related