Automated Failure-modes-and-effects Analysis of … Systems & Qualitative Reasoning Group of the Technical University of Munich Struss SHM11 SW FMEA - 1 Automated Failure-modes-and-effects

Model-Based Systems & Qualitative Reasoning

Group of the Technical University of Munich


Group of the Technical University of Munich Struss SHM11 SW FMEA - 1

Automated Failure-modes-and-effects Analysis

of Embedded Software

Peter Struss

Technische Universität München

[email protected]





Preliminaries

Disclaimer

Software FMEA – but

– not a software-centered perspective

FMEA of embedded systems –

– not a general proposal for SW FMEA

Solid foundation and some experiments

– But still work in progress (early stage)

Claim

Reason for feasibility and strength of the approach

– not a software-centered perspective

– not a general proposal for SW FMEA

Different from other approaches to FMEA of embedded

systems (e.g. Snooke-Price RAMS 2011)





FMEA of Embedded Systems - Idea

Contexts?

Granularity?

Output distinctions?

What the software does (wrong)

– is irrelevant!

– unless affecting the behavior of the physical system

Software





The Physical System Dictates the Software Analysis

Which contexts?

Which granularity?

Which output distinctions?

Software

Physical system

– determines and restricts the context

– Determines relevant distinctions

FMEA

– purely qualitative

– provides finite set of relevant effects

Physical System





Outline

Model-based FMEA – Foundations

Models for FMEA of a Braking System

FMEA of Cyber-physical Systems





Model-based FMEA - Foundations




Group of the Technical University of Munich - 7

The FMEA Task

Stuck-

closed

BEHAVIOR/

GOALS

?

Task:

During design phase:

Determine of the effects of (classes of) component faults

under different operating conditions

- 7 Struss SHM11 SW FMEA





FMEA Table – Simple Example

Manual composition of a FMEA

Case: Pipe 1

A qualitative analysis!

ITEM FAILURE

MODE

LOCAL

EFFECT Next Higher

Level Effect

END

EFFECT

Mission

Phase

Pipe 1 Big

Leakage

Descent

(cmd=1)

Expected

flow not

produced

No pressure

generation

No

Extension

Function

Transport

fluid

Main hydraulic Actuactor Main

pump

Check valve 1

Pipe 1

Extension cmd cmd=1




Group of the Technical University of Munich - 9

The FMEA Task

Stuck-

closed

BEHAVIOR/

GOALS

?

Task:

During design phase:

Determine of the effects of (classes of) component faults

under different operating conditions

- 9 Struss SHM11 SW FMEA



Model-based FMEA

Stuck-

closed

Task:

Given a blue print

Predict the behavior

of a model of the faulty system

BEHAVIOR/

GOALS MODEL





The Core Of The Task

Model

Failure Mode

Scenario

Effect





Checking Consistency, Entailment

Model

Failure Mode

Scenario

Effect

Effect entailed? consistent?





Failure mode included in effect: effect will definitely occur:

FM1 S E1

Model-based Computation of Effects

Scenario relation S

Failure mode relation FM1

Effect relations E1 , E2 , and E3

Failure mode under scenario:

FM1 S

Intersection empty: effect does not occur:

FM1 S E2 =

Otherwise, effect may occur: E3

E1

FM1

OK S E3

E2 S





FMEA: Analysis of Qualitative Deviations

Deviations

Dx := [xact - xref] Model Fragments

DQ1 + DQ2= 0 Equations

Q1 + Q2 = 0

D(x + y) = Dx + Dy

D(x - y) = Dx - Dy

D(x * y) = xact * Dy + yact * Dx - Dx * Dy

D(x / y) = (yact * Dx - xact * Dy) / (yact * ( yact * Dy))

y = f(x) monotonic Dx = Dy

Reference can be unspecified!





Models for FMEA of a Braking System





Demonstrator: Standard Braking System (BMW)





Model – Actuator Part

PA_P1 PA_C1 PA_P2 PA_C2

VI

11 J1

VI

21

VI

12 J5

Struss SHM11 SW FMEA - 17





Model – Wheel Brake Part

VI

11 J1

VI

21

J2 VO

11

VO

21

WB

11

J4

J3

WB

21

J9

Reservoir

J5 VI

12

VI

22

J6

VO

22 J8

J7 VO

12

WB

12

WB

22






Modeling of Hydraulic Components – Modeling Goal

Qualitative model

capturing the initial response

in terms of deviations

Three p values: 0, (+), +

Constraints on

– Magnitude

– Deviations

– Integration

– Persistence

Details in [Struss-Fraracci QR 11]





Modeling of Hydraulic Components – Initial Response

Vol

j+1

Valve

j+1

Vol

3

Valve

j

Vol

2

Valve

2

Vol

1

Valve

1

P Q P Q P Q P

S0 (+) 0 +

S1 (+) (+) (+)





Elements of the Model – Base Model

Valve Volume

Base model T1.Q = A* (T1.P-T2.P)

T1.Q = -T2.Q

T1.Q = ∂P





Elements of the Model – Base Model and Integration

Valve Volume


T1.Q = -T2.Q

T1.Q = ∂P

Continuity

Integration

Persistence

Q0 ∂Q Q

- * -

0 - -

0 0 0

0 + +

+ * +

P0 ∂P P

0 0 0

0 + (+)

(+) * (+)

+ - (+)

+ 0 +





Elements of the Model –Derivative Layer

Valve Volume


T1.Q = -T2.Q

T1.Q = ∂P

Continuity

Integration

Persistence

Q0 ∂Q Q

- * -

0 - -

0 0 0

0 + +

+ * +

P0 ∂P P

0 0 0

0 + (+)

(+) * (+)

+ - (+)

+ 0 +

Base model

derivative

T1. ∂Q = A* (T1. ∂P-T2. ∂P)

T1. ∂Q = -T2. ∂Q





Elements of the Model – Base Model and Deviation Model

Valve Volume


T1.Q = -T2.Q

T1.Q = ∂P

Deviation

model

T1.∆Q = ∆A*Pdiff + A*∆Pdiff

- A*∆Pdiff

Pdiff =T1.P-T2.P

T1.∆Q = -T2.∆Q

T1.∆Q =∆∂P

Integration

Deviation

Ti. ∆∂Q = Ti. ∆Q ∆P = ∆∂P





Sample Inference (Simplified)

PA_P1 PA_C1 PA_P2 PA_C2

VI

11 J1

VI

12 J5

VI

21

VI 11

not properly open (e.g. stuck-closed)

∆A= -

∆Q= -

…

∆P= -

WB 11 underbraked






BMW Demonstrator - Results

C:/Users/struss/Struss TUM/Projects/BMW FMEA/tables v39/table ABS build-up pressure.doc






Sensor Failures





Limitations for Systems with Embedded Software

Sensor failures cannot be analyzed

– Affects system only via software

Failures of crucial components: software

extend FMEA to embedded software

ECU





Propagating Sensor Failures

E.g. sensor signal too low

ValveControl_ij OK model

∆cmd= - ∆s

InletValve_ij OK model

∆A= - ∆cmd

Valve

Control_ij

Speed

sensor_ij

Inlet

Valve_ij

∆s= - ∆cmd= + ∆A= -

WB_ij

underbraked






Software Failures





Effect of Software Failures

E.g. ValveControl untimely signal

– E.g. threshold too high

– Permanent signal

Fault model (single fault)

∆cmd= +

Or ∆cmd= - ∆s +

Valve

Control_ij

Speed

sensor_ij

Inlet

Valve_ij

∆s= 0 ∆cmd= + ∆A= -

WB_ij

underbraked






Refined Analysis





Decomposing Software Functions

Including plausibility check

Comparison with other wheel speeds

Replacement of value

Plausibility

Check

Speed

sensor_ij

Valve

Control_ij

s_ij=*, ∆s_ij= * ∆ s_ij = 0

S_kl=*, ∆s_kl= *






Interacting and Communicating Systems





Interaction of Subsystems

Propagation of ∆s

Late/missing signals

E.g. engine ECU: amount of injected fuel too high …

… due to electrical short in left mirror …

System_x

Subsystem_x

System_y

Subsystem_y





Summary and Discussion





Integrated Analysis - Dichotomy

ECU

Physical components:

Model: actual behavior

Determined by physics

Finite space of faults

Software:

Model: desired behavior

Determined by design

Design faults

Implementation faults …

… infinite ….





FMEA of Embedded Software

ECU

Note:

– Not testing!

– Not debugging!

FMEA: (worst-case) qualitative analysis of impact

on overall behavior of physical system

Well-defined interface software – physical system:

– Sensor signals, actuator commands (I O)

Numerical distinctions qualitative abstraction

Metric time qualitative abstraction

Abstract, qualitative functional model

Including finite set of faults





Key Issue: Modeling

ECU

Requirement: cheap modeling

compositional modeling

libraries with re-usable model fragments

Feasible?

ValveControl_ij: instance of generic function:

signal/state change based on threshold

Possible due to level of abstraction

How to obtain models?

Used as building blocks in analysis/spec.

Automatic abstraction from requirements

Automatic abstraction from code

Documents

Automated Failure-modes-and-effects Analysis of … Systems & Qualitative Reasoning Group of the Technical University of Munich Struss SHM11 SW FMEA - 1 Automated Failure-modes-and-effects