March 8, 2007 1
Dynamic Fault Tree analysis using
Input/Output Interactive Markov Chains
Hichem Boudali, Pepijn Crouzen, and Mariëlle Stoelinga.
Formal Methods and Tools group, CS, University of Twente, NL.
Motivation (and setting)
Systems do fail.
Reliability engineering. Goal: reduce the system failure probability. Methodology: identify and analyze failure modes and their effects.
Example methodology: Dynamic Fault Trees (DFT).
But: DFTs have drawbacks.
Outline
Dynamic fault trees (DFT): definition, example, solution, drawbacks.
Input/Output interactive Markov chains (I/O-IMC): DFT semantics in terms of I/O-IMCs; DFT compositional analysis: translation, parallel composition (||), abstraction, aggregation.
Case studies.
Summary.
Dynamic Fault Trees (DFT)
Extend standard fault trees with dynamic gates. Enable modelling complex behaviours and interactions between components: both the combination and the order of failures matter.
Unreliability = Prob[system fails within T time units]

(dynamic) Fault trees
Upside-down tree (graph).
Leaves: basic events (BE).
Nodes: gates (complex events).
BEs + gates: elements.
Arrows: causal relations.
One top node, the "root" node; the top node models system failure.
Failure propagation: from leaves to root.
DFTs: Static gates (combination)

DFTs: Dynamic gates (order)

DFTs: Basic events (BE)
A BE maps to a basic physical component.
Temperature of a BE (cold/warm/hot): relevant when the BE is used as a spare.
DFT solution
[Figure: the DFT C = AND(A, B), with failure rates A: 0.2 f/h and B: 0.4 f/h, and the 4-state CTMC generated from it.]
AND-gate CTMC:
Starting state: A is operational, B is operational.
Rate 0.2 leads to: A has failed, B is operational. Rate 0.4 leads to: A is operational, B has failed.
From "A has failed" the rate-0.4 transition, and from "B has failed" the rate-0.2 transition, lead to: A has failed, B has failed (C has failed).
Pr(A fails in T hours) = 1 − e^(−0.2·T)
A's mean time to failure = 1/0.2 = 5 hours
Convert the DFT into a continuous-time Markov chain (CTMC). Analyze the CTMC using standard solution techniques. For (partially) static DFTs, binary decision diagrams can be used!
Unreliability = Prob[being in the state where both A and B have failed]
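The monolithic "DFT to CTMC to transient solution" route described above, as an added, runnable example (Python written for this page, not the authors' DIFTree/Galileo code). It generates the CTMC for the slides' AND gate C over A (0.2 f/h) and B (0.4 f/h) directly from the tree, solves it at time T by uniformisation, and checks the result against the closed form (1 − e^(−0.2T))(1 − e^(−0.4T)). A priority-AND version of the same gate shows why the order of failures matters, and the size of the generated state space shows the explosion the next slide complains about. Everything below the docstring (the helper names be, and_gate, or_gate, pand_gate, build_ctmc, transient, unreliability and the state encoding) is my construction; the assumptions are stated in the docstring.

```python
"""Monolithic DFT analysis as on the slides: DFT -> CTMC -> transient solution.

Example code added to this page, not the authors' DIFTree/Galileo code.
Assumptions that are mine, not the slides': every basic event (BE) is hot
(no cold spares), failures are permanent (no repair), rates are failures per
hour, and a CTMC state is the tuple of failed BEs in the order they failed
(enough for order-sensitive PAND gates, and exactly what explodes).
"""
import math

# DFT elements: each maps a failure sequence to the position at which the
# element failed, or None while it is still operational.
def be(name):
    return lambda seq: seq.index(name) if name in seq else None

def and_gate(*kids):
    def when(seq):
        idx = [k(seq) for k in kids]
        return None if None in idx else max(idx)      # fails with its last child
    return when

def or_gate(*kids):
    def when(seq):
        idx = [i for i in (k(seq) for k in kids) if i is not None]
        return min(idx) if idx else None              # fails with its first child
    return when

def pand_gate(*kids):
    """Priority-AND: fails only if all children fail, in left-to-right order."""
    def when(seq):
        idx = [k(seq) for k in kids]
        if None in idx or any(a >= b for a, b in zip(idx, idx[1:])):
            return None
        return idx[-1]
    return when

def build_ctmc(top, rates):
    """Explore failure sequences from the all-operational state (); Q[s][t] is
    the rate of s -> t.  Failed states are left absorbing (one-shot generation)."""
    Q, todo = {(): {}}, [()]
    while todo:
        s = todo.pop()
        if top(s) is not None:
            continue
        for name, lam in rates.items():
            if name in s:
                continue
            t = s + (name,)
            Q[s][t] = Q[s].get(t, 0.0) + lam
            if t not in Q:
                Q[t] = {}
                todo.append(t)
    return Q

def transient(Q, T, start=(), eps=1e-12):
    """Distribution at time T by uniformisation: Poisson-weighted powers of the
    uniformised DTMC P = I + Q/lam, truncated once 1 - eps of the mass is in."""
    lam = max(sum(out.values()) for out in Q.values()) or 1.0
    p = {s: float(s == start) for s in Q}
    result = {s: 0.0 for s in Q}
    w, k, cum = math.exp(-lam * T), 0, 0.0   # w = Poisson(k; lam*T)
    while cum < 1.0 - eps:
        for s in Q:
            result[s] += w * p[s]
        cum += w
        nxt = {s: 0.0 for s in Q}
        for s, ps in p.items():
            if ps:
                nxt[s] += ps * (1.0 - sum(Q[s].values()) / lam)
                for t, r in Q[s].items():
                    nxt[t] += ps * r / lam
        p, k = nxt, k + 1
        w *= lam * T / k
    return result

def unreliability(top, rates, T):
    """Prob[system fails within T] = probability mass in the failed states."""
    dist = transient(build_ctmc(top, rates), T)
    return sum(pr for s, pr in dist.items() if top(s) is not None)

RATES = {"A": 0.2, "B": 0.4}            # failures/hour, the slides' AND example
A, B = be("A"), be("B")

def and_unreliability(T=1.0):
    return unreliability(and_gate(A, B), RATES, T)

def pand_unreliability(T=1.0):
    """C fails only if A fails BEFORE B: the static product formula no longer applies."""
    return unreliability(pand_gate(A, B), RATES, T)

# Closed forms, used only to check the CTMC solution.
def closed_form_and(T=1.0, la=0.2, lb=0.4):
    return (1 - math.exp(-la * T)) * (1 - math.exp(-lb * T))

def closed_form_pand(T=1.0, la=0.2, lb=0.4):
    # P(T_A < T_B <= T) = integral_0^T lb e^{-lb t} (1 - e^{-la t}) dt
    return (1 - math.exp(-lb * T)) - lb / (la + lb) * (1 - math.exp(-(la + lb) * T))
```

Calling and_unreliability(1.0) returns the 4-state CTMC's answer and closed_form_and(1.0) the formula on the slide; they agree to the truncation error. Because a state remembers the order of failures, build_ctmc generates every partial permutation of the BEs, i.e. sum over k of n!/(n-k)! states for an n-input gate that needs them all (5 for two BEs, 16 for three, 1957 for six), which is the state-space explosion the slides attribute to one-shot generation.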
DFT example: road trip
[Figure: the DFT "Road trip fails", an order-sensitive gate over "Mobile phone fails" and "Car fails"; "Car fails" over "Engine fails" and "Tires fail"; "Tires fail" built from four WSP (spare) gates, one per tire (Tire 1 to Tire 4), that share a single spare tire. Solution flow shown beside it: DFT -> Markov chain generation algorithm -> differential equations solution -> Result: system failure probability.]
Road trip fails if the mobile phone fails BEFORE the car fails.
Spare tire is cold: it cannot fail when not in use.
State-space explosion! One of the drawbacks: although the tree consists of distinct modules, the CTMC is generated in one shot.
DFT drawbacks
State-space explosion.
No formal syntax and semantics.
Lack of modularity: dynamic modules (e.g. the 'Tires' subsystem in the example) can not be reused.
Restrictions on certain inputs to gates (e.g. the spare gate).
The DFT-to-MC* conversion algorithm is hard to extend and/or modify.
Remedies proposed in this talk (right-hand side of the slide): compositional aggregation; DAG; compositionality; lift restrictions; extension at the element level; I/O-IMC.
*: DIFTree algorithm
Input/Output Interactive Markov Chains (I/O-IMC)
Combination of I/O automata and CTMC:
Discrete state space.
Markovian transitions (labelled with a rate λ).
Interactive transitions, labelled with actions from an action signature: ? input actions, ! output actions, ; internal actions.
Input-enabled: every input action is accepted in every state.
[Figure: the I/O-IMC of a basic event: a Markovian transition with rate λ, followed by an immediate output transition failed!]
DFT semantics (DFT element to I/O-IMC)
[Figure: I/O-IMC models of DFT elements, drawn for a gate C over inputs A and B; transitions are labelled with the inputs f(A)? and f(B)? and the output f(C)!. The many repeated f(A)?/f(B)? labels are the self-loops that make every state input-enabled.]
Compositional Analysis: Translation
[Figure: the DFT C = AND(A, B), with A failing at rate 0.2 and B at rate 0.4, next to the I/O-IMCs it translates to.]
BE A (inputs: none; outputs: f(A)!): state 1 -0.2-> state 2 -f(A)!-> state 3. BE B likewise, with rate 0.4 and output f(B)!.
Gate C (inputs: f(A)? and f(B)?; outputs: f(C)!): 1 -f(A)?-> 2, 1 -f(B)?-> 3, 2 -f(B)?-> 4, 3 -f(A)?-> 4, 4 -f(C)!-> 5; an input that a state does not handle is accepted by a self-loop (input-enabledness).

Compositional Analysis: Parallel Composition
C || A: synchronize on f(A) (output of A, input of C). Reachable product states, written C-state || A-state:
1||1 -0.2-> 1||2 -f(A)!-> 2||3
1||1 -f(B)?-> 3||1 -0.2-> 3||2 -f(A)!-> 4||3 -f(C)!-> 5||3
1||2 -f(B)?-> 3||2 and 2||3 -f(B)?-> 4||3
Signature of C || A: inputs f(B)?; outputs f(A)! and f(C)!.
Compositional Analysis: Abstraction (hiding)
Abstraction (hiding) makes a signal internal. Hiding f(A) in C || A turns the two f(A)! transitions (1||2 -> 2||3 and 3||2 -> 4||3) into internal f(A); steps; the states 1||1, 1||2, 2||3, 3||1, 3||2, 4||3, 5||3 and the remaining f(B)?, rate-0.2 and f(C)! transitions are unchanged.
[Figure: the DFT C = AND(A, B) with the hidden signal f(A) and the resulting I/O-IMC.]
Compositional Analysis: Aggregation (weak bisimulation)
Weak bisimulation: disregard internal steps.
Aggregation: finding a smaller model that is (behaviorally) equivalent to the original.
[Figure: the hidden C || A (states 1||1 to 5||3 with internal f(A); steps, f(B)? inputs, rate-0.2 transitions and the output f(C)!), the input to aggregation.]
Compositional-Aggregation Overview
Translation -> Composition + Hiding -> Aggregation (minimization) -> Repeat -> Aggregated system CTMC -> Result: system failure probability.
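The translate / compose / hide / aggregate loop above, run on the same C = AND(A, B) example, as an added example (Python written for this page, not the authors' tool). The state numbering of C (1 to 5) and of the BEs (1 to 3) follows the slides; the class IOIMC and the functions basic_event, and_gate, compose, hide, states_of, to_ctmc and build_example are my construction. Aggregation here is only the elimination of immediate states under maximal progress, a special case of the weak-bisimulation minimization on the slides; the assumptions are stated in the docstring.

```python
"""I/O-IMC translation, parallel composition, hiding and elimination of
immediate states for the slides' example C = AND(A, B).  Example code added
to this page, not the authors' tool.  Assumptions that are mine: outputs and
internal actions are immediate (maximal progress), inputs are reactive, and
in the closed model each immediate state has one interactive successor (true
here; the slides' weak-bisimulation minimisation is more general)."""

class IOIMC:
    def __init__(self, start, inputs=(), outputs=(), internal=()):
        self.start, self.inputs, self.outputs = start, set(inputs), set(outputs)
        self.internal = set(internal)
        self.inter = {}    # state -> [(action, state')]   interactive transitions
        self.markov = {}   # state -> [(rate, state')]     Markovian transitions

    def inter_from(self, s, a):
        """Targets of s on a; an input with no explicit transition self-loops (input-enabled)."""
        targets = [t for b, t in self.inter.get(s, []) if b == a]
        return targets or ([s] if a in self.inputs else [])

def basic_event(name, rate):
    """Translation of a BE: fail after an exp(rate) delay, then signal f(name)!."""
    m = IOIMC(1, outputs=[f"f({name})"])
    m.markov[1] = [(rate, 2)]
    m.inter[2] = [(f"f({name})", 3)]
    return m

def and_gate(name, left, right):
    """Translation of an AND gate; state numbers as on the slides."""
    fa, fb, fc = f"f({left})", f"f({right})", f"f({name})"
    m = IOIMC(1, inputs=[fa, fb], outputs=[fc])
    m.inter = {1: [(fa, 2), (fb, 3)],        # one input has failed
               2: [(fb, 4)], 3: [(fa, 4)],   # both have failed
               4: [(fc, 5)]}                 # announce the gate's failure
    return m

def compose(p, q):
    """p || q: synchronise on actions in both signatures (an output matched with
    an input stays an output); interleave everything else, Markovian included."""
    shared = (p.inputs | p.outputs) & (q.inputs | q.outputs)
    r = IOIMC((p.start, q.start), (p.inputs | q.inputs) - (p.outputs | q.outputs),
              p.outputs | q.outputs, p.internal | q.internal)
    todo, seen = [r.start], {r.start}
    while todo:
        s = todo.pop()
        sp, sq = s
        moves = [(a, (tp, tq)) for a in shared for tp in p.inter_from(sp, a)
                 for tq in q.inter_from(sq, a) if (tp, tq) != s]   # no idle self-loops
        moves += [(a, (tp, sq)) for a, tp in p.inter.get(sp, []) if a not in shared]
        moves += [(a, (sp, tq)) for a, tq in q.inter.get(sq, []) if a not in shared]
        rates = [(lam, (tp, sq)) for lam, tp in p.markov.get(sp, [])]
        rates += [(lam, (sp, tq)) for lam, tq in q.markov.get(sq, [])]
        if moves:
            r.inter[s] = moves
        if rates:
            r.markov[s] = rates
        for _, t in moves + rates:
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return r

def hide(m, *actions):
    """Abstraction: the given outputs become internal and no longer synchronise."""
    m.outputs -= set(actions)
    m.internal |= set(actions)
    return m

def states_of(m):
    """All states compose() generated (it only produces reachable ones)."""
    return ({m.start} | set(m.inter) | set(m.markov)
            | {t for ts in m.inter.values() for _, t in ts}
            | {t for ts in m.markov.values() for _, t in ts})

def to_ctmc(m):
    """Collapse each immediate state of a closed I/O-IMC into the tangible state its
    chain of immediate transitions ends in (maximal progress); returns Q[s][t]."""
    assert not m.inputs, "compose/hide until no inputs remain before analysing"
    def settle(s):
        while m.inter.get(s):
            if len(m.inter[s]) != 1:
                raise ValueError(f"non-deterministic immediate state {s}")
            s = m.inter[s][0][1]
        return s
    Q, todo = {settle(m.start): {}}, [settle(m.start)]
    while todo:
        s = todo.pop()
        for lam, t in m.markov.get(s, []):
            t = settle(t)
            Q[s][t] = Q[s].get(t, 0.0) + lam
            if t not in Q:
                Q[t] = {}
                todo.append(t)
    return Q

def build_example():
    """Steps 1-4 on C = AND(A, B), A at 0.2 f/h and B at 0.4 f/h as on the slides."""
    A, B = basic_event("A", 0.2), basic_event("B", 0.4)   # step 1: translation
    C = and_gate("C", "A", "B")
    CA = compose(C, A)                        # step 2a: C || A, synchronise on f(A)
    n_ca = len(states_of(CA))                 # 7 states, as on the slide
    hide(CA, "f(A)")                          # step 2b: f(A)! becomes f(A);
    CAB = hide(compose(CA, B), "f(B)")        # step 4: repeat with B
    Q = to_ctmc(CAB)                          # step 3/5: aggregate, ready for analysis
    failed = [s for s in Q if s[0][0] == 5]   # C's local state 5: f(C)! has been sent
    return n_ca, Q, failed
```

build_example() returns the 7-state C || A count from the slide and a 4-state CTMC whose states are the tuples ((C-state, A-state), B-state): from ((1,1),1) rate 0.2 leads to ((2,3),1) and rate 0.4 to ((3,1),3), each of which reaches the failed state ((5,3),3) with the other BE's rate, i.e. the same chain that slide 10 builds in one shot. That CTMC is what step 5 hands to a transient solver. In the compose() rule an output of one component synchronised with an input of the other stays an output, so a hidden signal cannot leak into a later composition; this is why hide() must run before the next || step.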
Case studies
Case study   Analysis method   Max number of states   Max number of transitions   Unreliability (T=1)
(a)          DIFTree           4113                   24608                       0.00135668
(a)          Comp-Agg          132                    426                         0.00135668
(b)          DIFTree           8                      10                          0.657900
(b)          Comp-Agg          36                     119                         0.657900
(c)          DIFTree           253                    1383                        2.00025·10^-9
(c)          Comp-Agg          157                    756                         2.00025·10^-9
[Figures, of which only the node labels survive: (a) The cascaded PAND system; (b) The cardiac assist system (CPUs, Motors and Pumps subsystems); (c) A multi-processor distributed computing system (P1, P2, Mem1, Mem2, Disk1, Disk2, Bus).]
Summary
Compositional semantics for DFTs in terms of I/O-IMCs:
Alleviates the state-space explosion problem.
Formal syntax & semantics.
Enhanced DFT modularity: dynamic module reuse; lifting restrictions on allowed inputs.
Readily extensible framework (extensions at the element level), e.g. repair.
Works well for highly modular dynamic FTs.
Gain at both the modeling and the analysis level.
References
H. Boudali, P. Crouzen, M. Stoelinga. "Dynamic Fault Tree analysis using Input/Output Interactive Markov Chains". To appear in Proc. DSN 2007.
H. Boudali, P. Crouzen, M. Stoelinga. "A compositional semantics for Dynamic Fault Trees in terms of Interactive Markov Chains". Technical report, to appear.
More info: [email protected]
The END!
Extra slides
Future work
Weaker bisimulation relation (i.e. more aggressive state reduction)
Extension to non-exponential distributions (e.g. use of phase-type distributions)
Further extensions to DFT modeling capabilities (i.e. definition of new gates and corresponding I/O-IMC)
Fully automated tool (at this point, the tool is only partially automated)
Parallel Composition and Hiding

Aggregation (Weak Bisimulation)

Preservation Theorem (WB is a congruence)
Compositional-Aggregation Overview (worked on C = AND(A, B))
Step 1: Translation. DFT elements C, A, B become I/O-IMCs with signals f(A), f(B), f(C).
Step 2a: Parallel composition: C || A.
Step 2b: Abstraction: hide f(A).
Step 3: Aggregation of C || A.
Step 4: Repetition: Step 2a: (C || A) || B; Step 2b: hide f(B); Step 3: aggregate (C || A) || B.
Step 5: CTMC analysis of the aggregated model (Markovian transitions with rates 0.2 and 0.4, final output f(C)!).
Steps 2 to 4 together are the compositional aggregation.
I/O-IMC models can be reused!
[Figure: the DFT, the translated I/O-IMCs, C || A, C || A || B and the resulting CTMC.]