checking fault tolerance in safety and security-critical systems
TRANSCRIPT
Checking Fault Tolerance in Safety and Security-Critical Systems
Aim: To Predict the Effects of Component Failures
Component faultsController Sensor
Button
Safety / Security Violation
Identify Unsafe BehaviourModel Checking
The problem:
The solution:
ie, automatic Failure Modes and Effect Analysis (FMEA)
Safety and Security Requirements
System Model
Component Fault Modes
System Model with InjectedComponent Fault Modes
Formalised Temporal Logic Formulae
Identified unsafe behaviours
Automatic Model Checking Either …
Or …
Verification that theInjected Component Faultsdo not lead to unsafe behaviour
Th1: Uncommanded closing: Plunger should not start falling without the operator pressing the button.
Th2: Motor on below PONR: The motor should not turn on when the plunger is falling below the PONR. Th3: Loss of abort: If the plunger is falling above the PONR and the operator releases the button, the motor should turn on.
Th4: Plunger falling before reaching the top: The motor should not turn off unless the plunger is at the top.
Step 1: Identify the Safety/Security Requirements
Safety and Security Requirements
System Model
Component Fault Modes
System Model with InjectedComponent Fault Modes
Formalised Temporal Logic Formulae
Identified unsafe behaviours
Automatic Model Checking
Either …
Or …
Verification that theInjected Component Faultsdo not lead to unsafe behaviour
Th1: Uncommanded closing: Plunger should not start falling without the operator pressing the button.
Th2: Motor on below PONR: The motor should not turn on when the plunger is falling below the PONR. Th3: Loss of abort: If the plunger is falling above the PONR and the operator releases the button, the motor should turn on.
Th4: Plunger falling before reaching the top: The motor should not turn off unless the plunger is at the top.
th1: THEOREM behavior |- G((plunger=plunger_at_top AND operator=operator_released_button) => (electric_Motor=electric_Motor_on));
th2: THEOREM behavior |- G((plunger=plunger_falling_fast) => (electric_Motor=electric_Motor_off));
th3: THEOREM behavior |- G(F(plunger=plunger_falling_fast)) => G((plunger=plunger_falling_slow AND operator=operator_released_button) => U(plunger=plunger_falling_slow, electric_Motor=electric_Motor_on));
th4: THEOREM behavior |- G(NOT((plunger=plunger_rising_below_PONR OR plunger=plunger_rising_above_PONR) AND (electric_Motor=electric_Motor_off)));
Step 2: Formalise the Safety/Security Requirements
Safety and Security Requirements
System Model
Component Fault Modes
System Model with InjectedComponent Fault Modes
Formalised Temporal Logic Formulae
Identified unsafe behaviours
Automatic Model Checking
Either…
Or…
Verification that theInjected Component Faultsdo not lead to unsafe behaviour
th1: THEOREM behavior |- G((plunger=plunger_at_top AND operator=operator_released_button) => (electric_Motor=electric_Motor_on));
th2: THEOREM behavior |- G((plunger=plunger_falling_fast) => (electric_Motor=electric_Motor_off));
th3: THEOREM behavior |- G(F(plunger=plunger_falling_fast)) => G((plunger=plunger_falling_slow AND operator=operator_released_button) => U(plunger=plunger_falling_slow, electric_Motor=electric_Motor_on));
th4: THEOREM behavior |- G(NOT((plunger=plunger_rising_below_PONR OR plunger=plunger_rising_above_PONR) AND (electric_Motor=electric_Motor_off)));
Th1: Uncommanded closing: Plunger should not start falling without the operator pressing the button.
Th2: Motor on below PONR: The motor should not turn on when the plunger is falling below the PONR. Th3: Loss of abort: If the plunger is falling above the PONR and the operator releases the button, the motor should turn on.
Th4: Plunger falling before reaching the top: The motor should not turn off unless the plunger is at the top.
Step 3: Model the System Behaviour
Safety and Security Requirements
System Model
Component Fault Modes
System Model with InjectedComponent Fault Modes
Formalised Temporal Logic Formulae
Identified unsafe behaviours
Automatic Model Checking
Either…
Or…
Verification that theInjected Component Faultsdo not lead to unsafe behaviour
Th1: Uncommanded closing: Plunger should not start falling without the operator pressing the button.
Th2: Motor on below PONR: The motor should not turn on when the plunger is falling below the PONR. Th3: Loss of abort: If the plunger is falling above the PONR and the operator releases the button, the motor should turn on.
Th4: Plunger falling before reaching the top: The motor should not turn off unless the plunger is at the top.
Step 4: Model the Component Fault
th1: THEOREM behavior |- G((plunger=plunger_at_top AND operator=operator_released_button) => (electric_Motor=electric_Motor_on));
th2: THEOREM behavior |- G((plunger=plunger_falling_fast) => (electric_Motor=electric_Motor_off));
th3: THEOREM behavior |- G(F(plunger=plunger_falling_fast)) => G((plunger=plunger_falling_slow AND operator=operator_released_button) => U(plunger=plunger_falling_slow, electric_Motor=electric_Motor_on));
th4: THEOREM behavior |- G(NOT((plunger=plunger_rising_below_PONR OR plunger=plunger_rising_above_PONR) AND (electric_Motor=electric_Motor_off)));
Safety and Security Requirements
System Model
Component Fault Modes
System Model with InjectedComponent Fault Modes
Formalised Temporal Logic Formulae
Identified unsafe behaviours
Automatic Model Checking
Either…
Or…
Verification that theInjected Component Faultsdo not lead to unsafe behaviour
Th1: Uncommanded closing: Plunger should not start falling without the operator pressing the button.
Th2: Motor on below PONR: The motor should not turn on when the plunger is falling below the PONR. Th3: Loss of abort: If the plunger is falling above the PONR and the operator releases the button, the motor should turn on.
Th4: Plunger falling before reaching the top: The motor should not turn off unless the plunger is at the top.
Fault injection is automatic
th1: THEOREM behavior |- G((plunger=plunger_at_top AND operator=operator_released_button) => (electric_Motor=electric_Motor_on));
th2: THEOREM behavior |- G((plunger=plunger_falling_fast) => (electric_Motor=electric_Motor_off));
th3: THEOREM behavior |- G(F(plunger=plunger_falling_fast)) => G((plunger=plunger_falling_slow AND operator=operator_released_button) => U(plunger=plunger_falling_slow, electric_Motor=electric_Motor_on));
th4: THEOREM behavior |- G(NOT((plunger=plunger_rising_below_PONR OR plunger=plunger_rising_above_PONR) AND (electric_Motor=electric_Motor_off)));
Safety and Security Requirements
System Model
Component Fault Modes
System Model with InjectedComponent Fault Modes
Formalised Temporal Logic Formulae
Identified unsafe behaviours
Automatic Model Checking
Either…
Or…
Verification that theInjected Component Faultsdo not lead to unsafe behaviour
Th1: Uncommanded closing: Plunger should not start falling without the operator pressing the button.
Th2: Motor on below PONR: The motor should not turn on when the plunger is falling below the PONR. Th3: Loss of abort: If the plunger is falling above the PONR and the operator releases the button, the motor should turn on.
Th4: Plunger falling before reaching the top: The motor should not turn off unless the plunger is at the top.
The Tool checks whether the Safety Requirement is met
th1: THEOREM behavior |- G((plunger=plunger_at_top AND operator=operator_released_button) => (electric_Motor=electric_Motor_on));
th2: THEOREM behavior |- G((plunger=plunger_falling_fast) => (electric_Motor=electric_Motor_off));
th3: THEOREM behavior |- G(F(plunger=plunger_falling_fast)) => G((plunger=plunger_falling_slow AND operator=operator_released_button) => U(plunger=plunger_falling_slow, electric_Motor=electric_Motor_on));
th4: THEOREM behavior |- G(NOT((plunger=plunger_rising_below_PONR OR plunger=plunger_rising_above_PONR) AND (electric_Motor=electric_Motor_off)));
Example Violation of Safety Requirement
Faulty SensorMotor turned on while plunger falling past point of no return
Result: Motor may explode, Operator in danger
Either…
Automatic Model Checking
Or …
Verification that theInjected Component Faultsdo not lead to unsafe behaviour
System Model with InjectedComponent Fault Modes
Formalised Temporal Logic Formulae
th1: THEOREM behavior |- G((plunger=plunger_at_top AND operator=operator_released_button) => (electric_Motor=electric_Motor_on));
th2: THEOREM behavior |- G((plunger=plunger_falling_fast) => (electric_Motor=electric_Motor_off));
th3: THEOREM behavior |- G(F(plunger=plunger_falling_fast)) => G((plunger=plunger_falling_slow AND operator=operator_released_button) => U(plunger=plunger_falling_slow, electric_Motor=electric_Motor_on));
th4: THEOREM behavior |- G(NOT((plunger=plunger_rising_below_PONR OR plunger=plunger_rising_above_PONR) AND (electric_Motor=electric_Motor_off)));
Component Fault Modes
Th1: Uncommanded closing: Plunger should not start falling without the operator pressing the button.
Th2: Motor on below PONR: The motor should not turn on when the plunger is falling below the PONR. Th3: Loss of abort: If the plunger is falling above the PONR and the operator releases the button, the motor should turn on.
Th4: Plunger falling before reaching the top: The motor should not turn off unless the plunger is at the top.
Safety and Security Requirements
System Model
Identified unsafe behaviours
The Tool identifies an Unsafe Behaviour
Hazard has occurred
• Identify impact of component faults
• Identify paths leading to unsafe behaviour
In summary: Predicting Effects of Component Failures
• Automates Failure Mode and Effect Analysis (FMEA)