nataliya yakymets - accueil - cea list · integration of safety techniques within a model-driven...
TRANSCRIPT
MODEL-DRIVEN SAFETY ANALYSIS OF CRITICAL SYSTEMS
Nataliya Yakymets
CRITICAL SYSTEM is a system whose failure may result in death or serious injury to people, or damage to equipment or environmental harm.
"
CRITICAL SYSTEMS C
opyr
ight
CEA
©
« L’accident qui s’est déroulé à Brétigny-sur-Orge (Essonne) le vendredi 12 juillet 2013 »
« Le crash de l'AF 447 devrait coûter 500 millions d'euros » Publié le 12/07/2011
福島第一原子力発電所事故 The Fukushima Daiichi nuclear disaster 11 March 2011
SAFETY STANDARDS
Generic Standard on Functional Safety of Electrical / Electronic / Programmable Electronic Safety-related Systems
Guidelines and Methods for Conducting the Safety Assessment Process on Civil Airborne Systems and Equipment
Functional Safety standard, "Road vehicles – Functional safety“
Robots and robotic devices -- Safety requirements for industrial robots
IEC 61508
ARP-4761
ISO 26262
ISO 10218 …
SYSTEM SAFETY ASSESSMENT is a systematic approach to the analysis of risks resulting from hazards that can affect humans, the environment, and mission assets.
TYPICAL SAFETY ASSESSMENT METHODS
• Hazard and Risk Analysis • Preliminary Hazard Analysis (PHA) • System Hazard Analysis (SHA) • HAZOP • ...
• Failure Mode Effects & Criticality Analysis (FMECA) • Reliability Block Diagram (RBD) • Fault Tree Analysis (FTA) • Event Tree Analysis (ETA) • Markov Analysis
SAFETY ASSESSMENT
SAFETY LIFE-CYCLE C
opyr
ight
CEA
©
PHA SHA HAZOP …
Hazard Analysis Concept & Requirements
Design & Optimization
Preliminary System Safety Assessment
Acceptance & Maintenance
Integration & Test
Implementation System Safety Assessment
SAFETY ANALYSIS
DEVELOPMENT
Validation
Validation FTA FMEA Markov Analysis RBD ETA
5
IEC 61508 generic standard on functional
safety
ISO 26262 "Road vehicles – Functional
safety“
SAFETY METHODS
SAFETY STANDARDS
…
Large usage of Model-Based approaches & techniques
Complete description of the system architecture
SYSTEM ENGINEERING
Need for safety analysis assistance! Design Engineer
Safety Engineer
PROBLEMATIC
CLASSICAL SAFETY ANALYSIS
Performed mostly manually
Time consuming, costly, high probability of errors
No strong links between system engineering and safety analysis
Cop
yrig
ht C
EA ©
UML profile for safety analysis
Own dedicated models
Uniform modeling environment for safety analysis
UML/SYSML
MODEL-BASED SAFETY ANALYSIS
Save time by modeling system before building a physical prototype
Flexible and expressive semantics
Global overview of architecture
PAPYRUS UML2 standard
Domain Specific Languages
Customizable Reuse UML concepts
Use any notations: diagrams, tables, text, symbols
Cop
yrig
ht C
EA ©
SOPHIA SAFETY LIFE-CYCLE C
opyr
ight
CEA
©
PHA [1] Requirement Eng. Hazard Analysis Concept &
Requirements
Design & Optimization
Preliminary System Safety Assessment
Acceptance & Maintenance
Integration & Test
Implementation System Safety Assessment
SAFETY ANALYSIS
DEVELOPMENT
Validation
Validation FTA [2] FMEA [3] Property Verification
Sophia targets early phases of system life-cycle
8
IEC 61508 generic standard on functional
safety
ISO/DIS 13482 safety standard for personal
care robots
[1] D. Cancila, F. Terrier, F. Belmonte, H. Dubois, H. Espinoza, S. Gerard, A. Cucurru, Sophia: a modeling language for modelbased safety engineering, in: Proc. of the 2nd Int. Workshop On Model Based Architecting And Construction Of Embedded Systems, Denver, Colorado, USA, 2009, pp. 11-26. [2] N. Yakymets, et al., Model-driven safety assessment of robotic systems, Proc. of IEEE Int. Conf. on Intelligent Robots and Systems (IROS), 2013, pp. 1137-1142. [3] Nataliya Yakymets, Yupanqui Munoz Julho, Agnes Lanusse, « Sophia framework for model-based safety analysis », Proc. of the 19th Congrès de Maîtrise des Risques et Sureté de Fonctionnement, Dijon, 2014, p. 71.
SAFETY METHODS
SAFETY STANDARDS
METHODOLOGY*
* N. Yakymets, S. Dhouib, H. Jaber, A. Lanusse, “Model-Driven Safety Assessment of Robotic Systems,” 2013 IEEE/RSJ International Conference on Intelligent Robots and Systems, IROS’2013, November 3-7, Tokyo, Japan, 2013.
Cop
yrig
ht C
EA ©
System Modeling
Safety Modeling & Annotation
Analysis Result Generation
Propagate Results to the
Model
METHODOLOGY*
* N. Yakymets, S. Dhouib, H. Jaber, A. Lanusse, “Model-Driven Safety Assessment of Robotic Systems,” 2013 IEEE/RSJ International Conference on Intelligent Robots and Systems, IROS’2013, November 3-7, Tokyo, Japan, 2013.
Cop
yrig
ht C
EA ©
System Modeling
Safety Modeling & Annotation
Analysis Result Generation
Propagate Results to the
Model
RobotML models
AltaRica formal model
Fault Tree Analysis Results
Fault Tree
FMEA Tables
Safety Annotations via Profile
Boolean expressions
State Machines
FME(C)A tables Fault Trees
…
Transformation SysML model to formal languages: AltaRica, NuSMV
Property verification
1) How to manage a hierarchy of complex systems?
• Coherence of dysfunctional behavior on different levels
• Iterative process
2) How to express dysfunctional behaviour?
• Convenience, maintainability, coherence with the formal methods
• Approaches
• Technical means
METHODOLOGICAL ISSUES
Mod
el A
nnot
atio
n
Safety A
nalysis Top Level
Finest Architectural Level
…
Flexible Safety Analysis
Keep a desired level of precision during SA process
Control a complexity of SA methods applied
Reduce time and cost required for SA
… Level 1
Level i Finest Annotation Level Basic
Component
12
1) How to manage a hierarchy of complex systems?
METHODOLOGY
13
2) How to express dysfunctional behaviour?
METHODOLOGY
ANALYTICAL EXPRESSIONS
Fast annotation
Easy to analyse
STATE MACHINES
Separate functional and dysfunctional behavior
Conform to formal languages: AltaRica, etc.
APPROACHES TO EXPRESS FAILURE BEHAVIOR
out1 = (in1 AND in2) AND NOT (Failure1 OR Failure2)
Failure1 Failure2
METHODOLOGY
ANALYTICAL EXPRESSIONS Analyzed System
Modeling Block Diagram Internal Block Diagram
Safety Analysis
For the compatibility of dysfunctional behavior on different levels only Blocks of the finest hierarchical level have an associated set of analytical expressions through dedicated profile
out1 = (in1 AND in2) OR (f1 OR f2) out2 = in3 OR f3
METHODOLOGY
STATE MACHINES Analyzed System
Block Diagram Internal Block Diagram
Annotated and Extended State Machine Diagram
Functional Behavior Dysfunctional Behavior
Blocks of the finest hierarchical level have an associated State Machine
Modeling
Safety Analysis
METHODOLOGY
MEANS OF FAILURE BEHAVIOR EXPRESSION
Profiles • EAST-ADL • DAM • Custom
Viewpoints, Diagrams • State Machines • Activity Diagrams • …
Safety comments, requirements
Model in UML/SysML/RobotML
Safety Modeling & Annotation
METHODOLOGY
SOPHIA MODULES C
opyr
ight
CEA
©
Build accident scenarios
Analyze functional causes of accidents
Fault tree generation, minimal cut sets, probaiblistic calculations
FME(C)A tables, Report generation
Verification of safety properties, Reachability analysis
Requirement classification, Report generation, Import/Export to ReqIF
Property Verification
FAILURE MODE AND EFFECTS ANALYSIS
FME(C)A is an inductive bottom up method used to analyze a system on component level and check what happens on system level
Cause→Failure→Effect
Automatic safety annotation FME(C)A Generation & display of FME(C)A tables within the model Automatic document generation Export results in excel format
SOPHIA MODULES
Sophia Modeling Environment
Sophia FME(C)A Report
Cop
yrig
ht C
EA ©
Criticality Display
FAULT TREE ANALYSIS
FTA is a deductive top-down method in which an undesired state of a system is analyzed at component level by combining a series of lower-level events using Boolean logic
Automatic safety annotation HW/SW allocation and propagation of failure behavior Automatic fault trees generation
Diagrams OpenPSA format
Qualitative FTA Minimal cut sets, dysfunctional scenarios
Quantitative FTA Minimal cut sets probabilistic analysis Sensitivity analysis Importance analysis (marginal, critical, diagnostic, risk achievement/reduce factors) Unavailability and SIL analysis
SOPHIA MODULES C
opyr
ight
CEA
©
Top Event
Logic Gate
Basic Event
importance analysis
sensitivity analysis
PROPERTY VERIFICATION
Given a model of a system, exhaustively and automatically check whether this model meets a given specification
State Machines for safety annotation Transformation from SysML to SMV state machine Verification of system properties (and safety requirements) with NuSMV Support of CTL and LTL
SOPHIA MODULES
Requirement Diagram
System property in CTL format for NuSMV
Counter Example
Cop
yrig
ht C
EA ©
Component Behavior
Provide a technology to express system requirements/hazards in
a quasi natural language
REQUIREMENT MANAGEMENT
Support requirements through system life-cycle Display requirements within modeling environment (Tables, Requirement Diagrams) Requirement classification Automatic report generation
SOPHIA MODULES
Sophia Modeling Environment Automatically Generated Requirement Report
Cop
yrig
ht C
EA ©
RESEARCH EXPERTISE VALORISATION & DEVELOPMENT
SAFETY
Automotive & Railway domain
Robotic domain
SECURITY
Energy & Smart Grids Transportation domain
Transportation domain
Energy & Smart Grids
SAFETY & SECURITY
Energy & Smart Grids
COLLABORATION C
opyr
ight
CEA
©
IMOFIS Inergy
SESAM-GRID
SOPHIA Integration of safety techniques within a model-driven engineering process Support of generic standard on functional safety design IEC61508 and ISO 13482 safety
standard (non-industrial personal care robots) Graphical and accessible modeling language (SysML and RobotML) Modelling of architecture, behaviour and failure logic Automatic document generation
CONCLUSION C
opyr
ight
CEA
©
PERSPECTIVES Sophia becomes a part of Eclipse Safety
Framework (ESF), an open-source model-based tool for safety analysis
ESF is a PolarSys project co-managed by CEA and ALL4TEC
Industrialization of Sophia in Safety Architect v 3.0
Extension of the Sophia research platform with RAMS and security
Commissariat à l’énergie atomique et aux énergies alternatives Institut Carnot CEA LIST Centre de Saclay | 91191 Gif-sur-Yvette Cedex T. +33 (0)1 69 08 32 93
Etablissement public à caractère industriel et commercial | RCS Paris B 775 685 019
Direction DRT Département DILS Laboratoire LISE
THANK YOU!