MODEL-DRIVEN SAFETY ANALYSIS OF CRITICAL SYSTEMS

Nataliya Yakymets

CRITICAL SYSTEM is a system whose failure may result in death or serious injury to people, or damage to equipment or environmental harm.

"

CRITICAL SYSTEMS C

opyr

ight

CEA

©

« L’accident qui s’est déroulé à Brétigny-sur-Orge (Essonne) le vendredi 12 juillet 2013 »

« Le crash de l'AF 447 devrait coûter 500 millions d'euros » Publié le 12/07/2011

福島第一原子力発電所事故 The Fukushima Daiichi nuclear disaster 11 March 2011

SAFETY STANDARDS

Generic Standard on Functional Safety of Electrical / Electronic / Programmable Electronic Safety-related Systems

Guidelines and Methods for Conducting the Safety Assessment Process on Civil Airborne Systems and Equipment

Functional Safety standard, "Road vehicles – Functional safety“

Robots and robotic devices -- Safety requirements for industrial robots

IEC 61508

ARP-4761

ISO 26262

ISO 10218 …

SYSTEM SAFETY ASSESSMENT is a systematic approach to the analysis of risks resulting from hazards that can affect humans, the environment, and mission assets.

TYPICAL SAFETY ASSESSMENT METHODS

• Hazard and Risk Analysis • Preliminary Hazard Analysis (PHA) • System Hazard Analysis (SHA) • HAZOP • ...

• Failure Mode Effects & Criticality Analysis (FMECA) • Reliability Block Diagram (RBD) • Fault Tree Analysis (FTA) • Event Tree Analysis (ETA) • Markov Analysis

SAFETY ASSESSMENT

SAFETY LIFE-CYCLE C

opyr

ight

CEA

©

PHA SHA HAZOP …

Hazard Analysis Concept & Requirements

Design & Optimization

Preliminary System Safety Assessment

Acceptance & Maintenance

Integration & Test

Implementation System Safety Assessment

SAFETY ANALYSIS

DEVELOPMENT

Validation

Validation FTA FMEA Markov Analysis RBD ETA

5

IEC 61508 generic standard on functional

safety

ISO 26262 "Road vehicles – Functional

safety“

SAFETY METHODS

SAFETY STANDARDS

…

Large usage of Model-Based approaches & techniques

Complete description of the system architecture

SYSTEM ENGINEERING

Need for safety analysis assistance! Design Engineer

Safety Engineer

PROBLEMATIC

CLASSICAL SAFETY ANALYSIS

Performed mostly manually

Time consuming, costly, high probability of errors

No strong links between system engineering and safety analysis

Cop

yrig

ht C

EA ©

UML profile for safety analysis

Own dedicated models

Uniform modeling environment for safety analysis

UML/SYSML

MODEL-BASED SAFETY ANALYSIS

Save time by modeling system before building a physical prototype

Flexible and expressive semantics

Global overview of architecture

PAPYRUS UML2 standard

Domain Specific Languages

Customizable Reuse UML concepts

Use any notations: diagrams, tables, text, symbols

Cop

yrig

ht C

EA ©

SOPHIA SAFETY LIFE-CYCLE C

opyr

ight

CEA

©

PHA [1] Requirement Eng. Hazard Analysis Concept &

Requirements

Design & Optimization

Preliminary System Safety Assessment

Acceptance & Maintenance

Integration & Test

Implementation System Safety Assessment

SAFETY ANALYSIS

DEVELOPMENT

Validation

Validation FTA [2] FMEA [3] Property Verification

Sophia targets early phases of system life-cycle

8

IEC 61508 generic standard on functional

safety

ISO/DIS 13482 safety standard for personal

care robots

[1] D. Cancila, F. Terrier, F. Belmonte, H. Dubois, H. Espinoza, S. Gerard, A. Cucurru, Sophia: a modeling language for modelbased safety engineering, in: Proc. of the 2nd Int. Workshop On Model Based Architecting And Construction Of Embedded Systems, Denver, Colorado, USA, 2009, pp. 11-26. [2] N. Yakymets, et al., Model-driven safety assessment of robotic systems, Proc. of IEEE Int. Conf. on Intelligent Robots and Systems (IROS), 2013, pp. 1137-1142. [3] Nataliya Yakymets, Yupanqui Munoz Julho, Agnes Lanusse, « Sophia framework for model-based safety analysis », Proc. of the 19th Congrès de Maîtrise des Risques et Sureté de Fonctionnement, Dijon, 2014, p. 71.

SAFETY METHODS

SAFETY STANDARDS

METHODOLOGY*

* N. Yakymets, S. Dhouib, H. Jaber, A. Lanusse, “Model-Driven Safety Assessment of Robotic Systems,” 2013 IEEE/RSJ International Conference on Intelligent Robots and Systems, IROS’2013, November 3-7, Tokyo, Japan, 2013.

Cop

yrig

ht C

EA ©

System Modeling

Safety Modeling & Annotation

Analysis Result Generation

Propagate Results to the

Model

METHODOLOGY*

* N. Yakymets, S. Dhouib, H. Jaber, A. Lanusse, “Model-Driven Safety Assessment of Robotic Systems,” 2013 IEEE/RSJ International Conference on Intelligent Robots and Systems, IROS’2013, November 3-7, Tokyo, Japan, 2013.

Cop

yrig

ht C

EA ©

System Modeling

Safety Modeling & Annotation

Analysis Result Generation

Propagate Results to the

Model

RobotML models

AltaRica formal model

Fault Tree Analysis Results

Fault Tree

FMEA Tables

Safety Annotations via Profile

Boolean expressions

State Machines

FME(C)A tables Fault Trees

…

Transformation SysML model to formal languages: AltaRica, NuSMV

Property verification

1) How to manage a hierarchy of complex systems?

• Coherence of dysfunctional behavior on different levels

• Iterative process

2) How to express dysfunctional behaviour?

• Convenience, maintainability, coherence with the formal methods

• Approaches

• Technical means

METHODOLOGICAL ISSUES

Mod

el A

nnot

atio

n

Safety A

nalysis Top Level

Finest Architectural Level

…

Flexible Safety Analysis

Keep a desired level of precision during SA process

Control a complexity of SA methods applied

Reduce time and cost required for SA

… Level 1

Level i Finest Annotation Level Basic

Component

12

1) How to manage a hierarchy of complex systems?

METHODOLOGY

13

2) How to express dysfunctional behaviour?

METHODOLOGY

ANALYTICAL EXPRESSIONS

Fast annotation

Easy to analyse

STATE MACHINES

Separate functional and dysfunctional behavior

Conform to formal languages: AltaRica, etc.

APPROACHES TO EXPRESS FAILURE BEHAVIOR

out1 = (in1 AND in2) AND NOT (Failure1 OR Failure2)

Failure1 Failure2

METHODOLOGY

ANALYTICAL EXPRESSIONS Analyzed System

Modeling Block Diagram Internal Block Diagram

Safety Analysis

For the compatibility of dysfunctional behavior on different levels only Blocks of the finest hierarchical level have an associated set of analytical expressions through dedicated profile

out1 = (in1 AND in2) OR (f1 OR f2) out2 = in3 OR f3

METHODOLOGY

STATE MACHINES Analyzed System

Block Diagram Internal Block Diagram

Annotated and Extended State Machine Diagram

Functional Behavior Dysfunctional Behavior

Blocks of the finest hierarchical level have an associated State Machine

Modeling

Safety Analysis

METHODOLOGY

MEANS OF FAILURE BEHAVIOR EXPRESSION

Profiles • EAST-ADL • DAM • Custom

Viewpoints, Diagrams • State Machines • Activity Diagrams • …

Safety comments, requirements

Model in UML/SysML/RobotML

Safety Modeling & Annotation

METHODOLOGY

SOPHIA MODULES C

opyr

ight

CEA

©

Build accident scenarios

Analyze functional causes of accidents

Fault tree generation, minimal cut sets, probaiblistic calculations

FME(C)A tables, Report generation

Verification of safety properties, Reachability analysis

Requirement classification, Report generation, Import/Export to ReqIF

Property Verification

FAILURE MODE AND EFFECTS ANALYSIS

FME(C)A is an inductive bottom up method used to analyze a system on component level and check what happens on system level

Cause→Failure→Effect

Automatic safety annotation FME(C)A Generation & display of FME(C)A tables within the model Automatic document generation Export results in excel format

SOPHIA MODULES

Sophia Modeling Environment

Sophia FME(C)A Report

Cop

yrig

ht C

EA ©

Criticality Display

FAULT TREE ANALYSIS

FTA is a deductive top-down method in which an undesired state of a system is analyzed at component level by combining a series of lower-level events using Boolean logic

Automatic safety annotation HW/SW allocation and propagation of failure behavior Automatic fault trees generation

Diagrams OpenPSA format

Qualitative FTA Minimal cut sets, dysfunctional scenarios

Quantitative FTA Minimal cut sets probabilistic analysis Sensitivity analysis Importance analysis (marginal, critical, diagnostic, risk achievement/reduce factors) Unavailability and SIL analysis

SOPHIA MODULES C

opyr

ight

CEA

©

Top Event

Logic Gate

Basic Event

importance analysis

sensitivity analysis

PROPERTY VERIFICATION

Given a model of a system, exhaustively and automatically check whether this model meets a given specification

State Machines for safety annotation Transformation from SysML to SMV state machine Verification of system properties (and safety requirements) with NuSMV Support of CTL and LTL

SOPHIA MODULES

Requirement Diagram

System property in CTL format for NuSMV

Counter Example

Cop

yrig

ht C

EA ©

Component Behavior

Provide a technology to express system requirements/hazards in

a quasi natural language

REQUIREMENT MANAGEMENT

Support requirements through system life-cycle Display requirements within modeling environment (Tables, Requirement Diagrams) Requirement classification Automatic report generation

SOPHIA MODULES

Sophia Modeling Environment Automatically Generated Requirement Report

Cop

yrig

ht C

EA ©

RESEARCH EXPERTISE VALORISATION & DEVELOPMENT

SAFETY

Automotive & Railway domain

Robotic domain

SECURITY

Energy & Smart Grids Transportation domain

Transportation domain

Energy & Smart Grids

SAFETY & SECURITY

Energy & Smart Grids

COLLABORATION C

opyr

ight

CEA

©

IMOFIS Inergy

SESAM-GRID

SOPHIA Integration of safety techniques within a model-driven engineering process Support of generic standard on functional safety design IEC61508 and ISO 13482 safety

standard (non-industrial personal care robots) Graphical and accessible modeling language (SysML and RobotML) Modelling of architecture, behaviour and failure logic Automatic document generation

CONCLUSION C

opyr

ight

CEA

©

PERSPECTIVES Sophia becomes a part of Eclipse Safety

Framework (ESF), an open-source model-based tool for safety analysis

ESF is a PolarSys project co-managed by CEA and ALL4TEC

Industrialization of Sophia in Safety Architect v 3.0

Extension of the Sophia research platform with RAMS and security

Commissariat à l’énergie atomique et aux énergies alternatives Institut Carnot CEA LIST Centre de Saclay | 91191 Gif-sur-Yvette Cedex T. +33 (0)1 69 08 32 93

Etablissement public à caractère industriel et commercial | RCS Paris B 775 685 019

Direction DRT Département DILS Laboratoire LISE

THANK YOU!