holger hermanns
play

Holger Hermanns dependable systems and software Saarland University - PowerPoint PPT Presentation

Sep 03, 2023 •743 likes •1.38k views

Holger Hermanns dependable systems and software Saarland University Saarbrcken, Germany Safety? Safety by design? Make sure hazardous situations are unreachable! Safety by design? Make sure hazardous situations are unreachable! Safety by

  1. Holger Hermanns dependable systems and software Saarland University Saarbrücken, Germany

  2. Safety?

  3. Safety by design? Make sure hazardous situations are unreachable!

  4. Safety by design? Make sure hazardous situations are unreachable!

  5. Safety by design? Why bother? Enforced by various standards: DO-178C/ED-12C for airborne systems relates to ARP4761 Functional Hazard Assessment (FHA) Preliminary System Safety Assessment (PSSA) System Safety Assessment (SSA) Fault Tree Analysis (FTA) Failure Mode and Effects Analysis (FMEA) Failure Modes and Effects Summary (FMES) Common Cause Analysis (CCA) ISO 26262 for automotive systems ... Higher/highest safety levels recommend formal methods

  6. Prelude

  7. Fault Trees 9x10 -4 5x10 -3 8x10 -3 5x10 -3 8x10 -3

  8. Fault Trees How to obtain the numbers? 1) Time-independent failure Average number of starts before failure: 200  Failure probability 0.005 9x10 -4 5x10 -3 8x10 -3 5x10 -3 8x10 -3

  9. Fault Trees How to obtain the numbers? 1) Time-independent failure Average number of starts before failure: 200  Failure probability 0.005 2) Time-dependent failure: 9x10 -4 On average once 0.00021 per Mission time : 24h Probability to fail in 24 hours: ���⋅�.����� 5x10 -3 8x10 -3 5x10 -3 8x10 -3 ... and from further models

  10. Fault Trees – Analysis Basics Calculate probability of top-level event … or overapproximation thereof 9x10 -4 5x10 -3 8x10 -3 5x10 -3 8x10 -3

  11. Fault Trees licensed at > 55% of • are often very large nuclear power plants worldwide • are very costly to maintain • are very important • are stateless • give imprecise results - too pessimistic due to stateless view + minimal cutset abstraction - too optimistic if dependencies - …

  12. Models for Safety All models are wrong, but some are useful. George E. P. Box

  13. Useful Models finite automata on? x:=0; on? x:=0; dark dark light light x==50 off!

  14. Useful Models finite automata with clocks all running at the same speed on? x:=0; on? x:=0; dark dark light light x==50 off! Timed Automata

  15. Useful Models finite automata with clocks and with costs incurred as time advances on? x:=0; on? x:=0; dark dark light light x==50 off! Priced Timed Automata

  16. Useful Models finite automata with clocks and with costs modular: composition of automata on? x:=0; y>d on? x:=0; on! y:=0; dark dark light light d:=U[5,55]; someone x==50 off! Automata Networks

  17. Useful Models 1 0,9 finite automata 0,8 0,7 0,6 with clocks 0,5 0,4 and with costs 0,3 U[5,55] Pr (“on!” > t) 0,2 Pr (“on!” > t) 0,1 modular: composition of automata 0 0 5 10 15 20 25 30 35 40 45 50 55 60 on? x:=0; y>d on? x:=0; on! y:=0; dark dark light light d:=U[5,55]; someone x==50 off! with probability distributions Stochastic Timed Automata

  18. Useful Models finite automata with clocks and with costs Exp[5] Pr (“on!” > t) modular: composition of automata on? x:=0; y>d on? x:=0; on! y:=0; dark dark light light d:= Exp[5]; someone x==50 off! with probability distributions Stochastic Timed Automata

  19. Useful Models finite automata with clocks memoryless time and with costs Exp[5] Pr (“on!” > t) modular: composition of automata on? x:=0; y>d on? x:=0; on! dark dark light light someone x==50 off! with probability distributions Markov Automata

  20. Useful Models finite automata with clocks and with costs Exp[5] Pr (“on!” > t) modular: composition of automata on? x:=0; y>d on? x:=0; on! y:=0; dark dark light light d:= Exp[5]; someone x==50 off! with probability distributions Stochastic Timed Automata

  21. Useful Models finite automata with clocks and with costs Exp[5] Pr (“on!” > t) modular: composition of automata on? x:=0; y>d on? x:=0; 98% on! 2% y:=0; dark dark light light d:= Exp[5]; someone T>85 && x==50 off! with probability distributions Stochastic Timed Automata

  22. Useful Models finite automata with clocks and with costs Exp[5] Pr (“on!” > t) modular: composition of automata on? x:=0; y>d on? x:=0; 98% on! 2% y:=0; dark dark light light d:= Exp[5]; someone T>85 && x==50 off! with probability distributions Stochastic Hybrid and continuous dynamics Automata

  24. Model based … Analysis System Model Analysis Focus possible behaviour Model Analysis Results

  25. Model based … Analysis ... Maintenance Failure ... Architecture Requirements Objectives Nominal System Model Analysis Focus possible behaviour Model Analysis Results Diagnostics Fault Trees FMEA Characteristics

  26. Model based … Analysis ... Maintenance Failure ... Architecture Requirements Objectives Nominal System Model Analysis Focus possible behaviour Model Analysis Results Diagnostics Fault Trees FMEA Characteristics

  27. Model based … Analysis ... Maintenance Failure ... Architecture Requirements Objectives Nominal System Model Analysis Focus possible behaviour Results Diagnostics Fault Trees FMEA Characteristics

  28. Model based … Analysis ... Maintenance Failure ... Architecture Requirements Objectives Nominal System Model Analysis Focus possible behaviour Model Analysis Abstraction Iteration Results Diagnostics … Fault Trees FMEA Magic Characteristics

  29. Model based … Analysis System Model Analysis Focus possible behaviour Model Analysis modestchecker.org Results A concrete, mission-critical case

  30. Embedded in Space

  31. GOMX-1 • 2U CubeSat (2 liter) • Launched in November 2013 • Payloads: • software defined receiver for aircraft signals • color camera for earth observation • Telemetry transmitted on amateur radio frequency • Massive amounts of data collected • battery voltage, temperature, solar infeed, … Runs our calibration experiments.

  32. Battery Kinetics

  33. Battery Kinetics 100 % 0 %

  34. Battery Kinetics B A Kinetic Battery Model • can represent ‘rate-capacity effect’ • can represent ‘recovery effect’  a faithful abstraction of modern battery chemistry

  35. Battery Kinetics B A Kinetic Battery Model • can represent ‘rate-capacity effect’ • can represent ‘recovery effect’  a faithful abstraction of modern battery chemistry

  36. Battery Kinetics full B A A empty B

  37. Battery Kinetics full B A A empty B

  38. Battery Kinetics full B A A empty B

  39. Battery Kinetics full B A A empty B

  40. Battery Kinetics full B A A empty B

  41. Battery Kinetics full B A A empty B

  42. Battery Kinetics full B A A empty B

  43. Battery Kinetics full B A A empty B

  44. Battery Kinetics full B A A empty B

  45. Battery Kinetics full B A A empty B

  46. Battery Kinetics full B A A empty B

  47. Concretely. Will the battery survive a one-year mission ? -62 with 5000 mAh

  48. Concretely. Will the battery survive a one-year mission ? With half the capacity? 2500 mAh

  49. Concretely. Will the battery survive a one-year mission ? With a quarter of the capacity? 1250 mAh

  50. Concretely. Will the battery survive a one-year mission ? With an eighth of the capacity ? 625 mAh

  51. Concretely. Will the battery survive a one-year mission ? With a sixteenth of the capacity ? 312.5 mAh

  52. GOMX-2 • 2U CubeSat (2 liter) • Shipped in October 2014 with Cygnus CRS-3 towards ISS • Payloads: • Optical communication experiments from NUS • Highspeed UHF and SDR receiver • Shipping failed after liftoff • Satellite was recovered from wreckage and returned to GomSpace

  53. GOMX-3 • 3U CubeSat (3 liter) • Launched from ISS in October 2015 • Payloads: • L-band communication to geostationary satellit • X-band transmitter for CNES • Highspeed UHF and SDR receiver • Can (and must) rotate in 3 dimensions

  54. GOMX-4 • Two 6U CubeSats (6 liter) • Launch expected in 2016 • Initial design in the making • Focus on support for flexible payload model • Needs strong support for dynamic load scheduling • Battery states are critical

  55. GOMX-3 mission details

  56. GOMX-3 mission planning • Very tight power budget • Needs dynamic and battery aware scheduling • What we do: • Priced Timed Automata modelling • Generate optimal schedules for 1 week or day horizon • Evaluate schedules on random KiBaM for robustness • Send to orbit, observe behaviour, update model

  57. GOMX-3 mission planning • Very tight power budget • Needs dynamic and battery aware scheduling • What we do: • Priced TA modelling with linear battery model • Generate optimal schedules for 1 week horizon • Evaluate schedules on random KiBaM for robustness • Prepare for updates of model state based on orbit data

  58. A one-day schedule (for yesterday) and its depletion risk

  59. Meeting Reality, safely

  60. You saw: Model based … Analysis System Model Analysis Focus possible behaviour Model Analysis modestchecker.org Results on a concrete, mission-critical case

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Holger Hermanns Holger Hermanns E le c tr ic Powe r Distr ibution Gr ids Pr Pr oduc e r

Holger Hermanns Holger Hermanns E le c tr ic Powe r Distr ibution Gr ids Pr Pr oduc e r

Holger Hermanns Holger Hermanns E le c tr ic Powe r Distr ibution Gr ids Pr Pr oduc e r oduc e r s s Consume r Consume r s s nuc c o a l l le a r g a s b io g a s Micro CHP la ke s Stor age Holger Hermanns Pr inc ipal

878 views • 39 slides
The Stochastic KiBaM ... or how charging probably keeps batteries alive Holger Hermanns, Jan

The Stochastic KiBaM ... or how charging probably keeps batteries alive Holger Hermanns, Jan

The Stochastic KiBaM ... or how charging probably keeps batteries alive Holger Hermanns, Jan Krl, Gilles Nies Saarland University May 5, 2015 Alpine Verification Meeting 2015 What 3 items would you take to a deserted island? 1 / 21 What

723 views • 32 slides
Continuous Optimal Timing Yuliya Butkova, Hassan Hatefi, Holger Hermanns, Jan Kr c al

Continuous Optimal Timing Yuliya Butkova, Hassan Hatefi, Holger Hermanns, Jan Kr c al

Motivation Definitions and Problem Statement Existing Algorithms Our Algorithm Empirical Evaluation Conclusion Continuous Optimal Timing Yuliya Butkova, Hassan Hatefi, Holger Hermanns, Jan Kr c al Saarland University Computer

461 views • 28 slides
Late Weak Bisimilarity for Markov Automata Christian Eisentraut 1 Jens Chr. Godskesen 2 Holger

Late Weak Bisimilarity for Markov Automata Christian Eisentraut 1 Jens Chr. Godskesen 2 Holger

Late Weak Bisimilarity for Markov Automata Christian Eisentraut 1 Jens Chr. Godskesen 2 Holger Hermanns 1 Lei Song 3 , 1 Lijun Zhang 4 , 1 Saarland University, Germany IT University of Copenhagen, Denmark Max-Planck-Institut f ur Informatik,

410 views • 30 slides
The Raspberry Pi: A Platform for Replicable Performance Benchmarks? Holger Knoche and Holger

The Raspberry Pi: A Platform for Replicable Performance Benchmarks? Holger Knoche and Holger

The Raspberry Pi: A Platform for Replicable Performance Benchmarks? Holger Knoche and Holger Eichelberger University of Kiel and University of Hildesheim November 9, 2017 @ SSP Holger Knoche and Holger Eichelberger The RasPi: Replicable

323 views • 14 slides
Union, Intersection, and Refinement Types and Reasoning about Type Disjointness for Security

Union, Intersection, and Refinement Types and Reasoning about Type Disjointness for Security

Union, Intersection, and Refinement Types and Reasoning about Type Disjointness for Security Protocol Analysis C t lin Hri cu Prof. Dr. Holger Hermanns (UdS) Dean of Math and CS Faculty Prof. Dr. Gert Smolka (UdS) Chair of Examination

1.39k views • 107 slides
Fatigue in work matters (a lot) Dr. Robbert Hermanns MFOM IOSH, Bradford 17 May 2019 1

Fatigue in work matters (a lot) Dr. Robbert Hermanns MFOM IOSH, Bradford 17 May 2019 1

Fatigue in work matters (a lot) Dr. Robbert Hermanns MFOM IOSH, Bradford 17 May 2019 1 Introduction My background: Medical University Netherlands chemical industry Specialist in Occupational Medicine Germany (SMEs)

627 views • 47 slides
Trace-based detection of lock contention in MPI one-sided communication Marc-Andr e Hermanns

Trace-based detection of lock contention in MPI one-sided communication Marc-Andr e Hermanns

Trace-based detection of lock contention in MPI one-sided communication Marc-Andr e Hermanns Bernd Mohr Felix Wolf October 4, 2016 Parallel Tools Workshop, Stuttgart Motivation The Message Passing Interface (MPI) standard De-facto

685 views • 31 slides
Continuous-time Markov Decisions based on Partial Exploration Pranav Ashok Technical University

Continuous-time Markov Decisions based on Partial Exploration Pranav Ashok Technical University

Continuous-time Markov Decisions based on Partial Exploration Pranav Ashok Technical University of Munich Highlights 2018, Berlin Joint work with Yuliya Butkova 1 , Holger Hermanns 1 and Jan Kretinsky 2 1 Saarland University, Germany 2 Technical

605 views • 22 slides
EASM 2014 Method This research consists of interviewing three groups that are very familiar

EASM 2014 Method This research consists of interviewing three groups that are very familiar

Quo Vadis Olympia? Are Olympic Games still value driven? Submitting author: Dr Holger Preuss Johannes Gutenberg-University Mainz, Mainz, 55126 Germany All authors: Holger Preuss (corresp), Benoit Seguin, Norbert Schtte, Thomas Knecke,

196 views • 3 slides
Isotropic Ornstein-Uhlenbeck Flows Holger van Bargen (joint work with Georgi Dimitroff) IRTG

Isotropic Ornstein-Uhlenbeck Flows Holger van Bargen (joint work with Georgi Dimitroff) IRTG

Stochastic Flows And Stochastic Differential Equations IBFs and IOUFs Spatial Regularity Isotropic Ornstein-Uhlenbeck Flows Holger van Bargen (joint work with Georgi Dimitroff) IRTG Summer School Disentis Holger van Bargen Isotropic

755 views • 47 slides
Bo osting Neural Net w orks pap er No Holger Sc h w enk LIMSICNRS

Bo osting Neural Net w orks pap er No Holger Sc h w enk LIMSICNRS

Bo osting Neural Net w orks pap er No Holger Sc h w enk LIMSICNRS bat BP Orsa y cedex FRANCE Y osh ua Bengio DIR O Univ ersit y of Mon tr

626 views • 19 slides
DRG und Onkologie Kleingruppenseminar Brustkrebs Dr. Holger Bunzemeier Stabsstelle

DRG und Onkologie Kleingruppenseminar Brustkrebs Dr. Holger Bunzemeier Stabsstelle

DRG und Onkologie Kleingruppenseminar Brustkrebs Dr. Holger Bunzemeier Stabsstelle Medizincontrolling des Universittsklinikums Mnster DRG-Research-Group, Universittsklinikum Mnster Betrachtung des G-DRG-Systems + Klassifikationssystem

312 views • 15 slides
Automated Testing of Debian Packages Holger Levsen debian@layer-acht.org Lucas Nussbaum

Automated Testing of Debian Packages Holger Levsen debian@layer-acht.org Lucas Nussbaum

Introduction Lintian and Linda Rebuilding packages Piuparts Structuring QA Conclusion Automated Testing of Debian Packages Holger Levsen debian@layer-acht.org Lucas Nussbaum lucas@debian.org Holger Levsen and Lucas Nussbaum Automated

1.38k views • 31 slides
Refactoring Kiekers I/O Infrastructure to Improve Scalability and Extensibility Holger Knoche

Refactoring Kiekers I/O Infrastructure to Improve Scalability and Extensibility Holger Knoche

Refactoring Kiekers I/O Infrastructure to Improve Scalability and Extensibility Holger Knoche University of Kiel November 10, 2017 @ SSP Holger Knoche Refactoring Kiekers I/O Infrastructure November 10, 2017 @ SSP 1 / 16 Agenda 1.

182 views • 16 slides
Electoral Accountability and Control in U.S. Cities Holger Sieg University of Pennsylvania and

Electoral Accountability and Control in U.S. Cities Holger Sieg University of Pennsylvania and

Electoral Accountability and Control in U.S. Cities Holger Sieg University of Pennsylvania and NBER Chamna Yoon Korea Advanced Institute of Science and Technology December 12, 2019 Optimal Retention and Dynamic Agency We study the

1.23k views • 37 slides
What Might A Science of Certification Look Like? John Rushby Computer Science Laboratory SRI

What Might A Science of Certification Look Like? John Rushby Computer Science Laboratory SRI

What Might A Science of Certification Look Like? John Rushby Computer Science Laboratory SRI International Menlo Park, California, USA John Rushby, SR I Scientific Certification: 1 Overview Some tutorial introduction Implicit vs.

774 views • 48 slides
Lecture 04 (02.11.2015) Hazard Analysis Christoph Lth Jan Peleska Dieter Hutter

Lecture 04 (02.11.2015) Hazard Analysis Christoph Lth Jan Peleska Dieter Hutter

Systeme hoher Qualitt und Sicherheit Universitt Bremen WS 2015/2016 Lecture 04 (02.11.2015) Hazard Analysis Christoph Lth Jan Peleska Dieter Hutter SSQ, WS 15/16 Where are we? 01: Concepts of Quality 02: Legal Requirements:

634 views • 26 slides
Industrial Automation Automation Industrielle Industrielle Automation Safety analysis and

Industrial Automation Automation Industrielle Industrielle Automation Safety analysis and

Industrial Automation Automation Industrielle Industrielle Automation Safety analysis and standards 9.6 Analyse de scurit et normes Sicherheitsanalyse und Normen Prof Dr. Hubert Kirrmann & Dr. B. Eschermann ABB Research Center,

799 views • 31 slides
RISK AND PLANNING FOR RISK AND PLANNING FOR MISTAKES MISTAKES Christian Kaestner With slides

RISK AND PLANNING FOR RISK AND PLANNING FOR MISTAKES MISTAKES Christian Kaestner With slides

RISK AND PLANNING FOR RISK AND PLANNING FOR MISTAKES MISTAKES Christian Kaestner With slides adopted from Eunsuk Kang Required reading: Hulten, Geoff. "Building Intelligent Systems: A Guide to Machine Learning Engineering."

1.27k views • 84 slides
Plan for Quality to Improve Patient Safety at the POC SHARON S. EHRMEYER, PH.D., MT(ASCP)

Plan for Quality to Improve Patient Safety at the POC SHARON S. EHRMEYER, PH.D., MT(ASCP)

Plan for Quality to Improve Patient Safety at the POC SHARON S. EHRMEYER, PH.D., MT(ASCP) PROFESSOR, DEPARTMENT OF PATHOLOGY AND LABORATORY MEDICINE SCHOOL OF MEDICINE AND PUBLIC HEALTH MADISON, WI = Quality Meeting the requirements or needs

834 views • 55 slides
efficient dependability analysis Fumio Machida University of Tsukuba April 8, 2019 In the 2nd

efficient dependability analysis Fumio Machida University of Tsukuba April 8, 2019 In the 2nd

Practices in model component reuse for efficient dependability analysis Fumio Machida University of Tsukuba April 8, 2019 In the 2nd Workshop on Education and Practice of Performance Engineering Outline Dependability analysis in practice

515 views • 26 slides
Structuring and potentially formalising (Assurance) Case Arguments Tim Kelly

Structuring and potentially formalising (Assurance) Case Arguments Tim Kelly

Structuring and potentially formalising (Assurance) Case Arguments Tim Kelly tim.kelly@york.ac.uk Overview Safety Cases and Safety Arguments Structured (but Informal) Arguments Considerations in Formalisation Structured

586 views • 27 slides
Exam Monday, July 26, 2010, 10-12 90 Minutes Same room: 01.11.018 Please be

Exam Monday, July 26, 2010, 10-12 90 Minutes Same room: 01.11.018 Please be

Exam Monday, July 26, 2010, 10-12 90 Minutes Same room: 01.11.018 Please be about 10 minutes early! Open book We try to be quick and give you access to your exams about a week later. Please check the web site for

633 views • 24 slides

More recommend