Principles of AltaRica Language and tools for system safety - - PowerPoint PPT Presentation

principles of altarica language and tools for system
SMART_READER_LITE
LIVE PREVIEW

Principles of AltaRica Language and tools for system safety - - PowerPoint PPT Presentation

Oct 01, 2023 268 likes •529 views

Principles of AltaRica Language and tools for system safety assessment January 2016 Pierre.Bieber@onera.fr, Christel.Seguin@onera.fr Outline System Safety Assessment AltaRica Basics AltaRica Data Flow Language Fault tree

slide-1
SLIDE 1

Principles of AltaRica Language and tools for system safety assessment

January 2016 Pierre.Bieber@onera.fr, Christel.Seguin@onera.fr

slide-2
SLIDE 2

Outline

  • System Safety Assessment
  • AltaRica Basics
  • AltaRica Data Flow Language
  • Fault tree generation
  • DAL Allocation
slide-3
SLIDE 3

System safety analysis and limits of current approaches

slide-4
SLIDE 4

Hydraulic System

  • Safety architecture: 3 independent lines
  • About 20 components of 8 classes: reservoir, pumps, pipes, valves

eng2 EDPy EMPy EMPb elec1 RAT Pdistg eng1 EDPg PVg NPdistg PVy PVb NPisty NPdistb Pdisty PTU Pdistb elec2 rsvg rsvy rsvb green yellow blue Engine Driven Pump Priority distribution Non-Priority distribution Priority Valve Power Transfer Unit Reservoir Engine #1 From electrical system side #1 Electrical Motor Pump Ram Air Turbine

slide-5
SLIDE 5

ARP 4754 Safety Assessment Process

Aircraft Level requirements Allocation of aircraft Functions to systems Development of system architecture Allocation of requirements to hardware and software

System implementation

Certification System Development Process Safety Assessment Process

Aircraft Functions System Functions Failure Condition, Effects, Classification, Safety Objectives

Failure Condition, Effects, Classification, Safety

System Architecture Item Requirements

Aircraft Level FHA System Level FHA Sections

PSSAs

Architectural Requirements

CCAs

Functional Interactions Failure Conditions & Effects Separation Requirement

SSAs

Implementation Results Separation Verification Item Requirements Safety Objectives, Analyses Required Physical System

Objectives

Aircraft Safety Synthesis

FHA: Functional Hazard Analysis PSSA: Preliminary System Safety Assessment CCA: Common Cause Analysis

slide-6
SLIDE 6
  • Failure mode and effect analysis (FMEA)

– Model: from a local failure to its system effects / natural languages

  • Fault tree analysis (FTA)

–Model: from a system failure

to its root causes / boolean formulae

–Computation: minimal cut sets /

probability of occurrence of top event

Classical failure propagation models and safety assessment techniques (cf ARP 4761)

Functional FMEA template FT unannunciated loss of wheel braking

slide-7
SLIDE 7

Drawbacks of the classical Safety Assessment Approaches

  • Fault Tree, FMEA

Give failure propagation paths without referring explicitly to a commonly agreed system architecture / nominal behavior => – Misunderstanding between safety analysts and designers – Potential discrepancies between working hypothesis

  • Manual exhaustive consideration of all failure propagations become

more and more difficult, due to:

increased interconnection between systems,

integration of multiple functions in a same equipment

dynamic system reconfiguration

slide-8
SLIDE 8

Model based safety assessment rationales

  • Goals

Propose formal failure propagation models closer to design models

Develop tools to

  • Assist model construction
  • Analyze automatically complex models

For various purposes

  • FTA, FMEA, Common Cause Analysis, Human Error Analysis, …
  • since the earlier phases of the system development
  • Approaches

Extend design models (Simulink,

SysML, AADL...) with failure modes Build dedicated failure propagation models (Figaro, AltaRica, Slim...)

slide-9
SLIDE 9

Basics of AltaRica dataflow language

slide-10
SLIDE 10

AltaRica language at a glance

  • Language designed in late 90's at University of Bordeaux
  • for modelling both combinatorial and dynamic aspects of failure propagation
  • in a hierarchical and modular way
  • formally.
  • Typical content of a basic AltaRica node

Input flows Output flows fault occurrence event Transitions Assertion

  • utput = f (inputs, states)

nominal state error state nominal event

slide-11
SLIDE 11

A leading example: the basic reliability block

  • Let be a basic system component Block that
  • receives
  • one Boolean input I,
  • an activation signal A and
  • a resource signal R.
  • produces
  • a Boolean output O
  • Block performs nominally the following transfer law
  • O is true iff I, A and R are true.
  • Block may fail.
  • In this case, the output O is false.
  • Initially, the block performs the nominal function

Block I fail A O R

Component interfaces Component name 2 internal states:

  • 1 ok
  • 1 not ok

Failure mode definition Nominal mode definition

slide-12
SLIDE 12

AltaRica basic block

node Block flow O:Bool:out; I, A, R :Bool: in; state

  • k: Bool;

event fail; init

  • k:= true;

trans

  • k |- fail -> ok := false;

assert O = (I and A and R and ok); edon

Ok=true Ok=false Block.fail O= (I and A and R and Ok); O A R I Component interfaces Component internal states Transitions: Automata part Assertion: Combinatorial part

From concepts to a concrete syntax:

Observable event

slide-13
SLIDE 13

AltaRica semantics

From AltaRica code to mode automata

Ok=true Ok=false Block.fail O= (I and A and R and Ok); O A R I

  • k=true

O=(I and A and R)

  • k=false

O=false fail

slide-14
SLIDE 14

Internal operations on mode automata

  • Interconnection : mapping an input of an automaton with an output of

another automaton

  • preserves all states, variables, transitions, assertions
  • Introduces new assertions: Block2.I = Block1.O for all pairs of connected

interfaces

  • interleaving parallelism (only one transition at a time)
  • ! allowed only if variables are not circularly defined
  • Ex:

block1.ok=block2.ok=true block1.O=block2.I= (block1.I and block1.A and block1.R) block2.O=(block2.I and block2.A and block2.R) block1.ok=false, block2.ok=true block1.O=block2.I=false block2.O=false fail1 fail1 block1.ok=true, block2.ok=false block1.O=block2.I= (block1.I and block1.A and block1.R) block2.O=false block1.ok=block2.ok=false block1.O=block2.I=false block2.O=false fail2 fail2

Block 1 Block 2

slide-15
SLIDE 15

AltaRica Model of the Hydraulic System

slide-16
SLIDE 16

Safety assessment tools

slide-17
SLIDE 17

Formal Requirement Modeling

Example of safety requirement

  • Requirement : "Total loss of hydraulic power is classified Catastrophic, the

probability rate of this failure condition shall be less than 10-9 /FH. No single event shall lead to this failure condition " (SSA ATA29)

  • Extended qualitative requirements could be added to reveal architecture

design concerns:

“if up to N individual failures occur then failure condition FC should not occur”, with N= 0, 1, 2 if FC is Minor, Major or Hazardous, Catastrophic.

Observer nodes are added into the model to detect requirement violation

slide-18
SLIDE 18

Fault-Tree generation

  • A pair (output variable, target value) is selected
  • A Fault Tree of faults leading to this situation is generated
  • The fault tree can be exported to other tools (e.g. Arbor,...) to

compute of minimal cut sets

slide-19
SLIDE 19

Principles of Fault-Tree computation

  • To compute a fault-tree for a

Failure Condition (FC) from an AltaRica Model:

1.

Generate the model automaton

2.

Select states where the FC holds

3.

Compute event paths that leads from the initial state to the selected states

19

init s1 s2 s3 s4 f1 f2 f3 f4 f5 FC State=s3 State=s4 Path_to_s3_by_s1 Path_to_s3_by_s2 Path_to_s4_by_s2 f1 f3 f2 f4 f2 f5

slide-20
SLIDE 20

Verification of Qualitative Requirements

  • Generate Minimal cut sets from the Fault Tree
  • Loss of Green Hydraulic : {{distg.fail}, {rsvg.fail}, {empg.fail, edpg.fail},

{empg.fail, eng1.fail}, {elec.fail, edpg.fail}, {elec.fail, eng1.fail}}

  • The size of minimal cut sets for a FC in Sev should be greater or

equal to NSev. Size Safety Results

f1 f2 f0 f6 f1 f4 f5 f3 f4 f5

NSev

unacceptable

Sev MIN MAJ HAZ CAT NSev 1 2 2 3

slide-21
SLIDE 21

! Classes of model

  • Static/Dynamic Model
  • Static Model: the order of the events in the sequence as no

influence on the current configuration

  • Dynamic Model : the last property is not verified => use sequence

generation rather than fault tree generation

  • k, idle
  • k, started
  • k,idle

go fail lost, started

  • k, started

go fail

slide-22
SLIDE 22

DAL

slide-23
SLIDE 23

Development Assurance Level

  • DAL
  • DAL ranges from E to A
  • The DAL is the level of rigor of development assurance tasks

performed on functions and items (software, hardware)

  • DAL allocation
  • DAL of a function depends on the severity of the most severe

Failure Condition that this function fault contributes to.

  • A Qualitative analysis of the Minimal Cut Sets of the system

has to be performed

slide-24
SLIDE 24

f1 f2 f3 f1 f2 f3 f1 f2 f3

DAL Allocation

Sev(FC)=HAZ DAL(FC) =B

CAT HAZ MAJ MIN A B C D Sev DAL f1 f2 f3

No independence

f1 f2 f3

Independence + Option 1

f1 f2 f3

Independence + Option 2

  • Basic Allocation rule
  • If f1 appears in a MCS for of FC with severity HAZ

then the DAL of f1 is B

  • DAL downgrading rules
  • If f1 appears in a MCS in combination with f2 and f3 then the DAL of f1 could

be downgraded if there is independence between f1, f2 and f3.

slide-25
SLIDE 25

AltaRica Tools available

  • Cecilia OCAS from Dassault Aviation
  • Used for the first time for certification of flight control system of Falcon 7X in

2004

  • Tested by contributors of ARP 4761 (cf MBSA appendix)
  • AltaRica free suite from Labri
  • compatible with data flow restriction, http://altarica.labri.fr/wp/
  • Other tools
  • Safety Designer from Dassault System, Simfia from APSYS Airbus group,

RAMSES from Airbus, AltaRica 3.0 (under development at IRT Systemix)

  • And plugins to independent tools
  • NU-SMV (FBK Trento), MOCA-RP (Satodev Bordeaux), Arc (LaBri

Bordeaux), EPOCH (ONERA)….

  • DAL allocation
  • DALculator (ONERA)