Checking Fault Tolerance in Safety and Security-Critical Systems

Slides: 11

Aim: To Predict the Effects of Component Failures

The problem: component faults (in the controller, the sensor or the button) can lead to a safety / security violation.
The solution: model checking, used to identify unsafe behaviour automatically, i.e. automatic Failure Modes and Effects Analysis (FMEA).

Step 1: Identify the Safety/Security Requirements

(Workflow diagram, repeated on the following slides: Safety and Security Requirements are turned into Formalised Temporal Logic Formulae; the System Model is combined with the Component Fault Modes into a System Model with Injected Component Fault Modes; Automatic Model Checking then yields either verification that the injected component faults do not lead to unsafe behaviour, or identified unsafe behaviours.)

Identified unsafe behaviours:
Th 1: Uncommanded closing: the plunger should not start falling without the operator pressing the button.
Th 2: Motor on below PONR: the motor should not turn on when the plunger is falling below the PONR (point of no return).
Th 3: Loss of abort: if the plunger is falling above the PONR and the operator releases the button, the motor should turn on.
Th 4: Plunger falling before reaching the top: the motor should not turn off unless the plunger is at the top.

Step 2: Formalise the Safety/Security Requirements

Each identified unsafe behaviour becomes a temporal logic theorem over the system model (G = always, F = eventually, U = until):

Th 1: Uncommanded closing: the plunger should not start falling without the operator pressing the button.
th 1: THEOREM behavior |- G((plunger=plunger_at_top AND operator=operator_released_button) => (electric_Motor=electric_Motor_on));

Th 2: Motor on below PONR: the motor should not turn on when the plunger is falling below the PONR.
th 2: THEOREM behavior |- G((plunger=plunger_falling_fast) => (electric_Motor=electric_Motor_off));

Th 3: Loss of abort: if the plunger is falling above the PONR and the operator releases the button, the motor should turn on.
th 3: THEOREM behavior |- G(F(plunger=plunger_falling_fast)) => G((plunger=plunger_falling_slow AND operator=operator_released_button) => U(plunger=plunger_falling_slow, electric_Motor=electric_Motor_on));

Th 4: Plunger falling before reaching the top: the motor should not turn off unless the plunger is at the top.
th 4: THEOREM behavior |- G(NOT((plunger=plunger_rising_below_PONR OR plunger=plunger_rising_above_PONR) AND (electric_Motor=electric_Motor_off)));

Step 3: Model the System Behaviour

(Workflow diagram as on the Step 1 slide; this step produces the System Model.)

Step 4: Model the Component Fault

(Workflow diagram as on the Step 1 slide; this step produces the Component Fault Modes.)

Fault injection is automatic

(Workflow diagram as on the Step 1 slide; the Component Fault Modes are injected into the System Model, giving the System Model with Injected Component Fault Modes.)

The Tool checks whether the Safety Requirement is met

(Workflow diagram as on the Step 1 slide; Automatic Model Checking of the Formalised Temporal Logic Formulae against the System Model with Injected Component Fault Modes ends either in verification that the injected component faults do not lead to unsafe behaviour, or in identified unsafe behaviours.)

Example Violation of Safety Requirement

Faulty sensor: the motor is turned on while the plunger is falling past the point of no return (a violation of Th 2).
Result: the motor may explode; the operator is in danger.

The Tool identifies an Unsafe Behaviour

(Workflow diagram as on the Step 1 slide; the model checker reports an identified unsafe behaviour: "Hazard has occurred".)
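The slides describe the tool flow (formalise the requirements, model the system, model the component fault modes, inject them, model check) without showing the model itself. The script below is an added example, not code from the slides or from the tool they describe: a small explicit-state checker in Python that reproduces the workflow on a constructed press model and reports, per fault mode and per theorem, the shortest counterexample trace, which is what "automatic FMEA" amounts to for invariant-style requirements. The state names are the slides' (plunger_at_top, plunger_falling_fast, electric_Motor_on, ...); the plant transitions, the controller law, the extra states plunger_at_bottom and operator_pressed_button, and the two sensor fault modes are assumptions made for this example. Only th1, th2 and th4 are checked, since they are invariants reachable by state-space search; th3 contains F and U and would need a liveness check that this script does not implement.

```python
"""Explicit-state checker for the press (plunger / motor) example.

Constructed toy model: names follow the slides, but the transition relation,
controller logic, fault modes and the at_bottom / pressed_button states are
assumptions made for this example. Invariant theorems only (th1, th2, th4).
"""
from collections import deque

AT_TOP, FALLING_SLOW, FALLING_FAST = "plunger_at_top", "plunger_falling_slow", "plunger_falling_fast"
AT_BOTTOM = "plunger_at_bottom"                       # assumed extra state
RISING_BELOW, RISING_ABOVE = "plunger_rising_below_PONR", "plunger_rising_above_PONR"
PRESSED, RELEASED = "operator_pressed_button", "operator_released_button"
ON, OFF = "electric_Motor_on", "electric_Motor_off"


def physics(plunger, motor):
    """Assumed plant: the motor holds or raises the plunger, gravity takes it down."""
    table = {                       # (next if motor on, next if motor off)
        AT_TOP:       (AT_TOP,       FALLING_SLOW),
        FALLING_SLOW: (RISING_ABOVE, FALLING_FAST),   # abort still possible above PONR
        FALLING_FAST: (AT_BOTTOM,    AT_BOTTOM),      # below PONR nothing stops the fall
        AT_BOTTOM:    (RISING_BELOW, AT_BOTTOM),
        RISING_BELOW: (RISING_ABOVE, FALLING_FAST),
        RISING_ABOVE: (AT_TOP,       FALLING_SLOW),
    }
    on, off = table[plunger]
    return on if motor == ON else off


def controller(sensed, operator):
    """Assumed control law, written to satisfy th1/th2/th4 when the sensor is correct."""
    if sensed == AT_TOP:
        return OFF if operator == PRESSED else ON    # pressing starts the stroke
    if sensed == FALLING_SLOW:
        return ON if operator == RELEASED else OFF   # releasing aborts above PONR
    if sensed == FALLING_FAST:
        return OFF                                   # th2: never drive a fast fall
    return ON                                        # at bottom or rising: drive up


# Component fault modes: how the sensor reading relates to the true position.
FAULT_MODES = {
    "none": lambda p: p,
    "sensor_stuck_at_top": lambda p: AT_TOP,
    "sensor_stuck_at_bottom": lambda p: AT_BOTTOM,
}

# The slides' invariant theorems as predicates over (plunger, operator, motor).
THEOREMS = {
    "th1": lambda p, o, m: not (p == AT_TOP and o == RELEASED) or m == ON,
    "th2": lambda p, o, m: p != FALLING_FAST or m == OFF,
    "th4": lambda p, o, m: not (p in (RISING_BELOW, RISING_ABOVE) and m == OFF),
}


def successors(state, sense):
    """One step: plant moves, operator acts freely, controller reads the (possibly faulty) sensor."""
    plunger, _operator, motor = state
    nxt = physics(plunger, motor)
    for operator in (PRESSED, RELEASED):
        yield (nxt, operator, controller(sense(nxt), operator))


def check(fault_mode):
    """BFS over the composed system; returns {theorem: shortest counterexample trace or None}."""
    sense = FAULT_MODES[fault_mode]
    init = [(AT_TOP, o, controller(sense(AT_TOP), o)) for o in (PRESSED, RELEASED)]
    parent = {s: None for s in init}                 # visited set + predecessor links
    queue = deque(init)
    result = {name: None for name in THEOREMS}
    while queue:
        state = queue.popleft()
        for name, holds in THEOREMS.items():
            if result[name] is None and not holds(*state):
                trace, s = [], state
                while s is not None:
                    trace.append(s)
                    s = parent[s]
                result[name] = trace[::-1]            # BFS order gives the shortest trace
        for nxt in successors(state, sense):
            if nxt not in parent:
                parent[nxt] = state
                queue.append(nxt)
    return result


def fmea():
    """Automatic FMEA: every fault mode checked against every theorem."""
    return {fm: check(fm) for fm in FAULT_MODES}


if __name__ == "__main__":
    for fm, res in fmea().items():
        for th, trace in res.items():
            shown = "OK" if trace is None else " -> ".join(f"({p}, {o}, {m})" for p, o, m in trace)
            print(f"{fm:24s} {th}: {shown}")
```

With the correct sensor all three theorems hold on every reachable state. A sensor stuck at "at top" reproduces the slides' example violation: the operator presses, the plunger falls past the PONR, the operator releases, and the controller, still believing the plunger is at the top, turns the motor on during the fast fall (th2), and in a sibling branch turns it off while the plunger is rising (th4). A sensor stuck at "at bottom" keeps the motor on and the plunger held at the top, so that fault mode is fail-safe for these invariants, which is exactly the kind of distinction an automatic FMEA is meant to draw.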

In summary: Predicting Effects of Component Failures

• Identify the impact of component faults
• Identify the paths leading to unsafe behaviour
• Automates Failure Mode and Effect Analysis (FMEA)