NASA OSMA SAS 02 Software Fault Tree Analysis

  • Slides: 14
NASA OSMA SAS '02
Software Fault Tree Analysis

Dolores R. Wallace
SRS Information Services
Software Assurance Technology Center
http://satc.gsfc.nasa.gov/
dwallac@pop300.gsfc.nasa.gov

Dr. Massood Towhidnejad
Embry-Riddle University
towhid@erau.edu

The Premise
• FTA applies to software (SFTA)¹
• SFTA uses the same tools as FTA
• SFTA can apply FTA algorithms, computing risk based on probability

¹ Several researchers have explored SFTA to some extent, e.g., Leveson, Lutz, Dugan, Heimdahl

Tasks
• Understand the methodology, including symbology
• Develop tool evaluation criteria
• Identify commercial tools
• Get demonstration copies
• Apply tools to software

FTA Methodology
• Hierarchical, graphical representation of events
• Notation to represent Boolean expressions recording the relationships between states/events
• Qualitative: identification of design weaknesses, e.g., single points of failure and safety-critical failure combinations
• Quantitative: each event's probability of occurrence, used to identify the paths most likely to occur
• Starting point (top of tree): a system failure or hazard
• Backward progression identifying the parallel and sequential combinations of events that cause the top event to occur

Probability Issue
• Hardware
  – Large collections of historic data
  – Classification of failure types
  – Degradation
• Software
  – Limited availability of software failure data
  – Classification of cause more relevant
  – Degradation not the same for software
  – Probability values not available, though the subject of research efforts

FTA Symbology
Events: basic, conditioning, undeveloped, external, intermediate
Gates: AND, OR, exclusive OR, priority AND, inhibit
Transfers: out, in

Tool Evaluation Criteria Categories
• User Interface
• Functionality
• Output
• SFTA Model
• Security
• Operational Issues
• Adaptability
***
• Cost of Tool (consider functionality not usable by SFTA)
• Return on Investment

Commercial Tools
• Approximately 33
• Most embody two or more analyses (e.g., FMEA)
• All compute risk with algorithms applying values of probability of failure
• Many claim adaptability for SFTA
• Two claimed specific use for SFTA, but …
Lack of specific SFTA tools caused our redirection!

New Focus: Life Cycle Approach
• Requirements
  – Identify weaknesses and modify or eliminate them
  – Identify those with a direct impact on the safety of the system
• Design
  – Apply to the design, which is smaller than the related code
  – Identify the components/modules and subcomponents with a direct impact on the safety of the system
• Code
  – Apply only to those subcomponents already identified as having a direct impact on the safety of the system

Application of SFTA to Software Design
• The Challenge
  – Focus SFTA on OODs (object-oriented designs)
  – Develop a relationship between OOD charts and diagrams and the symbology of FTA
• Initial Issues
  – Attempt to fit the activity diagram to a general template
  – Recognize loops as a feature of activity diagrams
  – Allow for the concurrency found in many real-time systems
  – Applied a commercial tool; it identified the probable cause of failure successfully in each case
• Next Steps
  – Generate fault trees directly from several activity diagrams

Activity Diagram (drink vending machine)
Insert coins into machine → Check enough money is inserted → Show drink menu → Choose drink
Decision after "Choose drink": Drink available → Deliver drink; Drink not available → alternate branch

Software Fault Tree

Resulting Fault Tree Analysis
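The two kinds of output the methodology slide promises (qualitative: minimal cut sets and single points of failure; quantitative: ranking the paths most likely to occur and a top-event probability), worked on the vending-machine activity diagram, as an added example. This is not code from the slides or from any of the commercial tools surveyed. The fault tree itself, the event names and every probability are constructed assumptions (the fault tree slides are images that name no events), and the helpers are generic for any AND/OR tree:

```python
"""Software fault tree analysis (SFTA) helpers: minimal cut sets and top-event
probability for a small AND/OR tree.

Added example, not code from the slides or from any of the commercial tools
they surveyed.  The drink-machine tree and all probabilities below are
constructed assumptions for illustration.
"""
from dataclasses import dataclass
from itertools import product
from typing import Dict, FrozenSet, List, Set, Tuple, Union


@dataclass(frozen=True)
class Basic:
    """Basic event (leaf): a failure the analysis does not decompose further."""
    name: str
    description: str = ""


@dataclass
class Gate:
    """Intermediate event produced by an AND or OR gate over its inputs."""
    kind: str                # "AND" or "OR"
    description: str
    inputs: List["Node"]

    def __post_init__(self) -> None:
        if self.kind not in ("AND", "OR"):
            raise ValueError(f"unsupported gate kind: {self.kind}")


Node = Union[Basic, Gate]


def _product(values) -> float:
    result = 1.0
    for v in values:
        result *= v
    return result


def evaluate(node: Node, failed: Set[str]) -> bool:
    """Boolean semantics of the tree: does `node` occur when exactly the basic
    events in `failed` have occurred?"""
    if isinstance(node, Basic):
        return node.name in failed
    results = [evaluate(child, failed) for child in node.inputs]
    return all(results) if node.kind == "AND" else any(results)


def basic_events(node: Node) -> Set[str]:
    if isinstance(node, Basic):
        return {node.name}
    return set().union(*(basic_events(child) for child in node.inputs))


def minimal_cut_sets(node: Node) -> Set[FrozenSet[str]]:
    """Qualitative result: every minimal combination of basic events that forces
    the top event (OR gate = union of inputs' cut sets, AND gate = cross product)."""
    if isinstance(node, Basic):
        return {frozenset([node.name])}
    child_cuts = [minimal_cut_sets(child) for child in node.inputs]
    if node.kind == "OR":
        cuts = set().union(*child_cuts)
    else:
        cuts = {frozenset().union(*combo) for combo in product(*child_cuts)}
    # Drop any cut set that strictly contains another one: it is not minimal.
    return {c for c in cuts if not any(other < c for other in cuts)}


def single_points_of_failure(node: Node) -> Set[str]:
    """Cut sets of size one: a single basic event alone causes the top event."""
    return {next(iter(c)) for c in minimal_cut_sets(node) if len(c) == 1}


def rank_cut_sets(node: Node, probs: Dict[str, float]) -> List[Tuple[FrozenSet[str], float]]:
    """Quantitative result: cut sets ordered by probability (independent basic
    events), i.e. the failure paths most likely to occur."""
    ranked = [(c, _product(probs[e] for e in c)) for c in minimal_cut_sets(node)]
    return sorted(ranked, key=lambda item: item[1], reverse=True)


def rare_event_approximation(node: Node, probs: Dict[str, float]) -> float:
    """Sum of cut-set probabilities: the usual tool output, an upper bound on the
    exact value that is tight only when every probability is small."""
    return sum(p for _, p in rank_cut_sets(node, probs))


def exact_top_probability(node: Node, probs: Dict[str, float]) -> float:
    """Exact P(top) for independent basic events by enumerating all 2^n states;
    fine for the small trees one design fragment produces."""
    names = sorted(basic_events(node))
    total = 0.0
    for bits in product((False, True), repeat=len(names)):
        failed = {n for n, b in zip(names, bits) if b}
        if evaluate(node, failed):
            total += _product(probs[n] if b else 1.0 - probs[n] for n, b in zip(names, bits))
    return total


# Constructed fault tree for the activity diagram's vending machine (assumption:
# the slides' tree is an image that names no events).  Top event: a customer
# who paid gets no drink.
DRINK_MACHINE = Gate("OR", "Paying customer receives no drink", [
    Basic("dispense_not_invoked", "Deliver-drink routine never called after selection"),
    Gate("AND", "Empty slot offered as available", [
        Basic("slot_empty", "Selected slot holds no drink"),
        Basic("stale_inventory", "Availability flag not updated after previous vend"),
    ]),
    Gate("AND", "Sufficient payment rejected", [
        Basic("coin_undercount", "Coin counter undercounts an inserted coin"),
        Basic("exact_change", "Customer inserts exactly the price, no margin"),
    ]),
])

# Illustrative probabilities only: the slides note that software failure
# probabilities are generally not available, so treat these as inputs to be
# validated, not as facts.
ASSUMED_PROBS = {
    "dispense_not_invoked": 1e-4, "slot_empty": 0.05, "stale_inventory": 1e-3,
    "coin_undercount": 1e-3, "exact_change": 0.3,
}

if __name__ == "__main__":
    for cut, p in rank_cut_sets(DRINK_MACHINE, ASSUMED_PROBS):
        print(f"{p:.2e}  {sorted(cut)}")
    print("single points of failure:", single_points_of_failure(DRINK_MACHINE))
    print("rare-event approx:", rare_event_approximation(DRINK_MACHINE, ASSUMED_PROBS))
    print("exact:", exact_top_probability(DRINK_MACHINE, ASSUMED_PROBS))
```

The cut sets and the single point of failure (`dispense_not_invoked`) follow from the tree's structure alone, so that part of the result survives the probability problem the slides raise. The ranking and the top-event figure change with every assumed number, which is why a tool that computes them for software should be read as "given these inputs"; the gap between the rare-event sum and the exact value also grows as soon as an input (here `exact_change`) is not small.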

FUTURE
• Identify the general features of activity, state, and sequence diagrams as related to FTA symbology
• Apply this approach to real, larger designs
• Have a commercial tool vendor work with us to build the interface between these OOD types and the FTA symbology
Hoped-for result: a practical means of applying FTA to software across the life cycle!