Dynamic Fault Tree analysis using Input/Output Interactive Markov Chains. Hichem Boudali, Pepijn Crouzen, and Mariëlle Stoelinga. Formal Methods and Tools group, CS, University of Twente, NL.
Motivation (and setting) • Systems do fail (Reliability Engineering). • Goal: reduce the system failure probability. • Methodology: identify and analyze failure modes and their effects. • Example methodology: Dynamic Fault Trees (DFT). • But: DFTs have drawbacks.
Outline • Dynamic fault trees (DFT). • Definition, Example, Solution, Drawbacks. • Input/Output interactive Markov chains (I/O-IMC). • DFT semantics in terms of I/O-IMCs. • DFT compositional analysis. • Translation, || Composition, Abstraction, Aggregation. • Case studies. • Summary.
Dynamic Fault Trees (DFT) • Extend standard fault trees with dynamic gates. • Enable modelling of complex behaviours and interactions between components: both the combination and the order of failures matter. • Unreliability = Prob[System fails within T time units].
(Dynamic) Fault trees • Upside-down tree (graph). • Leaves: basic events (BE). • Nodes: gates (complex events). • BEs + gates: elements. • Arrows: causal relations. • One top node, the “root”, models system failure. • Failure propagation: from the leaves to the root.
DFTs: Basic events (BE) • A BE maps to a basic physical component and carries a failure rate. • Temperature of a BE (hot, warm or cold): relevant when the BE is used as a spare, because it determines whether, and at which rate, the spare can fail while it is not in use.
DFT solution • Convert the DFT into a continuous-time Markov chain (CTMC). • Analyze the CTMC using standard solution techniques. • Unreliability = Prob[being in the system-failed state at time T]. • For (partially) static DFTs, binary decision diagrams can be used instead. Example (AND gate over BEs A and B, failure rates 0.2 f/h and 0.4 f/h): starting state (A operational, B operational); A fails at rate 0.2 into (A failed, B operational) or B fails at rate 0.4 into (A operational, B failed); from either state the surviving component fails at its own rate into (A failed, B failed), in which the AND gate, and so the system, has failed. For a single BE: Pr(A fails within T hours) = 1 − e^(−0.2·T); A’s mean time to failure = 1/0.2 = 5 hours.
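The AND-gate CTMC of this slide, solved numerically as an added example (this code is not from the paper or its tool). It builds the four-state generator with the slide's rates (A: 0.2 f/h, B: 0.4 f/h), computes Prob[system failed within T hours] by uniformisation, and cross-checks the result against the closed form that holds because A and B fail independently. The state numbering and the function names are this example's own.

```python
"""Added example (not from the paper): Prob[system failed within T hours] for the
AND-gate CTMC of the 'DFT solution' slide, solved by uniformisation in pure Python.

States: 0 = A and B operational, 1 = A failed, 2 = B failed, 3 = both failed (the
AND gate has failed). Rates are the slide's: A fails at 0.2 f/h, B at 0.4 f/h."""
import math

RATE_A, RATE_B = 0.2, 0.4
FAILED = 3


def and_gate_generator(rate_a=RATE_A, rate_b=RATE_B):
    """Generator matrix Q of the 4-state CTMC; Q[i][i] = -(sum of rates leaving i)."""
    q = [[0.0] * 4 for _ in range(4)]

    def add(src, dst, rate):
        q[src][dst] += rate
        q[src][src] -= rate

    add(0, 1, rate_a)  # A fails first
    add(0, 2, rate_b)  # B fails first
    add(1, 3, rate_b)  # B fails after A: both failed
    add(2, 3, rate_a)  # A fails after B: both failed
    return q


def transient(q, pi0, t, eps=1e-12):
    """Uniformisation (Jensen's method): pi(t) = sum_k Poisson(k; L*t) * pi0 * P^k,
    where L is the largest exit rate and P = I + Q/L is the uniformised DTMC.
    The series is truncated once the Poisson mass reaches 1 - eps. Caveat: for
    L*t of several hundred, exp(-L*t) underflows and the weights must start later."""
    n = len(q)
    lam = max(-q[i][i] for i in range(n))
    if lam == 0.0:
        return list(pi0)
    p = [[q[i][j] / lam + (1.0 if i == j else 0.0) for j in range(n)] for i in range(n)]
    v, result, weight, mass = list(pi0), [0.0] * n, math.exp(-lam * t), 0.0
    for k in range(1, 100_000):
        result = [acc + weight * x for acc, x in zip(result, v)]
        mass += weight
        if 1.0 - mass < eps:
            break
        weight *= lam * t / k  # Poisson(k; L*t) from Poisson(k-1; L*t)
        v = [sum(v[i] * p[i][j] for i in range(n)) for j in range(n)]  # pi0 * P^k
    return result


def unreliability(t, rate_a=RATE_A, rate_b=RATE_B):
    """Prob[AND gate has failed by time t], from the CTMC (start: both operational)."""
    return transient(and_gate_generator(rate_a, rate_b), [1.0, 0.0, 0.0, 0.0], t)[FAILED]


def unreliability_closed_form(t, rate_a=RATE_A, rate_b=RATE_B):
    """Cross-check: A and B fail independently, so Prob[both failed by t] is a product."""
    return (1.0 - math.exp(-rate_a * t)) * (1.0 - math.exp(-rate_b * t))


def mean_time_to_failure(rate):
    """Exponentially distributed BE: MTTF = 1/rate, e.g. 1/0.2 = 5 h for A."""
    return 1.0 / rate


if __name__ == "__main__":
    for hours in (1.0, 5.0, 10.0):
        print(f"T = {hours:4.1f} h: CTMC {unreliability(hours):.6f}, "
              f"closed form {unreliability_closed_form(hours):.6f}")
```

The closed form is only available because the AND gate's two inputs are independent BEs; for dynamic gates (PAND, spare) the order of failures matters and the CTMC solver is what remains, which is why the rest of the deck focuses on how that CTMC is obtained.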
DFT example (road trip) • The road trip fails if the mobile phone fails BEFORE the car fails. • The spare tire is cold: it cannot fail when not in use. • Although the DFT consists of distinct modules, the CTMC is generated in one shot, which leads to state-space explosion: one of the drawbacks.
DFT drawbacks • State-space explosion. • No formal syntax and semantics. • Lack of modularity: dynamic modules (e.g. the ‘Tires’ subsystem in the example) cannot be reused. • Restrictions on certain inputs to gates (e.g. the spare gate). • The DFT-to-MC conversion algorithm (the DIFTree algorithm) is hard to extend and/or modify. Remedies proposed here: compositional aggregation; DAG; I/O-IMC; compositionality; lifting the restrictions; extension at the element level.
Input/Output Interactive Markov Chains (I/O-IMC) • Combination of I/O automata and CTMC. • Discrete state space. • Markovian transitions (delay with rate λ) and interactive transitions (immediate). • Action signature: ? input actions, ! output actions, ; internal actions. • Input-enabled. [Figure: a BE as an I/O-IMC, a Markovian transition with rate λ followed by the immediate output failed!.]
DFT semantics (DFT element to I/O-IMC) [Figure: I/O-IMC of an AND gate C with inputs f(A)? and f(B)? and output f(C)!. Self-loops on f(A)? and f(B)? keep the model input-enabled in every state; f(C)! is emitted only once both f(A)? and f(B)? have been received, in either order.]
Compositional Analysis: Translation [Figure: the DFT C = AND(A, B) translated element by element into I/O-IMCs: C with inputs f(A)? and f(B)? and output f(C)!; BE A with a Markovian transition of rate 0.2 followed by the output f(A)!; BE B with a Markovian transition of rate 0.4 followed by the output f(B)!.]
Compositional Analysis: Parallel Composition [Figure: the AND gate C (states 1–5; inputs f(A)? and f(B)?; output f(C)!) composed with BE A (states 1–3; inputs none; output f(A)!). C||A synchronizes on f(A): A's output f(A)! and C's input f(A)? are taken in one joint step, while C's input f(B)?, C's output f(C)! and A's Markovian transition of rate 0.2 are interleaved. Reachable composed states: 1||1, 1||2, 2||3, 3||1, 3||2, 4||3, 5||3; among the transitions: 1||1 → (0.2) → 1||2 → (f(A)!) → 2||3 → (f(B)?) → 4||3 → (f(C)!) → 5||3, and 1||1 → (f(B)?) → 3||1 → (0.2) → 3||2 → (f(A)!) → 4||3. Signature of C||A: input f(B)?; outputs f(A)! and f(C)!.]
Compositional Analysis: Abstraction (hiding) • Abstraction (hiding) makes a signal internal. [Figure: in C||A the output f(A)! is hidden and becomes the internal action f(A);, since B does not need to observe it; the Markovian transitions of rate 0.2 (1||1 → 1||2 and 3||1 → 3||2), the f(B)? inputs and the f(C)! output are unchanged.]
Compositional Analysis: Aggregation (weak bisimulation) • Aggregation: finding a smaller model that is behaviorally equivalent to the original. • Weak bisimulation disregards internal steps, so the f(A); transitions of C||A collapse: 1||2 is merged with 2||3 and 3||2 with 4||3, and only the Markovian transitions of rate 0.2, the f(B)? inputs and the f(C)! output remain.
Compositional-Aggregation Overview • Translation. • Composition + hiding. • Aggregation (minimization). • Repeat until the whole system is composed. • Result: an aggregated system CTMC, from which the system failure probability is computed.
Summary: a compositional semantics for DFTs, with gains at the modeling and analysis levels. • Alleviates the state-space explosion problem. • Formal syntax & semantics. • Enhanced DFT modularity: dynamic module reuse; lifting restrictions on allowed inputs. • Readily extensible framework (extensions at the element level), e.g. repair. • Works well for highly modular dynamic FTs.
References • H. Boudali, P. Crouzen, M. Stoelinga. “Dynamic Fault Tree analysis using Input/Output Interactive Markov Chains”, to appear in the DSN 2007 proceedings. • H. Boudali, P. Crouzen, M. Stoelinga. “A compositional semantics for Dynamic Fault Trees in terms of Interactive Markov Chains”, technical report, to appear. • More info: hboudali@cs.utwente.nl
Future work • Weaker bisimulation relation (i.e. more aggressive state reduction) • Extension to non-exponential distributions (e.g. use of phase-type distributions) • Further extensions to DFT modeling capabilities (i.e. definition of new gates and corresponding I/O-IMC) • Fully automated tool (at this point, the tool is only partially automated)
Compositional-Aggregation Overview (worked on the DFT C = AND(A, B), with A failing at rate 0.2 and B at rate 0.4) • Step 1: Translation: the DFT elements C, A and B become I/O-IMCs (an element's I/O-IMC model can be reused). • Step 2a: Parallel composition: C||A. • Step 2b: Abstraction: hide f(A) in C||A. • Step 3: Aggregation: aggregate C||A. • Step 4: Repetition of steps 2–3 with the next element: Step 2a: (C||A)||B; Step 2b: hide f(B); Step 3: aggregate (C||A)||B. Steps 2–4 are the compositional aggregation. • Step 5: CTMC analysis of the aggregated system, in which only f(C) remains observable.
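Steps 1 to 3 of this overview, and the translation, composition and hiding slides of the compositional-analysis section, carried out in code for the DFT C = AND(A, B) as an added example (this is not the authors' tool). The I/O-IMC representation, the composition and hiding operators and all function names are this example's own; the element models and the rates 0.2 and 0.4 follow the slides. Step 3 is simplified: instead of weak-bisimulation minimization, internal steps are collapsed under maximal progress, which yields the same CTMC only when the internal behaviour is confluent (as it is here), and the code raises an error otherwise.

```python
"""Added example (not the paper's tool): translate the DFT C = AND(A, B) into
I/O-IMCs, compose them in parallel, hide the synchronised signals and reduce the
closed model to a CTMC. Rates 0.2 f/h (A) and 0.4 f/h (B) are the slides' values."""
from itertools import product

class IOIMC:
    def __init__(self, name, states, init, inputs, outputs, internal, inter, markov):
        self.name, self.states, self.init = name, list(states), init
        self.inputs, self.outputs = frozenset(inputs), frozenset(outputs)
        self.internal = frozenset(internal)
        self.inter = list(inter)    # interactive transitions (src, action, dst)
        self.markov = list(markov)  # Markovian transitions (src, rate, dst)

def input_enable(m):
    """I/O-IMCs are input-enabled: add a self-loop wherever an input is not handled."""
    handled = {(s, a) for s, a, _ in m.inter}
    m.inter += [(s, a, s) for s in m.states for a in m.inputs if (s, a) not in handled]
    return m

def basic_event(name, rate):
    """BE: 1 (operational) --rate--> 2 (failed) --f(name)!--> 3 (failure signalled)."""
    f = f"f({name})"
    return IOIMC(name, [1, 2, 3], 1, (), (f,), (), [(2, f, 3)], [(1, rate, 2)])

def and_gate(name, a, b):
    """AND gate: accepts f(a)? and f(b)? in either order, then outputs f(name)!."""
    fa, fb, fc = f"f({a})", f"f({b})", f"f({name})"
    inter = [(1, fa, 2), (1, fb, 3), (2, fb, 4), (3, fa, 4), (4, fc, 5)]
    return input_enable(IOIMC(name, [1, 2, 3, 4, 5], 1, (fa, fb), (fc,), (), inter, []))

def compose(m1, m2):
    """Parallel composition m1||m2: synchronise on shared actions, interleave the rest."""
    assert not (m1.outputs & m2.outputs), "output actions must be disjoint"
    shared = (m1.inputs | m1.outputs | m1.internal) & (m2.inputs | m2.outputs | m2.internal)
    outputs = m1.outputs | m2.outputs
    inputs = (m1.inputs | m2.inputs) - outputs  # an input fed by an output is absorbed
    inter, markov = [], []
    for s1, s2 in product(m1.states, m2.states):
        for x, a, y in m1.inter:
            if x == s1 and a in shared:  # both sides take the step together
                inter += [((s1, s2), a, (y, w)) for v, b, w in m2.inter if v == s2 and b == a]
            elif x == s1:
                inter.append(((s1, s2), a, (y, s2)))
        inter += [((s1, s2), b, (s1, w)) for v, b, w in m2.inter if v == s2 and b not in shared]
        markov += [((s1, s2), r, (y, s2)) for x, r, y in m1.markov if x == s1]
        markov += [((s1, s2), r, (s1, w)) for v, r, w in m2.markov if v == s2]
    return IOIMC(f"{m1.name}||{m2.name}", product(m1.states, m2.states), (m1.init, m2.init),
                 inputs, outputs, m1.internal | m2.internal, inter, markov)

def hide(m, hidden):
    """Abstraction: the named outputs become internal actions (f(A)! becomes f(A);)."""
    hidden = frozenset(hidden)
    assert hidden <= m.outputs
    return IOIMC(m.name, m.states, m.init, m.inputs, m.outputs - hidden, m.internal | hidden, m.inter, m.markov)

def to_ctmc(m):
    """Closed I/O-IMC -> CTMC under maximal progress (internal steps fire before any
    Markovian delay). Simplified stand-in for weak-bisimulation aggregation: every
    state must settle in exactly one stable state (confluent internal steps)."""
    assert not m.inputs and not m.outputs, "hide every action first"
    succ = {}
    for s, _, t in m.inter:
        succ.setdefault(s, set()).add(t)

    def settle(s):  # the unique stable state reachable from s by internal steps only
        seen, stable, todo = set(), set(), [s]
        while todo:
            x = todo.pop()
            if x not in seen:
                seen.add(x)
                todo.extend(succ[x]) if x in succ else stable.add(x)
        if len(stable) != 1:
            raise ValueError(f"non-confluent internal behaviour from {s}: {stable}")
        return stable.pop()

    init = settle(m.init)
    states, rates, todo = [], {}, [init]
    while todo:
        s = todo.pop()
        if s not in states:
            states.append(s)
            for x, r, y in m.markov:
                if x == s:
                    t = settle(y)
                    rates[(s, t)] = rates.get((s, t), 0.0) + r
                    todo.append(t)
    return init, states, rates

def and_gate_system(rate_a=0.2, rate_b=0.4):
    """Steps 1, 2a, 2b: translate, compose C||A then (C||A)||B, hide every signal."""
    c, a, b = and_gate("C", "A", "B"), basic_event("A", rate_a), basic_event("B", rate_b)
    return hide(compose(compose(c, a), b), ["f(A)", "f(B)", "f(C)"])

def and_gate_ctmc(system):
    """Step 3 (simplified): CTMC over flattened (C, A, B) states; C in 5 has emitted f(C)."""
    init, states, rates = to_ctmc(system)
    flat = lambda s: (s[0][0], s[0][1], s[1])  # ((c, a), b) -> (c, a, b)
    rates = {(flat(s), flat(t)): r for (s, t), r in rates.items()}
    states = [flat(s) for s in states]
    return flat(init), states, rates, {s for s in states if s[0] == 5}
```

With the slides' models the unreduced product C||A||B has 45 states, while the CTMC left after hiding and collapsing the internal steps has the four states of the 'DFT solution' slide with rates 0.2 and 0.4 between them; that generator can be handed to any CTMC transient solver. The confluence check in `to_ctmc` is the caveat a practitioner should keep: a DFT whose hidden signals race (e.g. two outputs that can fire in the same state with different observable outcomes) is exactly the case where the paper's weak-bisimulation aggregation is needed and this shortcut is not.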