ebook img

Efficient Anytime Techniques for Model-Based Safety Analysis PDF

17 Pages·2016·0.77 MB·English
by  
Save to my drive
Quick download
Download
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview Efficient Anytime Techniques for Model-Based Safety Analysis

Efficient Anytime Techniques for Model-Based Safety Analysis MarcoBozzano,AlessandroCimatti,AlbertoGriggio,andCristianMattarei FondazioneBrunoKessler,Trento,Italy Abstract. Safetyanalysisinvestigatessystembehaviorunderfaultyconditions. Itisafundamentalstepinthedesignofcomplexsystems,thatisoftenmandated bycertificationprocedures.Safetyanalysisincludestwokeysteps:theconstruc- tion of all minimal cut sets (MCSs) for a given property (i.e. the sets of basic faultsthatmaycauseafailure),andthecomputationofthecorrespondingproba- bility(givenprobabilitiesforthebasicfaults). Model-basedSafetyAnalysisreliesonformalverificationtocarryoutthesetasks. However,theavailabletechniquessufferfromscalabilityproblems,andareun- abletoprovideusefulresultsifthecomputationdoesnotcomplete. Inthispaper,weinvestigateandevaluateafamilyofIC3-basedalgorithmsfor MCSscomputation.Weworkunderthemonotonicityassumptionofsafetyanal- ysis(i.e.anadditionalfaultcannotpreventtheviolationoftheproperty).Wespe- cializeIC3-basedroutinesforparametersynthesisbyoptimizingthecounterex- amplegeneralization,byorderingtheexplorationofMCSsbasedonincreasing cardinality,andbyexploitingtheinductiveinvariantsbuiltbyIC3toaccelerate convergence. Other enhancements yield an “anytime” algorithm, able to produce an increas- inglypreciseprobabilityestimateasthediscoveryofMCSsproceeds,evenwhen thecomputationdoesnotterminate. Athoroughexperimentalevaluationclearlydemonstratesthesubstantialadvances resultingfromtheproposedmethods. Keywords: Formalmethods,SafetyAnalysis,FaultTree,IC3,ParameterSyn- thesis 1 Introduction Safety analysis [1,2,3] is an essential step for the design of critical systems. Safety analysis activities aim at demonstrating that a given system meets the conditions that are required for its deployment and use in the presence of faults. In many application domains, such activities are mandatory to obtain system certification. Safety analysis includestwokeysteps: (i)theconstructionofallminimalcutsets(MCSs),i.e.(min- imal)setsoffaultsthatleadtoatoplevelevent (TLE),suchasthelossofadesirable functionality; and (ii) the computation of the corresponding fault probability (i.e. the probabilityofreachingtheTLE),givenprobabilitiesforthebasicfaults. In recent years, there has been a growing interest in model-based safety analysis (MBSA) [4,5,6,7,8,3,9]. Its purpose is to automate the most tedious and error-prone activitiesthattodayarecarriedoutmanually.Thisisdonebyanalyzingmodelswhere selected variables represent the occurrence of faults. Cut sets are assignments to such variables that lead to the violation of the property. Formal verification tools, notably thosebasedonmodelchecking[8,10]havebeenextendedtoautomatetraditionalsafety analysisactivities,suchasthegenerationofminimalcutsets,andtoperformprobabilis- ticevaluation. The practical application of MBSA in an industrial setting poses two key prob- lems.Thefirstoneisscalability.Inadditiontothesheersizeofthemodels,aspecific factor is the possibly huge number of relevant MCSs, corresponding to different fault combinations. The second problem is to support the state of the practice. In manual safetyanalysis,theexplorationoftenproceedsaccordingtotheimportanceandlikeli- hood of fault configurations: MCSs of lower cardinality, that are typically associated withhigherprobability,areexploredbeforetheoneswithhighercardinality.Whenthe analysis is considered to be sufficiently thorough, over-approximation techniques are usedtoassesstheweightoftheunexploredMCSs. Inthispaper,weinvestigateandevaluateafamilyofefficientalgorithmsforsafety analysis. We work under the monotonicity assumption, commonly adopted in safety analysis,thatanadditionalfaultcannotpreventtheviolationoftheproperty.Wespe- cializeIC3-basedroutinesforparametersynthesisbyoptimizingthegeneralizationof counterexamples, and by ordering the exploration of MCSs based on increasing car- dinality.Wealsoproposeawaytoaccelerateconvergencebyexploitingtheinductive invariantsbuiltbyIC3. The practical applicability of our approach is enhanced by proposing a method to preciselycomputetheunder-andover-approximatedprobabilityoffailure.Thistech- niqueproducesanincreasinglypreciseestimationasthediscoveryofMCSsproceeds, withtheadvantageofprovidingan“anytime”algorithm. The described approach was implemented within the XSAP platform for safety analysis [11,12], extending and integrating the model checking routines of the under- lyingNUXMVmodelchecker[13].Wecarriedoutathoroughexperimentalevaluation onanumberofbenchmarksfromvarioussources.Theresultsclearlydemonstratethe substantialadvancesresultingfromtheproposedmethods.First,wecancompletethe computation of all MCSs more efficiently, and for much larger problems than previ- ouslypossible.Second,evenwhenthecomputationfailstoterminateduetothenumber ofMCSs,thealgorithmsproduceintermediateapproximationsofincreasingprecision at the growth of the available computation resources. Furthermore, although here we concentrate on invariant properties of finite-state systems, our techniques can be eas- ilyextendedtoconsideralsoarbitraryLTLpropertiesandinfinite-statemodels(where faultsarestillexpressedwithpropositionalvariables). RelatedWork. ThefieldofMBSAisreceivingincreasingattention[14].Manyworks coveraspectsofmodeling(seeforexample[15,16,10,11]),andproposededicatedmech- anismsforthedescriptionoffaults,alsoinprobabilisticsettings.Here,weworkwithin assumptionsderivedfrompracticalindustrialexperience.Inparticular,weassumethat thefaultsarespecifiedasdiscretevariablesinaqualitativetransitionsystem,andthat probabilitiesareattachedtothebasicfaultsafterMCSshavebeencomputed. The ESACS project [16] pioneered the idea of model-based safety assessment by means of model checking techniques. The work in [17] proposes an algorithmic ap- proachtotheautomaticconstructionoffaulttrees.Theapproachreliesonthestructure ofthesystem,anddoesnotapplymodelcheckingtechniques. In this paper, we focus on the fully automated construction of MCSs for a given transition system. There are relatively few works addressing the problem [18,8,19]. Theysharetwokeydifferenceswithrespecttotheworkpresentedhere.First,theydo not rely on recent IC3 [20] techniques; second, none of them tackles the problem of anytime techniques. Specifically, the approach in [18] proposes the idea of layering oftheexplorationintermsofcardinalityofMCSs.TheapproachisSAT-based,using boundedmodelchecking;itdoesnotdirectlydiscusstheproblemofreachingconver- gence, likely adopting an induction-based approach. [16] investigates the generation of orders between faulty events, using a BDD-based approach. Automated fault tree analysisinprobabilisticsettingsiscoveredin[21].In[8],anapproachbasedonBDDs anddynamicconeofinfluenceisproposed.Theapproachdoesnotscalewellformod- elscontainingmanyvariables.In[19],techniquesbasedonSAT-basedboundedmodel checkingarecombinedwithBDD-basedtechniquesinordertoachievecompleteness. The approach is shown to substantially outperform the engines used in a proprietary industrialtool. TheworkonIC3-basedparametersynthesis[22]caninprincipleaddresstheprob- lemtackledinthispaper.Hereweproposeseveralenhancementsbasedonthespecific featuresoftheproblem,withdramaticimprovementsintermsofscalability. Structure of the paper. The rest of this paper is structured as follows. In Section 2 we overview SA, and in Section 3 we formally characterize the problem of MBSA. In Section 4 we discuss the available baseline, and in Section 5 we present our new algorithmsforMCScomputation.InSection6wediscusstheanytimeapproximation. InSection7weexperimentallyevaluatetheapproach,andinSection8wedrawsome conclusionsandpresentdirectionsforfuturework. 2 SafetyAnalysis TraditionaltechniquesforsafetyanalysisincludeFaultTreeAnalysis(FTA)andFailure Mode and Effects Analysis (FMEA) [23,24]. FTA is a deductive technique, whereby anundesiredstate(thesocalledtoplevelevent–TLE)isspecified,andthesystemis analyzedforthepossiblefaultconfigurations(setsoffaults,a.k.a.basicevents)thatmay causethetopeventtooccur.Faultconfigurationsarearrangedinatree,whichmakesuse oflogicalgatestodepictthelogicalinterrelationshipslinkingsucheventswiththeTLE, andwhichcanbeevaluatedquantitatively,todeterminetheprobabilityoftheTLE.Of particular importance in safety analysis is the list of minimal fault configurations, i.e. theMinimalCutSets(MCSs). FMEAworksinabottom-upfashion,andaimsatproducingatabularrepresentation (calledFMEAtable)thatrepresentsthecausalityrelationshipsbetween(setsof)faults andalistofproperties(representingundesiredstates,asinthecaseofFTs).Although FMEAisdifferentinspiritfromFTA,generationofMCSscanalsobeusedasabuilding blockforcomputingFMEAtables,inparticularundertheassumptionofmonotonicity (i.e.,anysuper-setofaMCSwillstillcausetheTLE)[3,25]. Morespecifically,acutsetisasetoffaultsthatrepresentsanecessary,butnotsuf- ficient, condition that may cause a system to reach an unwanted state/behaviour. For instance, the cut set {battery1 failure, battery2 failure} may cause the safety hazard “fuelpumpmalfunctioning”ina2-redundantelectricalsystem.Moreover,minimality impliesthateverypropersuper-setofitcannotpreventthepossibilitytohavethemal- function. When the safety hazard is reachable without triggering of any fault, the FT collapsestotrue,representingtheemptycutset(whichisevidentlyminimal). AnimportantaspectofsafetyassessmentisthequantitativeevaluationofFTs,i.e. the association of FT nodes with probabilities. In particular, the determination of the probabilityoftheTLEisusedtoestimatethelikelihoodofthesafetyhazarditrepre- sents.Suchcomputationcanbecarriedoutbyevaluatingtheprobabilityofthelogical formulagivenbythedisjunctionoftheMCSs(eachMCS,inturn,beingtheconjunc- tionofitsconstituentfaults).Itisstandardpractice,inparticularforcomplexsystems, toconsideronlycutsetsuptoamaximumcardinality–inordertosimplifythecom- putation.Thisapproachisjustifiedbythefactthat,inpracticalcases,cutsetswithhigh cardinality have low probabilities, and may be “safely” ignored. However, it is essen- tialtohavecriteriatoestimatetheerrorwhichisinherentinsuchapproximation,since under-approximatingtheprobabilityofahazardwouldnotbeacceptable. 3 Model-BasedSafetyAnalysis 3.1 MinimalCutSetComputation Werepresentaplantusingatransitionsystem,asfollows.Atransitionsystemisatuple S = (cid:104)V,F,I,T(cid:105),whereV isthesetofstatevariables,F ⊆ V isasetofparameters, thefailuremodevariables;I istheinitialformulaoverV;T isthetransitionformula overV andV(cid:48)(V(cid:48)beingthenextversionofthestatevariables).Astates(resp.s(cid:48))isan assignmenttothestatevariablesV (V(cid:48)).AtraceofS isasequenceπ =s ,s ,...,s 0 1 n ofstatessuchthats satisfiesI andforeachk,1≤k ≤n,(cid:104)s ,s (cid:105)satisfiesT. 0 k−1 k Acutsetisformallydefinedasfollows[8]. Definition1 (Cut set). Let S = (cid:104)V,F,I,T(cid:105) be a transition system, FC ⊆ F a fault configuration,andTLEaformulaoverV (thetoplevelevent).WesaythatFC isacut set of TLE, written cs(FC,TLE) if there exists a trace s ,s ,...,s for S such that: 0 1 k i)s |=TLE;ii)∀f ∈F f ∈FC ⇐⇒ ∃i∈{0,...,k}(s |=f). k i Intuitively,acutsetisafaultconfigurationwhosefaultsareactiveatsomepointalonga tracewitnessingtheoccurrenceofthetoplevelevent.Insafetyanalysis,itisimportant toidentifythefaultconfigurationsthatareminimalintermsoffailuremodevariables – as they represent simpler explanations for the top level event, and they have higher probability,undertheassumptionofindependentfaults.Minimalconfigurations,called minimalcutsets,aredefinedasfollows. Definition2 (Minimal Cut Sets). Let S = (cid:104)V,F,I,T(cid:105) be a transition system and FConf = 2F be the set of all fault configurations, and TLE a top level event. We definethesetofcutsetsandminimalcutsetsofTLEasfollows: CS(TLE) ={FC ∈FConf |cs(FC,TLE)} MCS(TLE)={cs∈CS(TLE)|∀cs(cid:48) ∈CS(TLE)(cs(cid:48) ⊆cs⇒cs(cid:48) =cs)} ThepreviousdefinitionofMCSisbasedontheassumptionthatfaultconfigurations are monotonic, i.e. activating additional faults cannot prevent triggering the top level event. This is an assumption that is commonly applied in practice, considering that it leadstoaconservativeover-approximationoftheunreliability(probabilityofTLE).In cases where this is not desirable, the notion of MCS can be generalized to the more general one of prime implicant [26] i.e., with no monotonicity assumption. However, thisisnotconsideredhere. 3.2 Computingfaultsprobability Algorithm1:Probabilitycomputation. Input:BDD(n),Probabilitymap(P),Hashtable(cache) Result:Probability 1 ifnincachethen 2 returncache[n]; 3 ifn=(cid:62)then 4 return1.0; 5 ifn=⊥then 6 return0.0; 7 pthen=Probability computation(get then node(n),P,cache); 8 pelse=Probability computation(get else node(n),P,cache); 9 pcur=P(get var(n)); 10 cache[n]=pcur·pthen+(1.0−pcur)·pelse; 11 returncache[n]; GivenasetofMCSsandamappingP givingtheprobabilityforthebasicfaults,it is possible to compute the probability of the occurrence of the top-level event. Under theassumptionthatbasicfaultsareindependent1,theprobabilityofasingleMCSσ is givenbytheproductoftheprobabilitiesofitsbasicfaults: (cid:89) P(σ)= P(f ). i fi∈σ ForasetofMCSsS,theprobabilitycanbecomputedusingtheaboveandthefollowing recursiveformula: P(S ∪S )=P(S )+P(S )−P(S ∩S ). 1 2 1 2 1 2 InterpretingthesetofMCSsasadisjuctionofpartialassignmentstothefaultvari- ables,thenitispossibletorepresentedsuchformulausingaBinaryDecisionDiagram, a simple and efficient way of computing its probability is shown in Algorithm 1. The algorithmexploitsthefollowingfacts: 1Specifictechniquesforthecaseofcommoncauseanalysisareoutofthescopeofthispaper. (i) theprobabilityoftwodisjointsetsissimplythesumofthetwoprobabilities;and (ii) the two children t and e of a BDD node with variable v correspond to the two disjointsetsofassignmentsfortheformulaev∧tand¬v∧erespectively; (iii) if the variable v does not occur in the formula f, then f is independent from v, andsoP(v∧f)=P(v)·P(f); (iv) P(¬v)=1−P(v)bydefinition. 4 BasicalgorithmsforMCScomputation BDD-based algorithms. The work in [8] presents a series of symbolic algorithms for thecomputationofMCSsusingBDDs.Thealgorithmsarebasedonareachabilityanal- ysisonthesymbolictransitionsystemextendedwithhistoryvariablesforfaultevents. Intuitively, each state is decorated with the faults that have occurred in its history; at theendofthereachability,eachstateisthusassociatedwiththesetofcutsetsthatare requiredtoreachit.MCSsareextractedbyprojectingthereachablestatesoverthehis- toryvariablesandthenminimizingtheresult,usingstandardroutinesprovidedbyBDD packages. ExploitingBMC. AnimprovedversionoftheBDD-basedroutinesispresentedin[19], by exploiting Bounded Model Checking (BMC) as a preprocessing step. Essentially, theideaistorunBMCuptoamaximum(user-defined)depthk tochecktheinvariant property stating that the top level event can never be reached. Whenever a counterex- ampletraceisfound,acutsetcs(notnecessarilyminimal)isextractedfromit,andthe modelisstrengthenedwithconstraintsexcludingallthesupersetsofcs.Whennomore counterexamplesoflengthatmostk arefound,aBDD-basedalgorithmisinvokedon thestrengthenedmodel,inordertodiscovertheremainingcutsetsnotyetcovered. The approach can be generalized to completely avoid the use of BDDs. The idea is to use the BMC engine incrementally to enumerate cut sets, and combine it with a generic “black box” procedure for checking invariant properties, invoked periodically (e.g. before increasing the BMC bound k) to check whether all the MCSs have been enumerated. MCSviaparametersynthesis. Theworkin[22]presentsanefficientextensionofthe IC3algorithm(calledParamIC3)thatallowstocompute,givenamodelM depending onsomeparametersP,thesetofallvaluesofP suchthatthemodelsatisfiesagiven invariantproperty.Thealgorithmworksbycomplement,constructingthesetof“good” parametersbyincrementallyblocking“bad”assignmentsextractedfromcounterexam- pletracesgeneratedbyIC3. ThetechniquecanbeimmediatelyexploitedalsoforMCScomputationasfollows. First,themodelisextendedwithhistoryvariablesforfaultevents,asin[8].Theparam- etersynthesisalgorithmistheninvokedontheextendedmodel,consideringthehistory variablesasparameters,andcheckingthepropertythatthetopleveleventisnevertrig- gered. Each “bad” assignment blocked by ParamIC3 (see [22]) corresponds to a fault configurationreachingthetoplevelevent.Whenthealgorithmterminates,theMCSset canbeextractedbysimplydroppingthesubsumedbadassignments. 5 EfficientalgorithmsforMCScomputation In practice, the BDD-based routines of [8] show rather poor scalability, and are typi- cally not applicable to problems of realistic size. Using BMC as a preprocessing step helps significantly [19], but ultimately also this technique is limited by the scalability problems of BDD-based approaches. The technique of [22], being based on the very- efficient IC3 algorithm, is much more promising. However, in the basic formulation given in the previous section, its performance is extremely poor when the number of possiblefaultconfigurationsleadingtothetopleveleventislarge.InthisSection,we show how the situation can be dramatically improved by exploiting the monotonicity assumptiononfaultsunderwhichweareoperating. 5.1 Monotonicparametersynthesis Thefirst(trivial)improvementexploitsthedefinitionofmonotonicitytogeneralizethe setof“bad”parameterstobeblockedwheneverIC3generatesacounterexampletrace. This idea is similar to the dynamic pruning optimization of [8] for BDD-based com- putation.ThemonotonicityassumptionensuresthatifasetoffaultsF issufficientto generatethetoplevelevent,sodoesanysetS ⊇ F.Therefore,anyassignmenttothe (parameterscorrespondingtothe)faultvariablesγ = {f ,...,f }∪{¬f ,...,¬f } j k i h extracted from an IC3 counterexample trace can be immediately generalized to γ(cid:48) = {f ,...,f },bydroppingallthevariablesassignedtofalse. j k The above optimization prevents the algorithm from explicitly considering all cut setsthataresubsumedbytheonejustfound,i.e.F = {f ,...,f }.However,F itself j k mightnotbeminimal.Inthiscase,IC3wouldlaterhavetofindanotherconfiguration G⊂F,andtheeffortspentinblockingF wouldhavebeenwasted. WeaddressthisbymodifyingthebranchingheuristicoftheSATsolverusedbyIC3. Inthemodifiedheuristic,(SATvariablescorrespondingto)faultsareinitiallyassigned tofalse,andtheyhavehigherprioritythantheothervariables,sothatnoothervariable isassignedbyaSATdecisionbeforeallthefaultvariablesareassigned.Thisensures thatfaultvariablesareassignedtotrueonlywhennecessarytosatisfytheconstraints. TheaboveideaisverysimpletoimplementandintegrateintheIC3-basedalgorithm (in total, it requires about 20 lines of code), and it provides a significant performance boost (as we will show in Section 7). However, it is still not sufficient to ensure that noredundantcutsetsaregenerated.Thereasonisthat,bythenatureofIC3,ParamIC3 enumerates counterexample traces in an increasing order of length k, so that it only considers traces of length k +1 when all the traces of length ≤ k have already been excluded.2 This means that, if the shortest trace that leads to the top level event from asetF offaultsisk,butthereexistsanothersetoffaultsS ⊃ F thatleadstothetop leveleventinh < k steps,thenS willnecessarilybeblockedbyParamIC3beforeF. Insomeextremecases,thismightmaketheheuristiccompletelyineffective. 2ForreadersfamiliarwithIC3,strictlyspeakingthisisnotfullyaccurate:iftheIC3implemen- tationusesapriorityqueueformanagingcounterexamplestoinduction[20],somecounterex- amplesoflengthh>kmaybegeneratedbeforeallthoseoflength≤kareblocked.However, theargumentstillholdsinthiscase,sotheissuecanbeignoredforsimplicity. 5.2 EnumeratingonlyMCS Algorithm2:BasicMCSenumerationwithParamIC3 Input:Model(M=(cid:104)I,T(cid:105)),Toplevelevent(TLE),Faults(F) Result:MCS 1 bound=1; 2 MCS=⊥; 3 whileTruedo 4 c=make atmost(F,bound); 5 region=ParamIC3(I∧¬MCS,T ∧¬MCS,(¬TLE∨¬c),F); 6 MCS=MCS∨¬region; 7 done=IC3(I∧¬MCS,T ∧¬MCS,¬TLE); 8 ifdonethen 9 returnMCS 10 else 11 bound=bound+1; Weaddresstheproblembyincorporatinginouralgorithmasolutionoriginallypro- posedin[18].Theideaistoforcethealgorithmtoproceedbylayering,byforcingthe searchtocomputethecutssetsofincreasingcardinality,insteadofanalyzingtracesof increasing length. Thepseudo-code for the basic versionis shown in Algorithm 2.At eachiterationofthemainloop,thealgorithmusesan“atmost”constraintctolimitthe cardinality of the cut sets generated, by relaxing the invariant property to check from ¬TLEto(¬TLE∨¬c).Theterminationcheckisperformedbyinvokingthe“regular” versionofIC3onthemodelstrengthenedtoexcludethealready-computedcutsets,to checkwhetherthereareotherfaultconfigurationsthatcanreachthetoplevelevent.It iseasytoseethatAlgorithm2enumeratesonlytheMCSs,andthusitavoidstheexpo- nentialblow-upsufferedfromParamIC3onthemodelofExample1.However,itdoes soatasignificantprice,sinceitneedstwoIC3callsperiteration.Onlesspathological examples,theoverheadintroducedmightlargelyoutweighthepotentialbenefits. Algorithm 2 can be improved by exploiting the capability of IC3 (and so also of ParamIC3)ofgeneratingaproofforverifiedpropertiesintheformofaninductivein- variantentailingthepropertyP.Inourspecificcase,theinductiveinvariantψproduced by ParamIC3 on line 5 of Algorithm 2 would satisfy the following: (i) I ∧¬MCS∧ region |= ψ; (ii) ψ ∧T ∧¬MCS∧region |= ψ(cid:48); and (iii) ψ ∧¬MCS∧region |= (¬TLE ∨ ¬c). The first improvement is based on the observation that the inductive invariantcanbefedbacktoParamIC3atthenextiterationofthemainloop,thusavoid- ing the need of restarting the search from scratch. The second improvement, instead, exploitsthecomputedinvarianttocheckwhetheralltheMCSshavebeenenumerated, thusavoidingthesecondinvocationofIC3ofline7.Thisisdonebycheckingwitha SATsolverwhetherthecurrentinvariantψ isstrongenoughtoprovethatthetoplevel eventcannotbereachedbyanyfaultconfigurationnotcoveredbythealready-computed cutsets.Notethatthisdoesnotaffectcompleteness,sinceintheworstcasetheatmost constraintssimplifiestotrueafter|F|iterationsoftheloop.However,thehopeisthat Algorithm3:EnhancedMCSenumerationwithParamIC3 Input:Model(M=(cid:104)I,T(cid:105)),Toplevelevent(TLE),Faults(F) Result:MCS 1 bound=1; 2 MCS=⊥; 3 invar=(cid:62); 4 whileTruedo 5 c=make atmost(F,bound); 6 region,invar=ParamIC3(I∧¬MCS∧invar,T ∧¬MCS∧invar, (¬TLE∨¬c),F); 7 MCS=MCS∨¬region; 8 done=check unsat(¬MCS∧invar∧TLE); 9 ifdonethen 10 returnMCS 11 else 12 bound=bound+1; inpracticetheinductiveinvariantwillallowtoexittheloopmuchearlier.Theenhanced algorithmisshowninAlgorithm3,wheretheimprovementsaredisplayedinred. Example1. Considerthefollowingexample,usingthesyntaxofNUXMV[13]. 1 MODULE main 2 IVAR 3 fault_1 : boolean; 4 ... 5 fault_N : boolean; 6 7 DEFINE fault_count:=fault_1 + ... + fault_N; 8 9 VAR counter : 1 .. N; 10 status : boolean; 11 12 ASSIGN 13 init(counter) := 1; 14 next(counter) :=counter = 10 ? 1 : counter + 1; 15 16 TRANS (fault_count = 0) | (fault_count> (N−counter)); 17 18 ASSIGN 19 init(status) :=TRUE; 20 next(status) := (fault_count = 0); There are N fault variables, and suppose the top level event occurs when the status variable becomes false, i.e., whenever at least one fault occurs. Therefore, the MCSs forthismodelaretheN singletonsetscontainingonefaultvariableeach.However,the TRANS constraint forces an inverse dependency between the number of steps to reach the top level event and the cardinality of the smallest cut sets needed: for k steps, the smallest cut sets have cardinality N −k, and there are (cid:0)N(cid:1) of them. Therefore, even k with the branching heuristic described above, ParamIC3 will generate an exponential numberofcounterexamples(since(cid:80)N (cid:0)N(cid:1)=2N −1)beforefindingtheMCSs. (cid:5) k=1 k 6 Anytimeapproximation An additional benefit of Algorithm 3 compared to the other algorithms of Sections 4 and 5 is that it provides an “anytime” approximation behaviour on the set of MCSs, in the sense that at any point during its execution, the candidate solution is a subset of all the MCSs. As pointed out in Section 2, however, such underapproximation is usefulonlyifitispossibletoestimateitserrorintermsoffailureprobability.Here,we showasimplebuteffectiveprocedureforestimatingtheapproximationerroronthefly, during the execution of Algorithm 3. This allows to consider a bound on the error as analternativestoppingcriterionforthealgorithm,whichmightbeusefulincaseswhen thefullcomputationofalltheMCSswouldbetooexpensive. The idea is to keep two running bounds for the probability x of reaching the top- level event, such that at any point in the execution of the algorithm P (TLE) ≤ x ≤ L P (TLE). Initially, we set P (TLE) = 0 and P (TLE) = 1. When a minimal cut U L U set m is found, P (TLE) is incremented by computing the probability of the fault 1 L configurationsrepresentedbym thatarenotcoveredbythealready-computedMCSs. 1 This can be done by constructing the BDD for the formula m ∧ ¬MCS, and then 1 computingitsprobabilitywithAlgorithm1.3 ForupdatingtheupperboundP (TLE),instead,weexploitfactthatAlgorithm3 U proceedsbylayersofincreasingcardinality.Moreprecisely,whenParamIC3returnsat line 7, we know that all the fault configurations of cardinality smaller or equal to the currentboundthatarenotincludedinMCSwilldefinitelynotcausethetop-levelevent. TheprobabilityP oftheseconfigurationscanbecomputedwithAlgorithm1by excluded constructingtheBDDfortheformula¬make atmost(F,bound)∧¬MCS.Withthis,the newvalueofP (TLE)isgivenby1−P .Anillustrationofthisideaisshownin U excluded Figure1.Theredarearepresentstheminimalcutsetsfoundwithinaspecificcardinality, and the blue one shows all the supersets of those cut sets. The white area denotes the configurationsthatcannotcausetheTLE,whereasthegrayonerepresentstheunknown part.Figure2showsinsteadanexampleoftheevolutionoftheerrorboundsduringthe execution of Algorithm 3 for one instance of our benchmark set: P (TLE) becomes L non-zero after the first cut set found, and then grows continuously at every cut set, whereasP (TLE)decreasesinsteps,wheneveranindividualcardinalityhasbeenfully U explored. 7 ExperimentalEvaluation WehaveimplementedthealgorithmsdescribedintheprevioussectionsintheXSAP[11,12] platform for model-based safety analysis. In this Section, we experimentally evaluate their performance and effectiveness. The benchmarks and executables for reproduc- ing the results are available at https://es-static.fbk.eu/people/mattarei/ dist/FTA2015/. 3Forperformancereasons,itmightmakesensetoperformthiscomputationforclustersofcut setsratherthanforindividualones,tradinggranularityforefficiency.

Description:
Safety analysis investigates system behavior under faulty conditions. Model-based Safety Analysis relies on formal verification to carry out these tasks. analysis activities, such as the generation of minimal cut sets, and to perform . over V and V (V being the next version of the state variables
See more

The list of books you might like

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.