holger hermanns
play

Holger Hermanns dependable systems and software Saarland University - PowerPoint PPT Presentation

Sep 03, 2023 •743 likes •1.38k views

Holger Hermanns dependable systems and software Saarland University Saarbrcken, Germany Safety? Safety by design? Make sure hazardous situations are unreachable! Safety by design? Make sure hazardous situations are unreachable! Safety by

  1. Holger Hermanns dependable systems and software Saarland University Saarbrücken, Germany

  2. Safety?

  3. Safety by design? Make sure hazardous situations are unreachable!

  4. Safety by design? Make sure hazardous situations are unreachable!

  5. Safety by design? Why bother? Enforced by various standards: DO-178C/ED-12C for airborne systems relates to ARP4761 Functional Hazard Assessment (FHA) Preliminary System Safety Assessment (PSSA) System Safety Assessment (SSA) Fault Tree Analysis (FTA) Failure Mode and Effects Analysis (FMEA) Failure Modes and Effects Summary (FMES) Common Cause Analysis (CCA) ISO 26262 for automotive systems ... Higher/highest safety levels recommend formal methods

  6. Prelude

  7. Fault Trees 9x10 -4 5x10 -3 8x10 -3 5x10 -3 8x10 -3

  8. Fault Trees How to obtain the numbers? 1) Time-independent failure Average number of starts before failure: 200  Failure probability 0.005 9x10 -4 5x10 -3 8x10 -3 5x10 -3 8x10 -3

  9. Fault Trees How to obtain the numbers? 1) Time-independent failure Average number of starts before failure: 200  Failure probability 0.005 2) Time-dependent failure: 9x10 -4 On average once 0.00021 per Mission time : 24h Probability to fail in 24 hours: ���⋅�.����� 5x10 -3 8x10 -3 5x10 -3 8x10 -3 ... and from further models

  10. Fault Trees – Analysis Basics Calculate probability of top-level event … or overapproximation thereof 9x10 -4 5x10 -3 8x10 -3 5x10 -3 8x10 -3

  11. Fault Trees licensed at > 55% of • are often very large nuclear power plants worldwide • are very costly to maintain • are very important • are stateless • give imprecise results - too pessimistic due to stateless view + minimal cutset abstraction - too optimistic if dependencies - …

  12. Models for Safety All models are wrong, but some are useful. George E. P. Box

  13. Useful Models finite automata on? x:=0; on? x:=0; dark dark light light x==50 off!

  14. Useful Models finite automata with clocks all running at the same speed on? x:=0; on? x:=0; dark dark light light x==50 off! Timed Automata

  15. Useful Models finite automata with clocks and with costs incurred as time advances on? x:=0; on? x:=0; dark dark light light x==50 off! Priced Timed Automata

  16. Useful Models finite automata with clocks and with costs modular: composition of automata on? x:=0; y>d on? x:=0; on! y:=0; dark dark light light d:=U[5,55]; someone x==50 off! Automata Networks

  17. Useful Models 1 0,9 finite automata 0,8 0,7 0,6 with clocks 0,5 0,4 and with costs 0,3 U[5,55] Pr (“on!” > t) 0,2 Pr (“on!” > t) 0,1 modular: composition of automata 0 0 5 10 15 20 25 30 35 40 45 50 55 60 on? x:=0; y>d on? x:=0; on! y:=0; dark dark light light d:=U[5,55]; someone x==50 off! with probability distributions Stochastic Timed Automata

  18. Useful Models finite automata with clocks and with costs Exp[5] Pr (“on!” > t) modular: composition of automata on? x:=0; y>d on? x:=0; on! y:=0; dark dark light light d:= Exp[5]; someone x==50 off! with probability distributions Stochastic Timed Automata

  19. Useful Models finite automata with clocks memoryless time and with costs Exp[5] Pr (“on!” > t) modular: composition of automata on? x:=0; y>d on? x:=0; on! dark dark light light someone x==50 off! with probability distributions Markov Automata

  20. Useful Models finite automata with clocks and with costs Exp[5] Pr (“on!” > t) modular: composition of automata on? x:=0; y>d on? x:=0; on! y:=0; dark dark light light d:= Exp[5]; someone x==50 off! with probability distributions Stochastic Timed Automata

  21. Useful Models finite automata with clocks and with costs Exp[5] Pr (“on!” > t) modular: composition of automata on? x:=0; y>d on? x:=0; 98% on! 2% y:=0; dark dark light light d:= Exp[5]; someone T>85 && x==50 off! with probability distributions Stochastic Timed Automata

  22. Useful Models finite automata with clocks and with costs Exp[5] Pr (“on!” > t) modular: composition of automata on? x:=0; y>d on? x:=0; 98% on! 2% y:=0; dark dark light light d:= Exp[5]; someone T>85 && x==50 off! with probability distributions Stochastic Hybrid and continuous dynamics Automata

  24. Model based … Analysis System Model Analysis Focus possible behaviour Model Analysis Results

  25. Model based … Analysis ... Maintenance Failure ... Architecture Requirements Objectives Nominal System Model Analysis Focus possible behaviour Model Analysis Results Diagnostics Fault Trees FMEA Characteristics

  26. Model based … Analysis ... Maintenance Failure ... Architecture Requirements Objectives Nominal System Model Analysis Focus possible behaviour Model Analysis Results Diagnostics Fault Trees FMEA Characteristics

  27. Model based … Analysis ... Maintenance Failure ... Architecture Requirements Objectives Nominal System Model Analysis Focus possible behaviour Results Diagnostics Fault Trees FMEA Characteristics

  28. Model based … Analysis ... Maintenance Failure ... Architecture Requirements Objectives Nominal System Model Analysis Focus possible behaviour Model Analysis Abstraction Iteration Results Diagnostics … Fault Trees FMEA Magic Characteristics

  29. Model based … Analysis System Model Analysis Focus possible behaviour Model Analysis modestchecker.org Results A concrete, mission-critical case

  30. Embedded in Space

  31. GOMX-1 • 2U CubeSat (2 liter) • Launched in November 2013 • Payloads: • software defined receiver for aircraft signals • color camera for earth observation • Telemetry transmitted on amateur radio frequency • Massive amounts of data collected • battery voltage, temperature, solar infeed, … Runs our calibration experiments.

  32. Battery Kinetics

  33. Battery Kinetics 100 % 0 %

  34. Battery Kinetics B A Kinetic Battery Model • can represent ‘rate-capacity effect’ • can represent ‘recovery effect’  a faithful abstraction of modern battery chemistry

  35. Battery Kinetics B A Kinetic Battery Model • can represent ‘rate-capacity effect’ • can represent ‘recovery effect’  a faithful abstraction of modern battery chemistry

  36. Battery Kinetics full B A A empty B

  37. Battery Kinetics full B A A empty B

  38. Battery Kinetics full B A A empty B

  39. Battery Kinetics full B A A empty B

  40. Battery Kinetics full B A A empty B

  41. Battery Kinetics full B A A empty B

  42. Battery Kinetics full B A A empty B

  43. Battery Kinetics full B A A empty B

  44. Battery Kinetics full B A A empty B

  45. Battery Kinetics full B A A empty B

  46. Battery Kinetics full B A A empty B

  47. Concretely. Will the battery survive a one-year mission ? -62 with 5000 mAh

  48. Concretely. Will the battery survive a one-year mission ? With half the capacity? 2500 mAh

  49. Concretely. Will the battery survive a one-year mission ? With a quarter of the capacity? 1250 mAh

  50. Concretely. Will the battery survive a one-year mission ? With an eighth of the capacity ? 625 mAh

  51. Concretely. Will the battery survive a one-year mission ? With a sixteenth of the capacity ? 312.5 mAh

  52. GOMX-2 • 2U CubeSat (2 liter) • Shipped in October 2014 with Cygnus CRS-3 towards ISS • Payloads: • Optical communication experiments from NUS • Highspeed UHF and SDR receiver • Shipping failed after liftoff • Satellite was recovered from wreckage and returned to GomSpace

  53. GOMX-3 • 3U CubeSat (3 liter) • Launched from ISS in October 2015 • Payloads: • L-band communication to geostationary satellit • X-band transmitter for CNES • Highspeed UHF and SDR receiver • Can (and must) rotate in 3 dimensions

  54. GOMX-4 • Two 6U CubeSats (6 liter) • Launch expected in 2016 • Initial design in the making • Focus on support for flexible payload model • Needs strong support for dynamic load scheduling • Battery states are critical

  55. GOMX-3 mission details

  56. GOMX-3 mission planning • Very tight power budget • Needs dynamic and battery aware scheduling • What we do: • Priced Timed Automata modelling • Generate optimal schedules for 1 week or day horizon • Evaluate schedules on random KiBaM for robustness • Send to orbit, observe behaviour, update model

  57. GOMX-3 mission planning • Very tight power budget • Needs dynamic and battery aware scheduling • What we do: • Priced TA modelling with linear battery model • Generate optimal schedules for 1 week horizon • Evaluate schedules on random KiBaM for robustness • Prepare for updates of model state based on orbit data

  58. A one-day schedule (for yesterday) and its depletion risk

  59. Meeting Reality, safely

  60. You saw: Model based … Analysis System Model Analysis Focus possible behaviour Model Analysis modestchecker.org Results on a concrete, mission-critical case

Recommend

Holger Hermanns Holger Hermanns E le c tr ic Powe r Distr ibution Gr ids Pr Pr oduc e r

Holger Hermanns Holger Hermanns E le c tr ic Powe r Distr ibution Gr ids Pr Pr oduc e r

Holger Hermanns Holger Hermanns E le c tr ic Powe r Distr ibution Gr ids Pr Pr oduc e r oduc e r s s Consume r Consume r s s nuc c o a l l le a r g a s b io g a s Micro CHP la ke s Stor age Holger Hermanns Pr inc ipal

878 views • 39 slides
The Stochastic KiBaM ... or how charging probably keeps batteries alive Holger Hermanns, Jan

The Stochastic KiBaM ... or how charging probably keeps batteries alive Holger Hermanns, Jan

The Stochastic KiBaM ... or how charging probably keeps batteries alive Holger Hermanns, Jan Krl, Gilles Nies Saarland University May 5, 2015 Alpine Verification Meeting 2015 What 3 items would you take to a deserted island? 1 / 21 What

723 views • 32 slides
Continuous Optimal Timing Yuliya Butkova, Hassan Hatefi, Holger Hermanns, Jan Kr c al

Continuous Optimal Timing Yuliya Butkova, Hassan Hatefi, Holger Hermanns, Jan Kr c al

Motivation Definitions and Problem Statement Existing Algorithms Our Algorithm Empirical Evaluation Conclusion Continuous Optimal Timing Yuliya Butkova, Hassan Hatefi, Holger Hermanns, Jan Kr c al Saarland University Computer

461 views • 28 slides
Late Weak Bisimilarity for Markov Automata Christian Eisentraut 1 Jens Chr. Godskesen 2 Holger

Late Weak Bisimilarity for Markov Automata Christian Eisentraut 1 Jens Chr. Godskesen 2 Holger

Late Weak Bisimilarity for Markov Automata Christian Eisentraut 1 Jens Chr. Godskesen 2 Holger Hermanns 1 Lei Song 3 , 1 Lijun Zhang 4 , 1 Saarland University, Germany IT University of Copenhagen, Denmark Max-Planck-Institut f ur Informatik,

410 views • 30 slides
The Raspberry Pi: A Platform for Replicable Performance Benchmarks? Holger Knoche and Holger

The Raspberry Pi: A Platform for Replicable Performance Benchmarks? Holger Knoche and Holger

The Raspberry Pi: A Platform for Replicable Performance Benchmarks? Holger Knoche and Holger Eichelberger University of Kiel and University of Hildesheim November 9, 2017 @ SSP Holger Knoche and Holger Eichelberger The RasPi: Replicable

323 views • 14 slides
Union, Intersection, and Refinement Types and Reasoning about Type Disjointness for Security

Union, Intersection, and Refinement Types and Reasoning about Type Disjointness for Security

Union, Intersection, and Refinement Types and Reasoning about Type Disjointness for Security Protocol Analysis C t lin Hri cu Prof. Dr. Holger Hermanns (UdS) Dean of Math and CS Faculty Prof. Dr. Gert Smolka (UdS) Chair of Examination

1.39k views • 107 slides
Fatigue in work matters (a lot) Dr. Robbert Hermanns MFOM IOSH, Bradford 17 May 2019 1

Fatigue in work matters (a lot) Dr. Robbert Hermanns MFOM IOSH, Bradford 17 May 2019 1

Fatigue in work matters (a lot) Dr. Robbert Hermanns MFOM IOSH, Bradford 17 May 2019 1 Introduction My background: Medical University Netherlands chemical industry Specialist in Occupational Medicine Germany (SMEs)

627 views • 47 slides
Trace-based detection of lock contention in MPI one-sided communication Marc-Andr e Hermanns

Trace-based detection of lock contention in MPI one-sided communication Marc-Andr e Hermanns

Trace-based detection of lock contention in MPI one-sided communication Marc-Andr e Hermanns Bernd Mohr Felix Wolf October 4, 2016 Parallel Tools Workshop, Stuttgart Motivation The Message Passing Interface (MPI) standard De-facto

685 views • 31 slides
Continuous-time Markov Decisions based on Partial Exploration Pranav Ashok Technical University

Continuous-time Markov Decisions based on Partial Exploration Pranav Ashok Technical University

Continuous-time Markov Decisions based on Partial Exploration Pranav Ashok Technical University of Munich Highlights 2018, Berlin Joint work with Yuliya Butkova 1 , Holger Hermanns 1 and Jan Kretinsky 2 1 Saarland University, Germany 2 Technical

605 views • 22 slides
EASM 2014 Method This research consists of interviewing three groups that are very familiar

EASM 2014 Method This research consists of interviewing three groups that are very familiar

Quo Vadis Olympia? Are Olympic Games still value driven? Submitting author: Dr Holger Preuss Johannes Gutenberg-University Mainz, Mainz, 55126 Germany All authors: Holger Preuss (corresp), Benoit Seguin, Norbert Schtte, Thomas Knecke,

196 views • 3 slides
Isotropic Ornstein-Uhlenbeck Flows Holger van Bargen (joint work with Georgi Dimitroff) IRTG

Isotropic Ornstein-Uhlenbeck Flows Holger van Bargen (joint work with Georgi Dimitroff) IRTG

Stochastic Flows And Stochastic Differential Equations IBFs and IOUFs Spatial Regularity Isotropic Ornstein-Uhlenbeck Flows Holger van Bargen (joint work with Georgi Dimitroff) IRTG Summer School Disentis Holger van Bargen Isotropic

755 views • 47 slides
Bo osting Neural Net w orks pap er No Holger Sc h w enk LIMSICNRS

Bo osting Neural Net w orks pap er No Holger Sc h w enk LIMSICNRS

Bo osting Neural Net w orks pap er No Holger Sc h w enk LIMSICNRS bat BP Orsa y cedex FRANCE Y osh ua Bengio DIR O Univ ersit y of Mon tr

626 views • 19 slides
DRG und Onkologie Kleingruppenseminar Brustkrebs Dr. Holger Bunzemeier Stabsstelle

DRG und Onkologie Kleingruppenseminar Brustkrebs Dr. Holger Bunzemeier Stabsstelle

DRG und Onkologie Kleingruppenseminar Brustkrebs Dr. Holger Bunzemeier Stabsstelle Medizincontrolling des Universittsklinikums Mnster DRG-Research-Group, Universittsklinikum Mnster Betrachtung des G-DRG-Systems + Klassifikationssystem

312 views • 15 slides
Automated Testing of Debian Packages Holger Levsen debian@layer-acht.org Lucas Nussbaum

Automated Testing of Debian Packages Holger Levsen debian@layer-acht.org Lucas Nussbaum

Introduction Lintian and Linda Rebuilding packages Piuparts Structuring QA Conclusion Automated Testing of Debian Packages Holger Levsen debian@layer-acht.org Lucas Nussbaum lucas@debian.org Holger Levsen and Lucas Nussbaum Automated

1.38k views • 31 slides
Refactoring Kiekers I/O Infrastructure to Improve Scalability and Extensibility Holger Knoche

Refactoring Kiekers I/O Infrastructure to Improve Scalability and Extensibility Holger Knoche

Refactoring Kiekers I/O Infrastructure to Improve Scalability and Extensibility Holger Knoche University of Kiel November 10, 2017 @ SSP Holger Knoche Refactoring Kiekers I/O Infrastructure November 10, 2017 @ SSP 1 / 16 Agenda 1.

182 views • 16 slides
Electoral Accountability and Control in U.S. Cities Holger Sieg University of Pennsylvania and

Electoral Accountability and Control in U.S. Cities Holger Sieg University of Pennsylvania and

Electoral Accountability and Control in U.S. Cities Holger Sieg University of Pennsylvania and NBER Chamna Yoon Korea Advanced Institute of Science and Technology December 12, 2019 Optimal Retention and Dynamic Agency We study the

1.23k views • 37 slides
Electoral Accountability and Control in U.S. Cities Holger Sieg University of Pennsylvania and

Electoral Accountability and Control in U.S. Cities Holger Sieg University of Pennsylvania and

Electoral Accountability and Control in U.S. Cities Holger Sieg University of Pennsylvania and NBER Chamna Yoon Korea Advanced Institute of Science and Technology December 12, 2019 Optimal Retention and Dynamic Agency We study the

278 views • 23 slides
How a free software developer self sustains or money can't buy your love Holger Levsen

How a free software developer self sustains or money can't buy your love Holger Levsen

How a free software developer self sustains or money can't buy your love Holger Levsen International Conference on Open Source (ICOS) Taipeh, Taiwan, September 26 th 2009 Outline Who am I or how I became what I am What I do in/for/with

884 views • 42 slides
debian-community.org Holger Levsen June 23 rd 2007 Outline some bits about me & my

debian-community.org Holger Levsen June 23 rd 2007 Outline some bits about me & my

debian-community.org Holger Levsen June 23 rd 2007 Outline some bits about me & my inspiriation for this basic ideas: email, planets, t-shirts more goals, i18n simple code of conduct debian endorsement status, timeline

572 views • 31 slides
Protg-OWL and the Semantic Web 8 th Int. Protg Conference, Madrid, July 2005 Holger

Protg-OWL and the Semantic Web 8 th Int. Protg Conference, Madrid, July 2005 Holger

Protg-OWL and the Semantic Web 8 th Int. Protg Conference, Madrid, July 2005 Holger Knublauch agent The Semantic Web Vision Standards Technology Example Scenario Traditional Web Architecture Submission Forms Query Interfaces

842 views • 24 slides
From Programs to Program Spaces: Programming by Optimisation Holger H. Hoos BETA Lab Department

From Programs to Program Spaces: Programming by Optimisation Holger H. Hoos BETA Lab Department

From Programs to Program Spaces: Programming by Optimisation Holger H. Hoos BETA Lab Department of Computer Science University of British Columbia Canada 45th CREST Open Workshop on Genetic Improvement London, UK, 2016/01/26 The age of

714 views • 38 slides
Collaborations: Tsampikos Kottos (Wesleyan) Holger Schanz (Gottingen) Swarnali Bandopadhyay

Collaborations: Tsampikos Kottos (Wesleyan) Holger Schanz (Gottingen) Swarnali Bandopadhyay

The conductance of small mesoscopic disordered rings Doron Cohen, Ben-Gurion University Collaborations: Tsampikos Kottos (Wesleyan) Holger Schanz (Gottingen) Swarnali Bandopadhyay (BGU) Yoav Etzioni (BGU) Tal Peer (BGU) Rangga Budoyo

530 views • 12 slides
WTO Law Class 4: Tariffs Quotas Ferrara 2018 Dr. Holger Hestermeyer Shell Reader in

WTO Law Class 4: Tariffs Quotas Ferrara 2018 Dr. Holger Hestermeyer Shell Reader in

WTO Law Class 4: Tariffs Quotas Ferrara 2018 Dr. Holger Hestermeyer Shell Reader in Interna;onal Dispute Resolu;on, Kings College London Today s Program Structure of the GATT Quantitative Restrictions Tariff Bindings

746 views • 16 slides
Algorithm Configuration for Portfolio-based Parallel SAT-Solving Holger Hoos 1 , Kevin

Algorithm Configuration for Portfolio-based Parallel SAT-Solving Holger Hoos 1 , Kevin

Algorithm Configuration for Portfolio-based Parallel SAT-Solving Holger Hoos 1 , Kevin Leyton-Brown 1 , Torsten Schaub 2 , Marius Schneider 2 1 Department of Computer Science University of British Columbia Vancouver, BC, Canada 2 Institute of

511 views • 15 slides

More recommend