SMT-based Analysis of Reliability Architectures
Alessandro Cimatti, Fondazione Bruno Kessler, Trento, Italy
Joint work with Marco Bozzano and Cristian Mattarei
Safety Critical Systems
“a system whose safety cannot be shown solely by test, whose logic is difficult to comprehend without the aid of analytical tools… …and that might directly or indirectly contribute to put human lives at risk, damage the environment, or cause big economical losses” [SAE ARP4754]
Power system: …in a perfect world (figure; labels: +, Engine, -)
Power system: …in the real world (figure)
Reliability Improvement
• How to improve reliability?
• Redundancy is one of the fundamental solutions
• Multiple replicas of components
• Can act as backup
• Adopted in many critical system designs such as:
• Computer and communication systems
• Electric power transmission and distribution systems
• Rail and road transportation systems
• Water, oil and gas distribution
A classification of Redundancy
• Hot stand-by: redundant components are powered and completely functional at the same time
• Warm stand-by: redundant components are in an idle state, and they become functional only when it is necessary
• Cold stand-by: similar to warm stand-by, but redundant components are turned off rather than being idle
Our goal
• Given a selected form of redundancy, what are its features?
• How to quantify reliability?
• In practice, many forms of redundancy are possible
• Which one is best?
• Currently, this is a manual process!
• In this talk:
• SMT-based analysis of redundancy architectures
Outline
• Architectural Design in Critical Systems
• Redundant Systems
• Reliability Analysis
• Automated Approaches
• EUF modeling and Fault Tree Analysis
• Efficient Analysis via Predicate Abstraction
• Conclusion
Redundant systems definition: TMR [Abraham74] (figure: nominal architecture vs. redundant architecture)
• Increase reliability for critical designs
• Usage of a redundant scheme (e.g. Triple Modular Redundancy)
• Hard to analyze and optimize system reliability
Triple Modular Redundancy: Possible Patterns (figure panels: 1 voter, 2 voters, 3 voters)
TMR: Linear Structures (figure, built up over several slides: linear chains of triplicated modules M followed by voters V, compared across the 1-, 2- and 3-voter patterns)
Reliability analysis: manual approach [Hamamatsu10] (figure: Triple Redundant Module comparison, 1 voter)
Reliability analysis: manual approach
• Manual approach to reliability computation:
• Slow, expensive and error prone
• Limited expressiveness
• Support only for linear structures
• no general approach for Tree- and DAG-shaped structures
• Needs space discretization
Automated Analysis of Reliability Architecture
1. Model the extended system with uninterpreted functions
Modeling of the extended system (figure)
SAT-Based Fault Tree Analysis
Fault Tree Analysis: equivalence check (figure)
Reliability Function Extraction (figure: BDD representation of the Fault Tree)
Automated Analysis of Reliability Architecture
1. Model the extended system with uninterpreted functions
2. Perform Fault Tree Analysis
3. Extract the Reliability Function from the BDD representation of the Fault Tree
4. Evaluate the results with analytical tools (Octave/Matlab)
Automated Analysis of Reliability Architecture (figure: Triple Redundant Module comparison, 1 voter; curves a–e plotted against 1-Rm and 1-Rv)
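The four steps above, carried out by brute force on a small linear TMR chain, as an added example that is not the talk's tool: the fault model, component naming (M&lt;stage&gt;_&lt;i&gt;, V&lt;stage&gt;_&lt;j&gt;) and the perfect consumer that votes the final triple are assumptions of this example. Fault assignments are enumerated exhaustively (the job AllSMT does symbolically), the minimal cut sets of the fault tree are read off, and the reliability function is evaluated for given module and voter reliabilities, so the 1-voter and 3-voter patterns can be compared.

```python
from itertools import product
from math import prod
# Added example, not the talk's tool: a linear TMR chain under a Boolean "correctness"
# abstraction: every value is one bit (True = correct, False = corrupted), a module passes its
# input through only when not faulty, and a voter returns the majority of its inputs unless it
# is faulty.  Naming, fault model and the perfect final consumer voting the last triple are assumed.

def majority(bits):
    return sum(bits) >= 2

def components(stages, voters_per_stage):
    """All fault-prone components in a fixed order: modules M<stage>_<i>, voters V<stage>_<j>."""
    names = []
    for s in range(stages):
        names += [f"M{s}_{i}" for i in range(3)]
        names += [f"V{s}_{j}" for j in range(voters_per_stage)]
    return names

def output_correct(stages, voters_per_stage, faulty):
    """Simulate the chain with the given faulty components; True iff the final output is correct."""
    state = (True, True, True)                      # triplicated input port, assumed correct
    for s in range(stages):
        mods = tuple(state[i] and f"M{s}_{i}" not in faulty for i in range(3))
        if voters_per_stage == 1:                   # one voter fans out to the next three modules
            v = majority(mods) and f"V{s}_0" not in faulty
            state = (v, v, v)
        else:                                       # three voters, each feeding one next module
            state = tuple(majority(mods) and f"V{s}_{j}" not in faulty for j in range(3))
    return majority(state)

def fault_table(stages, voters_per_stage):
    """Exhaustively enumerate every fault assignment (the job AllSMT does symbolically)."""
    names = components(stages, voters_per_stage)
    table = {}
    for bits in product((False, True), repeat=len(names)):
        faulty = frozenset(n for n, b in zip(names, bits) if b)
        table[faulty] = output_correct(stages, voters_per_stage, faulty)
    return table

def minimal_cut_sets(stages, voters_per_stage):
    """Failing sets that stop failing when any single fault is removed (failure is monotone)."""
    table = fault_table(stages, voters_per_stage)
    cuts = [sorted(s) for s, ok in table.items() if not ok and all(table[s - {e}] for e in s)]
    return sorted(cuts, key=lambda c: (len(c), c))

def reliability(stages, voters_per_stage, rm, rv):
    """Evaluate the reliability function: sum the probabilities of all non-failing assignments."""
    rel = {n: rm if n[0] == "M" else rv for n in components(stages, voters_per_stage)}
    return sum(prod(1 - rel[n] if n in faulty else rel[n] for n in rel)
               for faulty, ok in fault_table(stages, voters_per_stage).items() if ok)
```

For one stage with one voter this yields the cut sets {V0_0} and every pair of modules, and the reliability Rv·(3Rm² − 2Rm³); the enumeration is exponential in the number of components, which is exactly the bottleneck the later predicate-abstraction part of the talk addresses.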
Uniform probability analysis (figures: 1 voter patterns comparison, 2D and 3D)
Uniform probability analysis (figures: 1 vs 2 voters comparison, 2D and 3D)
Uniform probability analysis (figure)
Non-uniform probability analysis (figure)
Automated Analysis of Reliability Architectures
• Fully automated technique for the analysis of reliability architectures
• Symbolic technique
• generates the closed form of the reliability function
• Allows for the reusability of analysis results
• generation of reliability function libraries
• Useful to explore the design space
• Bottleneck:
• the AllSMT computation is monolithic
• Hard to deal with big systems (> 10 stages)
Counter-Example Guided Abstraction-Refinement (CEGAR)
Predicate abstraction (figure: concrete state vars X with I(X) and R(X, X') on one side, abstract state vars P with AI(P) and AR(P, P') on the other; the predicates Ψ_0(X), Ψ_1(X), Ψ_2(X) define P_0, P_1, P_2 and partition the concrete states into abstract states)
CEGAR with Predicate abstraction
Computing Abstractions
• Given a concrete model CI(X), CR(X, X')
• Given a set of predicates Ψ_i(X), each associated with an abstract variable P_i
• Obtain the corresponding abstract model
• AR(P, P') is defined by
  AR(P, P') = ∃X, X'. ( CR(X, X') ∧ ⋀_i (P_i ↔ Ψ_i(X)) ∧ ⋀_i (P'_i ↔ Ψ_i(X')) )
• Existential quantification as AllSMT
• SMT solver extended to generate all satisfying assignments
Modular Abstraction for Safety Assessment
• Compose the whole system using the abstraction of each single module
• Preserve the cut-set generation, i.e. provide the same results by means of a modular abstract state space
• Generate a pure Boolean model, and abstract the SMT formulas
• Compute the results via a BDD-based engine with a known variable ordering
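The definition of AR(P, P') above, computed by enumerating every concrete transition and projecting it onto the predicates (what AllSMT does symbolically over an SMT solver), as an added example that is not from the talk. The concrete model is a constructed toy, a counter x in 0..3 that increments modulo 4 or resets to 0, with two assumed predicates Ψ_0: x = 0 and Ψ_1: x ≥ 2.

```python
from itertools import product

# Added example, not from the talk: AR(P,P') = ∃X,X'. ( CR(X,X') ∧ ⋀_i (P_i ↔ Ψ_i(X)) ∧ ⋀_i (P'_i ↔ Ψ_i(X')) )
# computed by exhaustive enumeration of a finite concrete state space.  The concrete model and
# the predicates are constructed for this example.

DOMAIN = range(4)            # concrete state variable x takes values 0..3

def CR(x, x2):
    """Concrete transition relation: x' = x + 1 mod 4, or a reset to x' = 0."""
    return x2 == (x + 1) % 4 or x2 == 0

PREDICATES = {               # Ψ_i(X), each associated with abstract variable P_i
    "P0": lambda x: x == 0,
    "P1": lambda x: x >= 2,
}

def alpha(x):
    """Abstraction map: concrete state -> tuple of predicate values (P_0, P_1)."""
    return tuple(psi(x) for psi in PREDICATES.values())

def abstract_transition_relation():
    """AR(P, P') as the set of abstract pairs: enumerate all solutions of CR, then project onto P, P'."""
    return {(alpha(x), alpha(x2)) for x, x2 in product(DOMAIN, repeat=2) if CR(x, x2)}
```

The result over-approximates the concrete behaviour: the abstract self-loop on (P0 = False, P1 = True) is justified only by the concrete step 2 → 3, yet from 3 the counter can only reset, which the abstraction no longer distinguishes; the inconsistent abstract state (True, True) never appears.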
Combinatorial System: Generic Component
Combinatorial System: Abstractor and Concretizer
Combinatorial System: Sequential composition
Combinatorial System: Parallel Composition
Combinatorial System: Reduction and Parallel Equivalence
Combinatorial System: Modular Abstraction Equivalence
Modular Abstraction (figure: Boolean part and Data part of a module)
Experimental Evaluation: Concrete vs Abstraction
• Redundant network description:
• Linear TMR structures with 1, 2 and 3 voters; single (triplicated) input and output ports
• Tree- and DAG-like structures randomly generated with 1, 2 and 3 voters; 1, 2 and 3 (triplicated) input ports; single (Tree) or double (DAG) output ports
• Fault Tree Analysis with equivalence check: perfect vs redundant (and faulty) circuit
• Engine details:
• MathSAT5 (EUF) for the concrete case
• NuSMV3 with BDD-based engine for the modular abstraction
DAG-like example with 60 modules (figure)
Concrete vs Abstraction: linear
Concrete vs Abstraction: Tree and DAG (< 15 modules)
Abstraction: Tree and DAG
Conclusion
• Automated technique for the analysis of reliability architectures
• Management of linear, Tree- and DAG-like structures
• Efficient analysis of large systems (> 140 modules) via predicate abstraction
• Take-away
• SMT view crucial to devise novel solutions!
• Efficiency does not come for free…
Thanks for your attention!