The FSAP/NuSMV-SA Safety Analysis Platform

  • Marco Bozzano
  • Adolfo Villafiorita
Regular Contributions

Abstract

Safety-critical systems are becoming more complex, both in the type of functionality they provide and in the way they are required to interact with the environment. Such growing complexity requires an adequate increase in the capability of safety engineers to assess system safety, including analyzing the behavior of a system in degraded situations. Formal verification techniques, like symbolic model checking, have the potential to deal with such complexity and are now being used more often. However, existing techniques have little tool support, and therefore their use for safety analysis remains limited. In this paper, we present FSAP/NuSMV-SA, a platform which aims to improve the development cycle of complex systems by providing a uniform environment that can be used both at design time and for safety assessment. The platform makes the modeling and safety assessment of complex systems easier by providing a facility for automatically augmenting a system model with failure modes, whose definitions are retrieved from a predefined library. In this way, it is possible to assess the system safety both in nominal conditions and in user-specified degraded situations, i.e., in the presence of faults. Furthermore, the platform provides a pattern-based definition of temporal logic formulas, which simplifies the definition of safety requirements. The platform consists of a graphical user interface (FSAP) and an engine (NuSMV-SA) which is based on the NuSMV model checker. The model checking engine provides support for system simulation and standard model checking capabilities, like property verification and the generation of counterexamples. Furthermore, algorithms have been implemented to automate the generation of artifacts that are typical of reliability analysis, e.g., fault trees. The platform can derive fault trees automatically (for both monotonic and non-monotonic systems) from the definition of the system model and of the possible faults. The interface of the platform has been designed to improve usability for people who are not experts in formal verification. The platform has been evaluated in collaboration with an industrial partner and tested on some industrial case studies.
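As an added illustration (not code from the paper or from FSAP/NuSMV-SA itself), the following Python sketch mimics the workflow the abstract describes on a constructed two-sensor/monitor model: failure modes from a small library are injected into the nominal logic, a top-level event is defined, and its minimal cut sets are computed as prime implicants over the fault variables, which is what a non-monotonic system needs. The model is combinational (one step) rather than a temporal NuSMV model, and every name in it is an assumption made for the example.

```python
from itertools import product

# Failure-mode library for the constructed example (not FSAP's own library).
FAULTS = ("A_stuck_high", "B_stuck_high", "MON_fail_silent", "MON_false_alarm")

def extended_model(true_val, cfg):
    """Nominal two-sensor/monitor model augmented with injected failure modes.
    cfg maps fault name -> bool (True = fault active). Returns True when the
    top-level event occurs: a wrong value reaches the output undetected."""
    a = True if cfg["A_stuck_high"] else true_val       # sensor channel A
    b = True if cfg["B_stuck_high"] else true_val       # sensor channel B
    disagreement = a != b
    detected = disagreement and not cfg["MON_fail_silent"]
    safe_mode = detected or cfg["MON_false_alarm"]      # a false alarm also forces safe mode
    if safe_mode:
        return False                                    # safe mode masks the hazard
    return (a or b) != true_val                         # 1-out-of-2 vote drives the output

def top_level_event(cfg):
    # The TLE is reachable if some environment value makes the output wrong.
    return any(extended_model(v, cfg) for v in (False, True))

def fault_tree_implicants(tle, faults, allow_negation=True):
    """Minimal cut sets of tle over the fault variables.
    With allow_negation=True the result is the set of prime implicants (literals
    may be negated, as non-monotonic systems require); with False only the
    positive-literal cut sets of classic monotonic analysis are returned."""
    n = len(faults)
    assignments = list(product((False, True), repeat=n))
    hazardous = {asg for asg in assignments if tle(dict(zip(faults, asg)))}
    literal_values = (None, False, True) if allow_negation else (None, True)

    def covers(cube, asg):  # None in a cube means "don't care"
        return all(c is None or c == a for c, a in zip(cube, asg))

    # A cube is an implicant if every fault configuration it covers is hazardous.
    implicants = [cube for cube in product(literal_values, repeat=n)
                  if all(asg in hazardous for asg in assignments if covers(cube, asg))]

    def subsumes(general, specific):
        return general != specific and all(
            g is None or g == s for g, s in zip(general, specific))

    # Prime implicants: implicants not subsumed by a more general implicant.
    primes = [c for c in implicants if not any(subsumes(o, c) for o in implicants)]
    return {frozenset((name if val else "!" + name)
                      for name, val in zip(faults, cube) if val is not None)
            for cube in primes}

if __name__ == "__main__":
    print("non-monotonic cut sets:", fault_tree_implicants(top_level_event, FAULTS))
    print("positive-only cut sets:",
          fault_tree_implicants(top_level_event, FAULTS, allow_negation=False))
```

The positive-only analysis returns nothing for this model because the monitor's false-alarm fault always forces safe mode, so every cut set needs the negative literal `!MON_false_alarm`; that is the situation in which monotonic fault tree analysis is insufficient.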

Keywords

Failure Mode, Model Check, Fault Tree, Hybrid Automaton, Computation Tree Logic


Copyright information

© Springer-Verlag 2006

Authors and Affiliations

  1. ITC-IRST, Trento, Italy