Flexible, any-time fault tree analysis with component logic models
Marc Förster, Daniel Schneider
Fraunhofer-Institut für Experimentelles Software-Engineering (IESE)
Fraunhoferplatz 1
67663 Kaiserslautern, Germany
{marc.foerster | daniel.schneider}@iese.fraunhofer.de
Abstract—This article presents a novel approach to facilitating fault
tree analysis during the development of software-controlled
systems. Based on a component-oriented system model, it combines
second-order probabilistic analysis and automatically generated
default failure models with a level-of-detail concept to ensure early
and continuous analysability of system failure behaviour with
optimal effort, even in the presence of incomplete information and
dissimilar levels of detail in different parts of an evolving system
model. The viability and validity of the method are demonstrated
by means of an experiment.
Embedded systems, fault tree analysis, model-based development,
safety, software
ACRONYMS & ABBREVIATIONS
CFT Component fault tree
CLM Component logic model
FM(EA) Failure mode(s and effects analysis)
FT(A) Fault tree (analysis)
IS Interface specification
LOD Level of detail
PMF Probability mass function
RC Realisation composition
RI Realisation interface
SM Service mode
TF Transfer function
TS Transfer specification
I. INTRODUCTION
In the development of software-intensive and safety-critical
embedded systems, fault tree analysis (FTA) plays an important
role, which is emphasised by safety norms requiring the
application of safety models and analyses for both hardware and
software [14] [18]. FTA, however, is (in)famous for being
labour intensive and inflexible and is therefore often used only
in late phases where it is of little use for optimising a system’s
design in a dependability-oriented manner.
Since every design decision on one level critically determines
the range of choices available on all subordinated hierarchy
levels, most of them have to be made in the face of uncertainty.
In early phases, the component structure of a software system—
its architecture—will not be definite; functions and the
reliability required of them will be clear only on a coarse level
of detail. Furthermore, a typical development process will
mostly include a variety of approaches as well as changing
models and artefacts on different levels of granularity and
maturity. Parts of a system may be built bottom up from
preexisting components, while others require more or less
thorough adaptation and still others are completely new, top-down
developments. Some failure models may be derived with
tool support from functional models, while others are the result
of purely human effort, their quality and detailedness highly
dependent on the experience of the engineers involved. Fault
tree models may state a generic value error as top or basic event;
others may include a specification as detailed as “Signal value
exceeds expected value by more than 10%”.
How, then, can we integrate such diverse and often uncertain
and evolving information in one coherent dependability model?
This article introduces a lightweight, FTA-like and component-oriented
approach to performing this task, extending concepts
that were presented in [10]. We combine them with a flexible
dependability modelling framework featuring multimodal
modelling on different levels of detail, the facilitation of
quantitative analyses under uncertainty, and any-time
analysability as soon as component and service failure modes
have been determined. Instead of building a fault tree from
scratch, we propose proceeding in the opposite direction:
starting with an automatically generated, complete, worst-case
characterisation of a system’s failure behaviour and pruning it
until analysis shows it to be satisfying.
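As an added illustration (not the paper's own code or its CLM formalism), the following Python sketch assumes a toy component with named input, internal and output failure modes, a worst-case default in which every output failure mode is an OR over all input failure modes and internal basic events, a pruning step that removes propagation edges, and a second-order analysis in which each basic-event probability is itself a PMF; all names and numbers are constructed.

```python
from itertools import product
from collections import defaultdict

# Constructed toy component (assumption, not from the paper).
INPUTS = ["in.value_wrong", "in.omission"]
INTERNALS = ["sw.calc_bug", "hw.sensor_fault"]
OUTPUTS = ["out.value_wrong", "out.omission"]

# Second-order input: each basic event's probability is uncertain and given
# as a PMF {probability_value: weight}; weights per event sum to 1.
PMFS = {
    "in.value_wrong": {0.01: 1.0},
    "in.omission": {0.001: 1.0},
    "sw.calc_bug": {0.001: 0.5, 0.01: 0.5},   # uncertain estimate
    "hw.sensor_fault": {0.002: 1.0},
}

def default_failure_model(inputs, internals, outputs):
    """Worst-case default: every output failure mode is an OR over all
    input failure modes and all internal basic events."""
    return {out: frozenset(inputs) | frozenset(internals) for out in outputs}

def prune(model, output, causes):
    """Drop propagation edges that analysis has shown to be impossible."""
    pruned = dict(model)
    pruned[output] = model[output] - frozenset(causes)
    return pruned

def or_probability(ps):
    """P(at least one of independent events) = 1 - prod(1 - p_i)."""
    p_none = 1.0
    for p in ps:
        p_none *= 1.0 - p
    return 1.0 - p_none

def second_order_pmf(model, output, pmfs, ndigits=6):
    """PMF of the output failure probability, obtained by enumerating every
    combination of first-order values and weighting each by its likelihood."""
    causes = sorted(model[output])
    result = defaultdict(float)
    for combo in product(*(pmfs[c].items() for c in causes)):
        p = or_probability(v for v, _ in combo)
        w = 1.0
        for _, weight in combo:
            w *= weight
        result[round(p, ndigits)] += w
    return dict(result)

def expected_value(pmf):
    return sum(p * w for p, w in pmf.items())

DEFAULT = default_failure_model(INPUTS, INTERNALS, OUTPUTS)
```

Pruning the edges from `in.omission` and `hw.sensor_fault` to `out.value_wrong` narrows the second-order PMF of that output failure mode, which is the "prune until analysis is satisfying" loop in miniature.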
Section II defines basic aspects of the model that forms the
basis for the proposed analyses. Section III explains principles
of modelling and analysis. Section IV validates the approach by
means of an experiment. Section V reviews related work, while
Section VI concludes and gives an outlook on future work.
II. THE COMPONENT LOGIC MODEL
Component fault trees (CFT) [16] have been around for some
time. Since they are still an evolving concept with emerging
variants [6] [7], it is in order to take a snapshot and describe in
more detail the concepts and some extensions of CFT which
constitute the component logic model (CLM).
A. Basic CFT & CLM concepts
The rationale behind the introduction of CFT was the difficulty
of managing fault trees in practice and the desire to associate fault
tree models with components and artefacts of modern
component-based software engineering (CBSE). Traditional
fault tree models of complex systems tend to assume wallpaper
dimensions and are not compositional. They lack support for
separation of concerns, division of labour, and reuse, and are
thus hard, if not impossible, to integrate with models and
2010 21st International Symposium on Software Reliability Engineering
1071-9458/10 $26.00 © 2010 IEEE
DOI 10.1109/ISSRE.2010.47
51