March 8, 2007 1

Dynamic Fault Treeanalysis using

Input/Output Interactive Markov Chains

Hichem Boudali, Pepijn Crouzen, and Mariëlle Stoelinga.

Formal Methods and Tools groupCS, University of Twente, NL.

March 8, 2007 2

Motivation (and setting)

Systems do fail

Example methodology:

Dynamic Fault Trees (DFT)

-- Reliability Engineering --Goal: Reduce system failure probability.

Methodology: Identify/analyze failure modes and their effects.

But:

DFTs have drawbacks

March 8, 2007 3

Outline

Dynamic fault trees (DFT). Definition, Example, Solution, Drawbacks.

Input/Output interactive Markov chains (I/O-IMC). DFT semantics in terms of I/O-IMCs. DFT compositional analysis.

Translation, || Composition, Abstraction, Aggregation.

Case studies. Summary.

March 8, 2007 4

Outline

Dynamic fault trees (DFT). Definition, Example, Solution, Drawbacks.

Input/Output interactive Markov chains (I/O-IMC). DFT semantics in terms of I/O-IMCs. DFT compositional analysis.

Translation, || Composition, Abstraction, Aggregation.

Case studies. Summary.

March 8, 2007 5

Dynamic Fault Trees (DFT)

Extend standard fault trees with dynamic gates. Enable modelling complex behaviours and

interactions between components. combination & order of failures matter.

Unreliability = Prob[System fails within T time units]

March 8, 2007 6

(dynamic) Fault trees

Upside-down tree (graph) Leaves: Basic events (BE) Nodes: Gates (complex events) BEs + Gates: Elements Arrows: Causal relations One top-node: the “root” node The top-node models system

failure Failure propagation: From

leaves to root

March 8, 2007 7

DFTs: Static gates (combination)

March 8, 2007 8

DFTs: Dynamic gates (order)

March 8, 2007 9

DFTs: Basic events (BE)

Temperature

of a BE:

Relevant when

used as a spare

BE maps to a

Basic Physical

component

March 8, 2007 10

C

A B

0.2

0.20.4

0.4

Failure rate:0.2 f/h

Failure rate:0.4 f/h

AND-gate Starting state:A is operationalB is operational

A has failedB is operational

Pr(A fails in T hours) = 1 – e-0.2•T

A’s Mean time to failure = 1/0.2 = 5 hours

A is operationalB has failed

A has failedB has failed

Convert the DFT into a Continuous-time Markov chain. Analyze CTMC using standard solution techniques. For (partially) static DFT, binary decision diagrams can be used!

DFT solution

Unreliability = Prob[Being in state ]

March 8, 2007 11

Result: System failure probability

Markov chaingeneration algorithm

Differential equations solution

Road tripfails

Mobilephone

Car fails

EngineTires fail

WSP WSPWSPWSP

Tire 1 Tire 2 Tire 3 Tire 4Spare

tire

Mobile phone fails

Engine fails

Tire 1 fails

Tire 4 fails

Tire 2 fails

Tire 3 fails

DFT exampleRoad trip fails if

mobile phone fails

BEFORE the car fails

Spare tire is cold:

It cannot fail when

not in use

State-Space

Explosion!One of the drawbacks

Although distinct modules,

CTMC generation in One shot

March 8, 2007 12

DFT drawbacks

State-space explosion. No formal syntax and semantics. Lack of modularity:

Dynamic modules (e.g. ‘Tires’ subsystem in the example) can not be reused.

Restrictions on certain inputs to gates (e.g. spare gate).

DFT-to-MC* conversion algorithm is hard to extend and/or modify.

Compositional Aggregation

DAG

Compositionality

Lift restrictions

Extension: At the element level

I/O-IMC

*: DIFTree algorithm

March 8, 2007 13

Outline

Dynamic fault trees (DFT). Definition, Example, Solution, Drawbacks.

Input/Output interactive Markov chains (I/O-IMC). DFT semantics in terms of I/O-IMCs. DFT compositional analysis.

Translation, || Composition, Abstraction, Aggregation.

Case studies. Summary.

March 8, 2007 14

Input/Output Interactive Markov Chains (I/O-IMC)

Combination of I/O automata and CTMC

Discrete state space Markovian transitions Interactive transitions Action signature

? - Input actions ! - Output actions ; - Internal actions

Input-enabled

λ

failed!

Immediate

March 8, 2007 15

Outline

Dynamic fault trees (DFT). Definition, Example, Solution, Drawbacks.

Input/Output interactive Markov chains (I/O-IMC). DFT semantics in terms of I/O-IMCs. DFT compositional analysis.

Translation, || Composition, Abstraction, Aggregation.

Case studies. Summary.

March 8, 2007 16

f(C)!f(A)?

f(B)?

f(B)?

f(A)?

f(C)!f(A)?

f(B)?

f(B)?

f(A)?

f(B)?

f(B)? f(B)?

f(A)? f(A)?

DFT semantics (DFT element to I/O-IMC)

f(A)?

f(A)?

f(A)? f(A)?

f(B)? f(B)?

f(B)?

March 8, 2007 17

DFT semantics (DFT element to I/O-IMC)

March 8, 2007 18

Outline

Dynamic fault trees (DFT). Definition, Example, Solution, Drawbacks.

Input/Output interactive Markov chains (I/O-IMC). DFT semantics in terms of I/O-IMCs. DFT compositional analysis.

Translation, || Composition, Abstraction, Aggregation.

Case studies. Summary.

March 8, 2007 19

Compositional AnalysisTranslation

C

A B

0.2 f(A)! 0.4 f(B)!

f(A)?

f(A)?f(B)?

f(B)?

f(C)!

March 8, 2007 20

Compositional AnalysisParallel Composition

f(A)?

f(A)?f(B)?

f(B)?

f(C)!

0.2 f(A)!

March 8, 2007 21

Compositional AnalysisParallel Composition

1 2 3

1

2

3

4 5

1||1

0.2 f(A)!

f(A)?

f(A)?f(B)?

f(B)?

f(C)!

0.2

f(B)?

f(B)?

f(A)!

f(C)!1||2

2||3

3||1

f(B)?

0.2

f(A)!

3||2

4||3 5||3Inputs: f(A)? and f(B)?Outputs: f(C)!

Inputs: noneOutputs: f(A)!

C

A

C||A

Synchronize on f(A)

March 8, 2007 22

f(A);

f(A);f(A)!

f(A)!

Compositional AnalysisAbstraction (hiding)

1||10.2

f(B)?

f(B)?

f(B)?

0.2

f(C)!1||2

2||3

3||1

3||2

4||3 5||3

C

A B

Abstraction (hiding):

Makes signal internal

March 8, 2007 23

f(A);

f(A);

Compositional AnalysisAggregation (weak bisimulation)

1||10.2

f(B)?

f(B)?

f(B)?

0.2

f(C)!1||2

2||3

3||1

3||2

4||3 5||3

Weak bisimulation:

Disregard internal steps

Aggregation:

Finding a smaller model

equivalent (behaviorally)

to the original

March 8, 2007 24

Compositional-Aggregation Overview

Translation Composition +

Hiding

Aggregation

(minimization)

Repeat

Aggregated system CTMC

Result: System failure probability

March 8, 2007 25

Outline

Dynamic fault trees (DFT). Definition, Example, Solution, Drawbacks.

Input/Output interactive Markov chains (I/O-IMC). DFT semantics in terms of I/O-IMCs. DFT compositional analysis.

Translation, || Composition, Abstraction, Aggregation.

Case studies. Summary.

March 8, 2007 26

Case studies

Case studyAnalysis

methodMax number of

statesMax number of

transitionsUnreliability

(T=1)

(a)

(a)

DIFTree

Comp-Agg

4113

132

24608

426

0.00135668

0.00135668

(b)

(b)

DIFTree

Comp-Agg

8

36

10

119

0.657900

0.657900

(c)

(c)

DIFTree

Comp-Agg

253

157

1383

756

2.00025 10-9

2.00025 10-9

Motors

System

PumpsCPUs

A

DC

(a) The cascaded PAND system

(b) The cardiac assist system

B CM1 CM2

S Bus

P2Mem1 Mem2Disk1 Disk2

(c) A multi-processor distributed computing system

System

P1

System

March 8, 2007 27

Outline

Dynamic fault trees (DFT). Definition, Example, Solution, Drawbacks.

Input/Output interactive Markov chains (I/O-IMC). DFT semantics in terms of I/O-IMCs. DFT compositional analysis.

Translation, || Composition, Abstraction, Aggregation.

Case studies. Summary.

March 8, 2007 28

Summary

Alleviate state-space explosion problem. Formal syntax & semantics. Enhanced DFT modularity:

Dynamic module reuse. Lifting restrictions on allowed inputs.

Readily extensible framework (extensions at the element level); e.g. repair.

Works well for highly-modular dynamic FTs.

Compositional semantics for DFTs

Gain at the modeling & analysis levels

March 8, 2007 29

References

H. Boudali, P. Crouzen, M. Stoelinga. “Dynamic Fault Tree analysis using Input/Output Interactive Markov Chains”, to appear, DSN 2007 proceedings.

H. Boudali, P. Crouzen, M. Stoelinga. “A compositional semantics for Dynamic Fault Trees in terms of Interactive Markov Chains”, Technical report, to appear.

More info: hboudali@cs.utwente.nl

The END!

March 8, 2007 30

Extra slides

March 8, 2007 31

Future work

Weaker bisimulation relation (i.e. more aggressive state reduction)

Extension to non-exponential distributions (e.g. use of phase-type distributions)

Further extensions to DFT modeling capabilities (i.e. definition of new gates and corresponding I/O-IMC)

Fully automated tool (at this point, the tool is only partially automated)

March 8, 2007 32

Parallel Composition and Hiding

March 8, 2007 33

Aggregation (Weak Bisimulation)

March 8, 2007 34

Preservation Theorem (WB is a congruence)

March 8, 2007 35

CTMC

Compositional-Aggregation Overview

Step 1: Translation

Step 2a: Parallel Composition

Step 2b: Abstraction

Step 3: Aggregation

Step 4: Repetition

Step 2a: (C||A) || B

Step 2b: Hide f(B)

Step 3: Aggregate (C||A)||B

Step 5: CTMC Analysis

C

A B

C

A B

f(A) f(B)

f(C)

DFT

IOIMC

C||A

f(C)

f(B)

f(A)

f(B)

f(C)

C||A||B

0.2

0.2

0.4

0.4

f(C)!

f(C)

IOIMC model can be reused!

Steps 2–4: Compositional Aggregation