PROTEUS JOURNAL ISSN/eISSN: 0889-6348

Software Fault Tree Analysis for Safety Critical and Reliable Software

Mr. S. P. Santhoshkumar (1), Mr. M. Praveen Kumar (2), Mr. T. Udhayakumar (3), Mr. S. Syed Shajahaan (4)
(1) Assistant Professor, Dept. of CSE, Rathinam Technical Campus, Coimbatore, Tamilnadu, India.
(2, 3, 4) Assistant Professor, Dept. of IT, Rathinam Technical Campus, Coimbatore, Tamilnadu, India.

Abstract — U R Rao Satellite Centre is the lead centre of ISRO for building communication, remote sensing, navigation and interplanetary missions. Software plays a major role in satellite functionalities, and the complexity of the software is increasing from spacecraft to spacecraft. Requirements have to be classified into safety critical and non-safety critical, and the critical software has to be analysed in a different way. To achieve high reliability, software safety standards and guidelines have to be followed strictly. The quality and reliability of the software can be achieved by applying techniques like PHA, SFTA and SFMEA. These techniques help to bring out any fault or failure mode at an early stage of the development cycle, so much of the project cost can be saved. This paper explains the application of SFTA to the power safety logic used in onboard software.

Keywords — SDLC (Software Development Life Cycle), SFMEA (Software Failure Modes Effects and Analysis), PHA (Preliminary Hazard Analysis), SDS (Software Design Specification), FMEA (Failure Modes and Effects Analysis), SRS (Software Requirements Specification), FTA (Fault Tree Analysis), SFTA (Software Fault Tree Analysis), HRA (Human Reliability Analysis), FT (Fault Tree), SDD (Software Design Description), DFT (Dynamic Fault Tree), ISSS (ISRO Software Safety Standard)

I INTRODUCTION

High levels of safety, reliability and fault tolerance are considered for the design of spacecraft. In addition to the existing standards, the ISSS document is considered for safety critical software development. Reliable, safe and secure software plays a major role in the software used on-board, for checkout and for mission operations. Developing such safety critical software is very challenging and has to be done through more rigorous processes. This can be achieved by strategies like Preliminary Hazard Analysis (PHA), Failure Modes and Effects Analysis (FMEA), Fault Tree Analysis (FTA), Petri Net Modelling, Event Tree Analysis (ETA) and other analysis methods which bring out failure modes at an early stage of the development cycle, such as the software requirement specification or the software design specification. This stage is more important because it does not allow faults to propagate to the next phase of the SDLC, which is expensive and time consuming. Hence SFTA helps in achieving better fault tolerant systems. Soft emergency check and voltage control logics are used for the shedding path of the thresholds. The load shedding check is done on the basis of comparing the battery voltage with thresholds A, B, C, D, E and F, and SFTA is applied to all the thresholds. For every comparison there are possible outcomes, and based on the outcomes a set of actions is executed. Here SFTA is achieved by considering all faulty conditions that might lead to total system failure. The spacecraft is considered to be hot redundant, so the comparison for both sys1 and sys2 is considered.

II SCOPE AND NECESSITY

Software FTA starts with the described top event. This event is defined through a hazard analysis and is safety critical. The analysis assumes that the system has failed due to the critical event and works backwards to find the cause of the failure by tracing the different paths to it. These paths are connected by gates. Events are expanded as long as information is available, that is, down to the variables and constants used in the program. The tree can be expanded completely until it is fully analysed; partial SFTA can be applied to critical modules in the system that need further analysis. A system-level SFTA can be based on the top-level software design and performed early in the software design process, while a detailed-level software FTA can be based on the software module design (such as pseudo code) and applied late in the design process. Software FTA at the detailed level can be labour-intensive. SFTA helps to detect logic errors and failure conditions involved in the different safety requirements. Manual methods are used to carry out SFTA; graphics editors assist in drawing the fault trees with gates and connectors, and SFMEA aids in building the tree. The nodes in the tree will be mapped to

VOLUME 11 ISSUE 11 2020 http://www.proteusresearch.org/ Page No: 135

respective source code. Later, traceability is established with the requirements and design that resulted in the failure condition.

III PROCEDURE TO PERFORM SFTA

The Software FTA process typically includes the following steps:

• System analysis has to be carried out, the top event has to be identified and the objectives have to be defined
• Fault tree preparation
• Identify the cut sets (probability of occurrence of the event)
• Fault tree analysis
  - Quantitative interpretation
  - Qualitative analysis of the fault tree
• Assess the impacts of the failure modes, i.e. mitigate the risk
• Recording the results and report generation

Figure 1 shows the fault tree preparation. SFMEA for the system acts as the first step of FTA to identify the failure modes.

[Figure 1: Fault tree preparation. Inputs: Functional Requirements Specification, Software Requirements and SFMEA; output: POWER SAFETY LOGIC SOFTWARE FAULT TREE, with the middle events Threshold check1 (TC1), Voltage check (VC2), Curr Check (CC3) and Threshold check (TC2), the threshold events ThrA to ThrF, and the basic events EV1 to EV17.]

The FTA is a top down approach, dropping to the base level. Each path in the tree has a probability allocated, and the path with the higher probability has to be mitigated. Cut sets have to be identified; a cut set is the path from the lower level event up to the top-level event. The fault tree is constructed for the power safety logic using the following steps:

• Clearly defining the top event failure condition
• The initial condition for the module / the operational scenarios of the top event
• Upper limit / lower limit / resolution for the events in the tree
• Stating all the immediate, necessary and occurring situations (sub events) causing the top event
• Connecting the sub events and the top event using an AND or OR gate
• Carrying on in this way till the basic event in the tree is reached
• All the independent paths for each event have to be realized

IV FTA FOR POWER SAFETY LOGIC

FTA starts from a top-level undesired event, which is broken down from the top level to the base level events that can cause the failure. Each logical path in the tree is assigned a probability number, and the path with the highest probability number needs mitigation. Working from the base level event up to the top event, the path covered is the cut set. There can be n cut sets in a tree, each assigned a probability. The base events can be differentiated by the colour assigned for probability. For each cut set the following activities will be ensured:

• The basic event occurrence shall ensure the occurrence of the top event
• A cut set is said to be a minimal cut set when it cannot be reduced without losing its prominence as a cut set
• The risk to be mitigated: if all minimal cut sets occur at the same time, what is the effect on the top event
• If there is no data then the assessment has to be made as per guidelines
• The cut set with high risk relative to what the system can accept has higher precedence for modification
• If data is available, it can be used for calculating the accompanying risk

Figure 2 shows the Fault Tree Analysis carried out for the power safety logic, considering the top event and the middle events threshold check TH1, voltage check VC2, current check CC3 and threshold check TC2. The cut sets are shown in the fault tree.
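As an added illustration of the cut set procedure of Section IV (this is example code, not from the paper): a small Python evaluator that expands a fault tree into minimal cut sets, ranks them for mitigation and computes the top event probability. The tree is constructed to follow Figure 2 only as far as the page shows it (the top event as an OR of TC1, VC2, CC3 and TC2, each threshold check as an OR of its ThrX events), and the leaf probabilities are the Table 2 middle-event values, assumed here to be OR-gate leaves; under the rare-event approximation this reproduces TC1 = 12E-8 and TC2 = 17E-8.

```python
from itertools import product

# Constructed example tree: gate name -> (gate type, children); leaves are basic
# events with a probability. The shape follows Figure 2 as far as the page shows
# it; leaf values are the Table 2 middle-event probabilities, assumed here to be
# the leaves of OR gates (an assumption, not stated by the paper).
TREE = {
    "TE":  ("OR", ["TC1", "VC2", "CC3", "TC2"]),
    "TC1": ("OR", ["ThrA", "ThrB", "ThrC"]),
    "TC2": ("OR", ["ThrD", "ThrE", "ThrF"]),
}
BASIC = {"ThrA": 4e-8, "ThrB": 4e-8, "ThrC": 4e-8, "VC2": 9e-8, "CC3": 11e-8,
         "ThrD": 4e-8, "ThrE": 4e-8, "ThrF": 9e-8}

def minimal_cut_sets(event):
    """Top-down expansion: OR splits paths, AND joins them, supersets dropped."""
    if event in BASIC:
        return [frozenset([event])]
    gate, children = TREE[event]
    child_sets = [minimal_cut_sets(c) for c in children]
    if gate == "OR":
        sets = {cs for group in child_sets for cs in group}
    else:  # AND: one cut set from every child, unioned, for every combination
        sets = {frozenset().union(*combo) for combo in product(*child_sets)}
    # a cut set that contains another cut set is not minimal
    return [s for s in sets if not any(o < s for o in sets)]

def cut_set_probability(cut_set):
    """Every basic event in the cut set must occur together, so multiply."""
    p = 1.0
    for e in cut_set:
        p *= BASIC[e]
    return p

def ranked_cut_sets(event):
    """(probability, events) pairs, highest first: the order for mitigation."""
    return sorted(((cut_set_probability(cs), tuple(sorted(cs)))
                   for cs in minimal_cut_sets(event)), reverse=True)

def top_event_probability(event, exact=False):
    """Rare-event approximation (sum over cut sets) or exact 1 - prod(1 - p_i)."""
    probs = [p for p, _ in ranked_cut_sets(event)]
    if not exact:
        return sum(probs)
    survive = 1.0
    for p in probs:
        survive *= 1.0 - p
    return 1.0 - survive
```

With these assumptions the four middle events sum to 49E-8 for the top event; the paper's own figures (4.2 E-7 in the text, 4.7E-7 in Table 1) depend on gate details below the middle events that the page does not give.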


[Figure 2: Fault tree for power safety logic. Top event POWER SAFETY LOGIC; middle events Threshold check1 (TC1), Voltage check (VC2), Curr Check (CC3) and Threshold check (TC2); below them the threshold events ThrA to ThrF and the basic events EV1 to EV17.]

Preliminary Hazard Analysis was carried out before applying FTA to the power safety logic. It is very important to apply PHA because the safety requirements are categorised as catastrophic, major and minor based on the severity level. Table 1 shows the probability of the basic events, middle events and top event. The probability calculation is shown in Table 2, with a top event probability of 4.2 E-7. The other minimal cut sets considered are TC1E7E9 and CC3E8E12.

Table 1: The probability of basic events

Event type         Code   Probability
Top event          TE     4.7E-7
Cut set            E11    2E-8
                   E12    2E-4
                   E15    2E-4
                   E16    3E-8
                   E13    2E-4
Minimal cut set    TC1    12E-8
                   VC2    9E-8
                   CC3    11E-8
                   TC2    17E-8

Table 2: The probability calculation

Middle event       Event code   Probability
Threshold check1   ThrA         4E-8
                   ThrB         4E-8
                   ThrC         4E-8
                   TC1          12E-8
Voltage check      VC2          9E-8
Current check      CC3          11E-8
Threshold check    ThrD         4E-8
                   ThrE         4E-8
                   ThrF         9E-8
                   TC2          17E-8

Some limitations of software fault trees are:

• Only one top event is considered during the analysis
• It is difficult to capture time related, delay and memory related problems
• Experience is required to understand the logical gates and develop the tree
• Too many gates have to be analysed if it is a large system
• It is not appropriate for dynamic situations

V CONCLUSION

The FTA can be applied to other safety logics in onboard software. The failure modes and the qualitative and quantitative analysis help to analyse the system at an early stage. It can also be applied to mission and ground software, where operational errors can be brought out. However, applying it to all the modules in the system is time consuming; it is more useful when reused and modified modules are used. The analysis carried out helps in applying it to new and modified requirements.

ACKNOWLEDGMENT

The authors deeply acknowledge the support and encouragement extended by colleagues of the onboard software quality assurance division, the power system designers, and the reliability and software quality assurance group staff for their valuable support throughout this activity.
