Software Fault Tree Analysis for Safety Critical and Reliable Software

PROTEUS JOURNAL ISSN/eISSN: 0889-6348
VOLUME 11 ISSUE 11 2020 http://www.proteusresearch.org/ Page No: 135

#1 Mr. S. P. Santhoshkumar, #2 Mr. M. Praveen Kumar, #3 Mr. T. Udhayakumar, #4 Mr. S. Syed Shajahaan
#1 Assistant Professor, Dept. of CSE, Rathinam Technical Campus, Coimbatore, Tamilnadu, India.
#2,3,4 Assistant Professor, Dept. of IT, Rathinam Technical Campus, Coimbatore, Tamilnadu, India.

Abstract — U R Rao Satellite Centre is the lead centre of ISRO for building communication, remote sensing, navigation and interplanetary missions. Software plays a major role in satellite functionality, and the complexity of the software is increasing from spacecraft to spacecraft. Requirements have to be classified into safety critical and non-safety critical, and the critical software has to be analysed in a different way. To achieve high reliability, software safety standards and guidelines have to be followed strictly. The quality and reliability of the software can be achieved by applying techniques like PHA, SFTA and SFMEA. These techniques bring out any fault or failure mode at an early stage of the development cycle, so much of the project cost can be saved. This paper explains the application of SFTA to the power safety logic used in onboard software.

Keywords — SDLC (Software Development Life Cycle), SFMEA (Software Failure Modes Effects and Analysis), PHA (Preliminary Hazard Analysis), SDS (Software Design Specification), FMEA (Failure Modes and Effects Analysis), SRS (Software Requirements Specification), FTA (Fault Tree Analysis), SFTA (Software Fault Tree Analysis), HRA (Human Reliability Analysis), FT (Fault Tree), SDD (Software Design Description), DFT (Dynamic Fault Tree), ISSS (ISRO Software Safety Standard)

I INTRODUCTION

A high level of safety, reliability and fault-tolerant critical features is considered in the design of a spacecraft. In addition to the existing standards, the ISSS document is considered for safety critical software development. Reliable, safe and secure software plays a major role in the software used on-board, for checkout and for mission operations. Developing such safety critical software is very challenging and has to be done through more rigorous processes. This can be achieved by strategies like Preliminary Hazard Analysis (PHA), Failure Modes and Effects Analysis (FMEA), Fault Tree Analysis (FTA), Petri Net Modelling, Event Tree Analysis (ETA) and other analysis methods which bring out failure modes at an early stage of the development cycle, such as the software requirement specification or the software design specification. This stage is the most important, because it does not allow faults to propagate to the next phase of the SDLC, where fixing them is expensive and time consuming. Hence SFTA helps in achieving better fault-tolerant systems.

Soft emergency check and voltage control logics are used for the load shedding path of the thresholds. The load shedding check is done on the basis of a comparison of the battery voltage with thresholds A, B, C, D, E and F, and SFTA is applied to all the thresholds. For every comparison there are possible outcomes, and based on the outcomes a set of actions is executed. Here SFTA is achieved by considering all faulty conditions that might lead to total system failure. The spacecraft is considered to be hot redundant, so the comparisons for both sys1 and sys2 are considered.

II SCOPE AND NECESSITY

Software FTA starts with the described top event. This event is defined through a hazard analysis and is safety critical. The analysis assumes that the system has failed due to the critical event and works backwards to find the cause of the failure by tracing the different paths to it. These paths are connected by gates. Events are expanded as far as information is available, that is, down to the variables and constants used in the program. The tree can be completely expanded until it is fully analysed; a partial SFTA can be applied to the critical modules in the system that need further analysis.

A system-level SFTA can be based on the top-level software design and performed early in the software design process, whereas a detailed-level software FTA can be based on the software module design, such as pseudo code, and applied late in the design process. Software FTA at the detailed level can be labour-intensive. SFTA helps to detect logic errors and failure conditions involved in the different safety requirements. Manual methods are used to carry out SFTA; graphics editors exist which assist in drawing the fault trees with gates and connectors. SFMEA aids in building the tree. The nodes in the tree are mapped to the respective source code, and later traceability is established to the requirements and design which resulted in the failure condition.

III PROCEDURE TO PERFORM SFTA

The Software FTA process typically includes the following steps:
• System analysis is carried out, the top event is identified and the objectives are defined
• Fault tree preparation
• Identify the cut sets (probability of occurrence of the event)
• Fault tree analysis: quantitative interpretation and qualitative analysis of the fault tree
• Assess the impacts of the failure modes, i.e. mitigate the risk
• Recording the results and report generation

Figure 1 shows the fault tree preparation. SFMEA for the system acts as the first step of FTA, to identify the failure modes.

[Figure 1: Fault tree preparation. Inputs: Functional Requirements Specification, Software Requirements, SFMEA. Tree: Power Safety Logic Software Fault Tree with intermediate events Threshold check 1 (TC1), Voltage check (VC2), Curr Check (CC3) and Threshold check (TC2); thresholds Thr A to Thr F; basic events EV1 to EV17.]

The FTA is a top-down approach, descending to the base level. Each path in the tree has a probability allocated, and the path with the higher probability has to be mitigated. Cut sets have to be identified: a cut set is the path from a lower-level event to the top-level event. The fault tree is constructed for the power safety logic using the following steps:
• Clearly defining the top event failure condition
• The initial condition for the module and the operational scenarios of the top event
• Upper limit, lower limit and resolution for the events in the tree
• Stating all the immediate, necessary and occurring situations (sub events) causing the top event
• Connecting the sub events and the top event using AND or OR gates
• Carrying on in this way until the basic events in the tree are reached
• All the independent paths for each event have to be realized

IV FTA FOR POWER SAFETY LOGIC

FTA starts from a top-level undesired event, which is broken down from the top level to the base-level events that can cause the failure. Each logical path in the tree is assigned a probability number, and the path with the highest probability number needs mitigation. Working from a base-level event up to the top event, the path covered is the cut set. There can be n cut sets in a tree, with each cut set assigned a probability. The base events can be differentiated by the colour assigned for probability.

For each cut set the following activities are ensured:
• The occurrence of the basic events shall ensure the occurrence of the top event
• A cut set is said to be a minimal cut set when it cannot be reduced without losing its property of being a cut set
• The risk to be mitigated: if all minimal cut sets occur at the same time, what is the effect on the top event
• If there is no data, then the assessment has to be made as per guidelines
• The cut set whose risk is higher than what the system can accept has higher precedence for modification
• If data is available, it can be used for calculating the accompanying risk

Figure 2 shows the Fault Tree Analysis carried out for the power safety logic, considering the top event and the middle events threshold check TH1, voltage check VC2, current check CC3 and threshold check TC2. The cut sets are shown in the fault tree.

[Figure 2: Fault tree for power safety logic. Top event: Power Safety Logic; intermediate events Threshold check 1 (TC1), Curr Check (CC3), Voltage check (VC2) and Threshold check (TC2); thresholds ThrA, ThrB, ThrC, ThrD, ThrE, ThrF; basic events EV1 to EV17.]

Preliminary Hazard Analysis was carried out before applying FTA to the power safety logic. It is very important to apply PHA because the safety requirements are categorised as catastrophic, major and minor based on the severity level.

Some limitations of software fault trees are:
• Only one top event is considered during analysis
• It is difficult to capture time-related, delay-related and memory-related problems
• Experience is required to understand the logical gates and develop the tree
• Too many gates have to be analysed if it is a large system
• It is not appropriate for dynamic situations

V CONCLUSION

The FTA can be applied to other safety logics in onboard software. The failure modes and the qualitative and quantitative analysis help to analyse the system at an early stage. It can also be applied to mission and ground software where operational
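As an added, constructed example (not code from the paper), the following Python script builds a simplified stand-in for the power safety logic fault tree of Section IV, enumerates its minimal cut sets, ranks them by probability so that the path needing mitigation comes first, and computes the top-event probability exactly by inclusion-exclusion; the gate types, the grouping of events under each check and the event probabilities are assumptions, not values read from Figure 2.

```python
# Added example (not from the paper): minimal cut sets and top-event probability
# for a fault tree. A gate is ("AND"|"OR", [children]); a basic event is a string.
from itertools import combinations, product
from math import prod

# Constructed, simplified stand-in for the paper's power safety logic tree.
# Gate types and event-to-check grouping are assumptions, not read from Figure 2.
POWER_SAFETY_TREE = ("OR", [
    ("OR", [("AND", ["EV1", "EV2"]), ("AND", ["EV3", "EV4"])]),  # TC1 via Thr A, Thr B
    ("AND", ["EV7", "EV8"]),                                     # VC2
    ("OR", ["EV9", "EV10"]),                                     # CC3
    ("AND", ["EV11", "EV12"]),                                   # TC2 via Thr D
])
# Constructed basic-event probabilities (illustrative values only).
BASIC_EVENT_PROB = {"EV1": 0.1, "EV2": 0.1, "EV3": 0.1, "EV4": 0.1, "EV7": 0.05,
                    "EV8": 0.05, "EV9": 0.02, "EV10": 0.005, "EV11": 0.2, "EV12": 0.2}

def cut_sets(node):
    """All cut sets of a node, as a set of frozensets of basic-event names."""
    if isinstance(node, str):
        return {frozenset([node])}
    gate, children = node
    child_sets = [cut_sets(child) for child in children]
    if gate == "OR":    # any one child failing fails the gate
        return set().union(*child_sets)
    # AND: one cut set from every child must occur together
    return {frozenset().union(*combo) for combo in product(*child_sets)}

def minimal_cut_sets(node):
    """Keep only cut sets that cannot be reduced (no other cut set is a strict subset)."""
    sets = cut_sets(node)
    return {s for s in sets if not any(other < s for other in sets)}

def cut_set_probability(cut_set, p):
    """Probability that every basic event in the cut set occurs (independent events)."""
    return prod(p[event] for event in cut_set)

def rank_cut_sets(node, p):
    """Minimal cut sets, highest probability first: the first is the path to mitigate."""
    ranked = [(cut_set_probability(s, p), sorted(s)) for s in minimal_cut_sets(node)]
    return sorted(ranked, key=lambda item: (-item[0], item[1]))

def top_event_probability(node, p):
    """Exact P(top event) by inclusion-exclusion over the minimal cut sets."""
    mcs = list(minimal_cut_sets(node))
    total = 0.0
    for k in range(1, len(mcs) + 1):
        for combo in combinations(mcs, k):
            total += (-1) ** (k + 1) * cut_set_probability(frozenset().union(*combo), p)
    return total
```

The sum of the ranked cut-set probabilities is the rare-event approximation of the top-event probability; comparing it with the exact value shows how much the approximation overstates the risk when several cut sets are not rare.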
