Safety-critical software must be analyzed and checked carefully. Each potential error, failure, or defect must be considered and evaluated before you release a new product. For example, if you are producing a quadcopter drone, you would like to know the probability of engine failure to evaluate the system's reliability. Safety analysis is hard. Standards such as ARP4761 mandate several analyses, such as Functional Hazard Assessment (FHA) and Failure Mode and Effect Analysis (FMEA). One popular type of safety analysis is Fault Tree Analysis (FTA), which provides a graphical representation of all contributors to a failure (e.g., error events and propagations). In this blog post, I present the concepts of the FTA and introduce a new tool to design and analyze fault trees.

Fault-Tree Analysis Notation

FTA is a top-down safety analysis method. Unlike FMEA, which is a bottom-up method that shows the impact of every failure throughout the architecture, FTA defines a tree. The failure under analysis is the tree's root node and all related contributing factors are its leaf nodes.

FTA's logic includes gates that show the logical relationship (AND, OR) between error events in the tree. This representation captures the fact that a fault depends on several failures. For example, a redundant system with two sensors will fail if both sensors are not working.

Figure 1 shows an FTA that represents the condition of a failure of a computer. The computer crashes if one of the following conditions is triggered (that is, the error events act as an OR gate):

1. unhandled interrupt
2. broken device
3. software error

Software error (failure condition 3) is then refined into sub-events. A software error occurs if both of the following conditions are triggered (that is, the error events act as an AND gate):

• The program attempts to divide by zero
• There is no recovery handler

This type of failure model is helpful for manually analyzing system safety and computing the probability of a failure according to all of its contributors.

Figure 1 - Example of a fault tree

Shortcoming of Existing Tools

Several FTA tools are currently on the market. Unfortunately, most of them are released under a commercial license, which reduce their accessibility and evaluation to the research community. Licensing commercial tools is often expensive and beyond the budget for many researchers, so we wanted to create an open-source tool that was freely available to software developers of safety-critical systems. While some open-source FTA projects do exist, they have limited capabilities and are not actively maintained, so that old bugs were not fixed and these program might not work on new operating systems

We wanted to make an FTA tool that is open-source, easy to use, available on most popular platforms (such as Windows, Mac OS and Linux), and that can be easily integrated in OSATE, our AADL modeling environment. These reasons motivated us to write our own FTA editor: EMFTA, which is written using the Eclipse Modeling Framework (EMF) framework, the Sirius graphical framework, and Java code. Thanks to the Sirius framework the tool provides a different set of visualization and analysis capabilities than other current FTA tools. Finally, EFTA is completely integrated into the Eclipse platform and can be easily interfaced with the OSATE modeling framework.

The EMFTA Editor

EMFTA editor uses two major components of the Eclipse platform: the Eclipse Modeling Framework (EMF) for defining an FTA meta-model and Sirius, a framework to auto-generate graphical representation from EMF models. The EMFTA tool is currently integrated stable release of the Architecture Analysis and Design Language (AADL) tool environment, OSATE. The source code for EMFTA is released under the BSD license and is openly accessible on the SEI github repository.

Tree and Table Representations

EMFTA provides several different ways to visualize and represent a fault tree model, including a tree diagram and a table representation that is convenient for editing. Figure 2 shows the table representation of the graphic diagram of the FTA that appeared in Figure 1.

The tool automatically synchronizes the different representations of the model. A value modified in the table is automatically updated in the tree, and vice-versa.

Figure 2 - Table View of the Fault Tree

Analysis Capabilities

EMFTA provides three ways to analyze and check fault trees.

1. Probability consistency checking. EMFTA browses the tree and checks that all probabilities are consistent with the tree hierarchy. EMFTA also verifies that the probability of an error event is consistent with its leaves and their underlying conditions.
2. Automatically computing the probabilities of all error events. To enable this type of checking, engineers must specify the probabilities of all of the leaves in the fault tree. EMFTA then automatically computes the probabilities of all other error events up to the root node of the tree.
3. Automatically computing the number of events to trigger a specific error. EMFTA provides all combinations of errors that are sufficient to trigger the failure of the root node. Figure 3 shows the cut set for the FTA that was illustrated in Figure 1. Three combinations of failures are sufficient to trigger the root failure. The tool also gives the probability for each cut set.

Figure 3 - Cut set of the computer system

EMFTA includes optimization features that automatically remove useless error events--for example, if they are referenced in several parts of the tree hierarchy. It can even refactor the tree by re-organizing shared events with respect to their fault logic.

Such capabilities are especially useful when working on important fault trees because manual analysis is prone to error and very time consuming. By automating these capabilities, we increase confidence in the probabilities produced and reduce analysis time.

Wrapping Up

FTA is a major component of system analysis and is prescribed by safety standards, such as ARP4761. Previous tool support was mostly commercial and therefore less accessible, which reduced opportunities to use such analysis for research and educational projects. By creating EMFTA and making it available it to the public via the open source software community, we hope to bridge this gap and provide opportunities for members of the research and academic communities to learn and use FTA.

Beyond the EMFTA editor, we also hope to automatically generate fault trees from architecture models designed with AADL. We did this during our previous work on the AADL Error-Model annex. Since EMFTA was not available at that time, we had to rely on older, unsupported tools. We updated our FTA generator and are now generating fault trees that can be visualized and edited with EMFTA. We plan to present all of these new features in an upcoming tutorial at the ESweek conference on October 2, 2016.

Resources

• EMFTA github repository: https://github.com/cmu-sei/emfta
• OSATE download: https://osate.org/