Posted on by Software Architecturein
by Julien Delange Senior Member of the Technical Staff Architecture Practices Initiative
Safety-critical software must be analyzed and checked carefully. Each potential error, failure, or defect must be considered and evaluated before you release a new product. For example, if you are producing a quadcopter drone, you would like to know the probability of engine failure to evaluate the system's reliability. Safety analysis is hard. Standards such as ARP4761 mandate several analyses, such as Functional Hazard Assessment (FHA) and Failure Mode and Effect Analysis (FMEA). One popular type of safety analysis is Fault Tree Analysis (FTA), which provides a graphical representation of all contributors to a failure (e.g., error events and propagations). In this blog post, I present the concepts of the FTA and introduce a new tool to design and analyze fault trees.
Fault-Tree Analysis Notation
FTA is a top-down safety analysis method. Unlike FMEA, which is a bottom-up method that shows the impact of every failure throughout the architecture, FTA defines a tree. The failure under analysis is the tree's root node and all related contributing factors are its leaf nodes.
FTA's logic includes gates that show the logical relationship (AND, OR) between error events in the tree. This representation captures the fact that a fault depends on several failures. For example, a redundant system with two sensors will fail if both sensors are not working.
Figure 1 shows an FTA that represents the condition of a failure of a computer. The computer crashes if one of the following conditions is triggered (that is, the error events act as an OR gate):
Software error (failure condition 3) is then refined into sub-events. A software error occurs if both of the following conditions are triggered (that is, the error events act as an AND gate):
This type of failure model is helpful for manually analyzing system safety and computing the probability of a failure according to all of its contributors.
Figure 1 - Example of a fault tree
Shortcoming of Existing Tools
Several FTA tools are currently on the market. Unfortunately, most of them are released under a commercial license, which reduce their accessibility and evaluation to the research community. Licensing commercial tools is often expensive and beyond the budget for many researchers, so we wanted to create an open-source tool that was freely available to software developers of safety-critical systems. While some open-source FTA projects do exist, they have limited capabilities and are not actively maintained, so that old bugs were not fixed and these program might not work on new operating systems
We wanted to make an FTA tool that is open-source, easy to use, available on most popular platforms (such as Windows, Mac OS and Linux), and that can be easily integrated in OSATE, our AADL modeling environment. These reasons motivated us to write our own FTA editor: EMFTA, which is written using the Eclipse Modeling Framework (EMF) framework, the Sirius graphical framework, and Java code. Thanks to the Sirius framework the tool provides a different set of visualization and analysis capabilities than other current FTA tools. Finally, EFTA is completely integrated into the Eclipse platform and can be easily interfaced with the OSATE modeling framework.
The EMFTA Editor
EMFTA editor uses two major components of the Eclipse platform: the Eclipse Modeling Framework (EMF) for defining an FTA meta-model and Sirius, a framework to auto-generate graphical representation from EMF models. The EMFTA tool is currently integrated stable release of the Architecture Analysis and Design Language (AADL) tool environment, OSATE. The source code for EMFTA is released under the BSD license and is openly accessible on the SEI github repository.
Tree and Table Representations
EMFTA provides several different ways to visualize and represent a fault tree model, including a tree diagram and a table representation that is convenient for editing. Figure 2 shows the table representation of the graphic diagram of the FTA that appeared in Figure 1.
The tool automatically synchronizes the different representations of the model. A value modified in the table is automatically updated in the tree, and vice-versa.
Figure 2 - Table View of the Fault Tree
EMFTA provides three ways to analyze and check fault trees.
Figure 3 - Cut set of the computer system
EMFTA includes optimization features that automatically remove useless error events--for example, if they are referenced in several parts of the tree hierarchy. It can even refactor the tree by re-organizing shared events with respect to their fault logic.
Such capabilities are especially useful when working on important fault trees because manual analysis is prone to error and very time consuming. By automating these capabilities, we increase confidence in the probabilities produced and reduce analysis time.
FTA is a major component of system analysis and is prescribed by safety standards, such as ARP4761. Previous tool support was mostly commercial and therefore less accessible, which reduced opportunities to use such analysis for research and educational projects. By creating EMFTA and making it available it to the public via the open source software community, we hope to bridge this gap and provide opportunities for members of the research and academic communities to learn and use FTA.
Beyond the EMFTA editor, we also hope to automatically generate fault trees from architecture models designed with AADL. We did this during our previous work on the AADL Error-Model annex. Since EMFTA was not available at that time, we had to rely on older, unsupported tools. We updated our FTA generator and are now generating fault trees that can be visualized and edited with EMFTA. We plan to present all of these new features in an upcoming tutorial at the ESweek conference on October 2, 2016.