Post on 17-Aug-2020
transcript
Formal Availability Analysis using Theorem Proving
Waqar Ahmed and Osman Hasan
System Analysis and Verification (SAVe) Lab, National University of Sciences and Technology (NUST)
Islamabad, Pakistan
ICFEM 2016, Tokyo, Japan
November 17, 2016
Outline
1 Introduction
2 Proposed Methodology
3 Formalization Details
4 Case Study: DFH-3 Satellite’s Solar Arrays
5 Conclusions
W. Ahmed and O. Hasan Formal Availability Analysis in HOL November 17, 2016 2 / 41
Your service is NOT Available!
Amazon.com suffered a 30-minute downtime in 2013, at an estimated loss of $66,240 per minute
More recently, a 20-minute downtime
The impact of unavailability can be far greater in safety-critical engineering systems
Availability
The ability of a system to deliver services when required
Instantaneous availability: the probability that the system is functioning at a given time instant t
Steady-state availability: the long-term availability, i.e. the limit of the instantaneous availability as t → ∞
Availability Analysis
Identify and assess the causes and frequencies of system failures
Goal: reduce the unavailability probability of the given system under the given constraints, e.g. by component replacement or redundancy
System Availability Analysis
Start → conceptual behavioural model of the system (component level, then system level)
→ selection of an availability modeling technique: Availability Block Diagram (ABD), Unavailability Fault Tree (UFT), or Markov chains
→ selection of an availability analysis technique: analytical, simulation, or formal methods
→ availability calculation
Availability of a Component
Modeled using a sequence of pairs of random variables, one pair per working/repair cycle: $X_i = T_i + D_i$
$T_i$: working time in the $i$-th period; $D_i$: repair time in the $i$-th period
[Figure: timeline alternating working periods $T_0, T_1, \dots$ and repair periods $D_0, D_1, \dots$; $X_0 = T_0 + D_0$ ends the first cycle, $X_0 \le t < X_0 + T_1$ is the first available period after a repair, $S_k \le t < S_k + T_k$ the $k$-th available period]
Let $S_k = \sum_{i=0}^{k-1} X_i$ be the instant at which the $k$-th working period starts ($S_0 = 0$, the empty sum).
Availability in period 0: $A_0(t) = P(t < T_0)$
Availability in period 1: $A_1(t) = P(X_0 \le t < X_0 + T_1)$
Availability in period $k$: $A_k(t) = P(S_k \le t < S_k + T_k)$
Overall availability over $n$ periods (the working intervals are disjoint, so the events are too): $A(t) = P\left(\bigcup_{k=0}^{n-1} \{S_k \le t < S_k + T_k\}\right)$
Availability Modeling Techniques: Availability Block Diagrams
Model the availability relationship of system components as a diagram of sub-blocks and connectors (ABD)
[Figure: generic ABD between input I and output O with M parallel paths, each a chain of N series blocks]
The system is unavailable if all the paths for successful execution fail
Add more parallelism to meet the availability goals
Types of Availability Block Diagrams
Steady-state availability expression for each ABD type; component $i$ has failure rate $\lambda_i$ and repair rate $\mu_i$, and $A_i^{inst}(t)$ is the event that it is available at time $t$:
Series (blocks 1..N between I and O): $\lim_{t\to\infty} \Pr\left(\bigcap_{i=1}^{N} A_i^{inst}(t)\right) = \prod_{i=1}^{N} \frac{\mu_i}{\mu_i + \lambda_i}$
Parallel (blocks 1..M between I and O): $\lim_{t\to\infty} \Pr\left(\bigcup_{i=1}^{N} A_i^{inst}(t)\right) = 1 - \prod_{i=1}^{N} \left(1 - \frac{\mu_i}{\mu_i + \lambda_i}\right)$
Parallel-series (M parallel paths, each of N series blocks): $\lim_{t\to\infty} \Pr\left(\bigcup_{i=1}^{M} \bigcap_{j=1}^{N} A_{ij}^{inst}(t)\right) = 1 - \prod_{i=1}^{M} \left(1 - \prod_{j=1}^{N} \frac{\mu_{ij}}{\mu_{ij} + \lambda_{ij}}\right)$
Series-parallel (N series stages, each of M parallel blocks): $\lim_{t\to\infty} \Pr\left(\bigcap_{i=1}^{N} \bigcup_{j=1}^{M} A_{ij}^{inst}(t)\right) = \prod_{i=1}^{N} \left(1 - \prod_{j=1}^{M} \left(1 - \frac{\mu_{ij}}{\mu_{ij} + \lambda_{ij}}\right)\right)$
Availability Block Diagrams, Example: Power Supply System
[Figure: the main supply feeds the user through a transformer; a generator and a UPS are alternative sources]
Waqar requires a continuous supply of power for his lab PC
The UPS can support the load during a switch from the main supply to the generator
He wants to determine the availability of the power supply system
Availability Block Diagrams, Example: Power Supply System
Step 1: Construct an ABD model
Power supply ABD: the main supply (M) and the transformer (T) in series, in parallel with the generator (G) and the UPS (U)
pow_sys_abd = (M ∩ T) ∪ G ∪ U
Availability Block Diagrams, Example: Power Supply System
Step 2: Determine the instantaneous and steady-state availability of each component
λ: failure rate; μ: repair rate (constant rates, i.e. exponentially distributed working and repair times)
$A_{inst}(t) = \frac{\mu}{\mu + \lambda} + \frac{\lambda}{\mu + \lambda} e^{-(\lambda + \mu) t}$
$A_{steady} = \lim_{t\to\infty} A_{inst}(t) = \frac{\mu}{\mu + \lambda}$
Availability Block Diagrams, Example: Power Supply System
Step 3: Evaluate the overall availability from the individual component availabilities and the ABD relationship
$A(\text{pow\_sys\_abd}) = \lim_{t\to\infty} P\big((M \cap T) \cup G \cup U\big)(t) = 1 - \big(1 - A(M)\,A(T)\big)\,\big(1 - A(G)\big)\,\big(1 - A(U)\big)$
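The component model and the four ABD structure expressions above, carried through in code for the power-supply example. This is an added example, not the authors' HOL development or SML scripts; the failure and repair rates assigned to M, T, G and U are constructed values, and the structure functions take nested lists of per-block availabilities (a path in a parallel-series ABD, a stage in a series-parallel ABD).

```python
"""Availability of repairable components and of ABD structures.
Added example; not the authors' code. Rates below are constructed."""
import math
from functools import reduce
from typing import Dict, Sequence, Tuple


def inst_avail(lam: float, mu: float, t: float) -> float:
    """Instantaneous availability A_inst(t) of one component with constant
    failure rate lam and repair rate mu (exponential working/repair times)."""
    return mu / (mu + lam) + lam / (mu + lam) * math.exp(-(lam + mu) * t)


def steady_avail(lam: float, mu: float) -> float:
    """Steady-state availability lim_{t->inf} A_inst(t) = mu / (mu + lam)."""
    return mu / (mu + lam)


def prod(xs) -> float:
    return reduce(lambda a, b: a * b, xs, 1.0)


def series(avails: Sequence[float]) -> float:
    """All blocks must be available: product of the availabilities."""
    return prod(avails)


def parallel(avails: Sequence[float]) -> float:
    """At least one block must be available: 1 - prod(1 - a_i)."""
    return 1.0 - prod(1.0 - a for a in avails)


def parallel_series(paths: Sequence[Sequence[float]]) -> float:
    """M parallel paths, each a series chain of blocks."""
    return parallel([series(path) for path in paths])


def series_parallel(stages: Sequence[Sequence[float]]) -> float:
    """N series stages, each a parallel group of blocks."""
    return series([parallel(stage) for stage in stages])


# Constructed (failure rate, repair rate) pairs per hour for the example.
RATES: Dict[str, Tuple[float, float]] = {
    "M": (1e-3, 0.5),   # main supply
    "T": (1e-4, 0.1),   # transformer
    "G": (5e-3, 0.25),  # generator
    "U": (2e-3, 0.2),   # UPS
}


def power_supply_steady_avail(rates=RATES) -> float:
    """Steady-state availability of pow_sys_abd = (M ∩ T) ∪ G ∪ U, i.e.
    1 - (1 - A(M) A(T)) (1 - A(G)) (1 - A(U)), as a parallel-series ABD
    with paths [M, T], [G] and [U]."""
    a = {k: steady_avail(lam, mu) for k, (lam, mu) in rates.items()}
    return parallel_series([[a["M"], a["T"]], [a["G"]], [a["U"]]])


def power_supply_inst_avail(t: float, rates=RATES) -> float:
    """The same structure evaluated on instantaneous availabilities at time t;
    valid because the components are assumed to fail and repair independently."""
    a = {k: inst_avail(lam, mu, t) for k, (lam, mu) in rates.items()}
    return parallel_series([[a["M"], a["T"]], [a["G"]], [a["U"]]])


if __name__ == "__main__":
    for t in (0.0, 1.0, 10.0, 100.0):
        print(f"t={t:6.1f} h  A_inst={power_supply_inst_avail(t):.9f}")
    print(f"steady state  A={power_supply_steady_avail():.9f}")
```

At t = 0 every component is up, so the system availability is exactly 1; it then decays monotonically towards the steady-state value, which the structure formula reaches in the limit because each component's exponential term vanishes.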
Availability Modeling Techniques: Unavailability Fault Trees
A graphical method used to identify the potential causes of system unavailability
An unavailability fault tree is constructed from:
Events: describing the unavailability of system components
Logic gates: representing the logical relationship between events (AND, OR, NAND, NOR, etc.)
[Figure: fault tree layout: TOP event; first-level contributors to the TOP event through logic gates; first-level events; second-level contributors through logic gates; second-level contributors; basic failure events at the leaves]
Types of UFT Gates
Steady-state unavailability expression for each gate; component $i$ has failure rate $\lambda_i$ and repair rate $\mu_i$, $\overline{A}_i(t)$ denotes its unavailability event at time $t$ and $A_i(t)$ its availability event:
AND: $\lim_{t\to\infty} \overline{A}_{AND}(t) = \prod_{i=1}^{N} \frac{\lambda_i}{\lambda_i + \mu_i}$
OR: $\lim_{t\to\infty} \overline{A}_{OR}(t) = 1 - \prod_{i=1}^{N} \left(1 - \frac{\lambda_i}{\lambda_i + \mu_i}\right)$
NOR: $\lim_{t\to\infty} \overline{A}_{NOR}(t) = 1 - \lim_{t\to\infty} \overline{A}_{OR}(t) = \prod_{i=1}^{N} \left(1 - \frac{\lambda_i}{\lambda_i + \mu_i}\right)$
NAND (inputs $1..k$ complemented, inputs $k+1..N$ as they are): $\lim_{t\to\infty} \overline{A}_{NAND}(t) = \lim_{t\to\infty} \Pr\left(\bigcap_{i=1}^{k} A_i(t) \cap \bigcap_{j=k+1}^{N} \overline{A}_j(t)\right) = \prod_{i=1}^{k} \left(1 - \frac{\lambda_i}{\lambda_i + \mu_i}\right) \cdot \prod_{j=k+1}^{N} \frac{\lambda_j}{\lambda_j + \mu_j}$
Types of UFT Gates (continued)
XOR: $\lim_{t\to\infty} \overline{A}_{XOR}(t) = \lim_{t\to\infty} \Pr\left(A_1(t) \cap \overline{A}_2(t) \cup \overline{A}_1(t) \cap A_2(t)\right) = \left(1 - \frac{\lambda_1}{\lambda_1 + \mu_1}\right) \frac{\lambda_2}{\lambda_2 + \mu_2} + \frac{\lambda_1}{\lambda_1 + \mu_1} \left(1 - \frac{\lambda_2}{\lambda_2 + \mu_2}\right)$
NOT: $\lim_{t\to\infty} \overline{A}_{NOT}(t) = \Pr(A(t)) = 1 - \frac{\lambda}{\lambda + \mu}$
Unavailability Fault Trees, Example: Power Supply System
Determine the overall unavailability?
[Figure: main supply, transformer, generator and UPS feeding the user, as in the ABD example]
Unavailability Fault Trees, Example: Power Supply System
Step 1: Construct a UFT that represents the top event (unavailability of the whole system) in terms of the unavailability of the individual components
[Figure: fault tree with top event F(PS); the main supply (M) and transformer (T) feed an OR gate, whose output feeds an AND gate together with the generator (G) and the UPS (U)]
pow_sys_fail = (M ∪ T) ∩ G ∩ U
Unavailability Fault Trees, Example: Power Supply System
Step 2: Determine the instantaneous and steady-state unavailability of each component (the complement of the availability of Step 2 in the ABD example)
$\overline{A}_{inst}(t) = \frac{\lambda}{\mu + \lambda} - \frac{\lambda}{\mu + \lambda} e^{-(\lambda + \mu) t}$
$\overline{A}_{steady} = \lim_{t\to\infty} \overline{A}_{inst}(t) = \frac{\lambda}{\mu + \lambda}$
Unavailability Fault Trees, Example: Power Supply System
Step 3: Evaluate the unavailability using the probabilistic inclusion-exclusion principle
$P\left(\bigcup_{i=1}^{n} A_i\right) = \sum_{J \neq \emptyset,\; J \subseteq \{1, 2, \dots, n\}} (-1)^{|J| - 1} P\left(\bigcap_{j \in J} A_j\right)$
Distributing the intersection over the union, $(M \cup T) \cap G \cap U = (M \cap G \cap U) \cup (T \cap G \cap U)$, so
$\lim_{t\to\infty} \overline{A}(\text{pow\_sys\_unavail})(t) = \overline{A}\big((M \cup T) \cap G \cap U\big) = \overline{A}(M \cap G \cap U) + \overline{A}(T \cap G \cap U) - \overline{A}(M \cap T \cap G \cap U)$
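The inclusion-exclusion evaluation of Step 3, as an added Python example (not from the slides or the authors' HOL scripts). It takes the top event as a list of minimal cut sets, which for (M ∪ T) ∩ G ∩ U are {M, G, U} and {T, G, U}, expands P(⋃) term by term under the assumption of mutually independent basic events, and cross-checks the result against one minus the ABD availability from Step 3 of the ABD example. The unavailability values are constructed.

```python
"""Probabilistic inclusion-exclusion over minimal cut sets of a UFT.
Added example, not the authors' code; basic events assumed independent."""
from functools import reduce
from itertools import combinations
from typing import Dict, FrozenSet, Sequence


def prod(xs) -> float:
    return reduce(lambda a, b: a * b, xs, 1.0)


def steady_unavail(lam: float, mu: float) -> float:
    """Steady-state unavailability lambda / (lambda + mu) of one component."""
    return lam / (lam + mu)


def inclusion_exclusion(cut_sets: Sequence[FrozenSet[str]],
                        u: Dict[str, float]) -> float:
    """P(C_1 ∪ ... ∪ C_n) = Σ over nonempty J ⊆ {1..n} of (-1)^{|J|-1} P(∩_{j∈J} C_j).
    C_j is the event 'every basic event in cut set j has occurred', so the
    intersection over J is the event that every basic event in the union of
    those cut sets has occurred; under independence that is a product."""
    total = 0.0
    for size in range(1, len(cut_sets) + 1):
        sign = 1.0 if size % 2 == 1 else -1.0
        for chosen in combinations(cut_sets, size):
            events = frozenset().union(*chosen)
            total += sign * prod(u[e] for e in events)
    return total


# Top event (M ∪ T) ∩ G ∩ U of the power-supply UFT as minimal cut sets.
POWER_SUPPLY_CUT_SETS = [frozenset({"M", "G", "U"}), frozenset({"T", "G", "U"})]


def power_supply_unavail_pie(u: Dict[str, float]) -> float:
    """Step 3 expansion: u_M u_G u_U + u_T u_G u_U - u_M u_T u_G u_U."""
    return inclusion_exclusion(POWER_SUPPLY_CUT_SETS, u)


def power_supply_unavail_from_abd(u: Dict[str, float]) -> float:
    """Cross-check: one minus the ABD availability of (M ∩ T) ∪ G ∪ U,
    i.e. (1 - A_M A_T)(1 - A_G)(1 - A_U) with A_i = 1 - u_i."""
    a = {k: 1.0 - v for k, v in u.items()}
    return (1.0 - a["M"] * a["T"]) * (1.0 - a["G"]) * (1.0 - a["U"])


# Constructed (failure rate, repair rate) pairs per hour, not from the slides.
RATES = {"M": (1e-3, 0.5), "T": (1e-4, 0.1), "G": (5e-3, 0.25), "U": (2e-3, 0.2)}
U_POWER = {k: steady_unavail(lam, mu) for k, (lam, mu) in RATES.items()}

if __name__ == "__main__":
    print("inclusion-exclusion:", power_supply_unavail_pie(U_POWER))
    print("1 - ABD availability:", power_supply_unavail_from_abd(U_POWER))
```

The two routes must agree because the UFT and the ABD describe the same structure function; a mismatch means the cut sets were enumerated wrongly (a missing or non-minimal cut set is the usual mistake when a tree is transcribed by hand).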
Availability Analysis Techniques
Feature | Paper-and-pencil proof | Simulation tools | Model checking | Higher-order-logic theorem proving
Models | Paper (random variables) | Computer program (pseudo-random numbers) | State transition graph (Markov chains) | Logical function
Analysis | Analytical (probability distributions, expressions for ABDs and UFTs, PIE and MI) | Numerical methods | State exploration | Formal reasoning
Expressiveness | ✓ | ✓ (?) | ✗ | ✓
Accuracy | ✓ (?) | ✗ | ✓ | ✓
Automation | ✗ | ✓ | ✓ | ✗
(Check marks and the "(?)" qualifiers are as on the slide; cells the slide leaves blank are shown as ✗.)
2 Proposed Methodology
Methodology
System description → formal model (in HOL)
System availability properties → proof goal
Theorem prover (HOL) → formally verified availability properties
Supporting formalized library used by the theorem prover:
Availability block diagrams: series, parallel, parallel-series and series-parallel structures, with the steady-state mathematical expressions listed under Types of Availability Block Diagrams
Unavailability fault tree gates: AND, OR, NAND, NOR, with the failure expressions listed under Types of UFT Gates
Probabilistic inclusion-exclusion principle
3 Formalization Details
Formalization of Availability
Availability event at time period k ($S_k \le t < S_k + T_k$), where $S_k = \sum_{i=0}^{k-1} X_i$ and L is the list of (working time, repair time) random-variable pairs, one per period; `count k` is the set {0, ..., k-1}, so the SIGMA term is $S_k$ and `FST (EL k L) x` is $T_k$:
  ⊢ ∀ p L k t. avail_event p L k t =
      {x | SIGMA (λi. FST (EL i L) x + SND (EL i L) x) (count k) ≤ t ∧
           t < SIGMA (λi. FST (EL i L) x + SND (EL i L) x) (count k) + FST (EL k L) x}
      ∩ p_space p
Overall availability in all working intervals:
  ⊢ ∀ p L t. union_avail_events p L t =
      BIGUNION (IMAGE (λn. avail_event p L n t) (count (LENGTH L)))
Unavailability events:
  ⊢ ∀ p L t. union_unavail_events p L t = p_space p DIFF union_avail_events p L t
Series Availability Block Diagram
A series ABD is available at time instant t only if all of its components are available at time t
[Figure: blocks 1..N in series between I and O]
  ⊢ (∀ p. series_struct p [] = p_space p) ∧
    (∀ p h t. series_struct p (h::t) = h ∩ series_struct p t)
Formal Verification of Series ABD
[Figure: blocks 1..N in series between I and O]
Series availability block diagram: $\lim_{t\to\infty} \Pr\left(\bigcap_{i=1}^{N} A_i^{inst}(t)\right) = \prod_{i=1}^{N} \frac{\mu_i}{\mu_i + \lambda_i}$
  ⊢ ∀ p M L. prob_space p ∧
      (∀z. MEM z M ⇒ 0 < FST z ∧ 0 < SND z) ∧
      (LENGTH L = LENGTH M) ∧
      (∀t'. ¬NULL (union_avail_event_list p L (&t'))) ∧
      (∀z t'. MEM z (union_avail_event_list p L (&t')) ⇒ z ∈ events p) ∧
      (∀t'. mutual_indep p (union_avail_event_list p L (&t'))) ∧
      inst_avail_exp_list p L M ⇒
      (lim (λt. prob p (series_struct p (union_avail_event_list p L (&t)))) =
       list_prod (steady_state_avail_list M))
Hypotheses, in order: p is a probability space; every pair of rates in M is positive; M and L have one entry per component; the event list is non-empty at every time t'; every availability event is an event of p; the component availability events are mutually independent at every t'; and each component's instantaneous availability follows the exponential expression of Step 2 of the ABD example.
HOL Formalization of ABDs
Parallel ABD (blocks 1..M between I and O):
  ⊢ (parallel_struct [] = {}) ∧
    (∀ h t. parallel_struct (h::t) = h ∪ parallel_struct t)
Parallel-series ABD (M parallel paths, each of N series blocks):
  ⊢ ∀ p L. parallel_series_struct p L = (parallel_struct p of series_struct) L
Series-parallel ABD (N series stages, each of M parallel blocks):
  ⊢ ∀ p L. series_parallel_struct p L = (series_struct p of parallel_struct) L
Formally Verified Expressions
Conclusions of the verified theorems (hypotheses as for the series ABD):
Parallel: $A_{parallel} = \lim_{t\to\infty} \Pr\left(\bigcup_{i=1}^{N} A_i^{inst}(t)\right) = 1 - \prod_{i=1}^{N} \left(1 - \frac{\mu_i}{\mu_i + \lambda_i}\right)$
  ⊢ ∀ p L M. ... ⇒
      (lim (λt. prob p (parallel_struct p (union_avail_event_list p L (&t)))) =
       1 - list_prod (one_minus_list (steady_state_avail_list M)))
Parallel-series: $A_{parallel-series} = \lim_{t\to\infty} \Pr\left(\bigcup_{i=1}^{M} \bigcap_{j=1}^{N} A_{ij}(t)\right) = 1 - \prod_{i=1}^{M} \left(1 - \prod_{j=1}^{N} \frac{\mu_{ij}}{\mu_{ij} + \lambda_{ij}}\right)$
  ⊢ ∀ p L M. ... ⇒
      (lim (λt. prob p (parallel_series_struct p (list_union_avail_event_list p L (&t)))) =
       1 - list_prod (one_minus_list (MAP (λa. steady_state_avail a) M)))
Series-parallel: $A_{series-parallel} = \lim_{t\to\infty} \Pr\left(\bigcap_{i=1}^{N} \bigcup_{j=1}^{M} A_{ij}^{inst}(t)\right) = \prod_{i=1}^{N} \left(1 - \prod_{j=1}^{M} \left(1 - \frac{\mu_{ij}}{\mu_{ij} + \lambda_{ij}}\right)\right)$
  ⊢ ∀ p L M. ... ⇒
      (lim (λt. prob p (series_parallel_struct p (list_union_avail_event_list p L (&t)))) =
       list_prod (one_minus_list (MAP (λa. compl_steady_state_avail a) M)))
Commonly used Unavailability Fault Tree Gates
OR gate (inputs 1..n):
  ⊢ ∀ p L t. OR_unavail_FT_gate p L t = union_list (union_unavail_event_list p L t)
NAND gate (inputs 1..k complemented, inputs k+1..n as they are):
  ⊢ ∀ p L1 L2 t. NAND_unavail_FT_gate p L1 L2 t =
      inter_list p (compl_list p (union_unavail_event_list p L1 t)) ∩
      inter_list p (union_unavail_event_list p L2 t)
NOR gate (inputs 1..n):
  ⊢ ∀ p L t. NOR_unavail_FT_gate p L t =
      p_space p DIFF union_list (union_unavail_event_list p L t)
XOR gate (inputs 1, 2):
  ⊢ ∀ p A B. XOR_unavail_FT_gate p A B = ((p_space p DIFF A) ∩ B) ∪ (A ∩ (p_space p DIFF B))
NOT gate:
  ⊢ ∀ p A. NOT_unavail_FT_gate p A = p_space p DIFF A
Formal Verification of UFT Gates
Conclusions of the verified theorems; $\overline{A}_i(t)$ is the unavailability event of component i:
OR: $\lim_{t\to\infty} \overline{A}_{OR}(t) = \lim_{t\to\infty} \Pr\left(\bigcup_{i=1}^{N} \overline{A}_i(t)\right) = 1 - \prod_{i=1}^{N} \left(1 - \frac{\lambda_i}{\lambda_i + \mu_i}\right)$
  lim (λt. prob p (OR_unavail_FT_gate p L (&t))) =
    1 - list_prod (one_minus_list (steady_state_unavail_list M))
NOR: $\lim_{t\to\infty} \overline{A}_{NOR}(t) = 1 - \lim_{t\to\infty} \overline{A}_{OR}(t) = \prod_{i=1}^{N} \left(1 - \frac{\lambda_i}{\lambda_i + \mu_i}\right)$
  lim (λt. prob p (NOR_unavail_FT_gate p L (&t))) =
    list_prod (one_minus_list (steady_state_unavail_list M))
NAND: $\lim_{t\to\infty} \overline{A}_{NAND}(t) = \lim_{t\to\infty} \Pr\left(\bigcap_{i=1}^{k} A_i(t) \cap \bigcap_{j=k+1}^{N} \overline{A}_j(t)\right) = \prod_{i=1}^{k} \left(1 - \frac{\lambda_i}{\lambda_i + \mu_i}\right) \cdot \prod_{j=k+1}^{N} \frac{\lambda_j}{\lambda_j + \mu_j}$
  lim (λt. prob p (NAND_unavail_FT_gate p L1 L2 (&t))) =
    list_prod (steady_state_avail_list M1) * list_prod (steady_state_unavail_list M2)
Formal Verification of UFT Gates
XOR: $\lim_{t\to\infty} \overline{A}_{XOR}(t) = \lim_{t\to\infty} \Pr\left(A_1(t) \cap \overline{A}_2(t) \cup \overline{A}_1(t) \cap A_2(t)\right) = \left(1 - \frac{\lambda_1}{\lambda_1 + \mu_1}\right) \frac{\lambda_2}{\lambda_2 + \mu_2} + \frac{\lambda_1}{\lambda_1 + \mu_1} \left(1 - \frac{\lambda_2}{\lambda_2 + \mu_2}\right)$
  lim (λt. prob p (XOR_unavail_FT_gate p A B (&t))) =
    (1 - steady_state_unavail M1) * steady_state_unavail M2 +
    steady_state_unavail M1 * (1 - steady_state_unavail M2)
NOT: $\lim_{t\to\infty} \overline{A}_{NOT}(t) = \Pr(A(t)) = 1 - \frac{\lambda}{\lambda + \mu}$
  lim (λt. prob p (NOT_unavail_FT_gate p A (&t))) = FST m / (FST m + SND m)
The formalization took more than 9000 lines of code and about 350 man-hours
4 Case Study: DFH-3 Satellite's Solar Arrays
Case Study: DFH-3 Satellite's Solar Arrays
Launched by China on May 12, 1997
The solar arrays supply a continuous source of power
Availability of the solar array is essential for the success of the mission
[Figure: panels (a) and (b)]
Availability Block Diagram of the DFH-3 Solar Array
[Figure: series-parallel ABD of the solar array: two electric detonators (ED) in parallel; the cutting knife (CK); two starting springs (SS) in parallel; two hinge bearings (HB), each a stage of its own; two hinges of the locking mechanism (HL) in parallel]
Availability Model of the DFH-3 Solar Array
  ⊢ ∀ p X_ED X_CK X_SS X_HB X_HL t.
      SA_ABD p X_ED X_CK X_SS X_HB X_HL t =
        series_parallel_struct p
          (list_union_avail_event_list p
             [[X_ED; X_ED]; [X_CK]; [X_SS; X_SS]; [X_HB]; [X_HB]; [X_HL; X_HL]] t)
Availability Analysis of the DFH-3 Solar Array
$A_{SA} = \left(1 - \left(1 - \frac{\mu_{ED}}{\mu_{ED} + \lambda_{ED}}\right)^2\right) \cdot \frac{\mu_{CK}}{\mu_{CK} + \lambda_{CK}} \cdot \left(1 - \left(1 - \frac{\mu_{SS}}{\mu_{SS} + \lambda_{SS}}\right)^2\right) \cdot \left(\frac{\mu_{HB}}{\mu_{HB} + \lambda_{HB}}\right)^2 \cdot \left(1 - \left(1 - \frac{\mu_{HL}}{\mu_{HL} + \lambda_{HL}}\right)^2\right)$
Steady State Availability of the DFH-3 Solar Array
  ⊢ ∀ p X_ED X_CK X_SS X_HB X_HL.
      (lim (λt. prob p (SA_ABD p X_ED X_CK X_SS X_HB X_HL (&t))) =
        (1 - (1 - steady_state_avail ED) pow 2) * steady_state_avail CK *
        (1 - (1 - steady_state_avail SS) pow 2) *
        (steady_state_avail HB) pow 2 *
        (1 - (1 - steady_state_avail HL) pow 2))
Unavailability Fault Tree for the DFH-3 Solar Array
[Figure: unavailability fault tree of the DFH-3 solar array, basic events x1 to x14]
Unavailability of the DFH-3 Solar Array
Unavailability Fault Tree for the DFH-3 Solar Array
  ⊢ ∀ p x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 t.
      Solar_unavail_FT p x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 t =
        OR_unavail_FT_gate
          [OR_unavail_FT_gate (union_avail_event_list p [x1; x2; x3; x4] t);
           AND_unavail_FT_gate p (union_avail_event_list p [x5; x6] t);
           OR_unavail_FT_gate (union_avail_event_list p [x7; x8; x9; x10; x11; x12; x13; x14] t)]
i.e. the top event is the OR of three subtrees: the OR of basic events x1..x4, the AND of x5 and x6, and the OR of x7..x14
Unavailability of the DFH-3 Solar Array
$\overline{A}_{SA} = 1 - \left(\frac{\lambda_{c5}}{\lambda_{c5} + \mu_{c5}} \cdot \frac{\lambda_{c6}}{\lambda_{c6} + \mu_{c6}} \cdot \left(1 - \left(1 - \frac{\lambda_{c1}}{\lambda_{c1} + \mu_{c1}}\right) \left(1 - \frac{\lambda_{c2}}{\lambda_{c2} + \mu_{c2}}\right) \cdots \left(1 - \frac{\lambda_{c14}}{\lambda_{c14} + \mu_{c14}}\right)\right)\right)$
Steady State Unavailability of the DFH-3 Solar Array
  ⊢ ∀ p x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14.
      (lim (λt. prob p (Solar_unavail_FT p x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 (&t))) =
        1 - (list_prod (steady_state_unavail_list [c5; c6]) *
             (1 - list_prod (one_minus_list (steady_state_unavail_list
                    [c1; c2; c3; c4; c6; c7; c8; c9; c10; c11; c12; c13; c14])))))
About 100 lines of code
A set of SML scripts has been developed to automatically evaluate the availability/unavailability of the system for specific failure and repair rates
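Evaluating the DFH-3 unavailability fault tree numerically from its gate structure, as an added Python example (not the authors' HOL development or their SML scripts). The tree is built exactly as Solar_unavail_FT defines it: a top OR gate over OR(x1..x4), AND(x5, x6) and OR(x7..x14). The gate formulas from Types of UFT Gates are applied recursively and the result is cross-checked by enumerating all 2^14 basic-event states. Under independence the structure gives $1 - (1 - u_5 u_6) \prod_{i \notin \{5,6\}} (1 - u_i)$ with $u_i = \lambda_i/(\lambda_i + \mu_i)$, which is the value asserted below; the closed form printed above multiplies the AND-gate term by the OR-gate term instead, so treat that line as a transcription to check against the HOL script. The basic-event unavailabilities are constructed values, not mission data. The last part shows the caveat that makes the brute-force check worth having: the recursive gate formulas silently over-count when a basic event feeds two branches, as in XOR written out as (¬A ∧ B) ∨ (A ∧ ¬B).

```python
"""Unavailability fault tree evaluation from gate structure.
Added example; not the authors' code. Basic events assumed mutually
independent; the unavailability values below are constructed."""
from functools import reduce
from itertools import product
from typing import Dict, Tuple, Union

# A tree node is a basic-event name or (gate, children).
Node = Union[str, Tuple[str, tuple]]


def OR(*kids: Node) -> Node:
    return ("OR", kids)


def AND(*kids: Node) -> Node:
    return ("AND", kids)


def NOT(kid: Node) -> Node:
    return ("NOT", (kid,))


def prod(xs) -> float:
    return reduce(lambda a, b: a * b, xs, 1.0)


def evaluate(node: Node, u: Dict[str, float]) -> float:
    """Steady-state probability of the event at `node` via the gate formulas
    OR: 1 - prod(1 - p_i), AND: prod(p_i), NOT: 1 - p. Correct only when each
    basic event occurs once in the tree, because sibling subtrees are
    multiplied as if they were independent."""
    if isinstance(node, str):
        return u[node]
    gate, kids = node
    ps = [evaluate(k, u) for k in kids]
    if gate == "OR":
        return 1.0 - prod(1.0 - p for p in ps)
    if gate == "AND":
        return prod(ps)
    if gate == "NOT":
        return 1.0 - ps[0]
    raise ValueError(f"unknown gate {gate}")


def holds(node: Node, state: Dict[str, bool]) -> bool:
    """Does the event at `node` occur for one concrete assignment of basic events?"""
    if isinstance(node, str):
        return state[node]
    gate, kids = node
    vals = [holds(k, state) for k in kids]
    if gate == "OR":
        return any(vals)
    if gate == "AND":
        return all(vals)
    return not vals[0]  # NOT


def brute_force(node: Node, u: Dict[str, float]) -> float:
    """Exact P(event): sum of P(state) over all 2^n basic-event states.
    Correct even when a basic event is shared between subtrees."""
    names = sorted(u)
    total = 0.0
    for bits in product((False, True), repeat=len(names)):
        state = dict(zip(names, bits))
        p = prod(u[n] if on else 1.0 - u[n] for n, on in state.items())
        if holds(node, state):
            total += p
    return total


# The DFH-3 solar-array UFT exactly as structured in Solar_unavail_FT.
X = [f"x{i}" for i in range(1, 15)]
SOLAR_UNAVAIL_FT = OR(OR(*X[0:4]), AND(X[4], X[5]), OR(*X[6:14]))
U_SOLAR = {f"x{i}": 0.005 * i for i in range(1, 15)}  # constructed values


def solar_unavail_structural(u: Dict[str, float] = U_SOLAR) -> float:
    return evaluate(SOLAR_UNAVAIL_FT, u)


def solar_unavail_brute(u: Dict[str, float] = U_SOLAR) -> float:
    return brute_force(SOLAR_UNAVAIL_FT, u)


def solar_unavail_closed_form(u: Dict[str, float] = U_SOLAR) -> float:
    """What the gate structure gives under independence:
    1 - (1 - u5 u6) * prod over i not in {5, 6} of (1 - u_i)."""
    rest = [u[f"x{i}"] for i in range(1, 15) if i not in (5, 6)]
    return 1.0 - (1.0 - u["x5"] * u["x6"]) * prod(1.0 - r for r in rest)


# XOR written out shares A and B between its branches: evaluate() over-counts,
# while brute_force() matches the slide's (1 - u_A) u_B + u_A (1 - u_B).
XOR_TREE = OR(AND(NOT("a"), "b"), AND("a", NOT("b")))


def xor_closed_form(ua: float, ub: float) -> float:
    return (1.0 - ua) * ub + ua * (1.0 - ub)


if __name__ == "__main__":
    print("DFH-3 UFT  gate formulas:", solar_unavail_structural())
    print("DFH-3 UFT  brute force  :", solar_unavail_brute())
    u = {"a": 0.2, "b": 0.3}
    print("XOR  gate formulas:", evaluate(XOR_TREE, u), " exact:", brute_force(XOR_TREE, u))
```

For a tree of 14 basic events the exhaustive check is cheap (16384 states); for larger trees the minimal-cut-set inclusion-exclusion route or the HOL theorems replace it, but the point of the check stays the same: the product formulas are only a theorem under the mutual-independence hypothesis that the HOL statements carry explicitly.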
5 Conclusions
Conclusions
Accuracy of availability analysis is very important when working with safety-critical systems
The proposed method provides considerably more sound and complete availability analysis results than the existing alternatives
Future Work
Formalize dynamic ABDs and UFT gates
Enhance the automation of the reasoning process by building specialized tactics
Develop a GUI-based formal availability analysis tool that accepts ABDs and UFTs as input and uses the formally verified theorems to compute the overall availability of the system
Thanks!
More information: save.nust.seecs.edu.pk