COMPUTER-IMPLEMENTED METHOD FOR GENERATING A COMPONENT FAULT AND DEFICIENCY TREE OF A MULTI-COMPONENT SYSTEM COMPRISING A PLURALITY OF COMPONENTS

20220292009 · 2022-09-15

    Abstract

    Provided is a computer-implemented method for generating a Component Fault and Deficiency Tree of a multi-component system the method including: a. modeling the multi-component system using a Component Fault and Deficiency Tree, b. the Component Fault and Deficiency Tree includes a plurality of component fault and deficiency tree elements associated with the respective components; c. each component fault and deficiency tree element includes at least one inport and at least one outport; d. each component fault and deficiency tree element includes at least two events as internal fault tree logic; e. at least one gate, f. each component fault and deficiency tree element includes at least one mitigation logic; g. at least one Boolean AND-Gate, configured to connect the internal fault tree logic and the at least one mitigation logic; and h. providing the generated Component Fault and Deficiency Tree of the multi-component system as output.

    Claims

    1. A computer-implemented method for generating a Component Fault and Deficiency Tree of a multi-component system comprising a plurality of components, wherein each component of the plurality of components of the multi-component system is a hardware component, a software component, or a hardware and software component, the method comprising: a. modeling the multi-component system using a Component Fault and Deficiency Tree, wherein b. the Component Fault and Deficiency Tree comprises a plurality of component fault and deficiency tree elements associated with the respective components of the multi-component system; and interconnections between the component fault and deficiency tree elements associated with respective functional dependencies between the components; wherein c. each component fault and deficiency tree element comprises at least one inport and at least one outport; wherein each component fault and deficiency tree element comprises at least one output failure mode, connected to the at least one outport; wherein each component fault and deficiency tree element comprises at least one input failure mode, connected to the at least one inport; wherein d. each component fault and deficiency tree element comprises at least two events as internal fault tree logic; wherein one event of the at least two events is associated with at least one failure and the other event of the at least two events is associated with at least one deficiency of the component; e. at least one gate, configured to connect the at least two events; f. each component fault and deficiency tree element comprises at least one mitigation logic; wherein the at least one mitigation logic is configured to mitigate the at least one failure and/or at least one deficiency by means of a mitigation measure; g. at least one Boolean AND-Gate, configured to connect the internal fault tree logic and the at least one mitigation logic; and h. providing the generated Component Fault and Deficiency Tree of the multi-component system as output.

    2. The computer-implemented method according to claim 1, wherein each component fault and deficiency tree element comprises at least one additional internal fault tree logic; wherein the at least one additional internal fault tree logic is an event, a gate or a transfer.

    3. The computer-implemented method according to claim 1, wherein the at least one mitigation logic is an event.

    4. The computer-implemented method according to claim 3, wherein the mitigation measure is a measure selected from the group comprising: adapting the multi-component system; adapting at least one component of the multi-component system; extending the multi-component system with at least one additional component; and adapting at least one input data set and/or at least one output data set of at least one component of the multi-component system.

    5. The computer-implemented method according to claim 4, wherein the adaptation of the at least one input data set and/or at least one output data set of the at least one component of the multi-component system, comprises the step: adapting a training data set and/or a validation data set of at least one software component, desirably at least one Machine-Learning model or at least one Artificial Intelligence model to adapt the resulting predictions of the model and/or adapting at least one Machine-Learning model or at least one Artificial Intelligence model.

    6. A computing unit for performing the method steps according to claim 1.

    7. A computer program product, comprising a computer readable hardware storage device having computer readable program code stored therein, said program code executable by a processor of a computer system to implement a method directly loadable into an internal memory of a computer, comprising software code portions for performing the steps according to claim 1 when the computer program product is running on a computer.

    Description

    BRIEF DESCRIPTION

    [0052] Some of the embodiments will be described in detail, with reference to the following figures, wherein like designations denote like members, wherein:

    [0053] FIG. 1 shows a schematic diagram of the method according to an embodiment of the invention;

    [0054] FIG. 2 shows a schematic diagram of the failures and deficiencies assigned to the internal fault tree logic according to an embodiment of the invention; and

    [0055] FIG. 3 shows a schematic representation of the Component Fault and Deficiency Tree (CFDT) of a multi-component system according to an embodiment of the invention.

    DETAILED DESCRIPTION

    [0056] FIG. 1 illustrates a flowchart of the method according to embodiments of the invention with the method steps S1 to S2. In the first step S1, the multi-component system is modeled using a Component Fault and Deficiency Tree (CFDT) 1.

    [0057] The CFDT 1 comprises respective component fault and deficiency tree elements 10. The elements 10 each comprise at least one internal fault tree logic 20 and at least one mitigation logic 30. Thereby, the internal fault tree logic 20 is designed as an event, which is associated with at least one failure 22 and at least one deficiency 24 of the component. This differs from the conventional art in that deficiencies are incorporated in the CFDT 1. The mitigation logic 30 is configured to mitigate the at least one failure 22 and/or at least one deficiency 24 by means of a mitigation measure.

    [0058] In the last step S2, the Component Fault and Deficiency Tree (CFDT) 1 is provided.

    [0059] According to an embodiment, the Component Fault and Deficiency Tree (CFDT) can be defined as a superset of a CFT (CFDT ⊃ CFT) which consists of a set of CFDT elements, where each CFDT element is defined by the tuple CFDT = (IFM, OFM, B, D, M, G, SubCFDT, C′). While the definitions of IFMs, OFMs, basic events B, and gates G are the same as in CFTs, the aforementioned definition for CFTs is extended as follows:

    [0060] a set of deficiencies D = {d_1, ..., d_t}, which describe functional deficiencies of the component;

    [0061] a set of measures M = {M_1, ..., M_u}, which describe mitigation measures defined either for functional deficiencies or for failures;

    [0062] a set of sub-CFDT elements SubCFDT, each defined by the tuple SubCFDT = (IN, OUT, cfdt_i), where IN = {in_1, ..., in_a} is a set of input failure modes, OUT = {out_1, ..., out_b} a set of output failure modes, and cfdt_i ∈ CFDT a mapping to another CFDT element;

    [0063] a set of directed edges C′ with C′ ⊆ (IFM ∪ B ∪ D ∪ M ∪ G.OUT ∪ SubCFDT.OUT) × (OFM ∪ G.IN ∪ SubCFDT.IN).

    [0064] FIG. 2 shows the failures 22 and deficiencies 24 assigned to the internal fault tree logic 20. The failures 22 and/or deficiencies 24 can lead to a malfunction or malfunctioning behavior within the system which may further lead to a potential hazard at the system boundary, as already explained further above.

    [0065] An exemplary CFDT 1 element 10 is shown in FIG. 3. The CFDT element 10 comprises the event 22 “internal HW failure”, which represents an internal failure of the component and is indicated with a circle (F), and the event 24 “deficiencies of ML algorithm”, which represents a deficiency and is indicated with a circle (D). The two events are connected via a Boolean OR-Gate.

    [0066] Moreover, the CFDT element 10 comprises the mitigation logic 30 “runtime robustness detection”, indicated with a circle (M). The internal fault tree logic 20 and the mitigation logic 30 are connected via a Boolean AND-Gate. The input failure modes are indicated with triangles.

    [0067] The CFDT allows for:

    [0068] 1. Qualitative analysis: By describing the cause-effect relationships for functional deficiencies it is possible to conduct an FMEA-like analysis and to generate an overview table which shows whether measures are defined for each deficiency of each component that would otherwise lead to a potential hazard (DEA, Deficiency and Effect Analysis).

    [0069] Moreover, it is possible to conduct an analysis similar to qualitative Fault Tree Analysis (Minimal Cut Set Analysis) to show which combinations of deficiencies (cut sets) can lead to a specific hazard.

    [0070] 2. Quantitative analysis: Similar to the basic events in CFTs, deficiencies can also be annotated with probabilities, which allows quantitative or probabilistic Fault Tree Analysis using known algorithms to calculate the probability that a specific hazard occurs.

    [0071] Moreover, measures can be annotated with a “Diagnostic Coverage (DC)” value (similar to FMEDA). Hence, an FMEDA-like analysis (the so-called DEDA, Deficiency, Effect and Diagnosis Analysis) can be conducted to determine the residual risk that a hazard will occur.

    [0072] 3. Common Cause Deficiencies analysis: The CFDT methodology allows the definition of so-called Common Cause Deficiencies (CCDs) analogous to CCFs. Hence, the CFDT model can also be used to determine the CCDs of a system design.
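    The following Python model is an added illustration and is not code from the patent. It builds the FIG. 3 element described in [0065]-[0066] (an OR-gate over the failure event (F) and the deficiency event (D), AND-connected with the mitigation measure (M)) and runs the three analyses listed in [0068]-[0071] on it: minimal cut sets, hazard probability, and a DEA-style check for deficiencies without a measure. Two modelling assumptions are mine, not the patent's: a measure with Diagnostic Coverage DC is treated as a basic event "measure does not catch the problem" with probability 1 − DC, and a deficiency counts as mitigated when every minimal cut set containing it also contains a measure. All probabilities, the DC value and the extra unmitigated deficiency "incomplete training data" are constructed sample values.

```python
"""Toy CFDT element: minimal cut sets, hazard probability and a DEA check (added example)."""
from dataclasses import dataclass
from itertools import product
from typing import FrozenSet, Set, Tuple, Union


@dataclass(frozen=True)
class Event:
    """Basic event of a CFDT element.

    kind follows the circle labels of FIG. 3: "F" failure, "D" deficiency, "M" measure.
    For "F"/"D", prob is the occurrence probability.  For "M", prob is the probability
    that the measure does NOT catch the problem, i.e. 1 - DC (modelling assumption).
    """
    name: str
    kind: str
    prob: float


@dataclass(frozen=True)
class Gate:
    op: str                      # "AND" or "OR"
    inputs: Tuple["Node", ...]


Node = Union[Event, Gate]


def measure(name: str, dc: float) -> Event:
    """Mitigation measure annotated with Diagnostic Coverage, cf. [0071]."""
    return Event(name, "M", 1.0 - dc)


def minimal_cut_sets(node: Node) -> Set[FrozenSet[Event]]:
    """Qualitative analysis ([0069]): combinations of events that cause the top event."""
    if isinstance(node, Event):
        return {frozenset([node])}
    children = [minimal_cut_sets(i) for i in node.inputs]
    if node.op == "OR":
        candidates = set().union(*children)
    elif node.op == "AND":
        candidates = {frozenset().union(*combo) for combo in product(*children)}
    else:
        raise ValueError(f"unknown gate {node.op}")
    # drop any cut set that is a proper superset of another one
    return {s for s in candidates if not any(o < s for o in candidates)}


def top_probability(node: Node) -> float:
    """Quantitative analysis ([0070]): exact for independent events that occur once in the tree."""
    if isinstance(node, Event):
        return node.prob
    ps = [top_probability(i) for i in node.inputs]
    if node.op == "AND":
        p = 1.0
        for q in ps:
            p *= q
        return p
    p_none = 1.0                 # OR: 1 - P(no input fires)
    for q in ps:
        p_none *= 1.0 - q
    return 1.0 - p_none


def rare_event_approximation(node: Node) -> float:
    """Sum over minimal cut sets (upper bound; also usable when events are shared)."""
    total = 0.0
    for cs in minimal_cut_sets(node):
        p = 1.0
        for e in cs:
            p *= e.prob
        total += p
    return total


def unmitigated_deficiencies(node: Node) -> Set[str]:
    """DEA-style check ([0068]): deficiencies that reach the top event without any measure."""
    bad = set()
    for cs in minimal_cut_sets(node):
        has_measure = any(e.kind == "M" for e in cs)
        bad.update(e.name for e in cs if e.kind == "D" and not has_measure)
    return bad


# Constructed sample values for the FIG. 3 element (not from the patent).
HW_FAILURE = Event("internal HW failure", "F", 1e-4)
ML_DEFICIENCY = Event("deficiencies of ML algorithm", "D", 1e-3)
ROBUSTNESS_CHECK = measure("runtime robustness detection", dc=0.9)
FIG3_ELEMENT = Gate("AND", (Gate("OR", (HW_FAILURE, ML_DEFICIENCY)), ROBUSTNESS_CHECK))

# Constructed extension: a second deficiency for which no measure is defined.
TRAINING_GAP = Event("incomplete training data", "D", 2e-3)
OUTPUT_FAILURE_MODE = Gate("OR", (FIG3_ELEMENT, TRAINING_GAP))

if __name__ == "__main__":
    for cs in minimal_cut_sets(OUTPUT_FAILURE_MODE):
        print(sorted(f"{e.kind}:{e.name}" for e in cs))
    print("P(hazard) exact :", top_probability(OUTPUT_FAILURE_MODE))
    print("P(hazard) approx:", rare_event_approximation(OUTPUT_FAILURE_MODE))
    print("unmitigated deficiencies:", unmitigated_deficiencies(OUTPUT_FAILURE_MODE))
```

    For the FIG. 3 element alone the only cut sets are {F, M} and {D, M}, so both the failure and the deficiency are covered by the measure; the constructed second deficiency produces the single-event cut set {D} and is reported by the DEA check, which is exactly the row an overview table per [0068] would flag. The exact probability walks the tree, which is only valid while no event feeds two gates; the cut-set sum is the usual rare-event bound and stays correct under shared events.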

    [0073] Use Cases:

    [0074] Traffic signs such as stop signs must be identified by an ML algorithm in a dependable way, otherwise this could result in a potential crash. The wrong classification of a stop sign is a deficiency of the ML algorithm and not a failure of the system itself. This deficiency must be mitigated in order to avoid hazardous situations, e.g., by extension of the training data w.r.t. potential wrong images or by providing an architecture with a second redundant data source (e.g., a second camera).

    [0075] Although the present invention has been disclosed in the form of preferred embodiments and variations thereon, it will be understood that numerous additional modifications and variations could be made thereto without departing from the scope of the invention.

    [0076] For the sake of clarity, it is to be understood that the use of “a” or “an” throughout this application does not exclude a plurality, and “comprising” does not exclude other steps or elements.