METHOD AND APPARATUS FOR PROVIDING A SAFE OPERATION OF A TECHNICAL SYSTEM

Abstract

A method and an apparatus for providing a safe operation of a technical system including a plurality of system components. The method includes the steps of: a) providing a safety analysis model matured by knowledge about former implementations of the respective system components in different context, b) whereby system components' dependencies are modeled by connecting inports with outports of the respective system components and/or vice versa, c) whereby at least one or a plurality of such in and/or outports are associated with input failure modes and/or output failure modes, d) characterized in automatically uncovering inconsistencies caused by at least one system component to be integrated in connection with at least another system component whereby the input and/or output failure mode of the system component carries the knowledge from another implementation into the context.

Claims

1. A method for providing a safe operation of a technical system comprising a plurality of system components, the method comprising: a) providing a safety analysis model matured by knowledge about former implementations of the respective system components in different context; b) whereby dependencies of the system components are modeled by connecting inports with outports of the respective system components and/or vice versa; c) whereby at least one or a plurality of such inports and/or outports are associated with input failure modes and/or output failure modes; d) wherein automatically uncovering inconsistencies caused by at least one system component to be integrated in connection with at least another system component whereby the input failure modes and/or output failure modes of the system component carries the knowledge from another implementation into the context.

2. The method according to claim 1, wherein maturation of the safety analysis model is effected when a system component is reused.

3. The method according to claim 1, wherein the safety analysis model is represented by a component fault tree comprising a plurality of component fault tree elements, whereby each component fault tree element comprises at least one component fault tree mode element representing a failure mode of the system component which is represented by the component fault tree element.

4. The method according to claim 1, wherein such inconsistencies are detected at the inports and outports of the respective system components.

5. The method according to claim 1, wherein for a system component to be integrated into an existing technical system, the failure modes which require integration and unconnected failure modes of this system component are identified, whereby existing knowledge of the system component are transferred into a new technical system where the component is reused.

6. The method according to claim 1, wherein for a system component to be integrated into an existing technical system, unconnected failure modes of this system component are identified, whereby existing knowledge of the existing system is transferred back to the reused component of the system, whereby existing instances of the component in other systems or implementations are reviewed.

7. The method according to claim 1, wherein the knowledge from former implementation is stored in a repository.

8. An apparatus for providing a safe operation of a technical system comprising a plurality of system components, comprising: a) a modeling unit for providing a safety analysis model matured by knowledge about former implementations of the respective system components in different context; b) whereby dependencies of system components dependencies are modeled by connecting inports with outports of the respective system components and/or vice versa; c) whereby at least one or a plurality of such inports and/or outports are associated with input failure modes and/or output failure modes; d) an analysis unit for automatically uncovering inconsistencies caused by at least one system component to be integrated in connection with at least another system component whereby the input failures modes and/or output failure modes of the system component carries the knowledge from another implementation into the context.

9. The apparatus according to claim 8, wherein maturation of the safety analysis model is effected when a system component is reused.

10. The apparatus according to claim 1, wherein the safety analysis model is represented by a component fault tree comprising a plurality of component fault tree elements, whereby each component fault tree element comprises at least one component fault tree mode element representing a failure mode of the system component which is represented by the component fault tree element.

11. The apparatus according to claim 8, wherein such inconsistencies are detected at the inports and outports of the respective system components.

12. The apparatus according to claim 1, wherein for a system component to be integrated into an existing technical system, the failure modes which require integration and unconnected failure modes of this system component are identified, whereby existing knowledge of the system component into a new technical system are transferred where the component is reused.

13. The apparatus according to claim 1, wherein for a system component to be integrated into an existing technical system, unconnected failure modes of this system component are identified, whereby existing knowledge of the existing system is transferred back to the reused component of the system, whereby existing instances of the component in other systems or implementations are review.

14. The apparatus according to claim 1, wherein said knowledge from former implementation is stored in a repository.

15. A computer program product directly loadabie into the internal memory of a computer, comprising software code portions for performing the steps of claim 7 when said computer program product is running on a computer.

Description

BRIEF DESCRIPTION

[0040] Some of the embodiments will be described in detail, with reference to the following figures, wherein like designations denote like members, wherein

[0041] FIG. 1 depicts a block diagram of a possible exemplary embodiment of an apparatus;

[0042] FIG. 2 shows an example of a system comprising components represented by interconnected component fault tree elements as employed by the method and apparatus;

[0043] FIG. 3 illustrates a cyber-physical system as an area of application, in accordance with embodiments of the present invention;

[0044] FIG. 4 schematically shows a Classic Fault Tree; and

[0045] FIG. 5 schematically shows a Component Fault Tree (CFT) illustrating the operation of the method and apparatus, in accordance with embodiments of the present invention.

DETAILED DESCRIPTION

[0046] The component fault tree CFT is a Boolean data model associated to system development elements such as components. The component fault tree CFT has the same expressive power as a classic fault tree. FIG. 4 shows an example of a classic conventional fault tree and FIG. 5 shows an example of a component fault tree CFT. As classic fault trees, also component fault trees can be used to model failure behavior of a safety critical system. This failure behavior is used to document that the respective system is safe and can also be used to identify drawbacks of the system design. In component fault trees, a separate component fault tree element is related to the respective component c of the safety critical system, SCS. Failures that are visible at the outport of a component are modeled using output failure modes (OFM), which are related to the specific outport of the component fault tree CFT element. For modeling how specific failures propagate from an import e.g. i1 of a component c to an outport, input failure modes (IFM) are used. The inner failure behavior that also influences the output failure modes is modeled using gates such as a NOT gate, an AND gate or an OR gate, and so-called basic events, as also illustrated in FIG. 5. Every component fault tree CFT can be transformed to a classic fault tree by removing the input and output failure mode elements. FIG. 4 shows a classic fault tree and FIG. 5 shows a component fault tree. In both trees, the top events or output events TE1 and TE2 are modeled. The component fault tree CFT model allows, additionally to the Boolean formulae that are also modeled within the classic fault tree, to associate the specific top events to the corresponding ports where the failures can appear. For example, in FIG. 5, the top event TE1 appears at outport o1. When using component fault trees, a component fault tree element is related to a component. Failures that are visible at a specific outport of a component are modeled using Output Failure Modes. Failure modes that are relevant at the inports of a component are modeled using input failure modes as depicted using triangles in FIG. 5). Input failure modes and internal failure modes, so-called basic events, are combined using Boolean logic to model the occurrence of output failure modes (failure propagation). The traceability between structural model elements and component fault tree elements is for example beneficial for an increased maintainability of the safety analysis model. Every component fault tree can easily be transformed to

a classic fault tree by removing the input and output failure mode elements. This step is typically done to analyze a network of component fault trees, since for classic fault tree analysis, the structural elements such as ports are no longer required. For any output failure mode, a fault tree can be synthesized from a CFT network in general. This involves the extraction of the Boolean failure propagation from any CFT contributing to the analyzed output failure mode by using the traces from input failure modes of a component's import over the port connection between components to output failure modes of another component's outports. This process is called CFT synthesis. If a classic fault tree can be composed for every output failure mode, the component fault tree network is called complete.

[0047] To show how CFTs can be used to foster model maturation in a component-based analysis. Let the System S consist of a set of components C={c.sub.1, . . . , c.sub.n}. Each component c∈C includes a set of inports IN(c)={in.sub.1, . . . in.sub.p} and a set of outports OUT(c)={out.sub.1, . . . , out.sub.q}. The information flow between the outport of a component c.sub.i∈C and the import of another component c.sub.j∈C is represented be a set of connections

CON={(out.sub.x, in.sub.y)|out.sub.x∈OUT(c.sub.i), in.sub.y∈IN(c.sub.j}

[0048] Each component fault tree element cft.sub.i of a component c.sub.i∈C may have input failure modes IFM(in.sub.k)={if m.sub.1, . . . , if m.sub.s} which are related to the import in.sub.k∈IN (c.sub.i) as well as output failure modes OFM(out.sub.l)={of m.sub.1, . . . , of m.sub.t} which are related to an outport out.sub.l∈OUT(c.sub.i). Additionally, each component fault tree element has an internal Boolean logic that is used to model how input failure modes arriving at a component propagate in combination with internal causes to the output failure modes.

[0049] The CFT element of a component can be reused in different implementations. Where cft.sup.tis defined as the CFT element cft at time t with cft.sup.0 is the initially created CFT element of the component c. Each time the CFT element is used in a different situation, it is cft.sup.t.fwdarw.cft.sup.t+1.

In the following, cases are focused where the CFT element is modified when reused in a new context, more precisely, if the new situation requires an adaptation. This circumstance relates to the following implications:

##STR00001##

[0050] The modification of a component implies the modification of the CFT element, but not vice versa, since it is a safety analysis model.

[0051] Since component fault trees are addressing structural model elements such as components and their dependencies modeled by inports and outports, structural changes of the system model can influence CFT elements. Possible modifications Δ.sub.c:c.sup.t.fwdarw.c.sup.t+1 of a single component c∈C with IN(c.sub.i.sup.t).fwdarw.IN(c.sub.i.sup.t+1) or OUT (c.sub.i.sup.t).fwdarw.OUT (c.sub.i.sup.t+1) can be

the addition of inports with IN (c.sub.i.sup.t)⊂IN(c.sub.i.sup.t+1),
the removal of inports with IN (c.sub.i.sup.t)⊃IN (c.sub.i.sup.t+1)
the addition of outports with OUT(c.sub.i.sup.t)⊂OUT(c.sub.i.sup.t+1)
the removal of outports with OUT(c.sub.i.sup.t)⊃OUT(c.sub.i.sup.t+1)

[0052] These modifications typically result in changes in the corresponding CFT element by adding or removing input or output failure modes. But not only structural changes during the reuse of a component can influence its safety analysis model. Also new failure modes that are related to the new situation require adaptation. Similar to the changes of in- and outports as described above, the set of input and output failure modes of a component c∈C change over time with IFM

IFM(in.sup.t).fwdarw.IFM(in.sup.t+1), in.sup.t∈IN(c.sup.t), in.sup.t+1∈IN(c.sup.t+1) and

OFM(out.sup.t).fwdarw.OFM(out.sup.t+1), out.sup.t∈OUT(c.sup.t), out.sup.t+1∈OUT(c.sup.t+1).

[0053] If there are

additional input failure modes, it is IFM(in.sup.t)⊂IFM(in.sup.t+1)
additional output failure modes, it is OFM(out.sup.t)⊂OFM(out.sup.t+1)
removed input failure modes, it is IFM(in.sup.t)⊃IFM(in.sup.t+1)
removed output failure modes, it is OFM(out.sup.t)⊃OFM(out.sup.t+1).

[0054] If during the synthesis of a fault tree from a component fault tree network there are input failure modes that have no corresponding output failure mode, the CFT network is incomplete and the synthesis of classic fault trees for analysis fails for some output failure modes. If a component is reused in a new system and the corresponding CFT element is not the reason for an incomplete CFT network, the component is called integrated. If a failed integration of a component is to identify where the old context of a situation does not match the new context, the following inconsistencies result in a failed integration:

[0055] FIG. 2 shows different types of inconsistencies when integration a component fault tree of component c into a network of existing components u and d. [0056] not all existing output failure modes can be connected to input failure modes of the component to be integrated (see example A in FIG. 2), [0057] not all existing input failure modes can be connected to output failure modes of the component to be integrated (see example B in FIG. 2), [0058] not all output failure modes of the component to be integrated can be connected to existing input failure modes (see example C in FIG. 2), or [0059] not all input failure modes of the component to be integrated can be connected to existing output failure modes (see example D in FIG. 2).

[0060] The input and output failure modes responsible for these inconsistencies can be identified automatically to help the engineer integrating a component. If the component to be integrated has a mature CFT model, its input and output failure modes carry the experience from other implementations into the new system.

[0061] Let cft∈CFT be such a component fault tree element of a component c∈C to be integrated into an existing network of component fault trees. Let {u.sub.1, . . . , u.sub.n}=U⊂C be the set of components from which a component c∈C receives inputs. This set is called the upstream components of c. Let cft.sub.1.sup.u, . . . , cft.sub.n.sup.u to be their component fault tree elements accordingly. Let {d.sub.1, . . . , d.sub.m}∈D⊃C be the set of components to which c.sub.1∈C propagates outputs to. This set is called the downstream components of c. Let cft.sub.1.sup.d, . . . , cft.sub.m.sup.d be their component fault tree elements accordingly.

[0062] A modification of a CFT element Δ.sub.cft leads to inconsistencies in context with the other CFT elements of the system when composing the safety artifacts in order to perform a safety analysis. These inconsistencies can automatically be detected at the in- and outports of the component c to be integrated using

forward (c)={fm|fm∈0FM(U)∪IFM(D), ∃fm.sub.c∈OFM(c)∪IFM(c): (fm.fwdarw.fm.sub.c)ν(fm.sub.c.fwdarw.fm)}

[0063] Using the previously defined sets forward(c) and backward(c) for a component c to be integrated into an existing system, the failure modes which require integration can be identified. The set forward(c) identifies unconnected failure modes of the component to be integrated and thereby transfers existing knowledge of the component into the new system where the component is reused (left side with examples A and B of FIG. 2). The set backward/c) contains unconnected failure modes of the existing system where c is to be integrated. This set transfers knowledge about the existing system back to the reused component (right side with examples C and D of FIG. 2). The information can be used to review the existing instances of c in other systems or implementations. So, solving the inconsistencies when reusing safety analysis models is beneficial for the system where such models are reused, but can also be beneficial to uncover safety issues in existing systems. Compositional safety analysis techniques, such as component fault trees, enable the general reuse of building blocks in this way.

[0064] FIG. 3 shows some possible participants in a loosely cyber-physical system. All participants Embedded Systems A,B,C and Systems D, E, F can possibly interact with each other for example via cable or wireless connection and execute the same function on different hardware. If one of these functions is reused in another system, e.g. system B uses autonomous driving from system D, it might require a recertication of the safety analysis model on the different hardware. If the information is present which part of the function of system D runs on which parts of the hardware of system B, the safety analysis models form B and D can be combined using the above described method to certify if the resulting system is performing its function the required quality in terms of functional safety. Furthermore, if a running system detects some faults for components that are also active in a different system, the afore mentioned method can be used to anticipate these faults in all existing instances of systems where the component is used in.

[0065] FIG. 1 illustrates a possible exemplary embodiment of an apparatus 1 adapted to provide a safe operation of a technical system, SCS, having a plurality of system components c. The functional safety behavior of each component c is represented by an associated component fault tree element which can be stored in a library or in a database.

[0066] As can be seen in FIG. 1, the apparatus 1 in the illustrated embodiment comprises a modeling unit 2 having the functionality to provide a safety analysis model matured by knowledge about former implementations of the respective system components in different context. The apparatus 1 further comprises an analysis unit having the functionality to uncover automatically inconsistencies caused by at least one system component to be integrated in context with at least another system component whereby the input and/or output failure mode of said system component carries the knowledge from former implementation into said context.

[0067] In order to uncover inconsistencies of the above mentioned type the component fault tree of the respective system components is analysed according to the above mentioned method.

[0068] It is to be understood that the elements and features recited in the appended claims may be combined in different ways to produce new claims that likewise fall within the scope of embodiments of the present invention. Thus, whereas the dependent claims appended below depend from only a single independent or dependent claim, it is to be understood that these dependent claims may, alternatively, be made to depend in the alternative from any preceding or following claim, whether independent or dependent, and that such new combinations are to be understood as forming a part of the present specification.

[0069] Although the present invention has been disclosed in the form of preferred embodiments and variations thereon, it will be understood that numerous additional modifications and variations could be made thereto without departing from the scope of the invention.

[0070] For the sake of clarity, it is to be understood that the use of “a” or “an” throughout this application does not exclude a plurality, and “comprising” does not exclude other steps or elements.