Formalization of Fault Trees in Higher-order Logic: A Deep Embedding Approach
Waqar Ahmed and Osman Hasan
System Analysis and Verification (SAVe Lab), National University of Sciences and Technology (NUST)
Islamabad, Pakistan
SETTA 2016, Beijing, China
November 11, 2016
Outline
1 Introduction
2 Formalization of Fault Trees
3 Application: NextGen Air Traffic Management System with ASN Gateway
4 Conclusions
W. Ahmed and O. Hasan Formalization of Fault Trees in HOL November 11, 2016 2 / 40
Failure Analysis
Study the impact of a component fault on system failure and thus make decisions to make systems more reliable:
Component Replacement
Redundancy
Fault Tree
A graphical method used to identify potential causes of system failure
A fault tree is constructed having:
Events: describing the faults of system components
Logic Gates: representing the logical relationship between events (AND, OR, NAND, NOR, etc.)
[Figure: generic fault tree structure. TOP event; first-level contributors to the TOP event by logic gates; first-level events; second-level contributors to the TOP event by logic gates; second-level contributors; basic failure events]
Example: Power Supply System
Determine the overall failure probability
[Figure: power supply system with components Main, Transformer, Generator and UPS supplying the User]
Fault Tree Analysis
Step 1
Construct a FT and represent Top Event in terms of basic events
[Figure: fault tree of the power supply system with top event F(PS) and basic events M (Main), T (Transformer), G (Generator), U (UPS)]
$\text{pow\_sys\_fail} = (M \cup T) \cap G \cap U$
Fault Tree Analysis
Step 2
Evaluate the probability of failure using the Probabilistic Inclusion-Exclusion principle:
$$P\left(\bigcup_{i=1}^{n} A_i\right) = \sum_{J \neq \emptyset,\; J \subseteq \{1,2,\dots,n\}} (-1)^{|J|-1} \, P\left(\bigcap_{j \in J} A_j\right)$$
$P(\text{pow\_sys\_fail}) = P((M \cup T) \cap G \cap U) = P(M \cap G \cap U) + P(T \cap G \cap U) - P(M \cap T \cap G \cap U)$
Fault Tree Analysis
Step 3
Using Mutual Independence property
$P(\text{pow\_sys\_fail}) = P(M) \ast P(G) \ast P(U) + P(T) \ast P(G) \ast P(U) - P(M) \ast P(T) \ast P(G) \ast P(U)$
Types of FT Gates
| FT Gate | Failure Probability Expression |
|---|---|
| AND | $F(t) = \Pr\left(\bigcap_{i=2}^{N} A_i(t)\right) = \prod_{i=2}^{N} F_i(t)$ |
| OR | $F(t) = \Pr\left(\bigcup_{i=2}^{N} A_i(t)\right) = 1 - \prod_{i=2}^{N} (1 - F_i(t))$ |
| NOR | $F(t) = 1 - F_{OR}(t) = \prod_{i=2}^{N} (1 - F_i(t))$ |
| NAND | $F(t) = \Pr\left(\bigcap_{i=2}^{k} \overline{A_i(t)} \cap \bigcap_{j=k}^{N} A_j(t)\right) = \prod_{i=2}^{k} (1 - F_i(t)) \ast \prod_{j=k}^{N} F_j(t)$ |
| XOR | $F(t) = \Pr\left(\overline{A(t)}B(t) \cup A(t)\overline{B(t)}\right) = F_A(t)(1 - F_B(t)) + F_B(t)(1 - F_A(t))$ |
| NOT | $F(t) = \Pr\left(\overline{A(t)}\right) = 1 - F_A(t)$ |
Fault Tree Analysis Applications
A standard technique for failure analysis in many safety-critical fields
Nuclear Power Industry (NRC NUREG-0492)
Civil Aerospace (NASA, SAE ARP4761)
Military Systems (MIL-HDBK-338)
Cross Industry (IEC 61025)
Fault Tree Analysis Techniques
| Feature | Paper-and-pencil Proof | Simulation Tools | Model Checking | Theorem Proving |
|---|---|---|---|---|
| FT Models | Paper (Random Variables) | Computer Program (Pseudo Random Numbers) | State Transition Graph (Markov Chains) | Logical Function |
| Analysis | Analytically (probability distributions, PIE and MI) | Numerical Methods | State Exploration | Formal Reasoning |
| Expressiveness | X (?) | X | | X |
| Accuracy | X (?) | | X | X |
| Automation | | X | X | |
Failure Analysis using Theorem Proving
Probability Theory
J. Hurd (2002), PhD Thesis, University of Cambridge: Formal Verification of Probabilistic Algorithms.
O. Hasan (2008), PhD Thesis, Concordia University: Formal Probabilistic Analysis using Theorem Proving.
T. Mhamdi (2011), PhD Thesis, Concordia University: Information-Theoretic Analysis using Theorem Proving.
J. Hölzl (2012), PhD Thesis, Technical University of Munich: Construction and Stochastic Applications of Measure Spaces in Higher-Order Logic.
Failure Analysis using Theorem Proving
Component Level
Combinational Circuits (Hasan et al. JAL-2011)
Reconfigurable Memory Arrays (Hasan et al. TC-2010)
Electronic System Components (Abbasi et al. WoLLIC-2014)
System Level
Formalization of Reliability Block Diagrams (RBD) (Waqar et al. CICM-2014), (Waqar et al. JAL-2016)
Formalization of Fault Trees (FT) (Waqar et al. CICM-2015)
Applications
Oil and Gas Pipelines using RBD (Waqar et al. CICM-2014)
WSN Transport Protocols using RBD (Waqar et al. WiMob-2015)
Satellite Solar Array using FT (Waqar et al. CICM-2015)
Virtual Data Center (Waqar et al. JAL-2016)
Limitations of the Existing Formalization of Fault Trees
Shallow Embedding
The notion of each FT gate was explicitly defined on an event list
Non-compositional
The basic FT gates, such as AND, OR and NOT, cannot be used to formalize other FT gates
Relationship to Reliability Block Diagrams is missing
This relationship is very important for reducing the complexity of analysis while dealing with large systems
Methodology
[Figure: methodology flow. System Description → Formal Model; System Failure Properties → Proof Goal. The Fault Tree Gates in HOL (AND, OR, NAND, NOR with their failure expressions) and the Transformation to Reliability Block Diagrams feed the Theorem Prover, which yields Formally Verified Failure Properties.]
Failure Expressions of the gates:
$F_{AND}(t) = \prod_{i=2}^{N} F_i(t)$
$F_{OR}(t) = 1 - \prod_{i=2}^{N} (1 - F_i(t))$
$F_{NAND}(t) = \prod_{i=2}^{k} (1 - F_i(t)) \ast \prod_{j=k}^{N} F_j(t)$
$F_{NOR}(t) = \prod_{i=2}^{N} (1 - F_i(t))$
Formalization of Fault Tree Gates
Defined a new datatype in HOL to model FT gates
Datatype for Gates
Hol_datatype `gate = AND of gate list | OR of gate list | NOT of gate | atomic of 'a event`
Definition
⊢ (∀p. FTree p (AND []) = Ω_p) ∧
  (∀xs x p. FTree p (AND (x::xs)) = FTree p x ∩ FTree p (AND xs)) ∧
  (∀p. FTree p (OR []) = {}) ∧
  (∀xs x p. FTree p (OR (x::xs)) = FTree p x ∪ FTree p (OR xs)) ∧
  (∀p a. FTree p (NOT a) = Ω_p - FTree p a) ∧
  (∀p a. FTree p (atomic a) = a)
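As an added worked example (not the authors' HOL4 development), the gate datatype and the FTree semantics above are mirrored in Python, together with the Step 1 to Step 3 computation for the power supply system. The probability space is a constructed toy: n mutually independent basic failure events, so the semantic probability can be checked exactly against the closed forms; the names `ProbSpace`, `ftree`, `power_supply_failure` and `gate_closed_forms` are this example's own.

```python
"""Deep embedding of fault-tree gates, mirroring the HOL datatype
    gate = AND of gate list | OR of gate list | NOT of gate | atomic of 'a event
Added example, not the authors' HOL4 code.  The probability space is a
constructed toy: n mutually independent basic failure events, one per
component, so an outcome is a tuple of n booleans (True = component failed)."""
from dataclasses import dataclass
from itertools import product
from math import prod
from typing import FrozenSet, Tuple

Outcome = Tuple[bool, ...]   # w[i] is True when basic event i has occurred
Event = FrozenSet[Outcome]


@dataclass(frozen=True)
class AND:
    gates: tuple

@dataclass(frozen=True)
class OR:
    gates: tuple

@dataclass(frozen=True)
class NOT:
    gate: object

@dataclass(frozen=True)
class Atomic:
    event: Event


class ProbSpace:
    """Omega = all assignments of the n basic events; P(w) = prod p_i^w_i (1-p_i)^(1-w_i)."""

    def __init__(self, failure_probs):
        self.p = list(failure_probs)
        self.omega: Event = frozenset(product((False, True), repeat=len(self.p)))

    def basic(self, i: int) -> Event:
        """Failure event of component i; its F_i(t) is self.p[i]."""
        return frozenset(w for w in self.omega if w[i])

    def prob(self, e: Event) -> float:
        return sum(prod(pi if wi else 1 - pi for pi, wi in zip(self.p, w)) for w in e)


def ftree(ps: ProbSpace, g) -> Event:
    """Semantic function FTree, clause by clause as in the HOL definition:
    AND [] = Omega, OR [] = {}, NOT a = Omega - a, atomic a = a."""
    if isinstance(g, AND):
        e = ps.omega
        for x in g.gates:
            e = e & ftree(ps, x)
        return e
    if isinstance(g, OR):
        e = frozenset()
        for x in g.gates:
            e = e | ftree(ps, x)
        return e
    if isinstance(g, NOT):
        return ps.omega - ftree(ps, g.gate)
    return g.event


def power_supply_failure(pM, pT, pG, pU):
    """Step 1: pow_sys_fail = (M u T) n G n U as a deep-embedded gate tree.
    Returns (exact probability from the semantics, Step 2 + Step 3 closed form)."""
    ps = ProbSpace([pM, pT, pG, pU])
    M, T, G, U = (Atomic(ps.basic(i)) for i in range(4))
    top = AND((OR((M, T)), G, U))
    exact = ps.prob(ftree(ps, top))
    # PIE (Step 2) followed by mutual independence (Step 3)
    closed = pM * pG * pU + pT * pG * pU - pM * pT * pG * pU
    return exact, closed


def gate_closed_forms(probs, k=1):
    """Gate theorems checked on constructed inputs: (semantic probability, closed form).
    NAND follows the slides' AND (compl_list L1 ++ L2) with L1 = first k inputs;
    XOR = OR [AND [NOT A; B]; AND [A; NOT B]] on the first two inputs."""
    ps = ProbSpace(probs)
    L = tuple(Atomic(ps.basic(i)) for i in range(len(probs)))
    F = list(probs)
    A, B = L[0], L[1]
    nand = AND(tuple(NOT(x) for x in L[:k]) + L[k:])
    xor = OR((AND((NOT(A), B)), AND((A, NOT(B)))))
    return {
        "AND": (ps.prob(ftree(ps, AND(L))), prod(F)),
        "OR": (ps.prob(ftree(ps, OR(L))), 1 - prod(1 - f for f in F)),
        "NOR": (ps.prob(ftree(ps, NOT(OR(L)))), prod(1 - f for f in F)),
        "NAND": (ps.prob(ftree(ps, nand)), prod(1 - f for f in F[:k]) * prod(F[k:])),
        "XOR": (ps.prob(ftree(ps, xor)), F[0] * (1 - F[1]) + F[1] * (1 - F[0])),
    }
```

The semantic probability enumerates all 2^n outcomes, so it is exact but only feasible for small trees; the closed forms are what the HOL theorems give for arbitrary N.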
AND FT Gate
The output failure event occurs if all of its input failure events occur
[Figure: AND gate with inputs A and B and OUTPUT; for the output failure event to occur, all of the input events must occur]
$F_{AND\_gate}(t) = \Pr\left(\bigcap_{i=2}^{N} A_i(t)\right) = \prod_{i=2}^{N} F_i(t)$
HOL Formalization
⊢ ∀p L. prob_space p ∧ (∀x'. MEM x' L ⇒ x' ∈ events p) ∧ 2 ≤ LENGTH L ∧ mutual_indep p L ⇒
  (prob p (FTree p (AND (gate_list L))) = list_prod (list_prob p L))
OR FT Gate
The output failure event occurs if any one of its input failure events occurs
[Figure: OR gate with inputs A and B and OUTPUT; for the output failure event to occur, any of the input events must occur]
$F_{OR\_gate}(t) = \Pr\left(\bigcup_{i=2}^{N} A_i(t)\right) = 1 - \prod_{i=2}^{N} (1 - F_i(t))$
Theorem
⊢ ∀p L. prob_space p ∧ 2 ≤ LENGTH L ∧ (∀x'. MEM x' L ⇒ x' ∈ events p) ∧ mutual_indep p L ⇒
  (prob p (FTree p (OR (gate_list L))) = 1 - list_prod (one_minus_list (list_prob p L)))
FT Gates
FT Gates Formalization
NAND (inputs 1..k negated, k..n direct):
⊢ ∀p L1 L2. NAND_FT_gate p L1 L2 = FTree p (AND (gate_list (compl_list p L1 ++ L2)))
NOR (inputs 1..n):
⊢ ∀p L. NOR_FT_gate p L = FTree p (NOT (OR (gate_list L)))
XOR (inputs 1, 2):
⊢ ∀p A B. XOR_FT_gate p A B = FTree p (OR [AND [NOT A; B]; AND [A; NOT B]])
Inhibit (inputs 1, 2 and a conditioning event):
⊢ ∀p A B C. inhibit_FT_gate p A B C = FTree p (AND [OR [A; B]; NOT C])
Comp (inputs 1, 2):
⊢ ∀p A B. comp_FT_gate p A B = FTree p (OR [AND [A; B]; NOR_FT_gate p [A; B]])
Majority voting (m out of n):
⊢ ∀p X m n. major_voting_FT_gate p X m n =
  BIGUNION (IMAGE (λx. PREIMAGE X {Normal (&x)} ∩ p_space p) {x | k ≤ x ∧ x < SUC n})
Formal Verification of FT Gates
Mathematical Expressions and Theorems' Conclusions
NAND:
$F_{NAND}(t) = \Pr\left(\bigcap_{i=2}^{k} \overline{A_i(t)} \cap \bigcap_{j=k}^{N} A_j(t)\right) = \prod_{i=2}^{k} (1 - F_i(t)) \ast \prod_{j=k}^{N} F_j(t)$
⊢ ∀p L1 L2. (prob p (NAND_FT_gate p L1 L2) =
  list_prod (list_prob p (compl_list p L1)) * list_prod (list_prob p L2))
NOR:
$F_{NOR}(t) = 1 - F_{OR}(t) = \prod_{i=2}^{N} (1 - F_i(t))$
⊢ ∀p L. (prob p (NOR_FT_gate p L) = list_prod (one_minus_list (list_prob p L)))
XOR:
$F_{XOR}(t) = \Pr\left(\overline{A(t)}B(t) \cup A(t)\overline{B(t)}\right) = (1 - F_A(t))F_B(t) + F_A(t)(1 - F_B(t))$
⊢ ∀p A B. prob_space p ∧ A ∈ events p ∧ B ∈ events p ⇒
  (prob p (XOR_FT_gate p (atomic A) (atomic B)) =
   (1 - prob p A) * prob p B + prob p A * (1 - prob p B))
Inhibit:
$F_{inhibit}(t) = \Pr\left((A(t) \cup B(t)) \cap \overline{C(t)}\right) = (1 - (1 - F_A(t)) \ast (1 - F_B(t))) \ast (1 - F_C(t))$
⊢ ∀p A B C.
  (prob p (inhibit_FT_gate p (atomic A) (atomic B) (atomic C)) =
   (1 - (1 - prob p A) * (1 - prob p B)) * (1 - prob p C))
Formal Verification of FT Gates
Mathematical Expressions and Theorems' Conclusions (continued)
Comp:
$F_{comp}(t) = \Pr\left((A(t) \cap B(t)) \cup \overline{(A(t) \cup B(t))}\right) = 1 - (1 - F_A(t)F_B(t)) \ast (1 - (1 - F_A(t)) \ast (1 - F_B(t)))$
⊢ ∀p A B C.
  (prob p (comp_FT_gate p (atomic A) (atomic B)) =
   1 - (1 - prob p A * prob p B) * (1 - (1 - prob p A) * (1 - prob p B)))
Majority voting (m out of n):
$F_{m|n}(t) = \Pr\left(\bigcup_{i=m}^{n} \text{exactly } i \text{ components are functioning properly}\right) = \sum_{i=m}^{n} \binom{n}{i} F^{i} (1 - F)^{n-i}$
⊢ ∀p n k X F.
  (prob p (major_voting_FT_gate p X m n) =
   sum (m, SUC n - m) (λx. (&binomial n x) * (F pow x) * (1 - F) pow (n - x)))
The FT formalization took about 2500 lines of code and 125 man-hours
NextGen Air Traffic Management System with ASNGateway
A comprehensive satellite-based agile decision-making suite for better coordination of air traffic
Benefits
Decrease in fuel consumption and carbon emission
On-time arrival and departure
Successfully operating in the US and to date has saved 11.6 billion USD
Fault Tree for the NextGen ATMS with ASN Gateway
Level 1: An aviation accident caused by the lack of appropriate control, equipment, internal and external malfunctions
[Figure: Level 1 fault tree. Events: ED: Equipment Defect; EQ1: Equipment Defect not found; EN1: Environmental Effects; EN2: Aircraft Dangerous Environment; EN3: Aircraft Influenced by Environment; EN4: Environmental Events may Damage Aircraft]
Fault Tree for the NextGen ATMS with ASN Gateway
Level 2: Comprises failures related to the flight function mishap
[Figure: Level 2 sub-tree "Internal" with gates G22, G23, G24 and G25. Events: PD: Propagation Delay; AP: Error in AP Component; FF1; Notshwn; sub-trees A and RT]
Fault Tree for the NextGen ATMS with ASN Gateway
Level 3: Failure occurs if the transmission delay is longer than the expected deadline
[Figure: Level 3 sub-trees. RT with gates G20 and G21 over AL, SL, PD, others and Time; A with gate G19 over B1, B2 and B3. Events: C6: Hardware b/w RTDS and ASN Failure; C7: RTI Software Failure; C8: Issues are not handled properly]
Fault Tree for the NextGen ATMS with ASN Gateway
Level 4: Failures related to the communication of messages
[Figure: Level 4 sub-tree B1 with gates G1 to G9. Events: D1: RTDS fails to send Route-messages; E1: Lack of Encryption Mechanism; E2: Lack of auth. Mechanism; E21: Attacker attacks the system; E3: Loss/Damage of data Storage; E4: fail to search database; E5: Fail to update Database; D4: RTDS fails to send ADSB messages; E6: Lack of Encryption Mechanism; E7: Lack of auth. Mechanism; E8: Loss/Damage of data Storage; E9: fail to search database; E10: fail to update database]
Formalization Approach
Starts by formalizing the lowest level, i.e., Level 4, and then hierarchically goes up to Level 1
HOL Definition of B1 FT at Level 4
∀p t D1 D4 E1 E2 E3 E4 E5 E6 E7 E8 E9 E10 E21.
  B1_FT p t D1 D4 E1 E2 E3 E4 E5 E6 E7 E8 E9 E10 E21 =
  (OR [OR [atomic (fail_event p D1 t);
           AND [OR (gate_list (fail_event_list p [E1; E2] t));
                atomic (fail_event p E21 t)];
           OR (gate_list (fail_event_list p [E3; E4; E5] t))];
       OR [atomic (fail_event p D4 t);
           AND [OR (gate_list (fail_event_list p [E6; E7] t));
                atomic (fail_event p E21 t)];
           OR (gate_list (fail_event_list p [E8; E9; E10] t))]])
Formalization of Sub-FTs
The Level 3 FT formalization is based on the Level 4 sub-FTs, i.e., B1 and B2
HOL Definition of A FT
A_FT p t D1 D4 D7 D10 E1 E2 E3 E4 E5 E6 E7 E8 E9 E10 E11
     E12 E13 E14 E15 E16 E17 E18 E19 E20 E21 C5 C6 C7 C8 =
  OR [B1_FT p t D1 D4 E1 E2 E3 E4 E5 E6 E7 E8 E9 E10 E21;
      B2_FT p t D7 D10 E11 E12 E13 E14 E15 E16 E17 E18 E19 E20 E21;
      AND [OR (gate_list (fail_event_list p [C5; C6; C7] t));
           atomic (fail_event p C8 t)]]
Formalization of NextGen ATM FT
Similarly, we formalized the complete NextGen FT in HOL
HOL Definition of NextGen FT
ASN_gateway_FT p t FD AP FF1 D1 D4 D7 D10 E1 ... E21
     C5 C6 C7 C8 notshw AL SL PD Others time ED EQ1 EN1 EN2
     EN3 EN4 human =
  [AND [OR (gate_list (fail_event_list p [FD; AP] t));
        atomic (fail_event p FF1 t)];
   AND [OR [AND (gate_list (fail_event_list p [ED; EQ1] t));
            OR [AND (gate_list (fail_event_list p [EN1; EN2; EN3; EN4] t));
                fail_event p human t];
            Internal_FT_gate p t FD AP FF1 D1 D4 D7
                D10 E1 ... E21 C5 C6 C7 C8 notshw AL SL PD Others time]]
Verification Approach
Traditionally, Probabilistic Inclusion-Exclusion has been used for failure estimation:
$$P\left(\bigcup_{i=1}^{n} A_i\right) = \sum_{t \neq \emptyset,\; t \subseteq \{1,2,\dots,n\}} (-1)^{|t|+1} \, P\left(\bigcap_{j \in t} A_j\right)$$
Requires significant user interaction for large FTs
A tractable solution is to convert the given FT to its equivalent RBD configuration:
An OR gate at the top of a FT can be transformed to a Parallel-series RBD
An AND gate at the top of a FT can be transformed to a Series-parallel RBD
The NextGen FT is equivalent to a Parallel-series RBD configuration
Reliability Block Diagrams
[Figure: parallel-series RBD between input I and output O: M parallel paths, each a series of blocks 1..N]
$R_{parallel\text{-}series}(t) = \Pr\left(\bigcup_{i=1}^{M} \bigcap_{j=1}^{N} A_{ij}(t)\right) = 1 - \prod_{i=1}^{M} \left(1 - \prod_{j=1}^{N} R_{ij}(t)\right)$
Theorem
⊢ ∀p L. prob_space p ∧ (∀z. MEM z L ⇒ ¬NULL z) ∧
  (∀x'. MEM x' (FLAT L) ⇒ x' ∈ events p) ∧ mutual_indep p (FLAT L) ⇒
  (prob p (rbd_struct p ((parallel of (λa. series (rbd_list a))) L)) =
   1 - list_prod ((one_minus_list of (λa. list_prod (list_prob p a))) L))
NextGen FT transformed to its equivalent RBD
Lemma for NextGen FT to RBD
⊢ ∀p t FD AP FF1 D1 D4 D7 D10 E1 ... E21 C5 C6 C7 C8 notshw AL SL
   PD Others time ED EQ1 EN1 EN2 EN3 EN4 human.
  (ASN_gateway_FT p t FD AP FF1 D1 D4 D7 D10 E1 ... E21 C5 C6 C7
     C8 notshw AL SL PD Others time ED EQ1 EN1 EN2 EN3 EN4 human =
   rbd_struct p ((parallel of (λa. series (rbd_list a)))
     (list_fail_event_list p [[ED; EQ1]; [EN1; EN2; EN3; EN4]; [human];
        [FD; FF1]; [FF1; AP]; [D1]; [D4]; [E1; E21]; [E2; E21];
        [E3]; [E4]; [E5]; [E6; E21]; [E7; E21]; [E8]; [E9]; [E10]; [D7]; [D10];
        [E11; E21]; [E12; E21]; [E13]; [E14]; [E15]; [E16; E21]; [E17; E21];
        [E18]; [E19]; [E20]; [C5; C8]; [C6; C8]; [C7; C8]; [notshw];
        [AL; time]; [SL; time]; [PD; time]; [Others; time]] t)))
Failure Assessment of NextGen ATM System
Theorem
⊢ (prob p (ASN_gateway_FT p t FD AP FF1 D1 D4 D7 D10 E1 ··· E21
     C5 C6 C7 C8 notshw AL SL PD Others time ED EQ1 EN1 ··· EN4 human)
   =
   1 - (list_prod (one_minus_exp_prod t
          [[C_ED; C_EQ1]; [C_EN1; C_EN2; C_EN3; C_EN4]; [C_E6; C_E21]])) *
       exp (-(t * C_human)) * exp (-(t * C_notshw)) *
       ... list_prod (one_minus_exp_prod t [[C_AL; C_time];
          [C_SL; C_time]; [C_PD; C_time]; [C_other; C_time]]))))
The NextGen failure assessment took about 200 lines of HOL code within 20 hours
Conclusions
Accuracy of failure analysis is very important, as an inaccurate failure analysis leads to an unreliable design
The proposed method guarantees sound and complete failure analysis results
More scalable and user-friendly compared to the existing formalization
Future Work
Formalize dynamic fault tree gates, like PAND, and dynamic fault trees
Enhance the automation in the reasoning process by building specialized tactics
Build a GUI such that the fault tree is input by a user and the theorem prover can be used in the background to provide the failure probability