System integrated fault-tree analysis methods (SIFTAN)

US 4,870,575 A
Filed: 10/01/1987
Issued: 09/26/1989
Est. Priority Date: 10/01/1987
Status: Expired due to Term

First Claim

Patent Images

1. A method of performing integrated fault-tree analysis on a software controlled system, said software controlled system employing a specific hardware configuration which hardware configuration is selectively operated by means of programmed software comprising the steps performed by a computer of:

predicting a critical system output condition manifesting a top-level-event,determining from that predicted condition a set of prior system conditions which caused said event,modifying the system response upon detection of an unblocked patch to said event according to said set of prior system conditions.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The subject invention employs a system integrated fault-tree analysis (SIFTAN) which has the unique ability to detect all latent hardware and software design defects that could cause unanticipated critical failure of a complex software controlled electronic system. This new approach modifies and then integrates two existing system analysis techniques-namely, hardware fault-tree analysis (HFTA) and software fault-tree analysis (SFTA). The resultant integrated technique is identified as SIFTAN for system integrated fault-tree analysis. Through its integrated hardware/software scope and its critical failure focus, SIFTAN has unique potential to solve the essential analytical limitation behind the software reliability problem. The system exceeds the scope of all current system analysis techniques by providing a system free from all potential critical specification hardware or software design errors. The system accomplishes the above-noted objects by performing fault tree analysis with respect to the contents of a dynamic "stack of contradiction parameters" and then superimposing the modified hardware and software fault trees onto each other. The super position is accomplished by automatically branching from the software to a specified fault tree hardware whenever hardware could result in a critical system output. It is important to indicate that the SIFTAN system is applied with great advantages to early conceptual levels of system design in addition to its certification of the final design implementation.

Citations

25 Claims

1. A method of performing integrated fault-tree analysis on a software controlled system, said software controlled system employing a specific hardware configuration which hardware configuration is selectively operated by means of programmed software comprising the steps performed by a computer of:
- predicting a critical system output condition manifesting a top-level-event,determining from that predicted condition a set of prior system conditions which caused said event,modifying the system response upon detection of an unblocked patch to said event according to said set of prior system conditions.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 23)
- - 2. The method according to claim 1, wherein the step of determining includes tracking backward operation from said top-level-event to a first condition prior to said event and then to a second condition prior to said first condition and so on until all conditions in a descending order have been determined.
  - 3. The method according to claim 2, wherein the step of determining in descending order includes the step of superimposing hardware and software fault trees onto each other by branching from software to a specified hardware fault tree analysis wherever a specific hardware output could assume said prior condition, and initializing said hardware fault tree analysis with the specific parameters of said hardware output prior condition.
  - 4. The method according to claim 1, wherein the step of predicting said top-level-event includes:
    - forming a system design flow chart employing a program design language and using said design flow chart to predict said top-level-event by providing a software fault tree.
  - 5. The method according to claim 4, wherein said step of predicting said top-level-event further includes forming an upper level block diagram of the hardware configuration to provide a hardware fault tree and predicting said top-level-event by employing both said hardware and software trees.
  - 6. The method according to claim 4, wherein said program design language is ADA.
  - 7. The method according to claim 1, wherein the step of determining said set of prior system conditions includes the step of:
    - algorithmically parsing a code indicative of final system design andsearching said parsed code for a specified set of program formats according to a given contradiction search algorithm.
  - 8. The method according to claim 2, wherein the step of predicting said critical system output condition includes:
    - initializing a critical system output to be searched,obtaining a Stack of Contradiction Parameters indicative of conditions necessary to make said critical output a fault condition, andthen the step of determining the said set of prior conditions by comparing said conditions to said stack of contradiction parameters to determine if any contradictions exist between said prior conditions and any elements in said stack, andthen the further step of determining said set of prior conditions through examination of each prior condition itself for logical contradictions internal to said set of prior conditions without respect to said contradiction parameters.
  - 9. The method according to claim 2, further including the step of certifying said modification through reapplication of the analysis according to claim 1 and 2.
  - 23. The method according to claim 8 further including the step of terminating the steps of determining of prior conditions upon detection of either of the two types of said contradictions.

10. A method of performing an integrated fault-tree analysis on a digital software controlled system said software controlled system employing a specific hardware configuration which hardware configuration is selected to operate under control of programmed software comprising the steps performed by a computer of:
- defining a critical system output condition specifying a top-level-system event,forming a set of contradiction parameters indicative of the other top-level-system conditions,parsing the system software for a program statement which sets the defined top level system event,retrieving a generic fault-tree template for said program statement to identify which inputs to said program statement sets said top-level-event,examining said fault tree for contradictions according to said set of formed contradiction parameters to determine which inputs do not lead to said top-level-event, and which inputs do lead to said top-level-event,eliminating all inputs found which do not lead to said event,replacing all inputs which lead to said event for defining a new top-level-event and continuing said steps commencing with said step of parsing the system software until all inputs are eliminated.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 21, 22, 24, 25)
- - 11. The method according to claim 10, wherein the step of examining said fault tree includes the steps of determining two types of contradictions with a first type being internal contradictions indicative of paths within said fault tree which do not lead to said program statement and with the second time being external contradictions indicative of a discrepancy between a fault tree statement and an element in said set of contradiction parameters.
  - 12. The method according to claim 10, wherein the step of defining said critical output condition includes ANDing a combination of system events with a system output condition indicative of said top-level-event.
  - 13. The method according to claim 10, further including the steps of revising said system by modifying said hardware configuration as controlled by said software when all paths are not eliminated and then implementing the steps of claim 10 after said revision.
  - 14. The method according to claim 10, further including the step of initiating a hardware fault-tree analysis each time said retrieved generic fault tree is examined for contradictions which depend on hardware inputs and employing said new top-level-event for said hardware fault-tree analysis.
  - 15. The method according to claim 14, including the step of terminating said hardware fault-tree analysis when all inputs are prime events of known probability.
  - 16. The method according to claim 15, wherein said known probability is calculated based on an assigned reliability threshold.
  - 17. The method according to claim 10, wherein the step of retrieving said generic fault-tree template includes storing a plurality of said generic fault-tree templates in memory and accessing said memory for retrieving one of said stored plurality generic fault-tree templates.
  - 18. The method according to claim 10, wherein the step of examining includes ANDing together combinations of simultaneously occurring events in said set of contradiction parameters, and analyzing said AND'"'"'ed combinations together,
  - 21. The method according to claim 10, wherein said digital software controlled system is a digital defense electronic system.
  - 22. The method according to claim 10, wherein said digital software controlled system is a digital automatic flight control system.
  - 24. The method according to claim 11 further including the steps of adding said prior conditions to the set of contradiction parameters upon detection of neither of the two types of said contradictions.
  - 25. The method according to claim 11 wherein, upon indication that a path to said top-level-event exists completely through the software without being blocked by one of the two types of said contradictions, an output is generated indicating that the top-level-event can occur, and the further step of outputting an indication of the location in the software where the said one blocked path residue in order to facilitate corrective modification of the system under analysis.

19. ORing other parameters in said set with other simultaneously occurring events, and

20. separately analyzing said OR'"'"'ed combinations apart from said AND'"'"'ed combinations.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
ITT Corporation (ITT, Inc.)
Original Assignee
ITT Corporation (ITT, Inc.)
Inventors
Rutenberg, Mark R.
Primary Examiner(s)
SAFAVI, MICHAEL

Application Number

US07/103,628
Time in Patent Office

726 Days
Field of Search

364/200, 364/300, 364/900
US Class Current

716/136
CPC Class Codes

G06F 11/00   Error detection; Error corr...

G06F 2117/02   Fault tolerance, e.g. for t...

G06F 30/20   Design optimisation, verifi...

System integrated fault-tree analysis methods (SIFTAN)

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

System integrated fault-tree analysis methods (SIFTAN)

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links