Marc Förster
Research skills
-
Technical: Dependability modelling, FTA, FMEA, Model-Driven Development
-
IT: C++, Java, Eclipse, EMF, GMF, GEF, UML, XML
-
Statistical: Boolean logic, Stochastics, process calculus, Petri Nets, Markov Chains, Boolean networks, Bayesian networks
-
Other: Project Management, Visualisation, Lecturing
Research interests
-
Interests: Embedded Systems, Visualisation, Model-Driven Development, Dependability, Embedded Software, software-controlled systems, Safety patterns, Design space navigation, Model variability, Architecture-based dependability assessment, Stochastic modelling, Component engineering, Fault Tolerance, Modeling
Research experience
-
Teaching: Graduate lecturing on dependability modelling
-
Teaching: supervision of students' theses
-
Jun 2011
Research: Component integration
RWTH · Informatik 11 · RWTH Aachen
-
Jul 2008 – Oct 2010
Research: ViERforES (Virtual and augmented reality for highest safety and dependability of embedded systems)
Fraunhofer IESE · Embedded systems quality assurance · Applied research
-
Apr 2008 – Sep 2008
Research: Integration of safety models and product lines
Fraunhofer IESE · Safety & security · Applied research
-
Jul 2007 – Jan 2008
Research: New approaches to the dependability analysis of ambient-intelligence systems
Fraunhofer IESE · Safety & security · Applied research
-
Oct 2006 – Dec 2006
Research: Evaluation of design patterns for safety-oriented automotive systems
Fraunhofer IESE · Safety & security · Automotive
-
Oct 2006 – Dec 2006
Research: Diagnosis of external devices and services
Fraunhofer IESE · Safety & security · Automotive
-
Oct 2006 – Apr 2008
Research: BelAmI (Bilateral German-Hungarian project on ambient intelligence systems)
Fraunhofer IESE · Safety & security · Applied research
-
Jun 2006 – Apr 2010
Research: Embedded systems safety and reliability modeller/analyser
Kaiserslautern University of Technology · Software engineering: dependability · ESSaRel · Kaiserslautern
Dependability modelling and analysis, tool development, fault trees, Markov chains, model integration and transformation
-
Jun 2006 – Nov 2006
Research: Software hazard and failure analyses according to ISO/WD 26262, chapter 6
Fraunhofer IESE · Safety & security · Automotive
Education
-
Jan 2004 – Aug 2004
Universidad Rey Juan Carlos
Ingeniería de software (Software engineering) · Spain · Madrid
-
Apr 2003 – Jun 2006
Hasso-Plattner-Institut, Potsdam University
Dependability engineering, computer graphics · MSc · Germany · Potsdam
-
Oct 1999 – Mar 2003
Hasso-Plattner-Institut, Potsdam University
Software engineering · BSc · Germany · Potsdam
Other
-
Languages: German, Spanish, English, French
-
Scientific Memberships: IEEE
-
Other Interests: Basketball, running, playing Doppelkopf, listening to music, travelling, learning new languages
-
Reading: R Milner, Communication and concurrency; E Gamma et al, Design patterns; N Wiener, Cybernetics; B Russell, The principles of mathematics; D Steinberg et al, Eclipse modelling framework; G Boole, The laws of thought; M Mitchell, Complexity; N N Taleb, The black swan; Ch C Mann, 1491; E Easwaran, Dialogue with death; R Penrose, Shadows of the mind; G D Roberts, Shantaram; W von Niebelschütz, Kinder der Finsternis; R P Feynman, QED; G García Márquez, Cien años de soledad; H Marks, Mr Nice
-
Professional service: ISSRE 2011 publicity co-chair; ISSRE 2010 program committee member
Publications
-
Flexible, any-time FTA with component logic models
ISSRE, San Jose, CA, USA; 01/2010
This article presents a novel approach to facilitating fault tree analysis during the development of software-controlled systems. Based on a component-oriented system model, it combines second-order probabilistic analysis and automatically generated default failure models with a level-of-detail concept to ensure early and continuous analysability of system failure behaviour with optimal effort, even in the presence of incomplete information and dissimilar levels of detail in different parts of an evolving system model. The viability and validity of the method are demonstrated by means of an experiment.
-
Fault tree analysis of software-controlled component systems based on second-order probabilities
ISSRE, Mysuru, KA, India; 01/2009
Software is still mostly regarded as a black box in the development process, and its safety-related quality ensured primarily by process measures. For systems whose lion's share of service is delivered by (embedded) software, process-centred methods are seen to be no longer sufficient. Recent safety norms (for example, ISO 26262) thus prescribe the use of safety models for both hardware and software. However, failure rates or probabilities for software are difficult to justify. Only if developers take good design decisions from the outset will they achieve safety goals efficiently. To support safety-oriented navigation of the design space and to bridge the existing gap between qualitative analyses for software and quantitative ones for hardware, we propose a fault-tree-based approach to the safety analysis of software-controlled systems. Assigning intervals instead of fixed values to events and using Monte-Carlo sampling, probability mass functions of failure probabilities are derived. Further analysis of the PMFs leads to estimates of system quality that enable safety managers to take an optimal choice between design alternatives and to target cost-efficient solutions in every phase of the design process.
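The interval-plus-Monte-Carlo scheme this abstract describes, as an added illustration (not the paper's or the ESSaRel tool's code): a constructed fault tree in two design variants, basic-event probabilities drawn uniformly from their intervals (the uniform distribution is an assumption; the abstract does not fix one), and the resulting PMF and summary figures a safety manager would compare between the alternatives.

```python
"""Second-order fault tree analysis as the abstract describes it: basic events get
probability intervals and Monte-Carlo sampling turns them into a PMF of the
top-event probability. Added example, not the paper's code; tree, intervals,
bin count and sample size are constructed for illustration."""
import random
from collections import Counter

# Fault tree as nested tuples ("AND"|"OR", [children]); leaves name basic events.
# Constructed design A: hazard if the sensor fails OR both the hardware controller
# and its software fallback fail. Design B drops the software fallback.
DESIGN_A = ("OR", ["sensor", ("AND", ["ctrl_hw", "ctrl_sw"])])
DESIGN_B = ("OR", ["sensor", "ctrl_hw"])
# (lower, upper) probability per basic event; the software figure is least certain.
INTERVALS = {"sensor": (1e-4, 2e-4), "ctrl_hw": (1e-3, 2e-3), "ctrl_sw": (1e-2, 1e-1)}

def top_event_probability(node, probs):
    """Evaluate a coherent tree for fixed, independent basic-event probabilities."""
    if isinstance(node, str):
        return probs[node]
    gate, children = node
    child_p = [top_event_probability(c, probs) for c in children]
    if gate == "AND":  # all children must fail
        result = 1.0
        for p in child_p:
            result *= p
        return result
    if gate == "OR":  # at least one child fails
        survive = 1.0
        for p in child_p:
            survive *= 1.0 - p
        return 1.0 - survive
    raise ValueError(f"unknown gate {gate!r}")

def sample_top_event(tree, intervals, n_samples=5000, seed=1):
    """Draw each basic-event probability uniformly from its interval (an assumption)
    and evaluate the top event per draw; returns the sorted sample."""
    rng = random.Random(seed)
    samples = []
    for _ in range(n_samples):
        probs = {e: rng.uniform(lo, hi) for e, (lo, hi) in intervals.items()}
        samples.append(top_event_probability(tree, probs))
    return sorted(samples)

def pmf(samples, bins=10):
    """Bin the sample into a PMF: list of (bin upper edge, probability mass)."""
    lo, hi = samples[0], samples[-1]
    width = (hi - lo) / bins or 1.0
    counts = Counter(min(int((v - lo) / width), bins - 1) for v in samples)
    return [(lo + (i + 1) * width, counts[i] / len(samples)) for i in range(bins)]

def quality_estimate(samples, quantile=0.95):
    """Mean and upper quantile of the top-event probability: the figures a safety
    manager compares when choosing between design alternatives."""
    mean = sum(samples) / len(samples)
    return mean, samples[min(int(quantile * len(samples)), len(samples) - 1)]
```

Because the tree is coherent, every sampled top-event probability lies between the values obtained from the interval lower bounds and from the upper bounds, which is a quick sanity check on the sampler.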
-
Safety concept trees
RAMS, Fort Worth, TX, USA; 01/2009
The development of safety-critical systems requires the 'safe' development of a 'safe' system. Not only should the realized system fulfill specific safety goals, but for certification purposes the development process itself has to comply with safety standards. Both of these tasks are complex and cause a lot of effort and costs that cannot be sufficiently reduced by existing safety engineering methods. To facilitate these tasks, we developed the SICMA method. SICMA guides the engineer in following safety standards in the development of a system, in developing a system design that fulfills its safety goals and in documenting that the developed system is sufficiently safe. SICMA introduces Safety Concept Trees (SCTs) as a backbone to achieve vertical and horizontal traceability between all safety information, as needed for certification purposes. SCTs represent and fully preserve the component-oriented perspective assumed by state-of-the-art development methods, facilitating the handling and maintenance of complex systems. Using SCTs, a system design and its artifacts can be rigorously analyzed on every refinement level and it can be shown that they adhere to safety and certification criteria. This will lead to significantly reduced effort and costs in the standard-compliant development of safety-critical systems.
-
Probabilistic analysis of safety-critical adaptive systems with temporal dependences
RAMS, Las Vegas, NV, USA; 01/2008
Dynamic adaptation means that components are reconfigured at run time. Consequently, the degree to which a system fulfils its functional and safety requirements depends on the current system configuration at run time. The probability of a violation of functional requirements in combination with an importance factor for each requirement gives us a measure for reliability. In the same way, the degree of violation of safety requirements can be a measure for safety. These measures can easily be derived based on the probabilities of possible system configurations. For this purpose, we are introducing a new probabilistic analysis technique that determines configuration probabilities based on Fault trees, Binary Decision Diagrams (BDDs) and Markov chains. Through our recent work we have been able to determine configuration probabilities of systems, but we neglected timing aspects [1]. Timing delays have an impact on the adaptation behavior and are necessary to handle cyclic dependences. The contribution of the present article is to extend the analysis towards models with timing delays. This technique builds upon the Methodologies and Architectures for Runtime Adaptive Systems (MARS) [2], a modeling concept we use for specifying the adaptation behavior of a system at design time. The results of this paper determine configuration probabilities that are necessary to quantify the fulfillment of functional and safety requirements by adaptive systems.
-
Determining configuration probabilities of safety-critical adaptive systems
AINA, Niagara Falls, ON, Canada; 01/2007
This article presents a novel technique to calculate the probability that an adaptive system assumes a configuration. An important application area of dynamic adaptation is the cost-efficient development of dependable embedded systems. Dynamic adaptation exploits implicitly available redundancy, reducing the need for hardware redundancy, to make systems more available, reliable, survivable and, ultimately, more safe. Knowledge of configuration probabilities of a system is an essential requirement for the optimization of safety efforts in development. In perspective, it is also a prerequisite for dependability assessment. Our approach is based on a modeling language for complex reconfiguration behavior. We transform the adaptation model into a probabilistic target model that combines a compositional fault tree with Markov chains. This hybrid model can be evaluated efficiently using a modified BDD-based algorithm. The approach is currently being implemented in an existing reliability modeling tool.
-
State/event fault trees—A safety analysis model for software-controlled systems
Reliability Engineering & System Safety. 01/2007; 92:1521.
Safety models for software-controlled systems should be intuitive, compositional and have the expressive power to model both software and hardware behaviour. Moreover, they should provide quantitative results for failure or hazard probabilities. Fault trees are an accepted and intuitive model for safety analysis, but they are incapable of expressing state dependencies or temporal order of events. We propose to combine fault trees with an explicit State/Event semantics, using a graphical notation that is similar to Statecharts. Our new model, named State/Event Fault Trees (SEFTs), subsumes both deterministic state machines suited to describe software behaviour, and Markov chains that model probabilistic failures, while keeping the visualisation of causal chains known from fault trees. We allow exponentially distributed probabilistic events, deterministic delays, and triggered events. The model provides a component concept, where components are connected by typed ports. Quantitative evaluation is achieved by translating the component models to Deterministic and Stochastic Petri Nets (DSPNs) and using an existing tool for analysis or simulation.
-
Runtime adaptation in safety-critical automotive systems
IASTED, Innsbruck, Austria; 01/2007
The cost-efficient development of dependable systems is one of the major future challenges of the automotive industry. Existing fault tolerance approaches are often not applicable and not sufficient. Therefore, innovative alternatives are required. A possible solution is given by dynamic adaptation. In the case of errors, dynamic adaptation can ensure that the best possible system functionality is achieved and that critical functions are kept alive (survivability). Exploiting implicitly available redundancy, dynamic adaptation provides a cost-efficient means to keep up functionalities as long as possible without requiring expensive explicit redundancy channels. Unconstrained dynamic adaptation can lead to emergent, unpredictable behavior, making it inapplicable for safety-critical systems. In this paper, we illustrate how adaptation behavior can be explicitly modeled, analyzed, and verified at design time. By this means, it is possible to use the advantages of dynamic adaptation for the realization of safe and reliable systems.
-
Increased efficiency in the quantitative evaluation of state/event fault trees
12th IFAC Symposium on Information Control Problems in Manufacturing, INCOM, Saint-Etienne, France; 01/2006
State/Event Fault Trees (SEFTs) are a new, hierarchical and state-based modelling formalism for dependability analysis. SEFT semantics are defined by mapping the model onto an equivalent Deterministic and Stochastic Petri Net, which is also used for quantitative evaluation. This state-based analysis increases the expressive power of the model but often implies a very large state space. The present paper describes the development of a hybrid approach to avoiding state space largeness in SEFT evaluation. The basic strategy is to minimize model parts that must be evaluated using state-based methods and integrate the partial results in a combinatorial way, based on Binary Decision Diagrams. The approach is implemented in the Fault Tree Analysis framework ESSaRel, which offers SEFTs, among other models, for safety and reliability analysis.
-
Modularisation of state/event fault trees
01/2006
Degree: Master of science
Supervisor: Peter Liggesmeyer, Andreas Polze
-
State/event fault trees—A safety analysis model for software-controlled systems
Reliability Engineering & System Safety.
Safety models for software-controlled systems should be intuitive, compositional and have the expressive power to model both software and hardware behaviour. Moreover, they should provide quantitative results for failure or hazard probabilities. Fault trees are an accepted and intuitive model for safety analysis, but they are incapable of expressing state dependencies or temporal order of events. We propose to combine fault trees with an explicit State/Event semantics, using a graphical notation that is similar to Statecharts. Our new model, named State/Event Fault Trees (SEFTs), subsumes both deterministic state machines suited to describe software behaviour, and Markov chains that model probabilistic failures, while keeping the visualisation of causal chains known from fault trees. We allow exponentially distributed probabilistic events, deterministic delays, and triggered events. The model provides a component concept, where components are connected by typed ports. Quantitative evaluation is achieved by translating the component models to Deterministic and Stochastic Petri Nets (DSPNs) and using an existing tool for analysis or simulation. This paper, which is an extended version of [Kaiser B, Gramlich C. State-Event-Fault-Trees—a safety analysis model for software controlled systems. Computer safety, reliability, and security. Proceedings of the 23rd international conference, SAFECOMP 2004, Potsdam, Germany, September 21st–24th. Lecture Notes in Computer Science, vol. 3219, 2004. p. 195–209], revisits the model elements and the analysis procedure and provides a small case study of a fire alarm system, completed by an outlook on our tool project ESSaRel.