Improving Dependability of Robotics Systems

Nidhal Mahmud (University of Hull, UK)
Copyright: © 2018 |Pages: 12
DOI: 10.4018/978-1-5225-2255-3.ch593

Abstract

The use of robotics systems is increasingly widespread and spans a variety of application areas. From healthcare, to manufacturing, to space missions, these systems are typically conceived to perform dangerous or critical tasks. The nature of such tasks (e.g., surgical operations or radioactive waste clean-up) places high demands on the dependability of robotics systems. Fault tree analysis is among the most often used dependability assessment techniques in the various domains of robotics. However, fault tree analysis of cost-effective fault-tolerant robotics systems requires the compositional synthesis of fault trees extended with enough expressive power to capture the sequential dependencies among components. This chapter therefore presents relevant experience from the automotive domain: a synthesis approach that computes expressions of global failure conditions from the dysfunctional behavior local to the components. The benefits of the approach for the dependability analysis of robotics architectures are illustrated on a fault-tolerant example system.

Introduction

The use of robotics systems is widespread and spans a variety of application areas. From healthcare, to manufacturing, to nuclear power plants, to space missions, these systems are typically conceived to perform difficult, dangerous or critical tasks. The nature of such tasks (e.g., surgical operations, radioactive waste clean-up or space mining) places high demands on the dependability of robotics systems.

Concern for the dependability of robotics systems is not new. Fault Tree Analysis (FTA; Vesely, 1981) and Failure Modes and Effects Analysis (FMEA; IEEE Std. 352, 1987) are among the techniques most often used in the various domains of robotics. For instance, Visinsky, Walker, and Cavallaro (1993) describe the use of FTA for robots operating in remote and hazardous environments. Other fields of application include industrial robots, as in Karbasian, Mehr, and Agharajabi (2012), and modular and swarm robots, as in Murray, Liu, Winfield, Timmis, and Tyrrell (2012).

The widespread use of FTA in the dependability assessment of complex systems is mainly due to the flexibility and ease of use of fault trees. These are static (i.e., purely Boolean) models, and therefore allow efficient Boolean calculus to eliminate the component failures that are irrelevant to the total failure of the system. This logical reduction (known as qualitative analysis; its result is the set of minimal cut sets) simplifies the subsequent computation of overall probabilities of system hazards (quantitative analysis). Such convenience comes at a price, however: the order in which failure events occur carries no meaning in a Boolean model, so the dynamic features often exhibited by modern systems cannot be captured by combinatorial models of this kind.

Robotics systems are certainly no exception when it comes to sequence-dependent failures. For example, the loss of dynamic aspects caused by using static fault trees in the analysis of modular robotic systems is clearly noted in Murray et al. (2012). To overcome this drawback, one alternative is to use fault trees extended with the ability to capture dynamic features. A well-known example is the Dynamic Fault Tree (DFT) approach (Dugan, Bavuso, & Boyd, 1992). This method was conceived primarily for quantitative analysis, which is usually state-based: Markov analysis over state transition diagrams (Markov models) is the most prominent DFT solution technique. That is, the full power of the Boolean methods was sacrificed, especially when it comes to analyzing the dynamic parts of the system at the level of the fault tree itself (i.e., reducing the DFT).

On the theoretical side, later research has provided ways to carry out FTA in the presence of dynamic aspects. One technique, the one relevant to this article, extends the Boolean methods with a temporal logic calculus. In this connection, a set of temporal laws that enable qualitative analysis of fault trees extended with dynamic features can be found in Walker and Papadopoulos (2009). In the same vein, the algebraic formalism of Merle, Roussel, Lesage, and Bobbio (2010) gives formal descriptions of dynamic behaviors and proves a number of theorems useful for the qualitative analysis of this type of fault tree; it also covers the corresponding probabilistic algebraic analysis.
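To make the difference between the two kinds of qualitative analysis concrete, the following Python is an added example written for this page; it is not code from the chapter, from Walker and Papadopoulos, or from Merle et al., and it uses brute-force enumeration rather than the temporal laws or algebraic reduction those works describe. It models a constructed fault-tolerant arrangement (a primary unit P, a standby S and a switch W, all names and probabilities assumed here) once as a static Boolean tree and once with a priority-AND (PAND) gate under the usual DFT reading (the first input must fail strictly before the second). It then computes the static minimal cut sets, the order-aware minimal cut sequences, and the exact static top-event probability, showing that the static tree treats "W fails after P" as a failure even though the switch-over has already happened by then.

```python
"""Minimal cut sets (static, order-blind) versus minimal cut sequences
(dynamic, order-aware) for a small fault tree, plus the exact static top-event
probability by state enumeration. Brute force: small trees only."""
from itertools import combinations, permutations

# A tree node is a basic-event name (str) or a tuple (gate, child, child, ...).
def AND(*kids):
    return ("AND",) + kids

def OR(*kids):
    return ("OR",) + kids

def PAND(first, second):
    """Priority-AND: fires only if `first` fails strictly before `second`."""
    return ("PAND", first, second)

def events(node):
    """Names of all basic events below node."""
    if isinstance(node, str):
        return {node}
    return set().union(*(events(k) for k in node[1:]))

def occurs_at(node, when):
    """Time step at which node fires, given event -> time step for the events
    that fail (all others never fail); None if node never fires. AND fires with
    its last input (max), OR with its first (min), PAND with its second input,
    and only if the first input fired strictly earlier."""
    if isinstance(node, str):
        return when.get(node)
    gate, times = node[0], [occurs_at(k, when) for k in node[1:]]
    if gate == "OR":
        fired = [t for t in times if t is not None]
        return min(fired) if fired else None
    if any(t is None for t in times):
        return None
    if gate == "AND":
        return max(times)
    if gate == "PAND":
        first, second = times
        return second if first < second else None
    raise ValueError(f"unknown gate {gate}")

def static(node):
    """Order-blind view: every PAND becomes a plain AND, which is all a classic
    Boolean fault tree can express. It over-approximates the dynamic tree."""
    if isinstance(node, str):
        return node
    gate = "AND" if node[0] == "PAND" else node[0]
    return (gate,) + tuple(static(k) for k in node[1:])

def minimal_cut_sets(top):
    """Static qualitative analysis (PAND read as AND): subsets of events whose
    simultaneous failure reaches the top, reduced by absorption to minimal ones."""
    top, names = static(top), sorted(events(top))
    cuts = [frozenset(c) for r in range(1, len(names) + 1)
            for c in combinations(names, r)
            if occurs_at(top, dict.fromkeys(c, 0)) is not None]
    return sorted((c for c in cuts if not any(o < c for o in cuts)),
                  key=lambda c: (len(c), sorted(c)))

def _is_subsequence(short, long):
    it = iter(long)
    return all(e in it for e in short)

def minimal_cut_sequences(top):
    """Dynamic qualitative analysis: orderings of event subsets that reach the
    top, keeping only those with no proper subsequence that already does."""
    names = sorted(events(top))
    seqs = [s for r in range(1, len(names) + 1)
            for c in combinations(names, r) for s in permutations(c)
            if occurs_at(top, {e: i for i, e in enumerate(s)}) is not None]
    return [s for s in seqs
            if not any(o != s and _is_subsequence(o, s) for o in seqs)]

def top_probability(top, prob):
    """Static quantitative analysis: exact top-event probability, summing over
    every combination of independent basic-event failures (2**n terms)."""
    top, names = static(top), sorted(events(top))
    total = 0.0
    for r in range(len(names) + 1):
        for failed in combinations(names, r):
            if occurs_at(top, dict.fromkeys(failed, 0)) is None:
                continue
            term = 1.0
            for e in names:
                term *= prob[e] if e in failed else 1.0 - prob[e]
            total += term
    return total

# Constructed example (assumed names, not from the chapter): primary unit P,
# standby S, and a switch W that brings S into service when P fails. W failing
# after P is harmless (the switch-over already happened), so the faithful
# model needs a PAND gate; the static tree cannot express that.
STATIC_TOP = AND("P", OR("S", "W"))               # order-blind approximation
DYNAMIC_TOP = OR(AND("P", "S"), PAND("W", "P"))   # W must fail before P

if __name__ == "__main__":
    print("static cut sets:  ", [sorted(c) for c in minimal_cut_sets(STATIC_TOP)])
    print("dynamic as static:", [sorted(c) for c in minimal_cut_sets(DYNAMIC_TOP)])
    print("cut sequences:    ", minimal_cut_sequences(DYNAMIC_TOP))
    print("P(top), static:   ", top_probability(STATIC_TOP, {"P": 0.1, "S": 0.2, "W": 0.05}))
```

Both trees yield the cut sets {P, S} and {P, W}, but the cut sequences of the dynamic tree are P<S, S<P and W<P only: the ordering P<W is not a failure, which is exactly the information a Boolean reduction throws away. Enumerating permutations is exponential, which is why the cited work reduces such trees algebraically instead; this block is meant to show the semantics, not to scale.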

In practice, automating such advanced FTA as part of an integrated dependability and systems engineering process requires the automated generation and synthesis of these fault trees from failure behavioral models that are linked to the system specifications. Mahmud, Walker, and Papadopoulos (2012) describe a suitable approach to generating and synthesizing fault trees that preserve the significance of event order from hierarchical models. Application areas for this approach include the automotive domain (Chen, Mahmud, Walker, Feng, Lönn, & Papadopoulos, 2013). More details on its integration into an extended FTA within a model-based development process can be found in Kolagari et al. (2015).

Key Terms in this Chapter

EAST-ADL: EAST-ADL is an Electronic Architecture and Software Technology Architecture Description Language for automotive embedded systems, which was developed by a consortium of universities and automotive companies. The language was further refined within the framework of the Model-based Analysis & Engineering of Novel Architectures for Dependable Electric Vehicles (MAENAD) EU FP7 project. Aspects covered by EAST-ADL include vehicle features, functions, requirements, variability, dependability, software components, hardware components and communication.

AADL: AADL is an Architecture Analysis and Design Language standardized in 2004 by the Society of Automotive Engineers. It is used in the specification and analysis of the software and hardware architecture of real time embedded systems. AADL is mainly devoted to performance-critical aerospace and automotive systems.

Dynamic Fault Tree: The Dynamic Fault Tree (DFT) was invented in response to the inability of standard combinatorial fault trees to model sequence-dependent failures. It adds gates for capturing the dynamic aspects exhibited by modern complex systems. The DFT is designed primarily for quantitative analysis, in general by using Markov techniques. There has been less focus on qualitative analysis at the level of the DFT itself, i.e., the determination of its (minimal) cut sequences.

Failure Mode and Effects Analysis: Failure Mode and Effects Analysis (FMEA) is commonly known (and often used) as a bottom-up analysis technique. It proceeds by analyzing the system components individually, or sometimes collectively, to inductively derive the consequences of their failures on the system. FMEA aims at addressing those effects and the technique is widely practiced in reliability engineering in high-hazard industries.

Fault Tree Analysis: Fault Tree Analysis (FTA) postulates a hazard (top event of the fault tree) which must be avoided. It then reasons backward to identify all logical combinations of events which could lead the system to that hazard. FTA can be quantitative by combining figures for component failure rates to calculate overall probabilities of system hazards. It can also be qualitative by eliminating the component failures that are irrelevant to the total failure of the system, and thereby attempting to produce minimal failure scenarios. FTA is widely practiced in reliability engineering and in high-hazard industries.

Fault-Tolerant Systems: Fault tolerance enables a system to continue its intended operation in the event of faults in some of its parts. Fault-tolerant systems typically rely on redundant units. The redundant components can be active and operating in parallel, or passive but switched into active use upon failure of the primary units. They can also be designed to be shared by a number of functionally identical systems.

State Automata to Fault Trees: State Automata to Fault trees with Order-dependent behaviors (SAFORA) is a top-down deductive synthesis approach that computes expressions of global failure conditions from the dysfunctional behavior local to the components of the system (described as hierarchical state machines). The purpose is to accurately analyze the reliability of architectures and the technique is suitable for complex systems featuring dynamic aspects.
