A Hierarchical HAZOP-Like Safety Analysis for Learning-Enabled Systems

TL;DR

This paper introduces HILLS, a hierarchical HAZOP-like safety analysis method tailored for Learning-Enabled Systems, addressing the unique challenges posed by ML components through system stratification and causal analysis.

Contribution

It presents a novel hierarchical approach that extends traditional HAZOP to effectively analyze complex LESs with ML components, including new nodes and guide words.

Findings

HILLS successfully identifies hazards and causes in LESs.

The method links and propagates causal relationships across system levels.

Case study demonstrates HILLS's effectiveness in autonomous underwater vehicles.

Abstract

Hazard and Operability Analysis (HAZOP) is a powerful safety analysis technique with a long history in industrial process control domain. With the increasing use of Machine Learning (ML) components in cyber physical systems--so called Learning-Enabled Systems (LESs), there is a recent trend of applying HAZOP-like analysis to LESs. While it shows a great potential to reserve the capability of doing sufficient and systematic safety analysis, there are new technical challenges raised by the novel characteristics of ML that require retrofit of the conventional HAZOP technique. In this regard, we present a new Hierarchical HAZOP-Like method for LESs (HILLS). To deal with the complexity of LESs, HILLS first does "divide and conquer" by stratifying the whole system into three levels, and then proceeds HAZOP on each level to identify (latent-)hazards, causes, security threats and mitigation (with new nodes and guide words). Finally, HILLS attempts at linking and propagating the causal relationship among those identified elements within and across the three levels via both qualitative and quantitative methods. We examine and illustrate the utility of HILLS by a case study on Autonomous Underwater Vehicles, with discussions on assumptions and extensions to real-world applications. HILLS, as a first HAZOP-like attempt on LESs that explicitly considers ML internal behaviours and its interactions with other components, not only uncovers the inherent difficulties of doing safety analysis for LESs, but also demonstrates a good potential to tackle them.