Model-Based Safety Analysis

Abstract

System safety analysis techniques are well established and are used extensively during the design of safety-critical systems. Despite this, most of the techniques are highly subjective and dependent on the skill of the practitioner. Since these analyses are usually based on an informal system model, it is unlikely that they will be complete, consistent, and error free. In fact, the lack of precise models of the system architecture and its failure modes often forces the safety analysts to devote much of their effort to gathering architectural details about the system behavior from several sources and embedding this information in the safety artifacts such as the fault trees. This report describes Model-Based Safety Analysis, an approach in which the system and safety engineers share a common system model created using a model-based development process. By extending the system model with a fault model as well as relevant portions of the physical system to be controlled, automated support can be provided for much of the safety analysis. We believe that by using a common model for both system and safety engineering and automating parts of the safety analysis, we can both reduce the cost and improve the quality of the safety analysis. Here we present our vision of model-based safety analysis and discuss the advantages and challenges in making this approach practical.
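The following is an added illustration of the idea in the abstract and is not code from the report or its authors. It builds a small executable system model (a hypothetical two-sensor measurement channel with a comparison monitor, with constructed values), extends it with a fault model in which each component has mutually exclusive failure modes, states the hazard as a property over the model's output, and then lets an automated search rather than a hand-built fault tree derive the minimal fault combinations that produce the hazard. Exhaustive enumeration of fault combinations stands in here for the analysis tool; the component names, fault modes and numeric constants are all assumptions for the example.

```python
from itertools import combinations

# Constructed nominal model: both sensors should report TRUE_VALUE and the
# monitor raises a flag when the two readings differ by more than TOLERANCE.
TRUE_VALUE = 10.0
STUCK_VALUE = 7.0     # stale value a "stuck" sensor keeps reporting (assumed)
BIAS = 5.0            # offset added by a "bias" fault (assumed)
TOLERANCE = 1.0

# Fault model: (component, mode). Modes of the same component are mutually
# exclusive, so a sensor cannot be both stuck and biased in one analysis.
FAULTS = [
    ("sensor1", "stuck"),
    ("sensor1", "bias"),
    ("sensor2", "stuck"),
    ("sensor2", "bias"),
    ("monitor", "silent"),   # monitor never raises its disagreement flag
]


def sensor_reading(name, active):
    """Nominal behaviour returns the true value; an active fault mode overrides it."""
    if (name, "stuck") in active:
        return STUCK_VALUE
    if (name, "bias") in active:
        return TRUE_VALUE + BIAS
    return TRUE_VALUE


def system_step(active):
    """One step of the extended model. Returns (delivered_value, flagged)."""
    s1 = sensor_reading("sensor1", active)
    s2 = sensor_reading("sensor2", active)
    disagree = abs(s1 - s2) > TOLERANCE
    flagged = disagree and ("monitor", "silent") not in active
    if flagged:
        return None, True          # fallback: no value delivered, operator warned
    return (s1 + s2) / 2, False


def hazard(active):
    """Safety property violated: a wrong value is delivered with no warning."""
    output, flagged = system_step(active)
    return (not flagged) and abs(output - TRUE_VALUE) > TOLERANCE


def consistent(active):
    """Reject fault sets that activate two modes of the same component."""
    components = [component for component, _ in active]
    return len(components) == len(set(components))


def minimal_cut_sets(faults, hazard_fn, max_order=3):
    """Enumerate fault combinations by increasing size and keep only the
    minimal ones (no proper subset already causes the hazard)."""
    found = []
    for order in range(1, max_order + 1):
        for combo in combinations(faults, order):
            active = frozenset(combo)
            if not consistent(active):
                continue
            if any(mcs <= active for mcs in found):
                continue               # superset of a known cut set: not minimal
            if hazard_fn(active):
                found.append(active)
    return found


if __name__ == "__main__":
    for mcs in minimal_cut_sets(FAULTS, hazard):
        print(sorted(mcs))
```

Running the script lists six second-order cut sets: both sensors failing in the same mode (the monitor sees agreement and cannot detect it) and any single sensor failure combined with a silent monitor. No single fault reaches the hazard, which is exactly the kind of claim a hand-built fault tree would have to argue informally; here it follows from the shared model, and changing a component's behaviour or adding a fault mode re-derives the result automatically.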
