A Framework for Qualitative and Quantitative Formal Model-Based Safety Analysis

In model-based safety analysis both qualitative aspects (i.e. what must go wrong for a system failure) and quantitative aspects (i.e. how probable a system failure is) are very important. For both aspects methods and tools are available. However, until now a new and independent model must be built for each aspect. This paper proposes the SAML framework as a formal foundation for both qualitative and quantitative formal model-based safety analysis. The main advantage of SAML is the combination of qualitative and quantitative formal semantics, which allows different analyses on the same model. This increases the confidence in the analysis results, simplifies modeling and is less error-prone. The SAML framework is tool-independent. As a proof of concept, we present a sound transformation of the formalism into two state-of-the-art model-checking notations. Prototypical tool support for the sound transformation of SAML into PRISM and MRMC for probabilistic analysis, as well as into different variants of the SMV model checker for qualitative analysis, is currently being developed.
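Added example, not code from the paper (the abstract gives no SAML syntax): one in-memory model of a single boolean variable is emitted both as a PRISM DTMC module (probabilities kept) and as a NuSMV module (probabilities dropped). Mapping each probabilistic branch to a nondeterministic choice in the SMV output is my assumption about how a shared semantics can be abstracted; the sensor model, the `Model`/`Rule`/`Update` classes and all names are constructed.

```python
from dataclasses import dataclass
@dataclass
class Update:
    prob: float   # branch probability (used by the quantitative view only)
    value: str    # next value of the state variable

@dataclass
class Rule:
    guard: str    # enabling condition, written in PRISM/SMV-compatible syntax
    updates: list # Update branches whose probabilities must sum to 1
@dataclass
class Model:
    name: str
    var: str      # a single boolean state variable (toy scope)
    init: str     # "true" or "false"
    rules: list

def check(model):
    """Reject a rule whose branch probabilities do not sum to 1."""
    for r in model.rules:
        total = sum(u.prob for u in r.updates)
        if abs(total - 1.0) > 1e-9:
            raise ValueError(f"rule '{r.guard}' sums to {total}")

def to_prism(model):
    """Quantitative view: a DTMC module that keeps every probability."""
    check(model)
    out = ["dtmc", f"module {model.name}", f"  {model.var} : bool init {model.init};"]
    for r in model.rules:
        branches = " + ".join(f"{u.prob} : ({model.var}'={u.value})" for u in r.updates)
        out.append(f"  [] {r.guard} -> {branches};")
    return "\n".join(out + ["endmodule"])

def to_smv(model):
    """Qualitative view: probabilities dropped; each branch with p > 0 becomes
    one nondeterministic choice (my assumed abstraction, not the paper's)."""
    check(model)
    out = ["MODULE main", "VAR", f"  {model.var} : boolean;", "ASSIGN",
           f"  init({model.var}) := {model.init.upper()};", f"  next({model.var}) := case"]
    for r in model.rules:
        choices = sorted({u.value.upper() for u in r.updates if u.prob > 0})
        rhs = choices[0] if len(choices) == 1 else "{" + ", ".join(choices) + "}"
        out.append(f"    {r.guard} : {rhs};")
    return "\n".join(out + [f"    TRUE : {model.var};", "  esac;"])

# Constructed sample: a sensor that fails with probability 0.001 per step
SENSOR = Model("sensor", "failed", "false", [
    Rule("!failed", [Update(0.001, "true"), Update(0.999, "false")]),
    Rule("failed", [Update(1.0, "true")])])
```

The PRISM text answers "how probable is failure after N steps", the SMV text answers "which sequence of events leads to failure"; both come from the one `SENSOR` object, which is the point the abstract makes about a shared model.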
