Model-Based Safety Analysis

Method Purpose Short description of the method's purpose and main benefits

Method description A detailed description of the method

Safety analysis techniques are well established and are used extensively during the design of safety-critical systems. Despite this, most of the techniques are highly subjective and dependent on the skill of the practitioner. Since analyses are based usually on an informal system model, it is unlikely that they will be complete, consistent, and error free. The lack of precise models of the system architecture and its failure modes often forces the safety analysts to devote much of their effort to gathering architectural details about the system behaviour from several sources and embedding this information in the safety artefacts such as the fault trees.

Model-Based Safety Analysis (MBSA) is an approach in which the system and safety engineers share a common system model created using a model-based development process. By extending the system model with a fault model as well as relevant portions of the physical system to be controlled, automated support can be provided for much of the safety analysis.

MBSA enables deductive as well as inductive hazards analysis towards automated or semi-automatic generation of artefacts that are necessary for arguing about HARA (Hazards analysis and Risk Assessment) for certification-aware domains. Failure Mode Effects Analysis (FMEA) and the Fault Tree Analysis (FTA) are the two classical safety analyses considered in the proposed approach.

The FMEA is a “bottom-up” analysis based on a single-failure approach and executed on each system item or functional block, according to the following main steps:

Identification of credible failure modes
Evaluation of each single failure mode effects at various levels up to system level
Evaluation of severity of the failure effects consequences
Identification of failure detection methods
Assignment of the failure mode rate based on item reliability and apportionment criteria

An FTA is a model that graphically and logically represents the combinations of failures occurring in a system that leads to a hazardous condition. FTA uses a “top-down” approach, in order to identify all potential causes of a particular undesired top event. Starting from the Top Event (identified as a possible safety violation of interest), the analysis systematically determines all possible causes, both single fault and combination of faults, at the subsequent lower levels until a Basic Event is encountered. A Basic Event is defined as an event that is no further developed into a lower level of detail. If a basic event is attributed to items failures, it can be extracted from item failure modes analysed in FMEA.

Model-Based Safety Analysis builds upon methodologies to analyse the propagation of faults such as Failure Logic Analysis (FLA), with the intent to unify as well as (partially) automatize existing traditional dependability analysis approaches (e.g., Fault Tree Analysis, and Failure Modes and Effects Analysis). Similar to Failure Propagation Transform Logic (FPTC) [MSA1, MSA2], FLA [MSA3, MSA4, MSA5, MSA6] automatically calculates the failure behaviour of an entire system from the failure behaviour of its individual components. Failure behaviour of individual components, established by studying the components in isolation, is expressed by a set of logical expression rules that relate output failures (occurring on output ports) to combinations of input failures (occurring on input ports).

Model-Based Safety Analysis is based on the realization of a unique graphical model, defined using SysML, which defines both the functional and architectural characteristics and the aspects related to the system's behaviour in the presence of malfunctions. The use of the SysML model of the system and the FLA technique for the automatic calculation of the anomalous behaviour of the whole system starting from the anomalous behaviour of its individual functions and components, allows designers to perform automated safety analysis, with derivation of consistent safety analysis artefacts, such as FMEA and FTA, to support the safety assessment process, and have a quick response for the systems' decisions during the system design phase.

Using a common model for both system and safety engineering and automating parts of the safety analysis, we can both reduce the cost and improve the quality of the results.

Another embodiment of the Model-Based Safety Analysis methodology is based on the automatic injection of faults into the nominal model (i.e., without faults) of the system of interest. In this approach, model extension is performed to enrich the nominal model with a library-based specification of the possible faults that may affect the behaviour of the system. The library of faults provides a specification of the most common failure patterns, and it is user-extensible. The extended model (including faults) of the system of interest can be analysed by means of exhaustive techniques based on model checking and produce artefacts such as FTs and FMEA tables. Both the nominal model and the extended model are specified using the SMV language. Translations into SMV are available from (variants of) the AADL architectural language and are available (or are targeted be implemented) from fragments of other languages, e.g., Simulink. In addition to safety assessment techniques such as FTA and FMEA, Model-Based Failure Safety Analysis also includes techniques to design and analyse the fault detection, isolation and recovery capabilities of a system of interest.

Fault injection for safety analysis.png

Method Strengths A listof the strengths of the method

Improves the communication between the system engineer and safety experts, by facilitating understanding of the logic and the eventual failures of the system
Achieves a systematic and comprehensive safety assessment that allows to early identify the greatest number of possible critical problems related to the impact of failures on the functionality of the system
Makes it easier to keep the system design aligned with the safety assessment
Carries out the main safety analyses (FMEA, FTA) in semi-automatic mode, thus receiving rapid feedback, with a consequent immediate impact on the design
Since the anomalous behaviour of the system is calculated from components, the impact of modifying a component is easier to define, and the derived incremental safety analysis is cheaper, therefore reducing the costs of system maintenance and reuse.
Developed from collaborative efforts in prior projects, e.g. CHESS (http://www.chess-project.org/), CONCERTO (http://www.concerto-project.org/), and AMASS (https://www.amass-ecsel.eu/).
Part of the CHESS Eclipse project

Method Limitations The limitations of the method

FMEAgeneration is not automated, while FT generation may be subjected to a node explosion problem for large systems.
The failure propagation algorithm is not optimized for large systems, impacting FMEA and FT generation.

Method References Bibliography references to papers about the method.

[MSA1] Wallace, Modular Architectural Representation and Analysis of Fault Propagation and Transformation, in proceedings of 2nd International Workshop on Formal Foundations of Embedded Software and Component-Based Software Architectures (FESCA 2005).
[MSA2] R. F. Paige, L. M. Rose, X. Ge, D. S. Kolovos, and P. J. Brooke. FPTC: automated safety analysis for domain-specific languages. In Models in Software Engineering, M. R. Chaudron (Ed.). Lecture Notes In Computer Science, Vol. 5421. Springer-Verlag, Berlin, Heidelberg, pp. 229-242, 2009Space Product Assurance: Software product assurance, id. ECSS-Q-ST-80 issue C, 06.03.2009.
[MSA3] B. Gallina and S. Punnekkat, “FI4FA: A Formalism for Incompletion, Inconsistency, Interference and Impermanence Failures Analysis,” in Proc. of EUROMICRO, ser. SEAA ’11. IEEE Computer Society, 2011, pp. 493–500.
[MSA4] B. Gallina, M. A. Javed, F. U. Muram, and S. Punnekkat, “Model-driven dependability analysis method for component-based architectures,” in Euromicro-SEAA Conference. IEEE Computer Society, 2012.
[MSA5] Gallina, B., Sefer, E., and Refsdal, A. (2014). Towards safety risk assessment of socio-technical systems via failure logic analysis. In Proceedings of the 2014 IEEE International Symposium on Software Reliability Engineering Workshops, pages 287–292.
[MSA6] B. Gallina and Z. Haider, A. Carlsson, S. Mazzini S. Puri, “Multi‐concern Dependability‐centered Assurance for Space Systems via ConcertoFLA”, International Conference on Reliable Software Technologies- Ada-Europe 2018, Lisbon, June 2018
[MSA7] Mazzini S., J. Favaro, S. Puri, L. Baracchi., “CHESS: an open source methodology and toolset for the development of critical systems”, 2nd International Workshop on Open Source Software for Model Driven Engineering (OSS4MDE), Saint-Malo, October 2016.
[MSA8] CHESS Dependability Guide – FLA (https://www.eclipse.org/chess/publis/CHESS_DependabilityGuide.pdf)

Method Dimensions

Evaluation Environment Type Type of environment where the method is applied. It can be more than one type of environment. (Dimension 1)

Evaluation Type Type of evaluation performed with that method. If a method is hybrid, more than one type can be selected. (Dimension 2)

Type of Component Under Evaluation Type of components that can be evaluated with that method. It can be more than one type. (Dimension 3)

Evaluation Stage The evaluation stage where the method is used. (Dimension 5)

Purpose of the Component Under Evaluation The type of purpose that can be evaluated by a method. It can be more than one type. (Dimension 6)

Type of Requirement Under Evaluation The type of requirements that a method is able to evaluate. It can be more than one type. (Dimension 7)

Evaluation Performance Indicator The type of evaluation criteria or KPI that a method is able to improve. It can be more than one type. (Dimension 8)

Relations

Related Methods A method could be related to other methods.

Tools A method can use zero or more tools.

Part Method A method (when it is a combination: Combination of method artefact that is a specialization of a V&V Method) could be composed of a set of V&V Methods.

Test Case or Verification and Validation activity Test Case or V&V activity performed in a Use Case. We will link to the method to the test cases where the method is used.

Standards A method can be linked with standards.

Context

Workflow

Contents

There are currently no items in this folder.