Model-Based Safety Analysis

Define the requirements that a system has to fulfil, along with the procedures that have to be developed, in order to ensure a consistent safety level during the overall system lifecycle; analyse the failure propagation phenomena and evaluate their consequences in terms of safety and reliability, based on a formal model of the system of interest.

Safety analysis techniques are well established and are used extensively during the design of safety-critical systems. Despite this, most of the techniques are highly subjective and depend on the skill of the practitioner. Since analyses are usually based on an informal system model, it is unlikely that they will be complete, consistent, and error free. The lack of precise models of the system architecture and its failure modes often forces safety analysts to devote much of their effort to gathering architectural details about the system behaviour from several sources and embedding this information in safety artefacts such as fault trees.

Model-Based Safety Analysis (MBSA) is an approach in which the system and safety engineers share a common system model created using a model-based development process. By extending the system model with a fault model as well as relevant portions of the physical system to be controlled, automated support can be provided for much of the safety analysis.

MBSA supports both deductive and inductive hazard analysis, aiming at the automated or semi-automatic generation of the artefacts needed to argue about HARA (Hazard Analysis and Risk Assessment) in certification-aware domains. Failure Mode and Effects Analysis (FMEA) and Fault Tree Analysis (FTA) are the two classical safety analyses considered in the proposed approach.

The FMEA is a “bottom-up” analysis based on a single-failure approach and executed on each system item or functional block, according to the following main steps:

  1. Identification of credible failure modes
  2. Evaluation of the effects of each single failure mode at various levels, up to system level
  3. Evaluation of the severity of the consequences of the failure effects
  4. Identification of failure detection methods
  5. Assignment of the failure mode rate based on item reliability and apportionment criteria

An FTA is a model that graphically and logically represents the combinations of failures occurring in a system that lead to a hazardous condition. FTA uses a “top-down” approach in order to identify all potential causes of a particular undesired top event. Starting from the Top Event (identified as a possible safety violation of interest), the analysis systematically determines all possible causes, both single faults and combinations of faults, at the subsequent lower levels until a Basic Event is encountered. A Basic Event is defined as an event that is not developed further into a lower level of detail. If a basic event is attributed to an item failure, it can be taken from the item failure modes analysed in the FMEA.

Model-Based Safety Analysis builds upon methodologies for analysing the propagation of faults, such as Failure Logic Analysis (FLA), with the intent to unify as well as (partially) automate existing traditional dependability analysis approaches (e.g., Fault Tree Analysis, and Failure Modes and Effects Analysis). Similar to Failure Propagation Transform Logic (FPTC) [MSA1, MSA2], FLA [MSA3, MSA4, MSA5, MSA6] automatically calculates the failure behaviour of an entire system from the failure behaviour of its individual components. The failure behaviour of an individual component, established by studying the component in isolation, is expressed as a set of logical rules that relate output failures (occurring on output ports) to combinations of input failures (occurring on input ports).

Model-Based Safety Analysis is based on a single graphical model, defined using SysML, which captures both the functional and architectural characteristics of the system and the aspects of its behaviour in the presence of malfunctions. Using the SysML model of the system together with the FLA technique, which automatically computes the anomalous behaviour of the whole system from the anomalous behaviour of its individual functions and components, designers can perform automated safety analysis and derive consistent safety analysis artefacts, such as FMEA and FTA, to support the safety assessment process and to obtain quick feedback on design decisions during the system design phase.
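The compositional FLA calculation described above, as an added example that is not part of this page or of the CHESS/ConcertoFLA tooling: a toy propagation engine over FPTC-style rules for a constructed sensor/setpoint/controller/actuator chain, from which an FMEA table (bottom-up) and the minimal cut sets of a fault tree (top-down) are both derived from the same model. Component names, ports, failure modes and rules are all constructed, and the conventions "a component's own failure dominates its inputs" and "an uncovered input combination is nominal" are simplifying assumptions.

```python
"""Toy Failure Logic Analysis (FLA): component failure rules are propagated to the
system boundary, and an FMEA table and fault-tree minimal cut sets are derived from
that single model. Added illustration, not CHESS/ConcertoFLA code; all constructed."""
from itertools import combinations

OK, MODES = "noFailure", ("omission", "late", "valueErroneous")  # FPTC-style modes

# component -> (ordered input sources, [(input pattern, output mode), ...]).
# "*" matches any mode and the first matching rule wins; a combination no rule
# covers is treated as nominal (FPTC convention), a gap the derived artefacts inherit.
SYSTEM = {
    "sensor":     ([], []),
    "setpoint":   ([], []),
    "controller": (["sensor", "setpoint"],
                   [(("omission", "*"), "omission"),
                    (("late", "*"), "late"),
                    (("valueErroneous", "*"), "valueErroneous"),
                    (("*", "omission"), "valueErroneous"),   # holds the last setpoint
                    (("*", "valueErroneous"), "valueErroneous")]),
    "actuator":   (["controller"],
                   [(("omission",), "omission"),
                    (("late",), "valueErroneous"),           # acts on a stale command
                    (("valueErroneous",), "valueErroneous")]),
}

def propagate(basic_events):
    """basic_events: {component: its own output failure mode}. Components are visited
    in definition (topological) order; an own failure dominates the inputs (simplification)."""
    state = {}
    for comp, (inputs, rules) in SYSTEM.items():
        in_modes = tuple(state[src] for src in inputs)
        state[comp] = basic_events.get(comp) or next(
            (out for pat, out in rules
             if all(p in ("*", m) for p, m in zip(pat, in_modes))), OK)
    return state

def fmea(sink="actuator"):
    """Bottom-up, single-failure view: (item, failure mode, effect observed at `sink`)."""
    return [(c, m, propagate({c: m})[sink]) for c in SYSTEM for m in MODES]

def minimal_cut_sets(top, sink="actuator", max_order=2):
    """Top-down view: minimal basic-event combinations that produce `top` on `sink`."""
    events, cuts = [(c, m) for c in SYSTEM for m in MODES], []
    for k in range(1, max_order + 1):
        for combo in combinations(events, k):
            if len({c for c, _ in combo}) < k or any(cut <= set(combo) for cut in cuts):
                continue                      # one mode per component; keep only minimal sets
            if propagate(dict(combo))[sink] == top:
                cuts.append(frozenset(combo))
    return cuts
```

The FMEA row ('setpoint', 'late', 'noFailure') shows how a rule nobody wrote silently becomes a claim of nominal behaviour in the generated artefacts, which is exactly the kind of gap a reviewer of automatically derived FMEA and FTA should look for.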

Using a common model for both system and safety engineering and automating parts of the safety analysis, we can both reduce the cost and improve the quality of the results.

Another embodiment of the Model-Based Safety Analysis methodology is based on the automatic injection of faults into the nominal model (i.e., the model without faults) of the system of interest. In this approach, model extension is performed to enrich the nominal model with a library-based specification of the possible faults that may affect the behaviour of the system. The library of faults provides a specification of the most common failure patterns, and it is user-extensible. The extended model (including faults) of the system of interest can be analysed by means of exhaustive techniques based on model checking, to produce artefacts such as fault trees (FTs) and FMEA tables. Both the nominal model and the extended model are specified using the SMV language. Translations into SMV are available from (variants of) the AADL architectural language and are available (or are targeted to be implemented) from fragments of other languages, e.g., Simulink. In addition to safety assessment techniques such as FTA and FMEA, Model-Based Safety Analysis also includes techniques to design and analyse the fault detection, isolation and recovery capabilities of a system of interest.

[Figure: Fault injection for safety analysis]

Benefits

  • Improves the communication between system engineers and safety experts, by facilitating understanding of the logic and of the possible failures of the system
  • Achieves a systematic and comprehensive safety assessment that makes it possible to identify early as many as possible of the critical problems related to the impact of failures on the functionality of the system
  • Makes it easier to keep the system design aligned with the safety assessment
  • Carries out the main safety analyses (FMEA, FTA) in semi-automatic mode, thus giving rapid feedback, with a consequent immediate impact on the design
  • Since the anomalous behaviour of the system is calculated from its components, the impact of modifying a component is easier to determine, and the derived incremental safety analysis is cheaper, therefore reducing the costs of system maintenance and reuse.

Origin and Tool Support

  • Developed from collaborative efforts in prior projects, e.g. CHESS (http://www.chess-project.org/), CONCERTO (http://www.concerto-project.org/), and AMASS (https://www.amass-ecsel.eu/).
  • Part of the CHESS Eclipse project

Limitations

  • FMEA generation is not automated, while FT generation may be subject to a node explosion problem for large systems.
  • The failure propagation algorithm is not optimized for large systems, impacting FMEA and FT generation.

References

  • [MSA1] Wallace, Modular Architectural Representation and Analysis of Fault Propagation and Transformation, in proceedings of the 2nd International Workshop on Formal Foundations of Embedded Software and Component-Based Software Architectures (FESCA 2005).
  • [MSA2] R. F. Paige, L. M. Rose, X. Ge, D. S. Kolovos, and P. J. Brooke. FPTC: automated safety analysis for domain-specific languages. In Models in Software Engineering, M. R. Chaudron (Ed.). Lecture Notes In Computer Science, Vol. 5421. Springer-Verlag, Berlin, Heidelberg, pp. 229-242, 2009.
  • [MSA3] B. Gallina and S. Punnekkat, “FI4FA: A Formalism for Incompletion, Inconsistency, Interference and Impermanence Failures Analysis,” in Proc. of EUROMICRO, ser. SEAA ’11. IEEE Computer Society, 2011, pp. 493–500.
  • [MSA4] B. Gallina, M. A. Javed, F. U. Muram, and S. Punnekkat, “Model-driven dependability analysis method for component-based architectures,” in Euromicro-SEAA Conference. IEEE Computer Society, 2012.
  • [MSA5] B. Gallina, E. Sefer, and A. Refsdal, “Towards safety risk assessment of socio-technical systems via failure logic analysis,” in Proceedings of the 2014 IEEE International Symposium on Software Reliability Engineering Workshops, 2014, pp. 287–292.
  • [MSA6] B. Gallina, Z. Haider, A. Carlsson, S. Mazzini, and S. Puri, “Multi-concern Dependability-centered Assurance for Space Systems via ConcertoFLA,” International Conference on Reliable Software Technologies - Ada-Europe 2018, Lisbon, June 2018.
  • [MSA7] S. Mazzini, J. Favaro, S. Puri, and L. Baracchi, “CHESS: an open source methodology and toolset for the development of critical systems,” 2nd International Workshop on Open Source Software for Model Driven Engineering (OSS4MDE), Saint-Malo, October 2016.
  • [MSA8] CHESS Dependability Guide – FLA (https://www.eclipse.org/chess/publis/CHESS_DependabilityGuide.pdf)

Method Dimensions

  • In-the-lab environment
  • Analytical - Semi-Formal
  • Hardware, Model, Software
  • Requirement Analysis, Concept, Detail Design, Risk Analysis, System Design, Architecture Design
  • Thinking, Acting, Sensing
  • Non-Functional - Safety, Functional, Non-Functional - Security
  • V&V process criteria, SCP criteria