Tom P. Huck,Yuvaraj Selvaraj,Constantin Cronrath,Christoph Ledermann,Martin Fabian,Bengt Lennartson,Torsten Kröger

DOI: https://doi.org/10.48550/arXiv.2209.12560

2022-09-26

Abstract:Safety critical systems are typically subjected to hazard analysis before commissioning to identify and analyse potentially hazardous system states that may arise during operation. Currently, hazard analysis is mainly based on human reasoning, past experiences, and simple tools such as checklists and spreadsheets. Increasing system complexity makes such approaches decreasingly suitable. Furthermore, testing-based hazard analysis is often not suitable due to high costs or dangers of physical faults. A remedy for this are model-based hazard analysis methods, which either rely on formal models or on simulation models, each with their own benefits and drawbacks. This paper proposes a two-layer approach that combines the benefits of exhaustive analysis using formal methods with detailed analysis using simulation. Unsafe behaviours that lead to unsafe states are first synthesised from a formal model of the system using Supervisory Control Theory. The result is then input to the simulation where detailed analyses using domain-specific risk metrics are performed. Though the presented approach is generally applicable, this paper demonstrates the benefits of the approach on an industrial human-robot collaboration system.

Robotics

Nikolas Martelaro,Carol J. Smith,Tamara Zilovic

DOI: https://doi.org/10.48550/arXiv.2203.15628

2022-03-29

Software Engineering

Abstract:Embedding artificial intelligence into systems introduces significant challenges to modern engineering practices. Hazard analysis tools and processes have not yet been adequately adapted to the new paradigm. This paper describes initial research and findings regarding current practices in AI-related hazard analysis and on the tools used to conduct this work. Our goal with this initial research is to better understand the needs of practitioners and the emerging challenges of considering hazards and risks for AI-enabled products and services. Our primary research question is: Can we develop new structured thinking methods and systems engineering tools to support effective and engaging ways for preemptively considering failure modes in AI systems? The preliminary findings from our review of the literature and interviews with practitioners highlight various challenges around integrating hazard analysis into modern AI development processes and suggest opportunities for exploration of usable, human-centered hazard analysis tools.

Vivek Nigam,Alexander Pretschner,Harald Ruess

DOI: https://doi.org/10.48550/arXiv.1810.04866

2018-10-11

Logic in Computer Science

Abstract:By exploiting the increasing surface attack of systems, cyber-attacks can cause catastrophic events, such as, remotely disable safety mechanisms. This means that in order to avoid hazards, safety and security need to be integrated, exchanging information, such as, key hazards/threats, risk evaluations, mechanisms used. This white paper describes some steps towards this integration by using models. We start by identifying some key technical challenges. Then we demonstrate how models, such as Goal Structured Notation (GSN) for safety and Attack Defense Trees (ADT) for security, can address these challenges. In particular, (1) we demonstrate how to extract in an automated fashion security relevant information from safety assessments by translating GSN-Models into ADTs; (2) We show how security results can impact the confidence of safety assessments; (3) We propose a collaborative development process where safety and security assessments are built by incrementally taking into account safety and security analysis; (4) We describe how to carry out trade-off analysis in an automated fashion, such as identifying when safety and security arguments contradict each other and how to solve such contradictions. We conclude pointing out that these are the first steps towards a wide range of techniques to support Safety and Security Engineering. As a white paper, we avoid being too technical, preferring to illustrate features by using examples and thus being more accessible.

Lin Liu,Zheng Zeng,Yufeng Long,Hongji Yang

DOI: https://doi.org/10.1109/dsa56465.2022.00064

2022-01-01

Abstract:Hazard analysis is challenging, due to its highly contextual nature and the complexity of the real world. There are well-established hazard analysis procedures and approaches, such as, PHA, HAZOP, FMEA, Fault-Tree, LOPA, etc. Together with safety assurance guidelines and regulations of a particular industrial sector, these approaches can help improve the state of the practice. However, the evaluation of safety risks for a given situation, and the effective identification of the potential threat sources still rely on the imaginative composition of hazardous scenarios by the analysts based on his personal experience and expertise in the domain. In this paper, we define the conceptual model required for such story composition activity, and aims to provide an integrated approach to compose and comprehend the textual narratives based on images in-situ, hence the quality of the scenario description can be ensured and checked. We use historical safety hazard cases and safety training exercises to illustrate and evaluate the feasibility of the proposed approach.

Klaus Müller,Bernhard Rumpe

DOI: https://doi.org/10.48550/arXiv.1406.6834

2014-06-26

Abstract:Impact analysis is concerned with the identification of consequences of changes and is therefore an important activity for software evolution. In modelbased software development, models are core artifacts, which are often used to generate essential parts of a software system. Changes to a model can thus substantially affect different artifacts of a software system. In this paper, we propose a modelbased approach to impact analysis, in which explicit impact rules can be specified in a domain specific language (DSL). These impact rules define consequences of designated UML class diagram changes on software artifacts and the need of dependent activities such as data evolution. The UML class diagram changes are identified automatically using model differencing. The advantage of using explicit impact rules is that they enable the formalization of knowledge about a product. By explicitly defining this knowledge, it is possible to create a checklist with hints about development steps that are (potentially) necessary to manage the evolution. To validate the feasibility of our approach, we provide results of a case study.

Software Engineering

Kai Hoefig,Andreas Joanni,Marc Zeller,Francesco Montrone,Martin Rothfelder,Rakshith Amarnath,Peter Munk,Arne Nordmann

DOI: https://doi.org/10.48550/arXiv.2105.15015

2021-05-31

Software Engineering

Abstract:The importance of mission or safety critical software systems in many application domains of embedded systems is continuously growing, and so is the effort and complexity for reliability and safety analysis. Model driven development is currently one of the key approaches to cope with increasing development complexity, in general. Applying similar concepts to reliability, availability, maintainability and safety (RAMS) analysis activities is a promising approach to extend the advantages of model driven development to safety engineering activities aiming at a reduction of development costs, a higher product quality and a shorter time-to-market. Nevertheless, many model-based safety or reliability engineering approaches aim at reducing the analysis complexity but applications or case studies are rare. Therefore we present here a large scale industrial case study which shows the benefits of the application of component fault trees when it comes to complex safety mechanisms. We compare the methodology of component fault trees against classic fault trees and summarize benefits and drawbacks of both modeling methodologies.

M. Schäfer,A. Berres,O. Bertram

DOI: https://doi.org/10.1007/s13272-022-00631-0

2022-12-20

CEAS Aeronautical Journal

Abstract:Integrating new functions into the aircraft can, for example, increase performance or reduce fuel consumption. Since the installation of such additional functions increases the overall aircraft complexity, it is crucial to adapt methods and tools that support the development and ensure traceability, consistency, and verifiability. In this context, model-based systems engineering and the associated Systems Modeling Language (SysML) have been established as a standard methodology. This paper presents an overview of a system development and modeling process with SysML at the concept design stage using a position-variable shock control bumps system as an example. In addition to the system modeling, safety and reliability analyses have to be considered during the design process. To keep both, the model and the associated safety assessment consistent, this work introduces an extension of SysML to enable the execution of a functional hazard assessment (FHA) according to the ARP4754A and ARP 4761 guidelines. This is the first step in conducting a model-based safety assessment. Furthermore, a modeling process with concepts management methods is performed. In summary, the presented modeling process consists of three main parts: the system modeling, functional hazard assessment and concept management.

Peter Braun,Jan Philipps,Bernhard Schätz,Stefan Wagner

DOI: https://doi.org/10.1016/j.entcs.2009.09.007

2018-06-13

Abstract:Safety cases become increasingly important for software certification. Models play a crucial role in building and combining information for the safety case. This position paper sketches an ideal model-based safety case with defect hypotheses and failure characterisations. From this, open research issues are derived.

Software Engineering

Stefano M. Nicoletti,Marijn Peppelman,Christina Kolb,Mariëlle Stoelinga

DOI: https://doi.org/10.48550/arXiv.2106.06272

2023-10-23

Abstract:We survey the state-of-the-art on model-based formalisms for safety and security joint analysis, where safety refers to the absence of unintended failures, and security to absence of malicious attacks. We conduct a thorough literature review and - as a result - we consider fourteen model-based formalisms and compare them with respect to several criteria: (1) Modelling capabilities and Expressiveness: which phenomena can be expressed in these formalisms? To which extent can they capture safety-security interactions? (2) Analytical capabilities: which analysis types are supported? (3) Practical applicability: to what extent have the formalisms been used to analyze small or larger case studies? Furthermore, (1) we present more precise definitions for safety-security dependencies in tree-like formalisms; (2) we showcase the potential of each formalism by modelling the same toy example from the literature and (3) we present our findings and reflect on possible ways to narrow highlighted gaps. In summary, our key findings are the following: (1) the majority of approaches combine tree-like formal models; (2) the exact nature of safety-security interaction is still ill-understood and (3) diverse formalisms can capture different interactions; (4) analyzed formalisms merge modelling constructs from existing safety- and security-specific formalisms, without introducing ad hoc constructs to model safety-security interactions, or (5) metrics to analyze trade offs. Moreover, (6) large case studies representing safety-security interactions are still missing.

Cryptography and Security

Sebastiano MARASCO,Ali ZAMANI NOORI,Omar KAMMOUH,Gian Paolo CIMELLARO

2018-01-01

Abstract:Multi-hazard engineering is increasingly recognized as a serious worldwide concern. In this paper, the principle of multi-hazard is applied to an essential steel structure (a hospital) located in California, US. The studied structure is assumed to be exposed to a sequence of three different cascading hazards (earthquake, blast, and fire). First, non-linear time-history analyses are performed and the seismic response of the structure is evaluated. The seismic input is assumed to cause damage to the hospital’s power supply which it turns to generate an explosion. The probability of explosion is estimated accounting for the probabilities of fuel leakage, fuel concentration, and ignition. A set of twelve blast intensity levels is considered in the analysis, corresponding to the different quantity of fuel content inside the tank. Afterward, a fire hazard is generated following the explosion, whose intensity level is evaluated using the compartmental heat flux. The effect of the fire is translated into an increase in the steel’s temperature, and damage is consequently evaluated. A methodology is proposed to accumulate the cascading damage caused by multi-hazard based on the conditional probability of occurrence. This method is capable of predicting the damage severity of the structural and non-structural components with a high accuracy. The proposed multi-hazard method is considered a significant step in improving the accuracy of loss estimation and in providing risk mitigation measures within the resilience-based environment. The results obtained in this paper verify the effectiveness and the practicality of the proposed method.

Mario Gleirscher,Stefan Kugele

DOI: https://doi.org/10.48550/arXiv.1802.08327

2018-02-22

Software Engineering

Abstract:Vehicle safety depends on (a) the range of identified hazards and (b) the operational situations for which mitigations of these hazards are acceptably decreasing risk. Moreover, with an increasing degree of autonomy, risk ownership is likely to increase for vendors towards regulatory certification. Hence, highly automated vehicles have to be equipped with verified controllers capable of reliably identifying and mitigating hazards in all possible operational situations. To this end, available methods for the design and verification of automated vehicle controllers have to be supported by models for hazard analysis and mitigation. In this paper, we describe (1) a framework for the analysis and design of planners (i.e., high-level controllers) capable of run-time hazard identification and mitigation, (2) an incremental algorithm for constructing planning models from hazard analysis, and (3) an exemplary application to the design of a fail-operational controller based on a given control system architecture. Our approach equips the safety engineer with concepts and steps to (2a) elaborate scenarios of endangerment and (2b) design operational strategies for mitigating such scenarios.

Hayder Thabit Al Hudaib,Richard P. Ray,,

DOI: https://doi.org/10.30880/ijie.2023.15.07.017

2023-12-05

International Journal of Integrated Engineering

Abstract:The idea of multi-hazard interactions and risk assessment, particularly in relation to both natural hazards and hazards triggered by anthropogenic processes, has been widely used, especially in recent decades. Numerous areas worldwide, as well as various sectors, face exposure to multiple hazards. These hazards encompass natural phenomena like floods, earthquakes, hurricanes, and more. In comparison, the human-induced or anthropogenic processes associated with infrastructure development, along with other potential human activities such as, land and cover use change, contribute to the overall hazard landscape. Both natural hazards and anthropogenic-induced directly led to infrastructure collapse and loss of functionality with other consequences for human lives, economy, beside the environment impacts. Limited studies have been conducted on the implementation of the comprehensive multi-hazard interaction approach, which is globally or regionally required, along with detailed studies on the interaction between different multi-hazard sources and their interrelationships in short-term or long-term scenarios. The current research aims to review previous literature and studies on the multi-hazard interaction approach, methodologies of visualization and classification, as well as explores the potential of multi-hazard associated with road networks, infrastructures, and dams. The research utilizes simulation various models and tools such as, Geographic Information System (GIS) beside Remote Sensing (Rs) techniques. The current study concludes that using multi-hazard maps, hazard matrix, and fragility curves represents highly valuable and very useful and flexible tools for implementing and visualization hot spot areas exposure by multi-hazard consequences and vulnerability analysis for short and long-term scenarios. In addition, the current review highlighted for development a holistic conceptual framework for multi-hazard and risk assessment associated with hydraulic structures such as dams, road networks and infrastructures with hazard exposure analysis to be used as tools for a decision support system (DSS) in order to develop urban resilience, risk management and hazard mitigations.

Dario Rodriguez-Aseretto,Christian Schaerer,Daniele de Rigo

DOI: https://doi.org/10.48550/arXiv.1409.7966

2014-09-29

Abstract:Demands on the disaster response capacity of the European Union are likely to increase, as the impacts of disasters continue to grow both in size and frequency. This has resulted in intensive research on issues concerning spatially-explicit information and modelling and their multiple sources of uncertainty. Geospatial support is one of the forms of assistance frequently required by emergency response centres along with hazard forecast and event management assessment. Robust modelling of natural hazards requires dynamic simulations under an array of multiple inputs from different sources. Uncertainty is associated with meteorological forecast and calibration of the model parameters. Software uncertainty also derives from the data transformation models (D-TM) needed for predicting hazard behaviour and its consequences. On the other hand, social contributions have recently been recognized as valuable in raw-data collection and mapping efforts traditionally dominated by professional organizations. Here an architecture overview is proposed for adaptive and robust modelling of natural hazards, following the Semantic Array Programming paradigm to also include the distributed array of social contributors called Citizen Sensor in a semantically-enhanced strategy for D-TM modelling. The modelling architecture proposes a multicriteria approach for assessing the array of potential impacts with qualitative rapid assessment methods based on a Partial Open Loop Feedback Control (POLFC) schema and complementing more traditional and accurate a-posteriori assessment. We discuss the computational aspect of environmental risk modelling using array-based parallel paradigms on High Performance Computing (HPC) platforms, in order for the implications of urgency to be introduced into the systems (Urgent-HPC).

Computational Engineering, Finance, and Science

Marc Zeller,Daniel Ratiu,Kai Hoefig

DOI: https://doi.org/10.48550/arXiv.2106.02273

2021-06-04

Software Engineering

Abstract:Model-based engineering promises to boost productivity and quality of complex systems development. In the context of safety-critical systems, a traditionally highly regulated and conservative domain, the use of models gained importance in the recent years. In this paper, we present a set of practical challenges in developing safety-critical systems with the help of several examples of development projects that belong to different application domains. Following this, we show how could the adoption of model-based engineering for the development of safety-critical systems cope with these challenges.

Simon József Nagy,Bence Graics,Kristóf Marussy,András Vörös

DOI: https://doi.org/10.48550/arXiv.2004.13290

2020-04-28

Software Engineering

Abstract:Systems engineering approaches use high-level models to capture the architecture and behavior of the system. However, when safety engineers conduct safety and reliability analysis, they have to create formal models, such as fault-trees, according to the behavior described by the high-level engineering models and environmental/fault assumptions. Instead of creating low-level analysis models, our approach builds on engineering models in safety analysis by exploiting the simulation capabilities of recent probabilistic programming and simulation advancements. Thus, it could be applied in accordance with standards and best practices for the analysis of a critical automotive system as part of an industrial collaboration, while leveraging high-level block diagrams and statechart models created by engineers. We demonstrate the applicability of our approach in a case study adapted from the automotive system from the collaboration.

Mei Liu,Pinchao Liao

DOI: https://doi.org/10.1061/9780784483848.005

2021-01-01

Abstract:Practitioners identify and control hazards in complex construction environment. However, few studies provided an efficient means of identifying and prioritizing hazards from the perspective of system deviations. This study aims to assess construction safety performance by taking into account the occurrence of hazards and rectification efficiency of management from the perspective of energy dissipation. First, we theorized the onsite construction system as an open subsystem with energy dissipation. Then, catastrophe theory was utilized to calculate the hazard occurrence as the positive entropy, whereas the hazard rectification was then incorporated as the negative entropy. Finally, we applied the analytical model to seven construction projects and compared the safety performance with the established methods of industrial practices. The proposed model reveals the complexity in safety assessment under the dynamic environment. Practically, it effectively enhances proactive warning ability of safety assessment and facilitates the development of hazard real-time warning and control strategies in construction informatization.

Ashutosh Tewari,Antonio R. Paiva

DOI: https://doi.org/10.48550/arXiv.2205.00894

2022-05-02

Applications

Abstract:Identifying and mitigating safety risks is paramount in a number of industries. In addition to guidelines and best practices, many industries already have safety management systems (SMSs) designed to monitor and reinforce good safety behaviors. The analytic capabilities to analyze the data acquired through such systems, however, are still lacking in terms of their ability to robustly quantify risks posed by various occupational hazards. Moreover, best practices and modern SMSs are unable to account for dynamically evolving environments/behavioral characteristics commonly found in many industrial settings. This article proposes a method to address these issues by enabling continuous and quantitative assessment of safety risks in a data-driven manner. The backbone of our method is an intuitive hierarchical probabilistic model that explains sparse and noisy safety data collected by a typical SMS. A fully Bayesian approach is developed to calibrate this model from safety data in an online fashion. Thereafter, the calibrated model holds necessary information that serves to characterize risk posed by different safety hazards. Additionally, the proposed model can be leveraged for automated decision making, for instance solving resource allocation problems -- targeted towards risk mitigation -- that are often encountered in resource-constrained industrial environments. The methodology is rigorously validated on a simulated test-bed and its scalability is demonstrated on real data from large maintenance projects at a petrochemical plant.

Lei CHEN,Jian JIAO,Tingdi ZHAO

DOI: https://doi.org/10.3969/j.issn.1001-506X.2017.06.16

2017-01-01

Abstract:The ultimate goal of model-based safety analysis (MBSA) is to implement the automated safety analysis based on semi-formal and formal models of the complex safety-critical system.There are many MBSA methods which contain all the relevant theory, techniques, tools and language used for modelling, safety verification and analysis.Implementation approaches of MBSA could be divided into two categories according to different models used in the safety analysis which means the different relationship between safety models and system models.One of the MBSA approach is based on the extended system model (ESM) and the other one is based on the failure logic modelling (FLM).The implementation of each approach is described.Advantages and boundedness of each approach are analyzed and indicated.Finally, the improvements for each way which could be carried out in the future are proposed.

Annarita Drago,Stefano Marrone,Nicola Mazzocca,Roberto Nardone,Annarita Tedesco,Valeria Vittorini

DOI: https://doi.org/10.1007/s10270-016-0572-7

2016-12-26

Abstract:Modern physical protection systems integrate a number of security systems (including procedures, equipments, and personnel) into a single interface to ensure an adequate level of protection of people and critical assets against malevolent human actions. Due to the critical functions of a protection system, the quantitative evaluation of its effectiveness is an important issue that still raises several challenges. In this paper we propose a model-driven approach to support the design and the evaluation of physical protection systems based on (a) UML models representing threats, protection facilities, assets, and relationships among them, and (b) the automatic construction of a Bayesian Network model to estimate the vulnerability of different system configurations. Hence, the proposed approach is useful both in the context of vulnerability assessment and in designing new security systems as it enables what-if and cost–benefit analyses. A real-world case study is further illustrated in order to validate and demonstrate the potentiality of the approach. Specifically, two attack scenarios are considered against the depot of a mass transit transportation system in Milan, Italy.

computer science, software engineering

Floarea Baicu,Maria Alexandra Baches

DOI: https://doi.org/10.48550/arXiv.1303.1663

2013-03-07

Abstract:In this paper are presented methods of impact analysis on informatics system security accidents, qualitative and quantitative methods, starting with risk and informational system security definitions. It is presented the relationship between the risks of exploiting vulnerabilities of security system, security level of these informatics systems, probability of exploiting the weak points subject to financial losses of a company, respectively impact of a security accident on the company. Herewith are presented some examples concerning losses caused by excesses within informational systems and depicted from the study carried out by CSI.

General Finance,Computers and Society