Peter Munk,Arne Nordmann

DOI: https://doi.org/10.1007/s10270-020-00782-w

2020-02-26

Abstract:Mastering the complexity of safety assurance for modern, software-intensive systems is challenging in several domains, such as automotive, robotics, and avionics. Model-based safety analysis techniques show promising results to handle this challenge by automating the generation of required artifacts for an assurance case. In this work, we adapt prominent approaches and propose to augment of SysML models with component fault trees (CFTs) to support the fault tree analysis and the failure mode and effects analysis. While most existing approaches based on CFTs are only targeting the system topology, e. g., UML class diagrams, we propose an integration of CFTs with SysML internal block diagrams as well as SysML activity diagrams. We realized our approach in a prototypical tool. We conclude with best practices and lessons learned that emerged from our case studies with an electronic power steering system and a boost recuperation system.

computer science, software engineering

Kai Hoefig,Andreas Joanni,Marc Zeller,Francesco Montrone,Martin Rothfelder,Rakshith Amarnath,Peter Munk,Arne Nordmann

DOI: https://doi.org/10.48550/arXiv.2105.15015

2021-05-31

Software Engineering

Abstract:The importance of mission or safety critical software systems in many application domains of embedded systems is continuously growing, and so is the effort and complexity for reliability and safety analysis. Model driven development is currently one of the key approaches to cope with increasing development complexity, in general. Applying similar concepts to reliability, availability, maintainability and safety (RAMS) analysis activities is a promising approach to extend the advantages of model driven development to safety engineering activities aiming at a reduction of development costs, a higher product quality and a shorter time-to-market. Nevertheless, many model-based safety or reliability engineering approaches aim at reducing the analysis complexity but applications or case studies are rare. Therefore we present here a large scale industrial case study which shows the benefits of the application of component fault trees when it comes to complex safety mechanisms. We compare the methodology of component fault trees against classic fault trees and summarize benefits and drawbacks of both modeling methodologies.

Rongyao Cai,Xiao Xv,Zhengming Lu,Kexin Zhang,Yong Liu

DOI: https://doi.org/10.1109/isas61044.2024.10552597

2024-01-01

Abstract:Fault tree analysis is the most commonly used methodology in industrial safety analysis to predict the probability or frequency of system failure. Although fault tree analysis has been proposed for more than six decades, the assumptions used in most commercial fault tree analysis codes have not changed significantly, which limits the ability of the method to represent design, operation, and maintenance characteristics in the context of the increasing complexity and specialization of modern industrial systems. The basic setup of traditional fault trees is unable to include dependencies between events, time-varying failures, and repair rate realities to explain complex maintenance strategies. To address the above shortcomings, we propose a fusion tree model combining fault tree and attack tree, and simplify the causal structure of the fusion tree by modularization, and utilize the dynamic Markov model to represent the complex coupling relationship between components or nodes. Finally, we demonstrate the calculation process of fusion tree in pressure vessel systems with temporal control.

Yue Li,Yian Zhu,Chunyan Ma,Meng Xu

DOI: https://doi.org/10.1007/978-3-642-23496-5_18

2011-01-01

Abstract:System safety analysis based on fault tree has been widely used for providing assurance to the stringent safety requirement of safety-critical systems. Generating fault trees from models described in AADL, a promising standard language for modeling complicated embedded system, would realize the automation of system safety analysis which is traditionally performed manually. This paper proposes a whole method for constructing fault trees from AADL models, whose main idea is to extract fault information from AADL models by dynamically tracing the possible fault sources of the specified fault objective, store them into a proposed database structure, and then construct fault trees based on the extracted fault information in the database structure. Further, the challenge posed by the common problems of deadlock and fault tree sharing is resolved by one algorithm called Sharing_Label in our method. We prove the correctness of the whole method theoretically.

Sebastian Reiter,Marc Zeller,Kai Hoefig,Alexander Viehl,Oliver Bringmann,Wolfgang Rosenstiel

DOI: https://doi.org/10.48550/arXiv.2106.03368

2021-06-07

Software Engineering

Abstract:The growing complexity of safety-relevant systems causes an increasing effort for safety assurance. The reduction of development costs and time-to-market, while guaranteeing safe operation, is therefore a major challenge. In order to enable efficient safety assessment of complex architectures, we present an approach, which combines deductive safety analyses, in form of Component Fault Trees (CFTs), with an Error Effect Simulation (EES) for sanity checks. The combination reduces the drawbacks of both analyses, such as the subjective failure propagation assumptions in the CFTs or the determination of relevant fault scenarios for the EES. Both CFTs and the EES provide a modular, reusable and compositional safety analysis and are applicable throughout the whole design process. They support continuous model refinement and the reuse of conducted safety analysis and simulation models. Hence, safety goal violations can be identified in early design stages and the reuse of conducted safety analyses reduces the overhead for safety assessment.

Xiongpeng Hu,Jing Liu,Hui Dou,HongTao Chen,Yuhong Zhang

DOI: https://doi.org/10.1109/qrs60937.2023.00060

2023-01-01

Abstract:Safety analysis is a crucial process in developing safety-critical systems, allowing the identification of potential design issues that may lead to hazards. Automation of this process has become the focus of research in the critical system domain due to the growing complexity of systems. This paper proposes a Component Fault Trees (CFTs) based Failure Mode and Effects Analysis approach for Architecture Analysis and Design Language (AADL) models. First, we propose a methodology for directly generating CFTs from AADL models to display the overall failure behavior of the system. Then we extend the Error Model Annex Version 2 (EMV2) with DFMEA property to express the assessment criteria of error formally, and conduct Design Failure Mode and Effects Analysis (DFMEA) whose core step is guided by CFTs. We discuss our approach with its tool support and evaluate its applicability in driving the design of safety-critical systems through a case study.

Changyong Chu,Weikang Yang,Yajun Chen

DOI: https://doi.org/10.3390/s24186021

IF: 3.9

2024-09-19

Sensors

Abstract:As embedded systems become increasingly complex, traditional reliability analysis methods based on text alone are no longer adequate for meeting the requirements of rapid and accurate quantitative analysis of system reliability. This article proposes a method for automatically generating and quantitatively analyzing dynamic fault trees based on an improved system model with consideration for temporal characteristics and redundancy. Firstly, an "anti-semantic" approach is employed to automatically explore the generation of fault modes and effects analysis (FMEA) from SysML models. The evaluation results are used to promptly modify the system design to meet requirements. Secondly, the Profile extension mechanism is used to expand the SysML block definition diagram, enabling it to describe fault semantics. This is combined with SysML activity diagrams to generate dynamic fault trees using traversal algorithms. Subsequently, parametric diagrams are employed to represent the operational rules of logic gates in the fault tree. The quantitative analysis of dynamic fault trees based on probabilistic models is conducted within the internal block diagram of SysML. Finally, through the design and simulation of the power battery management system, the failure probability of the top event was obtained to be 0.11981. This verifies that the design of the battery management system meets safety requirements and demonstrates the feasibility of the method.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

M. Schäfer,A. Berres,O. Bertram

DOI: https://doi.org/10.1007/s13272-022-00631-0

2022-12-20

CEAS Aeronautical Journal

Abstract:Integrating new functions into the aircraft can, for example, increase performance or reduce fuel consumption. Since the installation of such additional functions increases the overall aircraft complexity, it is crucial to adapt methods and tools that support the development and ensure traceability, consistency, and verifiability. In this context, model-based systems engineering and the associated Systems Modeling Language (SysML) have been established as a standard methodology. This paper presents an overview of a system development and modeling process with SysML at the concept design stage using a position-variable shock control bumps system as an example. In addition to the system modeling, safety and reliability analyses have to be considered during the design process. To keep both, the model and the associated safety assessment consistent, this work introduces an extension of SysML to enable the execution of a functional hazard assessment (FHA) according to the ARP4754A and ARP 4761 guidelines. This is the first step in conducting a model-based safety assessment. Furthermore, a modeling process with concepts management methods is performed. In summary, the presented modeling process consists of three main parts: the system modeling, functional hazard assessment and concept management.

Yiping Wang,Tiantian Wang,Xinglong Li,Xianghu Wu,K. Y. Liu

DOI: https://doi.org/10.1117/12.3026535

2024-01-01

Abstract:This paper proposes an extension of the SysML safety semantic approach to address the lack of safety and reliability semantics and the support for safety and reliability analysis of the model in SysML. On this basis, fault tree generation and analysis are performed. The method first adds semantic information about fault tree and redundant module to the model using the Stereotype extension mechanism, integrating design data and safety data through an extended configuration file in the SysML model. Secondly, sub-mode decomposition of Internal Block Diagram is conducted, and fault mode recognition is described in relation to fault tree mapping. Based on this, a search is conducted on the SysML model to obtain necessary information for fault tree generation, followed by an analysis of the generated fault tree.

Ahlbrecht, Alexander,Sprockhoff, Jasper,Durak, Umut

DOI: https://doi.org/10.1007/s10270-024-01209-6

2024-09-13

Software & Systems Modeling

Abstract:The complexity of safety-critical systems is continuously increasing. To create safe systems despite the complexity, the system development requires a strong integration of system design and safety activities. A promising choice for integrating system design and safety activities are model-based approaches. They can help to handle complexity through abstraction, automation, and reuse and are applied to design, analyze, and assure systems. In practice, however, there is often a disconnect between the model-based design and safety activities. At the same time, there is often a delay until recent approaches are available in model-based frameworks. As a result, the advantages of the models are often not fully utilized. Therefore, this article proposes a framework that integrates recent approaches for system design (model-based systems engineering), safety analysis (system-theoretic process analysis), and safety assurance (goal structuring notation). The framework is implemented in the systems modeling language (SysML), and the focus is placed on the connection between the safety analysis and safety assurance activities. It is shown how the model-based integration enables tool assistance for the systematic creation, analysis, and maintenance of safety artifacts. The framework is demonstrated with the system design, safety analysis, and safety assurance of a collision avoidance system for aircraft. The model-based nature of the design and safety activities is utilized to support the systematic generation, analysis, and maintenance of safety artifacts.

computer science, software engineering

Omar el Ariss,Dianxiang Xu,W. Eric Wong,Yuting Chen,Yann-Hang Lee

DOI: https://doi.org/10.1109/compsac.2008.19

2008-01-01

Abstract:As software systems are encompassing a wide range of fields and applications, software reliability becomes a crucial step. The need for safety analysis and test cases that have high probability to uncover plausible faults are necessities in proving software quality. System models that represent only the operational behavioral of a system are incomplete sources for deriving test cases and performing safety analysis before the implementation process. Therefore, a system model that encompasses faults is required. This paper presents a technique that formalizes a safety model through the incorporation of faults with system specifications. The technique focuses on introducing semantic faults through the integration of fault trees with system specifications or statechart. The method uses a set of systematic transformation rules that tries to maintain the semantics of both fault trees and statechart representations during the transformation of fault trees into statechart notations.

Marc Zeller,Kai Hoefig,Jean-Pascal Schwinn

DOI: https://doi.org/10.48550/arXiv.2105.15002

2021-05-31

Software Engineering

Abstract:The growing size and complexity of software in embedded systems poses new challenges to the safety assessment of embedded control systems. In industrial practice, the control software is mostly treated as a black box during the system's safety analysis. The appropriate representation of the failure propagation of the software is a pressing need in order to increase the accuracy of safety analyses. However, it also increase the effort for creating and maintaining the safety analysis models (such as fault trees) significantly. In this work, we present a method to automatically generate Component Fault Trees from Continuous Function Charts. This method aims at generating the failure propagation model of the detailed software specification. Hence, control software can be included into safety analyses without additional manual effort required to construct the safety analysis models of the software. Moreover, safety analyses created during early system specification phases can be verified by comparing it with the automatically generated one in the detailed specification phased.

Simon József Nagy,Bence Graics,Kristóf Marussy,András Vörös

DOI: https://doi.org/10.48550/arXiv.2004.13290

2020-04-28

Software Engineering

Abstract:Systems engineering approaches use high-level models to capture the architecture and behavior of the system. However, when safety engineers conduct safety and reliability analysis, they have to create formal models, such as fault-trees, according to the behavior described by the high-level engineering models and environmental/fault assumptions. Instead of creating low-level analysis models, our approach builds on engineering models in safety analysis by exploiting the simulation capabilities of recent probabilistic programming and simulation advancements. Thus, it could be applied in accordance with standards and best practices for the analysis of a critical automotive system as part of an industrial collaboration, while leveraging high-level block diagrams and statechart models created by engineers. We demonstrate the applicability of our approach in a case study adapted from the automotive system from the collaboration.

Raffaela Groner,Thomas Witte,Alexander Raschke,Sophie Hirn,Irdin Pekaric,Markus Frick,Matthias Tichy,Michael Felderer

DOI: https://doi.org/10.1007/978-3-031-40923-3_9

2023-09-19

Abstract:Joint safety and security analysis of cyber-physical systems is a necessary step to correctly capture inter-dependencies between these properties. Attack-Fault Trees represent a combination of dynamic Fault Trees and Attack Trees and can be used to model and model-check a holistic view on both safety and security. Manually creating a complete AFT for the whole system is, however, a daunting task. It needs to span multiple abstraction layers, e.g., abstract application architecture and data flow as well as system and library dependencies that are affected by various vulnerabilities. We present an AFT generation tool-chain that facilitates this task using partial Fault and Attack Trees that are either manually created or mined from vulnerability databases. We semi-automatically create two system models that provide the necessary information to automatically combine these partial Fault and Attack Trees into complete AFTs using graph transformation rules.

Cryptography and Security,Formal Languages and Automata Theory,Software Engineering

Jiashuo Zhang,Derong Chen,Peng Gao,Zepeng Wang,Jingang Zhang

DOI: https://doi.org/10.3390/pr12122826

IF: 3.5

2024-12-10

Processes

Abstract:Ensuring user safety has become increasingly essential, especially for safety-critical systems (SCSs) that are vital to human life or significant property. However, the prevailing design-for-testability (DFT) model, which relies on dependencies, overlooks safety-related faults and lacks adequate metrics for evaluating system safety. Consequently, the current dependency model is insufficient in effectively assessing system safety. To address this issue, this study has developed a comprehensive DFT model that integrates system safety considerations, known as the safety-related fault model (SRFM). SRFM uses internal block diagrams (IBDs) as a means, employs a nine-tuple model to create a static automatic fault tree, and establishes mapping relationships. Sensitivity analysis is utilized to quantify system safety factors, resulting in a safety-related dependency matrix. Two crucial concepts, design safety sensitivity (DSS) and theoretical safety sensitivity (TSS), are introduced to quantify system safety loss after a fault occurs. Additionally, two new safety-related testability metrics—test advantage of safety assessment on probability (TASAP) and test advantage of safety assessment on number (TASAN)—are developed for a robust evaluation of system safety. To validate the effectiveness of SRFM, it is applied to an electronic safety and arming device (ESA), demonstrating superior performance in TASAP and TASAN compared to existing models, with a negligible impact on expected test cost (ETC).

engineering, chemical

Marc Zeller,Francesco Montrone

DOI: https://doi.org/10.1109/ICSRS.2018.8688854

2021-06-01

Abstract:Fault Tree analysis is a widely used failure analysis methodology to assess a system in terms of safety or reliability in many industrial application domains. However, with Fault Tree methodology there is no possibility to express a temporal sequence of events or state-dependent behavior of software-controlled systems. In contrast to this, Markov Chains are a state-based analysis technique based on a stochastic model. But the use of Markov Chains for failure analysis of complex safety-critical systems is limited due to exponential explosion of the size of the model. In this paper, we present a concept to integrate Markov Chains in Component Fault Tree models. Based on a component concept for Markov Chains, which enables the association of Markov Chains to system development elements such as components, complex or software-controlled systems can be analyzed w.r.t. safety or reliability in a modular and compositional way. We illustrate this approach using a case study from the automotive domain.

Software Engineering

Ashish Bhagavatula,Jun Tao,Sarah Dunnett,Paul Bell

DOI: https://doi.org/10.1080/09617353.2016.1219934

2016-04-02

Safety and Reliability

Abstract:During the design stage of the development of a new system, automated fault tree construction would produce results a lot sooner than the manual process and hence be highly beneficial in order to modify the system design based on identified weakest areas. Although much work has been performed in this area, the construction of fault trees is still generally done manually. In this paper, a new methodology of constructing fault trees from a system description is proposed. Multi-state input/output tables are introduced, which have the capability to capture output deviations during the normal operation of a component as well as under the influence of abnormality or failure. Two libraries, namely, a component library and a mark library, are introduced. The former stores component models and the latter stores a range of marks. The main purpose of a mark is to identify a certain feature of the system, such as a feedback loop or multiple redundancies. These two libraries are used to redraw the system in a graphical environment where the designer can witness the system come together and also input the necessary failure data for each component. An algorithm has been developed, that uses input/output tables and marks, to automatically construct fault trees for failure modes of interest. In order to demonstrate this methodology, it is applied to an automotive emission control system, and a fault tree is generated using the algorithm developed in this work.

Charles Dickerson,Rosmira Roslan,Siyuan Ji

DOI: https://doi.org/10.1109/TR.2018.2849013

2018-05-01

Abstract:Fault analysis and resolution of faults should be part of any end-to-end system development process. This paper is concerned with developing a formal transformation method that maps control flows modeled in UML Activities to semantically equivalent Fault Trees. The transformation method developed features the use of propositional calculus and probability theory. Fault Propagation Chains are introduced to facilitate the transformation method. An overarching metamodel comprised of transformations between models is developed and is applied to an understood Traffic Management System of Systems problem to demonstrate the approach. In this way, the relational structure of the system behavior model is reflected in the structure of the Fault Tree. The paper concludes with a discussion of limitations of the transformation method and proposes approaches to extend it to object flows, State Machines and functional allocations.

Software Engineering

Liangxian Gu

2008-01-01

Abstract:Missile weapon system(MWS) is a high reliability system,so the reliability is an important performance index of MWS and also the base of effectiveness analysis for MWS. Because of the limit of the physical simulation,the computer simulation becomes an efficient approach for reliability research of MWS. First the paper introduces a simulation method in common use――fault tree analysis (FTA)method in brief , establishes a fault tree analysis (FTA) model of MWS based on FTA method and makes the Monte Carlo simulation, and gets the unit concernment degree and mode concernment degree of the system components. Through analysis of the simulation results a conclusion is got: for the MWS, rectifying the reliability of the system elements with non-configuration would not improve the whole system reliability in use.

Wolfgang Weber,Heidemarie Tondok,Michael Bachmayer

DOI: https://doi.org/10.1007/978-3-540-39878-3_23

2003-01-01

Abstract:The fault tree analysis is a well established method in system safety and reliability assessment. We transferred the principles of this technique to an assembler code analysis, regarding any incorrect output of the software as the undesired top-level event. Starting from the instructions providing the outputs and tracing back to all instructions contributing to these outputs a hierarchical system of references is generated that may graphically be represented as a fault tree. To cope with the large number of relations in the code, a tool suite has been developed, which automatically creates these references and checks for unfulfilled preconditions of instructions. The tool was applied to the operational software of an inertial measurement unit, which provides safety critical signals for artificial stabilization of an aircraft. The method and its implementation as a software tool is presented and the benefits, surprising results, and limitations we have experienced are discussed.