Abstract. Over the past years, the paradigm of component-based software engineering has been established in the construction of complex mission-critical systems. Due to this trend, there is a practical need for techniques that evaluate critical properties (such as safety, reliability, availability or performance) of these systems. In this paper, we review several high-level techniques for the evaluation of safety properties for component-based systems and we propose a new evaluation model (State Event Fault Trees) that extends safety analysis towards a lower abstraction level. This model possesses a state-event semantics and strong encapsulation, which is especially useful for the evaluation of component-based software systems. Finally, we compare the techniques and give suggestions for their combined usage.
Introduction
Safety critical systems are systems that pose potential hazards for people and the environment. Recently though, the ability to implement cost effectively complex functions in software has yielded a plethora of computer controlled safety critical systems in areas that include automotive electronics, aviation, industrial process control and medical applications. The safety assessment of such systems is currently performed using a range of classical techniques, which include Fault Tree Analysis (FTA), Failure Modes and Effects Analysis (FMEA) and Hazard and Operability Studies (HAZOPS) (for a review of these techniques the reader is referred to [2, 17 ,28] ). During the safety assessment process, a team of analysts manually applies a combination of these techniques to identify possible hazards, analyze the risk associated with these hazards, and devise strategies to mitigate the level of risk where this is necessary.
Although there are many commercial tools that automate the quantitative, mathematical analysis of such models, the construction of evaluation models and the overall application of hazard and safety analysis techniques remain manual processes, which are performed by expert analysts. For relatively simple systems, safety and reliability analysis is a manageable process, although fault trees and other analyses can rapidly become very elaborate [2] . With increasing system complexity however, manual analysis becomes laborious, error prone and questions are therefore asked as to its applicability to complex technologies.
New computer-based systems deliver increased functionality on increasingly more powerful electronic units and networks. Such systems introduce new complex failure modes, which did not arise in older electromechanical designs. Such failure modes, for instance, include commission failures, i.e. conditions in which functions are being provided in the wrong context of operation (e.g. inadvertent and wrong application of brakes in a vehicle control system). As the density of implementation per electronic unit increases over time in such systems, and as functions are being distributed on networks of embedded components, the possibility of common cause failure and unpredicted dependent failure of critical functions caused by malfunction of non-critical functions also become greater concerns. Beyond those new safety concerns, difficulties are also caused by increasing scale and complexity. To deal with the complexity, new assessment processes are needed in the context of which composability and reuse of component safety analyses in the construction of system safety cases will be possible [25] . Such processes are also demanded by modern standards. The CENELEC railway standards [5] , for example, introduce the concept of composable safety cases, according to which the safety case (i.e. the collective evidence of safety) of a system is composed of the safety cases of its subsystems or components, which in theory could be certified independently. This type of composability in safety analysis is expected to bring similar benefits to those introduced by well-tested and trusted software components in general software engineering [25] . A body of work is already developing looking into techniques for specification and application-level reuse of component-based safety analyses. This paper reviews this work and proposes a new component-based safety evaluation model (State Event Fault Trees), which is appropriate for the representation and analysis of components and systems that exhibit probabilistic and deterministic behavior.
The rest of the paper is organized as follows: In Section 2, recently proposed techniques for safety analysis of component-based systems are reviewed. In Section 3, we introduce State Event Fault Trees (SEFTs), a new model for safety analysis and describe the proceeding of a component-based safety analysis with these SEFTs. The case study of a fire alarm system in Section 4 demonstrates application of SEFTs. Finally, we discuss the benefits, limitations and differences of the proposed techniques in Section 5, and we conclude and describe relevant future work in section 6.
Safety Evaluation for Component-Based Systems: Earlier models
To place the proposed work in context, this section reviews earlier work on safety evaluation of component-based systems. To deal with the modular nature of componentbased systems, safety evaluation models also need to be modular and should be capable of describing the failure behavior of components with respect to all possible environments. A number of models have been proposed to meet these requirements. In this section, we examine three models, which we believe will help to illustrate the principle and value of modular safety analysis as well as the limitations of current work in this area. These models are: Failure Propagation and Transformation Notation (FPTN), tabular failure annotations in Hierarchically Performed Hazard Origin and Propagation Studies (HiP-HOPS) and Component Fault Trees (CFT).
Failure Propagation and Transformation Notation (FPTN)
The Failure Propagation and Transformation Notation (FPTN) described in [9] is the first approach that introduces modular concepts for the specification of the failure behavior of components.
The basic entity of the FPTN is a FPTN-Module. This FPTN-Module contains a set of standardized sections. In the first section (the header section) for each FPTN-module an identifier (ID), a name and a criticality level (SIL) are given. The second section specifies the propagation of failures, transformation of failures, generation of internal failures and detection of failures in the component. Therefore, this section enumerates all failures in the environment that can affect the component and all failures of the component that can effect the environment. These failures are denoted as incoming and outgoing failures and are classified by the failure categorization of Bondavalli and Simoncini [3] (reaction too late(tl), reaction too early(te), value failure(v), commission(c) and omission(o)). In the example which is given in Fig. 1 For this, it is necessary to specify a failure cause or a failure handling mechanism and a probability. FPTN-Modules can also be nested hierarchically. Thus, FPTN is a hierarchical notation, which allows the decomposition of the evaluation model based upon the system architecture. If a FPTN-module contains embedded FPTN-modules the incoming failures of one module can be connected with the outgoing failures of another module. Such a connection can be semantically interpreted as failure propagation between these two modules. [18] has been proposed as a means of deriving such failure annotations. Analysts will typically apply this technique on components to identify plausible output failures such as the omission, commission, value (hi, low) or timing (early, late) failures at each output and then to determine the local causes of such events as combinations of internal component malfunctions and input failures. Once this analysis has been inserted into the model, the structure of the model is then used to automatically determine how the local failures specified in failure annotations propagate through connections in the model and cause functional failures at the outputs of the system. This global view of failure is captured in a set of fault trees, which are automatically constructed by traversing the model and by evaluating the local failure expressions encountered during the traversal. In HiP-HOPS, synthesized fault trees form a directed acyclic graph sharing branches and basic events that arise from dependencies in the model, e.g. common inputs. Thus, qualitative or quantitative analysis can be automatically performed on the graph to establish whether the system meets its safety or reliability requirements. In recent work [20] , the authors also showed that the graph can be automatically reduced into a simple table, which is equivalent to a classical FMEA.
Component Fault Trees (CFT)
Component Fault Trees (CFTs) [12] are an extension of basic Fault Trees (FTs) [11 ,26] to analyze complex component-based systems. This extension allows arbitrarily defining partial FT that corresponds to the actual technical components.
CFTs can be modeled and archived independently from each other, because they are encapsulated entities using input and output ports to connect the components. CFTs are treated as a set of propositional formulas describing the truth-values of each output failure port as a function of the input failure ports and the internal events. CFTs are acyclic graphs with one or more output ports. Each component constitutes a namespace and hides all internal failure events from the environment. Components may be instantiated several times and can be reused in other projects. Thus, all necessary preconditions for an application of safety analysis to component-based systems are fulfilled. Apart from the component and port concepts, CFTs are ordinary FTs and provide the same expressive power and analysis techniques. Fig. 2 gives an example of a CFT and the hierarchical decomposition. The left CFT describes the failure behavior of the system, i.e. an instance of the top-level componentclass C1. The system incorporates two instances Sub1 and Sub2 of another component type C2 as its subcomponents. On the higher hierarchy level, subcomponents are represented as black boxes that show only the ports, representing the external interface of the embedded CFT. As in UML, colons are used to separate instances from classes, e.g. Sub1:C2 denotes that Sub1 is a component (instance) of component-class C2. Note that the internal events Sub1.E1 and Sub2.E1 within the two subcomponents (not visible on top system level) are two distinct instances of: C2.E1 and thus independent events, while System.E1 is another distinct event and a common failure cause to both subcomponents. 
Fig. 2. Example of a Component Fault Tree
The application of CFTs for component-based systems is described in [10] . This includes the annotation of CFTs to components and a model-based construction algorithm of system-level CFTs (safety cases) based on the structure specification and the component fault trees of the used components. This construction algorithm is similar to the generation of fault trees in HiP-HOPS.
State Event Fault Trees
While the preceding section describes established and industry-proven component-based safety analysis techniques, this section presents a very recent technique, the State-EventFault-Trees (SEFTs). We first give an informal introduction and briefly describe the syntax and semantics of SEFTs. Then we summarize how to analyze hazard probabilities with SEFTs and present the application to component-based systems.
Informal Introduction and Syntax of SEFT
SEFTs are a visual model that integrates elements from discrete state-based models with FTs. The principal distinction from standard FTs is that states (that last over a period of time) are distinguished from events (sudden phenomena, in particular state transitions). The graphical elements are adopted from traditional FTA and from Statecharts (or derived notations like ROOMcharts [24] or UML 2.0 State Diagrams) that are widely used in industry. An explicit event symbol is introduced and causal edges show cause-effect relations, connected by logical gates, as usual in FTA.
State transitions occur due to three different reasons: either the state changes deterministically when a certain sojourn time in a state has elapsed, or it changes stochastically according to an exponential distribution of the sojourn time, or it changes because some other event caused, or triggered the state change. The latter relation between two events is denoted by a causal edge, which can be graphically distinguished from a temporal edge that denotes the predecessor/successor relation between states and events.
As in FTA, gates add logical connectors to the causal paths. The fundamental gates are AND, OR and NOT in their different variants. Semantically, SEFTs are an extended state-machine model and no longer a purely combinatorial model as standard FTs are. Consequently, SEFT gates are typed in the sense that they have different semantics depending on whether they are applied to state terms or to event triggering relations. The shift from a combinatorial model towards a state-based model enables new kinds of gates (e.g. Duration gate, History-AND) and allows for a more formal definition of gates that have traditionally been used in FTA (e.g. Priority-AND, Inhibit). Similar to CFTs, SEFTs also extend the plain tree structure to Directed Acyclic Graphs (the same cause triggers multiple effects) and deal with repeated events or states correctly. Causal cycles without explicit delay are not allowed, because this would raise some semantic problems during analysis. SEFTs are structured by components. Components are defined as types (component classes) that can be instantiated as subcomponents in other components. Subcomponents appear as black boxes on the next higher level where only the ports are visible. This results in a component hierarchy, of which the topmost component is the system to be examined. Ports achieve information flow between components across hierarchical levels. To enforce consistency, we distinguish input from output ports and type ports as state ports and event ports. Examples can be found in the case study in section 4. Event ports transfer triggering relations from one component to another, without backward consequences and without forcing synchronization of both components. The semantics of a state port is that the destination component has access to the information whether or not the state in the source component is active, again without the possibility to backward influence this state. A main difference to standard FTs is that states and events that appear in the model are not necessary failures; normal operational states can, in conjunction with other states or events, become safety issues upstream in the causal chain. The following figure sums up the graphical elements of SEFTs.
Fig. 3. Syntactic Elements of SEFT

Transformational Semantics and Analysis of SEFT with DSPNs
To analyze a traditional Fault Tree, the underlying Boolean formula is converted into a Binary Decision Diagram (BDD) [4] . Due to the state-based nature, SEFTs cannot be evaluated this way. Instead we propose a translation to Deterministic and Stochastic Petri Nets (DSPNs) [1] since DSPNs are a concurrent model possessing all needed kinds of transitions and provide analysis techniques for the properties we are interested in. Assuming some basic knowledge about Petri Nets we briefly point out the main features of DSPNs: DSPNs are a timed variant of Petri Nets, i.e. the (deterministic or probabilistic) time that a transition waits before firing after becoming enabled is explicitly specified in the model. There are three kinds of transition that differ by their way of firing: immediately after activation, after a deterministic delay (specified by an annotated time parameter) or after an exponentially distributed random delay (specified by an annotated rate parameter). Firing of transitions is atomic and takes no time. In the graphical representation, black bars depict immediate transitions, empty rectangles depict transitions with exponentially distributed firing time, and black filled rectangles depict transitions with deterministic firing time. Transitions are joined to places by input arcs, output arcs or inhibitor arcs. The latter forbid firing as long as the corresponding place is marked; whereas the other arcs are as in standard Petri Nets. Priorities can be attached to immediate transitions to resolve conflicts: the transition with the highest priority number wins. Alternatively, weights can be assigned to decide conflicts probabilistically. Places can have a capacity of more then one token and arcs can have a multiplicity of greater than one, but we currently do not exploit this property. We assume the underlying time scale to be continuous. Analysis of DSPNs has been described in [6] and several tools are available to apply it. We are using the tool TimeNET [29] from Technische Universität Berlin for analysis and/or simulation.
The translation of SEFT states and events to DSPN places and transitions is straightforward: each state is mapped to a place and each event to a transition. For ports and trigger relations, special DSPN structures are applied that inhibit backward influence. SEFT gates are translated as a whole by looking up the corresponding DSPN structure in a dictionary that has been introduced in [14] . An excerpt is given in Fig. 4 . This figure also exemplifies the meaning of typed gates: the AND joining two states is distinct from the AND joining a state and an event, and so on. The graphical symbols for both the State/Event-AND and the State-AND are identical to the AND gate from traditional FTA, but a confusion is impossible due to the different type of one input port. This is comparable to method overloading in OO programming languages, where the arguments passed decide which actual function need to be executed. A central feature of SEFTs is that, in contrast to standard FTs, all events can occur more often than once, and repair or reset can be modeled. This is reflected in the DSPN structures chosen as gate equivalents.
In the figure, dashed places or transitions signify import places/transitions, i.e. references to places/transitions in other partial DSPNs. During flattening (integration of the partial nets), the import elements are merged with corresponding export elements by resolving a reference table. After states and events have been translated to places and arcs and after the partial DSPNs corresponding to the gates, the remaining steps of the translation are simplification, flattening and parameter translation. Flattening turns the hierarchical DSPN (due to the component structure) into one flat DSPN. Flattening is an automatic procedure, based on the unique IDs of the ports. This enables creating semi-automatic safety cases for component-based systems. The resulting flat DSPN can be stochastically analyzed and/or simulated with the tool TimeNET. The requested measure (e.g. average probability of a state term that is connected to an output port) must be translated into a measure that can be determined by the DSPN analysis tool (e.g. the marking probability for a place that corresponds to the system state of interest). Currently we start the analysis manually, but we are working towards an integrated solution, started from the GUI of our own tool ESSaRel [7] .
A Safety Evaluation Method with SEFTs
The last two sections introduced SEFTs and gave a brief overview of their syntax, semantics and analyzability. Based on the foundation of SEFT we want to describe a methodology for model-based hazard analysis for component-based software systems. The underlying model is the architecture specification, which could be specified with an architectural description language (e.g., AADL [8] or MetaH [27] ) or with the UML 2.0. This architecture specification is the basic construction plan of the system. It describes how the system or a component is decomposed into smaller components and which of them interact during the runtime of the system as well as which software components are deployed on which hardware platform.
The methodology for hazard analysis with SEFT can be structured into three phases. In the first phase, a SEFT must be manually constructed for each component-class instantiated in the architecture. This SEFT describes the behavior of the component on a lowlevel, i.e. referring to detailed states and events. This behavioral model can be derived from the model for the normal functional behavior, as specified in the system design phase. However, it is not the same as a functional model: it is reduced by details that are not relevant to safety and on the other hand, it may be extended by potential faulty behavior, which is of course not part of a functional model.
In the second phase, a SEFT is constructed for the entire architecture. All necessary details for this construction are contained in the architectural model and the SEFTs of the subcomponents. The algorithm for the construction first instantiates recursively all SEFTs of the subcomponents and connects the ports of two SEFT (in ports with out ports), if there is a dependency between the relating components. Then the algorithm creates ports in the SEFT if there is an unconnected port in the SEFT of a subcomponent.
The result of the previous phases is a SEFT for the complete system. This SEFT can be analyzed quantitatively to determine the probability of the relevant system failures or hazards. To do so, the analyst must further specify which output ports or which combinations of output failures lead to a hazard, which is preferably done using the Fault Tree modeling elements. Some output states or events are marked as the critical ones (hazards or system failures), of which the probability has to be calculated. Quantitative analysis is performed on the underlying DSPN. If the calculated hazard probabilities are lower than the tolerable hazard probabilities defined in the requirements specification, the system fulfils its safety requirements.
The benefit of this methodology is the tight coupling between the architectural model and the hazard analysis. Once the architecture or a SEFT of a used component is changed, a new SEFT for the complete system can be constructed and a new hazard analysis can be applied.
Case-Study
We exemplify the usage of SEFTs for safety analyses of component-based systems by the case study of a fire alarm system. We start our example by introducing the system components and environment and finally present the system model that shows the architecture and specify the hazard to be examined. For brevity, we do not explain the analysis of the example; this step can be found in [13, 14] .
The system consists of a software-implemented controller unit, a smoke sensor and a sprinkler. The hazard to be examined is the case that a fire breaks out and the sprinkler is not turned on within a given delay. The fire is an event that occurs in the environment; it is a particularity of the new SEFT method that system and environment are described in the same modeling technique and thus failure-on-demand situations can be modeled easily. The hardware components of the fire alarm system can fail; therefore, inspection and repair is foreseen on a regular basis and a hardware watchdog restarts the controller on a periodical basis.
The first component to be modeled is the sensor (Fig. 5, left side) . It is modeled as a system with two states (ready and defect), one event input and one event output. If the input fire breaks out is triggered while the sensor is in state ready, the output detect smoke is triggered. If the sensor is in state defect while the fire breaks out, nothing happens at the output. The transition from the state ready to the state defect occurs probabilistically with a constant rate of 1/10 7 hours. Like all figures in this example, this is a fictitious number; In reality, one would have to insert a number that has been derived from failure statistics, experiments or mathematical models. The way back from the state defect to the state ready corresponds to repair, which is also modeled by a constant rate as well, corresponding to the periodical visits of a service technician.
The sprinkler (Fig. 5 , right side) is a component with three states: ready, sprinkling, defect. In this component, deterministic behavior (triggering) is mixed with probabilistic behavior (going to state defect). Again, failure and repair are modeled by constant rates. The transitions from ready to sprinkling and back are triggered transitions: it is the controller that commands start and stop of the sprinkling. The two event inputs sprinkler on and sprinkler off are technical interfaces in the sense that these are actually the spots, where the controller interacts with the sprinkler, e.g. via an electrical line. The state output sprinkling is an interface to the environment; it does not correspond to a technical interface but represents the fact that sprinkling is obviously visible to an outside observer.
Fig. 5. SEFT of the Sensor and Sprinkler
The next part of the system is the controller; witch is designed with software and hardware. The hardware has two states, working and defect. The transition from working to defect is again probabilistic with constant rate; it triggers the event output hardware fails that causes the software to enter the state of unavailability (off). The transition of the hardware back to state working is this time not a probabilistic one, but is triggered by a reset input that will later be connected to the reset output of a separate watchdog component. A reset of the hardware immediately triggers the reboot of the software. The software is modeled with three states: off, ready and alarm. Alarm is the state when the sprinkler is turned on. Entrance to this state triggers the sprinkler on output, leaving this state triggers the sprinkler off output. This state alarm is entered when the detect smoke input (connected to the sensor output) is triggered. The sprinkler operation is limited by the software controller to 120 seconds. This is denoted by a deterministic delay transition. There are self-transitions from the state ready and alarm that produces output I am alive! if the input are you alive? is received. The OR connection at the event output taken from the FT notation and means the component can send the output I am alive! in booth states.
The last technical component to be considered is the watchdog (Fig. 7 , left side) -usually a highly reliable separate hardware timer. It is modeled as a component with two states, ready and awaiting reply, failure of the watchdog is so rare that it does not have to be modeled. Every 10 seconds the watchdog sends an event are you alive? to an output which will be connected to the input of the controller software with the same name. If the response I am alive! arrives from the software, the watchdog goes back to ready state for another 10 seconds. If the response does not arrive within 1 second, the watchdog triggers a reset of the controller hardware. The environment is modeled in Fig. 7 , right side. It has just one state, which has no name. It signifies that probabilistically, with an assumed rate of once per year, a fire breaks out. The event output means that the beginning of the fire can be noticed by other components, particularly the sensor in our example.
The overall scenario including the FT for the hazard to be examined is shown in Fig.  8 . The system components are connected to each other according to matching port names (not shown in the figure). In the upper part of the figure, the fault tree elements describe the hazard scenario: The hazard is the state that is present if the sprinkler is not enabled 10 seconds upon a fire breaks out. The probability of the hazard has to be calculated. The evaluation is as described in [14] : Translation of all components to a Deterministic and Stochastic Petri Net (DSPN), flattening of the component hierarchy and analysis and/or simulation using one of the existing DSPN tools. They all have in common that they reflect hierarchical component and system structures and allow composing of the system safety case out of the safety models of the components. All of them allow probabilistic estimation of failure frequencies. CFTs are closest to the traditional FTA technique. They introduce the port concept (input and output ports) and thus allow arbitrarily cutting a system into components and reusing the component models. Standard combinatorial FTs cannot handle time dependencies and order of events and durations (in contrast to SEFTs). The FT events can be low-level events or faulty states of components, but also general propositions on a higher level. CFTs by themselves do not provide help in finding appropriate failure categories.
HiP-HOPS and FPTN share the component and port oriented view of the system that CFTs offer. Both techniques offer guide words to failure identification and are focused on data flows, in particular the flow of failures. They also are unsuitable to model timing issues directly, but among the proposed failure classifications are keywords like "too early" and "too late" that allow expressing timing faults. While FPTNs are a graphical notation, failure propagation tables of HiP-HOPS are a tabular notation. Note, that this is merely an ergonomical issue: graphical notations are often easier to capture for humans, but large amounts of data are better collected and reviewed in tables. There are other differences between the two techniques. In FPTN, a failure specification is developed in parallel to the system model while in HiP-HOPS failure annotations are only added to that model. Thus, in FPTN, special arrows are used to represent the explicit failure propagation between FPTN modules while in HiP-HOPS specified component failures propagate implicitly through deviations of material, energy or data flows in the model. In FPTN a number of predefined failure classes are only examined (provision, timing and value failures) while in HiP-HOPS analysts are free to define their own failure classes. To simplify the analysis and capture common causes of failure, HiP-HOPS also allows simultaneous hierarchical annotation of the model at subsystem and component levels. Apart from these differences, in their basic form FPTN and HiP-HOPS can be considered equivalent and can thus be applied in combination. A combination with CFTs is also possible, as CFTs could be used explain the different failure modes and their relations, provided that the failure inputs and outputs are named according to the FPTN / HiP-HOPS specifications.
SEFTs are a new and quite different approach, because they model the system on a lower level. They introduce a more precise semantics and distinguish states from events. They mix fault tree notation elements with state-based modeling elements; their overall semantics is state-based. Thus they can model low-level behavior of (especially software) components well and can be seen as a contribution to fill the gap between safety analysis techniques and formal methods. The main difference to the former techniques is that SEFTs do not model failures and hazards, but behavior in general (although the analyst preferably models only those aspects of the behavior that have an influence on systemlevel failures or hazards). For instance, SEFTs do not express that an event occurs too late, but rather the time when it occurs. Only on a high level, upstream in the tree, the occurrence time of an event is compared to an acceptable delay or to another event and if the acceptable delay is exceeded, this constitutes a failure.
In summary, SEFTs work on a lower abstraction level and model more details, but this richness in detail can be a drawback when it comes to analysis performance (state explosion problem). Moreover, many of the needed detail information is only present at design or implementation stage of the system, while more informal considerations can be conducted from the earliest development phases. In practice, it is not possible to model very complex systems in all detail. A possible recipe for practitioners is to apply FPTN or HiP-HOPS on system level and to apply SEFTs on component level where the origin of some relevant behavior must be explained. For instance, an SEFT output indicating that some event occurs later than expected provides the probability of the "too late" failure mode in a FPTN.
Conclusion and Future Work
Hazard analysis techniques for safety critical systems are concerned with (1) identifying the causal relationships between elementary failure modes (causes) and system level hazards (effects) and (2) with a quantitative or qualitative evaluation of these relationships [9, 15, 22, 28] . Both tasks are currently performed using a range of classical techniques, which include Fault Tree Analysis (FTA), Failure Modes and Effects Analysis (FMEA) and Hazard and Operability Studies (HAZOPS). However, these techniques are not suitable to analyze component-based systems, because the underlying evaluation models lack of composability and the evaluation methods cannot deal with hierarchical component structures. New evaluation models (FPTN, tabular failure annotations in HiP-HOPS, CFT) have been proposed to allow hazard analysis for component-based systems. The semantics of these techniques is concerned with failure propagation or failure flow between components. These techniques are suitable to analyze high-level system structures at an abstract level. In this paper, we presented a new evaluation model called State Event Fault Trees, which has state-event semantics and is suitable to describe the stochastic behavior of a component on a low level, i.e. referring to detailed states and events. The state event semantics allows expressing facts that cannot be expressed in standard Fault Trees and many other safety analysis techniques (e.g. temporal order of events or duration). The state-event semantics is similar to the one used in behavioral modeling techniques in the design phase of software and hardware systems. Due to this compatible semantics, it is possible to integrate SEFTs with behavioral models of a component or even to derive them automatically. Additionally SEFT are strongly encapsulated (providing. information hiding and strict interfaces) and typed (SEFT-components). As a result, safety cases can be composed hierarchically according to the component structure of complex systems.
For the techniques CFT and HiP-HOPS, tools are already available on a prototype level (e.g. UWG3 [7] supports CFTs or an extension of Matlab-Simulink support HiP-HOPS [21] ). The integration of SEFTs into a usable tool is part of our current research. The platform is the project ESSaRel [7] , a user-friendly Windows-based tool encompassing different modeling techniques has already been built within this project. In the end, we are working towards an integrated tool chain for safety and reliability analysis of embedded systems that enable the model-based hazard analysis. For further integration of safety analysis and systems modeling, we plan a filter to import models from CASETools that can be integrated into SEFTs. As SEFTs are a state-based technique, performance issues have to be resolved in the future using suitable reduction and abstraction techniques. All mentioned techniques have been tried out in industrial environment, but a large body of experience is not yet available.
