QuantUM: Quantitative Safety Analysis of UML Models

When developing a safety-critical system it is essential to obtain an assessment of different design alternatives. In particular, an early safety assessment of the architectural design of a system is desirable. In spite of the plethora of available formal quantitative analysis methods it is still difficult for software and system architects to integrate these techniques into their every day work. This is mainly due to the lack of methods that can be directly applied to architecture level models, for instance given as UML diagrams. Also, it is necessary that the description methods used do not require a profound knowledge of formal methods. Our approach bridges this gap and improves the integration of quantitative safety analysis methods into the development process. All inputs of the analysis are specified at the level of a UML model. This model is then automatically translated into the analysis model, and the results of the analysis are consequently represented on the level of the UML model. Thus the analysis model and the formal methods used during the analysis are hidden from the user. We illustrate the usefulness of our approach using an industrial strength case study.Comment: In Proceedings QAPL 2011, arXiv:1107.074

MATrA: meta-modelling approach to traceability for avionics

PhD ThesisTraceability is the common term for mechanisms to record and navigate relationships between artifacts produced by development and assessment processes. Effective management of these relationships is critical to the success of projects involving the development of complex aerospace products. Practitioners use a range of notations to model aerospace products (often as part of a defined technique or methodology). Those appropriate to electrical and electronic systems (avionics) include Use Cases for requirements, Ada for development and Fault Trees for assessment (others such as PERT networks support product management). Most notations used within the industry have tool support, although a lack of well-defined approaches to integration leads to inconsistencies and limits traceability between their respective data sets (internal models). Conceptually, the artifacts produced using such notations populate four traceability dimensions. Of these, three record links between project artifacts (describing the same product), while the fourth relates artifacts across different projects (and hence products), and across product families within the same project. The scope of this thesis is to define a meta-framework that characterises traceability dimensions for aerospace projects, and then to propose a concrete framework capturing the syntax and semantics of notations used in developing avionics for such projects which enables traceability across the four dimensions. The concrete framework is achieved by exporting information from the internal models of tools supporting these notations to an integrated environment consisting of. i) a Workspace comprising a set of structures or meta-models (models describing models) expressed in a common modelling language representing selected notations (including appropriate extensions reflecting the application domain); ii) well-formedness constraints over these structures capturing properties of the notations (and again, reflecting the domain); and iii) associations between the structures. To maintain consistency and identify conflicts, elements of the structures are verified against a system model that defines common building blocks underlying the various notations. The approach is evaluated by (partial) tool implementation of the structures which are populated using case study material derived from actual commercial specifications and industry standards

Integrated application of compositional and behavioural safety analysis

To address challenges arising in the safety assessment of critical engineering systems, research has recently focused on automating the synthesis of predictive models of system failure from design representations. In one approach, known as compositional safety analysis, system failure models such as fault trees and Failure Modes and Effects Analyses (FMEAs) are constructed from component failure models using a process of composition. Another approach has looked into automating system safety analysis via application of formal verification techniques such as model checking on behavioural models of the system represented as state automata. So far, compositional safety analysis and formal verification have been developed separately and seen as two competing paradigms to the problem of model-based safety analysis. This thesis shows that it is possible to move forward the terms of this debate and use the two paradigms synergistically in the context of an advanced safety assessment process. The thesis develops a systematic approach in which compositional safety analysis provides the basis for the systematic construction and refinement of state-automata that record the transition of a system from normal to degraded and failed states. These state automata can be further enhanced and then be model-checked to verify the satisfaction of safety properties. Note that the development of such models in current practice is ad hoc and relies only on expert knowledge, but it being rationalised and systematised in the proposed approach – a key contribution of this thesis. Overall the approach combines the advantages of compositional safety analysis such as simplicity, efficiency and scalability, with the benefits of formal verification such as the ability for automated verification of safety requirements on dynamic models of the system, and leads to an improved model-based safety analysis process. In the context of this process, a novel generic mechanism is also proposed for modelling the detectability of errors which typically arise as a result of component faults and then propagate through the architecture. This mechanism is used to derive analyses that can aid decisions on appropriate detection and recovery mechanisms in the system model. The thesis starts with an investigation of the potential for useful integration of compositional and formal safety analysis techniques. The approach is then developed in detail and guidelines for analysis and refinement of system models are given. Finally, the process is evaluated in three cases studies that were iteratively performed on increasingly refined and improved models of aircraft and automotive braking and cruise control systems. In the light of the results of these studies, the thesis concludes that integration of compositional and formal safety analysis techniques is feasible and potentially useful in the design of safety critical systems

A rigorous approach to combining use case modelling and accident scenarios

Nearly all serious accidents, in the past twenty years, in which software has been involved can be traced to requirements flaws. Accidents related to or involving safety-critical systems often lead to significant damage to life, property, and environment in which the systems operate. This thesis explores an extension to use case modelling that allows safety concerns to be modelled early in the systems development process. This motivation comes from interaction with systems and safety engineers who routinely rely upon use case modelling during the early stages of defining and analysing system behaviour. The approach of embedded formal methods is adopted. That is, we use one discipline of use case modelling to guide the development of a formal model. This enables a greater precision and formal assurance when reasoning about concerns identified by system and safety engineers as well as the subsequent changes made at the level of use case modelling. The chosen formal method is Event-B, which is re nement based and has consequently enabled the approach to exploit a natural abstractions found within use case modelling. This abstraction of the problem found within use cases help introduce their behaviour into the Event-B model via step-wise re nement. The central ideas underlying this thesis are implemented in, UC-B, a tool support for modelling use cases on the Rodin platform (an eclipse-based development environment for Event-B). UC-B allows the specification of the use cases to be detailed with both informal and formal notation, and supports the automatic generation of an Event-B model given a formally specified use case. Several case studies of use cases with accident cases are provided, with their formalisation in Event-B supported by UC-B tool. An examination of the translation from use cases to Event-B model is discussed, along with the subsequent verification provided by Event-B to the use case model

Development of a human factors hazard model for use in system safety analysis

2021 Fall.Includes bibliographical references.Traditional methods for Human Reliability Analysis (HRA) have been developed with specific applications or industries in mind. Additionally, these methods are often complicated, time consuming, costly to apply, and are not suitable for direct comparison amongst themselves. The proposed Human Factors Hazard Model (HFHM) utilizes the established and time-tested probabilistic analysis tools of Fault Tree Analysis (FTA) and Event Tree Analysis (ETA), and integrates them with a newly developed Human Error Probability (HEP) predictive tool. This new approach is developed around Performance Shaping Factors (PSFs) relevant to human behavior, as well as specific characteristics unique to a system architecture and its corresponding operational behavior. This updated approach is intended to standardize, simplify, and automate the approach to modeling the likelihood of a mishap due to a human-system interaction during a hazard event. The HFHM is exemplified and automated within a commercial software tool such that trade and sensitivity studies can be conducted and validated easily. The analysis results generated by the HFHM can be used as a standardized guide to SE analysts as a well as design engineers with regards to risk assessment, safety requirements, design options, and needed safety controls within the system architecture. Verification and evaluation of the HFHM indicate that it is an effective tool for HRA and system safety with results that accurately predict HEP values that can guide design efforts with respect to human factors. In addition to the development and automation of the HFHM, application within commonly used system safety Hazard Analysis Techniques (HATs) is established. Specific utilization of the HFHM within system or subsystem level FTA and Failure Mode and Effects Analysis (FMEA) is established such that human related hazards can more accurately be accounted for in system design safety analysis and lifecycle management. Lastly, integration of the HFHM within Model-Based System Engineering (MBSE) emphasizing an implementation into the System Modeling Language (SysML) is established using a combination of existing hazard analysis libraries and custom designed libraries within the Unified Modeling Language (UML). The FTA / ETA components of the hazard model are developed within SysML partially utilizing the RAAML (Risk Analysis and Assessment Modeling Language) currently under development by the Object Management Group (OMG), as well as a unique recursive analysis library. The SysML model successfully replicates the probabilistic calculation results of the HFHM as generated by the native analytical model. The SysML profiles developed to implement HFHM have application in integration of conventional system safety analysis as well as requirements engineering within lifecycle management

SAFE-FLOW : a systematic approach for safety analysis of clinical workflows

The increasing use of technology in delivering clinical services brings substantial benefits to the healthcare industry. At the same time, it introduces potential new complications to clinical workflows that generate new risks and hazards with the potential to affect patients’ safety. These workflows are safety critical and can have a damaging impact on all the involved parties if they fail.Due to the large number of processes included in the delivery of a clinical service, it can be difficult to determine the individuals or the processes that are responsible for adverse events. Using methodological approaches and automated tools to carry out an analysis of the workflow can help in determining the origins of potential adverse events and consequently help in avoiding preventable errors. There is a scarcity of studies addressing this problem; this was a partial motivation for this thesis.The main aim of the research is to demonstrate the potential value of computer science based dependability approaches to healthcare and in particular, the appropriateness and benefits of these dependability approaches to overall clinical workflows. A particular focus is to show that model-based safety analysis techniques can be usefully applied to such areas and then to evaluate this application.This thesis develops the SAFE-FLOW approach for safety analysis of clinical workflows in order to establish the relevance of such application. SAFE-FLOW detailed steps and guidelines for its application are explained. Then, SAFE-FLOW is applied to a case study and is systematically evaluated. The proposed evaluation design provides a generic evaluation strategy that can be used to evaluate the adoption of safety analysis methods in healthcare.It is concluded that safety of clinical workflows can be significantly improved by performing safety analysis on workflow models. The evaluation results show that SAFE-FLOW is feasible and it has the potential to provide various benefits; it provides a mechanism for a systematic identification of both adverse events and safeguards, which is helpful in terms of identifying the causes of possible adverse events before they happen and can assist in the design of workflows to avoid such occurrences. The clear definition of the workflow including its processes and tasks provides a valuable opportunity for formulation of safety improvement strategies

Fujaba days 2009 : proceedings of the 7th international Fujaba days, Eindhoven University of Technology, the Netherlands, November 16-17, 2009

Fujaba is an Open Source UML CASE tool project started at the software engineering group of Paderborn University in 1997. In 2002 Fujaba has been redesigned and became the Fujaba Tool Suite with a plug-in architecture allowing developers to add functionality easily while retaining full control over their contributions. Multiple Application Domains Fujaba followed the model-driven development philosophy right from its beginning in 1997. At the early days, Fujaba had a special focus on code generation from UML diagrams resulting in a visual programming language with a special emphasis on object structure manipulating rules. Today, at least six rather independent tool versions are under development in Paderborn, Kassel, and Darmstadt for supporting (1) reengineering, (2) embedded real-time systems, (3) education, (4) specification of distributed control systems, (5) integration with the ECLIPSE platform, and (6) MOF-based integration of system (re-) engineering tools. International Community According to our knowledge, quite a number of research groups have also chosen Fujaba as a platform for UML and MDA related research activities. In addition, quite a number of Fujaba users send requests for more functionality and extensions. Therefore, the 7th International Fujaba Days aimed at bringing together Fujaba developers and Fujaba users from all over the world to present their ideas and projects and to discuss them with each other and with the Fujaba core development team

Fujaba days 2009 : proceedings of the 7th international Fujaba days, Eindhoven University of Technology, the Netherlands, November 16-17, 2009

Fujaba is an Open Source UML CASE tool project started at the software engineering group of Paderborn University in 1997. In 2002 Fujaba has been redesigned and became the Fujaba Tool Suite with a plug-in architecture allowing developers to add functionality easily while retaining full control over their contributions. Multiple Application Domains Fujaba followed the model-driven development philosophy right from its beginning in 1997. At the early days, Fujaba had a special focus on code generation from UML diagrams resulting in a visual programming language with a special emphasis on object structure manipulating rules. Today, at least six rather independent tool versions are under development in Paderborn, Kassel, and Darmstadt for supporting (1) reengineering, (2) embedded real-time systems, (3) education, (4) specification of distributed control systems, (5) integration with the ECLIPSE platform, and (6) MOF-based integration of system (re-) engineering tools. International Community According to our knowledge, quite a number of research groups have also chosen Fujaba as a platform for UML and MDA related research activities. In addition, quite a number of Fujaba users send requests for more functionality and extensions. Therefore, the 7th International Fujaba Days aimed at bringing together Fujaba developers and Fujaba users from all over the world to present their ideas and projects and to discuss them with each other and with the Fujaba core development team

Model-based Safety and Security Co-analysis: a Survey

We survey the state-of-the-art on model-based formalisms for safety and security analysis, where safety refers to the absence of unintended failures, and security absence of malicious attacks. We consider ten model-based formalisms, comparing their modeling principles, the interaction between safety and security, and analysis methods. In each formalism, we model the classical Locked Door Example where possible. Our key finding is that the exact nature of safety-security interaction is still ill-understood. Existing formalisms merge previous safety and security formalisms, without introducing specific constructs to model safety-security interactions, or metrics to analyze trade offs

Software architectural risk assessment

Risk assessment is an essential part of the software development life cycle. Performing risk analysis early in the life cycle enhances resource allocation decisions, enables us to compare alternative software architectural designs and helps in identifying high-risk components in the system. As a result, remedial actions to control and optimize the process and improve the quality of the software product can be taken. In this thesis we investigate two types of risk---reliability-based and performance-based risk. The reliability-based risk assessment takes into account the probability of the failures and the severity of failures. For the reliability-based risk analysis we use UML models of the software system, available early in the life cycle to come up with the risk factors of the scenarios and use cases. For each scenario we construct a Markov model to assess the risk factors of the scenarios and its risk distribution among the various classes of severity. Then we investigate both independent use cases and use cases with relationships, while obtaining the system-level risk factors. (Abstract shortened by UMI.)