
    Model-based dependability analysis : state-of-the-art, challenges and future outlook

    Abstract: Over the past two decades, the study of model-based dependability analysis has gathered significant research interest. Different approaches have been developed to automate and address various limitations of classical dependability techniques, to contend with the increasing complexity and challenges of modern safety-critical systems. Two leading paradigms have emerged: one constructs predictive system failure models from component failure models compositionally, using the topology of the system; the other utilizes design models, typically state automata, to explore system behaviour through fault injection. This paper reviews a number of prominent techniques under these two paradigms, and provides an insight into their working mechanism, applicability, strengths and challenges, as well as recent developments within these fields. We also discuss the emerging trends on integrated approaches and advanced analysis capabilities. Lastly, we outline the future outlook for model-based dependability analysis.

    Model synchronization: a formal framework for the management of heterogeneous models

    In this article, we present the conceptual foundations and implementation principles of model synchronization, a formal framework for the management of heterogeneous models. The proposed approach relies on S2ML (System Structure Modeling Language) as a pivot language. We show, by means of a case study, that model synchronization can be used to ensure the consistency between system architecture models designed with Capella and safety models written in AltaRica 3.0.

    Engineering failure analysis and design optimisation with HiP-HOPS

    The scale and complexity of computer-based safety-critical systems, like those used in the transport and manufacturing industries, pose significant challenges for failure analysis. Over the last decade, research has focused on automating this task. In one approach, predictive models of system failure are constructed from the topology of the system and local component failure models using a process of composition. An alternative approach employs model-checking of state automata to study the effects of failure and verify system safety properties. In this paper, we discuss these two approaches to failure analysis. We then focus on Hierarchically Performed Hazard Origin & Propagation Studies (HiP-HOPS), one of the more advanced compositional approaches, and discuss its capabilities for automatic synthesis of fault trees, combinatorial Failure Modes and Effects Analyses, and reliability versus cost optimisation of systems via application of automatic model transformations. We summarise these contributions and demonstrate the application of HiP-HOPS on a simplified fuel oil system for a ship engine. In light of this example, we discuss strengths and limitations of the method in relation to other state-of-the-art techniques. In particular, because HiP-HOPS is deductive in nature, relating system failures back to their causes, it is less prone to combinatorial explosion and can more readily be iterated. For this reason, it enables exhaustive assessment of combinations of failures and design optimisation using computationally expensive meta-heuristics. (C) 2010 Elsevier Ltd. All rights reserved.

    Characterizing the Identity of Model-based Safety Assessment: A Systematic Analysis

    Model-based safety assessment (MBSA) has been one of the leading research thrusts of the System Safety Engineering community for over two decades. However, there is still a lack of consensus on what MBSA is. The ambiguity in the identity of MBSA impedes the advancement of MBSA as an active research area. For this reason, this paper aims to investigate the identity of MBSA to help achieve a consensus across the community. Towards this end, we first reason about the core activities that an MBSA approach must conduct. Second, we characterize the core patterns in which the core activities must be conducted for an approach to be considered MBSA. Finally, a recently published MBSA paper is reviewed to test the effectiveness of our characterization of MBSA.

    A Model based Safety Assessment for Multirotors

    Unmanned Aerial Vehicles (UAVs) must be safe and reliable to prevent fatal accidents in densely populated areas. This research makes the first steps to create a framework which can integrate safety and reliability considerations in the design process. The conceptual design process should consider creating design models coupling sizing with system architecture. Additionally, the multirotor has safety challenges arising from the propulsor configuration: it loses flight control and shows erroneous flight behaviour when propulsors fail. Hence, the design models of multirotors should also incorporate a controllability assessment method to identify and isolate uncontrollable events. For this purpose, an appropriate tool should be considered to create such design models. A combination of OpenAltarica, System Analyst and Python is used to create design models of multirotors in a model-based safety assessment framework. These models are developed by integrating system architecture and controllability assessment following the conventions of the process. A case study is used to validate the framework and to demonstrate its ability to explore innovative designs. The reliability analysis confirms that the multirotors are fault-tolerant except for the quadrotor, and that some configurations are potentially highly reliable. The results demonstrate the feasibility of the multirotor system modelling methods in terms of reliability and pave the way to further develop the model-based safety assessment framework with sizing methodologies. The models can also be further enhanced with the addition of a component fault library, additional failure modes, and implementation of diagnosability analysis and fault detection and identification analysis. Fault libraries and failure modes can help in foreseeing uncontrollable cases. In turn, diagnosability analysis and fault detection and identification analysis can integrate detect, isolate and recover mechanisms, and ensure effective redundancy optimization. Additionally, the framework should also be combined with multidisciplinary design optimization for sizing. Such design models can contribute to the emergence of UAVs for safety-critical applications.

    Automatic Generation of RAMS Analyses from Model-based Functional Descriptions using UML State Machines

    In today's industrial practice, safety, reliability or availability artifacts such as fault trees, Markov models or FMEAs are mainly created manually by experts, often distinctly decoupled from systems engineering activities. Significant effort, cost and time are required to conduct the necessary analyses. In this paper, we describe a novel integrated model-based approach to systems engineering and dependability analyses. The behavior of system components is specified by UML state machines that define both intended (correct) and undesired (faulty) behavior. Based on this information, our approach automatically generates different dependability analyses in the form of fault trees. Hence, alternative system layouts can easily be evaluated. The same applies to simple variations of the logical input-output relations of logical units such as controllers. We illustrate the feasibility of our approach with the help of simple examples using a prototypical implementation of the presented concepts.

    An overview of fault tree analysis and its application in model based dependability analysis

    Fault Tree Analysis (FTA) is a well-established and well-understood technique, widely used for dependability evaluation of a wide range of systems. Although many extensions of fault trees have been proposed, they suffer from a variety of shortcomings. In particular, even where software tool support exists, these analyses require a lot of manual effort. Over the past two decades, research has focused on simplifying dependability analysis by looking at how we can synthesise dependability information from system models automatically. This has led to the field of model-based dependability analysis (MBDA). Different tools and techniques have been developed as part of MBDA to automate the generation of dependability analysis artefacts such as fault trees. Firstly, this paper reviews the standard fault tree with its limitations. Secondly, different extensions of standard fault trees are reviewed. Thirdly, this paper reviews a number of prominent MBDA techniques where fault trees are used as a means for system dependability analysis and provides an insight into their working mechanism, applicability, strengths and challenges. Finally, the future outlook for MBDA is outlined, which includes the prospect of developing expert and intelligent systems for dependability analysis of complex open systems under conditions of uncertainty.

    Computing Safety Indicators by Automatic Generation of Partial Markov Chains (Calcul des indicateurs de sûreté par la génération automatique de chaînes de Markov partielles)

    Trustworthiness in systems is of paramount importance. Among safety modeling languages, Markov chains are a good tradeoff between the safety concepts that can be modeled and the ease of calculation. However, as they model the different states of the system, they suffer from state space explosion. This explosion has two drawbacks: it makes Markov chains very difficult to write by hand for large systems, and calculation on large Markov chains is resource consuming. The first drawback is easily tackled by generating Markov chains from higher-level languages (such as AltaRica 3.0). In this thesis, we focused on the partial generation of Markov chains, to tackle the state space explosion of the models. This idea is based on the observation that even large repairable systems spend most of their time in a small number of states that are close to the nominal state of the system. The partial generation is based on Dijkstra's algorithm and on a so-called relevance factor to generate only the most probable states of the Markov chain. The reliability indicators obtained with such a partial chain can be bounded with a slightly different Markov chain. The partial generation method is fully implemented in the AltaRica 3.0 project to automatically calculate the reliability indicators of a system modeled in AltaRica. Different experiments illustrate the practicability of the method, as well as its strengths and weaknesses.

    Trust in complex systems is paramount today. Among languages for modelling the dysfunctional behaviour of systems, Markov chains are a good compromise between the computability of the models and the expressive power they provide. However, because Markov chains account for the different states of the system, their size is subject to combinatorial explosion. This explosion raises two major obstacles: the difficulty of writing chains for large systems by hand, and the computational resources needed to solve them. The first obstacle is easily overcome by compiling Markov chains from a higher-level model (in this work, AltaRica 3.0 is used). In this thesis, we focused on the partial generation of Markov chains in order to overcome the combinatorial explosion problem. The method is based on the observation that repairable systems, even the largest ones, spend their time in a small number of states close to the nominal state of the system. Partial generation uses Dijkstra's algorithm combined with a relevance factor that selects the most probable states of the system. The values of the safety indicators obtained with the partial chain can be bounded by introducing a partial chain with a sink. The partial generation method is fully implemented and is part of the AltaRica 3.0 project. It is thus possible to compute the safety indicators of systems directly from an AltaRica model. Various experiments were conducted to illustrate the feasibility of the method, its scalability, and its strengths and limitations.

    Towards Efficient Generation of Dependability Analyses in the Context of ISO 26262 Deployment (Vers une Génération Efficace d'Analyses de Sûreté de Fonctionnement dans le Cadre du Déploiement de l'ISO 26262)

    Cars embed a steadily increasing number of electric and electronic systems. The ISO 26262 standard discusses at length the requirements that these systems must follow in order to guarantee their functional safety. One of the means at hand to ensure the safety of automotive systems is to perform safety analyses. During these analyses, practitioners perform FTA and FMEDA in order to evaluate the "trust" that we have in a system. As large quantities of data are handled in those analyses, it would be of great help for practitioners to be able to efficiently generate part of this data and check its consistency. This manuscript is the result of a thesis on this subject. It focuses on the formalization of the data handled during the safety analyses in order to propose an efficient methodology for their generation. It presents the different works done, from the proposal of formal models for representing the behavior of safety-related elements to the design and implementation of a process for consistent FMEDA generation based on fault tree patterns.

    The complexity and criticality of automotive embedded electronic systems are constantly increasing. A new standard on automotive functional safety (ISO 26262) establishes a framework and defines requirements on the systems concerned in order to guarantee their safety. One of the means of verifying the safety of these systems is to carry out so-called dependability analyses. During these analyses, practitioners perform FTA and FMEDA analyses in order to evaluate the robustness and safety of these systems. In doing so, practitioners handle an ever-larger volume of data, which has created the need for a way to generate part of this data efficiently and to check its consistency. In this manuscript, we detail the work we carried out on this subject, focusing mainly on the formalization of the data handled during dependability analyses in order to propose an efficient method for their generation. We present the various works carried out, from the proposal of formal models for representing the dysfunctional behaviour of "safety-related elements" to the design and implementation of a process for generating consistent FMEDAs from fault trees.

    Preliminary Hazard Analysis Generation Integrated with Operational Architecture - Application to Automobile

    Abstract. We are witnessing the evolution of standards (such as the functional safety standard) and increasing complexity. This requires performing safety studies efficiently and earlier, in the context of Model-Based System Engineering. So, in this article, we propose an evolution of the Preliminary Hazard Analysis (PHA) method in order to comply with the overall safety requirements in the automotive domain. To demonstrate its usefulness, we apply this method to an industrial case concerning the hazard analysis of unintended acceleration of a vehicle.