52 research outputs found
Probabilistic Model-Based Safety Analysis
Model-based safety analysis approaches aim at finding critical failure
combinations by analysis of models of the whole system (i.e. software,
hardware, failure modes and environment). The advantage of these methods
compared to traditional approaches is that the analysis of the whole system
gives more precise results. Only a few model-based approaches have been applied
to answer quantitative questions in safety analysis, and these are often limited to
specific failure propagation models or to limited types of failure modes, or they
omit system dynamics and behaviour, because direct quantitative analysis uses
large amounts of computing resources. New achievements in the domain of
(probabilistic) model checking now make it possible to overcome this problem.
This paper shows how functional models based on synchronous parallel
semantics, which can be used for system design, implementation and qualitative
safety analysis, can be directly re-used for (model-based) quantitative safety
analysis. Accurate modeling of different types of probabilistic failure
occurrence is shown as well as accurate interpretation of the results of the
analysis. This allows for a reliable and expressive assessment of the safety of a
system in early design stages.
Analysis of a Technical Description of the Airbus A320 Braking System
We analyse the description of the operation of the Airbus A320 braking systems contained in the Flight Crew Operating Manual. We use the predicate-action diagrams of Lamport to express and to complete the description, and give reasons why such a more rigorous expression is preferable. 1. Introduction On September 14th, 1993, an Airbus A320 landed at Warsaw Airport in Poland in a thunderstorm. It overran the end of the runway, surmounted an earth bank, and came to rest on the other side. Two people died and others were injured in this accident [FI.93a, FI.93b, FI.93c, FI.93d, FI.93e]. This paper analyses the specification of the A320 braking system contained in the Flight Crew Operating Manual [FCOM]. Airplanes are procedurally-oriented machines. Manufacturers devise ways in which they shall be flown as part of the certification process, and descriptions of these methods, as well as descriptions of the system design, are required documentation on every aircraft that flies [FAR, Part ..
EMI, TWA 800 and Swissair 111
We refute Elaine Scarry’s contentions, published in the New York Revie
The Crash of AA587: A Guide
1 The Accident
some wake turbulence from a preceding aircraft on climb-out from JFK airport, New York, in 2001. During the second wake turbulence encounter, the rudder underwent five full deflections in alternating directions in about seven seconds, and the vertical stabiliser (the fin at the back of the aircraft) broke off at its root due to overload. Control of the aircraft was immediately lost and it crashed into houses in the Belle Harbor area of New York City, in the borough of Queens, killing over 250 people on board and five people on the ground. The US National Transportation Safety Board (NTSB) held its public hearing on the crash of AA587 (which occurred on November 12, 2001) on October 26, 2004. Such a public hearing consists more or less of a presentation of a draft of the final report, in particular its conclusions (Findings, determination of probable cause and contributing factors, Recommendations), followed by comments from attendees. The NTSB's preparatory work and presentations at the hearing were summarised in [DF04, Fio04]. This note considers some of the technical and sociotechnical aspects of th
Using The Temporal Logic of Actions: A Tutorial on TLA Verification
Buffer with Operations. How does this fit together? The concrete buffer simulates the abstract buffer, and we shall prove that. Simulation means that
- they start in `equivalent' states;
- every action of the concrete buffer corresponds either to an action or to a non-action (stuttering step) of the abstract buffer;
- when the concrete buffer is sufficiently `live', then the abstract buffer actually does some desired action.
This method of state machine simulation is common to many verification methods, for example
- the TLA of Lamport;
- the Input/Output automata of Tuttle, Lynch and Vaandrager (e.g. [Vaa]);
- the method of Lam and Shankar (e.g. [LS84]), which is also TL-based.
An alternative is to have actions only; then the operation of the system is an abstract machine simulation, but not a state machine simulation, since one doesn't have state. This is the set-up in process algebra. But one ends up with state anyway: most process algebras have a way of defining state. How does one specify the ..
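The simulation argument sketched above can be checked mechanically for a finite instance. The following is an added example, not code from the tutorial: it assumes a concrete buffer implemented as a ring of CAP = 3 slots with a head index and an element count, an abstract buffer that is simply the tuple of queued values, and a data alphabet of {0, 1} to keep the state space finite. The refinement mapping abs_of views each concrete state as an abstract queue; the checker explores every reachable concrete state and verifies that the initial states are equivalent and that every concrete Put or Get step maps to an abstract step with the same label or to a stuttering step. A deliberately wrong Get (constructed here, taking the newest element instead of the oldest) shows the check failing.

```python
from collections import deque

CAP = 3          # ring-buffer capacity (assumption for this example)
VALUES = (0, 1)  # small data alphabet so the state space is finite (assumption)

# --- abstract buffer: the state is the tuple of queued values, oldest first ---
def abs_initial():
    return ()

def abs_steps(q):
    """All (label, next_state) pairs the abstract buffer can take from q."""
    steps = set()
    if len(q) < CAP:
        for v in VALUES:
            steps.add((("Put", v), q + (v,)))
    if q:
        steps.add((("Get", q[0]), q[1:]))
    return steps

# --- concrete buffer: (slots, head, count) over a fixed array of CAP slots ---
def con_initial():
    return ((None,) * CAP, 0, 0)

def con_put(state, v):
    """Put v at the slot after the last element; None if not enabled (full)."""
    slots, head, count = state
    if count == CAP:
        return None
    idx = (head + count) % CAP
    return (slots[:idx] + (v,) + slots[idx + 1:], head, count + 1)

def con_get_fifo(state):
    """Correct Get: returns (next_state, value), removing the oldest element."""
    slots, head, count = state
    if count == 0:
        return None
    return ((slots, (head + 1) % CAP, count - 1), slots[head])

def con_get_lifo(state):
    """Constructed bug for illustration: removes the newest element instead."""
    slots, head, count = state
    if count == 0:
        return None
    idx = (head + count - 1) % CAP
    return ((slots, head, count - 1), slots[idx])

def abs_of(state):
    """Refinement mapping: read the live slots from head onwards as a queue."""
    slots, head, count = state
    return tuple(slots[(head + i) % CAP] for i in range(count))

def con_steps(state, get):
    """All (label, next_state) pairs of the concrete buffer from state."""
    steps = []
    for v in VALUES:
        nxt = con_put(state, v)
        if nxt is not None:
            steps.append((("Put", v), nxt))
    got = get(state)
    if got is not None:
        nxt, val = got
        steps.append((("Get", val), nxt))
    return steps

def check_simulation(get=con_get_fifo):
    """Explicit-state simulation check.

    Breadth-first exploration of every reachable concrete state; each concrete
    step (s -label-> t) must satisfy: abs_of(t) == abs_of(s) (a stuttering step
    of the abstract buffer) or (label, abs_of(t)) is an abstract step from
    abs_of(s). Returns the list of violations (empty means the concrete buffer
    simulates the abstract one on this finite instance).
    """
    violations = []
    init = con_initial()
    if abs_of(init) != abs_initial():
        violations.append(("init", None, init))
    seen = {init}
    work = deque([init])
    while work:
        s = work.popleft()
        a = abs_of(s)
        for label, t in con_steps(s, get):
            a2 = abs_of(t)
            if a2 != a and (label, a2) not in abs_steps(a):
                violations.append((s, label, t))
            if t not in seen:
                seen.add(t)
                work.append(t)
    return violations

if __name__ == "__main__":
    print("FIFO ring buffer violations:", check_simulation(con_get_fifo))
    print("LIFO (buggy) violations:", len(check_simulation(con_get_lifo)))
```

Note that this only checks the first two simulation conditions (equivalent initial states, and every concrete step maps to an abstract step or a stutter); the liveness condition needs a fairness assumption on the concrete buffer and is not a safety property that finite reachability alone can settle.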
Airbus A320 Braking as Predicate-Action Diagrams
We use the Predicate-Action Diagrams of Lamport to express the description of the operation of the Airbus A320 braking systems contained in the Flight Crew Operating Manual. This helps identify ambiguities and incompleteness. 1 Introduction On September 14th, 1993, a Lufthansa Airbus A320 landed at Warsaw Airport in Poland in a thunderstorm. It overran the end of the runway, surmounted an earth bank, and came to rest on the other side. Two people died and others were injured in this accident, which began to interest us and others in the design of the A320 braking system [FI.93a, FI.93b, FI.93c]. This paper analyses the specification of the A320 braking system contained in the Flight Crew Operating Manual [FCOM], and rewrites it in Predicate-Action Diagrams of Lamport [Lam94b]. A fuller version of this work containing an analysis is [Lad95]. Flight crew should have a complete, accurate high-level specification of system operation from which to work. This may be provided using predicate..