Model based safety analysis overview l.jpg
This presentation is the property of its rightful owner.
Sponsored Links
1 / 49

Model-Based Safety Analysis Overview PowerPoint PPT Presentation


  • 437 Views
  • Updated On :
  • Presentation posted in: General

Model-Based Safety Analysis Overview. Dr. Steven P. Miller Dr. Mats P. E. Heimdahl Advanced Computing Systems Rockwell Collins 400 Collins Road NE, MS 108-206 Cedar Rapids, Iowa 52498 [email protected] Outline of Presentation. Motivation Proposed Approach Demonstration

Download Presentation

Model-Based Safety Analysis Overview

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Model based safety analysis overview l.jpg

Model-Based Safety AnalysisOverview

Dr. Steven P. Miller

Dr. Mats P. E. Heimdahl

Advanced Computing Systems

Rockwell Collins

400 Collins Road NE, MS 108-206

Cedar Rapids, Iowa 52498

[email protected]


Outline of presentation l.jpg

Outline of Presentation

Motivation

Proposed Approach

Demonstration

Analysis

What’s Next


Motivation l.jpg

Motivation

Requirements and

Design Documents

Safety

Analyst A

Safety

Analyst B

System Safety Analysis is

- Based on Informal Specifications

- Highly Dependent on Skill of the Analyst


Model based development l.jpg

Model-Based Development

Why Not the

Safety Analysis?

We Base the Entire

Development Cycle

Around the Model


Model based safety analysis l.jpg

Model-Based Safety Analysis

Green Pump

Blue Pump

Isolation Valve

Isolation Valve

Power A

System

A

Selector Valve

Pedal 1

Shut

Normal

A

Accumulator

N

Plant

System

L

O

Valve

Feed back

T

R

M

E

Accumulator

A

System

B

Pedal 2

R

Pump

L

N

Power B

AntiSkid

A

Meter

Valve

Mechanical

Command

T

Pedal

E

Braking

+

Meter

Fault Tolerant

Meter

AntiSkid

Valve

Valve

Braking System

Command

Control Unit

Plant

Model

( BSCU )

  • Add Fault Model for Physical System

  • Model the Digital Controller Architecture

and the Physical System

and Digital Controller Architecture

  • Integrates System and Safety Engineering About a Common Model

  • Automation Enables “What-If” Consideration of System Designs


Advantages l.jpg

Advantages

  • Common Model for Both System and Safety Engineering

  • Safety Analysis Based on a Formal System Model

    • Facilitates Consistency in Safety Analysis

    • Facilitates Completeness of Safety Analysis

  • Reduced Manual Effort in Error-prone Areas

    • Automated Support for Safety Analysis

    • Explore Various Failure Scenarios

  • Focus on Review on Assumptions in the Models

    • Is the System Model Correct?

    • Is the Fault Model Complete?

    • Assume the (Automated) Analysis is Trustworthy


Outline of presentation7 l.jpg

Outline of Presentation

Motivation

Proposed Approach

Demonstration

Analysis

What’s Next


Traditional safety analysis process l.jpg

Traditional Safety Analysis Process

Safety analysis performed as an integral part of theiterative system development process (Requirements, Architecture, Design)

Verify that the implemented system satisfies the safety requirements and develop certification documents


Model based safety analysis9 l.jpg

Model-Based Safety Analysis

Incremental development

of the system model.

Automated replay of

safety analysis as

the system is changed.

Support for automated

safety analysis.

Safety analysis performed as an integral part of theiterative system development process (Requirements, Architecture, Design)

Verify that the implemented system satisfies the safety requirements and develop certification documents


Creation of nominal system model l.jpg

Creation of Nominal System Model

Library of Common Mechanical Components

Green Pump

Blue Pump

Model of the Digital System

Isolation Valve

Isolation Valve

Power A

Power A

System

A

Selector Valve

Pedal 1

Pedal 1

Shut

Normal

A

Accumulator

N

Plant

Plant

System

L

O

Valve

Feed back

Feed back

T

R

M

E

Accumulator

A

System

B

System

B

Pedal 2

Pedal 2

R

Pump

L

N

Power B

Power B

AntiSkid

A

Meter

Valve

Mechanical

Command

T

Pedal

E

Braking

+

Meter

Fault Tolerant

Fault Tolerant

Meter

AntiSkid

Valve

Valve

Braking System

Braking System

Command

Control Unit

Control Unit

Plant

Model

( BSCU )

( BSCU )

Model of the Digital System +

Model of the Mechanical System

Verify safety properties of the nominal digital system

Verify safety properties of the nominal system


Creation of the fault model l.jpg

Creation of the Fault Model

Green Pump

Blue Pump

Library of Common Failure Modes

Isolation Valve

Isolation Valve

Power A

System

A

Selector Valve

Pedal 1

Shut

Normal

A

Accumulator

N

Plant

System

L

O

Valve

Feed back

T

R

M

E

Accumulator

A

System

B

Pedal 2

R

Pump

L

N

Power B

AntiSkid

A

Meter

Valve

Mechanical

Command

T

Pedal

E

Braking

+

Meter

Fault Tolerant

Meter

AntiSkid

Valve

Valve

Braking System

Command

Control Unit

Plant

Model

( BSCU )

System Architecture

Fault Model


Automated safety analysis l.jpg

Automated Safety Analysis

Green Pump

Blue Pump

Isolation Valve

Isolation Valve

Formalized

Safety Requirements

+

Power A

System

A

Selector Valve

Pedal 1

Shut

Normal

A

Accumulator

N

Plant

System

L

O

Valve

Feed back

T

R

M

E

Accumulator

Simulation

A

System

B

Pedal 2

R

Pump

L

N

Power B

AntiSkid

A

Meter

Valve

Mechanical

Command

T

Pedal

E

Braking

+

Meter

Fault Tolerant

Meter

AntiSkid

Valve

Valve

Braking System

Command

Control Unit

Plant

Model

( BSCU )

Auto-generation of Fault Trees

Proofs of Safety Properties


Auto generation of fault trees l.jpg

Auto-generation of Fault Trees

  • Easy to Generate Two-Level Fault Trees

    • Minimal Cut Sets of Events that Can Cause a Hazard

    • Two Levels Deep and a Mile Wide

  • Harder to Generate Useful Fault Trees

    • Intermediate Levels Reflect System Architecture

    • Essential for Acceptance by Safety Engineers


Proof of safety properties l.jpg

Proof of Safety Properties

  • Mathematical Proof

    • Avoids Mile Wide Problem with Fault Trees

    • User Guides the Proof Structure to Reflect the System Architecture

  • Used For Backward Search

    • Proof will Expose All Minimal Cut Sets of Events

    • Extend Fault Model to Rule Out Acceptable Minimal Cut Sets

    • Repeat Until Proof is Completed


Correspondence between fault trees and proof trees l.jpg

Correspondence Between Fault Trees and Proof Trees

Complements w.r.t. each other


Summary model based safety analysis l.jpg

Summary – Model-Based Safety Analysis

  • Integrates System and Safety Engineering About a Common Model

  • Automated Analysis of System Safety Properties

  • Makes Safety Analysis More Systematic and Repeatable

  • Shifts Focus from Component to Architectural Models

  • Reduces the Workload of Safety Engineers

    • Automates More of the Safety Analysis

    • Eliminates the Need to Review the Analysis

    • Focus on Review of the System Model and the Fault Model


Challenges for future research l.jpg

Challenges for Future Research

  • Fault Models

    • What is a Fault Model? How Do We Represent It?

  • Merging the Fault Model and the Nominal Model

    • Aspect Orientation and Aspect Weaving?

  • Stating Safety Properties

    • Simple Safety Properties are Often Difficult to State Formally

    • Do We Need a New Language for Safety Properties?

  • Presentation of the Analysis

    • Fault Trees Need to Reflect the System Architecture

  • Scalability

    • Analysis of Complex, Asynchronous, System Models

  • Technology Transfer

    • Need a Gradual Evolution from Existing Practices


Model based safety analysis demonstration l.jpg

Model-Based Safety AnalysisDemonstration

Dr. Mats P. E. Heimdahl

University of Minnesota

[email protected]

Dr. Steven P. Miller

Advanced Computing Systems

Rockwell Collins

[email protected]


Outline of presentation19 l.jpg

Outline of Presentation

Motivation

Proposed Approach

Demonstration

Analysis

What’s Next


Model based safety analysis20 l.jpg

Model-Based Safety Analysis

Green Pump

Blue Pump

Isolation Valve

Isolation Valve

Power A

System

A

Selector Valve

Pedal 1

Shut

Normal

A

Accumulator

N

Plant

System

L

O

Valve

Feed back

T

R

M

E

Accumulator

A

System

B

Pedal 2

R

Pump

L

N

Power B

AntiSkid

A

Meter

Valve

Mechanical

Command

T

Pedal

E

Braking

+

Meter

Fault Tolerant

Meter

AntiSkid

Valve

Valve

Braking System

Command

Control Unit

Plant

Model

( BSCU )

  • Add Fault Model for Physical System

  • Model the Digital Controller Architecture

and the Physical System

and Digital Controller Architecture

  • Integrates System and Safety Engineering About a Common Model

  • Automation Enables “What-If” Consideration of System Designs


Automated safety analysis21 l.jpg

Automated Safety Analysis

Green Pump

Blue Pump

Isolation Valve

Isolation Valve

Formalized

Safety Requirements

+

Power A

System

A

Selector Valve

Pedal 1

Shut

Normal

A

Accumulator

N

Plant

System

L

O

Valve

Feed back

T

R

M

E

Accumulator

Simulation

A

System

B

Pedal 2

R

Pump

L

N

Power B

AntiSkid

A

Meter

Valve

Mechanical

Command

T

Pedal

E

Braking

+

Meter

Fault Tolerant

Meter

AntiSkid

Valve

Valve

Braking System

Command

Control Unit

Plant

Model

( BSCU )

Auto-generation of Fault Trees

Proofs of Safety Properties


Wheel brake system wbs example arp 4761 l.jpg

Wheel Brake System (WBS) Example ARP 4761

  • Proof of Concept

    • Concrete Demonstration of Main Ideas

  • Modeling and Analysis Using Existing Tools

    • Simulink for Modeling the System

    • NuSMV, Prover, and PVS for Analyzing the System

  • Why the Wheel Brake System?

    • ARP 4761 - Guidelines and Methods for Conducting the Safety Assessment Process on Civil Airborne Systems and Equipment

    • Familiar Example to Safety Engineers

    • Benchmark our Results Against ARP-4761 Safety Analysis

    • Small but Complex Enough to Capture Interesting Behaviors


Wheel brake system l.jpg

Wheel Brake System

WBS is Composed of

  • Two Redundant Hydraulic Lines : Normal & Alternate

  • Hydraulic Pumps

  • Number of Hydraulic Valves

  • Braking System Control Unit (BSCU)

    BSCU is Composed of

  • Two Command Units Compute Braking and Antiskid Commands

  • Two Monitors Check Validity of the Associated Command Units

  • BSCU is Valid if One of the Command Unit is Valid

Figure borrowed from ARP 4761


Normal alternate hydraulic lines l.jpg

Normal & Alternate Hydraulic Lines

  • Normal Hydraulic line

    • Main System Supplying Braking Pressure to the Wheel

    • BSCU Provides Braking and Antiskid Commands

  • Alternate Hydraulic Line

    • Braking Achieved Manually Via Mechanical Pedal

    • BSCU Provides Antiskid Command

  • Switch-over from Normal to Alternate Line When

    • Green Pump or Any Component along Normal Line Fails or

    • BSCU Becomes Invalid

  • Selector and Isolation Valves Used for the Switch-over

  • Alternate Line Stays Active Until WBS System is Reset


Add wbs failure modes to nominal model l.jpg

Add WBS Failure Modes to Nominal Model

Manually Extended the Nominal Model with Failure Modes

  • Hydraulic Failure Modes

    • Pumps

      • Pressure Below Threshold (X)

    • Valves

      • Stuck at Closed/Open (S)

  • Digital System Failure Modes

    • Monitor Unit

      • Output Inverted (I)

    • Command Unit

      • Output Stuck (O)

    • Power Failure

      • Loss of Power (L)

L

L

X

X

I

I

S

S

S

X

O

O

S

S

S


Outline of presentation26 l.jpg

Outline of Presentation

Motivation

Proposed Approach

Demonstration

Analysis

What’s Next


Wbs model based safety analysis l.jpg

WBS Model-Based Safety Analysis


Verified safety properties in nominal model l.jpg

Verified Safety Properties in Nominal Model

  • Safety Requirement from ARP 4761

    • Loss of All Wheel Braking (Unannunciated or Annunciated) During Landing or RTO Shall Be Less Than 5*10-7 Per Flight

  • Revised Safety Requirement

    • When the Pedal Is Pressed, Then Either the Normal or the Alternate Pressure Shall Be Above Threshold

  • Formalized in NuSMV as

    DEFINE Pedal_Pressed = (PedalPos > 0 & PedalPos < 5)

    SPEC AG (Pedal_Pressed ->

    (Normal_Pressure > 0 | Alternate_Pressure > 0))

  • Second Revised Safety Requirement

    • When the Pedal Is Pressed and There Is No Skidding, Then Either the Normal or the Alternate Pressure Should Be Above Threshold

  • Formalized in NuSMV as

    DEFINE Pedal_Pressed = (PedalPos > 0 & PedalPos < 5)

    SPEC AG ((Pedal_Pressed & !Skid) ->

    (Normal_Pressure > 0 | Alternate_Pressure > 0))

  • Verified on the Nominal Simulink Model Using NuSMV


Safety properties l.jpg

Safety Properties

  • Example Safety Property

    If There Is One Failure and the Pedal Is Pressed in Absence of Skidding, Then Either the Normal Pressure or the Alternate Pressure Shall Be Above the Threshold

  • Transient Failures

    • Failures May Last an Arbitrary Time Before Recovery of the Component

    • Failures Triggers Are Non-deterministic Inputs and Inherently Transient

  • Permanent Failures

    • Failures Are Permanent, a Failed Component Never Recovers

    • Latch Fault Trigger Inputs to Simulate Permanent Failure

  • Simultaneous Failures

    • Count the Number of Active Fault Triggers


Fault tolerance verification l.jpg

Fault Tolerance Verification

Green Pump

Blue Pump

Isolation Valve

Isolation Valve

Power A

System

A

Selector Valve

Pedal 1

Shut

Normal

A

Accumulator

N

Plant

System

L

O

Valve

Feed back

T

R

M

E

Accumulator

A

System

B

Pedal 2

R

Pump

L

N

Power B

AntiSkid

A

Meter

Valve

Mechanical

Command

T

Pedal

E

Braking

+

Meter

Fault Tolerant

Meter

AntiSkid

Valve

Valve

Braking System

Command

Control Unit

Plant

Model

( BSCU )

Transient Failures

  • If There Is One Failure and the Pedal Is Pressed in Absence of Skidding, Then Either the Normal Pressure or the Alternate Pressure Shall Be Above the Threshold

    SPEC AG((NumFails = 1 & Pedal_Pressed & !Skid) ->

    (Normal_Pressure > 0 | Alternate_Pressure > 0))

  • Several Steps May be Needed to Detect and Respond to Some Failures

    SPEC AG((NumFails = 1 & Pedal_Pressed & !Skid) –>

    AX((NumFails = 1 & Pedal_Pressed & ! Skid) –>

    AX ((NumFails = 1 & Pedal_Pressed & !Skid) ->

    (Normal_Pressure > 0 | Alternate_Pressure > 0))))

X

X


Fault tolerance verification31 l.jpg

Fault Tolerance Verification

Green Pump

Blue Pump

Isolation Valve

Isolation Valve

Power A

System

A

Selector Valve

Pedal 1

Shut

Normal

A

Accumulator

N

Plant

System

L

O

Valve

Feed back

T

R

M

E

Accumulator

A

System

B

Pedal 2

R

Pump

L

N

Power B

AntiSkid

A

Meter

Valve

Mechanical

Command

T

Pedal

E

Braking

+

Meter

Fault Tolerant

Meter

AntiSkid

Valve

Valve

Braking System

Command

Control Unit

Plant

Model

( BSCU )

Permanent Failures

  • Holds for One Permanent Failure

    SPEC AG((NumFails = 1 & Pedal_Pressed & !Skid) –>

    AX((NumFails = 1 & Pedal_Pressed & ! Skid) –>

    AX ((NumFails = 1 & Pedal_Pressed & !Skid) ->

    (Normal_Pressure > 0 | Alternate_Pressure > 0))))


Fault trees and proof trees revisited l.jpg

Fault Trees and Proof Trees Revisited

Complements w.r.t. each other


Wbs pvs proof tree l.jpg

WBS PVS Proof Tree

Green Pump

Blue Pump

Isolation Valve

Isolation Valve

Power A

System

A

Selector Valve

Pedal 1

Shut

Normal

A

Accumulator

N

Plant

System

L

O

Valve

Feed back

T

R

M

E

Accumulator

A

System

B

Pedal 2

R

Pump

L

N

Power B

AntiSkid

A

Meter

Valve

Mechanical

Command

T

Pedal

E

Braking

+

Meter

Fault Tolerant

Meter

AntiSkid

Valve

Valve

Braking System

Command

Control Unit

Plant

Model

( BSCU )

Prop :

{-1} 0 < PedalPos1(s!1)

|-------

{1} Skid(s!1)

{2} 0 < FM_WBS_Ext_BSCU_Node_Fault.Normal_Pressure(s!1)

{3} 0 < FM_WBS_Ext_BSCU_Node_Fault.Alternate_Pressure(s!1)

X

X

Prop.1.1 :

[-1] Alt_Meter_2_Fail(s!1)

[-2] Alt_Meter_2_Fail(s!1)

{-3} FM_WBS_Ext_BSCU_Node.Alternate_Pressure(s!1) = 0

[-4] Nor_Meter_Fail(s!1)

[-5] FM_WBS_Ext_BSCU_Node.Normal_Pressure(s!1) = 0

[-6] 0 < PedalPos1(s!1)

|-------

[1] Alt_Meter_2_Stuck_Val(s!1)

[2] Alt_Meter_2_Stuck_Val(s!1)

[3] Nor_Meter_Stuck_Val(s!1)

[4] Skid(s!1)

[5] 0 < FM_WBS_Ext_BSCU_Node_Fault.Normal_Pressure(s!1)

[6] 0 < FM_WBS_Ext_BSCU_Node_Fault.Alternate_Pressure(s!1)


Pvs fault tree challenges l.jpg

PVS/Fault Tree Challenges

  • Difficult Proofs

    • Completing Proofs is Still a Time Consuming Process

  • Level of Detail in Proofs

    • Current Proofs are Low Level, Fault Trees Must be High Level

      • Proofs Performed at Detailed Behavioral Level

      • Fault Trees Must be Presented at an Architectural Level

  • Proof Structure

    • Proof Structure Appropriate for Fault Tree Generation Must be Obtained

      • May or May Not be the Most Natural Way to Pursue the Proof


Demonstration analysis summary l.jpg

Demonstration/Analysis Summary

  • Simulation and Visualization of Software, Digital, and Analog Failures

    • Simulink Models of Nominal System Coupled with Fault Models Enable Flexible Simulation

  • Model Checking Techniques Enable Flexible Analysis

    • Verification of Correctness Under Normal Conditions

    • Verification of Desirable Fault-tolerance Properties

  • Theorem Proving Holds Promise as Powerful Fault Tree Generation Tool

    • Open Issues Still Remain


Outline of presentation36 l.jpg

Outline of Presentation

Motivation

Proposed Approach

Demonstration

Analysis

What’s Next


What s next l.jpg

What’s Next

  • Improving Modeling Process

  • Ease of Analysis

  • Presentation of Analysis Results

  • Scalability


Improving the modeling process l.jpg

Improving the Modeling Process

  • Building Extended Model is a Manual Process

  • Difficult to Keep Nominal & Extended Model in Sync.

  • Fault Triggers are Added as New Inputs

  • Handle Transient and Permanent Faults Differently

  • Fault Model Clutters Nominal Model


Improving the modeling process39 l.jpg

Improving the Modeling Process

Adding Faults Clutters the Nominal Model


Improving the modeling process40 l.jpg

Improving the Modeling Process

  • Modeling the Mechanical System

    • Need Libraries of Common Components

  • Creating the Fault Model

    • What Exactly is a Fault Model?

      • What is part of nominal system?

      • What goes in fault model?

    • Types of Faults, Interactions Between Faults, and Fault Locations

  • Auto generate the Extended System Model

    • Use Tools to Merge Nominal and Fault Model


Improving the modeling process41 l.jpg

Improving the Modeling Process

Aspect-Oriented Modeling

  • Specify Faults as Aspects of System Components

  • Automatically Weave Faults into Nominal Model

  • Nominal and Extended Model Always in Sync

  • Reduces Potential for Human Error

  • Hide Fault Trigger Inputs during Simulation


Ease of analysis l.jpg

Ease of Analysis

  • Safety Properties Can be Awkward to Specify:

  • Usually, Properties are Conceptually Simple

  • Complexity Comes From Mapping Simple Conceptual Ideas to Formal Specification

Antecedent = ((pre (pre (pre ((NumFails = 1) and FailRec4Step))) and

pre (pre ((AllPedNoSkid and not (Changed)))) and

pre ((AllPedNoSkid and not (Changed))) and

(AllPedNoSkid and not (Changed)))) ;

Consequent = (pre (pre (SomePressure)) or pre (SomePressure) or SomePressure) ;

Prop_MultiStepSingleFail4 =fby( Implies(Antecedent, Consequent), 4, true);


Ease of analysis43 l.jpg

Ease of Analysis

  • Many Safety Properties are Stylized

    • Given n failures (or all failure combinations whose combined probability is >10-k), is it possible that the system will fail?

      • Failure condition is usually straightforward to specify

      • Property complexity arises when considering recovery time and fault propagation

  • Create a Property Builder to Assist Specification of Safety Properties


Presentation of analysis results l.jpg

Presentation of Analysis Results

  • Currently: Proof or Counterexample

  • We Want Something Acceptable To Safety Engineers


Fault trees using model checker l.jpg

Fault Trees using Model Checker

  • FSAP Defines Flat Fault Trees

  • We Can do Better by Encoding Architecture of System Into Fault Tree


Proof trees and fault trees l.jpg

Proof Trees and Fault Trees

Complements w.r.t. each other


Pvs proof trees l.jpg

PVS Proof Trees

Green Pump

Blue Pump

Isolation Valve

Isolation Valve

Power A

System

A

Selector Valve

Pedal 1

Shut

Normal

A

Accumulator

N

Plant

System

L

O

Valve

Feed back

T

R

M

E

Accumulator

A

System

B

Pedal 2

R

Pump

L

N

Power B

AntiSkid

A

Meter

Valve

Mechanical

Command

T

Pedal

E

Braking

+

Meter

Fault Tolerant

Meter

AntiSkid

Valve

Valve

Braking System

Command

Control Unit

Plant

Model

( BSCU )

Prop :

{-1} 0 < PedalPos1(s!1)

|-------

{1} Skid(s!1)

{2} 0 < FM_WBS_Ext_BSCU_Node_Fault.Normal_Pressure(s!1)

{3} 0 < FM_WBS_Ext_BSCU_Node_Fault.Alternate_Pressure(s!1)

X

X

Prop.1.1 :

[-1] Alt_Meter_2_Fail(s!1)

[-2] Alt_Meter_2_Fail(s!1)

{-3} FM_WBS_Ext_BSCU_Node.Alternate_Pressure(s!1) = 0

[-4] Nor_Meter_Fail(s!1)

[-5] FM_WBS_Ext_BSCU_Node.Normal_Pressure(s!1) = 0

[-6] 0 < PedalPos1(s!1)

|-------

[1] Alt_Meter_2_Stuck_Val(s!1)

[2] Alt_Meter_2_Stuck_Val(s!1)

[3] Nor_Meter_Stuck_Val(s!1)

[4] Skid(s!1)

[5] 0 < FM_WBS_Ext_BSCU_Node_Fault.Normal_Pressure(s!1)

[6] 0 < FM_WBS_Ext_BSCU_Node_Fault.Alternate_Pressure(s!1)


Pvs fault tree challenges48 l.jpg

PVS/Fault Tree Challenges

  • Difficult Proofs

    • Completing Proofs is Still a Time Consuming Process

  • Level of Detail in Proofs

    • Current Proofs are Low Level, Fault Trees Must be High Level

      • Proofs performed at detailed behavioral level

      • Fault trees must be presented at an architectural level

  • Proof Structure

    • Proof Structure Appropriate for Fault Tree Generation Must be Obtained

      • May or may not be the most natural way to pursue the proof


Future research goals l.jpg

Future Research Goals

  • Investigate –

    • Fault Models

      • Relationship between fault model and nominal system

      • What is a reasonable and flexible fault model?

    • Automate Fault Injection Into the Nominal Model

      • Aspect orientation and aspect weaving?

    • Flexible Notation for Capturing Safety Properties

      • Safety modeling language?

    • Automate Fault Tree Generation

      • Fault trees acceptable for safety-engineers and acceptable for certification

    • Safety Analysis Methodology

      • Who will build the fault model?

      • Who performs what analysis?


  • Login