Improving system reliability via model checking: The FSAP/NuSMV-SA safety analysis platform
, 2003
Cited by 18 (1 self)
Safety critical systems are becoming more complex, both in the type of functionality they provide and in the way they are demanded to interact with their environment. Such growing complexity requires an adequate increase in the capability of safety engineers to assess system safety, including analyzing the behaviour of a system in degraded situations. Formal verification
Probabilistic Model-Checking Support for FMEA
Cited by 6 (2 self)
Failure Mode and Effect Analysis (FMEA) is a method for assessing cause-consequence relations between component faults and hazards that may occur during the lifetime of a system. The analysis is typically time intensive and informal, and for this reason FMEA has been extended with traditional model checking support. Such support does not take into account the probabilities associated with a component fault occurring, yet such information is crucial to developing hazard reduction strategies for a system. In this paper we propose a method for FMEA which makes use of probabilistic fault injection and probabilistic model checking. Based on this approach safety engineers are able to formally identify if a failure mode occurs with a probability higher than its tolerable hazard rate.
Safety Analysis of an Airbag System using Probabilistic FMEA and Probabilistic Counterexamples
Cited by 6 (6 self)
Failure mode and effects analysis (FMEA) is a technique to reason about possible system hazards that result from system or system component failures. Traditionally, FMEA does not take the probabilities with which these failures may occur into account. Recently, this shortcoming was addressed by integrating stochastic model checking techniques into the FMEA process. A further improvement is the integration of techniques for the generation of counterexamples for stochastic models, which we propose in this paper. Counterexamples facilitate the redesign of a potentially unsafe system by providing information on which components contribute most to the failure of the entire system. The usefulness of this novel approach to the FMEA process is illustrated by applying it to the case study of an airbag system provided by our industrial partner, the TRW Automotive GmbH.
Symbolic Fault Tree Analysis for Reactive Systems
Cited by 4 (1 self)
Fault tree analysis is a traditional and well-established technique for analyzing system design and robustness. Its purpose is to identify sets of basic events, called cut sets, which can cause a given top level event, e.g. a system malfunction, to occur. Generating fault trees is particularly critical in the case of reactive systems, as hazards can be the result of complex interactions involving the dynamics of the system and of the faults. Recently, there has been a growing interest in model-based fault tree analysis using formal methods, and in particular symbolic model checking techniques. In this paper we present a broad range of algorithmic strategies for efficient fault tree analysis, based on binary decision diagrams (BDDs). We describe different algorithms encompassing different directions (forward or backward) for reachability analysis, using dynamic cone of influence techniques to optimize the use of the finite state machine of the system, and dynamic pruning of the frontier states. We evaluate the relative performance of the different algorithms on a set of industrial-size test cases.
A Framework for Early Robustness Assessment
- Proceedings of Software Engineering and Application, MIT
, 2004
Cited by 3 (3 self)
Time pressure and quality issues bring new challenges for developing web-based systems. The ability to analyze quality early in the development life cycle is crucial. Among the techniques suggested by the literature, few of them actually support early quality activities when little information about the system is available. We take robustness as a critically important quality attribute, and present a framework for performing robustness assessment during the analysis and architecture design stages. Firstly we use Jacobson's analysis method to decompose a web-based system into subsystems, which then are partitioned into software modules. Then for each module, we apply a simplified FMEA method to find robustness-related failure modes, possible causes, their effects, and furthermore, we identify possible ways to prevent or reduce robustness failures. In the end, we illustrate the proposed method through an example from a simple web-based Internet Bookstore system.
Combining Formal Methods and Safety Analysis - The ForMoSa Approach
Cited by 3 (2 self)
In the ForMoSA project [17] an integrated approach for safety analysis of critical, embedded systems has been developed. The approach brings together the best of engineering practice, formal methods and mathematics: traditional safety analysis, temporal logics and verification, and statistics and optimization. These three orthogonal techniques cover three different aspects of safety: fault tolerance, functional correctness and quantitative analysis. The ForMoSA approach combines these techniques to answer these safety-relevant questions in a structured and formal way. Furthermore, the tight combination of methods from different analysis domains yields results which cannot be produced by any single technique. The methodology was applied in case studies to different industrial domains. One of them is the height control of the Elbtunnel in Hamburg [16] from the domain of electronic traffic control, which we present as an illustrating example. Key words: fault tree analysis, dependability, optimization, safety analysis, embedded systems
Retrenchment, and the Generation of Fault Trees for Static, Dynamic and Cyclic Systems
, 2006
Cited by 2 (0 self)
For large systems, the manual construction of fault trees is error-prone, encouraging automated techniques. In this paper we show how the retrenchment approach to formal system model evolution can be developed into a versatile structured approach for the mechanical construction of fault trees. The system structure and the structure of retrenchment concessions interact to generate fault trees with appropriately deep nesting. The same interactions fuel a structural approach to hierarchical fault trees, allowing a system and its faults to be viewed at multiple levels of abstraction. We show how this approach can be extended to deal with minimisation, thereby diminishing the post-hoc subsumption workload and potentially rendering some infeasible cases feasible. The techniques we describe readily generalise to encompass timing, allowing glitches and other transient errors to be properly described. Lastly, a mild generalisation to cope with cyclic system descriptions allows the timed theory to encompass systems with feedback.
Model-Based Safety Analysis: Final Report, NASA
, 2005
Cited by 1 (0 self)
System safety analysis techniques are well established and are used extensively during the design of safety-critical systems. Despite this, most of the techniques are highly subjective and dependent on the skill of the practitioner. Since these analyses are usually based on an informal system model, it is unlikely that they will be complete, consistent, and error free. In fact, the lack of precise models of the system architecture and its failure modes often forces the safety analysts to devote much of their effort to gathering architectural details about the system behavior from several sources and embedding this information in the safety artifacts such as the fault trees. This report describes Model-Based Safety Analysis, an approach in which the system and safety engineers share a common system model created using a model-based development process. By extending the system model with a fault model as well as relevant portions of the physical system to be controlled, automated support can be provided for much of the safety analysis. We believe that by using a common model for both system and safety engineering and automating parts of the safety analysis, we can both reduce the cost and improve the quality of the safety analysis. Here we present our vision of model-based safety analysis and discuss the advantages
Certificate Management: A Practitioner's Perspective
- Workshop on Software Certificate Management
Cited by 1 (0 self)
Standards for critical avionics software development, such as DO178B, place a strong emphasis on process issues: ensuring traceability between different development artifacts and proper configuration management of these artifacts. Certification Management (CM) systems formalize many of the relationships between different artifacts and hold the promise of both streamlining the management of the artifacts and ensuring that relationships between the artifacts are formally justified. However, to be useful in an industrial context, the definition and scope of CM systems must be better understood, and several open issues must be addressed. This paper describes issues and potential uses of CM systems in industrial practice.
Y.-H.: Model checking safety-critical systems using Safecharts
- IEEE Transactions on Computers
Cited by 1 (1 self)
With rapid developments in science and technology, we now see the ubiquitous use of different types of safety-critical systems in our daily lives such as in avionics, consumer electronics, and medical systems. In such systems, unintentional design faults might result in injury or even death to human beings. To make sure that safety-critical systems are really safe, there is a need to verify them formally. However, the verification of such systems is getting more and more difficult because designs are becoming very complex. To cope with high design complexity, model-driven architecture design is currently becoming a well-accepted trend. However, existing methods of testing and standards conformance are restricted to implementation code, so they do not fit very well with model-based approaches. To bridge this gap, we propose a model-based formal verification technique for safety-critical systems. In this work, the model-checking paradigm is applied to the Safecharts model, which was used for modeling but not yet used for verification. Our contributions are as follows: First, the safety constraints in Safecharts are mapped to semantic equivalents in timed automata for verification. Second, the theory for safety constraint verification is proven and implemented in a compositional model checker (that is, the State-Graph Manipulator (SGM)). Third, prioritized and urgent transitions are implemented in SGM to model the risk semantics in Safecharts. Finally, it is shown that the priority-based approach to mutual exclusion of resource usage in the original Safecharts is unsafe and corresponding solutions are proposed here. Application examples show the feasibility and benefits of the proposed model-driven verification of safety-critical systems. Index Terms: Safety-critical systems, model checking, Safecharts, extended timed automaton.