Symbolic Fault Tree Analysis for Reactive Systems
Cited by 4 (1 self)
Abstract. Fault tree analysis is a traditional and well-established technique for analyzing system design and robustness. Its purpose is to identify sets of basic events, called cut sets, which can cause a given top-level event, e.g. a system malfunction, to occur. Generating fault trees is particularly critical in the case of reactive systems, as hazards can be the result of complex interactions involving the dynamics of the system and of the faults. Recently, there has been a growing interest in model-based fault tree analysis using formal methods, and in particular symbolic model checking techniques. In this paper we present a broad range of algorithmic strategies for efficient fault tree analysis, based on binary decision diagrams (BDDs). We describe different algorithms encompassing different directions (forward or backward) for reachability analysis, using dynamic cone-of-influence techniques to optimize the use of the finite state machine of the system, and dynamic pruning of the frontier states. We evaluate the relative performance of the different algorithms on a set of industrial-size test cases.
Designing Safe, Reliable Systems using Scade
In Proc. ISoLA 2004
Cited by 2 (0 self)
Abstract. As safety-critical systems increase in size and complexity, the need for efficient tools to verify their reliability grows. In this paper we present a tool that helps engineers design safe and reliable systems. Systems are reliable if they keep operating safely when components fail. Our tool is at the core of the Scade Design Verifier integrated within Scade, a product developed by Esterel Technologies. Scade includes a graphical interface to build formal models in the synchronous data-flow language Lustre. Our tool automatically extends Lustre models by injecting faults, using libraries of typical failures. It allows engineers to perform Failure Mode and Effect Analysis, which consists of verifying whether systems remain safe when selected components fail. The tool can also compute minimal combinations of failures breaking systems' safety, which is similar to Fault Tree Analysis. The paper includes successful verifications of examples from the aeronautics industry.
Retrenchment, and the Generation of Fault Trees for Static, Dynamic and Cyclic Systems
2006
Cited by 2 (0 self)
Abstract. For large systems, the manual construction of fault trees is error-prone, encouraging automated techniques. In this paper we show how the retrenchment approach to formal system model evolution can be developed into a versatile structured approach for the mechanical construction of fault trees. The system structure and the structure of retrenchment concessions interact to generate fault trees with appropriately deep nesting. The same interactions fuel a structural approach to hierarchical fault trees, allowing a system and its faults to be viewed at multiple levels of abstraction. We show how this approach can be extended to deal with minimisation, thereby diminishing the post-hoc subsumption workload and potentially rendering some infeasible cases feasible. The techniques we describe readily generalise to encompass timing, allowing glitches and other transient errors to be properly described. Lastly, a mild generalisation to cope with cyclic system descriptions allows the timed theory to encompass systems with feedback.
The mechanical generation of fault trees for reactive systems via retrenchment I: Combinatorial circuits
2008
Cited by 1 (0 self)
The manual construction of fault trees for complex systems is an error-prone and time-consuming activity, encouraging automated techniques. In this paper we show how the retrenchment approach to formal system model evolution can be developed into a versatile structured approach for the mechanical construction of fault trees. The system structure and the structure of retrenchment concessions interact to generate fault trees with appropriately deep nesting. The same interactions fuel a structural approach to hierarchical fault trees, allowing a system and its faults to be viewed at multiple levels of abstraction. We show how this approach can be extended to deal with minimisation, thereby diminishing the post-hoc subsumption workload and potentially rendering some infeasible cases feasible.
Dependable LQNS: A Performability Modeling Tool for Layered Systems
Dependable LQNS is a software tool for modeling and evaluating performability of fault-tolerant layered distributed applications that use a separate architecture for failure detection and reconfiguration. It takes into account the effects of management architecture, application software architecture, and failure of management and application components in the dependability computation. It uses a combination of minpath algorithms, AND-OR graphs, non-coherent fault trees and Layered Queueing modeling in the analysis.
A Taxonomic Approach to Boolean Formula Analysis
1999
We present a taxonomy of the heuristic analyses of boolean formulas that are used in BDD-based verifications of circuits and fault trees. This systematic characterization of known analyses gives greater insight into the nature of the problem and clearly indicates several opportunities for investigation. It also provides a formal basis for a novel software architecture for useful and extensible optimization tools for boolean formulas.
1 Introduction
Building efficient BDD-based tools for circuit verification, reliability analysis, and model checking critically depends on techniques for finding good variable orders: poor orders lead to intractably large BDDs that are impossible to compute. Between a good and a poor variable order can lie an exponential factor in BDD size [Bry86, Bry91]. Efficiently building efficient tools requires intelligent heuristic analyses that work consistently for a given problem domain. Boolean formulas from different domains have different structural prop...
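The two BDD-centred results above (symbolic fault tree analysis via BDDs, and the variable-ordering problem in the taxonomy paper's introduction) are easier to grasp with a concrete run. The following Python is an added example, not code from any of the listed papers or tools: it builds a small reduced ordered BDD from scratch, constructs a hypothetical fault tree of three redundant cooling channels (names p1/b1 .. p3/b3, TREE, INTERLEAVED and SEPARATED are all assumptions made here), shows how the node count changes between a good and a bad variable order, and extracts the minimal cut sets with a Rauzy-style recursion that is only valid for coherent (monotone, AND/OR-only) trees; the absorption check in `minimal_cut_sets` is what drops cut sets subsumed by smaller ones.

```python
"""Added example: a tiny ROBDD, fault-tree construction, variable-ordering
effect on BDD size, and minimal cut set extraction (coherent trees only).
Not code from the papers listed on this page; tree and names are constructed."""
from itertools import count


class BDD:
    """Reduced ordered BDD with a unique table and a memoised ite()."""
    ZERO, ONE = 0, 1          # terminal node ids

    def __init__(self, order):
        self.rank = {v: i for i, v in enumerate(order)}  # variable -> level
        self.nodes = {}        # id -> (var, low, high)
        self.unique = {}       # (var, low, high) -> id  (canonicity)
        self._ids = count(2)
        self._ite_cache = {}

    def var(self, v):
        return self._mk(v, self.ZERO, self.ONE)

    def _mk(self, v, low, high):
        if low == high:        # redundant test: eliminate the node
            return low
        key = (v, low, high)
        if key not in self.unique:
            nid = next(self._ids)
            self.unique[key] = nid
            self.nodes[nid] = key
        return self.unique[key]

    def _top(self, *ids):
        """Highest (smallest-rank) variable among the non-terminal arguments."""
        return min((self.nodes[i][0] for i in ids if i > 1), key=self.rank.get)

    def _cof(self, f, v):
        """Cofactors of f w.r.t. v; v is at or above f's top variable."""
        if f <= 1 or self.nodes[f][0] != v:
            return f, f
        return self.nodes[f][1], self.nodes[f][2]

    def ite(self, f, g, h):
        if f == self.ONE:
            return g
        if f == self.ZERO:
            return h
        if g == self.ONE and h == self.ZERO:
            return f
        if g == h:
            return g
        key = (f, g, h)
        if key in self._ite_cache:
            return self._ite_cache[key]
        v = self._top(f, g, h)
        f0, f1 = self._cof(f, v)
        g0, g1 = self._cof(g, v)
        h0, h1 = self._cof(h, v)
        r = self._mk(v, self.ite(f0, g0, h0), self.ite(f1, g1, h1))
        self._ite_cache[key] = r
        return r

    def AND(self, f, g):
        return self.ite(f, g, self.ZERO)

    def OR(self, f, g):
        return self.ite(f, self.ONE, g)

    def size(self, root):
        """Number of non-terminal nodes reachable from root."""
        seen, stack = set(), [root]
        while stack:
            n = stack.pop()
            if n > 1 and n not in seen:
                seen.add(n)
                stack.extend(self.nodes[n][1:])
        return len(seen)

    def minimal_cut_sets(self, root):
        """Rauzy-style recursion over a monotone BDD: a minimal cut set either
        avoids the top variable v (then it is minimal for the low branch) or
        contains v plus a minimal cut of the high branch that no low-branch
        cut set subsumes."""
        memo = {}

        def mcs(n):
            if n == self.ZERO:
                return []
            if n == self.ONE:
                return [frozenset()]
            if n in memo:
                return memo[n]
            v, low, high = self.nodes[n]
            without = mcs(low)
            with_v = [c | {v} for c in mcs(high)
                      if not any(d <= c for d in without)]   # absorption
            memo[n] = without + with_v
            return memo[n]

        return sorted(mcs(root), key=lambda c: (len(c), sorted(c)))


def build(bdd, tree):
    """tree is a basic-event name or ('AND' | 'OR', subtree, subtree, ...)."""
    if isinstance(tree, str):
        return bdd.var(tree)
    op, *kids = tree
    fn = bdd.AND if op == 'AND' else bdd.OR
    acc = build(bdd, kids[0])
    for k in kids[1:]:
        acc = fn(acc, build(bdd, k))
    return acc


def analyse(tree, order):
    """Return (BDD node count, minimal cut sets as sorted tuples) for one order."""
    bdd = BDD(order)
    top = build(bdd, tree)
    return bdd.size(top), [tuple(sorted(c)) for c in bdd.minimal_cut_sets(top)]


# Constructed fault tree (assumption): channel i is lost only if primary pump
# p_i and backup b_i both fail; the top event is the loss of any channel.
TREE = ('OR', ('AND', 'p1', 'b1'), ('AND', 'p2', 'b2'), ('AND', 'p3', 'b3'))
INTERLEAVED = ['p1', 'b1', 'p2', 'b2', 'p3', 'b3']   # good order: 2n nodes
SEPARATED = ['p1', 'p2', 'p3', 'b1', 'b2', 'b3']     # bad order: 2^(n+1)-2 nodes

if __name__ == "__main__":
    for name, order in (("interleaved", INTERLEAVED), ("separated", SEPARATED)):
        nodes, cuts = analyse(TREE, order)
        print(f"{name:11s} order: {nodes:2d} BDD nodes, minimal cut sets {cuts}")
```

The minimal cut sets are the same under both orders, as they must be, while the node count jumps from 6 to 14 for this three-channel tree and grows exponentially with the number of channels under the separated order; that gap is the practical reason the ordering heuristics catalogued in the taxonomy paper matter for fault-tree BDDs.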

