Fault Trees and Failure Modes and Effects Analyses are well-known methods in safety and reliability engineering. Their use, however, requires a considerable amount of work, in particular when the system evolves and grows. We describe an approach that automates parts of the safety design flow. First, existing architecture models are translated to dependability and error models. Safety engineers can then adapt the models for various safety cases and finally run the analysis by calling a suitable tool. We demonstrate the approach within the automotive domain: the system is specified with domain-specific languages and the created models are translated for the analysis tools. This approach provides several benefits. It helps to ensure that safety analysis is done for the intended/designed architecture. It also makes safety analysis faster, as it is partly automated, reduces error-prone routine work and makes safety analysis easier to use and more accessible.
3. Motivation
Safety engineering is quite expensive and tedious
– Requires a considerable amount of manual work
– Scales badly to larger systems
Feedback to system and software design could be improved
– Safety engineering flows do not always acknowledge the typical iterative/incremental development approach
4. Model-based approach supports safety design by:
1. Utilizing existing specifications with model transformations
– Safety design must be related to what is developed (or planned to be developed – also at early stages)
– Usually such nominal specifications already exist
2. Applying safety concepts directly in models
– Safety standards already suggest their own terminology
3. Linking safety-related models to analytical tools
– Use the (automatically) created models with various analysis tools
– Different tools for different purposes
5. 1) Utilize existing specifications
Usually some designs or specifications already exist, e.g. logical functions, hardware specification, behavior…
Translate those models for safety (sample next slide)
7. 1) Error logic – partly generated
Analyze error propagation directly in a model
8. ISO 26262 from 10,000 feet
Define the item (functions) and preliminary architecture
Determine how the item can fail (HAZOP or FMEA)
Determine the driving scenarios that make the failures hazardous
Determine the exposure (E) to the hazard based on the driving scenario
Evaluate the severity (S) of the hazard
Evaluate the controllability (C) by the operator
Calculate the ASIL
Verify your E and C assumptions
9. ISO 13849-1 from 10,000 feet
Define the scope (usage, environment, etc.)
Identify risk sources
Estimate the risk
Evaluate the risk
Identify safety functions
Calculate the risks
Use the results to reduce the risks
11. 3) Link with analytical tools
Exports the error model to the HipHOPS tool
Produced FTA and FMEA results
12. Scaled for larger systems
FTA/FMEA with cut sets, unavailability, costs, failure rates, repair rates
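As an added illustration (not code from the presentation or from HipHOPS), the following script shows the kind of analysis the tool performs on a generated error model: it takes a small fault tree whose gates were derived from error propagation in a constructed brake-request architecture (two redundant sensors feeding a voter), computes the minimal cut sets, lists the single-point failures an FMEA would flag, and estimates top-event unavailability from constructed failure rates. All component names and rates are assumptions for the example.

```python
import math
from itertools import product

# Constructed example: fault tree generated from an error-propagation model.
# Top event "brake request omitted" occurs if the voter fails, or if both
# sensor channels fail (each channel fails on omission or power loss).
# Nodes are ("AND", ...children) / ("OR", ...children) or a basic-event name.
TOP_EVENT = ("OR", "voter_omission",
             ("AND", ("OR", "s1_omission", "s1_power_loss"),
                     ("OR", "s2_omission", "s2_power_loss")))

# Constructed failure rates (per hour) for each basic event
FAILURE_RATES = {
    "voter_omission": 1e-6,
    "s1_omission": 1e-5, "s2_omission": 1e-5,
    "s1_power_loss": 2e-6, "s2_power_loss": 2e-6,
}

def minimise(sets):
    """Drop any cut set that is a strict superset of another cut set."""
    return {s for s in sets if not any(o < s for o in sets)}

def minimal_cut_sets(node):
    """Return the minimal cut sets of a gate tree as a set of frozensets."""
    if isinstance(node, str):                      # basic event
        return {frozenset([node])}
    gate, *children = node
    child_sets = [minimal_cut_sets(c) for c in children]
    if gate == "OR":                               # any child cut set suffices
        combined = set().union(*child_sets)
    elif gate == "AND":                            # one cut set from each child
        combined = {frozenset().union(*combo) for combo in product(*child_sets)}
    else:
        raise ValueError(f"unknown gate {gate}")
    return minimise(combined)

def single_point_failures(cut_sets):
    """Basic events that alone cause the top event (order-1 cut sets)."""
    return {next(iter(s)) for s in cut_sets if len(s) == 1}

def top_event_unavailability(cut_sets, rates, mission_hours):
    """Rare-event approximation: sum over cut sets of the product of the
    component unavailabilities q = 1 - exp(-lambda * t)."""
    q = {e: 1 - math.exp(-lam * mission_hours) for e, lam in rates.items()}
    return sum(math.prod(q[e] for e in s) for s in cut_sets)

if __name__ == "__main__":
    mcs = minimal_cut_sets(TOP_EVENT)
    for s in sorted(mcs, key=lambda s: (len(s), sorted(s))):
        print(" & ".join(sorted(s)))
    print("single points:", single_point_failures(mcs))
    print("unavailability @ 1000 h:", top_event_unavailability(mcs, FAILURE_RATES, 1000))
```

The single-point cut set on the voter dominates the result, which is exactly the kind of finding a safety engineer would feed back into the architecture model.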
13. 3) Different analytical tools
Same model-based approach with another analysis tool
Specification language adapted for specific needs
14. 3) Link to another analysis tool
Exports the model to the Sistema tool
Produced project data
15. Summary
Use of a model-based approach provides several benefits:
– Ensures that safety analysis is done for the intended/designed architecture
– Makes safety analysis faster as it is partly automated
– Reduces error-prone routine work
– Makes safety analysis easier to use and accessible
The presented approach is not tied to any particular tool
Specification languages and related transformations need to be flexible
Extend the approach by providing a feedback loop from the analysis back to the original source models