Reiner Heilmann

ALFRED: A Methodology to Enable Component Fault Trees for Layered Architectures

Identifying drawbacks or insufficiencies in terms of safety is important also in early development stages of safety critical systems. In industry, development artefacts such as components or units, are often reused from existing artefacts to save time and costs. When development artefacts are reused, their existing safety analysis models are an important input for an early safety assessment for the new system, since they already provide a valid model. Component fault trees support such reuse strategies by a compositional horizontal approach. But current development strategies do not only divide systems horizontally, e.g., By encapsulating different functionality into separate components and hierarchies of components, but also vertically, e.g. Into software and hardware architecture layers. Current safety analysis methodologies, such as component fault trees, do not support such vertical layers. Therefore, we present here a methodology that is able to divide safety analysis models into different layers of a systems architecture. We use so called Architecture Layer Failure Dependencies to enable component fault trees on different layers of an architecture. These dependencies are then used to generate safety evidence for the entire system and over all different architecture layers. A case study applies the approach to hardware and software layers.

Component fault tree analysis resolves complexity: dependability confirmation for a railway brake system

In 2006 Siemens Transportation systems had to obtain an operating license for the brake system of a newly developed train. Therefore a safety analysis for the brake system had to be performed to show that the probability of a failure of the brakes is sufficiently small, less than specified limits. The safety analysis was performed by Siemens Corporate Technology. The probability of a failure of the brake system was calculated using hierarchical fault tree analysis. The large number of different combinations of subsystems contributing to failure scenarios was managed by a specially developed program for automatic generation of combinatorial fault trees. The most important result was the proof of the quantitative safety targets of the brake system to the regulating body.