Yiannis Papadopoulos
University of Hull
Publications
Featured research published by Yiannis Papadopoulos.
Reliability Engineering & System Safety | 2001
Yiannis Papadopoulos; John A. McDermid; Ralph Sasse; Gunter Heiner
This paper introduces a new method for safety analysis which modifies, automates and integrates a number of classical safety analysis techniques to address some of the problems currently encountered in complex safety assessments. The method enables the analysis of a complex programmable electronic system from the functional level through to low levels of its hardware and software implementation. In the course of the assessment, the method integrates design and safety analysis and harmonises hardware safety analysis with the hazard analysis of software architectures. It also introduces an algorithm for the synthesis of fault trees, which mechanises and simplifies a large and traditionally problematic part of the assessment, the development of fault trees. In this paper, we present the method and discuss its application on a prototypical distributed brake-by-wire system for cars. We argue that the method can help us rationalise and simplify an inherently creative and difficult task and therefore gain a consistent and meaningful picture of how a complex programmable system behaves in conditions of failure. © 2001 Elsevier Science Ltd. All rights reserved.
international conference on computer safety, reliability, and security | 1999
Yiannis Papadopoulos; John A. McDermid
This paper introduces a new method for safety analysis called HiP-HOPS (Hierarchically Performed Hazard Origin and Propagation Studies). HiP-HOPS originates from a number of classical techniques such as Functional Failure Analysis, Failure Mode and Effects Analysis and Fault Tree Analysis. However, it extends, automates and integrates these techniques in order to address some of the problems currently encountered in complex safety assessments. The method enables integrated assessment of a complex system from the functional level through to the low level of component failure modes. It mechanises and simplifies a large part of the analysis, the development of fault trees, and can guarantee the consistency of results. HiP-HOPS is currently supported by a tool called the Safety Argument Manager (SAM). In this paper we introduce the method and we show how it has helped us analyse and improve the safety of a distributed brake-by-wire system for cars.
component-based software engineering | 2005
Lars Grunske; Bernhard Kaiser; Yiannis Papadopoulos
Over the past years, the paradigm of component-based software engineering has been established in the construction of complex mission-critical systems. Due to this trend, there is a practical need for techniques that evaluate critical properties (such as safety, reliability, availability or performance) of these systems. In this paper, we review several high-level techniques for the evaluation of safety properties for component-based systems and we propose a new evaluation model (State Event Fault Trees) that extends safety analysis towards a lower abstraction level. This model possesses a state-event semantics and strong encapsulation, which is especially useful for the evaluation of component-based software systems. Finally, we compare the techniques and give suggestions for their combined usage.
Journal of Systems and Software | 2005
Yiannis Papadopoulos; Christian Grante
Development processes in the automotive industry need to evolve to address increasing demands for integration of car functions over common networked infrastructures. New processes must address cost and safety concerns and maximize the potential for automation to address the problem of increasing technological complexity. In this paper, we propose a design process in which techniques for semi-automatic safety and reliability analysis of systems models are combined with multi-objective optimisation techniques to assist the gradual development of designs that can meet reliability and safety requirements and maximise profit within pragmatic development cost constraints. The proposed process relies on tools to automate some aspects of the design that we believe could be automated and thus simplified without loss of the creative input brought in the process by designers.
high assurance systems engineering | 2004
Yiannis Papadopoulos; David Parker; Christian Grante
Failure modes and effects analysis (FMEA) is a classical system safety analysis technique which is currently widely used in the automotive, aerospace and other safety critical industries. In the process of an FMEA, analysts compile lists of component failure modes and try to infer the effects of those failure modes on the system. System models, typically simple engineering diagrams, assist analysts in understanding how the local effects of component failures propagate through complex architectures and ultimately cause hazardous effects at system level. Although there is software available that assists engineers in performing clerical tasks, such as forming tables and filling in data, the intelligent part of an FMEA process remains a manual and laborious process. Thus, one of the main criticisms of FMEA is that the time taken to perform the analysis can often exceed the period of the design and development phases and therefore the analysis de facto becomes a mere deliverable to the customer and not a useful tool capable of improving the design. Difficulties naturally become more acute as systems grow in scale and complexity. To address those difficulties, a body of work is looking into the automation and simplification of FMEA (Renovell et al., 1985). To mechanically infer the effects of component failures in a system, several approaches have been proposed which use domain specific qualitative or quantitative fault simulation. These approaches are restricted to particular application domains such as the design of electrical or electronic circuits. Limitations in scope but also difficulties with the efficiency and scalability of algorithms seem to have so far limited the industrial take-up of this automated FMEA technology which is still under development. In this paper, we propose a new approach to the automatic synthesis of FMEAs which builds upon recent work towards automating fault tree analysis (Papadopoulos et al., 2001). 
In this approach, FMEAs are built from engineering diagrams that have been augmented with information about component failures. The proposed approach is generic, i.e. not restricted to an application domain, and potentially applicable to a range of widely used engineering models. The models that provide the basis for the analysis identify the topology of the system, i.e. the system components and the material energy and data transactions among those components. Models can also be hierarchically structured and record in different layers the decomposition of subsystems into more basic components. We should note that this type of structural models include piping and instrumentation diagrams, data flow diagrams and other models commonly used in many areas of engineering design.
Reliability Engineering & System Safety | 2003
Yiannis Papadopoulos
Models such as statecharts and fault trees are becoming increasingly available in electronic form as they find more useful applications in the development of safety critical systems. Since these models typically lose much of their utility after system certification, however, useful knowledge about the behaviour of the system remains unused in the operational phase of the system lifecycle. In this paper, we show that this knowledge could be exploited in the context of an on-line hazard-directed monitoring scheme in which a suitable specification derived from design models and safety analyses forms a reference monitoring model. As a practical application of this approach, we propose a generic safety monitor that can operate on statecharts and fault trees to support the on-line detection, diagnosis and control of hazardous failures in real-time. We discuss the structuring of the monitoring model and the monitoring algorithms, and report on a case study performed on a model aircraft fuel system.
international conference on computer safety reliability and security | 2008
DeJiu Chen; Rolf Johansson; Henrik Lönn; Yiannis Papadopoulos; Anders Sandberg; Fredrik Törner; Martin Törngren
This paper describes and demonstrates an approach that promises to bridge the gap between model-based systems engineering and the safety process of automotive embedded systems. The basis for this is the integration of safety analysis techniques, a method for developing and managing Safety Cases, and a systematic approach to model-based engineering --- the EAST-ADL2 architecture description language. Three areas are highlighted: (1) System model development on different levels of abstraction. This enables fulfilling many requirements on software development as specified by ISO-CD-26262; (2) Safety Case development in close connection to the system model; (3) Analysis of mal-functional behaviour that may cause hazards, by modelling of errors and error propagation in a (complex and hierarchical) system model.
MBEERTS'07 Proceedings of the 2007 International Dagstuhl conference on Model-based engineering of embedded real-time systems | 2007
Philippe Cuenot; Patrick Frey; Rolf Johansson; Henrik Lönn; Yiannis Papadopoulos; Mark-Oliver Reiser; Anders Sandberg; David Servat; Ramin Tavakoli Kolagari; Martin Törngren; Matthias Weber
Current trends in automotive embedded systems focus on how to manage the increasing software content, with a strong emphasis on standardization of the embedded software structure. The management of engineering information remains a critical challenge in order to support development and other stages of the life-cycle. System modelling based on an Architecture Description Language (ADL) is a way to keep these assets within one information structure. This paper presents the EAST-ADL2 modelling language, developed in the ITEA EAST-EEA project and further enhanced in the ATESST project (www.atesst.org). EAST-ADL2 supports comprehensive model-based development of embedded systems and provides dedicated constructs to facilitate variability and product line management, requirements engineering, representation of functional as well as software/hardware solutions, and timing and safety analysis.
computer assisted radiology and surgery | 2010
Yiannis Papadopoulos; Martin Walker; Mark-Oliver Reiser; Matthias Weber; DeJiu Chen; Martin Törngren; David Servat; Andreas Abele; Friedhelm Stappert; Henrik Lönn; L. Berntsson; Rolf Johansson; Fulvio Tagliabo; Sandra Torchiaro; Anders Sandberg
In this paper, we describe a concept for the automatic allocation of general Safety Integrity Levels (SILs) to subsystems and components of complex hierarchical networked architectures that deliver sets of safety critical functions. The concept is generic and can be adapted to facilitate the safety engineering approach defined in several standards that employ the concept of integrity or assurance levels including ISO 26262, the emerging automotive safety standard. SIL allocation is facilitated by HiP-HOPS, an automated safety analysis tool, and can be performed in the context of development using EAST-ADL2, an automotive architecture description language. The process rationalizes complex risk allocation and leads to optimal/economic allocation of SILs.
Reliability Engineering & System Safety | 1999
Yiannis Papadopoulos; John A. McDermid
This paper investigates the potential for common treatment of certification of safety critical programmable electronic systems in the transportation industries. It contains a comparative review of new, emerging international standards that are likely to influence certification procedures in the railway, automotive and aerospace sectors in the future. These include the EUROCAE/SAE aerospace guidelines, the CENELEC railway standards and IEC-61508, the draft international standard on safety related systems. The review identifies the common and divergent requirements for certification among these standards. Based on significant commonalities, we have developed a common process model for the development, assessment and certification of safety critical programmable electronic systems which could be acceptable in the framework of each standard under consideration. The proposed model contains a system development and a safety assessment process which rationalises and unifies the common requirements among the standards in these areas. In addition, it defines a common evolutionary process for the development of the system's safety case. The safety case process determines how the evidence produced in the progression of safety assessment can be structured in order to form an overall convincing argument about the safety of the system. We conclude that it is possible to use this model as the basis of a generic method for the certification of systems across the transportation sector and outline a suitable approach to such certification.