“…To create an FG automatically, every analysis step has to be linked and the results formalized. This was not the case for the LS description in the previous analysis implementation [11], [12], where only textual rationales were used to document the LSs in the UCA elements. To formalize the LSs, the textual rationales were extracted from the UCA elements and a separate LS element type was created.…”
Section: Foundation and Creation of Failure Graphs (classification: mentioning; confidence: 98%)
“…This analysis focus is particularly interesting for complex, software-intensive systems [7]. During previous work, a formalized STPA version, first introduced in [21], was integrated in an MBSE environment [11]. Formalization is achieved by using SysML stereotypes with precisely defined relationships that can be mapped to every part of the STPA.…”
Section: B. Formalized Model-based STPA (classification: mentioning; confidence: 99%)
“…Safety analysis formalization not only allows SACA support as presented in this paper, but enables a lot of helpful features. Other automatable examples include the creation of safety artifacts, the execution of verification activities [11] and the tracing of design changes towards safety artifacts [23]. It is therefore possible that the FG analysis summaries can enable a lot of functionality additional to the SACA-related support that was presented in this paper.…”
Section: B. Failure Graph Interpretation (classification: mentioning; confidence: 99%)
“…This is achieved by applying a formalized and model-based STPA version on a system architecture modeled with the Systems Modeling Language (SysML) [10]. Previous work already demonstrated how a formalized STPA can be integrated into SysML [11], [12]. By slightly extending this approach, we demonstrate automated extraction of Failure Graphs (FG), i.e., formalized analysis summaries, from the model-based safety analysis.…”
Urban Air Mobility introduces safety-related challenges for future avionics systems. The associated need for increased autonomy demands novel functions based on high-performance algorithms. To provide such functionality in future air vehicles of all sizes, the trend is towards centralized and powerful computing platforms. That turns avionics into a complex, integrated, and software-intensive aircraft system. Simultaneously, this increases the need for adapted safety analyses. The System-Theoretic Process Analysis (STPA) is a promising approach to analyze the safety of software-intensive systems. It enables consideration of interaction and specification issues in addition to component failures. However, even when using state-of-the-art analyses such as STPA, claiming the sufficiency of the safety analysis efforts is a challenging task for systems with ever-increasing complexity. To address this issue, this paper extends the coverage analysis concepts known from software development to safety analyses. This is achieved with the utilization of failure graphs, i.e., formalized analysis summaries that can be automatically created during the safety analysis. Failure graphs have two advantages: they provide the possibility for visual analysis state indication and can be used to calculate various statistical metrics. Thereby, they make it possible to improve the knowledge about the depth, breadth, and state of the safety analysis. Both visual and statistical consideration complement each other to enhance the safety analysis coverage assessment for future avionic systems. To show all capabilities, the analysis of a flight assistance system serves as demonstrator.
“…Pétin et al. [3] present a methodology for using formal methods on top of SysML models to formally prove safety properties of heterogeneous safety-critical systems involving software, mechanical, electrical, and pneumatic components. Ahlbrecht and Durak [4] present a holistic application of Model-Based Systems Engineering, System-Theoretic Process Analysis, and formal methods in the area of Urban Air Mobility. The overall goal is to guarantee safety-by-construction within an agile development process.…”
The European Railway Traffic Management System (ERTMS) is intended to replace incompatible national rail traffic management systems in Europe and thus simplify cross-border rail traffic. A part of ERTMS is the European Train Control System (ETCS). ETCS is an automatic train protection system and can collaborate with an automatic train operation system (ATO). ATO can control and monitor the braking, traction and door system of a train. This collaboration is called ATO over ETCS. In this paper we describe the experiences gained in the integrated application of the model-based systems and architecture engineering method ARCADIA and the formal method Event-B to the system requirements of ATO over ETCS. A central part of the system requirements is related to the operational modes, mode transitions and mode properties of the ATO onboard unit (ATO-OB). Mode properties are system requirements that must be satisfied whenever the ATO-OB enters a mode or stays within a mode. Modes in which the ATO-OB automatically drives the train are of particular importance. The main goal of the analysis was to check consistency and completeness of the system requirements related to modes, mode transitions and mode properties. Within the ARCADIA phase "System Analysis" a so-called "Mode/State Model", a special ARCADIA model, was systematically derived from the system requirements. In order to guarantee consistency, especially to guarantee that mode properties will not be violated by mode transitions, a formal Event-B specification was derived and formally analyzed. This analysis approach identified several critical inconsistencies of the system requirements.
Developing a solar-powered High-Altitude Platform is a challenging endeavor. These aircraft are able to remain airborne for extremely long time periods, since they harvest all necessary energy from the sun. This is only possible if the design can handle all operating conditions with minimal margins. The systems therefore need to be well matched, which can be more efficiently facilitated by utilizing model-based engineering. This paper shows how a SysML profile can be used to conduct verification and validation planning within such a large project. Key benefits are the development of a single source of truth, better overview from a management point of view, unified processes and document styles within the project, improved change management as well as reduced workloads when generating readable export documents.