## Improving safety assessment of complex systems: An industrial case study (2003)

Venue: Proceedings of Formal Methods 2003 (LNCS 2805)

Citations: 20 (4 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Bozzano03improvingsafety,
  author    = {Marco Bozzano and Antonella Cavallo and Massimo Cifaldi and Laura Valacca and Adolfo Villafiorita},
  title     = {Improving safety assessment of complex systems: An industrial case study},
  booktitle = {Proceedings of Formal Methods 2003 (LNCS 2805)},
  year      = {2003},
  pages     = {208--222},
  publisher = {Springer-Verlag}
}
```

Author affiliations (recovered from the garbled author field of the index entry): ITC-irst, Alenia Aeronautica, Società Italiana Avionica.

### Abstract

The complexity of embedded controllers is steadily increasing. This trend, stimulated by the continuous improvement of the computational power of hardware, demands a corresponding increase in the capability of design and safety engineers to maintain adequate safety levels. The use of formal methods during system design has proved to be effective in several practical applications. However, the development of certain classes of applications, for instance avionics systems, also requires the behaviour of a system to be analysed under degraded situations (e.g., when some components are not working as expected). The integration of system design activities with safety assessment, and the use of formal methods for it, although not new, are still at an early stage. These goals are addressed by the ESACS project, a European-Union-sponsored project grouping several industrial companies from the aeronautic field. The ESACS project is developing a methodology and a platform (the ESACS platform) that helps safety engineers automate certain phases of their work. This paper reports on the application of the ESACS methodology and the ESACS platform to a case study, namely the Secondary Power System of the Eurofighter Typhoon aircraft.

### Citations

- 2408 citations: Model Checking. Clarke, Grumberg, et al., 1999.
- 1108 citations: Temporal and Modal Logic. Emerson, 1990.
  Context: "...r will verify the system either by writing directly the system requirements using some formal notation (e.g., temporal logic [Eme90]) or by loading the basic safety requirements of a safety critical system from a so-called Generic Safety Requirement Library (GSRL). Model Analysis: This is the phase in which the behaviour of a syste..."
- 876 citations: Symbolic Boolean manipulation with ordered binary-decision diagrams. Bryant, 1992.
  Context: "...2.1 are based on classical procedures for minimization of boolean functions, specifically on the implicit-search procedure described in [CM92, CM93], which is based on Binary Decision Diagrams (BDDs) [Bry92]. This choice was quite natural, given that the NuSMV model checker [CCG+02] makes a pervasive use of BDD data structures. The ordering analysis procedure mentioned in Section 2.1 also makes use of th..."
- 705 citations: Symbolic model checking without BDDs. Biere, Cimatti, et al., 1999.
  Context: "...plosion, which is partly due to the current use of discretized integer variables. Another direction of research that we are investigating is the use of SAT-based model checking verification techniques [BCCZ99], which have been shown to be extremely efficient for model debugging and bug hunting [ABC+02, ACKS02]. In the near future, we plan to use these techniques both for interactive fault tree generation a..."
- 482 citations: The theory of hybrid automata. Henzinger, 1996.
- 356 citations: HyTech: A Model Checker for Hybrid Systems. Henzinger, Ho, et al., 1997.
- 230 citations: NuSMV 2: An OpenSource Tool for Symbolic Model Checking. Cimatti, Clarke, et al., 2002.
- 116 citations: VIS: A system for Verification and Synthesis. Brayton, Hachtel, et al.
- 104 citations: Fault Tree Handbook. Vesely, Goldberg, et al., 1981.
  Context: "...be violated. During this activity, safety engineers produce, e.g., fault trees, that are compact representations of the combination of failures leading to the violation of a given safety requirement [VGRH81]. System certification typically requires the probability of such combination of failures to be below a given threshold. The traditional safety verification process, that relies on the ability of the..."
- 78 citations: A SAT based approach for solving formulas over Boolean and linear mathematical propositions. Audemard, Bertoli, et al., 2002.
- 68 citations: Implicit and Incremental Computation of Primes and Essential Primes of Boolean Functions. Coudert, Madre, 1992.
- 64 citations: A tutorial on Stålmarck's proof procedure for propositional logic. Sheeran, Stålmarck, 1999.
  Context: "...figuration (http://sra.itc.it/tools/FSAP), based on the NuSMV2 model checker [CCG+02], the SCADE configuration, based on the SCADE tool (http://www.esterel-technologies.com) and on the PROVER plug-in [SS00], and the Statemate configuration, based on the Statemate tool (http://www.ilogix.com) and on the VIS model checker [BHS+96]. All the configurations of the ESACS platform share the same architectural..."
- 41 citations: Bounded model checking for timed systems. Audemard, Cimatti, et al., 2002.
- 40 citations: The Galileo Fault Tree Analysis Tool. Sullivan, Dugan, et al., 1999.
- 39 citations: The AltaRica Formalism for Describing Concurrent Systems. Arnold, Point, et al.
  Context: "...atform supports and automates the application of the methodology described in the previous subsection. The ESACS platform is shipped in four possible configurations, namely the Altarica configuration [AGPR00], based on the Cecilia-OCAS tool, the FSAP/NuSMV-SA configuration (http://sra.itc.it/tools/FSAP), based on the NuSMV2 model checker [CCG+02], the SCADE configuration, based on the SCADE tool (http://w..."
- 21 citations: Combining various solution techniques for dynamic fault tree analysis of computer systems. Manian, Dugan, et al., 1998.
- 19 citations: Combination of Fault Tree Analysis and Model Checking for Safety Assessment of Complex System. Bieber, Castel, et al.
  Context: "...of the Airbus A340 High Lift System. 4. Hydraulic System A320, related to the hydraulic system of the Airbus A320. The work carried out using the Altarica and (partly, FSAP-NuSMV-SA), is described in [BCS02]. FSAP/NuSMV-SA Configuration: Concerning the NuSMV-based configuration, the safety analysis capabilities provided by this platform include traditional fault tree generation [VGRH81] together with form..."
- 15 citations: Improving System Reliability with Automatic Fault Tree Generation. Liggesmeyer, Rothfelder, 1998.
- 15 citations: Risk Assessment for Dynamic Systems: An Overview. Siu, Reliability Engineering and System Safety, 1994.
  Context: "...s to be integrated in our framework. Probabilistic Safety Assessment: A large amount of work has been done in the area of probabilistic safety assessment (PSA) and in particular on dynamic reliability [Siu94]. Dynamic reliability is concerned with extending the classical event or fault tree approaches to PSA by taking into consideration the mutual interactions between the hardware components of a plant an..."
- 14 citations: Integrating Fault Tree Analysis with Event Ordering Information. Bozzano, Villafiorita, 2003.
  Context: "...as quite natural, given that the NuSMV model checker [CCG+02] makes a pervasive use of BDD data structures. The ordering analysis procedure mentioned in Section 2.1 also makes use of these algorithms [BV03]. Fault Tree Computation: The ESACS Platform can compute fault trees using algorithms based on formal methods techniques. Rel..."
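
The contexts cited from the paper describe fault trees as compact representations of the failure combinations that violate a safety requirement, computed in the FSAP/NuSMV-SA configuration by Boolean minimisation (prime implicants over BDDs) and then compared against a certification probability threshold. The following script is an added example written for this page, not ESACS, FSAP or NuSMV code: it uses a constructed toy model (two generators feeding a bus through a switch; all component and failure-mode names are hypothetical), enumerates the failure-mode assignments exhaustively in place of the BDD-based implicit search, extracts the minimal cut sets, and evaluates the top-level event probability against a threshold. The failure rates are invented numbers.

```python
"""Minimal cut sets of a safety requirement by Boolean minimisation.

Added example (not ESACS/FSAP code). The model is constructed: a toy
power system in which generators G1 and G2 feed bus B through switch S.
Safety requirement: "B is powered". Failure modes are permanent, which
matches the limitation the paper states for its current models.
Exhaustive enumeration of the 2^n failure assignments stands in for the
BDD-based implicit search the real tool uses.
"""
from itertools import combinations, product
from math import prod

# Hypothetical failure modes injected into the nominal model.
FAILURE_MODES = ("G1_fail", "G2_fail", "S_fail")


def bus_powered(failed: frozenset) -> bool:
    """Safety requirement evaluated on the extended (failure-injected)
    model: the bus is powered iff the switch works and at least one
    generator works."""
    generator_ok = "G1_fail" not in failed or "G2_fail" not in failed
    return generator_ok and "S_fail" not in failed


def violating_assignments(modes, requirement):
    """Every set of active failure modes under which the requirement is
    false, i.e. the implicants of the top-level event (TLE)."""
    violating = set()
    for bits in product((False, True), repeat=len(modes)):
        active = frozenset(m for m, on in zip(modes, bits) if on)
        if not requirement(active):
            violating.add(active)
    return violating


def minimal_cut_sets(violating):
    """Keep only the minimal violating sets: none of their proper subsets
    is itself violating. For a coherent model (adding failures never
    restores the requirement) these are the prime implicants of the TLE,
    i.e. the minimal cut sets of the fault tree (TLE = OR of ANDs)."""
    minimal = [cs for cs in violating
               if not any(other < cs for other in violating)]
    return sorted(minimal, key=lambda cs: (len(cs), sorted(cs)))


def top_event_probability(cut_sets, prob):
    """Exact P(TLE) under independent basic events, by inclusion-exclusion
    over the minimal cut sets."""
    total = 0.0
    for k in range(1, len(cut_sets) + 1):
        for combo in combinations(cut_sets, k):
            union = frozenset().union(*combo)
            total += (-1) ** (k + 1) * prod(prob[m] for m in union)
    return total


def rare_event_bound(cut_sets, prob):
    """Upper bound on P(TLE): the sum of the cut-set probabilities (first
    inclusion-exclusion term), the conservative figure usually compared
    against a certification threshold."""
    return sum(prod(prob[m] for m in cs) for cs in cut_sets)


def certify(cut_sets, prob, threshold):
    """True when even the conservative bound stays below the threshold."""
    return rare_event_bound(cut_sets, prob) < threshold


if __name__ == "__main__":
    # Constructed per-flight-hour failure probabilities (invented values).
    rates = {"G1_fail": 1e-3, "G2_fail": 1e-3, "S_fail": 1e-4}
    mcs = minimal_cut_sets(violating_assignments(FAILURE_MODES, bus_powered))
    for cs in mcs:
        print("minimal cut set:", " AND ".join(sorted(cs)))
    print("P(bus unpowered) =", top_event_probability(mcs, rates))
    print("certified at 1e-5:", certify(mcs, rates, 1e-5))
```

On this model the minimal cut sets are {S_fail} (single point of failure) and {G1_fail, G2_fail} (loss of both redundant generators), which is exactly the OR-of-ANDs structure a fault tree would show. Exhaustive enumeration is fine for a handful of failure modes; with the hundreds of basic events of a real aircraft subsystem the implicit, BDD-based prime-implicant computation of [CM92, CM93] is what keeps the analysis tractable.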

- 11 citations: Fault Tree Analysis: 10^20 Prime Implicants and Beyond. Coudert, Madre, 1993.
- 9 citations: Computer-assisted Markov Failure Modeling of Process Control Systems. Aldemir, 1987.
- 8 citations: A Concept Paper on Dynamic Reliability via Monte Carlo Simulation. Marseguerra, Zio, et al., 1998.
  Context: "...the classical event or fault tree approaches to PSA by taking into consideration the mutual interactions between the hardware components of a plant and the physical evolution of its process variables [MZDL98]. Examples of scenarios taken into consideration are, e.g., human intervention, expert judgment, the role of control/protection systems, the so-called failures on demand (i.e., failure of a component..."
- 7 citations: The Reliability and Safety Assessment of Protection Systems by the Use of Dynamic Event Trees. The DYLAM-TRETA Package. Cojazzi, Izquierdo, et al., 1992.
  Context: "...o the ordering of events during accident propagation. Different approaches to dynamic reliability include, e.g., state transitions or Markov models [Ald87, Pap94], the dynamic event tree methodology [CIMP92], and direct simulation via Monte Carlo analysis [SD92, MZDL98]. 6. Conclusions and Future Work: In this paper we have presented the ESACS safety analysis platform and methodology. The ESACS platform c..."
- 6 citations: Markovian Reliability Analysis of Dynamic Systems. Papazoglou, 1994.
  Context: "...automatic techniques, based on model checking, for both fault tree generation and ordering analysis, whereas traditional works on dynamic reliability rely on manual analysis (e.g., Markovian analysis [Pap94]) or simulation (e.g., Monte Carlo simulation [MZDL98], the TRETA package of [CIMP92]). Current work is focusing on some improvements and extensions in order to make the methodology competitive with e..."
- 6 citations: Probabilistic Reactor Dynamics II. A Monte-Carlo Study of a Fast Reactor Transient. Smidts, Devooght, 1992.
- 5 citations: Automatic Fault Tree Generation: Missile Defence System Case Study. Rae, 2000.
- 4 citations: Probabilistic Dynamics; The Mathematical and Computing Problems Ahead. Devooght, Smidts, 1994.
  Context: "...bilistic estimates to basic events and evaluating the resulting fault trees is straightforward. However, more work needs to be done in order to support more complex probabilistic dynamics (see, e.g., [DS94]). We also want to overcome the current limitation to permanent failures. As far as FSAP/NuSMV-SA is concerned, the models used so far are discrete, finite-state transition models. In order to allow f..."
- 2 citations: Towards Integrated Safety Analysis and Design. Unknown authors, 1994.
  Context: "...to the safety engineer is still transmitted by means of informal specifications and the communication between system design and safety assessment activities can be seen as an “over the wall process” [FMPN94]. A solution to these issues is to perform the safety assessment analysis in some automated way, directly from the formal system model coming from the design engineer. This approach is being developed..."