## Improving system reliability via model checking: The FSAP/NuSMV-SA safety analysis platform (2003)

Citations: 29 (1 self)

### BibTeX

```bibtex
@MISC{Bozzano03improvingsystem,
  author = {Marco Bozzano and Adolfo Villafiorita},
  title  = {Improving system reliability via model checking: The FSAP/NuSMV-SA safety analysis platform},
  year   = {2003}
}
```

### Abstract

Safety critical systems are becoming more complex, both in the type of functionality they provide and in the way they are demanded to interact with their environment. Such growing complexity requires an adequate increase in the capability of safety engineers to assess system safety, including analyzing the behaviour of a system in degraded situations. Formal verification

### Citations

1367 | Symbolic Model Checking - McMillan - 1993
Citation Context: ...engine of FSAP/NuSMV-SA is an extension of the model checking tool NuSMV2 [10], a BDD-based symbolic model-checker developed at ITC-IRST, originated from a re-engineering and re-implementation of SMV [28]. NuSMV2 is a well-structured, open, flexible and well-documented platform for model checking, and it has been designed to be robust and close to industrial standards [11]. Typically, system specifica...

1350 | The model checker SPIN - Holzmann - 1997
Citation Context: ...shed method for formally verifying temporal properties of finite-state concurrent systems. It has been applied for the formal verification of a number of real-world safety-critical industrial systems [22, 23, 10]. In particular, the engine of FSAP/NuSMV-SA is an extension of the model checking tool NuSMV2 [10], a BDD-based symbolic model-checker developed at ITC-IRST, originated from a re-engineering and re-i...

937 | Symbolic Boolean Manipulation with Ordered Binary-Decision Diagrams - Bryant - 1992
Citation Context: ...ned to be robust and close to industrial standards [11]. Typically, system specifications are written as temporal logic formulas, and efficient symbolic algorithms (based on data structures like BDDs [7]) are used to traverse the model and check if the specification holds or not. Being an extension of NuSMV2, FSAP/NuSMV-SA provides all the functionality of NuSMV2. Below, however, we will focus on the...

762 | Symbolic Model Checking without BDDs - Biere, Cimatti, et al. - 1999
Citation Context: ...g the FSAP/NuSMV-SA platform, we are currently working on further improving user interaction (e.g., by working on pattern-based inputting of top level events) and experimenting on SAT based techniques [3, 2] for fault tree construction. The FSAP/NuSMV-SA platform is available for evaluation purposes from http://sra.itc.it/tools/FSAP (the download is currently password protected; the password can be obtai...

546 | UPPAAL in a nutshell - Larsen, Pettersson, et al. - 1997
Citation Context: ...shed method for formally verifying temporal properties of finite-state concurrent systems. It has been applied for the formal verification of a number of real-world safety-critical industrial systems [22, 23, 10]. In particular, the engine of FSAP/NuSMV-SA is an extension of the model checking tool NuSMV2 [10], a BDD-based symbolic model-checker developed at ITC-IRST, originated from a re-engineering and re-i...

525 | The theory of hybrid automata - Henzinger - 1996
Citation Context: ...e NuSMV models used so far are discrete, finite-state transition models. In order to allow for more realistic models, we are considering an extension of NuSMV with hybrid dynamics, along the lines of [19, 20]. This would allow both to model more complex variable dynamics, and also a more realistic modeling of time (which, currently, is modeled by an abstract transition step). Furthermore, we need to exten...

384 | HYTECH: A model checker for hybrid systems - Henzinger, Ho, et al. - 1997
Citation Context: ...e NuSMV models used so far are discrete, finite-state transition models. In order to allow for more realistic models, we are considering an extension of NuSMV with hybrid dynamics, along the lines of [19, 20]. This would allow both to model more complex variable dynamics, and also a more realistic modeling of time (which, currently, is modeled by an abstract transition step). Furthermore, we need to exten...

256 | NUSMV2: An open-source tool for symbolic model checking - Cimatti, Clarke, et al. - 2002
Citation Context: ... being developed at ITC-IRST. FSAP/NuSMV-SA is based on two main components: FSAP (Formal Safety Analysis Platform), that provides a graphical front-end to the user, and NuSMV-SA, based on the NuSMV2 [10] model checker, that provides an engine to perform safety assessment. The main functionality of FSAP/NuSMV-SA include: support for model construction (e.g., failure mode definition based on a library ...

247 | A Specifier's Introduction to Formal Methods - Wing - 1990
Citation Context: ...34], that rely on the ability of the safety engineer to understand and to foresee the system behaviour, are not ideal when dealing with highly complex systems. Emerging techniques like formal methods [35] are increasingly being used for the development of critical systems (see, e.g., [12, 9, 8, 21]). Formal methods allow a more thorough verification of the system's correctness with respect to the requ...

128 | NUSMV: A new symbolic model checker - Cimatti, Clarke, et al. - 2000
Citation Context: ...and re-implementation of SMV [28]. NuSMV2 is a well-structured, open, flexible and well-documented platform for model checking, and it has been designed to be robust and close to industrial standards [11]. Typically, system specifications are written as temporal logic formulas, and efficient symbolic algorithms (based on data structures like BDDs [7]) are used to traverse the model and check if the sp...

120 | Fault Tree Handbook - Vesely, Goldberg, et al. - 1981
Citation Context: ...s an adequate increase in the capability of safety engineers to assess system safety. Current informal methodologies, like manual fault tree analysis (FTA) and failure mode and effect analysis (FMEA) [34], that rely on the ability of the safety engineer to understand and to foresee the system behaviour, are not ideal when dealing with highly complex systems. Emerging techniques like formal methods [35...

82 | A SAT Based Approach for Solving Formulas over Boolean and Linear Mathematical Propositions - Audemard, Bertoli, et al. - 2002
Citation Context: ...g the FSAP/NuSMV-SA platform, we are currently working on further improving user interaction (e.g., by working on pattern-based inputting of top level events) and experimenting on SAT based techniques [3, 2] for fault tree construction. The FSAP/NuSMV-SA platform is available for evaluation purposes from http://sra.itc.it/tools/FSAP (the download is currently password protected; the password can be obtai...

72 | Implicit and incremental computation of primes and essential primes of boolean functions - Coudert, Madre - 1992
Citation Context: ...or cut set and prime implicant computation described in Section 2.4 are based on classical procedures for minimization of boolean functions, specifically on the implicit-search procedure described in [15, 16], which is based on Binary Decision Diagrams (BDDs) [7]. This choice was quite natural, given that the NuSMV model checker makes a pervasive use of BDD data structures. The ordering analysis procedure...

43 | The Galileo fault tree analysis tool - Sullivan, Dugan, et al. - 1999
Citation Context: ...hms (we refer the reader to [5] for a discussion of the related literature). Explicit-search and SAT-based techniques for computation of prime implicants are described, e.g., in [26]. We also mention [25, 33], which describe DIFTree (Dynamic Innovative Fault Tree), a methodology supporting (however, still at the manual level) fault tree construction and allowing for different kinds of analyses of sub-tree...

23 | Combining various solution techniques for dynamic fault tree analysis of computer systems - Manian, Dugan, et al. - 1998
Citation Context: ...hms (we refer the reader to [5] for a discussion of the related literature). Explicit-search and SAT-based techniques for computation of prime implicants are described, e.g., in [26]. We also mention [25, 33], which describe DIFTree (Dynamic Innovative Fault Tree), a methodology supporting (however, still at the manual level) fault tree construction and allowing for different kinds of analyses of sub-tree...

20 | Improving safety assessment of complex systems: An industrial case study - Bozzano, Cavallo, et al. - 2003
Citation Context: ... a more extensive discussion about the use of model checking for safety analysis, the tool usage experience, and for a more realistic example of application of the methodology, we refer the reader to [4]. Concerning the works on dynamic reliability cited in Section 4, the most notable difference between our approach and the works mentioned there is that we present au...

16 | Risk assessment for dynamic systems: An overview (Reliability Engineering and System Safety 43) - Siu - 1994
Citation Context: ...ated in our framework. A large amount of work has been done in the area of probabilistic safety assessment (PSA) and in particular on dynamic reliability [31]. Dynamic reliability is concerned with extending the classical event or fault tree approaches to PSA by taking into consideration the mutual interactions between the hardware components of a plant an...

15 | Improving System Reliability with Automatic Fault Tree Generation (FTCS '98) - Liggesmeyer, Rothfelder - 1998
Citation Context: ...ich are more specific to the safety analysis process. [Fig. 4. A fault tree generated for the adder model] Fault Tree Construction. Fault Tree Analysis (FTA) [34, 24, 30] is a safety assessment strategy which is complementary with respect to exhaustive property verification. It is a deductive, top-down method to analyze system design and robustness. It usually involve...

14 | Integrating Fault Tree Analysis with Event Ordering Information - Bozzano, Villafiorita - 2003
Citation Context: ...ilure Ordering Analysis. A further functionality of the FSAP/NuSMV-SA platform is the so-called event ordering analysis. For further information on the material of this section, we refer the reader to [5], which describes the algorithm for ordering analysis, its implementation and applications in detail. In traditional FTA, cut sets are simply flat collections (i.e., conjunctions) of events which can t...

12 | ESACS: An Integrated Methodology for Design and Safety Analysis of Complex Systems - Bozzano, Villafiorita, et al. - 2003
Citation Context: ...r not. The repository thus provides traceability capabilities and makes reuse and evolution of safety cases easier. The FSAP/NuSMV-SA platform has been and is being developed within the ESACS project [6] (Enhanced Safety Assessment for Complex Systems, see http://www.esacs.org), a European-Union-sponsored project in the area of safety analysis, involving several research institutions and leading com...

11 | Computer-assisted markov failure modeling of process control systems - Aldemir - 1987
Citation Context: ...(i.e., failure of a component to intervene), and also the ordering of events during accident propagation. Different approaches to dynamic reliability include, e.g., state transitions or Markov models [1, 29], the dynamic event tree methodology [14], and direct simulation via Monte Carlo analysis [32, 27]. Concerning ordering analysis (see Section 2.4), the work which is probably closer to ours is [14], w...

11 | Fault Tree Analysis: 10^20 Prime Implicants and Beyond - Coudert, Madre - 1993
Citation Context: ...or cut set and prime implicant computation described in Section 2.4 are based on classical procedures for minimization of boolean functions, specifically on the implicit-search procedure described in [15, 16], which is based on Binary Decision Diagrams (BDDs) [7]. This choice was quite natural, given that the NuSMV model checker makes a pervasive use of BDD data structures. The ordering analysis procedure...

8 | The reliability and safety assessment of protection systems by the use of dynamic event trees. The DYLAM-TRETA Package - Cojazzi, Meléndez, et al. - 1992
Citation Context: ... and also the ordering of events during accident propagation. Different approaches to dynamic reliability include, e.g., state transitions or Markov models [1, 29], the dynamic event tree methodology [14], and direct simulation via Monte Carlo analysis [32, 27]. Concerning ordering analysis (see Section 2.4), the work which is probably closer to ours is [14], which describes dynamic event trees as a c...

8 | A Concept Paper on Dynamic Reliability via Monte Carlo Simulation - Marseguerra, Zio, et al. - 1998
Citation Context: ...the classical event or fault tree approaches to PSA by taking into consideration the mutual interactions between the hardware components of a plant and the physical evolution of its process variables [27]. Examples of scenarios taken into consideration are, e.g., human intervention, expert judgment, the role of control/protection systems, the so-called failures on demand (i.e., failure of a component ...


6 | Markovian Reliability Analysis of Dynamic Systems - Papazoglou - 1994
Citation Context: ...(i.e., failure of a component to intervene), and also the ordering of events during accident propagation. Different approaches to dynamic reliability include, e.g., state transitions or Markov models [1, 29], the dynamic event tree methodology [14], and direct simulation via Monte Carlo analysis [32, 27]. Concerning ordering analysis (see Section 2.4), the work which is probably closer to ours is [14], w...

6 | Probabilistic Reactor Dynamics II. A Monte-Carlo Study of a Fast Reactor Transient - Smidts, Devooght - 1992
Citation Context: ...agation. Different approaches to dynamic reliability include, e.g., state transitions or Markov models [1, 29], the dynamic event tree methodology [14], and direct simulation via Monte Carlo analysis [32, 27]. Concerning ordering analysis (see Section 2.4), the work which is probably closer to ours is [14], which describes dynamic event trees as a convenient means to represent the timing and order of inte...

5 | Probabilistic dynamics: the mathematical and computing problems ahead - Devooght, Smidts - 1994
Citation Context: ...bilistic estimates to basic events and evaluating the resulting fault trees is straightforward. However, more work needs to be done in order to support more complex probabilistic dynamics (see, e.g., [17]). We also want to overcome the current limitation to permanent failures. Concerning the FSAP/NuSMV-SA platform, we are currently working on further improving user interaction (e.g., by working on pat...

5 | Models and Algorithms for Computing Minimum-Size Prime Implicants - Manquinho, Oliveira, et al. - 1998
Citation Context: ...s use of these algorithms (we refer the reader to [5] for a discussion of the related literature). Explicit-search and SAT-based techniques for computation of prime implicants are described, e.g., in [26]. We also mention [25, 33], which describe DIFTree (Dynamic Innovative Fault Tree), a methodology supporting (however, still at the manual level) fault tree construction and allowing for different kin...

5 | Automatic Fault Tree Generation - Missile Defence System Case Study - Rae - 2000
Citation Context: ...ich are more specific to the safety analysis process. [Fig. 4. A fault tree generated for the adder model] Fault Tree Construction. Fault Tree Analysis (FTA) [34, 24, 30] is a safety assessment strategy which is complementary with respect to exhaustive property verification. It is a deductive, top-down method to analyze system design and robustness. It usually involve...
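The fault tree construction described in the contexts above (inject failure modes into the model, then compute the minimal cut sets, i.e. the prime implicants, of a top-level event) can be shown end to end on a toy model. The block below is an added example, not code from the paper or from the FSAP/NuSMV-SA tool: the redundant-channel model, its three stuck-at-1 failure modes (`A_stuck`, `B_stuck`, `R_stuck`) and the top-level event "output wrong for two consecutive cycles" are all constructed for illustration, and the search is an explicit-state breadth-first reachability in Python rather than the BDD-based symbolic algorithms FSAP inherits from NuSMV2 and the Coudert-Madre implicit procedure. Failures are permanent once they occur, the same restriction the paper mentions for FSAP; the event ordering analysis of [5] is not reproduced.

```python
"""Constructed example of model-based fault tree construction (not FSAP code).

A small redundant sensing channel is encoded as a finite-state transition
system, failure modes are injected as permanent events that may occur at any
cycle, and the minimal cut sets of a top-level event are obtained by asking,
for each set of failure modes, whether the top-level event is reachable.
FSAP does this symbolically with BDDs inside NuSMV2; the explicit search
below is only viable for toy-sized models.
"""
from collections import deque
from itertools import combinations

# Hypothetical failure modes of the constructed model: stuck-at-1 faults on
# the primary channel A, the hot-standby channel B and the reference channel R.
FAILURE_MODES = ("A_stuck", "B_stuck", "R_stuck")


def transition(state, v, failed):
    """One cycle of the constructed model.

    state = (switched, wrong_streak).  A monitor compares channel A with the
    reference R; any mismatch latches a reconfiguration onto channel B.
    v is the true value of the measured quantity in this cycle.
    """
    switched, wrong_streak = state
    a = 1 if "A_stuck" in failed else v
    b = 1 if "B_stuck" in failed else v
    r = 1 if "R_stuck" in failed else v
    if a != r:
        switched = True
    out = b if switched else a
    wrong_streak = wrong_streak + 1 if out != v else 0
    return (switched, wrong_streak)


def top_event(state):
    """Top-level event: the output is wrong for two consecutive cycles."""
    return state[1] >= 2


def top_event_reachable(allowed):
    """Breadth-first reachability over (set of failed modes, model state).

    The input v is nondeterministic in {0, 1}; any not-yet-failed mode in
    `allowed` may fail in any cycle and then stays failed (permanent failure).
    """
    allowed = frozenset(allowed)
    init = (frozenset(), (False, 0))
    seen = {init}
    queue = deque([init])
    while queue:
        failed, state = queue.popleft()
        if top_event(state):
            return True
        pending = tuple(sorted(allowed - failed))
        # Any subset of the pending modes (including none) may fail now.
        for k in range(len(pending) + 1):
            for newly in combinations(pending, k):
                failed2 = failed | frozenset(newly)
                for v in (0, 1):
                    nxt = (failed2, transition(state, v, failed2))
                    if nxt not in seen:
                        seen.add(nxt)
                        queue.append(nxt)
    return False


def minimal_cut_sets(modes=FAILURE_MODES):
    """Cut sets of the top event, minimized under subset inclusion.

    Every subset of failure modes is tested with one reachability query and
    the cut sets containing no smaller cut set are kept.  Because failures
    here are monotone (a superset of a cut set is still a cut set), these
    minimal cut sets are exactly the prime implicants of the top event.
    """
    cut_sets = [frozenset(s)
                for k in range(1, len(modes) + 1)
                for s in combinations(modes, k)
                if top_event_reachable(s)]
    return sorted((s for s in cut_sets if not any(t < s for t in cut_sets)),
                  key=lambda s: (len(s), sorted(s)))


if __name__ == "__main__":
    for cs in minimal_cut_sets():
        print(" AND ".join(sorted(cs)))
```

Running the block lists three minimal cut sets of two failures each. Two of them (A and B stuck, A and R stuck) are the ones a manual FTA would write down; the third, B stuck together with R stuck, is the kind of result that is easy to miss by hand: a failed reference channel provokes a spurious reconfiguration onto a standby that is itself stuck. Adding a failure mode or changing the top-level event is a one-line change to the model, which is the point of generating the tree from the model rather than by hand.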

2 | Formal Specification and Development of a Safety-Critical Train Management System - Chiappini, Cimatti, et al. - 1999
Citation Context: ... system behaviour, are not ideal when dealing with highly complex systems. Emerging techniques like formal methods [35] are increasingly being used for the development of critical systems (see, e.g., [12, 9, 8, 21]). Formal methods allow a more thorough verification of the system's correctness with respect to the requirements, by using automated and hopefully exhaustive verification procedures. In particular, m...

2 | Industrial applications of model checking - Cimatti - 2001
Citation Context: ... system behaviour, are not ideal when dealing with highly complex systems. Emerging techniques like formal methods [35] are increasingly being used for the development of critical systems (see, e.g., [12, 9, 8, 21]). Formal methods allow a more thorough verification of the system's correctness with respect to the requirements, by using automated and hopefully exhaustive verification procedures. In particular, m...

2 | Formal Specification and Validation of a Vital Communication Protocol - Cimatti, Pieraccini, et al. - 1999
Citation Context: ... system behaviour, are not ideal when dealing with highly complex systems. Emerging techniques like formal methods [35] are increasingly being used for the development of critical systems (see, e.g., [12, 9, 8, 21]). Formal methods allow a more thorough verification of the system's correctness with respect to the requirements, by using automated and hopefully exhaustive verification procedures. In particular, m...


1 | Towards Integrated Safety Analysis and Design - Fenelon, McDermid, et al.
Citation Context: ...are applied, the information linking the design and the safety assessment phases is often carried out informally. The link between design and safety analysis may be seen as an "over the wall process" [18]. In this paper we present the FSAP/NuSMV-SA platform, which is being developed at ITC-IRST. FSAP/NuSMV-SA is based on two main components: FSAP (Formal Safety Analysis Platform), that provides a grap...