model-based safety assessment: how to ... - ag cse ovgu · fault tree • a fault tree is a...
TRANSCRIPT
Model-Based Safety Assessment: How to improve
results exploitation ?
Fault tree generation from a list of minimal cutsets
Julien NIOL, Laurent SAGASPE and Jean-Pierre HECKMANN
IMBSA 2014 October 29th 2014
Aeronautical Context
• CS 25.1309: Certification Specification for large aircrafts
• Requirements any Aircraft shall comply to get Type Certificate
• AMC 25.1309: Accepted Mean of Compliance to CS 25.1309
• Examples: ARP 4754, ARP 4761, DO178C…
• ARP 4761 : Recommended Practices for Safety Assessment
• MBSA is partially covered by ARP 4761 (only as Appendix)
IMBSA 2014 2 Oct, 29th 2014
Aeronautical Context
• MBSA in aeronautics:
• AltaRica Data Flow models built with Cecilia-OCAS and derivatives
• Output: List of generated cutsets
• Major drawbacks
• The list of MCS is not directly linked to system functional architecture
• The list of MCS is hardly usable for V&V and consequently for
certification
• Solution: Transform the MCS list in fault tree, a common and widely
accepted format
• APSYS prototype tool (Sirocco)
IMBSA 2014 3 Oct, 29th 2014
Example
• Simple system with two independent channels
• Failure Condition: Loss of both channels
IMBSA 2014 4 Oct, 29th 2014
Equipment 1A Equipement 2A
Channel A
Equipment 1B Equipement 2B
Channel B
Fault Tree
• A Fault Tree is a representation of safety engineer understanding of
the dysfunctional behavior of the system
• Built from a top-down and deductive approach
IMBSA 2014 5 Oct, 29th 2014
1A 2A 1B 2B
Loss of
Channel A
Loss of
Channel B
Model construction
• Built from a bottom-up and inductive approach
• No global knowledge, only local knowledge
IMBSA 2014 6 Oct, 29th 2014
Equipment 1A Equipement 2A
Equipment 1B Equipement 2B
Minimal cutsets list
IMBSA 2014 7 Oct, 29th 2014
• Results of cutsets generation (by computer):
• 1A and 1B
• Or 1A and 2B
• Or 2A and 1B
• Or 2A and 2B
• Equivalent “fault tree”:
1A
CS1 CS2 CS3
1B 1A 2B 2A 1B
FC
CS4
2A 2B
Step 1: Factorization
• 1st step: Factorization using a binary tree
• Resulting fault tree
IMBSA 2014 8 Oct, 29th 2014
1A
1B 2B 1B 2B
FC
2A
Step 2: Pattern Recognition
• 2nd step: Identifying patterns (subtree representing intermediate
failure condition) for substitution
IMBSA 2014 9 Oct, 29th 2014
1A
1B 2B 1B 2B
FC
2A
Loss of
Channel B
Step 2: Pattern Recognition
• After substitution
• Repetitive post-processing
IMBSA 2014 10 Oct, 29th 2014
1A
FC
2A Loss of channel B Loss of channel B
Further steps
• After 2nd factorization
• After 2nd substitution
IMBSA 2014 11 Oct, 29th 2014
1A
Loss of channel B
2A Loss of
Channel A
FC
Loss of channel A Loss of channel B
Resulting fault tree
IMBSA 2014 12 Oct, 29th 2014
1A 2A 1B 2B
Loss of channel B Loss of channel A
• Expanding the reduced fault tree
Sirocco
• Currently implemented in Sirocco
• Results import as list of minimal cutsets
• Tree factorization fully automated
• Pattern recognition by manual definition: user can select an
intermediate gate to set up his pattern
IMBSA 2014 13 Oct, 29th 2014
Conclusion
• MBSA can be a powerful method, but it must be an accepted mean
of compliance to get widely used in aeronautics.
• Next step: How to automatize pattern recognition ?
IMBSA 2014 14 Oct, 29th 2014
The reproduction, distribution and utilization of this document as well as
the communication of its contents to others without express authorization
is prohibited. Offenders will be held liable for the payment of damages.
All rights reserved in the event of the grant of a patent, utility model or design.
Thank you for your attention!
IMBSA 2014 15 Oct, 29th 2014
Questions ?