Dynamic SM-based Safety Analysis Clause Samples

Dynamic SM-based Safety Analysis. State Machines (SMs) have become a prevalent paradigm for the description of dynamic systems. Such models are well-suited to representing the behaviour of complex systems, including in conditions of failure, and where the order in which failures and fault events occur can affect the overall outcome (e.g. total failure of the system). For the safety assessment though, the SM failure behavioural models need to be converted to analysis models like Generalised Stochastic Petri Nets (GSPNs), Markov Chains (MCs) or Fault Trees (FTs). For instance, the conversion of SMs to GSPNs was proposed for use with AADL in [23] — AADL error models are effectively state automata showing e.g. transitions from normal to degraded and failed states [24]. Yet in this approach, it can be problematic to perform qualitative analysis, i.e. establishment of full causal relationships between causes and effects of failure, as in traditional analysis methods like FMEA. Qualitative analysis is particularly important when probabilistic data are not available, e.g. at early stages of design; decisions made at these early stages can be critical for determining the future shape of the system, and so it is important that safety can be taken into account at all stages of the design process. An alternative approach involves conversion of SMs to fault trees, e.g. as applied to AADL models [25] and to Altarica descriptions of systems [26]. Fault trees are logical networks of events that show how combinations of failures can cause a given system failure and are ideally suited for qualitative analysis. However, there are difficulties with this type of conversion; in particular, the temporal semantics of SMs (which are dynamic models) are lost in the translation to combinatorial fault trees (which are static models), and this can potentially cause serious errors/inaccuracies (e.g. when the sequencing of faults affects the outcome). 
There have been some efforts made to work around this issue; for example, in [26], NOT gates were incorporated into the conversion to fault trees to indicate that some events did not occur. Although this prevents a conjunction of two mutually exclusive SM paths occurring as an analysis result, it still cannot distinguish between paths that differ only in sequence – e.g. two faults which lead the system into two mutually exclusive states depending on which fault occurred first. To remedy the problem of converting dynamic models to static fault trees, an approach which consi...
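The loss of temporal semantics described in the two paragraphs above is easiest to see on a concrete model. The following is an added example, not code from the paper or from any of the cited tools: a small constructed state machine in which the same two fault events lead to mutually exclusive states depending on their order, played through (a) a dynamic, order-preserving analysis, (b) a naive static cut-set abstraction, and (c) a NOT-gate-style static translation in the spirit of the approach attributed to [26]. All state and event names (`pump_fail`, `sensor_fail`, `maint_lock`, `LossOfFlow`, ...) are assumptions made for illustration.

```python
"""Added example: order-dependent failure behaviour in a small SM, and what a
static (fault-tree-style) translation does and does not preserve.
All states, events and transitions below are constructed for illustration."""
from collections import deque
from itertools import permutations

# Constructed SM of a pump with a hot backup and a flow sensor.
#  pump_fail then sensor_fail: switchover already happened -> DegradedOnBackup.
#  sensor_fail then pump_fail: controller is blind, no switchover -> LossOfFlow.
#  maint_lock from any operating state -> Locked (mutually exclusive path).
TRANSITIONS = {
    ("Normal", "pump_fail"): "OnBackup",
    ("Normal", "sensor_fail"): "BlindNormal",
    ("Normal", "maint_lock"): "Locked",
    ("OnBackup", "sensor_fail"): "DegradedOnBackup",
    ("OnBackup", "maint_lock"): "Locked",
    ("BlindNormal", "pump_fail"): "LossOfFlow",
    ("BlindNormal", "maint_lock"): "Locked",
}
INITIAL = "Normal"
FAULTS = ("pump_fail", "sensor_fail", "maint_lock")


def run(sequence, transitions=TRANSITIONS, initial=INITIAL):
    """Play an ordered event sequence through the SM. An event with no
    enabled transition from the current state is ignored (no effect)."""
    state = initial
    for ev in sequence:
        state = transitions.get((state, ev), state)
    return state


def minimal_sequences(target, faults=FAULTS):
    """Dynamic analysis: ordered fault sequences that reach `target` and have
    no proper prefix that already reaches it. Order is preserved (tuples)."""
    out = []
    for r in range(1, len(faults) + 1):
        for seq in permutations(faults, r):
            if run(seq) != target:
                continue
            if any(run(seq[:k]) == target for k in range(1, r)):
                continue
            out.append(seq)
    return out


def static_cut_sets(target, faults=FAULTS):
    """Naive SM-to-fault-tree abstraction: each sequence collapses to the SET
    of its events. Two targets reached by the same events in different
    orders become indistinguishable here."""
    return {frozenset(seq) for seq in minimal_sequences(target, faults)}


def shortest_path(target, transitions=TRANSITIONS, initial=INITIAL):
    """Breadth-first search for the shortest path initial -> target, returned
    as a list of (state, event) steps (dict order makes this deterministic)."""
    queue, seen = deque([(initial, [])]), {initial}
    while queue:
        state, path = queue.popleft()
        if state == target:
            return path
        for (s, ev), nxt in transitions.items():
            if s == state and nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [(state, ev)]))
    return None


def not_gate_tree(target, transitions=TRANSITIONS):
    """NOT-gate-style static translation (constructed approximation of the
    idea in [26]): AND over the events on the path to `target`, NOT over the
    events that would divert the system off that path at any state along it.
    An event that is both required and diverting (only its ORDER decides)
    cannot be expressed with a NOT gate and is reported under 'conflict'."""
    path = shortest_path(target, transitions)
    required = {ev for _, ev in path}
    diverting = {e for state, ev in path
                 for (s, e) in transitions if s == state and e != ev}
    return {"and": frozenset(required),
            "not": frozenset(diverting - required),
            "conflict": frozenset(diverting & required)}


if __name__ == "__main__":
    for target in ("LossOfFlow", "DegradedOnBackup", "Locked"):
        print(target)
        print("  dynamic :", minimal_sequences(target))
        print("  static  :", [sorted(s) for s in static_cut_sets(target)])
        print("  NOT-gate:", not_gate_tree(target))
```

Running the block shows the point of the passage directly: the dynamic analysis gives `('sensor_fail', 'pump_fail')` for `LossOfFlow` and `('pump_fail', 'sensor_fail')` for `DegradedOnBackup`, while the static cut set for both is the single set `{pump_fail, sensor_fail}`. The NOT-gate translation does separate the `Locked` path (`maint_lock` AND NOT the other events) from the two operational paths, but `LossOfFlow` and `DegradedOnBackup` still receive the identical expression `pump_fail AND sensor_fail AND NOT maint_lock`; the event whose order decides the outcome shows up only as an inexpressible `conflict`.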