Formal Aspects of Computing

, Volume 24, Issue 2, pp 249–266 | Cite as

Cut Set Analysis using Behavior Trees and model checking

  • Peter A. Lindsay
  • Nisansala Yatapanage
  • Kirsten Winter
Original Article


Safety analysis can be labour intensive and error prone for system designers. Moreover, even a relatively minor change to a system’s design can necessitate a complete reworking of the system safety analysis. This paper proposes the use of Behavior Trees and model checking to automate Cut Set Analysis (CSA) : that is, the identification of combinations of component failures that can lead to hazardous system failures. We demonstrate an automated incremental approach to CSA, in which models are extended incrementally and previous results incorporated in such a way as to significantly reduce the time and effort required for the new analysis. The approach is demonstrated on a case study concerning the hydraulics systems for the Airbus A320 aircraft.


Formal modelling Cut Set Analysis Automated failureanalysis Model checking Safety requirements FTA Behavior Trees 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. BAB+98.
    Bahill AT, Alford M, Bharathan K, Clymer JR, Dean DL, Duke J, Hill G, LaBudde EV, Taipale EJ, Wymore AW (1998) The design-methods comparison project. IEEE Trans Syst Man Cybern Part C Appl Rev 28(1): 80–103CrossRefGoogle Scholar
  2. BCC+03.
    Bozzano M, Cavallo A, Cifaldi M, Valacca L, Villafiorita A (2003) Improving safety assessment of complex systems: An industrial case study. In: Araki K, Gnesi S, Mandrioli D (eds) Proc. Int. Symp. of Formal Methods Europe (FME). LNCS, vol 2805. Springer, Heidelberg, pp 208–222Google Scholar
  3. BCS02.
    Bieber P, Castel C, Seguin C (2002) Combination of fault tree analysis and model checking for safety assessment of complex system. In: Grandoni F (ed) Proc. 4th European Dependable Computing Conference (EDCC). LNCS, vol 2485. Springer, Berlin, pp 19–31Google Scholar
  4. BKPS07.
    Broy M, Kruger IH, Pretschner A, Salzmann C (2007) Engineering automotive software. Proc IEEE 95(2): 356–373CrossRefGoogle Scholar
  5. BV03.
    Bozzano M, Villafiorita A (2003) Improving system reliability via model checking: the FSAP/NuSMV-SA safety analysis platform. In: Proc. Int. Conf. on Computer Safety, Reliability, and Security (SAFECOMP). LNCS, vol 2788. Springer, Berlin, pp 49–62Google Scholar
  6. BV07.
    Bozzano M, Villafiorita A (2007) The FSAP/NuSMV-SA safety analysis platform. Int J Softw Tools Technol Transf (STTT) 9: 5–24CrossRefGoogle Scholar
  7. CCGR99.
    Cimatti A, Clarke E, Giunchiglia F, Roveri M (1999) NuSMV: A new symbolic model verifier. In: Proc. Int. Conf. on Computer Aided Verfication (CAV). LNCS, vol 1633. Springer, Berlin, pp 495–499Google Scholar
  8. CG01.
    Cichocki T, Górski J (2001) Formal support for fault modelling and analysis. In: Voges U (ed) Proc. Int. Conf. on Computer Safety, Reliability and Security (SAFECOMP). LNCS, vol 2187. Springer, Berlin, pp 190–199Google Scholar
  9. CGMZ95.
    Clarke EM, Grumberg O, McMillan KL, Zhao X (1995) Efficient generation of counterexamples and witnesses in symbolic model checking. In: Proc. 32nd ACM/IEEE Design Automation Conference (DAC). ACM, New York, pp 427–432.Google Scholar
  10. CGP00.
    Clarke E, Grumberg O, Peled D (2000) Model checking. MIT Press, CambridgeGoogle Scholar
  11. CM01.
    Conmy P, McDermid J (2001) High level failure analysis for Integrated Modular Avionics. In: Proc. 6th Australian Workshop on Safety Critical Systems and Software (SCS), Australian Computer Society, Sydney, pp 13–21Google Scholar
  12. CSY+03.
    Cha S, Son H, Yoo J, Jee E, Seong PH (2003) Systematic evaluation of fault trees using real-time model checker UPPAAL. Reliab Eng Syst Saf 82(1): 11–20CrossRefGoogle Scholar
  13. dMOR+04.
    de Moura L, Owre S, Rueß H, Rushby J, Shankar N, Sorea M, Tiwari A (2004) SAL 2. In: Rajeev Alur and Doron Peled (eds) Proc. Int. Conf. on Computer-Aided Verification (CAV 2004). LNCS, vol 3114. Springer, Berlin, pp 496–500Google Scholar
  14. Dro03.
    Dromey RG (2003) From requirements to design: Formalizing the key steps. In: Proc. 1st Int. Conf. on Software Engineering and Formal Methods (SEFM), IEEE Computer Society, Washington, pp 2–13Google Scholar
  15. Dro05.
    Dromey RG (2005) Genetic design: Amplifying our ability to deal with requirements complexity. In: Scenarios: Models, Transformations and Tools. LNCS, vol 3466. Springer, Berlin, pp 95–108Google Scholar
  16. Dro06.
    Dromey RG (2006) Climbing over the “no silver bullet” brick wall. IEEE Softw 23(120): 118–119Google Scholar
  17. Eme90.
    Emerson EA (1990) Temporal and modal logic. In: Leeuwen J (eds) Handbook of Theoretical Coomputer Science, vol B. Elsevier Science Publishers, AmsterdamGoogle Scholar
  18. FMNP94.
    Fenelon P, McDermid JA, Nicholson M, Pumfrey DJ (1994) Towards integrated safety analysis and design. ACM Comput Rev 2(1): 21–32Google Scholar
  19. Gas07.
    Gasser P-M (2007) A320 hydraulics.
  20. GLYW05.
    Grunske L, Lindsay PA, Yatapanage N, Winter K (2005) An automated failure mode and effect analysis based on high-level design specification with Behavior Trees. In: Judi Romijn, Graeme Smith, and Jaco van de Pol (eds) Proc. of Int Conf. on Integrated Formal Methods (IFM 2005). LNCS, vol 3771. Springer, Berlin, pp 129–149Google Scholar
  21. HCW05.
    Heimdahl MPE, Choi Y, Whalen MW (2005) Deviation analysis: a new use of model checking. Autom Softw Eng 12(3): 321–347CrossRefGoogle Scholar
  22. HKL+98.
    Heitmeyer C, Kirby James, Labaw Bruce, Archer Myla, Bharadwaj Ramesh (1998) Using abstraction and model checking to detect safety violations in requirements specifications. IEEE Trans Softw Eng 24(11): 927–947CrossRefGoogle Scholar
  23. HNT05.
    Jerker H, Simin N-T (2005) Formal verification of fault tolerance in safety-critical reconfigurable modules. Int J Softw Tools Technol Transfer 7: 268–279CrossRefGoogle Scholar
  24. Lev95.
    Leveson NG (1995) Safeware: system safety and computers. Addison-Wesley, BostonGoogle Scholar
  25. Lin10.
    Lindsay PA (2010) Behavior trees: from systems engineering to software engineering. In: Proc. Software Eng. and Formal Methods (SEFM), Pisa. IEEE Computer Society, Washington, pp 21–30Google Scholar
  26. LWY10.
    Lindsay PA, Winter K, Yatapanage N (2010) Safety assessment using Behavior Trees and model checking. In: Proc. Software Eng. and Formal Methods (SEFM), Pisa. IEEE Computer Society, Washington, pp 181–190Google Scholar
  27. LWY11.
    Lindsay P, Winter K, Yatapanage N (2011) The A320 hydraulics case study.
  28. Mer11.
    Meriweather J (2011) A320 hydraulic and fuel controls.
  29. OS07.
    Ortmeier F, Schellhorn G (2007) Formal Fault Tree Analysis—practical experiences. Electronic Notes in Theoretical Computer Science, 185:139–151, 2007. Proc. 6th Int. Workshop on Automated Verification of Critical Systems (AVoCS 2006)Google Scholar
  30. OTSR04.
    Ortmeier F, Thums A, Schellhorn G, Reif W (2004) Combining formal methods and safety analysis: The ForMoSA approach. In: Integration of Software Specification Techniques for Applications in Engineering. Lecture Notes in Computer Science, vol 3147. Springer, Berlin, pp 474–493Google Scholar
  31. PM01.
    Papadopoulos Y, Maruhn M (2001) Model-based synthesis of fault trees from Matlab-Simulink models. In: Proc. Int. Conf. on Dependable Systems and Networks (DSN 2001). IEEE Computer Society, Washington, pp 77–82Google Scholar
  32. Pow07.
    Powell D (2007) Requirements evaluation using Behavior Trees—findings from industry. In: Industry track of Australian Software Engineering Conference (ASWEC).
  33. Rau02.
    Rauzy A (2002) Mode automata and their compilation into fault trees. Reliab Eng Syst Saf 78(1): 1–12MathSciNetCrossRefGoogle Scholar
  34. RD97.
    Rauzy A, Dutuit Y (1997) Exact and truncated computations of prime implicants of coherent and non-coherent fault trees within Aralia. Reliab Eng Syst Saf 58(2): 127–144CrossRefGoogle Scholar
  35. RL97.
    Reese JD, Leveson NG (1997) Software deviation analysis. In: Proc. 19th Int. Conf. on Software Engineering (ICSE). ACM Press, New York, pp 250–261Google Scholar
  36. RL04.
    Rae A, Lindsay P (2004) A behaviour-based method for fault tree generation. In: Int. System Safety Conference, System Safety Society, VA, pp 289–298Google Scholar
  37. Soc96a.
    Society for Automotive Engineers (1996) Certification considerations for highly-integrated or complex aircraft systems. Aerospace Recommended Practice ARP 4754Google Scholar
  38. Soc96b.
    Society for Automotive Engineers (1996) Guidelines and methods for conducting the safety assessment process on civil airborne systems and equipment. Aerospace Recommended Practice ARP 4761Google Scholar
  39. Sto96.
    Storey N (1996) Safety-critical computer systems. Addison-Wesley, BostonGoogle Scholar
  40. Ves02.
    Vesely W et al (2002) Fault Tree Handbook with Aerospace Applications. NASA,
  41. WD04.
    Wen L, Dromey RG (2004) From requirements change to design change: a formal path. In: Proc. 2nd Int. Conf. on Software Engineering and Formal Methods (SEFM). IEEE Computer Society, Washington, pp 104–113Google Scholar
  42. Yeh98.
    Yeh YC (1998) Design considerations in Boeing 777 fly-by-wire computers. In: Proc. 3rd Int. High-Assurance Systems Engineering (HASE) Symposium, IEEE, Washington, pp 64–72Google Scholar

Copyright information

© British Computer Society 2011

Authors and Affiliations

  • Peter A. Lindsay
    • 1
  • Nisansala Yatapanage
    • 2
  • Kirsten Winter
    • 1
  1. 1.School of IT&EEThe University of QueenslandBrisbaneAustralia
  2. 2.Institute for Integrated and Intelligent SystemsGriffith UniversityNathanAustralia

Personalised recommendations