Cut Set Analysis using Behavior Trees and model checking

Formal Aspects of Computing

Abstract

Safety analysis can be labour intensive and error prone for system designers. Moreover, even a relatively minor change to a system's design can necessitate a complete reworking of the system safety analysis. This paper proposes the use of Behavior Trees and model checking to automate Cut Set Analysis (CSA): that is, the identification of combinations of component failures that can lead to hazardous system failures. We demonstrate an automated incremental approach to CSA, in which models are extended incrementally and previous results are incorporated in such a way as to significantly reduce the time and effort required for the new analysis. The approach is demonstrated on a case study concerning the hydraulic systems of the Airbus A320 aircraft.
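As an added illustration of what cut set analysis computes and what an incremental re-analysis can save, the following Python script is not code from the paper (which works on Behavior Tree models with a model checker) but an example written for this page. It uses a constructed, deliberately simplified hydraulic model with three circuits and a hazard defined as the loss of two or more of them; the component names, the circuit logic and the hazard definition are assumptions of the example. Minimal cut sets are found by brute-force enumeration of failure combinations rather than by model checking. The incremental step is a simplification of my own, not the paper's method: it assumes that the model extension (a ram air turbine backing up the blue circuit) only adds redundancy, so that every cut set of the extended model still contains a cut set of the original model, and it therefore only examines supersets of the previously found cut sets.

```python
from itertools import combinations

# Constructed toy model (an assumption of this example, not the paper's A320
# Behavior Tree model): three hydraulic circuits and their power sources.
BASE_COMPONENTS = ["eng1_pump", "eng2_pump", "yellow_elec_pump",
                   "blue_elec_pump", "ptu"]


def circuits_pressurised(failed, with_rat=False):
    """Which circuits hold pressure, given the frozenset of failed components."""
    green = "eng1_pump" not in failed
    yellow = "eng2_pump" not in failed or "yellow_elec_pump" not in failed
    blue = "blue_elec_pump" not in failed
    if with_rat and "rat" not in failed:
        blue = True                      # model extension: RAT backs up blue
    if "ptu" not in failed and (green or yellow):
        green = yellow = True            # PTU couples green and yellow
    return {"green": green, "yellow": yellow, "blue": blue}


def hazard(failed, with_rat=False):
    """Hazardous system failure (assumed for the example): two or more circuits lost."""
    lost = sum(not ok for ok in circuits_pressurised(failed, with_rat).values())
    return lost >= 2


def ext_hazard(failed):
    """Same hazard evaluated on the extended model (RAT added)."""
    return hazard(failed, with_rat=True)


class CountingHazard:
    """Wraps a hazard predicate and counts how often it is evaluated."""

    def __init__(self, predicate):
        self.predicate, self.calls = predicate, 0

    def __call__(self, failed):
        self.calls += 1
        return self.predicate(failed)


def minimal_cut_sets(components, is_hazard, candidate=None):
    """Enumerate failure combinations by increasing order and keep the minimal
    ones that trigger the hazard.  Supersets of an already found cut set are
    skipped, so every result is minimal.  `candidate` optionally prunes the
    search; it must be upward-closed and must not exclude any true cut set."""
    found = []
    for order in range(1, len(components) + 1):
        for combo in combinations(components, order):
            failed = frozenset(combo)
            if any(cs <= failed for cs in found):
                continue
            if candidate is not None and not candidate(failed):
                continue
            if is_hazard(failed):
                found.append(failed)
    return found


def incremental_cut_sets(old_components, old_cut_sets, new_components, is_hazard):
    """Re-analysis after extending the model.  Assumption (this example's, not
    the paper's): the new components only add redundancy, so every cut set of
    the extended model still contains a cut set of the old model.  Only
    supersets of the old cut sets are therefore examined."""
    def contains_old_cut_set(failed):
        return any(cs <= failed for cs in old_cut_sets)
    return minimal_cut_sets(old_components + new_components, is_hazard,
                            contains_old_cut_set)


if __name__ == "__main__":
    base_hazard = CountingHazard(hazard)
    base = minimal_cut_sets(BASE_COMPONENTS, base_hazard)
    print("base model:", [sorted(cs) for cs in base], base_hazard.calls, "checks")

    full = CountingHazard(ext_hazard)
    full_result = minimal_cut_sets(BASE_COMPONENTS + ["rat"], full)
    inc = CountingHazard(ext_hazard)
    inc_result = incremental_cut_sets(BASE_COMPONENTS, base, ["rat"], inc)
    assert set(full_result) == set(inc_result)
    print("extended model:", [sorted(cs) for cs in inc_result])
    print("full re-analysis:", full.calls, "checks; incremental:", inc.calls)
```

For the base model the script reports three minimal cut sets (orders 3, 3 and 4); after adding the RAT, the cut set that does not involve the blue circuit survives unchanged while the other two grow by the RAT failure, and the incremental run reaches the same answer with fewer hazard evaluations than a full re-enumeration. The pruning is only sound under the stated redundancy assumption; an extension that introduces a new way to lose a circuit would require a full re-analysis.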


Correspondence to Peter A. Lindsay.

Additional information

José Fiadeiro, Stefania Gnesi and Tom Maibaum

Cite this article

Lindsay, P.A., Yatapanage, N. & Winter, K. Cut Set Analysis using Behavior Trees and model checking. Form Asp Comp 24, 249–266 (2012). https://doi.org/10.1007/s00165-011-0181-8
