Formal Safety Assessment via Contract-Based Design

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8837)


Safety Assessment (SA) is an engineering discipline aiming at the analysis of systems under faults. According to industrial practice and standards, SA is based on the construction of complex artifacts such as Fault Trees, which describe how certain faults may cause some top-level events. SA is intended to mirror the hierarchical design of the system focusing on the safety aspects.

In this paper, we propose a formal approach where the nominal specification of a hierarchically decomposed system is automatically extended to encompass faults. The approach is based on a contract-based design paradigm, where components at different levels of abstraction are characterized in terms of the properties that they have to guarantee and the assumptions that must be satisfied by their environment. The framework has several distinguishing features. First, the extension is fully automated, and requires no human intervention, based on the idea that intermediate events are failures to fulfill the contracts. Second, it can be applied stepwise, and provides feedback in the early phases of the design process. Finally, it efficiently produces hierarchically organized fault trees.
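As an added illustration of the idea (not the paper's formalism or tool; a simplified single-step boolean setting with a constructed brake-system decomposition): each component carries a contract, the intermediate event at every level is "component fails to fulfill its contract", and the fault tree is generated level by level from the decomposition, so redundancy among children shows up as an AND gate without any hand-written tree.

```python
from dataclasses import dataclass, field
from itertools import combinations
from typing import Callable, Dict, FrozenSet, List

@dataclass
class Component:
    """Component with a contract; `violated(events)` says whether the guarantee
    is broken given the active lower-level events (child failures, or basic
    faults for a leaf). The component's own assumption is taken to hold."""
    name: str
    violated: Callable[[FrozenSet[str]], bool]
    children: List["Component"] = field(default_factory=list)
    basic_faults: List[str] = field(default_factory=list)

    def fail_event(self) -> str:
        return f"{self.name} fails its contract"  # intermediate event

def minimal_cut_sets(comp: Component) -> List[FrozenSet[str]]:
    """Minimal sets of lower-level events violating comp's guarantee (exhaustive)."""
    events = [c.fail_event() for c in comp.children] + comp.basic_faults
    cuts: List[FrozenSet[str]] = []
    for k in range(1, len(events) + 1):
        for combo in combinations(events, k):
            s = frozenset(combo)
            if any(c <= s for c in cuts):  # superset of a cut: not minimal
                continue
            if comp.violated(s):
                cuts.append(s)
    return cuts

def fault_tree(comp: Component) -> Dict:
    """OR over minimal cut sets (each an AND); child failures get own subtrees."""
    return {"event": comp.fail_event(),
            "or": [sorted(c) for c in minimal_cut_sets(comp)],
            "subtrees": {c.fail_event(): fault_tree(c) for c in comp.children}}

# Constructed brake-system decomposition (illustrative, not from the paper).
pedal = Component("Pedal unit", lambda s: {"sensor_A_dead", "sensor_B_dead"} <= s,
                  basic_faults=["sensor_A_dead", "sensor_B_dead"])  # redundant
line = Component("Hydraulic line", lambda s: "line_rupture" in s,
                 basic_faults=["line_rupture"])
front = Component("Front actuator", lambda s: "front_valve_stuck" in s,
                  basic_faults=["front_valve_stuck"])
rear = Component("Rear actuator", lambda s: "rear_valve_stuck" in s,
                 basic_faults=["rear_valve_stuck"])
# System guarantee survives loss of one actuator, not of pedal unit or line.
brakes = Component("Brake system",
    lambda s: pedal.fail_event() in s or line.fail_event() in s
              or {front.fail_event(), rear.fail_event()} <= s,
    children=[pedal, line, front, rear])
```

`fault_tree(brakes)` yields the top event with three minimal cut sets (pedal failure, line failure, or both actuators failing) and, one level down, the leaf trees whose basic events are the injected faults.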


Keywords: Model Check, Safety Assessment, Fault Tree, Brake System, Fault Injection





Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

Fondazione Bruno Kessler, Trento, Italy
