Hazard analysis is an indispensable task during the specification and development of safety-critical, technical systems, particularly, their software-intensive control parts. There is a lack of methods supporting an effective and integrated way to carry through such analyses for these systems in the context of software quality assurance. Crucial issues are to properly (i) encode safety-relevant domain knowledge, (ii) identify and assess all relevant hazards as well as (iii) preprocess this information and make it easily accessible for adjacent safety and systems engineering activities. This work contributes a framework for qualitative modelling and hazard analysis. The approach is exemplified by the investigation of a commercial road vehicle in its operational context.


Safety risks hazard analysis system modelling safety engineering requirements specification interdisciplinary control design 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Abrial, J.-R.: Train Systems. In: Butler, M., Jones, C.B., Romanovsky, A., Troubitsyna, E. (eds.) Fault-Tolerant Systems. LNCS, vol. 4157, pp. 1–36. Springer, Heidelberg (2006)Google Scholar
  2. 2.
    Baier, C., Katoen, J.-P.: Principles of Model Checking. The MIT Press (May 2008)Google Scholar
  3. 3.
    Beizer, B.: Software Testing Techniques, 2nd edn. Thomson (1990)Google Scholar
  4. 4.
    Biehl, M., DeJiu, C., Törngren, M.: Integrating safety analysis into the model-based development tool chain of automotive embedded systems. In: LCTES 2010, Stockholm, Sweden (April 2010)Google Scholar
  5. 5.
    Börcsök, J.: Funktionale Sicherheit: Grundzüge sicherheitstechnischer Systeme, 3rd edn. VDE-Verlag (May 2011)Google Scholar
  6. 6.
    Braun, P., Phillips, J., Schätz, B., Wagner, S.: Model-based safety cases for software-intensive systems. Position paper (2008)Google Scholar
  7. 7.
    Breitling, M.: Modellierung und Beschreibung von Soll/Ist-Abweichungen. In: Spies, K., Schätz, B. (eds.) FBT, pp. 35–44. Herbert Utz Verlag (1999)Google Scholar
  8. 8.
    Breitling, M.: Formale Fehlermodellierung für verteilte reaktive Systeme. Dissertation, Technische Universität München (2001)Google Scholar
  9. 9.
    Broy, M.: A functional rephrasing of the assumption/commitment specification style. Formal Methods in System Design 13(1), 87–119 (1998)CrossRefGoogle Scholar
  10. 10.
    Broy, M.: Service-oriented Systems Engineering: Specification and Design of Services and Layered Architectures – The Janus Approach. In: Broy, M. (ed.) Engineering Theories of Software Intensive Systems, pp. 47–81. Springer (2005)Google Scholar
  11. 11.
    Broy, M., Stølen, K.: Specification and Development of Interactive Systems: Focus on Streams, Interfaces, and Refinement. Springer (2001)Google Scholar
  12. 12.
    Buys, J., Clark, J.: Events and Causal Factors (ECF) Analysis. Technical Research and Analysis Center, SCIENTECH Inc. (1995)Google Scholar
  13. 13.
    Chen, D., Johansson, R., Lönn, H., Papadopoulos, Y., Sandberg, A., Törner, F., Törngren, M.: Modelling Support for Design of Safety-Critical Automotive Embedded Systems. In: Harrison, M.D., Sujan, M.-A. (eds.) SAFECOMP 2008. LNCS, vol. 5219, pp. 72–85. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  14. 14.
    Chillarege, R., Bhandari, I., Chaar, J., Halliday, M., Moebus, D., Ray, B., Wong, M.: Orthogonal defect classification – a concept for in-process measurements. IEEE Transactions on Software Engineering 18(11), 943–956 (1992)CrossRefGoogle Scholar
  15. 15.
    Cockburn, A.: Writing Effective Use Cases. Crystal Series for Software Development. Addison-Wesley Longman, Amsterdam (2000)Google Scholar
  16. 16.
    Damm, W., Peikenkamp, T.: Model-based safety analysis. Presentation Slides. Lecture series for “Model-based Development” at HU Berlin (July 2004)Google Scholar
  17. 17.
    Damm, W., Pnueli, A., Ruah, S.: Herbrand Automata for Hardware Verification. In: Sangiorgi, D., de Simone, R. (eds.) CONCUR 1998. LNCS, vol. 1466, pp. 67–83. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  18. 18.
    Das, S., Banerjee, A., Dasgupta, P.: Early analysis of critical faults: An approach to test generation from formal specifications. IEEE Trans. on CAD of Integrated Circuits and Systems 31(3), 447–451 (2012)CrossRefGoogle Scholar
  19. 19.
    Dugan, J., Bavuso, S., Boyd, M.: Dynamic fault-tree models for fault-tolerant computer systems. IEEE Transactions on Reliability 41(3), 363–377 (1992)zbMATHCrossRefGoogle Scholar
  20. 20.
    Dulac, N.: A Framework for Dynamic Safety and Risk Management Modeling in Complex Engineering Systems. PhD thesis, Massachusetts Institute of Technology, Cambridge, MA (2007)Google Scholar
  21. 21.
    Dwyer, M.B., Avrunin, G.S., Corbett, J.C.: Patterns in property specifications for finite-state verification. In: ICSE 1999, pp. 411–420 (1999),
  22. 22.
    Ericson, C.A.: Hazard Analysis Techniques for System Safety. John Wiley and Sons, Hoboken (2005)CrossRefGoogle Scholar
  23. 23.
    Forejt, V., Kwiatkowska, M., Norman, G., Parker, D.: Automated Verification Techniques for Probabilistic Systems. In: Bernardo, M., Issarny, V. (eds.) SFM 2011. LNCS, vol. 6659, pp. 53–113. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  24. 24.
    Gleirscher, M.: Hazard-based Selection of Test Cases. In: Proc. 6th ICSE Workshop on Automation of Software Test, AST 2011 (May 2011)Google Scholar
  25. 25.
    Gleirscher, M.: Ein Kaffeevollautomat – Fallstudie für modellbasierte Spezifikation zur Vorlesung “Requirements Engineering” im Sommersemester 2011. Technical Report I-125, Technische Universität München (May 2012) (in German)Google Scholar
  26. 26.
    Goddard, P.L.: Software FMEA Techniques. In: Proc. Ann. Reliability and Maintainability Symposium (RAMS), pp. 118–123. IEEE (2000)Google Scholar
  27. 27.
    Hopkins, A.: Lessons from Longford: The Esso Gas Plant Explosion. CCH, Sydney (2000)Google Scholar
  28. 28.
    Howden, W.: Weak mutation testing and completeness of test sets. IEEE Transactions on Software Engineering (4), 371–379 (1982)Google Scholar
  29. 29.
    Illes, T., Paech, B.: An analysis of use case based testing approaches based on a defect taxonomy. Software Engineering Techniques: Design for Quality, 211–222 (2007)Google Scholar
  30. 30.
    Jackson, M.: Problem Frames: Analysing & Structuring Software Development Problems. Addison-Wesley (2001)Google Scholar
  31. 31.
    Johnsen, S.O., Bjørkli, C., Steiro, T., Fartum, H., Haukenes, H., Ramberg, J., Skriver, J.: CRIOP: A scenario method for Crisis Intervention and Operability analysis. Technical Report A4312, SINTEF, Trondheim, Norway (March 2011)Google Scholar
  32. 32.
    Kelly, T.P.: Arguing Safety – A Systematic Approach to Safety Case Management. PhD thesis, University of York, Dept. of Computer Science (1998)Google Scholar
  33. 33.
    Kumamoto, H., Henley, E.J.: Probabilistic risk assessment and management for engineers and scientists, 2nd edn. John Wiley and Sons, New York (2000)CrossRefGoogle Scholar
  34. 34.
    Lamport, L.: Specifying Systems. Addison Wesley (2002)Google Scholar
  35. 35.
    Leszak, M., Perry, D., Stoll, D.: A case study in root cause defect analysis. In: Proc. International Conference on Software Engineering (ICSE), pp. 428–437. IEEE (2000)Google Scholar
  36. 36.
    Leveson, N.: A new accident model for engineering safer systems. Safety Science 42(4), 237–270 (2004)CrossRefGoogle Scholar
  37. 37.
    Leveson, N.G.: Engineering a Safer World: Systems Thinking Applied to Safety. Engineering Systems. MIT Press (January 2012)Google Scholar
  38. 38.
    McDermid, J.: Software Safety: Where’s the Evidence?. In: Australian Workshop on Industrial Experience with Safety Critical Systems and Software (2001)Google Scholar
  39. 39.
    Mehrpouyan, H.: Model-based hazard analysis of undesirable environmental and components interaction. Master’s thesis, Linköpings universitet (2011)Google Scholar
  40. 40.
    Papadopoulos, Y., Maruhn, M.: Model-based synthesis of fault trees from matlab-simulink models. In: International Conference on Dependable Systems and Networks (DSN), pp. 77–82 (2001)Google Scholar
  41. 41.
    Papadopoulos, Y., McDermid, J.A.: Hierarchically Performed Hazard Origin and Propagation Studies. In: Felici, M., Kanoun, K., Pasquini, A. (eds.) SAFECOMP 1999. LNCS, vol. 1698, pp. 139–152. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  42. 42.
    Papadopoulos, Y., McDermid, J.A., Sasse, R., Heiner, G.: Analysis and synthesis of the behaviour of complex programmable electronic systems in conditions of failure. Reliability Engineering and System Safety 71(3), 229–247 (2001)CrossRefGoogle Scholar
  43. 43.
    Parnas, D., Madey, J.: Functional Documentation for Computer Systems. Science of Computer Programming 25, 41–61 (1995)CrossRefGoogle Scholar
  44. 44.
    Pister, M.: Integration formaler Fehlereinflussanalyse in die Funktionsentwicklung bei der Automobilindustrie. Dissertation, Technische Universität München (2008)Google Scholar
  45. 45.
    Rasmussen, J.: Risk management in a dynamic society: a modelling problem. Safety Science 27(23), 183–213 (1997)CrossRefGoogle Scholar
  46. 46.
    Rasmussen, J.: The concept of human error: Is it useful for the design of safe systems? Safety Science Monitor 3 (Special Edition), 1–3 (1999)Google Scholar
  47. 47.
    Shappell, S., Wiegmann, D.: The human factors analysis and classification system – HFACS. Technical Report DOT/FAA/AM-00/7, Office of Aviation Medicine, Civil Aeromedical Institute, Oklahoma City, OK (2000)Google Scholar
  48. 48.
    Snooke, N., Price, C.: Model-driven Automated Software FMEA. In: Ann. Proc. Reliability and Maintainability Symp. (RAMS), pp. 1–6. IEEE (2011)Google Scholar
  49. 49.
    Stringfellow, M.V.: Accident Analysis And Hazard Analysis For Human And Organizational Factors. PhD thesis, Massachusetts Institute of Technology (2010)Google Scholar
  50. 50.
    Struss, P., Fraracci, A.: FMEA of a Braking System – A Kingdom for a Qualitative Valve Model. In: 25th Intl. Workshop on Qualitative Reasoning, Barcelona, Spain (2011)Google Scholar
  51. 51.
    Svedung, I., Rasmussen, J.: Graphic representation of accident scenarios: Mapping system structure and the causation of accidents. Safety Science 40, 397–417 (2002)CrossRefGoogle Scholar
  52. 52.
    Tietjen, T., Müller, D.H.: FMEA Praxis: Das Komplettpaket für Training und Anwendung, 3rd edn. Hanser (2011)Google Scholar
  53. 53.
    Van Lamsweerde, A.: Requirements Engineering: From System Goals to UML Models to Software Specifications. Wiley (2009)Google Scholar
  54. 54.
    Wagner, S.: Defect classification and defect types revisited. In: Proc. Workshop on Defects in Large Software Systems (DEFECTS 2008), pp. 39–40. ACM, New York (2008)CrossRefGoogle Scholar
  55. 55.
    Watson, G.S., Leadbetter, M.R.: Hazard analysis. I. Biometrika 51(1-2), 175 (1964)MathSciNetzbMATHCrossRefGoogle Scholar
  56. 56.
    Wikipedia. Internationale Bewertungsskala für nukleare Ereignisse — Wikipedia, Die freie Enzyklopädie (June 27, 2012)Google Scholar
  57. 57.
    Winter, S., Winter, S., Sârbu, C., Suri, N., Murphy, B.: The impact of fault models on software robustness evaluations. In: Taylor, R.N., Gall, H., Medvidovic, N. (eds.) ICSE, pp. 51–60. ACM Press, New York (2011)Google Scholar
  58. 58.
    World Health Organization (WHO). International Classification for Patient Safety (ICPS) (June 27, 2012),
  59. 59.
    Wu, B.-G., Tang, R.-Z.: Study on Software FMEA Techniques. Mechanical & Electrical Engineering Magazine 21(3) (March 2004)Google Scholar
  60. 60.
    Zhang, H., Li, W., Chen, W.: Model-based hazard analysis method on automotive programmable electronic system. In: 3rd Intl. Conf. on Biomedical Engineering and Informatics, BMEI (2010)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Mario Gleirscher
    • 1
  1. 1.Institut für InformatikTechnische Universität MünchenGermany

Personalised recommendations