Model-Based Safety Assessment: How to improve

results exploitation ?

Fault tree generation from a list of minimal cutsets

Julien NIOL, Laurent SAGASPE and Jean-Pierre HECKMANN

IMBSA 2014 October 29th 2014

Aeronautical Context

• CS 25.1309: Certification Specification for large aircrafts

• Requirements any Aircraft shall comply to get Type Certificate

• AMC 25.1309: Accepted Mean of Compliance to CS 25.1309

• Examples: ARP 4754, ARP 4761, DO178C…

• ARP 4761 : Recommended Practices for Safety Assessment

• MBSA is partially covered by ARP 4761 (only as Appendix)

IMBSA 2014 2 Oct, 29th 2014

Aeronautical Context

• MBSA in aeronautics:

• AltaRica Data Flow models built with Cecilia-OCAS and derivatives

• Output: List of generated cutsets

• Major drawbacks

• The list of MCS is not directly linked to system functional architecture

• The list of MCS is hardly usable for V&V and consequently for

certification

• Solution: Transform the MCS list in fault tree, a common and widely

accepted format

• APSYS prototype tool (Sirocco)

IMBSA 2014 3 Oct, 29th 2014

Example

• Simple system with two independent channels

• Failure Condition: Loss of both channels

IMBSA 2014 4 Oct, 29th 2014

Equipment 1A Equipement 2A

Channel A

Equipment 1B Equipement 2B

Channel B

Fault Tree

• A Fault Tree is a representation of safety engineer understanding of

the dysfunctional behavior of the system

• Built from a top-down and deductive approach

IMBSA 2014 5 Oct, 29th 2014

1A 2A 1B 2B

Loss of

Channel A

Loss of

Channel B

Model construction

• Built from a bottom-up and inductive approach

• No global knowledge, only local knowledge

IMBSA 2014 6 Oct, 29th 2014

Equipment 1A Equipement 2A

Equipment 1B Equipement 2B

Minimal cutsets list

IMBSA 2014 7 Oct, 29th 2014

• Results of cutsets generation (by computer):

• 1A and 1B

• Or 1A and 2B

• Or 2A and 1B

• Or 2A and 2B

• Equivalent “fault tree”:

1A

CS1 CS2 CS3

1B 1A 2B 2A 1B

FC

CS4

2A 2B

Step 1: Factorization

• 1st step: Factorization using a binary tree

• Resulting fault tree

IMBSA 2014 8 Oct, 29th 2014

1A

1B 2B 1B 2B

FC

2A

Step 2: Pattern Recognition

• 2nd step: Identifying patterns (subtree representing intermediate

failure condition) for substitution

IMBSA 2014 9 Oct, 29th 2014

1A

1B 2B 1B 2B

FC

2A

Loss of

Channel B

Step 2: Pattern Recognition

• After substitution

• Repetitive post-processing

IMBSA 2014 10 Oct, 29th 2014

1A

FC

2A Loss of channel B Loss of channel B

Further steps

• After 2nd factorization

• After 2nd substitution

IMBSA 2014 11 Oct, 29th 2014

1A

Loss of channel B

2A Loss of

Channel A

FC

Loss of channel A Loss of channel B

Resulting fault tree

IMBSA 2014 12 Oct, 29th 2014

1A 2A 1B 2B

Loss of channel B Loss of channel A

• Expanding the reduced fault tree

Sirocco

• Currently implemented in Sirocco

• Results import as list of minimal cutsets

• Tree factorization fully automated

• Pattern recognition by manual definition: user can select an

intermediate gate to set up his pattern

IMBSA 2014 13 Oct, 29th 2014

Conclusion

• MBSA can be a powerful method, but it must be an accepted mean

of compliance to get widely used in aeronautics.

• Next step: How to automatize pattern recognition ?

IMBSA 2014 14 Oct, 29th 2014

The reproduction, distribution and utilization of this document as well as

the communication of its contents to others without express authorization

is prohibited. Offenders will be held liable for the payment of damages.

All rights reserved in the event of the grant of a patent, utility model or design.

Thank you for your attention!

IMBSA 2014 15 Oct, 29th 2014

Questions ?