A framework for model-based safety analysis of complex engineered systems


2012 May 21-24; Dubrovnik, Croatia.


Tolga Kurtoglu
Peter Bunus

A framework for model-based safety analysis of complex engineered systems

Identifying the detrimental effect of environmental factors and subsystem interactions are historically one of the most challenging aspects of early hazard assessment in the design of complex avionic systems. Therefore, a complete understanding of potential failure effects before and even after a catastrophe happens is a very difficult task. This paper proposes a model-based hazard analysis procedure for early identification of potential safety issues caused by unexpected environmental factors and subsystem interactions within a complex avionic system. The proposed methodology maps hazard and vulnerability modes to specific components in the system and analyzes the hazard propagation paths for risk control and protection strategies. Hazard and vulnerability identification is supported by the construction of a hazard-ontology for each system design problem. This hazard-ontology is created by considering the type of environment that the system is intended for and taking into account the susceptibility of the system components to environmental impacts and subsystem interactions. The proposed technique is applied to a SUV Power Subsystem using the System Modeling Language (SysML). SysML is a particularly effective in specifying system requirements, system structure, and the functional behavior of the system in the early stages of the design process. In this paper, SysML is used to capture and integrate the design and safety requirements in a hierarchical fashion from the system to the sub-systems while focusing on the functionality and structure of the system. From the taxonomy of SysML diagrams, the requirement and block definition models are used to construct safety requirements and component-connection models for identifying and investigating system functions, threats, and safeguards. The requirement diagram enables designers to construct a system and safety requirement model from a text-based safety requirement specification document, while the block definition diagram is used to connect components and define their properties, operations, relationships, hazards, vulnerabilities, and transmitted risks. Although, the analysis of the constructed block definition diagram identifies the source of hazards and susceptible components in design of the system, it does not verify safety violation. Since the threats introduced to the system by a hazard source may propagate from the source of hazard to the vulnerable components via components and connections that might mitigate the effect of this threat. Therefore, the path analyzer procedure is proposed to compare the hazard type with the specification of each component. If the component cannot mitigate the effect of the hazard, it is propagated to the next component or connection. While, if the component can eliminate the threat caused by the hazard, the proposed path analyzer deems that the specific hazard does not result in a safety violation. The proposed path analyzer is based on block definition diagram that is further transformed to a XML Metadata Interchange (XMI) file to enable quick and easy hazard path analysis through a java-based application called XMISearch. The proposed methodology helps designers of complex systems perform risk analysis in the early stages of the design and development of the system which in turns allows them to identify and mitigate hazardous interactions between subsystems.

Additional information

Focus Areas

Our work is centered around a series of Focus Areas that we believe are the future of science and technology.

Licensing & Commercialization Opportunities

We’re continually developing new technologies, many of which are available for¬†Commercialization.


PARC scientists and staffers are active members and contributors to the science and technology communities.