Model Based Safety Analysis (MBSA) Tool for Avionics Systems Evaluation

Akram Amin Abdellatif
Flight System Dynamics
Technical University of Munich
Munich, Germany
akram.abdellatif@tum.de

Florian Holzapfel
Flight System Dynamics
Technical University of Munich
Munich, Germany
florian.holzapfel@tum.de

Abstract— Model-Based Safety Analysis (MBSA) is an approach in which the design and safety engineers share a common system model created using a model-based development process. MBSA intends to act as a bridge between design engineers and safety engineers, reducing the time required to verify the safety of a newly designed system. The system model can consist of the failure behavior exclusively, or of the failure behavior along with the physical behavior of the system and its components. MBSA can be built upon qualitative methods (Boolean formalisms such as fault trees or event trees) or quantitative methods (transition systems such as Markov chains and Petri nets). Our work is based on developing a new object-oriented tool utilizing the MBSA approach. The tool utilizes various algorithms such as directional traversal algorithms, Constraint Satisfaction Problem (CSP) backtracking algorithms and Markov chains. The tool output is a definition of minimum cut sets (failure combinations which cause the total failure of the system). Unfortunately, most MBSA tools are applied and evaluated upon mechanical systems with components such as pumps and valves. Aircraft avionics systems are not always considered during the development phase. In this paper, a new library of avionics system components, such as data buses or sensors, is built according to various standards. The library is then used to model various types of related assemblies, from a subsystem such as a specific transmission system to a complete hierarchy of an avionics system. The tool is then evaluated according to the output failure modes or combinations. The results are compared to the failure combinations extracted from the classical safety analysis methods. The results will show whether the developed tool can be considered a decent replacement for the classical safety analysis methods.

Keywords—Safety analysis, Integrated Modular Avionics System, Modelling

I. INTRODUCTION

Safety analysis is one of the most critical processes, especially in aerospace applications where safety is a major issue. With the introduction of more sophisticated complex systems, classic analysis methods (such as FTA and FMEA) became unable to provide dependable results. There are various safety standards that intend to describe how an accurate safety analysis should be executed; for example the well-known ARP 4761 [1]. However, these standards are prone to errors as they depend mainly on the skills of the engineer.

Model-Based Safety Analysis (MBSA) is a recent approach which intends to close the gap between design engineers and safety engineers. The MBSA approach is defined as abstracting a physical model into a formal model consisting of the failure behavior of the system and its components. The main physical model can be extended, or an exclusive failure model may be used. The idea is to automate some of the required safety analysis with a tool, without depending solely on the skills of the engineer applying it. Several tools have already been developed, with various advantages and disadvantages.

II. RELATED WORK

HiP-HOPS

Hierarchically Performed Hazard Origin and Propagation Studies (HiP-HOPS) is a tool which enables designers to extend system physical models with component failure modes [2]. It is a plug-in tool in which the model is usually imported from a design modelling tool (such as Matlab Simulink or LabVIEW). Afterwards each component is extended with a failure behavior. The tool utilizes this information and executes a unidirectional failure propagation algorithm to produce a fault tree for the defined top event. The tool is user friendly and a model can be easily described, at the expense of high abstraction of the failure model. One main disadvantage of HiP-HOPS is that it considers only one failure direction (from input to output; no loops are allowed), which is not sufficient for the usual functionality of a physical system.

RODON

The model-based reasoning tool RODON provides a wide range of analyses focusing on failure analysis [3]. In RODON, hierarchical models describe how the system behaves. It has the capability to simulate the system behavior in nominal or failure states, perform FMEA and FTA, compute optimal designs for safety-critical systems and generate fault trees. The main disadvantage of RODON is that it lacks quantitative parameters in the analysis.

978-1-7281-9825-5/20/$31.00 ©2020 IEEE


Authorized licensed use limited to: Tsinghua University. Downloaded on December 19,2020 at 01:32:29 UTC from IEEE Xplore. Restrictions apply.
AltaRica

AltaRica is considered a formal language which is used to describe a system's behavior for the purpose of safety analysis [4]. The system model consists of nodes which are defined by states, transitions and events. The efficiency of AltaRica in executing safety analysis is rather good; however, it completely depends on the skills of the user who built the system model. AltaRica is more of a language than a tool, and building the model requires a lot of skill and is prone to errors. Thus, the accuracy of the whole analysis depends mainly on the correct description of the system model.

The safety aspect of avionics systems is usually presented using AltaRica models, as in [5] [6] [7]. This gives us the motivation to try our MBSA tool upon avionics systems and compare the results accordingly.

III. METHODOLOGY OF UTILIZED MBSA

A new methodology is introduced to give a solution with an adequate compromise between accuracy of results and automation or user-friendly options. The detailed specification and properties of the new methodology can be found in [8]. The method uses three concepts: component failure modes, directed graph traversal algorithms along with Constraint Satisfaction Problem algorithms, and event lists.

Failure modes

The system is defined as interconnected components. Each component in the system is defined by a set of parameters or models (E, I, O, F), where:

E: the reaction/behavior model of the component according to any upcoming failure event through an input or output port
I: the input ports of the component
O: the output ports of the component
F: the failure modes of the component

The component is thus not only defined by its failure modes but also by how it handles failure events happening in interconnected components.

Figure 1: Example pumping system

Directed Graph Traversal Algorithm

A graph traversal algorithm is used to find out the effects of component failures on the system. The algorithm injects failures into certain components according to defined lists, which are produced by a Constraint Satisfaction Problem (CSP) as explained in the next subsection. The algorithm traces the failure propagation through the interconnected components. The failure propagation is multi-directional and goes through all input/output ports of each component.

The failure propagation concept can be described using a simple system as in Figure 3. The system consists of a pump, a main pipe and two redundant supply lines, each with an isolation valve and a pipe. The system is required to provide pressure through either of those supply lines. Suppose a failure happens at one of the valves, for example a "stuck closed" failure. The failure is propagated through both the input and output ports: the input port should be over-pressurized if it still receives a hydraulic signal, while the output pipe will have no pressure at all. On the other hand, if one of the valves bursts and leaks, the failure will be transferred through the output pipe, causing no pressure, and will reach the main pipe through the input port, causing a complete leakage failure in the system. Thus, the leakage of one valve will cause the top event and a complete system failure.

Each component is pointed out by different markers and then listed during a failure propagation, which also prevents looping through components more than one time. Any component that prevents the propagation of a failure, in other words absorbs it, is added to the list of next-iteration components along with the source of the failure. Thus, propagation of single component failures populates the list with failure combinations for the next iterations.

This method of building failure combination lists by injecting failures has shown decent results, as in [8]; however, with increased system complexity it could not capture redundancy and did not have the capability to resolve large numbers of interconnected components. Another algorithm was required in order to capture all failure combinations to be injected into the system.
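As an added illustration (not code from the paper's tool), the following Python models the pumping system of the propagation example with the (E, I, O, F) component description and runs a multi-directional failure propagation over it. The component names, the three event kinds (no_pressure, over_pressure, leak), the per-component behavior functions and the Consumer component standing in for the two supply-line outlets are constructed assumptions; the top event is taken as loss of pressure on both lines.

```python
from collections import deque

# Constructed example, not the paper's tool: the pumping system of Figure 1 as
# (E, I, O, F) components plus a multi-directional failure propagation.
NO_PRESSURE, OVER_PRESSURE, LEAK = "no_pressure", "over_pressure", "leak"


class Component:
    """E: behavior (port, event) -> emitted [(port, event)]; I/O: ports; F: failure modes."""
    def __init__(self, name, inputs, outputs, failure_modes, behavior):
        self.name, self.I, self.O, self.F, self.E = name, inputs, outputs, failure_modes, behavior


def pass_through(port, event):
    """Pipes and healthy valves pass low pressure downstream, leaks and over-pressure upstream."""
    if port == "in" and event == NO_PRESSURE:
        return [("out", NO_PRESSURE)]
    if port == "out" and event in (LEAK, OVER_PRESSURE):
        return [("in", event)]
    return []  # anything else is absorbed here


def main_pipe(port, event):
    """A leak on any branch empties the main pipe; over-pressure on one branch is tolerated."""
    if event == LEAK:
        return [(p, NO_PRESSURE) for p in ("out1", "out2") if p != port] + [("in", LEAK)]
    if port == "in" and event == NO_PRESSURE:
        return [("out1", NO_PRESSURE), ("out2", NO_PRESSURE)]
    return []


def absorb(port, event):
    return []


VALVE_MODES = {"leak": [("in", LEAK), ("out", NO_PRESSURE)],
               "stuck_closed": [("in", OVER_PRESSURE), ("out", NO_PRESSURE)]}
PIPE_MODES = {"leak": [("in", LEAK), ("out", NO_PRESSURE)],
              "blocked": [("in", OVER_PRESSURE), ("out", NO_PRESSURE)]}
SYSTEM = {c.name: c for c in [
    Component("Pump", [], ["out"], {"stop": [("out", NO_PRESSURE)]}, absorb),
    Component("MainPipe", ["in"], ["out1", "out2"],
              {"rupture": [("in", LEAK), ("out1", NO_PRESSURE), ("out2", NO_PRESSURE)]}, main_pipe),
    Component("Valve1", ["in"], ["out"], VALVE_MODES, pass_through),
    Component("Valve2", ["in"], ["out"], VALVE_MODES, pass_through),
    Component("Pipe1", ["in"], ["out"], PIPE_MODES, pass_through),
    Component("Pipe2", ["in"], ["out"], PIPE_MODES, pass_through),
    Component("Consumer", ["in1", "in2"], [], {}, absorb),  # assumed stand-in for both outlets
]}
# Port-to-port connections, stored in both directions so failures travel either way.
LINKS = {}
for a, b in [(("Pump", "out"), ("MainPipe", "in")), (("MainPipe", "out1"), ("Valve1", "in")),
             (("Valve1", "out"), ("Pipe1", "in")), (("Pipe1", "out"), ("Consumer", "in1")),
             (("MainPipe", "out2"), ("Valve2", "in")), (("Valve2", "out"), ("Pipe2", "in")),
             (("Pipe2", "out"), ("Consumer", "in2"))]:
    LINKS[a], LINKS[b] = b, a


def propagate(source, mode):
    """Inject one failure mode and trace it through every port; returns (received, absorbed)."""
    queue = deque((source, port, ev) for port, ev in SYSTEM[source].F[mode])
    received, absorbed, visited = {}, set(), set()
    while queue:
        name, port, event = queue.popleft()
        if (name, port) not in LINKS:
            continue
        nname, nport = LINKS[(name, port)]
        if (nname, nport, event) in visited:  # marker: never re-enter a port with the same event
            continue
        visited.add((nname, nport, event))
        received.setdefault(nname, set()).add((nport, event))
        emitted = SYSTEM[nname].E(nport, event)
        if not emitted:
            absorbed.add(nname)  # candidate for the next iteration's failure combinations
        queue.extend((nname, p, e) for p, e in emitted)
    return received, absorbed


def top_event(received):
    """Complete loss of supply: the consumer sees no pressure on both redundant lines."""
    return {("in1", NO_PRESSURE), ("in2", NO_PRESSURE)} <= received.get("Consumer", set())


def analyse(source, mode):
    received, absorbed = propagate(source, mode)
    return top_event(received), sorted(absorbed)


def single_point_failures():
    """First event list: every single failure mode that alone causes the top event."""
    return sorted((n, m) for n, c in SYSTEM.items() for m in c.F if analyse(n, m)[0])


if __name__ == "__main__":
    for case in (("Valve1", "stuck_closed"), ("Valve1", "leak")):
        print(case, analyse(*case))
    print("single points of failure:", single_point_failures())
```

analyse("Valve1", "stuck_closed") reports no top event and names MainPipe and Consumer as the components that absorbed the failure, which is the set the method carries into the next iteration as candidates for two-failure combinations; analyse("Valve1", "leak") reports the top event because the leak travels back into the main pipe and empties the second line as well.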
Constraint Satisfaction Problem (CSP) Algorithm

CSP is considered a method of solving complicated search problems more efficiently [9], where problems are represented by objects whose states must satisfy several constraints or limitations. In CSPs, the entities in a problem are defined as a collection of finite constraints over variables, which can be solved by constraint satisfaction methods. Formally, a constraint satisfaction problem is defined by a set of variables X1, X2, ..., Xm, a set of domains D1, D2, ..., Dn and a set of constraints C1, C2, ..., Cp, where each variable X is defined by a non-empty domain set D of possible values to be assigned to the variable. An assignment that does not violate any constraints is called a consistent or legal assignment. A complete assignment is an assignment in which every variable in the problem is assigned a value from its domain, and a solution is a complete assignment that satisfies all the constraints.

The implemented CSP method is of the backtracking type, in which a recursive function is executed by repeatedly choosing an unassigned variable and then trying all values in the domain of that variable. If an inconsistency is detected, the algorithm backtracks, returning failure and causing the previous call to try another value. The implementation and verification of the method are further explained in [10].

Event lists

The output is structured in the form of formal lists (defined as event lists). There is a list of components which are considered single points of failure of the whole system, and likewise for the combinations of two, three, etc. All these lists are combined to form the Minimum Cut Sets list.

Integrated Modular Avionics (IMA) System

In Figure 3, a standard Integrated Modular Avionics (IMA) system is used to test the feasibility of using the MBSA tool for avionics systems. The IMA system consists of three general processing modules (GPM), three remote data concentrators (RDC) and two hosted functions (HF), all connected through two redundant AFDX networks. The data acquisition from the installed sensors (SEN) is performed by the RDCs. The GPM is responsible for data processing and calculation while the HF is responsible for data display. The role of the switch (SW) is to transfer data through the IMA system. In the system hierarchy, HF1 is the pilot unit while HF2 is the copilot unit. Sensors 3 and 4 act as backups for Sensors 1 and 2 respectively. Each RDC receives the data from the connected sensors and forwards them to the GPM, which forwards them to the HFs after data processing. The system was chosen in order to compare the tool results with the AltaRica model output when executed on the same system, as in [5].

Figure 2: Integrated Modular Avionics (IMA) System

Failure Modes of IMA Components

The failure modes for the system components are as follows:

A. Switch
• Loss of Switch
• Loss of Input Sensors
• Loss of Input Signals

B. GPM
• Loss of Output Signal
• Invalid Signal

C. Sensor
• Loss of Output Signal
• Invalid Signal

D. HF
• Loss of Power Signal
• Loss of / Invalid Control Signal
• Loss of Input Signal

In addition to the components' failure modes, the failure behavior of each component is defined in the failure model. For example, when a switch receives failed signals from all connected sensors, it will not propagate the failure as long as the other switch continues to receive valid signals from the other sensors. Thus, in case of sensor failures, HF1 will not fail until all sensors connected to all switches fail.

In order to simplify the system design for this paper, each switch is connected to one GPM and one RDC receiving the signal from one sensor. Thus, we have a symmetric redundant system. The system will be analyzed as shown in Figure 3.

Figure 3: IMA simplified design
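To make the CSP subsection, the event lists and the simplified IMA design concrete, the following Python (an added example, not the authors' tool and not the output shown in Figure 4) enumerates the failure combinations of the symmetric design with a backtracking CSP and reduces them to minimal cut sets ordered by size. The topology is an assumption made for this example: two lanes SEN→RDC→GPM→SW, HF1 attached to SW1, and the second lane reaching HF1 only through SW1. Each component variable has the domain {ok, lost}, HF1's own failure modes are left out because the failure of HF1 is the top event, and the component behavior is reduced to the single hf1_fails predicate.

```python
# Constructed example, not the paper's tool: a backtracking CSP over the simplified
# IMA design, producing event lists by order and the combined minimum cut sets.
OK, LOST = "ok", "lost"

# Assumed topology (not stated explicitly in the paper): two symmetric lanes; HF1 hangs
# off SW1, and everything arriving via SW2 must still pass SW1 to reach HF1.
LANES = [("SEN1", "RDC1", "GPM1", "SW1"), ("SEN2", "RDC2", "GPM2", "SW2")]
VARIABLES = [c for lane in LANES for c in lane]
DOMAINS = {v: (OK, LOST) for v in VARIABLES}


def hf1_fails(assignment):
    """Top-event constraint: HF1 loses its input when SW1 is lost or every lane is broken."""
    if assignment["SW1"] == LOST:
        return True
    return all(any(assignment[c] == LOST for c in lane) for lane in LANES)


def backtrack(assignment, order, max_failed, solutions):
    """Classic CSP backtracking: choose the next unassigned variable, try each domain
    value, and abandon a branch as soon as the partial assignment exceeds max_failed."""
    failed = sum(1 for v in assignment.values() if v == LOST)
    if failed > max_failed:
        return  # inconsistent partial assignment -> backtrack, caller tries the next value
    if len(assignment) == len(order):
        if hf1_fails(assignment):  # complete assignment: check the top-event constraint
            solutions.append(frozenset(v for v, s in assignment.items() if s == LOST))
        return
    var = order[len(assignment)]
    for value in DOMAINS[var]:
        assignment[var] = value
        backtrack(assignment, order, max_failed, solutions)
        del assignment[var]


def event_lists(max_order):
    """Event lists by order k: cut sets of exactly k lost components that do not contain
    a cut set already found at a lower order (so each list holds only minimal sets)."""
    lists, known = {}, []
    for k in range(1, max_order + 1):
        found = []
        backtrack({}, VARIABLES, k, found)
        minimal = sorted({s for s in found if len(s) == k and not any(m < s for m in known)},
                         key=sorted)
        known.extend(minimal)
        lists[k] = [tuple(sorted(s)) for s in minimal]
    return lists


def minimum_cut_sets(max_order=len(VARIABLES)):
    """Combine the per-order event lists into the Minimum Cut Sets list."""
    lists = event_lists(max_order)
    return [cs for k in sorted(lists) for cs in lists[k]]


if __name__ == "__main__":
    for k, cut_sets in event_lists(3).items():
        print(f"order {k}: {cut_sets}")
    print("minimum cut sets:", minimum_cut_sets())
```

With the assumed topology the order-1 list contains only SW1, the order-2 list pairs each of SEN1, RDC1, GPM1 with each of SEN2, RDC2, GPM2, SW2, and no minimal set of order three or higher exists, since any three lost components already contain one of those pairs. Swapping hf1_fails for a different behavior model is the hook that corresponds to the user customization the paper allows.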

IV. RESULTS

The tool enables a design engineer to upload an interconnected avionics system and verify the safety factor of such a system. The system is imported from Simulink, while the components' failure modes along with their behavior are present in the tool library. The top event is defined as the failure of either HF1 or HF2. According to the criticality of HF1, its failure is considered as the top event.

Figure 4: Minimum cut sets for IMA system

As seen in Figure 4, the only single point of failure in the system is the total loss of the switch (SW1), as it will prevent the reception of any signals by HF1. The loss of only one sensor will not cause a failure of HF1, as the signal will be provided by the other sensor through the switch. The same goes for the GPMs connected to the system.

V. CONCLUSION

The work in this paper presented the utilization of an automated MBSA tool [8] [10] for safety analysis of avionics systems. The regular usage of AltaRica models for avionics systems requires considerable skill for a correct model description. Thus, the accuracy of the results is highly affected by the correct system and component description. This research tries to increase the automation of such MBSA tools without any loss of accuracy in the results. An IMA system was used for validation, and it is close to the one used in [5]. The minimum cut sets were comparable with the ones resulting from AltaRica models, especially those depending on sensor/GPM redundancies connected to different switches.

The results of the tool depend on the components' failure modes and behavior, and that is why user customization is allowed. If a user wants to change or customize certain failure behavior, he/she can edit the failure modes or even define new ones. This option shall increase the reusability factor of such a method.

ACKNOWLEDGMENT

The author thanks the Technical University of Munich [TUM], Institute of Flight System Dynamics, along with the German Aerospace Center [DLR] for supervision and support.

REFERENCES

[1] ARP 4761, Guidelines and methods for conducting the safety assessment process on civil airborne systems and equipment, Vol. 12, USA: SAE International, 1996.
[2] Papadopoulos, Y., and A., M. J., "Hierarchically Performed Hazard Origin and Propagation Studies," In: Felici M., Kanoun K. (eds) Computer Safety, Reliability and Security.
[3] Lunde, K., Lunde, R., and Münker, B., "Model-based failure analysis with RODON," Frontiers in Artificial Intelligence and Applications, Vol. 141, 2006, pp. 647.
[4] Batteux, M., Prosvirnova, T., Rauzy, A., and Kloul, L., "The AltaRica 3.0 project for model-based safety assessment," 2013 11th IEEE International Conference on Industrial Informatics (INDIN), 2013.
[5] Dong, H., Gu, Q., Wang, G., Zhai, Z., Lu, Y., and Wang, M., "Availability Assessment of IMA System Based on Model-Based Safety Analysis Using AltaRica 3.0," doi:10.3390/pr7020117.
[6] Dong, H., Zhai, Z., and Lu, Y., "Availability Assessment of Avionics Display System based on Fault Dependent Matrix."
[7] Dong, H., and Zhang, F., "Research on Formal Modeling and Safety Analysis Method of Head-up Display System for Civil Aircraft Based on AltaRica," 2019 3rd International Conference on Circuits, System and Simulation.
[8] Abdellatif, A., and Holzapfel, F., "New Methodology for Model-Based Safety Analysis," IEEE Aerospace Conference, 2019.
[9] Barto, L., "The Constraint Satisfaction Problem and Universal Algebra," The Bulletin of Symbolic Logic, Vol. 21, No. 3, 2015, pp. 319–337. doi.org/10.1017/bsl.2015.25
[10] Elmeadawy, S., Abdellatif, A. A., and Holzapfel, F., "Utilization of Constraint Satisfaction Problem Algorithms in Model-Based Safety Analysis [MBSA]," AIAA Aviation Forum 2020. doi.org/10.2514/6.2020-3215