Variance-based Sensitivity Analysis for Probabilistic Risk Assessment
ABSTRACT. Throughout the safety assessment process of a critical system, the probability of system failure within its mission time is one of the most crucial reliability indicators. Based on this indicator, safety-related design and certification decisions are made. Various types of models propose solutions to compute this probability of failure. However, there are always some epistemic uncertainties on the behavior of the system components, leading to some variance of the computed probability of failure regardless of the model. We consider here the epistemic uncertainty on the input distribution parameters and analyse their impact on the failure probability with variance-based sensitivity indices. For that purpose, we develop a multiple importance sampling estimate to evaluate these indices at a low computational cost in this safety context. We apply this methodology on different AltaRica 3.0 use cases and illustrate the efficiency and limits of the proposed sensitivity analysis.
Causal Bayesian Networks for Data-driven Safety Analysis of Complex Systems
ABSTRACT. Ensuring safe operation of safety-critical complex systems interacting with their environment poses significant challenges, particularly when the system's world model relies on machine learning algorithms to process the perception input. A comprehensive safety argumentation requires knowledge of how faults or functional insufficiencies propagate through the system and interact with external factors, to manage their safety impact. While statistical analysis approaches can support the safety assessment, associative reasoning alone is neither sufficient for the safety argumentation nor for the identification and investigation of safety measures. A causal understanding of the system and its interaction with the environment is crucial for safeguarding safety-critical complex systems. It allows transferring and generalizing knowledge, such as insights gained from testing, and facilitates the identification of potential improvements. This work explores using causal Bayesian networks to model the system's causalities for safety analysis, and proposes measures to assess causal influences based on Pearl's framework of causal inference. We compare the approach of causal Bayesian networks to the well-established fault tree analysis, outlining advantages and limitations. In particular, we examine importance metrics typically employed in fault tree analysis as a foundation to discuss suitable causal metrics. An evaluation is performed on the example of a perception system for automated driving. Overall, this work presents an approach for causal reasoning in safety analysis that enables the integration of data-driven and expert-based knowledge to account for uncertainties arising from complex systems operating in open environments.
From Natural Language Requirement Specifications to Logic Properties
ABSTRACT. Most cases of functional errors that are encountered in the verification process of a system under design are attributed to inaccurate interpretation of the system requirements. Therefore, the consistent reading of requirements, mapping each of them to an unambiguous interpretation is of paramount importance. The process of requirements formalization aims to capture a requirement written in natural language by one or more logical properties. In this process, one comes across the problem of consistently interpreting requirements, which stems from the varied use of natural language among engineers and the inherent ambiguities in the use of natural language. This paper introduces solutions to problems related to requirements formalization. The proposed solutions have been tested to demonstrate their effectiveness and utility. A set of templates - called boilerplates - for the specification of requirements in natural language is employed. Boilerplate-based requirements are then formalized into a logic language using an automated algorithm that eliminates ambiguity and ensures semantic consistency.
ABSTRACT. Dependent failures are an important concern in safety engineering. If such dependencies remain undetected, important assumptions, which constitute the foundations for the safety concept and safety argumentation, might be invalid. Dependent failure analysis (DFA) is an approach to detect such dependencies. However, there is a lack of concrete methods and techniques to conduct a DFA in a systematic and efficient way. In this paper, we introduce a model-based DFA approach describing the corresponding process, modeling concepts as well as interfaces to other model-based safety engineering techniques.
Comparative Analysis of Non-Colored and Colored Petri Net Models for Availability Assessment of Safety-Critical Cloud Software in Railways
ABSTRACT. The integration of cloud software into safety-critical railway applications introduces new challenges in ensuring availability and reliability. Traditional modeling techniques may not adequately capture the distinction between safety-critical and non-safety-critical software components in cloud-based architectures.
This research explores the integration of safety criticality into Petri net modeling for availability analysis of cloud-based railway applications. Two Petri net models are developed and compared: a traditional non-colored model and an advanced colored model that explicitly represents the safety-critical aspects.
The comparative analysis quantifies the differences in availability and reliability metrics between the two modeling approaches. The findings demonstrate the importance of integrating safety criticality, as the colored Petri net model provides more accurate insights into the availability of safety-critical components.
The results contribute to the knowledge on availability modeling for cloud-based railway systems and provide practical implications for designing and maintaining these critical infrastructures to meet safety and reliability requirements.
ABSTRACT. Safety studies are carried out on increasingly complex systems, pushing traditional methods like Fault Tree Analysis (FTA) to their limits. The Model-Based Safety Analysis (MBSA) is a method which brings a solution to those difficulties, also allowing a better representation of a complex system’s dysfunctional behavior.
As of now, MBSA users embed a subsystem’s behavior to a higher level system, enabling a more realistic model. However, sharing MBSA models in the extended enterprise context is not currently a widespread technique due to unsolved risks.
This paper addresses four of these risks.
First, by sharing their model, a supplier risks exposing its architecture to a third party. A masking process shall be applied to a shared model to protect the intellectual property.
Second, merging sub-models involves risks from a size point of view: if the model is too large it can be difficult to compute.
Suppliers need to simplify large models without losing essential information.
Third, the usual MBSA tools are missing some aspects to mitigate the risks of model sharing and integration. Hence the need to update some of their functionalities.
Finally, sharing a model without a proper documentation involves a risk of losing traceability. This can be addressed through effective communication throughout the V-cycle project lifecycle.
By exploring solutions to these risks, this research aims to facilitate the exchange of MBSA models, ultimately enhancing collaboration and efficiency in the development of complex systems.
ACEditor: a Tool for Synthesizing Assurance Cases from Fault Trees
ABSTRACT. Critical systems in automotive and other domains demand the justification of their safety and component reliability. Assurance cases provide a means for justifying/assessing confidence in system dependability with explicit and implicit references to design, safety, and reliability artifacts. Fault Tree Analysis (FTA) is one of the most popular safety analysis techniques, and is an integral part of Model-Based Safety Assessment. However, the open and adaptive nature of autonomous systems demands a paradigm shift from design-time to runtime system assurance. Although the Structured Assurance Case Metamodel (SACM) standard, its visual notation and its pattern extensions provide the foundations for runtime system assurance, enabling traceability between assurance cases and fault trees, which are part of Executable Digital Dependability Identities (EDDIs) of cyber-physical system components, is still a challenge. In this paper, we introduce the ACEditor tool for specifying SACM assurance case patterns with traceability to fault trees, which are part of a component EDDI, as another step towards system assurance demonstration at runtime.
AI4Green, A Framework for AI-based Resource Optimizations for Reliable Applications
ABSTRACT. Climate change, increasing environmental pollution and rising resource consumption implicate sustainable and also reliable solutions to ensure a livable and safe future for generations to come. Significant opportunities for savings lie in the field of business and industry, particularly by improving production processes.
In this paper, we summarize our ongoing research from the AI4Green project funded by INTERREG Bayern-Österreich. We outline challenges and opportunities for reliable resource optimizations in challenging domains such as agriculture, robotics and production processes using artificial intelligence. We conclude that the optimization potential is high and provide an outlook of our future research activities to develop safe and reliable resource-optimal industrial AI-based solutions.
Analyzing Truck Platoons with Automata Learning and Model Checking
ABSTRACT. Ensuring the safety of systems like truck platoons remains a significant challenge, especially when formal models of system behavior are unavailable or difficult to construct. In this work-in-progress, we explore an approach that uses automata learning to infer models from observed system executions, which can then be analyzed through model checking. The goal of this approach is to enable safety analysis without relying on manually specified models. We are investigating the feasibility of this idea through a Truck Platooning case study—an increasingly relevant scenario in intelligent transportation systems where safety is critical. While this approach is still under development, early steps suggest potential for combining learning-based modeling with formal verification to support safety analysis in both simulated and physical settings.
Q-SafeML, A Quantum-Statistical Approach to Safety Monitoring in Quantum Machine Learning
ABSTRACT. The rise of machine learning in safety-critical systems has paralleled advancements in quantum computing, leading to the emerging field of Quantum Machine Learning (QML). While safety monitoring has progressed in classical ML, existing methods are not directly applicable to QML due to fundamental differences in quantum computation. Given the novelty of QML, dedicated safety mechanisms remain underdeveloped. This paper introduces Q-SafeML, a safety monitoring approach for QML. The method builds on SafeML, a recent method that utilizes statistical distance measures to assess model accuracy and provide confidence in the reasoning of an algorithm. An adapted version of Q-SafeML incorporates quantum-centric distance measures, aligning with the probabilistic nature of QML outputs. Q-SafeML detects distances between operational and training data, addressing the concept drifts in the context of QML. Experiments on QCNN and VQC models show that this enables informed human oversight, enhancing system transparency and safety.
Towards a Unifying View of Fault Propagation Analyses and Notations
ABSTRACT. The design of complex systems requires a careful consideration of the possible hazards and failure conditions that may affect system functions, possibly compromising system reliability and safety. Complex systems must be able to detect component faults and isolate them before they can propagate and cause system failures. To this aim, Preliminary Safety Assessment analyzes failure conditions and allocates safety requirements to components and subsystems, based on a candidate system architecture. A modern way to conduct this analysis is via the use of fault propagation models, i.e. formal representations linking the occurrence of basic faults to their effects on other components and subsystems. Examples of such models include Timed Failure Propagation Graphs (TFPG), Finite Degradation Models (FDM) and Propagation Graphs over Finite Degradation Structures (PGFDS).
In this paper, we generalize previous models for fault propagation. We define a general formalism, called Unifying Propagation Graphs (UPG), which encompasses, and is strictly more expressive than, previous notations, and we formally define its syntax and semantics. We discuss the integration of UPG into the xSAP safety analysis platform, and the generalization of existing routines for fault propagation analysis to the complete fragment of UPG. Finally, as a first contribution, we extend the existing engine for computation of minimal cut sets of PGFDS to support interval timings, and we experimentally evaluate its performance on a set of benchmarks.
An Altarica-based modelling and analysis approach enabling UAV regulation compliance
ABSTRACT. The increasing adoption of Unmanned Aerial Vehicles (UAVs) in various operations introduces new safety risks to people on the ground and airspace users. As a result, EU regulations require the demonstration of safety for UAV-based operations, necessitating comprehensive hazard analyses that capture diverse event and failure contributions. This paper presents a generic, model-based approach for assessing UAV system safety, leveraging layered failure propagation models from the literature. Our twofold contribution includes: (1) a detailed exposition of each failure propagation layer’s implementation in Altarica and their interconnections, and (2) the analysis of this layered model using associated Altarica tools to generate certification artefacts. A thorough case study on a fixed-wing UAV use-case illustrates our modelling methodology and its analysis capabilities.
ABSTRACT. Model-Based Safety Assessment is a cornerstone of modern safety-critical system design, providing formal verification techniques to ensure compliance with stringent safety requirements. The AltaRica 3.0 modeling language offers a structured approach to model system behavior and failures. The associated tools support qualitative and probabilistic risk analysis. In addition, the language semantics and the simulator integrate timing constraints associated with the probability of event occurrence. In this work, we explore the potentialities of AltaRica’s semantics and tools to express and analyze the timed properties of critical safety systems. To evaluate this approach, a case study involving two autonomous drones performing an obstacle avoidance maneuver is used. Our findings shed light on the strengths and limitations of using AltaRica for time-sensitive verification and provide insights into its applicability for real-world, time-critical safety assessments.
Experience in developing an algorithm at the MBSA level to minimize the complexity of fault trees during automatic generation from design data
ABSTRACT. In EDF’s probabilistic safety assessment (PSA) studies, sequence of events diagrams represent all scenarios identified during qualitative analysis following an initiating event. These diagrams trace all possible paths involving successful or failed missions of backup systems or human actions. System missions identified in reliability studies are modeled using fault trees, generated with an MBSA expert system-based tool [3]. A key challenge for analysts is the complex modeling of systems from mechanical diagrams, often in difficult formats.
[1] and [4] present a tool (CONFLUENT) capable of reading data from multiple sources (electrical, hydraulic, and control) while managing system boundaries through path definitions. It supports compression of control, hydraulic, and electrical systems helping reduce EPS model complexity, especially in the context of zoomable EPS [2]. Finally, the tool enables topological mapping of complex networks by displaying attributes like location, altitude, function, or support structures, which aids in redundancy analysis at the support level (e.g., panels).
This article is a continuation of this work aimed at automating the generation of fault trees with low complexity by directly utilizing design data specifications and PSA mission specifications of backup systems. Two main objectives were pursued: first, to minimize the complexity of the fault tree as much as possible, and second, to streamline communication between the system designer and the safety analysis engineer. An algorithm has been developed to partition the system into optimal subsets in order to minimize the complexity of the fault trees linked to mission specifications based on three criteria: system scope, operational configurations, and the tested effect, such as ensuring proper water circulation. The input data and visualizations at both the CONFLUENT and algorithm levels are strictly those provided by the system designer, which helps facilitate communication.
[1] Roy, R., Houbedine, J.-C., Hibti, M. Récupération automatique des données de conception des systèmes pour les études de fiabilité. Lambda Mu 23, Saclay.
[2] Hibti, M., Hasseni, M., Villatte, N. Zooming over PSA models: reducing PSA models without loss of generality. 18th International Probabilistic Safety Assessment and Analysis (PSA 2023), Knoxville, TN, 2023.
[3] Bannelier, M., Bouissou, M., Villatte, N., Bouhadana, H. Knowledge modeling and reliability processing: presentation of the FIGARO language and associated tools. SAFECOMP'91, Trondheim, 1991.
[4] Roy, R., Houbedine, J.-C., Hibti, M. Illustration d'exemples de récupération automatique de données de conception pour les études de sûreté avec représentation compressée et/ou par attribut et/ou par multi configuration. Congrès Lambda Mu 24 « Les métiers du risque : clés de la réindustrialisation et de la transition écologique », Institut pour la Maîtrise des Risques (IMdR), Bourges, France, Oct 2024.
From Abstract to Action: Tailored Environment Taxonomies for More Complete ADS Safety Analyses
ABSTRACT. Different safety engineering processes of automated driving systems (ADS), such as hazard identification and risk assessment (HARA) or SOTIF analyses, require a model of the system’s operational environment. Environment taxonomies like ISO 34503 and the "PEGASUS Six-Layer Model" can serve as a basis to derive such models. To ensure comprehensive coverage applicable for different ADS and operational design domains, these taxonomies must be defined at a generic abstract level. However, creating effective environment models relies on the engineer’s ability to adapt a base taxonomy for a specific system, operational design domain, and safety analysis scope.
This study examines how a base environment taxonomy can be tailored to enhance a specific safety engineering process. Our proposed method involves deriving guide questions from the process's quality requirements. Engineers then use these questions to systematically refine a given taxonomy for use in the safety process.
We applied this method in a case study, adapting the ISO 34503 taxonomy to improve HARA quality for an autonomous last-mile delivery vehicle in urban intersection scenarios. The tailored taxonomy was compared with the generic baseline in identifying relevant situation elements for HARA. Industry experts interviewed post-study reported that the tailored taxonomy better structured the situation space exploration than the generic baseline. The detailed guide questions also revealed critical situation elements not identified with the generic taxonomy alone.
This paper argues that the developed taxonomy tailoring method improves the quality of safety engineering processes. The case study confirmed the hypotheses that engineers profit from a guided analysis approach especially in complex situation spaces and that, in consequence, critical situation elements can be identified with less dependence on the engineer's experience. Thus, we conclude that although the approach cannot guarantee a complete coverage of the situation space, it evidently improves the quality of safety engineering processes.