The importance of safety-critical systems in many application domains of embedded systems, such as aerospace, railway, health care, automotive and industrial automation, is continuously growing. Thus, with the growing system complexity, the need for safety assurance, and the effort it requires, are also increasing in order to meet the high quality demands of these application domains. The aim of safety assurance is to ensure that systems do not lead to hazardous situations which may harm people or endanger the environment. In the application domains of safety-critical systems, safety assurance is defined by means of standards, see, e.g., the International Electrotechnical Commission (IEC) 61508 “Functional safety of electrical/electronic/programmable electronic safety related systems” (1998).
Traditionally, the assessment of a system in terms of safety is based on a bottom-up safety analysis approach, such as Failure Mode and Effect Analysis (FMEA), see IEC 60812 “Analysis Techniques for System Reliability—Procedure for Failure Mode and Effects Analysis (FMEA)” (1991). Alternatively, the assessment of a system according to reference implementations is based on top-down approaches such as Fault Tree Analysis (FTA), see, e.g., Vesely, W. E., Goldberg, F. F., Roberts, N. H., Haasl, D. F.: Fault Tree Handbook. US Nuclear Regulatory Commission (1981). By such techniques, it is possible to identify system failure states, their causes, and their effects with impact on the system safety.
However, in such approaches it can be difficult to identify dormant system failure states. A dormant system failure state (sometimes also referred to as a hidden system failure state) corresponds to a failure of the system—i.e., of one or more components of the system—that requires specific diagnostic actions to be identified. A dormant system failure state is a failure that is not immediately evident to operations and maintenance personnel. Dormant system failure states are, e.g., described in International Standard ISO 14224 (Dec. 15, 2006), Section C.6.
For example, in reference implementations, dormant system failure states are typically identified manually based on information on the system design, e.g., circuit diagrams of a rolling stock. However, such reference implementations face certain restrictions and drawbacks. Since the complexity of today's systems is continuously growing, the effort required to identify the dormant system failure states is increasing drastically. Furthermore, manually identifying dormant system failure states can be error-prone. In addition, diagnostic measures to mitigate the dormant system failure states typically have to be specified manually, which is also error-prone and may require significant effort.
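To make the notions of the preceding paragraphs concrete, the following is an added example that is not part of the patent text and not taken from any of the cited references. It encodes a small fault tree (AND/OR gates over basic events) for a constructed redundant power supply with a single fuse, evaluates the top event in the top-down manner of FTA, enumerates minimal cut sets, and then searches for dormant system failure states: basic events whose single failure raises no monitored (operator-visible) event, yet belongs to a minimal cut set of the hazardous top event. All names (FAULT_TREE, MONITORED, the event identifiers) are assumptions chosen for the example; the monitored set models the "diagnostic measures" of the text, and extending it shows how a diagnostic action makes a dormant state evident.

```python
"""Fault-tree evaluation and dormant-failure search (added example).

Constructed scenario: a load fed by two redundant supplies behind one fuse.
Only the bus voltage is monitored, so the loss of a single supply is not
visible to operators until the second one also fails.
"""
from itertools import combinations

# Gate name -> (gate type, child names). Names that never appear as a gate
# key are basic events (leaves). Constructed for this example.
FAULT_TREE = {
    "LOSS_OF_POWER": ("OR", ["FUSE_OPEN", "BOTH_SUPPLIES_DOWN"]),
    "BOTH_SUPPLIES_DOWN": ("AND", ["PSU_A_FAILED", "PSU_B_FAILED"]),
}

# Events that raise an alarm visible to operations/maintenance personnel.
# Constructed assumption: only the output bus is monitored.
MONITORED = {"LOSS_OF_POWER"}


def basic_events(tree):
    """Return the sorted list of leaf (basic) events of the tree."""
    children = {child for _, kids in tree.values() for child in kids}
    return sorted(children - tree.keys())


def evaluate(tree, node, failed):
    """True if `node` is in its failed state given a set of failed basic events.

    Leaves are failed iff they are in `failed`; gates combine their children
    with AND or OR exactly as in a classical fault tree.
    """
    if node not in tree:
        return node in failed
    kind, kids = tree[node]
    results = [evaluate(tree, kid, failed) for kid in kids]
    return all(results) if kind == "AND" else any(results)


def minimal_cut_sets(tree, top):
    """Enumerate minimal cut sets of `top` by increasing size.

    Because sizes are visited in ascending order, any candidate that contains
    an already-found cut set is not minimal and is skipped.
    """
    leaves = basic_events(tree)
    cut_sets = []
    for size in range(1, len(leaves) + 1):
        for combo in combinations(leaves, size):
            candidate = frozenset(combo)
            if any(found <= candidate for found in cut_sets):
                continue
            if evaluate(tree, top, candidate):
                cut_sets.append(candidate)
    return cut_sets


def dormant_failure_states(tree, top, monitored):
    """Basic events that are dormant with respect to `top` and `monitored`.

    A basic event is dormant when its failure alone raises none of the
    monitored events (so it is not immediately evident) but it contributes
    to the top event via some minimal cut set (so it matters for safety).
    """
    cut_sets = minimal_cut_sets(tree, top)
    dormant = []
    for leaf in basic_events(tree):
        single = frozenset({leaf})
        evident = any(evaluate(tree, m, single) for m in monitored)
        contributes = any(leaf in cs for cs in cut_sets)
        if contributes and not evident:
            dormant.append(leaf)
    return dormant


if __name__ == "__main__":
    print("minimal cut sets:", [sorted(cs) for cs in minimal_cut_sets(FAULT_TREE, "LOSS_OF_POWER")])
    print("dormant with bus monitoring only:", dormant_failure_states(FAULT_TREE, "LOSS_OF_POWER", MONITORED))
    # Adding a diagnostic check on supply A makes its failure evident.
    print("dormant after monitoring PSU_A:", dormant_failure_states(FAULT_TREE, "LOSS_OF_POWER", MONITORED | {"PSU_A_FAILED"}))
```

In the constructed tree, the fuse failure is evident immediately (it trips the monitored bus event on its own), while each supply failure is dormant: it is in the cut set {PSU_A_FAILED, PSU_B_FAILED} but produces no alarm until the redundancy is exhausted. The brute-force cut set enumeration is exponential in the number of basic events and is meant to illustrate the definitions, not to scale to a real rolling-stock circuit diagram.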
WO 2015/151014 A1 discloses a fault tree analysis tool that can access one or more tree structures. Each tree structure may be a fault tree associated with, for example, a control system or subsystem of an aircraft. The fault tree analysis tool can output one or more lists based on the tree structures. The lists can include event lists that define events and probabilities of each of the events for the tree structure. Risk calculations may be performed.
US 2012/166082 discloses a system and method for diagnosing one or more faults or one or more potential faults in a machine. An expert system module having a fault tree is guided through only a truncated portion of the fault tree based upon output from a fold recognition module.
US 2015/067400 A1 discloses a system that discards unneeded elements when generating a fault tree of an object to be analyzed. Configuration information identifies a plurality of functional blocks comprised by the object and a plurality of signal lines that connect the functional blocks and logical relationships. Exclusion target information identifies a signal line that may be excluded from the plurality of signal lines without loss of information.
Yang, Zong-Xiao, et al.: “Fuzzy fault diagnostic system based on fault tree analysis.” Proceedings of the 1995 IEEE International Conference on Fuzzy Systems (International Joint Conference of the Fourth IEEE International Conference on Fuzzy Systems and The Second International Fuzzy Engineering Symposium), Vol. 1, IEEE (1995) discloses a method for process fault diagnosis using information from fault tree analysis together with uncertainties/imprecision of data. Fault tree analysis provides a procedure for identifying failures within a process.
Therefore, a need exists for advanced techniques of analyzing safety-critical systems. In particular, a need exists for techniques which facilitate identifying dormant system failure states.