safety modeling tool safeTbox - Fraunhofer IESE

safeTbox™ V3.0

We are proud to announce the release of version 3.0 of our safety modeling tool safeTbox™. In this version, the following capabilities have been added:


Visit our safeTbox Blog for further information

Modeling capabilities

Hazard and risk assessment (HARA)

In this version, we support hazard and risk assessment according to ISO 26262. This supports the user in the following tasks:

  • Functional Hazard Analysis: For selected functions/components, the user can perform a high-level fault analysis with the help of a configurable set of guide words (e.g., Omission, Commission,…). This template allows the user to document the effects of such failures and to determine whether they are safety-critical or not. If they are, the user can also define and associate hazards with them.
  • Definition of hazardous events (HE): Given a set of hazards, the user can build hazardous events by defining in which situations these occur. Moreover, the user can also define a hazardous event’s occurrence parameters (e.g., regarding the frequency or the time domain) as well as the expected outcome (e.g., an accident). This implementation also allows the user to define their own scenarios by specifying situation groups (e.g., category Driving Location: highway (over 100 km/h), city (50 km/h),…). The current template makes a clear differentiation between driving and standing situations to simplify the analysis and configuration.
  • Definition of safety goals: Having defined the hazardous events, it is then possible to define the severity and the controllability parameters for these HE, for which the system will automatically compute the ASIL. The template allows the user to define safety goals and assumptions related to the assessment of HE.


Support for multiple realization views

One typical way to cope with complexity is separation of concerns. In our model-based solution for safety, we apply this approach by allowing the user to define their own realization views. The purpose of this functionality is to handle complex modeling scenarios by displaying only information that is meaningful for the respective stakeholder. Two typical scenarios that can be supported are:

  • Multiple Variants: In our component modeling approach, it is possible to use multiple realization views to depict several product variants. This can be achieved by showing and hiding the respective relevant modeling elements.
  • Multiple Hazards: In the area of safety analysis, it is common for a system to be analyzed in the context of several hazards. However, not all parts of the system contribute to all of them. For this reason and for the sake of keeping things simple and understandable for the analysis and review processes, it is now possible to use a realization view of a Component Fault Tree (CFT) to depict only that part of the system that is associated with a particular analyzed hazard.

Failure View Consistency

  • Maintenance and model consistency: By linking both scenarios, we get a lot of modeling power, but it also becomes more complex to keep both views consistent with each other. For this reason, we have implemented special features that allow the user to track and update the models automatically. For example, if a component is linked to a component fault tree, then adding a port to one of the component’s realization views will lead to this port being added to all instances to which this realization view is assigned, as well as in all realization views of the integrated CFT that are associated with that component’s realization view.

Failure View Consistency - Maintenance


Analysis capabilities

Common Cause Failure Analysis (CCF)

In this version, we have extended our computation capabilities with "Common Cause Failure Analysis". CCFs can be applied to pure fault trees as well as to component fault trees. Moreover, CCFs have been integrated into the qualitative as well as the quantitative analysis. Due to the encapsulation and instantiation principle of CFTs, the definition of CCF models becomes more complex, but more powerful at the same time. This approach allows the definition of instance-specific CCF models to analyze systems with multiple homogeneous and heterogeneous redundancies.

CCF Analysis


Usability enhancements

Flexible element visualization

In order to make the visualization more flexible for end users, we have reworked the way elements and connectors can be set up. Now the user has a more flexible way to activate and deactivate the information being displayed in the diagrams. Once an element or connector has been configured (visually), these visualization features allow the user to replicate its configuration to all existing elements/connectors of the same type, saving manual effort. Moreover, it is now possible to store the current configuration, so that when a new element of the given type is created, the visual configuration is automatically applied.


Model element exporter

This feature allows the user to search and filter for elements within a project (e.g., find all Basic Events). Moreover, the user can export the selected elements to MS Excel.

Model Elements Exporter


Spell checking for Description and Notes field

In this version, a spell checker has been added to the Description and Notes field within the safeTbox properties view and properties dialog. Currently, spell checking is enabled only for English. In future versions, support for other languages will be added.

Spell Checker

Minor changes


Several dialogs have been reworked to enhance usability, including show usages, show and hide ports. In order


A few changes have been made to the profile. Primary tagged values and stereotypes have been added. For the handling of shape scripts, several attributes have been renamed or removed. However, there is no need to fear model inconsistencies in the new version, since the upgrading mechanism will take care of updating these attributes properly. This mechanism works in a non-destructive way, so no meaningful information is removed from the model.