Model-based development offers many advantages such as improved maintainability, reusability, quality, and efficiency. Addressing these aspects is also possible for Safety Engineering if model-based approaches are introduced. In a four-part series of blog posts, we will give an overview of typical safety engineering methods and techniques and how they can be realized in a model-based way. In Part 1, we will start with a general definition and a presentation of the advantages and challenges of Model-Based Safety Engineering (MBSE).
What is Safety Engineering about?
When developing safety-critical systems, ensuring functional safety is essential. For this purpose, different analyses and development artifacts must be produced in accordance with the requirements of the relevant standards (e.g., ISO 12100, IEC 61508, ISO 13849, EN 50128, ISO 26262, ISO 25119). These artifacts include hazard analyses and risk assessments, safety analyses, safety requirements, safety concepts, and safety cases. In practice, they are usually created and managed using document processing and spreadsheet tools such as Microsoft Word, Excel or Visio. As the complexity of the systems continues to increase, these tools reach their limits, because important characteristics such as maintainability and traceability cannot be adequately guaranteed. This ultimately results in problems with the efficiency and quality of the development artifacts and, consequently, of the whole system, which in the best case only costs money and, in the worst case, human lives.
The general problem of increasing complexity is not limited to safety engineering, but applies to systems engineering in general. Over the last twenty years, the model-based development approach has established itself as a possible solution, and there now exists an extensive and proven range of techniques (e.g., SysML and UML for systems and software modeling), methods (e.g., the V-Model), and tools (e.g., CASE tools). The advantages are manifold, but they particularly relate to the improvement of maintainability, reusability, quality, and, more generally, efficiency. For safety engineering, addressing these aspects by introducing model-based approaches is also possible. A brief overview of this will be provided within this series of articles. After this general introduction, a small case study will gradually introduce the typical steps in a model-based safety engineering lifecycle.
What is the point? How do you approach it? How much does it cost?
In practice, keeping all documentation and specifications up-to-date and consistent during development, and subsequently throughout the evolution of the system, is often challenging. Complex versioning can make this task even harder. In general, changes (as well as versions/configurations) in a system often have complex dependencies and cross-references, which are difficult to detect and manage solely on the basis of text-based specifications. In particular, changes that are detected late in development can be prohibitively costly to address and can lead to unsafe systems. Furthermore, frequent changes may not be adequately taken into account in safety engineering, which may lead to discrepancies between the developed system and its specifications, and therefore pose a significant safety risk. A model-based approach can help by formally linking elements between the different analyses and specifications. If you change something at one point, all relevant cross-references can be made directly visible and changes can be automatically propagated across the specifications.
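The formal linking described above can be made concrete with a small traceability model. The following is an added example, not code from the original post or from any tool it refers to: hazards, safety requirements, components and tests are stored as nodes of a directed graph, a change to one element is propagated to every artifact that transitively depends on it, and the model is checked for the coverage gaps (unmitigated hazard, unverified requirement) that a spreadsheet cannot enforce by itself. All element IDs and descriptions are constructed sample data.

```python
from collections import deque

# Element kinds used in this toy model
HAZARD, REQUIREMENT, COMPONENT, TEST = "hazard", "requirement", "component", "test"


class SafetyModel:
    """Directed traceability graph. A link src -> dst means dst depends on src:
    a requirement mitigates a hazard, a component implements a requirement,
    a test verifies a requirement or exercises a component."""

    def __init__(self):
        self.elements = {}   # id -> (kind, description), insertion-ordered
        self.links = {}      # src id -> list of dst ids

    def add(self, eid, kind, description):
        self.elements[eid] = (kind, description)
        self.links.setdefault(eid, [])

    def link(self, src, dst):
        # Dangling references are rejected at model-building time,
        # instead of surfacing later as a broken cross-reference in a document.
        for eid in (src, dst):
            if eid not in self.elements:
                raise KeyError(f"unknown element {eid}")
        self.links[src].append(dst)

    def impact(self, changed):
        """All elements that transitively depend on `changed`, i.e. the artifacts
        that must be re-reviewed or re-verified after the change (breadth-first)."""
        seen, queue = set(), deque([changed])
        while queue:
            cur = queue.popleft()
            for dst in self.links[cur]:
                if dst not in seen:
                    seen.add(dst)
                    queue.append(dst)
        return seen

    def successors_of_kind(self, eid, kind):
        return [d for d in self.links[eid] if self.elements[d][0] == kind]

    def coverage_gaps(self):
        """Consistency checks: every hazard needs a mitigating requirement, and every
        requirement needs an implementing component and a verifying test."""
        gaps = []
        for eid, (kind, _) in self.elements.items():
            if kind == HAZARD and not self.successors_of_kind(eid, REQUIREMENT):
                gaps.append((eid, "no mitigating safety requirement"))
            if kind == REQUIREMENT:
                if not self.successors_of_kind(eid, COMPONENT):
                    gaps.append((eid, "not allocated to any component"))
                if not self.successors_of_kind(eid, TEST):
                    gaps.append((eid, "no verification test"))
        return gaps


def build_sample_model():
    """Constructed sample model of a robot cell (hypothetical, not a real project)."""
    m = SafetyModel()
    m.add("H-1", HAZARD, "Unintended arm motion while the operator is inside the cell")
    m.add("H-2", HAZARD, "Loss of brake holding torque during power loss")
    m.add("SR-1", REQUIREMENT, "Stop the arm within 200 ms after light curtain interruption")
    m.add("SR-2", REQUIREMENT, "Remove drive torque on emergency stop")
    m.add("SR-3", REQUIREMENT, "Indicate the active safety state to the operator")
    m.add("C-LC", COMPONENT, "Light curtain interface")
    m.add("C-CTRL", COMPONENT, "Safety controller")
    m.add("C-DRV", COMPONENT, "Servo drive")
    m.add("C-HMI", COMPONENT, "Operator panel")
    m.add("T-1", TEST, "Light curtain reaction time test")
    m.add("T-2", TEST, "Emergency stop torque-off test")
    for src, dst in [("H-1", "SR-1"), ("H-1", "SR-2"),
                     ("SR-1", "C-LC"), ("SR-1", "C-CTRL"), ("SR-1", "T-1"),
                     ("SR-2", "C-CTRL"), ("SR-2", "C-DRV"), ("SR-2", "T-2"),
                     ("SR-3", "C-HMI"),
                     ("C-CTRL", "T-1"), ("C-CTRL", "T-2"), ("C-DRV", "T-2")]:
        m.link(src, dst)
    return m


if __name__ == "__main__":
    model = build_sample_model()
    print("Changing SR-1 affects:", sorted(model.impact("SR-1")))
    for eid, issue in model.coverage_gaps():
        print(f"gap: {eid}: {issue}")
```

Changing SR-1 flags both components it is allocated to and, through the shared safety controller, both tests, so the re-verification scope is computed rather than remembered. The coverage check reports the unmitigated hazard H-2 and the untested requirement SR-3; in a document-based setup, the same gaps would only be found by a manual cross-read of several files.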
Successfully implementing model-based safety engineering requires, of course, a suitable corporate culture and seamless integration into existing procedures and processes. In addition, adequate tool support is crucial, because this is the only way to fully exploit the advantages of model-based approaches. Consequently, the implications of the existing procedures and processes as well as the implications for the existing tool chains must always be considered.
Beyond tool support and process design, the introduction of model-based approaches is an investment. The potentially necessary adaptation of procedures and structures, the procurement and integration of tools, the qualification of staff, and perhaps even a refactoring of existing development artifacts – all of this can quickly add up to a significant investment. This investment must be weighed against the expected savings in terms of increased efficiency, the added value of increased quality, and – ideally – the higher confidence in assuring safety.
In a comprehensive study by the Systems Engineering Research Center (SERC), the corporate culture and the staff’s MBSE knowledge were cited as the main obstacles to a successful introduction of model-based approaches. The most important positive factors were the willingness of the employees to use the approaches and the commitment of the management.
In summary, whether the introduction of model-based approaches can be justified, and whether it is worthwhile, depends heavily on the respective circumstances, and in particular on the employees of a company. However, as systems become increasingly complex, it is becoming essential to provide engineers with optimal support to help them accomplish their tasks.
Dangers and risks associated with introducing Model-Based Safety Engineering
A final and very safety-specific problem is the integrity of the tools themselves and the trust that can be placed in the correctness of their output. In any case, it must be excluded that any malfunctions of the development tools may lead to a safety problem in the system to be developed. A general approach in this regard (which is also proposed by safety standards such as ISO 26262) can be broken down into the following steps:
- Where and how is the tool used in development? What are the relevant processes?
- What specific technical use cases is the tool involved in?
- What tool malfunctions are conceivable and how does each of these malfunctions affect each of the use cases?
- What is the potential impact on the safety of the system to be developed?
- What is the likelihood of detecting this impact (based on existing best-practice processes, reviews, and other measures)?
- If there is relevant impact that is unlikely to be detected, either the tool must be qualified or the framing processes and measures must be improved to ensure detection.
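The steps above can be carried out as a small, repeatable assessment. The following is an added example, not code from the original post or from any particular tool vendor. It uses the tool impact (TI), tool error detection (TD) and tool confidence level (TCL) vocabulary of ISO 26262-8 as I know it (TI1/TI2, TD1 to TD3, TCL1 to TCL3, with TCL derived from TI and TD); the mapping of the words "high", "medium" and "low" onto TD1 to TD3 is a simplification for the example, and the tool, its use cases and their ratings are constructed sample data, not an assessment of a real product.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class UseCase:
    """One technical use case of a development tool together with its worst
    credible malfunction (steps 2 and 3 of the procedure)."""
    name: str
    malfunction: str
    can_introduce_or_hide_error: bool   # True -> TI2, False -> TI1 (step 4)
    detection_confidence: str           # "high" -> TD1, "medium" -> TD2, "low" -> TD3 (step 5)


# Simplified mapping of a qualitative detection rating onto the TD classes.
TD_FROM_CONFIDENCE = {"high": 1, "medium": 2, "low": 3}


def tool_impact(uc):
    """TI2 if a malfunction can introduce an error into the item or fail to detect one."""
    return 2 if uc.can_introduce_or_hide_error else 1


def tool_error_detection(uc):
    """TD class from the confidence that the framing process would catch the malfunction."""
    return TD_FROM_CONFIDENCE[uc.detection_confidence]


def tool_confidence_level(ti, td):
    """TCL from TI and TD as tabulated in ISO 26262-8: TI1 always gives TCL1;
    for TI2, TD1 -> TCL1, TD2 -> TCL2, TD3 -> TCL3."""
    if ti == 1:
        return 1
    return td


def assess_tool(tool_name, use_cases):
    """Per-use-case classification plus the overall (worst-case) TCL and the decision
    of the last step: qualify the tool, or strengthen the detection measures."""
    rows = []
    for uc in use_cases:
        ti, td = tool_impact(uc), tool_error_detection(uc)
        rows.append((uc.name, ti, td, tool_confidence_level(ti, td)))
    worst = max(row[3] for row in rows)
    decision = ("no tool qualification needed" if worst == 1
                else "qualify the tool or improve detection measures")
    return {"tool": tool_name, "use_cases": rows, "tcl": worst, "decision": decision}


def add_detection_measure(uc, new_confidence):
    """Re-rate a use case after a framing measure (e.g. an independent cross-check
    of the tool output) has been introduced."""
    return replace(uc, detection_confidence=new_confidence)


# Constructed sample: a hypothetical model-based safety tool, not a real product.
SAMPLE_USE_CASES = [
    UseCase("export safety requirements to the requirements management tool",
            "a requirement is silently dropped during export", True, "low"),
    UseCase("generate the fault tree report for review",
            "a gate is rendered with the wrong type", True, "high"),
    UseCase("auto-layout of diagrams",
            "symbols overlap in the rendered diagram", False, "low"),
]


if __name__ == "__main__":
    result = assess_tool("HypotheticalSafetyModeler", SAMPLE_USE_CASES)
    for name, ti, td, tcl in result["use_cases"]:
        print(f"{name}: TI{ti} TD{td} -> TCL{tcl}")
    print(f"overall TCL{result['tcl']}: {result['decision']}")
    # Alternative to qualification: add an automated round-trip count check to the export.
    improved = [add_detection_measure(SAMPLE_USE_CASES[0], "high")] + SAMPLE_USE_CASES[1:]
    print("after adding the export cross-check:", assess_tool("HypotheticalSafetyModeler", improved)["decision"])
```

The overall level is driven by the single worst use case: the silent-drop export is TI2 with low detection, hence TCL3, even though the other two use cases are harmless. Re-rating that use case after an independent cross-check has been added brings the whole tool down to TCL1, which is the "improve the framing processes and measures" branch of the last step; keeping each use case and its rating as data also makes the assessment easy to re-run when a tool is updated.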
Of course, these considerations are not only relevant for model-based development tools, but for any tool used in development, including widely used ones such as Microsoft Word and Excel.
Increasing system complexity, large numbers of variants, and frequent changes mean that safety engineering based on Microsoft Word, Excel, and Visio is reaching its limits. Model-Based Safety Engineering (MBSE) approaches, ideally integrated with model-based systems engineering, provide a remedy. That being said, the introduction of such methods generally means additional effort and investment, and must therefore be carefully planned. Ultimately, the potential for savings and better-quality end products is in many cases high. In the next articles in this series, we will demonstrate with examples how typical safety engineering activities can be implemented in an MBSE approach throughout the safety engineering lifecycle. In the second article, we will analyze the hazards and risks of a system to be developed and show how this process can be integrated into a model-based approach. Building on this integration, in the third article we will describe how the safety analysis of the previously identified hazards can be realized with the help of the model-based approach and component fault trees. Finally, in the fourth article, we will show how to create a model-based safety case with the required links to the development artifacts.
If you are looking for further information concerning Model-Based Safety Engineering (MBSE), please check our website.