Improving Safety-Critical Systems by Visual Analysis
Yi Yang1, Patric Keller1, Yarden Livnat2, and Peter Liggesmeyer1
1 Software Engineering: Dependability Group, University of Kaiserslautern, Germany
{yang,pkeller,liggesmeyer}@cs.uni-kl.de
2 Scientific Computing and Imaging Institute, University of Utah, USA
Abstract
Importance analysis provides a means of analyzing the contribution of potential low-level failures in order to identify and assess the vulnerabilities of safety-critical systems. Common approaches attempt to enhance system safety by addressing these vulnerabilities in an iterative analysis process, while considering relevant constraints, e.g., cost, to optimize the improvements. Typically, the data produced during this process is spread across several views with few interactive associations among them, which hampers the identification of the information that supports decision making. In this paper, we propose a visualization system that visually supports engineers in identifying suitable solutions. The visualization integrates a decision tree with a plot representing the cause-effect relationship between improvement ideas for vulnerabilities and the resulting risk reduction of the system. Associating a component fault tree view with the plot preserves helpful context information. The introduced visualization approach enables system and safety engineers to identify and analyze optimal solutions, facilitating the improvement of overall system safety.
1998 ACM Subject Classification B.4.5 Reliability, Testing, and Fault-Tolerance, I.3.8 Applications, D.2.4 Software/Program Verification
Keywords and phrases fault tree analysis, importance and sensitivity analysis, information visualization, decision tree, safety analysis
Digital Object Identifier 10.4230/OASIcs.VLUDS.2011.43
1 Introduction
Fault tree analysis is a widely used technique for identifying vulnerabilities of safety-critical systems. The analysis uses a graphical model, the fault tree, to logically relate an undesired failure at the system level (the top event) to failures at the component level (the basic events). A component fault tree is an advanced modularization concept supporting the fault tree analysis of complex systems. It extends the regular fault tree model by decomposing it, according to the architecture of the system under investigation, into a hierarchical representation in which each component is represented by an extended fault tree. Fault tree analysis provides the basis for the importance analysis and sensitivity analysis of these failure relations. Importance analysis focuses on the risk contribution of individual basic events to the top event; the most important basic events represent the critical vulnerabilities of a system. Sensitivity analysis investigates the relation between changes of basic events and the resulting impact on the top event.
© Yi Yang, Patric Keller, Yarden Livnat, Peter Liggesmeyer;
licensed under Creative Commons License ND
Proceedings of IRTG 1131 – Visualization of Large and Unstructured Data Sets Workshop 2011.
Editors: Christoph Garth, Ariane Middel, Hans Hagen; pp. 43–58
OpenAccess Series in Informatics
Schloss Dagstuhl – Leibniz-Zentrum für Informatik, Dagstuhl Publishing, Germany
In order to improve system safety, engineers usually carry out an iterative risk reduction approach that combines importance and sensitivity analysis. As a result, engineers may identify an improvement solution consisting of a group of modifications of the system design; a solution reduces the failure probability of the top event to an acceptable level. In many cases, engineers identify multiple possible solutions from alternative design modifications during the analysis process. Thus, the safety improvement process consists of determining modifications and reviewing solutions, taking the following essential questions into account:
Aspects of modifications:
What are the most important basic events contributing to a system failure?
What are possible modifications of the system design?
What are the impacts of the modifications regarding system safety?
Which modifications are optimal taking certain constraints into consideration?
Aspects of solutions:
How good are the improvement solutions?
What is the best solution?
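The following Python program is an added illustration of the analyses introduced in Section 1 and of the iterative risk reduction process above; it is not code from the paper or from the authors' tool. It evaluates a small AND/OR fault tree exactly for independent basic events, ranks basic events by Birnbaum importance (the derivative of the top-event probability with respect to each basic-event probability; the paper does not say which importance measure its tool uses, so this choice is an assumption), quantifies the sensitivity of the top event to a single modification, and then runs a simple greedy search that applies the modification with the best risk reduction per unit cost until a target probability is met or the budget is exhausted. The tree wiring, all probabilities, the candidate modifications, their costs, and the greedy selection heuristic are constructed assumptions; the tree shares only the gate and event counts of Figure 1(a).

```python
"""Fault tree evaluation, importance/sensitivity analysis and a greedy
improvement search under a cost constraint (added illustration, not the
paper's tool; tree wiring, probabilities, modifications and costs are
constructed, assumed values)."""
from dataclasses import dataclass
from itertools import product

@dataclass(frozen=True)
class Basic:          # basic event: a component-level failure
    name: str

@dataclass(frozen=True)
class Gate:           # AND/OR gate over basic events or sub-gates
    kind: str         # "AND" or "OR"
    inputs: tuple

def evaluate(node, state: dict) -> bool:
    """Does the event at `node` occur given which basic events have failed?"""
    if isinstance(node, Basic):
        return state[node.name]
    values = [evaluate(child, state) for child in node.inputs]
    return all(values) if node.kind == "AND" else any(values)

def basic_events(node) -> list:
    """Distinct basic event names in the tree, in first-seen order."""
    if isinstance(node, Basic):
        return [node.name]
    names = []
    for child in node.inputs:
        names += [n for n in basic_events(child) if n not in names]
    return names

def top_probability(tree, probs: dict) -> float:
    """Exact P(top event) for independent basic events by enumerating all 2^n
    failed/working combinations; correct even if one event feeds several gates."""
    names = basic_events(tree)
    total = 0.0
    for bits in product((False, True), repeat=len(names)):
        state = dict(zip(names, bits))
        if evaluate(tree, state):
            weight = 1.0
            for n in names:
                weight *= probs[n] if state[n] else 1.0 - probs[n]
            total += weight
    return total

def birnbaum_importance(tree, probs: dict) -> dict:
    """I_B(i) = P(top | i failed) - P(top | i working) = dP(top)/dp_i."""
    return {n: top_probability(tree, dict(probs, **{n: 1.0}))
            - top_probability(tree, dict(probs, **{n: 0.0}))
            for n in basic_events(tree)}

def sensitivity(tree, probs: dict, event: str, new_p: float) -> float:
    """Risk reduction (old minus new P(top)) from changing one event's probability."""
    return top_probability(tree, probs) - top_probability(tree, dict(probs, **{event: new_p}))

@dataclass(frozen=True)
class Modification:   # candidate design change: lowers one event's probability at a cost
    label: str
    event: str
    new_p: float
    cost: float

def plan_improvements(tree, probs, candidates, target, budget):
    """Greedy iterative risk reduction (assumed heuristic): apply the affordable
    modification with the largest reduction per unit cost, re-rank after each
    change, stop once P(top) <= target or nothing affordable helps.
    Returns (chosen labels, final P(top), cost spent, target reached)."""
    probs, remaining, chosen, spent = dict(probs), list(candidates), [], 0.0
    current = top_probability(tree, probs)
    while current > target:
        scored = [(sensitivity(tree, probs, m.event, m.new_p) / m.cost, m)
                  for m in remaining if spent + m.cost <= budget]
        scored = [(s, m) for s, m in scored if s > 0]
        if not scored:
            break
        _, best = max(scored, key=lambda sm: sm[0])
        probs[best.event], spent = best.new_p, spent + best.cost
        chosen.append(best.label)
        remaining.remove(best)
        current = top_probability(tree, probs)
    return chosen, current, spent, current <= target

# Constructed tree (assumed wiring): the top event occurs if both pumps fail or
# if either monitoring failure occurs. It shares only Figure 1(a)'s gate and
# event counts; the figure's actual connections are not reproduced here.
PUMP_A, PUMP_B, SENSOR, POWER = (Basic(n) for n in ("pump_a", "pump_b", "sensor", "power"))
TREE = Gate("OR", (Gate("AND", (PUMP_A, PUMP_B)), Gate("OR", (SENSOR, POWER))))
PROBS = {"pump_a": 0.1, "pump_b": 0.1, "sensor": 0.02, "power": 0.005}  # assumed values
CANDIDATES = [                                                           # assumed values
    Modification("redundant sensor", "sensor", 0.002, cost=5.0),
    Modification("higher-grade pump A", "pump_a", 0.05, cost=3.0),
    Modification("battery-backed power", "power", 0.001, cost=4.0),
]

if __name__ == "__main__":
    print(f"P(top) = {top_probability(TREE, PROBS):.6f}")
    for name, imp in sorted(birnbaum_importance(TREE, PROBS).items(), key=lambda kv: -kv[1]):
        print(f"  I_B({name}) = {imp:.5f}")
    print(plan_improvements(TREE, PROBS, CANDIDATES, target=0.01, budget=12.0))
```

Two points the numbers make that the prose alone does not: the two OR-connected events have a much higher importance than the AND-connected pumps even though their probabilities are lower, so improving a pump first would be a poor choice; and because the ranking is recomputed after every applied modification, the second and third picks are evaluated against the already improved design rather than the original one. With the same target but a smaller budget the search stops short and reports that the target was not reached, which is the constraint-violation case an engineer needs to see rather than have silently rounded away.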
Usually, the data related to these questions is spread across individual views with different representation forms, e.g., fault trees, tables, histograms, plots, and decision trees. However, there are few interactive associations among the views, so engineers frequently need to switch views to access meaningful data during the analysis process. Additionally, there is insufficient context information when engineers focus on a specific view. For example, modifications are organized in a decision tree while the detailed data of a queried modification is presented in a separate table; when focusing on the table, the context of the overview of modifications may be lost. Furthermore, when analyzing the basic event corresponding to this modification, engineers need to manually locate the basic event in the fault tree view because the decision tree does not provide this information. Engineers therefore spend additional effort switching views and locating significant information.
In this paper, we propose a visualization system that effectively integrates the data essential for the analysis of the safety improvement process. To support access to information within different contexts, we additionally provide suitable interaction possibilities. The proposed visualization system helps to identify and analyze vulnerabilities of safety-critical systems, as well as to determine the optimal or most appropriate solution(s) by simulating system design modifications on an abstract level.
The remainder of the paper is organized as follows: Section 2 describes the basic principles of (component) fault tree analysis, importance and sensitivity analysis, and the related representation concepts. We introduce our visualization system in Section 3. We review the proposed methods on the basis of a short application example in Section 4. Section 5 concludes the paper.
2 Background
2.1 Safety Analysis
The term safety often refers to a state of a system in which the risk of personal injury or property damage lies within an acceptable level [15, 13, 4, 24]. A failure is defined as an inconsistent behavior that deviates from the given specification of a system or a component
[Figure 1 panels: (a) Fault tree; (b) Component fault tree]
Figure 1 Fault tree and component fault tree. (a) A fault tree consisting of four basic events
connected by an AND-gate and two OR-gates. (b) The component fault tree model based on t (...truncated)