Automated safety analysis by minimal path set detection for multi-domain object-oriented models

Figures & data

Figure 1. State space simulation of an aircraft’s rudder control and actuation system.

Figure 2. An electric voltage source (a), a voltage divider resistor (b) and a ground (c).

Figure 3. Simulation of a flight control surface deflection angle $\phi$. System operates = sysOp for ${\phi }_1$. System failure = not sysOp for ${\phi }_2$, ${\phi }_3$.

Figure 4. Exchange of power and signals across the edges in a coherent set of nodes.

Figure 5. Coherent (a), (b), (c) and incoherent sets of nodes (d), (e) in a graph.

Figure 6. Components and connections in a multi-domain object-oriented model.

Figure 7. Adjacency list AL and graph for Figure 6(b) .

Figure 8. Flow chart of minimal path set detection algorithm DMP.

Figure 9. Redundant electric heating circuit.

Figure 10. Graph (a) of electric heating circuit shown in Figure 9 and its three minimal paths (b), (c), (d) .

Table 1. Combinations tested (by simulation of system model) at initial stage of detection process.

					comb stored in simC
Row	PSprev	rn	isArt	comb	No	Yes	sysOp	nonArt
0–1	–	–	–	{1, 2, 3, 4, 5, 6, 7}	–	x	x	–

Table 2. Path set after initial stage of detection process.

PS	isMinPS	SF
{1, 2, 3, 4, 5, 6, 7}	–	–

Table 3. Combinations tested during first iteration of detection process.

					comb stored in simC
Row	PSprev	rn	isArt	comb	No	Yes	sysOp	nonArt
1–1	{1, 2, 3, 4, 5, 6, 7}	{1}	x	{2, 3}	–	x	–	{2, 3}
1–2		{1}	x	{4, 5, 6, 7}	–	x	x	{5, 7}
1–3		{2}	–	{1, 3, 4, 5, 6, 7}	–	x	x	-
1–4		{3}	–	{1, 2, 4, 5, 6, 7}	–	x	x	-
1–5		{4}	x	{1, 2, 3}	–	x	x	{2, 3}
1–6		{4}	x	{5, 6, 7}	–	x	–	{5, 7}
1–7		{5}	–	{1, 2, 3, 4, 6, 7}	–	x	x	-
1–8		{6}	x	{1, 2, 3, 4, 5}	–	x	x	{2, 3, 5}
1–9		{6}	x	{7}	–	x	–	{7}
1–10		{7}	–	{1, 2, 3, 4, 5, 6}	–	x	x	-

Figure 11. Combinations tested during first iteration of detection process.

Table 4. Combinations tested during first iteration that remove two non-articulations from PS_prev[1,:].

				comb stored in simC
Row	PSprev	rn	comb	No	Yes	sysOp
1–11		{2, 5}	{1, 3, 4, 6, 7}	–	x	x
1–12	{1, 2, 3, 4, 5, 6, 7}	{2, 7}	{1, 3, 4, 5, 6}	–	x	x
1–13		{3, 5}	{1, 2, 4, 6, 7}	–	x	–
1–14		{3, 7}	{1, 2, 4, 5, 6}	–	x	x

Figure 12. Combinations tested during first iteration that remove two non-articulations from PS_prev[1,:].

Table 5. Path set PS and combinations that cause system failure SF, as existent after first iteration of detection process.

PS	isMinPS	SF
{1, 2, 3}	–	{1, 2, 4, 6, 7}
{1, 2, 4, 5, 6}	–	{2, 3}
{1, 3, 4, 5, 6}	–	{5, 6, 7}
{1, 3, 4, 6, 7}	–
{4, 5, 6, 7}	–

Figure 13. Path set PS and combinations that cause system failure SF, as existent after first iteration of detection process.

Table 6. Combinations tested during second iteration of detection process.

					comb stored in simC
Row	PSprev	rn	isArt	comb	No	Yes	sysOp	nonArt
2–1		{1}	–	{2, 3}	$\subseteq \left\{2,3\right\}$	–	–	–
2–2	{1, 2, 3}	{2}	–	{1, 3}	–	x	–	–
2–3		{3}	–	{1, 2}	$\subseteq \left\{1,2,4,6,7\right\}$	–	–	–
2–4		{1}	x	{2}	$\subseteq \left\{1,2,4,6,7\right\}$	–	–	–
2–5		{1}	x	{4, 5, 6}	–	x	x	{5,6}
2–6		{2}	–	{1, 4, 5, 6}	–	x	x	–
2–7	{1, 2, 4, 5, 6}	{4}	x	{1, 2}	$\subseteq \left\{1,2,4,6,7\right\}$	–	–	–
2–8		{4}	x	{5, 6}	$\subseteq \left\{5,6,7\right\}$	–	–	–
2–9		{5}	–	{1, 2, 4, 6}	$\subseteq \left\{1,2,4,6,7\right\}$	–	–	–
2–10		{6}	–	{1, 2, 4, 5}	–	x	–	–
2–11		{1}	x	{3}	$\subseteq \left\{2,3\right\}$	–	–	–
2–12		{1}	x	{4, 5, 6}	Exists in simC	–	x	–
2–13		{3}	–	{1, 4, 5, 6}	Exists in simC	–	x	–
2–14	{1, 3, 4, 5, 6}	{4}	x	{1, 3}	exists in simC	–	–	–
2–15		{4}	x	{5, 6}	$\subseteq \left\{5,6,7\right\}$	–	–	–
2–16		{5}	–	{1, 3, 4, 6}	–	x	–	–
2–17		{6}	–	{1, 3, 4, 5}	–	x	–	–
2–18		{1}	x	{3}	$\subseteq \left\{2,3\right\}$	–	–	–
2–19		{1}	x	{4, 6, 7}	$\subseteq \left\{1,2,4,6,7\right\}$	–	–	–
2–20		{3}	–	{1, 4, 6, 7}	$\subseteq \left\{1,2,4,6,7\right\}$	–	–	–
2–21	{1, 3, 4, 6, 7}	{4}	x	{1, 3}	Exists in simC	–	–	–
2–22		{4}	x	{6, 7}	$\subseteq \left\{5,6,7\right\}$	–	–	–
2–23		{6}	x	{1, 3, 4}	–	x	–	{3}
2–24		{6}	x	{7}	$\subseteq \left\{5,6,7\right\}$	–	–	–
2–25		{7}	–	{1, 3, 4, 6}	Exists in simC	–	–	–
2–26		{4}	–	{5, 6, 7}	$\subseteq \left\{5,6,7\right\}$	–	–	–
2–27		{5}	–	{4, 6, 7}	$\subseteq \left\{1,2,4,6,7\right\}$	–	–	–
2–28	{4, 5, 6, 7}	{6}	x	{4, 5}	–	x	–	{4,5}
2–29		{6}	x	{7}	$\subseteq \left\{5,6,7\right\}$	–	–	–
2–30		{7}	–	{4, 5, 6}	Exists in simC	–	x	–

Table 7. Path set PS and combinations that cause system failure SF, as existent after second iteration of detection process.

PS	isMinPS	SF
{1, 2, 3}	x	{1, 2, 4, 5}
{1, 3, 4, 6, 7}	x	{1, 2, 4, 6, 7}
{4, 5, 6}	–	{1, 3, 4, 5}
		{1, 3, 4, 6}
		{2, 3}
		{5, 6, 7}

Figure 14. Path set PS and combinations that cause system failure SF, as existent after second iteration of detection process.

Table 8. Third iteration of detection process (no combinations tested).​​

					comb stored in simC
Row	PSprev	rn	isArt	comb	No	Yes	sysOp	nonArt
3–1		{4}	–	{5, 6}	$\subseteq \left\{5,6,7\right\}$	–	–	–
3–2	{4, 5, 6}	{5}	–	{4, 6}	$\subseteq \left\{1,3,4,6\right\}$	–	–	–
3–3		{6}	–	{4, 5}	$\subseteq \left\{1,2,4,5\right\}$	–	–	–

Table 9. Minimal path set detected after third iteration of the process.

PS	isMinPS
{1, 2, 3}	x
{1, 3, 4, 6, 7}	x
{4, 5, 6}	x

Table 10. Comparison of effort of minimal path set detection for three cases.

					$n_{\mathrm{s}\mathrm{i}\mathrm{m}}$
Case	System graph	E	d	PS	Monotony only	DMP
1	Figure 10(a)	8	0.381	{1, 2, 3}, {4, 5, 6, 7}	35	15
	Figure 10(a)	8	0.381	{1, 2, 3}, {4, 5, 6}, {1, 3, 4, 6, 7}	40	23
	Figure 15	10	0.476	{1, 2, 3}, {4, 5, 6}, {1, 3, 4, 6, 7}	40	34

Figure 15. An example system graph, higher density than that of Figure 10(a).