MBSA Method

Any modeling is the result of the triptych language / method / tool. An MBSA modeling method is therefore proposed, with its objectives, principles and rules. It can be adapted to suit different fields and problems. The “MBSA for professionals” training course aims to explain and implement this method, based on a generic public library and equipped with CECILIA Workshop.

Definition and objectives

The MBSA approach (Model-Based Safety Assessment or Analysis) is a safety analysis based on both functional and dysfunctional failure propagation models (FPM).
In the context of aeronautical certification (and therefore to be adapted for other domains or contexts), the objectives are as follows:

  • verify the correct allocation of hardware and software DAL (Development Assurance Level)
  • verify the fail-safe principle (no single random failure or one combined with a dormant failure leading to a catastrophic Failure Condition)
  • verify the probabilities of each Failure Condition
  • contribute to common causes analyses
    • common modes (power supply, hardware or software dissimilarity, etc.)
    • zonal (fire, hydraulic leaks, etc.)
    • particular risks (lightning, engine burst, bird strike, etc.)

Input documents include functional and dysfunctional descriptions (design description, technical note, MBSE model, etc.), architecture diagrams (or even wiring diagrams) and certain safety analyses (FMEA/FMES for local component behavior, AFHA/SFHA for definition and criticality of Failure Conditions).

Modeling principles

The meta-model used is represented by three “high-level” views of the system: functional, organic and zonal.

The functional view presents the functions performed by the system in a hierarchical and logical manner. Each function observes one or more elements of the organic view to determine whether or not it has been fulfilled. The highest-level functions are linked to the Failure Conditions that will be targeted for computations.

The organic view includes logic components and equipment, linked together by flows of various types (data, electrical power, hydraulic power, etc.). Failure modes (development errors and/or random failures) are modeled by events within the components that make up the equipment. It is then the flows that propagate these failures throughout the model.

The zonal view groups together the different zones of the aircraft into which all the equipment is distributed. These zones are subject to threats (fire, lightning, bird strike, etc.) which are passed on to the equipment and can have an impact on its operation.

Validation and results

Step-by-step simulation enables the propagation of one or more failures. Predefined scenarios can be played out, or cuts from the results can be replayed to validate the model. This validation phase must be carried out in conjunction with the design team.

Once the model has been validated, CECILIA can be used to compute the combinations of failures and zonal threats that lead to a Failure Condition. The formal nature of the AltaRica language guarantees the completeness of these combinations.

Three types of results are obtained:

  • “global” cuts, including zonal threats, which will contribute to common causes analyses,
  • “Functional Failures Set” (FFS), combining hardware and software development errors, to validate the allocation of DAL (Development Assurance Level),
  • “Minimal Cuts Set” (MCS), combinations of random hardware failures, to verify the fail-safe principle and to compute and verify the probabilities of Failure Conditions.
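The following added example (not code from the page, nor CECILIA or AltaRica output) illustrates, on a constructed dual-channel braking model, how the organic view propagates random failures through flows, how the functional view observes them to decide a Failure Condition, and how the resulting Minimal Cuts Set is used to check the fail-safe principle (no order-1 cut, no order-2 cut involving a dormant failure) and to approximate the Failure Condition probability. All component, event and flow names are assumptions for the illustration.

```python
from itertools import combinations

# Constructed organic view: failure events of a dual-channel braking system.
# name -> (probability per flight hour, dormant?)
EVENTS = {
    "pump_A_loss":   (1e-4, False),
    "pump_B_loss":   (1e-4, False),
    "valve_B_stuck": (1e-5, True),   # dormant: only revealed when channel B is needed
    "power_loss":    (1e-6, False),  # shared supply feeding both pumps (common cause)
}

def propagate(failed):
    """Organic view: derive the state of each flow from the set of failed events."""
    power_ok = "power_loss" not in failed
    channel_a = power_ok and "pump_A_loss" not in failed
    channel_b = power_ok and "pump_B_loss" not in failed and "valve_B_stuck" not in failed
    return {"channel_A": channel_a, "channel_B": channel_b}

def braking_lost(flows):
    """Functional view: the braking function observes both channels; lost when both are."""
    return not (flows["channel_A"] or flows["channel_B"])

def minimal_cut_sets(events, failure_condition, max_order=3):
    """Enumerate event combinations by increasing order and keep those that lead to the
    Failure Condition without containing a smaller cut already found (minimality)."""
    cuts = []
    for order in range(1, max_order + 1):
        for combo in combinations(sorted(events), order):
            s = frozenset(combo)
            if any(c <= s for c in cuts):
                continue
            if failure_condition(propagate(s)):
                cuts.append(s)
    return cuts

def fail_safe_violations(cuts, events):
    """Fail-safe principle: no single failure, and no single failure combined with a
    dormant failure, may lead to the (catastrophic) Failure Condition."""
    bad = [c for c in cuts if len(c) == 1]
    bad += [c for c in cuts if len(c) == 2 and any(events[e][1] for e in c)]
    return bad

def fc_probability(cuts, events):
    """Rare-event approximation: sum over the MCS of the product of event probabilities."""
    total = 0.0
    for c in cuts:
        p = 1.0
        for e in c:
            p *= events[e][0]
        total += p
    return total
```

On this model the MCS are {power_loss}, {pump_A_loss, pump_B_loss} and {pump_A_loss, valve_B_stuck}; the first is an order-1 cut and the last combines an active failure with a dormant one, so both are flagged as fail-safe violations to be fed back to the design team.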