Illustrating the AADL error modeling annex (v.2) using a simple safety-critical medical device

Abstract

Developing and certifying safety-critical and highly reliable systems almost always includes significant emphasis on hazard analysis and risk assessment. There have been substantial improvements in automation and formalization of other aspects of critical system engineering including model-driven development, analysis of source code and models, and verification techniques. However, hazard analysis and risk assessment are still largely manual and informal activities, tool support is limited (which for both development and auditing, increases time and effort and reduces accuracy and correctness), and artifacts are not integrated with architectural descriptions, system interfaces, high-level behavioral descriptions or code. The Error Model annex of the Architecture Analysis and Design Language (AADL) provides formal and automated support for a variety of forms of hazard analysis and risk assessment activities. Specifically, it enables engineers to formally specify errors, error propagation, error mitigation -- using annotations that are integrated with formal architecture and behavioral descriptions written in AADL. Plug-ins to the Open-Source AADL Tool Environment (OSATE) process these annotations to provide various forms of (semi)-automated support for reliability predication and tasks necessary to support common hazard analysis and risk assessment techniques such as Failure Modes and Effects Analysis (FMEA), Fault Tree Analysis (FTA), and Functional Hazard Analysis (FHA). In this paper, we illustrate basic aspects of Error Modeling in AADL using a simple safety-critical medical system -- an infant incubator called "Isolette". We summarize standard tasks involved in FMEA and FTA, we illustrate the principal steps involved in AADL Error Modeling for the Isolette, and we describe how those steps relate to FMEA and FTA. We give a brief survey of emerging automated analysis tools implemented as plug-ins to the AADL OSATE environment that process error modeling annotations. We believe this introduction to Error Modeling in AADL can expose engineers of high-integrity systems to techniques and tools that can provide a more rigorous, automated, and integrated approach to important risk management activities.