Behavioral fault modeling and model composition for Model-Based Safety Analysis

System safety analysis, performed as a part of the development of safety-critical systems, provides assurance that the system satisfies certain safety constraints even in the presence of certain failures. Safety analysis techniques, such as fault tree analysis, are well established and are used extensively during the design of safety-critical systems. Despite this, most of the techniques are highly subjective and dependent on the skill of the practitioner. These analyses are performed almost entirely manually based on informal system requirements and design, and may, consequently be incomplete, inconsistent, and erroneous. In fact, the lack of precise models of the system architecture and its failure modes often forces the safety analysts to devote much of their effort to finding undocumented details of the system behavior and embedding this information in the safety artifacts.;To address issues related to the informal nature of the current safety analysis process, this dissertation presents Model-Based Safety Analysis , a behavioral, model-based approach to safety analysis. Model-based safety analysis is an extension to the existing model-based development process, where various development activities are based on a central (formal) model of the system under development. Starting from the system models created by systems engineers during model-based development, model-based safety analysis incorporates additional information required specifically for the system safety analysis. This additional information is in the form of (1) the system components that were not considered in model-based development, but are required to complete the system nominal (non-failure) model for system safety analysis, and (2) the system fault behaviors that are required to analyze the system behavior in presence of subsystem faults and failures. Based on the modeled system nominal and fault behaviors, model-based safety analysis aims to automate parts of the safety analysis and, consequently, both reduce the cost and improve the quality of the safety analysis.;System fault behaviors can be quite varied and complex. Incorporating these complex fault behaviors directly into the nominal system model complicates and clutters the model to the point of obscuring the system's nominal functionality. This additional complexity makes model development, inspection, and maintenance difficult. Furthermore, in the absence of tool-support, the incorporation of the fault behaviors is performed manually, leading to error-prone model extension. Current modeling notations and tools do not provide support for modeling and composing fault behaviors.;Providing language and tool support for flexible modeling of fault behaviors and their composition is crucial for achieving realistic safety analysis, and is the focus of this dissertation. We present LustreFM, a domain-specific fault modeling language as an extension to the formal specification language, Lustre. LustreFM enables the engineers to specify realistic behavioral faults with the help of specialized constructs. We have developed a prototype tool, LustreFMWeaver, to automatically weave the fault behaviors specified in LustreFM into a nominal model specified in Lustre to generate an extended Lustre model that can now be used for safety analysis. We demonstrate the feasibility of the presented behavioral fault modeling language and automatic model composition tool using an aircraft wheel brake system example.