How to Keep Consistency between System Architecture and Their Fault Trees: A Lightweight Approach

FTA (Fault Tree Analysis) is one of prominent safety analysis techniques in the automotive industry partly because of its graphical representation and partly because of cut-set analysis. Especially because FTA is a practical solution for analyzing multiple-points faults, it is extensively used for items assigned with ASIL C or D safety goals. Our experience shows that, for successful application of FTA, the consistency between system architecture and its fault tree is essential. Unfortunately, as system size grows, and development time shortens, it is becoming difficult to keep this consistency manually. In this paper, we propose a light-weight approach for this consistency systematically. Our idea stems from the ‘reflexion model' proposed in software architecture recovery research: firstly, we assume that a functional block diagram (FBD) describes system architecture. Based on this assumption, we define fault tree modeling conventions for attaching structural information to fault tree events. Then, we develop an algorithm for deducing an FBD from fault trees. Finally, the comparison of the deduced FBD to the original shows inconsistencies between system architecture and its fault trees. To illustrate the effectiveness of our approach, we will explain the experience of our proposal in an industrial product.