Use of automated tools for analyzing the propagation of failures in aircraft system

One of the problems of modern aviation is the saturation of aircraft systems with software and electronics. Safety Architect is an automated tool for reliability analysis using functional-flow architectural models. This article introduces the Safety Architect technology for building failure propagation models and fault trees. After the analysis, conclusions were drawn about the flaws of this tool: the failure propagation model is built only on the basis of the architectural model of functional flows, without taking into account the various operating modes of the system and the transitions between them. The basic principles for developing a new failure propagation model were derived.


Introduction
Systems engineering (SE) is a scientific and methodological discipline that studies the design, creation and operation of structurally complex, large-scale, human-machine and sociotechnical systems, and also offers principles, methods and tools for their development. When developing and designing such systems, problems arise, as a rule, that relate not only to the properties of their constituent parts (elements, subsystems and connections), but also to the laws of functioning of the system as a whole and to ensuring its life cycle (general system problems), as well as a wide range of specific tasks, such as determining the overall structure of the system, organizing interaction between subsystems and elements, taking into account the influence of the external environment, choosing optimal operating modes, optimal system control, related technological processes, and so on. Model-based systems engineering (MBSE) methodology has been one of the most important developments in the design of complex hardware and software systems over the past two decades. For example, Airbus has been working in the field of SE since the early 2000s [1]. By 2016, its own FAST MBSE software environment had been developed on the basis of the open software platform MBSE Papyrus. Boeing has been active in the MBSE area since the beginning of 2000 [2]. A set of software tools is used, the main one being the commercial base product of the American company Vitech; this software is only sold to NATO countries. The main focus of the work is to support model-based security assessment. Thales, from 2001 to 2009, developed its own model-based methodology and the Capella tool on the basis of the generally accepted SE methodology [3]. In 2010, Thales published the Capella methodology. Thales is the creator of both the Capella workbench and the Arcadia methodology. Rolls Royce has been using Capella to develop model-based systems since 2016. The main focus of the work is to support model-based safety assessment.
The main problem in the development of modern aircraft is the delay and uncontrolled growth of project budgets due to errors and inconsistencies caused by: 1. the actively growing complexity of aviation systems; 2. the actively growing level of systems integration; 3. the heterogeneity of aircraft systems (mechanical, electrical, computer, etc.). The main reason for the serious exacerbation of the first two of these factors is the saturation of aircraft systems with software and electronics.
As proof, INCOSE statistics [4]: if in 1960 software was responsible for 8% of the functions of military aircraft, then by 2000 its share had increased to 80%. As a result, there was a need for an architecture model that would reflect all the functional relationships of the various aviation systems. The MBSE-based reliability and safety method determines the functional architecture of the system in order to identify safety threats [4]. In this approach, most of the information is captured directly in the system model, and this information is maintained throughout the life cycle. Based on the obtained architecture model, a failure propagation model (FPM) is built. This model allows one to assess the degree of influence of various errors on the process and to identify those parts of the process that need to be changed. After the FPM, fault trees are built: logical combinations of random events leading to errors, failures, violations, etc., with a guarantee of completeness of the analysis. A fault tree provides a static "picture" of the combinations of failures that can lead to a main event.
This paper considers Safety Architect, a safety risk analysis tool that implements the MBSE approach. It describes the technology for building a failure propagation model and a fault tree using Safety Architect, as well as methods for evaluating critical systems. In the course of the work, flaws were found and proposals were made for their elimination and for future development.

Failure propagation model in Safety Architect
Safety Architect is a risk analysis tool for complex systems that uses functional or physical architectures from common modeling tools such as SysML- or UML-based tools [5]. Safety Architect facilitates risk analysis of complex systems by automatically generating FMEAs and fault trees. The failure propagation model, an example of which is shown in Fig. 1, is a set of blocks (low-level and high-level system components, and a subject outside the system) connected by data transmission channels.
The black box in Fig. 2 is the lowest-level component of the system. Its internal structure cannot be changed, but input and output ports can be added. By default, a black box is created with input and output ports; this behavior can be changed in the application settings. There are four types of black box: universal, physical, logical and functional.
The source of a propagation channel (an example is shown in Fig. 3) can be a failure mode of an input/output port of the barrier, an outgoing propagation channel, a system event or a local event, or a logical element. The target of a propagation channel can be a failure mode of an input/output port, an incoming propagation channel, or a logical element. The Activity Explorer guides the user through the analysis process. It describes each step of the safety analysis and allows the user to perform the actions directly. The Activity Explorer consists of five functions: Workflow, System Modeling, Hazard Analysis, Failure Mode Analysis, and Safety Element Identification.
This page of the program provides a big picture of all the actions that can be performed in Safety Architect. The flow of activities is top-down, but they can be performed iteratively.

System Modeling
This action allows the user to define and model the system under analysis. On the left side, the user can create new model architecture diagrams or a white box. On the right side, in the Diagram Viewer, all diagrams already created are listed, sorted by viewpoint and by diagram type.

Hazard Analysis
With this action, the user can determine the risks for the analyzed system. Concern events and families of concern events are created on the left side and then displayed in the viewer on the right side.

Failure Mode Analysis
This action allows the user to identify failures in the system by assigning specific equations to each black box and associating failure modes with hazardous events or families of hazardous events.

Safety Element Identification
This action allows the user to identify the safety elements in the propagation tree by running the propagation wizard. Once propagation trees are created, they are displayed in the viewer on the right side.

Building a fault tree in Safety Architect
The more complex the system, the greater the need for a deep analysis method to identify all possible combinations of failures that can lead to a loss of system integrity. One such technique is Fault Tree Analysis (FTA). FTA is a top-down approach that analyzes an event or failure mode and works downwards to uncover the true cause of the failure and determine risk management measures [6].
The methodology for automatically generating FMECA and fault trees using Safety Architect consists of 6 main steps:
1. Import: create or import a functional system model for analysis.
2. Modeling: create or complete the diagrams of the model.
3. Local analysis: define the local failure logic for each end block in the system, i.e. link the failure modes of the block's outputs to the failure modes of its inputs or to its local events. This step is performed manually by the analyst.
4. Global analysis: performed automatically by the propagation engine.
5. Report: provides model information in the Propagation Tree Report, FMECA Report, Critical Blocks Report and Critical Flows Report.
6. Export: export models to other tools, such as tree work, etc.
To create a fault tree, use the global analysis function on the toolbar and select a viewpoint, propagation restrictions and an investigation method. Once a propagation tree has been created (an example is shown in Fig. 5), it can be viewed during a global analysis using the standard fault tree editor. However, this representation is not easy to understand and is difficult to read for large fault trees. For this reason, a graphical representation of a set of propagation trees (Fig. 6) is created, in which the user can freely place the graphic elements.

Flaws of Safety Architect technology and future development
When analysing the work of Safety Architect, flaws were found. The failure propagation model is built only on the basis of the architectural model of functional flows, without taking into account the various modes of operation of the system and the transitions between them. This limits the search for events leading to system failure.
In this regard, the principles of future development of the failure propagation model were developed to take the operating modes of the system into account:
1. In addition to the architectural model of functional flows, in order to build an extended failure propagation model, it is necessary to have (build) an architectural model of transitions between modes of operation.
2. Each internal function failure and each function port failure state must then be related to one or more modes of operation/functions.
3. Each mode transition must be associated with one or more function flows (between functions) in the function flow model.
4. The logic of failure propagation within a function, from failures of input ports and internal failures to failures of output ports (that is, a local model of failure propagation within an independent function), should be built taking into account the modes of operation to which these failures and failure states belong.
Then, based on this extended failure propagation model, a fault tree is built for each individual mode related to the failure that is the top (analyzed) event. This development of the failure propagation model will significantly improve the accuracy of the safety analysis, since previously the safety analysis only implicitly took into account the modes of operation (functioning) of the system.
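As an added illustration, not code from the paper, Safety Architect or System Composer, the following Python sketch implements the local analysis (output failure modes linked to input failure modes or local events) and global analysis (propagation along flows down to a fault tree's minimal cut sets) described in the six-step methodology above, and adds the mode tagging proposed in principles 2 and 4. The three-block flow model, its events and the modes "takeoff"/"cruise" are constructed for the example; passing `mode=None` reproduces the mode-unaware analysis so the difference in cut sets is visible.

```python
from itertools import product

# Constructed three-block functional flow: sensor -> fcc -> actuator.
# A failure on a source output port propagates unchanged to the target input port.
FLOWS = {"sensor.out": "fcc.in", "fcc.out": "actuator.in"}
TARGET_TO_SOURCE = {dst: src for src, dst in FLOWS.items()}

# Local analysis: output failure mode -> (gate, sources, modes in which the rule applies).
# Sources are input-port failure modes ("<block>.in.<fm>") or local events ("<block>.ev.<name>").
# The mode set is the proposed extension; a plain functional-flow rule carries no such tag.
LOCAL = {
    "sensor.out.loss":        ("OR",  ["sensor.ev.hw_fail"],                      {"takeoff", "cruise"}),
    "sensor.out.erroneous":   ("OR",  ["sensor.ev.drift"],                        {"takeoff", "cruise"}),
    "fcc.out.loss":           ("OR",  ["fcc.in.loss", "fcc.ev.sw_crash"],         {"takeoff", "cruise"}),
    # constructed assumption: the output monitor can only be switched off during takeoff
    "fcc.out.erroneous":      ("AND", ["fcc.in.erroneous", "fcc.ev.monitor_off"], {"takeoff"}),
    "actuator.out.loss":      ("OR",  ["actuator.in.loss", "actuator.ev.jam"],    {"takeoff", "cruise"}),
    "actuator.out.erroneous": ("OR",  ["actuator.in.erroneous"],                  {"takeoff", "cruise"}),
}


def minimize(cut_sets_):
    """Keep only minimal cut sets: drop any set that contains another one."""
    return {cs for cs in cut_sets_ if not any(other < cs for other in cut_sets_)}


def cut_sets(event, mode):
    """Global analysis: expand `event` through the flow model and return the
    minimal cut sets (combinations of local events) that cause it in `mode`.
    mode=None ignores the mode tags, i.e. the mode-unaware analysis."""
    block, port, fm = event.split(".")
    if port == "ev":                                   # basic (local) event
        return {frozenset([event])}
    if port == "in":                                   # follow the incoming flow backwards
        return cut_sets(TARGET_TO_SOURCE[block + ".in"] + "." + fm, mode)
    gate, sources, modes = LOCAL.get(event, ("OR", [], set()))
    if mode is not None and mode not in modes:         # rule inactive in this mode
        return set()
    if gate == "OR":                                   # any one source failure suffices
        result = set().union(*(cut_sets(src, mode) for src in sources))
    else:                                              # AND: one cut set from every source
        per_source = [cut_sets(src, mode) for src in sources]
        result = ({frozenset().union(*combo) for combo in product(*per_source)}
                  if all(per_source) else set())
    return minimize(result)
```

`cut_sets("actuator.out.erroneous", "cruise")` is empty, while the same top event analysed with `mode=None` reports the cut set {sensor.ev.drift, fcc.ev.monitor_off}, which in this model can only arise during takeoff.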
To implement these requirements for the model, we suggest using the MATLAB System Composer package. The workflow in System Composer involves translating stakeholder needs into system-level requirements and then using them to drive the architectural design using behaviors. With System Composer one can [7]:
1. Draw an architecture model with components, ports, and connectors.
2. Extend the modeling language to capture metadata and style architectural elements using stereotypes.
3. Define data, physical or client-server interfaces for ports and use connectors to describe how components interact.
4. Create architecture views using filters based on elements or property values.
5. Present the system in a sequence diagram to describe its behavior as a sequence of interactions.
6. Establish directional relationships between functional, logical, and physical architectures using allocations.
The new methodology for building an extended failure propagation model based on MATLAB System Composer (Fig. 7) is:
1. Building an architectural model of the functional system, using the Allocation function to establish traceable and directional relationships between architectural elements and modes.
2. Building a failure propagation model.
3. Based on the selected event in the failure propagation model, building a fault tree.

Conclusion
In this paper, we considered the possibilities of creating a failure propagation model for reliability and safety analysis in the Safety Architect application. With its help, we built a failure propagation model based on the architectural model in order to address such problems of modern aircraft as the saturation of systems with software, which makes expert safety analysis difficult. Based on the obtained model, we built a graphical representation of the fault tree to ensure the completeness of the analysis of the risks that cause the main event.
Despite the methods implemented in Safety Architect to search for functional threats that lead to failures, we identified a number of flaws, one of which is the lack of consideration of modes. Principles for future improvement and a new methodology for building a failure propagation model for accurate risk analysis were established.