Towards a Comprehensive Model-Based Safety Assessment: A STPA-Informed Approach

Sun, Minghui, Systems Engineering - School of Engineering and Applied Science, University of Virginia
Fleming, Cody

With the rapidly increasing complexity of modern safety-critical systems, the "model-based" approach has gained much traction for safety assurance, thanks to advances in computational capability and techniques. Model-based applications are now common in industry, for example using models to automatically generate software code, or using models directly as 3D drawings for manufacturing. Similarly, Model-based Safety Assessment (MBSA) has been an important research topic in the safety engineering community over the past two decades. Numerous modeling languages and verification platforms have been developed to automatically derive the safety model directly from the design model, enabling faster and more integrated safety assessment. These models play a critical role in safety assurance because safety-critical decisions are derived directly from them, and they sit at the center of the evidence chain for regulatory compliance. Therefore, they need to be validated before they can be used in any MBSA analysis. Unfortunately, the current MBSA literature falls short in this regard. In general, the MBSA literature focuses on verifying properties and automating safety assessment, with relatively little attention to ensuring that the model used for the analysis is valid in the first place (i.e., free from design errors that could lead to "false assurance" from the verification program).

Therefore, there is a gap between MBSA and safety assurance that stems from validation rather than verification. Although "model validation" has existed probably since simulation was introduced into engineering, or even as far back as the scientific revolution, our problem is different and potentially more challenging: in MBSA (or engineering design more generally), there is no existing system from which data can be extracted to validate the model in the first place.

This dissertation is motivated to bridge this gap. First, because MBSA is a loosely defined concept, a comprehensive investigation of the literature is conducted to identify the defining features and notable patterns of MBSA and, more importantly, to provide evidence that current MBSA approaches indeed lack validation of the model. Second, a safety-guided design methodology named STPA+ (based on STPA, a well-received hazard analysis methodology) is proposed. It develops, at the methodology level, requirements for the system design activity (not for the system being designed) that, if fulfilled in a specific design application, lead to a valid set of system specifications ready to be translated into a model in the target MBSA language. Finally, a case study is conducted on a new Urban Air Mobility (UAM) concept to demonstrate the effectiveness of the proposed methodology.

PHD (Doctor of Philosophy)
MBSA, STPA+, Safety-guided design, Model validation
Issued Date: