The Role of Architectural Model Checking in Conducting Preliminary Safety Assessment

Preliminary safety assessment is an important activity in safety systems development since it provides insight into the proposed system’s ability to meet its safety requirements. Because preliminary safety assessment is conducted before the system is implemented, developers rely on high-level designs of the system to assess safety in order to reduce the risk of finding issues later in the process. Since system architecture is the first design artefact developers produce, developers invest considerable time in assessing the architecture’s impact on system safety. Typical safety standards require developers to show that a plan of safety activities, chosen from recommended options or alternatives, meets a set of objectives. More specifically, the automotive safety standard ISO 26262 recommends formally verifying the software architecture to show that it “complies” with safety requirements. In this paper, we apply an architecture-based verification technique for Architecture Analysis and Design Language (AADL) specifications to an architectural design for a fuel level estimation system to validate certain architectural properties. Subsequently, we build part of the conformance argument to show how the model checking can satisfy some ISO 26262 obligations. Furthermore, we show how the method could be used as a part of preliminary safety assessments and how it can be upheld by the later implementations beside of the other recommend methods.