Defining and characterizing model-based safety assessment: A review

Model-based safety assessment (MBSA) has been one of the major research thrusts of the System Safety Engineering community for about three decades. It has attracted attention in many safety-critical industries, such as aviation, mining, and nuclear power. However, there is still a lack of consensus on what MBSA is. For example, how is MBSA different from the traditional safety analysis approach? How one MBSA approach is different from another? The ambiguity in the identity of MBSA poses significant challenges to the advancement of MBSA as an active research area. To answer these questions, we conducted a systematic review of the MBSA literature. Overall, 134 articles were selected for review from a total of 864 papers. We found four core activities that an MBSA approach must perform. Based on how each core activity was conducted, we were able to define (i.e., setting MBSA apart from other safety analysis approaches) and characterize (i.e., setting one MBSA approach apart from another) MBSA. As a result, an MBSA approach must at least (1) model component faults and fault propagation, (2) support the automatic computation of the desired safety analysis, (3) ensure the consistency between the design model and the safety model at the architecture level, and (4) demonstrate the safety risk due to component faults are acceptable. In addition to the insights and implications we identified for each core activity, we presented at the end of the paper a pressing issue of MBSA that multiple articles pointed out over the years: model validity. Without ensuring the validity of the safety model, it will be very challenging to utilize MBSA to its full potential for safety assurance.