MATEC Web of Conferences 139, 00219 (2017)  DOI: 10.1051/matecconf/201713900219
ICMITE 2017

Model-based safety analysis of a control system using Simulink and Simscape extended models

Nian Shao 1,2, Shuguang Zhang 1,2, and Hui Liang 1,2
1 School of Transportation Science and Engineering, Beihang University, Beijing, China
2 Airworthiness Technology Research Centre, NLAA, Beijing, China

* Corresponding author: [email protected]
© The Authors, published by EDP Sciences. This is an open access article distributed under the terms of the Creative Commons Attribution License 4.0 (http://creativecommons.org/licenses/by/4.0/).

Abstract. The aircraft or system safety assessment process is an integral part of the overall aircraft development cycle. It usually demands a very high effort in time and cost and can become a critical design driver in certain cases. Therefore, an increasing demand for effective methods to assist the safety assessment process arises within the aerospace community. One approach is the utilization of model-based technology, which is already well established in system development, for safety assessment purposes. This paper mainly describes a new tool for Model-Based Safety Analysis. A formal model of an example system is generated and enriched with extended models. Then, system safety analyses are performed on the model with the assistance of automation tools and compared to the results of a manual analysis. The objective of this paper is to improve the increasingly complex aircraft systems development process. This paper develops a new model-based analysis tool in the Simulink/Simscape environment.

1 Introduction

Safety and reliability are essential for commercial aircraft design. The conventional safety analysis methods have become very mature after a long time of research and development. However, with the increasing complexity of aircraft systems, some limitations of these methods arise.

Fenelon [1] pointed out that the design process and the safety assessment process are usually not satisfactorily integrated. He used the expression "over the wall" to describe the gap between the design and the safety process. In addition, conventional safety analysis methods are faced with the problem of low efficiency.

With the problems of conventional safety analysis methods, an increasing demand for effective methods arises. One approach is the utilization of model-based technology. The ESACS [2] project and its follow-up project ISAAC developed safety analysis methodology and tools in Simulink, SCADE, Statemate, NuSMV and AltaRica [3]. In the year 2005, Joshi et al. proposed the term "Model-Based Safety Analysis (MBSA)" for this kind of safety analysis method [4]. The European project MISSA [5] was dedicated to integrating model-based safety assessment into the system development process described by ARP4754A [6] and testing these processes on industrial examples. In 2016, Schallert [7] established safety analysis methods using multi-domain object-oriented models in Modelica.

MBSA becomes more and more popular and gradually gains the recognition of the authorities. AC 20-115C [8], released by the FAA in 2013, formally recognizes the model-based methodology.

2 System safety assessment process

2.1 Typical system safety assessment process

Fig. 1. System safety assessment process described in SAE ARP-4761 (system requirements and objectives; aircraft FHA and system FHAs with FC&C and FE&P cross-checks at aircraft and system integration level; PSSAs with system FTAs and derived safety requirements feeding the design; SSAs with system FMEAs, system FTAs and the aircraft FTA, leading to certification).

Fig. 1 shows the overall safety assessment process according to ARP-4761 [9]. The whole process includes the validation of requirements and the verification of products. An aircraft-level Functional Hazard Analysis (FHA) is

initially conducted, followed by a System FHA, then the Preliminary System Safety Assessment (PSSA). During the PSSAs, safety requirements are derived using Fault Tree Analysis (FTA) and probability budgeting. This is usually an iterative process including the PSSA and the system design definition and refinement.

After the determination of the final design, the compliance of the implemented products with the safety requirements is verified during the System Safety Assessment (SSA). During this process, the system Failure Modes and Effects Analysis (FMEA) provides the failure probabilities of the single items. Those are the inputs for the system-level FTA and the aircraft-level FTA, which are conducted to verify that the systems and the overall aircraft satisfy the top-level safety requirements.

2.2 Utilization of MBSA in the typical safety process

The simulation models mentioned in this article can serve as the formal specification in a model-based development. They are also available to assist conventional safety processes. The integration work is inspired by the qSafe project [10].

In the PSSA process, the objective of MBSA is to assist the validation of system requirements. The model describes the system architecture and functional properties. The models are based on the Simscape language, which provides the possibility of computer assistance. MBSA is introduced into the conventional safety assessment process to assist the FTA. MBSA can traverse all possible failure mode combinations of a system without omission in a short period of time. More importantly, MBSA can generate minimal cut sets for the FTA.

In the SSA process, FMEA and bottom-up FTA are applied for the verification of the system implementation. Here MBSA focuses on the physical implementation and specific performance of components and systems. Information on failure modes and effects can be identified through simulation and analysis. MBSA is thus utilised in the ARP-4761 [9] safety process to assist the FTA and FMEA of complex multi-domain systems in the PSSA and SSA processes.

2.3 Simscape modelling

The complete work described in this article is developed in the MATLAB environment. The models are built and modified in the Simulink environment. The formal system model is built with Simscape. Simscape enables the rapid creation of physical system models within the Simulink environment. With Simscape, physical component models based on physical connections that directly integrate with block diagrams and other modelling paradigms can be easily built. Systems like electric motors and hydraulic actuators can be modelled by assembling fundamental components into a schematic. Furthermore, as the principle of Simscape is physical modelling, the resulting models are intuitively comprehensible without detailed knowledge of numerical simulation methods and modelling paradigms, which benefits the interaction between design and safety analysis.

Simscape is one of the undirected (acausal) numerical simulation languages. Undirected numerical models describe systems as networks of functional elements that exchange energy through their ports. The component behaviour is encoded by differential algebraic equations, and every component is associated with some variables. Undirected numerical models distinguish potential (across) variables (voltage, velocity, pressure, etc.) and flow (through) variables (current, force, flow rate, etc.).

3 A practicable MBSA modelling process using Simscape

3.1 Modelling of the exemplar control system

The example is a simplified control system model for a control surface (see also Fig. 2). The function of the system is to control the position of the control surface (represented by the mass block m in Fig. 3). There is a control circuit providing power and transmitting control signals. It includes a resistor, connected with a control voltage source and a fuse, as well as a motor driving the control surface. A sensor is connected to the motor to detect the angular displacement.

Fig. 2. A schematic diagram of the exemplar control system (pilot command position, control computer, actuation system, control surface under aero load, output position; the position sensor feeds the measured position back to the control computer).

The system input is the pilot command on the control column, which is simulated by a position command signal in the "Pos_cmd" block. The control signal is transmitted to the PI controller, which sets the voltage of the voltage source. The voltage source drives the electric motor, and the motor generates a torque which is applied to the control surface.

Fig. 3. Simscape model of the exemplar control system.

The resulting angular displacement is measured by the sensor. The purpose of the damper block is to roughly approximate the dynamic behaviour of a real motor. The sensor transmits the angular displacement

value to the controller as a negative feedback value, used by the controller to track the desired position signal. Once the commanded position is reached, the controller gives a constant value to the voltage source due to its integrating behaviour, and the control surface stays at the intended position. If the current in the circuit is too large, the fuse cuts off the circuit.

3.2 Fault modelling

3.2.1 Classification of component failures

For the effectiveness and usability of a simulation model, the failures should be modelled in a simple, intuitive way, especially for very large systems with numerous combinations of possible component states.

Schallert [7] establishes a catalogue of component failures for system safety analysis. This catalogue limits the possible failure modes of every component to three basic types of behaviour. This limitation of the number of failures intends to avoid unnecessary modelling details and high computational effort during simulation when combinations of failure modes are considered. A component therefore has 4 states in total.

Table 1. General component failure modes.

  Mode   0                1                   2                   3
  State  Normal function  Loss of function 1  Loss of function 2  Inadvertent function

Table 2. Component failure modes.

  Component         Mode 0   Mode 1          Mode 2         Mode 3
  Sensor            Nominal  Loss of signal  Signal bias    -
  Motor_mechanical  Nominal  Jam             Disconnection  -
  Motor_electrical  Nominal  Open circuit    Short circuit  -
  Resistor          Nominal  Open circuit    Short circuit  -
  Fuse              Nominal  Stuck open      Stuck close    -
  Power supply      Nominal  Loss of output  -              -

Mode 0 means the normal function or intact state of a component or function.

Mode 1 means a type of function loss where the transducing function of a component is lost. This can be an electrical open circuit (O/C, i → 0) or a mechanical disconnection (f → 0 or τ → 0). For a sensor, mode 1 represents "loss of signal".

Mode 2 is also a type of function loss, where a transducing component is stuck in a certain state. It can be an electrical short to ground (v → 0) or mechanical jamming (v → 0 or ω → 0).

Mode 3 means some inadvertent activation of a component. This can be for example the "stuck close" failure mode of a switch or an erroneous signal given by a sensor (bias).

In this simplified system there are five components with failure modes: the energy source, the resistor, the fuse, the motor and the sensor. For convenience and efficiency of simulation, the motor is split into a mechanical part and an electrical part.

3.2.2 Failure mode control

To exhaustively simulate all the combinations of failure modes, a way to control the failure mode must be provided. Simscape enables customized components, which means the user can modify library components or create new ones. The extended models are mostly modified from Simscape library models. Simscape models are based on equations written in the Simscape language (source code). A variable named "failure mode" is added to the source code of each component. The value of the variable is assigned according to the mode in which the component is intended to fail, and the value of "failure mode" switches the equations of the component accordingly.

For example, the source code of the Simscape component Resistor is (abbreviated to its parameters and equations; the node, variable and branch declarations of the library component are omitted):

  component resistor
    parameters
      R = { 1, 'Ohm' }; % Resistance
    end
    equations
      assert(R >= 0);
      v == R*i;
    end
  end

A resistor can fail short or fail open. According to the classification stated in subsection 3.2.1, the open circuit state of a resistor is represented as "FM_R = 1". Similarly, "FM_R = 2" means a short circuit of the resistor. The resistor is extended by modifying the source code. The following source code represents a new component extended from the original resistor. The mode of this new resistor is controlled by feeding in different values of FM_R; in this way the failure mode of the component is controlled through its mode input. The source code of the extended resistor is as follows (node, variable and branch declarations again as in the library resistor; the open- and short-circuit resistance values are placeholders):

  component resistor_ext
  % Resistor with controllable failure mode
    inputs
      FM_R = 0; % failure mode: 0 nominal, 1 open circuit, 2 short circuit
    end
    parameters
      R   = { 1,    'Ohm' }; % Nominal resistance
      Roc = { 1e9,  'Ohm' }; % Open-circuit resistance (placeholder value)
      Rsc = { 1e-6, 'Ohm' }; % Short-circuit resistance (placeholder value)
    end
    equations
      assert(R >= 0);
      assert(FM_R == 0 || FM_R == 1 || FM_R == 2, 'invalid FM_R');
      if FM_R == 1
        v == Roc*i;  % open circuit: i -> 0
      elseif FM_R == 2
        v == Rsc*i;  % short circuit: v -> 0
      else
        v == R*i;    % nominal behaviour of the library resistor
      end
    end
  end

In a similar way, failure models of several other commonly used components are built and stored in a failure model library.

3.3 Extension of the system model

In the extended system model, the original component models are replaced by fault models. There are mode input ports to control the behaviour of all the concerned component models.

Fig. 4. Extended exemplar control system model.

The motor is controlled by two mode input ports, as it is represented by an electrical and a mechanical part internally. The sensor also gives an additional unbiased "real" signal to the scope for the convenience of observation. The "heat sensor" block is designed to take a special condition into consideration: a short circuit of the resistor with the fuse stuck close. In this condition, the heat sensor output falls from 1 to 0, which indicates a potential burn-down of the circuit.

3.4 Analysis of the exemplar control system through simulation

Partial automation of the safety analysis process can both reduce the cost and improve the quality of the results. The result is a form containing all combinations of failure mode numbers and the corresponding FE No., which can be analysed to identify critical combinations of failures or even to construct the cut sets leading to a certain effect.

3.4.2 FMEA

An FMEA intends to find out single faults and their local effects. The example model used here is quite basic and not structured hierarchically. Therefore, the local effects determined by the FMEA can be considered to be functional failure effects on system level.

The single failures can be simulated by simply applying the respective failure mode number to the corresponding component.

The results of the simulation are shown in Fig. 5 and Fig. 6. The positions (rad) are shown on the y-axis and the time (s) on the x-axis. Three types of position signals are depicted: the command position given by the pilot (plotted in green), the position detected by the sensor (plotted in blue, dashed) and the real position (plotted in red, dotted).

At first, the control surface stays at position 0. After 5 seconds, a command is given to the system to move the control surface to position 0.2. At the 30th second, the position command is released.

Fig. 5 shows the normal function of the sample control system. The real position follows the control input well, and there is no bias between the detected position and the real position. Fig. 6 shows the condition where the sensor signal is biased: the system tends to force the detected position to follow the command position, and there is a steady bias between the real position and the command position.

Fig. 5. Nominal function display.

Fig. 6. Position bias display.

3.4.3 Combinations of failure modes

This analysis intends to find out all failure effects caused by the combinations of different failure modes (as there might be hidden failure effects which cannot be detected by the single-failure FMEA).

To automate the simulation, three basic steps are implemented. The first step is to generate a matrix containing all "combination vectors". Each vector represents a specific combination of the failure modes, with one entry per component in the order sensor, motor (mechanical part), motor (electrical part), resistor, fuse, power supply (the column order of Table 4). For example, (1 0 0 0 2 0) means sensor "loss of signal" combined with fuse "stuck close". With the mode counts of Table 2 (three modes each for the sensor, the two motor parts, the resistor and the fuse, two for the power supply), a total of 3 × 3 × 3 × 3 × 3 × 2 = 486 combinations is generated. After removing the combinations in which more than two components fail at the same time, 62 combinations (the nominal case, the 11 single failures and the 50 double failures) are taken into consideration. The second step is to automatically run the simulation of all the combinations. The values of the mode input ports are set to the respective elements of the vectors. The third step is

to plot the results and save the pictures for the analysis reports.

Yet it is not enough to have only the results plotted as time traces. The next goal is to automatically analyse the simulation results, i.e. to determine the effects resulting from the different combinations. The analysis results can also help to find the combinations leading to a specific top event (i.e. the cut sets).

Table 3. Failure effect codes.

  FE No.          0        1      2            3              4         5
  Failure Effect  Nominal  Stuck  Follow wind  Position bias  Unstable  No effect

A set of expected failure effects can be obtained from the FMEA and the simulation results. A unique failure effect code is assigned to each failure effect (see Table 3). Fig. 6 shows the "Stuck" failure effect, which is the consequence of the motor "Jam" failure.

Fig. 6. Failure effect "Stuck".
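The automatic determination of effects from time traces, which the text above sets as the next goal, as an added Python example rather than code from the paper. The paper's Simscape electro-mechanical model is replaced here by a reduced loop model (a PI controller driving the surface rate directly) that is an assumption of this example, as are the sensor bias of 0.05 rad, the aero-load rest position of -0.1 rad and the 1 rad run-away limit. Only the sensor and the mechanical motor part carry failure modes, numbered as in Table 2; the scenario (rest at 0, command 0.2 rad from 5 s to 30 s) is that of Section 3.4.2, and the classifier assigns the codes of Table 3. All function and constant names are the example's own.

```python
"""Fault injection and automatic failure effect classification (added example).

A reduced model of the position loop stands in for the paper's Simscape
model: the PI output is taken directly as the surface rate. Sensor and
mechanical motor failure modes are numbered as in Table 2 of the paper,
failure effect codes as in Table 3.
"""

FE_NOMINAL, FE_STUCK, FE_FOLLOW_WIND, FE_POSITION_BIAS, FE_UNSTABLE, FE_NO_EFFECT = range(6)

# Scenario of Section 3.4.2: rest at 0, command 0.2 rad from t = 5 s, released at 30 s.
T_CMD_ON, T_CMD_OFF, CMD_LEVEL = 5.0, 30.0, 0.2
# Assumed values of this reduced model (not taken from the paper).
SENSOR_BIAS = 0.05    # rad added to the measurement in sensor mode 2
WIND_POSITION = -0.1  # rad where the aero load carries a disconnected surface
LIMIT = 1.0           # rad beyond which the surface is judged to have run away


def simulate(sensor_mode=0, motor_mode=0, *, kp=4.0, ki=2.0, dt=0.01, t_end=40.0):
    """Return samples (t, command, measured, real) of the closed loop."""
    real, integral, trace = 0.0, 0.0, []
    for k in range(int(round(t_end / dt))):
        t = k * dt
        command = CMD_LEVEL if T_CMD_ON <= t < T_CMD_OFF else 0.0
        # Sensor failure modes (Table 2): 1 = loss of signal, 2 = signal bias.
        if sensor_mode == 1:
            measured = 0.0
        elif sensor_mode == 2:
            measured = real + SENSOR_BIAS
        else:
            measured = real
        error = command - measured
        integral += error * dt
        drive = kp * error + ki * integral      # PI output, stands in for the motor voltage
        # Mechanical motor failure modes (Table 2): 1 = jam, 2 = disconnection.
        if motor_mode == 1:
            rate = 0.0                           # jammed: the surface cannot move
        elif motor_mode == 2:
            rate = 2.0 * (WIND_POSITION - real)  # disconnected: only the aero load acts
        else:
            rate = drive
        real += rate * dt
        trace.append((t, command, measured, real))
    return trace


def classify(trace, tol=0.01):
    """Assign a Table 3 code, judged at the last sample of the command window."""
    if any(abs(real) > LIMIT for _, _, _, real in trace):
        return FE_UNSTABLE
    initial = trace[0][3]
    _, command, _, real = [s for s in trace if s[1] != 0.0][-1]
    if abs(real - command) <= tol:
        return FE_NOMINAL
    if abs(real - WIND_POSITION) <= tol:
        return FE_FOLLOW_WIND
    if abs(real - initial) <= tol:
        return FE_STUCK
    return FE_POSITION_BIAS


def effect_table(sensor_modes=(0, 1, 2), motor_modes=(0, 1, 2)):
    """Steps 2 and 3 of Section 3.4.3 for these two components: run every
    mode combination and record (sensor_mode, motor_mode) -> FE code."""
    return {(s, m): classify(simulate(s, m)) for s in sensor_modes for m in motor_modes}


if __name__ == "__main__":
    names = ("Nominal", "Stuck", "Follow wind", "Position bias", "Unstable", "No effect")
    for (s, m), fe in sorted(effect_table().items()):
        print(f"S={s} M_m={m} -> FE {fe} ({names[fe]})")
```

Run as a script it lists the nine sensor/motor combinations. Loss of signal leaves the integrator with a constant error, so the surface runs away (Unstable); a biased sensor settles the real position at command minus bias (Position bias); a jammed motor never leaves its initial position (Stuck), whatever the sensor does; a disconnected surface drifts to the aero-load position (Follow wind). The rows of Table 4 that involve only S and M_m come out with the same codes.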
Table 4 lists the simulated combinations of failure modes together with their failure effect codes; the columns S, M_m, M_e, R, F and E hold the mode numbers of the sensor, the mechanical and electrical parts of the motor, the resistor, the fuse and the power supply. With this form, the minimal cut sets of a specific top event can be identified, which is the essence of a fault tree.

Table 4. Combinations of failure modes and failure effects.

  S  M_m  M_e  R  F  E  FE
  0  0    0    0  0  0  0
  1  0    0    0  0  0  4
  2  0    0    0  0  0  3
  0  1    0    0  0  0  1
  1  1    0    0  0  0  1
  2  1    0    0  0  0  1
  2  2    0    0  0  0  2
  …  …    …    …  …  …  …
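The generation and filtering of combination vectors from Section 3.4.3 and the extraction of minimal cut sets from a table like Table 4, written out as an added Python example (the paper's own tooling is MATLAB/Simulink scripting and is not reproduced here). Component order, mode numbers and failure effect codes follow Tables 2, 3 and 4 above. The simulation step is stood in for by the rows of Table 4 printed on the page, so the cut sets returned are minimal relative to that excerpt only; all function names are the example's own.

```python
"""Combination vectors and minimal cut sets for the exemplar control system
(added example; the paper's MATLAB tooling is not reproduced)."""
from itertools import product

# Component order of a combination vector, as in Table 4.
COMPONENTS = ("S", "M_m", "M_e", "R", "F", "E")

# Mode numbering per component (Table 2); index 0 is always nominal.
MODE_NAMES = {
    "S":   ("Nominal", "Loss of signal", "Signal bias"),
    "M_m": ("Nominal", "Jam", "Disconnection"),
    "M_e": ("Nominal", "Open circuit", "Short circuit"),
    "R":   ("Nominal", "Open circuit", "Short circuit"),
    "F":   ("Nominal", "Stuck open", "Stuck close"),
    "E":   ("Nominal", "Loss of output"),
}

# Failure effect codes (Table 3).
FE_NAMES = ("Nominal", "Stuck", "Follow wind", "Position bias", "Unstable", "No effect")

# The rows of Table 4 printed in the paper (the full 62-row table is not on
# the page). This excerpt stands in for the simulation results.
TABLE_4_EXCERPT = {
    (0, 0, 0, 0, 0, 0): 0,
    (1, 0, 0, 0, 0, 0): 4,
    (2, 0, 0, 0, 0, 0): 3,
    (0, 1, 0, 0, 0, 0): 1,
    (1, 1, 0, 0, 0, 0): 1,
    (2, 1, 0, 0, 0, 0): 1,
    (2, 2, 0, 0, 0, 0): 2,
}


def combination_vectors(components=COMPONENTS, mode_names=MODE_NAMES):
    """Step 1: every assignment of a mode number to every component.

    With the mode counts of Table 2 (3, 3, 3, 3, 3, 2) this yields the 486
    vectors quoted in the paper.
    """
    ranges = (range(len(mode_names[c])) for c in components)
    return list(product(*ranges))


def failed_components(vector):
    """Number of components in a non-nominal mode."""
    return sum(1 for mode in vector if mode != 0)


def limit_simultaneous_failures(vectors, max_failed):
    """Drop vectors in which more than `max_failed` components fail at once.

    max_failed=2 keeps 62 vectors (nominal, 11 single and 50 double failures),
    the number the paper carries into simulation.
    """
    return [v for v in vectors if failed_components(v) <= max_failed]


def describe(vector, components=COMPONENTS, mode_names=MODE_NAMES):
    """Readable form of a vector, e.g. (1,0,0,0,2,0) -> 'S: Loss of signal, F: Stuck close'."""
    parts = [f"{c}: {mode_names[c][m]}" for c, m in zip(components, vector) if m != 0]
    return ", ".join(parts) if parts else "Nominal"


def is_proper_subcombination(small, big):
    """True if `small` fails a strict subset of the components failed in `big`,
    in the same modes, and is nominal everywhere else."""
    return small != big and all(s == 0 or s == b for s, b in zip(small, big))


def minimal_cut_sets(effects, top_event):
    """Combinations producing `top_event` none of whose proper sub-combinations
    (within `effects`) produces it. `effects` maps a vector to its FE code,
    i.e. the table filled in by the simulation runs."""
    causes = [v for v, fe in effects.items() if fe == top_event]
    return sorted(v for v in causes
                  if not any(is_proper_subcombination(o, v) for o in causes))


if __name__ == "__main__":
    all_vectors = combination_vectors()
    kept = limit_simultaneous_failures(all_vectors, max_failed=2)
    print(len(all_vectors), "combinations,", len(kept), "with at most two failures")
    print(describe((1, 0, 0, 0, 2, 0)))
    for fe in (1, 2, 3, 4):
        for v in minimal_cut_sets(TABLE_4_EXCERPT, fe):
            print(f"FE {fe} ({FE_NAMES[fe]}): {describe(v)}")
```

For the top event "Stuck" (FE 1) the excerpt contains three causes, but (1 1 0 0 0 0) and (2 1 0 0 0 0) both contain (0 1 0 0 0 0), so the motor jam alone is the single minimal cut set; a complete Table 4 would let the same function produce the cut sets of every top event of the fault tree.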
4 Conclusions

This paper develops a new model-based analysis tool in the Simulink/Simscape environment. The objective is to improve the increasingly complex aircraft systems development process. Extended Simscape models are utilized for the partial automation of typical safety assessment tasks. During that process, some obvious advantages of model-based safety analysis became clear:

a) The ability to exhaustively explore all possible combinations of the component failure modes using automated analysis tools. The quality of the safety analysis is thereby improved.
b) The ability to automatically generate analysis outcomes. These outcomes can be used to enhance or cross-check the manually created ones. Therefore, the method lightens the workload of safety analysts and reduces the costs, while simultaneously improving the coverage and quality of the results.
c) The possibility to integrate the safety process and the design process.

References

1. Fenelon, Peter, et al. "Towards integrated safety analysis and design." ACM SIGAPP Applied Computing Review 2.1 (1994): 21-32.
2. Bozzano, Marco, et al. "ESACS: an integrated methodology for design and safety analysis of complex systems." Proc. ESREL (2003).
3. Akerlund, O., et al. "ISAAC, a framework for integrated safety analysis of functional, geometrical and human aspects." Proc. ERTS 2006 (2006): 1-11.
4. Joshi, Anjali, et al. "A proposal for model-based safety analysis." Digital Avionics Systems Conference, 2005. DASC 2005. The 24th, Vol. 2. IEEE, 2005.
5. European Commission. MISSA: More Integrated System Safety Assessment [EB/OL]. www.optics-project.eu/wp-content.
6. Society of Automotive Engineers. "ARP4754A: Guidelines for Development of Civil Aircraft and Systems." SAE Aerospace, 2010.
7. Schallert, Christian. "Integrated safety and reliability analysis methods for aircraft system development using multi-domain object-oriented models." (2016).
8. Federal Aviation Administration. "Advisory Circular 20-115C: Airborne Software Assurance." FAA, 2013.
9. Society of Automotive Engineers. "ARP4761: Guidelines and Methods for Conducting the Safety Assessment Process on Civil Airborne Systems and Equipment." SAE International, 1996.
10. Grigoleit, Florian, et al. "The qSafe Project: Developing a Model-based Tool for Current Practice in Functional Safety Analysis." (2016).
