A framework of safety analysis with temporal feature based on MBSA and case study for ACC system

The safety of automotive Adaptive Cruise Control (ACC) system is of great significance to prevent fatigue driving, improve driving comfort, reduce accident rate and promote the development of intelligent transportation and autonomous driving technology. However, the current safety analysis of ACC lacks consideration of the temporal dynamic property, so it is necessary to establish a set of safety analysis methods to consider the temporal characteristics. This paper proposes a new safety analysis method based on MBSA framework and introduces temporal features. Altarica3.0 is a high-level modeling language for safety analysis, and its basic mathematical form is Guardian Transformation System (GTS). In this paper, we outline an analysis approach that converts failure behavioral models (GTS) to temporal fault trees (TFTs), which can be analyzed using Pandora a recent technique for introducing temporal logic to fault trees. However, like classical fault tree analysis, TFT analysis requires a lot of manual effort, which makes it time consuming and expensive. In order to improve the safety of the system, the proposal extends Bayesian Networks with Pandora and results to dependability analysis with temporal relationships to provide more reliable basis for safety design. As a typical case study, the safety analysis method proposed in this paper is applied to the safety analysis of adaptive cruise system, and the results show the effectiveness of the proposed method. Furthermore, it also provides new technologies for the automation and intelligence of safety analysis for smart internet of vehicle.

for Basic Requirements of Software Safety Assurance), GB/T34590.10-201 (Functional Safety of Road Vehicles), ARP4761 (Criteria and Methods for safety Assessment process of civil airborne systems and equipment) [2], etc. Strict compliance with safety standards at all stages of system design can greatly reduce the probability of system failure.
In the process of System Safety Assessment, the main steps include Functional Hazard Analysis (FHA) [3], Preliminary System Safety Assessment (PSSA) [4], and System Safety Assessment (SSA) [5]. Traditional safety analysis methods mainly include fault tree analysis (FTA) [6], Markov analysis (MA) [7], failure mode and effect analysis (FMEA) [8] and common cause analysis (CCA), etc. But with the passage of time, the traditional methods of risk assessment of excessive dependence on low level form of modeling, system specification and related models between cannot match very well, when very small changes in the system specification, the relevant safety model also need to conduct a comprehensive assessment, a lot of manpower and material resources, at the same time.
When the analyst converts the actual physical model into the corresponding fault tree, there is a great subjective influence, and there may be the consequence of inaccurate modeling.
To solve these problems, a model-based safety analysis (MBSA) method is proposed. It is actually the reliability Engineering branch of Model-based System Engineering (MBSE) [9,10]. Model-based system safety analysis can be divided into two steps: system modeling and related safety analysis for the model. To be specific, the first step is to write the system model in the high-level modeling form, which can completely express the function and structure of the original system. The second step is to evaluate the model directly, or compile the model into a low-level model for evaluation, such as FTA, MA, etc.
AltaRica is a kind of safety for fault modeling language, to the guard conversion system (GTS) as the core [11][12][13]; the use of reusable object-oriented language description node and fault through the node connected to the interface between embedded systems describes the interaction between the node and system information, including data flow elements support interaction between components, there are dependencies between components.
AltaRica3.0 is a new version of the AltaRica language [14]. Its new underlying mathematical model is the guardian transformation system (GTS) [15], which improves the expression ability of previous versions by introducing a fixed point mechanism to stabilize the theological value after each transition. This mechanism allows the design of causal components and the handling of systems with immediate cycles. In the framework of AltaRica3.0, this paper proposes an automatic construction method of Pandora timing fault tree based on extended fault tree model. The method is verified by modeling and simulation of typical structural model of ACC system. After that, quantitative analysis of Pandora timing fault tree was carried out. Since traditional analysis methods are prone to state explosion and fault events are interdependent, reliability analysis of Pandora temporal fault tree was carried out in this paper based on Bayesian network. The Pandora temporal fault tree analysis and probability calculation provide a more reliable basis for the safety of system and give system designers an idea where to invest more design efforts to improve safety. Finally, the design defects of the system design model are tracked by combining the verification results and traceable information model.
To elaborate on the composition of the GTS, Fig. 1 shows a graphical representation of a cooling system and its flattened model representation.
Concrete components in the cooling system are abstracted into classes: tank, pump and reactor, respectively. These classes interact with each other through variables. Tank instantiates object T outflow coolant as outflow variable of the whole system, and two instantiated objects P1 and P2 of pump have two variables, respectively: outflow from tank, pump and reactor. Inflow of input variable, inflow of reactor is the same as outflow of P1 and P2. The system has to keep at least one pump running so that the coolant can be used to cool the reactor properly, but the pump could fail or the tank could be empty, which could cause the entire system to fail.
The GTS model obtained by flattening the hierarchical information of the cooling system is shown in Fig. 2.

Pandora temporal fault tree
Pandora defines three time gates: Priority-AND gate (PAND), Priority-OR gate (POR) and Simultaneous-AND gate (SAND) to extend the classic fault tree [17]. The temporal fault tree symbols of the three gates are shown in Fig. 3. PAND gates are not new and have been used in FTA since the 1970s [18]. The symbol " < " used to represent the PAND gate in the logical expression, such as A < B represents A PAND Y, where both A and B are failure events. the Priority-OR (POR, symbol '|'), which as described earlier models a priority situation where one event must occur first and other events may or may not occur subsequently. The Simultaneous-AND (SAND, '&') gate, which represents simultaneous occurrence of events, e.g., as a result of a common trigger. In this article, we use " + " for OR gate and "." for the AND gate. Pandora allows more than one form of reduction. As well as removal of redundancies, e.g., A < B + A|B ⇔ A|B (where A and B are fault tree events), Pandora also allows reduction via the recognition and removal of contradictions and by means of 'completion'-conversion of temporal expressions into static Boolean expressions. For full details about Pandora's temporal laws, we refer the reader to [18], but four laws in particular will be useful:

Bayesian network
Bayesian network (BN) is a directed acyclic graph, which is composed of nodes and directed edges. Nodes represent variables and directed edges represent relationships between nodes. A BN model contains a qualitative and a quantitative part (see Fig. 4). Bayesian network is a directed acyclic graph representing a group of random variables and their conditional correlation [19]. The node of BN represents the random variable, and the directed arc represents the dependence or causality between nodes. In the Bayesian network, if there is an arc from node X and node Y, node X is said to be the parent node of another node Y. Has direct influence to the subsidiary to the parent node, it is defined as a Pr {Xi | parent (Xi)} to quantify the influence of the subsidiary to the parent node. A node is a root node if it has no parents, and a leaf node if it has no children. Discrete-time Bayesian network (DTBN) is a BN with N nodes is generally represented N = < < X, T n , E > , P > . The nodes X = {X 1 , …, X N } in the figure represent variables, and all phenomena such as component state values and personnel operations can be abstracted into the node variable. T n = {[t 0 , t 1 ), …, [t n − 1 , t n ), [t n , ∞} is a division of the mission, its elements represent the interval where the variable fails at the time. Directed edge E characterizes the causal relationship between node variables. In (X i , X j ), X i is the parent of X j , and X j is the child of X i . A node without a parent is a root node, and a node without children is a leaf node. Digraphs imply conditional independence. P represents conditional probability distribution (CPD). It can be seen from the implied independence assumption of the Bayesian network that the joint probability distribution including all nodes can be obtained on

A framework for automatic generation of Pandora temporal fault tree based on GTS
In general, this section gives the method framework and several steps of how to automatically generate the Pandora temporal fault tree based on the flattened GTS model of Altarica3.0 as shown in Fig. 5. The algorithm GTS to Pandora temporal fault tree (GTS2PTFTA) design involved in each step is then explained in detail: (1) Read the flattened GTS model description file and construct the corresponding GTS object. (2) The input GTS object is divided into a set of independent GTS and an independent assertion. (3) Iterate the independent GTS set to obtain the corresponding reachable graph (state machine graph) of each independent GTS, so as to facilitate the subsequent generation of event sequences with timing characteristics according to the state machine graph design algorithm. (4) Compile each reachable graph and obtain the logical formula of the independent GTS with the temporal relationship. Find all possible paths between two nodes in the reachable graph and design the algorithm to update the possible priority relationship into the path. The algorithm described in Step 4 is corresponding to the logical formula containing time sequence relation of the 3.3 sub-GTS model reachable graph. The AND gate operator is further annotated as: search all paths from state S0 to the other states of the graph. Events occurring along path π are transformed into the relationship of events. Each state of the graph is first associated with a sequence disjunction obtained through the compile path, then each pair (variable values) associated with a sequence of disjunction, including variable uses this value, secondly, traverse to search path, looking for the same end node status on different paths to share events, update priority or temporal sequence in the original sequence of disjunction, after exhaustive recursion and, at the same time, and preference or conversion between matching rules, generating a sequence of events with a temporal relationship. (5) Synchronize the independent assertions obtained by partition with the formulas obtained by compilation of each independent GTS reachable graph and obtain the set of temporal relational event sequences of the whole model, which is composed of the Pandora temporal fault tree of this GTS model.

GTS model preprocessing and partitioning
A partition operation on a GTS instance object. Considering the large scale of the system model, after the GTS instance object is obtained, in order to simplify the subsequent steps, a more efficient partition algorithm is adopted here to improve the efficiency of the algorithm, so as to cope with the large scale of the system model. The partitioning algorithm divides a model into multiple components and modules, and then processes each component and module individually. When the fault tree with time sequence relationship is finally obtained, it is processed together with the data results, which simplifies the intermediate steps of the whole algorithm framework process.

Construction of the accessibility diagram of the sub-GTS model
The corresponding reachable graphs of each independent GTS were obtained. In this step, we mainly process each independent GTS to obtain the relevant reachable chart. A reachable graph contains a set of nodes, and a node exists in the form of a set of variables, and the current system state is represented by the values of the current variables.

Algorithm for compiling reachable graph to generate temporal expression of sub-GTS model
An accessibility graph is a state machine with a finite number of states. It may change state as an event occurs, but at each moment, it is only in one state. In the previous step, the algorithm obtained the reachable graph of each GTS. To obtain a logical formula containing temporal relationships, in short, find all possible paths between two nodes in the reachable graph and design an algorithm to update the possible priority relationships to the paths. The algorithm mainly uses priority or gate (POR) to distinguish fault sequences. A gate can represent a situation in which one event takes precedence over others and must occur first, but does not specify that other events must also occur, for example, if A occurs and B does not occur, or if A occurs and B occurs but A occurs first, then POR B is true. In this step, operator "." is defined as a sequence of "and" door and operator "+" is defined as a sequence of "or" door and operator "<" is defined as a sequence of "priority-AND gate," operator "|" is defined as "priority-OR" gate and the operator "ø" represents a collection of sequences. The AND gate operator is further labeled as search all paths from state S0 to other states of the graph. Events occurring along path π are converted to and relationships of events. Each state of the graph is first associated with the sequence disjunction obtained through the compile path, then each pair (variable values) associated with a sequence of disjunction, including variable uses this value, secondly, traverse to search path, looking for the same end node status on different paths to share events, update priority or temporal sequence in the original sequence of disjunction, after exhaustive recursion and, at the same time, and preference or conversion between matching rules, Generates a sequence of events with timing relationships.

Definition 2 Reachable Graph (RG).
A reachable graph is a quadruple (S, Σ, δ, s 0 ) where: • S is a finite set of states.
• Σ is a finite set of events, such that S ∩ Σ = ∅.
• δ is a partial function: S × Σ → S, s.t. for (u, u') ∈ S 2 , and e ∈ Σ, u' = δ(u, e) iff e is incident from u to u', and we write it as: u → u'(e). • s 0 is the initial state.

Definition 3 Paths Set.
Let P be the set of all paths in the RG,

Definition 4 Forward and backward incidence sets.
For any state u ∈ S, let ΣuI (resp. ΣuJ) be the set of events incident from u (resp. incident to u),

Definition 5 Set of final states.
Let F be the set of the final states, F = {f ∈ S| ΣfI = ∅}.
The algorithm and pseudocode of compiling the accessible graph of independent GTS to obtain the time-series relation formula are as follows: Generates a set Φ of Pandora formula: Φ = {φ s |s ∈ F} one formula φ s for each final state s. These expressions can then be analyzed by Pandora. Transformation algorithms are biased toward increasingly dynamic systems. The best case complexity for checking the necessity of chronological order is O(n), and the worst case complexity is O (n 2 ), where n is the number of paths from the initial state to the final state in the reachable graph. In the best case, for each divergent path, there exists a shareable event that is related to the direct reachable state of the connection state when the path diverges. In this case, the cost of adding j to each state is the order time of an O (m 2 ) operation, where m is the degree of j.

Safety analysis of Pandora temporal fault tree based on Bayesian network
To perform quantitative analysis of temporal failure behavior, Bayesian Network has been integrated with the Pandora temporal fault Tree, a compilation of the AltaRica model-based dependability analysis process.
The primary goal of the Bayesian network-based approach is to transform the Pandora TFT into a Bayesian network for quantitative analysis of dynamic systems using BN models. The transformation from TFT to BN is done in two steps. In the first step, the TFT to BN graphic mapping is achieved by converting the base event to the root To represent sequence values, which are used in Pandora to represent sequencing among events, in this paper, the mission time T is divided into N equal intervals from t = 0 to t = T, where each interval represents a possible non-zero sequence value, during which an event occur. Initially, all components are assumed to be fully operational and therefore all events are given an initial sequence value of 0 (i.e., the component has not yet failed). This value holds until the occurrence of a component failure, i.e., if the component can survive till the end of the mission time then it will continue carrying the sequence value 0. If a component fails in interval 1, then it will have the sequence value 1, but if the component fails in any other interval i where 1 < i < N then it can have any sequence value in between 1 and i based on its relative position to its immediate predecessor. An event having a sequence value i is considered to be in State i and it has an associated probability value representing the probability of the event being in State i. As the root nodes in the BN represent different basic events, we need to define prior probability tables for the root nodes, where each entry in a prior probability table of a node represents the probability of the respective event being in a particular state. For exponentially distributed failure rate, the probability of a component being failed in the interval [t1, t2] (e.g., in State i) can be obtained by integrating the probability density function of exponential distribution, λe, λt, in the following way: Once prior probability values are assigned to each root node, conditional probability values are generated for all the intermediate nodes. Remember that Pandora represents the outcome of every gate with a sequence value, showing not only whether that gate is true or false but also the relative order in which the gates become true. This is purely deterministic: the outcome of each gate depends solely on the sequence values of its input events. Consequently, the probability of an intermediate BN node (representing a gate) being in a certain state can either be 0 or 1, depending on the state of its parent nodes. In [20], the authors have shown the translation and CPT generation process for the PAND gate, as seen in Fig. 6. The mapping of a POR gate by diving the mission time into two intervals is shown in Fig. 7. The CPT of the PAND gate resembles its temporal truth table. As seen in the CPT of the PAND gate, the PAND outcome becomes true only in one scenario when the first input (X) is in State 1 and the second input (Y) is in State 2, i.e., they occur in a sequence from left to right. In this case, the state associated with the PAND outcome is State 2 because this is the state when the last input of the PAND becomes true. Bayesian Network of the AND and OR gates are shown in Figs. 8 and 9, respectively. From the CPT of the AND gate, we can see that the AND outcome becomes true (1s in column State 1 or State 2) when the input events are either in State 1 or State 2. If any of the input event is in State 0 (logical false), then the outcome of the gate is false (1s in the column State 0). So the CPT of the POR, AND and the OR gates are of the same pattern and entries in the table are either 0 or 1, but the positions of the 0s and 1s change according to the logical specification of the gates. Once we have the Pandora TFT of the failure behavior of a system, we can translate the TFT to BN model and subsequently perform predictive reasoning on the Bayesian Network to obtain system unreliability. This is done by following the direction of the BN arcs from the root nodes toward the leaf node. In this process, failure probability data of the root nodes are used to obtain the probability of system failure, i.e., data about causes are used to obtain new belief about the effects. Using the facility of observing the status of a node, we can also perform diagnostic analysis on the BN, i.e., reasoning from effects back to their causes. If the analysts have the evidence that the system has failed, then based on this evidence the analysts belief about the failure probability of the components can be updated. That means we now have to put an observation on the leaf node of the BN and work backwards (in the opposite direction of the BN arcs) toward the root nodes to update the probability of root nodes. In order to facilitate diagnostic analysis, Bayes' theorem in Eq. (1) is used.

Description of ACC system
Typical ACC system of automobile is mainly composed of information perception unit, electronic control unit (ECU), execution unit and human-computer interaction interface, etc. This paper selects some of these structures as examples for analysis, and the basic composition is shown in Fig. 10. In the ACC system, ranging radar used to measure the vehicle and the vehicle in front of the car distance, relative velocity and relative acceleration, is one of the key equipment of adaptive cruise control system, is to determine the main components of the cost of the system, its main components including transmitting antenna and receiving antenna, DPS (digital signal processing (DSP)) processing unit, data cables, etc. The electronic control unit in ACC module is composed of large-scale integrated circuits, such as microprocessor (CPU) memory (ROM RAM) input/output interface (I/O) analog-to-digital converter (A/D) and shaping driver, as well as common single-chip microcomputer, according to its memory program and data on the air flow meter and a variety of sensor input information processing judgment, and then output instructions.
The main working principle of the ACC system is Lord radar sensors to detect the target vehicle in front of the car, and to provide the main vehicle and target vehicle electronic control unit (ECU) the relative speed between the relative distance information such as the relative azimuth Angle Electric control unit based on the pilot set the safety car distance and cruising speed, combined with radar transmit information to determine the main vehicle driving state, issue instructions to adjust throttle opening and brake control of main vehicle. The arrow in the figure indicates the direction of signal transmission.

System modeling and analysis of ACC system
Model-based analysis of system is performed in a compositional fashion. For this reason, the ACC system is divided into smaller subsystems and the subsystems are further divided into smaller subsystems to the level of components. Components are annotated with their failure behavior and their behavior are combined to obtain the behavior of the subsystem possessing them. We will use this system structure as an example to describe the different steps involved in compiling the Guard transformation system into a Pandora temporal fault tree.  The GTS, describing a ranging sensor, is given in Fig. 11 (Set as secondary redundancy component, S1 as the primary component and S2 as the backup component), automobile sensor is similar to: Monitor component modeling: The monitor is mainly used to monitor the output of the main component. If any omission or failure is detected, the backup component will be activated, as shown in Fig. 12.
The GTS, describing an electronic control unit, is given in Fig. 13. Brake pressure module and throttle opening module are the same as above. Modeling of the whole adaptive cruise system is shown in Fig. 14.
The whole system model was analyzed: First, the AltaRica3.0 model obtained was flattened; second, the reachable graph of each independent GTS was obtained according to the correlation partition algorithm, as follows: The reachable graph for the remaining components is similar to the figure above. "O-x" represents the output omission or fault of a component, "X_Failure" represents the failure event of a component, the box represents the status of the component at this time, and the line between the boxes represents the transmission of failure events. For descriptive purposes, any part symbol abbreviates the failure of the corresponding part (e.g., "M1" is denoted as "M1 failure").
The TFT of component S1 is the simplest: O − A = A (i.e., failure of A causes omission of A), as shown in Fig. 15. For the reachable graph of M1 in Fig. 16, the initial state is "WORK-ING," which means the sensor is ready to activate B. If a failure occurs in the output of S1 (for example, an output omission represented as "O-S1" in the reachable graph) and is detected, the state of M1 changes to "omission detected" (that is, B needs to be activated). However, if M1 fails after waking up S2 (because S2 takes over the functions of S1), the system can continue to operate, so the failure sequence (O-S1 first, M1 second failure) will cause the sensor to enter the "safety failure" state. Conversely, if M1 fails first (into a "premature failure" state), it will not be able to detect subsequent output omissions from S1, so the second sequence will result in a "serious failure" state (since B will not be activated, which means the system is completely faulty). The latter state represents an output omission from M1 (" O-M1 "), where errors propagate through the system (in this particular case leading to complete failure). Therefore, as you can see, from the situation in Fig. 15 O-S1 Fig. 15 Reachable graph of S1 of the sensor. One sequence can cause the system to fail, while the other gives it a chance to continue working during backup. Therefore, we will introduce Pandora gates to represent the sequence of events in the fault tree, and then the reachable graph can be transformed into a Pandora temporal fault tree without sacrificing the relevant event sequencing, which affects the outcome. So the above two sequences are converted to: If we apply this algorithm to the reachable graph of component S2, as shown in Fig. 17, we get the following fault state expression:

Generate Pandora temporal fault tree
According to the automatic generation algorithm introduced in Sect. 3, the sequence of timing fault tree is as follows: Therefore, the resulting Pandora timing fault tree is shown in Fig. 18.

Model-based analysis of the ACC system
The ACC system is analyzed based on the model to obtain the cause of failure. The temporal fault tree obtained from the analysis is shown in Fig. 18. As you can see from TFT, some basic events are shared with each other, which makes them statistically dependent. If we use an analytical approach to quantify TFT, statistical dependencies between events are ignored. However, the proposed method of converting to a Bayesian network can quantify TFT by taking these dependencies into account, resulting in more realistic results.  To conduct quantitative analysis of the TFT, the Pandora TFT is mapped to the Bayesian network model, as shown in Fig. 19. The failure rate of Pandora TFT basic events is shown in Table 1, and time changes are characterized by the failure rate of basic events.
The prior probability table of each root node of BN is filled according to the failure rate of the corresponding component. As mentioned in Sect. 4, in order to generate the prior probability value of the event, we need to define a task time and interval number (N), and divide the task time into discrete intervals. Assuming that the task time is 5000 h, the task time is divided into four intervals (N = 4), and the prior probability value of the root node of BN is calculated. The conditional probability table for each intermediate node in BN is filled according to the type of TFT gate represented.
The reliability analysis of the ACC system is carried out based on the DTBN model. Compared with the results of the Markov chain method, the results are shown in Table 2. It can be seen that the DTBN method has a high solution accuracy and Markov chains cause state explosion problems. Reliability analysis of ACC system is done by running queries on BN models. Meanwhile, using BN-based method, it can also be concluded that ACC is the most critical basic event of TFT, followed by Si (i = 1,…, 4). This gives the system designer an idea of where to put more design effort to improve the reliability of the system. For example, an event ACC corresponds to a failure of the core electronic control within the system, while Si corresponds to a failure of the ranging sensor in the system. Therefore, if the analyst wants to improve the reliability of the system, then they can consider replacing the above key components with more reliable components, or they can consider introducing redundant components along with the key components. By observing the BN node endpoint in Fig. 19, in the failed state, the system was diagnosed and analyzed. This describes a scenario in which the analyst has evidence that the most significant event of the TFT has occurred. Based on this evidence, analysts' beliefs about prior probabilities of fundamental events have been updated. Based on these updated beliefs about the failure probability of basic events, a whole new predictive analysis can be performed.
By observing the leaf node of the BN model in Fig. 19, in the failed state, the system was diagnosed and analyzed. This describes a scenario in which the analyst has evidence that the most significant event of the TFT has occurred. Based on this evidence, the belief of the analyst on the prior probability of the basic event has been updated, and the posterior failure probability of the basic event is shown in Fig. 20. Based on these updated beliefs about the failure probability of basic events, a whole new predictive analysis can be performed. A posterior failure probability curve explains the dynamics of system failure and provides updated causality between variables that may change over time.

Conclusion
In recent years, more and more attention has been paid to the research of automatic fault tree generation. However, considering the timing fault characteristics of the system, AltaRica language modeling and automatic generation of timing fault tree algorithm in the field of the Internet of vehicles has not made much progress. This paper is based on the AltaRica model and studies how to automatically generate Pandora timing fault tree according to its flattening results GTS. The algorithm in this paper is a comprehensive design and implementation. First, the independent GTS of the whole model is obtained by dividing the algorithm, and then it is stored in two ways of edge node set and variable state node set in the module to obtain the reachable graph, and then expressed by adjacency matrix. The benefit of this approach is that it is fault-tolerant and uses different storage methods to store the information in the diagram, so that it can be verified in many aspects later when facing large system models. In compiling the accessibility graph algorithm, each TFT obtained is aggregated upward and unified into a system TFT, and assertions are propagated when multiple state results have been obtained, which is much more efficient than directly analyzing a complete GTS to generate a fault tree. Then, Pandora TFTs are generated and combined with Bayesian networks for reliability analysis, so as to realize effective automation of reliability analysis of complex dynamic systems. In the following work, we will further combine the previous work with the current to build a complete system safety analysis for AltaRica3.0, and carry out a large-scale application case study in the typical field of smart Internet of vehicles.