The Airbag Case Study is a common example of a reactive system. It therefor demonstrates how a system can be embedded in an environmental system and enhanced with failure modes. The system is composed of two sensors, which are validated by a central component. The information is processed further by two independent crash detectors and forwarded to a monitor who decided, whether the airbag is ignited or not.



Each system component is modeled as a SAML component, describing a state automaton of this model element. By breaking down the system into modular components, most elements are easy to express and simply aggregate states of other components to update their own state variable. In this example, almost all components only have two states for the values crash or no crash.

Besides the functional model, an environmental system is needed, to create sensor data input. The simplest possible environment is a non-deterministic component, which decides at a certain point of time, that a crash occurred. In this example, the environment also contains a car that is able to accelerate and brake. The resulting velocity has an impact on the accuracy of the sensor output.

The third part of the model contains the failure components. SAML allows for the easy and convenient creation of failure occurrence patterns. This failure pattern defines whether a certain failure occurs at a specific time or not. The behavior of the failure, e.g. what kind of impact the failure has on the model, has to be created separately. In this case study, every single component is able to fail with a certain probability. Some of the failures a transitive, meaning that the failure can be recovered. As an example, the sensors can produce a false positive failure at every time step, while at the next time step producing an accurate output. On the other side, the model also contains persistent failures, e.g. a failure that happened once will occur all following steps. As an example, the airbag can only ignite once. There is no possibility that a self-ignition can occur twice.

As hazard of this case study, we define to ignition of the airbag without an actual crash. Several type of analysis can be applied to this case study. First, it can be checked, whether the system can cause the hazard, while no failure is present. This type of analysis is called functional correctness. Additionally, a DCCA can be performed to calculate the failures that have to happen to cause the hazard (this is called the minimal cut set). The results are a valuable information for further improvements of the system. In this case study, two single point of failures can occur as well as two failure combinations. Furthermore, the probability of the Hazard to happen can be calculated. Together with the minimal cut set, it allows to discuss the overall safety of a given system.


The results of the case study show, that airbags are designed in such a way, that most likely the airbag will never ignite during driving. On the opposite side, if we assume the hazard to be a crash without the airbag to ignite, we will realize that only in two of three cases the airbag will work.

Obviously, this case study is a simplified version of a real world airbag system and hopefully is designed to work in most cases. Nevertheless the case study shows impressively, how easy it is to model a non-trivial system and how much analysis and valuable results can be extracted from this system.


Why and What? In this section we give an overview over motivation and the core features of VECS.

Read more: Product

Am Donnerstag, dem 08.09.2016 veranstaltete der Lehrstuhl für Software Engineering der Otto-von-Guericke Universität Magdeburg unter Leitung von Prof. Dr. Frank Ortmeier mit großem Erfolg den dritten Expertenworkshop zum Thema „Anwendung innovativer modellbasierter Sicherheitsanalysemethoden im Zulassungsprozess sicherheitskritischer Anwendungen“.

Read More