Deductive safety analysis

The deductive safety analysis is accordingly describes as top-down approach, which examines the unknown causes of failure from known failure effects. ISO 26262 lists Eault-Tree-Analysis (ETA) and Reliability-Block-Diagrams (RBD) as examples for deductive methods. 

A second topic of inductive and deductive safety analysis, we also differentiate between qualitative and quantitative safety analysis. The quantitative safety analysis should also consider the frequency of failures, but for both the fault modes and effecting errors need to be analyzed. Generally, the norm says of course that the quantitative safety analysis is used to fulfill the quantitative metrics from part 5, Chaps. 8 and 9. 

In the deductive safety analysis all possible variances and consequently the entire specifiable space should be analyzed. In the inductive safety analysis the specified elements are considered at the respective horizontal abstraction level and the possible error influences or impacts are evaluated. As a result a systematic falsification of the specified space could lead to completeness regarding possible error behavior. Influences and combinations, which the developer cannot imagine or not systematically evaluate, are also not verifiable. The characteristics of the product should be ensured at the end of such horizontal development activities after their verification. 

See Deductive Safety Analysis and Inductive Reasoning for additional related information. 

The FTA is a diagrammatic analytical technique that is used for ReUabiUty, Maintainability and Safety Analysis. It is a top-down (deductive) analysis, proceeding through successively more detailed (i.e. lower) levels of the design until the probability of occurrence of the top event (the feared event) can be predicted in the context of its enviromnent and operation. 

For this paper we treat hazard assessment as a combination of two interrelated concepts hazard identification, in which the possible hazardous events at the system boundary are discovered, and hazard analysis, in which the likelihood, consequences and severity of the events are determined. The hazard identification process is based on a model of the way in which parts of a system may deviate fi om their intended behaviour. Examples of such analysis include Hazard and Operability Studies (HAZOP, Kletz 1992), Fault Propagation and Transformation Calculus (Wallace 2005), Function Failure Analysis (SAE 1996) and Failure Modes and Effects Analysis (Villemeur 1992). Some analysis approaches start with possible deviations and determine likely undesired outcomes (so-called inductive approaches) while others start with a particular unwanted event and try to determine possible causes (so-called deductive approaches). The overall goal may be safety analysis, to assess the safety of a proposed system (a design, a model or an actual product) or accident analysis, to determine the likely causes of an incident that has occurred. 

Methods and techniques for measurement, sampling, and analysis Types, sources, and characteristics of hazards, threats, and vulnerabilities Hazard analysis, job safety analysis and task analysis methods Qualitative, quantitative, deductive, and inductive risk assessment methods Risk-based decision-making Risk-based decision-making tools... 

In part 9 there is only one indication for the differentiation of the deductive and inductive safety analysis. The inductive safely analysis is described as bottom-up approach. It is considered that known causes of failure and their unknown failure effect are examined. ISO 26262 mentions Failure-Mode-and-Effect-Analysis... 

Basically, the inductive and deductive safety analyses are invoked in the architecture related chapters of ISO 26262, in which the inductive analysis is often demanded for all ASBL requirements and the deductive analysis only for ASIL C and D safety requirements. 

The inductive safety analysis is described as a bottom-up method. It investigates unknown failure effects starting with known failure causes. Today the FMEA is the basic analysis method at all. It has been developed for almost twenty years in different ways. The classical form sheet analysis (blank table form analysis) can be called a truly inductive safety analysis, whereas the cause in this context is often also determined deductively. This means that potentially unknown causes are examined. AU new FMEA methods start with the function, a task or characteristics of the basic parts and search for potential causes, which could lead to malfunction, wrong tasks or to deviations of required characteristics of the basic parts. The next step is the determination of error propagations so that the failure effect can be determined. 

Chapter 7, part 4 addresses the system design, the technical safety concept and their verification, which should be derived from the functional and technical safety requirements. Therefore, in requirement 7.4.3.1 the inductive (for all ASILs) and deductive (for the higher ASILs) safety analysis is required. In this context of product development on system level it is primarily a matter of the analysis of systematic failure. In one indication (note 1) it says that a quantitative analysis can support the results. 

However, the model-based safety analysis should first be seen as addition for the classic analysis methods. It would be worth considering seeing the model-based safety analysis preferably as deductive analysis and the classic FMEA further on as inductive analysis. Therefore, the systematic approach of consistent system engineering can again be applied from the vehicle level all the way down to the silicon stmcmres and the software development. 

FTA is a safety analysis technique that develops an FT diagram that logically models and graphically represents the various combinations of possible system events that can lead to a UE, such as a mishap. The analysis is deductive in nature, in that it transverses from the general problem to the specific causes. The FT develops the logical fault paths from the UE at the top, to all of the... 

See Deductive Reasoning and Inductive Safety Analysis for additional information. 

Figure 21.2 illustrates how the starting point, the directions and the scope of each method fit into the accident-analysis framework of Chapter 6. Two of the methods. Fault tree analysis and Comparison analysis are deductive in that they start with the unwanted event. They proceed by analysing the underlying incidents and deviations (Fault tree analysis) or contributing factors (Comparison analysis). Several of the methods are mainly inductive in that they start with a deviation and proceed by studying the effects of this deviation. This applies to HAZOP, Failure mode and effect analysis. Event tree analysis and CRIOP, although they also have a component of causal analysis. Coarse analysis and Job-safety analysis start with the hazard and use a combination of inductive and deductive analyses. 

This approach is based on a safety analysis, often used for safety critical systems. The safety analysis performed at each stage of the system development is intended to identify all possible hazards with their relevant causes. Traditional safety analysis methods include, e.g. Functional Hazard Analysis (FHA) [1], Failure Mode and Effect Analysis (FMEA) [2] and Fault Tree Analysis (FTA). FMEA is a bottom-up method since it starts with the failure of a component or subsystem and then looks at its effect on the overall system. First, it lists all the components comprising a system and their associated failure modes. Then, the effects on other components or subsystems are evaluated and listed along with the consequence on the system for each component s failure modes. FTA, in particular, is a deductive method to analyze system design and robustness. Within this approach we can determine how a system failure can occur. It also allows us to propose countermeasures with a higher coverage or having wider dimension. 

In most civil aviation System Safety Assessments, this event originates from a Function Hazard Analysis (FHA, see Chapter 3), but it can also come from any other hazard identification technique (e.g. ZS A or PRA). An FTA is a deductive approach (i.e. top down) that determines how a given state (i.e. the undesired event) can occur. It does not identify all failures in a system in a way that inductive tproaches (such as an FMEA) would. 

Fault tree analysis is a technique by which the system safety engineer can rigorously evaluate specific hazardous events. It is a type of logic tree that is developed by deductive logic from a top undesired event to all subevents that must occur to cause it. It is primarily used as a qualitative technique for studying hazardous events in systems, subsystems, components, or operations involving command paths. It can also be used for quantitatively evaluating the probability of the top event and all subevent occurrences when sufficient and accurate data are available. Quantitative analyses shall be performed only when it is reasonably certain that the data for part/component failures and human errors for the operational environment exist. 

Fault Tree Analysis (FTA) is a well known and widely used safety tool, implementing a deductive, top down approach. It starts with a top level hazard, which has to be known in advance and "works the way down" through all causal factors of this hazard, combined with Boolean Logic (mainly AND and OR gates). It can consider hardware, software and human errors and identifies both single and multiple points of failure. Both a quantitative and qualitative analysis is possible. 

---