Author
Y Luo
Publication date
2016/4/26
Description
In safety-critical domains such as automotive, railway, and avionics, failure or malfunction of a safety-critical system may result in death or serious injury to people, as well as severe damage to equipment. Manufacturers in those domains are expected to deliver continuously safe products. From the end of 2009 to the start of 2010, Toyota recalled millions of vehicles that were potentially prone to uncontrolled acceleration. Toyota announced that the company could face losses of around US $2 billion from lost sales worldwide [10]. In July 2011, two high-speed trains collided on a viaduct in the suburbs of Wenzhou, Zhejiang province, China. In total 40 people were killed and at least 192 were injured, 12 of them severely. This accident was caused by a faulty signalling system that failed to warn the second train of the stationary first train on the same track [13].
With the increasing complexity of software-intensive safety-critical embedded systems, more and more effort is needed to ensure their safety. Over the last two decades, a number of international functional safety standards have been developed to provide development guidelines and keep risk at an acceptable level [36], such as IEC 61508 (multiple domains) [11], ISO 26262 (automotive domain) [12], DO-178C (avionics domain) [14], and the CENELEC railway standards (railway domain) [45][47][46]. These standards are typically large documents containing a very large number of requirements for system development. They describe generalized approaches to identifying hazards and risks, design life-cycles, and analysis and design techniques. Therefore, when …