Date of Award


Document Type


Degree Name

Doctor of Philosophy (PhD)


School of Computing

Committee Member

John D. McGregor, Committee Chair

Committee Member

Brian Malloy

Committee Member

Amy Apon

Committee Member

Murali Sitaraman


Safety-critical systems need specific activities in the software development life cycle to ensure that the system will operate safely. The objective of this dissertation is to develop a new safety analysis method to identify hazards. The method uses error propagation information and the internal structure rather than the interfaces of a system. We propose development procedures to augment STPA (System-Theoretic Process Analysis) with error propagation information derived from the architecture description of a system represented in the AADL (Architecture Analysis Design Language). We will focus on how the AADL error ontology can be used to assist in identifying errors, how those errors propagate among components, and whether the errors lead to hazards in the system. Our research shows that tracing error propagation leads to the discovery of hazards and additional information that other methods miss. The new safety analysis method, Architecture Safety Analysis Method (ASAM), by augmenting STPA with early design information, is able to find more hazards, unsafe control actions, safety constraints and causes of the unsafe control actions than by using STPA alone. Our method leaves more false positives than STPA, but in safety analysis having false positive is preferred over missing actual hazards. We use the AADL error ontology to rigorously describe system component errors and how they propagate among components. We illustrate this rigorous description through several examples and we demonstrate that it yields hazards that an STPA analysis of the example did not find. In addition, we provide a mathematical notation and expressions so that formal analysis and verification of the hazards can be done to ensure that all causes of the hazards have been identified and that any developed safety constraints fully mitigate the hazards, through the use of compositional reasoning.



To view the content in your browser, please download Adobe Reader or, alternately,
you may Download the file to your hard drive.

NOTE: The latest versions of Adobe Reader do not support viewing PDF files within Firefox on Mac OS and if you are using a modern (Intel) Mac, there is no official plugin for viewing PDF files within the browser window.