Safety Critical Systems (SCS) must operate inside their prescribed specifications; otherwise, they can cause harm to the user(s) and/or the environment. These systems are used in various domains, such as aerospace, automotive, railway and healthcare. Safety Analysis (SA) is performed on SCS to ensure that they are safe enough to be operational. Many SA techniques already exist and have proven their effectiveness; hence their use is recommended, and in some cases mandated, by industry standards and certification authorities.
This thesis aims to develop a methodology termed Model-Driven Safety Engineering (MDSE) for integrating well-established SA methods with standard and well-known tools and techniques within the Model Driven Engineering (MDE) system development process. The proposed methodology can be applied with minimal learning effort. It brings multiple benefits, such as increasing the safety and confidence level of SCS, reducing the costs in various aspects and enhancing the communication between all stakeholders.
The proposed approach follows the MDE process by modeling the system under development with the System Modeling Language (SysML), an Object Management Group (OMG) standard. The SysML model is extended with safety annotations using another OMG standard, the UML Profile for Modeling and Analysis of Real-Time Embedded Systems (MARTE), and its dependability extension, the Dependability Analysis and Modeling (DAM) profile. We propose a multi-step automatic model transformation, where a SysML model annotated with safety information is transformed into models for Fault Tree Analysis (FTA) and Failure Mode and Effects Analysis (FMEA). To guide the synthesis of fault tree models, we propose a set of failure mapping patterns, which show how model elements representing failures in the source model are mapped to the target model. The first step transforms the annotated SysML model into Component-based Fault Tree (CFT) models (one CFT per component). A second transformation composes the CFTs, producing System-level Fault Trees (SFT). A third transformation feeds the quantitative results obtained by solving the CFT and SFT models back into the SysML model. A final transformation synthesizes an FMEA model from the system SysML model and the generated FTs, so that the FT and FMEA models stay synchronized.
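The chain of transformations described above (per-component fault trees, composition into a system-level tree, quantitative solving with feedback, and an FMEA view derived from the same trees) is easier to follow on a toy model. The Python below is an added illustration written for this page, not the thesis's transformation code or any SysML/MARTE tooling: component names (`PowerSupply`, `SensorUnit`, `Controller`), event names and failure probabilities are constructed placeholders, and the quantitative step assumes independent, non-shared basic events.

```python
"""Added illustration (not the thesis's code): a miniature CFT -> SFT -> FMEA pipeline.
All component names, events and probabilities are constructed placeholders."""
from dataclasses import dataclass
from itertools import product
from typing import Dict, List, Union


@dataclass
class BasicEvent:
    name: str
    prob: float          # probability of this failure mode (constructed value)


@dataclass
class InPort:
    component: str       # failure propagated from that component's output port


@dataclass
class Gate:
    name: str
    kind: str            # "AND" or "OR"
    inputs: List["Node"]


Node = Union[BasicEvent, InPort, Gate]


@dataclass
class CFT:
    component: str
    top: Gate            # the component's output failure port


def compose(cfts: Dict[str, CFT], root: str) -> Gate:
    """Second step: build the SFT by replacing each InPort with the referenced
    component's output gate, recursively."""
    def resolve(node: Node) -> Node:
        if isinstance(node, InPort):
            return resolve(cfts[node.component].top)
        if isinstance(node, Gate):
            return Gate(node.name, node.kind, [resolve(i) for i in node.inputs])
        return node
    return resolve(cfts[root].top)


def solve(node: Node) -> float:
    """Top-event probability; assumes independent, non-shared basic events."""
    if isinstance(node, BasicEvent):
        return node.prob
    if isinstance(node, InPort):
        raise ValueError("unresolved InPort: compose() the CFTs first")
    ps = [solve(i) for i in node.inputs]
    if node.kind == "AND":          # all inputs must fail
        p = 1.0
        for q in ps:
            p *= q
        return p
    if node.kind == "OR":           # any input failing suffices
        q = 1.0
        for p_i in ps:
            q *= 1.0 - p_i
        return 1.0 - q
    raise ValueError(f"unknown gate kind {node.kind}")


def minimal_cut_sets(node: Node) -> List[frozenset]:
    """Sets of basic events that together cause the top event, with non-minimal sets removed."""
    if isinstance(node, BasicEvent):
        return [frozenset({node.name})]
    if isinstance(node, InPort):
        raise ValueError("unresolved InPort: compose() the CFTs first")
    child = [minimal_cut_sets(i) for i in node.inputs]
    if node.kind == "OR":
        sets = list({cs for group in child for cs in group})
    else:  # AND: one cut set from each input, unioned
        sets = list({frozenset().union(*combo) for combo in product(*child)})
    return [s for s in sets if not any(o < s for o in sets)]


def feedback(cfts: Dict[str, CFT]) -> Dict[str, float]:
    """Third step: quantitative result per component, ready to be written back as annotations."""
    return {name: solve(compose(cfts, name)) for name in cfts}


def basic_events(node: Node) -> List[BasicEvent]:
    if isinstance(node, BasicEvent):
        return [node]
    if isinstance(node, Gate):
        return [e for i in node.inputs for e in basic_events(i)]
    return []  # an InPort's events belong to another component's CFT


def fmea_table(cfts: Dict[str, CFT], root: str) -> List[dict]:
    """Final step: FMEA rows derived from the same CFTs and SFT, so both views agree."""
    sft = compose(cfts, root)
    mcs = minimal_cut_sets(sft)
    return [{"component": c.component, "failure_mode": ev.name, "probability": ev.prob,
             "local_effect": c.top.name, "system_effect": sft.name,
             "single_point_of_failure": frozenset({ev.name}) in mcs}
            for c in cfts.values() for ev in basic_events(c.top)]


# Constructed sample: a controller fed by a redundant sensor pair and one power supply.
EXAMPLE_CFTS: Dict[str, CFT] = {
    "PowerSupply": CFT("PowerSupply", Gate("power_lost", "OR", [BasicEvent("psu_fail", 0.02)])),
    "SensorUnit": CFT("SensorUnit", Gate("no_sensor_data", "AND",
                      [BasicEvent("sensorA_fail", 0.1), BasicEvent("sensorB_fail", 0.1)])),
    "Controller": CFT("Controller", Gate("loss_of_control", "OR",
                      [BasicEvent("cpu_fail", 0.01), InPort("SensorUnit"), InPort("PowerSupply")])),
}

if __name__ == "__main__":
    sft = compose(EXAMPLE_CFTS, "Controller")
    print("P(loss_of_control) =", round(solve(sft), 6))
    print("minimal cut sets:", [sorted(s) for s in minimal_cut_sets(sft)])
    for row in fmea_table(EXAMPLE_CFTS, "Controller"):
        print(row)
```

With the sample values the composed tree yields a top-event probability of about 0.0395, three minimal cut sets ({cpu_fail}, {psu_fail}, {sensorA_fail, sensorB_fail}), and an FMEA table in which the two single-order cut sets are flagged as single points of failure while the redundant sensor events are not. Keeping the FMEA rows a pure function of the trees is what makes the two views stay synchronized when the model changes.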