\contentsline {chapter}{\numberline {1}Introduction}{3}{chapter.1}
\contentsline {section}{\numberline {1.1}Toward an automated model-based approach to system validation}{3}{section.1.1}
\contentsline {subsection}{\numberline {1.1.1}Classical safety analysis techniques: FTA and FMEA}{4}{subsection.1.1.1}
\contentsline {subsection}{\numberline {1.1.2}Modern safety analysis techniques: MBSE and MBSA}{5}{subsection.1.1.2}
\contentsline {section}{\numberline {1.2}Automated Evaluation of Safety Temporal Conditions}{5}{section.1.2}
\contentsline {chapter}{\numberline {2}State of the art}{7}{chapter.2}
\contentsline {section}{\numberline {2.1}Modelling languages for Safety Analysis}{7}{section.2.1}
\contentsline {section}{\numberline {2.2}Safety Assessment on Temporal Properties}{8}{section.2.2}
\contentsline {section}{\numberline {2.3}Model-checking approach to safety assessment}{9}{section.2.3}
\contentsline {subsection}{\numberline {2.3.1}Tina model-checker}{10}{subsection.2.3.1}
\contentsline {chapter}{\numberline {3}A Model-Checking Approach to Analyse Temporal Failure Propagation with AltaRica}{12}{chapter.3}
\contentsline {section}{\numberline {3.1}Model-Based Safety Analysis with AltaRica}{13}{section.3.1}
\contentsline {subsection}{\numberline {3.1.1}AltaRica language and versions}{13}{subsection.3.1.1}
\contentsline {subsection}{\numberline {3.1.2}AltaRica modelling}{13}{subsection.3.1.2}
\contentsline {subsection}{\numberline {3.1.3}Time AltaRica: Adding Timing Constraints to Events}{15}{subsection.3.1.3}
\contentsline {section}{\numberline {3.2}A Definition of Fiacre Using Examples}{16}{section.3.2}
\contentsline {section}{\numberline {3.3}Example of a Failure Detection and Isolation System}{18}{section.3.3}
\contentsline {subsubsection}{Safety model of the architecture without FDI}{19}{section*.2}
\contentsline {subsubsection}{Safety model of the architecture with FDI}{21}{section*.3}
\contentsline {section}{\numberline {3.4}Compilation of AltaRica and Experimental evaluation}{22}{section.3.4}
\contentsline {subsection}{\numberline {3.4.1}Empirical evaluation}{24}{subsection.3.4.1}
\contentsline {chapter}{\numberline {4}A Case Study: FDIR in a Satellite AOCS}{26}{chapter.4}
\contentsline {section}{\numberline {4.1}An Expression of Industrial Needs and Requirements}{27}{section.4.1}
\contentsline {section}{\numberline {4.2}AOCS Case Study}{27}{section.4.2}
\contentsline {subsection}{\numberline {4.2.1}Architecture description}{28}{subsection.4.2.1}
\contentsline {subsection}{\numberline {4.2.2}AOCS mode automaton}{28}{subsection.4.2.2}
\contentsline {subsubsection}{OFF mode}{31}{section*.5}
\contentsline {subsubsection}{Acquisition \& Safe mode (ASM)}{31}{section*.6}
\contentsline {subsubsection}{Attitude Control Mode (ACM)}{31}{section*.7}
\contentsline {subsubsection}{Collision Avoidance Manœuvre (CAM)}{32}{section*.8}
\contentsline {subsubsection}{Orbit Control Mode (OCM)}{32}{section*.9}
\contentsline {subsubsection}{Formation Control Mode (FCM)}{33}{section*.10}
\contentsline {subsubsection}{Equipment}{33}{section*.11}
\contentsline {section}{\numberline {4.3}Case study modelling}{36}{section.4.3}
\contentsline {subsection}{\numberline {4.3.1}AltaRica modelling process}{37}{subsection.4.3.1}
\contentsline {subsection}{\numberline {4.3.2}Details of the model}{37}{subsection.4.3.2}
\contentsline {subsection}{\numberline {4.3.3}Empirical evaluation}{38}{subsection.4.3.3}
\contentsline {chapter}{\numberline {5}Conclusions}{41}{chapter.5}
\contentsline {section}{\numberline {5.1}Future Work}{42}{section.5.1}
\contentsline {section}{\numberline {A.1}Interpretation of AltaRica in Fiacre}{47}{section.A.1}
\contentsline {section}{\numberline {A.2}Method and translation}{51}{section.A.2}
\contentsline {subsection}{\numberline {A.2.1}Time Petri Nets}{51}{subsection.A.2.1}
\contentsline {subsubsection}{States in a TPN}{51}{section*.17}
\contentsline {subsection}{\numberline {A.2.2}From AltaRica to Tina}{52}{subsection.A.2.2}
\contentsline {subsection}{\numberline {A.2.3}Factored model of ETGTS}{52}{subsection.A.2.3}
\contentsline {subsubsection}{Semantics of a ETGTS}{53}{section*.18}
\contentsline {subsubsection}{Translation}{54}{section*.19}
\contentsline {section}{\numberline {A.3}Command line}{54}{section.A.3}