Formal Hazard Analysis of Hybrid Systems in cTLA

Hybrid systems like computer-controlled chemical plants are typical safety critical distributed systems. In present practice, the safety of hybrid systems is guaranteed by hazard analysis which is performed according to procedures (e.g., HazOp) where experts discuss a series of informal argumentations. Each argumentation considers a specific required system property. Formal property proofs can increase the reliability. They, however, have often to deal with very complex hybrid systems. Therefore, methods are needed which structure and decompose formal verification tasks into manageable substasks. With respect to this, our approach achieves a relatively direct translation of informal argumentations into formal proofs. Since the informal argumentations mostly do not refer to the system as a whole but do only address specific parts and aspects, the formal proofs also can deal with partial, less complex system models. In result, even very complex systems can be verified in wellmanageable subtasks. The direct translation is supported by the characteristics of the specification technique applied. The temporal logic based technique cTLA supports the modular description of hybrid process systems. In particular, one can model a system as a composition of behavior constraints. Properties which are implied by a subsystem of constraints also are properties of the system as a whole. Therefore a subsystem can correspond to the parts and aspects addressed by an informal argumentation. We outline cTLA and introduce the formalization of hazard analysis argumentations by means of an hybrid example system. Additionally, we sketch a framework of specification modules and theorems which supports the formal hazard analysis of