System Hazard Analysis: FTA Evaluation (Leveson - 143)

- The graphical format helps in understanding the system and the relationships between events.
- Can be useful in tracing hazards to the software interface and identifying potentially hazardous software behavior.
- Cut sets denote the weak points of a complex design.
- Dependencies (common-cause failure points) are not easy to see.
- Requires detailed knowledge of the design, construction, and operation of the system.

System Hazard Analysis: FTA Evaluation (2) (Leveson - 144)

- A simplified representation of a complex process, sometimes too simplified.
- Tends to concentrate on failures.
- Quantitative evaluation may be misleading.
- On U.S. space programs where FTA (and FMEA) were used extensively, 35% of actual in-flight malfunctions were not identified, or were not identified as credible.
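As an added example (not from Leveson's notes), the following Python computes the minimal cut sets of a small constructed fault tree and then illustrates the "dependencies not easy to see" point: the tree's only single-point cut set is the controller failure until the two redundant pump failures are mapped onto the shared power bus they both depend on. The tree, event names and the common-cause mapping are all constructed for the illustration.

```python
# Fault tree represented as nested tuples: ("AND", [...]), ("OR", [...]),
# or a plain string for a basic event.
from itertools import product


def minimize(sets):
    """Drop any cut set that is a strict superset of another (keep minimal ones)."""
    return {s for s in sets if not any(other < s for other in sets)}


def cut_sets(node):
    """Return the minimal cut sets of a fault-tree node as a set of frozensets."""
    if isinstance(node, str):                      # basic event
        return {frozenset([node])}
    gate, children = node
    child_sets = [cut_sets(child) for child in children]
    if gate == "OR":                               # any child's cut set suffices
        combined = set().union(*child_sets)
    elif gate == "AND":                            # one cut set from each child, merged
        combined = {frozenset().union(*combo) for combo in product(*child_sets)}
    else:
        raise ValueError(f"unknown gate {gate!r}")
    return minimize(combined)


def collapse_common_cause(sets, cause_of):
    """Replace basic events by their shared root cause and re-minimize."""
    mapped = {frozenset(cause_of.get(event, event) for event in s) for s in sets}
    return minimize(mapped)


def single_point_failures(sets):
    """Events that alone cause the top event (cut sets of size one)."""
    return {next(iter(s)) for s in sets if len(s) == 1}


# Constructed example: braking is lost if both redundant pumps fail,
# or if the controller commands the brakes off.
TOP = ("OR", [
    ("AND", ["primary_pump_fails", "backup_pump_fails"]),
    "controller_commands_brakes_off",
])
# Constructed common-cause dependency the tree itself does not show.
COMMON_CAUSE = {"primary_pump_fails": "shared_power_bus_loss",
                "backup_pump_fails": "shared_power_bus_loss"}

if __name__ == "__main__":
    cs = cut_sets(TOP)
    print("minimal cut sets:", sorted(map(sorted, cs)))
    print("single points as drawn:", sorted(single_point_failures(cs)))
    cc = collapse_common_cause(cs, COMMON_CAUSE)
    print("single points with common cause:", sorted(single_point_failures(cc)))
```

The redundancy that looks like a two-event cut set in the drawing is a single point of failure once the shared dependency is accounted for, which is exactly the weakness the second slide's quantitative caveat warns about.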