QuantUM: Quantitative Safety Analysis of UML Models
When developing a safety-critical system it is essential to obtain an assessment of different design alternatives. In particular, an early safety assessment of the architectural design of a system is desirable. In spite of the plethora of available formal quantitative analysis methods it is still difficult for software and system architects to integrate these techniques into their everyday work. This is mainly due to the lack of methods that can be directly applied to architecture-level models, for instance given as UML diagrams. Also, it is necessary that the description methods used do not require a profound knowledge of formal methods. Our approach bridges this gap and improves the integration of quantitative safety analysis methods into the development process. All inputs of the analysis are specified at the level of a UML model. This model is then automatically translated into the analysis model, and the results of the analysis are consequently represented on the level of the UML model. Thus the analysis model and the formal methods used during the analysis are hidden from the user. We illustrate the usefulness of our approach using an industrial-strength case study.
Research Summary
The paper introduces QuantUM, a framework that enables quantitative safety analysis directly on UML models, thereby bridging the gap between high‑level architectural design and formal stochastic verification. The authors observe that, although powerful quantitative methods such as probabilistic model checking exist, their adoption in everyday engineering practice is hampered by the need to translate UML designs into formal languages (e.g., PRISM) and by the expertise required to interpret formal results. QuantUM addresses these issues by extending UML with a dedicated profile that adds a set of stereotypes—most notably QUMComponent, QUMAbstractStochasticTransition, QUMFailureTransition, and QUMStateConfiguration. These stereotypes allow designers to annotate classes, components, and state‑machine transitions with failure rates, repair rates, and other stochastic parameters without leaving the UML environment.
A QUMComponent may contain one normal‑behavior state machine and an arbitrary number of failure‑pattern state machines. The normal and failure machines are automatically merged into a single hierarchical state machine that represents the component’s complete behavior. Transition stereotypes carry a name and a rate; abstract transitions obtain their concrete rate from a “Rates” list defined at the component level, enabling reuse of generic failure patterns from a repository. This modeling approach yields a clear mapping to continuous‑time Markov chains (CTMCs).
The annotated UML model is exported as XMI, parsed by the QuantUM tool, and transformed into a PRISM model together with a set of Continuous Stochastic Logic (CSL) properties. The property generation is automated in three categories: (1) the probability that a specific component reaches a failure state within a mission time, (2) the probability that any component fails, and (3) the probability of reaching a user‑defined state configuration (expressed via QUMStateConfiguration). The latter allows complex Boolean combinations of component states, supporting expressive safety queries without manual CSL scripting.
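As an added illustration (not QuantUM's own code or XMI format), the following Python sketch shows the CTMC that an annotated component of the kind described above maps to, the PRISM module and the category (1) CSL property generated from it, and the time-bounded failure probability computed by uniformization. The dict layout, the state names and the rate values are constructed assumptions.

```python
import math

# Constructed QUMComponent-like description (assumption: QuantUM itself reads XMI, not dicts).
# "failed" comes from a failure-pattern machine; each transition names an entry of the Rates list.
COMPONENT = {
    "states": ["ok", "degraded", "failed"],     # first state is the initial state
    "failure_states": {"failed"},
    "rates": {"lambda_wear": 1e-4, "lambda_fail": 5e-4, "mu_repair": 1e-2},  # per hour
    "transitions": [("ok", "degraded", "lambda_wear"), ("degraded", "failed", "lambda_fail"),
                    ("degraded", "ok", "mu_repair")],
}

def to_prism(comp, t):
    """Render the component as a PRISM ctmc module plus the category (1) CSL property."""
    idx = {s: i for i, s in enumerate(comp["states"])}
    lines = ["ctmc", "module C", f"  s : [0..{len(idx) - 1}] init 0;"]
    for src, dst, rate in comp["transitions"]:
        lines.append(f"  [] s={idx[src]} -> {comp['rates'][rate]} : (s'={idx[dst]});")
    lines.append("endmodule")
    fail = " | ".join(f"s={idx[s]}" for s in sorted(comp["failure_states"]))
    return "\n".join(lines), f"P=? [ F<={t} ({fail}) ]"

def generator(comp):
    """CTMC generator Q; failure states are made absorbing so that the mass in them at time t
    equals the time-bounded reachability probability asked for by P=? [ F<=t fail ]."""
    idx = {s: i for i, s in enumerate(comp["states"])}
    n = len(idx)
    q = [[0.0] * n for _ in range(n)]
    for src, dst, rate in comp["transitions"]:
        if src in comp["failure_states"]:
            continue                      # absorbing: drop transitions leaving a failure state
        r = comp["rates"][rate]           # resolve the abstract rate name from the Rates list
        q[idx[src]][idx[dst]] += r
        q[idx[src]][idx[src]] -= r
    return q

def prob_failure_within(comp, t, eps=1e-9):
    """Transient analysis by uniformization: pi(t) = sum_k Poisson(k; q*t) * pi0 * P^k with
    P = I + Q/q, summed until the remaining Poisson mass is below eps."""
    q = generator(comp)
    n = len(q)
    qmax = max(-q[i][i] for i in range(n)) or 1.0
    lam = qmax * t
    p = [[(i == j) + q[i][j] / qmax for j in range(n)] for i in range(n)]
    vec, result, cum, k = [1.0] + [0.0] * (n - 1), [0.0] * n, 0.0, 0
    while 1.0 - cum > eps:
        # Poisson weight computed in log space so large q*t does not underflow to zero
        w = math.exp(k * math.log(lam) - lam - math.lgamma(k + 1)) if lam > 0 else float(k == 0)
        result = [r + w * v for r, v in zip(result, vec)]
        cum += w
        vec = [sum(vec[i] * p[i][j] for i in range(n)) for j in range(n)]
        k += 1
    return sum(result[comp["states"].index(s)] for s in comp["failure_states"])
```

For a two-state component with a single failure rate the result reduces to 1 - exp(-rate * t), which is a convenient sanity check against the generated property.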
Verification is performed with PRISM and its DiPro extension, which computes probabilistic counterexamples for the specified hazard states. Counterexamples are first mapped to fault trees using a causality‑based reduction that discards non‑causal events, providing a concise representation of the root causes. To keep the analysis results within the designers’ familiar notation, the counterexamples are also transformed into UML sequence diagrams, showing the chronological interaction of components along the hazardous execution path.
An industrial case study on an automotive airbag system demonstrates the full workflow: from UML modeling with QuantUM annotations, through automatic translation and analysis, to the visualization of hazardous scenarios as sequence diagrams and fault trees. The results illustrate that QuantUM can uncover high‑risk execution paths early in the design phase, supporting informed architectural decisions.
Key contributions of the work include: (i) a UML profile that captures stochastic failure information in a way that is intuitive for system architects, (ii) a linear‑time automated translation from UML/XMI to PRISM and CSL, (iii) automatic generation of relevant safety properties, and (iv) a two‑step result presentation that hides formal models while delivering actionable visual artifacts. Limitations are acknowledged: the approach currently targets CTMC‑based analysis, so systems requiring discrete‑time or non‑Markovian models are not directly supported; scalability of the XMI parsing and model generation for very large designs may become a bottleneck; and the correctness of automatically generated CSL formulas depends on the fidelity of the UML annotations, suggesting a need for validation mechanisms.
In summary, QuantUM provides a practical, end‑to‑end solution for integrating quantitative safety analysis into UML‑centric development processes, making formal stochastic verification accessible to engineers without deep formal methods expertise, and paving the way for broader adoption of model‑based safety assessment in safety‑critical domains.