2025 | 11 – Making Markov Analysis practical through modular modeling

A year ago, we presented a paper at the 8th International Conference on System Reliability and Safety. In that work, we introduced a new way to bring Markov analysis closer to real engineering workflows. The motivation remains the same. Aerospace systems keep becoming more digital, more autonomous, and more dynamic. This dynamism exposes the limits of traditional safety methods. As a result, we need tools that can reason about systems that change over time.

This post revisits that work and explains the core idea behind it: a model-based, modular way to build Markov analyses directly from system architectures. The goal is simple: take a mathematically powerful method that engineers often avoid and make it usable in day-to-day safety work.


Why Markov Analysis

Safety assessments in civil aeronautics are guided by ARP4761A, which lays out methods such as FHA, FTA, FMEA, and Markov Analysis. In a typical workflow, the FHA identifies hazardous conditions and FTAs estimate their probability of occurrence, as the diagram below shows.

Traditional System Safety Analysis workflow

FTAs remain the industry’s preferred method because engineers know them well and can apply them easily. However, FTAs struggle when system behavior depends on sequence, timing, reconfiguration, or time-varying states. Digital and software-defined systems (such as aircraft with reconfigurable avionics) are full of these behaviors. Our paper highlights that as autonomy grows, these dynamic interactions become central to safety analysis, not edge cases.

Markov Analysis (MA) handles this kind of dynamic behavior well. But many engineers find it difficult to implement and manage. Engineers avoid it not because it’s weak, but because the state space explodes. As we show in the paper, even a few components with a handful of states can generate dozens or hundreds of system-level combinations. Creating and solving those models by hand is unappealing.

So the challenge is straightforward: how do we unlock MA’s strengths without drowning engineers in combinatorics? To lower the entry barrier for the safety engineer, we propose a model-based framework in which the modeling follows a modular approach: system by system.


Markov Analysis Model-Based, Modular Solution

Our approach is built in Capella, using ATICA’s safety extensions and an open-source Markov solver backend.

Model-Based framework for Markov analysis in Capella

Instead of forcing the safety engineer to think in terms of global Markov states, we model each subsystem with its own familiar State Machine.

The designer thinks locally, for example:

Engine: Operating → Failed
Power Supply: Operating → Failed
Computer: Operating → Erroneous → Operating

Each of these state machines is a small, intuitive description of the subsystem. In Capella, these states and transitions are drawn visually using the standard Mode/State constructs.

Example State Diagram for Markov Analysis

The magic happens when we combine them. The framework automatically merges the subsystem states into a full system-level Markov model, generates every legal system state, constructs the transition rates, and feeds the result into the Markov solver. Engineers then only need to map each legal system state to the system-level operational state it corresponds to. This “model locally, analyze globally” pattern is what makes the method practical.

Table of States for Markov Analysis


Use Case

To show the workflow in action, our paper walks through a simple but representative system:

Two engines → two power supplies → a computer → a power switch.

Example Model for Markov Analysis

Each component has its own small state machine, like the one shown in the previous section.

  • Engines and power supplies switch between Operating and Failed.

  • The computer has Operating, Erroneous, and Failed states, and can recover from erroneous states thanks to recovery logic.

  • The power switch is assumed not to fail.

Taken individually, each component is trivial. But when you combine them, their operational modes interact, and the number of possible system states rises quickly. In the use case, the framework generates 48 distinct system states.

Without the framework, an engineer would have to enumerate those states, encode transitions, track constraints, and build the Markov chain manually. With the modular approach, the software generates the model automatically.

The solver then computes the evolution of system behavior over the mission. For example, the probability of staying in the operational mode for 1000 flight hours is above 98%. The point isn’t the number; it’s that the method handles a dynamic system in a way a classic FTA could not.
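As an added example (not ATICA’s code or the paper’s solver), the following Python sketch implements the “model locally, analyze globally” pattern for the use case above: each component is a small state machine, the product of their local states yields the 48 legal system states (2 × 2 × 2 × 2 × 3 × 1, the non-failing switch contributing one), the local transition rates are assembled into a system-level generator matrix, and uniformization gives the state distribution after a mission. The failure and recovery rates and the operational-mode criterion are constructed assumptions, not figures from the paper.

```python
import math
from itertools import product

# Local state machines: state -> {next_state: rate per flight hour}. Constructed placeholder rates.
ENGINE = {"Operating": {"Failed": 1e-4}, "Failed": {}}
POWER = {"Operating": {"Failed": 2e-4}, "Failed": {}}
COMPUTER = {"Operating": {"Erroneous": 1e-3, "Failed": 1e-5}, "Failed": {},
            "Erroneous": {"Operating": 1.0, "Failed": 1e-2}}  # recovery from Erroneous
COMPONENTS = {"Engine1": ENGINE, "Engine2": ENGINE, "Power1": POWER, "Power2": POWER,
              "Computer": COMPUTER, "Switch": {"Operating": {}}}  # switch assumed not to fail

def build_generator(components):
    """Enumerate every legal system state and assemble the sparse generator Q (row i as {j: rate})."""
    names = list(components)
    states = list(product(*(components[n] for n in names)))
    index = {s: i for i, s in enumerate(states)}
    Q = [{i: 0.0} for i in range(len(states))]  # diagonal holds -(total exit rate)
    for s, i in index.items():
        for k, name in enumerate(names):  # exactly one local transition fires at a time
            for target, rate in components[name][s[k]].items():
                j = index[s[:k] + (target,) + s[k + 1:]]
                Q[i][j] = Q[i].get(j, 0.0) + rate
                Q[i][i] -= rate
    return names, states, Q

def transient_distribution(Q, p0, t, tol=1e-12):
    """pi(t) = p0 exp(Qt) by uniformisation (P = I + Q/lam); Poisson weights in log space avoid underflow."""
    n, lam = len(Q), max(-row[i] for i, row in enumerate(Q)) or 1.0
    P = [{j: float(i == j) + q / lam for j, q in row.items()} for i, row in enumerate(Q)]
    lt, k, v, result = lam * t, 0, list(p0), [0.0] * n
    while True:
        w = math.exp(-lt + k * math.log(lt) - math.lgamma(k + 1)) if lt > 0 else float(k == 0)
        result = [r + w * x for r, x in zip(result, v)]
        if k > lt and w < tol:
            return result
        nv = [0.0] * n  # v <- v P, exploiting the sparsity of P
        for i, row in enumerate(P):
            for j, p in row.items():
                nv[j] += v[i] * p
        v, k = nv, k + 1

def is_operational(names, state):
    """Assumed system-level criterion: an engine, a power supply and the computer Operating."""
    up = lambda *parts: any(dict(zip(names, state))[c] == "Operating" for c in parts)
    return up("Computer") and up("Engine1", "Engine2") and up("Power1", "Power2")

def probability_operational(t, components=COMPONENTS):
    names, states, Q = build_generator(components)
    pi = transient_distribution(Q, [float(all(x == "Operating" for x in s)) for s in states], t)
    return sum(p for p, s in zip(pi, states) if is_operational(names, s))
```

Because the components are independent, the product chain’s marginals factorize, so the probability that both engines are still Operating after 1000 h must equal exp(-2 · 1e-4 · 1000), which is a convenient sanity check on the generated model.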

Wrapping Up

Markov analysis remains one of the most powerful tools for dynamic safety assessments. Our work demonstrated that a model-based, modular approach is a practical path toward bringing Markov methods into engineering projects without overburdening engineers with mathematical complexity.

Curious to explore this further?

We’re always interested in hearing how others approach dynamic safety analysis and modular modeling.

If you have questions, want to dive deeper, or would like to try this method in your own project, feel free to reach out.

💬 Leave a comment below
📩 Or email us at aticasupport@anzenengineering.com.

Thanks for reading, and stay tuned for more updates from the Atica team!

And don’t forget to try the Atica Demo!


About the authors

Samuel García is an aeronautical engineer with experience in Safety and Reliability engineering, focusing in recent years on model-based safety analysis.

At Anzen, Samuel’s time is divided between two main roles: leading or supporting industrial projects as a consultant, and participating in the activities of the digital engineering department, strengthening those activities and ATICA development by feeding them with actual industrial needs.

Daniel Villafañe is an aerospace engineer with expertise in avionics, systems engineering and model-based design and analysis.

At Anzen, Daniel’s work is focused on ATICA, our model-based tool for safety analysis. Daniel is in charge of building system models and applying systems engineering processes while using ATICA to improve results on safety and reliability analyses for aerospace avionics projects.