Workshops

0830-1200              Workshop 1 - Analysis methods

Michale Kieviet, Innotec, will start off with a description of how to analyze safety in collaborating systems where there are several independent actors, including humans. These so-called Cyber-Physical Systems (CPS) have to be treated in the same manner as the sociological aspects of collaboration between human beings and machinery. Because access to safety functions from anywhere brings many new risks from both an IT-security and a functional-safety perspective, the aspects of flexibility, adaptation and collaboration will also require a new way of handling risks. The focus of this scenario is the overlay (or, as I call it, super-position) of safety functions when CPS systems work together in an ad hoc workspace.

Tor Stålhane, NTNU, will discuss safety risk analysis, where the important inputs are:

  • Environment description – where will the system operate
  • Functional description – what shall the system achieve
  • High-level system diagram – which components is the system composed of and how do they interact?

Based on these inputs, simple, generic solutions are presented using:

  • Domain-specific hazard lists and generic fault trees – available for a wide range of domains.
  • FMEA (what can go wrong), IF-FMEA (how do errors propagate) and functional FMEA (consequences for the system’s services), based on generic failure modes.

Finally, Tord Wullt, Addalot, will talk about limitation risk management.

The presentation deals with the challenge of understanding the risks arising from the fault-free behaviour of a function. Analysing the risks present under fault-free conditions means understanding the limitations of the function that can create a risk in a specific situation or scenario in which the function is used. Traditionally, the focus of analysis is the behaviour of a function when there is a fault that makes the function deviate from its expected behaviour.

However, understanding risks in the fault-free behaviour is also important and sometimes required. As an example, the EU regulation for Advanced Emergency Braking requires the organization to state the safe function under fault-free behaviour. Understanding risks in fault-free behaviour becomes more important as the functionality gets more complicated.

The presentation describes an approach that can be used, and the Stop&Go addition to Adaptive Cruise Control is used as an example.

The objective of the presentation is to share an approach that has been used, and to discuss the challenge of identifying function limitations that can cause risks or hazards.

0830-1200              Workshop 2 - Safety and Security

Rickard Svenningsson, SP, will start out with a presentation of the HEAVENS research project, sponsored by Vinnova. The HEAVENS project will identify security vulnerabilities in software-intensive automotive systems and define methodologies, along with tools, for performing software security testing. A common way of assessing security will improve the industry’s ability to deliver safe and secure vehicles. The results can be used, for instance, when comparing different systems with each other, when creating profiles to find vulnerabilities in systems, when specifying requirements to suppliers, or when estimating the safety properties of a system.

Nicolas Martin-Vivaldi, Addalot, will compare popular Security standards like ISO 27000, SSAE 16, Cybertrust, CMM-I extensions and Microsoft SDL with Safety standards to look at similarities and differences. He will address questions like:

  • How can we combine the Safety and Security processes into our standard processes?
  • What are the overlaps and unique parts?
  • Will the standards cover the same type of systems?

Phyto Michael, Black Duck, will talk about the security aspects of OSS.

While the ever-increasing adoption of Open Source Software means lower acquisition costs, faster time to market and other proven benefits, the community development model presents developers, integrators and deployers with a set of accompanying challenges. Most recently, with multiple highly publicized threats to Open Source Software, security has joined the legal issues among these challenges.

This presentation will:

  • Highlight Open Source Software adoption trends across IT, especially as those trends impact system and application security.
  • Review recent vulnerabilities and exploits of key OSS components.
  • Examine OSS security challenges, including community expertise and oversight of vulnerabilities, and version proliferation.
  • Present best practices in OSS management to promote application security.

Finally, Pierre Wettergren, CCG Europe AB, will present the Federal Risk and Authorization Management Program (FedRAMP), a government-wide program that provides a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services. Complying with these requirements delayed the GDSS (Group Decision Support System) major release by 8 months, but being compliant makes our business with governments much easier. We will share the lessons learned from this journey.

At the end of the workshop, Pierre will lead an interactive and dynamic session using the cloud service that he presents. With all the competence gathered in our workshop, we will create a lot of value-adding material. It takes roughly 45 minutes to go from brainstorm to an action plan, with all results, diagrams and result tables delivered as a PDF report to the participants’ mailboxes.

0830-1200              Workshop 3 - Education and culture

The culture and education workshop will be divided into two parts.

Part one will focus on the industrial training program PROMPT, led by Kristina Forsberg from Saab and Malin Rosqvist and Hans Hansson from MDH.

The PROMPT initiative offers university courses at advanced level, directed towards Swedish industry, both to companies and to individual employees. The courses are largely web-based and can be followed independently of time and place. They are given at a pace of 25% (7.5 hp credits over a full semester) and are tailored to fit alongside work. They result in university credits and are free of charge for both the student and the company.

Courses starting in January 2015:

  • Agile and Lean Development of Software-intensive products, 7.5 hp
  • Functional Safety 7.5 hp
  • Software Testing 7.5 hp
  • Project course 7.5 hp

This part of the workshop will be structured as follows:

  • A short introduction of PROMPT
  • An example from one of the courses
  • Discussion on how to combine work and study
  • Prerequisites for entering the courses
  • Different requirements from students, universities and companies.
  • Market needs

This discussion and input are important for the further development of PROMPT.

Part two will be an interactive workshop on safety culture, led by Örjan Askerdal and Jenny Gorner from Knowit.

Safety cannot rely only on roles, processes and tools. Safety culture (sometimes the term safety climate is used in the same context) is a frequently occurring concept used to define the “glue” of an organization. However, what is meant by safety culture is not unambiguous. In this workshop we will present some different interpretations, but also utilize and collect the participants’ knowledge by discussing prepared questions in smaller groups. The results of the small-group discussions will then be presented to all participants to enhance learning and trigger further discussions.

0830-1200              Workshop 4 - Autonomous system safety

A collaborative workshop organized by Martin Törngren, Slava Izosimov and Sagar Behere (KTH) and Phil Koopman, CMU.

As mass-produced consumer products evolve towards autonomy, ensuring and proving their safety is becoming more and more challenging. These products (for example, self-driving cars) are in a markedly different category from the safety critical machines found in domains like aerospace or aviation. The differences span factors like unit cost, development timeframes, operator expertise, maintenance schedules etc.

The growth of autonomous functionality cannot be traded off against system safety. There is thus an increased need for cost-effective, efficient and rapid methods to analyze and assure system safety for autonomous systems. However, getting there is challenging, since autonomy implies more sophisticated functionalities and systems, with a larger set of faults and failures, and interactions with non-deterministic environments that preclude exhaustive testing and even a full understanding of those interactions.

This workshop gathers leading researchers as well as industrial practitioners in the field to present case studies and engage in cross-domain learning. World café style discussions will be conducted to identify and illuminate the principal problem areas and potential solutions.

Preliminary agenda:

  • Workshop introduction
  • Challenges in Autonomous systems safety, KTH
  • CMU contribution
  • Experiences and strategies for autonomous vehicles with respect to safety, industrial presentation
  • Experiences and strategies for autonomous vehicles with respect to safety, industrial presentation
  • Discussions (possibly divided into groups depending on the number of participants and the time available)

1300-1700              Workshop 5 - Certification and assessment

The certification workshop will contain 4 presentations with intermixed discussions.

Tor Stålhane, NTNU, will start off with a broader view on certification where he will bring up the following suggestions:

  • Certification should focus more on “what” – what has been achieved – and less on “how” – the process has been used.
  • The IMO (International Maritime Organization) model should be used. Here the assessor or the assessor’s organization is a broker between the standard’s goals – what should be achieved – and the development organization’s process – we have done so and so in order to achieve this goal in the standard.
  • IEC 61508, part 7 contains goals for all the requirements set forth in IEC 61508, part 3, appendix A and B. Using the achievement of these goals instead of the required processes would be a big step in the direction of a goal-based version of IEC 61508, part 3.

Ola Örsmark, Comentor, will present practical aspects from lessons learned and how to put the theory into practice, in particular for the product-argument part of the safety case and for safety culture. If we choose ISO 26262 as the basis (where most of our experience comes from), the general situation is that first-time adopters of the standard have now created their first safety cases, and their projects and products have been assessed, also for the first time. A discussion on best practice in the automotive industry would therefore be relevant, potentially by comparison with more mature industries in regard to safety cases and assessments. (Certification is not a necessity with respect to ISO 26262, but assessment is nevertheless required.)

Some ideas on what will be discussed in the workshop:

  • The safety case contribution (significance) from safety culture, process and product, respectively
  • The stakeholders of a safety case (document) and potential implications
  • Complex distributed development (with distributed safety cases)
  • How to ensure that safety arguments and evidence are produced during the development and not invented in retrospect

Then Barbara Gallina, MDH, will expand on her presentation from day 1 with a more practical example of how to use MDSafeCer for ISO 26262. MDSafeCer is a model-driven safety certification method that derives safety arguments, as goal structures in Goal Structuring Notation, from process models given in compliance with Software Process Engineering Meta-model 2.0. The method is illustrated by generating process-based arguments in the context of ISO 26262. The purpose of this work is to reduce the time and cost of creating safety cases.

Finally Irfan Sljivo, MDH, will focus on the need for reuse within certification of safety-critical systems, the related issues and a possible solution that can help in resolving this problem. More specifically:

  • Due to the increasing size and complexity of software in safety-critical systems and the requirement to comply with domain-specific safety standards, the cost of achieving safety certification is a significant part of the overall development cost of safety-critical systems. Reuse of components within safety-critical systems is not sufficient without reuse of the safety certification artefacts together with the components being reused.
  • Since what is safety-relevant in one system does not necessarily have to be safety-relevant in another, it is difficult to reuse safety information. There is a need for identifying when particular information is relevant.
  • Safety contracts are defined as assumption/guarantee pairs that capture safety-relevant information and can be supported by different safety (certification) artefacts. Safety contracts can be used to identify which safety-relevant information and the supporting artefacts are relevant from the perspective of hazard analysis of a particular system.

We think that this workshop will provide a good overview of the certification area, from the more philosophical start, through the practical experiences, to the more research-oriented last two presentations.

1300-1700              Workshop 6 - Design, code and test

Björn Möller, Atlas Copco, will present their approach to meeting the architecture, design and traceability requirements of ASPICE. Safety standards and ASPICE have similar requirements on architecture, component design and traceability. The situation was that they had a large legacy product that did not fulfil the ASPICE requirements: the documentation was patchy and partly outdated, and there was limited traceability from requirements and between architecture and component design. He will describe both how they worked on this and the final result. He will also describe the mechanisms they have put in place to ensure that the documentation is kept up to date in the future. We hope to get some feedback on our approach, and ideas for further improvements.

Quentin Ochem, AdaCore, will expand on his presentation from day one and give further insight into how modern programming languages such as Ada 2012 can help manage the challenges of defensive code, by allowing developers to move defensive code from the implementation of a function to its specification. We will show how these specifications can be the basis for static analysis, with the final objective of identifying and removing unnecessary defensive code in the application. We will conclude with a word of common sense, restating that Ada helps improve software engineering in this regard but can still be used incorrectly, as some well-known industrial catastrophes, for example the Ariane 5 failure, still painfully remind us. There will also be time for questions and discussions related to this topic.

Martin Süsskraut, SIListra Systems, will present SIListra’s vision of enabling the use of cost-effective, unreliable commodity hardware in safety-critical systems. To achieve this vision, we extend the limited failure-detection capabilities of commodity hardware with the help of software. In addition to more sophisticated failure detection, system architects can apply well-known toleration approaches to mask SDCs (silent data corruptions). Our approach works well with retries, fail-over and graceful degradation.

The SIListra technology, developed in the Systems Engineering research group, uses arithmetic codes to recognize erroneous program executions. To detect errors, the processed data is encoded using an arithmetic code. These codes make it possible to detect errors during data storage, transport and processing.
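As an added illustration of the arithmetic-code idea in this abstract (not SIListra’s own code: the code constant, the input data and the fault model are constructed for this page), the following C program sums an array entirely in an AN-coded domain and shows that a single injected bit flip in the running sum is caught by the code check, where an unencoded sum would silently return a wrong value:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* AN code: every value x is carried as A*x. A is odd and not a power of
 * two, so a flipped bit (which adds or removes 2^k) never yields another
 * multiple of A. 65537 is a constructed choice for this example. */
#define AN_A 65537ULL

typedef uint64_t an_t;                  /* encoded word, holds A * value */

static an_t an_encode(uint32_t x)     { return (an_t)x * AN_A; }
static bool an_valid(an_t c)          { return c % AN_A == 0; }
static uint32_t an_decode(an_t c)     { return (uint32_t)(c / AN_A); }

/* Addition stays inside the code: A*x + A*y = A*(x+y). With 32-bit
 * inputs and short arrays the encoded sum stays far below 2^64. */
static an_t an_add(an_t a, an_t b)    { return a + b; }

/* Sum v[0..n) in the encoded domain. If flip_bit >= 0, one bit of the
 * running sum is inverted halfway through, modelling a silent data
 * corruption in a register or memory cell. Returns whether the final
 * word still passes the code check; *out receives the decoded sum. */
static bool an_sum(const uint32_t *v, size_t n, int flip_bit, uint32_t *out)
{
    an_t acc = an_encode(0);
    for (size_t i = 0; i < n; i++) {
        acc = an_add(acc, an_encode(v[i]));
        if (flip_bit >= 0 && i == n / 2)
            acc ^= (an_t)1 << flip_bit;     /* constructed fault injection */
    }
    *out = an_decode(acc);
    return an_valid(acc);
}

/* True when the fault-free run checks out and yields 51, and the run
 * with bit 9 flipped is flagged as invalid. */
static bool an_demo_detects(void)
{
    const uint32_t data[] = {3, 7, 11, 13, 17};   /* constructed input */
    uint32_t sum;
    bool clean = an_sum(data, 5, -1, &sum) && sum == 51;
    bool flagged = !an_sum(data, 5, 9, &sum);
    return clean && flagged;
}

int main(void)
{
    const uint32_t data[] = {3, 7, 11, 13, 17};   /* constructed input */
    uint32_t sum;
    bool ok = an_sum(data, 5, -1, &sum);
    printf("fault-free:    valid=%d sum=%u\n", ok, sum);
    ok = an_sum(data, 5, 9, &sum);
    printf("bit 9 flipped: valid=%d sum=%u\n", ok, sum);
    return 0;
}
```

The check is deterministic for single bit flips in stored or transported words; for a corrupted operation (wrong operand or wrong instruction) detection by a plain AN code is probabilistic, which is why richer variants add per-variable signatures.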

The presentation will cover:

  • Introduction to the SIListra Safety Transformer with an example
  • Explanation and discussion of experimental results (including fault injection technology)
  • Extended Q&A

Finally, Mahnaz Malekzadeh, MDH, will present an approach based on the As Low As Reasonably Practicable (ALARP) safety principle for deciding when testing is sufficient in the context of the worst-case timing properties of systems.

Response-Time Analysis (RTA) techniques are traditionally based on simplified assumptions about systems and need an exact Worst-Case Execution Time (WCET) to be determined for each task. However, such deterministic RTA does not apply to a real system with complex control-flow behaviour of tasks. In contrast, our approach is built around a convergence algorithm that makes no assumption about the Worst-Case Response Time (WCRT) analysis techniques for which the testing information is used, e.g. no exact knowledge of WCET is needed. The convergence algorithm informs the tester when it is believed that testing for longer is unlikely to reveal further useful information, i.e. when any significant increase in the observed WCRT would need a disproportionate amount of testing time.

1300-1700              Workshop 7 - Agility and safety

Erwin Petry from Kugler-Maag will present how the automotive industry is combining agility and safety.

Automotive is a regulated industry: standards such as Automotive SPICE® and functional safety (ISO 26262) are mandatory for the business. This leads to detailed and almost rigid planning and control of software and systems development, up to explicit requirements on organizational roles, tools, methods and practices. At the same time, competitiveness and market pressure require a more flexible and agile approach across the whole development organization. An increasing number of companies pilot agile development, while few have transitioned their entire development organization.

Based on the results from two surveys, “Agile in Automotive”, first performed in 2013 and repeated in 2014 (ongoing), and on experience from customers’ projects, we present and discuss ways in which agility and functional safety could be combined, where the limitations are, and how a realistic agile transition could be performed.

Even-André Karlsson, Addalot, will then give a presentation on how safety activities can be incorporated into a real agile project. Many adaptations of agile and safety try to put some agility into the waterfall-influenced safety models while still doing most of the analysis and safety design up front. This is not very much in line with the agile ideas. However, in this presentation Even looks at the intention of the safety activities and shows how they can be integrated into a fully agile Scrum development without compromising the agile principles.

Jaana Nyfjord, SICS, will in her presentation reflect on some recent workshops where the combination of safety and agility has been discussed, and also outline the major findings and challenges from these workshops.

At the end, Jaana will present the EU project application ALDES, which despite very good review comments was not accepted in the final rounds. We will conclude the session with a mini-workshop on how the proposal can be enhanced, and also discuss possible new participants for a renewed application at a later stage. This session will conclude the workshop and hopefully lead to ideas for future co-operation.