0830-1200              Workshop 1 – Modelling for safety critical systems

Automating safety engineering with model-based techniques                 

Juha-Pekka Tolvanen, MetaCase

Fault Trees and Failure Modes and Effects Analyses are well known methods in safety and reliability engineering. Their use requires a considerable amount of work, in particular when the system evolves and grows. This talk demonstrates an approach to automate parts of the safety design flow. First, existing architecture models can be translated to dependability and error models. Safety engineers can then adapt the models for various safety cases and run analysis calling the suitable tool. In the talk we demonstrate the benefits of the approach with various tools within the automotive domain. Models are created with domain-specific languages (MetaEdit+) and translated to analysis tools (HiPHOPS, Sistema). This approach provides several benefits, including:
• Ensures that safety analysis is done for the intended/designed architecture
• Makes safety analysis faster as it is partly automated
• Reduces error-prone routine work
• Makes safety analysis easier to use and accessible


AUTO-CAAS: Model-Based Fault Prediction and Diagnosis of Automotive Software        

Mohammad Mousavi, Halmstad University

In this presentation, we provide an overview of the AUTO-CAAS project, an ongoing collaboration among ArcCore AB, Halmstad University, and Quviq AB. The aim of the project is to exploit the formal models of the automotive standard AUTOSAR, which were developed by the industrial partner of the project Quviq AB, in order to predict possible future failures in concrete implementations based on AUTOSAR components that may possibly exhibit deviations from the standard. We use a model-based technique to align the actual behaviour of components with their interface models. We then exploit the result of this analysis in order to generate targeted test-cases to push the components towards predicted failures. We also exploit this information to diagnose failures that are detected otherwise and trace them back to the model-based analysis results. We will discuss the results of the project up to date.


QuickCheck your simulations!                       

John Hughes, Quviq AB/Chalmers

QuickCheck is a testing tool which generates random tests from a specification, then when a test fails, reduces it to a minimal failing test case which is easy to debug. It has been applied to find bugs in a wide variety of software, including more than 200 problems in AUTOSAR basic software used in vehicles. Now it is being extended to test Simulink models, which are used to develop many safety critical applications. This talk presents some initial results, including surprising behaviour in the cruise controller distributed together with Simulink.


Using Domain-Specific Modeling for Design and Verification of Cyber Physical Systems

Juha-Pekka Tolvanen, MetaCase

Growing size and complexity of cyber-physical systems increase the development and verification effort. Developers and verification experts don’t always master the domain knowledge and on the other hand experts in the domain are not familiar with development and verification tools. We present an approach in which domain-specific models using directly the concepts of the domain are used to design and verify the system.  The approach is demonstrated with a case of industrial process plant design in which domain-specific models are used to improve collaboration within development team through integrated models. The same models can be then used also for verification to identify defects in the design and automatically generate test vectors with requirement-to-test traceability.


0830-1200              Workshop 2 - Combining safety and other disciplines

Reconciling the ISO 26262-compliant and the agile documentation/process management in the Swedish context          

Barbara Gallina, Mälardalen University (MDH)

Documentation/process management represents a relevant and mandatory activity according to ISO 26262. The same activity tends to be considered as a waste according to the agile manifesto. Thus, agile and ISO 26262-compliant documentation/process management styles seem to form an odd couple. When this couple is located in the Swedish cultural context, reconciliation and negotiation within it represent a true challenge. In this paper, based on the state of practice in industrial settings, we report about our findings and propose our envisioned solution to face this challenge and get a balance. Finally, conclusion and perspectives for future work are also drawn.

Remark: This presentation is based on a research paper, accepted at CARS-2015.
B. Gallina, M. Nyberg. Reconciling the ISO 26262-compliant and the Agile Documentation Management in the Swedish Context. Proceedings of the third Workshop on Critical Automotive applications: Robustness & Safety, joint event of EDCC-2015, Paris, France, September 8th, 2015.


Traceability in agile development                 

Even-André Karlsson, Addalot

Most safety standards have tough requirements on traceability. We have been working with clients who both want to work agile and comply with the traceability requirements. Instead of doing the "normal" manual traceability, we have built our traceability approach on the fine granularity of the implemented tasks that are connected to requirements through stories, epics and personas. We then use the versioning system to support the required traceability into documents, test and code. In this presentation we will present our approach, how it supports the different traceability requirements, and our experiences. In the workshop we will show more practical examples of how this is done, and have more time for discussion.


To be safe you need to be secure                 

Hans Hansson, SICS Västerås

Security is an increasingly important issue also in safety assurance, as the open interconnected nature of emerging systems makes them susceptible to security threats at a much higher degree than existing more confined products. Already today there is a lack of integration of safety and security work, as they have separate standards and independent processes. Specifically, security concerns are not covered in any detail in safety standards, potentially resulting in successfully safety-certified systems that are still open for security threats which may jeopardize safety. This talk will shed some light on the risks of neglecting security in safety work.


Benefits of Security-informed Safety-oriented Process Lines                    

Barbara Gallina, Mälardalen University (MDH)

Nowadays, given the growing connectivity of safety-critical systems, security-informed safety is crucial. To certify aircraft/trains as well as to self-assess cars/trucks, safety as well as security standards need to be taken into consideration. In this context, a process engineer has to succeed in mastering the growing complexity of the standards interplay. To support process engineers, we propose to: first, consider a common terminological framework, aimed at reconciling security and safety within dependability; then identify and systematize commonalities and variabilities between the processes. To enable this systematization we present Security-informed Safety-oriented Process Line Engineering (SiSoPLE), which extends SoPLE to address security concerns. To show the effectiveness and benefits of SiSoPLE, we apply this new process line engineering to two aerospace standards, SAE ARP 4761 (Safety) and RTCA DO-326A (Security) centered. We then provide our lessons learned and concluding remarks. Finally, we sketch some perspectives for future investigation.

This presentation is based on and extends the work accepted at DASC-34.

B. Gallina, L. Fabre. Benefits of Security-informed Safety-oriented Process Line Engineering. IEEE 34th Digital Avionics Systems Conference (DASC-34), Prague, Czech Republic, September 13-17, 2015.


0830-1200              Workshop 3 - Analysis techniques for safety systems

Expert vs. layman in risk assessment          

Tor Stålhane, NTNU               

We have run risk assessment of two industrial systems with experts (the CompSoft project) and with NTNU students in order to compare the results given as a required SIL level for the safety system.

The presentation will contain system descriptions, experiment lay-out, data analysis and some conclusions.

A Comprehensive Safety Engineering Approach for Software-Intensive Systems Based on STPA

Asim Abdulkhaleq, University of Stuttgart  

Software’s safety becomes a critical aspect in the development process of modern systems. However, safety is a system property and, hence, needs to be analyzed in a system context to identify all potential hazardous software behaviors. The complexity of software makes defining appropriate software safety requirements with traditional safety analysis techniques difficult. STPA (Systems-Theoretic Process Analysis) is a unique safety analysis approach which has been developed to identify system hazards, including the software-related hazards as well. Formal verification and testing are complementary approaches which are used in the development process to verify the functional correctness of software. However, the correctness of software cannot ensure the safe operation of safety-critical software systems. The software must be verified against its safety requirements which are identified by safety analysis to ensure potential hazardous causes cannot occur. We propose a comprehensive safety engineering approach based on STPA including software testing and model checking approaches for the purpose of developing safe software. The proposed approach can be embedded within a defined software engineering process or applied on existing software systems to help software and safety engineers to recognize the software risks. The application of the proposed approach is illustrated with an automotive software controller.

How to use generic information to get an early start on safety analysis

Tor Stålhane, NTNU

The presentation – which should be part of a workshop – discusses the following topic: It is important to get the safety analysis started before we make too many decisions. On the other hand, at an early stage of a project, we have only high-level information about the system and its environment. One way to get an early start is to use domain-specific generic information to identify relevant information such as generic failure modes, generic fault trees and ontologies. Since the architecture has a strong influence on our choice of safety barriers, it is also important to use architectural patterns to get an early start. It is important to involve all stakeholder groups in the process, thus the methods applied must also be simple to learn and use.     

Software complexity metrics in general and in the context of ISO 26262 software verification requirements             

Miroslaw Staron, Chalmers / University of Gothenburg

The introduction of the ISO 26262 standard (Road vehicles – functional safety) formalized the requirements on software verification processes in automotive software development. Compared to the previous state-of-the-art the standard introduces requirements of calculations of test coverage metrics and also introduces the requirements on methods used to test, verify and validate software.

In this talk we present the requirements of ISO 26262 for the verification processes for automotive software development to establish the baseline for what needs to be tested and how. Based on these requirements we also present the metrics used to assess the quality of the automotive software and show the limitations of these methods and metrics. We also review the state-of-the-art of software complexity and coverage metrics in software engineering and propose which metrics could be used in order to increase the confidence of the testers that the software is essentially safe.


1300-1700              Workshop 4 - Run-Time versus Design-Time analysis of safety in systems-of-systems

What does it mean to have a dynamic safety case?

Tim Kelly, University of York

This talk will explore the meaning of what it is to have a dynamic safety case by presenting a range of possible interpretations of the concept.  In particular, the talk will describe different ways in which the argumentation of a safety case may be challenged, revised, updated and generated in step with a system in operation.

Safety rules synthesis for run-time monitoring of autonomous systems

Jeremie Guiochet, LAAS-CNRS/ University of Toulouse

Autonomous systems operating in the vicinity of humans are critical in that they potentially harm humans. In these systems, fault removal is not sufficient given the command complexity and their interactions with an unstructured environment. By a fault tolerance approach, we consider a safety monitor separated from the main command and able to observe and intervene on the system. The monitor behavior is specified by safety rules that must both ensure safety and permit the system to carry out its tasks in absence of hazard. We propose a systematic method to obtain these safety rules. The hazards, determined by a risk analysis, are formally modeled, then an algorithm synthesizes safe and permissive rules. The method is tooled both for modeling and synthesis by use of the model-checker NuSMV. Method and tools are applied to the industrial use case of a robotic co-worker.

Dynamic risk assessment for highly automated vehicles

Lars Svensson, KTH

Assessing all the possible risks that may appear in a complex road traffic environment at design time looks to be less and less feasible in the current development of highly automated vehicles. The hypothesis for this work is that a dynamic assessment of risk and path planning that optimizes traffic flow under constraints of maximal allowed risk is necessary for the realization of highly automated vehicles. The strategy for the work is to develop algorithms that through probabilistic estimation methods provide a dynamic risk field as a basis for trajectory planning.

Risk information production and what you can do with it!

Pernilla Ulfvengren, KTH

Increase safety by reducing uncertainty with enhanced risk knowledge both for real-time operations and long-term system change. (Individual performance, Incentives, safety management and system (re-)design)


1300-1700              Workshop 5 - Technical support for safety critical systems

Virtualization as a means to isolate applications of different criticality in a multicore system.

Joakim Nilsson, Nohau Solutions AB

The increasing complexity of software applications and the requirements of safety standards are a tough challenge for most projects.
Multicore processors offer more processing power. We can now mix Android with Autosar and hard real-time chores, but how do we best organize the software to optimize execution budget while maintaining a simple architecture that allows us to pass safety certification for 26262, 61508, 50128, 62304 etc?
This presentation focuses on technologies for virtualization of software applications and tasks of different criticality levels. We will discuss how different tasks can be effectively isolated for safety and security.

Khronos Open Standard APIs for Safety Critical Applications                    

Erik Noreke, Khronos Group

The rapid advances in modern systems have created a need for a new generation of safety critical standards. The Khronos Group released OpenGL® SC 1.0 in 2005 and OpenGL® SC 1.0.1 in 2009 – open standard APIs designed for systems needing to meet DO178. In 2015, the Khronos Safety Critical working group resumed work on the next version of the graphics API for safety critical applications. The working group is also looking ahead at additional safety critical APIs for graphics, compute, and vision.
This talk will explore design constraints of developing an open standard API for safety critical systems and how Khronos members work to provide the industry with needed functionality that meets the criteria for safety critical systems in avionics, automotive, medical and other safety critical industries. We will also take a look at some of the features which may be incorporated in the next generation of OpenGL® SC.

Deterministic Ethernet for Safety-Critical Applications     

Paul Pop, Technical University of Denmark

Ethernet, although it is low cost and has high speeds, is known to be unsuitable for real-time and safety-critical applications. Several extensions have been proposed to make Ethernet suitable for safety-critical systems, such as TTEthernet, standardized by SAE. This talk will present the current developments under the umbrella of "Deterministic Ethernet", which are a set of standards developed by the IEEE Time-Sensitive Networking Task Group. We will cover time synchronization, quality of service, traffic shaping and scheduled traffic. The talk will also present the current state-of-the-art in methods and tools for the analysis and optimization of Deterministic Ethernet.


1300-1700              Workshop 6 - Managing safety development

Lessons learned: Introducing safety in organizations        

Henrik Thane, Safety Integrity AB                 

To introduce safety management into organizations has proven to be quite a challenge in practice. In this presentation Dr. Henrik Thane, Independent Safety Assessor, and Safety Management consultant, at Safety Integrity AB will convey his experience, and lessons learned from introducing ISO26262, EN-ISO13849, EN62061, and EN50128 into large and small organizations both from a safety management perspective as well as from an Assessor’s perspective.

ISO 26262 Supplier management                 

Tord Wullt, Addalot               

The presentation discusses the challenges and experiences of buying 26262 compliant development. Suppliers are often not mature in the application of 26262, which requires special consideration. An approach together with experiences for follow up and to push the suppliers' maturity is discussed.

Planning for Safety Demonstration             

Vikash Katta, Institute for Energy Technology, Norway     

The presentation gives an overview of the work being done in the PLANS (Planning Safety Demonstration) project. PLANS aims to provide detailed guidance on safety demonstration planning for digital instrumentation and control systems in nuclear power plants. More often, submittals to regulators consist of a vast amount of documentation without providing any explicit argumentation/explanation on how this documentation supports safety demonstration. In addition, there is a lack of planning at the early stages of the project on how to perform safety demonstration, and utility/suppliers' plans for achieving safety are not being communicated to the regulators. PLANS addresses some of the challenges of safety demonstration by improving guidance on safety demonstration planning. Ongoing work involves detailing a multidisciplinary approach for safety demonstration planning covering the entire development lifecycle and identifying development artefacts that could be used as evidence to justify the claims on safety of a system.

Automotive Industry Approach to Functional Safety

Fredrik Törner, Volvo Cars

Innovation in the automotive industry is driven by introduction of electronics and software. Many of the new features and functions may be safety related; hence, it is necessary to mitigate risks with SW and HW to enable safe cars. The automotive industry has, during the past decade, joined forces to define an industry wide common approach, the ISO26262, a risk based standard based on the approach of IEC 61508. This speech intends to provide an overview of safety related automotive E/E systems and ISO26262's structure, content and an update from the ongoing revision activities.