Workshops
0830-1200 Workshop 1 – Modelling for safety critical systems
Automating safety engineering with model-based techniques
Juha-Pekka Tolvanen, MetaCase

Fault Trees and Failure Modes and Effects Analyses are well-known methods in safety and reliability engineering. Their use requires a considerable amount of work, in particular when the system evolves and grows. This talk demonstrates an approach to automate parts of the safety design flow. First, existing architecture models can be translated to dependability and error models. Safety engineers can then adapt the models for various safety cases and run analysis by calling the suitable tool. In the talk we demonstrate the benefits of the approach with various tools within the automotive domain. Models are created with domain-specific languages (MetaEdit+) and translated to analysis tools (HiPHOPS, Sistema). This approach provides several benefits, including:
AUTO-CAAS: Model-Based Fault Prediction and Diagnosis of Automotive Software
Mohammad Mousavi, Halmstad University

In this presentation, we provide an overview of the AUTO-CAAS project, an ongoing collaboration among ArcCore AB, Halmstad University, and Quviq AB. The aim of the project is to exploit the formal models of the automotive standard AUTOSAR, which were developed by the industrial partner of the project, Quviq AB, in order to predict possible future failures in concrete implementations based on AUTOSAR components that may exhibit deviations from the standard. We use a model-based technique to align the actual behaviour of components with their interface models. We then exploit the result of this analysis to generate targeted test cases that push the components towards the predicted failures. We also exploit this information to diagnose failures that are detected by other means and trace them back to the model-based analysis results. We will discuss the results of the project to date.
QuickCheck your simulations!
John Hughes, Quviq AB/Chalmers

QuickCheck is a testing tool which generates random tests from a specification and then, when a test fails, reduces it to a minimal failing test case which is easy to debug. It has been applied to find bugs in a wide variety of software, including more than 200 problems in AUTOSAR basic software used in vehicles. Now it is being extended to test Simulink models, which are used to develop many safety critical applications. This talk presents some initial results, including surprising behaviour in the cruise controller distributed together with Simulink.
Using Domain-Specific Modeling for Design and Verification of Cyber Physical Systems
Juha-Pekka Tolvanen, MetaCase

The growing size and complexity of cyber-physical systems increase the development and verification effort. Developers and verification experts don’t always master the domain knowledge, and on the other hand experts in the domain are not familiar with development and verification tools. We present an approach in which domain-specific models, using the concepts of the domain directly, are used to design and verify the system. The approach is demonstrated with a case of industrial process plant design in which domain-specific models are used to improve collaboration within the development team through integrated models. The same models can then also be used for verification to identify defects in the design and to automatically generate test vectors with requirement-to-test traceability.
0830-1200 Workshop 3 - Analysis techniques for safety systems
Expert vs. layman in risk assessment

We have run risk assessments of two industrial systems with experts (the CompSoft project) and with NTNU students in order to compare the results, given as a required SIL level for the safety system. The presentation will contain system descriptions, experiment layout, data analysis and some conclusions.

A Comprehensive Safety Engineering Approach for Software-Intensive Systems Based on STPA
Asim Abdulkhaleq, University of Stuttgart

Software safety is becoming a critical aspect in the development process of modern systems. However, safety is a system property and hence needs to be analyzed in a system context to identify all potentially hazardous software behaviours. The complexity of software makes defining appropriate software safety requirements with traditional safety analysis techniques difficult. STPA (System-Theoretic Process Analysis) is a unique safety analysis approach which has been developed to identify system hazards, including software-related hazards. Formal verification and testing are complementary approaches which are used in the development process to verify the functional correctness of software. However, the correctness of software cannot by itself ensure the safe operation of safety-critical software systems. The software must be verified against its safety requirements, which are identified by safety analysis, to ensure that potential hazardous causes cannot occur. We propose a comprehensive safety engineering approach based on STPA that includes software testing and model checking for the purpose of developing safe software. The proposed approach can be embedded within a defined software engineering process or applied to existing software systems to help software and safety engineers recognize the software risks. The application of the proposed approach is illustrated with an automotive software controller.
How to use generic information to get an early start on safety analysis
Tor Stålhane, NTNU

The presentation – which should be part of a workshop – discusses the following topic: It is important to get the safety analysis started before we make too many decisions. On the other hand, at an early stage of a project we have only high-level information about the system and its environment. One way to get an early start is to use domain-specific generic information to identify relevant information such as generic failure modes, generic fault trees and ontologies. Since the architecture has a strong influence on our choice of safety barriers, it is also important to use architectural patterns to get an early start. It is important to involve all stakeholder groups in the process, thus the methods applied must also be simple to learn and use.

Software complexity metrics in general and in the context of ISO 26262 software verification requirements
Miroslaw Staron, Chalmers / University of Gothenburg

The introduction of the ISO 26262 standard (Road vehicles – functional safety) formalized the requirements on software verification processes in automotive software development. Compared to the previous state of the art, the standard introduces requirements for calculating test coverage metrics and also introduces requirements on the methods used to test, verify and validate software. In this talk we present the requirements of ISO 26262 for the verification processes in automotive software development, to establish the baseline for what needs to be tested and how. Based on these requirements we also present the metrics used to assess the quality of automotive software and show the limitations of these methods and metrics. We also review the state of the art of software complexity and coverage metrics in software engineering and propose which metrics could be used in order to increase the confidence of the testers that the software is essentially safe.
1300-1700 Workshop 4 - Run-Time versus Design-Time analysis of safety in systems-of-systems
What does it mean to have a dynamic safety case?
Tim Kelly, University of York

This talk will explore the meaning of what it is to have a dynamic safety case by presenting a range of possible interpretations of the concept. In particular, the talk will describe different ways in which the argumentation of a safety case may be challenged, revised, updated and generated in step with a system in operation.

Safety rules synthesis for run-time monitoring of autonomous systems
Jeremie Guiochet, LAAS-CNRS / University of Toulouse

Autonomous systems operating in the vicinity of humans are critical in that they can potentially harm humans. In these systems, fault removal is not sufficient given the command complexity and their interactions with an unstructured environment. Following a fault tolerance approach, we consider a safety monitor separated from the main command and able to observe and intervene on the system. The monitor behaviour is specified by safety rules that must both ensure safety and permit the system to carry out its tasks in the absence of hazard. We propose a systematic method to obtain these safety rules. The hazards, determined by a risk analysis, are formally modeled, then an algorithm synthesizes safe and permissive rules. The method is tooled both for modeling and for synthesis by use of the model checker NuSMV. Method and tools are applied to the industrial use case of a robotic co-worker.

Dynamic risk assessment for highly automated vehicles
Lars Svensson, KTH

Assessing at design time all the possible risks that may appear in complex road traffic environments appears less and less feasible in the current development of highly automated vehicles. The hypothesis for this work is that a dynamic assessment of risk, together with path planning that optimizes traffic flow under constraints of maximal allowed risk, is necessary for the realization of highly automated vehicles. The strategy for the work is to develop algorithms that, through probabilistic estimation methods, provide a dynamic risk field as a basis for trajectory planning.

Risk information production and what you can do with it!
Pernilla Ulfvengren, KTH

Increase safety by reducing uncertainty with enhanced risk knowledge, both for real-time operations and long-term system change. (Individual performance, incentives, safety management and system (re-)design)
1300-1700 Workshop 5 - Technical support for safety critical systems
Virtualization as a means to isolate applications of different criticality in a multicore system
Joakim Nilsson, Nohau Solutions AB

The increasing complexity of software applications and the requirements of safety standards are a tough challenge for most projects.

Khronos Open Standard APIs for Safety Critical Applications
Erik Noreke, Khronos Group

The rapid advances in modern systems have created a need for a new generation of safety critical standards. The Khronos Group released OpenGL® SC 1.0 in 2005 and OpenGL® SC 1.0.1 in 2009 – open standard APIs designed for systems needing to meet DO178. In 2015, the Khronos Safety Critical working group resumed work on the next version of the graphics API for safety critical applications. The working group is also looking ahead at additional safety critical APIs for graphics, compute, and vision.

Deterministic Ethernet for Safety-Critical Applications
Paul Pop, Technical University of Denmark

Although Ethernet is low cost and offers high speeds, it is known to be unsuitable for real-time and safety-critical applications. Several extensions have been proposed to make Ethernet suitable for safety-critical systems, such as TTEthernet, standardized by SAE. This talk will present the current developments under the umbrella of "Deterministic Ethernet", a set of standards developed by the IEEE Time-Sensitive Networking Task Group. We will cover time synchronization, quality of service, traffic shaping and scheduled traffic. The talk will also present the current state of the art in methods and tools for the analysis and optimization of Deterministic Ethernet.
1300-1700 Workshop 6 - Managing safety development
Lessons learned: Introducing safety in organizations
Henrik Thane, Safety Integrity AB

Introducing safety management into organizations has proven to be quite a challenge in practice. In this presentation Dr. Henrik Thane, Independent Safety Assessor and Safety Management consultant at Safety Integrity AB, will convey his experience and lessons learned from introducing ISO 26262, EN-ISO 13849, EN 62061 and EN 50128 into large and small organizations, both from a safety management perspective and from an Assessor’s perspective.

ISO 26262 Supplier management
Tord Wullt, Addalot

The presentation discusses the challenges and experiences of buying 26262-compliant development. Suppliers are often not mature in the application of 26262, which requires special consideration. An approach, together with experiences, for following up and pushing the suppliers’ maturity is discussed.

Planning for Safety Demonstration
Vikash Katta, Institute for Energy Technology, Norway

The presentation gives an overview of the work being done in the PLANS (Planning Safety Demonstration) project. PLANS aims to provide detailed guidance on safety demonstration planning for digital instrumentation and control systems in nuclear power plants. More often than not, submittals to regulators consist of vast amounts of documentation without providing any explicit argumentation/explanation of how this documentation supports safety demonstration. In addition, there is a lack of planning at the early stages of the project on how to perform safety demonstration, and utility/supplier plans for achieving safety are not being communicated to the regulators. PLANS addresses some of the challenges of safety demonstration by improving guidance on safety demonstration planning. Ongoing work involves detailing a multidisciplinary approach for safety demonstration planning covering the entire development lifecycle and identifying development artefacts that could be used as evidence to justify the claims on the safety of a system.

Automotive Industry Approach to Functional Safety
Fredrik Törner, Volvo Cars

Innovation in the automotive industry is driven by the introduction of electronics and software. Many of the new features and functions may be safety related; hence, it is necessary to mitigate risks in SW and HW to enable safe cars. The automotive industry has, during the past decade, joined forces to define an industry-wide common approach, ISO 26262, a risk-based standard built on the approach of IEC 61508. This talk intends to provide an overview of safety-related automotive E/E systems and of the structure and content of ISO 26262, together with an update from the ongoing revision activities.