|0830-1200 Workshop 1 – Modelling for safety critical systems|
Automating safety engineering with model-based techniques
Juha-Pekka Tolvanen, MetaCase
Fault Trees and Failure Modes and Effects Analyses are well-known methods in safety and reliability engineering. Their use requires a considerable amount of work, in particular when the system evolves and grows. This talk demonstrates an approach to automating parts of the safety design flow. First, existing architecture models are translated to dependability and error models. Safety engineers can then adapt the models for various safety cases and run analyses by calling the suitable tool. In the talk we demonstrate the benefits of the approach with various tools within the automotive domain. Models are created with domain-specific languages (MetaEdit+) and translated to analysis tools (HiPHOPS, Sistema). This approach provides several benefits, including:
AUTO-CAAS: Model-Based Fault Prediction and Diagnosis of Automotive Software
Mohammad Mousavi, Halmstad University
In this presentation we give an overview of the AUTO-CAAS project, an ongoing collaboration among ArcCore AB, Halmstad University and Quviq AB. The aim of the project is to exploit the formal models of the automotive standard AUTOSAR, developed by the project's industrial partner Quviq AB, in order to predict possible future failures in concrete implementations based on AUTOSAR components that may deviate from the standard. We use a model-based technique to align the actual behaviour of components with their interface models. We then exploit the result of this analysis to generate targeted test cases that push the components towards the predicted failures. We also exploit this information to diagnose failures that are detected by other means and trace them back to the model-based analysis results. We will discuss the results of the project to date.
QuickCheck your simulations!
John Hughes, Quviq AB/Chalmers
QuickCheck is a testing tool that generates random tests from a specification and, when a test fails, reduces it to a minimal failing test case that is easy to debug. It has been applied to find bugs in a wide variety of software, including more than 200 problems in AUTOSAR basic software used in vehicles. It is now being extended to test Simulink models, which are used to develop many safety-critical applications. This talk presents some initial results, including surprising behaviour in the cruise controller distributed together with Simulink.
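The generate-then-shrink loop the abstract describes, as an added example that is not Quviq's QuickCheck and not the Simulink cruise controller from the talk: a toy cruise-controller model with a deliberately planted defect, a random trace generator, a property ("while the spec says cruise is disengaged, throttle must be zero") and a greedy shrinker that reduces whatever random failing trace is found to the smallest trace that still fails. The controller's rules, the defect, the gain KP and the generator's ranges are all constructed for this page.

```python
"""Property-based testing with shrinking, in the style of QuickCheck.

Added example: the controller, its specification, the planted defect and the
generator/shrinker are all constructed for this page; none of it is Quviq's
QuickCheck or the Simulink cruise controller the talk refers to.
"""
import dataclasses
import random
from dataclasses import dataclass

KP = 2.0          # proportional gain of the toy controller (assumed value)
SPEED_MAX = 130   # upper bound for generated speeds, km/h (assumed)


@dataclass(frozen=True)
class Step:
    """One sample of driver inputs fed to the controller."""
    set_speed: int
    measured: int
    brake: bool
    resume: bool


class CruiseController:
    """Controller under test.

    Intended behaviour (constructed spec): pressing the brake disengages cruise
    control, and it stays disengaged until the driver presses resume.
    """

    def __init__(self):
        self.engaged = True
        self.brake_seen = False

    def step(self, s: Step) -> float:
        if s.brake:
            self.engaged = False
            self.brake_seen = True
        elif s.resume:
            self.engaged = True
            self.brake_seen = False
        elif self.brake_seen:
            # Planted defect: re-engages as soon as the brake is released,
            # without waiting for resume.
            self.engaged = True
            self.brake_seen = False
        if not self.engaged:
            return 0.0
        return max(0.0, min(100.0, KP * (s.set_speed - s.measured)))


def prop_disengaged_means_zero_throttle(trace) -> bool:
    """Property: while the spec says 'disengaged', throttle must be 0."""
    ctl = CruiseController()
    spec_engaged = True
    for s in trace:
        throttle = ctl.step(s)
        if s.brake:
            spec_engaged = False
        elif s.resume:
            spec_engaged = True
        if not spec_engaged and throttle != 0.0:
            return False
    return True


def gen_trace(rng: random.Random):
    """Random input trace of 1..20 steps."""
    return [Step(rng.randint(0, SPEED_MAX), rng.randint(0, SPEED_MAX),
                 rng.random() < 0.3, rng.random() < 0.2)
            for _ in range(rng.randint(1, 20))]


def shrink_candidates(trace):
    """Strictly smaller variants: drop one step, shrink a number, clear a flag."""
    for i in range(len(trace)):
        yield trace[:i] + trace[i + 1:]
    for i, s in enumerate(trace):
        for field in ("set_speed", "measured"):
            v = getattr(s, field)
            for smaller in (0, v // 2, v - 1):
                if 0 <= smaller < v:
                    yield trace[:i] + [dataclasses.replace(s, **{field: smaller})] + trace[i + 1:]
        for flag in ("brake", "resume"):
            if getattr(s, flag):
                yield trace[:i] + [dataclasses.replace(s, **{flag: False})] + trace[i + 1:]


def shrink(trace, prop):
    """Greedy shrinking: take the first smaller candidate that still fails,
    and repeat until no candidate fails any more."""
    while True:
        for cand in shrink_candidates(trace):
            if not prop(cand):
                trace = cand
                break
        else:
            return trace


def quickcheck(prop, gen, num_tests=200, seed=0):
    """Run random tests; on the first failure return the shrunk counterexample."""
    rng = random.Random(seed)
    for _ in range(num_tests):
        trace = gen(rng)
        if not prop(trace):
            return shrink(trace, prop)
    return None


if __name__ == "__main__":
    print(quickcheck(prop_disengaged_means_zero_throttle, gen_trace))
```

Whatever random trace triggers the defect, the shrinker always ends at the same two-step counterexample: one brake step followed by one step with no brake, no resume and a set speed one above the measured speed. That minimal trace is what makes the defect readable; the raw failing trace typically has a dozen irrelevant steps.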
Using Domain-Specific Modeling for Design and Verification of Cyber Physical Systems
Juha-Pekka Tolvanen, MetaCase
The growing size and complexity of cyber-physical systems increase the development and verification effort. Developers and verification experts do not always master the domain knowledge, while experts in the domain are not familiar with development and verification tools. We present an approach in which domain-specific models, using the concepts of the domain directly, are used to design and verify the system. The approach is demonstrated with a case of industrial process plant design in which domain-specific models are used to improve collaboration within the development team through integrated models. The same models can then also be used for verification, to identify defects in the design and to automatically generate test vectors with requirement-to-test traceability.
|0830-1200 Workshop 2 - Combining safety and other disciplines|
Reconciling the ISO 26262-compliant and the agile documentation/process management in the Swedish context
Documentation/process management is a relevant and mandatory activity according to ISO 26262. The same activity tends to be considered waste according to the agile manifesto. Thus, agile and ISO 26262-compliant documentation/process management styles seem to form an odd couple. When this couple is located in the Swedish cultural context, reconciliation and negotiation within it represent a true challenge. In this paper, based on the state of practice in industrial settings, we report our findings and propose our envisioned solution for facing this challenge and finding a balance. Finally, conclusions and perspectives for future work are drawn.
Traceability in agile development
Even-André Karlsson, Addalot
Most safety standards have tough requirements on traceability. We have been working with clients who want both to work agile and to comply with the traceability requirements. Instead of doing the "normal" manual traceability, we have built our traceability approach on the fine granularity of the implemented tasks, which are connected to requirements through stories, epics and personas. We then use the versioning system to support the required traceability into documents, tests and code. In this presentation we will present our approach, how it supports the different traceability requirements, and our experiences. In the workshop we will show more practical examples of how this is done and have more time for discussion.
To be safe you need to be secure
Hans Hansson, SICS Västerås
Security is an increasingly important issue in safety assurance as well, since the open, interconnected nature of emerging systems makes them susceptible to security threats to a much higher degree than existing, more confined products. Already today there is a lack of integration of safety and security work, as they have separate standards and independent processes. Specifically, security concerns are not covered in any detail in safety standards, potentially resulting in successfully safety-certified systems that are still open to security threats which may jeopardize safety. This talk will shed some light on the risks of neglecting security in safety work.
Benefits of Security-informed Safety-oriented Process Lines
Barbara Gallina, Mälardalen University (MDH)
Nowadays, given the growing connectivity of safety-critical systems, security-informed safety is crucial. To certify aircraft and trains, as well as to self-assess cars and trucks, both safety and security standards need to be taken into consideration. In this context, a process engineer has to master the growing complexity of the interplay between standards. To support process engineers, we propose to first consider a common terminological framework aimed at reconciling security and safety within dependability, and then to identify and systematize commonalities and variabilities between the processes. To enable this systematization we present Security-informed Safety-oriented Process Line Engineering (SiSoPLE), which extends SoPLE to address security concerns. To
|0830-1200 Workshop 3 - Analysis techniques for safety systems|
Expert vs. layman in risk assessment
We have run risk assessments of two industrial systems with experts (the CompSoft project) and with NTNU students in order to compare the results, given as the required SIL level for the safety system.
The presentation will contain system descriptions, experiment lay-out, data analysis and some conclusions.
A Comprehensive Safety Engineering Approach for Software-Intensive Systems Based on STPA
Asim Abdulkhaleq, University of Stuttgart
Software safety is becoming a critical aspect in the development process of modern systems. However, safety is a system property and hence needs to be analyzed in a system context to identify all potentially hazardous software behaviours. The complexity of software makes defining appropriate software safety requirements with traditional safety analysis techniques difficult. STPA (System-Theoretic Process Analysis) is a safety analysis approach developed to identify system hazards, including software-related hazards. Formal verification and testing are complementary approaches used in the development process to verify the functional correctness of software. However, the correctness of software alone cannot ensure the safe operation of safety-critical software systems: the software must also be verified against the safety requirements identified by safety analysis, to ensure that potential hazardous causes cannot occur. We propose a comprehensive safety engineering approach based on STPA that includes software testing and model checking for the purpose of developing safe software. The proposed approach can be embedded within a defined software engineering process or applied to existing software systems to help software and safety engineers recognize software risks. The application of the proposed approach is illustrated with an automotive software controller.
How to use generic information to get an early start on safety analysis
Tor Stålhane, NTNU
The presentation, which should be part of a workshop, discusses the following topic: it is important to get the safety analysis started before too many decisions are made. On the other hand, at an early stage of a project we have only high-level information about the system and its environment. One way to get an early start is to use domain-specific generic information such as generic failure modes, generic fault trees and ontologies. Since the architecture has a strong influence on the choice of safety barriers, it is also important to use architectural patterns to get an early start. It is important to involve all stakeholder groups in the process, so the methods applied must also be simple to learn and use.
Software complexity metrics in general and in the context of ISO 26262 software verification requirements
Miroslaw Staron, Chalmers / University of Gothenburg
The introduction of the ISO 26262 standard (Road vehicles – functional safety) formalized the requirements on software verification processes in automotive software development. Compared to the previous state of the art, the standard introduces requirements to calculate test coverage metrics and also introduces requirements on the methods used to test, verify and validate software.
In this talk we present the requirements of ISO 26262 for the verification processes in automotive software development, to establish a baseline for what needs to be tested and how. Based on these requirements we also present the metrics used to assess the quality of automotive software and show the limitations of these methods and metrics. We also review the state of the art of software complexity and coverage metrics in software engineering and propose which metrics could be used to increase the testers' confidence that the software is essentially safe.
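One of the coverage metrics in question, worked through as an added example that is not code from the talk: a unique-cause MC/DC check for a single boolean decision. MC/DC (modified condition/decision coverage) is among the structural coverage metrics ISO 26262-6 lists for unit testing; the decision below, its three conditions and the test vectors are constructed for this page. The example also shows why branch coverage alone is a weaker claim: two vectors exercise both outcomes of the decision, yet demonstrate the effect of only one of the three conditions.

```python
"""Unique-cause MC/DC check for one boolean decision.

Added example, constructed for this page: the decision, its three conditions
and the test vectors are assumptions, and the checker is a direct
implementation of the unique-cause definition, not a tool from the talk.
"""
from itertools import combinations

CONDITIONS = ["brake", "resume", "speed_ok"]


def decision(v):
    """Constructed decision: may cruise control engage for input vector v?"""
    return (not v["brake"]) and v["resume"] and v["speed_ok"]


def vec(brake, resume, speed_ok):
    return {"brake": brake, "resume": resume, "speed_ok": speed_ok}


# Constructed test set: n + 1 = 4 vectors, the minimum for unique-cause MC/DC
# over three conditions.
VECTORS = [
    vec(False, True, True),    # engages
    vec(True, True, True),     # brake alone flips the outcome
    vec(False, False, True),   # resume alone flips the outcome
    vec(False, True, False),   # speed_ok alone flips the outcome
]


def branch_covered(decision, vectors):
    """Branch (decision) coverage: both outcomes of the decision observed."""
    return {bool(decision(v)) for v in vectors} == {True, False}


def mcdc_pairs(decision, conditions, vectors):
    """For each condition, the first pair of vectors that differ only in that
    condition and produce different outcomes, or None if no such pair exists."""
    outcomes = [bool(decision(v)) for v in vectors]
    pairs = {}
    for c in conditions:
        pairs[c] = None
        for i, j in combinations(range(len(vectors)), 2):
            vi, vj = vectors[i], vectors[j]
            if (vi[c] != vj[c] and outcomes[i] != outcomes[j]
                    and all(vi[o] == vj[o] for o in conditions if o != c)):
                pairs[c] = (i, j)
                break
    return pairs


def mcdc_percent(pairs):
    """Share of conditions that have an independence pair."""
    return 100.0 * sum(p is not None for p in pairs.values()) / len(pairs)


if __name__ == "__main__":
    print(mcdc_pairs(decision, CONDITIONS, VECTORS))
    weak = VECTORS[:2]   # both outcomes seen, but only 'brake' shown to matter
    print(branch_covered(decision, weak),
          mcdc_percent(mcdc_pairs(decision, CONDITIONS, weak)))
```

The checker implements the unique-cause form of MC/DC (exactly one condition changes between the two vectors of a pair); the masking form accepted by some certification guidance is more permissive and is not handled here.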
|1300-1700 Workshop 4 - Run-Time versus Design-Time analysis of safety in systems-of-systems|
What does it mean to have a dynamic safety case?
Tim Kelly, University of York
This talk will explore the meaning of what it is to have a dynamic safety case by presenting a range of possible interpretations of the concept. In particular, the talk will describe different ways in which the argumentation of a safety case may be challenged, revised, updated and generated in step with a system in operation.
Safety rules synthesis for run-time monitoring of autonomous systems
Jeremie Guiochet, LAAS-CNRS/ University of Toulouse
Autonomous systems operating in the vicinity of humans are critical in that they can potentially harm humans. In these systems, fault removal is not sufficient given the complexity of the control system and its interactions with an unstructured environment. Following a fault tolerance approach, we consider a safety monitor, separated from the main controller, that is able to observe the system and intervene in it. The monitor's behaviour is specified by safety rules that must both ensure safety and permit the system to carry out its tasks in the absence of hazards. We propose a systematic method for obtaining these safety rules. The hazards, determined by a risk analysis, are formally modelled, and an algorithm then synthesizes safe and permissive rules. The method is tooled for both modelling and synthesis using the NuSMV model checker. Method and tools are applied to the industrial use case of a robotic co-worker.
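The safe-and-permissive rule synthesis described above, as an added example that is not the LAAS-CNRS method or its NuSMV tooling: a brute-force fixpoint over a small constructed model of a robot co-worker (distance to the nearest human in cells, robot speed level), one hazard set from an assumed risk analysis, and one intervention available to the monitor ("brake"). It first computes the states from which the hazard can no longer be avoided even by braking, derives the trigger set (brake exactly where doing nothing could lead into that set), then checks safety (no hazard reachable from the initial state) and permissiveness (no trigger state can be dropped without losing safety), and contrasts the result with two hand-written rules. The model, its dynamics and the brake strength are all assumptions.

```python
"""Synthesis of safe and permissive monitor rules on a finite model.

Added example, constructed for this page: the discrete model of a robot
co-worker, its hazard set and the single intervention are all assumptions,
and the brute-force fixpoint below stands in for the NuSMV-based synthesis of
the talk; it is not the LAAS-CNRS tooling.
"""
from itertools import product

DIST = range(5)     # distance between robot and nearest human, in cells (0 = contact)
SPEED = range(4)    # speed level of the robot
STATES = list(product(DIST, SPEED))
INIT = (4, 0)


def hazard(s):
    """Catastrophic states from the (constructed) risk analysis:
    contact while moving, or moving fast at one cell or less."""
    d, v = s
    return (d == 0 and v >= 1) or (d <= 1 and v >= 2)


def clamp(x, lo, hi):
    return max(lo, min(hi, x))


def free_succ(s):
    """Successors when the monitor does nothing: the controller may change
    speed by -1/0/+1 and the human may move by -1/0/+1 (both uncontrolled)."""
    d, v = s
    return {(clamp(d + dd, 0, 4), clamp(v + dv, 0, 3))
            for dd in (-1, 0, 1) for dv in (-1, 0, 1)}


def brake_succ(s):
    """Successors under the 'brake' intervention: speed drops by one level
    per step (assumed brake strength); the human still moves."""
    d, v = s
    return {(clamp(d + dd, 0, 4), max(0, v - 1)) for dd in (-1, 0, 1)}


def synthesise():
    """Return (trigger, bad): the rule 'brake in every trigger state' and the
    set of states from which the hazard can no longer be avoided."""
    bad = {s for s in STATES if hazard(s)}
    changed = True
    while changed:
        # a state where even braking may lead into 'bad' is itself too late
        changed = False
        for s in STATES:
            if s not in bad and brake_succ(s) & bad:
                bad.add(s)
                changed = True
    # intervene exactly where doing nothing could lead into 'bad'
    trigger = {s for s in STATES if s not in bad and free_succ(s) & bad}
    return trigger, bad


def reachable(trigger):
    """States reachable from INIT when the monitor brakes in 'trigger'."""
    seen, stack = {INIT}, [INIT]
    while stack:
        s = stack.pop()
        for n in (brake_succ(s) if s in trigger else free_succ(s)):
            if n not in seen:
                seen.add(n)
                stack.append(n)
    return seen


def is_safe(trigger):
    return not any(hazard(s) for s in reachable(trigger))


def is_permissive(trigger):
    """Every trigger state is necessary: dropping any one makes the rule unsafe."""
    return all(not is_safe(trigger - {s}) for s in trigger)


if __name__ == "__main__":
    trigger, bad = synthesise()
    print("brake in:", sorted(trigger))
    print("synthesised rule safe/permissive:", is_safe(trigger), is_permissive(trigger))
    within_two = {s for s in STATES if s[0] <= 2}    # "brake within two cells"
    print("hand-written 'within two cells' safe:", is_safe(within_two))
```

Two things the fixpoint makes visible that a hand-written rule hides. The intuitive rule "brake whenever the human is within two cells" is unsafe on this model: the robot can enter the two-cell zone at full speed, and one step of braking is then too late. The over-cautious rule "brake whenever the human is within three cells" is safe but not permissive, since several of its trigger states can be dropped without any hazard becoming reachable, which is exactly the surplus intervention the talk's permissiveness requirement rules out.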
Dynamic risk assessment for highly automated vehicles
Lars Svensson, KTH
Assessing at design time all the possible risks that may appear in a complex road traffic environment is becoming less and less feasible in the current development of highly automated vehicles. The hypothesis of this work is that dynamic risk assessment, combined with path planning that optimizes traffic flow under a constraint of maximal allowed risk, is necessary for the realization of highly automated vehicles. The strategy of the work is to develop algorithms that, through probabilistic estimation methods, provide a dynamic risk field as a basis for trajectory planning.
Risk information production and what you can do with it!
Pernilla Ulfvengren, KTH
Increase safety by reducing uncertainty through enhanced risk knowledge, both for real-time operations and for long-term system change (individual performance, incentives, safety management and system (re-)design).
|1300-1700 Workshop 5 - Technical support for safety critical systems|
Virtualization as a means to isolate applications of different criticality in a multicore system.
Joakim Nilsson, Nohau Solutions AB
The increasing complexity of software applications and the requirements of safety standards are a tough challenge for most projects.
Khronos Open Standard APIs for Safety Critical Applications
Erik Noreke, Khronos Group
The rapid advances in modern systems have created a need for a new generation of safety-critical standards. The Khronos Group released OpenGL® SC 1.0 in 2005 and OpenGL® SC 1.0.1 in 2009, open standard APIs designed for systems that need to meet DO-178. In 2015, the Khronos Safety Critical working group resumed work on the next version of the graphics API for safety-critical applications. The working group is also looking ahead at additional safety-critical APIs for graphics, compute and vision.
Deterministic Ethernet for Safety-Critical Applications
Paul Pop, Technical University of Denmark
Ethernet, although it is low cost and offers high speeds, is known to be unsuitable as-is for real-time and safety-critical applications. Several extensions have been proposed to make Ethernet suitable for safety-critical systems, such as TTEthernet, standardized by SAE. This talk will present the current developments under the umbrella of "Deterministic Ethernet", a set of standards developed by the IEEE Time-Sensitive Networking Task Group. We will cover time synchronization, quality of service, traffic shaping and scheduled traffic. The talk will also present the current state of the art in methods and tools for the analysis and optimization of Deterministic Ethernet.
|1300-1700 Workshop 6 - Managing safety development|
Lessons learned: Introducing safety in organizations
Henrik Thane, Safety Integrity AB
Introducing safety management into organizations has proven to be quite a challenge in practice. In this presentation Dr. Henrik Thane, Independent Safety Assessor and safety management consultant at Safety Integrity AB, will convey his experience and lessons learned from introducing ISO26262, EN-ISO13849, EN62061 and EN50128 into large and small organizations, both from a safety management perspective and from an assessor's perspective.
ISO 26262 Supplier management
Tord Wullt, Addalot
The presentation discusses the challenges and experiences of buying ISO 26262-compliant development. Suppliers are often not mature in the application of ISO 26262, which requires special consideration. An approach for following up on suppliers and pushing their maturity, together with experiences from applying it, is discussed.
Planning for Safety Demonstration
Vikash Katta, Institute for Energy Technology, Norway
The presentation gives an overview of the work being done in the PLANS (Planning Safety Demonstration) project. PLANS aims to provide detailed guidance on safety demonstration planning for digital instrumentation and control systems in nuclear power plants. Too often, submittals to regulators consist of vast amounts of documentation without any explicit argumentation or explanation of how this documentation supports the safety demonstration. In addition, there is a lack of planning at the early stages of a project on how to perform the safety demonstration, and utility and supplier plans for achieving safety are not communicated to the regulators. PLANS addresses some of these challenges by improving guidance on safety demonstration planning. Ongoing work involves detailing a multidisciplinary approach to safety demonstration planning covering the entire development lifecycle and identifying development artefacts that could be used as evidence to justify claims about the safety of a system.
Automotive Industry Approach to Functional Safety
Fredrik Törner, Volvo Cars
Innovation in the automotive industry is driven by the introduction of electronics and software. Many of the new features and functions may be safety related; hence, it is necessary to mitigate the risks of SW and HW to enable safe cars. The automotive industry has, during the past decade, joined forces to define an industry-wide common approach, ISO26262, a risk-based standard built on the approach of IEC 61508. This talk intends to provide an overview of safety-related automotive E/E systems and of ISO26262's structure and content, and an update from the ongoing revision activities.