
About this book

This book constitutes the refereed proceedings of 5 workshops co-located with SAFECOMP 2015, the 34th International Conference on Computer Safety, Reliability, and Security, held in Delft, The Netherlands, in September 2015.

The 36 revised full papers presented were carefully reviewed and selected from numerous submissions. This year's workshops are: ASSURE 2015 - Assurance Cases for Software-intensive Systems; DECSoS'15 - EWICS/ERCIM/ARTEMIS Dependable Cyber-physical Systems and Systems-of-Systems Workshop; ISSE'15 - International workshop on the Integration of Safety and Security Engineering; ReSA4CI 2015 - International Workshop on Reliability and Security Aspects for Critical Infrastructure Protection; SASSUR 2015 - International Workshop on Next Generation of System Assurance Approaches for Safety-Critical Systems.



Assurance Cases for Software-Intensive Systems (ASSURE 2015)


Informing Assurance Case Review Through a Formal Interpretation of GSN Core Logic

A formalization of a logical subset of Goal Structuring Notation (GSN) arguments is presented. The aim is to reveal the conditions which must be true in order to guarantee that an argument thus formalized is internally consistent. These conditions justify a number of systematic questions which must be answered in the affirmative if a standard safety argument based on natural language is to be believed to be free from inconsistencies. The relevance of these findings to the combination of GSN and controlled natural language with first-order logic semantics is discussed.

Victor Bandur, John McDermid

Representing Confidence in Assurance Case Evidence

When evaluating assurance cases, being able to capture the confidence one has in the individual evidence nodes is crucial, as these values form the foundation for determining the confidence one has in the assurance case as a whole. Human opinions are subjective, oftentimes with uncertainty—it is difficult to capture an opinion with a single probability value. Thus, we believe that a distribution best captures a human opinion such as confidence. Previous work used a doubly-truncated normal distribution or a Dempster-Shafer theory-based belief mass to represent confidence in the evidence nodes, but we argue that a beta distribution is more appropriate. The beta distribution models a variety of shapes and we believe it provides an intuitive way to represent confidence. Furthermore, there exists a duality between the beta distribution and subjective logic, which can be exploited to simplify mathematical calculations. This paper is the first to apply this duality to assurance cases.

Lian Duan, Sanjai Rayadurgam, Mats P. E. Heimdahl, Oleg Sokolsky, Insup Lee

Safe & Sec Case Patterns

Many industrial sectors, which manufacture safety intensive systems e.g., automotive, railway, etc., now face technical challenges on how to integrate and harmonize critical issues on safety in addition to security for their systems. In this paper, we will explore a new way of reconciling those issues in an argument form, which we call Safe & Sec (Safety and Security) case patterns. They are derived from process patterns identified from our literature survey on research and standards. Safe & Sec case patterns in this paper will provide practitioners a wide perspective and baseline on how they could provide an assurance framework for their safety intensive systems with security focus.

Kenji Taguchi, Daisuke Souma, Hideaki Nishihara

A Comprehensive Safety Lifecycle

CLASS is a novel approach to the safety engineering and management of safety-critical systems in which the system safety case becomes the focus of safety engineering throughout the system lifecycle. CLASS expands the role of the safety case across all phases of the system’s lifetime, from concept formation and problem definition to decommissioning. Having the system safety case as the focus of safety engineering and management only has value if the safety case is properly engineered and appropriately consistent with the system. To achieve these properties, CLASS requires that a system and its safety case be regarded as a single composite entity, always linked and always correctly representing one another. CLASS introduces new techniques for the creation, approval and maintenance of safety cases, a rigorous analysis mechanism that allows determination of properties that relate to defect detection in subject systems, and a set of software support tools.

John Knight, Jonathan Rowanhill, M. Anthony Aiello, Kimberly Wasson

An Approach to Assure Dependability Through ArchiMate

This paper describes a method to create assurance cases for the Open Dependability through Assuredness (O-DA) standard of The Open Group (TOG) based on ArchiMate. ArchiMate provides Enterprise Architecture (EA) models to describe Business, Application and Technology Architectures. Although O-DA shows the necessity of agreeing on the assuredness of EA using assurance cases, O-DA does not mention how to create assurance cases for EA. In this paper, an assurance case pattern is proposed to argue the assuredness for these three kinds of architectures modelled by ArchiMate.

Shuichiro Yamamoto

Tool Support for Assurance Case Building Blocks

Providing a Helping Hand with CAE

This paper presents a tool for structuring arguments in assurance cases. The tool is designed to support the methodology of Claims-Arguments-Evidence (CAE) Building Blocks that provides a series of archetypal CAE fragments to help structure cases more formally and systematically. It assists with the development and maintenance of structured assurance cases by providing facilities to manage CAE blocks and partially automate the generation of claim structures. In addition to the tool, new visual guidelines called “Helping hand” are provided to assist in applying the building blocks. The tool has been implemented on the Adelard ASCE platform. The target users are assurance case developers and reviewers. The tool and associated methodology can also be useful for people learning how to structure cases in a more rigorous and systematic manner.

Kateryna Netkachova, Oleksandr Netkachov, Robin Bloomfield

Safety.Lab: Model-Based Domain Specific Tooling for Safety Argumentation

Assurance cases capture the argumentation that a system is safe by putting together pieces of evidence at different levels of abstraction and of different nature. Managing the interdependencies between these artefacts lies at the heart of any safety argument. Keeping the assurance case complete and consistent with the system is a manual and very resource-consuming process. Current tools do not address these challenges in constructing and maintaining safety arguments. In this paper we present a tooling prototype called Safety.Lab which features rich and deeply integrated models to describe requirements, hazard lists, fault trees and architecture. We show how Safety.Lab opens opportunities to automate completeness and consistency checks for safety argumentation.

Daniel Ratiu, Marc Zeller, Lennart Killian

A Safety Condition Monitoring System

In any safety argument, belief in the top-level goal depends upon a variety of assumptions that derive from the system development process, the operating context, and the system itself. If an assumption is false or becomes false at any point during the lifecycle, the rationale for belief in the safety goal might be invalidated and the safety of the associated system compromised. Assurance that assumptions actually hold when they are supposed to is not guaranteed, and so monitoring of assumptions might be required. In this paper, we describe the Safety Condition Monitoring System, a system that permits comprehensive yet flexible monitoring of assumptions throughout the entire lifecycle together with an alert infrastructure that allows tailored responses to violations of assumptions. An emphasis of the paper is the approach used to run-time monitoring of assumptions derived from software where the software cannot be easily changed.

John Knight, Jonathan Rowanhill, Jian Xiang

Error Type Refinement for Assurance of Families of Platform-Based Systems

Medical Application Platforms (MAPs) are an emerging paradigm for developing interoperable medical systems. Existing assurance-related concepts for conventional medical devices including hazard analyses, risk management processes, and assurance cases need to be enhanced and reworked to deal with notions of interoperability, reuse, and compositionality in MAPs.

In this paper, we present the motivation for a framework for defining and refining error types associated with interoperable systems and its relevance to safety standards development activities. This framework forms the starting point for the analysis and documentation of faults, propagations of errors related to those faults, and their associated hazards and mitigation strategies—all of which need to be addressed in risk management activities and assurance cases for these systems.

Sam Procter, John Hatcliff, Sandy Weininger, Anura Fernando

EWICS/ERCIM/ARTEMIS Dependable Cyber-physical Systems and Systems-of-Systems Workshop (DECSoS 2015)


Qualitative and Quantitative Analysis of CFTs Taking Security Causes into Account

Component fault trees that contain safety basic events as well as security basic events cannot be analyzed like normal CFTs. Safety basic events are rated with probabilities in an interval [0,1]; for security basic events, simpler scales such as {low, medium, high} make more sense. In this paper, an approach is described for handling a quantitative safety analysis with different rating schemes for safety and security basic events. By doing so, it is possible to take security causes for safety failures into account and to rate their effect on system safety.

Max Steiner, Peter Liggesmeyer

Sequential Logic for State/Event Fault Trees: A Methodology to Support the Failure Modeling of Cyber Physical Systems

Society is nowadays increasingly controlled through embedded systems. The certification process of such systems is often supported by tree-based approaches like fault trees. Nevertheless, these methodologies have some crucial drawbacks when it comes to dynamic systems. In standard fault tree analysis it is not possible to model dependent events or timing behavior. To deal with these disadvantages, state/event fault trees (SEFTs) were developed. However, this method is mainly restricted to academic problems due to its poor analysis procedures. To overcome this problem, this paper introduces a new qualitative analysis technique for SEFTs based on event sequences that can be identified from their reachability graphs. To analyze these sequences, an event sequence minimization schema similar to minimal cut sets of normal fault trees is proposed. Afterwards, a sequence algebra is used to further minimize these temporal expressions and transform them as far as possible into static ones.

Michael Roth, Peter Liggesmeyer

Towards a Framework for Alignment Between Automotive Safety and Security Standards

Modern automotive systems increasingly rely on software and network connectivity for new functions and features. Security of the software and communications of the on-board system of systems becomes a critical concern for the safety of new generation vehicles. Besides methods and tools, safety and security of automotive systems requires frameworks of standards for holistic process and assurance. As a part of our ongoing work, this paper investigates the possibility of a combined safety and security approach to standards in the automotive domain. We examine existing approaches in the railway and avionics domain with similar challenges and identify specific requirements for the automotive domain. We evaluate ISO 15408 as a potential candidate for a combined safety and security approach for complementing automotive safety standard ISO 26262, and discuss their points of alignment.

Christoph Schmittner, Zhendong Ma

Reconfiguration Testing for Cooperating Autonomous Agents

In order to verify reconfiguration of interacting autonomous agents to be exclusively beneficial and never hazardous to cyber-physical systems, this article suggests a systematic approach based on incremental model-based testing and illustrates its application to cooperating mobile robots.

Francesca Saglietti, Stefan Winzinger, Raimar Lill

A Motion Certification Concept to Evaluate Operational Safety and Optimizing Operating Parameters at Runtime

For technical systems, which perform highly automated or so-called autonomous actions, there exist a large demand to evaluate their operational safety in a uniform way at runtime based on the combination of environmental threats and the conditions of subordinated system modules. To guarantee a safe motion based on autonomous decisions we have introduced a universal and transparent certification process which not only takes functional aspects like environment detection and collision avoidance techniques into account but especially identifies the associated system condition itself as a key aspect for the determination of operational safety and for an automated optimization of operating parameters. Similar to a feedback loop possible constraints for environment perception of sensor components or the ability of actuator components to interact with their environment have to be taken into account to introduce a generalized safety evaluation for the entire system. Therefore, a model is derived to evaluate the operational safety for the autonomous driving robot RAVON from TU Kaiserslautern based on an integrated behavior-based control (IB



Sebastian Müller, Peter Liggesmeyer

Approach for Demonstrating Safety for a Collision Avoidance System

For many years, the Digital Safety and Security Department of the Austrian Institute of Technology has been developing stereo vision algorithms for various application purposes. Recently, these algorithms have been adapted for use in a collision avoidance system for tramways. The safety validation of such a system is a specific challenge as - like in the automotive domain - the rate of false positives cannot be lowered to zero. While automotive suppliers typically tackle this problem by reducing the sensitivity of the system and validating it in hundreds of thousands of test kilometres, this paper presents an approach showing how it is possible to demonstrate safety with a carefully chosen functionality and fewer field test kilometres.

Thomas Gruber, Christian Zinner

Contract Modeling and Verification with FormalSpecs Verifier Tool-Suite - Application to Ansaldo STS Rapid Transit Metro System Use Case

Motivated by the emergent research on mixed techniques of analysis and testing, we focus our attention on producing analysis results that can efficiently reduce the effort in testing a modern metro system. In particular, we promote contract-based design to formalize requirements and support different kinds of analyses on hazards, coverage and signal independency. This work is carried out on the following three different levels: at the application level, the system under development is specified and modeled by the experts of the railway industrial domain; at the methodology level, the contract-based paradigm was adopted to join the application requirements with a rigorous formal view necessary for enabling an automated verification process; at the machinery level, the utilization of the FSV tool suite for aiding the design represents a twofold gain for its developers since, first, it provides a new occasion to validate and improve their technology for automatic analyses and, second, it lets them identify the analysis technique of the equivalent model checking, to match the industrial need in reducing the effort of testing.

Marco Carloni, Orlando Ferrante, Alberto Ferrari, Gianpaolo Massaroli, Antonio Orazzo, Luigi Velardi

Towards Verification of Multicore Motor-Drive Controllers in Aerospace

It is a known fact that development of models at the design stage of a product constitutes a highly important step, providing early evidence of error absence for the proposed artifact. Meanwhile, advances in the embedded systems domain push for rapid architecture product changes based on current state-of-the-art solutions. Multicore systems have exhibited enormous benefits due to parallelization of task execution, increasing availability of resources in multiple domains such as the automotive and telecommunication. Such a premise creates the need to invest in new verification methodologies that will re-assure the safe and efficient transition to new solutions like multicores, especially in the demanding aerospace world. In this paper we describe current challenges and trends in the development of safe and efficient methods for power controllers' verification in multicore-based hardware platforms, such as motor-drive applications. We outline current industrial practices and describe common toolsets, workflows and techniques used in the aerospace domain. Then our discussion focuses on formal verification techniques that could provide efficient solutions for verifying power control algorithms in aerospace applications. We conclude with remarks about an ongoing verification effort for power control of a multicore-based motor drive towards producing certification evidence.

Stylianos Basagiannis, Francisco Gonzalez-Espin

FlexRay Robustness Testing Contributing to Automated Safety Certification

Software development work flows for safety relevant software require that each artefact is tested by at least one test case. An automatic overnight test case execution process supplying the newest results every morning makes this time-consuming process more efficient.

This paper describes a tool framework consisting of the BusScope, the TCBP (Test Case Batch Processor) and WEFACT (Workflow Engine For Analysis, Certification and Test). It manages all necessary steps: initialization of the test objects, execution of the test cases by applying test patterns and test evaluation to find the test verdict - Passed or Failed. It supports automation of the certification process by managing requirements and collecting evidences for the safety case.

A demonstrator, a steering actuator of a steer-by-wire application with redundant components, implemented on a real hardware and software platform, shows the proposed fully automated test case execution.

The demonstrator was developed in the EU-funded research project SafeCer (Research partly funded by ARTEMIS-JU Call 2011 project no. 295373 (nSafeCer)).

Erwin Kristen, Egbert Althammer

Towards Perfectly Scalable Real-Time Systems

Verification and Validation (V&V) systems used in automotive engineering typically face two potentially contradicting design constraints: real-time capability versus scalability. While there has been substantial research on deterministic timing behavior [1, 2], the software of such systems is usually designed statically to satisfy requirements available at design time only. If those requirements change due to new V&V applications, a complete redesign might be necessary. This paper suggests a design methodology and architecture as a step towards perfectly scalable real-time systems, i.e. systems with deterministic timing behavior and the ability to be structurally modified even at run-time, including the ability to add, re-configure, re-connect or remove existing components without affecting timing correctness of the remaining system. A component model is introduced which allows easy extraction of signal dependencies of software components instantiated by the run-time system, as well as automatic control and management of changes in system composition. As an additional benefit, modularization allows component isolation equivalent to the sandboxing of modern general purpose operating systems, thus improving system robustness. We conclude with an outlook on how to extend scalability from multi-core to many-core hardware platforms.

Peter Priller, Werner Gruber, Niklas Olberding, Dietmar Peinsipp

Dependable Cyber-Physical Systems with Redundant Consumer Single-Board Linux Computers

There are a large number of small and inexpensive single-board computers with Linux operating systems available on the market today. Most of these aim for the consumer and enthusiast market, but can also be used in research and commercial applications. This paper builds on several years of experience with using such computers in student projects, as well as the development of cyber-physical and embedded control systems. A summary of the properties that are key for dependability for selected boards is given in tabulated form. These boards have interesting properties for many embedded and cyber-physical systems, e.g. high performance, small size and low cost. The use of Linux as operating system means a development environment that is familiar to many developers, and the availability of many libraries and applications. While not suitable for applications where formally proven dependability is necessary, we argue that by actively mitigating some of the potential problems identified in this paper such computers can be used in many applications where high dependability is desirable, especially in combination with low cost. A solution with redundant single-board computers is presented as a strategy for achieving high dependability. Due to the low cost and small size, this is feasible for applications where redundancy traditionally would be prohibitively large or costly.

Øyvind Netland, Amund Skavhaug

International workshop on the Integration of Safety and Security Engineering (ISSE 2015)


A Combined Safety-Hazards and Security-Threat Analysis Method for Automotive Systems

Safety and Security appear to be two contradicting overall system features. Traditionally, these two features have been treated separately, but due to increasing awareness of mutual impacts, cross domain knowledge becomes more important. Due to the increasing interlacing of automotive systems with networks (such as Car2X), it is no longer acceptable to assume that safety-critical systems are immune to security risks and vice versa.

This paper presents the application and method description of a novel approach for combined safety hazard and security threat analysis. In this paper we present a detailed description of the SAHARA method and an application of this method to an automotive system. We analyze the impact of this novel method and highlight the impacts of security threats on safety targets of the system. The paper describes the experiences gained in applying the method and how the safety-critical contribution of successful security attacks can be quantified.

Georg Macher, Andrea Höller, Harald Sporer, Eric Armengaud, Christian Kreiner

Safety and Security Assessment of Behavioral Properties Using Alloy

In this paper, we propose a formal approach to supporting safety and security engineering, in the spirit of Model-Based Safety Assessment, using the Alloy language. We first implement a system modeling framework, called Coy, which allows modeling system architectures and their behavior with respect to component failures. Then we illustrate the use of Coy by defining a fire detection system example and analyzing some safety and security requirements. An interesting aspect of this approach lies in the “declarative” style provided by Alloy, which allows the lean specification of both the model and its properties.

Julien Brunel, David Chemouil

Combining MILS with Contract-Based Design for Safety and Security Requirements

The distributed MILS (D-MILS) approach to high-assurance systems is based on an architecture-driven end-to-end methodology that encompasses techniques and tools for modeling the system architecture, contract-based analysis of the architecture, automatic configuration of the platform, and assurance case generation from patterns. Following the MILS (“MILS” was originally an acronym for “Multiple Independent Levels of Security”. Today, we use “MILS” as a proper name for an architectural approach and an implementation framework, promulgated by a community of interested parties, and elaborated by ongoing MILS research and development efforts.) paradigm, the architecture is pivotal to define the security policy that is to be enforced by the platform, and to design safety mechanisms such as redundancies or failure monitoring. In D-MILS we enriched these security guarantees with formal reasoning to show that the global system requirements are met provided local policies are guaranteed by application components. We consider both safety-related and security-related requirements and we analyze the decomposition also taking into account the possibility of component failures. In this paper, we give an overview of our approach and we exemplify the architecture-driven paradigm for design and verification with an example of a fail-secure design pattern.

Alessandro Cimatti, Rance DeLong, Davide Marcantonio, Stefano Tonetta

Security Analysis of Urban Railway Systems: The Need for a Cyber-Physical Perspective

Urban railway systems are increasingly relying on information and communications technologies (ICT). This evolution makes cybersecurity an important concern, in addition to the traditional focus on reliability, availability, maintainability and safety. In this paper, we examine two examples of cyber-intensive systems in urban railway environments—a communications-based train control system, and a mobile app that provides transit information to commuters—and use them to study the challenges for conducting security analysis in this domain. We show the need for a cyber-physical perspective in order to understand the cross-domain attack/defense and the complicated physical consequence of cyber breaches. We present security analysis results from two different methods that are used in the safety and ICT security engineering domains respectively, and use them as concrete references to discuss the way to move forward.

Binbin Chen, Christoph Schmittner, Zhendong Ma, William G. Temple, Xinshu Dong, Douglas L. Jones, William H. Sanders

Sequential and Parallel Attack Tree Modelling

The intricacy of socio-technical systems requires a careful planning and utilisation of security resources to ensure uninterrupted, secure and reliable services. Even though many studies have been conducted to understand and model the behaviour of a potential attacker, the detection of crucial security vulnerabilities in such a system still provides a substantial challenge for security engineers. The success of a sophisticated attack crucially depends on two factors: the resources and time available to the attacker; and the stepwise execution of interrelated attack steps. This paper presents an extension of dynamic attack tree models by using both, the sequential and parallel behaviour of AND and OR-gates. Thereby we take great care to allow the modelling of any kind of temporal and stochastic dependencies which might occur in the model. We demonstrate the applicability on several case studies.

Florian Arnold, Dennis Guck, Rajesh Kumar, Mariële Stoelinga

International Workshop on Reliability and Security Aspects for Critical Infrastructure Protection (ReSA4CI 2015)


Analysis of Companies Gaps in the Application of Standards for Safety-Critical Software

The introduction of a new standard for safety-critical systems in a company usually requires investments in training and tools to achieve a deep understanding of the processes, the techniques and the required technological support. In general, for a new standard that is desired to be introduced, it is both relevant and challenging to rate the capability of the company to apply the standard, and consequently to estimate the effort in its adoption. Additionally, questions on the maturity in the application of such standard may still persist for a long time after its introduction. Focusing on prescriptive software standards for critical systems, this paper presents a framework for gap analysis that measures the compliance of a company’s practices, knowledge and skills with the requirements of a standard for the development of safety-critical systems. The framework is exercised in a company to rate its maturity in the usage of the avionic standard DO-178B.

Andrea Ceccarelli, Nuno Silva

Simulative Evaluation of Security Attacks in Networked Critical Infrastructures

ICT is becoming a fundamental and pervasive component of critical infrastructures (CIs). Despite the advantages that it brings about, ICT also exposes CIs to a number of security attacks that can severely compromise human safety, service availability and business interests. Although it is vital to ensure an adequate level of security, it is practically infeasible to counteract all possible attacks to the maximum extent. Thus, it is important to understand attacks' impact and rank attacks according to their severity. We propose SEA++, a tool for simulative evaluation of attack impact based on the INET framework and the OMNeT++ platform. Rather than actually executing attacks, SEA++ reproduces their effects and allows quantitative evaluation of their impact. The user describes attacks through a high-level description language and simulates their effects without any modification to the simulation platform. We show SEA++ capabilities referring to different attacks carried out against a traffic light system.

Marco Tiloca, Francesco Racciatti, Gianluca Dini

Optimization of Reconfiguration Mechanisms in Critical Infrastructures

Recently, the protection of critical infrastructures became a core problem due to their importance in everyday life and the attacks that may affect these systems. In order to ensure the safety and the efficient operation of such systems, a method together with an integrated framework is proposed to solve the problem of delivering a system with cost-optimal operation by reconfiguration. Reconfiguration is possible via redundant structures of crucial resources, while optimization aims at the minimization of the cost of the reconfiguration and the operational cost of the modified system. The method is illustrated by a SCADA control system case study.

Szilvia Varró-Gyapay, Dániel László Magyar, Melinda Kocsis-Magyar, Katalin Tasi, Attila Hoangthanh Dinh, Ágota Bausz, László Gönczy

How to Use Mobile Communication in Critical Infrastructures: A Dependability Analysis

Critical infrastructures, like the future power grid, rely strongly on a reliable communication infrastructure. Mobile communication seems an attractive candidate, as the entry costs are low and, provided the coverage, the new devices have immediate communication access upon installation. However, considering the long time-frame of this investment, it is important to think about the constraints in mobile networks and also potential challenges waiting in the future. In this study, which is based on the situation in Norway, we discuss four important future challenges: policy change, contract change, change of Quality of Service and network failure. We show that a clever use of mobile communication like multihoming or using a mobile virtual network operator may meet the challenges. In the second part, we quantify the availability of the different mobile communication usages with the help of analytical models and show that already a small increase of additional battery capacity in the mobile network improves the availability significantly.

Jonas Wäfler, Poul E. Heegaard

Using Structured Assurance Case Approach to Analyse Security and Reliability of Critical Infrastructures

The evaluation of the security, reliability and resilience of critical infrastructures (CI) faces a wide range of challenges ranging from the scale and tempo of attacks to the need to address complex and interdependent systems of systems. Model-based approaches and probabilistic design are fundamental to the evaluation of CI and we need to know whether we can trust these models. This paper presents an approach we are developing to justify the models used to assure CI using structured assurance cases based on Claims, Arguments and Evidence (CAE). The modelling and quantitative evaluation of the properties are supported by the Preliminary Interdependency Analysis (PIA) method and platform applied to a case study – a reference power transmission network enhanced with an industrial distributed system of monitoring, protection and control. We discuss the usefulness of the modelling and assurance case structuring approaches, some findings from the case study, and outline the directions of further work.

Kateryna Netkachova, Robin Bloomfield, Peter Popov, Oleksandr Netkachov

International Workshop on Next Generation of System Assurance Approaches for Safety-Critical Systems (SASSUR-2015)

Multidirectional Modular Conditional Safety Certificates

Over the last 20 years, embedded systems have evolved from closed, rather static single-application systems towards open, flexible, multi-application systems of systems. While this is a blessing from an application perspective, it certainly is a curse from a safety engineering perspective as it invalidates the base assumptions of established engineering methodologies. Due to the combinatorial complexity and the amount of uncertainty encountered in the analysis of such systems, we believe that more potent modular safety approaches coupled with adequate runtime checks are required. In this paper, we investigate the possibility of an integrated contract-based approach covering vertical dependencies (between platform and application) and horizontal dependencies (between applications) in order to efficiently assure the safety of the whole system of systems through modularization. We integrate both concepts using state-of-the-art research and showcase the application of the integrated approach based on a small industrial case study.

Tiago Amorim, Alejandra Ruiz, Christoph Dropmann, Daniel Schneider

Approaches for Software Verification of An Emergency Recovery System for Micro Air Vehicles

This paper describes the development and verification of a competitive parachute system for Micro Air Vehicles, in particular focusing on verification of the embedded software. We first introduce the overall solution including a system level failure analysis, and then show how we minimized the influence of faulty software. This paper demonstrates that with careful abstraction and little overapproximation, the entire code running on a microprocessor can be verified using bounded model checking, and that this is a useful approach for resource-constrained embedded systems. The resulting Emergency Recovery System is to our best knowledge the first of its kind that passed formal verification, and furthermore is superior to all other existing solutions (including commercially available ones) from an operational point of view.

Martin Becker, Markus Neumair, Alexander Söhn, Samarjit Chakraborty

The Role of CM in Agile Development of Safety-Critical Software

Agile development is increasingly used, also in the development of safety-critical software. For the sake of certification, it is necessary to comply with relevant standards – in this case IEC 61508 and EN 50128. In this paper we focus on two aspects of the need for configuration management and SafeScrum. First and foremost we need to adapt SafeScrum to the standards’ needs for configuration management. We show that this can be achieved by relatively simple amendments to SafeScrum. In addition – in order to keep up with a rapidly changing set of development paradigms – it is necessary to move the standards’ requirements in a goal-based direction: more focus on what and less focus on how.

Tor Stålhane, Thor Myklebust

Is Current Incremental Safety Assurance Sound?

Incremental design is an essential part of engineering. Without it, engineering would not likely be an economic, nor an effective, aid to economic progress. Further, engineering relies on this view of incrementality to retain the reliability attributes of the engineering method. When considering the assurance of safety for such artifacts, it is not surprising that the same economic and reliability arguments are deployed to justify an incremental approach to safety assurance. In a sense, it is possible to argue that, with engineering artifacts becoming more and more complex, it would be economically disastrous to not “do” safety incrementally. Indeed, many enterprises use such an incremental approach, reusing safety artifacts when assuring incremental design changes. In this work, we make some observations about the inadequacy of this trend and suggest that safety practices must be rethought if incremental safety approaches are ever going to be fit for purpose. We present some examples to justify our position and comment on what a more adequate approach to incremental safety assurance may look like.

V. Cassano, S. Grigorova, N. K. Singh, M. Adedjouma, M. Lawford, T. S. E. Maibaum, A. Wassyng

Dependability Arguments Supported by Fuzz-Testing

Today’s situation in operating theaters is characterized by many different devices from various manufacturers. Missing standards for device intercommunication mean that inter-device communication in most cases is either difficult or even impossible. A system-oriented approach with networked devices is envisioned to improve this heterogeneous situation. Every device in the operating theater shall be able to interchange data with every other device in the network. Even remote control of other devices shall be possible. Therefore, concepts for safe and secure dynamic networking of components in operating theaters and hospitals have to be provided. This paper will show methods to test such systems of systems and provide a way to increase the robustness of the interfaces. This will be part of the evidence described in multidimensional dependability arguments provided to certification authorities.

Uwe Becker
