
2010 | Book

Computer Safety, Reliability, and Security

29th International Conference, SAFECOMP 2010, Vienna, Austria, September 14-17, 2010. Proceedings


About this book

Computers and microprocessors are indispensable in modern technical systems, their deployment spanning the domains automotive, railway, aerospace, and transportation, security, energy supply, telecommunication, critical infrastructures and process industries. They perform tasks that a few decades ago were very difficult if not impossible. As they perform these tasks with increasing efficiency, more and more tasks are shifted from hardware to software, which means that the dependability of computer systems becomes crucial for the safety, security and reliability of technical systems. With the so-called “embedded systems” (becoming more and more intelligent, networked and co-operating with each other, with humans and the environment) computers have invaded all aspects of daily life. New paradigms have arisen, like ubiquitous computing, systems-of-systems, energy and resource awareness, enormous complexity issues and the like, requiring a more holistic systems view as well. So, after 31 years of SAFECOMP, the emphasis of the 29th event is on critical embedded systems, which are almost omnipresent. Their impact on our lives, risks and challenges are often not well understood (underestimated or exaggerated). The primary issue is to cope with complexity, new failure modes and resource management, due to shrinking feature size, multi-core systems and management of multiple variants, while maintaining dependability properties and robustness.

Table of contents

Frontmatter

Session 1

System Analysis

Reliability Analysis of Safety-Related Communication Architectures

In this paper we describe a novel concept for reliability analysis of communication architectures in safety-critical systems. This concept has been motivated by applications in the railway control systems domain, where transitions into stable safe state are usually considered as undesired events because they cause a severe deterioration of the service reliability expected by end users. We introduce a domain-specific language for modelling communication architectures, the protocols involved and the fault hypotheses about anticipated deviations of communication channels and possibly other components from expected behaviour. From such model, a generator creates mutant models associated with probability formulae expressing each mutant’s probability of occurrence. Each mutant is analysed with respect to its unreliability, that is, whether it contains paths leading into stable safe state. Then the system reliability can be conservatively estimated by calculating an upper bound of the probability for the system to perform a transition into stable safe state within a given operational period. Our approach deliberately refrains from utilising probabilistic model checking, in order to avoid the state space explosions typically occurring when considering all possible erroneous behaviours within a single model. Instead, we analyse many different models, each only containing a restricted variant of deviations, which leads to faster evaluation times. In addition, several models can be evaluated in parallel in a distributed multi-core environment.

Oliver Schulz, Jan Peleska
A Novel HAZOP Study Approach in the RAMS Analysis of a Therapeutic Robot for Disabled Children

In the EU project IROMEC (Interactive RObotic social MEdiators as Companions) a consortium of eight multidisciplinary partners has developed a new therapeutic robotic system for children. It is composed of a mobile base platform with obstacle detection sensors and a so-called application module with a head and movable arms. The embedded controller is programmed for various play scenarios like following a child or dancing. The system is intended to help children with minor motor disabilities or communication deficiencies like for instance autism, who are thereby expected to overcome their shortcomings. It is evident that an autonomous robot represents a potential hazard to its surrounding, in particular to handicapped children who cannot be assumed to react properly in the presence of an autonomously moving robot. Therefore, a RAMS analysis with emphasis on safety issues was performed with special respect to this specific therapeutic situation. This paper describes the methods used and the results found by applying a holistic HAZOP study with a novel two-fold approach to this specific case of a robotic system.

Petr Böhm, Thomas Gruber
Variability Management of Safety and Reliability Models: An Intermediate Model towards Systematic Reuse of Component Fault Trees

Reuse of fault trees helps in reducing costs and effort when conducting Fault Tree Analyses (FTAs) for a set of similar systems. Some approaches have been proposed for the systematic reuse of fault trees along with the development of a product line of systems. Nevertheless, these approaches are no longer effective when FTAs are performed after systems have been put into operation. This is mainly due to the lack of product line information required to make fault trees reusable. The model proposed in this paper is a step towards systematically reusing fault trees in the aforementioned context. It acts as an intermediate model between the specification of a system and its corresponding Component Fault Tree (CFT). In particular, it abstracts from the implementation details of a CFT, allowing the integration of the variability inherent in product line systems as well as the variability obtained from performing fault tree analyses incrementally over time. The model is part of a systematic reuse approach.

Carolina Gómez, Peter Liggesmeyer, Ariane Sutor
QoS Analysis of Weighted Multi-state Probabilistic Networks via Decision Diagrams

Network reliability analysis is usually carried out under the simplified hypothesis that the elements of the network are binary entities that can be in one of two mutually exclusive states, perfect functioning or failed. The present paper enlarges this view from two points of view. The elements of the networks are described by multiple states that can represent a variety of different situations, like degradation levels or multiple failure modes. Furthermore, in order to increase the description power of the model, we assign to each state a weight describing a performance attribute of the element in that state. The weights may assume different physical meanings so that different Quality of Service (QoS) indicators may be evaluated. We show that the QoS analysis of a multi-state weighted probabilistic network can be performed by resorting to data structures called Multi-valued Decision Diagrams. Several examples illustrate the methodology.

Roberta Terruggia, Andrea Bobbio

Session 2

Safety Cases and Certification

Comparison between IEC 60880 and IEC 61508 for Certification Purposes in the Nuclear Domain

In the nuclear domain, regulators have strict requirements for safety-critical software. In this paper requirements in three documents (two software standards and the Common Position of nuclear domain regulators) were compared. The aim of the work was to find out how these requirements compare to each other in terms of strictness and scope, and to evaluate the usefulness of the documents for certification purposes. Another goal was to determine whether it is possible to choose only one of the standards as the basis of software certification. The nuclear domain software standard IEC 60880 provides requirements for the purpose of achieving highly reliable software. The standard is similar to part 3 of the IEC 61508 standard in the sense that it covers requirements for all software lifecycle activities. The Common Position document “Licensing of safety critical software for nuclear reactors” states the requirements from the perspective of European nuclear regulators. The comparison was twofold. First, the absolute ‘shall’ requirements of a few key themes were extracted from all three documents. The strictness of these requirements was analyzed against each other. Second, to evaluate the documents’ usefulness for certification, the extent to which these themes were covered by each document was analyzed by expert judgment. The main result was that the use of IEC 60880 alone is not sufficient for software certification.

Jussi Lahtinen, Mika Johansson, Jukka Ranta, Hannu Harju, Risto Nevalainen
Deriving Safety Cases for Hierarchical Structure in Model-Based Development

Model-based development and automated code generation are increasingly used for actual production code, in particular in mathematical and engineering domains. However, since code generators are typically not qualified, there is no guarantee that their output satisfies the system requirements, or is even safe. Here we present an approach to systematically derive safety cases that argue along the hierarchical structure in model-based development. The safety cases are constructed mechanically using a formal analysis, based on automated theorem proving, of the automatically generated code. The analysis recovers the model structure and component hierarchy from the code, providing independent assurance of both code and model. It identifies how the given system safety requirements are broken down into component requirements, and where they are ultimately established, thus establishing a hierarchy of requirements that is aligned with the hierarchical model structure. The derived safety cases reflect the results of the analysis, and provide a high-level argument that traces the requirements on the model via the inferred model structure to the code. We illustrate our approach on flight code generated from hierarchical Simulink models by Real-Time Workshop.

Nurlida Basir, Ewen Denney, Bernd Fischer
Assurance of Automotive Safety – A Safety Case Approach

A safety case should provide a clear, comprehensible and defensible argument, supported by evidence, that a system is acceptably safe to operate in a particular environment. This approach is not new. For example, in the nuclear industry, safety cases are approaching their 50th birthday. In stark contrast, the automotive industry has never been required to produce a safety case. Instead, it has relied on compliance with extensive regional and national regulation. With the imminent introduction of the automotive safety standard ISO 26262, the production of a safety case is now explicitly required by the standard for electrical and electronic systems. This presents both opportunities and challenges to safety practitioners and researchers within that industry. This paper sets out to look at the issues of what a safety case might look like for a complete vehicle and how the ISO 26262 fits into the existing framework of automotive safety. Using the ideas of modular safety case construction, this approach is developed into a number of reusable safety arguments to form an automotive safety case pattern catalogue. Evaluation of the approach is carried out through an industrial case study.

Robert Palin, Ibrahim Habli
How to “Survive” a Safety Case According to ISO 26262

Modern road vehicles are equipped with driver assistance systems which support the safety of the vehicle in case of driver inattention. Ford is currently designing Lane Assistance functions which warn the driver haptically when leaving the lane or even generate a steering torque which brings the vehicle back into lane. The overlay of a steering torque includes the risk that an incorrectly performed function could lead to a safety issue. The ISO 26262 standard describes the process which has to be applied from a safety point of view. As with most standards, the execution of the rules as laid down leaves room for interpretation and implementation which needs to be resolved in order to have a closed process. Another trap which has been identified as crucial is the level of detail. Too high a level of detail carries the risk that the overview might get lost, whereas too low a level of detail carries the risk that safety issues might be overlooked.

Ford, in conjunction with SystemA Engineering, has applied practical tools and methods which support the safety process according to ISO 26262. The safety steps and methods PHA, Safety Concept, FTA, FMDEA, Safety Requirements, as well as Validation and Verification are applied as an integrated approach which forms a part of the overall Ford development process. Practical experience has driven the methods and the interfaces between the various methods as well as the level of detail necessary for the safety case. This paper and the presentation will show a practical example of how a great portion of the ISO 26262 safety case can be developed, documented, evaluated and managed without losing the overall picture. The example will also cover interfaces between different disciplines as well as between OEM and supplier.

Torsten Dittel, Hans-Jörg Aryus

Session 3

Aerospace

Benchmarking Software Requirements Documentation for Space Application

Poorly written requirements are a common source of software defects. In application areas like space systems, the cost of malfunctioning software can be very high. Thus, assessing the quality of software requirements before coding is of utmost importance. This work proposes a systematic procedure for assessing software requirements for space systems that adopt the European Cooperation for Space Standardization (ECSS) standards. The main goal is to provide a low-cost, easy-to-use benchmarking procedure that can be applied during the software requirements review to guarantee that the requirements specifications comply with the ECSS standards. The benchmark includes two checklists that are composed of a set of questions to be applied to the requirements specification. It was applied to the software requirements specification for one of the services described in the ECSS Packet Utilization Standard (PUS). Results show that the proposed benchmark allows finding more with a low effort.

Paulo C. Véras, Emilia Villani, Ana Maria Ambrósio, Rodrigo P. Pontes, Marco Vieira, Henrique Madeira
Verifying Mode Consistency for On-Board Satellite Software

Space satellites are examples of complex embedded systems. Dynamic behaviour of such systems is typically described in terms of operational modes that correspond to the different stages of a mission and states of the components. Components are susceptible to various faults that complicate the mode transition scheme. Yet the success of a mission depends on the correct implementation of mode changes. In this paper we propose a formal approach that ensures consistency of mode changes while developing a system architecture by refinement. The approach relies on recursive application of modelling and refinement patterns that enforce correctness while implementing the mode transition scheme. The proposed approach is exemplified by the development of an Attitude and Orbit Control System undertaken within the ICT DEPLOY project.

Alexei Iliasov, Elena Troubitsyna, Linas Laibinis, Alexander Romanovsky, Kimmo Varpaaniemi, Pauli Väisänen, Dubravka Ilic, Timo Latvala
Computational Concerns in the Integration of Unmanned Airborne Systems into Controlled Airspace

Unmanned Airborne Systems (UAS) offer significant benefits for long duration missions. They can also be used in situations where it is inappropriate to expose aircrew to increased levels of risk. Partly in consequence, they continue to experience accident rates that are significantly higher than those for most conventional aircraft. It can also be argued that increased mishap rates are due to lower standards of design and maintenance. UAS are, therefore, largely confined to segregated areas that are well away from other airspace users. There are growing commercial and political pressures for them to be integrated into airspace that is directly under the control of air traffic management. Police agencies would like to deploy miniature UAS in populated areas, for example, to augment conventional helicopter operations. There are proposals to operate unmanned freight operations from existing airports. Longer-term proposals include the use of UAS technology to replace the co-pilot. Automated systems might intervene only if the single human pilot is incapacitated. The following pages focus on the computational issues that form one part of a wider set of ‘system safety’ concerns that must be addressed before UAS operations can be integrated into controlled airspace.

Christopher W. Johnson

Session 4

Error Detection

Residual Error Probability of Embedded CRC by Stochastic Automata

Cyclic Redundancy Check (CRC) is an approved coding technique to detect errors in industrial communication. Using a checksum calculated with the help of a generator polynomial, CRC guarantees a low probability of undetected errors (residual error probability, P_re). The choice of an appropriate polynomial has significant impact on the quality of error detection. Since CRC itself is very efficient, it is obvious to embed safety-critical data protected by an additional CRC into the net data protected by the original CRC in order to increase the error detection of the safety-critical data. The paper introduces a method to determine the corresponding P_re by means of stochastic automata. Using the example of the fieldbus PROFIBUS-PA as embedding communication protocol, polynomials for the additional CRC were analyzed. As a result, the impact of generator polynomials in the additional CRC on the P_re as well as the improvement of the error detection capabilities is shown.

Frank Schiller, Tina Mattes
ANB- and ANBDmem-Encoding: Detecting Hardware Errors in Software

It is expected that commodity hardware is becoming less reliable because of the continuously decreasing feature sizes of integrated circuits. Nevertheless, more and more commodity hardware with insufficient error detection is used in critical applications. One possible solution is to detect hardware errors in software using arithmetic AN-codes. These codes detect hardware errors independent of the actual failure modes of the underlying hardware. However, measurements have shown that AN-codes still exhibit large rates of undetected silent data corruptions (SDC). These high rates of undetected SDCs are caused by the insufficient protection of control and data flow through AN-codes. In contrast, ANB- and ANBD-codes promise much higher error detection rates because they also detect errors in control and data flow. We present our encoding compiler that automatically applies either an AN-, ANB- or ANBD-code to an application. Our error injections show that AN-, ANB-, and ANBD-codes successfully detect errors and, more importantly, that ANB- and ANBD-codes indeed reduce the SDC rate more effectively than AN-codes. The difference between ANBD- and ANB-codes is also visible but less pronounced.

Ute Schiffel, André Schmitt, Martin Süßkraut, Christof Fetzer

Session 5

Validation and Verification

Field Test Methods for a Co-operative Integrated Traffic Management System

The European Project COOPERS (Co-operative Networks for Intelligent Road Safety) aims at developing co-operative systems based on innovative telematics solutions to increase road safety. In the COOPERS approach, co-operative traffic management is implemented by using intelligent services interfacing vehicles, drivers, road infrastructure and operators. These services, which involve various types of embedded systems and wireless communication channels, are finally demonstrated in six European countries and evaluated with respect to their influence on driver behaviour and road safety. This scientific investigation requires good system reliability as well as accurate and deterministic system behaviour. The required system properties, including quantitative tolerance limits for temporal and spatial behaviour of the system, were specified as generic requirements in an early phase of the project. Before the final demonstrations, these requirements were verified, including statistical evaluations regarding the degree of fulfilment of single quantitative requirements. This paper presents the test bench and the test methods for validating this complex distributed real-time system. It explains how time synchronisation between the subsystems was handled and how the potential safety-criticality of the system was treated. It gives an insight into the values and parameters measured, and finally it presents some of the first results from the technical validation of COOPERS.

Thomas Gruber, Egbert Althammer, Erwin Schoitsch
100% Coverage for Safety-Critical Software – Efficient Testing by Static Analysis

Safety-critical embedded software is used more and more pervasively in the automotive, avionics and healthcare industries. Failures of such safety-critical embedded systems may cause high costs or even endanger human beings. Also for non-safety-critical applications, a software failure may necessitate expensive updates. Making sure that an application is working properly means addressing many different aspects. Development standards like DO-178B, IEC 61508 and the new revisions DO-178C, or ISO 26262 require identifying potential functional and non-functional hazards and demonstrating that the software does not violate the relevant safety goals.

For ensuring functional program properties automatic or model-based testing, and formal techniques like model checking become more and more widely used. For non-functional properties identifying a safe end-of-test criterion is a hard problem since failures usually occur in corner cases and full test coverage cannot be achieved. For some non-functional program properties this problem is solved by abstract interpretation-based static analysis techniques which provide full coverage and yield provably correct results. In this article we focus on static analyses of worst-case execution time, stack consumption, and runtime errors, which are increasingly adopted by industry in the validation and certification process for safety-critical software. We explain the underlying methodology and identify criteria for their successful application. The integration of static analyzers in the development process requires interfaces to other development tools, like code generators or scheduling tools. Using them for certification requires an appropriate tool qualification. We will address each of these topics and report on industrial experience.

Daniel Kästner, Reinhold Heckmann, Christian Ferdinand
MODIFI: A MODel-Implemented Fault Injection Tool

Fault injection is traditionally divided into simulation-based and physical techniques depending on whether faults are injected into hardware models, or into an actual physical system or prototype. Another classification is based on how fault injection mechanisms are implemented. Well known techniques are hardware-implemented fault injection (HIFI) and software-implemented fault injection (SWIFI). For safety analyses during model-based development, fault injection mechanisms can be added directly into models of hardware, models of software or models of systems. This approach is denoted by the authors as model-implemented fault injection. This paper presents the MODIFI (MODel-Implemented Fault Injection) tool. The tool is currently targeting behaviour models in Simulink. Fault models used by MODIFI are defined using XML according to a specific schema file and the fault injection algorithm uses the concept of minimal cut sets (MCS) generation. First, a user defined set of single faults are injected to see if the system is tolerant against single faults. Single faults leading to a failure, i.e. a safety requirement violation, are stored in a MCS list together with the corresponding counterexample. These faults are also removed from the fault space used for subsequent experiments. When all single faults have been injected, the effects of multiple faults are investigated, i.e. two or more faults are introduced at the same time. The complete list of MCS is finally used to automatically generate test cases for efficient fault injection on the target system.

Rickard Svenningsson, Jonny Vinter, Henrik Eriksson, Martin Törngren
Automated Test Coverage Measurement for Reactor Protection System Software Implemented in Function Block Diagram

We present FBDTestMeasurer, an automated test coverage measurement tool for function block diagram (FBD) programs, which are increasingly used in implementing safety critical systems such as nuclear reactor protection systems. We have defined new structural test coverage criteria for FBD programs in which the dataflow-centric characteristics of FBD programs are well reflected. Given an FBD program and a set of test cases, FBDTestMeasurer produces a test coverage score and uncovered test requirements with respect to the selected coverage criteria. Visual representation of uncovered data paths enables testers to easily identify which parts of the program need to be tested further. We found many aspects of the FBD logic that were not tested sufficiently when conducting a case study using test cases prepared by domain experts for reactor protection system software. Domain experts found this technique and tool highly intuitive and useful to measure the adequacy of FBD testing and generate additional test cases.

Eunkyoung Jee, Suin Kim, Sungdeok Cha, Insup Lee

Session 6

Testing

Overcoming Non-determinism in Testing Smart Devices: A Case Study

This paper presents a case study in “black-box” assessment of a “smart” device where, based only on the user manuals and the instrument itself, we try to build confidence in smart device reliability. To perform the black-box assessment, we developed a test environment which automates the generation of test data, their execution and interpretation of the results. The assessment was made more complex by the inherent non-determinism of the device. For example, non-determinism can arise due to inaccuracy in an analogue measurement made by the device when two alternative actions are possible depending on the measured value. This non-determinism makes it difficult to predict the output values that are expected from a test sequence of analogue input values. The paper presents two approaches to dealing with this difficulty: (1) based on avoidance of test values that could have multiple responses, (2) based on consideration of all possible interpretations of input data. To support the second approach we use advanced modelling and simulation techniques to predict all the likely interpretations and check whether any of them is observed at the smart device output.

Peter Bishop, Lukasz Cyra
Software Testing by People with Autism

Having a regular job is of great value for people with autism, but acquiring a regular job is not that easy. People with autism do not only face prejudices when applying for a job, they also have social impairments that make this process very difficult for them. Characteristics of people with autism are that they have an eye for detail and enjoy repetitive work. These characteristics are also characteristic of software testing, which seems to make people with autism highly suitable for software testing. Our research shows that people with autism possess the right qualities to become a test engineer. Companies employing people with autism acquire test engineers with the same level of skill as people without autism and additionally they also practice corporate social responsibility.

Suzanne Haanappel, Sjaak Brinkkemper

Session 7

Critical Infrastructure - Smart Grid

Information Flow Analysis of Energy Management in a Smart Grid

Information flow security within the context of multilevel security deals with ways to avoid unwanted information flow from a high level domain to a low level domain. Several confidentiality and information flow properties have been formalized in the literature. However, applying them to Cyber-Physical Systems (CPSs) adds to the challenge of protecting confidentiality. This paper performs an information flow analysis of a future power CPS that has complex information flow and confidentiality requirements. Confidentiality properties such as non-deducibility are applied to the infrastructure considered. The proposed approach provides a unique direction for formalizing information flow properties for such systems with inherent complexity and security requirements.

Ravi Akella, Bruce M. McMillin
Integrated Cyber-Physical Fault Injection for Reliability Analysis of the Smart Grid

The term “Smart Grid” broadly describes emerging power systems whose physical operation is managed by significant intelligence. The cyber infrastructure providing this intelligence is composed of power electronics devices that regulate the flow of power in the physical portion of the grid. Distributed software is used to determine the appropriate settings for these devices. Failures in the operation of the Smart Grid can occur due to malfunctions in physical or cyber (hardware or software) components.

This paper describes the use of fault injection in identifying failure scenarios for the Smart Grid. Software faults are injected to represent failures in the cyber infrastructure. Physical failures are concurrently represented, creating integrated cyber-physical failure scenarios that differentiate this work from related studies. The effect of these failure scenarios is studied in two cases: with and without fault detection in the distributed software. The paper concludes by utilizing the information gained to refine and improve the accuracy of the quantitative reliability model presented in our earlier work.

Ayman Faza, Sahra Sedigh, Bruce McMillin
A Metric for Measuring the Strength of Inter-dependencies

We propose a metric for the analysis and estimation of the inter-dependencies in networks of dynamic systems, formally defining the dependency among nodes and showing that the metric approximates the strength of the dependency. We propose a data driven metric based on known direct functional input/output relations among nodes, derived from the generic constitutive equations of the systems, giving a physical and rigorous meaning to the otherwise elusive word “dependency”. Our metric is also related to the input/output physical quantities, realizing a data driven approach that discards the internal node dynamics. This metric is particularly suited for the analysis of Critical Infrastructures (CI) where typically a number of input/output measurements are available. It is vital for these CI, represented as technological networks, to characterize and to measure the inter-dependencies among their components in order to avoid destructive phenomena such as cascading failures. The proposed metric is algorithmically simple and can be used as a real-time tool. It is also shown how this approach is suited to the analysis of large technological networks.

Silvia Ruzzante, Elisa Castorini, Elena Marchei, Vincenzo Fioriti

Session 8

Security and Safety

Security Analysis of Open Building Automation Systems

With the integration of security-critical services into Building Automation Systems (BAS), the demands on the underlying network technologies increase rapidly. Relying on physically isolated networks and on “Security by Obscurity”, as it is still common today, is by no means an adequate solution. To be reliable and robust against malicious manipulations, the used communication services must support advanced security mechanisms that counteract potential security threats. This paper identifies important security requirements and challenges within the building automation domain. Based on this analysis, state-of-the-art technologies are carefully examined. Finally, an outlook on advanced security concepts is given.

Wolfgang Granzer, Wolfgang Kastner

A UML Profile for Requirements Analysis of Dependable Software

At Safecomp 2009, we presented a foundation for requirements analysis of dependable software. We defined a set of patterns for expressing and analyzing dependability requirements, such as confidentiality, integrity, availability, and reliability. The patterns take into account random faults as well as certain attacks and therefore support a combined safety and security engineering.

In this paper, we demonstrate how the application of our patterns can be tool supported. We present a UML profile allowing us to express the different dependability requirements using UML diagrams. Integrity conditions are expressed using OCL. We provide tool support based on the Eclipse development environment, extended with an EMF-based UML tool, e.g., Papyrus UML. We illustrate how to use the profile to model dependability requirements of a cooperative adaptive cruise control system.

Denis Hatebur, Maritta Heisel

Session 9

Safety Engineering (1)

Model-Based Safety Engineering of Interdependent Functions in Automotive Vehicles Using EAST-ADL2

For systems where functions are distributed but share support for computation, communication, environment sensing and actuation, it is essential to understand how such functions can affect each other. Preliminary Hazard Analysis (PHA) is the task through which safety requirements are established. This is usually a document-based process where each system function is analyzed alone, making it difficult to reason about the commonalities of related functional concepts and the distribution of safety mechanisms across a system-of-systems. This paper presents a model-based approach to PHA with the EAST-ADL2 language and in accordance with the ISO/DIS 26262 standard. The language explicitly supports the definition and handling of requirements, functions and technical solutions, and their various relations and constraints as a coherent whole with multiple views. We show in particular the engineering needs for a systematic approach to PHA and the related language features for precise modeling of requirements, user functionalities, system operation contexts, and the derived safety mechanisms.

Anders Sandberg, DeJiu Chen, Henrik Lönn, Rolf Johansson, Lei Feng, Martin Törngren, Sandra Torchiaro, Ramin Tavakoli-Kolagari, Andreas Abele

Experiences in Applying Formal Verification in Robotics

Formal verification efforts in the area of robotics are still comparatively scarce. In this paper we report on our experiences with one such effort, which was concerned with designing, implementing and certifying a safety function for autonomous vehicles and robots. We outline the algorithm which was specifically designed with safety through formal verification in mind, and present our verification methodology, which is based on formal proof and verification using the theorem prover Isabelle. The necessary normative measures that are covered are discussed. The algorithm and our methodology have been certified for use in applications up to SIL 3 of IEC61508-3 by a certification authority. Throughout, issues we recognised as being important for a successful application of formal methods in the domain at hand are highlighted. These pertain to the development process, the abstraction level at which specifications should be formulated, and the interplay between simulation and verification, among others.

Dennis Walter, Holger Täubig, Christoph Lüth

Evolving a Safe System Design Iteratively

ARP4754 suggests that, whenever possible, aeronautical safety-critical systems may be developed as well as checked in an incremental way. But in practice the safe design emerges from the essential functional design in a discontinuous fashion. Engineers take several decisions in the direction of safety that sometimes can lose some of the desired functional characteristics. This can increase the development cost, because functional problems are only detected in late phases of the development life cycle. In this paper we propose a strategy that starts from an initial proposed design, where functional behavior is investigated using model checking, and evolves to a reliable and safe design in a stepwise fashion. At each step, where safety aspects are introduced, safety constraints are checked using probabilistic model checking (Markov analysis). The final design emerges when we cannot find any safety violation.

Alexandre Mota, Joabe Jesus, Adriano Gomes, Felipe Ferri, Edson Watanabe

An Approach to Using Non Safety-Assured Programmable Components in Modest Integrity Systems

Programmable components (like personal computers or smart devices) can offer considerable benefits in terms of usability and functionality in a safety-related system. However, there is a problem in justifying the use of programmable components if the components have not been safety-justified to an appropriate integrity level (e.g. to SIL 1 of IEC 61508). This paper outlines an approach (called LowSIL), developed in the UK CINIF nuclear industry research programme, to justify the use of non safety-assured programmable components in modest integrity systems. This is a seven-step approach that can be applied to new systems from an early design stage, or retrospectively to existing systems. The stages comprise: system characterisation, component suitability assessment, failure analysis, failure mitigation, identification of additional defences, identification of safety evidence requirements, and collation and evaluation of evidence. In the case of personal computers, there is supporting guidance on usage constraints, claim limits on reliability, and advice on “locking down” the component to maximise reliability. The approach is demonstrated for an example system. The approach has been applied successfully to a range of safety-related systems used in the nuclear industry.

Peter Bishop, Kostas Tourlas, Nick Chozos

Session 10

Safety Engineering (2)

Development of High-Integrity Software Product Lines Using Model Transformation

Academic and commercial approaches to software product line development have concentrated on the rapid instantiation of source code assets to minimise product time to market. Generative programming and model-based software engineering approaches have been suggested as effective ways of achieving this. However, for high-integrity software systems the instantiated product source code has to be accompanied by development process assets that demonstrate and support the product assurance arguments. This paper describes an approach to the model-based development of software product lines that is specifically designed to address the needs of high-integrity software systems. The approach consists of a reference architecture model and component-based development style, supported by model transformations to instantiate the project-specific components and associated development assets.

Stuart Hutchesson, John McDermid

On the Safety Implications of E-Governance: Assessing the Hazards of Enterprise Information Architectures in Safety-Critical Applications

Governments across Europe and North America have recently reviewed the ways in which they provide both the public and their own departments with access to electronic data. Information service architectures have been proposed as one important component of the new e-Governance visions. These web-based technologies offer huge benefits by defining common interfaces between different information systems, enabling government services to share information with the members of the public and among each other. However, the introduction of e-Governance architectures also creates a number of concerns. Inaccuracies or errors can be propagated well beyond the organizations that are responsible for maintaining the resource. There is also a concern that data, which was originally gathered for general applications, will be integrated into safety-critical systems without the corresponding levels of assurance or data integrity. This paper advocates the creation of a code of practice for the digital dissemination of safety-related information across government departments.

Christopher W. Johnson, Stefan Raue

The Right Degree of Configurability for Safety-Critical Embedded Software in Variable Message Signs

Traffic control and information systems are used in traffic technology for information propagation from a higher order control unit to the traffic participant. Nowadays, the user interface for the traffic participant is provided via freely programmable signs displaying e.g., traffic jam warnings or speed limits. These signs can be switched on or off and fed with arbitrary data corresponding to the present traffic situation. However, signs are manifold in size, functionality and means to communicate with them. For that reason, a certain degree of configurability of the embedded safety-critical software is needed in order to meet project-specific demands.

Configurability has its advantages in offering a certain degree of flexibility, but it poses a risk to safety integrity and requires additional effort for tools and documentation. This paper focuses on the configurability of software in the field of Variable Message Signs (VMS). Possible configuration parameters are considered with regard to their importance during the life-cycle of a VMS and their safety impact. Weighing the pros and cons, an idea of an optimum degree of configurability is finally given.

Thomas Novak, Christoph Stoegerer

INDEXYS, a Logical Step beyond GENESYS

Embedded computing systems have become a pervasive aspect in virtually all application domains, such as industrial, mobile communication, transportation and medical. Due to increasing computational capabilities of microcomputers and their decreasing cost, new functionality has been enabled (e.g., driver assistance systems) and cost savings have become possible, e.g., by the replacement of mechanical components by embedded computers.

Conventionally, each application domain tends to develop customized solutions, often re-inventing concepts that are already applied in other domains. It is therefore expedient to invest into a generic embedded system architecture that supports the development of dependable embedded applications in many different application domains, using the same hardware devices and software modules.

INDEXYS aims to pave the way from the reference computing architecture approach of the European Commission Framework 7 GENESYS project towards pilot applications in the automotive, railway and aerospace industrial domains. INDEXYS will follow up on GENESYS project results and will implement selected industrial-grade services of the GENESYS architectural concepts.

The results of bringing together GENESYS, INDEXYS and the new ARTEMIS project ACROSS, which will develop multiprocessor systems on a chip (MPSoC) using the GENESYS reference architecture and services, will provide an integral cross-domain architecture and platform, design and verification tools, middleware and flexible FPGA- or chip-based devices, lowering OEM cost of development and production at a faster time-to-market.

Andreas Eckel, Paul Milbredt, Zaid Al-Ars, Stefan Schneele, Bart Vermeulen, György Csertán, Christoph Scheerer, Neeraj Suri, Abdelmajid Khelil, Gerhard Fohler, Roman Obermaisser, Christian Fidi

Session 11

System Modelling and Fault Tolerance

Integrating System Modelling with Safety Activities

Increasing enforcement of safety standards – such as the new ISO 26262 – requires developers of embedded systems to supplement their development processes with safety-related activities, such as hazard analysis or the creation of technical safety concepts. Since these activities are often only loosely coupled with core development tasks, their addition reduces efficiency and causes a lack of consistency and traceability. This paper presents an approach to the integration of architectural modelling, modelling of failure nets, allocation of safety mechanisms to architectural elements, and finally traceability to requirements and test coverage. The presented methodology gives clear instructions for the comprehensive usage of existing techniques. The process is demonstrated using a real-world example from the automotive sector. In two industrial projects a significant increase in productivity could be achieved, solely using standard tools such as DOORS and IQ-RM. Nevertheless, the paper concludes with some suggestions for further enhancement of the method through formalization, e.g. using SysML, and tool integration.

Bernhard Kaiser, Vanessa Klaas, Stefan Schulz, Christian Herbst, Peter Lascych

Aspect-Oriented Implementation of Fault Tolerance: An Assessment of Overhead

Software-implemented fault tolerance is an attractive technique for constructing fail-safe and fault-tolerant processing nodes for road vehicles and other cost-sensitive applications. This paper investigates the memory consumption and execution time overhead obtained when implementing time-redundant execution and control flow checking in software for an automotive brake controller application. These two mechanisms were implemented at the source code level using three implementation techniques: aspect-oriented programming (AOP), source code transformation and manual programming in C. The results show that AOP generates much higher overheads than code transformation for strictly systematic implementations. On the other hand, when application knowledge is used to optimize the implementations, the overhead of AOP is similar to that of manual programming in C.

Ruben Alexandersson, Peter Öhman, Johan Karlsson

Invited Talks (Keynote Abstracts)

System of Systems Challenges

The available technology (e.g., the Internet) makes it possible to interconnect independently developed embedded systems (legacy systems) to form new systems-of-systems (SoS) that promise more efficient economic processes and improved services. Examples of SoSs are smart power distribution, car-to-car communication, or air-traffic control. The different sub-systems of an SoS are developed according to their unique architectural style, are operated by different organizations and serve their own purposes. The integration of the subsystems into an SoS can be static or dynamic. The emergent properties that come into existence by the integration of the sub-systems can be predicted or are, at first, unforeseen. There are a number of unique challenges in the design of systems of systems such as, for example: the alignment of the diverse architectural styles, the control of the emergent properties, information security, and the provision of dependable service in the face of the continuous evolution of the subsystems. This talk will elaborate on the characteristics of SoS and will focus on the mentioned research challenges that must be tackled in order to provide dependable SoS services.

Hermann Kopetz

Murphy Was an Optimist

Embedded, safety-critical systems often have requirements for incredibly small probabilities of failure, e.g. 10^-9 for a one-hour exposure. One often hears designers of safety-critical systems say: "We have to tolerate all credible faults".

However, the word "credible" in this assertion contrasts starkly with the word "incredibly" in the sentence before. In fact, there are faults and failures that most designers think can’t happen which actually can and do happen with probabilities far greater than the requirements allow. The well-known Murphy’s Law states that: "If anything can go wrong, it will go wrong." When requirements limit failure probabilities to one-in-a-million or less, this should be re-written as: "If anything can’t go wrong, it will go wrong anyway."

There are a couple of factors that lead designers to erroneously think that certain faults and failures are impossible, when in fact not only are they possible, but some are actually highly probable.

One factor is that the requirements are outside any designer’s experience, even when that experience includes that of colleagues. Using the literature seems like an obvious way of expanding one’s (virtual) experience. However, there are two problems with this. The first problem is that people who actually design safety-critical systems are rarely given enough time to keep current with the literature. The second problem is that the literature on actual occurrences of rare failure modes is almost nonexistent. Reasons for this include: people and organizations don’t want to admit they had a failure; designers feel that rare failure occurrences aren’t worth reporting; and, if designers aren’t given enough time to read literature, they certainly aren’t given enough time to write it. Takeaway: designers should fight their management for time to keep current with the literature, and designers should use every report of a rare failure as an opportunity to imagine other similar modes of failure.

The other factor that leads designers to erroneously think that certain faults and failures are impossible stems from abstraction. The complexity of modern safety-critical systems requires some form of abstraction. However, when designers limit their thinking to one level of abstraction, certain faults and failures can seem impossible, but would clearly be seen as probable if one were to examine layers below that level of abstraction. For example, a designer thinking about electrical components would not include in their FMEA the possibility that one component (e.g. a diode) could transmogrify into another component (e.g. a capacitor). But, at a lower level of abstraction, it can be seen that a crack through a diode die can create a capacitor. And a crack is one of the most highly probable failure modes at the physical material level of abstraction.

Examples of rare but actually occurring failures will be given. These will include a number of Byzantine faults, component transmogrification, fault mode transformation (e.g. stuck at faults that aren’t so stuck), the dangers of self-inflicted shrapnel, component creation via emergent properties, "evaporating" software, and exhaustively tested software that still failed.

Kevin R. Driscoll

Process Control Security: Go Dutch! (United, Shared, Lean and Mean)

International studies have shown that information security for process control systems, including SCADA, is weak. As many critical infrastructure (CI) services depend on process control systems, any vulnerability in the protection of process control systems in CI may result in serious consequences for the safety of our citizens and the security of our society, economy and ecology.

Various critical sectors in The Netherlands, such as drinking water, energy and multinationals, have identified process control security as an important theme to jointly address in the Dutch National Infrastructure against Cybercrime (NICC). A set of activities was started, such as sector-wide benchmarks, awareness raising, development of good practices, sharing of incident information, developing an acquisition standard, and red-blue team training. In mid-2010, the Dutch Process Control Security Roadmap project took off, which comprises a coordinated set of actions to raise the security barriers in the domain where information technology touches the physical world. Rather than re-inventing wheels, the Dutch approach is lean and mean, trying to improve and integrate existing efforts and advancements through a united effort by, for instance, chief information officers, process control users, manufacturers, system integrators, EDP auditors, education, and R&D. The results are shared with all the participants in order to reach an improved and high level of protection in the short, medium and long term. Results are shared as well with other nations, international information exchanges and vendors, aiming at international acceptance and a next, shared improvement cycle.

The keynote session will highlight the approaches and show some of the results.

Eric Luiijf
Backmatter

Metadata
Title
Computer Safety, Reliability, and Security
Edited by
Erwin Schoitsch
Copyright year
2010
Publisher
Springer Berlin Heidelberg
Electronic ISBN
978-3-642-15651-9
Print ISBN
978-3-642-15650-2
DOI
https://doi.org/10.1007/978-3-642-15651-9