
2018 | Book

Computer Safety, Reliability, and Security

37th International Conference, SAFECOMP 2018, Västerås, Sweden, September 19-21, 2018, Proceedings


About this book

This book constitutes the refereed proceedings of the 37th International Conference on Computer Safety, Reliability, and Security, SAFECOMP 2018, held in Västerås, Sweden, in September 2018.

The 19 revised full papers and 1 short paper presented together with three abstracts of keynotes were carefully reviewed and selected from 63 submissions. The papers are organized in topical sections on Automotive Safety Standards and Cross-domain Reuse Potential; Autonomous Driving and Safety Analysis; Verification; Multi-concern Assurance; Fault Tolerance; and Safety and Security Risk.

Table of Contents


Automotive Safety Standards and Cross-Domain Reuse Potential

Practical Experience Report: Automotive Safety Practices vs. Accepted Principles
This paper documents the state of automotive computer-based system safety practices based on experiences with unintended acceleration litigation spanning multiple vehicle makers. There is a wide gulf between some observed automotive practices and established principles for safety critical system engineering. While some companies strive to do better, at least some car makers in the 2002–2010 era took a test-centric approach to safety that discounted non-reproducible and “unrealistic” faults, instead blaming driver error for mishaps. Regulators still follow policies from the pre-software safety assurance era. Eight general areas of contrast between accepted safety principles and observed automotive safety practices are identified. While the advent of ISO 26262 promises some progress, deployment of highly autonomous vehicles in a non-regulatory environment threatens to undermine safety engineering rigor.
Philip Koopman
A Generic Method for a Bottom-Up ASIL Decomposition
Automotive Safety Integrity Level (ASIL) decomposition is a technique presented in the ISO 26262: Road Vehicles - Functional Safety standard. Its purpose is to satisfy safety-critical requirements by decomposing them into less critical ones. This procedure requires a system-level validation, and the elements of the architecture to which the decomposed requirements are allocated must be analyzed in terms of Common-Cause Faults (CCF). In this work, we present a generic method for a bottom-up ASIL decomposition, which can be used during the development of a new product. The system architecture is described in a three-layer model, from which fault trees are generated, formed by the application, resource, and physical layers and their mappings. A CCF analysis is performed on the fault trees to verify the absence of possible common faults between the redundant elements and to validate the ASIL decomposition.
Alessandro Frigerio, Bart Vermeulen, Kees Goossens
Assurance Benefits of ISO 26262 Compliant Microcontrollers for Safety-Critical Avionics
The usage of complex Microcontroller Units (MCUs) in avionics systems constitutes a challenge in assuring their safety. They are not always developed according to the assurance requirements accepted by the aerospace industry. These Commercial off-the-shelf (COTS) hardware components usually target other domains like the telecommunication branch, because of the volume of sales and reduced liability. In the last years MCUs developed in compliance to the ISO 26262 have been released on the market for safety-related automotive applications. The avionics market could profit taking credit for some of the activities conducted in developing these MCUs. In this paper we present evaluation results based on comparing assurance activities from ISO 26262 that could be considered for compliance to relevant assurance guidance for COTS MCU in avionics.
Andreas Schwierz, Håkan Forsberg

Autonomous Driving and Safety Analysis

Structuring Validation Targets of a Machine Learning Function Applied to Automated Driving
The validation of highly automated driving vehicles is an important challenge to the automotive industry, since even if the system is free from internal faults, its behaviour might still vary from the original intent. Reasons for these deviations from the intended functionality can be found in the unpredictability of environmental conditions as well as the intrinsic uncertainties of the Machine Learning (ML) functions used to make sense of this complex input space. In this paper, we propose a safety assurance case for a pedestrian detection function, a safety-relevant baseline functionality for an automated driving system. Our safety assurance case is presented in the graphical structuring notation (GSN) and combines our arguments against the problems of underspecification [9], the semantic gap [3], and the deductive gap [16].
Lydia Gauerhof, Peter Munk, Simon Burton
Multi-aspect Safety Engineering for Highly Automated Driving
Looking Beyond Functional Safety and Established Standards and Methodologies
Highly automated and autonomous driving is a major trend and vast amounts of effort and resources are presently being invested in the development of corresponding solutions. However, safety assurance is a concern, as established safety engineering standards and methodologies are not sufficient in this context. In this paper, we elaborate the fundamental safety engineering steps that are necessary to create safe vehicles of higher automation levels. Furthermore, we map these steps to the guidance presently available in existing (e.g., ISO 26262) and upcoming (e.g., ISO PAS 21448) standards and point out open gaps. We then outline an approach for overcoming the identified deficiencies by integrating three different safety engineering disciplines. This includes (1) creating a safe nominal behavior specification; (2) dealing with functional insufficiencies, and (3) assuring the related performance w.r.t. functional safety. We exemplify our proposed methodology with a case study from industry.
Patrik Feth, Rasmus Adler, Takeshi Fukuda, Tasuku Ishigooka, Satoshi Otsuka, Daniel Schneider, Denis Uecker, Kentaro Yoshimura
A Model-Based Safety Analysis of Dependencies Across Abstraction Layers
Identifying and mitigating possible failure propagation from one safety-critical application to another through common infrastructural components is a challenging task. Examples of such dependencies across software-stack layers (e.g., between application and middleware layer) are common causes and failure propagation scenarios in which a failure of one software component propagates to another software component through shared services and/or common computational resources. To account for this, safety standards demand freedom from interference in order to control failure propagation between mixed-critical software components. Safety analysis is typically focused on one abstraction layer, while robustness tests try to find failure propagation paths across abstraction layers. To this end, this paper presents a model-based failure propagation analysis combining failure propagation within and across abstraction layers. A classification of dependencies in combination with fault trees is used to perform a model-based dependency analysis. In addition, a novel modeling technique for integrating failure propagation aspects resulting from shared services and resources is presented. The analysis was used to carry out an early safety assessment of a real-world automotive redundancy mechanism within an integrated architecture. The results show that the method improved reusability and modularity, and made it easier to estimate failure propagation issues, including possible violations of freedom from interference within an integrated system.
Christoph Dropmann, Eike Thaden, Mario Trapp, Denis Uecker, Rakshith Amarnath, Leandro Avila da Silva, Peter Munk, Markus Schweizer, Matthias Jung, Rasmus Adler

Verification

Formal Verification of Signalling Programs with SafeCap
SafeCap is a modern toolkit for modelling, simulation and formal verification of railway networks. This paper discusses the use of SafeCap for formal analysis and fully-automated scalable safety verification of solid state interlocking (SSI) programs – a technology at the heart of many railway signalling solutions. The focus of the work is on making it easy for signalling engineers to use the developed technology and thus to help with its smooth industrial deployment. In this paper we explain the formal foundations of the proposed method, its tool support, and their application to real life railway verification problems.
Alexei Iliasov, Dominic Taylor, Linas Laibinis, Alexander Romanovsky
Deriving and Formalising Safety and Security Requirements for Control Systems
Safety-critical control systems are becoming increasingly open and interconnected. However, there is still a lack of techniques that enable an integrated analysis of safety and security requirements. In this paper, we propose an approach that allows designers to derive and formalise safety and security requirements in a structured, systematic way. To elicit both types of requirements, we adapt and integrate traditional safety and security analysis techniques. To formally specify and verify them, we rely on the Event-B framework. The framework allows us to develop a complex specification of system behaviour in the presence of both accidental faults and security attacks and to analyse mutual interdependencies between safety and security requirements.
Elena Troubitsyna, Inna Vistbakka
Optimal Test Suite Generation for Modified Condition Decision Coverage Using SAT Solving
Boolean expressions occur frequently in descriptions of computer systems, but they tend to be complex and error-prone in complex systems. The modified condition decision coverage (MCDC) criterion in system testing is an important testing technique for Boolean expressions, as its usage is mandated by safety standards such as DO-178 [1] (avionics) and ISO 26262 [2] (automotive). In this paper, we develop an algorithm to generate optimal MCDC test suites for Boolean expressions. Our algorithm is based on SAT solving and generates minimal MCDC test suites. Experiments on a real-world avionics system confirm that the technique can construct minimal MCDC test suites within reasonable times, and improves significantly upon prior techniques.
Takashi Kitamura, Quentin Maissonneuve, Eun-Hye Choi, Cyrille Artho, Angelo Gargantini
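The following is an added example, not code from the paper above: it makes the MC/DC criterion concrete for a small decision. For each condition it enumerates the "independence pairs" (two test vectors that differ only in that condition and flip the decision outcome), then finds the smallest suite containing one such pair per condition. The paper does this with a SAT solver for large expressions; the exhaustive subset search used here is an assumption made for readability and is only practical for a handful of conditions. The decision `(a or b) and c` and the helper names are also assumptions.

```python
from itertools import combinations, product


def independence_pairs(decision, n):
    """For each condition index i, the pairs of test vectors that differ only in
    condition i and produce different decision outcomes (unique-cause MC/DC)."""
    pairs = {i: [] for i in range(n)}
    for vec in product((False, True), repeat=n):
        for i in range(n):
            if vec[i]:
                continue  # count each pair once, starting from its False side
            partner = vec[:i] + (True,) + vec[i + 1:]
            if decision(*vec) != decision(*partner):
                pairs[i].append((vec, partner))
    return pairs


def covers_mcdc(decision, n, suite):
    """True if every condition has an independence pair with both vectors in suite."""
    chosen = set(suite)
    pairs = independence_pairs(decision, n)
    return all(any(a in chosen and b in chosen for a, b in pairs[i]) for i in range(n))


def minimal_mcdc_suite(decision, n):
    """Smallest unique-cause MC/DC suite, found by exhaustive search over subsets of
    increasing size (assumed approach; feasible only for small n). Returns None when
    some condition can never independently change the outcome, which usually points
    to redundant or dead logic in the expression."""
    pairs = independence_pairs(decision, n)
    if any(not pairs[i] for i in range(n)):
        return None
    vectors = list(product((False, True), repeat=n))
    for size in range(n + 1, len(vectors) + 1):  # MC/DC needs at least n+1 tests
        for suite in combinations(vectors, size):
            chosen = set(suite)
            if all(any(a in chosen and b in chosen for a, b in pairs[i]) for i in range(n)):
                return list(suite)
    return None


def describe(suite, names, decision):
    """Render a suite as 'a=0, b=1, c=1 -> 1' lines."""
    lines = []
    for vec in suite:
        assignment = ", ".join(f"{nm}={int(v)}" for nm, v in zip(names, vec))
        lines.append(f"{assignment} -> {int(decision(*vec))}")
    return lines


if __name__ == "__main__":
    decision = lambda a, b, c: (a or b) and c  # constructed example decision
    suite = minimal_mcdc_suite(decision, 3)
    print("\n".join(describe(suite, "abc", decision)))
    # an expression in which b can never independently affect the outcome
    print(minimal_mcdc_suite(lambda a, b: a or (a and b), 2))
```

For `(a or b) and c` the search returns four vectors (the n+1 lower bound), and the `None` result for `a or (a and b)` is the useful warning: a condition with no independence pair cannot be covered by any suite, so a coverage tool that reports 100% there is measuring something other than MC/DC.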
Efficient Splitting of Test and Simulation Cases for the Verification of Highly Automated Driving Functions
We address the question of feasibility of tests to verify highly automated driving functions by optimizing the trade-off between virtual tests for verifying safety properties and physical tests for validating the models used for such verification. We follow a quantitative approach based on a probabilistic treatment of the different quantities in question. That is, we quantify the accuracy of a model in terms of its probabilistic prediction ability. Similarly, we quantify the compliance of a system with its requirements in terms of the probability of satisfying these requirements. Depending on the costs of an individual virtual and physical test we are then able to calculate an optimal trade-off between physical and virtual tests, yet guaranteeing a probability of satisfying all requirements.
Eckard Böde, Matthias Büker, Ulrich Eberle, Martin Fränzle, Sebastian Gerwinn, Birte Kramer

Multi-Concern Assurance

Roadblocks on the Highway to Secure Cars: An Exploratory Survey on the Current Safety and Security Practice of the Automotive Industry
With various advances in technology, cars evolved to highly interconnected and complex Cyber-Physical Systems. Due to this development, the security of involved components and systems needs to be addressed in a rigorous way. The resulting necessity of combining safety and security aspects during the development processes has proven to be non-trivial due to the high interference between these aspects and their respective treatment. This paper discusses the results of an exploratory survey on how organizations from the automotive industry in the Euroregion tackle the challenge of integrating safety and security aspects during system development. The observed state of practice shows that there are significant deficits in the integration of both domains. The results of the exploratory survey enabled us to identify the most common challenges of realizing an integrated approach in a practical setting and discuss implications for future research.
Michael Huber, Michael Brunner, Clemens Sauerwein, Carmen Carlan, Ruth Breu
Safe and Secure Automotive Over-the-Air Updates
Over-the-air updates have been used for years in the software industry, allowing bug fixes and enhancements to desktop, laptop, and mobile operating systems and applications. Automotive vehicles now depend on software to the extent that manufacturers are turning to over-the-air updates for critical vehicle functionality. History shows that our software systems are most vulnerable to lapses in safety and dependability when they undergo change, and performing an update over a communication channel adds a significant security concern. This paper presents our ideas on assuring integrated safety and security of over-the-air updates through assurance case templates that comply with both ISO 26262 (functional safety) and SAE J3061 (cyber-security). Wisely, the authors of SAE J3061 structured the guidebook so that it meshes well with ISO 26262, and we have been able to use principles we developed for deriving an assurance case template from ISO 26262, to help include compliance with SAE J3061 in the template. The paper also demonstrates how a specialization of the template helps guide us to pre-emptively mitigate against potential vulnerabilities in over-the-air update implementations.
Thomas Chowdhury, Eric Lesiuta, Kerianne Rikley, Chung-Wei Lin, Eunsuk Kang, BaekGyu Kim, Shinichi Shiraishi, Mark Lawford, Alan Wassyng
Dependability Analysis of the AFDX Frame Management Design
Avionics Full Duplex Switched Ethernet (AFDX) is an implementation of the ARINC 664 specification, which defines the electrical and protocol specifications for data exchange between Computer Systems. AFDX implements extensions on standard Ethernet to achieve a deterministic and fault-tolerant network, which is demonstrated through its frame management design. AFDX, like other emerging time-critical Ethernet-based standards, has potential for use in other critical industries, such as nuclear power plants. This would provide an additional option by which industry players can leverage the speed and ubiquity of Ethernet, with the added benefit of services to support highest safety requirements. However, considering that the nuclear industry continues to be a prime target for advanced security threats, it is imperative to demonstrate what protection AFDX offers, as well as what additional attack surface it may introduce. For this paper, the basic taxonomy of dependable and secure computing is used to conduct a dependability analysis of the AFDX frame management design. An OMNeT++ model simulation of an AFDX network is used to demonstrate potential attacks. Considerations for solutions for a robust AFDX specification are proposed for future research.
Venesa Watson, Mahlet Bejiga

Fault Tolerance

Efficient On-Line Error Detection and Mitigation for Deep Neural Network Accelerators
The use of deep neural network accelerators in safety-critical systems, for example autonomous vehicles, requires measures to ensure functional safety of the embedded hardware. However, due to the vast computational requirements that deep neural networks exhibit, the use of traditional redundancy-based approaches for the detection and mitigation of random hardware errors leads to very inefficient systems. In this paper we present an efficient and effective method to detect critical bit-flip errors in neural network accelerators and mitigate their effect at run time. Our method is based on an anomaly detection in the intermediate outputs of the neural network. We evaluate our method by performing fault injection simulations with two deep neural networks and data sets. In these experiments our error detector achieves a recall of up to 99.03% and a precision of up to 97.29%, while requiring a computation overhead of only 2.67% or less.
Christoph Schorn, Andre Guntoro, Gerd Ascheid
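An added example, not the authors' code, illustrating the idea of range-based anomaly detection on intermediate outputs. A tiny fully connected network is calibrated on clean inputs to obtain a per-neuron upper bound on each layer's activations; a single bit flip is then injected into one float32 weight (the exponent MSB, bit 30, which multiplies the value by 2^128) and the guarded forward pass reports the first layer and neuron whose activation leaves the calibrated range. The network size, the 1.25 margin, and clipping the offending activation to its bound as the mitigation are assumptions for this illustration, not the paper's method.

```python
import random
import struct


def flip_bit(value, bit):
    """Flip one bit of the IEEE-754 binary32 encoding of value (bit 0 = LSB, 31 = sign)."""
    (raw,) = struct.unpack("<I", struct.pack("<f", value))
    return struct.unpack("<f", struct.pack("<I", raw ^ (1 << bit)))[0]


def relu(vec):
    return [max(0.0, v) for v in vec]


def dense(x, weights, bias):
    """One fully connected layer; weights holds one row per output neuron."""
    return [sum(w * xi for w, xi in zip(row, x)) + b for row, b in zip(weights, bias)]


def forward(x, params):
    """Return the post-ReLU output of every layer (the intermediate outputs)."""
    acts, h = [], x
    for weights, bias in params:
        h = relu(dense(h, weights, bias))
        acts.append(h)
    return acts


def calibrate_bounds(params, inputs, margin=1.25):
    """Per-neuron upper bound: largest activation seen on clean inputs, times a margin."""
    bounds = [[0.0] * len(bias) for _, bias in params]
    for x in inputs:
        for layer, act in enumerate(forward(x, params)):
            bounds[layer] = [max(b, a) for b, a in zip(bounds[layer], act)]
    return [[b * margin for b in layer] for layer in bounds]


def guarded_forward(x, params, bounds):
    """Forward pass with an anomaly check after every layer.
    Returns (final output, list of (layer, neuron) alarms). A NaN or out-of-range
    activation raises an alarm and is clipped to its bound before propagating
    (assumed mitigation for this example)."""
    alarms, h = [], x
    for layer, (weights, bias) in enumerate(params):
        h = relu(dense(h, weights, bias))
        for j, (a, bmax) in enumerate(zip(h, bounds[layer])):
            if a != a or a > bmax:  # NaN, or above the calibrated range
                alarms.append((layer, j))
                h[j] = bmax
    return h, alarms


def make_network(seed=7, sizes=(4, 6, 3)):
    """Constructed network with seeded random weights (no training involved)."""
    rng = random.Random(seed)
    params = []
    for n_in, n_out in zip(sizes, sizes[1:]):
        weights = [[rng.uniform(-1.0, 1.0) for _ in range(n_in)] for _ in range(n_out)]
        bias = [rng.uniform(-0.1, 0.1) for _ in range(n_out)]
        params.append((weights, bias))
    # keep the weight we corrupt positive: a huge negative product would be masked by ReLU
    params[0][0][0][0] = abs(params[0][0][0][0])
    return params


def demo(seed=7):
    """Run the detector on a clean input and on the same input after a weight bit flip."""
    params = make_network(seed)
    rng = random.Random(seed + 1)
    calib = [[rng.random() for _ in range(4)] for _ in range(200)]  # constructed clean inputs
    bounds = calibrate_bounds(params, calib)
    x = calib[0]
    clean_out, clean_alarms = guarded_forward(x, params, bounds)
    params[0][0][0][0] = flip_bit(params[0][0][0][0], 30)  # single-event upset in one weight
    faulty_out, faulty_alarms = guarded_forward(x, params, bounds)
    return clean_alarms, faulty_alarms, clean_out, faulty_out


if __name__ == "__main__":
    clean_alarms, faulty_alarms, clean_out, faulty_out = demo()
    print("clean alarms:", clean_alarms)
    print("faulty alarms:", faulty_alarms)
    print("output with mitigation:", [round(v, 3) for v in faulty_out])
```

The caveat the ReLU comment hints at matters in practice: a flip that drives a weight hugely negative is silently zeroed by the activation and never reaches the detector, so a range check on outputs covers only the errors that actually change the intermediate values, which is also why the paper reports recall rather than assuming every flip is observable.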
Random Additive Control Flow Error Detection
Today, embedded systems are being used in many (safety-critical) applications. However, due to their decreasing feature size and supply voltage, such systems are more susceptible to external disturbances such as electromagnetic interference. These external disturbances are able to introduce bit-flips inside the microcontroller’s hardware. In turn, these bit-flips may also corrupt the software. A possible software corruption is a control flow error. This paper proposes a new software-implemented control flow error detection technique. The advantage of our technique, called Random Additive Control Flow Error Detection, is a high detection ratio with a low execution time overhead. Most control flow errors are detected, while having a lower execution time overhead than the considered existing techniques.
Jens Vankeirsbilck, Niels Penneman, Hans Hallez, Jeroen Boydens
Fault-Tolerant Clock Synchronization with Only Two Redundant Paths
Many safety-relevant real-time systems require a reliable time source, which leads to the requirement of fault-tolerant clock synchronization. This paper proposes a fault-tolerant synchronization protocol for networks where the bridges are connected via point-to-point links (like Ethernet or Time-Sensitive Network) and the number of redundant point-to-point links is kept small for cost reasons, like in ring topologies. This new protocol “single initiator forward and collected answer” (SFC), can tolerate all failures of one faulty bridge though it needs only two disjoint paths between any pair of bridges.
Zoha Moztarzadeh
MORE: MOdel-based REdundancy for Simulink
Fault tolerance plays a significant role in safety-critical system design, enabling a system to continue performing its intended functions in the presence of faults. Redundancy is the key underlying method to achieve fault tolerance. Hardware redundancy and software redundancy are well-known redundancy techniques. In the case of model-based development, redundancy mechanisms can be applied directly at the model level, e.g. to a Simulink model. This paper introduces a new, model-based redundancy technique to tolerate hardware faults, called model-based redundancy (MORE). Applications of fault-tolerant design patterns, such as comparison, voting, and sparing, to Simulink models are introduced. A Simulink PID controller model is demonstrated as a case study to show the effectiveness and feasibility of the introduced approach. The paper also addresses the mutual optimization of reliability properties and system performance. We apply MORE separately to the P, I, and D terms and analyze system performance and the achieved reliability properties, evaluated using a stochastic dual-graph error propagation model.
Kai Ding, Andrey Morozov, Klaus Janschek

Safety and Security Risk

Diversity in Open Source Intrusion Detection Systems
We present an analysis of the diversity that exists in the rules and blacklisted IP addresses of the Snort and Suricata Intrusion Detection Systems (IDSs). We analysed the evolution of the rulesets and blacklisted IP addresses of these two IDSs over a 5-month period between May and October 2017. We used three different off-the-shelf default configurations of the Snort IDS and the Emerging Threats (ET) configuration of the Suricata IDS. Analysing the differences in these systems allows us to get insights into where the diversity in the behaviour of these systems comes from and how it evolves over time. This gives security architects insight into how they can combine and layer these systems in a defence-in-depth deployment. To the best of our knowledge a similar experiment has not been performed before. We will also show results on the observed diversity in behaviour of these systems, when they analysed the network data of the DMZ network of City, University of London.
Hafizul Asad, Ilir Gashi
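An added example, not the authors' tooling, showing how the three kinds of diversity named in the abstract can be measured from artefacts an operator already has. Snort and ET/Suricata rules live in different SID namespaces, so rules are compared only within one IDS across time (added, removed and revised SIDs between two snapshots), while blacklists are compared across IDSs by IP address and detection behaviour is compared across IDSs at the level of which flows each one alerted on, parsed from the shared fast.log alert format. All sample rules, blacklist entries and alert lines below are constructed (documentation address ranges, local SIDs) and stand in for the real rulesets and DMZ traffic of the study; the flow key (source, destination, destination port) is an assumption.

```python
import re

# fast.log line: "MM/DD-HH:MM:SS.ffffff  [**] [gid:sid:rev] msg [**] [...] {PROTO} src:port -> dst:port"
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
REV_RE = re.compile(r"\brev\s*:\s*(\d+)\s*;")

# Constructed sample data (not real alerts, rules or blacklists).
SNORT_FAST = """\
05/17-13:21:02.123456  [**] [1:1000010:2] LOCAL id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.5:4444 -> 192.0.2.10:80
05/17-13:22:10.000001  [**] [1:1000001:1] LOCAL SSH brute force attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 198.51.100.7:51022 -> 192.0.2.22:22
05/17-13:25:44.555555  [**] [1:1000002:1] LOCAL scanner user agent [**] [Priority: 3] {TCP} 203.0.113.9:3321 -> 192.0.2.10:80
"""
SURICATA_FAST = """\
05/17-13:21:02.123600  [**] [1:1000010:2] LOCAL id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.5:4444 -> 192.0.2.10:80
05/17-13:23:01.000000  [**] [1:1000020:3] LOCAL inbound to database port [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.40:60000 -> 192.0.2.30:3306
05/17-13:25:44.555700  [**] [1:1000021:1] LOCAL web scanner fingerprint [**] [Priority: 2] {TCP} 203.0.113.9:3321 -> 192.0.2.10:80
"""
SNORT_BLACKLIST = "203.0.113.5\n203.0.113.9  # scanner\n198.51.100.7\n198.51.100.200\n"
SURICATA_BLACKLIST = "# ET compromised hosts (constructed)\n203.0.113.5\n198.51.100.40\n198.51.100.200\n"
RULES_MAY = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"LOCAL SSH brute force attempt"; flow:to_server; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"LOCAL scanner user agent"; content:"scanner"; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"LOCAL inbound mysql from outside"; sid:1000003; rev:1;)
"""
RULES_OCT = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"LOCAL SSH brute force attempt"; flow:to_server; threshold:type both,track by_src,count 5,seconds 60; sid:1000001; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"LOCAL scanner user agent"; content:"scanner"; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 5432 (msg:"LOCAL inbound postgres from outside"; sid:1000004; rev:1;)
"""


def parse_fast_log(text):
    """Parse fast.log lines into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in (FAST_LOG_RE.match(l.strip()) for l in text.splitlines()) if m]


def flow_key(alert):
    return (alert["src"], alert["dst"], alert["dport"])


def alert_diversity(alerts_a, alerts_b):
    """Which flows were flagged by both IDSs, by only one, and by the layered pair."""
    flows_a = {flow_key(a) for a in alerts_a}
    flows_b = {flow_key(b) for b in alerts_b}
    return {"both": flows_a & flows_b, "only_a": flows_a - flows_b,
            "only_b": flows_b - flows_a, "union": flows_a | flows_b}


def parse_blacklist(text):
    """One IP per line, '#' comments allowed."""
    return {l.split("#", 1)[0].strip() for l in text.splitlines() if l.split("#", 1)[0].strip()}


def jaccard(a, b):
    return len(a & b) / len(a | b) if (a | b) else 1.0


def rule_index(text):
    """Map sid -> rev for every rule line in a ruleset snapshot."""
    index = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sid, rev = SID_RE.search(line), REV_RE.search(line)
        if sid:
            index[int(sid.group(1))] = int(rev.group(1)) if rev else 0
    return index


def ruleset_churn(old_text, new_text):
    """SIDs added, removed and revised between two snapshots of one IDS's ruleset."""
    old, new = rule_index(old_text), rule_index(new_text)
    return {"added": set(new) - set(old), "removed": set(old) - set(new),
            "revised": {sid for sid in set(old) & set(new) if old[sid] != new[sid]}}


if __name__ == "__main__":
    div = alert_diversity(parse_fast_log(SNORT_FAST), parse_fast_log(SURICATA_FAST))
    print({k: len(v) for k, v in div.items()})
    print("blacklist Jaccard:", jaccard(parse_blacklist(SNORT_BLACKLIST), parse_blacklist(SURICATA_BLACKLIST)))
    print("Snort ruleset churn May->Oct:", ruleset_churn(RULES_MAY, RULES_OCT))
```

The `union` count is the figure a defence-in-depth argument rests on: on the constructed data each IDS alone flags three flows, the pair flags four, and the two flows only one of them sees are exactly where layering pays off. A low blacklist Jaccard index says the same thing for the IP feeds, and the churn report is the per-IDS view of how that diversity moves between snapshots.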
Inter-device Sensor-Fusion for Action Authorization on Industrial Mobile Robots
Usage of mobile robots in industry has increased significantly in recent years. However, mobile robots introduce additional safety issues for the human workforce and pose a higher risk of failures in production due to possible abnormal robot behavior. Such abnormal behavior could, among other things, be caused by security weaknesses that enable attacks. These problems lead to a need for action authorization mechanisms to protect humans and mitigate possible costly failures. In this paper, we propose an authorization mechanism for critical actuator actions on industrial mobile robots. The mechanism relies on security principles that prevent adversaries from unauthorized action execution. To the best knowledge of the authors, no similar concept for secured action authorization for industrial mobile robots is currently known in research. Our evaluation shows that more than 80% of the additional safety hazard causes introduced by the lack of security can be mitigated with the proposed authorization mechanism.
Sarah Haas, Andrea Höller, Thomas Ulz, Christian Steger
Towards a Common Ontology of Safety Risk Concepts for Railway Vehicles and Signaling
In the railway domain, different methods are applied for estimating safety targets (like SIL) in the subdomains of railway rolling stock (e.g., SIRF) and railway control, command and signaling (e.g., BP-Risk), respectively, which are referred to as railway vehicles and railway signaling for the rest of this paper. Such methods are also based on different terminology underlying different concepts used, e.g., as parameters. Even worse, similar terms often mean different concepts. This may lead to different risk estimates for these subdomains of the railway domain.
Our approach for addressing these problems has been to create a common safety ontology covering the important concepts of both subdomains. Hence, we analyzed the methods SIRF and BP-Risk with regard to the terms and parameters used. Based on this analysis and a previous safety ontology for railway vehicles, we created a new common ontology for railway vehicles and signaling. It is also consistent with the related terminology of EN 50126 (for railway systems) and ISO 26262 (for automobiles). Such an ontology should facilitate the reuse of hazard and risk analyses from one subdomain to the other, and it should have important application areas such as estimating safety targets consistently.
Bernhard Hulin, Hermann Kaindl, Roland Beckert, Thomas Rathfux, Roman Popp
Editors
Barbara Gallina
Amund Skavhaug
Friedemann Bitsch