Systems, Software and Services Process Improvement

Artificial Intelligence (AI) has become an increasingly pervasive technology in various industries, offering numerous benefits such as increased efficiency, productivity, and innovation. However, the ethical implications of AI adoption in industry have raised concerns and AI ethics has emerged as a critical field of study, focusing on the trustworthy development, deployment, and use of AI technologies. In this paper, we explore an AI Ethics concept with a particular focus on sustained enabling factors to guide organizations in navigating the ethical challenges associated with AI adoption.

AI-based systems are becoming increasingly prominent in everyday life, from smart assistants like Amazon’s Alexa to their use in the healthcare industry. With this rise, the evidence of bias in AI-based systems has also been witnessed. The effects of this bias on the groups of people targeted can range from inconvenient to life-threatening. As AI-based systems continue to be developed and used, it is important that this bias should be eliminated as much as possible. Through the findings of a multivocal literature review (MLR), we aim to understand what AI-based systems are, what bias is and the types of bias these systems have, the potential risks and effects of this bias, and how to reduce bias in AI-based systems. In conclusion, addressing and mitigating biases in AI-based systems is crucial for fostering equitable and trustworthy applications; by proactively identifying these biases and implementing strategies to counteract them, we can contribute to the development of more responsible and inclusive AI technologies that benefit all users.

Low-code applications promise to lower the hurdles in designing domain-specific apps based on reusable components without prior knowledge of programming. Increasingly more and more platforms and tools are supporting this paradigm. However, as soon as they go beyond the state of prototypes and become part of the IT landscape, such applications start posing challenges in terms of design cultures, corporate processes, security, and performance. In order to ensure high-quality standards in low-code apps, one must implement quality assurance measures and enforce these rules. However, testing these apps in traditional ways seems to be infeasible, as the developers of these apps are not necessarily trained software engineers. This paper presents an approach for enforcing quality assurance measures on low-code apps, while also following the philosophy of low-code in the testing procedures.

Risk Management is a cornerstone of daily business operations that ensures their sustained viability over the long term. It is a critical function for any business as it helps identify potential threats and opportunities and enables informed decision-making. When placed within the context of critical infrastructures, a risk management profile attains a heightened dimension. The integration of security practices within the software development pipeline, commonly known as DevSecOps, is a novel approach to enhance software application security. This approach has been touted as a transformative solution that not only promotes the adoption of security practices but also provides financial benefits by mitigating risk levels and ensuring uninterrupted business operations. The objective of this paper is to present a conceptual framework to manage risk inside critical infrastructures in the DevSecOps context. This framework is built upon three pillars: action, state, and contrivance. It aims to: (i) facilitate the comprehension of risk, (ii) provide an incentive mechanism towards enhancing risk management, (iii) contribute to both human and machine contrivance, and (iv) ensure the quality of the information retrieved by involving all teams.

Focus group discussion is an empirical research method for qualitative studies aimed at eliciting information and perceptions from practitioners. This method is used in software engineering to validate and generalise research results. However, the time available to conduct the sessions could be improved, more tools are required to achieve the discussion in a structured way, and it is vital to avoid the inhibition of the participants. This study proposes a gamification-based strategy to conduct research in which the focus group method is paramount for validation and overcoming some mentioned limitations. For this purpose, a gamification strategy design method consisted of five phases: planning, design, pilot testing, programming and evaluation. The designed strategy was applied in a focus group of seven professionals to prioritise six non-technical factors required in software development teams within Industry 4.0. Applying the gamified strategy allowed us to capture the feelings of all group members methodically within a limited time window. Therefore, the strategy is a potential structured tool for conducting focus group sessions.

The metaverse concept has recently garnered substantial attention, with growing interest in its potential application in governance. This study examines the obstacles, citizen perspectives, and crucial factors that may facilitate or impede the success of metaverse-based digital governance in a country. Through an in-depth analysis of survey data, the research reveals that weak internet connections and insufficient infrastructure constitute the primary barriers to adopting metaverse-based digital governance in The Gambia. However, addressing these challenges could significantly contribute to its successful implementation. The findings indicate that citizens’ familiarity with the metaverse has a mixed impact on their confidence in the government's capacity to utilize the technology effectively. Additionally, a positive correlation was observed between satisfaction with existing digital governance and the public's propensity to engage in metaverse-driven initiatives. Privacy and security concerns surfaced as notable factors influencing citizens’ willingness to participate in digital governance efforts within the metaverse. To ensure the effective adoption or execution of metaverse-based digital governance in The Gambia, the study proposes a roadmap prioritizing digital literacy programs, and infrastructure development, addressing privacy and security concerns, and cultivating trust in the government's ability to manage the transition competently. This research may serve as a valuable resource for other nations considering the adoption of metaverse-based digital governance systems.

Software development is typically a team activity due to its complexity. However, integrating a new team can be challenging because team member needs to adapt to work with the others. In this context, the study of personal or soft skills has become relevant because they are essential for teamwork and individual success in professional life; although evaluating them is challenging. This paper presents a proposal for assessing soft skills, specifically flexibility to change, with games as an alternative. Games abstract participants, making them to forget they are observed, producing an environment in which a more natural performance is expected while recreating situations similar to those during software development projects. Also, results from a case study focused on evaluate flexibility to change are presented. Flexibility to change is a soft skill that can be evaluated at individual level and highly contributes to the success of teamwork.

The Metaverse comprises a network of interconnected 3D virtual worlds, poised to become the primary gateway for future online experiences. These experiences hinge upon the use of avatars, participants' virtual counterparts capable of exhibiting human-like non-verbal behaviors, such as gestures, walking, dancing, and social interaction. Discerning between human and artificial avatars becomes crucial as the concept gains prominence. Advances in artificial intelligence have facilitated the creation of virtual human-like entities, underscoring the importance of distinguishing between virtual agents and human characters. This paper investigates the factors differentiating human and virtual participants within the Metaverse environment. A semi-structured interview approach was employed, with data collected from software practitioners (N = 10). Our preliminary findings indicate that response speed, adaptability to unforeseen events, and recurring scenarios play significant roles in determining whether an entity in the virtual world is a human or an intelligent agent.

Based on the EU AI Act draft from November 2022 a team of data scientists, quality managers and legal experts set out to instantiate the AI Act for their project domain. To focus on the product and service relevant parts of the extensive EU Act, the Level of Done (LoD) layer approach was applied. Based on this LoD layer for the AI Act an evaluation was initiated with ongoing Machine Learning (ML) projects. This case study describes the method and approach on how the instantiation was done and provides a first insight into the LoD-application from an engineering perspective.

The urgency of sustainability concerns has intensified in recent years, sounding alarm bells over the planet's condition and prompting nearly every industry and practice to reassess their contributions to the climate crisis. Software engineering is not immune to this scrutiny. Software engineering practices significantly affect the environment and may not align with sustainability goals. Although sustainability is a relatively recent focus in software engineering, it has garnered increased attention, with numerous studies addressing various concerns and practices. Green software engineering aspires to develop dependable, enduring, and sustainable software that fulfills user requirements while minimizing environmental impacts. As this green paradigm gains traction in software engineering, practitioners must incorporate sustainability considerations into future software designs. However, despite the surge in green software engineering research, a universally accepted definition and framework remain elusive. This paper outlines green software engineering by explaining its principles, challenges, and methods for measuring and evaluating software effectiveness in this context.

EU Blockchain strategy acknowledges the disruptive ability of Blockchain technology for trustful data sharing that is based on the common European values of data protection and sustainability. Given the rapid growth of Blockchain application areas, there is a lack of skills supply and educational programs offered in the market that meet demand needs. The establishment of a blueprint that addresses the need for creating harmonized occupational profiles in Blockchain area is among Erasmus + CHAISE project’s goals. Based on both quantitative and qualitative research, this article elaborates on the necessary aspects that need to be incorporated for creating an EU-wide Blockchain blueprint. The need for a holistic skill perspective that bridges technological, managerial, and transversal skills, as well as the involvement of different actors from education, market and accreditation are crucial for the blueprint uptake at EU and national level.

Automotive and aviation systems are undergoing a radical shift in their software and hardware architectures, affecting the processes and communities used to design them. On a technical level, we see a trend towards integration of heterogeneous function domains on centralized computing platforms. On a process and collaboration level, this trend implies two things: First, heterogeneous communities of OEMs and suppliers on different tiers need to collaborate intensely to create innovative software-intensive products. Second, these communities need to be able to exchange development artifacts efficiently by means of open, model-based exchange formats. Even competing companies will have to collaborate in such heterogeneous communities. We illustrate the challenges of trustful, model-based information exchange in heterogeneous development communities that arise due to intellectual property protection concerns. We identify data security threats for collaborative, model-based engineering processes and suggest guidelines that support trustful information exchange between partners of a heterogeneous community.

This paper focuses on one of the current great challenges of electric vehicle technology, the implementation of a highly technical curriculum, especially under the COVID-19 restricted environment. The presented training program is designed to cater to the automotive market regarding basic electric vehicle skills for engineers. The most notable part of the training program is the blended teaching approach. The trainees attended typical online lectures being available in a synchronous and an asynchronous manner. Significant part of the training are the two teaching mobilities during which the students participate in technical experiments and work on projects based on Augmented Reality and developed on the principles of a project-based learning approach. The training is completed via a short industrial internship period. The paper elaborates lessons learnt from the piloting educational procedure and a thorough discussion on the sustainability of the program and its importance for the electric vehicle market.

Moving towards Circular Economy often implies designing Industrial Product-Service Systems (IPS²). For established products on the consumer market, the most obvious IPS² model to go for is Product-as-a-Service (PaaS), i.e., providing the product to consumers in a sort of leasing model. However, this move is generally confronted with huge challenges of customer acceptance. This research aims at establishing a method for determining design guidelines for the user-centric design of products, services, and business models for Product-as-a-Service (PaaS) systems. It seeks to provide determinants of consumers’ decisions regarding the acceptance and use of PaaS. In particular, it studies leasing options of white goods (washing machines, fridges, and kitchens) through a user-centric methodology through a customer acceptance survey. The results allowed an understanding of consumer expectations and desires for leasing and which socio-demographic factors, as well as product and service attributes influence or even determine PaaS acceptance.

The automotive-mobility ecosystem is ongoing rapid changes supporting the green and digital transition. This directly impacts all stakeholders, including companies, education and training providers, social partners, member states, and regions. The impact requires extensive collaboration on the skills agenda on all levels, to boost the skills intelligence, to know the trends and needed skills and job roles, and to provide relevant training and education courses. This paper provides an overview of the collaboration on skills agenda in the automotive-mobility ecosystem in the context of the Pact for Skills, the particular European project FLAMENCO and its current results [1].

Many of the current innovations in the automotive environment revolve around autonomous driving, digitalization, connectivity, AI, and new services in the context of mobility. These innovations are based on the collection and use of data. However, the handling of data often plays a subordinate, barely visible role in today’s development and operations processes, with corresponding risks. ASPICE as an industry-standard guideline for evaluating system and software development processes helps automotive suppliers incorporate best practices to identify defects earlier in development and ensure that OEM requirements are met. With the purpose of the creation of a process model for data management that is aligned with Automotive SPICE® 3.1 and other established standards in the industry, a draft version of the Data Management SPICE was initiated by the intacs group. In this work, we are going to provide improvement potential on the content of the pilot draft of Data Management SPICE assessment, based on our industrial and academic experience in the field of Automotive and Data Management. A first comparison between Camelot Data Management Strategy Assessment and Data Management SPICE Assessment is given. Based on expert’s knowledge proposals to improve the quality and the content areas of the Data Management SPICE Assessment before issuing the released version of the standard are shown.

To ensure safety, the machinery sector has to comply with the machinery directive. Recently, this directive has been not only revised to include requirements concerning other concerns e.g., safety-relevant cybersecurity and machine learning-based safety-relevant reliable self-evolving behaviour but also transformed into a regulation to avoid divergences in interpretation derived from transposition. To be able to seamlessly and continuously comply with the regulation by 2027, it is fundamental to establish a strategy for knowledge management, aimed at enabling traceability and variability management where chunks of conformity demonstration can be traced, included/excluded based on the machinery characteristics and ultimately queried in order to co-generate the technical evidence for compliance. Currently, no such strategy is available. In this paper, we contribute to the establishment of such a strategy. Specifically, we build our strategy on top of the notion of multi-concern assurance, variability modelling via feature diagrams, and ontology-based modelling. We illustrate our proposed strategy by considering the requirements for the risk management process for generic machineries, refined into sub-sector-specific requirements in the case of centrifugal pumps. We also briefly discuss about our findings and the relationship of our work with the SPI manifesto. Finally, we provide our concluding remarks and sketch future work.

Can we avoid the many minor misunderstandings that generate a lot of rework? Can new tools, and changing a few old habits, create more flow in the development work with a less annoying rework? - We have become used to the meetings and communications required to fix the misunderstandings between different stakeholders and the following rework. Increased number of stakeholders and complexity, in general, means that many projects are reporting a state of meeting suffocation where they are making unsatisfying little progress due to many meetings. One valuable principle that deals with the problem is “Corporate Memory” from Expectations Engineering, which will be briefly described, including the benefit it will bring. To demonstrate the principle in practice, this paper will show an implementation in the IS department of Grundfos. While this is a great example based on a software DevOps environment, it still serves as a general example for implementation in all other available settings.

The process of Requirements Elicitation (RE) demands from a software development team the need to communicate and engage with a variety of stakeholders, for numerous purposes regarding many aspects of the project. The aim is to translate the needs of the “customer” into accurate and actionable requirements. In this initial step of the software life cycle process several ethical challenges are invoked, which, if left unresolved, may lead to unintended consequences.

Computer Ethics focuses on the questions of right and wrong that arise from the development and deployment of computers. Thus, it urges that the ethical and social impact of computers must be analysed. The purpose of normative ethics is to scrutinise standards about the rightness and wrongness of actions, the goal being the identification of the true human good. A rational appeal can be made to normative ethical principles to arrive at a judicious, ethically justifiable judgement.

In software engineering, the Software Process Improvement (SPI) Manifesto was developed by groups of experts in the field, aimed to improve the software produced, through improving the process, the attitudes of software engineers, and the organisational culture and practices. In this position and constructive design research paper, we argue that software developers, in accordance with the SPI Manifesto aim of improving the software produced, address the ethical challenges invoked in the Requirements Elicitation process.

The steps taken in this paper are: First we report on the findings of a broad literature review of related research, which refers to the current challenges in RE. Second, we source from ethical theory, generic Deontological and Teleological ethical principles that can serve as normative guidelines for addressing the challenges identified in the initial step. Third, we prescribe a set of ethical rights and duties that must be exercised and fulfilled by software developers for them to exhibit ethical behaviour. Each of these suggested actions are substantiated via an appeal to one, or several normative guidelines, identified in the second step. By identifying and recommending a set of defensible ethical obligations that must be fulfilled in the RE process, software developers can fulfil their ethical duties and thus reduce the number of unintended consequences that plague Requirements Elicitation. Ultimately RE must be underpinned with ethical consideration.

A symptom is a feature which is regarded as indicating a condition or disease. For an organization a symptom may indicate a problematic condition. Based on 600 maturity CMMI assessments we identified 32 common symptoms across the organizations. We developed a web site with a survey instrument asking 44 companies whether they recognized the symptoms? Thus, from this survey we know which symptoms are common and which ones that rarely are perceived to be present. We then analyzed the symptoms using the Cognitive Maps techniques and identified consequences and root causes for each symptom. We also identified relationships between the symptoms and presented a map thereof. Further, we mapped the root causes from the cognitive maps to CMMI and the recommendations to improve. Finally, we discuss whether and how one can use the symptoms to make recommendations for improvements as a kind of “discount improvement model”. We conclude with an example of the intended use.

INTACS has developed and rolled out Automotive SPICE® for Cybersecurity Assessor training and developed training materials to prepare assessors to rate processes like SEC.1 – SEC.4 and MAN.7 Cybersecurity Risk Management. This requires from automotive projects a well-structured TARA (Cybersecurity Threat Analysis and Risk Assessment) and a basic understanding of automotive cybersecurity architectural frameworks to analyse cybersecurity scenarios and derive cybersecurity controls and requirements. This paper will outline the expectations from automotive projects and provide experiences from a first year of training and assessments on the market applying Automotive SPICE® for Cybersecurity. It will also give hints for how to create additional cybersecurity views in the system and software architecture.

With the rise of cyberattacks in the last years, cybersecurity is of high importance in the context of the automotive domain [10, 22]. As current cars are more connected and reliant on embedded system technologies, the need for security engineering has tremendously accelerated. While ISO/SAE 21434 is available as a security engineering standard for the domain, frameworks and tools for cybersecurity training and testing of concepts are scarce.

Automotive cybersecurity testbeds provide a specified and controlled environment for testing, evaluating, and learning cybersecurity solutions for vehicles, allowing researchers and engineers to be trained and upskill faster.

Therefore, this work focuses on an embedded automotive systems framework for cybersecurity testing. The presented framework simulates a CAN controller network and allows researchers and engineers to test attack vectors and mitigation methods in a simulated environment, providing also basic implementations for the most common attack types. The presented framework is extendable for training and testing purposes with series controllers and real-world demonstrators.

Today’s cyber-physical products are software-intense. That means that the software process is decisive for the ability of these products to learn and adapt behavior, but in turn also to physically harm humans or the environment. Because such systems learn, change their behavior, unlearn, and adapt to their environment makes not only testing a challenge, but also requirements engineering.

A new model for knowledge representation opens a possibility to make intelligent systems predictable at least for certain specific aspects. This in turn opens new challenges for identifying the areas where such predictability should precede over the adaptability that is protruding for intelligent systems.

Adapting the software process leads to Continuous Requirements Engineering as an extension to Continuous Integration/Continuous Deployment & Delivery and Autonomous Real-time Testing.

A modern car is like an IT network. Car makers became IP service providers, and each car has a gateway server with a fixed IP address. Gateway servers are connected to domain controllers and each domain controller has a subnet of ECUs. An ECU (Electronic Control Unit) represents an embedded system integrating electronics, sensors, software and actuators. Such an IT service and communication-based architectures makes the vehicle vulnerable to attacks from outside. The UN (United Nations) reacted on this situation and published the UN 155 regulation for Cybersecurity Management Systems and UN 156 for Software Update Management Systems for automotive. This paper discusses what assessments and audits the automotive industry has been implemented to address the requirements for UN155 and UN156 and illustrates recent research done to closer link the different types of assessments and audits for cybersecurity. These different types of assessments and audits can be supported by the tool Capability Advisor (CapAdv).

Cyberattacks targeting Cyber-Physical Systems (CPS) are becoming increasingly concerning since the well-known Stuxnet attack. These systems are mostly based on Programmable Logic Controllers (PLCs), which have low cybersecurity protection levels that make them vulnerable to the next generation of cyberattacks. Therefore, building resilience to such attacks through cybersecurity has become a significant concern for Industry 4.0. Due to the lack of published research papers on effective methods to train for cyberattacks on manufacturing systems, this experimental paper proposes a low-cost platform for cyberattack scenarios, to demonstrate some possibilities to attack CPS. Attacks on critical CPS assets may have severe consequences in the physical world (e.g. accidents). An experimental environment used to train students and operators in such attacks and related prevention and mitigation measures can be used to sensitize and train staff in CPS cyber-security related challenges and mitigation strategies. This paper proposes such an experimental setup, and some fundamental and accessible training scenarios.

As cybersecurity becomes an integral part of car homologation, the importance of cybersecurity skills in automotive project development teams becomes crucial. It is not just about the experts in automotive security themselves, but also about the whole system development team that needs to have the skills to be able to understand, cope with and make a cybersecurity integral part of the system. In this paper, we are giving an overview and experience of the content of training, the skill sets defined as the main needed skills/competence and knowledge of the automotive cybersecurity managers and engineers and present the pilot course implementation experience.