Integrated Systems and Safety Engineering Towards Meaningful Assurance Cases

Similar documents
A Model-Based Reference Workflow for the Development of Safety-Critical Software

Siemens Rail Automation Embedding Innovation: A Case Study. Introduction of Mathematical Verification techniques to Railway Interlockings

The WW Technology Group

CS 313 High Integrity Systems/ CS M13 Critical Systems

CSC313 High Integrity Systems/CSCM13 Critical Systems CSC313 High Integrity Systems/ CSCM13 Critical Systems

11th International Workshop on the Application of FPGAs in Nuclear Power Plants

Deterministic Modeling and Qualifiable Ada Code Generation for Safety-Critical Projects

Research on software systems dependability at the OECD Halden Reactor Project

IEC Functional Safety Assessment

Inside! icteam, a confluence of parallels. - Jyothi G Shivashankar (Robert Bosch Engineering and Business Solutions) Eclipsecon 2013

IEC Functional Safety Assessment

Compliance driven Integrated circuit development based on ISO26262

Interlocking Design Automation. The Process

ida Certification Services IEC Functional Safety Assessment Project: Series 327 Solenoid Valves Customer: ASCO Numatics

Results of the IEC Functional Safety Assessment

Architecture-led Incremental System Assurance (ALISA) Demonstration

Using Safety Contracts to Verify Design Assumptions During Runtime

Functional Safety Implications for Development Infrastructures

IEC Functional Safety Assessment

Testability of Dynamic

DO-178B 김영승 이선아

Safety inside! ensured with technology

Safety cannot rely on testing

ida Certification Services IEC Functional Safety Assessment Project: Series 8314, 8316, and Way/2 Position Solenoid Valves Customer:

CLEARSY PRODUCTS AND SERVICES SAFETY SYSTEMS SAFETY SOFTWARE CLEARSY OFFER RAILWAY PRODUCTS AND SERVICES

Software verification services for aerospace. »» Unit and integration testing. »» Timing analysis and optimization»» System and acceptance testing

version NDIA CMMI Conf 3.5 SE Tutorial RE - 1

A Formal Approach in the Implementation of a Safety System for Automatic Control of Platform Doors

Using an IEC Certified RTOS Kernel for Safety-Critical Systems

IBM Continuous Engineering augmenting PLM with ALM and Systems Engineering

Traceability in Model-Driven Engineering of Safety-Critical Systems

Frontload the design, V&V and certification of software-intensive mechatronic systems by adopting the Digital Twin approach

AMASS. Architecture-driven, Multi-concern and Seamless Assurance and

A Cost-effective Methodology for Achieving ISO26262 Software Compliance. Mark Pitchford

THE CHALLENGE OF ISO FOR COMPLEX SOFTWARE MODELS Oliver Collmann

Automotive Systems Engineering und Functional Safety: The Way Forward

REQUIREMENTS FOR SAFETY RELATED SOFTWARE IN DEFENCE EQUIPMENT PART 1: REQUIREMENTS

Implementation of requirements from ISO in the development of E/E components and systems

FUNCTIONAL SAFETY CERTIFICATE. IQT3 Actuator manufactured by

Supporting Safety Evaluation Process using AADL

Integrating Functional Safety with ARM. November, 2015 Lifeng Geng, Embedded Marketing Manager

Monday, July 26, 2010, Minutes Same room: Please be about 10 minutes early!

IEC Functional Safety Assessment

FUNCTIONAL SAFETY CERTIFICATE

System-level Co-simulation of Integrated Avionics Using Polychrony durch Klicken bearbeiten

Model-Based Design for ISO Applications. April 2010

TOPIC DESCRIPTION SUPPLEMENT for the SYSTEMS ENGINEERING SURVEY DESCRIPTION

MODPROD 2017, Linköping February 8, 2017

Brochure. About. Tools. Services. Where can we help? Our approach Why choose Rapita?

Software Safety Assurance What Is Sufficient?

Verifying and Validating Software in a Regulated Environment

Brochure Services. About. Tools. »» Where can we help? »» Unit/system testing. »» Multicore timing services»» Our approach

Challenges in Automotive Software Development --- Running on Big Software

WORK PLAN AND IV&V METHODOLOGY Information Technology - Independent Verification and Validation RFP No IVV-B

Overview of the 2nd Edition of ISO 26262: Functional Safety Road Vehicles

Certification of Safety-Critical Software Under DO-178C and DO-278A

Functional Safety: ISO26262

EUROCONTROL Guidance Material for Approach Path Monitor Appendix B-2: Generic Safety Plan for APM Implementation

FUNDAMENTAL SAFETY OVERVIEW VOLUME 2: DESIGN AND SAFETY CHAPTER G: INSTRUMENTATION AND CONTROL

CIS 890: High-Assurance Systems

Validation, Verification and MER Case Study

FUNCTIONAL SAFETY CERTIFICATE. IQ3 Valve Actuator manufactured by

MOVEP 2012 Tutorial Safety, Dependability and Performance Analysis of Extended AADL Models

Software Quality. A Definition of Quality. Definition of Software Quality. Definition of Implicit Requirements

Magillem. X-Spec. For embedded Software and Software-driven verification teams

BCS THE CHARTERED INSTITUTE FOR IT. BCS HIGHER EDUCATION QUALIFICATIONS BCS Level 6 Professional Graduate Diploma in IT SOFTWARE ENGINEERING 2

{Irfan.sljivo, Barbara.Gallina, Jan.Carlson,

Functional Safety with ISO Principles and Practice Dr. Christof Ebert, Dr. Arnulf Braatz Vector Consulting Services

CSE 435 Software Engineering. Sept 14, 2015

Brief Summary of Last Lecture. Model checking of timed automata: general approach

Brochure Services. About. Tools. »» Where can we help? »» Unit/system testing. »» Software verification services»» Our approach

A Cost-Effective Model-Based Approach for Developing ISO Compliant Automotive Safety Related Applications

Introduction to Simulink & Stateflow

AMASS. Architecture-driven, Multi-concern and Seamless Assurance and Certification of Cyber-Physical Systems

IBM Rational Systems Developer, Version 7.0

Supply Chain MICROSOFT BUSINESS SOLUTIONS DEMAND PLANNER

Measuring and Assessing Software Quality

Changing the way the world thinks about software systems

An integrated System Development Approach for Mobile Machinery in consistence with Functional Safety Requirements

Integrating Machine Safety for OEMs and Manufacturers

Technical report. Type testing

The software process

Brochure Services. About. Tools. »» Where can we help? »» Unit/system testing. »» Software verification services»» Our approach

Work Plan and IV&V Methodology

AIRBORNE SOFTWARE VERIFICATION FRAMEWORK AIMED AT AIRWORTHINESS

The System Verification Manager (SVM)

CMMI-DEV V1.3 CMMI for Development Version 1.3 Quick Reference Guide

Model-based Development of Safety Critical Software: Opportunities and Challenges

SERIES 92/93 SAFETY MANUAL PNEUMATIC ACTUATOR. The High Performance Company

Brochure Services. About. Tools. » Where can we help? » Unit/system testing. » Software verification services» Our approach

Results of the IEC Functional Safety Assessment. ABB, Inc. Baton Rouge, LA USA

Report. Certificate Z F-CM AS-i Safety for SIMATIC ET 200SP

INSIGHTS. Demand Planner for Microsoft Dynamics. Product Overview. Date: November,

Juha Halminen Teollisuuden Voima Oy Olkiluoto, Finland. Lic. Tech. Risto Nevalainen Finnish Software Measurement Association ry FiSMA Espoo, Finland

Business Process Management

Introducing Capital HarnessXC The Newest Member of the CHS Family

The Road from Software Testing to Theorem Proving

Management of Functional Safety

Validation, Verification and MER Case Study

Open Core Engineering Freedom and efficiency redefined

Transcription:

Integrated Systems and Safety Engineering Towards Meaningful Assurance Cases Carmen Cârlan Harald Ruess Sebastian Voss Supported by D-MILS (d-mils.org) fortiss GmbH An-Institut Technische Universität München

Assurance Cases State-of-the-Practice (I) Implicit assurance/safety cases are mainly supported by standardmandated evidence (i.e. IEC 61508, ISO26262, DO178C) Checkmark-based approach to safety engineering is encouraged, since the role/purpose of standard-mandated evidence often remains unclear Example: Section B.30 of the IEC 61508 recommends the use of formal methods for example CCS, CSP, HOL, LOTOS, OBJ, VDM, Z, B for SIL2 and beyond; and highly recommended for SIL4). These phrases were copied into the tender document for a drive-by-wire development, and relegated to a TIER2 supplier of a wheel angle sensor Tailoring according to the specific safety-needs of the product difficult: unclear how to be best use avilable resources for increased assurance; also considerable impact on development costs Not all design decisions necessarily explicated, as current certification regimes focus on traceability 2

Assurance Cases State-of-the-Practice (II) Explicit assurance cases (goals, arguments, evidence) not state-of-thepractice for developing safety-critical systems Assurance cases with the purpose of certification, but not wellintegrated into product design and development Sometimes considered to be an extra document, if not extraneous from the point-of-view of the design team and the safety team. What other uses are there for an assurance case? 3

Assurance Cases State-of-the-Practice (III) SUCCESFUL DELIVERY SUCCESFUL CERTIFICATION Developing a working system, which complies with the client s requirements Systems & Software Engineers Safety Engineers Convincing regulators that the system is safe in the given context 4

Our Approach Integrated Model-Based Development of Product and Assurance Case Synchronization by means of Transformations Systems & Software Engineers Safety engineers I. Model-based development approach with integrating views for a modular construction systems; II. Modular construction and argumentation principles within these views, based on safety standards; III. High-level design decisions and their documentation by means of safety case patterns. 5

Model-based Development AF3 Framework Supports concept phase and product development at system, hardware and software Level Explicates allocations and refinements between different abstractions Provides modular, hierarchic concept for networks of components Can be simulated and formally verified Supports automated verification (e.g., contracts) Supports automated generation (e.g., test cases, code, platform configurations, schedules) Requirements Logical Architecture Deployment Technical Architecture 6

GSN-based Assurance Cases in AF3 The Argument Structure View GSN model elements 7

Modular Assurance Case Patterns Library of Assurance case patterns Pattern instantiation provides references in assurance cases to corresponding system artefacts as the basis for integrated views for the design of a system and the argumentation about its functional safety 8

Integrated Development of System and Assurance Case Requirements High-Level Assurance Argument Component Architecture Deployment Synchronization by means of M2M Transformation Software-related Assurance Argument Deployment-related assurance argument Technical Architecture System Design Artefacts Hardware-related Assurance Argument Modular System Safety Case 9 [VCST15] S. Voss, C. Cârlan, B. Schätz, T. Kelly, Safety Case Driven Model-Based Systems Construction, EITEC, CPS Week, April 2015, Seattle.

Example 1 Deciding on Appropriate Architectural Design Requirements High-Level Assurance Argument Component Architecture Software-related Assurance Argument Deployment Deployment-related assurance argument 10 Technical Architecture System Design Artefacts Hardware-related Assurance Argument Modular System Assurance Case

Example 2 Architectural Refinement by Means of TMR Transformation Requirements Component Architecture Deployment Technical Architecture System Design Artifacts 11 High-Level Assurance Argument Software-related Assurance Argument Deployment-related assurance argument Hardware-related Assurance Argument Modular System Safety Case

Example 3 MILS Architectural Assurance Case Pattern Autofocus Model Simulink Model Security Analysis Safety Analysis Performance Analysis C Code Autocode C Code Autocode Ada Code Architectural Refinement MILS AADL MILS AADL MILS AADL Implements/ Satisfies App A Level B Classified App B Level C Unclassified Configurations / Schedules / Communication Routes App C Level A Top Secret Node1 Node2 Node3 A C B MILS Platform Configuration Compiler D-MLS Technical Platform 12

Example 3 MILS Architectural Assurance Case Pattern (II) SuC satisfies security/safety goals MILS Architectural Strategy Architectural description (in MILS- AADL) satisfies security/safety goals (in LTL) Correctness of Architectural Refinement Application Code satisfies / implements architectural constraints Architectural information flow policy implemented correctly on technical platform AND OR AND Model Checking 13 Safety & Security goals preserved under architectural refinement Architectural Transformations respect refinement relation Testing Once and forall Formal Verification Run-time wrapper Application-Specific MILS Platform Configuration Compiler formally verifed MILS Platform configuration as generated by the MILS Platform configuration compiler exactly implements architectural information flow policy OR Isomorphism between configuration & architectural information flow Technical Platform under consideration satisfies MILS SKPP (including isolation, flow control policy, determinism) Technical platform is verified to satisfy SKPP

Example 4 Certifying Model Checker For Building Assurance Cases Model Checkers (MC) usually only output counterexamples on failed proof attempts. Counterexamples have been used to construct FTA and FMEA in an automated fashion. Certifying MC produce independably checkable certificate Certifying MC for mu-calculus (including CTL, CTL*, LTL, ) with winning strategies for corresponding games as certificates [HNR15] Certificates may be computed for both safety and liveness properties from MC Winning strategies are checkable in low polynomial time Winning strategies may be used to scrutinise safety arguments a la interactive proofs Challenger suggests a move, to which Prover responds with a move according to strategy, and so on, [HNR15] M. Hofmann, C. Neukirchen, H. Rueß, Certification for mu-calculus with winning strategies, submitted to ICTAC 2015. 14

Integrated System and Assurance Case Development Potential Benefits Assurance cases decompose along vertical and horizontal structure of system design artefacts Assurance case may guide safe and efficient system development Architecture-centric approach provides opportunity for high-level assurance patterns (e.g. MILS) for reducing the effort of building up safety cases Certifying model checkers for automatically generating formally checkable evidence in assurance cases Assurance case may extend, and even replace, the traditional syntactic tracing ( depends-on ) with a semantic tracing ( why? ) capability System may safely (self-) evolve/adapt within the limits of the capability of adapting corresponding safety case(s) 15

Conclusions Presented first steps towards realizing integrated system development and its corresponding safety case in the AF3 model-based framework Approach needs to be formalized with the goal of having M2M transformations and also deployment formally verified (e.g. PVS) More complete catalogue of transformations (e.g. architectural refinement by means of fault-tolerance patterns) needed Refine MILS architecture-specific assurance case patterns and implement as transforimation in AF3 Approach needs to be validated by means of realistic case studies 16

AF3 Try it out! Eclipse Public License af3.fortiss.org 17

how much better will it be to bring under mathematical laws human reasoning, which is the most excellent and useful thing we have. (Leibniz) Harald Ruess ruess@fortiss.org fortiss GmbH An-Institut Technische Universität München Guerickestraße 25 80805 München Germany tel +49 89 3603522 33 fax +49 89 3603522 50 www.fortiss.org 18

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback