Barbara Gallina

A Model-Driven Safety Certification Method for Process Compliance

A safety case is a contextualized structured argument constituted of process and product-based sub-arguments to show that a system is acceptably safe. The creation of a safety case is an extremely time-consuming and costly activity needed for certification purposes. To reduce time and cost, reuse as well as automatic generation possibilities represent urgent research directions. In this paper, we focus on safety processes mandated by prescriptive standards and we identify process-related structures from which process-based arguments (those aimed at showing that a required development process has been applied according to the standard) can be generated and more easily reused. Then, we propose a model-driven safety certification method to derive those arguments as goal structures given in Goal Structuring Notation from process models given in compliance with Software Process Engineering Meta-model 2.0. The method is illustrated by generating process-based arguments in the context of ISO 26262.

Modeling a Safety- and Automotive-Oriented Process Line to Enable Reuse and Flexible Process Derivation

ISO 26262 is a recently introduced automotive functional safety standard. This standard imposes new requirements that must be fulfilled for conformance purposes. Thus, companies used to develop safety-related E/E systems in compliance with either only Automotive SPICE (ASPICE) or a combination of ASPICE and IEC 61508 have to quickly perform a gap analysis in order to introduce adequate changes in their way of working. Implementing such changes in a visionary way with expectations of a long-term payback is an urgent open issue. To contribute to addressing such issue, in this paper, we introduce a safety-oriented process line-based methodological framework to model commonalities and variabilities (changes) between the standards to enable reuse and flexible process derivation. To show the usefulness of our approach, we apply it to model a process-phase line for the development of safety-critical control units. Finally, we provide our lessons learned and concluding remarks.

Towards a Safety-Oriented Process Line for Enabling Reuse in Safety Critical Systems Development and Certification

Safety standards define development processes by indicating the set of partially ordered tasks that have to be executed to achieve acceptably safe systems. Process compliance constitutes a fundamental ingredient in safety argumentation for certification purposes. Certification is a very expensive, time-consuming and quality demanding activity. To increase quality and reduce time and cost, reuse-based approaches are being investigated. In this paper, we adopt process line approach in the framework of safety processes. This means that we treat a family of processes as a product line, and we identify commonalities and variabilities between them. The resulting information guides developers in reusing parts of the process, the system and safety case, e.g. which parts to make more generic, isolating changes in others to avoid ripple effects etc.

Industrial Experiences of Building a Safety Case in Compliance with ISO 26262

The ISO 26262 functional safety standard provides appropriate development processes, requirements and safety integrity levels specific for the automotive domain. One crucial requirement consists of the creation of a safety case, a structured argument, which inter-relates evidence and claims, needed to show that safety-critical systems are acceptably safe. The standard is currently not mandatory to be applied to safety critical systems installed in heavy trucks, however, this is likely to be changed by 2016. This paper describes the experience gathered by applying the standard to the Fuel Level Estimation and Display System, a subsystem that together with other subsystems plays a significant role in terms of global system safety for heavy trucks manufactured by Scania. More specifically, exploratory and laborious work related to the creation of a safety case in compliance with ISO 26262 in an inexperienced industrial setting is described, and the paper ends with presenting some lessons learned together with guidelines to facilitate the adoption of ISO 26262.

Generation of Safety Case Argument-Fragments from Safety Contracts

Composable safety certification envisions reuse of safety case argument-fragments together with safety-relevant components in order to reduce the cost and time needed to achieve certification. The argument-fragments could cover safety aspects relevant for different contexts in which the component can be used. Creating argument-fragments for the out-of-context components is time-consuming and currently no satisfying approach exists to facilitate their automatic generation. In this paper we propose an approach based on (semi-)automatic generation of argument-fragments from assumption/guarantee safety contracts. We use the contracts to capture the safety claims related to the component, including supporting evidence. We provide an overview of the argument-fragment architecture and rules for automatic generation, including their application in an illustrative example. The proposed approach enables safety engineers to focus on increasing the confidence in the knowledge about the system, rather than documenting a safety case.

FI4FA: A Formalism for Incompletion, Inconsistency, Interference and Impermanence Failures' Analysis

To architect dependable distributed component-based, transactional systems, failures as well as their mitigation behaviors must be analyzed. Analysis helps in planning if, where and which mitigation means are needed to increase quality, by reducing the failures that threaten the systems dependability. Fault Propagation and Transformation Calculus (FPTC) is a technique for automatically calculating the failure behavior of the entire system from the failure behavior of its components [1]. FPTC, however, considers few failure types and offers no support to analyse the mitigation behaviour. To overcome these limitations and support the mitigations planning, we introduce a new formalism, called FI4FA. FI4FA focuses on failures avoidable through transaction-based mitigations. FI4FA extends FPTC by enabling the analysis of I4 (incompletion, inconsistency, interference and impermanence) failures as well as the analysis of the mitigations, needed to guarantee completion, consistency, isolation and durability. We also illustrate the usage of FI4FA on a set of examples.

Enabling Cross-Domain Reuse of Tool Qualification Certification Artefacts

The development and verification of safety-critical systems increasingly relies on the use of tools which automate/replace/ supplement complex verification and/or development tasks. The safety of such systems risks to be compromised, if the tools fail. To mitigate this risk, safety standards (e.g. DO-178C/DO330, IEC 61508) define prescriptive tool qualification processes. Compliance with these processes can be required for (re-)certification purposes. To enable reuse and thus reduce time and cost related to certification, cross-domain tool manufacturers need to understand what varies and what remains in common when transiting from one domain to another. To ease reuse, in this paper we focus on verification tools and model a cross-domain tool qualification process line. Finally, we discuss how reusable cross-domain process-based arguments can be obtained.

S-TunExSPEM: Towards an Extension of SPEM 2.0 to Model and Exchange Tunable Safety-Oriented Processes

Prescriptive process-based safety standards (e.g. EN 50128, DO-178B, etc.) incorporate best practices to be adopted to develop safety-critical systems or software. In some domains, compliance with the standards is required to get the certificate from the certification authorities. Thus, a well-defined interpretation of the processes to be adopted is essential for certification purposes. Currently, no satisfying means allows process engineers and safety managers to model and exchange safety-oriented processes. To overcome this limitation, this paper proposes S-TunExSPEM, an extension of Software & Systems Process Engineering Meta- Model 2.0 (SPEM 2.0) to allow users to specify safety-oriented processes for the development of safety-critical systems in the context of safety standards according to the required safety level. Moreover, to enable exchange for simulation, monitoring, execution purposes, S-TunExSPEM concepts are mapped onto XML Process Definition Language 2.2 (XPDL 2.2) concepts. Finally, a case-study from the avionics domain illustrates the usage and effectiveness of the proposed extension.

A Method to Generate Reusable Safety Case Argument-Fragments from Compositional Safety Analysis

Safety-critical systems usually need to be accompanied by an explained and well-founded body of evidence to show that the system is acceptably safe. While reuse within such systems covers mainly code, reusing accompanying safety artefacts is limited due to a wide range of context dependencies that need to be satisfied for safety evidence to be valid in a different context. Currently the most commonly used approaches that facilitate reuse lack support for reuse of safety artefacts.

Strong and weak contract formalism for third-party component reuse

Our aim is to contribute to bridging the gap between the justified need from industry to reuse third-party components and skepticism of the safety community in integrating and reusing components developed without real knowledge of the system context. We have developed a notion of safety contract that will help to capture safety-related information for supporting the reuse of software components in and across safety-critical systems. In this paper we present our extension of the contract formalism for specifying strong and weak assumption/guarantee contracts for out-of-context reusable components. We elaborate on notion of satisfaction, including refinement, dominance and composition check. To show the usage and the expressiveness of our extended formalism, we specify strong and weak safety contracts related to a wheel braking system.