Christian Kreiner

SAHARA: a security-aware hazard and risk analysis method

Safety and Security are two seemingly contradictory system features, which have challenged researchers for decades. Traditionally, these two features have been treated separately, but due to the increasing knowledge about their mutual impacts, similarities, and interdisciplinary values, they have become more important. Because systems (such as Car2x in the automotive industry) are increasingly interlaced, it is no longer acceptable to assume that safety systems are immune to security risks. Future automotive systems will require appropriate systematic approaches that will support security-aware safety development. Therefore, this paper presents a combined approach of the automotive HARA (hazard analysis and risk assessment) approach with the security domain STRIDE approach, and outlines the impacts of security issues on safety concepts at system level. We present an approach to classify the probability of security threats, which can be used to determine the appropriate number of countermeasures that need to be considered. Furthermore, we analyze the impact of these security threats on the safety analysis of automotive systems. This paper additionally describes how such a method has been developed based on the HARA approach, and how the safety-critical contributions of successful security attacks can be quantified and processed.

Automotive Knowledge Alliance AQUA – Integrating Automotive SPICE, Six Sigma, and Functional Safety

This paper discusses (based on the EU project AQUA) how the core elements of three complementary approaches and standards can be integrated into one compact skill set with training and best practices to be applied. In this project experts from Automotive SPICE (ISO 15504), Functional Safety (ISO 26262) and Lean Six Sigma collaborate. In a first analysis the experts identified an architecture of core elements where all three approaches fit together and where a holistic view about improvement is needed. The Automotive Clusters from Austria and Slovenia are trial partners and will roll out this knowledge in pilot courses to the industry. Other Automotive Clusters showed interest and will join the trial phase.

The Entity Container - An Object-Oriented and Model-Driven Persistency Cache

Data persistency is a fundamental, but complex aspect of a modern software development process. Therefore, in order to reduce development costs and improve a systems quality, support for data persistency must be provided to common software paradigms, such as object-oriented programming or component based development. In this paper we present a new approach of an object persistency cache - the Entity Container (EC), based on a data model. The EC allows data and metadata management according to a data model independent of any specific persistency mechanism. We present the complete architecture, functionality and implementation of the system and compare our new approach with existing frameworks in order to point out features and major improvements of the EC.

Local components and reuse of legacy code in the CORBA component model

The CORBA component model (CCM) seemed to be a new powerful multi-language and multi-platform component development framework. First applications based on CCM have shown that there are some drawbacks in practical use. We present a new approach for the CCM component implementation which improves communication performance of components living in the same address space. At the same time we simplify the component development process and the reuse of legacy code within components. These extensions to CCM are possible without changing its specification.

A Computer-Aided Approach to Preliminary Hazard Analysis for Automotive Embedded Systems

Powertrain electrification of automobiles leads to a higher number of sensors, actuators and control functions, which in turn increases the complexity of automotive embedded systems. The safety-criticality of the system requires the application of Preliminary Hazard Analysis early in the development process. This is a necessary first step for the development of an automotive embedded system that is acceptably safe. Goal of this activity is the identification and classification of hazards and the definition of top level safety requirements that are the basis for designing a safety-critical embedded system that is able to control or mitigate the identified hazards. A computeraided framework to support Preliminary Hazard Analysis for automotive embedded systems is presented in this work. The contribution consists of (1) an enhancement for Preliminary Hazard Analysis to the domain-specific language EAST-ADL, as well as (2) the identification of properties that indicate the correct application of Preliminary Hazard Analysis using the language. These properties and an analysis model reflecting the results of the Preliminary Hazard Analysis are used for the automated detection of an erroneously applied Preliminary Hazard Analysis (property checker) and the automated suggestion and application of corrective measures (model corrector). The applicability of the approach is evaluated by the case study of hybrid electric vehicle development.

Managing ERP configuration variants: an experience report

The concepts of Software Product Line Engineering (SPLE) have been adapted and applied to enterprise IT systems, in particular the ERP systems of a production company. Based on a 2-layer feature model for the domain of the companys business processes, individual, albeit similar divisions ERP system configurations can be derived by feature selection forming a variant description model. It is indicated that regular release upgrades can also benefit from the SPLE approach. The customization capabilities of the ERP platform are captured in another model; building up this model is automated according to information extracted online. As well, customizing an ERP system -- based on the models mentioned - is performed online with the help of a connector developed in this project. Quantitative analysis and lessons learned during the project conclude this experience report.

Agility Meets Systems Engineering: A Catalogue of Success Factors from Industry Practice

Agile software development methods are widely accepted and valued in software-dominated industries. In more complex setups like multidisciplinary system development the adoption of an agile development paradigm is much less straightforward. Bigger teams, longer development cycles, process and product standard compliance and products lacking flexibility make an agile behaviour more difficult to achieve. Focusing on the fundamental underlying problem of dealing with ever ongoing change, this paper presents an agile Systems Engineering approach as a potential solution. Therefore a generic Systems Engineering action model was upgraded respecting agile principles and adapted according to practical needs discovered in an empirical study. This study was conducted among the partners of the S2QI agile workgroup made up from experts of automotive, logistics and electronics industries. Additionally to an agile Systems Engineering action model, a list of 15 practical success factors that should be considered when using an agile Systems Engineering approach is one of the main outcomes of this survey. It was also found that an agile behaviour in Systems Engineering could be supported in many different areas within companies. These areas are listed and it is also shown how the agile action model and the agile success factors are related to them.

A Virtual Fault Injection Framework for Reliability-Aware Software Development

Ever more dependable embedded systems are built with commercial off-the-shelf hardware components that are not intended for highly reliable applications. Consequently, software-based fault tolerance techniques have to maintain a safe operation despite underlying hardware faults. In order to efficiently develop fault tolerant software, fault injection is needed in early development stages. However, common fault injection approaches require manufactured products or detailed hardware models. Thus, these techniques are typically not applicable if software and hardware providers are separate vendors. Additionally, the rise of third-party OTS software components limits the means to inject faults. In this paper, we present a virtual fault injection framework that simulates safety-standard aligned fault models and supports OTS software components as well as widely-used embedded processors such as ARM cores. Additionally, we show how to integrate the framework into various software development stages. Finally, we illustrate the practicability of the approach by exemplifying the integration of the framework in the development of an industrial safety-critical system.

Computer-aided PHA, FTA and FMEA for automotive embedded systems

The shift of the automotive industry towards powertrain electrification introduces new automotive sensors, actuators and functions that lead to an increasing complexity of automotive embedded systems. The safety-criticality of these systems demands the application of analysis techniques such as PHA (Preliminary Hazard Analysis), FTA (Fault Tree Analysis) and FMEA (Failure Modes and Effects Analysis) in the development process. The early application of PHA allows to identify and classify hazards and to define top-level safety requirements. Building on this, the application of FTA and FMEA supports the verification of a system architecture defining an embedded system together with connected sensors and controlled actuators. This work presents a modeling framework with automated analysis and synthesis capabilities that supports a safety engineering workflow using the domain-specific language EAST-ADL. The contribution of this work is (1) the definition of properties that indicate the correct application of the workflow using the language. The properties and a model integrating the work products of the workflow are used for the automated detection of errors (property checker) and the automated suggestion and application of corrective measures (model corrector). Furthermore, (2) fault trees and a FMEA table can be automatically synthesized from the same model. The applicability of this computer-aided and tightly integrated approach is evaluated using the case study of a hybrid electric vehicle development.

A Combined Safety-Hazards and Security-Threat Analysis Method for Automotive Systems

Safety and Security appear to be two contradicting overall system features. Traditionally, these two features have been treated separately, but due to increasing awareness of mutual impacts, cross domain knowledge becomes more important. Due to the increasing interlacing of automotive systems with networks (such as Car2X), it is no longer acceptable to assume that safety-critical systems are immune to security risks and vice versa.