Eckard Böde

Compositional Performability Evaluation for STATEMATE

This paper reports on our efforts to link an industrial state-of-the-art modelling tool to academic state-of-the-art analysis algorithms. In a nutshell, we enable timed reachability analysis of uniform continuous-time Markov decision processes, which are generated from STATEMATE models. We give a detailed explanation of several construction, transformation, reduction, and analysis steps required to make this possible. The entire tool flow has been implemented, and it is applied to a nontrivial example

Model Based Importance Analysis for Minimal Cut Sets

We show how fault injection together with recent advances in stochastic model checking can be combined to form a crucial ingredient for improving quantitative safety analysis. Based on standard design notations (Statecharts) annotated with fault occurrence distributions we compute to what extent certain fault configurations contribute to the probability of reaching a safety-critical state.

Towards a unified model-based safety assessment

The increase of complexity in aircraft systems demands for enhanced analysis techniques. Methods are required that leverage the burden of their application by reusing existing design and process information and by enforcing the reusability of analyses results allowing early identification of designs weak points and check of design alternatives.This report elaborates on a method that assumes a system specification in an industrial standard notation and allows to perform several formal safety analyses. Based on a collection of failure models and means of specifying safety requirements, the techniques produce results along the lines of traditional methods. We show how to combine traditional techniques, required by the AerospaceRecommendedPractice (SAE-ARP) standards, likeFaultTree Analysis, Failure Mode and Effect Analysis and Common Cause Analysis and also how to automate most of the analysis activities. The methods described in this paper can be used as means to support the Certification process.

Contract-Based Design of Embedded Systems Integrating Nominal Behavior and Safety

The distributed design process for safety-critical embedded systems has become an increasingly difficult challenge: Electronic Control Units (ECUs) in vehicles, for instance, participate in many vehicle functions, while each vehicle function, in turn, is spread across several ECUs. Many suppliers participate in systems design and many partial functions are reused from past projects, not always knowing the assumptions at the time of their development. In particular, efficient allocation of safety mechanisms and a sound safety case are difficult tasks for original equipment manufacturers (OEMs). Contract-based development has gained popularity as an approach for supporting distributed development by explicitly annotating assumptions and guarantees to components, but an integrated process covering specification of nominal behavior and safety has not been described so far. We present such an integrated development approach that encompasses the systematic breakdown of nominal system behavior using contracts, the consistent derivation of safety analysis by interpreting several types of contract violations as a specification for failure modes, and the subsequent integration of safety mechanisms that cover these failure modes through safety contracts. The approach equally fits hardware and software and is therefore applicable on the system level. We demonstrate it by an electric drive example. The extensibility of our approach towards Cyber Physical Systems, which compose themselves at runtime, is briefly outlined at the end of the article.

Model-Based Risk Assessment Supporting Development of HSE Plans for Safe Offshore Operations

The commercial installation of offshore wind farms is still far from having established standards or procedures and puts high demands on employees who deal with uncertainty and risks. We present a model-based risk assessment approach to support the development of health, safety, and environment (HSE) plans for safe offshore operations. For this purpose, a process model is used to integrate all aspects of these complex and safety-critical operations which involve many different actors, resources, and environmental conditions. On the basis of this model, we are able to identify and precisely describe hazards, quantify their safety impact, and develop risk mitigation means. To this end, we developed methods and tools to support this process, resulting in a formalization of hazardous events that can be used to unambiguously describe the risks of a given offshore operation model. We will demonstrate the feasibility of our approach on a specific offshore scenario.

Adding Value to Automotive Models

We report on how implementing a Model Based Automotive SW Engineering Process in an industrial setting can ensure the correctness of automotive applications when a process based on formal models is used. We show how formal methods, in particular model checking, can be used to ensure consistency of the models and can prove that the models satisfy selected functional and safety requirements. The technique can also be used to automatically generate test vectors from the model. Hence we show how in many ways formal verification techniques can add value to the models used for different purposes in developing automotive applications.

Proving Compliance of Implementation Models to Safety Specifications

Current safety standards like the ISO 26262 require a continuous safety argumentation starting from the initial hazard and risk assessment, down to the implementation of hardware and software. To enable re-use of components and ease handling of changes in the system, modular safety cases are addressed by many research projects. Current approaches are focusing on hierarchical safety specifications describing the relevant fault propagation behavior. Nevertheless, it needs to be ensured that the final implementation meets the safety specification. Currently, this is at most a manual and error prone process of matching fault trees or test results to the specification. In this paper, we present an automated approach based on fault-injection and model checking for proving the compliance of an implementation to a safety specification. In our multi-aspect analysis, (safety and functional aspect) we rely on the popular specification mechanism of safety contracts and implementations modeled in Matlab/Stateflow.

A method for guided hazard identification and risk mitigation for offshore operations

One of the effects of the radically changing energy market is that more and more offshore wind turbines are being constructed. To meet the increasing demand for renewable energy, many new companies with different levels of experience are entering the market. As the construction and maintenance of large offshore wind farms is a complex task, safety aspects of these operations are of crucial importance to avoid accidents. To this end, we introduce a method that assists in (1) identifying and precisely describing hazards of a scenario of an offshore operation, (2) quantifying their safety impact, and (3) developing risk mitigation means. Based on a guided hazard identification process, a formalization of hazardous scenarios will be proposed that unambiguously describes the risks of a given offshore operation. We will demonstrate the feasibility of our approach on a specific offshore scenario.

Expressing Best Practices in (Risk) Analysis and Testing of Safety-Critical Systems Using Patterns

The continuing pervasion of our society with safety-critical cyber-physical systems not only demands for adequate (risk) analysis, testing and verification techniques, it also generates growing experience on their use, which can be considered as important as the tools themselves for their efficient use. This paper introduces workflow patterns to describe such best practices in a systematic way that efficiently represents this knowledge, and also provides a way to relate different patterns, making them easier to identify and use, and cover as wide a range of experiences as possible. The value of the approach is demonstrated using some pattern examples from a collection developed in the Artemis-project MBAT. Finally, the paper presents a wiki-based approach for developing and maintaining the pattern collection.

Efficient Splitting of Test and Simulation Cases for the Verification of Highly Automated Driving Functions

We address the question of feasibility of tests to verify highly automated driving functions by optimizing the trade-off between virtual tests for verifying safety properties and physical tests for validating the models used for such verification. We follow a quantitative approach based on a probabilistic treatment of the different quantities in question. That is, we quantify the accuracy of a model in terms of its probabilistic prediction ability. Similarly, we quantify the compliance of a system with its requirements in terms of the probability of satisfying these requirements. Depending on the costs of an individual virtual and physical test we are then able to calculate an optimal trade-off between physical and virtual tests, yet guaranteeing a probability of satisfying all requirements.