Fredrik Törner
Volvo
Publication
Featured researches published by Fredrik Törner.
international conference on computer safety reliability and security | 2008
DeJiu Chen; Rolf Johansson; Henrik Lönn; Yiannis Papadopoulos; Anders Sandberg; Fredrik Törner; Martin Törngren
This paper describes and demonstrates an approach that promises to bridge the gap between model-based systems engineering and the safety process of automotive embedded systems. The basis for this is the integration of safety analysis techniques, a method for developing and managing Safety Cases, and a systematic approach to model-based engineering --- the EAST-ADL2 architecture description language. Three areas are highlighted: (1) System model development on different levels of abstraction. This enables fulfilling many requirements on software development as specified by ISO-CD-26262; (2) Safety Case development in close connection to the system model; (3) Analysis of mal-functional behaviour that may cause hazards, by modelling of errors and error propagation in a (complex and hierarchical) system model.
Journal of Systems and Software | 2014
Rakesh Rana; Miroslaw Staron; Christian Berger; Jörgen Hansson; Martin Nilsson; Fredrik Törner; Wilhelm Meding; Christoffer Höglund
8 software reliability growth models are evaluated on 11 large projects. Logistic and Gompertz models have the best fit and asymptote predictions. Using growth rate from earlier projects improves asymptote prediction accuracy. Trend analysis allows choosing the best shape of the model at 50% of project time. During software development two important decisions organizations have to make are: how to allocate testing resources optimally and when the software is ready for release. SRGMs (software reliability growth models) provide empirical basis for evaluating and predicting reliability of software systems. When using SRGMs for the purpose of optimizing testing resource allocation, the model's ability to accurately predict the expected defect inflow profile is useful. For assessing release readiness, the asymptote accuracy is the most important attribute. Although more than a hundred models for software reliability have been proposed and evaluated over time, there exists no clear guide on which models should be used for a given software development process or for a given industrial domain. Using defect inflow profiles from large software projects from Ericsson, Volvo Car Corporation and Saab, we evaluate commonly used SRGMs for their ability to provide empirical basis for making these decisions. We also demonstrate that using defect intensity growth rate from earlier projects increases the accuracy of the predictions. Our results show that Logistic and Gompertz models are the most accurate models; we further observe that classifying a given project based on its expected shape of defect inflow helps to select the most appropriate model.
international symposium on software reliability engineering | 2013
Rakesh Rana; Miroslaw Staron; Christian Berger; Jörgen Hansson; Martin Nilsson; Fredrik Törner
Software is today an integral part of providing improved functionality and innovative features in the automotive industry. Safety and reliability are important requirements for automotive software and software testing is still the main source of ensuring dependability of the software artifacts. Software Reliability Growth Models (SRGMs) have been long used to assess the reliability of software systems; they are also used for predicting the defect inflow in order to allocate maintenance resources. Although a number of models have been proposed and evaluated, much of the assessment of their predictive ability is studied for short term (e.g. last 10% of data). But in practice (in industry) the usefulness of SRGMs with respect to optimal resource allocation depends heavily on the long term predictive power of SRGMs i.e. much before the project is close to completion. The ability to reasonably predict the expected defect inflow provides important insight that can help project and quality managers to take necessary actions related to testing resource allocation on time to ensure high quality software at the release. In this paper we evaluate the long-term predictive power of commonly used SRGMs on four software projects from the automotive sector. The results indicate that Gompertz and Logistic models perform best among the tested models on all fit criteria as well as on predictive power, although these models are not reliable for long-term prediction with partial data.
international symposium on software reliability engineering | 2012
Niklas Mellegård; Miroslaw Staron; Fredrik Törner
Objective: Defect classification is an essential part of software development process models as a means of early identification of patterns in defect inflow profiles. Such classification, however, may often be a tedious task requiring analysis work in addition to what is necessary to resolve the issue. To increase classification efficiency, adapted schemes are needed. In this paper a light-weight defect classification scheme adapted for minimal process footprint -- in terms of learning and classification effort -- is proposed and initially evaluated. Method: A case study was conducted at Volvo Car Corporation to adapt the IEEE Std. 1044 for automotive embedded software. An initial evaluation was conducted by applying the adapted scheme to defects from an existing software product with industry professionals as subjects. Results: The results showed that the classification scheme was quick to learn and understand -- required classification time stabilized around 5-10 minutes already after practicing on 3-5 defects. The results also showed that the patterns in the classified defects were interesting for the professionals, although in order to apply statistical methods more data was needed. Conclusions: We conclude that the adapted classification scheme captures what is currently tacit knowledge and has the potential of revealing patterns in the defects detected in different project phases. Furthermore, we were, in the initial evaluation, able to contribute with new information about the development process. As a result we are currently in the process of incorporating the classification scheme into the company's defect reporting system.
product focused software process improvement | 2013
Rakesh Rana; Miroslaw Staron; Niklas Mellegård; Christian Berger; Jörgen Hansson; Martin Nilsson; Fredrik Törner
Reliability and dependability of software in modern cars is of utmost importance. Predicting these properties for software under development is therefore important for modern car OEMs, and using reliability growth models (e.g. Rayleigh, Goel-Okumoto) is one approach. In this paper we evaluate a number of standard reliability growth models on a real software system from automotive industry. The results of the evaluation show that models can be fitted well with defect inflow data, but certain parameters need to be adjusted manually in order to predict reliability more precisely in the late test phases. In this paper we provide recommendations for how to adjust the models and how the adjustments should be used in the development process of software in the automotive domain by investigating data from an industrial project.
international symposium on empirical software engineering | 2006
Fredrik Törner; Martin Ivarsson; Fredrik Pettersson; Peter Öhman
This paper presents an empirical quality assessment of use cases with the purpose to provide defect data from industry. In the assessment, twelve criteria, based on earlier research, were applied to 43 use cases from Volvo Car Corporation developed according to current practice. The collected defect data were statistically analyzed to determine significant intensity differences and to establish a partial order between the defect types based on their intensity. In addition, a qualitative assessment was made to assess the effect of remaining defects on the established order. The study shows that the defect types with the highest defect intensity are Missing element and Incorrect linguistics. Further, the established defect order is the basis for a comparison between the criteria used and earlier research on guidelines and checklists for use case authoring, resulting in improvement propositions.
international conference on computer safety, reliability, and security | 2004
Per Johannessen; Fredrik Törner; Jan Torin
In the early stages of a design process, a detailed hazard analysis should be performed, particularly for safety critical systems. In this paper an actuator based hazard analysis method is presented. Since it is the actuators that affect the system's environment, this actuator based approach is the logical approach for an early hazard analysis when only limited information of the system implementation is available. This approach is also unique since all identified failures are distributed on four different severities. A criticality ranking is assigned to each failure as a combination of the severities and their distribution. This ranking is also used to give an indication of the preferred fail states. For the hazards resulting in a high criticality that needs to be handled, the method supports a solvability analysis between different design solutions. This solvability analysis rewards design concepts that handle hazards with high criticality numbers.
high-assurance systems engineering | 2008
Fredrik Törner; Peter Öhman
The automotive industry is using software and electronics to an increasing degree to realize new functionality that can be considered to be safety related. This qualitative study, with rigorous data analysis, takes the perspective of automotive vehicle manufacturers and explores the drivers, usages and potential issues in relation to a possible introduction of the safety case concept in the automotive industry. The study involves three automotive OEMs contributing access to potential stakeholders of a safety case. The study identifies 18 motivating factors for the introduction of safety cases, e.g. need of engineer design support and a definition of acceptable risk. Further, 21 possible usages of a safety case are identified and classified into five subcategories, e.g. communication and system development. To conclude, the study identifies several drivers for introducing safety cases as well as a wide application area, but also raises questions about their design, required competence, and increased workload.
international conference on computer safety reliability and security | 2006
Fredrik Törner; Per Johannessen; Peter Öhman
Many automotive electronic systems are safety related and therefore need to be developed using a safety process. A preliminary hazard analysis, PHA, is one of the first and vital steps in such a process. In this paper, two methods with different approaches are experimentally evaluated using an electrical steering column lock system. The two methods are an adapted FFA, functional failure analysis, method based on induction with generic failure modes and a method from ESA based on induction with generic low level hazards. In the evaluation, interviews and questionnaires are used to triangulate the results. Both methods are found to be applicable for hazard identification in the automotive system context. The experiments conducted also show, with statistical significance, that the adapted FFA method is less time consuming and easier to use than the ESA method. Hence, the FFA method is found to be more suitable for hazard identification in early phases of development in this context.
SAE World Congress & Exhibition. Detroit, MI, USA. 14th–17th April 2008 | 2008
Fredrik Törner; DeJiu Chen; Rolf Johansson; Henrik Lönn; Martin Törngren
Automotive electronic systems are becoming safety related causing a need for more systematic and stringent approaches for demonstrating the functional safety. The safety case consists of an argumentation, supported by evidence, of why the system is safe to operate in a given context. It is dependent on referencing and aggregating information which is part of the EAST-ADL2, an architecture description language for automotive embedded systems. This paper explores the possibilities of integrating the safety case metamodel with the EAST-ADL2, enabling safety case development in close connection to the system model. This is done by including a safety case object in EAST-ADL2, and defining the external and internal relations. Combined with the support for structured information management and systematic safety/reliability analysis, the EAST-ADL2’s ability to support a safety case is shown and further benefits, as high level of traceability between the safety case and the design information, are identified.