Irfan Sljivo

Towards a Safety-Oriented Process Line for Enabling Reuse in Safety Critical Systems Development and Certification

Safety standards define development processes by indicating the set of partially ordered tasks that have to be executed to achieve acceptably safe systems. Process compliance constitutes a fundamental ingredient in safety argumentation for certification purposes. Certification is a very expensive, time-consuming and quality demanding activity. To increase quality and reduce time and cost, reuse-based approaches are being investigated. In this paper, we adopt process line approach in the framework of safety processes. This means that we treat a family of processes as a product line, and we identify commonalities and variabilities between them. The resulting information guides developers in reusing parts of the process, the system and safety case, e.g. which parts to make more generic, isolating changes in others to avoid ripple effects etc.

Generation of Safety Case Argument-Fragments from Safety Contracts

Composable safety certification envisions reuse of safety case argument-fragments together with safety-relevant components in order to reduce the cost and time needed to achieve certification. The argument-fragments could cover safety aspects relevant for different contexts in which the component can be used. Creating argument-fragments for the out-of-context components is time-consuming and currently no satisfying approach exists to facilitate their automatic generation. In this paper we propose an approach based on (semi-)automatic generation of argument-fragments from assumption/guarantee safety contracts. We use the contracts to capture the safety claims related to the component, including supporting evidence. We provide an overview of the argument-fragment architecture and rules for automatic generation, including their application in an illustrative example. The proposed approach enables safety engineers to focus on increasing the confidence in the knowledge about the system, rather than documenting a safety case.

A Method to Generate Reusable Safety Case Argument-Fragments from Compositional Safety Analysis

Safety-critical systems usually need to be accompanied by an explained and well-founded body of evidence to show that the system is acceptably safe. While reuse within such systems covers mainly code, reusing accompanying safety artefacts is limited due to a wide range of context dependencies that need to be satisfied for safety evidence to be valid in a different context. Currently the most commonly used approaches that facilitate reuse lack support for reuse of safety artefacts.

Strong and weak contract formalism for third-party component reuse

Our aim is to contribute to bridging the gap between the justified need from industry to reuse third-party components and skepticism of the safety community in integrating and reusing components developed without real knowledge of the system context. We have developed a notion of safety contract that will help to capture safety-related information for supporting the reuse of software components in and across safety-critical systems. In this paper we present our extension of the contract formalism for specifying strong and weak assumption/guarantee contracts for out-of-context reusable components. We elaborate on notion of satisfaction, including refinement, dominance and composition check. To show the usage and the expressiveness of our extended formalism, we specify strong and weak safety contracts related to a wheel braking system.

Cooperative safety critical CPS platooning in SafeCOP

This paper presents the platooning research within the Safe Cooperating Cyber-Physical Systems using Wireless Communication (SafeCOP) project. Cooperating Cyber-Physical Systems (CO-CPS) using wireless communication and having multiple stakeholders, dynamic system definitions (openness), and unpredictable operating environments, are the main application of SafeCOP. In addition to safety assurance methods and tools, SafeCOP devises a runtime manager architecture that detects irregular operation, hence, prompting a safe degraded mode in case of need. SafeCOP lays a safety and security umbrella over the usage of current wireless technologies, contributes to new standards and regulations by providing scientifically validated solutions to establish standards which also addresses cooperation and system-of-systems issues. SafeCOP addresses several use cases that solve customer related problems. However, in this paper we will present a use case that extract generic principles from the combination of the previous use cases to stimulate the European collaboration around the project objectives, and to collect general requirements for the SafeCOP solution, applicable across all the areas considered. We consider a CO-CPS composed of two or more systems moving in a platoon while cooperating in a safe function.

A Method to Generate Reusable Safety Case Fragments from Compositional Safety Analysis

Safety-critical systems usually need to be accompanied by an explained and well-founded body of evidence to show that the system is acceptably safe. While reuse within such systems covers mainly code, reusing accompanying safety artefacts is limited due to a wide range of context dependencies that need to be satisfied for safety evidence to be valid in a different context. Currently the most commonly used approaches that facilitate reuse lack support for reuse of safety artefacts.

Configuration-Aware Contracts

Assumption/guarantee contracts represent the basis for independent development of reusable components and their safety assurance within contract-based design. In the context of safety-critical systems, their use for reuse of safety assurance efforts has encountered some challenges: the need for evidence supporting the confidence in the contracts; and the challenge of context, where contracts need to impose different requirements on different systems.

Tool-Supported Safety-Relevant Component Reuse: From Specification to Argumentation

Contracts are envisaged to support compositional verification of a system as well as reuse and independent development of their implementations. But reuse of safety-relevant components in safety-critical systems needs to cover more than just the implementations. As many safety-relevant artefacts related to the component as possible should be reused together with the implementation to assist the integrator in assuring that the system they are developing is acceptably safe. Furthermore, the reused assurance information related to the contracts should be structured clearly to communicate the confidence in the component. In this work we present a tool-supported methodology for contract-driven assurance and reuse. We define the variability on the contract level in the scope of a trace-based approach to contract-based design. With awareness of the hierarchical nature of systems subject to compositional verification, we propose assurance patterns for arguing confidence in satisfaction of requirements and contracts. We present an implementation extending the AMASS platform to support automated instantiation of the proposed patterns, and evaluate its adequacy for assurance and reuse in a real-world case study.

Agent-Centred Approach for Assuring Ethics in Dependable Service Systems

As the world enters the information era, more and more dependable services controlling and even making our decisions are moved to the ubiquitous smart devices. While various standards are in place to impose the societal ethical norms on decision-making of those devices, the rights of the individuals to satisfy their own moral norms are not addressed with the same scrutiny. Hence, the right of the individuals to reason on their own and evaluate morality of certain decisions is at stake. In this work we propose an agent-centred approach for assuring ethics in dependable technological service systems. We build upon assurance of safety and security and propose the notion of ethics assurance case as a way to assure that individual users have been made aware of all the ethically challenging decisions that might be performed or enabled by the service provider. We propose a framework for identifying and categorising ethically challenging decisions, and documenting the ethics assurance case. We apply the framework on an illustrative example.

Assuring Degradation Cascades of Car Platoons via Contracts

Automated cooperation is arriving in practice, for instance in vehicular automation like platoon driving. The development and safety assurance of those systems poses new challenges, as the participating nodes are not known at design time; they engage in communication at runtime and the system behaviour can be distorted at any time by failures in some participant or in the communication itself. When running on a highway, simply switching off the function is not an option, as this would also result in hazardous situations. Graceful degradation offer a systematic approach to define a partial-order of less and less acceptable operation modes, of which the best achievable is selected in presence of failures. In this work we propose an approach for assurance of the degradation cascades based on mode-specific assertions, captured by assumption/guarantee contracts. More specifically, we share our experiences and methodology for specifying the contracts for both the nominal safe behaviour as well as the less safe but acceptable behaviour in presence of failures. Furthermore, we present an argument pattern for adequacy of the degradation cascades for meeting the global safety goals based on the contracts. We illustrate our approach by a car platooning case study.