Kai Höfig

Integration of component fault trees into the UML

Efficient safety analyses of complex software intensive embedded systems are still a challenging task. This article illustrates how model-driven development principles can be used in safety engineering to reduce cost and effort. To this end, the article shows how well accepted safety engineering approaches can be shifted to the level of model-driven development by integrating safety models into functional development models. Namely, we illustrate how UML profiles, model transformations, and techniques for multi language development can be used to seamlessly integrate component fault trees into the UML.

WAP: Digital dependability identities

Cyber-Physical Systems (CPS) provide enormous potential for innovation but a precondition for this is that the issue of dependability has been addressed. This paper presents the concept of a Digital Dependability Identity (DDI) of a component or system as foundation for assuring the dependability of CPS. A DDI is an analyzable and potentially executable model of information about the dependability of a component or system. We argue that DDIs must fulfill a number of properties including being universally useful across supply chains, enabling off-line certification of systems where possible, and providing capabilities for in-field certification of safety of CPS. In this paper, we focus on system safety as one integral part of dependability and as a practical demonstration of the concept, we present an initial implementation of DDIs in the form of Conditional Safety Certificates (also known as ConSerts). We explain ConSerts and their practical operationalization based on an illustrative example.

A Controlled Experiment on Component Fault Trees

In safety analysis for safety-critical embedded systems, methods such as FMEA and fault trees (FT) are strongly established in practice. However, the current shift towards model-based development has resulted in various new safety analysis methods, such as Component Integrated Fault Trees (CFT). Industry demands to know the benefits of these new methods. To compare CFT to FT, we conducted a controlled experiment in which 18 participants from industry and academia had to apply each method to safety modeling tasks from the avionics domain. Although the analysis of the solutions showed that the use of CFT did not yield a significantly different number of correct or incorrect solutions, the participants subjectively rated the modeling capacities of CFT significantly higher in terms of model consistency, clarity, and maintainability. The results are promising for the potential of CFT as a model-based approach.

Failure-Dependent timing analysis - a new methodology for probabilistic worst-case execution time analysis

Embedded real-time systems are growing in complexity, which goes far beyond simplistic closed-loop functionality. Current approaches for worst-case execution time (WCET) analysis are used to verify the deadlines of such systems. These approaches calculate or measure the WCET as a single value that is expected as an upper bound for a systems execution time. Overestimations are taken into account to make this upper bound a safe bound, but modern processor architectures expand those overestimations into unrealistic areas. Therefore, we present in this paper how of safety analysis model probabilities can be combined with elements of system development models to calculate a probabilistic WCET. This approach can be applied to systems that use mechanisms belonging to the area of fault tolerance, since such mechanisms are usually quantified using safety analyses to certify the system as being highly reliable or safe. A tool prototype implementing this approach is also presented which provides reliable safe upper bounds by performing a static WCET analysis and which overcomes the frequently encountered problem of dependence structures by using a fault injection approach.

A Consistency Check Algorithm for Component-Based Refinements of Fault Trees

The number of embedded systems in our daily lives that are distributed, hidden, and ubiquitous continues to increase. Many of them are safety-critical. To provide additional or better functionalities, they are becoming more and more complex, which makes it difficult to guarantee safety. It is undisputed that safety must be considered before the start of development, continue until decommissioning, and is particularly important during the design of the system and software architecture. An architecture must be able to avoid, detect, or mitigate all dangerous failures to a sufficient degree. For this purpose, the architectural design must be guided and verified by safety analyses. However, state-of-the-art component-oriented or model-based architectural design approaches use different levels of abstraction to handle complexity. So, safety analyses must also be applied on different levels of abstraction, and it must be checked and guaranteed that they are consistent with each other, which is not supported by standard safety analyses. In this paper, we present a consistency check for CFTs that automatically detects commonalities and inconsistencies between fault trees of different levels of abstraction. This facilitates the application of safety analyses in top-down architectural designs and reduces effort.

ALFRED: A Methodology to Enable Component Fault Trees for Layered Architectures

Identifying drawbacks or insufficiencies in terms of safety is important also in early development stages of safety critical systems. In industry, development artefacts such as components or units, are often reused from existing artefacts to save time and costs. When development artefacts are reused, their existing safety analysis models are an important input for an early safety assessment for the new system, since they already provide a valid model. Component fault trees support such reuse strategies by a compositional horizontal approach. But current development strategies do not only divide systems horizontally, e.g., By encapsulating different functionality into separate components and hierarchies of components, but also vertically, e.g. Into software and hardware architecture layers. Current safety analysis methodologies, such as component fault trees, do not support such vertical layers. Therefore, we present here a methodology that is able to divide safety analysis models into different layers of a systems architecture. We use so called Architecture Layer Failure Dependencies to enable component fault trees on different layers of an architecture. These dependencies are then used to generate safety evidence for the entire system and over all different architecture layers. A case study applies the approach to hardware and software layers.

INSiDER: Incorporation of system and safety analysis models using a dedicated reference model

In order to enable model-based, iterative design of safety-relevant systems, an efficient incorporation of safety and system engineering is a pressing need. Our approach interconnects system design and safety analysis models efficiently using a dedicated reference model. Since all information are available in a structured way, traceability between the model elements and consistency checks enable automated synchronization to guarantee that information within both kind of models are consistent during the development life-cycle.

Towards a Cross-Domain Software Safety Assurance Process for Embedded Systems

In this work, we outline a cross-domain assurance process for safety-relevant software in embedded systems. This process aims to be applied in various different application domains and in conjunction with any development methodology. With this approach we plan to reduce the growing effort for safety assessment in embedded systems by reusing safety analysis techniques and tools for the product development in different domains.

metaFMEA-A Framework for Reusable FMEAs

Failure mode and effects analysis (FMEA), is a widely used deductive failure analysis for safety critical systems. Since modern safety critical systems tend to increased complexity, automation and tool support have a long history in research and industry. Whereas compact embedded systems can be analyzed using FMEA in a manually maintained table using for example a spreadsheet application, complex systems easily result in an unmanageable long table especially when larger development teams are involved. During the application of the methodology in industry, two central problems were observed. First, textually described effects are interpreted differently and lead to inconsistencies. Second, one component often is used multiple times in a system, e.g. in electronic circuits where huge circuits are build using a small number of electronic devices. Each implementation of a component results in the same failure modes in a FMEA. Manually inserting them is error prone and adding a new failure mode to an existing component can be very time consuming. Therefore, we describe here a meta model that is capable to solve the aforementioned problems of different inconsistencies and analyze the benefits of this meta model in a tool implementation along with a case study.

Modeling Quality Aspects: Safety

Safety is typically defined as freedom from unacceptable risk (of harm) To ensure a certain level of quality, in most industrial domains the development of safety-critical systems is governed by standards.