Mario Trapp

Conditional Safety Certification of Open Adaptive Systems

In recent years it has become more and more evident that openness and adaptivity are key characteristics of next-generation distributed systems. The reason for this is not least due to the advent of computing trends like ubiquitous computing, ambient intelligence, and cyber-physical systems, where systems are usually open for dynamic integration and able to react adaptively to changing situations. Despite being open and adaptive, it is a common requirement for such systems to be safe. However, traditional safety assurance techniques, both state-of-the-practice and state-of-the-art ones, are not sufficient in this context. We have recently developed some initial solution concepts based on conditional safety certificates and corresponding runtime analyses. In this article we show how to operationalize these concepts. To this end, we present in detail how to specify conditional safety certificates, how to transform them into suitable runtime models, and how these models finally support dynamic safety evaluations.

Integrating Safety Analyses and Component-Based Design

In recent years, awareness of how software impacts safety has increased rapidly. Instead of regarding software as a black box, more and more standards demand safety analyses of software architectures and software design. Due to the complexity of software-intensive embedded systems, safety analyses easily become very complex, time consuming, and error prone. To overcome these problems, safety analyses have to be integrated into the complete development process as tightly as possible. This paper introduces an approach to integrating safety analyses into a component-oriented, model-based software engineering approach. The reasons for this are twofold: First, component- and model-based development have already been proven in practical use to handle complexity and reduce effort. Second, they easily support the integration of functional and non-functional properties into design, which can be used to integrate safety analyses.

Integration of component fault trees into the UML

Efficient safety analyses of complex software intensive embedded systems are still a challenging task. This article illustrates how model-driven development principles can be used in safety engineering to reduce cost and effort. To this end, the article shows how well accepted safety engineering approaches can be shifted to the level of model-driven development by integrating safety models into functional development models. Namely, we illustrate how UML profiles, model transformations, and techniques for multi language development can be used to seamlessly integrate component fault trees into the UML.

Component-based modeling and verification of dynamic adaptation in safety-critical embedded systems

Adaptation is increasingly used in the development of safety-critical embedded systems, in particular to reduce hardware needs and to increase availability. However, composing a system from many reconfigurable components can lead to a huge number of possible system configurations, inducing a complexity that cannot be handled during system design. To overcome this problem, we propose a new component-based modeling and verification method for adaptive embedded systems. The component-based modeling approach facilitates abstracting a composition of components to a hierarchical component. In the hierarchical component, the number of possible configurations of the composition is reduced to a small number of hierarchical configurations. Only these hierarchical configurations have to be considered when the hierarchical component is used in further compositions such that design complexity is reduced at each hierarchical level. In order to ensure well-definedness of components, we provide a model of computation enabling the formal verification of critical requirements of the adaptation behavior.

Fault Tree Analysis of Software-Controlled Component Systems Based on Second-Order Probabilities

Software is still mostly regarded as a black box in the development process, and its safety-related quality ensured primarily by process measures. For systems whose lion share of service is delivered by (embedded) software, process-centred methods are seen to be no longer sufficient. Recent safety norms (for example, ISO 26262) thus prescribe the use of safety models for both hardware and software. However, failure rates or probabilities for software are difficult to justify. Only if developers take good design decisions from the outset will they achieve safety goals efficiently. To support safety-oriented navigation of the design space and to bridge the existing gap between qualitative analyses for software and quantitiative ones for hardware, we propose a fault-tree-based approach to the safety analysis of software-controlled systems. Assigning intervals instead of fixed values to events and using Monte-Carlo sampling, probability mass functions of failure probabilities are derived. Further analysis of PMF lead to estimates of system quality that enable safety managers to take an optimal choice between design alternatives and to target cost-efficient solutions in every phase of the design process.

A Safety Roadmap to Cyber-Physical Systems

In recent years, the term cyber-physical systems has emerged to characterize a new generation of embedded systems. In cyber-physical systems, embedded systems will be open in the sense that they will dynamically interconnect with other systems and will be able to dynamically adapt to changing runtime contexts. Such open adaptive systems provide a huge potential for society and for the economy. On the other hand, however, openness and adaptivity make it hard or even impossible for developers to predict a system’s dynamic structure and behavior. This impedes the assurance of important system quality properties, especially safety and reliability. Safety assurance of cyber-physical systems will therefore be both one of the most urgent and one of the most challenging research questions of the next decade. This chapter analyzes the state of the art in order to identify open gaps and suggests a runtime safety assurance framework for cyber-physical systems to structure ongoing and future research activities.

A Safety Engineering Framework for Open Adaptive Systems

In recent years it has become more and more evident that openness and adaptivity are key characteristics of next generation distributed systems. The reason for that is not least the advent of computing trends like Ubiquitous Computing, Ambient Intelligence, and Cyber Physical Systems, where systems are usually open for dynamic integration and able to react adaptively to changing situations. Despite being open and adaptive it is a common requirement for such systems to be safe. However, traditional safety assurance techniques, both state-of-the-practice and state-of-the-art, are not sufficient in this context. We recently developed some initial solution concepts based on conditional safety certificates and corresponding runtime analyses. In this paper we show how to operationalize these concepts. To this end we present in detail how to specify conditional safety certificates, how to transform them into suitable runtime models, and how these models finally support dynamic safety evaluations.

Approaching runtime trust assurance in open adaptive systems

In recent years it has become more and more evident that the ability of systems to adapt themselves is an increasingly important requirement. This is not least driven by emerging computing trends like Ubiquitous Computing, Ambient Intelligence, and Cyber Physical Systems, where systems have to react on changing user needs, service/device availability and resource situations. Despite being open and adaptive it is a common requirement for such systems to be trustworthy, whereas traditional assurance techniques for related system properties like safety, reliability and security are not sufficient in this context. We recently developed the Plug&Safe approach for composition time safety assurance in systems of systems. In this position paper we provide an overview on Plug&Safe, elaborate the different facets of trust, and discuss how our approach can be augmented to enable trust assurance in open adaptive systems.

Vertical safety interfaces: improving the efficiency of modular certification

Modular certification is a technique for transferring the modularity of an embedded systems architecture to the traditionally monolithic craft of safety engineering. Particularly when applying integrated architectures like AUTOSAR or IMA, modular certification allows the construction of modular safety cases, which ensures the flexible handling of platforms and applications. However, the task of integrating these safety cases is still a manual and expensive endeavor, lowering the intended flexibility of an integrated architecture. We propose a toolsupported semi-automatic integration method that preserves the architectures flexibility and helps to lower the integration costs. Our method is based on a language capable of specifying the conditions for a valid integration of a platform and of an application using a contract-based approach to model safety case interfaces. This paper presents the language in detail.

A pattern-based approach to DSL development

Tool support for the development of Domain-specific Languages (DSLs) is continuously increasing. This reduces implementation effort for DSLs and enables the development of rather complex languages within reasonable amounts of time. However, the lack of commonly agreed and applied language engineering processes, many times turns DSL development into a set of creative activities, whose outcomes depend on the experience of the developers involved. Consequently, outcomes of language engineering activities are unpredictable with respect to their quality, and are often not maintainable either. We have therefore developed an approach that transfers the concept of architecture and design patterns from software engineering to language development. In this paper, we propose this approach and evaluate its applicability in a case study.