Peter H. Jesty

Safety Cases and Their Role in ISO 26262 Functional Safety Assessment

Compliance with the automotive standard ISOa26262 requires the development of a safety case for electrical and/or electronic (E/E) systems whose malfunction has the potential to lead to an unreasonable level of risk. In order to justify freedom from unreasonable risk, a safety argument should be developed in which the safety requirements are shown to be complete and satisfied by the evidence generated from the ISOa26262 work products. However, the standard does not provide practical guidelines for how it should be developed and reviewed. More importantly, the standard does not describe how the safety argument should be evaluated in the functional safety assessment process. In this paper, we categorise and analyse the main argument structures required of a safety case and specify the relationships that exist between these structures. Particular emphasis is placed on the importance of the product-based safety rationale within the argument and the role this rationale should play in assessing functional safety. The approach is evaluated in an industrial case study. The paper concludes with a discussion of the potential benefits and challenges of structured safety arguments for evaluating the rationale, assumptions and evidence put forward when claiming compliance with ISOa26262.

Analysis and Assessment of Advanced Road Transport Telematic Systems

The hazard analysis of an Advanced road Transport Telematic system is an essential part of the safety life-cycle. A systematic methodology for performing this task has been produced by the project PASSPORT. For each of the two phases, preliminary safety analysis and detailed safety analysis, novel modelling techniques have been devised upon which to perform the hazard analysis. The assurance that these analyses give, can be used as part of a certification process which covers security, reliability and environmental issues, as well as safety.

Towards a Unified Approach to Safety and Security in Automotive Systems

At the time when IEC 61508 was being created, analogous work was also being done to harmonise security evaluation criteria. Although there was no cross-fertilisation between these two activities, the MISRA project did use the ITSEC evaluation criteria as the basis for its recommendations on the requirements for software at varying levels of integrity. This paper points out the advantages of this approach for safety engineers, and explains how it overcomes some of the difficulties that people now have in applying IEC 61508. It also shows how the approach can be used for other attributes such as electromagnetic compatibility.

A blackboard-based framework for the development of cooperating schedulers

The authors present the design and implementation of a software framework using the blackboard model. This blackboard-based framework is an abstract interface used for the development of cooperating schedulers in a distributed system. The significance of this work is threefold: first, the interesting features of the blackboard model was applied to the area of software modeling; second, an abstract interface was built to distinguish blackboard modeling issues from scheduling issues; and third, a blackboard-based scheduler was implemented efficiently using lightweight processes.<<ETX>>

DRIVE-ing standards: a safety critical matter

The movement toward common standards for the application of information technology to European road transport systems is discussed. In particular, the Commission of the European Communities project V1051, Procedure for Safety Submissions for Road Transport Informatics, in the DRIVE program and the relevance of a series of recently released draft standards for safety-related software are considered. These include software development standards and those applying to the safety life cycle model.<<ETX>>

The development of safe advanced road transport telematic software

Abstract Whilst the road transport industry has already started to take advantage of the increased functionality offered by the use of programmable electronic systems, the current Type Approval mechanism, whereby all road transport equipment is certified as being fit and safe for its purpose, cannot adequately assess them. This paper describes the work done as part of an EC DRIVE project to propose a European standard for the development of safe road transport telematic systems. In particular the philosophy behind the software standard and its certification criteria, where most of the new problems lie, is discussed. A solution is proposed that is pragmatic, meaningful and workable.

A recovery block scheme for a VAX 11/750 running UNIX

In this paper we describe an implementation of a scheme that is widely used in software fault tolerance, the recovery block scheme. This scheme is usually implemented using special purpose hardware and software. Our implementation runs on a VAX11/750 which has not been modified in any way. This machine uses a very slightly altered version of Berkeleys 4.2 Unix Unix is a trademark of AT&T Bell Laboratories in the USA and other countries. .

Integrity Levels and their Application to Road Transport Systems

This paper describes some of the modifications that are necessary to draft IEC 1508 in order to make it applicable to road transport systems. The assessment of the controllability of the safety of the situation after a failure provides a technique to identify the Safety Integrity Level in cases where the environment is continually changing. By defining a structured approach to gain confidence with increasing Safety Integrity Level, it has been possible to state the properties expected for both software and EMC in a consistent manner. This approach may also permit traffic engineers to “plug and play” with traffic control equipment.

Some results from DRIVE

Interim results that have come from the work of the V1051 project Procedure for Safety Submissions for Road Transport Informatics in the DRIVE research and development program are discussed. The DRIVE program involves the application of information technology to problems of improving road safety, decreasing road congestion and decreasing environmental pollution caused by road transport. Programmable digital computer hardware and software would provide improved or new functionality to road transport systems. The authors concentrate on two aspects: the user-friendliness of formal specifications to engineers trained in a noncomputer sector and the imposition of a statutory evaluation and certification scheme for safety-critical software. While the intention is to produce safer systems, the result is increased complexity. This contradicts good design practice and is the reason for project V1051, which ensures that any safety critical road transport informatic (RTI) component is produced safely. Project V1051 applies to all RTI products and systems, and includes both hardware and software.<<ETX>>