Philippa Conmy
University of York
Publications
Featured research published by Philippa Conmy.
IEEE Transactions on Industrial Informatics | 2010
Philippa Conmy; Iain Bate
Component-based and modular software development techniques have become established in recent years. Without complementary verification and certification methods the benefits of these development techniques are reduced. As part of certification, it is necessary to show a system is acceptably safe, which subsumes both the normal and abnormal (failure) cases. However, nonfunctional properties, such as safety and failures, are abstraction breakers, cutting across multiple components. Also, much of the work on component-based engineering has been applied to software-based systems rather than field programmable gate array (FPGA)-based systems, whose use is becoming more popular in industry. In this paper, we show how a modular design embedded on an FPGA can be exhaustively analyzed (from a safety perspective) to derive the failure and safety properties to give the evidence needed for a safety case. The specific challenges faced are analyzing the fault characteristics of individual electronic components, combining the results across software modules, and then feeding this into a system safety case. A secondary benefit of taking this approach is that there is less uncertainty in the performance of the device; hence, it can be used for higher integrity systems. Finally, design improvements can be specifically targeted at areas of safety concern, leading to more optimal utilization of the FPGA device.
The Computer Journal | 2001
Iain Bate; Philippa Conmy; Tim Kelly; John A. McDermid
This paper investigates the implications of using modern superscalar processors in the safety-critical domain. Firstly, a description of current certification practice and devices is given as background. This is followed by an exposition of the certification argument for a processor when used in a safety-critical application. Throughout the presentation of the argument two types of modern processor are considered, commercial off-the-shelf (COTS) processors and purpose-designed bespoke devices. This allows the elaboration of positive and negative features of processors that can be used as part of the selection (for COTS) or design (for bespoke) process.
Model Based Methodologies for Pervasive and Embedded Software | 2007
Philippa Conmy; Richard F. Paige
The model driven architecture (MDA) is an approach to software engineering in which models are systematically developed and transformed into code. This paper discusses some of the issues which would need to be overcome when attempting to certify a safety critical design or software developed with the MDA approach, partially based on our experience with an avionics software case study. We particularly focus on the need to certify MDA artefacts and produce a compelling system safety case.
International Symposium on Software Reliability Engineering | 2012
Stefan Björnander; Rikard Land; Patrick J. Graydon; Kristina Lundqvist; Philippa Conmy
For a large and complex safety-critical system, where safety is ensured by a strict control over many properties, the safety information is structured into a safety case. As a small change to the system design may potentially affect a large section of the safety argumentation, a systematic method for evaluating the impact of system changes on the safety argumentation would be valuable. We have chosen two of the most common notations: the Goal Structuring Notation (GSN) for the safety argumentation and the Architecture Analysis and Design Language (AADL) for the system architecture model. In this paper, we address the problem of impact analysis by introducing the GSN and AADL Graph Evaluation (GAGE) method that maps safety argumentation structure against system architecture, which is also a prerequisite for successful composition of modular safety cases. In order to validate the method, we have implemented the GAGE tool that supports the mapping between the GSN and AADL notations and highlights changes in impact on the argumentation.
High Assurance Systems Engineering | 2014
Philippa Conmy; Iain Bate
Developing Safety-Critical Systems (SCS) is an expensive activity largely due to the cost of testing both components and the systems produced by integrating them. In more mainstream system design, Model-Based Development (MBD) and Component-Based Software Engineering (CBSE) are seen as complementary activities that can reduce these costs, however their use is not yet well supported in the safety critical domain, as safety is an emergent property. The contributions of this paper are to describe some of the challenges of using these approaches in SCS, and then argue how through appropriate safety argument patterns the challenges can be addressed.
High Assurance Systems Engineering | 2000
Iain Bate; Philippa Conmy; John A. McDermid
This paper investigates the implications of using a modern super-scalar processor in the safety-critical domain. Firstly, a description of current certification practice and devices is given as background. This is followed by an assessment of how the certification argument and its supporting evidence are affected by the use of a super-scalar processor. Two types of modern processor are considered, a Commercial Off The Shelf (COTS) processor and a purpose designed bespoke device. The respective benefits and drawbacks of both are examined. We then identify some key areas where change in current certification practice is necessary to allow for modern processors.
Digital Systems Design | 2016
Francisco J. Cazorla; Jaume Abella; Jan Andersson; Tullio Vardanega; Francis Vatrinet; Iain Bate; Ian Broster; Mikel Azkarate-Askasua; Franck Wartel; Liliana Cucu; Fabrice Cros; Glenn Ashley Farrall; Adriana Gogonel; Andrea Gianarro; Benoit Triquet; Carles Hernandez; Code Lo; Cristian Maxim; David Morales; Eduardo Quiñones; Enrico Mezzetti; Leonidas Kosmidis; Irune Aguirre; Mikel Fernandez; Mladen Slijepcevic; Philippa Conmy; Walid Talaboulma
The use of increasingly complex hardware and software platforms in response to the ever rising performance demands of modern real-time systems complicates the verification and validation of their timing behaviour, which form a time-and-effort-intensive step of system qualification or certification. In this paper we relate the current state of practice in measurement-based timing analysis, the predominant choice for industrial developers, to the proceedings of the PROXIMA (Probabilistic real-time control of mixed-criticality multicore systems) project in that very field. We recall the difficulties that the shift towards more complex computing platforms causes in that regard. Then we discuss the probabilistic approach proposed by PROXIMA to overcome some of those limitations. We present the main principles behind the PROXIMA approach as well as the changes it requires at hardware or software level underneath the application. We also present the current status of the project against its overall goals, and highlight some of the principal confidence-building results achieved so far.
17th Safety-Critical Systems Symposium, SSS 2009; Bristol; United Kingdom; 3 February 2009 through 5 February 2009 | 2009
Iain Bate; Philippa Conmy
This paper looks at possible applications of Field Programmable Gate Arrays (FPGAs) within the safety critical domain. We examine the potential benefits these devices can offer, such as parallel computation and reconfiguration in the presence of failure, and also the difficulties which these raise for certification. A possible safety argument supporting the use of basic reconfiguration facilities of a reprogrammable FPGA to remove Single Event Upsets (SEUs) is presented. We also demonstrate a technique which has the potential to be used to identify areas which are sensitive to SEUs in terms of safety effect, thus allowing optimisation of an FPGA's design and supporting our argument.
High-Assurance Systems Engineering | 2005
Iain Bate; Philippa Conmy
There is an increasing move towards the use of modular approaches to software design and implementation in the development of critical systems. The reason is the approaches have a number of benefits including providing support for concurrent development and helping to simplify software maintenance. However, there is little guidance on how to perform a modular safety process for the certification of critical systems as most of the standards assume a monolithic design. Of particular concern is performing safety analyses, with the limited context afforded by a modular approach, in order to derive valid safety requirements with appropriate context/assumptions. Expressing requirements using contracts is one way to help support change. An example use of contracts between a real-time operating system (RTOS) and application is given. This example has been chosen as the use of an RTOS is an increasingly prevalent form of modularisation, instead of embedding operating system services within the applications. In fact having an RTOS is considered a key enabling technology as it provides a clear interface between the application and platform.
Proceedings of the 1st International Workshop on Assurance Cases for Software-Intensive Systems | 2013
Katrina Attwood; Philippa Conmy
Increased complexity in the design, technology and supply chains for software-intensive safety-critical systems has resulted in a growing demand for a compositional approach to safety assurance. Assurance data relating to independently-derived components must be melded together into a compelling case for overall system safety. One of the barriers to composition is the lack of consistency in the terminology used to describe and share assurance data. Linguistic mismatches highlight various problems for the composition of peer modules and their integration into an overall case. In this paper, we propose the application of a linguistic model of understanding to identify mismatches and to provide guidance on composition and integration. The approach is illustrated using a simple example.