Maintaining safety requirements of updated maritime surveillance systems

Abstract

Abstract The maritime domain is undergoing a transformation away from manual control and navigation towards automated and autonomous vessels controlled by a dedicated software system. These systems are composed out of interdependent and heterogeneous modules, that together form a System of Systems (SoS). Unlike before, these software-based modules allow their functionality to be monitored continuously and changes to be made remotely while in operation. However, adjustments made to devices that have already been approved can cause the existing certification to lose its validity and previously made safety properties may no longer apply. This poses a particular danger when the system is driving autonomously or a navigator is relying on it to function and is unaware of a failure and cannot take alternative action. Especially in case of new functionality being added through adaptive updates, unforeseen errors can occur that were not apparent beforehand. For this reason, a procedure based on assumption-guarantee contracts is presented to verify the impact on the safety properties of a system after an update and outline the required changes to the associated safety case. For this purpose, a safety case based on the Goal Structuring Notation (GSN) is made, whose tree structure has modular properties, so that the effects on the safety behavior can be tracked on a small scale and only partial branches have to be replaced or updated. Moreover, it is shown how a safety case augmented with contracts can meet its safety goals even when the system needs to revert to the state before the update while keeping the vessel operator informed. The concept is demonstrated by extending the functionality of a maritime collision avoidance system by a predictive resolution module and show how in situations missing a valid prediction, the system can still meet its overarching safety goal.