Development Of Safety-critical Systems Research Articles

Dependability in open proof software with hardware virtualization—The railway control systems perspective

Using the openETCS initiative as a starting point, we describe how open software can be applied in combination with platform-specific, potentially closed-source extensions, in the development, verification, validation and certification of safety-critical railway control systems. To achieve certification credit for safety-critical system developments, evidence about numerous development, verification and validation artifacts has to be provided. Our focus is therefore on open models, and a model-driven development approach ensures that a large portion of the artifacts is automatically generated from the model. This strategy is illustrated by means of the ETCS standard, as far as applicable to the ETCS on-board computer managing train control and train protection. We show that a domain-specific language is suitable to cover all modeling aspects for this computer, starting from the ETCS standard itself and ending at supplier-specific adaptations extending the re-usable core model in concrete developments. In order to re-use certification credits once achieved for the re-usable core model, we suggest virtualization of run-time environments, so that suppliers can embed re-usable core components as binary code into their ETCS target platforms. A detailed analysis is provided, indicating how future changes in the standard and project-specific adaptations, extensions and restrictions, can be accounted for in a new ETCS development, while minimizing the re-certification effort. It is shown for all phases of the development life cycle how the peer-reviewing capacity of the openETCS community may contribute to the correctness of the phases’ outputs, thereby increasing overall system dependability, with special emphasis on safety and security.

Safety-Critical Software [Guest editors' introduction

We live in a world in which our safety depends on software-intensive systems. This is the case for the aeronautic, automotive, medical, nuclear, and railway sectors as well as many more. Organizations everywhere are struggling to find cost-effective methods to deal with the enormous increase in size and complexity of these systems, while simultaneously respecting the need to ensure their safety. Consequently, we're witnessing the ad hoc emergence of a renewed discipline of safety-critical software systems development as a broad range of software engineering methods, tools, and frameworks are revisited from a safety-related perspective. The rise of these complex, critical systems has spawned several recent initiatives to promote reuse, both of the technical artifacts and the artifacts and procedures that certify their suitability for use in safety-related contexts. One unmistakable trend is a strong interest in applying model-driven engineering techniques to safety-critical systems development over the entire life cycle.

Validating Software Reliability Early through Statistical Model Checking

Conventional software reliability assessment validates a system's reliability only at the end of development, resulting in costly defect correction. A proposed framework employs statistical model checking (SMC) to validate reliability at an early stage. SMC computes the probability that a target system will satisfy functional-safety requirements. The framework compares the allocated reliability goal with the calculated reliability using the probabilities and relative weight values for the functional-safety requirements. Early validation can prevent the propagation of reliability allocation errors and design errors at later stages, thereby achieving safer, cheaper, and faster development of safety-critical systems.

Efficient optimization of large probabilistic models

The development of safety critical systems often requires design decisions which influence not only dependability, but also other properties which are often even antagonistic to dependability, e.g., cost. Finding good compromises considering different goals while at the same time guaranteeing sufficiently high safety of a system is a very difficult task.We propose an integrated approach for modeling, analysis and optimization of safety critical systems. It is fully automated with an implementation based on the Eclipse platform. The approach is tool-independent, different analysis tools can be used and there exists an API for the integration of different optimization and estimation algorithms. For safety critical systems, a very important criterion is the hazard occurrence probability, whose computation can be quite costly. Therefore we also provide means to speed up optimization by devising different combinations of stochastic estimators and illustrate how they can be integrated into the approach.We illustrate the approach on relevant case-studies and provide experimental details to validate its effectiveness and applicability.

Automated Safety Integration Analysis of Complex System Based on Functional Model

The development of safety critical systems becomes even harder sine the integrity and complexity of system functions and architecture grows continuously, and this kind of process involves cooperative work between safety and system engineerings during the development of products. The article presents a new approach called automated safety integrity analysis for complex system relying on functional model, and the process of safety integrity is studied by linking functional design phase using SysML(System Model Language) and Altarica Data Flow language based on risk engineering, and the given method can be analyzed automatically and iteratively during the whole life in order to unify the process between the system design and safety assessment.At last, the approach is exemplified by fuel system of aircraft to demonstrate the applicability and versatility, which explores the engineering research for the analysis technology for safety of the complex system.

데이터모델 관점에서의 시스템설계 및 시스템안전 프로세스의 통합에 관한 연구

The issues raised so far in the development of safety-critical systems have centered on how effectively the safety requirements are met in systems design. The systems are becoming more complex due to the increasing demand on the functionality and performance. As such, the integration of both the systems design and systems safety processes becomes more important and at the same time quite difficult to carry out. In this paper, an approach to solving the problem is presented, which is based on an integrated data model. To do so, the data generated from the inputs and outputs of the systems design and systems safety processes are analyzed first. The results of analysis are used to extract common attributes among the data, thereby making it possible to define classes. The classes then become the cores of the interface data model through which the interaction between the two processes under study can be modeled and interpreted. The approach taken has also been applied in a design case to demonstrate its value. It is expected that the results of the study could play a role of the stepping stone in extending to the architecture development of the integrated process.

원개발자 부재에 따른 원시코드 기반의 단위테스트 노력 분석

Unit testing is one of the test levels, which tests an individual unit or a group of related units. Recently, in Agile Development or Safety-critical System Development, the unit testing plays an important role for the qualities. According to the definition of unit testing, it is supposed to be done by the developers of units. That is because test models for the unit testing refers to the structure of units, and others but its original developers hardly can understand the structures. However, in practice, unit testing is often asked to be done without the original developers. For example, it is when faults are revealed in customer sites and the development team does not exit any more. In this case, instead of original developers, other developers or test engineers take a product and test it. The unit testing done by a non-developer, who is not the original developer, would cause some difficulties or cause more cost. In this paper, we tests an open source, JTopas, as a non-developer, with building test models, implementing test codes, and executing test cases. To fit this experiment to practical testing situations, we designed it based on the practices of unit testing, which were surveyed through SPIN(Software Process Improvement Network). This paper analyzes which part of unit testing done by non-developers needs more effort compared to the unit testing done by original developers. And it concludes that Agile Development contributes on reducing the extra effort caused by non-developers, since it implements test codes first before developing source code. That means all the units have already included their own tests code when they are released.

Deriving fault-detection mechanisms from safety requirements

Safety requirements are an important artifact in the development of safety critical systems. They are used by experts as a basis for appropriate selection and implementation of fault detection mechanisms. Various research groups have worked on their formal modeling with the goal of determining if a system can meet these requirements.In this paper, we propose the application of formal models of safety requirements throughout all constructive development phases of a model-driven development process to automatically generate appropriate fault detection mechanisms. The main contribution of this paper is a rigorous formal specification of safety requirements that allows the automatic propagation, transformation and refinement of safety requirements and the derivation of appropriate fault detection mechanisms. This is an important step to guarantee consistency and completeness in the critical transition from requirements engineering to software design, where a lot of errors can be introduced into a system by using conventional, non-formal techniques.

The handbook of human-machine interaction: a human-centered design approach

Contents: Introduction: a human-centered design approach, Guy A. Boy Part I Analysis: Analysis, modeling and simulation of human operator's mental activities, Thierry Bellet Psychophysiology and performance: considerations for human-centered design, Anil K. Raj, Margery J. Doyle and Joshua D. Cameron Automation and situation awareness, Anke Popken and Josef F. Krems Human error, interaction and the development of safety-critical systems, Christopher Johnson Operating documents that change in real-time: dynamic documents and user performance support, Barbara K. Burian and Lynne Martin The authority issue in organizational automation, Guy A. Boy and Gudela Grote. Part II Design: Scenario-based design, John M. Carroll and Stephen R. Haynes Socio-cognitive issues in human-centred design for the real world, Saadi Lahlou Cognitive function analysis in the design of human and machine multi-agent systems, Guy A. Boy Authority and cooperation between humans and machines, Patrick Millot, Serge Debernard and FrA(c)dA(c)ric Vanderhaegen Formal description techniques for human-machine interfaces: model-based approaches for the design and evaluation of dependable usable interactive systems, David Navarre, Philippe Palanque, CA(c)lia Martinie, Marco A.A. Winkler and Sandra Steere Designing human-automation interaction, Amy Pritchett and Michael Feary Human-agent interaction, Jeffrey M. Bradshaw, Paul J. Feltovich and Matthew Johnson. Part III Evaluation: From usability to user experience with interactive systems, Jean-Marc Robert and Annemarie Lesage Designing and evaluating user experience, Jean-Marc Robert and Annmarie Lesage Eye tracking from a human factors perspective, Alexandre Lucas Stephane Operator fatigue: implications for human-machine interaction, Philippa Gander, Curt Graeber and Gregory Belenky Transversal perspectives on human-machine interaction: the effect of age in human-machine systems, Anabela dos Santos SimA es, Marta Pereira and Maria Panou Error on the flight deck: interfaces, organizations and culture, Don Harris and Wen-Chin Li The diminishing relevance of human-machine interaction, Erik Hollnagel Conclusion and perspectives: from automation to interaction design, Guy A. Boy Index.

L1 adaptive control for safety-critical systems

This article presents the development of L1 adaptive-control theory and its application to safety critical flight control system (FCS) development. Several architectures of the theory and benchmark examples are analyzed. The key feature of L1 adaptive-control architectures is the decoupling of estimation and control, which enables the use of arbitrarily fast estimation rates without sacrificing robustness. Rohrs's example and the two-cart system are used as benchmark problems for illustration. NASA's flight tests on subscale commercial jet verify the theoretical claims in a set of safety-critical test flights.

Applying System Theory to Transient Fault Tolerance and Safety Enhancement of Tunnel Construction Wireless Monitoring and Control System

Transient faults are hard to be detected and located due to their unpredictable nature and short duration, and they are the dominant causations of system failures, which makes it necessary to consider transient fault-tolerant design in the development of modern safety-critical industrial system. In this paper an approach based on system theory is proposed to tolerate the transient faults in tunnel construction wireless monitoring and control systems (TCWMCS), in which the effects of transient faults are expressed by dysfunction of interactions among software applications. After analyzing the dysfunctional interactions of the system by the operational process model and educing the causes of dysfunction in the functional control diagram, a safety enhancement way was proposed for the designers, in which effictive safety constraints were set up to tolerate the transient faults. The experiment evaluation indicated that the effects of transient faults could be exposed by the causal factors of dysfunctional interactions and system safety could be enhanced by the enforcement of appropriate constraints.

Transient Fault Tolerance and System Safety Enhancement Based on System Theory

Transient faults are hard to be detected and located due to their unpredictable nature and short duration, and they are the dominant causations of system failures, which makes it necessary to consider transient fault-tolerant design in the development of modern safety-critical industrial system. In this paper an approach based on system theory is proposed to tolerate the transient faults in tunnel construction wireless monitoring and control systems (TCWMCS), in which the effects of transient faults are expressed by dysfunction of interactions among software applications. After analyzing the dysfunctional interactions of the system by the operational process model and educing the causes of dysfunction in the functional control diagram, a safety enhancement way was proposed for the designers, in which effictive safety constraints were set up to tolerate the transient faults. The experiment evaluation indicated that the effects of transient faults could be exposed by the causal factors of dysfunctional interactions and system safety could be enhanced by the enforcement of appropriate constraints.

Using Bounded Model Checking for Coverage Analysis of Safety-Critical Software in an Industrial Setting

Testing and Bounded Model Checking (BMC) are two techniques used in Software Verification for bug-hunting. They are expression of two different philosophies: testing is used on the compiled code and it is more suited to find errors in common behaviors, while BMC is used on the source code to find errors in uncommon behaviors of the system. Nowadays, testing is by far the most used technique for software verification in industry: it is easy to use and even when no error is found, it can release a set of tests certifying the (partial) correctness of the compiled system. In the case of safety critical software, in order to increase the confidence of the correctness of the compiled system, it is often required that the provided set of tests covers 100% of the code. This requirement, however, substantially increases the costs associated to the testing phase, since it often involves the manual generation of tests. In this paper we show how BMC can be productively applied to the Software Verification process in industry. In particular, we show how to productively use a Bounded Model Checker for C programs (CBMC) as an automatic test generator for the Coverage Analysis of Safety Critical Software. In particular, we experimented CBMC on a subset of the modules of the European Train Control System (ETCS) of the European Rail Traffic Management System (ERTMS) source code, an industrial system for the control of the traffic railway, provided by Ansaldo STS. The Code of the ERTMS/ETCS, with thousands of lines, has been used as trial application with CBMC obtaining a set of tests satisfying the target 100% code coverage, requested by the CENELEC EN50128 guidelines for software development of safety critical systems. The use of CBMC for test generation led to a dramatic increase in the productivity of the entire Software Development process by substantially reducing the costs of the testing phase. To the best of our knowledge, this is the first time that BMC techniques have been used in an industrial setting for automatically generating tests achieving full coverage of Safety-Critical Software. The positive results demonstrate the maturity of Bounded Model Checking techniques for automatic test generation in industry.

Reliability study of complex physical systems using SysML

The development of safety critical systems becomes even harder since the complexity of these systems grows continuously. Moreover, this kind of process involves the use of powerful design methods and precise reliability techniques that utilize dissimilar models and construction policy. In this article we propose a method to unify and enhance this process by linking functional design phase using SysML with commonly used reliability techniques such as FMEA and dysfunctional models construction in AltaRica Data Flow. We present how SysML models can be analyzed automatically in order to produce an FMEA and expose a parallel between SysML models and AltaRica Data Flow ones. The given approach is structured around a database of dysfunctional behaviors that supports the studies and is updated by the obtained results. We exemplify the approach to analyze a system of level controlling of a tank.

Investigating a new formal model for a library system using B method

The use of formal methods for development of safety-critical sys-tems has motivated researchers to serve them in distributed appli-cations. B method has the precision to support animation and rigorous verification, but requires significant effort in training to overcome the mathematical barrier that many practitioners perce-ive. In this paper, an overview of B method is described including definition, properties, and tools. Then, a new formal model for a library system using B is presented. This formal model can be ex-tended in distributed environments and be integrated with UML as further work.

Conceptual foundation of dependable systems modelling

In a variety of different standards the subject matter of dependability is defined by various concepts. Their unambiguous definition can lead to a clear interpretation which facilitates communication of all persons involved in the development of safety-critical technical systems. By means of concise communication during specification, subsequent implementation as well as the preparation of operating and maintenance manuals negative legal and financial impacts can be avoided. For this reason this paper introduces a method for terminological disambiguation.

A Contract-based Approach to Specifying and Verifying Safety Critical Systems

Light-weight formal method has been regarded as an important approach to development of component-based safety critical systems. The paper proposes an approach which can formally specify and verify the contract of static structure, dynamic behavior and refinement of component systems based on UML 2.0 superstructure. As results, the correctness of static contract can be obtained via type checking of interfaces and connectors. Dynamic contract can be verified through determining the cooperativeness of integrated components, whose contracts are depicted with interface protocol state machines and their semantics models, namely contract automata. The refinement relation between high level component and its implementation will be guaranteed through defining the alternating simulation between contract automata of components at different levels.

Formalization and assessment of regulatory requirements for safety-critical software

Regulatory requirements, as opposed to requirements for a particular system, have a generic nature, are applicable to a wide range of systems and are the basis for certification or licensing process. The important tasks in requirement engineering are resolving requirements inconsistencies between regulators and developers of safety-critical computer systems and the validation of regulatory requirements. This paper proposes a new approach to the regulatory process, including the use of formal regulatory requirements as a basis for the development of software assessment methods. We address the differences between prescriptive and nonprescriptive regulation, and suggest a middle approach. The notion of a normative package is introduced as the collection of documents to be used by a regulator and provided to a developer. It is argued that the normative package should include not only regulatory requirements, but also methods of their assessment. This approach is illustrated with examples of requirements for protecting computer control systems against unauthorized access and against common-mode software failures, using the Z notation for the formalization.

Software design specification and analysis technique (SDSAT) for the development of safety-critical systems based on a programmable logic controller (PLC)

This paper introduces a Software Design Specification and Analysis Technique (SDSAT) for safety-critical systems based on a Programmable Logic Controller (PLC). During software development phases, the design phase performs an important role in connecting the requirements phase and the implementation phase, and it is a process of translating software requirements into software structures. In this work, the Nuclear FBD-style Design Specification and analysis (NuFDS) approach was proposed for nuclear Instrumentation and Control (I&C) software. The NuFDS approach is suggested in a straightforward manner for effective and formal software design specification and analysis. Accordingly, the proposed NuFDS approach is composed of a software design specification technique and a software design analysis technique. In addition, for tool support in the design phase, we developed the NuSDS tool based on the NuFDS approach; this tool is used specifically for generating software design specification and analysis for nuclear fields.

Template-based construction of verified software

The use of formal verification to prove the correctness of software is increasingly being mandated by international standards for the development of safety critical systems. While formal development environments exist to assist in formal software development, formal verification is still an extremely difficult and time-consuming task, requiring expert skills not possessed by the typical software engineer. The authors propose a component-based development approach, where the aim is not so much to make savings in the cost of implementation, but instead to reduce the amount of verification that the software engineer needs to perform, as well as reducing the complexity of any remaining verification. This is achieved by providing reusable design templates that have been verified offline by an expert in mathematical logic and theorem proving. An important feature of the template language is the presence of higher-order parameters, which enable templates to be defined that are more widely applicable, thus giving better value for the one-off verification effort.