Similar literature
20 similar documents found (search time 31 ms)
1.
In software-based systems, the notion of software failure is magnified if the software in question is a component of a safety-critical system. Hence, to ensure a required level of safety, the product must undergo expensive, rigorous testing and verification/validation activities. To minimize the cost of quality (COQ) associated with the development of safety-critical systems, it becomes imperative that the assessment of intermediate artifacts (e.g., requirements, design documents or models) is done efficiently and effectively to maximize early defect detection and/or defect prevention. However, as a human-centered process, the assessment of software architecture for safety-critical systems relies heavily on the experience and knowledge of the assessment team to ensure that the proposed architecture is consistent with the software functional and safety requirements. The knowledge-centered assessment pattern (KCAP) acts as an effective tool to assist assessment teams by providing key information on what architectural elements should be assessed, why they should be assessed, and how they should be assessed. Furthermore, the use of KCAP highlights cases where the software architecture has been properly, over-, under- or incoherently engineered.

2.
In the rail transportation industry, competitive pressure has led to the increased use of COTS (commercial off-the-shelf) equipment in safety-critical systems, making it imperative that we extend proven safety techniques to COTS-based systems as well. To this end, we have developed the Vital Framework (V-Frame), which is used to develop a safety-critical platform from COTS hardware and software. The key technologies in this framework are formal methods, information redundancy, a proprietary data format, and a concurrent checking scheme. Combining these technologies results in a real-time, checkable correctness criterion that is a signature of the application's algorithm structure and is independent of both the hardware and the operating system. V-Frame's most significant attribute is that the fail-safe properties of applications do not require the firmware to be correct: the application will operate in a fail-safe (or vital) manner even if there are design faults in the operating system and/or the hardware fails. This does not mean that the application does not have to be correctly specified and designed. Formal methods are appropriate in the design of safety-critical COTS systems because a generic processing environment is analogous to a formal system: it is designed to apply well-defined transformation rules to inputs
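As an added illustration (not V-Frame's own code and not its proprietary data format), the Python below shows the two ingredients the abstract names, information redundancy and a concurrent checking scheme, in their simplest textbook form: integers are carried as AN-code words (x is stored as A·x, so a corrupted word is almost never a multiple of A), and a running hash of the executed operation sequence is compared with a design-time signature so that a skipped or repeated step is caught even when every individual word still checks out. The constant A, the axle-count scenario, the `FailSafe` outcome and the fault-injection hooks are assumptions made for this example.

```python
import hashlib

A = 58659  # AN-code constant; assumed for the example, any large odd constant works

class FailSafe(Exception):
    """Raised to force the safe (vital) state instead of using a suspect result."""

def encode(x):
    """Represent the plain integer x by the codeword A*x."""
    return A * x

def decode(word):
    """Recover x from A*x, refusing any word that is not a multiple of A."""
    if word % A != 0:
        raise FailSafe(f"corrupted codeword {word}")
    return word // A

def design_signature(n_adds):
    """Signature of the intended operation sequence, fixed at design time."""
    sig = b"init"
    for _ in range(n_adds):
        sig = hashlib.sha256(sig + b"add").digest()
    return sig

class CheckedComputation:
    """Arithmetic on codewords with a data check after every operation and a
    running control-flow signature; neither relies on the platform being correct."""
    def __init__(self):
        self.sig = b"init"

    def _step(self, tag, word):
        if word % A != 0:                       # data check: result must still be a codeword
            raise FailSafe(f"codeword check failed after {tag.decode()}")
        self.sig = hashlib.sha256(self.sig + tag).digest()  # control-flow signature
        return word

    def add(self, u, v):
        return self._step(b"add", u + v)        # A*x + A*y == A*(x + y)

    def assert_signature(self, expected):
        if self.sig != expected:
            raise FailSafe("executed operation sequence differs from design signature")

def sum_axle_counts(counts, bitflip_at=None, skip_at=None):
    """Sum per-sensor axle counts on codewords. bitflip_at / skip_at inject a
    simulated register bit flip or a skipped instruction (constructed faults)."""
    comp = CheckedComputation()
    acc = encode(0)
    for i, c in enumerate(counts):
        if i == skip_at:
            continue                            # control-flow fault: instruction skipped
        term = encode(c)
        if i == bitflip_at:
            term ^= 1 << 7                      # hardware fault: bit 7 of a register flips
        acc = comp.add(acc, term)
    comp.assert_signature(design_signature(len(counts)))
    return decode(acc)

def run(counts, **faults):
    """Return ("ok", total) or ("failsafe", reason) so a caller can act on the outcome."""
    try:
        return ("ok", sum_axle_counts(counts, **faults))
    except FailSafe as e:
        return ("failsafe", str(e))

if __name__ == "__main__":
    print(run([4, 4, 6, 4]))                    # fault-free: ("ok", 18)
    print(run([4, 4, 6, 4], bitflip_at=2))      # caught by the codeword check
    print(run([4, 4, 6, 4], skip_at=1))         # caught only by the signature check
```

Two caveats a practitioner should keep in mind. A corruption that changes a word by an exact multiple of A passes the codeword check, so the residual undetected fraction is roughly 1/A per random corruption and A is chosen accordingly. And these checks run on the same untrusted processor as the computation, which is why a real platform compares codewords and signatures in an independent checker rather than trusting a single in-line comparison.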

3.
Next-generation systems are expected to be largely cyber-physical systems (CPSs) that autonomously control physical processes through sensors and actuators, typically in real-time feedback and cooperative control loops distributed across physical and cyber environments. Rapid technological advances enhance the smartness of these CPSs, pushing the boundaries of their performance and efficiency by embedding new information and communication technologies. However, to what extent CPSs should become smarter without compromising the safety and security of safety-critical systems remains an open research question. Towards this goal, the purpose of this study is to establish a grounded theory to analyse what makes these systems smart and, eventually, how to find a balance between smartness and safety risks. In this context, this article aims to develop a conceptual framework, define the dimensions and derive the characteristics that make CPSs smart. The proposed approach combines an automated informetric and systematic analysis of literature pertinent to the topic of smartness across anthropology, science, engineering and technology. The analysis of a case study building and the discussion presented herein support the connection between the existing understanding of CPSs and the notion of smartness offered by the building design approach in the urban environment.

4.
Research on Ultradependability Assurance Technology for Safety-Critical Systems   Cited by: 5 (self-citations: 0, citations by others: 5)
1 Introduction. Safety-critical systems (SCS) are systems whose functional failure would cause major loss of life or property, or serious damage to the environment. Such systems are widespread in aerospace, defense, transportation, nuclear power and energy, healthcare and many other safety-critical domains. Ultradependability refers to a system's ability, given its availability at the start of a mission, to be usable and to complete its specified functions within the specified time and environment, that is, the ability to "succeed whenever it acts". With the rapid development of modern society and the presence of destabilizing factors, safety-critical systems are becoming ever larger and more complex, which lowers system reliability and safety, increases investment, lengthens development cycles and raises risk. The operating environments of safety-critical systems have also become more complex and harsh: from land and sea to air and space, the environments in which they are used keep expanding and becoming more severe. Harsh environments pose a serious challenge to achieving composite properties such as high reliability and high safety. In addition, the continuous fault-free missions that such systems require

5.
With the rapid development of software technology, more and more safety-critical systems are software intensive. Safety issues become important when software is used to control such systems. However, there are two important problems in software safety analysis: (1) there is often a significant traceability gap between safety requirements and software design, so that safety analysis and software design are often conducted separately; and (2) the growing complexity of safety-critical software makes it difficult to determine whether the software design fulfils the safety requirements. In this paper, we propose a technique to address these two problems at the model level. The technique is based on statecharts, which are used to model the behaviour of the software, and on fault tree safety analysis. It consists of two parts, corresponding to the two problems. The first part builds a metamodel of traceability between fault trees and statecharts to bridge their traceability gap, together with a collection of rules for the creation and maintenance of traceability links. The second part is a model slicing technique that reduces the complexity of statecharts with respect to the traceability information. The slicing technique handles the hierarchy, concurrency and synchronization features of statecharts. The reduced statecharts are much smaller than the originals, which helps the subsequent safety analysis. Finally, we illustrate the effectiveness and importance of the method with a case study of the slats and flaps control units of a flight control system.
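An added example (not the paper's metamodel, rules or tooling): the Python below computes the minimal cut sets of a small fault tree and then checks three traceability-link rules between the tree's basic events and a flat statechart, so the "traceability gap" the abstract describes shows up as concrete, listable violations. The slats/flaps states, events, transition ids and the rules R1 to R3 are constructed for this illustration.

```python
from itertools import product

# Fault tree nodes: a basic event is a str; a gate is ("AND" | "OR", [children]).
def minimal_cut_sets(node):
    """Minimal cut sets of a fault tree, by bottom-up expansion (MOCUS style)."""
    if isinstance(node, str):
        return {frozenset([node])}
    gate, children = node
    child_sets = [minimal_cut_sets(c) for c in children]
    if gate == "OR":
        combined = set().union(*child_sets)
    elif gate == "AND":
        combined = {frozenset().union(*combo) for combo in product(*child_sets)}
    else:
        raise ValueError(f"unknown gate {gate!r}")
    # a cut set that strictly contains another cut set is not minimal
    return {s for s in combined if not any(o < s for o in combined)}

def check_traceability(tree, transitions, links, hazardous_states):
    """Apply three link-maintenance rules (constructed for the example) between a
    fault tree and a flat statechart. transitions: {tid: (src, event, dst)};
    links: {basic_event: {tid, ...}}. Returns a list of violations, [] if consistent."""
    violations = []
    basic_events = set().union(*minimal_cut_sets(tree))
    # R1: every basic event that appears in a minimal cut set is linked to >= 1 transition
    for ev in sorted(basic_events):
        if not links.get(ev):
            violations.append(f"R1 basic event {ev!r} has no statechart transition")
    # R2: every link still points at an existing transition (catches dangling links
    #     left behind when the statechart is edited)
    for ev, tids in sorted(links.items()):
        for tid in sorted(tids):
            if tid not in transitions:
                violations.append(f"R2 link {ev!r} -> {tid!r} is dangling")
    # R3: every transition into a hazardous state is covered by some basic event
    covered = set().union(*links.values()) if links else set()
    for tid, (src, event, dst) in sorted(transitions.items()):
        if dst in hazardous_states and tid not in covered:
            violations.append(
                f"R3 hazardous transition {tid!r} ({src} --{event}--> {dst}) has no fault-tree event")
    return violations

# Constructed slats/flaps example: top event "uncommanded asymmetric flap position".
FLAP_TREE = ("OR", [
    ("AND", ["left_pos_sensor_stuck", "asymmetry_monitor_inhibited"]),
    ("AND", ["actuator_runaway", "timeout_not_armed"]),
])
FLAP_TRANSITIONS = {
    "t1": ("Retracted", "extend_cmd", "Extending"),
    "t2": ("Extending", "position_reached", "Extended"),
    "t3": ("Extending", "left_sensor_stuck", "AsymmetryHazard"),
    "t4": ("Extending", "monitor_inhibit", "Extending"),
    "t5": ("Extending", "actuator_runaway", "AsymmetryHazard"),
    "t6": ("Extending", "timeout_expired", "AsymmetryHazard"),
}
HAZARDOUS = {"AsymmetryHazard"}
# Links as left after a model change: one event unlinked, one link pointing at a removed t9.
STALE_LINKS = {
    "left_pos_sensor_stuck": {"t3"},
    "asymmetry_monitor_inhibited": {"t4"},
    "actuator_runaway": {"t9"},
}
CONSISTENT_LINKS = {
    "left_pos_sensor_stuck": {"t3"},
    "asymmetry_monitor_inhibited": {"t4"},
    "actuator_runaway": {"t5"},
    "timeout_not_armed": {"t6"},
}

if __name__ == "__main__":
    for cs in minimal_cut_sets(FLAP_TREE):
        print("cut set:", sorted(cs))
    for v in check_traceability(FLAP_TREE, FLAP_TRANSITIONS, STALE_LINKS, HAZARDOUS):
        print(v)
```

Running the rules against `STALE_LINKS` reports four violations (an unlinked basic event, a dangling link, and two hazardous transitions with no fault-tree event); against `CONSISTENT_LINKS` it reports none. The minimal cut sets are also what a slicing criterion would be built from: the transitions they trace to are the ones the reduced statechart must keep.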

6.
Machine Intelligence Research - To ensure the safe operation of any software controlled critical systems, quality factors like reliability and safety are given utmost importance. In this paper, we...

7.
Mutual exclusion is a fundamental process synchronization problem in concurrent systems. In this paper, we propose a unified framework for mutual exclusion, k-mutual exclusion, mutual inclusion, ℓ-mutual inclusion and similar problems, which we call the critical section problem. We then show that the critical section problem is characterized by a pair of integers.
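An added example (not from the paper): ordinary mutual exclusion is the k = 1 case of k-mutual exclusion, in which at most k processes may be inside the critical section at the same moment. The Python below implements k-mutual exclusion on a counting semaphore and records the peak occupancy, so the bound can be checked after a run with many contending threads. The `KMutex` name and the worker scenario are constructed for the example; the dual constraint, ℓ-mutual inclusion (at least ℓ processes inside), is not implemented here.

```python
import random
import threading
import time

class KMutex:
    """k-mutual exclusion: at most k threads inside at any moment (k = 1 is
    ordinary mutual exclusion). Peak occupancy is recorded for verification."""
    def __init__(self, k):
        if k < 1:
            raise ValueError("k must be at least 1")
        self.k = k
        self._slots = threading.BoundedSemaphore(k)   # the k admission tokens
        self._meta = threading.Lock()                 # guards the two counters below
        self.inside = 0
        self.peak = 0

    def __enter__(self):
        self._slots.acquire()                         # blocks while k threads are inside
        with self._meta:
            self.inside += 1
            self.peak = max(self.peak, self.inside)
        return self

    def __exit__(self, exc_type, exc, tb):
        with self._meta:
            self.inside -= 1
        self._slots.release()
        return False                                  # never swallow exceptions from the section

def run_workers(k, n_threads, rounds):
    """n_threads workers each enter the critical section `rounds` times.
    Returns (peak occupancy observed, number of entries per worker)."""
    cs = KMutex(k)
    entries = [0] * n_threads
    def worker(i):
        for _ in range(rounds):
            with cs:
                entries[i] += 1                       # each worker writes only its own slot
                time.sleep(random.uniform(0, 0.002))  # hold the section for a short while
    threads = [threading.Thread(target=worker, args=(i,)) for i in range(n_threads)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return cs.peak, entries

if __name__ == "__main__":
    peak, entries = run_workers(3, 8, 4)
    print(f"k=3: peak occupancy {peak}, entries {entries}")
    print(f"k=1: peak occupancy {run_workers(1, 4, 3)[0]}")
```

The recorded peak is a runtime monitor, not a proof: it shows that the bound held in this run, which is the right check for a test harness, while the argument that it always holds rests on the semaphore admitting at most k holders.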

8.
This paper presents an extract from our work on a software engineering method for avionic real-time systems [3], the C-Method, which covers the whole software lifecycle through a seamless process and integrates formal methods into that process. Because distributed, real-time and embedded (DRE) systems have safety-critical concerns, they require the use of formal languages (which allow non-ambiguous and rigorous specifications) in order to prove their non-functional properties. Therefore, the C-Method relies on formal languages in the earliest steps of system specification and on semi-formal languages in the analysis, design and programming steps. The fundamental question is how to integrate several languages with different levels of formalization and abstraction. Previous software engineering methods were based on a single language or notation, so they did not address this issue. In order to make the transitions between semi-formal and formal specifications more continuous, we have introduced into the development process what we call "intermediate" languages (+CAL and Why), which are easy to manipulate but directly linked to a formal language (TLA+ for +CAL, PVS for Why).

9.
Deliberate sabotage and terrorist attacks are major threats to the safety of modern societies. These attacks often target important infrastructures such as energy production and transmission systems, food and water supply networks, telecommunications networks and transportation networks. In such systems, some components are critical, as their malfunction may adversely affect the operation of the whole system. This research examines several models based on the median problem for identifying these components in a service system. In addition to the existing exact solution methods, we propose meta-heuristics to tackle this computationally hard problem. Our hybrid approach combines the strengths of both meta-heuristics and exact solution methods. The experiments show that the combination of solution methods significantly cuts down the computational requirement for finding the critical components of a service network for protection.

10.
ISO 26262 addresses the development of safe in-vehicle functions by specifying methods that may be used in the design and development lifecycle. It does not indicate what is sufficient and leaves room for interpretation. Yet the architects of electric/electronic systems need design boundaries to make decisions during the evolutionary design of an architecture without adding the risk of late changes. Correct selection of safety mechanisms from alternatives at early design stages is vital for the time-to-market of critical systems. In this paper we present and discuss an iterative architecture design and refinement process centred on ISO 26262 requirements and model-based analysis of safety-related metrics. The process simplifies the identification of the most sensitive parts of the architecture and the selection of the most suitable safety mechanisms, thereby reducing the system-level failure rate and improving the metrics defined by the standard. To support the defined process we present metamodels that can be integrated with existing DSL (domain-specific language) frameworks to extend them with the information needed to extract fault propagation behaviour. We provide a framework for architecture model analysis and selection of safety mechanisms. We give details of the model-based toolset developed to support the proposed analysis and synthesis methods, and demonstrate its application to the analysis of a steer-by-wire system model and the selection of safety mechanisms for it.
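An added example (not the paper's toolset or metamodel): ISO 26262-5 quantifies a hardware architecture with the single-point fault metric (SPFM) and the latent-fault metric (LFM), and the iterative process the abstract describes amounts to recomputing them after each safety-mechanism decision and looking at which element dominates the residual failure rate. The Python below does that for three constructed iterations of a steer-by-wire channel. The element names, FIT values and diagnostic-coverage figures are assumptions, and every fault of each element is treated as safety-related to keep the arithmetic short; the ASIL targets are the ones tabulated in ISO 26262-5.

```python
from dataclasses import dataclass

# ISO 26262-5 targets for the hardware architectural metrics, (SPFM, LFM) per ASIL.
TARGETS = {"B": (0.90, 0.60), "C": (0.97, 0.80), "D": (0.99, 0.90)}

@dataclass(frozen=True)
class Element:
    name: str
    fit: float           # failure rate in FIT (failures per 1e9 h); constructed figure
    dc_res: float = 0.0  # diagnostic coverage of the safety mechanism against faults that
                         # would violate the safety goal on their own (0.0 = no mechanism)
    dc_lat: float = 0.0  # coverage of the test that reveals a fault in the covered path
                         # before a second fault can combine with it

def classify(e):
    """Split an element's failure rate into ISO 26262 fault classes. With no safety
    mechanism every fault is single-point (SPF). A mechanism leaves the uncovered
    share as residual (RF) and turns the covered share into multiple-point faults
    (MPF), of which the share no latent-fault test reveals stays latent (MPF,L)."""
    if e.dc_res == 0.0:
        return {"spf": e.fit, "rf": 0.0, "mpf": 0.0, "mpf_latent": 0.0}
    mpf = e.fit * e.dc_res
    return {"spf": 0.0, "rf": e.fit * (1.0 - e.dc_res),
            "mpf": mpf, "mpf_latent": mpf * (1.0 - e.dc_lat)}

def metrics(elements):
    """SPFM and LFM over all safety-related elements, plus the raw sums behind them."""
    total = sum(e.fit for e in elements)
    parts = [classify(e) for e in elements]
    spf_rf = sum(p["spf"] + p["rf"] for p in parts)
    mpf = sum(p["mpf"] for p in parts)
    latent = sum(p["mpf_latent"] for p in parts)
    return {
        "spfm": 1.0 - spf_rf / total,
        "lfm": 1.0 - latent / mpf if mpf > 0 else 1.0,  # no MPF at all: nothing can be latent
        "lambda_spf_rf": spf_rf,
        "lambda_mpf_latent": latent,
    }

def meets_asil(m, asil):
    spfm_target, lfm_target = TARGETS[asil]
    return m["spfm"] >= spfm_target and m["lfm"] >= lfm_target

def most_sensitive(elements):
    """Elements ranked by their SPF+RF contribution: where the next mechanism buys most SPFM."""
    contrib = {e.name: classify(e)["spf"] + classify(e)["rf"] for e in elements}
    return sorted(contrib.items(), key=lambda kv: -kv[1])

# Constructed steer-by-wire channel, three design iterations.
NO_MECHANISMS = [
    Element("mcu", 100), Element("steering_angle_sensor", 50), Element("motor_driver", 200),
]
ITERATION_1 = [
    Element("mcu", 100, dc_res=0.99, dc_lat=0.90),                    # lockstep core + watchdog
    Element("steering_angle_sensor", 50, dc_res=0.90, dc_lat=0.90),   # range/plausibility check
    Element("motor_driver", 200, dc_res=0.99, dc_lat=0.60),           # current monitor, rare self-test
]
ITERATION_2 = [
    Element("mcu", 100, dc_res=0.99, dc_lat=0.90),
    Element("steering_angle_sensor", 50, dc_res=0.995, dc_lat=0.90),  # redundant dissimilar sensor
    Element("motor_driver", 200, dc_res=0.99, dc_lat=0.95),           # self-test every drive cycle
]

if __name__ == "__main__":
    for label, arch in [("none", NO_MECHANISMS), ("iter1", ITERATION_1), ("iter2", ITERATION_2)]:
        m = metrics(arch)
        print(f"{label}: SPFM={m['spfm']:.4f} LFM={m['lfm']:.4f} "
              f"ASIL D ok={meets_asil(m, 'D')} most sensitive={most_sensitive(arch)[0][0]}")
```

The first iteration passes the ASIL D SPFM threshold only just below (97.7%) and fails LFM badly because the motor driver's faults are covered but rarely tested; the ranking points at the sensor as the element whose residual rate dominates, and fixing both in the second iteration clears the ASIL D targets. Real analyses also weight each element by the fraction of its faults that are safety-related and treat the safety mechanisms themselves as elements, which this example omits.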

11.
The automotive operating system is the key component that connects and manages the software and hardware of a vehicle's electrical/electronic (E/E) system, and it is strongly domain-specific. The E/E architecture of vehicles is currently undergoing a revolution, and automotive operating systems will change dramatically with it. Whatever those changes are, however, vehicle safety remains the first attribute of a vehicle. This paper reviews current automotive operating systems from the standpoint of vehicle safety: first, it briefly introduces the two categories of vehicle safety; second, it outlines the characteristics of automotive operating systems, ...

12.
Context: Demonstrating compliance of critical systems with safety standards involves providing convincing evidence that the requirements of a standard are adequately met. For large systems, practitioners need to be able to effectively collect, structure, and assess substantial quantities of evidence. Objective: This paper aims to provide insights into how practitioners deal with safety evidence management for critical computer-based systems. The information currently available about how this activity is performed in the industry is very limited. Method: We conducted a survey to determine practitioners' perspectives and practices on safety evidence management. A total of 52 practitioners from 15 countries and 11 application domains responded to the survey. The respondents indicated the types of information used as safety evidence, how evidence is structured and assessed, how evidence evolution is addressed, and what challenges are faced in relation to provision of safety evidence. Results: Our results indicate that (1) V&V artefacts, requirements specifications, and design specifications are the most frequently used safety evidence types, (2) evidence completeness checking and impact analysis are mostly performed manually at the moment, (3) text-based techniques are used more frequently than graphical notations for evidence structuring, (4) checklists and expert judgement are frequently used for evidence assessment, and (5) significant research effort has been spent on techniques that have seen little adoption in the industry. The main contributions of the survey are to provide an overall and up-to-date understanding of how the industry addresses safety evidence management, and to identify gaps in the state of the art. Conclusion: We conclude that (1) V&V plays a major role in safety assurance, (2) the industry will clearly benefit from more tool support for collecting and manipulating safety evidence, and (3) future research on safety evidence management needs to place more emphasis on industrial applications.

13.
Context: Certification of safety-critical software systems requires submission of safety assurance documents, e.g., in the form of safety cases. A safety case is a justification argument used to show that a system is safe for a particular application in a particular environment. Different argumentation strategies (informal and formal) are applied to determine the evidence for a safety case. For critical software systems, application of formal methods is often highly recommended for their safety assurance. Objective: The objective of this paper is to propose a methodology that combines two activities: formalisation of system safety requirements of critical software systems for their further verification, and derivation of structured safety cases from the associated formal specifications. Method: We propose a classification of system safety requirements in order to facilitate the mapping of informally defined requirements into a formal model. Moreover, we propose a set of argument patterns that aim at enabling the construction of (a part of) a safety case from a formal model in Event-B. Results: The results reveal that the proposed classification-based mapping of safety requirements into formal models facilitates requirements traceability. Moreover, the provided detailed guidelines on construction of safety cases aim to simplify the task of argument pattern instantiation for different classes of system safety requirements. The proposed methodology is illustrated by numerous case studies. Conclusion: Firstly, the proposed methodology allows us to map the given system safety requirements into elements of the formal model to be constructed, which is then used for verification of these requirements. Secondly, it guides the construction of a safety case, aiming to demonstrate that the safety requirements are indeed met. Consequently, the argumentation used in such a constructed safety case allows us to support it with formal proofs and model checking results used as the safety evidence.

14.
This work proposes a novel approach to assessing confidence measures for software classification systems in demanding applications such as those in the safety-critical domain. Our focus is the Bayesian framework for developing a model-averaged probabilistic classifier implemented using Markov chain Monte Carlo (MCMC) and, where appropriate, its reversible jump variant (RJ-MCMC). Within this context we suggest a new technique, building on the reject region idea, to identify areas in feature space that are associated with "unsure" classification predictions. We term such areas "uncertainty envelopes"; they are defined in terms of the full characteristics of the posterior predictive density in different regions of the feature space. We argue this is more informative than the use of a traditional reject region, which considers only point estimates of predictive probabilities. Results from the proposed method are illustrated on synthetic data and applied to a real-life safety-critical system involving medical trauma data.

16.
于忠祺, 张小禹, 李建文. 《软件学报》 (Journal of Software), 2023, 34(8): 3467-3484
In recent years formal verification has received increasing attention; it plays an important role in guaranteeing the safety and correctness of systems in safety-critical domains. Model checking, the branch of formal verification with the highest degree of automation, has very broad prospects. In this paper we study and propose a new model checking technique that can effectively model-check transition systems, covering both the detection of unsafety and the proof of safety. Unlike existing model checking algorithms, the proposed method, UC-based approximate incremental reachability (UAIR), mainly uses unsatisfiable cores (UCs) to compute a sequence of candidate safety invariants until the final invariant is produced, thereby achieving both safety proofs and unsafety detection (bug finding). In SAT-solver-based symbolic model checking, we use the UC returned by the satisfiability solver to construct a candidate safety invariant; if the transition system is in fact safe, the initial invariant obtained is only an approximation of a safety invariant. We then refine the candidate safety invariant step by step while checking safety, until a true invariant is found that proves the system safe; if the system is unsafe, the method eventually finds a counterexample proving that it is unsafe. As an entirely new approach, we use unsatisfiable cores for safety model checking and obtain quite good results. It is well known that there is no absolutely best method in model checking; although our method cannot surpass mature methods such as IC3 and CAR in the number of benchmark instances solved, it solves 3 cases that none of the other methods can solve, and we believe it is a valuable addition to the model checking toolbox.

17.
We present lessons learned from using mechanical theorem proving for proof support in software verification, with trusted execution of programs in mind. We will use two realistic running examples, compiler verification, which is central if we want to prove that we can trust a piece of executable software, and an industrial project in which we proved the correctness of a safety critical expert system using (verified) runtime result verification. We will emphasize the role of partial program correctness and its preservation. And we will comment on high level control aspects, in particular on what we can and what we will not be able to prove for a concrete piece of executable software.

18.
Based on empirical research within the aviation industry, we have come to some surprising and sometimes counterintuitive conclusions concerning aircraft maintenance that are relevant to the discussion of social theory and its application to the explanation and management of socio-technical systems. In this article, the human role in the activity of aircraft maintenance is taken as an example to illustrate the need for critical discussion of social theory in order to better understand safety in socio-technical systems. This challenges us to consider the theoretical basis of how we currently approach the human factor in the management of such systems. We propose in the article that Roy Bhaskar's book "The possibility of naturalism: a philosophical critique of the contemporary human sciences" (1979) delivers a compelling social theory from which follows a social ontology of the objects of socio-technical systems, a necessary precursor to developing applied models and empirical accounts of socio-technical systems.

19.
Critical and catastrophic failures in high assurance and critical computing systems can arise from unfounded assumptions of independence between system components, requirements, and constraints (work product sections), which can stem from misunderstandings and miscommunication between system engineers, managers, and operators and from inadequate or incomplete traceability between system work products. In this article, we propose a formal framework for the effective implementation of traceability between work product sections, along with a technique for discovering potential causes of critical failures in high assurance and critical computing system models. We introduce a new abstraction of interrelated work product sections called the implementation meta-work product and describe how our technique finds these meta-work products. We also demonstrate how this technique can help analysts discover potential causes of safety-related errors in high assurance and critical computing systems by applying it to one case study of a known critical error and to one case study where we anticipate potential safety hazards.

20.
Ergonomics, 2012, 55(10): 1185-1195
The application of concepts, theories and methods from systems ergonomics within patient safety has proved to be an expanding area of research and application in the last decade. This paper aims to take a step back, examine what types of research have been conducted so far and use the results to suggest new ways forward. An analysis of a selection of the patient safety literature suggests that research has so far focused on human error, frameworks for safety and risk, and incident reporting. The majority of studies have addressed system concerns at an individual level of analysis, with only a few analysing systems across multiple system boundaries. Based on the findings, it is argued that future research needs to move away from a concentration on errors and towards an examination of the connections between system levels. Examples of how this could be achieved are described in the paper. The outcomes of the review of the systems approach within patient safety provide practitioners and researchers within health care (e.g. the UK National Health Service) with a picture of what types of research are currently being investigated, gaps in understanding and possible future ways forward.


Copyright © 北京勤云科技发展有限公司 (Beijing Qinyun Technology Development Co., Ltd.)  京ICP备09084417号