
Bernhard Kaiser, Dr.-Ing.
- Principal Safety Consultant at ANSYS
About
57
Publications
45,688
Reads
886
Citations
Introduction
I work as a Principal Safety Consultant with ANSYS Germany, a provider of MBSE, simulation and safety analysis tool solutions. My focus is on automotive safety, in particular automated driving and SOTIF, and on MBSE. I have been taking part in a variety of internal and publicly funded research projects, and I am constantly seeking innovative solutions for ANSYS' tools, e.g. by integrating simulation and safety analysis more closely or by improving specification, modeling and verification methods.
Current institution
Additional affiliations
March 2018 - present
ANSYS Germany
Position
- Consultant
Description
- Responsible for safety consulting worldwide and research to prepare innovative solutions to our safety analysis and simulation products, with a focus on automated vehicles and SOTIF.
October 2004 - March 2006
April 2001 - December 2004
Publications (57)
This is the slide deck (extended version, including slides I had to hide from the presentation for time reasons) for the paper "An agile approach to safety cases for autonomous systems through MBSE and simulation", given at the Safety-Critical Systems Symposium in York on 6 February 2015.
Meeting safety objectives of Advanced Driver Assistance Systems (ADAS) and Autonomous Vehicles (AVs) in all driving situations remains a key engineering challenge. The tight integration of system design, safety analysis, software/hardware design, simulations of driving scenarios for early validation and verification activities into a fully digital...
This paper presents a model-based systems engineering (MBSE) workflow in compliance with aerospace safety standards, based on the new SysML v2 language and with particular focus on executable models. We extend the SysML modeling concepts by Component Fault Trees (CFTs) to form an integrated modular Model-Based Safety Analysis (MBSA) approach. We s...
Background: The Operational Design Domain (ODD) of an automated driving function defines on which roads and under which environmental conditions the function is safe to operate. It plays an important role in definition, safety analysis and validation of automated driving. In many cases, users want to determine metrics about ODDs, or about ODDs in c...
Advanced driver assistance systems (ADAS) and automated driving functions are the most complex automotive systems today. They span multiple ECUs, sensors and actuators and need to integrate different, sometimes counteracting requirements. On top of this comes their safety-criticality, both in terms of functional safety (FuSa) (failure-related) and...
The ODD specification is an important import document for development and safety assurance of ADAS and automated driving systems. Many use cases require deriving metrics for ODDs, for instance to compare the ODDs of two differences in size, or to measure the coverage of an ODD by a set of test scenarios. This talk proposes a definition fo...
This presentation (which is preliminary due to the ongoing standardization process of ISO 21448) starts by explaining what is new about SOTIF (Safety of the Intended Functionality, as related to ADAS and Automated Vehicles) and what a practically applicable SOTIF process might look like. The middle part shows by examples how these analysis and concep...
This article provides a simplified example of the usage of STPA (System-Theoretic Process Analysis) in the context of SOTIF for an automated Highway Pilot function for passenger cars.
Presentation slides belonging to the linked conference paper
Component Fault Trees (CFTs) were invented in 2003 as a compositional extension to fault trees to better reflect the technical architecture of a system in its safety analysis model. Since then, a lot of research has been contributed regarding semantic extensions, evaluation techniques, and tighter linking between system and safety models. This pape...
This presentation collects ideas from past consulting projects in the domain of SOTIF and, more generally, safety for ADAS and upcoming higher-level vehicle automation. It proposes a 5-step approach on how to proceed and gives examples of safety analyses and validation activities to be used at each stage, in particular qualitative and quantitative analyses...
The automotive industry is challenged by the ever-increasing complexity of new assistance and automated driving functions. The approach of verification mainly by test driving is reaching its limits, and there is a clear need for more systems engineering and correct-by-construction approaches. Have formal methods reached a degree of applicability to br...
These days, we are witnessing the transition from traditional closed and restricted-purpose embedded systems towards networked Cyber-Physical Systems. This applies to many industries, but in particular to the automotive industry, where assistance and automated driving functions are formed from complex combinations of functions and electronic contro...
Automated Driving
- Safe Design must complement Safety Testing
- Safety = Assuring Safe Nominal Function + Coping with Failures
- How Structured Requirements Breakdown Leverages Verification
- From Verification at Development Time to Safety Monitors at Runtime
- What if Artificial Intelligence comes into play?
Automated cooperation is arriving in practice, for instance in vehicular automation like platoon driving. The development and safety assurance of those systems pose new challenges, as the participating nodes are not known at design time; they engage in communication at runtime, and the system behaviour can be distorted at any time by failures in so...
Most embedded systems in the automotive, avionics, or automation domains are safety-critical systems which are subject to strict safety standards and regulatory guidelines which govern the development process. These standards and guidelines require a tight integration between the development process and safety assurance. In modular engineering appr...
Today's safety standard ISO 26262 was written with the "fail-safe" paradigm in mind; future highly automated vehicle functions shift towards "fail-operational", i.e. the system needs to continue operating (at least partly) in the presence of failures. Full redundancy, the standard solution in other industry domains, is often not an option for automotive...
Although the main concern of developers of Camera Monitor Systems (CMS) is usually about meeting the legal requirements and image quality demands, one should not forget that CMS are electronic systems with the potential to endanger vehicle safety, and therefore subject to a Functional Safety process according to the worldwide standard ISO 26262. Fu...
- Higher degree of vehicle automation enforces quantitative target requirements regarding performance of the nominal function for the sake of safety
- Giant combinatorics of influence factors pushes conventional verification approaches by vehicle testing to their limits
- Systematic requirements breakdown onto architectural elements shows the way tow...
The distributed design process for safety-critical embedded systems has become an increasingly difficult challenge: Electronic Control Units (ECUs) in vehicles, for instance, participate in many vehicle functions, while each vehicle function, in turn, is spread across several ECUs. Many suppliers participate in systems design and many partial funct...
As part of the case study in the research project [SPES_XT], a safety concept for the "Cruise Control (CC)" function was developed. With the "Cruise Control (CC)" function, the vehicle speed can be held at the target speed set by the driver. The customer-perceivable function ACC is an extension of the fu...
In this contribution, we present a probabilistic extension of failure nets (FN) originating from Failure Mode and Effects Analysis (FMEA). FMEA is a well-proven qualitative failure analysis method which has been subject to several suggestions towards methodical improvements. The approach of the quantified and extended Multiple FMEA models based on...
For a long time, risks related to manipulation protection and data protection of vehicle electronics could be considered relatively uncritical. Prominent examples include the manipulation of odometer readings and the decoding of power limiters that require direct physical access to the vehicle. However, the introduction of wireless technology and inter...
Designing safety-critical cyber physical systems (CPS) was and remains a challenging task. CPS engineers are supposed to design solutions that are easy to modify, reusable, satisfy certification authorities, meet safety goals, separate between concerns, etc. With these partly contradicting demands it sometimes is even impossible to find a viable CPS...
For several years, research has been directed at a closer integration of model-based systems development and safety analysis. This paper presents an approach and a tool for a better and earlier interlocking of systems development and safety analysis. At the core of the approach is linking the ...
- Safety does not only relate to E/E failures (ISO 26262 scope), but also to correctness, performance and reliability of nominal functions, e.g. sensors
- Safety requirements involve probabilistic targets
- Verification with acceptable confidence needs structured requirements breakdown onto partial function blocks
- Verification by testing requires...
- Distributed realization of functions requires new approaches to the safety case
- Fail-operational requires fallback levels and allocation with redundancy in mind
- Merging of safety and nominal function / performance
Abstract: For several years, research has been directed at a closer integration of model-based systems development and safety analysis. This paper presents an approach and a tool for a better and earlier interlocking of systems development and safety analysis. At the core of the approach is the link...
The functional and technical safety concept are key work products in the ISO 26262 safety life cycle. However, when developing a safety concept, the high level of complexity and variability of ECU architecture and functions go hand in hand with increasing resource needs for developers and reviewers. Re-usable safety concepts based on a modular desi...
The latest generation of driver assistance and safety systems (Advanced Driver Assistance Systems, ADAS) is today no longer reserved for luxury-class vehicles but is available to broad customer segments, increasing the comfort and safety of road traffic. With regard to development, and especially to safety, by which...
Abstract: In recent years, the automotive industry has undergone a paradigm shift from component-oriented to function-oriented development: cross-component systems are first modelled functionally as a whole, and only in a second step are they allocated to technical components. Likewise, the me...
Unlike in the past, automotive systems are no longer developed in a component-oriented fashion (one more or less isolated ECU from one supplier for one dedicated purpose), but allocate many functions onto a network of many ECUs. The functions are structured by components, and there is a high degree of partition of work of component manufacturers an...
Increasing enforcement of safety standards - such as the new ISO 26262 - requires developers of embedded systems to supplement their development processes with safety-related activities, such as hazard analysis or creation of technical safety concepts. Since these activities are often only loosely coupled with core development tasks, their addition...
Safety models for software-controlled systems should be intuitive, compositional and have the expressive power to model both software and hardware behaviour. Moreover, they should provide quantitative results for failure or hazard probabilities. Fault trees are an accepted and intuitive model for safety analysis, but they are incapable of expressin...
State/Event Fault Trees (SEFTs) are a new, hierarchical and state-based modelling formalism for dependability analysis. SEFT semantics are defined by mapping the model onto an equivalent Deterministic and Stochastic Petri Net, which is also used for quantitative evaluation. This state-based analysis increases the expressive power of the model but o...
The ubiquitous presence of software-controlled systems in all areas of everyday life has steadily increased the demand for safety and reliability analyses. On the one hand, these require models that are capable of describing all types of safety relevant system behaviour, and, on the other hand, analysis techniques that derive quantitative hazard or...
Model-driven and component-based software engineering methodologies are currently key factors for the successful construction of complex software systems. To effectively apply these methodologies to mission- and safety-critical systems, component-based models should also support hazard analysis techniques and enable the automatic construction of sa...
The analysis of Fault Trees (FTs) is usually performed by transformation into Binary Decision Diagrams (BDDs). The size of a BDD depends heavily on the order of its variables. Different approaches exist to optimise the variable order by reordering or applying heuristics. We present a new approach that is based on Component Fault Trees (CFTs), an FT...
Over the past years, the paradigm of component-based software engineering has been established in the construction of complex mission-critical systems. Due to this trend, there is a practical need for techniques that evaluate critical properties (such as safety, reliability, availability or performance) of these systems. In this paper, we review se...
The increasing application of COTS components and component-based software engineering has entailed the development of appropriate component specifications. In the embedded systems domain it would be desirable to benefit from these component specifications to integrate and automate safety and reliability analysis. For this reason, we propose in thi...
Fault Trees (FT) are an established model for reliability and safety analysis of technical systems. They are combinatorial models and thus cannot consider state dependencies or temporal order of events. We recently proposed State-Event-Fault-Trees (SEFTs), an extension of Fault Trees with a State/Event Semantics, as a reliability model for embedded...
Over the past years, component-based software engineering has become an established paradigm in the area of complex software intensive systems. However, many techniques for analyzing these systems for critical properties currently do not make use of the component orientation. In particular, safety analysis of component-based systems is an open fiel...
Safety models for software-controlled systems should be intuitive, compositional and have the expressive power to model both software and hardware behaviour. Moreover, they should provide quantitative results for failure or hazard probabilities. Fault Trees are an accepted and intuitive model for safety analysis, but they are incapable of expressin...
The decomposition of complex systems into manageable parts is an essential principle when dealing with complex technical systems. However, many safety and reliability modelling techniques do not support hierarchical decomposition in the desired way. Fault Tree Analysis (FTA) offers decomposition into modules, a breakdown with regard to the hierarch...
Fault Tree Analysis is a very popular technique to assess safety and reliability of technical systems. However, being a combinatorial model, Fault Trees can only express which combinations of failures contribute to a certain hazard or accident. There is no means to model sequences of actions and temporal orders of states and events. Since tod...
This article presents a framework for integrating different safety and reliability analysis models both with one another and with development models. Quantitative analyses continue to be performed with the methods of the individual sub-models; the framework's tool controls the overall workflow. Since the framework ...
To deliver complex functionalities in a cost effective manner, distributed manufacturing systems should ideally be based on standard interoperable components and be flexible and easily extensible. At the same time, systems must be demonstrably safe and reliable. In this paper, we argue that to balance these conflicting demands effective safety anal...