ArticlePDF Available

Model-Based Assurance for Justifying Automotive Functional Safety

  • April 2010
DOI:10.4271/2010-01-0209
Authors:
Ibrahim Habli at The University of York
Ibrahim Habli
Ireri Ibarra at Volvo Car Corporation
Ireri Ibarra
Jaguar Land
Jaguar Land
Jaguar Land
  • This person is not on ResearchGate, or hasn't claimed this research yet.
Roger Rivett at The University of York
Roger Rivett
Show all 5 authorsHide
Download full-text PDF
Read full-text
Download citation

Abstract and Figures

With the growing complexity of, and reliance on, safety-related electrical/electronic (E/E) systems in the automotive sector, the development of an explicit safety case is highly recommended to provide assurance to the different stakeholders interested in automotive functional safety. The production of a safety case is explicitly mandated by the draft automotive functional safety standard ISO26262. A safety case should consider all organisational and technical factors that may contribute to safety. For example, it should provide assurance for the safe behaviours of a particular system as well as assurance for the process by which this system is developed, operated and maintained. In this paper, we address one component of the overall safety case, namely the assurance of the functional safety concept. In particular, we examine how model-driven development and assessment can provide a basis for the systematic generation of functional safety requirements. We demonstrate how an automotive safety case can be structurally and traceably developed, justifying why and how the defined functional safety requirements can adequately mitigate the risk of the identified hazards to an acceptable level. A case study is also presented throughout this paper, discussing examples and lessons learnt from the development of a safety case for an air suspension system.
Figures - uploaded by Tim Patrick Kelly
Author content
All figure content in this area was uploaded by Tim Patrick Kelly
Content may be subject to copyright.
Content uploaded by Tim Patrick Kelly
Author content
All content in this area was uploaded by Tim Patrick Kelly
Content may be subject to copyright.
Page
1
of
16
10AE
-
0181
Model
-
Based Assurance for Justifying Automotive Functional Safety
University of York
Ireri Ibarra,
Jaguar Land Rover
Roger Rivett
Jaguar Land Rover
Tim Kelly
University of York
Copyright © 2010 SAE International
ABSTRACT
With the
growing complexity of, and reliance
on, safety
-
related electrical/
electronic (E/E) systems in the
automotive sector, the development of an explicit safety case is highly recommended to provide assurance to
the different stakeholders interested in automoti
ve functional safety. The production of a safety case is explicitly
mandated by the draft automotive functional safety standard ISO26262.
A safety case should consider all
organisational and technical factors that may contribute
to safety. For example, it
should provide assurance for
the safe behaviours of a particular system as well as assurance for the process by which this system is
dev
eloped, operated and maintained
. In this paper, we address one component of the overall safety case, namely
the assuranc
e of the functional safety concept. In particular, we examine how model
-
driven development and
assessment can provide
a
basis for
the
systematic generation of functional safety requirements. We demonstrate
how an automotive safety case can be structurally
and traceably developed, justifying why and how the defined
functional safety requirements can adequately mitigate the risk of the identified hazards to an acceptable level.
A case study is also presented throughout this paper, discussing examples and less
ons learnt from the
development of a safety case for an air suspension system.
INTRODUCTION
Providing assurance for safety lies at the heart of a safety management system. This assurance can be implicit,
through compliance with a safety process as prescrib
ed within a particular safety standard. In contrast, this
assurance can be explicit, communicated by means of a clear safety case. A safety case presents an argument,
supported by evidence, that the system is acceptably safe to operate in a given environme
nt. A safety case
should consider all organisational and technic
al factors that may contribute
to safety. For example, it should
provide assurance for the safe behaviours of a particular system as well as assurance for the process by which
this system is
developed, operated and maintained. In the automotive sector, safety case development is
increasingly being adopted, partly due to the growing complexity of, and reliance on, E/E systems to perform
safety
-
related functions. The production of a safety case
is explicitly mandated by the draft automotive
functional safety standard ISO26262 (DIS ISO26262
-
2 6.5.3) [
1
].
Page
2
of
16
In this paper, we examine how a safety case can be developed for the assurance of the functional safety concept
for an automotive E/E system.
Th
e objective of the functional safety concept, as described in the draft
ISO26262, is to define a set of functional safety requirements which together satisfy all the safety goals
associated with the hazards determined during hazard analysis and risk assess
ment [
1
]. The functional safety
concept includes fault detection and failure mitigation, transitioning to a safe state, fault tolerance mechanisms,
driver warnings and arbitration logic
[
1
].
In particular, we examine how a model
-
driven approach can provide
a
basis for the systematic generation of the functional safety requirements considered in the safety case. We also
explore and evaluate how traceability between the design models and safety analyses can be enhanced by means
of explicit integration between
the safety case
, represented in
the Goal Structuring Notation (GSN)
[3]
,
and the
system
models
, represented in
the Systems Modelling Language (SysML)
[2]
.
A case study is presented throughout this paper, discussing examples from the development of a prel
iminary
safety case for a 4
-
corner air suspension system
1
.
The two main functions of this system are to maintain a level
vehicle at the target ride height and to allow changes in target vehicle ride height. These changes may either
occur automatically as a
result of constraints in vehicle speed or as a direct request from the driver using the
controls
provided.
The rest of the paper is organised as follows. In the next section, we introduce the model
-
based approach
considered in this paper, briefly discussi
ng the graphical notations used throughout the paper. The top
-
level
safety argument for the air
suspension
system is then presented, showing how it relates to contextual and system
models. Next, we present a fault mitigation argument, demonstrating the ade
quacy of the functional safety
concept to address certain hazardous conditions. The process perspective of assurance is then discussed by
describing
a process
-
based safety argument. Finally, a number of conclusions are presented.
MODEL
-
BASED APPROACH TO FU
NCTIONAL SAFETY ASSU
RANCE
Achieving integration between functional and behavioural design and safety analysis is essential for the
development of safety
-
critical systems. This is mainly because safety is a consequential attribute; i.e. safety
conditions su
ch as hazards and failure modes are often an outcome of certain unintended system functionalities
and behaviours in a given environment. When safety assessment results, such as failure modes and safety
requirements, are generated for a system function, it
is necessary to trace these results explicitly to the design
specifications, including all relevant environmental assumptions, concerning that function. This is why system
hazards are typically identified given the safety analysts’ understanding of the sys
tem and its environment. For
example, safety modes are often stated given certain assumptions about data sampling rates, levels of
independence, expected operation modes, maintenance procedures and end
-
user competencies. In this paper, we
consider how mode
l
-
based engineering can enhance integration between design and safety assurance,
specifically for automotive applications. In particular, we consider two graphical notations: SysML and
GSN
.
Both
SysML and GSN produce graphical representation
s
in a modular
and
hierarchical way. In particular,
m
odularity helps
in
handl
ing
the complexity of the system representation and safety argument by
supporting
the
creation of smaller chunks of informati
on that are scalable and manageable
.
1
Neither the author nor JLR shall be responsible or liable in negligence or otherwise howsoever in respect of any inaccuracy o
r
omission herein. Without de
rogating from the generality of the foregoing neither the author nor JLR shall be liable for any indirect or
consequential loss caused by or arising from any information, advice or inaccuracy or omission contained herein.
Page
3
of
16
THE SYSTEMS MODELING
LANGUAGE (
SYSML)
Companies
which produce
complex
safety
-
critical systems
are increasingly adopting model
-
based approaches
to the development, assessment and assurance of E/E systems. This is best exemplified by the growing interest
in SysML [
2
], particularly in its
role in the description and analysis of systems requirements and design
architectures. SysML, which is
partly
based on the Unified Modelling Language (UML), offer
s
graphical means
for modelling the structural and behavioural aspects of systems through a se
t of syntactically
-
defined diagrams
(Figure 1). These diagrams are particularly useful for the documentation of early
-
lifecycle artefacts such as
requirements and design specifications. For example, use case diagrams, often used for requirements
specificat
ion, capture a particular usage of the system and the way in which the system should interact with its
environment. Conversely, block definition diagrams, normally used for architectural design definition, describe
the modular units of a system, e.g. contr
ol or monitoring units. The behaviours associated with these blocks are
typically described using a set of activity diagrams. Collectively, these diagrams provide an integrated
description of the system, depicted from the behavioural as well as from the st
ructural perspectives.
Fig. 1. SysML Diagrams
[2]
THE GOAL STRUCTURING
NOTATION (GSN)
Recently, there has been a marked shift towards safety standards that recommend or mandate the development
and management of well
-
structured and well
-
guments. To effectively develop such
arguments, the safety sector is increasingly adopting graphical modelling notations for the representation of
safety arguments. This is partly because of the capability of graphical argumentation notations such as GSN t
o
address the difficulty of communicating and maintaining complex safety arguments described in free text [
3
].
GSN represents safety arguments in terms of basic elements such as goals, solutions, and strategies (Figure 2).
Arguments are created in GSN by l
inking these elements using two main relationships, ‘supported by’ and ‘in
context of’ to form a goal structure. The principal purpose of any goal structure is to show how goals (claims
about the system) are successively broken down into sub
-
goals until a
point is reached where claims can be
supported by direct reference to available evidence (solutions). As part of this decomposition, using the GSN it
is also possible to make clear the argument strategies adopted (e.g. adopting a quantitative or qualitativ
e
approach), the rationale for the approach and the context in which goals are stated (e.g. the system scope or the
Page
4
of
16
assumed operational role). To address the complexity of certain safety arguments, GSN supports the
decomposition of safety arguments into a
number of modules (i.e. argument modules), which reference one
another by means of Away Goal
s. This approach is often refer
red
to as '
modular safety cases
' [
4
].
Fig. 2. Principal Elements of the Goal Structuring Notation
OVER
VIEW OF THE APPROACH
As previously mentioned, this paper targets the justification of the functional safety concept for automotive E/E
systems. In particular, we address the justification of the functional safety concept by explicitly representing a
safety
argument which considers the adequacy of the functional safety requirements in mitigating the risk of the
identified system hazards. This safety argument is modelled in GSN and is traced to a set of contextual and
system models, defined in SysML (Figure 3
). These SysML models describe the environment within which the
system is deployed, the functions provided by the systems, the modular units comprising the system and the
behaviours exhibited by the system. These models provide the basis upon which the haz
ard analysis and risk
assessment activities are carried out. Further, these models provide the basis upon which the functional safety
concept is defined by showing the fault mitigation mechanisms deployed to reduce the risks of the identified
hazards. Most
of these SysML models of the environment and the system, particularly those specifying the fault
mitigation behaviours of the system, are referenced in the safety argument, maintaining a traceable link between
the safety assessment artefacts and the SysML
models. In the next sections, we describe this model
-
based
approach to functional safety assurance by discussing examples and lessons learnt from the development of a
safety case for an air suspension system. We first describe the top
-
level argument which
addresses a set of
identified hazards and how they relate to system functions within a particular environment. We then describe
the structure of the arguments addressing the risk of each identified hazard by means of explici
t mitigation
measures, describe
d in a set of SysML diagrams.
Page
5
of
16
x
x
i
x
x
x
I
P
x
x
x
x
4
x
x
x
x
x
x
x
u
x
I
P
x
Fig. 3. Overview of Relation between Safety Case and Context and System
HAZARD
-
AND RISK
-
DIRECTED SAFETY ARGU
MENT
Figure 4 shows the top
-
level safety argument for the air suspension system. The to
p
-
level
goal is a claim that all
due diligence has been performed. This is achieved by adopting industry best practice as defined in the relevant
functional safety standard, ISO 26262. The standard is hazard directed and
"
uses ASILs
[Automotive Safety
Inte
grity Levels]
for specifying the item's necessary safety requirements for achieving an acceptable residual
risk
" [
1
].
Therefore this argument is hazard
-
and risk
-
directed.
That is, the argument explicitly addresses the risk
of each identified hazard, showi
ng that each risk is acceptable. Hazards associated with
the air suspension
system are identified by considering the potential effects of the system's operation, and non
-
operation, in a
variety of different user situations. It is important to note that thi
s safety argument is described in the context of
an explicit definition of the system and its environment (
'AirSus_Def'
,
'AirSus_Env'
and
'C_Safety_Envelope'
).
This definition is referred to as
'Item Definition'
in the Draft ISO26262 (DIS ISO26262
-
3 5.5).
The item
definition for the air suspension system considered in this paper is described in terms of a number of SysML
models, namely:
Context and feature models: described in block definition and internal block definition diagrams
System requirements mode
ls: described in use case diagrams
(mainly high
-
level functionality)
System structure: described in block definition and internal block definition diagrams
System behaviours: described in activity diagrams
In the next subsections, we briefly discuss these
models and how they are linked to the safety conditions
considered within the safety argument.
Page
6
of
16
Fig. 4. Top
-
Level
Safety
Argument
CONTEXT AND FEATURE
MODELS
The context model defines factors in the environment of the air suspen
sion system with which the system
interact
s
. These factors are grouped in a number of packages, addressing:
Vehicle characteristics such as vehicle load and body type (pkg Vehicle)
Peer systems such as those providing ignition status and vehicle speed (pkg
OtherSystems)
Vehicle support covering maintenance and service (pkg Support)
Physical environment such as road and obstacle types (pkg PhysicalEnvironment)
Actors specifying persons affected by the system such as drivers, passengers and maintenance perso
nnel
(pkg Actors)
Further, this context model specifies which contextual factors are core, i.e. common to all system variants, and
which are optional. These factors play a key role in constraining the scope of the safety case
(e.g.
the
'
AirSus_Env
'
contex
t element in
Figure 4
)
. An example of how these contextual factors were specified for
vehicle characteristics (pkg Vehicle) is shown in Figure 5.
Page
7
of
16
<<
core
>>
Load
<<
core
>>
Driving phase
<<
core
>>
Non Stationary
<<
core
>>
Stationary
<<
core
>>
Parked
<<
core
>>
Ingress
/
egress
<<
core
>>
Body type
<<
core
>>
Drive type
<<
Optional
>>
Saloon
<<
Optional
>>
Estate
<
Optional
>>
4
x
4
<<
Optional
>>
Rear wheel drive
<<
Optional
>>
All wheel drive
<<
Optional
>>
Tow bar
<<
core
>>
Towing
<<
core
>>
Plant
(
End of Line
)
<<
core
>>
Garage
pkg
Vehicle
<<
core
>>
Normal height
<<
Optional
>>
Access height
<<
Optional
>>
Crawl height
<<
core
>>
Predefined Height
<<
Optional
>>
Off
-
road height
<<
core
>>
Vehicle Height
<<
Optional
>>
Not Predefined Height
<<
Optional
>>
Default height
<<
core
>>
Bump Stops height
Fig. 5. An Extract from the Air Suspension System Context Model
The feature model
of the air suspension system specifies the system’s core and optional functions and operating
states. Figure 6 shows an extract from the feature model, showing the different ways in which the target ride
height may change. For example, it shows that a cha
nge of the vehicle height can be initiated automatically by
the vehicle (core), manually by the maintenance team (core) or manually by the driver (optional, depending on
the vehicle type).
Fig. 6: An Extract from the Air Suspen
sion System Feature Model
FUNCTIONAL, STRUCTUR
AL AND BEHAVIOURAL S
YSTEM MODELS
The system definition is specified in terms of various SysML models describing the functional, structural and
behavioural characteristics of the system. In particular, the follo
wing models are generated:
Use Case Models: describing system functions captured in the feature model and how they relate to one
another and to their context
Block Definition and Internal Block Definition Models: describing the main components and
communic
ations in the system
Activity Diagrams: describing nominal and fault management behaviours of the system, detailing the
behaviour of each function under normal and impaired conditions.
Page
8
of
16
The main functionality of the air suspension system is to maintain an
d change the target ride height under all
rated vehicle operating conditions. This functionality is provided by controlling the quantity of air in the air
springs at all four corners of the vehicle in response to the signals from sensors that measure the s
uspension
height at each wheel. This functionality is described in Figure 7 in a SysML use case diagram. For example, the
use case
' Change target ride height'
specifies a particular function of the air suspension system which allows
the driver to request
several height settings for different driving conditions. Several different ride heights are
requested automatically for different operating conditions (including special conditions to assist in special
operations such as maintenance and transport). The u
se case diagram also shows how this function relates to the
system's environment by linking the use case
' Change target ride height'
to external factors such as
'Door
status'
,
'Terrain response'
and
'Road prompts'
. All of these factors are captured in the
context model introduced
in the previous section (ensuring explicit model
-
based traceability between the system functions and the
environment within which these functions can be used).
Fig. 7. SysML Use Case Diagram
The detai
led behaviours associated with each function captured in the use case diagram are specified using a
SysML activity diagram. For example, Figure 8 shows an activity diagram detailing the system behaviours
associated with the
'Deliver height'
function. This
activity diagram
describes two key operational behav
iours
related to raising and lowering
the vehicle based on several inputs such as '
Vehicle speed
', '
Lateral acceleration
'
and '
Door status
' (all of which trace
to the context model).
Page
9
of
16
Fig. 8. SysML Activity Diagram (Deliver Height)
In short, the top
-
level safety argument in figure 4 addresses the risk of system hazards as identified with
reference to the item definition described in SysML diagrams. This safety argument present
s a set of claims
regarding the acceptability of the risk associated with each system hazard. In this argument, each of these
claims is encapsulated with
in
a separate
argument module
which presents an argument supporting the claim
about the risk mitigation
of the hazard. For example, the claim about the risk of trap is described in an Away
Goal which is supported by an argument encapsulated in
the
'Trap Hazard Argument'
module (
illustrated
separately in
Figure
9
). The type of arguments encapsulated in these
modules support the claim concerning the
acceptability of the hazard risk by appealing to the adequacy of the functional safety concept to reduce the risk
of the hazard to an acceptable level. This is discussed in further detail in the next section.
Fig.
9
. Argument Module Reference
RISK MITIGATION SAFE
TY ARGUMENT
In this section, we discuss the structure of the argument addressing the claim regarding the acceptability of the
risk associated with a particular hazard by appeali
ng to the adequacy of the functional safety concept. The
Page
10
of
16
structure of the argument is depicted in Figure
10
(the name of the hazard and certain failure conditions were
removed for reasons of commercial sensitivity). The argument shows that the risk has bee
n adequately managed
in accordance with the ASIL defined for that risk. This argument justifies the defined risk classification against
the ISO26262 ASIL scheme, based on the estimated severity, probability of exposure and controllability of each
hazard. B
ased on the ASIL associated with the risk, the argument justifies that the risk has been managed by
eliminating causes of the hazard considered by that risk. Where there are faults which can impair the
elimination of these hazard causes, the argument addre
sses these faults by showing how fault
-
mitigation
measures have been defined to keep the vehicle in an acceptably safe state in presence of these faults.
Fig.
10
. Hazard Argument Module
For the air suspension system, the initi
al SysML models were analysed to determine how system failures could
lead to the hazards. The required fault management behaviours, necessary to mitigate all the
hazards, were
subsequently determined. These fault management behaviours were also captured in
Activity diagrams.
In
ISO26262 terms, the set of fault management behaviours constitute the functional safety concept which was
documented as a set of functional safety requirements, traceable to both the nominal and fault management
Activity diagrams.
Page
11
of
16
Three forms of fault
-
mitigation measure are considered in the safety argument of the air suspension system,
namely:
Lowering the vehicle to an acceptably safe height
the choice of this height depends on factors such as the
detection of certain faults a
nd previous vehicle height and speed
Disabling all requests for a vehicle height change
this includes automatic and manual requests
Warning the driver of a fault
different types of warnings are used, mainly depending on the critically of
the faults an
d the different configurations of the driver interface, e.g. choice of optional features supporting
textual messages in addition to core driver interface features such as warning lamps and chimes.
For instance, the mitigation of the failure condition cause
d by the inability to measure corner heights
(
'Vehicle_height_indeterminate'
) is described in the Activity diagram shown in Figure 1
1
. This Activity
diagram shows that, upon the detection of the inability to measure corner heights or control pressure, the
system
lowers the vehicle to the bump
-
stops height, disables height changes and informs the driver of a fault. The
argument within the air suspension system safety case corresponding to this fault mitigation behaviour is shown
in Figure 1
2
(contained withi
n the argument module supporting the claim
'Vehicle_height_indeterminate'
previously included
in Figure
10
).
Fig. 1
1
.
Inability to Measure Corner Heights SysML Activity Diagram
Page
12
of
16
Fig. 12. Height Mea
surement Argument Module
PROCESS
-
BASED SAFETY ARGUMEN
T
Finally, the air suspension system safety case includes an argument module addressing the assurance of the
hazard identification and risk assessment process (‘
Hazard Analysis Process Argument
’). This a
rgument is
referenced in Figure 4 by the ‘
Top
-
Level Argument
', specifically through the
Ident_Haz
’ context element
referencing the away goal ‘
IdentHazards
’. The objective of this association is to justify the process by which
system hazards have been iden
tified and analysed. The argument presented within the ‘
Hazard Analysis Process
Argument
’ module, depicted in Figure 1
3
, provides assurance about the hazard analysis process by addressing
compliance with the ISO26262 guidance regarding hazard identificatio
n, hazard classification and ASIL
determination. The argument also justifies the competency of the team responsible for carrying out this process.
Further, there are cases where the classification of certain hazards cannot be determined merely based on exp
ert
judgment. In these cases, and in order to mitigate the potential for under
-
classification of these hazards,
additional vehicle tests are required in order to confirm certain assumptions concerning the controllability,
probability of exposure or severit
y of these hazards (‘
Underclass
’).
The argument depicted in Figure 1
3
is typically referred to as
process
-
based argument
[7].
In the previous
sections, we emphasised the fundamental role of the safety case for assuring the safety of the system itself. In
p
articular, we focused on one par
ticular type of safety argument
, namely
product
-
based arguments
. Product
-
based arguments address safety assurance by arguing over the acceptable safe behaviours of the system,
targeting, for example, claims concerning the to
lerability of the risks of all identified hazards and the
satisfaction of all defined safety requirements. These claims are then substantiated by direct evidence generated
from analysis, testing, simulation and in
-
service history. However, confidence in th
e safety of the system may
be undermined by uncertainties about the provenance of the product
-
based evidence. The trustworthiness of this
type of evidence depends on the quality of the underlying engineering process (i.e. the simple question:
why
should I
trust the evidence?
). Process elements such as competency of personnel, reliability of tools, suitability
of notations and soundness of methods constitute key criteria against which the trustworthiness of product
-
based evidence can be determined. Disregard
ed weaknesses and flaws in these process elements may propagate
into the safety
-
critical system itself. The process can fail to deliver its expected outputs and consequently
weaken confidence in the safety of the system.
Page
13
of
16
IdentHazards
Hazard analysis and risk
assessment identifies and
analyses relevant hazards in a
trustworthy manner
C
_
Process
Hazard analysis and
risk assessment
process
Stra
_
Process
Argument over process
compliance and
management of process
weaknesses
Process
_
Compliance
Hazard analysis and risk
assessment complies with
ISO
26262
guidance
C
_
Stan
with ISO
26262
guidance
Process
_
Weaknesses
Hazard analysis and risk
assessment process
weaknesses are suitably
managed
Stra
_
Activity
Argument over hazard
analysis and risk
assessment activities
C
_
Activities
Hazard analysis and
risk assessment
activities
J
C
_
Best
_
Practice
ISO
26262
guidance is a
recognised international ISO
standard
,
developed by the
automotive community
,
focusing
on E
/
E automotive systems
HazIdent
Situation analysis and hazard
identification was adequately carried
out and identified potential unintended
behaviours of the system that could
lead to a hazardous event
SitAnalysis
Situation Analysis
HazClass
Hazard classification was adequately
carried out and determined of the
severity
(
S
)
,
the probability of exposure
(
E
)
and the controllability
(
C
)
associated
with the considered hazard of the item
HazASIL
An automotive safety
integrity level
(
ASIL
)
was
determined for each
identified hazard
C
_
ASIL
ASIL Scheme
C
_
SEC
Hazard severity
(
S
)
,
probability of exposure
(
E
)
and controllability
(
C
)
HzTeam
The team undertaking hazard analysis
and risk assessment included persons
with a good knowledge and domain
experience of the
behaviour of system
,
and of the way that a vehicle and its
driver can behave
C
_
HzTeam
Hazard analysis
and risk
assessment team
Stra
_
Process
_
Weakne
sses
Argument over identified
process weaknesses
Underclass
Under
-
classifcation of new
,
not
previously examined behaviours
has been mitigated by additional
vehicle tests
A
Ass
_
Exp
_
Judgement
Most hazard
classifications can be
estimated by expert
judgement
Trust
_
Ev
Definition of
trustworthy
C
_
FM
_
Process
_
W
eaknesses
Identified process
weaknesses
Fig.
1
3
.
Hazard Analysis and Risk Assessment Process
-
Based Argument
A p
rocess
-
based argument like the one depicted in Figure 1
3
is often called a backing argument as it is used to
show that the direct, product
-
based evidence is “
both credible and soundly based
[
5
]. Process
-
based evidence
is typically generated based on two main criteria [
6
]:
Compliance with nationally and internationally recognised standards which are relevant to the domain and
criticality of the system
Selection of established techniques and t
ools and employment of competent technical and managerial
personnel, e.g. selection of qualified modelling tools or programming language safe subsets.
Eventually, the complete safety case should address all organisational and technical factors that may con
tribute,
to safety such as product design, development, deployment, operation and maintenance as well as organisational
maintenance of an adequate level of safety culture. From the draft ISO26262 perspective, the complete safety
Page
14
of
16
case should address
product
factors such as the functional and technical concepts as well as
process
factors such
as safety management and quality assurance
(illustrated in
Figure 1
4)
.
Fig. 1
4
.
Integrated Product
-
Based and Process
-
Based Arguments
SUMMAR
Y/CONCLUSIONS
In this section, we present an evaluation of the process and outcomes of the model
-
based assurance approach
presented in the previous sections, focusing on lessons learnt from the development of the SysML models and
safety case for the air su
spension system.
DEFINITION OF CONTEX
T AND FEATURE MODELS
A key advantage for creating the air suspension system’s context and feature models was the explicit
documentation of expert domain knowledge. Engineers were able to air their views, agreeing or dis
agreeing
with, or suggesting a different way for, the inclusion, exclusion or categorisation of certain contextual factors or
system features. Further, because these models capture permitted variations, decisions as to which elements are
core and which are
optional were easier to make and evaluate (and even revaluate whenever new information
had been uncovered). The context model was instrumental in contextualising the air suspension system safety
case, explicitly highlighting environmental factors and vehi
cle characteristics which allow system failures to
become hazards. These factors and characteristics were clearly referenced in the safety case. Finally, as a
positive side
-
effect, the air suspension system’s context and feature models were useful for crea
ting additional
diagrams for usages beyond safety analysis. For example, based on the context and feature models, a P
-
diagram
was created to analyse the completeness of identified input
-
output transformations (typically used for
robustness analysis).
SYSTE
M MODELLING IN SYSML
System models were created in order to document the structural and behavioural aspects of the system functions
defined in the feature model. More specifically, the behaviours of these functions were defined given specific
assumptions a
bout the system’s environment as captured in the context model. The most useful diagrams used
in this industrial application, as far as safety assurance is concerned, were the SysML activity diagrams. These
diagrams helped in specifying the nominal and fau
lt management behaviours of the system, which informed the
Page
15
of
16
creation and analysis of the system’s functional safety requirements. These functional safety requirements were
a main input to the development of the safety case, showing how the system, through t
he achievement of these
requirements, can eliminate or mitigate causes of the identified system hazards. Where there were uncertainties
about the assumed behaviours of certain functions, as uncovered by the SysML activity diagrams, further
analysis and veh
icle tests were required to confirm these behaviours. The fault management behaviours
captured in the activity diagrams played a fundamental role in ensuring sufficient coverage of how the system
reacts in the event of deviations from the nominal behaviour
s of the system.
Because of the complexity of the behavioural aspects of system functions and their relationships with one
another and with their environment, in addition to how these behaviours trace to the safety case, further work is
still required to
examine how ‘sophisticated’ modelling tools, such as those offering model merging, querying,
transformation and composition, can support the process of managing the context, feature, system and safety
case models and their interdependencies. Specifically f
or the air
suspension system case study,
Microsoft
Visio
worked well as far as the creation of a limited number of models was concerned. However, by the end of this
case study, around 70 models were created (covering the system’s context, feature, system a
nd safety case
definitions), making the manual traceability of the different concerns addressed by these models unreasonably
time
-
consuming. This was exacerbated by the fact that these models included system variations, the impact of
which can vary dependi
ng on the way in which these variations can be instantiated within different types of
environments, e.g. different vehicle usages, body types and interface characteristics. In short, tool
-
support is
essential for specifying and enforcing invariants and con
straints which are needed for ensuring explicit
traceability between the different models created in this pilot industrial application. Further, the case for tool
-
support becomes more urgent once a decision is made to extend this work to cover the technica
l safety concept
(e.g. low
-
level design), i.e. adding an extra layer of complexity in the relationships between the product line’s
context, system and safety case models.
In general, the ability to represent different technologies, e.g. electrical, pneum
atic and mechanical, with a
single notation such as SysML was an improvement on the previous situation where each technology used a
different notation. The use of a notation with defined syntax meant that the diagrams could easily be understood
by those wh
o were not involved with their creation, e.g. independent reviewers.
SAFETY CASE
The definition of well
-
structured and traceable context, feature and system models paved the way for the
development of the safety case. The relationship between the safety ca
se and the context, feature and system
models was bidirectional. The safety case was a driver for further information that needed to be part of the
context and system models, e.g. assumptions that needed to be m
ade in the safety case which
had no explicit
links with the system or context models. The safety case changed and evolved as more information was
captured in the context, feature and system models. Also,
the following issues
were identified and clarified as a
result of the need to define an explici
t
and traceable safety argument:
Terminology
ambiguities
Need
to make a clear distinction between different types of driver warnings
O
verlaps between the definition of certain fault types in the context and system models
Regarding compliance with ISO26262,
the safety case prompted the reassessment of hazard classifications in
order to be compatible with the ISO26262 classification scheme. Further, the development of the safety case
was an attempt to show how a saf
ety case can be developed in
light of the dra
ft ISO26262 functional safety
concept guidance. In particular, this case study provided a model
-
based assurance interpretation of that
Page
16
of
16
guidance by showing how SysML models can be used to analyse an explicit definition of an automotive item
which is traceab
le to the item’s safety case.
Finally, the safety argument presented in the
Top
-
Level Argument
(Figure 4)
is stated within the context of the
identified hazards (‘
Ident_Haz’
). The validity of this context element is central to the assurance of this
argum
ent. To this end, a process
-
based argument was attached to that context element to justify the adequacy of
the hazard analysis process, through the away goal ‘
IdentHazards
’. This process
-
based argument, encapsulated
in the ‘
Hazard Analysis Process Argument
’ module (discussed in the previous section), justifies the adequacy of
hazard analysis by arguing over compliance with ISO26262 guidance and management of process weaknesses.
This interaction between product
-
-
based arguments highlighted t
he importance of process
-
based arguments, as a form of a backing argument, in justifying certain contextual assumptions stated within the
product
-
based argument.
REFERENCES
1.
ISO/TC 22/SC 3/WG 16,
"
ISO26262 DIS:
Road Vehicles
-
Road Safety," BL15,
Internatio
nal Organization
for Standardization
(ISO),
June 2009.
2.
Object Management Group (OMG), “
Systems Model
l
ing Language (SysML)
,” v1.1, OMG, November
2008.
3.
Kelly
T. P.
,
"
Arguing Safety
A Systematic Approach to Safety Case Management
,
"
DPhil Thesis,
Department
of Computer Science, University of York, UK, 1998.
4.
Bate
I. J.,
Kelly
T. P.
, “
Architectural Considerations in the Certification of Modular Systems
,”
21
st
International Conference on Computer Safety, Rel
iability and Security (SAFECOMP
02), September 2002
.
5.
Civ
il Aviation Authority (CAA),
CAP 670 SW 01: Acceptable Means of Compliance to CAP 670 SW 01:
Guidance for Producing SW 01 Safety Arguments for COTS Equipment
,”
Issue 2,
CAA,
2009.
6.
UK Ministry of Defence
(MoD), "Defence Standard 00
-
56:
Safety Management Re
quirements for Defence
Systems
,”
Part 2, Issue 4, UK Ministry of Defence, 2007.
7.
Habli I.,
Kelly
T
. P.
, “Process and Product Certification Arguments: Getting the Balance Right”, Workshop
on Innovative Techniques for Certification of Embedded Systems, in Con
junction the 12th IEEE Real
-
Time
and Embedded Technology and Applications Symposium, San Jose, California, USA, April 2006.
CONTACT INFORMATION
Ibrahim
Habli
(
C
orresponding
A
uthor
)
High
-
Integrity Systems Engineering
R
esearch
G
roup
University of York
York Y
O10 5DD
United Kingdom
Tel: +44 1904 433387
Fax: +44 1904 432708
Email: Ibrahim.Habli@cs.york.ac.uk
... Habli et al. [15] examines how safety requirements can be systematically derived on the basis of model-driven development. A structured safety argumentation based on the goal structuring notation is given. ...
... For analysing the system design, we first model the intended behaviour by using SysML diagrams and further use a faulttree method for the analysis of possible failures violating the safety goal. A similar procedure was described in [15]. However, we extend the approach by combining safety analysis methods in form of a fault-tree model to further evaluate failures. ...
... However, we extend the approach by combining safety analysis methods in form of a fault-tree model to further evaluate failures. Based on the behaviour, as suggested in [16] and [15], we deduce a failure model by investigating deviations. For modelling the fail-operational behaviour including states and state transitions, we use a state machine diagram. ...
View
... The requirements are expressed by natural text. Graphical notations like the Systems Modeling Language (SysML) (see OMG (2017)) and the Goal Structuring Notation (GSN) (see Habli et al. (2010)) are also used to obtain a structured view to represent the requirements. Some other graphical approaches have been produced independently of SysML and GSN using a Conceptual Model of Traceability, as defined by Katta and Stålhane (2011), or a Traceability Information Model (TIM) according to Antonino et al. (2014)). ...
... The standards recommend to develop a well structured methodology to provide evidence that the system specifications and implementation cover the identified hazards and their mitigations. Habli et al. (2010) use the GSN in order to represent the safety concepts hierarchically. The basic elements of their graphical notation are safety goal (requirement), solutions and strategies. ...
On-Board Train Integrity: safety requirements analysis and traceability
Conference Paper
Full-text available
  • Sep 2019
The evolution of the European Rail Traffic Management System (ERTMS) to level 3 enables increasing the capacity on the lines thanks to continuous on-board train integrity supervision and communication, moving block and virtual block. It relies on the autonomous position and integrity information reported by the train to generate a movement authority. The aim of our paper is to present a short preview of the train integrity monitoring system and its safety challenges. A methodology to maintain traceability of safety requirements to cover the hazards, identified from the system functions, is proposed based on the standard EN 50126.
View
... Such systems are set to be more broadly deployed in society, thereby increasing their level of safety criticality [Guiochet et al. 2017] and requiring a stringent regulatory regime. A successful method for regulatory acceptance is provided by structured assurance cases, which provide comprehensible and indefeasible safety arguments supported by evidence [Habli et al. 2010;Hawkins et al. 2015;Kelly 1999]. However, such assurance cases-whether or not compliant with standards like IEC 61508 1 and DO-178C 2 -can be laborious to create, complicated to maintain and evolve, and must be rigorously checked by the evaluation process to ensure that all obligations are met and confidence in the arguments is achieved [Greenwell et al. 2006;Rushby 2013]. ...
... Model-based assurance [Habli et al. 2010;Hawkins et al. 2015] uses system models to structure assurance cases and represents another opportunity for formal methods in (through-life) assurance. Assurance arguments that are purely informal can be difficult to evaluate, and may be subject to argumentation fallacies [Greenwell et al. 2006]. ...
New Opportunities for Integrated Formal Methods
Article
Formal methods have provided approaches for investigating software engineering fundamentals and also have high potential to improve current practices in dependability assurance. In this article, we summarise known strengths and weaknesses of formal methods. From the perspective of the assurance of robots and autonomous systems (RAS), we highlight new opportunities for integrated formal methods and identify threats to the adoption of such methods. Based on these opportunities and threats, we develop an agenda for fundamental and empirical research on integrated formal methods and for successful transfer of validated research to RAS assurance. Furthermore, we outline our expectations on useful outcomes of such an agenda.
View
... Recently, GSN method has been incorporated into ISO 26262 to satisfy the critical safety assurance of automotive systems [66]. From the literature review, the GSN approach has been used in automotive domain mainly (i) to structure the content of safety cases [67,68] (ii) to establish reusable patterns and modules (particularly for software safety cases) [69][70][71][72], and (iii) to automate the generation process of GSN modules with respect to the model-driven development and assessment (SysML for example) [73,74]. Moreover, both process-based [68,75] and product-based [67,76] safety cases have been discussed, while focusing more on software and subsystems safety cases. ...
Graphical safety assurance case using Goal Structuring Notation (GSN)– challenges, opportunities and a framework for autonomous trains
Article
The development of fully autonomous vehicles is an ambition that took seed in the automotive industry a few years ago and is now growing in the railways considering their benefits. The main objective of autonomous train is to perform its operations and assure its mission with an acceptable safety level in all possible operational conditions. Such an objective needs to be supported by a safety demonstration. In order to authorize the operations of railway systems, they must be proven safe. This requires a technical and operational safety assessment, and also a safety assurance process during the system’s whole life-cycle. The goal of such activities is to ensure that designed systems comply with railway safety standards and regulations. Both safety arguments and evidences are required to demonstrate that this compliance is achieved. These sets of evidence are documented in a so-called safety case. Recently, graphical safety cases, such as Goal Structuring Notation (GSN)-based safety case, have become an interesting alternative to narrative reports and plain texts. The graphical structure and visual properties improve the presentation and comprehension of the safety arguments. In this paper, we firstly review the use of the GSN for building graphical safety case for different transportation systems, with a focus on the railway domain. Then, we discuss the opportunities and challenges of considering such an approach in railway and we propose a high-level framework for building the GSN-based safety assurance case for the autonomous trains.
View
... The work of Habli et al. [24] focuses on addressing one component of the overall safety case, namely the assurance of the functional safety concept. They examine how model-driven development and assessment can provide a basis for the systematic generation of functional safety requirements. ...
A cyber–physical–social approach for engineering Functional Safety Requirements for automotive systems
Article
Several approaches have been developed to assist automotive system manufacturers in designing safer vehicles by facilitating compliance with functional safety standards. However, most of these approaches either mainly focus on the technical aspects of automotive systems and ignore the social ones, or they provide inadequate analysis of such important aspects. To this end, we propose a model-based approach for modeling and analyzing the Functional Safety Requirements (FSR) for automotive systems, which considers both the technical and social aspects of such systems. This approach is based on both the ISO 26262 and ISO/PAS 21448 standards, and it proposes a detailed engineering methodology to assist designers while modeling and analyzing FSR. In particular, this approach proposes a UML profile for modeling the FSR of the automotive system starting from item definition until safety validation, and it offers constraints expressed in Object Constraint Language (OCL) to be used for the verification of FSR models. We demonstrated the applicability and usefulness of the approach relying on a realistic example from the automotive domain, and we also evaluated the usability and utility of the approach with potential end-users.
View
... Building on GSN, Habli et. al. [11] examine how model-driven development can provide a basis for the systematic generation of functional safety requirements and demonstrates how an automotive safety case can be developed. Gallina [8] proposes a model-driven safety certification method to derive arguments as goal structures given in GSN from process models. ...
Towards Certified Analysis of Software Product Line Safety Cases
Preprint
  • Apr 2021
Safety-critical software systems are in many cases designed and implemented as families of products, usually referred to as Software Product Lines (SPLs). Products within an SPL vary from each other in terms of which features they include. Applying existing analysis techniques to SPLs and their safety cases is usually challenging because of the potentially exponential number of products with respect to the number of supported features. In this paper, we present a methodology and infrastructure for certified \emph{lifting} of existing single-product safety analyses to product lines. To ensure certified safety of our infrastructure, we implement it in an interactive theorem prover, including formal definitions, lemmas, correctness criteria theorems, and proofs. We apply this infrastructure to formalize and lift a Change Impact Assessment (CIA) algorithm. We present a formal definition of the lifted algorithm, outline its correctness proof (with the full machine-checked proof available online), and discuss its implementation within a model management framework.
View
... Krithivasan et al. (2015) systematically develop functional safety requirements from a set of safety goals for an electronic throttle controller using a process-modelling concept. Habli et al. (2010) describe the model-based design of a safety argument for an air suspension system comprising the functional safety concept. The safety concept notation used by the authors matches the approach used in the aFAS project (cf. ...
Functional Safety Concept Generation within the Process of Preliminary Design of Automated Driving Functions at the Example of an Unmanned Protective Vehicle
Article
Full-text available
  • Jul 2019
Structuring the early design phase of automotive systems is an important part of efficient and successful development processes. Today, safety considerations (e.g., the safety life cycle of ISO 26262) significantly affect the course of development. Preliminary designs are expressed in functional system architectures, which are required to form safety concepts. Thus, mapping tasks and work products to a reference process during early design stages is an important part of structuring the system development. This contribution describes the systematic creation and notation of the functional safety concept within the concept phase of development of an unmanned protective vehicle within the research project aFAS. Different stages of preliminary design and dependencies between them are displayed by the work products created and used. The full set of functional safety requirements and an excerpt of the safety argument structure of the SAE level 4 application are presented.
View
... Basir et al. [13] propose an approach that adopts the Goal Structuring Notation (GSN) [14] to construct safety cases to trace requirements to the code. The work of Habli et al. [15] examines how modeldriven development and assessment can provide a basis for the systematic generation of functional safety requirements. ...
Engineering Functional Safety Requirements for Automotive Systems: A Cyber-Physical-Social Approach
Conference Paper
Full-text available
  • Jan 2019
Several approaches have been developed to assist automotive system manufacturers in designing safer vehicles by complying with functional safety standards. However, most of these approaches either mainly focus on the technical aspects of automotive systems and ignore the social ones, or they are not equipped with an adequate automated support. To this end, we propose a model-based approach for modeling and analyzing the Functional Safety Requirements (FSR) for automotive systems, which is based on the ISO 26262 standard and considers both technical and social aspects of such systems. This approach proposes a UML profile for modeling the FSR starting from item definition until safety validation, and it proposes constraints expressed in OCL to be used for the verification of FSR models. We illustrate the utility of the approach using an example from the automotive domain.
View
Towards Certified Analysis of Software Product Line Safety Cases
Chapter
  • Aug 2021
Safety-critical software systems are in many cases designed and implemented as families of products, usually referred to as Software Product Lines (SPLs). Products within an SPL vary from each other in terms of which features they include. Applying existing analysis techniques to SPLs and their safety cases is usually challenging because of the potentially exponential number of products with respect to the number of supported features. In this paper, we present a methodology and infrastructure for certified lifting of existing single-product safety analyses to product lines. To ensure certified safety of our infrastructure, we implement it in an interactive theorem prover, including formal definitions, lemmas, correctness criteria theorems, and proofs.
View
MBSE guideline for the development of functional safety according to ISO 26262 of complex distributed vehicle system functions
Thesis
Full-text available
  • Sep 2019
In the course of this master thesis an MBSE guideline for the development of functional safety according to ISO 26262 of complex distributed vehicle system functions will be developed. The focus of the guideline is on the process steps "Item Definition", "Hazard Analysis and Risk Assessment", "Functional Safety Concept" and "Technical Safety Concept" of ISO 26262. Further, the MBSE guideline is based on the SPES Modeling Framework. The modeling language used is SysML. In doing so, an overall model of a generic super sports car will be established in IBM Rational Rhapsody that will demonstrate the development of functional safety in the above-mentioned process steps with the aid of appropriate model elements and diagrams. This approach supports a systematic description and analysis of different types of safety artifacts in a common overall model.
View
Process and product certification arguments: Getting the balance right
Article
Full-text available
  • Oct 2006
Many current safety certification standards are process-based, i.e. they prescribe a set of development techniques and methods. This is perhaps best exemplified by the use of Safety Integrity Levels (SILs), e.g. as defined by IEC 61508 and UK Defence Standard 00-55. SILs are defined according to the level of the risk posed by a system, and hence prescribe the tools, techniques and methods that should be adopted by the development and assessment lifecycle. Product-based certification relies on the generation and assurance of product-specific evidence that meets safety requirements derived from hazard analysis. This evidence can be used as the argument basis in a safety case. However, uncertainty about the provenance of evidence in such a safety case can undermine confidence. To address this problem, we argue that process arguments remain an essential element of any safety case. However, unlike the sweeping process-based integrity arguments of the past, we suggest instead that highly directed process arguments should be linked to the items of evidence used in the product case. Such arguments can address issues of tool integrity, competency of personnel, and configuration management. Much as deductive software safety arguments are desirable, there will always be inductive elements. Process-based arguments of the type we suggest address partly this problem by tackling the otherwise implicit assumptions underlying certification evidence.
View
A Systematic Approach to Safety Case Maintenance
Conference Paper
Full-text available
  • Oct 1999
A crucial aspect of safety case management is the ongoing maintenance of the safety argument through life. Throughout the operational life of any system, the corresponding safety case can be challenged by changing regulatory requirements, additional safety evidence and a changing design. In order to maintain an accurate account of the safety of the system, all such challenges must be assessed for their impact on the original safety argument. This is increasingly being recognised by many safety standards. However, many safety engineers are experiencing difficulties with safety case maintenance at present, the prime reason being that they do not have a systematic and methodical approach by which to examine the impact of change on safety argument. This paper presents an approach that begins to address these difficulties by defining a process, based upon the principles of goal structuring, for the systematic impact assessment of safety case challenges.
View
View
Architectural Considerations in the Certification of Modular Systems
Article
Modular system architectures, such as integrated modular avionics (IMA) in the aerospace sector, offer potential benefits of improved flexibility in function allocation, reduced development costs and improved maintainability. However, they require a new certification approach. The traditional approach to certification is to prepare monolithic safety cases as bespoke developments for a specific system in a fixed configuration. However, this nullifies the benefits of flexibility and reduced rework claimed of IMA-based systems and will necessitate the development of new safety cases for all possible (current and future) configurations of the architecture. This paper discusses a modular approach to safety case construction, whereby the safety case is partitioned into separable arguments of safety corresponding with the components of the system architecture. Such an approach relies upon properties of the IMA system architecture (such as segregation and location independence) having been established. The paper describes how such properties can be assessed to show that they are met and trade-offs performed during architecture definition reusing information and techniques from the safety argument process.
View
Process and Product Certification Arguments: Getting the Balance Right
  • Apr 2006
  • I Habli
  • T P Kelly
Habli I., Kelly T. P., "Process and Product Certification Arguments: Getting the Balance Right", Workshop on Innovative Techniques for Certification of Embedded Systems, in Conjunction the 12th IEEE Real-Time and Embedded Technology and Applications Symposium, San Jose, California, USA, April 2006.
Systems Modelling Language (SysML), " v1.1, OMG
  • Dec 2008
  • Management Object
  • Group
Object Management Group (OMG), " Systems Modelling Language (SysML), " v1.1, OMG, November 2008.
ISO26262 DIS: Road Vehicles -Road Safety
  • Jul 2009
  • Iso Tc
ISO/TC 22/SC 3/WG 16, "ISO26262 DIS: Road Vehicles -Road Safety," BL15, International Organization for Standardization (ISO), June 2009.
CAP 670 SW 01: Acceptable Means of Compliance to CAP 670 SW 01: Guidance for Producing SW 01 Safety Arguments for COTS Equipment
  • Jan 2009
Civil Aviation Authority (CAA), " CAP 670 SW 01: Acceptable Means of Compliance to CAP 670 SW 01: Guidance for Producing SW 01 Safety Arguments for COTS Equipment, " Issue 2, CAA, 2009.
Architectural Considerations in the Certification of Modular Systems
  • Sep 2002
  • I J Bate
  • T P Kelly
Bate I. J., Kelly T. P., "Architectural Considerations in the Certification of Modular Systems," 21st International Conference on Computer Safety, Reliability and Security (SAFECOMP02), September 2002.