Authors: Pablo Oliveira Antonino, David Santiago Velasco Moncada, Thomas Kuhn, Daniel Schneider, Mario Trapp, Fraunhofer IESE
Contribution – Embedded Software Engineering Congress 2015
Even in the age of computerization, safety engineering is still largely a matter of textual documents, and even of pen and paper. One major consequence of this is inconsistent and incomplete specifications of safety-critical systems, which are a core cause of catastrophic failures. To improve the completeness and consistency of safety-critical system specifications, we present I-SafE, an integrated multi-analysis and multi-viewpoint safety engineering tool that supports general safety analysis as well as the specification of safety requirements and the analysis of their traceability to architecture and failure models.
Safety engineering artifacts are still defined by means of natural-language text in documents, spreadsheets or databases. One major issue caused by this is inconsistency between safety requirements, failure models and architecture [1]. Yet safety requirements often result from a safety analysis of the architecture and must later be allocated to elements of that architecture [1]. The resulting inconsistencies and incompleteness require intense effort to update the artifacts impacted by changes and, consequently, significantly decrease the efficiency of safety assurance [2].
To contribute to overcoming this challenge, this paper introduces I-SafE (Integrated Safety Engineering), a tool based on Enterprise Architect (footnote 1) that supports the specification of traceable safety requirements, failure models and architecture models, thus contributing to safety-by-construction, since safety is considered early in the process of system design.
Running Example
The I-SafE features described in this paper will be illustrated using a simplified version of a fictional electric motor drive (E-Drive) system, which is depicted in Fig. 1 (see PDF)
Specifying Architecture Models with the Embedded Modeling Profile
I-SafE supports the specification of the functional, logical and technical aspects of the architecture, based on the Embedded Modeling Profile [3]. An example of the architecture modeling toolbox provided by I-SafE is depicted in Fig. 2 (see PDF).
Creation of Failure Models with I-SafE
I-SafE supports the creation of failure models of the types Component Fault Tree (CFT), Failure Modes and Effects Analysis (FMEA) and Markov Chain, which are associated with architectural elements. Due to space constraints, only the CFT and FMEA support is described in this paper.
Component Fault Trees (CFTs) extend standard fault trees with the concept of modularity in component-based specifications. For example, Fig. 3 (see PDF) depicts a CFT created with I-SafE for the emergency shut-off component of the E-Drive system illustrated in Fig. 1 (see PDF).
I-SafE's support for FMEA specification is based on interface-focused FMEA (IF-FMEA) [4] for each system component. For instance, Fig. 4 (see PDF) depicts an FMEA for the E-Drive's Pedal Sensor shown in Fig. 1 (see PDF).
Tracing Safety Requirements Specified in Natural Language to Failure Models and to the Architecture
In order to conveniently support the creation of trace links, I-SafE provides an autocomplete mechanism that suggests elements that should be referenced in the safety requirement being specified. The suggestions are made as the text is typed, based on similarities between the typed text and the names of elements present in the failure models or architecture models. For instance, as shown in Fig. 5 (see PDF), as soon as the user starts to type the text fragment “The M”, the architecture component “MicroController” (cf. Fig. 1, see PDF) is suggested, along with other elements whose names are similar to this string, such as the MicroController CFT (cf. Fig. 2, see PDF).
I-SafE Visual Trace
I-SafE provides a visual trace mechanism that allows engineers to visualize all elements related to each safety requirement specification. It allows visualization of (i) architectural elements and elements of failure models that are explicitly referenced in textual safety requirement specifications; (ii) architectural elements that are not explicitly mentioned in safety requirement specifications but that are related (over a series of indirections) to those that are explicitly referenced; and (iii) other specifications related to the safety requirement being analyzed, such as the Conditional Safety Certificate [5] of a component related to that safety requirement.
In the example shown in Fig. 6 (see PDF), the safety requirement has an explicit trace to the MotorController element (cf. Fig. 1, see PDF). After activating the Visual Trace mode of I-SafE, whenever the user clicks on the safety requirement element, the diagram shown in Fig. 1 (see PDF) opens and only the referenced element MicroController is highlighted.
Automated completeness and consistency checks
I-SafE supports the execution of completeness and consistency checks between safety requirements and architecture design, aiming at detecting and alerting engineers to existing incompleteness and inconsistencies.
With respect to completeness, I-SafE checks whether (i) every safety requirement describes mitigation strategies for failures that are described in at least one failure propagation model; (ii) every failure propagation model describes the failures of at least one safety-critical architecture element; and (iii) every safety requirement describes failure mitigations that reference at least one safety-critical architecture element. The results of the completeness checks are displayed to the user as shown in Fig. 7 (see PDF), where a list of safety requirements is displayed along with their types and the completeness violations found.
With respect to consistency, one of the main checks offered by I-SafE is for Safety Integrity Level (SIL) inconsistencies, which arise when safety requirements and the safety-critical architecture elements that address them have incompatible safety integrity levels. For instance, Fig. 8 (see PDF) shows a list of architectural elements that have an ASIL incompatibility. The basis for these and for all the other completeness and consistency checks implemented in I-SafE is described in [6]. The other consistency checks supported by I-SafE are not described here due to space limitations.
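To make the three completeness checks and the SIL consistency check concrete, the following added example (not I-SafE code, and not from the paper) runs them over a small constructed model of the E-Drive. The element names follow Fig. 1; the ASIL values, requirement ids and the `Element`, `FailureModel` and `Requirement` classes are assumptions made for the example.

```python
from dataclasses import dataclass, field

ASIL_RANK = {"QM": 0, "A": 1, "B": 2, "C": 3, "D": 4}  # ISO 26262 ordering: QM < A < B < C < D

@dataclass
class Element:                 # architecture element (cf. the E-Drive components of Fig. 1)
    name: str
    asil: str
    safety_critical: bool = True

@dataclass
class FailureModel:            # CFT or IF-FMEA; 'element' is the component it describes
    name: str
    element: str = ""

@dataclass
class Requirement:             # safety requirement with its explicit trace links
    rid: str
    asil: str
    elements: set = field(default_factory=set)
    failure_models: set = field(default_factory=set)

def completeness_violations(reqs, models, elements):
    """Checks (i)-(iii) of the paper; returns (artifact, violation) pairs."""
    crit = {e.name for e in elements if e.safety_critical}
    out = []
    for r in reqs:
        if not r.failure_models:          # (i) mitigation must address a modelled failure
            out.append((r.rid, "references no failure propagation model"))
        if not r.elements & crit:         # (iii) mitigation must name a critical element
            out.append((r.rid, "references no safety-critical architecture element"))
    for m in models:                      # (ii) every failure model describes a critical element
        if m.element not in crit:
            out.append((m.name, "describes no safety-critical architecture element"))
    return out

def asil_inconsistencies(reqs, elements):
    """SIL check: an element addressing a requirement must carry at least the requirement's ASIL."""
    asil_of = {e.name: e.asil for e in elements}
    return [(r.rid, n, r.asil, asil_of[n]) for r in reqs for n in sorted(r.elements)
            if n in asil_of and ASIL_RANK[asil_of[n]] < ASIL_RANK[r.asil]]

# Constructed sample model of the E-Drive; ASIL values are illustrative, not from the paper.
ELEMENTS = [Element("MicroController", "D"), Element("PedalSensor", "B"),
            Element("EmergencyShutOff", "D"), Element("Display", "QM", safety_critical=False)]
MODELS = [FailureModel("MicroController CFT", "MicroController"),
          FailureModel("PedalSensor IF-FMEA", "PedalSensor"), FailureModel("Display FMEA", "Display")]
REQS = [Requirement("SR1", "D", {"MicroController"}, {"MicroController CFT"}),
        Requirement("SR2", "C", {"PedalSensor"}, {"PedalSensor IF-FMEA"}),   # ASIL mismatch
        Requirement("SR3", "A")]                                              # incomplete
```

Calling `completeness_violations(REQS, MODELS, ELEMENTS)` flags SR3 under checks (i) and (iii) and the Display FMEA under check (ii); `asil_inconsistencies(REQS, ELEMENTS)` flags SR2, whose ASIL C is addressed by an ASIL B sensor.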
Conclusion
I-SafE provides a range of features that are rarely found in other tools. Among the features presented in this paper, we consider the aspects of integration and traceability as particularly important. Integration between different (types of) modular analysis models in the context of a larger system and traceability between safety requirements and related artifacts along the safety engineering chains are features that are bound to ease the daily work of software and safety engineers.
References
[1] P. O. Antonino, M. Trapp, P. Barbosa, E. C. Gurjão, J. Rosário: The Safety Requirements Decomposition Pattern. SAFECOMP 2015, pp. 269-282.
[2] J. Hatcliff et al.: Certifiably Safe Software-Dependent Systems: Challenges and Directions. Hyderabad, India, 2014, pp. 182-200.
[3] T. Kuhn, P. O. Antonino: Model Driven Development of Embedded Systems. Proceedings of the Embedded Software Engineering Congress 2014, pp. 47-53.
[4] Y. Papadopoulos, J. McDermid, R. Sasse, G. Heiner: Analysis and Synthesis of the Behaviour of Complex Programmable Electronic Systems in Conditions of Failure. Reliability Engineering & System Safety, 71(3), 2001, pp. 229-247.
[5] D. Schneider, M. Trapp: Conditional Safety Certification of Open Adaptive Systems. ACM Transactions on Autonomous and Adaptive Systems (TAAS), 8(2), 2013, pp. 1-20.
[6] P. O. Antonino, M. Trapp: Automatic Detection of Incomplete and Inconsistent Safety Requirements. SAE 2015 World Congress and Exhibition, Detroit, Michigan, USA, 2015.
Footnote 1: https://www.sparxsystems.com
