Efficiency potential in safety and security
Author: Dr. Dominik Holling, ITK Engineering GmbH
Contribution – Embedded Software Engineering Congress 2018
Vehicle computers enable timely and flexible software updates. This allows new networked functions to reach the market faster than before. To achieve this, not only development but also support processes must be accelerated. Potential for improvement exists particularly in safety and security release processes, as these are usually associated with manual effort and lengthy cycles. By considering release aspects early in the development process and automating the toolchain for validation, this effort can be significantly reduced. Furthermore, ensuring safety and security offers potential synergies (e.g., in quality assurance, review and test results) that can be leveraged through effective process design to manage complexity.
To bring features to market and to customers more quickly, modern software engineering techniques such as Continuous Integration (CI), Continuous Delivery (CD), and DevOps are being used not only in IT systems but also in systems engineering [1]. The use of these techniques for embedded or cyber-physical systems enables continuous software delivery, early error detection, and cross-functional collaboration to manage increased complexity.
In addition to engineering processes, support processes must also be adapted to ensure the software or system can be completed. Release and its documentation are particularly important factors that are also becoming increasingly complex. With shorter release cycles, release must be timed precisely with the delivery of complex software or systems. Otherwise, the subsequent process lacks the legitimacy to use the provided artifacts. Synergies from the areas of safety and security, as well as the automation of documentation generation, can be leveraged here. In this way, a lengthy, manual process can be transformed into an automated and efficient release documentation process.
Safety and Security approval process
Software and system release is achieved by demonstrating that the defined process has been adhered to and all defined artifacts have been created to the required quality. This ensures compliance with quality objectives and regulatory requirements, particularly in the areas of safety and security. Each release also has a scope that relates to software (parts) or system (parts). For example, there may be releases for software components required for integration, which in turn necessitates a release of the entire system. Due to the high number of deliveries in CI, CD, and DevOps environments, releases for the entire software or parts thereof are frequently required and, due to their complexity, offer the greatest potential for optimization. The following section will focus on two of these potentials in particular: synergy effects in release aspects related to security and safety, and in the creation and storage of release documentation.
Potential 1: Synergy effects of the release documentation
Responsibilities for safety and security typically lie at different points within the organization, with limited opportunities for communication. Nevertheless, release documentation offers synergistic benefits from shared aspects required for quality management, safety, and security. These consist of metrics that evaluate the relevant processes and capture the quality of the associated artifacts. It is also possible to create summaries based on text modules and the value of a metric. Generally, the following metrics are collected and summaries are created:
- Status of requirements
- Status of the change/problem ticket
- Status of traceability at all levels
- Results of quality assurance, reviews and tests
In addition, summaries and metrics exist for the safety and security areas respectively, collected along the safety and security engineering processes, for:
- Status of the risk analyses
- Status of the concept(s)
- Results of the residual risk analyses and source code analyses
In the area of safety, there are additional results regarding tool qualification, which are incorporated into the release documentation. For the area of security, the results of penetration testing are also taken into account.
Potential 2: Automation of release documentation
Creating release documentation can be a bottleneck if it requires many manual, error-prone steps. This is where automation can take over the task and perform it reliably. It requires careful planning of the process for generating (1) and storing (2) the artifacts, as well as of the tools used. To maximize this potential, this planning should be carried out before the project begins. Since the necessary information is generated and retrieved automatically with this approach, the various tools in a toolchain must work together seamlessly.
When generating artifacts, it is helpful to extend techniques like CI and CD so that information is automatically generated and made available for documentation. This can be achieved, for example, through the automatic creation of problem tickets for failed tests or automatic traceability checks at all levels of software development. Furthermore, when collecting artifacts, it is advisable to store them in a comprehensive application management (ALM) system. This centralizes the necessary information and generates the corresponding release documentation using a reporting function. Alternatively, interoperability standards [2] can be used to collect and compile the required information. In practice, however, this type of compilation proves to be error-prone and maintenance-intensive. Nevertheless, it is usually unavoidable, as not all information can be represented in a single ALM system, and thus a hybrid approach combining ALM and scripts for interoperability is typically chosen.
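A small illustration of both potentials described above, added here as an example and not code from the article or from ITK Engineering: a traceability check and automatic ticket creation for failed tests feed the metrics, and text modules are selected by metric value to produce the release summary. The requirement, test and ticket records are constructed inline, and the identifiers, thresholds and the ticket-naming scheme are assumptions.

```python
"""Release-documentation generator (added example; data is constructed)."""

# Constructed sample data; in practice exported from the ALM / CI toolchain.
REQUIREMENTS = {"REQ-1": "Brake request is sent within 10 ms",
                "REQ-2": "Firmware image must be signed",
                "REQ-3": "Diagnostic session requires authentication"}
TESTS = {"TC-1": {"covers": ["REQ-1"], "result": "pass"},
         "TC-2": {"covers": ["REQ-2"], "result": "fail"},   # no ticket yet
         "TC-3": {"covers": ["REQ-2"], "result": "fail"}}   # ticket exists
TICKETS = {"PR-17": {"test": "TC-3", "status": "open"}}    # REQ-3 is untested

# Text modules chosen by the value of the traceability metric (Potential 1).
TEXT_MODULES = [(1.0, "All requirements are covered by tests."),
                (0.8, "Most requirements are covered; gaps are listed below."),
                (0.0, "Traceability is incomplete; release is blocked.")]


def traceability_status(reqs, tests):
    """Return (coverage ratio, ids of requirements with no linked test)."""
    covered = {r for t in tests.values() for r in t["covers"]}
    missing = sorted(r for r in reqs if r not in covered)
    return 1 - len(missing) / len(reqs), missing


def tickets_for_failed_tests(tests, tickets):
    """CI hook: create a problem ticket for every failed test lacking one."""
    have = {t["test"] for t in tickets.values()}
    return {f"PR-auto-{tid}": {"test": tid, "status": "open"}
            for tid, t in tests.items()
            if t["result"] == "fail" and tid not in have}


def summary_for(value, modules=TEXT_MODULES):
    """Pick the text module whose threshold the metric value reaches."""
    return next(text for threshold, text in modules if value >= threshold)


def release_report(reqs=REQUIREMENTS, tests=TESTS, tickets=TICKETS):
    """Assemble the metrics and summaries that make up the release record."""
    cov, missing = traceability_status(reqs, tests)
    failed = [t for t, d in tests.items() if d["result"] == "fail"]
    all_tickets = {**tickets, **tickets_for_failed_tests(tests, tickets)}
    open_tickets = sorted(k for k, v in all_tickets.items()
                          if v["status"] == "open")
    return {"traceability": round(cov, 2), "untraced": missing,
            "traceability_summary": summary_for(cov),
            "failed_tests": failed, "open_tickets": open_tickets,
            "release_ok": cov == 1.0 and not failed and not open_tickets}
```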
List of abbreviations
- CI: Continuous Integration
- CD: Continuous Delivery
- ALM: Application Management
Bibliography and list of sources
[1] Pranav Ashar, Shifting Mindsets: Static Verification Transforms SoC Design at RT Level
[2] Frédéric Loiret, Interoperability Specifications (IOS) v1
Author
Dr. Dominik Holling works in the area of test methodology and development processes at ITK Engineering GmbH. His focus is on software engineering and software testing. This includes integrating development and quality assurance, as well as the early stages of requirements engineering and software architecture. His main interests lie in the topics of continuous integration, continuous delivery, and SysDevOps for embedded/cyber-physical control units. Holling studied computer science with a focus on security at the Technical University of Kaiserslautern and earned his doctorate at the Chair of Software Engineering at the Technical University of Munich, specializing in knowledge-based test methodology.