How safety benefits from model-based development
Authors: Dr. Peter Munk, Dr. Arne Nordmann, Dr. Eike Thaden, Rakshith Amarnath, Markus Schweizer, Dr. Simon Burton, Robert Bosch GmbH
Contribution – Embedded Software Engineering Congress 2017
With ever-shorter development cycles, the complexity of electrical/electronic (E/E) systems in automobiles is constantly increasing. Functional safety standards such as ISO 26262 prescribe labor-intensive steps like Fault Tree Analysis (FTA) and Failure Mode and Effects Analysis (FMEA). These steps are often performed manually and without systematic reuse of artifacts. This paper presents a semi-automated safety analysis and optimization methodology. Based on established approaches such as Component Fault Trees [1], a functional or technical system model is extended with fault propagation information. From this, the FTA and FMEA for the overall system are derived automatically. Furthermore, the model can be optimized on the basis of these analyses using reusable architectural patterns [2]. As part of a model-based development approach, the presented methodology thus increases the degree of automation and reduces development time.
Introduction
The complexity and performance requirements of current safety- and real-time-critical electrical/electronic (E/E) systems in automobiles are constantly increasing. This trend is driven by increasingly advanced driver assistance functions, which require more functionality and computing power, and ultimately by the vision of highly automated and autonomous driving. Such systems must function flawlessly for increasingly long periods without driver intervention, which is why safety and availability requirements are rising as well. To remain competitive in the cost-driven automotive sector, the development of such systems must take place in ever shorter cycles.
Relevant functional safety standards, such as ISO 26262 for the automotive sector, prescribe various labor-intensive and time-consuming steps. These include, among other things, the specification of a functional safety concept, the creation of technical safety requirements for each safety objective, and the verification and validation of the system through testing, FTA, and FMEA. These steps are often performed manually with little or no systematic reuse of existing artifacts.
To keep pace with increasing complexity and ever-shorter development cycles, the level of automation in the specification of technical safety requirements, as well as in the verification and validation of systems, must be increased. We present our approach to semi-automated safety analysis and optimization for this purpose.
The semi-automatic safety analysis
A model-based systems engineering approach is necessary to manage the complexity of future E/E systems. It also forms the basis for semi-automated safety analysis and optimization. We assume that the functional requirements have been elicited using existing requirements engineering methods and are available. As shown in Figure 1 (see PDF), the requirements are first translated into a functional architecture. This is independent of any technical implementation and consists of functional blocks with inputs and outputs, as well as the connections between them; Figure 2 (see PDF) shows an example. SysML can be used as the modeling language, but alternatives such as AADL are also available.
Furthermore, we assume that the safety goals have been determined using existing Hazard Analysis and Risk Assessment (HARA) methods and are available. The safety goals are then linked to the components of the functional architecture. Following the work on Component Fault Trees [1] and Hierarchically Performed Hazard Origin and Propagation Studies (HiP-HOPS) [2], fault propagation is modeled per component using logical AND and OR gates between the inputs and outputs. Several fault modes can occur at each input and output. It is also possible to model fault causes and their probability of occurrence. Figure 3 (see PDF) shows, as an example, the fault propagation of the "controller" component from Figure 2 (see PDF). The input "in A" has one fault mode called "wrong", which is logically ANDed (&&) with the fault cause "basic" to produce the intermediate result "intermediary". The input "in A" has two different fault modes ("wrong value" and "too late"), which are logically ORed (||) with the intermediate result "intermediary". The result of the OR operation, called "error", is also the only fault mode of the output "out".
In the design and allocation step, a technical architecture model is derived from the functional architecture model. This technical model includes hardware components and software components, as well as their allocation. The technical architecture model can also be modeled in SysML. Analogous to the functional architecture model, error propagation within each hardware component and software component is then modeled.
From the enriched functional or technical architecture model, the fault tree for the entire system can now be generated and analyzed automatically. At the same time, the system's FMEA can be supported by automatically generating key artifacts, such as the structure tree, the function network, and the fault network, from the architecture model. This is possible even before the system exists as a prototype or product, so insights into functional safety are gained early in the development cycle. If the architecture model changes during further development, the model-based safety analyses can be repeated with minimal manual effort. The automatically generated FTA and FMEA documents also provide important evidence for demonstrating sufficient functional safety of the overall system.
The semi-automatic safety optimization
If the FTA results do not meet the required reliability targets, the functional or technical architecture can be improved automatically. This requires a catalog of safety mechanisms stored as model transformations. One example of a safety mechanism is the replication of a critical component followed by a comparison of the results (Dual Modular Redundancy). A (heuristic) optimization algorithm, such as an evolutionary algorithm, iteratively applies suitable safety mechanisms to critical components and re-runs the FTA after each step. This allows the Pareto front between overall system reliability and the costs incurred by the additional safety mechanism components (runtime, memory requirements, chip or board area, and financial cost) to be determined. The approach also makes it easy to exchange proven safety mechanisms between business units in the form of model transformations.
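The following worked example is added here to make the two previous sections concrete; it is not the authors' prototype tool and not code from [1] or [2]. It models the "controller" component of Figure 3 (with two invented upstream sensors and an invented downstream actuator as the top event), derives the system fault tree automatically by following the connections, computes minimal cut sets and the top-event probability, and then applies Dual Modular Redundancy as a model transformation. In place of the evolutionary algorithm the text mentions, it sweeps every subset of candidate components exhaustively (feasible only for a handful of components) and keeps the Pareto-optimal reliability/cost points. All component names other than "controller", "in A", "in B", "out", "basic", "intermediary" and the fault-mode names, and all probabilities and costs, are assumptions made for the illustration; the comparator is modeled as masking a fault only when both replicas fail, which is one common simplification, not the authors' choice.

```python
"""Toy component fault tree (CFT): per-component fault propagation, automatic
system fault tree, minimal cut sets, top-event probability and a DMR pattern
applied as a model transformation. Names, probabilities and costs are invented."""
from dataclasses import dataclass, field
from itertools import combinations


@dataclass
class Component:
    name: str
    cost: float
    basic: dict = field(default_factory=dict)    # basic fault -> probability
    outputs: dict = field(default_factory=dict)  # (out port, fault mode) -> gate expression
    # expression: ("basic", fault) | ("in", port, mode) | ("and", e, ...) | ("or", e, ...)


@dataclass
class System:
    components: dict = field(default_factory=dict)   # name -> Component
    connections: dict = field(default_factory=dict)  # (comp, in port) -> (comp, out port)


def minimal(sets):
    """Keep only cut sets that contain no other cut set."""
    return {s for s in sets if not any(o < s for o in sets)}


def cut_sets(sys, comp, expr):
    """Minimal cut sets, as sets of (component, basic fault), of `expr` evaluated
    inside `comp`; input ports are resolved upstream through the connections."""
    kind = expr[0]
    if kind == "basic":
        return {frozenset([(comp, expr[1])])}
    if kind == "in":
        src, out_port = sys.connections[(comp, expr[1])]
        src_expr = sys.components[src].outputs.get((out_port, expr[2]))
        return cut_sets(sys, src, src_expr) if src_expr else set()  # mode not producible upstream
    children = [cut_sets(sys, comp, e) for e in expr[1:]]
    if kind == "or":
        return minimal(set().union(*children))
    result = {frozenset()}          # "and": every child must fail -> cross product
    for child in children:
        result = {a | b for a in result for b in child}
    return minimal(result)


def top_probability(sys, cuts):
    """Exact P(some cut set occurs) by inclusion-exclusion, assuming independent basic faults."""
    cuts, total = list(cuts), 0.0
    for k in range(1, len(cuts) + 1):
        for subset in combinations(cuts, k):
            p = 1.0
            for comp, fault in frozenset().union(*subset):
                p *= sys.components[comp].basic[fault]
            total += (-1) ** (k + 1) * p
    return total


def analyse(sys, top):
    """top = (component, out port, mode). Returns (minimal cut sets, probability, total cost)."""
    comp, port, mode = top
    cuts = cut_sets(sys, comp, sys.components[comp].outputs[(port, mode)])
    return cuts, top_probability(sys, cuts), sum(c.cost for c in sys.components.values())


def apply_dmr(sys, name, cmp_cost=1.0, cmp_fault=1e-5):
    """Model transformation: replace `name` by two replicas plus a comparator (assumed
    to mask a fault unless both replicas or the comparator itself fail). The replicas
    share the original inputs, so faults arriving on those inputs are common cause
    and are NOT masked; only the component's own basic faults are."""
    new = System(dict(sys.components), dict(sys.connections))
    orig = new.components.pop(name)
    cmp = Component(name + ".cmp", cmp_cost, {"cmp_fail": cmp_fault})
    for i in (1, 2):
        rep = Component(f"{name}.{i}", orig.cost, dict(orig.basic), dict(orig.outputs))
        new.components[rep.name] = rep
        for (c, port), src in sys.connections.items():
            if c == name:
                new.connections[(rep.name, port)] = src
    for port, mode in orig.outputs:
        new.connections[(cmp.name, f"r1.{port}")] = (f"{name}.1", port)
        new.connections[(cmp.name, f"r2.{port}")] = (f"{name}.2", port)
        cmp.outputs[(port, mode)] = ("or", ("and", ("in", f"r1.{port}", mode),
                                                   ("in", f"r2.{port}", mode)),
                                           ("basic", "cmp_fail"))
    new.components[cmp.name] = cmp
    for key, (src, port) in list(new.connections.items()):
        if key[0] == name:
            del new.connections[key]                 # stale inputs of the removed component
        elif src == name:
            new.connections[key] = (cmp.name, port)  # consumers now read the comparator
    return new


def pareto_front(sys, top, candidates):
    """Exhaustive stand-in for the heuristic optimiser: every subset of `candidates`
    gets DMR; returns the non-dominated (pattern, probability, cost) points."""
    points = []
    for k in range(len(candidates) + 1):
        for chosen in combinations(candidates, k):
            s = sys
            for name in chosen:
                s = apply_dmr(s, name)
            _, prob, cost = analyse(s, top)
            points.append((chosen, prob, cost))
    return [p for p in points if not any(
        (q[1] <= p[1] and q[2] < p[2]) or (q[1] < p[1] and q[2] <= p[2]) for q in points)]


def build_example():
    """The "controller" of Figure 3 with invented sensors and an invented actuator."""
    sys = System()
    sys.components["sensorA"] = Component("sensorA", 2.0, {"drift": 1e-3, "stuck": 2e-4},
        {("val", "wrong value"): ("basic", "drift"), ("val", "too late"): ("basic", "stuck")})
    sys.components["sensorB"] = Component("sensorB", 1.0, {"noise": 5e-3},
        {("val", "wrong"): ("basic", "noise")})
    sys.components["controller"] = Component("controller", 5.0, {"basic": 1e-2},
        {("out", "error"): ("or", ("in", "in A", "wrong value"), ("in", "in A", "too late"),
                                  ("and", ("in", "in B", "wrong"), ("basic", "basic")))})
    sys.components["actuator"] = Component("actuator", 3.0, {"jam": 1e-4},
        {("motion", "hazard"): ("or", ("in", "cmd", "error"), ("basic", "jam"))})
    sys.connections[("controller", "in A")] = ("sensorA", "val")
    sys.connections[("controller", "in B")] = ("sensorB", "val")
    sys.connections[("actuator", "cmd")] = ("controller", "out")
    return sys


if __name__ == "__main__":
    system, top = build_example(), ("actuator", "motion", "hazard")
    cuts, prob, cost = analyse(system, top)
    print("minimal cut sets:", [sorted(c) for c in cuts], f"P={prob:.3e} cost={cost}")
    for chosen, prob, cost in pareto_front(system, top, ["sensorA", "controller"]):
        print(f"DMR on {chosen or 'nothing'}: P={prob:.3e} cost={cost}")
```

Running the sweep shows the practitioner's caveat on redundancy patterns: replicating the controller alone is dominated, because the cut sets that dominate the top event ("sensorA" drift or stuck) arrive on the replicas' shared inputs and survive the DMR transformation unchanged, while replicating "sensorA" is on the Pareto front. The automatic re-analysis after each transformation is what makes that visible without redrawing a fault tree by hand.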
Summary and Outlook
The presented approach to semi-automated safety analysis and optimization is part of a model-based systems engineering process and facilitates the development of safety-critical products. We have implemented the approach in a prototype tool and are currently evaluating it in collaboration with several business units of Robert Bosch GmbH.
Bibliography and list of sources
[1] B. Kaiser, P. Liggesmeyer and O. Mäckel, "A New Component Concept for Fault Trees," in Proceedings of the 8th Australian Workshop on Safety Critical Systems and Software, 2003.
[2] Y. Papadopoulos, M. Walker, D. Parker, E. Rüde, R. Hamann, A. Uhlig, U. Grätz and R. Lien, "Engineering failure analysis and design optimisation with HiP-HOPS," Engineering Failure Analysis, Vol. 18, No. 2, pp. 590-608, 2011.