
INSiDER: Incorporation of System and Safety Analysis Models using a Dedicated Reference Model

Marc Zeller, Siemens AG, Corporate Technology
Kai Höfig, Siemens AG, Corporate Technology

Key Words: safety, model-based development, system, safety analysis, synchronization

SUMMARY & CONCLUSIONS

In order to enable model-based, iterative design of safety-relevant systems, an efficient incorporation of safety and system engineering is a pressing need. Our approach interconnects system design and safety analysis models efficiently using a dedicated reference model. Since all information is available in a structured way, traceability between the model elements and consistency checks enable automated synchronization to guarantee that the information within both kinds of models is consistent during the development life-cycle.

1 INTRODUCTION

Nowadays, embedded systems are omnipresent in daily life, e.g. in industrial automation, medical devices or transportation systems. These systems often implement safety-relevant functionalities. A failure within these systems may lead to catastrophic accidents. Therefore, safety must be considered during the whole development process of a safety-relevant embedded system [1]. However, as practical experiences in industrial projects show, safety analyses are often performed only once and very late in the development cycle because they are very time-consuming.

Traditionally, safety analyses are performed by safety engineers, while the system is designed by system engineers. Thus, separate techniques and tools are used in industry for the design of the system and the analysis of the system in terms of safety. In general, system engineers are not familiar with the methodologies, notions and tools related to safety and vice versa. This is because system and safety engineering are two very different disciplines. However, this gap poses an additional issue during the development of safety-relevant systems and increases the communication as well as the synchronization overhead between the different kinds of engineers.

With the increasing system complexity of today's embedded systems, the number of safety-relevant functions also grows continuously. Due to this, the safety analysis of modern embedded systems has become very complex and time-consuming. To cope with the system complexity in the system development, model-based approaches provide promising solutions [2]. In order to take full advantage of this potential in the development of safety-relevant embedded systems, model-based techniques should be applied for both, the system and the safety engineering [3,4]. Moreover, an iterative and incremental design process should be applied to break with delaying “try and error” and “clone and own” project cultures in industrial practice and to make the right development decisions in early design phases.

In order to enable model-based, iterative design of safety-relevant embedded systems, the incorporation of safety and system engineering is a pressing need. But to interconnect system and safety analysis models efficiently the following challenges must be solved:

- An automated mapping between the elements of the system design and the safety analysis model is required in order to enable seamless traceability.
- The information within both kinds of models must be kept consistent during the complete development process. For instance, if a certain system element is deleted or renamed, the safety analysis model must be adjusted accordingly. This synchronization should be performed automatically to guarantee that the safety as well as the system engineer always works on consistent data.
- Pre-existing methodologies for both system and safety modeling should be used when incorporating system design and safety analysis. Thus, the system as well as the safety engineer can continue to work with the well-known techniques and tools they are already familiar with.

To cope with these challenges, our approach interconnects system design and safety analysis models by using a dedicated reference model. This concept aims to incorporate system and safety engineering during the model-based development process using existing, well-established system design and safety analysis techniques (such as Fault Tree analysis, Markov chains, FMEAs, etc.). Thus, available information from the system model can be used as input for the safety analysis model. Since all information is available in a structured way, the resulting traceability between the model elements enables the automated synchronization to guarantee that the information within both kinds of models is consistent w.r.t. correctness and completeness.

© 2016 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works. DOI: 10.1109/RAMS.2016.7448074 URL: https://ieeexplore.ieee.org/document/7448074

The remainder of this paper is organized as follows: In Section 2 we summarize related work in this area. Afterwards, our approach to interconnect and synchronize system and safety analysis models with a dedicated reference model is presented and illustrated using a running example. Finally, the paper is concluded in Section 5.

2 RELATED WORK

A straight-forward approach to connect system and safety models is to use model-to-model transformations. A model transformation has one or several models as input and specifies rules how to produce a specific output model. This method can be adopted to any kind of system or safety model. But since a model-to-model transformation is executed manually, the consistency between system and safety model cannot be guaranteed. Moreover, a specific model-to-model transformation for each kind of system model in combination with each kind of safety analysis is needed.

Various approaches incorporate the safety analysis model into the system model by extending it with specific safety-related information. For instance, a UML-based [5,6], SysML-based [7,8] or EAST-ADL-based [9] model of the system is annotated with safety information by incorporating it into the existing modeling artifacts. Other approaches as presented in [10,11,12] extend the system model by specific modeling artifacts to represent safety information. The safety analysis model may then be derived (semi-)automatically from such an extended system model in order to improve consistency [13]. However, the system model must be extended in order to enable the annotation with safety information. Therefore, specific tooling is needed to work with the extended system model. Moreover, the annotation must be performed manually by the safety engineer, who may not be familiar with the common approaches for system modeling. In contrast to this tight coupling of system and safety models, our approach enables loose coupling and supports any kind of system and safety analysis model. Thus, the safety as well as the system engineer can work with models they are familiar with.

Other approaches in the area of model-based safety analysis, such as HiP-HOPS [14] or FPTN [15], are based on a dedicated model for safety analysis. To enable traceability w.r.t. the elements within the system design, the safety analysis model reflects the structure of the system by the notion of components, their relationship, and their hierarchical organization. However, these are specific methodologies which require dedicated tools for safety analysis.

3 THE INSIDER APPROACH

In this section, we present our approach to interconnect and synchronize system design and safety analysis models. In the following, this method is described formally and illustrated using an example system (see Figure 1).

3.1 Interconnection

In order to enable a model-based and iterative development process for safety-relevant embedded systems, a dedicated reference model is used to link system and safety analysis models. Thus, it stores all information from the system design as well as all safety-related information in a structured way by providing references to these models. The so-called System Safety Analysis Model (S2AM) is a common super-set of the System Model (SM) (e.g. defined by a generic approach for model-based system engineering such as SysML [16] or a domain-specific one such as EAST-ADL [17] in the automotive domain) as well as the Safety Analysis Model (SAM) (e.g. FMEA, Fault Tree or Markov chain):

$S^2AM = SM \cup SAM \mid SM \cap SAM = \{\}$ (1)

with

$SM = \langle C, P, CON \rangle$ (2)

and

$SAM = \langle E, F, \Phi \rangle$ (3)

The SM is defined as a tuple consisting of a set of components

$C = \{c_1, \ldots, c_n\}$ (4)

and a set of ports

$P = P^{in} \cup P^{out} \mid P^{in} \cap P^{out} = \{\}$ (5)

where $P^{in} = \{p_1^{in}, \ldots, p_r^{in}\}$ is the set of input ports and $P^{out} = \{p_1^{out}, \ldots, p_s^{out}\}$ is the set of output ports. Each port is allocated to a specific component:

$\alpha : P \to C$ (6)

CON is a set of directed communication links between the components of the system, respectively their ports:

$CON \subseteq P^{out} \times P^{in}$ (7)

[Figure 1 - Exemplary system model SM_Ex]

An example system is shown in Figure 1 with

$SM_{Ex} = \langle \{c_1, c_2, c_3\}, \{in_1, in_2, in_3, out_1, out_2, out_3, out_4\}, \{con_1, con_2\} \rangle$ (8)

$\alpha(in_1) = c_1, \alpha(in_2) = c_2, \alpha(in_3) = c_3, \alpha(out_1) = c_1, \alpha(out_2) = c_1, \alpha(out_3) = c_2, \alpha(out_4) = c_3$ (9)

$con_1 = \langle out_1, in_2 \rangle, con_2 = \langle out_2, in_3 \rangle$ (10)

The SAM is a tuple with a set of (basic) events (also called causes)

$E = \{e_1, \ldots, e_r\}$ (11)

and a set of failure ports

$F = F^{in} \cup F^{out} \mid F^{in} \cap F^{out} = \{\}$ (12)

where $F^{in} = \{f_1^{in}, \ldots, f_v^{in}\}$ is the set of failure inports and $F^{out} = \{f_1^{out}, \ldots, f_w^{out}\}$ is the set of failure outports. Moreover, the function

$\Phi : E \cup F^{in} \to F^{out}$ (13)

describes the relationship between failure inports or (basic) events and failure outports using the Boolean operators $\wedge, \vee, \neg$.

Apart from describing a complete system by one single SAM, it is also possible to define a SAM for each of the system components:

$\forall c_i \in C : SAM_{c_i} = \langle E_{c_i}, F_{c_i}, \Phi_{c_i} \rangle$ (14)

with

$SAM = \langle \bigcup_{i=1}^{n} SAM_{c_i} \mid \bigcap_{i=1}^{n} SAM_{c_i} = \{\}, CON' \rangle$ (15)

CON' is a set of directed communication links describing failure propagation from the SAM of one component to another:

$CON' \subseteq F_{c_i}^{out} \times F_{c_j}^{in}$ with $c_i \neq c_j \in C$ (16)

Thereby, it is possible to describe the failure propagation within the system in a structured way which is consistent with component-based system design, e.g. by using Interface Focused-FMEA (IF-FMEA) [18] or Component Fault Trees (CFTs) [19].

[Figure 2 - Exemplary safety analysis model SAM_Ex in form of a CFT]

An exemplary CFT (equivalent to the classical Fault Tree in [19]) for the analysis of SM_Ex is shown in Figure 2 with

$SAM_{Ex} = \langle \{SAM_{c_1}, SAM_{c_2}, SAM_{c_3}\}, \{con_1', con_2', con_3'\} \rangle$ (17)

where

$SAM_{c_1} = \langle \{w, x\}, \{a, b, c, d\}, \{(a, w) \mapsto b, (a, x) \mapsto d, a \mapsto c\} \rangle$
$SAM_{c_2} = \langle \{y\}, \{e, f, h, i\}, \{(e, y) \mapsto h, f \mapsto i\} \rangle$ (18)
$SAM_{c_3} = \langle \{z\}, \{g, j\}, \{(g, z) \mapsto j\} \rangle$

$con_1' = \langle b, e \rangle, con_2' = \langle c, f \rangle, con_3' = \langle d, g \rangle$ (19)

In order to enable the seamless information flow between the system and the safety analysis models, the modeling elements can be mapped automatically within the S2AM by using unique identifiers (e.g. a unique name of the element). For instance, if a component has a unique name within the system model, it can also be identified within the safety analysis model by this name and vice versa. Thus, the relationship between the artifacts within the system model and the safety analysis models is completely traceable. However, the modeling environment (i.e. the tools used to create and maintain the models) must ensure that the names of the modeling elements are unique.

3.2 Synchronization

By using our approach, it is also possible to check the consistency of the safety analysis model w.r.t. the given system model. Thus, it can be checked if

- a representation SAM_c exists within the safety analysis model for each component c within the system model (e.g. a CFT element within a Component Fault Tree):

$\forall c_i \in C : \exists\, SAM_{c_i}$ (20)

- all ports P of each component of the system are represented within the safety analysis model by at least one failure port f:

$\forall p_i^{in} \in P^{in} : \exists\, f^{in} \in SAM_{c_j}$ with $c_j = \alpha(p_i^{in})$ (21)

and

$\forall p_i^{out} \in P^{out} : \exists\, f^{out} \in SAM_{c_j}$ with $c_j = \alpha(p_i^{out})$ (22)

Hence, a mapping between ports and failure ports is created with

$\beta : P_{c_i} \to F_{c_i}$ (23)

$\beta' : F_{c_i} \to P_{c_i}$ (24)

- all connections between the ports within the system model are represented by connections between failure ports within the safety analysis model:

$\forall con \in CON$ with $\langle p_x^{out}, p_y^{in} \rangle : \exists\, con' \in CON'$ with $\langle f^{out}, f^{in} \rangle$, $f^{out} \in F_{c_i}$ and $f^{in} \in F_{c_j}$ (25)

with $c_i = \alpha(p_x^{out})$, $c_j = \alpha(p_y^{in})$, $c_i \neq c_j \in C$.

With the help of these consistency checks, it is possible to detect deviations or gaps between the system design and the safety analysis model.

Based on these consistency checks, an algorithm for the automatic synchronization of the system and the safety analysis model can be built. Thereby, the safety analysis model is synchronized with an existing system model. Hence, a new safety analysis model, which is consistent with the system design, can be created easily (and semi-automatically). Moreover, the safety analysis model can be kept consistent automatically during the development life-cycle with an evolving system design.

For the synchronization of an existing system design model with a safety analysis model the following algorithm (displayed in pseudo code) is used:

    FOR each component c in the SM
        IF no SAMc for component c exists in the SAM THEN
            CALL create new SAMc in the SAM
        END IF
        FOR each port p of component c
            IF port p is not represented in the SAMc THEN
                CALL create new failure port f = β(p) in the SAMc
            END IF
        END FOR
    END FOR

    FOR each component SAMc in the SAM
        IF no component c for SAMc exists in the SM THEN
            CALL remove SAMc from the SAM
        END IF
        FOR each failure port f of SAMc
            IF failure port f is not represented in component c THEN
                CALL remove failure port f from SAMc
            END IF
        END FOR
    END FOR

    FOR each connection con between p1 and p2 in the SM
        IF no connection con' between β(p1) and β(p2) exists in the SAM THEN
            CALL create new con' between failure ports f1 = β(p1) and f2 = β(p2)
        END IF
    END FOR

    FOR each connection con' between f1 and f2 in the SAM
        IF no connection con between β'(f1) and β'(f2) exists in the SM THEN
            CALL remove con' from the SAM
        END IF
    END FOR

For example, the system safety analysis model for the exemplary system $S^2AM_{Ex} = SM_{Ex} \cup SAM_{Ex}$ enables to perform the following synchronization between the system design model SM_Ex and the safety analysis model SAM_Ex:

$c_1 \mapsto SAM_{c_1}$, $c_2 \mapsto SAM_{c_2}$, $c_3 \mapsto SAM_{c_3}$,
$in_1 \mapsto a$, $in_2 \mapsto \{e, f\}$, $in_3 \mapsto g$,
$out_1 \mapsto \{b, c\}$, $out_2 \mapsto d$, $out_3 \mapsto \{h, i\}$, $out_4 \mapsto j$,
$con_1 \mapsto \{con_1', con_2'\}$, $con_2 \mapsto con_3'$ (26)

Figure 3 illustrates the synchronization between the exemplary system design and its safety analysis model.

[Figure 3 – Synchronization of the exemplary system design SM_Ex and the safety analysis model SAM_Ex]
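The following Python model is an added illustration of Section 3, not code from the paper or the authors' tooling. It encodes SM = ⟨C, P, CON⟩, the component-wise SAM with CON', the port mapping β/β' of the S2AM, the consistency checks (20)-(25) and the four loops of the synchronization algorithm above, and runs them on SM_Ex, SAM_Ex and the mapping (26). It then applies a constructed design change (component c1 deleted, a new component c4 fed by out4) to show how the checks report the deviation and how synchronization repairs the SAM. The in/out split of ports and the intra-component formulae Φ are omitted, and the naming of newly created failure ports ('fp_' plus the port name) is an assumption of this example; the paper leaves it open.

```python
"""Toy model of the INSiDER reference model (S2AM) of Section 3: system model
SM = <C, P, CON>, component-wise safety analysis model SAM = <{SAM_ci}, CON'>,
the port mapping beta (23)/(24), the checks (20)-(25) and the synchronization
algorithm of Section 3.2. Added illustration, not the authors' tooling; the
in/out split of ports and the formulae Phi are omitted, and new failure ports
are named 'fp_<port>', which is an assumption of this example."""
from dataclasses import dataclass, field

@dataclass
class SM:                       # SM = <C, P, CON>  (2)
    components: set
    alpha: dict                 # alpha: P -> C  (6): port name -> owning component
    con: set                    # CON subset of P_out x P_in  (7): pairs (p_out, p_in)

@dataclass
class SAMc:                     # SAM_ci = <E_ci, F_ci, Phi_ci>  (14), Phi omitted
    events: set                 # basic events E_ci
    fports: set                 # failure ports F_ci (in- and outports together)

@dataclass
class SAM:                      # SAM = <{SAM_ci}, CON'>  (15)
    parts: dict                 # component name -> SAM_c, linked by the unique name
    con: set                    # CON' subset of F_out x F_in  (16)

@dataclass
class S2AM:                     # reference model holding SM, SAM and the mapping  (1)
    sm: SM
    sam: SAM
    beta: dict = field(default_factory=dict)   # beta: P -> set of failure ports  (23)

    def beta_inv(self, f):      # beta': F -> P  (24)
        return next((p for p, fs in self.beta.items() if f in fs), None)

    def owner(self, f):         # component whose SAM_c contains failure port f
        return next((c for c, s in self.sam.parts.items() if f in s.fports), None)

    def linked(self, p1, p2):   # does some con' connect beta(p1) with beta(p2)?
        return any(a in self.beta.get(p1, ()) and b in self.beta.get(p2, ())
                   for a, b in self.sam.con)

    def check(self):
        """Consistency checks (20)-(25); an empty list means SM and SAM agree."""
        out = [f"no SAM_c for component {c}"                              # (20)
               for c in sorted(self.sm.components) if c not in self.sam.parts]
        for p, c in self.sm.alpha.items():                                # (21), (22)
            part = self.sam.parts.get(c)
            if part is None or not self.beta.get(p, set()) & part.fports:
                out.append(f"port {p} of {c} has no failure port")
        out += [f"connection {px}->{py} has no con' in the SAM"           # (25)
                for px, py in sorted(self.sm.con) if not self.linked(px, py)]
        return out

    def synchronize(self):
        """The four loops of the pseudo-code algorithm in Section 3.2 (SM drives SAM)."""
        sm, sam = self.sm, self.sam
        for c in sm.components:                    # loop 1: missing SAM_c / failure ports
            part = sam.parts.setdefault(c, SAMc(set(), set()))
            for p in [p for p, owner in sm.alpha.items() if owner == c]:
                if not self.beta.get(p, set()) & part.fports:
                    part.fports.add("fp_" + p)     # f = beta(p), assumed naming scheme
                    self.beta.setdefault(p, set()).add("fp_" + p)
        for c in list(sam.parts):                  # loop 2: stale SAM_c / failure ports
            if c not in sm.components:
                del sam.parts[c]
                continue
            for f in list(sam.parts[c].fports):
                if sm.alpha.get(self.beta_inv(f)) != c:
                    sam.parts[c].fports.discard(f)
        self.beta = {p: {f for f in fs if self.owner(f)}   # drop references to removed elements
                     for p, fs in self.beta.items() if p in sm.alpha}
        for p1, p2 in sm.con:                      # loop 3: missing con'
            if not self.linked(p1, p2):
                sam.con.add((min(self.beta[p1]), min(self.beta[p2])))
        for f1, f2 in list(sam.con):               # loop 4: stale con'
            if (self.beta_inv(f1), self.beta_inv(f2)) not in sm.con:
                sam.con.discard((f1, f2))
        return self

def build_example():
    """SM_Ex (8)-(10), SAM_Ex (17)-(19) and the port mapping (26) from the paper."""
    sm = SM({"c1", "c2", "c3"},
            {"in1": "c1", "in2": "c2", "in3": "c3",
             "out1": "c1", "out2": "c1", "out3": "c2", "out4": "c3"},
            {("out1", "in2"), ("out2", "in3")})
    sam = SAM({"c1": SAMc({"w", "x"}, {"a", "b", "c", "d"}),
               "c2": SAMc({"y"}, {"e", "f", "h", "i"}),
               "c3": SAMc({"z"}, {"g", "j"})},
              {("b", "e"), ("c", "f"), ("d", "g")})
    beta = {"in1": {"a"}, "in2": {"e", "f"}, "in3": {"g"}, "out1": {"b", "c"},
            "out2": {"d"}, "out3": {"h", "i"}, "out4": {"j"}}
    return S2AM(sm, sam, beta)

def evolve_and_sync():
    """Constructed design change (c1 deleted, new c4 fed by out4): returns the
    findings of check() before synchronization and the resynchronized model."""
    m = build_example()
    m.sm.components -= {"c1"}
    for p in ("in1", "out1", "out2"):
        del m.sm.alpha[p]
    m.sm.con -= {("out1", "in2"), ("out2", "in3")}
    m.sm.components.add("c4")
    m.sm.alpha["in4"] = "c4"
    m.sm.con.add(("out4", "in4"))
    return m.check(), m.synchronize()
```

`build_example().check()` returns an empty list, i.e. SM_Ex and SAM_Ex are consistent under the mapping (26). After the constructed change, `check()` reports the missing SAM_c4, the unrepresented port in4 and the connection out4→in4 without a counterpart in CON'; `synchronize()` then creates SAM_c4 with a failure port for in4, removes SAM_c1 together with con1', con2' and con3' (their β' ports no longer exist in the SM) and adds the new con' between j and the failure port of in4, after which `check()` is empty again. As the paper notes, events and the formulae Φ are left untouched by this procedure, because they are the safety engineer's manual input.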
3.3 Discussion

The S2AM is composed of a reference to the safety analysis model and a reference to the system model. The use of references enables a loosely coupled linking of the safety analysis models with the system design model without modifying any of the models. An extension of the system model is not needed to store the relevant safety information. Thus, the system engineer and also the safety engineer can work with the notions, methodologies and tools with which they are familiar. Since the S2AM is solely working with references, the models can be easily exchanged during the development life-cycle by redefining the references. Also references to additional models can be added in order to integrate additional safety analysis techniques or new system design information without the need to rework existing parts of the model (minimally invasive).

Moreover, the safety analysis model can use information provided in the system model via the references provided by the S2AM. With the information flow enabled by our approach, it is possible to perform safety analyses based on the information from the system design. Hence, the results of the safety analyses are consistent with the system model and can be used as feedback to refine or modify the system design along the development process.

Based on our approach to synchronize system design and safety analysis model, it is possible to keep the information of both kinds of models consistent. Changes of the system design are automatically reflected in the safety analysis model. For instance, if an element in the system design model (component, inport/outport, connection between ports) is added, deleted or renamed, the safety analysis model is adjusted accordingly by adding, deleting or renaming the corresponding elements (safety analysis model, failure inport / failure outport, connection between failure ports). Thus, it is guaranteed that the system engineer as well as the safety engineer works with the same information, since an automatic mapping between modeling artifacts is possible. However, the elements of the SAM (events and the Boolean formulae describing the intra-component failure propagation) cannot be synchronized automatically, since this information is manually added or modified by the safety engineer. But since this information is clearly assigned to a specific component, it is possible to store it in a repository and reuse it with the component itself.

4 CONCLUSION AND FUTURE WORK

Our approach interconnects system design and safety analysis using a dedicated reference model. Thus, available information from the system model can be used as input for the safety analysis model. Since all information is available in a structured way, traceability between the model elements and consistency checks enable an automated synchronization to guarantee that the information within both kinds of models is consistent. This incorporation of system design and safety analysis models increases the quality of the safety analyses by detecting potential errors during the creation and maintenance of the safety analysis models. Furthermore, the time needed for the safety assessment is reduced by enabling semi-automated generation of the analysis models and hence providing modeling support for the system's failure propagation which is kept consistent with the system model. Moreover, safety analyses can be performed iteratively during the whole development life-cycle and provide feedback to the system design, which fosters the incremental, model-based development of safety-relevant embedded systems.

Future work will include the development of methods for the systematic reuse of safety analysis models as well as techniques to fully automate safety analyses at early development stages based on the INSiDER approach.

ACKNOWLEDGEMENT

Parts of the research leading to these results have received funding from the European Union Seventh Framework Programme (FP7 2007-2013) under grant agreement No. 608945 (SafeAdapt).

REFERENCES

1. International Electrotechnical Commission (IEC), “IEC 61508: Functional safety of electrical/electronic/programmable electronic safety related systems”, 1998
2. Holzmann, G. J., “Conquering Complexity”, IEEE Computer, vol. 40, 2007, pp 111-113
3. Joshi, A., Heimdahl, M. P., Miller, S. P., Whalen, M. W., “Model-based safety analysis”, NASA Final Report, http://shemesh.larc.nasa.gov/fm/papers/Model-BasedSafetyAnalysis.pdf, 2006
4. Schultz, M., Meyer, L., Langer, B., Fricke, H., “Model-based safety assessment as integrated part of system development”, International Workshop on Aircraft System Technologies (AST), 2011
5. Le Guennec, A., Dion, B., “Bridging UML and safety-critical software development environments”, International Conference on Embedded and Real-Time Software (ERTS), 2006
6. Schreiber, S., Schmidberger, T., Fay, A., May, J., Drewes, J., Schnieder, E., “UML-based safety analysis of distributed automation systems”, Proceedings of the IEEE Conference on Emerging Technologies and Factory Automation (ETFA), 2007, pp 1069-1075
7. Helle, P., “Automatic SysML-based safety analysis”, Proceedings of the 5th International Workshop on Model Based Architecting and Construction of Embedded Systems (ACES-MB '12), 2012, pp 19-24
8. Biggs, G., Sakamoto, T., Kotoku, T., “A profile and tool for modelling safety information with design information in SysML”, Software & Systems Modeling, 2014, pp 1-32
9. Chen, D., Johansson, R., Lönn, H., Blom, H., Walker, M., Papadopoulos, Y., Torchiaro, S., Tagliabo, F., Sandberg, A., “Integrated safety and architecture modeling for automotive embedded systems”, e & i Elektrotechnik und Informationstechnik, vol. 128, 2011, pp 196-202
10. Cancila, D., Terrier, F., Belmonte, F., Dubois, H., Espinoza, H., Gérard, S., Cuccuru, A., “Sophia: A modeling language for model-based safety engineering”, 2nd International Workshop on model-based architecting and construction of embedded systems (ACES-MB), 2009, pp 11-26
11. Peikenkamp, T., Cavallo, A., Valacca, L., Böde, E., Pretzer, M., Hahn, E.M., “Towards a unified model-based safety assessment”, Computer Safety, Reliability, and Security, Lecture Notes in Computer Science, vol. 4166, 2006, pp 275-288
12. Zoughbi, G., Briand, L., Labiche, Y., “Modeling safety and airworthiness (RTCA DO-178B) information: conceptual model and UML profile”, Software & Systems Modeling, vol. 10, 2011, pp 337-367
13. Abdulla, P.A., Deneux, J., Stalmarck, G., Agren, H., Akerlund, O., “Designing safe, reliable systems using SCADE”, Leveraging Applications of Formal Methods, Lecture Notes in Computer Science, vol. 4313, 2006, pp 115-129
14. Papadopoulos, Y., McDermid, J., “Hierarchically performed hazard origin and propagation studies”, Computer Safety, Reliability and Security, Springer Berlin Heidelberg, 1999, pp 139-152
15. Fenelon, P., McDermid, J., “An integrated toolset for software safety analysis”, Journal of Systems and Software, vol. 21, 1993, pp 279-290
16. Object Management Group (OMG), “OMG Systems Modeling Language (OMG SysML)”, Version 1.3, http://www.omg.org/spec/SysML/1.3/, 2012
17. EAST-ADL Association, “EAST-ADL Domain Model Specification”, Version 2.1.12, http://www.aadl.info/, 2013
18. Papadopoulos, Y., McDermid, J., Sasse, R., Heiner, G., “Analysis and synthesis of the behaviour of complex programmable electronic systems in conditions of failure”, Reliability Engineering & System Safety, vol. 71, 2001, pp 229-247
19. Kaiser, B., Liggesmeyer, P., Mäckel, O., “A new component concept for fault trees”, Proceedings of the 8th Australian Workshop on Safety Critical Systems and Software (SCS '03), 2003, pp 37-46

BIOGRAPHIES

Marc Zeller
Siemens AG
Corporate Technology
Otto-Hahn-Ring 6
Munich, 81739, Germany
e-mail: [email protected]

Marc Zeller works as a research scientist at Siemens AG, Corporate Technology, in Munich since 2014. His research interests are focused on the model-based safety and reliability engineering of complex software-intensive embedded systems. Marc Zeller studied Computer Science at the Karlsruhe Institute of Technology (KIT) and graduated in 2007. He obtained a PhD from the University of Augsburg in 2013 for his work on self-adaptation in networked embedded systems at the Fraunhofer Institute for Embedded Systems and Communication Technologies ESK in Munich.

Kai Höfig
Siemens AG
Corporate Technology
Otto-Hahn-Ring 6
Munich, 81739, Germany
e-mail: [email protected]

Kai Höfig studied Computer Science at RWTH Aachen, Germany and holds a PhD from the Fraunhofer Institute for Experimental Software Engineering (IESE) where he combined safety-related models and timing analysis models in a probabilistic approach for conditional execution time. He currently leads the Model-based Reliability and Safety Engineering Lab at the Research and Technology Cluster Systems Engineering at Siemens Corporate Technology. There he continues to work with safety-critical systems and supports certification activities in various domains, such as automotive, healthcare, railway, energy and industry automation. His research activities include model-based approaches for reliability, availability, maintainability and safety.