INSiDER: Incorporation of System and Safety Analysis Models using a Dedicated Reference Model

Marc Zeller, Siemens AG, Corporate Technology
Kai Höfig, Siemens AG, Corporate Technology

Key Words: safety, model-based development, system design, safety analysis, synchronization

© 2016 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works. DOI: 10.1109/RAMS.2016.7448074 URL: https://ieeexplore.ieee.org/document/7448074

SUMMARY & CONCLUSIONS

In order to enable model-based, iterative design of safety-relevant systems, an efficient incorporation of safety and system engineering is a pressing need. Our approach interconnects system design and safety analysis models efficiently using a dedicated reference model. Since all information is available in a structured way, traceability between the model elements and consistency checks enable automated synchronization to guarantee that the information within both kinds of models is consistent during the development life-cycle.

1 INTRODUCTION

Nowadays, embedded systems are omnipresent in daily life, e.g. in industrial automation, medical devices or transportation systems. These systems often implement safety-relevant functionalities. A failure within these systems may lead to catastrophic accidents. Therefore, safety must be considered during the whole development process of a safety-relevant embedded system [1]. However, as practical experience in industrial projects shows, safety analyses are often performed only once and very late in the development cycle because they are very time-consuming.

Traditionally, safety analyses are performed by safety engineers, while the system is designed by system engineers. Thus, separate techniques and tools are used in industry for the design of the system and the analysis of the system in terms of safety. In general, system engineers are not familiar with the methodologies, notions and tools related to safety and vice versa. This is because system and safety engineering are two very different disciplines. However, this gap poses an additional issue during the development of safety-relevant systems and increases the communication as well as the synchronization overhead between the different kinds of engineers.

With the increasing system complexity of today's embedded systems, the number of safety-relevant functions also grows continuously. Due to this, the safety analysis of modern embedded systems has become very complex and time-consuming. To cope with the system complexity in system development, model-based approaches provide promising solutions [2]. In order to take full advantage of this potential in the development of safety-relevant embedded systems, model-based techniques should be applied for both the system and the safety engineering [3,4]. Moreover, an iterative and incremental design process should be applied to break with delaying "trial and error" and "clone and own" project cultures in industrial practice and to make the right development decisions in early design phases.

In order to enable model-based, iterative design of safety-relevant embedded systems, the incorporation of safety and system engineering is a pressing need. But to interconnect system and safety analysis models efficiently, the following challenges must be solved:

- An automated mapping between the elements of the system design and the safety analysis model is required in order to enable seamless traceability.
- The information within both kinds of models must be kept consistent during the complete development process. For instance, if a certain system element is deleted or renamed, the safety analysis model must be adjusted accordingly. This synchronization should be performed automatically to guarantee that the safety as well as the system engineer always works on consistent data.
- Pre-existing methodologies for both system and safety modeling should be used when incorporating system design and safety analysis. Thus, the system as well as the safety engineer can continue to work with well-known techniques and tools they are already familiar with.

To cope with these challenges, our approach interconnects system design and safety analysis models by using a dedicated reference model. This concept aims to incorporate system and safety engineering during the model-based development process using existing, well-established system design and safety analysis techniques (such as Fault Tree analysis, Markov chains, FMEAs, etc.). Thus, available information from the system model can be used as input for the safety analysis model. Since all information is available in a structured way, the resulting traceability between the model elements enables the automated synchronization to guarantee that the information within both kinds of models is consistent w.r.t. correctness and completeness.

The remainder of this paper is organized as follows: In Section 2 we summarize related work in this area. Afterwards, our approach to interconnect and synchronize system and safety analysis models with a dedicated reference model is presented and illustrated using a running example. Finally, the paper is concluded in Section 5.

2 RELATED WORK

A straightforward approach to connect system and safety models is to use model-to-model transformations. A model transformation has one or several models as input and specifies rules for how to produce a specific output model. This method can be adopted for any kind of system or safety model. But since a model-to-model transformation is executed manually, the consistency between system and safety model cannot be guaranteed. Moreover, a specific model-to-model transformation is needed for each kind of system model in combination with each kind of safety analysis.

Various approaches incorporate the safety analysis model into the system model by extending it with specific safety-related information. For instance, a UML-based [5,6], SysML-based [7,8] or EAST-ADL-based [9] model of the system is annotated with safety information by incorporating it into the existing modeling artifacts. Other approaches, as presented in [10,11,12], extend the system model by specific modeling artifacts to represent safety information. The safety analysis model may then be derived (semi-)automatically from such an extended system model in order to improve consistency [13]. However, the system model must be extended in order to enable the annotation with safety information. Therefore, specific tooling is needed to work with the extended system model. Moreover, the annotation must be performed manually by the safety engineer, who may not be familiar with the common approaches for system modeling. In contrast to this tight coupling of system and safety models, our approach enables loose coupling and supports any kind of system and safety analysis model. Thus, the safety as well as the system engineer can work with models they are familiar with.

Other approaches in the area of model-based safety analysis, such as HiP-HOPS [14] or FPTN [15], are based on a dedicated model for safety analysis. To enable traceability w.r.t. the elements within the system design, the safety analysis model reflects the structure of the system by the notion of components, their relationships, and their hierarchical organization. However, these are specific methodologies which require dedicated tools for safety analysis.

3 THE INSIDER APPROACH

In this section, we present our approach to interconnect and synchronize system design and safety analysis models. In the following, this method is described formally and illustrated using an example system (see Figure 1).

3.1 Interconnection

In order to enable a model-based and iterative development process for safety-relevant embedded systems, a dedicated reference model is used to link system and safety analysis models. Thus, it stores all information from the system design as well as all safety-related information in a structured way by providing references to these models. The so-called System Safety Analysis Model (S2AM) is a common super-set of the System Model (SM) (e.g. defined by a generic approach for model-based system engineering such as SysML [16] or a domain-specific one such as EAST-ADL [17] in the automotive domain) as well as the Safety Analysis Model (SAM) (e.g. FMEA, Fault Tree or Markov chain):

$S^2AM = SM \cup SAM \mid SM \cap SAM = \{\}$ (1)

with

$SM = (C, P, CON)$ (2)

and

$SAM = (E, F, M, \ldots)$ (3)

The SM is defined as a tuple consisting of a set of components

$C = \{c_1, \ldots, c_n\}$ (4)

and a set of ports

$P = P^{in} \cup P^{out} \mid P^{in} \cap P^{out} = \{\}$ (5)

where $P^{in} = \{p^{in}_1, \ldots, p^{in}_r\}$ is the set of input ports and $P^{out} = \{p^{out}_1, \ldots, p^{out}_s\}$ is the set of output ports. Each port is allocated to a specific component by an allocation function

$P \to C$ (6)

$CON$ is a set of directed communication links between the components of the system, respectively their ports:

$CON \subseteq P^{out} \times P^{in}$ (7)

Figure 1 - Exemplary system model $SM_{Ex}$

An example system is shown in Figure 1 with

$SM_{Ex} = (\{c_1, c_2, c_3\}, \{in_1, in_2, in_3, out_1, out_2, out_3, out_4\}, \{con_1, con_2\})$ (8)

where

$in_1 \mapsto c_1,\ in_2 \mapsto c_2,\ in_3 \mapsto c_3,\ out_1 \mapsto c_1,\ out_2 \mapsto c_1,\ out_3 \mapsto c_2,\ out_4 \mapsto c_3$ (9)

$con_1 = (out_1, in_2),\ con_2 = (out_2, in_3)$ (10)

The SAM is a tuple with a set of (basic) events (also called causes)

$E = \{e_1, \ldots, e_r\}$ (11)

and a set of failure ports

$F = F^{in} \cup F^{out} \mid F^{in} \cap F^{out} = \{\}$ (12)

where $F^{in} = \{f^{in}_1, \ldots, f^{in}_v\}$ is the set of failure inports and $F^{out} = \{f^{out}_1, \ldots, f^{out}_w\}$ is the set of failure outports.

SAM_c1 = (w, x, a, b, c, d, a w b, a x d, a c)
SAM_c2 = (y, e, f, h, i, e y h, f i) (18)
SAM_c3 = (z, g, j, g z j)

and

$con'_1 = (b, e),\ con'_2 = (c, f),\ con'_3 = (d, g)$ (19)

In order to enable the seamless information flow between
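As an added illustration (not code from the paper or its tooling), the system model definition of equations (2)-(10) and the synchronization requirement from the introduction, worked in Python: the running example SM_Ex as plain data, checks for the constraints of equations (5)-(7), and a check that reports safety-analysis elements whose referenced system element has been deleted. The class name SystemModel, the per-component reference mapping SAM_REFS and the element names used for the reference model are assumptions.

```python
"""Added example, not code from the INSiDER paper: SM = (C, P, CON) of Figure 1
as data, well-formedness checks for eqs. (5)-(7), and a dangling-reference check."""
from dataclasses import dataclass


@dataclass
class SystemModel:
    components: set   # C, eq. (4)
    in_ports: set     # P^in
    out_ports: set    # P^out, eq. (5)
    alloc: dict       # port -> component, the allocation function of eq. (6)
    con: set          # directed links as (out_port, in_port) pairs, eq. (7)


def check_system_model(sm):
    """Return the violations of the SM definition; an empty list means well-formed."""
    errors = []
    if sm.in_ports & sm.out_ports:
        errors.append("P_in and P_out are not disjoint")
    for p in sm.in_ports | sm.out_ports:
        if sm.alloc.get(p) not in sm.components:
            errors.append(f"port {p} is not allocated to a known component")
    for src, dst in sm.con:
        if src not in sm.out_ports or dst not in sm.in_ports:
            errors.append(f"link ({src},{dst}) is not in P_out x P_in")
    return errors


def delete_component(sm, c):
    """Remove component c together with its ports and every link using them."""
    gone = {p for p, owner in sm.alloc.items() if owner == c}
    sm.components.discard(c)
    sm.in_ports -= gone
    sm.out_ports -= gone
    for p in gone:
        del sm.alloc[p]
    sm.con = {(s, d) for s, d in sm.con if s not in gone and d not in gone}


def dangling_references(sm, refs):
    """refs maps a safety-analysis element to the SM element it traces to (assumed
    reference-model shape); return the ones whose target no longer exists in SM."""
    existing = sm.components | sm.in_ports | sm.out_ports
    return {sam for sam, target in refs.items() if target not in existing}


# Running example SM_Ex of Figure 1, equations (8)-(10)
SM_EX = SystemModel(
    components={"c1", "c2", "c3"}, in_ports={"in1", "in2", "in3"},
    out_ports={"out1", "out2", "out3", "out4"},
    alloc={"in1": "c1", "in2": "c2", "in3": "c3",
           "out1": "c1", "out2": "c1", "out3": "c2", "out4": "c3"},
    con={("out1", "in2"), ("out2", "in3")},
)
# Assumed: one safety analysis per component, as in eq. (18), traced back to it
SAM_REFS = {"SAM_c1": "c1", "SAM_c2": "c2", "SAM_c3": "c3"}
```

Deleting c2 from SM_EX leaves the system model well-formed but makes SAM_c2 a dangling reference, which is exactly the inconsistency the automated synchronization has to flag.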