Hazard Contribution Modes of Machine Learning Components

Amongst the essential steps to be taken towards developing and deploying safe systems with embedded learning-enabled components (LECs) i.e., software components that use ma- chine learning (ML)are to analyze and understand the con- tribution of the constituent LECs to safety, and to assure that those contributions have been appropriately managed. This paper addresses both steps by, first, introducing the notion of hazard contribution modes (HCMs) a categorization of the ways in which the ML elements of LECs can contribute to hazardous system states; and, second, describing how argumentation patterns can capture the reasoning that can be used to assure HCM mitigation. Our framework is generic in the sense that the categories of HCMs developed i) can admit different learning schemes, i.e., supervised, unsupervised, and reinforcement learning, and ii) are not dependent on the type of system in which the LECs are embedded, i.e., both cyber and cyber-physical systems. One of the goals of this work is to serve a starting point for systematizing L analysis towards eventually automating it in a tool

A PRISMA-driven systematic mapping study on system assurance weakeners

Context: An assurance case is a structured hierarchy of claims aiming at demonstrating that a given mission-critical system supports specific requirements (e.g., safety, security, privacy). The presence of assurance weakeners (i.e., assurance deficits, logical fallacies) in assurance cases reflects insufficient evidence, knowledge, or gaps in reasoning. These weakeners can undermine confidence in assurance arguments, potentially hindering the verification of mission-critical system capabilities. Objectives: As a stepping stone for future research on assurance weakeners, we aim to initiate the first comprehensive systematic mapping study on this subject. Methods: We followed the well-established PRISMA 2020 and SEGRESS guidelines to conduct our systematic mapping study. We searched for primary studies in five digital libraries and focused on the 2012-2023 publication year range. Our selection criteria focused on studies addressing assurance weakeners at the modeling level, resulting in the inclusion of 39 primary studies in our systematic review. Results: Our systematic mapping study reports a taxonomy (map) that provides a uniform categorization of assurance weakeners and approaches proposed to manage them at the modeling level. Conclusion: Our study findings suggest that the SACM (Structured Assurance Case Metamodel) -- a standard specified by the OMG (Object Management Group) -- may be the best specification to capture structured arguments and reason about their potential assurance weakeners

A Pattern-based Approach towards Modular Safety Analysis and Argumentation

International audienceSafety standards recommend (if not dictate) performing many analyses during the concept phase of development as well as the early adoption of multiple measures at the architectural design level. In practice, the reuse of architectural measures or safety mechanisms is widely-spread, especially in well-understood domains, as is reusing the corresponding safety-cases aiming to document and prove the fulfillment of the underlying safety goals. Safety-cases in the automotive domain are not well-integrated into architectural models and as such do not provide comprehensible and reproducible argumentation nor any evidence for argument correctness. The reuse is mostly ad-hoc, with loss of knowledge and traceability and lack of consistency or process maturity as well as being the most widely spread and cited drawbacks.Using a simplified description of software functions and their most common error management subtypes (avoidance, detection, handling, ..) we propose to define a pattern library covering known solution algorithms and architectural measures/constraints in a seamless holistic model-based approach with corresponding tool support. The pattern libraries would comprise the requirement the pattern covers and the architecture elements/ measures / constraints required and may include deployment or scheduling strategies as well as the supporting safety case template, which would then be integrated into existing development environments. This paper explores this approach using an illustrative example

A Taxonomy of Fallacies in System Safety Arguments

Safety cases are gaining acceptance as assurance vehicles for safety-related systems. A safety case documents the evidence and argument that a system is safe to operate; however, logical fallacies in the underlying argument may undermine a system s safety claims. Removing these fallacies is essential to reduce the risk of safety-related system failure. We present a taxonomy of common fallacies in safety arguments that is intended to assist safety professionals in avoiding and detecting fallacious reasoning in the arguments they develop and review. The taxonomy derives from a survey of general argument fallacies and a separate survey of fallacies in real-world safety arguments. Our taxonomy is specific to safety argumentation, and it is targeted at professionals who work with safety arguments but may lack formal training in logic or argumentation. We discuss the rationale for the selection and categorization of fallacies in the taxonomy. In addition to its applications to the development and review of safety cases, our taxonomy could also support the analysis of system failures and promote the development of more robust safety case patterns

Towards Understanding and Applying Security Assurance Cases for Automotive Systems

Security Assurance Cases (SAC) are structured bodies of arguments and evidence used to reason about security properties of a certain artefact.SAC are gaining focus in the automotive domain as the need for security assurance is growing due to software becoming a main part of vehicles. Market demands for new services and products in the domain require connectivity, and hence, raise security concerns. Regulators and standardisation bodies started recently to require a structured for security assurance of products in the automotive domain, and automotive companies started, hence, to study ways to create and maintain these cases, as well as adopting them in their current way of working.In order to facilitate the adoption of SAC in the automotive domain, we created CASCADE, an approach for creating SAC which have integrated quality assurance and are compliant with the requirements of ISO/SAE-21434, the upcoming cybersecurity standard for automotive systems.CASCADE was created by conducting design science research study in two iterative cycles. The design decisions of CASCADE are based on insights from a qualitative research study which includes a workshop, a survey, and one-to-one interviews, done in collaboration with our industrial partners about the needs and drivers of work in SAC in industry, and a systematic literature review in which we identified gaps between the industrial needs and the state of the art.The evaluation of CASCADE was done with help of security experts from a large automotive OEM. It showed that CASCADE is suitable for integration in industrial product development processes. Additionally, our results show that the elements of CASCADE align well with respect to the way of working at the company, and has the potential to scale to cover the requirements and needs of the company with its large organization and complex products

Security Support in Continuous Deployment Pipeline

Continuous Deployment (CD) has emerged as a new practice in the software industry to continuously and automatically deploy software changes into production. Continuous Deployment Pipeline (CDP) supports CD practice by transferring the changes from the repository to production. Since most of the CDP components run in an environment that has several interfaces to the Internet, these components are vulnerable to various kinds of malicious attacks. This paper reports our work aimed at designing secure CDP by utilizing security tactics. We have demonstrated the effectiveness of five security tactics in designing a secure pipeline by conducting an experiment on two CDPs - one incorporates security tactics while the other does not. Both CDPs have been analyzed qualitatively and quantitatively. We used assurance cases with goal-structured notations for qualitative analysis. For quantitative analysis, we used penetration tools. Our findings indicate that the applied tactics improve the security of the major components (i.e., repository, continuous integration server, main server) of a CDP by controlling access to the components and establishing secure connections

Modeling And Applying Biomimetic Metaheuristics To Product Life Cycle Engineering

Due to its potential for significant impact, interest continues to grow in the assessment of products from a life cycle perspective. As the nature of products shifts from mechanized and Newtonian to more adaptive and complex, the behavior of products more closely resembles biological organisms in community. The change in product nature is increasingly mirrored at the component level. The work presented in this dissertation is twofold. First, the research proposes a general, systematic and holistic classification of life cycle data to transform the design problem into an optimization problem. Second, the research proposes two new metaheuristics (bio-inspired and socio-inspired) to solve optimization problems to produce grouped solutions that are efficient, evolvable and sustainable. The bio-inspired approach is schooling genetic algorithms (SGA), while the socio-inspired approach is referred to as genetic social networks (GSN). SGA is an approach that combines fish schooling concepts with genetic algorithms (GAs) to enable a dynamic search process. The application of GA operators is subject to the perception of the immediate local environment by clusters of candidate solutions behaving as schools of fish. GSN is an approach that adds social network concepts to GAs, implementing single and dyadic social interactions of social groups (clusters of similar candidate solutions) with GA operators. SGA and GSN both use phenotypic representations of a hypothetical product or system as input. The representations are derived from the proposed life cycle engineering (LCE) data classification. The outputs of either method are the representations that are more than likely to perform better, longer, and more autonomously within their environment during their life cycle. Both methods can also be used as a decision making tool. Both approaches were tested on product design problems with differing parametric relations, underlying solution space, and problem size