7 research outputs found

    Reasoning About the Reliability of Multi-version, Diverse Real-Time Systems

    This paper is concerned with the development of reliable real-time systems for use in high integrity applications. It advocates the use of diverse replicated channels, but does not require the dependencies between the channels to be evaluated. Rather it develops and extends the approach of Littlewood and Rushby (for general systems) by investigating a two-channel system in which one channel, A, is produced to a high level of reliability (i.e. has a very low failure rate), while the other, B, employs various forms of static analysis to sustain an argument that it is perfect (i.e. it will never miss a deadline). The first channel is fully functional; the second contains a more restricted computational model and contains only the critical computations. Potential dependencies between the channels (and their verification) are evaluated in terms of aleatory and epistemic uncertainty. At the aleatory level the events "A fails" and "B is imperfect" are independent. Moreover, unlike the general case, independence at the epistemic level is also proposed for common forms of implementation and analysis for real-time systems and their temporal requirements (deadlines). As a result, a systematic approach is advocated that can be applied in a real engineering context to produce highly reliable real-time systems, and to support numerical claims about the level of reliability achieved.

    Safety and security aware framework for the development of feedback control systems

    The need to address safety and security related aspects at an early stage of development of feedback control systems (FCS) has been identified as vital for the optimisation of the development process of military land systems. These systems often include network enabled capability (NEC), allowing the use of electronics architectures to integrate different sub-systems. However, this increased integration capability is associated with magnified safety risks and compromise from cyber attacks [4]. This paper discusses how the process of developing FCS for military land systems could benefit from the use of a framework that addresses safety and security issues at the system modelling level. The core part of the suggested framework consists of a Simulink model to be used by design engineers as a blueprint for the development of modular FCS that are expected to feature a modular architecture with dedicated sub-modules for the processing of data related to safety and security aspects. Since the FCS developed through the use of the framework features a modular architecture, the anticipated cost incurred in the design of the associated modular safety case is expected to be reduced, leading to an overall reduction of the cost of the re-certification process [1].

    Systematic approach furthering confirmation measures of safety critical automotive systems

    Different system elements are developed independently by diverse suppliers and teams before being integrated together into safety critical automotive systems, such as steering or braking systems, by a manufacturer. It must be guaranteed that, despite this independent development, the achievement of the safety requirements for the overall system can be demonstrated. The necessary agreements and the integration of the necessary safety information for the overall system generate higher extra costs. In order to reduce development time and cost, systematic reuse can be a solution to engineering the required artifacts. Reassessment represents an additional source of cost. Even small modifications of a system, or exchanging a component after it has been certified, necessitate a reassessment. The effort required for reassessment in many cases reaches the original effort of certification for the complete system or even exceeds it. To minimize the effort and cost of a reassessment, this paper introduces a theoretical foundation of a model-based engineering approach to reuse a safety case and change only the modified parts. This paper presents a reusability framework to support the distributed development environment together with the different composition scenarios with respect to ISO26262. A further benefit of this approach is that, for the development of variants in a product line, the safety assessment process can now be easily expressed and managed.

    A principles-based ethics assurance argument pattern for AI and autonomous systems

    An assurance case is a structured argument, typically produced by safety engineers, to communicate confidence that a critical or complex system, such as an aircraft, will be acceptably safe within its intended context. Assurance cases often inform third party approval of a system. One emerging proposition within the trustworthy AI and autonomous systems (AI/AS) research community is to use assurance cases to instil justified confidence that specific AI/AS will be ethically acceptable when operational in well-defined contexts. This paper substantially develops the proposition and makes it concrete. It brings together the assurance case methodology with a set of ethical principles to structure a principles-based ethics assurance argument pattern. The principles are justice, beneficence, non-maleficence, and respect for human autonomy, with the principle of transparency playing a supporting role. The argument pattern, shortened to the acronym PRAISE, is described. The objective of the proposed PRAISE argument pattern is to provide a reusable template for individual ethics assurance cases, by which engineers, developers, operators, or regulators could justify, communicate, or challenge a claim about the overall ethical acceptability of the use of a specific AI/AS in a given socio-technical context. We apply the pattern to the hypothetical use case of an autonomous 'robo-taxi' service in a city centre.

    Service-Oriented Architectures for Safety-Critical Systems

    Many organisations in the safety-critical domain are service-oriented, fundamentally centred on critical services provided by systems and operators. Increasingly, these services rely on software-intensive systems, e.g. medical health informatics and air traffic control, for improving the different aspects of industrial practice, e.g. enhancing efficiency through automation and safety through smart alarm systems. However, many services are categorised as high risk, and as such it is vital to analyse the ways in which the software-based systems can contribute to unintentional harm and potentially compromise safety. This thesis defines an approach to modelling and analysing Service-Oriented Architectures (SOAs) used in the safety-critical domain, with emphasis on identifying and classifying potential hazardous behaviour. The approach also provides a systematic and reusable basis for defining how the safety case for these SOAs can be developed in a modular manner. The approach is tool-supported and is evaluated through two case studies, from the healthcare and oil and gas domains, and industrial review.

    Towards Resilient Energy Systems!

    The aim of the project RESYSTRA (Resiliente Gestaltung der Energiesysteme, "Resilient Design of Energy Systems"), using the transformation options "EE-Methan-System" (renewable-energy methane system) and "Regionale Selbstversorgung" (regional self-sufficiency) as examples, was to develop a better understanding of the success factors of directed transformations of the energy system. These factors were presented within an extended model of innovation systems in the field of energy supply in Germany, with reference to specific actors and their possibilities of influence. http://www.resystra.de

    Architectural Considerations in the Certification of Modular Systems

    Modular system architectures, such as integrated modular avionics (IMA) in the aerospace sector, offer potential benefits of improved flexibility in function allocation, reduced development costs and improved maintainability. However, they require a new certification approach. The traditional approach to certification is to prepare monolithic safety cases as bespoke developments for a specific system in a fixed configuration. However, this nullifies the benefits of flexibility and reduced rework claimed of IMA-based systems and will necessitate the development of new safety cases for all possible (current and future) configurations of the architecture. This paper discusses a modular approach to safety case construction, whereby the safety case is partitioned into separable arguments of safety corresponding to the components of the system architecture. Such an approach relies upon properties of the IMA system architecture (such as segregation and location independence) having been established. The paper describes how such properties can be assessed to show that they are met, and how trade-offs can be performed during architecture definition by reusing information and techniques from the safety argument process.