24 research outputs found

    Assuring Safety and Security

    Large technological systems produce new capabilities that allow innovative solutions to social, engineering and environmental problems. This trend is especially important in the safety-critical systems (SCS) domain, where we simultaneously aim to do more with the systems whilst reducing the harm they might cause. Even with the increased uncertainty created by these opportunities, SCS still need to be assured against safety and security risk and, in many cases, certified before use. A large number of approaches and standards have emerged; however, there remain challenges related to technical risk, such as identifying inter-domain risk interactions, developing safety-security causal models, and understanding the impact of new risk information. In addition, there are socio-technical challenges that undermine technical risk activities and act as a barrier to co-assurance; these include insufficient processes for risk acceptance, unclear responsibilities, and a lack of legal, regulatory and organisational structure to support safety-security alignment. A new approach is required. The Safety-Security Assurance Framework (SSAF) is proposed here as a candidate solution. SSAF is based on the new paradigm of independent co-assurance, that is, keeping the disciplines separate but having synchronisation points where required information is exchanged. SSAF is comprised of three parts: the Conceptual Model defines the underlying philosophy, and the Technical Risk Model (TRM) and Socio-Technical Model (STM) consist of processes and models for the technical risk and socio-technical aspects of co-assurance. Findings from a partial evaluation of SSAF using case studies reveal that the approach has some utility in creating inter-domain relationship models and identifying socio-technical gaps for co-assurance.
    The original contribution to knowledge presented in this thesis is the novel approach to co-assurance that uses synchronisation points, an explicit representation of a technical risk argument that argues over interaction risks, and a confidence argument that explicitly considers co-assurance socio-technical factors.

    Automotive Intelligence Embedded in Electric Connected Autonomous and Shared Vehicles Technology for Sustainable Green Mobility

    The automotive sector digitalization accelerates the technology convergence of perception, computing processing, connectivity, propulsion, and data fusion for electric connected autonomous and shared (ECAS) vehicles. This brings cutting-edge computing paradigms with embedded cognitive capabilities into vehicle domains and data infrastructure to provide holistic intrinsic and extrinsic intelligence for new mobility applications. Digital technologies are a significant enabler in achieving the sustainability goals of the green transformation of the mobility and transportation sectors. Innovation occurs predominantly in ECAS vehicles’ architecture, operations, intelligent functions, and automotive digital infrastructure. The traditional ownership model is moving toward multimodal and shared mobility services. The ECAS vehicle’s technology allows for the development of virtual automotive functions that run on shared hardware platforms with data unlocking value, and for introducing new, shared computing-based automotive features. Vehicle automation, vehicle electrification and vehicle-to-everything (V2X) communication are facilitated by the convergence of artificial intelligence (AI), cellular/wireless connectivity, edge computing, the Internet of things (IoT), the Internet of intelligent things (IoIT), digital twins (DTs), virtual/augmented reality (VR/AR) and distributed ledger technologies (DLTs). Vehicles become more intelligent and connected, functioning as edge micro servers on wheels, powered by sensors/actuators, hardware (HW), software (SW) and smart virtual functions that are integrated into the digital infrastructure. Electrification, automation, connectivity, digitalization, decarbonization, decentralization, and standardization are the main drivers that unlock intelligent vehicles' potential for sustainable green mobility applications.
    ECAS vehicles act as autonomous agents using swarm intelligence to communicate and exchange information, either directly or indirectly, with each other and the infrastructure, accessing independent services such as energy, high-definition maps, routes, infrastructure information, traffic lights, tolls, parking (micropayments), and finding emergent/intelligent solutions. The article gives an overview of the advances in AI technologies and applications to realize intelligent functions and optimize vehicle performance, control, and decision-making for future ECAS vehicles to support the acceleration of deployment in various mobility scenarios. ECAS vehicles, systems, sub-systems, and components are subjected to stringent regulatory frameworks, which set rigorous requirements for autonomous vehicles. An in-depth assessment of existing standards, regulations, and laws, including a thorough gap analysis, is required. Global guidelines must be provided on how to fulfill the requirements. ECAS vehicle technology trustworthiness, including AI-based HW/SW and algorithms, is necessary for developing ECAS systems across the entire automotive ecosystem. The safety and transparency of AI-based technology and the explainability of the purpose, use, benefits, and limitations of AI systems are critical for fulfilling trustworthiness requirements. The article presents ECAS vehicles’ evolution toward domain controller, zonal vehicle, and federated vehicle/edge/cloud-centric architectures based on distributed intelligence at the vehicle and infrastructure levels, and the role of AI techniques and methods in implementing the different autonomous driving and optimization functions for sustainable green mobility.

    On Safe Usage of Shared Data in Safety-Critical Control Systems

    The concepts of Cyber-Physical Systems and Industry 4.0 predict that autonomous systems will integrate sources of shared data dynamically at their run-time. While this promises substantial increases in their performance, the openness of the required system architecture poses new challenges to the processes guaranteeing their safety. This thesis first motivates that these can be addressed only at run-time, before it derives and pursues two corresponding goals. Firstly, a model for describing the failure characteristics of shared data is presented. Secondly, this Generic Failure Model is built upon to define a run-time safety assessment methodology that enables analyzing dynamic system compositions integrating shared data with respect to the uncertainties expected at run-time. This analysis strategy, entitled Region of Safety, allows, in combination with the generic failure model, guaranteeing the safety of robots sharing position data for collision avoidance already at design-time, although the specific failure characteristics become available only at run-time.

    Contents:
    List of Acronyms
    List of Theorems
    List of Definitions
    List of Figures
    List of Tables
    1. Introduction – Safety in Future Smart Industries
        1.1. The Example of Smart Warehouses
        1.2. Functional Safety Standards
            1.2.1. Overview of Functional Safety Standards
            1.2.2. IEC 61508
        1.3. Scope of this Thesis
            1.3.1. Objectives
            1.3.2. Contributions
            1.3.3. Outline
        1.4. Related Publications by the Author
        1.5. Mathematical Notation
    2. State of the Art
        2.1. State of the Art in Run-Time Safety Assessment
            2.1.1. Approaches at the Functional Level
            2.1.2. Approaches at the Technical Level
            2.1.3. Conclusions
        2.2. State of the Art in Failure Modeling
            2.2.1. The Definition of (Sensor) Failure Model
            2.2.2. Interval-Based Failure Modeling
            2.2.3. Distribution-Based Failure Modeling
            2.2.4. Failure-Type-Based Failure Modeling
            2.2.5. Conclusions
        2.3. Conclusions from the State of the Art
    3. Generic Failure Model
        3.1. Defining the Generic Failure Model
            3.1.1. Time- and Value-Correlated Random Distribution
            3.1.2. A Failure Type’s Failure Amplitudes
            3.1.3. A Failure Type’s State Function
            3.1.4. Polynomial Representation of a Failure Type
            3.1.5. Discussion on the Fulfillment of the Predefined Criteria
        3.2. Converting a Generic Failure Model to an Interval
            3.2.1. Converting a Time- and Value-Correlated Random Distribution
            3.2.2. A Failure Type’s Interval
        3.3. Processing Chain for Generating Generic Failure Models
            3.3.1. Identifying Failure Types
            3.3.2. Parameterizing Failure Types
            3.3.3. Confidence Calculation
        3.4. Exemplary Application to Artificial Failure Characteristics
            3.4.1. Generating the Artificial Data Set – Manually Designing GFMs
            3.4.2. Identifying Failure Types
            3.4.3. Parameterizing Failure Types
            3.4.4. Confidence Calculation
            3.4.5. Comparison to State-of-the-Art Models
        3.5. Summary
    4. Region of Safety
        4.1. Explicitly Modeling Uncertainties for Dynamically Composed Systems
        4.2. Regions of Safety for Dynamically Composed Systems
            4.2.1. Estimating Regions of Attraction in Presence of Uncertainty
            4.2.2. Introducing the Concept of Region of Safety
            4.2.3. Discussion on the Fulfillment of the Predefined Criteria
        4.3. Evaluating the Concept of Region of Safety
            4.3.1. Defining the Scenario and Considered Uncertainties
            4.3.2. Designing a Control Lyapunov Function
            4.3.3. Determining an Appropriate Value for λc
            4.3.4. The Effect of Varying Sensor Failures on Regions of Safety
        4.4. Summary
    5. Evaluation and Integration
        5.1. Multi-Robot Collision Avoidance
            5.1.1. Assumptions
            5.1.2. Design of the Circle and Navigation Scenarios
            5.1.3. Kinematics
            5.1.4. Control Policy
            5.1.5. Intention Modeling by Model Uncertainty
            5.1.6. Fusing Regions of Safety of Multiple Stability Points
        5.2. Failure Modeling for Shared Data – A Marker Detection Failure Model
            5.2.1. Data Acquisition
            5.2.2. Failure Model Generation
            5.2.3. Evaluating the Quality of the Failure Model
        5.3. Safe Handling of Shared Data in a Collision Avoidance Strategy
            5.3.1. Configuration for Region of Safety Estimation
            5.3.2. Estimating Regions of Safety
            5.3.3. Evaluation Using the Circle Scenario
            5.3.4. Evaluation Using the Navigation Scenario
        5.4. Summary
    6. Conclusions and Future Work
        6.1. Summary
        6.2. Limitations and Future Work
            6.2.1. Limitations and Future Work on the Generic Failure Model
            6.2.2. Limitations and Future Work on Region of Safety
            6.2.3. Future Work on Safety in Dynamically Composed Systems
    Appendices
        A. Defining Factors of Risk According to IEC 61508
        B. Evaluation Results for the Identification Stage
        C. Overview of Failure Amplitudes of Marker Detection Results
    Bibliography

    Service-based Fault Tolerance for Cyber-Physical Systems: A Systems Engineering Approach

    Cyber-physical systems (CPSs) comprise networked computing units that monitor and control physical processes in feedback loops. CPSs have potential to change the ways people and computers interact with the physical world by enabling new ways to control and optimize systems through improved connectivity and computing capabilities. Compared to classical control theory, these systems involve greater unpredictability which may affect the stability and dynamics of the physical subsystems. Further uncertainty is introduced by the dynamic and open computing environments with rapidly changing connections and system configurations. However, due to interactions with the physical world, the dependable operation and tolerance of failures in both cyber and physical components are essential requirements for these systems.
    The problem of achieving dependable operations for open and networked control systems is approached using a systems engineering process to gain an understanding of the problem domain, since fault tolerance cannot be solved only as a software problem due to the nature of CPSs, which includes close coordination among hardware, software and physical objects. The research methodology consists of developing a concept design, implementing prototypes, and empirically testing the prototypes. Even though modularity has been acknowledged as a key element of fault tolerance, the fault tolerance of highly modular service-oriented architectures (SOAs) has been sparsely researched, especially in distributed real-time systems. This thesis proposes and implements an approach based on using loosely coupled real-time SOA to implement fault tolerance for a teleoperation system.
    Based on empirical experiments, modularity on a service level can be used to support fault tolerance (i.e., the isolation and recovery of faults). Fault recovery can be achieved for certain categories of faults (i.e., non-deterministic and aging-related) based on loose coupling and diverse operation modes. The proposed architecture also supports the straightforward integration of fault tolerance patterns, such as FAIL-SAFE, HEARTBEAT, ESCALATION and SERVICE MANAGER, which are used in the prototype systems to support dependability requirements. For service failures, systems rely on fail-safe behaviours, diverse modes of operation and fault escalation to backup services. Instead of using time-bounded reconfiguration, services operate in best-effort capabilities, providing resilience for the system. This enables, for example, on-the-fly service changes, smooth recoveries from service failures and adaptations to new computing environments, which are essential requirements for CPSs.
    The results are combined into a systems engineering approach to dependability, which includes an analysis of the role of safety-critical requirements for control system software architecture design, architectural design, a dependability-case development approach for CPSs and domain-specific fault taxonomies, which support dependability case development and system reliability analyses. Other contributions of this work include three new patterns for fault tolerance in CPSs: DATA-CENTRIC ARCHITECTURE, LET IT CRASH and SERVICE MANAGER. These are presented together with a pattern language that shows how they relate to other patterns available for the domain.

    Safety and Reliability - Safe Societies in a Changing World

    The contributions cover a wide range of methodologies and application areas for safety and reliability that contribute to safe societies in a changing world. These methodologies and applications include:
    - foundations of risk and reliability assessment and management
    - mathematical methods in reliability and safety
    - risk assessment
    - risk management
    - system reliability
    - uncertainty analysis
    - digitalization and big data
    - prognostics and system health management
    - occupational safety
    - accident and incident modeling
    - maintenance modeling and applications
    - simulation for safety and reliability analysis
    - dynamic risk and barrier management
    - organizational factors and safety culture
    - human factors and human reliability
    - resilience engineering
    - structural reliability
    - natural hazards
    - security
    - economic analysis in risk management

    Certifications of Critical Systems – The CECRIS Experience

    In recent years, a considerable amount of effort has been devoted, both in industry and academia, to the development, validation and verification of critical systems, i.e. those systems whose malfunctions or failures reach a critical level both in terms of risks to human life as well as having a large economic impact.
    Certifications of Critical Systems – The CECRIS Experience documents the main insights on Cost Effective Verification and Validation processes that were gained during work in the European Research Project CECRIS (acronym for Certification of Critical Systems). The objective of the research was to tackle the challenges of certification by focusing on those aspects that turn out to be more difficult/important for current and future critical systems industry: the effective use of methodologies, processes and tools.
    The CECRIS project took a step forward in the growing field of development, verification and validation and certification of critical systems. It focused on the more difficult/important aspects of critical system development, verification and validation and certification process. Starting from both the scientific and industrial state of the art methodologies for system development and the impact of their usage on the verification and validation and certification of critical systems, the project aimed at developing strategies and techniques supported by automatic or semi-automatic tools and methods for these activities, setting guidelines to support engineers during the planning of the verification and validation phases.

    Kommunikation und Bildverarbeitung in der Automation

    This open access conference volume contains the best contributions of the 11th annual colloquium "Kommunikation in der Automation" (KommA 2020) and the 7th annual colloquium "Bildverarbeitung in der Automation" (BVAu 2020). The colloquia took place on 28 and 29 October 2020 and were organised for the first time as a digital web event at the Innovation Campus Lemgo. The latest research results presented in the fields of industrial communication technology and image processing extend the current state of research and technology. The illustrative application examples from the automation domain contained in the contributions place the results in a direct application context.

    Cyber-Physical Threat Intelligence for Critical Infrastructures Security

    Modern critical infrastructures can be considered as large scale Cyber Physical Systems (CPS). Therefore, when designing, implementing, and operating systems for Critical Infrastructure Protection (CIP), the boundaries between physical security and cybersecurity are blurred. Emerging systems for Critical Infrastructures Security and Protection must therefore consider integrated approaches that emphasize the interplay between cybersecurity and physical security techniques. Hence, there is a need for a new type of integrated security intelligence, i.e., Cyber-Physical Threat Intelligence (CPTI). This book presents novel solutions for integrated Cyber-Physical Threat Intelligence for infrastructures in various sectors, such as Industrial Sites and Plants, Air Transport, Gas, Healthcare, and Finance. The solutions rely on novel methods and technologies, such as integrated modelling for cyber-physical systems, novel reliance indicators, and data driven approaches including BigData analytics and Artificial Intelligence (AI). Some of the presented approaches are sector-agnostic, i.e., applicable to different sectors with a fair customization effort. Nevertheless, the book also presents challenges peculiar to specific sectors and how they can be addressed. The presented solutions consider the European policy context for Security, Cyber security, and Critical Infrastructure protection, as laid out by the European Commission (EC) to support its Member States to protect and ensure the resilience of their critical infrastructures. Most of the co-authors and contributors are from European Research and Technology Organizations, as well as from European Critical Infrastructure Operators. Hence, the presented solutions respect the European approach to CIP, as reflected in the pillars of the European policy framework.
    The latter includes, for example, the Directive on security of network and information systems (NIS Directive), the Directive on protecting European Critical Infrastructures, the General Data Protection Regulation (GDPR), and the Cybersecurity Act Regulation. The sector specific solutions that are described in the book have been developed and validated in the scope of several European Commission (EC) co-funded projects on Critical Infrastructure Protection (CIP), which focus on the listed sectors. Overall, the book illustrates a rich set of systems, technologies, and applications that critical infrastructure operators could consult to shape their future strategies. It also provides a catalogue of CPTI case studies in different sectors, which could be useful for security consultants and practitioners as well.