Software Engineers' Information Seeking Behavior in Change Impact Analysis - An Interview Study

Software engineers working in large projects must navigate complex information landscapes. Change Impact Analysis (CIA) is a task that relies on engineers' successful information seeking in databases storing, e.g., source code, requirements, design descriptions, and test case specifications. Several previous approaches to support information seeking are task-specific, thus understanding engineers' seeking behavior in specific tasks is fundamental. We present an industrial case study on how engineers seek information in CIA, with a particular focus on traceability and development artifacts that are not source code. We show that engineers have different information seeking behavior, and that some do not consider traceability particularly useful when conducting CIA. Furthermore, we observe a tendency for engineers to prefer less rigid types of support rather than formal approaches, i.e., engineers value support that allows flexibility in how to practically conduct CIA. Finally, due to diverse information seeking behavior, we argue that future CIA support should embrace individual preferences to identify change impact by empowering several seeking alternatives, including searching, browsing, and tracing.Comment: Accepted for publication in the proceedings of the 25th International Conference on Program Comprehensio

Operational Data Framework for Safety Instrumented Systems : A Case Study in Functional Safety and Reliability

In various industries, companies are adopting functional safety measures to address safety concerns, adhere to standards, and manage complex systems. This research is focused on ensuring the reliable operation of Safety Instrumented Systems (SISs) by emphasizing the reliability data. The study examines methodologies for collecting data, classifying failures, mitigating risks, and complying with international safety standards. Through a case study in the energy and marine power industry, a theoretical framework is developed to utilize operational data for assessing SIS performance in the form of a new Engine Safety System (ESS). By complying with IEC standards 61508 and 61511 and incorporating the framework into the ESS's Functional Safety Management Plan, the research addresses key challenges such as data collection, failure analysis, and performance verification. The primary research questions involve determining the type of data to be collected and establishing guidelines for analysing and evaluating that data. A mixed method approach is chosen, with a greater emphasis on qualitative aspects due to the nature of interpreting standards and establishing procedures. The developed framework is presented using tables that outline the required data inputs for reporting actual demands, spurious trips, failures of other barriers, and SIS element failures. Failure report templates are provided, emphasizing the importance of identifying root causes and categorizing failures into Safe or Dangerous failures, as well as Undetected or Detected. The reliability assessment involves comparing actual performance data against the criteria defined in the Safety Integrity Requirements that have been established for the SIS, based on the outcome of the risk assessment. Different risk assessment techniques, such as Layer of Protection Analysis, Fault tree analysis, and risk matrices, are presented in this context, while key performance indicators like demand rates and failure rates are explored to highlight their role in verifying SIS performance. The established framework, designed for the ESS to execute safety functions at Safety Integrity Level 2, is versatile and can serve as a robust foundation for the development of future Functional Safety projects within the organisation and can be applied to other SISs with different Safety Integrity level targets. The study concludes by addressing challenges associated with reliability and various data sources, such as human error and lack of functional safety training, emphasizing the significance of comprehending functional safety when operating with data of SISs

Towards Standardisation Measures to Support the Security of Control and Real-Time Systems for Energy Critical Infrastructures

This report outlines the context for control and real time systems vulnerability in the energy sector, their role in energy critical infrastructures and their emerging vulnerabilities as they were put in light by some recent episodes. Then it provides a survey on the current efforts to set up reference frameworks addressing the broad issue of supervisory and control systems security. It discusses the role of standards and outlines the reference approaches in that respect. The current attitude of Europe towards the issue of control systems security is discussed and compared with the US situation, based on a stakeholder consultation, and gaps and challenges are outlined. A set of recommendations for policy measures to address the issue is given.JRC.DG.G.6-Security technology assessmen

Quarantine-mode based live patching for zero downtime safety-critical systems

150 p.En esta tesis se presenta una arquitectura y diseño de software, llamado Cetratus, que permite las actualizaciones en caliente en sistemas críticos, donde se efectúan actualizaciones dinámicas de los componentes de la aplicación. La característica principal es la ejecución y monitorización en modo cuarentena, donde la nueva versión del software es ejecutada y monitorizada hasta que se compruebe la confiabilidad de esta nueva versión. Esta característica también ofrece protección contra posibles fallos de software y actualización, así como la propagación de esos fallos a través del sistema. Para este propósito, se emplean técnicas de particionamiento. Aunque la actualización del software es iniciada por el usuario Updater, se necesita la ratificación del auditor para poder proceder y realizar la actualización dinámica. Estos usuarios son autenticados y registrados antes de continuar con la actualización. También se verifica la autenticidad e integridad del parche dinámico. Cetratus está alineado con las normativas de seguridad funcional y de ciber-seguridad industriales respecto a las actualizaciones de software.Se proporcionan dos casos de estudio. Por una parte, en el caso de uso de energía inteligente, se analiza una aplicación de gestión de energía eléctrica, compuesta por un sistema de gestión de energía (BEMS por sus siglas en ingles) y un servicio de optimización de energía en la nube (BEOS por sus siglas en ingles). El BEMS monitoriza y controla las instalaciones de energía eléctrica en un edificio residencial. Toda la información relacionada con la generación, consumo y ahorro es enviada al BEOS, que estima y optimiza el consumo general del edificio para reducir los costes y aumentar la eficiencia energética. En este caso de estudio se incorpora una nueva capa de ciberseguridad para aumentar la ciber-seguridad y privacidad de los datos de los clientes. Específicamente, se utiliza la criptografía homomorfica. Después de la actualización, todos los datos son enviados encriptados al BEOS.Por otro lado, se presenta un caso de estudio ferroviario. En este ejemplo se actualiza el componente Euroradio, que es la que habilita las comunicaciones entre el tren y el equipamiento instalado en las vías en el sistema de gestión de tráfico ferroviario en Europa (ERTMS por sus siglas en ingles). En el ejemplo se actualiza el algoritmo utilizado para el código de autenticación del mensaje (MAC por sus siglas en inglés) basado en el algoritmo de encriptación AES, debido a los fallos de seguridad del algoritmo actual

The challenges to the safety process when using Agile development models

Safety related systems are traditionally developed using traditional models like the V-model. Agile development models are now increasingly used, and the experiences with these models makes it tempting to also use Agile models when developing safety related systems. To do this, Agile development models need include a safety process that also are as agile as possible. However, introducing safety activities into an agile environment reintroduces limitations from traditional de-velopment. The challenge is to reduce these limitations, so that the benefits of Agile development can be utilized also when developing safety related systems, and still maintain the expected level of safety. The current thesis identifies and investigates some of the challenges to the safety process from IEC 61508 when using an Agile development process. The thesis starts by giving an overview of traditional development, Agile development and the safety process, before examining literature concerning Agile models used for developing safety related systems. To simplify the discussion, the safety process is grouped into three areas: safety analysis, safety assessment, and safety validation. Agile development is also divided into three groups: the incremental part, the iterative part, and main Agile practices not covered by the two first discussions. The discussion starts with examining all the incremental implications to each of the safety pro-cess groups. Then the iterative implications are discussed, and finally the implications of the re-maining practices are considered. The discussion is summarized by giving a suggestion for a more agile safety process, based on the Scrum model

Coding Guidelines and Undecidability

The C and C++ programming languages are widely used for the implementation of software in critical systems. They are complex languages with subtle features and peculiarities that might baffle even the more expert programmers. Hence, the general prescription of language subsetting, which occurs in most functional safety standards and amounts to only using a "safer" subset of the language, is particularly applicable to them. Coding guidelines are the preferred way of expressing language subsets. Some guidelines are formulated in terms of the programming language and its implementation only: in this case they are amenable to automatic checking. However, due to fundamental limitations of computing, some guidelines are undecidable, that is, they are based on program properties that no current and future algorithm can capture in all cases. The most mature and widespread coding standards, the MISRA ones, explicitly tag guidelines with undecidable or decidable. It turns out that this information is not of secondary nature and must be taken into account for a full understanding of what the guideline is asking for. As a matter of fact, undecidability is a common source of confusion affecting many users of coding standards and of the associated checking tools. In this paper, we recall the notions of decidability and undecidability in terms that are understandable to any C/C++ programmer. The paper includes a systematic study of all the undecidable MISRA C:2012 guidelines, discussing the reasons for the undecidability and its consequences. We pay particular attention to undecidable guidelines that have decidable approximations whose enforcement would not overly constrain the source code. We also discuss some coding guidelines for which compliance is hard, if not impossible, to prove, even beyond the issue of decidability.Comment: 12 pages, 5 figures, 1 tabl

Systems Engineering

The book "Systems Engineering: Practice and Theory" is a collection of articles written by developers and researches from all around the globe. Mostly they present methodologies for separate Systems Engineering processes; others consider issues of adjacent knowledge areas and sub-areas that significantly contribute to systems development, operation, and maintenance. Case studies include aircraft, spacecrafts, and space systems development, post-analysis of data collected during operation of large systems etc. Important issues related to "bottlenecks" of Systems Engineering, such as complexity, reliability, and safety of different kinds of systems, creation, operation and maintenance of services, system-human communication, and management tasks done during system projects are addressed in the collection. This book is for people who are interested in the modern state of the Systems Engineering knowledge area and for systems engineers involved in different activities of the area. Some articles may be a valuable source for university lecturers and students; most of case studies can be directly used in Systems Engineering courses as illustrative materials

Designing Functional Safety Systems: A Pattern Language Approach

Human beings, at least most of us, want to feel and be safe. This is one of the fundamental needs of an organism. However, several of the processes and machines used in current societies introduce hazards that could and can harm us causing unnecessary pain and financial losses. Still, our modern societies need these processes and machines to operate so we cannot really be without them. Fortunately, there are ways to reduce risks introduced by systems around us to a tolerable level.This thesis considers the design and development of safety-related systems and safetyrelated parts of control systems referred to as functional safety systems. These systems implement safety functions that reduce risks introduced by machines, processes, and other systems. That is, the functions affect the system under control so that the likelihood of occurrence or severity of consequences are reduced.The design and development of safety systems is typically regulated by laws and standards. This increases the cost of safety system development and therefore eventually also the product in which it is incorporated. However, from a manufacturer viewpoint, safety in all its forms is also a potential asset for the companies developing, producing, and selling the systems. An increase in efficiency to develop and design safety systems offers the potential for a larger margin or increased sales due to the reduced price.One way to support design and development efficiency is to apply good design methods and solutions in form of design patterns. In this thesis, a design pattern language for the development and design of functional safety systems is introduced. The purpose of the language is to support the designers in their task to design and implement safety functions in machines and processes. The language considers various aspects of the development and design of safety systems starting from the initial phases of hazard and risk analysis, followed by the selection of the hazard and risk reduction methods, and concluding with the hardware and software structure, functionality, and design principles considerations. Finally, a functional safety system may, and often does, co-exist and co-operate with a control system. Therefore, a part of the pattern language takes this aspect into account.To compile the design pattern language and the included patterns a design science research approach complemented with grounded theory approach is applied The data to identify the patterns is collected from literature, personal experience, interviews, and discussions with industry representatives and people engaged with the design or use of systems including safety systems or functionality. Like the patterns have evolved during the research, so has the approach to identify, document, and process the patterns

Human Machine Interaction

In this book, the reader will find a set of papers divided into two sections. The first section presents different proposals focused on the human-machine interaction development process. The second section is devoted to different aspects of interaction, with a special emphasis on the physical interaction