23 research outputs found

    Model-Based STPA: Enabling Safety Analysis Coverage Assessment with Formalization

    Urban Air Mobility introduces safety-related challenges for future avionics systems. The associated need for increased autonomy demands novel functions based on high-performance algorithms. To provide such functionality in future air vehicles of all sizes, the trend is towards centralized and powerful computing platforms. That turns avionics into a complex, integrated, and software-intensive aircraft system. Simultaneously, this increases the need for adapted safety analyses. The System-Theoretic Process Analysis (STPA) is a promising approach to analyze the safety of software-intensive systems. It enables consideration of interaction and specification issues in addition to component failures. However, even when using state-of-the-art analyses such as STPA, claiming the sufficiency of the safety analysis efforts is a challenging task for systems with ever-increasing complexity. To address this issue, this paper extends the coverage analysis concepts known from software development to safety analyses. This is achieved with failure graphs, i.e., formalized analysis summaries that can be created automatically during the safety analysis. Failure graphs have two advantages: they provide a visual indication of the analysis state and can be used to calculate various statistical metrics. Thereby, they improve the knowledge about the depth, breadth, and state of the safety analysis. Visual and statistical consideration complement each other to enhance the safety analysis coverage assessment for future avionic systems. To show all capabilities, the analysis of a flight assistance system serves as demonstrator.
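To make the idea of a failure graph with coverage metrics concrete, here is an added example; it is not the paper's tooling, and the graph layout (hazard <- unsafe control action <- loss scenario), the choice of "breadth" and "depth" as the two metrics, the validation rules in `add_uca`, and the flight-assistance-style hazards, control actions and scenario names are all assumptions made here. The four guide words for unsafe control actions are the standard STPA ones.

```python
"""Coverage metrics over a small STPA failure graph.

Added example, not the paper's tooling. The graph layout (hazard <- unsafe
control action <- loss scenario), the split into breadth and depth metrics, and
the flight-assistance-style sample data are assumptions made here.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# The four STPA guide words under which every control action is examined.
UCA_TYPES = ("not_provided", "provided", "wrong_timing", "wrong_duration")


@dataclass(frozen=True)
class UCA:
    """One analysed (control action, guide word) pair."""
    uid: str
    action: str
    uca_type: str
    hazards: FrozenSet[str]          # empty: analysed and judged not hazardous
    scenarios: Tuple[str, ...] = ()  # loss scenarios explaining how it occurs


class FailureGraph:
    """Formalized analysis summary: hazards, control actions, and the UCAs
    and loss scenarios recorded so far."""

    def __init__(self, hazards: List[str], actions: List[str]) -> None:
        self.hazards = set(hazards)
        self.actions = list(actions)
        self.ucas: Dict[str, UCA] = {}

    def add_uca(self, uca: UCA) -> None:
        # Reject entries that do not fit the model; this is what makes the
        # summary machine-checkable rather than free text.
        if uca.action not in self.actions:
            raise ValueError(f"unknown control action {uca.action!r}")
        if uca.uca_type not in UCA_TYPES:
            raise ValueError(f"unknown UCA type {uca.uca_type!r}")
        if not uca.hazards <= self.hazards:
            raise ValueError(f"UCA {uca.uid} links to undefined hazards")
        if uca.scenarios and not uca.hazards:
            raise ValueError(f"UCA {uca.uid} has scenarios but no hazard")
        self.ucas[uca.uid] = uca

    def gaps(self) -> List[Tuple[str, str]]:
        """(action, guide word) pairs nobody has looked at yet."""
        done = {(u.action, u.uca_type) for u in self.ucas.values()}
        return [(a, t) for a in self.actions for t in UCA_TYPES
                if (a, t) not in done]

    def breadth(self) -> float:
        """Share of (action, guide word) pairs that have been analysed."""
        total = len(self.actions) * len(UCA_TYPES)
        return 1.0 - len(self.gaps()) / total if total else 1.0

    def depth(self) -> float:
        """Share of hazardous UCAs backed by at least one loss scenario."""
        hazardous = [u for u in self.ucas.values() if u.hazards]
        if not hazardous:
            return 1.0
        return sum(1 for u in hazardous if u.scenarios) / len(hazardous)

    def hazard_coverage(self) -> float:
        """Share of hazards reached by at least one UCA."""
        linked = set().union(*(u.hazards for u in self.ucas.values()))
        return len(linked) / len(self.hazards) if self.hazards else 1.0

    def report(self) -> Dict[str, float]:
        return {"breadth": self.breadth(), "depth": self.depth(),
                "hazard_coverage": self.hazard_coverage()}


def build_demo_graph() -> FailureGraph:
    """Constructed sample: a partially completed STPA of two control actions."""
    g = FailureGraph(
        hazards=["H1_loss_of_separation", "H2_envelope_exceeded"],
        actions=["issue_avoidance_manoeuvre", "engage_envelope_protection"],
    )
    g.add_uca(UCA("U1", "issue_avoidance_manoeuvre", "not_provided",
                  frozenset({"H1_loss_of_separation"}), ("S1_track_dropped",)))
    g.add_uca(UCA("U2", "issue_avoidance_manoeuvre", "wrong_timing",
                  frozenset({"H1_loss_of_separation"})))  # no scenario yet
    g.add_uca(UCA("U3", "engage_envelope_protection", "not_provided",
                  frozenset({"H2_envelope_exceeded"}),
                  ("S2_stale_airspeed", "S3_mode_confusion")))
    g.add_uca(UCA("U4", "engage_envelope_protection", "provided",
                  frozenset()))  # analysed, judged not hazardous here
    return g


if __name__ == "__main__":
    demo = build_demo_graph()
    print(demo.report())   # breadth 0.5, depth 0.667, hazard_coverage 1.0
    print("unanalysed:", demo.gaps())
```

The two numbers answer different questions: breadth tells the reviewer how much of the control structure has been walked at all (here half of the action/guide-word pairs), depth tells how many of the identified unsafe control actions have actually been explained by a loss scenario (here two of three). A high breadth with low depth is the typical signature of an analysis that was started everywhere and finished nowhere, and `gaps()` lists exactly which pairs are still open.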

    Automatic Deployment of Embedded Real-time Software Systems to Hypervisor-managed Platforms

    The deterministic integration of concurrent functions on shared multicore platforms is a challenging yet important task. Especially in safety-critical environments, hypervisors can be used to achieve time and space partitioning, but their application alone is often insufficient to guarantee deterministic timing and data-flow behavior. Considering the growing complexity of modern embedded systems, for example in terms of functionality and mixed-criticality requirements, model-based approaches are a promising starting point to tackle this issue. In this work, we bridge the gap between a model-based behavior specification methodology based on the Logical Execution Time (LET) concept and target platforms running a commercially available bare-metal hypervisor. To this end, this paper describes a runtime environment that implements LET semantics at the level of hypervisor partitions and a tool-supported design methodology that deploys software to this runtime environment. From a behavior specification provided as a system model with annotated C code, the presented deployment tool generates binary images with guaranteed timing and data-flow behavior for the XtratuM hypervisor. The approach is finally validated by applying it to a Flight Assistance System (FAS) from the avionics domain.
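The property LET buys you, and the reason a hypervisor's time partitioning alone is not enough, is that the data a consumer sees must not depend on when within its window a producer physically finished. The following added simulation shows that; it is not the paper's runtime environment or deployment tool. The two-task set (an estimator with period 10 ticks, a controller with period 5), the "sensor follows time" environment, the two execution-delay profiles, and the simplification that inputs are sampled at release in both modes are assumptions made here.

```python
"""Discrete-time simulation of Logical Execution Time (LET) data flow versus
as-soon-as-possible (ASAP) data passing between two periodic tasks.

Added example, not the paper's runtime environment or deployment tool. The
task set, periods, the 'sensor follows time' environment and the delay
profiles are assumptions made here.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Task:
    name: str
    period: int                                     # activation period, ticks
    reads: List[str]                                # shared variables sampled
    fn: Callable[[Dict[str, int]], Dict[str, int]]  # inputs -> outputs


# Constructed task set: an estimator every 10 ticks, a controller every 5.
TASKS = [
    Task("estimate", 10, ["sensor"], lambda i: {"estimate": i["sensor"]}),
    Task("control", 5, ["estimate"], lambda i: {"cmd": 2 * i["estimate"]}),
]

# Two physical execution profiles: how many ticks after release an instance
# actually finishes. Both meet their deadlines (delay < period).
FAST = {"estimate": 2, "control": 1}
SLOW = {"estimate": 7, "control": 3}


def fixed(profile: Dict[str, int]) -> Callable[[Task, int], int]:
    return lambda task, release: profile[task.name]


def run(tasks: List[Task], horizon: int,
        delay: Callable[[Task, int], int], let: bool) -> List[int]:
    """Simulate ticks 0..horizon and return the 'estimate' value seen by
    each release of the control task.

    LET: inputs are sampled at release and outputs become visible exactly at
    the end of the period, whatever the physical finish time. ASAP: outputs
    become visible the moment the instance finishes. (Simplification: inputs
    are sampled at release in both modes.)
    """
    shared = {"sensor": 0, "estimate": 0, "cmd": 0}
    pending = []  # (visible_at, outputs)
    seen: List[int] = []
    for t in range(horizon + 1):
        shared["sensor"] = t  # environment: the sensed quantity follows time
        # 1. Publish outputs whose visibility time has come. At a LET period
        #    boundary this happens before the new instance samples its inputs.
        for visible_at, outs in pending:
            if visible_at == t:
                shared.update(outs)
        pending = [p for p in pending if p[0] != t]
        # 2. Release the instances due at t.
        for task in tasks:
            if t % task.period == 0:
                inputs = {k: shared[k] for k in task.reads}
                outs = task.fn(inputs)
                d = delay(task, t)
                if not 0 < d < task.period:
                    raise RuntimeError(f"{task.name} misses its deadline at {t}")
                pending.append((t + task.period if let else t + d, outs))
                if task.name == "control":
                    seen.append(inputs["estimate"])
    return seen


def compare(horizon: int = 30) -> Dict[str, List[int]]:
    """LET traces coincide across profiles; ASAP traces depend on timing."""
    return {
        "let_fast": run(TASKS, horizon, fixed(FAST), let=True),
        "let_slow": run(TASKS, horizon, fixed(SLOW), let=True),
        "asap_fast": run(TASKS, horizon, fixed(FAST), let=False),
        "asap_slow": run(TASKS, horizon, fixed(SLOW), let=False),
    }


if __name__ == "__main__":
    for name, trace in compare().items():
        print(f"{name:10s} {trace}")
```

Under LET the controller sees the same estimate sequence for both profiles, because the estimator's result is only made visible at the end of its 10-tick period; under ASAP the fast estimator's output reaches the controller one release earlier than the slow one's, so the control behaviour changes with scheduling jitter, exactly the non-determinism the runtime environment described above is meant to remove. The price is a one-period latency on every data path, and an instance that overruns its period cannot be published at all, which the simulation reports as a deadline miss.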

    Cybersecurity Engineering: Bridging the Security Gaps in Avionics Architectures and DO-326A/ED-202A

    Urban Air Mobility is envisioned as an on-demand, highly automated and autonomous air transportation modality. It requires the use of advanced sensing and data communication technologies to gather, process, and share flight-critical data. While this sharing of mixed-criticality data brings opportunities, it presents serious cybersecurity threats and, because of the cyber-physical nature of the airborne vehicles, safety risks if compromised. Therefore, the avionics system design approach of adhering to functional safety standards (DO-178C) alone is inadequate to protect mission-critical avionics functions from cyber-attacks. To approach this challenge, the DO-326A/ED-202A standard provides a baseline to effectively manage cybersecurity risks and to ensure the airworthiness of airborne systems. In this regard, this paper pursues holistic cybersecurity engineering and bridges the security gap by mapping the DO-326A/ED-202A system security risk assessment activities to the Threat Analysis and Risk Assessment (TARA) process. It introduces a Resilient Avionics Architecture as an experimental use case for Urban Air Mobility by applying the DO-326A/ED-202A guidelines. It also presents a comprehensive system security risk assessment of the use case and derives appropriate risk mitigation strategies. The presented work helps avionics system designers to identify, assess, protect against, and manage cybersecurity risks across the avionics system life cycle.

    Extending MBSE Processes in the Development of Safety-Critical System Architectures through the Use of Formal Methods

    No full text
    The complexity of safety-critical systems has always been growing, but especially so in the last two decades with the rise in the number of components, functions, and interactions. Traditional development processes accordingly face major challenges: they must guarantee the safety of these systems under increasing complexity and time pressure. This master's thesis presents a process that takes on this challenge by drawing on Model-Based Systems Engineering (MBSE), System-Theoretic Process Analysis (STPA) and formal methods. MBSE, which can be described as a multidisciplinary and integrative process for the systematic development of systems, serves as the foundation of the proposed development process. Aviation and automotive systems are safety-critical and depend on thorough safety considerations to obtain certification. While safety analyses are traditionally carried out by a separate team of safety engineers on the basis of documents, this thesis proposes an integration of the STPA safety analysis into the MBSE process, supported by formal methods. STPA is a promising safety analysis which, just like MBSE, is based on systems theory and can therefore be integrated well into an MBSE development. By formalizing STPA, some manual steps of the safety analysis can be automated. The Systems Modeling Language (SysML), which serves as the basis for the MBSE models, is a suitable candidate for this formalization owing to its semi-formal properties. Beyond the execution of the STPA itself, the resulting safety requirements can also be partially formalized and checked. For the formal verification of static safety requirements, this thesis recommends the Object Constraint Language (OCL), which is standardized for use in combination with SysML. For the verification of dynamic safety requirements, the use of formal languages based on temporal logics is proposed, which enable formal reasoning about temporal properties. In summary, this thesis presents a holistic process that integrates safety considerations with formal methods into an MBSE development and thereby makes it possible to manage the increase in system complexity.

    Evaluating System Architecture Safety in Early Phases of Development with MBSE and STPA

    No full text
    Emerging segments such as autonomous driving require new by-wire system architectures for steering and braking. These system architectures are highly safety-critical and not yet commonly used in the automotive industry. This results in challenges for traditional development approaches. One issue is that a well-thought-out architecture selection is already required in early phases of development. Within this paper, a concept is proposed to support the consideration of safety in this early architecture selection, using a safety trade-off concept. An early consideration of system architecture safety is achieved by applying a formalized System-Theoretic Process Analysis to a Systems Modeling Language model. This underlying system model was developed with a Model-Based Systems Engineering approach. Additionally, it is explained how classical safety considerations and safety principles can be integrated into this safety trade-off. Finally, the approach is demonstrated in an architecture comparison for a simplified Steer-by-Wire architecture. Results show that it is possible to find relevant safety requirements and use them to compare candidate solution architectures.

    Integrating Safety into MBSE Processes with Formal Methods

    No full text
    Emerging segments such as Urban Air Mobility require new safety-critical avionic systems. The complexity of these avionic systems has always been increasing, but even more rapidly in the last two decades in the form of the number of components, functions, and interactions. At the same time, development companies have to adhere to demanding time-to-market requirements. To cope with these challenges, agile development approaches are required that guarantee safety by construction. This paper presents an endeavor to tackle these challenges by holistic utilization of Model-Based Systems Engineering, System-Theoretic Process Analysis, and formal methods. The approach is demonstrated in a use case that analyzes a simplified Collision Avoidance System architecture. Results show that the presented approach is able to improve development by automating and validating error-prone tasks of the safety assessment.

    Model-Based STPA: Towards Agile Safety-Guided Design with Formalization

    No full text
    The competition for market entry in emerging segments such as Urban Air Mobility highlights the need for efficient and flexible development processes. This is accompanied by the trend towards software-intensive avionics systems due to the need for complex and computationally expensive algorithms. Considering the successful application of agile development in the software domain, one might conclude that the agile paradigm would be the perfect fit to address these issues. However, for highly safety-critical domains such as aviation, multiple conflicts with the agile paradigm exist. In particular, the constraint to follow rigorous and well-documented processes contradicts the ideas of agile. To bridge this gap, a comprehensive and well-documented, but still flexible, process is necessary. Accordingly, this paper proposes a first step towards such an agile safety-guided design by combining Model-Based Systems Engineering with the System-Theoretic Process Analysis. In particular, focus is placed on enabling an iterative safety-guided design by providing functionality to trace design changes to the corresponding safety artifacts. This automated functionality is enabled by a formalized execution of the safety analysis. At first glance, formalization sounds like a contradiction of the agile paradigm. However, we argue that formality and agility are not necessarily contradictory. Our theory is that moving the focus of formality from the human activities to the assisting functionality even increases overall agility. The iterative safety-guided design and the resulting identification of safety improvements are demonstrated with examples of a flight assistance system.

    Architectural Challenges in Developing an AI-based Collision Avoidance System

    No full text
    Emerging trends in Advanced Air Mobility (AAM) are pushing the boundaries of established design approaches and are forcing developers to find new ways to fulfill the need for more powerful, reliable and robust equipment for future software-defined aircraft functions. Of particular interest in achieving this is the field of Artificial Intelligence (AI) and its subset of Machine Learning (ML) algorithms. The use of AI/ML within the aviation industry, however, poses significant challenges, particularly connected to safety, reliability and certifiability. This paper is about OpenCAS, a collision avoidance system based on feed-forward neural networks. It reports hands-on experience and outlooks on systems engineering practice for ML model integration. The architectural design considerations are elaborated. Particular focus is placed on constraints imposed by the use of multiple networks within the system.