Model-Based STPA: Enabling Safety Analysis Coverage Assessment with Formalization
Urban Air Mobility introduces safety-related challenges for future avionics systems. The associated need for increased autonomy demands novel functions based on high-performance algorithms. To provide such functionality in future air vehicles of all sizes, the trend is towards centralized and powerful computing platforms. That turns avionics into a complex, integrated, and software-intensive aircraft system. Simultaneously, this increases the need for adapted safety analyses. The System-Theoretic Process Analysis (STPA) is a promising approach to analyze the safety of software-intensive systems. It enables consideration of interaction and specification issues in addition to component failures. However, even when using state-of-the-art analyses such as STPA, claiming the sufficiency of the safety analysis efforts is a challenging task for systems with ever-increasing complexity. To address this issue, this paper extends the coverage analysis concepts known from software development to safety analyses. This is achieved with the utilization of failure graphs, i.e., formalized analysis summaries that can be automatically created during the safety analysis. Failure graphs have two advantages: they provide the possibility for visual analysis state indication and can be used to calculate various statistical metrics. Thereby, they allow improving the knowledge about the depth, breadth, and state of the safety analysis. Both visual and statistical consideration complement each other to enhance the safety analysis coverage assessment for future avionic systems. To show all capabilities, the analysis of a flight assistance system serves as a demonstrator.
Automatic Deployment of Embedded Real-time Software Systems to Hypervisor-managed Platforms
The deterministic integration of concurrent functions on shared multicore platforms is a challenging yet important task. Especially in safety-critical environments, hypervisors can be used to achieve time and space partitioning, but their sole application is often insufficient to guarantee deterministic timing and data flow behavior. Considering the growing complexity of modern embedded systems, for example in terms of functionality and mixed-criticality requirements, model-based approaches are a promising starting point to tackle this issue. In this work, we bridge the gap between a model-based behavior specification methodology based on the Logical Execution Time (LET) concept and target platforms running a commercially available bare-metal hypervisor. Therefore, this paper describes a runtime environment that implements LET semantics at the level of hypervisor partitions and a tool-supported design methodology that deploys software to this runtime environment. From a behavior specification provided as a system model with annotated C code, the presented deployment tool generates binary images with guaranteed timing and data-flow behavior for the XtratuM hypervisor. The approach is finally validated by applying it to a Flight Assistance System (FAS) from the avionics domain.
Cybersecurity Engineering: Bridging the Security Gaps in Avionics Architectures and DO-326A/ED-202A
Urban Air Mobility is envisioned as an on-demand, highly automated and autonomous air transportation modality. It requires the use of advanced sensing and data communication technologies to gather, process, and share flight-critical data. While this sharing of mixed-criticality data brings opportunities, it also, if compromised, presents serious cybersecurity threats and safety risks due to the cyber-physical nature of the airborne vehicles. Therefore, the avionics system design approach of adhering to functional safety standards (DO-178C) alone is inadequate to protect the mission-critical avionics functions from cyber-attacks. To approach this challenge, the DO-326A/ED-202A standard provides a baseline to effectively manage cybersecurity risks and to ensure the airworthiness of airborne systems. In this regard, this paper pursues a holistic cybersecurity engineering approach and bridges the security gap by mapping the DO-326A/ED-202A system security risk assessment activities to the Threat Analysis and Risk Assessment process. It introduces a Resilient Avionics Architecture as an experimental use case for Urban Air Mobility by following the DO-326A/ED-202A standard guidelines. It also presents a comprehensive system security risk assessment of the use case and derives appropriate risk mitigation strategies. The presented work helps avionics system designers to identify, assess, protect, and manage the cybersecurity risks across the avionics system life cycle.
Extending MBSE Processes in the Development of Safety-Critical System Architectures through the Use of Formal Methods
The complexity of safety-critical systems has always been growing, but especially so in the last two decades with the increase in components, functions and interactions. Traditional development processes accordingly face major challenges. They must guarantee the safety of the systems under increasing complexity and time pressure. This master's thesis presents a process that takes on this challenge by drawing on Model Based System Engineering (MBSE), System Theoretic Process Analysis (STPA) and formal methods. MBSE, which can be described as a multi-disciplinary and integrative process for the systematic development of systems, serves as the basis for the proposed development process. Aviation and automotive systems are safety-critical and depend on extensive safety considerations in order to obtain certification. While safety analyses are traditionally carried out by a separate team of safety engineers on the basis of documents, this thesis proposes an integration of the STPA safety analysis into the MBSE process, supported by formal methods. STPA is a promising safety analysis which, just like MBSE, is based on systems theory and can accordingly be integrated well into an MBSE development. By formalizing STPA, some manual steps of the safety analysis can be automated. The Systems Modeling Language (SysML), which is used as the basis for the MBSE models, is a suitable candidate for formalization due to its semi-formal properties. Beyond the execution of the STPA, the resulting safety requirements can also be partially formalized and checked.
For the formal verification of static safety requirements, this thesis recommends the use of the Object Constraint Language (OCL), which can be used in a standardized way in combination with SysML. For the verification of dynamic safety requirements, the use of formal languages based on temporal logics is proposed, which enable formal reasoning about temporal properties. In summary, this thesis presents a holistic process that integrates safety considerations with formal methods into an MBSE development and thereby makes it possible to manage the increasing complexity of systems.
Evaluating System Architecture Safety in Early Phases of Development with MBSE and STPA
Emerging segments such as autonomous driving require new by-wire system architectures for steering and braking. These system architectures are highly safety-critical and currently not commonly used in the automotive industry. This results in challenges for traditional development approaches. One issue is that a well-thought-out architecture selection is already required in early phases of development. Within this paper, a concept is proposed to support the consideration of safety in this early architecture selection, using a safety trade-off concept. An early consideration of system architecture safety is achieved by utilization of a formalized System-Theoretic Process Analysis on a Systems Modeling Language model. This underlying system model was developed with a Model-based Systems Engineering approach. Additionally, it is explained how classical safety considerations and safety principles can be integrated into this safety trade-off. Finally, the approach is demonstrated in an architecture comparison for a simplified Steer-by-Wire architecture. Results show that it is possible to find relevant safety requirements and use them to compare solution architecture candidates.
Integrating Safety into MBSE Processes with Formal Methods
Emerging segments such as Urban Air Mobility require new safety-critical avionic systems. The complexity of these avionic systems has been continuously increasing, and even more rapidly in the last two decades, in the form of the number of components, functions, and interactions. At the same time, demanding time-to-market requirements have to be adhered to by development companies. To cope with these challenges, agile development approaches are required that guarantee safety-by-construction. This paper presents an endeavor to tackle these challenges by holistic utilization of Model-based Systems Engineering, System-Theoretic Process Analysis, and formal methods. The approach is demonstrated in a use case that analyzes a simplified Collision Avoidance System architecture. Results show that the presented approach is able to improve the development by automating and validating error-prone tasks of the safety assessment.
Model-Based STPA: Towards Agile Safety-Guided Design with Formalization
The competition for market entry in emerging segments such as Urban Air Mobility highlights the need for efficient and flexible development processes. This is accompanied by the trend towards software-intensive avionics systems due to the requirement for complex and computationally expensive algorithms. Considering the successful application of agile development in the software domain, one might conclude that the agile paradigm would be the perfect fit to address these issues. However, for highly safety-critical domains such as aviation, multiple conflicts with the agile paradigm exist. Especially the constraint to follow rigorous and well-documented processes contradicts the ideas of agile. To bridge this gap, a comprehensive and well-documented, but still flexible process is necessary. Accordingly, this paper proposes a first step towards such an agile safety-guided design by combining Model-Based Systems Engineering with the System-Theoretic Process Analysis. In particular, focus is placed on enabling an iterative safety-guided design by providing functionality to trace design changes to the corresponding safety artifacts. This automated functionality is enabled by a formalized execution of the safety analysis. At first glance, formalization sounds like a contradiction to the agile paradigm. However, we argue that formality and agility are not necessarily contradicting each other. Our theory is that moving the focus of formality from the human activities to the assisting functionality even increases overall agility. The iterative safety-guided design and the resulting identification of safety improvements are demonstrated with examples of a flight assistance system.
Architectural Challenges in Developing an AI-based Collision Avoidance System
Emerging trends in Advanced Air Mobility (AAM) are pushing the boundaries of the established design approaches and are forcing developers to find new ways to fulfill the need for more powerful, reliable and robust equipment for future software-defined aircraft functions. Of particular interest in achieving this is the field of Artificial Intelligence (AI) and its subset of Machine Learning (ML) algorithms. The use of AI/ML within the aviation industry, however, poses significant challenges, particularly connected to safety, reliability and certifiability. This paper is about OpenCAS, a collision avoidance system based on Feed-Forward Neural Networks. It reports hands-on experience and outlooks on systems engineering practice for ML model integration. The architectural design considerations are elaborated. Particular focus is laid on constraints imposed by the use of multiple networks within the system.