Alexandre Esper, Geoffrey Nelissen, Vincent Nélis, Eduardo Tovar
|
|
- Barry McKenzie
- 5 years ago
- Views:
Transcription
1 Alexandre Esper, Geoffrey Nelissen, Vincent Nélis, Eduardo Tovar
2 Current status MC model gradually gaining in sophistication
3 Current status MC model gradually gaining in sophistication Issue Safety-related standards not freely accessible many academic works are building on top of previous models and claims
4 Current status MC model gradually gaining in sophistication Issue Safety-related standards not freely accessible many academic works are building on top of previous models and claims Risk Facilitates the propagation of misconceptions and drift from actual standards requirements
5 Current status MC model gradually gaining in sophistication Issue Safety-related standards not freely accessible many academic works are building on top of previous models and claims Risk Facilitates the propagation of misconceptions and drift from actual standards requirements Contribution Elaborate on misinterpretations and discuss motivating arguments for future work
6 Safety-Critical Systems Aeronautics Railway Automotive Space Industry
7 Safety-Critical Systems Aeronautics Safety-Critical Systems Development Process System Development Process HW Railway Specs. Integ.+ Test Automotive Space SW + Development Assurance Process Industry Safety Analyses + Reliability, Availability, Maintainability Analyses
8 Safety-Critical Systems Aeronautics Safety-Critical Systems Development Process System Development Process System Operation Railway Automotive Space Specs. HW SW + Integ.+ Test Development Assurance Process Certification Process Certification Authority Industry Safety Analyses + Reliability, Availability, Maintainability Analyses
9 Safety-Critical Systems Aeronautics Safety-Critical Systems Development Process System Development Process System Operation Railway Automotive Space Specs. HW SW + Integ.+ Test Development Assurance Process Certification Process Certification Authority Industry Safety Analyses + Reliability, Availability, Maintainability Analyses Redesign
10 System Safety Assessment Process Hazard Analysis Fault Analysis Criticality Category Assignment Criticality Category A B C D E Failure Condition Severity Classification Catastrophic Hazardous Major Minor No Safety Effect
11 System Safety Assessment Process Hazard Analysis Fault Analysis Criticality Category Assignment Initial criticality assignment Criticality Category A B C D E Failure Condition Severity Classification Catastrophic Hazardous Major Minor No Safety Effect
12 System Safety Assessment Process Hazard Analysis Fault Analysis Criticality Category Assignment Initial criticality assignment Criticality Category A B C D E Failure Condition Severity Classification Catastrophic Hazardous Major Minor No Safety Effect Final criticality assignment considering compensating provisions
13 Industry Automotive ISO Road vehicles Functional safety IEC Functional safety of E/E/PE safetyrelated systems IEC Functional safety Safety instrumented systems for the process industry sector Development Assurance Safety Standards IEC Safety of machinery Functional safety of electrical, electronic and programmable electronic control systems Aeronautics ARP 4761 Guidelines and Methods for Conducting the Safety Assessment Process on Civil Airborne Systems and Equipment ARP 4754 Certification Considerations for Highly-Integrated or Complex Aircraft Systems DO-178B/C Software Considerations in Airborne Systems and Equipment Certification DO-254 Design Assurance Guidance for Airborne Electronic Hardware Railway Space EN Railway applications Specification and demonstration of reliability, availability, maintainability and safety EN Railway applications Communication, signalling and processing systems Software for railway control and protection systems EN Railway applications Communication, signalling and processing systems Safety related electronic systems for signalling ECSS series Processes for project management, engineering and product assurance in space projects and applications NASA-STD B Software Safety Standard NASA Technical Standard
14 Response timing and memory constraints Performance Modelling Partitioning IEC61508 (General E/E/PE) DO-178C (aeronautics) ISO26262 (automotive) Diverse Monitor Dynamic Reconfiguration Resources Sharing Graceful Degradation
15 Response timing and memory constraints Performance Modelling Partitioning IEC61508 (General E/E/PE) DO-178C (aeronautics) ISO26262 (automotive) Diverse Monitor Dynamic Reconfiguration Resources Sharing Graceful Degradation
16 Safety-related Industrial Standards but specify stringent safety requirements Additional challenges No explicit MCS requirements isolation and independence between applications. Multicore + Shared Resources
17 Safety-related Industrial Standards but specify stringent safety requirements Additional challenges No explicit MCS requirements isolation and independence between applications. Multicore + Shared Resources
18 Most MCS works are Based on the Vestal Model: Several modes of execution (1, 2,..., L) tasks period, deadline, WCET and an assurance level System running in mode k Budget of a task is overshot System switches to mode k + 1 All the tasks of criticality not greater than k are suspended (potentially reactivated)
19 Safety-related Industrial Standards Academic Publications Function Used at system level System functionality (HW + SW) Used like a pure SW function E.g.: C function or real-time task
20 Safety-related Industrial Standards Academic Publications System Criticality Level of assurance (e.g. DAL, SIL,...) Safety functions Based on Vestal Modes of execution E.g. high and low criticality
21 Safety-related Industrial Standards Academic Publications Although not fundamentally wrong, it creates confusion in the context of industrial MCS leads the two communities to misunderstand each others work
22 Function 1 Function 2 Severity: Car unusable Probability: Probable Controllability: Driver can keep the car on the road Severity: Car unusable Probability: Probable Controllability: Uncontrollable
23 Function 1 Function 2 Severity: Car unusable Probability: Probable Controllability: Driver can keep the car on the road Both are important! Severity: Car unusable Probability: Probable Controllability: Uncontrollable
24 Function 1 Function 2 Severity: Car unusable Probability: Probable Controllability: Driver can keep the car on the road Severity: Car unusable Probability: Probable Controllability: Uncontrollable But ASIL = Severity + Probability + Controllability
25 Function 1 Function 2 ASIL C Severity: Car unusable Probability: Probable Controllability: Driver can keep the car on the road Severity: Car unusable Probability: Probable Controllability: Uncontrollable But ASIL = Severity + Probability + Controllability
26 Function 1 Function 2 ASIL C Severity: Car unusable Probability: Probable Controllability: Driver can keep the car on the road Severity: Car unusable Probability: Probable Controllability: Uncontrollable ASIL D But ASIL = Severity + Probability + Controllability
27 Function 1 Function 2 ASIL C Severity: Car unusable Probability: Probable Controllability: Driver can keep the car on the road Severity: Car unusable Probability: Probable Controllability: Uncontrollable ASIL D
28 Example from IEC61508 System Control Error and Event Logging Sends Data HW A HW B
29 Example from IEC61508 Highest criticality System Control Error and Event Logging Sends Data HW A HW B
30 Example from IEC61508 Inherits criticality Highest criticality System Control Error and Event Logging Highest criticality Sends Data HW A HW B
31 Example from IEC61508 Highest criticality System Control Error and Event Logging Highest criticality Hardware failure Sends Data HW A HW B
32 Example from IEC61508 Highest criticality System Control Error and Event Logging Highest criticality Hardware failure HW A HW B
33 Example from IEC61508 Highest criticality System Control Error and Event Logging Highest criticality Hardware failure HW A HW B
34 Vestal s model: High and low criticality tasks run on the same processor and scheduler LC task HC task Processor A
35 Vestal s model: High and low criticality tasks run on the same processor and scheduler Industrial perspective FMEA analysis Failure mode: Period change of external event LC task HC task Processor A
36 Vestal s model: High and low criticality tasks run on the same processor and scheduler Industrial perspective FMEA analysis Failure mode: Period change of external event LC task HC task Local Effect: Change of LC task period Processor A
37 Vestal s model: High and low criticality tasks run on the same processor and scheduler Industrial perspective FMEA analysis Failure mode: Period change of external event LC task HC task Local Effect: Change of LC task period Processor A
38 Vestal s model: High and low criticality tasks run on the same processor and scheduler Industrial perspective FMEA analysis Failure mode: Period change of external event LC task HC task End Effect: HC task misses deadline Local Effect: Change of LC task period Processor A
39 Vestal s model: High and low criticality tasks run on the same processor and scheduler Industrial perspective FMEA analysis Failure mode: Period change of external event HC task Inherits criticality HC task End Effect: HC task misses deadline Local Effect: Change of LC task period Processor A
40 Vestal s model: High and low criticality tasks run on the same processor and scheduler Industrial perspective FMEA analysis Failure mode: Period change of external event HC task Criticality propagates HC task End Effect: HC task misses deadline Local Effect: Change of LC task period Processor A
41 Vestal s model: High and low criticality tasks run on the same processor and scheduler Will never be able to convice a certification authority that the tasks are isolated in time The cost of the system would increase exponentially We miss the initial goal of integrating a mixed-criticality system in the same platform to decrease costs
42 Vestal s model & Derivatives: Assumption: Higher degree of assurance of a task more pessimistic WCET estimation WCET upperbound necessary but not sufficient condition to ensure safety
43 Vestal s model & Derivatives: Assumption: Higher degree of assurance of a task more pessimistic WCET estimation WCET upperbound necessary but not sufficient condition to ensure safety Safety- Standards Requires mechanisms to ensure that safety is not compromised in case of timing violation E.g. time partitioning
44 Probabilistic WCET - Provides a probabilistic upper-bound on the execution time - Aims at building a reliability model of the software
45 Probabilistic WCET - Provides a probabilistic upper-bound on the execution time - Aims at building a reliability model of the software Safety- Standards Software reliability models: Still under debate Confidence cannot be placed in such models
46 Probabilistic WCET - Provides a probabilistic upper-bound on the execution time - Aims at building a reliability model of the software Safety- Standards Software reliability models: Still under debate Confidence cannot be placed in such models Important research direction But cannot assume that they will ever be used in industrial systems to prove software safety
47 Probabilistic WCET - Provides a probabilistic upper-bound on the execution time - Aims at building a reliability model of the software Safety- Standards Software reliability models: Still under debate Confidence cannot be placed in such models Important research direction But cannot assume that they will ever be used in industrial systems to prove software safety Need to work on the safety argumentation
48 Probabilistic WCET - Provides a probabilistic upper-bound on the execution time - Aimed at building a reliability model of the software
49 Probabilistic WCET - Provides a probabilistic upper-bound on the execution time - Aimed at building a reliability model of the software Certification Authority Typical question: would you fly an airplane designed with probabilistic software reliability models?
50 Probabilistic WCET - Provides a probabilistic upper-bound on the execution time - Aimed at building a reliability model of the software Certification Authority Typical question: would you fly an airplane designed with probabilistic software reliability models?
51 Clear gap between some of the guidelines provided in safety-related standards and their interpretation by the academic community Misalignment of terminology leads to misunderstanding of each other s work Confusion between the notions of criticality and importance Ensuring safety in terms of timing isolation goes beyond accurate WCET estimates Probabilistic WCET estimates: in case that direction is followed need to work on the argumentation
52
Riccardo Mariani, Intel Fellow, IOTG SEG, Chief Functional Safety Technologist
Riccardo Mariani, Intel Fellow, IOTG SEG, Chief Functional Safety Technologist Internet of Things Group 2 Internet of Things Group 3 Autonomous systems: computing platform Intelligent eyes Vision. Intelligent
More informationNew ARMv8-R technology for real-time control in safetyrelated
New ARMv8-R technology for real-time control in safetyrelated applications James Scobie Product manager ARM Technical Symposium China: Automotive, Industrial & Functional Safety October 31 st 2016 November
More informationStatic Analysis of Embedded Systems
Static Analysis of Embedded Systems Xavier RIVAL rival@di.ens.fr Outline Case study Certification of embedded softwares Demo Static Analysisof Embedded Systems p.2/12 Ariane 5 Flight 501 Ariane 5: sattelite
More informationFunctional Safety and Safety Standards: Challenges and Comparison of Solutions AA309
June 25th, 2007 Functional Safety and Safety Standards: Challenges and Comparison of Solutions AA309 Christopher Temple Automotive Systems Technology Manager Overview Functional Safety Basics Functional
More informationWhat functional safety module designers need from IC developers
What functional safety module designers need from IC developers Embedded Platforms Conference Microcontrollers and Peripherals Nov 9 th 2016 14:50 15:30 TOM MEANY Introduction This presentation gives a
More informationAUTOBEST: A microkernel-based system (not only) for automotive applications. Marc Bommert, Alexander Züpke, Robert Kaiser.
AUTOBEST: A microkernel-based system (not only) for automotive applications Marc Bommert, Alexander Züpke, Robert Kaiser vorname.name@hs-rm.de Outline Motivation AUTOSAR ARINC 653 AUTOBEST Architecture
More informationOverview of Potential Software solutions making multi-core processors predictable for Avionics real-time applications
Overview of Potential Software solutions making multi-core processors predictable for Avionics real-time applications Marc Gatti, Thales Avionics Sylvain Girbal, Xavier Jean, Daniel Gracia Pérez, Jimmy
More informationMixed Criticality Scheduling in Time-Triggered Legacy Systems
Mixed Criticality Scheduling in Time-Triggered Legacy Systems Jens Theis and Gerhard Fohler Technische Universität Kaiserslautern, Germany Email: {jtheis,fohler}@eit.uni-kl.de Abstract Research on mixed
More informationISO Functional Safety Management in the Autonomous Car industry and the overview of the required safety lifecycle.
ISO 26262 Functional Safety Management in the Autonomous Car industry and the overview of the required safety lifecycle TÜV SÜD America PSES San Diego Chapter Meeting Sep. 12, 2017 TÜV SÜD AG Slide 1 Functional
More informationA Model-based, Single-Source approach to Design-Space Exploration and Synthesis of Mixed-Criticality Systems
A Model-based, Single-Source approach to Design-Space Exploration and Synthesis of Mixed-Criticality Systems Reusability Optimization Architectural Mapping Schedulablity Analysis SW Synthesis Simulation
More informationStackAnalyzer Proving the Absence of Stack Overflows
StackAnalyzer Proving the Absence of Stack Overflows AbsInt GmbH 2012 2 Functional Safety Demonstration of functional correctness Well-defined criteria Automated and/or model-based testing Formal techniques:
More informationAutomotive Functional Safety
Automotive Functional Safety Complexity, Confidence, Compliance, Certification Farmington, 2018-03-22 23.03.2018 150 years TÜV SÜD 150 years of inspiring trust Inspiring trust since 1866 The year 2016
More informationBUILDING FUNCTIONAL SAFETY PRODUCTS WITH WIND RIVER VXWORKS RTOS
BUILDING FUNCTIONAL SAFETY PRODUCTS WITH WIND RIVER VXWORKS RTOS Alex Wilson Director, Market Development 2017 WIND RIVER. ALL RIGHTS RESERVED. For over 30 years, Wind River has helped the world's technology
More informationA Model-Based Reference Workflow for the Development of Safety-Related Software
A Model-Based Reference Workflow for the Development of Safety-Related Software 2010-01-2338 Published 10/19/2010 Michael Beine dspace GmbH Dirk Fleischer dspace Inc. Copyright 2010 SAE International ABSTRACT
More informationWHITE PAPER. 10 Reasons to Use Static Analysis for Embedded Software Development
WHITE PAPER 10 Reasons to Use Static Analysis for Embedded Software Development Overview Software is in everything. And in many embedded systems like flight control, medical devices, and powertrains, quality
More informationProduction Code Generation and Verification for Industry Standards Sang-Ho Yoon Senior Application Engineer
Production Code Generation and Verification for Industry Standards Sang-Ho Yoon Senior Application Engineer 2012 The MathWorks, Inc. 1 High-Integrity Applications Often Require Certification Software-based
More informationFormal Methods and their role in Software and System Development. Riccardo Sisto, Politecnico di Torino
Formal Methods and their role in Software and System Development Riccardo Sisto, Politecnico di Torino What are Formal Methods? Rigorous (mathematical) methods for modelling and analysing (computer-based)
More informationError Detection by Code Coverage Analysis without Instrumenting the Code
Error Detection by Code Coverage Analysis without Instrumenting the Code Erol Simsek, isystem AG Exhaustive testing to detect software errors constantly demands more time within development cycles. Software
More informationRequest for Proposal To develop and teach a Training Course on RTCA Airworthiness Security Documents (DO-326A, DO-355, and DO-356A)
Washington, DC August 28, 2018 Request for Proposal To develop and teach a Training Course on RTCA Airworthiness Security Documents (DO-326A, DO-355, and DO-356A) 1. RTCA Background RTCA is a private,
More informationIndustrial Embedded Systems - Design for Harsh Environment - Dr. Alexander Walsch
Industrial Embedded Systems - Design for Harsh Environment - Dr. Alexander Walsch alexander.walsch@ge.com WS 2011/12 Technical University Munich (TUM) Introduction - Our Backgrounds O&G Energy Sensor systems
More informationFault-Injection testing and code coverage measurement using Virtual Prototypes on the context of the ISO standard
Fault-Injection testing and code coverage measurement using Virtual Prototypes on the context of the ISO 26262 standard NMI Automotive Electronics Systems 2013 Event Victor Reyes Technical Marketing System
More informationPart 5. Verification and Validation
Software Engineering Part 5. Verification and Validation - Verification and Validation - Software Testing Ver. 1.7 This lecture note is based on materials from Ian Sommerville 2006. Anyone can use this
More informationSeven Roadblocks to 100% Structural Coverage (and how to avoid them)
Seven Roadblocks to 100% Structural Coverage (and how to avoid them) White Paper Structural coverage analysis (SCA also referred to as code coverage) is an important component of critical systems development.
More informationTCL. ASIL Level. Software. Automotive ISO Tool-Qualification. Safety Manual. Software for Safety-Related Automotive Systems
Best Practice Guideline Software for Safety-Related Automotive Systems ISO 26262 Tool-Qualification Requirements TCL Tool Confidence Level Safety Manual ASIL Level Functional Safety Analysis & Classification
More informationVerification and Validation of High-Integrity Systems
Verification and Validation of High-Integrity Systems Chethan CU, MathWorks Vaishnavi HR, MathWorks 2015 The MathWorks, Inc. 1 Growing Complexity of Embedded Systems Emergency Braking Body Control Module
More informationClick ISO to edit Master title style Update on development of the standard
Click ISO 26262 to edit Master title style Update on development of the standard Dr David Ward Head of Functional Safety January 2016 Agenda Why update ISO 26262? What is the process for updating the standard?
More informationSafety and Security for Automotive using Microkernel Technology
Informationstag "Das Automobil als IT-Sicherheitsfall" Berlin, 11.05.2012 Safety and Security for Automotive using Microkernel Technology Dr.-Ing. Matthias Gerlach OpenSynergy TwoBirds withonestone Safety
More informationDeriving safety requirements according to ISO for complex systems: How to avoid getting lost?
Deriving safety requirements according to ISO 26262 for complex systems: How to avoid getting lost? Thomas Frese, Ford-Werke GmbH, Köln; Denis Hatebur, ITESYS GmbH, Dortmund; Hans-Jörg Aryus, SystemA GmbH,
More informationCONTENTION IN MULTICORE HARDWARE SHARED RESOURCES: UNDERSTANDING OF THE STATE OF THE ART
CONTENTION IN MULTICORE HARDWARE SHARED RESOURCES: UNDERSTANDING OF THE STATE OF THE ART Gabriel Fernandez 1, Jaume Abella 2, Eduardo Quiñones 2, Christine Rochange 3, Tullio Vardanega 4 and Francisco
More informationCertification Authorities Software Team (CAST) Position Paper CAST-25
Certification Authorities Software Team (CAST) Position Paper CAST-25 CONSIDERATIONS WHEN USING A QUALIFIABLE DEVELOPMENT ENVIRONMENT (QDE) IN CERTIFICATION PROJECTS COMPLETED SEPTEMBER 2005 (Rev 0) NOTE:
More informationIBM Rational Rhapsody
IBM Rational Rhapsody IBM Rational Rhapsody TestConductor Add On Qualification Kit for DO-178B/C Overview Version 1.9 License Agreement No part of this publication may be reproduced, transmitted, stored
More informationSoftware architecture in ASPICE and Even-André Karlsson
Software architecture in ASPICE and 26262 Even-André Karlsson Agenda Overall comparison (3 min) Why is the architecture documentation difficult? (2 min) ASPICE requirements (8 min) 26262 requirements (12
More informationApplying Human Factors to Medical Device Design
Applying Human Factors to Medical Device Design Standards and Guidelines MEDEC 2016 Tim Reeves, PhD CHFP About Tim Reeves Founder and Managing Director of Human Factors MD Inc. Ten- person human factors
More informationIs This What the Future Will Look Like?
Is This What the Future Will Look Like? Implementing fault tolerant system architectures with AUTOSAR basic software Highly automated driving adds new requirements to existing safety concepts. It is no
More informationautomatisiertensoftwaretests
FunktionaleSicherheitmit automatisiertensoftwaretests SOFTWARE CONSIDERATIONS IN AIRBORNE SYSTEMS AND EQUIPMENT CERTIFICAION RTCA DO-178B RTCA Dynamisch& Statisch 0 Agenda Übersicht über Sicherheitsstandards
More informationAutomatic Decomposition and Allocation of Safety Integrity Level Using System of Linear Equations
Automatic Decomposition and Allocation of Safety Integrity Level Using System of Linear Equations Mohamed Slim Dhouibi, Jean-Marc Perquis Valeo Etudes Electroniques Creteil, France Email: {slim.dhouibi,
More informationREDUCING CERTIFICATION GRANULARITY TO INCREASE ADAPTABILITY OF AVIONICS SOFTWARE
REDUCING CERTIFICATION GRANULARITY TO INCREASE ADAPTABILITY OF AVIONICS SOFTWARE Martin Rayrole, David Faura, Marc Gatti, Thales Avionics, Meudon la Forêt, France Abstract A strong certification process
More informationTowards an industrial use of FLUCTUAT on safety-critical avionics software
Towards an industrial use of FLUCTUAT on safety-critical avionics software David Delmas 1, Eric Goubault 2, Sylvie Putot 2, Jean Souyris 1, Karim Tekkal 3 and Franck Védrine 2 1. Airbus Operations S.A.S.,
More informationAutomating Best Practices to Improve Design Quality
Automating Best Practices to Improve Design Quality Adam Whitmill, Senior Application Engineer 2015 The MathWorks, Inc. 1 Growing Complexity of Embedded Systems Emergency Braking Body Control Module Voice
More informationAUTOMATIC FUNCTIONALITY ASSIGNMENT TO AUTOSAR MULTICORE DISTRIBUTED ARCHITECTURES
AUTOMATIC FUNCTIONALITY ASSIGNMENT TO AUTOSAR MULTICORE DISTRIBUTED ARCHITECTURES Florin Maticu, Paul Pop Technical University of Denmark (DTU) Axbrink Christian, Islam Mafijul Volvo Group Trucks Technology,
More informationIBM Rational Rhapsody. IBM Rational Rhapsody Kit for ISO 26262, IEC 61508, IEC and EN Overview. Version 1.9
IBM Rational Rhapsody IBM Rational Rhapsody Kit for ISO 26262, IEC 61508, IEC 62304 and EN 50128 Overview Version 1.9 License Agreement No part of this publication may be reproduced, transmitted, stored
More informationEnabling Increased Safety with Fault Robustness in Microcontroller Applications
Enabling Increased Safety with Fault Robustness in Microcontroller Applications Wayne Lyons ARM 110 Fulbourn Road Cambridge CB1 9NJ, England Abstract All safety-critical or high-reliability applications
More informationGeneral Framework for Secure IoT Systems
General Framework for Secure IoT Systems National center of Incident readiness and Strategy for Cybersecurity (NISC) Government of Japan August 26, 2016 1. General Framework Objective Internet of Things
More informationMethods and Tools for Embedded Distributed System Timing and Safety Analysis. Steve Vestal Honeywell Labs
Methods and Tools for Embedded Distributed System Timing and Safety Analysis Steve Vestal Honeywell Labs Steve.Vestal@Honeywell.com 5 April 2006 Outline Preliminary Comments Timing and Resource Utilization
More informationAutomated Freedom from Interference Analysis for Automotive Software
Automated Freedom from Interference Analysis for Automotive Software Florian Leitner-Fischer ZF TRW 78315 Radolfzell, Germany Email: florian.leitner-fischer@zf.com Stefan Leue Chair for Software and Systems
More informationSoftware Verification and Validation (VIMMD052) Introduction. Istvan Majzik Budapest University of Technology and Economics
Software Verification and Validation (VIMMD052) Introduction Istvan Majzik majzik@mit.bme.hu Budapest University of Technology and Economics Dept. of Measurement and Information s Budapest University of
More informationIntegrated and Separate?
Integrated and Separate? A document to aid the demonstration of Independence between Control & Safety by The 61508 Association Overriding key principle...it must be safe! DISCLAIMER: Whilst every effort
More informationFunctional Safety beyond ISO26262 for Neural Networks in Highly Automated Driving
Functional Safety beyond ISO26262 for Neural Networks in Highly Automated Driving Autonomous Driving Meetup #5 MAN Track Forum, Munich 27 th of March 2018 André Roßbach, Tim Heinemann, Florian Bogenberger
More informationDon t Be the Developer Whose Rocket Crashes on Lift off LDRA Ltd
Don t Be the Developer Whose Rocket Crashes on Lift off 2015 LDRA Ltd Cost of Software Defects Consider the European Space Agency s Ariane 5 flight 501 on Tuesday, June 4 1996 Due to an error in the software
More informationTool Safety Manual for Testwell CTC++
Tool Safety Manual for Testwell CTC++ Version: 0.8 Date: 2014-11-17 Status: Author: File: Size: Generic / Adapted / Presented / Generated / Reviewed / Final Dr. David Seider, Dr. Oscar Slotosch TSM_ManualPart.docx
More informationMASP Chapter on Safety and Security
MASP Chapter on Safety and Security Daniel Watzenig Graz, Austria https://artemis.eu MASP Chapter on Safety & Security Daniel Watzenig daniel.watzenig@v2c2.at Francois Tuot francois.tuot@gemalto.com Antonio
More informationT72 - Process Safety and Safety Instrumented Systems
T72 - Process Safety and Safety Instrumented Systems Comprehensive Solutions Portfolio for Fail-Safe to TMR Safety Applications PUBLIC Copyright 2018 Rockwell Automation, Inc. All Rights Reserved. 1 Agenda
More informationAccreditation Criteria
Accreditation Criteria Product Certification BCB 120 Apr 2006 Contents 0.0 Foreword 2 1.0 Scope 2 2.0 Criteria 2 3.0 Guidance on the requirements of ISO Guide 65 2 4.0 Scope of Accreditation 2 5.0 Time
More informationConvergence of Safety, Systems & Cybersecurity Bill StClair, Director, LDRA, US Operations
Convergence of Safety, Systems & Cybersecurity Bill StClair, Director, LDRA, US Operations Agenda Nexus of Safety and Cybersecurity Separation and Connectivity Trends in Aerospace Cybersecurity Isn t Security
More informationConformity Assessment Schemes and Interoperability Testing (1) Keith Mainwaring ITU Telecommunication Standardization Bureau (TSB) Consultant
Conformity Assessment Schemes and Interoperability Testing (1) Keith Mainwaring ITU Standardization Bureau (TSB) Consultant Moscow, 9-11 november 2011 Contents The benefits of conformity assessment Conformity
More informationFailure Modes, Effects and Diagnostic Analysis
Failure Modes, Effects and Diagnostic Analysis Project: Relay couplers IM73-12-R/24VUC and IM73-12-R/230VAC Customer: Hans Turck GmbH & Co. KG Mühlheim Germany Contract No.: TURCK 06/02-16 Report No.:
More informationIntegrated Modular Avionics Development Guidance and Certification Considerations
René L.C. Eveleens National Aerospace Laboratory NLR P.O. Box 90502 1006BM Amsterdam Netherlands eveleens@nlr.nl ABSTRACT From 2001 to 2005 a working group within the European Organisation for Civil Aviation
More informationApportionment of Safety Integrity
Apportionment of Safety Integrity oder Elementare Rechenoperationen im Zahlenraum bis 4 Dr. Hendrik Schäbe TÜV Rheinland InterTraffic GmbH D 51101 Köln T +49 221 806 2466 F +49 221 806 3940 E schaebe@de.tuv.com
More informationFault Propagation and Transformation: A Safety Analysis. Malcolm Wallace
Fault Propagation and Transformation: A Safety Analysis Malcolm Wallace Software Safety Safety is not the same as correctness. Correctness = theorem-proving, model-checking, abstract interpretation, etc.
More informationLow voltage switchgear and controlgear functional safety aspects
Low voltage switchgear and controlgear functional safety aspects Guidance how to use low voltage switchgear and controlgear in functional safety applications Picture Siemens AG A message from the CAPIEL
More informationUK EPR GDA PROJECT. Name/Initials Date 30/06/2011 Name/Initials Date 30/06/2011. Resolution Plan Revision History
RP unique number: GI-UKEPR-CI-01-RP 0 30/06/2011 1 of 19 Approved for EDF by: A. PETIT Approved for AREVA by: C. WOOLDRIDGE Name/Initials Date 30/06/2011 Name/Initials Date 30/06/2011 Resolution Plan History
More informationEntwicklung zuverlässiger Software-Systeme, Stuttgart 30.Juni 2011
Entwicklung zuverlässiger Software-Systeme, Stuttgart 30.Juni 2011 Tools and Methods for Validation and Verification as requested by ISO26262 1 Introduction ISO26262 ISO 26262 is the adaptation of IEC
More informationDefense-in-Depth & Diversity (D3) Charles Kim Electrical and Computer Engineering Howard University
EECE499-01: Computers and Nuclear Energy Defense-in-Depth & Diversity (D3) Charles Kim Electrical and Computer Engineering Howard University www.mwftr.com 1 Defense in Depth Military Strategy Front Line
More informationAutomating Best Practices to Improve Design Quality
Automating Best Practices to Improve Design Quality 임베디드 SW 개발에서의품질확보방안 이제훈차장 2015 The MathWorks, Inc. 1 Key Takeaways Author, manage requirements in Simulink Early verification to find defects sooner
More informationLATEST ISO UPDATE Focusing on Concurrency. Heiko Doerr MGI Group, 06. December 2016
LATEST ISO 26262 UPDATE Focusing on Concurrency Heiko Doerr MGI Group, 06. December 2016 STARTING POINT ISO 26262 released in November 2011 Second edition available for review as ISO/DIS 26262:2018 Final
More informationFUNCTIONAL SAFETY AND THE GPU. Richard Bramley, 5/11/2017
FUNCTIONAL SAFETY AND THE GPU Richard Bramley, 5/11/2017 How good is good enough What is functional safety AGENDA Functional safety and the GPU Safety support in Nvidia GPU Conclusions 2 HOW GOOD IS GOOD
More informationCritical Systems. Objectives. Topics covered. Critical Systems. System dependability. Importance of dependability
Objectives Critical Systems To explain what is meant by a critical system where system failure can have severe human or economic consequence. To explain four dimensions of dependability - availability,
More informationDevelopment Guidance and Certification Considerations
Integrated Modular Avionics Development Guidance and Certification Considerations René L.C. Eveleens National Aerospace Laboratory NLR P.O. Box 90502 1006BM Amsterdam RTO SCI LS-176: Mission System Engineering
More informationWhy testing and analysis. Software Testing. A framework for software testing. Outline. Software Qualities. Dependability Properties
Why testing and analysis Software Testing Adapted from FSE 98 Tutorial by Michal Young and Mauro Pezze Software is never correct no matter what developing testing technique is used All software must be
More informationCertified Software Quality Engineer Preparation On Demand, Web-Based Course Offered by The Westfall Team
Certified Software Quality Engineer (CSQE) Preparation course is an on demand, web-based course design to be a comprehensive, in-depth review of the topics in the ASQ s Certified Software Quality Engineer
More informationStandardkonforme Absicherung mit Model-Based Design
Standardkonforme Absicherung mit Model-Based Design MATLAB EXPO 2014 Dr. Marc Segelken Principal Application Engineer 2014 The MathWorks, Inc. 1 Safety Standards for Embedded Systems IEC 61508 ISO 26262
More informationFMEDA Report Failure Modes, Effects and Diagnostic Analysis and Proven-in-use -assessment KF**-CRG2-**1.D. Transmitter supply isolator
FMEDA Report Failure Modes, Effects and Diagnostic Analysis and Proven-in-use -assessment Device Model Number: Transmitter supply isolator Pepperl+Fuchs GmbH Mannheim Germany Mannheim norm sheet 1 of 10
More informationSafety Argument based on GSN for Automotive Control Systems. Yutaka Matsubara Nagoya University
1 Safety Argument based on GSN for Automotive Control Systems Yutaka Matsubara Nagoya University yutaka@ertl.jp 02.26.2014 2 Agenda 1. Safety argument in ISO26262 2. Requirements related to safety argument
More informationISO meets AUTOSAR - First Lessons Learned Dr. Günther Heling
ISO 26262 meets AUTOSAR - First Lessons Learned Dr. Günther Heling Agenda 1. ISO 26262 and AUTOSAR Two Basic Contradictions Top-Down vs. Reuse Concentration vs. Distribution 2. Approach Mixed ASIL System
More informationEXAM PREPARATION GUIDE
EXAM PREPARATION GUIDE PECB Certified ISO 39001 Lead Auditor The objective of the PECB Certified ISO 39001 Lead Auditor examination is to ensure that the candidate has the knowledge and skills to plan
More informationA Multi-Modal Composability Framework for Cyber-Physical Systems
S5 Symposium June 12, 2012 A Multi-Modal Composability Framework for Cyber-Physical Systems Linh Thi Xuan Phan Insup Lee PRECISE Center University of Pennsylvania Avionics, Automotive Medical Devices Cyber-physical
More informationAMASS. Architecture-driven, Multi-concern and Seamless Assurance and Certification of Cyber-Physical Systems
AMASS Architecture-driven, Multi-concern and Seamless Assurance and Architecture-driven, Multi-concern and Seamless Assurance and Certification of Cyber-Physical Systems AMASS: Technical Vision First EAB
More informationList of proposed requirements for Avionics domain Annex D1.1.b to deliverable D1.1
Collaborative Large-scale Integrating Project Open Platform for EvolutioNary Certification Of Safety-critical Systems List of proposed requirements for domain to deliverable D1.1 Work Package: WP1: Use
More informationSOFTWARE QUALITY. MADE IN GERMANY.
UPCOMING IMPACT OF THE SECOND EDITION OF THE ISO 26262 MGIGroup, 11.07.2017 SOFTWARE QUALITY. MADE IN GERMANY. SOLUTIONS FOR INTEGRATED QUALITY ASSURANCE OF EMBEDDED SOFTWARE MOTIVATION Release ISO 26262:2011
More informationReport. Certificate Z SIMATIC S7 F/FH Systems
Report to the Certificate Z10 16 06 20080 004 Safety-Related Programmable Systems SIMATIC S7 F/FH Systems Manufacturer: Siemens AG PD PA AE R&D Östliche Rheinbrückenstr. 50 D-76187 Karlsruhe Report no.
More informationELECTROTECHNIQUE IEC INTERNATIONALE INTERNATIONAL ELECTROTECHNICAL COMMISSION
COMMISSION CEI ELECTOTECHNIQUE IEC INTENATIONALE 61508-2 INTENATIONAL ELECTOTECHNICAL COMMISSION Functional safety of electrical/electronic/ programmable electronic safety-related systems -- Part 2: equirements
More informationSimulink 모델과 C/C++ 코드에대한매스웍스의정형검증툴소개 The MathWorks, Inc. 1
Simulink 모델과 C/C++ 코드에대한매스웍스의정형검증툴소개 2012 The MathWorks, Inc. 1 Agenda Formal Verification Key concept Applications Verification of designs against (functional) requirements Design error detection Test
More informationSUCCESSFULL MULTICORE CERTIFICATION WITH SOFTWARE-PARTITIONING Efficient Implementation for DO-178C, EN 50128, ISO 26262
Sven Nordhoff, SYSGO AG, Klein-Winternheim, Germany ABSTRACT The usage of multi-core processors (MCPs) in modern systems is state-of-the art and will also come to reality in safetycritical domains like
More informationConstructing and Verifying Cyber Physical Systems
Constructing and Verifying Cyber Physical Systems Mixed Criticality Scheduling and Real-Time Operating Systems Marcus Völp Overview Introduction Mathematical Foundations (Differential Equations and Laplace
More informationCertification Requirements for High Assurance Systems
for High Assurance Systems Gordon M. Uchenick Senior Mentor/Principal Engineer Objective Interface Systems, Inc. and W. Mark Vanfleet Senior Cryptologic Mathematician/ Senior INFOSEC Analyst National Security
More informationMC-SDN: Supporting Mixed-Criticality Scheduling on Switched-Ethernet Using Software-Defined Networking
MC-SDN: Supporting Mixed-Criticality Scheduling on Switched-Ethernet Using Software-Defined Networking Kilho Lee, Taejune Park, Minsu Kim, Hoon Sung Chwa, Jinkyu Lee* Seungwon Shin, and Insik Shin * 1
More informationAUTOMOTIVE FUNCTIONAL SAFETY: ACCELERATING INNOVATION THROUGH COOPERATION AND CONSENSUS IN STANDARDS
AUTOMOTIVE FUNCTIONAL SAFETY: ACCELERATING INNOVATION THROUGH COOPERATION AND CONSENSUS IN STANDARDS May 2018 BSI Standards 020 8996 7261 Alex.Price@BSIgroup.com Copyright 2012 BSI. All rights reserved.
More informationait: WORST-CASE EXECUTION TIME PREDICTION BY STATIC PROGRAM ANALYSIS
ait: WORST-CASE EXECUTION TIME PREDICTION BY STATIC PROGRAM ANALYSIS Christian Ferdinand and Reinhold Heckmann AbsInt Angewandte Informatik GmbH, Stuhlsatzenhausweg 69, D-66123 Saarbrucken, Germany info@absint.com
More informationFreescale, the Freescale logo, AltiVec, C-5, CodeTEST, CodeWarrior, ColdFire, ColdFire+, C- Ware, the Energy Efficient Solutions logo, Kinetis,
July 19, 2013 Freescale, the Freescale logo, AltiVec, C-5, CodeTEST, CodeWarrior, ColdFire, ColdFire+, C- Ware, the Energy Efficient Solutions logo, Kinetis, mobilegt, PEG, PowerQUICC, Processor Expert,
More informationUnderstanding SW Test Libraries (STL) for safetyrelated integrated circuits and the value of white-box SIL2(3) ASILB(D) YOGITECH faultrobust STL
Understanding SW Test Libraries (STL) for safetyrelated integrated circuits and the value of white-box SIL2(3) ASILB(D) YOGITECH faultrobust STL Riccardo Mariani White Paper n. 001/2014 Riccardo Mariani
More informationStrong and Weak Contract Formalism for Third-Party Component Reuse
Strong and Weak Contract Formalism for Third-Party Component Reuse Irfan Sljivo, Barbara Gallina, Jan Carlson, Hans Hansson Mälardalen Real-Time Research Centre, Mälardalen University, Västerås, Sweden
More informationIntegrated Assessment of AutomotiveSPICE 3.0, Functional Safety ISO 26262, Cybersecurity SAE J3061
Integrated Assessment of AutomotiveSPICE 3.0, Functional Safety ISO 26262, Cybersecurity SAE J3061 Christian Kreiner Institute of Technical Informatics TUGraz Richard Messnarz ISCN GesmbH The AQU project
More informationISO/IEC JTC1/SC7 /N3040
ISO/IEC JTC1/SC7 Software and Systems Engineering Secretariat: CANADA (SCC) ISO/IEC JTC1/SC7 /N3040 2004-05-12 Document Type Title Source Report ISO/IEC JTC 1/SC7 WG9 Report to the Brisbane Plenary AG
More informationPosition Paper. Minimal Multicore Avionics Certification Guidance
Position Paper On Minimal Multicore Avionics Certification Guidance Lui Sha and Marco Caccamo University of Illinois at Urbana-Champaign Greg Shelton, Marc Nuessen, J. Perry Smith, David Miller and Richard
More informationCompany: Valeo Powertrain Systems Business Company: Valeo Powertrain Systems Business
"La démarche «Building» appliquée à la Sûreté de Fonctionnement des onduleurs" Building strategy application to functional safety of inverters Hicham LAHBIL Amélie THIONVILLE Company: Valeo Powertrain
More informationIncreasing Design Confidence Model and Code Verification
Increasing Design Confidence Model and Code Verification 2017 The MathWorks, Inc. 1 The Cost of Failure Ariane 5 $7,500,000,000 Rocket & payload lost 2 The Cost of Failure USS Yorktown 0 Knots Top speed
More informationAutomotive Security: Challenges, Standards and Solutions. Alexander Much 12 October 2017
Automotive Security: Challenges, Standards and Solutions Alexander Much 12 October 2017 Driver s fears are being fueled by recent news Connected Cars, new opportunities for hackers Autonomous Driving Concepts
More informationFailure Modes, Effects and Diagnostic Analysis
Failure Modes, Effects and Diagnostic Analysis Project: Solenoid Drivers IM72-11Ex/L and IM72-22Ex/L Customer: Hans Turck GmbH & Co. KG Mühlheim Germany Contract No.: TURCK 04/10-20 Report No.: TURCK 04/10-20
More informationExCuSe A Method for the Model-Based Safety Assessment of Simulink and Stateflow Models
ExCuSe A Method for the Model-Based Safety Assessment of Simulink and Stateflow Models MATLAB Expo 2018 2018-06-26 München Julian Rhein 1 Outline Introduction Property Proving Application to Safety Assessment
More informationFailure Diagnosis and Prognosis for Automotive Systems. Tom Fuhrman General Motors R&D IFIP Workshop June 25-27, 2010
Failure Diagnosis and Prognosis for Automotive Systems Tom Fuhrman General Motors R&D IFIP Workshop June 25-27, 2010 Automotive Challenges and Goals Driver Challenges Goals Energy Rising cost of petroleum
More information