SlideShare a Scribd company logo

Unified Systems Engineering feasibility

Eric Verhulst
Eric Verhulst

Is unified systems and safety engineering feasible? This presentation introduces a new approach for developing composable systems with different SIL levels will be presented. It introduces the new notion of ARRL (Assured Reliability and Resilience Level).

1 of 38
Download to read offline
Cross-domain systems and safety engineering: is it feasible? Composable safety: is it feasible? Eric.Verhulst@altreonic.com Altreonic NV 17.01.2013 From Deep Space to Deep Sea 1
Content • Intro to safety and its importance • Some results from OPENCOSS project • The issue with the SIL concept • Introducing the ARRL concept • A unified process pattern • Conclusions 17.01.2013 From Deep Space to Deep Sea 2
Some data for thought • 35000 people killed in cars /yr /Europe • 500 people killed in airplanes /yr /world • Why the difference? => many reasons • The Renault Logan is the most reliable car • Why? Less electronics, proven in use design • Is it also safer? • The US is considering to make black boxes a legal requirement in cars • What does this mean? What could be the impact? 17.01.2013 From Deep Space to Deep Sea 3
Systems Engineering vs. Safety Engineering • System = holistic • Real goal is "Trustworthy Systems" • Cfr. Felix Baumgartner almost did not do it because he didn't trust his safe jumpsuit • TRUST = by the user or stakeholders • Safety • Security • Usability (UI) • Privacy • Achieving intended Functionality • Meeting non-functional objectives • Cost, energy, volume, maintainability, scalability, Manufacturability,.. • So why focus on safety? 17.01.2013 From Deep Space to Deep Sea 4
Safety • Safety is the state of being "safe" the condition of being protected against physical, social, spiritual, financial, political, emotional, occupational, psychological, educational or other types or consequences of failure, damage, error, accidents, harm or any other event which could be considered non-desirable. • Safety can also be defined to be the control of recognized hazards to achieve an acceptable level of risk risk. • Safety is general property of a system • Not just a concern when programmable elecronics are used !!! • What are the consequences of not meeting the requirements? • Annoyance • Business lost • People can get killed or harmed • => it is complex but there are moral liabilities 17.01.2013 From Deep Space to Deep Sea 5
Role of certification • In depth review => safe to operate • “Conformity assessment” (for automotive) • Not a technical requirement: • Confidence requirement • Legal requirement • Where is the evidence? • Evidence: • Evidence is a coherent collection of information that relying on a number of process artifacts linked together by their dependencies and sufficient structured arguments provides an acceptable proof that a specific system goal has been reached. 17.01.2013 From Deep Space to Deep Sea 6
Some background projects • ASIL project • Project with Flanders Drive to develop a common "automotive" safety engineering methodology • IEC-61508, IEC-62061, ISO-26262 ISO-13849, ISO-25119 and ISO-15998. (+ ISO-26262, CMMI, Automotive SPICE) • About 350 steps, 100 workproducts, ... • ASIL imported in GoedelWorks portal • EU FP7 IP OPENCOSS • Project with 17 EU partners (avionics, raillway, automotive) on reducing the cost and effort of certification • ISO-26262, DO-178C/254/..., CENELEC 50126-128-129 • Cross-domain � LinkedIn discussion grops • Product families • => there is interest and a growing awareness 17.01.2013 From Deep Space to Deep Sea 7
Altreonic's OPENCOSS survey • First survey on standards and certification awareness done. (public, 85 respondents) • In-depth interviews executed: Alstom, Thales Toulouse, Thales Valence, Renault, CRF • Cross domain workshop to be organised 17.01.2013 From Deep Space to Deep Sea 8
About 41% of the respondents indicate that organisation has been certified. About half for ISO-9001 and CMMI 17.01.2013 From Deep Space to Deep Sea 9
17.01.2013 From Deep Space to Deep Sea 10
17.01.2013 From Deep Space to Deep Sea 11
17.01.2013 From Deep Space to Deep Sea 12
Standards: pick your own (total: 266, out of more) EN ISO 10993, ISO 26262, D0-178,IEC 60118, ANY, IEC 60601, 21 CFR, EN ISO 389, IEC  61000, IEC 61508, EN 50126, EN 60601, ISO 9000, AUTOSAR, IEC 60068, EN ISO 14644, IEC 60068, SYSML, CENELEC, EN 45502, EN 50128, EN 868, UML, CMMI, DVB, EN 10088, EN 17025, EN 50129, EN ISO 11138, IEC 62304, ISO 8253, ISO 965, 93/42/EC, EN 17020, EN 556, EN ISO 11137, EN ISO 11607, EN ISO 12100, EN ISO 14155, EN ISO 14698, ETSI EN 301 489, IEC 60086, IEC 61511, IEEE 1149.1, ISO 13485, ISO 14971, ISO 15223, ISO 2768, ISO 9126, UNISIG, W3C, 2000/70/EC, 2004/108/EC, 2006/42/EC, 2007/47/EC, 89/392/EC, 90/385/EC, 95/46/EC, AADL, AAMI HE74, AAMI HE75, AAMI ST241, AAMI ST81, AAMI TIR 32, AAMI TIR 36, AAMI TIR18, AAMI TIR40, AAMI TIR80002, ABET, Ada, AEC-Q100, ANSI S3.21, ANSI S3.22, AQAP, ARINC 629, AS 9100, ASN.1, ASQ D1160, ASQ Z1.4, ASQ Z1.9, ASTM B265, ASTM D3078, ASTM D4169, ASTM F 1140, ASTM F 1608, ASTM F 17, ASTM F 1886, ASTM F 1929, ASTM F 1980, ASTM F 2052, ASTM F 2054, ASTM F 2095, ASTM F 2096, ASTM F 2097, ASTM F 2119, ASTM F 2182, ASTM F 2213, ASTM F 2503, ASTM F 2504, ASTM F 382, ASTM F 67, ASTM F 88, ASTM F136, ATEX, CAN, CEPT/ERC Report 25, CISPR 11, CISPR 14, CISPR 15, CR CCS TSI, DICOM, DIN, DO-254, EASA, ECSS, ECTS, EN 1040, EN 1041, EN 1080, EN 12353, EN 1275, EN 1276, EN 13060, EN 13427, EN 13428, EN 13429, EN 13430, EN 13697, EN 13824, EN 1422, EN 14682, EN 1499, EN 1500, EN 15038, EN 1650, EN 1656, EN 1657, EN 285, EN 475, EN 50155, EN 60825, EN 60850, EN 62304, EN 62366, EN 867, EN 980, EN ISO 11135, EN ISO 11140, EN ISO 13485, EN ISO 14121, EN ISO 14161, EN ISO 14937, EN ISO 14971, EN ISO 15882, EN ISO 16061, EN ISO 17664, EN ISO 17665, ESD S20.20, ETSI EN 300 330, ETSI TS 105175, FFFIS, FlexRay, HL7, HS CCS TSI, I2C, IEC 12207, IEC 60318, IEC 60512, IEC 60645, IEC 60812, IEC 60950, IEC 61131, IEC 61158, IEC 61438, IEC 61499, IEC 61951, IEC 61959, IEC 61960, IEC 62061, IEC 62133, IEC 62281, IEC  60384, IEC 60529, IEC 60884, IEC 61058, IEC/TR 62354, IEC61508, IEEE 1074, IEEE 11073, IEEE 12207, IEEE 1588, IEEE 1625, IEEE 1725, IETF, IHE, IPC 7351, IPC-A-600, IPC-STD-001E, IPC-STD-033, IPV6, IRIS, ISA 100, ISO 10012, ISO 11137, ISO 13606, ISO 13715, ISO 13781, ISO 13940, ISO 14000, ISO 15225, ISO 15504, ISO 16022, ISO 22600, ISO 250xx, ISO 26000, ISO 2700, ISO 2859, ISO 5832, ISO 5834, ISO 5838, ISO 60118, ISO 6474, ITIL, ITU-R 27, Java RT, JIS C 8711, LN, MDD, MED DEV 2.7.1, MED DEV 2.7.2, MIL B 49030, MIL standards (all), MIL-M 38510, MIL-PRF 38534, MIL-PRF 38535, MIL-PRF-49471B, MIL-STD-883H, MISRA-C, MOF, MOST1000, MPEG, NATO Stanags, NE 2575, NEN 1010, NEN 2575, NEN 2654, OCL, Pascal (ISO), Privacy, Python, QVT, RFID, Safety, SAFETY SIL, SDL, SDL-RT, SOA, SOX, SQUARE, Subset026, TTCN-3, UIC 544-1 , UL 2054, USB, WirelessHART, Zigbee, 17.01.2013 From Deep Space to Deep Sea 13
Importance and obstacles for standards �Importance: � It is a legal or market requirement 31.1% � It enhances quality, reduces cost and increase lifetime of products/systems developed. 32.8% � Interoperability 36.1% �Obstacles: � Standards are complex, difficult, costly, change constantly, vague and difficult to obtain 60.3% � Acceptance by the organisation or culture is lacking 22.4% � Proprietary solutions work better, standards lag technology and hamper innovation 17.2% 17.01.2013 From Deep Space to Deep Sea 14
Demotivating factors for certification • Effort, cost, complexity, inconsistency, bureaucratic (paperwork) 60.7% • Change management (evolving standards, evolving products), differences national/ international 21.4% • Rigidity, lagging market and technology 17.9% 17.01.2013 From Deep Space to Deep Sea 15
Conclusion from the in-depth interviews • Certification and safety engineering is complex • The safety domain is still in an early phase (diversity of practices and safety standards across the different domains) • The maturity is greatest for avionics, followed by railway whereas automotive still in an emerging phase. • From paper-driven waterfall to agile, lean processes. • Word, excel, etc. dominate • Lots of human/manual work • Lowering certification costs today: • use a better process, not so much more tools • Lean/agile: -30% cost, integration from 12m to 3w 17.01.2013 From Deep Space to Deep Sea 16
Safety as a goal = "Safety Integrity Levels" Domain General (IEC-61508) SIL0 SIL1 SIL2 SIL3 SIL4 Programmable elecronics Automotive ASIL-A ASIL-B ASIL-C ASIL-D - (26262) Avionics DAL-E DAL-D DAL-C DAL-B DAL-A (DO-178/254) Railway (CENELEC SIL0 SIL1 SIL2 SIL3 SIL4 50126/128/129) Detailed analysis reveals only partial mapping! 17.01.2013 From Deep Space to Deep Sea 17
SIL targets risk reduction SIL PFD PFD (power) RRF (Probability of Failure per Hour) (Risk Reduction Factor) 1 0.1-0.01 10−1 - 10−2 10-100 2 0.01-0.001 10−2 - 10−3 100-1000 3 0.001-0.0001 10−3 - 10−4 1000-10,000 4 0.0001-0.00001 10−4 - 10−5 10,000-100,000 For continuous operation, these change to the following. SIL PFH PFH (power) RRF 1 0.00001-0.000001 10−5 - 10−6 100,000-1,000,000 2 0.000001-0.0000001 10−6 - 10−7 1,000,000-10,000,000 3 0.0000001-0.00000001 10−7 - 10−8 10,000,000-100,000,000 4 0.00000001-0.000000001 10−8 - 10−9 100,000,000-1,000,000,000 Note: risk reduction depends on domain! 17.01.2013 From Deep Space to Deep Sea 18
Problems with SIL definition • Poor harmonization of definition across the different standards bodies which utilize SIL • Process-oriented metrics for derivation of SIL • Estimation of SIL based on reliability estimates • System complexity, particularly in software systems, makes SIL estimation difficult if not impossible • => based on probabilities that are very hard if not impossible to measure and estimate • Risk figures are different for each domain => reuse? • The law of Murphy still applies: • The next instant can be catastrophic 17.01.2013 From Deep Space to Deep Sea 19
Problems with SIL as a design goal • Safety goal is put first => architecture is derived • Clearly effort in standards to minimise effort and costs => complex and hard to use tables • First principles in safety engineering: • Safety culture: is also keep it Simple and Smart • Quality is a pre-condition • Traceability • Configuration management 17.01.2013 From Deep Space to Deep Sea 20
How to achieve safety? • It’s a requirement • What are the derived specifications? • How to derive these safety specifications? • How to fulfill these safety specifications? • Develop a solution that is safe by design • Follow a process that leads to safe(r) products 17.01.2013 From Deep Space to Deep Sea 21
The real issue with SIL • SIL is a system level concept • But we design using components and reuse • SIL cannot be reused • But components can! • SIL is domain specific • Components are domain independent • Composibility still unclear issue. Why? • => we must start at the component level 17.01.2013 From Deep Space to Deep Sea 22
Safety composibility • Although this is the practice in systems engineering, it is poorly addressed in the standards • Example from ISO-DIS-25119 (derived ISO 13849) • "The safety-related parts of control systems shall be designed in accordance with the requirements of one or more of the 5 categories specified in ISO-DIS-25119-2:2008-Annex A. When a safety function is realized by an integrated combination of multiple hardware categories, the resulting safety function AgPL is limited by the overall hardware category, including MTTFdc, DC, SRL, CCF, etc." • If the embedded software has to implement software components with different SRLs or safety-related and non-safety related software components, then the overall SRL is limited to the component with the lowest SRL, unless adequate independence between the software components can be demonstrated 17.01.2013 From Deep Space to Deep Sea 23
Redefining SIL to be domain independent ? SIL 0 no impact • S = Safety • ( includes security) SIL 1 material • Integrity Level damage • Attempt at one SIL SIL2 harmful impact on definition for all people domains SIL3 one person dead • If we would follow the standards in SIL4 many persons spirit dead 17.01.2013 From Deep Space to Deep Sea 24
What's wrong with this definition? • Even a perfectly designed and proven system composed of perfect components can fail catastrophically • Concorde: 100% safe until the first one crashed due to an improbable external cause • The law of Murphy has priority over probability over a life time • SIL is a lifetime indicator for a system, not a criterium for selecting components 17.01.2013 From Deep Space to Deep Sea 25
Why is ASIL-D ≠ SIL4 ? • More or less: ASIL-C = SIL3 • Switch to fail-safe mode • More or less: ASIL-D = SIL 3.5 • Supervised operation • Whereas SIL4 implies fault tolerance • According to generic SIL table => • car has upto 5 passengers => SIL 3.5 • but 35000 people get killed per year (EU) => SIL4 • System is not the car but car based transport • Car is component in the larger system 17.01.2013 From Deep Space to Deep Sea 26
New definition: we start from the component • ARRL: Assured Reliability and Resilience Level ARRL 0 it might work (use as is) ARRL 1 works as tested, but no guarantee ARRL 2 works correctly, IF no fault occurs, guaranteed no errors in implementation) => formal evidence ARRL 3 ARRL 2 + goes to fail-safe or reduced operational mode upon fault (requires monitoring + redundancy) - fault behavior is predictable as well as next state ARRL 4 ARRL 3 + tolerates one major failure and is fault tolerant (fault behavior is predictable and 17.01.2013 transparent for Sea external world) From Deep Space to Deep the 27
Consequences • If a system/component has a fault, it drops into a degraded mode => lower ARRL • ARRL3 is the operational mode after an ARRL4 failure • Functionality is preserved • Assurance level is lowered • SIL not affected and domain independent • System + environment + operator defines SIL 17.01.2013 From Deep Space to Deep Sea 28
Composition rule: • A system can only reach a certain SIL level if all it components are at least of the same ARRL level. • This is a pre-condition, not a sufficient condition • Redundancy can compose ARRL 4 components out of ARRL 3 components (needs an ARRL 4 voter) • ARRL3 component can use ARRL 2 components (>2) • Consequences: • Interfaces and interactions also need ARRL level! • Error propagation is to be prevented => partitioning architecture (e.g. distributed, concurrent) 17.01.2013 From Deep Space to Deep Sea 29
Generic example ARRL-3 ARRL-3 function voter ARRL-3 ARRL-3 function voter ARRL-3 ARRL-3 function voter ARRL-4 2 out of 3 voter ARRL-4 function 17.01.2013 From Deep Space to Deep Sea 30
Common mode failures => ARRL-5 • ARRL-4 assumes independence of faults in each redundant channel • Covers only a subset of the common mode failures • Less visible are e.g. common misunderstanding of requirements, translation tool errors, time dependent faults => require asynchronous operation and diversity/heterogenous solutions • Hence we can define an ARRL-5 as well 17.01.2013 From Deep Space to Deep Sea 31
Dependency analysis • SIL is a top level Requirement, decomposable in • Normal Case requirements (ARRP 1 &2) • Fault Case Requirements (ARRL 3 & 4 or even 5) • Requirements become Specified properties to be met and verified by implementation • Each ARRP level has same "normal case" architecture but different "ARRP" level architecture and hence also different non-functional properties safety (measures have a resource cost) 17.01.2013 From Deep Space to Deep Sea 32
What about a unified SE process? • Dependency chain + iteration • Requirements => Specifications • By decomposition and refinements ("testable") • Input for Work Package • also needs Resources • Composed of Development, Verification, Test and Validation/integration Tasks • Produces Work Products: • Process artefacts (evidence, ...) • Entities and Models (incl. implementation) 17.01.2013 From Deep Space to Deep Sea 33
Current practice (example from DO-178B - SW) System Requirements S/W partitioning Design Coding requirements standards integrity is standards standards confirmed [6.3.3f] Compatible with Comply layer] [System [11.6] Consistent [6.3.3b] [11.7] [11.8] target computer Traceable Conform Conform [6.3.2e] [6.3.1a] Compatible with Conform Comply [6.4.2.1; 6.4.3] [6.4.3a] [6.3.1f] [6.3.1e] [1] target computer [6.3.4d] [1] Produce exec object [6.3.3c] [6.3.3e] Robust [6.4.2.2; 6.4.3] code, integrate into t gt [2] [2] computer [5.4.1a] Verifiable [6.3.3d] Comply [6.4.2.1; 6.4.3] [3] [3] Executable Object Code Robust [6.4.2.2; 6.4.3] [11.12] Develop Define [4] [4] high level derived Compatible requirem high level [6.3.3a] Develop software Comply ents requireme architecture [6.3.4.b] nts Integrate and conduct software tests [Inferred] [5.1.1a] Comply [6.3.2a] [5.2.1a] [5.1.1b] Develop Develop Comply [6.3.4a] Software Requirements Data low level derived Software Verification Develop requirem low level Results [11.14]* Traceable [6.3.2f] and ents requireme Traceable [11.9] integrate nts [6.3.4e] Test results are source code [5.2.1a] Test coverage is correct and [5.2.1b] achieved [6.4.4.1] discrepancies [5] Design Description [5.3.1a] Source [5] explained [6.3.6c] Code Test coverage is [11.10] achieved [6.4.4.1] [6] [6] Develop Software Algorithms are [11.11] Algorithms are Test coverage (decision Verification Cases and accurate accurate coverage) is achieved Procedures Verifiable [6.3.1d] [6.3.1g] [6.3.2g] [6.4.4.2a,b] Verifiable [6.3.2d] Compatible with Test coverage (statement Compatible with [Inferred] Verification Software target computer coverage) is achieved target computer Cases and Procedures Accurate and [6.3.1c] Accurate and [6.4.4.2a,b] [6.3.2c] Test coverage (data coupling consistent consistent and control coupling) is [11.13] [6.3.1b] Legend: Arrows denote [6.3.2b] achieved [6.4.4.2a,b] Denotes verification Test coverage (modified activities and Required for level A, B, C, D activities: condition/decision) is collection of Denotes Required for level A, B, C achieved [6.4.4.2c] activities objects Denotes life Required for level A, B external to Outputs of software Test procedures are cycle data Required for level A the integration process are correct [6.3.6b] development To be achieved with independence fo r level A and B complete and correct [6.3.5] Denotes software/hardware and Verifiable [6.3.4c] integration and test artefacts To be achieved with independence for level A Accurate and verification * Includes outputs of verification activities indicated by arrows process consistent RTCA-DO/178B Software Development and Verification Processes RTCA- 17.01.2013 From Deep Space to Deep Sea 34
ARRL process flow 17.01.2013 From Deep Space to Deep Sea 35
What we need: a process pattern for reuse Specific ations Work Resources Package Work devel verif test valid Product devel verif test valid report report report report devel verif test valid Certificat review review review review report 17.01.2013 From Deep Space to Deep Sea 36
Interplay of view (as in GoedelWorks) 17.01.2013 From Deep Space to Deep Sea 37
Conclusions • Unified system and safety engineering is feasible • Unified safety certification is not yet feasible (standards and SIL differ too much) • ARRL concept allows composable safety engineering with reuse of components • A unified process pattern can unify systems and safety engineering standards: DO - DOCUMENT - REVIEW More info: www.altreonic.com/content/altreonic-releases-new-approach - systems-engineering-goedelworks 17.01.2013 From Deep Space to Deep Sea 38

Recommended

Functional integrity certification exida
Functional integrity certification exidaFunctional integrity certification exida
Functional integrity certification exida
KoenLeekens
 
Cost Effective Outcomes from FPSO Safety Case
Cost Effective Outcomes from FPSO Safety CaseCost Effective Outcomes from FPSO Safety Case
Cost Effective Outcomes from FPSO Safety Case
IQPC
 
MISRA Safety Case Guidelines -
MISRA Safety Case Guidelines - MISRA Safety Case Guidelines -
MISRA Safety Case Guidelines -
Automotive IQ
 
Mohamed HENDI CV
Mohamed HENDI CVMohamed HENDI CV
Mohamed HENDI CV
Mohamed Hendi
 
Kalyani technologies corporate presentation
Kalyani technologies corporate presentationKalyani technologies corporate presentation
Kalyani technologies corporate presentation
Kalyani Technologies
 
Extronics AeroScout Automatic Mustering & Evacuation Monitoring Solutions
Extronics AeroScout Automatic Mustering & Evacuation Monitoring SolutionsExtronics AeroScout Automatic Mustering & Evacuation Monitoring Solutions
Extronics AeroScout Automatic Mustering & Evacuation Monitoring Solutions
Susie Marriott
 
Amol scadaowasp
Amol scadaowaspAmol scadaowasp
Amol scadaowasp
drewz lin
 
FISITA 2018 Keynote Speech by Matthias Popp
FISITA 2018 Keynote Speech by Matthias PoppFISITA 2018 Keynote Speech by Matthias Popp
FISITA 2018 Keynote Speech by Matthias Popp
SGS
 

Recommended

Functional integrity certification exida
Functional integrity certification exidaFunctional integrity certification exida
Functional integrity certification exida
KoenLeekens
 
Cost Effective Outcomes from FPSO Safety Case
Cost Effective Outcomes from FPSO Safety CaseCost Effective Outcomes from FPSO Safety Case
Cost Effective Outcomes from FPSO Safety Case
IQPC
 
MISRA Safety Case Guidelines -
MISRA Safety Case Guidelines - MISRA Safety Case Guidelines -
MISRA Safety Case Guidelines -
Automotive IQ
 
Mohamed HENDI CV
Mohamed HENDI CVMohamed HENDI CV
Mohamed HENDI CV
Mohamed Hendi
 
Kalyani technologies corporate presentation
Kalyani technologies corporate presentationKalyani technologies corporate presentation
Kalyani technologies corporate presentation
Kalyani Technologies
 
Extronics AeroScout Automatic Mustering & Evacuation Monitoring Solutions
Extronics AeroScout Automatic Mustering & Evacuation Monitoring SolutionsExtronics AeroScout Automatic Mustering & Evacuation Monitoring Solutions
Extronics AeroScout Automatic Mustering & Evacuation Monitoring Solutions
Susie Marriott
 
Amol scadaowasp
Amol scadaowaspAmol scadaowasp
Amol scadaowasp
drewz lin
 
FISITA 2018 Keynote Speech by Matthias Popp
FISITA 2018 Keynote Speech by Matthias PoppFISITA 2018 Keynote Speech by Matthias Popp
FISITA 2018 Keynote Speech by Matthias Popp
SGS
 
Outdoor Equipment Tracking customer stories from Extronics Advance
Outdoor Equipment Tracking customer stories from Extronics AdvanceOutdoor Equipment Tracking customer stories from Extronics Advance
Outdoor Equipment Tracking customer stories from Extronics Advance
Susie Marriott
 
WIP Throughput customer stories from Extronics Advance
WIP Throughput customer stories from Extronics AdvanceWIP Throughput customer stories from Extronics Advance
WIP Throughput customer stories from Extronics Advance
Susie Marriott
 
i.roc® Ci70 -Ex webinar 3/3 • RFID - Free Introductory
i.roc® Ci70 -Ex webinar 3/3 • RFID - Free Introductoryi.roc® Ci70 -Ex webinar 3/3 • RFID - Free Introductory
i.roc® Ci70 -Ex webinar 3/3 • RFID - Free Introductory
ecom instruments GmbH
 
Ploughshare intro 2014
Ploughshare intro 2014Ploughshare intro 2014
Ploughshare intro 2014
ctgoff
 
Mynd company presentation
Mynd company presentationMynd company presentation
Mynd company presentation
Davide Enrico Arnoldi
 
Worker Safety & Contractor Tracking customer stories from Extronics Advance
Worker Safety & Contractor Tracking customer stories from Extronics AdvanceWorker Safety & Contractor Tracking customer stories from Extronics Advance
Worker Safety & Contractor Tracking customer stories from Extronics Advance
Susie Marriott
 
i.roc® Ci70 -Ex webinar 1/3 - Increasing Mobile Computing ROI in hazardous areas
i.roc® Ci70 -Ex webinar 1/3 - Increasing Mobile Computing ROI in hazardous areasi.roc® Ci70 -Ex webinar 1/3 - Increasing Mobile Computing ROI in hazardous areas
i.roc® Ci70 -Ex webinar 1/3 - Increasing Mobile Computing ROI in hazardous areas
ecom instruments GmbH
 
AeroScout Worker Safety & Contractor Tracking from Extronics
AeroScout Worker Safety & Contractor Tracking from ExtronicsAeroScout Worker Safety & Contractor Tracking from Extronics
AeroScout Worker Safety & Contractor Tracking from Extronics
Susie Marriott
 
IoT workshop - Is 1kV Also Enough for IoT ESD Protection – Do Current Test Me...
IoT workshop - Is 1kV Also Enough for IoT ESD Protection – Do Current Test Me...IoT workshop - Is 1kV Also Enough for IoT ESD Protection – Do Current Test Me...
IoT workshop - Is 1kV Also Enough for IoT ESD Protection – Do Current Test Me...
Sofics
 
Thesis
ThesisThesis
Thesis
Zain Khan
 
Extronics Advance AeroScout Real Time Worker Location use case
Extronics Advance AeroScout Real Time Worker Location use caseExtronics Advance AeroScout Real Time Worker Location use case
Extronics Advance AeroScout Real Time Worker Location use case
Susie Marriott
 
02 cta yellow line station evanston cc 04.16.12
02 cta yellow line station evanston cc 04.16.1202 cta yellow line station evanston cc 04.16.12
02 cta yellow line station evanston cc 04.16.12
cityofevanston
 
Kingston Greenline & Ulster County Trails Summit - KPRT Feasibility Study
Kingston Greenline & Ulster County Trails Summit - KPRT Feasibility StudyKingston Greenline & Ulster County Trails Summit - KPRT Feasibility Study
Kingston Greenline & Ulster County Trails Summit - KPRT Feasibility Study
The Kingston Land Trust
 
green concrete
green concretegreen concrete
green concrete
kamaruddin vn
 
BEB801 - Oral Presentation
BEB801 - Oral PresentationBEB801 - Oral Presentation
BEB801 - Oral Presentation
Mitch Stubbings
 
Jovian Design - Permeable Surface Stormwater Management Feasibility Study
Jovian Design - Permeable Surface Stormwater Management Feasibility StudyJovian Design - Permeable Surface Stormwater Management Feasibility Study
Jovian Design - Permeable Surface Stormwater Management Feasibility Study
Aniruddha
 
DMAP's presentation
DMAP's presentationDMAP's presentation
DMAP's presentation
SILKAN
 
Jamil R. Mazzawi, Founder and CEO, Optima Design Automation
Jamil R. Mazzawi, Founder and CEO, Optima Design AutomationJamil R. Mazzawi, Founder and CEO, Optima Design Automation
Jamil R. Mazzawi, Founder and CEO, Optima Design Automation
chiportal
 
Dorner works do-254_information
Dorner works do-254_informationDorner works do-254_information
Dorner works do-254_information
Annmarie Davidson
 
ISApaperIEC61508_AMN_Final
ISApaperIEC61508_AMN_FinalISApaperIEC61508_AMN_Final
ISApaperIEC61508_AMN_Final
Andy Nack
 
Narated mike bartley reqs signoff
Narated mike bartley reqs signoffNarated mike bartley reqs signoff
Narated mike bartley reqs signoff
MikeBartley
 
Volvo Presents: Support for ISO 26262 in the EAST-ADL/AUTOSAR Context
Volvo Presents: Support for ISO 26262 in the EAST-ADL/AUTOSAR ContextVolvo Presents: Support for ISO 26262 in the EAST-ADL/AUTOSAR Context
Volvo Presents: Support for ISO 26262 in the EAST-ADL/AUTOSAR Context
Torben Haagh
 

More Related Content

What's hot

What's hot (11)

Outdoor Equipment Tracking customer stories from Extronics Advance
Outdoor Equipment Tracking customer stories from Extronics AdvanceOutdoor Equipment Tracking customer stories from Extronics Advance
Outdoor Equipment Tracking customer stories from Extronics Advance
 
WIP Throughput customer stories from Extronics Advance
WIP Throughput customer stories from Extronics AdvanceWIP Throughput customer stories from Extronics Advance
WIP Throughput customer stories from Extronics Advance
 
i.roc® Ci70 -Ex webinar 3/3 • RFID - Free Introductory
i.roc® Ci70 -Ex webinar 3/3 • RFID - Free Introductoryi.roc® Ci70 -Ex webinar 3/3 • RFID - Free Introductory
i.roc® Ci70 -Ex webinar 3/3 • RFID - Free Introductory
 
Ploughshare intro 2014
Ploughshare intro 2014Ploughshare intro 2014
Ploughshare intro 2014
 
Mynd company presentation
Mynd company presentationMynd company presentation
Mynd company presentation
 
Worker Safety & Contractor Tracking customer stories from Extronics Advance
Worker Safety & Contractor Tracking customer stories from Extronics AdvanceWorker Safety & Contractor Tracking customer stories from Extronics Advance
Worker Safety & Contractor Tracking customer stories from Extronics Advance
 
i.roc® Ci70 -Ex webinar 1/3 - Increasing Mobile Computing ROI in hazardous areas
i.roc® Ci70 -Ex webinar 1/3 - Increasing Mobile Computing ROI in hazardous areasi.roc® Ci70 -Ex webinar 1/3 - Increasing Mobile Computing ROI in hazardous areas
i.roc® Ci70 -Ex webinar 1/3 - Increasing Mobile Computing ROI in hazardous areas
 
AeroScout Worker Safety & Contractor Tracking from Extronics
AeroScout Worker Safety & Contractor Tracking from ExtronicsAeroScout Worker Safety & Contractor Tracking from Extronics
AeroScout Worker Safety & Contractor Tracking from Extronics
 
IoT workshop - Is 1kV Also Enough for IoT ESD Protection – Do Current Test Me...
IoT workshop - Is 1kV Also Enough for IoT ESD Protection – Do Current Test Me...IoT workshop - Is 1kV Also Enough for IoT ESD Protection – Do Current Test Me...
IoT workshop - Is 1kV Also Enough for IoT ESD Protection – Do Current Test Me...
 
Thesis
ThesisThesis
Thesis
 
Extronics Advance AeroScout Real Time Worker Location use case
Extronics Advance AeroScout Real Time Worker Location use caseExtronics Advance AeroScout Real Time Worker Location use case
Extronics Advance AeroScout Real Time Worker Location use case
 

Viewers also liked

DMAP's presentation
DMAP's presentationDMAP's presentation
DMAP's presentation
SILKAN
 
Dorner works do-254_information
Dorner works do-254_informationDorner works do-254_information
Dorner works do-254_information
Annmarie Davidson
 
ISApaperIEC61508_AMN_Final
ISApaperIEC61508_AMN_FinalISApaperIEC61508_AMN_Final
ISApaperIEC61508_AMN_Final
Andy Nack
 
Narated mike bartley reqs signoff
Narated mike bartley reqs signoffNarated mike bartley reqs signoff
Narated mike bartley reqs signoff
MikeBartley
 
Volvo Presents: Support for ISO 26262 in the EAST-ADL/AUTOSAR Context
Volvo Presents: Support for ISO 26262 in the EAST-ADL/AUTOSAR ContextVolvo Presents: Support for ISO 26262 in the EAST-ADL/AUTOSAR Context
Volvo Presents: Support for ISO 26262 in the EAST-ADL/AUTOSAR Context
Torben Haagh
 
Using Trees To Reduce Stormwater Runoff
Using Trees To Reduce Stormwater Runoff Using Trees To Reduce Stormwater Runoff
Using Trees To Reduce Stormwater Runoff
watershedprotection
 
T062500000 p003050ppte
T062500000 p003050ppteT062500000 p003050ppte
T062500000 p003050ppte
Phani Kumar
 

Viewers also liked (17)

02 cta yellow line station evanston cc 04.16.12
02 cta yellow line station evanston cc 04.16.1202 cta yellow line station evanston cc 04.16.12
02 cta yellow line station evanston cc 04.16.12
 
Kingston Greenline & Ulster County Trails Summit - KPRT Feasibility Study
Kingston Greenline & Ulster County Trails Summit - KPRT Feasibility StudyKingston Greenline & Ulster County Trails Summit - KPRT Feasibility Study
Kingston Greenline & Ulster County Trails Summit - KPRT Feasibility Study
 
green concrete
green concretegreen concrete
green concrete
 
BEB801 - Oral Presentation
BEB801 - Oral PresentationBEB801 - Oral Presentation
BEB801 - Oral Presentation
 
Jovian Design - Permeable Surface Stormwater Management Feasibility Study
Jovian Design - Permeable Surface Stormwater Management Feasibility StudyJovian Design - Permeable Surface Stormwater Management Feasibility Study
Jovian Design - Permeable Surface Stormwater Management Feasibility Study
 
DMAP's presentation
DMAP's presentationDMAP's presentation
DMAP's presentation
 
Jamil R. Mazzawi, Founder and CEO, Optima Design Automation
Jamil R. Mazzawi, Founder and CEO, Optima Design AutomationJamil R. Mazzawi, Founder and CEO, Optima Design Automation
Jamil R. Mazzawi, Founder and CEO, Optima Design Automation
 
Dorner works do-254_information
Dorner works do-254_informationDorner works do-254_information
Dorner works do-254_information
 
ISApaperIEC61508_AMN_Final
ISApaperIEC61508_AMN_FinalISApaperIEC61508_AMN_Final
ISApaperIEC61508_AMN_Final
 
Narated mike bartley reqs signoff
Narated mike bartley reqs signoffNarated mike bartley reqs signoff
Narated mike bartley reqs signoff
 
Volvo Presents: Support for ISO 26262 in the EAST-ADL/AUTOSAR Context
Volvo Presents: Support for ISO 26262 in the EAST-ADL/AUTOSAR ContextVolvo Presents: Support for ISO 26262 in the EAST-ADL/AUTOSAR Context
Volvo Presents: Support for ISO 26262 in the EAST-ADL/AUTOSAR Context
 
Rtlws2013
Rtlws2013Rtlws2013
Rtlws2013
 
Using Trees To Reduce Stormwater Runoff
Using Trees To Reduce Stormwater Runoff Using Trees To Reduce Stormwater Runoff
Using Trees To Reduce Stormwater Runoff
 
TÜV SÜD on functional safety for multi-core architectures
TÜV SÜD on functional safety for multi-core architecturesTÜV SÜD on functional safety for multi-core architectures
TÜV SÜD on functional safety for multi-core architectures
 
Iec61508 guide
Iec61508 guideIec61508 guide
Iec61508 guide
 
Impact of IEC 61508 Standards on Intelligent Electrial Networks and Safety Im...
Impact of IEC 61508 Standards on Intelligent Electrial Networks and Safety Im...Impact of IEC 61508 Standards on Intelligent Electrial Networks and Safety Im...
Impact of IEC 61508 Standards on Intelligent Electrial Networks and Safety Im...
 
T062500000 p003050ppte
T062500000 p003050ppteT062500000 p003050ppte
T062500000 p003050ppte
 

Similar to Unified Systems Engineering feasibility

POC To Product: 8 Key Processes in Design Path
POC To Product: 8 Key Processes in Design PathPOC To Product: 8 Key Processes in Design Path
POC To Product: 8 Key Processes in Design Path
futurewardcentral
 
T06 machine safetyachievingandmaintainingregulatorycompliance-canada
T06 machine safetyachievingandmaintainingregulatorycompliance-canadaT06 machine safetyachievingandmaintainingregulatorycompliance-canada
T06 machine safetyachievingandmaintainingregulatorycompliance-canada
Vo Quoc Hieu
 
Low Cost Rail Crack Inspection System
Low Cost Rail Crack Inspection SystemLow Cost Rail Crack Inspection System
Low Cost Rail Crack Inspection System
Editor IJMTER
 
Field Services overview for Marine applications
Field Services overview for Marine applicationsField Services overview for Marine applications
Field Services overview for Marine applications
Anton Svinenkov
 
OSSJP/ALS19: The Road to Safety Certification: Overcoming Community Challeng...
OSSJP/ALS19: The Road to Safety Certification: Overcoming Community Challeng...OSSJP/ALS19: The Road to Safety Certification: Overcoming Community Challeng...
OSSJP/ALS19: The Road to Safety Certification: Overcoming Community Challeng...
The Linux Foundation
 
Enhancing & Predicting Auto Reliability Using Physics of Failure Software Mod...
Enhancing & Predicting Auto Reliability Using Physics of Failure Software Mod...Enhancing & Predicting Auto Reliability Using Physics of Failure Software Mod...
Enhancing & Predicting Auto Reliability Using Physics of Failure Software Mod...
Cheryl Tulkoff
 
demo ppt final edition
demo ppt final editiondemo ppt final edition
demo ppt final edition
Hao Liang
 

Similar to Unified Systems Engineering feasibility (20)

UL's guide to differentiate your wearables from competition
UL's guide to differentiate your wearables from competitionUL's guide to differentiate your wearables from competition
UL's guide to differentiate your wearables from competition
 
Products and solutions by Capital Safety
Products and solutions by Capital SafetyProducts and solutions by Capital Safety
Products and solutions by Capital Safety
 
Verification of IVI Over-The-Air using UML/OCL
Verification of IVI Over-The-Air using UML/OCLVerification of IVI Over-The-Air using UML/OCL
Verification of IVI Over-The-Air using UML/OCL
 
WIB March 2016 de Leeuw Focus on basics: simple, robust and safe automation a...
WIB March 2016 de Leeuw Focus on basics: simple, robust and safe automation a...WIB March 2016 de Leeuw Focus on basics: simple, robust and safe automation a...
WIB March 2016 de Leeuw Focus on basics: simple, robust and safe automation a...
 
Data and Power Isolation (Design Conference 2013)
Data and Power Isolation (Design Conference 2013)Data and Power Isolation (Design Conference 2013)
Data and Power Isolation (Design Conference 2013)
 
POC To Product: 8 Key Processes in Design Path
POC To Product: 8 Key Processes in Design PathPOC To Product: 8 Key Processes in Design Path
POC To Product: 8 Key Processes in Design Path
 
Introduction to Functional Safety and SIL Certification
Introduction to Functional Safety and SIL CertificationIntroduction to Functional Safety and SIL Certification
Introduction to Functional Safety and SIL Certification
 
Digital Procurement in the Nuclear Industry: Tips on Embracing New Technologies
Digital Procurement in the Nuclear Industry: Tips on Embracing New TechnologiesDigital Procurement in the Nuclear Industry: Tips on Embracing New Technologies
Digital Procurement in the Nuclear Industry: Tips on Embracing New Technologies
 
T06 machine safetyachievingandmaintainingregulatorycompliance-canada
T06 machine safetyachievingandmaintainingregulatorycompliance-canadaT06 machine safetyachievingandmaintainingregulatorycompliance-canada
T06 machine safetyachievingandmaintainingregulatorycompliance-canada
 
Why SIL3 (ENG)
Why SIL3 (ENG)Why SIL3 (ENG)
Why SIL3 (ENG)
 
Low Cost Rail Crack Inspection System
Low Cost Rail Crack Inspection SystemLow Cost Rail Crack Inspection System
Low Cost Rail Crack Inspection System
 
Field Services overview for Marine applications
Field Services overview for Marine applicationsField Services overview for Marine applications
Field Services overview for Marine applications
 
Smart Manufacturing
Smart ManufacturingSmart Manufacturing
Smart Manufacturing
 
2019 06-26 effective multi-vendor management -fortinet algo sec webinar final
2019 06-26 effective multi-vendor management -fortinet algo sec webinar final2019 06-26 effective multi-vendor management -fortinet algo sec webinar final
2019 06-26 effective multi-vendor management -fortinet algo sec webinar final
 
Practical control valve sizing, selection and maintenance
Practical control valve sizing, selection and maintenancePractical control valve sizing, selection and maintenance
Practical control valve sizing, selection and maintenance
 
OSSJP/ALS19: The Road to Safety Certification: Overcoming Community Challeng...
OSSJP/ALS19: The Road to Safety Certification: Overcoming Community Challeng...OSSJP/ALS19: The Road to Safety Certification: Overcoming Community Challeng...
OSSJP/ALS19: The Road to Safety Certification: Overcoming Community Challeng...
 
Oliot samsung-daeyoungkim-kaist wide-version-final
Oliot samsung-daeyoungkim-kaist wide-version-finalOliot samsung-daeyoungkim-kaist wide-version-final
Oliot samsung-daeyoungkim-kaist wide-version-final
 
Enhancing & Predicting Auto Reliability Using Physics of Failure Software Mod...
Enhancing & Predicting Auto Reliability Using Physics of Failure Software Mod...Enhancing & Predicting Auto Reliability Using Physics of Failure Software Mod...
Enhancing & Predicting Auto Reliability Using Physics of Failure Software Mod...
 
[Webinar] Why Security Certification is Crucial for IoT Success
[Webinar] Why Security Certification is Crucial for IoT Success[Webinar] Why Security Certification is Crucial for IoT Success
[Webinar] Why Security Certification is Crucial for IoT Success
 
demo ppt final edition
demo ppt final editiondemo ppt final edition
demo ppt final edition
 

More from Eric Verhulst

More from Eric Verhulst (9)

Session 1 introduction concurrent programming
Session 1 introduction concurrent programmingSession 1 introduction concurrent programming
Session 1 introduction concurrent programming
 
OpenComRTOS 1.4_tutorial_3o4_presentation
OpenComRTOS 1.4_tutorial_3o4_presentationOpenComRTOS 1.4_tutorial_3o4_presentation
OpenComRTOS 1.4_tutorial_3o4_presentation
 
Open ComRTOS 1.4_tutorial_2o4_presentation
Open ComRTOS 1.4_tutorial_2o4_presentationOpen ComRTOS 1.4_tutorial_2o4_presentation
Open ComRTOS 1.4_tutorial_2o4_presentation
 
OpenComRtos 1.4_tutorial_1o4_presentation
OpenComRtos 1.4_tutorial_1o4_presentationOpenComRtos 1.4_tutorial_1o4_presentation
OpenComRtos 1.4_tutorial_1o4_presentation
 
MARC ONERA Toulouse2012 Altreonic
MARC ONERA Toulouse2012 AltreonicMARC ONERA Toulouse2012 Altreonic
MARC ONERA Toulouse2012 Altreonic
 
Zen and the art of safety engineering
Zen and the art of safety engineeringZen and the art of safety engineering
Zen and the art of safety engineering
 
Unified Systems Engeneering with GoedelWorks
Unified Systems Engeneering with GoedelWorksUnified Systems Engeneering with GoedelWorks
Unified Systems Engeneering with GoedelWorks
 
Open comrtos formally_developed _rtos_for_heterogeneous_systems
Open comrtos formally_developed _rtos_for_heterogeneous_systemsOpen comrtos formally_developed _rtos_for_heterogeneous_systems
Open comrtos formally_developed _rtos_for_heterogeneous_systems
 
Concurrent systems composing
Concurrent systems composingConcurrent systems composing
Concurrent systems composing
 

Unified Systems Engineering feasibility

  • 1. Cross-domain systems and safety engineering: is it feasible? Composable safety: is it feasible? Eric.Verhulst@altreonic.com Altreonic NV 17.01.2013 From Deep Space to Deep Sea 1
  • 2. Content • Intro to safety and its importance • Some results from OPENCOSS project • The issue with the SIL concept • Introducing the ARRL concept • A unified process pattern • Conclusions 17.01.2013 From Deep Space to Deep Sea 2
  • 3. Some data for thought • 35000 people killed in cars /yr /Europe • 500 people killed in airplanes /yr /world • Why the difference? => many reasons • The Renault Logan is the most reliable car • Why? Less electronics, proven in use design • Is it also safer? • The US is considering to make black boxes a legal requirement in cars • What does this mean? What could be the impact? 17.01.2013 From Deep Space to Deep Sea 3
  • 4. Systems Engineering vs. Safety Engineering • System = holistic • Real goal is "Trustworthy Systems" • Cfr. Felix Baumgartner almost did not do it because he didn't trust his safe jumpsuit • TRUST = by the user or stakeholders • Safety • Security • Usability (UI) • Privacy • Achieving intended Functionality • Meeting non-functional objectives • Cost, energy, volume, maintainability, scalability, Manufacturability,.. • So why focus on safety? 17.01.2013 From Deep Space to Deep Sea 4
  • 5. Safety • Safety is the state of being "safe" the condition of being protected against physical, social, spiritual, financial, political, emotional, occupational, psychological, educational or other types or consequences of failure, damage, error, accidents, harm or any other event which could be considered non-desirable. • Safety can also be defined to be the control of recognized hazards to achieve an acceptable level of risk risk. • Safety is general property of a system • Not just a concern when programmable elecronics are used !!! • What are the consequences of not meeting the requirements? • Annoyance • Business lost • People can get killed or harmed • => it is complex but there are moral liabilities 17.01.2013 From Deep Space to Deep Sea 5
  • 6. Role of certification • In depth review => safe to operate • “Conformity assessment” (for automotive) • Not a technical requirement: • Confidence requirement • Legal requirement • Where is the evidence? • Evidence: • Evidence is a coherent collection of information that relying on a number of process artifacts linked together by their dependencies and sufficient structured arguments provides an acceptable proof that a specific system goal has been reached. 17.01.2013 From Deep Space to Deep Sea 6
  • 7. Some background projects • ASIL project • Project with Flanders Drive to develop a common "automotive" safety engineering methodology • IEC-61508, IEC-62061, ISO-26262 ISO-13849, ISO-25119 and ISO-15998. (+ ISO-26262, CMMI, Automotive SPICE) • About 350 steps, 100 workproducts, ... • ASIL imported in GoedelWorks portal • EU FP7 IP OPENCOSS • Project with 17 EU partners (avionics, raillway, automotive) on reducing the cost and effort of certification • ISO-26262, DO-178C/254/..., CENELEC 50126-128-129 • Cross-domain � LinkedIn discussion grops • Product families • => there is interest and a growing awareness 17.01.2013 From Deep Space to Deep Sea 7
  • 8. Altreonic's OPENCOSS survey • First survey on standards and certification awareness done. (public, 85 respondents) • In-depth interviews executed: Alstom, Thales Toulouse, Thales Valence, Renault, CRF • Cross domain workshop to be organised 17.01.2013 From Deep Space to Deep Sea 8
  • 9. About 41% of the respondents indicate that organisation has been certified. About half for ISO-9001 and CMMI 17.01.2013 From Deep Space to Deep Sea 9
  • 10. 17.01.2013 From Deep Space to Deep Sea 10
  • 11. 17.01.2013 From Deep Space to Deep Sea 11
  • 12. 17.01.2013 From Deep Space to Deep Sea 12
  • 13. Standards: pick your own (total: 266, out of more) EN ISO 10993, ISO 26262, D0-178,IEC 60118, ANY, IEC 60601, 21 CFR, EN ISO 389, IEC  61000, IEC 61508, EN 50126, EN 60601, ISO 9000, AUTOSAR, IEC 60068, EN ISO 14644, IEC 60068, SYSML, CENELEC, EN 45502, EN 50128, EN 868, UML, CMMI, DVB, EN 10088, EN 17025, EN 50129, EN ISO 11138, IEC 62304, ISO 8253, ISO 965, 93/42/EC, EN 17020, EN 556, EN ISO 11137, EN ISO 11607, EN ISO 12100, EN ISO 14155, EN ISO 14698, ETSI EN 301 489, IEC 60086, IEC 61511, IEEE 1149.1, ISO 13485, ISO 14971, ISO 15223, ISO 2768, ISO 9126, UNISIG, W3C, 2000/70/EC, 2004/108/EC, 2006/42/EC, 2007/47/EC, 89/392/EC, 90/385/EC, 95/46/EC, AADL, AAMI HE74, AAMI HE75, AAMI ST241, AAMI ST81, AAMI TIR 32, AAMI TIR 36, AAMI TIR18, AAMI TIR40, AAMI TIR80002, ABET, Ada, AEC-Q100, ANSI S3.21, ANSI S3.22, AQAP, ARINC 629, AS 9100, ASN.1, ASQ D1160, ASQ Z1.4, ASQ Z1.9, ASTM B265, ASTM D3078, ASTM D4169, ASTM F 1140, ASTM F 1608, ASTM F 17, ASTM F 1886, ASTM F 1929, ASTM F 1980, ASTM F 2052, ASTM F 2054, ASTM F 2095, ASTM F 2096, ASTM F 2097, ASTM F 2119, ASTM F 2182, ASTM F 2213, ASTM F 2503, ASTM F 2504, ASTM F 382, ASTM F 67, ASTM F 88, ASTM F136, ATEX, CAN, CEPT/ERC Report 25, CISPR 11, CISPR 14, CISPR 15, CR CCS TSI, DICOM, DIN, DO-254, EASA, ECSS, ECTS, EN 1040, EN 1041, EN 1080, EN 12353, EN 1275, EN 1276, EN 13060, EN 13427, EN 13428, EN 13429, EN 13430, EN 13697, EN 13824, EN 1422, EN 14682, EN 1499, EN 1500, EN 15038, EN 1650, EN 1656, EN 1657, EN 285, EN 475, EN 50155, EN 60825, EN 60850, EN 62304, EN 62366, EN 867, EN 980, EN ISO 11135, EN ISO 11140, EN ISO 13485, EN ISO 14121, EN ISO 14161, EN ISO 14937, EN ISO 14971, EN ISO 15882, EN ISO 16061, EN ISO 17664, EN ISO 17665, ESD S20.20, ETSI EN 300 330, ETSI TS 105175, FFFIS, FlexRay, HL7, HS CCS TSI, I2C, IEC 12207, IEC 60318, IEC 60512, IEC 60645, IEC 60812, IEC 60950, IEC 61131, IEC 61158, IEC 61438, IEC 61499, IEC 61951, IEC 61959, IEC 61960, IEC 62061, IEC 62133, IEC 62281, IEC  60384, IEC 60529, IEC 60884, IEC 61058, IEC/TR 62354, IEC61508, IEEE 1074, IEEE 11073, IEEE 12207, IEEE 1588, IEEE 1625, IEEE 1725, IETF, IHE, IPC 7351, IPC-A-600, IPC-STD-001E, IPC-STD-033, IPV6, IRIS, ISA 100, ISO 10012, ISO 11137, ISO 13606, ISO 13715, ISO 13781, ISO 13940, ISO 14000, ISO 15225, ISO 15504, ISO 16022, ISO 22600, ISO 250xx, ISO 26000, ISO 2700, ISO 2859, ISO 5832, ISO 5834, ISO 5838, ISO 60118, ISO 6474, ITIL, ITU-R 27, Java RT, JIS C 8711, LN, MDD, MED DEV 2.7.1, MED DEV 2.7.2, MIL B 49030, MIL standards (all), MIL-M 38510, MIL-PRF 38534, MIL-PRF 38535, MIL-PRF-49471B, MIL-STD-883H, MISRA-C, MOF, MOST1000, MPEG, NATO Stanags, NE 2575, NEN 1010, NEN 2575, NEN 2654, OCL, Pascal (ISO), Privacy, Python, QVT, RFID, Safety, SAFETY SIL, SDL, SDL-RT, SOA, SOX, SQUARE, Subset026, TTCN-3, UIC 544-1 , UL 2054, USB, WirelessHART, Zigbee, 17.01.2013 From Deep Space to Deep Sea 13
  • 14. Importance and obstacles for standards �Importance: � It is a legal or market requirement 31.1% � It enhances quality, reduces cost and increase lifetime of products/systems developed. 32.8% � Interoperability 36.1% �Obstacles: � Standards are complex, difficult, costly, change constantly, vague and difficult to obtain 60.3% � Acceptance by the organisation or culture is lacking 22.4% � Proprietary solutions work better, standards lag technology and hamper innovation 17.2% 17.01.2013 From Deep Space to Deep Sea 14
  • 15. Demotivating factors for certification • Effort, cost, complexity, inconsistency, bureaucratic (paperwork) 60.7% • Change management (evolving standards, evolving products), differences national/ international 21.4% • Rigidity, lagging market and technology 17.9% 17.01.2013 From Deep Space to Deep Sea 15
  • 16. Conclusion from the in-depth interviews • Certification and safety engineering is complex • The safety domain is still in an early phase (diversity of practices and safety standards across the different domains) • The maturity is greatest for avionics, followed by railway whereas automotive still in an emerging phase. • From paper-driven waterfall to agile, lean processes. • Word, excel, etc. dominate • Lots of human/manual work • Lowering certification costs today: • use a better process, not so much more tools • Lean/agile: -30% cost, integration from 12m to 3w 17.01.2013 From Deep Space to Deep Sea 16
  • 17. Safety as a goal = "Safety Integrity Levels" Domain General (IEC-61508) SIL0 SIL1 SIL2 SIL3 SIL4 Programmable elecronics Automotive ASIL-A ASIL-B ASIL-C ASIL-D - (26262) Avionics DAL-E DAL-D DAL-C DAL-B DAL-A (DO-178/254) Railway (CENELEC SIL0 SIL1 SIL2 SIL3 SIL4 50126/128/129) Detailed analysis reveals only partial mapping! 17.01.2013 From Deep Space to Deep Sea 17
  • 18. SIL targets risk reduction SIL PFD PFD (power) RRF (Probability of Failure per Hour) (Risk Reduction Factor) 1 0.1-0.01 10−1 - 10−2 10-100 2 0.01-0.001 10−2 - 10−3 100-1000 3 0.001-0.0001 10−3 - 10−4 1000-10,000 4 0.0001-0.00001 10−4 - 10−5 10,000-100,000 For continuous operation, these change to the following. SIL PFH PFH (power) RRF 1 0.00001-0.000001 10−5 - 10−6 100,000-1,000,000 2 0.000001-0.0000001 10−6 - 10−7 1,000,000-10,000,000 3 0.0000001-0.00000001 10−7 - 10−8 10,000,000-100,000,000 4 0.00000001-0.000000001 10−8 - 10−9 100,000,000-1,000,000,000 Note: risk reduction depends on domain! 17.01.2013 From Deep Space to Deep Sea 18
  • 19. Problems with SIL definition • Poor harmonization of definition across the different standards bodies which utilize SIL • Process-oriented metrics for derivation of SIL • Estimation of SIL based on reliability estimates • System complexity, particularly in software systems, makes SIL estimation difficult if not impossible • => based on probabilities that are very hard if not impossible to measure and estimate • Risk figures are different for each domain => reuse? • The law of Murphy still applies: • The next instant can be catastrophic 17.01.2013 From Deep Space to Deep Sea 19
  • 20. Problems with SIL as a design goal • Safety goal is put first => architecture is derived • Clearly effort in standards to minimise effort and costs => complex and hard to use tables • First principles in safety engineering: • Safety culture: is also keep it Simple and Smart • Quality is a pre-condition • Traceability • Configuration management 17.01.2013 From Deep Space to Deep Sea 20
  • 21. How to achieve safety? • It’s a requirement • What are the derived specifications? • How to derive these safety specifications? • How to fulfill these safety specifications? • Develop a solution that is safe by design • Follow a process that leads to safe(r) products 17.01.2013 From Deep Space to Deep Sea 21
  • 22. The real issue with SIL • SIL is a system level concept • But we design using components and reuse • SIL cannot be reused • But components can! • SIL is domain specific • Components are domain independent • Composibility still unclear issue. Why? • => we must start at the component level 17.01.2013 From Deep Space to Deep Sea 22
  • 23. Safety composibility • Although this is the practice in systems engineering, it is poorly addressed in the standards • Example from ISO-DIS-25119 (derived ISO 13849) • "The safety-related parts of control systems shall be designed in accordance with the requirements of one or more of the 5 categories specified in ISO-DIS-25119-2:2008-Annex A. When a safety function is realized by an integrated combination of multiple hardware categories, the resulting safety function AgPL is limited by the overall hardware category, including MTTFdc, DC, SRL, CCF, etc." • If the embedded software has to implement software components with different SRLs or safety-related and non-safety related software components, then the overall SRL is limited to the component with the lowest SRL, unless adequate independence between the software components can be demonstrated 17.01.2013 From Deep Space to Deep Sea 23
  • 24. Redefining SIL to be domain independent ? SIL 0 no impact • S = Safety • ( includes security) SIL 1 material • Integrity Level damage • Attempt at one SIL SIL2 harmful impact on definition for all people domains SIL3 one person dead • If we would follow the standards in SIL4 many persons spirit dead 17.01.2013 From Deep Space to Deep Sea 24
  • 25. What's wrong with this definition? • Even a perfectly designed and proven system composed of perfect components can fail catastrophically • Concorde: 100% safe until the first one crashed due to an improbable external cause • The law of Murphy has priority over probability over a life time • SIL is a lifetime indicator for a system, not a criterium for selecting components 17.01.2013 From Deep Space to Deep Sea 25
  • 26. Why is ASIL-D ≠ SIL4 ? • More or less: ASIL-C = SIL3 • Switch to fail-safe mode • More or less: ASIL-D = SIL 3.5 • Supervised operation • Whereas SIL4 implies fault tolerance • According to generic SIL table => • car has upto 5 passengers => SIL 3.5 • but 35000 people get killed per year (EU) => SIL4 • System is not the car but car based transport • Car is component in the larger system 17.01.2013 From Deep Space to Deep Sea 26
  • 27. New definition: we start from the component • ARRL: Assured Reliability and Resilience Level ARRL 0 it might work (use as is) ARRL 1 works as tested, but no guarantee ARRL 2 works correctly, IF no fault occurs, guaranteed no errors in implementation) => formal evidence ARRL 3 ARRL 2 + goes to fail-safe or reduced operational mode upon fault (requires monitoring + redundancy) - fault behavior is predictable as well as next state ARRL 4 ARRL 3 + tolerates one major failure and is fault tolerant (fault behavior is predictable and 17.01.2013 transparent for Sea external world) From Deep Space to Deep the 27
  • 28. Consequences • If a system/component has a fault, it drops into a degraded mode => lower ARRL • ARRL3 is the operational mode after an ARRL4 failure • Functionality is preserved • Assurance level is lowered • SIL not affected and domain independent • System + environment + operator defines SIL 17.01.2013 From Deep Space to Deep Sea 28
  • 29. Composition rule: • A system can only reach a certain SIL level if all it components are at least of the same ARRL level. • This is a pre-condition, not a sufficient condition • Redundancy can compose ARRL 4 components out of ARRL 3 components (needs an ARRL 4 voter) • ARRL3 component can use ARRL 2 components (>2) • Consequences: • Interfaces and interactions also need ARRL level! • Error propagation is to be prevented => partitioning architecture (e.g. distributed, concurrent) 17.01.2013 From Deep Space to Deep Sea 29
  • 30. Generic example ARRL-3 ARRL-3 function voter ARRL-3 ARRL-3 function voter ARRL-3 ARRL-3 function voter ARRL-4 2 out of 3 voter ARRL-4 function 17.01.2013 From Deep Space to Deep Sea 30
  • 31. Common mode failures => ARRL-5 • ARRL-4 assumes independence of faults in each redundant channel • Covers only a subset of the common mode failures • Less visible are e.g. common misunderstanding of requirements, translation tool errors, time dependent faults => require asynchronous operation and diversity/heterogenous solutions • Hence we can define an ARRL-5 as well 17.01.2013 From Deep Space to Deep Sea 31
  • 32. Dependency analysis • SIL is a top level Requirement, decomposable in • Normal Case requirements (ARRP 1 &2) • Fault Case Requirements (ARRL 3 & 4 or even 5) • Requirements become Specified properties to be met and verified by implementation • Each ARRP level has same "normal case" architecture but different "ARRP" level architecture and hence also different non-functional properties safety (measures have a resource cost) 17.01.2013 From Deep Space to Deep Sea 32
  • 33. What about a unified SE process? • Dependency chain + iteration • Requirements => Specifications • By decomposition and refinements ("testable") • Input for Work Package • also needs Resources • Composed of Development, Verification, Test and Validation/integration Tasks • Produces Work Products: • Process artefacts (evidence, ...) • Entities and Models (incl. implementation) 17.01.2013 From Deep Space to Deep Sea 33
  • 34. Current practice (example from DO-178B - SW) System Requirements S/W partitioning Design Coding requirements standards integrity is standards standards confirmed [6.3.3f] Compatible with Comply layer] [System [11.6] Consistent [6.3.3b] [11.7] [11.8] target computer Traceable Conform Conform [6.3.2e] [6.3.1a] Compatible with Conform Comply [6.4.2.1; 6.4.3] [6.4.3a] [6.3.1f] [6.3.1e] [1] target computer [6.3.4d] [1] Produce exec object [6.3.3c] [6.3.3e] Robust [6.4.2.2; 6.4.3] code, integrate into t gt [2] [2] computer [5.4.1a] Verifiable [6.3.3d] Comply [6.4.2.1; 6.4.3] [3] [3] Executable Object Code Robust [6.4.2.2; 6.4.3] [11.12] Develop Define [4] [4] high level derived Compatible requirem high level [6.3.3a] Develop software Comply ents requireme architecture [6.3.4.b] nts Integrate and conduct software tests [Inferred] [5.1.1a] Comply [6.3.2a] [5.2.1a] [5.1.1b] Develop Develop Comply [6.3.4a] Software Requirements Data low level derived Software Verification Develop requirem low level Results [11.14]* Traceable [6.3.2f] and ents requireme Traceable [11.9] integrate nts [6.3.4e] Test results are source code [5.2.1a] Test coverage is correct and [5.2.1b] achieved [6.4.4.1] discrepancies [5] Design Description [5.3.1a] Source [5] explained [6.3.6c] Code Test coverage is [11.10] achieved [6.4.4.1] [6] [6] Develop Software Algorithms are [11.11] Algorithms are Test coverage (decision Verification Cases and accurate accurate coverage) is achieved Procedures Verifiable [6.3.1d] [6.3.1g] [6.3.2g] [6.4.4.2a,b] Verifiable [6.3.2d] Compatible with Test coverage (statement Compatible with [Inferred] Verification Software target computer coverage) is achieved target computer Cases and Procedures Accurate and [6.3.1c] Accurate and [6.4.4.2a,b] [6.3.2c] Test coverage (data coupling consistent consistent and control coupling) is [11.13] [6.3.1b] Legend: Arrows denote [6.3.2b] achieved [6.4.4.2a,b] Denotes verification Test coverage (modified activities and Required for level A, B, C, D activities: condition/decision) is collection of Denotes Required for level A, B, C achieved [6.4.4.2c] activities objects Denotes life Required for level A, B external to Outputs of software Test procedures are cycle data Required for level A the integration process are correct [6.3.6b] development To be achieved with independence fo r level A and B complete and correct [6.3.5] Denotes software/hardware and Verifiable [6.3.4c] integration and test artefacts To be achieved with independence for level A Accurate and verification * Includes outputs of verification activities indicated by arrows process consistent RTCA-DO/178B Software Development and Verification Processes RTCA- 17.01.2013 From Deep Space to Deep Sea 34
  • 35. ARRL process flow 17.01.2013 From Deep Space to Deep Sea 35
  • 36. What we need: a process pattern for reuse Specific ations Work Resources Package Work devel verif test valid Product devel verif test valid report report report report devel verif test valid Certificat review review review review report 17.01.2013 From Deep Space to Deep Sea 36
  • 37. Interplay of view (as in GoedelWorks) 17.01.2013 From Deep Space to Deep Sea 37
  • 38. Conclusions • Unified system and safety engineering is feasible • Unified safety certification is not yet feasible (standards and SIL differ too much) • ARRL concept allows composable safety engineering with reuse of components • A unified process pattern can unify systems and safety engineering standards: DO - DOCUMENT - REVIEW More info: www.altreonic.com/content/altreonic-releases-new-approach - systems-engineering-goedelworks 17.01.2013 From Deep Space to Deep Sea 38