From Conceptual Models to Safety Assurance: Applying Model-Based Techniques to Support Safety Assurance

Yaping Luo

Promotor: prof.dr. M.G.J. van den Brand (TU/e)
Copromotors: dr. A.Serebrenik (TU/e) and dr.ir. L.J.P. Engelen (ISAAC Software)
Technische Universiteit Eindhoven
Date: 26 April 2016, 16:00

Summary

In safety-critical domains such as automotive, railway, and avionics, even a small failure of a system might cause injury or death. A number of international safety standards have been introduced as guidelines for system suppliers to keep the risk posed by their systems at an acceptable level. Those standards are typically large documents containing a huge number of requirements on system development. They describe generalized approaches to identifying hazards and risks, design life-cycles, and analysis and design techniques. Therefore, when applying such a standard to a specific application, a significant degree of interpretation of the standard may be necessary.

The process for developing safety-critical systems in these domains is manually checked for compliance with the standards. This checking process is referred to as safety assurance and certification. Due to the amount of manual work involved, safety assurance is usually costly and time-consuming. Moreover, when a system evolves, some of the existing safety-assurance data needs to be re-gathered or re-validated. To address this, we started our research on safety standard-based approaches. We have proposed a rule-based approach to model the ISO 26262 standard. For demonstration, the model of ISO 26262 Part 3 has been extracted and validated by domain experts. Moreover, by utilizing metamodel transformation, we have provided an approach to derive domain- or project-specific metamodels from a generic metamodel. Companies in safety-critical domains can not only use the generic metamodel to share patterns of certification assessment, but also keep their own way of working by using their own domain concepts. Finally, to help these companies find reusable data in models conforming to similar metamodels, we have also discussed metamodel comparison and traceability management during the metamodel transformation.
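The transformation-with-traceability idea sketched above can be made concrete with a small illustration. The following is an added example, not the thesis's own tooling: it assumes a tiny generic metamodel (concepts SafetyGoal and Evidence with made-up attributes), a set of hypothetical rename/add rules that derive an automotive-flavoured domain metamodel, and shows how the trace links recorded during the transformation let a tool (a) report which domain attributes have no generic origin and therefore cannot be reused, and (b) migrate existing generic model data into the domain metamodel.

```python
"""Metamodel transformation with trace links (illustrative example, not the
thesis's implementation). All concept, attribute and instance names are
constructed for the demo."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Concept:
    name: str
    attributes: List[str]


@dataclass
class Metamodel:
    name: str
    concepts: Dict[str, Concept] = field(default_factory=dict)


@dataclass(frozen=True)
class Trace:
    """One trace link: generic (concept, attribute) -> domain (concept, attribute)."""
    src_concept: str
    src_attr: str
    dst_concept: str
    dst_attr: str


@dataclass
class Rule:
    """Maps one generic concept to one domain concept. Attributes listed in
    'renames' change name, unlisted ones are kept as-is, and 'added' lists
    domain attributes that have no generic counterpart."""
    generic: str
    domain: str
    renames: Dict[str, str] = field(default_factory=dict)
    added: List[str] = field(default_factory=list)


def transform(generic: Metamodel, rules: List[Rule], name: str) -> Tuple[Metamodel, List[Trace]]:
    """Derive a domain metamodel from the generic one, recording a trace link
    for every attribute that originates in the generic metamodel."""
    domain = Metamodel(name)
    traces: List[Trace] = []
    for rule in rules:
        src = generic.concepts[rule.generic]
        attrs: List[str] = []
        for a in src.attributes:
            b = rule.renames.get(a, a)
            attrs.append(b)
            traces.append(Trace(src.name, a, rule.domain, b))
        attrs.extend(rule.added)
        domain.concepts[rule.domain] = Concept(rule.domain, attrs)
    return domain, traces


def untraced_attributes(domain: Metamodel, traces: List[Trace]) -> Dict[str, List[str]]:
    """Metamodel comparison via the trace: for each domain concept, the
    attributes that no generic attribute maps to (data to be gathered by hand)."""
    covered = {(t.dst_concept, t.dst_attr) for t in traces}
    return {c.name: [a for a in c.attributes if (c.name, a) not in covered]
            for c in domain.concepts.values()}


def reuse(generic_model: Dict[str, List[dict]], traces: List[Trace]) -> Dict[str, List[dict]]:
    """Migrate instances conforming to the generic metamodel into the domain
    metamodel by following trace links; untraced attributes are left absent."""
    # src concept -> dst concept -> {src_attr: dst_attr}
    maps: Dict[str, Dict[str, Dict[str, str]]] = {}
    for t in traces:
        maps.setdefault(t.src_concept, {}).setdefault(t.dst_concept, {})[t.src_attr] = t.dst_attr
    out: Dict[str, List[dict]] = {}
    for concept, instances in generic_model.items():
        for dst, attr_map in maps.get(concept, {}).items():
            for inst in instances:
                out.setdefault(dst, []).append(
                    {attr_map[a]: v for a, v in inst.items() if a in attr_map})
    return out


# Constructed generic metamodel and hypothetical domain rules.
GENERIC = Metamodel("Generic", {
    "SafetyGoal": Concept("SafetyGoal", ["id", "description"]),
    "Evidence": Concept("Evidence", ["id", "artifact"]),
})
RULES = [
    Rule("SafetyGoal", "FunctionalSafetyRequirement", renames={"description": "text"}),
    Rule("Evidence", "WorkProduct", added=["asil"]),
]
DOMAIN, TRACES = transform(GENERIC, RULES, "Automotive")

# Constructed generic model data that should be reusable after transformation.
SAMPLE_MODEL = {
    "SafetyGoal": [{"id": "SG-1", "description": "Avoid unintended acceleration"}],
    "Evidence": [{"id": "E-1", "artifact": "unit_test_report.pdf"}],
}
GAPS = untraced_attributes(DOMAIN, TRACES)
MIGRATED = reuse(SAMPLE_MODEL, TRACES)

if __name__ == "__main__":
    print("domain concepts:", {c: DOMAIN.concepts[c].attributes for c in DOMAIN.concepts})
    print("attributes needing manual data:", GAPS)
    print("migrated data:", MIGRATED)
```

The point of recording the trace at transformation time rather than comparing the two metamodels afterwards is that a renamed attribute (description to text) is still recognised as the same data, whereas a purely name-based comparison would report it as a gap.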

In some safety standards, safety case development is highly recommended to justify the safety of a system. The Goal Structuring Notation (GSN) provides a graphical way to construct a safety case. However, the content of the safety case elements, such as safety claims, is written in natural language. Therefore, a common understanding of the meaning of a safety claim may be difficult to reach, and, consequently, confidence in a safety claim can be misplaced. Based on these observations, we have carried out our study on safety argument-based approaches. We have proposed to use an SBVR-based controlled language to support safety case development. By using the controlled language, the ambiguities caused by natural language can be mitigated. We have also developed an SBVR editor for building a vocabulary and a GSN editor with vocabulary support. Furthermore, the SBVR safety claims can also be used to facilitate safety evidence collection.

Finally, research on the overall safety assessment process in the automotive domain has been carried out. The ISO 26262 standard has been studied to facilitate functional safety management for an existing system. Moreover, by studying the whole safety assessment process, we have observed that this process is hard to estimate because of the manual work involved. To monitor the safety assessment process, for instance to identify costly activities, a methodology has been proposed to design metrics for safety assessment from three different perspectives: industrial interests, safety standards, and available data. The metrics can help stakeholders, for example safety managers, to estimate the overall cost and monitor the whole compliance process. In addition, the results of these metrics can help them make decisions during the safety assurance process.

To summarize, our research in this thesis consists of three main parts: standard-based approaches, argument-based approaches, and approaches to the overall safety assessment process. The standard-based approaches discussed how to use metamodeling techniques to obtain conceptual models/metamodels of a standard. The argument-based approaches introduced how to use a controlled language to facilitate safety argument construction and safety evidence collection. The approaches to the overall safety assessment process described how to apply the ISO 26262 standard to an existing system and how to extract metrics for the safety assessment process. Although we mainly focused on the automotive domain in this thesis, our approaches can be applied to other safety-critical domains as well.