Safety Assurance and Certification: Current Practices, Challenges, and Brainstorming on Ways Forward

Barbara Gallina
barbara.gallina@mdh.se
Certifiable Evidences & Justification Engineering
Mälardalen University, Västerås, Sweden
29th October 2019, 9th IEEE International Workshop on Software Certification (WoSoCER)
Safety Assurance and Certification: Current Practices,
Challenges, and Brainstorming on Ways Forward

Talk outline:
• Safety
– Safety standards in automotive for road vehicles
– Safety standards introduction process
• Safety assurance and certification
• Challenges
• Ways forwards
• Brainstorming
B. Gallina, WoSoCER, 29th October 2019

Safety
Which risk related to which system?
Due to what? Which hazards? How safe is safe?
Safety- According to Avizienis et al. 2004
absence of catastrophic consequences
on the user(s) and the environment.
Safety – according to EN 61508-4:2010
freedom from unacceptable risk
Safety – according to EN 50126-1:2017
freedom from unacceptable risk
Safety- according to ISO 26262-1:2018
absence of unreasonable risk
What does “catastrophic” mean?
What does “unacceptable” mean?
What does “unreasonable” mean?
Carrot diagram:
acceptable, tolerable, unacceptable
Via a magic stick, we set the lines

Safety of road vehicles (cars, trucks, etc)
ISO 26262:2018 Functional safety, revised version of ISO 26262:2011, 2006-2018
absence of unreasonable risk due to hazards
caused by malfunctioning behaviour of E/E systems
Electric power steering, taken from [1]
Adaptive cruise control, taken from [2]
12 years

Safety of road vehicles (cars, trucks, etc)
Do you need help to categorize your hazards? Severity? Exposure? Controllability?
Do you need help with ASIL determination?
J2980
J2980:2018-04 –Considerations for ISO 26262 ASIL Hazard Classification
SAE recommended focusing on Moving control systems

Safety of road vehicles
ISO 26262
ISO 21448
ISO 21448:2019 SOTIF
Safety of the intended functionality (PAS)
” to be applied to intended functionality,
where proper situational awareness is critical to safety,
and where that situational awareness is derived
from complex sensors and processing algorithms;
especially emergency intervention systems
(e.g. emergency braking systems) and
Advanced Driver Assistance Systems (ADAS)
with levels 1 and 2 on the OICA/SAE standard
J3016 automation scales. ”
Source: https://www.iso.org/standard/70939.html
J2980
Source: https://www.nhtsa.gov/technology-innovation/automated-vehicles-safety

ISO 26262
ISO 21448 UL 4600
No driver
Controllability?
UL 4600
The First Comprehensive Safety Standard for Autonomous Products
Prompts-based standard
J2980
Source: https://edge-case-research.com/wp-content/uploads/2019/10/UL-4600-Prelim-Review-Proposal_20191002.pdf

Safety of connected road vehicles
Vehicle to Vehicle (V2V) and Vehicle to other systems (V2X) communication capabilities
J3061-available handbook
Need for:
Security-informed safety
Safe communication
J2980

Safety of connected road vehicles
-> New business models
Fleet-centric (systems of systems ) vs Vehicle-centric –>platooning
(->substantial reduction of the inter-vehicle distance to minimize drag)
Safety at system of systems level due to emergent behaviour
Extension of ISO 26262:2018?
CACC-Cooperative automatic Cruise Control
”Vehicle-level ASIL determination is influenced by vehicle-to-vehicle communication faults” [13]

Safety-related standards for vehicles
-big bang-
Safety
Domain-independent safety
Domain-specific safety
Safety of air vehicles
Safety of rail vehicles
Growing complexity of the standardization frameworks

What about safety of other vehicles
Air vehicles?
Rail vehicles?
Road&Air vehicles?
Hyperloop?
…
Ongoing: 125 system requirements,
proposed by one of the companies
involved in making the hyperloop technology concrete
Source: https://www.smartcitiesarabia.com/government/42560-hyperloop-tt-presents-hyperloop-safety-guidelines-to-the-ec
IEC 62267:2009
ISO 17253:2014

Standards introduction process
is not available to either developers or conformance experts. In fact, the rational
essentially discarded once development of the standard was complete and the
mittee disbanded.
2.2 Using Standards
Fig. 1. Standards development and use as currently practiced.
The Indispensable Role of Rationale in Safety Standards
Adapted from [Knight et al 16]

Standards introduction according to ISO
From 18 to 48 months
Every 5 years, it should be revised
It takes time to introduce a standard!
It takes time to maintain a standard!
Who participates to the introduction of a standard?
OEMs (original equipment manufacturers),
Governance,
Research Institutions
Suppliers
…
Baseline
Source: https://www.iso.org/files/live/sites/isoorg/files/developing_standards/docs/en/Target_date_planner_4_ISO_standards_development_tracks_2017.pdf

What do standards contain?
• Goals? Yes
• Means to achieve goals? Yes, e.g, the reference process models, the
techniques/guidelines recommended
• Expected evidence? Yes
• Example of a goal:
• eighty-five percent of the children must be unable to open the package within
five minutes –child resistant packaging

Safety assurance and certification

Assurance and Certification
Why Safety Certification?
“Safety certification assures society at large that deployment of a given system
does not pose an unacceptable risk of harm.”
[Rushby, 2011]

Assurance and Certification -Phases
plans
Planned
DO-178C, recognized by FAA via AC20-115C on July 19, 2013.
Confirmed recognition via AC20-115D on July 21, 2017.
Adapted from [Knight et al 16] [Taken from Knight et al 16]

Current practice: process centered
Compliance
Management
/Safety
demonstration
Risk-driven processes

Current practice: product centered
Formalization
Normative SpaceProduct Space
Product Model(s)
Norm(s)
Compliance
Management
/Safety
demonstration

Assurance and Certification -Safety Cases
There are several ways of organizing
and conducting certification, but all are conceptually based on scrutiny of an argument
that certain claims about safety are justified by evidence about the system.”
[Rushby, 2011]
Automotive domain? YES, An argument is a requirement
Rail domain? YES, An argument is a requirement
Aviation domain? NO, An argument is not a requirement.
However some researchers point out its implicit presence
Debate: Is a safety case beneficial?
Would it be sufficient to during the assessment?
ISO/IEC 15026-2:2011

Confirmation bias!
Is it the only one?

Fertilizing the safety community with Toulmin’ model for argumentation
https://en.wikipedia.org/wiki/Stephen_Toulmin
https://slideplayer.com/slide/12972736/

Is a GSN-documented safety case the panacea?
No experimental evidence is available
SACM
(Structured Assurance
Case Metamodel)
20+Years of development..
to fix the syntax..
is it beneficial? YES!
to enable automatic generation. But,
does it help to document sound arguments?
Claim Argument Evidence (CAE)
Source: https://www.adelard.com/asce/choosing-asce/cae.html
Concrete syntax
Abstract syntax
Goal Structuring Notation (GSN)
Concrete syntax

ISO/IEC
15026-2:2011
Argumentation pattern including
arguments for:
Rationale
Satisfaction
Means
Organizational environment
A non-goal based set of guidelines

Challenges

Challenges: setting the bar, and its nature
Is not trivial…
• performance of performance-based regulation remains an open but vital
empirical question, one whose answer is long overdue, see [12]

ISO 26262:2018
EN 50126-1&2:2017
EN 50128:2011
EN 50129:2019
ARP4754A:2010
DO 178C: 2011
ARP4761:1996
Standards proliferation, cognitive complexity,
inefficiency
DO-326A
SAE J3061:2016

Way forward: Let’s go for a big crunch!

Safety-related standards for vehicles
-big crunch-

Going back to the overarching properties
is not available to either developers or conformance experts. In fact, the rationale was
essentially discarded once development of the standard was complete and the com-
mittee disbanded.
Fig. 1. Standards development and use as currently practiced.
The Indispensable Role of Rationale in Safety Standards 41
users
Meta-
objectives
FAA-work started in 2015
RESSAC project
OP-standard

Overarching properties
• Intent: The defined intended behavior is correct and complete with
respect to the desired behavior
• Correctness: The implementation is correct with respect to its
defined intended behavior, under foreseeable operating conditions
• Acceptability: Any part of the implementation that is not required by
the defined intended behavior has no unacceptable safety impact
Taken from Chelini et al. 2018 [4]; Holloway, 2019 [5] &OPWG
EU research project, Re-Engineering and Streamlining the. Standards for Avionics Certification (RESSAC)
Assumptions: the following the set of properties is sufficient
OP text is either unambiguous as to its meaning or, alternatively, that any ambiguities
that exist resolve to equally permissible interpretations, all of which preserve su ciency.

-current status of development-
• How OPs should be assessed? Direct evidence? Indirect evidence? Via
an argument?
• Let’s assume the oracale Quinn exists..
…but Quinn does not exist on Earth…

-current status of development-
• At the time being it is an intellectual exercise..and it likely it will remain
so for several years..and perhaps it will generate a ready-to-go
argument-based approach for the safety assessment, see [14]..
However, ”Writing an OP-possession argument might not be
cheaper than, e.g., writing a DO-178C software accomplish- ment
summary” [14]..
• No experimental evidence is accessible..
• No substantial experimental evidence has been produced..
• Possible issue: interoperability ..
– How OEMs and suppliers can co-work?

4+1 Principles
by T. Kelly&C
1. Software safety requirements shall be defined to address the software contribution to
system hazards
2. The intent of the software safety requirements shall be maintained throughout
requirements decomposition
3. Software safety requirements shall be satisfied
4. Hazardous behaviour of the software has been identified and mitigated
4+1. The confidence established in addressing the software safety principles shall be
commensurate to the contribution of the software to system risk

Way forward: Let’s systematise what
we have achieved so far

Streamlining certification via the AMASS platform
No wild removal of standards but
Increased efficiency via a platform for certification enabling:
-systematisation of their commonalities/variabilities for facilitating tailoring
-seamless interoperability
-semi-automatic generation of artefacts and arguments
https://polarsys.org/opencert/downloads/
including
product and process-based argumentsAdapted from [15-16]

Brainstorming on:
where to act

Brainstorming: Knowing the the 4 P
model to influence the safety agenda
Note power and perception may filter/alter the proximity and the potency
Power: to persuade, manipulate coerce, ..
Perception: turn issues into problems,
what issues shall be deemed important
“Quite often policy makers, opinion makers and other personalities of public life
selectively report and interprets events so as to activate (de-activate) empathy
or support for an item”
Potency: intensity or severity of consequences of a given issues.
Proximity: distance to the issue
Note that proximity plays a role
“all politics is local”
The skolstreik phenomenon –all of a sudden the perception has changed..

Politically-informed policy analysis
• FAA-Federal Aviation Agency was created in 1958. At that time it was
an independent unit
• In 1966 is was renamed Federal Aviation Administration and its
independece status was lost
• FAA has a dual mandate with conflicting objectives:
– safety concerns and regulation; àoversight of the airlines
– promotion of the airlines business àlaissez-faire approach in which
airlines would largely be responsible of regulating themselves
Superiority relation was introduced in 1996
• In the ninenities, FAA has been considered to be slow in responding to
changing safety neeeds
• The tombstone agency

Policy makers might be acting on social media
Social media/likes generate addiction
If you like “likes”, go for rationalized likes in order to contribute to build a discourse
Brainstorming: 4 P model – Perception in action

Brainstorming on:
How to act

• ”Let us think of the philosopher's eye resting upon existence: he wants
to determine its value anew. For it has been the proper task of all great
thinkers to be lawgivers as to the measure, stamp and weight of things.”
• If the philosopher is an ideal educator, ”from the ideal image it is
possible to fasten upon ourselves a chain of fulfillable duties”.
• http://nietzsche.holtof.com/Nietzsche_untimely_meditations/schopenhauer_as_educator.htm
• https://books.google.com.gi/books?id=Yaw0AAAAQBAJ&printsec=copyright#v=onepage&q&f=false
Towards Regulatory Excellence
Analogy: Philosopher/Safety Policy Maker
Source: https://it.wikipedia.org/wiki/Friedrich_Nietzsche#/media/File:Nietzsche1882.jpg

Regulatory excellence
-attributes-
Source:
https://www.law.upenn.edu/live/files/4946-pprfinalconvenersreport.pdf

..Chain of fulfillable duties
Taken from [10]

…Observation
Taken from [10]

What if Regulatory fails?
…chain of non-fulfillable duties
Taken from [10]

Conduct of code … inheriting from Ippocrate
“I will use treatment to help the sick according to my ability and judgment,
but never with a view to injury and wrong-doing.
…
I will utterly reject harm and mischief”
https://en.wikipedia.org/wiki/Hippocratic_Oath
http://www.pbs.org/wgbh/nova/body/hippocratic-oath-today.html
A promise said out loud

Conduct of code learning from the medical domain
“The Hippocratic Oath for Connected Medical Devices describes
commitments to capabilities that preserve patient safety, as well
as trust in the process of care delivery itself.”
Sources: https://www.iamthecavalry.org/domains/medical/oath/
https://www.iamthecavalry.org/wp-content/uploads/2016/01/I-Am-The-Cavalry-Hippocratic-Oath-for-Connected-Medical-Devices.pdf

• Synthesis of conflicting trends
– Process/Product
– Safety Case/Alternatives
– Expanding/Reducing
Quoting Ovid:
« medio tutissimus ibis »
safety lies in the middle course
Thinking while walking through the “stoa”

Brainstorming on:
actions

• Elaborating on a code of conduct
– Razionalized “likes”
• A Manifesto for Industrial/Academic Responsibility in
Guaranteeing Reporting and Data Open access for
Measuring the Benefits/Effectiveness of Emerging as well as
so-called Best Development Practices
– Open-access repository of proven in use evidence regarding
benefits/effectiveness of practices
Actions

References
1. Christopher Becker, Ahmad Nasser, Fouad Attioui, David Arthur, Andy Moy, and John Brewer. Functional Safety
Assessment Of a Generic Electric Power Steering System With Active Steering and Four-Wheel Steering Features. DOT HS
812 575 , August 2018.
https://www.nhtsa.gov/sites/nhtsa.dot.gov/files/documents/13501_812575_electricpowersteeringreport.pdf
2. 5th Meeting of the U.S. Software System Safety Working Group April 12th-14th 2005 @ Anaheim, California USA. Adaptive
Cruise Control System Overview.
http://sunnyday.mit.edu/safety-club/workshop5/Adaptive_Cruise_Control_Sys_Overview.pdf
3. ISO/IEC 15026-2:2011. Systems and software engineering — Systems and software assurance — Part 2: Assurance case
4. James Chelini, Jean Camus, Cyrille Comar, Duncan Brown, Anne-Perrine Porte, et al.. Avionics Certification: Back to
Fundamentals with Overarching Properties. ERTS 2018, Jan 2018, Toulouse, France. ⟨hal-02156109⟩
5. Holloway, C. Michael. 2019. Understanding the Overarching Properties. NASA/TM-2019-220292. (Earlier drafts of this
document were supported in substantial part through an annex, “Streamlining Assurance Processes”, to a Reimbursable
Interagency Agreement (Numbered IA-1407 by NASA and DTFAWA-14-C-00019 by the FAA)
6. SOFTWARE SAFETY STANDARD, NASA TECHNICAL STANDARD, National Aeronautics and Space Administration
Washington, DC 20546-0001, NASA-STD-8719.13C. Approved: 05-07-2013.
7. http://nietzsche.holtof.com/Nietzsche_untimely_meditations/schopenhauer_as_educator.htm
8. On Hyperloop:
https://www.era.europa.eu/sites/default/files/library/docs/hyperloop_innovation_for_global_transportation_en_1.pdf
9. The 4+1 Software Safety Principles and their relation to building safety cases .http://www.goalstructuringnotation.info/wp-
content/uploads/2013/02/The-4+1-Software-Safety-Principles-and-their-relation-to-building-safety-cases.pdf

References
10. REDUCING THE RISK OF POLICY FAILURE: CHALLENGES FOR REGULATORY COMPLIANCE, Organisation for
Economic Co-operation and Development, 2000.
11. [Knight et al 16] John C. Knight, Jonathan C. Rowanhill: The Indispensable Role of Rationale in Safety Standards.
SAFECOMP 2016: 39-50
12. The Limits of Performance-Based Regulation. Cary Coglianese, 2017
13. Y. Dajsuren and G. Loupias, "Safety Analysis Method for Cooperative Driving Systems," 2019 IEEE International Conference
on Software Architecture (ICSA), Hamburg, Germany, 2019, pp. 181-190.
doi: 10.1109/ICSA.2019.00027
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=8703914&isnumber=8703896
14. M. Graydon, "Retrospectively Documenting SAFEGUARD's Possession of the Overarching Properties," 2019 49th Annual
IEEE/IFIP International Conference on Dependable Systems and Networks – Supplemental Volume (DSN-S), Portland, OR,
USA, 2019, pp. 27-28.
doi: 10.1109/DSN-S.2019.00019
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=8805812&isnumber=8805745
15. B. Gallina. Towards Enabling Reuse in the Context of Safety-critical Product Lines. IEEE/ACM 5th International Workshop
on Product LinE Approaches in Software Engineering (PLEASE), joint event of ICSE, Florence, Italy, May 19th, 2015. IEEE,
pp. 15-18, DOI: 10.1109/PLEASE.2015.12. Electronic ISBN: 978-1-4673-7061-5.
16. B. Gallina. Quantitative Evaluation of Tailoring within SPICE-compliant Security-informed Safety-oriented Process Lines.
Journal of Software: Evolution and Process, EuroSPI Special Issue, August, 2019, DOI:10.1002/smr.2212.

Thank you for your
attention!
Discussion time…

Safety Assurance and Certification: Current Practices, Challenges, and Brainstorming on Ways Forward

Recommended

Recommended

More Related Content

Similar to Safety Assurance and Certification: Current Practices, Challenges, and Brainstorming on Ways Forward

Similar to Safety Assurance and Certification: Current Practices, Challenges, and Brainstorming on Ways Forward (20)

Recently uploaded

Recently uploaded (20)

Safety Assurance and Certification: Current Practices, Challenges, and Brainstorming on Ways Forward