MAGAZINE 10.2014

The 4th International Symposium on Model Based Safety Assessment



WELCOME TO THE IMBSA 2014

In 2011, a group of academic scientists and industrial researchers met in Toulouse with the common aim of exchanging thoughts and ideas on model-based safety assessment. This event was very successful and led to follow-ups in the years 2012 and 2013. Today – 2014 – we present to you the fourth edition of IMBSA. 2014 brings a number of new features, such as full Springer Proceedings for all participants. However, maybe the most important new feature is IMBSA’s tutorial day.

As the highlight of the symposium, eight interesting tutorials in the domain of safety assessment – ranging from architecture optimization through conformance with standards to automatic tools for fault tree generation – will be given by expert speakers from academia and industry. Each tutorial will be given in an interactive manner, allowing participants not only to learn about the methods and tools, but also to get practical experience with them.

We hope that we have gained your interest and are looking forward to seeing you in Munich.

Prof. Dr. Frank Ortmeier

Dipl.-Ing. Martin Bott

CONTENT

2 Preface
3 About the IMBSA
3 Table of Content
4 Venue
6 Program
30 Registration
32 Chairs and Committees, Addresses & Sponsors

8 MONDAY, OCTOBER 27th
8 Short Session I: Methods
8 Session I: Safety Assessment in the Automotive Domain
8 Session II: Case Studies
8 Session III: Modeling Paradigms

10 TUESDAY, OCTOBER 28th
12 Tutorial I: Prof. Dr. Janusz Górski & Dr. Andrzej Wardziński
14 Tutorial II: Dr. Christel Seguin
16 Tutorial III: Dr. Marco Bozzano
18 Tutorial IV: Prof. Dr. Lars Grunske
20 Tutorial V: Dr. Agnes Lanusse
22 Tutorial VI: Marco Filax, M.Sc.
24 Tutorial VII: Dr. Luís Silva Azevedo, M.Sc.
26 Tutorial VIII: Dr. Zoe Andrews & Dr. Richard Payne

28 WEDNESDAY, OCTOBER 29th
28 Session IV: Fault Detection and Handling
28 Session V: Validation and Testing
28 Short Session II: Tools

THE IMBSA APPROACH

IMBSA is looking back at a rich tradition of successfully combining research with a high number of industrial contributions. It shows that bridging the gap between basic research and industrial practice can be done effectively through interactive presentation of tools and methods. To take this into account, the conference will, in contrast to solely scientific events, be split into three main parts:

a scientific part, where the newest findings are presented by renowned scientists

a tools and tutorials part, in which consolidated research achievements are interactively demonstrated

a part reporting on experiences and hot challenges in the industrial practice of safety-critical systems

This way, participants from industry may learn about new tools and techniques, while research groups and spin-off companies get the opportunity to present their achievements and services to an interested audience. Industrial contributors can also demonstrate their tools to future customers. We believe that this mixture of conventional talks about the newest achievements, presentations of practical experiences and interactive learning allows for fruitful discussions, exchange of information as well as future cooperation.

CHAIR OF SOFTWARE ENGINEERING, MAGDEBURG

HEAD OF ZÜHLKE ENGINEERING, MUNICH


The Rilano Hotel

Domagkstraße 26

80807 München

Fon: +49 (0) 89 36 001 0

Fax: +49 (0) 89 36 001 9217

Mail: [email protected]

www.rilano.com

VENUE: THE RILANO HOTEL

The Rilano Hotel München is in the new “Parkstadt Schwabing” office center located next to the Leopoldstrasse. It captivates with excellent service, modernly furnished rooms and a passion for the latest technology. The Olympic Park, the English Garden and Allianz Arena are all quite close. The Rilano Hotel München also offers an exquisite restaurant, a cozy bar, a modern cafe and a pasta bar. In the “Vitello” Restaurant, the “Jazz Bar”, “Coffee Fellows” and “MammaMinuti”, guests can kick back, relax and enjoy the exceptional service.

Along with the most modern conference technology, the hotel offers wireless high-speed internet access. The creative hotel kitchens will keep your spirits up, even during demanding conferences and seminars, with drinks, coffee and small snacks.

The hotel offers 228 completely refurnished rooms on 11 floors in the stylish Rilano 24|7 design. Coordinated down to the tiniest detail, the hotel is done up in typical Rilano style: a chic, purist and welcoming atmosphere and the most modern amenities. Subtle grey and blue dominate all rooms’ interiors, a color theme continued in the public areas and restaurants with skillfully added color accents in warm purple and lilac tones.

All rooms now offer the specially designed Rilano beds for a rejuvenating and relaxing night’s sleep, flatscreens, high-speed internet and much more. The hotel offers innovative, trend-setting hotel service that takes the lifestyles and needs of its technically savvy guests into account: online film and music archives, a complete web communications platform and an ergonomically designed workstation.

SPECIAL

For participants of the upcoming IMBSA 2014, we can offer a reduced price for the hotel rooms including breakfast. To take advantage of this offer, use the booking code “IMBSA2014” when booking your hotel room.


SOCIAL EVENT: TUESDAY, OCTOBER 28th

18.00 - 22.00 “Bavarian Surprise”


PROGRAM

MONDAY, OCTOBER 27th

8.00 - 9.00 Registration Desk

9.00 - 9.30 Welcome Note

9.30 - 10.30 Short Session I: New Safety Methods

10.30 - 11.00 Coffee Break

11.00 - 12.30 Session I: Safety Assessment in the Automotive Domain

12.30 - 14.00 Lunch Break

14.00 - 15.30 Session II: Case Studies

15.30 - 16.00 Coffee Break

16.00 - 17.30 Session III: Modelling Paradigms

TUESDAY, OCTOBER 28th

8.00 - 8.30 Registration Desk

8.30 - 10.30 Tutorials (parallel tracks):
  Tutorial I: Prof. Dr. Janusz Górski & Dr. Andrzej Wardziński
  Tutorial II: Dr. Christel Seguin
  Tutorial III: Dr. Marco Bozzano
  Tutorial VI: Marco Filax, M.Sc.

10.30 - 11.00 Coffee Break

11.00 - 13.00 Tutorials (parallel tracks):
  Tutorial II: Dr. Christel Seguin
  Tutorial III: Dr. Marco Bozzano
  Tutorial IV: Prof. Dr. Lars Grunske
  Tutorial V: Dr. Agnes Lanusse

13.00 - 14.30 Lunch Break

14.30 - 16.30 Tutorials (parallel tracks):
  Tutorial I: Prof. Dr. Janusz Górski & Dr. Andrzej Wardziński
  Tutorial VI: Marco Filax, M.Sc.
  Tutorial VII: Dr. Luís Silva Azevedo, M.Sc.
  Tutorial VIII: Dr. Zoe Andrews & Dr. Richard Payne

WEDNESDAY, OCTOBER 29th

9.00 - 9.30 Registration Desk

9.30 - 11.00 Session IV: Fault Detection and Handling

11.00 - 11.30 Coffee Break

11.30 - 12.30 Short Session II: Tools

12.30 - 14.00 Lunch Break

14.00 - 15.30 Session V: Validation and Testing

THE RILANO HOTEL CONFERENCE AREA

October 27th: Schwabing 2-4

October 28th: Schwabing 2-4, München 2

October 29th: Schwabing 2-4

[Floor plan of the conference area: rooms Schwabing 1, 2, 3 and 4, München 1, München 2, Foyer, Restaurant, Lobby and Bogenhausen; * marks the Registration Desk]


Monday, October 27th

9.30 - 10.30 SHORT SESSION I: NEW SAFETY METHODS

Automatic architecture hardening using safety patterns
  Kevin Delmas, Rémi Delmas and Claire Pagetti

On Traceability of Informal Specifications for Model-Based Verification
  Marco Filax, Tim Gonschorek, Michael Lipaczewski and Frank Ortmeier

Challenges in providing support for management of evidence-based arguments
  Janusz Gorski, Aleksander Jarzebowicz, Jakub Miler and Andrzej Wardziński

The OpenAltaRica project
  Michel Batteux, Antoine Rauzy and Paul Labrogère

11.00 - 12.30 SESSION I: SAFETY ASSESSMENT IN THE AUTOMOTIVE DOMAIN

AltaRica 3 Based Models for ISO 26262 Automotive Safety Mechanisms
  Abraham Cherfi, Antoine Rauzy and Michel Leeman

A pattern-based approach towards the guided reuse of safety mechanisms in the automotive domain
  Maged Khalil, Alejandro Prieto and Florian Hölzl

Towards the Derivation of Guidelines for the Deployment of Real-Time Tasks on a Multicore Processor
  Stefan Schmidhuber, Michael Deubzer, Ralph Mader, Michael Niemetz and Jürgen Mottok

14.00 - 15.30 SESSION II: CASE STUDIES

Adaptive Error and Sensor Management for Autonomous Vehicles: Model-based Approach and Run-time System
  Jelena Frtunikj, Vladimir Rupanov, Michael Armbruster and Alois Knoll

Safety Assessment of an Electrical System with AltaRica 3.0
  Hala Mortada, Tatiana Prosvirnova and Antoine Rauzy

Applying Formal Methods into Safety-Critical Health Applications
  Mohammad-Reza Gholami and Hanifa Boucheneb

16.00 - 17.30 SESSION III: MODELLING PARADIGMS

A Practicable MBSA Modeling Process Using Altarica
  Shaojun Li

On Efficiently Specifying Models for Model Checking
  Mykhaylo Nykolaychuk, Michael Lipaczewski, Tino Liebusch and Frank Ortmeier

A New Methodology for System Architecture Modeling
  Melissa Issad, Leila Kloul and Antoine Rauzy


Tuesday, October 28th

TUTORIAL I // ROOM MÜNCHEN 2
NOR-STA – a tool supporting applications of evidence-based arguments
Prof. Dr. Janusz Górski & Dr. Andrzej Wardziński // page 12

TUTORIAL II // ROOM SCHWABING 2
Altarica models and tools for system safety assessment – Best practices and lessons learnt from the aerospace domain
Dr. Christel Seguin // page 14

TUTORIAL III // ROOM SCHWABING 4
FAME – A Model-Based Environment for FDIR Design in Aerospace
Dr. Marco Bozzano // page 16

TUTORIAL IV // ROOM MÜNCHEN 2
Architecture Optimization vs. Cargo Cult – Why it is hard to thoroughly optimize industrial size architecture specifications
Prof. Dr. Lars Grunske // page 18

TUTORIAL V // ROOM SCHWABING 3
Model Based Safety Assessment with Safety Architect – Boost your safety analyses!
Dr. Agnes Lanusse // page 20

TUTORIAL VI // ROOM SCHWABING 3
VECS – Verification Environment for Critical Systems: tool supported formal modeling and verification
Marco Filax, M.Sc. // page 22

TUTORIAL VII // ROOM SCHWABING 4
Tool for Automated and Cost Efficient Allocation of Safety Integrity Levels – And Application to an Automotive Hybrid Braking System
Dr. Luís Silva Azevedo, M.Sc. // page 24

TUTORIAL VIII // ROOM SCHWABING 2
Modelling and Analysis of Faults in SysML
Dr. Zoe Andrews & Dr. Richard Payne // page 26

Tutorial schedule:

8.30 - 10.30: Tutorials I, II, III, VI

11.00 - 13.00: Tutorials II, III, IV, V

14.30 - 16.30: Tutorials I, VI, VII, VIII

TUTORIALS

Bridging the gap between academia and industry is the most important goal of IMBSA. Our approach to doing this is to provide a platform for interactive demonstration of tools and methods. This allows the interested audience to get into direct contact with potentially interesting partners and/or to get to know the newest ideas in depth. To allow for highly specialized and interactive demonstrations, we will run the tutorials in four parallel tracks. Most of the tutorials will be given twice, which allows participants to choose the most interesting combination of tutorials based on their personal background. Above, you can find the tentative schedule, while the tutorials are briefly listed on the right. The following pages then provide an extended description of each of them.


Dr. Andrzej Wardziński

Exploiting the potential of assurance cases within the whole lifecycle of a critical system requires, in addition to representing an argument itself, integration with other processes (development, maintenance, certification) and the resulting artefacts, effective cooperation and communication of different stakeholders (including external experts) and adequate management. NOR-STA is a tool supporting applications of evidence-based arguments (safety cases, assurance cases, conformance cases) and addressing these needs. NOR-STA helps to make your evidence-based argument a ‘live’ asset within the scope of your system lifecycle.

Motivation: Using evidence-based arguments (EBA) for demonstrating system properties is becoming a common practice in different sectors. Such properties may concern safety, security, privacy (demonstrated by assurance cases, safety cases) or conformance with standards (demonstrated by conformance cases). Assurance cases are already required by some standards (for instance ISO 26262, IEC 62278) and recommended by some regulators (for instance US FDA draft guidance for use of safety arguments for medical devices). NOR-STA is a tool supporting development, maintenance and assessment of complex EBAs for system assurance and conformance. It supports integration with different sources of evidence, assessment of the argument strength and effective change control. It is designed as a web application to promote teamwork and to support communication and cooperation. Argument assessment, visualization and reporting help in progress supervision and decision making. Flexibility and traceability in assets management and different deployment options provide for meeting different security expectations of end users.

Content of the tutorial: The tutorial will introduce basic concepts related to argument representation (the NOR-STA argument model) and then will demonstrate how NOR-STA is used for argument development, assessment, maintenance and management. It will also cover issues related to data security, reporting, ARM/SACM import and export, and argument portfolio and user management. The main part of the tutorial will be demonstrations of two live arguments, a safety case example for a medical device and a conformance case related to an EU regulation. You will be given access to the demonstrators to get some hands-on experience with the tool. The tutorial will be concluded by a Q&A session.

Goals of the tutorial: The participants will learn how NOR-STA supports assurance and conformance management processes. After the tutorial you will be able to:

Understand the NOR-STA argument model

Create and maintain arguments using NOR-STA features

Make assessments of arguments and report the results

Understand how NOR-STA manages users and projects

After the tutorial you will be able to use NOR-STA to create and manage your own arguments. You will also have insight into the roles of the persons involved in the process of argument development, assessment, maintenance and management.

Speakers: Professor Janusz Górski is the Head of the Department of Software Engineering at Gdansk University of Technology, where he has been leading the research (by the Information Assurance Group http://iag.pg.gda.pl/iag/ ) resulting in the NOR-STA tool. His present interests are in trust, safety and security, software engineering and information assurance. Since 2010 he has been advising the European Network and Information Security Agency, acting as a member of the ENISA Permanent Stakeholders Group (PSG). He is also a member of the Academic Committee of ERNCIP, the action focusing on critical infrastructure protection led by EC JRC in Ispra. He provides consultancy to companies on information security, software quality assurance and risk management. He is a co-founder of the ARGEVIDE spin-off company that brings NOR-STA to the market.

Andrzej Wardziński is a researcher at Gdańsk University of Technology (GUT) and the CEO of Argevide. He received an MSc in software engineering and a PhD in computer science at GUT in 1993 and 1997 respectively. His research work focused on safety analysis and formal methods. Andrzej was also working as a consultant and software quality manager in software companies for almost 15 years. Andrzej joined GUT in 2007 and was involved in safety-related R&D projects. Once he was a passionate C programmer; now his core competencies are dependability analysis and assurance cases, formal methods and quality systems.

TUTORIAL I: NOR-STA – A TOOL SUPPORTING APPLICATIONS OF EVIDENCE-BASED ARGUMENTS

TIME: 8.30 – 10.30 // 14.30 – 16.30

LOCATION: MÜNCHEN 2

Prof. Dr. Janusz Górski

Argevide Sp. z o.o.

ul. Gabriela Narutowicza 11/12

80-233 Gdańsk, Poland

Tel. +48 58 690 70 99

www.argevide.com

Mail: [email protected]

Mail: [email protected]

Mail: [email protected]


Dr. Christel Seguin

TUTORIAL II: ALTARICA MODELS AND TOOLS FOR SYSTEM SAFETY ASSESSMENT – BEST PRACTICES AND LESSONS LEARNT FROM THE AEROSPACE DOMAIN

The AltaRica language and tools offer a mature alternative to classical safety assessment techniques such as fault tree analysis (FTA) or failure mode and effect analysis (FMEA). This tutorial aims at making explicit the concepts which underlie this model based safety assessment approach and the best practices observed after 15 years of application in the aerospace domain.

Motivation: At the end of the 90’s, the increase of system complexity and integration led to the development of the “model based safety assessment” paradigm to overcome some limitations of classical techniques such as fault tree analysis. Some key motivations were to ground the failure propagation analysis on formal models that better reflect the system architecture and behavior. After years of application in research and operational projects, it appears that some approaches met these objectives and are now mature enough to be more widely applied. This is the case of the AltaRica language and associated tools. This tutorial aims at clarifying when, how and why AltaRica can be successfully applied while finding a good balance between theoretical and practical lessons learnt.

Content of the tutorial: This tutorial introduces the basics of model based system safety and synthesizes the best modelling and assessment practices observed after 15 years of application of AltaRica models and tools to concrete cases in the aeronautic and space industries. It addresses more specifically the following questions.

Which safety analyses can or cannot be done using formal models such as AltaRica? The qualitative analyses of failure causes or consequences by FTA or FMEA rely explicitly or implicitly on simple Boolean mathematical models, whereas probabilistic analyses can be carried out both with fault trees and with stochastic processes. What happens when the underlying mathematical model is more expressive? What are the impacts on the modelling activity and on the computation of causes, consequences and probabilities?

How to build and query AltaRica models to achieve various analyses efficiently? The language expressiveness leaves room for various applications. This strength becomes a weakness for new users who need more guidance to use the available facilities efficiently. A general methodology is presented and illustrated on pedagogical examples. Issues raised by specific cases (e.g. control loops, a-causal dependencies introduced by system physics, safety barriers, transient faults, …) are identified and the possible solutions are presented.

What is the applicability scope of the AltaRica approach and what is its degree of compatibility with the safety standards? Building and querying AltaRica models require skills, time and computing resources, and it shall be an acceptable means of compliance for the relevant safety authorities. This last part reports metrics observed for different cases and the latest feedback of the aeronautic standardization group that proposes MBSA as a possible means of compliance.

Goals of the tutorial: This tutorial aims at providing end users, tool developers and researchers with fundamentals and pragmatic references on model-based safety assessment. The concepts will be defined both from the standpoint of the safety community and of the formal methods community to ease common understanding by the different actors of MBSA. Successful methodologies of use and application processes will be detailed to guide participants who want to get quickly started with MBSA and to avoid known pitfalls. Finally, all concepts and recommended practices will be illustrated by cases and demos of some applicable tools to make the tutorial as concrete as possible.

Speaker: Dr. Christel Seguin has been a researcher at ONERA (the French Aerospace Lab) since 1992 and professor of dependability at ISAE (engineering school for aeronautics and space) since 2008. She carries out research on formal methods for safety critical systems in various European or national projects, in close relation with aeronautic and space companies (Airbus, Thalès, Alenia, Astrium, ...) and academic partners (University of York, Trento, Toulouse, CNRS, ....).

Her research activities include:

Development of safety assessment techniques based on formal models, compliant with applicable safety standards

Application of these techniques to various systems: aircraft systems (flight control, electrical power generation and distribution, engine control, ....), satellite, avionic launcher, unmanned aerial vehicle

Dissemination of the research results via participation in conferences and organization of specific events (see for instance http://asso-cisec.org/le-cisec/ for former editions of the MBSA conferences)

Student education (dependability lectures, master and PhD supervision...)

TIME: 8.30 – 10.30 // 11.00 – 13.00

LOCATION: SCHWABING 2

ONERA/DCSD Toulouse center

2 avenue Edouard Belin

31055 Toulouse France

Fon: +33 5 62 25 26 42

Mail: [email protected]


Dr. Marco Bozzano

The FAME environment is a model-based toolset that implements an integrated process for FDIR (Fault Detection, Isolation and Recovery) design, addressing the shortcomings of existing practices for FDIR development in aerospace. It builds upon COMPASS, a tool for system-software co-engineering developed in the frame of an ESA-funded project.

Motivation: The increasing complexity of safety critical systems requires an adequate increase in the capability of safety engineers to assess system correctness, safety and reliability, encouraging the adoption of formal techniques. Moreover, the correct system operation increasingly relies on the ability to detect and recover from faults. The design of FDIR is highly challenging, due to the complexity of the underlying system, the number of faults to be considered and their dynamics.

The FAME environment is built on top of the COMPASS tool, a framework for model-based design and verification. It supports modeling using the SLIM language (a variant of AADL) and a wide range of verification capabilities including model simulation, functional verification, and safety assessment (FTA, FMEA). Moreover, it supports FDIR design by providing mission and FDIR requirements, fault propagation modeling using Timed Failure Propagation Graphs (TFPGs), and automated synthesis of FDIR models from TFPGs and FDIR requirements.

The FAME environment has been developed within an ESA-funded study, and has been thoroughly evaluated on a case study derived from the ExoMars project. The tool is freely available for download within the ESA member states.

Content of the tutorial: The tutorial will consist of a presentation and interactive demonstration of the FAME tool. The SLIM modeling language will be illustrated by means of a running example. The formal verification functionalities will be illustrated. In particular, the following functionalities that are relevant to FDIR design will be demonstrated: mission specification, i.e. specification of mission phases and operational modes; modeling of fault propagation using TFPGs; behavioral and effectiveness validation, and automatic synthesis of a TFPG; specification of FDIR requirements, i.e. definition of alarms and recovery targets; automatic synthesis of FDIR models; FDIR effectiveness validation. The tool demonstration will be complemented by additional material that illustrates the FAME process, and explains the basics of the formal verification technologies underlying the tool.

Goals of the tutorial: The tutorial is targeted at academics, practitioners and people from industry. After the tutorial, participants will be able to:

Understand the main concepts underlying model-based specification and verification

Use the SLIM language to model the nominal and faulty behavior of a system

Understand TFPG models, and use them to specify fault propagation information

Specify mission requirements and FDIR requirements, and use the FAME tool to automatically synthesize FDIR models

Use the FAME tool to assess functional correctness, safety and FDIR effectiveness of both the system and FDIR models

Speaker: Marco Bozzano got his M.Sc. degree in Computer Science from the University of Genova (Italy) in 1997, and a Ph.D. degree in Computer Science from the same University in 2002. He is currently employed as a full-time senior researcher at Fondazione Bruno Kessler, Trento (Italy). His research interests include, but are not limited to, formal methods, formal verification, model checking and model-based safety assessment. He has coauthored more than 50 papers on these topics, and one book entitled “Design and Safety Assessment of Critical Systems” (Taylor & Francis, 2010).

Marco has participated in several projects with major companies in the avionics and aerospace sectors, including the ESACS, ISAAC, and MISSA EU projects, which pioneered the idea of model-based safety assessment. More recently, he has participated in the COMPASS project, and has been the FBK scientist in charge for the AUTOGEF, FAME, and HASDEL projects funded by the European Space Agency. Finally, in 2012 Marco was invited as an external expert to the SAE ARP 4761 working group on Model Based Safety Analysis.

TUTORIAL III: FAME – A MODEL-BASED ENVIRONMENT FOR FDIR DESIGN IN AEROSPACE

TIME: 8.30 – 10.30 // 11.00 – 13.00

LOCATION: SCHWABING 4

Fondazione Bruno Kessler

Via Sommarive 18

38123 Trento, Italy

Phone: +39 0461 314367

Mail: [email protected]


Prof. Dr. Lars Grunske

TUTORIAL IV: ARCHITECTURE OPTIMIZATION VS. CARGO CULT – Why it is hard to thoroughly optimize industrial size architecture specifications

There is currently significant interest in architecture optimization methods from industry and academia. However, the existing state-of-the-art approaches produce suboptimal results, and future innovations are required to leverage the results at an industrial scale. This tutorial will present the current state of the art and highlight directions for further improvement of these methods.

Motivation: Due to significant industrial demands toward software systems with increasing complexity and challenging quality requirements, software architecture design has become an important development activity. In the last decades, software architecture optimization methods, which aim to automate the search for an optimal architecture design with respect to a (set of) quality attribute(s), have proliferated. As a result of this, the content of this tutorial will be of interest for any architect of complex software-intensive systems who has to deal with the problem of finding good or optimal architectural designs on a day-to-day basis.

Content of the tutorial: This tutorial will provide an introduction to the Software Architecture Optimization field, provide an overview of the existing approaches [1], and discuss gaps as well as recommendations for future research specifically targeted at optimizing the performance of the search algorithm itself.

The tutorial will be based on a systematic literature review that has been performed by the presenter and which analyzes 188 approaches from the different research communities. Based on this survey, a taxonomy will be presented which is used to classify the existing research. Furthermore, the systematic analysis of these approaches helps our community in consolidating the existing research efforts and deriving a research agenda for future developments.

Goals of the tutorial: The goal of this tutorial is to create awareness of the problems of current architecture optimization approaches and thus help industry and academia to overcome these challenges in the near future.

Speaker: Lars Grunske is currently a Professor at the University of Stuttgart, Germany. He received his PhD degree in computer science from the University of Potsdam (Hasso-Plattner-Institute for Software Systems Engineering) in 2004. He was Junior Professor at the University of Kaiserslautern, Boeing Postdoctoral Research Fellow at the University of Queensland from 2004-2007 and a lecturer at the Swinburne University of Technology, Australia from 2008-2011. He has active research interests in the areas of modelling and verification of systems and software. His main focus is on automated analysis, mainly probabilistic and timed model checking and model-based dependability evaluation of complex software intensive systems.

TIME: 11.00 – 13.00

LOCATION: MÜNCHEN 2

Prof. Dr. Lars Grunske

Head of the Reliable Software Systems Research Group

University of Stuttgart

Institute of Software Technology

Universitätsstraße 38

D-70569 Stuttgart, Germany

Fon.: +49 711 685-88 273

Mail: [email protected]


Dr. Agnes Lanusse

TUTORIAL V: MODEL BASED SAFETY ASSESSMENT WITH SAFETY ARCHITECT – BOOST YOUR SAFETY ANALYSES!

Model-based system engineering is nowadays more and more considered essential to help define complex systems. Model-based safety assessment is today also increasingly considered as a way to improve the safety analyses of complex systems. Safety Architect© is a tool that combines both trends.

Motivation: System engineering processes are useful for the development of complex systems with a lot of functions, flows and interactions between components. They are based on a system decomposition (into “components”) that is not too complex, in order to be controlled by one human brain (the system engineer). Therefore the approach is recursive: components are often very complex and must follow a new system engineering approach to be designed.

The dependability process is one of those processes that is performed in parallel with all other engineering processes and that includes safety analyses of the system under design.

During the system requirements analysis phase, all potential or possible system hazards and accidents are analyzed. The potential sources or sequences of events leading to hazards or accidents and their impacts are identified. From this risk analysis, dependability requirements are deduced to define which risk levels are acceptable and which high level safety tests must be performed. During the design definition phase, the functional and physical architectures are analyzed in order to determine the hazard or accident propagation through the data flow communication links or interfaces. Additionally, the likelihood and consequence of hazards for all system components are evaluated and allocated to safety requirements. The chosen implementation methods or protection techniques are defined with the corresponding tests to be performed. They are traced as dependability requirements too. At the end of the engineering process, the “system Feared Events (FE)” have been refined into “Component Feared Events”. Because system engineering is more and more frequently model-based, the need for a way to automatically interface the system models in order to perform the safety analyses has quickly emerged.

Content of the tutorial: The tutorial addresses in turn the main concepts of system engineering and system modeling. This includes transversal concepts and definitions (block-system, exchanges between block-systems, work by iteration, multi-discipline teams, elaboration of documents) as well as the system engineering processes, with a focus on the stakeholder definition, system requirement analysis, functional system design and physical system design processes. It also addresses how the safety analysis of successive models must be conducted in accordance with system engineering principles. Furthermore, the tutorial covers the main functions of the Safety Architect tool: local analysis, feared event definition, global analysis (propagation), Failure Modes, Effects and Criticality Analysis (FMECA) tables and fault trees.

Goals of the tutorial: With this tutorial, we want to introduce participants to the concepts implemented in the tool Safety Architect and, in particular, to make them understand why:

Complex systems must follow system engineering processes based on system decomposition and the block-system concept

Safety requirements must be allocated on the basis of this decomposition frame

Model-based system engineering and model-based safety analysis are strongly correlated

The consistency of both models must be ensured

Automatic exchanges between the system engineering and safety engineering approaches increase productivity

Speaker: Agnes Lanusse graduated in Computer Science (Artificial Intelligence and Robotics) from Paul Sabatier University (Toulouse, France) in 1981 and obtained a PhD from the same university in 1984. She joined the CEA (Commissariat à l'Energie Atomique et aux Energies Alternatives) in 1986. Since then, she has been involved in R&D projects dealing with methodological support for the design of real-time embedded systems, and more particularly with dependability issues. She has long experience with model-driven system engineering and standards (UML, SysML, MARTE) and other methodological frameworks and languages (AADL, EAST-ADL). She is currently in charge of Model Based Safety Assessment research activities in the Laboratory of Model Driven Engineering for Embedded Systems at CEA LIST, where an open framework for safety assessment named Sophia is being developed. She also contributes to several collaborative projects involved in safety assessment in various domains (PERFECT, ROMEO2, Open-ETCS, RISC, ...) and is a member of the French IMdR (Institut de Management des Risques) and AFIS (Association Française d'Ingénierie Système) associations, in the domains of risk management and systems engineering.

She also contributes to the Safety Architect tool of ALL4TEC in a common laboratory named CALL4S.

Time: 11.00 – 13.00

Location: Schwabing 3

ALL4TEC

Immeuble Odyssée

Bâtiment E - 4ème étage

2-12 Chemin des Femmes

91300 MASSY

Mobile: (33) 06 81 68 92 92

Mail: [email protected]


Marco Filax, M.Sc.

Tutorial VI: VECS Verification Environment for Critical Systems: Tool Supported Formal Modeling and Verification

Performing formal model analyses is commonly regarded as impractical and an expert-only domain. By introducing an easy-to-learn and simple-to-use modeling language along with a user-friendly interface that offers all the support known from modern programming environments, formal modeling and verification can be done by basically everyone.

Motivation: Formal methods are a powerful tool for guaranteeing functional correctness and safety. Rather than providing only the informal arguments of reasonable engineering, a formal model checker gives a definite answer as to whether the model satisfies its specified correctness and safety properties.

Unfortunately, formal methods lack industrial acceptance. Among several reasons, the one we challenge with this tutorial is usability. Most model checkers focus on smart algorithms and faster calculation times but do not take the input language into account. Creating models for model checkers is often time-consuming and difficult. In most cases, such textual models are created in plain text editors, which makes it hard to create complex models and to maintain and extend them. The result is an unacceptable amount of time spent on fixing and testing the created model.

Content of the tutorial: VECS (Verification Environment for Critical Systems) is an Eclipse-based development environment for SAML (System Analysis and Modeling Language). It was designed to make the creation of formal models as easy as writing source code. While creating a model with VECS, the user benefits from syntax highlighting, auto-completion and instant syntax checking. This allows larger models to be created in less time and reduces the chance of specification errors.

After creating the model, users can run the supported model checkers from inside the tool and get the results displayed in an easily readable form. This hides many technical details of the verification engine and allows different verifications to be run on the same model, comparable to compiler frameworks for platform-independent development of source code. Furthermore, graphical representations allow a better understanding of the model's behavior. For an even deeper insight into the model's behavior, VECS allows the user to interact directly with the model. With a stepwise simulator, similar to a debugger in programming languages, the user can analyze or simulate specific behavioral sequences of the model.

Goals of the tutorial: With this tutorial, we want to introduce participants to the world of formal methods for quality assurance. After the tutorial, you will be able to:

Understand the most important concepts of formal specification and verification

Create, understand and maintain formal models using VECS

Verify formal models using several different analyzing techniques

Understand and interpret the results of formal verification

Moreover, we will introduce you to the main features that will enable you to start with formal verification. Furthermore, we will hand you documentation and training material, so you will be able to extend your knowledge on your own.

Speaker: Marco Filax received his Bachelor of Science in Computer Science at the OvGU (Otto-von-Guericke University) Magdeburg in 2011. During his studies, he gathered practical experience by developing complex applications for local companies.

In 2010, he joined METOP GmbH, an affiliated institute of the OvGU, and gained additional experience in specifying and developing heterogeneous systems as a research assistant. Successfully completed projects in his vita include, for example, cooperations with Bayer AG and with the State Offices of Criminal Investigation of Saxony-Anhalt and Lower Saxony. He received his Master of Science in 2013 at the OvGU. In the context of his master thesis he also received the Hugo Junkers Prize for innovative research in applied science. The Ministry for Economy and Science awards this prize yearly for important innovative projects that are also applicable in industrial scenarios.

Currently Marco is employed as a full-time researcher at the Chair of Software Engineering. His research interests include, but are not limited to, formal verification techniques and requirements analysis. He joined the working group in 2014. Besides his research activities, his tasks also include the management of VECS development as well as designing concepts for formally grounded traceability of requirements.

Time: 8.30 – 10.30 // 14.30 – 16.30

Location: Schwabing 3

Computer Systems in Engineering (CSE)

Institut für techn. und betriebl. Informationssysteme (ITI)

Faculty of Computer Science

Otto-von-Guericke-Universität Magdeburg (OvGU)

Universitätsplatz 2, 39106 Magdeburg

Phone: +49 391 67 52705

Mail: [email protected]


Dr. Luís Silva Azevedo, M.Sc.

Tutorial VII: HiP-HOPS Automated and Cost Efficient Allocation of Safety Integrity Levels – and Application to an Automotive Hybrid Braking System

This tutorial features a tool that can automatically allocate system safety requirements, in the form of Safety Integrity Levels, to elements of the system architecture in a cost-effective manner. The tool extends the HiP-HOPS safety analysis tool and can simplify ISO 26262 implementation. Its application is shown on an automotive Hybrid Braking System.

Motivation: Modern safety standards use the concept of Safety Integrity Level (SIL) to allocate requirements of different stringency to the components of safety-critical architectures. SILs were originally introduced by the generic functional safety standard IEC 61508, and industry-specific versions followed, for example the Automotive SIL (ASIL) of ISO 26262 and the Development Assurance Level (DAL) of ARP4754A in the aerospace domain.

SILs are initially assigned to system hazards: the higher the risk posed by the hazard, the higher the SIL. As the system architecture is designed, SILs are iteratively allocated to the relevant subsystems and components. The allocation is based on the contributions of individual component failures to system-level hazards; SILs can be divided, or decomposed, amongst architectural elements, e.g. when redundancy is present. Finding correct allocations is, however, a difficult and error-prone task: contemporary systems deliver multiple functions, functions share components, and components have multiple failure modes. In addition, different SILs impose different requirements and efforts, which are reflected in different development costs. There are potentially many allocation possibilities, and costs need to be considered to choose the most advantageous one. We have encountered relatively small examples whose solution space could not be explored completely with exhaustive search methods; not only are manual solutions generally infeasible, but this is a complex optimisation problem for which sophisticated automation is imperative.

Content of the tutorial: A tool has been developed at the University of Hull to extend the well-established model-based safety analysis tool HiP-HOPS with automated SIL allocation capabilities. The tool includes advanced optimisation algorithms that provide scalability. In this tutorial, the problem of efficiently allocating integrity requirements is first introduced; subsequently the audience is guided through the tool's working principle, from modelling and analysis to optimisation and decision support. The application of the tool is demonstrated using the case study of an automotive Hybrid Braking System.

Goals of the tutorial:

Illustrate that the allocation of safety integrity requirements cannot be solved effectively by hand, even for small systems

Define this as a complex optimisation problem, where the goal is to find allocations that meet the overall system safety requirements at minimal cost. In the general case there are many allocation possibilities, so a search is needed to find optimal or near-optimal solutions that minimise cost

Demonstrate a tool that automates the process of finding cost efficient allocations

Illustrate tool application to an automotive Hybrid Braking System
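To make the optimisation problem described above concrete, the following is an added example written for this page; it is not code from the HiP-HOPS tool or the University of Hull. It maps ASIL QM, A, B, C, D to the integers 0 to 4 and uses the decomposition arithmetic of ISO 26262 (a hazard's SIL may be split across the independent elements of a minimal cut set as long as the parts sum to at least the original, e.g. D = B + B = C + A = D + QM); the constraint "every minimal cut set of a hazard must sum to at least the hazard's SIL" is the assumption used here. The braking-system architecture, its cut sets and the per-SIL cost table are all constructed for illustration; the tutorial's real cost heuristics differ. Allocation is done per component rather than per failure mode to keep the search small.

```python
"""Cost-minimising SIL allocation over minimal cut sets (illustrative example).

Assumptions (not taken from the tutorial description):
  * SILs are integers 0..4 standing for ASIL QM, A, B, C, D.
  * Decomposition rule: for every minimal cut set of a hazard, the SILs allocated
    to the components in that cut set must sum to at least the hazard's SIL.
    A component appearing in several cut sets receives a single SIL.
  * COST is a constructed cost heuristic for developing a component to a SIL.
"""
from itertools import product

SIL_LEVELS = range(5)                       # 0 = QM, 1..4 = ASIL A..D
COST = {0: 0, 1: 10, 2: 20, 3: 40, 4: 50}   # constructed cost heuristic

# Constructed toy braking architecture: hazard -> (hazard SIL, minimal cut sets)
HAZARDS = {
    "no_braking": (4, [{"pedal_sensor"},
                       {"main_ecu", "backup_ecu"},
                       {"hydraulic_actuator", "electric_motor"}]),
    "unintended_braking": (2, [{"main_ecu"}, {"electric_motor"}]),
}


def components(hazards):
    """All components that appear in any cut set, in a stable order."""
    return sorted({c for _, cut_sets in hazards.values() for cs in cut_sets for c in cs})


def satisfies(allocation, hazards):
    """Decomposition rule: every cut set's SIL sum must reach its hazard's SIL."""
    return all(sum(allocation[c] for c in cs) >= sil
               for sil, cut_sets in hazards.values() for cs in cut_sets)


def total_cost(allocation, cost=COST):
    return sum(cost[s] for s in allocation.values())


def naive_allocation(hazards):
    """No decomposition: every component inherits the highest SIL of any hazard
    whose cut sets it appears in. Always feasible, usually far from optimal."""
    alloc = {c: 0 for c in components(hazards)}
    for sil, cut_sets in hazards.values():
        for cs in cut_sets:
            for c in cs:
                alloc[c] = max(alloc[c], sil)
    return alloc


def optimal_allocation(hazards, cost=COST):
    """Exhaustive search over all 5**n allocations; fine for a handful of
    components, which is exactly why the tutorial needs real optimisation."""
    comps = components(hazards)
    best, best_cost = None, None
    for sils in product(SIL_LEVELS, repeat=len(comps)):
        alloc = dict(zip(comps, sils))
        if not satisfies(alloc, hazards):
            continue
        c = total_cost(alloc, cost)
        if best_cost is None or c < best_cost:
            best, best_cost = alloc, c
    return best, best_cost


def search_space_size(n_components, n_levels=len(SIL_LEVELS)):
    return n_levels ** n_components


if __name__ == "__main__":
    naive = naive_allocation(HAZARDS)
    best, best_cost = optimal_allocation(HAZARDS)
    print("naive  :", naive, "cost", total_cost(naive))
    print("optimal:", best, "cost", best_cost)
    print("candidates examined:", search_space_size(len(components(HAZARDS))))
```

With the constructed numbers the naive allocation puts every component at SIL 4 (cost 250), whereas decomposing across the redundant pairs reaches the same cut-set sums at cost 130. Five components already give 3125 candidates; the exponent grows with every component, which is why the exhaustive loop above is only a specification of the problem, not a solution method.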

Speaker: Luís Silva Azevedo is a researcher in the Computer Science Department at the University of Hull. His research focuses on the optimization of requirement allocation in safety-critical systems. Azevedo's research extends the popular model-based safety analysis tool HiP-HOPS, and he is a co-author of multiple scientific publications. He has also been actively involved in the European FP7 project MAENAD on model-based analysis of dependable electric vehicle architectures. Azevedo holds an MSc in Electrical and Computer Engineering awarded by the University of Porto.

Time: 14.30 – 16.30

Location: Schwabing 4

Dr. Luís Silva Azevedo, M.Sc.

Computer Science Department

University of Hull

Cottingham Rd, Hull

Yorkshire HU6 7RX

United Kingdom

Mail: [email protected]


Dr. Richard Payne

Tutorial VIII: Modelling and Analysis of Faults in SysML

This tutorial introduces methods and tools that support the engineering of dependable Systems of Systems (SoSs). The main features demonstrated are SysML profiles for fault modelling and fault analysis and a plug-in for Atego's Artisan Studio. The features support model creation for the purpose of reasoning about faults in SoSs and provide analysis of the annotated SysML models via the HiP-HOPS tool.

Motivation: The growing reliance placed upon complex systems and SoSs, where the individual constituent parts are typically developed, managed and controlled by different stakeholders, is the main reason for developing these methods and tools. To address this challenge, the modelling experience must be captured and reused to support systematic reasoning about faults at the architectural level. The methods and tools aid in understanding and communicating the potential failures of SoSs and the obligations placed upon the stakeholders of the SoS to avoid such failures.

Content of the tutorial: In this tutorial we stress the need to consider faults at the architectural design phase of developing an SoS. In response, we present Architectural Frameworks (AFs) and supporting SysML profiles that provide a systematic approach to modelling faults and recovery mechanisms. The tutorial focuses on fault modelling and fault analysis (such as Fault Tree Analysis and Failure Modes and Effects Analysis) of SoSs.

The tutorial first describes the Fault Modelling Architectural Framework (FMAF), which aids an SoS engineer in: exploring the relationships between faults, errors and failures in an SoS; recording error detection and recovery responsibilities in an SoS; and designing SoS-level fault tolerance strategies. We then introduce a new tool, supported by a new ergonomic SysML profile (one that includes scripting) and the Fault Analysis AF (FAAF). The tool support has been developed within an industrial-strength SysML tool, Artisan Studio, to provide fault analysis of annotated SysML models via the HiP-HOPS fault analysis tool.

Furthermore, the tutorial covers the integration of these profiles and tools into a single development method. For a better understanding of the presented material, the methods and tools are demonstrated and discussed in detail with the help of examples.

Goals of the tutorial: With this tutorial, we want to introduce participants to the area of systems of systems and model-based SoS engineering approaches for fault modelling and analysis. After the tutorial, you will be equipped with the knowledge to:

Understand the main SoS concepts and the need for SoS fault modelling and analysis

Take a model-based approach to SoS architecture design and architectural frameworks

Understand the distinction between faults, errors and failures in SoSs

Incorporate fault modelling concepts in SysML architectural models using the FMAF

Generate fault trees and FMEA tables from SysML architectural models using the FAAF and HiP-HOPS

Furthermore, we will provide references to background material for further reading.
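Both Tutorial V (local analysis, feared event definition, global propagation, FMECA tables and fault trees) and Tutorial VIII (fault trees and FMEA tables generated from annotated architectural models via HiP-HOPS) rest on the same mechanism: each component carries local failure logic that says how deviations on its outputs arise from its own failure modes and from deviations on its inputs, and a global analysis follows the connections upstream to synthesise the fault tree of a system-level failure, whose minimal cut sets then feed the FMEA. The following is an added example written for this page to show that mechanism end to end; it is not code from Safety Architect, HiP-HOPS or the Artisan Studio plug-in. The architecture (two redundant sensors, a voter, a controller and an actuator), the deviation classes and the expression format are all constructed for the illustration, and the code assumes an acyclic architecture.

```python
"""Fault propagation over a component model: local failure logic -> fault tree
minimal cut sets -> FMEA rows. Constructed illustration of the local/global
analysis described in the tutorials; not the tools' own code.
"""

OMISSION, COMMISSION = "omission", "commission"   # deviation classes on a port

# Constructed toy architecture (assumption): two redundant sensors feed a voter,
# the voter feeds a controller, the controller commands an actuator.
ARCH = {
    # (component, input port) -> (upstream component, output port)
    "connections": {
        ("voter", "a"): ("sensor1", "out"),
        ("voter", "b"): ("sensor2", "out"),
        ("controller", "x"): ("voter", "out"),
        ("actuator", "cmd"): ("controller", "out"),
    },
    # Local failure logic: (component, output port, deviation) -> expression.
    #   ("fm", component, mode)        internal failure mode of the component
    #   ("in", component, port, dev)   deviation received on one of its input ports
    #   ("or", e1, e2, ...) / ("and", e1, e2, ...)
    "local_failure_logic": {
        ("sensor1", "out", OMISSION): ("fm", "sensor1", "fail"),
        ("sensor2", "out", OMISSION): ("fm", "sensor2", "fail"),
        ("voter", "out", OMISSION): ("or", ("fm", "voter", "fail"),
                                     ("and", ("in", "voter", "a", OMISSION),
                                             ("in", "voter", "b", OMISSION))),
        ("controller", "out", OMISSION): ("or", ("fm", "controller", "crash"),
                                          ("in", "controller", "x", OMISSION)),
        ("controller", "out", COMMISSION): ("fm", "controller", "spurious_cmd"),
        ("actuator", "out", OMISSION): ("or", ("fm", "actuator", "jam"),
                                        ("in", "actuator", "cmd", OMISSION)),
        ("actuator", "out", COMMISSION): ("or", ("fm", "actuator", "stuck_on"),
                                          ("in", "actuator", "cmd", COMMISSION)),
    },
}


def expand_output(deviation, arch):
    """Cut sets (frozensets of (component, mode)) that produce an output deviation.
    A component with no local logic for a deviation cannot produce it."""
    logic = arch["local_failure_logic"].get(deviation)
    return expand(logic, arch) if logic is not None else []


def expand(expr, arch):
    """Global analysis: follow input deviations upstream through the connections
    and flatten the resulting fault tree into disjunctive normal form."""
    kind = expr[0]
    if kind == "fm":
        return [frozenset([expr[1:]])]
    if kind == "in":
        _, comp, port, dev = expr
        upstream = arch["connections"].get((comp, port))
        if upstream is None:            # unconnected input: nothing propagates in
            return []
        return expand_output((upstream[0], upstream[1], dev), arch)
    if kind == "or":
        return [cs for sub in expr[1:] for cs in expand(sub, arch)]
    if kind == "and":
        result = [frozenset()]
        for sub in expr[1:]:            # cartesian product of the children's cut sets
            result = [a | b for a in result for b in expand(sub, arch)]
        return result
    raise ValueError(f"unknown expression kind: {kind}")


def minimise(cut_sets):
    """Drop duplicates and any cut set that contains a smaller cut set."""
    unique = set(cut_sets)
    return sorted((cs for cs in unique if not any(other < cs for other in unique)),
                  key=lambda cs: (len(cs), sorted(cs)))


def minimal_cut_sets(system_failure, arch):
    return minimise(expand_output(system_failure, arch))


def fmea(system_failures, arch):
    """FMEA-style rows: for each failure mode, the system failures it causes on its
    own (single point of failure) and those it causes only with other failures."""
    rows = {}
    for sf in system_failures:
        for cs in minimal_cut_sets(sf, arch):
            column = "direct" if len(cs) == 1 else "with_others"
            for mode in cs:
                row = rows.setdefault(mode, {"direct": [], "with_others": []})
                if sf not in row[column]:
                    row[column].append(sf)
    return rows


if __name__ == "__main__":
    system_failures = [("actuator", "out", OMISSION), ("actuator", "out", COMMISSION)]
    for sf in system_failures:
        print(sf, "<-", [sorted(cs) for cs in minimal_cut_sets(sf, ARCH)])
    for mode, row in sorted(fmea(system_failures, ARCH).items()):
        print(mode, row)
```

Run stand-alone, the omission of the actuator output has four minimal cut sets, three single points of failure (actuator jam, controller crash, voter fail) and one dual failure (both sensors), while the sensors never show up as single points because the voter's AND absorbs a single sensor loss. The FMEA table is just a re-indexing of those cut sets by failure mode, which is what makes the two views consistent by construction.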

Speakers: Dr. Zoe Andrews is a Research Associate in the School of Computing Science at Newcastle University (UNEW). She has a BSc in Computer Science & Statistics (UNEW 2004) and an MSc in Process Analytics and Quality Technology (UNEW 2005). Zoe's PhD investigated stochastic extensions to model-based specification languages (UNEW 2012). Zoe's research interests include dependability, formal methods, probability and systems of systems (SoSs). She has participated in various EU projects including ReSIST, where she coordinated work on metadata-based descriptions of resilience mechanisms, and COMPASS, in which she developed SysML extensions to support fault modelling and analysis of SoSs.

Dr. Richard Payne is a Research Associate in the School of Computing Science at Newcastle University. His research interests include architectural modelling, systems of systems, and verification tools for formal methods. Following his PhD (Newcastle University 2012) on verifiable resilience in dynamic reconfiguration, he worked on the UK Ministry of Defence project on Interface Contracts for Architectural Specification and Assessment. He is now working on the COMPASS project, designing advanced modelling and verification techniques, in particular in SoS architectural modelling, fault modelling, fault analysis and tool development.

Time: 14.30 – 16.30

Location: Schwabing 2

School of Computing Science

Newcastle University

Newcastle upon Tyne

NE1 7RU

United Kingdom

Mail: [email protected]

Mail: [email protected]

Dr. Zoe Andrews


Wednesday, October 29th

Session IV: Fault Detection and Handling (9.30 - 11.00)

An Integrated Process for FDIR Design in Aerospace
Benjamin Bittner, Marco Bozzano, Alessandro Cimatti, Regis de Ferluc, Marco Gario, Andrea Guiotto and Yuri Yushtein

Reliability Analysis of Dynamic Systems by Translating Temporal Fault Trees into Bayesian Networks
Sohag Kabir, Martin Walker and Yiannis Papadopoulos

metaFMEA - A Framework for Reusable FMEAs
Kai Höfig, Marc Zeller and Lars Grunske

Session V: Validation and Testing (14.00 - 15.30)

A Systematic Approach to Requirements Driven Test Generation for Safety Critical Systems
Toby Wilkinson, Michael Butler and John Colley

Model-based Safety Approach for early validation of integrated and modular avionics architectures
Marion Morel

Exploring the Impact of Different Cost Heuristics in the Allocation of Safety Integrity Levels
Luis Silva Azevedo, David Parker, Yiannis Papadopoulos, Martin Walker, Ioannis Sorokos and Rui Esteves Araújo

Short Session II: Tools (11.30 - 12.30)

Anatomy of the Open-PSA model exchange format
Antoine Rauzy

A Dataflow Notation for SAML - Formal Modeling Without Fearing Timing Constraints
Robert Heumüller, Michael Lipaczewski and Frank Ortmeier

Case study of a landing gear system safety analysis by using MBSA
Xiaoxun Li, Duo Su and Xiaojie Xu

Model-based safety assessment: How to improve results analysis? Fault tree generation from a list of minimal cut sets
Jean-Pierre Heckmann, Laurent Sagaspe and Julien Niol


Registration Options

We offer different packages for your participation. Based on your time and your domain of interest, you can choose to attend only the tutorial day or a single presentation day. Obviously, participating in the whole event gives you the best price-value ratio. We also strongly believe that taking the time to listen to the presentations is worth it and therefore encourage you to book the full conference option.

Full Conference booking allows you to attend all presentation sessions as well as the tutorial day with up to three tutorials. Lunch and coffee breaks with snacks are also included. You will get both the Springer Proceedings of scientific papers and the Tutorials & Short Paper proceedings. The full package also contains one ticket for the social event. If needed, additional tickets can be purchased at the registration desk.

Single Presentation Day offers you between eight and twelve talks (for details refer to the program), lunch and coffee breaks for that day. You will get a digital and a printed copy of the Springer Proceedings as well as printed Tutorial and Short Paper Proceedings.

Tutorial Day offers you up to three tutorial participations, lunch and coffee breaks for the tutorial day. Additionally, you will get printed Tutorial & Short Paper proceedings as well as a certificate of attendance for your tutorials. A ticket for the social event is not included but can be purchased at the registration desk.

Prices

                          Standard prices (until 24th of October)    On-site prices
                          reduced*        normal                     reduced*    normal
Full Conference           550€            850€                       600€        900€
Single Presentation Day   350€            550€                       400€        600€
Tutorial Day              400€            650€                       450€        700€

* The reduced fee applies to members of academia, sponsors or GI. To verify the membership that entitles you to the reduced fee, please either send us a membership document via email or bring a document when checking in at the registration desk. For a fast and easy check-in, we prefer the first method.

Registration

To register for the conference, please use our registration site on www.imbsa.org.

Online registration is possible until the 24th of October. Afterwards, you can still register directly at the conference registration desk; for registration at the desk we have to charge an additional 50€.


Design: Kreativbüro 2Dsein, Dipl. Des. Mareike Ortmeier; image source: Fotolia

Sponsored by

Chairs & Committees

General Chairs:
Martin Bott (Zühlke Engineering, DE)
Frank Ortmeier (Otto-von-Guericke University of Magdeburg, DE)

PC-Chairs:
Frank Ortmeier (Otto-von-Guericke University of Magdeburg, DE)
Antoine Rauzy (Ecole Polytechnique, FR)

Tools & Tutorials Chairs:
Jürgen Mottok (Hochschule Regensburg, DE)
Antoine Rauzy (Ecole Polytechnique, FR)

Industrial Chairs:
Martin Bott (Zühlke Engineering, DE)
Christel Seguin (ONERA, FR)

Program Committee:
Jean-Paul Blanquart (Astrium Satellites, FR)
Marco Bozzano (FBK-irst, IT)
Jean-Charles Chaudemar (ISAE, FR)
Jana Dittmann (Otto-von-Guericke University of Magdeburg, DE)
Marielle Doche-Petit (Systerel, FR)
Lars Grunske (University of Stuttgart, DE)
Matthias Güdemann (Systerel, FR)
Kai Höfig (Siemens, DE)
Michaela Huhn (Technical University of Clausthal, DE)
Tim Kelly (University of York, GB)
Leila Kloul (Universite de Versailles, FR)
Agnes Lanusse (CEA LIST, FR)
Till Mossakowski (Otto-von-Guericke University of Magdeburg, DE)
Jürgen Mottok (University of Regensburg, DE)
Frank Ortmeier (Otto-von-Guericke University of Magdeburg, DE)
Yiannis Papadopoulos (University of Hull, GB)
Antoine Rauzy (Ecole Polytechnique, FR)
Wolfgang Reif (Augsburg University, DE)
Jean-Marc Roussel (LURPA, ENS Cachan, FR)
Christel Seguin (ONERA, FR)
Pascal Traverse (AIRBUS, FR)

Organizing Committee:
Marco Filax
Tim Gonschorek
Robert Heumüller
Michael Lipaczewski
Marianne Schulze

Venue
The Rilano Hotel
Domagkstraße 26, 80807 München
Phone: +49 (0) 89 36 001 0
Fax: +49 (0) 89 36 001 9217
Mail: [email protected]

Computer Systems in Engineering (CSE)

Institut für techn. und betriebl. Informationssysteme (ITI)

Faculty of Computer Science

Otto-von-Guericke-Universität Magdeburg (OvGU)

Universitätsplatz 2, 39106 Magdeburg

Organization: Michael Lipaczewski

Mail: [email protected]

Registration Desk Phone: 01590 2117882