Reference: TRT-Fr/STI/LSEC/SPA,14/0048
ITEA2 project #11011, 2012 – 2015

MERgE: Multi-Concerns Interactions System Engineering

Stéphane Paul – Thales Research & Technology
SafeComp ISSE Workshop 2014, Florence
September 8th, 2014


Context and project rationale

Context
• IT systems grow larger and more complex, whilst their engineering suffers from increased cost-reduction pressure, so:
  • Model Based Engineering (MBE)
  • Separation of Concerns (i.e. Multi-Viewpoint Engineering)
• Safety-critical systems have a long engineering history, with well-established standards, methods & tools, but:
  • Extended connectivity: growing security concerns!
  • Managing interactions between concerns?

Project Goal
• Build your own engineering workbench suited to your needs (incl. trade-off between user-defined concerns)
• Using a generic meta-tooling environment
• Specific guidance concerning safety and security co-engineering


Project Work Breakdown & Presentation Outline


The MERgE platform: core results

Polarsys Kitalpha (open-source software)
• Multi-viewpoint meta-workbench
https://www.polarsys.org/projects/polarsys.kitalpha

SIRIUS (open-source software)
• Enables the specification of a modelling workbench in terms of graphical or table editors, with validation rules and actions, using declarative descriptions
https://projects.eclipse.org/projects/modeling.sirius


The MERgE platform: core results [Upcoming soon]

Design Patterns Technology

Integration of Kermeta CVL (open-source software)
• Variability modelling (Common Variability Language standard) with customisation of the semantics of CVL variation points (Kermeta)

Architecture Multi-criteria Evaluation Framework

And more…


Test Cases – On-going Validation

Automotive Test Case – Melexis
• Design of the sensors (embedded software/firmware, hardware design)
• Safety verification and certification, reuse, integration, variability

Communications Test Case (Software-Defined Radio) – Thales
• (Re-)Programmable software, secure communications, open system architecture, architecture evaluation

Aerospace Test Case – SpaceApplications
• Dependable embedded and real-time on-board software development process

Industrial Control Test Case
• Focus on post-development assessment (i.e. assurance)


Advanced concepts in S&S co-engineering

Essentially state-of-the-art work
• Report on open issues in security and safety concern integration (D3.4.1), March 2014
• Recommendations for security and safety co-engineering (D3.4.2), 1st draft, June 2014

Some initial engineering trials
• J. Brunel, L. Rioux, S. Paul, A. Faucogney, F. Vallée, "Formal Safety and Security Assessment of an Avionic Architecture with Alloy", 3rd International Workshop on Engineering Safety and Security Systems (ESSS'14), EPTCS, 2014, pp. 8–19, Singapore, May 13, 2014. DOI: 10.4204/EPTCS.150.2
• P. Bieber, J. Brunel, "From Safety Models to Security Models: Preliminary Lessons Learnt", ISSE workshop (at 2PM today)
• J. Brunel, D. Chemouil, L. Rioux, M. Bakkali, F. Vallée, "A Viewpoint-Based Approach for Formal Safety & Security Assessment of System Architectures", Workshop MoDeVVa'14, MODELS Conference, Valencia, Spain (to be published)


And to conclude…

Bringing grist for the (panel-discussion) mill!
• 3 assumptions
• 3 proposals


Assumptions

Assumption n°1: Industrial safety and security engineering processes / methods are difficult, and at best very slow, to change because they are:
• Domain standard-related
• Customer RFT-related
• Legacy-related
• Proprietary-related
• Etc.

Grounds supporting that assumption
• Most (if not all) standards are specialty-specific (if not domain-specific)
• The state of the art shows that numerous co-engineering processes have been proposed, but none have really emerged


Assumptions

Assumption n°2: Safety and security jargon is difficult, and at best very slow, to change because it is:
• Specialty community-related
• Process-related
• Domain standard-related
• Customer RFT-related
• Legacy-related
• Proprietary-related
• Etc.

Grounds supporting that assumption
• Communities of specialty experts are and remain apart
• There is no common glossary


Assumptions

Assumption n°3: Safety and security tools are diverse, but tend towards a formalisation of their conceptual data model, in particular:
• To suppress ambiguities & ensure coverage
• To support analyses
• To support interchange between tools

Grounds supporting that assumption
• The DO-178C / ED-12C standards now recommend the use of formal methods
• Fault trees, AltaRica, (attack trees)… support formal analyses
• OpenPSA initiative


Way Forward Proposals

Proposal n°1: Intermediate safety and security work products can be shared as long as the specialty-specific jargon is maintained for each specialty
• Definition of a Safety and Security Common Model (cross-fertilisation?)
• Mapping between specialty concepts and the Common Model
• Specialties retain concepts that cannot be shared

Question: mapping independence wrt. abstraction level?

[Figure: mapping table with columns Common Model, Safety Model and Security Model; recoverable entries: "Hazard" (Safety Model) mapped to "Feared Event" (Security Model), and "Target level of safety" (Safety Model).]


Looking into conceptual models (on-going work)

Analysed standards
• ISO 15408
• ISO 61508
• ISO 27k
• ED-109/DO-178C


Way Forward Proposals

Proposal n°2: Work on common intermediate safety and security work products should be transparent for each specialty, except in case of conflict / inconsistencies
• Cases of conflict / inconsistencies should be analysed
• Is the safety-first or security-first hypothesis dimensioning?
• Can conflict / inconsistencies be detected, and how?
• Is there a need for automated support for the resolution?


Way Forward Proposals

Proposal n°3: A new tooled-up process may be acceptable to the industry if it is solely an add-on to existing processes, with added value related to formal analyses
• Proposed technique must be proven in the other specialty
• Choice of the most relevant abstraction level(s)
• Definition of the process(es)
• Will new processes have synchronisation side-effects on existing processes?
• Definition of the supporting tools


Questions?

For more details
Project Coordinator: Charles Robinson
[email protected]
Web site: http://www.merge-project.eu/


Consortium