WP6 - System qualification and certification


EMC² systems will support a wide range of new applications. They will support openness in the sense that they will dynamically interconnect with other systems and that it will be possible to dynamically modify their software as it is known from ‘Apps’ on mobile phones. Moreover, they will support dynamic adaptation to changing runtime contexts. This includes the external context in the systems’ environment ranging, for example, from available IT infrastructure services to weather conditions. Furthermore it requires the internal context, which is defined, e.g., the availability and quality of available platform resources.

Such open adaptive systems provide a huge potential for society and economy. However, openness and adaptivity make it hard or even impossible to predict the systems’ structure and behavior at design time. This requires the assurance of the systems’ safety, security and reliability, thus, demanding a novel set of risk analysis and risk minimization activities. The whole system lifecycle must be rethought and re-evaluated to provide a key to success of the promising new generation of embedded systems. In particular, a proper combination of offline and runtime assurance approaches will be considered to ensure continuing and efficient assessment of critical properties during lifetime.

An additional innovative feature of EMC² is the combination between safety and security attributes as part of assurance strategy. Addressing security for ensuring safety is of increasing importance in the context addressed by EMC².

Work package structure

WP6 is composed of four tasks.

The characteristics of openness and adaptivity require new methods and techniques for safety assurance and certification. The main focus of Task 6.1 is to identify which constituents of a typical safety process need to be adjusted for meeting the challenges imposed by openness and adaptivity. The impact of openness and adaptivity on existing qualification and certification approaches will be analyzed in detail. Based on the analyses results, requirements will be derived with respect to the safety engineering processes and with respect to the EMC² hardware and software implementation.

Task 6.2 will target the assurance of safety and other qualities, particularly security vulnerabilities and countermeasures through system life-time and maintenance of the integrity and assurance levels. The focus will be on necessary extensions of safety & security co-analysis, co-design, development, development time test approaches as well as the development of appropriate runtime testing approaches and maintenance during the operational phase.
The combination of safety and security attributes as part of assurance strategy represents an additional innovative feature of EMC². Addressing security for ensuring safety is of increasing importance in the context addressed by EMC².

In Task 6.3 the impact of adaptivity and openness on safety assurance and certification will be in the focus and runtime assurance techniques will be introduced as envisioned concept for complementing traditional assurance approaches.
For open systems, safety assurance gets very difficult, since the safety-relevant characteristics of the system elements that are to be integrated at runtime might be completely unknown. This can even lead to a situation where safety assurance at development time is not possible at all. A general solution concept is to shift parts of the safety engineering lifecycle into runtime at the same rate as parts of the general engineering lifecycle have been shifted.
As an example consider the case of open systems where the integration step is partially postponed into runtime. In contrast to development time integration, there is no human safety expert to ensure the safety of the integrated system. Rather, the system must assure its safety on its own. This requires new kinds of safety assurance approaches that integrate tightly with established development time safety engineering activities but extend into runtime. In particular, addressing unknown situations would include autonomous analysis and classification, which can require extensive computational resources. The partitioning between development time and runtime parts must thereby be investigated diligently. The more aspects are shifted into runtime the higher the flexibility, but the more complex the runtime measures. The main goal of this task will therefore be to develop runtime assurance measures that are adequate for the EMC² context.

The validation of the results of WP6 will be done in Task 6.4 in context of the EMC² Living Labs. Finally, the EMC² community will come up with a suggestion to AUTOSAR workgroups to fix weaknesses in the present AUTOSAR safety specification and to aerospace working groups on safety and security to demonstrate applicability of efficient safety approaches in certification. Respective suggestions for further standardization groups will be provided, including energy applications, process industry, railways, robotics and avionics.