Marc Zeller

SE · 15 papers · 65 citations

15 Papers

SE · Jul 6, 2023
Towards a safe MLOps Process for the Continuous Development and Safety Assurance of ML-based Systems in the Railway Domain

Marc Zeller, Thomas Waschulzik, Reiner Schmid et al.

Traditional automation technologies alone are not sufficient to enable driverless operation of trains (called Grade of Automation (GoA) 4) on non-restricted infrastructure. The required perception tasks are nowadays realized using Machine Learning (ML) and thus need to be developed and deployed reliably and efficiently. One important aspect of achieving this is to use an MLOps process for improved reproducibility, traceability, collaboration, and continuous adaptation of a driverless operation to changing conditions. MLOps mixes ML application development and operation (Ops) and enables high-frequency software releases and continuous innovation based on the feedback from operations. In this paper, we outline a safe MLOps process for the continuous development and safety assurance of ML-based systems in the railway domain. It integrates system engineering, safety assurance, and the ML life-cycle in a comprehensive workflow. We present the individual stages of the process and their interactions. Moreover, we describe relevant challenges to automate the different stages of the safe MLOps process.

SE · Jun 14, 2021
Towards Continuous Safety Assessment in Context of DevOps

Marc Zeller

Traditionally promoted by internet companies, continuous delivery is becoming more and more appealing to industries which develop systems with safety-critical functions. Since safety-critical systems must meet regulatory requirements and require specific safety assessment processes in addition to the normal development steps, enabling continuous delivery of software in safety-critical systems requires the automation of the safety assessment process in the delivery pipeline. In this paper, we outline a continuous delivery pipeline for realizing continuous safety assessment in software-intensive safety-critical systems based on model-based safety assessment methods.

SE · Jun 7, 2021
Verification of Component Fault Trees Using Error Effect Simulations

Sebastian Reiter, Marc Zeller, Kai Hoefig et al.

The growing complexity of safety-relevant systems causes an increasing effort for safety assurance. The reduction of development costs and time-to-market, while guaranteeing safe operation, is therefore a major challenge. In order to enable efficient safety assessment of complex architectures, we present an approach which combines deductive safety analyses, in the form of Component Fault Trees (CFTs), with an Error Effect Simulation (EES) for sanity checks. The combination reduces the drawbacks of both analyses, such as the subjective failure propagation assumptions in the CFTs or the determination of relevant fault scenarios for the EES. Both CFTs and the EES provide a modular, reusable and compositional safety analysis and are applicable throughout the whole design process. They support continuous model refinement and the reuse of conducted safety analysis and simulation models. Hence, safety goal violations can be identified in early design stages, and the reuse of conducted safety analyses reduces the overhead for safety assessment.

SE · Jun 4, 2021
Towards the adoption of model-based engineering for the development of safety-critical systems in industrial practice

Marc Zeller, Daniel Ratiu, Kai Hoefig

Model-based engineering promises to boost productivity and quality of complex systems development. In the context of safety-critical systems, a traditionally highly regulated and conservative domain, the use of models has gained importance in recent years. In this paper, we present a set of practical challenges in developing safety-critical systems with the help of several examples of development projects that belong to different application domains. Following this, we show how the adoption of model-based engineering for the development of safety-critical systems could cope with these challenges.

SE · Jun 3, 2021
Towards a Cross-Domain Software Safety Assurance Process for Embedded Systems

Marc Zeller, Kai Hoefig, Martin Rothfelder

In this work, we outline a cross-domain assurance process for safety-relevant software in embedded systems. This process aims to be applicable in various application domains and in conjunction with any development methodology. With this approach we plan to reduce the growing effort for safety assessment in embedded systems by reusing safety analysis techniques and tools for product development in different domains.

SE · Jun 3, 2021
DEIS: Dependability Engineering Innovation for Industrial CPS

Erik Armengaud, Georg Macher, Alexander Massoner et al.

The open and cooperative nature of Cyber-Physical Systems (CPS) poses new challenges in assuring dependability. The DEIS project (Dependability Engineering Innovation for automotive CPS; funded by the European Union's Horizon 2020 research and innovation programme under grant agreement No 732242, see http://www.deis-project.eu) addresses these challenges by developing technologies that form a science of dependable system integration. In the core of these technologies lies the concept of a Digital Dependability Identity (DDI) of a component or system. DDIs are modular, composable, and executable in the field, facilitating (a) efficient synthesis of component and system dependability information over the supply chain and (b) effective evaluation of this information in the field for safe and secure composition of highly distributed and autonomous CPS. The paper outlines the DDI concept and opportunities for application in four industrial use cases.

SE · Jun 2, 2021
Meta model application for consistency management of models for avionic systems design

Jef Stegen, Stefan Dutre, Joe Zhensheng Guo et al.

This paper presents the application of a meta model and single underlying model on an applied avionics system design use case. System models, safety assurance cases and safety requirements are maintained in a central repository. This makes it possible to link these data, which are originally developed in unrelated tools. By having such a central repository, traceability can be established and consistency can be ensured, which leads to fewer errors and a shorter development time. A meta model was constructed which matches the central repository to enable bidirectional synchronization with an external authoring tool.

SE · Jun 2, 2021
ALFRED: a methodology to enable component fault trees for layered architectures

Kai Hoefig, Marc Zeller, Reiner Heilmann

Identifying drawbacks or insufficiencies in terms of safety is also important in early development stages of safety-critical systems. In industry, development artefacts such as components or units are often reused from existing artefacts to save time and costs. When development artefacts are reused, their existing safety analysis models are an important input for an early safety assessment of the new system, since they already provide a valid model. Component fault trees support such reuse strategies by a compositional horizontal approach. But current development strategies do not only divide systems horizontally, e.g., by encapsulating different functionality into separate components and hierarchies of components, but also vertically, e.g., into software and hardware architecture layers. Current safety analysis methodologies, such as component fault trees, do not support such vertical layers. Therefore, we present here a methodology that is able to divide safety analysis models into different layers of a system's architecture. We use so-called Architecture Layer Failure Dependencies to enable component fault trees on different layers of an architecture. These dependencies are then used to generate safety evidence for the entire system and over all different architecture layers. A case study applies the approach to hardware and software layers.

SE · Jun 1, 2021
Combination of component fault trees and Markov chains to analyze complex, software-controlled systems

Marc Zeller, Francesco Montrone

Fault Tree analysis is a widely used failure analysis methodology to assess a system in terms of safety or reliability in many industrial application domains. However, with the Fault Tree methodology it is not possible to express a temporal sequence of events or the state-dependent behavior of software-controlled systems. In contrast to this, Markov Chains are a state-based analysis technique based on a stochastic model. But the use of Markov Chains for failure analysis of complex safety-critical systems is limited due to the exponential explosion of the size of the model. In this paper, we present a concept to integrate Markov Chains in Component Fault Tree models. Based on a component concept for Markov Chains, which enables the association of Markov Chains to system development elements such as components, complex or software-controlled systems can be analyzed w.r.t. safety or reliability in a modular and compositional way. We illustrate this approach using a case study from the automotive domain.

SE · May 31, 2021
Model-Based Reliability and Safety: Reducing the Complexity of Safety Analyses Using Component Fault Trees

Kai Hoefig, Andreas Joanni, Marc Zeller et al.

The importance of mission or safety critical software systems in many application domains of embedded systems is continuously growing, and so is the effort and complexity for reliability and safety analysis. Model driven development is currently one of the key approaches to cope with increasing development complexity, in general. Applying similar concepts to reliability, availability, maintainability and safety (RAMS) analysis activities is a promising approach to extend the advantages of model driven development to safety engineering activities aiming at a reduction of development costs, a higher product quality and a shorter time-to-market. Nevertheless, many model-based safety or reliability engineering approaches aim at reducing the analysis complexity but applications or case studies are rare. Therefore we present here a large scale industrial case study which shows the benefits of the application of component fault trees when it comes to complex safety mechanisms. We compare the methodology of component fault trees against classic fault trees and summarize benefits and drawbacks of both modeling methodologies.
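Several of the abstracts above (the CFT/error-effect-simulation combination, ALFRED, the CFT/Markov combination and the case-study comparison with classic fault trees) rest on one idea: a component carries its own failure logic with input and output failure ports, and the system-level tree is obtained by wiring ports together rather than by drawing one monolithic tree. The following Python example is added here for illustration; it is not code from any of the papers and not the tooling used in them. The model it builds (a power supply shared by two sensor channels feeding a voter that keeps a valid output as long as one channel works), the port names and every failure probability are constructed for the example. It derives the minimal cut sets of the composed tree and an exact top-event probability by enumeration, and it rejects two composition errors a per-component view cannot see: an in-port nobody wired, and a failure-propagation cycle.

```python
"""Toy Component Fault Tree (CFT) evaluator, constructed for illustration (not the
tooling from the papers above): components carry their own failure logic with
in/out failure ports; the system wires ports and derives minimal cut sets."""
from itertools import product
from typing import Dict, FrozenSet, List, Set, Tuple

CutSets = Set[FrozenSet[str]]

class CFT:
    """One component's failure logic; node kinds by local name:
    ("basic", prob) | ("in",) | ("or", names) | ("and", names)."""
    def __init__(self, name: str) -> None:
        self.name, self.nodes, self.outputs = name, {}, {}
    def basic(self, n: str, prob: float) -> "CFT":
        self.nodes[n] = ("basic", prob)
        return self
    def inport(self, n: str) -> "CFT":
        self.nodes[n] = ("in",)          # failure mode received from another component
        return self
    def gate(self, n: str, kind: str, *ins: str) -> "CFT":
        self.nodes[n] = (kind, ins)      # kind is "and" or "or"
        return self
    def outport(self, port: str, node: str) -> "CFT":
        self.outputs[port] = node        # failure mode exposed to other components
        return self

def minimize(cs: CutSets) -> CutSets:
    """Keep only cut sets that have no proper subset in the collection."""
    return {c for c in cs if not any(o < c for o in cs)}

class System:
    """Wires out-ports to in-ports and evaluates the composed tree."""
    def __init__(self, cfts: List[CFT]) -> None:
        self.cfts = {c.name: c for c in cfts}
        self.wires: Dict[Tuple[str, str], Tuple[str, str]] = {}  # (dst, in) -> (src, out)
        self.probs: Dict[str, float] = {}  # instance-qualified basic event -> prob
    def connect(self, src: str, out: str, dst: str, inp: str) -> None:
        self.wires[(dst, inp)] = (src, out)
    def cut_sets(self, cft: str, port: str) -> CutSets:
        return self._eval(cft, self.cfts[cft].outputs[port], ())
    def _eval(self, cft: str, local: str, path: tuple) -> CutSets:
        key = (cft, local)
        if key in path:
            raise ValueError(f"cyclic failure dependency through {key}")
        node = self.cfts[cft].nodes[local]
        if node[0] == "basic":
            qualified = f"{cft}.{local}"  # a CFT reused twice yields distinct events
            self.probs[qualified] = node[1]
            return {frozenset([qualified])}
        if node[0] == "in":
            if key not in self.wires:
                raise ValueError(f"unconnected in-port {key}")
            src, out = self.wires[key]
            return self._eval(src, self.cfts[src].outputs[out], path + (key,))
        parts = [self._eval(cft, i, path + (key,)) for i in node[1]]
        if node[0] == "or":
            return minimize(set().union(*parts))
        acc = parts[0]
        for p in parts[1:]:               # "and": pairwise union of cut sets
            acc = minimize({a | b for a in acc for b in p})
        return acc
    def probability(self, cs: CutSets) -> float:
        """Exact top-event probability for independent basic events (2^n enumeration)."""
        events = sorted({e for c in cs for e in c})
        total = 0.0
        for bits in product((False, True), repeat=len(events)):
            failed = {e for e, b in zip(events, bits) if b}
            if any(c <= failed for c in cs):
                p = 1.0
                for e, b in zip(events, bits):
                    p *= self.probs[e] if b else 1.0 - self.probs[e]
                total += p
        return total

def sensor(name: str) -> CFT:
    """Channel gives no signal if the sensor fails or its power is lost."""
    return (CFT(name).basic("fail", 1e-2).inport("no_power")
            .gate("no_signal", "or", "fail", "no_power")
            .outport("no_signal", "no_signal"))

def build_system() -> System:
    """Constructed model: one PSU feeding two sensor channels and a voter
    that keeps a valid output while at least one channel is alive."""
    psu = CFT("PSU").basic("fail", 1e-3).outport("power_lost", "fail")
    voter = (CFT("Voter").basic("fail", 1e-4).inport("ch1").inport("ch2")
             .gate("both", "and", "ch1", "ch2")
             .gate("wrong", "or", "both", "fail")
             .outport("wrong_output", "wrong"))
    sys_ = System([psu, sensor("S1"), sensor("S2"), voter])
    sys_.connect("PSU", "power_lost", "S1", "no_power")
    sys_.connect("PSU", "power_lost", "S2", "no_power")   # shared supply
    sys_.connect("S1", "no_signal", "Voter", "ch1")
    sys_.connect("S2", "no_signal", "Voter", "ch2")
    return sys_

def analyze() -> Tuple[CutSets, float]:
    s = build_system()
    cs = s.cut_sets("Voter", "wrong_output")
    return cs, s.probability(cs)
```

Calling analyze() returns three minimal cut sets, {PSU.fail}, {Voter.fail} and {S1.fail, S2.fail}, with a top-event probability of about 1.2e-3. The first cut set is the point of the exercise: looked at in isolation, each sensor channel is covered by the redundancy in the voter, but composing the trees through the shared power-supply port exposes a single common-cause event that defeats both channels, which is exactly the kind of dependency the modular, reusable analyses described above are meant to keep visible when components are reused. Reusing the same sensor CFT for S1 and S2 is only sound because basic events are qualified by instance name; without that, the two channels' internal failures would collapse into one event and the redundancy would vanish from the analysis.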

SE · May 31, 2021
ArChes -- Automatic generation of component fault trees from continuous function charts

Marc Zeller, Kai Hoefig, Jean-Pascal Schwinn

The growing size and complexity of software in embedded systems poses new challenges to the safety assessment of embedded control systems. In industrial practice, the control software is mostly treated as a black box during the system's safety analysis. The appropriate representation of the failure propagation of the software is a pressing need in order to increase the accuracy of safety analyses. However, it also increases the effort for creating and maintaining the safety analysis models (such as fault trees) significantly. In this work, we present a method to automatically generate Component Fault Trees from Continuous Function Charts. This method aims at generating the failure propagation model of the detailed software specification. Hence, control software can be included in safety analyses without additional manual effort required to construct the safety analysis models of the software. Moreover, safety analyses created during early system specification phases can be verified by comparing them with the automatically generated ones in the detailed specification phase.

LG · Dec 14, 2020
SAT-MARL: Specification Aware Training in Multi-Agent Reinforcement Learning

Fabian Ritz, Thomy Phan, Robert Müller et al.

A characteristic of reinforcement learning is the ability to develop unforeseen strategies when solving problems. While such strategies sometimes yield superior performance, they may also result in undesired or even dangerous behavior. In industrial scenarios, a system's behavior also needs to be predictable and lie within defined ranges. To enable the agents to learn (how) to align with a given specification, this paper proposes to explicitly transfer functional and non-functional requirements into shaped rewards. Experiments are carried out on the smart factory, a multi-agent environment modeling an industrial lot-size-one production facility, with up to eight agents and different multi-agent reinforcement learning algorithms. Results indicate that compliance with functional and non-functional constraints can be achieved by the proposed approach.

SE · May 11, 2020
Failure Mode Reasoning in Model Based Safety Analysis

Hamid Jahanian, David Parker, Marc Zeller et al.

Failure Mode Reasoning (FMR) is a novel approach for analyzing failure in a Safety Instrumented System (SIS). The method uses an automatic analysis of an SIS program to calculate potential failures in parts of the SIS. In this paper we use a case study from the power industry to demonstrate how FMR can be utilized in conjunction with other model-based safety analysis methods, such as HiP-HOPS and CFT, in order to achieve a comprehensive safety analysis of an SIS. In this case study, FMR covers the analysis of SIS inputs while HiP-HOPS/CFT models the faults of the logic solver and final elements. The SIS program is analyzed by FMR and the results are exported to HiP-HOPS/CFT via automated interfaces. The final outcome is the collective list of SIS failure modes along with their reliability measures. We present and review the results from both qualitative and quantitative perspectives.

SE · May 5, 2020
DPN -- Dependability Priority Numbers

Zhensheng Guo, Marc Zeller

This paper proposes a novel model-based approach to combine quantitative dependability (safety, reliability, availability, maintainability and IT security) analysis and trade-off analysis. The proposed approach is called DPN (Dependability Priority Numbers) and allows the comparison of the actual dependability characteristics of a system with its target values and evaluates them regarding trade-off analysis criteria. Therefore, the target values of system dependability characteristics are taken as requirements, while the actual values of a specific system design are provided by quantitative and qualitative dependability analysis (FHA, FMEA, FMEDA, or CFT-based FTA). The DPN approach evaluates the fulfillment of individual target requirements and performs trade-offs between analysis objectives. We present the workflow and meta-model of the DPN approach, and illustrate our approach using a case study on a brake warning contact system. Hence, we demonstrate how the model-based DPNs improve system dependability by selecting the project-crucial dependable design alternatives or measures.

SE · May 5, 2020
Automatic Generation of RAMS Analyses from Model-based Functional Descriptions using UML State Machines

Christof Kaukewitsch, Henrik Papist, Marc Zeller et al.

In today's industrial practice, safety, reliability or availability artifacts such as fault trees, Markov models or FMEAs are mainly created manually by experts, often distinctively decoupled from systems engineering activities. Significant efforts, costs and timely requirements are involved to conduct the required analyses. In this paper, we describe a novel integrated model-based approach of systems engineering and dependability analyses. The behavior of system components is specified by UML state machines determining intended/correct and undesired/faulty behavior. Based on this information, our approach automatically generates different dependability analyses in the form of fault trees. Hence, alternative system layouts can easily be evaluated. The same applies for simple variations of the logical input-output relations of logical units such as controllers. We illustrate the feasibility of our approach with the help of simple examples using a prototypical implementation of the presented concepts.