Agile and Modeling in embedded systems safety and security

Safety/Security

1

3

l

Ruby Agile

l astah* (JUDE)

l UML+ astah*XPIMPACT MAPPING

4

Je Sutherland

Standish group study report in 2000 chaos report

7

45%

19%

16%

7%

13%

8

IT

Agile

ITOneTeam

9

1-4

24

10

IDEAS

CODE DATA

BUILD LEARN

MEASURE

JIT

AB

AB 5

LeanStartup

(1) IPA/SEC OMG

11 SEC journal http://www.ipa.go.jp/files/000024514.pdf

: D-Case, GSN, SoS, Model-based, Safety Case Certification Engineering, Dependability, ISO26262

(2)DEOS The Open Group

12 : DEOS http://deos.or.jp/technology/process-j.html

(1) (2)

SoS(System of Systems)

14 Copyright (C) 2014 Change Vision CorporaEon. All Rights Reserved.

16

CAD ECAD

UML /

Simulink(/)

UML,ER, DFD,BPMN.. (,,..

SysML() SysML()

/SoS

SysML()

GSN(D-Case)

SafeML(+) SCDL (ISO26262)

2

4

3

1

SysML(Systems Modeling Language

MBSE)

17

1

SysMLRTC :

(Change Vision, Inc) ()

OMGhQp://www.slideshare.net/hiranabe/using-sysml-in-an-roboE-applicaEon

1

Honda R&D Team

SysML to RTC 1 2 OpenRTM to Honda RTM

Geoffrey Biggs

l (Spiral Back-and-Forth) Operator lPCRoombaWi-FiKinect

kinect

Operator Controller PC

Receiver PC

Roomba

Wi-Fi

req [()]

req [Robot]

bdd []

ibd []

ibd [controller]

SysMLSoS

IPA(RISE) (2014 )

SoS

28

1

System of SystemsSoS SoS

29

2014

SoS

Copyright2014 Hidekazu Nishimura.

Context between Automated Driving System and System of Systems[Block] ibd [ ]

transport Infrastructure System

a u t o m a t e d D r i v i n g S y s t e me g o V e h i c l e D r i v e r

p e d e s t r i a n

p h y s i c a l E n v i r o n m e n t s

n a t u r a l E n v i r o n m e n t

s u r r o u n d i n g M o b i l i t y

e g o V e h i c l e

I C T S y s t e m

Driver automated driving commandAutomated driving information

Direct driver monitoring data

Obstacle StateObstacle State

Pedestrian StatePedestrian State

Natural Environment StateNatural Environment State

Surrounding Mobility StateSurrounding Mobility State

Ego vehicle driving state

Automated driving control command

Indirect driver monitoring dataDriver on-board system use

Driver manuever command

Navigation information

Driver navigationsystem use

Transport Infrastrucure State

Transport Infrastrucure State

Navigation information

Ego vehicle navigation related data

Surrounding vehiclenavigation related data

Transport infrastrucure information

Traction Force

Driving forceNavigation information

SoS

ICT

2014

SoS30


} SoS

SoS

SysMLSoSCSPCommunica2ng Sequen2al Processes

CSP

31

2014

SoS


SERA


1

Assurance CaseGSN/D-Case

(Goal Structuring Notation)

33

2

GSN(D-Case)

(Goal Structuring Notation) Tim Kelly

Safety Dependability Security Assure

Assurance Case D-Case: GSN

DEOS

GSN


DHS()

GSN(1)

37

GSN(2)

38

SafeML()

39

3

SafeML Georey Biggs SysML Prole

Hazard, Harm, Context

GSN


SafeMLHazard:

Harm)

Context() (hazardous event) (harmful event)


Safety Model and Systems Model - GSN/MARTE/SysML/SafeML integraEon in RoboEcs

Georey Biggs (AIST) Toshihiro Okamura(Change Vision, Inc.)

12OMGhQp://www.slideshare.net/hiranabe/omg-safety-modelsystemsmodel20141210nal

http://www.slideshare.net/hiranabe/omg-safety-modelsystemsmodel20141210final

3

SysMLUML/MARTE

GSN

Describes system

safety cases.Describes

system and software models

SafeML

Example robot (from AIST)

(Extension to SysML)

Describes hazards and harms related to the system

Goal: Demonstrate the effectiveness of using GSN/SafeML/SysML/MARTE together.

Overview

Modelling process

GSNDesign argument for how system will be developed to be safe (safety analyses to be performed, design methods, etc.)

SysMLModel a system that meets the requirements

SafeMLAdd safety analysis results to system model to aQain traceability between safety analysis and system features (safety requirements)

SysMLRevise system design to implement required safety features

MARTEAdd implementaEon details and analyse model for feasibility of design

GSNRevise argument based on actual steps performed and work productsLink GSN argument to system model to provide context and soluEons

Language Objectives

GSN model

Safety requirement verification result

Sn6

* Hazard analysis statement* Risk assessment statement

C6

DRC is acceptably safe

G1

All hazards have been identified sufficiently

G4

Basic Requirement for Safety:(1) DRC should be safe for using in the second office in the main building of AIST(2) DRC should be safe for users who are not familiar with electric wheelchair

C2

Hazard analysis statement

Sn1

Risks have been analyzed and evaluated properly. And the ways of eliminating the risks are analyzed properly.

G5

Risk assessment statement (each phase)

Sn2

Activities in each phases of the lifecycle of DRC have been figured out

G10

Primitive hazards have been figured out comprehensively by using the hazard identification checklist of JIS B 9700 and ISO13482

G12

Product brief

C7

Hazard identification checklist ofJIS B 9700:2013 (Table B.1)

C9

Hazard identification checklist of ISO13482 (Annex A)

C11 The lists of hazards for each phases of the lifecycle have been created by matching the activities and the hazards figured out by checklists

G13

Table B.3: 'List of risky activities' of JIS B 9700(Standard for safety of machinery)

C8

PhaseSpecification, transport, installation, setting, maintenance, emergency response, removal

Figuring out hazards and activities to identify risks that inhibit the safety

S2

Kinds of improper use have been identified

G11

Hazard identification checklist ofJIS B 9700:2013 (Table B.3)

C10

Product brief

C1

Discuss separately with deriving safety requirements and implementing safety requirements

S1

Hazard analysis statement

C5

Required risk reduction measures have been defined properly

G17

Risks have been reduced to less than the allowable level by risk reduction measures

G18

Safety requirements have been derived properly from the risk reduction measures

G6

All safety requirements have been implemented

G3

Safety requirement definition document

Sn3

All risks have been estimated by following the estimation rules

G15

Acceptable range of risk has been decided properly

G16


C4

The way of estimating risks has been defined concretely

G14

Safety requirements have been led to properly

G2

Break down by activities

S3

The completed product has satisfied all safety requirements

G9

The way of testing the completed product has been defined property depending on the safety requirements

G8

Validation plan document

Sn5

Safety requirements have been adapted to the design

G7

System design model (SysML, SafeML)

Sn4

ISO13482:2014(Standard related to the safety of the personal care robots)

C3(1)

(2) (3) (4)

GSN model (1)

DRC is acceptably safe

G1

Basic Requirement for Safety:(1) DRC should be safe for using in the second office in the main building of AIST(2) DRC should be safe for users who are not familiar with electric wheelchair

C2

Product brief

C1

Discuss separately with deriving safety requirements and implementing safety requirements

S1

All safety requirements have been implemented

G3


C4

Safety requirements have been led to properly

G2

ISO13482:2014(Standard related to the safety of the personal care robots)

C3

[ package] Safet y d iagram s [ 36a. Rid ing user t ouches a wheel during m ot ion and get s t heir hand or fingers caught ]bdd

< < Hazard> >< < block> >

M oving m echan ical com ponent s

< < Harm > >< < block> >

Dislocat ed join t s, b roken bones or choking

< < block> >Wheel cover

< < DefenceResult > >< < block> >

Wheel covers resu lt

< < block> >Elect r ic m ot or

< < block> >Wheel

< < Harm Context> >< < block> >

36a. Rid ing user t ouches a wheel during m ot ion and get s t heir hand or fingers caught

< < deriveHzd> >< < deriveHzd> > < < block> >Wheel

< < deriveHC> >

< < PassiveDefence> >< < block> >

Wheel covers

< < requirem ent> >

text = The wheels shall be covered such t hat t he user and object s cannot t ouch t hem during m ot ion.

Id = 140

Wheel covers

< < reqDefence> >

< < sat isfy> >

SafeML System components, activities, etc.Sources

of hazard

Hazard

Potential harm

Hazardous situation/event

Result of safety measure

Safety measure

Safety requirement

SafeML [ package] Wheelchair robot [Wheelchair robot ]bdd


< < block> >Wheel

< < block> >Drive t rain

< < block> >Drive un it

< < system > >< < block> >

Wheelchair robot

Right drive un it


2

[ package] Safet y d iagram s [ 36a. Rid ing user t ouches a wheel during m ot ion and get s t heir hand or fingers caught ]bdd

< < Hazard> >< < block> >

M oving m echan ical com ponent s

< < Harm > >< < block> >

Dislocat ed join t s, b roken bones or choking


< < DefenceResult > >< < block> >

Wheel covers resu lt


< < block> >Wheel

< < Harm Context> >< < block> >

36a. Rid ing user t ouches a wheel during m ot ion and get s t heir hand or fingers caught

< < deriveHzd> >< < deriveHzd> > < < block> >Wheel

< < deriveHC> >

< < PassiveDefence> >< < block> >

Wheel covers

< < requirem ent> >

text = The wheels shall be covered such t hat t he user and object s cannot t ouch t hem during m ot ion.

Id = 140

Wheel covers

< < reqDefence> >

< < sat isfy> >

SCDL(Safety Concept Description Language:ISO26262)

51

4

SCDL DNV ISO26262

ASIL


53 http://scn-sg.com/

(1/2)


Sub-sys01

SYSXX

Sub-sys02

ECU01 SENS01

mC01

eSW01

(2/2)


ASIL


WG(SafetySecurity)

59

WG


61

() Certification Engineering

http://www.sice.or.jp/org/ce-wg/

Are You Modeling?

()

62

63 http://areyoumodeling.com

64 http://ja.areyoumodeling.com

Web


kenji.hiranabe at change-vision.com

Agile and Modeling in embedded systems safety and security

Software

Transcript of Agile and Modeling in embedded systems safety and security