PSAM 16 - Session Th24 Overview

PSAM 16 Conference Session Th24 Overview

Paper 1 IV42

Lead Author: Ivo Häring Co-author(s): Vivek Sudheendran, vivek.sudheendran@desy.de Roman Sankin, roman.sankin@de.bosch.com

SysML supported functional safety ISO 26262 and cybersecurity STRIDE/HEAVENS assessment for automotive model-based system engineering
To manage the increasing complexity of modern automotive systems, development companies adhere to model based systems engineering (MBSE). Within MBSE processes, suitable modeling approaches need to be selected and combined. Modelling and simulation approaches include semi-formal modeling, software generation, engineering simulation and software emulation. By now, even the selection, tailoring and interfacing of modeling approaches can be supported within framing methodologies. Within such a digitalized development process context, the presentation addresses the question, how to use SysML modeling to support efficiently the functional safety as well as the cybersecurity (IT security) assessment within the early stages of the system development process in the automotive domain. The feasibility of the approach is realized by the development of a concept for functional safety and cybersecurity analysis which supports the Software Platform Embedded Systems (SPES) framework. The concept is documented with metamodels and is backed by SysML profiles which extend the SPES profile within the IBM Rational Rhapsody environment. The profile for the safety analysis supports ISO 26262 functional safety process on the system level. The profile for cybersecurity analysis supports assessment at the system level adhering to the guidelines of the Microsoft STRIDE based HEAaling Vulnerabilities to Enhance Software Security and Safety (HEAVENS) security model, which was specifically developed for the automotive domain. SysML model-based prototypes, i.e. SysML system designs including their functional safety and cybersecurity assessment, are developed, which validate the approach within an automotive MBSE pilot project. A sample prototype application shows the feasibility of the approach and allows to estimate the effort of SysML supported functional safety and cybersecurity assessments within a SPES conform environment. Main results include the feasibility of reuse and invention of SPES oriented SysML models (e.g. context, scenario, goal, function) intended for system design. The functional safety and cybersecurity relevant model extensions and refinements are realized within these system models. The refinements and extensions result in functional safety relevant models which support item definition, hazard and risk analysis, functional safety concept and technical safety concept. Similarly, cybersecurity relevant SysML models help in Target of Evaluation (TOE) description, threat analysis and risk assessment and cybersecurity requirement derivation according to the HEAVENS approach. The automations imparted on these extended SysML models by using helpers, enhance the usability of the models within the approach. For instance, the helpers provide automatic functional safety and cybersecurity parameter determination within models (e.g. ASIL determination, security level derivation) and filtered graphical views given sufficient inputs. Application of a model checker assists fast execution of the analyses and generation of the assessment artifacts, e.g. tabular overview of risks and their control with safety functions or cyber threats and related counter measures.

SysML supported functional safety ISO 26262 and cybersecurity STRIDE/HEAVENS assessment for automotive model-based system engineering

To manage the increasing complexity of modern automotive systems, development companies adhere to model based systems engineering (MBSE). Within MBSE processes, suitable modeling approaches need to be selected and combined. Modelling and simulation approaches include semi-formal modeling, software generation, engineering simulation and software emulation. By now, even the selection, tailoring and interfacing of modeling approaches can be supported within framing methodologies. Within such a digitalized development process context, the presentation addresses the question, how to use SysML modeling to support efficiently the functional safety as well as the cybersecurity (IT security) assessment within the early stages of the system development process in the automotive domain. The feasibility of the approach is realized by the development of a concept for functional safety and cybersecurity analysis which supports the Software Platform Embedded Systems (SPES) framework. The concept is documented with metamodels and is backed by SysML profiles which extend the SPES profile within the IBM Rational Rhapsody environment. The profile for the safety analysis supports ISO 26262 functional safety process on the system level. The profile for cybersecurity analysis supports assessment at the system level adhering to the guidelines of the Microsoft STRIDE based HEAaling Vulnerabilities to Enhance Software Security and Safety (HEAVENS) security model, which was specifically developed for the automotive domain. SysML model-based prototypes, i.e. SysML system designs including their functional safety and cybersecurity assessment, are developed, which validate the approach within an automotive MBSE pilot project. A sample prototype application shows the feasibility of the approach and allows to estimate the effort of SysML supported functional safety and cybersecurity assessments within a SPES conform environment. Main results include the feasibility of reuse and invention of SPES oriented SysML models (e.g. context, scenario, goal, function) intended for system design. The functional safety and cybersecurity relevant model extensions and refinements are realized within these system models. The refinements and extensions result in functional safety relevant models which support item definition, hazard and risk analysis, functional safety concept and technical safety concept. Similarly, cybersecurity relevant SysML models help in Target of Evaluation (TOE) description, threat analysis and risk assessment and cybersecurity requirement derivation according to the HEAVENS approach. The automations imparted on these extended SysML models by using helpers, enhance the usability of the models within the approach. For instance, the helpers provide automatic functional safety and cybersecurity parameter determination within models (e.g. ASIL determination, security level derivation) and filtered graphical views given sufficient inputs. Application of a model checker assists fast execution of the analyses and generation of the assessment artifacts, e.g. tabular overview of risks and their control with safety functions or cyber threats and related counter measures.

Paper IV42 | Download the paper file. | Download the presentation pdf file.

Name: Ivo Häring (ivo.haering@emi.fraunhofer.de)

Bio: Ivo Häring holds a PhD of the Max-Planck-Institute for the Physics of Complex Systems (MPIPKS) and TU Dresden. Since 2004 he works at Fraunhofer Ernst-Mach-Institut, EMI, currently as Senior Scientist in the Department Safety and Resilience of Technical Systems. He is Lecturer in security, safety and resilience engineering at the University of Applied Science Furtwangen, within advanced continuous academic courses together Fraunhofer Academy, and at the Department of Sustainable Systems Engineering (INATECH) of the University Freiburg. He has an applied research project (set up) and publication record of more than 25 million Euro funding. Relevant sample projects include the German BMWK projects KIsSME on “AI for selective near-real-time acquisition of scenario and maneuver data in testing highly automated vehicles” with focus on scenario criticality evaluation and RDV on “Real driving validation” with focus on safety simulation using Markov approaches.

Country: DEU
Company: Ivo Häring, Fraunhofer EMI, Am Klingelberg 1, 79588 Efringen-Kirchen, Germany
Job Title: Senior Scientist

Paper 2 FR54

Lead Author: Cesare Frepoli Co-author(s): Jarrett Valeri, jarrett.valeri@fpolisolutions.com, Robert P. Martin, rpmartin@bwxt.com

DEVELOPMENT OF AN ENTERPRISE DIGITAL PLATFORM FOR RISK-INFORMED DESIGN
Currently, many advanced reactor designs are under development in the U.S., promising sustainable solutions to the growing world energy needs. In response, the U.S. Nuclear Regulatory Commission (NRC) staff is moving forward with development of the 10 CFR Part 53 rulemaking, which will establish a new risk-informed framework for licensing and regulating such new designs. The motivation has been to develop a technology-agnostic regulatory framework; but in practice, it is important that the new rule is used and is useful, meaning that there is no unreasonable increase in regulatory burden and thus to the scope to the safety assessment. This is because the risk assessment is now folded in the design process itself, rather than being a simple confirmatory step of the design. Such a level of sophistication is only possible and practical in a highly automated and scrutable digital framework. This paper describes a solution to this problem. An agile, generic, digital platform, called FPoliAAP, was developed to facilitate orchestration of complex workflows, taking advantage of modern software development and data management tactics while leveraging recent technologies developed at national laboratories such as Idaho National Laboratory’s (INL) RAVEN and EMRALD frameworks. FPoliAAP is a suite of applications (or services) which, in the aggregate, can be seen as a ”wizard” or smart procedure to help developers and regulators navigate through the process of building a transparent safety case. One of these applications is called Risk-Informed System Engineering (RISE). At a high level, the vision behind RISE has been to fully automate the workflow that connects the physical reality of the plant to its virtual representation in modeling (sometimes called the plant Digital Twin) to readily produce output which aids users in making risk-informed decisions that demonstrate the plant safety case consistent with RG 1.203, RG 1.233 and 10 CFR Part 53. For the sole purpose of training and illustration here, the RISE technology is presented using a simple metamodel that describes a PWR during a postulated Station Black Out (SBO) event. The simple model was applied to a Loss-of-Coolant Accident (LOCA) in an earlier edition of NURETH and is used here as a trivial, but representative, abstraction of the ”digital-twin” element considered within modern evaluation models (EMs).

DEVELOPMENT OF AN ENTERPRISE DIGITAL PLATFORM FOR RISK-INFORMED DESIGN

Currently, many advanced reactor designs are under development in the U.S., promising sustainable solutions to the growing world energy needs. In response, the U.S. Nuclear Regulatory Commission (NRC) staff is moving forward with development of the 10 CFR Part 53 rulemaking, which will establish a new risk-informed framework for licensing and regulating such new designs. The motivation has been to develop a technology-agnostic regulatory framework; but in practice, it is important that the new rule is used and is useful, meaning that there is no unreasonable increase in regulatory burden and thus to the scope to the safety assessment. This is because the risk assessment is now folded in the design process itself, rather than being a simple confirmatory step of the design. Such a level of sophistication is only possible and practical in a highly automated and scrutable digital framework. This paper describes a solution to this problem. An agile, generic, digital platform, called FPoliAAP, was developed to facilitate orchestration of complex workflows, taking advantage of modern software development and data management tactics while leveraging recent technologies developed at national laboratories such as Idaho National Laboratory’s (INL) RAVEN and EMRALD frameworks. FPoliAAP is a suite of applications (or services) which, in the aggregate, can be seen as a ”wizard” or smart procedure to help developers and regulators navigate through the process of building a transparent safety case. One of these applications is called Risk-Informed System Engineering (RISE). At a high level, the vision behind RISE has been to fully automate the workflow that connects the physical reality of the plant to its virtual representation in modeling (sometimes called the plant Digital Twin) to readily produce output which aids users in making risk-informed decisions that demonstrate the plant safety case consistent with RG 1.203, RG 1.233 and 10 CFR Part 53. For the sole purpose of training and illustration here, the RISE technology is presented using a simple metamodel that describes a PWR during a postulated Station Black Out (SBO) event. The simple model was applied to a Loss-of-Coolant Accident (LOCA) in an earlier edition of NURETH and is used here as a trivial, but representative, abstraction of the ”digital-twin” element considered within modern evaluation models (EMs).

Paper FR54 | Download the paper file. | Download the presentation pdf file.

A PSAM Profile is not yet available for this author.

Paper 3 AR216

Lead Author: Sascha Schmidt

Model-Based Reliability Engineering of Automotive Drivetrain Architectures With Multi-Trajectory Simulation
Key words: Reliability Analysis Methods and Tools; Dynamic Reliability and Safety, Simulation, Example application (safety-critical automotive systems) The architecture of complex systems is often decided in an early stage of the design process. This leads to risky outcomes, as there is not yet much information available about the planned system. Non-functional properties such as reliability and safety are crucial for critical systems, yet the effect of low-level design decisions in modules on the overall system behavior is often unclear because of their emergent nature. Formal models and performability evaluation algorithms in the field of model-based systems design are useful tools to improve this situation [1-3]. In reliability and safety, the classic models such as fault trees and reliability block diagrams allow static systems, but fall short in the description of dynamic processes. Such a behavior is important to cover in the model for systems including dynamic fault tolerance, or if there is a significant influence of the underlying timed behavior. Dynamic models in the reliability and safety context have to support discrete events, states, probabilistic choices and stochastic activities. Markov chains and variants of stochastic Petri nets are used for reliability engineering of dynamic systems in international standards and in the literature [1, 3, 4, 5]. There are mainly two types of algorithms to compute performability measures of interest from such models: numerical analysis and simulation. Numerical analysis methods are (mainly) restricted to Markovian models and manageable reachability graph sizes. Simulation be applied to any model, but will lead to intractably long runs in reliability evaluations because of the computational effort to generate enough failure states to achieve statistical confidence in the estimated results. This problem is known as rare-event simulation, and there are several approaches described in the literature (mostly variants of importance sampling [6] and splitting [7, 8]). However, they only achieve the theoretically possible speedup if the models are simple and symmetric in the case of sampling, or if a heuristic guiding the simulation is known a-priori for splitting [9]. A more recently developed algorithm tries to overcome this by integrating elements of numerical analysis with simulation [10]. It aims at retaining the advantages of both approaches: For models with manageable reachability graph size, it works similarly to a numerical analysis; while in the case of larger state spaces, it will work more like a splitting simulation to speed up rare-event problems. There is, however, no switching: the method allows seamless adaptations “in between” the underlying algorithms of simulation (which follows exactly one system state trajectory) and numerical analysis (which covers all possible trajectories). The paper will show how the reliability and safety of dynamic systems can be efficiently evaluated by this method. It will use stochastic Petri nets for the modeling part and show selected use cases from the areas of safety-critical embedded control systems in the automotive field. A prototype implementation of the algorithm in our software tool TimeNET [11] is used to derive numerical values, showing typical design trade-offs as the result. References [1] K. Trivedi, A. Bobbio, Reliability and Availability Engineering: Modeling, Analysis, and Applications, Cambridge University Press 2017. [2] J. Faulin, A. A. Juan, S. Martorell, J.-E. Ramirez-Marquez, Eds., Simulation methods for reliability and availability of complex systems, Springer 2010. [3] A. Zimmermann, Stochastic Discrete Event Systems — Modeling, Evaluation, Applications, Springer, 2007. [4] Analysis techniques for dependability — Petri net techniques, IEC 62551:2012, IEC Norm DIN EN 00 338, Sep. 2013. [5] Application of Markov techniques, IEC 61165:2006 Ed. 2.0, IEC Norm DIN EN 00 338, May 2006. [6] P. W. Glynn, D. L. Iglehart, Importance sampling for stochastic simulations, Management Science, vol. 35, no. 11, (Nov.) 1989. [7] P. Glasserman, P. Heidelberger, P. Shahabuddin, T. Zajic, Multilevel splitting for estimating rare event probabilities, Operations Research, vol. 47, pp. 585–600, 1999. [8] M. Villen-Altamirano and J. Villen-Altamirano, On the efficiency of RESTART for multidimensional systems, ACM Transactions on Modeling and Computer Simulation, vol. 16, no. 3, pp. 251-279, Jul. 2006. [9] M. J. Garvels, J.-K. C. Van Ommeren, and D. P. Kroese, On the importance function in splitting simulation, European Transactions on Telecommunications, vol. 13, no. 4, pp. 363-371, 2002. [10] A. Zimmermann and T. Hotz, Integrating simulation and numerical analysis in the evaluation of generalized stochastic Petri nets, ACM Transactions on Modeling and Computer Simulation (TOMACS), vol. 29, no. 4, 2019. [11] A. Zimmermann, Modelling and Performance Evaluation with TimeNET 4.4, Proc. Quantitative Evaluation of Systems (QEST 2017) 14th Int. Conf., LNCS 10503, (Sep.) 2017, pp. 300-303.

Model-Based Reliability Engineering of Automotive Drivetrain Architectures With Multi-Trajectory Simulation

Key words: Reliability Analysis Methods and Tools; Dynamic Reliability and Safety, Simulation, Example application (safety-critical automotive systems) The architecture of complex systems is often decided in an early stage of the design process. This leads to risky outcomes, as there is not yet much information available about the planned system. Non-functional properties such as reliability and safety are crucial for critical systems, yet the effect of low-level design decisions in modules on the overall system behavior is often unclear because of their emergent nature. Formal models and performability evaluation algorithms in the field of model-based systems design are useful tools to improve this situation [1-3]. In reliability and safety, the classic models such as fault trees and reliability block diagrams allow static systems, but fall short in the description of dynamic processes. Such a behavior is important to cover in the model for systems including dynamic fault tolerance, or if there is a significant influence of the underlying timed behavior. Dynamic models in the reliability and safety context have to support discrete events, states, probabilistic choices and stochastic activities. Markov chains and variants of stochastic Petri nets are used for reliability engineering of dynamic systems in international standards and in the literature [1, 3, 4, 5]. There are mainly two types of algorithms to compute performability measures of interest from such models: numerical analysis and simulation. Numerical analysis methods are (mainly) restricted to Markovian models and manageable reachability graph sizes. Simulation be applied to any model, but will lead to intractably long runs in reliability evaluations because of the computational effort to generate enough failure states to achieve statistical confidence in the estimated results. This problem is known as rare-event simulation, and there are several approaches described in the literature (mostly variants of importance sampling [6] and splitting [7, 8]). However, they only achieve the theoretically possible speedup if the models are simple and symmetric in the case of sampling, or if a heuristic guiding the simulation is known a-priori for splitting [9]. A more recently developed algorithm tries to overcome this by integrating elements of numerical analysis with simulation [10]. It aims at retaining the advantages of both approaches: For models with manageable reachability graph size, it works similarly to a numerical analysis; while in the case of larger state spaces, it will work more like a splitting simulation to speed up rare-event problems. There is, however, no switching: the method allows seamless adaptations “in between” the underlying algorithms of simulation (which follows exactly one system state trajectory) and numerical analysis (which covers all possible trajectories). The paper will show how the reliability and safety of dynamic systems can be efficiently evaluated by this method. It will use stochastic Petri nets for the modeling part and show selected use cases from the areas of safety-critical embedded control systems in the automotive field. A prototype implementation of the algorithm in our software tool TimeNET [11] is used to derive numerical values, showing typical design trade-offs as the result. References [1] K. Trivedi, A. Bobbio, Reliability and Availability Engineering: Modeling, Analysis, and Applications, Cambridge University Press 2017. [2] J. Faulin, A. A. Juan, S. Martorell, J.-E. Ramirez-Marquez, Eds., Simulation methods for reliability and availability of complex systems, Springer 2010. [3] A. Zimmermann, Stochastic Discrete Event Systems — Modeling, Evaluation, Applications, Springer, 2007. [4] Analysis techniques for dependability — Petri net techniques, IEC 62551:2012, IEC Norm DIN EN 00 338, Sep. 2013. [5] Application of Markov techniques, IEC 61165:2006 Ed. 2.0, IEC Norm DIN EN 00 338, May 2006. [6] P. W. Glynn, D. L. Iglehart, Importance sampling for stochastic simulations, Management Science, vol. 35, no. 11, (Nov.) 1989. [7] P. Glasserman, P. Heidelberger, P. Shahabuddin, T. Zajic, Multilevel splitting for estimating rare event probabilities, Operations Research, vol. 47, pp. 585–600, 1999. [8] M. Villen-Altamirano and J. Villen-Altamirano, On the efficiency of RESTART for multidimensional systems, ACM Transactions on Modeling and Computer Simulation, vol. 16, no. 3, pp. 251-279, Jul. 2006. [9] M. J. Garvels, J.-K. C. Van Ommeren, and D. P. Kroese, On the importance function in splitting simulation, European Transactions on Telecommunications, vol. 13, no. 4, pp. 363-371, 2002. [10] A. Zimmermann and T. Hotz, Integrating simulation and numerical analysis in the evaluation of generalized stochastic Petri nets, ACM Transactions on Modeling and Computer Simulation (TOMACS), vol. 29, no. 4, 2019. [11] A. Zimmermann, Modelling and Performance Evaluation with TimeNET 4.4, Proc. Quantitative Evaluation of Systems (QEST 2017) 14th Int. Conf., LNCS 10503, (Sep.) 2017, pp. 300-303.

Paper AR216 | Download the paper file. | Download the presentation PowerPoint file.

Name: Sascha Schmidt (sascha.schmidt@tu-ilmenau.de)

Bio: Sascha Schmidt studied computer science at the Technical University of Ilmenau. He received his Master of Science degree in 2021 and has since been working as a research associate at the Department of Systems- and Software Engineering at the Technical University of Ilmenau. In the German BMWK project AnRox on "Fail-safe and efficient electric drive system for robot cabs" he is working on a methodology for reliability evaluation using stochastic Petri net models.

Country: DEU
Company: Technische Universität Ilmenau
Job Title: Research Assistant