Safety Requirements (Identification, Verification and Validation)

[janWelte]

Task:
Development of Safety Requirements and Properties for Model VnV

Related to the following overall tasks:
#6

Workscope:

Tasks to be done

System structure breackdown:

• Analyse Subset 26 input (and additional)
• Identify main components at system level and limits

System functional breakdown:

• Identify main functions at system level
• Identify lower level kernel functions (based on the benchmark model)
• Compare work of Subset 88 & 91 to functional breakdown

Requirements for Functional Decomposition according to safety analysis

• Document: Needed Functional Decomposition (as input for @BaseliyosJacob)
• Document decribing the SRAC for other outside components
• Documents allocation safety Requirements on kernel functions

This shall be done for the following examples:

Examples of Kernel Hazards (from Subset-88 Part 3)
a. KERNEL-6 Manage communication session failure
(Related to model of Subset 26 §3.5.3 Establishing a communication session)

Detailed tasks in #44 and #50

b. KERNEL-9 Speed calculation underestimates train speed
(Related to model of Subset 26 §3.13 Braking curves)

Detailed tasks in #45 and #49

c. KERNEL-19 Failure of train trip supervision in OS, LS and FS
(Related to model of Subset 26 §5.9 Procedure On-Sight)

Detailed tasks in #46 and #51

Additional task to be done:

For the functional components:

• FMEA
• FTA

@MerlinPokam
@cyrilcornu
@janWelte

[janWelte]

Meeting at the 26.08.2014

Safety Tool Use Case Coordination

Participants:
@vallee @jensgerlach @UweSteinkeFromSiemens @vgontier @MariellePetitDoche @janWelte

Objective:
The meeting shall serve to identify use cases for provided safety analysis tools analyzing the SysML and SCADE models of openETCS. The resulting task shall be combined to a consistent work plan to analyze hazardous events, derive resulting safety properties and check models with respect to these safety properties.

Agenda:

1. Introduction of current and planned safety related activities

• Systerel:
  • Safety analysis on SysML model for "Train Position Calculation"
    Safety analysis of the function "Train Position Calculation" has been made in a classical way
    • Inputs :
      1. Function informal description (Subset 26)
      2. Hazardous Events from Subset 88
      3. SysML model (from WP 3)
    • Output: set of safety requirements (informal)
    • Status Work Steps:
      • Analysis finished
      • Document internal reviewed at Systerel and uploaded to github @MariellePetitDoche (planned for 02.09. to be uploaded at github)
      • Document external review by project partners @vgontier @janWelte
  • Formal proof of safety properties on SCADE model for "Train Position Calculation"
    Use of Systerel Smart Solver (S3) to prove the safety properties issued of the safety analysis on the Scade model (SAT technologies)
    • Inputs :
      1. Safety requirements (from SysML model safety analysis)
      2. SCADE model (from WP 3)
    • Output: Validation report for checked safety properties
    • Status Work Steps:
      • Imported SCADE model in S3 Solver
      • formalized safety properties for solver (in Lustre?)
      • performed model checks
      • Validation report generated, internally reviewed and uploaded to github
      • Document external reviewed by project partners
  • Second formal approach with B method (Depending on the other partners, generation and validation of a B model to have an open source alternative)
    Ongoing work
• All4Tec:
  • FMEA on the Sysml model with Safety Architect
    Use of Safety Architect to perform an FMEA analysis on the SysML model of a function
    • Inputs :
      1. SysML Model (from WP 3)
      2. Hazardous/ feared events (based on Subset 88)
      3. design rules and additional safety barriers not shown in the model
  • Output: Risk analysis report with recommendations (some will be mandatory!)
  • Status Work Steps:
    • new version of Safety Architect to be compatible with openETCS SysML models
    • proposal which SysML model (function) and which Hazardous/ feared events shall be used for first analysis @vallee @vgontier
    • perform analysis
    • Risk analysis report generated, internally reviewed and uploaded to github
  • CCR and coding rules verification (for critical handmade code)
    Critical code review with All4Tec tool Safety Code Reviewer to support the manual code review for handmade code
    • Inputs :
      1. Handmade code (use Siemens bit walker code for first evaluation)
      2. Design, Code, Coding rules (not available for the provide work)
      3. Results of FMEA (not available for current work)
    • Output: CCR report
    • Next Step:
      • Compare work and potential results for bit walker code to D 4.2.2 @vallee
      • Provide proposal for use of enhancement of CR and coding rules verification in openETCS
  • RT RT models

This is not a specific All4tec activity. Contributions from all partners are organized in the global testing work scheduled managed by @MarcBehrens and @cecilebraun

Further coordination in WP 4 Wednesday meetings, when Cecile is back (End of September)

• Operational validation with Matelo
  Matelo tool used to design usage models for validation. Depending on the facilities to generate random scenarios offered by the testing environment this method will be more or less representative of the operational life of the system.
  • Inputs :
    1. Usage profile
    2. System specification
    3. Description of the available testing environment (in connection with WP5)
  • Output: Validation report
  • Next Step:

    • Coordination with @MarcBehrens and @Nicolas-VanLandeghem how Matelo could be integrated

      Further coordination shall be done in the general WP 4 Validation activities and in discussions with WP5.

1. Coordination of work

Goal is to derive safety properties by an FMEA analysis with Safety Architect, which afterwards can be checked in the SCADE model by S3.

Next Steps

1. Systerel finishes and presents the first safety analysis
2. All4Tec will evaluate potential function and feared events for the use of Safety Architect (new version)
3. Follow-Up meeting to discuss results and coordinate next steps
   Doodle Questionnaire for next Telco.
   Please indicate at which time slots you would be available for a follow-up meeting

Further steps (planned to be performed after the follow-up meeting)

• Perform FMEA with Safety Architect @vallee
• Translation of FMEA results in provable safety properties for S3 model checking
• Perform S3 model checking for SCADE model "Train Position" @MariellePetitDoche
• Coordination meeting to compare status of all task and evaluate potential additional steps after InnoTrans (begin of October)

[janWelte]

The meeting to propose and coordinate use case for safety analysis tools will be held
Mo 15.09.2014 14:00 – 15:00 on go2meeting

Agenda:

1. Status of current safety related activities
   a. Systerel: Safety analysis on SysML model for "Train Position Calculation"
   very difficult in current state, few links between different design documents
2. result noch sufficient (for required analysis),
3. different unformal documents, (what is the reference, how to link to the SRS)
   b. Systerel: Systerel Smart Solver (S3)
   c. All4Tec: FMEA on the Sysml model with Safety Architect
   d. All4Tec: CCR and coding rules verification (for critical handmade code)
4. Coordinate further tasks
   a. Which results can be reviewed and used
   b. Which task are planned next

• Traceability for SCADE "Train Position Calaucaltion" needed determine safety properties

[MarcBehrens]

a list of safety relevant requirements is needed for the design

relates to openETCS/product-backlog#31

grooming needed here @janWelte @fvallee @AbdelnasirMohamed

[MarcBehrens]

a new SUBSET-091 has been released, see http://www.era.europa.eu/Document-Register/Pages/Set-2-Safety-Requirements-fo-the-Technical-Interoperability-of-ETCS-in-Levels-1-2.aspx

[MarcBehrens]

put on hold until October to focus on functional verification