
7th IFAC Symposium on Advances in Automotive Control

The International Federation of Automatic Control


September 4-7, 2013. Tokyo, Japan

Dependability Assurance Framework Standardization for Safety-Sensitive Consumer Devices at the OMG

Yutaka Matsuno ∗, Naoya Ishizaki ∗∗, Geoffrey Biggs ∗∗∗, Kenji Taguchi ∗∗∗, Akira Ohata ∗∗

∗ The University of Electro-Communications, Japan (e-mail: matsuno@is.uec.ac.jp).
∗∗ Toyota Motor Corporation, Japan (e-mail: ishizaki@naoya.tec.toyota.co.jp, ohata@control.tec.toyota.co.jp)
∗∗∗ National Institute of Advanced Industrial Science and Technology, Japan (e-mail: {kenji.taguchi, geoffrey.biggs}@aist.go.jp)

Abstract: This paper introduces a new effort by the Object Management Group to standardise
the format of information used in the assurance of safety-sensitive consumer devices, such as
automobiles and service robots. The diversity of device types and development approaches
for such devices makes the sharing and re-use of assurance information difficult. The new
standardisation effort aims to resolve this issue through common information models and
consistent argument structures.

Keywords: Dependability, Functional Safety, Standardization

1. INTRODUCTION

In recent years, technological advances and increases in connectivity have driven a rapid increase in the complexity of devices used by consumers. These devices, unlike traditional industrial machinery, are used in diverse and dynamic environments over which the developer has little control (Tokoro (2012)).

The increase in complexity is making assurance of the dependability (as defined in Avizienis et al. (2004)) of these devices increasingly difficult. This is particularly an issue for devices with the potential to cause harm, such as automobiles. The rising safety concerns caused by the complexity of such devices have led to the development of standards in an attempt to increase confidence. For example, the ISO 26262 standard for functional safety of road vehicles addresses the rising complexity of automobile electrical/electronic systems (ISO (2011)).

These issues have now compounded to the point where automobile manufacturers find themselves needing to alter their existing development processes, which are often model-based and iterative, to comply with a new standard, while at the same time attempting to assure the dependability of their increasingly complex cars. The need to create, manage and exchange large quantities of assurance information, and the lack of a common structure or format for this information, is a major hindrance to producing and assuring dependable automobiles.

In this article, we discuss an effort at the Object Management Group (OMG) to produce a common, model-based method for sharing dependability information. The challenge this effort is tackling is how to unify dependability assurance arguments from diverse fields, and so allow the sharing of experience and knowledge.

2. DEPENDABILITY ASSURANCE FRAMEWORK FOR SSCDS RFP

The OMG's System Assurance Platform Task Force (SysA PTF) (OMG System Assurance Task Force (2013a)) focuses on the use of model-based techniques to facilitate the interchange of information regarding system assurance. As part of this, it is working on model-based techniques for assurance cases. An assurance case provides an argument that a particular system can be depended on to perform as expected. It is

"A documented body of evidence that provides a convincing and valid argument that a system is adequately dependable for a given application in a given environment."

As part of this, the SysA PTF is working on a standard meta-model-based approach to specifying an assurance case, including the argument itself and supporting evidence from the system design and its development process. The OMG has already published several specifications in this area produced by the SysA; most recently the Structured Assurance Case Meta-model (SACM) specification (OMG System Assurance Task Force (2012)), which provides an interchange model for assurance case arguments.

⋆ Yutaka Matsuno and Kenji Taguchi have been partially supported by the JST CREST DEOS (Dependable Embedded Operating System for practical use) project.

978-3-902823-48-9/2013 © IFAC 554 10.3182/20130904-4-JP-2042.00154



The SysA PTF's next effort focuses on providing a standard meta-model-based approach for specifying the evidence on which an assurance case builds and linking that evidence to the argument. This effort recently entered the official OMG standardization process with the publication of the "Dependability Assurance Framework for Safety-Sensitive Consumer Devices Request for Proposals" (SSCD RFP) (OMG System Assurance Task Force (2013b)).

The SSCD RFP calls for proposals that provide three facilities:

(1) Dependability Conceptual Models (DCMs), which define what dependability means in the relevant context;
(2) Dependability Process Models (DPMs), which define the process(es) used for developing SSCDs; and
(3) templates to be used to construct Dependability Assurance Cases (DACs) for SSCDs.

The RFP was published in March, 2013. It was preceded by a Request for Information (RFI) that was published in March, 2012. This RFI attracted responses from four institutions: Nagoya University, Toyota, The University of Florence, and the Trusted Computing Group. The responses provided a broad range of approaches that was used to construct the RFP. Submissions to the RFP are due in November, 2013. The specification will be built from these submissions; the publication of a standard specification by the OMG is expected by mid-2016.

The remainder of this article discusses the effort by the Information Technology Promotion Agency of Japan (IPA) (Information-Technology Agency, Japan (2013)) to produce a submission in answer to the RFP.

3. SSCD PROPOSAL FROM THE IPA

The IPA has founded a committee for the standardisation of SSCD assurance; its task is to produce a draft standard and submit it to the OMG in response to the SSCD RFP. This committee is in the early stages of its work; in this section, we describe the IPA's current proposal.

The IPA's proposal is based on a doubly-iterative development process, where development proceeds in an iterative fashion in parallel with an assurance process, which likewise iterates to produce an argument that matches the development products. This process is described in greater detail in Matsuno et al. (2012).

The IPA's solution for the DACs is based on the Goal Structuring Notation (GSN) (GSN contributors (2011)). The proposed DAC is being developed experimentally based on a GSN assurance case for an automobile engine. The assurance case was created in consultation with automobile engineers who are experts on engine control and design. The assurance case argues that an update to the engine's design will not affect its dependability in terms of not suffering from engine stall in all foreseeable operating conditions (this is the top goal of the argument). The top goal is decomposed into three sub-goals:

• engine stall is sufficiently mitigated in previous development;
• engine stall is sufficiently mitigated in the updated component; and
• engine stall is sufficiently mitigated in vehicle evaluation.

These three sub-goals are elaborated until sufficient evidence from field data and from verification and validation results is available. The argument assumes the use of model-based development, and so it reflects the current state of the art in automobile development. The argument also assumes the notion of "proven in use" (IEC (2010)): not fully testing all components of the engine, and instead using available field data to assure that unchanged parts of the engine have previously functioned correctly without engine stalling.

4. CONCLUDING REMARKS

This article has discussed a new standardisation effort underway at the OMG. Its goal is to provide a model-based method for the exchange and re-use of dependability assurance information. By doing so, it will facilitate the development of dependable safety-sensitive consumer devices and enable manufacturers to use existing knowledge, processes and assets in line with new standards for safety.

The dependability of SSCDs is a growing concern in many areas, including automobiles, service robots, consumer electronics and smart houses. The production of this new standard will aid manufacturers in these areas and more. We encourage any interested parties to actively participate in the standardisation process.

REFERENCES

Avizienis, A., Laprie, J.C., Randell, B., and Landwehr, C. (2004). Basic concepts and taxonomy of dependable and secure computing. IEEE Trans. Dependable Secur. Comput., 1(1), 11–33.
GSN contributors (2011). GSN community standard version 1.0.
IEC (2010). 61508 association policy document: Proven in use. http://www.61508.org/?page_id=143.
Information-Technology Agency, Japan (2013). IPA homepage. http://www.ipa.go.jp/index-e.html.
ISO (2011). ISO 26262 road vehicle - functional safety -, part 1 to part 10.
Matsuno, Y., Taguchi, K., Nakabo, Y., and Ohata, A. (2012). Iterative and simultaneous development of embedded control software and dependability cases for consumer devices. In Proceedings of SICE Annual Conference 2012.
OMG System Assurance Task Force (2012). http://sysa.omg.org.
OMG System Assurance Task Force (2013a). http://sysa.omg.org/.
OMG System Assurance Task Force (2013b). Dependability assurance framework for safety-sensitive consumer devices request for proposal. Sysa/13-03-13.
Tokoro, M. (2012). White paper: Dependable embedded operating system for practical use (DEOS) project, version 3.
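Added illustration (not part of the paper or of the IPA's draft): a minimal GSN-style model of the engine-stall argument from Section 3, with the two checks a case reviewer would run on it: which goals are still undeveloped (no sub-goals and no evidence), and which goals rest solely on field data under the "proven in use" assumption. Node ids, evidence descriptions and the evidence kinds "field_data" and "vv_result" are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Set


@dataclass
class Solution:
    """GSN solution node: one piece of evidence supporting a goal."""
    id: str
    description: str
    kind: str  # constructed labels: "field_data" (proven in use) or "vv_result"


@dataclass
class Goal:
    """GSN goal node: a claim, developed by sub-goals and/or evidence."""
    id: str
    claim: str
    subgoals: List["Goal"] = field(default_factory=list)
    solutions: List[Solution] = field(default_factory=list)


def undeveloped_goals(goal: Goal) -> List[str]:
    """Ids of goals with neither sub-goals nor evidence (GSN 'undeveloped')."""
    if not goal.subgoals and not goal.solutions:
        return [goal.id]
    return [g_id for g in goal.subgoals for g_id in undeveloped_goals(g)]


def evidence_kinds(goal: Goal) -> Set[str]:
    """Kinds of evidence that ultimately support the goal."""
    kinds = {s.kind for s in goal.solutions}
    for g in goal.subgoals:
        kinds |= evidence_kinds(g)
    return kinds


def field_data_only(goal: Goal) -> List[str]:
    """Ids of goals whose own evidence is solely field data (proven in use)."""
    hits = [goal.id] if goal.solutions and all(
        s.kind == "field_data" for s in goal.solutions) else []
    return hits + [g_id for g in goal.subgoals for g_id in field_data_only(g)]


def build_engine_stall_case() -> Goal:
    """Constructed sample case: the three sub-goals named in Section 3."""
    g1 = Goal("G1", "Engine stall is sufficiently mitigated in previous development",
              solutions=[Solution("Sn1", "Field data for unchanged engine parts", "field_data")])
    g2 = Goal("G2", "Engine stall is sufficiently mitigated in updated component",
              solutions=[Solution("Sn2", "Verification results for updated component", "vv_result")])
    g3 = Goal("G3", "Engine stall is sufficiently mitigated in vehicle evaluation")  # not yet developed
    return Goal("G0", "The design update does not cause engine stall in any foreseeable operating condition",
                subgoals=[g1, g2, g3])
```

Each iteration of the assurance process adds sub-goals or solutions until `undeveloped_goals` returns an empty list; `field_data_only` lists the claims whose acceptance depends on the proven-in-use argument rather than on new verification.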
