Principal Investigator at ASE: Prof. Seppo Kuikka
Duration of the project: 1.3.2009 - 30.9.2011
Safety Critical Software in Machinery Systems is a research project carried out in co-operation by Tampere University of Technology (TUT) and VTT Technical Research Centre of Finland. At TUT, two units participate in the project: the Department of Automation Science and Engineering (ASE) and the Department of Software Systems (OHJ). The project started in 2009 and will continue until autumn 2011.
The research topics of the project are divided into seven work packages. The work packages, with the unit having the main responsibility for each, are: concept and technology survey (VTT), functional safety and security as components of overall safety (ASE/TUT), safety requirements of software development phases (OHJ/TUT), architectures of control systems and control applications (ASE/TUT), development of an operations model for software engineering (VTT), customer cases (VTT), and coordination and reporting (VTT). In addition to work packages 2 and 4, ASE/TUT also participates in the other work packages, including the customer cases.
Concept and technology survey
The first work package, concept and technology survey, focuses on finding, describing and assessing suitable, well-established practices for the different phases of developing safety critical applications and systems. The practices are gathered from relevant standards and guidelines and categorized by the task they target and the phase of the project in which they apply. A further categorizing aspect is their suitability for the different safety integrity levels defined by the IEC 61508 standard.
Functional safety and security as components of overall safety
Work package 2, functional safety and security as components of overall safety, is based on the notion that although there are dependencies between the safety and security aspects of systems, the two are currently treated separately in industry. In this work package, our main objective is to unify the concepts behind functional safety and security into a cohesive whole that supports the development of safety critical applications.
We focus on the modeling of requirements, perhaps the most challenging part of development, which has also been studied in the AUKOTON project but not from the point of view of safety and security. In the development of safety critical applications, the traceability and rationale of requirements are especially important: everything should be traceable back to the actual safety needs revealed by careful hazard and risk analysis. Part of the metamodels developed during the project is illustrated in figure 1.

Figure 1. Part of the risk and hazard modeling concepts developed during the project.
Another working direction is simulation capabilities, in which we extend the work done in the CODES project. The approach originally developed during CODES is integrated into the development and design-time verification of alternative approaches to achieving safety.
Safety requirements of software development phases
The third work package, safety requirements of software development phases, focuses on the development processes of safety critical applications. Traditionally, development has followed the well-known waterfall model (V-model), which is also suggested by several standards. However, iterative and agile development processes nowadays offer considerable alternatives to the traditional process. The aim of the task is to compare the traditional V-model with modern, more agile process models in order to assess whether agile development processes could also be utilized in the safety domain.
Architectures of control systems and control applications
In addition to the aspects common to all software development, the development of safety related software involves challenges of a special character, such as isolating the safety critical parts of an application from the non-safety-related parts. There are also other challenges related to, for example, the utilization of commercial or open source components, or of solutions such as design patterns, as part of an application. The challenges are mainly caused by the need to be able to prove the characteristics of the system and by the responsibility for the safety of the application. The architecture of the software and of the system plays an important role when these aspects are designed into the software.
In the project, architectural challenges are mainly covered in work package 4, architectures of control systems and control applications. Solutions to some problems, such as reliability aspects, can be found in standards and literature; however, some of the architectures and patterns need refactoring to meet the constraints and characteristics of the domain. In addition, industry requires practical examples of the successful utilization of the solutions.
The influence of safety standards must be kept in mind when safety-critical software architectures are considered. Standards such as IEC 61508-3 and IEC 13849 impose requirements on the software that handles safety-critical functionality, and they also set requirements on the architecture of the software. Because of this, the influence of the standards on the work is considerable.
In practice, countless ways to implement a safety system exist. Figure 2 illustrates one simple possibility. The safety logic and the main control logic are separated into their own modules, which simplifies the design of the safety functionality. A switch is incorporated to handle the selection of the final output signal. The safety logic has the higher priority and may thus override the main control module's output at any time.

Figure 2: Safety functionality aside main control functionality
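The module separation and output switch of figure 2, written out as an added example in C (this is illustrative code, not code from the project). The main control module computes a drive command from an operator request and knows nothing about safety conditions; the safety module inspects only safety-relevant inputs and produces a verdict; the switch gives the safety verdict priority. The limits, the input fields (e-stop, guard interlock, shaft speed, an input-validity flag) and all sample values are constructed for the example. One detail worth noting beyond the figure: the safety module treats missing or invalid inputs as unsafe, so a failed sensor forces the safe state instead of letting the main controller through.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical limits for the constructed example (not from the project). */
#define DRIVE_CMD_MIN        0     /* drive command in percent            */
#define DRIVE_CMD_MAX        100
#define MAX_SAFE_SPEED_RPM   3000  /* above this the safety logic trips   */

/* Inputs seen by the safety module. All fields are constructed sample data. */
typedef struct {
    bool     inputs_valid;    /* false if a sensor value is stale or failed */
    bool     emergency_stop;  /* e-stop button pressed                      */
    bool     guard_open;      /* interlocked guard door open                */
    uint16_t speed_rpm;       /* measured shaft speed                       */
} SafetyInputs;

/* Verdict of the safety module: whether it overrides, and the safe value. */
typedef struct {
    bool    override;
    int16_t safe_cmd;
} SafetyVerdict;

/* Main control module: turns an operator request into a clamped drive
 * command. It has no knowledge of safety conditions. */
int16_t main_control(int16_t operator_request)
{
    if (operator_request < DRIVE_CMD_MIN) return DRIVE_CMD_MIN;
    if (operator_request > DRIVE_CMD_MAX) return DRIVE_CMD_MAX;
    return operator_request;
}

/* Safety module: evaluates only the safety-relevant inputs. Any unsafe
 * condition, or an untrustworthy input, results in an override to the
 * safe state (drive command 0). Missing data is treated as unsafe, so the
 * module fails safe rather than passing the main controller's command on. */
SafetyVerdict safety_logic(const SafetyInputs *in)
{
    SafetyVerdict v = { .override = false, .safe_cmd = DRIVE_CMD_MIN };
    if (in == NULL || !in->inputs_valid ||
        in->emergency_stop || in->guard_open ||
        in->speed_rpm > MAX_SAFE_SPEED_RPM) {
        v.override = true;
    }
    return v;
}

/* The output switch of figure 2: the safety verdict always takes priority
 * over the main controller's command. */
int16_t output_switch(int16_t main_cmd, SafetyVerdict v)
{
    return v.override ? v.safe_cmd : main_cmd;
}

/* One control cycle: both modules run independently, then the switch
 * selects the final output signal. */
int16_t control_cycle(int16_t operator_request, const SafetyInputs *in)
{
    int16_t main_cmd = main_control(operator_request);
    SafetyVerdict v  = safety_logic(in);
    return output_switch(main_cmd, v);
}

int main(void)
{
    /* Constructed sample cycles. */
    SafetyInputs normal = { true,  false, false, 1200 };
    SafetyInputs estop  = { true,  true,  false, 1200 };
    SafetyInputs stale  = { false, false, false, 1200 };
    printf("normal : %d\n", control_cycle(60, &normal)); /* 60 */
    printf("e-stop : %d\n", control_cycle(60, &estop));  /* 0  */
    printf("stale  : %d\n", control_cycle(60, &stale));  /* 0  */
    return 0;
}
```

Because the two modules share no state and the switch is the only place where their outputs meet, the argument that the safety logic cannot be defeated by a fault in the main controller reduces to reviewing `safety_logic` and `output_switch`, which is the kind of isolation the standards cited above ask for.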
Development of an operations model for software engineering
The aim of the fifth work package, development of an operations model for software engineering, is to synthesize the work of work packages 2, 3 and 4 into an operations model for software engineering and development. The practices to be used are based both on the required safety integrity levels of the applications and on the type of the applications.
Customer cases
In the sixth work package, customer cases, the results and findings of the other work packages are applied to the industrial, real world applications of the companies participating in the project. The main focus is on improving the development processes used in the companies, but also on the technologies and architectures of safety systems.
Coordination and reporting
Work package seven, coordination and reporting, covers coordinating the research carried out in the project and reporting its results. The results are published in both national and international conferences and publications. At ASE, we are currently working on several publications; the papers and theses published so far include:
• Malm, Timo; Hietikko, Marita; Katara, Mika: Safety requirements for software of machinery – The weakest link in design. Automaatio 2011, 15.-16.3.2011.
• Paalijärvi, Jani; Katara, Mika; Karaila, Mika; Parkkinen, Teemu: Agile Development of Safety-Critical Software for Machinery: A View on the Change Management in IEC-61508-3. SIAS 2010, Tampere 14.-15.6.2010.
• Malm, Timo; Hietikko, Marita; Alanen, Jarmo: Safety-related systems in machinery – Variety of software. Safety of Industrial Automated Systems 2010 (SIAS), Tampere 14.-15.6.2010.
• Paalijärvi, Jani: Turvallisuuskriittisten ohjelmistojen kehitys ketterillä menetelmillä [Development of safety-critical software using agile methods]. Master's thesis, 2010. (in Finnish)
Funding:
TEKES, VTT, TTY, John Deere Forestry, Bronto Skylift, ABB, Sandvik Mining and Construction, Metso Automation, EPEC, Konecranes, Sundcon, Safety Advisor
Partners:
VTT Technical Research Centre of Finland
Personnel:
Seppo Kuikka
Jari Seppälä
Timo Vepsäläinen
Jari Rauhamäki