The safety-critical systems can have the potential to pose significant risks to human life (injuries or even deaths) or create damage to equipment, property, or the environment, therefore it is crucial to provide pre-release safety and/or security assurance evidence to demonstrate that the system effectively manages and mitigates risks. Additionally, highly critical systems often require certification by a relevant regulatory authority or governing body before they can be used or deployed to ensure that systems meet the necessary safety/security requirements and comply with regulations and standards such as safety standard ISO 26262 for automotive or cybersecurity standard for ISO/SAE 21434 (see Figure 1).
The TRANSACT project investigates the transformation of safety-critical cyber-physical systems from localized standalone systems into safe and secure distributed solutions leveraging edge and cloud computing towards such benefits. This is only possible with safety and security assurance and (re)certification. If the system or product is upgraded or modified then it may require (re)certification, especially when the modifications affect safety-critical aspects of the system. The regulatory authority or certification body needs to review the changes and update assurance assets. However, if the system or component is used without modification then reuse of the existing documentation is possible, such as hazard analysis and risk assessment (HARA), verification report, and assurance cases. The reuse of existing documentation can significantly reduce the effort and cost of (re)certification.
The assurance and (re)certification of highly critical systems require the execution of complex and labor-intensive activities, for instance, the definition of an asset or item, performing HARA, development of assurance (safety or security) cases, and generating and maintaining evidence (e.g., design documents, test reports, simulation results). In TRANSACT project we considered that existing tools can be used to automate repetitive tasks, perform consistency checks, and provide guidance, which can increase efficiency and reduce the likelihood of human errors. For this we used three main tools integrated into the AMASS platform : EPF (Eclipse Process Framework) Composer, Eclipse OpenCert, and Eclipse CHESS (Composition with Guarantees for High-integrity Embedded Software Components Assembly) Toolset for assurance and (re)certification as shown in Figure 2.
We apply the safety and security assurance process on UC3 Over-the-Air Updates (OTA) . OTA plays a crucial role in the maintenance and optimization of modern vehicles, including electric vehicles. Especially when the system demands critical bug fixes, the addition of a new feature, the removal of an existing feature, and so on. However, OTA updates also introduce potential cybersecurity risks, updates should not affect the safety aspects of the system. Therefore, the process defined in security standard ISO/SAE 21434  should be followed and threat analysis and risk assessment (TARA) should be performed.
Standard Requirements and Process Modeling: EPF Composer was used for modeling the standard requirements and processes as plugins by following the guidelines mentioned in [3, 4]. It also provides support for basic compliance between processes and requirements. OpenCert baseline editor can also be used for the modeling process. These tools support the definition of development and assurance processes as well as the tailoring of particular project plans for assurance.
System Design and Dependability Analyses: In the CHESS toolset, the Requirement View is used to model functional, safety, or security requirements and System View is used for modeling the system’s hierarchical architecture. CHESS toolset also supports the mechanism of contract-based system specification and architectural pattern management. After the system (or item) has been defined, the next step is to identify the threats to the item. TARA was performed and MAGERIT was considered. Based on the analysis results, cybersecurity goals are derived, and the cybersecurity assurance level (CAL) is allocated. Cybersecurity requirements and contracts are derived from cybersecurity goals and modeled in CHESS views.
Assurance Case Management: Assurance cases are structured arguments, often in the form of documents, that provide a logical and structured justification for the safety and security of a system. An assurance case consists of process-based arguments that can show processes generate trustworthy evidence and product-based arguments that may directly show from the evidence that residual risks for the product are acceptably low . Assurance cases can be manually in the Assurance Case editor in OpenCert. Process-based arguments can be generated from the process modeled in EPF Composer. The product-based arguments can be generated from the contract-based architectural specification. The existing or changed evidence (e.g., the result of a test case, or TARA report) can be linked to an assurance case claim. The reuse of techniques and documents reduced the cost.
- AMASS Project deliverable D2.5 https://www.amass-ecsel.eu/sites/amass.drupal.pulsartecnalia.com/files/D2.5_User-guidance-and-methodological-framework_AMASS_Final.pdf
- Transact ECSEL. “Energy Efficient Electric Vehicles – UC3: Cloud-Featured Battery Management For Electric Vehicles”, TRANSACT Project Website, https://transact-ecsel.eu/energy-efficient-electric-vehicles, 2022,
- F.U. Muram, B. Gallina, L. G. Rodriguez, “Preventing Omission of Key Evidence Fallacy in Process-based Argumentations”. In: 11th International Conference on the Quality of Information and Communications Technology (QUATIC), Coimbra, Portugal, September 4-7, 2018. pp. 65–73
- F.U. Muram, B. Gallina, S. Kanwal, S. “A Tool-Supported Model-Based Method for Facilitating the EN50129-Compliant Safety Approval Process.” Reliability, Safety, and Security of Railway Systems. Modelling, Analysis, Verification, and Certification. RSSRail 2019. vol 11495.
- F. U. Muram, M. A. Javed, ATTEST: Automating the review and update of assurance case arguments, Journal of Systems Architecture (JSA), Volume 134, 2023
- ISO/SAE 21434:2021 Road vehicles — Cybersecurity engineering