© OPENCOSS – First Project Review, Brussels, June 19, 2012
First OPENCOSS EAB Meeting
Toulouse, September 23-24, 2013
Agenda (1/2): Monday, Sept 23, 2013
© OPENCOSS – First EAB Meeting, Toulouse, September 23-24, 2013
Welcome Session [10:30am – 11:00am]
Overview Session [11:00am – 12:30pm]
• The need / The scope / Our vision / Expectations (Tim Kelly)
• Role of EAB and quick round table
• OPENCOSS usage scenarios (Huascar Espinoza)
• Q&A
Expectations of industry [12:30pm – 1pm]
• Automotive, Avionics, Railway (Cedric Chevrel, Laurent de la Beaujardiere)
• Q&A
Technical Session [2pm – 4pm]
• Common Certification Language (Jose-Luis de la Vara)
• Evidence management infrastructure (Jose-Luis de la Vara)
• Process management infrastructure (Jérôme Lambourg)
• Reuse and composability strategy (Tim Kelly)
• Q&A
Coffee break [3:30pm]
Round table – Discussion on challenges (Tim Kelly with Andrea Palermo) [4pm – 5pm]
Agenda (2/2): Tuesday, Sept 24, 2013
Round table – Best Practices & Solutions (Tim Kelly, Huascar Espinoza) [9am – 12pm]
• Group work: feedback from experience
Coffee break [10:30]
• Feedback from experience
• Wrap up
Shared session with SASSUR [2pm – 4pm]
• Present the results of the morning discussion (for open discussion)
Meeting Attendees: OPENCOSS Consortium
Open Platform for EvolutioNary
Certification Of Safety-critical Systems
Large-scale integrating project (IP)
Project Objectives and Overview
First EAB Meeting
Toulouse, September 23, 2013
Tim Kelly
OPENCOSS Technical Coordinator
The three motivating factors behind OPENCOSS
• Initial & Rework Costs
• Coping with Risks
– Deploying a safe system
– Certification risks
• Acceptance of Innovative
Technologies/Methods
– System development approaches
– Certification approaches
The OPENCOSS Objectives
1. Create a cross-domain and standardized conceptual
framework to specify and manage certification assets
(e.g. goals, claims, evidence).
2. Develop a compositional safety assurance approach to
enable cost-effective reuse of pre-qualified building
blocks.
3. Develop a tool platform for evolutionary and
transparent safety assurance with the ability to automate
the most labor-intensive certification-related activities
(e.g. evidence & compliance management, metrics).
The OPENCOSS Mission
• Integrating Engineering & Certification from Early Stages
• Guidance to Follow a Cost-effective Certification
• Reuse of Certification Assets
• Automate labor-intensive certification-related activities

Levels of Capability Maturity (for reuse of certification assets):
1. Reuse across projects (same standards)
2. Reuse across projects (different standards)
3. Reuse across domains
4. Reuse across countries
OPENCOSS at a Glance
External Advisory Board: 21 members from industry, regulation organizations, academia
Tangible Outcomes Targeted
[Figure: two outcomes, the Conceptual Certification Framework (target for standardization) and the Safety Certification Management Infrastructure (target for open source services)]
• Conceptual Certification Framework
  – The common certification language (CCL)
  – A compositional certification approach
• Safety Certification Management Infrastructure
  – Management of an evolutionary evidential chain
  – Management of a visible and transparent certification process
  – Management of a compliance-aware process
The Common Certification Language
Goals:
• Getting mutual understanding of fundamental concepts of safety assurance and certification
• Reconciling argument-based and standards-based approaches to certification
• Devising, based on the common concepts, domain-specific "solutions"
• Facilitating reuse of safety assurance and certification assets
The Common Certification Language
[Figure: the CCL organized in three levels]

Conceptual level
• CCL provides the core concepts organized in semantically related groups: Safety Argumentation, Evidence Characterization, Compliance Management.
• CCL Vocabulary (e.g. SBVR) and the CCF propositional language.

Standard-specific level
• Requirements and guidance: IEC 61508, ISO 26262, EN 50126, EN 50128, EN 50129, EN 50159, ARP4761, ARP4754, DO178, DO254, DO297, FAR 25, CS 25, IR 21 PART 21, EU rules (EU 216/2008), ERTMS, National Rules.
• Mappings from each standard's terms onto the CCL vocabulary.

Project-specific level
• Definition of certification scope: Cert. Project Railways X (Cert. items Railways X.1, Railways X.2) and Cert. Project Avionics Y (Cert. items Avionics Y.1, Avionics Y.2), with re-use between them.
• Safety assurance & certification processes; safety cases & evidence repository; process execution assessment.

Example safety-case fragment shown at the conceptual level (GSN notation):
• Top Level Goal: The 'aircraft' is acceptably safe for operations.
  – Context: Acceptably Safe. Context: SOIU.
  – Argument based on a comprehensive safety case to reduce risk via a safe design, safe operation and safe environment.
    · Goal 1: The design and build of the 'aircraft' is such that the aircraft may be operated safely.
    · Goal 2: 'Aircraft' operations are managed and carried out with appropriate safety.
    · Goal 3: Safety management arrangements are such that the interface between the 'aircraft', its operating infrastructure and the environment in which the 'aircraft' is operated is maintained adequately safe.
    · Goal 4: Co-ordinated safety management activities ensure that all risks remain broadly acceptable or tolerable and ALARP, or management action is initiated.
A Compositional Certification Approach
Goals:
• Defining a compositional, contract-based certification approach compatible with the CCL.
• Using the contracts for integration of assured components.
• Assessing emergent properties or unexpected interactions which may arise during integration.
• Preserving the chain of evidence across these processes.
A Compositional Certification Approach
Principles:
1. A change to a design element (component, RTOS, etc.) should only affect the corresponding module, and not impact the entire argument.
2. Assurance Case Modules can be composed if: (a) goals match and (b) context is compatible.
3. Results can be recorded in an assurance case contract.
4. Establish a defined record of the inter-assurance-case agreement: this supports management of change.
5. Change scenarios include: hardware vendor change, addition of a single application, addition of extra processing nodes, change of data bus.
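The five principles above can be made concrete in a few dozen lines. The following is an added example written for this page, not OPENCOSS code and not the project's tool platform: module names (board, rtos, app), goal identifiers (G_HW, G_PART, G_APP) and context facts (cpu, mmu, wcet_budget_ms) are constructed. It applies rules (a) goals match and (b) context compatible when composing two modules, records the result as a contract, and then replays the "hardware vendor change" scenario to show that only the contract on the changed module's boundary has to be re-established.

```python
"""Composition of modular assurance cases through contracts (added example).

Constructed illustration: module names, goal ids and context facts are made up.
"""
from dataclasses import dataclass, replace


@dataclass
class AssuranceModule:
    """One module of a modular assurance case (e.g. for a component or an RTOS)."""
    name: str
    provides: dict[str, str]     # goal id -> claim the module's argument establishes
    requires: set[str]           # goal ids the module expects another module to establish
    context: dict[str, object]   # assumptions about the environment the argument relies on


@dataclass
class Contract:
    """Record of an inter-assurance-case agreement made at composition time."""
    consumer: str
    provider: str
    goals: set[str]                    # consumer requirements matched by provider goals
    shared_context: dict[str, object]  # context facts both sides agreed on


def context_conflicts(a: dict, b: dict) -> list[str]:
    """Keys present in both contexts with different values (incompatible assumptions)."""
    return sorted(k for k in set(a) & set(b) if a[k] != b[k])


def check_composition(consumer: AssuranceModule, provider: AssuranceModule):
    """Apply the two composition rules: (a) goals match, (b) context is compatible.

    Returns (matched goal ids, list of reasons the composition is rejected).
    """
    matched = consumer.requires & set(provider.provides)
    reasons = []
    if not matched:
        reasons.append(f"no goal of {provider.name} satisfies a requirement of {consumer.name}")
    for key in context_conflicts(consumer.context, provider.context):
        reasons.append(
            f"context conflict on {key!r}: {consumer.name}={consumer.context[key]!r}, "
            f"{provider.name}={provider.context[key]!r}")
    return matched, reasons


def compose(consumer: AssuranceModule, provider: AssuranceModule) -> Contract:
    """Compose two modules into a contract, or raise if rules (a)/(b) do not hold."""
    matched, reasons = check_composition(consumer, provider)
    if reasons:
        raise ValueError("; ".join(reasons))
    shared = {k: consumer.context[k] for k in set(consumer.context) & set(provider.context)}
    return Contract(consumer.name, provider.name, matched, shared)


def revalidate(contracts: list[Contract], modules: dict[str, AssuranceModule]) -> dict:
    """After modules changed, return {(consumer, provider): reasons} for broken contracts.

    Only contracts touching a changed module can appear here, so the change is
    localised to the module boundary instead of invalidating the whole argument.
    """
    broken = {}
    for c in contracts:
        provider = modules[c.provider]
        reasons = []
        missing = c.goals - set(provider.provides)
        if missing:
            reasons.append(f"{c.provider} no longer provides {sorted(missing)}")
        for side in (modules[c.consumer], provider):
            for key, agreed in c.shared_context.items():
                if key not in side.context or side.context[key] != agreed:
                    reasons.append(
                        f"{side.name}.{key} changed from {agreed!r} to {side.context.get(key)!r}")
        if reasons:
            broken[(c.consumer, c.provider)] = reasons
    return broken


def hardware_vendor_change_scenario() -> dict:
    """Change scenario: a new board supplier changes the CPU. Which contracts must be redone?"""
    board = AssuranceModule("board", {"G_HW": "Board meets its hardware safety requirements"},
                            set(), {"cpu": "armv7", "mmu": True})
    rtos = AssuranceModule("rtos", {"G_PART": "Partitions are isolated in time and space"},
                           {"G_HW"}, {"cpu": "armv7", "mmu": True})
    app = AssuranceModule("app", {"G_APP": "Application function is acceptably safe"},
                          {"G_PART"}, {"cpu": "armv7", "wcet_budget_ms": 5})
    modules = {m.name: m for m in (board, rtos, app)}
    contracts = [compose(rtos, board), compose(app, rtos)]   # both compositions succeed
    # Hardware vendor change: the board's CPU assumption changes, nothing else does.
    modules["board"] = replace(board, context={"cpu": "armv8", "mmu": True})
    return revalidate(contracts, modules)


if __name__ == "__main__":
    for pair, reasons in hardware_vendor_change_scenario().items():
        print(pair, reasons)
```

Only the (rtos, board) contract is reported; the (app, rtos) contract is untouched because its agreed context never mentioned the board. A rejected composition (for instance an application that assumes a different CPU than the RTOS) surfaces as a context conflict in `check_composition` before any contract is written.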
A Compositional Certification Approach
[Figure: reuse scenarios for Component A, arranged by "Different Systems" (horizontal) and "Different Domains" (vertical)]
• Same system, same domain: Component A, original certification.
• Different system, same domain: Component A, no new standards, but the new system challenges assumptions.
• Similar safety system, new domain: Component A, new domain requires new standards.
• New type of system, new domain: Component A, new domain requires new standards, and the new type of system challenges safety assumptions.
Safety Certification Management Infrastructure
Goals:
• Management of standards-related information and interpretations (storage, classification, traceability, searching).
• Assurance-case-centered approach for structured management of certification assets (e.g. arguments, evidence).
• Management of evidence evolution and change gap analysis.
• Tool assistance for enabling transparent process management through metrics and estimations.
• Integration with state-of-the-practice engineering tools (e.g. DOORS, Simulink, Word, Excel, Medini Analyze, …).
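"Management of evidence evolution and change gap analysis" above, and the "evolutionary evidential chain" and "preserving the chain of evidence" goals earlier, come down to one mechanism: pin each piece of evidence to the exact artefact version that was reviewed, and recompute which claims are still covered whenever an artefact changes. The block below is an added example, not OPENCOSS code and not the project's repository; the claim ids (G_COVERAGE, G_TRACE, G_WCET), requirement ids (STD-A/obj-7 etc.), reviewer name and artefact contents are constructed placeholders. It uses a SHA-256 content digest as the version identity, so a silently regenerated report is detected as stale rather than passing on its file name.

```python
"""Evolutionary evidence chain with change gap analysis (added example).

Constructed illustration: claim ids, requirement ids, artefact names and contents are made up.
"""
import hashlib
from dataclasses import dataclass, field


def digest(content: bytes) -> str:
    """Content identity of an artefact version (SHA-256 hex)."""
    return hashlib.sha256(content).hexdigest()


@dataclass
class Evidence:
    """A link from a claim to an artefact, pinned to the artefact version that was reviewed."""
    ident: str
    claim: str
    artefact: str
    reviewed_digest: str
    reviewer: str


@dataclass
class EvidenceRepository:
    artefacts: dict[str, bytes] = field(default_factory=dict)          # name -> current content
    evidence: dict[str, Evidence] = field(default_factory=dict)        # evidence id -> link
    history: list[tuple[str, str]] = field(default_factory=list)       # (artefact, digest) per version

    def put_artefact(self, name: str, content: bytes) -> str:
        """Store a new version of an artefact; returns its content digest."""
        d = digest(content)
        self.artefacts[name] = content
        self.history.append((name, d))
        return d

    def link(self, ident: str, claim: str, artefact: str, reviewer: str) -> Evidence:
        """Record that `artefact`, as it exists now, was reviewed as evidence for `claim`."""
        ev = Evidence(ident, claim, artefact, digest(self.artefacts[artefact]), reviewer)
        self.evidence[ident] = ev
        return ev

    def status(self, ev: Evidence) -> str:
        """current: artefact unchanged since review; stale: changed; removed: gone."""
        current = self.artefacts.get(ev.artefact)
        if current is None:
            return "removed"
        return "current" if digest(current) == ev.reviewed_digest else "stale"

    def gap_analysis(self, traceability: dict[str, list[str]]) -> dict[str, dict]:
        """For each claim (mapped to the standard requirements it is needed for) report
        whether it is covered by current evidence, backed only by stale evidence, or missing."""
        report = {}
        for claim, reqs in traceability.items():
            items = [e for e in self.evidence.values() if e.claim == claim]
            states = {e.ident: self.status(e) for e in items}
            if not items:
                verdict = "missing"
            elif any(s == "current" for s in states.values()):
                verdict = "covered"
            else:
                verdict = "stale"
            report[claim] = {"verdict": verdict, "evidence": states, "requirements": reqs}
        return report


def coverage_rework_scenario() -> dict[str, dict]:
    """Evolution scenario: code changes, the coverage report is regenerated, one claim was never evidenced."""
    repo = EvidenceRepository()
    repo.put_artefact("coverage_report.txt", b"statement coverage: 100%\nbranch coverage: 98%\n")
    repo.put_artefact("trace_matrix.csv", b"REQ-1,test_1\nREQ-2,test_2\n")
    repo.link("EV-1", "G_COVERAGE", "coverage_report.txt", reviewer="assessor-1")
    repo.link("EV-2", "G_TRACE", "trace_matrix.csv", reviewer="assessor-1")
    traceability = {                      # claim -> standard requirements it discharges (placeholders)
        "G_COVERAGE": ["STD-A/obj-7"],
        "G_TRACE": ["STD-A/obj-3", "STD-B/req-12"],
        "G_WCET": ["STD-B/req-20"],
    }
    # A new coverage report is produced after a code change; the earlier review no longer applies.
    repo.put_artefact("coverage_report.txt", b"statement coverage: 100%\nbranch coverage: 95%\n")
    return repo.gap_analysis(traceability)


if __name__ == "__main__":
    for claim, row in coverage_rework_scenario().items():
        print(claim, row["verdict"], row["evidence"], row["requirements"])
```

The report gives the assessor the three answers the slide asks for: which requirements are still backed by reviewed evidence (G_TRACE), which ones silently lost their backing when an artefact evolved (G_COVERAGE), and which ones never had any (G_WCET). Keeping `history` makes it possible to show the chain of versions an artefact went through rather than only its current state.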
State of the Practice
[Figure: a typical organization producing safety-critical systems]
Actors: Engineers, Safety Manager, Executive, Authorities, Independent Assessor, and a Repository of reports and artefacts.
Problems observed:
• Engineers are unaware of the certification process.
• Difficulties in interpretation and communication of argumentation.
• Compiling reports and artefacts is time-consuming, and they are difficult to retrieve.
• Data exists in many places, with different formats, multiple copies and versions.
• No transparency on cost estimations.
OPENCOSS Vision
[Figure: the same organization with OPENCOSS at the centre, integrated with External Tools]
Actors: Engineers, Safety Manager, Executive, Authorities, Independent Assessor.
• Harmonized and synchronized agreements on interpretations.
• Transparent safety assurance costs and estimations.
• Awareness of compliance and the certification process.
• Centralized management of safety assurance assets.
• The Safety Case concept provides an understandable compilation of safety argumentation and evidence.
Conclusions
• Activities and deliverables on track
• Finding a "common OPENCOSS vision" and borderline implied a significant effort
• Technical risks handled by:
  – Scoping work and "prototyping" approach
  – Reuse of existing approaches (projects, standards)
• Adoption risks handled by:
  – Deploying EAB and industrial outreach plan (workshops, events)
  – External training program