Modular Certification and Safety Concepts for Mixed Criticality

Author: Imanol Martinez (IKERLAN)

Safety certification according to industrial standards poses many challenges, chief among them providing sufficient evidence to demonstrate that the resulting system is safe for its intended purpose.

A ‘safety case’ "represents an argument supporting the claim that the system is safe for a given application in a given environment". It provides I) arguments to demonstrate that safety properties are satisfied and risk has been mitigated, II) a notation mechanism that is often required as part of the certification process, and III) interoperability among different standards and domains (e.g., avionics, automotive, railway).

A well-partitioned safety case limits the impact of changes to a reduced area of the safety case and enables the reuse of those parts. Partitioning is a complexity-management technique that subdivides the system into smaller parts (modules) that are generated independently and then used to compose the system. On this basis, modular safety cases potentially enable the reuse of predefined modules, reducing overall complexity (a simplification strategy) and confining the impact of changes to specific modules.

The modular safety case of a system component defines a minimum, reasonable set of arguments and evidence that the component should meet or provide in order to support the development of mixed-criticality systems compliant with a domain-specific safety standard. Different devices can fulfil this modular safety case using different strategies and solutions; therefore a 'linking analysis' document must be provided for each device. The linking analysis describes how each specific device fulfils the safety arguments. It also includes the impact analysis of nonconformities and the identification of exported requirements and of imported requirements that shall be provided by the ‘end user’.
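The two mechanisms described above, confining change impact to specific modules and resolving imported against exported requirements in a linking analysis, can be made concrete with a small checker. The following is an added illustration written for this page; it is not code from the article or from IKERLAN, and the module names and requirement identifiers (mpu, spatial_partitioning, e2e_crc_configured, ...) are invented placeholders for a hypothetical hypervisor-based mixed-criticality stack. Imported requirements that no module in the composition exports are exactly the ones the linking analysis must hand to the ‘end user’; a nonconformity is modelled as an export the concrete device does not actually provide, so its impact shows up as newly unmatched imports in dependent modules.

```python
"""Toy composition checker for modular safety cases.

Added example for this page, not part of the original article or any
IKERLAN tooling. All module and requirement names are hypothetical.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SafetyCaseModule:
    name: str
    imports: frozenset   # requirements this module needs others to guarantee
    exports: frozenset   # requirements this module guarantees to others
    # Exports the concrete device fails to meet (nonconformities found when
    # a specific product is linked against the generic module).
    nonconformities: frozenset = frozenset()

    def effective_exports(self):
        """What the device really provides once nonconformities are subtracted."""
        return self.exports - self.nonconformities


def linking_analysis(modules):
    """Return {module: [unmatched imports]} for the composition.

    An unmatched import is a requirement that no module in the system
    effectively exports; the system architect must pass it on to the
    end user (or add a module that provides it)."""
    provided = set()
    for m in modules:
        provided |= m.effective_exports()
    gaps = {}
    for m in modules:
        missing = m.imports - provided
        if missing:
            gaps[m.name] = sorted(missing)
    return gaps


def change_impact(modules, changed_name):
    """Modules whose safety argument must be revisited if `changed_name` changes.

    A module is affected if it imports anything the changed module exports,
    transitively through the modules it in turn exports to. Everything
    outside this set keeps its argument untouched, which is the point of
    partitioning the safety case."""
    by_name = {m.name: m for m in modules}
    affected = set()
    frontier = [changed_name]
    while frontier:
        current = by_name[frontier.pop()]
        for m in modules:
            if m.name == changed_name or m.name in affected:
                continue
            if m.imports & current.exports:
                affected.add(m.name)
                frontier.append(m.name)
    return affected


def example_system(hypervisor_nonconformities=frozenset()):
    """Constructed sample composition (hypothetical module and requirement ids)."""
    hw = SafetyCaseModule("hardware", frozenset(),
                          frozenset({"mpu", "watchdog", "ecc_ram"}))
    hv = SafetyCaseModule("hypervisor", frozenset({"mpu", "watchdog"}),
                          frozenset({"spatial_partitioning", "temporal_partitioning"}),
                          hypervisor_nonconformities)
    safety_os = SafetyCaseModule("safety_os",
                                 frozenset({"spatial_partitioning", "temporal_partitioning"}),
                                 frozenset({"safe_scheduling"}))
    # The network module needs an end-to-end CRC enabled by the integrator:
    # nobody in the stack exports it, so it must go to the end user.
    net = SafetyCaseModule("comm_network",
                           frozenset({"safe_scheduling", "e2e_crc_configured"}),
                           frozenset({"safe_comm"}))
    app = SafetyCaseModule("application",
                           frozenset({"safe_comm", "safe_scheduling"}), frozenset())
    return (hw, hv, safety_os, net, app)


if __name__ == "__main__":
    system = example_system()
    print("exported to end user:", linking_analysis(system))
    print("impact of changing hypervisor:", sorted(change_impact(system, "hypervisor")))
    # Same stack, but this hypervisor product cannot demonstrate temporal partitioning.
    degraded = example_system(frozenset({"temporal_partitioning"}))
    print("with nonconformity:", linking_analysis(degraded))
```

Running the block reports that only the comm_network module has an import nobody provides, that a hypervisor change forces a review of safety_os, comm_network and application but not of the hardware module, and that the hypervisor nonconformity surfaces as a new gap in safety_os rather than as an unexplained failure at system level.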

This modular safety case is defined from the perspective of the ‘system architect’, in order to ease the specification, development and certification of mixed-criticality product families composed of a large number of ‘building blocks’. It aims to support a ‘safe by construction’ modular approach that I) provides arguments to demonstrate that safety properties are satisfied, II) provides a mechanism for review by RAMS engineers and certification authorities, and III) whenever reasonable, provides interworking of different standards.

These modular safety cases may be used in isolation or integrated with additional modular safety cases compliant with domain-specific standards (e.g., communication network, hypervisor, OS), as shown in Figure 1, in order to compose system-level safety concepts.

Figure 1: Modularity approach. A compliant module can be changed without impacting the whole safety case, enabling the reusability of each part.