A Model-Based Safety Analysis of Dependencies Across Abstraction Layers

  • Christoph DropmannEmail author
  • Eike Thaden
  • Mario Trapp
  • Denis Uecker
  • Rakshith Amarnath
  • Leandro Avila da Silva
  • Peter Munk
  • Markus Schweizer
  • Matthias Jung
  • Rasmus Adler
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11093)


Identifying and mitigating possible failure propagation from one safety-critical application to another through common infrastructural components is a challenging task. Examples of such dependencies across software-stack layers (e.g., between application and middleware layer) are common causes and failure propagation scenarios in which a failure of one software component propagates to another software component through shared services and/or common computational resources. To account for this, safety standards demand freedom from interference in order to control failure propagation between mixed-critical software components. Safety analysis is typically focused on one abstraction layer, while robustness tests try to find failure propagation paths across abstraction layers. To this end, this paper presents a model-based failure propagation analysis combining failure propagation within and across abstraction layers. A classification of dependencies in combination with fault trees is used to perform a model-based dependency analysis. In addition, a novel modeling technique for integrating failure propagation aspects resulting from shared services and resources is presented. The analysis was used to carry out an early safety assessment of a real-world automotive redundancy mechanism within an integrated architecture. The results show that the method improved reusability and modularity, and made it easier to estimate failure propagation issues, including possible violations of freedom from interference within an integrated system.


Software and system safety Interferences Safety analysis 



We acknowledge financial support for this work from the German Federal Ministry of Education and Research (BMBF) in the projects “ARAMiS II” (01IS16025) and “Software Campus” (01IS12053). All responsibility for the content remains with the authors.


  1. 1.
    QNX Auto Blog. Accessed 22 Feb 2018
  2. 2.
    Kopetz, H., Obermaisser, R., El Salloum, C., Huber, B.: Automotive software development for a multi-core system-on-a-chip. In: Proceedings of the 4th International Workshop on Software Engineering for Automotive Systems. IEEE Computer Society, May 2007Google Scholar
  3. 3.
    ISO: ISO 26262 - Road vehicles - Functional safety (2011)Google Scholar
  4. 4.
    IEC: IEC 61508 - functional safety of electrical/electronic/programmable electronic safety-related systems (2010)Google Scholar
  5. 5.
    RTCA: DO-178C: Software Consideration in Airborne Systems and Equipment Certification (2012)Google Scholar
  6. 6.
    SYSGO Homepage. Accessed 22 Feb 2018
  7. 7.
    BlackBerry Homepage. Accessed 22 Feb 2018
  8. 8.
    AUTOSAR development partnership, Specification of Operating System (v 5.3.0) (2014)Google Scholar
  9. 9.
    Schirmeier, H., Hoffmann, M., Kapitza, R., Lohmann, D., Spinczyk, O.: Fail∗: towards a versatile fault-injection experiment framework. In: ARCS Workshops (ARCS) 2012, pp. 1–5. IEEE, February 2012Google Scholar
  10. 10.
    John, R.: Partitioning in avionics architectures: requirements, mechanisms, and assurance (1999)Google Scholar
  11. 11.
    Kotaba, O., Nowotsch, J., Paulitsch, M., Petters, S.M., Theiling, H.: Multicore in real-time systems–temporal isolation challenges due to shared resources. In: Workshop on Industry-Driven Approaches for Cost-effective Certification of Safety-Critical, Mixed-Criticality Systems, March 2013Google Scholar
  12. 12.
    Zimmer, B., Dropmann, C., Hänger, J.U.: A systematic approach for software interference analysis. In: Software Reliability Engineering (ISSRE) 2014. IEEE, November 2014Google Scholar
  13. 13.
    Dropmann, C., Amorim, T., Ruiz, A., Schneider, D.: Towards safe mixed critical embedded multi-core systems in dynamic and changeable environments. CPS Week EMC2, Vienna, Austria, April 2016Google Scholar
  14. 14.
    OMG SysML Website. Accessed 05 Mar 2018
  15. 15.
    Zimmer, B., Bürklen, S., Knoop, M., Höfflinger, J., Trapp, M.: Vertical safety interfaces – improving the efficiency of modular certification. In: Flammini, F., Bologna, S., Vittorini, V. (eds.) SAFECOMP 2011. LNCS, vol. 6894, pp. 29–42. Springer, Heidelberg (2011). Scholar
  16. 16.
    Schneider, D., Trapp, M.: Conditional safety certification of open adaptive systems. ACM Trans. Auton. Adapt. Syst. (TAAS) 8(2), 8 (2013)Google Scholar
  17. 17.
    Feiler, P.H., Gluch, D.P., Hudak, J.J.: The architecture analysis & design language (AADL): an introduction (No. CMU/SEI-2006-TN-011). Carnegie-Mellon University, Pittsburgh, Software Engineering Institute, PA (2006)Google Scholar
  18. 18.
    EAST-ADL Association: EAST-ADL Domain Model Specification. Version V2.1.12. EAST-ADL Association, Göteborg (2013)Google Scholar
  19. 19.
    Hilbrich, R., Behrisch, M.: Improving the efficiency of dislocality constraints for an automated software mapping in safety-critical systems (2018)Google Scholar
  20. 20.
    Papadopoulos, Y., Walker, M., Parker, D., Rüde, E., et al.: Engineering failure analysis and design optimisation with HiP-HOPS. Eng. Fail. Anal. 18(2), 590–608 (2011)CrossRefGoogle Scholar
  21. 21.
    Höfig, K., Trapp, M., Zimmer, B., Liggesmeyer, P.: Modeling quality aspects: safety. In: Pohl, K., Hönninger, H., Achatz, R., Broy, M. (eds.) Model-Based Engineering of Embedded Systems, pp 107–118. Springer, Heidelberg (2012). Scholar
  22. 22.
    Kaiser, B., Weber, R., Oertel, M., Böde, E., Nejad, B.M., Zander, J.: Contract-based design of embedded systems integrating nominal behavior and safety. Complex Syst. Inf. Model. Q. 4, 66–91 (2015)Google Scholar
  23. 23.
    Höfig, K., Zeller, M., Heilmann, R.: ALFRED: a methodology to enable component fault trees for layered architectures. In: 2015 41st Euromicro Conference on Software Engineering and Advanced Applications (SEAA), pp. 167–176. IEEE, August 2015Google Scholar
  24. 24.
    Vitali, E., Palermo, G.: Early stage interference checking for automatic design space exploration of mixed critical systems. In: Proceedings of the 9th Workshop on Rapid Simulation and Performance Evaluation: Methods and Tools, p. 3. ACM, January 2017Google Scholar
  25. 25.
    Sari, B., Reuss, H.C.: A model-driven approach for dependent failure analysis in consideration of multicore processors using modified EAST-ADL (No. 2017-01-0065). SAE Technical Paper (2017)Google Scholar
  26. 26.
    Di Vito, B.L.: A model of cooperative noninterference for integrated modular avionics. In: Dependable Computing for Critical Applications 7, 1999. IEEE, January 1999Google Scholar
  27. 27.
    Dunjó, J., Fthenakis, V., Vílchez, J.A., Arnaldos, J.: Hazard and operability (HAZOP) analysis. A literature review. J. Hazard. Mater. 173(1–3), 19–32 (2010)CrossRefGoogle Scholar
  28. 28.
    Auerswald, M., Herrmann, M., Schulte-Coerne, V.: Entwurfsmuster für fehlertolerante softwareintensive Systeme (Design Patterns for Fault-Tolerant Software-Intensive Systems). at-Automatisierungstechnik Methoden und Anwendungen der Steuerungs-, Regelungs-und Informationstechnik, 50(8/2002), 389 (2002)Google Scholar
  29. 29.
    Feth, P., Adler, R.: Service-based modeling of cyber-physical automotive systems: a classification of services. In: Workshop CARS 2016-Critical Automotive Applications: Robustness & Safety, September 2016Google Scholar
  30. 30.
    Avizienis, A., Laprie, J.C., et al.: Basic concepts and taxonomy of dependable and secure computing. IEEE Trans. Dependable Secure Comput. 1(1), 11–33 (2004)CrossRefGoogle Scholar
  31. 31.
    Möhrle, F., Bizik, K., Zeller, M., Höfig, K., Rothfelder, M., Liggesmeyer, P.: A formal approach for automating compositional safety analysis using flow type annotations in: component fault trees. In: Risk, Reliability and Safety: Innovating Theory and Practice: Proceedings of ESREL. Taylor & Francis, CRC Press, Portoroz, Slovenia, June 2017Google Scholar
  32. 32.
    Amalthea Project Homepage. Accessed 01 Mar 2018
  33. 33.
    Li, H., De Meulenaere, P., Hellinckx, P.: Powerwindow: a multi-component TACLeBench benchmark for timing analysis. Advances on P2P, Parallel, Grid, Cloud and Internet Computing. LNDECT, vol. 1, pp. 779–788. Springer, Cham (2017). Scholar

Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  • Christoph Dropmann
    • 1
    Email author
  • Eike Thaden
    • 2
  • Mario Trapp
    • 1
  • Denis Uecker
    • 1
  • Rakshith Amarnath
    • 2
  • Leandro Avila da Silva
    • 1
  • Peter Munk
    • 2
  • Markus Schweizer
    • 2
  • Matthias Jung
    • 1
  • Rasmus Adler
    • 1
  1. 1.Fraunhofer IESEKaiserslauternGermany
  2. 2.Robert Bosch GmbHRenningenGermany

Personalised recommendations