Incorporating Functional Safety in Model-based Development of Product Lines

Academic year: 2021


Mälardalen University Press Licentiate Theses No. 227

INCORPORATING FUNCTIONAL SAFETY IN MODEL-BASED DEVELOPMENT OF PRODUCT LINES

Stephan Baumgart

2016

School of Innovation, Design and Engineering


Copyright © Stephan Baumgart, 2016

ISBN 978-91-7485-253-0

ISSN 1651-9256

Printed by Arkitektkopia, Västerås, Sweden

Product lines in industry are often based on an engineer's focus on fast and feasible product instantiation rather than on a precise product line development method and process as described in the literature. When considering functional safety, we need a precise model that includes evidence for the safety of each variant of the product. Functional safety standards provide guidance for developing safety critical products and require that evidence is collected to prove the safety of the product. But today's functional safety standards do not provide guidance on how to achieve functional safety in product lines. At the same time, arguments need to be collected during development so that each product configuration is safe and fulfills the requirements of the standards. Providing these arguments requires tracing safety-related requirements and dependencies through the development process, taking the impact of variability in different development artifacts into consideration.

In this thesis, we study the challenges of developing safety critical products in product lines. We explore industrial practices to achieve functional safety standard compliance in product lines by interviewing practitioners from different companies and by collecting the reported challenges and practices. This information helps us to identify improvement areas, and we derive requirements that a product line engineering method needs to fulfill. Based on these findings we analyze variability management methods from the software product line engineering research domain to identify potential candidate solutions that can be adapted to support safety critical products. We provide an approach for capturing functional safety related characteristics in a model-based product line engineering method. We apply our method in an industrial case demonstrating its applicability.


Swedish summary (translated): Product lines in industry are most often based on the engineers' wish to develop new variants quickly and easily, rather than on some precise development model for product lines described in the literature. To demonstrate functional safety, a precise model is required that contains the arguments for showing the safety of all variants of the product. Functional safety standards give guidance for developing safety-critical products and require that evidence is collected to prove the safety of the product. But today's functional safety standards do not describe how to achieve functional safety in product lines. Arguments need to be collected during development that prove that every product configuration is safe and fulfills the requirements of the standard. This in turn requires tracing dependencies on safety-related requirements through the development process and showing how they are affected by variability. In this thesis we study the challenges of developing safety-critical products in product lines. We investigate industry's methods for achieving functional safety by interviewing experts from different companies and compiling challenges and practices. This information helps us identify areas for improvement, and we describe the requirements that an intended product line engineering method must fulfill. Based on these results we analyze variant management methods described within the area of product line engineering, in order to identify potential candidate solutions that could be adapted to support safety-critical products. We present a method for handling functional-safety-related properties in a model-based method for managing product lines. We apply our method in an industrial case to demonstrate its applicability.


First of all, I would like to thank my supervisors Sasikumar Punnekkat and Joakim Fröberg who have guided and encouraged me throughout my studies. Without their guidance, support and encouragement this thesis would not have been possible. I have learned a lot from their advice and feedback. I would also like to thank my mentor Peter Wallin from Volvo Construction Equipment who guided me and supported my research at Volvo Construction Equipment.

Thanks a lot to Volvo Construction Equipment and the industrial research school ITS-EASY for giving me the opportunity to be an industrial PhD student. I would like to express my gratitude to the ITS-EASY team for their great support and my fellow ITS-EASY PhD students for having a great time.

The research leading to this thesis has received funding from the ARTEMIS Joint Undertaking under grant agreements no. 269265 and no. 295373, Vinnova and the KKS-funded ITS-EASY Post Graduate School for Embedded Software and Systems.

Stephan Baumgart, Västerås, April 2016


Papers Included in the Licentiate Thesis¹

Paper A: Towards Efficient Functional Safety Certification of Construction Machinery using a Component-based Approach. Stephan Baumgart, Joakim Fröberg and Sasikumar Punnekkat. In Proceedings of the 3rd International Workshop on Product Line Approaches in Software Engineering (PLEASE), Zurich, Switzerland, 2012

Paper B: Industrial Challenges to Achieve Functional Safety Compliance in Product Lines. Stephan Baumgart, Joakim Fröberg and Sasikumar Punnekkat. In Proceedings of the 40th EUROMICRO Conference on Software Engineering and Advanced Applications (SEAA), Verona, Italy, 2014

Paper C: Variability management in product lines of safety critical embedded systems. Stephan Baumgart, Xiaodi Zhang, Joakim Fröberg and Sasikumar Punnekkat. In Proceedings of the International Conference on Embedded Systems (ICES), Coimbatore, India, 2014

Paper D: Graphical Approach for Modeling of Safety and Variability in Product Lines. Aleksandra Salikiryaki, Iliana Petrova and Stephan Baumgart. In Proceedings of the 41st EUROMICRO Conference on Software Engineering and Advanced Applications (SEAA), Funchal, Portugal, 2015

¹ The included articles have been reformatted to comply with the licentiate layout.


Paper E: Enhancing Model-Based Engineering of Product Lines by Adding Functional Safety. Stephan Baumgart, Joakim Fröberg and Sasikumar Punnekkat. In Proceedings of MASE - Modeling in Automotive Software Engineering at the 18th International Conference on Model Driven Engineering Languages and Systems (MODELS), Ottawa, Canada, 2015

Additional Papers, Not Included in the Licentiate Thesis

1. Platform guidelines (both E&E system as well as operating systems) to support development projects in the context of product lines. Stephan Baumgart, et al., SafeCer Report, 2013, www.safecer.eu

2. Challenges for Reuse in a Safety-Critical Context: A State-of-Practice Study. Helmut Martin, Stephan Baumgart, Andrea Leitner and Daniel Watzenig. In Proceedings of the SAE 2014 World Congress & Exhibition, Detroit, USA, 2014

3. Predicting the Effort for Functional Safety in Product Lines. Stephan Baumgart and Ditmar Parmeza. In Proceedings of the 41st EUROMICRO Conference on Software Engineering and Advanced Applications (SEAA) - Work in Progress Session, Funchal, Portugal, 2015


I Thesis . . . 1

1 Introduction . . . 3
1.1 Thesis Outline . . . 8
2 Research Description . . . 13
2.1 Problem Statement and Research Goals . . . 13
2.2 Research Process . . . 15
2.3 Research Methods . . . 18
2.3.1 Literature Analysis . . . 18
2.3.2 Case Study Research . . . 19
2.3.3 Constructive Research . . . 19
3 Background . . . 21
3.1 Functional Safety . . . 21
3.1.1 General . . . 21
3.1.2 Safety Lifecycle . . . 22
3.1.3 Fault Avoidance and Fault Tolerance . . . 25
3.1.4 Reuse and Functional Safety . . . 26
3.2 Software Product Line Engineering . . . 26
4 Related Work . . . 31
4.1 Functional Safety and SPLE . . . 31
4.1.1 Reuse of Hazard Analyses . . . 31
4.1.2 Safety Process and SPLE . . . 33
4.1.3 Safety Cases and SPLE . . . 33
4.2 Documenting Functional Safety in Product Lines . . . 34


5 Thesis Contributions . . . 37
5.1 Challenges to Manage Functional Safety in Product Lines . . . 37
5.2 Categorizing Variability Management Methods . . . 42
5.3 Incorporating Functional Safety in Model-based PLE . . . 44
5.3.1 Application of PLUS . . . 44
5.3.2 Extending a Model-based Product Line Model . . . 48
5.3.3 Summary . . . 55
5.4 Validity Discussion . . . 55
5.4.1 Contribution 1 - Challenges to Manage Functional Safety in Product Lines . . . 56
5.4.2 Contribution 2 - Categorizing Variability Management Methods . . . 56
5.4.3 Contribution 3 - Incorporating Functional Safety in Model-based PLE . . . 57
6 Conclusions . . . 59
6.1 Summary and Conclusions . . . 59
6.2 Future work . . . 61
Bibliography . . . 63

II Included Papers . . . 73

7 Paper A: Towards Efficient Functional Safety Certification of Construction Machinery using a Component-based Approach . . . 75
7.1 Introduction . . . 77
7.2 Use Case . . . 79
7.3 Challenges . . . 81
7.4 Analysis of the Problem . . . 83
7.5 Conclusions . . . 85
Bibliography . . . 87
8 Paper B: Industrial Challenges to Achieve Functional Safety Compliance in Product Lines . . . 89
8.1 Introduction . . . 91
8.2 Related Work . . . 92
8.3 Case Study Design . . . 93
8.3.1 Subjects Selection . . . 93
8.3.2 Data Collection Procedure . . . 94
8.3.3 Analysis Procedures . . . 94
8.4 Results . . . 95
8.4.1 Synthesis of Challenges . . . 95
8.4.2 Approaches . . . 98
8.4.3 Discussion . . . 99
8.4.4 Validity . . . 100
8.5 Conclusion . . . 101
8.6 Acknowledgments . . . 102
Bibliography . . . 103
9 Paper C: Variability Management in Product Lines of Safety Critical Embedded Systems . . . 105
9.1 Introduction . . . 107
9.2 Requirements . . . 108
9.3 Literature Study . . . 109
9.3.1 Introduction . . . 109
9.3.2 Variability Management - feature orientation . . . 110
9.3.3 Variability Management - extraction to external models . . . 110
9.3.4 Variability Management - life-cycle coverage . . . 111
9.3.5 Pros and cons of different approaches . . . 111
9.3.6 Other relevant approaches . . . 113
9.4 Case Description . . . 114
9.4.1 Variant 1 - Left-right steering . . . 114
9.4.2 Variant 2 - Joystick Steering . . . 114
9.4.3 Product line scenarios and impact on functional safety . . . 114
9.5 Application of PLUS . . . 115
9.5.1 PLUS Requirements Model . . . 116
9.5.2 PLUS Analysis Model . . . 117
9.6 Discussions . . . 118
9.7 Conclusions . . . 120
9.8 Acknowledgments . . . 120


10 Paper D: Graphical Approach for Modeling of Safety and Variability in Product Lines . . . 123
10.1 Introduction . . . 125
10.2 State of the practice . . . 126
10.2.1 Empirical study . . . 126
10.2.2 Requirements . . . 127
10.3 Related work . . . 128
10.4 Approach . . . 130
10.4.1 Feature Diagram . . . 133
10.4.2 Use Case Diagram . . . 134
10.4.3 State Machine Diagram . . . 136
10.4.4 Safety Configuration Diagram . . . 138
10.5 Discussion of Approach . . . 140
10.5.1 Benefits of the approach . . . 140
10.5.2 Limitations of the approach . . . 141
10.6 Conclusion . . . 142
10.7 Future work . . . 142
10.8 Acknowledgments . . . 143
Bibliography . . . 145
11 Paper E: Enhancing Model-Based Engineering of Product Lines by Adding Functional Safety . . . 149
11.1 Introduction . . . 151
11.2 Background and Related Work . . . 152
11.3 Approach . . . 154
11.3.1 General Idea . . . 154
11.3.2 Approach - Concept Phase . . . 156
11.4 Discussion . . . 159
11.5 Conclusion . . . 160
Bibliography . . . 163

I Thesis


Introduction

Reuse of already developed components and system parts is widely used in industry today, and the main goals are to reduce cost and to achieve a faster time to market. When components are reused, they can be tested during each integration attempt and therefore a higher quality can be reached. Not only software components can be considered for reuse, but also common requirements specifications, test specifications, a common Electrical and Electronics (E&E) architecture and common electronic parts such as commonly used sensors, actuators and electronic control units (ECU). Different reuse strategies may be applied for these development artifacts and parts. Software components and electronic parts can be reused between different product types or copied from earlier product generations. A common E&E architecture can contain architecture patterns, a topology of used ECUs and communication channels, and is developed in such a way that it can be applied by different product lines. In the construction equipment domain, we can distinguish two product groups with respect to product configurations. The first group contains multi-purpose machines, which suit most customer needs and application scenarios. The customers can configure a machine based on a list of standard, optional and alternative features defined for the product line. The second group covers special-purpose machines that are specifically built to meet a customer's requirements. These special-purpose machines can be machines applied in environments like mines or special plants, where specific requirements need to be fulfilled. Another reason for developing differentiated products is selling products


globally with different requirements in different regions. Apart from different legal requirements defined for different regions, customer needs may differ as well. In some markets customers request high-end products, while in other markets customers request cheaper products and therefore scaled-down products need to be provided. This leads to a high number of projected product configurations and a high complexity that needs to be taken care of during development and verification.

Furthermore, the trend of growing importance of electronics and software in new product generations, as described for many domains, is also observable in the construction equipment domain. Today, new features are typically implemented using electronics and software, which increases the complexity as well. Copying development artifacts like requirements, design and software from existing products and reusing proven parts is common practice in industry today, but adapted methods for managing the increasing complexity in industrial product lines are needed instead.

The products developed in the construction equipment domain are safety critical, which means that a failure in a part of a machine may lead to damaged equipment, injuries or death of humans. It is therefore necessary to design the products in a way that avoids such malfunctioning behavior. Safety is a property of the complete system, including the different technologies involved like hydraulics, mechanics and the E&E system. Functional safety standards have been developed to define the state-of-the-art practices and processes for developing the E&E system of safety critical products, to guide practitioners in industry. The functional safety standards IEC 61508 [1], ISO 15998 [2], ISO 13849 [3] and the automotive domain specific standard ISO 26262 [4] define requirements on the development process to avoid systematic and random failures. Evidence on how the initially identified hazards are considered throughout the development of the product needs to be collected and provided in a safety case to be submitted and explained to authorized certifiers. A safety case is an "argument that the safety requirements for an item are complete and satisfied by evidence compiled from work products of the safety activities during development" [4]. The collected evidence, composed of process details and artifacts required by the standard such as verification reports and test results, together with a comprehensive argumentation on the safety of the developed product, is referred to as a safety case.

Functional safety standard compliance is achieved by rigorously following the process of developing the system as described in the standards. The functional safety standards typically assume a V-model-based development process, and their requirements mainly focus on single product development. When different product configurations can be developed, the safety argumentation must hold for all derived product configurations.

If we copy development artifacts such as specifications, design and software from other products or previous product generations, we would assume that we can reuse the corresponding safety artifacts and safety argumentation. But safety is the property of one product applied in a specific context, and for copying development artifacts these products must be identical and applied in the same context. This is not always the case, and instead this approach may lead to unexplored hazards or violations of safety goals. Instead of just assuring that a component cannot fail dangerously in one product, we now face a situation where we must assure that no variant can fail dangerously in any of the possible product configurations. The flexibility in creating variants can increase the effort for assuring functional safety standard compliance.
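The per-variant assurance problem described above, as an added example that is not from the thesis: a constructed feature model with standard, optional and alternative features (the configuration scheme the introduction describes for multi-purpose machines), safety requirements whose evidence may only be reused across variants that agree on the features the requirement is sensitive to, and a check that enumerates every configuration and reports the ones whose safety argument has a hole. All feature, requirement and evidence names are made up for illustration.

```python
"""Per-variant safety-evidence check for a small product line.

Constructed example, not taken from the thesis: a feature model with
standard, optional and alternative features, safety requirements that apply
to particular feature combinations, and the evidence collected so far.
Evidence is only reused across variants that agree on every feature the
requirement is sensitive to; every other variant needs its own evidence.
"""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class FeatureModel:
    standard: frozenset      # present in every configuration
    optional: frozenset      # each may be present or absent
    alternatives: tuple      # groups (frozensets); exactly one member per group


@dataclass(frozen=True)
class SafetyRequirement:
    rid: str
    applies_when: frozenset  # applies to configurations containing all of these
    sensitive_to: frozenset  # features whose presence/absence changes the argument
    text: str


@dataclass(frozen=True)
class Evidence:
    eid: str
    requirement: str         # rid this work product supports
    context: frozenset       # configuration the evidence was produced on


def enumerate_configurations(model):
    """All valid configurations: standard + any subset of optional + one per group."""
    opt = sorted(model.optional)
    groups = [sorted(g) for g in model.alternatives]
    configs = []
    for mask in product((False, True), repeat=len(opt)):
        chosen = {f for f, on in zip(opt, mask) if on}
        for choice in product(*groups):
            configs.append(frozenset(model.standard | chosen | set(choice)))
    return configs


def evidence_valid(ev, req, config):
    """Evidence transfers only if its context matches the configuration on
    every feature the requirement's argument depends on."""
    return ev.context & req.sensitive_to == config & req.sensitive_to


def find_gaps(model, reqs, evidence):
    """Map each configuration with an incomplete safety argument to the
    applicable requirement ids that have no valid evidence for it."""
    gaps = {}
    for config in enumerate_configurations(model):
        missing = [
            r.rid for r in reqs
            if r.applies_when <= config
            and not any(e.requirement == r.rid and evidence_valid(e, r, config)
                        for e in evidence)
        ]
        if missing:
            gaps[config] = missing
    return gaps


# Constructed product line (hypothetical names): a machine platform with
# two steering alternatives and an optional mining package.
MODEL = FeatureModel(
    standard=frozenset({"engine_control", "brake_control"}),
    optional=frozenset({"mining_package"}),
    alternatives=(frozenset({"lever_steering", "joystick_steering"}),),
)

REQUIREMENTS = [
    SafetyRequirement("SR1", frozenset({"brake_control"}), frozenset({"brake_control"}),
                      "Unintended machine movement shall be prevented"),
    SafetyRequirement("SR2", frozenset({"joystick_steering"}),
                      frozenset({"joystick_steering", "mining_package"}),
                      "Loss of joystick signal shall lead to a safe state"),
    SafetyRequirement("SR3", frozenset({"lever_steering"}), frozenset({"lever_steering"}),
                      "Lever steering shall not command unintended turns"),
]

# Evidence copied from earlier product generations; E2 was produced without
# the mining package, so it does not cover the joystick + mining variant.
EVIDENCE = [
    Evidence("E1", "SR1", frozenset({"engine_control", "brake_control"})),
    Evidence("E2", "SR2", frozenset({"engine_control", "brake_control", "joystick_steering"})),
    Evidence("E3", "SR3", frozenset({"engine_control", "brake_control",
                                     "lever_steering", "mining_package"})),
]


if __name__ == "__main__":
    for config, missing in find_gaps(MODEL, REQUIREMENTS, EVIDENCE).items():
        print(sorted(config), "lacks evidence for", missing)
```

Running it reports the single joystick-plus-mining configuration as lacking evidence for SR2, while E3 is reused for both lever variants because SR3 is insensitive to the mining package.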

An often cited example is the failure of the maiden flight of the Ariane 5 rocket of the European Space Agency (ESA) and the reasons for its failure [5]. The Ariane 5 rocket was built at a cost of USD 7 Billion over a decade, but its first launch on June 4, 1996 ended in an explosion just 40 seconds after lift-off. The independent inquiry board found that code was copied from the successful Ariane 4 without considering the design differences between Ariane 4 and Ariane 5. Furthermore, the reviews and tests of the Ariane 5 did not apply adequate methods for the reused inertial navigation subsystem.

Apart from this example, we observe that more and more car manufacturers are forced to recall many of their car models due to design errors and failures. One discussed case in 2011 is the Toyota case of "unintended acceleration", where the cars suddenly accelerated and several fatal accidents were reported. Toyota's technical solution, documents and arguments were reviewed by the NASA Engineering and Safety Center, resulting in the assessment report Assessment #: TI-10-00618 [6] and an action plan of the National Highway Traffic Safety Administration (NHTSA) [7]. After thorough analysis, problems with the electronic throttle control (ETC) were not found. Nonetheless, the NASA experts found many coding problems in the investigated Toyota source code [8]. The main software, for example, contained 256 647 non-commented lines of code, over 10 000 global variables and functions with many lines of

(23)

globally with different requirements in different regions. Apart from the different legal requirements defined for different regions, customer needs may differ as well. In some markets customers request high-end products, while in other markets customers request cheaper products, and therefore scaled-down products need to be provided. This leads to a high number of projected product configurations and a high complexity that need to be taken care of during development and verification.

Furthermore, the trend of growing importance of electronics and software in new product generations, as described for many domains, is also observable in the construction equipment domain. Today, new features are typically implemented using electronics and software, which increases the complexity as well. Copying development artifacts like requirements, design and software from existing products and reusing proven parts is common practice in industry today, but adapted methods for managing the increasing complexity in industrial product lines are needed instead.

The products developed in the construction equipment domain are safety critical, which means that a failure in a part of a machine may lead to damaged equipment, injuries or death of humans. It is therefore necessary to design the products in a way that avoids such malfunctioning behavior. Safety is a property of the complete system, including the different technologies involved like hydraulics, mechanics and the E&E system. Functional safety standards have been developed to define the state of the art practices and processes for developing the E&E system of safety critical products and to guide practitioners in industry. The functional safety standards IEC 61508 [1], ISO 15998 [2], ISO 13849 [3] and the automotive domain specific standard ISO 26262 [4] define requirements on the development process to avoid systematic and random failures. Evidence on how the initially identified hazards are considered throughout the development of the product needs to be collected and provided in a safety case to be submitted and explained to authorized certifiers. A safety case is an “argument that the safety requirements for an item are complete and satisfied by evidence compiled from work products of the safety activities during development” [4]. The collected evidence, composed of process details and artifacts required by the standard, such as verification reports and test results, together with a comprehensive argumentation on the safety of the developed product, is referred to as a safety case.

Functional safety standard compliance is achieved by rigorously following the process of developing the system as described in the standards.

The functional safety standards typically assume a V-model-based development process, and their requirements mainly focus on single product development. When different product configurations can be developed, the safety argumentation must hold for all derived product configurations.

If we copy development artifacts such as specifications, design and software from other products or previous product generations, we would assume that we can reuse the corresponding safety artifacts and safety argumentation. But safety is a property of one product applied in a specific context, and copying development artifacts is only justified if the products are identical and applied in the same context. This is not always the case, and instead this approach may lead to unexplored hazards or violations of safety goals. Instead of just assuring that a component cannot fail dangerously in one product, we now face a situation where we must assure that no variant can fail dangerously in any of the possible product configurations. The flexibility in creating variants can increase the effort for assuring functional safety standard compliance.

An often cited example is the failure of the maiden flight of the Ariane 5 rocket of the European Space Agency (ESA) and the reasons for its failure [5]. The Ariane 5 rocket was built at a cost of USD 7 billion over a decade, but its first launch on June 4, 1996 ended in an explosion just 40 seconds after lift-off. The independent inquiry board found that code was copied from the successful Ariane 4 without considering the design differences between Ariane 4 and Ariane 5. Furthermore, the reviews and tests of the Ariane 5 did not apply adequate methods for the reused inertial navigation subsystem.

Apart from this example, we observe that more and more car manufacturers are forced to recall many of their car models due to design errors and failures. One discussed case in 2011 is the Toyota case of “unintended acceleration”, where the cars suddenly accelerated and several fatal accidents have been reported. Toyota’s technical solution, documents and arguments were reviewed by the NASA Engineering and Safety Center and resulted in the assessment report Assessment #: TI-10-00618 [6] and an action plan of the National Highway Traffic Safety Administration (NHTSA) [7]. After thorough analysis, problems with the electronic throttle control (ETC) have not been found. Nonetheless, the NASA experts found many coding problems in the investigated Toyota source code [8]. In the main software, for example, 256 647 non-commented lines of code, over 10 000 global variables and functions with many lines of code and high complexity have been found. This leads to problems with testability and maintainability and therefore even with functional safety. The development process was also analyzed and the report states that the “coding rules used by Toyota predate the MISRA guidelines (the original MISRA coding guidelines date from 1998), but that an estimated 50% of the MISRA rules were being followed” [8]. Since the MISRA guidelines are seen as state of the art, the Toyota development process is criticized for not being state of the art. This shows that even the development processes need to be checked to be state of the art, and both product arguments and process arguments need to be collected. The NASA experts analyzed only some product variants and have not been able to analyze all affected Toyota car variants due to complexity and to reduce the effort for analysis. Nonetheless, it shows the importance of providing a safety case and safety argumentation for all product configurations.

Even though the Toyota case was reported and analyzed thoroughly, the database of the NHTSA [9] provides a list of all customer complaints, investigations and recalls of different car manufacturers. When reviewing the reasons for the recalls, often the electronic system is involved and not the complete product range is affected. If only a subset of all product configurations is affected, we can conclude that not all failures in the possible product configurations have been found by the manufacturers during development. One example reported in 2015 by the NHTSA (NHTSA Campaign number 15V436000) illustrates this conclusion. In this recall campaign, Ford recalled some of their cars because customers were not able to shut off the engine and the engine only stopped once the fuel tank was empty. The reason was a software bug in some of the car configurations, and it was fixed by a software update. There are many more such cases listed and described in the NHTSA database.

We draw the conclusion that the complexity of product variants and its relation to functional safety compliance is a common challenge in industry today. There is a need to provide guidance and methods for enabling practitioners to manage the complexity and functional safety in product lines more efficiently and effectively.

The software product line engineering (SPLE) described in literature [10, 11, 12] provides methods and processes to manage the complexity of developing software in a product line. We study software product line engineering methods in this licentiate thesis to identify candidate solutions to the challenges we identified in industrial product lines. In this licentiate thesis we propose safety extensions to a model-based software product line engineering approach and discuss the applicability for industrial product lines of safety critical products.


1.1 Thesis Outline

In the first part of this licentiate thesis the research is summarized as follows: The research methods applied to achieve the results presented in this licentiate thesis are described in chapter 2. We present the research questions and describe the research methods we conducted to achieve the contributions. We present the background to our research in chapter 3 and research related to our work is described in chapter 4. We highlight the contribution of our thesis in chapter 5. We conclude the first part of this licentiate thesis in chapter 6 and present directions of our future work.

The second part of this licentiate thesis consists of a collection of our included research articles in chapters 7-11. We now present a quick summary of the five included papers.

Paper A (Chapter 7)

Towards Efficient Functional Safety Certification of Construction Machinery using a Component-based Approach, Stephan Baumgart, Joakim Fröberg, Sasikumar Punnekkat

Abstract: Electronic systems in the automotive domain implement safety critical functionality in vehicles, and the safety certification process according to a functional safety standard is time consuming and a big part of the expenses of a development project. We describe the functional safety certification of electronic automotive systems by presenting a use case from the construction equipment industry. In this context, we highlight some of the major challenges we foresee while using a product line approach to achieve efficient functional safety certification of vehicle variants. We further elaborate on the impact of functional safety certification when applying the component-based approach to developing safety critical product variants and discuss the implications by cost modeling and analysis. [13]

Status: Published at the 3rd International Workshop on Product Line Approaches in Software Engineering (PLEASE), 2012

My Contribution: I was the main driver of the work. The co-authors are my supervisors and contributed by discussions and reviewing the paper.

Paper B (Chapter 8)

Industrial Challenges to Achieve Functional Safety Compliance in Product Lines, Stephan Baumgart, Joakim Fröberg, Sasikumar Punnekkat

Abstract: Developing safety critical products demands a clear safety argumentation for each product, regardless of whether it has been derived from a product line or not. The functional safety standards do not explain how to develop safety critical products in product lines, and the product line concept is lacking specific approaches to develop safety critical products. Nonetheless, product lines are well-established concepts even in companies developing safety critical products. In this paper we present the results of an exploratory study interviewing 15 practitioners from 6 different companies. We identify typical challenges and approaches from industry and discuss their suitability. The challenges and approaches brought out by this study help us to identify and enhance applicable methods from the product line engineering domain that can meet the challenges in the safety critical domain as well. [14]

Status: Published at the 40th EUROMICRO Conference on Software Engineering and Advanced Applications (SEAA), 2014

My Contribution: I was the main driver of the work. The co-authors are my supervisors and contributed by discussions and reviewing the paper.

Paper C (Chapter 9)

Variability management in product lines of safety critical embedded systems, Stephan Baumgart, Xiaodi Zhang, Joakim Fröberg, Sasikumar Punnekkat

Abstract: The product line engineering approach is a promising concept to identify and manage reuse in a structured and efficient way and is even applied for the development of safety critical embedded systems. Managing the complexity of variability and addressing functional safety at the same time is challenging and is not yet solved. Variability management is an enabler to both establish traceability and make necessary information visible for safety engineers. We identify a set of requirements for such a method and evaluate existing variability management methods. We apply the most promising method to an industrial case and study its suitability for developing safety critical product family members. This study provides positive feedback on the potential of the model-based method PLUS in supporting the development of functional safety critical embedded systems in product lines. As a result of our analysis we suggest potential improvements for it. [15]

Status: Published at the International Conference on Embedded Systems (ICES), 2014

My Contribution: I was the originator of the ideas and main driver of the research. The second author did some detailing and writing as part of her master thesis under my supervision. The third and fourth co-authors are my supervisors and contributed by discussions and reviewing the paper.

Paper D (Chapter 10)

Graphical Approach for Modeling of Safety and Variability in Product Lines, Aleksandra Salikiryaki, Iliana Petrova, Stephan Baumgart

Abstract: Reuse of already developed parts and concepts is a common concept in industry in order to reduce the time to market and to reduce the development cost. Product lines exist based on an engineer’s mindset, but there is a lack of structured approaches to support decision making and manage the complexity. In many domains such as automotive, railways and avionics, functional safety standards require the development of evidence that a specific product is safe. In product lines, evidence must be provided for all possible product configurations. The lack of a structured product line approach taking the functional safety dimension into consideration makes it challenging for practitioners to provide the required evidence. In this paper we (1) identify requirements that a variability management approach will need to fulfill, (2) discuss existing approaches and their limitations, (3) propose potential extensions, (4) apply our approach in an industrial use case and (5) discuss its applicability and future work. [16]

Status: Published at the 41st EUROMICRO Conference on Software Engineering and Advanced Applications (SEAA), 2015

My Contribution: I was the originator of the ideas and main driver of the research. The other authors did some detailing and writing as part of their master thesis under my supervision.

Paper E (Chapter 11)

Enhancing Model-Based Engineering of Product Lines by Adding Functional Safety, Stephan Baumgart, Joakim Fröberg, Sasikumar Punnekkat

Abstract: Today’s industrial product lines in the automotive and construction equipment domain face the challenge to show functional safety standard compliance and argue for the absence of failures for all derived product variants. The product line approaches are not sufficient to support practitioners in tracing safety-related characteristics through development. We aim to provide aid in creating a safety case for a certain configuration in a product line such that overall less effort is necessary for each configuration. In this paper we 1) discuss the impact of functional safety on product line development, 2) propose a model-based approach to capture safety-related characteristics during the concept phase for product lines and 3) analyze the usefulness of our proposal. [17]

Status: Published at MASE - Modeling in Automotive Software Engineering 2015 at Models 2015

My Contribution: I was the main driver of the work. The co-authors are


Research Description

In this chapter we describe the problem statement and the research goals we identified. We furthermore describe our research process leading to the results presented in this licentiate thesis. The research methods we applied are presented and discussed as well.

2.1 Problem Statement and Research Goals

Achieving functional safety standard compliance requires that company-internal development and verification processes are adapted to meet the requirements stated in the applicable functional safety standards. It furthermore requires that evidence and arguments are collected to show that the developed products comply with the functional safety standard and that the product is sufficiently safe. When safety critical products are developed in product lines and development artifacts such as specifications, code or test cases are reused within one product line, between product line generations or across different product lines, the system safety of all possible product configurations must be assured. As part of the system safety, the correctness of the Electrical and Electronics (E&E) system, i.e. the avoidance of malfunctioning behavior, must be realized. As a consequence of the increasing complexity in the product line context, arguing for functional safety requires high efforts, and ad-hoc development approaches are not feasible.


The goal of this licentiate thesis is to analyze product line development scenarios for industrial safety critical products and to incorporate functional safety in model-based product line engineering to support the safety certification efforts of practitioners.

We subdivide this goal into three research questions.

Research Question 1:

Which challenges and practices exist when engineering safety critical products in product lines?

For this research question we need to consider the proposed product line concepts described in literature and the requirements defined in the functional safety standards. Product line engineering as described in literature differs from the applied practices in industry. It is therefore important to analyze the established product line practices and how functional safety is managed in this context. One way is to interview practitioners who develop safety critical products today and to understand the reuse of already developed system elements and artifacts. Collecting typical challenges and applied practices will help to identify critical gaps in today’s development processes and will also help to search for potential solutions.

Research Question 2:

Which variant management concepts have a potential to be adapted for safety critical product lines?

We need to analyze which variant management concepts exist in the software product line engineering research domain and study their ability to be applied for developing safety critical products in product lines. We derive requirements based on the results of Research Question 1 in order to evaluate these methods. The study shall help to identify candidate solutions that can be adapted in future research to develop a variability management method for safety critical product lines.

Research Question 3:

How can functional safety be incorporated in model-based product line engineering?

Functional safety standards describe processes and activities on how to develop safety critical functions, but assume a V-model-based development process. The requirements from the functional safety standards need to be translated and mapped onto a product line development process, and the creation of safety cases for all potential product variants needs to be supported. Since industry is moving towards model-based approaches, and due to the better formalisms associated with them, we aim to develop a model-based approach to manage safety critical product lines. We utilize an existing model-based concept for software product line engineering and extend the approach by a functional safety dimension. We apply it in an industrial case to show its applicability and to iteratively improve our approach in the future.

2.2 Research Process

In this section we describe the research process applied in this thesis. In Figure 2.1 the phases performed in our research are described. Though our research process is of an iterative nature, we have simplified it and show it as a linear one for easy comprehension and visualization. The research process can be split into two groups, where the first group (1-5) contains the development phases for building the knowledge foundation for our research, and the second group (6-7) contains the research phases that aim to develop a new method including its evaluation.

Phase 1: Identifying the Research Goals

In the first phase, we defined and refined the research goals and since this research is performed in cooperation with Volvo Construction Equipment, the preliminary research goal is oriented on the industrial needs. The challenges experienced in industry need to be mapped and translated into research goals and research questions. We set up the research goals and discussed the feasibility also within the industrial context, since our aim for this research is to overcome the challenges faced in industrial product lines by providing new methods.

(33)

The goal of this licentiate thesis is

to analyze product line development scenarios for industrial safety critical products and to incorporate functional safety in model-based product line engineering to support the safety certification efforts of practitioners.

We subdivide this goal into three research questions.

Research Question 1:

Which challenges and practices exist when engineering safety critical products in product lines?

For this research question we need to consider the proposed product line concepts described in literature and the requirements defined in the functional safety standards. Product line engineering as described in literature differs from the applied practices in industry. It is therefore important to analyze the established product line practices and how functional safety is managed in this context. One way is to interview practitioners who develop safety critical products today and to understand the reuse of already developed system elements and artifacts. Collecting typical challenges and applied practices will help to identify critical gaps in today's development processes and will also help to search for potential solutions.

Research Question 2:

Which variant management concepts have a potential to be adapted for safety critical product lines?

We need to analyze which variant management concepts exist in the software product line engineering research domain and study their ability to be applied for developing safety critical products in product lines. We derive requirements based on the results of Research Question 1 in order to evaluate these methods. The study shall help to identify candidate solutions that can be adapted in future research to develop a variability management method for safety critical product lines.

Research Question 3:

How can functional safety be incorporated in model-based product line engineering?

Functional safety standards describe processes and activities on how to develop safety critical functions, but assume a V-model-based development process. The requirements from the functional safety standards need to be translated and mapped onto a product line development process and the creation of safety cases for all potential product variants needs to be supported. Since industry is moving towards model-based approaches and due to better formalisms associated with them, we aim to develop a model-based approach to manage safety critical product lines. We utilize an existing model-based concept for software product line engineering and extend the approach by a functional safety dimension. We apply it in an industrial case to show its applicability and to iteratively improve our approach in the future.

2.2 Research Process

In this section we describe the research process applied in this thesis. Figure 2.1 shows the phases performed in our research. Though our research process is of an iterative nature, we have simplified it and show it as a linear one for easy comprehension and visualization. The research process can be split into two groups, where the first group (1-5) contains the development phases for building the knowledge foundation for our research and the second group (6-7) contains the research phases that aim to develop a new method including its evaluation.

Phase 1: Identifying the Research Goals

In the first phase, we defined and refined the research goals. Since this research is performed in cooperation with Volvo Construction Equipment, the preliminary research goal is oriented towards the industrial needs. The challenges experienced in industry need to be mapped and translated into research goals and research questions. We set up the research goals and also discussed their feasibility within the industrial context, since our aim for this research is to overcome the challenges faced in industrial product lines by providing new methods.

(34)

Figure 2.1: Research process applied in the thesis

Phase 2: Performing a Preliminary Analysis of the Problem

A main challenge practitioners in industry are facing is the high effort that is necessary to certify products according to the functional safety standards. We therefore studied the mentioned problem in detail to identify possible reasons. As part of this work we studied the domain specific standards and literature and talked to the practitioners. We discussed this research goal within the research community and published, presented and discussed our results in Paper A [13].

Phase 3: Setting up Research Questions

The feedback from the research community, the results from the literature analysis and the discussions with the industrial practitioners helped us to set up and refine our research questions for our studies. We identified three main areas for our studies: 1) to understand the product line engineering approach applied in practice, 2) to search for a model that can be used for explaining the observed practices and for reviewing methods proposed in literature, and 3) to propose a solution by extending existing approaches.

Phase 4: State of Practice Analysis / Empirical Studies

During phase 3 we identified that a more structured study of industrial practice was required. In our study we analyzed which challenges exist and which of them seem to be general. We discussed possible ways of collecting data on the management of functional safety in industrial product lines. The biggest challenge we faced was the fact that information on how safety is managed is not freely available for commercial cases. Furthermore, analyzing the safety cases may not reveal the actual problem, and specific information might be hidden. We therefore decided to perform an interview study, set up a questionnaire and conducted detailed interviews of 15 practitioners from six companies. This work resulted in the included Paper B [14] and another paper not included in this thesis [18].

Phase 5: Studying Candidate Solutions

We analyzed literature and surveyed existing variant management methods. We evaluated their potential for extension based on criteria we derived from the interview study. We identified that product line engineering concepts which, among others, already cover several development phases and utilize expandable concepts can be candidate solutions for further work. We applied a candidate solution in an industrial case to gain further knowledge and presented the results in Paper C [15].
