https://www.mdu.se/

The assessment of Common Cause Failures (CCF), i.e., failures of multiple components due to a shared root cause, is essential during probabilistic risk assessment in safety-critical industries. However, not all contributing causes to the CCF are directly observable at the component level as they typically stem from the systematic factors, i.e., design, operations, or environmental conditions. Thus, the industries need to implement methodologies such as the β-factor model to account for these causes. The β-factor estimation suggested by the functional safety standard IEC 61508 is based on the assessment of a defined set of defense measures. However, the extent to which these defense measures address the industry specific CCF remains unclear due to the limited contextual validation. In this paper, we evaluate the defense measures proposed by IEC 61508 with a specific focus on their applicability to the railway industry. To support this evaluation, we define a four-step process inspired by post-mortem analysis, a method traditionally used to learn from past projects. This process is applied to a set of historical railway safety events, allowing us to identify significant CCF events and their underlying root causes. We then make a categorization based on the root causes of CCF in relation to the defense measures outlined in IEC 61508 and estimate the corresponding β-factor for each category. Finally, we assess coverage and adequacy of the standard’s defenses in addressing the identified CCF. The insights gained from this study aim to support the development of more robust, context-aware CCF assessment methods for the railway sector.

The emergence of Connected, Cooperative, and Automated Mobility (CCAM) systems has significantly transformed the safety assessment landscape. Because they integrate automated vehicle functions beyond those managed by a human driver, new methods are required to evaluate their safety. Approaches that compile evidence from multiple test environments have been proposed for type-approval and similar evaluations, emphasizing scenario coverage within the system’s Operational Design Domain (ODD). However, aligning diverse test environment requirements with distinct testing capabilities remains challenging. This paper presents a method for evaluating the suitability of test case allocation to various test environments by drawing on and extending an existing ODD formalization with key testing attributes. The resulting construct integrates ODD parameters and additional test attributes to capture a given test environment’s relevant capabilities. This approach supports automatic suitability evaluation and is demonstrated through a case study on an automated reversing truck function. The system’s implementation fidelity is tied to ODD parameters, facilitating automated test case allocation based on each environment’s capacity for object-detection sensor assessment.

Systems of Systems (SoS) in critical domains like construction require the coordination of independent and heterogeneous Constituent Systems (CS) to accomplish complex missions. To help with such coordination, an architectural approach, called orchestration, has been proposed. However, safety in such an approach remains unexplored. In this paper, we present a safety-aware strategy synthesis framework to fill this gap. It combines formal modeling of CS and shared resources as timed automata, integration of safety contracts to capture assumptions and guarantees, and Q-learning strategy generation by using Uppaal Stratego. As a result, the framework enables the synthesis of execution strategies that not only fulfill mission objectives but also ensure safety constraints. We demonstrate our method through a case study in autonomous construction operations, highlighting its ability to minimize unsafe interactions and to reduce resource conflicts and waiting times. © 2025 Elsevier B.V., All rights reserved.

Safety assurance in System of Systems (SoS) orchestrations is challenged by the inherent variability of Constituent Systems (CS) and the dynamic environments in which they must operate. To address this challenge, we previously introduced SOSoS (Safe Orchestration of Systems of Systems), a process that integrates System-Theoretic Process Analysis (STPA) with principles from Software Product Line Engineering (SPLE) to support safety reasoning about the SoS variability at the macro-level, i.e., analysis of the SoS as a whole in its context. However, SOSoS lacked a clearly defined mechanism for managing variability at lower levels. Thus, in this paper, we expand SOSoS to the mesolevel, i.e., a level focusing on the constellation formation within a SoS. A constellation is a subset of CS that together form operational links and interact to deliver a specific SoS capability. This constellation-level variability analysis employs the concepts of Orthogonal Variability Modeling (OVM) to identify key Variation Points (VP), Variants (V), and Inter-Variant Constraints (IVC) that govern the formation of viable constellations and can be used to generate Refined Safety Constraints (RSC). We demonstrate the method's applicability through a case study on a construction site. The meso-level analysis shifts the focus to constellation tactical configuration options, enabling a more precise characterization of orchestration logic and its associated safety constraints.

Systems of Systems (SoS) face challenges related to coordinated management of the various tasks performed by constituent systems (CS), resource allocation, and SoS-level decision-making to achieve optimal performance related to costs and energy consumption. Addressing these challenges requires rigorous modeling and verification methods that accurately represent CS, capturing their interactions and synchronization. This becomes paramount as the complexity of the SoS grows with the increasing autonomy of individual CS. In this paper, we propose a methodology for efficient resource optimization in batterypowered autonomous CS within an SoS. We begin by modeling the CS and their respective controllers within a constellation of an SoS using Uppaal Stratego. Then, we synthesize a strategy for mission planning and efficient resource utilization to achieve the mission. We also apply our proposed approach to an industrial case study focused on mass removal in the construction site modeled as an SoS to validate our proposed approach. The simulation results show that the synthesized strategies significantly improved resource optimization and reduced mission completion times compared to the ones without the synthesized strategies. Our approach, based on a synergetic combination of formal model modeling and reinforcement learning, provides a viable approach to achieve efficiency in SoS contexts.

The deployment of automated functions that can operate without direct human supervision has changed safety evaluation in domains seeking higher levels of automation. Unlike conventional systems that rely on human operators, these functions require new assessment frameworks to demonstrate that they do not introduce unacceptable risks under real-world conditions. To make a convincing safety claim, the developer must present a thorough justification argument, supported by evidence, that a function is free from unreasonable risk when operated in its intended context. The key concept relevant to the presented work is the intended context, often captured by an Operational Design Domain specification (ODD) specification. ODD formalization is challenging due to the need to maintain flexibility in adopting diverse specification formats while preserving consistency and traceability and integrating seamlessly into the development, validation, and assessment. This paper presents a way to formalize an ODD in the Pkl language, addressing central challenges in specifying ODDs while improving usability through specialized configuration language features. The approach is illustrated with an automotive example but can be broadly applied to ensure rigorous assessments of operational contexts.

Orchestration, an approach to service composition, has emerged as a promising solution to integrate independent constituent systems (CS) in a System of Systems (SoS). However, safety in SoS orchestrations remains unexplored. In this paper, we introduce SOSoS (Safe Orchestration of Systems of Systems), a process that utilizes the System-Theoretic Process Analysis (STPA) steps extended with the features proposed in the software product line engineering (SPLE) approach to cope with safety in the inherent SoS variability. We also demonstrate SOSoS in action by considering a case study from the construction domain. As a result, we define SoS-level safety constraints that could lead to actionable technical recommendations for making systems of systems orchestrations safer. 

The standard IEC 61508 provides a methodology to calculate β, a factor used to estimate the probability of common cause failures (CCF), i.e., failures that result from a single cause. This methodology consists of answering 37 checklist questions, each one providing a scored value that is accumulated in the final β-factor. Those questions cover 8 different defense measures, i.e., practices done to mitigate the CCF against system dependencies. Since the inception of the standard in 2010, there has been evolution regarding both new technologies with an impact on the system dependency factors, as well as new knowledge on how to address them. Hence, it is important to capture these aspects and update the methodology that can be used to reason about CCF’s causes. In this paper, we present an enhanced methodology for estimating the β-factor, which builds upon the core methodology provided by IEC 61508. In particular, we add 33 new questions and provide an estimation method for scoring the β-factor. We also illustrate our methodology by applying it to a realistic system and discuss the findings. Our proposed methodology permits the consideration of aspects not included in the core methodology, such as the level of defense support and safety culture. It also allows practitioners to consider more dependencies, leading to CCF reduction. The rationale is that the more defenses are addressed, the more protection can be achieved against CCF. 

CAMP proposes a hierarchical cache subsystem for multi-core mixed criticality processors, focusing on ensuring worst-case execution time (WCET) predictability in automotive applications. It incorporates criticality-aware locked L1 and L2 caches, reconfigurable at mode change intervals, along with criticality-aware last level cache partitioning. Evaluation using CACOSIM, Moola Multicore simulator, and CACTI simulation tools confirms the suitability of CAMP for keeping high-criticality jobs within timing budgets. A practical case study involving an automotive wake-up controller using the sniper v7.2 architecture simulator further validates its usability in real-world mixed criticality applications. CAMP presents a promising cache architecture for optimized multi-core mixed criticality systems. 

The recent advances in digitalization, improved connectivity and cloud based services are making a huge revolution in manufacturing domain. In spite of the huge potential benefits in productivity, these trends also bring in some concerns related to safety and security to the traditionally closed industrial operation scenarios. This paper presents a high-level view of some of the research results and technological contributions of the InSecTT Project for meeting safety/security goals. These technology contributions are expected to support both the design and operational phases in the production life cycle. Specifically, our contributions spans (a) enforcing stricter but flexible access control, (b) evaluation of machine learning techniques for intrusion detection, (c) generation of realistic process control and network oriented datasets with injected anomalies and (d) performing safety and security analysis on automated guided vehicle platoons.