Assurance of System Safety: A Survey of Design and Argument Patterns

Abstract: The specification, design, and assurance of safety encompasses various concepts and best practices, subject of reuse in form of patterns. This work summarizes applied research on such concepts and practices with a focus on the last two decades and on the state-of-the-art of patterns in safety-critical system design and assurance argumentation. We investigate several aspects of such patterns, for example, where and when they are applied, their characteristics and purposes, and how they are related. For each asp… Show more

“…Still, aside from standards, several publications related to the automotive domain give definitions for different fault tolerance regimes [24][25][26][27][28][29][30][31][32][33][34][35][36][37][38][39][40][41][42]. An overview of the covered literature is presented in Table I.…”

“…1) Upholding functionality: All publications referenced in this subsection, except for [39], define terms to address the continued provision of a system's functionality in the presence of a fault without performance degradation [24][25][26][27][28][29][30][31][32][33][34][35][36][37][38][40][41][42] and consistently use the term fail-operational. Still, when Author(s) Year Source f a i l -o p e r a t i o n a l f a i l -s a f e f a i l -s i l e n t f a i l -d e g r a d e d f a i l -r e d u c e d f a i l -u n s a f e o t h e r Automotive publications with defintions of fault tolerance regimes Publications in automated vehicle context using fault tolerance regimes without definitions comparing the definitions, the understanding of the term varies slightly between the publications.…”

“…In the first subcategory [24,40,46,47], a core functionality of the fail-operational system is maintained to achieve a defined state. The sole publication of the second subcategory [27] requires the system to maintain full functionality until the defined state is reached. It is not apparent to which subcategory each of the remaining publications [28][29][30]35] can be assigned.…”

“…The fail-silent property of a system is commonly described as the guarantee that no output is provided in the event of failures [24,26,27,29,32,34,41,46]. Therefore, the systems described as fail-silent usually represent (sub-)components of a larger complex system (e. g., a vehicle).…”

Taxonomy to Unify Fault Tolerance Regimes for Automotive Systems: Defining Fail-Operational, Fail-Degraded, and Fail-Safe

“…Still, aside from standards, several publications related to the automotive domain give definitions for different fault tolerance regimes [24][25][26][27][28][29][30][31][32][33][34][35][36][37][38][39][40][41][42]. An overview of the covered literature is presented in Table I.…”

“…1) Upholding functionality: All publications referenced in this subsection, except for [39], define terms to address the continued provision of a system's functionality in the presence of a fault without performance degradation [24][25][26][27][28][29][30][31][32][33][34][35][36][37][38][40][41][42] and consistently use the term fail-operational. Still, when Author(s) Year Source f a i l -o p e r a t i o n a l f a i l -s a f e f a i l -s i l e n t f a i l -d e g r a d e d f a i l -r e d u c e d f a i l -u n s a f e o t h e r Automotive publications with defintions of fault tolerance regimes Publications in automated vehicle context using fault tolerance regimes without definitions comparing the definitions, the understanding of the term varies slightly between the publications.…”

“…In the first subcategory [24,40,46,47], a core functionality of the fail-operational system is maintained to achieve a defined state. The sole publication of the second subcategory [27] requires the system to maintain full functionality until the defined state is reached. It is not apparent to which subcategory each of the remaining publications [28][29][30]35] can be assigned.…”

“…The fail-silent property of a system is commonly described as the guarantee that no output is provided in the event of failures [24,26,27,29,32,34,41,46]. Therefore, the systems described as fail-silent usually represent (sub-)components of a larger complex system (e. g., a vehicle).…”

Taxonomy to Unify Fault Tolerance Regimes for Automotive Systems: Defining Fail-Operational, Fail-Degraded, and Fail-Safe