The main objectives of the project are :
the integration of Safety and Security concepts and the production of a harmonised framework
the production of harmonised dependability criteria describing how confidence in the correctness and effectiveness of functions in systems with safety as well as security requirements can be gained,
the validation of the approach using an existing and evolving communication system with very high dependability requirements,
the promotion of results in safety and security communities (especially in nuclear and railway sectors);
the generalisation of results through close links with various standardisation bodies (e.g. ISO, CEN/CENELEC, IEEE);
the validation of results applicability to other ACTS technologies (e.g. virtual networks, broadband networks).
The purpose of the dependability criteria is the definition of assessment activities that are necessary to gain confidence that the system meets its dependability objectives.
The criteria are generic and shall be used in various application domain in safety and security fields using various life cycle for product and system development. This means the dependability assessment framework defined by the project is compatible with any life cycle. Therefore, it does not prescribe the life cycle on which the development process relies. However, it makes the assumptions that :
any life cycle will go in more and more details from requirements to implementation,
any life cycle is composed of construction, operational and decommissioning phases.
Within the overall life cycle of a critical system, assessment activities have to be performed to ensure that the system meets its dependability objectives continuously. Those activities are organised in three different categories :
Dependability Requirements Assessment Activities.
Correctness Verification Activities.
Dependability Validation Activities..
Quality Assurance Activities.
A system may have requirements to possess some of the six dependability attributes (availability, reliability, safety, confidentiality, integrity, maintainability) and the importance of the attributes in a particular application may not be uniform. Therefore, each attribute of dependability will have associated with it a confidence level on a scale equivalent to the overall dependability scale. This might be termed the system dependability confidence profile. The dependability assessment is the result of activities from the developer and an independent assessor. The role of the developer is to check that his system is developed in conformance with the criteria and must provide proofs to the assessor that the system developed is compliant with the criteria for its dependability confidence profile.
The dependability terminology, assessment concepts, confidence levels and assessment activities including the techniques to be used for each dependability attribute level are detailed in the public deliverable "Definition of Draft criteria for the assessment of dependable systems"
The development of a harmonised framework and methodology will increase the social confidence in the reliability, safety and security of systems and services.
The increased awareness of the two currently separate, security and safety communities about common approaches towards dependability,
The contribution to the relevant standardisation effort.
The project has selected the appropriate standards, codes of practice and study results from the safety, security and quality assurance area, has analysed those standards for differences, commonalties, specific areas. This was done on a general level as well as on a detailed level to show specific differences in common areas. The aspects that are addressed start from the requirements engineering phase including the aspects of risk and hazard analysis, then cover the aspects of design and implementation of the communication system. They include also areas like accreditation, audit, incident reporting and decommissioning, so the whole system life-cycle is covered by this project. (The results of this study are available by the way of a public deliverable "Analysis of Security, Safety, Quality Standards and Codes of Practice").
Subsequently, the project has defined a generic dependability criteria and a general framework showing how these criteria can be applied in the life-cycle of a dependable communication system. A summary of the contents of the public deliverable which are actually the major achievement of the work can be found further.
These new criteria will then be applied to a communication systems with high safety and security requirements in the railways sector. The project will define the specific activities that have to be performed for a dependability assessment of this specific communication system. These activities are derived from the dependability criteria developed within the project as instances of the generic activities described in these criteria. In addition those elements of the total communication system are identified where the criteria will be used. The next step will be to perform a dependability analysis as defined in the criteria and the dependability target developed within this project. This analysis will cover aspects of the development process as well as an evaluation of the critical parts of the communication system. A major part of this analysis will be an effectiveness analysis as described in ITSEC combined with a hazard analysis as known in the safety area. The activity is performed in close co-operation with the developers as well the people responsible for the communication system to get their feedback on the usability of the approach. The report produced as result of this activity shall serve as a useful document for accreditation, audit and the preparation of an incident report system.
The objectives of the dependability analysis are :
To identify possible flaws and vulnerabilities of the communication system and describe their potential impact on the safety and security;
To give a more detailed description of the remaining risks;
To give guidance for maintaining the level of confidence during the operation of the system (i. e. make suggestions for specific activities performed during an accreditation like process, for system audit and for the establishment of an incidence reporting system).
The result of the dependability analysis will be feed back to the developers, users and operators of the communication system to get their comments on the result of the dependability analysis as well as their comments on the criteria and the activities performed during the analysis. The applicability of the criteria on a nuclear communication system will also be checked. The experience made during this trial dependability analysis as well as the feedback from the developers, users and operators of the system will then be used to enhance the original criteria to make them more effective and get a better acceptability. A new enhanced version of the criteria will be produced. This version will then be distributed to a selected audience outside of the project to get their feedback. A workshop at this stage is planned to promote the results of the project to the user community. The result of the project may well be submitted as an input to the relevant standardisation committees and Common Interest Groups.
Summary of Trial
The project will develop new criteria for dependability assessment which will be applied to a communication system with high safety and security requirements. This demonstrator will be taken mainly from the railways sector, where a communications system automatically pilots an underground line. The actual system to serve as a demonstrator is currently tested by the underground operator of the Ile de France region. The system controls the traffic on a railway line which is divided into sections. Commands to trains are sent by an operator from a control room equipped with safety panels, computers and consoles. Types of commands are :
inhibition of traction alarms,
set-up of traction status,
Each section of the line possesses hardware and software used to receive commands from the control room, to transmit them to the trains, to collect the information representing the status of the railway line, of the trains and of the traffic. Connection between the central computer and the line equipment is realised by networks. The functions realised by the system are divided into three sets :
automatic train protection (speed control, anti-collision, evacuation, train-platform passenger transit,..);
automatic train operation (speed control loop, service braking, train control,..),
automatic train supervision (monitoring and display, command sending, train tracking,..)
Development of harmonised security and safety criteria for dependability assessment,
Development of dependability target,
Demonstrator using a mission critical communication system,
Submission of results to standardisation bodies .