Reuse of safety certification artefacts across standards and
domains: A systematic approach
Alejandra Ruiz, Garazi Juez, Huáscar Espinoza
ICT Division, TECNALIA
Derio, Spain
{name.surname}@tecnalia.com
Jose Luis de la Vara
Computer Science Department, Carlos III University of Madrid,
Leganés, Madrid, Spain
[email protected]m.es
Xabier Larrucea
Escuela Universitaria de Ingeniería, Universidad del País Vasco,
Vitoria, Spain
xabier.lar[email protected]us
Abstract—Product reuse is a common practice in safety-critical systems engineering. Reuse can improve system development and assurance, and there are recommendations on reuse for some domains. Cross-domain reuse, in which a previously certified product typically needs to be assessed against different safety standards, has however received little attention. No guidance exists for this reuse scenario despite its relevance in industry, thus practitioners need new means to tackle it. This paper aims to fill this gap by presenting a systematic approach for reuse of safety certification artefacts across standards and domains. The approach is based on the analysis of the similarities and on the specification of maps between standards. These maps are used to determine the safety certification artefacts that can be reused from one domain to another and reuse consequences. The approach has been validated with practitioners in a case study on the reuse of an execution platform from railway to avionics. The results show that the approach can be effectively applied and that it can reduce the cost of safety certification across standards and domains. Therefore, the approach is a promising way of making cross-domain reuse more cost-effective in industry.
Keywords: safety-critical system, safety certification, safety assurance, reuse, safety standard, cross-domain.
1 INTRODUCTION
Safety-critical systems are those whose failure could end up in loss or injuries to people or the environment. These systems are usually required to go through certification processes, or safety assurance processes in general, according to some safety (or safety-related) standard [1]. The goal of certification is to provide the different stakeholders, including the society, the assurance that a system does not introduce unacceptable risks or catastrophic consequences [2]. Prescriptive standards such as DO-178C in avionics [3] or the general IEC 61508 standard [4] define processes and specific evidence to show compliance. Other standards follow a goal-based strategy where the achievement of compliance and of a system's safety objectives is documented in an assurance case. This case roughly consists of arguments that justify compliance and system safety, are supported by evidence, and are evaluated by a certification body. An example of this second approach is the Def 00-56 military standard [5]. It is also common that specific domains have their own applicable standards, such as EN 50128 for railway [6] and ISO 26262 for automotive [7].
Certification processes are laborious and expensive, and tend to increase the effort and cost to develop safety-critical systems. For example, Boeing's 787 Dreamliner aircraft needed a certification assessment process that lasted eight years in order to obtain the airworthiness certificate [8]. During that process, the Federal Aviation Agency reported about 200,000 hours of technical work, which were exceeded by the hours required by technicians from the company. Boeing needed to present more than 4,000 documents to show evidence of compliance.
Safety-critical systems are typically not built up from scratch as a massive and unique element, but as a composition of systems and subsystems working in collaboration. This decomposition into subsystems introduces a good chance for reuse, where the effort needed for compliance can be assumed by the different systems in which a subsystem or component is used or reused. In order to reduce the time needed to put a new system into the market, reuse of e.g. software improves productivity and reliability of development projects and lowers their overall cost. These benefits could increase up to 50% with a high level of reuse [9]. There is guidance on how to reuse components and subsystems in domains such as automotive [7] and avionics [10].
This is the accepted manuscript of the article that appeared in final form in Reliability Engineering and System Safety 158: 153-171 (2017), which has been published in final form at https://doi.org/10.1016/j.ress.2016.08.017. © 2016 Elsevier under CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/)
Not only the certification investment can benefit from reuse but also other advantages have been recognised [11]:
- Dependability property improvement. Systems and components are thoroughly verified and proved each time they are reused. The historical data of their performance and of reactions to vulnerabilities also increases, providing the system or component developer with exact data to improve dependability.
- Process risk reduction. When following a reuse strategy, the risk is shared by each of the times the reuse has been performed. Even more, reuse supports the application of process best practices, mitigating the associated process risk.
- Effective use of specialists. The knowledge is encapsulated in the different components and associated artefacts that are reused, liberating this way a specialist from monotonous work. Specialists can focus on challenging areas where their knowledge is specially needed.
- Accelerated development. The time to market of a product is reduced by reusing previously developed projects or parts of projects.
Difficulty in deciding if a component can be reused and provision of safety evidence for systems that reuse existing systems and components have been acknowledged as challenges both in the literature [12] and by practitioners [13,14]. It is also considered that industry needs more systematic approaches to safety certification artefact (aka evidence) reuse [15]. A major issue arises when aiming to reuse, in a given domain, a system that has been previously certified and deployed in another domain. This is mainly due to the differences between the applicable safety standards and thus between the certification requirements.
Although effective cross-domain reuse is gaining attention in industry [16] and seems to be a re-certification scenario in which around half of the practitioners dealing with safety evidence change impact analysis have been involved [14], there are no recommendations or guidance offered by certification authorities in order to facilitate product reuse across different domains. Cross-domain certification is even more challenging when auditors and assessors aim to identify the required evidence for certifying a system against the target certification scheme, based on the evidence provided for the source scheme. Without a valid analysis and understanding of safety evidence reuse consequences, a system will need to go through the entire certification process for the target domain. This will require a considerable amount of time and resources, reducing the benefits of product reuse. These issues generally apply to re-certification of a system against a different safety standard. This can occur both in cross-domain reuse and in a single domain, where standards and certification schemes might e.g. vary among countries.
This paper aims to contribute to addressing the above issues by proposing a novel approach that supports the systematic reuse of safety certification artefacts across standards and domains (hereafter referred to as reuse approach). The approach has been developed in the scope of OPENCOSS (http://www.opencoss-project.eu), which is a European industry-academia project on evolutionary certification of safety-critical systems for automotive, avionics, and railway. OPENCOSS industry stakeholders have provided input for designing the reuse approach and have contributed to its validation.
The reuse approach is based on the specification of how similar two safety standards are by mapping them. A pair of safety standards can have commonalities and differences, thus their safety criteria can be fully or partially similar, or no map might exist. The resulting maps can be later exploited to determine the extent to which a product compliant with a safety standard complies with the other, and thus the safety artefact reuse consequences. The approach has been validated with practitioners in a case study on the reuse of an execution platform from railway to avionics. To the best of our knowledge, no other approach has been developed in order to systematically reuse safety certification artefacts across standards and domains.
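The three map outcomes described above (full similarity, partial similarity, no map) and the reuse consequences they imply can be captured in a small data model. The following Python script is an added illustration written for this edited version; it is not code from the paper or from the OPENCOSS tool platform. The standard names, criterion identifiers (S1..S4, T1..T5), map entries and artefact names are all constructed sample data and do not reproduce the text or the actual maps of EN 50128 or DO-178C. The script goes slightly beyond the paragraph by also handling the case in which a map exists but the product never demonstrated the mapped source criterion, which then counts as new evidence to produce.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Tuple


class MapType(Enum):
    """Similarity between a source criterion and a target criterion."""
    FULL = "full"        # the target criterion is completely covered by the source one
    PARTIAL = "partial"  # covered only in part: complementary evidence is needed
    # The absence of an entry in StandardMap.links means that no map exists.


@dataclass
class Standard:
    name: str
    criteria: Dict[str, str]  # criterion id -> short description


@dataclass
class StandardMap:
    source: Standard
    target: Standard
    links: Dict[Tuple[str, str], MapType]  # (source id, target id) -> map type

    def maps_into(self, target_id: str) -> List[Tuple[str, MapType]]:
        """All (source criterion, map type) pairs that map onto one target criterion."""
        return [(src, kind) for (src, tgt), kind in self.links.items() if tgt == target_id]


def analyse_reuse(smap: StandardMap,
                  evidence: Dict[str, List[str]]) -> Dict[str, Tuple[str, List[str]]]:
    """Decide, per target criterion, the reuse consequence for a product that holds
    `evidence` (source criterion id -> artefact names) against the source standard.

    Returns target id -> (verdict, reusable artefacts), with verdict one of
      'reuse'      : a full map exists and the product has evidence for it
      'complement' : only partial maps exist; reuse the artefacts but add evidence
      'new'        : no map, or the product never demonstrated the mapped criterion
    """
    result: Dict[str, Tuple[str, List[str]]] = {}
    for tgt in smap.target.criteria:
        reusable: List[str] = []
        has_full = False
        for src, kind in smap.maps_into(tgt):
            artefacts = evidence.get(src, [])
            if not artefacts:
                continue  # mapped, but the product is not compliant with that source criterion
            reusable.extend(artefacts)
            has_full = has_full or kind is MapType.FULL
        if not reusable:
            verdict = "new"
        elif has_full:
            verdict = "reuse"
        else:
            verdict = "complement"
        result[tgt] = (verdict, reusable)
    return result


def summarise(analysis: Dict[str, Tuple[str, List[str]]]) -> Dict[str, int]:
    """Count verdicts: a quick view of how much of the target certification can be reused."""
    counts = {"reuse": 0, "complement": 0, "new": 0}
    for verdict, _ in analysis.values():
        counts[verdict] += 1
    return counts


# Constructed sample data (illustrative only; not the text of any real standard).
SOURCE = Standard("Source standard (railway-like)", {
    "S1": "software quality assurance plan",
    "S2": "software requirements specification",
    "S3": "software architecture specification",
    "S4": "requirements-to-design traceability",
})
TARGET = Standard("Target standard (avionics-like)", {
    "T1": "software planning",
    "T2": "high-level requirements",
    "T3": "software design",
    "T4": "traceability data",
    "T5": "structural coverage analysis",
})
MAP = StandardMap(SOURCE, TARGET, {
    ("S1", "T1"): MapType.PARTIAL,
    ("S2", "T2"): MapType.FULL,
    ("S3", "T3"): MapType.FULL,
    ("S4", "T4"): MapType.FULL,
    # T5 has no map from the source standard
})
# Artefacts the (hypothetical) product presented for its source certification.
# S4 is mapped, but this product holds no traceability artefact.
EVIDENCE = {"S1": ["SQAP"], "S2": ["SRS"], "S3": ["SAS"], "S4": []}


def run_example() -> Dict[str, Tuple[str, List[str]]]:
    return analyse_reuse(MAP, EVIDENCE)


if __name__ == "__main__":
    analysis = run_example()
    for tgt, (verdict, arts) in analysis.items():
        print(f"{tgt}: {verdict:10s} {arts}")
    print(summarise(analysis))
```

Running the script lists, for each target criterion, whether the source artefacts can be reused directly, need complementary evidence, or whether new evidence must be produced; the summary counts give the practitioner a first estimate of the certification effort saved by the maps.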
This paper extends the work presented in [17], where we presented an overview of the case study and reported on the experience in mapping EN 50128 and DO-178. The extension is mainly based on: (1) a more detailed explanation of the background, the foundations, and the rationale of the reuse approach; (2) a general and generic description of the principles of the approach and of the process to apply it, indicating and explaining all the necessary activities, and; (3) a deeper presentation and analysis of the validation of the approach, including the reporting and discussion of further results. This extension allows a reader to gain a wider understanding of how the reuse approach has been developed, its basis, how to apply the approach, and the benefits of its application.
The rest of the paper is organized as follows. Section 2 presents the background of the paper. Section 3 describes the reuse approach, and Section 4 reports on its validation. Section 5 summarises our conclusions and future work.
2 BACKGROUND
This section presents the main background of the paper, which corresponds to (1) the current state of the practice, (2) a comparison of safety standards, and (3) the related literature.
2.1 State of the practice
The purpose of this section is to describe how safety-critical system certification is handled in practice. To this end, the section analyses safety certification and reuse in avionics and railway, the two domains addressed in the case study with which the reuse approach has been validated. The comparison of safety standards in the next sub-section complements this analysis by presenting a broader overview of how the standards in further domains are and of their similarities and commonalities.
Certification is defined in civil aviation as a legal recognition that a product, service, organization, or person complies with the requirements stated in a certain standard. This implies technically checking the object of certification to verify formally that it complies with the applicable requirements. For certifying a product, the authority should assess the design process of the product to ensure an acceptable level of safety, check whether the product actually conforms to the expected design, and issue a certificate required by the national laws to show that the product has gone through the assessment process [3].
Chevrel [18] describes the different actors involved in aircraft manufacturing. First, the aircraft manufacturer agrees with the avionics authority of the country upon the type certificate. This certificate will include the first definition of the product with documents defining the aircraft characteristics. This is done at the very beginning of the design phase. The manufacturer will then make a contract with the different avionics system developers to contract the development of one or more systems for the aircraft and request their contribution to the airworthiness certification process. System development suppliers should also contract with the authority in order to get a Technical Standard Order authorization to ensure that their system is compliant with the avionics standards. Getting this authorization does not mean that the system will be certified. The aircraft manufacturer has to discuss with the authority in order to get the authorisation for installing the system on an aircraft. After the installation, the complete aircraft goes through a safety assessment and it is after all the evaluation process that the aircraft is ready to get the airworthiness certification.
In the avionics domain, the DO-297 standard [10] and the advisory circular AC 20-148 [19] deal with reuse. DO-297 appeared as a consequence of the move from federated architectures to the IMA (Integrated Modular Avionics) architecture, and AC 20-148 is the result of creating guidelines for software component reuse.
IMA is the term used for a distributed computing network aboard aircraft, which supports avionics applications of many different assurance levels, and it is designed for flexibility in configurations and modularity. It supports assurance evidence reuse to reduce the effort required when reusing components in different systems. Compliance with DO-297 aims to reduce the cost of maintenance and certification. IMA technology has introduced the possibility to fragment the certification process into several tasks: (a) module and/or platform acceptance; (b) application acceptance (software and hardware); (c) IMA system acceptance (integration of multiple applications); (d) aircraft integration; (e) change of modules or applications; and (f) reuse of modules or applications. IMA aims to enable the reuse of applications from different target systems without increasing the certification costs. The IMA platform architect role establishes a certification baseline about sizing hypothesis (memory, processor throughput), applicable certification standards (e.g., DO-254 and DO-178C), and functionality expected (e.g., API A653). The module supplier provides what DO-297 calls the usage domain (characteristics and usage constraints) and qualification material for certification demonstration.
However, applying DO-297 is not an easy task. Eveleens [20] indicates that one of the challenges of reusing an IMA is the lack of sufficient support for dealing with changes made in existing IMA systems or when reusing design elements. There is a need for justification in order to reuse pre-qualification documents due to the number of acceptance criteria, safety arguments, and evidence that need to be considered in a new integration project.
Advisory circulars in the avionics domain are documents issued by authorities (e.g., the Federal Avionics Agency from USA). These circulars are not standards but are intended to provide guidance on accepted compliance means for specific topics. For instance, AC 20-148 provides recommendations concerning reusable software components. This advisory circular indicates that, to reuse components, stakeholders must identify any possible installation, safety, operational, functional, and performance concerns. Although AC 20-148 is not a standard, its application is highly recommended when using Reusable Software Components: "the software, its supporting RTCA/DO-178B software life cycle data, and other supporting documentation being considered for reuse. The component designated for reuse may be any collection of software, such as libraries, operating systems, or specific system software functions" [19]. AC 20-148 distinguishes between what the component is from the developer perspective and from the integrator one. This resembles preconditions and postconditions that should be accomplished for suitable reuse.
Regarding railway, the EN 50126 standard [21] covers the specification and demonstration of safety for all railway applications and at all levels of such applications, as appropriate, from complete railway routes to major systems within a railway route, and to individual and combined sub-systems and components within these major systems. This includes software and hardware. The standard also addresses reliability, availability, and maintainability as essential aspects of a railway system that contribute to safety. EN 50126 serves as the entry point or parent standard for other railway standards, such as EN 50128 for software [6] and EN 50129 for electronic systems for signalling [22].
The processes that define the safety lifecycle of a railway system can be tailored, provided that the modifications do not have any consequence on the standard safety lifecycle and are well motivated. For each phase in the design, the activities to be carried out for safety assurance will be executed in parallel. The safety of a system is meant as the property that failure rates of potentially dangerous consequences are low enough, to globally reduce the risk (i.e. the probability of injuries, fatalities, damages) to a specified acceptable value. The process requires the application of EN 50129, which lists factors that influence reliability, availability, maintenance, and safety as defined in EN 50126. The CENELEC Application Guideline (TR 50506-2 [23]) provides additional information on the application of the standard to achieve the case for safety, and includes material concerning Safety Assessment, Safety Approval, and Cross-Acceptance (i.e., reuse).
EN 50129 defines how the conditions for safety acceptance and approval shall be presented. The conditions shall cover three major themes: (1) Quality Management; (2) Safety Management, and; (3) Functional and Technical Safety. The documentary evidence that these conditions have been satisfied shall be included in a structured safety justification document known as the Safety Case. Acceptance by qualified organisations and national regulatory bodies of the Safety Case, through activities of approval, assessment, and cross acceptance, is the ultimate step to allow a railway system to enter passenger service.
2.2 Comparison of standards
Several regulations have been issued for each safety-critical domain. The standards are related to the development, implementation, validation, and maintenance of safety-critical systems. Some examples are:
● IEC 61508 (generic), for functional safety of electrical/electronic/programmable electronic safety-related systems
● ISO 26262 (automotive), for functional safety of road vehicles
● EN 50126 (railway), for the specification and demonstration of reliability, availability, maintainability and safety
● EN 50128 (railway), for software for railway control and protection systems for communications, signalling and processing systems
● EN 50129 (railway), for safety-related electronic systems for signalling for communications, signalling and processing systems
● DO-178C (aerospace), for software considerations in airborne systems and equipment certification
● DO-254 (aerospace), for design assurance of airborne electronic hardware
● SAE-ARP 4754/4754A (aerospace), for development of civil aircraft and systems
● SAE-ARP 4761 (aerospace), for conducting the safety assessment process on civil airborne systems and equipment.
Other standards include IEC 62304, IEC 60601, IEC 14971 for medical equipment, IEC 61513 for nuclear energy, IEC 62061 for industrial machinery, IEC 61511 for industrial processes, IEC 61800 for electronic control motors, and ISO 10218 for robots. Standards are also used in e.g. defence and space.
Since a "common language" for safety is a very long way off, at least a clear understanding of similarities and differences to inform reuse is needed. Different aspects need to be analysed in the standards in order to address the differences and similarities among them. It has to be noted that a deep, comprehensive comparison is out of the scope of this work. However, it is important to understand the most relevant issues.
1) Objectives. Classification of standards can be done based on different criteria.
● Prescriptive, normative, informative. Since normative ones are absolutely mandatory, the corresponding domain-specific product needs to comply with that standard. Conversely, the informative ones provide added information and guidance on the use of the aforementioned ones, aiming to facilitate their application.
● Process-oriented, objectives-oriented, and product-oriented. Whereas automotive and avionics follow integrated safety, railway prefers the so-called external safety where this attribute is monitored and guaranteed by a different specific system. There are basically two approaches to defining the implication of safety requirements: objectives-oriented (process-oriented) versus product-oriented. The former specify requirements implications as objectives, whereas the latter defines constraints on what is possible to observe on an artefact. Project management and independent assessment are process-oriented activities. Hardware and software design or coding rules are usually product-oriented.
2) Terminology/Vocabulary. Although there is some common terminology used across the different safety standards, sometimes their definitions do not absolutely match or even are different from general definitions. It might happen that definitions about common dependability terms such as fault, error, failure, safety, or some other terms like random hardware and systematic faults, are either differently used or even not considered within them. An example to be highlighted concerns the error definition. For example, Laprie defines it as the part of the system state that may cause a subsequent failure [24], whereas DO-178C considers it a mistake in design, code or requirements and a fault its manifestation. Differences also exist in common terms like verification, validation, safety, assessment, and certification.
3) Reuse. The avionics domain uses commercial-off-the-shelf components, which were originally designed for a non-aerospace market. The advisory circular AC 20-148 presents the software component to reuse as a commercial-off-the-shelf component, and DO-297 addresses module or application reuse for IMA platforms. ISO 26262 includes information regarding the safety element out of context, but the guidelines provided are very high-level considerations. It is when dealing with the hardware and software qualified component concepts that we can go deeper into the knowledge of the actual requirements for compliance. IEC 61508 uses another relevant reuse concept, the so-called safety manual for the qualified item.
4) Safety Lifecycle and Safety Management/Lifecycle. There are safety lifecycle similarities and differences with regard to activities related to safety compliance and to the planning of such activities within the system development processes. To start with, some standards define a precise safety management process (e.g., ISO 26262 and IEC 61508), whereas e.g. DO-178C does not, and the number of required processes differs. The provision of a safety case (i.e., a documented body of evidence that provides a convincing and valid argument that a system is adequately safe for a given application in a given environment) is compulsory in railway while highly recommended in other domains.
5) Hardware Development Lifecycle. Some standards such as ISO 26262 consider hardware process and product integrity within the same unique standard, whilst avionics established a separate specific standard (DO-254). ISO 26262 and IEC 61508 include the definition of specific failure rates per integrity level and different hardware metrics to be achieved. Differences can be found not only in the types of faults but also in the hardware metrics to calculate. In automotive, a specific maximum failure rate value per ASIL (Automotive Safety Integrity Level) is established, but this is not defined in all safety standards. Concerning reprogrammable hardware, it is not directly considered in ISO 26262, whereas DO-254 tackles this aspect.
6) Software Development Lifecycle. Not all the safety standards prescribe a specific software development lifecycle. ISO 26262 is one of the standards that explicitly define a V-Model to develop software.
7) Safety Categories or Levels of Integrity. Under various names but addressing the same aim, they constitute a fundamental basis of safety standards. They are called Safety Integrity Levels (SILs) in IEC 61508 and railway, ASIL in the automotive domain, and Development Assurance Level (DAL) in avionics. All of them depict the risk and the effects of the potential failures of the considered system, making it possible to quantify the safety level of a system and consequently to evaluate criticality. Thus it associates a value that characterizes how much the safety depends on the absence of failures from the system under consideration. The higher the integrity level is, the more exhaustive the development and V&V processes need to be so that development faults are avoided as much as possible. This implies that the requirements to comply with increase as the safety level does. This is the case when dealing with specific techniques or methods for a certain design phase. Depending on the criticality level to address, either complementary techniques or more exhaustive ones are needed to comply with the standard (see techniques). Railway and automotive functional safety standards associate a specific SIL/ASIL with a maximum mean time to failure or minimum (dangerous) failure rate. In avionics, there is no attempt to numerically evaluate the probability of failure due to such faults, but to consider that fulfilling the standard's requirements provides a level of confidence compatible with the severity of the risk.
8) Hazard Analysis and Risk Assessment (HARA). The hazards related to the safety-related functions are addressed in all the standards following a systematic analysis. According to ISO 26262, HARA is the method to identify and categorize hazardous events of items and to specify safety goals and ASILs related to the prevention or mitigation of the associated hazards in order to avoid unreasonable risk. Furthermore, this standard specifies methods such as FMEA (Failure Modes and Effects Analysis) or brainstorming in order to derive the possible hazards. The impact factors such as severity or exposure used to determine the corresponding integrity levels can differ to some extent among domains. For example, automotive takes controllability into account, and in avionics severity is implicitly considered as high exposure.
9) Verification and Validation. Verification usually stands for the determination of completeness and correct specification or implementation of requirements from a phase or sub-phase [7]. Even though the definitions might be a bit different among standards, the aim is the same in all of them. Concerning the applied methods, they can differ. Common ones are analysis and review.
The same applies to validation. To be more precise, ISO 26262 refers to this term as "safety validation", where methods such as reviews, reproducible tests with pass/fail criteria, or analyses can be applied to assure that the safety goals are sufficient and have been achieved. Validation in IEC 61508 stands for safety validation as well, and similar methods are implemented (e.g., testing and static/dynamic analysis). However, DO-178C does not specify any method to be applied and its definition is based on the completeness of the specified requirements.
10) Techniques. The applied techniques or methods do not only depend on the type of standard but also on the criticality level and the product development phase. Furthermore, some techniques can be recommended or highly recommended whereas others are strictly mandatory. Several techniques are usually listed for each development phase. A full mapping of all the required techniques is out of the scope of this work. However, some of the most remarkable are fault injection, formal methods, FMEA (Failure Modes and Effects Analysis), FMEDA (Failure Modes Effects and Diagnostics Analysis), FTA (Fault Tree Analysis), DFA (Dependent Failure Analysis), testing, walk-through, and simulation. Most of these techniques appear in different safety standards. Nonetheless, there are similarities and divergences in terms of lifecycle phase, objective and scope or recommendation level.
11) Tool qualification. Failure to automate complex verification and development activities can compromise system safety. In order to mitigate this risk, integrity requirements in terms of tool qualification can be provided. Most domains have introduced tool qualification requirements concerning planning, documentation, classification analysis, qualification reporting, and confidence, and categorize tools based on their potential impact on the application. Regarding requirements on tool development, DO-330 is currently the standard with the more elaborated requirements.
12) Security Aspects. Security-related safety issues are starting to be state of the art, and something is quite clear: there is no safety without security. However, not all the standards consider security aspects within their requirements, and the trend seems to be the generation of complementary security standards.
2.3 Related literature
Related literature on the reuse of certification artefacts across standards and across domains can be regarded as limited. Nonetheless, some authors have analysed reuse needs and proposed approaches to support artefact reuse. We review this kind of publications in this section.
Reusing artefacts from one domain into others is not a straightforward activity, and it requires a negotiation of its reuse [25]. There are scarce industrial reports describing component reuse such as the one described in [26]. In the software engineering domain, several research works have been focused on reusing components [27,28], architectures [29], and techniques [28,30,31]. Some approaches targeting reuse are also applied in sectors such as manufacturing [32], where cost-effectiveness of reuse is considered to decide upon reuse. The automotive industry also reuses some parts of their components [33,34].
Reusing an artefact that has been previously certified in one domain implies a wide and deep analysis of its use in a different domain or project. It is especially relevant when human lives are involved or they might be affected by a misbehaviour or failure of a system. Reusing a project is not straightforward and is even more difficult when the context changes, as for example in cross-domain reuse. This can be a reason for why very few attempts have been made. Zeller et al. [35] propose a cross-domain assurance process in conjunction with a development methodology for safety-relevant software. The objective was to reduce the effort required to perform a safety assessment by reusing safety analysis techniques and tools as well as artefacts produced during the safety assurance process. The process consisted of generic and domain-specific steps that must be executed in each of the considered domains as well as steps that are only necessary in specific domains. The authors were able to reuse techniques and tools for safety analysis on different domains. However, not all of the phases of their proposed process were domain-independent and safety certification artefact reuse was not considered in their research. Papadopoulos and McDermid developed a similar approach [36].
SafeCer (http://safecer.eu/) is a European research project related to reuse of safety certification artefacts across standards and domains. The SafeCer project addressed an industrial use case on the reuse of tool qualification across domains [37]. The proposal is based on three pillars: (1) cross-domain requirements spanning different standards, (2) cross-domain development process according to the associated standards and their integrity levels, and (3) cross-domain tools, instantiated according to the associated standard. They proposed a tool qualification process line to enable the reuse across domains of process elements. Gallina et al. [38] stated that this approach also supports the reuse of certification artefacts by relating the process line with the corresponding family of process-based arguments related to process compliance. However, this has not been shown and a systematic process for safety certification artefact reuse has not been specified. Gallina and Szatmári [39] have also proposed the use of ontologies for identification of commonalities and differences among safety processes.
Model-driven approaches can also be applied for certification purposes [40]. New systems can be composed of subsystems stemming from different domains [41], but it is not clear how an artefact can be reused in this context. Some approaches rely on safety cases (thus on arguments) (e.g., [42]). However, with these approaches the engineer needs to interpret the requirements and objectives of the standards that will apply to the specific situation, and sometimes this is open to interpretations.
3 APPROACH FOR REUSE OF SAFETY CERTIFICATION ARTEFACTS
As explained in the previous section, practices for safety-critical system engineering and assurance vary among domains. There are not only similarities but also differences between the applicable safety standards. Therefore, any approach targeting safety certification artefact reuse must provide a systematic way to check commonalities and identify the differences, and to tackle them. Although recommendations on reuse can be found for some domains, no guidance has yet been provided on how to systematically reuse safety certification artefacts across standards and domains. The related literature has also provided very few insights into how to reuse safety certification artefacts across standards and domains. A new, systematic approach is necessary for reusing safety certification artefacts across standards and domains.
This section presents the approach developed in the OPENCOSS project to reuse safety certification artefacts across standards and domains. We first introduce the overall approach for evolutionary certification of safety-critical systems and then the principles and the process for reuse of safety certification artefacts. Both the principles and the process are supported by the tool platform developed in OPENCOSS [43]. This shows that they can be implemented. We use information from the DO-178C avionics standard [3] and the EN 50128 railway standard [6] as running examples. These standards have been used in the validation of the reuse approach (Section 4). Finally, we discuss practical considerations for the reuse approach.
3.1 OPENCOSS approach to evolutionary certification of safety-critical systems
OPENCOSS is a large-scale European research project on safety assurance and certification of embedded
systems. The OPENCOSS consortium comprises four academic partners and 13 companies, including safety-
critical system manufacturers, component suppliers, certification authorities, safety assessors, and tool vendors.
The project is also supported by a large advisory board with representatives from more than 20 international
organizations.
The project has (1) devised a common certification framework that spans different vertical markets of railway,
avionics, and automotive, and (2) developed an open-source safety certification infrastructure. The ultimate goal
of the project is to bring about substantial reductions in recurring safety certification costs and at the same time
reduce certification risks through the introduction of more systematic safety assurance practices. The project
deals with: (1) creation of a common certification conceptual framework; (2) compositional certification; (3)
evolutionary chain of evidence; (4) transparent certification process; and (5) compliance-aware development
process.
The reuse of safety certification artefacts across standards and domains is mostly enabled by the common
certification conceptual framework. The main objective of the framework is to create a language that can be used
in different domains to describe safety-related information, standards, and projects. Such a language facilitates
the analysis and the comparison of safety standards, and the reuse of safety-related information across projects.
This includes projects under different safety standards or in different domains.
Fig. 1 sketches the approach defined in OPENCOSS for evolutionary certification of safety-critical systems. The
approach is model-based and is supported by several metamodels targeted at different safety assurance and
certification needs. The set of metamodels corresponds to the common certification conceptual framework.
The Reference Assurance Framework Metamodel supports the specification of the safety compliance needs that
have or might have to be considered in an assurance project. The needs can be specified by means of reference
assurable elements in the form of reference requirements to fulfil, reference artefacts to manage, and reference
activities to execute. Safety compliance needs can be from specific standards, recommended practices, or
company-specific practices, and typically have to be tailored to project-specific characteristics. The latter is done
by means of baselines, which correspond to the specific safety criteria of a standard with which a given
assurance project has to show compliance. A baseline is usually a subset of all the safety criteria present in a
standard and varies among projects. For example, the safety criteria will vary if a system is developed using
model-based techniques.
Another source of information for safety compliance is the data about the product for which compliance is
sought. Therefore, the metamodels also include the concepts and relationships necessary for modelling and
managing project-specific information. This information needs to be recorded regardless of which safety
standard is being followed. OPENCOSS has defined metamodels for modelling the process executed to create a
product (Process Metamodel), the evidence of safety and of compliance (Evidence Metamodel), and the
arguments that will be used to justify key safety-related decisions taken during the project (Argumentation
Metamodel). The corresponding model represents the assurance assets of a project.
Two other metamodels are proposed. The Vocabulary Metamodel is a means to define and record the terms and
concepts used to characterize reusable assurance assets such as evidence, argumentation, and process data.
Finally, there is a Mappings Metamodel. Maps can be specified between vocabulary terms (e.g. from different
domains), between the assurance information gathered during a project and its baseline for indicating
compliance, and between safety standards (i.e. reference assurance frameworks) for indicating how the standards
relate and if equivalences exist between them. The latter is key for reuse of safety certification artefacts across
different standards and domains. In general, the mappings aim to allow engineers and managers to make
informed decisions about the appropriateness and implications of reusing assurance information across projects,
safety standards, and domains.
Further information about the OPENCOSS approach to evolutionary certification of safety-critical systems can
be found in [44].
Fig. 1. Overview of the OPENCOSS approach to safety assurance and certification [45]
3.2 Principles for reuse of safety certification artefacts across standards and domains
The application of the reuse approach is based on principles elicited from current practices and needs (see
Section 2), and discussed with OPENCOSS industry partners. There are four main principles: the intent of a
safety certification artefact must be taken into account when aiming to reuse it, maps must be established
between the source standard (reuse from) and the target one (reuse to), project compliance must be determined
(by means of maps), and needs and gaps resulting from safety certification artefact reuse must be determined.
1) Safety certification artefact intent
Safety certification artefact reuse is not a challenge per se. In theory, any artefact is reusable. The main reuse
need stems from the fact that each safety standard has its own requirements to fulfil, and such requirements can
vary among standards. For example, DO-178C lists objectives (requirements) for the different software
development processes, and some objectives are not fully addressed in EN 50128. When reusing a safety
certification artefact, it must be determined what requirements of the target standard are fulfilled when the
source standard is complied with. Safety certification artefact reuse can be regarded as the process targeted at
determining what requirements of a given safety standard are fulfilled when compliance with another standard
has been achieved.
The above need can only be met if the standard's requirements to whose fulfilment a safety certification artefact
contributes are recorded. These requirements correspond to the artefact intent: what properties are assured in the
artefact and thus why the artefact is necessary. For example, the DO-178C Software Requirements Data must
include the performance criteria, timing requirements and constraints, and memory size constraints so that the
artefact fulfils its intent (i.e., to show that such characteristics have been considered and specified).
Safety certification artefact intent is also based on the activities that use or produce the artefact. In general, and if
we think of activities that use and produce several safety certification artefacts, the overall aim of an activity
corresponds to a higher-level intent of the individual intent of the output artefacts of the activity. The
achievement of this higher-level intent is also enabled by the individual intent of the input artefacts of the
activity. For example, the EN 50128 Integration Process (activity) aims to demonstrate that software and hardware
interact correctly to perform their intended functions. To this end, the activity uses the Software Integration Test
Specification and the Software/Hardware Integration Test Specification as input, and produces the Software
Integration Test Report and the Software/Hardware Integration Test Report as output.
2) Equivalence mapping between standards
In addition to recording the intent of the safety certification artefacts, it is also necessary to determine the
equivalence between standards for safety certification artefact reuse. This can be done by means of maps that
indicate the extent to which the criteria of the standards are equal (e.g., between EN 50128 Software
Requirements Specification and DO-178C Software Requirements Data). Based on these mappings, the
similarity and differences of the standards can be assessed, and thus how compliant a safety certification artefact
is with a given standard according to its compliance with another standard.
Three general types of maps can exist between the elements of two standards:
● Full map: the elements in the mapping are identical; the characteristics of the element in its original
context (its form, its required content, its preconditions, its objectives, its post-conditions on its use...)
fully satisfy the requirements of the context in which it is to be reused.
● Partial map: the elements are similar, but they are not identical; depending on the context and the
objectives, the differences between them might be significant; in this case, a clear record of the
similarities and differences is required.
● No map: there is insufficient similarity between the elements to enable us to assert a map; in this case, it
may be important to record the differences, and the reasons why the mapping is disallowed, in order to
inform further gap analysis and prevent inadvertent reuse.
Full maps are usually rare in the assurance domain and the majority of maps are partial.
Three elements play a role in equivalence mapping: artefacts, activities, and requirements. Pragmatically, any of
these reference assurable elements can be reused. The acceptability of the reuse needs to be argued in terms of
the overall assurance objectives indicated by a standard: i.e. what needs to be demonstrated for assurance and
compliance in the target context.
Equivalence maps are also necessary between the baseline of an assurance project and the reference framework
(or frameworks) of the standard according to which a system has to be assured. Some differences might exist as a
result of e.g. having to tailor how to follow a standard according to the specific characteristics of a system.
3) Compliance mapping
Another necessary type of map for cross-standard and cross-domain reuse is the compliance map. These mappings
specify how the information of an assurance project (i.e., its body of assurance assets) complies with its baseline.
Like equivalence maps, compliance maps can be full, partial, or no map. By mapping an artefact to a reference
artefact selected for a baseline, the intent of the artefact is indicated.
The compliance maps of the source assurance project will typically be full and 1:1. Its baseline will correspond
to a template according to which the project is executed. For example, a baseline from a reference framework of
DO-178C will have Software Requirements Data as an artefact to provide, and an assurance project can have a
single artefact that maps to Software Requirements Data. Nonetheless, an assurance project can also manage,
structure, or group its artefacts in a different way to what a standard indicates, while still being compliant. For
example, an assurance project could have more than one artefact for its Software Requirements Data, such as a
high-level requirements specification and a low-level requirements specification. Each of these artefacts would
partially map to Software Requirements Data.
Compliance maps of the target assurance project can be derived from the compliance maps of the source
project. In this case, the likelihood of derived full maps is low because of the differences that usually exist
between standards. The assurance information of the source project fulfils the requirements of its baseline and in
turn of some source reference framework. The target assurance project will have a different baseline and
reference framework, thus different requirements to fulfil. Nonetheless, some reference requirements can be
similar or equal. For example, an artefact that complies with EN 50128 Software Requirements Specification
will partially map to DO-178C Software Requirements Data.
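The chain of maps described in principles 2) and 3), as an added worked example that is not part of the paper or of the OPENCOSS platform. It records equivalence maps between a source and a target standard, chains the source project's compliance maps through them to derive the target project's compliance maps, and computes ratios in the style of the metrics reported in Table 2. The combination rule (a derived map is never stronger than the weaker of its two links), all artefact names, and all equivalence maps except the partial map from EN 50128 Software Requirements Specification to DO-178C Software Requirements Data given in the text are assumptions; the DO-178C and EN 50128 element names serve only as labels for the sample data.

```python
"""Chain-of-maps reuse check: equivalence maps between two standards, the
source project's compliance maps, and the derived target compliance maps.
Added illustration, not OPENCOSS code; sample data below is constructed."""
from dataclasses import dataclass
from enum import IntEnum


class MapType(IntEnum):
    """The three map types of Section 3.2; ordered so min() selects the weaker link."""
    NONE = 0
    PARTIAL = 1
    FULL = 2


@dataclass(frozen=True)
class EquivalenceMap:
    source_elem: str      # reference element of the source standard
    target_elem: str      # reference element of the target standard
    kind: MapType
    rationale: str = ""   # record of differences (needed for partial and no maps)


@dataclass(frozen=True)
class ComplianceMap:
    artefact: str         # project artefact (assurance asset)
    ref_elem: str         # baseline reference element it complies with
    kind: MapType
    rationale: str = ""


def derive_target_compliance(source_maps, equivalence_maps):
    """Chain each source compliance map through the equivalence maps.

    Assumption (the paper gives no explicit rule): the derived map is the weaker
    of its two links, so FULL + PARTIAL gives PARTIAL, and a NONE equivalence
    yields no derived compliance map at all (a gap to be recorded, not reused).
    """
    by_source = {}
    for em in equivalence_maps:
        by_source.setdefault(em.source_elem, []).append(em)
    derived = []
    for cm in source_maps:
        for em in by_source.get(cm.ref_elem, []):
            kind = min(cm.kind, em.kind)
            if kind == MapType.NONE:
                continue
            derived.append(ComplianceMap(
                cm.artefact, em.target_elem, kind,
                f"derived via {cm.ref_elem} ({em.kind.name.lower()} equivalence)"))
    return derived


def reuse_metrics(derived, target_baseline):
    """Ratios over the target baseline, in the style of Table 2."""
    baseline = set(target_baseline)
    covered = {m.ref_elem for m in derived if m.ref_elem in baseline}
    full = {m.ref_elem for m in derived
            if m.ref_elem in baseline and m.kind == MapType.FULL}
    total = len(baseline)
    return {
        "reused_ratio": len(covered) / total,          # assets reused across domains
        "no_new_map_ratio": len(full) / total,         # already fully compliant
        "needs_new_map_ratio": (total - len(full)) / total,
        "gaps": sorted(baseline - covered),            # need new evidence in target
    }


# Constructed sample: EN 50128 (source) to DO-178C (target). Only the first
# equivalence map is the paper's own example; the rest are assumptions.
EQUIVALENCE_EN50128_TO_DO178C = [
    EquivalenceMap("Software Requirements Specification", "Software Requirements Data",
                   MapType.PARTIAL, "paper's example: similar but not identical"),
    EquivalenceMap("Software Integration Test Specification",
                   "Software Verification Cases and Procedures", MapType.PARTIAL, "constructed"),
    EquivalenceMap("Software Integration Test Report", "Software Verification Results",
                   MapType.PARTIAL, "constructed"),
    EquivalenceMap("Software Source Code", "Source Code", MapType.FULL, "constructed"),
    EquivalenceMap("Software Validation Report", "Software Accomplishment Summary",
                   MapType.NONE, "constructed: insufficient similarity, reuse disallowed"),
]
TARGET_BASELINE_DO178C = [
    "Software Requirements Data", "Software Verification Cases and Procedures",
    "Software Verification Results", "Source Code", "Software Configuration Index",
]
SOURCE_PROJECT_MAPS = [  # constructed railway project; HLR/LLR split as in the text
    ComplianceMap("HLR-v2", "Software Requirements Specification", MapType.PARTIAL),
    ComplianceMap("LLR-v2", "Software Requirements Specification", MapType.PARTIAL),
    ComplianceMap("IntTestSpec-v1", "Software Integration Test Specification", MapType.FULL),
    ComplianceMap("IntTestReport-v1", "Software Integration Test Report", MapType.FULL),
    ComplianceMap("src-tree", "Software Source Code", MapType.FULL),
    ComplianceMap("ValidationReport-v1", "Software Validation Report", MapType.FULL),
]

if __name__ == "__main__":
    derived = derive_target_compliance(SOURCE_PROJECT_MAPS, EQUIVALENCE_EN50128_TO_DO178C)
    for m in derived:
        print(f"{m.artefact:18} -> {m.ref_elem:42} {m.kind.name:8} {m.rationale}")
    print(reuse_metrics(derived, TARGET_BASELINE_DO178C))
```

Running the script lists the five derived maps (only the Source Code one is full) and reports 80% of the target baseline covered, 20% needing no new compliance map, and Software Configuration Index as a gap that must be satisfied with new evidence in the avionics project.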
coverage. The estimates of reuse from AP1 to AP2 with the reuse approach are based on AP1 with the reuse
approach, the coverage of AP1 without the approach, and on reuse from AP1 to AP2 without the approach.
Based on the estimates by the practitioners, cross-domain reuse (i.e., reuse from AP1 to AP2) with the current
practices results in only 4.5% of effort and cost reduction. The application of the reuse approach could lead to
effort reduction by 53.8% and cost reduction by 26.6%.
Table 2. Metric measurement
Metric | Value | Comments
Ratio of assurance assets that are reused | 0.74 | Focused on (reference) baseline requirements
Reused assurance assets | 155 | Reused compliance requirements
Total assurance assets | 210 | Total set of avionics baseline requirements
Ratio of baseline elements that do not need a new compliance map | 0.19 | Focused on (reference) baseline requirements
Baseline elements that do not need a new compliance map | 40 | Number of assets reused whose compliance map is full
Total baseline elements | 210 | Total set of reference requirements
Ratio of reference assurable elements with applicable equivalence maps | 0.67 | Focused on reference requirements
Reference assurable elements with applicable equivalence maps | 210 | Number of reference requirements with equivalence maps
Total reference assurable elements | 315 | Total set of reference requirements
Ratio of compliance maps automatically created | 0.74 | Focused on automated compliance maps for baseline requirements
Compliance maps automatically created | 155 |
Total compliance maps | 210 |
Ratio of reference assurable elements with some equivalence map | 0.67 | Focused on reference requirements
Reference assurable elements with equivalence maps | 210 | Number of reference requirements with equivalence maps
Total reference assurable elements | 315 | Total set of avionics reference requirements
Ratio of assurance assets that are reused across domains | 0.74 | Focused on (reference) baseline requirements
Assurance assets reused across domains | 155 | Reused compliance requirements
Total assurance assets | 210 | Total set of avionics baseline requirements
Ratio of baseline elements compliance with which has to be shown | 0.81 | Focused on (reference) baseline requirements
Baseline elements that need a new compliance map in the new domain | 170 | Number of assets that need a compliance map, full or partial, in the new domain
Total baseline elements | 210 | Total set of avionics compliance requirements
Table 3. Effort and cost estimation without the reuse approach
Table 4. Effort and cost estimation with the reuse approach
4.4 Discussion
We discuss in this section the answers to the RQs, the practical considerations for applying the reuse approach,
and the validity of the results obtained and the conclusions drawn.
We consider that the answer to RQ1 (Can the approach be effectively applied to reuse of certification
artefacts?) is positive. The results of the case study, which were validated by practitioners, show that the reuse
approach was successfully applied to analysing the reuse of an execution platform from railway to avionics. All
the activities of the process to enact the approach (Section 3.3) could be executed, and in accordance with the reuse
principles presented (Section 3.2). The whole set of artefacts from railway could be reused and the reuse
consequences could be determined.
When analysing the impact of applying the proposed approach (RQ2), the results strongly suggest that the reuse
approach can reduce the recurring costs of product safety certification across standards and domains. First,
metric measurement shows gains above 65%, with almost 20% of baseline elements that do not need new
compliance maps (i.e., already compliant elements are reused). Second, practitioners consider that the
application of the reuse approach can lead to effort reduction by above 50% and to cost reduction by above 25%.
Even though the estimates were too optimistic, we consider that the estimates provide evidence of the potential
effort and cost reductions that the reuse approach can enable.
There are aspects related to the validity of the case study that are inherent to this research method, such as the
application of the approach in a single case and in a given context (reuse of an execution platform from railway
to avionics). This affects external validity. Other aspects of which a reader must be aware are as follows:
● Fully accurate results can only be obtained if the reuse approach is applied in a real full project. The
current validation has been the initial step towards demonstrating the potential of the approach in
practice.
● Some results are based on estimates. This has been mitigated by taking measures to provide sound
estimates (e.g., involvement of several practitioners).
● The case study has focused on the reuse between two software standards. The results might thus differ
for e.g. system-level standards. The same applies to reuse situations in which goal-based standards are
involved and assurance projects that have to show compliance with several standards.
Nonetheless, we are confident in the overall validity of the case study, thus of the reuse approach. First,
practitioners have been strongly involved throughout the case study. They also provided regular feedback during
OPENCOSS on how the reuse approach should be to fit industry needs. Second, most practitioners involved in
safety-critical system engineering and certification deal with DO-178, EN 50128, or similar standards (e.g.,
ARP4754 or IEC 61508-based standards, respectively), according to the background information of recent large
surveys on safety evidence management [13,14].
5 Conclusion
Product reuse is a common activity in the development of safety-critical systems. It can improve safety-critical
system engineering and certification, and there is guidance for product reuse across systems of a same domain.
However, reuse across standards and domains has received little attention and no recommendations exist for
such reuse scenarios. Although similarities might exist between domains, reusing safety certification artefacts
from one domain to another is not straightforward because each domain has its own engineering practices and
standards.
This paper has presented a systematic approach to effectively reuse safety certification artefacts across standards
and domains. The reuse approach is based on the mapping of the safety criteria of two standards and the
mapping of the artefacts of an assurance project to the standard with which the project has to comply. The
resulting chain of maps can be later used to identify the consequences of reusing safety certification artefacts
from a source assurance project to a target project in another domain and with different applicable standards.
The reuse approach has been validated in a case study on reuse from railway to avionics. In collaboration with
practitioners, we were able to apply the approach to reuse assurance information compliant with EN 50128 in a
DO-178 project. The application resulted in the reuse of all the railway artefacts, full compliance demonstration
for almost 20% of the elements of the target assurance project, and almost a 75% of compliance needs coverage.
Practitioners further estimated that the use of the reuse approach could lead to effort reduction by above 50%
and cost reduction by above 25%. Therefore, we argue that the approach can be effectively applied and that it
can reduce the cost of safety certification across standards and domains. We further conclude that it is a
promising way of making cross-domain reuse more cost-effective in industry.
As future work, semantically enriching the maps, further taking terminological aspects into account, and
increased, more automated tool assistance are aspects from which the reuse approach might benefit. We are also
interested in conducting a case study with some goal-based standard and a different one to gain insights into
possible further needs of the reuse approach, such as those that might arise from having to provide an assurance
case.
Acknowledgement. The research leading to this paper has received funding from the FP7 programme under
grant agreement n° 289011 (OPENCOSS). The authors also thank the OPENCOSS partners who provided input
to and feedback on the approach presented in the paper and its validation, especially Franck Aimé, Katrina
Attwood, Cédric Chevrel, Tim Kelly, and Cyril Marchand.
References
1. Knight JC. Safety critical systems: challenges and directions. ICSE 2002, pp. 547–550.
2. Rushby J. Just-in-time certification. ICECCS 2007, pp. 15–24.
3. RTCA DO-178C/EUROCAE ED-12C. Software Considerations in Airborne Systems and Equipment
Certification, 2011.
4. IEC 61508. Functional safety of electrical/electronic/programmable electronic safety related systems, 2011.
5. UK Ministry of Defence. Interim Defence Standard 00-56, Issue 3: Safety Management Requirements for
Defence Systems. Part 2: Guidance on Establishing a Means of Complying with Part 1, 2004.
6. CENELEC. EN 50128 - Railway applications — Communication, signalling and processing systems —
Software for railway control and protection systems, 2011.
7. ISO 26262. Road vehicles — Functional safety, 2011.
8. Boeing. Certifying Boeing's Airplanes. Online, http://787updates.newairplane.com/Certification-Process
(accessed 24-Jan-16).
9. Gill NS. Reusability issues in component-based development. ACM SIGSOFT Software Engineering Notes,
28(4): 4–4, 2003.
10. RTCA DO-297/EUROCAE ED-124. Integrated Modular Avionics (IMA) Development Guidance and
Certification Considerations, 2005.
11. Sommerville I. Software Engineering (10th ed.). Pearson, 2015.
12. Nair S, de la Vara JL, Sabetzadeh M, Briand L. An Extended Systematic Literature Review on Provision of
Evidence for Safety Certification. Information and Software Technology 56(7): 689–717, 2014.
13. Nair S, de la Vara JL, Sabetzadeh M, Falessi D. Evidence Management for Compliance of Critical Systems
with Safety Standards: A Survey on the State of Practice. Information and Software Technology 60: 1–15,
2015.
14. de la Vara JL, Borg M, Wnuk K, Moonen L. Survey on Safety Evidence Change Impact Analysis in
Practice: Detailed Description and Analysis. Simula Research Laboratory, Technical Report 2014-18, 2014.
15. Martin H, Baumgart S, Leitner A, Watzenig D. Challenges for reuse in a safety-critical context: A state-of-
practice study. SAE Technical Paper 2014-01-0218, 2014.
16. Machrouh J, Blanquart JP, Baufreton P, Boulanger JL, Delseny H, Gassino J, Ladier G, Ledinot E, Leeman
M, Astruc JM. Cross domain comparison of System Assurance. ERTS-2012, pp. 1–3.
17. Ruiz A, Larrucea X, Espinoza H, Aime F, Marchand C. An Industrial Experience in Cross Domain
Assurance Projects. EuroSPI 2015, pp. 29–38.
18. Chevrel C. Avionics System Certification. Certification Together Conference, 2011.
19. FAA Advisory Circular AC 20-148: Reusable Software Components, 2004.
20. Eveleens RLC. RTO-EN-SCI-176 Integrated Modular Avionics Development Guidance and Certification
Considerations, 2006.
21. CENELEC. EN 50126 - Railway applications — The specification and demonstration of reliability,
availability, maintainability and safety (RAMS), 1999.
22. CENELEC. EN 50129 - Railway applications — Communication, signalling and processing systems —
Safety related electronic systems for signalling, 2003.
23. CENELEC. TR 50506-2: Railway applications - Communication, signalling and processing systems -
Application Guide for EN 50129, Part 2: Safety Assurance, 2009.
24. Laprie JC. Dependability: Basic Concepts and Terminology. Springer, 1992.
25. Li J, Zhang HC, Lin Z. Asymmetric negotiation based collaborative product design for component reuse in
disparate products. Comput. Ind. Eng. 57(1): 80–90, 2009.
26. Krohn CA. Space Shuttle Component Reuse Study. IEEE Trans. Reliab. R-25(4): 234–238, 1976.
27. Jha M, O'Brien L. A comparison of software reuse in software development communities. MySEC 2011,
pp. 313–318.
28. Salinesi C, Mazo R, Djebbi O, Diaz D, Lora-Michiels A. Constraints: The core of product line engineering.
RCIS 2011, pp. 1–10.
29. Harn H, Berzins V, Luqi. Software evolution via reusable architecture. ECBS 1999, pp. 11–17.
30. Obbink H, Pohl K (Eds.). Software Product Lines. Springer, 2005.
31. van der Linden F (Ed.). Software Architectures for Product Families. Springer, 2000.
32. Mangun D, Thurston DL. Incorporating component reuse, remanufacture, and recycle into product portfolio
design. IEEE Trans. Eng. Manag. 49(4): 479–490, 2002.
33. Amelia L, Wahab DA, Che Haron CH, Muhamad N, Azhari CH. Initiating automotive component reuse in
Malaysia. J. Clean. Prod. 17(17): 1572–1579, 2009.
34. Go TF, Wahab DA, Rahman MNA, Ramli R, Hussain A. Genetically optimised disassembly sequence for
automotive component reuse. Expert Syst. Appl. 39(5): 5409–5417, 2012.
35. Zeller M, Höfig K, Rothfelder M. Towards a Cross-Domain Software Safety Assurance Process for
Embedded Systems. SASSUR 2014, pp. 396–400.
36. Papadopoulos Y, McDermid JA. The potential for a generic approach to certification of safety critical
systems in the transportation sector. Reliab. Eng. Syst. Saf. 63(1): 47–66, 1999.
37. pSAFECER project. Deliverable "Definition of cross-domain use case description, use case-specific
requirements and assessment criteria", 2012.
38. Gallina B, Kashiyarandi S, Zugsbratl K, Geven A. Enabling Cross-Domain Reuse of Tool Qualification
Certification Artefacts. SAFECOMP Workshops 2014, pp. 255–266.
39. Gallina B, Szatmári Z. Ontology-Based Identification of Commonalities and Variabilities Among Safety
Processes. PROFES 2015, pp. 182–189.
40. Gallina B. A Model-Driven Safety Certification Method for Process Compliance. ISSREW 2014, pp. 204–
209.
41. Rodriguez-Dapena P. Software safety certification: a multidomain problem. IEEE Softw. 16(4): 31–38,
1999.
42. Zeng F, Lu M, Zhong D. Software Safety Certification Framework Based on Safety Case. CSSS 2012, pp.
566–569.
43. OPENCOSS project. OPENCOSS Platform - Final Prototype User Manual. Online, http://www.opencoss-
project.eu/node/7, 2014 (accessed 24-Jan-16).
44. OPENCOSS project. Deliverable D4.4 - Common Certification Language: Conceptual Model, version 1.4.
Online, http://www.opencoss-project.eu/node/7, 2015 (accessed 24-Jan-16).
45. de la Vara JL, Ruiz A, Attwood K, Espinoza H, Panesar-Walawege RK, Lopez A, del Rio I, Kelly T.
Model-Based Specification of Safety Compliance Needs: A Holistic Generic Metamodel. Information and
Software Technology 72: 16–30, 2016.
46. OPENCOSS project. Deliverable D5.2 - Detailed requirements for the OPENCOSS compositional
certification approach. Online, http://www.opencoss-project.eu/node/7, 2012 (accessed 24-Jan-16).
47. OPENCOSS project. Deliverable D1.2 - Use cases description and business impact. Online,
http://www.opencoss-project.eu/node/7, 2012 (accessed 24-Jan-16).
48. OPENCOSS project. Deliverable D1.4 - Implementation of use cases on top of OPENCOSS platform.
Online, http://www.opencoss-project.eu/node/7, 2015 (accessed 24-Jan-16).
49. OPENCOSS project. Deliverable D1.3 - Evaluation framework and quality metrics, version 1.2. Online,
http://www.opencoss-project.eu/node/7, 2013 (accessed 24-Jan-16).
50. OPENCOSS project. Deliverable D1.5 - OPENCOSS Benchmarking. Online, http://www.opencoss-
project.eu/node/7, 2015 (accessed 24-Jan-16).