This page is hosted courtesy of the Noe Information Service.

PROJECT

Name: SQUALE, Security, Safety and Quality Evaluation for Dependable Systems.

Contract number: AC097.


Short Description

The objective of the SQUALE project is to analyze the existing standards and practices in the safety as well as the security area and define a combined harmonised approach to gain confidence in the correctness and effectiveness of systems with safety and security requirements. The project will define “dependability criteria” describing this harmonised approach and apply these criteria to a demonstrator system. This demonstrator system is the Automated Train Operation System (ATOS) developed by Matra Transport to equip the METEOR underground line of the Paris metro. This existing system has very high dependability requirements and is therefore the ideal candidate on which to test the criteria developed within this project.

The new criteria will be based on the many existing standards in the safety and security world. A mapping to existing standards (which all cover only specific dependability aspects) is needed and will be provided as part of the project. This shall ensure that the criteria and practices developed can (and will) be applied in practice. Therefore a careful analysis of the existing sector and area specific approaches will be performed at the beginning of the project.

The main objectives of this project will be:

The project is intended to develop an approach that significantly increases confidence in dependable systems. The partners within the project combine many years of experience in the safety and security areas.


Project Description

SQUALE (Security, Safety and Quality Evaluation for Dependable Systems) is a project within the European Commission's ACTS (Advanced Communications Technologies and Services) programme.

The need for reliability, safety and security in communication systems is growing rapidly, as those systems are now used more and more for business-critical and life-critical applications. Failures of communication systems, whether their origin is accidental (a program or equipment fault) or a deliberate attack, become highly critical. The definition of “dependability”, which tries to cover all these aspects, was introduced some years ago, but until now no generic framework for gaining confidence in correctness and effectiveness has been introduced that covers all dependability aspects.

Background and State of the art

Many methods and standards to increase and measure the confidence in critical functions of IT systems in general, and communication systems in particular, have been developed in the past. But all of them have been developed from a specific viewpoint, either in the safety or in the security sector, so most of them cover just a narrow part of the total dependability area. In the safety area, several sector-specific standards, methods and codes of practice have been developed in the past. That those approaches are sector-specific arises from the fact that they are based on a long history of standards and methods developed long before modern communication systems became available. At that time the standards dealt mainly with the production and test methods used to check the correctness and effectiveness of the sector-specific critical functions of dependable systems. Since the functional requirements, the materials used and the production processes were highly different from sector to sector, there was little pressure to harmonise these approaches.

This belief is mainly based upon the fact that each sector has developed its own standards separately from the others while, in fact, they are intended to address the same problem. In many cases it cannot be determined whether a failure was caused deliberately, by accident or by equipment fault; whatever the sector concerned, the user is only interested in the following requirements:

Today this scattered approach is also reflected in the different standards and codes of practice each sector has developed to check the IT- and communication-related parts of safety-critical systems. Examples of those sector-specific standards are [ESA 1991], [RTCA 1992] for aerospace, [IEC 1986] for the nuclear sector and [MoD 1991a], [MoD 1991b] for the military sector. There are also sector-independent standards like [ISA 1993], [IEC 1992], [IEC 1991] and [DIN 1990]. Nevertheless, all the approaches in the safety area have several basic elements in common:


Main Objectives

The objective of the SQUALE project is to analyze the existing standards and practices in the safety as well as the security area and define a combined harmonised approach to gain confidence in the correctness and effectiveness of systems with safety and security requirements. The project will define “dependability criteria” describing this harmonised approach and apply these criteria to demonstrator systems.

The new criteria will be based on the many existing standards in the safety and security world. A mapping to existing standards (which all cover only specific dependability aspects) is needed and will be provided as part of the project. This shall ensure that the criteria and practices developed can (and will) be applied in practice. Therefore a careful analysis of the existing sector and area specific approaches will be performed at the beginning of the project.

The objectives of this project are therefore:


Technical Approach

The project will select the appropriate standards, codes of practice and study results from the safety, security and quality assurance areas, and analyse those standards for differences, commonalities and specific areas. This is done on a general level as well as on a detailed level, to show specific differences in common areas. The aspects addressed start from the requirements engineering phase, including risk and hazard analysis, then cover the design and implementation of the communication system, and also include areas like accreditation, audit and incident reporting. The whole life-cycle is thus covered by this project.

Using the results of this activity, the project will define generic dependability criteria and a general framework showing how these criteria can be applied in the life-cycle of a dependable communication system. Concerning the evaluation aspects, the ITSEC will be taken as the starting point for those criteria, but significantly enhanced with methods and practices taken from the various safety standards. These new criteria will then be applied to communication systems with high safety and security requirements in the nuclear and railway sectors. A first demonstrator is taken from the transport sector, where a communication system is used to control an underground line. Since this system is currently being tested in France, it is an ideal candidate for applying the dependability criteria. The project will define the specific activities that have to be performed for a dependability assessment of this specific communication system. These activities are derived from the dependability criteria developed within the project, as instantiations of the generic activities described in those criteria. In addition, those elements of the total communication system to which the criteria will be applied are identified.


Value Added

This project aims to develop a methodology for measuring the quality of systems and services that is also economically acceptable, by combining and harmonising the existing standards and codes of practice in the safety, security and quality assurance areas.

This project will tackle directly the more difficult problem of defining assurance levels and performing assessments for the full range of dependability aspects, and will therefore contribute directly to the improvement of the standards in both fields, making them more generally useful within their current scope, and making it possible to use them in situations where a wider range of dependability requirements apply.

The experimental results, as well as the legal and social impacts, of applying the general dependability evaluation criteria will be integrated in the final evaluation report.


Trial

The project will develop new criteria for dependability assessment, which will be applied to a communication system with high safety and security requirements. This demonstrator will be taken mainly from the railway sector, where a communications system automatically pilots an underground line. The actual system to serve as a demonstrator is currently being tested by the "Ile de France" regional underground operator. The system controls the traffic on the railway line METEOR, which is divided into sections. Commands to trains are sent by an operator from a control room equipped with safety panels, computers and consoles. The types of commands are:

Each section of the line possesses hardware and software equipment used to receive commands from the control room, to transmit them to the trains, and to collect the information representing the status of the railway line, of the trains and of the traffic. Connections between the central computer and the line equipment are realised by networks. The functions realised by the system are divided into three sets:

Criteria trial example

An illustration of the system which will be the basis for our worked example for the use of the SQUALE Criteria is given below. It is a part of a system which transmits messages between a central control centre and equipment at the trackside, and hence to trains. The data transmitted has a range of functions, some of which are concerned with functions with dependability attributes, such as Automatic Train Operation and Automatic Train Protection.

A Hazard Analysis of this system, considering hazardous conditions which could lead to unacceptable operation of the railway, results in the following partial hazard list:

These indicate that the system has a number of Dependability Objectives:

All of these objectives will have associated with them a success rate of how effectively they can be met with the system as it is designed. For example objective six depends on the strength of configuration control and system validation processes; objective three depends on the physical strength of the cable trunking. An assessment is made of the likelihood and consequences of each of the objectives not being met in a hazard rating process. This process involves judgments on the degree of acceptable risk, and will vary between application fields (e.g. road transport, air traffic control, nuclear, defence, etc.).

The hazard rating activity results in a Dependability Confidence Profile for the system. Because failure of this system contributes significantly to the safety of the overall system, the safety confidence requirement is S3. The rest of the system depends heavily on the validity of the messages passed, hence the integrity confidence requirement is I3. Unavailability of this component does not pose a high risk in the overall system context, hence the availability confidence level is A2. The overall Dependability Confidence Profile is therefore: S3, I3, A2.

This profile defines the level of confidence that is required in the correct and effective operation of the system in meeting its Dependability Objectives.

In order to bring together all the requirements for assessment activities which will be needed to demonstrate achievement of the confidence level, a document, the Dependability Target, is produced. This will provide both a claim that this level has been achieved and also provide a basis for the necessary assessment work to support it.

Using the selection techniques given in the SQUALE Criteria, the techniques to be used to assess the system are chosen. For each assessment technique a degree of rigour, detail and independence of the assessment is defined, selected by using the dependability confidence profile. The precise meaning of the techniques and the levels chosen are defined in the Criteria.
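The hazard rating, profile derivation and rigour selection described above can be modelled in a few lines. The following is an added example written for this page, not the SQUALE Criteria's own rating scheme or tooling: the likelihood and consequence scales, the 1..3 level thresholds, the objective list and the technique table are all constructed for illustration. It shows how each Dependability Objective is tagged with the attribute it protects (S, I or A), rated for the likelihood and consequence of not being met, how the per-attribute confidence level is the highest rating among that attribute's objectives (giving the S3, I3, A2 profile of the text for the constructed inputs), and how that profile then fixes the degree of rigour for each assessment technique.

```python
from dataclasses import dataclass

# Ordinal scales, constructed for this example (not the SQUALE Criteria's own).
LIKELIHOOD = {"remote": 1, "occasional": 2, "frequent": 3}
CONSEQUENCE = {"minor": 1, "major": 2, "catastrophic": 3}
ATTRIBUTES = ("S", "I", "A")  # safety, integrity, availability
RIGOUR = {
    1: "informal review",
    2: "structured review",
    3: "rigorous, independent assessment",
}


@dataclass(frozen=True)
class Objective:
    name: str
    attribute: str    # dependability attribute the objective protects
    likelihood: str   # likelihood of the objective NOT being met
    consequence: str  # consequence if it is not met


def rate(likelihood: str, consequence: str) -> int:
    """Hazard rating: combine likelihood and consequence into a level 1..3.
    Thresholds are a constructed assumption for this example."""
    score = LIKELIHOOD[likelihood] * CONSEQUENCE[consequence]
    if score >= 6:
        return 3
    if score >= 3:
        return 2
    return 1


def confidence_profile(objectives) -> dict:
    """Per-attribute confidence level = highest rating among its objectives.
    An attribute with no objective recorded keeps the floor level 1."""
    profile = {a: 1 for a in ATTRIBUTES}
    for o in objectives:
        if o.attribute not in ATTRIBUTES:
            raise ValueError(f"unknown attribute {o.attribute!r} on {o.name!r}")
        profile[o.attribute] = max(profile[o.attribute],
                                   rate(o.likelihood, o.consequence))
    return profile


def profile_string(profile: dict) -> str:
    """Render the profile in the page's notation, e.g. 'S3, I3, A2'."""
    return ", ".join(f"{a}{profile[a]}" for a in ATTRIBUTES)


# Assessment techniques and the attribute each gives evidence for (constructed).
TECHNIQUES = {
    "hazard analysis review": "S",
    "configuration control audit": "S",
    "message integrity testing": "I",
    "availability modelling": "A",
}


def select_rigour(profile: dict) -> dict:
    """Pick the degree of rigour for each technique from the profile level
    of the attribute that technique supports."""
    return {t: (attr, profile[attr], RIGOUR[profile[attr]])
            for t, attr in TECHNIQUES.items()}


# Constructed partial objective list for the trackside message system.
SAMPLE_OBJECTIVES = [
    Objective("Cable trunking protects the transmission medium",
              "S", "occasional", "catastrophic"),
    Objective("Only validated software configurations are deployed",
              "S", "remote", "catastrophic"),
    Objective("Messages are not corrupted or replayed in transit",
              "I", "occasional", "catastrophic"),
    Objective("Control-room link remains available",
              "A", "occasional", "major"),
]

if __name__ == "__main__":
    p = confidence_profile(SAMPLE_OBJECTIVES)
    print("Dependability Confidence Profile:", profile_string(p))
    for technique, (attr, level, rigour) in select_rigour(p).items():
        print(f"  {technique:30s} -> {attr}{level}: {rigour}")
```

Taking the maximum rating per attribute is the conservative choice: one catastrophic safety objective is enough to demand S3 for the whole component, which matches the reasoning in the text where the safety contribution of this component alone sets the safety requirement.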

