Risks Related to the Use of Software Tools when Developing Cyber-Physical Systems: A Critical Perspective on the Future of Developing Complex, Safety-Critical Systems

University dissertation from Stockholm: KTH Royal Institute of Technology

Abstract: The increasing complexity and size of modern Cyber-Physical Systems (CPS) has led to a sharp decline in productivity among CPS designers. Requirements on safety aggravate this problem further, both by being difficult to ensure and due to their high importance to the public. Tools, or rather efforts to facilitate the automation of development processes, are a central ingredient in many of the proposed innovations to mitigate this problem. Even though the safety-related implications of introducing automation in development processes have not been extensively studied, it is known that automation has already had a large impact on operational systems. If tools are to play a part in mitigating the increase in safety-critical CPS complexity, then their actual impact on CPS development, and thereby on the safety of the corresponding end products, must be sufficiently understood.

A survey of relevant research fields, such as system safety, software engineering and tool integration, is provided to facilitate the discussion on safety-related implications of tool usage. Based on the identification of industrial safety standards as an important source of information, and considering that the risks posed by separate tools have been given considerable attention in the transportation domain, several high-profile safety standards in this domain have been surveyed. According to the surveyed standards, automation should primarily be evaluated on its reliable execution of separate process steps independently of human operators. Automation that only supports the actions of operators during CPS development is viewed as relatively inconsequential.

A conceptual model and a reference model have been created based on the surveyed research fields. The former defines the entities and relationships most relevant to safety-related risks associated with tool usage. The latter describes aspects of tool integration and how these relate to each other. By combining these models, a risk analysis could be performed, and the properties of tool chains that need to be ensured in order to mitigate risk could be identified. Ten such safety-related characteristics of tool chains are described.

These safety-related characteristics provide a systematic way to narrow down what to look for with regard to tool usage and risk. The hypothesis that a large set of factors related to tool usage may introduce risk could thus be tested through an empirical study, which identified safety-related weaknesses in support environments tied to both high and low levels of automation. The conclusion is that a broader perspective, which includes more factors related to tool usage than those considered by the surveyed standards, will be needed.

Three possible reasons to disregard such a broad perspective have been refuted, namely requirements on development processes enforced by the domain of CPS itself, certain characteristics of safety-critical CPS, and the possibility of placing trust in a proven, manual development process. After finding no strong reason to keep a narrow perspective on tool usage, arguments are put forward as to why the future evolution of support environments may actually increase the importance of such a broad perspective.

Suggestions for how to update the mental models of the surveyed safety standards, and other standards like them, are put forward based on this identified need for a broader perspective.