Industrial Cases

The achievement of the project’s key goals will be demonstrated through a continuous evaluation of the developed conceptual framework and tools over three representative use cases. The industrial cases help to refine the user needs into proof-of-concept addressed by the OPENCOSS project and estimate the expected business impacts for the three industrial domains. The Figure below shows an overview of the cross domain and the challenges they tackle in reuse.

The details of the three industrial cases are presented below.


Railway Industrial Case

In the railway domain, ALSTOM will apply OPENCOSS outcomes for certifying an on board ERTMS (European Rail Traffic Management System) in the case of a customer delivery, where the presence of ERA (European Railway Agency) as part of the advisory board will help the approach to be aligned with the strategy of the agency.

The OPENCOSS railway case presents the certification of a Railway signaling system. This industrial case describes the certification of a European standardized signalling system provided by Alstom Transport. The Railway case chosen is a part of the European Railway Traffic Management System (ERTMS). The ERTMS is intended to replace almost all national legacy mainline signalling and train control systems all across Europe. This industrial case is related to the Generic Automatic Train Control Trainborne (GATC) Sub-System of the ALSTOM GATC solution for the European Train Control System (ETCS) of the European Railway Traffic Management System (ERTMS), known as European Vital Computer (EVC) in the architecture of ERTMS.

The GATC Trainborne Sub-System is ALSTOM’s Generic solution for ETCS onboard equipment that will be used by ALSTOM ERTMS Application Projects. The main functions of this sub-system are to ensure safe movement of the train and to inform the driver by means of a Cab Display facility. This industrial case is a generic sub-system that is parameterized for specific project application. This generic sub-system contains also railway generic products. This generic development addresses the both the compositional certification and the reuse of safety argumentation. The industrial use case aims to identify what the OPENCOSS framework should provide to improve certification process efficiency by taking into account the existing approach of generic certification. Since the specific project applications may be in different countries that have different National Safety Authority requirements, OPENCOSS shall provide support for “cross-country” certification.



Avionics Industrial Case

In the avionics domain, THALES will utilize the newly-developed methods to measure the reuse gains in the re-certification of a highly modular platform onboard aircraft, composed of both hardware and software.

General context of the Avionics Case is a situation of reuse of product from one domain (Railway) to another domain (Avionic). The goal is to build the Qualification Dossier, based on elements provided with the reused parts. The Qualification Dossier is then presented for certification. It will be taken the example of Execution Platform (Computing Unit and Operating System) to build a scenario where complete Execution Platform or parts of it are provided by an industrial actor in a given domain (Railway) and installed in architecture in another domain (Avionic). The general way to proceed will be to identify data to be provided by the provider to permit building the qualification dossier of the Execution Platform in its final environment. The industrial case aims to identify what the OPENCOSS framework should provide to improve certification process efficiency, reducing effort in building the platform qualification dossier.

In the figure above the red outline indicates the Kernel that is reused from railways domain with Certification Credit.


Automotive Industrial Case  

In the automotive domain, FIAT will use the development of an electric vehicle subsystem as a context to evaluate the effectiveness of the OPENCOSS outcomes for conducting systematic qualification of safety-critical embedded automotive systems.

The electric vehicle subsystem is FIAT's ePARK system. This system is in charge of the management of the park pawl (mechanical engagement) actuation: this device provides mechanical locking of the transmission when the Parking mode is selected (by the driver or automatically), avoiding unwanted movement of the vehicle when stopped. The system includes specific components for the functionality envisaged, made of conventional parts (mechanics, electronics), and is developed as a Safety Element out of Context (SEooC), according to the standard ISO 26262. This use case describes the compliance of the developed system with ISO 26262 with a particular focus on the application of the SEooC requirements.

The subsystem ePark has the following functions:

  • Mechanical locking of the transmission when the Parking mode is selected
  • Avoiding unexpected movement of the vehicle when stopped
  • Safety Element out of Concept device SEooC ISO 26262
  • Independently from a specific vehicle and could be developed by either automakers or suppliers


OPENCOSS will employ a number of measures to maximize industrial impact, including, most notably: (1) mapping the commonalities and discrepancies between different safety standards (e.g. IEC 61508, DO-178) to improve communication and facilitate reuse in certification; (2) bringing together and unifying the “process-based” and “product-based” certification paradigms, with the former drawing on standards, and the latter on the emerging notion of assurance cases.