MERgE stands for “Multi-Concerns Interactions System Engineering”. Within the “Engineering support” theme of ITEA2 roadmap, the purpose of this project is to develop and demonstrate innovative concepts and design tools addressing in combination the “Safety” and “Security” concerns, targeting the elaboration of effective architectural solutions. In a variety of application domains (e.g. avionics, telecommunications, transportation, automotive, energy industry), engineering methods and practices, engineering support tools, and architectural solutions are available to answer demanding safety or security requirements. Such methods, tools, and architectural solutions can be enforced by domain specific standards and certification processes. However, in all domains, the demand for new capabilities and the technology opportunities for more integrated devices and more interconnected subsystems are challenging established practices and architectural solutions. In particular, some systems, subsystems or equipments must now comply simultaneously to “Safety” and “Security” requirements and standards. In MERgE project, the solution development and their application take place in four different use case domains.

Aerospace Use Case: The development of on-board software for space systems is subject to strict requirements both at the technical and the process level in order to achieve the high levels of dependability and safety expected in the space domain. These requirements are driven by standards such as ECSS for European spacecraft or DO-178B for aerospace systems. Following these standards, Space Applications Services uses a toolchain based on commercial and open-source tools that cover end-to-end the phases of software development. However, the integration of these tools is imperfect and requires manual links between the artefacts produced by the engineering process, which is both costly and error prone. To overcome this problem, Space Applications Services is setting up, in the frame of the MERgE project, an integrated toolchain that provides multiple views of the system (architecture, dependability and safety) and maintains traceability from the requirements baseline to the software code units and tests. This toolchain combines commercial software with tools specifically developed by the project partners, and supports a development process compliant with international standards. Space Applications Services is presently evaluating the development process and the toolchain in the context of an On-Board Control Procedure (OBCP) system that is being developed for the European Space Agency. In addition, Space Applications Services relies on technologies selected for the MERgE platform to build the development environment of the OBCP system. This has proven invaluable to gain experience in model-driven software engineering.

Radio Communication Use Case: The Eclipse MERgE platform maintained by Obeo now successfully integrates Capella that is used to model TCS radio communication use case. The radio platform model was updated in the MERgE platform to represent the information flows using Capella functional chains. Safety/security architects can now specify the required DO-178 safety level and Common Criteria security level in the system model thanks to the viewpoints developed with KitAlpha and Syrius from Obeo. These viewpoints were demonstrated at Co-summit 2015 held on 10 & 11 March in the Berlin Congress Center. A first model transformation from TRT automatically generates an ALL4TEC Safety Architect model from the radio platform model in the MERgE platform. This transformation provides a valuable productivity gain compared to a manual transformation. A dysfunctional analysis of the Safety Architect model is currently being performed with ALL4TEC, ONERA, TRT and TCS to analyse the propagation of feared events such as unavailability of communication and platform services. The integration of MERgE viewpoints with the last MERgE platform is in progress to model multi-concern architecture evaluation with TRT, product line variability with INRIA and safety/security patterns with TGS. A fuzzing analysis of a SNMP server and the network stack was performed on the embedded demonstrator with Codenomicon’s Defensics to perform software-level safety/security analysis during the last MERgE meeting at Oulu on June. This platform notably contains five Linux ELinOS virtual machines that are supervised by Sysgo PikeOS hypervisor to satisfy the isolation requirements between the safety/security domains and partitions of the radio communication use case.

Automotive Use Case: The automotive demonstrator combines software product line engineering with model-driven generative design in the development of the Triaxis® Hall Effect Sensor. The Triaxis sensor handles angle calculation in a family of safety-critical automotive applications, ranging from a windshield wiper to a brake pedal. Developing and maintaining a wide range of dedicated sensor products is costly in practice: rigorous safety assessment and verification of individual sensor variants increases time-to-market, while the current hardware-software co-design approach complicates the necessary reuse efforts. The solution proposed and illustrated in the demonstrator is a tailored software product line (SPL) approach that uses model-driven techniques and tools for deriving suitable sensor variants. The SPL approach consists of two phases. In a domain engineering phase, designers construct feature models, a reference architecture, a library of (safety) patterns, and many more reusable artifacts. In the application engineering phase, developers configure a variant by selecting the required features and the desired safety level using dedicated configuration tools. A set of candidate architectures is generated automatically —each involving slightly different engineering trade-offs— based on the reusable artifacts of phase one. A human expert uses architectural trade-off analysis to narrow the candidate set.

Industrial Control System Use Case: Industrial Control Systems (ICS) use case is driven by the lack of suitable test environments that enable information security teams to assess the security of ICS used in industrial sectors and in critical infrastructures such as energy, transportation and manufacturing segments. To address this gap, ICS specific services have been chosen as the demonstrator to align ISA99 based example architecture and partners’ security expertise with the ICS companies’ business and security needs. As ICS environments are dependent on the vendors, their needs were addressed as well – to fully secure an environment, industrial companies must have vendors who are able to tackle both ICT and ICS security. The focus was chosen to assess multi-concerns in post-development ICS environments. The services developed in collaboration by the use case partners include lab based ICS security testing and training services as the demonstrator. Use case partners included both academic and governmental organizations (University of Oulu, University of Jyväskylä, STUK), in addition to security and technology practioners (Codenomicon, Pohto, nSense). Additionally, ICS related modelling needs are addressed by the MERgE modelling framework (Obeo). nSense has developed further services utilizing the capabilities developed by other use case partners. The Industrial Security Improvement Program (ISIP) has been successfully test-driven in the real-world in early 2015.