Certifications of Critical Systems – The CECRIS Experience

In recent years, a considerable amount of effort has been devoted, both in industry and academia, to the development, validation and verification of critical systems, i.e. those systems whose malfunctions or failures reach a critical level both in terms of risks to human life as well as having a large economic impact.Certifications of Critical Systems – The CECRIS Experience documents the main insights on Cost Effective Verification and Validation processes that were gained during work in the European Research Project CECRIS (acronym for Certification of Critical Systems). The objective of the research was to tackle the challenges of certification by focusing on those aspects that turn out to be more difficult/important for current and future critical systems industry: the effective use of methodologies, processes and tools.The CECRIS project took a step forward in the growing field of development, verification and validation and certification of critical systems. It focused on the more difficult/important aspects of critical system development, verification and validation and certification process. Starting from both the scientific and industrial state of the art methodologies for system development and the impact of their usage on the verification and validation and certification of critical systems, the project aimed at developing strategies and techniques supported by automatic or semi-automatic tools and methods for these activities, setting guidelines to support engineers during the planning of the verification and validation phases

Certifications of Critical Systems – The CECRIS Experience

In recent years, a considerable amount of effort has been devoted, both in industry and academia, to the development, validation and verification of critical systems, i.e. those systems whose malfunctions or failures reach a critical level both in terms of risks to human life as well as having a large economic impact.Certifications of Critical Systems – The CECRIS Experience documents the main insights on Cost Effective Verification and Validation processes that were gained during work in the European Research Project CECRIS (acronym for Certification of Critical Systems). The objective of the research was to tackle the challenges of certification by focusing on those aspects that turn out to be more difficult/important for current and future critical systems industry: the effective use of methodologies, processes and tools.The CECRIS project took a step forward in the growing field of development, verification and validation and certification of critical systems. It focused on the more difficult/important aspects of critical system development, verification and validation and certification process. Starting from both the scientific and industrial state of the art methodologies for system development and the impact of their usage on the verification and validation and certification of critical systems, the project aimed at developing strategies and techniques supported by automatic or semi-automatic tools and methods for these activities, setting guidelines to support engineers during the planning of the verification and validation phases

Applying model-based systems engineering to architecture optimization and selection during system acquisition

2018 Fall.Includes bibliographical references.The architecture selection process early in a major system acquisition is a critical step in determining the overall affordability and technical performance success of a program. There are recognized deficiencies that frequently occur in this step such as poor transparency into the final selection decision and excessive focus on lowest cost, which is not necessarily the best value for all of the stakeholders. This research investigates improvements to the architecture selection process by integrating Model-Based Systems Engineering (MBSE) techniques, enforcing rigorous, quantitative evaluation metrics with a corresponding understanding of uncertainties, and stakeholder feedback in order to generate an architecture that is more optimized and trusted to provide better value for the stakeholders. Three case studies were analyzed to demonstrate this proposed process. The first focused on a satellite communications System of Systems (SoS) acquisition to demonstrate the overall feasibility and applicability of the process. The second investigated an electro-optical remote sensing satellite system to compare this proposed process to a current architecture selection process typified by the United States Department of Defense (U.S. DoD) Analysis of Alternatives (AoA). The third case study analyzed the evaluation of a service-oriented architecture (SOA) providing satellite command and control with cyber security protections in order to demonstrate rigorous accounting of uncertainty through the architecture evaluation and selection. These case studies serve to define and demonstrate a new, more transparent and trusted architecture selection process that consistently provides better value for the stakeholders of a major system acquisition. While the examples in this research focused on U.S. DoD and other major acquisitions, the methodology developed is broadly applicable to other domains where this is a need for optimization of enterprise architectures as the basis for effective system acquisition. The results from the three case studies showed the new process outperformed the current methodology for conducting architecture evaluations in nearly all criteria considered and in particular selects architectures of better value, provides greater visibility into the actual decision making, and improves trust in the decision through a robust understanding of uncertainty. The primary contribution of this research then is improved information support to an architecture selection in the early phases of a system acquisition program. The proposed methodology presents a decision authority with an integrated assessment of each alternative, traceable to the concerns of the system's stakeholders, and thus enables a more informed and objective selection of the preferred alternative. It is recommended that the methodology proposed in this work is considered for future architecture evaluations

The 14th Overture Workshop: Towards Analytical Tool Chains

This report contains the proceedings from the 14th Overture workshop organized in connection with the Formal Methods 2016 symposium. This includes nine papers describing different technological progress in relation to the Overture/VDM tool support and its connection with other tools such as Crescendo, Symphony, INTO-CPS, TASTE and ViennaTalk

Formalised responsibility modelling for automated socio-technical systems analysis

Modelling the structure of social-technical systems as a basis for informing software system design is a difficult compromise. Formal methods struggle to capture the scale and complexity of the heterogeneous organisations that use technical systems. Conversely, informal approaches lack the rigour needed to inform the software design and construction process or enable automated analysis. We revisit the concept of responsibility modelling, which models social technical systems as a collection of actors who discharge their responsibilities, whilst using and producing resources in the process. In this thesis responsibility modelling is formalised as a structured approach for socio-technical system specification and modelling, with well-defined semantics and support for automated structure and validity analysis. We provide structured definitions for entity types and relations, and define the semantics of delegation and dependency. A constraint logic is introduced, providing simple specification of complex interactions between entities. Additionally, we introduce the ability to explicitly model uncertainty. To support this formalism, we present a new software toolkit that supports modelling and automatic analysis of responsibility models in both graphical and textual form. The new methodology is validated by applying it to case studies across different problem domains. A study of nuclear power station emergency planning is validated by comparison to a similar study performed with earlier forms of responsibility modelling, and a study of the TCAS mid-air collision avoidance system is validated by evaluation with domain experts. Additionally, we perform an explorative study of responsibility modelling understanding and applicability through a qualitative study of modellers

Towards Automated Formal Analysis of Model Transformation Specifications

In Model-Driven Engineering, model transformation is a key model management operation, used to translate models between notations. Model transformation can be used for many engineering activities, for instance as a preliminary to merging models from different meta- models, or to generate codes from diagrammatic models. A mapping model needs to be developed (the transformation specification) to represent relations between concepts from the metamodels. The evaluation of the mapping model creates new challenges, for both conventional verification and validation, and also in guaranteeing that models generated by applying the transformation specification to source models still retain the intention of the initial transformation requirements. Most model transformation creates and evaluates a transformation specification in an ad-hoc manner. The specifications are usu- ally unstructured, and the quality of the transformations can only be assessed when the transformations are used. Analysis is not systematically applied even when the transformations are in use, so there is no way to determine whether the transformations are correct and consistent. This thesis addresses the problem of systematic creation and analysis of model transformation, via a facility for planning and designing model transformations which have conceptual-level properties that are tractable to formal analysis. We proposed a framework that provides steps to systematically build a model transformation specification, a visual notation for specifying model transformation and a template-based approach for producing a formal specification that is not just structure-equivalent but also amenable to formal analysis. The framework allows evaluation of syntactic and semantic correctness of generated models, metamodel coverage, and semantic correctness of the transformations themselves, with the help of snapshot analysis using patterns

Verifizierbare Entwicklung eines satellitenbasierten Zugsicherungssystems mit Petrinetzen

Nowadays model-based techniques are widely used in system design and development, especially for safety-critical systems such as train control systems. Given a design model, executable codes could be generated automatically from the model following certain transformation rules. A high-quality model of a system provides a good understanding, a favourable structure, a reasonable scale and abstraction level as well as realistic behaviours with respect to the concurrent operation of independent subsystems. Motivated by this principle, a first Coloured Petri Net (CPN) model of a satellite-based train control system (SatZB) with the capability of continuous simulation is developed employing the BASYSNET method which adopts Petri nets as the means of description during the whole development process. After establishing the system model, the verification tasks are identified based on the hazard analysis of the train control system. To verify the identified tasks for quality assurance, verification by means of simulation, formal analysis and testing is carried out considering the four representing system properties: function, state, structure and behaviour. For structural analysis, the concept of open nets is proposed to check the reproducibility of empty markings of scenario nets, the existence of dead transitions in the scenario nets, and the terminating states of the scenario nets. The system behaviour, in which states are involved, is investigated by reachability analysis. Unlike the conventional method of reachability analysis by calculating the state space of the Petri net, techniques based on Petri net unfoldings are introduced in this thesis. As to the functional verification, two model-based test generation techniques, i.e., CPN-based and SPENAT (Safe Place Transition Nets with Attributes)-based techniques, are presented. In this thesis, the proposed methods are exemplified by the application to the on-board module of SatZB model. According to the verification results, no errors were found in the module. Therefore, the confidence in the quality of the on-board module has been significantly increased.Heutzutage werden in zahlreichen Anwendungen modellbasierte Techniken zur Systementwicklung, insbesondere für sicherheitskritische Systeme wie Eisenbahnleit- und -sicherungssysteme, verwendet. Aus einem Design Modell kann dabei ausführbarer Code automatisch nach bestimmten Transformationsregeln generiert werden. Ein hochwertiges Modell des Systems bietet für die Entwicklung ein gutes Verständnis, eine günstige Struktur, eine angemessene Größenordnung und Abstraktionsebene als auch realistische Verhaltensweisen in Bezug auf den gleichzeitigen Betrieb von unabhängigen Subsystemen. Motiviert von dieses Prinzip wird ein erstes Farbige Petri-Netz (CPN)-Modell eines satellitenbasierten Zugsicherungssystem (SatZB) unter Verwendung der BASYSNET Methode entwickelt, der Petri-Netze als Beschreibungsmittel während des gesamten Entwicklungsprozesses nutzt. Dieses Modell bietet die Möglichkeit zur kontinuierlichen Simulation des Systemverhaltens. Nach der Erstellung des Systemmodells werden die Verifikationsaufgaben auf der Grundlage der Gefährdungsanalyse des Zugsicherungssystems identifiziert. Die abgeleiteten Bedingungen werden zur Qualitätssicherung durch Simulation, formale Analysen und Tests unter Berücksichtigung der vier Systemeigenschaften (Funktion, Zustand, Struktur und Verhalten) verifiziert. Für die Strukturanalyse wird das Konzept der offenen Netzen vorgeschlagen, um die Reproduzierbarkeit der leeren Markierungen der Szenario-Netze, die Existenz der Toten Transitionen in den Szenario-Netze, und die Abschluss Zustände der Szenario-Netze zu prüfen. Das Systemverhalten wird dabei durch Zustände beschrieben und durch eine Erreichbarkeitsanalyse untersucht. Im Gegensatz zu der konventionellen Methode, welche die Erreichbarkeit durch die Berechnung des Zustandsraums des Petri-Netzes analysiert, werden in dieser Arbeit Techniken auf Basis von Petri-Netz-Entfaltung eingeführt. Für die funktionale Verifikation werden zwei modellbasierte Testgenerierungstechniken, eine CPN-basierte und eine SPENAT (Sicheres Petrinetz mit Attributen)-basierte, vorgestellt. In dieser Arbeit werden die vorgeschlagenen Methoden durch die Anwendung auf das On-Board-Modul des SatZB-Modells veranschaulicht. Dabei wurden nach dem Abschluss der Prüfungen keine Fehler im Modul gefunden, wodurch das Vertrauen in die Qualität des On-Board-Moduls deutlich erhöht wurde

Engineering security into distributed systems: a survey of methodologies

Rapid technological advances in recent years have precipitated a general shift towards software distribution as a central computing paradigm. This has been accompanied by a corresponding increase in the dangers of security breaches, often causing security attributes to become an inhibiting factor for use and adoption. Despite the acknowledged importance of security, especially in the context of open and collaborative environments, there is a growing gap in the survey literature relating to systematic approaches (methodologies) for engineering secure distributed systems. In this paper, we attempt to fill the aforementioned gap by surveying and critically analyzing the state-of-the-art in security methodologies based on some form of abstract modeling (i.e. model-based methodologies) for, or applicable to, distributed systems. Our detailed reviews can be seen as a step towards increasing awareness and appreciation of a range of methodologies, allowing researchers and industry stakeholders to gain a comprehensive view of the field and make informed decisions. Following the comprehensive survey we propose a number of criteria reflecting the characteristics security methodologies should possess to be adopted in real-life industry scenarios, and evaluate each methodology accordingly. Our results highlight a number of areas for improvement, help to qualify adoption risks, and indicate future research directions.Anton V. Uzunov, Eduardo B. Fernandez, Katrina Falkne