
    Deriving safety cases for hierarchical structure in model-based development

    Model-based development and automated code generation are increasingly used for actual production code, in particular in mathematical and engineering domains. However, since code generators are typically not qualified, there is no guarantee that their output satisfies the system requirements, or is even safe. Here we present an approach to systematically derive safety cases that argue along the hierarchical structure in model-based development. The safety cases are constructed mechanically using a formal analysis, based on automated theorem proving, of the automatically generated code. The analysis recovers the model structure and component hierarchy from the code, providing independent assurance of both code and model. It identifies how the given system safety requirements are broken down into component requirements, and where they are ultimately established, thus establishing a hierarchy of requirements that is aligned with the hierarchical model structure. The derived safety cases reflect the results of the analysis, and provide a high-level argument that traces the requirements on the model via the inferred model structure to the code. We illustrate our approach on flight code generated from hierarchical Simulink models by Real-Time Worksho

    ISO 26262 Compliant Automatic Requirements-Based Testing for TargetLink

    This paper presents an automatic method developed to support international functional-safety standards such as ISO 26262 for automotive and DO178B for aeronautics. It describes a seamless, integrated method for formalising requirements based on pattern specification automatons and generated C-observer code. From such C-observers, requirements-based functional tests can be generated and formal verification can be automated, because the generated C-code observers are integrated into a test and verification tool environment. The advantages of this approach include requirements-based test case generation, automatic test execution and analysis, and test quality measurement through automatically generated requirements coverage and traceability reports. The described method is in line with the software quality standards specified, for example, in the new automotive functional safety standard ISO 26262. The approach has already been implemented in a first instance for Matlab/Simulink models and production code generation with TargetLink from dSPACE

    A Generalized Process for the Verification and Validation of Models and Simulation Results (Ein verallgemeinerter Prozess zur Verifikation und Validierung von Modellen und Simulationsergebnissen)

    With technologies advancing rapidly, symbolic, quantitative modeling and computer-based simulation (M&S) have become affordable and easy-to-apply tools in numerous application areas such as supply chain management, pilot training, car safety improvement, design of industrial buildings, or theater-level war gaming. M&S help to reduce the resources required for many types of projects, accelerate the development of technical systems, and enable the control and management of systems of high complexity. However, as the impact of M&S on the real world grows, the danger of adverse effects of erroneous or unsuitable models or simulation results also increases. These effects may range from the delayed delivery of an item ordered by mail to hundreds of avoidable casualties caused by the simulation-based acquisition (SBA) of a malfunctioning communication system for rescue teams. In order to benefit from advancing M&S, countermeasures against M&S disadvantages and drawbacks must be taken. Verification and Validation (V&V) of models and simulation results are intended to ensure that only correct and suitable models and simulation results are used. However, during the development of any technical system, including models for simulation, numerous errors may occur. The later they are detected, and the further they have propagated through the model development process, the more resources they require to correct; thus, their propagation should be avoided. If the errors remain undetected, and major decisions are based on incorrect or unsuitable models or simulation results, M&S yields no benefit but a disadvantage.
This thesis proposes a structured and rigorous approach to support the verification and validation of models and simulation results by
a) identifying the most significant current deficiencies of model development (design and implementation) and use, including the need for more meaningful model documentation and the lack of quality assurance (QA) as an integral part of the model development process;
b) giving an overview of current quality assurance measures in M&S and in related areas. The transferability of concepts like the capability maturity model for software (SW-CMM) and the ISO9000 standard is discussed, and the potentials and limits of documents such as the VV&A Recommended Practices Guide of the US Defense Modeling and Simulation Office are identified;
c) analysing quality assurance measures and so-called V&V techniques for similarities and differences, to amplify their strengths and to reduce their weaknesses;
d) identifying and discussing the influences that drive the required rigor and intensity of V&V measures (the risk involved in using models and simulation results) on the one hand, and that limit the maximum reliability of V&V activities (knowledge about both the real system and the model) on the other.
This finally leads to the specification of a generalized V&V process, the V&V Triangle. It illustrates the dependencies between numerous V&V objectives, which are derived from specific potential errors that occur during model development, and provides guidance for achieving these objectives by associating V&V techniques, required input, and the evidence made available. The V&V Triangle is applied to an M&S sample project, and the lessons learned from evaluating the results lead to the formulation of future research objectives in M&S V&V

    Towards a Formalism-Based Toolkit for Automotive Applications

    The success of a number of projects has been shown to be significantly improved by the use of a formalism. However, there remains an open issue: to what extent can a development process based on a singular formal notation and method succeed. The majority of approaches demonstrate a low level of flexibility by attempting to use a single notation to express all of the different aspects encountered in software development. Often, these approaches leave a number of scalability issues open. We prefer a more eclectic approach. In our experience, the use of a formalism-based toolkit with adequate notations for each development phase is a viable solution. Following this principle, any specific notation is used only where and when it is really suitable and not necessarily over the entire software lifecycle. The approach explored in this article is perhaps slowly emerging in practice - we hope to accelerate its adoption. However, the major challenge is still finding the best way to instantiate it for each specific application scenario. In this work, we describe a development process and method for automotive applications which consists of five phases. The process recognizes the need for having adequate (and tailored) notations (Problem Frames, Requirements State Machine Language, and Event-B) for each development phase as well as direct traceability between the documents produced during each phase. This allows for a stepwise verification/validation of the system under development. The ideas for the formal development method have evolved over two significant case studies carried out in the DEPLOY project

    Test-Driven, Model-Based Systems Engineering.


    Model Based Systems Engineering for a Venture Class Launch Facility

    A study of Model-Based Systems Engineering (MBSE) applied to a small-lift launch facility is presented. The research uses Systems Modeling Language (SysML) products and functional diagrams to document the structure, controls, electrical power, hydraulic, safety mechanisms, software, and fluid ground systems on a launch pad. The research is motivated by the need to design complex systems with an unambiguous understanding that improves communication, quality, productivity, and reduces risk. A model is developed following the ISO/IEC-15288 technical process framework. The stakeholder requirements are defined and analyzed to provide traceability to individual systems and subsystems. An architectural design is realized and implemented by generating engineering artifacts such as Piping and Instrumentation drawings (P&ID) and a hydraulic circuit diagram. The architecture is verified and validated by performing engineering trade studies focused on the fuel and pneumatic systems

    Seamless Development of Complex Systems: A Multi-Requirement-Based Approach (Développement sans rupture de systèmes complexes : une approche basée multi-exigences)

    Proving that a system satisfies its requirements is an important challenge of Requirements Engineering. On the one hand, formal approaches provide a way to express requirements mathematically and to prove that a system satisfies them. However, while formalization offers additional possibilities such as verification, or even validation, it often proves too difficult to use in practice for the stakeholders involved in the development of systems. On the other hand, in most cases requirements are written, and sometimes traced, in natural language for communication and mutual understanding, and this remains so throughout the development process. It is therefore necessary to address all of these stakeholders during development. The main objective of this thesis is to provide a seamless methodology that allows benefiting from the formalization of requirements while remaining understandable by all stakeholders. We propose an approach that considers requirements as parts of the system's code, which, as such, contributes to improving quality assessment. In addition, integrating the requirements into the code guarantees seamless development. These contributions target three main benefits. First, there is no need to switch from one tool or environment to another: a single framework supports development from analysis to implementation. Second, changes and reversibility become routine, directly supported by the method, language, and tools, which facilitates round-trips. Third, the different levels of abstraction remain inside the object-oriented paradigm. We apply this vision to the development process itself with the same expected advantages.
The development life-cycle can then benefit from this strong integration of requirements into the code. These artifacts help software development by providing support and guidelines for analysis or decision support and by reinforcing software quality. Besides, reusability, evolvability, and maintainability are enhanced. Traceability between requirements and code allows an easy impact analysis when any of these artifacts evolves. However, although this paradigm is familiar to developers, and even though we put effort into expressivity, it does not address the other stakeholders, who are used to working with other tools. Since we also want non-experts to use our approach to validate systems in the early stage of their development, we propose a Domain-Specific Language that is (i) close to natural language and (ii) based on formal semantics. Using Model-Driven Engineering techniques, this language bridges the gap between the several stakeholders involved in a project (considering their different backgrounds) and between the requirements and the code. Finally, we put a research effort into defining relationships between requirements. We provide their formal definitions and their properties regarding the propagation of the satisfaction state. These definitions can help engineers verify requirements (by checking the validity of the semantics of the relationships between two requirements) and verify system compliance (thanks to satisfaction propagation). This work is a step towards introducing formal semantics into traceability, making it possible to analyze requirements automatically and to use their relationships to verify the corresponding implementation of the system.

    The Requirements Editor RED
