
    An audit model for safety-critical software

    Nowadays, the use of software considered complex and critical is growing in several industry sectors, such as aeronautics, with its many systems embedded in aircraft, and medicine, with its increasingly advanced medical devices. Because of this, the number of standards dedicated to this type of development has grown in recent years, and regulatory authorities are recognising their applicability and, in some cases, making them part of the mandatory requirements for certification or approval. The purpose of a software audit is to verify that the developed software complies with the applicable standard. However, existing audit models do not allow the auditor to tailor the audit model to the needs of a given audit. As part of this research, different software development models were considered, and the aeronautical (RTCA DO-178C) and medical (IEC 62304) standards were studied with respect to their guidelines and requirements for safety-critical software development. This thesis proposes a software audit model comprising the activities necessary to conduct a safety-critical software audit, letting the auditor apply the model to the activities that need to be audited and giving the audit scope the necessary flexibility, without requiring specific predetermined milestones to be reached. In addition, a set of questions for auditing software developed under RTCA DO-178C and IEC 62304 was proposed and evaluated by software experts to ensure the maturity and effectiveness of the proposed questions. Beyond the evaluation of the questions, a case study was also conducted at an aerospace company, with two instantiations of the model, to evaluate the maturity of the proposed software audit model.
    Funding: none received.

    Staging urban emergence through collective creativity: Devising an outdoor mobile augmented reality tool

    The unpredictability of global geopolitical conflicts, economic trends, and the impacts of climate change, coupled with an increasing urban population, necessitates a more profound commitment to resilience thinking in urban planning and design. In contrast to top-down planning and designing for sustainability, allowing emergence to take place seems to contribute to a capacity to deal better with this complex unpredictability, by allowing incremental changes through bottom-up, self-organized adaptation made by diverse actors in the proximity of various social, economic and functional entities in the urban context. The present thesis looks into the processes of creating urban emergence from both theoretical and practical perspectives. The theoretical section of the thesis first looks into the relationship between these processes and the qualities of a compact city. The Japanese city of Tokyo is used as an example of a resilient compact city that continuously emerges through incremental micro-adaptations by individual actors, guided by urban rules that 'let it happen' without much central control or top-down design of the individual outcomes. The thesis then connects such rule-based emergent processes and the qualities of a compact city to complex adaptive systems (CAS) theory, emphasizing the value of incremental and individual multiple-stakeholder input. The latter part of the thesis focuses on how to create a platform that can combine bottom-up, emergent, rule-based planning approaches with collective creativity based on individual participation and input from the public. This section is dedicated to developing a tool for collaborative urban design using outdoor mobile augmented reality (MAR) through a research-through-design method. The thesis thus has three parts addressing the topics: 1. urban planning processes and the resulting urban qualities of a compact city, i.e., density and diversity; 2. 
    the processes of urban emergence, which generate the complexity that renders urban resilience, from the urban planning theory perspective; 3. developing a tool for non-expert citizens and other stakeholders to design and visualize an urban neighborhood by simulating rule-based urban emergence using outdoor MAR. The results include a proposal for complementary hybrid planning approaches that might approximate the CAS in urban systems, with qualities that contribute to urban resiliency. Thereafter, the results describe specifications and design criteria for a tool serving as a public collaborative design platform using outdoor MAR to promote public participation: Urban CoBuilder. The processes of developing and prototyping such a tool to test various urban concepts related to the identified adaptive urban planning approaches are also presented, with an assessment of the MAR tool based on focus group user tests. Future studies need to better include the potential of crowdsourcing public creativity through mass participation using the collaborative design tool, and the actual integration of these participatory design results into urban policies.

    Modelling and verifying land-use regulations comprising 3D components to detect spatio-semantic conflicts

    The use and development of land are regulated through different mechanisms collectively called Land-use Regulation (LuR), in forms such as planning activities, zoning codes, permit requirements, or subdivision controls. LuR makes it possible to impose or influence the use and development of land in order to achieve public policy objectives. LuR is essential: it reinforces sound resource management, contributes to land protection and development, and provides a tangible legal framework to ensure safety and the proper functioning, harmonious access and use of land. LuRs apply to land, where spatial components, such as the geometry of the elements, are essential. For example, setbacks and height limits (i.e., distances) or gross floor areas must be considered when owners or developers propose a new construction on their property. These spatial components of the land, the elements occupying it (e.g., building elements), or the LuR itself can involve the third dimension (i.e., depth, height, or volume). The literature and practice show that LuRs are currently described mainly in planning documents and guidelines, some of which include a 2D spatial representation (i.e., maps) or 2D cross-sections to represent the 2D/3D extent of the LuRs. This way of working (from textual documents and 2D plans) has significant shortcomings: it limits a complete understanding of the 3D extent of the LuRs and therefore hampers decision-making, e.g., detecting potential conflicts when issuing planning or building permits. Moreover, checking LuRs against their textual descriptions is time-consuming and subjective, which can lead to erroneous decisions. Planning authorities need access to all the information and spatial representations required to assess LuRs and detect their potential conflicts. This is generally not the case today; even though 3D models of buildings (e.g., BIM) and cities (e.g., CityGML) have emerged, they do not incorporate the concept of LuRs. This Ph.D. research follows a qualitative engineering method and aims to propose a conceptual framework for modelling 3D LuRs geometrically as part of 3D city models, and for formalising the geometric and semantic requirements needed to detect potential LuR conflicts automatically, in order to support planning authorities in the statutory planning phase. To achieve this general objective, five specific objectives are defined: 1) to formulate an inventory of various 3D LuRs, specifying their 3D/vertical components; 2) to propose a functional classification based on the magnitude of the potential conflicts of 3D LuRs, to support the decision-making goals of planning authorities; 3) to model LuRs in 3D and combine them with other sources of information (e.g., BIM, city models, and zoning maps); 4) to automate the detection of potential spatio-semantic conflicts between the modelled LuRs and physical objects such as building elements; and 5) to design and develop a proof of feasibility for modelling and verifying 3D LuRs automatically.
    Among more than one hundred 2D/3D LuRs reviewed, eighteen 3D LuRs are inventoried and discussed thoroughly. For each of these LuRs, the research identifies and proposes the required information (as a level of information need), considering both geometry and semantics, to combine the modelled LuRs with other sources of information (e.g., BIM, CityGML, and planning maps). Finally, the thesis proposes the level of information need, given the requirements for verifying 3D LuRs automatically, to detect potential conflicts using analytical rules (e.g., clash detection). The proof of feasibility is a web-based prototype built on a case study located in the City of Melbourne (where planning activities are controlled by the authorities of the State of Victoria, Australia), focusing on the planning permit process. The following 3D LuRs were modelled and verified: 1) building height limits, 2) energy efficiency protection, 3) overshadowing of open space, 4) noise impacts, 5) overlooking, 6) side and rear setbacks, 7) street setbacks (side and front), and 8) flooding limits.
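    The abstract describes the core of the prototype: 3D LuRs are turned into geometric rules, building elements carry a semantic class, and analytical rules flag spatio-semantic conflicts. The following is an added illustration of that idea, not code from the thesis or its prototype. It assumes axis-aligned boxes in metres, a lot whose street frontage is the northern edge, a protected open space to the south, and an assumed classification in which fences are exempt from the volumetric rules; all parameters and elements are constructed for the example. It checks four of the eight rules listed above (height limit, street, side and rear setbacks, overshadowing) and shows why the semantic part matters: the same geometry is or is not a conflict depending on the element's class.

```python
from __future__ import annotations

import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Box:
    """Axis-aligned box in metres: x grows east, y grows north, z up."""
    x_min: float
    x_max: float
    y_min: float
    y_max: float
    z_min: float
    z_max: float


@dataclass(frozen=True)
class Lot:
    """A lot and the 3D LuR parameters applying to it (values assumed for the example).

    The street frontage is assumed to be the northern (y_max) edge, and the
    open space that must not be overshadowed is the neighbour to the south.
    """
    extent: Box
    height_limit: float          # building height limit, m above ground
    front_setback: float         # street setback, m
    side_setback: float          # side setback, m
    rear_setback: float          # rear setback, m
    sun_altitude_deg: float      # design sun altitude for the overshadowing rule
    max_shadow_intrusion: float  # shadow allowed over the southern boundary, m


@dataclass(frozen=True)
class Element:
    """A planned building element, e.g. one BIM object, with its semantic class."""
    name: str
    kind: str   # "Wall", "Roof", "Fence", ...
    box: Box


# Semantic filter (assumed classification): only these classes are subject to
# the volumetric rules; a boundary fence is exempt.
REGULATED_KINDS = {"Wall", "Roof", "Balcony"}


def shadow_length(height: float, sun_altitude_deg: float) -> float:
    """Length of the shadow cast by a vertical face of the given height."""
    return height / math.tan(math.radians(sun_altitude_deg))


def check_lurs(lot: Lot, elements: list[Element]) -> list[tuple[str, str, str]]:
    """Return (element name, rule, detail) for every spatio-semantic conflict found."""
    conflicts: list[tuple[str, str, str]] = []
    e = lot.extent
    # Buildable envelope: the lot extent shrunk by the setbacks.
    env_x_min = e.x_min + lot.side_setback
    env_x_max = e.x_max - lot.side_setback
    env_y_max = e.y_max - lot.front_setback   # street side
    env_y_min = e.y_min + lot.rear_setback

    for el in elements:
        if el.kind not in REGULATED_KINDS:
            continue                            # semantic rule: class is exempt
        b = el.box
        if b.z_max > lot.height_limit:
            conflicts.append((el.name, "height", f"{b.z_max} m > limit {lot.height_limit} m"))
        if b.y_max > env_y_max:
            conflicts.append((el.name, "street_setback", f"north face y={b.y_max} beyond envelope y={env_y_max}"))
        if b.y_min < env_y_min:
            conflicts.append((el.name, "rear_setback", f"south face y={b.y_min} before envelope y={env_y_min}"))
        if b.x_min < env_x_min or b.x_max > env_x_max:
            conflicts.append((el.name, "side_setback", f"x range [{b.x_min}, {b.x_max}] outside [{env_x_min}, {env_x_max}]"))
        # Overshadowing: the shadow falls due south from the element's south face
        # and must not reach more than max_shadow_intrusion over the boundary.
        reach = b.y_min - shadow_length(b.z_max, lot.sun_altitude_deg)
        intrusion = e.y_min - reach
        if intrusion > lot.max_shadow_intrusion:
            conflicts.append((el.name, "overshadowing", f"shadow extends {intrusion:.1f} m over the southern boundary"))
    return conflicts


# Constructed lot (not real Melbourne data): 20 m x 30 m, 9 m height limit.
EXAMPLE_LOT = Lot(extent=Box(0, 20, 0, 30, 0, 0), height_limit=9.0,
                  front_setback=6.0, side_setback=1.5, rear_setback=3.0,
                  sun_altitude_deg=30.0, max_shadow_intrusion=5.0)


def example() -> list[tuple[str, str, str]]:
    """Constructed building elements run against EXAMPLE_LOT."""
    elements = [
        Element("W1", "Wall", Box(2, 18, 4, 22, 0, 8.5)),     # inside the envelope, but casts a long shadow
        Element("R1", "Roof", Box(2, 18, 4, 22, 8.5, 10.0)),  # exceeds the height limit
        Element("F1", "Fence", Box(0, 20, 0, 30, 0, 1.8)),    # sits on the boundary, but exempt by class
    ]
    return check_lurs(EXAMPLE_LOT, elements)


if __name__ == "__main__":
    for name, rule, detail in example():
        print(f"{name}: {rule}: {detail}")
```

    Each conflict carries the rule it violates and a human-readable detail, which is what a permit officer needs in order to trace a rejection back to the regulation; a real system would also record the rule's source document, which the thesis's level-of-information-need covers and this sketch omits.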

    New European Technical Rules for the Assessment and Retrofitting of Existing Structures.

    The consideration of sustainability aspects in the construction sector, together with considerable economic interests, has been the main impulse for including the work item "assessment and retrofitting of existing structures" in Mandate M/515 with high priority. The new European technical rules will be developed using the existing organization of CEN/TC250. The present report has been worked out in the frame of CEN/TC250/WG2 activities. The report encompasses three parts. Part I introduces the policy framework and the CEN/TC250 initiative. Part II is a collation of the different existing national regulations and standards in Europe with regard to existing structures. Part III gives a prospect for CEN guidance on the assessment and retrofitting of existing structures. Having in mind the stepwise procedure for the preparation of CEN Technical Documents, the contents of Part III are broader, cover more aspects, and include more information than the normative technical recommendations. In particular, key issues are identified that require resolution, and a summary of different national perspectives is provided rather than seeking to resolve all difficult technical issues during the first work step. The report presents scientific and technical background intended to stimulate debate and serves as a basis for further work to achieve a harmonized European view on the assessment and retrofitting of existing structures. JRC.G.4-European laboratory for structural assessment

    Re-use of tests and arguments for assessing dependable mixed-criticality systems

    The safety assessment of mixed-criticality systems (MCS) is a challenging activity due to system heterogeneity, design constraints and increasing complexity. The foundation for MCSs is the integrated architecture paradigm, where compact hardware comprises multiple execution platforms and communication interfaces to implement concurrent functions with different safety requirements. Besides a computing platform providing adequate isolation and fault-tolerance mechanisms, the development of an MCS application must also comply with the guidelines defined by the safety standards. One way to lower the overall MCS certification cost is to adopt a platform-based design (PBD) development approach. PBD is a model-based development (MBD) approach in which separate models of logic, hardware and deployment support the analysis of the resulting system's properties and behaviour. The PBD development of MCSs benefits from the composition of modular safety properties (e.g. modular safety cases), which supports the derivation of mixed-criticality product lines. Validation and verification (V&V) activities claim a substantial effort during the development of programmable electronics for safety-critical applications. For the MCS dependability assessment, the purpose of V&V is to provide evidence supporting the safety claims. The model-based development of MCSs adds more V&V tasks, because additional analyses (e.g. simulations) need to be carried out during the design phase. During the MCS integration phase, hardware-in-the-loop (HiL) plant simulators typically support the V&V campaigns, where test automation and fault injection are the key to test repeatability and to thoroughly exercising the safety mechanisms.
    This dissertation proposes several strategies for re-using V&V artefacts to perform early verification at system level for a distributed MCS, artefacts that are later reused up to the final stages of the development process: test code re-use to verify the fault-tolerance mechanisms on a functional model of the system, combined with non-intrusive software fault injection; model-to-X-in-the-loop (XiL) and code-to-XiL re-use to provide models of the plant and of the distributed embedded nodes suited to the HiL simulator; and, finally, an argumentation framework to support the automated composition and staged completion of modular safety cases for dependability assessment, in the context of the platform-based development of mixed-criticality systems relying on the DREAMS harmonized platform (the architectural style defined in the DREAMS European project).
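    The first re-use strategy above, test code exercised against a functional model with non-intrusive software fault injection, is illustrated by the following added example. It is not code from the dissertation or the DREAMS project. The functional model is assumed for the example: three redundant sensor channels feeding a 2-out-of-3 voter whose fault-tolerance claim is that one faulty channel is masked and flagged, while a second fault drives the output to a safe state. The injector replaces a channel's read() on the instance only, so the model code is never edited and the fault can be withdrawn between test cases; the test cases are written against the voter's interface alone, which is what lets the same test code be reused later against a HiL adapter exposing the same interface. Channel values are constructed.

```python
from __future__ import annotations

import statistics
from dataclasses import dataclass, field
from typing import Callable, Optional


# --- Functional model of the system under test (assumed for the example) ---------
@dataclass
class Channel:
    name: str
    source: Callable[[], float]

    def read(self) -> float:
        return self.source()


@dataclass
class Voter2oo3:
    """2-out-of-3 voter: output is valid only if two channels agree with the median."""
    channels: list[Channel]
    tolerance: float = 0.5
    flagged: set[str] = field(default_factory=set)   # channels seen disagreeing

    def vote(self) -> Optional[float]:
        readings = {c.name: c.read() for c in self.channels}
        median = statistics.median(readings.values())
        agreeing = [n for n, v in readings.items() if abs(v - median) <= self.tolerance]
        self.flagged.update(n for n in readings if n not in agreeing)
        return median if len(agreeing) >= 2 else None   # None = safe state


# --- Non-intrusive software fault injector ----------------------------------------
class FaultInjector:
    """Injects faults by shadowing read() on the channel instance; the model
    classes above are left untouched, and restore_all() removes every fault."""

    def __init__(self) -> None:
        self._faulted: list[Channel] = []

    def stuck_at(self, channel: Channel, value: float) -> None:
        channel.read = lambda: value   # instance attribute shadows the class method
        self._faulted.append(channel)

    def restore_all(self) -> None:
        for channel in self._faulted:
            if "read" in vars(channel):
                delattr(channel, "read")  # class method becomes visible again
        self._faulted.clear()


# --- Reusable test cases: depend only on vote(), flagged, the channel list and
# --- the injector interface, not on the model's internals ------------------------
def tc_nominal(sut: Voter2oo3, channels: list[Channel], fi: FaultInjector):
    """No fault: the voter must output the agreed value and flag nothing."""
    return sut.vote(), set(sut.flagged)


def tc_single_fault_masked(sut: Voter2oo3, channels: list[Channel], fi: FaultInjector):
    """One channel stuck at 0.0 must be masked and identified."""
    fi.stuck_at(channels[1], 0.0)
    try:
        return sut.vote(), set(sut.flagged)
    finally:
        fi.restore_all()


def tc_double_fault_safe_state(sut: Voter2oo3, channels: list[Channel], fi: FaultInjector):
    """Two disagreeing faults must drive the output to the safe state."""
    fi.stuck_at(channels[0], 50.0)
    fi.stuck_at(channels[1], 90.0)
    try:
        return sut.vote()
    finally:
        fi.restore_all()


def build_model() -> tuple[Voter2oo3, list[Channel]]:
    """Fresh model instance with constructed healthy readings."""
    channels = [Channel("A", lambda: 10.0), Channel("B", lambda: 10.1), Channel("C", lambda: 10.0)]
    return Voter2oo3(channels), channels


def run_campaign() -> dict[str, object]:
    """Run every test case on a fresh model; the HiL variant would swap build_model()."""
    results: dict[str, object] = {}
    for tc in (tc_nominal, tc_single_fault_masked, tc_double_fault_safe_state):
        sut, channels = build_model()
        results[tc.__name__] = tc(sut, channels, FaultInjector())
    return results


if __name__ == "__main__":
    for name, result in run_campaign().items():
        print(f"{name}: {result}")
```

    The point of the instance-level shadowing is that the artefact under test is byte-for-byte the model that will later be compiled for the target; a fault hook compiled into the model would itself need to be argued away in the safety case.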

    Domain theory: practice and theories. A discussion of possible research topics

    By a domain we mean a universe of discourse.

    Typical examples are (partially) man-made universes of discourse, such as Air Traffic, Airports, Financial Services (banks, insurance companies, securities trading [brokers, traders, stock exchanges]), Health Care (hospitals etc.), Secure IT Systems (according to the international standard ISO/IEC 17799), The Market (consumers, retailers, wholesalers, producers, "the supply chain"), Transportation (road, air, sea and/or rail transport), etc.

    We shall outline how one might describe such (infrastructure component) domains, informally and formally, what the current descriptional limitations appear to be, and, hence, the prospects for future research as well as practice.

    The current paper is based on Part IV, Chaps. 8-16 of [3]. The volume is one of [1, 2, 3].

    The aim of this paper is to suggest a number of areas of domain theory and methodology research.
    Document type: Part of book or chapter of book