Specifying Safety-Critical Heterogeneous Systems Using Contracts Theory
KTH, School of Industrial Engineering and Management (ITM), Machine Design (Dept.), Mechatronics (Inbyggda kontrollsystem, i.e. Embedded Control Systems).
ORCID iD: 0000-0002-9655-7326
2016 (English). Doctoral thesis, comprehensive summary (Other academic)
Abstract [en]

Requirements engineering (RE) is a well-established practice that is also emphasized in safety standards such as IEC 61508 and ISO 26262. Safety standards advocate a particularly stringent RE where requirements must be structured in a hierarchical manner in accordance with the system architecture; at each level, requirements must be allocated to heterogeneous (SW, HW, mechanical, electrical, etc.) architecture elements and trace links must be established between requirements. In contrast to the stringent RE in safety standards, RE in industry is, according to previous studies, generally of poor quality. A typical RE tool offers little beyond basic impact analysis: it neither gives feedback nor guides a user when specifying, allocating, and structuring requirements. In practice, for industry to comply with the stringent RE in safety standards, better support for RE is needed, not only from tools, but also from principles and methods.

Therefore, a foundation is presented consisting of an underlying theory for specifying heterogeneous systems and complementary principles and methods to specifically support the stringent RE in safety standards. This foundation is suitable as a base for implementing guidance- and feedback-driven tool support for such stringent RE; however, the proposed theory, principles, and methods provide essential support regardless of whether tools are used.

The underlying theory is a formal compositional contracts theory for heterogeneous systems. This contracts theory embodies the essential RE property of separating requirements on a system from assumptions on its environment. Moreover, the contracts theory formalizes the stringent RE effort of structuring requirements hierarchically with respect to the system architecture. Thus, the proposed principles and methods for supporting the stringent RE in safety standards are well rooted in formal concepts and conditions, and are therefore theoretically sound. The foundation is also tailored to be enforced by both existing and new tools, since the support is based on precise mathematical expressions that machines can interpret unambiguously. Enforcing the foundation in a tool entails support that guides and gives feedback when specifying heterogeneous systems in general, and safety-critical ones in particular.

Abstract [sv, translated to English]

Requirements engineering is a well-established practice that is also emphasized in safety standards such as IEC 61508 and ISO 26262. Safety standards advocate a particularly stringent requirements engineering in which requirements shall be structured hierarchically in accordance with the system architecture; at each level, requirements shall be allocated to heterogeneous (SW, HW, mechanical, electrical, etc.) architecture elements and trace links shall be established between the requirements. In contrast to the stringent requirements engineering in safety standards, requirements engineering in industry is, according to previous studies, of generally poor quality. A typical requirements tool offers little more support than basic impact analysis, i.e. the tool gives neither feedback nor guidance for formulating, allocating, and structuring requirements. Better support is needed for industry to realize in practice the stringent requirements engineering in safety standards, not only from tools, but also from requirements engineering principles and methods.

Therefore, a foundation is presented consisting of an underlying theory for specifying heterogeneous systems, together with complementary principles and methods for supporting the stringent requirements engineering in safety standards. This foundation is suitable as a base for implementing tools that give feedback and guidance for requirements engineering; nevertheless, the proposed theory, principles, and methods provide essential support regardless of whether tools are used.

The underlying theory is a compositional and formal contracts theory for heterogeneous systems. This contracts theory gives concrete form to the central requirements engineering property of separating the requirements on a system from assumptions on its environment. Furthermore, the contracts theory formalizes the stringent task of structuring requirements hierarchically in accordance with the system architecture. Thus, the proposed principles and methods for supporting the stringent requirements engineering in safety standards are well anchored in formal concepts and conditions and are thereby also theoretically sound. The support offered is moreover well suited to being enforced by both existing and new tools, given that it is based on exact mathematical expressions that machines can interpret unambiguously. Enforcement of the foundation by a tool provides support in the form of guidance and feedback when specifying heterogeneous systems in general, and safety-critical ones in particular.

Place, publisher, year, edition, pages
KTH Royal Institute of Technology, 2016, 237 p.
Series
TRITA-MMK, ISSN 1400-1179 ; 2016:05
Keyword [en]
Contracts, Heterogeneous Systems, Safety, Architecture, Requirements, Specification, Elements, Compositional, IEC 61508, ISO 26262
Keyword [sv]
Kontrakt, Heterogena System, Säkerhet, Arkitektur, Kravhantering, Specifiering, Element, Kompositionell, IEC 61508, ISO 26262
National Category
Mechanical Engineering; Mathematics
Research subject
Machine Design
Identifiers
URN: urn:nbn:se:kth:diva-192150
ISBN: 978-91-7729-106-0
OAI: oai:DiVA.org:kth-192150
DiVA: diva2:958202
Public defence
2016-09-29, Kollegiesalen, Brinellvägen 8, Stockholm, 09:00 (English)
Projects
ESPRESSO
Funder
VINNOVA
Note

QC 20160909

Available from: 2016-09-11. Created: 2016-09-06. Last updated: 2016-09-11. Bibliographically approved.
List of papers
1. Conditions of Contracts for Separating Responsibilities in Heterogeneous Systems
2016 (English). In: Formal Methods in System Design, ISSN 0925-9856, E-ISSN 1572-8102. Article in journal (Other academic). Submitted.
Abstract [en]

A general, compositional, and component-based contract theory is proposed for modeling and specifying heterogeneous systems, characterized by consisting of parts from different domains, e.g. software, electrical and mechanical. Given a contract consisting of assumptions and a guarantee, clearly separated conditions on a component and its environment are presented, where the conditions ensure that the guarantee is fulfilled (a responsibility assigned to the component) given that the environment fulfills the assumptions. To support both causal and acausal modeling, the conditions are applicable regardless of whether the set of ports of the component is partitioned into inputs and outputs or not, and hence fully support any scenario where components from different domains are to be integrated by solely relying on the information of a contract. An example of such a scenario of industrial relevance is explicitly considered, namely a scenario in a supply chain where the development of a component is outsourced. To facilitate the application of the theory in practice, necessary properties of contracts are also derived to serve as sanity checks of the conditions. Furthermore, based on a graph that represents a structuring of a hierarchy of contracts, sufficient conditions to achieve compositionality are presented.
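Both the thesis abstract above and this paper's abstract describe a contract as assumptions on an element's environment paired with a guarantee the element owes, and a hierarchy of such contracts structured along the architecture. The following Python block is an added example, not code from the thesis or its papers: it encodes contracts as predicates over a finite domain of port valuations and brute-forces the two standard sufficient conditions under which a set of sub-contracts refines a parent contract (each part's assumption follows from the parent's assumption plus its siblings' guarantees; all parts' guarantees together give the parent's guarantee). These are the textbook assume/guarantee conditions, not the thesis's own conditions, which this page does not state. The brake-by-wire variables p, s, c, f, the element names and the tolerances are constructed for illustration.

```python
"""Assume/guarantee contracts over a finite domain, with a bounded check that a set of
sub-contracts allocated to heterogeneous elements refines a parent contract.

Added example; not code from the thesis or its papers. The conditions checked are the
standard ones for assume/guarantee refinement of a decomposition, not the thesis's own
conditions (not given on this page). The brake-by-wire variables p, s, c, f, the element
names and the tolerances are constructed for illustration.
"""
from dataclasses import dataclass
from itertools import product
from typing import Callable, Dict, List, Tuple

Behaviour = Dict[str, int]          # one valuation of all shared variables (ports)
Predicate = Callable[[Behaviour], bool]


@dataclass(frozen=True)
class Contract:
    """An element owes the guarantee only for behaviours in which its environment
    meets the assumption; this is the separation of responsibilities in the abstract."""
    name: str
    assumption: Predicate
    guarantee: Predicate


def behaviours(domain: Dict[str, range]):
    """Enumerate every valuation of the finite domain (bounded, exhaustive)."""
    names = list(domain)
    for values in product(*(domain[n] for n in names)):
        yield dict(zip(names, values))


def refinement_violations(parent: Contract, parts: List[Contract],
                          domain: Dict[str, range], limit: int = 5) -> List[Tuple[str, Behaviour]]:
    """Counterexamples to the two standard conditions under which the composition of
    `parts` refines `parent`:
      (1) parent assumption + guarantees of all other parts  =>  each part's assumption
      (2) parent assumption + guarantees of all parts        =>  parent guarantee
    Condition (1) is what lets a part be developed (or outsourced) against its own
    contract alone: its environment is the parent's environment plus its siblings."""
    found: List[Tuple[str, Behaviour]] = []
    for b in behaviours(domain):
        if not parent.assumption(b):
            continue                      # outside the parent's environment nothing is owed
        held = {part.name: part.guarantee(b) for part in parts}
        for part in parts:
            siblings_ok = all(ok for name, ok in held.items() if name != part.name)
            if siblings_ok and not part.assumption(b):
                found.append((f"assumption of {part.name} not ensured by environment and siblings", b))
        if all(held.values()) and not parent.guarantee(b):
            found.append((f"guarantee of {parent.name} not ensured by its parts", b))
        if len(found) >= limit:
            break
    return found[:limit]


def brake_by_wire(sensor_tolerance: int = 1):
    """Constructed sample: pedal position p (0..10) must yield brake force f >= p - 2.
    The system is split over a HW sensor (reads p as s), a SW controller (s -> command c)
    and a mechanical actuator (c -> f). Port ranges are deliberately wider than the
    assumptions so that out-of-assumption behaviours are part of the search."""
    domain = {"p": range(0, 11), "s": range(-2, 13), "c": range(-2, 13), "f": range(-2, 13)}
    system = Contract("brake_system",
                      assumption=lambda b: 0 <= b["p"] <= 10,
                      guarantee=lambda b: b["f"] >= b["p"] - 2)
    sensor = Contract("pedal_sensor_hw",
                      assumption=lambda b: 0 <= b["p"] <= 10,
                      guarantee=lambda b: b["s"] >= 0 and abs(b["s"] - b["p"]) <= sensor_tolerance)
    controller = Contract("controller_sw",
                          assumption=lambda b: 0 <= b["s"] <= 11,
                          guarantee=lambda b: b["c"] == b["s"])
    actuator = Contract("brake_actuator_mech",
                        assumption=lambda b: 0 <= b["c"] <= 11,
                        guarantee=lambda b: b["f"] >= b["c"] - 1)
    return system, [sensor, controller, actuator], domain


def check_brake_by_wire(sensor_tolerance: int = 1):
    system, parts, domain = brake_by_wire(sensor_tolerance)
    return refinement_violations(system, parts, domain)


if __name__ == "__main__":
    print("tolerance 1:", check_brake_by_wire(1))      # sound decomposition: no counterexample
    print("tolerance 2:", check_brake_by_wire(2)[0])   # first behaviour breaking condition (2)
```

With sensor tolerance 1 the checker reports no counterexample; widening the tolerance to 2 makes it return the first behaviours in which the parts' guarantees no longer imply the system guarantee, which is the kind of feedback the thesis argues an RE tool should give while requirements are being allocated. Exhaustive enumeration only works for small finite domains; for realistic ranges the same two conditions would be discharged symbolically, e.g. with an SMT solver.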

National Category
Mechanical Engineering; Mathematics
Research subject
Machine Design
Identifiers
urn:nbn:se:kth:diva-192374 (URN)
Projects
ESPRESSO
Funder
VINNOVA
Note

QC 20160911

Available from: 2016-09-11. Created: 2016-09-11. Last updated: 2016-09-11. Bibliographically approved.
2. Extending Contract Theory with Safety Integrity Levels
2015 (English). In: 2015 IEEE 16th International Symposium on High Assurance Systems Engineering (HASE), IEEE Computer Society, 2015, pp. 85-92. Conference paper (Refereed).
Abstract [en]

In functional safety standards such as ISO 26262 and IEC 61508, Safety Integrity Levels (SILs) are assigned to top-level safety requirements on a system. The SILs are then either inherited or decomposed down to safety requirements on sub-systems, such that if the sub-systems are sufficiently reliable in fulfilling their respective safety requirements, as specified by the SILs, then it follows that the system is sufficiently reliable in fulfilling the top-level safety requirement. Contract theory has previously been shown to provide a suitable foundation for structuring safety requirements, but does not include support for the use of SILs. An extension of contract theory with the notion of SILs is therefore presented. As a basis for structuring the breakdown of safety requirements, a graph, called a contract structure, is introduced that provides a necessary foundation to capture the notions of SIL inheritance and decomposition in the context of contract theory.
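As an added example, not code from the paper: the check below walks a contract structure graph (here a tree of requirements allocated to architecture elements) and verifies that every refinement step is either plain SIL inheritance or an ASIL decomposition permitted by ISO 26262-9. The decomposition table is ISO 26262-9's (ASIL D into C+A, B+B or D+QM, and so on); the paper also treats IEC 61508 SILs, which this block does not cover. Requirement identifiers, field names such as independence_justified, and the sample brake requirements are constructed for illustration.

```python
"""ASIL inheritance and decomposition over a contract structure graph.

Added example; not code from the paper. Requirements form a tree rooted at a top-level
safety requirement. At each refinement step either every child inherits the parent's
ASIL, or exactly two children split it according to the ASIL decomposition schemes of
ISO 26262-9 (IEC 61508 SILs are not covered here). Field names and the sample
requirements are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List

ASIL_RANK = {"QM": 0, "A": 1, "B": 2, "C": 3, "D": 4}

# ISO 26262-9 decomposition schemes as (higher, lower) pairs. After a split the parts are
# written e.g. ASIL B(D): B is to be achieved, D was the ASIL before decomposition.
DECOMPOSITIONS = {
    "D": {("C", "A"), ("B", "B"), ("D", "QM")},
    "C": {("B", "A"), ("C", "QM")},
    "B": {("A", "A"), ("B", "QM")},
    "A": {("A", "QM")},
    "QM": set(),
}


@dataclass
class Requirement:
    rid: str
    asil: str
    allocated_to: str                      # architecture element carrying the requirement
    children: List[str] = field(default_factory=list)
    # Set by the engineer once a dependent failure analysis (ISO 26262-9) has shown the
    # decomposed parts to be sufficiently independent; never derived by this script.
    independence_justified: bool = False


def as_pair(asils: List[str]):
    """Order two ASILs high-to-low so they can be looked up in DECOMPOSITIONS."""
    return tuple(sorted(asils, key=lambda a: ASIL_RANK[a], reverse=True))


def check_contract_structure(reqs: Dict[str, Requirement], root: str) -> List[str]:
    """Walk the tree from `root`; return human-readable violations (empty = consistent)."""
    violations: List[str] = []
    seen = set()
    stack = [root]
    while stack:
        rid = stack.pop()
        if rid in seen:
            continue
        seen.add(rid)
        req = reqs.get(rid)
        if req is None:
            violations.append(f"{rid}: referenced but never specified")
            continue
        stack.extend(req.children)             # children are checked when popped
        if req.asil not in ASIL_RANK:
            violations.append(f"{rid}: unknown ASIL {req.asil!r}")
            continue
        kids = [reqs[k] for k in req.children if k in reqs]
        if not kids or len(kids) != len(req.children):
            continue                           # leaf, or a missing child reported later
        if any(k.asil not in ASIL_RANK for k in kids):
            continue                           # bad child ASIL reported when that child is popped
        child_asils = [k.asil for k in kids]
        if all(a == req.asil for a in child_asils):
            continue                           # inheritance: every part carries the parent's ASIL
        if len(kids) != 2 or as_pair(child_asils) not in DECOMPOSITIONS[req.asil]:
            violations.append(f"{rid}: ASIL {req.asil} cannot be split into {child_asils}")
            continue
        # A permitted pair is necessary but not sufficient: the parts must be independent.
        if kids[0].allocated_to == kids[1].allocated_to:
            violations.append(f"{rid}: decomposed parts are both allocated to {kids[0].allocated_to}")
        if not req.independence_justified:
            violations.append(f"{rid}: decomposition lacks a dependent failure analysis")
    return violations


def brake_requirements(split=("B", "B"), same_element=False, justified=True):
    """Constructed sample: safety goal SG1 (ASIL D) refined into functional (FSR) and
    technical (TSR) safety requirements on sensor HW, controller SW and the actuator."""
    a1, a2 = split
    second = "pedal_sensor_hw" if same_element else "controller_sw"
    return {
        "SG1":   Requirement("SG1", "D", "vehicle", ["FSR1", "FSR2"]),
        "FSR1":  Requirement("FSR1", "D", "brake_control_unit", ["TSR1a", "TSR1b"],
                             independence_justified=justified),
        "FSR2":  Requirement("FSR2", "D", "brake_actuator_mech", ["TSR2"]),
        "TSR1a": Requirement("TSR1a", a1, "pedal_sensor_hw"),
        "TSR1b": Requirement("TSR1b", a2, second),
        "TSR2":  Requirement("TSR2", "D", "brake_actuator_mech"),
    }


if __name__ == "__main__":
    print(check_contract_structure(brake_requirements(), "SG1"))                      # []
    print(check_contract_structure(brake_requirements(split=("B", "A")), "SG1"))      # D -> B+A rejected
    print(check_contract_structure(brake_requirements(same_element=True, justified=False), "SG1"))
```

A permitted pair is only half the rule: decomposed requirements must be allocated to sufficiently independent elements, which a syntactic check can only approximate (different element, plus an engineer-supplied flag that a dependent failure analysis exists). The analysis itself, and the confirmation measures that still apply at the original ASIL, are outside what such a tool check can provide.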

Place, publisher, year, edition, pages
IEEE Computer Society, 2015
Series
IEEE International Symposium on High-Assurance Systems Engineering, ISSN 1530-2059
Keyword
Contracts, Decomposition, IEC 61508, ISO 26262, Requirements, Safety Integrity Levels, SIL
National Category
Mechanical Engineering
Identifiers
urn:nbn:se:kth:diva-170391 (URN)
10.1109/HASE.2015.21 (DOI)
000380911000011 (ISI)
2-s2.0-84936853007 (ScopusID)
978-1-4799-8110-6 (ISBN)
Conference
IEEE International Conference on High Assurance Systems Engineering (HASE), 8-10 Jan. 2015, Daytona Beach Shores, FL, United States
Projects
ESPRESSO
Note

QC 20150630

Available from: 2015-06-29. Created: 2015-06-29. Last updated: 2016-09-16. Bibliographically approved.
3. Formal Architecture Modeling of Sequential Non-Recursive C Programs
2016 (English). In: Science of Computer Programming, ISSN 0167-6423, E-ISSN 1872-7964. Article in journal (Other academic). Submitted.
Abstract [en]

To manage the complexity of C programs, architecture models are used as high-level descriptions, allowing developers to understand, assess, and manage the C programs without having to understand the intricate complexity of the code implementations. However, for the architecture models to serve their purpose, they must be accurate representations of the code implementations. In order to achieve this in practice, support is needed in the form of a stringent mapping from the C language to an architecture modeling formalism. Considering that there exists no such uniform mapping from the C language to Modeling Languages (MLs) such as SysML or UML and Architecture Description Languages (ADLs) such as AADL, modeling C programs using such languages is essentially ad hoc. Therefore, a unique mapping is established from the domain of sequential non-recursive C programs to a domain of formal architecture models.

National Category
Mechanical Engineering
Research subject
Machine Design
Identifiers
urn:nbn:se:kth:diva-192375 (URN)
Projects
ESPRESSO
Funder
VINNOVA
Note

QC 20160911

Available from: 2016-09-11. Created: 2016-09-11. Last updated: 2016-09-11. Bibliographically approved.
4. Providing Tool Support for Specifying Safety-Critical Systems by Enforcing Syntactic Contract Conditions
2016 (English). In: Requirements Engineering, ISSN 0947-3602, E-ISSN 1432-010X. Article in journal (Other academic). Submitted.
Abstract [en]

Functional safety (FuSa) standards such as IEC 61508 and ISO 26262 advocate a particularly stringent requirements engineering (RE) where safety requirements must be structured in a hierarchical manner and specified in accordance with the system architecture. In contrast to the stringent RE in FuSa standards, RE in industry is, according to previous studies, generally of poor quality. Contracts theory has previously been shown to be suitable for supporting such a stringent RE effort; this support has also been implemented in tools. However, to use these contract-based tools, requirements must be formalized, which is a major challenge in industry. Therefore, to support current industrial RE practice and the stringent RE in FuSa standards, it is shown how support in a specification tool can be provided even when requirements, and also architectures, are not formalized. This is achieved by enforcing syntactic, yet formal, conditions in contracts theory. Furthermore, a validating industrial case study is presented where the proposed support is shown to be fully applicable in an industrial setting.

National Category
Mechanical Engineering
Research subject
Machine Design
Identifiers
urn:nbn:se:kth:diva-192376 (URN)
Projects
ESPRESSO
Funder
VINNOVA
Note

QC 20160911

Available from: 2016-09-11. Created: 2016-09-11. Last updated: 2016-09-11. Bibliographically approved.

Open Access in DiVA

Westman - Specifying Safety-Critical Heterogeneous Systems Using Contracts Theory (2667 kB)
File name: FULLTEXT01.pdf
File size: 2667 kB
Checksum SHA-512: 1914f82df7811e035d74833fa9d229cad6086274374cfd26b24f80f49a28fe896c618a2ca85eebd0222010cb59770571b1670e179db28aeec7427a5b1253c030
Type: fulltext
Mimetype: application/pdf

Author/editor
Westman, Jonas
Organisation
Mechatronics
National Category
Mechanical Engineering; Mathematics
