Fig 4 - uploaded by Tayfun Gezgin
Symbols of interfaces 

Source publication
Conference Paper
During the development of software intensive systems, typically several models of this system are designed. These various models represent the system structured by different concerns, e. g. abstraction. While these approaches help to cope with complexity, the need of relating the models to one another arises. A major task is to keep model specifica...

Similar publications

Article
Current design codes and most of the understanding of the behaviour of structures in fire are based on small enclosure fires. The World Trade Centre Tower fires in 2001 have highlighted the need for more realistic design tools to represent fires in large compartments. Following the events, Travelling Fires Methodology (TFM) has been developed by Stern-...

Citations

... Semantically, we map to a standard contract of the form , where . For timing and sporadic fault occurrence recognition the validation has already been done in [9]. For other aspects this may, however, be more difficult, which is one reason to also consider a methodological approach. ...
Article
The distributed design process for safety-critical embedded systems has become an increasingly difficult challenge: Electronic Control Units (ECUs) in vehicles, for instance, participate in many vehicle functions, while each vehicle function, in turn, is spread across several ECUs. Many suppliers participate in systems design and many partial functions are reused from past projects, not always knowing the assumptions at the time of their development. In particular, efficient allocation of safety mechanisms and a sound safety case are difficult tasks for original equipment manufacturers (OEMs). Contract-based development has gained popularity as an approach for supporting distributed development by explicitly annotating assumptions and guarantees to components, but an integrated process covering specification of nominal behavior and safety has not been described so far. We present such an integrated development approach that encompasses the systematic breakdown of nominal system behavior using contracts, the consistent derivation of safety analysis by interpreting several types of contract violations as a specification for failure modes, and the subsequent integration of safety mechanisms that cover these failure modes through safety contracts. The approach equally fits hardware and software and is therefore applicable on the system level. We demonstrate it by an electric drive example. The extensibility of our approach towards Cyber Physical Systems, which compose themselves at runtime, is briefly outlined at the end of the article.
... Our development in Section 3.6 of companion paper [11] provides the formal support for this. For the pattern based language used here, a framework for checking refinement of contracts using an observer based strategy is described in [27]. ...
Technical Report
Recently, contract based design has been proposed as an "orthogonal" approach that can be applied to all methodologies proposed so far to cope with the complexity of system design. Contract based design provides a rigorous scaffolding for verification, analysis and abstraction/refinement. Companion report RR-8759 proposes a unified treatment of the topic that can help in putting contract-based design in perspective. This paper complements RR-8759 by further discussing methodological aspects of system design with contracts in perspective and presenting two application cases. The first application case illustrates the use of contracts in requirement engineering, an area of system design where formal methods were scarcely considered, yet are stringently needed. We focus in particular on the critical design step by which sub-contracts are generated for suppliers from a set of different viewpoints (specified as contracts) on the global system. We also discuss important issues regarding certification in requirement engineering, such as consistency, compatibility, and completeness of requirements. The second example is developed in the context of the Autosar methodology now widely advocated in the automotive sector. We propose a contract framework to support schedulability analysis, a key step in the Autosar methodology. Our aim differs from the many proposals for compositional schedulability analysis in that we aim at defining sub-contracts for suppliers, not just performing the analysis by parts—we know from companion paper RR-8759 that sub-contracting to suppliers differs from a compositional analysis entirely performed by the OEM. We observe that the methodology advocated by Autosar is in contradiction with contract based design in that some recommended design steps cannot be refinements. We show how to circumvent this difficulty by precisely bounding the risk at the system integration phase.
Another feature of this application case is the combination of manual reasoning for local properties and use of the formal contract algebra to lift a collection of local checks to a system wide analysis.
... . For timing and a special subset of safety properties the validation has already been done [6,7]. For other aspects this may, however, be more difficult, which is one reason to also consider a methodological approach. ...
Conference Paper
Designing safety-critical cyber physical systems (CPS) was and remains a challenging task. CPS engineers are supposed to design solutions that are easy to modify, reusable, satisfy certification authorities, meet safety goals, separate between concerns, etc. With these partly contradicting demands it sometimes is even impossible to find a viable CPS design. The idea of using contract-based design methods has been around for over two decades and enables automating the (re-)validation of the specification of CPS against the surrounding system or operational environment. In this work we extend the notion of contracts by component and interface contracts and give ideas on how to integrate them in a modular safety assurance approach. The explicit separation between these two types of contracts also better reflects the separation of concerns and reduces the overall modeling effort. We evaluate our approach with an automotive E-Drive case study.
... For this, we translate all contracts of the corresponding system to UPPAAL timed automata [28], and perform a reachability check [29]. Our refinement check was initially introduced in [30]. For our analysis, we assume that the specification of a system or a component consists of either a single contract or a set of independent contracts that do not affect each other. ...
... Checking dependent contracts would be much more complicated, as we would have to build the conjugation of all dependent contracts, involving negation parts in the formulae. A discussion for this can be found in [30]. Note that contracts between systems can have dependencies. ...
Conference Paper
Verification techniques for analyzing the design or requirements at early development stages have been used since the beginning of the model-based design paradigm. Most of these analyses are focused on a single purpose, like safety, real-time, or geometry. This separation of concerns leads to the introduction of so-called aspects that describe these properties of a system. Nevertheless, these aspects are not necessarily independent. In this paper we use the fault tolerance time interval, the maximum time to recover from faults, as an example to state the need for a multi-aspect analysis. We present how a virtual integration test can be performed covering safety and real-time properties to prove the correct refinement of requirements. Our requirements formalization approach using contracts, a pattern language and the internal representation as timed automata are described. The presented technique is applied to an automotive lane-keeping-support system.
... A (software) contract is commonly used to specify the relation between system artifacts (or components), expressing the pre- and post-conditions of a system component [5]. A safety contract is a similar idea but instead of having pre(post)conditions, it contains assumptions and guarantees assuring a certain level of confidence (integrity) of such a component [6]. ...
... In this sense, the Unified Modelling Language (UML) [11], the de facto standard modelling language, provides a unified understanding of and insight into system and software design. Safety specification in UML has been explored in the research community using the Object Constraint Language (OCL) [12] (a standard UML extension to specify constraints in UML models), such as the works in [5], [7], [8], [13]. Other works [14], [15] use specific UML profiles (a UML extension in terms of stereotypes and tags), such as SysML and OMEGA, to express safety or correctness contracts in a UML model system. ...
Conference Paper
Safety is a primordial assessment in safety-related systems where human lives can be put at risk, which need to comply with safety requirements defined by industry standards such as IEC 61508, ISO 26262 or DO-178C. Safety contracts are useful to specify these requirements (as assumptions and guarantees), thus assuring an expected level of confidence. Verifying the safety requirements is estimated to represent more than half of the overall system development costs. In this paper, we propose a model-based verification that addresses safety verification from the very beginning of system development, thus saving costs. Namely, we use UML for system design and the Object Constraint Language (OCL) for specifying safety contracts, while their verification is carried out using Petri nets. As a case study, we assess the safety of an embedded system that models a fire prevention system in a hospital building.
... Our development in Section V-G provides the formal support for this. For the pattern based language used here, a framework for checking refinement of contracts using an observer based strategy is described in [94]. ...
Article
Systems design has become a key challenge and differentiating factor over the last decades for system companies. Aircraft, trains, cars, plants, distributed telecommunication, military or health care systems, and more, involve systems design as a critical step. Complexity has caused system design times and costs to go severely over budget so as to threaten the health of entire industrial sectors. Heuristic methods and standard practices do not seem to scale with complexity, so that novel design methods and tools based on a strong theoretical foundation are sorely needed. Model-based design as well as other methodologies such as layered and compositional design have been used recently, but a unified intellectual framework with a complete design flow supported by formal tools is still lacking, albeit some attempts at this framework such as Platform-based Design have been successfully deployed. Recently an "orthogonal" approach has been proposed that can be applied to all methodologies proposed thus far to provide a rigorous scaffolding for verification, analysis and abstraction/refinement: contract-based design. Several results have been obtained in this domain but a unified treatment of the topic that can help in putting contract-based design in perspective is still missing. This paper intends to provide such treatment, where contracts are precisely defined and characterized so that they can be used in design methodologies such as the ones mentioned above with no ambiguity. In addition, the paper provides an important link between interfaces and contracts to show similarities and correspondences. Examples of the use of contracts in design are provided as well as an in-depth analysis of existing literature.
Chapter
Embedded systems are often highly integrated into a network of systems. To increase synergies, reduce code redundancies, and to support reuse, the different systems in this network provide conceptual functions for use by other systems. This chapter deals with the challenges resulting from this type of networked approach and provides essential solution concepts for obtaining benefits from the creation and analysis of the model-based documentation of the functional design of such conceptual system function networks. In particular, this chapter explains:
- The documentation format of the functional design of networked embedded systems, consisting of static/structural function networks, the functional behavior, and the timely execution order
- Analysis methods to aid validation and verification, as well as an optimal partitioning and deployment of networked embedded systems
- Construction methods to integrate the consistent creation of the functional design into embedded systems' development processes.
Chapter
The technical viewpoint is mostly concerned with the question of how to get from the platform-independent models.
Conference Paper
The analysis of real-time properties is crucial in safety-critical areas, and is particularly difficult for distributed systems as complex interferences between tasks of different priorities can occur. In previous works we have introduced a state-based analysis approach to validate end-to-end deadlines for distributed systems, where the state spaces of all resources, such as processors and buses, are computed in a compositional fashion. For this, abstraction and composition operations were defined to adequately handle task and resource dependencies. During the design process of a system, changes typically occur on both the specification and implementation level, such that already performed analyses of the system have to be repeated. In this work, we define a methodology to adequately handle such changes and to determine the minimal affected part of the architecture. For this, we define an appropriate refinement relation between state spaces of the resources. We use contracts to further reduce the re-validation effort. This check takes place at a higher design level, where only the specification is considered.