Architecture Modeling - SPES 2020
Architecture Modeling - SPES 2020
Architecture Modeling - SPES 2020
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
<strong>Architecture</strong> <strong>Modeling</strong><br />
OEMs are increasingly using models within procurement processes, typically safeguarding<br />
themselves against potential liability issues by requiring suppliers to validate such models<br />
against textual requirement specifications. A re-appearing reason for failures causing deep iterations<br />
across supply chain boundaries rests in incomplete characterizations of the environment<br />
of the system to be developed by the supplier, such as missing information about failure modes<br />
and failure rates, missing information on possible sources for interferences through shared resources,<br />
missing boundary conditions, etc. This highlights the need to explicate assumptions on<br />
the design context in OEM-supplier contracts. This key need was one of the major motivations<br />
for introducing the contract-based design methodology for embedded systems, as initially developed<br />
in the Integrated Project SPEEDS. In enforcing the analysis of the key characteristics of<br />
the environment required to enforce the system specification up front, responsibilities between<br />
what has to be guaranteed by the OEM (that the system provided by the supplier will be embedded<br />
in an overall design meeting the assumptions on the environment specified in the contract)<br />
and the supplier (in providing an implementation to the system specification provided that the<br />
system is used in a context meeting the specified environment characteristics) are clearly defined.<br />
In the light of an increased sharing of hardware resources by applications developed by<br />
multiple suppliers, such a contract-based approach seems indispensable for resolving liability<br />
issues and allowing co-existence of applications with different criticality levels (such as ASIL<br />
levels in automotive).<br />
In domains developing safety related systems, domain specific standards clearly define the responsibilities<br />
and duties of companies across the supply chain to demonstrate functional safety,<br />
such as in the ISO 26262 for the automotive domain, IEC 61508 for automation, its derivatives<br />
Cenelec EN 50128 and 50126 for rail, and Do 178 B for civil avionics.<br />
The challenge in defining standards rests in balancing the need for stability with the need of<br />
not blocking process innovations seen as indispensible to cope with the exponential growth in<br />
systems complexity and the overarching need of optimization techniques for cost reduction. As<br />
an example, means for compositional construction of safety cases thus allowing modular certification<br />
are seen as mandatory to reduce certification costs in the aerospace and rail domains.<br />
Similarly, the potential of using formal verification techniques to cope with increasing system<br />
complexity will lead to an adaptation of the current DO 178 B standard, establishing the role<br />
of these techniques within the construction of safety cases. In general, this calls for a closed<br />
feedback loop between design and safety processes, assessment the potential impact and benefit<br />
of such design representations and enabled process optimizations on safety standards, and identifying<br />
techniques with strong optimization potential and high industrial relevance early enough<br />
for adaptation of standards enabling their usage in safety-critical system design.<br />
5.2.3 Getting Initial Requirements Right<br />
Depending on application domains, up to 50% of all errors result from imprecise, incomplete,<br />
or inconsistent requirements. Out of the many approaches taken in industry for getting requirements<br />
right, we focus here on those for initial systems requirements, relying on ISO 26262<br />
compliant approaches such as discussed in the context of virtual system integration to systematically<br />
reduce system contracts to contracts on subsystems which are jointly powerful enough<br />
to establish the total set of system contracts.<br />
To cope with the inherently unstructured problem of (in-)completeness of requirements, industry<br />
has set up domain- and application-class specific methodologies striving towards completeness<br />
of requirement analysis. As particular examples, we mention learning process, such as<br />
employed by Airbus to incorporate the knowledge base of what is called external hazards from<br />
101/ 156