How to increase efficiency with the certification of process compliance
Safety Certification of Software-Inte How to increase efficiency with withthe Reusable Compone certification of process compliance Barbara Gallina School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden [email protected] Report type Report name Dissemination level nSC D1 A Generic Proc Certification and Deve 24th March 2015, 3rd Scandinavian Conference on SYSTEM & SOFTWARE SAFETY Status Talk outline • Preliminary concepts Safety Certification of Software-Inte with Reusable Compone – Certification – Certification crisis – Certification framework • • • • • Context and motivation Background THRUST/MDSafeCer Video-demo Report type Conclusion and future work Report name Dissemination level nSC D1 A Generic Proc Certification and Deve 24th March 2015, 3rd Scandinavian Conference on SYSTEM & SOFTWARE SAFETY Status 2 Preliminary concepts Safety Certification of Software-Inte with Reusable Compone • Certification – from Latin, certify-->make certain – in common use: attestation by someone trustworthy that a certain statement is true to the best of his/her knowledge • Why Safety Certification? “Safety certification assures society at large that deployment of a given system does not pose an unacceptable risk of harm. There are several ways of organizing and conducting certification, but all nSC D1 Report type are conceptually based on scrutiny of Report an argument that certainA Generic Proc name Certification claims about safety are justified by evidence about the system. “ and Deve Taken from Rushby, Substantially revised version; original appears in Proceedings of the Ninth ACM International Conference On Embedded Software (EMSOFT), pp. 211–218, Taipei, Taiwan, October 2011. Dissemination level 24th March 2015, 3rd Scandinavian Conference on SYSTEM & SOFTWARE SAFETY Status 3 Preliminary concepts Safety Certification of Software-Inte with Reusable Compone • What can be certified in the context of safety-critical systems? – Processes – Products – Tools used during the development of products • Tool qualification processes – … Report type Report name Dissemination level nSC D1 A Generic Proc Certification and Deve 24th March 2015, 3rd Scandinavian Conference on SYSTEM & SOFTWARE SAFETY Status 4 Why process-based certification? of Software-Inte [Wassyng et al 2010]Safety Certification with Reusable Compone • We have no real consensus on absolutely essential metrics for products. Ironically, even if we did have consensus on essential metrics, what metrics would help us evaluate the dependability of software products directly? • It is widely accepted that testing software products completely is not possible. One of the major differences between software products and more traditional, physical products, is that the principle of continuity does not apply to software products. Since software engineers felt that even a huge number of test Report type nSC D1 cases could not guarantee the quality of the product, we turned Report name A Generic Proc to supportive evidence, hoping that layers of evidence willand Deve Certification add up to more tangible proof of quality/dependability. Dissemination level 24th March 2015, 3rd Scandinavian Conference on SYSTEM & SOFTWARE SAFETY Status 5 Process and process-based certification Safety Certification of Software-Inte with Reusable Compone • Processes are not useful • Documentation is not useful Self-fulfilling prophecy1 [Parnas et al 1986] àticking mentality Report type Report name 1A prediction nSC D1 A Generic Proc Certification and Deve that directly or indirectly causes itself to become true, by the very terms of the prophecy itself, due to positive feedback between belief and behavior Dissemination level 24th March 2015, 3rd Scandinavian Conference on SYSTEM & SOFTWARE SAFETY Status 6 Process-based certification Safety Certification of Software-Inte with Reusable Compone § Which is the danger? – “box ticking” mentality (checklist of deliverables) § We need product assurance instead of compliance with standard. Compliance with standard is a necessary but not a sufficient condition! § Why is not sufficient? Report(UNKNOWN) type – efficacy of development approaches Report name – benefits of certification schemes (UNKNOWN) Dissemination level nSC D1 A Generic Proc Certification and Deve 24th March 2015, 3rd Scandinavian Conference on SYSTEM & SOFTWARE SAFETY Status 7 Safety Certification of Software-Inte with Reusable Compone “The ideal would be a study that used historical data to assess the in-service history of software developed to DO- 178B. It is considered unlikely that such data will be made available by industry or that it even exists. … Those seeking to reduce costs argue that some of the DO- 178B objectives or activities are unnecessary and could be eliminated. The danger is that, if we don’t know why DO-178B works, we could stop doing something that really matters, which could lead to an accident.” Taken from D. Daniels “The Efficacy of DO-178B ” Report type Report name Dissemination level nSC D1 A Generic Proc Certification and Deve 24th March 2015, 3rd Scandinavian Conference on SYSTEM & SOFTWARE SAFETY Status 8 Safety Certification of Software-Inte with Reusable Compone Certification crisis!!! Why? Report type Report name Dissemination level nSC D1 A Generic Proc Certification and Deve 24th March 2015, 3rd Scandinavian Conference on SYSTEM & SOFTWARE SAFETY Status 9 Certification framework [Bender et al 2013] ECEASST Safety Certification of Software-Inte with Reusable Compone Report type Report name Dissemination level nSC D1 A Generic Proc Certification and Deve 24th March 2015, 3rd Scandinavian Conference on SYSTEM & SOFTWARE SAFETY Status Figure 1: The framework 10 Safety Certification of Software-Inte with Reusable Compone Let’s look at reality… Report type Report name Dissemination level nSC D1 A Generic Proc Certification and Deve 24th March 2015, 3rd Scandinavian Conference on SYSTEM & SOFTWARE SAFETY Status 11 Context Objective-based • DO-178B • DO-178C • … Prescriptive, triple V model + tailoring rules ISO 26262-2011 ISO 26262-2018 Safety Certification of Software-Inte with Reusable Compone Prescriptive, V model BS EN 50128:2001 BS EN 50128:2011 The original DO-178 had sixty-seven pages. Today’s engineers working on a modern Integrated Modular Avionic (IMA) platform have to be familiar with (and in many cases comply to) over a thousand pages of official RTCA publications supported by Report nSC D1 hundreds of pages of regulatory guidance. The DO-178C family of documents alonetype weighs in at over six hundred pages. Report name Dissemination level A Generic Proc Certification and Deve 24th March 2015, 3rd Scandinavian Conference on SYSTEM & SOFTWARE SAFETY Status 12 Problem Safety Certification of Software-Inte with Reusable Compone IEC 61508 ISO 26262 ASPICE EN 5012x Thousands of pages! àincreasing complexity àproliferation of standards à(re)certification is inefficient (time consuming and expensive!) DO 178B/C DO 330 … Report type Report name Dissemination level nSC D1 A Generic Proc Certification and Deve 24th March 2015, 3rd Scandinavian Conference on SYSTEM & SOFTWARE SAFETY Status 13 How the proliferations of standards could Safety Certification of Software-Inte with Reusable Compone be faced? • • • • • • • • • How complexity could be mastered? How can we speed up (re)certification? How can we enable intra/cross domain reuse? How can we enable process-related systematic reuse? What varies from one criticality level to another? What varies from one version to another? What remains unchanged? What can be reused? Report type nSC D1 Report name A Generic Proc What can be generated? Certification and Deve Dissemination level 24th March 2015, 3rd Scandinavian Conference on SYSTEM & SOFTWARE SAFETY Status 14 Talk outline • Preliminary concepts • Context and motivation • Background – – – – – Safety Certification of Software-Inte with Reusable Compone Safety-oriented process lines engineering (SoPLE) Safety-oriented process line modeling Process compliance Process compliance documentation Model-driven Engineering/Certification • THRUST/MDSafeCer • Video-demo • Conclusion and future work Report type Report name Dissemination level nSC D1 A Generic Proc Certification and Deve 24th March 2015, 3rd Scandinavian Conference on SYSTEM & SOFTWARE SAFETY Status 15 Safety-oriented process lines engineering of Software-Inte (SoPLE) Safety Certification with Reusable Compone • Concurrent engineering of a set o safety-oriented processes – Why? To reuse systematically! Gallina et al 2012 Gallina et al 2014a Gallina et al 2014b • Which consists of: – Scoping – Domain engineering (full and partial commonalities, Report type nSC D1 Report name A Generic Proc variabilities) Certification and Deve – Process engineering Dissemination level 24th March 2015, 3rd Scandinavian Conference on SYSTEM & SOFTWARE SAFETY Status 16 show the reuse, in e safetyvelopment d a crosstituted of • The above language constructs are concretized via the icons given in Table 1. Table 1 mainly (except for phase) shows the icons that can be used to define statically the processes. To define processes dynamically, additional icons are available. These Safety-oriented process lines modeling additional icons are obtained by decorating SPEM2.0 Safety Certification of Software-Inte inUse icons, in a similar way as for Definition icons. with Reusable Compone S-TunExSPEM (SPEM2.0 extension) Table 1. Subset of S-TunExSPEM Icons Task Role Tool Work Guidance Phase processes, product disposal language Gallina et al 2014c s lines. In disposal, to model respect vSPEM, we recall its support for oser [10] • Table 2.With Subset of to vSPEM Icons wheneve vSPEM (SPEM2.0 extension) variability by focusing on the concrete syntax. As Report type nSC D1 processConcept Variation point Variant Table 2 shows, vSPEM basically introduces the Report name A Generic Proc 2.0 have Deve possibility to model: 1) variation points, by Certification and To cess lines Task SPEM2.0 icons with empty circles; and 2) decorating various exchange variants, by decorating SPEM2.0 icons with level a V. Dissemination (e.g. se th To connect a variant (optional/alternative/etc. Status 24 March 2015, 3rd Scandinavian Conference on SYSTEM & SOFTWARE SAFETY 17 language Process compliance • To be compliant, a company has two Safety Certification of Software-Inte with Reusable Compone alternatives: – strict and almost literal implementation of the process • identification and assignment of roles; • execution of all the activities according a specific order (if any) and/or grouping (if any); • consumption/provision of all the required work products; • application of specific guidance (if any); • usage of specific tools (if any). – execution of a tailored process obtained Reportby typeapplying tailoring rules nSC D1 Report name Dissemination level A Generic Proc Certification and Deve 24th March 2015, 3rd Scandinavian Conference on SYSTEM & SOFTWARE SAFETY Status 18 languages (e.g., Goal Structuring Notation (GSN) [17], Claim-Argument-Evidence (CAE) [18]), or a combination of both. These means are more generally used to document safety cases. Recently, an OMG Process standard, calledcompliance SACM [19], has documentation been provided to unify argumentation languages (namely, GSN and Safety Certification of Software-Inte applicant to CAE). GSN is (plain currently the only documentation with Reusable Compone • Textual languages natural language) ft) behaves means that offers constructs to argue about ment process • Graphical notations argumentation lines [4]. Thus, in this subsection, we of scientific– CAEbriefly recall its concrete syntax. SACM acy of the– GSN he standards processes is company has nsists of the ion of the nt, vSPEM ow, which is osite side. nment Report type of Report name nSC D1 A Generic Proc Certification and Deve Dissemination level according a 2015, 3rd Scandinavian Conference on SYSTEM 24th March & SOFTWARE SAFETY Figure 1. GSN Modeling Elements Status g (if any); 19 Model-driven Engineering Safety Certification of Software-Inte with Reusable Compone • MDE: Model-centric software engineering method – Model transformations from source to target space • Vertical transformations aimed at generating code • Horizontal transformation aimed at analyzing properties Report type Report name Dissemination level nSC D1 A Generic Proc Certification and Deve 24th March 2015, 3rd Scandinavian Conference on SYSTEM & SOFTWARE SAFETY Status 20 Talk outline Safety Certification of Software-Inte with Reusable Compone • • • • Background THRUST/MDSafeCer Video-demo Conclusion and future work Report type Report name Dissemination level nSC D1 A Generic Proc Certification and Deve 24th March 2015, 3rd Scandinavian Conference on SYSTEM & SOFTWARE SAFETY Status 21 THRUST Safety Certification of Software-Inte with Reusable Compone • Method for speeding up the creation of process-based artefacts via: – Systematic reuse • safety-oriented process lines • safety argumentation lines – Semi-automatic generation • model driven certification Report type Report name Dissemination level nSC D1 A Generic Proc Certification and Deve 24th March 2015, 3rd Scandinavian Conference on SYSTEM & SOFTWARE SAFETY Status 22 ordered logically. Various executions are possible since concurrent phases can be serialized in various ways. At the end, however, the deliverables of both branches (left and right) have to be available to THRUST satisfy the certification authorithies. Safety Certification of Software-Inte with Reusable Compone Report type Report name nSC D1 A Generic Proc Certification and Deve MDSafeCer Figure 3. THRUST-high-level Activity Diagram23 24 March 2015, 3rd Scandinavian Conference on SYSTEM & SOFTWARE SAFETY th Dissemination level Status THRUST Safety Certification of Software-Inte with Reusable Compone Report type Report name Dissemination level nSC D1 A Generic Proc Certification and Deve 24th March 2015, 3rd Scandinavian Conference on SYSTEM & SOFTWARE SAFETY Status 24 THRUST Safety Certification of Software-Inte with Reusable Compone Report type Report name Dissemination level nSC D1 A Generic Proc Certification and Deve 24th March 2015, 3rd Scandinavian Conference on SYSTEM & SOFTWARE SAFETY Status 25 THRUST Safety Certification of Software-Inte with Reusable Compone Report type Report name Dissemination level nSC D1 A Generic Proc Certification and Deve 24th March 2015, 3rd Scandinavian Conference on SYSTEM & SOFTWARE SAFETY Status 26 epresent a possibility towards the realization of o er method, allowing for the generation of ARM/S iant argumentation models from SPEM 2.0-co MDSafeCer s models. Safety Certification of Software-Inte with Reusable Compone Report type Report name M2M tranformation. Dissemination level nSC D1 A Generic Proc Certification and Deve 24th March 2015, 3rd Scandinavian Conference on SYSTEM & SOFTWARE SAFETY Status 27 Video-demo Safety Certification of Software-Inte with Reusable Compone • Implementation within AIT-WEFACT-tool Work in cooperation with: Austrian Institute of Technology (AIT) Virtual Vehicle Research Center (ViF) http://www.ait.ac.at/research-services/research-services-digital-safetysecurity/verification-and-validation/methods-and-tools/wefact-workflowengine-for-analysis-certification-and-test/?L=1 Report type nSC D1 Report name A Generic Proc https://www.youtube.com/watch?v=B9JpRBMg-D4&feature=youtu.be Certification and Deve Dissemination level 24th March 2015, 3rd Scandinavian Conference on SYSTEM & SOFTWARE SAFETY Status 28 Conclusion Safety Certification of Software-Inte with Reusable Compone • THRUST/MDSafeCer: Novel model-driven approaches for time and cost reduction during the provision of process-based safety argumentation via automatic generation – Mapping of (ideally reusable) process structures onto (ideally reusable) argumentation structures (patterns) • Prototype tool support – proof of concepts Report type Report name Dissemination level nSC D1 A Generic Proc Certification and Deve 24th March 2015, 3rd Scandinavian Conference on SYSTEM & SOFTWARE SAFETY Status 29 Future work Safety Certification of Software-Inte with Reusable Compone • Provision of a fully defined pattern for process compliance • Experimental validation on a more complex case-study • Contribution to provision of adequate meta-models • ECSEL-AMASS-project proposalcontinuation of SafeCer & OPENCOSS Report type Report name Dissemination level nSC D1 A Generic Proc Certification and Deve 24th March 2015, 3rd Scandinavian Conference on SYSTEM & SOFTWARE SAFETY Status 30 Publications • B. Gallina, L. Provenzano. Deriving Reusable Process-based Arguments from Process Models Safety Certification Software-Inte in the Context of Railway Safety Standards. 20th International Conferenceofon Reliable with Reusable Software Technologies-Industrial Presentation- (Ada-Europe-2015), Madrid, Spain,Compone June, 2015. • B. Gallina. Towards Enabling Reuse in the Context of Safety-critical Product Lines. 5th International Workshop on Product LinE Approaches in Software Engineering (PLEASE), joint event of ICSE, Florence, Italy, May 19th, 2015. • B. Gallina, K. Lundqvist and K. Forsberg. THRUST: A Method for Speeding Up the Creation of Process-related Deliverables. IEEE 33rd Digital Avionics Systems Conference (DASC-33), doi:10.1109/DASC.2014.6979489, Colorado Springs, CO, USA, October 5-9, 2014. • B. Gallina, K. R. Pitchai and K. Lundqvist. S-TunExSPEM: Towards an Extension of SPEM Report type nSC D1 2.0 to Model and Exchange Tuneable Safety-oriented Processes. 11th International Report name A Generic Proc Certification and Deve Conference on Software Engineering Research, Management and Applications (SERA), SCI 496, Springer, ISBN 978-3-319-00947-6, Prague, Czech Republic, August 7-9, 2013, 2014. Dissemination level 24th March 2015, 3rd Scandinavian Conference on SYSTEM & SOFTWARE SAFETY Status 31 Publications • B. Gallina. A Model-driven Safety Certification Method for Process Compliance. 2nd IEEE Safety Certification of (ASSURE), Software-Inte International Workshop on Assurance Cases for Software-intensive Systems with Reusable Compone Naples, Italy, doi:10.1109/ISSREW.2014.30, pp. 204-209, November 3-6, 2014. • B. Gallina, S. Kashiyarandi, K.Zugsbrati and A. Geven. Enabling Cross-domain Reuse of Tool Qualification Certification Artefacts. Proceedings of the 1st International Workshop on DEvelopment, Verification and VAlidation of cRiTical Systems (DEVVARTS), Springer, LNCS 8696, ISBN: 978-3-319-10556-7, pp. 255-266, Florence (Italy), 8 September, 2014. • B. Gallina, S. Kashiyarandi, H. Martin and R. Bramberger. Modeling a Safety- and Automotive-oriented Process Line to Enable Reuse and Flexible Process Derivation. Proceedings of the 8th IEEE International Workshop on Quality-Oriented Reuse of Software (QUORS), joint workshop at COMPSAC conference, IEEE Computer Society, doi: 10.1109/ COMPSACW.2014.84, pp. 504-509,Västerås (Sweden), 2014. Report type • nSC D1 Report name A Generic Proc B. Gallina, I. Sljivo, and O. Jaradat. Towards a Safety-oriented Process Line for Enabling Certification and Deve Reuse in Safety Critical Systems Development and Certification. Post-proceedings of the 35th IEEE Software Engineering Workshop (SEW-35), IEEE Computer Society, ISBN 978-1-4673-5574-2, Heraclion, Crete (Greece), 2012.Dissemination level 24th March 2015, 3rd Scandinavian Conference on SYSTEM Status & SOFTWARE SAFETY 32 Videos • MDSafeCer within AIT-WEFACT Safety Certification of Software-Inte with Reusable Compone http://www.ait.ac.at/research-services/research-services-digital-safety-security/verificationand-validation/methods-and-tools/wefact-workflow-engine-for-analysis-certification-and-test/? L=1 Report type Report name nSC D1 A Generic Proc Certification and Deve Dissemination level 24th March 2015, 3rd Scandinavian Conference on SYSTEM Status & SOFTWARE SAFETY 33 Safety Certification of Software-Inte with Reusable Compone Thank you for your attention! Discussion time… Report type Report name Dissemination level nSC D1 A Generic Proc Certification and Deve 24th March 2015, 3rd Scandinavian Conference on SYSTEM & SOFTWARE SAFETY Status 34 References Certification of Software-Inte • [Bender et al 2013] Marc Bender, Tom Maibaum, Safety Mark Lawford and Alan with Reusable Compone Wassyng, "Positioning Verification in the Context of Software/System Certification", In Proceedings of the 11th International Workshop on Automated Verification of Critical Systems (AVoCS 2011), Electronic Communications of the EASST (European Association of Software Science a n d T e c h n o l o g y ) , V o l u m e 4 6 , 2 0 1 3 . http://www.cas.mcmaster.ca/~lawford/papers/ § [Parnas 86]Parnas, D., Clements, P.: A rational design process: How and why to fake it. IEEE Trans. Software Engineering 12(2), 251–257 (1986) http://www.ics.uci.edu/~taylor/classes/121/IEEE86_Parnas_Clement.pdf • [Wassyng et al 2010] Alan Wassyng, Tom Maibaum, and Mark Lawford, ``On Software Certification: We Need Product-Focused Approaches, C. Choppy Report type and O. Sokolsky (Eds.): Monterey Workshop 2008, LNCS Vol. 6028, nSC D1 Report name A Generic Proc Springer, 2010, 250-274 Certification and Deve Dissemination level 24th March 2015, 3rd Scandinavian Conference on SYSTEM & SOFTWARE SAFETY Status 35
© Copyright 2024