Guiding Assurance of Architectural Design Patterns for Critical Applications
Irfan Sljivo, Garazi Juez Uriagereka, Stefano Puri, Barbara Gallina
{Irfan.sljivo, Barbara.Gallina}@mdh.se, garazi.juez@tecnalia.com, stefano.puri@intecs.it
24th International Conference on Reliable Software Technologies – Ada-Europe 2019, Warsaw, 2019
Outline
• Safety-critical systems and safety cases
• Design patterns in safety-critical systems
• The AMASS Platform overview
• Design pattern assurance in the AMASS platform
• CACC and car platooning case study
• Conclusions and future work
Irfan Sljivo - Guiding Assurance of Architectural Design Patterns for Critical Applications @ADA-Europe2019
Safety-Critical Systems and Certification
• Safety-critical systems
  • Malfunctioning can result in harm or loss of human life, or damage to property or the environment
  • Sometimes the harm can be done even in the absence of failures! (Safety of the intended function)
• Functional safety: absence of unreasonable risk caused by hazards due to malfunctioning behaviour
• Usually need to comply with domain-specific safety standards
  • Avionics – DO-178C
  • Automotive – ISO 26262
  • Railways – EN 50128…
• Some safety standards require a safety case to show that the system is acceptably safe
• Developing the system and its accompanying safety case is rarely done from scratch nowadays
Design Patterns in Safety-Critical Systems
• Design patterns facilitate the system architect's work when facing commonly recurring design problems
• When design patterns are used in critical systems, their application needs to be accompanied by evidence supporting their usage
• This evidence is often presented in the system safety case argument
Safety Case
• A safety case is documented in the form of a structured argument to clearly communicate that the system is acceptably safe to operate in a given context [Kelly, 1998]
• The safety argument is the "spine" of the safety case, showing how safety objectives/requirements are connected with evidence
• Assurance case: a generalisation of the safety case
• Goal Structuring Notation (GSN): a graphical argumentation notation that can be used to specify the elements of any argument [GSN, 2011]
GSN – An Argument Example
• We can read the initial goal structure as follows:
  • The system is acceptably safe to operate in a given operating context when all relevant hazards have been identified and the system is compliant with all applicable safety standards.
  • The context statements define what acceptably safe, system and operating context mean.
Design Patterns in the AMASS Architecture-driven Methodology
• AMASS - Architecture-driven, Multi-concern and Seamless Assurance and Certification of Cyber-Physical Systems
AMASS Platform
AMASS Platform (1)
• The core tools of the AMASS platform
  • OpenCert: assurance case modelling and other certification-related activities
  • CHESS: system modelling with support for model-driven component and contract-based development
  • EPF Composer: system and software process engineering
  • The BVR tool: variability management
The AMASS methodology for design pattern application and assurance
(Figure: methodology overview. Elements shown: System Architecture, Architectural Patterns Library, Define Architectural Pattern, Apply Architectural Pattern, Argument Patterns Library, Generate Argumentation, Assurance Case.)
Design pattern template
• The extended design pattern template
  • Pattern name
  • Other well-known names
  • Intent/context
  • Problem
  • Solution/Pattern structure
  • Consequences
  • Implementation
  • Pattern assumptions
  • Pattern guarantees
• A contract is an assumption/guarantee pair
• Using contracts for design patterns offers a way of capturing under which conditions instantiating a pattern offers the desired specification.
Assurance of design patterns
Tool support in the AMASS platform
• Design patterns in CHESS
  • Modelled as a special kind of UML Collaboration
  • Pattern application is achieved by binding the design pattern to a system component
  • The pattern instantiation is stored in the target model and can be retrieved together with all of its information
• Argument pattern instantiation from CHESS to OpenCert
  • The target argument pattern is pre-defined
  • The information from the corresponding design pattern template is used to instantiate the argument pattern
Case Study: CACC and car platooning
• Cooperative Adaptive Cruise Control (CACC)
  • A typical example of a cooperative safety-critical system
  • The cruise control of a vehicle is automatically guided by the information wirelessly received from the predecessor vehicle
• The goal of the case study is to evaluate the feasibility of applying the AMASS tool-supported design pattern application and assurance methodology to different kinds of design patterns.
Safety and security implications
• H1: Inadequate longitudinal control
  • It may lead to a rear collision of one or more vehicles
• A part of the functional safety concept (ISO 26262) to address H1:
  • SG1: A sudden braking manoeuvre of the predecessor vehicle shall not result in a distance shorter than 2m.
  • FSR1: The vehicle shall maintain a safe distance to the predecessor by monitoring the system and environmental conditions, and selecting an appropriate operation mode (platoon, CACC, ACC, manual) based on the observed conditions.
  • FSR3: The Car2Car messages shall be encrypted to prevent unauthorised messages from propagating to the CACC control software.
Design pattern selection
• Security Gateway
  • Control incoming and outgoing messages/connections, restrict access to certain entities
• Monitor-Actuator Pattern
  • The Monitor-Actuator pattern is a special type of heterogeneous redundancy intended for systems with low availability requirements and a fail-safe system state
Design pattern application
• On the CACC level we apply the security gateway pattern between the WLAN adapter and the CACC SW controller
• The SW controller contains the needed communication components, as well as the CACC manager that issues the driving commands
• We apply the monitor-actuator design pattern within the CACC manager such that the CACC state manager performs the monitoring, while the CACC controller performs the actuation
Automatically generated argument fragment example
• Instantiation of the argument fragment from the monitor-actuator design pattern template
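As an added example (not code from the paper or the AMASS platform), the following Python sketch represents the extended design pattern template with its assumption/guarantee contract, binds the Monitor-Actuator pattern to the CACC manager with the role assignments from the case study, checks that the target context discharges the pattern assumptions, and instantiates a fixed GSN-style argument fragment from the template information. The contract texts, the node identifiers and the `PatternTemplate`/`PatternApplication` classes are assumptions of this example, not the paper's.

```python
from dataclasses import dataclass

@dataclass
class PatternTemplate:
    # Extended design pattern template (only the contract-related fields kept)
    name: str
    intent: str
    assumptions: list   # conditions the instantiating context must provide
    guarantees: list    # properties the pattern offers when assumptions hold

@dataclass
class PatternApplication:
    # Binding of a pattern to a system component (pattern roles -> components)
    pattern: PatternTemplate
    target: str
    roles: dict
    context_facts: set  # properties the target's context is known to provide

def unmet_assumptions(app):
    """Pattern assumptions that the target context does not discharge."""
    return [a for a in app.pattern.assumptions if a not in app.context_facts]

def argument_fragment(app):
    """Instantiate a fixed GSN-style argument pattern from the template data.
    Returns (id, type, text) triples: G = goal, C = context, S = solution."""
    missing = unmet_assumptions(app)
    if missing:  # an application whose assumptions do not hold cannot be argued
        raise ValueError(f"unmet pattern assumptions: {missing}")
    p = app.pattern
    nodes = [("G1", "Goal", f"{p.name} pattern is correctly applied to {app.target}"),
             ("C1", "Context", f"Pattern intent: {p.intent}")]
    for i, (role, comp) in enumerate(app.roles.items(), 2):
        nodes.append((f"C{i}", "Context", f"Role '{role}' is played by {comp}"))
    for i, a in enumerate(p.assumptions, 1):
        nodes.append((f"G1.A{i}", "Goal", f"Assumption holds: {a}"))
        nodes.append((f"S1.A{i}", "Solution", f"Evidence that the {app.target} context provides: {a}"))
    for i, g in enumerate(p.guarantees, 1):
        nodes.append((f"G1.G{i}", "Goal", f"Guarantee delivered: {g}"))
    return nodes

# Constructed contract texts; pattern and component names follow the slides.
MONITOR_ACTUATOR = PatternTemplate(
    name="Monitor-Actuator",
    intent="heterogeneous redundancy for a system with a fail-safe state",
    assumptions=["fail-safe state is reachable", "monitor is independent of actuator"],
    guarantees=["actuator failures are detected and the system is driven to the fail-safe state"])

CACC_APPLICATION = PatternApplication(
    pattern=MONITOR_ACTUATOR, target="CACC manager",
    roles={"monitor": "CACC state manager", "actuator": "CACC controller"},
    context_facts={"fail-safe state is reachable", "monitor is independent of actuator"})
```

Calling `argument_fragment(CACC_APPLICATION)` yields the goal, context and solution nodes of the fragment; an application whose context lacks one of the assumptions is rejected before any argument is generated.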
Conclusions and Future Work
• The basis for assuring the application of a design pattern lies in the template that defines the pattern
• We proposed to extend the design pattern templates with assumption/guarantee contracts
• We have partially integrated this methodology within the AMASS platform
• The automotive case study showed that the methodology is not specific to a particular system concern, but can be applied to multiple concerns
• As future work
  • We plan to fully support the design pattern application and assurance within the AMASS platform
  • Support for different types of pattern contract specification
  • Assist with identification of conflicting pattern applications