unified systems engeneering with goedelworks

From Deep Space To Deep Sea

R&D project of Open License Society:

Metamodel for systems engineering: “systems grammar”

OpenSpecs and OpenCookBook prototype web portal

Input:

EVOLVE ITEA project

Evolutionary Validation, Verification and Certification

Oct-2011 Altreonic NV – From Deep Space to Deep Sea - 2

Evolutionary Validation, Verification and Certification

FP7 OPENCOSS project:Open Platform for EvolutioNary Certification Of Safety-critical Systems (automotive, railway, avionics)

ASIL: Flanders Drive project on developing a common safety engineering methodology for automotive and related domains

Currently commercialised and redeveloped as GoedelWorks by Altreonic

Refinement by adding structure and properties

Avoids overlapping in concepts

Domain Metamodel Model

d d d1

Instance


E1

E2

d1

d2

d3

d1

d2

d3

Entities Entities and

Interactions

Structure &

Architecture

d1

d2

d3

System /

Process

User levels

M4:

Mathematician

Abstract meta-levels

M4: element (of set)meta-meta-type

RTOS domain

M4: Interacting Entities


Mathematician

M3: Expert

M2: Engineer

M1: User

meta-meta-type

M3: Metatypes declarations (inheritance of the M4 element meta-meta-type)

M2: types declarations (inheritance of M3 meta-types with domain specific attributes)

M1: Instances of M2 types with concrete values of attributes

M4: Interacting Entities

M3: Virtual machine executing M2 functions for

M1 data

M2: domain specific declarations

(types, grammar, functions)

M1: Data

View 1:

System = Processes + Architecture

or: the ”right” System = “how” + “what”

View 2:

A process is a meta-system


A process is a meta-system

Has to be developed as well

In practice different views correspond to complementary domains:

Process, Engineering, Modeling, Simulation, Testing, Software, Hardware, Safety, …

System Sub-entities

Project Sub-Project

Process Sub-Process

Reference

Requirement Sub-Requirement

Specification Sub-Specification

Resource


Resource

Work Package Development, Verification, Test, Validation Task

Work Package Flow Work Package

Work Product Process type (“Evidence”) or development (“Model”)

Model Sub-Models

Entity Sub-Entities

Change Request

Issue

SYSTEM

PROCESS

Development

WPT-

template

WP

Tasks SPC RES

Organ-

isation

Supporti

ng

Plan-

ning

PROJECT

System under Development

MODEL

ENTITY

WP

WPT-

Process

WP Flow

WP


Tasks

DEV

VER

TST

VAT

SPC

REQ

REF

RES WP

Tasks

DEV

VER

TST

VAT

SPEC

REQ

REF

RES

WP

Tasks

DEV

VER

TST

VAT

SPC

REQ

REF

RES

GoedelWorks

Meta-Meta-concept

Association links:

Dependency links:

E.g. a SPC depends on REQ (n)

Precedence links:

A Verification Task preceeds a Test Task

Structural links:


Structural links:

A WP is composed of Tasks (n)

A Model is composed of Entities (n)

Navigation links:

Navigation tree for easy access

Flow links (next-previous) for defining flows


During the life-time of a Project/Process entities go through states:

Defined => In Work => Frozen For Approval => Approved

Dependency and structural relationships create a partial order for Approval

REF=>REQ=>SPC // RES // Tasks =>WP=>WPT (MOD)


A Project is a collection of Processes producing Work Products. Not a single V-model but 100’s.

Overall Process follows from respecting states

WorkProducts morph:

Resource at input is always result of previous Project

Work Product template => Work Product specific Project

System in Project A => component in Project B

PROCESSES

Development

WPT_Process

(out)_

template.

WP

DV-VE-TE-VAT (ᴝ)

SPC (in) REQ (in) REF

RES (in)Organisation

Supporting

Planning

ASIL developed template flow +

template WorkProducts + guidelines To be defined or

completed by

each organisation


SE system

PROJECTS

System Domain

MOD ENT WP

DV-VE-TEt-TAT (ᴝ)

SPC (in) REQ (in)

RES

WPT -Process (out)

(Project specific)WP_flow WP

DVT-VE-TET-VAT

(ᴝ)

SPC (in) REQ (in)

RES (in)

Specific domain

The template is a RES (input) –

hence a link to it or make copy.

When selecting ASIL as process

Explicit difference between Requirements and Specifications

Distinction Process (how) and Project (what)

Verification = verifying the work done

Testing = verifying the system meets specifications

Validation = verifying it meets requirements (includes


Validation = verifying it meets requirements (includes integration)

Process/Project is not seen as flow but as a collection of actions producing WorkProducts (+/- 100!)

System = Implementation model

Safety case is seen as Specification-Fault case

Domain agnostic

Trustworthy system

Safety Security Usability Privacy


no physical fault can

cause harm

no injected fault can

cause harm

no interface fault can

cause harm

no personal data loss

can cause harm

Specification has subtypes:

Normal Case, Test Case, Fault Case

Safety and Security case are subtypes of Fault Case

Input: ASIL project of Flanders Drive

Automotive Safety Integrity Level

Goal: develop common safety engineering process based on existing standards:

Automotive: off-highway, on-highway


Automotive: off-highway, on-highway

Machinery

IEC 61508, IEC 62061, ISO DIS 26262, ISO 13849, ISO DIS 25119 and ISO 15998

Partners:

Altreonic, DANA, EIA, Flanders Drive, Punch Powertrain, Triphase, TüV Nord

DO-178C, DO-254, ARP4761: Altreonic

Acquiring general understanding of Safety and Systems Engineering standards.

Development of ASIL process flow:

Dissecting standards in semi-atomic statements

Tagging according to activity domain

Development of ASIL V-model with 3 Process domains:

Organisational Processes ("safety culture")


Organisational Processes ("safety culture")

Supporting Processes

Safety and Engineering Development Processes.

Completion

Identification of Work Products and RACI Roles

Development of templates for Work Products (.doc or .xls)

Development of Guidelines (e.g. HARA)

Development of Glossary

Organisational

Safety and Engineering/

Development


Supporting

Effort: approx. 21000 personhours (over 3 years.)

Semi-atomic process requirements extracted: ~3800

Work products defined: 98 => templates

Types of roles identified: 17 => HR responsibility

Guidelines developed: 34 => templates

ASIL process flow has 355 steps


ASIL process flow has 355 steps

Organisational processes identified:19

Supporting processes identified: 75

Safety and Engineering processes identified: 261

Work is not finished! (validation using use cases + organisation specific mapping) + templates + iterative!

GoedelWorks ASIL

Process Process

Flow Flow

Work Package Step with descriptive text

Tasks (DEV, VET, TST, VAT) Not defined

Project Not defined

Model/Entity Not defined

Reference Standards’ requirements attached to Step


Reference Standards’ requirements attached to Step

Requirement Not defined, merged in Step description

Specification Not defined

Resource Roles, Work Product template, Guidelines

Work Product Work Product (input and output of Step)

Change Request Not defined, but Change Management Step

Issue Not defined, but Change Management Step

State Not defined

Relationships Net defined, except as WPT input and Roles

V-model respected by following order:

Steps become Work Packages

Default WP Tasks, missing REQ and SPC created

Dependencies and structural relationships inserted but left empty

State: most often “In Work” upon creation

Guidelines and templates attached


Guidelines and templates attached

Benefits from import:

All Process (and Project) Entities user-editable

Project entities and Process entities can be linked

Organisation specific instance of Processes can be created and new processes added

Dependency analysis and reporting

Main lessons learned:

Bridging different domains: semantic differences

Safety engineering standards are subsets of systems engineering

Certification requires “evidence” (artifacts)

Major problems:


Major problems:

Find a common language

Find a clean language: orthogonality

Usability aspects prime requirement for tool

Difficult in a web based environment

Standards’ license terms!

ASIL imported reference


Example of state verification (Approval)


Dependency graph (Process)


Example: shift-by-wire example


Generated precedence graph




Roles and permissions at entity level

Locking during edit

Version management + transaction log

Comments per entity

Importing or creating in bulk


Importing or creating in bulk

Import/export subset

Precedence and dependency tree graphs

Doc generation (html, pdf)

Project schedule, Gannt chart (in work)

….

Portal based HARA (vs. xls template)

Fault Tree Analysis

Templates doc on-line

Linking/integration with software development environments


environments

Conclusion

Systems engineering process can be formalised using a common metamodel

Booklet available from Altreonic website

Challenges

Integration of different domains

Concepts, Architectural design, WorkFlow

System Engineering processes (“standards”) are heuristic

Progress through formalisation


Progress through formalisation

Reduction of design space give reliability

Modular architecture and unified semantics essential for incremental/evolutionary verification/validation/certification

Automated support is feasible

• Work will continue in OPENCOSS FP7 project

• (cover avionics, railway, automotive)

• DO-178C and DO-254

• Focus on re-use


www.altreonic.com

Set-up fee: 1500 euro (SSL, Firewall, …)

Standard process support: 1500 euro/mo/first 3 users

ASIL process support: 1500 euro/mo/first 3 users

(license of standard needed)

Minimum period: 12 months, up to 12 projects

Additional users: 100 euro/month/module


Additional users: 100 euro/month/module

Recommended:

Hands-on training

Completing flow with Organisation’s procedures

Organisation specific customisation

Optional:In-house hosting (open technology license only).

Encryption of data on disk, dedicated VM, …

unified systems engeneering with goedelworks

Technology

deep space

altreonic nv

right system

fault case safety

project boct

template flow

wpt moda project

flanders drive project