Contact us if you would like to receive a copy of any of the reports below.
- Characterizing the Chain of Evidence for Software Safety Cases: A Conceptual Model Based on the IEC 61508 Standard.
Lionel Briand, Thierry Coq, Shiva Nejati, Rajwinder Panesar-Walawege, Mehrdad Sabetzadeh. ModelME! Technical Report No. 1 -- Version 1.0, Simula Research Lab and Det Norske Veritas, October 2009. (48 pages)
Abstract: Increasingly, licensing and safety regulatory bodies require the suppliers of software-intensive, safety-critical systems to provide an explicit software safety case -- a structured set of arguments based on objective evidence to demonstrate that the software elements of a system are acceptably safe. Existing research on safety cases has mainly focused on how to build the arguments in a safety case based on available evidence; but little has been done to precisely characterize what this evidence should be. As a result, system suppliers are left with practically no guidance on what evidence to collect during software development. This has led to the suppliers having to recover the relevant evidence after the fact -- an extremely costly and sometimes impractical task. Although standards such as the IEC 61508 -- which is widely viewed as the best available generic standard for managing functional safety in software -- provide some guidance for the collection of relevant safety and certification information, this guidance is mostly textual, not expressed in a precise and structured form, and is not easy to specialize to context-specific needs. To address these issues, we present a conceptual model to characterize the evidence for arguing about software safety. Our model captures both the information requirements for demonstrating compliance with IEC 61508 and the traceability links necessary to create a seamless chain of evidence. We further describe how our generic model can be specialized according to the needs of a particular context, and discuss some important ways in which our model can facilitate software certification.
Tool Support. We have developed a tool, called EvidenceAgreement, in support of this technical report.
- Using SysML to Support Safety Certification: A Methodology and Case Study.
Lionel Briand, Thierry Coq, Tonje Klykken, Shiva Nejati, Rajwinder Panesar-Walawege, Mehrdad Sabetzadeh. ModelME! Technical Report No. 2 -- Version 1.0, Simula Research Lab and Det Norske Veritas, December 2009. (92 pages)
Abstract: We report on our experience and lessons learned from applying model-driven development techniques for system engineering to a control system case study. Our primary purpose in this case study is to demonstrate how state-of-the-art, model-driven development techniques for system engineering (SysML) can be used to support the generation of safety cases for the purpose of certification. We propose methodological guidelines for creating models that characterize our system case study along its requirements, structure, and behavior views. We provide a traceability mechanism to specify how these views overlap and complement one another. We utilize the traceability mechanism to provide systematic evidence that the system under analysis fulfills its safety requirements. Finally, we conclude the report with a discussion of open issues and questions, and provide a plan for our future research in this direction.
Tool Support. We have developed a tool, called SafeSlice, in support of this technical report.
- Guidelines for Model-Driven Development of Safety Software Components at a Partner Company.
ModelME! Technical Report No. 3 -- Version 1.0, December 2009. (76 pages)
- Modus: A Goal-Based Approach for Quantitative Assessment of Technical Systems.
Mehrdad Sabetzadeh, Davide Falessi, Lionel Briand, Christian Markussen, Rhodri Morgan, Rajwinder Panesar-Walawege, Jonas Borg, Thierry Coq. ModelME! Technical Report No. 4 -- Version 1.0, Simula Research Lab and Det Norske Veritas, August 2010. (48 pages)
Abstract: Technical systems such as those used in the energy sector often need to satisfy various dependability objectives including Reliability (continuity of correct service), Availability (readiness for correct service), Maintainability (ability to undergo modifications and repairs) and Safety (absence of catastrophic failures leading to injury or environmental damage), while remaining cost-effective to develop. The set of activities concerned with verifying that a technical system indeed meets its dependability and cost-effectiveness goals is called assessment. In this report, we present a flexible methodology, called Modus (Latin term for "measure"), for the assessment of technical systems. Modus, which has been developed in response to the challenges in the current state of practice, is based on two core principles:
- Goal Elaboration. Providing arguments about the satisfaction of an overall goal requires elaborating the goal into more specific subgoals for which meaningful evidence can be provided. For example, it is extremely hard, if not impossible, to directly argue about whether an overall goal such as "The system shall be safe" is met, unless this goal is systematically broken down into specific safety requirements with specific margins.
- Systematic Elicitation of Expert Opinions. Assessment has a strong dependence on expert opinions, hence it is essential to take measures to ensure that these opinions are elicited as precisely as possible. An expert refers to an individual (typically a member of the assessment or development teams) with specific knowledge and skills gained from training and experience.
- A SysML Profile for Modeling the Architecture of Integrated Control Systems.
Razieh Behjati, Shiva Nejati, Tao Yue, Lionel Briand, Bran Selic. ModelME! Technical Report No. 5 -- Version 1.0, Simula Research Lab, August 2010. (70 pages); Version 2.0, Simula Research Lab, January 2011. (38 pages).
Abstract: Integrated Control Systems (ICSs) are mostly complex and heterogeneous Systems of Systems (SoSs). Integration issues emerge when subsystems or components developed by different vendors, across different platforms, with a large number of variants and configurations, connected through various networks, are integrated together. In order to tackle these integration issues and avoid them at the early stages of the system development lifecycle, we need a suitable and comprehensive modeling and analysis language to capture the system architecture at a desired level of abstraction. The System Modeling Language (SysML) and the Architecture Analysis and Design Language (AADL) are two standardized modeling languages with system modeling capabilities. SysML is a standard of OMG and extends UML with system modeling capability. AADL is a standard of the Society of Automotive Engineers (SAE). Compared with AADL, SysML has a wide choice of tool support, well-specified graphical notations, and well-specified extension mechanisms (through profiling). As a result, we decided to adopt SysML as a system architecture modeling language. However, AADL has a number of interesting characteristics that increase the precision of modeling (e.g., software and hardware component declarations and implementations, modes), which are missing in SysML. These characteristics are very useful for making architecture modeling more precise and complete, and thus making such modeling more amenable to analysis. Therefore, in this report, we propose a mapping from AADL to SysML, which is based on a thorough review of SysML and AADL. This mapping results in a profile (extension) to extend SysML for the purpose of modeling and analyzing ICS architectures. It is also worth noting that the mapping is bidirectional; it is also feasible to map SysML extended with our profile to AADL. One would therefore be able to model using our SysML profile and then use a translator to generate an AADL model and use its analysis infrastructure. An avionics case study is used in the report to illustrate the mapping.
Tools
- EvidenceAgreement
Abstract: The EvidenceAgreement tool provides a web-based environment enabling certification bodies and the suppliers of safety-critical systems to collaboratively develop an agreement about the evidence necessary to support claims of compliance with IEC 61508. The basis for the tool is the conceptual model developed in ModelME! Technical Report 1 for the IEC 61508 standard. Specifically, the tool provides a flexible way to attach questions to the elements of the conceptual model and, for each question, a set of alternative answers. The questions attached to each element target the evidence items that need to be collected with respect to that element, and the alternative answers for each question capture the range of acceptable answers to that question. The tool then enables the certifier and the supplier to collaboratively go through the questions and choose the specific answers that best suit the circumstances of the system being certified. Based on the chosen answers, the tool generates an agreement about the evidence that needs to be collected. In addition, the tool offers reporting facilities to monitor the status of an ongoing agreement project.
Demonstration: A detailed online demonstration of the tool is available at http://modelme.simula.no/EvidenceAgreement/.
- SafeSlice
Abstract: SafeSlice provides a comprehensive implementation of the SysML-based methodology for traceability and slicing described in ModelME! Technical Report 2. Specifically, the tool enables establishing the traceability links envisaged by the methodology, checking the consistency of these links, and generating slices of SysML design models. In addition, the tool provides a range of facilities for model navigation, report generation, and project status monitoring. SafeSlice has been implemented as a plugin for Enterprise Architect.
Demonstration: A detailed online demonstration of the tool is available at http://modelme.simula.no/SafeSlice/.
Scholarly Publications
- Characterizing the Chain of Evidence for Software Safety Cases: A Conceptual Model Based on the IEC 61508 Standard.
Rajwinder Kaur Panesar-Walawege, Mehrdad Sabetzadeh, Lionel Briand, and Thierry Coq.
3rd IEEE International Conference on Software Testing, Verification, and Validation (ICST'10), Paris, France, April 2010. [PDF]
- Traceability and SysML Design Slices to Support Safety Inspections: A Controlled Experiment.
Lionel Briand, Davide Falessi, Shiva Nejati, Mehrdad Sabetzadeh, and Tao Yue.
Submitted to a journal, February 2011.
- Planning for Safety Evidence Collection: A Model-Based Approach.
Davide Falessi, Mehrdad Sabetzadeh, Lionel Briand, Emanuele Turella, Thierry Coq, and Rajwinder Panesar-Walawege.
IEEE Software (to appear), December 2010. [PDF]
- A SysML-Based Approach to Traceability Management and Design Slicing in Support of Safety Certification: Framework, Tool Support, and Case Studies.
Shiva Nejati, Mehrdad Sabetzadeh, Davide Falessi, Lionel Briand, and Thierry Coq.
Submitted to a journal, May 2011.
- Extending SysML with AADL Concepts for Comprehensive System Architecture Modeling.
Razieh Behjati, Tao Yue, Shiva Nejati, Lionel Briand, and Bran Selic.
Seventh European Conference on Modelling Foundations and Applications (ECMFA'11), Birmingham, UK, June 2011. [PDF]
- Automated Transition from Use Cases to UML State Machines to Support State-based Testing.
Tao Yue, Shaukat Ali, and Lionel Briand.
Seventh European Conference on Modelling Foundations and Applications (ECMFA'11), Birmingham, UK, June 2011. [PDF]
- Combining Goal Models, Expert Elicitation, and Probabilistic Simulation for Qualification of New Technology.
M. Sabetzadeh, D. Falessi, L. Briand, D. McGeorge, V. Ahjem, and J. Borg.
Simula Research Laboratory, Technical Report (2011-09), March 2011. [PDF]
- Using UML Profiles for Sector-Specific Tailoring of Safety Evidence Information.
Rajwinder Kaur Panesar-Walawege, Mehrdad Sabetzadeh, and Lionel Briand.
Submitted to a conference, April 2011. [PDF]