Checsdm: A Method for Ensuring Consistency in Heterogeneous Safety-Critical System Design

Abstract

Safety-critical systems are highly heterogeneous, combining different characteristics. Effectively designing such systems requires a complex modelling approach that deals with diverse components (e.g., mechanical, electronic, software)—each having its own underlying domain theories and vocabularies—as well as with various aspects of the same component (e.g., function, structure, behaviour). Furthermore, the regulated nature of such systems prescribes the objectives for their design verification and validation. This paper proposes <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">checsdm</i> , a systematic approach, based on Model-Driven Engineering (MDE), for assisting engineering teams in ensuring consistency of heterogeneous design of safety-critical systems. The approach is developed as a generic <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">methodology</i> and a <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">tool framework</i> , that can be applied to various design scenarios involving different modelling languages and different design guidelines. The methodology comprises an iterative three-phased process. The first phase, <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">elicitation</i> , aims at specifying requirements of the heterogeneous design scenario. Using the proposed tool framework, the second phase, <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">codification</i> , consists in building a particular tool set that supports the heterogeneous design scenario and helps engineers in flagging consistency errors for review and eventual correction. The third phase, <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">operation</i> , applies the tool set to actual system designs. Empirical evaluation of the work is presented through two executions of the <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">checsdm</i> approach for the specific cases of a design scenario involving a mix of UML, Simulink and Stateflow, and a design scenario involving a mix of AADL, Simulink and Stateflow. The <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">operation</i> phase of the first case was performed over three avionics systems and the identified inconsistencies in the design models of these systems were compared to the results of a fully manual verification carried out by professional engineers. The evaluation also includes an assessment workshop with industrial practitioners to examine their perceptions about the approach. The empirical validation indicates the feasibility and “cost-effectiveness” of the approach. Inconsistencies were identified in the three avionics systems with a greater recall rate over the manual verification. The assessment workshop shows the practitioners found the approach easy to understand and gave an overall likelihood of adoption within the context of their work.