Abstract

Safety analysis plays an important role in developing cyber-physical systems, since many of them are also safety-critical systems whose failure can have serious consequences. With recent advances in formal methods, many systems have been converted to formal models to ensure that all safety requirements are met; such systems are called trusted. However, many failures are caused by properties that were not identified during the early phases of software development. A safety case has therefore been widely used as an argument structure that represents how a system has been developed to satisfy its safety requirements, and it is an important means of communication between the various stakeholders in a system. In this paper, we present a novel approach that shows how an argument structure can be built automatically from safety case patterns and the metamodels underlying a development process. We observe that, for many cyber-physical systems, the transition from trustworthiness to resiliency is made by separating a fault model from a nominal (non-failure) model in Simulink, for design reasons such as reducing test case generation and code complexity. We therefore take the translation of a nominal model into a fault model into account, and use model-driven architecture together with safety case patterns to illustrate how a safety case is generated that argues the correctness of this transition for a cyber-physical system in Simulink. Finally, we discuss how the argument structure of a safety case is affected by system evolution.
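To make the idea of instantiating a safety case pattern over a metamodel concrete, the following is an added illustration and not the paper's tool or the authors' code. It assumes a tiny Simulink-like metamodel (blocks, lines, a "FaultInjector" block kind) and a hypothetical four-step argument pattern for the nominal-to-fault-model transition; the structural checks, the GSN node shapes and the sample models are all assumptions constructed here for the example.

```python
"""Added example: instantiate a GSN-style argument that a fault model is a
correct extension of its nominal model, driven by structural checks over a
toy Simulink-like metamodel.  Metamodel, pattern and checks are assumptions."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Block:
    name: str
    kind: str  # e.g. "Inport", "Gain", "Outport", "FaultInjector"


@dataclass(frozen=True)
class Line:
    src: str  # name of the source block
    dst: str  # name of the destination block


@dataclass
class Model:
    name: str
    blocks: set = field(default_factory=set)
    lines: set = field(default_factory=set)

    def block_names(self):
        return {b.name for b in self.blocks}


@dataclass
class GsnNode:
    kind: str  # "Goal" | "Strategy" | "Solution"
    id: str
    text: str
    status: str = "undeveloped"  # "supported" | "unsupported" | "undeveloped"
    children: list = field(default_factory=list)


def check_transition(nominal, fault):
    """Return {evidence_name: (passed, detail)} for the nominal -> fault transition.
    The four checks are the assumed evidence items of the argument pattern."""
    injectors = {b.name for b in fault.blocks if b.kind == "FaultInjector"}
    missing = nominal.blocks - fault.blocks                       # E1
    extra = fault.block_names() - nominal.block_names() - injectors  # E2
    unsplit = []                                                  # E3
    for ln in nominal.lines:
        if ln in fault.lines:
            continue
        via = [f for f in injectors
               if Line(ln.src, f) in fault.lines and Line(f, ln.dst) in fault.lines]
        if len(via) != 1:
            unsplit.append((ln.src, ln.dst))
    dangling = []                                                 # E4
    for f in injectors:
        ins = [l for l in fault.lines if l.dst == f]
        outs = [l for l in fault.lines if l.src == f]
        if len(ins) != 1 or len(outs) != 1 or Line(ins[0].src, outs[0].dst) not in nominal.lines:
            dangling.append(f)
    return {
        "E1 nominal blocks preserved": (not missing, sorted(b.name for b in missing)),
        "E2 only fault injectors added": (not extra, sorted(extra)),
        "E3 nominal lines preserved or split by exactly one injector": (not unsplit, sorted(unsplit)),
        "E4 every injector sits on exactly one nominal line": (not dangling, sorted(dangling)),
    }


def instantiate_pattern(nominal, fault):
    """Fill the assumed argument pattern with the models' names and the check results."""
    evidence = check_transition(nominal, fault)
    top = GsnNode("Goal", "G1",
                  f"Fault model '{fault.name}' is a correct transition of nominal model '{nominal.name}'")
    strat = GsnNode("Strategy", "S1",
                    "Argue that the nominal structure is preserved and every change is a fault injection")
    top.children.append(strat)
    for i, (name, (passed, detail)) in enumerate(evidence.items(), start=1):
        status = "supported" if passed else "unsupported"
        sub = GsnNode("Goal", f"G1.{i}", name, status)
        sub.children.append(GsnNode("Solution", f"Sn{i}",
                                    "Structural check over the metamodel: "
                                    + ("pass" if passed else f"FAIL {detail}"), status))
        strat.children.append(sub)
    top.status = strat.status = "supported" if all(p for p, _ in evidence.values()) else "unsupported"
    return top


def render(node, depth=0):
    """Plain-text rendering of the argument tree, one node per line."""
    out = [f"{'  ' * depth}{node.kind} {node.id} [{node.status}]: {node.text}"]
    for c in node.children:
        out.extend(render(c, depth + 1))
    return "\n".join(out)


# Constructed sample models (not from the paper): a nominal in -> gain -> out chain,
# a fault model that splits the first line with an injector, and a broken one.
NOMINAL = Model("speed_ctrl",
                {Block("in", "Inport"), Block("g", "Gain"), Block("out", "Outport")},
                {Line("in", "g"), Line("g", "out")})
FAULT_OK = Model("speed_ctrl_fault", NOMINAL.blocks | {Block("fi1", "FaultInjector")},
                 {Line("in", "fi1"), Line("fi1", "g"), Line("g", "out")})
FAULT_BAD = Model("speed_ctrl_fault_bad",
                  {Block("in", "Inport"), Block("out", "Outport"), Block("fi1", "FaultInjector")},
                  {Line("in", "fi1"), Line("fi1", "out")})

if __name__ == "__main__":
    print(render(instantiate_pattern(NOMINAL, FAULT_OK)))
    print(render(instantiate_pattern(NOMINAL, FAULT_BAD)))
```

The point of keeping the evidence as the return value of `check_transition` rather than only printing the tree is that, when the nominal model evolves, the same pattern can be re-instantiated and any goal that flips to "unsupported" pinpoints which structural property of the transition was broken.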
