Jonas Westman
Royal Institute of Technology
Publication
Featured research published by Jonas Westman.
embedded software | 2013
Magnus Persson; Martin Törngren; Ahsan Qamar; Jonas Westman; Matthias Biehl; Stavros Tripakis; Hans Vangheluwe; Joachim Denil
Embedded systems, with their tight technology integration and multiple requirements and stakeholders, are characterized by tightly interrelated processes, information and tools. As a consequence, embedded systems are described by multiple, heterogeneous and interrelated descriptions, such as requirements documents, design and analysis models, and software and hardware descriptions. We refer to a system designed this way as a multi-view (MV) system. The main contribution of this paper is a characterization of model-based approaches to MV systems. The characterization takes three main perspectives on the relations between viewpoints: semantic relations (content), relations over time (process), and manipulation of views (operations). We complement these perspectives by investigating MV system challenges and by a survey of related approaches. The characterization aims to provide a basis for a better understanding, design and implementation of MV systems, and thereby to overcome the current fragmented points of view on integrated multi-view modeling (MVM).
high assurance systems engineering | 2015
Jonas Westman; Mattias Nyberg
In functional safety standards such as ISO 26262 and IEC 61508, Safety Integrity Levels (SILs) are assigned to top-level safety requirements on a system. The SILs are then either inherited or decomposed down to safety requirements on sub-systems, such that if the sub-systems are sufficiently reliable in fulfilling their respective safety requirements, as specified by the SILs, then it follows that the system is sufficiently reliable in fulfilling the top-level safety requirement. Present contract theory has previously been shown to provide a suitable foundation to structure safety requirements, but does not include support for the use of SILs. An extension of contract theory with the notion of SILs is therefore presented. As a basis for structuring the breakdown of safety requirements, a graph, called a contract structure, is introduced that provides a necessary foundation to capture the notions of SIL inheritance and decomposition in the context of contract theory.
model driven engineering languages and systems | 2014
Jonas Westman; Mattias Nyberg
A contract splits the responsibilities between a component and its environment into a guarantee that expresses an intended property under the responsibility of the component, given that the environment fulfills the assumptions. Although current contract theories are limited to express contracts over interfaces of components, specifications that are not limited to interfaces are used in practice and are needed in order to properly express safety requirements. A framework is therefore presented, generalizing current contract theory to environment-centric contracts - contracts that are not limited to the interface of components. The framework includes revised definitions of properties of contracts, as well as theorems that specify exact conditions for when the properties hold. Furthermore, constraints are introduced, limiting the ports over which an environment-centric contract is expressed where the constraints constitute necessary conditions for the guarantee of the contract to hold in an architecture.
conference on software maintenance and reengineering | 2014
Xinhai Zhang; Magnus Persson; Mattias Nyberg; Behrooz Mokhtari; Anton Einarson; Henrik Linder; Jonas Westman; DeJiu Chen; Martin Törngren
The importance and potential advantages of a comprehensive product architecture description are well described in the literature. However, developing such a description takes additional resources, and it is difficult to maintain consistency with evolving implementations. This paper presents an approach and industrial experience based on architecture recovery from source code at the truck manufacturer Scania CV AB. The extracted representation of the architecture is presented in several views and verified at the CAN signal level. Lessons learned are discussed.
Formal Methods in System Design | 2018
Jonas Westman; Mattias Nyberg
A general, compositional, and component-based contract theory is proposed for modeling and specifying heterogeneous systems, characterized by consisting of parts from different domains, e.g. software, electrical and mechanical. Given a contract consisting of assumptions and a guarantee, clearly separated conditions on a component and its environment are presented where the conditions ensure that the guarantee is fulfilled—a responsibility assigned to the component, given that the environment fulfills the assumptions. The conditions are applicable whenever it cannot be ensured that the sets of ports of components are partitioned into inputs and outputs, and hence fully support scenarios where components, characterized by both causal and acausal models, are to be integrated by solely relying on the information of a contract. An example of such a scenario of industrial relevance is explicitly considered, namely a scenario in a supply chain where the development of a component is outsourced. To facilitate the application of the theory in practice, necessary properties of contracts are also derived to serve as sanity checks of the conditions. Furthermore, based on a graph that represents a structuring of a hierarchy of contracts, sufficient conditions to achieve compositionality are presented.
Science of Computer Programming | 2017
Jonas Westman; Mattias Nyberg; Joakim Gustavsson; Dilian Gurov
To manage the complexity of C programs, architecture models are used as high-level descriptions, allowing developers to understand, assess, and manage the C programs without having to understand th ...
formal aspects of component software | 2015
Jonas Westman; Mattias Nyberg
To enable verification of a complex C-program, so-called compositional verification can be used, where the specification for the C-program is split into a set of specifications organized such that the fact that the C-program satisfies its specification can be inferred from verifying that parts of the C-program satisfy their specifications. To support the approach in practice, specifications must be organized in parallel to a formal architecture model capturing the C-program as a hierarchical structure of components with well-defined interfaces. Previous modeling approaches lack support for formal architecture modeling of C-programs. Therefore, a general and formal approach for architecture modeling of sequential C-programs is presented, to support compositional verification, as well as to aid design and management of such C-programs in general.
european dependable computing conference | 2015
Mattias Nyberg; Jonas Westman
Previous approaches to fault and failure modeling are based on adding explicit models of faults/failures and failure propagation to behavioral and architectural models. This adds a lot of overhead (extra work) and is also a cause of inconsistencies, especially through a mismatch between failures and violations of requirements or specifications. Instead of creating separate models for failures, the idea here is to exploit the fundamental definition of failures as violations of a requirement or specification. We assume that the system's functionality is specified using a set of requirements, and in particular, requirements structured according to contracts theory. Instead of creating separate models for failure propagation, we exploit the structuring of requirements obtained when the system is specified using contracts theory. The use of contracts theory establishes a formal framework for how traceability links between requirements themselves and to the architecture are specified. It is further explained how fault and failure propagation models in the form of Bayesian Networks are obtained. One particular challenge is the modeling of faults/failures and their propagation when fault management mechanisms have been implemented. Therefore, this area is covered in some extra depth.
formal techniques for (networked and) distributed systems | 2018
Jonas Westman; Mattias Nyberg
A contracts theory embeds non-monotonic composition (with respect to implementation) if the fact that a composition of two components implements a specification \(\mathcal {S}\) does not generally follow from one of these components implementing \(\mathcal {S}\). In contrast to monotonic composition, non-monotonic composition offers the additional expressiveness of specifying properties that only hold locally for a component, since non-monotonic composition does not enforce that all properties are preserved when composing. Although this additional expressiveness is clearly needed, it implies that cases where monotony is indeed desired need to be managed explicitly. The present paper elaborates on this topic by introducing a contracts theory embedding non-monotonic composition, and exploring conditions for ensuring monotonic composition in the context of this theory.
Archive | 2018
Dilian Gurov; Jonas Westman
We sketch a simple theory of Hoare logic contracts for programs with procedures, presented in denotational semantics. In particular, we give a simple semantic justification of the usual procedure-modular treatment of such programs. The justification is given by means of a proof of soundness of a contract-relative denotational semantics against the standard denotational semantics of procedures in the context of procedure declarations. The suggested formal development can be used as an inspiration for more ambitious contract theories.