<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" href="9788793519558.xsl"?>
<book id="home" xmlns:xlink="http://www.w3.org/1999/xlink">
<bookinfo>
<title>Certifications of Critical Systems &#x02013; The CECRIS Experience</title>
<affiliation><emphasis role="strong">Editors</emphasis></affiliation>
<authorgroup>
<author><firstname>Andrea</firstname>
<surname>Bondavalli</surname></author>
</authorgroup>
<affiliation>Consorzio Interuniversitario Nazionale per l&#x02019;Informatica (CINI)<?lb?>and University of Florence, Italy</affiliation>
<authorgroup>
<author><firstname>Francesco</firstname>
<surname>Brancati</surname>
</author>
</authorgroup>
<affiliation>ResilTech Srl, Italy</affiliation>
<publisher>
<publishername>River Publishers</publishername>
</publisher>
<isbn>9788793519558</isbn>
</bookinfo>
<preface class="preface" id="preface01">
<title>RIVER PUBLISHERS SERIES IN INFORMATION SCIENCE AND TECHNOLOGY</title>
<para><emphasis>Series Editors</emphasis></para>
<para><emphasis role="strong">K. C. CHEN</emphasis><?lb?><emphasis>National Taiwan University</emphasis><?lb?><emphasis>Taipei, Taiwan</emphasis></para>
<para><emphasis role="strong">SANDEEP SHUKLA</emphasis><?lb?><emphasis>Virginia Tech</emphasis>, <emphasis>USA</emphasis><?lb?><emphasis>and</emphasis><?lb?><emphasis>Indian Institute of Technology Kanpur, India</emphasis></para>
<para>Indexing: All books published in this series are submitted to Thomson Reuters Book Citation Index (BkCI), CrossRef and to Google Scholar.</para>
<para>The &#x0201C;River Publishers Series in Information Science and Technology&#x0201D; covers research which ushers the 21st Century into an Internet and multimedia era. Multimedia means the theory and application of filtering, coding, estimating, analyzing, detecting and recognizing, synthesizing, classifying, recording, and reproducing signals by digital and/or analog devices or techniques, while the scope of &#x0201C;signal&#x0201D; includes audio, video, speech, image, musical, multimedia, data/content, geophysical, sonar/radar, bio/medical, sensation, etc. Networking suggests transportation of such multimedia contents among nodes in communication and/or computer networks, to facilitate the ultimate Internet.</para>
<para>Theory, technologies, protocols and standards, applications/services, practice and implementation of wired/wireless networking are all within the scope of this series. Based on network and communication science, we further extend the scope for 21st Century life through the knowledge in robotics, machine learning, embedded systems, cognitive science, pattern recognition, quantum/biological/molecular computation and information processing, biology, ecology, social science and economics, user behaviors and interface, and applications to health and society advance.</para>
<para>Books published in the series include research monographs, edited volumes, handbooks and textbooks. The books provide professionals, researchers, educators, and advanced students in the field with an invaluable insight into the latest research and developments.</para>
<para>Topics covered in the series include, but are by no means restricted to the following:</para>
<itemizedlist mark="bullet" spacing="normal">
<listitem>
<para>Communication/Computer Networking Technologies and Applications</para></listitem>
<listitem>
<para>Queuing Theory</para></listitem>
<listitem>
<para>Optimization</para></listitem>
<listitem>
<para>Operation Research</para></listitem>
<listitem>
<para>Stochastic Processes</para></listitem>
<listitem>
<para>Information Theory</para></listitem>
<listitem>
<para>Multimedia/Speech/Video Processing</para></listitem>
<listitem>
<para>Computation and Information Processing</para></listitem>
<listitem>
<para>Machine Intelligence</para></listitem>
<listitem>
<para>Cognitive Science and Brian Science</para></listitem>
<listitem>
<para>Embedded Systems</para></listitem>
<listitem>
<para>Computer Architectures</para></listitem>
<listitem>
<para>Reconfigurable Computing</para></listitem>
<listitem>
<para>Cyber Security</para></listitem></itemizedlist>
<para>For a list of other books in this series, <ulink url="http://www.riverpublishers.com">www.riverpublishers.com</ulink></para>
</preface>
<preface class="preface" id="preface02">
<title>Preface</title>
<para>The rapid spread of critical systems raises new challenges from multiple aspects. The functionality embedded into critical systems is a major driver of efficient and economic operation of a variety of societal services ranging from traffic control to health care, but at the same time, the vulnerability of the society to malfunctioning equipment reaches a critical level both in the terms of risks to the human life and huge economic impacts. The rapid development of underlying technologies implies a huge challenge to this industry which followed for decades a safety driven conservative approach. This way, a uniform approach to the development, validation and verification is an important factor in the Europe wide integration of services as emphasized for instance by the creation of the ARTEMIS European Technology Platform on the side of technology. On the human skill side, the dissemination of the best industrial practices and appropriate training is a key enabling factor for this unification process.</para>
<para>All over Europe there is a significant lack of skilled workforce related to critical embedded systems.</para>
<para>Traditional V&#x00026;V methods frequently exceed effort needed for the core development time, and while the &#x0201C;soft&#x0201D; IT industry rapidly turns to system integration based on the reuse of high volume hardware and software components, for safety related applications this will still evolve.</para>
<para>All this poses serious difficulties to companies, which are on one hand constrained to meet predefined quality goals, whereas, on the other hand, are required to deliver systems at acceptable cost and time to market. Large companies mainly follow a brute-force approach by focused large volume investment into tooling and in-house training, but even high-tech SMEs are highly vulnerable to the new challenges.</para>
<para>Looking at the field of the Verification and Validation one of the most challenging goals is the definition of methods, strategies and tools able to validate a system adequately, while simultaneously keeping the cost and delivery time reasonably low. It is not easily possible to establish a proper balance between achievable quality with a particular technique (in terms of RAMS attributes) and the costs required for achieving such quality. The situation is even worse in the case of integration of existing SW in a safety critical system to be certified, since, assessing products which encompass COTS software is a challenge although modern standards consider this possibility. An additional concern is the usage of recently adopted methods for SW development like model based ones, since the certification of systems using software developed with these supports is at the limit of the applicability of the existing standards, and only the most recent ones are aligned with these &#x02018;modern&#x02019; methods.</para>
<para>This book documents the main insights on Cost Effective Verification and Validation processes that we gained during our work in the European Research Project CECRIS (acronym for <emphasis>Certification of Critical Systems</emphasis>). The objective of this research was to tackle the challenges of certification by focusing on those aspects that turn out to be more difficult and or important for current and future critical systems industry: the effective use of methodologies, processes and tools.</para>
<para>The CECRIS project took a step forward in the growing field of development, verification and validation and certification of critical systems. It focused on the more difficult/important points of (safety, efficiency, business) of critical system development, verification and validation and certification process. The scientific objectives of the project were to study both the scientific and industrial state of the art methodologies for system development and the impact of their usage on the verification and validation and certification of critical systems. Moreover the project aimed at developing strategies and techniques supported by automatic or semi-automatic tools and methods for these types of activities, whose cost-quality achievements are well-predictable in order to tie costs of application of techniques to the RAMS attributes level achieved by the product being tested. The project set guidelines to support engineers during the planning of the verification &#x00026; validation phases.</para>
<para>The Project Consortium was composed by three academic partners and three companies:</para>
<orderedlist numeration="arabic" continuation="restarts" spacing="normal">
<listitem>
<para>CINI-Consorzio Interuniversitario Nazionale per l&#x02019;Informatica</para></listitem>
<listitem>
<para>Resiltech S.r.l.</para></listitem>
<listitem>
<para>Universidade de Coimbra</para></listitem>
<listitem>
<para>Budapesti Muszaki es Gazdasagtudomanyi Egyetem</para></listitem>
<listitem>
<para>Prolan Iranyitastechnikai Zartkoruen Mukodo Reszvenytarsasag</para></listitem>
<listitem>
<para>CRITICAL Software SA</para></listitem></orderedlist>
<para>The CECRIS project has given to the partners the opportunity of sharing their industrial-academic expertise and experiences and to develop fruitful collaborations and research products. Through the &#x02018;Transfer of Knowledge&#x02019; activities, industrial partners have had the opportunity to better know, evaluate and apply new research methods, while the academic partners could get from industry valuable feedback, better understanding the industrial problems and needs.</para>
<para>Several synergies that have been established during the secondments, are now in place beyond the project termination for exploiting further potential strategic research activities. Moreover, the collaborations for the maintenance and improvement of the project tools developed during CECRIS will last for years, since these tools support the overall V&#x00026;V process and reduce the certification costs of safety-critical systems.</para>
<para>It is the objective of this book to collect the main project results in terms of methodologies and processes and to propose them in a single edited book.</para>
<para>The first part of the book is related to certification processes. Chapter one presents an easy-to-use framework and a supporting methodology to perform a rapid gap analysis on the usage of standards for safety-critical software, being them new ones to be introduced or standards already applied. In other words, the framework can be applied to reason in terms of &#x0201C;changing standard&#x0201D; or in terms of &#x0201C;introducing a new standard&#x0201D;. The ultimate objective is to discover with limited effort how far a company is from acquiring sufficient the necessary and sufficient level of knowledge to apply a specific standard. Our approach is based on the concept of rating the knowledge available: it starts from an understanding of the expertise of a company, and it rates the improvements, in terms of training, needed to reach an adequate level of confidence with the techniques and processes required in the standard. Our approach can be applied to an entire standard, a part of it, or to individual techniques and tools. Thus, our framework offers the possibility to depict the status of the knowledge available in the company, which may offer valuable insights on the areas that are mostly covered, and where potential improvements are possible. The approach can indicate the introduction time, which estimates the overall training time required to introduce a new standard.</para>
<para>The second part of the book focuses on model-driven methodologies. For a company being competitive on the market, following technologies and being updated with new trends and practices is essential. In safety-critical domains, the introduction of new practices and methodologies is slower than in other engineering fields, since safety standards and long established practices tend to defer the adoption of new emerging technologies, until assessments and time reveal them mature and safe enough. Slow introduction of new methods is especially characterizing the railway domain where the lifespan of products could easily reach decades or even a century. Now it is long time that Model-Driven Engineering techniques and tools have been proposed, but their maturity &#x02013; especially for safety-critical systems &#x02013; is still debated. Some recent surveys investigated the adoption of MDE methodologies and technologies in practice. They revealed the increasing adoption of MDE in industry. The technology is attractive for the development of critical systems, since it can speed up the activities of Verification and Validation (V&#x00026;V), and it enables the early verification of systems, through techniques such as model reviews, guideline checkers, rapid control prototyping and model- and software-in-the-loop Tests. These techniques shift the cost of development from the phases of V&#x00026;V to the ones of requirement analysis and design, thus leading to benefits in terms of residual errors. Companies not performing model-in-the-loop testing find almost 30% more errors during module test. Chapter two reports the results of a twelve months industrial-academic partnership for the transfer of knowledge of MDE techniques from the academy to one of the company involved in the project, with the goal of assessing their level of maturity for industrial adoption. During this activity, it emerged the lack of well-defined processes for the development of a CENELEC SIL-4 safety critical signaling system that was suited for the real industrial needs.</para>
<para>In Chapter three focuses on the issues related to the lack of expertise in CS/OO/SysML formalisms that often lead to the need of a lot of training and support to use the modeling tools. Ideally, designers should spend all their effort on modeling and nothing else. However, existing modeling tools have lot of issues related to installation and plug-ins. The use of Google Blockly was envisaged for modeling and simulation of systems. Blockly is a visual programming library, used to model/program using interlocked blocks. Each of the blocks also supports traditional input widgets such as labels, images, textbox, checkbox, combo box, etc. It can be configured in such a way that only compatible blocks can be connected together (i.e. can be made &#x0201C;valid by design&#x0201D;). Blockly supports code and XML generation, and requires only a modern web browser which can be run on any device or operating system. However, Blockly was not readily usable for modeling using SysML/UML like formalisms. A lot of changes and customizations were made in Blockly to make it more suitable for such type of modeling.</para>
<para>The Third part of this book composed of Chapters four, five, six and seven, deals with V&#x00026;V and quality processes.</para>
<para>Chapter four presents a process for finding and tackling the main root causes that affect critical systems quality. Following standards and applying good engineering practices during software development is not enough to guarantee defects free software, thus additional processes, such as Independent Software Verification and Validation (ISVV), are required in critical projects. The objective of ISVV is to provide complementary and independent assessments of the software artifacts in order to find residual defects and allow their correction in a timely manner. Independence is the most important concept of ISVV and it has been referred to and used in safety-critical domains such as civil aviation (DO-178B), railway signaling systems (CENELEC), and space missions (European Cooperation for Space Standardization &#x02013; ECSS). However, such systems are still far from being perfect and it is common to hear about software bugs in aeronautics, train accidents caused by software problems, satellite systems that need to be patched after launch, and so on. This chapter presents an analysis on trends, common (and uncommon) problems and their causes, and looks at the general picture of critical defects within the software development lifecycle of space systems, considering a dataset of 1070 defects. The results are intended to help engineers in tackling the problems starting from the most frequent ones, instead of dealing with them one by one, as is traditionally done in industry nowadays. In practice, this work brings light to the main root causes of issues in space projects, which were identified, based on the defects classification and on relevant expert knowledge about those defects and about the software development process, contributing towards proposing improvements to the processes, methodologies, tools, standards and industry culture.</para>
<para><link linkend="ch05">Chapter <xref linkend="ch5" remap="5"/></link> describes a framework for automation of hazard log management on large critical projects. A hazard is any situation that could cause harm to the system or lives. Hazards depend on the system and its environment, and the probability of the hazard to cause harm is known as risk. Hazards are analyzed by identifying their causes and the possible negative consequences that might ensue. This chapter describes a modular and extensible way to specify rules for checks locally at the stake-holder side, as well as while combining data from various parties to form the hazard log (HL). The HZ-LOG automatization tool simplifies the process of hazard data collection on large projects to form the hazard log while ensuring data consistency and correctness. The data provided by all parties are collected using a template containing scripts to check for mistakes/errors based on internal standards of the company in charge of the hazard management. The collected data is then subjected to merging in DOORS, which also contain scripts to check and import data to form the hazard log.</para>
<para><link linkend="ch06">Chapter <xref linkend="ch6" remap="6"/></link> instead deals with cost estimation for independent systems verification and validation. Validation, verification and especially certification are skill and effort demanding activities which are typically performed in an independent way by specialized small and medium enterprises. Prediction of the work needed to accomplish them is crucial for the management of such projects, which is by its very nature heavily depending on the implementation of the V&#x00026;V process and its support. Process management widely uses cost estimators in planning of software development projects for resource allocation. Cost estimators use the scoring of a set of cost influencing factors, as input. They use extrapolation functions calibrated previously on measures extracted from a set of representative historical project records. These predictors do not provide reliable measures for the separate phases of V&#x00026;V and certification in safety critical projects. The current chapter summarizes the main use cases and results of an activity focusing on these particular phases.</para>
<para><link linkend="ch07">Chapter <xref linkend="ch7" remap="7"/></link> addresses lightweight formal analysis of requirements which are the core items of the design (and Validation) workflow of safety critical systems. Accordingly, their completeness, compliance with the standards and understandability is a dominant factor in the subsequent steps. Requirements review is a special kind of Independent Software/Systems Verification and Validation (ISVV). The chapter presents methodologies to use lightweight formal methods supporting experts in a peer review based ISVV.</para>
<para>Part four of this book, composed of chapters eight and nine, deals with particular phases of V&#x00026;V processes known as FMEA &#x00026; FMECA.</para>
<para><link linkend="ch08">Chapter <xref linkend="ch8" remap="8"/></link> describes STECA which stands for &#x0201C;Security Threats, Effects and Criticality Analysis&#x0201D; and its application to a Smart Grids scenario. The STECA approach is meant to perform security assessment and the chapter explains the process proposed to identify vulnerabilities, their related threats, a risk assessment approach and finally a path to identify appropriate countermeasures. This process is based on the same principles used for the FMEA/FMECA process, widely used for safety critical analysis and highly regarded by the majority of international standards. STECA starts from a vulnerability point of view and moves on towards threat analysis and criticality assessment. Following the guidelines defined, the approach is then instantiated on a Smart Grid use case, resulting in a set of precise guidelines and a systematic way to perform security assessment including vulnerability evaluation and attack impact analysis.</para>
<para><link linkend="ch09">Chapter <xref linkend="ch9" remap="9"/></link> describes a composable framework support for Software-FMEA through Model Execution. Performing Failure Mode and Effects Analysis (FMEA) during software architecture design is becoming a basic requirement in an increasing number of domains. However, due to the lack of standardized early design-phase model execution, classic Software-FMEA (SW-FMEA) approaches carry significant risks and are human effort-intensive even in processes that use Model-Driven Engineering.</para>
<para>From a dependability-critical development process point of view, FMEA should be performed in the early phases of system design; for software, this usually translates to the architecture design phase. Additionally, for some domains, standards prescribe the safety analysis of the software architecture &#x02013; as is the case e.g. with ISO 26262 in the automotive domain. Significant risk is introduced by the fact that the error propagation assumptions usually made at this stage have to hold for the final system &#x02013; otherwise the constructed hazard mitigation arguments will not hold. This chapter addresses SFMEA based on a new standard for UML 2 modeling language. Throughout the chapter, the reader will be introduced to i) advances in standardized model execution semantics, ii) the outline of a composable framework built on top of executable software architecture models to help SW-FMEA, iii) a realization of such a framework applied on a case study from the railway domain.</para>
<para>The last part of this book, Part five, contains contributions developed in CECRIS related to Robustness and Fault injection and is composed of 3 chapters.</para>
<para><link linkend="ch010">Chapter <xref linkend="ch10" remap="10"/></link> describes a monitoring and testing framework for critical off-the-shelf applications and services. One of the biggest verification and validation challenges is the definition of approaches and tools to support systems assessment while minimizing costs and delivery time. Such tools reduce the time and cost of assessing Off-The-Shelf (OTS) software components that must undergo proper certification or approval processes to be used in critical scenarios. In the case of testing, due to the particularities of components, developers often build ad-hoc and poorly-reusable testing tools, which results in increased time and costs. This chapter introduces a framework for testing and monitoring of critical OTS applications and services. The framework includes i) a box instrumented for monitoring OS and application level variables, ii) a toolset for testing the target components and iii) tools for data storing, retrieval and analysis. The chapter presents an implementation of the framework that allows applying, in a cost-effective fashion, functional testing, robustness testing and penetration testing to web services. Finally, the framework usability and utility is demonstrated based on two different case studies that also show its flexibility.</para>
<para><link linkend="ch011">Chapter <xref linkend="ch11" remap="11"/></link> is about the validation of a safety critical railway application using fault injection. This chapter will summarize the fault injection experiments performed with the ProSigma system. It will include a detailed description of the system, fault injection test goals, description of the fault injection tool, the results of the FI tests, etc.</para>
<para><link linkend="ch012">Chapter <xref linkend="ch12" remap="12"/></link> is concerned with robustness of complex Critical Systems. Systems are nowadays being deployed also as services or web applications, and are being used to provide enterprise-level business-critical operations. These systems are supported by complex middleware, which often links different systems, and where a failure can bring in disastrous consequences for both clients and service providers. In this chapter we present a toolset that can be used to evaluate the robustness of a given system, under the following two different perspectives: i) executing robustness tests against the service&#x02019;s external interface (e.g., the interface with business clients) and also inner interfaces (e.g., the application-database interface); ii) emulating the presence of source code defects, on the service middleware, to understand how the presence of a defect can affect the robustness of the overall system. The toolset has been demonstrated on a set of web services, an Enterprise Resource Planning web application, and on the popular Apache HTTP server. Results show that the toolset can be easily used to disclose critical problems in web applications and to support middleware, helping developers in building and validating more reliable services.</para>
<para>Although the chapters of the book are arranged in a logical order, an effort has been made to keep each chapter self-contained. This book can be used for supplemental reading for advanced teaching on Critical systems validation and verification methodologies.</para>
<blockquote>
<para><emphasis role="strong">Andrea Bondavalli</emphasis></para>
<para><emphasis role="strong">Francesco Brancati</emphasis></para>
</blockquote>
</preface>
<preface class="preface" id="preface03">
<title>List of Contributors</title>
<para><emphasis role="strong">Alexandre Esper,</emphasis> <emphasis>CRITICAL Software S.A., Coimbra, Portugal</emphasis></para>
<para><emphasis role="strong">Andr&#x000E1;s Pataricza,</emphasis> <emphasis>Dept. of Measurement and Information Systems, Budapest University of Technology and Economics, Budapest, Hungary</emphasis></para>
<para><emphasis role="strong">Andr&#x000E1;s Zentai,</emphasis> <emphasis>Prolan Process Control Co., Szentendrei &#x000FA;t 1&#x02013;3, H-2011 Budakal&#x000E1;sz, Hungary</emphasis></para>
<para><emphasis role="strong">Andrea Bondavalli,</emphasis> <emphasis>1) Department of Mathematics and Informatics, University of Florence, Florence, Italy</emphasis></para>
<para><emphasis>2) CINI-Consorzio Interuniversitario Nazionale per l&#x02019;Informatica-University of Florence, Florence, Italy</emphasis></para>
<para><emphasis role="strong">Andrea Ceccarelli,</emphasis> <emphasis>1) Department of Mathematics and Informatics, University of Florence, Florence, Italy</emphasis></para>
<para><emphasis>2) CINI-Consorzio Interuniversitario Nazionale per l&#x02019;Informatica-University of Florence, Florence, Italy</emphasis> </para>
<para><emphasis role="strong">Arun Babu Puthuparambil,</emphasis> <emphasis>Robert Bosch Center for Cyber Physical Systems, Indian Institute of Science, Bangalore, India</emphasis> </para>
<para><emphasis role="strong">Cristiana Areias,</emphasis> <emphasis>1) CISUC, Department of Informatics Engineering, University of Coimbra, Portugal</emphasis></para>
<para><emphasis>2) ISEC &#x02013; Coimbra Institute of Engineering, Polytechnic Institute of Coimbra, Portugal</emphasis></para>
<para><emphasis role="strong">Fabio Scippacercola,</emphasis> <emphasis>1) DIETI, Universit&#x000E0; degli Studi di Napoli Federico II, Via Claudio 21, 80125 Napoli, Italy</emphasis></para>
<para><emphasis>2) CINI-Consorzio Interuniversitario Nazionale per l&#x02019;Informatica, Italy</emphasis> </para>
<para><emphasis role="strong">Francesco Brancati,</emphasis> <emphasis>Resiltech s.r.l., Pontedera (PI), Italy</emphasis> </para>
<para><emphasis role="strong">Francesco Rossi,</emphasis> <emphasis>Resiltech s.r.l., Pontedera (PI), Italy</emphasis> </para>
<para><emphasis role="strong">Francisco Moreira,</emphasis> <emphasis>CRITICAL Software S.A., Coimbra, Portugal</emphasis> </para>
<para><emphasis role="strong">Gon&#x000E7;alo Pereira,</emphasis> <emphasis>CISUC, Department of Informatics Engineering, University of Coimbra, Portugal</emphasis> </para>
<para><emphasis role="strong">Henrique Madeira,</emphasis> <emphasis>CISUC, Department of Informatics Engineering, University of Coimbra, Portugal</emphasis></para>
<para><emphasis role="strong">Imre Kocsis,</emphasis> <emphasis>Dept. of Measurement and Information Systems, Budapest University of Technology and Economics, Budapest, Hungary</emphasis> </para>
<para><emphasis role="strong">Ivano Irrera,</emphasis> <emphasis>CISUC, Department of Informatics Engineering, University of Coimbra, Portugal</emphasis></para>
<para><emphasis role="strong">JoCarlos Cunha,</emphasis> <emphasis>1) CISUC, Department of Informatics Engineering, University of Coimbra, Portugal</emphasis></para>
<para><emphasis>2) ISEC &#x02013; Coimbra Institute of Engineering, Polytechnic Institute of Coimbra, Portugal</emphasis></para>
<para><emphasis role="strong">Jorge Bernardino,</emphasis> <emphasis>1) CISUC, Department of Informatics Engineering, University of Coimbra, Portugal</emphasis></para>
<para><emphasis>2) ISEC &#x02013; Coimbra Institute of Engineering, Polytechnic Institute of Coimbra, Portugal</emphasis></para>
<para><emphasis role="strong">L&#x000E1;szl&#x000F3; G&#x000F6;nczy,</emphasis> <emphasis>Dept. of Measurement and Information Systems, Budapest University of Technology and Economics, Budapest, Hungary</emphasis> </para>
<para><emphasis role="strong">Leonardo Montecchi,</emphasis> <emphasis>1) Department of Mathematics and Informatics, University of Florence, Florence, Italy</emphasis></para>
<para><emphasis>2) CINI-Consorzio Interuniversitario Nazionale per l&#x02019;Informatica-University of Florence, Florence, Italy</emphasis> </para>
<para><emphasis role="strong">Lorenzo Vinerbi,</emphasis> <emphasis>Resiltech s.r.l., Pontedera (PI), Italy</emphasis> </para>
<para><emphasis role="strong">Marco Vieira,</emphasis> <emphasis>CISUC, Department of Informatics Engineering, University of Coimbra, Portugal</emphasis> </para>
<para><emphasis role="strong">Mario Rui Baptista,</emphasis> <emphasis>CRITICAL Software S.A., Coimbra, Portugal</emphasis> </para>
<para><emphasis role="strong">Nicola Nostro,</emphasis> <emphasis>Resiltech s.r.l., Pontedera (PI), Italy</emphasis> </para>
<para><emphasis role="strong">Nuno Antunes,</emphasis> <emphasis>CISUC, Department of Informatics Engineering, University of Coimbra, Portugal</emphasis> </para>
<para><emphasis role="strong">Nuno Laranjeiro,</emphasis> <emphasis>CISUC, Department of Informatics Engineering, University of Coimbra, Portugal</emphasis> </para>
<para><emphasis role="strong">Nuno Silva,</emphasis> <emphasis>CRITICAL Software S.A., Coimbra, Portugal</emphasis> </para>
<para><emphasis role="strong">Raul Barbosa,</emphasis> <emphasis>CISUC, Department of Informatics Engineering, University of Coimbra, Portugal</emphasis> </para>
<para><emphasis role="strong">Rosaria Esposito,</emphasis> <emphasis>Resiltech s.r.l., Pontedera (PI), Italy</emphasis> </para>
<para><emphasis role="strong">Seyma Nur Soydemir,</emphasis> <emphasis>CISUC, Department of Informatics Engineering, University of Coimbra, Portugal</emphasis> </para>
<para><emphasis role="strong">Stefano Russo,</emphasis> <emphasis>1) DIETI, Universit&#x000E0; degli Studi di Napoli Federico II, Via Claudio 21, 80125 Napoli, Italy</emphasis></para>
<para><emphasis>2) CINI-Consorzio Interuniversitario Nazionale per l&#x02019;Informatica, Italy</emphasis> </para>
<para><emphasis role="strong">Tommaso Zoppi,</emphasis> <emphasis>1) Department of Mathematics and Informatics, University of Florence, Florence, Italy</emphasis></para>
<para><emphasis>2) CINI-Consorzio Interuniversitario Nazionale per l&#x02019;Informatica-University of Florence, Florence, Italy</emphasis> </para>
<para><emphasis role="strong">Valentina Bonfiglio,</emphasis> <emphasis>Resiltech s.r.l., Pontedera (PI), Italy</emphasis> </para>
<para><emphasis role="strong">Vince Moln&#x000E1;r,</emphasis> <emphasis>Dept. of Measurement and Information Systems, Budapest University of Technology and Economics, Budapest, Hungary</emphasis></para>
</preface>
<preface class="preface" id="preface04">
<title>List of Figures</title>
<table-wrap position="float">
<table cellspacing="5" cellpadding="5" frame="none" rules="none">
<tbody>
<tr><td valign="top" width="15%"><emphasis role="strong"><link linkend="F1-1">Figure <xref linkned="F1-1" remap="1.1"/></link></emphasis></td><td>Overall view of the gap analysis framework.</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F1-2">Figure <xref linkned="F1-2" remap="1.2"/></link></emphasis></td><td>EER structure of the database.</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F1-3">Figure <xref linkned="F1-3" remap="1.3"/></link></emphasis></td><td>Example of roles organization in a critical software company.</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F1-4">Figure <xref linkned="F1-4" remap="1.4"/></link></emphasis></td><td>Involvement of the different roles in avionics standards.</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F2-1">Figure <xref linkned="F2-1" remap="2.1"/></link></emphasis></td><td>A representation of the Prolan Block and its operating environment.</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F2-2">Figure <xref linkned="F2-2" remap="2.2"/></link></emphasis></td><td>Software Development Life Cycle according to EN 50128.</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F2-3">Figure <xref linkned="F2-3" remap="2.3"/></link></emphasis></td><td>The adapted model-driven V-Model life cycle for Prolan.</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F2-4">Figure <xref linkned="F2-4" remap="2.4"/></link></emphasis></td><td><emphasis>Prolan Block</emphasis> (PB) functional requirements.</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F2-5">Figure <xref linkned="F2-5" remap="2.5"/></link></emphasis></td><td>PB non-functional requirements.</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F2-6">Figure <xref linkned="F2-6" remap="2.6"/></link></emphasis></td><td>BDD diagram showing the environment of the PB.</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F2-7">Figure <xref linkned="F2-7" remap="2.7"/></link></emphasis></td><td>Computation Independent Model (CIM) use case diagram for the Prolan Block.</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F2-8">Figure <xref linkned="F2-8" remap="2.8"/></link></emphasis></td><td>State machine diagram of the semaphore behavior.</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F2-9">Figure <xref linkned="F2-9" remap="2.9"/></link></emphasis></td><td>High-level system architecture.</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F2-10">Figure <xref linkned="F2-10" remap="2.10"/></link></emphasis></td><td>The transformations of the BB-PIT.</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F2-11">Figure <xref linkned="F2-11" remap="2.11"/></link></emphasis></td><td>A test case automatically generated from the BB-PIT by Conformiq.</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F2-12">Figure <xref linkned="F2-12" remap="2.12"/></link></emphasis></td><td>The configuration of the PM for HIL Testing.</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F3-1">Figure <xref linkned="F3-1" remap="3.1"/></link></emphasis></td><td>Various types of blocks in Blockly.</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F3-2">Figure <xref linkned="F3-2" remap="3.2"/></link></emphasis></td><td>An example of a vending machine profile in PlantUML.</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F3-3">Figure <xref linkned="F3-3" remap="3.3"/></link></emphasis></td><td>An example of a vending machine model under construction.</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F3-4">Figure <xref linkned="F3-4" remap="3.4"/></link></emphasis></td><td>An example of requirements management.</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F3-5">Figure <xref linkned="F3-5" remap="3.5"/></link></emphasis></td><td>MDE flow.</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F3-6">Figure <xref linkned="F3-6" remap="3.6"/></link></emphasis></td><td>An example of guiding users with compatible blocks (for Transitions).</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F3-7">Figure <xref linkned="F3-7" remap="3.7"/></link></emphasis></td><td>An example of type indicator plugin (Shows which blocks are compatible with the current selected block &#x0201C;Transition/t4&#x0201D; with yellow color).</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F3-8">Figure <xref linkned="F3-8" remap="3.8"/></link></emphasis></td><td>An example of constraints.</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F3-9">Figure <xref linkned="F3-9" remap="3.9"/></link></emphasis></td><td>An example of groups and links.</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F3-10">Figure <xref linkned="F3-10" remap="3.10"/></link></emphasis></td><td>Enabling and disabling viewpoints in model.</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F3-11">Figure <xref linkned="F3-11" remap="3.11"/></link></emphasis></td><td>Model query without any filter (return true;).</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F3-12">Figure <xref linkned="F3-12" remap="3.12"/></link></emphasis></td><td>Example of model query to select all blocks of type &#x0201C;RUMI&#x0201D; (return block.of_type == &#x02018;RUMI&#x02019;).</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F3-13">Figure <xref linkned="F3-13" remap="3.13"/></link></emphasis></td><td>The subset of example model of &#x0201C;Vending machine&#x0201D; exported to PlantUML.</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F3-14">Figure <xref linkned="F3-14" remap="3.14"/></link></emphasis></td><td>Example sequence diagram in Blockly.</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F3-15">Figure <xref linkned="F3-15" remap="3.15"/></link></emphasis></td><td>Classical view of sequence diagram (subset).</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F3-16">Figure <xref linkned="F3-16" remap="3.16"/></link></emphasis></td><td>Blocks to support custom simulation initialization and code to execute when simulation ends.</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F3-17">Figure <xref linkned="F3-17" remap="3.17"/></link></emphasis></td><td>Blocks with images.</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F4-1">Figure <xref linkned="F4-1" remap="4.1"/></link></emphasis></td><td>ISVV phases.</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F4-2">Figure <xref linkned="F4-2" remap="4.2"/></link></emphasis></td><td>Generalized defect assessment procedure.</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F4-3">Figure <xref linkned="F4-3" remap="4.3"/></link></emphasis></td><td>Defect type vs. defect impact.</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F4-4">Figure <xref linkned="F4-4" remap="4.4"/></link></emphasis></td><td>Defect trigger vs. defect impact.</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F5-1">Figure <xref linkned="F5-1" remap="5.1"/></link></emphasis></td><td>Populating the hazard log (HL).</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F5-2">Figure <xref linkned="F5-2" remap="5.2"/></link></emphasis></td><td>Excel sheet of one of the participants.</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F5-3">Figure <xref linkned="F5-3" remap="5.3"/></link></emphasis></td><td>Checking of HA data through MS Excel scripts.</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F5-4">Figure <xref linkned="F5-4" remap="5.4"/></link></emphasis></td><td>Dialogue boxes of MS Excel scripts.</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F5-5">Figure <xref linkned="F5-5" remap="5.5"/></link></emphasis></td><td>Errors caught in HZ analysis by scripts.</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F5-6">Figure <xref linkned="F5-6" remap="5.6"/></link></emphasis></td><td>Excel sheet imported and merged in DOORS to form HL.</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F6-1">Figure <xref linkned="F6-1" remap="6.1"/></link></emphasis></td><td>Schematic view on V&#x00026;V activities.</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F6-2">Figure <xref linkned="F6-2" remap="6.2"/></link></emphasis></td><td>COSYSMO 2.0: Size Drivers/Effort Multipliers.</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F6-3">Figure <xref linkned="F6-3" remap="6.3"/></link></emphasis></td><td>Rayleigh distribution by different parameters (a) fault detection rate (b) fault coverage.</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F6-4">Figure <xref linkned="F6-4" remap="6.4"/></link></emphasis></td><td>COSYSMO estimation compared to real V&#x00026;V effort.</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F6-5">Figure <xref linkned="F6-5" remap="6.5"/></link></emphasis></td><td>Cost drivers sensitivity analysis.</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F6-6">Figure <xref linkned="F6-6" remap="6.6"/></link></emphasis></td><td>Trends of fault in multi-phased ISVV projects.</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F6-7">Figure <xref linkned="F6-7" remap="6.7"/></link></emphasis></td><td>Complexity metrics and fault density.</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F7-1">Figure <xref linkned="F7-1" remap="7.1"/></link></emphasis></td><td>ReqIF based information exchange.</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F7-2">Figure <xref linkned="F7-2" remap="7.2"/></link></emphasis></td><td>Exchange document structure.</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F7-3">Figure <xref linkned="F7-3" remap="7.3"/></link></emphasis></td><td>Specifications, requirements, and attributes.</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F7-4">Figure <xref linkned="F7-4" remap="7.4"/></link></emphasis></td><td>Unstructured and structured model.</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F7-5">Figure <xref linkned="F7-5" remap="7.5"/></link></emphasis></td><td>Causality statistics structure.</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F7-6">Figure <xref linkned="F7-6" remap="7.6"/></link></emphasis></td><td>The original and changed specification in our example.</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F7-7">Figure <xref linkned="F7-7" remap="7.7"/></link></emphasis></td><td>Propagation resolution and computed change impact cover extent.</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F7-8">Figure <xref linkned="F7-8" remap="7.8"/></link></emphasis></td><td>Example rich requirement structure for propagation categorization.</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F7-9">Figure <xref linkned="F7-9" remap="7.9"/></link></emphasis></td><td>Change impact propagation categories.</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F8-1">Figure <xref linkned="F8-1" remap="8.1"/></link></emphasis></td><td>High level view of the STEC process.</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F8-2">Figure <xref linkned="F8-2" remap="8.2"/></link></emphasis></td><td>Example from the Energy industry showing the architecture of a Smart Grid.</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F8-3">Figure <xref linkned="F8-3" remap="8.3"/></link></emphasis></td><td>Attack probability graph.</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F8-4">Figure <xref linkned="F8-4" remap="8.4"/></link></emphasis></td><td>Threat Event Risk Matrix.</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F8-5">Figure <xref linkned="F8-5" remap="8.5"/></link></emphasis></td><td>Description of impact categories.</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F8-6">Figure <xref linkned="F8-6" remap="8.6"/></link></emphasis></td><td>STECA report example.</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F9-1">Figure <xref linkned="F9-1" remap="9.1"/></link></emphasis></td><td>Composite error token passing during execution and component activation.</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F9-2">Figure <xref linkned="F9-2" remap="9.2"/></link></emphasis></td><td>Framework components for program composition.</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F9-3">Figure <xref linkned="F9-3" remap="9.3"/></link></emphasis></td><td>Parts of the simulated environment in the case study.</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F9-4">Figure <xref linkned="F9-4" remap="9.4"/></link></emphasis></td><td>Main components of the modelled system.</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F9-5">Figure <xref linkned="F9-5" remap="9.5"/></link></emphasis></td><td>Structure of a balise telegram.</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F9-6">Figure <xref linkned="F9-6" remap="9.6"/></link></emphasis></td><td>Alf implementation of a BTM behaviour.</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F9-7">Figure <xref linkned="F9-7" remap="9.7"/></link></emphasis></td><td>Log trace of a fault-free execution of the case study model.</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F9-8">Figure <xref linkned="F9-8" remap="9.8"/></link></emphasis></td><td>Visualization of a fault-free execution tree of the case study model.</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F9-9">Figure <xref linkned="F9-9" remap="9.9"/></link></emphasis></td><td>Blockly-based model of the case study system and its environment.</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F9-10">Figure <xref linkned="F9-10" remap="9.10"/></link></emphasis></td><td>Error propagation in the case study model when input is consistent.</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F10-1">Figure <xref linkned="F10-1" remap="10.1"/></link></emphasis></td><td>Framework architecture: overall view and interactions.</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F10-2">Figure <xref linkned="F10-2" remap="10.2"/></link></emphasis></td><td>Detailed functioning of the Instrumented System.</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F10-3">Figure <xref linkned="F10-3" remap="10.3"/></link></emphasis></td><td>Detailed functioning of the Test and Collect.</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F10-4">Figure <xref linkned="F10-4" remap="10.4"/></link></emphasis></td><td>An extract of the workload to set a New Calendar Event.</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F10-5">Figure <xref linkned="F10-5" remap="10.5"/></link></emphasis></td><td>Extract from robustness test results.</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F10-6">Figure <xref linkned="F10-6" remap="10.6"/></link></emphasis></td><td>Example of robustness test: (a) request; (b) response.</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F10-7">Figure <xref linkned="F10-7" remap="10.7"/></link></emphasis></td><td>Calendar Service penetration tests result.</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F10-8">Figure <xref linkned="F10-8" remap="10.8"/></link></emphasis></td><td>Evolution of Number of working processes in SHAPE.</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F11-1">Figure <xref linkned="F11-1" remap="11.1"/></link></emphasis></td><td>The ProSigma abstraction layers.</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F11-2">Figure <xref linkned="F11-2" remap="11.2"/></link></emphasis></td><td>System architecture.</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F11-3">Figure <xref linkned="F11-3" remap="11.3"/></link></emphasis></td><td>LI card interfaces.</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F11-4">Figure <xref linkned="F11-4" remap="11.4"/></link></emphasis></td><td>ETH card architecture.</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F11-5">Figure <xref linkned="F11-5" remap="11.5"/></link></emphasis></td><td>RPI card architecture.</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F11-6">Figure <xref linkned="F11-6" remap="11.6"/></link></emphasis></td><td>Fault injection structure and environment.</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F11-7">Figure <xref linkned="F11-7" remap="11.7"/></link></emphasis></td><td>Fault injection structure and environment.</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F11-8">Figure <xref linkned="F11-8" remap="11.8"/></link></emphasis></td><td>The ProSigma system and the FI tool and environment.</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F11-9">Figure <xref linkned="F11-9" remap="11.9"/></link></emphasis></td><td>Fault injection campaign: failure modes distribution.</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F12-1">Figure <xref linkned="F12-1" remap="12.1"/></link></emphasis></td><td>Scenario for service robustness evaluation using wsrbench, PDInjector and ucXception.</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F12-2">Figure <xref linkned="F12-2" remap="12.2"/></link></emphasis></td><td>Basic execution profile of the tests.</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F12-3">Figure <xref linkned="F12-3" remap="12.3"/></link></emphasis></td><td>Anomalous effects by type of patch.</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="F12-4">Figure <xref linkned="F12-4" remap="12.4"/></link></emphasis></td><td>Effects by behavior.</td></tr>
</tbody>
</table>
</table-wrap>
</preface>
<preface class="preface" id="preface05">
<title>List of Tables</title>
<table-wrap position="float">
<table cellspacing="5" cellpadding="5" frame="none" rules="none">
<tbody>
<tr><td valign="top" width="15%"><emphasis role="strong"><link linkend="T1-1">Table <xref linkned="T1-1" remap="1.1"/></link></emphasis></td><td>A sample extract of the traceability matrix on processes</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="T1-2">Table <xref linkned="T1-2" remap="1.2"/></link></emphasis></td><td>A sample extract of the traceability matrix on techniques</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="T1-3">Table <xref linkned="T1-3" remap="1.3"/></link></emphasis></td><td>The binary decision diagram</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="T1-4">Table <xref linkned="T1-4" remap="1.4"/></link></emphasis></td><td>An extract of our sheet for data analysis; overall it contains 48 techniques and 41 tools. The whole data set is not reported because of its dimension and non-disclosure agreements</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="T4-1">Table <xref linkned="T4-1" remap="4.1"/></link></emphasis></td><td>Orthogonal defect classification attributes description</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="T4-2">Table <xref linkned="T4-2" remap="4.2"/></link></emphasis></td><td>Enhanced ODC classification results</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="T4-3">Table <xref linkned="T4-3" remap="4.3"/></link></emphasis></td><td>Summary of root causes for main defect types</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="T4-4">Table <xref linkned="T4-4" remap="4.4"/></link></emphasis></td><td>Summary of root causes for main defect triggers</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="T5-1">Table <xref linkned="T5-1" remap="5.1"/></link></emphasis></td><td>Hazard analysis template</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="T5-2">Table <xref linkned="T5-2" remap="5.2"/></link></emphasis></td><td>An example configuration of hazard log tool (&#x0201C;Hazard Log Field&#x0201D; are the fields in DOORS, &#x0201C;HA&#x0201D; is the fields in Excel, and &#x0201C;Type&#x0201D; indicates where the field can be found (HZ, &#x02018;hazard&#x02019;; MT, &#x02018;mitigation&#x02019;; BH, &#x02018;can be found in both&#x02019;)</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="T5-3">Table <xref linkned="T5-3" remap="5.3"/></link></emphasis></td><td>Example configuration for Excel scripts</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="T6-1">Table <xref linkned="T6-1" remap="6.1"/></link></emphasis></td><td>Pilot use case for introducing formal methods in verification</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="T6-2">Table <xref linkned="T6-2" remap="6.2"/></link></emphasis></td><td>Effect of requirement lifecycle</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="T7-1">Table <xref linkned="T7-1" remap="7.1"/></link></emphasis></td><td>Comparison of change impact propagation categories</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="T8-1">Table <xref linkned="T8-1" remap="8.1"/></link></emphasis></td><td>Vulnerabilities, weak spots, and security threats</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="T8-2">Table <xref linkned="T8-2" remap="8.2"/></link></emphasis></td><td>Linking weak spots and ISO/IEC 27005 vulnerability categories</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="T10-1">Table <xref linkned="T10-1" remap="10.1"/></link></emphasis></td><td>Extract test results for New Calendar Event</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="T10-2">Table <xref linkned="T10-2" remap="10.2"/></link></emphasis></td><td>Summary of the variables monitored</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="T11-1">Table <xref linkned="T11-1" remap="11.1"/></link></emphasis></td><td>Railway object outputs</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="T11-2">Table <xref linkned="T11-2" remap="11.2"/></link></emphasis></td><td>Failure modes</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="T11-3">Table <xref linkned="T11-3" remap="11.3"/></link></emphasis></td><td>Summary of FI campaign results</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="T12-1">Table <xref linkned="T12-1" remap="12.1"/></link></emphasis></td><td>Examples of Robustness and poor data quality mutations</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="T12-2">Table <xref linkned="T12-2" remap="12.2"/></link></emphasis></td><td>Fault emulation operators</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="T12-3">Table <xref linkned="T12-3" remap="12.3"/></link></emphasis></td><td>Fault emulation constraints</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="T12-4">Table <xref linkned="T12-4" remap="12.4"/></link></emphasis></td><td>Overview of the tests and results for case study #2</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="T12-5">Table <xref linkned="T12-5" remap="12.5"/></link></emphasis></td><td>Selected cases from case study #2</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="T12-6">Table <xref linkned="T12-6" remap="12.6"/></link></emphasis></td><td>Number of patches for mod_rewrite</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="T12-7">Table <xref linkned="T12-7" remap="12.7"/></link></emphasis></td><td>Types of observed behaviors</td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="T12-8">Table <xref linkned="T12-8" remap="12.8"/></link></emphasis></td><td>Results by behavior</td></tr>
</tbody>
</table>
</table-wrap>
</preface>
<preface class="preface" id="preface06">
<title>Contents</title>
<table-wrap position="float">
<table cellspacing="5" cellpadding="5" frame="none" rules="none" width="100%">
<tbody>
<tr><td valign="top"><emphasis role="strong"><link linkend="ch01">1 A Framework to Identify Companies Gaps When Introducing New Standards for Safety-Critical Software</link></emphasis><?lb?><emphasis>Andrea Ceccarelli and Nuno Silva</emphasis></td><td valign="top" align="left" width="15%"><ulink url="http://riverpublishers.com/dissertations_xml/9788793519558/pdf/01_Chapter_01.pdf">Download As PDF</ulink></td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="ch02">2 Experiencing Model-Driven Engineering for Railway Interlocking Systems</link></emphasis><?lb?><emphasis>Fabio Scippacercola, Andr&#x000E1;s Zentai and Stefano Russo</emphasis></td><td valign="top" align="left"><ulink url="http://riverpublishers.com/dissertations_xml/9788793519558/pdf/02_Chapter_02.pdf">Download As PDF</ulink></td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="ch03">3 SYSML-UML Like Modeling Environment Based on Google Blockly Customization</link></emphasis><?lb?><emphasis>Arun Babu Puthuparambil, Francesco Brancati, Andrea Bondavalli and Andrea Ceccarelli</emphasis></td><td valign="top" align="left"><ulink url="http://riverpublishers.com/dissertations_xml/9788793519558/pdf/03_Chapter_03.pdf">Download As PDF</ulink></td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="ch04">4 A Process for Finding and Tackling the Main Root Causes that Affect Critical Systems Quality</link></emphasis><?lb?><emphasis>Nuno Silva, Francisco Moreira, Jo&#x000E3;o Carlos Cunha and Marco Vieira</emphasis></td><td valign="top" align="left"><ulink url="http://riverpublishers.com/dissertations_xml/9788793519558/pdf/04_Chapter_04.pdf">Download As PDF</ulink></td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="ch05">5 Framework for Automation of Hazard Log Management on Large Critical Projects</link></emphasis><?lb?><emphasis>Lorenzo Vinerbi and Arun Babu Puthuparambil</emphasis></td><td valign="top" align="left"><ulink url="http://riverpublishers.com/dissertations_xml/9788793519558/pdf/05_Chapter_05.pdf">Download As PDF</ulink></td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="ch06">6 Cost Estimation for Independent Systems Verification and Validation</link></emphasis><?lb?><emphasis>Andr&#x000E1;s Pataricza, L&#x000E1;szl&#x000F3; G&#x000F6;nczy, Francesco Brancati, Francisco Moreira, Nuno Silva, Rosaria Esposito, Andrea Bondavalli and Alexandre Esper</emphasis></td><td valign="top" align="left"><ulink url="http://riverpublishers.com/dissertations_xml/9788793519558/pdf/06_Chapter_06.pdf">Download As PDF</ulink></td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="ch07">7 Lightweight Formal Analysis of Requirements</link></emphasis><?lb?><emphasis>Andr&#x000E1;s Pataricza, Imre Kocsis, Francesco Brancati, Lorenzo Vinerbi and Andrea Bondavalli</emphasis></td><td valign="top" align="left"><ulink url="http://riverpublishers.com/dissertations_xml/9788793519558/pdf/07_Chapter_07.pdf">Download As PDF</ulink></td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="ch08">8 STECA &#x02013; Security Threats, Effects and Criticality Analysis: Definition and Application to Smart Grids</link></emphasis><?lb?><emphasis>Mario Rui Baptista, Nuno Silva, Nicola Nostro, Tommaso Zoppi and Andrea Ceccarelli</emphasis></td><td valign="top" align="left"><ulink url="http://riverpublishers.com/dissertations_xml/9788793519558/pdf/08_Chapter_08.pdf">Download As PDF</ulink></td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="ch09">9 Composable Framework Support for Software-FMEA through Model Execution</link></emphasis><?lb?><emphasis>Valentina Bonfiglio, Francesco Brancati, Francesco Rossi, Andrea Bondavalli, Leonardo Montecchi, Andr&#x000E1;s Pataricza, Imre Kocsis and Vince Moln&#x000E1;r</emphasis></td><td valign="top" align="left"><ulink url="http://riverpublishers.com/dissertations_xml/9788793519558/pdf/09_Chapter_09.pdf">Download As PDF</ulink></td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="ch10">10 A Monitoring and Testing Framework for Critical Off-the-Shelf Applications and Services</link></emphasis><?lb?><emphasis>Nuno Antunes, Francesco Brancati, Andrea Ceccarelli, Andrea Bondavalli and Marco Vieira</emphasis></td><td valign="top" align="left"><ulink url="http://riverpublishers.com/dissertations_xml/9788793519558/pdf/10_Chapter_10.pdf">Download As PDF</ulink></td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="ch11">11 Validating a Safety Critical Railway Application Using Fault Injection</link></emphasis><?lb?><emphasis>Ivano Irrera, Andr&#x000E1;s Zentai, Jo&#x000E3;o Carlos Cunha and Henrique Madeira</emphasis></td><td valign="top" align="left"><ulink url="http://riverpublishers.com/dissertations_xml/9788793519558/pdf/11_Chapter_11.pdf">Download As PDF</ulink></td></tr>
<tr><td valign="top"><emphasis role="strong"><link linkend="ch12">12 Robustness and Fault Injection for the Validation of Critical Systems</link></emphasis><?lb?><emphasis>Nuno Laranjeiro, Gon&#x000E7;alo Pereira, Seyma Nur Soydemir, Raul Barbosa, Jorge Bernardino, Cristiana Areias, Nuno Antunes, Jo&#x000E3;o Carlos Cunha, Marco Vieira and Henrique Madeira</emphasis></td><td valign="top" align="left"><ulink url="http://riverpublishers.com/dissertations_xml/9788793519558/pdf/12_Chapter_12.pdf">Download As PDF</ulink></td></tr>
</tbody>
</table>
</table-wrap>
</preface>
<chapter class="chapter" id="ch01" label="1" xreflabel="1">
<title>A Framework to Identify Companies Gaps When Introducing New Standards for Safety-Critical Software</title>
<para role="author"><emphasis role="strong">Andrea Ceccarelli<superscript>1,2</superscript> and Nuno Silva<superscript>3</superscript></emphasis></para>
<para><superscript>1</superscript>Department of Mathematics and Informatics, University of Florence,<?lb?>Florence, Italy</para>
<para><superscript>2</superscript>CINI-Consorzio Interuniversitario Nazionale per l&#x02019;Informatica-University of Florence, Florence, Italy</para>
<para><superscript>3</superscript>CRITICAL Software S.A., Coimbra, Portugal</para>
<section class="lev1" id="sec1-1" label="1.1" xreflabel="1.1">
<title>Introduction</title>
<para>Companies working in safety-critical domains as the avionics or space have mandatorily to comply with standards, regulating the lifecycle of the system development, the techniques to be adopted and requirements to be fulfilled in different lifecycle phases. Consequently, a company that develops systems or products in compliance with a standard need skill to use the recommended techniques, often with the support of tools developed within the company or from third parties.</para>
<para>The variety of Information and Communications Technology (ICT) world and applicable domains nowadays imply that several standards for safety-critical systems exist, applied mandatorily and regulating the development and operation of critical systems. As examples, the DO-178B/C [<link linkend="ch01bib1">1</link>, <link linkend="ch01bib2">2</link>], DO-254 [<link linkend="ch01bib3">3</link>] are the mandatory international standards for the avionics domain; the CENELEC EN 50126 [<link linkend="ch01bib4">4</link>], 50128 [<link linkend="ch01bib5">5</link>] and 50129 [<link linkend="ch01bib6">6</link>] are the mandatory standards for the European railway domain; the ECSS [<link linkend="ch01bib7">7</link>] is the set of standards for the space domain in Europe.</para>
<para>When changing domain, a company needs to apply different standards and can encounter several connected issues, such as different: (i) definitions; (ii) level of expectations; (iii) level of details of the required tasks; (iv) maturity level of processes, techniques, tools, customers, etc.; (v) requirements for tool qualification.</para>
<para>A company wanting to adopt a standard, e.g., as the consequence to the decision to enter a new market, must necessarily (i) gain the skills, techniques and tools necessary to appropriately operate in compliance with the standard, (ii) have a different mindset, and (iii) acquire the necessary expertise. The question that is naturally raised is related to the effort, both in time and cost, of introduction of a standard in a company. Such an effort can be considerable, if the company never worked with similar standards or domains.</para>
<section class="lev2" id="sec1-1-1" label="1.1.1" xreflabel="1.1.1">
<title>Contribution</title>
<para>We present <emphasis>an easy-to-use framework and a supporting methodology to perform a rapid gap analysis on the usage of standards for safety-critical software</emphasis>, being them new ones to be introduced or already applied. In other words, the framework can be applied to reason in terms of &#x0201C;changing standard&#x0201D; or in terms of &#x0201C;introducing a new standard&#x0201D;. The ultimate objective is to discover with limited effort how far a company is from acquiring a level of knowledge sufficient to apply a specific standard. Our approach is based on the concept of rating the knowledge available: it starts from an understanding of the expertise of a company, and it rates the improvements, in terms of training, needed to reach an adequate level of confidence with the techniques and processes required in the standard. Our approach can be applied to a whole standard, a part of it, or to individual techniques and tools. Thus, our framework offers the possibility to depict the status of the knowledge available in the company, which may offer valuable insights on the areas that are mostly covered, and where potential improvements are possible. The approach can indicate the introduction time, which estimates the overall training time required to introduce a new standard.</para>
<para>In the case study, the framework and the supporting methodology are applied to investigate the verification and validation phases of the DO-178B standard in the company <emphasis>CRITICAL Software S.A</emphasis>.</para>
<para>We note that our framework cannot be dissociated from the personnel operating in the company: in fact, the personnel are actually holding the background knowledge and are in charge of acquiring new knowledge. Consequently, the identification of the personnel in the company and their role, together with an investigation of their skills, is part of our approach and connected to the outcome of the analysis.</para>
<para>A relevant note is that we specifically target <emphasis>software companies</emphasis>, <emphasis>prescriptive standards for software</emphasis>, and the <emphasis>safety-critical domains</emphasis>. Although the framework may also be applicable to other kinds of companies, standards (e.g., goal-based standards opposed to prescriptive ones [<link linkend="ch01bib8">8</link>]), and domains, we explicitly remark that our investigations, use case and claims of validity are exclusively related to the above targets. A preliminary version of the framework and methodology appeared in [<link linkend="ch01bib9">9</link>].</para>
<para>The rest of this chapter is organized as follows. Section 1.2 presents the state of the art. Section 1.3 illustrates the framework and the methodology. Section 1.4 presents the structure of the dataset used, and how to populate it. Section 1.5 presents the metrics for the qualitative and quantitative evaluation of gaps. Section 1.6 presents the case study, Section 1.7 discusses relevant arguments to exercise the framework, and Section 1.8 concludes the Chapter.</para>
</section>
</section>
<section class="lev1" id="sec1-2" label="1.2" xreflabel="1.2">
<title>State of the Art on Gap Analysis in the ICT World</title>
<para>Gap analysis is a renowned concept that finds application in several fields since many years; significant examples are in the fields of civil engineering [<link linkend="ch01bib10">10</link>], biology [<link linkend="ch01bib11">11</link>], economics [<link linkend="ch01bib12">12</link>] and ICT [<link linkend="ch01bib13">13</link>&#x02013;<link linkend="ch01bib18">18</link>].</para>
<para>In ICT, gap analysis is usually defined as the study of the differences between two information systems or applications, often for the purpose of determining how to get from one state to a new state. A gap can be presented as the space between where we are and where we want to be; gap analysis is undertaken as a mean of bridging that space. We report on most relevant examples of gap analysis for safety-critical systems.</para>
<para>Gap analysis is part of the Software Process Improvement and Capability Determination (SPICE, now an ISO/IEC standards set [<link linkend="ch01bib14">14</link>]) to afford the process capability level evaluations of suppliers. SPICE can result useful to select the cheapest supplier amongst those with adequate qualification, or to identify gaps between the current capability of the supplier and the level required by a potential customer. Similarly, the Automotive SPICE (ASPICE, [<link linkend="ch01bib195">195</link>]) starts from SPICE but is specific to the automotive industry. Furthermore, the Capability Maturity Model Integration (CMMI, [<link linkend="ch01bib13">13</link>]) includes the Standard CMMI Appraisal Method for Process Improvement (SCAMPI, [<link linkend="ch01bib13">13</link>]) that is aimed to appraise organizations capability maturity; the SCAMPI approach can result in a capability level profile, or also in benchmarking against other organizations. However, evaluating performance lies out of its scope [<link linkend="ch01bib20">20</link>]. CMMI compliance is not a guarantee of good performance <emphasis>per se</emphasis>, i.e., there is high variance in performance results within a maturity level [<link linkend="ch01bib20">20</link>]. According to [<link linkend="ch01bib21">21</link>, <link linkend="ch01bib22">22</link>], in general, these structured processes are widely applicable for large organizations, while their suitability is more arguable for smaller ones. For both large and small organizations, main concerns are the often elevated costs, the highly complex recommendations, and the improvement projects which involve a large investment in terms of money, time, resources and long time to benefit.</para>
<para>There are several other examples of gap analysis in the ICT. The Integration DEFinition (IDEF, [<link linkend="ch01bib15">15</link>]) is a group of methods used to create a model of a system, analyze the model, create a model of a desired version of the system, and aid in the transition from one to the other. [<link linkend="ch01bib16">16</link>] defines an index for measuring and analyzing the divide among countries in the area of ICT infrastructure and access [<link linkend="ch01bib17">17</link>] develops a Skills Gap Analysis study to respond to immediate inquiries for information on the needs for ICT skills covering the local, regional, and global markets [<link linkend="ch01bib18">18</link>] explores the determinants of cross-country disparities in personalcomputer and Internet penetration, relating technology penetration rates with income, human capital, the youth dependency ratio, telephone density, legal quality, and banking sector development.</para>
<para>Other related approaches can be identified in methods for evaluating the cost of software development projects (e.g., COCOMO [<link linkend="ch01bib23">23</link>]), as well as system engineering costs (e.g., COSYSMO [<link linkend="ch01bib24">24</link>]). Additionally, there have been efforts in building frameworks to guide and support the design, assessment and certification process, for example [<link linkend="ch01bib25">25</link>, <link linkend="ch01bib26">26</link>].</para>
<para>Summarizing, overall a vast literature exists on gap analysis, introduction time, and compliance to safety-critical standards. To the authors&#x02019; knowledge, till today there are no publicly-available gap analysis for software safety standards that are easy-to-use, easy-to-maintain, and that allows understanding, with limited investment, the effort required to become confident with a standard. Companies can benefit from our solution to evaluate their expertise with a standard, measure how difficult it would be to introduce it, and define an appropriate plan for such a standard.</para>
</section>
<section class="lev1" id="sec1-3" label="1.3" xreflabel="1.3">
<title>Overview of the Framework and Methodology</title>
<para>The framework and the related methodology are presented in this Section. They can be realized and executed with the support of a database and tools for drafting questionnaires and data analysis tools. In fact, the whole methodology was implemented and exercised using as supporting instruments a MySQL database to store data, MySQL Workbench to ease database management, the Google Docs suite to make questionnaire and reports, and a few Java classes for data extraction and elaboration, and to implement the decision tree of Section 1.5.</para>
<para>In the following chapter, to include examples and to guide our case study, we refer as background knowledge to [<link linkend="ch01bib27">27</link>] that classifies the main items, techniques, and processes of aerospace software standards.</para>
<section class="lev2" id="sec1-3-1" label="1.3.1" xreflabel="1.3.1">
<title>The Framework</title>
<para>We present the overall framework with the support of <link linkend="F1-1">Figure <xref linkend="F1-1" remap="1.1"/></link>. It is structured in three main blocks: <emphasis>Processes</emphasis>, <emphasis>Techniques, and Tools</emphasis>, and <emphasis>Personnel</emphasis>. The input to the first two blocks is the <emphasis>standard</emphasis> under analysis.</para>
<section class="lev3" id="sec1-3-1-1" label="1.3.1.1" xreflabel="1.3.1.1">
<title>Processes</title>
<para>This block is devoted to the identification and matching of the processes. It contains <emphasis>internal processes</emphasis> and <emphasis>standard processes.</emphasis> Internal processes are defined and applied in a company e.g., internal quality management systems, or internal processes that are required for having certifications like ISO 9001 [<link linkend="ch01bib28">28</link>] or CMMI. <emphasis>Standard processes</emphasis> are instead the processes or requirements defined in standards; examples at a macro level are design, development, verification, validation, or integration processes.</para>
<fig id="F1-1" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F1-1">Figure <xref linkend="F1-1" remap="1.1"/></link></label>
<caption><para>Overall view of the gap analysis framework.</para></caption>
<graphic xlink:href="graphics/ch01_fig001new.jpg"/>
</fig>
<para>For each standard, a corresponding traceability matrix must be created and populated; it checks that <emphasis>internal processes</emphasis> are compliant to <emphasis>standard processes</emphasis>. One or more internal processes should be matched to each process of each individual standard. If the matching is not complete, there may be the necessity to review internal processes; otherwise the applicability of the standard may be compromised.</para>
<para>Although solutions to automate these checks exist [<link linkend="ch01bib29">29</link>, <link linkend="ch01bib30">30</link>], we believe that a visual inspection of the standard is sufficient to identify major inconsistencies. This claim is supported by the typically structured descriptions of internal processes and standard processes.</para>
<para>The identification and matching of such processes are inputs to the block Techniques and Tools.</para>
</section>
<section class="lev3" id="sec1-3-1-2" label="1.3.1.2" xreflabel="1.3.1.2">
<title>Techniques and tools</title>
<para>Both standard processes and internal processes typically list recommended or mandatory techniques.</para>
<para>A whole list of techniques in the standard (<emphasis>techniques in standard</emphasis>) and techniques available in the company (<emphasis>techniques in company</emphasis>) is required. The list of the techniques in standard needs to be compiled for each standard; the list of techniques in company needs to be compiled only once, and updated when a new technique is learnt.</para>
<para>A traceability matrix can match techniques in company and techniques in standard, to identify the correspondence between the two or possible mismatches. For example, a technique discussed in a standard that has no correspondence among the techniques available in the company know-how. One or more <emphasis>techniques in company</emphasis> may be matched to each <emphasis>technique in standard</emphasis>. Techniques in standard and techniques in company are also matched to, respectively, standard processes and internal process.</para>
<para><emphasis>Tools</emphasis> are connected to the techniques in the company, because they can support their execution (occasionally tools can support the whole process [<link linkend="ch01bib25">25</link>, <link linkend="ch01bib26">26</link>], although this possibility is not represented in <link linkend="F1-1">Figure <xref linkend="F1-1" remap="1.1"/></link>). Similarly, <emphasis>training</emphasis> materials (e.g., slides from courses or tutorials), whenever available, are enlisted and mapped to the company tools and techniques. Noteworthy, techniques or tools not explicitly mentioned in internal processes may be available in the company and useful to support the execution of such internal processes: in this case, it is required to add such techniques or tools and create the appropriate connections to the internal processes.</para>
<para>It is fundamental to understand the confidence in using a technique or a tool; an option is to acquire this information through a questionnaire, as we will discuss in later sections of this chapter. Obviously, this has not to be done on individual basis to rate the single worker, but as a collective exercise between expert workers.</para>
</section>
<section class="lev3" id="sec1-3-1-3" label="1.3.1.3" xreflabel="1.3.1.3">
<title>Personnel</title>
<para>The personnel are actually holding the background knowledge of the company and are in charge of acquiring new knowledge. The block <emphasis>personnel</emphasis> relate the company&#x02019;s personnel to the know-how available on the listed techniques and tools. The block contains information on the personnel as the available <emphasis>roles</emphasis>, the desired <emphasis>aptitude skills</emphasis> for each specific role, and the required <emphasis>competences</emphasis>. Roles are matched directly to the techniques, while competences are matched to training. <emphasis>Aptitude skills</emphasis> [<link linkend="ch01bib31">31</link>] are instead soft skills as behavioral skills; which have an ancillary role in the framework but are included to present a complete characterization of personnel. More information on the roles and skills are in Section 1.4.</para>
</section>
</section>
<section class="lev2" id="sec1-3-2" label="1.3.2" xreflabel="1.3.2">
<title>The Methodology to Exercise the Framework</title>
<para>The overall methodology resulting from the execution of the framework is hereby presented. The steps are the same for gap analysis of standards already in use and for the introduction of a new standard. For simplicity of the discussion, we refer here only to the last case. We assume that the standards <emphasis>S</emphasis><subscript>1</subscript>, &#x02026;, <emphasis>S<subscript>n</subscript></emphasis><subscript>-1</subscript> are already part of the framework, and that data on internal processes, techniques in the companies and personnel are already available. This can be done iterating the below steps for the standards <emphasis>S</emphasis><subscript>1</subscript>&#x02026;<emphasis>S<subscript>n</subscript></emphasis><subscript>-1</subscript>, until the dataset is up-to-date.</para>
<para>When a new standard <emphasis>S<subscript>n</subscript></emphasis> is introduced, the approach is the following.</para>
<para><emphasis>Step 1.</emphasis> The list of standards is updated with <emphasis>S<subscript>n</subscript></emphasis>, and the corresponding traceability matrix of <emphasis>S<subscript>n</subscript></emphasis> w.r.t. internal processes is created. <link linkend="T1-1">Table <xref linkend="T1-1" remap="1.1"/></link> presents a sample extract of such traceability matrix.</para>
<table-wrap position="float" id="T1-1">
<label><link linkend="T1-1">Table <xref linkend="T1-1" remap="1.1"/></link></label>
<caption><para>A sample extract of the traceability matrix on processes</para></caption>
<table cellspacing="5" cellpadding="5" frame="hsides" rules="groups">
<thead>
<tr>
<td valign="bottom" align="left">Standard Processes (Requirements) from DO-178B</td>
<td valign="bottom" align="left">Internal Processes</td>
</tr>
</thead>
<tbody>
<tr>
<td valign="top" align="left">SW high-level requirements comply with system requirements</td>
<td valign="top" align="left">Verification Process</td>
</tr>
<tr>
<td valign="top" align="left">SW high-level requirements comply with system requirements</td>
<td valign="top" align="left">Requirements Analysis</td>
</tr>
<tr>
<td valign="top" align="left">High-level requirements are accurate and consistent</td>
<td valign="top" align="left">Requirements Analysis</td></tr>
</tbody>
</table>
</table-wrap>
<table-wrap position="float" id="T1-2">
<label><link linkend="T1-2">Table <xref linkend="T1-2" remap="1.2"/></link></label>
<caption><para>A sample extract of the traceability matrix on techniques</para></caption>
<table cellspacing="5" cellpadding="5" frame="hsides" rules="groups">
<thead>
<tr>
<td valign="bottom" align="left">Techniques in Standard</td>
<td valign="bottom" align="left">Techniques in Company</td>
</tr>
</thead>
<tbody>
<tr>
<td valign="top" align="left"></td>
<td valign="top" align="left">Reviews</td></tr>
<tr>
<td valign="top" align="left"></td>
<td valign="top" align="left">Inspections</td>
</tr>
<tr>
<td valign="top" align="left">Reviews, inspections, analysis</td>
<td valign="top" align="left">HW/SW interaction analysis (HSIA)</td>
</tr>
<tr>
<td valign="top" align="left"></td>
<td valign="top" align="left">Traceability</td>
</tr>
<tr>
<td valign="top" align="left"></td>
<td valign="top" align="left">Static analysis</td></tr>
</tbody>
</table>
</table-wrap>
<para><emphasis>Step 2.</emphasis> The list of <emphasis>techniques in standards</emphasis> is updated with techniques that are mentioned in <emphasis>S<subscript>n</subscript></emphasis>; consequently, the match with <emphasis>techniques in company</emphasis> is updated. For example, in <link linkend="T1-2">Table <xref linkend="T1-2" remap="1.2"/></link>, the techniques &#x0201C;reviews, inspections, analysis&#x0201D; from the list in [<link linkend="ch01bib27">27</link>] are matched to several company techniques, as reviews, inspections, HW/SW interaction analysis (HSIA), traceability analysis. If in <emphasis>S<subscript>n</subscript></emphasis> there is a technique with no matches amongst the list of techniques in company, it is sufficient to add the same exact name to such list. As a result, a very low rating on the maturity in using such technique will be assigned in Step 4; this will be further discussed also in Section 1.4 and Section 1.5. Ultimately, tools are listed and matched to the techniques in company.</para>
<para><emphasis>Step 3.</emphasis> The data acquisition process gathers information on the confidence in using each technique and tool.</para>
<para><emphasis>Step 4.</emphasis> Data is analyzed, and gap analysis and learning time are computed.</para>
<fig id="F1-2" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F1-2">Figure <xref linkend="F1-2" remap="1.2"/></link></label>
<caption><para>EER structure of the database.</para></caption>
<graphic xlink:href="graphics/ch01_fig02.jpg"/>
</fig>
</section>
</section>
<section class="lev1" id="sec1-4" label="1.4" xreflabel="1.4">
<title>Dataset Structure and Population</title>
<section class="lev2" id="sec1-4-1" label="1.4.1" xreflabel="1.4.1">
<title>Dataset Structure</title>
<para>With the support of the Enhanced Entity&#x02013;Relationship (EER) diagram in <link linkend="F1-2">Figure <xref linkend="F1-2" remap="1.2"/></link>, we comment on the most relevant elements of the dataset that are required to exercise the framework. The diagram is organized in three areas: the first one (dashed line) contains information on the standards, the second one (dotted line) discusses internal processes and the third one (dash-dotted line) is dedicated to the definition and characterization of the personnel.</para>
<para>We start discussing the first area (dashed line). Table <emphasis>standards</emphasis> enlist the standards in use in the company including general information, for example release date, involved industrial domain, and emitting agency. Additional tables can be linked to table <emphasis>standard</emphasis> to annotate concepts that differs from a standard to another. As an example, the EER diagram includes the table <emphasis>safety levels</emphasis>, which describes the different notion of safety levels across standards. In fact, for example, safety levels are called &#x0201C;Software Levels&#x0201D; and organized in five levels in the DO-178B/C, while they are called &#x0201C;Automotive Software Integrity Levels&#x0201D; (ASILs) and organized in four levels in the ISO 26262. Other examples on safety levels can be found in [<link linkend="ch01bib27">27</link>]. Although these annotations are not deemed fundamental for the successful execution of the framework, they can simplify the execution of Step 1 and Step 2 of Section 1.3.</para>
<para>Table <emphasis>requirements</emphasis> enlist the requirements, often expressed in terms of steps of a process, described in each standard. Requirements usually suggest specific techniques: table <emphasis>techniques in standards</emphasis> enlist the techniques named in each standard. The <emphasis>table techniques in standards</emphasis> can specify if a technique is a replacement or alterative to others that are mentioned in the standard. This is useful for the mapping with the second area of <link linkend="F1-2">Figure <xref linkend="F1-2" remap="1.2"/></link> (dotted line), to favor the matching of techniques in standards with those applied in a company. It is important to report recommendation level of each technique for the considered standard.</para>
<para>The second area includes the table <emphasis>company processes</emphasis>, which describes the processes available in the company. Usually, these are described in the internal documentation of a company. Table <emphasis>techniques in company</emphasis> enlist the techniques available. Again, such list can be extracted from the internal documentation. To perform the gap analysis, it is required to score the relevance of the technique in the daily work, its frequency of use, the complexity from the point of view of the personnel, the experience of the team in using such technique, the <emphasis>learning time</emphasis> (learning time indicates how much training time and hands-on-the-job time is required to gather confidence in applying a specific technique). Table <emphasis>tools</emphasis> contain the list of tools available in the company. For the tools table, it is required to evaluate the same attributes as above: relevance, frequency of use, complexity, team experience, learning time of the tool. Section 1.4.2 discusses how to collect such values. Finally, the table <emphasis>training</emphasis> enlists the training material available in the company.</para>
<para>The third area (dash-dotted line) is devoted to the identification of personnel. We propose the following minimum set of tables to describe the personnel, although our approach is open to improvements or adjustments in case companies offer different or enhanced characterizations of personnel.</para>
<para>Table <emphasis>roles</emphasis> enlist the different roles. Roles are related to the techniques and tools, because it is expected that people having different roles are able to apply different techniques and tools, or take responsibility over different processes. Regarding table aptitude skills, we propose from [<link linkend="ch01bib31">31</link>]: (i) behavioral skills e.g., personal integrity, interpersonal skills; (ii) underpinning knowledge i.e., knowledge on the system, required to successfully applying a technique; (iii) underpinning understanding that is general knowledge on the area of work; (iv) statutory and legislation knowledge. Table <emphasis>competences</emphasis>, instead, list the required competences as the number of years of experience, or the expertise in a specific topic or domain. Intuitively, table competences and aptitude skills are connected to table roles.</para>
<para>Relations between tables allow connecting and extracting the relevant information from the dataset. For example, the dataset can be used to verify the matching between the standards requirements and company processes. The dataset is also able to differentiate techniques that are similar but used in a different way from domain to domain; the relation of the technique to the corresponding standard is in this case fundamental.</para>
<para>It should be noted that terms reported in the dataset may be very general and several techniques can be matched e.g., requirements-based testing may encompass a large part of the testing activities that are performed on a system or component. The implication is that querying the dataset, different techniques applied in a company can be matched to the same technique in a standard. However this does not alter the methodology, because the different techniques available in the company are first evaluated individually, and then summarizing results are drafted, as explained in Section 1.5.</para>
</section>
<section class="lev2" id="sec1-4-2" label="1.4.2" xreflabel="1.4.2">
<title>Population of the Dataset</title>
<para>We discuss hereafter how to collect the main data to populate the dataset. Some data and especially those in the first area are acquired from the documentation typically available in a company.</para>
<para>Regarding the second area, it is required to acquire information on relevance, frequency of use, complexity, experience, and learning time of techniques and tools. While different approaches may exist, in this chapter we propose a questionnaire that can be distributed between expert personnel to acquire anonymous data.</para>
<para>In this chapter, we propose the following entries and scores to rate techniques and tools applied in the company:</para>
<itemizedlist mark="bullet" spacing="normal">
<listitem>
<para><emphasis>Relevance</emphasis>: high relevance = 4, medium relevance = 3,<?lb?>limited relevance = 2;</para></listitem>
<listitem>
<para><emphasis>Frequency of use</emphasis>: often = 4, rarely = 3, and never = 2;</para></listitem>
<listitem>
<para><emphasis>Complexity</emphasis>: complex = 4, affordable = 3, and easy = 2;</para></listitem>
<listitem>
<para><emphasis>Experience</emphasis>: high experience = 4, medium experience = 3,<?lb?>low or no experience = 2;</para>
<itemizedlist mark="bullet" spacing="normal">
<listitem>
<para><emphasis>Learning time</emphasis> (the time requested by a low-experienced worker to become able to apply a technique or tool with only periodic supervision): less than 1 month = 0.5, &#x0223C;1 month = 1, &#x0223C;2 months = 2, &#x0223C;3 months = 3, and more than 3 months = 4.</para></listitem></itemizedlist>
</listitem></itemizedlist>
<para>The possibility to select the option &#x0201C;<emphasis>unknown</emphasis>&#x0201D; is offered, meaning that the person was unable to decide on a rating. This option should be selected when the personnel feels that he is not able to comment on the technique or tool despite being an expert in the specific area. Also, the questionnaire is supposed to be filled only by personnel expert on safety-critical processes, so that they can adequately judge on the techniques and tools, even when they had limited opportunities to get confident with them. Ultimately, note that a questionnaire for techniques in standards is not necessary, because at least one corresponding technique in company is matched to each technique in a standard (see also Step 2 in Section 1.3).</para>
<para>Once all questionnaires are filled, for each technique and tool we select the following values to be computed and added in the dataset: <emphasis>average, standard deviation</emphasis>, <emphasis>mode</emphasis>, and the <emphasis>number of unknowns</emphasis> (number of answers in which the &#x0201C;unknown&#x0201D; option was selected). The mode can be selected instead of the average if the number of questionnaires is small or the results do not lead to a normal distribution. This may result useful in boundary cases, for example when a small subset of the personnel is very skilled on a tool, while the others do not know how to use it.</para>
<para>With respect to the third area (<link linkend="F1-3">Figure <xref linkend="F1-3" remap="1.3"/></link>) proposes a classification of the main personnel roles requested in critical software standards that can be used as reference to populate table <emphasis>roles</emphasis> in the dataset. Since our experience is from the aerospace, <link linkend="F1-3">Figure <xref linkend="F1-3" remap="1.3"/></link> is specifically drafted having aerospace software standards in mind. The following blocks are here considered external to the company: Certification Agency, where the Designated Engineering Representatives, or DER, is located, Hardware Manufacturer, Independent Verification &#x00026; Validation (V&#x00026;V) engineer and Audit Team. This is common although it is mandatory only for the Certification Agency. System integrators are connected, because they need to interact closely for hardware&#x02013;software integration.</para>
<fig id="F1-3" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F1-3">Figure <xref linkend="F1-3" remap="1.3"/></link></label>
<caption><para>Example of roles organization in a critical software company.</para></caption>
<graphic xlink:href="graphics/ch01_fig003new.jpg"/>
</fig>
<para>The V&#x00026;V Team and the Independent V&#x00026;V Team include Test Managers and Test Engineers. The Auditor and the Lead Auditor should be included when addressing services for Independent V&#x00026;V. The Design and Development Team should include also the Configuration Team, but we merge this role with Integrators, Software Designers and Software Developers. The Quality Assurance Team is in a separate group, which includes Software Product Assurance Engineers. These roles can have different aggregations on other organizations.</para>

<para>To verify the effectiveness of the roles subdivision, we examined the involvement of each role in the most relevant aerospace standards. We identified the personnel roles involved in the different parts of each standard, with sub-section granularity. In other words, we assigned one or more roles to the requirements set contained in a subsection. We excluded introductory sections, acronyms, glossary, references sections, and Annexes.</para>
<para>We start our analysis from the avionics standards DO-178B, DO-178C, ED-153 [<link linkend="ch01bib32">32</link>] and ARP4754A [<link linkend="ch01bib33">33</link>]. The ED-153 applies to software that forms part of an Air Navigation System, and ARP4754A is intended for development of civil aircraft and systems, with emphasis on safety aspects. Results are depicted in <link linkend="F1-4">Figure <xref linkend="F1-4" remap="1.4"/></link>, showing the percentage computed approximating to the nearest integer. V&#x00026;V and Independent V&#x00026;V engineers are considered together due to their similar responsibilities. The managerial roles are omitted for readability as they have implicit involvement in every part of the standards. We can note that, overall, the various standards present similar percentage of involvement for the various roles. Especially, the surveyed standards have a similar percentage of V&#x00026;V engineers, which ranges from 61 to 82%, and of DER. The three standards DO-178B, DO-178C and ED-153 are exclusively related to software and highly correspond for the involvement of software designers, software developers, and hardware-related roles. Instead the ARP4754A is a system-level standard and considers mainly system engineers, RAMS engineers, V&#x00026;V engineers and DER, while software and hardware designers and developers have a marginal role. Security engineers are little or not considered in these standards.</para>
<fig id="F1-4" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F1-4">Figure <xref linkend="F1-4" remap="1.4"/></link></label>
<caption><para>Involvement of the different roles in avionics standards.</para></caption>
<graphic xlink:href="graphics/ch01_fig004new.jpg"/>
</fig>
<para>We performed a similar analysis on most relevant space standards and especially software-related ones. The standards analyzed are the Galileo software standard GSWS [<link linkend="ch01bib34">34</link>], the EUROCAE Guidelines for ANS Software Safety Assurance ED-153 [<link linkend="ch01bib32">32</link>], and ECSS standards that we deemed most relevant for safety critical software design and V&#x00026;V [<link linkend="ch01bib35">35</link>&#x02013;<link linkend="ch01bib38">38</link>] and product assurance [<link linkend="ch01bib39">39</link>&#x02013;<link linkend="ch01bib41">41</link>]. All standards showed a similar behavior, with the exceptions of GSWS considering also System integrators, and of ED-153 giving low relevance to security engineers. [<link linkend="ch01bib36">36</link>] targets mostly system engineers, and to a lesser extent RAMS Engineers and V&#x00026;V Engineers. [<link linkend="ch01bib37">37</link>] and [<link linkend="ch01bib38">38</link>] instead are almost exclusively devoted to V&#x00026;V Engineers. [<link linkend="ch01bib39">39</link>] and [<link linkend="ch01bib40">40</link>] are intended for RAMS Engineers and V&#x00026;V Engineers.</para>
</section>
</section>
<section class="lev1" id="sec1-5" label="1.5" xreflabel="1.5">
<title>Metrics for Gap Analysis</title>
<para>Once the dataset is populated, qualitative, and quantitative approaches can support the identification of the gaps and the estimation of the introduction time.</para>
<section class="lev2" id="sec1-5-1" label="1.5.1" xreflabel="1.5.1">
<title>Qualitative Indications</title>
<para>We propose a qualitative analysis for the rapid identification of potential weaknesses and get an overall grasp on the results achieved. Several approaches can be identified; we propose in this chapter an intuitive one, based on a simple binary tree that can be easily built for each technique and tool.</para>
<para>The first four levels of the tree correspond to the attributes <emphasis>relevance</emphasis>, <emphasis>experience</emphasis>, <emphasis>frequency of use</emphasis>, <emphasis>complexity</emphasis>. The fifth level is a comment in natural language. Starting from the root, at each node, the left or right branch is selected if the score assigned to the attribute is below a threshold or not. The leaves of the tree include conclusive judgments on the technique or tool under exam.</para>
<para>As example, we show in <link linkend="T1-3">Table <xref linkend="T1-3" remap="1.3"/></link> the binary tree that we defined for our case study. Thresholds are set as follows:</para>
<itemizedlist mark="bullet" spacing="normal">
<listitem>
<para><emphasis>relevance</emphasis> of the technique (for the target standard) = 3</para></listitem>
<listitem>
<para><emphasis>experience</emphasis> = 3</para></listitem>
<listitem>
<para><emphasis>frequency of use</emphasis>= 3</para></listitem>
<listitem>
<para><emphasis>complexity</emphasis> = 3</para></listitem></itemizedlist>
<table-wrap position="float" id="T1-3">
<label><link linkend="T1-3">Table <xref linkend="T1-3" remap="1.3"/></link></label>
<caption><para>The binary decision diagram</para></caption>
<table cellspacing="5" cellpadding="5" frame="hsides" rules="groups">
<thead>
<tr>
<td valign="bottom" align="left">Relevance</td>
<td valign="bottom" align="left">Experience</td>
<td valign="bottom" align="center">Frequency of Usage</td>
<td valign="bottom" align="left">Complexity</td>
<td valign="bottom" align="left">Qualitative Comment</td>
</tr>
</thead>
<tbody>
<tr>
<td valign="top" align="center">&#x02265;3</td>
<td valign="top" align="center">&#x02265;3</td>
<td valign="top" align="center">&#x02265;3</td>
<td valign="top" align="center">any</td>
<td valign="top" align="left">Relevant, applied, and experienced.</td>
</tr>
<tr>
<td valign="top" align="center">&#x02265;3</td>
<td valign="top" align="center">&#x02265;3</td>
<td valign="top" align="center">&#x0003C;3</td>
<td valign="top" align="center">&#x02265;3</td>
<td valign="top" align="left">Relevantand large experience, but not applied.</td>
</tr>
<tr>
<td valign="top" align="center">&#x02265;3</td>
<td valign="top" align="center">&#x02265;3</td>
<td valign="top" align="center">&#x0003C;3</td>
<td valign="top" align="center">&#x0003C;3</td>
<td valign="top" align="left">Relevant, simple, large experience, but not applied. R<emphasis role="strong">equires further investigation</emphasis>.</td>
</tr>
<tr>
<td valign="top" align="center">&#x02265;3</td>
<td valign="top" align="center">&#x0003C;3</td>
<td valign="top" align="center">&#x02265;3</td>
<td valign="top" align="center">&#x02265;3</td>
<td valign="top" align="left">Relevant and complex. <emphasis>Applied with little experience</emphasis>. <emphasis role="strong">Requires further investigation</emphasis>.</td>
</tr>
<tr>
<td valign="top" align="center">&#x02265;3</td>
<td valign="top" align="center">&#x0003C;3</td>
<td valign="top" align="center">&#x02265;3</td>
<td valign="top" align="center">&#x0003C;3</td>
<td valign="top" align="left">Relevant and <emphasis>applied with little experience</emphasis>. <emphasis role="strong">Requires further investigation</emphasis>.</td>
</tr>
<tr>
<td valign="top" align="center">&#x02265;3</td>
<td valign="top" align="center">&#x0003C;3</td>
<td valign="top" align="center">&#x0003C;3</td>
<td valign="top" align="center">Any</td>
<td valign="top" align="left"><emphasis>Relevant but not applied</emphasis>and not experienced.<emphasis role="strong">Requires further investigation</emphasis>.</td>
</tr>
<tr>
<td valign="top" align="center">&#x0003C;3</td>
<td valign="top" align="center">&#x02265;3</td>
<td valign="top" align="center">&#x02265;3</td>
<td valign="top" align="center">Any</td>
<td valign="top" align="left">Little relevance, large experience, and applied.</td>
</tr>
<tr>
<td valign="top" align="center">&#x0003C;3</td>
<td valign="top" align="center">&#x02265;3</td>
<td valign="top" align="center">&#x0003C;3</td>
<td valign="top" align="center">Any</td>
<td valign="top" align="left">Little relevance, and not applied.</td>
</tr>
<tr>
<td valign="top" align="center">&#x0003C;3</td>
<td valign="top" align="center">&#x0003C;3</td>
<td valign="top" align="center">&#x02265;3</td>
<td valign="top" align="center">Any</td>
<td valign="top" align="left">Little relevance, but applied <emphasis>with limited experience</emphasis>. <emphasis role="strong">Requires further investigation</emphasis>.</td>
</tr>
<tr>
<td valign="top" align="center">&#x0003C;3</td>
<td valign="top" align="center">&#x0003C;3</td>
<td valign="top" align="center">&#x0003C;3</td>
<td valign="top" align="center">Any</td>
<td valign="top" align="left">Little relevant, and not applied.</td>
</tr>
</tbody>
</table>
</table-wrap>
<para>The final leaf includes a qualitative comment, resulting from the path of the tree, which may suggest the necessity of further investigation.</para>
<para>Obviously, this approach can be easily extended in case of additional attributes or different rating schemes that consider multiple thresholds.</para>
</section>
<section class="lev2" id="sec1-5-2" label="1.5.2" xreflabel="1.5.2">
<title>Quantitative Indication</title>
<para>The data acquired may contain information that is not grasped during the qualitative analysis above. We define the quantities Q<subscript>1</subscript>, Q<subscript>2</subscript>, Q<subscript>3</subscript>, Q<subscript>4</subscript> to relate relevance, (team) experience, frequency of use (called also <emphasis>applied</emphasis> below for simplicity), complexity, and to identify those techniques and tools that may need particular attention. Obviously several other different quantities could be identified and applied, without introducing any limitation to the methodology.</para>
<para>We select Q<subscript>1</subscript>, Q<subscript>2</subscript>, Q<subscript>3</subscript>, Q<subscript>4</subscript> to seek the appropriate balance between complexity, relevance, frequency of use and team experience. The score 0 represents a balance between the different attributes; the highest it is, the highest is the necessity of further investigating the technique or tool.</para>
<para><emphasis>Is complexity an issue? Q<subscript>1</subscript></emphasis>= <emphasis>complexity</emphasis><superscript>2</superscript>-<emphasis>applied</emphasis> &#x000D7;<emphasis>experience</emphasis>. This quantity raises awareness of misalignment between difficulty and confidence. Q<subscript>1</subscript> is intended to heavily penalize complex techniques. A small Q<subscript>1</subscript> means that there is high confidence in the usage of a technique.</para>
<para><emphasis>Is Experience Adequate? Q<subscript>2</subscript> = (relevance</emphasis>+ <emphasis>applied</emphasis>) &#x02013; (<emphasis>experience</emphasis> &#x000D7; 2). The objective of this quantity is to indicate that experience is sufficient w.r.t. the relevance and application of a technique.</para>
<para><emphasis>Is there an overall balancing? Q<subscript>3</subscript> = (relevance</emphasis> &#x000D7;<emphasis>complexity</emphasis>) &#x02013; (<emphasis>applied</emphasis> &#x000D7; <emphasis>experience</emphasis>). <emphasis>Q</emphasis><subscript>3</subscript> compares the confidence in using a technique, i.e., experience and frequency of application, to the relevance and complexity of the technique. It is a summarizing quantity that relates all attributes used up to now.</para>
<para><emphasis>Is experience justified? Q<subscript>4</subscript> = relevance</emphasis> &#x02013; <emphasis>experience</emphasis>. <emphasis>Q</emphasis><subscript>4</subscript> indicates the experience of the team w.r.t. the relevance of a technique or tool. Ideally, its target score is 0, meaning for example that a very relevant tool is applied with excellent skill; or on the opposite, that a tool recognized as almost irrelevant is also almost unknown. If <emphasis>Q</emphasis><subscript>4</subscript> is a positive score, it indicates that a tool or technique acknowledged as relevant is not known adequately.</para>
<para>The case study in Section 0 reports results of these metrics for the analysis of DO-178B in a software company.</para>
</section>
<section class="lev2" id="sec1-5-3" label="1.5.3" xreflabel="1.5.3">
<title>Driving Conclusions</title>
<para>The data and the results of the qualitative and quantitative analysis need to be investigated to finalize conclusions. The optimal is that for each recommended technique in the standard, one or more techniques in company are frequently applied with good experience. However, we note that often the techniques recommended in the standards can have replacement techniques, or only a subset of such techniques is actually necessary: this is further elaborated in Section 1.7.</para>
<para>Checks of paperwork or interviews can be a viable support to verify the gaps resulting from the above analysis. This is especially true in two cases. First, we should consider the case when different techniques can be used as alternatives to meet requirements of the standard. A gap in a technique may actually be irrelevant as far as other substitute techniques are applied with good confidence. Second, it is required to prove that the techniques are actually practiced with the skill level declared by the personnel. It is fundamental to know whether the personnel are really practicing in an effective way as declared, matching the on-paper capability of the organization with the as-practiced capability.</para>
<para>Whenever a gap is identified, the value of the <emphasis>learning time</emphasis> estimates the time required to fill the gap. The learning time indicates the effort required to train people on a technique or tool; the overall cost to cover the gap should also include the cost of tools licenses, if needed.</para>
<para>Finally, the <emphasis>introduction time</emphasis> of the standard can be estimated from all the learning times from techniques and tools where a gap is identified.</para>
</section>
</section>
<section class="lev1" id="sec1-6" label="1.6" xreflabel="1.6">
<title>Case Study and Gap Analysis for DO-178B</title>
<para>The framework and methodology were applied within CRITICAL Software S.A.personnel for what concern the DO-178B standard for avionic systems. To reduce complexity, the analysis of the DO-178B we performed was limited to the sections devoted to verification and validation.</para>
<para>CRITICAL Software is an international information systems and software company, headquartered in Coimbra, Portugal, where our experiment took place. While CRITICAL Software works across several markets, in this work we referred to the aerospace division, which is active since 1998. In fact, it has to be noted that CRITICAL Software has relevant experience with DO-178B, applied successfully in several projects for many years. Consequently, it is evident that the objective of this case study is <emphasis>not</emphasis> to identify possible lacks in CRITICAL Software processes or inadequate knowledge about the required techniques, but it is to exercise the framework in a real context and verify its applicability.</para>
<para>Relevant data on techniques in standard were acquired from [<link linkend="ch01bib27">27</link>]. Techniques in company and tools were identified from material available at CRITICAL Software and expert involvement: this ranged from short interviews/meetings, to training material, publications, and leaflets, V&#x00026;V plans for different projects, V&#x00026;V reports, case studies and specific tools reports. The engineering personnel were also interviewed in order to gather the list of tools they typically use, and that may not necessarily be referred on written reports. In total, 22 Verification &#x00026; Validation techniques were identified; the validation technique <emphasis>testing</emphasis> was further subdivided in 26 testing techniques. The number of tools identified is instead 41.</para>
<section class="lev2" id="sec1-6-1" label="1.6.1" xreflabel="1.6.1">
<title>Matching of DO-178B Techniques and Company&#x02019;s Techniques</title>
<para>Matching between standard&#x02019;s and company&#x02019;s processes was performed by manual inspection of the standard and the company&#x02019;s internal processes.</para>
<para>For each verification and validation technique in the standard, one or more techniques were identified in CRITICAL Software processes, use cases, and V&#x00026;V plans.</para>
<para>We summarize main results. At least one <emphasis>technique in company</emphasis> was assigned to each <emphasis>technique in standard</emphasis>. There were more than one in some cases. For example the entry &#x0201C;reviews, inspections, analysis&#x0201D; from the table technique in standard is matched to reviews, inspections, HW/SW interaction analysis (HSIA), traceability, static analysis. Similarly, the requirements-based testing amongst techniques in standard is matched to coding/unit testing, system testing, functional testing and black box testing from techniques in company.</para>
<para>General comments on the examples above are that i) such techniques presents significant overlaps, e.g., between functional and system testing, and ii) terms reported in the standards are often very general and several techniques can fit them e.g., requirements-based testing may encompass a large part of the testing activities that are performed on a system or component.</para>
</section>
<section class="lev2" id="sec1-6-2" label="1.6.2" xreflabel="1.6.2">
<title>Acquire Data from Personnel</title>
<para>Questionnaires were filled independently by eight CRITICAL Software workers, operating as V&#x00026;V, RAMS engineers or having managerial responsibilities, prevalently in the context of verification and validation and certification projects. The engineers had been selected with different experiences and expertise in order to make the questionnaires results more representative of the company level. The data were analyzed, and average, mode, standard deviation, minimum value, maximum value and number of unknowns were computed and added to the database.</para>
</section>
<section class="lev2" id="sec1-6-3" label="1.6.3" xreflabel="1.6.3">
<title>Analyze the Data: Techniques</title>
<para>To favor understanding the structure of the results, an extract of the data sheets we compiled is reported in <link linkend="T1-4">Table <xref linkend="T1-4" remap="1.4"/></link>.</para>
<table-wrap position="float" id="T1-4">
<label><link linkend="T1-4">Table <xref linkend="T1-4" remap="1.4"/></link></label>
<caption><para>An extract of our sheet for data analysis; overall it contains 48 techniques and 41 tools. The whole data set is not reported because of its dimension and non-disclosure agreements</para></caption>
<graphic xlink:href="graphics/ch04_tab4.jpg"/>
</table-wrap>
<para>For most techniques, the standard deviation was rather limited (below 0.5) showing that despite the limited number of questionnaires, there was a good-to-high convergence of answers. Thus we preferred to use the average rather than the mode in our case study.</para>
<itemizedlist mark="bullet" spacing="normal">
<listitem>
<para><emphasis>Complexity</emphasis>. Less complex techniques were identified in reviews, inspections (e.g., Fagan, or walk-throughs), static analysis, traceability, code analysis, HW/SW interaction, and almost all testing techniques. Instead the most complex techniques were recognized in formal methods and modeling, with an average complexity of 3.8 (we remember from <link linkend="T1-3">Table <xref linkend="T1-3" remap="1.3"/></link> that the maximum is 4). Overall, the <emphasis>unknowns</emphasis> were very limited, with at the highest 3 for formal methods.</para></listitem>
<listitem>
<para><emphasis>Knowledge.</emphasis> Highest scores were assigned to reviews and inspections, Fault Trees, Dependence diagrams, testing. In particular regarding testing, although several kinds of testing are enlisted, a high score was assigned to all of them.</para></listitem>
<listitem>
<para><emphasis>Relevance</emphasis> and <emphasis>Frequency of use.</emphasis> The smallest scores for these two quantities were assigned to model checking/formal verification. In fact, these techniques have not been considered very relevant for the company business up to now. Amongst testing, security testing was considered of little relevance and seldom applied. The reason is mostly due to the standards in use, which only sparingly require security testing.</para></listitem></itemizedlist>
<para>Overall, the execution of the binary tree suggested verifying 6 techniques. The one who raised the most interesting discussion is safety analysis, which resulted relevant and complex but little applied. The reason is that a proper and unified process for safety analysis does not exist, although the companies are constantly applying techniques that are part of the safety analysis. Other two techniques that are worth noting are usability testing and use case testing: they were rated relevant, and the personnel felt expert about them, but they were seldom applied. This scarce usage of usability and use case testing is not directly imputable to the will of the engineers but it is due to the characteristics of their projects. The other three techniques were identified as relevant but not applied and with limited experience; replacement techniques are typically used in such cases.</para>
<para><emphasis>Quantitative indicators.</emphasis> Q<subscript>1</subscript> answers the question &#x0201C;<emphasis>is complexity an issue?</emphasis>&#x0201D; Q<subscript>1</subscript> score is 10.50 for formal methods and 10.87 for model checking, resulting in the highest score for Q<subscript>1</subscript>. This is in line with all the above observations. Similarly, and not surprisingly, the lowest scores are assigned to reviews (&#x02013;10.48) and inspections (below &#x02013;10 in both cases), confirming that they were considered techniques with low complexity.</para>
<para><emphasis>Q</emphasis><subscript>2</subscript> answers the question &#x0201C;<emphasis>is experience adequate?</emphasis>&#x0201D; <emphasis>Q</emphasis><subscript>2</subscript> relates experience to relevance and application of a technique. Most of the results are contained within the interval [&#x02013;1.5; +1.5], i.e., near 0. This means that there is a good balance between the relevance and application of a technique, and the experience in its usage, thus not raising any particular alarm. Few techniques are slightly outside such interval. Although no techniques are significantly exceeding the interval, the worst value is registered by safety analysis; this is justified by the reason explained previously.</para>
<para>Instead regarding <emphasis>Q</emphasis><subscript>3</subscript>, which answer the question &#x0201C;<emphasis>is there an overall balancing?</emphasis>&#x0201D; we noticed that most of the techniques are in the interval [&#x02013;7; +7]. For techniques outside such interval, relevant differences were identified between the couples [relevance; complexity] and [frequency of use; experience]. Most balanced scores, close to 0, are HW/SW interaction analysis (HSIA) and functional analysis (FFPA), considered in general with average scores around 3 for all attributes.</para>
<para>Most troublesome (high <emphasis>Q</emphasis><subscript>3</subscript> score) is obviously when the score is a high positive value, suggesting that there is a bad feeling with a technique acknowledged as relevant and complex. Worst values are assigned to security assessment and safety analysis. Regarding safety analysis, the previous considerations hold. A different reasoning is instead applied for security assessment. Security assessment is (correctly) perceived as relevant, and this is easily motivated with the increasing attention that security is gaining nowadays. Also, security assessment is perceived as complex, because widely-accepted methodologies or techniques for security assessment of software-based systems are still failing to root in several industrial domains. Finally, standards sparingly mention security assessment, and consequently it is rarely applied in a company.</para>
<para>Finally, Q<subscript>4</subscript> answers the question &#x0201C;<emphasis>is experience justified?</emphasis>&#x0201D; It resulted that safety analysis has the highest score, meaning that although acknowledged as relevant, the personnel interviewed expressed some doubts on their team experience. This outcome is strictly connected to the previous considerations on safety analysis. Values of Q<subscript>4</subscript> significantly below 0 were not identified; meaning that overall there is a good balance between relevance and frequency of application of techniques.</para>
<para><emphasis>Learning time.</emphasis> The shortest learning time was assigned i) amongst verification techniques, to reviews, inspections, traceability, static analysis, and ii) amongst validation techniques, to coding/unit testing, regression testing, input-based testing, boundary value analysis, smoke testing, ad hoc testing. Longest learning time was assigned to formal methods and model checking.</para>
</section>
<section class="lev2" id="sec1-6-4" label="1.6.4" xreflabel="1.6.4">
<title>Analyze the Data: Tools</title>
<para>Tools connected to the above techniques were evaluated, although no specific issues were identified. Some tools were identified as little relevant, not applied, or largely unknown, but this was due to the fact that the tools list included also obsolete tools.</para>
<para>As an example, the quantity Q<subscript>4</subscript> resulted in almost all the tools as a negative value, with a few exceptions. In all cases, the value was in the interval [&#x02013;1.1; 0.7]. Note that the best value, which is &#x02013;1.1, was assigned to a text editor tool: it is reasonable to believe that there is a good experience in using it, although it is not fundamental because it can be easily replaced by other products.</para>
</section>
<section class="lev2" id="sec1-6-5" label="1.6.5" xreflabel="1.6.5">
<title>Conclusive Recommendations and Feedbacks</title>
<para>As expected, no issues can be identified from the analysis. In general, the outcomes which suggest smaller confidence are those related to formal methods and model checking, although other replacement techniques are accepted in DO-178B and this does not really constitutes a gap in what concerns the DO-178B application.</para>
<para>It is worth observing that a long learning time (above 3 months) is assigned to these techniques, meaning that it is considered not easy to acquire proficiency with them. However, this is mostly due to the fact that the company has a limited focus in such activities, thus having a limited number of people skilled in the area.</para>
<para>The fact that Formal Methods and Modeling are not (for the particular case study) well ranked has several reasons, and specifically: (i) engineers are not prepared for these techniques from university and prior experience, (ii) they are not yet widely accepted in industry, especially from customers, (iii) they are more complex than others, and (iv) they lack appropriate tools support.</para>
<para>A final remark is about the techniques in standard that are grouped as number 11 in [<link linkend="ch01bib27">27</link>], that is, <emphasis>similarity, service experience, failure statistics</emphasis>. The corresponding techniques in company were rated poorly, mostly showing the entry &#x0201C;<emphasis>unknown</emphasis>&#x0201D; in the questionnaire for all attributes. A later analysis with direct confrontation with personnel concluded that the terms used for such techniques were unclear and confused the personnel involved. In fact, the questionnaire was provided to the personnel but entries not discussed in advance. The clarification allowed to verify the absence of any gap, thus solving all issues on similarity-based approaches for the verification of critical systems, with the only action of correcting techniques names in the dataset.</para>
<para>Finally, it is important to note that the case study was performed in a short time frame and its results might be interesting to plan ahead, estimate and have the company ready to tackle new domains and new certification challenges. It is relevant to mention that once these results have been presented to the company personnel, CRITICAL Software has taken actions to fill these gaps, and, in the frame of the European project FP7-2012-324334-CECRIS [<link linkend="ch01bib42">42</link>], processes, techniques and training material for safety analysis and for security assessments were developed. This outcome shows the direct impact that these types of analysis can have in prioritizing Research &#x00026; Development within an organization. A more detailed discussion on this aspect, which we rate an important outcome of our work, is in Section 1.7.</para>
</section>
</section>
<section class="lev1" id="sec1-7" label="1.7" xreflabel="1.7">
<title>Discussion about the Gap Analysis Framework</title>
<section class="lev2" id="sec1-7-1" label="1.7.1" xreflabel="1.7.1">
<title>An Application to the Moving Process</title>
<para>This work represents a formalization of what is usually done by industries when tackling a new domain of expertise, but not always in a structure way and not always with all the required information to make sound decisions and appropriate plans. The results of this framework help to determine the actual level of knowledge and resources that can be reused instead of doing it in an <emphasis>ad hoc</emphasis> and less supported manner.</para>
<para>Discussing the specific <emphasis>moving process</emphasis> is not part of the paper but we cannot ignore it. Moving from one existing standard into a standard from another domain involves different factors. For example, the switch between space, avionics, railway or automotive domains involves at least cultural implications, domains specific adaptations, and a large learning process. We provide the basis to support this moving process, by identifying clear gaps, improvements and adaptations, and by providing an estimation of the effort of moving from one domain to the other based on what the company is already applying and the maturity associated to the application of those standards.</para>
<para>For the gap analysis or determination of where a certain company is before entering a specific new domain, it is essential to be able to properly and precisely model the new standards i.e., extracting the requirements, phases, techniques, outputs, etc. This is one of the main tasks of our work and it consists in studying the standards and modeling their contents. Then, it is also extremely important for a company to hold an internal knowledge base about their processes (e.g., in an internal quality management database), techniques (e.g., detailed plans) and tools (e.g., in the form of Software Development Plans and Verification and Validation Plans).</para>
</section>
<section class="lev2" id="sec1-7-2" label="1.7.2" xreflabel="1.7.2">
<title>Time and Cost</title>
<para>Gap analysis processes are typically executed sparingly because of the required time, overall complexity, and cost. Consequently, we present an approach that can be executed with little time, effort and cost, provided that personnel with a strong background on safety-critical systems are available. As example, let us consider our case study. Once the framework and the methodology were ready, the whole case study including the population of the dataset was completed in a short time frame. Considering only time-consuming activities, the analysis of the DO-178B standard to fill table <emphasis>techniques in standard</emphasis> required 2 days, and the analysis of techniques and tools to fill table <emphasis>techniques in company</emphasis> and table <emphasis>tools</emphasis> required instead 4 days. It should be noted that these two tables will require only minor updates whenever the framework is exercised on a different standard. Two days were instead necessary to build relations between all tables. The questionnaires were filled in less than two hours each. Drafting conclusions, making interviews and presenting results required four more days.</para>
<para>Our analyses were carried out with a small number of supporting tools: the tools we used in our case study are a database, a spreadsheet tool, a text editor, and Java applications we developed in less than 600 lines of code. These Java applications allowed parsing the questionnaire, interfacing to the dataset, and building the binary tree. The artifacts produced by the framework, including those used in this work, are totally reusable for future analysis; this can be achieved simply maintaining the dataset.</para>
</section>
<section class="lev2" id="sec1-7-3" label="1.7.3" xreflabel="1.7.3">
<title>Effectiveness and Reactions</title>
<para>Benefits of recovering a gap are usually acquired only after the introduction of the new standard is completed and the new market penetrated, or when novel services are sold thanks to the new skills acquired. This process is typically long and consequently the return on investment for covering a gap or applying a systematic quality assurance process is typically considered on the medium-long term [<link linkend="ch01bib21">21</link>].</para>
<para>However, since the benefits are evident, in all cases <emphasis>the identification of gaps should be the trigger of recovery plans</emphasis>. As an example, let us consider our case study. Although overall no problems were identified in the application of DO-178B, our analysis led the Research &#x00026; Development of CRITICAL Software to focus on the topics of Safety Analysis procedures and Security Assessment techniques. In particular, two main actions were taken, partially supported by the project FP7-2012-324334-CECRIS [<link linkend="ch01bib42">42</link>].</para>
<para>First, research on approaches for safety analyses was started. We cite two published works that underline this research direction [<link linkend="ch01bib43">43</link>] discuss a measurable approach to fulfill the standard requirements but with an acceptable level of effort and within a reasonable timeframe [<link linkend="ch01bib44">44</link>] focus on techniques selection for safety analysis, aiming to provide to industries a ranked list of techniques that avoid specific types of issues.</para>
<para>Second, research on the interplay between safety and security was carried on, studying how security issues may impact safety [<link linkend="ch01bib45">45</link>] and walking towards the identification of threat assessment methodologies [<link linkend="ch01bib46">46</link>, <link linkend="ch01bib47">47</link>]. A new security assessment process named STECA &#x0201C;Security Threats, Effects and Criticality Analysis&#x0201D; is currently under research, with the objective of making the company more competitive and more prepared to provide related services to the industry.</para>
</section>
<section class="lev2" id="sec1-7-4" label="1.7.4" xreflabel="1.7.4">
<title>Replacement Techniques</title>
<para>It is important to consider that the standards, mostly based on a waterfall traditional V model, have requirements usually divided by lifecycle phases. For each of these phases there are proposed or recommended techniques, actions, and analysis, but not all of the listed techniques need to be applied in order to fulfill the standards requirements. We are aware that this situation has an impact on our framework, especially when determining gaps between standards: some gaps might be mitigated by other replacement techniques.</para>
<para>As future work, the most relevant foreseen improvement is to introduce the concept of <emphasis>minimum set of recommended techniques.</emphasis> Generally, the standards provide recommendations to several techniques but only a few are really required: several are proposed as alternatives. A company needs to be knowledgeable only with a set of such techniques. For example, formal methods are barely used, but all systems can get certified even without formal methods, and a similar reasoning can be carried out for fault injection. In this framework we are addressing this problem only in Step 4, once that all techniques have been evaluated individually. The future improvements of the framework will include solutions to automatically deal with this problem, introducing groups of techniques in the dataset, and adapting the questionnaires to rate the groups and not only the individual technique.</para>
</section>
<section class="lev2" id="sec1-7-5" label="1.7.5" xreflabel="1.7.5">
<title>Different Approaches to Compliance</title>
<para>It should be remarked that compliance with standards may take place in two different ways: by sticking to what is recommended or by following tailoring rules. The framework usage applied in our case study directly fits the first approach. The second approach is also followed in practice, especially in the case that standards requirements are unclear and open to interpretations. In several cases, certification authorities&#x02019; engineers or auditors supports this approach, helping the companies to adapt and accomplish the certification evidences.</para>
<para>In these cases, our framework can be successfully applied only after the tailoring rules are translated into requirements and are added to the dataset. Once this operation is completed, the framework can be exercised as usual.</para>
</section>
<section class="lev2" id="sec1-7-6" label="1.7.6" xreflabel="1.7.6">
<title>Questionnaire Assessment and Bias</title>
<para>We want to depict the status of the company and the feeling of workers towards specific techniques and standards in general, considering that also most of the time the workers themselves are in charge of training personnel and transfer knowledge. The personnel are expected to have a general, broad knowledge of the techniques that are executed and on their usual relevance. In other words, as far as personnel skilled in certification of safety-critical software is available, our framework will be able to rate techniques event if personnel is not familiar with them.</para>
<para>However, a relevant concern is the risk of a bias in the outputs due to the personnel perception of their expertise and experience. It is intuitive to expect that engineers will report higher scores for the techniques they have experience with and actually use, and that the analysis may underemphasize important techniques that the company is unfamiliar with. This reflects a simplification from an engineering perspective, as we tend to apply only one technique or a simpler tool if it is accepted for the certification or for completing the job.</para>
<para>These considerations require that, when interviewing the personnel, a good assessor, or an expert engineer that deeply studied the considered standard, is present. Otherwise, the process and self-image of competence, for example personnel feeling they are much more skilled than they actually are, may introduce significant bias in the results.</para>
</section>
</section>
<section class="lev1" id="sec1-8" label="1.8" xreflabel="1.8">
<title>Conclusions</title>
<para>This chapter proposed an <emphasis>easy-to-use</emphasis> framework and a supporting methodology to perform a <emphasis>rapid</emphasis> gap analysis on the usage of <emphasis>standards for safety-critical software</emphasis>. The methodology can be applied to new standards to be introduced or to standards that are already applied in the company as long as skilled personnel are available. The ultimate objective is to discover with reduced effort and minimal supporting tools how far a company is from having a sufficient level of knowledge to apply a specific standard. Also, the framework allows estimating the time required to cover the gaps. Our case study was executed in a short time frame, proving evidence of the intuitiveness of our solution. Results have been presented to a larger audience at the company CRITICAL Software SA, where the audience agreed that they reflect the global feeling about strengths and weaknesses, and recovery actions were taken by the Research &#x00026; Development team.</para>
</section>
<section class="lev1" id="sec1-9">
<title>References</title>
<orderedlist numeration="arabic" continuation="restarts" spacing="normal">
<listitem>
<para><anchor id="ch01bib1"/>RTCA. (1992). <emphasis>Software Considerations in Airborne Systems and Equipment Certification</emphasis> (DO-178B/EUROCAE ED-12B). <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=RTCA%2E+%281992%29%2E+Software+Considerations+in+Airborne+Systems+and+Equipment+Certification+%28DO-178B%2FEUROCAE+ED-12B%29%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch01bib2"/>RTCA. (2011). <emphasis>Software Considerations in Airborne Systems and Equipment Certification</emphasis> (DO-178C/EUROCAE ED-12C).</para></listitem>
<listitem>
<para><anchor id="ch01bib3"/>RTCA. (2000). <emphasis>Design Assurance Guidance for Airborne Electronic Hardware</emphasis>. (DO-254/EUROCAE ED-80). <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=RTCA%2E+%282000%29%2E+Design+Assurance+Guidance+for+Airborne+Electronic+Hardware%2E+%28DO-254%2FEUROCAE+ED-80%29%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch01bib4"/>CENELEC. (2006). <emphasis>Railway applications: The specification and demonstration of Reliability, Availability, Maintainability and Safety (RAMS) Part 1: Basic requirements and generic process</emphasis> (EN 50126-1/EC: 2006-05). <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=CENELEC%2E+%282006%29%2E+Railway+applications%3A+The+specification+and+demonstration+of+Reliability%2C+Availability%2C+Maintainability+and+Safety+%28RAMS%29+Part+1%3A+Basic+requirements+and+generic+process+%28EN+50126-1%2FEC%3A+2006-05%29%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch01bib5"/>CENELEC. (2002). <emphasis>Railway applications: Communications, signalling and processing systems &#x02013; Software for railway control and protection systems</emphasis>, EN 50128.</para></listitem>
<listitem>
<para><anchor id="ch01bib6"/>CENELEC. (2004). <emphasis>Railway applications: Communication, signalling and processing systems &#x02013; Safety related electronic systems for signalling</emphasis>, EN 50129. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=CENELEC%2E+%282004%29%2E+Railway+applications%3A+Communication%2C+signalling+and+processing+systems+-+Safety+related+electronic+systems+for+signalling%2C+EN+50129%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch01bib7"/>European Cooperation on Space Standardization (ECSS). (2014). Available at: <ulink url="http://www.ecss.nl/">http://www.ecss.nl/</ulink> (last accessed 11 November 2014).</para></listitem>
<listitem>
<para><anchor id="ch01bib8"/>Penny, J., et al. (2001). <emphasis>The practicalities of goal-based safety regulation.&#x0201D; Aspects of Safety Management</emphasis>. London: Springer, 35&#x02013;48. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Penny%2C+J%2E%2C+et+al%2E+%282001%29%2E+The+practicalities+of+goal-based+safety+regulation%2E%22+Aspects+of+Safety+Management%2E+London%3A+Springer%2C+35-48%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch01bib9"/>Ceccarelli, A., and Silva, N. (2015). &#x0201C;Analysis of companies gaps in the application of standards for safety-critical software,&#x0201D; in <emphasis>RESA4CI workshop, Computer Safety, Reliability, and Security</emphasis>. London: Springer International Publishing, 303&#x02013;313. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Ceccarelli%2C+A%2E%2C+and+Silva%2C+N%2E+%282015%29%2E+%22Analysis+of+companies+gaps+in+the+application+of+standards+for+safety-critical+software%2C%22+in+RESA4CI+workshop%2C+Computer+Safety%2C+Reliability%2C+and+Security%2E+London%3A+Springer+International+Publishing%2C+303-313%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch01bib10"/>Karbhari, V. M., et al. (2003). Durability gap analysis for fiber-reinforced polymer composites in civil infrastructure. <emphasis>J Compos. Construct</emphasis>. 7.3, 238&#x02013;247. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Karbhari%2C+V%2E+M%2E%2C+et+al%2E+%282003%29%2E+Durability+gap+analysis+for+fiber-reinforced+polymer+composites+in+civil+infrastructure%2E+J+Compos%2E+Construct%2E+7%2E3%2C+238-247%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch01bib11"/>Powell, G. V. N., Barborak, J., and Rodriguez, M. S. (2000). Assessing representativeness of protected natural areas in Costa Rica for conserving biodiversity: a preliminary gap analysis. <emphasis>Biol. Conserv</emphasis>. 93.1, 35&#x02013;41. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Powell%2C+G%2E+V%2E+N%2E%2C+Barborak%2C+J%2E%2C+and+Rodriguez%2C+M%2E+S%2E+%282000%29%2E+Assessing+representativeness+of+protected+natural+areas+in+Costa+Rica+for+conserving+biodiversity%3A+a+preliminary+gap+analysis%2E+Biol%2E+Conserv%2E+93%2E1%2C+35-41%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch01bib12"/>Brown, S. W., and Swartz, T. A. (1989). A gap analysis of professional service quality. <emphasis>J. Market</emphasis>. 53, 92&#x02013;98. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Brown%2C+S%2E+W%2E%2C+and+Swartz%2C+T%2E+A%2E+%281989%29%2E+A+gap+analysis+of+professional+service+quality%2E+J%2E+Market%2E+53%2C+92-98%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch01bib13"/>CMMI Product Team. (2010). &#x0201C;CMMI for Development&#x0201D;. Technical Report, Software Engineering Institute, CMU, Pennsylvania.</para></listitem>
<listitem>
<para><anchor id="ch01bib14"/>ISO/IEC 15504. (2004). <emphasis>Information technology &#x02013; Process assessment</emphasis> 2004. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=ISO%2FIEC+15504%2E+%282004%29%2E+Information+technology+-+Process+assessment+2004%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch01bib15"/>Hanrahan, R. P. (1995). &#x0201C;The IDEF process modeling methodology,&#x0201D; in <emphasis>Software Technology Support Center</emphasis>, New York, NY: IEEE 1995. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Hanrahan%2C+R%2E+P%2E+%281995%29%2E+%22The+IDEF+process+modeling+methodology%2C%22+in+Software+Technology+Support+Center%2C+New+York%2C+NY%3A+IEEE+1995%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch01bib16"/>Hanafizadeh, M. R., Saghaei, A., and Hanafizadeh, P. (2009). An index for cross-country analysis of ICT infrastructure and access. <emphasis>Telecommun. Policy</emphasis> 33, 385&#x02013;405. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Hanafizadeh%2C+M%2E+R%2E%2C+Saghaei%2C+A%2E%2C+and+Hanafizadeh%2C+P%2E+%282009%29%2E+An+index+for+cross-country+analysis+of+ICT+infrastructure+and+access%2E+Telecommun%2E+Policy+33%2C+385-405%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch01bib17"/>El-Gabaly, M., and Majidi, M. (2003). <emphasis>ICT Penetration and skills gap analysis</emphasis>. Egypt: US AID&#x02019;s Mission in Egypt. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=El-Gabaly%2C+M%2E%2C+and+Majidi%2C+M%2E+%282003%29%2E+ICT+Penetration+and+skills+gap+analysis%2E+Egypt%3A+US+AID%27s+Mission+in+Egypt%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch01bib18"/>Chinn, M. D., and Fairlie, R. W. (2010). ICT use in the developing world: an analysis of differences in computer and internet penetration. <emphasis>Rev. Int. Econ</emphasis>. 18.1, 153&#x02013;167. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Chinn%2C+M%2E+D%2E%2C+and+Fairlie%2C+R%2E+W%2E+%282010%29%2E+ICT+use+in+the+developing+world%3A+an+analysis+of+differences+in+computer+and+internet+penetration%2E+Rev%2E+Int%2E+Econ%2E+18%2E1%2C+153-167%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch01bib19"/>Verband der Automobilindustrie (VDA). <emphasis>Automotive SPICE &#x02013; Process Assessment Model</emphasis>, 1st edn, 2008.</para></listitem>
<listitem>
<para><anchor id="ch01bib20"/>Margarido, I. L., Faria, J. P., Vidal, R. M., and Vieira, M. (2012). &#x0201C;Towards a framework to evaluate and improve the quality of implementation of CMMI<superscript>&#x00AE;</superscript> practices&#x0201D;. Product-Focused Software Process Improvement. Berlin: Springer, 361&#x02013;365. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Margarido%2C+I%2E+L%2E%2C+Faria%2C+J%2E+P%2E%2C+Vidal%2C+R%2E+M%2E%2C+and+Vieira%2C+M%2E+%282012%29%2E+%22Towards+a+framework+to+evaluate+and+improve+the+quality+of+implementation+of+CMMI+practices%22%2E+Product-Focused+Software+Process+Improvement%2E+Berlin%3A+Springer%2C+361-365%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch01bib21"/>Pino, F. J., Pardo, C., Garc&#x000ED;a, F., and Piattini, M. (2010). Assessment methodology for software process improvement in small organizations. <emphasis>Inf. Softw. Technol.</emphasis> 52, 1044&#x02013;1061. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Pino%2C+F%2E+J%2E%2C+Pardo%2C+C%2E%2C+Garc%EDa%2C+F%2E%2C+and+Piattini%2C+M%2E+%282010%29%2E+Assessment+methodology+for+software+process+improvement+in+small+organizations%2E+Inf%2E+Softw%2E+Technol%2E+52%2C+1044-1061%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch01bib22"/>Mark, S., et al. (2007). An exploratory study of why organizations do not adopt CMMI. J. Syst. Softw. 80.6, 883&#x02013;895. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Mark%2C+S%2E%2C+et+al%2E+%282007%29%2E+An+exploratory+study+of+why+organizations+do+not+adopt+CMMI%2E+J%2E+Syst%2E+Softw%2E+80%2E6%2C+883-895%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch01bib23"/>Kemerer, C. F. (1987). An empirical validation of software cost estimation models. Commun. <emphasis>ACM</emphasis> 30.5, 416&#x02013;429. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Kemerer%2C+C%2E+F%2E+%281987%29%2E+An+empirical+validation+of+software+cost+estimation+models%2E+Commun%2E+ACM+30%2E5%2C+416-429%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch01bib24"/>Valerdi, R., Boehm, B., Reifer, D. (2003). &#x0201C;Cosysmo: a constructive systems engineering cost model coming age,&#x0201D; in <emphasis>Proceedings of the 13th Annual International INCOSE Symposium</emphasis> (pp. 70&#x02013;82). New York, NY: IEEE. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Valerdi%2C+R%2E%2C+Boehm%2C+B%2E%2C+Reifer%2C+D%2E+%282003%29%2E+%22Cosysmo%3A+a+constructive+systems+engineering+cost+model+coming+age%2C%22+in+Proceedings+of+the+13th+Annual+International+INCOSE+Symposium+%28pp%2E+70-82%29%2E+New+York%2C+NY%3A+IEEE%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch01bib25"/>Ceccarelli, A., Vinerbi, L., Falai, L., and Bondavalli, A. (2011). &#x0201C;RACME: A Framework to Support V&#x00026;V and Certification,&#x0201D; in <emphasis>5th Latin-American Symposium on Dependable Computing (LADC)</emphasis>, 116, 125, 25&#x02013;29. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Ceccarelli%2C+A%2E%2C+Vinerbi%2C+L%2E%2C+Falai%2C+L%2E%2C+and+Bondavalli%2C+A%2E+%282011%29%2E+%22RACME%3A+A+Framework+to+Support+V%26V+and+Certification%2C%22+in+5th+Latin-American+Symposium+on+Dependable+Computing+%28LADC%29%2C+116%2C+125%2C+25-29%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch01bib26"/>Rezabal, M. I., Elorza, L. E., Letona, X. E. (2013). &#x0201C;Reuse in Safety Critical Systems: Educational Use Case,&#x0201D; in <emphasis>39th EUROMICRO Conference on Software Engineering and Advanced Applications (SEAA)</emphasis>, 402, 407. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Rezabal%2C+M%2E+I%2E%2C+Elorza%2C+L%2E+E%2E%2C+Letona%2C+X%2E+E%2E+%282013%29%2E+%22Reuse+in+Safety+Critical+Systems%3A+Educational+Use+Case%2C%22+in+39th+EUROMICRO+Conference+on+Software+Engineering+and+Advanced+Applications+%28SEAA%29%2C+402%2C+407%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch01bib27"/>Ceccarelli, A., and Silva, N. (2013). &#x0201C;Qualitative comparison of aerospace standards: An objective approach,&#x0201D; in <emphasis>2013 IEEE International Symposium on Software Reliability Engineering Workshops (ISSREW)</emphasis>, 331, 336. New York, NY: IEEE. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Ceccarelli%2C+A%2E%2C+and+Silva%2C+N%2E+%282013%29%2E+%22Qualitative+comparison+of+aerospace+standards%3A+An+objective+approach%2C%22+in+2013+IEEE+International+Symposium+on+Software+Reliability+Engineering+Workshops+%28ISSREW%29%2C+331%2C+336%2E+New+York%2C+NY%3A+IEEE%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch01bib28"/>ISO 9001:2008 Quality Management Systems.</para></listitem>
<listitem>
<para><anchor id="ch01bib29"/>Deeptimahanti, D. K., and Sanyal, R. (2011). &#x0201C;Semi-automatic generation of UML models from natural language requirements,&#x0201D; in <emphasis>Proceedings of the 4th India Software Engineering Conference</emphasis>. New York, NY: ACM. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Deeptimahanti%2C+D%2E+K%2E%2C+and+Sanyal%2C+R%2E+%282011%29%2E+%22Semi-automatic+generation+of+UML+models+from+natural+language+requirements%2C%22+in+Proceedings+of+the+4th+India+Software+Engineering+Conference%2E+New+York%2C+NY%3A+ACM%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch01bib30"/>Kof, L. (2009). &#x0201C;Translation of textual specifications to automata by means of discourse context modelling,&#x0201D; in <emphasis>Requirements Engineering: Foundation for Software Quality</emphasis>. Berlin: Springer, pp. 197&#x02013;211. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Kof%2C+L%2E+%282009%29%2E+%22Translation+of+textual+specifications+to+automata+by+means+of+discourse+context+modelling%2C%22+in+Requirements+Engineering%3A+Foundation+for+Software+Quality%2E+Berlin%3A+Springer%2C+pp%2E+197-211%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch01bib31"/>IET. (2007). <emphasis>Competence Criteria for Safety-related system practitioners</emphasis>.</para></listitem>
<listitem>
<para><anchor id="ch01bib32"/>EUROCAE. (2009). <emphasis>EUROCAE ED-153 &#x02013; Guidelines for ANS Software Safety Assurance</emphasis>.</para></listitem>
<listitem>
<para><anchor id="ch01bib33"/>SAE. (2010). <emphasis>ARP4754A/EUROCAE ED-79 &#x02013; Guidelines for development of civil aircraft and systems-Revision</emphasis> A. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=SAE%2E+%282010%29%2E+ARP4754A%2FEUROCAE+ED-79+-+Guidelines+for+development+of+civil+aircraft+and+systems-Revision+A%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch01bib34"/>Galileo industries. (2004). <emphasis>GAL-SPE-GLI-SYST-A/0092 &#x02013; Galileo Software Standard (GSWS)</emphasis>.</para></listitem>
<listitem>
<para><anchor id="ch01bib35"/>ECSS. (2009). <emphasis>ECSS-E-ST-40C &#x02013; Space engineering &#x02013; Software</emphasis>. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=ECSS%2E+%282009%29%2E+ECSS-E-ST-40C+-+Space+engineering+-+Software%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch01bib36"/>ECSS. (2009). <emphasis>ECSS-E-ST-10C &#x02013; Space engineering &#x02013; System enginee- ring general requirements</emphasis>.</para></listitem>
<listitem>
<para><anchor id="ch01bib37"/>ECSS. (2009). <emphasis>ECSS-E-ST-10-02C: Space engineering &#x02013; Verification</emphasis>.</para></listitem>
<listitem>
<para><anchor id="ch01bib38"/>ECSS. (2012). <emphasis>ECSS-E-ST-10-03C: Space engineering &#x02013; Testing</emphasis>.</para></listitem>
<listitem>
<para><anchor id="ch01bib39"/>ECSS. (2009). <emphasis>ECSS-Q-ST-30C: Space product assurance &#x02013;<?lb?>Dependability</emphasis>. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=ECSS%2E+%282009%29%2E+ECSS-Q-ST-30C%3A+Space+product+assurance+-Dependability%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch01bib40"/>ECSS. (2009). ECSS-Q-ST-40C: Space product assurance &#x02013; Safety. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=ECSS%2E+%282009%29%2E+ECSS-Q-ST-40C%3A+Space+product+assurance+-+Safety%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch01bib41"/>ECSS. (2009). ECSS-Q-ST-80C: Space product assurance-Sw product assurance. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=ECSS%2E+%282009%29%2E+ECSS-Q-ST-80C%3A+Space+product+assurance-Sw+product+assurance%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch01bib42"/>CECRIS. (2016). FP7-2012-324334-CECRIS: CErtification of Critical Systems. Available at: <ulink url="http://www.cecris-project.eu/">http://www.cecris-project.eu/</ulink> <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=CECRIS%2E+%282016%29%2E+FP7-2012-324334-CECRIS%3A+CErtification+of+Critical+Systems%2E+Available+at%3A+http%3A%2F%2Fwww%2Ececris-project%2Eeu%2F" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch01bib43"/>Silva, N., and Vieira, M. (2013). &#x0201C;Certification of embedded systems: Quantitative analysis and irrefutable evidences,&#x0201D; in <emphasis>2013 IEEE International Symposium on Software Reliability Engineering Workshops (ISSREW)</emphasis>. New York, NY: IEEE. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Silva%2C+N%2E%2C+and+Vieira%2C+M%2E+%282013%29%2E+%22Certification+of+embedded+systems%3A+Quantitative+analysis+and+irrefutable+evidences%2C%22+in+2013+IEEE+International+Symposium+on+Software+Reliability+Engineering+Workshops+%28ISSREW%29%2E+New+York%2C+NY%3A+IEEE%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch01bib44"/>Silva, N. and Vieira, M. (2014). Towards making safety-critical systems safer: learning from mistakes,&#x0201D; in 2014 IEEE International Symposium on Software Reliability Engineering Workshops (ISSREW), vol., no., 162&#x02013;167. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Silva%2C+N%2E+and+Vieira%2C+M%2E+%282014%29%2E+Towards+making+safety-critical+systems+safer%3A+learning+from+mistakes%2C%22+in+2014+IEEE+International+Symposium+on+Software+Reliability+Engineering+Workshops+%28ISSREW%29%2C+vol%2E%2C+no%2E%2C+162-167%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch01bib45"/>Nostro, N., Bondavalli, A., Silva, N. (2014). <emphasis>Adding Security Concerns to Safety Critical Certification</emphasis>. ISSRE Workshops, 521&#x02013;526. New York, NY: IEEE. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Nostro%2C+N%2E%2C+Bondavalli%2C+A%2E%2C+Silva%2C+N%2E+%282014%29%2E+Adding+Security+Concerns+to+Safety+Critical+Certification%2E+ISSRE+Workshops%2C+521-526%2E+New+York%2C+NY%3A+IEEE%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch01bib46"/>Nostro, N., Ceccarelli, A., Bondavalli, A., and Brancati, F. (2014). Insider threat assessment: a model-based methodology. <emphasis>SIGOPS Oper. Syst. Rev.</emphasis> 48, 3&#x02013;12. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Nostro%2C+N%2E%2C+Ceccarelli%2C+A%2E%2C+Bondavalli%2C+A%2E%2C+and+Brancati%2C+F%2E+%282014%29%2E+Insider+threat+assessment%3A+a+model-based+methodology%2E+SIGOPS+Oper%2E+Syst%2E+Rev%2E+48%2C+3-12%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch01bib47"/>Nostro, N., Ceccarelli, A., Bondavalli, A., and Brancati, F. (2013). &#x0201C;A methodology and supporting techniques for the quantitative assessment of insider threats,&#x0201D; in <emphasis>Proceedings of the 2nd International Workshop on Dependability Issues in Cloud Computing &#x02013; DISCCO &#x02019;13</emphasis>, 1&#x02013;6, Braga (Portugal). <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Nostro%2C+N%2E%2C+Ceccarelli%2C+A%2E%2C+Bondavalli%2C+A%2E%2C+and+Brancati%2C+F%2E+%282013%29%2E+%22A+methodology+and+supporting+techniques+for+the+quantitative+assessment+of+insider+threats%2C%22+in+Proceedings+of+the+2nd+International+Workshop+on+Dependability+Issues+in+Cloud+Computing+-+DISCCO+%2713%2C+1-6%2C+Braga+%28Portugal%29%2E" target="_blank">Google Scholar</ulink></para></listitem></orderedlist>
</section>
</chapter>
<chapter class="chapter" id="ch02" label="2" xreflabel="2">
<title>Experiencing Model-Driven Engineering for Railway Interlocking Systems</title>
<para role="author"><emphasis role="strong">Fabio Scippacercola<superscript>1,2</superscript>, Andr&#x000E1;s Zentai<superscript>3</superscript> and Stefano Russo<superscript>1,2</superscript></emphasis></para>
<para><superscript>1</superscript>DIETI, Universit&#x000E0; degli Studi di Napoli Federico II, Via Claudio 21, 80125 Napoli, Italy</para>
<para><superscript>2</superscript>CINI-Consorzio Interuniversitario Nazionale per l&#x02019;Informatica, Italy</para>
<para><superscript>3</superscript>Prolan Process Control Co., Szentendrei &#x000FA;t 1-3, H-2011 Budakal&#x000E1;sz, Hungary</para>
<section class="lev1" id="sec2-1" label="2.1" xreflabel="2.1">
<title>Introduction</title>
<para>For a company to be competitive in the market, following technologies and being updated with new trends and practices, is essential. In safety-critical domains, the introduction of new practices and methodologies is slower than in other engineering fields, since safety standards and long established practices tend to defer the adoption of new emerging technologies, until assessments and time reveal them mature and safe. Slow introduction of new methods is especially characterizing the railway domain, where the lifespan of products could easily reach decades or even a century. Now it is long time that Model-Driven Engineering (MDE) techniques and tools have been proposed, but their maturity &#x02013; especially for safety-critical systems &#x02013; is still debated.</para>
<para>Some recent surveys investigated the adoption of MDE methodologies and technologies in practice [<link linkend="ch02bib1">1</link>, <link linkend="ch02bib2">2</link>]. They revealed the increasing adoption of MDE in industry. The technology is attractive for the development of critical systems, since it can speed up the activities of Verification and Validation (V&#x00026;V), and it enables the early verification of systems, through techniques such as model reviews, guideline checkers, Rapid Control Prototyping (RCP) and Model- and Software-in-the-Loop Tests. These techniques shift the cost of development from the phases of V&#x00026;V to the ones of requirement analysis and design, thus leading to benefits in terms of residual errors. Companies not performing model-in-the-loop testing find almost 30% more errors during module test [<link linkend="ch02bib3">3</link>].</para>
<para>Prolan Co. is a Hungarian company, which develops certified products for safety critical process control and rail signaling systems. Prolan joined the European project &#x0201C;CErtification of CRItical Systems&#x0201D; (CECRIS [<link linkend="ch02bib4">4</link>]); in its framework, Prolan started an industrial-academic partnership for the transfer of knowledge of MDE techniques from the academy to the company, with the goal of assessing their level of maturity for industrial adoption.</para>
<para>During this activity, it emerged the lack of well-defined processes for the development of a CENELEC SIL-4 safety critical signaling system that was suited for the real industrial needs.</para>
</section>
<section class="lev1" id="sec2-2" label="2.2" xreflabel="2.2">
<title>Background: MDE</title>
<para>As for most engineering branches, advances in software engineering have always resulted from increases in the level of abstraction. Let us consider, for instance, one of the most peculiar activities of this discipline, namely computer programming: the first abstraction, i.e., the second generation programming languages &#x02013; or assembly languages &#x02013; were born soon after programmers had struggled with binary machine code; then came the third generation programming languages (procedural and object-oriented), that freed the programmers from low-level details of the machine, and then fourth generation languages, which added more facilities and masked recurrent problems, such as the representation of data and the interworking between heterogeneous systems. The same holds in other areas, such as operating systems, middleware technologies, and network protocols. In this perspective, MDE aims at raising the level of abstraction in software design and verification [<link linkend="ch02bib5">5</link>], and promises to change the traditional methodologies of software development.</para>
<para>Model-driven approaches focus on a model, i.e., on a set of specifications or representations of a system that neglect aspects that are not of interest at the current stage in a software process; the process advances transforming the model in documents, intermediate artifacts, or in the final product. The result is that MDE shifts the traditional development paradigm, based on different kinds of artifacts composed by domain experts in multiple formats, to a common formalism &#x02013; the model &#x02013; by which the artifacts are obtained through computer-assisted transformations. This model-centric paradigm provides several benefits, leading to increased productivity and quality of artifacts, shorter development time, and enhanced automation, which includes automatic code generation and automatic support to the software engineering activities.</para>
<para>Since models have always been applied at different extents in engineering problems and activities, there are many acronyms with fuzzy borders in the universe of software engineering. We refer to the terminology of Brambilla et al. [<link linkend="ch02bib6">6</link>].</para>
<para>When processes exploit models as support for their goals they are part of Model-Based Engineering (MBE), and we call the activities document-centric, since models are only a means to achieve the targets, but there is no particular emphasis on them. Therefore, MBE is the broadest term, encompassing all the methodologies and activities that employ models.</para>
<para>Model-Driven Engineering focuses on the processes where models are key artifacts of the activities (model-centric). When we restrict to considering MDE for supporting the development of systems, we can use the more specific term of Model-Driven Development (MDD). One approach of MDD is the Model-Driven Architecture (MDA), proposed by the Object Management Group (OMG) [<link linkend="ch02bib7">7</link>]. The Model-Driven Testing (MDT) is a theory of software testing that introduces concepts enabling to transform models in test-cases in order to support V&#x00026;V activities. Even though MDT is not an OMG standard, it uses an OMG&#x02019;s standard profile, the UML-Testing Profile (UTP) [<link linkend="ch02bib8">8</link>, <link linkend="ch02bib9">9</link>].</para>
<para>Model-Driven Engineering is founded on concepts of <emphasis>models</emphasis> and <emphasis>transformations</emphasis>: instead of producing (textual) documents as artifacts &#x02013; requirements, design, code, test artifacts &#x02013; engineers focus on models as primary artifacts.</para>
<para>Models are defined in (semi-)formal languages, which are typically machine-understandable and drawn with the support of tools. Other artifacts are derived through defined transformations, be they: Model-to-Model transformations (M2M) or Model-to-Text transformations (M2T) from models to textual documents, source code or testing artifacts (such as test cases and test scripts).</para>
<para>As argued by Kent [<link linkend="ch02bib10">10</link>], MDE can identify different levels of decomposition and can employ ad hoc or domain-specific languages for models and transformations, whereas MDA is bound to OMG&#x02019;s standards.</para>
<para>The OMG is an international open membership not-for-profit consortium grouping many IT companies and organizations around the globe. OMG first conceived MDA as a technology to overcome the interoperability problems of applications partially addressed by the CORBA standard [<link linkend="ch02bib11">11</link>]. Indeed, even if CORBA provided a good solution for the interoperability of applications, it became soon clear how it is difficult for large enterprises to standardize on different middleware platforms: enterprises have applications on different middleware, that have to be integrated even though this process turned out to be expensive and time-consuming. Furthermore, middleware systems continue to evolve and even CORBA could not be a guarantee for next decades. Therefore, MDA was proposed as a better way to reach portability, interoperability and reusability through architectural separation of concerns in the OMG vision that postulates how the myth of a standalone application or standard for developing software as well as for data interchange died.</para>
<para>The recent version 2.0 of the Guide to the standard [<link linkend="ch02bib7">7</link>] defines MDA as an approach for deriving value from models and architecture in support of the full life cycle of physical, organizational and IT systems. MDA became an approach to deal with complexity and interdependences in large systems, namely to derive value from modeling by defining the structure, semantics, and notations of models using industry standards.</para>
<para>In order to enable (automatic) transformations of models, mechanisms were introduced to reason on the models themselves: this has been done through the concept of meta-modeling, namely introducing models for modeling languages. These concepts are commons to MDE, but MDA standardized the formalisms to use, so as to have four layers of abstractions:</para>
<itemizedlist mark="bullet" spacing="normal">
<listitem>
<para>M0 is the user data layer, it is the layer at lowest abstraction and the elements are concrete objects of the problem domain.</para></listitem>
<listitem>
<para>M1 is the layer of modeling concepts. Here are the UML models of entities that abstract the user data layer, like UML classes or association. At this level are models defined by software engineers to define the requirements or architecture of the system.</para></listitem>
<listitem>
<para>M2 is UML Metamodel, i.e., M2 defines, through UML, the syntax of UML models in M1, as well as their semantic. For instance, M2 will constraint you to do not use UML links for connecting classes but UML objects. M1 models can be seen as instances of concepts of M2 layer and, by M2, you can check consistence of your UML models.</para></listitem>
<listitem>
<para>M3 is most abstract layer defined by OMG. At this level is Meta-Object Facility (MOF) language. By MOF OMG can define syntax and semantic for meta-languages. In the MDA, MOF enables to define transformation rules among different models (of M1 layers) that are compliant to different meta-models (of M2 layers).</para></listitem></itemizedlist>
<para>Using its modeling infrastructure, it is possible to define rules to transform models into other models (M2M) or model into text (M2T). With M2T transformation, MDE refers specifically to that kind of transformation that produces source code (or other textual documents) from models.</para>
<section class="lev2" id="sec2-2-1" label="2.2.1" xreflabel="2.2.1">
<title>MDA Viewpoints and Views</title>
<para>Model-Driven Architecture starts with the well-known and long-established idea of separating the specification of the operation of a system from the details on how that system uses the capabilities of its platform. MDA enables to specify a system independently from the platform that supports it, and to transform the system specification into one for a particular platform.</para>
<para>A <emphasis>viewpoint</emphasis> specifies a reusable set of criteria for the construction, selection, and presentation of a portion of the information about a system, addressing stakeholder concerns [<link linkend="ch02bib7">7</link>]; in other words, a viewpoint defines the abstractions to adopt to focus on particular concerns within the system. A <emphasis>view</emphasis> is a representation of a system that conforms to a viewpoint [<link linkend="ch02bib7">7</link>].</para>
<para>In MDA terms, abstraction eliminates certain elements from the defined scope and may result in introducing a higher-level viewpoint at the expense of removing detail. A more abstract model encompasses a broader set of systems, whereas a less abstract model is more specific to a single system or restricted set of systems. One important capability of MDA is the automation that provides for the transformation between levels of abstraction by the use of patterns.</para>
<para>Model-Driven Architecture specifies three viewpoints, which offer levels of separation of concerns to realize a system. The three viewpoints are:</para>
<para><emphasis role="strong">Computation Independent Viewpoint (CIV)</emphasis>. The computation independent viewpoint focuses on the environment of the system, and the requirements for the system; the details of the structure and processing of the system are hidden or as yet undetermined;</para>
<para><emphasis role="strong">Platform Independent Viewpoint (PIV)</emphasis>. The platform independent viewpoint focuses on the operation of a system while hiding the details necessary for a particular platform;</para>
<para><emphasis role="strong">Platform Specific Viewpoint (PSV)</emphasis>. The platform specific viewpoint combines the platform independent viewpoint with an additional focus on the detail of the use of a specific platform by a system.</para>
<para>The recent version of MDA standard [<link linkend="ch02bib7">7</link>] reduces the emphasis on the CIV, and defines a platform as a set of resources on which a system is realized. This set of resources is used to implement or support the system. For instance, a platform can be the organizational structure or a set of buildings and machines (in case of business or domain platform types); or operating systems, programming libraries, and CPUs (when considering computer hardware and software platform types).</para>
<para>A platform model also specifies requirements on the connection and use of parts of the platform, and the connections of an application to the platform. Example: OMG has specified a model of a portion of the CORBA platform in the UML profile for CORBA. This profile provides a language to use when specifying CORBA systems. The stereotypes of the profile can function as a set of markings. A generic platform model can amount to a specification of a particular architectural style.</para>
<para>Considering the previous views, MDA defines the Computation independent Model (CIM), the Platform Independent Model (PIM), and the Platform Specific Model (PSM). MDA refines CIM in PIM and in PSM using model transformations during development process.</para>
</section>
</section>
<section class="lev1" id="sec2-3" label="2.3" xreflabel="2.3">
<title>The Maturity of MDE</title>
<para>Several surveys analyzed the diffusion and the benefits of Model-Based and Model-Driven techniques and technologies into industrial practices, after 30 years from the introduction of the first MD tools on the market. However, these analyses are still not enough to get a complete picture about the state of the MD practices. Indeed, an aspect that is often neglected by these surveys is that the utilization of MD techniques is tightly dependent on the domain, which influences the demands of the users as well as the stability of the environment and the availability and maturity of the supporting tools. The domain of embedded systems, for instance, has seen the diffusion of sophisticated MD tools such as Matlab Simulink or SCADE, that keep evolving in the offered functionalities since they were introduced on the market, many years ago. However, if we consider all other domains, we can see that the adoption of MDE in software companies differs from that in the domain of embedded systems: although MDE is always perceived beneficial, the benefits are not as evident as in the embedded system industry.</para>
<para>In general MDE seems not completely mature yet, and the feasibility of its adoption partially debated, with tools not enough stable integrated, and much of the MDE potential yet to be demonstrated. Summarizing the various observations in the surveys of past years in industry, we may conclude that:</para>
<itemizedlist mark="bullet" spacing="normal">
<listitem>
<para><emphasis>MDE is spreading in industry, but it is still far to be pervasive</emphasis>. It followed the concurrent evolution of modeling languages (such as UML) and of related tools: in 2005 practitioners were using MBE for conceptual modeling [<link linkend="ch02bib12">12</link>], in 2008 model-centric approaches were perceived better than code-centric ones in most of tasks [<link linkend="ch02bib13">13</link>], in 2010 and 2011 MDE has been observed in a wide range of application domains [<link linkend="ch02bib14">14</link>&#x02013;<link linkend="ch02bib21">21</link>], despite there are many problems and no general and common consensus on these approaches;</para></listitem>
<listitem>
<para><emphasis>Models are mainly used for design and documentation</emphasis>, while the benefits of advanced techniques (such as code generation, test case generation, or model animation) are lowly exploited: models are introduced mostly as an enabling technology inside the process, to enable business that otherwise would not be possible [<link linkend="ch02bib14">14</link>&#x02013;<link linkend="ch02bib16">16</link>];</para></listitem>
<listitem>
<para><emphasis>UML is gaining popularity, but support tools are not enough mature yet to build toolchains meeting the specific needs of companies</emphasis>: they are considered one of the biggest problem by the industry, that is worried about ease of their usage, the vendor lock-in problem, and the interoperability among different tools [<link linkend="ch02bib18">18</link>&#x02013;<link linkend="ch02bib21">21</link>];</para></listitem></itemizedlist>
<para>Model-Driven Engineering depends on the business domain and on organizational factors, and its adoption requires changes in the personnel skills, the software processes, and the company practices. MDE demands for special skills and for changes in the roles of developers and software engineers: retraining programmers to think at a higher level of abstraction can reveal a difficult task. These aspects have not been well addressed so far, and the current approaches do not adequate to the people, but the people have to adapt to them.</para>
<para>A partially different scenario is observed in the domain of embedded systems, where we can draw the following picture:</para>
<itemizedlist mark="bullet" spacing="normal">
<listitem>
<para>Model-based techniques are widely adopted (almost pervasive in automotive domain), and models are used not only for informative and documentation purposes but they were the key artifacts of the development processes [<link linkend="ch02bib1">1</link>, <link linkend="ch02bib2">2</link>].</para></listitem>
<listitem>
<para>The needs for introducing models was mainly for shorter development time, and to improve reusability and quality, whereas less than half had the need to introduce models to exploit formal methods, or because they were required by the standards [<link linkend="ch02bib1">1</link>, <link linkend="ch02bib2">2</link>].</para></listitem>
<listitem>
<para>The activities of V&#x00026;V had a huge impact by their adoption in the automotive domain [<link linkend="ch02bib3">3</link>]: the automotive industry was used to exploit model-driven approaches for the early verification of the systems, by techniques such as model reviews, guideline checkers, RCP and Model- and Software-in-the-Loop Tests, that lead to better quality, reduced development time, due to the shifting of the costs to the phases of requirement analysis and design;</para></listitem>
<listitem>
<para>According to [<link linkend="ch02bib22">22</link>], UML is not used widely due to short lead-time for the software development, or lack of understanding or knowledge of UML models; however this survey, limited to MDE/MDA in the Brazilian industry, does not agree with [<link linkend="ch02bib1">1</link>, <link linkend="ch02bib2">2</link>] targeting the European industries of embedded systems. These authors found that the majority of survey participants were using Matlab/Simulink/Stateflow, followed by Eclipse-based tools. The most used modeling languages were the OMGs ones (UML and SysML);</para></listitem>
<listitem>
<para>As for generic software companies, in the top shortcomings identified there are the scarce interoperability and usability of tools, and the high (initial) effort to train developers [<link linkend="ch02bib1">1</link>, <link linkend="ch02bib2">2</link>].</para></listitem></itemizedlist>
<para>Why was the diffusion of MB and MD techniques different in the embedded systems domain with respect to other application areas? We claim that this is due to:</para>
<orderedlist numeration="lowerroman" continuation="restarts" spacing="normal">
<listitem>
<para>The different weight of the activities in the development process (more emphasis on design and implementation for generic software systems; more emphasis on analysis and V&#x00026;V for embedded systems);</para></listitem>
<listitem>
<para>The parallel evolution of the code-centric technologies that are available for the development, which raised even more the level of abstraction during the design, and simplified the way the systems are implemented. The hypothesis partially reflects the different focus on the adoption of models in the two domains, since there is more emphasis on design and documentation in the general market, and on the V&#x00026;V techniques for the embedded systems.</para></listitem></orderedlist>
<para>The cited surveys identify the current state of the adoption of MD techniques in industry by collecting the opinions of the practitioners on the benefits and drawbacks of model-based and model-driven techniques. However, besides these quantitative data, there is the need of empirical studies that analyze qualitatively and critically the merits and faults of model-driven approaches. Indeed, the success or failing factors of MDE are still unclear, and more research is needed [<link linkend="ch02bib23">23</link>].</para>
<para>A systematic review of empirical studies on MDE from 2000 up to June 2007 was performed by Mohagheghi and Dehlen [<link linkend="ch02bib24">24</link>]. They show that MDE can effectively reduce the cost and development time, however this depends on the grade of adoption in the development process: a success story is the one of Motorola [<link linkend="ch02bib25">25</link>, <link linkend="ch02bib26">26</link>], that used MDE for more than 15 years in a wide spectrum of activities, ranging from protocol implementations up to handheld devices or network controllers; they experienced an increase in quality and productivity (ranging from 1.2&#x000D7; to 8&#x000D7;) and an approximately 33% reduction in the effort required to develop test cases.</para>
<para>Motorola could achieve these results within a mature process that was supported by own-made translators and tools for the model exploitation. Indeed, one common issue of MDE is the absence of well-defined processes [<link linkend="ch02bib24">24</link>, <link linkend="ch02bib27">27</link>, <link linkend="ch02bib28">28</link>], as the application of MDE requires changes in the activities, corporate culture and skills of the employees: many software engineering methods are not fitted to use models as main artifacts, and the environments seems not mature enough. Some previous studies attempted to apply pre-existing processes to MDE, or to create own ones, but MDE shifts the importance of many activities to (automatic) transformation rules, and change consolidated development process is not a naive task. The study [<link linkend="ch02bib29">29</link>] reports a successful introduction of a MBE process after 4 years and three projects had been defined and consolidated: there is the need to look beyond the technical benefits of a particular approach to MDE and instead concentrate on social and organizational issues [<link linkend="ch02bib16">16</link>].</para>
<para>Moreover, the process becomes a more difficult problem in safety-critical domain, where compliance with certification standards poses additional requirements on the methodologies for product life cycle. For these kind of systems, the major part of costs are for the activities of V&#x00026;V, so rigorous and well-assessed techniques have to be integrated within the development process for the early detection of faults and to guarantee the quality of the product. In addition, non-functional requirements, such as safety, reliabi- lity and timing requirements, are a primary concern that have to be taken into account by these processes: current MDE methodologies do not cope with stringent functional requirements and qualities in current systems, i.e., the ability of these approaches to adapt to rapidly changing hardware and implementation platforms that are highly complex [<link linkend="ch02bib23">23</link>].</para>
<para>Parallel to the challenge of the product life cycle, there is the open problem of the supporting tools: they are not mature yet, and influence most of the adoption of MDE. Moreover, the vendor lock-in problem is also perceived as a problem, and the companies prefer to adopt open source solutions or to develop their own tools. Indeed, the tools are not well usable, do not interoperate between themselves, do not keep in synchronization the models at different level of abstractions, are not flexible to collaborative working, and are not suited with the adoption of different models and modeling notations [<link linkend="ch02bib23">23</link>]. Thus, model-driven processes have to carefully consider the problem of defining the toolchain for supporting the activities.</para>
</section>
<section class="lev1" id="sec2-4" label="2.4" xreflabel="2.4">
<title>A Model-Driven Methodology for Prolan</title>
<para>In the period when CECRIS started, Prolan was developing the next generation of railway interlocking systems, and in particular the first product of this generation, the <emphasis>Prolan Block</emphasis> (PB), a safety-critical system for railway interlocking that must be CENELEC EN 50126, EN 50128 and EN 50129 SIL-4 certified.</para>
<para>The system is deployed alongside railway segments, which are named <emphasis>blocks</emphasis>. Each block is equipped with a PB, with sensors for detecting incoming and outgoing trains (these sensors are the axle counters), and with semaphores that are part of the signaling system. The PB manages the block (<link linkend="F2-1">Figure <xref linkend="F2-1" remap="2.1"/></link>), receiving data from sensors, and properly setting the semaphores according to its internal state.</para>
<fig id="F2-1" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F2-1">Figure <xref linkend="F2-1" remap="2.1"/></link></label>
<caption><para>A representation of the Prolan Block and its operating environment.</para></caption>
<graphic xlink:href="graphics/ch02_Fig-2_1.jpg"/>
</fig>
<para>The interlocking is realized by the overall distributed system that consists of interacting PBs, which must ensure that no collision will happen on the railway, directing the train movements by proper sequences of signals. For instance, according to the specific regulations, the yellow lamps can indicate that the next block&#x02019;s semaphore is red because there is an obstacle (e.g., a train) in the block after the next (e.g., there is a train two semaphores ahead).</para>
<para>Prolan was interested in understanding the potentialities that model-driven technologies could give for the development of the PB and for the other products of the same generation. Indeed, small and medium size enterprises like Prolan are interested in model-driven technologies but there are barriers to their introduction, for the deep changes that these require into the organization and in the current industrial practices. Indeed, for the adoption of MDE Prolan needs to carefully rethink and redesign its current product development life cycle, that currently complies with the railway standards CENELEC EN 50126, EN 50128 and EN 50129, as well as the skills of the employees, even if no proven-in-use model-driven lifecycle for this domain is available and supported by long-term evidence.</para>
<para>The traditional Prolan development life cycle follows the V-Model and is compliant with the European railway standard EN 50128. The activities of the CENELEC V-Model process can be grouped in those concerning development, that are on the left side of the &#x02018;V&#x02019;, and those focusing on V&#x00026;V, that are on the opposite side as it can be seen in <link linkend="F2-2">Figure <xref linkend="F2-2" remap="2.2"/></link>. The activities of V&#x00026;V require planning stages that are performed before their actual execution: these planning stages are carried out during design.</para>
<fig id="F2-2" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F2-2">Figure <xref linkend="F2-2" remap="2.2"/></link></label>
<caption><para>Software Development Life Cycle according to EN 50128.</para></caption>
<graphic xlink:href="graphics/ch02_Fig-2_2.jpg"/>
</fig>
<para>Besides the activities in the V-Model, CENELEC EN 50128 also prescribes requirements on the documents produced at each stage, as well as on the project organization. For instance, if we consider the highest integrity level (SIL-4), distinct people have to test, verify and validate the product, in order to cross-check their work. The phases adjacent to the &#x02018;V&#x02019;, the Software Planning and Software Assessment, aim at tuning and assessing the activities of the life cycle, defining the tasks to be performed during the process and checking that the product and all artifacts satisfy the requirements and comply with the standard.</para>
<para>To gain experience on model-driven technologies, Prolan started a collaboration with CINI in the framework of the CECRIS Project to develop a development process enhanced with model-driven approaches.</para>
<para>Since Prolan wanted a concrete and feasible option for replacing its current methodology, the researcher proposed a development process backed to Prolan&#x02019;s traditional process. This solution minimizes the impact of the change on the organization, and is also compatible with the safety standards pursued by the company. The adaptation of the development processes of Prolan to MDE focused on core phases of the CENELEC V-Model, starting from the System Development Phase up to the Software Validation Phase, i.e., on the Software Development Life Cycle (SDLC).</para>
<para>The proposed model-driven V-Model lifecycle is shown in <link linkend="F2-3">Figure <xref linkend="F2-3" remap="2.3"/></link>: it is composed of a left, center and a right part; the title lines of the boxes refer to the SDLC activities performed by Prolan, according to CENELEC EN 50128 standard. For each activity, the boxes contain the models produced, and the formalisms used. Arrows represent dependency between the artifacts. The Component Design also depends on the Component Verification Design if it exploits the test model to early detect faults.</para>
<fig id="F2-3" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F2-3">Figure <xref linkend="F2-3" remap="2.3"/></link></label>
<caption><para>The adapted model-driven V-Model life cycle for Prolan [<link linkend="ch02bib31">31</link>].</para></caption>
<graphic xlink:href="graphics/ch02_FigN-2_3.jpg"/>
</fig>
<para>On the left there are forward engineering activities (system analysis, design and implementation); the phases in the center are for V&#x00026;V planning, while on the right side there are the activities of V&#x00026;V execution. The CENELEC V-Model life cycle adopts implicitly different viewpoints on the system for each level of the &#x02018;V&#x02019;: the top level focuses on the system as a whole, the level below uses a viewpoint on the system architecture, then it considers the components and their internal design; finally, the lowest level of the &#x02018;V&#x02019; sees source code details. These abstractions are used on both sides of the V-Model, for development and V&#x00026;V.</para>
<para>The activities are assigned to a number of roles that comply with the CENELEC EN 50128 standard. We consider the following roles and responsibilities:</para><itemizedlist mark="bullet" spacing="normal">
<listitem>
<para>The <emphasis role="strong">Requirements Manager</emphasis> is responsible for specifying the software requirements. (S)he shall be competent in requirements engineering and be experienced in application&#x02019;s domain (as well as in safety attributes);</para></listitem>
<listitem>
<para>The <emphasis role="strong">Designer</emphasis> transforms software requirements into a solution, defining the system architecture and developing component specifications. (S)he has be competent in the application area, and in safety design principles;</para></listitem>
<listitem>
<para>The <emphasis role="strong">Implementer</emphasis> transforms design solutions into data, source code or other representations to create the product software artifacts. (S)he has to be competent in engineering of the application area and implementation languages and supporting tools;</para></listitem>
<listitem>
<para>The <emphasis role="strong">Tester</emphasis> develops the test specifications, and performs the test execution. (S)he has to be competent in the domain where testing is carried out;</para></listitem>
<listitem>
<para>The <emphasis role="strong">Integrator</emphasis> manages the integration process using the software baselines, developing the integration test specification. (S)he has to be competent in the domain where component integration is carried out.</para></listitem></itemizedlist>
<para>All these roles require advanced modeling skills, and experience with MDE, as well as with the adopted formalisms and tools.</para>
<para>The process starts with System Requirements Specification, by defining the system environment and software requirements. Then, System Design and Component Design are carried out. The former defines a high-level system architecture, identifying the hardware-software interface, and the components interfaces. Requirements are then allocated to components, and the Designer specifies their responsibilities and expected interactions. Finally, in Component Design the Designer completes the components with the internal design, and the Implementation concludes the development.</para>
<para>For enabling forward engineering to model-driven technologies, we define in three stages a CIM, a PIM, and PSM, following the MDA principles.</para>
<para>The V&#x00026;V planning activities (Validation Design, Integration Verification Design, and Component Verification Design) have been isolated at the center of the V-Model. They are followed by the ones of V&#x00026;V execution that are performed on the right side of the &#x02018;V&#x02019;, i.e., Validation, Integration Verification and Component Verification. For instance, Validation Design produces the Overall Software Test Specification after the System Requirement Specification. Then, the actual validation is performed in the Validation activity, at the end of the &#x02018;V&#x02019;, after Integration Verification, to assess the product conformance to requirements.</para>
<para>For the phases of V&#x00026;V, we propose a model-driven methodology based on the MDA abstractions: the planning phases use Platform Independent Test Models, whereas the execution phases build Platform-Specific Test Models. In fact, the V&#x00026;V execution phases on the right side of the &#x02018;V&#x02019; benefit from the availability of the implementation, which constrains the technological platform.</para>
<para>Using this methodology, Prolan aims at improving the reuse of artifacts of design and V&#x00026;V, supporting most of activities of the life cycle with model-driven approaches. Prolan wanted to evaluate the adoption of OMG standards, i.e., SysML [<link linkend="ch02bib30">30</link>] and UML, to be open to multiple tools and promote the interoperability of the models. It is worth to note that custom profiles can be introduced in the process to potentiate the automatic generation of artifacts throughout the whole SDLC, thus reducing the manual efforts.</para>
<para>We remark that since Prolan&#x02019;s products must undergo safety certification, one of the main requirements of the methodology is to exploit model-driven technologies for supporting multiple activities of V&#x00026;V. Indeed, the proposed process is open to multiple forms of V&#x00026;V, and includes techniques of early system validation, through the definition of the Computation Independent Test (CIT) model.</para>
<section class="lev2" id="sec2-4-1" label="2.4.1" xreflabel="2.4.1">
<title>Experimentation within A Pilot Project</title>
<para>Prolan started a pilot project on a subset of requirements for the Prolan Block, in order to assess the benefits and drawbacks of the model-driven technologies.</para>
</section>
<section class="lev2" id="sec2-4-2" label="2.4.2" xreflabel="2.4.2">
<title>System Requirements Specification</title>
<para>At this phase, the Requirements Manager defines the system and the speci- fication of software requirements. We defined a CIM starting from the high-level system specification.</para>
<para>The CIM models requirements, and the relations between them, in SysML, because the language turns out particularly suited in this phase due to the Requirement diagram, the Use Case Diagram, and the Block Definition Diagram. In particular, SysML Requirement Diagram is useful to display textual requirements, and their relationships, and to trace them with other modeling elements.</para>
<para>Prolan built in the pilot project a CIM using MagicDraw [<link linkend="ch02bib32">32</link>], a modeling tool created by No Magic. Functional and non-functional requirements of the system were described using requirement diagrams meanwhile the system context was described with block definition diagrams. Modeling using the MagicDraw tool was introduced in an earlier phase of the CECRIS project in the framework of the knowledge transfer with Budapest University of Technology and Economics. Using models to capture requirements increased requirement quality significantly because the graphical representation made it possible to overview complex systems as well as the constraints of the modeling environment forced the engineers to create consistent requirements. We found it convenient to separate functional and non-functional requirements in different groups as well as to mark derived requirements using the refinement relationship.</para>
<para>An example of functional and non-functional requirements modeling can be seen in <link linkend="F2-4">Figures <xref linkend="F2-4" remap="2.4"/></link> and <link linkend="F2-5"><xref linkend="F2-5" remap="2.5"/></link>. As it can be seen from <link linkend="F2-6">Figure <xref linkend="F2-6" remap="2.6"/></link>, the PB system is connected to a Radio Block Center (RBC) to a PB Human Machine Interface (HMI) to a Station Interlocking System and to track occupancy detectors. In the BDD diagram not only the related components but also the multiplicity as well as the exchanged information and signals could be visualized.</para>
<fig id="F2-4" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F2-4">Figure <xref linkend="F2-4" remap="2.4"/></link></label>
<caption><para><emphasis>Prolan Block</emphasis> (PB) functional requirements.</para></caption>
<graphic xlink:href="graphics/ch02_Fig-2_4.jpg"/>
</fig>
<fig id="F2-5" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F2-5">Figure <xref linkend="F2-5" remap="2.5"/></link></label>
<caption><para>PB non-functional requirements.</para></caption>
<graphic xlink:href="graphics/ch02_Fig5new1.jpg"/>
</fig>
<fig id="F2-6" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F2-6">Figure <xref linkend="F2-6" remap="2.6"/></link></label>
<caption><para>BDD diagram showing the environment of the PB.</para></caption>
<graphic xlink:href="graphics/ch02_Fig-2_6.jpg"/>
</fig>
<para>Not only other actors, but also their relations and compositions were modeled with the BDD. Use case diagrams were created to describe in which functionalities the actors are involved (<link linkend="F2-7">Figure <xref linkend="F2-7" remap="2.7"/></link>).</para>
<fig id="F2-7" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F2-7">Figure <xref linkend="F2-7" remap="2.7"/></link></label>
<caption><para>Computation Independent Model (CIM) use case diagram for the Prolan Block.</para></caption>
<graphic xlink:href="graphics/ch02_FigN-2_7.jpg"/>
</fig>
<para>One use case of the PB HMI is to receive the status of the PB and display it. Another use case is to reset the track occupancy detectors in case the operator activates the axle counter reset.</para>
<para>High-level functionalities of the system defined by functional requirements and use cases are further detailed by behavioral diagrams: state machine diagrams, activity diagrams and sequence diagrams. Requirements coming from the railway domain like the description of the semaphore&#x02019;s behavior (in <link linkend="F2-8">Figure <xref linkend="F2-8" remap="2.8"/></link>) are primarily introduced into the CIM.</para>
<fig id="F2-8" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F2-8">Figure <xref linkend="F2-8" remap="2.8"/></link></label>
<caption><para>State machine diagram of the semaphore behavior [<link linkend="ch02bib31">31</link>].</para></caption>
<graphic xlink:href="graphics/ch02_Fig-2_8.jpg"/>
</fig>
<para>Active support from the CINI side was necessary in modeling the CIM, because the technology was relatively new to the requirement engineers of the company. During this phase 6 SysML Requirement diagrams; 12 SysML Block Definition diagrams; 41 Use Cases diagrams; 6 State Machines diagrams; 29 Activity diagrams; and 33 Sequence diagrams were created.</para>
</section>
<section class="lev2" id="sec2-4-3" label="2.4.3" xreflabel="2.4.3">
<title>System Design</title>
<para>In System Design, the Software Designer builds the Platform Independent Model to define the software architecture, the interfaces between the components, and between the components and the overall software. To this end, (s)he uses structural diagrams, such as Component and Class Diagrams, and assigns the requirements to the system components. Since the viewpoint is platform independent, the interfaces are independent of any technological platform.</para>
<para>In the pilot project, Prolan used UML component and class diagrams to model the high-level architecture of the PB.</para>
<para>The PB design comprises five components (<link linkend="F2-9">Figure <xref linkend="F2-9" remap="2.9"/></link>): <emphasis>Prolan Block Core Logic</emphasis>, <emphasis>Track Occupancy Detector</emphasis>, <emphasis>Network Communicator</emphasis>, IS Controller, and <emphasis>HMI Controller</emphasis>.</para>
<fig id="F2-9" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F2-9">Figure <xref linkend="F2-9" remap="2.9"/></link></label>
<caption><para>High-level system architecture [<link linkend="ch02bib31">31</link>].</para></caption>
<graphic xlink:href="graphics/ch02_Fig-2_9.jpg"/>
</fig>
<para>By communicating with the axle counters, the <emphasis>Track Occupancy Detector</emphasis> notifies to the system events such as &#x0201C;a train entered the block&#x0201D; or &#x0201C;a train has left the block&#x0201D;. It also manages device failures, notifying exceptional conditions.</para>
<para>The <emphasis>IS Controller</emphasis> interacts with the semaphore, setting the proper aspect and coping with malfunctionings. Similarly, the <emphasis>NetworkCommunicator</emphasis> uses the network, for interacting with adjacent PBs, and the <emphasis>HMIController</emphasis> manages the human-machine interface.</para>
<para>Finally, the <emphasis>ProlanBlockCoreLogic</emphasis> sets the interlocking systems according to its internal status and by collaborating with the other four components.</para>
<para>The components&#x02019; interfaces were defined following guidelines to keep them as much as possible UML standard and platform-independent. For instance the services of any middleware or library have been defined in terms of abstract interfaces, and the data types of the variables neglected one specific programming language.</para>
</section>
<section class="lev2" id="sec2-4-4" label="2.4.4" xreflabel="2.4.4">
<title>Component Design</title>
<para>The next phase is Component Design: here the Designer refines the PIM, to specify the internal design of the components. (S)he identifies all lowest software units, fully detailing their input and output, and specifying algorithms and data structure. The PIM becomes complete, and can be runnable and object of simulation.</para>
<para>In the pilot project, Prolan defined the PIM using IBM Rhapsody Deve- loper [<link linkend="ch02bib33">33</link>] (hereinafter: Rhapsody), but following the guidelines to build a model platform-independent. Indeed, the tool does not allow a clear separation between a PIM and a PSM, thus we avoided to insert C++ code, and adopted UML compliant syntax where possible.</para>
<para>Only few parts could not be specified in a platform-independent style. However, these parts were specified in C++, to exploit the model animation feature of Rhapsody. Indeed, Prolan was interested in this feature as a technique of early fault detection: Rhapsody&#x02019;s model animation generates an instrumented implementation of the model that allows to observe at runtime the program execution. This feature was useful and valuable for getting an immediate feedback on the design.</para>
<para>By Rhapsody Panel Diagrams, we drew a graphical user interface bound to the model that enabled to generate and receive model events at runtime. Of course, the execution can be also followed on behavioral diagrams, e.g., state machines or sequence diagrams.</para>
<section class="lev3" id="sec2-4-4-1" label="2.4.4.1" xreflabel="2.4.4.1">
<title>Implementation</title>
<para>Implementation phase deals with the production of software that is analy- zable, testable, verifiable and maintainable. Following MDA, the PIM is refined into one (or more) Platform Specific Models that are bound to target platforms. The PSM adds low-level implementation details. For instance, a PSM binds data and interfaces to the target OS and middleware chosen for the instantiation of the PIM.</para>
<para>Using IBM Rhapsody, Prolan set tagged values and other parameters to enrich the PIM with information platform-specific details, to specify how to translate the association (e.g., by static or dynamic arrays), what is the clock for the scheduler of the state machines&#x02019; event queues, and other parameters. These are used by Rhapsody for the automatic translation of PSM into code.</para>
<para>Considering the requirements of the PB, Prolan specified that the generated code cannot use dynamic memory and that the variables have to be initialized at runtime, due to the lack of memory isolation on Prosigma, the technological platform for the PB. The platform specific code can also exploit the round-trip code feature of MDE tools:</para>
<orderedlist numeration="arabic" continuation="restarts" spacing="normal">
<listitem>
<para>By automatic code generation, packages, code skeletons, make files and other artifacts are automatically model-to-text produced;</para></listitem>
<listitem>
<para>The Implementer fills the code skeletons with platform-specific details, using the support of modern development environments (such as Eclipse);</para></listitem>
<listitem>
<para>By code round-trip, the model is automatically augmented with the information written manually by the Implementer in the source code.</para></listitem></orderedlist>
<para>According to the requirements, there are many options for the translator that include the execution framework at runtime. For instance, Rhapsody offers two C/C++ frameworks: IBM Rhapsody Object Execution Framework (OXF), and IBM Rhapsody Simple Execution Framework (SXF). The latter is dedicated to embedded systems and safety-related development: qualification kits support the certification of the automatic generated code for several standard (including ISO 26262, EN 50128 and recently DO-178B).</para>
<para>The translation of our PSM in C++ source code generated around 7.5 thousands of lines of code for a platform using a conventional OS, 7.3 thousands for target platform using a commercial Real Time Operating System (VxWorks), and 5.9 thousands C lines of code for an embedded systems not using an OS. We used the SXF framework in the last code generation.</para>
</section>
</section>
<section class="lev2" id="sec2-4-5" label="2.4.5" xreflabel="2.4.5">
<title>Validation Design</title>
<para>For Validation Design, we propose a model, named CIT Model, to specify the behavior of the actors and of the environment. CIT can be used for designing validation tests, e.g., as UTP sequence diagrams representing the interactions of the actors with the system.</para>
<para>Prolan decided to does not build a CIT model for the Prolan Block, and the benefits of CIT modeling have been experimented on another system, the Prolan Monitor, that is discussed in the next section.</para>
</section>
<section class="lev2" id="sec2-4-6" label="2.4.6" xreflabel="2.4.6">
<title>Integration Verification Design</title>
<para>During Integration Verification Design, the Integrator realizes integration tests to show that components behave correctly when integrated together. The expected behavior of the components is independent from their inner design, thus we refer to this model is named Black Box Platform Independent Test Model (BB-PIT).</para>
<para>BB-PIT provides static and dynamic views of the system&#x02019;s components, and supports functional testing for unit/integration/system verification (<link linkend="F2-10">Figure <xref linkend="F2-10" remap="2.10"/></link>). The static description supports the generation of test harness, such as stubs and drivers for unit and integration testing. The dynamic description supports the generation of test suites and test cases.</para>
<fig id="F2-10" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F2-10">Figure <xref linkend="F2-10" remap="2.10"/></link></label>
<caption><para>The transformations of the BB-PIT.</para></caption>
<graphic xlink:href="graphics/ch02_Fig-2_10.jpg"/>
</fig>
<para>The components&#x02019; behavior seems modeled twice, in PIM and BB-PIT. However, the two models have different purposes: the first specifies how to build the system, and represents the specification that an actual implementation must comply with; the second describes the expected behavior in a way to verify its correspondence between requirements and implementation (e.g., by test cases).</para>
<para>For tests specification, UML-UTP Sequence diagrams are less error-prone than textual notations, and it is easier to derive test cases for multiple target platforms (such as TTCN-3 and JUnit), enhancing reusability and maintainability.</para>
<para>In the pilot project, Prolan adopted Conformiq Designer (from here onward: Conformiq) [<link linkend="ch02bib34">34</link>] to generate automatically test cases from the BB-PIT. However, since Conformiq is not fully compliant with UML, the behavior was specified in QML, the language used by the tool. As adequacy criterion we used the requirement coverage, using the requirement traceability offered by the model-driven tools.</para>
<para>In total, Prolan achieved the full coverage of requirements generating 21 test cases for the <emphasis>ProlanBlockCoreLogic</emphasis>. Test cases were exported to JUnit from sequence diagrams (<link linkend="F2-11">Figure <xref linkend="F2-11" remap="2.11"/></link>), and the tool also provided us with the traceability matrix correlating test cases with the structural features they cover (states, transitions, requirements).</para>
<fig id="F2-11" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F2-11">Figure <xref linkend="F2-11" remap="2.11"/></link></label>
<caption><para>A test case automatically generated from the BB-PIT by Conformiq.</para></caption>
<graphic xlink:href="graphics/ch02_Fig-2_11.jpg"/>
</fig>
<para>We also assessed the test harness generation from BB-PIT. Conformiq required to write the SUT adapter to let the testing framework interact with the system. Instead, Rhapsody offers the Test Conductor Add On [<link linkend="ch02bib35">35</link>], that automatically generates the testing harness (including the drivers and stubs), starting from model design diagrams. Within Test Conductor we could execute test cases directly in Rhapsody, observing the effects, and following the behavior of the SUT by means of sequence diagrams.</para>
</section>
<section class="lev2" id="sec2-4-7" label="2.4.7" xreflabel="2.4.7">
<title>Component Verification Design</title>
<para>In Component Verification Design tests have to confirm that components perform their intended functions. Here, we define the Grey Box Platform Independent Test (GB-PIT) Model, which is used for verification by the internal view of the components. Following this flow, engineers focus on a functional V&#x00026;V modeling in the Integration Verification Design, whereas they focus on functional and structural V&#x00026;V modeling at this stage.</para>
<para>Prolan assessed the IBM Rhapsody Automatic Test Generator (ATG) [<link linkend="ch02bib36">36</link>] for the structural verification of the <emphasis>ProlanBlockCoreLogic</emphasis>. ATG generated ten test cases (<link linkend="F2-11">Figure <xref linkend="F2-11" remap="2.11"/></link>) achieving the 91% coverage of the structural features of the model (they covered 19/21 states and 22/24 transitions). However, it was not able to reach the complete coverage.</para>
</section>
<section class="lev2" id="sec2-4-8" label="2.4.8" xreflabel="2.4.8">
<title>Model-Driven V&#x00026;V Subprocess</title>
<para>The activities on the right side of the V-Model concern V&#x00026;V execution: we propose to use in these phases the models built during the Design activities, but after they have been refined with the new details added in PSM during implementation.</para>
<para>Thus, in Component Verification we named the model White Box Platform Specific Model (WB-PST), and the Tester adds new test cases considering the details of the target platform. The WB-PST can be used to calculate the test coverage on the basis of the final system code, as well as to support any kind of verification of the actual code, such as to derive consistent and efficient code review plans by considering the component software metrics and implementation details.</para>
<para>Similarly, during Integration Verification phase the BB-PIT model is refined in the Black Box Platform Specific Test Model (BB-PST), where platform specific details complete the integration test specification. For instance, the BB-PST can be exploited to perform interface testing, a technique that is highly recommended by CENELEC EN 50128: interface testing is executed knowing the actual domain of all interface variables, and selecting particular input to assess the behavior of the (integrated) components (e.g., at their normal, boundary, or invalid values).</para>
<para>Finally, in Validation phase, the Tester assesses that system and software requirements are met. To this end, (s)he executes the overall system tests defined in the CIT. Moreover, if the CIT is executable, the Tester can put the CIT and the software in-a-loop, to perform software-in-the-loop and hardware-in-the-loop testing.</para>
</section>
</section>
<section class="lev1" id="sec2-5" label="2.5" xreflabel="2.5">
<title>Environment System Validation</title>
<para>Our methodology also exploits MDE for validation, by defining an environmental model during Validation Design to analyze the actors&#x02019; behavior. This model, named CIT Model, specifies the expected behavior of the environment when interacting with the system by behavioral diagrams (e.g., Sequence, State Machine or Activity diagrams) that are used to derive validation test case.</para>
<para>The CIT also appears in other studies [<link linkend="ch02bib37">37</link>] but our definition differs from the previous ones, since we define the CIT a model for validation that abstracts from the computation details of the system under analysis (SUT), and also propose to develop the CIT as an executable model of the environment, with interfaces specular to those of the PIM. This definition supports multiple forms of V&#x00026;V during the product life cycle.</para>
<para>Since the CIT has an interface specular to the one of the PIM, we can put the two models in-a-loop and the CIT can be used to perform model-in-the-loop test (since it is runnable), enabling to:</para>
<itemizedlist mark="bullet" spacing="normal">
<listitem>
<para>Validate the system against its expected interactions with external actors;</para></listitem>
<listitem>
<para>Create a simulated environment to reason about the operational aspects of the system in its environment (also through model animation).</para></listitem></itemizedlist>
<para>Model-in-the-loop (MIL) testing can be performed as soon as the PIM is available, i.e., during the Component Design, enabling to an early fault detection. Moreover, if the Tester can use additional/external sources of knowledge to model the actors&#x02019; behavior (such as domain knowledge or historical data), MIL testing can also be useful to detect missed software requirements, by assessing the behavior in a simulated environment.</para>
<para>Then, when a system implementation is available, the Tester can build an adapter to allow the CIT to interact with the actual SUT, allowing Software- and Hardware-in-the-loop Testing.</para>
<para>CIT also enables to performance testing, generally adopted for the assessment of critical systems, as it is recommended by the safety standards. Indeed, the CIT can generate inputs representative of the operational profile.</para>
<para>Other forms of verification allowed by the CIT are:</para>
<para><emphasis role="strong">Model-checking</emphasis> through the in-the-loop model. This can assess the absence of undesired conditions during the operation, analyzing the states of the PIM and CIT.</para>
<para><emphasis role="strong">Back-to-back testing</emphasis>, a special case is when the CIT can be seen as another PIM, for instance when we consider systems that act as client and server at the same time. For this kind of systems, we can instantiate two PIMs, putting in-a-loop each other, to perform back-to-back testing.</para>
</section>
<section class="lev1" id="sec2-6" label="2.6" xreflabel="2.6">
<title>Experimenting the CIT</title>
<para>The benefits of the CIT and of environmental modeling have been assessed in another part of the interlocking system with which Prolan Block interacts, the Prolan Monitor.</para>
<para>The Prolan Monitor (PM) shares with the PB the Prosigma hardware and middleware platform, which is the basis of the next generation of Prolan&#x02019;s products.</para>
<para>The purpose of the PM is to send signals generated by legacy interlocking devices to modern interlocking systems that communicate through protocols based on IP networks (such as via X.25 over TCP/IP). More specifically, PM monitors <emphasis>railway objects</emphasis>: each object is associated to one bit of information, which is encoded by one couple of valent and antivalent physical signal values. The PM transmits the bit of information to other devices, detecting invalid values for the couple of electric signals. Indeed, the input can suffer of special unstable states during which the signals quickly alternate in their value for a transient time, called <emphasis>bounce time</emphasis>: the PM must properly filter the signals, separating transient noise from invalid inputs.</para>
<para>To assess the benefits of the CIT, Prolan made an executable model of the PM&#x02019;s environment. The CIT is composed of two <emphasis>CIT Railway Objects</emphasis>: each <emphasis>CIT Railway Object</emphasis> controls the couple of logical signals associated with the binary information that they encapsulate; from the CIT point of view, the PM is an actor.</para>
<para>The <emphasis>CIT Railway Objects</emphasis> are implemented by a <emphasis>Signal Generator</emphasis> and an <emphasis>Event Generator</emphasis>: the <emphasis>Event Generator</emphasis> determines the next output to be triggered (including transient and invalid states), as specified by a user-defined operational profile, whereas the <emphasis>Signal Generator</emphasis> sets the couple of output signals and manages the duration of the transients.</para>
<para>A panel diagram makes the CIT interactive: a couple of knobs allow to set the event generation period and to customize the duration of transient states.</para>
<para>Linking together with an adapter simulating a physical relay the CIT and the PIM, we preliminarily performed Model-in-the-loop testing. Only changing the adapter with a real hardware card forwarding the events to the actual SUT, we could also perform Hardware in-the-loop testing (<link linkend="F2-12">Figure <xref linkend="F2-12" remap="2.12"/></link>).</para>
<fig id="F2-12" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F2-12">Figure <xref linkend="F2-12" remap="2.12"/></link></label>
<caption><para>The configuration of the PM for HIL Testing.</para></caption>
<graphic xlink:href="graphics/ch02_Fig-2_12.jpg"/>
</fig>
</section>
<section class="lev1" id="sec2-7" label="2.7" xreflabel="2.7">
<title>Lesson Learned</title>
<para>The CECRIS knowledge transfer activities allowed assessing the maturity of MDE for railway interlocking systems. The project managers became acquainted with MDE methodologies and tools, and Prolan started to consider their introduction into the development processes.</para>
<para>Indeed, the pilot project showed that MDE is a mature technology, which supports the whole development process. Using SysML for requirements specification helped to produce better artifacts, reasoning formally on incongruences and missing specifications than with the current document-centric approach. Also, fast prototyping, early fault detection, automatic test generation, and other MDE features revealed a gain of productivity and quality during design and V&#x00026;V phases than current methodology.</para>
<para>However, even for SME companies as Prolan that have limited engineering capacity, it is not easy to change current development process and practices. MDE requires for a technological and knowledge transfer. While the former can be addressed with personnel trainings, the latter is more subtle, long, and expensive. Therefore, Prolan submitted a joint tender proposal together with the Hungarian University, partner of CECRIS project, aiming at getting active support in their introduction during the next safety critical project, and to investigate model-driven technologies further.</para>
<para>Indeed, still an extensive experimentation of model-driven methodologies is needed. By the pilot project on the Prolan Block we qualitatively assessed MDE: even if the benefits of model-driven approaches turned out to be evident, we could not easily evaluate how much time is needed for Prolan to have a return of investment. This tender would introduce the academic know-how and support in the planning, design and implementation for a complete Railway Interlocking System project.</para>
<para>However, the current experience has been saved by Prolan, and if the tender is rejected then the enhancement of the current development lifecycle of Prolan with the one proposed in the framework of the pilot project will be applied. The innovation is planned to be applied gradually, through several stages expected to last several years.</para>
<para>At the first stage, Prolan targets to introduce models for supporting the current activities, starting to use MBE than MDE approaches. For instance, it is expected to adopt modelling tools for system requirement specification and system design phases. The current document-based system requirements specification and the the requirement management system will be replaced with software using SysML models, taking benefits of the improved model traceability.</para>
<para>These first changes already raise knowledge and technologies issues: we still have not decided if to adopt exclusively SysML for describing the system requirements, because we could be not able to teach satisfactorily modeling and SysML to all the team members; moreover, we have not completed the tool selection process. Among the selection criteria it is required that new tools be stable, and easily interoperable with the other software suites already in use at Prolan. The fully compliance with standards, and the vendor lock-in problem are also of interest for the tool selection. The relatively high price of licenses and the difficulty of using these modeling tools have an adverse effect on the introduction of model-driven methodologies.</para>
<para>The CECRIS experience revealed that model-driven technologies can really improve the development, enhancing quality of the product and of the development life cycle. Despite these advantages, the management of the railway product development decided to pursue a conservative approach towards the introduction of model based tools and development methods: the big issues of MDE concern skills and organization. The learning curve of these technologies is long and difficult to quantify, and the relevance of roles during the development will change, deeply impacting human-organizational factors. The innovation must be introduced gradually, taking into account these factors.</para>
<para>The benefits of cooperating with academic partners within the CECRIS project were manifold, as it was demonstrated by the pilot project: the experience in the methodologies and tools enabled Prolan to receive active tutoring and support for the full product lifecycle, shortening the learning curves and reducing the number of errors caused by the lack of knowledge, method, and experience with the tools. Moreover, the broad knowledge of the emerging new technologies in the field enabled the academic partners to suggest the criteria in selecting the appropriate tools and methodologies.</para>
</section>
<section class="lev1" id="sec2-8">
<title>References</title>
<orderedlist numeration="arabic" continuation="restarts" spacing="normal">
<listitem>
<para><anchor id="ch02bib1"/>Liebel, G., Marko, N., Tichy, M., Leitner, A., and Hansson J. (2014). &#x0201C;Assessing the State-of-Practice of Model-Based Engineering in the Embedded Systems Domain,&#x0201D; in <emphasis>Proceedings of the 7th International Conference on Model-Driven Engineering Languages and Systems (MODELS)</emphasis>, eds. J. Dingel, W. Schulte, I. Ramos, S. Abrah&#x000E3;o, and E. Insfran (Berlin: Springer International Publishing), 166&#x02013;182. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Liebel%2C+G%2E%2C+Marko%2C+N%2E%2C+Tichy%2C+M%2E%2C+Leitner%2C+A%2E%2C+and+Hansson+J%2E+%282014%29%2E+%22Assessing+the+State-of-Practice+of+Model-Based+Engineering+in+the+Embedded+Systems+Domain%2C%22+in+Proceedings+of+the+7th+International+Conference+on+Model-Driven+Engineering+Languages+and+Systems+%28MODELS%29%2C+eds%2E+J%2E+Dingel%2C+W%2E+Schulte%2C+I%2E+Ramos%2C+S%2E+Abrah%E3o%2C+and+E%2E+Insfran+%28Berlin%3A+Springer+International+Publishing%29%2C+166-182%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch02bib2"/>Marko, N., Liebel, G., Sauter, D., Lodwich, A., Tichy, M., Leitner, A., and Hansson J. (2014). Model-based engineering for embedded systems in practice. Research Reports in Software Engineering and Management, Technical report, University of Gothenburg, Gothenburg. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Marko%2C+N%2E%2C+Liebel%2C+G%2E%2C+Sauter%2C+D%2E%2C+Lodwich%2C+A%2E%2C+Tichy%2C+M%2E%2C+Leitner%2C+A%2E%2C+and+Hansson+J%2E+%282014%29%2E+Model-based+engineering+for+embedded+systems+in+practice%2E+Research+Reports+in+Software+Engineering+and+Management%2C+Technical+report%2C+University+of+Gothenburg%2C+Gothenburg%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch02bib3"/>Broy, M., Kirstan, S., Krcmar, H., Sch&#x000E4;tz, B., and Zimmermann, J. (2013). &#x0201C;What is the benefit of a model-based design of embedded software systems in the car industry&#x0201D; in <emphasis>Emerging Technologies for the Evolution and Maintenance of Software Models</emphasis> (Hershey, PA: IGI Global), 343&#x02013;369. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Broy%2C+M%2E%2C+Kirstan%2C+S%2E%2C+Krcmar%2C+H%2E%2C+Sch%E4tz%2C+B%2E%2C+and+Zimmermann%2C+J%2E+%282013%29%2E+%22What+is+the+benefit+of+a+model-based+design+of+embedded+software+systems+in+the+car+industry%22+in+Emerging+Technologies+for+the+Evolution+and+Maintenance+of+Software+Models+%28Hershey%2C+PA%3A+IGI+Global%29%2C+343-369%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch02bib4"/>CECRIS. (2016). <emphasis>EU Project CECRIS, CErtification of CRItical Systems</emphasis>. Available at: <ulink url="http://www.cecris-project.eu">http://www.cecris-project.eu</ulink> <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=CECRIS%2E+%282016%29%2E+EU+Project+CECRIS%2C+CErtification+of+CRItical+Systems%2E+Available+at%3A+http%3A%2F%2Fwww%2Ececris-project%2Eeu" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch02bib5"/>Schmidt, D. C. (2006). &#x0201C;Guest Editor&#x02019;s Introduction: Model-Driven Engineering,&#x0201D; in: <emphasis>Computer 39.2</emphasis>, 25&#x02013;31. Lecture Notes in Computer Science (Berlin: Springer).</para></listitem>
<listitem>
<para><anchor id="ch02bib6"/>Brambilla, M., Cabot, J., and Wimmer, M. (2012). <emphasis>Model-Driven Software Engineering in Practice</emphasis>. San Rafael, CA: Morgan &#x00026; Claypool Publishers.</para></listitem>
<listitem>
<para><anchor id="ch02bib7"/>Object Management Group (OMG). (2014). <emphasis>MDA Guide</emphasis> (Version 2.0). Available at: <ulink url="http://www.omg.org/cgi-bin/doc?ormsc/14-06-01">http://www.omg.org/cgi-bin/doc?ormsc/14-06-01</ulink> (accessed on 2016-03). <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Object+Management+Group+%28OMG%29%2E+%282014%29%2E+MDA+Guide+%28Version+2%2E0%29%2E+Available+at%3A+http%3A%2F%2Fwww%2Eomg%2Eorg%2Fcgi-bin%2Fdoc%B4ormsc%2F14-06-01+%28accessed+on+2016-03%29%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch02bib8"/>Baker, P., Dai, Z. R., Grabowski, J., Haugen, &#x000D8;., Schieferdecker, I., and Williams, C. (2007). <emphasis>Model-Driven Testing: Using the UML Testing Profile</emphasis> (New York, NY: Springer-Verlag New York, Inc.). <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Baker%2C+P%2E%2C+Dai%2C+Z%2E+R%2E%2C+Grabowski%2C+J%2E%2C+Haugen%2C+%D8%2E%2C+Schieferdecker%2C+I%2E%2C+and+Williams%2C+C%2E+%282007%29%2E+Model-Driven+Testing%3A+Using+the+UML+Testing+Profile+%28New+York%2C+NY%3A+Springer-Verlag+New+York%2C+Inc%2E%29%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch02bib9"/>Dai, Z. R. (2004). &#x0201C;Model-driven testing with UML 2.0,&#x0201D; in <emphasis>Proceedings of the 2nd European Workshop on Model Driven Architecture (MDA) with an emphasis on Methodologies and Transformations (EWMDA)</emphasis>, eds D. Akehurst, 179&#x02013;187. Tech. rep. 17-04, University of Kent, Canterbury. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Dai%2C+Z%2E+R%2E+%282004%29%2E+%22Model-driven+testing+with+UML+2%2E0%2C%22+in+Proceedings+of+the+2nd+European+Workshop+on+Model+Driven+Architecture+%28MDA%29+with+an+emphasis+on+Methodologies+and+Transformations+%28EWMDA%29%2C+eds+D%2E+Akehurst%2C+179-187%2E+Tech%2E+rep%2E+17-04%2C+University+of+Kent%2C+Canterbury%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch02bib10"/>Kent, S. (2002). &#x0201C;Model Driven Engineering,&#x0201D; in <emphasis>the Proceedings of the Third International Conference on Integrated Formal Methods (IFM)</emphasis>, 286&#x02013;298. Berlin: Springer-Verlag. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Kent%2C+S%2E+%282002%29%2E+%22Model+Driven+Engineering%2C%22+in+the+Proceedings+of+the+Third+International+Conference+on+Integrated+Formal+Methods+%28IFM%29%2C+286-298%2E+Berlin%3A+Springer-Verlag%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch02bib11"/>Object Management Group (OMG). (2003). <emphasis>MDA Guide (Version 1.0.1)</emphasis>. Available at: <ulink url="http://www.omg.org/cgi-bin/doc?omg/03-06-01">http://www.omg.org/cgi-bin/doc?omg/03-06-01</ulink> (accessed on 2016-03).</para></listitem>
<listitem>
<para><anchor id="ch02bib12"/>Davies, I., Green, P., Rosemann, M., Indulska, M., and Gallo, S. (2006). How do practitioners use conceptual modeling in practice? <emphasis>Data Knowl. Eng.</emphasis> 58.3, 358&#x02013;380. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Davies%2C+I%2E%2C+Green%2C+P%2E%2C+Rosemann%2C+M%2E%2C+Indulska%2C+M%2E%2C+and+Gallo%2C+S%2E+%282006%29%2E+How+do+practitioners+use+conceptual+modeling+in+practice%B4+Data+Knowl%2E+Eng%2E+58%2E3%2C+358-380%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch02bib13"/>Forward, A. and Lethbridge, T. C. (2008). &#x0201C;Problems and Opportunities for Model-centric Versus Code-centric Software Development: A Survey of Software Professionals,&#x0201D; in <emphasis>Proc. of the International Workshop on Models in Software Engineering (MISE)</emphasis> (New York, NY: ACM), 27&#x02013;32. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Forward%2C+A%2E+and+Lethbridge%2C+T%2E+C%2E+%282008%29%2E+%22Problems+and+Opportunities+for+Model-centric+Versus+Code-centric+Software+Development%3A+A+Survey+of+Software+Professionals%2C%22+in+Proc%2E+of+the+International+Workshop+on+Models+in+Software+Engineering+%28MISE%29+%28New+York%2C+NY%3A+ACM%29%2C+27-32%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch02bib14"/>Hutchinson, J., Rouncefield, M., and Whittle, J. (2011). &#x0201C;Model-driven engineering practices in industry,&#x0201D; in <emphasis>Proceedings of the 33rd International Conference on Software Engineering (ICSE)</emphasis> (New York, NY: IEEE), 633&#x02013;642.</para></listitem>
<listitem>
<para><anchor id="ch02bib15"/>Hutchinson, J., Whittle, J., Rouncefield, M., and Kristoffersen, S. (2011). &#x0201C;Empirical Assessment of MDE in Industry,&#x0201D; in <emphasis>Proceedings of the 33rd International Conference on Software Engineering (ICSE)</emphasis> (New York, NY: ACM), 471&#x02013;480. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Hutchinson%2C+J%2E%2C+Whittle%2C+J%2E%2C+Rouncefield%2C+M%2E%2C+and+Kristoffersen%2C+S%2E+%282011%29%2E+%22Empirical+Assessment+of+MDE+in+Industry%2C%22+in+Proceedings+of+the+33rd+International+Conference+on+Software+Engineering+%28ICSE%29+%28New+York%2C+NY%3A+ACM%29%2C+471-480%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch02bib16"/>Hutchinson, J., Whittle, J., and Rouncefield, M. (2014). &#x0201C;Model-driven engineering practices in industry: social, organizational and managerial factors that lead to success or failure,&#x0201D; in <emphasis>Science of Computer Programming 89, Part B</emphasis> (Amsterdam: Elsevier), 144&#x02013;161. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Hutchinson%2C+J%2E%2C+Whittle%2C+J%2E%2C+and+Rouncefield%2C+M%2E+%282014%29%2E+%22Model-driven+engineering+practices+in+industry%3A+social%2C+organizational+and+managerial+factors+that+lead+to+success+or+failure%2C%22+in+Science+of+Computer+Programming+89%2C+Part+B+%28Amsterdam%3A+Elsevier%29%2C+144-161%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch02bib17"/>Whittle, J., Hutchinson, J., and Rouncefield, M. (2014). &#x0201C;The state of practice in model-driven engineering,&#x0201D; in <emphasis>IEEE Software 31.3</emphasis> (New York, NY: IEEE), 79&#x02013;85. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Whittle%2C+J%2E%2C+Hutchinson%2C+J%2E%2C+and+Rouncefield%2C+M%2E+%282014%29%2E+%22The+state+of+practice+in+model-driven+engineering%2C%22+in+IEEE+Software+31%2E3+%28New+York%2C+NY%3A+IEEE%29%2C+79-85%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch02bib18"/>Tomassetti, F., Torchiano, M., Tiso, A., Ricca, F., and Reggio, G. (2012). &#x0201C;Maturity of software modelling and model driven engineering: A survey in the Italian industry,&#x0201D; in <emphasis>Proceedings of the 16th International Conference on Evaluation Assessment in Software Engineering (EASE)</emphasis> (New York, NY: ACM), pp. 91&#x02013;100. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Tomassetti%2C+F%2E%2C+Torchiano%2C+M%2E%2C+Tiso%2C+A%2E%2C+Ricca%2C+F%2E%2C+and+Reggio%2C+G%2E+%282012%29%2E+%22Maturity+of+software+modelling+and+model+driven+engineering%3A+A+survey+in+the+Italian+industry%2C%22+in+Proceedings+of+the+16th+International+Conference+on+Evaluation+Assessment+in+Software+Engineering+%28EASE%29+%28New+York%2C+NY%3A+ACM%29%2C+pp%2E+91-100%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch02bib19"/>Torchiano, M., Tomassetti, F., Ricca, F., Tiso, A., and Reggio, G. (2011). &#x0201C;Preliminary Findings from a Survey on the MD State of the Practice,&#x0201D; in <emphasis>Proceedings of the International Symposium on Empirical Software Engineering and Measurement (ESEM)</emphasis> (New York, NY: ACM), 372&#x02013;375. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Torchiano%2C+M%2E%2C+Tomassetti%2C+F%2E%2C+Ricca%2C+F%2E%2C+Tiso%2C+A%2E%2C+and+Reggio%2C+G%2E+%282011%29%2E+%22Preliminary+Findings+from+a+Survey+on+the+MD+State+of+the+Practice%2C%22+in+Proceedings+of+the+International+Symposium+on+Empirical+Software+Engineering+and+Measurement+%28ESEM%29+%28New+York%2C+NY%3A+ACM%29%2C+372-375%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch02bib20"/>Torchiano, M., Tomassetti, F., Ricca, F., Tiso, A., and Reggio, G. (2012). &#x0201C;Benefits from modelling and MDD adoption: expectations and achievements,&#x0201D; in <emphasis>Proceedings of the 2nd International Workshop on Experiences and Empirical Studies in Software Modelling (EESSMod)</emphasis> (New York, NY: ACM), 1&#x02013;6. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Torchiano%2C+M%2E%2C+Tomassetti%2C+F%2E%2C+Ricca%2C+F%2E%2C+Tiso%2C+A%2E%2C+and+Reggio%2C+G%2E+%282012%29%2E+%22Benefits+from+modelling+and+MDD+adoption%3A+expectations+and+achievements%2C%22+in+Proceedings+of+the+2nd+International+Workshop+on+Experiences+and+Empirical+Studies+in+Software+Modelling+%28EESSMod%29+%28New+York%2C+NY%3A+ACM%29%2C+1-6%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch02bib21"/>Torchiano, M., Tomassetti, F., Ricca, F., Tiso, A., and Reggio, G. (2013). Relevance, benefits, and problems of software modelling and model driven techniques &#x02013; A survey in the Italian industry. <emphasis>J. Syst. Softw</emphasis>. 86.8, 2110&#x02013;2126. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Torchiano%2C+M%2E%2C+Tomassetti%2C+F%2E%2C+Ricca%2C+F%2E%2C+Tiso%2C+A%2E%2C+and+Reggio%2C+G%2E+%282013%29%2E+Relevance%2C+benefits%2C+and+problems+of+software+modelling+and+model+driven+techniques+-+A+survey+in+the+Italian+industry%2E+J%2E+Syst%2E+Softw%2E+86%2E8%2C+2110-2126%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch02bib22"/>Agner, L. T. W., Soares, I. W., Stadzisz, P. C., and Sim[x00E3;]o, J. M. (2013). A Brazilian survey on UML and model-driven practices for embedded software development. <emphasis>J. Syst. Softw</emphasis>. 86.4, 997&#x02013;1005. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Agner%2C+L%2E+T%2E+W%2E%2C+Soares%2C+I%2E+W%2E%2C+Stadzisz%2C+P%2E+C%2E%2C+and+Sim%5Bx00E3%3B%5Do%2C+J%2E+M%2E+%282013%29%2E+A+Brazilian+survey+on+UML+and+model-driven+practices+for+embedded+software+development%2E+J%2E+Syst%2E+Softw%2E+86%2E4%2C+997-1005%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch02bib23"/>Mussbacher, G., Amyot, D., Breu, R., Bruel, J. M., Cheng, B. H. C., Collet, P., Combemale, B., France, R. B., Heldal, R., Hill, J., Kienzle, J., Sch&#x000F6;ttle, M., Steimann, F., Stikkolorum, D., and Whittle, J. (2014). &#x0201C;The relevance of model-driven engineering thirty years from now,&#x0201D; in <emphasis>Proceedings of the 17th International Conference on Model-Driven Engineering Languages and Systems (MODELS)</emphasis> eds. J. Dingel, W. Schulte, I. Ramos, S. Abrah, and E. Insfran (New York, NY: Springer International Publishing), 183&#x02013;200. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Mussbacher%2C+G%2E%2C+Amyot%2C+D%2E%2C+Breu%2C+R%2E%2C+Bruel%2C+J%2E+M%2E%2C+Cheng%2C+B%2E+H%2E+C%2E%2C+Collet%2C+P%2E%2C+Combemale%2C+B%2E%2C+France%2C+R%2E+B%2E%2C+Heldal%2C+R%2E%2C+Hill%2C+J%2E%2C+Kienzle%2C+J%2E%2C+Sch%F6ttle%2C+M%2E%2C+Steimann%2C+F%2E%2C+Stikkolorum%2C+D%2E%2C+and+Whittle%2C+J%2E+%282014%29%2E+%22The+relevance+of+model-driven+engineering+thirty+years+from+now%2C%22+in+Proceedings+of+the+17th+International+Conference+on+Model-Driven+Engineering+Languages+and+Systems+%28MODELS%29+eds%2E+J%2E+Dingel%2C+W%2E+Schulte%2C+I%2E+Ramos%2C+S%2E+Abrah%2C+and+E%2E+Insfran+%28New+York%2C+NY%3A+Springer+International+Publishing%29%2C+183-200%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch02bib24"/>Mohagheghi, P. and Dehlen, V. (2008). &#x0201C;Where Is the Proof? A Review of Experiences from Applying MDE in Industry,&#x0201D; in <emphasis>Proceedings of 4th European Conference on the Model Driven Architecture &#x02013; Foundations and Applications (ECMDA-FA)</emphasis>, Vol. 5095, ed. I. Schiefer-decker and A. Hartman. Lecture Notes in Computer Science. Springer Berlin Heidelberg, 2008, pp. 432&#x02013;443. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Mohagheghi%2C+P%2E+and+Dehlen%2C+V%2E+%282008%29%2E+%22Where+Is+the+Proof%B4+A+Review+of+Experiences+from+Applying+MDE+in+Industry%2C%22+in+Proceedings+of+4th+European+Conference+on+the+Model+Driven+Architecture+-+Foundations+and+Applications+%28ECMDA-FA%29%2C+Vol%2E+5095%2C+ed%2E+I%2E+Schiefer-decker+and+A%2E+Hartman%2E+Lecture+Notes+in+Computer+Science%2E+Springer+Berlin+Heidelberg%2C+2008%2C+pp%2E+432-443%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch02bib25"/>Baker, P., Loh, S., and Weil, F. (2005). &#x0201C;Model-Driven Engineering in a Large Industrial Context &#x02013; Motorola Case Study,&#x0201D; in <emphasis>Proceedings of the 8th International Conference on Model Driven Engineering Languages and Systems (MODELS)</emphasis>, eds. L. Briand and C. Williams (Berlin: Springer), 476&#x02013;491. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Baker%2C+P%2E%2C+Loh%2C+S%2E%2C+and+Weil%2C+F%2E+%282005%29%2E+%22Model-Driven+Engineering+in+a+Large+Industrial+Context+-+Motorola+Case+Study%2C%22+in+Proceedings+of+the+8th+International+Conference+on+Model+Driven+Engineering+Languages+and+Systems+%28MODELS%29%2C+eds%2E+L%2E+Briand+and+C%2E+Williams+%28Berlin%3A+Springer%29%2C+476-491%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch02bib26"/>Weigert, T. and Weil, F. (2006). &#x0201C;Practical experiences in using model-driven engineering to develop trustworthy computing systems,&#x0201D; in <emphasis>Proc. of the IEEE International Conference on Sensor Networks, Ubiquitous, and Trustworthy Computing</emphasis>, Vol. 1 (New York: IEEE), 208&#x02013;215. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Weigert%2C+T%2E+and+Weil%2C+F%2E+%282006%29%2E+%22Practical+experiences+in+using+model-driven+engineering+to+develop+trustworthy+computing+systems%2C%22+in+Proc%2E+of+the+IEEE+International+Conference+on+Sensor+Networks%2C+Ubiquitous%2C+and+Trustworthy+Computing%2C+Vol%2E+1+%28New+York%3A+IEEE%29%2C+208-215%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch02bib27"/>Huhn, M. and Hungar, H. (2010). &#x0201C;8 UML for software safety and certification,&#x0201D; in <emphasis>Model-Based Engineering of Embedded Real-Time Systems: International Dagstuhl Workshop. Revised Selected Papers</emphasis>, eds. H. Giese, G. Karsai, E. Lee, B. Rumpe, and B. Sch&#x000E4;tz (Berlin: Springer), 201&#x02013;237. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Huhn%2C+M%2E+and+Hungar%2C+H%2E+%282010%29%2E+%228+UML+for+software+safety+and+certification%2C%22+in+Model-Based+Engineering+of+Embedded+Real-Time+Systems%3A+International+Dagstuhl+Workshop%2E+Revised+Selected+Papers%2C+eds%2E+H%2E+Giese%2C+G%2E+Karsai%2C+E%2E+Lee%2C+B%2E+Rumpe%2C+and+B%2E+Sch%E4tz+%28Berlin%3A+Springer%29%2C+201-237%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch02bib28"/>Pettit, R., Mezcciani, N., and Fant, J. (2014). &#x0201C;On the needs and challenges of model-based engineering for spaceflight software systems,&#x0201D; in <emphasis>Proceedings of the IEEE 17th International Symposium on Object/Component/Service-Oriented Real-Time Distributed Computing (ISORC)</emphasis> (New York: IEEE), 25&#x02013;31. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Pettit%2C+R%2E%2C+Mezcciani%2C+N%2E%2C+and+Fant%2C+J%2E+%282014%29%2E+%22On+the+needs+and+challenges+of+model-based+engineering+for+spaceflight+software+systems%2C%22+in+Proceedings+of+the+IEEE+17th+International+Symposium+on+Object%2FComponent%2FService-Oriented+Real-Time+Distributed+Computing+%28ISORC%29+%28New+York%3A+IEEE%29%2C+25-31%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch02bib29"/>Ferrari, A., Fantechi, A., and Gnesi, S. (2012). &#x0201C;Lessons learnt from the adoption of formal model-based development,&#x0201D; in <emphasis>Proc. of 4th International Symposium on the NASA Formal Methods (NFM)</emphasis>, eds. A. E. Goodloe and S. Person (Berlin: Springer), 24&#x02013;38. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Ferrari%2C+A%2E%2C+Fantechi%2C+A%2E%2C+and+Gnesi%2C+S%2E+%282012%29%2E+%22Lessons+learnt+from+the+adoption+of+formal+model-based+development%2C%22+in+Proc%2E+of+4th+International+Symposium+on+the+NASA+Formal+Methods+%28NFM%29%2C+eds%2E+A%2E+E%2E+Goodloe+and+S%2E+Person+%28Berlin%3A+Springer%29%2C+24-38%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch02bib30"/>Object Management Group (OMG). (2008). Systems modeling language (SysML). Available at: <ulink url="http://www.omg.org/docs/formal/08-11-02.pdf">http://www.omg.org/docs/formal/08-11-02.pdf</ulink> (accessed on 2016-03).</para></listitem>
<listitem>
<para><anchor id="ch02bib31"/>Scippacercola, F., Pietrantuono, R., Russo, S., Zentai, A. (2015). &#x0201C;Model-driven engineering of a railway interlocking system,&#x0201D; in <emphasis>Proceedings of the 3rd International Conference on Model-Driven Engineering and Software Development (MODELSWARD 2015)</emphasis> (Set&#x000FA;bal: SCITEPRESS), 509&#x02013;519. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Scippacercola%2C+F%2E%2C+Pietrantuono%2C+R%2E%2C+Russo%2C+S%2E%2C+Zentai%2C+A%2E+%282015%29%2E+%22Model-driven+engineering+of+a+railway+interlocking+system%2C%22+in+Proceedings+of+the+3rd+International+Conference+on+Model-Driven+Engineering+and+Software+Development+%28MODELSWARD+2015%29+%28Set%FAbal%3A+SCITEPRESS%29%2C+509-519%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch02bib32"/>No Magic, Inc. (2016). <emphasis>Magic Draw. MagicDraw</emphasis>. Available at: <ulink url="http://www.nomagic.com/products/magic-draw.html">http://www.nomagic.com/products/magic-draw.html</ulink> (accessed on 2016-03).</para></listitem>
<listitem>
<para><anchor id="ch02bib33"/>IBM Corp. (2016). <emphasis>Rational<superscript>&#x000AE;</superscript> Rhapsody<superscript>&#x000AE;</superscript> Developer</emphasis>. Available at: <ulink url="http://www-03.ibm.com/software/products/it/ratirhap">http://www-03.ibm.com/software/products/it/ratirhap</ulink> (accessed on 2016-03).</para></listitem>
<listitem>
<para><anchor id="ch02bib34"/>Conformiq Inc. Conformiq Designer. <ulink url="http://www.conformiq.com/products/conformiq-designer">http://www.conformiq.com/products/conformiq-designer</ulink>, (accessed on 2016-03).</para></listitem>
<listitem>
<para><anchor id="ch02bib35"/>IBM Corp. (2016). <emphasis>Rational</emphasis><superscript>&#x000AE;</superscript> <emphasis>Rhapsody</emphasis><superscript>&#x000AE;</superscript> <emphasis>Test Conductor Add On</emphasis>. User Guide. Available at: <ulink url="http://pic.dhe.ibm.com/infocenter/rhaphlp/v7r6/topic/com.ibm.rhp.oem.pdf.doc/pdf/RTCUserGuide.pdf">http://pic.dhe.ibm.com/infocenter/rhaphlp/v7r6/topic/com.ibm.rhp.oem.pdf.doc/pdf/RTCUserGuide.pdf</ulink> (accessed on 2016-03).</para></listitem>
<listitem>
<para><anchor id="ch02bib36"/>IBM Corp. (2016). <emphasis>Rational</emphasis><superscript>&#x000AE;</superscript> <emphasis>Rhapsody</emphasis><superscript>&#x000AE;</superscript> <emphasis>Automatic Test Generator Add On</emphasis>. User Guide. Available at: <ulink url="http://pic.dhe.ibm.com/infocenter/rhaphlp/v7r5/topic/com.ibm.rhapsody.oem.pdf.doc/pdf/ATG-UserGuide.pdf">http://pic.dhe.ibm.com/infocenter/rhaphlp/v7r5/topic/com.ibm.rhapsody.oem.pdf.doc/pdf/ATG-UserGuide.pdf</ulink> (accessed on 2016-03).</para></listitem>
<listitem>
<para><anchor id="ch02bib37"/>Schieferdecker, I. (2005). &#x0201C;The UML 2.0 Test Profile as a Basis for Integrated System and Test Development,&#x0201D; in <emphasis>Proceedings of K&#x000F6;llen Druck+Verlag GmbH, Jahrestagung der Gesellschaft f&#x000FC;r Informatik</emphasis> (Germany: K&#x000F6;llen Druck &#x00026; Verlag GmbH), Vol. 35, pp. 395&#x02013;399. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Schieferdecker%2C+I%2E+%282005%29%2E+%22The+UML+2%2E0+Test+Profile+as+a+Basis+for+Integrated+System+and+Test+Development%2C%22+in+Proceedings+of+K%F6llen+Druck%2BVerlag+GmbH%2C+Jahrestagung+der+Gesellschaft+f%FCr+Informatik+%28Germany%3A+K%F6llen+Druck+%26+Verlag+GmbH%29%2C+Vol%2E+35%2C+pp%2E+395-399%2E" target="_blank">Google Scholar</ulink></para></listitem></orderedlist>
</section>
</chapter>
<chapter class="chapter" id="ch03" label="3" xreflabel="3">
<title>SYSML-UML Like Modeling Environment Based on Google Blockly Customization</title>
<para role="author"><emphasis role="strong">Arun Babu Puthuparambil<superscript>1</superscript>, Francesco Brancati<superscript>2</superscript>, Andrea Bondavalli<superscript>3,4</superscript> and Andrea Ceccarelli<superscript>3,4</superscript></emphasis></para>
<para><superscript>1</superscript>Robert Bosch Center for Cyber Physical Systems, Indian Institute of Science, Bangalore, India</para>
<para><superscript>2</superscript>Resiltech s.r.l., Pontedera (PI), Italy</para>
<para><superscript>3</superscript>Department of Mathematics and Informatics, University of Florence, Florence, Italy</para>
<para><superscript>4</superscript>CINI-Consorzio Interuniversitario Nazionale per l&#x02019;Informatica-University of Florence, Florence, Italy</para>
<section class="lev1" id="sec3-1" label="3.1" xreflabel="3.1">
<title>Introduction</title>
<para>In industries, it is often observed that system designers may not be CS/OO/SysML experts and often required lot of training and support to use the modeling tools. Ideally, designers should spend all their effort on modeling and nothing else. However, existing modeling tools have lot of issues related to installation and plug-ins.</para>
<para>The use of Google Blockly was envisaged for use of modeling and simulation of systems. Blockly is a visual programming library, used to model/program using interlocked blocks (<link linkend="F3-1">Figure <xref linkend="F3-1" remap="3.1"/></link>). Each of the blocks also support traditional input widgets such as labels, images, textbox, checkbox, combo box, etc. It can be configured in such a way that only compatible blocks can be connected together (i.e. can be made &#x0201C;valid by design&#x0201D;). Blockly supports code and XML generation, and requires only a modern web browser which can be run on any device or operating system.</para>
<fig id="F3-1" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F3-1">Figure <xref linkend="F3-1" remap="3.1"/></link></label>
<caption><para>Various types of blocks in Blockly.<footnote id="fn3_1" label="1"> <para>https://blockly-games.appspot.com/puzzle</para></footnote></para></caption>
<graphic xlink:href="graphics/ch03_fig001.jpg"/>
</fig>
<para>However, Blockly was not readily useable for modeling SysML/UML like models. A lot of changes and customizations were made in Blockly to make it more suitable for such type of modeling.</para>
<section class="lev2" id="sec3-1-1" label="3.1.1" xreflabel="3.1.1">
<title>Goal</title>
<para>To create a tool to create object diagrams based on a UML/SysML profile, which is simple, intuitive, fast, and reduce cognitive complexity. Also, the tool must support rapid modeling and code-generation. On a whole, the goal was to design a tool to model, validate, query, and support simulation.</para>
</section>
<section class="lev2" id="sec3-1-2" label="3.1.2" xreflabel="3.1.2">
<title>Blockly Customization</title>
<para>Below is the list of customization performed on Blockly to make it more suitable to create SysML/UML like models. (i) support constraints; (ii) support behaviors; (iii) support links; (iv) support viewpoints; (v) support intuitive maximize, collapse, and semi-collapse; (vi) support requirements management; (vii) guide user to select compatible blocks; (viii) Blockly to PlantUML conversion; (ix) Blockly to Python code generation; (x) Blockly to graph conversion and graph querying; (xi) support sequence diagrams; (xii) custom minification of JavaScript for faster loading; and (xiii) support cardinality and singleton blocks.</para>
</section>
<section class="lev2" id="sec3-1-3" label="3.1.3" xreflabel="3.1.3">
<title>Model Transformation</title>
<para>A SysML/UML profile can be given as an input to the tool, which will be converted to an intermediately format in PlantUML. As PlantUML is a simple textual language, <footnote id="fn3_2" label="2"> <para>http://plantuml.com/PlantUML_Language_Reference_Guide.pdf</para></footnote> conversion to PlantUML makes it easier to debug model transformation. This also makes possible to edit and add any extra features/statements in the converted PlantUML by hand/tool if the earlier format did not support certain features.</para>
<para><link linkend="F3-2">Figures <xref linkend="F3-2" remap="3.2"/></link> and <link linkend="F3-2"><xref linkend="F3-3" remap="3.3"/></link> show a simple example of a vending machine system. The profile in PlantUML is given as input and the tool transforms it into interconnectable blocks.</para>
<fig id="F3-2" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F3-2">Figure <xref linkend="F3-2" remap="3.2"/></link></label>
<caption><para>An example of a vending machine profile in PlantUML.</para></caption>
<graphic xlink:href="graphics/ch03_fig002.jpg"/>
</fig>
<fig id="F3-3" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F3-3">Figure <xref linkend="F3-3" remap="3.3"/></link></label>
<caption><para>An example of a vending machine model under construction.</para></caption>
<graphic xlink:href="graphics/ch03_fig003.jpg"/>
</fig>
</section>
<section class="lev2" id="sec3-1-4" label="3.1.4" xreflabel="3.1.4">
<title>Requirements Management</title>
<para>In the tool, each block can satisfy a set of requirements and a requirement can be satisfied by a set of blocks (<link linkend="F3-4">Figure <xref linkend="F3-4" remap="3.4"/></link>).</para>
<fig id="F3-4" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F3-4">Figure <xref linkend="F3-4" remap="3.4"/></link></label>
<caption><para>An example of requirements management.</para></caption>
<graphic xlink:href="graphics/ch03_fig004.jpg"/>
</fig>
</section>
<section class="lev2" id="sec3-1-5" label="3.1.5" xreflabel="3.1.5">
<title>MDE Flow</title>
<para>The model-driven engineering (MDE) flow with the tool is shown in <link linkend="F3-5">Figure <xref linkend="F3-5" remap="3.5"/></link>. First, a profile expert provides a domain specific profile in SysML/UML. This profile restricts what a designer can design and which blocks are compatible with each other. The profile is then converted automatically to PlantUML and is imported into the Blockly format. The designer now uses the tool to model and validate the design. After validation code can be generated in Python programming language, which can be used for simulation/testing. After testing the results can be analyzed and changes can be made in the model if necessary. This cycle continues till the model is refined as necessary.</para>
<fig id="F3-5" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F3-5">Figure <xref linkend="F3-5" remap="3.5"/></link></label>
<caption><para>MDE flow.</para></caption>
<graphic xlink:href="graphics/ch03_fig005.jpg"/>
</fig>
</section>
<section class="lev2" id="sec3-1-6" label="3.1.6" xreflabel="3.1.6">
<title>Guiding and Warning Users</title>
<para>The tool guides the designer in two ways: (i) Suggestions for the list of compatible blocks (<link linkend="F3-6">Figure <xref linkend="F3-6" remap="3.6"/></link>); and (ii) Using the type-Indicator plugin <footnote id="fn3_3" label="3"> <para>https://github.com/SPE-Systemhaus/blockly-type-indicator/wiki/Type-Indicator</para></footnote> (<link linkend="F3-7">Figure <xref linkend="F3-7" remap="3.7"/></link>).</para>
<fig id="F3-6" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F3-6">Figure <xref linkend="F3-6" remap="3.6"/></link></label>
<caption><para>An Example of guiding users with compatible blocks (for Transitions).</para></caption>
<graphic xlink:href="graphics/ch03_fig006.jpg"/>
</fig>
<fig id="F3-7" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F3-7">Figure <xref linkend="F3-7" remap="3.7"/></link></label>
<caption><para>An example of type indicator plugin (Shows which blocks are compatible with the current selected block &#x0201C;Transition/t4&#x0201D; with yellow color).</para></caption>
<graphic xlink:href="graphics/ch03_fig007.jpg"/>
</fig>
<para>Constraints make a model more precise, hence design time constraints are supported to warn designers when they make mistakes. These constraints are written in JavaScript and are evaluated at every <emphasis>on change</emphasis> event of a block (<link linkend="F3-8">Figure <xref linkend="F3-8" remap="3.8"/></link>).</para>
<fig id="F3-8" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F3-8">Figure <xref linkend="F3-8" remap="3.8"/></link></label>
<caption><para>An example of constraints.</para></caption>
<graphic xlink:href="graphics/ch03_fig008.jpg"/>
</fig>
</section>
<section class="lev2" id="sec3-1-7" label="3.1.7" xreflabel="3.1.7">
<title>Modular Design and Viewpoints</title>
<para>Meaningful groups can be formed to modularize design and links can be used instead of lines to connect two blocks which are away from each other. Use of groups and links avoid the spaghetti diagrams in large models (see <link linkend="F3-9">Figure <xref linkend="F3-9" remap="3.9"/></link>).</para>
<fig id="F3-9" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F3-9">Figure <xref linkend="F3-9" remap="3.9"/></link></label>
<caption><para>An example of groups and links.</para></caption>
<graphic xlink:href="graphics/ch03_fig009.jpg"/>
</fig>
<para>Viewpoints are used in profile to reduce cognitive complexity for the designers. Viewpoints allow users to focus on one aspect of the model, e.g.: Architecture/Communication etc. Usually viewpoints do not exist in isolation; various viewpoints have relationships between each other. <link linkend="F3-10">Figure <xref linkend="F3-10" remap="3.10"/></link> is an example of viewpoints in the tool; the viewpoints can be enabled/disabled.</para>
<fig id="F3-10" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F3-10">Figure <xref linkend="F3-10" remap="3.10"/></link></label>
<caption><para>Enabling and disabling viewpoints in model.</para></caption>
<graphic xlink:href="graphics/ch03_fig0010.jpg"/>
</fig>
</section>
<section class="lev2" id="sec3-1-8" label="3.1.8" xreflabel="3.1.8">
<title>Model Querying</title>
<para>On large models, it is important to query for blocks satisfying certain conditions. Thus, support for model querying in JavaScript was provided in the tool. The user provides a filter function, which is checked with all blocks. If the condition is satisfied, then it is highlighted, else it is not. <link linkend="F3-11">Figure <xref linkend="F3-11" remap="3.11"/></link> is an example of the query &#x0201C;return true;&#x0201D; query, i.e., does not apply any filter and show all blocks. In <link linkend="F3-12">Figure <xref linkend="F3-12" remap="3.12"/></link>, instead, a filter is applied: it selects all blocks of type &#x0201C;RUMI&#x0201D; (return block.of_type == &#x02018;RUMI&#x02019;).</para>
<fig id="F3-11" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F3-11">Figure <xref linkend="F3-11" remap="3.11"/></link></label>
<caption><para>Model query without any filter (return true;).</para></caption>
<graphic xlink:href="graphics/ch03_fig0011.jpg"/>
</fig>
<fig id="F3-12" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F3-12">Figure <xref linkend="F3-12" remap="3.12"/></link></label>
<caption><para>Example of model query to select all blocks of type &#x0201C;RUMI&#x0201D; (return block.of_type == &#x02018;RUMI&#x02019;).</para></caption>
<graphic xlink:href="graphics/ch03_fig0012.jpg"/>
</fig>
</section>
<section class="lev2" id="sec3-1-9" label="3.1.9" xreflabel="3.1.9">
<title>Code Generation and Export to PlantUML</title>
<para>From the model, code can be generated to Python automatically. Python was chosen as it is one of the simplest object oriented programming language. However, other programming languages can easily be supported in Blockly. <footnote id="fn3_4" label="4"> <para>https://developers.google.com/blockly/guides/configure/web/code-generators</para></footnote></para>
<para>Also, as the model is available in .xml format and PlantUML format, custom code <footnote id="fn3_5" label="5"> <para>https://developers.google.com/blockly/guides/create-custom-blocks/generating-code</para></footnote> and other programming languages can be supported in future.</para>
<para>Blockly models can be exported to PlantUML (<link linkend="F3-13">Figure <xref linkend="F3-13" remap="3.13"/></link>). The PlantUML version of model consist of two type of diagrams (i) the whole model without viewpoints; and (ii) model divided into separate files with grouped as viewpoints. These PlantUML models can be used for further refinement or be used with other tools. <footnote id="fn3_6" label="6"> <para>http://plantuml.com/running</para></footnote></para>
<fig id="F3-13" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F3-13">Figure <xref linkend="F3-13" remap="3.13"/></link></label>
<caption><para>The subset of example model of &#x0201C;Vending machine&#x0201D; exported to PlantUML.</para></caption>
<graphic xlink:href="graphics/ch03_fig0013.jpg"/>
</fig>
</section>
<section class="lev2" id="sec3-1-10" label="3.1.10" xreflabel="3.1.10">
<title>Simulation</title>
<para>Simulation of scenarios is supported using sequence diagrams and simulation related blocks custom code in Python. Domain specific sequence diagrams blocks are supportedto make design easier and error-free. As opposed to traditional generic sequence diagrams, these domain specific blocks are non-ambiguous and it allows correct code generation. <link linkend="F3-14">Figure <xref linkend="F3-14" remap="3.14"/></link> shows an example of a sequence diagram containing domain specific blocks. Each sequence diagram can consist of sub-sequence, which in turn can consist of simple blocks such as: if, while, parallel, etc., and may also contain custom domain specific blocks.</para>
<fig id="F3-14" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F3-14">Figure <xref linkend="F3-14" remap="3.14"/></link></label>
<caption><para>Example sequence diagram in Blockly.</para></caption>
<graphic xlink:href="graphics/ch03_fig0014.jpg"/>
</fig>
<para>The sequence diagram drawn using blocks can also be automatically converted to classical sequence diagram view as shown in <link linkend="F3-15">Figure <xref linkend="F3-15" remap="3.15"/></link>.</para>
<fig id="F3-15" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F3-15">Figure <xref linkend="F3-15" remap="3.15"/></link></label>
<caption><para>Classical view of sequence diagram (subset).</para></caption>
<graphic xlink:href="graphics/ch03_fig0015.jpg"/>
</fig>
<para>Custom code to be run before starting and after ending simulation can also be added using the simulation related blocks (<link linkend="F3-16">Figure <xref linkend="F3-16" remap="3.16"/></link>). These blocks can be used in initializing variables before simulation, pre-processing of data before simulation, and post-processing of results after simulation.</para>
<fig id="F3-16" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F3-16">Figure <xref linkend="F3-16" remap="3.16"/></link></label>
<caption><para>Blocks to support custom simulation initialization and code to execute when simulation ends.</para></caption>
<graphic xlink:href="graphics/ch03_fig0016.jpg"/>
</fig>
</section>
<section class="lev2" id="sec3-1-11" label="3.1.11" xreflabel="3.1.11">
<title>Conclusion and Future Work</title>
<para>This chapter has introduced an intuitive and simple semi-formal tool to be used to model, validate, query and simulate systems based on a SysML/UML profile. There is always scope to improve upon the approaches proposed in the chapter especially to make semi-formal methods popular among non-experts.</para>
<para>Some of the possible future research areas are: (i) Blocks with images or blocks shaped as images could make a great feature to make the design more intuitive (<link linkend="F3-17">Figure <xref linkend="F3-17" remap="3.17"/></link>); (ii) Currently, a transformation from Eclipse/Papyrus to PlantUML is available and can be readily used by the tool, however many more transformations can be written to PlantUML; and (iii) More programming languages support could be added in future.</para>
<fig id="F3-17" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F3-17">Figure <xref linkend="F3-17" remap="3.17"/></link></label>
<caption><para>Blocks with images.</para></caption>
<graphic xlink:href="graphics/ch03_fig0017.jpg"/>
</fig>
</section>
</section>
</chapter>
<chapter class="chapter" id="ch04" label="4" xreflabel="4">
<title>A Process for Finding and Tackling the Main Root Causes that Affect Critical Systems Quality</title>
<para role="author"><emphasis role="strong">Nuno Silva<superscript>1</superscript>, Francisco Moreira<superscript>1</superscript>, Jo&#x000E3;o Carlos Cunha<superscript>2,3</superscript> and Marco Vieira<superscript>3</superscript></emphasis></para>
<para><superscript>1</superscript>CRITICAL Software S.A., Coimbra, Portugal</para>
<para><superscript>2</superscript>ISEC &#x02013; Coimbra Institute of Engineering, Polytechnic Institute of Coimbra, Portugal</para>
<para><superscript>3</superscript>CISUC, Department of Informatics Engineering, University of Coimbra, Portugal</para>
<section class="lev1" id="sec4-1" label="4.1" xreflabel="4.1">
<title>Introduction</title>
<para>Following standards and applying good engineering practices during software development is not enough to guarantee defects free software, thus additional processes, such as Independent Software Verification and Validation (ISVV), are required in critical projects. The objective of ISVV is to provide complementary and independent assessments of the software artifacts in order to find residual defects and allow their correction in a timely manner. Independence is the most important concept of ISVV and it has been referred to and used in safety-critical domains such as civil aviation (DO-178B [<link linkend="ch04bib1">1</link>]), railway signalling systems (CENELEC [<link linkend="ch04bib2">2</link>]), and space missions (European Cooperation for Space Standardization (ECSS), e.g., [<link linkend="ch04bib3">3</link>, <link linkend="ch04bib4">4</link>]). However, such systems are still far from being perfect and it is common to hear about software bugs in aeronautics, train accidents caused by software problems, satellite systems that need to be patched after launch, and so on.</para>
<para>Previous studies have analysed the results of ISVV activities [<link linkend="ch04bib5">5</link>, <link linkend="ch04bib7">7</link>], looked into consolidated ISVV metrics [<link linkend="ch04bib8">8</link>] and studied the importance of independent test verification [<link linkend="ch04bib9">9</link>], showing that existing standards and good engineering practices are not enough to guarantee the required levels of safety and dependability of critical systems (CSs). Independence of Verification and Validation (V&#x00026;V) avoids author bias and is often more effective at finding defects and failures. Independence can be managerial, financial or technical, brings separation of concerns, complementarity, second/alternative opinions, and also has the merit of pushing development and in-house V&#x00026;V teams to focus on the quality of their work. The role of independence at early development phases is highlighted in EasterBrook [<link linkend="ch04bib10">10</link>] and clearly stated in the requirements of several standards such as CENELEC [<link linkend="ch04bib2">2</link>] (depending on the SIL level), and DO-178 [<link linkend="ch04bib1">1</link>] (where, for example, for the most critical level &#x02013; Level A &#x02013; 33 out of the 71 objectives/requirements of the standard must be satisfied with full independence).</para>
<para>The Orthogonal Defect Classification (ODC) [<link linkend="ch04bib11">11</link>] is a generic classification technique that turns semantic information in the software defect stream into a measurement on the process where defects have been caused, enabling an efficient root cause analysis. ODC [<link linkend="ch04bib11">11</link>] can be applied to the defects identified during ISVV in order to study their classifications (namely: type, the fix that removed the defect; trigger, the defect identification activity/condition; and impact, the effect of the defect if not corrected). ODC is the most commonly used defect classification scheme, but it was not specifically developed for CSs, or for systems that need to fulfil specific certification requirements.</para>
<para>The application of ODC to the defects identified during ISVV has been described in Silva and Vieira [<link linkend="ch04bib12">12</link>]. In that work, we used ODC to classify a dataset of 1070 development, validation, and operation defects from space applications that followed ECSS standards. The conclusions were that most of the defect types found are related to: (i) documentation issues (this is logical since the ECSS processes are heavily based on documentation evidences); (ii) functionality issues (generally related to requirements understanding and source code bugs that compromise the foreseen functionalities); and (iii) defective implementations of the planned functions (algorithms). The classification has also shown that the main defect triggers are related to document consistency, traceability activities, and test activities. Also, the main impacts include system capability, reliability, maintainability, and documentation quality. However, the key conclusion is that a large number of issues could not be classified due to unfit taxonomy of defect types, triggers and impacts, causing many doubts in the classifications (more that 30% of the cases).</para>
<para>In order to enhance ODC for better applicability to CSs, thus covering all ISVV defects and easing the classification for industry, as in Silva and Vieira [<link linkend="ch04bib13">13</link>, <link linkend="ch04bib29">29</link>], we proposed specific adaptations of the taxonomies of three classification attributes: Type, Trigger, and Impact. The enhanced classification enabled the full coverage of the defects in the dataset, providing more precision and a sounder root cause analysis support. The adaptation has been defined after conducting the classification of the 1070 defects with the original ODC (presented in Silva and Vieira [<link linkend="ch04bib12">12</link>]) and by carefully analysing the classification gaps. To validate the modifications, this enhanced version of ODC was used to reclassify the entire dataset, allowing its full classification. However, the work presented in Silva and Vieira [<link linkend="ch04bib13">13</link>] does not concretely contribute to understanding the problems that lead to the defects, which motivates the root cause analysis and the suggestions for improvements performed in the present work. The work described in this chapter represents the definition of a defects assessment process and the results of the application of this process to a space systems defects dataset.</para>
<para>This chapter presents an analysis on trends, common (and uncommon) problems and their causes, and look at the general picture of critical defects within the software development lifecycle of space systems, considering our dataset of 1070 defects. The results are intended to help engineers in tackling the problems starting from the most frequent ones, instead of dealing with them one by one, as is traditionally done in industry nowadays. In practice, this work brings to light the main root causes of issues in space projects, which were identified, based on the defects classification and on relevant expert knowledge about those defects and about the software development process, contributing toward proposing improvements to the processes, methodologies, tools, standards, and industry culture.</para>
<para>The ultimate objective of this work is to enable, through a proposed assessment process, a detailed analysis of the defects and identification of their sources (common root causes) in order to: (i) avoid their introduction (by tackling the main deficiencies in software engineering); and (ii) allow a more efficient detection of the remaining defects during the software deve- lopment lifecycle (by identifying appropriate V&#x00026;V methods and techniques). To support our work, the results of the enhanced ODC taxonomy proposed in Silva and Vieira [<link linkend="ch04bib13">13</link>] are used as input and analysed in detail to support the root cause analysis.</para>
</section>
<section class="lev1" id="sec4-2" label="4.2" xreflabel="4.2">
<title>Background</title>
<para>This section presents some background concepts, namely in what concerns the Orthogonal Defect Classification (ODC), ISVV, and previous relevant works.</para>
<section class="lev2" id="sec4-2-1" label="4.2.1" xreflabel="4.2.1">
<title>Orthogonal Defect Classification</title>
<para>The ODC, originally proposed by IBM (Chillarege et al. [<link linkend="ch04bib11">11</link>]), is one of the most used defects classification approaches. It is intended to be generic and applicable to different technology domains, but it is mostly oriented to design, code and testing defects. ODC defines eight attributes for defects classification, divided into two main groups: (i) opener, and (ii) closer. Three attributes (Activity, Trigger, and Impact) classify the defect when it has been discovered and so they are part of the opener group. The other five attributes (Target, Type, Qualifier, Age, and Source) are used when the defect is resolved, being thus part of the closer group. The full taxonomies for each attribute can be obtained from the ODC v5.2 specification and are not included here for brevity. Nevertheless, a description of ODC attributes is summarized in <link linkend="T4-1">Table <xref linkend="T4-1" remap="4.1"/></link>.</para>
<table-wrap position="float" id="T4-1">
<label><link linkend="T4-1">Table <xref linkend="T4-1" remap="4.1"/></link></label>
<caption><para>Orthogonal defect classification attributes description</para></caption>
<table cellspacing="5" cellpadding="5" frame="hsides" rules="groups">
<thead>
<tr>
<td valign="bottom" align="left">ODC Attribute</td>
<td valign="bottom" align="center">Description</td></tr>
</thead>
<tbody>
<tr>
<td valign="top" align="left">Activity</td>
<td valign="top" align="left">The actual activity that was being performed at the time the defect was discovered. The main activities applicable to this work are: Requirements verification, design verification, code verification, test verification and test execution.</td>
</tr>
<tr>
<td valign="top" align="left">Trigger</td>
<td valign="top" align="left">A trigger represents the environment or condition that had to exist for the defect to surface.</td>
</tr>
<tr>
<td valign="top" align="left">Impact</td>
<td valign="top" align="left">The impact is the effect that the team who is classifying the defect thinks it would have on the system if not corrected.</td>
</tr>
<tr>
<td valign="top" align="left">Target</td>
<td valign="top" align="left">Represents the high level identity of the entity that was fixed.</td>
</tr>
<tr>
<td valign="top" align="left">Type</td>
<td valign="top" align="left">The defect type is defined according to the fix that is necessary to remove it from the system. For that reason, it is best classified by a team/person who applied the fix to the defect.</td>
</tr>
<tr>
<td valign="top" align="left">Qualifier</td>
<td valign="top" align="left">Captures the element of a non-existent, wrong or irrelevant implementation.</td>
</tr>
<tr>
<td valign="top" align="left">Age</td>
<td valign="top" align="left">Categorizes the age of the defect, whether if it is new or surfaced from a previous defect.</td>
</tr>
<tr>
<td valign="top" align="left">Source</td>
<td valign="top" align="left">Describes the source of the defect in terms of its developmental history.</td>
</tr>
</tbody>
</table>
</table-wrap>
<para>In addition to ODC, several other classification taxonomies exist, including Beizer&#x02019;s [<link linkend="ch04bib14">14</link>], and IEEE Standard Classification for Software Anomalies [<link linkend="ch04bib15">15</link>]. Although ODC comprises some questionable attributes (8 dimensions), making it also somehow complex to classify, we have selected this taxonomy due to its generic nature, its orthogonality, its comprehensiveness and the level of usage in industry that seemed higher than for all the others. Also, it is important to emphasize that ODC has been used in the past as a starting point for developing new and focused defect taxonomies for different domains. A few examples were presented by Leszak et al. [<link linkend="ch04bib16">16</link>] and Lopes Margarido et al. [<link linkend="ch04bib17">17</link>], which used ODC for studying, building and validating defect categorization schemes. In practice, the focus of ODC is to support the analysis and feedback of defect data targeting quality issues from different phases of the engineering lifecycle.</para>
</section>
<section class="lev2" id="sec4-2-2" label="4.2.2" xreflabel="4.2.2">
<title>Independent Software Verification and Validation (ISVV)</title>
<para>Independent Software Verification and Validation is a set of structured engineering activities and tools that allow independent analysts to evaluate the quality of the software engineering artifacts produced at each phase of the development lifecycle. ISVV is performed on mature artifacts, which follow a strict engineering standard and that have been previously verified and validated as part of the development process. It provides an additional layer of confidence and is not expected to find a large number of severe defects.</para>
<para>Independent Software Verification and Validation produces evidences that support measuring the quality of the software and related processes and is referenced in several international standards: (i) ISVV guide from the European Space Agency (ESA) [<link linkend="ch04bib18">18</link>]; (ii) ISO Software Lifecycle Processes (ISO/IEC 12207) [<link linkend="ch04bib19">19</link>]; and (iii) IEEE Software V&#x00026;V (IEEE 1012) [<link linkend="ch04bib20">20</link>].</para>
<para>Independent Software Verification and Validation includes six phases (<link linkend="F4-1">Figure <xref linkend="F4-1" remap="4.1"/></link>) that can be executed sequentially or selected/adapted as the result of a tailoring process based on a criticality analysis [<link linkend="ch04bib18">18</link>].</para>
<fig id="F4-1" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F4-1">Figure <xref linkend="F4-1" remap="4.1"/></link></label>
<caption><para>ISVV phases.</para></caption>
<graphic xlink:href="graphics/ch04_fig0001.jpg"/>
</fig>
<para>According to the ESA ISVV Guide [<link linkend="ch04bib18">18</link>], ISVV engineers classify defects considering three severity levels: (i) Major (defect with a significant impact in the system dependability, quality or safety); (ii) Minor (defect with a minimum impact on the artifacts quality but not in the end system); and (iii) Comment (an improvement suggestion). Each ISVV defect is also classified according to an ISVV defect type (e.g., External Consistency, Internal Consistency, Correctness, Technical Feasibility, Completeness, Readability, and Maintainability).</para>
</section>
<section class="lev2" id="sec4-2-3" label="4.2.3" xreflabel="4.2.3">
<title>Related Work</title>
<para>Some studies in the literature have analysed metrics, efficiency and efficacy of the techniques used within ISVV to identify the defects in critical projects [<link linkend="ch04bib5">5</link>&#x02013;<link linkend="ch04bib8">8</link>]. However, none of these studies considered their observations and results to classify the defects and improve the development processes, techniques, tools, or standards. Furthermore, we could not find in the research literature any complete study focused on defects in mission- and safety-critical systems, nor an extensive and complete classification or root cause analysis that relates the results of ISVV with the development lifecycle parameters of the systems under study. For space systems, Jones [<link linkend="ch04bib21">21</link>] has provided a small study about space failures in the frame of the European Space Agency missions, but simply concluded that the main cause for all the accidents was lack of testing. A more in-depth analysis is necessary as testing is not the cause but one of the detection methods.</para>
<para>Several researchers have looked into the analysis of failures in safety-critical systems during different life-cycle phases (from requirements to operations) and performed empirical studies and root cause analysis [<link linkend="ch04bib22">22</link>&#x02013;<link linkend="ch04bib24">24</link>]. For example, Seaman et al. [<link linkend="ch04bib25">25</link>] used historical datasets with defects data from reviews and inspections and applied different categorization schemes to the defects. However, none of the mentioned studies covers all the lifecycle phases for the used defects dataset, nor bases the root cause analysis and the defects avoidance measures in a sound orthogonal classification of the defects.</para>
<para>Regarding the root cause analysis topic, it is worth mentioning some works that relate and somehow present results that are connected to the work presented in this chapter. Neufelder [<link linkend="ch04bib26">26</link>] collects data from field defects since 1993 and correlates that data to find the process properties that generate more defects; however, she is not focusing on CSs or systems developed under strict requirements and standards. Rao [<link linkend="ch04bib27">27</link>] has made an industry study about root cause defect classification for documentation defects, analysing only a few dozen defects on a monthly basis. Kumaresh et al. [<link linkend="ch04bib28">28</link>] conducted a study with data from a few hundreds of collected defects, where these defects have been classified and the corresponding root causes have been proposed to the learning of the projects as preventive ideas. No work has been performed for CSs nor with such a complete assessment and coverage of so many defect types (as shown by the ODC defect type results), as we did in our work.</para>
</section>
</section>
<section class="lev1" id="sec4-3" label="4.3" xreflabel="4.3">
<title>Defects Assessment Process</title>
<para>Based on the analysis that we conducted and the lessons learned, we propose a general approach for root cause analysis of critical software, enabling the continuous improvement of implementation and V&#x00026;V at all levels (processes, techniques, tools, personnel, application of standards, organization, and so on). Although our dataset and our experience are mainly from space software, we believe that this generalization is able to support the evaluation and root cause analysis of any critical system, independently from the domain. <link linkend="F4-2">Figure <xref linkend="F4-2" remap="4.2"/></link> shows the general approach of a defects assessment procedure, which includes a root-cause analysis and a continuous improvement procedure, described hereafter.</para>
<fig id="F4-2" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F4-2">Figure <xref linkend="F4-2" remap="4.2"/></link></label>
<caption><para>Generalized defect assessment procedure.</para></caption>
<graphic xlink:href="graphics/ch04_fig0002.jpg"/>
</fig>
<section class="lev2" id="sec4-3-1" label="4.3.1" xreflabel="4.3.1">
<title>Procedure Prerequisites</title>
<para>The approach is based on data analysis and software engineering knowledge that require some prerequisites to be fulfilled for the correct application of the process:</para>
<para><emphasis>0. Start:</emphasis></para>
<para>In order to successfully perform the defects analysis, it is necessary that the collected data (A. Defects Data and B. Other Project Data) contain the necessary information. This includes basic requirements such as: (i) detailed information about each defect and its fix; (ii) knowledge of defect environment conditions, such as tools, personnel and constraints; (iii) engineers&#x02019; assessment of the defect causes; and (iv) phase when the defect was introduced and when it was detected.</para>
<para>Some prerequisites are necessary to successfully apply the process. The first one includes training on the involved techniques, such as defects classification (e.g. ODC) and root cause analysis. The second includes rules and guidelines (or a template) for defects description or defect data collection.</para>
<para><emphasis>1. Data preparation and clean-up:</emphasis></para>
<para>Once we have the necessary data it is important to organize it and perform some anonymization if required. Data organization is essential for the next steps, since it is important to have the data in a searchable and manageable manner.</para>
</section>
<section class="lev2" id="sec4-3-2" label="4.3.2" xreflabel="4.3.2">
<title>Defects Classification</title>
<para>In order to efficiently and concretely tackle the important problems of critical software engineering, the first set of activities shall focus on an orthogonal classification of the sets of defects:</para>
<para><emphasis>2. ODC:</emphasis></para>
<para>Perform the ODC classification on the organized dataset. Enhancements and adaptations to the ODC taxonomy can be useful depending on the nature of the defects and the domain; however, these enhancements should be quite precise. For examples, see Silva and Vieira [<link linkend="ch04bib12">12</link>, <link linkend="ch04bib13">13</link>].</para>
<para><emphasis>3. ODC Analysis:</emphasis></para>
<para>Provide a summary of the ODC analysis. This information gives the first hints about the quality of the dataset, which can provide some feedback to the implementation and V&#x00026;V teams. For examples, Silva and Vieira [<link linkend="ch04bib12">12</link>, <link linkend="ch04bib13">13</link>].</para>
</section>
<section class="lev2" id="sec4-3-3" label="4.3.3" xreflabel="4.3.3">
<title>Defects Root Cause Analysis</title>
<para>The root cause analysis is composed by several steps that include analysis of the defects types, the triggers allowing defect detection, the defects that could have been detected earlier, and then prioritization and consolidation of these root causes leading to concrete proposed improvements:</para>
<para><emphasis>4. Defect Type RCA:</emphasis></para>
<para>Based on the different defect types, identify the possible generic root causes. This list of causes shall come from experience and expert judgement or a dedicated database where defect types are mapped to root causes. The list of root causes might be reduced or harmonized in step (8) below.!</para>
<para><emphasis>5. Defect Trigger RCA:</emphasis></para>
<para>Based on the classified defect triggers identify the causes and V&#x00026;V techniques (or triggers) that allowed the defects detection at the current defect detection stage. This list of causes shall come from experience and expert judgement or a dedicated database where defect triggers are mapped to root causes. The list of root causes might be reduced or harmonized in step (8) below.</para>
<para><emphasis>6. Late Detection RCA:</emphasis></para>
<para>With the list of defects that have slipped more than one lifecycle phase milestone identify the causes of the failures in the V&#x00026;V and ISVV techniques that allowed the defects to propagate until a later stage in the development lifecycle. This list of causes shall be added/harmonized with the list from step (5) Defect trigger RCA.</para>
<para><emphasis>7. Defects prioritization:</emphasis></para>
<para>If required (for example to tackle the defects with high impact on the system, or due to the large amount of defects and respective causes) list of defect types and triggers can be prioritized according to a defined severity (for example, based on the main impact of those defects) and the respective root causes can be filtered according to the prioritized type and trigger.</para>
<para><emphasis>8. RCA consolidation:</emphasis></para>
<para>The list of root causes obtained in the previous steps (4&#x02013;6) is consolidated according to the prioritization done in step (7). This consolidation can also contribute to reduce to an essential and more concrete list of causes.</para>
<para><emphasis>9. Improvements Suggestions:</emphasis></para>
<para>For all the root causes, define solutions or modifications to the processes, techniques, tools, training, resources, environment or application of standards. The solutions must cover the development activities to avoid the creation of defects and also the defect detection activities in order to identify the defects as soon as possible.</para>
</section>
<section class="lev2" id="sec4-3-4" label="4.3.4" xreflabel="4.3.4">
<title>Improvements and Validation</title>
<para>The suggested improvements might be difficult to implement, and their effectiveness can vary from team to team. They shall contribute to improve the software quality and reduce the amount of defects, different defects can then surface, and this is why this process shall have a consistent process improvement in place:</para>
<para><emphasis>10. Improvements Implementation:</emphasis></para>
<para>The development and V&#x00026;V teams must be informed about the required changes or adjustments (9. Improvements Suggestions), and the organization, management and quality planning shall decide on the improvements to implement for future projects.</para>
<para><emphasis>11. Process Validation and Improvements:</emphasis></para>
<para>At every step, it is possible to derive improvements to the process. Such improvements can be set to adjust to the company culture, to the project environment, to the customer requirements, etc. However, it is essential to measure the effectiveness of the implementation of the results (9. Improvements Suggestions and 10. Improvements Implementation) once the suggestions have been implemented and new defects (or no defects) have been collected. Note that Improvement can and shall also be about the current process, the defects classification scheme, the root cause analysis techniques and so on. The presented process shall be able to adapt and help in improving itself and the related techniques that compose it.</para>
</section>
</section>
<section class="lev1" id="sec4-4" label="4.4" xreflabel="4.4">
<title>Results</title>
<para>This section presents the dataset case studies description and the results of application of the process described in the Section 4.3.</para>
<section class="lev2" id="sec4-4-1" label="4.4.1" xreflabel="4.4.1">
<title>Characterization of the Systems</title>
<para>Our analysis is based on a set of real defects from ISVV activities in space projects. The projects include subsystems that compose satellite systems for three different domains (i) scientific exploration; (ii) earth observation; and (iii) telecommunications; covering different types of software, such as start-up or boot software, on-board application software, command and control units, payload software, and attitude and orbit control units. The engineering processes used in the selected missions were driven by the ECSS standards, namely the space engineering standard E-ST-40 [<link linkend="ch04bib3">3</link>] and the quality standard Q-ST-80 [<link linkend="ch04bib4">4</link>] which has a comparable lifecycle and similar strict requirements imposed by the European Space Agency.</para>
<para>The subsystems were developed according to functional and non-functional requirements mandated from ECSS and mission specifics. They were characterized by the following needs/objectives, which are common to space CSs, that were collected from the ECCS standards [<link linkend="ch04bib3">3</link>, <link linkend="ch04bib4">4</link>] and the corresponding engineering interpretations of the specification documents from several missions:</para><itemizedlist mark="bullet" spacing="normal">
<listitem>
<para>No crash or hang shall happen at any time;</para></listitem>
<listitem>
<para>No dynamic memory allocation is allowed;</para></listitem>
<listitem>
<para>Communication &#x02013; Telemetry (TM)/Telecommands (TC) &#x02013; must always be possible between ground control and the satellite;</para></listitem>
<listitem>
<para>The system must implement a Safe Mode (with basic communications, patch and dump functionalities);</para></listitem>
<listitem>
<para>Most systems shall have a very simple and stable start-up software (also called boot software);</para></listitem>
<listitem>
<para>There must be a watchdog (Hardware and/or Software) or an alive signal;</para></listitem>
<listitem>
<para>Systems are built with redundancy (at least Hardware);</para></listitem>
<listitem>
<para>Most systems must include FDIR (Fault Detection Isolation and Reco- very) functionalities to account for the environment and external faults;</para></listitem>
<listitem>
<para>The systems must have high autonomy and some self-correction procedures;</para></listitem>
<listitem>
<para>Systems are categorized with a criticality level related to the impact or consequences of system failures (in this case, the ECSS defined levels are: Catastrophic, Critical, Major and Minor or Negligible).</para></listitem></itemizedlist>
<para>The projects are also characterized by:</para><itemizedlist mark="bullet" spacing="normal">
<listitem>
<para>Requirements written in natural language (structured), highly based on documentation and non-formal processes and languages;</para></listitem>
<listitem>
<para>Documentation in UML/SysML and PDF, with limited possibilities of automated verification and formal analysis;</para></listitem>
<listitem>
<para>Programming languages such as C, Ada and Assembly, that are quite mature and low level languages;</para></listitem>
<listitem>
<para>Unit tests performed in commercial tools (e.g. Cantata++, VectorCast, LDRA), commonly developed and adapted for the specific projects embedded systems and environments;</para></listitem>
<listitem>
<para>Integration and system testing performed in specific validation environment (Software Validation Facility &#x02013; SVF) developed for this purpose on a case by case situation, with HW emulation and HW in-the-loop, simulated instruments, etc.</para></listitem></itemizedlist>
</section>
<section class="lev2" id="sec4-4-2" label="4.4.2" xreflabel="4.4.2">
<title>Defects in the Dataset</title>
<para><link linkend="T4-2">Table <xref linkend="T4-2" remap="4.2"/></link> summarizes the 1070 defects in the dataset, divided by severity (having a major or minor impact in the system, or just being comments to improve the engineering) and considering the ISVV activities in which they were found. The defects have been originated from the analysis of more than 10,000 software requirements, more than 1 million lines of code (mostly C, Ada95 and some Assembly), and over 3,000 tests <footnote id="fn4_1" label="1"> <para>The 3,000 tests correspond to only part of the requirements and code referred, as not all ISVV activities cover the full set of artifacts, e.g., for some projects only source code analysis was performed, no tests related to that specific codehave been assessed.</para></footnote> (some unit tests, some integration tests). In practice, the objective of ISVV was to find issues in the project artifacts, report and classify them in a clear and consistent way for the customer to act upon.</para>
<table-wrap position="float" id="T4-2">
<label><link linkend="T4-2">Table <xref linkend="T4-2" remap="4.2"/></link></label>
<caption><para>Enhanced ODC classification results</para></caption>
<table cellspacing="5" cellpadding="5" frame="hsides" rules="groups">
<thead>
<tr>
<td valign="bottom" align="left">Defect Type</td>
<td valign="bottom" align="center">Qty</td>
<td valign="bottom" align="center">%</td>
<td valign="bottom" align="center">Defect Trigger</td>
<td valign="bottom" align="center">Qty</td>
<td valign="bottom" align="center">%</td>
<td valign="bottom" align="center">Defect Impact</td>
<td valign="bottom" align="center">Qty</td>
<td valign="bottom" align="center">%</td>
</tr>
</thead>
<tbody>
<tr>
<td valign="top" align="left">Documentation</td>
<td valign="top" align="center">515</td>
<td valign="top" align="center">48.1%</td>
<td valign="top" align="left">Traceability/Compatibility</td>
<td valign="top" align="center">309</td>
<td valign="top" align="center">28.9%</td>
<td valign="top" align="left">Capability</td>
<td valign="top" align="center">308</td>
<td valign="top" align="center">28.8%</td>
</tr>
<tr>
<td valign="top" align="left">Function/Class/Object</td>
<td valign="top" align="center">203</td>
<td valign="top" align="center">19.0%</td>
<td valign="top" align="left">Test Coverage</td>
<td valign="top" align="center">227</td>
<td valign="top" align="center">21.2%</td>
<td valign="top" align="left">Maintenance</td>
<td valign="top" align="center">264</td>
<td valign="top" align="center">24.7%</td>
</tr>
<tr>
<td valign="top" align="left">Algorithm/Method</td>
<td valign="top" align="center">&#x00A0;&#x00A0;96</td>
<td valign="top" align="center">&#x00A0;&#x00A0;9.0%</td>
<td valign="top" align="left">Consistency/Completeness</td>
<td valign="top" align="center">206</td>
<td valign="top" align="center">19.3%</td>
<td valign="top" align="left">Reliability</td>
<td valign="top" align="center">252</td>
<td valign="top" align="center">23.6%</td>
</tr>
<tr>
<td valign="top" align="left">Checking</td>
<td valign="top" align="center">&#x00A0;&#x00A0;69</td>
<td valign="top" align="center">&#x00A0;&#x00A0;6.4%</td>
<td valign="top" align="left">Logic/Flow</td>
<td valign="top" align="center">119</td>
<td valign="top" align="center">11.1%</td>
<td valign="top" align="left">Documentation</td>
<td valign="top" align="center">157</td>
<td valign="top" align="center">14.7%</td>
</tr>
<tr>
<td valign="top" align="left">Interface</td>
<td valign="top" align="center">&#x00A0;&#x00A0;56</td>
<td valign="top" align="center">&#x00A0;&#x00A0;5.2%</td>
<td valign="top" align="left">Design Conformance</td>
<td valign="top" align="center">119</td>
<td valign="top" align="center">11.1%</td>
<td valign="top" align="left">Performance</td>
<td valign="top" align="center">&#x00A0;&#x00A0;39</td>
<td valign="top" align="center">&#x00A0;&#x00A0;3.6%</td>
</tr>
<tr>
<td valign="top" align="left">Build/Package/Environment</td>
<td valign="top" align="center">&#x00A0;&#x00A0;52</td>
<td valign="top" align="center">&#x00A0;&#x00A0;4.9%</td>
<td valign="top" align="left">Rare Situation</td>
<td valign="top" align="center">&#x00A0;&#x00A0;26</td>
<td valign="top" align="center">&#x00A0;&#x00A0;2.4%</td>
<td valign="top" align="left">Usability</td>
<td valign="top" align="center">&#x00A0;&#x00A0;28</td>
<td valign="top" align="center">&#x00A0;&#x00A0;2.6%</td>
</tr>
<tr>
<td valign="top" align="left">Assignment/Initialization</td>
<td valign="top" align="center">&#x00A0;&#x00A0;46</td>
<td valign="top" align="center">&#x00A0;&#x00A0;4.3%</td>
<td valign="top" align="left">Test Sequencing</td>
<td valign="top" align="center">&#x00A0;&#x00A0;16</td>
<td valign="top" align="center">&#x00A0;&#x00A0;1.5%</td>
<td valign="top" align="left">Requirements</td>
<td valign="top" align="center">&#x00A0;&#x00A0;&#x00A0;&#x00A0;9</td>
<td valign="top" align="center">&#x00A0;&#x00A0;0.8%</td>
</tr>
<tr>
<td valign="top" align="left">Timing/Serialization</td>
<td valign="top" align="center">&#x00A0;&#x00A0;33</td>
<td valign="top" align="center">&#x00A0;&#x00A0;3.1%</td>
<td valign="top" align="left">Standards Conformance</td>
<td valign="top" align="center">&#x00A0;&#x00A0;14</td>
<td valign="top" align="center">&#x00A0;&#x00A0;1.3%</td>
<td valign="top" align="left">Migration</td>
<td valign="top" align="center">&#x00A0;&#x00A0;&#x00A0;&#x00A0;8</td>
<td valign="top" align="center">&#x00A0;&#x00A0;0.7%</td>
</tr>
<tr>
<td valign="top" align="left"></td>
<td valign="top" align="center"></td>
<td valign="top" align="center"></td>
<td valign="top" align="left">HW/SW Configuration</td>
<td valign="top" align="center">&#x00A0;&#x00A0;13</td>
<td valign="top" align="center">&#x00A0;&#x00A0;1.2%</td>
<td valign="top" align="left">Standards</td>
<td valign="top" align="center">&#x00A0;&#x00A0;&#x00A0;&#x00A0;4</td>
<td valign="top" align="center">&#x00A0;&#x00A0;0.4%</td>
</tr>
<tr>
<td valign="top" align="left"></td>
<td valign="top" align="center"></td>
<td valign="top" align="center"></td>
<td valign="top" align="left">Recovery/Exception</td>
<td valign="top" align="center">&#x00A0;&#x00A0;10</td>
<td valign="top" align="center">&#x00A0;&#x00A0;0.9%</td>
<td valign="top" align="left">Installability</td>
<td valign="top" align="center">&#x00A0;&#x00A0;&#x00A0;&#x00A0;1</td>
<td valign="top" align="center">&#x00A0;&#x00A0;0.1%</td>
</tr>
<tr style="border-bottom:1px solid;">
<td valign="top" align="left"></td>
<td valign="top" align="center"></td>
<td valign="top" align="center"></td>
<td valign="top" align="left">Other Triggers</td>
<td valign="top" align="center">&#x00A0;&#x00A0;11</td>
<td valign="top" align="center">&#x00A0;&#x00A0;1.0%</td>
<td valign="top" align="left"></td>
<td valign="top" align="center"></td>
<td valign="top" align="center"></td>
</tr>
<tr>
<td valign="top" align="left">Total</td>
<td valign="top" align="center">1070</td>
<td valign="top" align="center">100%</td>
<td valign="top" align="left">Total</td>
<td valign="top" align="center">1070</td>
<td valign="top" align="center">100%</td>
<td valign="top" align="left">Total</td>
<td valign="top" align="center">1070</td>
<td valign="top" align="center">100%</td></tr>
</tbody>
</table>
</table-wrap>
</section>
<section class="lev2" id="sec4-4-3" label="4.4.3" xreflabel="4.4.3">
<title>Enhanced ODC Results</title>
<para>The results of the application of the enhanced ODC for space defects are summarized in <link linkend="T4-2">Table <xref linkend="T4-2" remap="4.2"/></link> showing the five top types, triggers and impacts cover about 90% of the issues analysed. This observation suggests that actions can be taken to quickly improve the quality of systems, by tackling a limited amount of properties.</para>
<para>The &#x02018;<emphasis>Documentation</emphasis>&#x02019; defect type represents almost half of the defects and &#x02018;<emphasis>Function/Class/Object</emphasis>&#x02019; represents almost 20% of the defects. This can be justified by the fact that CSs highly depend on documentation and documented evidences to prove the accomplishment of requirements and standards and to ensure qualification/certification of the systems by external entities. &#x02018;<emphasis>Function/Class/Object</emphasis>&#x02019; identifies functionality implementation deficiencies, especially at implementation level.</para>
<para>&#x02018;<emphasis>Traceability/Compatibility</emphasis>&#x02019; is the most frequent trigger, although &#x02018;<emphasis>Test Coverage</emphasis>&#x02019; and &#x02018;<emphasis>Consistency/Completeness</emphasis>&#x02019; are quite frequent. This suggests that the most efficient defect triggers are the simplest and most logical ones, namely those related to traceability, reviews and testing activities. This is due to the nature of the artifacts under analysis that require extensive documentation and creation of evidences that are developed over lifecycle phases depending on the previous phases artifacts.</para>
<para>In terms of the impacts, four of them are very important, namely: &#x02018;<emphasis>Capability</emphasis>&#x02019;, &#x02018;<emphasis>Maintenance</emphasis>&#x02019;, &#x02018;<emphasis>Reliability</emphasis>&#x02019; and &#x02018;<emphasis>Documentation</emphasis>&#x02019; (in this order). It is normal that Capability (i.e. functionality) is the most affected property but, in such space CSs, maintenance has a significant importance as well as the reliability requirements (see Section 4.4.1 regarding the needs/objectives of the target systems).</para>
</section>
<section class="lev2" id="sec4-4-4" label="4.4.4" xreflabel="4.4.4">
<title>Enhanced ODC Defect Impact Analysis</title>
<para>The ODC Impact analysis can be used to prioritize the defect types/triggers to identify the development and V&#x00026;V activities that might conduct to the defects with a high impact in the system. As &#x0201C;high impact&#x0201D;, we consider equally the impacts in Capability, Reliability, and Maintenance, as they are the most severe since they represent three essential requirements of critical space systems: functional quality, non-functional reliability assurance, and maintainability. Though, for the purpose of this work, we have considered the importance of impact as the frequency that the defects affect system capability, reliability, or maintenance.</para>
<para>The following graphs in this section represent the defect impacts as they have been originated by specific defect types, and also as they have been uncovered by specific defect triggers. The graphs provide an idea of the importance of defect types (related to root causes) and how defects that lead to specific impacts have been detected with specific triggers.</para>
<section class="lev3" id="sec4-4-4-1" label="4.4.4.1" xreflabel="4.4.4.1">
<title>Type vs. Impact</title>
<para><link linkend="F4-3">Figure <xref linkend="F4-3" remap="4.3"/></link> shows the defect types that have a high impact in the system (affecting Capability, Reliability and Maintenance). Defects with impact in Capability (blue dashed line) are mainly related with Function/Class/Object, Documentation and Algorithm/Method types, confirming that the functionality specification/implementation, the documented artifacts and the design decision in what concerns algorithms and methods to apply are the main contributors to defects that influence the system capability.</para>
<fig id="F4-3" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F4-3">Figure <xref linkend="F4-3" remap="4.3"/></link></label>
<caption><para>Defect type vs. defect impact.</para></caption>
<graphic xlink:href="graphics/ch04_fig0003.jpg"/>
</fig>
<para>Defects with impact in Reliability (orange dotted line) are originated from Documentation, Checking, Function/Class/Object and also Algorithm/ Method defect types. In this case, there is a new defect type that contributes significantly to reliability issues: Checking. It is clear that reliability (including redundancy, fault detection/monitoring, isolation and recovery) is often implemented with checks and verifications and so the importance of avoiding this type of defects to guarantee higher reliability.</para>
<para>Defects with impact in Maintenance (gray line) originate essentially from Documentation defect type. This is an expected result due to the fact that maintenance depends on documented artifacts that include installation and download instructions, user and developer manuals, and maintenance procedures.</para>
<para>The prioritization related with the three impacts is presented in the Section 4.4.5, namely in <link linkend="T4-3">Table <xref linkend="T4-3" remap="4.3"/></link>.</para>
<table-wrap position="float" id="T4-3">
<label><link linkend="T4-3">Table <xref linkend="T4-3" remap="4.3"/></link></label>
<caption><para>Summary of root causes for main defect types</para></caption>
<table cellspacing="5" cellpadding="5" frame="hsides" rules="groups">
<thead>
<tr>
<td valign="bottom" align="left">Root Cause</td>
<td valign="bottom" align="center">Defect Types</td></tr>
</thead>
<tbody>
<tr>
<td valign="top" align="left">Inefficient/insufficient reviews</td>
<td valign="top" align="left">Documentation; Function/Class/Object; Algorithm/Method; Checking; Interface</td>
</tr>
<tr>
<td valign="top" align="left">Ambiguous/missing/incorrect artifacts (documentation, requirements, design, tests)</td>
<td valign="top" align="left">Function/Class/Object; Algorithm/Method; Checking; Interface</td>
</tr>
<tr>
<td valign="top" align="left">Insufficient/Wrong tests (unit, integration, system, fault injection)</td>
<td valign="top" align="left">Function/Class/Object; Algorithm/Method; Checking; Interface</td>
</tr>
<tr>
<td valign="top" align="left">Limitations of the tools or toolsets that deal with documentation</td>
<td valign="top" align="left">Documentation</td>
</tr>
<tr>
<td valign="top" align="left">Lack of Completeness and consistency of system level (or previous phases) documentation</td>
<td valign="top" align="left">Documentation; Function/Class/Object; Algorithm/Method</td>
</tr>
<tr>
<td valign="top" align="left">Oversimplified documentation planning procedures <?lb?>Lack of time to produce, review and accept documentation artifacts <?lb?>Lack of importance given to some documentation artifacts <?lb?>Simplification of the product assurance processes related to documentation artifacts</td>
<td valign="top" align="left">Documentation</td>
</tr>
<tr>
<td valign="top" align="left">Limited engineers domain knowledge &#x02013; lack of appropriate skills</td>
<td valign="top" align="left">Function/Class/Object; Algorithm/Method</td>
</tr>
<tr>
<td valign="top" align="left">Incomplete specifications in what concerns FDIR and erroneous situations</td>
<td valign="top" align="left">Checking</td>
</tr>
<tr>
<td valign="top" align="left">Lack of reliability and safety culture</td>
<td valign="top" align="left">Checking</td>
</tr>
<tr>
<td valign="top" align="left">Incomplete specifications in what concerns interfaces, environment and communications</td>
<td valign="top" align="left">Interface</td>
</tr>
<tr>
<td valign="top" align="left">Limited definition of the operation, usability, maintainability requirements</td>
<td valign="top" align="left">Interface</td>
</tr>
<tr>
<td valign="top" align="left">Lack of tools knowledge, programming languages, design languages</td>
<td valign="top" align="left">Function/Class/Object; Algorithm/Method</td>
</tr>
<tr>
<td valign="top" align="left">Version and configuration management procedures inappropriately implemented</td>
<td valign="top" align="left">Build/Package/Environment</td>
</tr>
</tbody>
</table>
</table-wrap>
</section>
<section class="lev3" id="sec4-4-4-2" label="4.4.4.2" xreflabel="4.4.4.2">
<title>Trigger vs. Impact</title>
<para><link linkend="F4-4">Figure <xref linkend="F4-4" remap="4.4"/></link> shows the defect triggers that allow detection of the defects with a high impact. The graph reinforces the importance of the 3 main triggers: a) Consistency/Completeness, b) Test Coverage, and c) Traceability/Compatibility as the most important (frequent) triggers (overall they allowed the detection of 77.0% of the issues). For this particular case, Reliability can be ensured with better Traceability/Compatibility analysis, Test Coverage and Logic/Flow analysis. Capability shall be assessed more efficiently with Test Coverage, Traceability/Compatibility assessment and Design Conformance Analysis. Maintenance defect impact can be mitigated with Traceability/ Compatibility and Consistency/Completeness analysis.</para>
<fig id="F4-4" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F4-4">Figure <xref linkend="F4-4" remap="4.4"/></link></label>
<caption><para>Defect trigger vs. defect impact.</para></caption>
<graphic xlink:href="graphics/ch04_fig0004.jpg"/>
</fig>
<para>The results of the prioritization related with these three impacts are presented in Section 4.4.5, <link linkend="T4-4">Table <xref linkend="T4-4" remap="4.4"/></link>.</para>
</section>
</section>
<section class="lev2" id="sec4-4-5" label="4.4.5" xreflabel="4.4.5">
<title>Consolidation of the Root Cause Analysis and Proposed Improvements</title>
<para>The defects with impact on capability, reliability, and maintenance, identified in Section 4.4, represent 77% of the total dataset. From these, we considered the top 6 defect types and the top 5 defect triggers (<link linkend="T4-2">Table <xref linkend="T4-2" remap="4.2"/></link>) because they account for more than 90% of the defects with high impact. Then we were able to identify the main root causes for the most important defect types (<link linkend="T4-3">Table <xref linkend="T4-3" remap="4.3"/></link>) and the most important defect triggers (<link linkend="T4-4">Table <xref linkend="T4-4" remap="4.4"/></link>).</para>
<table-wrap position="float" id="T4-4">
<label><link linkend="T4-4">Table <xref linkend="T4-4" remap="4.4"/></link></label>
<caption><para>Summary of root causes for main defect triggers</para></caption>
<table cellspacing="5" cellpadding="5" frame="hsides" rules="groups">
<thead>
<tr>
<td valign="bottom" align="left">Root Cause</td>
<td valign="bottom" align="center">Defect Trigger</td></tr>
</thead>
<tbody>
<tr>
<td valign="top" align="left">Lack of traceability verification culture</td>
<td valign="top" align="left">Traceability/Compatibility</td>
</tr>
<tr>
<td valign="top" align="left">Lack or inefficient usage of tools that support traceability across lifecycle phases</td>
<td valign="top" align="left"></td>
</tr>
<tr>
<td valign="top" align="left">Lack of appropriate test planning and test strategy definition</td>
<td valign="top" align="left">Test Coverage</td>
</tr>
<tr>
<td valign="top" align="left">Lack or inefficient testing tool and testing environment support</td>
<td valign="top" align="left"></td>
</tr>
<tr>
<td valign="top" align="left">Incomplete tests specification and execution</td>
<td valign="top" align="left"></td>
</tr>
<tr>
<td valign="top" align="left">Review process related root causes</td>
<td valign="top" align="left">Document Consistency Completeness (Internal Document)</td>
</tr>
<tr>
<td valign="top" align="left">Documentation related root causes</td>
<td valign="top" align="left">Document Consistency/Completeness (Internal Document)</td>
</tr>
<tr>
<td valign="top" align="left">Deficient usage of tools and applicable processes</td>
<td valign="top" align="left">Document Consistency/Completeness (Internal Document)</td>
</tr>
<tr>
<td valign="top" align="left">Unclear or missing/incomplete specifications</td>
<td valign="top" align="left">Document Consistency/Completeness (Internal Document); Logic/Flow</td>
</tr>
<tr>
<td valign="top" align="left">Ambiguous or unclear architecture definition</td>
<td valign="top" align="left">Logic/Flow</td>
</tr>
<tr>
<td valign="top" align="left">Lack of usage of tools that support data and control flow analysis</td>
<td valign="top" align="left">Logic/Flow</td>
</tr>
<tr>
<td valign="top" align="left">Inappropriate architecture support tools or tool usage</td>
<td valign="top" align="left">Design Conformance</td>
</tr>
<tr>
<td valign="top" align="left">Deficient specification or design artifacts</td>
<td valign="top" align="left">Design Conformance</td></tr>
</tbody>
</table>
</table-wrap>
<para>This analysis results on a list of the most important causes of the defects identified during ISVV, and for the most important causes of failure in the verification and validation activities during the development lifecycle. For high defects with impact, the listed causes show that software engineering processes, methods and tools require some adjustments in order to become more efficient to produce more dependable and safe systems. The identified root causes are all related to existing development and V&#x00026;V activities that require more careful application, especially in what concerns schedule and planning pressures (or we can call it strategies as well), rigor and caution on the application of engineering processes, and V&#x00026;V activities importance. The quality/product assurance strategies and the guidance from applicable processes and required standards are essential to ensure that these root causes are minimized.</para>
<para>The root causes presented (in <link linkend="T4-3">Tables <xref linkend="T4-3" remap="4.3"/></link> and <link linkend="T4-4"><xref linkend="T4-4" remap="4.4"/></link>) have been ordered according to expert knowledge and experience applicable to the high impact defects, and intend to provide a preliminary ordering in what concerns their contribution to the high defect impacts.</para>
<para>The identified root causes for defect triggers indicate that improvements to the current processes, both development (to avoid the introduction of defects) and V&#x00026;V (to detect the defects within the phase they are introduced) might be possible. At a higher level, the leading safety standards might require additional guidance to support development and V&#x00026;V in order to reinforce that the product/quality assurance (PA/QA), and safety and dependability assessments should be properly realized, reducing the amount of defects caught by ISVV. The proposed improvements are guidelines derived directly from the root causes summarized in <link linkend="T4-3">Tables <xref linkend="T4-3" remap="4.3"/></link> and <link linkend="T4-4"><xref linkend="T4-4" remap="4.4"/></link> and from domain and expert knowledge of the authors and industrial contributors to this work. Their intent is to fulfil the needs of the development and V&#x00026;V processes in order to avoid the most important and more frequent defects as those in our dataset.</para>
<para>From the development perspective, based on <link linkend="T4-3">Table <xref linkend="T4-3" remap="4.3"/></link>, the following measures should be considered:</para><itemizedlist mark="bullet" spacing="normal">
<listitem>
<para>Define/redefine appropriate review methods, processes and tools and enforce their application at every stage of the SDP;</para></listitem>
<listitem>
<para>Implement automated documentation generation processes and tools to avoid inconsistencies between artifacts/lifecycle phases;</para></listitem>
<listitem>
<para>Use tools that integrate and manage all the phases of the lifecycle, such as concept specifications, requirements, architecture, source code, tests, etc.;</para></listitem>
<listitem>
<para>Introduce/use tools with automatic validations (documentation completeness, design consistency, code analysis, control and data flow analysis);</para></listitem>
<listitem>
<para>Provide training to the engineering teams, to improve the domain knowledge, the system or interfacing systems knowledge, standards knowledge and techniques and tools practice;</para></listitem>
<listitem>
<para>Promote workshops or meetings to present the specifications/requirements, to discuss and clarify them before advancing to the following phase;</para></listitem>
<listitem>
<para>Introduce additional guidelines or even specific requirements (e.g., by defining and specifying the reasoning behind the standards requirements and how to achieve them in full conformance) in the applicable standards (PA/QA, version and configuration control and development).</para></listitem></itemizedlist>
<para>From the V&#x00026;V perspective, based on the results in <link linkend="T4-4">Table <xref linkend="T4-4" remap="4.4"/></link>, the following measures should be considered:</para><itemizedlist mark="bullet" spacing="normal">
<listitem>
<para>Define appropriate test plans and strategies, especially unit and integration tests. The soundness of the test plans and strategies will reflect in the success of the validation;</para></listitem>
<listitem>
<para>Ensure appropriate (or automated) traceability analysis at every stage of the development lifecycle;</para></listitem>
<listitem>
<para>Improve the testing completeness, coverage and reviews;</para></listitem>
<listitem>
<para>Implement non-functional tests (fault detection, fault injection, redundancy, etc.);</para></listitem>
<listitem>
<para>Apply or develop tools to verify and validate the implementation and design compliance.</para></listitem></itemizedlist>
</section>
</section>
<section class="lev1" id="sec4-5" label="4.5" xreflabel="4.5">
<title>Conclusions</title>
<para>This chapter presented a defects assessment process based on a field study on root cause analysis of 1070 defects in space software projects.</para>
<para>We proposed a general procedure to derive improvement suggestions for the systems and the analysis process itself applying an improved ODC taxonomy and examining the defect types, triggers and impacts. We have also prioritized the root causes based on their importance by considering the impact of the defects on capability, reliability, and maintainability, and proposed generic solutions to implementation (to prevent defects) and V&#x00026;V (to effectively detect defects) in order to avoid these defects in future projects.</para>
<para>The outcomes of the field study show that, although CSs are already guided by appropriate development and V&#x00026;V techniques and processes, most of the defects are caused by an inefficient usage or implementation of these techniques and processes. Appropriate guidance, additional requirements and constraints, better test strategies and tools that are able to help in the application of the techniques and processes would be essential to obtain better results (less defects). ISVV was originally able to detect the 1070 defects but could still be enriched by applying the proposed V&#x00026;V actions in order to avoid defects slippage.</para>
</section>
<section class="lev1" id="sec4-6">
<title>References</title>
<orderedlist numeration="arabic" continuation="restarts" spacing="normal">
<listitem>
<para><anchor id="ch04bib1"/>RTCA DO-178B. (1992). <emphasis>(EUROCAE ED-12B), Software Considerations in Airborne Systems and Equipment Certification</emphasis>. RTCA Inc., Washington, DC. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=RTCA+DO-178B%2E+%281992%29%2E+%28EUROCAE+ED-12B%29%2C+Software+Considerations+in+Airborne+Systems+and+Equipment+Certification%2E+RTCA+Inc%2E%2C+Washington%2C+DC%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch04bib2"/>Sai Global. (2011). CENELEC EN 50128: Railway applications &#x02013; Communication, signalling and processing systems &#x02013; Software for railway control and protection systems. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Sai+Global%2E+%282011%29%2E+CENELEC+EN+50128%3A+Railway+applications+-+Communication%2C+signalling+and+processing+systems+-+Software+for+railway+control+and+protection+systems%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch04bib3"/>ECSS. (2009). <emphasis>ECSS-E-ST-40C, Space engineering &#x02013; Software</emphasis>. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=ECSS%2E+%282009%29%2E+ECSS-E-ST-40C%2C+Space+engineering+-+Software%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch04bib4"/>ECSS. (2009). <emphasis>ECSS-Q-ST-80, Space Product Assurance &#x02013; Software Product Assurance</emphasis>. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=ECSS%2E+%282009%29%2E+ECSS-Q-ST-80%2C+Space+Product+Assurance+-+Software+Product+Assurance%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch04bib5"/>Silva, N., Lopes, R. (2012). &#x0201C;Overview of 10 Years of ISVV Findings in Safety-Critical Systems,&#x0201D; in <emphasis>2012 IEEE 23rd International Symposium on Software Reliability Engineering Work-shops (ISSREW)</emphasis> (New York, NY: IEEE), 83. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Silva%2C+N%2E%2C+Lopes%2C+R%2E+%282012%29%2E+%22Overview+of+10+Years+of+ISVV+Findings+in+Safety-Critical+Systems%2C%22+in+2012+IEEE+23rd+International+Symposium+on+Software+Reliability+Engineering+Work-shops+%28ISSREW%29+%28New+York%2C+NY%3A+IEEE%29%2C+83%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch04bib6"/>Silva, N., Lopes, R. (2012). &#x0201C;Independent Assessment of Safety-Critical Systems: We Bring Data!&#x0201D; in <emphasis>IEEE 23rd International Symposium on Software Reliability Engineering Workshops (ISSREW)</emphasis> (New York, NY: IEEE), 84. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Silva%2C+N%2E%2C+Lopes%2C+R%2E+%282012%29%2E+%22Independent+Assessment+of+Safety-Critical+Systems%3A+We+Bring+Data%21%22+in+IEEE+23rd+International+Symposium+on+Software+Reliability+Engineering+Workshops+%28ISSREW%29+%28New+York%2C+NY%3A+IEEE%29%2C+84%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch04bib7"/>Silva, N., Lopes, R. (2012).&#x0201C;10 Years of ISVV: What&#x02019;s Next?&#x0201D; in <emphasis>2012 IEEE 23rd International Symposium on Software Reliability Enginee- ring Workshops (ISSREW)</emphasis>(New York, NY: IEEE), 361&#x02013;366. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Silva%2C+N%2E%2C+Lopes%2C+R%2E+%282012%29%2E%2210+Years+of+ISVV%3A+What%27s+Next%B4%22+in+2012+IEEE+23rd+International+Symposium+on+Software+Reliability+Enginee-+ring+Workshops+%28ISSREW%29%28New+York%2C+NY%3A+IEEE%29%2C+361-366%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch04bib8"/>Silva, N., Lopes, R. (2011). &#x0201C;Independent Test Verification: What Metrics Have a Word to Say&#x0201D;, in <emphasis>1st International Workshop on Software Certification (WoSoCER)</emphasis>, ISSRE, Hiroshima, Japan (New York, NY: IEEE). <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Silva%2C+N%2E%2C+Lopes%2C+R%2E+%282011%29%2E+%22Independent+Test+Verification%3A+What+Metrics+Have+a+Word+to+Say%22%2C+in+1st+International+Workshop+on+Software+Certification+%28WoSoCER%29%2C+ISSRE%2C+Hiroshima%2C+Japan+%28New+York%2C+NY%3A+IEEE%29%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch04bib9"/>Silva, N., Lopes, R., Esper, A., Barbosa, R. (2013). &#x0201C;Results from an independent view on the validation of safety critical space system,&#x0201D; in DASIA 2013, 14&#x02013;16 May, Oporto, Portugal. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Silva%2C+N%2E%2C+Lopes%2C+R%2E%2C+Esper%2C+A%2E%2C+Barbosa%2C+R%2E+%282013%29%2E+%22Results+from+an+independent+view+on+the+validation+of+safety+critical+space+system%2C%22+in+DASIA+2013%2C+14-16+May%2C+Oporto%2C+Portugal%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch04bib10"/>EasterBrook, S. (1996). &#x0201C;The Role of Independent V&#x00026;V in Upstream Software Development Processes&#x0201D;, in <emphasis>Proceedings of 2nd World Conference on Integrated Design and Process Technology (IDPT)</emphasis>, Austin, Texas, December 1&#x02013;4. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=EasterBrook%2C+S%2E+%281996%29%2E+%22The+Role+of+Independent+V%26V+in+Upstream+Software+Development+Processes%22%2C+in+Proceedings+of+2nd+World+Conference+on+Integrated+Design+and+Process+Technology+%28IDPT%29%2C+Austin%2C+Texas%2C+December+1-4%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch04bib11"/>Chillarege et al. (2013). <emphasis>Orthogonal Defect Classification v 5.2 for Software Design and Code</emphasis> IBM.</para></listitem>
<listitem>
<para><anchor id="ch04bib12"/>Silva, N., and Vieira, M. (2014). &#x0201C;Towards Making Safety-Critical Systems Safer: Learning from Mistakes,&#x0201D; in <emphasis>ISSRE2014</emphasis>, Naples, Italy. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Silva%2C+N%2E%2C+and+Vieira%2C+M%2E+%282014%29%2E+%22Towards+Making+Safety-Critical+Systems+Safer%3A+Learning+from+Mistakes%2C%22+in+ISSRE2014%2C+Naples%2C+Italy%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch04bib13"/>Silva, N., and Vieira, M. (2016). &#x0201C;Software for Embedded Systems: A Quality Assessment based on improved ODC taxonomy,&#x0201D; in SAC 2016, Pisa, Italy. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Silva%2C+N%2E%2C+and+Vieira%2C+M%2E+%282016%29%2E+%22Software+for+Embedded+Systems%3A+A+Quality+Assessment+based+on+improved+ODC+taxonomy%2C%22+in+SAC+2016%2C+Pisa%2C+Italy%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch04bib14"/>Copeland, L. &#x0201C;Software Defect Taxonomies&#x0201D;. Available at: <ulink url="http://flylib.com/books/en/2.156.1.108/1/">http://flylib.com/books/en/2.156.1.108/1/</ulink> <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Copeland%2C+L%2E+%22Software+Defect+Taxonomies%22%2E+Available+at%3A+http%3A%2F%2Fflylib%2E+com%2Fbooks%2Fen%2F2%2E156%2E1%2E108%2F1%2F" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch04bib15"/>IEEE. (2010). <emphasis>IEEE 1044-2009 Standard Classification for Software Anomalies</emphasis>. Institute of Electrical and Electronics Engineers, New York, NY.</para></listitem>
<listitem>
<para><anchor id="ch04bib16"/>Leszak, M., Perry, D. E., and Stoll, D. (2002). Classification and evaluation of defects in a project retrospective. <emphasis>J. Syst. Softw</emphasis>. 61, 173&#x02013;187. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Leszak%2C+M%2E%2C+Perry%2C+D%2E+E%2E%2C+and+Stoll%2C+D%2E+%282002%29%2E+Classification+and+evaluation+of+defects+in+a+project+retrospective%2E+J%2E+Syst%2E+Softw%2E+61%2C+173-187%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch04bib17"/>Margarido, I. L., Faria, J. P., Vidal, R. M., Vieira M. (2011). &#x0201C;Classification of Defect Types in Requirements Specifications: Literature Review, Proposal and Assessment.&#x0201D; 2011 6th Iberian Conference on Information Systems and Technologies (CISTI) (New York, NY: IEEE), 1&#x02013;6. Available at: <ulink url="http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=5974237">http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=5974237</ulink> <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Margarido%2C+I%2E+L%2E%2C+Faria%2C+J%2E+P%2E%2C+Vidal%2C+R%2E+M%2E%2C+Vieira+M%2E+%282011%29%2E+%22Classification+of+Defect+Types+in+Requirements+Specifications%3A+Literature+Review%2C+Proposal+and+Assessment%2E%22+2011+6th+Iberian+Conference+on+Information+Systems+and+Technologies+%28CISTI%29+%28New+York%2C+NY%3A+IEEE%29%2C+1-6%2E+Available+at%3A+http%3A%2F%2Fieeexplore%2Eieee%2Eorg%2Fxpls%2Fabs%5Fall%2Ejsp%B4arnumber%3D5974237" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch04bib18"/>ESA ISVV Guide, issue 2.0, 29/12/2008, European Space Agency.</para></listitem>
<listitem>
<para><anchor id="ch04bib19"/>ISO/IEC 12207:2008 <emphasis>Systems and software engineering &#x02013; Software life cycle processes</emphasis>.</para></listitem>
<listitem>
<para><anchor id="ch04bib20"/>IEEE 1012-2004 &#x02013; <emphasis>IEEE Standard for Software Verification and Validation. IEEE Computer Society</emphasis>.</para></listitem>
<listitem>
<para><anchor id="ch04bib21"/>Jones, M. (2005). <emphasis>Software Engineering: Are we getting better at it?</emphasis> ESA Bulletin 121, 52&#x02013;57. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Jones%2C+M%2E+%282005%29%2E+Software+Engineering%3A+Are+we+getting+better+at+it%B4+ESA+Bulletin+121%2C+52-57%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch04bib22"/>Leszak, M., Perry, D. E., Stoll, D. (2002). &#x0201C;A Case Study in Root Cause Defect Analysis,&#x0201D; in <emphasis>Proceedings of 22nd Intl Conf SW Eng (ICSE&#x02019;OO)</emphasis> (New York, NY: IEEE), IEEE CS Press, Los Alamitos, CA, 428&#x02013;437. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Leszak%2C+M%2E%2C+Perry%2C+D%2E+E%2E%2C+Stoll%2C+D%2E+%282002%29%2E+%22A+Case+Study+in+Root+Cause+Defect+Analysis%2C%22+in+Proceedings+of+22nd+Intl+Conf+SW+Eng+%28ICSE%27OO%29+%28New+York%2C+NY%3A+IEEE%29%2C+IEEE+CS+Press%2C+Los+Alamitos%2C+CA%2C+428-437%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch04bib23"/>Lutz, R. (1993). &#x0201C;Analyzing Software Requirements Errors in Safety-Critical,&#x0201D; in <emphasis>Embedded Systems, Proc IEEE Intl Symp Req Eng</emphasis> (New York, NY: IEEE CS Press), 126&#x02013;133. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Lutz%2C+R%2E+%281993%29%2E+%22Analyzing+Software+Requirements+Errors+in+Safety-Critical%2C%22+in+Embedded+Systems%2C+Proc+IEEE+Intl+Symp+Req+Eng+%28New+York%2C+NY%3A+IEEE+CS+Press%29%2C+126-133%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch04bib24"/>Weiss, K. A., Leveson, N., Lundqvist, K., Farid, N., Stringfellow, M. (2001) &#x0201C;An Analysis of Causation in Aerospace Accidents,&#x0201D; in Digital Avionics Systems, 2001. DASC. 20th Conference (New York, NY: IEEE). <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Weiss%2C+K%2E+A%2E%2C+Leveson%2C+N%2E%2C+Lundqvist%2C+K%2E%2C+Farid%2C+N%2E%2C+Stringfellow%2C+M%2E+%282001%29+%22An+Analysis+of+Causation+in+Aerospace+Accidents%2C%22+in+Digital+Avionics+Systems%2C+2001%2E+DASC%2E+20th+Conference+%28New+York%2C+NY%3A+IEEE%29%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch04bib25"/>Seaman, C. B., Shull, F., Regardie, M., Elbert, D., Feldmann, R. L., Guo, Y., and Godfrey, S. (2008). &#x0201C;Defect Categorization: Making Use of a Decade of Widely Varying Historical Data,&#x0201D; in <emphasis>Proceedings of the Second ACM-IEEE International Symposium on Empirical Software Engineering and Measurement</emphasis> (New York, NY: ACM), 149&#x02013;57. Available at: <ulink url="http://dl.acm.org/citation.cfm?id=1414030">http://dl.acm.org/citation.cfm?id=1414030</ulink> <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Seaman%2C+C%2E+B%2E%2C+Shull%2C+F%2E%2C+Regardie%2C+M%2E%2C+Elbert%2C+D%2E%2C+Feldmann%2C+R%2E+L%2E%2C+Guo%2C+Y%2E%2C+and+Godfrey%2C+S%2E+%282008%29%2E+%22Defect+Categorization%3A+Making+Use+of+a+Decade+of+Widely+Varying+Historical+Data%2C%22+in+Proceedings+of+the+Second+ACM-IEEE+International+Symposium+on+Empirical+Software+Engineering+and+Measurement+%28New+York%2C+NY%3A+ACM%29%2C+149-57%2E+Available+at%3A+http%3A%2F%2Fdl%2Eacm%2Eorg%2Fcitation%2Ecfm%B4id%3D1414030" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch04bib26"/>Neufelder, A. M. (2012). <emphasis>The top ten things that have been proven to impact software reliability</emphasis>. Available at: <ulink url="http://www.softrel.com/downloads/TopTen.pdf">http://www.softrel.com/downloads/TopTen.pdf</ulink> <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Neufelder%2C+A%2E+M%2E+%282012%29%2E+The+top+ten+things+that+have+been+proven+to+impact+software+reliability%2E+Available+at%3A+http%3A%2F%2Fwww%2Esoftrel%2Ecom%2Fdownlo+ads%2FTopTen%2Epdf" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch04bib27"/>Rao, R. (2014). <emphasis>Root Cause Defect Classification (RCDC) for Documentation Defects</emphasis>. Available at: <ulink url="http://www.stc-india.org/conferences/2014/presentations/Root%20Cause%20and%20Defect%20Classification%20for%20Documentation%20Bugs%20-%20Ramaa%20Rao.pdf">http://www.stc-india.org/conferences/ 2014/presentations/Root%20Cause%20and%20Defect%20Classification%20for%20Documentation%20Bugs%20-%20Ramaa%20Rao.pdf</ulink> <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Rao%2C+R%2E+%282014%29%2E+Root+Cause+Defect+Classification+%28RCDC%29+for+Documentation+Defects%2E+Available+at%3A+http%3A%2F%2Fwww%2Estc-india%2Eorg%2Fconferences%2F2014%2F+presentations%2FRoot%2520Cause%2520and%2520Defect%2520Classification%2520+for%2520Documentation%2520Bugs%2520-%2520Ramaa%2520Rao%2Epdf" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch04bib28"/>Kumaresh, S. and Baskaran, R. (2010). Defect Analysis and Prevention for Software Process Quality Improvement. <emphasis>Int J. Comput. Appl</emphasis>. (0975&#x02013;8887), 8. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Kumaresh%2C+S%2E+and+Baskaran%2C+R%2E+%282010%29%2E+Defect+Analysis+and+Prevention+for+Software+Process+Quality+Improvement%2E+Int+J%2E+Comput%2E+Appl%2E+%280975-8887%29%2C+8%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch04bib29"/>Silva, N., Vieira, M., Ricci, D., Cotroneo, D. (2015). &#x0201C;Assessment of Defect Type influence in Complex and Integrated Space Systems: Ana- lysis Based on ODC and ISVV Issues,&#x0201D; in <emphasis>2015 IEEE International Conference on Dependable Systems and Networks Workshops (DSN-W)</emphasis> (New York, NY: IEEE), 63&#x02013;68. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Silva%2C+N%2E%2C+Vieira%2C+M%2E%2C+Ricci%2C+D%2E%2C+Cotroneo%2C+D%2E+%282015%29%2E+%22Assessment+of+Defect+Type+influence+in+Complex+and+Integrated+Space+Systems%3A+Ana-+lysis+Based+on+ODC+and+ISVV+Issues%2C%22+in+2015+IEEE+International+Conference+on+Dependable+Systems+and+Networks+Workshops+%28DSN-W%29+%28New+York%2C+NY%3A+IEEE%29%2C+63-68%2E" target="_blank">Google Scholar</ulink></para></listitem></orderedlist>
</section>
</chapter>
<chapter class="chapter" id="ch05" label="5" xreflabel="5">
<title>Framework for Automation of Hazard Log Management on Large Critical Projects</title>
<para role="author"><emphasis role="strong">Lorenzo Vinerbi<superscript>1</superscript> and Arun Babu Puthuparambil<superscript>2</superscript></emphasis></para>
<para><superscript>1</superscript>Resiltech s.r.l., Pontedera (PI), Italy</para>
<para><superscript>2</superscript>Robert Bosch Center for Cyber Physical Systems, Indian Institute of Science, Bangalore, India</para>
<section class="lev1" id="sec5-1" label="5.1" xreflabel="5.1">
<title>Introduction</title>
<para>A hazard (HZ) is any situation that could cause harm to the system or lives. HZ depends on the system and its environment, and the probability of the HZ to cause harm is known as risk. HZs are analyzed by identifying their causes and the possible negative consequences that might ensue. For example, the dangerous failure of a traffic signal could be caused by a logic error in the traffic signaling controller&#x02019;s software program. The consequence could be conflicting traffic flows simultaneously receiving green signals.</para>
<para>A hazard log (HL) is a database of all risk management activities in a project. Maintaining its correctness and consistency on large safety/mission critical projects involving multiple vendors, suppliers, and partners is critical and challenging. IBM DOORS [<link linkend="ch05bib1">1</link>, <link linkend="ch05bib2">2</link>] is one of the popular tool used for HZ management in mission critical applications. However, not all stake-holders are familiar with it. Also, it may not always feasible for all stake-holders to provide correct, well structured, and consistent HZ data. IBM DOORS have been reported to be useful in managing DO-178 compliance for avionics [<link linkend="ch05bib3">3</link>]. Also, HL in DOORS allows capabilities for tracing requirements and test results. However, DOORS has steeper learning curve and is difficult to use by common people and beginners [<link linkend="ch05bib4">4</link>]. Also, they lack validation capabilities [<link linkend="ch05bib5">5</link>]. Custom checks may require difficult to use plug-ins which are not generic. This complexity makes it difficult to maintain the rules; preventing reuse in other projects.</para>
<para>This chapter demonstrates a modular and extensible way to specify rules for checks locally at the stake-holder side, as well as while combining data from various parties to form the HL. The HZ-LOG automatization tool simplifies the process of HZ data collection on large projects to form the HL, while ensuring data consistency and correctness. The data provided by all parties are collected using a template containing scripts. The scripts check for mistakes/errors based on internal standards of company in charge of the HZ management. The collected data is then subjected to merging in DOORS, which also contain scripts to check and import data to form the HL.</para>
<para>The requirements of HL tool are:</para>
<orderedlist numeration="lowerroman" continuation="restarts" spacing="normal">
<listitem>
<para>Perform checks of incoming data from vendors and partners;</para></listitem>
<listitem>
<para>It shall allow to collect and keep log for all information related to identified HZs (and related identified mitigations), structuring information accordingly;</para></listitem>
<listitem>
<para>It shall be possible to manage the status of the HZs and related mitigations, allowing for the control of risk. Only allowed HZ status transitions shall be possible and logging of the related status transition activity shall be kept in the tool for traceability purposes;</para></listitem>
<listitem>
<para>Only RAMS specialist are allowed to manage HZs being necessary no different user profiles for the management of HZs in the tool;</para></listitem>
<listitem>
<para>A function of the tool shall allow to extract the &#x0201C;current&#x0201D; status of the project system HL by allowing the creation of documentary reports containing the set of necessary information about the predicted HZs, mitigations identified, and the status of all related risk control activities.</para></listitem></orderedlist>
<section class="lev2" id="sec5-1-1" label="5.1.1" xreflabel="5.1.1">
<title>Brief Introduction on DOORS</title>
<para>IBM Rational DOORS is an enterprise-wide requirements management tool, designed to link and manage diverse textual and graphical information to ensure a project&#x02019;s compliance to specified requirements and standards. It represents a layer to perform:</para>
<orderedlist numeration="lowerroman" continuation="restarts" spacing="normal">
<listitem>
<para>Import documentation into a DB in order to convert free text into requirements;</para></listitem>
<listitem>
<para>Maintain such requirements during the time;</para></listitem>
<listitem>
<para>Relate requirements belonging to different documents (or level of detail);</para></listitem>
<listitem>
<para>Relate requirements to other artefact (e.g., test specification or report).</para></listitem></orderedlist>
<para>Due to its features, it is widely adopted in different domain as reference tool to manage requirements and HL.</para>
</section>
</section>
<section class="lev1" id="sec5-2" label="5.2" xreflabel="5.2">
<title>Approach</title>
<para>All the activities described in the previous sections lead to a set of HZs and mitigations; which in the end allow to guarantee the safety all along the lifecycle (see <link linkend="F5-1">Figure <xref linkend="F5-1" remap="5.1"/></link>).</para>
<para>The mitigations identified in PHA [<link linkend="ch05bib6">6</link>] and SHA [<link linkend="ch05bib7">7</link>] shall be evaluated, along with design changes, on a continuing basis, to ensure that risk associated to HZs has been eliminated or lowered to an acceptable or practicable level. The result of this activity shall be stored in the Hazard Log Tool. Some other activities may provide results to be logged, e.g. design implementation schemes, design analyses, test specifications and test reports etc. Whilst main HZ analyses are planned by the project&#x02019;s safety plan, [<link linkend="ch05bib7">7</link>] other safety analyses and project activities providing results to be logged in the HL have no plan. It is the Safety Organization&#x02019;s responsibility to log the outcome of safety activities when resulting new HZs as well as to record all the information necessary to provide final evidence of safety.</para>
<fig id="F5-1" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F5-1">Figure <xref linkend="F5-1" remap="5.1"/></link></label>
<caption><para>Populating the hazard log (HL).</para></caption>
<graphic xlink:href="graphics/ch05_fig001.jpg"/>
</fig>
<para>A template with configuration and script is created and sent to all participants in the project. Template fields are listed and explained in <link linkend="T5-1">Table <xref linkend="T5-1" remap="5.1"/></link>. <link linkend="T5-2">Table <xref linkend="T5-2" remap="5.2"/></link> reports possible configurations for mapping DOORS fields into excel ones, while <link linkend="T5-3">Table <xref linkend="T5-3" remap="5.3"/></link> is an example of configuration for excel template that specifies allowed combination of hazard frequency, severity, and risk evaluation tool. This template is designed in MS-Excel, which allows running of scripts/macros. These macros are written considering requirements of the project.</para>
<table-wrap position="float" id="T5-1">
<label><link linkend="T5-1">Table <xref linkend="T5-1" remap="5.1"/></link></label>
<caption><para>Hazard analysis template</para></caption>
<table cellspacing="5" cellpadding="5" frame="hsides" rules="groups">
<thead>
<tr>
<td valign="bottom" align="left">HLS ID</td>
<td valign="bottom" align="left">Field Name</td>
<td valign="bottom" align="left">Format</td>
<td valign="bottom" align="left">Description</td>
</tr>
</thead>
<tbody>
<tr>
<td valign="top" align="left">1</td>
<td valign="top" align="left">Hazard ID</td>
<td valign="top" align="left">A specific format has to be defined</td>
<td valign="top" align="left">It is the unique identifier for a hazard.</td>
</tr>
<tr>
<td valign="top" align="left">2</td>
<td valign="top" align="left">Hazard Opening Date</td>
<td valign="top" align="left">A specific format has to be defined</td>
<td valign="top" align="left">This field contains the date in which the hazard has been opened.</td>
</tr>
<tr>
<td valign="top" align="left">3</td>
<td valign="top" align="left">Hazard Closure Date</td>
<td valign="top" align="left">A specific format has to be defined</td>
<td valign="top" align="left">This field will contain the date in which the hazard closes.</td>
</tr>
<tr>
<td valign="top" align="left">4</td>
<td valign="top" align="left">Hazard Source</td>
<td valign="top" align="left">Text</td>
<td valign="top" align="left">Initial generic source from which the hazard was identified.</td>
</tr>
<tr>
<td valign="top" align="left">5</td>
<td valign="top" align="left">Hazard Description</td>
<td valign="top" align="left">Text</td>
<td valign="top" align="left">A complete exhaustive description of the hazard.</td>
</tr>
<tr>
<td valign="top" align="left">6</td>
<td valign="top" align="left">Hazard Cause</td>
<td valign="top" align="left">Text</td>
<td valign="top" align="left">All possible failure modes of functions/subsystems/ equipment/components which could lead to the hazard.</td>
</tr>
<tr>
<td valign="top" align="left">7</td>
<td valign="top" align="left">Hazard Consequence</td>
<td valign="top" align="left">Text</td>
<td valign="top" align="left">It is the possible accidents to which the hazard could lead.</td>
</tr>
<tr>
<td valign="top" align="left">8</td>
<td valign="top" align="left">Hazard Event</td>
<td valign="top" align="left">Usually each hazard is categorized following a limited list of possible hazard event, in order to ease maintenance and analysis of the results</td>
<td valign="top" align="left">This field reports the top level event (or a combination of events) resulting from the hazard.</td>
</tr>
<tr>
<td valign="top" align="left">9</td>
<td valign="top" align="left">Hazard Initial Frequency</td>
<td valign="top" align="left">One out of # possible values (they depends on the project, e.g., &#x0201C;Incredible&#x0201D;, &#x0201C;Improbable&#x0201D;, &#x0201C;Remote&#x0201D;, &#x0201C;Occasional&#x0201D;, &#x0201C;Probable,&#x0201D; or &#x0201C;Frequent&#x0201D;)</td>
<td valign="top" align="left">This field evaluates the initial frequency of the hazard, based on previous experiences, previous evaluations, expert judgment, statistical analysis and by considering the existing mitigations of legacy system and so it will be based on the data/information already available.</td>
</tr>
<tr>
<td valign="top" align="left">10</td>
<td valign="top" align="left">Hazard Initial Severity Level</td>
<td valign="top" align="left">One out of # possible values (they depends on the project, e.g., &#x0201C;Catastrophic&#x0201D;, &#x0201C;Critical&#x0201D;, &#x0201C;Marginal&#x0201D; or &#x0201C;Insignificant&#x0201D;)</td>
<td valign="top" align="left">This field evaluates the severity of the consequences related to the hazard, based on previous experiences, previous evaluations, expert judgment, statistical analysis and by considering the existing mitigations of legacy system and so it will be based on the data/information already available.</td>
</tr>
<tr>
<td valign="top" align="left">11</td>
<td valign="top" align="left">Hazard Initial Risk Valuation</td>
<td valign="top" align="left">One out of # possible values (they depends on the project, e.g., &#x0201C;Undesirable&#x0201D;, &#x0201C;Intolerable&#x0201D;, &#x0201C;Tolerable&#x0201D; or &#x0201C;Negligible&#x0201D;)</td>
<td valign="top" align="left">It is the combination of initial consequence and initial frequency. It establishes the level of risk generated by the hazardous event.</td>
</tr>
<tr>
<td valign="top" align="left">12</td>
<td valign="top" align="left">Hazard Final Frequency</td>
<td valign="top" align="left">One out of # possible values (they depends on the project. e.g., &#x0201C;Incredible&#x0201D;, &#x0201C;Improbable&#x0201D;, &#x0201C;Remote&#x0201D;, &#x0201C;Occasional&#x0201D;, &#x0201C;Probable&#x0201D; or &#x0201C;Frequent&#x0201D;)</td>
<td valign="top" align="left">In this field we report the final residual frequency of the hazard.</td>
</tr>
<tr>
<td valign="top" align="left">13</td>
<td valign="top" align="left">Hazard Final Severity Level</td>
<td valign="top" align="left">One out of # possible values (they depends on the project. e.g., &#x0201C;Catastrophic&#x0201D;, &#x0201C;Critical&#x0201D;, &#x0201C;Marginal&#x0201D; or &#x0201C;Insignificant&#x0201D;.)</td>
<td valign="top" align="left">This field evaluates the final residual severity of the consequences related to the hazard.</td>
</tr>
<tr>
<td valign="top" align="left">14</td>
<td valign="top" align="left">Hazard Final Risk Evaluation</td>
<td valign="top" align="left">One out of # possible values (they depends on the project. e.g., &#x0201C;Undesirable&#x0201D;, &#x0201C;Intolerable&#x0201D;, &#x0201C;Tolerable&#x0201D; or &#x0201C;Negligible&#x0201D;)</td>
<td valign="top" align="left">It is the final combination of residual consequence and frequency.</td>
</tr>
<tr>
<td valign="top" align="left">15</td>
<td valign="top" align="left">Hazard Status</td>
<td valign="top" align="left">One out of four possible values: &#x0201C;Open&#x0201D;, &#x0201C;Solved&#x0201D;, &#x0201C;Deleted&#x0201D; or &#x0201C;Closed&#x0201D;.</td>
<td valign="top" align="left">It is the status of hazard.</td>
</tr>
</tbody>
</table>
</table-wrap>
<table-wrap position="float" id="T5-2">
<label><link linkend="T5-2">Table <xref linkend="T5-2" remap="5.2"/></link></label>
<caption><para>An example configuration of hazard log tool (&#x0201C;Hazard Log Field&#x0201D; are the fields in DOORS, &#x0201C;HA&#x0201D; is the fields in Excel, and &#x0201C;Type&#x0201D; indicates where the field can be found (HZ, &#x02018;hazard&#x02019;; MT, &#x02018;mitigation&#x02019;; BH, &#x02018;can be found in both&#x02019;)</para></caption>
<table cellspacing="5" cellpadding="5" frame="hsides" rules="groups">
<thead>
<tr>
<td valign="bottom" align="left">Hazard Log (HL) Field</td>
<td valign="bottom" align="center">Type</td>
<td valign="bottom" align="left">HA</td>
<td valign="bottom" align="center">Id</td>
</tr>
</thead>
<tbody>
<tr>
<td valign="top" align="left">Hazard Log Id</td>
<td valign="top" align="center">BH</td>
<td valign="top" align="left">Hazard Log Id</td>
<td valign="top" align="center">1</td>
</tr>
<tr>
<td valign="top" align="left">Hazard Opening Date</td>
<td valign="top" align="center">HZ</td>
<td valign="top" align="left">Hazard Opening Date</td>
<td valign="top" align="center">2</td>
</tr>
<tr>
<td valign="top" align="left">Hazard Revision Id</td>
<td valign="top" align="center">HZ</td>
<td valign="top" align="left">Hazard Revision Id</td>
<td valign="top" align="center">3</td></tr>
<tr>
<td valign="top" align="left">Hazard Closure date</td>
<td valign="top" align="center">HZ</td>
<td valign="top" align="left">Hazard Closure date</td>
<td valign="top" align="center">4</td>
</tr>
<tr>
<td valign="top" align="left">Hazard Consequence</td>
<td valign="top" align="center">HZ</td>
<td valign="top" align="left">Hazard Consequence</td>
<td valign="top" align="center">5</td>
</tr>
<tr>
<td valign="top" align="left">Hazard Frequency Pre Mitigation</td>
<td valign="top" align="center">HZ</td>
<td valign="top" align="left">Hazard Frequency Pre Mitigation</td>
<td valign="top" align="center">6</td>
</tr>
<tr>
<td valign="top" align="left">Hazard Status</td>
<td valign="top" align="center">HZ</td>
<td valign="top" align="left">Hazard Status</td>
<td valign="top" align="center">7</td>
</tr>
<tr>
<td valign="top" align="left">Mitigation Id</td>
<td valign="top" align="center">BH</td>
<td valign="top" align="left">Mitigation Id</td>
<td valign="top" align="center">8</td>
</tr>
<tr>
<td valign="top" align="left">Mitigation status</td>
<td valign="top" align="center">MT</td>
<td valign="top" align="left">Mitigation status</td>
<td valign="top" align="center">9</td></tr>
</tbody>
</table>
</table-wrap>
<table-wrap position="float" id="T5-3">
<label><link linkend="T5-3">Table <xref linkend="T5-3" remap="5.3"/></link></label>
<caption><para>Example configuration for Excel scripts</para></caption>
<table cellspacing="5" cellpadding="5" frame="hsides" rules="groups">
<thead>
<tr>
<td valign="bottom" align="left">Hazard Frequency<?lb?>Pre Mitigation</td>
<td valign="bottom" align="left">Hazard Severity Level<?lb?>Pre Mitigation</td>
<td valign="bottom" align="left">Hazard Risk Evaluation<?lb?>Pre Mitigation</td>
</tr>
<tr>
<td colspan="3"><emphasis role="cline"/></td>
</tr>
<tr>
<td valign="bottom" align="center" colspan="3">Allowed Words</td></tr>
</thead>
<tbody>
<tr>
<td valign="top" align="left">F0-Frequent</td>
<td valign="top" align="left">S4-Disastrous</td>
<td valign="top" align="left">Intolerable</td>
</tr>
<tr>
<td valign="top" align="left">F1-Probable</td>
<td valign="top" align="left">S3-Catastrophic</td>
<td valign="top" align="left">Undesirable</td>
</tr>
<tr>
<td valign="top" align="left">F2-Occational</td>
<td valign="top" align="left">S2-Critical</td>
<td valign="top" align="left">Tolerable</td>
</tr>
<tr>
<td valign="top" align="left">F3-Remote</td>
<td valign="top" align="left">S1-Marginal</td>
<td valign="top" align="left">Negligible</td></tr>
</tbody>
</table>
</table-wrap>
<para>The database consists of a collection of HZ records (one record for each identified HZ) and a collection of the mitigation action records related to the identified HZs. Each HZ record contains the information regarding the HZ such as: Hazard identification, Hazard Revision Number, Identified in phase, Hazard originator&#x02019;s code, Operating mode, Hazard description, etc., as per the company and project specific standard. Also, the systems and subsystems have to identify all necessary mitigations to the identified HZs so the associated risk is eliminated or ALARP (as low as reasonably practicable) according to the risk categories definitions and as explained in the safety cases. For each HZ, mitigation actions are specified to control the risk to ALARP. Each mitigation record contains information such as: Mitigation ID, Mitigation Revision, Mitigation Revision date, Mitigation Description, Applied to phase, Mitigation Status, etc. Since, each project has different needs, check of data consistency and correctness rules are needed to generate correct HL. Hence, a template and set of rules are created in MS-Excel. The rules are based on high-level requirements of standards of company in charge of HZ management, written in the form of scripts [<link linkend="ch05bib8">8</link>]. Each participant receives the template, and it is filled out with HZ data and it is thoroughly checked with Excel scripts (<link linkend="F5-2">Figure <xref linkend="F5-2" remap="5.2"/></link>, <link linkend="F5-3">Figure <xref linkend="F5-3" remap="5.3"/></link>, <link linkend="F5-4">Figure <xref linkend="F5-4" remap="5.4"/></link>, <link linkend="F5-5">Figure <xref linkend="F5-5" remap="5.5"/></link>). Once all checks are passed, it is compliant with the company and project standards. It is then sent to a central place to merge and form the <emphasis>HL</emphasis>. The merging of data from Excel format to DOORS is done through custom scripts which validates the data columns for correctness and consistency (<link linkend="F5-6">Figure <xref linkend="F5-6" remap="5.6"/></link>). Each HZ data from a participant is checked for consistency using scripts in DOORS and are integrated to form HL if no errors are found. Often Excel file consist of more fields than that of DOORS, they are either discarded or used for computation. A second script checks if a previous version of the file was uploaded yet, in such case HL is updated. Finally, the HZ log sheet is produced containing: Hazard identification, Hazard revision number, Hazard originator&#x02019;s Code, Hazard description, Hazard Owner, Party to act, Hazard Comments, Mitigation Comments, etc. Several fields are marked as NULL; as they will be entered during the lifetime of the system.</para>
<para>The cost-effectiveness of the HL management process has been achieved by the following scripts:</para>
<orderedlist numeration="lowerroman" continuation="restarts" spacing="normal">
<listitem>
<para>Scripts to be used jointly with MS Office tool suite in order to make simple checks, and to reduce the number of errors introduced into the DOORS DB;</para></listitem>
<listitem>
<para>Scripts to be used in DOORS in order to ease import from excel file, update and export. Concerning the support for MS Office, the scripts were created implementing the following checks of interest for an HL:</para></listitem></orderedlist>
<itemizedlist mark="bullet" spacing="normal">
<listitem>
<para>Concerning the hazards:</para>
<itemizedlist mark="bullet" spacing="normal">
<listitem>
<para>each hazard shall have a unique identifier;</para></listitem>
<listitem>
<para>each hazard shall have a non-empty &#x0201C;consequences&#x0201D;, &#x0201C;causes&#x0201D;, and &#x0201C;status&#x0201D;;</para></listitem>
<listitem>
<para>each not cancelled hazard shall have a risk evaluation pre-mitigation;</para></listitem>
<listitem>
<para>each not cancelled hazard having a risk level pre-mitigation higher than tolerable shall have a risk evaluation post-mitigation;</para></listitem>
<listitem>
<para>when risk evaluation is applied the risk matrix shall be respected;</para></listitem>
<listitem>
<para>each hazard having status different from &#x0201C;cancelled&#x0201D; or &#x0201C;open&#x0201D; shall have a mitigation.</para>
</listitem>
</itemizedlist></listitem>
<listitem>
<para>Concerning the mitigations:</para>
<itemizedlist mark="bullet" spacing="normal">
<listitem>
<para>each mitigation shall have a unique identifier;</para></listitem>
<listitem>
<para>each mitigation shall have a non-empty &#x0201C;description&#x0201D;, &#x0201C;assigned to&#x0201D;, &#x0201C;status&#x0201D;.</para></listitem></itemizedlist>
</listitem>
<listitem>
<para>Concerning the traceability:</para>
<itemizedlist mark="bullet" spacing="normal">
<listitem>
<para>if &#x0201C;Mitigation Implementation (reference)&#x0201D; field is not empty, check trace on document list;</para></listitem>
<listitem>
<para>if &#x0201C;SRAC&#x0201D; field is not empty, check trace on SRAC list;</para></listitem>
<listitem>
<para>if &#x0201C;RTM&#x0201D; field is not empty, check trace on RTM list;</para></listitem>
<listitem>
<para>in case of structured HL (i.e. HZ and mitigation separated tables) &#x02013; coherence checks like:</para>
<itemizedlist mark="bullet" spacing="normal">
<listitem>
<para>Does the mitigation referred in HZ table have at least an existing HZ?</para></listitem>
<listitem>
<para>Does all the mitigations referred in HZ table exists in the mitigation table?</para></listitem></itemizedlist>
</listitem></itemizedlist>
</listitem></itemizedlist>
</section>
<section class="lev1" id="sec5-3" label="5.3" xreflabel="5.3">
<title>Case Study</title>
<para>The proposed approach has been applied to four different critical projects where each project has 6&#x02013;10 suppliers, and each supplier produced HZ analysis with 200&#x02013;400 rows and the merged HL of &#x0223C;2000 rows for each project.</para>
<para>In order to evaluate the correctness and the improvement given by the scripts, we used them in different real project in order to appreciate how it is used by different teams working on different contexts. In particular we used four projects related to the Railway domain, concerning metro lines to be installed in different cities.</para>
<para>The main characteristic of the different project are shown in the below table.</para>
<table-wrap position="float">
<table cellspacing="5" cellpadding="5" frame="hsides" rules="groups">
<thead>
<tr>
<td valign="bottom" align="left">Metro Line</td>
<td valign="bottom" align="left">Team Size</td>
<td valign="bottom" align="left">No. of Involved<?lb?>Subsystems</td>
<td valign="bottom" align="left">Project Duration</td>
<td valign="bottom" align="left">No. of Hazards<?lb?>Composing the HL</td>
</tr>
</thead>
<tbody>
<tr>
<td valign="top" align="left">Metro X01</td>
<td valign="top" align="left">3</td>
<td valign="top" align="left">9</td>
<td valign="top" align="left">2015&#x02013;2016</td>
<td valign="top" align="left">&#x0223C;1600</td>
</tr>
<tr>
<td valign="top" align="left">Metro X02</td>
<td valign="top" align="left">4</td>
<td valign="top" align="left">10</td>
<td valign="top" align="left">2015&#x02013;on going</td>
<td valign="top" align="left">&#x0223C;2000</td>
</tr>
<tr>
<td valign="top" align="left">Metro X03</td>
<td valign="top" align="left">3</td>
<td valign="top" align="left">8</td>
<td valign="top" align="left">2015&#x02013;on going</td>
<td valign="top" align="left">&#x0223C;1400</td>
</tr>
<tr>
<td valign="top" align="left">Metro X04</td>
<td valign="top" align="left">5</td>
<td valign="top" align="left">10</td>
<td valign="top" align="left">2014&#x02013;on going</td>
<td valign="top" align="left">&#x0223C;2500</td>
</tr>
</tbody>
</table>
</table-wrap>
<para>Scripts have been used during the different phases of the safety lifecycle. The scripts related to MS Office have used in the early stages to evaluate first drafts (/releases) of the files coming from suppliers. The feedbacks from the different teams are quite similar:</para>
<orderedlist numeration="lowerroman" continuation="restarts" spacing="normal">
<listitem>
<para>No. of syntactic errors contained in the files given by the suppliers are drastically reduced (90%);</para></listitem>
<listitem>
<para>Time spent in reviewing (just from syntactic point of view) is drastically reduced (70%);</para></listitem>
<listitem>
<para>This goal has not been reached in a single step, indeed most of the suppliers complained on the low usability of the scripts. This is something we expected indeed they are just first releases to have feedback &#x0201C;from the field&#x0201D;, so the user interface was not good enough to be reasonably used without some initial difficulties.</para></listitem></orderedlist>
<para>Scripts related to MS Office have been then used to verify correctness of the integrated HL (the one composed joining the different HAs from suppliers). Scripts related to DOORS have been used to import system HL in DOORS. In this case, feedbacks from the different teams differs. Most of the teams noticed a real improvement in using such scripts, since they:</para>
<orderedlist numeration="lowerroman" continuation="restarts" spacing="normal">
<listitem>
<para>reduce time related to import activities;</para></listitem>
<listitem>
<para>make people, who are not familiar with DOORS, capable to easily use it; and</para></listitem>
<listitem>
<para>reported a real decrease in time connected with import activities (up to 80%).</para></listitem>
<listitem>
<para>One team reported no real improvement in using such scripts. This is because:</para>
<orderedlist numeration="loweralpha" continuation="restarts" spacing="normal">
<listitem>
<para>people present in the team are very skilled on DOORS (they already have their own processes to easily import HAs on it);</para></listitem>
<listitem>
<para>the presence of template for HA are really hard to be managed. This led a lot of error related to configuration of the script, which took more time to be solved.</para></listitem></orderedlist>
</listitem></orderedlist>
<para>Scripts related to DOORS have also been used to update HL. In this case, feedbacks from the teams were not so good. Indeed, most of them reported difficulties in applying the process to be used in order to correctly keep track of the different change in HL. This has led us to re-consider this phase from the scratch and changing such approach in the future projects.</para>
</section>
<section class="lev1" id="sec5-4" label="5.4" xreflabel="5.4">
<title>Conclusion</title>
<para>As HL is the database for all HZ/risk information and is updated throughout the project life-cycle, it is critical that the HZ analysis data is correctly and consistently merged. Especially, in large projects having multiple partners/ vendors. In the current study, the proposed approach has been found to be useful in reducing mistakes in HZ analysis. Also, it has been found to reduce the amount taken to create the HL. The use of automatic checks paves the way for correct tracking of risk and HZ analysis activities for large critical projects. More specifically:</para>
<orderedlist numeration="lowerroman" continuation="restarts" spacing="normal">
<listitem>
<para>All the excel sheets from all participants have been automatically imported into the DOORS tool;</para></listitem>
<listitem>
<para>It has been observed that a significant reduction in the number of non-conformities presents in the document provided by the different suppliers.</para></listitem>
<listitem>
<para>The time required to merge data to form HL is reduced by &#x0223C;30%.</para></listitem>
<listitem>
<para>Engineers in the main company are now more likely to use DOORS, since the offered framework, allowing them to easily interact with it. This also resulted in increase in quality of the project. The proposed approach has been found to be generic and suitable to all critical systems.</para></listitem></orderedlist>
</section>
<section class="lev1" id="sec5-5" label="5.5" xreflabel="5.5">
<title>Tool Screenshots</title>
<fig id="F5-2" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F5-2">Figure <xref linkend="F5-2" remap="5.2"/></link></label>
<caption><para>Excel sheet of one of the participants.</para></caption>
<graphic xlink:href="graphics/ch05_fig002.jpg"/>
</fig>
<fig id="F5-3" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F5-3">Figure <xref linkend="F5-3" remap="5.3"/></link></label>
<caption><para>Checking of HA data through MS Excel scripts.</para></caption>
<graphic xlink:href="graphics/ch05_fig003.jpg"/>
</fig>
<fig id="F5-4" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F5-4">Figure <xref linkend="F5-4" remap="5.4"/></link></label>
<caption><para>Dialogue boxes of MS Excel scripts.</para></caption>
<graphic xlink:href="graphics/ch05_fig004.jpg"/>
</fig>
<fig id="F5-5" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F5-5">Figure <xref linkend="F5-5" remap="5.5"/></link></label>
<caption><para>Errors caught in HZ analysis by scripts.</para></caption>
<graphic xlink:href="graphics/ch05_fig005.jpg"/>
</fig>
<fig id="F5-6" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F5-6">Figure <xref linkend="F5-6" remap="5.6"/></link></label>
<caption><para>Excel sheet imported and merged in DOORS to form HL.</para></caption>
<graphic xlink:href="graphics/ch05_fig006.jpg"/>
</fig>
</section>
<section class="lev1" id="sec5-6">
<title>References</title>
<orderedlist numeration="arabic" continuation="restarts" spacing="normal">
<listitem>
<para><anchor id="ch05bib1"/>IBM. (s.d.). (<emphasis>Rational DOORS Family</emphasis>). Available at: <ulink url="http://www-03.ibm.com/software/products/en/ratidoorfami">http://www-03.ibm.com/software/products/en/ratidoorfami</ulink> (accessed on 15 February 2016).</para></listitem>
<listitem>
<para><anchor id="ch05bib2"/>Dave, H., and Saeed, B. (2009). &#x0201C;Hazard Management with DOORS: Rail Infrastructure Projects,&#x0201D; in <emphasis>Safety-Critical Systems: Problems, Process and Practice</emphasis> (London: Springer), 71&#x02013;93. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Dave%2C+H%2E%2C+and+Saeed%2C+B%2E+%282009%29%2E+%22Hazard+Management+with+DOORS%3A+Rail+Infrastructure+Projects%2C%22+in+Safety-Critical+Systems%3A+Problems%2C+Process+and+Practice+%28London%3A+Springer%29%2C+71-93%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch05bib3"/>&#x000C7;akmak, K. M. (2013). Managing DO-178 Compliance with IBM Rational Platform. <emphasis>J. KONBiN</emphasis>, 25, 59&#x02013;74. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=%C7akmak%2C+K%2E+M%2E+%282013%29%2E+Managing+DO-178+Compliance+with+IBM+Rational+Platform%2E+J%2E+KONBiN%2C+25%2C+59-74%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch05bib4"/>L&#x000F6;&#x000F6;f, R., and Pussinen, K. (2014). <emphasis>Visualisation of requirements and their relations in embedded systems</emphasis>. Uppsala University. Sweden. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=L%F6%F6f%2C+R%2E%2C+and+Pussinen%2C+K%2E+%282014%29%2E+Visualisation+of+requirements+and+their+relations+in+embedded+systems%2E+Uppsala+University%2E+Sweden%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch05bib5"/>Dibbern, J., Geisser, M., Hildenbrand, T., and Heinzl, T. (2009). Design, implementation, and evaluation of an ICT-supported collaboration methodology for distributed requirements determination. Working paper. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Dibbern%2C+J%2E%2C+Geisser%2C+M%2E%2C+Hildenbrand%2C+T%2E%2C+and+Heinzl%2C+T%2E+%282009%29%2E+Design%2C+implementation%2C+and+evaluation+of+an+ICT-supported+collaboration+methodology+for+distributed+requirements+determination%2E+Working+paper%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch05bib6"/>Pasquale, T., Rosaria, E., Pietro, M., Antonio, O., and Segnalamento Ferroviario, A. (2003). &#x0201C;Hazard analysis of complex distributed railway systems,&#x0201D; in <emphasis>Proceedings of</emphasis> <emphasis>22nd International Symposium on Reliable Distributed Systems, 2003</emphasis>, 283&#x02013;292. doi: 10.1109/RELDIS.2003. 1238078 <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Pasquale%2C+T%2E%2C+Rosaria%2C+E%2E%2C+Pietro%2C+M%2E%2C+Antonio%2C+O%2E%2C+and+Segnalamento+Ferroviario%2C+A%2E+%282003%29%2E+%22Hazard+analysis+of+complex+distributed+railway+systems%2C%22+in++Proceedings+of+22nd+International+Symposium+on+Reliable+Distributed+Systems%2C+2003%2C+283-292%2E+doi%3A+10%2E1109%2FRELDIS%2E2003%2E+1238078" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch05bib7"/>Chapra, S. (2003). <emphasis>Power Programming with VBA/Excel</emphasis>. Upper Saddle River, NJ: Prentice Hall. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Chapra%2C+S%2E+%282003%29%2E+Power+Programming+with+VBA%2FExcel%2E+Upper+Saddle+River%2C+NJ%3A+Prentice+Hall%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch05bib8"/>Gowen, L. D., Collofello, J. S., and Calliss, F. W. (1992). &#x0201C;Preliminary hazard analysis for safety-critical software systems,&#x0201D; in <emphasis>Eleventh Annual International Phoenix Conference on Computers and Communication [1992 Conference Proceedings]</emphasis>, Scottsdale, AZ, USA, 1992, 501&#x02013;508. doi: 10.1109/PCCC.1992.200597 <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Gowen%2C+L%2E+D%2E%2C+Collofello%2C+J%2E+S%2E%2C+and+Calliss%2C+F%2E+W%2E+%281992%29%2E+%22Preliminary+hazard+analysis+for+safety-critical+software+systems%2C%22+in+Eleventh+Annual+International+Phoenix+Conference+on+Computers+and+Communication+%5B1992+Conference+Proceedings%5D%2C+Scottsdale%2C+AZ%2C+USA%2C+1992%2C+501-508%2E+doi%3A+10%2E1109%2FPCCC%2E1992%2E200597" target="_blank">Google Scholar</ulink></para></listitem></orderedlist>
</section>
</chapter>
<chapter class="chapter" id="ch06" label="6" xreflabel="6">
<title>Cost Estimation for Independent Systems Verification and Validation</title>
<para role="author"><emphasis role="strong">Andr&#x000E1;s Pataricza<superscript>1</superscript>, L&#x000E1;szl&#x000F3; G&#x000F6;nczy<superscript>1</superscript>, FrancescoBrancati<superscript>2</superscript> , Francisco Moreira<superscript>3</superscript> , Nuno Silva<superscript>3</superscript> , Rosaria Esposito<superscript>2</superscript>, Andrea Bondavalli<superscript>4,5</superscript> and Alexandre Esper<superscript>3</superscript></emphasis></para>
<para><superscript>1</superscript>Dept. of Measurement and Information Systems, Budapest University of Technology and Economics, Budapest, Hungary</para>
<para><superscript>2</superscript>Resiltech s.r.l., Pontedera (PI), Italy</para>
<para><superscript>3</superscript>CRITICAL Software S.A., Coimbra, Portugal</para>
<para><superscript>4</superscript>Department of Mathematics and Informatics, University of Florence, Florence, Italy</para>
<para><superscript>5</superscript>CINI-Consorzio Interuniversitario Nazionale per l&#x02019;Informatica-University of Florence, Florence, Italy</para>
<para>Validation, verification, and especially certification are skill and effort demanding activities. Typically, specialized small and medium enterprises perform the independent assessment of safety critical applications. Prediction of the work needed to accomplish them is crucial for the management of such projects, which is by nature heavily dependent on the implementation of the V&#x00026;V process and its support. Process management widely uses cost estimators in planning of software development projects for resource allocation. Cost estimators use the scoring of a set of cost influencing factors, as input. They use extrapolation functions calibrated previously on measures extracted from a set of representative historical project records. These predictors do not provide reliable measures for the separate phases of verification, validation and certification in safety critical projects. The current chapter summarizes the main use cases and results of a project focusing on these particular phases.</para>
<section class="lev1" id="sec6-1" label="6.1" xreflabel="6.1">
<title>Introduction</title>
<para>Verification and validation (V&#x00026;V), and Independent Software and System Verification and Validation (ISVV) are crucial in critical system development. However, the execution of such activities underlies strict time and budget limits and depends on input elements delivered by the entity performing the design and implementation of surprisingly changing quality.</para>
<para>Our research (described in details in CECRIS [<link linkend="ch06bib1">1</link>, <link linkend="ch06bib2">2</link>]) focused on synthetizing a method for estimating the cost and focusing the effort of V&#x00026;V activities in order to make these critical steps more managed and foreseeable in terms of time and cost aspects.</para>
<para>This necessitated an appropriate, organized, and scientifically well-founded working methodology.</para>
<para>The traditional software and system design industry has well-elaborated methods for the assessment of the aspects of efficiency and quality w.r.t. the human actors, technology used and project management background of the companies. Cost estimators (CEs) use the scoring of a set of cost influencing factors, as input. Their respective predictor uses extrapolation functions calibrated previously on measures extracted from a set of representative historical project records.</para>
<section class="lev2" id="sec6-1-1" label="6.1.1" xreflabel="6.1.1">
<title>ISVV Workflow</title>
<para>The domain standards [<link linkend="ch06bib3">3</link>&#x02013;<link linkend="ch06bib8">8</link>] define the project lifecycle and forms part of the design workflow and its phases. They envisage a purely top-down process starting with the requirements for implementation and checks. The individual phases are self-contained in the terms of design and V&#x00026;V. <link linkend="F6-1">Figure <xref linkend="F6-1" remap="6.1"/></link> presents a schematic view on the interoperation of the development and V&#x00026;V phases.</para>
<fig id="F6-1" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F6-1">Figure <xref linkend="F6-1" remap="6.1"/></link></label>
<caption><para>Schematic view on V&#x00026;V activities.</para></caption>
<graphic xlink:href="graphics/ch06_fig0001.jpg"/>
</fig>
<para>However, the practice indicates, that in many cases there are deviances of this idealistic model. For instance, changes in the specification triggered by the end user during the design may result in iterations.</para>
<para>Constraints related to delivery time force occasionally corrections executed in parallel in phases intended to be sequential by the idealistic process model. We suppose a typical &#x0201C;waterfall&#x0201D; development, which, however, has its disadvantage that decisions taken in the project are often not reflected by artifacts (e.g., design documentation) created in an earlier project phase.</para>
<para>Even in critical projects, due to resource constraints, early deliverables are often not updated which may result in inconsistent documentation.</para>
<para>Note that the <link linkend="F6-1">Figure <xref linkend="F6-1" remap="6.1"/></link> shows a simplified partial view of the process presented in Pataricza et al. [<link linkend="ch06bib9">9</link>].</para>
<para>Verification and validation activities of a particular phase and design activities in the successor phase frequently show a similar temporal overlap, for instance, coding starts before the completion of design verification.</para>
<para>If design verification detects faults later, feedforward change management has to take care to correct the design and update the specification of the already ongoing coding activity.</para>
<para>Furthermore, latent faults escaping the V&#x00026;V of their respective earlier phase trigger feedback loops and multi-phase correction actions affecting preceding project deliverables as well.</para>
<para>Review Item Discrepancy (RID) is the output measure of a V&#x00026;V activity. A RID is an issue, identified by a reviewer who is uncompliant with a requirement, a review objective or a design goal.</para>
<para>Our suggestion is to facilitate effort estimation and &#x0201C;spot out&#x0201D; problematic parts of the target artifact of verification by applying complexity/quality metrics. These metrics can be retrieved right at the beginning of verification; also, such metrics for previous project deliverables (e.g., code metrics in the case of test verification) are reusable.</para>
</section>
<section class="lev2" id="sec6-1-2" label="6.1.2" xreflabel="6.1.2">
<title>Objectives</title>
<para>Cost estimators are fundamental elements all along the lifecycle of a project from the proposal definition through the project execution and <emphasis>a posteriori</emphasis> evaluation. Their main purpose is assuring a timely execution of the target project without overspending. A variety of general-purpose CE methodologies exists supporting the project management activities by predicting Key Performance Indicators (KPI), such as time/effort/cost/quality/risk.</para>
<para>Similarly, different measures assure the compliance of an ISVV or certification process with the standards. However, the objective of an assessor is an effective V&#x00026;V and certification process among the standard-compliant ones. Effectivity means here both productivity and quality.</para>
<para>Rough estimates, and rules of thumbs like approximating testing related costs as by around 40% of the overall development project costs, as typical for non-critical applications do not deliver reliable results for safety-critical ones.</para>
<para>Academic experts performed a thorough going evaluation of the current practice of the ISVV companies performed for third parties. They analyzed numerous historical project logs with a particular focus on the cost aspects to identify the main factors influencing the efficiency of the projects and the dominant quality and productivity bottlenecks. One main observation was that automatic quality checking of incoming project artifacts has a high priority, as this is the core factor determining the efficiency of the entire assessment projects.</para>
<para>The primary objective of the research based on the results of the analysis was checking the validity of the original approach of creating general-purpose CEs for the purpose of ISVV-related effort prediction.</para>
<para>The most important use case is the improvement of the ISVV process. Accordingly, the focus of the evaluation was on the &#x0201C;what-if&#x0201D; &#x02013; like analysis of the impacts of factor-by-factor changes in the process factors. This way, sensitivity analysis can predict the relative improvement expected, for instance, by the introduction of a new technology.</para>
</section>
<section class="lev2" id="sec6-1-3" label="6.1.3" xreflabel="6.1.3">
<title>Approach</title>
<para>The enrichment of the ISVV workflow design by effort metrics necessitates a proper cost predictor. The literature refers to a large number of general-purpose and dedicated approaches.</para>
<para>Flexibility, understandability and possible accuracy were the main selection criteria in designing a CE specific for V&#x00026;V.</para>
<para>The COCOMO family of CEs served as the starting point, as this is popular and relies on an open model. Note that the different versions of the CEs covering different use cases take nearly twenty factors as input to generate a cost estimate (as detailed in the next section).</para>
<para>The moderate number of historical project log does not even adequately sample this vast parameter space allowing the generation of an entirely new CE dedicated to ISVV.</para>
<para>Accordingly, our approach consisted of the following main steps:</para>
<itemizedlist mark="bullet" spacing="normal">
<listitem>
<para>estimation of those general factors related to software development processes which are independent of the peculiarities of ISVV;</para></listitem>
<listitem>
<para>cross-validation of the measured predicted by the general-purpose CE and the logged efforts in the ISVV sample set;</para></listitem>
<listitem>
<para>checking the set of input factors for completeness and potential revision of the definition according to ISVV.</para></listitem></itemizedlist>
</section>
</section>
<section class="lev1" id="sec6-2" label="6.2" xreflabel="6.2">
<title>Construction of the ISVV Specific Cost Estimator</title>
<para>Software project management offers a huge variety of approaches and tools for cost estimation. As no single one is detailed enough to describe the specific V&#x00026;V processes related to critical systems, we started the elaboration of an ISVV-specific CE model referred further as CECRISMO [<link linkend="ch06bib10">10</link>].</para>
<para>The COCOMO family of CEs served [<link linkend="ch06bib11">11</link>&#x02013;<link linkend="ch06bib13">13</link>] as the starting point of the designated CECRISMO. The COCOMO family of CE has a widespread industrial acceptance and use including (embedded) system design. Members of it support different project types and process models including mixed hardware&#x02013;software development, component reuse, and integration-based system design, etc. All COCOMO styled predictors rely on an open model. Thus, the adaptation can follow the usual process of the creation of a new member of this family. Most members of the family have an open source tool support.</para>
<section class="lev2" id="sec6-2-1" label="6.2.1" xreflabel="6.2.1">
<title>Structure of the Cost Predictor</title>
<para>All the members of the COCOMO family (incl. COSYSMO) share a similar formula for cost prediction (see <link linkend="F6-2">Figure <xref linkend="F6-2" remap="6.2"/></link>).</para>
<fig id="F6-2" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F6-2">Figure <xref linkend="F6-2" remap="6.2"/></link></label>
<caption><para>COSYSMO 2.0: Size Drivers/Effort Multipliers.</para></caption>
<graphic xlink:href="graphics/ch06_fig0002.jpg"/>
</fig>
<para><graphic xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="graphics/ch06eq1.jpg"/></para>
<para>where</para><itemizedlist mark="bullet" spacing="normal">
<listitem>
<para><italic>Person Months<subscript>Nominal Schedule</subscript></italic> is the estimated effort in man-months needed for the end-to-end execution of the project (nominal schedule),</para></listitem>
<listitem>
<para>&#x0201C;<italic>size driver</italic>&#x0201D; is an estimated metrics (a single real number) of the size and complexity of the target of the project (&#x0201C;<emphasis>What is the output of the development project?</emphasis>&#x0201D;).</para></listitem>
<listitem>
<para>For instance, early COCOMO cost predictors used the estimated number of source line of codes or function points as size estimators in pure coding projects. As not all elements within a particular category result in the same amount of efforts, difficulty categories express the differences in efforts and the total numbers are calculated as weighted sums. These weights are in the range of one order of magnitude for each step of a difficulty category. Similarly, the decreased efforts due to reuse of already existing artifacts is weighted by a reduction factor.</para></listitem>
<listitem>
<para>&#x0201C;<emphasis>effort multiplier</emphasis>&#x0201D; expresses the efficiency of the development process from technology, skills, development infrastructure and organizational aspects (&#x0201C;<emphasis>How effective is the output of the development project elaborated?</emphasis>&#x0201D;);</para></listitem>
<listitem>
<para>The evaluator expert assigns to each individual effort influencing factor a grade (an ordinal measure) <emphasis role="strong">Very low/Low/Nominal/High/Very high,</emphasis> which in turn is converted with an aspect dependent empirical constant vector into a relative effort multiplier (for instance an effort multiplier metric less than 1 corresponds to a speedup w.r.t. to the nominal case).</para></listitem>
<listitem>
<para><italic>A</italic> and <italic>E</italic> are calibration constants estimated during curve fitting to the data in the calibration set.</para></listitem></itemizedlist>
</section>
<section class="lev2" id="sec6-2-2" label="6.2.2" xreflabel="6.2.2">
<title>Cost Drivers</title>
<para>COSYSMO targeted the entire system development process in the large. When designing a new member of the COCOMO family, the standard procedure is an analysis and if necessary of the original model simultaneously keeping the core of its original factors and prediction methodology.</para>
<para>The following evaluation targets the creation of a CE corresponding to ISVV in focus. This analysis addresses the following central questions:</para>
<itemizedlist mark="bullet" spacing="normal">
<listitem>
<para>How appropriate are the input factors defined originally for the end-to-end process for ISVV (completeness and scoring methodology)?</para></listitem>
<listitem>
<para>Is there a necessity for the re-interpretation of the factors originally defined for end-to-end development to the peculiarities of ISVV?</para></listitem></itemizedlist>
</section>
<section class="lev2" id="sec6-2-3" label="6.2.3" xreflabel="6.2.3">
<title>Focal Problems in Predicting Costs for ISVV</title>
<para>The primary reason of the non-existence of ISVV specific CEs is the lack of a sufficient number of available project logs and other processable artifacts supporting statistically justified generalized statements.</para>
<para>In addition, the efforts needed for ISVV heavily depend on the quality of the input artefacts supplied by the separate design entity. This way, the input quality has an at least equally important influence, like the size and complexity of the system under assessment.</para>
<para>These important interdependencies necessitate a re-interpretation of the individual factors.</para>
<para>General-purpose CEs have to cover a broad spectrum of human skill levels ranging from a post-secondary level programmer to domain experts. Accordingly, they apply a rough-granular scoring range covering this wide set. ISVV, a highly demanding task is typically carried out by SMEs having a well-educated staff frequently having a higher academy degree and a long industrial expertise. This way, the staff in ISVV belongs to the top few scores related to human factors in general-purpose CEs, and the expressive power of these factors becomes insufficient due to the low resolution.</para>
</section>
<section class="lev2" id="sec6-2-4" label="6.2.4" xreflabel="6.2.4">
<title>Factor Reusability for ISVV-Related CE</title>
<para>The <emphasis role="strong">size drivers</emphasis> express the scale of the system under development adequately, but the size alone is insufficient to determine or approximate the efforts necessary for ISVV.</para>
<para>In the case of system requirements and artifacts corresponding to them, the impact of safety criticality on ISVV-related efforts needs refined weighting methods and scores. Critical requirements, components, etc., necessitate a thoroughgoing analysis as defined in the standards.</para>
<para>Moreover, standards define variation points in the checking process. Accordingly, here the weight of the factor needs a fitting to the actual process instance chosen for the actual object of ISVV instead of a global weight used in the original CE.</para>
<para>Similarly, as ISVV is a follow-up activity of a design phase the design quality heavily influences the amount of work to its execution.</para>
<para>The quality of the outputs of some V&#x00026;V preliminary activities (e.g., design the V&#x00026;V Plan, Requirement Verification, and Hazard Analysis) are major effort drivers for rest of the V&#x00026;V cycle. Modeling this behavior will also allow to perform ROI analyses at early stage of the V&#x00026;V process and/or continuously monitoring the cost-quality tradeoff of the overall V&#x00026;V cycle.</para>
<para>The notion of quality has a double meaning here. On the one hand, it refers to the care of the preparation of the ISVV input artifacts (how well is a design document structured and formulated). The quality of the input artifacts has a direct impact on the problem size (how many items needs the review report to detail).</para>
<para>On the other hand, it covers technical aspects (like the testability of code). The expressive power of the grading system is insufficient, and this issue is subject to a detailed analysis in a subsequent section.</para>
</section>
<section class="lev2" id="sec6-2-5" label="6.2.5" xreflabel="6.2.5">
<title>Human and Organizational Factors</title>
<para>An important obstacle originates in the difference regarding the organizational background.</para>
<para>Companies developing non-critical applications typically follow an end-to-end in-house approach. Mono-company development assures independence at the team-level within the company boundaries, if required by the standards, at all. Both the development and V&#x00026;V teams share the same enterprise culture regarding skills, organizational and technology aspects in case an entirely in-house process. This way the assumption of having a nearly homogenous culture and quality along the entire process is highly probable. Experts performing the scoring of the individual organizational and technology-related cost factors can typically do it at the level of the company.</para>
<para>On the contrary, ISVV relies on two organizationally independent, but to a given extent collaborative partners each having his separate culture. Moreover, ISVV performed for different clients faces different cultures at the side of the designer companies.</para>
<para>The group of team factors has nearly the same semantics as in the original model.</para>
<para>However, ISVV is typically a much more complex activity using different methods and tools as a traditional development process. This way, for instance, human and technical factors are related to the individual activities instead of using flat, global grading. If an ISVV process consists of a mix of peer review and formal analysis, tool support, personal experience, etc. all have to be evaluated at the resolution of these individual activities instead of a single approach based scoring. Mostly SMEs having a limited number of experts perform ISVV. Occasionally, the proper level of assessment is that of individuals instead of &#x0201C;average programmer at the company.&#x0201D;</para>
<para>The evaluation of cooperation related factors needs adaptation, as well (multisite coordination, stakeholder team cohesion). These aspects cover namely two kinds of teams: Intra-team communication at the unit performing ISVV where the interpretation is identical with that in the design organization; inter-team communication between the design entity and the ISVV site. A good approximate solution is a simple logic taking a pessimistic approach by assigning the minimum score of the two particular scores to these two communication-related aspects.</para>
</section>
<section class="lev2" id="sec6-2-6" label="6.2.6" xreflabel="6.2.6">
<title>Motivating Example: Testing</title>
<para>One of the core issues is the dependency of ISVV related costs on the quality of the input artifacts (like software source code), while the output of the process has to comply with the strict quality requirements formulated in the standards.</para>
<para>This dichotomy in the requirements has non-trivial consequences on cost estimation.</para>
<itemizedlist mark="bullet" spacing="normal">
<listitem>
<para>Testing of non-critical applications has as input typically a moderate quality code. It has to reach an acceptable, but not an extremely high fault coverage.</para></listitem>
<listitem>
<para>Testing of safety-critical applications however, always targets high-fault coverage.</para></listitem></itemizedlist>
<para>According to numerous observations, the detection rate drastically drops along the progress of the testing process after an initial peak (the testing time to detection rate distribution usually corresponds to a long-tailed Rayleigh distribution as shown in <link linkend="F6-3">Figure <xref linkend="F6-3" remap="6.3"/></link>, see [<link linkend="ch06bib14">14</link>]).</para>
<fig id="F6-3" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F6-3">Figure <xref linkend="F6-3" remap="6.3"/></link></label>
<caption><para>Rayleigh distribution by different parameters (a) fault detection rate (b) fault coverage (source: wikipedia.org).</para></caption>
<graphic xlink:href="graphics/ch06_fig0003.jpg"/>
</fig>
<itemizedlist mark="bullet" spacing="normal">
<listitem>
<para>This way effort estimation (the time to finish testing by reaching the required coverage) has to cope in case non-critical applications dominantly with the initial bulk of faults (which is relatively easy to estimate).</para></listitem>
<listitem>
<para>Regarding safety-critical objects under test this termination time instance lies on the long flat tail resulting in a potentially large estimation error.</para></listitem></itemizedlist>
<para>This way the scoring scheme of traditional CEs is inappropriate, as a score corresponding to a &#x0201C;High input quality&#x0201D; would mean, that fault coverage is above a threshold. However, this corresponds in testing time to an interval between the threshold and infinity.</para>
<para>However, input characterization may improve estimation accuracy by substituting the original grade-like scores with continuous metrics. We used mainly visual Exploratory Data Analysis methods in order to find and validate main correlations and interdependencies on project data. During CECRIS, some typical and &#x0201C;atypical&#x02019; projects were examined in order to see what connections and measureable characteristics can be set up between outputs and inputs of ISVV activities.</para>
</section>
</section>
<section class="lev1" id="sec6-3" label="6.3" xreflabel="6.3">
<title>Experimental Results</title>
<para>Even the initial experiments delivered some highly valuable conclusions for prioritizing the individual goals in CECRIS.</para>
<para>Note that the low number of cases presented here is apparently insufficient to draw any conclusions with a sound mathematical foundation but they serve as an orientation for the further experiments.</para>
<section class="lev2" id="sec6-3-1" label="6.3.1" xreflabel="6.3.1">
<title>Faithfulness of the Results</title>
<para><link linkend="F6-4">Figure <xref linkend="F6-4" remap="6.4"/></link> shows the effort estimated by COSYSMO compared to the real effort spent by the V&#x00026;V activities for each pilot project.</para>
<fig id="F6-4" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F6-4">Figure <xref linkend="F6-4" remap="6.4"/></link></label>
<caption><para>COSYSMO estimation compared to real V&#x00026;V effort.</para></caption>
<graphic xlink:href="graphics/ch06_fig0004.jpg"/>
</fig>
<para>The ratio of the logged and predicted efforts is for the entire four projects 4 &#x000B1; 10%. The correlation coefficient is 0.99, which means a strict proportionality. (It is well visible in the figure that the two curves have a similar shape.)</para>
<para>This way, the first impression is that the direct application of COSYSMO to pure V&#x00026;V phases delivers a qualitatively correct, but in absolute numbers wrong estimation. The main reason is that COSYSMO accounts for the efforts of the entire development process (starting with requirement analysis and including the entire code development and in-production testing phases, as well). The reference values from project logs cover only a smaller set of sub-activities of this process, V&#x00026;V, accounting for 22&#x02013;28% of the global project efforts.</para>
<para>The ratio of V&#x00026;V efforts w.r.t. to global efforts is in a narrow interval over all the pilot projects.</para>
<para>Expert&#x02019;s estimations predict in general 30&#x02013;35% share for V&#x00026;V in the industrial practice depending on the project and product in contrary to the observed &#x0223C;25% in the pilot calibration set. This better than average productivity originates in the very highly skilled and experienced personal typical in university close spin-offs.</para>
<para>Note that while the observed &#x0223C;25% holds in the pilot calibration set, but this value should be further validated on a larger data set. It presents a further problem that the independent V&#x00026;V and certification organizations have no exact data on the ratio to the total effort, while CECRISMO explicitly estimates effort for these phases.</para>
<para>COSYSMO can serve this way as a comparison base if the ratio of a particular V&#x00026;V and certification activity can be properly approximated.</para>
<para>V&#x00026;V efforts can be taken as a constant fraction of the predicted total development costs if only a rough estimate is targeted. Some COSYSMO implementations rely on the assumption on a constant ratio, which is valid if the entire project is carried out completely in-house.</para>
<para>However; the assumption has globally no proper justification in the case of an external accessor. The total effort estimation mixes activities carried out at the product manufacturer (3/4 share) and V&#x00026;V carried out at the independent accessor. A rigid subdivision cannot properly predict V&#x00026;V related efforts in general, as all factors may differ in the two actor enterprises.</para>
<para>However; such a first estimate is a candidate for a rough relative comparison of two solutions of V&#x00026;V tasks carried out by the same company.</para>
</section>
<section class="lev2" id="sec6-3-2" label="6.3.2" xreflabel="6.3.2">
<title>Sensitivity Analysis</title>
<para>Sensitivity analysis is widely used in order to estimate the impact of changing some input value or values onto the output of a function or a system.</para>
<para>The corresponding inputs are the size drivers and the effort multipliers in the case of cost estimation.</para>
<para>Sensitivity analysis forms the basis of answering numerous critical questions:</para>
<itemizedlist mark="bullet" spacing="normal">
<listitem>
<para><emphasis role="strong">Impact prediction for process changes</emphasis>: Process improvement necessitates always investments like the introduction of new tools into <emphasis role="strong">technology</emphasis>, improvement of team cohesion by teamwork support or investment into the human capital by training. While it is generally true that such investments has a beneficial impact onto the productivity and cost, <emphasis>sensitivity calculation is able to predict their impact in quantitative terms</emphasis>, as well.</para></listitem>
<listitem>
<para><emphasis role="strong">Adaptive project management</emphasis>: Sensitivity to the size drivers is a main characteristic to describe scalability of a project. Here the breakdown of the different size drivers into qualitative categories and taking <emphasis>the individual sensitivity values for instance delivers a good indicator of system specification modifications during the process</emphasis>.</para></listitem>
<listitem>
<para><emphasis role="strong">Estimation of the impacts of misscoring</emphasis>: The different effort multipliers need a special care from the point of view of sensitivity analysis. These are all categorical variables with assigned ordinals as domain (the effort multipliers take their score values from an ordered enumerated list).</para></listitem></itemizedlist>
<para>By the very nature of the scoring by an expert judgment guided by an informal description is somewhat subjective.</para>
<para>The evaluator can score a particular factor by one score up or down. <emphasis>Sensitivity analysis here answers the question what are the impacts if the evaluation expert puts a score to a wrong value</emphasis> (typically some of the neighboring values of the proper one).</para>
<para>The estimation of the impacts of such scoring errors assures that a range of uncertainty can be provided in addition to the single effort estimate as the final result. (Some cost estimation methods apply a non-deterministic simulation around the expected scoring to deliver such an uncertainty estimate.)</para>
<para>The V&#x00026;V focus of CECRIS necessitated this analysis, as the focus of the original COSYSMO description was not completely identical with the CECRIS objectives; this way, miscategorizations may occur. Another problem was that the scope of COSYSMO is essentially wider than that of CECRIS. This way, a significant part of the large domain of effort multipliers is irrelevant in the cases of CECRIS (for instance, no staff of very low skills and novice to certification will be involved into V&#x00026;V activities despite the fact that a this is a valid score allocation in COSYSMO).</para>
<para>Accordingly; only a subdomain of the COSYSMO&#x02019;s score space is relevant for CECRIS and this raises the question of applying a narrower but finer granular set of candidate scores.</para>
<para>A sensitivity analysis of all the individual cost drivers was performed in order to estimate the potential impact of miscategorization and a refined scoring system.</para>
<para>This is basically performed by taking the nearest lower and higher score of an input factor. If the mismatch between the observed value and the predicted one drastically changes, thus the cost is highly sensitive to the particular factor than the scoring rules have to be revised.</para>
<para>If the observed values typically lie between the two predictor values corresponding to neighboring score settings, than a refinement of the input scoring (introduction of an intermediate value) may increase the resolution and accuracy.</para>
<para>The <link linkend="F6-5">Figure <xref linkend="F6-5" remap="6.5"/></link> shows the relative impact of three cost drivers, <emphasis role="strong">Requirement Understanding</emphasis>, <emphasis role="strong">Architecture Understanding,</emphasis> and <emphasis role="strong">Personnel Experience/Continuity</emphasis>, on the cost estimator. Only these three cost drivers are analyzed for the sake of simplicity and without lose generality. As shown in <link linkend="F6-5">Figure <xref linkend="F6-5" remap="6.5"/></link>, increasing cost driver scores (<emphasis>x</emphasis>-axis), decreases the cost estimate (<emphasis>y</emphasis>-axis) nearly in a linear way. <emphasis role="strong">Requirements Understanding</emphasis> has a higher impact on the cost like <emphasis role="strong">Architecture Understanding</emphasis> and <emphasis role="strong">Personnel Experience/Continuity</emphasis>.</para>
<fig id="F6-5" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F6-5">Figure <xref linkend="F6-5" remap="6.5"/></link></label>
<caption><para>Cost drivers sensitivity analysis.</para></caption>
<graphic xlink:href="graphics/ch06_fig0005.jpg"/>
</fig>
<para>Even this small example indicates the importance of sensitivity analysis from the point of view of project- and process management.</para>
<para>If the quality of the requirement set specification is improved by a score than &#x0223C;20% can be reached in the terms of cost saving. If for instance, the traditional textual specification is substituted with an unambiguous formal model in an easy to understand form like the mathematically precise but well readable controlled natural language, then a significant cost saving can be reached with relatively low effort in training.</para>
<para>Naturally, multiple cost factors change in the case of the introduction of a new technology.</para>
</section>
<section class="lev2" id="sec6-3-3" label="6.3.3" xreflabel="6.3.3">
<title>Pilot Use Case for Project Management</title>
<para>As pilot case for what-if analysis the core CECRIS action line was selected: In a company dealing with V&#x00026;V/certification of critical ES advanced academic approaches are introduced. The skills of the local personnel would be at the beginning moderate and may only gradually reach the level of professional expertise. As a special case we investigated what happens if intensive coaching was provided by senior experts to help the transition. One of the previously analyzed projects was selected to carry out the what-if analysis.</para>
<para>COSYSMO calculator was taken and factors were determined as summarized by <link linkend="T6-1">Table <xref linkend="T6-1" remap="6.1"/></link>. Concentrating only on factors (taking values from Very Low through Nominal to Very High) where significant impact is expected, leaving other multipliers unchanged.</para>
<table-wrap position="float" id="T6-1">
<label><link linkend="T6-1">Table <xref linkend="T6-1" remap="6.1"/></link></label>
<caption><para>Pilot use case for introducing formal methods in verification</para></caption>
<table cellspacing="5" cellpadding="5" frame="hsides" rules="groups">
<thead>
<tr>
<td valign="bottom" align="left">Factors</td>
<td valign="bottom" align="center">Orig.</td>
<td valign="bottom" align="center">Introductory</td>
<td valign="bottom" align="center">Final</td>
<td valign="bottom" align="center">Intermediate</td>
</tr>
</thead>
<tbody>
<tr>
<td valign="top" align="left">Requirements understanding</td>
<td valign="top" align="center">H</td>
<td valign="top" align="center">N</td>
<td valign="top" align="center">VH</td>
<td valign="top" align="center">VH</td>
</tr>
<tr>
<td valign="top" align="left">Personal experience</td>
<td valign="top" align="center">N</td>
<td valign="top" align="center">L</td>
<td valign="top" align="center">N</td>
<td valign="top" align="center">N</td>
</tr>
<tr>
<td valign="top" align="left">Tool support</td>
<td valign="top" align="center">VL</td>
<td valign="top" align="center">H</td>
<td valign="top" align="center">VH</td>
<td valign="top" align="center">H</td>
</tr>
</tbody>
</table>
<table-wrap-foot>
<para>H, high; L, low; N, nominal; VH, very high.</para>
</table-wrap-foot>
</table-wrap>
<para>Our pilot calculation showed that a project introducing formal methods without experience (&#x0201C;Introductory&#x0201D;) has approximately the same cost as a project working with traditional, mostly human checks. Due to increased uncertainty, real costs (and technology related risk) may even be higher in this case. On the other hand, a guided &#x0201C;coaching&#x0201D; may result almost the same cost/effort saving as the ideal &#x0201C;final&#x0201D; stage, due to the reduced risk of novel technology and lack of experience (50 vs. 60%). Although these factors were not primarily calibrated for V&#x00026;V (nor for embedded systems), such overall project management considerations also hold in this area.</para>
</section>
</section>
<section class="lev1" id="sec6-4" label="6.4" xreflabel="6.4">
<title>Case Studies</title>
<para>In this chapter we present case studies to illustrate how the estimation method can be used on real-life data. During this analysis, we were also validating our assumptions about the process model.</para>
<section class="lev2" id="sec6-4-1" label="6.4.1" xreflabel="6.4.1">
<title>Complexity Factors</title>
<para>Complexity is an essential factor, used both in COSYSMO and in <emphasis>ad-hoc</emphasis> effort estimations for ISVV. As we described in Section 6.1, one overall scoring for projects cannot describe the overall difficulty of the problem, therefore a more fine-grained estimation is needed. Scaling/rating of the input may also depend on the problem or domain, so this estimation should be calibrated to the domain and the nature of the problem as well (e.g., boot software, a communication submodule or a computationally intensive software component may be different). Note that this complexity is expressed also in the COCOMO family as &#x0201C;algorithmic complexity&#x0201D;. In case of ISVV, we can rely on the advantage that the software to be checked is already available, so metrics which are typically measurable on the outcome of a traditional development project can be used for input characterization.</para>
<para>Although the interpretation and calculation of complexity differs across domains and development steps, we took some examples which are easy to calculate. Here we introduce complexity in the sense of code complexity.</para>
<para>Code complexity is measured usually on the source code of components. It concentrates on measuring the structure of the code (which do not necessarily correlates with the actual complexity of the problem solved by the particular software component, which is the main criticism wrt. complexity measurements).</para>
<para>One of the most widely used metrics is McCabe complexity:</para>
<para><graphic xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="graphics/ch06eq2.jpg"/></para>
<para>This metric fits well with problems which are control dominated, captured by the structure of their Control Flow Graph (CFG).</para>
<para>The above definition is independent from the programming language but is influenced by the coding convention, therefore its application may be limited for domains/teams. It should be quantized (e.g. low-medium-big). A typical upper threshold for &#x0201C;low&#x0201D; complexity may be five for instance in embedded software.</para>
<para>Another important metric is the <emphasis>Halstead</emphasis> metric concentrating on the &#x0201C;language&#x0201D; of the software, measured in the number of terms used.</para>
<para>Halstead metrics are concentrating on the &#x0201C;size&#x0201D; of the software measured in the number of &#x0201C;operators&#x0201D; and &#x0201C;operands&#x0201D; in software.</para>
<para>Let n1 be the number of <emphasis>unique</emphasis> <emphasis>operators</emphasis> and n2 the number of <emphasis>unique</emphasis> <emphasis>operands</emphasis>, while N1 denotes the <emphasis>total</emphasis> number of <emphasis>operators</emphasis> and N2 stands for <emphasis>total</emphasis> number of <emphasis>operands</emphasis>.</para>
<para><graphic xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="graphics/ch06eq3.jpg"/></para>
<para>It is important to note that the latter two derived metrics are highly domain-dependent. Effort refers to actual effort creating the software while &#x0201C;Delivered Bugs&#x0201D; is a rough estimation of &#x0201C;faults inserted&#x0201D;. E.g., the number of Delivered bugs is known to be an underestimate in general-purpose C/C++ programs but is in the range of ISVV found bugs, since ISVV deals with &#x0201C;residual&#x0201D; bugs not detected by in-house testing and other means of fault detection.</para>
<para>The programming language itself has a trivial impact on these metrics, especially the Halstead length of a program.</para>
<para>These metrics can also be applied at the model level since most of their concepts are already captured by (detailed) software models. Similarly to McCabe metrics, Halstead (derived) metrics can be used to calculate size drivers for COCOMO-like estimations.</para>
<para>We have recently experimented (among others) with C, Java, Python, JavaScript and found that these metrics may be used on only for input characterization, but also for finding outliers. For instance, in the examined subset, there were different solutions available for a computationally intensive problem written in the same programming language with drastically different complexity metrics. It turned out that one na&#x000EF;ve solution is inefficient, but simple iteration logic while the other solution relied on specialties of the problem. This second component would be trivially harder to maintain but runs with less execution time for the majority of the inputs. However, this is such a difference which could not have been found only by looking at the requirements or test cases of the given software component.</para>
<para>These examples also illustrate that the COCOMO family is too high granular when talking about factors, basic estimations should be supported by more detailed metrics. Most of the effort multipliers, however, will remain similar. These methods can also be used to select the appropriate level and target of the application of (semi) automated formal methods.</para>
</section>
<section class="lev2" id="sec6-4-2" label="6.4.2" xreflabel="6.4.2">
<title>Cost Impact of Requirement Management</title>
<para>Taking the example of a breakdown of a difficult requirement to five simple ones, the difference is 50% (2.5 vs. 5) in nominal difficulty. Of course, these numbers represent more rules of thumb than exact calculation, but still they express industrial best practice in project planning. Structuring of requirements is therefore a crucial part of project design. Although this can be done in any textual tool or in Excel (the most widespread requirement definition tool), a structured, object-oriented approach can help requirement refactoring and reuse by introducing typed interdependencies and domain specific notation in requirement specification.</para>
<para>As requirements have a specific &#x0201C;lifecycle&#x0201D;, changes and modifications have significant impact on overall project difficulty, and therefore affect related ISVV activities.</para>
<para><link linkend="T6-2">Table <xref linkend="T6-2" remap="6.2"/></link> shows, for instance, that a requirement of &#x0201C;Nominal&#x0201D; difficulty has a 30% less effort implications if it is reused from an existing requirement set.</para>
<table-wrap position="float" id="T6-2">
<label><link linkend="T6-2">Table <xref linkend="T6-2" remap="6.2"/></link></label>
<caption><para>Effect of requirement lifecycle</para></caption>
<table cellspacing="5" cellpadding="5" frame="hsides" rules="groups">
<thead>
<tr>
<td valign="bottom" align="left">No. of System Requirements</td>
<td valign="bottom" align="center">Easy</td>
<td valign="bottom" align="center">Nominal</td>
<td valign="bottom" align="center">Diff.</td>
</tr>
</thead>
<tbody>
<tr>
<td valign="top" align="left">New</td>
<td valign="top" align="center">0.5</td>
<td valign="top" align="center">1.0</td>
<td valign="top" align="center">5.0</td></tr>
<tr>
<td valign="top" align="left">Design for Reuse</td>
<td valign="top" align="center">0.7</td>
<td valign="top" align="center">1.4</td>
<td valign="top" align="center">6.9</td>
</tr>
<tr>
<td valign="top" align="left">Modified</td>
<td valign="top" align="center">0.3</td>
<td valign="top" align="center">0.7</td>
<td valign="top" align="center">3.3</td>
</tr>
<tr>
<td valign="top" align="left">Deleted</td>
<td valign="top" align="center">0.3</td>
<td valign="top" align="center">0.5</td>
<td valign="top" align="center">2.6</td>
</tr>
<tr>
<td valign="top" align="left">Adopted</td>
<td valign="top" align="center">0.2</td>
<td valign="top" align="center">0.4</td>
<td valign="top" align="center">2.2</td>
</tr>
<tr>
<td valign="top" align="left">Managed</td>
<td valign="top" align="center">0.1</td>
<td valign="top" align="center">0.2</td>
<td valign="top" align="center">0.8</td></tr>
</tbody>
</table>
</table-wrap>
<para>Requirements here are measured in a uniform way, however, from safety critical point of view, there can be huge differences even between requirements of same category (e.g., change in a &#x0201C;nominal&#x0201D; requirement related to emergency shutdown may have larger impact on software testing).</para>
<para>Also there are interdependencies among the requirement set, which may override the above numbers.</para>
</section>
<section class="lev2" id="sec6-4-3" label="6.4.3" xreflabel="6.4.3">
<title>Automated Analysis for Factor Selection</title>
<para>Besides exploratory analysis methods, a wide selection of automated analysis technique is available in &#x0201C;algorithm as a service tools&#x0201D; like IBM Watson Analytics, Microsoft Cortana or other evolving services. These tools typically support data cleansing and evaluation by combining a selection of well-known statistical algorithms with heuristics and other (e.g., text mining based) methods in order to find correspondences between input variables of datasets.</para>
<para>These tools return with a number of suggestions which in turn can be justified, refined (or even invalidated) by a profound analysis and check of human experts. These automated methods can not only speed up the initial steps of data analysis, but also systematically reduce the chance of overlooking factors or biasing analysis by false assumptions.</para>
<para>We analyzed 7 different ISVV projects with source code files in the range of 500 from the aerospace domain and submitted input information (complexity measurements, number of requirements/files to check, etc.) and output evaluation (number of RIDs found, information about these RIDs w.r.t. input artifacts, overall effort estimation) and performed automated analysis in order to see what correspondences and implications are derived. We were using IBM Watson Analytics. Our findings were the following:</para>
<para><emphasis role="strong">Input quality</emphasis>. As expected, data quality was very heterogeneous across projects. The tool pointed out factors where the number of missing entries (NAs) or constant data may distort the analysis. Input quality information is important as filtering out irrelevant or partially missing factors can prevent later analysis methods from generating false/not interpretable results.</para>
<para><emphasis role="strong">Categorization</emphasis>. Without any previous domain knowledge, some interesting categorization suggestions (expressed in the form of automatically derived decision tree) were found. The categorization returned by the tool was approximately the same as returned by experts. Such information might be used in qualitative &#x0201C;labelling&#x0201D; of projects.</para>
<para><emphasis role="strong">Heat map on frequent combination of factors</emphasis>. When selecting input factors, it is important to know which combination of values (intervals) appear in data to see how realistic/relevant the scaling of factors is. Analysis methods returned some important suggestions, for instance on how to combine readability metrics and file size to find a rough estimator for input quality (fault density measured in the &#x0201C;frequency&#x0201D; of RIDs).</para>
<para><emphasis role="strong">Derived factors</emphasis>. The analysis tool was also able to derive estimators (based on partial linear regression) which can take the project characteristics into account and return function-like closed formula predictors where parametrization may depend on project nature (which may be derived from the same metrics as used for project categorization).</para>
<para>Of course, the above estimations/predictions do not hold for all V&#x00026;V projects, but such automated analysis results may speed up the domain specific estimation and quality improvement process by inserting systematic analysis into today&#x02019;s mostly ad-hoc method.</para>
</section>
<section class="lev2" id="sec6-4-4" label="6.4.4" xreflabel="6.4.4">
<title>Quality Maintenance Across Project Phases</title>
<para>In order to see the effects of multiple-phase development (and, therefore, multiple-phase ISVV activities), we took two examples from the aerospace domain [<link linkend="ch06bib9">9</link>].</para>
<para>Our research questions were the following:</para>
<itemizedlist mark="bullet" spacing="normal">
<listitem>
<para>How does the &#x0201C;coding style&#x0201D; (i.e., structuring the code in smaller/bigger files with corresponding &#x0201C;header/specification&#x0201D; information) affect the quality of the code?</para></listitem>
<listitem>
<para>How do the number if iteration and the timespan of the project (and, therefore, the ISVV activities) influence the quality?</para></listitem></itemizedlist>
<para>As <link linkend="F6-1">Figure <xref linkend="F6-1" remap="6.1"/></link> shows, quality of artefacts may affect subsequent project phases, and thus, the input of the corresponding V&#x00026;V activity. In critical projects, traces among phases are typically available and support the identification of engineering decisions (e.g., how many classes will implement a certain requirement).</para>
<para>We also tried to introduce metrics to support the evaluation of dependency between phases in a quantitative way; the number of requirements/KLOC is such a candidate.</para>
<para>Main findings of this experiment were the following:</para>
<itemizedlist mark="bullet" spacing="normal">
<listitem>
<para>Although traceability is assured by the development process and tools, the effect of a fault inserted in an early phase (e.g., in a requirement) is not always corrected, especially during re-iteration.</para></listitem>
<listitem>
<para>Mainly due to the mostly human work during verification phases, RIDs are often recorded in a way which does not help later analysis: typical faults (e.g., in coding style, comments, or even implementation not fully consistent with design documents) may be reported once but may refer to multiple artefacts. Moreover, this also underlines that the number of RIDs may not be a precise characterization of ISVV project output, since the granularity of RIDs might move on a wide scale.</para></listitem>
<listitem>
<para>The timespan of the original project heavily influences the &#x0201C;lifecycle&#x0201D; of artifacts and also the quality assurance. We concentrated mostly on completeness and correctness faults, as during the re-iteration phase of ISVV, these get a special emphasis. We measured the fault ratio per KLOC in the source code. In the case of an &#x0201C;incremental&#x0201D; project with shorter iteration times (see the left part of <link linkend="F6-6">Figure <xref linkend="F6-6" remap="6.6"/></link>), the project converges and the ratio of faulty input items drastically decreases. In the case of long iterations and multiple changes in requirements, both the completeness and correctness of the software code got significantly worse. Note that these relatively small fault rates (when compared to a rule of thumb of 5 faults/KLOC) are detected after the code has been approved by in-house checks.</para></listitem></itemizedlist>
<fig id="F6-6" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F6-6">Figure <xref linkend="F6-6" remap="6.6"/></link></label>
<caption><para>Trends of fault in multi-phased ISVV projects.</para></caption>
<graphic xlink:href="graphics/ch06_fig0006.jpg"/>
</fig>
<para>This experiment also underlines that measuring only the characteristics of input artefacts is not enough without the organizational and human factors, which obviously have a huge impact on project effort both at the customer side and at the ISVV company.</para>
</section>
<section class="lev2" id="sec6-4-5" label="6.4.5" xreflabel="6.4.5">
<title>Fault Density and Input Complexity</title>
<para>In the following section, we present an analysis example which tries to set up high level correspondence between fault density (measured <emphasis>post-mortem</emphasis>, at the end of closed ISVV project phases) and complexity metrics (measurable at project planning stage).</para>
<para>A simplified and cleaned set of data has been loaded to Microsoft Power BI tool used for data analysis and visualization. Results presented here do not depend on the particular tool of choice. Besides basic &#x0201C;BI&#x0201D; visualizations, some R code was used to generate the plots. A part of the dashboard is shown on <link linkend="F6-7">Figure <xref linkend="F6-7" remap="6.7"/></link>.</para>
<fig id="F6-7" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F6-7">Figure <xref linkend="F6-7" remap="6.7"/></link></label>
<caption><para>Complexity metrics and fault density.</para></caption>
<graphic xlink:href="graphics/ch06_fig0007.jpg"/>
</fig>
<para>The left figure shows the number of RIDs (indicated by the size of circles) and their correspondence with the complexity metrics (McCabe and maximum nesting). The figure suggests that there is a more direct influence of complexity on fault number than the maximum nesting value. The figure on the right shows the distribution of RIDs according to their severity. Besides other findings, our experiment also showed that there is a clear negative correlation between comment to code ratio and code complexity.</para>
<para>Some high level conclusions on RIDs found in this project:</para><orderedlist numeration="arabic" continuation="restarts" spacing="normal">
<listitem>
<para><emphasis role="strong">Comment</emphasis> RIDS (which are often neglected by the customer, especially if a project is close to mission start) may have been found by ISVV or prevented during development if basic formal methods and automated, &#x0201C;template-like&#x0201D; check were used.</para></listitem>
<listitem>
<para>In the case of <emphasis role="strong">Minor</emphasis> and <emphasis role="strong">Major</emphasis> RIDs, requirement traceability is a key factor in efficient V&#x00026;V. These result in more objective RIDs which are also easier to validate and accept by the customer, while their correction can also be better traced.</para></listitem></orderedlist>
<para>Major RIDs may include a wide variety of discrepancies, from potential deadlocks caused by obsolete code to using wrong data types which may result in buffer overflow. Some of these faults are hard to find using manual methods, but are supported by formal tools which also return counter examples representing (potentially) wrong behavior. Major RIDs also require peer review, and are mostly accepted by the customers. Introducing Behavior-Driven Design technologies in the development may also help focusing testing and V&#x00026;V effort and eliminating faults caused by inconsistent development phases.</para>
</section>
</section>
<section class="lev1" id="sec6-5" label="6.5" xreflabel="6.5">
<title>Conclusions</title>
<para>Cost estimation is a fundamental pillar stone of all project management activities. Traditional systems and software engineering can rely on a variety of CEs providing sufficiently accurate predictors on the efforts needed to a particular application development. Independent systems verification and validation of safety critical applications is a crucial activity in assuring the compliance with the standards.</para>
<para>The current chapter evaluated the possibilities of creating a cost estimator dedicated to the V&#x00026;V phase of system design. The creation of such an estimator is feasible currently primarily due to the unavailability of a sufficiently large calibration dataset. However, a proper adaptation of traditional software CEs has proven its usefulness in process improvements and what-if style evaluation on changes in the workflow.</para>
<para>The adaptation of software cost predictors is not a mechanical process. Differences in assigning a metrics to the complexity of the target project, the scoring of the highly skilled personnel, the impact analysis of the introduction of sophisticated tools, etc. all need a domain expert.</para>
<para>As ISVV is a follow-up activity of a design phase, the design quality heavily influences the amount of work to its execution. The quality of outputs of the previous activities (e.g., design in the V&#x00026;V Plan, Requirement Verification, Hazard Analysis) are major Effort drivers for rest of the V&#x00026;V cycle. Modeling this behavior will also allow to perform ROI analyses at early stage of the V&#x00026;V process and/or continuously monitoring the cost-quality tradeoff of the overall V&#x00026;V cycle.</para>
<para>A major innovation of the approach is the use of advanced exploratory data analysis techniques [<link linkend="ch06bib15">15</link>] to get deep insights into the ISVV process. Finally, the chapter pinpoints that minimal dataset which is a recommended target of project logging to support future process improvement.</para>
</section>
<section class="lev1" id="sec6-6">
<title>References</title>
<orderedlist numeration="arabic" continuation="restarts" spacing="normal">
<listitem>
<para><anchor id="ch06bib1"/>CECRIS. <emphasis>FP7-PEOPLE-IAPP-CECRIS-324334 D2.1 Assessment methodology for analysis of companies V&#x00026;V processes</emphasis>.</para></listitem>
<listitem>
<para><anchor id="ch06bib2"/>CECRIS. <emphasis>FP7-PEOPLE-IAPP-CECRIS-324334 D2.5 Definition of Certification Oriented V&#x00026;V Processes</emphasis>.</para></listitem>
<listitem>
<para><anchor id="ch06bib3"/>CENELEC. (1999). <emphasis>EN 50126: Railway Applications &#x02013; The Specification and Demonstration of Reliability, Availability, Maintainability and Safety (RAMS)</emphasis>. Brussels: CENELEC.</para></listitem>
<listitem>
<para><anchor id="ch06bib4"/>CENELEC. (2011). <emphasis>EN 50128: Railway applications &#x02013; Communication, signalling and processing systems &#x02013; Software for railway control and protection systems</emphasis>. Brussels: CENELEC. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=CENELEC%2E+%282011%29%2E+EN+50128%3A+Railway+applications+-+Communication%2C+signalling+and+processing+systems+-+Software+for+railway+control+and+protection+systems%2E+Brussels%3A+CENELEC%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch06bib5"/>CENELEC. (2003). <emphasis>EN 50129: Railway applications &#x02013; Communication, signalling and processing systems &#x02013; Safety related electronic systems for signaling</emphasis>. Brussels: CENELEC. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=CENELEC%2E+%282003%29%2E+EN+50129%3A+Railway+applications+-+Communication%2C+signalling+and+processing+systems+-+Safety+related+electronic+systems+for+signaling%2E+Brussels%3A+CENELEC%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch06bib6"/>ISO. (2011). <emphasis>ISO26262 &#x02013; Road vehicles &#x02013; functional safety, International Organization for Standardization</emphasis>. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=ISO%2E+%282011%29%2E+ISO26262+-+Road+vehicles+-+functional+safety%2C+International+Organization+for+Standardization%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch06bib7"/>ISO (International Organisation for Standardisation) and IEC (International Electrotechnical Commission). (2009). &#x0201C;Software Product Quality,&#x0201D; in <emphasis>ISO/IEC 9126</emphasis>, November 2009.</para></listitem>
<listitem>
<para><anchor id="ch06bib8"/>RTCA. (2012). <emphasis>RTCA/DO-178C, Software Considerations in Airborne Systems and Equipment Certification</emphasis>.</para></listitem>
<listitem>
<para><anchor id="ch06bib9"/>Pataricza, A., G&#x000F6;nczy, L., Brancati, F., Moreira, F., Silva, N., Esposito, R., Sal&#x000E1;nki, &#x000C1;., Bondavalli A. (2016). &#x0201C;Towards an analysis framework for cost &#x00026; quality estimation of V&#x00026;V project,&#x0201D; in <emphasis>DASIA 2016</emphasis>, Tallin, Estonia.</para></listitem>
<listitem>
<para><anchor id="ch06bib10"/>Brancati, F., Pataricza, A., Silva, N., Heged&#x000FC;s, &#x000C1;., G&#x000F6;nczy, L., Bondavalli, A., and Esposito, R. (2015). &#x0201C;Cost Prediction for V&#x00026;V and Certification Processes,&#x0201D; in <emphasis>2015 IEEE International Conference on Dependable Systems and Networks Workshops (DSN-W)</emphasis> (New York, NY: IEEE), 57&#x02013;62. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Brancati%2C+F%2E%2C+Pataricza%2C+A%2E%2C+Silva%2C+N%2E%2C+Heged%FCs%2C+%C1%2E%2C+G%F6nczy%2C+L%2E%2C+Bondavalli%2C+A%2E%2C+and+Esposito%2C+R%2E+%282015%29%2E+%22Cost+Prediction+for+V%26V+and+Certification+Processes%2C%22+in+2015+IEEE+International+Conference+on+Dependable+Systems+and+Networks+Workshops+%28DSN-W%29+%28New+York%2C+NY%3A+IEEE%29%2C+57-62%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch06bib11"/>COCOMO. (2015). <emphasis>COCOMO II &#x02013; Constructive Cost Model</emphasis>. University of Southern California.</para></listitem>
<listitem>
<para><anchor id="ch06bib12"/>Constructive System Engineering Cost Model (COSYSMO). Available at: <ulink url="http://cosysmo.mit.edu/">http://cosysmo.mit.edu/</ulink></para></listitem>
<listitem>
<para><anchor id="ch06bib13"/>Fortune, J., Valerdi, R., Boehm, B. W., and Stan Settles, F. (2009). &#x0201C;<emphasis>Estimating Systems Engineering Reuse</emphasis>.&#x0201D; MITLibraries. Available at: <ulink url="http://dspace.mit.edu/handle/1721.1/84088.">http://dspace.mit.edu/handle/1721.1/84088.</ulink></para></listitem>
<listitem>
<para><anchor id="ch06bib14"/>Kan, S. H. (2002). <emphasis>Metrics and Models in Software Quality Engineering</emphasis>, 2nd ed. Boston, MA: Addison-Wesley Longman Publishing Co., Inc. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Kan%2C+S%2E+H%2E+%282002%29%2E+Metrics+and+Models+in+Software+Quality+Engineering%2C+2nd+ed%2E+Boston%2C+MA%3A+Addison-Wesley+Longman+Publishing+Co%2E%2C+Inc%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch06bib15"/>Pataricza A., Kocsis I., Sal&#x000E1;nki &#x000C1;., G&#x000F6;nczy L. (2013) &#x0201C;Empirical Assessment of Resilience,&#x0201D; in <emphasis>Software Engineering for Resilient Systems. SERENE 2013</emphasis>, eds A. Gorbenko, A. Romanovsky, V. Kharchenko. Lecture Notes in Computer Science, vol. 8166. Springer, Berlin, Heidelberg.</para></listitem></orderedlist>
</section>
</chapter>
<chapter class="chapter" id="ch07" label="7" xreflabel="7">
<title>Lightweight Formal Analysis of Requirements</title>
<para role="author"><emphasis role="strong">Andr&#x000E1;s Pataricza<superscript>1</superscript>, Imre Kocsis<superscript>1</superscript>, Francesco Brancati<superscript>2</superscript>, Lorenzo Vinerbi<superscript>2</superscript> and Andrea Bondavalli<superscript>3,4</superscript></emphasis></para>
<para><superscript>1</superscript>Dept. of Measurement and Information Systems, Budapest University of Technology and Economics, Budapest, Hungary</para>
<para><superscript>2</superscript>Resiltech s.r.l., Pontedera (PI), Italy</para>
<para><superscript>3</superscript>Department of Mathematics and Informatics, University of Florence, Florence, Italy</para>
<para><superscript>4</superscript>CINI-Consorzio Interuniversitario Nazionale per l&#x02019;Informatica-University of Florence, Florence, Italy</para>
<para>Requirements are the core work items of the design and checking workflow target safety critical systems. Accordingly, their completeness, compliance with the standards and understandability is a dominant factor in the subsequent steps. Requirements review is a special kind of Independent Software/Systems Verification and Validation (ISVV). The current chapter presents methodologies to use lightweight formal methods supporting experts in a peer review based ISVV.</para>
<section class="lev1" id="sec7-1" label="7.1" xreflabel="7.1">
<title>Introduction</title>
<para>The quality of requirements dominates the efforts of a design process especially in the case of safety-critical applications (see <link linkend="ch06">Chapter <xref linkend="ch6" remap="6"/></link>). As described in the previous chapter in details, the effort and quality of the ISVV heavily depend on the input quality of the work items submitted for review by the customer. Frequently a significant part of the efforts is wasted to basic activities similar to the data cleansing phase in the field of data analysis regarding their level and ratio (which can reach a few tens of percents). For instance, ill-structured documents, inconsequent and non-conformant with the standards use of terminology all require expert effort to be checked although they do not form the essence of the assessment.</para>
<para>Correspondingly, the exhaustiveness of the checks performed has a major impact on all the activities relying on the completeness, standards compliance and integrity of them. This way, requirement review has to be as thoroughgoing as possible. However, this part of the workflow benefits only to a moderate extent of the advantages of Model-Based System Engineering (MBSE) and formal methods due to the typically conservative (informal) or at most semi-structured text based formulation used mostly in the industry.</para>
<para>The objective of the current chapter is the presentation of an approach targeting a gradual introduction of MBSE and formal methods to requirement checking. The introduction of easy-to-use methods simultaneously assures an increased productivity and quality without the need of a single step introduction of a complete framework or specialized skills in formal methods.</para>
<para>The chapter introduces the basic modeling concepts as defined by standards. The subsequent section presents techniques carrying out extended syntactic analysis over the requirement documents. After addressing change management in iterative requirement design/modification-checking workflows the closing section deals with the integration of the measures described into the ISVV.</para>
</section>
<section class="lev1" id="sec7-2" label="7.2" xreflabel="7.2">
<title>Objective</title>
<para>Our objective is supporting dominantly peer review based ISVV executed by SMEs. Typically, highly-qualified experts constitute the personal of such companies. Reviewers usually are very familiar and knowledgeable of the application domain without deep skills in advanced formal methods.</para>
<para>Accordingly, our evolutionary approach is less ambitious, than a revolutionary one exploiting the full potential of mathematical proof of correctness methods. It follows the paradigm of hidden formal methods in which the user of the tool gets the support from a built-in intelligence, but the working environment has no or very moderate changes compared to the traditional one.</para>
<para>Our approach does assume either an end-to-end MBSE or a complete automation of the workflow; however, it can contribute to a significant effort saving by reducing the overhead originating in document cleaning, managing the progress of the assessment including checking its completeness.</para>
<para>This way, the efforts of the experts can be focused on the hardcore problems related to technical evaluation deliberated of the majority of the pure mechanical tasks not requiring their expertise.</para>
<para>The subsequent sections address the three major questions in improving ISVV:</para><itemizedlist mark="bullet" spacing="normal">
<listitem>
<para>How to create interchangeable and well-structured documents out of traditional unstructured ones?</para></listitem>
<listitem>
<para>How to create a domain-specific working environment out of a traditional one by adding quality improvement and checking measures based on hidden formal methods?</para></listitem>
<listitem>
<para>How to improve the convergence of requirements by change management in iterative design-ISVV workflows?</para></listitem></itemizedlist>
</section>
<section class="lev1" id="sec7-3" label="7.3" xreflabel="7.3">
<title>ReqIF and Modeling</title>
<para>The requirements play an important role in cooperating between final product manufacturers and part suppliers, as these provide the basis of outsourcing and acceptance tests between them. This way, the exchange of requirement between cooperating partners is a crucial part for instance in the automotive industry demanding relatively low interaction times.</para>
<para>The Object Management Group (OMG) developed an open standard [<link linkend="ch07bib1">1</link>] called Requirements Interchange Format (ReqIF) to assure interoperability between cooperating partners (see <link linkend="F7-1">Figure <xref linkend="F7-1" remap="7.1"/></link>). This standard is open toward different design and checking technologies thus it is a natural candidate to information exchange between designer and independent software/system verification and validation (ISVV). OMG ReqIF provides a well-regulated set of rules and protocols for cooperation.</para>
<fig id="F7-1" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F7-1">Figure <xref linkend="F7-1" remap="7.1"/></link></label>
<caption><para>ReqIF based information exchange.</para></caption>
<graphic xlink:href="graphics/ch07_fig001new.jpg"/>
</fig>
<para>Requirements Interchange Format has wide support regarding open and commercial requirement design and management tools. Also, leading vendors put requirements as the core entity of the entire design and checking workflow. Advanced MBSE based frameworks integrate requirement management with design and test. Traceability is a priority concept in ReqIF.</para>
<para>The following summary presents the main benefits of ReqIF as an exchange model language for ISVV based on the top-level constructs in its meta-model.</para>
<para>Requirements Interchange Format supports the exchange of core content labeled by a header sufficiently detailed to identify the document itself and optionally tool specific extensions from other information sources, like results of evaluation (<link linkend="F7-2">Figure <xref linkend="F7-2" remap="7.2"/></link>).</para>
<fig id="F7-2" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F7-2">Figure <xref linkend="F7-2" remap="7.2"/></link></label>
<caption><para>Exchange document structure.</para></caption>
<graphic xlink:href="graphics/ch07_fig002new.jpg"/>
</fig>
<para>The specification is the core content of a ReqIF instance associated with specification types, objects and the relations between them (<link linkend="F7-3">Figure <xref linkend="F7-3" remap="7.3"/></link>). The notion of links (called here &#x0201C;SpecRelations&#x0201D;) assures the traceability of the requirement model to other artifacts. The metamodel supports hierarchical composition of requirement sets, like a well-structured description of safety cases derived by specialization from a standard, e.g., as an evidence list and interlinked supportive arguments.</para>
<fig id="F7-3" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F7-3">Figure <xref linkend="F7-3" remap="7.3"/></link></label>
<caption><para>Specifications, requirements, and attributes.</para></caption>
<graphic xlink:href="graphics/ch07_fig003new.jpg"/>
</fig>
<para>The most popular infrastructure for ReqIF is Eclipse RMF (Requirement Management Framework) [<link linkend="ch07bib2">2</link>]. ProR [<link linkend="ch07bib3">3</link>] an open-source editor to edit structured requirement documents.</para>
<para>Definition of data types, including enumeration types, supports the creation of a domain-specific MBSE-styled model representation.</para>
<para>For instance, the different Safety Integrity Levels form a core enumeration datatype of the form of &#x0007B;<emphasis>SIL0&#x02026;SIL4</emphasis>&#x0007D;. Traditional type checking assures the avoidance of omissions or ill-specified values in the corresponding field.</para>
<para>Syntax-driven editors constrain the designer to use only such values in the field, that comply with the datatype definition.</para>
<para>However, turning a column in an Excel worksheet from the general string type to one out of the predefined values forming the enumerated data type implements simply the same principle. Such constraints simply prohibit entering a wrong value into the instance model corresponding to the application under development.</para>
<para>Moreover, this tiny example indicates a further opportunity in separating the duties: If a domain and modeling specialist designs the Excel template, he could embed the terminology, structure, etc., from the standards, as well. The application designer filling out the template with the content corresponding to the particular application under development will face his traditional working environment with the hidden type model and check already embedded by the expert.</para>
<para>At the same time, the example pinpoints the limitations of a pure ReqIF-based working environment design approach, as well. Implementation of complex relations necessitates low-level (e.g., VisualBasic) programming and it benefits of modeling only by starting from a proper blueprint, which implies all the drawbacks of traditional programming.</para>
<para>Bidirectional communication between cooperating partners was a primary design objective of the OMG ReqIF standard. In the context of ISVV, this offers the opportunity of using it in the ISVV-to-developer communication for feeding back the review results in an entirely standards compliant way. This way, the iterative process can benefit from the rich navigation and traceability supporting features of ReqIf.</para>
<section class="lev2" id="sec7-3-1" label="7.3.1" xreflabel="7.3.1">
<title>Domain Conceptualization</title>
<para>The industrial success of ReqIF in the inter-party communication in product design makes it a natural candidate in developer-to-assessor cooperation and model-based ISVV, as well. Moreover, as ReqIF documents carry both the instance model and its respective metamodel, they can harmonize of requirement design and ISVV.</para>
<para>At the top end, ReqIF-based requirement modeling serves as the starting point of sophisticated methodologies aiming at correctness by design (like RODIN &#x02013; Rigorous Open Development Environment for Complex Systems [<link linkend="ch07bib12">12</link>] transforming specifications into formal Event-B models). However, the introduction of heavyweight formal methods into ISVV, a single phase of the product development process faces serious obstacles regarding skills, and in the overwhelming majority of ISVV tasks, it has an improper modeling effort/benefit ratio.</para>
<para>Our approach uses ReqIF similarly for information exchange, as this assures a well-structured requirement set. Lightweight modeling should complement the methodology of customization of the ReqIF metamodel and work environment of the requirement composer to a particular product or product family using MBSE. Finally, the customized work environment accommodates traditional, manual, design, and V&#x00026;V methods, as well.</para>
<para>Ontologies serve as primary candidates for semantics based unification and conceptually clean metamodel design [<link linkend="ch07bib4">4</link>]. Ontologies are formalized vocabularies of terms covering a specific domain. They define the meaning of terms by describing their relationships with other terms in the ontology. They classify the terms that can be used in a particular application, characterize possible relationships, and define possible constraints on their use by providing formal naming and definition of the types, properties, and interrelationships [<link linkend="ch07bib5">5</link>].</para>
<para>Knowledge organization, complexity reduction, and problem solution all use ontologies for a variety of fields ranging from the Semantic Web, through systems and software engineering to such non-technical fields, as library science. The main use case of ontologies is conceptual data integration.</para>
<para>The driving force behind their standardization of formats (RDF and RDF Schemas, OWL) is the World Wide Web Consortium (W3C). The formats support interoperability, information fusion, and interchange.</para>
<para>MBSE largely depends on metamodeling (UML and derivatives). Metamodeling and ontologies are two different, but mutually transformable approaches <footnote id="fn7_1" label="1"> <para>Theoretically, not all ontologies have an explicit metamodel counterpart, but the subclass of ontologies referred in the current chapter is subject of metamodeling based design. For instance, the Object Management Group (OMG) offers a bridge in the form of an &#x0201C;<emphasis>Ontology Definition Metamodel</emphasis>&#x0201D; [<link linkend="ch07bib13">13</link>].</para></footnote> to modeling language and model construction. Both paradigms focus on the description of the relations between concepts, checking of the compliance of instances (individual models) with their respective parent metamodel or upper ontology.</para>
<para>In contrary of usual metamodels, ontologies have a precise semantics regarding mathematical logic, for instance in ISO/IEC Common Logic [<link linkend="ch07bib6">6</link>]. Ontology tools have built-in functions checking the completeness and consistency of the models, and the correspondence of subontologies (speciali- zations) and instances to their upper ontology (subsumption check).</para>
<para>The gradual introduction of hierarchical and relational elements into the model following a vocabulary&#x02013;taxonomy&#x02013;ontology process results in an ontology corresponding to a particular standard. Such an ISVV ontology consolidates notions and their mutual relations defined in standards as concepts.</para>
<para>Ontology processing has supportive mechanisms for information fusion by virtually merging multiple, physically separate ontologies. Starting from multiple ontologies representing different viewpoints facilitates aspect-oriented modeling.</para>
<para>The requirement set related to a particular application (legacy documentation, source code, and comments, etc.) are then instances of this ontology. This way the interdependence of entities and V&#x00026;V steps managing them is explicit.</para>
</section>
<section class="lev2" id="sec7-3-2" label="7.3.2" xreflabel="7.3.2">
<title>Integration with Existing Practice of ISVV</title>
<para>A (slightly simplified and obfuscated) real-life example taken from a railway hazard analysis project serves as motivating example.</para>
<para>The railway is a safety-critical domain; various safety measures designed into the system address the hazards that pose an unacceptable risk; these have to be proven to mitigate the various risks to an acceptable level.</para>
<para>The assignment of so-called Safety Integrity Levels ranging from 0 to 4 classify safety instrumented systems and functions. Each level has an associated interval of probability of failure on demand of the safety function, what translates to an overall risk reduction capability.</para>
<para>Designers of the original documentation used a plain, unstructured list of hazards as the input for risk analysis (<link linkend="F7-4">Figure <xref linkend="F7-4" remap="7.4"/></link>). However, structuring the potential causes indicates clearly its flaws. At first, the introduction of the abstract concepts &#x0201C;<emphasis>Subject</emphasis>&#x0201D; and &#x0201C;<emphasis>Impact</emphasis>&#x0201D; separates the different aspects related to a hazard event (<link linkend="F7-4">Figure <xref linkend="F7-4" remap="7.4"/></link>).</para>
<fig id="F7-4" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F7-4">Figure <xref linkend="F7-4" remap="7.4"/></link></label>
<caption><para>Unstructured and structured model.</para></caption>
<graphic xlink:href="graphics/ch07_fig004new10.jpg"/>
</fig>
<para>Aspect weaving in the form of interrelating them derives the individual categories, like &#x0201C;<emphasis>Line Controller Death</emphasis>.&#x0201D; The inclusion of &#x0201C;<emphasis>No Hazard Event</emphasis>&#x0201D; and &#x0201C;<emphasis>Fire</emphasis>&#x0201D; do not fit into the scheme. The list of hazards is still incomplete w.r.t cardinality constraints. For instance, the standard may require the complete coverage of all potential hazard events by evaluating all &#x0201C;<emphasis>Subject</emphasis>&#x0201D; and &#x0201C;<emphasis>Impact</emphasis>&#x0201D; combinations. Automated reasoning reveals that the &#x0201C;<emphasis>Staff OnBoard Death</emphasis>&#x0201D; category lacks the considerations.</para>
<para>At the same time, this model is easy to maintain. For instance, after the introduction of the notion of a &#x0201C;<emphasis>Driver</emphasis>&#x0201D; as a separate category, inherence mechanisms can derive the two subcases &#x0201C;<emphasis>Driver Death</emphasis>&#x0201D; and &#x0201C;<emphasis>Driver Injury</emphasis>&#x0201D; without touching other parts of the model.</para>
<para>Moreover, the design and ISVV workflows may rely on external information sources, as well. Information fusion necessitates the unification of the concepts of the different data sources by establishing the correspondence between their notions.</para>
<para>For instance, risk analysis should cover all the hazards above a given frequency of occurrence, which necessitates the inclusion of historical statistical data from external data sources (like [<link linkend="ch07bib14">14</link>] in <link linkend="F7-5">Figure <xref linkend="F7-5" remap="7.5"/></link>). Their integration into the ontology can follow the same unification approach, as in [<link linkend="ch07bib7">7</link>] based on mapping the notions in different models after some elementary operation (like calculating totals when aggregating overly fine granular statistical data).</para>
<fig id="F7-5" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F7-5">Figure <xref linkend="F7-5" remap="7.5"/></link></label>
<caption><para>Causality statistics structure.</para></caption>
<graphic xlink:href="graphics/ch07_fig005new.jpg"/>
</fig>
<para>Note, that the process of information fusion is an important engineering task and not a pure semantic matching of two models. Apparently, resolution of the two models differ merging different categories in the statistics into a single concept in the model of hazard events assumes a similarity in their occurrence and impacts. Aggregation of categories is at the same time an input specification for the underlying summation of frequencies of their occurrence.</para>
<para>Such an interrelation of statistical data and the input model of hazard analysis support augmentative maintenance of the model. The appearance of a new category in the statistics (e.g., security) with no counterpart in the hazard event ontology pinpoints that the later one is not up-to-date.</para>
</section>
</section>
<section class="lev1" id="sec7-4" label="7.4" xreflabel="7.4">
<title>Requirement Change Propagation</title>
<para>Our motivational example comes from the railway domain loosely based on an actual change scenario, similarly as the example above. It highlights the importance of lightweight formal methods from a further aspect, change management. For didactical as well as legal reasons, the case presented here is very heavily simplified and sanitized from multiple aspects.</para>
<para>The SIL of a function has a fundamental impact on its development cost and time, as higher levels require increasingly sophisticated V&#x00026;V activities. Consequently, during requirement change impact analysis it is essential to correctly identify whether a requirement change indirectly causes SIL changes in a specification through change propagation.</para>
<section class="lev2" id="sec7-4-1" label="7.4.1" xreflabel="7.4.1">
<title>Original Specification</title>
<para>Our example demonstrates how the changes in the requirement set of a Central Traffic Control system have a propagation effect in the whole specification.</para>
<para>Keeping station area traffic safe is a complex problem involving many tracks and switches in a complex manner, and the risks stemming from a significant number of hazardous situations have to be mitigated. Trackside signals regulate station area traffic allowing or denying entry to a track or (switching) point. Classically, the control of the traffic through the signals has been performed by local personnel and systems. The main means of risk mitigation is <emphasis>signal interlocking</emphasis>: a separate system overrides any traffic control command that would lead to a hazardous signal configuration. (For instance, giving a &#x0201C;clear&#x0201D; signal at the same time at two entry points of an interlocking.) Signal interlocking can be overridden in the local traffic control system under strict operational rules, e.g., a switch with broken switch state monitoring correctly halts traffic; however, to resume traffic, local personnel has the situational awareness and authority of a temporal override of the associated signal interlocking.</para>
<para>Traffic control has been and is being centralized worldwide To increase operational efficiency, a Central Traffic Control (CTC) system manages the traffic at multiple stations. CTC can be an overlay to the existing systems without substituting the local traffic control and the remote CTC &#x0201C;pushes its buttons&#x0201D; instead of local personnel. Local signal interlocking is left unchanged, too.</para>
<para>The &#x0201C;original&#x0201D; specification on <link linkend="F7-6">Figure <xref linkend="F7-6" remap="7.6"/></link> represents a simplified excerpt from the specification of such a system. Importantly, the CTC does not have the full authority of local personnel; it is not allowed to issue signal interlocking override (more generally, safety-critical) commands. As a result, the process of setting up safety goals, decomposing them into safety requirements and mapping those onto elements of the functional architecture identifies that it is SIL0 (not safety critical). On the other hand, notice how the high-risk mitigation capability requirement (SIL4) is carried over from the safety goal to the interlocking system.</para>
<fig id="F7-6" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F7-6">Figure <xref linkend="F7-6" remap="7.6"/></link></label>
<caption><para>The original and changed specification in our example.</para></caption>
<graphic xlink:href="graphics/ch07_fig006new.jpg"/>
</fig>
</section>
<section class="lev2" id="sec7-4-2" label="7.4.2" xreflabel="7.4.2">
<title>Changed Specification</title>
<para>This specification has the chance to lead to a highly safe system that conforms to the legal requirements on safety. However, an operator is also concerned about operational efficiency. Let us assume that the operator finds the above specification too restrictive; in many circumstances, override situations can be managed acceptably safely, even if the override command is issued remotely. However, some characteristic hazards have to be avoided [<link linkend="ch07bib8">8</link>]; one of them is the CTC issuing override commands unintentionally. (The CTC is usually a complex, software-based system, where operators manage multiple stations of a geographical region with reduced situational awareness due to their remote location.) This leads to the specification excerpt depicted in <link linkend="F7-6">Figure <xref linkend="F7-6" remap="7.6"/></link> as the changed specification.</para>
<para>The key difference between the two specifications from change impact analysis is that the central traffic control became a safety-critical component. Risk mitigation assumes the absence of override commands issued by the central traffic control unintentionally. <footnote id="fn7_2" label="2"> <para>There are many ways to ensure this, regarding the operators as well as the software/hardware system; discussing these is not in the scope of this chapter.</para></footnote> This change in SIL has further propagating effects; the V&#x00026;V activities associated with the architecture, interfaces and implementing components of central traffic control have to be revisited.</para>
</section>
<section class="lev2" id="sec7-4-3" label="7.4.3" xreflabel="7.4.3">
<title>The Change Impact Propagation Method</title>
<para>Requirement engineers have to evaluate the propagating effect of changes and rework the specification accordingly. This task involves two major phases.</para><itemizedlist mark="bullet" spacing="normal">
<listitem>
<para><emphasis role="strong"><emphasis>Suspicion marking through change impact propagation</emphasis></emphasis>. The directed dependency graph of the specification is traversed starting from the initial changes introduced into the specification. Dependencies and requirements that may have to be changed as an effect of the original change are marked as <emphasis>SUSPICIOUS</emphasis>. After that, specification objects that are connected to <emphasis>SUSPICIOUS</emphasis> ones are evaluated and potentially marked, too in a transitive manner. Effectively, the <emphasis>SUSPICIOUS</emphasis> marking is &#x0201C;propagated&#x0201D; in the reachability subgraph of the originally changed elements. The resulting <emphasis>change impact cover</emphasis> &#x02013; the subgraph defined by the vertices marked <emphasis>SUSPICIOUS</emphasis> &#x02013; is passed on to marking processing.</para></listitem>
<listitem>
<para><emphasis role="strong"><emphasis>Processing marking</emphasis></emphasis>. One by one, the suspicion-marking of the marked dependencies and requirements has to be either accepted or refuted. If accepted, the appropriate specification change has to be designed and performed.</para></listitem></itemizedlist>
<para>We are mainly concerned here with the first phase, although the value-based change impact propagation we introduce gives guidance to the second one, too.</para><itemizedlist mark="bullet" spacing="normal">
<listitem>
<para>In practice, manually performing the first activity is a repetitive, time-consuming and error-prone task even for moderate size specifications.</para></listitem>
<listitem>
<para>The best of breed modern requirement management tools support topology-based propagation: anything that is connected to a specification element marked <emphasis>SUSPICOUS</emphasis> is <emphasis>SUSPICIOUS</emphasis>, too.</para></listitem>
<listitem>
<para>Some modern tools begin to support type-based propagation. In this case, marking is propagated only along the configured types of dependencies and only upon the configured types of requirement attributes becoming <emphasis>SUSPICIOUS</emphasis>.</para></listitem></itemizedlist>
<para>Type-based propagation is a powerful tool to reduce the extent of the change impact cover in the specification. Observe that on <link linkend="F7-6">Figure <xref linkend="F7-6" remap="7.6"/></link>, textual description change along the <emphasis role="monofont">&#x0003C;<emphasis>SG2, SR2, FA2, HW1</emphasis>&#x003E;</emphasis> trace does not propagate into the functional architecture due to the safety requirement mapping nature of the <emphasis role="monofont">(<emphasis>SR2, FA2</emphasis>)</emphasis> link. On the other hand, SIL change does propagate, as <emphasis role="monofont"><emphasis>FA2</emphasis></emphasis> got connected to a new safety requirement; thus, its SIL has to be potentially (and in this case, also actually) modified.</para>
<para>Value-based propagation can further reduce the extent of the change impact cover. In addition to types, it also takes into account the nature of the propagating changes as well as the current values captured in each requirement. Notice that HW1 has not to be changed, although <emphasis role="monofont">FA2</emphasis> has been mapped to it. The reason is that although it got newly connected to a (newly) high-SIL function, it already has the highest SIL level. Thus, during marking, propagation can safely stop here. <link linkend="F7-7">Figure <xref linkend="F7-7" remap="7.7"/></link> demonstrates the relationship between the change impact cover extents and the resolution of propagation.</para>
<fig id="F7-7" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F7-7">Figure <xref linkend="F7-7" remap="7.7"/></link></label>
<caption><para>Propagation resolution and computed change impact cover extent.</para></caption>
<graphic xlink:href="graphics/ch07_fig007new.jpg"/>
</fig>
<para>Independently of the category, we have to note that propagation does not necessarily happen only &#x0201C;forward&#x0201D; or &#x0201C;downstream&#x0201D;. The change of a requirement may impact its parent (containment-wise), not just its children; and it may impact the sources of its incoming traceability links, not just the targets of its outgoing ones. Tooling supports the user to configure the directionality of propagation; this is a largely orthogonal concern to the propagation resolution. For the sake of simplicity, in the following, we focus on the forward direction unless otherwise noted.</para>
</section>
</section>
<section class="lev1" id="sec7-5" label="7.5" xreflabel="7.5">
<title>Abstraction Levels of Impact Propagation</title>
<para>We have argued informally that there are three major categories of change impact propagation from resolution. In this section, we describe and compare these categories using a simple example.</para>
<para>Let us consider the rich requirement structure in <link linkend="F7-8">Figure <xref linkend="F7-8" remap="7.8"/></link>. In addition to an SIL attribute, our requirements can have a priority attribute, too. In the context of this example, priority expresses the importance of overall operational efficiency with the levels <emphasis role="monofont">HIGH, MEDIUM</emphasis> and <emphasis role="monofont">LOW.</emphasis> It aggregates some concepts, including maintainability, time to repair and cost of operation. This priority concept is largely independent of SIL, and while the safety level is an absolute requirement, priorities are subject to business considerations and not critical to meet.</para>
<fig id="F7-8" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F7-8">Figure <xref linkend="F7-8" remap="7.8"/></link></label>
<caption><para>Example rich requirement structure for propagation categorization.</para></caption>
<graphic xlink:href="graphics/ch07_fig008new.jpg"/>
</fig>
<para>The example requirement model uses</para><itemizedlist mark="bullet" spacing="normal">
<listitem>
<para>containment (parent relationship, denoted by P),</para></listitem>
<listitem>
<para>SIL-mapping traceability links (denoted by S) and</para></listitem>
<listitem>
<para>SIL and priority level attributes for the requirements.</para></listitem></itemizedlist>
<para>For the purposes our example, we assume that the following consistency rules are applied during requirement management.</para><itemizedlist mark="bullet" spacing="normal">
<listitem>
<para><emphasis role="strong">Rule 1</emphasis>. Any requirement that has an incoming &#x0201C;safety mapping&#x0201D; (S) traceability link has an SIL attribute, and its value is the maximum of the SIL values at the source requirements. For codification, the requirement engineer should be able to derive this rule from the process definition and the safety standards that have to be applied.</para></listitem>
<listitem>
<para><emphasis role="strong">Rule 2</emphasis>. A prioritized requirement must have only prioritized descendants. This value can be only less or equal than that of the parent. For codification, the requirement engineer should be able to formulate this rule as a locally used and observed rule.</para></listitem></itemizedlist>
<para>Let us emphasize that these rules are for demonstration purposes. SIL value constraints along traceability links can be much more complicated in the general case. The handling of priorities also represents only one possible choice; among others, even its exact reverse may be justified in a specific project. Our modeling approach and the subsequently introduced solution method can support almost arbitrary rules. We also handle the potential non-determinism of the rules.</para>
<para>The change we will be concerned with is modifying the priority of <emphasis role="monofont">REQ3</emphasis> from <emphasis role="monofont">HIGH</emphasis> to <emphasis role="monofont">MEDIUM</emphasis>. <link linkend="F7-9">Figure <xref linkend="F7-9" remap="7.9"/></link> demonstrates propagation for the three categories.</para>
<fig id="F7-9" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F7-9">Figure <xref linkend="F7-9" remap="7.9"/></link></label>
<caption><para>Change impact propagation categories.</para></caption>
<graphic xlink:href="graphics/ch07_fig009new.jpg"/>
</fig>
<section class="lev2" id="sec7-5-1" label="7.5.1" xreflabel="7.5.1">
<title>Topology-Based Propagation</title>
<para>We can propagate the change along the outgoing dependencies (containment and traceability links) of the requirement, marking requirements transitively as <emphasis>SUSPICIOUS</emphasis>. This approach is commonly referred to as <emphasis>topology-based</emphasis> change propagation. In addition to attribute changes, the creation of new dependencies as well as deletion of existing ones (through deleting the source/target requirement or otherwise) is seamlessly supported.</para>
</section>
<section class="lev2" id="sec7-5-2" label="7.5.2" xreflabel="7.5.2">
<title>Type-Based Propagation</title>
<para>The next level is <emphasis>type-based</emphasis> propagation. Dependencies have types, as well as the attribute of the originally changed requirement that is changed. We can filter propagation for dependency type as well as changed attribute type. We reflect the changes that are allowed to propagate into the first-level dependents by marking the dependents or some of their own attributes as <emphasis>SUSPICIOUS</emphasis>. We can then perform propagation from this first level transitively by propagating the requirement or attribute <emphasis>SUSPICIOUS</emphasis> marking using the same configurable filtering and configurable attribute marking mapping mechanism. In the context of the example of <link linkend="F7-8">Figure <xref linkend="F7-8" remap="7.8"/></link>: for priority changes, we propagate the <emphasis>SUSPICIOUS</emphasis> marking only along the descendants of the changed requirement. Priority attribute markings are mapped into priority attribute markings, as there is no logical dependency between the two attributes in this case. Note that in addition to the orthogonal analysis of attributes, this as well as the next category supports conjoint analysis &#x02013; we can express when the change of an attribute propagates to another.</para>
<para>Dependency changes are handled similarly to topology-based propagation.</para>
</section>
<section class="lev2" id="sec7-5-3" label="7.5.3" xreflabel="7.5.3">
<title>Value-Based Propagation</title>
<para>Type-based propagation is a powerful tool for controlling the extent of change propagation in specifications that have a dense dependency structure; however, it still does not take into account the <emphasis>kind</emphasis> of the change in the value domain. Change can be described either qualitatively or in specific terms; a qualitative description for priorities would be e.g. declaring its <emphasis>increase</emphasis> or <emphasis>decrease</emphasis>, while the specific description is either the new value or the old-new value pair. We establish the category of <emphasis>value-based</emphasis> change impact propagation with these two subcategories.</para>
<para>In the qualitative case, observe that if Rule 2 is known, it means that the priority <emphasis>increase</emphasis> change of a parent does not <emphasis>need</emphasis> <emphasis>SUSPICIOUS</emphasis>-marking on the children. However, when it <emphasis>decreases</emphasis>, priorities in the children <emphasis>may</emphasis> have to be revisited. We can say even more: when the priority at the next level is <emphasis role="monofont">HIGH</emphasis>, we are certain that changes are necessary; conversely when it&#x02019;s <emphasis role="monofont">LOW</emphasis>, we are certain that propagation stops here. A somewhat similar qualitative logic exists for the SIL mapping in our case; at level 4, any increase upstream will not have any impact, while a decrease may require requirement reconsideration.</para>
<para>The downside is that the rule set that is to be used has to be defined; however, with predefined templates, this promises to be a manageable overhead.</para>
<para>The next logical step is to consider propagating the specific change and computing the specific local changes that may be necessary to be made. We call this approach <emphasis>specific value based change propagation</emphasis>. On paper, this idea seems not too far-fetched (see the example in <link linkend="F7-9">Figure <xref linkend="F7-9" remap="7.9"/></link>). However, it requires formulating explicit, value-specific consistency rules. More specifically, propagation needs value <emphasis>change</emphasis> consistency rules that connect allowed changes in localized requirement contexts (in the simplest, the allowed attribute co-changes at the two ends of a typed link). However, it is easy to see that the most of such change consistency rules can be transformed into value-specific specification consistency rules and vice versa. In this last case, the line between propagation and marking processing becomes very blurred, as essentially specific change candidates are computed as a marking during propagation.</para>
<para>We treat this last category as a theoretically interesting option; however, it is one that has little immediate value to the practice in an industry that doesn&#x02019;t even use type-based change propagation in a widespread way yet.</para>
<para>We have conducted an analysis of a sample of the best-of-breed requirement management solutions, to determine the extent and sophistication to which they support assessing the propagation of requirement change impacts. Topology-based propagation seems becoming available. Type-based propagation is still a novel feature, available, e.g., in Rational DOORS Next Generation. Value based propagation (qualitative or otherwise) is practically non-existent yet.</para>
</section>
</section>
<section class="lev1" id="sec7-6" label="7.6" xreflabel="7.6">
<title>Resolution Modeling with CSP</title>
<para>To establish a common, computable framework for the first three categories above, we define them declaratively as finite-domain Constraint Satisfaction Problems (CSPs) [<link linkend="ch07bib9">9</link>]. The motivation is that many sensitivity analysis tasks in error propagation assessment and test generation are known to be definable and also solvable this way &#x02013; and tracking the propagating effect of requirement changes is very similar to tracking the potential effects of faults in a system.</para>
<para>In CSPs, a finite set of variables, each with a nonempty domain, is subjected to a set of constraints. Each constraint is a relation that specifies the permissible value combinations for a subset of the variables; a solution of the CSP is such a value-assignment of the variables that satisfies each constraint. An important category of such problems is finite-domain CSP, or csp(FD); in this case, the variables are discrete and have finite domains. This way, csp(FD) expresses combinatorial search style problems.</para>
<para>The power of csp(FD) is that it can be used to declaratively specify a problem and letting one of the mature, optimized and very sophisticated existing tools to look for a solution (or enumerate all solutions). Tools widely recognize a standard set of composable &#x0201C;simple&#x0201D; constraints (linear arithmetic equalities and inequalities, Boolean arithmetic, etc. over the declared variables) and so-called global constraints, too. The latter involve a potentially large number of variables and need specific algorithmic optimization (for an exhaustive list, see the Global Constraint Catalog [<link linkend="ch07bib10">10</link>]). Constraint problems have a widely recognized standard representational language in the form of XCSP3 [<link linkend="ch07bib11">11</link>].</para>
<para>Change impact propagation problems can be easily represented as a CSP. We declare the marking of each requirement, attribute and dependency (containment and traceability links) as a variable; define the possible marking value set for each; describe propagation as constraints and lastly introduce the constraints for the performed changes. <link linkend="T7-1">Table <xref linkend="T7-1" remap="7.1"/></link> gives an outline of this process.</para>
<table-wrap position="float" id="T7-1">
<label><link linkend="T7-1">Table <xref linkend="T7-1" remap="7.1"/></link></label>
<caption><para>Comparison of change impact propagation categories</para></caption>
<table cellspacing="5" cellpadding="5" frame="hsides" rules="groups">
<thead>
<tr>
<td valign="bottom" align="left"></td>
<td valign="bottom" align="left"></td>
<td valign="bottom" align="center" colspan="2">Constraints for the Dependencies<emphasis role="cline"/></td>
<td valign="bottom" align="left"></td></tr>
<tr>
<td valign="bottom" align="left">Cat</td>
<td valign="bottom" align="left">Requirement/<?lb?>Dependency Marking Literals</td>
<td valign="bottom" align="left">If Dependency <emphasis>d</emphasis> with Type <emphasis>t</emphasis> is &#x02026;</td>
<td valign="bottom" align="left">&#x02026;then</td>
<td valign="bottom" align="left">Further Constraints</td>
</tr>
</thead>
<tbody>
<tr>
<td valign="top" align="left">1.</td>
<td valign="top" align="left">Reqs:<?lb?><emphasis>CHANGED,<?lb?>SUSPICIOUS,<?lb?>INTACT</emphasis></td>
<td valign="top" align="left">Not <emphasis>DELETED</emphasis><?lb?>or <emphasis>ADDED</emphasis></td>
<td valign="top" align="left">Target of <emphasis>d</emphasis> not <emphasis>INTACT</emphasis></td>
<td valign="top" align="left">Only the actual changes can be <emphasis>CHANGED, DELETED, ADDED</emphasis></td>
</tr>
<tr>
<td valign="top" align="left"></td>
<td valign="top" align="left">Attributes: N/A</td>
<td valign="top" align="left">the source of <emphasis>d</emphasis> is not <emphasis>INTACT</emphasis></td>
<td valign="top" align="left"><emphasis>d</emphasis> is <?lb?><emphasis>SUSPICION_<?lb?>LINK</emphasis></td>
<td valign="top" align="left">Maximize the number of <emphasis>INTACT</emphasis> markings</td>
</tr>
<tr>
<td valign="top" align="left"></td>
<td valign="top" align="left">Dependencies: <emphasis>DELETED, ADDED, SUSPICION_LINK, INTACT</emphasis></td>
<td valign="top" align="left">Not <emphasis>INTACT</emphasis></td>
<td valign="top" align="left">Target of <emphasis>d</emphasis> is not <emphasis>INTACT</emphasis></td>
<td valign="top" align="left"></td>
</tr>
<tr>
<td colspan="5"><emphasis role="cline"/></td>
</tr>
<tr>
<td valign="top" align="left">2.</td>
<td valign="top" align="left">Reqs: N/A</td>
<td valign="top" align="left">not <emphasis>DELETED</emphasis> or <emphasis>ADDED</emphasis></td>
<td valign="top" align="left">Attributes declared as <emphasis>a</emphasis>-propagation target for <emphasis>t</emphasis> at the target of <emphasis>d</emphasis> not <emphasis>INTACT</emphasis></td>
<td valign="top" align="left">Only the actual changes can be <emphasis>CHANGED, DELETED, ADDED</emphasis></td>
</tr>
<tr>
<td valign="top" align="left"></td>
<td valign="top" align="left">Attributes:<?lb?><emphasis>CHANGED,<?lb?>INTACT,<?lb?>SUSPICIOUS</emphasis></td>
<td valign="top" align="left">attribute <emphasis>a</emphasis> at the source not <emphasis>INTACT</emphasis></td>
<td valign="top" align="left"><emphasis>d</emphasis> is<?lb?><emphasis>SUSPICION_<?lb?>LINK</emphasis></td>
<td valign="top" align="left">Maximize the number of <emphasis>INTACT</emphasis> markings</td>
</tr>
<tr>
<td valign="top" align="left"></td>
<td valign="top" align="left">Dependencies: <emphasis>DELETED, ADDED, SUSPICION_LINK,</emphasis></td>
<td valign="top" align="left"><emphasis>a</emphasis> declared propagation source for <emphasis>t</emphasis></td>
</tr>
<tr>
<td valign="top" align="left"></td>
<td valign="top" align="left"><emphasis>INTACT</emphasis></td>
<td valign="top" align="left"><emphasis>DELETED</emphasis> or <emphasis>ADDED</emphasis></td>
<td valign="top" align="left">Attributes at the target declared for <emphasis>t</emphasis> creation or deletion propagation not <emphasis>INTACT</emphasis></td>
<td valign="top" align="left"></td>
</tr>
<tr>
<td colspan="5"><emphasis role="cline"/></td>
</tr>
<tr>
<td valign="top" align="left">3a.</td>
<td valign="top" align="left">Reqs: N/A</td>
<td valign="top" align="left" colspan="2">Rule set that for each dependency type <emphasis>t</emphasis>, encodes the relation expressing the together permissible (or ruled out)</td>
<td valign="top" align="left">Only the actual changes can be <emphasis>CHANGED,<?lb?>DELETED,<?lb?>ADDED</emphasis></td>
</tr>
<tr>
<td valign="top" align="left"></td>
<td valign="top" align="left">For each attribute: <emphasis>NOCHANGE,<?lb?>SUSPICIOUS_CHTYPE1, SUSPICIOUS_ CHTYPE2, &#x02026;</emphasis></td>
<td valign="top" align="left"><itemizedlist mark="bullet" spacing="normal"><listitem><para>source-side attribute marking values,</para></listitem> <listitem><para>target-side attribute marking values,</para></listitem> <listitem><para>dependency markings.</para></listitem></itemizedlist></td>
</tr>
<tr>
<td valign="top" align="left"></td>
<td valign="top" align="left">Dependencies: <emphasis>DELETED, ADDED, SUSPICION_LINK, INTACT</emphasis></td>
<td valign="top" align="left">Rules allowed also to incorporate current attribute values.</td>
<td valign="top" align="left"></td>
</tr>
</tbody>
</table>
</table-wrap>
<para>A few things have to be noted on this framework. For topology- and type-based propagation, the table describes only rules for forward propagation; however, backward propagation rules can be introduced similarly. Notice that type-based propagation introduces attribute marking and discards requirement marking; the latter can be incorporated (with some complexity increase) or emulated by declaring all attributes suspicious.</para>
<para>For qualitative value-based propagation, due to the variability of the rules (that is the intended goal), we can&#x02019;t characterize propagation rules in the same manner. Still, all practically important propagation intentions can be formulated using standard CSP expressions. For instance, propagation of priority increase suspicion for requirement <emphasis role="monofont">R1</emphasis> and <emphasis role="monofont">R2</emphasis> interconnected through a link type <emphasis role="monofont">t</emphasis> can be expressed e.g. as <emphasis role="monofont">t_connected (<emphasis role="strong">R1_p_marking, R2_p_marking</emphasis>) AND <emphasis role="strong">R1_p_marking</emphasis>== <emphasis>SUSPICIOUS_INCREASE</emphasis> AND <emphasis role="strong">R2_p_current</emphasis>&#x0003C; <emphasis>HIGH</emphasis> &#x02192; <emphasis role="strong">R2_p_marking</emphasis> == <emphasis>SUS PICIOUS_INCREASE</emphasis></emphasis>. <footnote id="fn7_3" label="3"> <para>Variables are typeset bold, value-literals are typeset italic and <emphasis role="monofont">t_connected</emphasis> is a constraint that we defined based on the specification.</para></footnote> That said, our ongoing work addresses creating a domain-specific language that simplifies the creation of the sets of rules.</para>
</section>
<section class="lev1" id="sec7-7" label="7.7" xreflabel="7.7">
<title>Conclusions</title>
<para>The OMG Requirements Interchange Format (ReqIF) assures interoperability between cooperating partners. This standard is a natural candidate to information exchange between designer and independent software/system verification and validation (ISVV).</para>
<para>Using ReqIF facilitates (which is occasionally only the question of asking the developers using top-end requirement design tools for providing the native ReqIF model in addition to the derived documentation not containing the model) an immediate entry to the benefits of lightweight formal models.</para>
<para>At the same time, OMG ReqIF provides a well-regulated set of rules for the developer-ISVV interoperation and the communication of the assessment results.</para>
<para>Traceability is a priority concept in ReqIF. The option of defining the structure the document, introducing types and well-formedness constraints are all major means to introduce the main concepts of domain-specific MBSE.</para>
<para>Similarly to development, where advanced tools can generate traditional office-like documentation out of their internal ReqIFmodels, ISVV can highly benefit from using RequIF as the core model for communicating ISVV results.</para>
<para>Ontologies provide an easy way to overcome the limitations of ReqIF regarding conceptual modeling. Ontology-based metamodel design is a modern model development paradigm, as its standardized language and development tools implement all the main concepts of complexity management, like the composition of complex ontologies out of simpler ones, hierarchical modeling and aspect weaving. At the same time, their well-defined semantics allows using reasoners.</para>
<para>The simple mathematical background of ontologies, set theory results in a low entry threshold related to skills. The built-in logic reasoners can check the contradiction freedom of a requirement set (by a satisfiability test), and its well-formedness (by a subsumption check), thus deliberating the ISVV of tedious manual checks.</para>
<para>Ontologies are highly standardized. Model formats assure interoperability; moreover, standard transformations exist to the world of metamodeling. As ontologies provide an abstract representation of knowledge, automated export and import tools exist between ontologies and knowledge storage tools like structured semi-formal representations (Excel), relational, object-oriented and graph databases.</para>
<para>Classically, requirement changes involve a significant effort and quality cost, especially if the tooling provides no proper guidance for the reassessment. Intelligent change impact analysis helps properly focusing the assessment after a change by evaluating the propagating effects of the introduced changes. In a properly structured requirement specification with a rich traceability structure, algorithmic analysis can significantly reduce the extent of the change impact propagation cover that analysts have to check.</para>
</section>
<section class="lev1" id="sec7-8">
<title>References</title>
<orderedlist numeration="arabic" continuation="restarts" spacing="normal">
<listitem>
<para><anchor id="ch07bib1"/>Object Management Group. (2017). <emphasis>Requirement Interchange Format (ReqIF)</emphasis>. Available at: <ulink url="http://www.omg.org/spec/ReqIF/">http://www.omg.org/spec/ReqIF/</ulink> (accessed on 1 March 2017).</para></listitem>
<listitem>
<para><anchor id="ch07bib2"/><emphasis>Requirements Management for Eclipse</emphasis>. Available at: https://eclipse.org/ rmf/ (accessed on 1 March 2017).</para></listitem>
<listitem>
<para><anchor id="ch07bib3"/>Eclipse. (2017). <emphasis>ProR Requirements Engineering Platform</emphasis>. Available at: <ulink url="http://www.eclipse.org/rmf/pror/">http://www.eclipse.org/rmf/pror/</ulink> (accessed on 1 March 2017).</para></listitem>
<listitem>
<para><anchor id="ch07bib4"/>Knublauch, H. (2004). &#x0201C;Ontology-driven software development in the context of the semantic web: An example scenario with Protege/OWL,&#x0201D; in <emphasis>1st International Workshop on the Model-Driven Semantic Web (MDSW2004)</emphasis> (New York, NY: IEEE), pp. 381&#x02013;401. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Knublauch%2C+H%2E+%282004%29%2E+%22Ontology-driven+software+development+in+the+context+of+the+semantic+web%3A+An+example+scenario+with+Protege%2FOWL%2C%22+in+1st+International+Workshop+on+the+Model-Driven+Semantic+Web+%28MDSW2004%29+%28New+York%2C+NY%3A+IEEE%29%2C+pp%2E+381-401%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch07bib5"/>W3C. (2009). <emphasis>W3C: OWL 2 Web Ontology Language Document Overview</emphasis>. Available at: https://www.w3.org/2009/pdf/REC-owl2-over view-20091027.pdf (accessed on 1 March 2017).</para></listitem>
<listitem>
<para><anchor id="ch07bib6"/>ISO. (2007). <emphasis>ISO/IEC 24707:2007: Information technology &#x02013; Common Logic (CL): a framework for a family of logic-based languages</emphasis>. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=ISO%2E+%282007%29%2E+ISO%2FIEC+24707%3A2007%3A+Information+technology+-+Common+Logic+%28CL%29%3A+a+framework+for+a+family+of+logic-based+languages%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch07bib7"/>Pataricza, A., G&#x000F6;nczy, L., K&#x000F6;vi, A., and Szatm&#x000E1;ri Z. (2011). &#x0201C;A Methodology for Stand-ards-Driven Metamodel Fusion,&#x0201D; in <emphasis>Model and Data Engineering: First International Conference, MEDI 2011</emphasis> (Berlin: Springer), 270&#x02013;277, &#x000D3;bidos, Portugal, September 28&#x02013;30, 2011. Eds L. Bel-latreche and F. Mota Pinto. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Pataricza%2C+A%2E%2C+G%F6nczy%2C+L%2E%2C+K%F6vi%2C+A%2E%2C+and+Szatm%E1ri+Z%2E+%282011%29%2E+%22A+Methodology+for+Stand-ards-Driven+Metamodel+Fusion%2C%22+in+Model+and+Data+Engineering%3A+First+International+Conference%2C+MEDI+2011+%28Berlin%3A+Springer%29%2C+270-277%2C+%D3bidos%2C+Portugal%2C+September+28-30%2C+2011%2E+Eds+L%2E+Bel-latreche+and+F%2E+Mota+Pinto%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch07bib8"/>Tarnai, G., and S&#x000E1;ghi, B. (2006). &#x0201C;Hazard and Risk Analysis of Human-Machine Interfaces of Railway Interlocking Systems,&#x0201D; in <emphasis>7th World Congress on Railway Research</emphasis>, Montr[x00E9;]al, Canada, 4&#x02013;8 June. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Tarnai%2C+G%2E%2C+and+S%E1ghi%2C+B%2E+%282006%29%2E+%22Hazard+and+Risk+Analysis+of+Human-Machine+Interfaces+of+Railway+Interlocking+Systems%2C%22+in+7th+World+Congress+on+Railway+Research%2C+Montr%5Bx00E9%3B%5Dal%2C+Canada%2C+4-8+June%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch07bib9"/>Brailsford, S. C., Potts, C. N., and Smith, B. M. (1999). Constraint satisfaction problems: algorithms and applications. <emphasis>Eur. J. Operat. Res</emphasis>. 119.3, 557&#x02013;581. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Brailsford%2C+S%2E+C%2E%2C+Potts%2C+C%2E+N%2E%2C+and+Smith%2C+B%2E+M%2E+%281999%29%2E+Constraint+satisfaction+problems%3A+algorithms+and+applications%2E+Eur%2E+J%2E+Operat%2E+Res%2E+119%2E3%2C+557-581%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch07bib10"/>Beldiceanu, N., Carlsson, M., and Rampon, J.-X. (2012). &#x0201C;<emphasis>Global Constraint Catalog, (revision a)</emphasis>.&#x0201D; Available at: <ulink url="http://www.diva-portal.org/smash/record.jsf?pid=diva2:1043063">http://www.diva-portal.org/smash/record.jsf?pid=diva2:1043063</ulink> (accessed on 1 March 2017). <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Beldiceanu%2C+N%2E%2C+Carlsson%2C+M%2E%2C+and+Rampon%2C+J%2E-X%2E+%282012%29%2E+%22Global+Constraint+Catalog%2C+%28revision+a%29%2E%22+Available+at%3A+http%3A%2F%2Fwww%2Ediva-portal%2Eorg%2Fsmash%2Frecord%2Ejsf%B4pid%3Ddiva2%3A1043063+%28accessed+on+1+March+2017%29%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch07bib11"/>Fr&#x000E9;[x00E9;]d&#x000E9;[x00E9;]ric, B., Lecoutre, C., and Piette, C. (2016). &#x0201C;<emphasis>XCSP3 Specifications &#x02013; Version 3.0</emphasis>.&#x0201D; Available at: <ulink url="http://www.xcsp.org">http://www.xcsp.org</ulink> (accessed on 1 March 2017).</para></listitem>
<listitem>
<para><anchor id="ch07bib12"/>RODIN. (2017). <emphasis>Rigorous Open Development Environment for Complex Systems</emphasis>. Available at: <ulink url="http://rodin.cs.ncl.ac.uk/">http://rodin.cs.ncl.ac.uk/</ulink> (accessed on 1 March 2017)</para></listitem>
<listitem>
<para><anchor id="ch07bib13"/>Object Management Group. (2017). <emphasis>Ontology Definition Metamodel (ODM)</emphasis>. Available at: <ulink url="http://www.omg.org/spec/ODM/">http://www.omg.org/spec/ODM/</ulink> (accessed on 1 March 2017).</para></listitem>
<listitem>
<para><anchor id="ch07bib14"/>Government of the United Kingdom, Department of Transport. (2017). <emphasis>Rail Accidents and Safety Statistics Tables</emphasis>. Available at: https://www.gov.uk/government/statistical-data-sets/rai05-rail-accidents-and-safety (accessed on 1 March 2017).</para></listitem></orderedlist>
</section>
</chapter>
<chapter class="chapter" id="ch08" label="8" xreflabel="8">
<title>STECA &#x02013; Security Threats, Effects and Criticality Analysis: Definition and Application to Smart Grids</title>
<para role="author"><emphasis role="strong">Mario Rui Baptista<superscript>1</superscript>, Nuno Silva<superscript>1</superscript>, Nicola Nostro<superscript>2</superscript>, TommasoZoppi<superscript>3,4</superscript> and Andrea Ceccarelli<superscript>3,4</superscript></emphasis></para>
<para><superscript>1</superscript>CRITICAL Software S.A., Coimbra, Portugal</para>
<para><superscript>2</superscript>Resiltech s.r.l., Pontedera (PI), Italy</para>
<para><superscript>3</superscript>Department of Mathematics and Informatics, University of Florence, Florence, Italy</para>
<para><superscript>4</superscript>CINI-Consorzio Interuniversitario Nazionale per l&#x02019;Informatica-University of Florence, Florence, Italy</para>
<section class="lev1" id="sec8-1" label="8.1" xreflabel="8.1">
<title>Introduction</title>
<para>The reliability of electrical power systems, since their first use, has been addressed focusing on ensuring the continuous power supply and on the management of critical situations in order to avoid electrical disruption due to potential failures. In the last decade, we are witnessing the increasing development of Smart Grids, with &#x20AC;3.15 billion investment in Smart Grids projects amongst the EU-28 Member States only in the period 2002&#x02013;2014 [<link linkend="ch08bib1">1</link>]. Smart Grids enhance the classical electrical systems by introducing optimization of grid management, both from transmission and quick reaction to power disruption through real-time and automated technologies; deploying and integrating of large-scale renewable energy systems; reducing management and power costs, for final users; and introducing and integrating of smart appliances and consumer devices. While these new aspects make the electrical systems effective, they become more and more interconnected thus making them vulnerable to cyber and physical attacks [<link linkend="ch08bib2">2</link>&#x02013;<link linkend="ch08bib4">4</link>]. Indeed, it is possible to remotely perform changes (e.g., to instructions, commands and configurations), disabling actions, shut down or in general interfere with the proper functioning of the system, thus causing in the worst case significant damages and safety issues [<link linkend="ch08bib3">3</link>, <link linkend="ch08bib5">5</link>].</para>
<para>In the Smart Grid domain, security threats can be originated by several agents: consumers, insiders, and terrorists [<link linkend="ch08bib3">3</link>]. Customers could be interested in falsifying smart meters data in order to steal electrical power. Similarly to attacks performed to broadband modems, customers may try to attempts attacks to smart meters aiming at modifying the firmware controlling the reporting operation, thus decreasing the usage of electricity [<link linkend="ch08bib3">3</link>]. Terrorist attacks to smart grids may lead to unprecedented black-outs, from the point of view of spatial and time extension [<link linkend="ch08bib4">4</link>]. This calls for a fundamental attention to the identification and management of potential security threats.</para>
<para>This chapter proposes the STECA (STECA &#x02013; Security Threats, Effects and Criticality Analysis) approach to perform security assessment of Smart Grids. The hereby proposed process describes a way in which to identify vulnerabilities, their related threats, and proposes a risk assessment approach and a path to identify appropriate countermeasures. This process is based on the same principles used for the Failure Mode and Effect Analysis (FMEA)/FMECA process, which is a technique widely used for safety critical analysis and is highly regarded by the majority of international standards [<link linkend="ch08bib6">6</link>]. STECA starts from a vulnerability point of view and moves on towards threat analysis and criticality assessment. Following the guidelines defined in [<link linkend="ch08bib7">7</link>], the approach is instantiated on a Smart Grid use case, resulting in a set of precise guidelines and a systematic way to perform security assessment including vulnerability evaluation and attack impact analysis.</para>
</section>
<section class="lev1" id="sec8-2" label="8.2" xreflabel="8.2">
<title>Motivation</title>
<section class="lev2" id="sec8-2-1" label="8.2.1" xreflabel="8.2.1">
<title>Motivating Concerns in Industry</title>
<para>A fundamental aspect that has to be considered in the implementation of Smart Grids and that is currently under the stakeholders&#x02019; spotlight is related to the security issues yet to unveil in the overall Smart Grid or at the connected devices [<link linkend="ch08bib3">3</link>, <link linkend="ch08bib8">8</link>], and the consequent impact on safety. Among the impact situations of a service disruption due to a cyber or physical attack, <emphasis>property/financial damage</emphasis> and <emphasis>human life hazard</emphasis> should be kept in closer consideration, as the time for recovering is currently unpredictable.</para>
<para>Previous works on Smart Meters qualification revealed potential security weakness and exposed some of the equipment vulnerabilities [<link linkend="ch08bib3">3</link>]. This can present a great risk for the future implementation of Smart Grids. It is also true that, due to the ground-breaking character of this technology and the quantity of interfaces that are made available, the <emphasis>security requirements</emphasis> <emphasis>of the components that will operate in the grid and the grid system itself are not yet sufficiently accurate</emphasis> (either they are not studied or implemented/tested, not analysed or imposed yet at a larger scale). This is also strengthened if we consider these systems general exposure in terms of pervasive interfaces.</para>
<para>In fact, in an informal <emphasis>industrial security assessment of Smart Grid</emphasis> components, the company CRITICAL Software identified security problems that are usually disregarded by traditional assessment approaches if performed without a proper process or tools. Examples of these problems included: (i) denial of service possibility, (ii) proscribed access to equipment; (iii) physical security deficiencies; (iv) unintended access to systems parameters that should be read-only; and (v) communication protocol implementation and specification weakness. The experience of CRITICAL Software&#x02019;s industrial assessment projects ended up providing most of the incentive for the development of the STECA process due to the gaps found. First, CRITICAL Software was providing a security assessment to substantiate a test framework being developed at the time. Security issues were observed in the assessed Smart Grid components, both on requirement analysis and actual component functional tests, despite the work was focused only on a limited part of the target Smart Grid equipment. In yet another case only the communications protocols were under test on a preliminary stage. For instance, it was identified that it is possible without much trouble to generate conditions that force the interruption of energy supply to a user on the grid. Either by simulating excessive energy demand or by tampering with billing contract parameters, it is also possible to provoke a Denial of Service. This form of service disruption by hacking the metering equipment is a commonly acknowledged threat, but the impact is largely underestimated. Several other ways of generating conditions that will switch off the Load Control Switch can also be identified. It was also clear from the functional testing that the meter&#x02019;s communication ports could easily be disabled by setting its timeout parameter to zero, rendering the equipment incommunicable and thus impossible to be reconfigured remotely.</para>
<para>Though this experience identified serious security impact scenarios that justified the need of security assessment, the support available today to security assessment is limited. There is no history on the components usage and thus no clear way to understand the attack trends or attacker profiles, the attacker objectives and the effects of the attacks. It is extremely difficult to rate the likelihood of a threat, on which to perform a risk or hazard assessment. Summarizing, there are no real data to work on, which obstacles the possibility to create a solid base to build a security assessment upon. Also, as there is no relevant history of these analyses, it is impossible to even start by using previous knowledge, checklists, pre-defined lists, etc.</para>
<para>One should also consider the constant struggle that resides in identifying the vulnerabilities and security threats. On a system of this sort the number and diversity of security threats could be huge. An undertaking of this magnitude should inevitably find trouble when aiming to achieve completeness: to claim that all vulnerabilities have been identified and all security threats analysed will prove to be a nearly impossible task. Even an expert experience based approach to identify a procedure to tackle this problem is not a straightforward exercise.</para>
</section>
<section class="lev2" id="sec8-2-2" label="8.2.2" xreflabel="8.2.2">
<title>State of the Art and Background</title>
<para>Standards such as [<link linkend="ch08bib9">9</link>&#x02013;<link linkend="ch08bib11">11</link>] propose general, high level methodologies to guide the security assessment of systems. However, standards typically present the main steps but they do not describe the techniques that can be exploited to realize these steps. This calls for solutions that, still maintaining compatibility with the standards, are able to provide an adequate support to the security engineers. Additionally, several challenges are still open, such as verifying the completeness of an analysis or compute likelihood and impact of a given threat.</para>
<para>Several works target techniques for security assessment, also considering interdependencies between security and safety. The work presented in [<link linkend="ch08bib12">12</link>] proposes an extension of the FMEA safety analysis technique, aiming to analyse likelihood and impact of cyber-attacks to embedded multicore systems in the automotive industry. Another contribution, still related to the automotive domain [<link linkend="ch08bib13">13</link>] aims at proposing a novel approach to deal with both safety hazard and security threat analysis combining the Hazard Analysis and Risk Assessment with the security STRIDE approach for the automotive battery management [<link linkend="ch08bib14">14</link>] proposes a framework for quantitative security analysis used to identify potential attack points and paths, thus to recognize those that are feasible from the perspective of an attacker and finally proposing meaningful countermeasures to the system. In [<link linkend="ch08bib7">7</link>] the authors propose a general methodology to understand issues&#x02019; criticality and the difficulties in finding a proper solution able to deal with interdependencies between safety and security. To this purpose, in their work a general security threats library has been developed, which can be updated over the time and has been mapped to the NIST security controls [<link linkend="ch08bib8">8</link>]. Other contributions evaluating the effects of security breaches exploits exist as the work in [<link linkend="ch08bib15">15</link>], which states a comprehensive and practical framework for electric smart grid cyber-attack impact analysis using graph-theoretic dynamical systems paradigm.</para>
<para>The STECA process presented in this chapter is specifically focused on Smart Grids. It naturally includes the objective of detecting potential security threats and providing efficient mitigations, and it translates the concept of FMEA to a <emphasis>vulnerability-oriented</emphasis> security assessment where reference categories are extracted from supporting <emphasis>threat libraries</emphasis>. Additionally, it guarantees compatibility with main standards [<link linkend="ch08bib9">9</link>&#x02013;<link linkend="ch08bib11">11</link>]: in fact, the reference data to build the threat libraries are extracted from the standard [<link linkend="ch08bib10">10</link>], and it is easy to define a correspondence between the main steps of the STECA process and the steps of methodologies in [<link linkend="ch08bib9">9</link>, <link linkend="ch08bib11">11</link>].</para>
</section>
</section>
<section class="lev1" id="sec8-3" label="8.3" xreflabel="8.3">
<title>STECA Process Description</title>
<para>This section presents a detailed description of the STECA process, along with a running example to illustrate the application of the process to an actual industry problem related to the main theme of this publication.</para>
<section class="lev2" id="sec8-3-1" label="8.3.1" xreflabel="8.3.1">
<title>The High Level STECA</title>
<para>The hereby proposed process (<link linkend="F8-1">Figure <xref linkend="F8-1" remap="8.1"/></link>) describes a way to identify vulnerabilities, their related threats, proposing both a risk assessment approach and a path to identify appropriate countermeasures. Four high-level steps are identified.</para>
<fig id="F8-1" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F8-1">Figure <xref linkend="F8-1" remap="8.1"/></link></label>
<caption><para>High level view of the STEC process.</para></caption>
<graphic xlink:href="graphics/ch08_fig001.jpg"/>
</fig>
<para>This process is based on the same principles used for the <emphasis>FMEA/FMECA</emphasis> process [<link linkend="ch08bib12">12</link>] which is widely used for safety critical analysis, and is highly regarded by the majority of international standards. Subsequently, the high level steps depicted in <link linkend="F8-1">Figure <xref linkend="F8-1" remap="8.1"/></link> will be described in closer detail.</para>
</section>
<section class="lev2" id="sec8-3-2" label="8.3.2" xreflabel="8.3.2">
<title>STECA Inputs</title>
<para>In order to efficiently apply the process several inputs are required and need to be collected. The input set includes, but is not limited to:</para>
<orderedlist numeration="arabic" continuation="restarts" spacing="normal">
<listitem>
<para><emphasis>The Architecture Diagrams</emphasis>. These, along with the Functional Analysis, will be used to identify the system&#x02019;s vulnerabilities.</para></listitem>
<listitem>
<para><emphasis>The Interface Control Documents</emphasis>. These will allow a better threat identification while analysing vulnerabilities.</para></listitem>
<listitem>
<para><emphasis>A Functional Analysis.</emphasis> This, along with the Architecture Diagrams, will be used to identify the system&#x02019;s vulnerabilities.</para></listitem>
<listitem>
<para><emphasis>Other useful input information</emphasis>. Typical security attacks, history data, system requirements, environment conditions, requirements, etc.</para></listitem></orderedlist>
<para>For the running example we&#x02019;re using the diagram in <link linkend="F8-2">Figure <xref linkend="F8-2" remap="8.2"/></link> &#x02013; an energy industry Smart Grid, focusing on the Smart Meter Home Area Network (HAN) &#x02013; the most widespread case of user connected to the Smart Grid, also a high vulnerability spot as it exposes the metering devices to the internet through the Consumer HAN.</para>
</section>
<section class="lev2" id="sec8-3-3" label="8.3.3" xreflabel="8.3.3">
<title>Security Vulnerabilities</title>
<para>With the STECA inputs we can identify possible intrusion and attack locations considering the system weak spots listed in <link linkend="T8-1">Table <xref linkend="T8-1" remap="8.1"/></link>. For each of them, we reported an extended description and the links to the consolidated ISO/IEC 27005 [<link linkend="ch08bib6">6</link>] vulnerability classification which lists the hardware, network and software vulnerability categories. Additional vulnerability classifications are the Microsoft Security envelopment Lifecycle (SDL) [<link linkend="ch08bib16">16</link>] and the CWE3 (Common Weakness Enumeration [<link linkend="ch08bib17">17</link>]), which is a detailed and community-developed list of common software weaknesses.</para>
<table-wrap position="float" id="T8-1">
<label><link linkend="T8-1">Table <xref linkend="T8-1" remap="8.1"/></link></label>
<caption><para>Vulnerabilities, weak spots, and security threats</para></caption>
<table cellspacing="5" cellpadding="5" frame="hsides" rules="groups">
<thead>
<tr>
<td valign="bottom" align="left">Vulnerabilities</td>
<td valign="bottom" align="left">Weak Spots</td>
<td valign="bottom" align="left">Weak Spots</td>
<td valign="bottom" align="left">Security Threats</td>
</tr>
</thead>
<tbody>
<tr>
<td valign="top" align="left">Network</td>
<td valign="top" align="left">CH communications protocol</td>
<td valign="top" align="left">CH communications protocol</td>
<td valign="top" align="left">Message Modification<?lb?>Man in the middle<?lb?>Footprinting</td>
</tr>
<tr>
<td valign="top" align="left"></td>
<td valign="top" align="left">Smart Meter access control</td>
<td valign="top" align="left"></td>
<td valign="top" align="left"></td>
</tr>
<tr>
<td colspan="4"><emphasis role="cline"/></td>
</tr>
<tr>
<td valign="top" align="left">Software</td>
<td valign="top" align="left">CH communications protocol <?lb?>Smart Meter access control <?lb?>Smart Meter functions</td>
<td valign="top" align="left">Smart Meter access control</td>
<td valign="top" align="left">Unauthorized access<?lb?>Password cracking <?lb?>Disclosure of confidential data</td>
</tr>
<tr>
<td colspan="4"><emphasis role="cline"/></td>
</tr>
<tr>
<td valign="top" align="left">Hardware</td>
<td valign="top" align="left">Smart Meter functions</td>
<td valign="top" align="left">Smart Meter functions</td>
<td valign="top" align="left">Conduct cyber-physical attacks on organizational facilities</td>
</tr>
<tr>
<td valign="top" align="left"></td>
<td valign="top" align="left"></td>
<td valign="top" align="left"></td>
<td valign="top" align="left">Arbitrary code execution</td>
</tr>
</tbody>
</table>
</table-wrap>
<para>Traditionally, the vulnerability assessment [<link linkend="ch08bib2">2</link>, <link linkend="ch08bib11">11</link>] of architectures such as the one in <link linkend="F8-2">Figure <xref linkend="F8-2" remap="8.2"/></link> are performed by (i) cataloguing assets and capabilities (resources) in a system, (ii) assigning quantifiable value (or at least rank order) and importance to those resources, (iii) identifying the vulnerabilities or potential threats to each resource and, (iv) mitigating or eliminating the most dangerous vulnerabilities for the most valuable resources.</para>
<fig id="F8-2" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F8-2">Figure <xref linkend="F8-2" remap="8.2"/></link></label>
<caption><para>Example from the Energy industry showing the architecture of a Smart Grid.</para></caption>
<graphic xlink:href="graphics/ch08_Fig8_2.jpg"/>
</fig>
<para>The first three steps are required to be performed in order to obtain a vulnerability list. Also, by assigning an order (value) to the resource (vulnerability) we are simplifying the threat severity definition described in Section 8.3.5.</para>
<para>Each component (system resource) should be classified with a value (as of an asset) which could simply be a traditional High, Medium or Low grade according to the associated monetary replacement cost &#x02013; to be defined by the system/subsystem owner; and a severity grade based on the impact that its failure would inflict on the system. To do this, the catalogue depicted later in Section 8.3.5 is proposed to be used.</para>
<para>Continuing the running example, and focusing on the Communications Hub (in the Smart Meter HAN) as it is a gateway to the metering devices, and the electricity Smart Meter itself, as it is a big concern in the motivation, we obtain the following:</para><itemizedlist mark="bullet" spacing="normal">
<listitem>
<para><emphasis role="strong">Communication Hub</emphasis>: <emphasis>Value</emphasis>: Low; <emphasis>Severity:</emphasis> Minor;</para></listitem>
<listitem>
<para><emphasis role="strong">Electricity Smart Meter</emphasis>: <emphasis>Value</emphasis> Low; <emphasis>Severity:</emphasis> Critical/Catastrophic.</para></listitem></itemizedlist>
</section>
<section class="lev2" id="sec8-3-4" label="8.3.4" xreflabel="8.3.4">
<title>Threats Map</title>
<para>In this step of the process the security threats shall be identified and catalogued by performing the following sub-steps:</para>
<itemizedlist mark="bullet" spacing="normal">
<listitem>
<para><emphasis>Identify the threats for each vulnerability</emphasis>. Following the list produced in the previous step, we list the threats that may exploit each vulnerability. This operation will produce a list of threats per vulnerability.</para></listitem>
<listitem>
<para><emphasis>Catalogue Threats (NIST classes)</emphasis>. Identified threats will most likely be found in the known threats list, thus having associated countermeasures. Most possibly, the gathered threats have already been identified in different contexts and catalogued in a generic fashion in existing documents, thus a set of countermeasures and preventive actions might already be available. For this purpose, already existing classification taxonomy may be used. For this process we&#x02019;re using the threat library already created in [<link linkend="ch08bib7">7</link>], which will help to catalogue the threats to the NIST classes and the suggested countermeasures.</para></listitem>
<listitem>
<para><emphasis>Threat Classification Completeness Check</emphasis>. If unlisted threats arise, countermeasures should be suggested to mitigate them and the threat library should be complemented by adding this new information to the respective taxonomy class.</para></listitem></itemizedlist>
<para>Next in the running example, the weak spots are identified and respective Vulnerability categories. Some examples are reported in <link linkend="T8-2">Table <xref linkend="T8-2" remap="8.2"/></link>.</para>
<table-wrap position="float" id="T8-2">
<label><link linkend="T8-2">Table <xref linkend="T8-2" remap="8.2"/></link></label>
<caption><para>Linking weak spots and ISO/IEC 27005 vulnerability categories</para></caption>
<table cellspacing="5" cellpadding="5" frame="hsides" rules="groups">
<thead>
<tr>
<td valign="bottom" align="left">Weak Spots</td>
<td valign="bottom" align="left">Description</td>
<td valign="bottom" align="left">ISO/IEC 27005<?lb?> [<link linkend="ch08bib6">6</link>] Categories</td>
<td valign="bottom" align="left">Threat Example</td>
</tr>
</thead>
<tbody>
<tr>
<td valign="top" align="left">Component interfaces, communications ports/ protocols</td>
<td valign="top" align="left">These are usually the targets to corrupt communications either to attain disruption or impersonating another party.</td>
<td valign="top" align="left">Network <?lb?>Software</td>
<td valign="top" align="left">Man in the middle packet sniffing conducted between the smart meter and the Energy Management Gateway <?lb?>Inject malicious code into the USB device controller (<emphasis>BadUSB</emphasis>, [<link linkend="ch08bib18">18</link>])</td>
</tr>
<tr>
<td valign="top" align="left">Memory and Storage Units</td>
<td valign="top" align="left">These may be used to store malicious code for later execution or even altered firmware when system reconfiguration is required.</td>
<td valign="top" align="left">Software <?lb?>Hardware</td>
<td valign="top" align="left">Installation of a malware which damages user data or key memory areas <?lb?>Damaging the Hard Drives (i.e., putting a magnetic source near the storage rack servers)</td>
</tr>
<tr>
<td valign="top" align="left">Processing Units</td>
<td valign="top" align="left">These, of course, may be used to execute the malicious code.</td>
<td valign="top" align="left">Software</td>
<td valign="top" align="left">Inserting malicious code that calls for ALU operations slow downing the whole execution</td>
</tr>
<tr>
<td valign="top" align="left"></td>
<td valign="top" align="left"></td>
<td valign="top" align="left">Hardware</td>
<td valign="top" align="left">Malicious hardware module targeting the performance of the cache accesses or generating power faults</td>
</tr>
</tbody>
</table>
</table-wrap>
<para>Following through with the running example and mapping these threats to the Threat Library it is possible to catalogue almost all of them to the NIST classes and gather the respective countermeasures to mitigate them. The NIST 7628 [<link linkend="ch08bib9">9</link>] states, in more than one occasion, that its focus is cyber-security and therefore &#x0201C;The requirements related to emergency lighting, fire protection, temperature and humidity controls, water damage, power equipment and power cabling, and lockout/tag-out are important requirements for safety. These are outside the scope of cyber security and are not included in this report. However, these requirements must be addressed by each organization in accordance with local, state, federal, and organizational regulations, policies, and procedures.&#x0201D; In this example, the &#x0201C;Conduct cyber-physical attacks on organizational facilities&#x0201D; threat could be the example stated in the motivation section where an Electricity Smart Meter is rendered inoperative and incommunicable, inducing a denial of service occurrence with potentially catastrophic impact, and will be the focus of the running example in the following sections.</para>
</section>
<section class="lev2" id="sec8-3-5" label="8.3.5" xreflabel="8.3.5">
<title>Risk Assessment and Attack Severity</title>
<para>For this step, similar to the <emphasis>Cause and Effects analysis</emphasis>, there are two things that need to be accounted for when considering each threat event: <emphasis>probability</emphasis> and <emphasis>impact</emphasis>.</para>
<para><emphasis>Probability: (Attack Profit &#x02013; Motivation)</emphasis>. In several contexts the parameters used to calculate the probability of an attack are based on a likelihood extracted from existing data. In general, there are no &#x0201C;reasonable&#x0201D; approaches to compute the likelihood of an attack, apart using past history, meaning that this specific approach is applicable only for few systems. As in this case there is no such data, we propose to use the estimated benefit that the attacker may obtain due to a successful attack. This can be seen as a combination of (i) <emphasis>Cost:</emphasis> availability of resources to perform the attack (time, money, state of the art hardware), (ii) <emphasis>Risk of detection</emphasis> (to what extent can the attacker hide his actions and how much does he care about being detected) and (iii) <emphasis>Payoff</emphasis> (the benefit that an attacker expects from exploiting a vulnerability). These three components can be considered separately or grouped together to build a unique likelihood score that can be obtained depending on the specific needs. One possible likelihood example could be an index that represents the cost/benefit trade-off, calculated as the fraction of <emphasis>Payoff</emphasis> over <emphasis>Cost</emphasis> but, for this purpose, we propose a form of calculation using the three variables as shown in <link linkend="F8-3">Figure <xref linkend="F8-3" remap="8.3"/></link>.</para>
<fig id="F8-3" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F8-3">Figure <xref linkend="F8-3" remap="8.3"/></link></label>
<caption><para>Attack probability graph.</para></caption>
<graphic xlink:href="graphics/ch08_fig003.jpg"/>
</fig>
<para>Having the lowest values on the origin (0,0,0) and increasing each variable in each of the respective axis. Colour code (green, yellow and red) represents the likelihood of an attack as depicted (unlikely, moderate and likely, respectively).</para>
<para>The Attack Probability assigned values are just an example and, when applied, should be adapted to the respective domain requirements. If it is considered that a system exposure to attack is less dependent on payoff than the other variables, more red and yellow dots should be reflected on the graph.</para>
<para><emphasis>Impact: (Attack Damage)</emphasis>. The extent to which an attack may cause damage. This should include all harmful consequences. It may be calculated based on the individual resources involved (associated value and severity), the effects produced by a general failure of the resources involved and the derivate pernicious effects from the aftermath. The worst case scenario should be considered for the Impact calculation.</para>
<para>The Risk of a given Threat Event used in this case is based on a traditional Criticality approach. The values used in this example have a higher weight on the Impact rather than the Probability.</para>
<para>The values in <link linkend="F8-4">Figure <xref linkend="F8-4" remap="8.4"/></link> were calculated by multiplying the grades assigned to the respective probability and impact ranks. A green code was assigned to values lesser than or equal to 3, yellow to values between 4 and 9 inclusive and red to values greater than or equal to 10. Again, this is an illustrative example and the colour code should be adapted to the domain requirements. Higher a criticality is inherent the intervals should slide accordingly.</para>
<fig id="F8-4" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F8-4">Figure <xref linkend="F8-4" remap="8.4"/></link></label>
<caption><para>Threat Event Risk Matrix.</para></caption>
<graphic xlink:href="graphics/ch08_fig005.jpg"/>
</fig>
<para>As for the Severity categories, the consequences were gathered from the NIST Threat Events Impact Assessment Scale but, once again, they should be dependent on the domain requirements. Discrimination goes as in <link linkend="F8-5">Figure <xref linkend="F8-5" remap="8.5"/></link>.</para>
<fig id="F8-5" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F8-5">Figure <xref linkend="F8-5" remap="8.5"/></link></label>
<caption><para>Description of impact categories.</para></caption>
<graphic xlink:href="graphics/ch08_fig004.jpg"/>
</fig>
<para>Picking up the running example, to assess a likelihood value for the &#x0201C;Conduct cyber-physical attacks &#x02026;&#x0201D; threat by using the suggested process, we would come out with the following result: <emphasis>Cost: low, Risk: Medium, Payoff: Medium/High</emphasis>.</para>
<para>In the case of the Payoff the assigned grade may depend on the objective of attacker. If the objective is the actual denial of service, the Payoff could be considered High &#x02013; the worst case scenario. This would produce a Probability result of Moderate to Likely (2 or 3 in <link linkend="F8-5">Figure <xref linkend="F8-5" remap="8.5"/></link>). Moving to the Threat Event Risk calculation, and considering the Smart Meter asset severity grade of Critical/Catastrophic (4 or 5 in <link linkend="F8-5">Figure <xref linkend="F8-5" remap="8.5"/></link>), the result would come out in the range of 8 to 15 (mostly Red).</para>
</section>
<section class="lev2" id="sec8-3-6" label="8.3.6" xreflabel="8.3.6">
<title>STECA Recommendations</title>
<para>After all vulnerabilities and respective threats are considered and analysed, countermeasures and preventive actions should be suggested for each of them. Either from the existing documentation and standards and the educated analysis performed where the vulnerabilities are yet to be acknowledged. Countermeasures should be suggested according to their respective mitigation type, as in:</para>
<itemizedlist mark="bullet" spacing="normal">
<listitem>
<para><emphasis>Vulnerability</emphasis>: the optimal option if possible. If a vulnerability may be avoided all the associated threats will be cleared.</para></listitem>
<listitem>
<para><emphasis>Threat Event</emphasis>: if a treat event may be prevented, the associated security threat will be cleared.</para></listitem>
<listitem>
<para><emphasis>Threat probability/impact</emphasis>: If it is impossible to avoid a threat, consideration should be given to reducing its impact. By downsizing the probability and/or the impact its risk will be downgraded making the system a bit safer. The priority will be set according to the domain and/or system requirements.</para></listitem></itemizedlist>
<para>The countermeasures are not mutually exclusive and more than one might be applied for each threat. There are, of course, a number of considerations while selecting from the available options, most typically the trade-off between the countermeasure implementation costs vs. its effective security improvement. For a better evaluation in this regard, further iterations of the process including the countermeasures implementations should be performed.</para>
<fig id="F8-6" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F8-6">Figure <xref linkend="F8-6" remap="8.6"/></link></label>
<caption><para>STECA report example.</para></caption>
<graphic xlink:href="graphics/ch08_fig006.jpg"/>
</fig>
<para>To aid and formalize the process of the security threats analysis, a STECA report depicted in <link linkend="F8-6">Figure <xref linkend="F8-6" remap="8.6"/></link> should be produced based on the proposed template. For each security threat one of these entries should be included (the fields should be self-explanatory once one is acquainted with the process):</para>
<orderedlist numeration="arabic" continuation="restarts" spacing="normal">
<listitem>
<para>STECA ID &#x02013; Unique identifier of a security threat;</para></listitem>
<listitem>
<para>Architecture Diagram/Model &#x02013; Relevant Model and/or Diagram files for the process;</para></listitem>
<listitem>
<para>Domain &#x02013; Domain to which the process will adapt (Space, Automotive, Railway, Energy&#x02026;);</para></listitem>
<listitem>
<para>Weak Spot (Vulnerability) &#x02013; A mark on the Diagram/Model to signal a weak spot on a component (as in <link linkend="T8-1">Table <xref linkend="T8-1" remap="8.1"/></link>);</para></listitem>
<listitem>
<para>Vulnerability (ISO/IEC 27005 connected categories);</para></listitem>
<listitem>
<para>Security Threats &#x02013; Threat on a vulnerable component (weak spot);</para></listitem>
<listitem>
<para>Threat Library Mapping &#x02013; Respective threat in the Threat Library;</para></listitem>
<listitem>
<para>NIST Proposed Countermeasures &#x02013; Countermeasure info from the Threat Library;</para></listitem>
<listitem>
<para>Countermeasure Effectiveness &#x02013; Applicability of the Threat Library proposed countermeasure to this specific security threat;</para></listitem>
<listitem>
<para>Attack probability &#x02013; Calculated as described in Section 8.3.5;</para></listitem>
<listitem>
<para>Impact Severity &#x02013; Calculated as described in Section 8.3.5;</para></listitem>
<listitem>
<para>Treat Event Risk &#x02013; Calculated as described in Section 8.3.5;</para></listitem>
<listitem>
<para>Alternative Countermeasures &#x02013; Countermeasure suggestion if none are available or are considered ineffective;</para></listitem>
<listitem>
<para>Recommendations &#x02013; Further considerations to be kept in mind;</para></listitem>
<listitem>
<para>Assumptions &#x02013; Assumptions to security threat or regarding information if any;</para></listitem>
</orderedlist>
<para>Notes: Any additional information that might be relevant and does not fit any of the previous.</para>
<para>Note that some of the columns in <link linkend="F8-6">Figure <xref linkend="F8-6" remap="8.6"/></link> are hidden considering only the most relevant ones for the example. After the report is concluded, meaning all the threats in all the weak spots are analysed and addressed, the STECA process iteration is finished.</para>
<para>To conclude the running example, and as far as countermeasures are concerned (apart from the ones suggested by the Threat Library as shown in <link linkend="F8-6">Figure <xref linkend="F8-6" remap="8.6"/></link>), the suggestions could be something along the lines of the physical countermeasures referred in Section 8.2, filling in the gap in the Threat Library:</para><itemizedlist mark="bullet" spacing="normal">
<listitem>
<para>Dumb Meter Bypass</para></listitem>
<listitem>
<para>Smart Meter Black Box</para></listitem></itemizedlist>
<para>Even if cyber security issues are addressed by threat and risk assessment processes, the STECA can help to identify unaddressed high impact security issues, and support a security/safety report to deliver to the proper authorities. Based on the STECA results new security requirements may be derived or the existing ones may be improved; those new/updated requirements will lead to improvements in the system safety architecture and design.</para>
</section>
</section>
<section class="lev1" id="sec8-4" label="8.4" xreflabel="8.4">
<title>Conclusion</title>
<para>In this chapter, we presented the STECA (Security Threats Effects and Criticality Analysis) process to help formalizing the security analysis of complex systems such as Smart Grids. The necessity of devising STECA stems from the direct experience of engineers working in the security assessment of the Smart Grid domain. The proposed process is established on a similar mature technique used for safety critical systems for decades (FMEA/FMECA) and maps to the well-known NIST taxonomy for the security vulnerabilities and threats analysis. We demonstrated that STECA application is straightforward and useful for security assessment.</para>
</section>
<section class="lev1" id="sec8-5">
<title>References</title>
<orderedlist numeration="arabic" continuation="restarts" spacing="normal">
<listitem>
<para><anchor id="ch08bib1"/>European Commission. (2014). <emphasis>JRC Science and Policy Reports, Smart Grids projects outlook</emphasis>.</para></listitem>
<listitem>
<para><anchor id="ch08bib2"/>European Union Agency for Network and Information Security (ENISA). (2013). Smart Grid Threat Landscape and Good Practice Guide. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=European+Union+Agency+for+Network+and+Information+Security+%28ENISA%29%2E+%282013%29%2E+Smart+Grid+Threat+Landscape+and+Good+Practice+Guide%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch08bib3"/>Parks, R.C. (2007). <emphasis>Advanced Metering Infrastructure Security Considerations</emphasis>. Sandia Report SAND2007-7327. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Parks%2C+R%2EC%2E+%282007%29%2E+Advanced+Metering+Infrastructure+Security+Considerations%2E+Sandia+Report+SAND2007-7327%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch08bib4"/>National Research Council. (2012). <emphasis>Terrorism and the Electric Power Delivery System.</emphasis> Washington, DC: The National Academies Press. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=National+Research+Council%2E+%282012%29%2E+Terrorism+and+the+Electric+Power+Delivery+System%2E+Washington%2C+DC%3A+The+National+Academies+Press%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch08bib5"/>NIST. (2011). <emphasis>NIST Special Publication 800-82, Guide to Industrial Control Systems (ICS) Security</emphasis>.</para></listitem>
<listitem>
<para><anchor id="ch08bib6"/>International Organization for Standardization (ISO). (2008). <emphasis>ISO/IEC 27005, Information technology &#x02013; Security techniques &#x02013; Information security risk management</emphasis>. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=International+Organization+for+Standardization+%28ISO%29%2E+%282008%29%2E+ISO%2FIEC+27005%2C+Information+technology+-+Security+techniques+-+Information+security+risk+management%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch08bib7"/>Nostro, N., Bondavalli, A., and Silva, N. (2014). Adding Security Concerns to Safety Critical Certification,&#x0201D; in <emphasis>Software Reliability Engineering Workshops (ISSREW)</emphasis> (New York, NY: IEEE), 521&#x02013;526. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Nostro%2C+N%2E%2C+Bondavalli%2C+A%2E%2C+and+Silva%2C+N%2E+%282014%29%2E+Adding+Security+Concerns+to+Safety+Critical+Certification%2C%22+in+Software+Reliability+Engineering+Workshops+%28ISSREW%29+%28New+York%2C+NY%3A+IEEE%29%2C+521-526%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch08bib8"/>NIST. (2013). <emphasis>Joint Task Force Transformation Initiative, Security and privacy controls for federal information systems and organizations NIST SP 800-53r4</emphasis>. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=NIST%2E+%282013%29%2E+Joint+Task+Force+Transformation+Initiative%2C+Security+and+privacy+controls+for+federal+information+systems+and+organizations+NIST+SP+800-53r4%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch08bib9"/>NISTIR. (2014). <emphasis>NISTIR 7628</emphasis>: <emphasis>Guidelines for smart grid cyber security strategy and requirements</emphasis>.</para></listitem>
<listitem>
<para><anchor id="ch08bib10"/>NIST. (2013). <emphasis>NIST Special Publication 800-53 Revision 4: Security and Privacy Controls for Federal Information Systems and Organizations</emphasis>. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=NIST%2E+%282013%29%2E+NIST+Special+Publication+800-53+Revision+4%3A+Security+and+Privacy+Controls+for+Federal+Information+Systems+and+Organizations%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch08bib11"/>NIST. (2012). <emphasis>Special Publication 800-30 Revision 1</emphasis>: <emphasis>Guide for Conducting Risk Assessment</emphasis>. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=NIST%2E+%282012%29%2E+Special+Publication+800-30+Revision+1%3A+Guide+for+Conducting+Risk+Assessment%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch08bib12"/>Schmittner, C., Gruber, T., Puschner, P., Schoitsch, E. (2014) &#x0201C;Security Application of Failure Mode and Effect Analysis (FMEA),&#x0201D; in <emphasis>Computer Safety, Reliability, and Security</emphasis>, eds A. Bondavalli, F. Di Giandomenico. SAFECOMP 2014. Lecture Notes in Computer Science, Vol. 8666. Springer, Cham.</para></listitem>
<listitem>
<para><anchor id="ch08bib13"/>Macher, G., H&#x000F6;ller, A., Sporer, H., Armengaud E., and Kreiner C. (2015) A Combined Safety-Hazards and Security-Threat Analysis Method for Automotive Systems, in <emphasis>Computer Safety, Reliability, and Security</emphasis>, eds Koornneef, F. and van Gulijk, C. Lecture Notes in Computer Science, Vol. 9338. Springer, Cham. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Macher%2C+G%2E%2C+H%F6ller%2C+A%2E%2C+Sporer%2C+H%2E%2C+Armengaud+E%2E%2C+and+Kreiner+C%2E+%282015%29+A+Combined+Safety-Hazards+and+Security-Threat+Analysis+Method+for+Automotive+Systems%2C+in+Computer+Safety%2C+Reliability%2C+and+Security%2C+eds+Koornneef%2C+F%2E+and+van+Gulijk%2C+C%2E+Lecture+Notes+in+Computer+Science%2C+Vol%2E+9338%2E+Springer%2C+Cham%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch08bib14"/>Nostro, N., Matteucci, I., Ceccarelli, A., Di Giandomenico, F., Martinelli, F., and Bondavalli, A. (2014) On Security Countermeasures Ranking through Threat Analysis,&#x0201D; in Computer Safety, Reliability, and Security, eds A. Bondavalli, A. Ceccarelli, F. Ortmeier. SAFECOMP 2014. Lecture Notes in Computer Science, Vol. 8696. Springer, Cham. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Nostro%2C+N%2E%2C+Matteucci%2C+I%2E%2C+Ceccarelli%2C+A%2E%2C+Di+Giandomenico%2C+F%2E%2C+Martinelli%2C+F%2E%2C+and+Bondavalli%2C+A%2E+%282014%29+On+Security+Countermeasures+Ranking+through+Threat+Analysis%2C%22+in+Computer+Safety%2C+Reliability%2C+and+Security%2C+eds+A%2E+Bondavalli%2C+A%2E+Ceccarelli%2C+F%2E+Ortmeier%2E+SAFECOMP+2014%2E+Lecture+Notes+in+Computer+Science%2C+Vol%2E+8696%2E+Springer%2C+Cham%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch08bib15"/>Kundur, D., et al. (2010). &#x0201C;Towards a framework for cyber attack impact analysis of the electric smart grid,&#x0201D; in <emphasis>Smart Grid Communications (SmartGridComm)</emphasis> (New York, NY: IEEE). <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Kundur%2C+D%2E%2C+et+al%2E+%282010%29%2E+%22Towards+a+framework+for+cyber+attack+impact+analysis+of+the+electric+smart+grid%2C%22+in+Smart+Grid+Communications+%28SmartGridComm%29+%28New+York%2C+NY%3A+IEEE%29%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch08bib16"/>Microsoft. (2010). <emphasis>Security Development Lifecycle</emphasis>.</para></listitem>
<listitem>
<para><anchor id="ch08bib17"/>Common Weakness Enumeration. (2017) <emphasis>A Community-Developed Dictionary of Software Weakness Types</emphasis>. Available at: https://cwe.mitre.org/index.html</para></listitem>
<listitem>
<para><anchor id="ch08bib18"/>Kaspersky Lab. (2014). <emphasis>Release of Attack Code Raises Stakes for USB Security</emphasis>. Available at: https://threatpost.com/badusb-attack-code-publicly-disclosed/108663/ (accessed on 2 October 2014).</para></listitem></orderedlist>
</section>
</chapter>
<chapter class="chapter" id="ch09" label="9" xreflabel="9">
<title>Composable Framework Support for Software-FMEA through Model Execution</title>
<para role="author"><emphasis role="strong">Valentina Bonfiglio<superscript>1</superscript>, Francesco Brancati<superscript>1</superscript>, Francesco Rossi<superscript>1</superscript>,Andrea Bondavalli<superscript>2,3</superscript> , Leonardo Montecchi<superscript>2,3</superscript> , Andr&#x000E1;s Pataricza<superscript>4</superscript>, Imre Kocsis<superscript>4</superscript> and Vince Moln&#x000E1;r<superscript>4</superscript></emphasis></para>
<para><superscript>1</superscript>Resiltech s.r.l., Pontedera (PI), Italy</para>
<para><superscript>2</superscript>Department of Mathematics and Informatics, University of Florence, Florence, Italy</para>
<para><superscript>3</superscript>CINI-Consorzio Interuniversitario Nazionale per l&#x02019;Informatica-University of Florence, Florence, Italy</para>
<para><superscript>4</superscript>Dept. of Measurement and Information Systems, Budapest University of Technology and Economics, Budapest, Hungary</para>
<section class="lev1" id="sec9-1" label="9.1" xreflabel="9.1">
<title>Introduction</title>
<para>Performing Failure Mode and Effects Analysis (FMEA) during software architecture design is becoming a basic requirement in an increasing number of domains. However, due to the lack of standardized early design-phase model execution, classic Software-FMEA (SW-FMEA) approaches carry significant risks and are human effort-intensive even in processes that use Model-Driven Engineering (MDE).</para>
<para>From a dependability-critical development process point of view, FMEA &#x02013; more generally, the identification of hazards and planning their mitigation &#x02013; should be performed in the early phases of system design; for software, this usually translates to the architecture design phase [<link linkend="ch09bib1">1</link>]. Additionally, for some domains, standards prescribe the safety analysis of the software architecture &#x02013; as is the case, e.g., with ISO 26262 in the automotive domain.</para>
<para>However, historically, software architecture specifications in the most widely used modelling languages either do not represent behaviour, only structure, or the behavioural models do not have standardized operational semantics. This is a major problem for SW-FMEA; in contrast to hardware, relatively small changes of &#x0201C;internals&#x0201D; of a software component (essentially the program logic) can lead to wide variations in the response of executed software components to various external and internal faults. This means that in addition to computing error propagation from component to component, the sensitivity of each component for internal and external faults has to be explored on a case by case basis, and this can be done only by using specifications of behaviour.</para>
<para>In the absence of this capability, the system modeller has to either make strong guarantees in advance (&#x0201C;this component will be fail-silent under all circumstances&#x0201D;), or make too pessimistic assumptions (e.g., &#x0201C;all kinds of output failures are possible&#x0201D;). Significant risk is introduced by the fact that the error propagation assumptions made at this stage have to hold for the final system &#x02013; otherwise the constructed hazard mitigation arguments will not hold, either. Thus, without rolling back the development process, we run the risk of having to enforce not easily enforceable guarantees, or having to use dependability mechanisms that are actually superfluous in the given system.</para>
<para>This chapter addresses the aforementioned problem on the basis of a new standard for the UML 2 modelling language. Throughout the next sections, we will introduce the reader to advances in standardized model execution semantics, the outline of a composable framework built on top of executable software architecture models to help SW-FMEA, as well as a realization of such a framework applied on a case study from the railway domain.</para>
</section>
<section class="lev1" id="sec9-2" label="9.2" xreflabel="9.2">
<title>Software-FMEA Using fUML/ALF</title>
<para>For UML 2, the status quo of not having standardized operational semantics has changed with the standardization of &#x0201C;Foundational UML&#x0201D; (fUML) [<link linkend="ch09bib2">2</link>]: a core subset of UML 2 has been given standardized execution semantics. Although fUML mainly contains facilities for describing structured activities of communicating, typed objects, in theory, the whole UML 2 language can be mapped to it. To facilitate practical application, fUML also has an action language called Alf, the &#x0201C;Action Language for Foundational UML&#x0201D; [<link linkend="ch09bib3">3</link>].</para>
<para>Alf is a quasi-imperative, Java-like programming language. As a &#x0201C;surface language&#x0201D; for fUML, its structure and execution is directly and unambiguously mapped to fUML. Whole programs can be written purely in Alf, but it can be also used to define specific behaviours in an encompassing UML 2 model. However, in this case, the operational semantics of the embedding model containing the Alf code snippets also has to be specified, e.g., by translating the whole model to pure Alf. This is not necessarily a shortcoming; our approach actively exploits the partially &#x0201C;underdefined&#x0201D; composite structure semantics. That said, it is worth to note that the newly finalized standard &#x0201C;Precise Semantics of UML Composite Structures&#x0201D; (PSCS) [<link linkend="ch09bib4">4</link>] addresses exactly this issue.</para>
<section class="lev2" id="sec9-2-1" label="9.2.1" xreflabel="9.2.1">
<title>Tooling for fUML and Alf</title>
<para>Due to the novelty of the languages, fUML and Alf tooling is still maturing, but the progress is steady. For both fUML and Alf, reference interpreters exist [<link linkend="ch09bib5">5</link>]; for fUML, additional execution engines are also available [<link linkend="ch09bib6">6</link>]. Papyrus, the popular Eclipse-based modelling environment includes an Alf editor for UML 2 language elements and supports direct compilation of Alf code into UML 2 [<link linkend="ch09bib7">7</link>].</para>
<para>The compilation of fUML/Alf to other languages and the formal analysis of fUML/Alf specifications are much less developed, with no directly (re)usable solutions known. That said, notably [<link linkend="ch09bib8">8</link>] presents a full Model-Driven Engineering approach where Alf code is translated into an intermediate model that, in turn, is translated to C++. On the formal analysis side, initial progress has been made both for theorem proving [<link linkend="ch09bib9">9</link>] and classic model checking [<link linkend="ch09bib10">10</link>].</para>
</section>
<section class="lev2" id="sec9-2-2" label="9.2.2" xreflabel="9.2.2">
<title>Software-FMEA through Alf Execution</title>
<para>Earlier work performed in the CECRIS project (&#x0201C;Certification of Critical Systems&#x0201D;) [<link linkend="ch09bib11">11</link>] has proposed an approach for the SW-FMEA of component-based systems through Alf execution (using an interpreter) [<link linkend="ch09bib12">12</link>]. The main idea of the approach is summarized in the following three steps.</para>
<orderedlist numeration="arabic" continuation="restarts" spacing="normal">
<listitem>
<para>Components as well as their Alf code are translated into a single Alf program. During translation, the code for a cyclic scheduler component is also woven into the Alf source (with a simple logical clock). The static component activation schedule is determined by the modeller.</para></listitem>
<listitem>
<para>As a form of model-level fault injection, the translation can inject some simple errors into the scheduler as well as replace output/input port behaviours with &#x0201C;programmed&#x0201D; error behaviours.</para></listitem>
<listitem>
<para>Error propagation is analyzed by comparing simulation runs of the fault-free case to various fault activations.</para></listitem></orderedlist>
<para>In general, simulation certainly has its drawbacks; e.g., it is hard to ensure that all execution paths have been exercised in a nondeterministic system, though this is not a major issue for three reasons. First, the reference simulator performs sequential execution with deterministic choices (a semantic variation that the fUML standard fully allows). Second, although the embedded system models we apply our approach to do not exhibit parallelism at either the micro or the macro level, there is at least one fUML virtual machine called <emphasis>moliz</emphasis> that supports very fine-grained external control of model execution [<link linkend="ch09bib13">13</link>]. This means that if the need arises, the various interleaving executions can be tracked, accounted for and controlled. Thirdly, we do expect solutions for the application of formal methods (at least model checking) on fUML/Alf models to appear in the near future; these, by their nature, cover the entire state space of models.</para>
<para>These considerations demonstrate an important strength of the approach proposed in Bonfiglio et al. [<link linkend="ch09bib12">12</link>] and provides one of the main motivations for the framework presented in this chapter. If, during the translation of the component model to pure Alf, we are able to equip the Alf code with all the facilities that transform model execution into explicit error propagation execution, then we can reap the benefits of advances in fUML/Alf tooling without additional effort.</para>
</section>
<section class="lev2" id="sec9-2-3" label="9.2.3" xreflabel="9.2.3">
<title>Framework Support for Executable Error Propagation</title>
<para>Along the previous consideration, we describe the design of a model transformation framework that transforms component models with Alf behaviour specifications into a pure Alf program that simulates error propagation by passing error tokens between the components and computing (or approximating) the input-output error transformation that a potentially faulty software component exhibits upon (erroneous or correct) activation (<link linkend="F9-1">Figure <xref linkend="F9-1" remap="9.1"/></link>). As the user-supplied Alf code cannot always be used to compute error propagation (e.g., the component itself might have an active internal fault), in some cases, error transformation draws on a library of behavioural patterns (e.g., &#x0201C;fail-silent&#x0201D;).</para>
<para>The orchestration of the execution of components is broken into a number of configurable, cooperating functions. These functions have generic variants; these are drawn from a framework library of options (<link linkend="F9-2">Figure <xref linkend="F9-2" remap="9.2"/></link>).</para>
<fig id="F9-1" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F9-1">Figure <xref linkend="F9-1" remap="9.1"/></link></label>
<caption><para>Composite error token passing during execution and component activation.</para></caption>
<graphic xlink:href="graphics/ch09_fig001.jpg"/>
</fig>
<fig id="F9-2" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F9-2">Figure <xref linkend="F9-2" remap="9.2"/></link></label>
<caption><para>Framework components for program composition.</para></caption>
<graphic xlink:href="graphics/ch09_fig002.jpg"/>
</fig>
</section>
<section class="lev2" id="sec9-2-4" label="9.2.4" xreflabel="9.2.4">
<title>Error Tokens, Component Activation</title>
<para>The composite error tokens passed between components carry a reference value &#x02013; the object that should be seen during the interaction in a fault free system &#x02013; as well as error information. The error being passed is either a standard category (succinctly introduced, e.g., in TanjaMayerhofer [<link linkend="ch09bib14">14</link>]), a refinement thereof, or a specific one (e.g., a specific erroneous value that is late by a known amount of time).</para>
<para>Component activation computes the output error tokens of the component based on the input ones. The logic for producing the error outputs depends on numerous, but mostly straightforward factors (<link linkend="F9-2">Figure <xref linkend="F9-2" remap="9.2"/></link>); to note is that for computing the error output when the specific error is not known, only the category, the modeller may decide to either run the user-supplied Alf code on a sample from the class or use a predefined error category transformation logic from a library of dependability behavioural patterns.</para>
</section>
<section class="lev2" id="sec9-2-5" label="9.2.5" xreflabel="9.2.5">
<title>Execution Orchestration</title>
<para>Component models in UML 2 do not have standard execution semantics; the cyclic execution logic with a static schedule in Bonfiglio et al. [<link linkend="ch09bib12">12</link>] (summarized in Section 9.2.2) came from the domain of the modelled system. As a matter of fact, the overall approach is able to support numerous models of computation (MoC) &#x02013; rules defining the semantics of control, concurrency, communications and time. Synchronous data flow networks, discrete events, static scheduling, and workflow-like execution all fit the approach through configurable, reusable implementations in Alf (with varying complexity, of course). In order to be able to account for orchestration errors, the framework is also intended to support runtime fault injection on the MoC implementations.</para>
</section>
<section class="lev2" id="sec9-2-6" label="9.2.6" xreflabel="9.2.6">
<title>Fault Injection</title>
<para>Fault injection is performed by configurable fault activation logic implementations. These determine active faults of the various components (including orchestration) at various points in time (if the MoC defines a notion of time).</para>
</section>
</section>
<section class="lev1" id="sec9-3" label="9.3" xreflabel="9.3">
<title>Case Study: Application of Software-FMEA through Model Execution</title>
<para>The case study used for the Software FMEA process was based on the railway domain, more specifically the European Rail Traffic Management System (ERTMS) and its Control Command part European Train Control System (ETCS) [<link linkend="ch09bib15">15</link>]. ERTMS/ERTCS is an automatic train protection system, and as such, a safety-critical system. ERTMS is composed of trackside units (e.g. beacons for positioning and information reporting) and on-board units. The full system is rather complex, thus in the case study only a small, simplified part of the specification was modelled. The focus of the modelling was on the safety function of receiving and consistency checking of messages from trackside beacons called <emphasis>balises</emphasis>.</para>
<section class="lev2" id="sec9-3-1" label="9.3.1" xreflabel="9.3.1">
<title>Definition of the Modelled System</title>
<para>The case study system was based on the balise-related basic functionality of ERTMS/ETCS. The system was modelled using UML and Alf (Action Language for Foundational UML) [<link linkend="ch09bib16">16</link>]. The static structure part of the system was also described with the textual syntax of Alf; however, some of these will be represented on graphical diagrams for convenience.</para>
<para>As the envisioned Software-FMEA approach should be applied early in the design phase, no actual implementation or detailed design model is available in this stage. Therefore, in order to exercise the behaviour defined in the executable model, the &#x0201C;environment&#x0201D; of the modelled system had to be simulated. This scaffolding was also developed in Alf, thus the model consists of two main parts.</para>
<itemizedlist mark="bullet" spacing="normal">
<listitem>
<para><emphasis role="strong">Target system</emphasis>: the On-board Unit (OBU) of ETCS, the core software running in the train.</para></listitem>
<listitem>
<para><emphasis role="strong">Environment</emphasis>: simulation of the track, trackside equipment and movement of the train.</para></listitem></itemizedlist>
<para>Note that to reduce the complexity, the simulation of the environment focuses only on the necessary details to support the modelled functionality. Hence, the simulation is based on discrete events, and speed, distance and braking are all abstracted.</para>
<para>The main elements in the environment of the system are depicted on <link linkend="F9-3">Figure <xref linkend="F9-3" remap="9.3"/></link> (based on <link linkend="F2-6">Figure <xref linkend="F2-6" remap="2.6"/></link> in ETCS Subsection 026 <link linkend="ch02">Chapter <xref linkend="ch2" remap="2"/></link> [<link linkend="ch09bib15">15</link>]) and are briefly explained below.</para>
<fig id="F9-3" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F9-3">Figure <xref linkend="F9-3" remap="9.3"/></link></label>
<caption><para>Parts of the simulated environment in the case study (figure based on European Railway Agency [<link linkend="ch09bib15">15</link>]).</para></caption>
<graphic xlink:href="graphics/ch09_fig003new.jpg"/>
</fig>
<itemizedlist mark="bullet" spacing="normal">
<listitem>
<para><emphasis>Track</emphasis>. The train is moving on a track (the actual physical dimensions of the track are abstracted in the case study).</para></listitem>
<listitem>
<para><emphasis>Segment</emphasis>. The track is composed of neighboring segments. The train can move from one segment to another neighboring one.</para></listitem>
<listitem>
<para><emphasis>Train</emphasis>. The train can move in forward or backward one segment in each simulation step (the actual speed of the train is abstracted).</para></listitem>
<listitem>
<para><emphasis>Balise</emphasis>. A passive beacon deployed onto the track. When the train passes over a balise, it powers it up remotely via radio waves, causing the balise to send a so called telegram to the train.</para></listitem>
<listitem>
<para><emphasis>Balise Group</emphasis>. Balises can be organized in balise groups. A balise group can contain up to 8 balises. By giving position numbers to individual balises inside a group, the train can identify direction and detect missed balises.</para></listitem></itemizedlist>
<para>The modelled target system consists of the main parts depicted on <link linkend="F9-4">Figure <xref linkend="F9-4" remap="9.4"/></link> and explained below.</para>
<fig id="F9-4" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F9-4">Figure <xref linkend="F9-4" remap="9.4"/></link></label>
<caption><para>Main components of the modelled system.</para></caption>
<graphic xlink:href="graphics/ch09_fig004.jpg"/>
</fig>
<itemizedlist mark="bullet" spacing="normal">
<listitem>
<para><emphasis>Balise Transmission Module</emphasis> (BTM). Responsible for receiving raw, individual telegrams from the balises, checking and then forwarding them to the Kernel.</para></listitem>
<listitem>
<para><emphasis>Kernel</emphasis>. Responsible for the core functionality in ETCS. In the current case study, it collects telegrams from different balises to form and analyze balise group messages. If an error is detected, it can notify the driver through DMI or control the train through TIU.</para></listitem>
<listitem>
<para><emphasis>Driver Machine Interface</emphasis> (DMI). Can display information on the driver interface.</para></listitem>
<listitem>
<para><emphasis>Train Interface Unit</emphasis> (TIU). Can control the train. In the current case study, it can apply breaking.</para></listitem></itemizedlist>
<para>The simulated environment and the target OBU system is connected by sending and receiving balise telegrams. The structure of a telegram is defined in <link linkend="ch08">Chapter <xref linkend="ch8" remap="8"/></link> of the ETCS Subset 26 (SRS) [<link linkend="ch09bib15">15</link>], and is summarized in <link linkend="F9-5">Figure <xref linkend="F9-5" remap="9.5"/></link>.</para>
<fig id="F9-5" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F9-5">Figure <xref linkend="F9-5" remap="9.5"/></link></label>
<caption><para>Structure of a balise telegram [<link linkend="ch09bib15">15</link>].</para></caption>
<graphic xlink:href="graphics/ch09_fig005.jpg"/>
</fig>
<para>The telegram itself was modelled using data types in Alf. The simulated balise and the BTM module directly work on this data structure, while the Kernel receives an object structure built by the BTM based on the telegrams.</para>
<para>The modelled behaviour is attached to the active classes in the system. Basically, they are all waiting for signals to receive, and then perform the signal handler behaviour specified in Alf. For example, upon receiving a raw telegram, the BTM checks the consistency of the header fields. This was implemented in the Alf activity presented in <link linkend="F9-6">Figure <xref linkend="F9-6" remap="9.6"/></link>.</para>
<fig id="F9-6" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F9-6">Figure <xref linkend="F9-6" remap="9.6"/></link></label>
<caption><para>Alf implementation of a BTM behaviour.</para></caption>
<graphic xlink:href="graphics/ch09_fig006.jpg"/>
</fig>
<para>The model and the modelled scenarios were executed in the Alf Reference Implementation [<link linkend="ch09bib17">17</link>]. The model includes logging to create execution traces. For example, the output in <link linkend="F9-7">Figure <xref linkend="F9-7" remap="9.7"/></link> shows a simple, valid execution trace where the OBU receives a consistent telegram from a single balise. The same trace can be visualised by PlantUML as a sequence diagram (<link linkend="F9-8">Figure <xref linkend="F9-8" remap="9.8"/></link>). In the modelled environment, there is a train, a track with two segments (s1, s2) and a balise (b1). The train initially stands on the first segment (s1) and it moves to the second (s2) as the first step of the test case. Note that for the sake of simplicity, the component representing the train in the case study is not associated with the balise component, so powering up a balise is mediated by the segment component.</para>
<fig id="F9-7" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F9-7">Figure <xref linkend="F9-7" remap="9.7"/></link></label>
<caption><para>Log trace of a fault-free execution of the case study model.</para></caption>
<graphic xlink:href="graphics/ch09_fig007.jpg"/>
</fig>
<fig id="F9-8" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F9-8">Figure <xref linkend="F9-8" remap="9.8"/></link></label>
<caption><para>Visualization of a fault-free execution tree of the case study model.</para></caption>
<graphic xlink:href="graphics/ch09_fig008.jpg"/>
</fig>
</section>
<section class="lev2" id="sec9-3-2" label="9.3.2" xreflabel="9.3.2">
<title>Process Evaluation</title>
<para>As the discussion in section &#x0201C;Software-FMEA Using fUML/ALF&#x0201D; pointed out, the fundamental tenet of our method is to perform SW-FMEA on component-based systems through Alf execution (as of now, using an interpreter).</para>
<para>Based on the presented use case, process-wise, it is apparent that the SW-FMEA approach can be used in a &#x0201C;drop-in&#x0201D; fashion in existing safety processes, replacing classic approaches during software architecture analysis. The major added value is delivering much tighter bounds on error propagation characteristics (certainly not probabilities!) at the point in design where the major dependability mechanisms are most probably decided upon. While much more sophisticated than classic FMEA (and even such composable methods as HiP-HOPS [<link linkend="ch09bib18">18</link>]), the approach largely remains an FME(C)A &#x02013; and thus there is no real reason it cannot be a candidate method in virtually all safety processes where SW-FMEA is necessary.</para>
<para>Importantly, the ability to &#x0201C;mix and match&#x0201D; specific errors and error categories in evaluating and propagating errors may enable new process patterns. Refinement of our knowledge of the error propagation characteristics in the system is a definite (and largely new) option in this setting; thus, in theory, safety arguments could very well evolve <emphasis>cooperatively</emphasis> with the refinement of system and software design. Future research will explore this possibility.</para>
<para>Certainly, there are some apparent drawbacks, too.</para>
<itemizedlist mark="bullet" spacing="normal">
<listitem>
<para><emphasis role="strong">Modelling overhead</emphasis>. The least significant drawback that nevertheless has to be mentioned is that the whole approach assumes that the system under design is created in an appropriate Model-Driven System Design (MDSD) workflow. Although MDSD is becoming the default in many industries where SW-FMEA has to be performed, it is not necessarily used in all settings.</para></listitem>
<listitem>
<para><emphasis role="strong">Early definition of behaviour</emphasis>. Executable models such as Alf give us the possibility to model behaviour early on in the design process &#x02013; but this does not automatically mean that it is convenient or feasible at all. Further studies are necessary to evaluate this aspect.</para></listitem>
<listitem>
<para><emphasis role="strong">Proof of behavioural equivalence</emphasis>. When executable behavior is specified early on in the development process and it is the basis of safety arguments, behavioural equivalence of the final system (and components) with this early specification has to be maintained during development.</para></listitem>
<listitem>
<para><emphasis role="strong">Simulation.</emphasis> As of now, we use simulation for model evaluation. Simulation has its drawbacks; e.g., it is hard to assure that all execution paths have been exercised in a nondeterministic system. We argued in chapter &#x0201C;Software-FMEA through Alf execution&#x0201D; that in our case this is not a major issue. In fact, the proposed approach does not rely on any specific simulation technique; all the facilities that transform model execution into explicit error propagation execution are included in the model. This way, we will be able to reap the benefits of advances in fUML/Alf tooling without additional effort.</para></listitem></itemizedlist>
</section>
</section>
<section class="lev1" id="sec9-4" label="9.4" xreflabel="9.4">
<title>Implementation in a Blockly-based Modelling Tool</title>
<para>To demonstrate the general applicability of the approach presented so far, the main points of the framework were also implemented for the modelling tool introduced in &#x0201C;<link linkend="ch04">Chapter <xref linkend="ch4" remap="4"/></link> &#x02013; SYSML-UML like modeling environment based on Google Blockly customization&#x0201D;.</para>
<para>The tool supports the modelling of static and dynamic aspects of component-based systems by using blocks, interfaces and connections to model structure, as well as sequence diagrams to model the collective behaviour of the whole system. The former aspect defines the participants and their relations, while the latter describes their interactions and the exchanged data. The basic block of behaviour is a <emphasis>Service</emphasis>, which may have a specific implementation in Python. Interactions then consist of <emphasis>Service Requests</emphasis> and control logic (e.g. decisions). Once modelled, the tool can visualize the connections in the system, as well as the sequence diagram defined for the global behaviour. One of the strongest aspects of the tool is the ability to generate a Python program for the simulation of the system. With small modifications, the generated code is an appropriate candidate for the methods defined in the previous sections.</para>
<section class="lev2" id="sec9-4-1" label="9.4.1" xreflabel="9.4.1">
<title>Preparation of the Model</title>
<para>The case study model was again based on the balise-related basic functionality of ERTMS/ETCS (<link linkend="F9-3">Figures <xref linkend="F9-3" remap="9.3"/></link> and <link linkend="F9-4"><xref linkend="F9-4" remap="9.4"/></link> for the structure and <link linkend="F9-7">Figure <xref linkend="F9-7" remap="9.7"/></link> for the behaviour). A bird&#x02019;s eye view of the model itself is presented in <link linkend="F9-9">Figure <xref linkend="F9-9" remap="9.9"/></link>.</para>
<fig id="F9-9" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F9-9">Figure <xref linkend="F9-9" remap="9.9"/></link></label>
<caption><para>Blockly-based model of the case study system and its environment.</para></caption>
<graphic xlink:href="graphics/ch09_fig009.jpg"/>
</fig>
<para>The generated code has been augmented with logging: values of parameters and variables after assignment result of decisions and assertions as well as service requests were all output to build an execution trace.</para>
<para>As before, faults activation was done by injected, configurable logic that would determine which faults are activated during execution. In practice, this involves the replacement of certain constructs (e.g., expressions) with a function call that either performs the original behaviour (e.g., returns the value of the original expression) or alters the behaviour in some way (e.g., negates a condition). In the current case study, faults affected the assignment of Boolean and integer values (altering the value of the right-hand-side expression), the conditions in decisions and the sending of service requests (causing an <emphasis>omission</emphasis> fault).</para>
<para>The fault activation logic can be fine-tuned by setting the maximum number of active faults as well as if the faults are transient of permanent. In case of permanent faults, fault distribution is balanced by an initialization logic that randomly selects a configured number of faults, which may then activate if the affected statements are executed (i.e. the injected fault activation function is called). In this case study, the logic was configured to activate <emphasis>at most one</emphasis> permanent fault.</para>
<para>Faults were injected in the relevant parts of the control logic of the train (i.e. the <emphasis>Kernel</emphasis> and the <emphasis>Balise Transmission Module</emphasis>), but message omissions were also included in the code simulating the powering of the balise to emulate failure of equipment. Every time a fault activated, its type and the affected line were logged, but not the specific value used to modify the original expression.</para>
<para>Two test cases were used for the simulations: in the first one, the balise sends a consistent telegram, while in the second; the balise has corrupted data (it has an invalid position value). Thus, according to the specified behaviour, correct reactions of the system would be to acknowledge the reception of the telegram in the first case, and applying emergency brake in the second. Assertions in the model checked if the produced behaviour was in accordance with the balise data, as well as if a telegram was successfully processed in a given time frame (in more complex settings, this could be detected and handled when reaching the next balise).</para>
</section>
<section class="lev2" id="sec9-4-2" label="9.4.2" xreflabel="9.4.2">
<title>Aggregation and Analysis of Traces</title>
<para>A single simulation of the fault-free model and 1000 simulations with random faults in each test case provided a satisfying number of traces to conduct a probabilistic analysis. The traces were processed through the following steps:</para>
<orderedlist numeration="arabic" continuation="restarts" spacing="normal">
<listitem>
<para><emphasis>Error traces:</emphasis> Every faulty trace was compared to the reference (fault-free) trace to obtain the differences, i.e. to identify the chain of errors that led from a single fault activation to a failed assertion. Corresponding to the injected faults, the errors could be <emphasis>Parameter errors</emphasis>, <emphasis>Data errors</emphasis>, <emphasis>Control errors</emphasis> and <emphasis>Missing calls.</emphasis></para></listitem>
<listitem>
<para><emphasis>Superposition of traces:</emphasis> The error traces were merged to obtain a graph. An arc in this graph from A to B means that in some trace, error A was immediately followed by error B.</para></listitem>
<listitem>
<para><emphasis>Annotation with occurrences:</emphasis> Arcs of the graph were then annotated by the ratio of the number of traces in which B has <emphasis>eventually</emphasis> occurred after A to the total number of traces in which A has occurred. This value corresponds to the <emphasis>conditional probability</emphasis> of eventually seeing B if A has occurred. This way, a probability of 1 means there is a strong correlation between errors A and B, which in this case may also suggest a causal relationship. Hence, these cases are visually distinguished by using a solid line for the potential causalities and a dashed line otherwise.</para></listitem>
<listitem>
<para><emphasis>Reducing noise:</emphasis> Various techniques were employed to remove arcs that were the consequences of other relationships. It is worth to note that, this part of the process is the most theoretic and has a lot of room for improvements. The more efficient the techniques used here are, the more meaningful the results of the process can be.</para></listitem></orderedlist>
<para>Nodes of the graph (fault activations, errors and assertion failures) were grouped by the component which logged them. The output for the test case with the valid telegram can be seen on <link linkend="F9-10">Figure <xref linkend="F9-10" remap="9.10"/></link>. Things to node about the figure are the following.</para>
<fig id="F9-10" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F9-10">Figure <xref linkend="F9-10" remap="9.10"/></link></label>
<caption><para>Error propagation in the case study model when input is consistent.</para></caption>
<graphic xlink:href="graphics/ch09_fig010.jpg"/>
</fig>
<itemizedlist mark="bullet" spacing="normal">
<listitem>
<para>In an FMEA terminology, each box corresponding to a component contains the internal faults and the failure modes (errors) of the component. Arcs entering the box denote external failure modes that affect this component, while outgoing arcs denote failure modes of the component that affect others.</para>
</listitem>
<listitem>
<para>In the case study model, omission of service requests always results in a failure to handle the balise.</para></listitem>
<listitem>
<para>On the other hand, corruption of data causes a system-level failure only if the value of the Boolean flag &#x0201C;Consistent&#x0201D; gets corrupted. Once this happens, there is no way to avoid failure, but only some corruption of the other values leads to the corruption of the flag.</para></listitem>
<listitem>
<para>A fault affecting the value of &#x0201C;Consistent&#x0201D; does not always cause a data error, because always returning <emphasis>True</emphasis> is considered a correct answer in this scenario.</para></listitem></itemizedlist>
<para>Analysis of the test case with the invalid telegram showed similar results.</para>
</section>
</section>
<section class="lev1" id="sec9-5" label="9.5" xreflabel="9.5">
<title>Concluding Remarks</title>
<para>In the chapter, the reader was introduced to the main ideas of a novel approach to SW-FMEA for component-based systems that can be composed with existing safety processes. The method can replace or augment classic approaches during software architecture analysis and automating much of the traditional FMEA techniques.</para>
<para>The work transfers techniques well-known in academia into the SW-FMEA of safety-critical embedded systems, with strong potential applicability in other dependability-critical domains. These techniques include explicitly embedding fault activation logic and operational semantics into the interpreted model and constructing error automata from the specification of normal and abnormal behaviours (see e.g., [<link linkend="ch09bib19">19</link>]). At the same time, the presented approach promises to have a low effort overhead over producing the base models (that are produced in a model-driven process even in the absence of SW-FMEA); something that is sorely missing from manually performing SW-FMEA.</para>
</section>
<section class="lev1" id="sec9-6">
<title>References</title>
<orderedlist numeration="arabic" continuation="restarts" spacing="normal">
<listitem>
<para><anchor id="ch09bib1"/>Pataricza, A. (2007). &#x0201C;Systematic Generation of Dependability Cases from Functional Models,&#x0201D; in <emphasis>Proceedings of the Symposium FORMS/FORMAT &#x02013; Formal Methods for Automation and Safety in Railway and Automotive Systems</emphasis>, Budapest, Hungary. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Pataricza%2C+A%2E+%282007%29%2E+%22Systematic+Generation+of+Dependability+Cases+from+Functional+Models%2C%22+in+Proceedings+of+the+Symposium+FORMS%2FFORMAT+-+Formal+Methods+for+Automation+and+Safety+in+Railway+and+Automotive+Systems%2C+Budapest%2C+Hungary%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch09bib2"/>Object Management Group. (2016). <emphasis>Semantics of a Foundational Subset for Executable UML Models (fUML), version 1.2.1.</emphasis></para></listitem>
<listitem>
<para><anchor id="ch09bib3"/>Object Management Group. (2013). <emphasis>Action Language for Foundational UML (Alf), version 1.0.1</emphasis>.</para></listitem>
<listitem>
<para><anchor id="ch09bib4"/>Object Management Group. (2015). <emphasis>Precise Semantics of UML Composite Structures (PSCS), version 1.0</emphasis>.</para></listitem>
<listitem>
<para><anchor id="ch09bib5"/>GitHub. (2016). <emphasis>Foundational UML Reference Implementation</emphasis>. [Online]. Available at: https://github.com/ModelDriven/fUML-Reference-Implem entation (accessed on 1 February 2016).</para></listitem>
<listitem>
<para><anchor id="ch09bib6"/>GitHub. (2016). <emphasis>moliz &#x02013; Model Execution Based on fUML</emphasis> [Online]. Available at: https://github.com/moliz (accessed on 1 February 2016).</para></listitem>
<listitem>
<para><anchor id="ch09bib7"/>Seidewitz, E, and Tatibouet, J. (2015). &#x0201C;Combining Alf and UML in Modeling Tools &#x02013; An Example with Papyrus,&#x0201D; in <emphasis>OCL 2015 &#x02013; 15th International Workshop on OCL and Textual Modeling: Tools and Textual Model Transformations Workshop Proceedings</emphasis>, 105&#x02013;119. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Seidewitz%2C+E%2C+and+Tatibouet%2C+J%2E+%282015%29%2E+%22Combining+Alf+and+UML+in+Modeling+Tools+-+An+Example+with+Papyrus%2C%22+in+OCL+2015+-+15th+International+Workshop+on+OCL+and+Textual+Modeling%3A+Tools+and+Textual+Model+Transformations+Workshop+Proceedings%2C+105-119%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch09bib8"/>Ciccozzi, F. (2014). <emphasis>From Models to Code and Back: A Round-trip Approach for Model-driven Engineering of Embedded Systems</emphasis>. Doctoral thesis, M&#x000E4;lardalen University, Sweden. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Ciccozzi%2C+F%2E+%282014%29%2E+From+Models+to+Code+and+Back%3A+A+Round-trip+Approach+for+Model-driven+Engineering+of+Embedded+Systems%2E+Doctoral+thesis%2C+M%E4lardalen+University%2C+Sweden%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch09bib9"/>Romero, G., Schneider, K., and Ferreira, M. G. V. (2014). &#x0201C;Using the base semantics given by fUML for verification,&#x0201D; in <emphasis>2014 2nd International Conference on Model-Driven Engineering and Software Development (MODELSWARD)</emphasis> (New York, NY: IEEE), 5&#x02013;16. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Romero%2C+G%2E%2C+Schneider%2C+K%2E%2C+and+Ferreira%2C+M%2E+G%2E+V%2E+%282014%29%2E+%22Using+the+base+semantics+given+by+fUML+for+verification%2C%22+in+2014+2nd+International+Conference+on+Model-Driven+Engineering+and+Software+Development+%28MODELSWARD%29+%28New+York%2C+NY%3A+IEEE%29%2C+5-16%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch09bib10"/>Schneider, A. S. and Treharne, H. (2011). &#x0201C;Towards a Practical Approach to Check UML/fUML Models Consistency Using CSP,&#x0201D; in <emphasis>Formal Methods and Software Engineering</emphasis>, eds S. Qin and Z. Qiu (Berlin: Springer), 33&#x02013;48. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Schneider%2C+A%2E+S%2E+and+Treharne%2C+H%2E+%282011%29%2E+%22Towards+a+Practical+Approach+to+Check+UML%2FfUML+Models+Consistency+Using+CSP%2C%22+in+Formal+Methods+and+Software+Engineering%2C+eds+S%2E+Qin+and+Z%2E+Qiu+%28Berlin%3A+Springer%29%2C+33-48%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch09bib11"/>CECRIS. (2016). <emphasis>CECRIS &#x02013; Certification of Critical Systems, Grant Agreement no.: 324334, IAPP Marie Curie Action, 7th Framework Program</emphasis>. Available at: <ulink url="http://www.cecris-project.eu">http://www.cecris-project.eu</ulink> (accessed on 16 January 2016). <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=CECRIS%2E+%282016%29%2E+CECRIS+-+Certification+of+Critical+Systems%2C+Grant+Agreement+no%2E%3A+324334%2C+IAPP+Marie+Curie+Action%2C+7th+Framework+Program%2E+Available+at%3A+http%3A%2F%2Fwww%2Ececris-project%2Eeu+%28accessed+on+16+January+2016%29%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch09bib12"/>Bonfiglio, V., Montecchi, L., Rossi, F., Lollini, P., Pataricza, A., and Bondavalli, A. (2015). &#x0201C;Executable Models to Support Automated Software FMEA,&#x0201D; in <emphasis>2015 IEEE 16th International Symposium on High Assurance Systems Engineering (HASE)</emphasis> (New York, NY: IEEE), pp. 189&#x02013;196. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Bonfiglio%2C+V%2E%2C+Montecchi%2C+L%2E%2C+Rossi%2C+F%2E%2C+Lollini%2C+P%2E%2C+Pataricza%2C+A%2E%2C+and+Bondavalli%2C+A%2E+%282015%29%2E+%22Executable+Models+to+Support+Automated+Software+FMEA%2C%22+in+2015+IEEE+16th+International+Symposium+on+High+Assurance+Systems+Engineering+%28HASE%29+%28New+York%2C+NY%3A+IEEE%29%2C+pp%2E+189-196%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch09bib13"/>Object Management Group. (2011). <emphasis>UML Profile for MARTE: Modeling and Analysis of Real-Time Embedded Systems, version 1.1</emphasis>. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Object+Management+Group%2E+%282011%29%2E+UML+Profile+for+MARTE%3A+Modeling+and+Analysis+of+Real-Time+Embedded+Systems%2C+version+1%2E1%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch09bib14"/>Mayerhofer, T. (2014). <emphasis>Defining Executable Modeling Languages with fUML</emphasis>. Doctoral thesis, Vienna University of Technology. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Mayerhofer%2C+T%2E+%282014%29%2E+Defining+Executable+Modeling+Languages+with+fUML%2E+Doctoral+thesis%2C+Vienna+University+of+Technology%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch09bib15"/>European Railway Agency. (2014). &#x0201C;ERTMS/ETCS System Requirements Specification&#x0201D;, SUBSET-26.</para></listitem>
<listitem>
<para><anchor id="ch09bib16"/>Object Management Group. (2013). Semantics of a Foundational Subset for Executable UML Models (fUML).</para></listitem>
<listitem>
<para><anchor id="ch09bib17"/>ModelDriven. (2016). ModelDriven.org: Action language for UML (Alf) open source implementation. Available at: <ulink url="http://modeldriven.github.io/Alf-Reference-Implementation/">http://modeldriven.github.io/Alf-Reference-Implementation/</ulink> <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=ModelDriven%2E+%282016%29%2E+ModelDriven%2Eorg%3A+Action+language+for+UML+%28Alf%29+open+source+implementation%2E+Available+at%3A+http%3A%2F%2Fmodeldriven%2Egithub%2Eio%2F+Alf-Reference-Implementation%2F" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch09bib18"/>Papadopoulos, Y., McDermid, J., Sasse, R., and Heiner G. (2001). Analysis and synthesis of the behaviour of complex programmable electronic systems in conditions of failure. <emphasis>Reliabil. Eng. Syst. Safety</emphasis> 71, 229&#x02013;247. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Papadopoulos%2C+Y%2E%2C+McDermid%2C+J%2E%2C+Sasse%2C+R%2E%2C+and+Heiner+G%2E+%282001%29%2E+Analysis+and+synthesis+of+the+behaviour+of+complex+programmable+electronic+systems+in+conditions+of+failure%2E+Reliabil%2E+Eng%2E+Syst%2E+Safety+71%2C+229-247%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch09bib19"/>Gallina, B., and Punnekkat, S. (2011). &#x0201C;FI4FA: A Formalism for Incompletion, Inconsistency, Interference and Impermanence Failures&#x02019; Analy- sis,&#x0201D; in <emphasis>2011 37th EUROMICRO Conference on Software Engineering and Advanced Applications (SEAA)</emphasis> (New York, NY: IEEE), 493&#x02013;500. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Gallina%2C+B%2E%2C+and+Punnekkat%2C+S%2E+%282011%29%2E+%22FI4FA%3A+A+Formalism+for+Incompletion%2C+Inconsistency%2C+Interference+and+Impermanence+Failures%27+Analy-+sis%2C%22+in+2011+37th+EUROMICRO+Conference+on+Software+Engineering+and+Advanced+Applications+%28SEAA%29+%28New+York%2C+NY%3A+IEEE%29%2C+493-500%2E" target="_blank">Google Scholar</ulink></para></listitem></orderedlist>
</section>
</chapter>
<chapter class="chapter" id="ch10" label="10" xreflabel="10">
<title>A Monitoring and Testing Framework for Critical Off-the-Shelf Applications and Services</title>
<para role="author"><emphasis role="strong">Nuno Antunes<superscript>1</superscript>, Francesco Brancati<superscript>2</superscript>, Andrea Ceccarelli<superscript>3,4</superscript>, Andrea Bondavalli<superscript>3,4</superscript> and Marco Vieira<superscript>1</superscript></emphasis></para>
<para><superscript>1</superscript>CISUC, Department of Informatics Engineering, University of Coimbra, Portugal</para>
<para><superscript>2</superscript>Resiltech s.r.l., Pontedera (PI), Italy</para>
<para><superscript>3</superscript>Department of Mathematics and Informatics, University of Florence, Florence, Italy</para>
<para><superscript>4</superscript>CINI-Consorzio Interuniversitario Nazionale per l&#x02019;Informatica-University of Florence</para>
<para>One of the biggest verification and validation challenges is the definition of approaches and tools to support systems assessment while minimizing costs and delivery time. Such tools reduce the time and cost of assessing Off-The-Shelf (OTS) software components that must undergo proper certification or approval processes to be used in critical scenarios. In the case of testing, due to the particularities of components, developers often build <emphasis>ad hoc</emphasis> and poorly-reusable testing tools, which results in increased time and costs. This chapter introduces a framework for testing and monitoring of critical OTS applications and services. The framework includes (i) a box instrumented for monitoring OS and application level variables, (ii) a toolset for testing the target components, and (iii) tools for data storing, retrieval and analysis. We present an implementation of the framework that allows applying, in a cost-effective fashion, functional testing, robustness testing and penetration testing to web services. Finally, the framework usability and utility is demonstrated based on two different case studies that also show its flexibility.</para>
<section class="lev1" id="sec10-1" label="10.1" xreflabel="10.1">
<title>Introduction</title>
<para>Verification and Validation (V&#x00026;V) has been largely applied in scenarios that involve life and mission critical embedded systems, and is dominantly used as a design-time quality control process for the purpose of evaluation of the compliance between of a product, service, or system [<link linkend="ch10bib1">1</link>]. Checking a system using traditional V&#x00026;V methods frequently exceeds the effort needed for the core development time. In fact, rigorous V&#x00026;V in on the fundaments of critical applications and has been applied in several domains as the railway [<link linkend="ch10bib2">2</link>] and space [<link linkend="ch10bib3">3</link>], and recently a strong effort has been made to standardize these practices for automotive [<link linkend="ch10bib4">4</link>].</para>
<para>Although the industry rapidly turns to system integration based on the reuse of hardware and software components, also known as off-the-shelf (OTS) components, it is still necessary to apply rigorous V&#x00026;V techniques to assess the applications. While hardware OTS are nowadays widely accepted, and used (they have their own certification), software OTS still creates serious difficulties to companies, which are on one hand constrained to meet predefined quality goals, whereas, on the other hand, are required to deliver systems at acceptable cost and time to market. Large companies mainly follow a brute-force approach by focusing large volume investment into tooling and in-house training, but even high-tech SMEs are highly vulnerable to the new challenges.</para>
<para>In this context, one of the biggest challenges to the V&#x00026;V community is to define <emphasis role="strong">methods, strategies and tools able to validate a system adequately</emphasis>, while simultaneously keeping the <emphasis role="strong">cost and delivery time reasonably low</emphasis>. The key part of the challenge is to establish a proper balance between achievable quality with a particular technique (in terms of RAMS attributes) and the costs required for achieving such quality. The problem grows when it is necessary to include COTS components in a critical system that must be certified. As a matter of fact, although modern standards consider the possibility of assessing products, which encompass COTS software, this is still considered a challenge [<link linkend="ch10bib5">5</link>].</para>
<para>In industrial practices, <emphasis>integration</emphasis> and <emphasis>usage</emphasis> of OTS software components in critical systems is generally supported by two different assessment processes, both to understand the behaviour of the component and to assess that it does not introduce hazards in the system. In the first, whenever applicable, the activity is limited to assess the integration, verifying that the OTS component is properly wrapped in the system without affecting system&#x02019;s safety. In the second, a complete assessment of the OTS component is performed; this may include activities as production of documentation, reverse engineering, and static analysis, among others. For companies, this usually means a reasonable amount of <emphasis role="strong">effort in developing a specific tool</emphasis> that can support the testing of a specific OTS component to be integrated in a certain critical system.</para>
<para>This chapter presents a framework for testing and monitoring critical applications and services. The framework monitors the variables of the system while applying diverse forms of testing over the applications. This way, it is possible to better detect problems in the applications as well as better diagnosing them, maximizing the effectiveness of the tests. The framework is based on an application independent and reusable core infrastructure, allowing the user to apply cost effective practices. The proposed framework consists of two main components, as follows.</para>
<para>The first, named <emphasis role="strong">Instrumented System</emphasis> is a monitoring environment where the applications or services can be executed and monitored. The kernel of the operating system is instrumented to monitor all the variables that are representative for V&#x00026;V process. The environment also includes middleware that is also instrumented to provide values of the all the variables representative for V&#x00026;V at this level. The second component named <emphasis role="strong">Test and Collect</emphasis> contains a set of tools for application testing and, data storage and analysis. The testing tools included should be able to generate different types of testing including functional testing, robustness testing, security testing, etc. For data storage the framework includes a database management system and tools to allow the user, in a semi-automated way, to generate a schema able to store the values of the monitored variables.</para>
<para>The use of this kind of analysis is essential for the conscious use of OTS components. By testing the OTS, it is also possible to use wrapping strategies [<link linkend="ch10bib6">6</link>, <link linkend="ch10bib7">7</link>] around the identified problematic parts of the component. An important part of the implementation is that one instance of this component can be connected to multiple instrumented systems. This way, the framework is prepared to be extended for other purposes, as in the case of monitoring a large scale system with multiple nodes, as it is possible to correlate data from multiple sources and also analyse more complex systems.</para>
<para>Several works have shown the usefulness of system monitoring to detect anomalies in the system. Statistical analysis algorithms have been used in the past for on-line fault detection [<link linkend="ch10bib8">8</link>]. This technique overcomes some of the limitations of static threshold analysis, that for instance in [<link linkend="ch10bib9">9</link>] monitoring techniques are used to detect application hangs. Works towards certifying OTS components are also not new. The technique [<link linkend="ch10bib10">10</link>] tries to determine the quality of OTS components using black box and fault injection in two phases: first, the component is tested to make sure it works properly, and second, the system is tested to make sure that the system works even if the component presents an incorrect behaviour.</para>
<para>The chapter also presents a prototype implementation and demonstration of the framework. The implementation includes tools that allow the user to apply to the web services different types of testing: functional, stress, robustness and penetration testing. During the different testing processes, the system variables are monitored both at middleware level and at operating system level. Two different case studies were devised to demonstrate and evaluate the framework.</para>
<para>The first <emphasis role="strong">case study is focused on the services of the Life ray Portal</emphasis>, an enterprise web platform project that aims for immediate delivery of robust business solutions for organizations. This case study allowed us to demonstrate the flexibility, usability and utility of the framework. The results revealed the services under test performing quite well in the situations tested. Obviously, the quality of the tests performed depends on the testing tools used, but this discussion is out of the scope of this work, as the merits of each tool were evaluated and discussed in different works by their authors [<link linkend="ch10bib11">11</link>, <link linkend="ch10bib12">12</link>].</para>
<para>The second <emphasis role="strong">case study is focused on simulator of a railway</emphasis> environment that includes a system that should detect anomalous and hazardous situations on the trains running on that line. The stringent requirements of the system that should be tested and validated exactly in the same setup as it will operate demonstrated the flexibility of the toolbox, which was able to be easily ported into such environment.</para>
<para>The chapter is organized as follows. Section 10.2 describes the concepts behind the framework, while Section 10.3 presents the implementation details. Section 10.4 presents the case studies used to demonstrate the framework and the respective details. Section 10.5 concludes the section and puts forward relevant future work.</para>
</section>
<section class="lev1" id="sec10-2" label="10.2" xreflabel="10.2">
<title>Framework Architecture</title>
<para>Our proposal is an advanced framework for testing and monitoring critical applications and services. Despite the most common approach for testing OTS web services is the &#x0201C;black box&#x0201D;, the tool has been designed to take advantages of any piece of information available. The overall architecture of the proposed framework is depicted in <link linkend="F10-1">Figure <xref linkend="F10-1" remap="10.1"/></link>. As it is possible to observe, the framework is based on two main components: i) <emphasis>Instrumented System</emphasis>, which the system in which the web service is running, and ii) <emphasis>Test and Collect</emphasis>, which is used to stimulated the web service and to collect evidences of its behaviour. Although the current implementation focuses on Java Web Services running over a Tomcat 7 Application Server (AS) and a Linux CentOS 6 Operative System (OS), the proposed solution can be evolved to different platforms and Web Services Middleware (AS).</para>
<fig id="F10-1" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F10-1">Figure <xref linkend="F10-1" remap="10.1"/></link></label>
<caption><para>Framework architecture: overall view and interactions.</para></caption>
<graphic xlink:href="graphics/ch10_figN001.jpg"/>
</fig>
<para>As we can observe, <link linkend="F10-1">Figure <xref linkend="F10-1" remap="10.1"/></link> also shows the interactions between the two systems of the framework: the testing tool invokes methods of the web service triggering specific functionalities, and at the same time the analysis tools read information on the overall status of the operative system and service middleware. The next sections present the concepts behind each component.</para>
<section class="lev2" id="sec10-2-1" label="10.2.1" xreflabel="10.2.1">
<title>Instrumented System (IS)</title>
<para>The Instrumented System is a monitoring environment where the applications or services can be executed and tested. Considering that weaknesses can affect the middleware layer (e.g., depleting available free memory in the heap) and the operating system layer (e.g., exchanging a huge amount of data or delaying the overall system), both are object of monitoring.</para>
<para><link linkend="F10-2">Figure <xref linkend="F10-2" remap="10.2"/></link> represents the monitored components (Operating System, Middleware, Applications) and data flows. The key innovation is to monitor both the variables of the <emphasis>OS</emphasis> and of the <emphasis>Middleware</emphasis> (when applicable) at the same time the application is being tested. This provides detailed data on the behaviour of the OTS component, thus going beyond the mere collection of inputs and outputs or the monitoring of specific functions of the underlying system that the OTS component uses. To achieve this, it is necessary to instrument the kernel of the OS introducing monitoring probes that report the value of the selected variables per unit of time. These values should be stored in a standard format to later be externalized through the <emphasis>Dataflow Out (DO)</emphasis>.</para>
<fig id="F10-2" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F10-2">Figure <xref linkend="F10-2" remap="10.2"/></link></label>
<caption><para>Detailed functioning of the Instrumented System.</para></caption>
<graphic xlink:href="graphics/ch10_fig002.jpg"/>
</fig>
<para>As example of middleware, the environment may include an <emphasis>application server</emphasis> where the user can run the web applications and services that are necessary to be tested. Also, the application server includes monitoring of the values of relevant variables that are also stored in a standard format for later use of the <emphasis>DO</emphasis>. Due to the emerging role that web applications and services have in critical systems, the inclusion of a monitored application server is a very important requirement, as this allows gathering the values of variables that are closer to the applications under test.</para>
<para>The <emphasis>Dataflow In (DI)</emphasis> is necessary to perform the test in the applications. In the case of web applications and services, which have an interface available over the network, the DI In is constituted by the ports used to perform the tests together with OTS components that can execute the tests through these ports. The environment should also be ready to support the testing of other applications, with the Dataflow having the responsibility of translating the tests created by the testing tools in a form that can be executed in the target application. In practice, the Dataflow In represents the only part of Instrumented System that the user should implement in order to have his application tested.</para>
</section>
<section class="lev2" id="sec10-2-2" label="10.2.2" xreflabel="10.2.2">
<title>Test and Collect</title>
<para>Test and Collect includes a set of extensible tools that should support the user in two main activities: (i) <emphasis>testing</emphasis>, and (ii) <emphasis>storage and analysis</emphasis>. The <emphasis role="strong">testing</emphasis> component controls the execution of the testing tools. Although the framework is designed to be fully automated, the human interaction cannot be completely avoided at least for the test execution.</para>
<para>The level of human interaction can vary from test to test; thus, each testing tool should provide its own interaction interface. It is mandatory that the testing tool communicates with the <emphasis role="strong">storage and analysis</emphasis> module to trace testing activity, providing information as test input/output, and executions results and durations that should be logged by the storage module to match the results provided by the IS during the execution of these tests. <link linkend="F10-3">Figure <xref linkend="F10-3" remap="10.3"/></link> depicts this relationship, which is detailed below.</para>
<fig id="F10-3" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F10-3">Figure <xref linkend="F10-3" remap="10.3"/></link></label>
<caption><para>Detailed functioning of the Test and Collect.</para></caption>
<graphic xlink:href="graphics/ch10_fig003.jpg"/>
</fig>
<para>The <emphasis role="strong">storage and analysis</emphasis> module is also in charge of harvesting data from the IS probes and of structuring and storing them to facilitate the subsequent data analysis. The storage component is made up of three modules: (i) <emphasis>Probes Collector</emphasis> (PC), (ii) <emphasis>Data Manager</emphasis> (DM), and (iii) <emphasis>Database</emphasis> (DB).</para>
<para>The PC is responsible of reading data from IS probes and due to the different sources (middleware or OS) it needs to use different policies to respect the data availability and probe servers&#x02019; constraints. Data read are then managed by the DM component that organizes the data coming from middleware structuring it to provide the state of the monitored system from a specific point of view.</para>
<para>Finally, data is stored in the underlying database. To provide more efficient data analysis capabilities, the template schema follows the model of a star schema from OLAP. In fact, a well-structured data repository and OLAP analysis can be very useful for analysis of results from dependability evaluation experiments [<link linkend="ch10bib13">13</link>]. Additionally, it makes possible to share and compare the results of multiple different experimental evaluations [<link linkend="ch10bib13">13</link>].</para>
<para>The <emphasis role="strong">testing tools</emphasis> included should be able to generate different types of testing including functional testing, stress testing, robustness testing, penetration testing, security testing, etc. The definition of tests is always dependent on the type of application as well as specific to the domain of the application (e.g., testing requirements from standards). In the case of web applications and services, where the interfaces are usually well defined, the test generating tools usually require only minor configuration. However, in the case of other applications the user may be requested to configure or even extend the testing tools. To cope with this, the tools included are prepared to be easily extensible to accommodate the user needs. As the tools are easy to modify or replace, the framework provides high flexibility and makes it easier to test applications.</para>
<para>Functional testing is a black box testing technique that tries to find discrepancies between the program and the external specification [<link linkend="ch10bib14">14</link>] and it is based on a set of test cases derived from the analysis of the specification. Stress testing subjects the program to heavy loads or stresses [<link linkend="ch10bib14">14</link>]. In this case, the testing application must submit loads that match (or even surpass) the load that the application under test is specified to sustain over a period of time. This is particularly useful in web-based applications where you want to ensure that your application can handle a specific volume of concurrent users or requests. Robustness testing is a specific form of black-box testing. The goal is to characterize the behaviour of a system in presence of erroneous input conditions. Robustness testing stimulates the system in a way that triggers internal errors, exposing programming and design errors both in the error detection and recovery mechanisms. Penetration testing is a specialization of robustness testing that consists of the analysis of the program execution in the presence of malicious inputs, searching for potential vulnerabilities. Penetration testing tools provide an automatic way to search for vulnerabilities avoiding the repetitive and tedious task of doing hundreds or even thousands of tests by hand for each vulnerability type.</para>
<para>Finally, the toolset should be allowed to be used several data analysis algorithms; including fault detection mechanisms based in static threshold analysis algorithms and also statistical analysis algorithms. However, the main idea is to leave to the user the conditions to perform the analysis using the algorithms that he is more experienced with and, above of all, that are most adequate to his business domain. In fact, one strength of the use OLAP analysis techniques is the optimization of their schema for the use of <emphasis>ad-hoc</emphasis> queries [<link linkend="ch10bib13">13</link>].</para>
</section>
</section>
<section class="lev1" id="sec10-3" label="10.3" xreflabel="10.3">
<title>Implementation Details</title>
<para>To show the applicability of the approach and perform an experimental evaluation, a prototype was designed and is currently under development. For cost reduction and to allow bigger flexibility, effort was made to use low licensing cost solutions resulting many times in preference for free or open source software. It is important that, in many cases, the selection of one technology to use impacts the technologies for other layers. The next sections detail the status of implementation of each one of the components of the framework as well as the technologies selected to use.</para>
<section class="lev2" id="sec10-3-1" label="10.3.1" xreflabel="10.3.1">
<title>Instrumented System (IS) Implementation</title>
<para>The node component was implemented in a virtual machine. This option for virtualization provides flexibility as can be easily replicated and maintained. This will allow the deployment of the node ready to use in any number necessary for the system. The operating system selected to implement the prototype was CentOS [<link linkend="ch10bib15">15</link>]. First we narrowed our options to Linux based distributions due to the cost advantage and to the diversity of monitoring options to monitor the kernel events. From the multitude of options available, CentOS provides a free enterprise class OS.</para>
<para>The instrumentation of the operating system was implemented in the form of a loadable kernel module using the SystemTap tool [<link linkend="ch10bib16">16</link>]. This tool builds on and extends the capabilities of the <emphasis>kprobes</emphasis> [<link linkend="ch10bib17">17</link>] kernel debugging infrastructure and allows to program breakpoint handlers using a high-level scripting language that is later translated into C code. This way, SystemTap simplifies the development of system instrumentation and also improves the reuse of existing instrumentations, thus allowing building up on the expertise of others. The developers of SystemTap also took into consideration the portability and safety concerns, both of which have major importance in this work.</para>
<para>The prototype implementation of Instrumented System includes, as example of middleware, an application server with monitoring capabilities to allow testing the web applications and services. The selection of choice was JBoss Application Server (JBoss AS) [<link linkend="ch10bib18">18</link>], an application server that implements the Java Platform, Enterprise Edition (Java EE). It is free and open source software available under the terms of the GNU LGPL and it is written in Java and as such is cross-platform: usable on any operating system that supports Java. JBoss represents the industry <emphasis>de facto</emphasis> standard for deploying Java-based Web applications, it has a wide community acceptance, and support subscriptions can be purchased. For monitoring the values of the applications running inside the app server, it is used Java Management Extensions (JMX) Technology. JMX provides the tools for building distributed, modular and dynamic solutions for monitoring devices or applications. It is designed to provide high flexibility both for legacy systems and for the future. JMX is supported by the most relevant Java application servers. This will allow in the future, porting the monitoring solution to other application servers, and it was one of the requirements as it is planned to add other servers to the prototype to provide a broader range of options and compatibility to the user.</para>
<para>The implementation of the <emphasis>Dataflow In</emphasis> depends greatly on the applications to be tested. For the case of web applications and web services, OTS components together with the ports that allow the network traffic constitute the <emphasis>Dataflow In</emphasis>. For instance, in the case of web services, the toolset includes the open source tool <emphasis>soapui</emphasis> [<link linkend="ch10bib19">19</link>], that is the visible part of the Dataflow In for the user. This tool allows to easily executing user-defined tests in the web services under test. In other cases, where the test execution such be from inside the testing machine, it is under development a daemon to run in background accepting communication through TPC sockets and performing the required tests.</para>
<para>Finally, the dataflow out was implemented as folder where the monitoring systems can write the files and from where the Test and Collect can pool the files periodically. The data is split in chunks, each file containing the data respecting to a certain period of time that is identified in the filename. There are many ways to extract the files from the exterior, but the solution currently adopted consists of using <emphasis>secure copy</emphasis> (scp), is a protocol to securely transfer files between two hosts, based on the <emphasis>SSH</emphasis> protocol. This is a preliminary implementation that will be enough for experimental evaluation but as a more automated solution is under development and should replace it in a near future.</para>
</section>
<section class="lev2" id="sec10-3-2" label="10.3.2" xreflabel="10.3.2">
<title>Test and Collect Implementation</title>
<para>The Test and Collect includes a set of testing tools ready to use. Most of these tools are black-box tools, and as the name shows, these tools view the program as a black box and are completely unconcerned about its internal behaviour. Our framework by analysing the values of the monitored variables uses information about the behaviour of the application in a transparent fashion to the testing tools. Most of the tools included also target web services, one of the main targets of the framework, as they are increasingly used in business-critical systems. They provide always a well-defined interface, allowing an easy use of automated tools. Other types of tools and also targeting other will be added in future versions of the framework. In very specific domains, the user will need to write the necessary tests and implement the necessary tools to use them.</para>
<para>The testing tools currently available allow performing functional and stress test, penetration test and robustness test. The testing framework has been developed minimizing the human interaction especially during the testing activities. With the present tools, the human interaction is indeed focused in the configuration phase, which must be performed one time for each tool. Such tools can provide common configurations as well as they can propose a configuration that suits the testing needs.</para>
<section class="lev3" id="sec10-3-2-1" label="10.3.2.1" xreflabel="10.3.2.1">
<title>Functional and stress testing</title>
<para>Functional test is a quality assurance process based on black-box approach that aims to provide a proof of implementation correctness regarding the specifications of the software under test. The test is performed feeding the software under test with well-known values and examining the output produced.</para>
<para>Although common functional tests involve the test of single methods, within this context, it has been followed an approach which tackles high-level functionalities. The approach consists of a set of workflows that mimic the behaviour of a software user for executing specific high-level tasks, which in turn can comprise the invocation of a huge variety of methods [<link linkend="ch10bib20">20</link>].</para>
<para>The workflows definition is a cornerstone of this approach and it must be defined specifically for each service under test considering its interface and the software specification. Workflows define how and when the service interface of the software under test should be questioned and, also, they provide the information needed for the subsequent phase of result validation. Following the black-box approach the verification is done invoking specific methods of the service for checking its internal status.</para>
<para>The importance of these workflows is further emphasized since they can be used as bricks for compound and complex workflows for Stress testing. Stress testing is a form of deliberately intense testing used to determine the stability of a given system. The tool developed for functional test, properly configured with suitable workflows, can stimulate the system under test to provide evidence of stability. Workflows for Stress testing have been defined from the high-level tasks identified for the functional tests by parallelizing multiple high-level tasks invoked from a variety of users and abbreviating to the minimum the delay between sequential invocations.</para>
</section>
<section class="lev3" id="sec10-3-2-2" label="10.3.2.2" xreflabel="10.3.2.2">
<title>Robustness testing and penetration testing</title>
<para>Robustness testing is a specific form of black-box testing that attempts to characterize the behaviour of a system in the presence of erroneous or unexpected input conditions [<link linkend="ch10bib21">21</link>]. The tool instrumented in the testing framework implements the technique proposed in [<link linkend="ch10bib22">22</link>]. The approach consists of a set of robustness tests that is applied during execution to disclose both programming and design problems.</para>
<para>The set of robustness tests is automatically generated by applying a set of predefined rules (see detailed list in [<link linkend="ch10bib22">22</link>]) to the parameters of each operation of the web service during the workload execution. An important aspect is that rules focus difficult input validation aspects, such as: null and empty values, valid values with special characteristics, invalid values with special characteristics, maximum and minimum valid values in the domain, values exceeding the maximum and minimum valid values in the domain, and values that cause data type overflow. The robustness of the web services is characterized according to the failure modes adapted from the CRASH scale.</para>
<para>Penetration testing is nowadays one of the most used techniques by web developers to detect vulnerabilities in their applications and services. This technique assumes particular relevance in the web services environment, as many times clients and providers need to test services without having access to the source code (e.g. when testing third-party services), which prevents the use of more effective techniques that require that access. The tool instrumented in the testing framework implements a technique targeting the detection of SQL Injection vulnerabilities in web services. The tool was originally presented in [<link linkend="ch10bib11">11</link>].</para>
</section>
<section class="lev3" id="sec10-3-2-3" label="10.3.2.3" xreflabel="10.3.2.3">
<title>Data storage and analysis tools</title>
<para>A tool is under development for the generation of the star schema according to the needs of the user. This tool, based on the template star schema provided, and after some configuration by the user, generates the schema that will store the monitored data. This tool will also include capabilities to perform the extraction, transformation and load (ETL) of the data. It will allow the user to retrieve the data from the Instrumented Systems using the <emphasis>Dataflow Out</emphasis> channel and insert the data in the schema. With a wide range of options for ETL software available, the option for developing a new tool comes from simplicity reasons: it would be an exaggeration to use a heavy ETL tool while our toolset only needs for a very specific and simple tool that designed to work based on a the configuration that the user provides when creating the star schema for the DBMS. Also, the use of third party ETL tools would most probably require the user to have knowledge on how to operate them.</para>
<para>A myriad of solutions are available to implement the data storage. PostgreSQL <footnote id="fn10_1" label="1"> <para>www.postgresql.org</para></footnote> is an open source solution with a long history of development a proven architecture with recognized reputation for reliability, data integrity, and correctness. It gives to the framework great flexibility as it runs on all major operating systems, including Linux, UNIX, and Windows. A lot of tools from the community support PostgreSQL, and it is also widely supported by open source business intelligence tools as SpagoBI <footnote id="fn10_2" label="2"> <para>www.spagobi.org</para></footnote> and Pentaho community edition <footnote id="fn10_3" label="3"> <para>http://community.pentaho.com</para></footnote>.</para>
<para>As aforementioned, in terms of data analysis, the main goal is to provide the user the best conditions for the execution of the analysis of his preference. With this goal, the tool set includes basis tools for data visualization and query execution. The toolset will also include the more advanced tools as the mentioned BI tools (SpagoBI and Pentaho CE) as well as other options that are also considered to be included in the toolset [<link linkend="ch10bib23">23</link>]. For better analysis, it is necessary that the data is correlated to the tests executed, and this is a very important part of the ETL process. Finally, the toolset will include ready to use tools that use some more specific algorithms targeting fault detection, proposed by research community. Examples of these works are static threshold analysis [<link linkend="ch10bib9">9</link>] and statistical analysis algorithms for on-line fault detection [<link linkend="ch10bib8">8</link>].</para>
</section>
</section></section>
<section class="lev1" id="sec10-4" label="10.4" xreflabel="10.4">
<title>Demonstration</title>
<para>Two case studies were devised to demonstrate the applicability and feasibility of the approach.</para>
<para>The first case study is presented in Section 10.4.1 and uses the Life ray Portal [<link linkend="ch10bib24">24</link>], which is an enterprise web platform project that aims for immediate delivery of robust business solutions for organizations. An API based on SOAP web services is provided, containing a diverse range of functionalities. These services are an interesting case for testing the framework, after the framework is deployed on top of the instrumented JBoss AS middleware.</para>
<para>The second case study, presented in Section 10.4.2, is based on the PMF simulator. SHAPE is a system installed along a specific railway line. The main purpose of the system is to automatically detect anomalous and hazardous situations on the trains running on that line. SHAPE aims at detecting two specific situations: i) SHAPE can detect fires on board a train, through reading at a distance of the temperature of the external surface of the trains; ii) it is able to detect possible violations of the reference shape, through specific laser scanners, in order to identify any dangerous protruding part of the train.</para>
<section class="lev2" id="sec10-4-1" label="10.4.1" xreflabel="10.4.1">
<title>Case Study: Life Ray Web Services</title>
<para>Life ray is free and open sourced Java software that was initially developed to provide an open source enterprise quality portal. Since the early stages of development, Life ray has been widely adopted for intranet as well as extranet enterprise solution. Eventually, it brought Life ray to have a big supporting community, which, together with the Life ray foundation, contributed to define a generic and extendible product.</para>
<para>Life ray Portal is an enterprise web platform project that aims for immediate delivery of robust business solutions for organizations. It includes features that are usually necessary for the development of websites and portals, as built-in web content and document management system. Life ray is developed using Java technologies and it is ready to work in a large set of web/application servers. In fact, the community edition is free and open source software available under Licensed under the terms of the GNU LGPL. It follows an extendible architecture by plugins that, in turn, encompass collaboration, social networking, and single sign on, per-component privileges policy as well as e-commerce tools. Third-party plugins are also available to provide more advanced feature such as Microsoft office integration. A plugin can be seen as a J2EE-Servlet and is referred to as a portlet. Portlets communicate with each other using the services that each one exposes that, in turn perform the portlets business logic. Our installation of Life ray includes the version 6.0 of the portal and 83 deployed SOAP (Simple Object Access Protocol) web services. More details on Life ray can be found in [<link linkend="ch10bib24">24</link>].</para>
<section class="lev3" id="sec10-4-1-1" label="10.4.1.1" xreflabel="10.4.1.1">
<title>Tests performed</title>
<para>During this case study, different types of tests were applied: Functional, Stress, Penetration and Robustness tests. To verify the correctness of Liferay services, a study on its plugins interaction has been conducted. The necessity for the preliminary study has been felt because of the strictly correlated invocations among methods exposed by web services.</para>
<para>The preliminary study has been exploited to define workloads that could mimic the behavior of Life ray internal interactions, which correspond to <emphasis role="strong">functional tests</emphasis>. Even simple activity, like posting a message on the blog by UI interface, could involve a plethora of plugins including authentication, user information retrieving, permission checking and finally messaging service. To stimulate Life ray in a way that could resemble human activities, many Workloads have been defined to cover Life ray functionalities by mimicking the behavior of human interaction. Mimicked actions encompass posting a message in the blog and in the forum, creating an event in the calendar, creating a directory-tree in the file repository and uploading a file in it.</para>
<para>These workloads have been used to define other workloads for <emphasis role="strong">stress tests,</emphasis> to highlight possible weakness in terms of concurrency management. Those tests have been designed from the workloads defined for functional tests to evaluate Life ray behavior under a heavy load. For each workload, that mimics a specific action, a new one is defined as a composition of many copies of the same workload; these copies differ just for the user. The purpose of this approach is to simulate multiple users&#x02019; activities on Life ray, that stimulate the same services and some shared data. The stress test, as it is designed, suits especially well when there isn&#x02019;t a sound knowledge of web services internal mechanism; the deeper is the knowledge of web service internals the more effective workloads can be designed.</para>
<para>Regarding <emphasis role="strong">robustness testing</emphasis>, due to the preliminary study performed for the functional test, a generic knowledge of methods invocation was available to configure the tool to generate better tests. This knowledge was especially important for the tool to use values that exercise the code of the web service under test in a more complete way. After the configuration of the tool it submits the robustness tests in an automated way and reports the robustness problems found.</para>
<para>As for <emphasis role="strong">penetration testing</emphasis>, the available knowledge of methods invocation was a key to configure the tool to generate better workloads and attack loads. This is especially relevant for this tool as its effectiveness is depending on the completeness of its workloads. After this configuration, the test execution is a straightforward process in which the tool submits its workload and attack load to the web service and then reports the vulnerabilities found.</para>
</section>
<section class="lev3" id="sec10-4-1-2" label="10.4.1.2" xreflabel="10.4.1.2">
<title>Tests results</title>
<para>Experiment execution is made up of three phases, where just the final one is specific for the kind of test to be conducted. The phases are:</para><orderedlist numeration="arabic" continuation="restarts" spacing="normal">
<listitem>
<para>Set up Service Under Test (SUT),</para></listitem>
<listitem>
<para>Data Logger execution,</para></listitem>
<listitem>
<para>Testing tool execution.</para></listitem></orderedlist>
<para>On the first phase the service under test is started up. This phase includes also the startup of middleware and OS probes. The second phase can be launched simultaneously, as it does not read information from OS or middleware probes: it just prepares the structures needed for logging. During test execution, the testing framework logs raw tests results and prints on the console information on the tests execution (test currently running, test duration, etc.). This information is useful to monitoring the tests execution. Test results are collected during test execution; at the tests termination, collected data are flushed into a database.</para>
<para>Different tools that range from very specific tools such as R or MatLab to commonly available and general-purpose tool such as OpenOffice-Calc are installed on the Test and Collect system, connected to the database, and can be used to retrieve and analyze data.</para>
<para>Due to the wide usage and the extended support that Life ray received from its community since its development started, it was expected that Life ray passed all the functional tests defined.</para>
<para><link linkend="F10-4">Figure <xref linkend="F10-4" remap="10.4"/></link> shows an extract of the workload (set of services invocations) used for creating a new event on a calendar (it includes logging in to the system, listing the available/subscribed calendars, choose to first one and listing all the events of February, adding the new item then logging out; subsequently further invocations checks that the event was correctly recorded). The invocation correctness is verified by a visual inspection of Life ray services.</para>
<fig id="F10-4" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F10-4">Figure <xref linkend="F10-4" remap="10.4"/></link></label>
<caption><para>An extract of the workload to set a New Calendar Event.</para></caption>
<graphic xlink:href="graphics/ch10_fig004.jpg"/>
</fig>
<para>The output produced during the execution of the test is displayed on the screen of the Test and Collect system and consists of a sequence of services methods invocations. For each one of these, the HTTP response code is printed out. Being a functional test is mandatory that the HTTP response code would match with the expected one.</para>
<para>The aim of this <emphasis role="strong">stress testing</emphasis> is to assess the ability to resist against a workload which leverage on high frequency of requests, and the results can be evaluated in term of system loads and resource usage. <link linkend="T10-1">Table <xref linkend="T10-1" remap="10.1"/></link> shows the average CPU usage and memory usage; the former one is furthermore detailed distinguishing between process CPU load and system CPU load, with system CPU load that encompasses any task running on the system. Memory usage is furthermore detailed as well distinguishing between heap memory, used for java objects and non-heap memory.</para>
<table-wrap position="float" id="T10-1">
<label><link linkend="T10-1">Table <xref linkend="T10-1" remap="10.1"/></link></label>
<caption><para>Extract test results for New Calendar Event</para></caption>
<table cellspacing="5" cellpadding="5" frame="hsides" rules="groups">
<thead>
<tr>
<td valign="bottom" align="center">Parallel Requests (n<subscript><italic>r</italic></subscript>)</td>
<td valign="bottom" align="center">Process CPU Load (%)</td>
<td valign="bottom" align="center">System CPU Load (%)</td>
<td valign="bottom" align="center">System Load Average</td>
<td valign="bottom" align="center">Free Heap Memory (B)</td>
<td valign="bottom" align="center">Free Non Heap Mem (B)</td>
<td valign="bottom" align="center">IO Written/Read Data (B)</td>
</tr>
</thead>
<tbody>
<tr>
<td valign="top" align="center">5</td>
<td valign="top" align="center">0.3031</td>
<td valign="top" align="center">0.38245</td>
<td valign="top" align="center">1.54</td>
<td valign="top" align="center">100128920</td>
<td valign="top" align="center">24899588</td>
<td valign="top" align="center">5959</td>
</tr>
<tr>
<td valign="top" align="center">10</td>
<td valign="top" align="center">0.1254</td>
<td valign="top" align="center">0.651</td>
<td valign="top" align="center">1.195</td>
<td valign="top" align="center">86411094</td>
<td valign="top" align="center">22482534</td>
<td valign="top" align="center">77344</td>
</tr>
<tr>
<td valign="top" align="center">100</td>
<td valign="top" align="center">0.1342</td>
<td valign="top" align="center">0.999</td>
<td valign="top" align="center">2.34</td>
<td valign="top" align="center">84833658</td>
<td valign="top" align="center">21993838</td>
<td valign="top" align="center">184244</td></tr>
</tbody>
</table>
</table-wrap>
<para>The table encompasses the experiments of 5, 10 and 100 simultaneous execution of the &#x0201C;New Calendar Event&#x0201D; workload. Data are collected 1 times per second. <link linkend="T10-1">Table <xref linkend="T10-1" remap="10.1"/></link> shows that the CPU usage of service process remains quite stable despite the increase of the number of requests. Process CPU load, the system load as well as memory usage vary as the number of parallel requests increase. The table shows that system resources usage clearly increases due to the waits for Disk Output activities, which rise.</para>
<para><link linkend="F10-5">Figure <xref linkend="F10-5" remap="10.5"/></link> shows an extract of the <emphasis role="strong">robustness test</emphasis> report, in which all the tests reported robustness problems. This would suggest weakness in the services, but a manual inspection revealed that while tool reports &#x0201C;PROBLEM&#x0201D;, the service correctly identify and discard the invalid request. We explain this with the help of <link linkend="F10-6">Figure <xref linkend="F10-6" remap="10.6"/></link>.</para>
<fig id="F10-5" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F10-5">Figure <xref linkend="F10-5" remap="10.5"/></link></label>
<caption><para>Extract from robustness test results.</para></caption>
<graphic xlink:href="graphics/ch10_fig005.jpg"/>
</fig>
<fig id="F10-6" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F10-6">Figure <xref linkend="F10-6" remap="10.6"/></link></label>
<caption><para>Example of robustness test: (a) request; (b) response.</para></caption>
<graphic xlink:href="graphics/ch10_fig006.jpg"/>
</fig>
<para><link linkend="F10-6">Figure <xref linkend="F10-6" remap="10.6"/></link>(a) shows an extract of a robustness test involving the Poll Service, in particular the &#x0201C;add Question&#x0201D; method. Life ray, relying on Axis2 for parsing values, automatically manages the invalid value for the parameter &#x0201C;expiration DateMonth&#x0201D; rejecting the request and without passing it to the &#x0201C;actual&#x0201D; service. The rejection causes an HTTP 533 (which belongs to the &#x0201C;internal error&#x0201D; family): the tool used for robustness testing, operating at black-box, can&#x02019;t distinguished this answer from any other internal error, and consequently the &#x0201C;PROBLEM&#x0201D; code is displayed in <link linkend="F10-6">Figure <xref linkend="F10-6" remap="10.6"/></link>(b) which shows the response that Life ray produces for the request.</para>
<para>Life ray uses Axis2 for service publishing and interface, Axis2 is responsible for parsing values passed by SOAP as well as for invoking the actual Java method which was remotely requested. The parsing phase consists also of a validation phase in which the parsed values are validate against their destination types constraints. The failure of this phase implies the subsequent rejection of the request and thus the generation of a response with HTTP code 500.</para>
<para><link linkend="F10-7">Figure <xref linkend="F10-7" remap="10.7"/></link> shows an extract of the results of the <emphasis role="strong">penetration tests</emphasis> applied to Life ray Calendar Service. The extracted data, as well as the entire test results, show the robustness of Life ray against penetration attacks. All the potentially risky requests are identified and discarded by the Axis2 Layer for services interface, by the Object Relational Mapping (ORM) layer for objects persistency and by the permission checking mechanism, which constitute a cornerstone for Life ray services interoperability.</para>
<fig id="F10-7" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F10-7">Figure <xref linkend="F10-7" remap="10.7"/></link></label>
<caption><para>Calendar Service penetration tests result.</para></caption>
<graphic xlink:href="graphics/ch10_fig007.jpg"/>
</fig>
<para>In fact, Life ray exposes its services using Axis2, which validates the invocation parameters before passing the request to the &#x0201C;actual&#x0201D; service. Additionally, Life ray relays upon Hibernate (the ORM used) which provides an SQL parameter sanitizing service, which in turn it uses named queries that work on top of statements of the JDBC API; all those layers operate the necessary actions to avoid risks from malicious requests. Finally, the invocations that include items the user is not authorized to use are identified by the Life ray Permission Service.</para>
</section>
</section>
<section class="lev2" id="sec10-4-2" label="10.4.2" xreflabel="10.4.2">
<title>Case Study: SHAPE</title>
<para>We used a second use case to show the flexibility of the approach and also to demonstrate that the approach is not depending on the concrete technological implementation. This use case was based on SHAPE, which is a system installed along a specific railway line. SHAPE has the requirement that the all the tests to be performed must be done in an environment certified as equivalent to the target environment.</para>
<para>The main purpose of the system is to automatically detect anomalous and hazardous situations on the trains running on that line. In particular, SHAPE aims at detecting two specific situations: i) SHAPE is able to detect fires on board a train, through reading at a distance of the temperature of the external surface of the trains; ii) it is able to detect possible violations of the reference shape, through specific laser scanners, in order to identify any dangerous protruding part of the train.</para>
<para>SHAPE was designed to be suitable for interfacing with existing signalling systems, thus to send possible alarms useful to safely stop the train and to properly manage the critical detected event, according to the foreseen recovery actions. SHAPE is composed by the components: Scanner, Init &#x00026; Diagnosis, Data Acquisition, Data Aggregator, Data Analyser and Monitor, System State.</para><itemizedlist mark="bullet" spacing="normal">
<listitem>
<para>Init &#x00026; Diagnosis &#x02013; communicates with the scanner in order to collect diagnostic data and to trigger scanner activation.</para></listitem>
<listitem>
<para>Data Acquisition &#x02013; receives raw data from scanners.</para></listitem>
<listitem>
<para>Data Aggregator &#x02013; receives train data from Data Acquisition (e.g. images produced by the scanner) and aggregates such information, to be sent to the Monitor component.</para></listitem>
<listitem>
<para>Data Analyser &#x02013; receives aggregated data from the Data Aggregator and send analysis results to the Monitor component.</para></listitem>
<listitem>
<para>Monitor &#x02013; manages all the system states phases according to the data received from the Shape Component.</para></listitem>
<listitem>
<para>System State &#x02013; acquires information regarding the system state from each component and sends them to the WaySide component.</para></listitem></itemizedlist>
<section class="lev3" id="sec10-4-2-1" label="10.4.2.1" xreflabel="10.4.2.1">
<title>Monitoring environment adaptation</title>
<para>SHAPE has stringent requirements whichneeds to be tested in the same operating system, configuration, and equivalent hardware that it is supposed to be used in the future. Therefore, to be able to use the monitoring and testing approach in together with SHAPE, it was necessary to port the monitoring facilities to the target system and configuration.</para>
<para>The new system uses a different operating system and due to criticality restrictions, it cannot have new packages installed, as the system monitoring tools (SystemTAP) required by used in the implementation of the Instrumented System. Therefore, the challenge was to implement similar monitoring functionalities with less intrusive solutions.</para>
<para>The solution used the following tools, which are present in most of unix and linux distributions:</para><itemizedlist mark="bullet" spacing="normal">
<listitem>
<para>top &#x02013; provides data about cpu and memory usage;</para></listitem>
<listitem>
<para>mpstat &#x02013; provides data about system load;</para></listitem>
<listitem>
<para>iostat &#x02013; provides data about I/O usage;</para></listitem></itemizedlist>
<para>Another tool was necessary because the SHAPE simulator involves a set of processes and subprocesses that are continuously evolving.</para><itemizedlist mark="bullet" spacing="normal">
<listitem>
<para>pstree &#x02013; allows to track the processes and the respective process tree, so it is possible to gather data about all the processes relevant for the monitoring system.</para></listitem></itemizedlist>
<para>The downside of this solution is the performance. In practice, although less intrusive than the SystemTAP solution, it takes much more time to obtain data, and therefore it does not allow small gathering windows. However, we believe that the window is still small enough to do fine grained analysis of the system behavior.</para>
</section>
<section class="lev3" id="sec10-4-2-2" label="10.4.2.2" xreflabel="10.4.2.2">
<title>Tests performed</title>
<para>To demonstrate the solution, we executed the SHAPE simulator during 24h while monitoring the relevant variables of the system. During this period, the simulator was exercised using the test cases available to test the correctness of his responses. At the same time, the newly included probes seamlessly monitored the variables of interest. <link linkend="T10-2">Table <xref linkend="T10-2" remap="10.2"/></link> contains the summary of the most relevant variables monitored during the period.</para>
<table-wrap position="float" id="T10-2">
<label><link linkend="T10-2">Table <xref linkend="T10-2" remap="10.2"/></link></label>
<caption><para>Summary of the variables monitored</para></caption>
<table cellspacing="5" cellpadding="5" frame="hsides" rules="groups">
<thead>
<tr>
<td valign="bottom" align="left">Variable</td>
<td valign="bottom" align="center">AVG</td>
<td valign="bottom" align="center">STDV</td>
<td valign="bottom" align="center">MIN</td>
<td valign="bottom" align="center">MAX</td></tr>
</thead>
<tbody>
<tr>
<td valign="top" align="left">Total User CPU</td>
<td valign="top" align="center">0.14</td>
<td valign="top" align="center">0.08</td>
<td valign="top" align="center">0.00</td>
<td valign="top" align="center">0.30</td>
</tr>
<tr>
<td valign="top" align="left">Total System CPU</td>
<td valign="top" align="center">0.24</td>
<td valign="top" align="center">0.12</td>
<td valign="top" align="center">0.00</td>
<td valign="top" align="center">0.50</td>
</tr>
<tr>
<td valign="top" align="left">Average User CPU</td>
<td valign="top" align="center">0.14</td>
<td valign="top" align="center">0.07</td>
<td valign="top" align="center">0.02</td>
<td valign="top" align="center">0.26</td>
</tr>
<tr>
<td valign="top" align="left">Average System CPU</td>
<td valign="top" align="center">0.25</td>
<td valign="top" align="center">0.12</td>
<td valign="top" align="center">0.03</td>
<td valign="top" align="center">0.45</td>
</tr>
<tr>
<td valign="top" align="left">Average IO Wait CPU</td>
<td valign="top" align="center">0.11</td>
<td valign="top" align="center">0.00</td>
<td valign="top" align="center">0.11</td>
<td valign="top" align="center">0.12</td>
</tr>
<tr>
<td valign="top" align="left">Memory Used</td>
<td valign="top" align="center">837945</td>
<td valign="top" align="center">32356</td>
<td valign="top" align="center">782680</td>
<td valign="top" align="center">903032</td>
</tr>
<tr>
<td valign="top" align="left">Memory Free</td>
<td valign="top" align="center">1031399</td>
<td valign="top" align="center">32356</td>
<td valign="top" align="center">966312</td>
<td valign="top" align="center">1086664</td>
</tr>
<tr>
<td valign="top" align="left">Memory Cached</td>
<td valign="top" align="center">188067</td>
<td valign="top" align="center">10077</td>
<td valign="top" align="center">168972</td>
<td valign="top" align="center">205268</td>
</tr>
<tr>
<td valign="top" align="left">Swap Used</td>
<td valign="top" align="center">0.00</td>
<td valign="top" align="center">0.00</td>
<td valign="top" align="center">0.00</td>
<td valign="top" align="center">0.00</td>
</tr>
<tr>
<td valign="top" align="left">Swap Cached</td>
<td valign="top" align="center">582445</td>
<td valign="top" align="center">20468</td>
<td valign="top" align="center">547568</td>
<td valign="top" align="center">618732</td>
</tr>
<tr>
<td valign="top" align="left">IO Disk Read Per Sec</td>
<td valign="top" align="center">1.78</td>
<td valign="top" align="center">0.03</td>
<td valign="top" align="center">1.74</td>
<td valign="top" align="center">1.83</td>
</tr>
<tr>
<td valign="top" align="left">IO Disk Write Per Sec</td>
<td valign="top" align="center">7.15</td>
<td valign="top" align="center">0.22</td>
<td valign="top" align="center">6.50</td>
<td valign="top" align="center">7.52</td>
</tr>
<tr>
<td valign="top" align="left">IO Disk Read</td>
<td valign="top" align="center">2913344</td>
<td valign="top" align="center">30</td>
<td valign="top" align="center">2913256</td>
<td valign="top" align="center">2913424</td>
</tr>
<tr>
<td valign="top" align="left">IO Disk Write</td>
<td valign="top" align="center">11674444</td>
<td valign="top" align="center">527703</td>
<td valign="top" align="center">10347224</td>
<td valign="top" align="center">12589656</td>
</tr>
<tr>
<td valign="top" align="left"># of SHAPE Processes</td>
<td valign="top" align="center">2.98</td>
<td valign="top" align="center">0.17</td>
<td valign="top" align="center">1.00</td>
<td valign="top" align="center">4.00</td>
</tr>
<tr>
<td colspan="5"><emphasis role="cline"/></td>
</tr>
<tr>
<td valign="top" align="left"><emphasis>Number of Samples</emphasis></td>
<td valign="top" align="center"><emphasis>151146</emphasis></td>
<td valign="top" align="center"></td>
<td valign="top" align="center"></td>
<td valign="top" align="center"></td>
</tr>
</tbody>
</table>
</table-wrap>
<para>All the variables were analyzed are stored for each sampling instance. This allows us to do temporal analysis of the variables. <link linkend="F10-8">Figure <xref linkend="F10-8" remap="10.8"/></link> presents the evolution of one specific variable over time, in this case the &#x0201C;Number of SHAPE processes&#x0201D;. As we can observe, the amount of CPU usage keeps increasing throughout the collection period, but still in relatively short values.</para>
<fig id="F10-8" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F10-8">Figure <xref linkend="F10-8" remap="10.8"/></link></label>
<caption><para>Evolution of Number of working processes in SHAPE.</para></caption>
<graphic xlink:href="graphics/ch10_figN008.jpg"/>
</fig>
</section>
</section></section>
<section class="lev1" id="sec10-5" label="10.5" xreflabel="10.5">
<title>Conclusion</title>
<para>In a context where OTS components are increasingly used on critical scenarios, companies need tools that help them to understand the quality of these components. In specific cases of testing, rather than using their own developed ad-hoc and poorly-reusable testing tools, these companies can benefit from using cost effective techniques and tools.</para>
<para>This chapter presented a reusable and adaptable framework for testing and monitoring of critical OTS applications and services that includes an instrumented box for monitoring OS and application level variables, a testing toolset that is adaptable for testing the target components, and tools for data storage and analysis. The architecture of the framework was described as well as the status of its implementation.</para>
<para>The framework allows users to easily apply functional testing, stress testing, robustness testing and penetration testing to their web services. The procedure to use the framework is described and its usability is illustrated with a case study that uses the Life ray platform, composed of several web services. The case study shows how flexible is the framework, allowing integration of multiple third party tools seamlessly. Obviously, in the case of functional testing, it is necessary to conduct some preliminary study to emulate its use cases, but this is expected due to the nature of the tests. The framework can orchestrate the use of the tools and reduce the human effort by reutilizing the information provided at configuration time within multiple tools.</para>
<para>The concepts behind the framework can also be extended to setups that differ from the ones defined in the framework implementation. This was demonstrated in the second use case, in which the concepts.</para>
<para>Future work includes the integration of failure detection and prediction algorithms in the box. Additionally, the framework can be modified to use more than one Instrumented System at the same time, allows testing more complex systems. Finally, it can be extended to take advantage of other kinds of information monitoring.</para>
</section>
<section class="lev1" id="sec10-6">
<title>References</title>
<orderedlist numeration="arabic" continuation="restarts" spacing="normal">
<listitem>
<para><anchor id="ch10bib1"/>Tran, E. (1999). &#x0201C;Verification/Validation/Certification,&#x0201D; in: Topics in Dependable Embedded Systems, ed. P. Koopman. Carnegie Mellon University, Pittsburgh, PA. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Tran%2C+E%2E+%281999%29%2E+%22Verification%2FValidation%2FCertification%2C%22+in%3A+Topics+in+Dependable+Embedded+Systems%2C+ed%2E+P%2E+Koopman%2E+Carnegie+Mellon+University%2C+Pittsburgh%2C+PA%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch10bib2"/>IEC. (1998). IEC 61508 TC: IEC 61508, Functional Safety of Electrical/Electronic/Programmable Electronic (E/E/PE) Safety Related Systems, Part 3: Software Requirements. IEC, Geneva, Swiss (1998). <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=IEC%2E+%281998%29%2E+IEC+61508+TC%3A+IEC+61508%2C+Functional+Safety+of+Electrical%2FElectronic%2FProgrammable+Electronic+%28E%2FE%2FPE%29+Safety+Related+Systems%2C+Part+3%3A+Software+Requirements%2E+IEC%2C+Geneva%2C+Swiss+%281998%29%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch10bib3"/>RTCA. (2011). RTCA: RTCA DO-178C/EUROCAE ED-12C &#x02013; Software Considerations in Airborne Systems and Equipment Certification. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=RTCA%2E+%282011%29%2E+RTCA%3A+RTCA+DO-178C%2FEUROCAE+ED-12C+-+Software+Considerations+in+Airborne+Systems+and+Equipment+Certification%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch10bib4"/>ISO. (2011). ISO: Road vehicles &#x02013; Functional safety &#x02013; Part 6: Product development at the software level. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=ISO%2E+%282011%29%2E+ISO%3A+Road+vehicles+-+Functional+safety+-+Part+6%3A+Product+development+at+the+software+level%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch10bib5"/>IEEE Computer Society. (2012). Software &#x00026; Systems Engineering Standards Committee: 1012&#x02013;2012 &#x02013; IEEE Standard for System and Software Verification and Validation.</para></listitem>
<listitem>
<para><anchor id="ch10bib6"/>Ghosh, A. K., Schmid, M., and Hill, F. (1999). &#x0201C;Wrapping Windows NT software for robustness. In: Fault-Tolerant Computing,&#x0201D; in Twenty-Ninth Annual International Symposium on Digest of Papers (New York, NY: IEEE), 344&#x02013;347. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Ghosh%2C+A%2E+K%2E%2C+Schmid%2C+M%2E%2C+and+Hill%2C+F%2E+%281999%29%2E+%22Wrapping+Windows+NT+software+for+robustness%2E+In%3A+Fault-Tolerant+Computing%2C%22+in+Twenty-Ninth+Annual+International+Symposium+on+Digest+of+Papers+%28New+York%2C+NY%3A+IEEE%29%2C+344-347%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch10bib7"/>Popov, P., Strigini, L., Riddle, S., and Romanovsky, A. (2001). &#x0201C;Protective Wrapping of OTS components,&#x0201D; in Proc. 4th ICSE Workshop on Component-Based Software Engineering: Component Certification and System Prediction, Toronto. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Popov%2C+P%2E%2C+Strigini%2C+L%2E%2C+Riddle%2C+S%2E%2C+and+Romanovsky%2C+A%2E+%282001%29%2E+%22Protective+Wrapping+of+OTS+components%2C%22+in+Proc%2E+4th+ICSE+Workshop+on+Component-Based+Software+Engineering%3A+Component+Certification+and+System+Prediction%2C+Toronto%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch10bib8"/>Brancati, F. (2012). Adaptive and Safe Estimation of Different Sources of Uncertainty to Improve Dependability of Highly Dynamic Systems Through Online Monitoring Analysis (New York, NY: IEEE).</para></listitem>
<listitem>
<para><anchor id="ch10bib9"/>Carrozza, G., Cinque, M., Cotroneo, D., and Natella, R. (2008). &#x0201C;Operating system support to detect application hangs,&#x0201D; in International Workshop on Verification and Evaluation of Computer and Communication Systems, VECoS, Leeds, UK. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Carrozza%2C+G%2E%2C+Cinque%2C+M%2E%2C+Cotroneo%2C+D%2E%2C+and+Natella%2C+R%2E+%282008%29%2E+%22Operating+system+support+to+detect+application+hangs%2C%22+in+International+Workshop+on+Verification+and+Evaluation+of+Computer+and+Communication+Systems%2C+VECoS%2C+Leeds%2C+UK%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch10bib10"/>Voas, J. M. (1998). Certifying off-the-shelf software components. Computer 31, 53&#x02013;59. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Voas%2C+J%2E+M%2E+%281998%29%2E+Certifying+off-the-shelf+software+components%2E+Computer+31%2C+53-59%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch10bib11"/>Antunes, N., and Vieira, M. (2009). &#x0201C;Detecting SQL Injection Vulnerabilities in Web Services,&#x0201D; in Fourth Latin-American Symposium on Dependable Computing (LADC &#x02019;09), 17&#x02013;24. IEEE Computer Society, Joao Pessoa, Brazil. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Antunes%2C+N%2E%2C+and+Vieira%2C+M%2E+%282009%29%2E+%22Detecting+SQL+Injection+Vulnerabilities+in+Web+Services%2C%22+in+Fourth+Latin-American+Symposium+on+Dependable+Computing+%28LADC+%2709%29%2C+17-24%2E+IEEE+Computer+Society%2C+Joao+Pessoa%2C+Brazil%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch10bib12"/>Laranjeiro, N., Canelas, S., and Vieira, M. (2008). &#x0201C;wsrbench: An On-Line Tool for Robustness Benchmarking,&#x0201D; in IEEE International Conference on Services Computing, 2008 SCC &#x02019;08 (New York, NY: IEEE), 187&#x02013;194. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Laranjeiro%2C+N%2E%2C+Canelas%2C+S%2E%2C+and+Vieira%2C+M%2E+%282008%29%2E+%22wsrbench%3A+An+On-Line+Tool+for+Robustness+Benchmarking%2C%22+in+IEEE+International+Conference+on+Services+Computing%2C+2008+SCC+%2708+%28New+York%2C+NY%3A+IEEE%29%2C+187-194%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch10bib13"/>Madeira, H., Costa, J., and Vieira, M. (2003). &#x0201C;The OLAP and data warehousing approaches for analysis and sharing of results from dependability evaluation experiments,&#x0201D; in Proc. of 2003 International Conference on Dependable Systems and Networks (DSN 2003) (New York, NY: IEEE), 86&#x02013;91. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Madeira%2C+H%2E%2C+Costa%2C+J%2E%2C+and+Vieira%2C+M%2E+%282003%29%2E+%22The+OLAP+and+data+warehousing+approaches+for+analysis+and+sharing+of+results+from+dependability+evaluation+experiments%2C%22+in+Proc%2E+of+2003+International+Conference+on+Dependable+Systems+and+Networks+%28DSN+2003%29+%28New+York%2C+NY%3A+IEEE%29%2C+86-91%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch10bib14"/>Myers, G. J., Sandler, C., and Badgett, T. (2011). The art of software testing. Hoboken, NJ: John Wiley &#x00026; Sons. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Myers%2C+G%2E+J%2E%2C+Sandler%2C+C%2E%2C+and+Badgett%2C+T%2E+%282011%29%2E+The+art+of+software+testing%2E+Hoboken%2C+NJ%3A+John+Wiley+%26+Sons%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch10bib15"/>CentOS Project. The Community ENTerprise Operating System. Available at: <ulink url="http://www.centos.org/">http://www.centos.org/</ulink></para></listitem>
<listitem>
<para><anchor id="ch10bib16"/>Prasad, V., Cohen, W., Eigler, F. C., Hunt, M., Keniston, J., and Chen, B. (2005). &#x0201C;Locating system problems using dynamic instrumentation,&#x0201D; in 2005 Ottawa Linux Symposium (New York, NY: IEEE), 49&#x02013;64 (2005). <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Prasad%2C+V%2E%2C+Cohen%2C+W%2E%2C+Eigler%2C+F%2E+C%2E%2C+Hunt%2C+M%2E%2C+Keniston%2C+J%2E%2C+and+Chen%2C+B%2E+%282005%29%2E+%22Locating+system+problems+using+dynamic+instrumentation%2C%22+in+2005+Ottawa+Linux+Symposium+%28New+York%2C+NY%3A+IEEE%29%2C+49-64+%282005%29%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch10bib17"/>Moore, R. J. (2001). &#x0201C;A Universal Dynamic Trace for Linux and Other Operating Systems,&#x0201D; in USENIX Annual Technical Conference, FREENIX Track, Boston, MA, USA, 297&#x02013;308. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Moore%2C+R%2E+J%2E+%282001%29%2E+%22A+Universal+Dynamic+Trace+for+Linux+and+Other+Operating+Systems%2C%22+in+USENIX+Annual+Technical+Conference%2C+FREENIX+Track%2C+Boston%2C+MA%2C+USA%2C+297-308%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch10bib18"/>Red Hat. JBoss Application Server. Available at: https://www.jboss.org/jbossas/</para></listitem>
<listitem>
<para><anchor id="ch10bib19"/>eviware: soapUI. Available at: <ulink url="http://www.soapui.org/">http://www.soapui.org/</ulink></para></listitem>
<listitem>
<para><anchor id="ch10bib20"/>Ceccarelli, A., Zoppi, T., Bondavalli, A., Duchi, F., and Vella, G. (2014). &#x0201C;A testbed for evaluating anomaly detection monitors through fault injection,&#x0201D; in 5th IEEE Workshop on self-organizing real-time systems (SORT 2014), Reno, Nevada, USA. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Ceccarelli%2C+A%2E%2C+Zoppi%2C+T%2E%2C+Bondavalli%2C+A%2E%2C+Duchi%2C+F%2E%2C+and+Vella%2C+G%2E+%282014%29%2E+%22A+testbed+for+evaluating+anomaly+detection+monitors+through+fault+injection%2C%22+in+5th+IEEE+Workshop+on+self-organizing+real-time+systems+%28SORT+2014%29%2C+Reno%2C+Nevada%2C+USA%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch10bib21"/>Koopman, P., and DeVale, J. (1999). &#x0201C;Comparing the robustness of POSIX operating systems,&#x0201D; in Twenty-Ninth Annual International Symposium on Fault-Tolerant Computing Digest of Papers (New York, NY: IEEE), 30&#x02013;37. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Koopman%2C+P%2E%2C+and+DeVale%2C+J%2E+%281999%29%2E+%22Comparing+the+robustness+of+POSIX+operating+systems%2C%22+in+Twenty-Ninth+Annual+International+Symposium+on+Fault-Tolerant+Computing+Digest+of+Papers+%28New+York%2C+NY%3A+IEEE%29%2C+30-37%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch10bib22"/>Vieira, M., Laranjeiro, N., and Madeira, H. (2007). &#x0201C;Benchmarking the Robustness of Web Services,&#x0201D; in 13th Pacific Rim International Symposium on Dependable Computing, 2007 PRDC 2007 (New York, NY: IEEE), 322&#x02013;329.</para></listitem>
<listitem>
<para><anchor id="ch10bib23"/>Golfarelli, M. (2009). &#x0201C;Open source BI platforms: a functional and architectural comparison,&#x0201D; in Data Warehousing and Knowledge Discovery (Berlin: Springer), 287&#x02013;297. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Golfarelli%2C+M%2E+%282009%29%2E+%22Open+source+BI+platforms%3A+a+functional+and+architectural+comparison%2C%22+in+Data+Warehousing+and+Knowledge+Discovery+%28Berlin%3A+Springer%29%2C+287-297%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch10bib24"/>Liferay, Inc. Liferay Portal. Available at: <ulink url="http://www.liferay.com/">http://www.liferay.com/</ulink></para></listitem></orderedlist>
</section>
</chapter>
<chapter class="chapter" id="ch11" label="11" xreflabel="11">
<title>Validating a Safety Critical Railway Application Using Fault Injection</title>
<para role="author"><emphasis role="strong">Ivano Irrera<superscript>1</superscript>, Andr&#x000E1;s Zentai<superscript>2</superscript>, Jo&#x000E3;o Carlos Cunha<superscript>1,3</superscript> andHenrique Madeira<superscript>1</superscript></emphasis></para>
<para><superscript>1</superscript>CISUC, Department of Informatics Engineering, University of Coimbra, Portugal</para>
<para><superscript>2</superscript>Prolan Process Control Co., Szentendrei &#x000FA;t 1-3, H-2011 Budakal&#x000E1;sz, Hungary</para>
<para><superscript>3</superscript>ISEC &#x02013; Coimbra Institute of Engineering, Polytechnic Institute of Coimbra, Portugal</para>
<para>The need for safety assurance in critical systems demand for new tools and techniques which are able to provide the required confidence while maintaining the costs relatively at a low level. Fault Injection (FI) is a technique extensively used in several domains, such as space, but sporadically used in the railways. In this chapter, we present a fault-injection tool able to complement the traditional verification and validation procedures, to validate the safety of ProSigma, a Safety Integrity Level (SIL) 4 safety-critical system for railway signaling, implementing a Triple Modular Redundancy (TMR) architecture. This tool is based on the Joint Test Action Group (JTAG) technology, and allows emulating the effects of hardware faults. Results from the FI campaigns show the ProSigma system exhibiting a high degree of tolerance to most of the injected faults, and unexpected behavior in some cases. The results also confirm the efficacy of the proposed technique to help understand worst-case scenarios for validating safety of such a critical system.</para>
<section class="lev1" id="sec11-1" label="11.1" xreflabel="11.1">
<title>Introduction</title>
<para>The products in all technical and societal domains are required to be certified against hidden design and implementation defects that may induce malfunctioning, which may cause critical damage to the system itself, including the environment and humans. Several accidents caused by malfunctioning systems are sadly known, going along with the human technological rise.</para>
<para>A safe system is a system that will not cause harm to its users and the environment, in case a malfunctioning occurs. <emphasis>Safety</emphasis>, thus, comes to be an attribute of systems, which corresponds to guarantee the absence of catastrophic consequences on the user(s) and the environment to a certain extent. A system whose malfunctioning is likely to cause harm to users or the environment is named a <emphasis>safety-critical system</emphasis>.</para>
<para>Since their first realization, railway system fall into the class of safety-critical systems. For assuring the safety of such systems, best practices and standards have been proposed and used along with their technological evolution. In the last decades, a new series of standards have been proposed, namely the CENELEC standards (e.g., EN 50126, EN 50128, EN 50129, EN 50159), for regulating the development and safety assessment of software and hardware. In particular, the EN 50128 describes methods to be used in order to provide software that meet the demands for safety integrity. Although not directly referring fault-injection as a possible technique for verification and validation (V&#x00026;V) processes, this is an approach extensively used in other domains, such as space.</para>
<para>Fault injection (FI) consists of the deliberate insertion of faults (i.e., realistic perturbations) in computer systems components in order to evaluate the dependability and safety properties of systems or to validate specific fault handling mechanisms. As typically FI tools perform FI campaigns with minimal user intervention (ideally, the process is fully automatic), it is possible to perform very large number of experiments (very often thousands or even millions), which makes FI a valuable method to anticipate worst-case scenarios or rare failure modes that are very hard to anticipate using analytical modeling or simulations techniques.</para>
<para>In this chapter, we present a FI tool and report some preliminary results meant to validate a TMR system for railway signaling. In the field of railway interlocking systems copper-based, long-distance connections exists between relay switches and remote equipment. In the case of constructing a new system, such as the one reported in this paper, the state-of-the-art solution is to apply Internet Protocol (IP) based signal transmission using Global System for Mobile communications (GSM) or fiber-optic communication. These new technologies pose significant safety challenges, which constitutes a relevant scenario for using FI.</para>
<para>The rest of the chapter is organized as followed: Section 11.2 presents background on V&#x00026;V processes, certification and standards of railway systems, and FI; Section 11.3 presents the ProSigma system railway signaling system; the proposed FI tool-based on On-Chip Debugging (OCD) technology is described in Section 11.4. The experimental application of the proposed FI tool for the validation of the safety of the ProSigma signaling system is presented in Section 11.5, where results obtained are discussed. Section 11.6 concludes the chapter.</para>
</section>
<section class="lev1" id="sec11-2" label="11.2" xreflabel="11.2">
<title>Fault Injection for V&#x00026;V and Certification</title>
<para>Several approaches have been proposed to assess and guarantee the correct functioning of a given product. Among these systems V&#x00026;V are activities that allow verifying whether a product meets its own requirements (Verification), and that the product does what is expected to be done (Validation). However, the application of V&#x00026;V is challenging, as the definition of methods, strategies, and tools for verifying and validating a system adequately, while simultaneously keeping the cost and delivery time reasonably low, is inherently complex. Companies, in fact, are often, on one hand, pushed towards meeting predefined quality goals, and on the other hand, required to deliver systems at acceptable cost and time to market. It is not rare to find companies following a brute-force approach, by focusing large volume investments into tooling and in-house training, especially when coming down to the development of mission- and safety-critical systems.</para>
<para>Validation and verification are time-consuming activities in traditional software engineering even for non-critical applications. In the case of safety-critical systems, which are often embedded, the complexity of V&#x00026;V and certification procedures are exacerbated by the need of keeping properties such as safety or availability, and by involving custom and Commercial Off-The-Shelf (COTS) hardware elements and application dependent-interfaces, resulting in an extremely large number of potential factors.</para>
<para>Safety-critical systems also required, over time, the creation of a field of study particularly aimed at focusing on safety-related issues: safety engineering. Safety engineering is a well-established field, including several techniques for the assurance and assessment of safety in a system. Among these, Failure Modes and Effects Analysis (FMEA), Preliminary Hazard Analysis (PHA), and Fault-Tree Analysis (FTA) are some of the most used techniques. In particular, FMEA is a technique that aims at collecting the known system&#x02019;s failure modes, and studying its propagation paths through the system and its effects. Failure Modes, Effects and Criticality Analysis (FMECA) is a version of FMEA in which criticality is taken into account, aiming to identify all critical and catastrophic subsystem or system failure modes.</para>
<para>FMEA is performed mainly manually, even though several works for an automated FMEA have been proposed [<link linkend="ch11bib1">1</link>].</para>
<para>Such techniques are expected to be part of the V&#x00026;V process of a safety-critical system, and even be mandatory. In this direction, standards started to rise with the aim of reducing risks related to the use of safety-critical systems.</para>
<section class="lev2" id="sec11-2-1" label="11.2.1" xreflabel="11.2.1">
<title>Standards for Safety-critical Railway Applications</title>
<para>Standards have been proposed for developing safety-critical systems, both general and domain specific and suggesting strategies, processes, and techniques to adopt along the entire development cycle.</para>
<para>The specification, design and validation of dependability-related aspects concerning <emphasis>railway</emphasis> applications are regulated by the CENELEC standards. The most important European standard concerning robustness in this field is the standard EN 50128:2011 &#x02013; Railway applications &#x02013; Communication, signaling, and processing systems &#x02013; Software for railway control and protection systems (EN 50128) [<link linkend="ch11bib2">2</link>]. The EN 50128 gives indication about the lifecycle that has to be followed, the techniques and measures to be applied, the necessary competences, and the expected documents and their content. The Software Requirements Specification shall express the required properties of the software being developed. These properties, which are all (except safety) defined in ISO/IEC 9126 series, shall include (among others) robustness and maintainability. The Software Verification Plan shall address (among other properties) the evaluation of the safety and robustness requirements (defined in the Software Requirements Specification). Several techniques and methodologies are also indicated for ensuring the software robustness properties, as Software Error Effect Analysis (i.e., SW-FMEA).</para>
<para>Furthermore, the EN 50128 concentrates on methods that need to be used in order to provide software that meet the demands for safety integrity. The EN 50128 defines robustness as the &#x0201C;<emphasis>ability of an item to detect and handle abnormal situations</emphasis>&#x0201D;. The most important of software techniques to assess and increase the robustness are the following: Defensive Programming, Information Encapsulation, Fault Detection and Diagnosis, Error Detecting and Correcting Codes, Diverse Programming, Software Error Effect Analysis, Control Flow Analysis, Common Cause Failure Analysis, FI, Boundary Value Analysis, and Coding Standard.</para>
<para>Generally, Railway Safety Cases shall provide evidences that the consideration of Robustness (error cases, abnormal inputs, etc.) is provided together with the system validation and verification.</para>
<para>According to the standard CENELEC EN 50129:2003 [<link linkend="ch11bib15">15</link>], safety-related software has been classified into five safety integrity levels, where 0 is the lowest and 4 is the highest. To be conforming to SIL 4 requirements, the safety availability of the equipment must be over 99.999%. From the safety functionality point of view (CENELEC EN 50129:2003 [<link linkend="ch11bib15">15</link>]), SIL is a number that indicates the required degree of confidence that a system will meet its specified safety functions with respect to systematic failures. From the software point of view, CENELEC EN 50128:2011 [<link linkend="ch11bib14">14</link>] defines software safety integrity level as a classification number that determines the techniques and measures that have to be applied to software.</para>
</section>
<section class="lev2" id="sec11-2-2" label="11.2.2" xreflabel="11.2.2">
<title>Fault Injection</title>
<para>Fault injection is a technique consisting in deliberately injecting faults (e.g., bombarding devices with radiations) or modifying parts of the system in a way that emulates the presence of such faults.</para>
<para>Fault injection has been used extensively in research and also already recommended by several standards, such as space [<link linkend="ch11bib3">3</link>] and automotive [<link linkend="ch11bib4">4</link>] industry standards, in addition to Information and Communication Technology (ICT) industry in general [<link linkend="ch11bib5">5</link>]. The space industry, in particular, has a long tradition of using FI as part of the V&#x00026;V activities, namely to simulate the effects of cosmic radiation in on-board systems. As mere examples, here are some references for the interested reader [<link linkend="ch11bib6">6</link>&#x02013;<link linkend="ch11bib8">8</link>]. There are also some examples of the use of FI in the railway industry [<link linkend="ch11bib9">9</link>, <link linkend="ch11bib10">10</link>].</para>
<para>Faults are the hypothesized cause of an error (an unexpected internal state of a system) that can lead to a system failure (e.g., crash, performance degradation, or any interruption of the service provided by the system) [<link linkend="ch11bib11">11</link>]. Hardware faults, such as bit-flip and stuck-at, occur in hardware components, while software faults are defects in a piece of software that exist due to some issue during the development phase, such as a missing system specification or poor testing. FI consists of deliberately inserting faults into a system in a way that emulates real faults [<link linkend="ch11bib12">12</link>]. It is a well-known approach used in many works, where the observation of systems in the presence of faults is needed, such as for fault tolerance and dependability validation [<link linkend="ch11bib13">13</link>, <link linkend="ch11bib14">14</link>], estimation of fault-tolerance parameters [<link linkend="ch11bib12">12</link>], and benchmarking [<link linkend="ch11bib15">15</link>].</para>
<para>The type of faults injected typically fall into three kinds: hardware faults (e.g., bit flips), software faults (i.e., bugs), or input corruption at component interface level (often named as robustness testing). Although the initial FI tools are used to hardware approaches to inject (hardware) faults, including pin-level, heavy-ion radiation, and electromagnetic disturbances, modern FI tools use software approaches to inject the faults (actually, faults are emulated by software by mimicking the fault effects through the injection of errors). As modern FI tools use software to inject/emulate the faults, a key issue is the precision of the fault models. That is, the injected faults should be representative of the real faults that affect systems in the field. This is not a problem for the hardware faults, as the classic bit-flip or bit stuck-at models (at the processor register or memory level) are widely accepted, but the injection of realistic software faults (i.e., bugs) is far more complex. In software FI, the goal is to inject software faults (bugs) in a given software component to emulate the erroneous behavior that may result from the activation of residual bugs that may exist in that component. In this way it is possible to evaluate whether the system can cope up with the failures in the target software component or not, or to perform an experimental estimation of the risk of (re-) using software components.</para>
<para>An example of a survey of the earlier FI methods can be found in [<link linkend="ch11bib16">16</link>] and a very recent and extensive survey (57 pages) covering software FI is in [<link linkend="ch11bib17">17</link>], where the issue of defining realistic software fault models is explained in detail.</para>
</section>
</section>
<section class="lev1" id="sec11-3" label="11.3" xreflabel="11.3">
<title>The ProSigma Safety-critical Railway Interlocking System</title>
<para>ProSigma [<link linkend="ch11bib18">18</link>] is a versatile Hardware&#x02013;Software (HW&#x02013;SW) system designed primarily for railway trackside signaling and communication purposes. It is a Safety Signal Transmitter (SST), which provides fail-safe signal transmission with high availability. It captures the analog signal outputs of the railway interlocking system, processes and transmits this information to a remote control center (DaKo). The ProSigma system is designed to be SIL 4 certified according to CENELEC EN 50126-1, 50126-2, 50128, and 50129 standards [<link linkend="ch11bib12">12</link>&#x02013;<link linkend="ch11bib15">15</link>].</para>
<para>In case of disconnection or system failure, the outputs move into a safety position. The system is built from modular cards installed in racks, which enables system designers to scale the system according to the application needs.</para>
<section class="lev2" id="sec11-3-1" label="11.3.1" xreflabel="11.3.1">
<title>Concepts of Generic Product, Generic Application and Specific Application</title>
<para>To ease the certification process, the system software is designed to have a three-layered architecture as it can be seen in <link linkend="F11-1">Figure <xref linkend="F11-1" remap="11.1"/></link>.</para>
<fig id="F11-1" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F11-1">Figure <xref linkend="F11-1" remap="11.1"/></link></label>
<caption><para>The ProSigma abstraction layers.</para></caption>
<graphic xlink:href="graphics/ch11_fig001.jpg"/>
</fig>
<para>The bottom layer, called Generic Product (GP), implements the common functionalities of the system, including time synchronization, handling Controller Area Network (CAN) communication and other HW interfaces. The GP is quite complex, but it has to be certified only once, as it is common to all applications.</para>
<para>The middle layer, called Generic Application (GA), is a lightweight software component running on the top of the GP. Each GA handles one railway object (e.g. railway traffic signal, switch, etc.). Because of the simplicity of the code, the certification process of GA is relatively easy.</para>
<para>In the deployment phase of the system the GAs has to be parameterized with the actual values of the specific environment (e.g., voltage comparator thresholds, sampling frequency, etc.), which result in Specific Applications (SAs), which are the top layer of the software architecture. In the ProSigma system, the Logic and Input (LI) cards implement these three-layers design architecture.</para>
</section>
<section class="lev2" id="sec11-3-2" label="11.3.2" xreflabel="11.3.2">
<title>The System Architecture and Functionality</title>
<para>A ProSigma test system was built in a pilot project to assess the benefits and drawbacks of FI, whose experimental results are presented in this chapter. The system has identical functionality but limited number of components compared to the one which is deployed trackside. The system adds a networking layer on top of a conventional relay based interlocking system. This network layer transmits the railway object states &#x02013; represented by the relay outputs &#x02013; to a remote control center (DaKo). The system architecture (<link linkend="F11-2">Figure <xref linkend="F11-2" remap="11.2"/></link>) consists of the following components:</para>
<itemizedlist mark="bullet" spacing="normal">
<listitem>
<para>Power Supply Unit (PSU), which supply 3.3 and 24 V of DC voltage to the cards;</para></listitem>
<listitem>
<para>An analog signal conditioning unit (JIF) which filters and down-scales the relay output voltages from 0&#x02013;48 V to 0&#x02013;3 V range.</para></listitem>
<listitem>
<para>Logic and Input card (LI) which are sampling the input voltages. They also contain the railway logic.</para></listitem>
<listitem>
<para>CAN to UDP protocol converter cards (ETH), which convert CAN messages to UDP packets.</para></listitem>
<listitem>
<para>UDP to X25 over IP protocol converter cards (RPI), which convert UDP packets to X25 over IP telegrams.</para></listitem>
<listitem>
<para>Two diagnostic centers, which are responsible to log status and communication information and to provide diagnostic data to the operator.</para></listitem></itemizedlist>
<fig id="F11-2" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F11-2">Figure <xref linkend="F11-2" remap="11.2"/></link></label>
<caption><para>System architecture.</para></caption>
<graphic xlink:href="graphics/ch11_fig0002.jpg"/>
</fig>
<section class="lev3" id="sec11-3-2-1" label="11.3.2.1" xreflabel="11.3.2.1">
<title>Logic and Input (LI) card</title>
<para>The input signals of the system are the analog output voltage signals of a relay-based railway interlocking system: &#x0201C;Domino 70&#x0201D;. These voltage signals are passed through a relay interface unit (JIF), which performs the voltage level interfacing for the Digital Inputs (DI) of the LI card. The Logic and Input (LI) card is a TMR system composed of three microcontrollers from different controller families. Red, Green and Blue (R, G, B) are the codenames for the three channels.</para>
<para>The Logic and Input (LI) cards are reading the analogous input signals and interpret them according to the rules of the specific railway object, which they are connected to. Finally LI cards transmit the status of the railway object states via CAN bus. The three channels (R, G, B) communicate on separate CAN buses, which are located on the back-panel of the mounting rack. See <link linkend="F11-3">Figure <xref linkend="F11-3" remap="11.3"/></link> for the LI card.</para>
<fig id="F11-3" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F11-3">Figure <xref linkend="F11-3" remap="11.3"/></link></label>
<caption><para>LI card interfaces.</para></caption>
<graphic xlink:href="graphics/ch11_fig0003.jpg"/>
</fig>
<para>The firmware (FW) of the controllers has been developed by different SW teams to avoid common mode faults. LI cards follow the three layered SW architecture described before consisting of two different FWs: GP and GA are parameters for the SA. On each channel, the FW of GP and GA are running on the microcontroller in a time and space partitioning architecture. On all channels, FW of the GPs handle the A/D conversion of the input signals. The raw data of the converted signals are filtered with a SW implemented de-bouncing algorithm in the GP to filter out the high frequency glitches of the relays. The GP FW calls the GA FW every 32 ms and the de-bounced values of the input signals are passed to the GA. The GA implements the railway object.</para>
<para>The railway object used in this case study is called block direction, which contains the information of the direction of traffic on the actual railway segment. The object has one input encoded by a pair of valent-antivalent input signals. Depending on the input signals and the value of parameter P1 the meaning of the direction could be entry, exit, transient or invalid as it is described in <link linkend="T11-1">Table <xref linkend="T11-1" remap="11.1"/></link>. The valent-antivalent signal pair does not change simultaneously so for a short period of time invalid input patterns (00 or 11) are accepted as transients. After that time period is passed, the signals became invalid.</para>
<table-wrap position="float" id="T11-1">
<label><link linkend="T11-1">Table <xref linkend="T11-1" remap="11.1"/></link></label>
<caption><para>Railway object outputs</para></caption>
<table cellspacing="5" cellpadding="5" frame="hsides" rules="groups">
<thead>
<tr>
<td valign="bottom" align="center">Valent Input</td>
<td valign="bottom" align="center">Antivalent Input</td>
<td valign="bottom" align="left">Meaning in Case P1 = 0</td>
<td valign="bottom" align="left">Meaning in Case P1 = 1</td>
</tr>
</thead>
<tbody>
<tr>
<td valign="top" align="center">0</td>
<td valign="top" align="center">0</td>
<td valign="top" align="left">Transient (0 &#x000D7; 20) or invalid (0 &#x000D7; 80) state</td>
<td valign="top" align="left">Transient (0 &#x000D7; 20) or invalid (0 &#x000D7; 80) state</td>
</tr>
<tr>
<td valign="top" align="center">0</td>
<td valign="top" align="center">1</td>
<td valign="top" align="left">Direction = Exit (0 &#x000D7; 02)</td>
<td valign="top" align="left">Direction = Entry (0 &#x000D7; 01)</td>
</tr>
<tr>
<td valign="top" align="center">1</td>
<td valign="top" align="center">0</td>
<td valign="top" align="left">Direction = Entry (0 &#x000D7; 01)</td>
<td valign="top" align="left">Direction = Exit (0 &#x000D7; 02)</td>
</tr>
<tr>
<td valign="top" align="center">1</td>
<td valign="top" align="center">1</td>
<td valign="top" align="left">Transient (0 &#x000D7; 20) or invalid (0 &#x000D7; 80) state</td>
<td valign="top" align="left">Transient (0 &#x000D7; 20) or invalid (0 &#x000D7; 80) state</td>
</tr>
</tbody>
</table>
</table-wrap>
<para>The interpreted railway object state, encoded in the hexadecimal numbers indicated in <link linkend="T11-1">Table <xref linkend="T11-1" remap="11.1"/></link>, is transmitted on the CAN bus. The Sigma bus in <link linkend="F11-3">Figure <xref linkend="F11-3" remap="11.3"/></link> indicates a proprietary application layer protocol implemented on top of the CAN bus. Specific Application Module (SAM) contains the parameters for the Generic Application. In the SAM module, 3 Flash memory chips contain the parameters for the three channels R, G, B. The LI card reads the parameter values from the memory via Serial Peripheral Interface (SPI) bus.</para>
<para>Interfaces of a LI card can be seen in <link linkend="F11-3">Figure <xref linkend="F11-3" remap="11.3"/></link>.</para>
<para>Up to 10 railway object modules could be inserted in one rack. In case there are more than 10 railway objects in a system, then the extra object modules are inserted into multiple racks. The racks are connected together to form a Local Area Network (LAN) using ETH cards.</para>
</section>
<section class="lev3" id="sec11-3-2-2" label="11.3.2.2" xreflabel="11.3.2.2">
<title>ETH card</title>
<para>Primary function of the CAN to UDP protocol converter (ETH) card is to collect the railway object state information of the three channels from the CAN bus and transmit these messages as UDP datagrams on the Ethernet network. As it can be seen from <link linkend="F11-4">Figure <xref linkend="F11-4" remap="11.4"/></link>, ETH cards are connected to the CAN buses of all the three channels of the LI cards. This connection is physically realized through the back panel of the modular racks. Each ETH card contains two identical HWs. The inputs from both HWs are the same CAN channels, while the outputs are connected to two distinct LAN networks.</para>
<fig id="F11-4" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F11-4">Figure <xref linkend="F11-4" remap="11.4"/></link></label>
<caption><para>ETH card architecture.</para></caption>
<graphic xlink:href="graphics/ch11_fig004.jpg"/>
</fig>
</section>
<section class="lev3" id="sec11-3-2-3" label="11.3.2.3" xreflabel="11.3.2.3">
<title>RPI card</title>
<para>The UDP messages are transmitted to the UDP to X25 over IP protocol converter unit (RPI). RPI architecture is depicted in <link linkend="F11-5">Figure <xref linkend="F11-5" remap="11.5"/></link>. This unit is responsible for converting the UDP packages to X25 over IP telegrams and sending these to the data receiver (DaKo), which is not part of the system.</para>
<fig id="F11-5" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F11-5">Figure <xref linkend="F11-5" remap="11.5"/></link></label>
<caption><para>RPI card architecture.</para></caption>
<graphic xlink:href="graphics/ch11_fig005.jpg"/>
</fig>
<para>The RPI module also performs a voting on the data collected from the three channels (extracted from the UDP packets), thus being central to the correct functioning of the TMR schema. Moreover, it provides two times 2-out-of-2 fault tolerance schema applied to both received data and voting result: the information is analyzed from two separated nodes (here named node 0 and node 1), and differences among data cause the entire RPI node to fail. Each node has a 2-out-of-2 architecture.</para>
<para>The underlying hardware of the UDP to X25 over IP protocol converter card/RBC-Prolan Interface (RPI) card is identical to the ETH card.</para>
<para>The functionality of the RPI card includes:</para>
<itemizedlist mark="bullet" spacing="normal">
<listitem>
<para>Managing X25 connection with the Radio Block Center;</para></listitem>
<listitem>
<para>Voting about the object states;</para></listitem>
<listitem>
<para>Transmitting object states to the RBC;</para></listitem>
<listitem>
<para>Exchanging Heartbeat (HB) signals both on active and on the potentially active channel.</para></listitem></itemizedlist>
</section>
<section class="lev3" id="sec11-3-2-4" label="11.3.2.4" xreflabel="11.3.2.4">
<title>Power Supply Units</title>
<para>In each rack, three Power SUpply (PSU) cards provide the necessary energy for the operation of the system.</para>
</section>
<section class="lev3" id="sec11-3-2-5" label="11.3.2.5" xreflabel="11.3.2.5">
<title>Diagnostic centers</title>
<para>Two diagnostic centres (PSDK1 and PSDK2) are monitoring and logging the traffic on the internal and external networks.</para>
</section>
<section class="lev3" id="sec11-3-2-6" label="11.3.2.6" xreflabel="11.3.2.6">
<title>Parameter modules</title>
<para>The parameter modules (PAR) contain the parameters of the GP and GA, which are required for the operation of the system.</para>
</section>
</section>
<section class="lev2" id="sec11-3-3" label="11.3.3" xreflabel="11.3.3">
<title>System&#x02019;s Critical Aspects Worth to Study Using FI</title>
<para>Considering the block direction railway object, a dangerous situation occurs when the DaKo system&#x02019;s block direction information is the opposite direction than the actual block direction. This situation could occur when an opposite block direction information is sent to the DaKo or when the block direction changes but the system does not transmit this information to the DaKo. Thus the critical parts of the system are the input processing parts of the LI cards and the voting part of the RPIs. These are the parts where fault-injection should be applied to assess the system&#x02019;s robustness.</para>
</section>
</section>
<section class="lev1" id="sec11-4" label="11.4" xreflabel="11.4">
<title>The ProSigma FI Framework</title>
<para>Hardware and software failures may both occur with non-negligible probability, especially in a complex safety-critical system operating in harsh environments, and both types have a potentially huge impact on the system and on the application (railway signaling in the ProSigma case). As presented, the FI technique aims at emulating situations in which the system and its fault tolerance mechanisms face the activation of hardware and software faults, and, at the same time, collecting information on the fault activation, errors and failures caused.</para>
<para>The proposed FI framework has been designed to inject hardware and software faults, taking advantage of on-board scan-chain circuitry (or OCD), to emulate faults with controlled intrusiveness. The proposed framework also provides the infrastructure for collecting the experiment results automatically, allowing posterior validation of system safety requirements. In particular, the FI framework is based on the JTAG scan-chain circuitry, a <emphasis>de-facto</emphasis> standard implemented on a large variety of microcontrollers, including those used in safety-critical scenarios. The JTAG allows, for instance, reading values in RAM without interrupting the controller execution, and writing values in local controller registries. These are key features to both inject the faults and collect direct impact at CPU level. As an example, a bit-flip fault is injected by stopping the controller execution, reading the value of a CPU register, changing the value of a given bit (or bits), and writing back the new value to the register. The intrusiveness of such injection operation is just a few operation cycles.</para>
<section class="lev2" id="sec11-4-1" label="11.4.1" xreflabel="11.4.1">
<title>Fault Injector Framework Architecture and Functionalities</title>
<para>The architecture of the FI framework, shown in <link linkend="F11-6">Figure <xref linkend="F11-6" remap="11.6"/></link>, is made up of several components, distributed on a host system and on the target system, namely:</para>
<itemizedlist mark="bullet" spacing="normal">
<listitem>
<para>the <emphasis role="strong">fault injector component</emphasis>, executing a set of instructions directly on the target system, using the OCD interface of the target system. The fault to be injected are defined in a specific module of the injector, called fault library;</para></listitem>
<listitem>
<para>the <emphasis role="strong">workload generator</emphasis>, controlling the inputs to the target system. The stimuli are stored in a workload library;</para></listitem>
<listitem>
<para>the <emphasis role="strong">monitor</emphasis>, which collects information about the correct functioning of the target system from the target system and its environment. The data is stored in a collection module, including a data analyzer for the user;</para></listitem>
<listitem>
<para>the <emphasis role="strong">controller module</emphasis>, which orchestrates the several modules of the FI tool according to parameters specified in the form of configuration profiles.</para></listitem></itemizedlist>
<fig id="F11-6" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F11-6">Figure <xref linkend="F11-6" remap="11.6"/></link></label>
<caption><para>Fault injection structure and environment.</para></caption>
<graphic xlink:href="graphics/ch11_fig0006.jpg"/>
</fig>
<para>Fault Injection campaigns consist of five phases, ranging from the definition of the faults to their injection, ending in the analysis of the results. In details:</para>
<itemizedlist mark="bullet" spacing="normal">
<listitem>
<para><emphasis role="strong">Definition phase</emphasis>: the user defines the faults to inject and their locations, the workload details and profiles, and the information to be monitored;</para></listitem>
<listitem>
<para><emphasis role="strong">Set-up phase</emphasis>: in this phase the user connects the FI environment installed in the host system to the target system, configure the profile of the FI campaign(s), and defines the target system requirements to be validated automatically by the system;</para></listitem>
<listitem>
<para><emphasis role="strong">Execution phase</emphasis>: in this phase the user launches one FI campaign at a time, which can be paused and resumed at any moment. A FI campaign is made of several runs, each run executing the target system (in this context the ProSigma system, or part of it) and injecting a fault (FI run, or FIR). Alternatively, runs with no fault injected are called Golden runs (GR), which are useful to observe the nominal behavior of the system;</para></listitem>
<listitem>
<para><emphasis role="strong">Analysis phase</emphasis>: this phase serves for analyzing the data collected for possible errors and failure events collected. Depending on the target system, a huge variety of analysis can be carried out;</para></listitem>
<listitem>
<para><emphasis role="strong">Validation phase</emphasis>, finally, correlating the errors and failure events, if any, to the target system requirements defined.</para></listitem></itemizedlist>
</section>
<section class="lev2" id="sec11-4-2" label="11.4.2" xreflabel="11.4.2">
<title>The ProSigma FI Tool (ProSigma-FIT)</title>
<para>The proposed framework was implemented into the ProSigma FI tool for the ProSigma system (ProSigma-FIT). A representation of the implemented FI environment is depicted in <link linkend="F11-7">Figure <xref linkend="F11-7" remap="11.7"/></link>. The tool can inject &#x0201C;bit-flips&#x0201D; hardware faults, i.e., emulating the flip from 0 to 1 or viceversa, in one of the positions of a given registers, These kinds of faults are usually caused by environmental conditions, as charged particles passing through the circuitry. ProSigma-FIT injects faults in the microcontrollers that constitute the ProSigma system, using a host system running Windows 7. The host performs the injection using a debugger communicating through USB port, an external electronic board equipped with circuitry for communicating with a given set of microcontrollers using an OCD port (JTAG in the current case).</para>
<fig id="F11-7" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F11-7">Figure <xref linkend="F11-7" remap="11.7"/></link></label>
<caption><para>Fault injection structure and environment.</para></caption>
<graphic xlink:href="graphics/ch11_figN007.jpg"/>
</fig>
<para>ProSigma-FIT is developed as a Java application, and it uses an external library named OpenOCD, which eases the use of JTAG protocol by offering a set of high-level command to a user of the host system. OpenOCD is a project developed at University of Applied Sciences Augsburg [<link linkend="ch11bib19">19</link>]. The tool is made of core classes, which include objects for injecting faults and saving data into a MySQL database (<emphasis>Fault Injector package</emphasis>), a package for managing the FI environment and the target environment (<emphasis>ProSigma Environment package</emphasis>), and objects for monitoring the status of the target system and its environment (<emphasis>Monitor package</emphasis>).</para>
</section>
</section>
<section class="lev1" id="sec11-5" label="11.5" xreflabel="11.5">
<title>ProSigma Safety Assessment Through FI: Experiments and Results</title>
<para>The ProSigma-FIT was used to assess the safety mechanisms implemented by the ProSigma system, both at hardware and software level, as a whole. The ProSigma-FIT was setup to target both CPU registers and RAM memory locations of both the targets locations (G channel of the LI card and RPI), and to performed several FI campaigns.</para>
<section class="lev2" id="sec11-5-1" label="11.5.1" xreflabel="11.5.1">
<title>Safety Assessment of the Prosigma System: Experimental Setup</title>
<para>We injected hardware bit flips in the ProSigma system, namely in the G channel of the LI card (target system: TI LM3S2948 microcontroller), which is one of the TMR channels, and in the RPI, node 0 (target: TI TMS570LS3137 microcontroller), which is one of the two modules contained in a RPI card performing the voting functionality. The faults are injected using two JTAG debuggers, namely the Texas Instruments LM3S8962 and the Texas Instruments XDS100. <link linkend="F11-8">Figure <xref linkend="F11-8" remap="11.8"/></link> shows a photo of the complete experimental setup.</para>
<fig id="F11-8" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F11-8">Figure <xref linkend="F11-8" remap="11.8"/></link></label>
<caption><para>The ProSigma system and the FI tool and environment.</para></caption>
<graphic xlink:href="graphics/ch11_fig0008.jpg"/>
</fig>
</section>
<section class="lev2" id="sec11-5-2" label="11.5.2" xreflabel="11.5.2">
<title>Results</title>
<para>The ProSigma-FIT injected a total of 10,702 faults in few days. <link linkend="T11-2">Table <xref linkend="T11-2" remap="11.2"/></link> presents the failure modes (system&#x02019;s modules level) monitored by the observers in the LI and the RPI cards. <link linkend="T11-3">Table <xref linkend="T11-3" remap="11.3"/></link> shows the FI campaigns performed and presents a summary of key results. <link linkend="F11-9">Figure <xref linkend="F11-9" remap="11.9"/></link> shows the distribution of the failure modes in each FI campaign.</para>
<table-wrap position="float" id="T11-2">
<label><link linkend="T11-2">Table <xref linkend="T11-2" remap="11.2"/></link></label>
<caption><para>Failure modes</para></caption>
<table cellspacing="5" cellpadding="5" frame="hsides" rules="groups">
<thead>
<tr>
<td valign="bottom" align="left">Target</td>
<td valign="bottom" align="left">Observer</td>
<td valign="bottom" align="left">Failure Mode</td>
<td valign="bottom" align="left">Conditions</td>
</tr>
</thead>
<tbody>
<tr>
<td valign="top" align="left">LI card, G channel</td>
<td valign="top" align="left">CAN bus</td>
<td valign="top" align="left">No PIT&#x0002A; messages (NPm)</td>
<td valign="top" align="left">No PIT messages from the G channel on the CAN bus for more than 3 seconds</td>
</tr>
<tr>
<td valign="top" align="left">LI card, G channel</td>
<td valign="top" align="left">CAN bus</td>
<td valign="top" align="left">No CONN&#x0002A;&#x0002A; messages (NCm)</td>
<td valign="top" align="left">No CONN messages from the G channel on the CAN bus for more than 3 sec.</td>
</tr>
<tr>
<td valign="top" align="left">LI card, G channel</td>
<td valign="top" align="left">CAN bus</td>
<td valign="top" align="left">Performance failure (P)</td>
<td valign="top" align="left">PIT or CONN messages appear late on the CAN bus (latency between 1 and 3 seconds)</td>
</tr>
<tr>
<td valign="top" align="left">LI card, G channel</td>
<td valign="top" align="left">CAN bus</td>
<td valign="top" align="left">Crash (C)</td>
<td valign="top" align="left">No PIT and CONN messages for more than 3 sec.</td>
</tr>
<tr>
<td valign="top" align="left">RPI card, module 0</td>
<td valign="top" align="left">CAN bus</td>
<td valign="top" align="left" colspan="2">All the same failure modes defined for the LI card</td></tr>
</tbody>
</table>
<table-wrap-foot>
<para>&#x0002A;PIT is a high-level protocol implemented by the ProSigma system in the LI card.</para>
<para>&#x0002A;&#x0002A;CONN is a low-level protocol (right above the CAN messages) implemented by the ProSigma system in the LI card.</para>
</table-wrap-foot>
</table-wrap>
<table-wrap position="float" id="T11-3">
<label><link linkend="T11-3">Table <xref linkend="T11-3" remap="11.3"/></link></label>
<caption><para>Summary of FI campaign results</para></caption>
<table cellspacing="5" cellpadding="5" frame="hsides" rules="groups">
<thead>
<tr>
<td valign="bottom" align="center" colspan="7">Target Failures<emphasis role="cline"/></td>
</tr>
<tr>
<td valign="bottom" align="left">Campaign</td>
<td valign="bottom" align="center"># FI Runs</td>
<td valign="bottom" align="center">NCm</td>
<td valign="bottom" align="center">NPm</td>
<td valign="bottom" align="center">P</td>
<td valign="bottom" align="center">C</td>
<td valign="bottom" align="left">ProSigma Behavior</td>
</tr>
</thead>
<tbody>
<tr>
<td valign="top" align="left">#1 (LI, registers)</td>
<td valign="top" align="center">674</td>
<td valign="top" align="center">0</td>
<td valign="top" align="center">15</td>
<td valign="top" align="center">5</td>
<td valign="top" align="center">152</td>
<td valign="top" align="left">Failure tolerated</td>
</tr>
<tr>
<td valign="top" align="left">#2 (LI, registers)</td>
<td valign="top" align="center">618</td>
<td valign="top" align="center">0</td>
<td valign="top" align="center">2</td>
<td valign="top" align="center">0</td>
<td valign="top" align="center">159</td>
<td valign="top" align="left">Failure tolerated</td>
</tr>
<tr>
<td valign="top" align="left">#3 (LI, registers)</td>
<td valign="top" align="center">720</td>
<td valign="top" align="center">0</td>
<td valign="top" align="center">5</td>
<td valign="top" align="center">1</td>
<td valign="top" align="center">172</td>
<td valign="top" align="left">Failure tolerated</td>
</tr>
<tr>
<td valign="top" align="left">#4 (LI, registers)</td>
<td valign="top" align="center">721</td>
<td valign="top" align="center">0</td>
<td valign="top" align="center">6</td>
<td valign="top" align="center">0</td>
<td valign="top" align="center">171</td>
<td valign="top" align="left">Failure tolerated</td>
</tr>
<tr>
<td valign="top" align="left">#5 (LI, RAM)</td>
<td valign="top" align="center">2,116</td>
<td valign="top" align="center">0</td>
<td valign="top" align="center">10</td>
<td valign="top" align="center">0</td>
<td valign="top" align="center">828</td>
<td valign="top" align="left">Failure tolerated</td>
</tr>
<tr>
<td valign="top" align="left">#6 (LI, RAM)</td>
<td valign="top" align="center">2,950</td>
<td valign="top" align="center">0</td>
<td valign="top" align="center">0</td>
<td valign="top" align="center">0</td>
<td valign="top" align="center">854</td>
<td valign="top" align="left">Failure tolerated</td>
</tr>
<tr>
<td valign="top" align="left">#7 (LI, RAM)</td>
<td valign="top" align="center">2,150</td>
<td valign="top" align="center">0</td>
<td valign="top" align="center">23</td>
<td valign="top" align="center">1</td>
<td valign="top" align="center">828</td>
<td valign="top" align="left">Failure tolerated</td>
</tr>
<tr>
<td valign="top" align="left">#8 (RPI, registers)</td>
<td valign="top" align="center">753</td>
<td valign="top" align="center">0</td>
<td valign="top" align="center">28</td>
<td valign="top" align="center">1</td>
<td valign="top" align="center">472</td>
<td valign="top" align="left">Safety state (Crash)</td>
</tr>
<tr>
<td valign="top" align="left">Total</td>
<td valign="top" align="center">10,702</td>
<td valign="top" align="center">0</td>
<td valign="top" align="center">61</td>
<td valign="top" align="center">7</td>
<td valign="top" align="center">3164</td>
<td valign="top" align="left"></td></tr>
</tbody>
</table>
</table-wrap>
<para>As an example, we selected one of the ProSigma system requirements (R1) to be at validated. Due to the page limit, this chapter does not address the validation of other requirements. The requirement selected is the following:</para>
<sidebar>
<para><emphasis role="strong"><emphasis>R1</emphasis></emphasis> <emphasis>&#x02013; AFTER the INPUT status is set, the system&#x02019;s client must EVENTUALLY receive a message indicating the SWITCHING STATE and the CORRECT OBJECT STATE.</emphasis></para>
</sidebar>
<para>Most of the faults injected in the channel G of the LI card (i.e., one of the channels of the TMR) caused effects in the ProSigma system, as shown in <link linkend="T11-3">Table <xref linkend="T11-3" remap="11.3"/></link>. However, as expected, the system managed to tolerate all the faults injected in the LI card. In addition to the more detailed analysis of the fault effects (especially for the ones that caused Crashes and Performance Failures) in the LI card, more comprehensive FI campaigns are needed to gain additional confidence in the system. Previous FI experiments performed for space application [<link linkend="ch11bib3">3</link>] have shown that unexpected error propagation due to shared resources such as memory may cause common mode failures.</para>
<para>Concerning the faults injected in the RPI (voting) card, a single campaign was enough to observe Crash failures that caused the system to stop working, entering in a fail-safe state. Next FI campaigns will be focused on the comprehensive evaluation of the SW voting elements.</para>
<para>As shown in <link linkend="F11-9">Figure <xref linkend="F11-9" remap="11.9"/></link>, the faults injected caused a significant percentage of failures in the target (G channel and RPI). In particular, faults injected in the LI card caused failures in the G channel in about 30% of the times, with &#x0201C;Crash&#x0201D; failures being the most frequent type, followed by &#x0201C;No PIT messages&#x0201D; and &#x0201C;Performance&#x0201D;, and with &#x0201C;No CONN messages&#x0201D; failures only occurred when a Crash occurred, without any isolated occurrence. Conversely, more than 60% of the faults injected in the RPI card caused failures, most of which were &#x0201C;Crash&#x0201D;-type. We believe that such behavior is due to additional fault tolerance mechanisms contained in the TMS570LS3137 microcontroller, as the lock-step schema.</para>
<fig id="F11-9" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F11-9">Figure <xref linkend="F11-9" remap="11.9"/></link></label>
<caption><para>Fault injection campaign: failure modes distribution.</para></caption>
<graphic xlink:href="graphics/ch11_fig009.jpg"/>
</fig>
<para>Finally, during the campaigns we measured an average injection time below 1ms (round-trip-time host-controller-host). The injection operation is hence quite invasive, being the period of the fastest microcontroller of 6.25 ns. However, the impact of the introduced latency can be tolerated by the single target system. We aim at implementing dedicated module to reduce the injection time in a future work.</para>
</section>
</section>
<section class="lev1" id="sec11-6" label="11.6" xreflabel="11.6">
<title>Conclusion</title>
<para>This chapter presented a FI tool based on the JTAG technology proposed for validating a safety-critical railway signaling system, called ProSigma, a TMR system for railway trackside signaling and communication purposes. The ProSigma system has been developed at Prolan Zrt., and has been designed for being certified by the CENELEC standards as SIL 4, the most demanding level in terms of Safety availability.</para>
<para>The FI tool demonstrated to potentially reduce costs related to V&#x00026;V activities, as it is able to highlight critical situations in which the system under test acts in a hazardous manner. The use of automated FI campaigns, focused on several components of the target system, allows to expose the system to a very large number of fault scenarios, helping gaining confidence in the safety properties of the system under validation. Results from a thorough FI campaigns are presented, illustrating the effectiveness of the FI tool and the approach in general, which confirms to be a valid instrument to help on the V&#x00026;V of safety-critical system.</para>
</section>
<section class="lev1" id="sec11-7">
<title>References</title>
<orderedlist numeration="arabic" continuation="restarts" spacing="normal">
<listitem>
<para><anchor id="ch11bib1"/>Bonfiglio, V., Montecchi, L., Irrera, I., Rossi, F., Lollini, P., and Bondavalli, A. (2015). &#x0201C;Software Faults Emulation at Model-Level: Towards Automated Software FMEA,&#x0201D; in <emphasis>Proceedings of 2015 IEEE International Conference on Dependable Systems and Networks Workshops (DSN-W)</emphasis> (New York. NY: IEEE), 133&#x02013;140. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Bonfiglio%2C+V%2E%2C+Montecchi%2C+L%2E%2C+Irrera%2C+I%2E%2C+Rossi%2C+F%2E%2C+Lollini%2C+P%2E%2C+and+Bondavalli%2C+A%2E+%282015%29%2E+%22Software+Faults+Emulation+at+Model-Level%3A+Towards+Automated+Software+FMEA%2C%22+in+Proceedings+of+2015+IEEE+International+Conference+on+Dependable+Systems+and+Networks+Workshops+%28DSN-W%29+%28New+York%2E+NY%3A+IEEE%29%2C+133-140%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch11bib2"/>European Committee for Standardization. Available at: <ulink url="http://www.cen.eu">www.cen.eu</ulink></para></listitem>
<listitem>
<para><anchor id="ch11bib3"/>NASA. (2004). <emphasis>NASA Software Safety Guidebook, NASA-GB-8719.13</emphasis>.</para></listitem>
<listitem>
<para><anchor id="ch11bib4"/>ISO. (2011). <emphasis>Product development: software level. ISO 26262: Road vehicles &#x02013; Functional safety 6</emphasis>.</para></listitem>
<listitem>
<para><anchor id="ch11bib5"/>Microsoft Corporation. (2014). <emphasis>Resilience by design for cloud services</emphasis>.</para></listitem>
<listitem>
<para><anchor id="ch11bib6"/>Barbosa, R., Costa, D., and Madeira, H. (2006). &#x0201C;An empirical approach to assess software off-the-shelf components using fault injection,&#x0201D; in <emphasis>International Conference on Data Systems in Aerospace, DASIA 2006</emphasis>, Berlin, Germany. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Barbosa%2C+R%2E%2C+Costa%2C+D%2E%2C+and+Madeira%2C+H%2E+%282006%29%2E+%22An+empirical+approach+to+assess+software+off-the-shelf+components+using+fault+injection%2C%22+in+International+Conference+on+Data+Systems+in+Aerospace%2C+DASIA+2006%2C+Berlin%2C+Germany%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch11bib7"/>Madeira, H., Some, R. (NASA), Moreira, F., Costa, D., (Critical Software), and Rennels, D. (UCLA). &#x0201C;Experimental evaluation of a COTS system for space applications,&#x0201D; in <emphasis>IEEE/IFIP Int. Conf. on Dependable Systems and Networks</emphasis> (New York. NY: IEEE), DSN, USA, June 2002. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Madeira%2C+H%2E%2C+Some%2C+R%2E+%28NASA%29%2C+Moreira%2C+F%2E%2C+Costa%2C+D%2E%2C+%28Critical+Software%29%2C+and+Rennels%2C+D%2E+%28UCLA%29%2E+%22Experimental+evaluation+of+a+COTS+system+for+space+applications%2C%22+in+IEEE%2FIFIP+Int%2E+Conf%2E+on+Dependable+Systems+and+Networks+%28New+York%2E+NY%3A+IEEE%29%2C+DSN%2C+USA%2C+June+2002%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch11bib8"/>Silva, A., S&#x000E1;nchez, S., Polo, O. R., and Parra, P. (2014). Injecting faults to succeed. Verification of the boot software on-board solar orbiter&#x02019;s energetic particle detector. <emphasis>Acta Astronautica</emphasis>, 95. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Silva%2C+A%2E%2C+S%E1nchez%2C+S%2E%2C+Polo%2C+O%2E+R%2E%2C+and+Parra%2C+P%2E+%282014%29%2E+Injecting+faults+to+succeed%2E+Verification+of+the+boot+software+on-board+solar+orbiter%27s+energetic+particle+detector%2E+Acta+Astronautica%2C+95%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch11bib9"/>Wei, S., Cai Bai-gen, Chen-xi, G., Jian, W., Jing-jing, W. (2010). &#x0201C;Research on reliability evaluation of high-speed railway train control system based on fault injection,&#x0201D; in <emphasis>Int. Conf. Environmental Science and Information Application Technology (ESIAT)</emphasis>, Vol. 3, 288&#x02013;293, Wuhan, China, 17&#x02013;18 July. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Wei%2C+S%2E%2C+Cai+Bai-gen%2C+Chen-xi%2C+G%2E%2C+Jian%2C+W%2E%2C+Jing-jing%2C+W%2E+%282010%29%2E+%22Research+on+reliability+evaluation+of+high-speed+railway+train+control+system+based+on+fault+injection%2C%22+in+Int%2E+Conf%2E+Environmental+Science+and+Information+Application+Technology+%28ESIAT%29%2C+Vol%2E+3%2C+288-293%2C+Wuhan%2C+China%2C+17-18+July%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch11bib10"/>Benso, A., and Prinetto, P. (2006). <emphasis>Fault Injection Techniques and Tools for Embedded Systems Reliability Evaluation.</emphasis> Berlin: Springer Science &#x00026; Business Media. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Benso%2C+A%2E%2C+and+Prinetto%2C+P%2E+%282006%29%2E+Fault+Injection+Techniques+and+Tools+for+Embedded+Systems+Reliability+Evaluation%2E+Berlin%3A+Springer+Science+%26+Business+Media%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch11bib11"/><ulink url="http://www.prolan.hu/en/divisions/railway-automation/prosigma/">http://www.prolan.hu/en/divisions/railway-automation/prosigma/</ulink></para></listitem>
<listitem>
<para><anchor id="ch11bib12"/>CENELEC. (1999). <emphasis>EN 50126-1:1999 Railway application,</emphasis> <emphasis>The specification and demonstration of Reliability. Availability, Maintainability and Safety (RAMS), Part 1: Basic requirements and generic process</emphasis>.</para></listitem>
<listitem>
<para><anchor id="ch11bib13"/>CENELEC. (2007). <emphasis>EN 50126-2:2007 Railway applications.</emphasis> <emphasis>The specification and demonstration of Reliability, Availability, Maintainability and Safety (RAMS) &#x02013; Part 2: Guide to the application of EN 50126-1 for safety</emphasis>.</para></listitem>
<listitem>
<para><anchor id="ch11bib14"/>CENELEC. (2011). <emphasis>EN 50128:2011 Railway applications: Communication, signaling and processing systems &#x02013; Software for railway control and protection systems</emphasis>.</para></listitem>
<listitem>
<para><anchor id="ch11bib15"/>CENELEC. (2003). <emphasis>EN 50129:2003 Railway applications: Communication, signaling and processing systems &#x02013; Safety related electronic systems for signaling</emphasis>.</para></listitem>
<listitem>
<para><anchor id="ch11bib16"/>Hsueh, M. C., Tsai, T. K., and Iyer, R. K. (1997). Fault injection techniques and tools. <emphasis>IEEE Comput. J</emphasis>. 30, 75&#x02013;82. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Hsueh%2C+M%2E+C%2E%2C+Tsai%2C+T%2E+K%2E%2C+and+Iyer%2C+R%2E+K%2E+%281997%29%2E+Fault+injection+techniques+and+tools%2E+IEEE+Comput%2E+J%2E+30%2C+75-82%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch11bib17"/>Natella, R., Cotroneo, D., and Madeira, H. (2016). &#x0201C;Assessing dependability with software fault injection: a survey&#x0201D;, in <emphasis>ACM Computing Surveys</emphasis> (ACM: New York, NY), Vol. 48. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Natella%2C+R%2E%2C+Cotroneo%2C+D%2E%2C+and+Madeira%2C+H%2E+%282016%29%2E+%22Assessing+dependability+with+software+fault+injection%3A+a+survey%22%2C+in+ACM+Computing+Surveys+%28ACM%3A+New+York%2C+NY%29%2C+Vol%2E+48%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch11bib18"/>ProSigma. <emphasis>Prolan Process Control Co</emphasis>. Available at: <ulink url="http://www.prolan.hu/en/divisions/railway-automation/prosigma/">http://www.prolan.hu/en/divisions/railway-automation/prosigma/</ulink></para></listitem>
<listitem>
<para><anchor id="ch11bib19"/>OpenODC. <emphasis>University of Applied Sciences Augsburg</emphasis>. Available at: <ulink url="http://openocd.org/documentation/">http://openocd.org/documentation/</ulink></para></listitem></orderedlist>
</section>
</chapter>
<chapter class="chapter" id="ch12" label="12" xreflabel="12">
<title>Robustness and Fault Injection for the Validation of Critical Systems</title>
<para role="author"><emphasis role="strong">Nuno Laranjeiro<superscript>1</superscript>, Gon&#x000E7;alo Pereira<superscript>1</superscript>, Seyma Nur Soydemir<superscript>1</superscript>, Raul Barbosa<superscript>1</superscript>, Jorge Bernardino<superscript>1,2</superscript>, Cristiana Areias<superscript>1,2</superscript>, Nuno Antunes<superscript>1</superscript>, Jo&#x00E3;o Carlos Cunha<superscript>1,2</superscript>, Marco Vieira<superscript>1</superscript> and Henrique Madeira<superscript>1</superscript></emphasis></para>
<para><superscript>1</superscript>CISUC, Department of Informatics Engineering, University of Coimbra, Portugal</para>
<para><superscript>2</superscript>ISEC &#x02013; Coimbra Institute of Engineering, Polytechnic Institute of Coimbra, Portugal</para>
<para>Critical systems are nowadays being deployed as services or web applications, and are being used to provide enterprise-level business-critical operations. These systems are supported by complex middleware, which often links different systems, and where a failure can bring in disastrous consequences for both clients and service providers. In this chapter we present a toolset that can be used to evaluate the robustness of a given system, under the following two different perspectives: i) executing robustness tests against the service&#x02019;s external interface (e.g., the interface with business clients) and also inner interfaces (e.g., the application-database interface); ii) emulating the presence of source code defects, on the service middleware, to understand how the presence of a defect can affect the robustness of the overall system. The toolset has been demonstrated on a set of web services, an Enterprise Resource Planning web application, and on the popular Apache HTTP server. Results show that the toolset can be easily used to disclose critical problems in web applications and to support middleware, helping developers in building and validating more reliable services.</para>
<section class="lev1" id="sec12-1" label="12.1" xreflabel="12.1">
<title>Introduction</title>
<para>Web applications and services are nowadays used as the interface of many businesses to the outside world, providing services that are frequently supported by web servers and back-end databases. In these environments, a service failure can damage the complete business, potentially bringing in considerable losses for service providers. These losses might be due to lost business transactions, but can also refer to other kinds of financial losses (e.g., time to repair, human resources used to recover systems), including reputation losses [<link linkend="ch12bib1">1</link>].</para>
<para>The need for practical means to assess the robustness of Web-based systems (e.g., web applications or services) is supported by several studies, which show the predominance of software faults (i.e., program defects or bugs) [<link linkend="ch12bib2">2</link>&#x02013;<link linkend="ch12bib4">4</link>] as the root cause of computer failures. If we consider the huge complexity of modern software, the weight of these faults will tend to increase. Web services and applications are certainly no exception, as they are normally quite complex software applications, supported by several components of also high complexity. Moreover, the current tendency of fast-paced development of software leads developers to focus on functionality, and this means that non-functional requirements, such as application robustness, are many times overlooked [<link linkend="ch12bib5">5</link>] leading to the deployment of applications holding residual bugs.</para>
<para>Considering the typical structure of an application built for the Web and including supporting software, we identify the following three key issues to be handled: (i) how the application behaves in the presence of <emphasis role="strong">external interface faults</emphasis> (e.g., invalid client inputs); (ii) how the application behaves in the presence of <emphasis role="strong">inner interface faults</emphasis> (e.g., invalid database data, delivered to the application); and (iii) how residual <emphasis role="strong">software faults</emphasis> on the supporting middleware can affect the overall system. These obviously are not exhaustive, but represent an integrative and comprehensive view that relates to the robustness of an overall web-based system and that many works tend to overlook.</para>
<para>Interface faults, which relate to issues in the interaction among different software components/modules [<link linkend="ch12bib6">6</link>] are quite relevant in service environments, in particular <emphasis role="strong">external interface faults</emphasis>, as services are highly exposed to heterogeneous or malicious clients on the Web and must be able to provide robust service to clients, even when facing invalid inputs (generated by bugs in client applications, corruptions caused by silent failures in the network, or even security attacks).</para>
<para>From a robustness perspective, the problem regarding interface faults is generally tackled from an external point-of-view, typically with robustness tests targeting the public interface. However, industry reports suggest that the way <emphasis role="strong">applications handle incoming data at the application&#x02013;database interface</emphasis> is an aspect that is many times disregarded. In fact, developers many times assume that the data being handled by the application is correct, which experience shows that is not always the case. This is corroborated by industry reports [<link linkend="ch12bib1">1</link>], where the presence of poor quality data has led to severe system failures and/or huge financial losses. As mentioned, this kind of problem at the interface level is relatively well-known in the robustness testing domain, where tests using invalid inputs applied on external interfaces of many different systems have been successfully used [<link linkend="ch12bib5">5</link>, <link linkend="ch12bib7">7</link>, <link linkend="ch12bib8">8</link>]. However, the definition of tests at the inner interfaces (e.g., application-database) has been largely overlooked.</para>
<para>In general, web applications or services rely on a web server, which in practice is a software container that supports the whole application. This kind of middleware component is subject to change (as any software component nowadays built for the Web), as providers want to deploy the latest versions, where usually a number of software bugs are corrected but, at the same time, the new code brings in the potential for more bugs. Despite the popularity of this kind of component there is still little information of the behavior of <emphasis role="strong">web applications in the presence of residual software faults in the web servers</emphasis>. Thus, the absence of practical means to assess the behavior of web-based applications in this kind of scenario is a strong limitation for deployments where dependability is of critical importance.</para>
<para>In this chapter we present a toolset, summarized in the next paragraphs, that targets the three above mentioned issues and is composed of the following tools:(i) wsrbench &#x02013; a tool for testing the robustness of web services; (ii) PDInjector &#x02013; a tool for testing the behavior of web applications and services in presence of poor quality data; (iii) ucXception &#x02013; a tool for the practical injection of software faults, demonstrated on a popular web server.</para>
<para>wsrbench generates and applies <emphasis role="strong">external-interface</emphasis> robustness tests to SOAP web services. The goal is to understand the behavior of the system being tested in the presence of invalid inputs or stressful conditions [<link linkend="ch12bib7">7</link>], possibly exposing internal errors and allowing developers to solve the identified problems. This kind of technique can be used to distinguish systems according to the number and severity of the problems disclosed, from a black-box perspective [<link linkend="ch12bib7">7</link>, <link linkend="ch12bib8">8</link>]. wsrbench has been used, for the first time, to test the web services of a Diagnostic Centre for a Locomotive On-board Computer, with the results revealing problems that required urgent developer attention.</para>
<para>PDInjector was built based on an approach whose main concept revolves around the idea of <emphasis role="strong">injecting poor quality data at the application&#x02013;storage interface</emphasis>. We inject mutated data on returning result sets from the database. The mutated data is based on typical data quality problems, which were identified in a survey of the state of the art in dirty data [<link linkend="ch12bib9">9</link>]. In short, PDInjector replaces valid data coming from the database with poor quality data (that should be correctly handled by the application) and observe the application behavior. The tool was used to show how a major open-source Enterprise Resource Planning web application would handle invalid inputs, and was able to disclose serious bugs, not only in the code being tested, but also issues in the Object Relational Mapping (ORM) framework, and JDBC driver used by the web application.</para>
<para>Finally, ucXception formally describes a set of software fault injection operators, and includes a comprehensive test suite to apply these operators to emulate faults in the software and to verify its correctness. The performance of the fault injection process is optimized by compiling only the file in which a fault is injected and linking/installing that file. We illustrate the use of the tool by carrying out an experimental evaluation using the currently most popular web server, the Apache web server. The results revealed issues that require developer&#x02019;s attention, including potential security problems.</para>
<para>The structure of this chapter is as follows. Section 12.2 presents related work on robustness testing and software fault injection and Section 12.3 describes in detail our toolset for robustness testing and fault injection of services. Section 12.4 describes the operating mode of our toolset and Section 12.5 illustrates the use of the toolset in 3 case studies. Finally, Section 12.6 concludes this chapter.</para>
</section>
<section class="lev1" id="sec12-2" label="12.2" xreflabel="12.2">
<title>Related Work</title>
<para>Robustness testing is a technique that allows understanding the behavior of a system when in presence of invalid input or stressful conditions [<link linkend="ch12bib7">7</link>]. The objective is to stimulate a particular system to expose possible internal errors, which will then allow developers to solve the identified problems. The technique can be used to distinguish systems according to the number and severity of the issues uncovered and has been mostly applied to external (i.e., public) interface of several systems, from a black-box perspective [<link linkend="ch12bib7">7</link>, <link linkend="ch12bib8">8</link>]. Using robustness tests on the inner interfaces of different independent systems is something that has been largely overlooked in previous research.</para>
<para>Ballista [<link linkend="ch12bib7">7</link>] is a tool for robustness testing that uses a combination of acceptable and exceptional values on calls to kernel functions of operating systems. The values that are used in each call are randomly extracted from a predefined set of tests that apply to the particular data type involved in the call. The robustness of the system being tested is classified according to the CRASH scale [<link linkend="ch12bib7">7</link>], which distinguishes five failure modes. MAFALDA [<link linkend="ch12bib8">8</link>] is also a robustness testing tool that targets microkernels. In previous work we defined an approach to assess the behavior of web services in presence of mutated SOAP messages [<link linkend="ch12bib5">5</link>], which are used on web services call parameters. The services are classified according to the failures observed during the tests, using an adapted version of the CRASH scale.</para>
<para>Fuzzers are tools that can be used to disclose security problems in applications. In short, from a code perspective, these problems, essentially refer to the presence of code vulnerabilities (i.e., bugs in <emphasis>lato senso</emphasis>) or to the use of bad programming practices [<link linkend="ch12bib10">10</link>]. Although the domain is security, it is common for these tools to operate by providing erroneous data (originally random) to the applications&#x02019; interfaces. Our toolset includes a robustness testing tool, wsrbench, which essentially operates by generating wrong data that is used on call parameters for web service operations.</para>
<para>Data quality has been defined in a huge number of different ways in the literature [<link linkend="ch12bib11">11</link>]. The ISO/IEC 25012 standard defines it as &#x0201C;the degree to which a set of characteristics of data fulfills requirements&#x0201D; [<link linkend="ch12bib12">12</link>]. A few examples of such characteristics are completeness, accuracy, or consistency [<link linkend="ch12bib9">9</link>]. The requirements mentioned in the definition express the needs and constraints that contribute to the solution of a problem [<link linkend="ch12bib13">13</link>].</para>
<para>Industry reports have shown the severe damage caused by the presence of poor quality data in many different contexts [<link linkend="ch12bib14">14</link>&#x02013;<link linkend="ch12bib17">17</link>], with the Gartner Group identifying bad data as the main cause of failure in CRM systems [<link linkend="ch12bib18">18</link>]. The growth of the volume of data can also increase its management complexity, which can result in a higher probability of generating poor data. The current fast-changing dynamics of the Web environment can also lead to the degeneration of customer data (e.g., due to the update software components holding bugs) and this is something has actually been reported in real systems [<link linkend="ch12bib18">18</link>].</para>
<para>Activities such as analysis or improvement of data quality have gathered much of the attention (e.g., to perform data cleaning) of researchers and practitioners [<link linkend="ch12bib16">16</link>, <link linkend="ch12bib19">19</link>&#x02013;<link linkend="ch12bib23">23</link>]. In fact, the impact of poor data in business critical systems [<link linkend="ch12bib24">24</link>] is quite well-known. Despite this, understanding how well an application is prepared to handle the inevitable appearance of poor data has been largely disregarded. To achieve this goal, it is essential to identify representative data quality problems and to understand how to integrate them in test cases. We researched the state of the art in data quality classification and data quality problems in previous work [<link linkend="ch12bib9">9</link>], precisely to support the definition of these test cases.</para>
<para>The impact of erroneous data on the reliability of web services has studied in [<link linkend="ch12bib25">25</link>]. The approach includes creating an architecture view of the system under test; assessing the data quality or validity with a tool; assessing the reliability of the data and software components; defining a state machine using the architecture as basis; and calculating the system reliability. The invalid types used in the work are limited to seven issues that are already present. So the approach is limited to reliability estimation based on identified and already present issues. In previous work [<link linkend="ch12bib26">26</link>], we created a preliminary view for a testing approach using data quality problems. PDInjector uses the above reasoning to generate faults, that emulate the presence of dirty data in the database that are delivered to a running application. The complete tool uses a comprehensive set of data quality problems [<link linkend="ch12bib9">9</link>] and is based on the approach presented in [<link linkend="ch12bib27">27</link>].</para>
<para>Software fault injection is currently a quite mature topic, after emerging from the general area of fault injection, and gained the interest of researchers as a specific category of fault injection technique and related tools. A survey presenting a quite comprehensive perspective on software fault injection can be found in [<link linkend="ch12bib28">28</link>].</para>
<para>In general, the goal of injecting software faults (i.e., realistically mimicking software defects or bugs) is to assess the impact that the activation of residual bugs in specific software components (the target component) has in the rest of the system. This is useful for different purposes. For instance, software fault injection experiments can be used to provide feedback to the development process of fault-tolerant systems [<link linkend="ch12bib29">29</link>], to validate software fault tolerance mechanisms [<link linkend="ch12bib30">30</link>], to analyze how error propagates in component-based software [<link linkend="ch12bib31">31</link>], to perform dependability benchmarking of operating systems [<link linkend="ch12bib32">32</link>], to experimentally assess the risk of using legacy software components [<link linkend="ch12bib33">33</link>], or to assess recovery features in virtualized environments [<link linkend="ch12bib8">8</link>, <link linkend="ch12bib34">34</link>].</para>
<para>An important question in software fault injection is how to represent (i.e., model) software faults (bugs). The concept that a software bug has unique features and is very difficult to emulate by a fault injection tool has persisted for a long time. Actually, the early works on software fault injection assume rather simple software fault models, extracted from educated guesses of developers and testers [<link linkend="ch12bib29">29</link>, <link linkend="ch12bib30">30</link>].</para>
<para>A first work that tried to emulate realistic software faults based on field studies on real bugs is presented in [<link linkend="ch12bib35">35</link>]. However, the assumption in this early work on software fault injection representativeness was that real data on residual bugs found in the target system was available, in order to generate accurate fault models. Unfortunately, in general there is no data on real bugs previously found in the target systems, so the technique proposed in [<link linkend="ch12bib35">35</link>] was of limited use.</para>
<para>A field study on real software faults was presented in [<link linkend="ch12bib36">36</link>]. This work concluded that there is a quite short list of software fault types that represent the most frequent types of bugs found in deployed software. Actually, it was found that more than 60% of the software faults found in the field fall in just 13 fault types. This finding opened the possibility of creating a fault injection tool (G-SWIFIT) that injects the most frequent types of faults, knowing that even with a small number of fault injection operators (a fault operator injects a given fault type) it is possible to achieve a reasonably good coverage of the software faults universe.</para>
<para>A recent work [<link linkend="ch12bib32">32</link>] researched whether software faults injected according to the fault types identified in [<link linkend="ch12bib36">36</link>] are really representative of residual elusive software faults. The results show that in some cases a significant share (up to 72%) of injected faults cannot be considered representative of residual software faults.</para>
<para>Concerning the technology of fault injection tools, the tool proposed in [<link linkend="ch12bib36">36</link>] (G-SWIFIT) injects faults at the executable code level. This has the advantage of being able to inject faults in any software component, even without access to its source code. However, the precision of the fault injection operators is not ideal, as the information available at assembly level (the G-SWIFIT tool creates an assembly version from the target executable code) does not allow a perfect identification of all the code patterns where a given fault type can be injected. Despite this, G-SWIFIT has the advantage of being quite fast, as the injection process consists of changing just a few bytes in the executable code.</para>
<para>The tool used in [<link linkend="ch12bib32">32</link>] assumes that there is access to the source code of the target software. This allows a more precise emulation of the faults but incurs on the extra cost of requiring the compilation and linking of the target code after the injection of each fault, which can take a considerable amount of time. The ucXception tool discussed in this chapter also assumes that the source code is available but considerably optimizes the process of injecting the faults.</para>
<para>In the context of this chapter, it is relevant to overview some fault injection tools that can inject software faults (in fact, most of the fault injection tools found in the literature only emulate hardware faults).</para>
<para>JACA [<link linkend="ch12bib37">37</link>] is a source-code independent tool that has been designed to validate Java applications. It injects high-level software faults and is based on reflection to inject interface faults in Java applications at the bytecode level [<link linkend="ch12bib38">38</link>]. The goal of this tool is to use high-level programming features to corrupt attribute values, methods parameters or return values during runtime. The Java Software Fault Injection Tool [<link linkend="ch12bib39">39</link>] does not need the source code to perform the injection because it can directly mutate compiled code and it is based on the G-SWFIT [<link linkend="ch12bib36">36</link>].</para>
<para>The SAFE tool [<link linkend="ch12bib32">32</link>] is an application that uses Software Implemented Fault Injection (SWIFI) technique to inject realistic software faults in programs coded in C and C++. This tool uses MCPP as parser, to get the tree of code and then applies some variations to the original files (code with simple mutations) with the selected operators. SAFE implements thirteen operators, the same number as in G-SWIFT [<link linkend="ch12bib36">36</link>]. However, while SAFE implements these operators at the source code level, G-SWIFT implements them at the binary level.</para>
<para>The third tool described in this chapter, the ucXception software fault injection tool, and it follows an approach similar to SAFE [<link linkend="ch12bib40">40</link>] in terms of output, which consists of producing the source code files with changes made in it. However, the proposed tool was designed to optimize the maintainability and easiness of using the fault injector, which is an essential aspect to disseminate the use of software fault injection tools.</para>
</section>
<section class="lev1" id="sec12-3" label="12.3" xreflabel="12.3">
<title>Robustness Testing and Fault Injection for the Robustness Evaluation of Services</title>
<para>In this section, we explain the concepts implemented by our toolset that allow the evaluation of services, based on robustness testing and fault injection. <link linkend="F12-1">Figure <xref linkend="F12-1" remap="12.1"/></link> overviews our target scenario by depicting a runtime interaction between a client and a service application. The service is supported by an HTTP server and also makes use of a database. We highlight in red critical points where our tools inject faults. Faults in the client request are set by our robustness testing tool for external interfaces (SOAP interfaces) &#x02013; <emphasis role="strong">wsrbench</emphasis>; faults in result sets that are delivered to the application are injected by our robustness testing tool for inner interfaces (application-database interfaces) &#x02013; <emphasis role="strong">PDInjector</emphasis>; and finally, we emulate the presence of software faults in the underlying middleware being used with our third tool &#x02013; <emphasis role="strong">ucXception</emphasis>, which is capable of injecting such faults o&#x0FB04;ine. As wsrbench and PDInjector are, in practice, separated by small details, we merge the explanation of both tools in the next paragraphs, explaining the differences whenever appropriate. ucXception is overviewed in the last part of this section.</para>
<fig id="F12-1" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F12-1">Figure <xref linkend="F12-1" remap="12.1"/></link></label>
<caption><para>Scenario for service robustness evaluation using wsrbench, PDInjector and ucXception.</para></caption>
<graphic xlink:href="graphics/ch12_figN001.jpg"/>
</fig>
<section class="lev2" id="sec12-3-1" label="12.3.1" xreflabel="12.3.1">
<title>Robustness Testing with wsrbench and PDInjector</title>
<para>wsrbench is a web-based tool for external interface testing of web services and is available at <emphasis>wsrbench.dei.uc.pt</emphasis>. In summary, it operates by sending invalid calls to web service operations. For this, the tool user must provide a WSDL document location, which describes all service operations, including input and output parameters (and data types). The tool then generates random calls based on the operation arguments data types and also domains (when provided by the user). These random calls are then sent to the service without further changes (to understand its behavior without the presence of invalid inputs). The remaining calls are mutated to include the invalid parameters that typically form the robustness tests. These mutated calls will eventually be sent to the service, so that its behavior can be assessed.</para>
<para>PDInjector is the tool used for testing the internal interfaces. It is based on the presence of an instrumented data access driver (e.g., a JDBC driver) that should be placed between the application, generically designated by <emphasis>service application</emphasis>, and the data storage system. This instrumented driver has the exact same interface of a regular data access driver, which essentially means that to use the tool, no changes to the service code, database management system, or database are required. The main idea is that the driver intercepts all calls to the database management system and, at specific moments, simulates the presence of poor quality data, by replacing the original data coming from the database with poor quality data. The goal is to understand if the application can handle the mutated data coming from the database in a robust manner or if, otherwise the service is poorly built and cannot tolerate the presence of dirty data (e.g., by becoming unavailable or throwing unexpected exceptions when processing the data).</para>
<para>Both tools wsrbench and PDInjector are prepared to operate according to the following sequential phases:</para>
<orderedlist numeration="arabic" continuation="restarts" spacing="normal">
<listitem>
<para><emphasis role="strong">Warm-up</emphasis>: Valid client requests are issued to the service application and the goal is just to warm-up the system to reach typical operational conditions;</para></listitem>
<listitem>
<para><emphasis role="strong">Injection</emphasis>: Invalid inputs are injected before the application code is reached(invalid inputs are generated at the client by wsrbench, and at the driver by PDInjector);</para></listitem>
<listitem>
<para><emphasis role="strong">Analysis</emphasis>: The service behavior is analyzed by examining the responses produced by the system.</para></listitem></orderedlist>
<para>During the first two phases, PDInjector assumes there is a workload generation client that is able to place valid requests on the system, as requests must be generated by some outside entity. Since wsrbench is placed at the client-side, it is able to generate those valid requests. These requests are then used as basis to perform different functions according to the phase being executed.</para>
<para>During the <emphasis role="strong">warm-up phase</emphasis> all calls pass from the client and reach the server and there is no injection of invalid data by wsrbench. Similarly, PDInjector intercepts all data access calls, but does not inject any mutated data during this phase. As mentioned, the goal is to let the system warm-up and reach typical working conditions.</para>
<para>During the <emphasis role="strong">injection phase</emphasis>, we replace genuine data generated by the client in wsrbench, or coming from the database in PDInjector, with data that, for the particular data type and value being handled, represents a robustness problem. The types of problems that should be emulated by our tools were based on previous studies on robustness testing for wsrbench and also on a survey in data quality classification, where we identified representative data quality problems (e.g., misspellings, abbreviations, empty data, extraneous data) associated with common data types (e.g., text, numbers) [<link linkend="ch12bib9">9</link>]. The total number of mutations is quite large and, as such, we present a subset in <link linkend="T12-1">Table <xref linkend="T12-1" remap="12.1"/></link> (detailed versions can be consulted in [<link linkend="ch12bib5">5</link>] and [<link linkend="ch12bib41">41</link>]).</para>
<table-wrap position="float" id="T12-1">
<label><link linkend="T12-1">Table <xref linkend="T12-1" remap="12.1"/></link></label>
<caption><para>Examples of Robustness and poor data quality mutations</para></caption>
<table cellspacing="5" cellpadding="5" frame="hsides" rules="groups">
<thead>
<tr>
<td valign="bottom" align="left" width="15%">Data Type</td>
<td valign="bottom" align="center">Robustness Mutations</td>
<td valign="bottom" align="center">Data Quality Mutations</td></tr>
</thead>
<tbody>
<tr>
<td valign="top" align="left">String</td>
<td valign="top" align="left">Replace by null</td>
<td valign="top" align="left">Replace by null</td>
</tr>
<tr>
<td valign="top" align="left"></td>
<td valign="top" align="left">Replace by empty</td>
<td valign="top" align="left">Replace by empty</td>
</tr>
<tr>
<td valign="top" align="left"></td>
<td valign="top" align="left">Replace by string with nonprintable characters</td>
<td valign="top" align="left">Replace a word by a misspelled word (Dictionary-based) or, if no match, use a random single edit operation (insertion; deletion; substitution of a single character; or transposition of two adjacent characters) over a randomly selected word</td>
</tr>
<tr>
<td valign="top" align="left"></td>
<td valign="top" align="left">Add nonprintable characters to the string</td>
<td valign="top" align="left">Add whitespace in a leading or trailing position, or between words (random choice)</td>
</tr>
<tr>
<td valign="top" align="left"></td>
<td valign="top" align="left">Replace by alphanumeric string</td>
<td valign="top" align="left">Add extraneous data in leading, trailing, or random position (random choice)</td>
</tr>
<tr>
<td valign="top" align="left"></td>
<td valign="top" align="left"></td>
<td valign="top" align="left"></td>
</tr>
<tr>
<td valign="top" align="left">Integer</td>
<td valign="top" align="left">Replace by MAX_INTEGER</td>
<td valign="top" align="left">Add one numeric character</td>
</tr>
<tr>
<td valign="top" align="left"></td>
<td valign="top" align="left">Replace by MAX_INTEGER &#x02013; 1</td>
<td valign="top" align="left">Set to zero</td>
</tr>
<tr>
<td valign="top" align="left"></td>
<td valign="top" align="left">Replace by MAX_DOMAIN + 1</td>
<td valign="top" align="left">Remove one random numeric character</td>
</tr>
<tr>
<td valign="top" align="left"></td>
<td valign="top" align="left">Subtract 1</td>
<td valign="top" align="left">Flip sign</td>
</tr>
<tr>
<td valign="top" align="left">&#x02026;</td>
<td valign="top" align="left"></td>
<td valign="top" align="left"></td></tr>
</tbody>
</table>
</table-wrap>
<para>The injection of invalid/mutated data can be performed once per each client call, since the goal is to understand how faulty data can affect the execution of that particular operation. Despite this, it is also possible to inject a given number of faults during the execution of a service operation (which we have followed in our experiments with PDInjector). Although injecting several faults may lead to difficulties in understanding the exact causes of a failure, it is frequently the typical choice in the robustness testing domain due to its simplicity and ability to disclose problems.</para>
<para>It is desirable that all public operations should be tested, but this obviously depends on the test being executed. For instance, a developer may be only interested in testing a few operations). In any case, for each operation being tested, each of the operation parameters (wsrbench) or of the data access points (PDInjector) present in the code should also be tested in this phase. This desirable execution profile of the injection phase is represented in <link linkend="F12-2">Figure <xref linkend="F12-2" remap="12.2"/></link>.</para>
<fig id="F12-2" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F12-2">Figure <xref linkend="F12-2" remap="12.2"/></link></label>
<caption><para>Basic execution profile of the tests.</para></caption>
<graphic xlink:href="graphics/ch12_figN002.jpg"/>
</fig>
<para>Covering all data access points naturally depends on the client workload, which must provide adequate coverage. This aspect is currently out of the scope of our toolset. In some cases, data access points may be shared by different service operations. Even in such cases, it is desirable to invoke the different service operations, as it will exercise different areas of the code, thus having the ability to disclose different problems. Each data access point (or operation parameter, in the case of wsrbench) should be tested by PDInjector with all predefined poor data faults.</para>
<para>The injection phase could be automatically configured to stop when a given number of data access points (or operations/parameters) has been covered by the tests. After starting a test, wsrbench stops when all operations/parameters have been tested. In the case of PDInjector, we currently determine that a test should stop when either the client action has concluded (i.e., a response is delivered to the client) or when a failure is detected.</para>
<para>The last phase refers to the <emphasis role="strong">analysis</emphasis> of the tests results, which includes classifying any observed failures (e.g., using a failure mode scale, such as CRASH [<link linkend="ch12bib7">7</link>]) and also understanding the location and origin of the problems disclosed during the tests. Performing this analysis step requires source code access to understand if the output of the tests is a bug, what is the exact location (note that an value delivered to a specific point in the code may only be improperly used in another part of the code) and why it is a problem (so that it is corrected). If the developers want to classify the service behavior it is possible to use the CRASH scale, which classifies the severity of failures in Catastrophic, Restart, Abort, Silent, or Hindering. This kind of classification is only necessary if the developer needs to, for instance, prioritize bug fixing.</para>
</section>
<section class="lev2" id="sec12-3-2" label="12.3.2" xreflabel="12.3.2">
<title>Emulating Software Faults with ucXception</title>
<para>This section describes the operating mode of the ucXception software fault injection tool, which aims at simplifying and generalizing the process of emulating software faults. ucXception modifies the source code of programs by applying software fault emulation operators over abstract syntax tree and produces software patches in an automated way. The existing specifications of emulation operators in the literature, target the emulation of software faults in binary code, and source-level operators have not been properly specified. ucXception currently uses a refined and adapted version of the existing specifications to work at the source-level.</para>
<para>This fault injector tool injects faults in code and the emulated faults resemble real software faults made by actual developers, which might lead to bugs. This tool was created in Java, using Eclipse CDT Plugin, and is able to inject faults in C code by following the Software Implemented Fault Injection (SWIFI) technique.</para>
<para><link linkend="T12-2">Table <xref linkend="T12-2" remap="12.2"/></link> shows the most important fault operators of ucXception. To apply each of these operators, there is a set of rules, which we name constraints, that assure the realism of the injected faults. These constraints were created based on the observation of real bugs [<link linkend="ch12bib10">10</link>]. The injection is location-based, because only the code locations that validate all constraints related to each of the operator, can be used to inject faults realistically. <link linkend="T12-3">Table <xref linkend="T12-3" remap="12.3"/></link> shows all the constraints that are used with the operators. Each of the operators can use one or more constraints and an important aspect is that all related constraints of a given operator must be valid so that it can be applied in some location of the code.</para>
<table-wrap position="float" id="T12-2">
<label><link linkend="T12-2">Table <xref linkend="T12-2" remap="12.2"/></link></label>
<caption><para>Fault emulation operators</para></caption>
<table cellspacing="5" cellpadding="5" frame="hsides" rules="groups">
<thead>
<tr>
<td valign="bottom" align="left">Operators</td>
<td valign="bottom" align="center">Description</td></tr>
</thead>
<tbody>
<tr>
<td valign="top" align="left">MFC</td>
<td valign="top" align="left">Missing function call</td>
</tr>
<tr>
<td valign="top" align="left">MIA</td>
<td valign="top" align="left">Missing if construct around statements</td>
</tr>
<tr>
<td valign="top" align="left">MIEB</td>
<td valign="top" align="left">Missing if construct plus statements plus else before statements</td>
</tr>
<tr>
<td valign="top" align="left">MIFS</td>
<td valign="top" align="left">Missing if construct and surrounded statements</td>
</tr>
<tr>
<td valign="top" align="left">MLAC</td>
<td valign="top" align="left">Missing and sub-expr. in logical expression used in branch condition</td>
</tr>
<tr>
<td valign="top" align="left">MLOC</td>
<td valign="top" align="left">Missing or sub-expr. in logical expression used in branch condition</td>
</tr>
<tr>
<td valign="top" align="left">MLPA</td>
<td valign="top" align="left">Missing localized part of the algorithm</td>
</tr>
<tr>
<td valign="top" align="left">MVAE</td>
<td valign="top" align="left">Missing variable assignment with an expression</td>
</tr>
<tr>
<td valign="top" align="left">MVAV</td>
<td valign="top" align="left">Missing variable assignment with a value</td>
</tr>
<tr>
<td valign="top" align="left">MVIV</td>
<td valign="top" align="left">Missing variable initialization with a value</td>
</tr>
<tr>
<td valign="top" align="left">WAEP</td>
<td valign="top" align="left">Wrong arithmetic expression in parameters of function call</td>
</tr>
<tr>
<td valign="top" align="left">WPFV</td>
<td valign="top" align="left">Wrong variable used in parameter of function call</td>
</tr>
<tr>
<td valign="top" align="left">WVAV</td>
<td valign="top" align="left">Wrong value assigned to a variable</td></tr>
</tbody>
</table>
</table-wrap>
<table-wrap position="float" id="T12-3">
<label><link linkend="T12-3">Table <xref linkend="T12-3" remap="12.3"/></link></label>
<caption><para>Fault emulation constraints</para></caption>
<table cellspacing="5" cellpadding="5" frame="hsides" rules="groups">
<thead>
<tr>
<td valign="bottom" align="left">Constraints</td>
<td valign="bottom" align="center">Description</td></tr>
</thead>
<tbody>
<tr>
<td valign="top" align="left">C01</td>
<td valign="top" align="left">Return value of the function must not be used</td>
</tr>
<tr>
<td valign="top" align="left">C02</td>
<td valign="top" align="left">Call/Assignment/The if construct/The statements must not be the only statement in the block</td>
</tr>
<tr>
<td valign="top" align="left">C03</td>
<td valign="top" align="left">Variable must be inside stack frame</td></tr>
<tr>
<td valign="top" align="left">C04</td>
<td valign="top" align="left">Must be the first assignment for that variable in the module</td>
</tr>
<tr>
<td valign="top" align="left">C05</td>
<td valign="top" align="left">Assignment must not be inside a loop</td>
</tr>
<tr>
<td valign="top" align="left">C06</td>
<td valign="top" align="left">Assignment must not be part of a for construct</td>
</tr>
<tr>
<td valign="top" align="left">C07</td>
<td valign="top" align="left">Must not be the first assignment for that variable in the module</td>
</tr>
<tr>
<td valign="top" align="left">C08</td>
<td valign="top" align="left">The if construct must not be associated to an else construct</td>
</tr>
<tr>
<td valign="top" align="left">C09</td>
<td valign="top" align="left">Statements must not include more than five statements and not include loops</td>
</tr>
<tr>
<td valign="top" align="left">C10</td>
<td valign="top" align="left">Statements are in the same block, do not include more than five statements, nor loops</td>
</tr>
<tr>
<td valign="top" align="left">C11</td>
<td valign="top" align="left">There must be at least two variables in this module</td>
</tr>
<tr>
<td valign="top" align="left">C12</td>
<td valign="top" align="left">Must have at least two branch conditions</td>
</tr>
<tr>
<td valign="top" align="left">C13</td>
<td valign="top" align="left">The if construct must be associated to an else construct</td>
</tr>
</tbody>
</table>
</table-wrap>
<para>The main tasks performed by the ucXception software fault injection tool are as follows:</para><orderedlist numeration="arabic" continuation="restarts" spacing="normal">
<listitem>
<para>Read source code;</para></listitem>
<listitem>
<para>Create the Abstract Syntax Tree (AST);</para></listitem>
<listitem>
<para>Verify all constraints related to the current operator;</para></listitem>
<listitem>
<para>Apply the operator in the AST (if the validity of the constraints is verified);</para></listitem>
<listitem>
<para>Create the patch with the modifications, comparing modified code with the initially source code.</para></listitem></orderedlist>
<para>The fault injector beings by reading the source code, which consists of files typically coded in C or C++. The code is then analyzed by the Eclipse CDT plugin and an AST tree is built. In order to inject a fault, the injector searches for the node where it can be injected (it evaluates the truthfulness of all constraints of the particular operator), and modifies it, according to operator specification. After that, the AST is rewritten, by reading the modified code. The output of the ucXception tool is a set of individual patches, with each patch corresponding to the emulation of a particular bug. Thus, each patch can be applied in an experimental evaluation to emulate the presence of a bug at a particular code location.</para>
</section>
</section>
<section class="lev1" id="sec12-4" label="12.4" xreflabel="12.4">
<title>Case Studies</title>
<para>In this section we describe three case studies that illustrate the application of our toolset. The first case study illustrates the usefulness of wsrbench in testing the public interface of web services that serve to diagnose a Locomotive On-board computer; the second case study focuses on inner interface testing of a web based Enterprise Resource Planning system with the use of PDInjector; and finally, the third case study illustrates the ucXception software fault injection tool by targeting popular middleware for web-based systems &#x02013; the Apache HTTP server.</para>
<section class="lev2" id="sec12-4-1" label="12.4.1" xreflabel="12.4.1">
<title>External Interface Testing: Case Study #1</title>
<para>MFB is a Locomotive On-board Computer (LOC) used for data acquisition. The on-board computer continuously provides data to the dispatching center regarding current position, operation status and mechanical parameters of the traction vehicle. The functions of the device are the following.</para>
<itemizedlist mark="bullet" spacing="normal">
<listitem>
<para>Automatically connect to the main supervisory system of traction vehicles and engine drivers.</para></listitem>
<listitem>
<para>Management of the electronic logbook.</para></listitem>
<listitem>
<para>Supervise of the electric traction energy on diesel and electric locomotives.</para></listitem>
<listitem>
<para>Automatically measure the fuel flowing to and from the feeder, sending reports to the dispatch center in case of unaccounted fuel consumption.</para></listitem>
<listitem>
<para>Supervise the engine&#x02019;s activity, support the engine&#x02019;s diagnostic and maintenance, collect digital signals supplied by the relay contactors, and count the operating hours of the mechanical machinery.</para></listitem></itemizedlist>
<para>The MFB Diagnostic Centre is composed of a set of SOAP web services, implemented in PHP, that run on an Debian Linux server and use a PostgreSQL database. We used wsrbench to perform robustness tests on the web services of the MFB Diagnostic Centre. The robustness tests of the tool were complemented with manual code inspection, which focused on the analysis of the code in terms of robustness and also security.</para>
<section class="lev3" id="sec12-4-1-1">
<title>Results for case study #1</title>
<para>In total, 6 services and 53 inputs were tested with the wsrbench tool, which resulted in a total of 473 tests performed. The following items highlight the main findings:</para>
<itemizedlist mark="bullet" spacing="normal">
<listitem>
<para>37 tests disclosed robustness problems.</para></listitem>
<listitem>
<para>7 tests results were inconclusive and were checked manually.</para></listitem>
<listitem>
<para>15 out of the 47 inconclusive test cases revealed the presence of real problems, requiring developer attention.</para></listitem>
<listitem>
<para>The final results showed robustness problems in &#x0223C;38% of the inputs (20 out of 53).</para></listitem></itemizedlist>
<para>Not all the revealed issues led directly to hang or crash failures, but these issues show that inputs are incorrectly handled, and therefore represent bug prone code. These issues also mean that there was improper preparation of the code to deal with unexpected inputs. Such cases may lead to severe problems under special operational conditions, and also hinder the maintainability of the system.</para>
</section>
</section>
<section class="lev2" id="sec12-4-2" label="12.4.2" xreflabel="12.4.2">
<title>Inner Interface Testing: Case Study #2</title>
<para>In this case study, we opted to test a business-critical pure web-based application for Enterprise Resource Planning [<link linkend="ch12bib27">27</link>]. We selected a well-known widely used commercial open source ERP business solution for enterprises. This ERP is a world leader in its category, with, at the time of writing, about 2.5 million downloads. It allows managing a whole business, and supports typical business processes such as sales, manufacturing, or finance. As we are not allowed to disclose the name of the tool, we name it ERPx. ERPx requires a database, which we opted to be PostgreSQL 9.3, and a web server for which we chose the popular Apache Tomcat 7.0.68. As we had the intention to repeat the tests, besides using a web browser, we recorded and later replayed user operations on the browser (when interacting with ERPx) with SikuliX 1.1.0.</para>
<para>ERPx is a very large application and, as such, we opted to select a few test cases, which should suffice to illustrate the usefulness of PDInjector. We considered the CRUD model [<link linkend="ch12bib42">42</link>] for selecting operations with different profiles: CREATE, READ, UPDATE and DELETE. An important aspect is that all the selected test cases are quite complex and are mostly composed of read operations, but we classified them according to their main goal. Our intention was to obtain a good mix between operations that potentially have distinct data access patterns or are built in differently. <link linkend="T12-4">Table <xref linkend="T12-4" remap="12.4"/></link> presents the operations that we selected for testing, how they map to the CRUD model, and a letter (A, B, C, D, and E) that identifies a type of failure uncovered during testing. The uncovered failures are discussed in the next section.</para>
<table-wrap position="float" id="T12-4">
<label><link linkend="T12-4">Table <xref linkend="T12-4" remap="12.4"/></link></label>
<caption><para>Overview of the tests and results for case study #2</para></caption>
<table cellspacing="5" cellpadding="5" frame="hsides" rules="groups">
<thead>
<tr>
<td valign="bottom" align="left">Operation Name</td>
<td valign="bottom" align="center">Type (CRUD)</td>
<td valign="bottom" align="center">Failure Reference<?lb?>(See Table V)</td></tr>
</thead>
<tbody>
<tr>
<td valign="top" align="left">Login</td>
<td valign="top" align="center">R</td>
<td valign="top" align="left">A, B, C, D</td>
</tr>
<tr>
<td valign="top" align="left">Create Organization</td>
<td valign="top" align="center">C</td>
<td valign="top" align="left">A, C, D</td>
</tr>
<tr>
<td valign="top" align="left">Create a new User</td>
<td valign="top" align="center">C</td>
<td valign="top" align="left">A, B, C, D</td>
</tr>
<tr>
<td valign="top" align="left">Create a new Role</td>
<td valign="top" align="center">C</td>
<td valign="top" align="left">A, B, C, D</td>
</tr>
<tr>
<td valign="top" align="left">Create Product</td>
<td valign="top" align="center">C</td>
<td valign="top" align="left">A, B, C, D, E</td>
</tr>
<tr>
<td valign="top" align="left">Delete Product</td>
<td valign="top" align="center">D</td>
<td valign="top" align="left">A, B, C, D</td>
</tr>
<tr>
<td valign="top" align="left">Update Product</td>
<td valign="top" align="center">U</td>
<td valign="top" align="left">A, B, C, D</td>
</tr>
<tr>
<td valign="top" align="left">Export Product Categories</td>
<td valign="top" align="center">R</td>
<td valign="top" align="left">A, B, D</td>
</tr>
</tbody>
</table>
</table-wrap>
<section class="lev3" id="sec12-4-2-1">
<title>Results for case study #2</title>
<para>As we can see in <link linkend="T12-4">Table <xref linkend="T12-4" remap="12.4"/></link>, we were able to disclose failures in all operations tested. The uncovered issues were discovered at the following three distinct parts of the system: (i) the application code; (ii) in the widely used Object-Relational Mapping framework used by ERPx; and (iii) in the popular PostgreSQL driver code.</para>
<para><link linkend="T12-5">Table <xref linkend="T12-5" remap="12.5"/></link> presents an excerpt of the issues uncovered during the tests, which were selected due to their manifestation in different forms and due to their location in different structural parts of the system (as visible in <link linkend="T12-4">Table <xref linkend="T12-4" remap="12.4"/></link>). All of these examples are problematic, even in those cases where no message was shown to the user, as eventually the application became unusable.</para>
<table-wrap position="float" id="T12-5">
<label><link linkend="T12-5">Table <xref linkend="T12-5" remap="12.5"/></link></label>
<caption><para>Selected cases from case study #2</para></caption>
<table cellspacing="5" cellpadding="5" frame="hsides" rules="groups">
<thead>
<tr>
<td valign="bottom" align="left">Ref</td>
<td valign="bottom" align="center">Root Exception<?lb?>Triggered</td>
<td valign="bottom" align="center">Location</td>
<td valign="bottom" align="center">Last Mutation</td>
<td valign="bottom" align="center">External Behavior</td>
</tr>
</thead>
<tbody>
<tr>
<td valign="top" align="left">A</td>
<td valign="top" align="left">NullPointerException</td>
<td valign="top" align="left">Application</td>
<td valign="top" align="left">changeToOppositeCase</td>
<td valign="top" align="left">TemplateModelException reported to the user</td>
</tr>
<tr>
<td valign="top" align="left">B</td>
<td valign="top" align="left">ClassNotFoundException</td>
<td valign="top" align="left">Application</td>
<td valign="top" align="left">add Extraneous</td>
<td valign="top" align="left">No message displayed to the user</td>
</tr>
<tr>
<td valign="top" align="left">C</td>
<td valign="top" align="left">PSQLException</td>
<td valign="top" align="left">Application</td>
<td valign="top" align="left">replaceBySQLString</td>
<td valign="top" align="left">Application error message disclosing table row contents</td>
</tr>
<tr>
<td valign="top" align="left">D</td>
<td valign="top" align="left">StringIndexOutOfBounds</td>
<td valign="top" align="left">JPA Middleware</td>
<td valign="top" align="left">replaceByEmptyString</td>
<td valign="top" align="left">Application error message stating String index out of range</td>
</tr>
<tr>
<td valign="top" align="left">E</td>
<td valign="top" align="left">ArrayIndexOutOfBounds</td>
<td valign="top" align="left">JDBC Driver</td>
<td valign="top" align="left">addCharactersToString</td>
<td valign="top" align="left">No message displayed to the user</td>
</tr>
</tbody>
</table>
</table-wrap>
<para><emphasis>Failure A</emphasis> mostly occurred whenever the data was mutated to null. However, in the case of the example, it is a mutated variable value (variable <emphasis>referenceID</emphasis>) that causes an access to the database to return null. This null value is then used without being checked, triggering a <emphasis>NullPointerException</emphasis> (the developer could first check the value to avoid the exception). This internal exception triggers a <emphasis>TemplateModelException</emphasis> that becomes visible to the user in an alert box.</para>
<para>ERPx loads a few classes dynamically, and <emphasis>Failure B</emphasis> occurs when one of the class names is incorrect (due to the injection of a mutation). We do not have enough information to state if this is the right design choice (i.e., having dynamic loading of classes), however disclosing this issue can actually help programmers understanding if this is a good design decision and especially how the application is prepared to handle this kind of situation. Anyway, the user should be informed in the event of an error (especially if it renders the application unusable), which did not happen during our tests. This suggests that the application&#x02019;s error handling mechanisms have space for improvement.</para>
<para><emphasis>Failure C</emphasis> is a critical example. It actually is a second order SQL Injection problem, where malicious data present in the database is improperly used to build an SQL query. A malicious user might be able to obtain sensitive information, as the information coming from the database is not sanitized by the service. This shows the potential of PDInjector to disclose security problems. In addition to this, and although the error messaging system of the service was correctly triggered, the actual message displayed to the user discloses the contents of an entire database table row, which should not happen.</para>
<para><emphasis>Failure D</emphasis> is an interesting case, where the tool disclosed fragility in the implementation of the Object-Relational Mapping framework used by ERPx. In this particular case, the ORM framework accesses the first character of a string and fails as the string had turned empty due to the mutation applied. It is interesting because the framework previously checks if the string is null, but it does not check if it is empty and then immediately accesses the first character. This triggers a <emphasis>StringIndexOutOfBoundsException</emphasis>. This is an implementation flaw, quite similar to the one described in the next paragraph (which already received a correction from the developer community).</para>
<para><emphasis>Failure E</emphasis> is triggered when adding characters that include a single quote to a string. This is a bug in the driver being used in the experiments (PostgreSQL JDBC Driver 9.4&#x02013;1201) that has been reported [<link linkend="ch12bib43">43</link>] and fixed in version 9.4&#x02013;1204. In summary, the code fails to find the closing single quote and returns the position of the last character in the query as the end of the string. The issue here is that in another part of the driver, the code does not expect this behavior, and the outcome is an access to a position that is one place after the end.</para>
<para>Before executing the tests we were expecting to find a few application-level issues, but PDInjector was able to find issues at the middleware level (in fact at two middleware levels &#x02013; ORM framework and JDBC driver). The fact that the middleware is widely used and also tested highlights the usefulness of the tool in disclosing issues in applications experiencing unexpected conditions. Moreover, the potential to find problems that go beyond aborted executions with exceptions (or wrong messages presented to the user) and that can actually represent security problems, further emphasizes value of this type of testing for application architects and developers.</para>
</section>
</section>
<section class="lev2" id="sec12-4-3" label="12.4.3" xreflabel="12.4.3">
<title>Injecting Software Faults in Service Middleware: Case Study #3</title>
<para>In this case study, we illustrate the application of the ucXception software fault injection tool to the Apache Web server [<link linkend="ch12bib44">44</link>]. The main idea is to have the Apache Web server installed, allowing the use of HTML and PHP pages. For this, along with specific typical configurations, we installed the Apache2 HTTP Server (version 2.4.12); the Apache Portable Runtime; Perl Compatible Regular Expressions (PCRE); and PHP: Hypertext Preprocessor (PHP5, including the package libapache2-mod-php5).</para>
<para>We are also using the APache eXtenSion tool (APXS), so that we can install new modules (e.g., patched modules) without the need to recompile the complete Apache server. As a result, APXS makes it possible to execute a large number of experiments in a reasonable amount of time. The experiments were carried out in a specific environment, with faults being injected mod_rewrite. The goal is to demonstrate that the fault injector tool really works and that the injected faults produce effects on the Apache Web Server.</para>
<para>To verify the integrity of the target environment after the injection of each fault we perform the following tests:</para>
<itemizedlist mark="bullet" spacing="normal">
<listitem>
<para><emphasis role="strong">Apache:</emphasis> This is the most basic test that should be done at Apache after installation and consists of sending an HTTP request to <emphasis>index.html</emphasis>. The response is normally a page with information about the Apache installation, with the string: &#x0201C;It works&#x0201D;;</para></listitem>
<listitem>
<para><emphasis role="strong">PHPInfo:</emphasis> This test is carried out to check the operation of PHP. It provides a large amount of information to the user, including configuration settings, PHP version, OS version;</para></listitem>
<listitem>
<para><emphasis role="strong">Out:</emphasis> Request holding parameters that will be shown at the response;</para></listitem>
<listitem>
<para><emphasis role="strong">PHPBench:</emphasis> Verify and measure the time that certain PHP functions take related with the manipulation of strings and arrays;.</para></listitem></itemizedlist>
</section>
<section class="lev2" id="sec12-4-4" label="12.4.4" xreflabel="12.4.4">
<title>Results for Case Study #3</title>
<para>In order to inject faults, our injection tool analyses the source code nodes to identify where each fault operator can be applied (as mentioned, all constraints associated with a particular fault emulation operator need to be valid at a particular location). After evaluating the code of the Apache module &#x0201C;mod_rewrite&#x0201D;, the tool identified 1474 locations in this component where faults could be injected. As previously mentioned, ucXception produces one patch file each time a software fault emulation operator is injected. Thus, the output of the tool is a set of patch files, each of which is applied to the original source code file in order to generate a version with the target program with the software fault. <link linkend="T12-6">Table <xref linkend="T12-6" remap="12.6"/></link> shows the number of patch files that the tool produced for mod_rewrite.</para>
<table-wrap position="float" id="T12-6">
<label><link linkend="T12-6">Table <xref linkend="T12-6" remap="12.6"/></link></label>
<caption><para>Number of patches for mod_rewrite</para></caption>
<table cellspacing="5" cellpadding="5" frame="hsides" rules="groups">
<thead>
<tr>
<td valign="bottom" align="left">Operator</td>
<td valign="bottom" align="center">MIFS</td>
<td valign="bottom" align="center">MLAC</td>
<td valign="bottom" align="center">MFC</td>
<td valign="bottom" align="center">MIA</td>
<td valign="bottom" align="center">MLOC</td>
<td valign="bottom" align="center">MLPA</td>
<td valign="bottom" align="center">MVAE</td>
<td valign="bottom" align="center">MVAV</td>
<td valign="bottom" align="center">MIEB</td>
<td valign="bottom" align="center">MVIV</td>
<td valign="bottom" align="center">WVAV</td>
<td valign="bottom" align="center">WAEP</td>
<td valign="bottom" align="center">WPFV</td>
<td valign="bottom" align="center">Total</td>
</tr>
</thead>
<tbody>
<tr>
<td valign="top" align="left">Nr. of Patches</td>
<td valign="top" align="center">239</td>
<td valign="top" align="center">79</td>
<td valign="top" align="center">162</td>
<td valign="top" align="center">260</td>
<td valign="top" align="center">41</td>
<td valign="top" align="center">526</td>
<td valign="top" align="center">25</td>
<td valign="top" align="center">15</td>
<td valign="top" align="center">54</td>
<td valign="top" align="center">14</td>
<td valign="top" align="center">24</td>
<td valign="top" align="center">34</td>
<td valign="top" align="center">1</td>
<td valign="top" align="center">1474</td>
</tr>
</tbody>
</table>
</table-wrap>
<para>It is important to refer that the number of patches created by the application of the MLPA operator is quite large, as it removes a small part of the algorithm, consisting of any combination of up to five function calls and/or statements. As a result, the application of this operator produced over one third of the patch files. Also, it is worth mentioning that only one patch was created through the application of operator WPFV. This operator consists of the replacement of a function parameter by another that must be of the same type. This restriction is related to the environment in which the fault is injected, since its lack could trigger compilation errors. Thus, the existence of only one patch is related to the need of the changed parameter to be exactly of the same type of the initial parameter. In C and C++ languages, developers typically create their own structures of a specific type, to be easier to represent the data in the application. Due to this, the types of variables used are quite different in a function and their number of occurrence is low.</para>
<para><emphasis role="strong">The injected faults produced anomalous effects in 213 trials, corresponding to 14.45% of injected faults</emphasis>. In our context, a fault has no effect whenever the output is equal to the one in a fault-free program. The fault has effect if there is no output, if the output is incorrect, or if the output is corrupted. In our experiments, the output refers to the HTTP responses received from the Apache web server. The number of experiments is a result of the constraints that need to be evaluated at each potential location in the code. If all the constraints of one operator are valid, then the operator will be applied.</para>
<para>The behaviors observed during the different tests were evaluated in three steps. In the first step we selected only unique behaviors, in the second step we analyzed and compared the selected behaviors to create a classification scheme, and in the final step, a script evaluated all the behaviors, one by one, through the classification. The behaviors observed were grouped in the following three categories (failure modes):</para><itemizedlist mark="bullet" spacing="normal">
<listitem>
<para><emphasis role="strong">Correct</emphasis>: The Web server shows a correct behavior;</para></listitem>
<listitem>
<para><emphasis role="strong">Wrong output</emphasis>: The Web server returns incorrect information, or no information at all;</para></listitem>
<listitem>
<para><emphasis role="strong">Apache error</emphasis>: Refers to the errors directly related with the behavior of apache2, such as bad request, not found with/without correct url, Internal Server Error, Ok, and Forbidden. After classifying each experiment, we further divided the initial set of Apache errors into 9 distinct categories, in order to understand, in a more comprehensive manner, the diverse failure modes of the Apache web server in the presence of software faults. <link linkend="T12-7">Table <xref linkend="T12-7" remap="12.7"/></link> shows each of the nine identified categories and their respective numeric reference.</para></listitem></itemizedlist>
<table-wrap position="float" id="T12-7">
<label><link linkend="T12-7">Table <xref linkend="T12-7" remap="12.7"/></link></label>
<caption><para>Types of observed behaviors</para></caption>
<table cellspacing="5" cellpadding="5" frame="hsides" rules="groups">
<thead>
<tr>
<td valign="bottom" align="left">#</td>
<td valign="bottom" align="left">Description</td>
</tr>
</thead>
<tbody>
<tr>
<td valign="top" align="left">1</td>
<td valign="top" align="left">Bad request</td>
</tr>
<tr>
<td valign="top" align="left">2</td>
<td valign="top" align="left">Empty</td>
</tr>
<tr>
<td valign="top" align="left">3</td>
<td valign="top" align="left">Forbidden</td></tr>
<tr>
<td valign="top" align="left">4</td>
<td valign="top" align="left">Found</td>
</tr>
<tr>
<td valign="top" align="left">5</td>
<td valign="top" align="left">Internal Server Error</td>
</tr>
<tr>
<td valign="top" align="left">6</td>
<td valign="top" align="left">Not found &#x02013; url OK</td>
</tr>
<tr>
<td valign="top" align="left">7</td>
<td valign="top" align="left">Not found &#x02013; wrong url</td>
</tr>
<tr>
<td valign="top" align="left">8</td>
<td valign="top" align="left">Apache error &#x02013; Ok</td>
</tr>
<tr>
<td valign="top" align="left">9</td>
<td valign="top" align="left">Wrong output</td></tr>
</tbody>
</table>
</table-wrap>
<para><link linkend="T12-8">Table <xref linkend="T12-8" remap="12.8"/></link> summarizes the results obtained during our experimental campaign, highlighting and counting the different anomalous behaviors found during the experiments. C, W, and A in the table, respectively correspond to Correct, Wrong output, and Apache error.</para>
<table-wrap position="float" id="T12-8">
<label><link linkend="T12-8">Table <xref linkend="T12-8" remap="12.8"/></link></label>
<caption><para>Results by behavior</para></caption>
<table cellspacing="5" cellpadding="5" frame="hsides" rules="groups">
<thead>
<tr>
<td valign="bottom" align="left">#</td>
<td valign="bottom" align="center">Apache</td>
<td valign="bottom" align="center">PHPInfo</td>
<td valign="bottom" align="center">Out</td>
<td valign="bottom" align="center">PHPBench</td>
<td valign="bottom" align="center">Number</td>
</tr>
</thead>
<tbody>
<tr>
<td valign="top" align="left">1</td>
<td valign="top" align="center">W</td>
<td valign="top" align="center">W</td>
<td valign="top" align="center">W</td>
<td valign="top" align="center">W</td>
<td valign="top" align="center">86</td></tr>
<tr>
<td valign="top" align="left">2</td>
<td valign="top" align="center">C</td>
<td valign="top" align="center">C</td>
<td valign="top" align="center">A</td>
<td valign="top" align="center">C</td>
<td valign="top" align="center">61</td>
</tr>
<tr>
<td valign="top" align="left">3</td>
<td valign="top" align="center">A</td>
<td valign="top" align="center">A</td>
<td valign="top" align="center">A</td>
<td valign="top" align="center">A</td>
<td valign="top" align="center">25</td>
</tr>
<tr>
<td valign="top" align="left">4</td>
<td valign="top" align="center">C</td>
<td valign="top" align="center">C</td>
<td valign="top" align="center">W</td>
<td valign="top" align="center">C</td>
<td valign="top" align="center">19</td>
</tr>
<tr>
<td valign="top" align="left">5</td>
<td valign="top" align="center">W</td>
<td valign="top" align="center">W</td>
<td valign="top" align="center">C</td>
<td valign="top" align="center">W</td>
<td valign="top" align="center">19</td>
</tr>
<tr>
<td valign="top" align="left">6</td>
<td valign="top" align="center">C</td>
<td valign="top" align="center">W</td>
<td valign="top" align="center">A</td>
<td valign="top" align="center">W</td>
<td valign="top" align="center">1</td>
</tr>
<tr>
<td valign="top" align="left">7</td>
<td valign="top" align="center">A</td>
<td valign="top" align="center">W</td>
<td valign="top" align="center">W</td>
<td valign="top" align="center">W</td>
<td valign="top" align="center">1</td>
</tr>
<tr>
<td valign="top" align="left">8</td>
<td valign="top" align="center">A</td>
<td valign="top" align="center">A</td>
<td valign="top" align="center">A</td>
<td valign="top" align="center">C</td>
<td valign="top" align="center">1</td></tr>
</tbody>
</table>
<table-wrap-foot>
<para>A, Apache Error; C, Correct; W, Wrong Output.</para>
</table-wrap-foot>
</table-wrap>
<para>We can see that even the basic Apache operation is affected by the introduced faults. However, there is no rule for rewriting of files when they are available in the directory, which is the case of Apache &#x0201C;It works!&#x0201D;.</para>
<para><link linkend="F12-3">Figure <xref linkend="F12-3" remap="12.3"/></link> shows the number of anomalous effects produced by patch type, and according to the type of test executed.</para>
<fig id="F12-3" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F12-3">Figure <xref linkend="F12-3" remap="12.3"/></link></label>
<caption><para>Anomalous effects by type of patch.</para></caption>
<graphic xlink:href="graphics/ch12_figN003.jpg"/>
</fig>
<para>It is quite visible in <link linkend="F12-3">Figure <xref linkend="F12-3" remap="12.3"/></link> that the operator that causes the most failures is MLPA, but this is a result of the relatively higher number of patch files created, as explained earlier. <link linkend="F12-4">Figure <xref linkend="F12-4" remap="12.4"/></link> shows a detailed view of the number of different effects observed during the tests, with respect to the different types of tests executed.</para>
<fig id="F12-4" position="float" xmlns:xlink="http://www.w3.org/1999/xlink">
<label><link linkend="F12-4">Figure <xref linkend="F12-4" remap="12.4"/></link></label>
<caption><para>Effects by behavior.</para></caption>
<graphic xlink:href="graphics/ch12_fig004new.jpg"/>
</fig>
<para>As we can see in <link linkend="F12-4">Figure <xref linkend="F12-4" remap="12.4"/></link>, the most frequent behavior is an <emphasis>Empty</emphasis> response, which occurs when the Apache web server responds with an empty HTML body. The remaining most frequent behaviors are <emphasis>Internal Server Error</emphasis> and <emphasis>Wrong output</emphasis>. There are 2 anomalous behaviors that occur with a quite low frequency, in particular <emphasis>Forbidden</emphasis> and a <emphasis>Not found - wrong url</emphasis> (having an absolute frequency of two and one, respectively). Internal server errors are sent by Web servers to signal errors occurring at the server-side, while a wrong output consists of an incorrect result being sent to the user in the HTML body.</para>
<para>As a side note, the results obtained in PHPInfo and PHPBench tests were similar. This occurs because the PHPInfo and the PHPBench tests are based in two pages with different PHP code, but the rewriting process for both is the same. Thus, these two tests involve the same principles, the same workflow in Apache. Regarding the results of tests with some parameters, we observed that four anomalous behaviors just occur in this test, <emphasis>Not found - url ok</emphasis>, <emphasis>Bad Request</emphasis>, <emphasis>OK</emphasis> and <emphasis>Found</emphasis>. As might be expected, these are the tests where there are more errors due to a greater use of module &#x0201C;mod_rewrite&#x0201D;. All the requests are rewritten, and the parameters are presented on a page in PHP.</para>
<para>The highest number of anomalous behaviors was observed during the <emphasis>Out</emphasis> test. Moreover, we should note that the error <emphasis>Not found - url ok</emphasis> occurs often. This behavior means that the request is done correctly, and received properly by the Apache server, but actually it is not rewritten correctly, and because there is no file with that name and in that directory, returns <emphasis>Not Found</emphasis>.</para>
<para>As a final note, in some cases, instead of obtaining the right result, it is possible to obtain the exact path where the HTML or PHP files are located, the <emphasis>DocumentRoot</emphasis> of Apache. This can be a serious security problem and it occurred with, for example, one application of operator <emphasis>MIEB</emphasis> and one of <emphasis>MIFS</emphasis>. There are also two cases, applying the operator <emphasis>MIA</emphasis>, where it is possible to see a page with PHP code, instead of the result of the execution of code. More than suggesting that a problem has occurred during the loading of the PHP module, it may represent a potential security problem, as a user will have access to internal code details. This also shows that a single fault introduced into the Apache module can affect the operation of other, as is the case of the PHP module.</para>
</section>
</section>
<section class="lev1" id="sec12-5" label="12.5" xreflabel="12.5">
<title>Conclusion</title>
<para>In this chapter, we presented a toolset, composed of three tools: <emphasis>wsrbench</emphasis> and <emphasis>PDInjector</emphasis>, for robustness testing of external and inner interfaces, respectively; and <emphasis>ucXception</emphasis> for the injection of software faults. The tools were described from a functional perspective and their use was illustrated in three case studies. In particular, <emphasis>wsrbench</emphasis> was used to assess the robustness of a set of web services used in a safety-critical environment, <emphasis>PDInjector</emphasis> was used to assess the robustness of a web application used in business-critical environments, and finally <emphasis>ucXception</emphasis> was used to inject software faults in the very popular web server Apache HTTP server. The tests disclosed several different failures, including bugs at the application-level and supporting middleware for database access (i.e., JPA implementation and the JDBC driver used) and also in the web server tested. Some of the issues found were related with security problems. In future work we intend to further integrate the tools and research ways of automating the tests, possibly resorting to machine learning algorithms to analyze the behavior of the systems being tested.</para>
</section>
<section class="lev1" id="sec12-6">
<title>References</title>
<orderedlist numeration="arabic" continuation="restarts" spacing="normal">
<listitem>
<para><anchor id="ch12bib1"/>Loshin, D. (2011). Evaluating Business Impacts of Poor Data Quality. <emphasis>Inform. Quality J.</emphasis> <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Loshin%2C+D%2E+%282011%29%2E+Evaluating+Business+Impacts+of+Poor+Data+Quality%2E+Inform%2E+Quality+J%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch12bib2"/>Lee, I., and Iyer, R. K. (1995). Software Dependability in the Tandem GUARDIAN System. <emphasis>IEEE Trans. Softw. Eng</emphasis>. 21, 455&#x02013;467. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Lee%2C+I%2E%2C+and+Iyer%2C+R%2E+K%2E+%281995%29%2E+Software+Dependability+in+the+Tandem+GUARDIAN+System%2E+IEEE+Trans%2E+Softw%2E+Eng%2E+21%2C+455-467%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch12bib3"/>Kalyanakrishnam, M., Kalbarczyk, Z., and Iyer, R. (1999). &#x0201C;Failure Data Analysis of a LAN of Windows NT Based Computers,&#x0201D; in <emphasis>Proceedings of the 18th IEEE Symposium on Reliable Distributed Systems</emphasis>, 178, IEEE Computer Society. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Kalyanakrishnam%2C+M%2E%2C+Kalbarczyk%2C+Z%2E%2C+and+Iyer%2C+R%2E+%281999%29%2E+%22Failure+Data+Analysis+of+a+LAN+of+Windows+NT+Based+Computers%2C%22+in+Proceedings+of+the+18th+IEEE+Symposium+on+Reliable+Distributed+Systems%2C+178%2C+IEEE+Computer+Society%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch12bib4"/>Rodr&#x000ED;guez, M., Albinet, A., and Arlat, J. (2002). &#x0201C;MAFALDA-RT: A Tool for Dependability Assessment of Real-Time Systems,&#x0201D; in <emphasis>The 2002 International Conference on Dependable Systems and Networks (DSN 2002)</emphasis>, 267&#x02013;272, IEEE Computer Society. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Rodr%EDguez%2C+M%2E%2C+Albinet%2C+A%2E%2C+and+Arlat%2C+J%2E+%282002%29%2E+%22MAFALDA-RT%3A+A+Tool+for+Dependability+Assessment+of+Real-Time+Systems%2C%22+in+The+2002+International+Conference+on+Dependable+Systems+and+Networks+%28DSN+2002%29%2C+267-272%2C+IEEE+Computer+Society%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch12bib5"/>Laranjeiro, N., Vieira, M., and Madeira, H. (2012). A Robustness Testing Approach for SOAP Web Services. <emphasis>JISA</emphasis> 3, 215&#x02013;232. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Laranjeiro%2C+N%2E%2C+Vieira%2C+M%2E%2C+and+Madeira%2C+H%2E+%282012%29%2E+A+Robustness+Testing+Approach+for+SOAP+Web+Services%2E+JISA+3%2C+215-232%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch12bib6"/>Weyuker, E.J. (1998). Testing component-based software: a cautionary tale. <emphasis>Softw. IEEE</emphasis> 15, 54&#x02013;59. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Weyuker%2C+E%2EJ%2E+%281998%29%2E+Testing+component-based+software%3A+a+cautionary+tale%2E+Softw%2E+IEEE+15%2C+54-59%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch12bib7"/>Koopman, P., and DeVale, J. (1999). &#x0201C;Comparing the robustness of POSIX operating systems,&#x0201D; in <emphasis>Twenty-Ninth Annual International Symposium on Fault-Tolerant Computing</emphasis>, 30&#x02013;37. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Koopman%2C+P%2E%2C+and+DeVale%2C+J%2E+%281999%29%2E+%22Comparing+the+robustness+of+POSIX+operating+systems%2C%22+in+Twenty-Ninth+Annual+International+Symposium+on+Fault-Tolerant+Computing%2C+30-37%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch12bib8"/>Rodr&#x000ED;guez, M., Salles, F., Fabre, J.-C., and Arlat, J. (1999). &#x0201C;MAFALDA: Microkernel Assessment by Fault Injection and Design Aid,&#x0201D; in <emphasis>The Third European Dependable Computing Conference on Dependable Computing</emphasis> (Berlin: Springer-Verlag), pp. 143&#x02013;160. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Rodr%EDguez%2C+M%2E%2C+Salles%2C+F%2E%2C+Fabre%2C+J%2E-C%2E%2C+and+Arlat%2C+J%2E+%281999%29%2E+%22MAFALDA%3A+Microkernel+Assessment+by+Fault+Injection+and+Design+Aid%2C%22+in+The+Third+European+Dependable+Computing+Conference+on+Dependable+Computing+%28Berlin%3A+Springer-Verlag%29%2C+pp%2E+143-160%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch12bib9"/>Laranjeiro, N., Nur Soydemir, S., and Bernardino, J. (2015). &#x0201C;A Survey on Data Quality: Classifying Poor Data,&#x0201D; in <emphasis>The 21st IEEE Pacific Rim International Symposium on Dependable Computing (PRDC 2015)</emphasis>, IEEE Computer Society, Zhangjiajie, China. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Laranjeiro%2C+N%2E%2C+Nur+Soydemir%2C+S%2E%2C+and+Bernardino%2C+J%2E+%282015%29%2E+%22A+Survey+on+Data+Quality%3A+Classifying+Poor+Data%2C%22+in+The+21st+IEEE+Pacific+Rim+International+Symposium+on+Dependable+Computing+%28PRDC+2015%29%2C+IEEE+Computer+Society%2C+Zhangjiajie%2C+China%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch12bib10"/>Antunes, J. and Neves, N. (2012). &#x0201C;Recycling Test Cases to Detect Security Vulnerabilities,&#x0201D; in <emphasis>IEEE 23rd International Symposium on Software Reliability Engineering (ISSRE 2012)</emphasis>, pp. 231&#x02013;240, IEEE Computer Society, Washington, DC, USA. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Antunes%2C+J%2E+and+Neves%2C+N%2E+%282012%29%2E+%22Recycling+Test+Cases+to+Detect+Security+Vulnerabilities%2C%22+in+IEEE+23rd+International+Symposium+on+Software+Reliability+Engineering+%28ISSRE+2012%29%2C+pp%2E+231-240%2C+IEEE+Computer+Society%2C+Washington%2C+DC%2C+USA%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch12bib11"/>Batini, C., Palmonari, M., Viscusi, G. (2014). Opening thande Closed World: A Survey of Information Quality Research in the Wild, in <emphasis>The Philosophy of Information Quality</emphasis> (Berlin: Springer International Publishing), 43&#x02013;73. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Batini%2C+C%2E%2C+Palmonari%2C+M%2E%2C+Viscusi%2C+G%2E+%282014%29%2E+Opening+thande+Closed+World%3A+A+Survey+of+Information+Quality+Research+in+the+Wild%2C+in+The+Philosophy+of+Information+Quality+%28Berlin%3A+Springer+International+Publishing%29%2C+43-73%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch12bib12"/>ISO/IEC (2008). <emphasis>Software engineering &#x02013; Software product Quality Requirements and Evaluation (SQuaRE) &#x02013; Data quality model. ISO/IEC.</emphasis> <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=ISO%2FIEC+%282008%29%2E+Software+engineering+-+Software+product+Quality+Requirements+and+Evaluation+%28SQuaRE%29+-+Data+quality+model%2E+ISO%2FIEC%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch12bib13"/><emphasis>SWEBOK V3 Guide IEEE Computer Society</emphasis>.</para></listitem>
<listitem>
<para><anchor id="ch12bib14"/>Ge, M. and Helfert, M. (2007). &#x0201C;A Review of Information Quality Research &#x02013; Develop a Research Agenda,&#x0201D; in <emphasis>12th International Conference on Information Quality</emphasis>, pp. 76&#x02013;91, Cambridge, MA, USA. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Ge%2C+M%2E+and+Helfert%2C+M%2E+%282007%29%2E+%22A+Review+of+Information+Quality+Research+-+Develop+a+Research+Agenda%2C%22+in+12th+International+Conference+on+Information+Quality%2C+pp%2E+76-91%2C+Cambridge%2C+MA%2C+USA%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch12bib15"/>Pipino, L. L., Lee, Y. W., and Wang, R. Y. (2002). Data quality assessment. <emphasis>Commun. ACM</emphasis> 45, 211&#x02013;218. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Pipino%2C+L%2E+L%2E%2C+Lee%2C+Y%2E+W%2E%2C+and+Wang%2C+R%2E+Y%2E+%282002%29%2E+Data+quality+assessment%2E+Commun%2E+ACM+45%2C+211-218%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch12bib16"/>Loshin, D. (2010). <emphasis>The practitioner&#x02019;s guide to data quality improvement</emphasis>. Burlington, MA: Morgan Kaufmann. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Loshin%2C+D%2E+%282010%29%2E+The+practitioner%27s+guide+to+data+quality+improvement%2E+Burlington%2C+MA%3A+Morgan+Kaufmann%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch12bib17"/>Quality, E. D. (2015). <emphasis>The data quality benchmark report</emphasis>. Experian Data Quality. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Quality%2C+E%2E+D%2E+%282015%29%2E+The+data+quality+benchmark+report%2E+Experian+Data+Quality%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch12bib18"/>Marsh, R. (2005). Drowning in dirty data It&#x02019;s time to sink or swim: A four-stage methodology for total data quality management. <emphasis>J. Database Market. Cust. Strat. Manage</emphasis>. 12, 105&#x02013;112. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Marsh%2C+R%2E+%282005%29%2E+Drowning+in+dirty+data+It%27s+time+to+sink+or+swim%3A+A+four-stage+methodology+for+total+data+quality+management%2E+J%2E+Database+Market%2E+Cust%2E+Strat%2E+Manage%2E+12%2C+105-112%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch12bib19"/>Caro, A., Calero, C., Mendes, E., and Piattini, M. (2007). A Probabilistic Approach to Web Portal&#x02019;s Data Quality Evaluation, in <emphasis>6th International Conference on the Quality of Information and Communications Technology, 2007, QUATIC 2007</emphasis> (New York, NY: IEEE). 143&#x02013;153. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Caro%2C+A%2E%2C+Calero%2C+C%2E%2C+Mendes%2C+E%2E%2C+and+Piattini%2C+M%2E+%282007%29%2E+A+Probabilistic+Approach+to+Web+Portal%27s+Data+Quality+Evaluation%2C+in+6th+International+Conference+on+the+Quality+of+Information+and+Communications+Technology%2C+2007%2C+QUATIC+2007+%28New+York%2C+NY%3A+IEEE%29%2E+143-153%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch12bib20"/>Xiaojuan, B., Shurong, N., Zhaolin, X., and Peng, C. (2008). Novel method for the evaluation of data quality based on fuzzy control. <emphasis>J. Syst. Eng. Electron</emphasis>. 19, 606&#x02013;610. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Xiaojuan%2C+B%2E%2C+Shurong%2C+N%2E%2C+Zhaolin%2C+X%2E%2C+and+Peng%2C+C%2E+%282008%29%2E+Novel+method+for+the+evaluation+of+data+quality+based+on+fuzzy+control%2E+J%2E+Syst%2E+Eng%2E+Electron%2E+19%2C+606-610%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch12bib21"/>Bergdahl, M., Ehling, M., Elvers, E., F&#x000F6;ldesi, E., K&#x000F6;rner, T., Kron, A., Lohau&#x000DF;, P., Mag, K., Morais, V., and Nimmergut, A. (2007). <emphasis>Handbook on Data Quality Assessment Methods and Tools</emphasis>, Wiesbaden.</para></listitem>
<listitem>
<para><anchor id="ch12bib22"/>Choi, O.-H., Lim, J.-E., Na, H.-S., Seong, K.-J., and Baik, D.-K. (2008). &#x0201C;An Efficient Method of Data Quality Evaluation Using Metadata Registry,&#x0201D; in <emphasis>Advanced Software Engineering and Its Applications, 2008, ASEA 2008</emphasis> (New York, NY: IEEE), 9&#x02013;12. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Choi%2C+O%2E-H%2E%2C+Lim%2C+J%2E-E%2E%2C+Na%2C+H%2E-S%2E%2C+Seong%2C+K%2E-J%2E%2C+and+Baik%2C+D%2E-K%2E+%282008%29%2E+%22An+Efficient+Method+of+Data+Quality+Evaluation+Using+Metadata+Registry%2C%22+in+Advanced+Software+Engineering+and+Its+Applications%2C+2008%2C+ASEA+2008+%28New+York%2C+NY%3A+IEEE%29%2C+9-12%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch12bib23"/>Galhardas, H., Florescu, D., and Shasha, D. (2001). &#x0201C;Declarative Data Cleaning: Language, Model, and Algorithms,&#x0201D; in In VLDB (New York, NY: IEEE), pp. 371&#x02013;380. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Galhardas%2C+H%2E%2C+Florescu%2C+D%2E%2C+and+Shasha%2C+D%2E+%282001%29%2E+%22Declarative+Data+Cleaning%3A+Language%2C+Model%2C+and+Algorithms%2C%22+in+In+VLDB+%28New+York%2C+NY%3A+IEEE%29%2C+pp%2E+371-380%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch12bib24"/>Haug, A., Zachariassen, F., Liempd, D. van (2011). The costs of poor data quality. <emphasis>J. Ind. Eng. Manage</emphasis>. 4. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Haug%2C+A%2E%2C+Zachariassen%2C+F%2E%2C+Liempd%2C+D%2E+van+%282011%29%2E+The+costs+of+poor+data+quality%2E+J%2E+Ind%2E+Eng%2E+Manage%2E+4%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch12bib25"/>Musial, E. and Chen, M.-H. (2012). &#x0201C;Effect of Data Validity on the Reliability of Data-centric Web Service,&#x0201D; in <emphasis>IEEE 19th International Conference onWeb Services (ICWS), 2012</emphasis>, Honolulu, HI, USA. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Musial%2C+E%2E+and+Chen%2C+M%2E-H%2E+%282012%29%2E+%22Effect+of+Data+Validity+on+the+Reliability+of+Data-centric+Web+Service%2C%22+in+IEEE+19th+International+Conference+onWeb+Services+%28ICWS%29%2C+2012%2C+Honolulu%2C+HI%2C+USA%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch12bib26"/>Ivaki, N., Laranjeiro, N., and Vieira, M. (2013). &#x0201C;Towards Evaluating the Impact of Data Quality on Service Applications,&#x0201D; in <emphasis>Workshop on Reliability and Security Data Analysis (RSDA 2013) co-located with The 43rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2013)</emphasis>, IEEE Computer Society, Budapest, Hungary. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Ivaki%2C+N%2E%2C+Laranjeiro%2C+N%2E%2C+and+Vieira%2C+M%2E+%282013%29%2E+%22Towards+Evaluating+the+Impact+of+Data+Quality+on+Service+Applications%2C%22+in+Workshop+on+Reliability+and+Security+Data+Analysis+%28RSDA+2013%29+co-located+with+The+43rd+Annual+IEEE%2FIFIP+International+Conference+on+Dependable+Systems+and+Networks+%28DSN+2013%29%2C+IEEE+Computer+Society%2C+Budapest%2C+Hungary%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch12bib27"/>Laranjeiro, N., Soydemir, S. N., and Bernardino, J. (2016). Testing Web Applications Using Poor Quality Data,&#x0201D; in <emphasis>Latin-American Symposium on Dependable Computing (LADC 2016)</emphasis>. IEEE Computer Society, Cali, Colombia.</para></listitem>
<listitem>
<para><anchor id="ch12bib28"/>Natella, R., Cotroneo, D., and Madeira, H. S. (2016). Assessing Dependability with Software Fault Injection: a Survey. <emphasis>ACM Comput. Surv</emphasis>. 48, 44:1&#x02013;44:55. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Natella%2C+R%2E%2C+Cotroneo%2C+D%2E%2C+and+Madeira%2C+H%2E+S%2E+%282016%29%2E+Assessing+Dependability+with+Software+Fault+Injection%3A+a+Survey%2E+ACM+Comput%2E+Surv%2E+48%2C+44%3A1-44%3A55%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch12bib29"/>Ng, W.T., and Chen, P.M. (2001). The Design and Verification of the Rio File Cache. <emphasis>IEEE Trans. Comput</emphasis>. 50, 322&#x02013;337. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Ng%2C+W%2ET%2E%2C+and+Chen%2C+P%2EM%2E+%282001%29%2E+The+Design+and+Verification+of+the+Rio+File+Cache%2E+IEEE+Trans%2E+Comput%2E+50%2C+322-337%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch12bib30"/>Voas, E., Charron, F., McGraw, G., Miller, K., and Friedman, M. (1997). Predicting how badly &#x0201C;good&#x0201D; software can behave. <emphasis>IEEE Softw</emphasis>. 14, 73&#x02013;83. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Voas%2C+E%2E%2C+Charron%2C+F%2E%2C+McGraw%2C+G%2E%2C+Miller%2C+K%2E%2C+and+Friedman%2C+M%2E+%281997%29%2E+Predicting+how+badly+%22good%22+software+can+behave%2E+IEEE+Softw%2E+14%2C+73-83%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch12bib31"/>Hiller, M., Jhumka, A., Suri, N. (2001). &#x0201C;An approach for analysing the propagation of data errors in software,&#x0201D; in <emphasis>2001 International Conference on Dependable Systems and Networks</emphasis> (New York, NY: IEEE), 161&#x02013;170. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Hiller%2C+M%2E%2C+Jhumka%2C+A%2E%2C+Suri%2C+N%2E+%282001%29%2E+%22An+approach+for+analysing+the+propagation+of+data+errors+in+software%2C%22+in+2001+International+Conference+on+Dependable+Systems+and+Networks+%28New+York%2C+NY%3A+IEEE%29%2C+161-170%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch12bib32"/>Natella, R., Cotroneo, D., Duraes, J. A., and Madeira, H.S. (2013). On Fault Representativeness of Software Fault Injection. <emphasis>IEEE Trans. Softw. Eng</emphasis>. 39, 80&#x02013;96. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Natella%2C+R%2E%2C+Cotroneo%2C+D%2E%2C+Duraes%2C+J%2E+A%2E%2C+and+Madeira%2C+H%2ES%2E+%282013%29%2E+On+Fault+Representativeness+of+Software+Fault+Injection%2E+IEEE+Trans%2E+Softw%2E+Eng%2E+39%2C+80-96%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch12bib33"/>Moraes, R., Duraes, J., Barbosa, R., Martins, E., and Madeira, H. (2007). &#x0201C;Experimental risk assessment and comparison using software fault injection,&#x0201D; in <emphasis>37th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN&#x02019;07)</emphasis> (New York, NY: IEEE), 512&#x02013;521. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Moraes%2C+R%2E%2C+Duraes%2C+J%2E%2C+Barbosa%2C+R%2E%2C+Martins%2C+E%2E%2C+and+Madeira%2C+H%2E+%282007%29%2E+%22Experimental+risk+assessment+and+comparison+using+software+fault+injection%2C%22+in+37th+Annual+IEEE%2FIFIP+International+Conference+on+Dependable+Systems+and+Networks+%28DSN%2707%29+%28New+York%2C+NY%3A+IEEE%29%2C+512-521%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch12bib34"/>Cerveira, F., Barbosa, R., Madeira, H., and Araujo, F. (2015). &#x0201C;Recovery for Virtualized Environments,&#x0201D; in <emphasis>2015 11th European Dependable Computing Conference (EDCC)</emphasis> (New York, NY: IEEE), pp. 25&#x02013;36.</para></listitem>
<listitem>
<para><anchor id="ch12bib35"/>Christmansson, J., and Chillarege, R. (1996). &#x0201C;Generation of an error set that emulates software faults based on field data,&#x0201D; in <emphasis>Proceedings of Annual Symposium on Fault Tolerant Computing</emphasis> (New York, NY: IEEE), 304&#x02013;313. IEEE. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Christmansson%2C+J%2E%2C+and+Chillarege%2C+R%2E+%281996%29%2E+%22Generation+of+an+error+set+that+emulates+software+faults+based+on+field+data%2C%22+in+Proceedings+of+Annual+Symposium+on+Fault+Tolerant+Computing+%28New+York%2C+NY%3A+IEEE%29%2C+304-313%2E+IEEE%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch12bib36"/>Dur&#x000E3;es, J. and Madeira, H. (2006). Emulation of software faults: a field data study and a practical approach. <emphasis>IEEE Trans. Softw. Eng</emphasis>. 32, 849&#x02013;867. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Dur%E3es%2C+J%2E+and+Madeira%2C+H%2E+%282006%29%2E+Emulation+of+software+faults%3A+a+field+data+study+and+a+practical+approach%2E+IEEE+Trans%2E+Softw%2E+Eng%2E+32%2C+849-867%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch12bib37"/>Moraes, R. L. de O., and Martins, E. (2003). &#x0201C;Jaca &#x02013; a software fault injection tool,&#x0201D; in <emphasis>Proceedings 2003 International Conference on Dependable Systems and Networks</emphasis> (New York, NY: IEEE), 667&#x02013;667. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Moraes%2C+R%2E+L%2E+de+O%2E%2C+and+Martins%2C+E%2E+%282003%29%2E+%22Jaca+-+a+software+fault+injection+tool%2C%22+in+Proceedings+2003+International+Conference+on+Dependable+Systems+and+Networks+%28New+York%2C+NY%3A+IEEE%29%2C+667-667%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch12bib38"/>Martins, E., Rubira, C. M. F., and Leme, N. G. M. (2002). &#x0201C;Jaca: a reflective fault injection tool based on patterns,&#x0201D; in <emphasis>Proceedings International Conference on Dependable Systems and Networks</emphasis> (New York, NY: IEEE), pp. 483&#x02013;487. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Martins%2C+E%2E%2C+Rubira%2C+C%2E+M%2E+F%2E%2C+and+Leme%2C+N%2E+G%2E+M%2E+%282002%29%2E+%22Jaca%3A+a+reflective+fault+injection+tool+based+on+patterns%2C%22+in+Proceedings+International+Conference+on+Dependable+Systems+and+Networks+%28New+York%2C+NY%3A+IEEE%29%2C+pp%2E+483-487%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch12bib39"/>Sanches, B. P., Basso, T., and Moraes, R. (2011). &#x0201C;J-SWFIT: A Java Software Fault Injection Tool,&#x0201D; in <emphasis>2011 5th Latin-American Symposium on Dependable Computing</emphasis> (New York, NY: ACM Library), pp. 106&#x02013;115. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Sanches%2C+B%2E+P%2E%2C+Basso%2C+T%2E%2C+and+Moraes%2C+R%2E+%282011%29%2E+%22J-SWFIT%3A+A+Java+Software+Fault+Injection+Tool%2C%22+in+2011+5th+Latin-American+Symposium+on+Dependable+Computing+%28New+York%2C+NY%3A+ACM+Library%29%2C+pp%2E+106-115%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch12bib40"/>Natella, R. (2011). <emphasis>Achieving Representative Faultloads in Software Fault Injection</emphasis>. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Natella%2C+R%2E+%282011%29%2E+Achieving+Representative+Faultloads+in+Software+Fault+Injection%2E" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch12bib41"/>Laranjeiro, N., Seyma, N. S., and Jorge, B. (2016) <emphasis>Poor Data Injector Toolset</emphasis>. Available at: <ulink url="http://eden.dei.uc.pt/&#x0223C;cnl/papers/2016-ladc.zip">http://eden.dei.uc.pt/&#x0223C;cnl/papers/2016-ladc.zip</ulink> <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Laranjeiro%2C+N%2E%2C+Seyma%2C+N%2E+S%2E%2C+and+Jorge%2C+B%2E+%282016%29+Poor+Data+Injector+Toolset%2E+Available+at%3A+http%3A%2F%2Feden%2Edei%2Euc%2Ept%2F&#x223C;cnl%2Fpapers%2F2016-ladc%2Ezip" target="_blank">Google Scholar</ulink></para></listitem>
<listitem>
<para><anchor id="ch12bib42"/>Martin, J. (1983). <emphasis>Managing the Data Base Environment</emphasis>. Upper Saddle River, NJ: Prentice Hall PTR.</para></listitem>
<listitem>
<para><anchor id="ch12bib43"/>PostgreSQL (2017). <emphasis>JDBC Driver &#x02013; GitHub</emphasis>. Available at: https://github. com/pgjdbc/pgjdbc/issues/369</para></listitem>
<listitem>
<para><anchor id="ch12bib44"/>Pereira, G., Barbosa, R., and Madeira, H. (2016). &#x0201C;Practical Emulation of Software Defects in Source Code,&#x0201D; in <emphasis>2016 12th European Dependable Computing Conference (EDCC)</emphasis>, Gothenburg, Sweden. <ulink url="https://scholar.google.com/scholar?hl=en&amp;q=Pereira%2C+G%2E%2C+Barbosa%2C+R%2E%2C+and+Madeira%2C+H%2E+%282016%29%2E+%22Practical+Emulation+of+Software+Defects+in+Source+Code%2C%22+in+2016+12th+European+Dependable+Computing+Conference+%28EDCC%29%2C+Gothenburg%2C+Sweden%2E" target="_blank">Google Scholar</ulink></para></listitem></orderedlist>
</section>
</chapter>
<chapter class="nosec" id="ch13">
<title>About the Editors</title>
<para><emphasis role="strong">Andrea Bondavalli</emphasis> is a Full Professor of Computer Science at the University of Firenze. Previously he has been a researcher and a senior researcher of the Italian National Research Council, working at the CNUCE Institute in Pisa. His research activity is focused on Dependability and Resilience of critical systems and infrastructures. In particular he has been working on safety, security, fault tolerance, evaluation of attributes such as reliability, availability and performability. His scientific activities have originated more than 220 papers appeared in international Journals and Conferences. Andrea Bondavalli supports as an expert the European Commission in the selection and evaluation of project proposals and regularly consultes companies in the application field. Andrea Bondavalli led various national and European projects such as the Italian MIUR PRIN &#x0201C;DOTS-LCCI&#x0201D; and &#x0201C;TENACE&#x0201D; and the European projects ESPRIT BRA 3092 PDCS, 6362 PDCS-2, ESPRIT 20716 GUARDS, ESPRIT 27439 HIDE, IST-FP6-STREP-26979 HIDENETS, TST5-CT-2006-031413 SAFEDMI e FP7 &#x02013; 216295 CA AMBER, FP7 SST-2008-234088 ALARP, the ARTEMIS-2012-1-333053 &#x0201C;CONCERTO&#x0201D;, the POR CReO 2007-2013, linea di intervento 1.5.a &#x02013; 1.6 &#x0201C;SECURE&#x0201D;, the FP7-ICT-2013-10-610535 &#x0201C;AMADEOS&#x0201D; (coordinator), the FP7-PEOPLE-2012-IAPP-324334 &#x0201C;CECRIS&#x0201D; (Coordinator) and the PIRSES-GA-2013-612569 &#x0201C;DEVASSES&#x0201D;. Andrea Bondavalli participates to (and has been chairing) the program committee in several International Conferences such as IEEE FTCS, IEEE SRDS, EDCC, IEEE HASE, IEEE ISORC, IEEE ISADS, IEEE DSN, SAFECOMP. He is the chair of the Steering Committees of IEEE SRDS and a member of the editorial board of the International Journal of Critical Computer-Based Systems. Andrea Bondavalli is a member of the IEEE, the IFIP W.G. 10.4 Working Group on &#x0201C;Dependable Computing and Fault-Tolerance&#x0201D;.</para>
<para><emphasis role="strong">Francesco Brancati</emphasis> took his Master degree in Computer Science at the University of Firenze in 2008 and his Ph.D. degree in Computer Science at the Resilient Computing Lab &#x02013; University of Firenze in 2012. His research activity mainly focused on adaptive and safe estimation of different sources of uncertainty to improve dependability of highly dynamic systems through online monitoring analysis. During his Ph.D. he participated in the national project DOTS-LCCI (Funded by MIUR) and in the European funded project FP7-STREP-234088 ALARP) where he was mainly involved within the Architecture Design WPs, and where he worked also as Resiltech on system integration activities. Currently he works at Resiltech as Innovation Manager and SW Solution Expert, he led ResilTech participation in AMADEOS (FP7-ICT-610535) and in the CECRIS (FP7-PEOPLE-IAPP-324334) projects and he is leading the participation in the STORM project (H2020-DRS-2015-700191).</para>
</chapter>
</book>
