Page 1: APPENDIX A – GLOSSARY - UGRatcproyectos.ugr.es/recomp/images/stories/deliverables/D2...shell and utilities interfaces, for software compatible with variants of the Unix operating

APPENDIX A – GLOSSARY

The following acronyms have been used in this document:

Acronym                Definition
ElinOS                 SysGo Linux-like operating system
Lime Concolic Tester   Lightweight formal Methods for distributed component-based Embedded systems
MCDC                   Modified Condition/Decision Coverage
PC                     Portable computer
POSIX                  "Portable Operating System Interface for Unix". POSIX is the name of a family of related standards that define the application programming interface (API), along with shell and utilities interfaces, for software compatible with variants of the Unix operating system.
QEMU                   QEMU is open source software that provides an interface to the target hardware on which the PikeOS and ElinOS operating systems can run, without the operating systems having to interface directly with the target hardware.
Rx                     Receiver
TAC                    Threaded Application Component
Tx                     Transmitter

APPENDIX B – TCA RESULT FOR THE AVIONICS DOMAIN

1 TCL DETAILS OF RECOMP TOOL CHAIN

This chapter has been generated from the formal tool chain model and contains all relevant information to determine the TCLs of the used tools. Table 1 shows the settings and Table 2 shows the active variants with which this document was generated. For further details of the report creation see section "Report Generation" of the User Manual.

Setting            Value
Compact Report     false
With Assumptions   true
Include Subsumes   true
Include Images     true

Table 1 Settings for this documentation

Page 2: APPENDIX A – GLOSSARY - UGRatcproyectos.ugr.es/recomp/images/stories/deliverables/D2...shell and utilities interfaces, for software compatible with variants of the Unix operating

Variant Settings
Active Variants: Avionic

Table 2 Variant Settings

The report starts with an overview of the analysis results, then describes each tool in detail, including TCL determination, and concludes with an appendix for further information.

ToolChain: RECOMP Tool Chain
Description: All models are integrated here
TCL Determination: TCL 3

Table 3 ToolChain: RECOMP Tool Chain

1.1 TCL RESULT OVERVIEW

Table 4 shows the result of the tool evaluation, particularly the tool confidence levels.

Name                             Tool Impact (TI)   Tool Detection (TD)   Tool Confidence Level (TCL)   Assumptions
Development                      TI 2 (Impact)      TD 3 (LOW)            TCL 3                         -
GEMDE Certification              TI 2 (Impact)      TD 1 (HIGH)           TCL 1                         -
Medini                           TI 2 (Impact)      TD 1 (HIGH)           TCL 1                         -
nuSMV Model Checker              TI 2 (Impact)      TD 1 (HIGH)           TCL 1                         -
Process Checker                  TI 2 (Impact)      TD 1 (HIGH)           TCL 1                         -
Simulink                         TI 2 (Impact)      TD 3 (LOW)            TCL 3                         1
Tecnalia Assurance Case Editor   TI 2 (Impact)      TD 1 (HIGH)           TCL 1                         -
Tool Chain Analyzer              TI 2 (Impact)      TD 3 (LOW)            TCL 3                         1
YICES SMT Solver                 TI 2 (Impact)      TD 1 (HIGH)           TCL 1                         -

Table 4 Evaluation Results of RECOMP Tool Chain

Fig 1 shows the error flow in the RECOMP Tool Chain. The number on each edge denotes the number of error flows between the tools. An error flow is a detection possibility or an avoidance possibility for an error. Note that for one error there may be several flows, hence the number of flows can be larger than the number of errors in the model. For example, the tool Tool Chain Analyzer contains 11 different errors in 19 occurrences. There are 7 error flows (detection or avoidance possibilities for error occurrences) into Tool Chain Analyzer: 7 error flows go into the Tool Chain Analyzer itself, i.e. they are avoided or detected by careful use of the tool. There are 2 from the Tool Chain Analyzer into the Process Checker, i.e. they are detected by the Process Checker.

Fig 1 Error Flow in RECOMP Tool Chain

1.2 DEVELOPMENT

This section explains the determination of the Tool Confidence Level (TCL) for the tool Development.


Tool: Development
Description: This is not a concrete tool but just a model of any development tool chain (including humans) that can cause different errors when producing source code.
Impact: TI 2 (Impact)
Tool Confidence Level: TCL 3

Table 5 Tool: Development

The tool Development is modeled with 5 elements which have impact, none of them are assumptions. No additional features have been modeled.

Elements           Amount (Assumptions)
Use Cases          1 (0)
Checks             0 (0)
Restrictions       0 (0)
Potential Errors   4 (0)

Table 6 Amount of Elements in Tool: Development

1.2.1 USE CASES OF DEVELOPMENT

This section describes all analyzed use cases of Development in separate subsections. The following use cases of the tool Development are considered:

1. Create Code, see Section 1.2.1.1

1.2.1.1 USE CASE CREATE CODE

This section describes the use case "Create Code".

UseCase: Create Code
Description: This is the use case of creating C code; it collects some potential errors that can be discovered by the test tool.

Table 7 UseCase: Create Code

The use case requires no features and calls no other use cases. The use case "Create Code" reads and/or writes the following artifacts. The used artifacts are shown in Fig 2 and are summarized in the subsequent table.


Fig 2 Artifacts of Use Case: Create Code

Artifacts of Use Case: Create Code
Outputs: C/C++ Source Code

Table 8 Artifacts of Use Case: Create Code

1.2.2 FEATURES OF DEVELOPMENT

There are no features modeled for Development.

1.2.3 POTENTIAL ERRORS IN DEVELOPMENT

The tool has 4 different potential errors in 4 occurrences in use cases. The error flow consists of all relations from errors to checks or restrictions. There are

• no relation from errors caused by other tools to checks or restrictions defined for use cases of this tool.

• no relation from errors caused by this tool to checks or restrictions defined for use cases of this tool.

• no relation from errors caused by this tool to checks or restrictions defined for use cases of other tools.

• 4 errors caused by this tool without any relation to checks or restrictions.

The following 4 error occurrences of Development have no relation to any check or restriction:

• Assertion Violation (Table 10)
• Dead Code (Table 11)
• Other Programing Error (Table 12)
• Runtime Error (Table 13)

1.2.4 RESTRICTIONS IN DEVELOPMENT

There are no restrictions in the tool Development.

1.2.5 CHECKS IN DEVELOPMENT

No checks are performed in the tool Development.


1.2.6 ASSUMPTIONS

The determination of the TCL of Development is not based on assumed checks and restrictions. None of the checks and restrictions are modeled as assumptions.

1.2.7 TCL DETERMINATION

This section determines a TCL for each use case by assigning checks or restrictions with detection/avoidance probability to each potential error. The TCL for the entire tool can be derived from the TCL for each use case. The tool Development has no use case with TCL 1, no use case with TCL 2 and one use case with TCL 3. Therefore the tool Development has TCL 3. The use cases are described in the following sections:

• For "Create Code" (TCL 3) see Section 1.2.7.1.

1.2.7.1 TCL DETERMINATION FOR USE CASE: CREATE CODE

The use case "Create Code" has TCL 3. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "Create Code".

Error                    TD           Table
Assertion Violation      TD 3 (LOW)   Table 10
Dead Code                TD 3 (LOW)   Table 11
Other Programing Error   TD 3 (LOW)   Table 12
Runtime Error            TD 3 (LOW)   Table 13

Table 9 Errors of Use Case: Create Code
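The two-level rule of Sections 1.2.7 and 1.2.7.1 (a use case takes the worst TD among its errors, a tool takes the worst TCL among its use cases), worked through in Python as an added example that is not code from the deliverable or from the Tool Chain Analyzer. It reproduces the Development and GEMDE Certification rows of Table 4 and also covers the mixed-TD and TI 1 cases the report does not show; the TI/TD to TCL mapping is the ISO 26262-8 tool classification table, and the TI 1 row, the "MEDIUM" label for TD 2 and the treatment of an uncovered error as TD 3 are assumptions.

```python
"""Added example (not code from the RECOMP deliverable or its Tool Chain
Analyzer): the two-level TCL determination described in Sections 1.2.7 and
1.2.7.1, run over the Development and GEMDE Certification tools."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# TD levels as the report labels them: 1 = HIGH, 3 = LOW probability that an
# error is detected or avoided. The MEDIUM label for TD 2 is an assumption.
TD_LABEL = {1: "HIGH", 2: "MEDIUM", 3: "LOW"}

# TI/TD -> TCL mapping of ISO 26262-8 (tool classification). The report only
# shows TI 2 rows; the TI 1 row (TCL 1 whatever the TD) is an assumption here.
TCL_TABLE = {
    (1, 1): 1, (1, 2): 1, (1, 3): 1,
    (2, 1): 1, (2, 2): 2, (2, 3): 3,
}


@dataclass
class PotentialError:
    name: str
    # TD of the check or restriction covering this error; None means the
    # error has no relation to any check or restriction (as in Table 9).
    td: Optional[int] = None

    def effective_td(self) -> int:
        # Assumption: an uncovered error counts as TD 3 (LOW), as Table 9 shows.
        return 3 if self.td is None else self.td


@dataclass
class UseCase:
    name: str
    errors: List[PotentialError] = field(default_factory=list)

    def worst_td(self) -> int:
        """Lowest detection probability, i.e. the highest TD number, among
        the use case's potential errors (the Section 1.2.7.1 rule)."""
        if not self.errors:
            raise ValueError(f"use case {self.name!r} has no modeled errors")
        return max(e.effective_td() for e in self.errors)


@dataclass
class Tool:
    name: str
    ti: int
    use_cases: List[UseCase]

    def use_case_tcl(self, uc: UseCase) -> int:
        return TCL_TABLE[(self.ti, uc.worst_td())]

    def tcl(self) -> int:
        """Tool TCL is the worst TCL of its use cases (the Section 1.2.7 rule)."""
        return max(self.use_case_tcl(uc) for uc in self.use_cases)

    def table4_row(self) -> Tuple[str, str, str, str]:
        """The tool's row in the style of Table 4."""
        td = max(uc.worst_td() for uc in self.use_cases)
        return (self.name, f"TI {self.ti} (Impact)",
                f"TD {td} ({TD_LABEL[td]})", f"TCL {self.tcl()}")


# Constructed from Tables 9 and 25/27/29 of the report: Development has one use
# case with four uncovered errors; GEMDE Certification has three use cases,
# each with one error detected at TD 1 by a manager check.
DEVELOPMENT = Tool("Development", ti=2, use_cases=[
    UseCase("Create Code", [
        PotentialError("Assertion Violation"),
        PotentialError("Dead Code"),
        PotentialError("Other Programing Error"),
        PotentialError("Runtime Error"),
    ]),
])

GEMDE = Tool("GEMDE Certification", ti=2, use_cases=[
    UseCase("Assessment view", [PotentialError("AssesmentIncorrect", td=1)]),
    UseCase("Quality view", [PotentialError("ModelIncorrectness", td=1)]),
    UseCase("Technical view", [PotentialError("ProjectIncorrectness", td=1)]),
])

if __name__ == "__main__":
    for tool in (DEVELOPMENT, GEMDE):
        print("  ".join(tool.table4_row()))
```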

Error: Assertion Violation
Description: The program contains assertions that can be violated under some conditions.
From use case: Create Code
Occurrences: in Create Code
Error View:


Table 10 Error: Assertion Violation

Error: Dead Code
Description: Code that is not reachable is called dead code.
From use case: Create Code
Occurrences: in Create Code
Error View:


Table 11 Error: Dead Code

Error: Other Programing Error
Description: Any other functional error that can be introduced into the code.
From use case: Create Code
Occurrences: in Create Code
Error View:


Table 12 Error: Other Programing Error

Error: Runtime Error
Description: A runtime error is an error that causes the program to crash during execution. This
From use case: Create Code
Occurrences: in Create Code
Error View:


Table 13 Error: Runtime Error

1.3 GEMDE CERTIFICATION

This section explains the determination of the Tool Confidence Level (TCL) for the tool GEMDE Certification.

Tool: GEMDE Certification
Description: Tool for certification support
Comment: This is just a supporting tool to gather all the certification documentation. It does not create running software or tests.
Impact: TI 2 (Impact)
Tool Confidence Level: TCL 1

Table 14 Tool: GEMDE Certification

The tool GEMDE Certification is modeled with 9 elements which have impact, none of them are assumptions. No additional features have been modeled.

Elements           Amount (Assumptions)
Use Cases          3 (0)
Checks             3 (0)
Restrictions       0 (0)
Potential Errors   3 (0)

Table 15 Amount of Elements in Tool: GEMDE Certification

1.3.1 USE CASES OF GEMDE CERTIFICATION

This section describes all analyzed use cases of GEMDE Certification in separate subsections. The following use cases of the tool GEMDE Certification are considered:

1. Assessment view, see Section 1.3.1.1
2. Quality view, see Section 1.3.1.2
3. Technical view, see Section 1.3.1.3


1.3.1.1 USE CASE ASSESSMENT VIEW

This section describes the use case "Assessment view".

UseCase: Assessment view
Description: Assessment or validation of the Qualification Project against the Qualification Reference

Table 16 UseCase: Assessment view

The use case requires no features and calls no other use cases. The use case "Assessment view" reads and/or writes the following artifacts. The used artifacts are shown in Fig 3 and are summarized in the subsequent table.

Fig 3 Artifacts of Use Case: Assessment view

Artifacts of Use Case: Assessment view
Inputs: ProjectModel, ReferenceModel
Outputs: No-Conformity metrics

Table 17 Artifacts of Use Case: Assessment view

1.3.1.2 USE CASE QUALITY VIEW

This section describes the use case "Quality view".

UseCase: Quality view
Description: Selection and definition of the Qualification Reference. Definition of the scope of the Qualification Reference

Table 18 UseCase: Quality view

The use case requires no features and calls no other use cases. The use case "Quality view" reads and/or writes the following artifacts. The used artifacts are shown in Fig 4 and are summarized in the subsequent table.


Fig 4 Artifacts of Use Case: Quality view

Artifacts of Use Case: Quality view
Inputs: StandardsRegulation
Outputs: ReferenceModel
Inputs & Outputs: ReferenceModel

Table 19 Artifacts of Use Case: Quality view

1.3.1.3 USE CASE TECHNICAL VIEW

This section describes the use case "Technical view".

UseCase: Technical view
Description: Definition of the Qualification Project and associated Qualification Reference

Table 20 UseCase: Technical view

The use case requires no features and calls 11 other use cases. Fig 5 shows the dependencies between the use cases and features.

Fig 5 Dependency View of Use Case: Technical view

"Technical view" calls the following use cases:

• Medini,Detailed architecture definition
• Medini,FHA Generation
• Medini,FMEA Generation
• Medini,FTA Generation
• Medini,Function allocation
• Medini,Generation HW Coverage
• Medini,HW/SW allocation
• Medini,Item Definition
• Medini,SW Architecture definition
• Medini,Safety goals definition
• Tecnalia Assurance Case Editor,Assurance Case edition

The use case "Technical view" reads and/or writes the following artifacts. The used artifacts are shown in Fig 6 and are summarized in the subsequent table.


Fig 6 Artifacts of Use Case: Technical view

Artifacts of Use Case: Technical view
Inputs:
• Detailed System Architecture
• Evidence
• FHA
• FMEA
• FTA
• Failure rate catalog
• Functionalities
• Malfunctions
• No-Conformity metrics
• Preliminary System Architecture
• ReferenceModel
• Safety Case
• Safety Goals List
• Safety Requirements
Outputs:
• ProjectModel

Table 21 Artifacts of Use Case: Technical view

1.3.2 FEATURES OF GEMDE CERTIFICATION

There are no features modeled for GEMDE Certification.

1.3.3 POTENTIAL ERRORS IN GEMDE CERTIFICATION

The tool has 3 different potential errors in 3 occurrences in use cases. The error flow, as can be seen in Fig 7, consists of all relations from errors to checks or restrictions. There are

• no relation from errors caused by other tools to checks or restrictions defined for use cases of this tool.

• 3 relations from errors caused by this tool to checks or restrictions defined for use cases of this tool.

• no relation from errors caused by this tool to checks or restrictions defined for use cases of other tools.

Fig 7 Error Flow to and from GEMDE Certification


GEMDE Certification has the following 3 relations, which are detected by checks or restrictions of this tool. The errors are described in detail in the TCL analysis of the corresponding use cases:

• AssesmentIncorrect (Table 26)
• ModelIncorrectness (Table 28)
• ProjectIncorrectness (Table 30)

1.3.4 RESTRICTIONS IN GEMDE CERTIFICATION

There are no restrictions in the tool GEMDE Certification.

1.3.5 CHECKS IN GEMDE CERTIFICATION

The following 3 checks are performed in the tool GEMDE Certification.

Check: QualityManagerChecks
Description: The Quality Manager checks the outputs before the final certification
From use case: GEMDE Certification,Assessment view
Occurrences: in Assessment view
Error detection probability: TD 1 (HIGH)
Detected errors: Assessment view,AssesmentIncorrect

Table 22 Check: QualityManagerChecks

Check: RegulationManagerChecks
Description: The Regulation Manager checks the model that gives the result
From use case: GEMDE Certification,Technical view
Occurrences: in Technical view
Error detection probability: TD 1 (HIGH)
Detected errors: Technical view,ProjectIncorrectness

Table 23 Check: RegulationManagerChecks

Check: TechnicalManagerChecks
Description: The Technical Manager checks every piece of evidence given as an input and the justification for the objectives
From use case: GEMDE Certification,Quality view
Occurrences: in Quality view
Error detection probability: TD 1 (HIGH)
Detected errors: Quality view,ModelIncorrectness

Table 24 Check: TechnicalManagerChecks

1.3.6 ASSUMPTIONS

The determination of the TCL of GEMDE Certification is not based on assumed checks and restrictions. None of the checks and restrictions are modeled as assumptions.

1.3.7 TCL DETERMINATION

This section determines a TCL for each use case by assigning checks or restrictions with detection/avoidance probability to each potential error. The TCL for the entire tool can be derived from the TCL for each use case. The tool GEMDE Certification has 3 use cases with TCL 1, no use case with TCL 2 and no use case with TCL 3. Therefore the tool GEMDE Certification has TCL 1. The use cases are described in the following sections:

• For "Assessment view" (TCL 1) see Section 1.3.7.1,
• for "Quality view" (TCL 1) see Section 1.3.7.2, and
• for "Technical view" (TCL 1) see Section 1.3.7.3.

1.3.7.1 TCL DETERMINATION FOR USE CASE: ASSESSMENT VIEW

The use case "Assessment view" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "Assessment view".

Error                TD            Table
AssesmentIncorrect   TD 1 (HIGH)   Table 26

Table 25 Errors of Use Case: Assessment view

Error: AssesmentIncorrect
Description: Lack of evidence, or the justifications are not correct
From use case: Assessment view
Discovered by the following checks: Assessment view.QualityManagerChecks
Occurrences: in Assessment view
Error View:


Table 26 Error: AssesmentIncorrect

1.3.7.2 TCL DETERMINATION FOR USE CASE: QUALITY VIEW

The use case "Quality view" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "Quality view".

Error                TD            Table
ModelIncorrectness   TD 1 (HIGH)   Table 28

Table 27 Errors of Use Case: Quality view

Error: ModelIncorrectness
Description: Model is not coherent with the standard
From use case: Quality view
Discovered by the following checks: Quality view.TechnicalManagerChecks
Occurrences: in Quality view
Error View:


Table 28 Error: ModelIncorrectness

1.3.7.3 TCL DETERMINATION FOR USE CASE: TECHNICAL VIEW

The use case "Technical view" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "Technical view".

Error                  TD            Table
ProjectIncorrectness   TD 1 (HIGH)   Table 30

Table 29 Errors of Use Case: Technical view

Error: ProjectIncorrectness
Description: The evidences do not support the certification objectives
From use case: Technical view
Discovered by the following checks: Technical view.RegulationManagerChecks
Occurrences: in Technical view
Error View:


Table 30 Error: ProjectIncorrectness

1.4 MEDINI

This section explains the determination of the Tool Confidence Level (TCL) for the tool Medini.

Tool: Medini
Description: Tool Medini Analyzer
Comment: The results are always reviewed by human experts. It generates neither the tests that should be addressed during the project, nor the software that should be tested.
Impact: TI 2 (Impact)
Tool Confidence Level: TCL 1

Table 31 Tool: Medini

The tool Medini is modeled with 65 elements which have impact, none of them are assumptions. No additional features have been modeled.

Elements           Amount (Assumptions)
Use Cases          10 (0)
Checks             20 (0)
Restrictions       14 (0)
Potential Errors   21 (0)

Table 32 Amount of Elements in Tool: Medini

1.4.1 USE CASES OF MEDINI

This section describes all analyzed use cases of Medini in separate subsections.


The following use cases of the tool Medini are considered:

1. Detailed architecture definition, see Section 1.4.1.1
2. FHA Generation, see Section 1.4.1.2
3. FMEA Generation, see Section 1.4.1.3
4. FTA Generation, see Section 1.4.1.4
5. Function allocation, see Section 1.4.1.5
6. Generation HW Coverage, see Section 1.4.1.6
7. HW/SW allocation, see Section 1.4.1.7
8. Item Definition, see Section 1.4.1.8
9. Safety goals definition, see Section 1.4.1.9
10. SW Architecture definition, see Section 1.4.1.10

1.4.1.1 USE CASE DETAILED ARCHITECTURE DEFINITION

This section describes the use case "Detailed architecture definition".

UseCase: Detailed architecture definition
Description: Detailed architecture definition

Table 33 UseCase: Detailed architecture definition

The use case requires no features and calls no other use cases. Use cases calling "Detailed architecture definition":

• GEMDE Certification,Technical view

The use case "Detailed architecture definition" reads and/or writes the following artifacts. The used artifacts are shown in Fig 8 and are summarized in the subsequent table.


Fig 8 Artifacts of Use Case: Detailed architecture definition

Artifacts of Use Case: Detailed architecture definition
Outputs: Detailed System Architecture
Inputs & Outputs: Detailed System Architecture

Table 34 Artifacts of Use Case: Detailed architecture definition

1.4.1.2 USE CASE FHA GENERATION

This section describes the use case "FHA Generation".

UseCase: FHA Generation
Description: FHA Generation

Table 35 UseCase: FHA Generation

The use case requires no features and calls no other use cases. Use cases calling "FHA Generation":

• GEMDE Certification,Technical view

The use case "FHA Generation" reads and/or writes the following artifacts. The used artifacts are shown in Fig 9 and are summarized in the subsequent table.


Fig 9 Artifacts of Use Case: FHA Generation

Artifacts of Use Case: FHA Generation
Outputs: FHA
Inputs & Outputs: FHA

Table 36 Artifacts of Use Case: FHA Generation

1.4.1.3 USE CASE FMEA GENERATION

This section describes the use case "FMEA Generation".

UseCase: FMEA Generation
Description: FMEA Generation

Table 37 UseCase: FMEA Generation

The use case requires no features and calls no other use cases. Use cases calling "FMEA Generation":

• GEMDE Certification,Technical view

In order to fulfill the requirements of the use case, usually a number of artifacts will be read and/or written. But in "FMEA Generation" the tool Medini uses no artifacts.

1.4.1.4 USE CASE FTA GENERATION

This section describes the use case "FTA Generation".

UseCase: FTA Generation
Description: FTA Generation

Table 38 UseCase: FTA Generation

The use case requires no features and calls no other use cases. Use cases calling "FTA Generation":

• GEMDE Certification,Technical view

In order to fulfill the requirements of the use case, usually a number of artifacts will be read and/or written. But in "FTA Generation" the tool Medini uses no artifacts.

1.4.1.5 USE CASE FUNCTION ALLOCATION

This section describes the use case "Function allocation".

UseCase: Function allocation
Description: Function allocation


Table 39 UseCase: Function allocation

The use case requires no features and calls no other use cases. Use cases calling "Function allocation":

• GEMDE Certification,Technical view

In order to fulfill the requirements of the use case, usually a number of artifacts will be read and/or written. But in "Function allocation" the tool Medini uses no artifacts.

1.4.1.6 USE CASE GENERATION HW COVERAGE

This section describes the use case "Generation HW Coverage".

UseCase: Generation HW Coverage
Description: Generation HW Coverage

Table 40 UseCase: Generation HW Coverage

The use case requires no features and calls no other use cases. Use cases calling "Generation HW Coverage":

• GEMDE Certification,Technical view

In order to fulfill the requirements of the use case, usually a number of artifacts will be read and/or written. But in "Generation HW Coverage" the tool Medini uses no artifacts.

1.4.1.7 USE CASE HW/SW ALLOCATION

This section describes the use case "HW/SW allocation".

UseCase: HW/SW allocation
Description: HW/SW allocation

Table 41 UseCase: HW/SW allocation

The use case requires no features and calls no other use cases. Use cases calling "HW/SW allocation":

• GEMDE Certification,Technical view

In order to fulfill the requirements of the use case, usually a number of artifacts will be read and/or written. But in "HW/SW allocation" the tool Medini uses no artifacts.

1.4.1.8 USE CASE ITEM DEFINITION

This section describes the use case "Item Definition".

UseCase: Item Definition
Description: Item Definition


Table 42 UseCase: Item Definition

The use case requires no features and calls no other use cases. Use cases calling "Item Definition":

• GEMDE Certification,Technical view

In order to fulfill the requirements of the use case, usually a number of artifacts will be read and/or written. But in "Item Definition" the tool Medini uses no artifacts.

1.4.1.9 USE CASE SAFETY GOALS DEFINITION

This section describes the use case "Safety goals definition".

UseCase: Safety goals definition
Description: Safety goals definition

Table 43 UseCase: Safety goals definition

The use case requires no features and calls no other use cases. Use cases calling "Safety goals definition":

• GEMDE Certification,Technical view

In order to fulfill the requirements of the use case, usually a number of artifacts will be read and/or written. But in "Safety goals definition" the tool Medini uses no artifacts.

1.4.1.10 USE CASE SW ARCHITECTURE DEFINITION

This section describes the use case "SW Architecture definition".

UseCase: SW Architecture definition
Description: SW Architecture definition

Table 44 UseCase: SW Architecture definition

The use case requires no features and calls one other use case. Fig 10 shows the dependencies between the use cases and features.

Fig 10 Dependency View of Use Case: SW Architecture definition

"SW Architecture definition" calls the following use cases:

• Simulink,Modelling Requirements

Use cases calling "SW Architecture definition":

• GEMDE Certification,Technical view

In order to fulfill the requirements of the use case, usually a number of artifacts will be read and/or written. But in "SW Architecture definition" the tool Medini uses no artifacts.


1.4.2 FEATURES OF MEDINI

There are no features modeled for Medini.

1.4.3 POTENTIAL ERRORS IN MEDINI

The tool has 21 different potential errors in 21 occurrences in use cases. The error flow, as can be seen in Fig 11, consists of all relations from errors to checks or restrictions. There are

• no relation from errors caused by other tools to checks or restrictions defined for use cases of this tool.

• 34 relations from errors caused by this tool to checks or restrictions defined for use cases of this tool.

• no relation from errors caused by this tool to checks or restrictions defined for use cases of other tools.

Fig 11 Error Flow to and from Medini

Medini has the following 21 potential errors, each covered by one or more of the 34 relations to checks or restrictions of this tool. The errors are described in detail in the TCL analysis of the corresponding use cases:

• 001-xxx is not traced with a Simulink port (Table 80)
• 002-xxx is safety related and has no safety goal assigned (Table 104)
• 003-xxx has no functional safety requirement specified (Table 105)
• 004-Safety goal has no FTA traced (Table 96)
• 005-xxx (safety req) has no unique identifier (Table 106)
• 006-Safety goal is not associated with a hazardous event (Table 85)
• 007-Architecture element has no name set (Table 81)
• 008-Port xxx is not connected (Table 82)
• 009-req is not correctly decomposed (Table 101)
• 010-xxx has no justification given for the estimated ranking of exposure for the ISO ASIL (Table 86)
• 011-xxx has failure modes with category 'no part' and failure modes with other categories (Table 90)
• 012-xxx ASIL does not match the ASIL of the associated goal (Table 87)
• 013-Hazard has no item traced (Table 88)
• 014-xxx has an invalid ASIL. ASIL has to be the same or higher than that of the goals it contributes to (Table 102)
• 015-FTA model has a loop due to transfer gates (Table 97)
• 016-The decomposing requirement xxx is allocated to the same architecture or software element as its neighbour (Table 99)
• 017-Name of xxx is different from corresponding system architecture element(s): yyy (Table 91)
• 018-xxx has no corresponding architecture element in any of the architecture model(s): yyy (Table 92)
• 019-xxx has no corresponding architecture element in the derived worksheet(s): yyy (Table 93)
• 020-xxx does not have the same failure modes as corresponding architecture element(s): yyy (Table 94)
• 021-Assessment or validation of the Qualification Project against the Qualification Reference (Table 83)

1.4.4 RESTRICTIONS IN MEDINI

The tool Medini must only be used with the following restrictions.

Restriction: 001-All system architecture ports traced with Simulink
Description: 001-All system architecture ports traced with Simulink
From use case: Medini, Detailed architecture definition
Error avoidance probability: TD 1 (HIGH)
Occurrences: in Detailed architecture definition
Avoided errors: Detailed architecture definition, 001-xxx is not traced with a Simulink port

Table 45 Restriction: 001-All system architecture ports traced with Simulink

Restriction: 002-All hazardous events assigned to a safety goal
Description: 002-All hazardous events assigned to a safety goal
From use case: Medini, Safety goals definition
Error avoidance probability: TD 1 (HIGH)
Occurrences: in Safety goals definition
Avoided errors: Safety goals definition, 002-xxx is safety related and has no safety goal assigned

Table 46 Restriction: 002-All hazardous events assigned to a safety goal

Restriction: 003-For each safety goal at least one safety requirement exists
Description: 003-For each safety goal at least one safety requirement exists
From use case: Medini, Safety goals definition
Error avoidance probability: TD 1 (HIGH)
Occurrences: in Safety goals definition
Avoided errors: Safety goals definition, 003-xxx has no functional safety requirement specified

Table 47 Restriction: 003-For each safety goal at least one safety requirement exists

Restriction: 004-All safety goals traced with FTA
Description: 004-All safety goals traced with FTA
From use case: Medini, FTA Generation
Error avoidance probability: TD 1 (HIGH)
Occurrences: in FTA Generation
Avoided errors: FTA Generation, 004-Safety goal has no FTA traced

Table 48 Restriction: 004-All safety goals traced with FTA

Restriction: 005-A unique safety requirement identifier exists
Description: 005-A unique safety requirement identifier exists
From use case: Medini, Safety goals definition
Error avoidance probability: TD 1 (HIGH)
Occurrences: in Safety goals definition
Avoided errors: Safety goals definition, 005-xxx (safety req) has no unique identifier

Table 49 Restriction: 005-A unique safety requirement identifier exists

Restriction: 006-All safety goals associated with a hazardous event
Description: 006-All safety goals associated with a hazardous event
From use case: Medini, FHA Generation
Error avoidance probability: TD 1 (HIGH)
Occurrences: in FHA Generation
Avoided errors: FHA Generation, 006-Safety goal is not associated with a hazardous event

Table 50 Restriction: 006-All safety goals associated with a hazardous event

Restriction: 007-Each system architecture element is named
Description: 007-Each system architecture element is named
From use case: Medini, Detailed architecture definition
Error avoidance probability: TD 1 (HIGH)
Occurrences: in Detailed architecture definition
Avoided errors: Detailed architecture definition, 007-Architecture element has no name set

Table 51 Restriction: 007-Each system architecture element is named

Restriction: 008-All ports are connected
Description: 008-All ports are connected
From use case: Medini, Detailed architecture definition
Error avoidance probability: TD 1 (HIGH)
Occurrences: in Detailed architecture definition
Avoided errors: Detailed architecture definition, 008-Port xxx is not connected

Table 52 Restriction: 008-All ports are connected

Restriction: 009-Validation of decomposition
Description: 009-Validation of decomposition
From use case: Medini, HW/SW allocation
Error avoidance probability: TD 1 (HIGH)
Occurrences: in HW/SW allocation
Avoided errors: HW/SW allocation, 009-req is not correctly decomposed

Table 53 Restriction: 009-Validation of decomposition

Restriction: 012-Hazard and goal ASIL must be the same
Description: 012-Hazard and goal ASIL must be the same
From use case: Medini, FHA Generation
Error avoidance probability: TD 1 (HIGH)
Occurrences: in FHA Generation
Avoided errors: FHA Generation, 012-xxx ASIL does not match the ASIL of the associated goal

Table 54 Restriction: 012-Hazard and goal ASIL must be the same

Restriction: 013-All hazard models traced to an item
Description: 013-All hazard models traced to an item
From use case: Medini, FHA Generation
Error avoidance probability: TD 1 (HIGH)
Occurrences: in FHA Generation
Avoided errors: FHA Generation, 013-Hazard has no item traced

Table 55 Restriction: 013-All hazard models traced to an item

Restriction: 014-All safety requirements SIL >= safety goal SIL
Description: 014-All safety requirements SIL >= safety goal SIL
From use case: Medini, HW/SW allocation
Error avoidance probability: TD 1 (HIGH)
Occurrences: in HW/SW allocation
Avoided errors: HW/SW allocation, 014-xxx has an invalid ASIL. ASIL has to be the same or higher than that of the goals it contributes to

Table 56 Restriction: 014-All safety requirements SIL >= safety goal SIL

Restriction: 015-FTA does not contain loops
Description: 015-FTA does not contain loops
From use case: Medini, FTA Generation
Error avoidance probability: TD 1 (HIGH)
Occurrences: in FTA Generation
Avoided errors: FTA Generation, 015-FTA model has a loop due to transfer gates

Table 57 Restriction: 015-FTA does not contain loops

Restriction: 021-Failure mode names must be consistent for each diagram/table
Description: 021-Failure mode names must be consistent for each diagram/table
From use case: Medini, Detailed architecture definition
Error avoidance probability: TD 1 (HIGH)
Occurrences: in Detailed architecture definition
Avoided errors: Detailed architecture definition, 021-Assessment or validation of the Qualification Project against the Qualification Reference

Table 58 Restriction: 021-Failure mode names must be consistent for each diagram/table

1.4.5 CHECKS IN MEDINI

The following 20 checks are performed in the tool Medini.

Check: 001-Trace architecture port - Simulink
Description: Checks if each system architecture port is traced with a Simulink port
From use case: Medini, Detailed architecture definition
Occurrences: in Detailed architecture definition
Error detection probability: TD 1 (HIGH)
Detected errors: Detailed architecture definition, 001-xxx is not traced with a Simulink port

Table 59 Check: 001-Trace architecture port - Simulink

Check: 002-Link hazard - safety goal
Description: Checks if each safety-related hazardous event has a safety goal assigned
From use case: Medini, Safety goals definition
Occurrences: in Safety goals definition
Error detection probability: TD 1 (HIGH)
Detected errors: Safety goals definition, 002-xxx is safety related and has no safety goal assigned

Table 60 Check: 002-Link hazard - safety goal

Check: 003-Checks if for each safety goal at least one functional safety requirement is specified
Description: 003-Checks if for each safety goal at least one functional safety requirement is specified
From use case: Medini, Safety goals definition
Occurrences: in Safety goals definition
Error detection probability: TD 1 (HIGH)
Detected errors: Safety goals definition, 003-xxx has no functional safety requirement specified

Table 61 Check: 003-Checks if for each safety goal at least one functional safety requirement is specified

Check: 004-Checks if each safety goal has an FTA traced
Description: 004-Checks if each safety goal has an FTA traced
From use case: Medini, FTA Generation
Occurrences: in FTA Generation
Error detection probability: TD 1 (HIGH)
Detected errors: FTA Generation, 004-Safety goal has no FTA traced

Table 62 Check: 004-Checks if each safety goal has an FTA traced

Check: 005-Checks if every safety requirement has a unique identifier
Description: 005-Checks if every safety requirement has a unique identifier
From use case: Medini, Safety goals definition
Occurrences: in Safety goals definition
Error detection probability: TD 1 (HIGH)
Detected errors: Safety goals definition, 005-xxx (safety req) has no unique identifier

Table 63 Check: 005-Checks if every safety requirement has a unique identifier

Check: 006-Checks if each safety goal is associated with a hazardous event
Description: 006-Checks if each safety goal is associated with a hazardous event
From use case: Medini, FHA Generation
Occurrences: in FHA Generation
Error detection probability: TD 1 (HIGH)
Detected errors: FHA Generation, 006-Safety goal is not associated with a hazardous event

Table 64 Check: 006-Checks if each safety goal is associated with a hazardous event

Check: 007-Checks if each system architecture element has a name set (except for connectors)
Description: 007-Checks if each system architecture element has a name set (except for connectors)
From use case: Medini, Detailed architecture definition
Occurrences: in Detailed architecture definition
Error detection probability: TD 1 (HIGH)
Detected errors: Detailed architecture definition, 007-Architecture element has no name set

Table 65 Check: 007-Checks if each system architecture element has a name set (except for connectors)

Check: 008-Checks if each system architecture port is connected
Description: 008-Checks if each system architecture port is connected
From use case: Medini, Detailed architecture definition
Occurrences: in Detailed architecture definition
Error detection probability: TD 1 (HIGH)
Detected errors: Detailed architecture definition, 008-Port xxx is not connected

Table 66 Check: 008-Checks if each system architecture port is connected

Check: 009-Checks if a valid decomposition has been applied
Description: 009-Checks if a valid decomposition has been applied
From use case: Medini, HW/SW allocation
Occurrences: in HW/SW allocation
Error detection probability: TD 1 (HIGH)
Detected errors: HW/SW allocation, 009-req is not correctly decomposed

Table 67 Check: 009-Checks if a valid decomposition has been applied

Check: 010-Checks that each ranking of exposure from E0 to E2 has a justification given for the estimation
Description: 010-Checks that each ranking of exposure from E0 to E2 has a justification given for the estimation
From use case: Medini, FHA Generation
Occurrences: in FHA Generation
Error detection probability: TD 1 (HIGH)
Detected errors: FHA Generation, 010-xxx has no justification given for the estimated ranking of exposure for the ISO ASIL

Table 68 Check: 010-Checks that each ranking of exposure from E0 to E2 has a justification given for the estimation

Check: 011-Checks that either all failure modes of an FMEA component xxx have category 'no part' or none
Description: 011-Checks that either all failure modes of an FMEA component xxx have category 'no part' or none
From use case: Medini, FMEA Generation
Occurrences: in FMEA Generation
Error detection probability: TD 1 (HIGH)
Detected errors: FMEA Generation, 011-xxx has failure modes with category 'no part' and failure modes with other categories

Table 69 Check: 011-Checks that either all failure modes of an FMEA component xxx have category 'no part' or none

Check: 012-Checks that the ASIL of a hazard matches the ASIL of an associated goal
Description: 012-Checks that the ASIL of a hazard matches the ASIL of an associated goal
From use case: Medini, FHA Generation
Occurrences: in FHA Generation
Error detection probability: TD 1 (HIGH)
Detected errors: FHA Generation, 012-xxx ASIL does not match the ASIL of the associated goal

Table 70 Check: 012-Checks that the ASIL of a hazard matches the ASIL of an associated goal

Check: 013-Checks that each hazard model is traced to an item
Description: 013-Checks that each hazard model is traced to an item
From use case: Medini, FHA Generation
Occurrences: in FHA Generation
Error detection probability: TD 1 (HIGH)
Detected errors: FHA Generation, 013-Hazard has no item traced

Table 71 Check: 013-Checks that each hazard model is traced to an item

Check: 014-Checks if safety requirements have the same or higher ASIL than the goals they contribute to
Description: 014-Checks if safety requirements have the same or higher ASIL than the goals they contribute to
From use case: Medini, HW/SW allocation
Occurrences: in HW/SW allocation
Error detection probability: TD 1 (HIGH)
Detected errors: HW/SW allocation, 014-xxx has an invalid ASIL. ASIL has to be the same or higher than that of the goals it contributes to

Table 72 Check: 014-Checks if safety requirements have the same or higher ASIL than the goals they contribute to

Check: 016-Checks that no decomposing requirement is allocated to the same architecture or software element as its neighbour
Description: 016-Checks that no decomposing requirement is allocated to the same architecture or software element as its neighbour
From use case: Medini, Function allocation
Occurrences: in Function allocation
Error detection probability: TD 1 (HIGH)
Detected errors: Function allocation, 016-The decomposing requirement xxx is allocated to the same architecture or software element as its neighbour

Table 73 Check: 016-Checks that no decomposing requirement is allocated to the same architecture or software element as its neighbour

Check: 017-Checks for name differences between FMEA components and corresponding system architecture elements
Description: 017-Checks for name differences between FMEA components and corresponding system architecture elements
From use case: Medini, FMEA Generation
Occurrences: in FMEA Generation
Error detection probability: TD 1 (HIGH)
Detected errors: FMEA Generation, 017-Name of xxx is different from corresponding system architecture element(s): yyy

Table 74 Check: 017-Checks for name differences between FMEA components and corresponding system architecture elements

Check: 018-Checks that all FMEA components have counterparts in at least one system architecture the worksheet is derived from
Description: 018-Checks that all FMEA components have counterparts in at least one system architecture the worksheet is derived from
From use case: Medini, FMEA Generation
Occurrences: in FMEA Generation
Error detection probability: TD 1 (HIGH)
Detected errors: FMEA Generation, 018-xxx has no corresponding architecture element in any of the architecture model(s): yyy

Table 75 Check: 018-Checks that all FMEA components have counterparts in at least one system architecture the worksheet is derived from

Check: 019-Checks that all system architecture parts have counterparts in the derived FMEA worksheets
Description: 019-Checks that all system architecture parts have counterparts in the derived FMEA worksheets
From use case: Medini, FMEA Generation
Occurrences: in FMEA Generation
Error detection probability: TD 1 (HIGH)
Detected errors: FMEA Generation, 019-xxx has no corresponding architecture element in the derived worksheet(s): yyy

Table 76 Check: 019-Checks that all system architecture parts have counterparts in the derived FMEA worksheets

Check: 020-Checks for consistency between failure modes of FMEA components and related system architecture elements
Description: 020-Checks for consistency between failure modes of FMEA components and related system architecture elements
From use case: Medini, FMEA Generation
Occurrences: in FMEA Generation
Error detection probability: TD 1 (HIGH)
Detected errors: FMEA Generation, 020-xxx does not have the same failure modes as corresponding architecture element(s): yyy

Table 77 Check: 020-Checks for consistency between failure modes of FMEA components and related system architecture elements

Check: 021-Checks for name consistency between failure modes
Description: 021-Checks for name consistency between failure modes
From use case: Medini, Detailed architecture definition
Occurrences: in Detailed architecture definition
Error detection probability: TD 1 (HIGH)
Detected errors: Detailed architecture definition, 021-Assessment or validation of the Qualification Project against the Qualification Reference

Table 78 Check: 021-Checks for name consistency between failure modes

1.4.6 ASSUMPTIONS

The determination of the TCL of Medini is not based on assumed checks and restrictions. None of the checks and restrictions are modeled as assumptions.

1.4.7 TCL DETERMINATION

This section determines a TCL for each use case by assigning checks or restrictions with detection/avoidance probability to each potential error. The TCL for the entire tool can be derived from the TCL for each use case. The tool Medini has 10 use cases with TCL 1, no use case with TCL 2 and no use case with TCL 3. Therefore the tool Medini has TCL 1. The use cases are described in the following sections:

• For "Detailed architecture definition" (TCL 1) see Section 1.4.7.1,
• for "FHA Generation" (TCL 1) see Section 1.4.7.2,
• for "FMEA Generation" (TCL 1) see Section 1.4.7.3,
• for "FTA Generation" (TCL 1) see Section 1.4.7.4,
• for "Function allocation" (TCL 1) see Section 1.4.7.5,
• for "Generation HW Coverage" (TCL 1) see Section 1.4.7.6,
• for "HW/SW allocation" (TCL 1) see Section 1.4.7.7,
• for "Item Definition" (TCL 1) see Section 1.4.7.8,
• for "Safety goals definition" (TCL 1) see Section 1.4.7.9, and
• for "SW Architecture definition" (TCL 1) see Section 1.4.7.10.
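The counting rule of section 1.4.3 (relations from errors to checks or restrictions) and the TCL rule above (a use case takes the worst TD among its errors, the tool takes the worst TCL among its use cases) are simple enough to model in a few lines. The following script is an added example and is not part of the RECOMP deliverable or the Medini tool chain model; its relation data is constructed from the Medini tables in this chapter (21 errors, 20 checks, 14 restrictions, all TD 1, hence 34 relations). Four things it assumes that the report does not state explicitly: a use case with no modelled errors gets TCL 1; the effective TD of an error is the best (lowest-numbered) measure covering it; an error with neither check nor restriction gets TD 3; and TCL follows TD directly (TD 1 to TCL 1, TD 2 to TCL 2, TD 3 to TCL 3), i.e. tool impact TI 2 is presumed.

```python
"""Added example (not RECOMP or Medini tool-chain code): error flow counting and
TCL determination as described in sections 1.4.3 and 1.4.7 of the report.

Constructed data: the Medini errors, checks and restrictions listed in this chapter.
Assumptions (not stated by the report): a use case without errors is TCL 1; an error's
effective TD is the best measure covering it; an uncovered error is TD 3; TCL = worst TD
(TI 2 presumed).
"""
from dataclasses import dataclass

TOOL = "Medini"


@dataclass(frozen=True)
class Relation:
    """One edge of the error flow: a check or restriction covering a potential error."""
    error: str         # error id, e.g. "001"
    error_tool: str    # tool whose use case may produce the error
    measure: str       # "check" or "restriction"
    measure_tool: str  # tool whose use case defines the check/restriction
    td: int            # 1 = HIGH, 2 = MEDIUM, 3 = LOW detection/avoidance probability


# Error id -> use case in which it can occur (constructed from Tables 79, 84, 89, 95
# and the restriction/check tables of this chapter).
ERROR_USE_CASE = {
    "001": "Detailed architecture definition", "007": "Detailed architecture definition",
    "008": "Detailed architecture definition", "021": "Detailed architecture definition",
    "006": "FHA Generation", "010": "FHA Generation", "012": "FHA Generation", "013": "FHA Generation",
    "011": "FMEA Generation", "017": "FMEA Generation", "018": "FMEA Generation",
    "019": "FMEA Generation", "020": "FMEA Generation",
    "004": "FTA Generation", "015": "FTA Generation",
    "016": "Function allocation",
    "009": "HW/SW allocation", "014": "HW/SW allocation",
    "002": "Safety goals definition", "003": "Safety goals definition", "005": "Safety goals definition",
}
# The three use cases without modelled errors still count towards the tool's TCL.
USE_CASES = sorted(set(ERROR_USE_CASE.values())
                   | {"Generation HW Coverage", "Item Definition", "SW Architecture definition"})

CHECKS = {f"{n:03d}" for n in range(1, 22) if n != 15}                  # 20 checks; 015 has none
RESTRICTIONS = {f"{n:03d}" for n in (1, 2, 3, 4, 5, 6, 7, 8, 9, 12, 13, 14, 15, 21)}  # 14 restrictions

RELATIONS = ([Relation(e, TOOL, "check", TOOL, 1) for e in sorted(CHECKS)]
             + [Relation(e, TOOL, "restriction", TOOL, 1) for e in sorted(RESTRICTIONS)])


def error_flow(relations, tool):
    """Count relations as section 1.4.3 does: (from other tools, internal, to other tools)."""
    incoming = sum(r.error_tool != tool and r.measure_tool == tool for r in relations)
    internal = sum(r.error_tool == tool and r.measure_tool == tool for r in relations)
    outgoing = sum(r.error_tool == tool and r.measure_tool != tool for r in relations)
    return incoming, internal, outgoing


def error_td(relations, error):
    """Effective TD of one error: best measure covering it, TD 3 if nothing covers it (assumption)."""
    tds = [r.td for r in relations if r.error == error]
    return min(tds) if tds else 3


def use_case_tcl(relations, error_use_case, use_case):
    """TCL of a use case: the worst TD among its errors; TCL 1 when it has none (assumption)."""
    errors = [e for e, uc in error_use_case.items() if uc == use_case]
    return max(error_td(relations, e) for e in errors) if errors else 1


def tool_tcl(relations, error_use_case, use_cases):
    """TCL of the whole tool: the worst TCL among its use cases."""
    return max(use_case_tcl(relations, error_use_case, uc) for uc in use_cases)


def uncovered_errors(relations, error_use_case):
    """Errors that no check or restriction reaches; these are what drag a tool to TCL 3."""
    covered = {r.error for r in relations}
    return sorted(e for e in error_use_case if e not in covered)


def drop_measure(relations, error, measure):
    """Remove one check or restriction, e.g. when a project disables it or it is not used."""
    return [r for r in relations if not (r.error == error and r.measure == measure)]


if __name__ == "__main__":
    print("error flow (in, internal, out):", error_flow(RELATIONS, TOOL))
    for uc in USE_CASES:
        print(f"{uc}: TCL {use_case_tcl(RELATIONS, ERROR_USE_CASE, uc)}")
    print("tool TCL:", tool_tcl(RELATIONS, ERROR_USE_CASE, USE_CASES))
    # Error 010 is covered only by check 010 (no restriction). Disabling that one check
    # leaves the error undetected and the whole tool falls to TCL 3.
    reduced = drop_measure(RELATIONS, "010", "check")
    print("uncovered after dropping check 010:", uncovered_errors(reduced, ERROR_USE_CASE))
    print("tool TCL then:", tool_tcl(reduced, ERROR_USE_CASE, USE_CASES))
```

The point of the `drop_measure` run is the one a reviewer of such a report should look for: errors 010, 011, 016 to 020 are each covered by a single check and error 015 by a single restriction, so the tool's TCL 1 rests on every one of those measures actually being executed in the qualification project. Errors 001 to 009, 012 to 014 and 021 keep TD 1 even if one of their two measures is dropped.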

1.4.7.1 TCL DETERMINATION FOR USE CASE: DETAILED ARCHITECTURE DEFINITION

The use case "Detailed architecture definition" has TCL 1. The TCL is determined by the worst (lowest-probability) Tool Detection Level (TD) among all errors of the use case. The following table gives an overview of the errors of "Detailed architecture definition".

Error | TD | Table
001-xxx is not traced with a Simulink port | TD 1 (HIGH) | Table 80
007-Architecture element has no name set | TD 1 (HIGH) | Table 81
008-Port xxx is not connected | TD 1 (HIGH) | Table 82
021-Assessment or validation of the Qualification Project against the Qualification Reference | TD 1 (HIGH) | Table 83

Table 79 Errors of Use Case: Detailed architecture definition

Error: 001-xxx is not traced with a Simulink port
Description: 001-xxx is not traced with a Simulink port
From use case: Detailed architecture definition
Discovered by the following checks: Detailed architecture definition.001-Trace architecture port - Simulink
Occurrences: in Detailed architecture definition
Avoided by the following restrictions: Detailed architecture definition.001-All system architecture ports traced with Simulink
Error View: (diagram not reproduced)

Table 80 Error: 001-xxx is not traced with a Simulink port

Error: 007-Architecture element has no name set
Description: 007-Architecture element has no name set
From use case: Detailed architecture definition
Discovered by the following checks: Detailed architecture definition.007-Checks if each system architecture element has a name set (except for connectors)
Occurrences: in Detailed architecture definition
Avoided by the following restrictions: Detailed architecture definition.007-Each system architecture element is named
Error View: (diagram not reproduced)

Table 81 Error: 007-Architecture element has no name set

Error: 008-Port xxx is not connected
Description: 008-Port xxx is not connected
From use case: Detailed architecture definition
Discovered by the following checks: Detailed architecture definition.008-Checks if each system architecture port is connected
Occurrences: in Detailed architecture definition
Avoided by the following restrictions: Detailed architecture definition.008-All ports are connected
Error View: (diagram not reproduced)

Table 82 Error: 008-Port xxx is not connected

Error: 021-Assessment or validation of the Qualification Project against the Qualification Reference
Description: 021-Assessment or validation of the Qualification Project against the Qualification Reference
From use case: Detailed architecture definition
Discovered by the following checks: Detailed architecture definition.021-Checks for name consistency between failure modes
Occurrences: in Detailed architecture definition
Avoided by the following restrictions: Detailed architecture definition.021-Failure mode names must be consistent for each diagram/table
Error View: (diagram not reproduced)

Table 83 Error: 021-Assessment or validation of the Qualification Project against the Qualification Reference

1.4.7.2 TCL DETERMINATION FOR USE CASE: FHA GENERATION

The use case "FHA Generation" has TCL 1. The TCL is determined by the worst (lowest-probability) Tool Detection Level (TD) among all errors of the use case. The following table gives an overview of the errors of "FHA Generation".

Error | TD | Table
006-Safety goal is not associated with a hazardous event | TD 1 (HIGH) | Table 85
010-xxx has no justification given for the estimated ranking of exposure for the ISO ASIL | TD 1 (HIGH) | Table 86
012-xxx ASIL does not match the ASIL of the associated goal | TD 1 (HIGH) | Table 87
013-Hazard has no item traced | TD 1 (HIGH) | Table 88

Table 84 Errors of Use Case: FHA Generation

Error: 006-Safety goal is not associated with a hazardous event
Description: 006-Safety goal is not associated with a hazardous event
From use case: FHA Generation
Discovered by the following checks: FHA Generation.006-Checks if each safety goal is associated with a hazardous event
Occurrences: in FHA Generation
Avoided by the following restrictions: FHA Generation.006-All safety goals associated with a hazardous event
Error View: (diagram not reproduced)

Table 85 Error: 006-Safety goal is not associated with a hazardous event

Error: 010-xxx has no justification given for the estimated ranking of exposure for the ISO ASIL
Description: 010-xxx has no justification given for the estimated ranking of exposure for the ISO ASIL
From use case: FHA Generation
Discovered by the following checks: FHA Generation.010-Checks that each ranking of exposure from E0 to E2 has a justification given for the estimation
Occurrences: in FHA Generation
Error View: (diagram not reproduced)

Table 86 Error: 010-xxx has no justification given for the estimated ranking of exposure for the ISO ASIL

Error: 012-xxx ASIL does not match the ASIL of the associated goal
Description: 012-xxx ASIL does not match the ASIL of the associated goal
From use case: FHA Generation
Discovered by the following checks: FHA Generation.012-Checks that the ASIL of a hazard matches the ASIL of an associated goal
Occurrences: in FHA Generation
Avoided by the following restrictions: FHA Generation.012-Hazard and goal ASIL must be the same
Error View: (diagram not reproduced)

Table 87 Error: 012-xxx ASIL does not match the ASIL of the associated goal

Error: 013-Hazard has no item traced
Description: 013-Hazard has no item traced
From use case: FHA Generation
Discovered by the following checks: FHA Generation.013-Checks that each hazard model is traced to an item
Occurrences: in FHA Generation
Avoided by the following restrictions: FHA Generation.013-All hazard models traced to an item
Error View: (diagram not reproduced)

Table 88 Error: 013-Hazard has no item traced

1.4.7.3 TCL DETERMINATION FOR USE CASE: FMEA GENERATION

The use case "FMEA Generation" has TCL 1. The TCL is determined by the worst (lowest-probability) Tool Detection Level (TD) among all errors of the use case. The following table gives an overview of the errors of "FMEA Generation".

Error | TD | Table
011-xxx has failure modes with category 'no part' and failure modes with other categories | TD 1 (HIGH) | Table 90
017-Name of xxx is different from corresponding system architecture element(s): yyy | TD 1 (HIGH) | Table 91
018-xxx has no corresponding architecture element in any of the architecture model(s): yyy | TD 1 (HIGH) | Table 92
019-xxx has no corresponding architecture element in the derived worksheet(s): yyy | TD 1 (HIGH) | Table 93
020-xxx does not have the same failure modes as corresponding architecture element(s): yyy | TD 1 (HIGH) | Table 94

Table 89 Errors of Use Case: FMEA Generation

Error: 011-xxx has failure modes with category 'no part' and failure modes with other categories
Description: 011-xxx has failure modes with category 'no part' and failure modes with other categories
From use case: FMEA Generation
Discovered by the following checks: FMEA Generation.011-Checks that either all failure modes of an FMEA component xxx have category 'no part' or none
Occurrences: in FMEA Generation
Error View: (diagram not reproduced)

Table 90 Error: 011-xxx has failure modes with category 'no part' and failure modes with other categories

Error: 017-Name of xxx is different from corresponding system architecture element(s): yyy
Description: 017-Name of xxx is different from corresponding system architecture element(s): yyy
From use case: FMEA Generation
Discovered by the following checks: FMEA Generation.017-Checks for name differences between FMEA components and corresponding system architecture elements
Occurrences: in FMEA Generation
Error View: (diagram not reproduced)

Table 91 Error: 017-Name of xxx is different from corresponding system architecture element(s): yyy

Error: 018-xxx has no corresponding architecture element in any of the architecture model(s): yyy
Description: 018-xxx has no corresponding architecture element in any of the architecture model(s): yyy
From use case: FMEA Generation
Discovered by the following checks: FMEA Generation.018-Checks that all FMEA components have counterparts in at least one system architecture the worksheet is derived from
Occurrences: in FMEA Generation
Error View: (diagram not reproduced)

Table 92 Error: 018-xxx has no corresponding architecture element in any of the architecture model(s): yyy

• Error: 019-xxx has no corresponding architecture element in the derived worksheet(s): yyy
  • Description: 019-xxx has no corresponding architecture element in the derived worksheet(s): yyy
  • From use case: FMEA Generation
  • Discovered by the following checks: FMEA Generation.019-Checks that all system architecture parts have pendants in the derived FMEA worksheets
  • Occurrences: in FMEA Generation

Table 93 Error: 019-xxx has no corresponding architecture element in the derived worksheet(s): yyy

• Error: 020-"xxx does not have the same failure modes than corresponding architecture element(s): yyy"
  • Description: 020-"xxx does not have the same failure modes than corresponding architecture element(s): yyy"
  • From use case: FMEA Generation
  • Discovered by the following checks: FMEA Generation.020-Checks for consistency between failure modes of FMEA components and related system architecture elements
  • Occurrences: in FMEA Generation

Table 94 Error: 020-"xxx does not have the same failure modes than corresponding architecture element(s): yyy"
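Checks 011 and 017 to 020 above amount to a set comparison between the FMEA worksheet and the architecture model(s) it is derived from: component by component, the names, the presence of a pendant on each side and the failure-mode sets have to agree, and 'no part' may not be mixed with other failure-mode categories. The following Python program is an added example of that comparison; it is not part of the generated report or of the analysed tool, and its data model (ArchElement, FmeaComponent, Finding), the element identifiers and the sample worksheet are assumptions constructed for illustration.

```python
"""Consistency checks of an FMEA worksheet against the system architecture
model(s) it is derived from, mirroring checks 011 and 017-020 of the report.
Added example: the data model and the Finding type are assumptions, not the
report generator's own code."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class FailureMode:
    name: str
    category: str                 # e.g. "no part", "loss", "timing"


@dataclass
class ArchElement:
    element_id: str
    name: str
    failure_modes: frozenset      # names of the element's failure modes


@dataclass
class FmeaComponent:
    name: str
    failure_modes: List[FailureMode] = field(default_factory=list)
    derived_from: Optional[str] = None   # element_id the component was derived from


@dataclass(frozen=True)
class Finding:
    code: str
    message: str


def check_worksheet(components: List[FmeaComponent],
                    models: Dict[str, List[ArchElement]]) -> List[Finding]:
    """Run checks 011, 017, 018, 019 and 020 over one worksheet.
    `models` maps an architecture model name to its elements."""
    findings: List[Finding] = []
    by_id: Dict[str, list] = {}
    for model_name, elements in models.items():
        for e in elements:
            by_id.setdefault(e.element_id, []).append((model_name, e))

    for c in components:
        # 011: 'no part' must not be mixed with other failure-mode categories.
        categories = {fm.category for fm in c.failure_modes}
        if "no part" in categories and len(categories) > 1:
            findings.append(Finding("011", f"{c.name} has failure mode with category 'no part' and failure modes with other categories."))
        # 018: every FMEA component needs a pendant in at least one architecture model.
        pendants = by_id.get(c.derived_from, []) if c.derived_from else []
        if not pendants:
            findings.append(Finding("018", f"{c.name} has no corresponding architecture element in any of the architecture model(s): {', '.join(models)}"))
            continue
        for model_name, e in pendants:
            # 017: names must agree between worksheet and architecture.
            if e.name != c.name:
                findings.append(Finding("017", f"Name of {c.name} is different from corresponding system architecture element(s): {e.name}"))
            # 020: the failure-mode sets must agree.
            if {fm.name for fm in c.failure_modes} != set(e.failure_modes):
                findings.append(Finding("020", f"{c.name} does not have the same failure modes as corresponding architecture element(s): {e.name}"))

    # 019: every architecture part needs a pendant in the derived worksheet.
    covered = {c.derived_from for c in components}
    for model_name, elements in models.items():
        for e in elements:
            if e.element_id not in covered:
                findings.append(Finding("019", f"{e.name} has no corresponding architecture element in the derived worksheet(s): {model_name}"))
    return findings


def run_sample() -> List[Finding]:
    """Constructed data: one architecture model and a worksheet showing each defect once."""
    arch = {"sys_arch": [
        ArchElement("E1", "Rx", frozenset({"loss", "corrupted"})),
        ArchElement("E2", "Tx", frozenset({"loss"})),
        ArchElement("E3", "Scheduler", frozenset({"deadline miss"})),
        ArchElement("E4", "Power", frozenset({"loss"})),      # absent from the worksheet -> 019
    ]}
    worksheet = [
        FmeaComponent("Rx", [FailureMode("loss", "loss"), FailureMode("corrupted", "corruption")], "E1"),
        FmeaComponent("Transmitter", [FailureMode("loss", "loss")], "E2"),   # renamed -> 017
        FmeaComponent("Watchdog", [FailureMode("stuck", "timing")], "E9"),   # unknown element -> 018
        FmeaComponent("Filter", [FailureMode("stuck", "no part"),            # mixed categories -> 011
                                 FailureMode("late", "timing")], "E3"),      # name and modes differ -> 017, 020
    ]
    return check_worksheet(worksheet, arch)


if __name__ == "__main__":
    for f in run_sample():
        print(f.code, f.message)
```

The messages reuse the wording of Tables 90 to 94 so that a finding can be matched to the corresponding error entry; a worksheet derived from several architecture models gets one 017/020 finding per model in which the pendant differs.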

1.4.7.4 TCL DETERMINATION FOR USE CASE: FTA GENERATION

The use case "FTA Generation" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "FTA Generation".

Error | TD | Table
004-Safety goal has no FTA traced | TD 1 (HIGH) | Table 96
015-FTA model has a loop due to transfer gates | TD 1 (HIGH) | Table 97

Table 95 Errors of Use Case: FTA Generation

• Error: 004-Safety goal has no FTA traced
  • Description: 004-Safety goal has no FTA traced
  • From use case: FTA Generation
  • Discovered by the following checks: FTA Generation.004-Checks if each safety goal has a FTA traced
  • Occurrences: in FTA Generation
  • Avoided by the following restrictions: FTA Generation.004-All safety goals traced with FTA

Table 96 Error: 004-Safety goal has no FTA traced

• Error: 015-FTA model has a loop due to transfer gates
  • Description: 015-FTA model has a loop due to transfer gates
  • From use case: FTA Generation
  • Occurrences: in FTA Generation
  • Avoided by the following restrictions: FTA Generation.015-FTA does not contain loops

Table 97 Error: 015-FTA model has a loop due to transfer gates

1.4.7.5 TCL DETERMINATION FOR USE CASE: FUNCTION ALLOCATION

The use case "Function allocation" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "Function allocation".

Error | TD | Table
016-The decomposing requirement xxx is allocated to the same architecture or software element as its neighbor | TD 1 (HIGH) | Table 99

Table 98 Errors of Use Case: Function allocation

• Error: 016-The decomposing requirement xxx is allocated to the same architecture or software element as its neighbor
  • Description: 016-The decomposing requirement xxx is allocated to the same architecture or software element as its neighbor
  • From use case: Function allocation
  • Discovered by the following checks: Function allocation.016-Checks that no decomposing requirement is allocated to the same architecture or software element as its neighbour
  • Occurrences: in Function allocation

Table 99 Error: 016-The decomposing requirement xxx is allocated to the same architecture or software element as its neighbor

1.4.7.6 TCL DETERMINATION FOR USE CASE: GENERATION HW COVERAGE

The use case "Generation HW Coverage" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case; this use case has no errors.

1.4.7.7 TCL DETERMINATION FOR USE CASE: HW/SW ALLOCATION

The use case "HW/SW allocation" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "HW/SW allocation".

Error | TD | Table
009-req is not correctly decomposed | TD 1 (HIGH) | Table 101
014-xxx has an invalid ASIL. ASIL has to be the same or higher than of goals it contributes to | TD 1 (HIGH) | Table 102

Table 100 Errors of Use Case: HW/SW allocation

• Error: 009-req is not correctly decomposed
  • Description: 009-Safety requirement is not correctly decomposed
  • From use case: HW/SW allocation
  • Discovered by the following checks: HW/SW allocation.009-Checks if a valid decomposition has been applied
  • Occurrences: in HW/SW allocation
  • Avoided by the following restrictions: HW/SW allocation.009-Validation of decomposition

Table 101 Error: 009-req is not correctly decomposed

• Error: 014-xxx has an invalid ASIL. ASIL has to be the same or higher than of goals it contributes to
  • Description: 014-xxx has an invalid ASIL. ASIL has to be the same or higher than that of the goals it contributes to
  • From use case: HW/SW allocation
  • Discovered by the following checks: HW/SW allocation.014-Checks if safety requirements have the same or higher ASIL than the goals they contribute to
  • Occurrences: in HW/SW allocation
  • Avoided by the following restrictions: HW/SW allocation.014-All safety requirements SIL >= safety goal SIL

Table 102 Error: 014-xxx has an invalid ASIL. ASIL has to be the same or higher than of goals it contributes to

1.4.7.8 TCL DETERMINATION FOR USE CASE: ITEM DEFINITION

The use case "Item Definition" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case; this use case has no errors.

1.4.7.9 TCL DETERMINATION FOR USE CASE: SAFETY GOALS DEFINITION

The use case "Safety goals definition" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "Safety goals definition".

Error | TD | Table
002-xxx is safety related and has no safety goal assigned | TD 1 (HIGH) | Table 104
003-xxx has no functional safety requirement specified | TD 1 (HIGH) | Table 105
005-xxx (safety req) has no unique identifier | TD 1 (HIGH) | Table 106

Table 103 Errors of Use Case: Safety goals definition

• Error: 002-xxx is safety related and has no safety goal assigned
  • Description: xxx is safety related and has no safety goal assigned
  • From use case: Safety goals definition
  • Discovered by the following checks: Safety goals definition.002-Link hazard - safety goal
  • Occurrences: in Safety goals definition
  • Avoided by the following restrictions: Safety goals definition.002-All hazard events assigned to a safety goal

Table 104 Error: 002-xxx is safety related and has no safety goal assigned

• Error: 003-xxx has no functional safety requirement specified
  • Description: 003-xxx has no functional safety requirement specified
  • From use case: Safety goals definition
  • Discovered by the following checks: Safety goals definition.003-Checks if for each safety goal at least one functional safety requirement is specified
  • Occurrences: in Safety goals definition
  • Avoided by the following restrictions: Safety goals definition.003-For all safety goals exists one safety requirement

Table 105 Error: 003-xxx has no functional safety requirement specified

• Error: 005-xxx (safety req) has no unique identifier
  • Description: 005-safety requirement has no unique identifier
  • From use case: Safety goals definition
  • Discovered by the following checks: Safety goals definition.005-Checks if every safety requirement has a unique identifier
  • Occurrences: in Safety goals definition
  • Avoided by the following restrictions: Safety goals definition.005-Exists a unique safety requirement identifier

Table 106 Error: 005-xxx (safety req) has no unique identifier
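The checks behind Tables 96, 97 and 101 to 106 are all traceability and ordering constraints over the same few artifacts: every safety-related hazard has a safety goal, every safety goal has a functional safety requirement and an FTA, requirement identifiers are unique, a requirement's ASIL is at least that of every goal it contributes to, and the transfer gates of the FTAs do not form a loop. The following Python program is an added example that implements checks 002, 003, 004, 005 and 014 and the loop detection of check 015; it is not part of the generated report or of the analysed tool, and the dictionary schema, the ASIL ordering table and the sample hazards, goals, requirements and FTA references are assumptions constructed for illustration.

```python
"""Checks 002-005 and 014 ("Safety goals definition" / "HW/SW allocation") and the
FTA transfer-gate loop check 015, over a minimal model of hazards, safety goals,
safety requirements and FTAs. Added example; the schema and the sample data are
assumptions, not the report generator's or the analysed tool's own code."""
from collections import Counter
from typing import Dict, List, Optional, Tuple

ASIL_RANK = {"QM": 0, "A": 1, "B": 2, "C": 3, "D": 4}   # ISO 26262 ASIL ordering, QM lowest

Finding = Tuple[str, str]   # (check number, message)


def check_safety_goals(hazards, goals, requirements) -> List[Finding]:
    findings: List[Finding] = []
    # 002: every safety-related hazard must have a safety goal assigned.
    for h in hazards:
        if h["safety_related"] and not h.get("safety_goal"):
            findings.append(("002", f"{h['id']} is safety related and has no safety goal assigned"))
    reqs_by_goal: Dict[str, list] = {}
    for r in requirements:
        for g in r["contributes_to"]:
            reqs_by_goal.setdefault(g, []).append(r)
    for g in goals:
        # 003: each safety goal needs at least one functional safety requirement.
        if not reqs_by_goal.get(g["id"]):
            findings.append(("003", f"{g['id']} has no functional safety requirement specified"))
        # 004: each safety goal needs an FTA traced to it.
        if not g.get("fta"):
            findings.append(("004", f"Safety goal {g['id']} has no FTA traced"))
    # 005: safety requirement identifiers must be unique.
    for rid, n in Counter(r["id"] for r in requirements).items():
        if n > 1:
            findings.append(("005", f"{rid} (safety req) has no unique identifier"))
    # 014: a requirement's ASIL must be >= the ASIL of every goal it contributes to.
    goal_asil = {g["id"]: g["asil"] for g in goals}
    for r in requirements:
        for g in r["contributes_to"]:
            if g in goal_asil and ASIL_RANK[r["asil"]] < ASIL_RANK[goal_asil[g]]:
                findings.append(("014", f"{r['id']} has an invalid ASIL. ASIL has to be the same or higher than that of goals it contributes to"))
    return findings


def fta_loop(transfers: Dict[str, List[str]]) -> Optional[List[str]]:
    """Check 015. `transfers` maps an FTA to the FTAs its transfer gates point to.
    Returns the first loop found, as a path that ends where it started, or None."""
    state: Dict[str, str] = {}
    path: List[str] = []

    def visit(n: str) -> Optional[List[str]]:
        state[n] = "open"
        path.append(n)
        for m in transfers.get(n, ()):
            s = state.get(m, "new")
            if s == "open":                       # back edge: a transfer gate closes a loop
                return path[path.index(m):] + [m]
            if s == "new":
                loop = visit(m)
                if loop:
                    return loop
        path.pop()
        state[n] = "done"
        return None

    for n in list(transfers):
        if state.get(n, "new") == "new":
            loop = visit(n)
            if loop:
                return loop
    return None


def run_sample() -> List[Finding]:
    """Constructed data with each defect exactly once."""
    hazards = [
        {"id": "H1", "safety_related": True, "safety_goal": "SG1"},
        {"id": "H2", "safety_related": True, "safety_goal": None},    # -> 002
        {"id": "H3", "safety_related": False, "safety_goal": None},   # not safety related: fine
    ]
    goals = [
        {"id": "SG1", "asil": "C", "fta": "FTA_SG1"},
        {"id": "SG2", "asil": "B", "fta": None},                      # -> 003 (no requirement), 004 (no FTA)
    ]
    requirements = [
        {"id": "FSR1", "asil": "C", "contributes_to": ["SG1"]},
        {"id": "FSR2", "asil": "A", "contributes_to": ["SG1"]},       # ASIL A below SG1's C -> 014
        {"id": "FSR2", "asil": "B", "contributes_to": []},            # duplicate identifier -> 005
    ]
    return check_safety_goals(hazards, goals, requirements)


if __name__ == "__main__":
    for code, msg in run_sample():
        print(code, msg)
    # Constructed FTA transfer references: FTA_Brake and FTA_Power refer to each other.
    print(fta_loop({"FTA_SG1": ["FTA_Brake"], "FTA_Brake": ["FTA_Power"], "FTA_Power": ["FTA_Brake"]}))
```

The loop detection is a depth-first search that reports the first back edge it meets; an FTA model whose transfer gates form no cycle makes the search return None, which is the condition the restriction "FTA does not contain loops" demands.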

1.4.7.10 TCL DETERMINATION FOR USE CASE: SW ARCHITECTURE DEFINITION

The use case "SW Architecture definition" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case; this use case has no errors.

1.5 NUSMV MODEL CHECKER

This section explains the determination of the Tool Confidence Level (TCL) for the tool nuSMV Model Checker.

• Tool: nuSMV Model Checker
  • Description: -None-
  • Impact: TI 2 (Impact)
  • Tool Confidence Level: TCL 1

Table 107 Tool: nuSMV Model Checker

The tool nuSMV Model Checker is modeled with no element which has impact. No additional features have been modeled.

Elements | Amount (Assumptions)
Use Cases | 0 (0)
Checks | 0 (0)
Restrictions | 0 (0)
Potential Errors | 0 (0)

Table 108 Amount of Elements in Tool: nuSMV Model Checker

1.5.1 USE CASES OF NUSMV MODEL CHECKER

There are no use cases modeled for nuSMV Model Checker.

1.5.2 FEATURES OF NUSMV MODEL CHECKER

There are no features modeled for nuSMV Model Checker.

1.5.3 POTENTIAL ERRORS IN NUSMV MODEL CHECKER

The tool has no potential error. The error flow consists of all relations from errors to checks or restrictions. There are

• no relation from errors caused by other tools to checks or restrictions defined for use cases of this tool.

• no relation from errors caused by this tool to checks or restrictions defined for use cases of this tool.

• no relation from errors caused by this tool to checks or restrictions defined for use cases of other tools.

1.5.4 RESTRICTIONS IN NUSMV MODEL CHECKER

There are no restrictions in the tool nuSMV Model Checker.

1.5.5 CHECKS IN NUSMV MODEL CHECKER

No checks are performed in the tool nuSMV Model Checker.

1.5.6 ASSUMPTIONS

The determination of the TCL of nuSMV Model Checker is not based on assumed checks and restrictions. None of the checks and restrictions are modeled as assumptions.

1.5.7 TCL DETERMINATION

This section determines a TCL for each use case by assigning checks or restrictions with detection/avoidance probability to each potential error. The TCL for the entire tool is derived from the TCL of each use case. The tool nuSMV Model Checker has no use case with TCL 1, no use case with TCL 2 and no use case with TCL 3; as no use case is modeled, the tool nuSMV Model Checker therefore has TCL 1.

There are no use cases modeled for the tool nuSMV Model Checker.

1.6 PROCESS CHECKER

This section explains the determination of the Tool Confidence Level (TCL) for the tool Process Checker.

• Tool: Process Checker
  • Description: This is a manual step to validate the process for completeness. If this is the case, TCA model validation can be omitted.
  • Impact: TI 2 (Impact)
  • Tool Confidence Level: TCL 1

Table 109 Tool: Process Checker

The tool Process Checker is modeled with one element which has impact; it is not an assumption. No additional features have been modeled.

Elements | Amount (Assumptions)
Use Cases | 0 (0)
Checks | 0 (0)
Restrictions | 1 (0)
Potential Errors | 0 (0)

Table 110 Amount of Elements in Tool: Process Checker

1.6.1 USE CASES OF PROCESS CHECKER

There are no use cases modeled for Process Checker.

1.6.2 FEATURES OF PROCESS CHECKER

There are no features modeled for Process Checker.

1.6.3 POTENTIAL ERRORS IN PROCESS CHECKER

The tool has no potential error. The error flow, shown in Fig 12, consists of all relations from errors to checks or restrictions. There are

• 2 relations from errors caused by other tools to checks or restrictions defined for use cases of this tool.

• no relation from errors caused by this tool to checks or restrictions defined for use cases of this tool.

• no relation from errors caused by this tool to checks or restrictions defined for use cases of other tools.

Fig 12 Error Flow to and from Process Checker

Table 111 shows both relations; both are introduced by the same other tool:

Tool | Error | UseCase | Table
Tool Chain Analyzer | Process Inconsistently Modelled | Create Model | Table 181
Tool Chain Analyzer | Process Inconsistently Modelled | Review Model | Table 196

Table 111 Errors introduced in Process Checker by other tools

1.6.4 RESTRICTIONS IN PROCESS CHECKER

The tool Process Checker must only be used with the following restriction.

• Restriction: Consistent Process
  • Description: This ensures that the process is consistent
  • From use case: Process Checker, Validate Process
  • Error avoidance probability: TD 1 (HIGH)
  • Occurrences: in Validate Process
  • Avoided errors from other tools: Validate Process, Tool Chain Analyzer, Model Validation, Process Inconsistently Modelled

Table 112 Restriction: Consistent Process

1.6.5 CHECKS IN PROCESS CHECKER

No checks are performed in the tool Process Checker.

1.6.6 ASSUMPTIONS

The determination of the TCL of Process Checker is not based on assumed checks and restrictions. None of the checks and restrictions are modeled as assumptions.


1.6.7 TCL DETERMINATION

This section determines a TCL for each use case by assigning checks or restrictions with detection/avoidance probability to each potential error. The TCL for the entire tool is derived from the TCL of each use case. The tool Process Checker has no use case with TCL 1, no use case with TCL 2 and no use case with TCL 3; as no use case is modeled, the tool Process Checker therefore has TCL 1.

There are no use cases modeled for the tool Process Checker.

1.7 SIMULINK

This section explains the determination of the Tool Confidence Level (TCL) for the tool Simulink.

• Tool: Simulink
  • Description: Simulink
  • Impact: TI 2 (Impact)
  • Tool Confidence Level: TCL 3

Table 113 Tool: Simulink

The tool Simulink is modeled with 14 elements which have impact, one of which is an assumption. One additional feature has been modeled, which is not an assumption.

Elements | Amount (Assumptions)
Use Cases | 4 (0)
Checks | 0 (0)
Restrictions | 0 (0)
Potential Errors | 10 (1)

Table 114 Amount of Elements in Tool: Simulink

1.7.1 USE CASES OF SIMULINK

This section describes all analyzed use cases of Simulink in separate subsections. The following use cases of the tool Simulink are considered:

1. Code generation, see Section 1.7.1.1
2. Contracts to assertions, see Section 1.7.1.2
3. Modelling, see Section 1.7.1.3
4. Modelling Requirements, see Section 1.7.1.4

1.7.1.1 USE CASE CODE GENERATION

This section describes the use case "Code generation".

• UseCase: Code generation
  • Description: -None-

Table 115 UseCase: Code generation

The use case requires no features and calls no other use cases. The use case "Code generation" reads and/or writes the following artifacts. The used artifacts are shown in Fig 13 and are summarized in the subsequent table.

Fig 13 Artifacts of Use Case: Code generation

• Artifacts of Use Case: Code generation
  • Inputs: Simulink Model
  • Outputs: Source Code

Table 116 Artifacts of Use Case: Code generation

1.7.1.2 USE CASE CONTRACTS TO ASSERTIONS

This section describes the use case "Contracts to assertions".

• UseCase: Contracts to assertions
  • Description: To check contracts in Simulink Design Verifier (needed to keep the verification tools at TCL 1), the contracts have to be translated into assertions and assumptions understood by Simulink Design Verifier. This is added as a use case here, but it could be automated in a tool.

Table 117 UseCase: Contracts to assertions

The use case requires no features and calls no other use cases. The use case "Contracts to assertions" reads and/or writes the following artifacts. The used artifacts are shown in Fig 14 and are summarized in the subsequent table.

Fig 14 Artifacts of Use Case: Contracts to assertions

• Artifacts of Use Case: Contracts to assertions
  • Inputs: contract

Table 118 Artifacts of Use Case: Contracts to assertions

1.7.1.3 USE CASE MODELLING

This section describes the use case "Modelling".

• UseCase: Modelling
  • Description: -None-

Table 119 UseCase: Modelling

The use case requires no features and calls no other use cases.


The use case "Modelling" reads and/or writes the following artifacts. The used artifacts are shown in Fig 15 and are summarized in the subsequent table.

Fig 15 Artifacts of Use Case: Modelling

• Artifacts of Use Case: Modelling
  • Outputs:
    • Contract
    • Simulink Model
    • Simulink model
    • contract

Table 120 Artifacts of Use Case: Modelling


1.7.1.4 USE CASE MODELLING REQUIREMENTS

This section describes the use case "Modelling Requirements".

• UseCase: Modelling Requirements
  • Description: The user reads the requirements and builds the Simulink model for them.

Table 121 UseCase: Modelling Requirements

The use case requires one feature and calls no other use cases. Fig 16 shows the dependencies between the use cases and features.

Fig 16 Dependency View of Use Case: Modelling Requirements

"Modelling Requirements" uses the following features:
• Edit Model

Use cases calling "Modelling Requirements":
• Medini, SW Architecture definition

The use case "Modelling Requirements" reads and/or writes the following artifacts. The used artifacts are shown in Fig 17 and are summarized in the subsequent table.

Fig 17 Artifacts of Use Case: Modelling Requirements

• Artifacts of Use Case: Modelling Requirements
  • Inputs: Safety Requirements
  • Outputs: Simulink Model

Table 122 Artifacts of Use Case: Modelling Requirements

1.7.2 FEATURES OF SIMULINK

This section describes all analyzed features of Simulink in separate subsections. The following features of the tool Simulink are considered:

1. Edit Model, see Section 1.7.2.1

1.7.2.1 FEATURE EDIT MODEL

This section describes the feature "Edit Model".

• Feature: Edit Model
  • Description: Edit Simulink Model

Table 123 Feature: Edit Model

In order to fulfill the requirements of the feature, usually a number of artifacts will be read and/or written. But in "Edit Model" the tool Simulink uses no artifacts.

1.7.3 POTENTIAL ERRORS IN SIMULINK

The tool has 10 different potential errors in 10 occurrences in use cases. The error flow consists of all relations from errors to checks or restrictions. There are

• no relation from errors caused by other tools to checks or restrictions defined for use cases of this tool.

• no relation from errors caused by this tool to checks or restrictions defined for use cases of this tool.

• no relation from errors caused by this tool to checks or restrictions defined for use cases of other tools.

• 10 errors caused by this tool without any relation to checks or restrictions.

The following 10 error occurrences of Simulink have no relation to any check or restriction:

• Contract corruption (Table 131)
• Contract removal (Table 132)
• Contract violation (Table 133)
• Incorrect translation (Table 129)
• Non-termination (Table 134)
• Runtime error (Table 135)
• Scheduling error (Table 125)
• WCET violation (Table 126)
• Wrong code (Table 127)
• Wrong contract (Table 136)

1.7.4 RESTRICTIONS IN SIMULINK

There are no restrictions in the tool Simulink.

1.7.5 CHECKS IN SIMULINK

No checks are performed in the tool Simulink.

1.7.6 ASSUMPTIONS

The determination of the TCL of Simulink is based on the following assumption on the development process.

• Error: Incorrect translation (use case Contracts to assertions)

1.7.7 TCL DETERMINATION

This section determines a TCL for each use case by assigning checks or restrictions with detection/avoidance probability to each potential error. The TCL for the entire tool can be derived from the TCL for each use case. The tool Simulink has one use case with TCL 1, no use case with TCL 2 and 3 use cases with TCL 3. Therefore the tool Simulink has TCL 3. The use cases are described in the following sections:

• For "Code generation" (TCL 3) see Section 1.7.7.1, • for "Contracts to assertions" (TCL 3) see Section 1.7.7.2, • for "Modelling" (TCL 3) see Section 1.7.7.3, and • for "Modelling Requirements" (TCL 1) see Section 1.7.7.4.
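The rule applied in every TCL DETERMINATION section of this report (1.5.7, 1.6.7 and this one) is mechanical: a use case takes the lowest detection level (numerically the highest TD) among its potential errors, an error without any related check or restriction counts as TD 3 (LOW), a use case or a tool without errors or use cases gets TCL 1, and the tool takes the worst TCL of its use cases. The following Python program is an added example of that rule; it is not part of the generated report or of any analysed tool. Its data model and the tools it constructs from the figures above are assumptions made for illustration, and the (TI, TD) to TCL mapping it implements is the one of ISO 26262-8, of which this report only exercises the TI 2 rows.

```python
"""TCL determination as described in the TCL DETERMINATION sections of the report.
Added example; the data model is an assumption, not the report generator's code."""
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class PotentialError:
    name: str
    td: Optional[int] = None   # TD of the best check/restriction covering it: 1 HIGH, 2 MEDIUM, 3 LOW


@dataclass
class UseCase:
    name: str
    errors: List[PotentialError] = field(default_factory=list)


@dataclass
class Tool:
    name: str
    ti: int                    # tool impact: 1 (no impact) or 2 (impact)
    use_cases: List[UseCase] = field(default_factory=list)


def error_td(err: PotentialError) -> int:
    """An error with no check or restriction related to it cannot be detected or
    avoided, so it counts as TD 3 (LOW), as for the Simulink errors above."""
    return 3 if err.td is None else err.td


def use_case_tcl(uc: UseCase, ti: int) -> int:
    """ISO 26262-8 mapping (TI, TD) -> TCL: TI 1 always gives TCL 1; for TI 2 the TCL
    equals the worst (numerically highest) TD among the use case's errors.
    A use case without errors has nothing to detect and gets TCL 1."""
    if ti == 1 or not uc.errors:
        return 1
    return max(error_td(e) for e in uc.errors)


def tool_tcl(tool: Tool) -> int:
    """The tool TCL is the worst TCL of its use cases; a tool without use cases gets TCL 1."""
    if not tool.use_cases:
        return 1
    return max(use_case_tcl(uc, tool.ti) for uc in tool.use_cases)


def tcl_summary(tool: Tool) -> Counter:
    """How many use cases sit at each TCL, e.g. {3: 3, 1: 1} for Simulink."""
    return Counter(use_case_tcl(uc, tool.ti) for uc in tool.use_cases)


# Constructed from the Simulink figures in Tables 124-136: ten errors, none related to a check.
SIMULINK = Tool("Simulink", ti=2, use_cases=[
    UseCase("Code generation", [PotentialError(n) for n in
                                ("Scheduling error", "WCET violation", "Wrong code")]),
    UseCase("Contracts to assertions", [PotentialError("Incorrect translation")]),
    UseCase("Modelling", [PotentialError(n) for n in
                          ("Contract corruption", "Contract removal", "Contract violation",
                           "Non-termination", "Runtime error", "Wrong contract")]),
    UseCase("Modelling Requirements"),
])

# A tool whose errors are all covered by TD 1 checks, like the use cases of section 1.4.7 above.
COVERED = Tool("Covered tool", ti=2, use_cases=[
    UseCase("HW/SW allocation", [PotentialError("009-req is not correctly decomposed", td=1),
                                 PotentialError("014-xxx has an invalid ASIL", td=1)]),
])

NUSMV = Tool("nuSMV Model Checker", ti=2)   # no use cases modeled

if __name__ == "__main__":
    for t in (SIMULINK, COVERED, NUSMV):
        print(t.name, "TCL", tool_tcl(t), dict(tcl_summary(t)))
```

Running it reproduces the verdicts of the report: Simulink ends at TCL 3 because three of its four use cases have only uncovered (TD 3) errors, while a single TD 1 check or restriction per error is what keeps the section 1.4.7 use cases, and therefore their tool, at TCL 1.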

1.7.7.1 TCL DETERMINATION FOR USE CASE: CODE GENERATION

The use case "Code generation" has TCL 3. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "Code generation".

Error | TD | Table
Scheduling error | TD 3 (LOW) | Table 125
WCET violation | TD 3 (LOW) | Table 126
Wrong code | TD 3 (LOW) | Table 127

Table 124 Errors of Use Case: Code generation

• Error: Scheduling error
  • Description: The chosen scheduling scheme used for the implemented (multi-rate) model is infeasible
  • From use case: Code generation
  • Occurrences: in Code generation

Table 125 Error: Scheduling error

• Error: WCET violation
  • Description: The WCET of the code is longer than it should be given the chosen scheduling scheme
  • From use case: Code generation
  • Occurrences: in Code generation

Table 126 Error: WCET violation

• Error: Wrong code
  • Description: The semantics of the code does not match the model semantics in terms of block behaviours
  • From use case: Code generation
  • Occurrences: in Code generation

Table 127 Error: Wrong code

1.7.7.2 TCL DETERMINATION FOR USE CASE: CONTRACTS TO ASSERTIONS

The use case "Contracts to assertions" has TCL 3. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "Contracts to assertions".

Error | TD | Table
Incorrect translation | TD 3 (LOW) | Table 129

Table 128 Errors of Use Case: Contracts to assertions

• Error: Incorrect translation
  • Description: The translation of contracts to assertions/assumptions might be incorrect. It is not obvious how to check in a tool that this does not happen; manual inspection might be needed.
  • From use case: Contracts to assertions
  • Occurrences: in Contracts to assertions
  • Is assumption: True

Table 129 Error: Incorrect translation


1.7.7.3 TCL DETERMINATION FOR USE CASE: MODELLING

The use case "Modelling" has TCL 3. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "Modelling".

Error | TD | Table
Contract corruption | TD 3 (LOW) | Table 131
Contract removal | TD 3 (LOW) | Table 132
Contract violation | TD 3 (LOW) | Table 133
Non-termination | TD 3 (LOW) | Table 134
Runtime error | TD 3 (LOW) | Table 135
Wrong contract | TD 3 (LOW) | Table 136

Table 130 Errors of Use Case: Modelling

• Error: Contract corruption
  • Description: -None-
  • From use case: Modelling
  • Occurrences: in Modelling

Table 131 Error: Contract corruption

• Error: Contract removal
  • Description: Simulink removes a contract or edits the subsystem description field in such a manner that the contract is not recognised.
  • From use case: Modelling
  • Occurrences: in Modelling

Table 132 Error: Contract removal

• Error: Contract violation
  • Description: A subsystem does not behave as specified
  • From use case: Modelling
  • Occurrences: in Modelling

Table 133 Error: Contract violation

• Error: Non-termination
  • Description: Iteration blocks or other blocks might never return results
  • From use case: Modelling
  • Occurrences: in Modelling

Table 134 Error: Non-termination

• Error: Runtime error
  • Description: Runtime error, such as division by zero, array index out of bounds, etc.
  • From use case: Modelling
  • Occurrences: in Modelling

Table 135 Error: Runtime error

• Error: Wrong contract
  • Description: Wrong subsystem specification
  • From use case: Modelling
  • Occurrences: in Modelling

Table 136 Error: Wrong contract

1.7.7.4 TCL DETERMINATION FOR USE CASE: MODELLING REQUIREMENTS

The use case "Modelling Requirements" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case; this use case has no errors.


1.8 TECNALIA ASSURANCE CASE EDITOR

This section explains the determination of the Tool Confidence Level (TCL) for the tool Tecnalia Assurance Case Editor.

• Tool: Tecnalia Assurance Case Editor
  • Description: This tool supports editing a safety case in a graphical view. Comment: This is a support for an expert to express the safety case associated with the certification dossier in a graphical way, in order to support the authorities while checking the evidence
  • Impact: TI 2 (Impact)
  • Tool Confidence Level: TCL 1

Table 137 Tool: Tecnalia Assurance Case Editor

The tool Tecnalia Assurance Case Editor is modeled with 4 elements which have impact, none of which is an assumption. No additional features have been modeled.

Elements | Amount (Assumptions)
Use Cases | 1 (0)
Checks | 1 (0)
Restrictions | 0 (0)
Potential Errors | 2 (0)

Table 138 Amount of Elements in Tool: Tecnalia Assurance Case Editor

1.8.1 USE CASES OF TECNALIA ASSURANCE CASE EDITOR

This section describes all analyzed use cases of Tecnalia Assurance Case Editor in separate subsections. The following use cases of the tool Tecnalia Assurance Case Editor are considered:

1. Assurance Case edition, see Section 1.8.1.1

1.8.1.1 USE CASE ASSURANCE CASE EDITION

This section describes the use case "Assurance Case edition".

• UseCase: Assurance Case edition
  • Description: The user can draw the case using the elements defined in the GSN standard. Comment: This is done by a certification expert and just puts the arguments showing that the evidence supports the safety goals into graphical form

Table 139 UseCase: Assurance Case edition

The use case requires no features and calls no other use cases.


Use cases calling "Assurance Case edition":

• GEMDE Certification,Technical view The use case "Assurance Case edition" reads and/or writes the following artifacts. The used artifacts are shown in Fig 18 and are summarized in the subsequent table.

Page 77: APPENDIX A – GLOSSARY - UGRatcproyectos.ugr.es/recomp/images/stories/deliverables/D2...shell and utilities interfaces, for software compatible with variants of the Unix operating
Page 78: APPENDIX A – GLOSSARY - UGRatcproyectos.ugr.es/recomp/images/stories/deliverables/D2...shell and utilities interfaces, for software compatible with variants of the Unix operating

Fig 18 Artifacts of Use Case: Assurance Case edition

Artifacts of Use Case: Assurance Case edition
Inputs: Safety Case
Outputs: Safety Case
Inputs & Outputs: Safety Case

Table 140 Artifacts of Use Case: Assurance Case edition

1.8.2 FEATURES OF TECNALIA ASSURANCE CASE EDITOR

There are no features modeled for Tecnalia Assurance Case Editor.

1.8.3 POTENTIAL ERRORS IN TECNALIA ASSURANCE CASE EDITOR

The tool has 2 different potential errors in 2 occurrences in use cases. The error flow, as can be seen in Fig 19, consists of all relations from errors to checks or restrictions. There are

• no relation from errors caused by other tools to checks or restrictions defined for use cases of this tool.

• 2 relations from errors caused by this tool to checks or restrictions defined for use cases of this tool.

• no relation from errors caused by this tool to checks or restrictions defined for use cases of other tools.

Fig 19 Error Flow to and from Tecnalia Assurance Case Editor

Tecnalia Assurance Case Editor has the following 2 relations, which are detected by checks or restrictions of this tool. The errors are described in detail in the TCL analysis of the corresponding use cases:

• Assurance Case is unexplained (Table 143)
• Assurance Case is unfounded (Table 144)

1.8.4 RESTRICTIONS IN TECNALIA ASSURANCE CASE EDITOR

There are no restrictions in the tool Tecnalia Assurance Case Editor.


1.8.5 CHECKS IN TECNALIA ASSURANCE CASE EDITOR

The following one check is performed in the tool Tecnalia Assurance Case Editor.

Check: Expert audit
Description: After every assurance case is released, an audit from an expert is done
From use case: Tecnalia Assurance Case Editor, Assurance Case edition
Occurrences: in Assurance Case edition
Error detection probability: TD 1 (HIGH)
Detected errors:
• Assurance Case edition, Assurance Case is unexplained
• Assurance Case edition, Assurance Case is unfounded

Table 141 Check: Expert audit

1.8.6 ASSUMPTIONS

The determination of the TCL of Tecnalia Assurance Case Editor is not based on assumed checks and restrictions. None of the checks and restrictions are modeled as assumptions.

1.8.7 TCL DETERMINATION

This section determines a TCL for each use case by assigning checks or restrictions with detection/avoidance probability to each potential error. The TCL for the entire tool can be derived from the TCL for each use case. The tool Tecnalia Assurance Case Editor has one use case with TCL 1, no use case with TCL 2 and no use case with TCL 3. Therefore the tool Tecnalia Assurance Case Editor has TCL 1. The use cases are described in the following sections:

• For "Assurance Case edition" (TCL 1) see Section 1.8.7.1.

1.8.7.1 TCL DETERMINATION FOR USE CASE: ASSURANCE CASE EDITION

The use case "Assurance Case edition" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "Assurance Case edition".

Error: TD, Table
Assurance Case is unexplained: TD 1 (HIGH), Table 143
Assurance Case is unfounded: TD 1 (HIGH), Table 144

Table 142 Errors of Use Case: Assurance Case edition

Error: Assurance Case is unexplained
Description: The assurance case contains evidence not properly linked to an argument
From use case: Assurance Case edition
Discovered by the following checks: Assurance Case edition.Expert audit
Occurrences: in Assurance Case edition
Error View:

Table 143 Error: Assurance Case is unexplained

Error: Assurance Case is unfounded
Description: The safety case contains arguments not supported by proper evidence
From use case: Assurance Case edition
Discovered by the following checks: Assurance Case edition.Expert audit
Occurrences: in Assurance Case edition
Error View:

Table 144 Error: Assurance Case is unfounded

1.9 TOOL CHAIN ANALYZER

This section explains the determination of the Tool Confidence Level (TCL) for the tool Tool Chain Analyzer.

Tool: Tool Chain Analyzer
Description: The tool TCA to analyze tool chains. It can be obtained from Validas AG at www.validas.de/TCA.html
Impact: TI 2 (Impact)
Tool Confidence Level: TCL 3

Table 145 Tool: Tool Chain Analyzer

The tool Tool Chain Analyzer is modeled with 17 elements which have impact, none of them are assumptions. In addition, 10 features have been modeled, one of which is an assumption.

Elements: Amount (Assumptions)
Use Cases: 5 (0)
Checks: 1 (0)
Restrictions: 0 (0)
Potential Errors: 11 (0)

Table 146 Amount of Elements in Tool: Tool Chain Analyzer

1.9.1 USE CASES OF TOOL CHAIN ANALYZER

This section describes all analyzed use cases of Tool Chain Analyzer in separate subsections. The following use cases of the tool Tool Chain Analyzer are considered:

1. Cost Calculation, see Section 1.9.1.1
2. Create Model, see Section 1.9.1.2
3. Determinate Tool Confidence Level, see Section 1.9.1.3
4. Generate Tool Classification Report, see Section 1.9.1.4
5. Review Model, see Section 1.9.1.5

1.9.1.1 USE CASE COST CALCULATION

This section describes the use case "Cost Calculation".

UseCase: Cost Calculation
Description: The TCA can calculate the costs of the tool chain and the manual steps involved.

Table 147 UseCase: Cost Calculation

The use case requires 3 features and calls no other use cases. Fig 20 shows the dependencies between the use cases and features.

Fig 20 Dependency View of Use Case: Cost Calculation

"Cost Calculation" uses the following features:
• Cost Model
• EMF
• Excel Interface

In order to fulfill the requirements of the use case, usually a number of artifacts will be read and/or written. But in "Cost Calculation" the tool Tool Chain Analyzer uses no artifacts.

1.9.1.2 USE CASE CREATE MODEL

This section describes the use case "Create Model".

UseCase: Create Model
Description: The TCA model is created using interactive work with the tool

Table 148 UseCase: Create Model

The use case requires 3 features and calls no other use cases. Fig 21 shows the dependencies between the use cases and features.


Fig 21 Dependency View of Use Case: Create Model

"Create Model" uses the following features:
• EMF
• Model Validation
• Xml Interface

The use case "Create Model" reads and/or writes the following artifacts. The used artifacts are shown in Fig 22 and are summarized in the subsequent table.

Fig 22 Artifacts of Use Case: Create Model

Artifacts of Use Case: Create Model
Inputs: Overall Project Plan, Safety Plan

Table 149 Artifacts of Use Case: Create Model

1.9.1.3 USE CASE DETERMINATE TOOL CONFIDENCE LEVEL

This section describes the use case "Determinate Tool Confidence Level".

UseCase: Determinate Tool Confidence Level
Description: The Tool Chain Analyzer determines the Tool Confidence Level according to ISO 26262.
Comment: The TCA model is considered to be a part of the software tool application guidelines.

Table 150 UseCase: Determinate Tool Confidence Level

The use case requires 2 features and calls no other use cases. Fig 23 shows the dependencies between the use cases and features.


Fig 23 Dependency View of Use Case: Determinate Tool Confidence Level

"Determinate Tool Confidence Level" uses the following features:
• Compute Tool Confidence Level
• EMF

The use case "Determinate Tool Confidence Level" reads and/or writes the following artifacts. The used artifacts are shown in Fig 24 and are summarized in the subsequent table.

Fig 24 Artifacts of Use Case: Determinate Tool Confidence Level

Artifacts of Use Case: Determinate Tool Confidence Level
Inputs: Overall Project Plan, Safety Plan
Outputs: Safety Manual, Tool Evaluation Report

Table 151 Artifacts of Use Case: Determinate Tool Confidence Level

1.9.1.4 USE CASE GENERATE TOOL CLASSIFICATION REPORT

This section describes the use case "Generate Tool Classification Report".

UseCase: Generate Tool Classification Report
Description: A tool classification report is generated containing the Tool Confidence Level for all tools. The tool classification report consists of two parts. The first one is related to the considered process and contains individual descriptions like information sources, tool versions etc. The second part describes the formal model of the tool chain with all elements (tools, use cases, artifacts, errors, probabilities, ...) and the automatically computed tool confidence level for each tool. The second part is generated from the TCA into a Word document. The information flows in the generated report are graphically visualised using the GraphViz tool.
Comment: We consider the generated report to be also a part of the tool application guidelines.

Table 152 UseCase: Generate Tool Classification Report

The use case requires 3 features and calls no other use cases. Fig 25 shows the dependencies between the use cases and features.

Fig 25 Dependency View of Use Case: Generate Tool Classification Report

"Generate Tool Classification Report" uses the following features:
• Compute Tool Confidence Level
• EMF
• Generate Word (docx)

The use case "Generate Tool Classification Report" reads and/or writes the following artifacts. The used artifacts are shown in Fig 26 and are summarized in the subsequent table.

Fig 26 Artifacts of Use Case: Generate Tool Classification Report

Artifacts of Use Case: Generate Tool Classification Report
Inputs: Overall Project Plan
Outputs: Tool Evaluation Report
Inputs & Outputs: Safety Manual

Table 153 Artifacts of Use Case: Generate Tool Classification Report

1.9.1.5 USE CASE REVIEW MODEL

This section describes the use case "Review Model".

UseCase: Review Model
Description: The model is reviewed using Excel interfaces that are easier to use for many reviewers

Table 154 UseCase: Review Model

The use case requires 4 features and calls no other use cases. Fig 27 shows the dependencies between the use cases and features.

Fig 27 Dependency View of Use Case: Review Model

"Review Model" uses the following features:
• EMF
• Excel Interface
• Model Validation
• SG_Use Review Checklist

The use case "Review Model" reads and/or writes the following artifacts. The used artifacts are shown in Fig 28 and are summarized in the subsequent table.

Fig 28 Artifacts of Use Case: Review Model

Artifacts of Use Case: Review Model
Inputs: Overall Project Plan, Safety Plan
Outputs: Review Protocol
Inputs & Outputs: Safety Manual

Table 155 Artifacts of Use Case: Review Model

1.9.2 FEATURES OF TOOL CHAIN ANALYZER

This section describes all analyzed features of Tool Chain Analyzer in separate subsections. The following features of the tool Tool Chain Analyzer are considered:

1. Compute Tool Confidence Level, see Section 1.9.2.1
2. Cost Model, see Section 1.9.2.2
3. EMF, see Section 1.9.2.3
4. Excel Interface, see Section 1.9.2.4
5. Generate Word (docx), see Section 1.9.2.5
6. Model Validation, see Section 1.9.2.6
7. Safety Guidelines, see Section 1.9.2.7
8. SG_Avoid Feature, see Section 1.9.2.8
9. SG_Use Review Checklist, see Section 1.9.2.9
10. Xml Interface, see Section 1.9.2.10

1.9.2.1 FEATURE COMPUTE TOOL CONFIDENCE LEVEL

This section describes the feature "Compute Tool Confidence Level".

Feature: Compute Tool Confidence Level
Description: The tool confidence level is computed according to ISO 26262. The tool confidence level (TCL) is computed based on the error detection (TD) probability of all potential errors in the relevant use cases, if a tool has impact (TI) on the safety of the product. More details can be found in the TCA user manual which is located in the TCA plugin Documentation, for example: Programme\TCA150\TCA150\plugins\Documentation_1.5.0\UserManual.pdf

Table 156 Feature: Compute Tool Confidence Level

The feature "Compute Tool Confidence Level" reads and/or writes the following artifacts. The used artifacts are shown in Fig 29 and are summarized in the subsequent table.

Fig 29 Artifacts of Feature: Compute Tool Confidence Level

Artifacts of Feature: Compute Tool Confidence Level
Inputs: User Input
Outputs: Display Output, Excel File, Word Document
Inputs & Outputs: Model

Table 157 Artifacts of Feature: Compute Tool Confidence Level

1.9.2.2 FEATURE COST MODEL

This section describes the feature "Cost Model".

Feature: Cost Model
Description: Feature to model the costs of the process

Table 158 Feature: Cost Model

The feature "Cost Model" reads and/or writes the following artifacts. The used artifacts are shown in Fig 30 and are summarized in the subsequent table.

Fig 30 Artifacts of Feature: Cost Model

Artifacts of Feature: Cost Model
Inputs: User Input
Outputs: Display Output
Inputs & Outputs: Excel File, Model

Table 159 Artifacts of Feature: Cost Model

1.9.2.3 FEATURE EMF

This section describes the feature "EMF".

Feature: EMF
Description: The EMF (Eclipse Modeling Framework) framework is used for editing and persistence of the models

Table 160 Feature: EMF

The feature "EMF" reads and/or writes the following artifacts. The used artifacts are shown in Fig 31 and are summarized in the subsequent table.

Fig 31 Artifacts of Feature: EMF

Artifacts of Feature: EMF
Inputs: User Input
Outputs: Display Output
Inputs & Outputs: Model

Table 161 Artifacts of Feature: EMF

1.9.2.4 FEATURE EXCEL INTERFACE

This section describes the feature "Excel Interface".

Feature: Excel Interface
Description: Export and import of different views into Excel (.xls) files. The following views can be exported and imported into Excel to ease the modeling process:
- tool attributes
- features
- artifacts
- errors
More details can be found in the TCA user manual which is located in the TCA plugin Documentation, for example: Programme\TCA150\TCA150\plugins\Documentation_1.5.0\UserManual.pdf

Table 162 Feature: Excel Interface

The feature "Excel Interface" reads and/or writes the following artifacts. The used artifacts are shown in Fig 32 and are summarized in the subsequent table.


Fig 32 Artifacts of Feature: Excel Interface

Artifacts of Feature: Excel Interface
Inputs: User Input
Inputs & Outputs: Excel File, Model

Table 163 Artifacts of Feature: Excel Interface

1.9.2.5 FEATURE GENERATE WORD (DOCX)

This section describes the feature "Generate Word (docx)".

Feature: Generate Word (docx)
Description: Generates a Word document from the model. A Word report is generated from the model that contains the complete information in a readable format. For each tool there is a section with the following information:
- use cases
- features
- errors
- checks
- restrictions
- assumptions
- artifacts
- qualifications
- tool confidence level explanations for all errors in all use cases of the tool.
Furthermore, graphical visualisations of important relations are included.

Table 164 Feature: Generate Word (docx)

The feature "Generate Word (docx)" reads and/or writes the following artifacts. The used artifacts are shown in Fig 33 and are summarized in the subsequent table.


Fig 33 Artifacts of Feature: Generate Word (docx)

Artifacts of Feature: Generate Word (docx)
Inputs: Model, User Input
Outputs: Word Document

Table 165 Artifacts of Feature: Generate Word (docx)

1.9.2.6 FEATURE MODEL VALIDATION

This section describes the feature "Model Validation".

Feature: Model Validation
Description: The TCA detects inconsistent models. There are many consistency checks implemented that exceed the syntactic checks. More details can be found in the TCA user manual which is located in the TCA plugin Documentation, for example: Programme\TCA150\TCA150\plugins\Documentation_1.5.0\UserManual.pdf

Table 166 Feature: Model Validation

The feature "Model Validation" reads and/or writes the following artifacts. The used artifacts are shown in Fig 34 and are summarized in the subsequent table.

Fig 34 Artifacts of Feature: Model Validation

Artifacts of Feature: Model Validation
Inputs: Model, User Input
Outputs: Display Output

Table 167 Artifacts of Feature: Model Validation

1.9.2.7 FEATURE SAFETY GUIDELINES

This section describes the feature "Safety Guidelines".

Feature: Safety Guidelines
Description: Use the safety manual of the TCA that contains safety checks that should be applied

Table 168 Feature: Safety Guidelines

The feature "Safety Guidelines" has the following 2 sub-features:

• SG_Avoid Feature
• SG_Use Review Checklist

In order to fulfill the requirements of the feature, usually a number of artifacts will be read and/or written. But in "Safety Guidelines" the tool Tool Chain Analyzer uses no artifacts.

1.9.2.8 FEATURE SG_AVOID FEATURE

This section describes the feature "SG_Avoid Feature".

Feature: SG_Avoid Feature
Description: Avoid this feature, since it is redundant.
Is assumption: True

Table 169 Feature: SG_Avoid Feature

The feature "SG_Avoid Feature" is part of the following feature:

• Safety Guidelines

In order to fulfill the requirements of the feature, usually a number of artifacts will be read and/or written. But in "SG_Avoid Feature" the tool Tool Chain Analyzer uses no artifacts.

1.9.2.9 FEATURE SG_USE REVIEW CHECKLIST

This section describes the feature "SG_Use Review Checklist".

Feature: SG_Use Review Checklist
Description: Apply the checks of the review checklists

Table 170 Feature: SG_Use Review Checklist

The feature "SG_Use Review Checklist" is part of the following feature:

• Safety Guidelines

In order to fulfill the requirements of the feature, usually a number of artifacts will be read and/or written. But in "SG_Use Review Checklist" the tool Tool Chain Analyzer uses no artifacts.


1.9.2.10 FEATURE XML INTERFACE

This section describes the feature "Xml Interface".

Feature: Xml Interface
Description: The Xml interface supports the export and import of single tool models. For the integration of large models based on single tool models, this feature can be used to develop models in parallel working teams. To ensure the modularity of the exported models, all referenced elements of the tool are also exported, but only with the minimal required information. More details can be found in the TCA user manual which is located in the TCA plugin Documentation, for example: Programme\TCA150\TCA150\plugins\Documentation_1.5.0\UserManual.pdf

Table 171 Feature: Xml Interface

The feature "Xml Interface" reads and/or writes the following artifacts. The used artifacts are shown in Fig 35 and are summarized in the subsequent table.

Fig 35 Artifacts of Feature: Xml Interface

Artifacts of Feature: Xml Interface
Inputs: User Input
Inputs & Outputs: Model

Table 172 Artifacts of Feature: Xml Interface

1.9.3 POTENTIAL ERRORS IN TOOL CHAIN ANALYZER

The tool has 11 different potential errors in 19 occurrences in use cases. The error flow, as can be seen in Fig 36, consists of all relations from errors to checks or restrictions. There are

• no relation from errors caused by other tools to checks or restrictions defined for use cases of this tool.

• 7 relations from errors caused by this tool to checks or restrictions defined for use cases of this tool.

• 2 relations from errors caused by this tool to checks or restrictions defined for use cases of other tools.

• 10 errors caused by this tool without any relation to checks or restrictions.


Fig 36 Error Flow to and from Tool Chain Analyzer

Tool Chain Analyzer has the following 7 relations, which are detected by checks or restrictions of this tool. The errors are described in detail in the TCL analysis of the corresponding use cases:

• Model Not Adequate (Table 195)
• Wrong Export
  o 2 occurrences: Table 197, Table 177
• Wrong Import
  o 2 occurrences: Table 198, Table 178
• Wrong XML Export (Table 182)
• Wrong XML Import (Table 183)

Due to 2 relations, Tool Chain Analyzer has an impact on one other tool. The errors are listed in Table 173.

Tool: Process Checker
• Error: Process Inconsistently Modelled; UseCase: Create Model; Table 181
• Error: Process Inconsistently Modelled; UseCase: Review Model; Table 196

Table 173 Errors of Tool Chain Analyzer with impact on other tools

The following 10 error occurrences of Tool Chain Analyzer have no relation to any check or restriction:

• Any EMF Error
  o 5 occurrences: Table 185, Table 176, Table 190, Table 180, Table 194
• Document Generated Wrongly (Table 191)
• TCL Wrongly Shown (Table 186)
• TCL Wrongly Written (Table 187)
• Wrong TCL Computed
  o 2 occurrences: Table 188, Table 192

1.9.4 RESTRICTIONS IN TOOL CHAIN ANALYZER

There are no restrictions in the tool Tool Chain Analyzer.

1.9.5 CHECKS IN TOOL CHAIN ANALYZER

The following one check is performed in the tool Tool Chain Analyzer.

Check: Review Checklist
Description: The model review can be performed using review checklists where the reviewers fill in their names, findings, etc.
Comment: Using this, there is a high probability of finding missing review elements.
From feature: Tool Chain Analyzer, Safety Guidelines, SG_Use Review Checklist
Occurrences: in SG_Use Review Checklist in Review Model
Error detection probability: TD 1 (HIGH)
Detected errors: Review Model, Model Not Adequate

Table 174 Check: Review Checklist

1.9.6 ASSUMPTIONS

The determination of the TCL of Tool Chain Analyzer is based on the following assumption on the development process.

• Feature: Safety Guidelines,SG_Avoid Feature

1.9.7 TCL DETERMINATION

This section determines a TCL for each use case by assigning checks or restrictions with detection/avoidance probability to each potential error. The TCL for the entire tool can be derived from the TCL for each use case. The tool Tool Chain Analyzer has no use case with TCL 1, no use case with TCL 2 and 5 use cases with TCL 3. Therefore the tool Tool Chain Analyzer has TCL 3. The use cases are described in the following sections:

• For "Cost Calculation" (TCL 3) see Section 1.9.7.1,
• for "Create Model" (TCL 3) see Section 1.9.7.2,
• for "Determinate Tool Confidence Level" (TCL 3) see Section 1.9.7.3,
• for "Generate Tool Classification Report" (TCL 3) see Section 1.9.7.4, and
• for "Review Model" (TCL 3) see Section 1.9.7.5.

1.9.7.1 TCL DETERMINATION FOR USE CASE: COST CALCULATION

The use case "Cost Calculation" has TCL 3. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "Cost Calculation".

Error: TD, Table
Any EMF Error: TD 3 (LOW), Table 176
Wrong Export: TD 3 (LOW), Table 177
Wrong Import: TD 3 (LOW), Table 178

Table 175 Errors of Use Case: Cost Calculation


Error: Any EMF Error
Description: Any error that can occur in EMF (uncritical errors may be excluded)
From feature: EMF
Subsumes:
• "Algorithm Error" from "Fcn_Algorithm"
• "Defect File" from "Data_File"
• "Defect Text" from "Data_File_Text"
• "Empty File" from "Data_File"
• "Empty Model" from "Data_File_Syntax_Model"
• "Empty Text" from "Data_File_Text"
• "Line Missing" from "Data_File_Text"
• "Model Unreadable" from "Data_File_Syntax_Model"
• "No Interaction" from "Data_Interaction"
• "Not Accessible File" from "Data_File"
• "Not Accessible Model" from "Data_File_Syntax_Model"
• "Not Accessible Text" from "Data_File_Text"
• "Other File" from "Data_File"
• "Other Model" from "Data_File_Syntax_Model"
• "Other Partner" from "Data_Interaction"
• "Other Text" from "Data_File_Text"
• "Too Big File" from "Data_File"
• "Too Big Model" from "Data_File_Syntax_Model"
• "Too Big Text" from "Data_File_Text"
• "Too Early Data" from "Data_Interaction"
• "Too Late Data" from "Data_Interaction"
• "Transformation Not Supported" from "Fcn_Behaviour_Transformation"
• "Wrong Algorithm" from "Fcn_Algorithm"
• "Wrong Behaviour" from "Fcn_Behaviour"
• "Wrong Interaction" from "Data_Interaction"
• "Wrong Model Behaviour" from "Data_File_Syntax_Model"
• "Wrong Model Description" from "Data_File_Syntax_Model"
• "Wrong Transformation" from "Fcn_Behaviour_Transformation"
• "Wrong Variant" from "Fcn_Variants"
Occurrences: in EMF in Cost Calculation
Error View:


Table 176 Error: Any EMF Error

Error: Wrong Export
Description: The Excel file does not contain the relevant information of the model.
From feature: Excel Interface
Subsumes:
• "Decoded Wongly" from "Fcn_Algorithm_DeEncode"
• "Defect File" from "Data_File"
• "Empty File" from "Data_File"
• "Empty Syntaxfile" from "Data_File_Syntax"
• "Empty Table" from "Data_File_Table"
• "Encoded Wrongly" from "Fcn_Algorithm_DeEncode"
• "Not Accessible File" from "Data_File"
• "Not Accessible Syntaxfile" from "Data_File_Syntax"
• "Not Accessible Table" from "Data_File_Table"
• "Option Defect" from "Fcn_Variants_Options"
• "Option Ignored" from "Fcn_Variants_Options"
• "Other File" from "Data_File"
• "Other Syntaxfile" from "Data_File_Syntax"
• "Other Table" from "Data_File_Table"
• "Syntax Error" from "Data_File_Syntax"
• "Table Column Error" from "Data_File_Table"
• "Table Row Error" from "Data_File_Table"
• "Too Big File" from "Data_File"
• "Too Big Syntaxfile" from "Data_File_Syntax"
• "Transformation Not Supported" from "Fcn_Behaviour_Transformation"
• "Wrong Behaviour" from "Fcn_Behaviour"
• "Wrong Cell Data" from "Data_File_Table"
• "Wrong Semantic" from "Data_File_Syntax"
• "Wrong Transformation" from "Fcn_Behaviour_Transformation"
Occurrences: in Excel Interface in Cost Calculation
Avoided by the following restrictions: Safety Guidelines, SG_Avoid Feature.Avoid Features
Error View:

Table 177 Error: Wrong Export

Error: Wrong Import
Description: The model is created wrongly.
From feature: Excel Interface
Subsumes:
• "Defect File" from "Data_File"
• "Empty File" from "Data_File"
• "Empty Model" from "Data_File_Syntax_Model"
• "Model Unreadable" from "Data_File_Syntax_Model"
• "Not Accessible File" from "Data_File"
• "Not Accessible Model" from "Data_File_Syntax_Model"
• "Option Defect" from "Fcn_Variants_Options"
• "Option Ignored" from "Fcn_Variants_Options"
• "Other File" from "Data_File"
• "Other Model" from "Data_File_Syntax_Model"
• "Too Big File" from "Data_File"
• "Too Big Model" from "Data_File_Syntax_Model"
• "Wrong Model Behaviour" from "Data_File_Syntax_Model"
• "Wrong Model Description" from "Data_File_Syntax_Model"
Occurrences: in Excel Interface in Cost Calculation
Avoided by the following restrictions: Safety Guidelines, SG_Avoid Feature.Avoid Features
Error View:


Table 178 Error: Wrong Import

1.9.7.2 TCL DETERMINATION FOR USE CASE: CREATE MODEL

The use case "Create Model" has TCL 3. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "Create Model".

Error: TD, Table
Any EMF Error: TD 3 (LOW), Table 180
Process Inconsistently Modelled: TD 1 (HIGH), Table 181
Wrong XML Export: TD 3 (LOW), Table 182
Wrong XML Import: TD 3 (LOW), Table 183

Table 179 Errors of Use Case: Create Model
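As an added worked example (not part of the generated report or of the Validas TCA tool), the following Python script applies the derivation rule stated in these sections to the errors listed in Table 142, Table 175 and Table 179: a use case takes the TCL given by the worst TD among its errors, and the tool takes the worst TCL among its use cases. The TI/TD-to-TCL mapping and the treatment of an error without any check or restriction as TD 3 (LOW) are assumptions from my reading of ISO 26262-8; both agree with the values the report shows (TI 2 with TD 1 gives TCL 1, TI 2 with TD 3 gives TCL 3).

```python
"""Worked example of the TCL derivation rule used in this report.

Added example; it is not part of the generated TCA report or of the
Validas Tool Chain Analyzer. Rule as stated in the report: the TCL of a
use case is determined by the lowest (i.e. worst) Tool Detection Level
(TD) of its potential errors, and the TCL of the tool is the worst TCL
over its use cases. Assumption (my reading of ISO 26262-8): a tool with
TI 1 gets TCL 1 whatever the TD; for TI 2, TD 1/2/3 give TCL 1/2/3.
A potential error without any check or restriction counts as TD 3 (LOW),
as "Any EMF Error" does in Tables 176 and 180 (also an assumption).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

TD_LABEL = {1: "HIGH", 2: "MEDIUM", 3: "LOW"}


@dataclass
class PotentialError:
    name: str
    # TD of the check/restriction covering the error; None = not covered
    td: Optional[int] = None


@dataclass
class UseCase:
    name: str
    errors: List[PotentialError] = field(default_factory=list)


def effective_td(err: PotentialError) -> int:
    """TD used by the rule: an uncovered error falls to TD 3 (LOW)."""
    if err.td is None:
        return 3
    if err.td not in TD_LABEL:
        raise ValueError(f"{err.name}: TD must be 1, 2 or 3, got {err.td}")
    return err.td


def tcl_from_ti_td(ti: int, td: int) -> int:
    """TI x TD -> TCL mapping (assumption, see module docstring)."""
    if ti == 1:
        return 1
    if ti == 2:
        return td
    raise ValueError(f"TI must be 1 or 2, got {ti}")


def use_case_tcl(ti: int, uc: UseCase) -> int:
    """'Lowest detection level' means the highest TD number present."""
    if not uc.errors:
        raise ValueError(f"{uc.name}: no potential errors modelled")
    worst_td = max(effective_td(e) for e in uc.errors)
    return tcl_from_ti_td(ti, worst_td)


def tool_tcl(ti: int, use_cases: List[UseCase]) -> int:
    """The tool inherits the worst TCL of its use cases."""
    return max(use_case_tcl(ti, uc) for uc in use_cases)


def tcl_report(ti: int, use_cases: List[UseCase]) -> Dict[str, int]:
    """Per-use-case TCLs plus the tool TCL under the key 'tool'."""
    result = {uc.name: use_case_tcl(ti, uc) for uc in use_cases}
    result["tool"] = max(result.values())
    return result


# Error data transcribed from Table 142, Table 175 and Table 179.
TECNALIA_TI = 2
TECNALIA_USE_CASES = [
    UseCase("Assurance Case edition", [
        PotentialError("Assurance Case is unexplained", td=1),
        PotentialError("Assurance Case is unfounded", td=1),
    ]),
]

TCA_TI = 2
TCA_USE_CASES = [
    UseCase("Cost Calculation", [
        PotentialError("Any EMF Error"),  # no check or restriction
        PotentialError("Wrong Export", td=3),
        PotentialError("Wrong Import", td=3),
    ]),
    UseCase("Create Model", [
        PotentialError("Any EMF Error"),
        PotentialError("Process Inconsistently Modelled", td=1),
        PotentialError("Wrong XML Export", td=3),
        PotentialError("Wrong XML Import", td=3),
    ]),
]


if __name__ == "__main__":
    tools = (("Tecnalia Assurance Case Editor", TECNALIA_TI, TECNALIA_USE_CASES),
             ("Tool Chain Analyzer", TCA_TI, TCA_USE_CASES))
    for tool_name, ti, ucs in tools:
        for name, tcl in tcl_report(ti, ucs).items():
            print(f"{tool_name}: {name} -> TCL {tcl}")
```

Note that one well-detected error (TD 1) in "Create Model" does not lower the use-case TCL below 3 while any sibling error stays uncovered, which is why the tool-level result is TCL 3 despite the Process Checker relation.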

Error: Any EMF Error
Description: Any error that can occur in EMF (uncritical errors may be excluded)
From feature: EMF
Subsumes:
• "Algorithm Error" from "Fcn_Algorithm"
• "Defect File" from "Data_File"
• "Defect Text" from "Data_File_Text"
• "Empty File" from "Data_File"
• "Empty Model" from "Data_File_Syntax_Model"
• "Empty Text" from "Data_File_Text"
• "Line Missing" from "Data_File_Text"
• "Model Unreadable" from "Data_File_Syntax_Model"
• "No Interaction" from "Data_Interaction"
• "Not Accessible File" from "Data_File"
• "Not Accessible Model" from "Data_File_Syntax_Model"
• "Not Accessible Text" from "Data_File_Text"
• "Other File" from "Data_File"
• "Other Model" from "Data_File_Syntax_Model"
• "Other Partner" from "Data_Interaction"
• "Other Text" from "Data_File_Text"
• "Too Big File" from "Data_File"
• "Too Big Model" from "Data_File_Syntax_Model"
• "Too Big Text" from "Data_File_Text"
• "Too Early Data" from "Data_Interaction"
• "Too Late Data" from "Data_Interaction"
• "Transformation Not Supported" from "Fcn_Behaviour_Transformation"
• "Wrong Algorithm" from "Fcn_Algorithm"
• "Wrong Behaviour" from "Fcn_Behaviour"
• "Wrong Interaction" from "Data_Interaction"
• "Wrong Model Behaviour" from "Data_File_Syntax_Model"
• "Wrong Model Description" from "Data_File_Syntax_Model"
• "Wrong Transformation" from "Fcn_Behaviour_Transformation"
• "Wrong Variant" from "Fcn_Variants"
Occurrences: in EMF in Create Model
Error View:

Table 180 Error: Any EMF Error

• Error: Process Inconsistently Modelled
  • Description: The process might be inconsistent, e.g. a document is neither created nor written.
  • From feature: Model Validation
  • Subsumes:
    • "Algorithm Error" from "Fcn_Algorithm"
    • "Defect File" from "Data_File"
    • "Defect Text" from "Data_File_Text"
    • "Empty File" from "Data_File"
    • "Empty Text" from "Data_File_Text"
    • "Line Missing" from "Data_File_Text"
    • "No Interaction" from "Data_Interaction"
    • "Not Accessible File" from "Data_File"
    • "Not Accessible Text" from "Data_File_Text"
    • "Other File" from "Data_File"
    • "Other Partner" from "Data_Interaction"
    • "Other Text" from "Data_File_Text"
    • "Too Big File" from "Data_File"
    • "Too Big Text" from "Data_File_Text"
    • "Too Early Data" from "Data_Interaction"
    • "Too Late Data" from "Data_Interaction"
    • "Wrong Algorithm" from "Fcn_Algorithm"
    • "Wrong Behaviour" from "Fcn_Behaviour"
    • "Wrong Error Reported" from "Model Validation"
    • "Wrong Interaction" from "Data_Interaction"
    • "Wrong Specification" from "Fcn_Specification"
  • Occurrences: in Model Validation, in Create Model
  • Avoided by the following restrictions: Validate Process.Consistent Process
  • Error View:


Table 181 Error: Process Inconsistently Modelled

• Error: Wrong XML Export
  • Description: The XML file does not contain the relevant information of the model.
  • From feature: Xml Interface
  • Occurrences: in Xml Interface, in Create Model
  • Avoided by the following restrictions: Safety Guidelines,SG_Avoid Feature.Avoid Features
  • Error View:


Table 182 Error: Wrong XML Export

• Error: Wrong XML Import
  • Description: The model is created wrongly.
  • From feature: Xml Interface
  • Subsumes:
    • "Defect File" from "Data_File"
    • "Empty File" from "Data_File"
    • "Empty Model" from "Data_File_Syntax_Model"
    • "Model Unreadable" from "Data_File_Syntax_Model"
    • "Not Accessible File" from "Data_File"
    • "Not Accessible Model" from "Data_File_Syntax_Model"
    • "Other File" from "Data_File"
    • "Other Model" from "Data_File_Syntax_Model"
    • "Too Big File" from "Data_File"
    • "Too Big Model" from "Data_File_Syntax_Model"
    • "Wrong Model Behaviour" from "Data_File_Syntax_Model"
    • "Wrong Model Description" from "Data_File_Syntax_Model"
  • Occurrences: in Xml Interface, in Create Model
  • Avoided by the following restrictions: Safety Guidelines,SG_Avoid Feature.Avoid Features
  • Error View:


Table 183 Error: Wrong XML Import

1.9.7.3 TCL DETERMINATION FOR USE CASE: DETERMINATE TOOL CONFIDENCE LEVEL

The use case "Determinate Tool Confidence Level" has TCL 3. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "Determinate Tool Confidence Level".

Error                   TD            Table
Any EMF Error           TD 3 (LOW)    Table 185
TCL Wrongly Shown       TD 3 (LOW)    Table 186
TCL Wrongly Written     TD 3 (LOW)    Table 187
Wrong TCL Computed      TD 3 (LOW)    Table 188

Table 184 Errors of Use Case: Determinate Tool Confidence Level

• Error: Any EMF Error
  • Description: Any error that can occur in EMF (uncritical errors may be excluded)
  • From feature: EMF
  • Subsumes:
    • "Algorithm Error" from "Fcn_Algorithm"
    • "Defect File" from "Data_File"
    • "Defect Text" from "Data_File_Text"
    • "Empty File" from "Data_File"
    • "Empty Model" from "Data_File_Syntax_Model"
    • "Empty Text" from "Data_File_Text"
    • "Line Missing" from "Data_File_Text"
    • "Model Unreadable" from "Data_File_Syntax_Model"
    • "No Interaction" from "Data_Interaction"
    • "Not Accessible File" from "Data_File"
    • "Not Accessible Model" from "Data_File_Syntax_Model"
    • "Not Accessible Text" from "Data_File_Text"
    • "Other File" from "Data_File"
    • "Other Model" from "Data_File_Syntax_Model"
    • "Other Partner" from "Data_Interaction"
    • "Other Text" from "Data_File_Text"
    • "Too Big File" from "Data_File"
    • "Too Big Model" from "Data_File_Syntax_Model"
    • "Too Big Text" from "Data_File_Text"
    • "Too Early Data" from "Data_Interaction"
    • "Too Late Data" from "Data_Interaction"
    • "Transformation Not Supported" from "Fcn_Behaviour_Transformation"
    • "Wrong Algorithm" from "Fcn_Algorithm"
    • "Wrong Behaviour" from "Fcn_Behaviour"
    • "Wrong Interaction" from "Data_Interaction"
    • "Wrong Model Behaviour" from "Data_File_Syntax_Model"
    • "Wrong Model Description" from "Data_File_Syntax_Model"
    • "Wrong Transformation" from "Fcn_Behaviour_Transformation"
    • "Wrong Variant" from "Fcn_Variants"
  • Occurrences: in EMF, in Determinate Tool Confidence Level
  • Error View:

Table 185 Error: Any EMF Error

• Error: TCL Wrongly Shown
  • Description: TCL is computed correctly but shown wrongly
  • From use case: Determinate Tool Confidence Level
  • Subsumes:
    • "Defect Text" from "Data_File_Text"
    • "Empty Text" from "Data_File_Text"
    • "Line Missing" from "Data_File_Text"
    • "No Interaction" from "Data_Interaction"
    • "Not Accessible Text" from "Data_File_Text"
    • "Other Partner" from "Data_Interaction"
    • "Other Text" from "Data_File_Text"
    • "Too Big Text" from "Data_File_Text"
    • "Too Early Data" from "Data_Interaction"
    • "Too Late Data" from "Data_Interaction"
    • "Wrong Interaction" from "Data_Interaction"
  • Occurrences: in Determinate Tool Confidence Level
  • Error View:

Table 186 Error: TCL Wrongly Shown

• Error: TCL Wrongly Written
  • Description: TCL is computed or written wrongly into a file
  • From use case: Determinate Tool Confidence Level
  • Subsumes:
    • "Defect File" from "Data_File"
    • "Defect Text" from "Data_File_Text"
    • "Empty File" from "Data_File"
    • "Empty Model" from "Data_File_Syntax_Model"
    • "Empty Syntaxfile" from "Data_File_Syntax"
    • "Empty Table" from "Data_File_Table"
    • "Empty Text" from "Data_File_Text"
    • "Line Missing" from "Data_File_Text"
    • "Model Unreadable" from "Data_File_Syntax_Model"
    • "No XML Content" from "Data_File_Syntax_XML"
    • "Not Accessible File" from "Data_File"
    • "Not Accessible Model" from "Data_File_Syntax_Model"
    • "Not Accessible Syntaxfile" from "Data_File_Syntax"
    • "Not Accessible Table" from "Data_File_Table"
    • "Not Accessible Text" from "Data_File_Text"
    • "Not Accessible XML File" from "Data_File_Syntax_XML"
    • "Other File" from "Data_File"
    • "Other Model" from "Data_File_Syntax_Model"
    • "Other Syntaxfile" from "Data_File_Syntax"
    • "Other Table" from "Data_File_Table"
    • "Other Text" from "Data_File_Text"
    • "Other XML File" from "Data_File_Syntax_XML"
    • "Syntax Error" from "Data_File_Syntax"
    • "Table Column Error" from "Data_File_Table"
    • "Table Row Error" from "Data_File_Table"
    • "Too Big File" from "Data_File"
    • "Too Big Model" from "Data_File_Syntax_Model"
    • "Too Big Syntaxfile" from "Data_File_Syntax"
    • "Too Big Text" from "Data_File_Text"
    • "Wron XML Composition" from "Data_File_Syntax_XML"
    • "Wrong Cell Data" from "Data_File_Table"
    • "Wrong Model Behaviour" from "Data_File_Syntax_Model"
    • "Wrong Model Description" from "Data_File_Syntax_Model"
    • "Wrong Semantic" from "Data_File_Syntax"
    • "XML Attribute Error" from "Data_File_Syntax_XML"
    • "XML Link Error" from "Data_File_Syntax_XML"
    • "XML Schema Violation" from "Data_File_Syntax_XML"
  • Occurrences: in Determinate Tool Confidence Level
  • Error View:

Table 187 Error: TCL Wrongly Written

• Error: Wrong TCL Computed
  • Description: The TCL is computed wrongly, e.g. TCL 1 instead of TCL >1
  • From feature: Compute Tool Confidence Level
  • Subsumes:
    • "Algorithm Error" from "Fcn_Algorithm"
    • "Defect File" from "Data_File"
    • "Defect Text" from "Data_File_Text"
    • "Empty File" from "Data_File"
    • "Empty Model" from "Data_File_Syntax_Model"
    • "Empty Syntaxfile" from "Data_File_Syntax"
    • "Empty Table" from "Data_File_Table"
    • "Empty Text" from "Data_File_Text"
    • "Line Missing" from "Data_File_Text"
    • "Model Unreadable" from "Data_File_Syntax_Model"
    • "No Interaction" from "Data_Interaction"
    • "Not Accessible File" from "Data_File"
    • "Not Accessible Model" from "Data_File_Syntax_Model"
    • "Not Accessible Syntaxfile" from "Data_File_Syntax"
    • "Not Accessible Table" from "Data_File_Table"
    • "Not Accessible Text" from "Data_File_Text"
    • "Other File" from "Data_File"
    • "Other Model" from "Data_File_Syntax_Model"
    • "Other Partner" from "Data_Interaction"
    • "Other Syntaxfile" from "Data_File_Syntax"
    • "Other Table" from "Data_File_Table"
    • "Other Text" from "Data_File_Text"
    • "Syntax Error" from "Data_File_Syntax"
    • "Table Column Error" from "Data_File_Table"
    • "Table Row Error" from "Data_File_Table"
    • "Too Big File" from "Data_File"
    • "Too Big Model" from "Data_File_Syntax_Model"
    • "Too Big Syntaxfile" from "Data_File_Syntax"
    • "Too Big Text" from "Data_File_Text"
    • "Too Early Data" from "Data_Interaction"
    • "Too Late Data" from "Data_Interaction"
    • "Wrong Algorithm" from "Fcn_Algorithm"
    • "Wrong Cell Data" from "Data_File_Table"
    • "Wrong Interaction" from "Data_Interaction"
    • "Wrong Model Behaviour" from "Data_File_Syntax_Model"
    • "Wrong Model Description" from "Data_File_Syntax_Model"
    • "Wrong Result" from "Fcn_Behaviour_Calculator"
    • "Wrong Semantic" from "Data_File_Syntax"
    • "Wrong Specification" from "Fcn_Specification"
    • "Wrong Variant" from "Fcn_Variants"
  • Occurrences: in Compute Tool Confidence Level, in Determinate Tool Confidence Level
  • Error View:


Table 188 Error: Wrong TCL Computed

1.9.7.4 TCL DETERMINATION FOR USE CASE: GENERATE TOOL CLASSIFICATION REPORT

The use case "Generate Tool Classification Report" has TCL 3. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "Generate Tool Classification Report".

Error                        TD            Table
Any EMF Error                TD 3 (LOW)    Table 190
Document Generated Wrongly   TD 3 (LOW)    Table 191
Wrong TCL Computed           TD 3 (LOW)    Table 192

Table 189 Errors of Use Case: Generate Tool Classification Report

• Error: Any EMF Error
  • Description: Any error that can occur in EMF (uncritical errors may be excluded)
  • From feature: EMF
  • Subsumes:
    • "Algorithm Error" from "Fcn_Algorithm"
    • "Defect File" from "Data_File"
    • "Defect Text" from "Data_File_Text"
    • "Empty File" from "Data_File"
    • "Empty Model" from "Data_File_Syntax_Model"
    • "Empty Text" from "Data_File_Text"
    • "Line Missing" from "Data_File_Text"
    • "Model Unreadable" from "Data_File_Syntax_Model"
    • "No Interaction" from "Data_Interaction"
    • "Not Accessible File" from "Data_File"
    • "Not Accessible Model" from "Data_File_Syntax_Model"
    • "Not Accessible Text" from "Data_File_Text"
    • "Other File" from "Data_File"
    • "Other Model" from "Data_File_Syntax_Model"
    • "Other Partner" from "Data_Interaction"
    • "Other Text" from "Data_File_Text"
    • "Too Big File" from "Data_File"
    • "Too Big Model" from "Data_File_Syntax_Model"
    • "Too Big Text" from "Data_File_Text"
    • "Too Early Data" from "Data_Interaction"
    • "Too Late Data" from "Data_Interaction"
    • "Transformation Not Supported" from "Fcn_Behaviour_Transformation"
    • "Wrong Algorithm" from "Fcn_Algorithm"
    • "Wrong Behaviour" from "Fcn_Behaviour"
    • "Wrong Interaction" from "Data_Interaction"
    • "Wrong Model Behaviour" from "Data_File_Syntax_Model"
    • "Wrong Model Description" from "Data_File_Syntax_Model"
    • "Wrong Transformation" from "Fcn_Behaviour_Transformation"
    • "Wrong Variant" from "Fcn_Variants"
  • Occurrences: in EMF, in Generate Tool Classification Report
  • Error View:

Table 190 Error: Any EMF Error

• Error: Document Generated Wrongly
  • Description: Document does not fit to the model.
  • From feature: Generate Word (docx)
  • Subsumes:
    • "Defect File" from "Data_File"
    • "Defect Text" from "Data_File_Text"
    • "Empty File" from "Data_File"
    • "Empty Syntaxfile" from "Data_File_Syntax"
    • "Empty Text" from "Data_File_Text"
    • "Line Missing" from "Data_File_Text"
    • "Missing CPU" from "Fcn_Resource_CPU"
    • "Not Accessible File" from "Data_File"
    • "Not Accessible Syntaxfile" from "Data_File_Syntax"
    • "Not Accessible Text" from "Data_File_Text"
    • "Other File" from "Data_File"
    • "Other Syntaxfile" from "Data_File_Syntax"
    • "Other Text" from "Data_File_Text"
    • "Syntax Error" from "Data_File_Syntax"
    • "Too Big File" from "Data_File"
    • "Too Big Syntaxfile" from "Data_File_Syntax"
    • "Too Big Text" from "Data_File_Text"
    • "Transformation Not Supported" from "Fcn_Behaviour_Transformation"
    • "Wrong Semantic" from "Data_File_Syntax"
    • "Wrong Specification" from "Fcn_Specification"
    • "Wrong Transformation" from "Fcn_Behaviour_Transformation"
    • "Wrong Variant" from "Fcn_Variants"
  • Occurrences: in Generate Word (docx), in Generate Tool Classification Report
  • Error View:

Table 191 Error: Document Generated Wrongly

• Error: Wrong TCL Computed
  • Description: The TCL is computed wrongly, e.g. TCL 1 instead of TCL >1
  • From feature: Compute Tool Confidence Level
  • Subsumes:
    • "Algorithm Error" from "Fcn_Algorithm"
    • "Defect File" from "Data_File"
    • "Defect Text" from "Data_File_Text"
    • "Empty File" from "Data_File"
    • "Empty Model" from "Data_File_Syntax_Model"
    • "Empty Syntaxfile" from "Data_File_Syntax"
    • "Empty Table" from "Data_File_Table"
    • "Empty Text" from "Data_File_Text"
    • "Line Missing" from "Data_File_Text"
    • "Model Unreadable" from "Data_File_Syntax_Model"
    • "No Interaction" from "Data_Interaction"
    • "Not Accessible File" from "Data_File"
    • "Not Accessible Model" from "Data_File_Syntax_Model"
    • "Not Accessible Syntaxfile" from "Data_File_Syntax"
    • "Not Accessible Table" from "Data_File_Table"
    • "Not Accessible Text" from "Data_File_Text"
    • "Other File" from "Data_File"
    • "Other Model" from "Data_File_Syntax_Model"
    • "Other Partner" from "Data_Interaction"
    • "Other Syntaxfile" from "Data_File_Syntax"
    • "Other Table" from "Data_File_Table"
    • "Other Text" from "Data_File_Text"
    • "Syntax Error" from "Data_File_Syntax"
    • "Table Column Error" from "Data_File_Table"
    • "Table Row Error" from "Data_File_Table"
    • "Too Big File" from "Data_File"
    • "Too Big Model" from "Data_File_Syntax_Model"
    • "Too Big Syntaxfile" from "Data_File_Syntax"
    • "Too Big Text" from "Data_File_Text"
    • "Too Early Data" from "Data_Interaction"
    • "Too Late Data" from "Data_Interaction"
    • "Wrong Algorithm" from "Fcn_Algorithm"
    • "Wrong Cell Data" from "Data_File_Table"
    • "Wrong Interaction" from "Data_Interaction"
    • "Wrong Model Behaviour" from "Data_File_Syntax_Model"
    • "Wrong Model Description" from "Data_File_Syntax_Model"
    • "Wrong Result" from "Fcn_Behaviour_Calculator"
    • "Wrong Semantic" from "Data_File_Syntax"
    • "Wrong Specification" from "Fcn_Specification"
    • "Wrong Variant" from "Fcn_Variants"
  • Occurrences: in Compute Tool Confidence Level, in Generate Tool Classification Report
  • Error View:


Table 192 Error: Wrong TCL Computed

1.9.7.5 TCL DETERMINATION FOR USE CASE: REVIEW MODEL

The use case "Review Model" has TCL 3. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "Review Model".

Error                             TD            Table
Any EMF Error                     TD 3 (LOW)    Table 194
Model Not Adequate                TD 1 (HIGH)   Table 195
Process Inconsistently Modelled   TD 1 (HIGH)   Table 196
Wrong Export                      TD 3 (LOW)    Table 197
Wrong Import                      TD 3 (LOW)    Table 198

Table 193 Errors of Use Case: Review Model

• Error: Any EMF Error
  • Description: Any error that can occur in EMF (uncritical errors may be excluded)
  • From feature: EMF
  • Subsumes:
    • "Algorithm Error" from "Fcn_Algorithm"
    • "Defect File" from "Data_File"
    • "Defect Text" from "Data_File_Text"
    • "Empty File" from "Data_File"
    • "Empty Model" from "Data_File_Syntax_Model"
    • "Empty Text" from "Data_File_Text"
    • "Line Missing" from "Data_File_Text"
    • "Model Unreadable" from "Data_File_Syntax_Model"
    • "No Interaction" from "Data_Interaction"
    • "Not Accessible File" from "Data_File"
    • "Not Accessible Model" from "Data_File_Syntax_Model"
    • "Not Accessible Text" from "Data_File_Text"
    • "Other File" from "Data_File"
    • "Other Model" from "Data_File_Syntax_Model"
    • "Other Partner" from "Data_Interaction"
    • "Other Text" from "Data_File_Text"
    • "Too Big File" from "Data_File"
    • "Too Big Model" from "Data_File_Syntax_Model"
    • "Too Big Text" from "Data_File_Text"
    • "Too Early Data" from "Data_Interaction"
    • "Too Late Data" from "Data_Interaction"
    • "Transformation Not Supported" from "Fcn_Behaviour_Transformation"
    • "Wrong Algorithm" from "Fcn_Algorithm"
    • "Wrong Behaviour" from "Fcn_Behaviour"
    • "Wrong Interaction" from "Data_Interaction"
    • "Wrong Model Behaviour" from "Data_File_Syntax_Model"
    • "Wrong Model Description" from "Data_File_Syntax_Model"
    • "Wrong Transformation" from "Fcn_Behaviour_Transformation"
    • "Wrong Variant" from "Fcn_Variants"
  • Occurrences: in EMF, in Review Model
  • Error View:

Table 194 Error: Any EMF Error

• Error: Model Not Adequate
  • Description: An important issue has not been reviewed correctly, i.e. a finding has been overlooked and the model is not adequate.
  • From use case: Review Model
  • Discovered by the following checks: Safety Guidelines,SG_Use Review Checklist.Review Checklist
  • Subsumes:
    • "Defect File" from "Data_File"
    • "Defect Text" from "Data_File_Text"
    • "Empty File" from "Data_File"
    • "Empty Model" from "Data_File_Syntax_Model"
    • "Empty Syntaxfile" from "Data_File_Syntax"
    • "Empty Table" from "Data_File_Table"
    • "Empty Text" from "Data_File_Text"
    • "Line Missing" from "Data_File_Text"
    • "Model Unreadable" from "Data_File_Syntax_Model"
    • "No Interaction" from "Data_Interaction"
    • "Not Accessible File" from "Data_File"
    • "Not Accessible Model" from "Data_File_Syntax_Model"
    • "Not Accessible Syntaxfile" from "Data_File_Syntax"
    • "Not Accessible Table" from "Data_File_Table"
    • "Not Accessible Text" from "Data_File_Text"
    • "Other File" from "Data_File"
    • "Other Model" from "Data_File_Syntax_Model"
    • "Other Partner" from "Data_Interaction"
    • "Other Syntaxfile" from "Data_File_Syntax"
    • "Other Table" from "Data_File_Table"
    • "Other Text" from "Data_File_Text"
    • "Syntax Error" from "Data_File_Syntax"
    • "Table Column Error" from "Data_File_Table"
    • "Table Row Error" from "Data_File_Table"
    • "Too Big File" from "Data_File"
    • "Too Big Model" from "Data_File_Syntax_Model"
    • "Too Big Syntaxfile" from "Data_File_Syntax"
    • "Too Big Text" from "Data_File_Text"
    • "Too Early Data" from "Data_Interaction"
    • "Too Late Data" from "Data_Interaction"
    • "Wrong Cell Data" from "Data_File_Table"
    • "Wrong Interaction" from "Data_Interaction"
    • "Wrong Model Behaviour" from "Data_File_Syntax_Model"
    • "Wrong Model Description" from "Data_File_Syntax_Model"
    • "Wrong Semantic" from "Data_File_Syntax"
  • Occurrences: in Review Model
  • Error View:


Table 195 Error: Model Not Adequate

• Error: Process Inconsistently Modelled
  • Description: The process might be inconsistent, e.g. a document is neither created nor written.
  • From feature: Model Validation
  • Subsumes:
    • "Algorithm Error" from "Fcn_Algorithm"
    • "Defect File" from "Data_File"
    • "Defect Text" from "Data_File_Text"
    • "Empty File" from "Data_File"
    • "Empty Text" from "Data_File_Text"
    • "Line Missing" from "Data_File_Text"
    • "No Interaction" from "Data_Interaction"
    • "Not Accessible File" from "Data_File"
    • "Not Accessible Text" from "Data_File_Text"
    • "Other File" from "Data_File"
    • "Other Partner" from "Data_Interaction"
    • "Other Text" from "Data_File_Text"
    • "Too Big File" from "Data_File"
    • "Too Big Text" from "Data_File_Text"
    • "Too Early Data" from "Data_Interaction"
    • "Too Late Data" from "Data_Interaction"
    • "Wrong Algorithm" from "Fcn_Algorithm"
    • "Wrong Behaviour" from "Fcn_Behaviour"
    • "Wrong Error Reported" from "Model Validation"
    • "Wrong Interaction" from "Data_Interaction"
    • "Wrong Specification" from "Fcn_Specification"
  • Occurrences: in Model Validation, in Review Model
  • Avoided by the following restrictions: Validate Process.Consistent Process
  • Error View:

Table 196 Error: Process Inconsistently Modelled

• Error: Wrong Export
  • Description: The Excel file does not contain the relevant information of the model.
  • From feature: Excel Interface
  • Subsumes:
    • "Decoded Wongly" from "Fcn_Algorithm_DeEncode"
    • "Defect File" from "Data_File"
    • "Empty File" from "Data_File"
    • "Empty Syntaxfile" from "Data_File_Syntax"
    • "Empty Table" from "Data_File_Table"
    • "Encoded Wrongly" from "Fcn_Algorithm_DeEncode"
    • "Not Accessible File" from "Data_File"
    • "Not Accessible Syntaxfile" from "Data_File_Syntax"
    • "Not Accessible Table" from "Data_File_Table"
    • "Option Defect" from "Fcn_Variants_Options"
    • "Option Ignored" from "Fcn_Variants_Options"
    • "Other File" from "Data_File"
    • "Other Syntaxfile" from "Data_File_Syntax"
    • "Other Table" from "Data_File_Table"
    • "Syntax Error" from "Data_File_Syntax"
    • "Table Column Error" from "Data_File_Table"
    • "Table Row Error" from "Data_File_Table"
    • "Too Big File" from "Data_File"
    • "Too Big Syntaxfile" from "Data_File_Syntax"
    • "Transformation Not Supported" from "Fcn_Behaviour_Transformation"
    • "Wrong Behaviour" from "Fcn_Behaviour"
    • "Wrong Cell Data" from "Data_File_Table"
    • "Wrong Semantic" from "Data_File_Syntax"
    • "Wrong Transformation" from "Fcn_Behaviour_Transformation"
  • Occurrences: in Excel Interface, in Review Model
  • Avoided by the following restrictions: Safety Guidelines,SG_Avoid Feature.Avoid Features
  • Error View:

Table 197 Error: Wrong Export

• Error: Wrong Import
  • Description: The model is created wrongly.
  • From feature: Excel Interface
  • Subsumes:
    • "Defect File" from "Data_File"
    • "Empty File" from "Data_File"
    • "Empty Model" from "Data_File_Syntax_Model"
    • "Model Unreadable" from "Data_File_Syntax_Model"
    • "Not Accessible File" from "Data_File"
    • "Not Accessible Model" from "Data_File_Syntax_Model"
    • "Option Defect" from "Fcn_Variants_Options"
    • "Option Ignored" from "Fcn_Variants_Options"
    • "Other File" from "Data_File"
    • "Other Model" from "Data_File_Syntax_Model"
    • "Too Big File" from "Data_File"
    • "Too Big Model" from "Data_File_Syntax_Model"
    • "Wrong Model Behaviour" from "Data_File_Syntax_Model"
    • "Wrong Model Description" from "Data_File_Syntax_Model"
  • Occurrences: in Excel Interface, in Review Model
  • Avoided by the following restrictions: Safety Guidelines,SG_Avoid Feature.Avoid Features
  • Error View:

Table 198 Error: Wrong Import

1.10 YICES SMT SOLVER

This section explains the determination of the Tool Confidence Level (TCL) for the tool YICES SMT Solver.

• Tool: YICES SMT Solver
  • Description: -None-
  • Impact: TI 2 (Impact)
  • Tool Confidence Level: TCL 1

Table 199 Tool: YICES SMT Solver


The tool YICES SMT Solver is modeled with no element which has impact. No additional features have been modeled.

Elements           Amount (Assumptions)
Use Cases          0 (0)
Checks             0 (0)
Restrictions       0 (0)
Potential Errors   0 (0)

Table 200 Amount of Elements in Tool: YICES SMT Solver

1.10.1 USE CASES OF YICES SMT SOLVER

There are no use cases modeled for YICES SMT Solver.

1.10.2 FEATURES OF YICES SMT SOLVER

There are no features modeled for YICES SMT Solver.

1.10.3 POTENTIAL ERRORS IN YICES SMT SOLVER

The tool has no potential errors. The error flow consists of all relations from errors to checks or restrictions. There are

• no relation from errors caused by other tools to checks or restrictions defined for use cases of this tool.

• no relation from errors caused by this tool to checks or restrictions defined for use cases of this tool.

• no relation from errors caused by this tool to checks or restrictions defined for use cases of other tools.

1.10.4 RESTRICTIONS IN YICES SMT SOLVER

There are no restrictions in the tool YICES SMT Solver.

1.10.5 CHECKS IN YICES SMT SOLVER

No checks are performed in the tool YICES SMT Solver.

1.10.6 ASSUMPTIONS

The determination of the TCL of YICES SMT Solver is not based on assumed checks and restrictions. None of the checks and restrictions are modeled as assumptions.

1.10.7 TCL DETERMINATION

This section determines a TCL for each use case by assigning checks or restrictions with a detection/avoidance probability to each potential error. The TCL for the entire tool is derived from the TCLs of its use cases. The tool YICES SMT Solver has no use case with TCL 1, no use case with TCL 2 and no use case with TCL 3. The tool YICES SMT Solver is therefore assigned TCL 1. Because no use case, check or restriction is modeled for this tool (Table 200), this TCL 1 is a default rather than the result of an analysed error flow, even though the tool is rated TI 2.


There are no use cases modeled for the tool YICES SMT Solver.
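The rule stated for every use case in 1.9.7 (the use case takes the lowest detection level of its errors) and the tool-level derivation in 1.10.7 (the tool's TCL follows from its use cases, and a tool with no modeled use case ends up at TCL 1) are carried out below as an added example; this is not the Tool Chain Analyzer's own code. Error names and TD values come from Table 179 ("Create Model"); the TD ratings attached to the two restrictions are assumptions chosen so that the table is reproduced, the Tool Chain Analyzer's TI 2 is inferred from its TCL 3 use cases, and "worst use case wins" is the assumed aggregation rule for the tool-level TCL. The TI/TD to TCL mapping is the one from ISO 26262-8: TI 1 always yields TCL 1; for TI 2 the TCL equals the TD.

```python
"""Tool Confidence Level (TCL) determination as the report describes it.

Added illustration; not the Tool Chain Analyzer's own code.  Error names and TD
values are those of Table 179 ("Create Model"); the TD ratings given to the two
restrictions are assumptions chosen to reproduce that table, and TI 2 for the
Tool Chain Analyzer is inferred from its TCL 3 use cases.  The TI/TD to TCL
mapping is the one in ISO 26262-8 (TI 1 -> TCL 1; TI 2 -> TCL equals TD).
"""
from __future__ import annotations

from dataclasses import dataclass, field

TD_HIGH, TD_MEDIUM, TD_LOW = 1, 2, 3          # TD 1 = high detection/avoidance, TD 3 = low
TD_LABEL = {TD_HIGH: "HIGH", TD_MEDIUM: "MEDIUM", TD_LOW: "LOW"}


@dataclass(frozen=True)
class Mitigation:
    """A check (detects the error) or restriction (avoids it) with its rated TD."""
    name: str
    td: int


@dataclass
class PotentialError:
    name: str
    mitigations: list = field(default_factory=list)

    def td(self) -> int:
        # The best available check or restriction counts; an error that no check or
        # restriction addresses stays at TD 3 (LOW), as "Any EMF Error" does in the report.
        return min((m.td for m in self.mitigations), default=TD_LOW)


@dataclass
class UseCase:
    name: str
    errors: list = field(default_factory=list)

    def td(self) -> int:
        # The report's rule: a use case is rated by its worst-detected error.
        if not self.errors:
            raise ValueError(f"use case {self.name!r} has no potential errors")
        return max(e.td() for e in self.errors)


def tcl_from_ti_td(ti: int, td: int) -> int:
    """ISO 26262-8 classification: TI 1 always gives TCL 1; for TI 2 the TCL equals the TD."""
    if ti not in (1, 2) or td not in (TD_HIGH, TD_MEDIUM, TD_LOW):
        raise ValueError(f"invalid TI/TD pair ({ti}, {td})")
    return 1 if ti == 1 else td


def use_case_tcl(ti: int, use_case: UseCase) -> int:
    return tcl_from_ti_td(ti, use_case.td())


def tool_tcl(ti: int, use_cases: list) -> tuple[int, bool]:
    """Worst TCL over the modeled use cases (assumed aggregation rule), returned with a
    flag that is True when the value is a mere default: a tool with no modeled use
    cases, like YICES SMT Solver in 1.10, gets TCL 1 without any error having been
    analysed, and a reviewer should be able to tell the two situations apart."""
    if not use_cases:
        return 1, True
    return max(use_case_tcl(ti, uc) for uc in use_cases), False


def error_table(use_case: UseCase) -> list:
    """Rows of the per-use-case overview table: (error, "TD n (LABEL)")."""
    return [(e.name, f"TD {e.td()} ({TD_LABEL[e.td()]})") for e in use_case.errors]


# Constructed from Tables 179 to 183; the TD ratings of the restrictions are assumed.
AVOID_FEATURES = Mitigation("Safety Guidelines,SG_Avoid Feature.Avoid Features", TD_LOW)
CONSISTENT_PROCESS = Mitigation("Validate Process.Consistent Process", TD_HIGH)
TOOL_CHAIN_ANALYZER_TI = 2

CREATE_MODEL = UseCase("Create Model", [
    PotentialError("Any EMF Error"),                                        # no check, no restriction
    PotentialError("Process Inconsistently Modelled", [CONSISTENT_PROCESS]),
    PotentialError("Wrong XML Export", [AVOID_FEATURES]),
    PotentialError("Wrong XML Import", [AVOID_FEATURES]),
])

if __name__ == "__main__":
    for name, td in error_table(CREATE_MODEL):
        print(f"{name:34} {td}")
    print("Create Model: TCL", use_case_tcl(TOOL_CHAIN_ANALYZER_TI, CREATE_MODEL))
    print("YICES SMT Solver:", tool_tcl(2, []))
```

The `defaulted` flag returned by `tool_tcl` is the point of the example: a TCL 1 that comes from an empty model and a TCL 1 that comes from a use case whose every error is avoided by a TD 1 restriction are indistinguishable in the report's summary tables, and only the former should trigger a follow-up in a tool qualification review.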

1.11 ADDITIONAL INFORMATION

This section contains additional information from the formal model of the tool chain. Additional information is not required by ISO 26262 for the determination of the TCL, but it eases the modeling process and the understanding of the error flow.

1.11.1 ARTIFACTS

The analysis incorporates artifacts for the validation of the model. If an error is checked by another tool, there should be an information flow between the two tools. Artifacts model this flow, and the analysis checks whether such an information flow exists between error sources and error sinks. Fig 37 shows the whole artifact flow in "RECOMP Tool Chain".

Fig 37 Artifact Flow in RECOMP Tool Chain
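The check described above, an artifact path from the tool that causes an error to the tool whose check is credited with detecting it, as an added example that is not the Tool Chain Analyzer's own implementation. The artifact "Detailed System Architecture" (created and modified by Medini, used by GEMDE Certification and the Tecnalia Assurance Case Editor) is taken from Table 210 and "contract" (created and used by Simulink) from Table 208; the two error-to-check relations and their names are constructed for the example and do not appear in the report.

```python
"""Artifact-flow validation of error -> check relations, as described in 1.11.1.

Added illustration; not the Tool Chain Analyzer's own code.  Artifact data is taken
from Tables 208 and 210 of the report; the error/check relations are constructed.
"""
from collections import deque

# (artifact, tools that create or modify it, tools that use it)
ARTIFACTS = [
    ("Detailed System Architecture", {"Medini"},
     {"GEMDE Certification", "Tecnalia Assurance Case Editor"}),       # Table 210
    ("contract", {"Simulink"}, {"Simulink"}),                            # Table 208
]

# Constructed relations: (error, tool causing it, check, tool performing the check)
ERROR_FLOW = [
    ("Wrong architecture parameter", "Medini", "Technical view review", "GEMDE Certification"),
    ("Wrong contract", "Simulink", "Architecture review", "GEMDE Certification"),
]


def build_flow_graph(artifacts):
    """Directed graph: producing tool -> artifact -> consuming tool."""
    graph = {}
    for artifact, producers, consumers in artifacts:
        for tool in producers:
            graph.setdefault(tool, set()).add(artifact)
        graph.setdefault(artifact, set()).update(consumers)
        for tool in consumers:
            graph.setdefault(tool, set())
    return graph


def reachable(graph, start):
    """Breadth-first search; the visited set keeps cycles such as
    Simulink -> contract -> Simulink from looping."""
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def information_flow_exists(graph, source_tool, sink_tool):
    """True if a chain of artifacts carries data from source_tool to sink_tool
    (a tool trivially sees its own errors)."""
    return sink_tool == source_tool or sink_tool in reachable(graph, source_tool)


def unsupported_relations(graph, error_flow):
    """Error -> check relations with no artifact flow behind them.  Each one credits
    detection to a tool that never receives the erroneous data, so the TD it
    contributes to the TCL determination is not backed by the model."""
    return [
        (error, check)
        for error, source, check, sink in error_flow
        if not information_flow_exists(graph, source, sink)
    ]


if __name__ == "__main__":
    g = build_flow_graph(ARTIFACTS)
    for error, check in unsupported_relations(g, ERROR_FLOW):
        print(f"no artifact flow supports: {error!r} detected by {check!r}")
```

In the constructed data the Medini error reaches GEMDE Certification through "Detailed System Architecture", whereas nothing produced by Simulink ever leaves Simulink, so the second relation is reported as unsupported.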

The tool chain "RECOMP Tool Chain" uses 64 artifacts, which are described hereafter.

• Artifact: AF3 System Model
  • Description: The integrated data model of AF3
  • Hierarchy figure:
  • Hierarchy:
    • Detailed System Architecture [Parent]
    • Preliminary System Architecture [Parent]
    • Requirement Specification [Parent]
    • Schedule [Parent]
    • Software Unit Design Specification [Parent]
    • Spatial Constraints [Parent]
    • Test Cases [Parent]
    • Test Specification [Parent]
    • Timing Parameters [Parent]
  • Is a: Detailed System Architecture

Table 201 Artifact: AF3 System Model

• Artifact: Application task graph
  • Description: The task graph for each application

Table 202 Artifact: Application task graph

• Artifact: Argumentation
  • Description: The user writes arguments as input to the tool
  • Used by tool: Tecnalia Assurance Case Editor

Table 203 Artifact: Argumentation


• Artifact: Binary executable
  • Description: Target binary executable
  • Hierarchy figure:
  • Hierarchy:
    • Evidence [Parent]
  • Used by tool: Tecnalia Assurance Case Editor
  • Is a: Evidence

Table 204 Artifact: Binary executable

• Artifact: C/C++ Source Code
  • Description: C or C++
  • Hierarchy figure:
  • Hierarchy:
    • Source Code [Parent]
  • Used by tool: Tecnalia Assurance Case Editor
  • Created by use case: Development,Create Code
  • Is a: Source Code

Table 205 Artifact: C/C++ Source Code

• Artifact: Cache-Related Preemption Cost Function
  • Description: A function CRPD(t) which returns, for any duration t > 0, the maximum delay that the given task (application) can incur if it is preempted for the first time after running non-preemptively for t time units from the beginning of its execution.

Table 206 Artifact: Cache-Related Preemption Cost Function

• Artifact: Contract
  • Description: -None-
  • Created by use case: Simulink,Modelling

Table 207 Artifact: Contract

• Artifact: contract
  • Description: -None-
  • Used by use case: Simulink,Contracts to assertions
  • Created by use case: Simulink,Modelling
  • Created by tool: Simulink

Table 208 Artifact: contract

• Artifact: Deployment
  • Description: Generated deployment

Table 209 Artifact: Deployment

• Artifact: Detailed System Architecture
  • Description: Contains all the parameters and specifications of the platform
  • Hierarchy figure: (not reproduced)
  • Hierarchy: AF3 System Model [Child]; Evidence [Parent]
  • Used by use case: GEMDE Certification,Technical view
  • Used by tool: GEMDE Certification; Tecnalia Assurance Case Editor
  • Created by use case: Medini,Detailed architecture definition
  • Created by tool: Medini
  • Modified by use case: Medini,Detailed architecture definition
  • Modified by tool: Medini
  • Is a: Evidence
  • Occurrences: AF3 System Model

Table 210 Artifact: Detailed System Architecture

• Artifact: Display Output
  • Description: The tool displays some information to the user
  • Created by feature: Tool Chain Analyzer,Compute Tool Confidence Level; Tool Chain Analyzer,Cost Model; Tool Chain Analyzer,EMF; Tool Chain Analyzer,Model Validation

Table 211 Artifact: Display Output

• Artifact: Evidence
  • Description: Anything that can be considered as certification evidence
  • Hierarchy figure: (not reproduced)
  • Hierarchy: Binary executable [Child]; Detailed System Architecture [Child]; Excel File [Child]; FHA [Child]; FMEA [Child]; FTA [Child]; Failure rate catalog [Child]; Functionalities [Child]; Malfunctions [Child]; Metrics [Child]; Overall Project Plan [Child]; Preliminary System Architecture [Child]; Report on Maximum CRPDs [Child]; Report on Schedulability (1 mode) [Child]; Report on Schedulability (all) [Child]; Review Protocol [Child]; SLDV verification report [Child]; Safety Goals List [Child]; Safety Manual [Child]; Safety Plan [Child]; Safety Requirements [Child]; Software Unit Design Specification [Child]; Source Code [Child]; TBT Data Model [Child]; TCA-Model [Child]; Test Cases [Child]; Test Specification [Child]; Tool Evaluation Report [Child]; WCET [Child]; WCRT [Child]; Word Document [Child]
  • Used by use case: GEMDE Certification,Technical view
  • Occurrences: Binary executable; Detailed System Architecture; Excel File; FHA; FMEA; FTA; Failure rate catalog; Functionalities; Malfunctions; Metrics; Overall Project Plan; Preliminary System Architecture; Report on Maximum CRPDs; Report on Schedulability (1 mode); Report on Schedulability (all); Review Protocol; SLDV verification report; Safety Goals List; Safety Manual; Safety Plan; Safety Requirements; Software Unit Design Specification; Source Code; TBT Data Model; TCA-Model; Test Cases; Test Specification; Tool Evaluation Report; WCET; WCRT; Word Document

Table 212 Artifact: Evidence

• Artifact: Excel File
  • Description: The files that can be read/written by the Excel tool
  • Hierarchy figure: (not reproduced)
  • Hierarchy: Evidence [Parent]
  • Used by tool: Tecnalia Assurance Case Editor
  • Created by feature: Tool Chain Analyzer,Compute Tool Confidence Level
  • Modified by feature: Tool Chain Analyzer,Cost Model; Tool Chain Analyzer,Excel Interface
  • Is a: Evidence

Table 213 Artifact: Excel File

• Artifact: Execution Graph
  • Description: -None-

Table 214 Artifact: Execution Graph

• Artifact: Failure rate catalog
  • Description: Failure rate catalog
  • Hierarchy figure: (not reproduced)
  • Hierarchy: Evidence [Parent]
  • Used by use case: GEMDE Certification,Technical view
  • Used by tool: Medini; Tecnalia Assurance Case Editor
  • Is a: Evidence

Table 215 Artifact: Failure rate catalog

• Artifact: FHA
  • Description: FHA
  • Hierarchy figure: (not reproduced)
  • Hierarchy: Evidence [Parent]
  • Used by use case: GEMDE Certification,Technical view
  • Used by tool: GEMDE Certification; Medini; Tecnalia Assurance Case Editor
  • Created by use case: Medini,FHA Generation
  • Created by tool: Medini
  • Modified by use case: Medini,FHA Generation
  • Modified by tool: Medini
  • Is a: Evidence

Table 216 Artifact: FHA

• Artifact: FMEA
  • Description: FMEA
  • Hierarchy figure: (not reproduced)
  • Hierarchy: Evidence [Parent]
  • Used by use case: GEMDE Certification,Technical view
  • Used by tool: Tecnalia Assurance Case Editor
  • Created by tool: Medini
  • Is a: Evidence

Table 217 Artifact: FMEA

• Artifact: FTA
  • Description: FTA
  • Hierarchy figure: (not reproduced)
  • Hierarchy: Evidence [Parent]
  • Used by use case: GEMDE Certification,Technical view
  • Used by tool: Tecnalia Assurance Case Editor
  • Created by tool: Medini
  • Is a: Evidence

Table 218 Artifact: FTA

• Artifact: Functionalities
  • Description: Functionalities
  • Hierarchy figure: (not reproduced)
  • Hierarchy: Evidence [Parent]
  • Used by use case: GEMDE Certification,Technical view
  • Used by tool: Medini; Tecnalia Assurance Case Editor
  • Is a: Evidence

Table 219 Artifact: Functionalities

• Artifact: Malfunctions
  • Description: Malfunctions
  • Hierarchy figure: (not reproduced)
  • Hierarchy: Evidence [Parent]
  • Used by use case: GEMDE Certification,Technical view
  • Used by tool: Medini; Tecnalia Assurance Case Editor
  • Is a: Evidence

Table 220 Artifact: Malfunctions

• Artifact: Mapping of tasks to processing elements
  • Description: The mapping of tasks to processing elements

Table 221 Artifact: Mapping of tasks to processing elements

• Artifact: Metrics
  • Description: The metric information that describes how far a test covers its requirements
  • Hierarchy figure: (not reproduced)
  • Hierarchy: Evidence [Parent]
  • Used by tool: Tecnalia Assurance Case Editor
  • Is a: Evidence

Table 222 Artifact: Metrics

• Artifact: Model
  • Description: The tool chain model
  • Used by feature: Tool Chain Analyzer,Generate Word (docx); Tool Chain Analyzer,Model Validation
  • Modified by feature: Tool Chain Analyzer,Compute Tool Confidence Level; Tool Chain Analyzer,Cost Model; Tool Chain Analyzer,EMF; Tool Chain Analyzer,Excel Interface; Tool Chain Analyzer,Xml Interface

Table 223 Artifact: Model

• Artifact: No-Conformity metrics
  • Description: List of all non-conformities of a project for a standard; specifies the number of steps needed to be conformant to the standard
  • Used by use case: GEMDE Certification,Technical view
  • Created by use case: GEMDE Certification,Assessment view

Table 224 Artifact: No-Conformity metrics

• Artifact: Overall Project Plan
  • Description: see sections 2.6.5.2, 4.5.5.1
  • Hierarchy figure: (not reproduced)
  • Hierarchy: Evidence [Parent]
  • Used by use case: Tool Chain Analyzer,Create Model; Tool Chain Analyzer,Determinate Tool Confidence Level; Tool Chain Analyzer,Generate Tool Classification Report; Tool Chain Analyzer,Review Model
  • Used by tool: Tecnalia Assurance Case Editor
  • Modified by use case: Process Checker,Validate Process
  • Is a: Evidence

Table 225 Artifact: Overall Project Plan

• Artifact: Partition Static Schedule
  • Description: The static schedule of the partitions, for each processing element

Table 226 Artifact: Partition Static Schedule

• Artifact: Per Core Request Estimator Function
  • Description: A function PCRE(t) which returns, for any duration t > 0, the maximum number of requests that can be issued from the given core within a time interval of length t

Table 227 Artifact: Per Core Request Estimator Function

• Artifact: Preliminary System Architecture
  • Description: Malfunctions
  • Hierarchy figure: (not reproduced)
  • Hierarchy: AF3 System Model [Child]; Evidence [Parent]
  • Used by use case: GEMDE Certification,Technical view
  • Used by tool: Medini; Tecnalia Assurance Case Editor
  • Is a: Evidence
  • Occurrences: AF3 System Model

Table 228 Artifact: Preliminary System Architecture

• Artifact: ProjectModel
  • Description: Certification objectives that apply to the project, and the evidence and justification that support them
  • Used by use case: GEMDE Certification,Assessment view
  • Used by tool: GEMDE Certification
  • Created by use case: GEMDE Certification,Technical view
  • Created by tool: GEMDE Certification
  • Modified by tool: GEMDE Certification

Table 229 Artifact: ProjectModel

• Artifact: ReferenceModel
  • Description: Model of standards, normatives, etc.
  • Used by use case: GEMDE Certification,Assessment view; GEMDE Certification,Technical view
  • Used by tool: GEMDE Certification
  • Created by use case: GEMDE Certification,Quality view
  • Created by tool: GEMDE Certification
  • Modified by use case: GEMDE Certification,Quality view
  • Modified by tool: GEMDE Certification

Table 230 Artifact: ReferenceModel

• Artifact: Report on Maximum CRPDs
  • Description: Report on the maximum Cache-Related Preemption Delay (CRPD) that tasks can incur
  • Hierarchy figure: (not reproduced)
  • Hierarchy: Evidence [Parent]
  • Used by tool: Tecnalia Assurance Case Editor
  • Is a: Evidence

Table 231 Artifact: Report on Maximum CRPDs

• Artifact: Report on Schedulability (1 mode)
  • Description: Attests the schedulability of a single mode of the application system
  • Hierarchy figure: (not reproduced)
  • Hierarchy: Evidence [Parent]
  • Used by tool: Tecnalia Assurance Case Editor
  • Is a: Evidence

Table 232 Artifact: Report on Schedulability (1 mode)

• Artifact: Report on Schedulability (all)
  • Description: Attests the schedulability of the application system
  • Hierarchy figure: (not reproduced)
  • Hierarchy: Evidence [Parent]
  • Used by tool: Tecnalia Assurance Case Editor
  • Is a: Evidence

Table 233 Artifact: Report on Schedulability (all)

• Artifact: Requirement Specification
  • Description: -None-
  • Hierarchy figure: (not reproduced)
  • Hierarchy: AF3 System Model [Child]
  • Occurrences: AF3 System Model

Table 234 Artifact: Requirement Specification

• Artifact: Review Protocol
  • Description: The protocol of the review
  • Hierarchy figure: (not reproduced)
  • Hierarchy: Evidence [Parent]
  • Used by tool: Tecnalia Assurance Case Editor
  • Created by use case: Tool Chain Analyzer,Review Model
  • Is a: Evidence

Table 235 Artifact: Review Protocol

• Artifact: Safety Case
  • Description: Graphical (GSN notation) safety case
  • Used by use case: GEMDE Certification,Technical view; Tecnalia Assurance Case Editor,Assurance Case edition
  • Used by tool: GEMDE Certification; Tecnalia Assurance Case Editor
  • Created by use case: Tecnalia Assurance Case Editor,Assurance Case edition
  • Created by tool: Tecnalia Assurance Case Editor
  • Modified by use case: Tecnalia Assurance Case Editor,Assurance Case edition

Table 236 Artifact: Safety Case

• Artifact: Safety Goals List
  • Description: Safety Goals List
  • Hierarchy figure: (not reproduced)
  • Hierarchy: Evidence [Parent]
  • Used by use case: GEMDE Certification,Technical view
  • Used by tool: Tecnalia Assurance Case Editor
  • Created by tool: Medini
  • Is a: Evidence

Table 237 Artifact: Safety Goals List

• Artifact: Safety Manual
  • Description: The safety manual of the tool contains the information needed to work safely with the tool
  • Hierarchy figure: (not reproduced)
  • Hierarchy: Evidence [Parent]
  • Used by tool: Tecnalia Assurance Case Editor
  • Created by use case: Tool Chain Analyzer,Determinate Tool Confidence Level
  • Modified by use case: Tool Chain Analyzer,Generate Tool Classification Report; Tool Chain Analyzer,Review Model
  • Is a: Evidence

Table 238 Artifact: Safety Manual

• Artifact: Safety Plan
  • Description: see sections 2.6.5.1, 4.5.5.2, 6.5.5.1, 6.7.5.2
  • Hierarchy figure: (not reproduced)
  • Hierarchy: Evidence [Parent]
  • Used by use case: Tool Chain Analyzer,Create Model; Tool Chain Analyzer,Determinate Tool Confidence Level; Tool Chain Analyzer,Review Model
  • Used by tool: Tecnalia Assurance Case Editor
  • Modified by use case: Process Checker,Validate Process
  • Is a: Evidence

Table 239 Artifact: Safety Plan

• Artifact: Safety Requirements
  • Description: System Requirements Specification related to safety
  • Hierarchy figure: (not reproduced)
  • Hierarchy: Evidence [Parent]
  • Used by use case: GEMDE Certification,Technical view; Simulink,Modelling Requirements
  • Used by tool: Tecnalia Assurance Case Editor
  • Created by tool: Medini
  • Is a: Evidence

Table 240 Artifact: Safety Requirements

• Artifact: Schedule
  • Description: (Optimized Shared Memory Access)
  • Hierarchy figure: (not reproduced)
  • Hierarchy: AF3 System Model [Child]
  • Occurrences: AF3 System Model

Table 241 Artifact: Schedule

• Artifact: Simulink Model
  • Description: Simulink Model
  • Hierarchy figure: (not reproduced)
  • Hierarchy: Software Unit Design Specification [Parent]
  • Used by use case: Simulink,Code generation
  • Used by tool: Tecnalia Assurance Case Editor
  • Created by use case: Simulink,Modelling; Simulink,Modelling Requirements
  • Created by tool: Simulink
  • Is a: Software Unit Design Specification

Table 242 Artifact: Simulink Model

• Artifact: Simulink model
  • Description: -None-
  • Created by use case: Simulink,Modelling
  • Created by tool: Simulink

Table 243 Artifact: Simulink model

• Artifact: SLDV verification report
  • Description: -None-
  • Hierarchy figure: (not reproduced)
  • Hierarchy: Evidence [Parent]
  • Used by tool: Tecnalia Assurance Case Editor
  • Is a: Evidence

Table 244 Artifact: SLDV verification report

• Artifact: Software Unit Design Specification
  • Description: see section 6.8.5.1
  • Hierarchy figure: (not reproduced)
  • Hierarchy: AF3 System Model [Child]; Evidence [Parent]; Simulink Model [Child]
  • Used by tool: Tecnalia Assurance Case Editor
  • Is a: Evidence
  • Occurrences: AF3 System Model; Simulink Model

Table 245 Artifact: Software Unit Design Specification

• Artifact: Source Code
  • Description: Source code in different programming languages
  • Hierarchy figure: (not reproduced)
  • Hierarchy: C/C++ Source Code [Child]; Evidence [Parent]; Timing Parameters [Child]
  • Used by tool: Tecnalia Assurance Case Editor
  • Created by use case: Simulink,Code generation
  • Created by tool: Simulink
  • Is a: Evidence
  • Occurrences: C/C++ Source Code; Timing Parameters

Table 246 Artifact: Source Code

• Artifact: Spatial Constraints
  • Description: -None-
  • Hierarchy figure: (not reproduced)
  • Hierarchy: AF3 System Model [Child]
  • Occurrences: AF3 System Model

Table 247 Artifact: Spatial Constraints

• Artifact: StandardsRegulation
  • Description: Documentation of standards, normatives, etc.
  • Used by use case: GEMDE Certification,Quality view

Table 248 Artifact: StandardsRegulation

• Artifact: System Models (Event-B)
  • Description: Models specifying and expressing (with events and invariants) the system requirements

Table 249 Artifact: System Models (Event-B)

• Artifact: TBT Data Model
  • Description: The model describing the data elements in the model and the system
  • Hierarchy figure: (not reproduced)
  • Hierarchy: Evidence [Parent]
  • Used by tool: Tecnalia Assurance Case Editor
  • Is a: Evidence

Table 250 Artifact: TBT Data Model

• Artifact: TBT Oracle Model
  • Description: The model describing the behaviour of the system

Table 251 Artifact: TBT Oracle Model

• Artifact: TBT Tactic
  • Description: A formalized strategy describing the search in the model used to derive test cases

Table 252 Artifact: TBT Tactic

• Artifact: TCA-Model
  • Description: The tool chain model
  • Hierarchy figure: (not reproduced)
  • Hierarchy: Evidence [Parent]
  • Used by tool: Tecnalia Assurance Case Editor
  • Is a: Evidence

Table 253 Artifact: TCA-Model

• Artifact: Test Cases
  • Description: The executable test cases implementing the test specification
  • Hierarchy figure: (not reproduced)
  • Hierarchy: AF3 System Model [Child]; Evidence [Parent]
  • Used by tool: Tecnalia Assurance Case Editor
  • Is a: Evidence
  • Occurrences: AF3 System Model

Table 254 Artifact: Test Cases

• Artifact: Test Specification
  • Description: The textual specification of the tests
  • Hierarchy figure: (not reproduced)
  • Hierarchy: AF3 System Model [Child]; Evidence [Parent]
  • Used by tool: Tecnalia Assurance Case Editor
  • Is a: Evidence
  • Occurrences: AF3 System Model

Table 255 Artifact: Test Specification

• Artifact: Timing Parameters
  • Description: Contains all the parameters concerning the application
  • Hierarchy figure: (not reproduced)
  • Hierarchy: AF3 System Model [Child]; Source Code [Parent]
  • Used by tool: Tecnalia Assurance Case Editor
  • Is a: Source Code
  • Occurrences: AF3 System Model

Table 256 Artifact: Timing Parameters

• Artifact: Tool Evaluation Report
  • Description: Contains the evaluation/classification of the tools
  • Hierarchy figure: (not reproduced)
  • Hierarchy: Evidence [Parent]
  • Used by tool: Tecnalia Assurance Case Editor
  • Created by use case: Tool Chain Analyzer,Determinate Tool Confidence Level; Tool Chain Analyzer,Generate Tool Classification Report
  • Is a: Evidence

Table 257 Artifact: Tool Evaluation Report

• Artifact: User Input
  • Description: The user writes input to the tool
  • Used by feature: Tool Chain Analyzer,Compute Tool Confidence Level; Tool Chain Analyzer,Cost Model; Tool Chain Analyzer,EMF; Tool Chain Analyzer,Excel Interface; Tool Chain Analyzer,Generate Word (docx); Tool Chain Analyzer,Model Validation; Tool Chain Analyzer,Xml Interface
  • Used by tool: Tecnalia Assurance Case Editor

Table 258 Artifact: User Input

• Artifact: Verification Verdict
  • Description: The verdict of a verification step (valid/invalid) and a counterexample (for an invalid verdict)

Table 259 Artifact: Verification Verdict

• Artifact: Verified System Models (Event-B)
  • Description: Specified and verified system models at different levels of abstraction

Table 260 Artifact: Verified System Models (Event-B)

• Artifact: VerSÅA verification report
  • Description: -None-

Table 261 Artifact: VerSÅA verification report

• Artifact: WCET
  • Description: Worst-case execution time estimation for each task
  • Hierarchy figure: (not reproduced)
  • Hierarchy: Evidence [Parent]
  • Used by tool: Tecnalia Assurance Case Editor
  • Is a: Evidence

Table 262 Artifact: WCET

• Artifact: WCRT
  • Description: Worst-case response time for a task
  • Hierarchy figure: (not reproduced)
  • Hierarchy: Evidence [Parent]
  • Used by tool: Tecnalia Assurance Case Editor
  • Is a: Evidence

Table 263 Artifact: WCRT

• Artifact: Word Document
  • Description: The files that can be read/written by Word
  • Hierarchy figure: (not reproduced)
  • Hierarchy: Evidence [Parent]
  • Used by tool: Tecnalia Assurance Case Editor
  • Created by feature: Tool Chain Analyzer,Compute Tool Confidence Level; Tool Chain Analyzer,Generate Word (docx)
  • Is a: Evidence

Table 264 Artifact: Word Document

1.11.2 ERROR MODEL FOR THE "RECOMP Tool Chain" TOOL CHAIN

The error model consists of general attributes that are mapped to the used tools or use cases. Each mapped element receives a copy of the errors listed for the attribute. In the following sections all used attributes, errors, checks and restrictions are described.

1.11.2.1 TOOL ATTRIBUTE DESCRIPTIONS

The following 9 general tool attributes have been used in the analysis of the "RECOMP Tool Chain":

• Tool Attribute: Fcn_Algorithm
  • Description: The function is implemented by an algorithm
  • Assigned to the following features: Tool Chain Analyzer,Compute Tool Confidence Level; Tool Chain Analyzer,EMF; Tool Chain Analyzer,Model Validation
  • Contains the following potential errors: Algorithm Error; Wrong Algorithm

Table 265 Tool Attribute: Fcn_Algorithm

• Tool Attribute: Fcn_Algorithm_DeEncode
  • Description: Encoding and decoding algorithms are used
  • Assigned to the following features: Tool Chain Analyzer,Excel Interface
  • Contains the following potential errors: Decoded Wrongly; Encoded Wrongly

Table 266 Tool Attribute: Fcn_Algorithm_DeEncode

• Tool Attribute: Fcn_Behaviour
  • Description: The behaviour of the function
  • Assigned to the following features: Tool Chain Analyzer,EMF; Tool Chain Analyzer,Excel Interface; Tool Chain Analyzer,Model Validation
  • Contains the following potential errors: Wrong Behaviour

Table 267 Tool Attribute: Fcn_Behaviour

• Tool Attribute: Fcn_Behaviour_Calculator
  • Description: The tool does an Excel-like computation with simple arithmetic, e.g. computing the sum of the numbers in a row
  • Assigned to the following features: Tool Chain Analyzer,Compute Tool Confidence Level
  • Contains the following potential errors: Wrong Result

Table 268 Tool Attribute: Fcn_Behaviour_Calculator

• Tool Attribute: Fcn_Behaviour_Transformation
  • Description: The tool transforms information into other representations, e.g. a compiler
  • Assigned to the following features: Tool Chain Analyzer,EMF; Tool Chain Analyzer,Excel Interface; Tool Chain Analyzer,Generate Word (docx)
  • Contains the following potential errors: Transformation Not Supported; Wrong Transformation

Table 269 Tool Attribute: Fcn_Behaviour_Transformation

• Tool Attribute: Fcn_Resource_CPU
  • Description: The function requires CPU resources such as RAM, ROM or CPU time, which might not be available
  • Assigned to the following features: Tool Chain Analyzer,Generate Word (docx)
  • Contains the following potential errors: Missing CPU

Table 270 Tool Attribute: Fcn_Resource_CPU

• Tool Attribute: Fcn_Specification
  • Description: The specification/documentation of the function
  • Assigned to the following features: Tool Chain Analyzer,Compute Tool Confidence Level; Tool Chain Analyzer,Generate Word (docx); Tool Chain Analyzer,Model Validation
  • Contains the following potential errors: Wrong Specification

Table 271 Tool Attribute: Fcn_Specification

• Tool Attribute: Fcn_Variants
  • Description: The function can be computed with different variants
  • Assigned to the following features: Tool Chain Analyzer,Compute Tool Confidence Level; Tool Chain Analyzer,EMF; Tool Chain Analyzer,Generate Word (docx)
  • Contains the following potential errors: Wrong Variant

Table 272 Tool Attribute: Fcn_Variants

• Tool Attribute: Fcn_Variants_Options
  • Description: The tool supports options; these can be command line arguments, settings or configuration files
  • Assigned to the following features: Tool Chain Analyzer,Excel Interface
  • Contains the following potential errors: Option Defect; Option Ignored

Table 273 Tool Attribute: Fcn_Variants_Options

1.11.2.2 ERROR DESCRIPTIONS

The following 13 errors have been identified and used in the analysis of the "RECOMP Tool Chain":

• Error: Algorithm Error
  • Description: The algorithm has an error, for example a wrong condition, type, loop, ...
  • From tool attribute: Fcn_Algorithm

Table 274 Error: Algorithm Error

• Error: Decoded Wrongly
  • Description: A correctly encoded object is decoded wrongly
  • From tool attribute: Fcn_Algorithm_DeEncode

Table 275 Error: Decoded Wrongly

• Error: Encoded Wrongly
  • Description: The data is encoded such that it cannot be decoded any more
  • From tool attribute: Fcn_Algorithm_DeEncode

Table 276 Error: Encoded Wrongly

• Error: Missing CPU
  • Description: Not enough CPU available for computing the correct result. Note: this error covers only the undetected case, where the tool terminates without a warning and with a wrong result; this may be due to internal checks that cause the tool to terminate if no CPU is available, e.g. after a given time, using the default value.
  • From tool attribute: Fcn_Resource_CPU

Table 277 Error: Missing CPU

• Error: Option Defect
  • Description: The option or combination of options is defective, i.e. computes wrong values
  • From tool attribute: Fcn_Variants_Options

Table 278 Error: Option Defect

• Error: Option Ignored
  • Description: The entered option is ignored without a warning and a wrong result is computed
  • From tool attribute: Fcn_Variants_Options

Table 279 Error: Option Ignored

• Error: Transformation Not Supported
  • Description: The transformation might not support all elements and ignore them, e.g. some settings in a model or some pragmas in the code
  • From tool attribute: Fcn_Behaviour_Transformation

Table 280 Error: Transformation Not Supported

• Error: Wrong Algorithm
  • Description: The chosen algorithm does not solve the problem correctly
  • From tool attribute: Fcn_Algorithm

Table 281 Error: Wrong Algorithm

• Error: Wrong Behaviour
  • Description: The function can have a wrong behaviour
  • From tool attribute: Fcn_Behaviour

Table 282 Error: Wrong Behaviour

• Error: Wrong Result
  • Description: The calculated result differs from the real result, e.g. 1+1=0 or 1/1=0.99
  • From tool attribute: Fcn_Behaviour_Calculator

Table 283 Error: Wrong Result

• Error: Wrong Specification
  • Description: The function can deviate from the specification
  • From tool attribute: Fcn_Specification

Table 284 Error: Wrong Specification

• Error: Wrong Transformation
  • Description: The result of the transformation is not correct
  • From tool attribute: Fcn_Behaviour_Transformation

Table 285 Error: Wrong Transformation

• Error: Wrong Variant
  • Description: The wrong variant has been used, e.g. by ignoring an option/configuration
  • From tool attribute: Fcn_Variants

Table 286 Error: Wrong Variant

1.11.3 ASSUMPTIONS

This section lists all assumptions on tool chain level used in the evaluation of this tool chain. If the assumptions are violated, the calculated TCL is not valid. Assumptions that are enforced by the development process are marked in the analysis model and listed here.

• Check: Assertion Check
  • Description: This check detects whether an assertion in the code is violated. If a test case claims to violate an assertion but does not, this will also be noted with high probability. Comment: since this is an automatic check, the detection probability is high.
  • From use case: Test Environment,Unit Test
  • Error detection probability: TD 1 (HIGH)
  • Is assumption: True

Table 287 Check: Assertion Check

• Check: Detect Wrong TCL
  • Description: An error in the TCL computation is detected.
    Since the review is performed on the basis of the generated report, it will also detect errors in the report generation and in the image generation and all other modeling errors with a high probability. Comment: TCL computation is an easy task and review is an effective verification method for that purpose.
  • From use case: ISO 26262 Reviews, SG_Confirmation Review Of TCLs
  • Error detection probability: TD 1 (HIGH)
  • Detected errors from other tools:
    • SG_Confirmation Review Of TCLs, Tool Chain Analyzer, Compute Tool Confidence Level, Wrong TCL Computed
    • SG_Confirmation Review Of TCLs, Tool Chain Analyzer, Determinate Tool Confidence Level, TCL Wrongly Shown
    • SG_Confirmation Review Of TCLs, Tool Chain Analyzer, Determinate Tool Confidence Level, TCL Wrongly Written
    • SG_Confirmation Review Of TCLs, Tool Chain Analyzer, Excel Interface, Wrong Export
    • SG_Confirmation Review Of TCLs, Tool Chain Analyzer, Excel Interface, Wrong Import
    • SG_Confirmation Review Of TCLs, Tool Chain Analyzer, Generate Word (docx), Document Generated Wrongly
    • SG_Confirmation Review Of TCLs, Tool Chain Analyzer, Xml Interface, Wrong XML Export
    • SG_Confirmation Review Of TCLs, Tool Chain Analyzer, Xml Interface, Wrong XML Import
  • Is assumption: True

Table 288 Check: Detect Wrong TCL

• Check: Executability Check
  • Description: The generated test is compiled and executed
    Comment: There is a high probability of detecting that the test is not executable, e.g. not compiling correctly, since this is an automatic check
  • From use case: TBT, Validate Tests
  • Error detection probability: TD 1 (HIGH)
  • Is assumption: True

Table 289 Check: Executability Check

• Check: Model Check
  • Description: Check the validity of the model
    Comment: This can be done using a model checker tool for some consistency rules
  • From use case: ProB Model Checker, Check Model
  • Error detection probability: TD 1 (HIGH)
  • Is assumption: True

Table 290 Check: Model Check

• Check: Proof Tree - Syntax Check
  • Description: The syntax check is usually done when this file is used
  • From use case: Rodin Prover, System Model Verification
  • Error detection probability: TD 1 (HIGH)
  • Is assumption: True

Table 291 Check: Proof Tree - Syntax Check

• Check: Review Test against Specification
  • Description: Review of generated test cases for correctness with respect to the specification
    Comment: Since it is easy to see that a test case covers a specified feature, the review has a high detection probability for detecting the non-conformance errors between the tests and the spec.
  • From use case: TBT, Validate Tests
  • Error detection probability: TD 1 (HIGH)
  • Is assumption: True

Table 292 Check: Review Test against Specification

• Error: Incorrect translation
  • Description: The translation of contracts to assertions/assumptions might be incorrect. It is not obvious how to check that this does not happen in a tool. Manual inspection might be needed.
  • From use case: Contracts to assertions
  • Is assumption: True

Table 293 Error: Incorrect translation

• Feature: SG_Avoid Feature
  • Description: Avoid this feature, since it is redundant.
  • From: Tool Chain Analyzer
  • Parts: SG_Avoid Feature
  • Is assumption: True

Table 294 Feature: SG_Avoid Feature

• Restriction: Avoid Features
  • Description: Avoid the risky features of the model since they might be buggy.
  • From feature: Tool Chain Analyzer, Safety Guidelines, SG_Avoid Feature
  • Error avoidance probability: TD 1 (HIGH)
  • Avoided errors:
    • Cost Model, Wrong Cost Computed
    • Excel Interface, Wrong Export
    • Excel Interface, Wrong Import
    • Model Validation, Wrong Error Reported
    • Xml Interface, Wrong XML Export
    • Xml Interface, Wrong XML Import
  • Is assumption: True

Table 295 Restriction: Avoid Features

• Tool: Test Environment
  • Description: This is a virtual test environment that is used to formulate assumptions from the test generator to test tools and processes in which the generated tests can be executed.
  • Impact: TI 2 (Impact)
  • Tool Confidence Level: TCL 1
  • Is assumption: True

Table 296 Tool: Test Environment

APPENDIX C – TCA RESULT FOR THE INDUSTRIAL DOMAIN

1 TCL DETAILS OF RECOMP TOOL CHAIN

This chapter has been generated from the formal tool chain model and contains all relevant information to determine the TCLs of the used tools. Table 1 shows the settings and Table 2 shows the active variants with which this document was generated. For further details of the report creation see section "Report Generation" of the User Manual.

Setting            Value
Compact Report     false
With Assumptions   true
Include Subsumes   true
Include Images     true

Table 297 Settings for this documentation

Variant Settings
Active Variants:
  • Industrial

Table 298 Variant Settings

The report starts with an overview of the analysis results, then describes each tool in detail, including TCL determination, and concludes with an appendix for further information.

ToolChain: RECOMP Tool Chain
Description: All models are integrated here
TCL Determination: TCL 3

Table 299 ToolChain: RECOMP Tool Chain

1.1 TCL RESULT OVERVIEW

Table 4 shows the result of the tool evaluation, particularly the tool confidence levels.

Name                            Tool Impact (TI)   Tool Detection (TD)   Tool Confidence Level (TCL)   Assumptions
AF3                             TI 2 (Impact)      TD 1 (HIGH)           TCL 1                         -
Development                     TI 2 (Impact)      TD 2 (MEDIUM)         TCL 2                         -
GEMDE Certification             TI 2 (Impact)      TD 1 (HIGH)           TCL 1                         -
Medini                          TI 2 (Impact)      TD 1 (HIGH)           TCL 1                         -
nuSMV Model Checker             TI 2 (Impact)      TD 1 (HIGH)           TCL 1                         -
ProB Model Checker              TI 2 (Impact)      TD 1 (HIGH)           TCL 1                         1
Process Checker                 TI 2 (Impact)      TD 1 (HIGH)           TCL 1                         -
Rodin Editor                    TI 2 (Impact)      TD 1 (HIGH)           TCL 1                         -
Rodin Prover                    TI 2 (Impact)      TD 1 (HIGH)           TCL 1                         1
Simulink                        TI 2 (Impact)      TD 3 (LOW)            TCL 3                         1
Simulink Design Verifier        TI 2 (Impact)      TD 1 (HIGH)           TCL 1                         -
TBT                             TI 2 (Impact)      TD 1 (HIGH)           TCL 1                         2
Tecnalia Assurance Case Editor  TI 2 (Impact)      TD 1 (HIGH)           TCL 1                         -
Test Environment                TI 2 (Impact)      TD 1 (HIGH)           TCL 1                         5
Tool Chain Analyzer             TI 2 (Impact)      TD 3 (LOW)            TCL 3                         1
VerSAA                          TI 2 (Impact)      TD 1 (HIGH)           TCL 1                         -
YICES SMT Solver                TI 2 (Impact)      TD 1 (HIGH)           TCL 1                         -

Table 300 Evaluation Results of RECOMP Tool Chain

Fig 1 shows the error flow in RECOMP Tool Chain. The number on the edges denotes the number of error flows between the tools. An error flow is a detection possibility or an avoidance possibility of an error. Note that for one error there might be several flows, hence the number of flows can be larger than the number of errors in the model. For example, the tool Simulink Design Verifier contains one error in one occurrence. There are 3 error flows (detection or avoidance possibilities for error occurrences) into Simulink Design Verifier. avoided / detected by carefully using the tool. There are 2 from the Simulink Design Verifier into the VerSAA, i.e. they are detected by the VerSAA.


Fig 38 Error Flow in RECOMP Tool Chain

1.2 AF3

This section explains the determination of the Tool Confidence Level (TCL) for the tool AF3.

Tool: AF3
Description: The AutoFOCUS3 tool as distributed by fortiss GmbH
  AF3 is a tool for the model-based development of embedded systems, covering the phases from requirements capture to deployment on the hardware platform.
Impact: TI 2 (Impact)
Tool Confidence Level: TCL 1

Table 301 Tool: AF3

The tool AF3 is modeled with 6 elements which have impact, none of them are assumptions. In addition, 17 features have been modeled, none of them are assumptions.

Elements           Amount (Assumptions)
Use Cases          6 (0)
Checks             0 (0)
Restrictions       0 (0)
Potential Errors   0 (0)

Table 302 Amount of Elements in Tool: AF3

1.2.1 USE CASES OF AF3

This section describes all analyzed use cases of AF3 in separate subsections. The following use cases of the tool AF3 are considered:

1. Deploying a Logical Architecture to Technical Architecture, see Section 1.2.1.1
2. Requirements Elicitation and Specification, see Section 1.2.7.1
3. Specification of a Logical Architecture, see Section 0
4. Unit Testing, see Section 0
5. Validation of a Logical Architecture, see Section 0
6. Verification of a Logical Architecture, see Section 0

1.2.1.1 USE CASE DEPLOYING A LOGICAL ARCHITECTURE TO TECHNICAL ARCHITECTURE

This section describes the use case "Deploying a Logical Architecture to Technical Architecture".

UseCase: Deploying a Logical Architecture to Technical Architecture
Description: The deployment of a logical architecture to the technical platform is defined and the corresponding parts are synthesized.

Table 303 UseCase: Deploying a Logical Architecture to Technical Architecture

The use case requires 4 features and calls no other use cases. Fig 2 shows the dependencies between the use cases and features.


Fig 39 Dependency View of Use Case: Deploying a Logical Architecture to Technical Architecture

"Deploying a Logical Architecture to Technical Architecture" uses the following features:
  • Specifying Technical Architecture
  • Synthesizing Deployment
  • Synthesizing Real-Time Schedule
  • Synthesizing SIL-Conformant Mapping

In order to fulfill the requirements of the use case, usually a number of artifacts will be read and/or written. But in "Deploying a Logical Architecture to Technical Architecture" the tool AF3 uses no artifacts.

1.2.1.2 USE CASE REQUIREMENTS ELICITATION AND SPECIFICATION

This section describes the use case "Requirements Elicitation and Specification".

UseCase: Requirements Elicitation and Specification
Description: The requirements of a system are identified, specified, and structured.

Table 304 UseCase: Requirements Elicitation and Specification

The use case requires 2 features and calls no other use cases. Table 10 shows the dependencies between the use cases and features.

Fig 40 Dependency View of Use Case: Requirements Elicitation and Specification

"Requirements Elicitation and Specification" uses the following features:
  • Specifying MSC Requirements
  • Specifying Textual Requirements

In order to fulfill the requirements of the use case, usually a number of artifacts will be read and/or written. But in "Requirements Elicitation and Specification" the tool AF3 uses no artifacts.

1.2.1.3 USE CASE SPECIFICATION OF A LOGICAL ARCHITECTURE

This section describes the use case "Specification of a Logical Architecture".


UseCase: Specification of a Logical Architecture
Description: -None-

Table 305 UseCase: Specification of a Logical Architecture

The use case requires 3 features and calls no other use cases. Table 12 shows the dependencies between the use cases and features.

Fig 41 Dependency View of Use Case: Specification of a Logical Architecture

"Specification of a Logical Architecture" uses the following features:
  • Specifying Code-Based Behavior of a Logical Architecture
  • Specifying State-Based Behavior of a Logical Architecture
  • Specifying Structure of a Logical Architecture

In order to fulfill the requirements of the use case, usually a number of artifacts will be read and/or written. But in "Specification of a Logical Architecture" the tool AF3 uses no artifacts.

1.2.1.4 USE CASE UNIT TESTING

This section describes the use case "Unit Testing".

UseCase: Unit Testing
Description: -None-

Table 306 UseCase: Unit Testing

The use case requires 2 features and calls no other use cases. Use Case Assessment view shows the dependencies between the use cases and features.

Fig 42 Dependency View of Use Case: Unit Testing

"Unit Testing" uses the following features:
  • Specifying Test Suite
  • Synthesizing Test Cases

In order to fulfill the requirements of the use case, usually a number of artifacts will be read and/or written. But in "Unit Testing" the tool AF3 uses no artifacts.


1.2.1.5 USE CASE VALIDATION OF A LOGICAL ARCHITECTURE

This section describes the use case "Validation of a Logical Architecture".

UseCase: Validation of a Logical Architecture
Description: A logical architecture is validated w.r.t. its intended behavior.

Table 307 UseCase: Validation of a Logical Architecture

The use case requires one feature and calls no other use cases. Use Case Quality view shows the dependencies between the use cases and features.

Fig 43 Dependency View of Use Case: Validation of a Logical Architecture

"Validation of a Logical Architecture" uses the following features:
  • Simulating a Logical Architecture

In order to fulfill the requirements of the use case, usually a number of artifacts will be read and/or written. But in "Validation of a Logical Architecture" the tool AF3 uses no artifacts.

1.2.1.6 USE CASE VERIFICATION OF A LOGICAL ARCHITECTURE

This section describes the use case "Verification of a Logical Architecture".

UseCase: Verification of a Logical Architecture
Description: The properties of a logical architecture are specified and verified.

Table 308 UseCase: Verification of a Logical Architecture

The use case requires 3 features and calls no other use cases. Use Case Technical view shows the dependencies between the use cases and features.

Fig 44 Dependency View of Use Case: Verification of a Logical Architecture

"Verification of a Logical Architecture" uses the following features:
  • Specifying Contracts on Logical Components
  • Verifying Contracts of a Logical Architecture
  • Verifying Soundness of a Logical Architecture

In order to fulfill the requirements of the use case, usually a number of artifacts will be read and/or written. But in "Verification of a Logical Architecture" the tool AF3 uses no artifacts.


1.2.2 FEATURES OF AF3

This section describes all analyzed features of AF3 in separate subsections. The following features of the tool AF3 are considered:

1. Simulating a Logical Architecture, see Section 0
2. Specifying Test Suite, see Section 0
3. Specifying Code-Based Behavior of a Logical Architecture, see Section 0
4. Specifying Contracts on Logical Components, see Section 0
5. Specifying MSC Requirements, see Section 0
6. Specifying SIL Requirements, see Section 0
7. Specifying State-Based Behavior of a Logical Architecture, see Section 0
8. Specifying Structure of a Logical Architecture, see Section 1.4.1.4
9. Specifying Technical Architecture, see Section 1.4.1.6
10. Specifying Textual Requirements, see Section 1.4.1.8
11. Synthesizing Deployment, see Section 1.4.1.10
12. Synthesizing Real-Time Schedule, see Section 0
13. Synthesizing SIL-Conformant Mapping, see Section 0
14. Synthesizing Test Cases, see Section 0
15. Verifying Contracts of a Logical Architecture, see Section 1.4.7.2
16. Verifying MSC Conformance, see Section 0
17. Verifying Soundness of a Logical Architecture, see Section 0

1.2.2.1 FEATURE SIMULATING A LOGICAL ARCHITECTURE

This section describes the feature "Simulating a Logical Architecture".

Feature: Simulating a Logical Architecture
Description: A logical architecture is executed using a controlled simulation.

Table 309 Feature: Simulating a Logical Architecture

The feature "Simulating a Logical Architecture" reads and/or writes the following artifacts. The used artifacts are shown in Fig 6 and are summarized in the subsequent table.


Fig 45 Artifacts of Feature: Simulating a Logical Architecture

Artifacts of Feature: Simulating a Logical Architecture
Inputs:
  • AF3 System Model
Outputs:
  • Display Output

Table 310 Artifacts of Feature: Simulating a Logical Architecture

1.2.2.2 FEATURE SPECIFYING TEST SUITE

This section describes the feature "Specifying Test Suite".

Feature: Specifying Test Suite
Description: A test suite is specified by the coverage criteria of the suite
  A test suite is specified by the coverage criteria of the suite. Possible coverage criteria are random testing, state coverage, or transition coverage.

Table 311 Feature: Specifying Test Suite

The feature "Specifying Test Suite" reads and/or writes the following artifacts. The used artifacts are shown in TCL Determination for Use Case: Assessment view and are summarized in the subsequent table.


Fig 46 Artifacts of Feature: Specifying Test Suite

Artifacts of Feature: Specifying Test Suite
Inputs:
  • Test Specification
Outputs:
  • AF3 System Model

Table 312 Artifacts of Feature: Specifying Test Suite


1.2.2.3 FEATURE SPECIFYING CODE-BASED BEHAVIOR OF A LOGICAL ARCHITECTURE

This section describes the feature "Specifying Code-Based Behavior of a Logical Architecture".

Feature: Specifying Code-Based Behavior of a Logical Architecture
Description: The behavior of the components of a logical architecture is defined using a code-based textual approach.

Table 313 Feature: Specifying Code-Based Behavior of a Logical Architecture

The feature "Specifying Code-Based Behavior of a Logical Architecture" reads and/or writes the following artifacts. The used artifacts are shown in TCL Determination for Use Case: Quality view and are summarized in the subsequent table.

Fig 47 Artifacts of Feature: Specifying Code-Based Behavior of a Logical Architecture

Artifacts of Feature: Specifying Code-Based Behavior of a Logical Architecture
Inputs:
  • AF3 System Model
Outputs:
  • AF3 System Model

Table 314 Artifacts of Feature: Specifying Code-Based Behavior of a Logical Architecture

1.2.2.4 FEATURE SPECIFYING CONTRACTS ON LOGICAL COMPONENTS

This section describes the feature "Specifying Contracts on Logical Components".

Feature: Specifying Contracts on Logical Components
Description: Formal properties of components of the logical architecture are specified.
  Formal properties of components of the logical architecture are specified. These properties can be defined via assume-guarantee contracts or patterns.

Table 315 Feature: Specifying Contracts on Logical Components

The feature "Specifying Contracts on Logical Components" reads and/or writes the following artifacts. The used artifacts are shown in TCL Determination for Use Case: Technical view and are summarized in the subsequent table.

Fig 48 Artifacts of Feature: Specifying Contracts on Logical Components

Artifacts of Feature: Specifying Contracts on Logical Components
Inputs:
  • AF3 System Model
Outputs:
  • AF3 System Model

Table 316 Artifacts of Feature: Specifying Contracts on Logical Components

1.2.2.5 FEATURE SPECIFYING MSC REQUIREMENTS

This section describes the feature "Specifying MSC Requirements".

Feature: Specifying MSC Requirements
Description: The requirements of a system are specified using MSCs to define scenarios.
  The textual requirements of a system are specified in a structured way. This includes the specification of general requirements as well as use cases including their scenarios, and their hierarchical structure.

Table 317 Feature: Specifying MSC Requirements


The feature "Specifying MSC Requirements" reads and/or writes the following artifacts. The used artifacts are shown in Use Case Detailed architecture definition and are summarized in the subsequent table.

Fig 49 Artifacts of Feature: Specifying MSC Requirements

Artifacts of Feature: Specifying MSC Requirements
Inputs:
  • AF3 System Model
  • Requirement Specification
Outputs:
  • AF3 System Model

Table 318 Artifacts of Feature: Specifying MSC Requirements

1.2.2.6 FEATURE SPECIFYING SIL REQUIREMENTS

This section describes the feature "Specifying SIL Requirements".

Feature: Specifying SIL Requirements
Description: The SIL levels of components of a logical Architecture are defined.

Table 319 Feature: Specifying SIL Requirements

The feature "Specifying SIL Requirements" reads and/or writes the following artifacts. The used artifacts are shown in Use Case FHA Generation and are summarized in the subsequent table.


Fig 50 Artifacts of Feature: Specifying SIL Requirements

Artifacts of Feature: Specifying SIL Requirements
Inputs:
  • AF3 System Model
  • Safety Requirements
Outputs:
  • AF3 System Model

Table 320 Artifacts of Feature: Specifying SIL Requirements

1.2.2.7 FEATURE SPECIFYING STATE-BASED BEHAVIOR OF A LOGICAL ARCHITECTURE

This section describes the feature "Specifying State-Based Behavior of a Logical Architecture".

Feature: Specifying State-Based Behavior of a Logical Architecture
Description: The behavior of the components of a logical architecture is defined using a state-machine approach.

Table 321 Feature: Specifying State-Based Behavior of a Logical Architecture

The feature "Specifying State-Based Behavior of a Logical Architecture" reads and/or writes the following artifacts. The used artifacts are shown in Use Case FMEA Generation and are summarized in the subsequent table.


Fig 51 Artifacts of Feature: Specifying State-Based Behavior of a Logical Architecture

Artifacts of Feature: Specifying State-Based Behavior of a Logical Architecture
Inputs:
  • AF3 System Model
Outputs:
  • AF3 System Model

Table 322 Artifacts of Feature: Specifying State-Based Behavior of a Logical Architecture

1.2.2.8 FEATURE SPECIFYING STRUCTURE OF A LOGICAL ARCHITECTURE

This section describes the feature "Specifying Structure of a Logical Architecture".

Feature: Specifying Structure of a Logical Architecture
Description: The structure of a logical architecture in terms of components and their subcomponents is defined.

Table 323 Feature: Specifying Structure of a Logical Architecture

The feature "Specifying Structure of a Logical Architecture" reads and/or writes the following artifacts. The used artifacts are shown in Use Case Function allocation and are summarized in the subsequent table.


Fig 52 Artifacts of Feature: Specifying Structure of a Logical Architecture

Artifacts of Feature: Specifying Structure of a Logical Architecture
Outputs:
  • AF3 System Model

Table 324 Artifacts of Feature: Specifying Structure of a Logical Architecture

1.2.2.9 FEATURE SPECIFYING TECHNICAL ARCHITECTURE

This section describes the feature "Specifying Technical Architecture".

Feature: Specifying Technical Architecture
Description: -None-

Table 325 Feature: Specifying Technical Architecture


The feature "Specifying Technical Architecture" reads and/or writes the following artifacts. The used artifacts are shown in Use Case HW/SW allocation and are summarized in the subsequent table.

Fig 53 Artifacts of Feature: Specifying Technical Architecture

Artifacts of Feature: Specifying Technical Architecture
Inputs:
  • AF3 System Model
  • Spatial Constraints
Outputs:
  • AF3 System Model
  • Detailed System Architecture
  • Spatial Constraints
  • Timing Parameters

Table 326 Artifacts of Feature: Specifying Technical Architecture

1.2.2.10 FEATURE SPECIFYING TEXTUAL REQUIREMENTS

This section describes the feature "Specifying Textual Requirements".

Feature: Specifying Textual Requirements
Description: The textual requirements of a system are specified in a structured way.
  The textual requirements of a system are specified in a structured way. This includes the specification of general requirements as well as use cases including their scenarios, and their hierarchical structure.

Table 327 Feature: Specifying Textual Requirements


The feature "Specifying Textual Requirements" reads and/or writes the following artifacts. The used artifacts are shown in Use Case Safety goals definition and are summarized in the subsequent table.

Fig 54 Artifacts of Feature: Specifying Textual Requirements

Artifacts of Feature: Specifying Textual Requirements
Inputs:
  • Requirement Specification
Outputs:
  • AF3 System Model

Table 328 Artifacts of Feature: Specifying Textual Requirements


1.2.2.11 FEATURE SYNTHESIZING DEPLOYMENT

This section describes the feature "Synthesizing Deployment".

Feature: Synthesizing Deployment
Description: For logical and technical architectures and a mapping between them, a set of deployable packages is generated.
  For logical and technical architectures and a mapping between them, a set of deployable packages is generated. These packages include the generated code for each component, build files and glue code for each ECU.

Table 329 Feature: Synthesizing Deployment

The feature "Synthesizing Deployment" reads and/or writes the following artifacts. The used artifacts are shown in Fig 10 and are summarized in the subsequent table.

Fig 55 Artifacts of Feature: Synthesizing Deployment

Artifacts of Feature: Synthesizing Deployment
Inputs:
  • AF3 System Model
Outputs:
  • Deployment
  • Source Code

Table 330 Artifacts of Feature: Synthesizing Deployment


1.2.2.12 FEATURE SYNTHESIZING REAL-TIME SCHEDULE

This section describes the feature "Synthesizing Real-Time Schedule".

Feature: Synthesizing Real-Time Schedule
Description: -None-

Table 331 Feature: Synthesizing Real-Time Schedule

The feature "Synthesizing Real-Time Schedule" reads and/or writes the following artifacts. The used artifacts are shown in TCL Determination for Use Case: Detailed architecture definition and are summarized in the subsequent table.

Fig 56 Artifacts of Feature: Synthesizing Real-Time Schedule

Artifacts of Feature: Synthesizing Real-Time Schedule
Inputs:
  • AF3 System Model
  • WCET
Outputs:
  • AF3 System Model

Table 332 Artifacts of Feature: Synthesizing Real-Time Schedule

1.2.2.13 FEATURE SYNTHESIZING SIL-CONFORMANT MAPPING

This section describes the feature "Synthesizing SIL-Conformant Mapping".

Feature: Synthesizing SIL-Conformant Mapping
Description: -None-

Table 333 Feature: Synthesizing SIL-Conformant Mapping

The feature "Synthesizing SIL-Conformant Mapping" reads and/or writes the following artifacts. The used artifacts are shown in Table 81 and are summarized in the subsequent table.

Fig 57 Artifacts of Feature: Synthesizing SIL-Conformant Mapping

Artifacts of Feature: Synthesizing SIL-Conformant Mapping
Inputs:
  • AF3 System Model
Outputs:
  • AF3 System Model

Table 334 Artifacts of Feature: Synthesizing SIL-Conformant Mapping

1.2.2.14 FEATURE SYNTHESIZING TEST CASES

This section describes the feature "Synthesizing Test Cases".

Feature: Synthesizing Test Cases
Description: Test cases are synthesized for a specified test suite according to the coverage criteria.

Table 335 Feature: Synthesizing Test Cases

The feature "Synthesizing Test Cases" reads and/or writes the following artifacts. The used artifacts are shown in Table 83 and are summarized in the subsequent table.


Fig 58 Artifacts of Feature: Synthesizing Test Cases

Artifacts of Feature: Synthesizing Test Cases
Inputs:
  • AF3 System Model
Outputs:
  • Test Cases

Table 336 Artifacts of Feature: Synthesizing Test Cases

1.2.2.15 FEATURE VERIFYING CONTRACTS OF A LOGICAL ARCHITECTURE

This section describes the feature "Verifying Contracts of a Logical Architecture".

Feature: Verifying Contracts of a Logical Architecture
Description: A logical architecture is verified by means of formal checks.
  A logical architecture is verified by means of formal checks. These checks include the use of assume-guarantee contracts or patterns.

Table 337 Feature: Verifing Contracts of a Logical Architecture

The feature "Verifing Contracts of a Logical Architecture" reads and/or writes the following artifacts. The used artifacts are shown in Table 85 and are summarized in the subsequent table.

Page 175: APPENDIX A – GLOSSARY - UGRatcproyectos.ugr.es/recomp/images/stories/deliverables/D2...shell and utilities interfaces, for software compatible with variants of the Unix operating

Fig 59 Artifacts of Feature: Verifing Contracts of a Logical Architecture

Artifacts of Feature: Verifing Contracts of a Logical Architecture Inputs: • AF3 System Model Outputs: • Verification Verdict

Table 338 Artifacts of Feature: Verifing Contracts of a Logical Architecture

1.2.2.16 FEATURE VERIFYING MSC CONFORMANCE

This section describes the feature "Verifying MSC Conformance".

Feature: Verifying MSC Conformance
Description: For an MSC (Message Sequence Chart) and a (part of a) logical architecture, including the behavior of its components, their conformance is verified; i.e., it is checked that the sequence of actions of the MSC can be produced by the logical component architecture.

Table 339 Feature: Verifying MSC Conformance

The feature "Verifying MSC Conformance" reads and/or writes the following artifacts. The used artifacts are shown in Fig 60 and are summarized in the subsequent table.

Fig 60 Artifacts of Feature: Verifying MSC Conformance

Artifacts of Feature: Verifying MSC Conformance
Inputs: • AF3 System Model
Outputs: • Verification Verdict

Table 340 Artifacts of Feature: Verifying MSC Conformance

1.2.2.17 FEATURE VERIFYING SOUNDNESS OF A LOGICAL

ARCHITECTURE

This section describes the feature "Verifying Soundness of a Logical Architecture".

Feature: Verifying Soundness of a Logical Architecture
Description: A logical architecture is verified w.r.t. reachability and determinism of its components.

Table 341 Feature: Verifying Soundness of a Logical Architecture

The feature "Verifying Soundness of a Logical Architecture" reads and/or writes the following artifacts. The used artifacts are shown in Fig 61 and are summarized in the subsequent table.

Fig 61 Artifacts of Feature: Verifying Soundness of a Logical Architecture

Artifacts of Feature: Verifying Soundness of a Logical Architecture
Inputs: • AF3 System Model
Outputs: • Verification Verdict

Table 342 Artifacts of Feature: Verifying Soundness of a Logical Architecture

1.2.3 POTENTIAL ERRORS IN AF3

The tool has no potential errors. The error flow consists of all relations from errors to checks or restrictions. There are

• no relation from errors caused by other tools to checks or restrictions defined for use cases of this tool.

• no relation from errors caused by this tool to checks or restrictions defined for use cases of this tool.

• no relation from errors caused by this tool to checks or restrictions defined for use cases of other tools.

1.2.4 RESTRICTIONS IN AF3

There are no restrictions in the tool AF3.

1.2.5 CHECKS IN AF3

No checks are performed in the tool AF3.


1.2.6 ASSUMPTIONS

The determination of the TCL of AF3 is not based on assumed checks and restrictions. None of the checks and restrictions are modeled as assumptions.

1.2.7 TCL DETERMINATION

This section determines a TCL for each use case by assigning checks or restrictions with a detection/avoidance probability to each potential error. The TCL for the entire tool is derived from the TCLs of its use cases (the tool takes the highest TCL among them). The tool AF3 has 6 use cases with TCL 1, no use case with TCL 2 and no use case with TCL 3. Therefore the tool AF3 has TCL 1. The use cases are described in the following sections:

• For "Deploying a Logical Architecture to Technical Architecture" (TCL 1) see Section 1.2.7.1,
• for "Requirements Elicitation and Specification" (TCL 1) see Section 1.2.7.2,
• for "Specification of a Logical Architecture" (TCL 1) see Section 1.2.7.3,
• for "Unit Testing" (TCL 1) see Section 1.2.7.4,
• for "Validation of a Logical Architecture" (TCL 1) see Section 1.2.7.5, and
• for "Verification of a Logical Architecture" (TCL 1) see Section 1.2.7.6.

1.2.7.1 TCL DETERMINATION FOR USE CASE: DEPLOYING A LOGICAL ARCHITECTURE TO TECHNICAL ARCHITECTURE

The use case "Deploying a Logical Architecture to Technical Architecture" has TCL 1. The TCL is determined by the lowest (i.e. weakest) Tool Detection Level (TD) of all errors of the use case. This use case has no errors.

1.2.7.2 TCL DETERMINATION FOR USE CASE: REQUIREMENTS ELICITATION AND SPECIFICATION

The use case "Requirements Elicitation and Specification" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. This use case has no errors.

1.2.7.3 TCL DETERMINATION FOR USE CASE: SPECIFICATION OF A LOGICAL ARCHITECTURE

The use case "Specification of a Logical Architecture" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. This use case has no errors.

1.2.7.4 TCL DETERMINATION FOR USE CASE: UNIT TESTING

The use case "Unit Testing" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. This use case has no errors.

1.2.7.5 TCL DETERMINATION FOR USE CASE: VALIDATION OF A LOGICAL ARCHITECTURE

The use case "Validation of a Logical Architecture" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. This use case has no errors.

1.2.7.6 TCL DETERMINATION FOR USE CASE: VERIFICATION OF A LOGICAL ARCHITECTURE

The use case "Verification of a Logical Architecture" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. This use case has no errors.

1.3 DEVELOPMENT

This section explains the determination of the Tool Confidence Level (TCL) for the tool Development.

Tool: Development
Description: This is not a concrete tool but a model of any development tool chain (including humans) that can cause different errors when producing source code.
Impact: TI 2 (Impact)
Tool Confidence Level: TCL 2

Table 343 Tool: Development

The tool Development is modeled with 5 elements which have impact, none of them are assumptions. No additional features have been modeled.

Elements          Amount (Assumptions)
Use Cases         1 (0)
Checks            0 (0)
Restrictions      0 (0)
Potential Errors  4 (0)

Table 344 Amount of Elements in Tool: Development

1.3.1 USE CASES OF DEVELOPMENT

This section describes all analyzed use cases of Development in separate subsections. The following use cases of the tool Development are considered:

1. Create Code, see Section 1.3.1.1

1.3.1.1 USE CASE CREATE CODE

This section describes the use case "Create Code".

UseCase: Create Code
Description: This is the use case of creating C code; it collects the potential errors that can be discovered by the test tool.

Table 345 UseCase: Create Code

The use case requires no features and calls no other use cases.

The use case "Create Code" reads and/or writes the following artifacts. The used artifacts are shown in Fig 62 and are summarized in the subsequent table.

Fig 62 Artifacts of Use Case: Create Code

Artifacts of Use Case: Create Code Outputs: • C/C++ Source Code

Table 346 Artifacts of Use Case: Create Code

1.3.2 FEATURES OF DEVELOPMENT

There are no features modeled for Development.

1.3.3 POTENTIAL ERRORS IN DEVELOPMENT

The tool has 4 different potential errors in 4 occurrences in use cases. The error flow, as can be seen in Fig 63, consists of all relations from errors to checks or restrictions. There are

• no relation from errors caused by other tools to checks or restrictions defined for use cases of this tool.

• no relation from errors caused by this tool to checks or restrictions defined for use cases of this tool.

• 5 relations from errors caused by this tool to checks or restrictions defined for use cases of other tools.

Fig 63 Error Flow to and from Development

Due to these 5 relations, Development has an impact on one other tool. The errors are listed in Table 347.

Tool              Error                    UseCase      Table
Test Environment  Assertion Violation      Create Code  Table 349
Test Environment  Dead Code                Create Code  Table 350
Test Environment  Other Programming Error  Create Code  Table 351
Test Environment  Runtime Error            Create Code  Table 352
Test Environment  Runtime Error            Create Code  Table 352

Table 347 Errors of Development with impact on other tools

1.3.4 RESTRICTIONS IN DEVELOPMENT

There are no restrictions in the tool Development.

1.3.5 CHECKS IN DEVELOPMENT

No checks are performed in the tool Development.

1.3.6 ASSUMPTIONS

The determination of the TCL of Development is not based on assumed checks and restrictions. None of the checks and restrictions are modeled as assumptions.

1.3.7 TCL DETERMINATION

This section determines a TCL for each use case by assigning checks or restrictions with detection/avoidance probability to each potential error. The TCL for the entire tool can be derived from the TCL for each use case. The tool Development has no use case with TCL 1, one use case with TCL 2 and no use case with TCL 3. Therefore the tool Development has TCL 2. The use cases are described in the following sections:

• For "Create Code" (TCL 2) see Section 1.4.7.6.

1.3.7.1 TCL DETERMINATION FOR USE CASE: CREATE CODE

The use case "Create Code" has TCL 2. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "Create Code". Error TD Table Assertion Violation TD 2 (MEDIUM) TCL

Determination for Use Case: HW/SW allocation

Dead Code TD 2 (MEDIUM) Table 101

Page 182: APPENDIX A – GLOSSARY - UGRatcproyectos.ugr.es/recomp/images/stories/deliverables/D2...shell and utilities interfaces, for software compatible with variants of the Unix operating

Other Programing Error TD 2 (MEDIUM) Table 102 Runtime Error TD 2 (MEDIUM) TCL

Determination for Use Case: Item Definition

Table 348 Errors of Use Case: Create Code
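The derivation rule stated above (an error's TD comes from the checks that detect it, a use case takes the weakest TD among its errors, and the tool takes the worst TCL among its use cases) replayed in Python on the figures this appendix reports for AF3, Development and GEMDE Certification. This is an added example, not code from the RECOMP tool-chain model or from any of the tools it describes. Three things it assumes are not printed on the page: the TI/TD-to-TCL mapping is the ISO 26262-8 one (TI 1 always gives TCL 1; with TI 2 the TCL number equals the TD number), an error no check detects counts as TD 3, and a use case without errors gets TCL 1 (the last matches what the appendix states for AF3). Check and error names are transcribed from the tables in this appendix.

```python
# Added worked example; not code from the RECOMP tool-chain model or any tool
# described in this appendix. Assumptions (not stated on the page):
#  - TI/TD -> TCL mapping as in ISO 26262-8 Table 3: TI 1 always yields TCL 1;
#    with TI 2, TD 1 / TD 2 / TD 3 yield TCL 1 / TCL 2 / TCL 3.
#  - An error's TD is the best (numerically lowest) TD among the checks that
#    detect it; an error no check detects counts as TD 3 (LOW).
#  - "Lowest Tool Detection Level" of a use case means its weakest detection,
#    i.e. the numerically highest TD among its errors.
#  - A use case with no errors gets TCL 1, as the appendix states for AF3.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Check:
    name: str
    tool: str  # tool whose use case performs the check
    td: int    # detection probability class: 1 = HIGH, 2 = MEDIUM, 3 = LOW


@dataclass
class Error:
    name: str
    detected_by: Tuple[Check, ...] = ()

    def td(self) -> int:
        """Best detection available for this error; TD 3 if nothing detects it."""
        return min((c.td for c in self.detected_by), default=3)


@dataclass
class UseCase:
    name: str
    errors: List[Error] = field(default_factory=list)

    def worst_td(self) -> Optional[int]:
        """Weakest detection over all errors; None when the use case has no errors."""
        return max((e.td() for e in self.errors), default=None)


@dataclass
class Tool:
    name: str
    ti: int  # Tool Impact class, 1 or 2
    use_cases: List[UseCase]


def tcl_from(ti: int, td: Optional[int]) -> int:
    """Map Tool Impact and the worst Tool Detection to a Tool Confidence Level."""
    if ti == 1 or td is None:
        return 1
    return td  # with TI 2 the TCL number equals the TD number


def use_case_tcl(tool: Tool, uc: UseCase) -> int:
    return tcl_from(tool.ti, uc.worst_td())


def tool_tcl(tool: Tool) -> int:
    """The tool takes the highest (worst) TCL of any of its use cases."""
    return max(use_case_tcl(tool, uc) for uc in tool.use_cases)


def error_flow(tool: Tool) -> Dict[str, int]:
    """Count error-to-check relations the way the report's error-flow bullets do."""
    flow = {"to_this_tool": 0, "to_other_tools": 0}
    for uc in tool.use_cases:
        for err in uc.errors:
            for chk in err.detected_by:
                key = "to_this_tool" if chk.tool == tool.name else "to_other_tools"
                flow[key] += 1
    return flow


# Model data transcribed from this appendix; the Unit Test checks belong to the
# Test Environment tool, as Table 347 shows.
RUNTIME_CHECK = Check("Unit Test.Runtime Check", "Test Environment", 2)
LIFE_CHECK = Check("Unit Test.Life Check", "Test Environment", 2)
PROGRAM_VERIFICATION = Check("Unit Test.Programm Verification", "Test Environment", 2)

AF3 = Tool("AF3", ti=2, use_cases=[UseCase(n) for n in (
    "Deploying a Logical Architecture to Technical Architecture",
    "Requirements Elicitation and Specification",
    "Specification of a Logical Architecture",
    "Unit Testing",
    "Validation of a Logical Architecture",
    "Verification of a Logical Architecture",
)])

DEVELOPMENT = Tool("Development", ti=2, use_cases=[UseCase("Create Code", [
    Error("Assertion Violation", (RUNTIME_CHECK,)),
    Error("Dead Code", (LIFE_CHECK,)),
    Error("Other Programming Error", (PROGRAM_VERIFICATION,)),
    Error("Runtime Error", (PROGRAM_VERIFICATION, RUNTIME_CHECK)),
])])

GEMDE = Tool("GEMDE Certification", ti=2, use_cases=[
    UseCase("Assessment view", [Error("AssesmentIncorrect",
            (Check("QualityManagerChecks", "GEMDE Certification", 1),))]),
    UseCase("Quality view", [Error("ModelIncorrectness",
            (Check("TechnicalManagerChecks", "GEMDE Certification", 1),))]),
    UseCase("Technical view", [Error("ProjectIncorrectness",
            (Check("RegulationManagerChecks", "GEMDE Certification", 1),))]),
])

if __name__ == "__main__":
    for tool in (AF3, DEVELOPMENT, GEMDE):
        print(f"{tool.name}: TI {tool.ti} -> TCL {tool_tcl(tool)}, error flow {error_flow(tool)}")
```

Running the block reproduces the report: AF3 TCL 1 with no relations, Development TCL 2 with 5 relations to another tool, GEMDE Certification TCL 1 with 3 relations inside the tool. Note that the TD of each check is an input to this computation, not something it verifies; the GEMDE checks are manual reviews modeled at TD 1 (HIGH), and the confidence level stands or falls with that rating.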

Error: Assertion Violation
Description: The program contains assertions that can be violated under some conditions.
From use case: Create Code
Discovered by the following checks: • Unit Test.Runtime Check
Occurrences: • in Create Code
Error View:

Table 349 Error: Assertion Violation

Error: Dead Code
Description: Code that is not reachable is called dead code.
From use case: Create Code
Discovered by the following checks: • Unit Test.Life Check
Occurrences: • in Create Code
Error View:

Table 350 Error: Dead Code

Error: Other Programming Error
Description: Any other functional error that can be introduced into the code.
From use case: Create Code
Discovered by the following checks: • Unit Test.Programm Verification
Occurrences: • in Create Code
Error View:

Table 351 Error: Other Programming Error

Error: Runtime Error
Description: A runtime error is an error that causes the program to crash during execution. This
From use case: Create Code
Discovered by the following checks: • Unit Test.Programm Verification • Unit Test.Runtime Check
Occurrences: • in Create Code
Error View:

Table 352 Error: Runtime Error

1.4 GEMDE CERTIFICATION

This section explains the determination of the Tool Confidence Level (TCL) for the tool GEMDE Certification.

Tool: GEMDE Certification
Description: Tool for certification support
Comment: This is just a supporting tool to gather all the certification documentation. It does not create running software or tests.
Impact: TI 2 (Impact)
Tool Confidence Level: TCL 1

Table 353 Tool: GEMDE Certification

The tool GEMDE Certification is modeled with 9 elements which have impact, none of them are assumptions. No additional features have been modeled.

Elements          Amount (Assumptions)
Use Cases         3 (0)
Checks            3 (0)
Restrictions      0 (0)
Potential Errors  3 (0)

Table 354 Amount of Elements in Tool: GEMDE Certification

1.4.1 USE CASES OF GEMDE CERTIFICATION

This section describes all analyzed use cases of GEMDE Certification in separate subsections. The following use cases of the tool GEMDE Certification are considered:

1. Assessment view, see Section 1.4.1.1
2. Quality view, see Section 1.4.1.2
3. Technical view, see Section 1.4.1.3

1.4.1.1 USE CASE ASSESSMENT VIEW

This section describes the use case "Assessment view". UseCase: Assessment view Description: Assessment or validation of the Qualification Project against the Qualification Reference

Table 355 UseCase: Assessment view

The use case requires no features and calls no other use cases. The use case "Assessment view" reads and/or writes the following artifacts. The used artifacts are shown in Table 104 and are summarized in the subsequent table.

Fig 64 Artifacts of Use Case: Assessment view

Artifacts of Use Case: Assessment view Inputs: • ProjectModel

• ReferenceModel Outputs: • No-Conformity metrics

Page 187: APPENDIX A – GLOSSARY - UGRatcproyectos.ugr.es/recomp/images/stories/deliverables/D2...shell and utilities interfaces, for software compatible with variants of the Unix operating

Table 356 Artifacts of Use Case: Assessment view

1.4.1.2 USE CASE QUALITY VIEW

This section describes the use case "Quality view". UseCase: Quality view Description: Selection and definition of the Qualification Reference. Definition of the scope of the

Qualification Reference

Table 357 UseCase: Quality view

The use case requires no features and calls no other use cases. The use case "Quality view" reads and/or writes the following artifacts. The used artifacts are shown in Table 106 and are summarized in the subsequent table.

Fig 65 Artifacts of Use Case: Quality view

Artifacts of Use Case: Quality view Inputs: • StandardsRegulation Outputs: • ReferenceModel Inputs & Outputs: • ReferenceModel

Table 358 Artifacts of Use Case: Quality view

1.4.1.3 USE CASE TECHNICAL VIEW

This section describes the use case "Technical view". UseCase: Technical view Description: Definition of the Qualification Project and associated Qualification Reference

Table 359 UseCase: Technical view

The use case requires no features and calls 11 other use cases. Fig 12 shows the dependencies between the use cases and features.

Page 188: APPENDIX A – GLOSSARY - UGRatcproyectos.ugr.es/recomp/images/stories/deliverables/D2...shell and utilities interfaces, for software compatible with variants of the Unix operating

Fig 66 Dependency View of Use Case: Technical view

"Technical view" calls following use cases: • Medini,Detailed architecture definition • Medini,FHA Generation • Medini,FMEA Generation • Medini,FTA Generation • Medini,Function allocation • Medini,Generation HW Coverage • Medini,HW/SW allocation • Medini,Item Definition • Medini,SW Architecture definition • Medini,Safety goals definition • Tecnalia Assurance Case Editor,Assurance Case edition

The use case "Technical view" reads and/or writes the following artifacts. The used artifacts are shown in Table 111 and are summarized in the subsequent table.

Page 189: APPENDIX A – GLOSSARY - UGRatcproyectos.ugr.es/recomp/images/stories/deliverables/D2...shell and utilities interfaces, for software compatible with variants of the Unix operating
Page 190: APPENDIX A – GLOSSARY - UGRatcproyectos.ugr.es/recomp/images/stories/deliverables/D2...shell and utilities interfaces, for software compatible with variants of the Unix operating

Fig 67 Artifacts of Use Case: Technical view

Artifacts of Use Case: Technical view Inputs: • Detailed System Architecture

• Evidence • FHA • FMEA • FTA • Failure rate catalog • Functionalities • Malfunctions • No-Conformity metrics • Preliminary System Architecture • ReferenceModel • Safety Case • Safety Goals List • Safety Requirements

Outputs: • ProjectModel

Table 360 Artifacts of Use Case: Technical view

1.4.2 FEATURES OF GEMDE CERTIFICATION

There are no features modeled for GEMDE Certification.

1.4.3 POTENTIAL ERRORS IN GEMDE CERTIFICATION

The tool has 3 different potential errors in 3 occurrences in use cases. The error flow, as can be seen in Fig 68, consists of all relations from errors to checks or restrictions. There are

• no relation from errors caused by other tools to checks or restrictions defined for use cases of this tool.

• 3 relations from errors caused by this tool to checks or restrictions defined for use cases of this tool.

• no relation from errors caused by this tool to checks or restrictions defined for use cases of other tools.

Fig 68 Error Flow to and from GEMDE Certification

GEMDE Certification has the following 3 relations, which are detected by checks or restrictions of this tool. The errors are described in detail in the TCL analysis of the corresponding use cases:

• AssesmentIncorrect (Table 365)
• ModelIncorrectness (Table 367)
• ProjectIncorrectness (Table 369)

1.4.4 RESTRICTIONS IN GEMDE CERTIFICATION

There are no restrictions in the tool GEMDE Certification.

1.4.5 CHECKS IN GEMDE CERTIFICATION

The following 3 checks are performed in the tool GEMDE Certification.

Check: QualityManagerChecks
Description: The Quality Manager checks the outputs before the final certification
From use case: GEMDE Certification,Assessment view
Occurrences: • in Assessment view
Error detection probability: TD 1 (HIGH)
Detected errors: • Assessment view,AssesmentIncorrect

Table 361 Check: QualityManagerChecks

Check: RegulationManagerChecks
Description: The Regulation Manager checks the model that gives the result
From use case: GEMDE Certification,Technical view
Occurrences: • in Technical view
Error detection probability: TD 1 (HIGH)
Detected errors: • Technical view,ProjectIncorrectness

Table 362 Check: RegulationManagerChecks

Check: TechnicalManagerChecks
Description: The Technical Manager checks every piece of evidence given as an input and the justification for the objectives
From use case: GEMDE Certification,Quality view
Occurrences: • in Quality view
Error detection probability: TD 1 (HIGH)
Detected errors: • Quality view,ModelIncorrectness

Table 363 Check: TechnicalManagerChecks

1.4.6 ASSUMPTIONS

The determination of the TCL of GEMDE Certification is not based on assumed checks and restrictions. None of the checks and restrictions are modeled as assumptions.

1.4.7 TCL DETERMINATION

This section determines a TCL for each use case by assigning checks or restrictions with a detection/avoidance probability to each potential error. The TCL for the entire tool is derived from the TCLs of its use cases. The tool GEMDE Certification has 3 use cases with TCL 1, no use case with TCL 2 and no use case with TCL 3. Therefore the tool GEMDE Certification has TCL 1. The use cases are described in the following sections:

• For "Assessment view" (TCL 1) see Section 1.4.7.1,
• for "Quality view" (TCL 1) see Section 1.4.7.2, and
• for "Technical view" (TCL 1) see Section 1.4.7.3.

1.4.7.1 TCL DETERMINATION FOR USE CASE: ASSESSMENT VIEW

The use case "Assessment view" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "Assessment view".

Error               TD           Table
AssesmentIncorrect  TD 1 (HIGH)  Table 365

Table 364 Errors of Use Case: Assessment view

Error: AssesmentIncorrect
Description: Evidence is lacking, or the justification is not correct
From use case: Assessment view
Discovered by the following checks: • Assessment view.QualityManagerChecks
Occurrences: • in Assessment view
Error View:

Table 365 Error: AssesmentIncorrect

1.4.7.2 TCL DETERMINATION FOR USE CASE: QUALITY VIEW

The use case "Quality view" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "Quality view".

Error               TD           Table
ModelIncorrectness  TD 1 (HIGH)  Table 367

Table 366 Errors of Use Case: Quality view

Error: ModelIncorrectness
Description: The model is not coherent with the standard
From use case: Quality view
Discovered by the following checks: • Quality view.TechnicalManagerChecks
Occurrences: • in Quality view
Error View:

Table 367 Error: ModelIncorrectness

1.4.7.3 TCL DETERMINATION FOR USE CASE: TECHNICAL VIEW

The use case "Technical view" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "Technical view".

Error                 TD           Table
ProjectIncorrectness  TD 1 (HIGH)  Table 369

Table 368 Errors of Use Case: Technical view

Error: ProjectIncorrectness
Description: The evidence does not support the certification objectives
From use case: Technical view
Discovered by the following checks: • Technical view.RegulationManagerChecks
Occurrences: • in Technical view
Error View:

Table 369 Error: ProjectIncorrectness

1.5 MEDINI

This section explains the determination of the Tool Confidence Level (TCL) for the tool Medini.

Tool: Medini
Description: Tool Medini Analyzer
Comment: The results are always reviewed by human experts. The tool generates neither the tests that should be addressed during the project nor the software that should be tested.
Impact: TI 2 (Impact)
Tool Confidence Level: TCL 1

Table 370 Tool: Medini

The tool Medini is modeled with 65 elements which have impact, none of them are assumptions. No additional features have been modeled.

Elements          Amount (Assumptions)
Use Cases         10 (0)
Checks            20 (0)
Restrictions      14 (0)
Potential Errors  21 (0)

Table 371 Amount of Elements in Tool: Medini

1.5.1 USE CASES OF MEDINI

This section describes all analyzed use cases of Medini in separate subsections.


The following use cases of the tool Medini are considered:

1. Detailed architecture definition, see Section 1.5.1.1
2. FHA Generation, see Section 1.5.1.2
3. FMEA Generation, see Section 1.5.1.3
4. FTA Generation, see Section 1.5.1.4
5. Function allocation, see Section 1.5.1.5
6. Generation HW Coverage, see Section 1.5.1.6
7. HW/SW allocation, see Section 1.5.1.7
8. Item Definition, see Section 1.5.1.8
9. Safety goals definition, see Section 1.5.1.9
10. SW Architecture definition, see Section 1.5.1.10

1.5.1.1 USE CASE DETAILED ARCHITECTURE DEFINITION

This section describes the use case "Detailed architecture definition". UseCase: Detailed architecture definition Description: Detailed architecture definition

Table 372 UseCase: Detailed architecture definition

The use case requires no features and calls no other use cases. Use cases calling "Detailed architecture definition":

• GEMDE Certification,Technical view The use case "Detailed architecture definition" reads and/or writes the following artifacts. The used artifacts are shown in Fig 17 and are summarized in the subsequent table.

Page 197: APPENDIX A – GLOSSARY - UGRatcproyectos.ugr.es/recomp/images/stories/deliverables/D2...shell and utilities interfaces, for software compatible with variants of the Unix operating
Page 198: APPENDIX A – GLOSSARY - UGRatcproyectos.ugr.es/recomp/images/stories/deliverables/D2...shell and utilities interfaces, for software compatible with variants of the Unix operating

Fig 69 Artifacts of Use Case: Detailed architecture definition

Artifacts of Use Case: Detailed architecture definition Outputs: • Detailed System Architecture Inputs & Outputs: • Detailed System Architecture

Table 373 Artifacts of Use Case: Detailed architecture definition

1.5.1.2 USE CASE FHA GENERATION

This section describes the use case "FHA Generation". UseCase: FHA Generation Description: FHA Generation

Table 374 UseCase: FHA Generation

The use case requires no features and calls no other use cases. Use cases calling "FHA Generation":

• GEMDE Certification,Technical view The use case "FHA Generation" reads and/or writes the following artifacts. The used artifacts are shown in TCL Determination for Use Case: Code generation and are summarized in the subsequent table.

Page 199: APPENDIX A – GLOSSARY - UGRatcproyectos.ugr.es/recomp/images/stories/deliverables/D2...shell and utilities interfaces, for software compatible with variants of the Unix operating
Page 200: APPENDIX A – GLOSSARY - UGRatcproyectos.ugr.es/recomp/images/stories/deliverables/D2...shell and utilities interfaces, for software compatible with variants of the Unix operating

Fig 70 Artifacts of Use Case: FHA Generation

Artifacts of Use Case: FHA Generation Outputs: • FHA Inputs & Outputs: • FHA

Table 375 Artifacts of Use Case: FHA Generation

1.5.1.3 USE CASE FMEA GENERATION

This section describes the use case "FMEA Generation". UseCase: FMEA Generation Description: FMEA Generation

Table 376 UseCase: FMEA Generation

The use case requires no features and calls no other use cases. Use cases calling "FMEA Generation":

• GEMDE Certification,Technical view In order to fulfill the requirements of the use case, usually a number of artifacts will be read and/or written. But in "FMEA Generation" the tool Medini uses no artifacts.

1.5.1.4 USE CASE FTA GENERATION

This section describes the use case "FTA Generation". UseCase: FTA Generation Description: FTA Generation

Table 377 UseCase: FTA Generation

The use case requires no features and calls no other use cases. Use cases calling "FTA Generation":

• GEMDE Certification,Technical view In order to fulfill the requirements of the use case, usually a number of artifacts will be read and/or written. But in "FTA Generation" the tool Medini uses no artifacts.

1.5.1.5 USE CASE FUNCTION ALLOCATION

This section describes the use case "Function allocation". UseCase: Function allocation Description: Function allocation

Page 201: APPENDIX A – GLOSSARY - UGRatcproyectos.ugr.es/recomp/images/stories/deliverables/D2...shell and utilities interfaces, for software compatible with variants of the Unix operating

Table 378 UseCase: Function allocation

The use case requires no features and calls no other use cases. Use cases calling "Function allocation":

• GEMDE Certification,Technical view In order to fulfill the requirements of the use case, usually a number of artifacts will be read and/or written. But in "Function allocation" the tool Medini uses no artifacts.

1.5.1.6 USE CASE GENERATION HW COVERAGE

This section describes the use case "Generation HW Coverage". UseCase: Generation HW Coverage Description: Generation HW Coverage

Table 379 UseCase: Generation HW Coverage

The use case requires no features and calls no other use cases. Use cases calling "Generation HW Coverage":

• GEMDE Certification,Technical view In order to fulfill the requirements of the use case, usually a number of artifacts will be read and/or written. But in "Generation HW Coverage" the tool Medini uses no artifacts.

1.5.1.7 USE CASE HW/SW ALLOCATION

This section describes the use case "HW/SW allocation". UseCase: HW/SW allocation Description: HW/SW allocation

Table 380 UseCase: HW/SW allocation

The use case requires no features and calls no other use cases. Use cases calling "HW/SW allocation":

• GEMDE Certification,Technical view In order to fulfill the requirements of the use case, usually a number of artifacts will be read and/or written. But in "HW/SW allocation" the tool Medini uses no artifacts.

1.5.1.8 USE CASE ITEM DEFINITION

This section describes the use case "Item Definition". UseCase: Item Definition Description: Item Definition

Page 202: APPENDIX A – GLOSSARY - UGRatcproyectos.ugr.es/recomp/images/stories/deliverables/D2...shell and utilities interfaces, for software compatible with variants of the Unix operating

Table 381 UseCase: Item Definition

The use case requires no features and calls no other use cases. Use cases calling "Item Definition":

• GEMDE Certification,Technical view In order to fulfill the requirements of the use case, usually a number of artifacts will be read and/or written. But in "Item Definition" the tool Medini uses no artifacts.

1.5.1.9 USE CASE SAFETY GOALS DEFINITION

This section describes the use case "Safety goals definition". UseCase: Safety goals definition Description: Safety goals definition

Table 382 UseCase: Safety goals definition

The use case requires no features and calls no other use cases. Use cases calling "Safety goals definition":

• GEMDE Certification,Technical view In order to fulfill the requirements of the use case, usually a number of artifacts will be read and/or written. But in "Safety goals definition" the tool Medini uses no artifacts.

1.5.1.10 USE CASE SW ARCHITECTURE DEFINITION

This section describes the use case "SW Architecture definition". UseCase: SW Architecture definition Description: SW Architecture definition

Table 383 UseCase: SW Architecture definition

The use case requires no features and calls one other use case. Table 133 shows the dependencies between the use cases and features.

Fig 71 Dependency View of Use Case: SW Architecture definition

"SW Architecture definition" calls following use cases: • Simulink,Modelling Requirements

Use cases calling "SW Architecture definition":

• GEMDE Certification,Technical view

In order to fulfill the requirements of the use case, usually a number of artifacts will be read and/or written. But in "SW Architecture definition" the tool Medini uses no artifacts.


1.5.2 FEATURES OF MEDINI

There are no features modeled for Medini.

1.5.3 POTENTIAL ERRORS IN MEDINI

The tool has 21 different potential errors in 21 occurrences in use cases. The error flow, as can be seen in Table 134, consists of all relations from errors to checks or restrictions. There are

• no relation from errors caused by other tools to checks or restrictions defined for use cases of this tool.

• 34 relations from errors caused by this tool to checks or restrictions defined for use cases of this tool.

• no relation from errors caused by this tool to checks or restrictions defined for use cases of other tools.

Fig 72 Error Flow to and from Medini

Medini has the following 34 relations, which are detected by checks or restrictions of this tool. The errors are described in detail in the TCL analysis of the corresponding use cases:

• 001-xxx is not traced with a simulink port (Table 136)

• 002-xxx is safety related and has no safety goal assigned (Feature EMF)

• 003-xxx has no functional safety requirement specified (Fig 31)

• 004-Safety goal has no FTA traced (Use Case Generate Tool Classification Report)

• 005-xxx (safety req) has no unique identifier (Feature Excel Interface)

• 006-Safety goal is not associated to a hazardous event (TCL Determination for Use Case: Assurance Case edition)

• 007-Architecture element has no name set (TCL Determination for Use Case: Modelling Requirements)

• 008-Port xxx is not connected (Use Case Assurance Case edition)

• 009-req is not correctly decomposed (Feature Compute Tool Confidence Level)

• 010-xxx has no justification given for the estimated ranking of exposure for the ISO ASIL (Table 143)

• 011-xxx has failure mode with category 'no part' and failure modes with other categories. (Use Case Create Model)

• 012-xxx ASIL does not match to ASIL of associated goal (Table 144)

• 013-Hazard has no item traced (Use Case Cost Calculation)

• 014-xxx has an invalid ASIL. ASIL has to be the same or higher than of goals it contributes to (Fig 29)

• 015-FTA model has a loop due to transfer gates (Fig 25)

• 016-The decomposing requirement xxx is allocated to the same architecture or software element as its neighbor (Use Case Review Model)

• 017-Name of xxx is different from corresponding system architecture element(s): yyy (Fig 21)

• 018-xxx has no corresponding architecture element in any of the architecture model(s): yyy (Fig 22)

• 019-xxx has no corresponding architecture element in the derived worksheet(s): yyy (Use Case Determinate Tool Confidence Level)

• 020-"xxx does not have the same failure modes than corresponding architecture element(s): yyy" (Fig 23)

• 021-Assessment or validation of the Qualification Project against the Qualification Reference (Fig 18)

1.5.4 RESTRICTIONS IN MEDINI

The tool Medini must only be used with the following restrictions.

Restriction: 001-All systems architecture port traced with simulink
Description: 001-All systems architecture port traced with simulink
From use case: Medini,Detailed architecture definition
Error avoidance probability: TD 1 (HIGH)
Occurrences:
• in Detailed architecture definition
Avoided errors:
• Detailed architecture definition,001-xxx is not traced with a simulink port

Table 384 Restriction: 001-All systems architecture port traced with simulink

Restriction: 002-All hazard event assigned to a safety goal
Description: 002-All hazard event assigned to a safety goal
From use case: Medini,Safety goals definition
Error avoidance probability: TD 1 (HIGH)
Occurrences:
• in Safety goals definition
Avoided errors:
• Safety goals definition,002-xxx is safety related and has no safety goal assigned

Table 385 Restriction: 002- All hazard event assigned to a safety goal

Restriction: 003-For all safety goal exist one safety requirement
Description: 003-For all safety goal exist one safety requirement
From use case: Medini,Safety goals definition
Error avoidance probability: TD 1 (HIGH)
Occurrences:
• in Safety goals definition
Avoided errors:
• Safety goals definition,003-xxx has no functional safety requirement specified

Table 386 Restriction: 003-For all safety goal exist one safety requirement

Restriction: 004-All safety goal traced with FTA
Description: 004-All safety goal traced with FTA
From use case: Medini,FTA Generation
Error avoidance probability: TD 1 (HIGH)
Occurrences:
• in FTA Generation
Avoided errors:
• FTA Generation,004-Safety goal has no FTA traced

Table 387 Restriction: 004-All safety goal traced with FTA

Restriction: 005-Exist a unique safety requirement identifier
Description: 005-Exist a unique safety requirement identifier
From use case: Medini,Safety goals definition
Error avoidance probability: TD 1 (HIGH)
Occurrences:
• in Safety goals definition
Avoided errors:
• Safety goals definition,005-xxx (safety req) has no unique identifier

Table 388 Restriction: 005-Exist a unique safety requirement identifier

Restriction: 006-All safety goal associated to a hazardous event
Description: 006-All safety goal associated to a hazardous event
From use case: Medini,FHA Generation
Error avoidance probability: TD 1 (HIGH)
Occurrences:
• in FHA Generation
Avoided errors:
• FHA Generation,006-Safety goal is not associated to a hazardous event

Table 389 Restriction: 006-All safety goal associated to a hazardous event


Restriction: 007-Each system architecture element is named
Description: 007-Each system architecture element is named
From use case: Medini,Detailed architecture definition
Error avoidance probability: TD 1 (HIGH)
Occurrences:
• in Detailed architecture definition
Avoided errors:
• Detailed architecture definition,007-Architecture element has no name set

Table 390 Restriction: 007-Each system architecture element is named

Restriction: 008-All ports are connected
Description: 008-All ports are connected
From use case: Medini,Detailed architecture definition
Error avoidance probability: TD 1 (HIGH)
Occurrences:
• in Detailed architecture definition
Avoided errors:
• Detailed architecture definition,008-Port xxx is not connected

Table 391 Restriction: 008-All ports are connected

Restriction: 009-Validation of decomposition
Description: 009-Validation of decomposition
From use case: Medini,HW/SW allocation
Error avoidance probability: TD 1 (HIGH)
Occurrences:
• in HW/SW allocation
Avoided errors:
• HW/SW allocation,009-req is not correctly decomposed

Table 392 Restriction: 009-Validation of decomposition

Restriction: 012-Hazard and goal ASIL must be the same
Description: 012-Hazard and goal ASIL must be the same
From use case: Medini,FHA Generation
Error avoidance probability: TD 1 (HIGH)
Occurrences:
• in FHA Generation
Avoided errors:
• FHA Generation,012-xxx ASIL does not match to ASIL of associated goal

Table 393 Restriction: 012-Hazard and goal ASIL must be the same

Restriction: 013-All hazard model traced to an item
Description: 013-All hazard model traced to an item
From use case: Medini,FHA Generation
Error avoidance probability: TD 1 (HIGH)
Occurrences:
• in FHA Generation
Avoided errors:
• FHA Generation,013-Hazard has no item traced

Table 394 Restriction: 013-All hazard model traced to an item

Restriction: 014-All safety requirements SIL >= safety goal SIL
Description: 014-All safety requirements SIL >= safety goal SIL
From use case: Medini,HW/SW allocation
Error avoidance probability: TD 1 (HIGH)
Occurrences:
• in HW/SW allocation
Avoided errors:
• HW/SW allocation,014-xxx has an invalid ASIL. ASIL has to be the same or higher than of goals it contributes to

Table 395 Restriction: 014-All safety requirements SIL >= safety goal SIL

Restriction: 015-FTA does not contain loops
Description: 015-FTA does not contain loops
From use case: Medini,FTA Generation
Error avoidance probability: TD 1 (HIGH)
Occurrences:
• in FTA Generation
Avoided errors:
• FTA Generation,015-FTA model has a loop due to transfer gates

Table 396 Restriction: 015-FTA does not contain loops

Restriction: 021-Failure modes names must be consistent for each diagram/table
Description: 021-Failure modes names must be consistent for each diagram/table
From use case: Medini,Detailed architecture definition
Error avoidance probability: TD 1 (HIGH)
Occurrences:
• in Detailed architecture definition
Avoided errors:
• Detailed architecture definition,021-Assessment or validation of the Qualification Project against the Qualification Reference

Table 397 Restriction: 021-Failure modes names must be consistent for each diagram/table

1.5.5 CHECKS IN MEDINI

The following 20 checks are performed in the tool Medini.

Check: 001-Trace architecture port- Simulink
Description: Checks if each system architecture port is traced with a Simulink port
From use case: Medini,Detailed architecture definition
Occurrences:
• in Detailed architecture definition
Error detection probability: TD 1 (HIGH)
Detected errors:
• Detailed architecture definition,001-xxx is not traced with a simulink port

Table 398 Check: 001-Trace architecture port- Simulink

Check: 002-Link hazard- safety goal
Description: Checks if each safety related hazardous event has a safety goal assigned
From use case: Medini,Safety goals definition
Occurrences:
• in Safety goals definition
Error detection probability: TD 1 (HIGH)
Detected errors:
• Safety goals definition,002-xxx is safety related and has no safety goal assigned

Table 399 Check: 002-Link hazard- safety goal

Check: 003-Checks if for each safety goal at least one functional safety requirement is specified
Description: 003-Checks if for each safety goal at least one functional safety requirement is specified
From use case: Medini,Safety goals definition
Occurrences:
• in Safety goals definition
Error detection probability: TD 1 (HIGH)
Detected errors:
• Safety goals definition,003-xxx has no functional safety requirement specified

Table 400 Check: 003-Checks if for each safety goal at least one functional safety requirement is specified

Check: 004-Checks if each safety goal has a FTA traced
Description: 004-Checks if each safety goal has a FTA traced
From use case: Medini,FTA Generation
Occurrences:
• in FTA Generation
Error detection probability: TD 1 (HIGH)
Detected errors:
• FTA Generation,004-Safety goal has no FTA traced

Table 401 Check: 004-Checks if each safety goal has a FTA traced

Check: 005-Checks if every safety requirement has a unique identifier
Description: 005-Checks if every safety requirement has a unique identifier
From use case: Medini,Safety goals definition
Occurrences:
• in Safety goals definition
Error detection probability: TD 1 (HIGH)
Detected errors:
• Safety goals definition,005-xxx (safety req) has no unique identifier

Table 402 Check: 005-Checks if every safety requirement has a unique identifier

Check: 006-Checks if each safety goal is associated to a hazardous event
Description: 006-Checks if each safety goal is associated to a hazardous event
From use case: Medini,FHA Generation
Occurrences:
• in FHA Generation
Error detection probability: TD 1 (HIGH)
Detected errors:
• FHA Generation,006-Safety goal is not associated to a hazardous event

Table 403 Check: 006-Checks if each safety goal is associated to a hazardous event


Check: 007-Checks if each system architecture element has a name set (except for connectors)
Description: 007-Checks if each system architecture element has a name set (except for connectors)
From use case: Medini,Detailed architecture definition
Occurrences:
• in Detailed architecture definition
Error detection probability: TD 1 (HIGH)
Detected errors:
• Detailed architecture definition,007-Architecture element has no name set

Table 404 Check: 007-Checks if each system architecture element has a name set (except for connectors)

Check: 008-Checks if each system architecture port is connected
Description: 008-Checks if each system architecture port is connected
From use case: Medini,Detailed architecture definition
Occurrences:
• in Detailed architecture definition
Error detection probability: TD 1 (HIGH)
Detected errors:
• Detailed architecture definition,008-Port xxx is not connected

Table 405 Check: 008-Checks if each system architecture port is connected

Check: 009-Checks if a valid decomposition has been applied
Description: 009-Checks if a valid decomposition has been applied
From use case: Medini,HW/SW allocation
Occurrences:
• in HW/SW allocation
Error detection probability: TD 1 (HIGH)
Detected errors:
• HW/SW allocation,009-req is not correctly decomposed

Table 406 Check: 009-Checks if a valid decomposition has been applied

Check: 010-Checks that each ranking of exposure from E0 to E2 has a justification given for the estimation
Description: 010-Checks that each ranking of exposure from E0 to E2 has a justification given for the estimation
From use case: Medini,FHA Generation
Occurrences:
• in FHA Generation
Error detection probability: TD 1 (HIGH)
Detected errors:
• FHA Generation,010-xxx has no justification given for the estimated ranking of exposure for the ISO ASIL

Table 407 Check: 010-Checks that each ranking of exposure from E0 to E2 has a justification given for the estimation

Check: 011-Checks that either all failure modes of a FMEA component xxx have category 'no part' or none
Description: 011-Checks that either all failure modes of a FMEA component xxx have category 'no part' or none
From use case: Medini,FMEA Generation
Occurrences:
• in FMEA Generation
Error detection probability: TD 1 (HIGH)
Detected errors:
• FMEA Generation,011-xxx has failure mode with category 'no part' and failure modes with other categories.

Table 408 Check: 011-Checks that either all failure modes of a FMEA component xxx have category 'no part' or none

Check: 012-Checks that the ASIL of a hazard matches the ASIL of an associated goal
Description: 012-Checks that the ASIL of a hazard matches the ASIL of an associated goal
From use case: Medini,FHA Generation
Occurrences:
• in FHA Generation
Error detection probability: TD 1 (HIGH)
Detected errors:
• FHA Generation,012-xxx ASIL does not match to ASIL of associated goal

Table 409 Check: 012-Checks that the ASIL of a hazard matches the ASIL of an associated goal

Check: 013-Checks that each Hazard model is traced to an item
Description: 013-Checks that each Hazard model is traced to an item
From use case: Medini,FHA Generation
Occurrences:
• in FHA Generation
Error detection probability: TD 1 (HIGH)
Detected errors:
• FHA Generation,013-Hazard has no item traced

Table 410 Check: 013-Checks that each Hazard model is traced to an item

Check: 014-Checks if safety requirements have the same or higher ASIL than of goals they contribute to
Description: 014-Checks if safety requirements have the same or higher ASIL than of goals they contribute to
From use case: Medini,HW/SW allocation
Occurrences:
• in HW/SW allocation
Error detection probability: TD 1 (HIGH)
Detected errors:
• HW/SW allocation,014-xxx has an invalid ASIL. ASIL has to be the same or higher than of goals it contributes to

Table 411 Check: 014-Checks if safety requirements have the same or higher ASIL than of goals they contribute to

Check: 016-Checks that no decomposing requirement is allocated to the same architecture or software element as its neighbour
Description: 016-Checks that no decomposing requirement is allocated to the same architecture or software element as its neighbour
From use case: Medini,Function allocation
Occurrences:
• in Function allocation
Error detection probability: TD 1 (HIGH)
Detected errors:
• Function allocation,016-The decomposing requirement xxx is allocated to the same architecture or software element as its neighbor

Table 412 Check: 016-Checks that no decomposing requirement is allocated to the same architecture or software element as its neighbour

Check: 017-Checks for name differences between FMEA components and corresponding system architecture elements
Description: 017-Checks for name differences between FMEA components and corresponding system architecture elements
From use case: Medini,FMEA Generation
Occurrences:
• in FMEA Generation
Error detection probability: TD 1 (HIGH)
Detected errors:
• FMEA Generation,017-Name of xxx is different from corresponding system architecture element(s): yyy

Table 413 Check: 017-Checks for name differences between FMEA components and corresponding system architecture elements

Check: 018-Checks that all FMEA components have pendants in at least one system architecture the worksheet is derived of
Description: 018-Checks that all FMEA components have pendants in at least one system architecture the worksheet is derived of
From use case: Medini,FMEA Generation
Occurrences:
• in FMEA Generation
Error detection probability: TD 1 (HIGH)
Detected errors:
• FMEA Generation,018-xxx has no corresponding architecture element in any of the architecture model(s): yyy

Table 414 Check: 018-Checks that all FMEA components have pendants in at least one system architecture the worksheet is derived of

Check: 019-Checks that all system architecture parts have pendants in the derived FMEA worksheets
Description: 019-Checks that all system architecture parts have pendants in the derived FMEA worksheets
From use case: Medini,FMEA Generation
Occurrences:
• in FMEA Generation
Error detection probability: TD 1 (HIGH)
Detected errors:
• FMEA Generation,019-xxx has no corresponding architecture element in the derived worksheet(s): yyy

Table 415 Check: 019-Checks that all system architecture parts have pendants in the derived FMEA worksheets

Check: 020-Checks for consistency between failure modes of FMEA components and related system architecture elements
Description: 020-Checks for consistency between failure modes of FMEA components and related system architecture elements
From use case: Medini,FMEA Generation
Occurrences:
• in FMEA Generation
Error detection probability: TD 1 (HIGH)
Detected errors:
• FMEA Generation,020-"xxx does not have the same failure modes than corresponding architecture element(s): yyy"

Table 416 Check: 020-Checks for consistency between failure modes of FMEA components and related system architecture elements

Check: 021-Checks for name consistency between failure modes
Description: 021-Checks for name consistency between failure modes
From use case: Medini,Detailed architecture definition
Occurrences:
• in Detailed architecture definition
Error detection probability: TD 1 (HIGH)
Detected errors:
• Detailed architecture definition,021-Assessment or validation of the Qualification Project against the Qualification Reference

Table 417 Check: 021-Checks for name consistency between failure modes

1.5.6 ASSUMPTIONS

The determination of the TCL of Medini is not based on assumed checks and restrictions. None of the checks and restrictions are modeled as assumptions.

1.5.7 TCL DETERMINATION

This section determines a TCL for each use case by assigning checks or restrictions with detection/avoidance probability to each potential error. The TCL for the entire tool can be derived from the TCL for each use case. The tool Medini has 10 use cases with TCL 1, no use case with TCL 2 and no use case with TCL 3. Therefore the tool Medini has TCL 1. The use cases are described in the following sections:

• For "Detailed architecture definition" (TCL 1) see Section 0,

• for "FHA Generation" (TCL 1) see Section 0,

• for "FMEA Generation" (TCL 1) see Section 0,

• for "FTA Generation" (TCL 1) see Section 0,

• for "Function allocation" (TCL 1) see Section 0,

• for "Generation HW Coverage" (TCL 1) see Section 0,

• for "HW/SW allocation" (TCL 1) see Section 0,

• for "Item Definition" (TCL 1) see Section 1.9.2.2,

• for "Safety goals definition" (TCL 1) see Section 0, and

• for "SW Architecture definition" (TCL 1) see Section 0.


1.5.7.1 TCL DETERMINATION FOR USE CASE: DETAILED ARCHITECTURE DEFINITION

The use case "Detailed architecture definition" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "Detailed architecture definition".

Error | TD | Table
001-xxx is not traced with a simulink port | TD 1 (HIGH) | Table 136
007-Architecture element has no name set | TD 1 (HIGH) | TCL Determination for Use Case: Modelling Requirements
008-Port xxx is not connected | TD 1 (HIGH) | Use Case Assurance Case edition
021-Assessment or validation of the Qualification Project against the Qualification Reference | TD 1 (HIGH) | Fig 18

Table 418 Errors of Use Case: Detailed architecture definition

Error: 001-xxx is not traced with a simulink port
Description: 001-xxx is not traced with a simulink port
From use case: Detailed architecture definition
Discovered by the following checks:
• Detailed architecture definition.001-Trace architecture port- Simulink
Occurrences:
• in Detailed architecture definition
Avoided by the following restrictions:
• Detailed architecture definition.001-All systems architecture port traced with simulink
Error View:

Table 419 Error: 001-xxx is not traced with a simulink port

Error: 007-Architecture element has no name set
Description: 007-Architecture element has no name set
From use case: Detailed architecture definition
Discovered by the following checks:
• Detailed architecture definition.007-Checks if each system architecture element has a name set (except for connectors)
Occurrences:
• in Detailed architecture definition
Avoided by the following restrictions:
• Detailed architecture definition.007-Each system architecture element is named
Error View:

Table 420 Error: 007-Architecture element has no name set

Error: 008-Port xxx is not connected
Description: 008-Port xxx is not connected
From use case: Detailed architecture definition
Discovered by the following checks:
• Detailed architecture definition.008-Checks if each system architecture port is connected
Occurrences:
• in Detailed architecture definition
Avoided by the following restrictions:
• Detailed architecture definition.008-All ports are connected
Error View:

Table 421 Error: 008-Port xxx is not connected

Error: 021-Assessment or validation of the Qualification Project against the Qualification Reference
Description: 021-Assessment or validation of the Qualification Project against the Qualification Reference
From use case: Detailed architecture definition
Discovered by the following checks:
• Detailed architecture definition.021-Checks for name consistency between failure modes
Occurrences:
• in Detailed architecture definition
Avoided by the following restrictions:
• Detailed architecture definition.021-Failure modes names must be consistent for each diagram/table
Error View:

Table 422 Error: 021-Assessment or validation of the Qualification Project against the Qualification Reference

1.5.7.2 TCL DETERMINATION FOR USE CASE: FHA GENERATION

The use case "FHA Generation" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "FHA Generation".

Error | TD | Table
006-Safety goal is not associated to a hazardous event | TD 1 (HIGH) | TCL Determination for Use Case: Assurance Case edition
010-xxx has no justification given for the estimated ranking of exposure for the ISO ASIL | TD 1 (HIGH) | Table 143
012-xxx ASIL does not match to ASIL of associated goal | TD 1 (HIGH) | Table 144
013-Hazard has no item traced | TD 1 (HIGH) | Use Case Cost Calculation

Table 423 Errors of Use Case: FHA Generation

Error: 006-Safety goal is not associated to a hazardous event
Description: 006-Safety goal is not associated to a hazardous event
From use case: FHA Generation
Discovered by the following checks:
• FHA Generation.006-Checks if each safety goal is associated to a hazardous event
Occurrences:
• in FHA Generation
Avoided by the following restrictions:
• FHA Generation.006-All safety goal associated to a hazardous event
Error View:

Table 424 Error: 006-Safety goal is not associated to a hazardous event

Error: 010-xxx has no justification given for the estimated ranking of exposure for the ISO ASIL
Description: 010-xxx has no justification given for the estimated ranking of exposure for the ISO ASIL
From use case: FHA Generation
Discovered by the following checks:
• FHA Generation.010-Checks that each ranking of exposure from E0 to E2 has a justification given for the estimation
Occurrences:
• in FHA Generation
Error View:

Table 425 Error: 010-xxx has no justification given for the estimated ranking of exposure for the ISO ASIL

Error: 012-xxx ASIL does not match to ASIL of associated goal
Description: 012-xxx ASIL does not match to ASIL of associated goal
From use case: FHA Generation
Discovered by the following checks:
• FHA Generation.012-Checks that the ASIL of a hazard matches the ASIL of an associated goal
Occurrences:
• in FHA Generation
Avoided by the following restrictions:
• FHA Generation.012-Hazard and goal ASIL must be the same
Error View:

Table 426 Error: 012-xxx ASIL does not match to ASIL of associated goal

Error: 013-Hazard has no item traced
Description: 013-Hazard has no item traced
From use case: FHA Generation
Discovered by the following checks:
• FHA Generation.013-Checks that each Hazard model is traced to an item
Occurrences:
• in FHA Generation
Avoided by the following restrictions:
• FHA Generation.013-All hazard model traced to an item
Error View:

Table 427 Error: 013-Hazard has no item traced

1.5.7.3 TCL DETERMINATION FOR USE CASE: FMEA GENERATION

The use case "FMEA Generation" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "FMEA Generation".

Error | TD | Table
011-xxx has failure mode with category 'no part' and failure modes with other categories. | TD 1 (HIGH) | Use Case Create Model
017-Name of xxx is different from corresponding system architecture element(s): yyy | TD 1 (HIGH) | Fig 21
018-xxx has no corresponding architecture element in any of the architecture model(s): yyy | TD 1 (HIGH) | Fig 22
019-xxx has no corresponding architecture element in the derived worksheet(s): yyy | TD 1 (HIGH) | Use Case Determinate Tool Confidence Level
020-"xxx does not have the same failure modes than corresponding architecture element(s): yyy" | TD 1 (HIGH) | Fig 23

Table 428 Errors of Use Case: FMEA Generation

Error: 011-xxx has failure mode with category 'no part' and failure modes with other categories.
Description: 001-xxx has failure mode with category 'no part' and failure modes with other categories.
From use case: FMEA Generation
Discovered by the following checks:
• FMEA Generation.011-Checks that either all failure modes of a FMEA component xxx have category 'no part' or none
Occurrences:
• in FMEA Generation
Error View:

Table 429 Error: 011-xxx has failure mode with category 'no part' and failure modes with other categories.

Error: 017-Name of xxx is different from corresponding system architecture element(s): yyy
Description: 017-Name of xxx is different from corresponding system architecture element(s): yyy
From use case: FMEA Generation
Discovered by the following checks:
• FMEA Generation.017-Checks for name differences between FMEA components and corresponding system architecture elements
Occurrences:
• in FMEA Generation
Error View:

Table 430 Error: 017-Name of xxx is different from corresponding system architecture element(s): yyy

Error: 018-xxx has no corresponding architecture element in any of the architecture model(s): yyy
Description: 018-xxx has no corresponding architecture element in any of the architecture model(s): yyy
From use case: FMEA Generation
Discovered by the following checks:
• FMEA Generation.018-Checks that all FMEA components have pendants in at least one system architecture the worksheet is derived of
Occurrences:
• in FMEA Generation
Error View:

Table 431 Error: 018-xxx has no corresponding architecture element in any of the architecture model(s): yyy

Error: 019-xxx has no corresponding architecture element in the derived worksheet(s): yyy
Description: 019-xxx has no corresponding architecture element in the derived worksheet(s): yyy
From use case: FMEA Generation
Discovered by the following checks:
• FMEA Generation.019-Checks that all system architecture parts have pendants in the derived FMEA worksheets
Occurrences:
• in FMEA Generation
Error View:

Table 432 Error: 019-xxx has no corresponding architecture element in the derived worksheet(s): yyy

Error: 020-"xxx does not have the same failure modes than corresponding architecture element(s): yyy"
Description: 020-"xxx does not have the same failure modes than corresponding architecture element(s): yyy"
From use case: FMEA Generation
Discovered by the following checks:
• FMEA Generation.020-Checks for consistency between failure modes of FMEA components and related system architecture elements
Occurrences:
• in FMEA Generation
Error View:

Table 433 Error: 020-"xxx does not have the same failure modes than corresponding architecture element(s): yyy"

1.5.7.4 TCL DETERMINATION FOR USE CASE: FTA GENERATION

The use case "FTA Generation" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "FTA Generation".

Error | TD | Table
004-Safety goal has no FTA traced | TD 1 (HIGH) | Use Case Generate Tool Classification Report
015-FTA model has a loop due to transfer gates | TD 1 (HIGH) | Fig 25

Table 434 Errors of Use Case: FTA Generation

Error: 004-Safety goal has no FTA traced
Description: 004-Safety goal has no FTA traced
From use case: FTA Generation
Discovered by the following checks:
• FTA Generation.004-Checks if each safety goal has a FTA traced
Occurrences:
• in FTA Generation
Avoided by the following restrictions:
• FTA Generation.004-All safety goal traced with FTA
Error View:

Table 435 Error: 004-Safety goal has no FTA traced

Error: 015-FTA model has a loop due to transfer gates
Description: 015-FTA model has a loop due to transfer gates
From use case: FTA Generation
Occurrences:
• in FTA Generation
Avoided by the following restrictions:
• FTA Generation.015-FTA does not contain loops
Error View:

Table 436 Error: 015-FTA model has a loop due to transfer gates

1.5.7.5 TCL DETERMINATION FOR USE CASE: FUNCTION ALLOCATION

The use case "Function allocation" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "Function allocation".

Error | TD | Table
016-The decomposing requirement xxx is allocated to the same architecture or software element as its neighbor | TD 1 (HIGH) | Use Case Review Model

Table 437 Errors of Use Case: Function allocation

Error: 016-The decomposing requirement xxx is allocated to the same architecture or software element as its neighbor
Description: 016-The decomposing requirement xxx is allocated to the same architecture or software element as its neighbor
From use case: Function allocation
Discovered by the following checks:
• Function allocation.016-Checks that no decomposing requirement is allocated to the same architecture or software element as its neighbour
Occurrences:
• in Function allocation
Error View:

Table 438 Error: 016-The decomposing requirement xxx is allocated to the same architecture or software element as its neighbor

1.5.7.6 TCL DETERMINATION FOR USE CASE: GENERATION HW COVERAGE

The use case "Generation HW Coverage" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. This use case has no errors.

1.5.7.7 TCL DETERMINATION FOR USE CASE: HW/SW ALLOCATION

The use case "HW/SW allocation" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "HW/SW allocation".

Error | TD | Table
009-req is not correctly decomposed | TD 1 (HIGH) | Feature Compute Tool Confidence Level
014-xxx has an invalid ASIL. ASIL has to be the same or higher than of goals it contributes to | TD 1 (HIGH) | Fig 29

Table 439 Errors of Use Case: HW/SW allocation

Error: 009-req is not correctly decomposed
Description: 009-Safety requirement is not correctly decomposed
From use case: HW/SW allocation
Discovered by the following checks:
• HW/SW allocation.009-Checks if a valid decomposition has been applied
Occurrences:
• in HW/SW allocation
Avoided by the following restrictions:
• HW/SW allocation.009-Validation of decomposition
Error View:

Table 440 Error: 009-req is not correctly decomposed

Error: 014-xxx has an invalid ASIL. ASIL has to be the same or higher than of goals it contributes to
Description: 014-xxx has an invalid ASIL. ASIL has to be the same or higher than of goals it contributes to
From use case: HW/SW allocation
Discovered by the following checks:
• HW/SW allocation.014-Checks if safety requirements have the same or higher ASIL than of goals they contribute to
Occurrences:
• in HW/SW allocation
Avoided by the following restrictions:
• HW/SW allocation.014-All safety requirements SIL >= safety goal SIL
Error View:

Table 441 Error: 014-xxx has an invalid ASIL. ASIL has to be the same or higher than of goals it contributes to


1.5.7.8 TCL DETERMINATION FOR USE CASE: ITEM DEFINITION

The use case "Item Definition" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. This use case has no errors.

1.5.7.9 TCL DETERMINATION FOR USE CASE: SAFETY GOALS DEFINITION

The use case "Safety goals definition" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "Safety goals definition".

Error | TD | Table
002-xxx is safety related and has no safety goal assigned | TD 1 (HIGH) | Feature EMF
003-xxx has no functional safety requirement specified | TD 1 (HIGH) | Fig 31
005-xxx (safety req) has no unique identifier | TD 1 (HIGH) | Feature Excel Interface

Table 442 Errors of Use Case: Safety goals definition

Error: 002-xxx is safety related and has no safety goal assigned
Description: xxx is safety related and has no safety goal assigned
From use case: Safety goals definition
Discovered by the following checks:
• Safety goals definition.002-Link hazard - safety goal
Occurrences:
• in Safety goals definition
Avoided by the following restrictions:
• Safety goals definition.002-All hazard events assigned to a safety goal
Error View:

Table 443 Error: 002-xxx is safety related and has no safety goal assigned

Error: 003-xxx has no functional safety requirement specified
Description: 003-xxx has no functional safety requirement specified
From use case: Safety goals definition
Discovered by the following checks:
• Safety goals definition.003-Checks if for each safety goal at least one functional safety requirement is specified
Occurrences:
• in Safety goals definition
Avoided by the following restrictions:
• Safety goals definition.003-For all safety goals at least one safety requirement exists
Error View:

Table 444 Error: 003-xxx has no functional safety requirement specified


Error: 005-xxx (safety req) has no unique identifier
Description: 005-safety requirement has no unique identifier
From use case: Safety goals definition
Discovered by the following checks:
• Safety goals definition.005-Checks if every safety requirement has a unique identifier
Occurrences:
• in Safety goals definition
Avoided by the following restrictions:
• Safety goals definition.005-A unique safety requirement identifier exists
Error View:

Table 445 Error: 005-xxx (safety req) has no unique identifier

1.5.7.10 TCL DETERMINATION FOR USE CASE: SW ARCHITECTURE DEFINITION

The use case "SW Architecture definition" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. This use case has no errors.

1.6 NUSMV MODEL CHECKER

This section explains the determination of the Tool Confidence Level (TCL) for the tool nuSMV Model Checker.

Tool: nuSMV Model Checker
Description: -None-
Impact: TI 2 (Impact)
Tool Confidence Level: TCL 1

Table 446 Tool: nuSMV Model Checker


The tool nuSMV Model Checker is modeled with no element which has impact. No additional features have been modeled.

Elements | Amount (Assumptions)
Use Cases | 0 (0)
Checks | 0 (0)
Restrictions | 0 (0)
Potential Errors | 0 (0)

Table 447 Amount of Elements in Tool: nuSMV Model Checker

1.6.1 USE CASES OF NUSMV MODEL CHECKER

There are no use cases modeled for nuSMV Model Checker.

1.6.2 FEATURES OF NUSMV MODEL CHECKER

There are no features modeled for nuSMV Model Checker.

1.6.3 POTENTIAL ERRORS IN NUSMV MODEL CHECKER

The tool has no potential error. The error flow consists of all relations from errors to checks or restrictions. There are

• no relation from errors caused by other tools to checks or restrictions defined for use cases of this tool.

• no relation from errors caused by this tool to checks or restrictions defined for use cases of this tool.

• no relation from errors caused by this tool to checks or restrictions defined for use cases of other tools.

1.6.4 RESTRICTIONS IN NUSMV MODEL CHECKER

There are no restrictions in the tool nuSMV Model Checker.

1.6.5 CHECKS IN NUSMV MODEL CHECKER

No checks are performed in the tool nuSMV Model Checker.

1.6.6 ASSUMPTIONS

The determination of the TCL of nuSMV Model Checker is not based on assumed checks and restrictions. None of the checks and restrictions are modeled as assumptions.

1.6.7 TCL DETERMINATION

This section determines a TCL for each use case by assigning checks or restrictions with detection/avoidance probability to each potential error. The TCL for the entire tool can be derived from the TCL for each use case. The tool nuSMV Model Checker has no use case with TCL 1, no use case with TCL 2 and no use case with TCL 3. Therefore the tool nuSMV Model Checker has TCL 1.

There are no use cases modeled for the tool nuSMV Model Checker.

1.7 PROB MODEL CHECKER

This section explains the determination of the Tool Confidence Level (TCL) for the tool ProB Model Checker.

Tool: ProB Model Checker
Description: This was not developed by us, but might be helpful to detect errors
Impact: TI 2 (Impact)
Tool Confidence Level: TCL 1

Table 448 Tool: ProB Model Checker

The tool ProB Model Checker is modeled with 3 elements which have impact, one of which is an assumption. No additional features have been modeled.

Elements | Amount (Assumptions)
Use Cases | 1 (0)
Checks | 1 (1)
Restrictions | 0 (0)
Potential Errors | 1 (0)

Table 449 Amount of Elements in Tool: ProB Model Checker

1.7.1 USE CASES OF PROB MODEL CHECKER

This section describes all analyzed use cases of ProB Model Checker in separate subsections. The following use cases of the tool ProB Model Checker are considered:

1. Check Model, see Section 1.9.2.5

1.7.1.1 USE CASE CHECK MODEL

This section describes the use case "Check Model".

UseCase: Check Model
Description: -None-

Table 450 UseCase: Check Model

The use case requires no features and calls no other use cases. The use case "Check Model" reads and/or writes the following artifacts. The used artifacts are shown in Fig 33 and are summarized in the subsequent table.

Fig 73 Artifacts of Use Case: Check Model

Artifacts of Use Case: Check Model
Inputs:
• Safety Requirements
• System Models (Event-B)
• Verified System Models (Event-B)
Outputs:
• Verified System Models (Event-B)

Table 451 Artifacts of Use Case: Check Model

1.7.2 FEATURES OF PROB MODEL CHECKER

There are no features modeled for ProB Model Checker.

1.7.3 POTENTIAL ERRORS IN PROB MODEL CHECKER

The tool has one potential error in one occurrence in use cases. The error flow, as can be seen in Fig 74, consists of all relations from errors to checks or restrictions. There are

• 2 relations from errors caused by other tools to checks or restrictions defined for use cases of this tool.

• no relation from errors caused by this tool to checks or restrictions defined for use cases of this tool.

• one relation from errors caused by this tool to checks or restrictions defined for use cases of other tools.

Fig 74 Error Flow to and from ProB Model Checker

Fig 34 shows all 2 relations, introduced by one other tool:

Tool | Error | UseCase | Table
Rodin Prover | Theorem Provers | System Model Verification | Table 194
Rodin Prover | Verification condition generation | System Model Verification | Table 195

Table 452 Errors introduced in ProB Model Checker by other tools

Due to one relation, ProB Model Checker has an impact on one other tool. The error is listed in Feature Safety Guidelines.

Tool | Error | UseCase | Table
Rodin Prover | States missed | Check Model | Feature Xml Interface

Table 453 Errors of ProB Model Checker with impact on other tools

1.7.4 RESTRICTIONS IN PROB MODEL CHECKER

There are no restrictions in the tool ProB Model Checker.

1.7.5 CHECKS IN PROB MODEL CHECKER

The following check is performed in the tool ProB Model Checker.

Check: Model Check
Description: Check the validity of the model
Comment: This can be done using a model checker tool for some consistency rules
From use case: ProB Model Checker, Check Model
Occurrences:
• in Check Model
Error detection probability: TD 1 (HIGH)
Detected errors from other tools:
• Check Model, Rodin Prover, System Model Verification, Theorem Provers
• Check Model, Rodin Prover, System Model Verification, Verification condition generation
Is assumption: True
Relations to other tools:

Table 454 Check: Model Check

1.7.6 ASSUMPTIONS

The determination of the TCL of ProB Model Checker is based on the following assumption on the development process.

• Check: Model Check (Feature SG_Avoid Feature) occurs in:
  o Check Model

1.7.7 TCL DETERMINATION

This section determines a TCL for each use case by assigning checks or restrictions with detection/avoidance probability to each potential error. The TCL for the entire tool can be derived from the TCL for each use case. The tool ProB Model Checker has one use case with TCL 1, no use case with TCL 2 and no use case with TCL 3. Therefore the tool ProB Model Checker has TCL 1. The use cases are described in the following sections:

• For "Check Model" (TCL 1) see Section 1.9.2.9.

1.7.7.1 TCL DETERMINATION FOR USE CASE: CHECK MODEL

The use case "Check Model" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "Check Model".

Error | TD | Table
States missed | TD 1 (HIGH) | Feature Xml Interface

Table 455 Errors of Use Case: Check Model

Error: States missed
Description: -None-
Comment: This holds also for similar errors detectable by the prover
From use case: Check Model
Discovered by the following checks:
• System Model Verification.Correctness proof
Occurrences:
• in Check Model
Error View:

Table 456 Error: States missed

1.8 PROCESS CHECKER

This section explains the determination of the Tool Confidence Level (TCL) for the tool Process Checker.

Tool: Process Checker
Description: This is a manual step to validate the process for completeness. If this is the case, TCA model validation can be omitted.
Impact: TI 2 (Impact)
Tool Confidence Level: TCL 1

Table 457 Tool: Process Checker

The tool Process Checker is modeled with one element which has impact and is not an assumption. No additional features have been modeled.

Elements | Amount (Assumptions)
Use Cases | 0 (0)
Checks | 0 (0)
Restrictions | 1 (0)
Potential Errors | 0 (0)

Table 458 Amount of Elements in Tool: Process Checker

1.8.1 USE CASES OF PROCESS CHECKER

There are no use cases modeled for Process Checker.

1.8.2 FEATURES OF PROCESS CHECKER

There are no features modeled for Process Checker.

1.8.3 POTENTIAL ERRORS IN PROCESS CHECKER

The tool has no potential error. The error flow, as can be seen in Fig 35, consists of all relations from errors to checks or restrictions. There are

• 2 relations from errors caused by other tools to checks or restrictions defined for use cases of this tool.

• no relation from errors caused by this tool to checks or restrictions defined for use cases of this tool.

• no relation from errors caused by this tool to checks or restrictions defined for use cases of other tools.


Fig 75 Error Flow to and from Process Checker

Fig 36 shows all 2 relations, introduced by one other tool:

Tool | Error | UseCase | Table
Tool Chain Analyzer | Process Inconsistently Modelled | Create Model | Table 585
Tool Chain Analyzer | Process Inconsistently Modelled | Review Model | Table 600

Table 459 Errors introduced in Process Checker by other tools

1.8.4 RESTRICTIONS IN PROCESS CHECKER

The tool Process Checker must only be used with the following restriction.

Restriction: Consistent Process
Description: This ensures that the process is consistent
From use case: Process Checker, Validate Process
Error avoidance probability: TD 1 (HIGH)
Occurrences:
• in Validate Process
Avoided errors from other tools:
• Validate Process, Tool Chain Analyzer, Model Validation, Process Inconsistently Modelled
Relations to other tools:

Table 460 Restriction: Consistent Process

1.8.5 CHECKS IN PROCESS CHECKER

No checks are performed in the tool Process Checker.

1.8.6 ASSUMPTIONS

The determination of the TCL of Process Checker is not based on assumed checks and restrictions. None of the checks and restrictions are modeled as assumptions.


1.8.7 TCL DETERMINATION

This section determines a TCL for each use case by assigning checks or restrictions with detection/avoidance probability to each potential error. The TCL for the entire tool can be derived from the TCL for each use case. The tool Process Checker has no use case with TCL 1, no use case with TCL 2 and no use case with TCL 3. Therefore the tool Process Checker has TCL 1.

There are no use cases modeled for the tool Process Checker.

1.9 RODIN EDITOR

This section explains the determination of the Tool Confidence Level (TCL) for the tool Rodin Editor.

Tool: Rodin Editor
Description: Platform for Event-B formal system development
Impact: TI 2 (Impact)
Tool Confidence Level: TCL 1

Table 461 Tool: Rodin Editor

The tool Rodin Editor is modeled with 10 elements which have impact, none of which are assumptions. No additional features have been modeled.

Elements | Amount (Assumptions)
Use Cases | 1 (0)
Checks | 1 (0)
Restrictions | 0 (0)
Potential Errors | 8 (0)

Table 462 Amount of Elements in Tool: Rodin Editor

1.9.1 USE CASES OF RODIN EDITOR

This section describes all analyzed use cases of Rodin Editor in separate subsections. The following use cases of the tool Rodin Editor are considered:

1. System Modelling, see Section 0

1.9.1.1 USE CASE SYSTEM MODELLING

This section describes the use case "System Modelling".

UseCase: System Modelling
Description: Refinement-based approach for system modelling

Table 463 UseCase: System Modelling

The use case requires no features and calls no other use cases. The use case "System Modelling" reads and/or writes the following artifacts. The used artifacts are shown in Fig 76 and are summarized in the subsequent table.

Fig 76 Artifacts of Use Case: System Modelling

Artifacts of Use Case: System Modelling
Inputs:
• Safety Requirements
Outputs:
• System Models (Event-B)

Table 464 Artifacts of Use Case: System Modelling

1.9.2 FEATURES OF RODIN EDITOR

There are no features modeled for Rodin Editor.

1.9.3 POTENTIAL ERRORS IN RODIN EDITOR

The tool has 8 different potential errors in 8 occurrences in use cases. The error flow, as can be seen in Table 176, consists of all relations from errors to checks or restrictions. There are

• no relation from errors caused by other tools to checks or restrictions defined for use cases of this tool.

• one relation from errors caused by this tool to checks or restrictions defined for use cases of this tool.

• 7 relations from errors caused by this tool to checks or restrictions defined for use cases of other tools.

Fig 77 Error Flow to and from Rodin Editor

Rodin Editor has the following relation, which is detected by checks or restrictions of this tool. The errors are described in detail in the TCL analysis of the corresponding use cases:

• Model Corruption 3 (TCL Determination for Use Case: Determinate Tool Confidence Level)

Due to 7 relations, Rodin Editor has an impact on one other tool. The errors are listed in Table 177.

Tool | Error | UseCase | Table
Rodin Prover | Deadlock | System Modelling | TCL Determination for Use Case: Create Model
Rodin Prover | Event refinement violation | System Modelling | Table 180
Rodin Prover | Invariant violation | System Modelling | Table 181
Rodin Prover | Model corruption 1 | System Modelling | Table 182
Rodin Prover | Model Corruption 2 | System Modelling | Table 183
Rodin Prover | Non-termination | System Modelling | Table 185
Rodin Prover | Syntax error | System Modelling | Table 186

Table 465 Errors of Rodin Editor with impact on other tools

1.9.4 RESTRICTIONS IN RODIN EDITOR

There are no restrictions in the tool Rodin Editor.

1.9.5 CHECKS IN RODIN EDITOR

The following check is performed in the tool Rodin Editor.

Check: WYSIWYG
Description: What you see is what you get. The human working with the tool sees the important things
Comment: This gives a high error detection probability
From use case: Rodin Editor, System Modelling
Occurrences:
• in System Modelling
Error detection probability: TD 1 (HIGH)
Detected errors:
• System Modelling, Model Corruption 3

Table 466 Check: WYSIWYG

1.9.6 ASSUMPTIONS

The determination of the TCL of Rodin Editor is not based on assumed checks and restrictions. None of the checks and restrictions are modeled as assumptions.


1.9.7 TCL DETERMINATION

This section determines a TCL for each use case by assigning checks or restrictions with detection/avoidance probability to each potential error. The TCL for the entire tool can be derived from the TCL for each use case. The tool Rodin Editor has one use case with TCL 1, no use case with TCL 2 and no use case with TCL 3. Therefore the tool Rodin Editor has TCL 1. The use cases are described in the following sections:

• For "System Modelling" (TCL 1) see Section 0.

1.9.7.1 TCL DETERMINATION FOR USE CASE: SYSTEM MODELLING

The use case "System Modelling" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "System Modelling".

Error | TD | Table
Deadlock | TD 1 (HIGH) | TCL Determination for Use Case: Create Model
Event refinement violation | TD 1 (HIGH) | Table 180
Invariant violation | TD 1 (HIGH) | Table 181
Model corruption 1 | TD 1 (HIGH) | Table 182
Model Corruption 2 | TD 1 (HIGH) | Table 183
Model Corruption 3 | TD 1 (HIGH) | TCL Determination for Use Case: Determinate Tool Confidence Level
Non-termination | TD 1 (HIGH) | Table 185
Syntax error | TD 1 (HIGH) | Table 186

Table 467 Errors of Use Case: System Modelling

Error: Deadlock
Description: -None-
From use case: System Modelling
Discovered by the following checks:
• System Model Verification.Correctness proof
Occurrences:
• in System Modelling
Error View:

Table 468 Error: Deadlock

Error: Event refinement violation
Description: -None-
From use case: System Modelling
Discovered by the following checks:
• System Model Verification.Correctness proof
Occurrences:
• in System Modelling
Error View:

Table 469 Error: Event refinement violation

Error: Invariant violation
Description: -None-
From use case: System Modelling
Discovered by the following checks:
• System Model Verification.Correctness proof
Occurrences:
• in System Modelling
Error View:

Table 470 Error: Invariant violation

Error: Model corruption 1
Description: Model corruption because of the XML format. Model corruption that loses a variable, a context or a typing invariant will generate syntax errors
From use case: System Modelling
Discovered by the following checks:
• System Model Verification.Proof Tree - Syntax Check
Occurrences:
• in System Modelling
Error View:

Table 471 Error: Model corruption 1

Error: Model Corruption 2
Description: Problems like lost invariants, lost guards, etc., will generate proof obligation violations
From use case: System Modelling
Discovered by the following checks:
• System Model Verification.Correctness proof
Occurrences:
• in System Modelling
Error View:

Table 472 Error: Model Corruption 2

Error: Model Corruption 3
Description: Problems like lost events, or events being set to non-convergent when they should be convergent, etc. There are no tools that can check this case.
From use case: System Modelling
Discovered by the following checks:
• System Modelling.WYSIWYG
Occurrences:
• in System Modelling
Error View:

Table 473 Error: Model Corruption 3

Error: Non-termination
Description: -None-
From use case: System Modelling
Discovered by the following checks:
• System Model Verification.Correctness proof
Occurrences:
• in System Modelling
Error View:

Table 474 Error: Non-termination

Error: Syntax error
Description: -None-
From use case: System Modelling
Discovered by the following checks:
• System Model Verification.Proof Tree - Syntax Check
Occurrences:
• in System Modelling
Error View:

Table 475 Error: Syntax error
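The TCL determination that the tool sections above state in prose (a use case's TCL follows from the weakest detection level among its errors, the tool's TCL from its use cases, and the error-flow counts from which tool's checks detect which tool's errors) can be reproduced from the data this report lists for ProB Model Checker, Rodin Editor and Rodin Prover. The following Python is an added example, not code from the RECOMP deliverable or from the Tool Chain Analyzer. It assumes the ISO 26262-8 mapping of TI and TD to TCL (TI 1 gives TCL 1; for TI 2, TD 1/2/3 give TCL 1/2/3), treats an error with no detecting check or restriction as TD 3, takes the best measure where an error has several, and gives a tool without use cases TCL 1, as the nuSMV and Process Checker sections do. The Measure and Error structures and the TI table are this example's own.

```python
# Added example, not code from the RECOMP deliverable or its Tool Chain Analyzer.
# Rebuilds the part of the tool-chain model printed for ProB Model Checker,
# Rodin Editor and Rodin Prover and recomputes the error-flow counts and TCLs.
# Assumptions (not stated in the report): ISO 26262-8 TI x TD -> TCL mapping;
# an error with no detecting measure is TD 3; an error with several measures
# takes the best one; a tool without use cases is TCL 1.
from dataclasses import dataclass

TD_HIGH, TD_MEDIUM, TD_LOW = 1, 2, 3          # TD 1 = HIGH detection probability


@dataclass(frozen=True)
class Measure:                                 # a check or a restriction
    tool: str
    use_case: str
    name: str
    td: int                                    # detection/avoidance probability


@dataclass(frozen=True)
class Error:
    tool: str
    use_case: str
    name: str
    detected_by: tuple = ()                    # Measure objects


# Measures named in the report, all rated TD 1 (HIGH)
MODEL_CHECK = Measure("ProB Model Checker", "Check Model", "Model Check", TD_HIGH)
WYSIWYG = Measure("Rodin Editor", "System Modelling", "WYSIWYG", TD_HIGH)
CORRECTNESS = Measure("Rodin Prover", "System Model Verification", "Correctness proof", TD_HIGH)
SYNTAX = Measure("Rodin Prover", "System Model Verification", "Proof Tree - Syntax Check", TD_HIGH)


def _editor(name, *by):
    return Error("Rodin Editor", "System Modelling", name, by)


# Errors and the measures the report says discover them
ERRORS = (
    Error("ProB Model Checker", "Check Model", "States missed", (CORRECTNESS,)),
    _editor("Deadlock", CORRECTNESS),
    _editor("Event refinement violation", CORRECTNESS),
    _editor("Invariant violation", CORRECTNESS),
    _editor("Model corruption 1", SYNTAX),
    _editor("Model Corruption 2", CORRECTNESS),
    _editor("Model Corruption 3", WYSIWYG),
    _editor("Non-termination", CORRECTNESS),
    _editor("Syntax error", SYNTAX),
    Error("Rodin Prover", "System Model Verification", "Theorem Provers", (MODEL_CHECK,)),
    Error("Rodin Prover", "System Model Verification", "Verification condition generation", (MODEL_CHECK,)),
)
TI = {"ProB Model Checker": 2, "Rodin Editor": 2, "Rodin Prover": 2}   # TI 2 (Impact)


def error_flow(tool, errors=ERRORS):
    """The three relation counts each 'Potential errors' section reports."""
    rel = [(e, m) for e in errors for m in e.detected_by]
    return {
        "inbound": sum(1 for e, m in rel if e.tool != tool and m.tool == tool),
        "internal": sum(1 for e, m in rel if e.tool == tool and m.tool == tool),
        "outbound": sum(1 for e, m in rel if e.tool == tool and m.tool != tool),
    }


def error_td(err):
    """Best available measure; no measure at all means no detection (TD 3)."""
    return min((m.td for m in err.detected_by), default=TD_LOW)


def tcl_from(ti, td):
    """ISO 26262-8 table: TI 1 -> TCL 1; TI 2 -> TCL equals the TD number."""
    return 1 if ti == 1 else td


def use_case_tcl(tool, use_case, errors=ERRORS):
    """Use-case TCL: its weakest (lowest) detection level, mapped through TI."""
    tds = [error_td(e) for e in errors if (e.tool, e.use_case) == (tool, use_case)]
    return tcl_from(TI[tool], max(tds, default=TD_HIGH))   # no errors -> TCL 1


def tool_tcl(tool, errors=ERRORS):
    """Tool TCL: worst use case; a tool with no use cases gets TCL 1."""
    ucs = {e.use_case for e in errors if e.tool == tool}
    ucs |= {m.use_case for e in errors for m in e.detected_by if m.tool == tool}
    return max((use_case_tcl(tool, uc, errors) for uc in ucs), default=1)


def without_measure(name, errors=ERRORS):
    """What-if: drop one measure (e.g. the manual WYSIWYG review) from the model."""
    return tuple(Error(e.tool, e.use_case, e.name,
                       tuple(m for m in e.detected_by if m.name != name))
                 for e in errors)


if __name__ == "__main__":
    for t in TI:
        print(t, error_flow(t), "TCL", tool_tcl(t))
    print("Rodin Editor without WYSIWYG: TCL", tool_tcl("Rodin Editor", without_measure("WYSIWYG")))
```

Run as a script, the block prints the relation counts stated in the "Potential errors" sections (ProB 2/0/1, Rodin Editor 0/1/7, Rodin Prover 8/0/2) and TCL 1 for each tool. without_measure("WYSIWYG") shows the case the Model Corruption 3 entry hints at: with the manual WYSIWYG review removed, that error has no detection at all, its TD falls to 3, and the System Modelling use case, and with it Rodin Editor, goes to TCL 3.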

1.10 RODIN PROVER

This section explains the determination of the Tool Confidence Level (TCL) for the tool Rodin Prover.

Tool: Rodin Prover
Description: -None-
Impact: TI 2 (Impact)
Tool Confidence Level: TCL 1

Table 476 Tool: Rodin Prover

The tool Rodin Prover is modeled with 5 elements which have impact, one of which is an assumption. No additional features have been modeled.

Elements | Amount (Assumptions)
Use Cases | 1 (0)
Checks | 2 (1)
Restrictions | 0 (0)
Potential Errors | 2 (0)

Table 477 Amount of Elements in Tool: Rodin Prover

1.10.1 USE CASES OF RODIN PROVER

This section describes all analyzed use cases of Rodin Prover in separate subsections. The following use cases of the tool Rodin Prover are considered:

1. System Model Verification, see Section 0

1.10.1.1 USE CASE SYSTEM MODEL VERIFICATION

This section describes the use case "System Model Verification".

UseCase: System Model Verification
Description: System model verification at system level design

Table 478 UseCase: System Model Verification

The use case requires no features and calls no other use cases. The use case "System Model Verification" reads and/or writes the following artifacts. The used artifacts are shown in Table 188 and are summarized in the subsequent table.

Fig 78 Artifacts of Use Case: System Model Verification

Artifacts of Use Case: System Model Verification
Inputs:
• System Models (Event-B)
• Verified System Models (Event-B)
Outputs:
• Verified System Models (Event-B)

Table 479 Artifacts of Use Case: System Model Verification

1.10.2 FEATURES OF RODIN PROVER

There are no features modeled for Rodin Prover.


1.10.3 POTENTIAL ERRORS IN RODIN PROVER

The tool has 2 different potential errors in 2 occurrences in use cases. The error flow, as can be seen in Fig 79, consists of all relations from errors to checks or restrictions. There are

• 8 relations from errors caused by other tools to checks or restrictions defined for use cases of this tool.

• no relation from errors caused by this tool to checks or restrictions defined for use cases of this tool.

• 2 relations from errors caused by this tool to checks or restrictions defined for use cases of other tools.

Fig 79 Error Flow to and from Rodin Prover

Table 480 shows all 8 relations, introduced by 2 other tools:

Tool                 Error                        UseCase            Table
ProB Model Checker   States missed                Check Model        Feature Xml Interface
Rodin Editor         Deadlock                     System Modelling   TCL Determination for Use Case: Create Model
Rodin Editor         Event refinement violation   System Modelling   Table 180
Rodin Editor         Invariant violation          System Modelling   Table 181
Rodin Editor         Model corruption 1           System Modelling   Table 182
Rodin Editor         Model Corruption 2           System Modelling   Table 183
Rodin Editor         Non-termination              System Modelling   Table 185
Rodin Editor         Syntax error                 System Modelling   Table 186

Table 480 Errors introduced in Rodin Prover by other tools

Due to 2 relations, Rodin Prover has an impact on one other tool. The errors are listed in Table 481.

Tool                 Error                               UseCase                     Table
ProB Model Checker   Theorem Provers                     System Model Verification   Table 485
ProB Model Checker   Verification condition generation   System Model Verification   Table 486


Table 481 Errors of Rodin Prover with impact on other tools

1.10.4 RESTRICTIONS IN RODIN PROVER

There are no restrictions in the tool Rodin Prover.

1.10.5 CHECKS IN RODIN PROVER

The following 2 checks are performed in the tool Rodin Prover.

Check: Correctness proof
Description: -None-
From use case: Rodin Prover, System Model Verification
Occurrences:
• in System Model Verification
Error detection probability: TD 1 (HIGH)
Detected errors from other tools:
• System Model Verification, ProB Model Checker, Check Model, States missed
• System Model Verification, Rodin Editor, System Modelling, Deadlock
• System Model Verification, Rodin Editor, System Modelling, Event refinement violation
• System Model Verification, Rodin Editor, System Modelling, Invariant violation
• System Model Verification, Rodin Editor, System Modelling, Model Corruption 2
• System Model Verification, Rodin Editor, System Modelling, Non-termination

Relations to other tools:

Table 482 Check: Correctness proof

Check: Proof Tree - Syntax Check
Description: The syntax check is usually done when this file is used
From use case: Rodin Prover, System Model Verification
Occurrences:
• in System Model Verification
Error detection probability: TD 1 (HIGH)
Detected errors from other tools:


• System Model Verification, Rodin Editor, System Modelling, Model corruption 1
• System Model Verification, Rodin Editor, System Modelling, Syntax error
Is assumption: True
Relations to other tools:

Table 483 Check: Proof Tree - Syntax Check

1.10.6 ASSUMPTIONS

The determination of the TCL of Rodin Prover is based on the following assumption on the development process.

• Check: Proof Tree - Syntax Check (Table 483) occurs in:
  o System Model Verification

1.10.7 TCL DETERMINATION

This section determines a TCL for each use case by assigning checks or restrictions with detection/avoidance probability to each potential error. The TCL for the entire tool can be derived from the TCL for each use case. The tool Rodin Prover has one use case with TCL 1, no use case with TCL 2 and no use case with TCL 3. Therefore the tool Rodin Prover has TCL 1. The use cases are described in the following sections:

• For "System Model Verification" (TCL 1) see Section 1.10.7.1.


1.10.7.1 TCL DETERMINATION FOR USE CASE: SYSTEM MODEL VERIFICATION

The use case "System Model Verification" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD), i.e. the worst detection probability, of all errors of the use case. The following table gives an overview of the errors of "System Model Verification".

Error                               TD            Table
Theorem Provers                     TD 1 (HIGH)   Table 485
Verification condition generation   TD 1 (HIGH)   Table 486

Table 484 Errors of Use Case: System Model Verification

Error: Theorem Provers
Description: Theorem provers might be unsound
From use case: System Model Verification
Discovered by the following checks:
• Check Model.Model Check
Occurrences:
• in System Model Verification
Error View:


Table 485 Error: Theorem Provers

Error: Verification condition generation
Description: The verification condition generation might be incorrect
From use case: System Model Verification
Discovered by the following checks:
• Check Model.Model Check
Subsumes:
• "Option Defect" from "Option Supporting"
• "Option Ignored" from "Option Supporting"
Occurrences:
• in System Model Verification
Error View:


Table 486 Error: Verification condition generation

1.11 SIMULINK

This section explains the determination of the Tool Confidence Level (TCL) for the tool Simulink.

Tool: Simulink
Description: Simulink
Impact: TI 2 (Impact)
Tool Confidence Level: TCL 3

Table 487 Tool: Simulink

The tool Simulink is modeled with 14 elements which have impact, one of which is an assumption. One additional feature has been modeled, which is not an assumption.


Elements            Amount (Assumptions)
Use Cases           4 (0)
Checks              0 (0)
Restrictions        0 (0)
Potential Errors    10 (1)

Table 488 Amount of Elements in Tool: Simulink

1.11.1 USE CASES OF SIMULINK

This section describes all analyzed use cases of Simulink in separate subsections. The following use cases of the tool Simulink are considered:

1. Code generation, see Section 1.11.1.1
2. Contracts to assertions, see Section 1.11.1.2
3. Modelling, see Section 1.11.1.3
4. Modelling Requirements, see Section 1.11.1.4

1.11.1.1 USE CASE CODE GENERATION

This section describes the use case "Code generation".

UseCase: Code generation
Description: -None-

Table 489 UseCase: Code generation

The use case requires no features and calls no other use cases. The use case "Code generation" reads and/or writes the following artifacts. The used artifacts are shown in Fig 80 and are summarized in the subsequent table.


Fig 80 Artifacts of Use Case: Code generation

Artifacts of Use Case: Code generation
Inputs:
• Simulink Model
Outputs:
• Source Code

Table 490 Artifacts of Use Case: Code generation

1.11.1.2 USE CASE CONTRACTS TO ASSERTIONS

This section describes the use case "Contracts to assertions".


UseCase: Contracts to assertions
Description: To check contracts in Simulink Design Verifier (needed to keep the verification tools at TCL 1) there is a need to translate the contracts to assertions and assumptions understood by Simulink Design Verifier. This is added as a use case here, but it could be automated in a tool.

Table 491 UseCase: Contracts to assertions

The use case requires no features and calls no other use cases. The use case "Contracts to assertions" reads and/or writes the following artifacts. The used artifacts are shown in Fig 81 and are summarized in the subsequent table.

Fig 81 Artifacts of Use Case: Contracts to assertions

Artifacts of Use Case: Contracts to assertions
Inputs:
• contract


Table 492 Artifacts of Use Case: Contracts to assertions

1.11.1.3 USE CASE MODELLING

This section describes the use case "Modelling".

UseCase: Modelling
Description: -None-

Table 493 UseCase: Modelling

The use case requires no features and calls no other use cases. The use case "Modelling" reads and/or writes the following artifacts. The used artifacts are shown in Fig 82 and are summarized in the subsequent table.


Fig 82 Artifacts of Use Case: Modelling

Artifacts of Use Case: Modelling
Outputs:
• Contract
• Simulink Model
• Simulink model
• contract

Table 494 Artifacts of Use Case: Modelling

1.11.1.4 USE CASE MODELLING REQUIREMENTS

This section describes the use case "Modelling Requirements".


UseCase: Modelling Requirements
Description: The user reads the requirements and builds the Simulink model for them.

Table 495 UseCase: Modelling Requirements

The use case requires one feature and calls no other use cases. Fig 83 shows the dependencies between the use cases and features.

Fig 83 Dependency View of Use Case: Modelling Requirements

"Modelling Requirements" uses the following features:
• Edit Model

Use cases calling "Modelling Requirements":
• Medini, SW Architecture definition

The use case "Modelling Requirements" reads and/or writes the following artifacts. The used artifacts are shown in Fig 84 and are summarized in the subsequent table.


Fig 84 Artifacts of Use Case: Modelling Requirements

Artifacts of Use Case: Modelling Requirements
Inputs:
• Safety Requirements
Outputs:
• Simulink Model

Table 496 Artifacts of Use Case: Modelling Requirements

1.11.2 FEATURES OF SIMULINK

This section describes all analyzed features of Simulink in separate subsections. The following features of the tool Simulink are considered:

1. Edit Model, see Section 1.11.2.1

1.11.2.1 FEATURE EDIT MODEL

This section describes the feature "Edit Model".

Feature: Edit Model
Description: Edit Simulink Model

Table 497 Feature: Edit Model

In order to fulfil the requirements of a feature, usually a number of artifacts are read and/or written, but the feature "Edit Model" of the tool Simulink uses no artifacts.

1.11.3 POTENTIAL ERRORS IN SIMULINK

The tool has 10 different potential errors in 10 occurrences in use cases. The error flow, as can be seen in Fig 85, consists of all relations from errors to checks or restrictions. There are

• no relation from errors caused by other tools to checks or restrictions defined for use cases of this tool.

• no relation from errors caused by this tool to checks or restrictions defined for use cases of this tool.

• 6 relations from errors caused by this tool to checks or restrictions defined for use cases of other tools.

• 6 errors caused by this tool without any relation to checks or restrictions.

Fig 85 Error Flow to and from Simulink


Due to 6 relations, Simulink has an impact on one other tool. The errors are listed in Table 498.

Tool     Error                 UseCase     Table
VerSAA   Contract corruption   Modelling   Table 506
VerSAA   Contract violation    Modelling   Table 508
VerSAA   Contract violation    Modelling   Table 508
VerSAA   Runtime error         Modelling   Table 510
VerSAA   Wrong contract        Modelling   Table 511
VerSAA   Wrong contract        Modelling   Table 511

Table 498 Errors of Simulink with impact on other tools

The following 6 error occurrences of Simulink have no relation to any check or restriction:

• Contract removal (Table 507)
• Incorrect translation (Table 504)
• Non-termination (Table 509)
• Scheduling error (Table 500)
• WCET violation (Table 501)
• Wrong code (Table 502)

1.11.4 RESTRICTIONS IN SIMULINK

There are no restrictions in the tool Simulink.

1.11.5 CHECKS IN SIMULINK

No checks are performed in the tool Simulink.

1.11.6 ASSUMPTIONS

The determination of the TCL of Simulink is based on the following assumption on the development process.

• Error: Incorrect translation (Table 504) occurs in:
  o Contracts to assertions

1.11.7 TCL DETERMINATION

This section determines a TCL for each use case by assigning checks or restrictions with detection/avoidance probability to each potential error. The TCL for the entire tool can be derived from the TCL for each use case. The tool Simulink has one use case with TCL 1, no use case with TCL 2 and 3 use cases with TCL 3. Therefore the tool Simulink has TCL 3. The use cases are described in the following sections:

• For "Code generation" (TCL 3) see Section 1.11.7.1,
• for "Contracts to assertions" (TCL 3) see Section 1.11.7.2,
• for "Modelling" (TCL 3) see Section 1.11.7.3, and
• for "Modelling Requirements" (TCL 1) see Section 1.11.7.4.
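The derivation rule stated in this section (a use case's TCL follows from the worst TD among its errors, an error covered by no check or restriction gets TD 3, and the tool's TCL is the worst use case TCL) and the error flow counts given in the "Potential errors" sections, carried out in Python as an added worked example. This is not code from the report or from the RECOMP tool chain model. The error and check data are transcribed from the Simulink, Simulink Design Verifier, TBT and VerSAA entries of this report; TD 1 for the VerSAA checks is taken from the error tables, and the TI/TD to TCL mapping is assumed to be the ISO 26262-8 one (TI 1 always gives TCL 1; for TI 2 the TCL number equals the worst TD number). The trust_assumptions switch is an addition of this example, to show what the result becomes when checks the report only assumes (the two TBT review checks) are not actually performed.

```python
"""TCL derivation as this report applies it, re-implemented as an added example.

Data below is transcribed from the Simulink, Simulink Design Verifier (SLDV),
TBT and VerSAA tables of this report. The TI/TD -> TCL mapping is assumed to be
the ISO 26262-8 one (TI 1 -> TCL 1; for TI 2, TCL number = worst TD number).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

TD_HIGH, TD_MEDIUM, TD_LOW = 1, 2, 3   # Tool error Detection levels: TD 1 = HIGH, TD 3 = LOW


@dataclass(frozen=True)
class Check:
    tool: str                 # tool whose use case performs the check
    use_case: str
    name: str
    td: int                   # detection probability of the check
    assumption: bool = False  # "Is assumption: True" in the report


@dataclass
class Error:
    tool: str                 # tool that causes the error
    use_case: str
    name: str
    detected_by: List[Check] = field(default_factory=list)


def error_td(err: Error, trust_assumptions: bool = True) -> int:
    """TD of an error: the best (lowest-numbered) TD among the checks covering it.
    An error covered by no check or restriction gets TD 3 (LOW). With
    trust_assumptions=False, checks the report merely assumes are ignored."""
    checks = [c for c in err.detected_by if trust_assumptions or not c.assumption]
    return min((c.td for c in checks), default=TD_LOW)


def use_case_tcl(ti: int, errors: List[Error], trust_assumptions: bool = True) -> int:
    """TI 1 always gives TCL 1. For TI 2 the use case TCL is the worst
    (highest-numbered) TD of its errors; a use case without errors has TCL 1."""
    if ti == 1 or not errors:
        return 1
    return max(error_td(e, trust_assumptions) for e in errors)


def tool_tcl(tool: str, ti: int, use_cases: List[str], errors: List[Error],
             trust_assumptions: bool = True) -> Tuple[int, Dict[str, int]]:
    """Tool TCL is the worst TCL over its use cases; per-use-case TCLs are returned too."""
    own = [e for e in errors if e.tool == tool]
    per_uc = {uc: use_case_tcl(ti, [e for e in own if e.use_case == uc], trust_assumptions)
              for uc in use_cases}
    return max(per_uc.values()), per_uc


def error_flow(tool: str, errors: List[Error]) -> Dict[str, int]:
    """The four counts each tool's 'Potential errors' section reports."""
    flow = {"incoming": 0, "internal": 0, "outgoing": 0, "unchecked": 0}
    for e in errors:
        if e.tool == tool and not e.detected_by:
            flow["unchecked"] += 1          # own error with no check or restriction at all
        for c in e.detected_by:
            if e.tool != tool and c.tool == tool:
                flow["incoming"] += 1       # other tool's error caught by this tool's check
            elif e.tool == tool and c.tool == tool:
                flow["internal"] += 1       # own error caught by own check
            elif e.tool == tool and c.tool != tool:
                flow["outgoing"] += 1       # own error caught by another tool's check
    return flow


# Checks transcribed from the report (VerSAA check TDs are TD 1 per Tables 505 and 519).
CHECK_CONTRACTS = Check("VerSAA", "Verify", "Check contracts", TD_HIGH)
CONTRACT_CHECK = Check("VerSAA", "Verify", "ContractCheck", TD_HIGH)
RUNTIME_ERRORS = Check("VerSAA", "Verify", "Runtime errors", TD_HIGH)
CHECK_ASSERTIONS = Check("Simulink Design Verifier", "Verify", "Check assertions", TD_HIGH)
EXECUTABILITY = Check("TBT", "Validate Tests", "Executability Check", TD_HIGH, assumption=True)
REVIEW_VS_SPEC = Check("TBT", "Validate Tests", "Review Test against Specification", TD_HIGH, assumption=True)

SIMULINK_USE_CASES = ["Code generation", "Contracts to assertions", "Modelling", "Modelling Requirements"]

# Errors transcribed from Tables 499, 503, 505, 516, 519 and 527 of this report.
ERRORS = [
    Error("Simulink", "Code generation", "Scheduling error"),
    Error("Simulink", "Code generation", "WCET violation"),
    Error("Simulink", "Code generation", "Wrong code"),
    Error("Simulink", "Contracts to assertions", "Incorrect translation"),
    Error("Simulink", "Modelling", "Contract corruption", [CHECK_CONTRACTS]),
    Error("Simulink", "Modelling", "Contract removal"),
    Error("Simulink", "Modelling", "Contract violation", [CHECK_CONTRACTS, CONTRACT_CHECK]),
    Error("Simulink", "Modelling", "Non-termination"),
    Error("Simulink", "Modelling", "Runtime error", [RUNTIME_ERRORS]),
    Error("Simulink", "Modelling", "Wrong contract", [CHECK_CONTRACTS, CONTRACT_CHECK]),
    Error("Simulink Design Verifier", "Verify", "Unsound verification", [CHECK_CONTRACTS, CONTRACT_CHECK]),
    Error("VerSAA", "Verify", "Incorrect translation", [CHECK_ASSERTIONS]),
    Error("VerSAA", "Verify", "Incorrect VC generation", [CHECK_ASSERTIONS]),
    Error("VerSAA", "Verify", "Verifier unsound", [CHECK_ASSERTIONS]),
    Error("TBT", "Generate Test", "Non-Executable Test", [EXECUTABILITY]),
    Error("TBT", "Generate Test", "Wrong Metrics", [REVIEW_VS_SPEC]),
    Error("TBT", "Generate Test", "Wrong Test Generated", [REVIEW_VS_SPEC]),
]

if __name__ == "__main__":
    for tool, ucs in (("Simulink", SIMULINK_USE_CASES),
                      ("Simulink Design Verifier", ["Verify"]),
                      ("TBT", ["Generate Test"])):
        tcl, per_uc = tool_tcl(tool, 2, ucs, ERRORS)
        print(f"{tool}: TCL {tcl} {per_uc} flow={error_flow(tool, ERRORS)}")
    # TBT relies entirely on assumed checks: drop them and it falls from TCL 1 to TCL 3.
    print("TBT without assumed checks:", tool_tcl("TBT", 2, ["Generate Test"], ERRORS, False)[0])
```

Run as a script to print the per-tool results; they reproduce the figures of this appendix (Simulink TCL 3 with 6 outgoing relations and 6 unchecked errors, Simulink Design Verifier TCL 1 with 3 incoming and 2 outgoing relations). The TBT line is the caveat a reviewer of such a report should keep in mind: an "Is assumption: True" check contributes to the TCL only if the development process actually performs it, and with both assumed TBT checks dropped all three TBT errors are uncovered and the tool falls to TCL 3.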


1.11.7.1 TCL DETERMINATION FOR USE CASE: CODE GENERATION

The use case "Code generation" has TCL 3. The TCL is determined by the lowest Tool Detection Level (TD), i.e. the worst detection probability, of all errors of the use case. The following table gives an overview of the errors of "Code generation".

Error              TD           Table
Scheduling error   TD 3 (LOW)   Table 500
WCET violation     TD 3 (LOW)   Table 501
Wrong code         TD 3 (LOW)   Table 502

Table 499 Errors of Use Case: Code generation

Error: Scheduling error
Description: The chosen scheduling scheme used for the implemented (multi-rate) model is infeasible
From use case: Code generation
Occurrences:
• in Code generation
Error View:

Table 500 Error: Scheduling error

Error: WCET violation
Description: The WCET of the code is longer than it should be given the chosen scheduling scheme
From use case: Code generation
Occurrences:
• in Code generation
Error View:


Table 501 Error: WCET violation

Error: Wrong code
Description: The semantics of the code does not match the model semantics in terms of block behaviours
From use case: Code generation
Occurrences:
• in Code generation
Error View:

Table 502 Error: Wrong code

1.11.7.2 TCL DETERMINATION FOR USE CASE: CONTRACTS TO ASSERTIONS

The use case "Contracts to assertions" has TCL 3. The TCL is determined by the lowest Tool Detection Level (TD), i.e. the worst detection probability, of all errors of the use case. The following table gives an overview of the errors of "Contracts to assertions".

Error                   TD           Table
Incorrect translation   TD 3 (LOW)   Table 504

Table 503 Errors of Use Case: Contracts to assertions

Error: Incorrect translation
Description: The translation of contracts to assertions/assumptions might be incorrect. It is not obvious how to check in a tool that this does not happen; manual inspection might be needed.
From use case: Contracts to assertions
Occurrences:
• in Contracts to assertions
Is assumption: True
Error View:

Table 504 Error: Incorrect translation

1.11.7.3 TCL DETERMINATION FOR USE CASE: MODELLING

The use case "Modelling" has TCL 3. The TCL is determined by the lowest Tool Detection Level (TD), i.e. the worst detection probability, of all errors of the use case. The following table gives an overview of the errors of "Modelling".

Error                 TD            Table
Contract corruption   TD 1 (HIGH)   Table 506
Contract removal      TD 3 (LOW)    Table 507
Contract violation    TD 1 (HIGH)   Table 508
Non-termination       TD 3 (LOW)    Table 509
Runtime error         TD 1 (HIGH)   Table 510
Wrong contract        TD 1 (HIGH)   Table 511

Table 505 Errors of Use Case: Modelling

Error: Contract corruption
Description: -None-
From use case: Modelling
Discovered by the following checks:
• Verify.Check contracts
Occurrences:
• in Modelling
Error View:


Table 506 Error: Contract corruption

Error: Contract removal
Description: Simulink removes a contract or edits the subsystem description field in such a manner that the contract is not recognised.
From use case: Modelling
Occurrences:
• in Modelling
Error View:


Table 507 Error: Contract removal

Error: Contract violation
Description: A subsystem does not behave as specified
From use case: Modelling
Discovered by the following checks:
• Verify.Check contracts
• Verify.ContractCheck
Occurrences:
• in Modelling
Error View:


Table 508 Error: Contract violation

Error: Non-termination
Description: Iteration blocks or other blocks might never return results
From use case: Modelling
Occurrences:
• in Modelling
Error View:


Table 509 Error: Non-termination

Error: Runtime error
Description: Runtime error, such as division by zero, array index out of bounds, etc.
From use case: Modelling
Discovered by the following checks:
• Verify.Runtime errors
Occurrences:
• in Modelling
Error View:


Table 510 Error: Runtime error

Error: Wrong contract
Description: Wrong subsystem specification
From use case: Modelling
Discovered by the following checks:
• Verify.Check contracts
• Verify.ContractCheck
Occurrences:
• in Modelling
Error View:


Table 511 Error: Wrong contract

1.11.7.4 TCL DETERMINATION FOR USE CASE: MODELLING REQUIREMENTS

The use case "Modelling Requirements" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD), i.e. the worst detection probability, of all errors of the use case. This use case has no errors, so it receives TCL 1.

1.12 SIMULINK DESIGN VERIFIER

This section explains the determination of the Tool Confidence Level (TCL) for the tool Simulink Design Verifier.

Tool: Simulink Design Verifier
Description: A verifier for Simulink/Stateflow models provided by MathWorks
Impact: TI 2 (Impact)
Tool Confidence Level: TCL 1

Table 512 Tool: Simulink Design Verifier

The tool Simulink Design Verifier is modeled with 3 elements which have impact, none of which is an assumption. No additional features have been modeled.

Elements            Amount (Assumptions)
Use Cases           1 (0)
Checks              1 (0)
Restrictions        0 (0)
Potential Errors    1 (0)

Table 513 Amount of Elements in Tool: Simulink Design Verifier

1.12.1 USE CASES OF SIMULINK DESIGN VERIFIER

This section describes all analyzed use cases of Simulink Design Verifier in separate subsections. The following use cases of the tool Simulink Design Verifier are considered:

1. Verify, see Section 1.12.1.1

1.12.1.1 USE CASE VERIFY

This section describes the use case "Verify".

UseCase: Verify
Description: Check that the properties given as special assertion blocks in the model hold
Comment: OS: needs to update the model, otherwise no exchange with VerSAA tool possible

Table 514 UseCase: Verify

The use case requires no features and calls no other use cases. The use case "Verify" reads and/or writes the following artifacts. The used artifacts are shown in Fig 86 and are summarized in the subsequent table.


Fig 86 Artifacts of Use Case: Verify

Artifacts of Use Case: Verify
Outputs:
• SLDV verification report
Inputs & Outputs:
• Simulink Model

Table 515 Artifacts of Use Case: Verify

1.12.2 FEATURES OF SIMULINK DESIGN VERIFIER

There are no features modeled for Simulink Design Verifier.

1.12.3 POTENTIAL ERRORS IN SIMULINK DESIGN VERIFIER

The tool has one potential error in one occurrence in use cases. The error flow, as can be seen in Fig 87, consists of all relations from errors to checks or restrictions. There are

• 3 relations from errors caused by other tools to checks or restrictions defined for use cases of this tool.

• no relation from errors caused by this tool to checks or restrictions defined for use cases of this tool.

• 2 relations from errors caused by this tool to checks or restrictions defined for use cases of other tools.

Fig 87 Error Flow to and from Simulink Design Verifier

Table 516 shows all 3 relations, introduced by one other tool:


Tool     Error                     UseCase   Table
VerSAA   Incorrect translation     Verify    Table 613
VerSAA   Incorrect VC generation   Verify    Table 614
VerSAA   Verifier unsound          Verify    Table 615

Table 516 Errors introduced in Simulink Design Verifier by other tools

Due to 2 relations, Simulink Design Verifier has an impact on one other tool. The errors are listed in Table 517.

Tool     Error                  UseCase   Table
VerSAA   Unsound verification   Verify    Table 520
VerSAA   Unsound verification   Verify    Table 520

Table 517 Errors of Simulink Design Verifier with impact on other tools

1.12.4 RESTRICTIONS IN SIMULINK DESIGN VERIFIER

There are no restrictions in the tool Simulink Design Verifier.

1.12.5 CHECKS IN SIMULINK DESIGN VERIFIER

The following check is performed in the tool Simulink Design Verifier.

Check: Check assertions
Description: Check assertions representing the contract conditions given using the assert and assume blocks supported by Simulink Design Verifier. Unsoundness of VerSAA will be found with high probability, since SLDV and VerSAA do not share any code. The backend provers are also different: SLDV uses the Prover plug-in and VerSAA uses Z3.
From use case: Simulink Design Verifier, Verify
Occurrences:
• in Verify
Error detection probability: TD 1 (HIGH)
Detected errors from other tools:
• Verify, VerSAA, Verify, Incorrect VC generation
• Verify, VerSAA, Verify, Incorrect translation
• Verify, VerSAA, Verify, Verifier unsound

Relations to other tools:


Table 518 Check: Check assertions

1.12.6 ASSUMPTIONS

The determination of the TCL of Simulink Design Verifier is not based on assumed checks and restrictions. None of the checks and restrictions are modeled as assumptions.

1.12.7 TCL DETERMINATION

This section determines a TCL for each use case by assigning checks or restrictions with detection/avoidance probability to each potential error. The TCL for the entire tool can be derived from the TCL for each use case. The tool Simulink Design Verifier has one use case with TCL 1, no use case with TCL 2 and no use case with TCL 3. Therefore the tool Simulink Design Verifier has TCL 1. The use cases are described in the following sections:

• For "Verify" (TCL 1) see Section 1.12.7.1.

1.12.7.1 TCL DETERMINATION FOR USE CASE: VERIFY

The use case "Verify" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD), i.e. the worst detection probability, of all errors of the use case. The following table gives an overview of the errors of "Verify".

Error                  TD            Table
Unsound verification   TD 1 (HIGH)   Table 520

Table 519 Errors of Use Case: Verify

Error: Unsound verification
Description: The Simulink Design Verifier is not guaranteed to be sound. The same problems as for VerSAA exist.
From use case: Verify
Discovered by the following checks:
• Verify.Check contracts
• Verify.ContractCheck
Occurrences:
• in Verify
Error View:

Table 520 Error: Unsound verification

1.13 TBT

This section explains the determination of the Tool Confidence Level (TCL) for the tool TBT.

Tool: TBT
Description: Tactic Based Test Generator. Tactic-based testing (TBT) is a variant of model-based testing in which test case search is guided by explicit search tactics in order to efficiently generate test cases for specific test goals. The explicit formulation of search tactics helps to ensure traceability from test specification to the generated test cases. It is also easily extensible to allow fault injection tests to show that applications behave gracefully also when, for instance, core-to-core communication breaks down.
Impact: TI 2 (Impact)
Tool Confidence Level: TCL 1

Table 521 Tool: TBT

The tool TBT is modeled with 6 elements which have impact, 2 of which are assumptions. No additional features have been modeled.

Elements            Amount (Assumptions)
Use Cases           1 (0)
Checks              2 (2)
Restrictions        0 (0)
Potential Errors    3 (0)

Table 522 Amount of Elements in Tool: TBT

1.13.1 USE CASES OF TBT

This section describes all analyzed use cases of TBT in separate subsections. The following use cases of the tool TBT are considered:

1. Generate Test, see Section 1.13.1.1

1.13.1.1 USE CASE GENERATE TEST

This section describes the use case "Generate Test".

UseCase: Generate Test
Description: Generate test cases according to tactics derived from test specifications

Table 523 UseCase: Generate Test

The use case requires no features and calls no other use cases. The use case "Generate Test" reads and/or writes the following artifacts. The used artifacts are shown in Fig 88 and are summarized in the subsequent table.


Fig 88 Artifacts of Use Case: Generate Test

Artifacts of Use Case: Generate Test
Inputs:
• Safety Requirements
• TBT Data Model
• TBT Oracle Model
• TBT Tactic
• Test Specification
Outputs:
• Metrics
• Test Cases

Table 524 Artifacts of Use Case: Generate Test

1.13.2 FEATURES OF TBT

There are no features modeled for TBT.

1.13.3 POTENTIAL ERRORS IN TBT

The tool has 3 different potential errors in 3 occurrences in use cases. The error flow, as can be seen in Fig 89, consists of all relations from errors to checks or restrictions. There are

• no relation from errors caused by other tools to checks or restrictions defined for use cases of this tool.

• 3 relations from errors caused by this tool to checks or restrictions defined for use cases of this tool.

• no relation from errors caused by this tool to checks or restrictions defined for use cases of other tools.

Fig 89 Error Flow to and from TBT


TBT has the following 3 relations, which are detected by checks or restrictions of this tool. The errors are described in detail in the TCL analysis of the corresponding use cases:

• Non-Executable Test (Table 528)
• Wrong Metrics (Table 529)
• Wrong Test Generated (Table 530)

1.13.4 RESTRICTIONS IN TBT

There are no restrictions in the tool TBT.

1.13.5 CHECKS IN TBT

The following 2 checks are performed in the tool TBT.

Check: Executability Check
Description: The generated test is compiled and executed
Comment: There is a high probability of detecting that the test is not executable, e.g. that it does not compile correctly, since this is an automatic check
From use case: TBT, Validate Tests
Occurrences:
• in Validate Tests
Error detection probability: TD 1 (HIGH)
Detected errors:
• Validate Tests, Generate Test, Non-Executable Test
Is assumption: True

Table 525 Check: Executability Check

Check: Review Test against Specification
Description: Review of the generated test cases for correctness with respect to the specification
Comment: Since it is easy to see that a test case covers a specified feature, the review has a high detection probability for non-conformance errors between the tests and the specification.
From use case: TBT, Validate Tests
Occurrences:
• in Validate Tests
Error detection probability: TD 1 (HIGH)
Detected errors:


• Validate Tests, Generate Test, Wrong Metrics
• Validate Tests, Generate Test, Wrong Test Generated
Is assumption: True

Table 526 Check: Review Test against Specification

1.13.6 ASSUMPTIONS

The determination of the TCL of TBT is based on the following 2 assumptions on the development process.

• Check: Executability Check (Table 525) occurs in:
  o Validate Tests
• Check: Review Test against Specification (Table 526) occurs in:
  o Validate Tests

1.13.7 TCL DETERMINATION

This section determines a TCL for each use case by assigning checks or restrictions with detection/avoidance probability to each potential error. The TCL for the entire tool can be derived from the TCL for each use case. The tool TBT has one use case with TCL 1, no use case with TCL 2 and no use case with TCL 3. Therefore the tool TBT has TCL 1. The use cases are described in the following sections:

• For "Generate Test" (TCL 1) see Section 1.13.7.1.

1.13.7.1 TCL DETERMINATION FOR USE CASE: GENERATE TEST

The use case "Generate Test" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "Generate Test".

Error | TD | Table
Non-Executable Test | TD 1 (HIGH) | Table 528
Wrong Metrics | TD 1 (HIGH) | Table 529
Wrong Test Generated | TD 1 (HIGH) | Table 530

Table 527 Errors of Use Case: Generate Test
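The TCL rule stated above (use-case TCL from the lowest detection level among its errors, tool TCL from its worst use case) is small enough to write down and run. The following is an added example, not code from the Tool Chain Analyzer or the RECOMP project. It assumes the ISO 26262-8 mapping of tool impact (TI) and tool detection level (TD) to a TCL (TI 1 always gives TCL 1; TI 2 with TD 1/2/3 gives TCL 1/2/3), and it assumes that an error takes the TD of its best detecting check and that an error with no check at all is treated as TD 3. The model data is reconstructed from the tables of this report for TBT and the Test Environment; the "Unchecked Generator" tool is invented to show the undetected-error case.

```python
"""Tool Confidence Level (TCL) determination as the report describes it.

Added example, not code from the Tool Chain Analyzer (TCA). Assumptions:
ISO 26262-8 TI/TD -> TCL mapping; an error takes the TD of its best
detecting check; an error with no check counts as TD 3 (LOW detection).
"""
from dataclasses import dataclass, field
from typing import Dict, List

TD_HIGH, TD_MEDIUM, TD_LOW = 1, 2, 3   # tool detection levels (probability of detection)
TD_NONE = TD_LOW                        # assumption: an error no check catches is TD 3


@dataclass
class Check:
    name: str
    td: int                  # detection probability of this check or restriction


@dataclass
class Error:
    name: str
    checks: List[Check] = field(default_factory=list)  # checks that discover this error

    def td(self) -> int:
        # The error's TD is that of its best detecting check (lowest number).
        return min((c.td for c in self.checks), default=TD_NONE)


@dataclass
class UseCase:
    name: str
    errors: List[Error] = field(default_factory=list)


@dataclass
class Tool:
    name: str
    ti: int                  # tool impact: 1 = no impact, 2 = impact
    use_cases: List[UseCase]


def tcl_from_ti_td(ti: int, td: int) -> int:
    """ISO 26262-8 mapping of tool impact and detection level to a TCL."""
    if ti not in (1, 2) or td not in (TD_HIGH, TD_MEDIUM, TD_LOW):
        raise ValueError(f"invalid TI {ti} / TD {td}")
    return 1 if ti == 1 else td


def use_case_tcl(tool: Tool, uc: UseCase) -> int:
    """Use-case TCL follows the lowest detection level (highest TD number) over
    all errors of the use case; a use case with no errors is TCL 1."""
    worst_td = max((e.td() for e in uc.errors), default=TD_HIGH)
    return tcl_from_ti_td(tool.ti, worst_td)


def tool_tcl(tool: Tool) -> int:
    """The tool TCL is the worst TCL over its use cases."""
    return max((use_case_tcl(tool, uc) for uc in tool.use_cases), default=1)


def tcl_histogram(tool: Tool) -> Dict[int, int]:
    """Use cases per TCL, as in 'one use case with TCL 1, no use case with TCL 2 ...'."""
    hist = {1: 0, 2: 0, 3: 0}
    for uc in tool.use_cases:
        hist[use_case_tcl(tool, uc)] += 1
    return hist


# Model data reconstructed from the report's tables (TBT, Table 525-530).
executability = Check("Validate Tests.Executability Check", TD_HIGH)
review = Check("Validate Tests.Review Test against Specification", TD_HIGH)

TBT = Tool("TBT", ti=2, use_cases=[
    UseCase("Generate Test", [
        Error("Non-Executable Test", [executability]),
        Error("Wrong Metrics", [review]),
        Error("Wrong Test Generated", [review]),
    ]),
])

# Test Environment (Table 539-544): two use cases, neither with errors of its own.
TEST_ENVIRONMENT = Tool("Test Environment", ti=2, use_cases=[
    UseCase("Unit Test"), UseCase("Validate Tests"),
])

# Invented tool: one error that no check or restriction detects.
UNCHECKED_GENERATOR = Tool("Unchecked Generator", ti=2, use_cases=[
    UseCase("Generate", [Error("Wrong Output")]),
])

if __name__ == "__main__":
    for tool in (TBT, TEST_ENVIRONMENT, UNCHECKED_GENERATOR):
        print(f"{tool.name}: TCL {tool_tcl(tool)} {tcl_histogram(tool)}")
```

Running the script reproduces the report's statements for TBT and the Test Environment (both TCL 1) and shows why a tool with impact whose errors have no detecting check lands at TCL 3.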

Error: Non-Executable Test
Description: The generated test is not executable, e.g. it does not compile, does not link, or aborts at startup.
From use case: Generate Test
Discovered by the following checks:
• Validate Tests.Executability Check
Subsumes:
• "Not Executable" from "Executable"
Occurrences:
• in Generate Test
Error View:

Table 528 Error: Non-Executable Test

Error: Wrong Metrics
Description: The wrong coverage is generated, i.e. the test claims to cover the specification but does not cover it.
From use case: Generate Test
Discovered by the following checks:
• Validate Tests.Review Test against Specification
Subsumes:
• "Wrong Data" from "Statistic"
Occurrences:
• in Generate Test
Error View:

Table 529 Error: Wrong Metrics

Error: Wrong Test Generated
Description: The generated test does not fit the specification or does not achieve the claimed coverage.
From use case: Generate Test
Discovered by the following checks:
• Validate Tests.Review Test against Specification
Subsumes:
• "Wrong Computation" from "Executable"
• "Wrong Data" from "Statistic"
Occurrences:
• in Generate Test
Error View:

Table 530 Error: Wrong Test Generated

1.14 TECNALIA ASSURANCE CASE EDITOR

This section explains the determination of the Tool Confidence Level (TCL) for the tool Tecnalia Assurance Case Editor.

Tool: Tecnalia Assurance Case Editor
Description: This tool supports editing a safety case in a graphical view.
Comment: It supports an expert in expressing, graphically, the safety case associated with the certification dossier, so that the authorities can check the evidence.
Impact: TI 2 (Impact)
Tool Confidence Level: TCL 1

Table 531 Tool: Tecnalia Assurance Case Editor

The tool Tecnalia Assurance Case Editor is modeled with 4 elements which have impact, none of them are assumptions. No additional features have been modeled.

Elements | Amount (Assumptions)
Use Cases | 1 (0)
Checks | 1 (0)
Restrictions | 0 (0)
Potential Errors | 2 (0)

Table 532 Amount of Elements in Tool: Tecnalia Assurance Case Editor

1.14.1 USE CASES OF TECNALIA ASSURANCE CASE EDITOR

This section describes all analyzed use cases of Tecnalia Assurance Case Editor in separate subsections. The following use cases of the tool Tecnalia Assurance Case Editor are considered:

1. Assurance Case edition, see Section 1.14.1.1

1.14.1.1 USE CASE ASSURANCE CASE EDITION

This section describes the use case "Assurance Case edition".

UseCase: Assurance Case edition
Description: The user can draw the case using the elements defined in the GSN standard.
Comment: This is done by a certification expert and only puts into graphical form the arguments showing that the evidence supports the safety goals.

Table 533 UseCase: Assurance Case edition

The use case requires no features and calls no other use cases. Use cases calling "Assurance Case edition":

• GEMDE Certification, Technical view

The use case "Assurance Case edition" reads and/or writes the following artifacts. The used artifacts are shown in Fig 90 and are summarized in the subsequent table.

Fig 90 Artifacts of Use Case: Assurance Case edition

Artifacts of Use Case: Assurance Case edition
Inputs:
• Safety Case
Outputs:
• Safety Case
Inputs & Outputs:
• Safety Case

Table 534 Artifacts of Use Case: Assurance Case edition

1.14.2 FEATURES OF TECNALIA ASSURANCE CASE EDITOR

There are no features modeled for Tecnalia Assurance Case Editor.

1.14.3 POTENTIAL ERRORS IN TECNALIA ASSURANCE CASE EDITOR

The tool has 2 different potential errors in 2 occurrences in use cases. The error flow, as can be seen in Fig 91, consists of all relations from errors to checks or restrictions. There are

• no relation from errors caused by other tools to checks or restrictions defined for use cases of this tool.

• 2 relations from errors caused by this tool to checks or restrictions defined for use cases of this tool.

• no relation from errors caused by this tool to checks or restrictions defined for use cases of other tools.

Fig 91 Error Flow to and from Tecnalia Assurance Case Editor

Tecnalia Assurance Case Editor has the following 2 relations, which are detected by checks or restrictions of this tool. The errors are described in detail in the TCL analysis of the corresponding use cases:

• Assurance Case is unexplained (Table 537)
• Assurance Case is unfounded (Table 538)

1.14.4 RESTRICTIONS IN TECNALIA ASSURANCE CASE EDITOR

There are no restrictions in the tool Tecnalia Assurance Case Editor.


1.14.5 CHECKS IN TECNALIA ASSURANCE CASE EDITOR

The following one check is performed in the tool Tecnalia Assurance Case Editor.

Check: Expert audit
Description: After every assurance case is released, an audit by an expert is done.
From use case: Tecnalia Assurance Case Editor, Assurance Case edition
Occurrences:
• in Assurance Case edition
Error detection probability: TD 1 (HIGH)
Detected errors:
• Assurance Case edition, Assurance Case is unexplained
• Assurance Case edition, Assurance Case is unfounded

Table 535 Check: Expert audit

1.14.6 ASSUMPTIONS

The determination of the TCL of Tecnalia Assurance Case Editor is not based on assumed checks and restrictions. None of the checks and restrictions are modeled as assumptions.

1.14.7 TCL DETERMINATION

This section determines a TCL for each use case by assigning checks or restrictions with detection/avoidance probability to each potential error. The TCL for the entire tool can be derived from the TCL for each use case. The tool Tecnalia Assurance Case Editor has one use case with TCL 1, no use case with TCL 2 and no use case with TCL 3. Therefore the tool Tecnalia Assurance Case Editor has TCL 1. The use cases are described in the following sections:

• For "Assurance Case edition" (TCL 1) see Section 1.14.7.1.

1.14.7.1 TCL DETERMINATION FOR USE CASE: ASSURANCE CASE EDITION

The use case "Assurance Case edition" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "Assurance Case edition".

Error | TD | Table
Assurance Case is unexplained | TD 1 (HIGH) | Table 537
Assurance Case is unfounded | TD 1 (HIGH) | Table 538

Table 536 Errors of Use Case: Assurance Case edition

Error: Assurance Case is unexplained
Description: The assurance case contains evidence that is not properly linked to an argument.
From use case: Assurance Case edition
Discovered by the following checks:
• Assurance Case edition.Expert audit
Occurrences:
• in Assurance Case edition
Error View:

Table 537 Error: Assurance Case is unexplained

Error: Assurance Case is unfounded
Description: The safety case contains arguments that are not supported by proper evidence.
From use case: Assurance Case edition
Discovered by the following checks:
• Assurance Case edition.Expert audit
Occurrences:
• in Assurance Case edition
Error View:

Table 538 Error: Assurance Case is unfounded
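The two error types above have a structural core that can be checked mechanically before the expert audit: evidence that no argument node cites ("unexplained") and argument nodes from which no evidence is reachable ("unfounded"). The following is an added example, not code from the Tecnalia Assurance Case Editor, and it does not replace the manual expert audit the report relies on. It assumes a GSN case modelled as nodes of kind Goal, Strategy or Solution (evidence) and SupportedBy edges from a parent to the node that supports it; the node identifiers and their meanings in the sample are invented.

```python
"""Structural pre-check of a GSN assurance case for the two error types
'Assurance Case is unexplained' and 'Assurance Case is unfounded'.

Added example, not the editor's own check. Assumed model: nodes of kind
Goal/Strategy/Solution, SupportedBy edges (parent, child). Sample ids invented.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

GOAL, STRATEGY, SOLUTION = "Goal", "Strategy", "Solution"
Edges = List[Tuple[str, str]]


def validate(nodes: Dict[str, str], supported_by: Edges) -> None:
    """Reject edges to unknown nodes and evidence that is itself 'supported by' something."""
    for parent, child in supported_by:
        if parent not in nodes or child not in nodes:
            raise ValueError(f"edge {parent}->{child} references an unknown node")
        if nodes[parent] == SOLUTION:
            raise ValueError(f"solution {parent} cannot be supported by further nodes")


def unexplained_evidence(nodes: Dict[str, str], supported_by: Edges) -> List[str]:
    """Solutions that no goal or strategy cites: evidence without an argument."""
    validate(nodes, supported_by)
    linked = {child for _, child in supported_by}
    return sorted(n for n, kind in nodes.items() if kind == SOLUTION and n not in linked)


def unfounded_arguments(nodes: Dict[str, str], supported_by: Edges) -> List[str]:
    """Goals and strategies from which no solution is reachable: arguments without evidence.

    Computed by reverse reachability from the solutions, so a circular argument
    (G4 supported by S2 supported by G4) is reported instead of looping."""
    validate(nodes, supported_by)
    parents = defaultdict(list)
    for parent, child in supported_by:
        parents[child].append(parent)
    founded = {n for n, kind in nodes.items() if kind == SOLUTION}
    frontier = list(founded)
    while frontier:
        n = frontier.pop()
        for p in parents[n]:
            if p not in founded:
                founded.add(p)
                frontier.append(p)
    return sorted(n for n, kind in nodes.items() if kind != SOLUTION and n not in founded)


def audit(nodes: Dict[str, str], supported_by: Edges) -> Dict[str, List[str]]:
    """Both findings in one report, keyed by the report's error names."""
    return {"unexplained": unexplained_evidence(nodes, supported_by),
            "unfounded": unfounded_arguments(nodes, supported_by)}


# Constructed sample case (invented identifiers and claims).
SAMPLE_NODES = {
    "G1": GOAL,       # system is acceptably safe
    "S1": STRATEGY,   # argue over the identified hazards
    "G2": GOAL,       # hazard H1 is mitigated
    "G3": GOAL,       # hazard H2 is mitigated, but nothing supports it -> unfounded
    "Sn1": SOLUTION,  # test report for the H1 mitigation
    "Sn2": SOLUTION,  # review protocol that no argument cites -> unexplained
    "G4": GOAL,       # circular argument with S2, never reaches evidence -> unfounded
    "S2": STRATEGY,
}
SAMPLE_EDGES = [("G1", "S1"), ("S1", "G2"), ("S1", "G3"),
                ("G2", "Sn1"), ("G4", "S2"), ("S2", "G4")]

if __name__ == "__main__":
    print(audit(SAMPLE_NODES, SAMPLE_EDGES))
```

A goal whose sub-goals are only partly supported (G1 here, via G3) is not flagged, because the script only reports the leaf that lacks evidence; judging whether the remaining support is sufficient is exactly what the expert audit is for.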

1.15 TEST ENVIRONMENT

This section explains the determination of the Tool Confidence Level (TCL) for the tool Test Environment.

Tool: Test Environment
Description: This is a virtual test environment, used to formulate the assumptions the test generator makes about the test tools and processes in which the generated tests can be executed.
Impact: TI 2 (Impact)
Tool Confidence Level: TCL 1
Is assumption: True

Table 539 Tool: Test Environment

The tool Test Environment is modeled with 5 elements which have impact, 5 of them are assumptions. No additional features have been modeled.

Elements | Amount (Assumptions)
Use Cases | 2 (2)
Checks | 3 (3)
Restrictions | 0 (0)
Potential Errors | 0 (0)

Table 540 Amount of Elements in Tool: Test Environment

1.15.1 USE CASES OF TEST ENVIRONMENT

This section describes all analyzed use cases of Test Environment in separate subsections. The following use cases of the tool Test Environment are considered:

1. Unit Test, see Section 1.15.1.1
2. Validate Tests, see Section 1.15.1.2

1.15.1.1 USE CASE UNIT TEST

This section describes the use case "Unit Test".

UseCase: Unit Test
Description: -None-
Is assumption: True

Table 541 UseCase: Unit Test

The use case requires no features and calls no other use cases. The use case "Unit Test" reads and/or writes the following artifacts. The used artifacts are shown in Fig 92 and are summarized in the subsequent table.

Fig 92 Artifacts of Use Case: Unit Test

Artifacts of Use Case: Unit Test
Inputs:
• C/C++ Source Code
• Test Cases

Table 542 Artifacts of Use Case: Unit Test

1.15.1.2 USE CASE VALIDATE TESTS

This section describes the use case "Validate Tests".

UseCase: Validate Tests
Description: Since the test cases are only stimuli, the results have to be validated manually.
Is assumption: True

Table 543 UseCase: Validate Tests

The use case requires no features and calls no other use cases. The use case "Validate Tests" reads and/or writes the following artifacts. The used artifacts are shown in Fig 93 and are summarized in the subsequent table.

Fig 93 Artifacts of Use Case: Validate Tests

Artifacts of Use Case: Validate Tests
Inputs & Outputs:
• Test Cases

Table 544 Artifacts of Use Case: Validate Tests

1.15.2 FEATURES OF TEST ENVIRONMENT

There are no features modeled for Test Environment.

1.15.3 POTENTIAL ERRORS IN TEST ENVIRONMENT

The tool has no potential errors. The error flow, as can be seen in Fig 94, consists of all relations from errors to checks or restrictions. There are

• 5 relations from errors caused by other tools to checks or restrictions defined for use cases of this tool.

• no relation from errors caused by this tool to checks or restrictions defined for use cases of this tool.

• no relation from errors caused by this tool to checks or restrictions defined for use cases of other tools.

Fig 94 Error Flow to and from Test Environment

Table 545 shows all 5 relations, introduced by one other tool:

Tool | Error | UseCase | Table
Development | Assertion Violation | Create Code | TCL Determination for Use Case: HW/SW allocation
Development | Dead Code | Create Code | Table 101
Development | Other Programing Error | Create Code | Table 102
Development | Runtime Error | Create Code | TCL Determination for Use Case: Item Definition
Development | Runtime Error | Create Code | TCL Determination for Use Case: Item Definition

Table 545 Errors introduced in Test Environment by other tools

1.15.4 RESTRICTIONS IN TEST ENVIRONMENT

There are no restrictions in the tool Test Environment.

1.15.5 CHECKS IN TEST ENVIRONMENT

The following 3 checks are performed in the tool Test Environment.

Check: Life Check
Description: We can show that code is live and pinpoint lines of code that we cannot generate a test case to reach (which is potentially dead code).
Comment: Possibly too much code is marked as not alive.
From use case: Test Environment, Unit Test
Occurrences:
• in Unit Test
Error detection probability: TD 2 (MEDIUM)
Detected errors from other tools:
• Unit Test, Development, Create Code, Dead Code
Is assumption: True
Relations to other tools:

Table 546 Check: Life Check

Check: Programm Verification
Description: Based on tests with a high code coverage, the program can be verified.
Comment: This has a medium detection probability; otherwise the other verification activities (reviews, ...) would not be necessary any more.
From use case: Test Environment, Unit Test
Occurrences:
• in Unit Test
Error detection probability: TD 2 (MEDIUM)
Detected errors from other tools:
• Unit Test, Development, Create Code, Other Programing Error
• Unit Test, Development, Create Code, Runtime Error
Is assumption: True
Relations to other tools:

Table 547 Check: Programm Verification

Check: Runtime Check
Description: This check detects runtime errors like division by zero, array-out-of-bounds or null-pointer errors in the code.
Comment: Even if the detection itself is simple (e.g. by catching the exception), it is in general impossible to compute all possible inputs that could cause such an error without abstraction. Therefore the probability is medium.
From use case: Test Environment, Unit Test
Occurrences:
• in Unit Test
Error detection probability: TD 2 (MEDIUM)
Detected errors from other tools:
• Unit Test, Development, Create Code, Assertion Violation
• Unit Test, Development, Create Code, Runtime Error
Is assumption: True
Relations to other tools:

Table 548 Check: Runtime Check

1.15.6 ASSUMPTIONS

The determination of the TCL of Test Environment is based on the following 5 assumptions on the development process.

• Check: Life Check (Table 546) occurs in:
  o Unit Test
• Check: Programm Verification (Table 547) occurs in:
  o Unit Test
• Check: Runtime Check (Table 548) occurs in:
  o Unit Test
• UseCase: Unit Test
• UseCase: Validate Tests

1.15.7 TCL DETERMINATION

This section determines a TCL for each use case by assigning checks or restrictions with detection/avoidance probability to each potential error. The TCL for the entire tool can be derived from the TCL for each use case. The tool Test Environment has 2 use cases with TCL 1, no use case with TCL 2 and no use case with TCL 3. Therefore the tool Test Environment has TCL 1. The use cases are described in the following sections:

• For "Unit Test" (TCL 1) see Section 1.15.7.1, and
• for "Validate Tests" (TCL 1) see Section 1.15.7.2.

1.15.7.1 TCL DETERMINATION FOR USE CASE: UNIT TEST

The use case "Unit Test" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. This use case has no errors.

1.15.7.2 TCL DETERMINATION FOR USE CASE: VALIDATE TESTS

The use case "Validate Tests" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. This use case has no errors.

1.16 TOOL CHAIN ANALYZER

This section explains the determination of the Tool Confidence Level (TCL) for the tool Tool Chain Analyzer.

Tool: Tool Chain Analyzer
Description: The tool TCA is used to analyze tool chains. It can be obtained from Validas AG at www.validas.de/TCA.html
Impact: TI 2 (Impact)
Tool Confidence Level: TCL 3

Table 549 Tool: Tool Chain Analyzer

The tool Tool Chain Analyzer is modeled with 17 elements which have impact, none of them are assumptions. In addition, 10 features have been modeled, one of them an assumption.

Elements | Amount (Assumptions)
Use Cases | 5 (0)
Checks | 1 (0)
Restrictions | 0 (0)
Potential Errors | 11 (0)

Table 550 Amount of Elements in Tool: Tool Chain Analyzer

1.16.1 USE CASES OF TOOL CHAIN ANALYZER

This section describes all analyzed use cases of Tool Chain Analyzer in separate subsections. The following use cases of the tool Tool Chain Analyzer are considered:

1. Cost Calculation, see Section 1.16.1.1
2. Create Model, see Section 1.16.1.2
3. Determinate Tool Confidence Level, see Section 1.16.1.3
4. Generate Tool Classification Report, see Section 1.16.1.4
5. Review Model, see Section 1.16.1.5

1.16.1.1 USE CASE COST CALCULATION

This section describes the use case "Cost Calculation". UseCase: Cost Calculation Description: The TCA can calculate the costs of the tool chain and the manual steps involved.

Table 551 UseCase: Cost Calculation

The use case requires 3 features and calls no other use cases. Fig 95 shows the dependencies between the use cases and features.

Fig 95 Dependency View of Use Case: Cost Calculation

"Cost Calculation" uses the following features:
• Cost Model
• EMF
• Excel Interface

In order to fulfill the requirements of the use case, usually a number of artifacts will be read and/or written. But in "Cost Calculation" the tool Tool Chain Analyzer uses no artifacts.

1.16.1.2 USE CASE CREATE MODEL

This section describes the use case "Create Model". UseCase: Create Model Description: The TCA model is created using interactive work with the tool

Table 552 UseCase: Create Model

The use case requires 3 features and calls no other use cases. Fig 96 shows the dependencies between the use cases and features.


Fig 96 Dependency View of Use Case: Create Model

"Create Model" uses the following features:
• EMF
• Model Validation
• Xml Interface

The use case "Create Model" reads and/or writes the following artifacts. The used artifacts are shown in Fig 97 and are summarized in the subsequent table.

Fig 97 Artifacts of Use Case: Create Model

Artifacts of Use Case: Create Model
Inputs:
• Overall Project Plan
• Safety Plan

Table 553 Artifacts of Use Case: Create Model

1.16.1.3 USE CASE DETERMINATE TOOL CONFIDENCE LEVEL

This section describes the use case "Determinate Tool Confidence Level".

UseCase: Determinate Tool Confidence Level
Description: The Tool Chain Analyzer determines the Tool Confidence Level according to ISO 26262.

Comment: The TCA model is considered to be a part of the software tool application guidelines.

Table 554 UseCase: Determinate Tool Confidence Level

The use case requires 2 features and calls no other use cases. Fig 98 shows the dependencies between the use cases and features.


Fig 98 Dependency View of Use Case: Determinate Tool Confidence Level

"Determinate Tool Confidence Level" uses the following features:
• Compute Tool Confidence Level
• EMF

The use case "Determinate Tool Confidence Level" reads and/or writes the following artifacts. The used artifacts are shown in Fig 99 and are summarized in the subsequent table.

Fig 99 Artifacts of Use Case: Determinate Tool Confidence Level

Artifacts of Use Case: Determinate Tool Confidence Level
Inputs:
• Overall Project Plan
• Safety Plan
Outputs:
• Safety Manual
• Tool Evaluation Report

Table 555 Artifacts of Use Case: Determinate Tool Confidence Level

1.16.1.4 USE CASE GENERATE TOOL CLASSIFICATION REPORT

This section describes the use case "Generate Tool Classification Report".

UseCase: Generate Tool Classification Report
Description: A tool classification report is generated containing the Tool Confidence Level for all tools.

The tool classification report consists of two parts. The first is related to the considered process and contains individual descriptions such as information sources, tool versions etc. The second part describes the formal model of the tool chain with all elements (tools, use cases, artifacts, errors, probabilities, ...) and the automatically computed tool confidence level for each tool. The second part is generated by the TCA into a Word document. The information flows in the generated report are visualised graphically using the GraphViz tool.
Comment: We consider the generated report to be also a part of the tool application guidelines.

Table 556 UseCase: Generate Tool Classification Report

The use case requires 3 features and calls no other use cases. Fig 100 shows the dependencies between the use cases and features.

Fig 100 Dependency View of Use Case: Generate Tool Classification Report

"Generate Tool Classification Report" uses the following features:
• Compute Tool Confidence Level
• EMF
• Generate Word (docx)

The use case "Generate Tool Classification Report" reads and/or writes the following artifacts. The used artifacts are shown in Fig 101 and are summarized in the subsequent table.

Fig 101 Artifacts of Use Case: Generate Tool Classification Report

Artifacts of Use Case: Generate Tool Classification Report
Inputs:
• Overall Project Plan
Outputs:
• Tool Evaluation Report
Inputs & Outputs:
• Safety Manual

Table 557 Artifacts of Use Case: Generate Tool Classification Report

1.16.1.5 USE CASE REVIEW MODEL

This section describes the use case "Review Model".

UseCase: Review Model
Description: The model is reviewed using Excel interfaces, which are easier to use for many reviewers.

Table 558 UseCase: Review Model

The use case requires 4 features and calls no other use cases. Fig 102 shows the dependencies between the use cases and features.

Fig 102 Dependency View of Use Case: Review Model

"Review Model" uses the following features:
• EMF
• Excel Interface
• Model Validation
• SG_Use Review Checklist

The use case "Review Model" reads and/or writes the following artifacts. The used artifacts are shown in Fig 103 and are summarized in the subsequent table.

Fig 103 Artifacts of Use Case: Review Model

Artifacts of Use Case: Review Model
Inputs:
• Overall Project Plan
• Safety Plan
Outputs:
• Review Protocol
Inputs & Outputs:
• Safety Manual

Table 559 Artifacts of Use Case: Review Model


1.16.2 FEATURES OF TOOL CHAIN ANALYZER

This section describes all analyzed features of Tool Chain Analyzer in separate subsections. The following features of the tool Tool Chain Analyzer are considered:

1. Compute Tool Confidence Level, see Section 1.16.2.1
2. Cost Model, see Section 1.16.2.2
3. EMF, see Section 1.16.2.3
4. Excel Interface, see Section 1.16.2.4
5. Generate Word (docx), see Section 1.16.2.5
6. Model Validation, see Section 1.16.2.6
7. Safety Guidelines, see Section 1.16.2.7
8. SG_Avoid Feature, see Section 1.16.2.8
9. SG_Use Review Checklist, see Section 1.16.2.9
10. Xml Interface, see Section 1.16.2.10

1.16.2.1 FEATURE COMPUTE TOOL CONFIDENCE LEVEL

This section describes the feature "Compute Tool Confidence Level".

Feature: Compute Tool Confidence Level
Description: The tool confidence level is computed according to ISO 26262.

If a tool has impact (TI) on the safety of the product, the tool confidence level (TCL) is computed from the error detection probability (TD) of all potential errors in the relevant use cases. More details can be found in the TCA user manual, which is located in the TCA plugin Documentation, for example: Programme\TCA150\TCA150\plugins\Documentation_1.5.0\UserManual.pdf

Table 560 Feature: Compute Tool Confidence Level

The feature "Compute Tool Confidence Level" reads and/or writes the following artifacts. The used artifacts are shown in Fig 104 and are summarized in the subsequent table.

Fig 104 Artifacts of Feature: Compute Tool Confidence Level

Artifacts of Feature: Compute Tool Confidence Level
Inputs:
• User Input
Outputs:
• Display Output
• Excel File
• Word Document
Inputs & Outputs:
• Model

Table 561 Artifacts of Feature: Compute Tool Confidence Level

1.16.2.2 FEATURE COST MODEL

This section describes the feature "Cost Model". Feature: Cost Model Description: Feature to model the costs of the process

Table 562 Feature: Cost Model

The feature "Cost Model" reads and/or writes the following artifacts. The used artifacts are shown in Fig 105 and are summarized in the subsequent table.

Fig 105 Artifacts of Feature: Cost Model

Artifacts of Feature: Cost Model
Inputs:
• User Input
Outputs:
• Display Output
Inputs & Outputs:
• Excel File
• Model

Table 563 Artifacts of Feature: Cost Model

1.16.2.3 FEATURE EMF

This section describes the feature "EMF".

Feature: EMF
Description: EMF (Eclipse Modeling Framework) is used for editing and persistence of the models.

Table 564 Feature: EMF

The feature "EMF" reads and/or writes the following artifacts. The used artifacts are shown in Fig 106 and are summarized in the subsequent table.

Fig 106 Artifacts of Feature: EMF

Artifacts of Feature: EMF
Inputs:
• User Input
Outputs:
• Display Output
Inputs & Outputs:
• Model

Table 565 Artifacts of Feature: EMF

1.16.2.4 FEATURE EXCEL INTERFACE

This section describes the feature "Excel Interface". Feature: Excel Interface Description: Export and import of different views into excel (.xls) files.

The following views can be exported to and imported from Excel to ease the modeling process:
- tool attributes
- features
- artifacts
- errors
More details can be found in the TCA user manual, which is located in the TCA plugin Documentation, for example: Programme\TCA150\TCA150\plugins\Documentation_1.5.0\UserManual.pdf

Table 566 Feature: Excel Interface

The feature "Excel Interface" reads and/or writes the following artifacts. The used artifacts are shown in Fig 107 and are summarized in the subsequent table.


Fig 107 Artifacts of Feature: Excel Interface

Artifacts of Feature: Excel Interface
Inputs:
• User Input
Inputs & Outputs:
• Excel File
• Model

Table 567 Artifacts of Feature: Excel Interface

1.16.2.5 FEATURE GENERATE WORD (DOCX)

This section describes the feature "Generate Word (docx)". Feature: Generate Word (docx) Description: Generates a word documentation from the model.

A Word report is generated from the model that contains the complete information in a readable format. For each tool there is a section with the following information:
- use cases
- features
- errors
- checks
- restrictions
- assumptions
- artifacts
- qualifications
- tool confidence level explanations for all errors in all use cases of the tool
Furthermore, graphical visualisations of important relations are included.

Table 568 Feature: Generate Word (docx)

The feature "Generate Word (docx)" reads and/or writes the following artifacts. The used artifacts are shown in Fig 108 and are summarized in the subsequent table.

Fig 108 Artifacts of Feature: Generate Word (docx)

Artifacts of Feature: Generate Word (docx)
Inputs:
• Model
• User Input
Outputs:
• Word Document

Table 569 Artifacts of Feature: Generate Word (docx)

1.16.2.6 FEATURE MODEL VALIDATION

This section describes the feature "Model Validation". Feature: Model Validation Description: The TCA detects inconsistent models.

There are many consistency checks implemented that exceed the syntactic checks. More details can be found in the TCA user manual which is located in the TCA plugin Documentation, for example: Programme\TCA150\TCA150\plugins\Documentation_1.5.0\UserManual.pdf

Table 570 Feature: Model Validation

The feature "Model Validation" reads and/or writes the following artifacts. The used artifacts are shown in Fig 109 and are summarized in the subsequent table.

Fig 109 Artifacts of Feature: Model Validation

Artifacts of Feature: Model Validation
Inputs:
• Model
• User Input
Outputs:
• Display Output

Table 571 Artifacts of Feature: Model Validation

1.16.2.7 FEATURE SAFETY GUIDELINES

This section describes the feature "Safety Guidelines". Feature: Safety Guidelines Description: Use the safety manual of the TCA that contains safety checks that should be applied

Table 572 Feature: Safety Guidelines

The feature "Safety Guidelines" has the following 2 sub-features:

• SG_Avoid Feature
• SG_Use Review Checklist

In order to fulfill the requirements of the feature, usually a number of artifacts will be read and/or written. But in "Safety Guidelines" the tool Tool Chain Analyzer uses no artifacts.

1.16.2.8 FEATURE SG_AVOID FEATURE

This section describes the feature "SG_Avoid Feature".
Feature: SG_Avoid Feature
Description: Avoid this feature, since it is redundant.
Is assumption: True

Table 573 Feature: SG_Avoid Feature

The feature "SG_Avoid Feature" is part of the following feature:

• Safety Guidelines

In order to fulfill the requirements of the feature, usually a number of artifacts will be read and/or written. But in "SG_Avoid Feature" the tool Tool Chain Analyzer uses no artifacts.

1.16.2.9 FEATURE SG_USE REVIEW CHECKLIST

This section describes the feature "SG_Use Review Checklist".
Feature: SG_Use Review Checklist
Description: Apply the check of the review checklists.

Table 574 Feature: SG_Use Review Checklist

The feature "SG_Use Review Checklist" is part of the following feature:

• Safety Guidelines

In order to fulfill the requirements of the feature, usually a number of artifacts will be read and/or written. But in "SG_Use Review Checklist" the tool Tool Chain Analyzer uses no artifacts.

1.16.2.10 FEATURE XML INTERFACE

This section describes the feature "Xml Interface".
Feature: Xml Interface
Description: Xml interface supports the export and import of single tool models.

For integration of large models based on single tool models, this feature can be used to develop models in parallel working teams. To ensure the modularity of the exported models, all referenced elements of the tool are also exported, but only with the minimal required information.

More details can be found in the TCA user manual which is located in the TCA plugin Documentation, for example: Programme\TCA150\TCA150\plugins\Documentation_1.5.0\UserManual.pdf

Table 575 Feature: Xml Interface

The feature "Xml Interface" reads and/or writes the following artifacts. The used artifacts are shown in Fig 110 and are summarized in the subsequent table.

Fig 110 Artifacts of Feature: Xml Interface

Artifacts of Feature: Xml Interface
Inputs:
• User Input
Inputs & Outputs:
• Model

Table 576 Artifacts of Feature: Xml Interface

1.16.3 POTENTIAL ERRORS IN TOOL CHAIN ANALYZER

The tool has 11 different potential errors in 19 occurrences in use cases. The error flow, as can be seen in Fig 111, consists of all relations from errors to checks or restrictions. There are

• no relation from errors caused by other tools to checks or restrictions defined for use cases of this tool.

• 7 relations from errors caused by this tool to checks or restrictions defined for use cases of this tool.

• 2 relations from errors caused by this tool to checks or restrictions defined for use cases of other tools.

• 10 errors caused by this tool without any relation to checks or restrictions.

Fig 111 Error Flow to and from Tool Chain Analyzer

Tool Chain Analyzer has the following 7 relations, which are detected by checks or restrictions of this tool. The errors are described in detail in the TCL analysis of the corresponding use cases:

• Model Not Adequate (Table 599)
• Wrong Export
  o 2 occurrences: Table 601, Table 581
• Wrong Import
  o 2 occurrences: Table 602, Table 582
• Wrong XML Export (Table 586)
• Wrong XML Import (Table 587)

Due to 2 relations, Tool Chain Analyzer has an impact on one other tool. The errors are listed in Table 577.

Tool             Error                            UseCase        Table
Process Checker  Process Inconsistently Modelled  Create Model   Table 585
Process Checker  Process Inconsistently Modelled  Review Model   Table 600

Table 577 Errors of Tool Chain Analyzer with impact on other tools

The following 10 error occurrences of Tool Chain Analyzer have no relation to any check or restriction:

• Any EMF Error
  o 5 occurrences: Table 589, Table 580, Table 594, Table 584, Table 598
• Document Generated Wrongly (Table 595)
• TCL Wrongly Shown (Table 590)
• TCL Wrongly Written (Table 591)
• Wrong TCL Computed
  o 2 occurrences: Table 592, Table 596

1.16.4 RESTRICTIONS IN TOOL CHAIN ANALYZER

There are no restrictions in the tool Tool Chain Analyzer.

1.16.5 CHECKS IN TOOL CHAIN ANALYZER

The following check is performed in the tool Tool Chain Analyzer.
Check: Review Checklist
Description: The model review can be performed using review checklists where the reviewers fill in their names, findings, ...
Comment: Using this there is a high probability of finding missing review elements.
From feature: Tool Chain Analyzer, Safety Guidelines, SG_Use Review Checklist
Occurrences:
• in SG_Use Review Checklist in Review Model
Error detection probability: TD 1 (HIGH)
Detected errors:
• Review Model, Model Not Adequate

Table 578 Check: Review Checklist

1.16.6 ASSUMPTIONS

The determination of the TCL of Tool Chain Analyzer is based on the following assumption on the development process.

• Feature: Safety Guidelines,SG_Avoid Feature

1.16.7 TCL DETERMINATION

This section determines a TCL for each use case by assigning checks or restrictions with detection/avoidance probability to each potential error. The TCL for the entire tool can be derived from the TCL for each use case. The tool Tool Chain Analyzer has no use case with TCL 1, no use case with TCL 2 and 5 use cases with TCL 3. Therefore the tool Tool Chain Analyzer has TCL 3. The use cases are described in the following sections:

• For "Cost Calculation" (TCL 3) see Section 1.16.7.1,
• for "Create Model" (TCL 3) see Section 1.16.7.2,
• for "Determinate Tool Confidence Level" (TCL 3) see Section 1.16.7.3,
• for "Generate Tool Classification Report" (TCL 3) see Section 1.16.7.4, and
• for "Review Model" (TCL 3) see Section 1.16.7.5.
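The derivation rule just stated (an error's TD comes from the checks or restrictions assigned to it, a use case takes the weakest TD of its errors, and the tool takes the weakest TCL of its use cases) carried through on the report's own data, as an added illustration that is not part of the TCA report or of the tool. The error and check data are transcribed from Table 578, Table 579 and Table 597; the assumption that an error with no assigned check or restriction stays at TD 3 (LOW) is made for this example, and the SG_Avoid Feature restriction is left out because the report's tables still list Wrong Export and Wrong Import at TD 3 (LOW).

```python
"""TCL derivation as described in section 1.16.7 (added example, not TCA code)."""
from dataclasses import dataclass, field

# Tool Detection levels as the report uses them: TD 1 is HIGH detection
# probability, TD 3 is LOW; a larger number means weaker detection.
TD_LABEL = {1: "TD 1 (HIGH)", 2: "TD 2 (MEDIUM)", 3: "TD 3 (LOW)"}


@dataclass
class Measure:
    """A check or restriction assigned to an error, with its TD level."""
    name: str
    td: int


@dataclass
class PotentialError:
    """A potential error of a use case and the measures assigned to it."""
    name: str
    measures: list = field(default_factory=list)

    def td(self) -> int:
        # Best (numerically lowest) detection level among the assigned
        # measures. Assumption for this example: an error without any
        # assigned check or restriction stays at TD 3 (LOW).
        return min((m.td for m in self.measures), default=3)


def use_case_tcl(errors) -> int:
    """TCL of a use case: the weakest (highest-numbered) TD of its errors."""
    return max(e.td() for e in errors)


def tool_tcl(use_cases) -> int:
    """TCL of the whole tool: the weakest TCL over all of its use cases."""
    return max(use_case_tcl(errs) for errs in use_cases.values())


# Measures named in the report (Table 578 and Table 585), both TD 1 (HIGH).
REVIEW_CHECKLIST = Measure("SG_Use Review Checklist.Review Checklist", 1)
CONSISTENT_PROCESS = Measure("Validate Process.Consistent Process", 1)

# Two of the five use cases, transcribed from Table 579 and Table 597.
TCA_USE_CASES = {
    "Cost Calculation": [
        PotentialError("Any EMF Error"),
        PotentialError("Wrong Export"),
        PotentialError("Wrong Import"),
    ],
    "Review Model": [
        PotentialError("Any EMF Error"),
        PotentialError("Model Not Adequate", [REVIEW_CHECKLIST]),
        PotentialError("Process Inconsistently Modelled", [CONSISTENT_PROCESS]),
        PotentialError("Wrong Export"),
        PotentialError("Wrong Import"),
    ],
}


def report(use_cases) -> list:
    """Per-use-case overview in the report's 'Error / TD' form plus the tool TCL."""
    lines = []
    for uc, errs in use_cases.items():
        lines.append(f'Use case "{uc}" has TCL {use_case_tcl(errs)}')
        for e in errs:
            lines.append(f"  {e.name}: {TD_LABEL[e.td()]}")
    lines.append(f"Tool TCL {tool_tcl(use_cases)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(TCA_USE_CASES)))
```

Running it shows why "Review Model" stays at TCL 3 despite two errors detected with TD 1 (HIGH): a single undetected error such as "Any EMF Error" fixes the use case, and therefore the tool, at the weakest level.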

1.16.7.1 TCL DETERMINATION FOR USE CASE: COST CALCULATION

The use case "Cost Calculation" has TCL 3. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "Cost Calculation".

Error          TD          Table
Any EMF Error  TD 3 (LOW)  Table 580
Wrong Export   TD 3 (LOW)  Table 581
Wrong Import   TD 3 (LOW)  Table 582

Table 579 Errors of Use Case: Cost Calculation

Error: Any EMF Error
Description: Any error that can occur in EMF (uncritical errors may be excluded)
From feature: EMF
Subsumes:
• "Algorithm Error" from "Fcn_Algorithm"

• "Defect File" from "Data_File" • "Defect Text" from "Data_File_Text" • "Empty File" from "Data_File" • "Empty Model" from "Data_File_Syntax_Model" • "Empty Text" from "Data_File_Text" • "Line Missing" from "Data_File_Text" • "Model Unreadable" from "Data_File_Syntax_Model"

• "No Interaction" from "Data_Interaction" • "Not Accessible File" from "Data_File" • "Not Accessible Model" from "Data_File_Syntax_Model" • "Not Accessible Text" from "Data_File_Text" • "Other File" from "Data_File" • "Other Model" from "Data_File_Syntax_Model" • "Other Partner" from "Data_Interaction" • "Other Text" from "Data_File_Text" • "Too Big File" from "Data_File" • "Too Big Model" from "Data_File_Syntax_Model" • "Too Big Text" from "Data_File_Text" • "Too Early Data" from "Data_Interaction" • "Too Late Data" from "Data_Interaction" • "Transformation Not Supported" from "Fcn_Behaviour_Transformation" • "Wrong Algorithm" from "Fcn_Algorithm" • "Wrong Behaviour" from "Fcn_Behaviour" • "Wrong Interaction" from "Data_Interaction" • "Wrong Model Behaviour" from "Data_File_Syntax_Model" • "Wrong Model Description" from "Data_File_Syntax_Model" • "Wrong Transformation" from "Fcn_Behaviour_Transformation" • "Wrong Variant" from "Fcn_Variants"

Occurrences:
• in EMF in Cost Calculation
Error View:

Table 580 Error: Any EMF Error

Error: Wrong Export
Description: The Excel file does not contain the relevant information of the model.
From feature: Excel Interface
Subsumes:
• "Decoded Wongly" from "Fcn_Algorithm_DeEncode" • "Defect File" from "Data_File" • "Empty File" from "Data_File" • "Empty Syntaxfile" from "Data_File_Syntax" • "Empty Table" from "Data_File_Table" • "Encoded Wrongly" from "Fcn_Algorithm_DeEncode" • "Not Accessible File" from "Data_File" • "Not Accessible Syntaxfile" from "Data_File_Syntax" • "Not Accessible Table" from "Data_File_Table" • "Option Defect" from "Fcn_Variants_Options" • "Option Ignored" from "Fcn_Variants_Options" • "Other File" from "Data_File" • "Other Syntaxfile" from "Data_File_Syntax" • "Other Table" from "Data_File_Table" • "Syntax Error" from "Data_File_Syntax" • "Table Column Error" from "Data_File_Table" • "Table Row Error" from "Data_File_Table" • "Too Big File" from "Data_File" • "Too Big Syntaxfile" from "Data_File_Syntax" • "Transformation Not Supported" from "Fcn_Behaviour_Transformation" • "Wrong Behaviour" from "Fcn_Behaviour" • "Wrong Cell Data" from "Data_File_Table" • "Wrong Semantic" from "Data_File_Syntax" • "Wrong Transformation" from "Fcn_Behaviour_Transformation"

Occurrences:
• in Excel Interface in Cost Calculation
Avoided by the following restrictions:
• Safety Guidelines,SG_Avoid Feature.Avoid Features
Error View:

Table 581 Error: Wrong Export

Error: Wrong Import
Description: The model is created wrongly.
From feature: Excel Interface
Subsumes:
• "Defect File" from "Data_File"

• "Empty File" from "Data_File" • "Empty Model" from "Data_File_Syntax_Model" • "Model Unreadable" from "Data_File_Syntax_Model" • "Not Accessible File" from "Data_File" • "Not Accessible Model" from "Data_File_Syntax_Model" • "Option Defect" from "Fcn_Variants_Options" • "Option Ignored" from "Fcn_Variants_Options" • "Other File" from "Data_File" • "Other Model" from "Data_File_Syntax_Model" • "Too Big File" from "Data_File" • "Too Big Model" from "Data_File_Syntax_Model" • "Wrong Model Behaviour" from "Data_File_Syntax_Model" • "Wrong Model Description" from "Data_File_Syntax_Model"

Occurrences:
• in Excel Interface in Cost Calculation
Avoided by the following restrictions:
• Safety Guidelines,SG_Avoid Feature.Avoid Features
Error View:

Table 582 Error: Wrong Import

1.16.7.2 TCL DETERMINATION FOR USE CASE: CREATE MODEL

The use case "Create Model" has TCL 3. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "Create Model".

Error                            TD           Table
Any EMF Error                    TD 3 (LOW)   Table 584
Process Inconsistently Modelled  TD 1 (HIGH)  Table 585
Wrong XML Export                 TD 3 (LOW)   Table 586
Wrong XML Import                 TD 3 (LOW)   Table 587

Table 583 Errors of Use Case: Create Model

Error: Any EMF Error
Description: Any error that can occur in EMF (uncritical errors may be excluded)
From feature: EMF
Subsumes:
• "Algorithm Error" from "Fcn_Algorithm"

• "Defect File" from "Data_File" • "Defect Text" from "Data_File_Text" • "Empty File" from "Data_File" • "Empty Model" from "Data_File_Syntax_Model" • "Empty Text" from "Data_File_Text" • "Line Missing" from "Data_File_Text" • "Model Unreadable" from "Data_File_Syntax_Model" • "No Interaction" from "Data_Interaction" • "Not Accessible File" from "Data_File" • "Not Accessible Model" from "Data_File_Syntax_Model" • "Not Accessible Text" from "Data_File_Text" • "Other File" from "Data_File" • "Other Model" from "Data_File_Syntax_Model" • "Other Partner" from "Data_Interaction" • "Other Text" from "Data_File_Text" • "Too Big File" from "Data_File" • "Too Big Model" from "Data_File_Syntax_Model" • "Too Big Text" from "Data_File_Text" • "Too Early Data" from "Data_Interaction" • "Too Late Data" from "Data_Interaction" • "Transformation Not Supported" from "Fcn_Behaviour_Transformation" • "Wrong Algorithm" from "Fcn_Algorithm" • "Wrong Behaviour" from "Fcn_Behaviour" • "Wrong Interaction" from "Data_Interaction" • "Wrong Model Behaviour" from "Data_File_Syntax_Model" • "Wrong Model Description" from "Data_File_Syntax_Model" • "Wrong Transformation" from "Fcn_Behaviour_Transformation" • "Wrong Variant" from "Fcn_Variants"

Occurrences:
• in EMF in Create Model
Error View:
Table 584 Error: Any EMF Error

Error: Process Inconsistently Modelled
Description: The process might be inconsistent, e.g. a document is neither created nor written.
From feature: Model Validation
Subsumes:
• "Algorithm Error" from "Fcn_Algorithm"

• "Defect File" from "Data_File" • "Defect Text" from "Data_File_Text" • "Empty File" from "Data_File" • "Empty Text" from "Data_File_Text" • "Line Missing" from "Data_File_Text" • "No Interaction" from "Data_Interaction" • "Not Accessible File" from "Data_File" • "Not Accessible Text" from "Data_File_Text" • "Other File" from "Data_File" • "Other Partner" from "Data_Interaction" • "Other Text" from "Data_File_Text" • "Too Big File" from "Data_File" • "Too Big Text" from "Data_File_Text" • "Too Early Data" from "Data_Interaction" • "Too Late Data" from "Data_Interaction" • "Wrong Algorithm" from "Fcn_Algorithm" • "Wrong Behaviour" from "Fcn_Behaviour" • "Wrong Error Reported" from "Model Validation" • "Wrong Interaction" from "Data_Interaction" • "Wrong Specification" from "Fcn_Specification"

Occurrences:
• in Model Validation in Create Model
Avoided by the following restrictions:
• Validate Process.Consistent Process
Error View:

Table 585 Error: Process Inconsistently Modelled

Error: Wrong XML Export
Description: The XML file does not contain the relevant information of the model.
From feature: Xml Interface
Occurrences:
• in Xml Interface in Create Model
Avoided by the following restrictions:
• Safety Guidelines,SG_Avoid Feature.Avoid Features
Error View:
Table 586 Error: Wrong XML Export

Error: Wrong XML Import
Description: The model is created wrongly.
From feature: Xml Interface
Subsumes:
• "Defect File" from "Data_File"

• "Empty File" from "Data_File" • "Empty Model" from "Data_File_Syntax_Model" • "Model Unreadable" from "Data_File_Syntax_Model" • "Not Accessible File" from "Data_File" • "Not Accessible Model" from "Data_File_Syntax_Model" • "Other File" from "Data_File" • "Other Model" from "Data_File_Syntax_Model" • "Too Big File" from "Data_File" • "Too Big Model" from "Data_File_Syntax_Model" • "Wrong Model Behaviour" from "Data_File_Syntax_Model" • "Wrong Model Description" from "Data_File_Syntax_Model"

Occurrences:
• in Xml Interface in Create Model
Avoided by the following restrictions:
• Safety Guidelines,SG_Avoid Feature.Avoid Features
Error View:
Table 587 Error: Wrong XML Import

1.16.7.3 TCL DETERMINATION FOR USE CASE: DETERMINATE TOOL CONFIDENCE LEVEL

The use case "Determinate Tool Confidence Level" has TCL 3. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "Determinate Tool Confidence Level".

Error                TD          Table
Any EMF Error        TD 3 (LOW)  Table 589
TCL Wrongly Shown    TD 3 (LOW)  Table 590
TCL Wrongly Written  TD 3 (LOW)  Table 591
Wrong TCL Computed   TD 3 (LOW)  Table 592

Table 588 Errors of Use Case: Determinate Tool Confidence Level

Error: Any EMF Error
Description: Any error that can occur in EMF (uncritical errors may be excluded)
From feature: EMF
Subsumes:
• "Algorithm Error" from "Fcn_Algorithm"

• "Defect File" from "Data_File" • "Defect Text" from "Data_File_Text" • "Empty File" from "Data_File" • "Empty Model" from "Data_File_Syntax_Model" • "Empty Text" from "Data_File_Text" • "Line Missing" from "Data_File_Text" • "Model Unreadable" from "Data_File_Syntax_Model" • "No Interaction" from "Data_Interaction" • "Not Accessible File" from "Data_File" • "Not Accessible Model" from "Data_File_Syntax_Model"

• "Not Accessible Text" from "Data_File_Text" • "Other File" from "Data_File" • "Other Model" from "Data_File_Syntax_Model" • "Other Partner" from "Data_Interaction" • "Other Text" from "Data_File_Text" • "Too Big File" from "Data_File" • "Too Big Model" from "Data_File_Syntax_Model" • "Too Big Text" from "Data_File_Text" • "Too Early Data" from "Data_Interaction" • "Too Late Data" from "Data_Interaction" • "Transformation Not Supported" from "Fcn_Behaviour_Transformation" • "Wrong Algorithm" from "Fcn_Algorithm" • "Wrong Behaviour" from "Fcn_Behaviour" • "Wrong Interaction" from "Data_Interaction" • "Wrong Model Behaviour" from "Data_File_Syntax_Model" • "Wrong Model Description" from "Data_File_Syntax_Model" • "Wrong Transformation" from "Fcn_Behaviour_Transformation" • "Wrong Variant" from "Fcn_Variants"

Occurrences:
• in EMF in Determinate Tool Confidence Level
Error View:

Table 589 Error: Any EMF Error

Error: TCL Wrongly Shown
Description: TCL is computed correctly but wrongly shown
From use case: Determinate Tool Confidence Level
Subsumes:
• "Defect Text" from "Data_File_Text"

• "Empty Text" from "Data_File_Text" • "Line Missing" from "Data_File_Text"

• "No Interaction" from "Data_Interaction" • "Not Accessible Text" from "Data_File_Text" • "Other Partner" from "Data_Interaction" • "Other Text" from "Data_File_Text" • "Too Big Text" from "Data_File_Text" • "Too Early Data" from "Data_Interaction" • "Too Late Data" from "Data_Interaction" • "Wrong Interaction" from "Data_Interaction"

Occurrences:
• in Determinate Tool Confidence Level
Error View:

Table 590 Error: TCL Wrongly Shown

Error: TCL Wrongly Written
Description: TCL is computed or written wrongly into a file
From use case: Determinate Tool Confidence Level
Subsumes:
• "Defect File" from "Data_File"

• "Defect Text" from "Data_File_Text" • "Empty File" from "Data_File" • "Empty Model" from "Data_File_Syntax_Model" • "Empty Syntaxfile" from "Data_File_Syntax" • "Empty Table" from "Data_File_Table" • "Empty Text" from "Data_File_Text" • "Line Missing" from "Data_File_Text" • "Model Unreadable" from "Data_File_Syntax_Model" • "No XML Content" from "Data_File_Syntax_XML" • "Not Accessible File" from "Data_File" • "Not Accessible Model" from "Data_File_Syntax_Model" • "Not Accessible Syntaxfile" from "Data_File_Syntax" • "Not Accessible Table" from "Data_File_Table" • "Not Accessible Text" from "Data_File_Text" • "Not Accessible XML File" from "Data_File_Syntax_XML" • "Other File" from "Data_File" • "Other Model" from "Data_File_Syntax_Model" • "Other Syntaxfile" from "Data_File_Syntax"

• "Other Table" from "Data_File_Table" • "Other Text" from "Data_File_Text" • "Other XML File" from "Data_File_Syntax_XML" • "Syntax Error" from "Data_File_Syntax" • "Table Column Error" from "Data_File_Table" • "Table Row Error" from "Data_File_Table" • "Too Big File" from "Data_File" • "Too Big Model" from "Data_File_Syntax_Model" • "Too Big Syntaxfile" from "Data_File_Syntax" • "Too Big Text" from "Data_File_Text" • "Wron XML Composition" from "Data_File_Syntax_XML" • "Wrong Cell Data" from "Data_File_Table" • "Wrong Model Behaviour" from "Data_File_Syntax_Model" • "Wrong Model Description" from "Data_File_Syntax_Model" • "Wrong Semantic" from "Data_File_Syntax" • "XML Attribute Error" from "Data_File_Syntax_XML" • "XML Link Error" from "Data_File_Syntax_XML" • "XML Schema Violation" from "Data_File_Syntax_XML"

Occurrences:
• in Determinate Tool Confidence Level
Error View:

Table 591 Error: TCL Wrongly Written

Error: Wrong TCL Computed
Description: The TCL is computed wrongly, e.g. TCL 1 instead of TCL >1
From feature: Compute Tool Confidence Level
Subsumes:
• "Algorithm Error" from "Fcn_Algorithm"

• "Defect File" from "Data_File" • "Defect Text" from "Data_File_Text" • "Empty File" from "Data_File" • "Empty Model" from "Data_File_Syntax_Model" • "Empty Syntaxfile" from "Data_File_Syntax" • "Empty Table" from "Data_File_Table" • "Empty Text" from "Data_File_Text" • "Line Missing" from "Data_File_Text"

• "Model Unreadable" from "Data_File_Syntax_Model" • "No Interaction" from "Data_Interaction" • "Not Accessible File" from "Data_File" • "Not Accessible Model" from "Data_File_Syntax_Model" • "Not Accessible Syntaxfile" from "Data_File_Syntax" • "Not Accessible Table" from "Data_File_Table" • "Not Accessible Text" from "Data_File_Text" • "Other File" from "Data_File" • "Other Model" from "Data_File_Syntax_Model" • "Other Partner" from "Data_Interaction" • "Other Syntaxfile" from "Data_File_Syntax" • "Other Table" from "Data_File_Table" • "Other Text" from "Data_File_Text" • "Syntax Error" from "Data_File_Syntax" • "Table Column Error" from "Data_File_Table" • "Table Row Error" from "Data_File_Table" • "Too Big File" from "Data_File" • "Too Big Model" from "Data_File_Syntax_Model" • "Too Big Syntaxfile" from "Data_File_Syntax" • "Too Big Text" from "Data_File_Text" • "Too Early Data" from "Data_Interaction" • "Too Late Data" from "Data_Interaction" • "Wrong Algorithm" from "Fcn_Algorithm" • "Wrong Cell Data" from "Data_File_Table" • "Wrong Interaction" from "Data_Interaction" • "Wrong Model Behaviour" from "Data_File_Syntax_Model" • "Wrong Model Description" from "Data_File_Syntax_Model" • "Wrong Result" from "Fcn_Behaviour_Calculator" • "Wrong Semantic" from "Data_File_Syntax" • "Wrong Specification" from "Fcn_Specification" • "Wrong Variant" from "Fcn_Variants"

Occurrences:
• in Compute Tool Confidence Level in Determinate Tool Confidence Level
Error View:
Table 592 Error: Wrong TCL Computed

1.16.7.4 TCL DETERMINATION FOR USE CASE: GENERATE TOOL CLASSIFICATION REPORT

The use case "Generate Tool Classification Report" has TCL 3. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "Generate Tool Classification Report".

Error                       TD          Table
Any EMF Error               TD 3 (LOW)  Table 594
Document Generated Wrongly  TD 3 (LOW)  Table 595
Wrong TCL Computed          TD 3 (LOW)  Table 596

Table 593 Errors of Use Case: Generate Tool Classification Report

Error: Any EMF Error
Description: Any error that can occur in EMF (uncritical errors may be excluded)
From feature: EMF
Subsumes:
• "Algorithm Error" from "Fcn_Algorithm"

• "Defect File" from "Data_File" • "Defect Text" from "Data_File_Text" • "Empty File" from "Data_File" • "Empty Model" from "Data_File_Syntax_Model" • "Empty Text" from "Data_File_Text" • "Line Missing" from "Data_File_Text" • "Model Unreadable" from "Data_File_Syntax_Model" • "No Interaction" from "Data_Interaction" • "Not Accessible File" from "Data_File" • "Not Accessible Model" from "Data_File_Syntax_Model" • "Not Accessible Text" from "Data_File_Text"

• "Other File" from "Data_File" • "Other Model" from "Data_File_Syntax_Model" • "Other Partner" from "Data_Interaction" • "Other Text" from "Data_File_Text" • "Too Big File" from "Data_File" • "Too Big Model" from "Data_File_Syntax_Model" • "Too Big Text" from "Data_File_Text" • "Too Early Data" from "Data_Interaction" • "Too Late Data" from "Data_Interaction" • "Transformation Not Supported" from "Fcn_Behaviour_Transformation" • "Wrong Algorithm" from "Fcn_Algorithm" • "Wrong Behaviour" from "Fcn_Behaviour" • "Wrong Interaction" from "Data_Interaction" • "Wrong Model Behaviour" from "Data_File_Syntax_Model" • "Wrong Model Description" from "Data_File_Syntax_Model" • "Wrong Transformation" from "Fcn_Behaviour_Transformation" • "Wrong Variant" from "Fcn_Variants"

Occurrences:
• in EMF in Generate Tool Classification Report
Error View:

Table 594 Error: Any EMF Error

Error: Document Generated Wrongly
Description: Document does not fit to the model.
From feature: Generate Word (docx)
Subsumes:
• "Defect File" from "Data_File"

• "Defect Text" from "Data_File_Text" • "Empty File" from "Data_File" • "Empty Syntaxfile" from "Data_File_Syntax"

• "Empty Text" from "Data_File_Text" • "Line Missing" from "Data_File_Text" • "Missing CPU" from "Fcn_Resource_CPU" • "Not Accessible File" from "Data_File" • "Not Accessible Syntaxfile" from "Data_File_Syntax" • "Not Accessible Text" from "Data_File_Text" • "Other File" from "Data_File" • "Other Syntaxfile" from "Data_File_Syntax" • "Other Text" from "Data_File_Text" • "Syntax Error" from "Data_File_Syntax" • "Too Big File" from "Data_File" • "Too Big Syntaxfile" from "Data_File_Syntax" • "Too Big Text" from "Data_File_Text" • "Transformation Not Supported" from "Fcn_Behaviour_Transformation" • "Wrong Semantic" from "Data_File_Syntax" • "Wrong Specification" from "Fcn_Specification" • "Wrong Transformation" from "Fcn_Behaviour_Transformation" • "Wrong Variant" from "Fcn_Variants"

Occurrences:
• in Generate Word (docx) in Generate Tool Classification Report
Error View:

Table 595 Error: Document Generated Wrongly

Error: Wrong TCL Computed
Description: The TCL is computed wrongly, e.g. TCL 1 instead of TCL >1
From feature: Compute Tool Confidence Level
Subsumes:
• "Algorithm Error" from "Fcn_Algorithm"

• "Defect File" from "Data_File" • "Defect Text" from "Data_File_Text"

• "Empty File" from "Data_File" • "Empty Model" from "Data_File_Syntax_Model" • "Empty Syntaxfile" from "Data_File_Syntax" • "Empty Table" from "Data_File_Table" • "Empty Text" from "Data_File_Text" • "Line Missing" from "Data_File_Text" • "Model Unreadable" from "Data_File_Syntax_Model" • "No Interaction" from "Data_Interaction" • "Not Accessible File" from "Data_File" • "Not Accessible Model" from "Data_File_Syntax_Model" • "Not Accessible Syntaxfile" from "Data_File_Syntax" • "Not Accessible Table" from "Data_File_Table" • "Not Accessible Text" from "Data_File_Text" • "Other File" from "Data_File" • "Other Model" from "Data_File_Syntax_Model" • "Other Partner" from "Data_Interaction" • "Other Syntaxfile" from "Data_File_Syntax" • "Other Table" from "Data_File_Table" • "Other Text" from "Data_File_Text" • "Syntax Error" from "Data_File_Syntax" • "Table Column Error" from "Data_File_Table" • "Table Row Error" from "Data_File_Table" • "Too Big File" from "Data_File" • "Too Big Model" from "Data_File_Syntax_Model" • "Too Big Syntaxfile" from "Data_File_Syntax" • "Too Big Text" from "Data_File_Text" • "Too Early Data" from "Data_Interaction" • "Too Late Data" from "Data_Interaction" • "Wrong Algorithm" from "Fcn_Algorithm" • "Wrong Cell Data" from "Data_File_Table" • "Wrong Interaction" from "Data_Interaction" • "Wrong Model Behaviour" from "Data_File_Syntax_Model" • "Wrong Model Description" from "Data_File_Syntax_Model" • "Wrong Result" from "Fcn_Behaviour_Calculator" • "Wrong Semantic" from "Data_File_Syntax" • "Wrong Specification" from "Fcn_Specification" • "Wrong Variant" from "Fcn_Variants"

Occurrences:
• in Compute Tool Confidence Level in Generate Tool Classification Report
Error View:
Table 596 Error: Wrong TCL Computed

1.16.7.5 TCL DETERMINATION FOR USE CASE: REVIEW MODEL

The use case "Review Model" has TCL 3. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "Review Model".

Error                            TD           Table
Any EMF Error                    TD 3 (LOW)   Table 598
Model Not Adequate               TD 1 (HIGH)  Table 599
Process Inconsistently Modelled  TD 1 (HIGH)  Table 600
Wrong Export                     TD 3 (LOW)   Table 601
Wrong Import                     TD 3 (LOW)   Table 602

Table 597 Errors of Use Case: Review Model

Error: Any EMF Error
Description: Any error that can occur in EMF (uncritical errors may be excluded)
From feature: EMF
Subsumes:
• "Algorithm Error" from "Fcn_Algorithm"

• "Defect File" from "Data_File" • "Defect Text" from "Data_File_Text" • "Empty File" from "Data_File" • "Empty Model" from "Data_File_Syntax_Model" • "Empty Text" from "Data_File_Text" • "Line Missing" from "Data_File_Text" • "Model Unreadable" from "Data_File_Syntax_Model" • "No Interaction" from "Data_Interaction" • "Not Accessible File" from "Data_File"

• "Not Accessible Model" from "Data_File_Syntax_Model" • "Not Accessible Text" from "Data_File_Text" • "Other File" from "Data_File" • "Other Model" from "Data_File_Syntax_Model" • "Other Partner" from "Data_Interaction" • "Other Text" from "Data_File_Text" • "Too Big File" from "Data_File" • "Too Big Model" from "Data_File_Syntax_Model" • "Too Big Text" from "Data_File_Text" • "Too Early Data" from "Data_Interaction" • "Too Late Data" from "Data_Interaction" • "Transformation Not Supported" from "Fcn_Behaviour_Transformation" • "Wrong Algorithm" from "Fcn_Algorithm" • "Wrong Behaviour" from "Fcn_Behaviour" • "Wrong Interaction" from "Data_Interaction" • "Wrong Model Behaviour" from "Data_File_Syntax_Model" • "Wrong Model Description" from "Data_File_Syntax_Model" • "Wrong Transformation" from "Fcn_Behaviour_Transformation" • "Wrong Variant" from "Fcn_Variants"

Occurrences: • in EMF in Review Model Error View:

Table 598 Error: Any EMF Error

Error: Model Not Adequate
Description: An important issue has not been reviewed correctly, i.e. a finding has been overlooked and the model is not adequate.
From use case: Review Model
Discovered by the following checks:
• Safety Guidelines,SG_Use Review Checklist.Review Checklist
Subsumes:
• "Defect File" from "Data_File"
• "Defect Text" from "Data_File_Text"
• "Empty File" from "Data_File"
• "Empty Model" from "Data_File_Syntax_Model"
• "Empty Syntaxfile" from "Data_File_Syntax"
• "Empty Table" from "Data_File_Table"
• "Empty Text" from "Data_File_Text"
• "Line Missing" from "Data_File_Text"
• "Model Unreadable" from "Data_File_Syntax_Model"
• "No Interaction" from "Data_Interaction"
• "Not Accessible File" from "Data_File"
• "Not Accessible Model" from "Data_File_Syntax_Model"
• "Not Accessible Syntaxfile" from "Data_File_Syntax"
• "Not Accessible Table" from "Data_File_Table"
• "Not Accessible Text" from "Data_File_Text"
• "Other File" from "Data_File"
• "Other Model" from "Data_File_Syntax_Model"
• "Other Partner" from "Data_Interaction"
• "Other Syntaxfile" from "Data_File_Syntax"
• "Other Table" from "Data_File_Table"
• "Other Text" from "Data_File_Text"
• "Syntax Error" from "Data_File_Syntax"
• "Table Column Error" from "Data_File_Table"
• "Table Row Error" from "Data_File_Table"
• "Too Big File" from "Data_File"
• "Too Big Model" from "Data_File_Syntax_Model"
• "Too Big Syntaxfile" from "Data_File_Syntax"
• "Too Big Text" from "Data_File_Text"
• "Too Early Data" from "Data_Interaction"
• "Too Late Data" from "Data_Interaction"
• "Wrong Cell Data" from "Data_File_Table"
• "Wrong Interaction" from "Data_Interaction"
• "Wrong Model Behaviour" from "Data_File_Syntax_Model"
• "Wrong Model Description" from "Data_File_Syntax_Model"
• "Wrong Semantic" from "Data_File_Syntax"
Occurrences:
• in Review Model
Error View:


Table 599 Error: Model Not Adequate

Error: Process Inconsistently Modelled
Description: The process might be inconsistent, e.g. a document is neither created nor written.
From feature: Model Validation
Subsumes:
• "Algorithm Error" from "Fcn_Algorithm"
• "Defect File" from "Data_File"
• "Defect Text" from "Data_File_Text"
• "Empty File" from "Data_File"
• "Empty Text" from "Data_File_Text"
• "Line Missing" from "Data_File_Text"
• "No Interaction" from "Data_Interaction"
• "Not Accessible File" from "Data_File"
• "Not Accessible Text" from "Data_File_Text"
• "Other File" from "Data_File"
• "Other Partner" from "Data_Interaction"
• "Other Text" from "Data_File_Text"
• "Too Big File" from "Data_File"
• "Too Big Text" from "Data_File_Text"
• "Too Early Data" from "Data_Interaction"
• "Too Late Data" from "Data_Interaction"
• "Wrong Algorithm" from "Fcn_Algorithm"
• "Wrong Behaviour" from "Fcn_Behaviour"
• "Wrong Error Reported" from "Model Validation"
• "Wrong Interaction" from "Data_Interaction"
• "Wrong Specification" from "Fcn_Specification"
Occurrences:
• in Model Validation in Review Model
Avoided by the following restrictions:
• Validate Process.Consistent Process
Error View:

Table 600 Error: Process Inconsistently Modelled

Error: Wrong Export
Description: The Excel file does not contain the relevant information of the model.
From feature: Excel Interface
Subsumes:
• "Decoded Wongly" from "Fcn_Algorithm_DeEncode"
• "Defect File" from "Data_File"
• "Empty File" from "Data_File"
• "Empty Syntaxfile" from "Data_File_Syntax"
• "Empty Table" from "Data_File_Table"
• "Encoded Wrongly" from "Fcn_Algorithm_DeEncode"
• "Not Accessible File" from "Data_File"
• "Not Accessible Syntaxfile" from "Data_File_Syntax"
• "Not Accessible Table" from "Data_File_Table"
• "Option Defect" from "Fcn_Variants_Options"
• "Option Ignored" from "Fcn_Variants_Options"
• "Other File" from "Data_File"
• "Other Syntaxfile" from "Data_File_Syntax"
• "Other Table" from "Data_File_Table"
• "Syntax Error" from "Data_File_Syntax"
• "Table Column Error" from "Data_File_Table"
• "Table Row Error" from "Data_File_Table"
• "Too Big File" from "Data_File"
• "Too Big Syntaxfile" from "Data_File_Syntax"
• "Transformation Not Supported" from "Fcn_Behaviour_Transformation"
• "Wrong Behaviour" from "Fcn_Behaviour"
• "Wrong Cell Data" from "Data_File_Table"
• "Wrong Semantic" from "Data_File_Syntax"
• "Wrong Transformation" from "Fcn_Behaviour_Transformation"
Occurrences:
• in Excel Interface in Review Model
Avoided by the following restrictions:
• Safety Guidelines,SG_Avoid Feature.Avoid Features
Error View:

Table 601 Error: Wrong Export

Error: Wrong Import
Description: The model is created wrongly.
From feature: Excel Interface
Subsumes:
• "Defect File" from "Data_File"
• "Empty File" from "Data_File"
• "Empty Model" from "Data_File_Syntax_Model"
• "Model Unreadable" from "Data_File_Syntax_Model"
• "Not Accessible File" from "Data_File"
• "Not Accessible Model" from "Data_File_Syntax_Model"
• "Option Defect" from "Fcn_Variants_Options"
• "Option Ignored" from "Fcn_Variants_Options"
• "Other File" from "Data_File"
• "Other Model" from "Data_File_Syntax_Model"
• "Too Big File" from "Data_File"
• "Too Big Model" from "Data_File_Syntax_Model"
• "Wrong Model Behaviour" from "Data_File_Syntax_Model"
• "Wrong Model Description" from "Data_File_Syntax_Model"
Occurrences:
• in Excel Interface in Review Model
Avoided by the following restrictions:
• Safety Guidelines,SG_Avoid Feature.Avoid Features
Error View:

Table 602 Error: Wrong Import

1.17 VERSAA

This section explains the determination of the Tool Confidence Level (TCL) for the tool VerSAA.

Tool: VerSAA
Description: Contract-based verifier for Simulink models developed at AAU
Impact: TI 2 (Impact)
Tool Confidence Level: TCL 1

Table 603 Tool: VerSAA


The tool VerSAA is modeled with 7 elements which have impact; none of them are assumptions. No additional features have been modeled.

Elements            Amount (Assumptions)
Use Cases           1 (0)
Checks              3 (0)
Restrictions        0 (0)
Potential Errors    3 (0)

Table 604 Amount of Elements in Tool: VerSAA

1.17.1 USE CASES OF VERSAA

This section describes all analyzed use cases of VerSAA in separate subsections. The following use cases of the tool VerSAA are considered:

1. Verify, see Section 1.17.1.1

1.17.1.1 USE CASE VERIFY

This section describes the use case "Verify".

UseCase: Verify
Description: Check that the subsystems in the model satisfy their contracts
Comment: OS: needs to update the model, otherwise no flow to design verifier

Table 605 UseCase: Verify

The use case requires no features and calls no other use cases. The use case "Verify" reads and/or writes the following artifacts. The used artifacts are shown in Fig 112 and are summarized in the subsequent table.


Fig 112 Artifacts of Use Case: Verify

Artifacts of Use Case: Verify
Inputs:
• Contract
• Simulink model
• contract
Outputs:
• VerSAA verification report
Inputs & Outputs:
• Simulink Model

Table 606 Artifacts of Use Case: Verify

1.17.2 FEATURES OF VERSAA

There are no features modeled for VerSAA.

1.17.3 POTENTIAL ERRORS IN VERSAA

The tool has 3 different potential errors in 3 occurrences in use cases. The error flow, as can be seen in Fig 113, consists of all relations from errors to checks or restrictions. There are

• 8 relations from errors caused by other tools to checks or restrictions defined for use cases of this tool.

• no relation from errors caused by this tool to checks or restrictions defined for use cases of this tool.

• 3 relations from errors caused by this tool to checks or restrictions defined for use cases of other tools.


Fig 113 Error Flow to and from VerSAA

Table 607 shows all 8 relations, introduced by 2 other tools:

Tool                        Error                   UseCase     Table
Simulink                    Contract corruption     Modelling   Table 506
                            Contract violation      Modelling   Table 508
                            Contract violation      Modelling   Table 508
                            Runtime error           Modelling   Table 510
                            Wrong contract          Modelling   Table 511
                            Wrong contract          Modelling   Table 511
Simulink Design Verifier    Unsound verification    Verify      Table 520
                            Unsound verification    Verify      Table 520

Table 607 Errors introduced in VerSAA by other tools

Due to these 3 relations, VerSAA has an impact on one other tool. The errors are listed in Table 608.

Tool                        Error                      UseCase   Table
Simulink Design Verifier    Incorrect translation      Verify    Table 613
                            Incorrect VC generation    Verify    Table 614
                            Verifier unsound           Verify    Table 615

Table 608 Errors of VerSAA with impact on other tools

1.17.4 RESTRICTIONS IN VERSAA

There are no restrictions in the tool VerSAA.

1.17.5 CHECKS IN VERSAA

The following 3 checks are performed in the tool VerSAA.

Check: Check contracts
Description: Checks if the subsystems in a model satisfy their contracts
From use case: VerSAA,Verify
Occurrences:
• in Verify
Error detection probability: TD 1 (HIGH)
Detected errors from other tools:
• Verify,Simulink Design Verifier,Verify,Unsound verification
• Verify,Simulink,Modelling,Contract corruption
• Verify,Simulink,Modelling,Contract violation
• Verify,Simulink,Modelling,Wrong contract
Relations to other tools:

Table 609 Check: Check contracts

Check: ContractCheck
Description: Checks if the subsystems in a model satisfy their contracts
From use case: VerSAA,Verify
Occurrences:
• in Verify
Error detection probability: TD 1 (HIGH)
Detected errors from other tools:
• Verify,Simulink Design Verifier,Verify,Unsound verification
• Verify,Simulink,Modelling,Contract violation
• Verify,Simulink,Modelling,Wrong contract
Relations to other tools:

Table 610 Check: ContractCheck

Check: Runtime errors
Description: -None-
From use case: VerSAA,Verify
Occurrences:
• in Verify
Error detection probability: TD 1 (HIGH)
Detected errors from other tools:
• Verify,Simulink,Modelling,Runtime error
Relations to other tools:

Table 611 Check: Runtime errors

1.17.6 ASSUMPTIONS

The determination of the TCL of VerSAA is not based on assumed checks and restrictions. None of the checks and restrictions are modeled as assumptions.

1.17.7 TCL DETERMINATION

This section determines a TCL for each use case by assigning checks or restrictions with detection/avoidance probability to each potential error. The TCL for the entire tool can be derived from the TCL for each use case. The tool VerSAA has one use case with TCL 1, no use case with TCL 2 and no use case with TCL 3. Therefore the tool VerSAA has TCL 1. The use cases are described in the following sections:

• For "Verify" (TCL 1) see Section 1.17.7.1.


1.17.7.1 TCL DETERMINATION FOR USE CASE: VERIFY

The use case "Verify" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "Verify".

Error                      TD            Table
Incorrect translation      TD 1 (HIGH)   Table 613
Incorrect VC generation    TD 1 (HIGH)   Table 614
Verifier unsound           TD 1 (HIGH)   Table 615

Table 612 Errors of Use Case: Verify
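As an added worked example (not part of the generated report or of the Tool Chain Analyzer), the following Python encodes the derivation rule stated above together with the TI x TD to TCL mapping of ISO 26262-8 Table 3, which the report applies but does not reproduce. The TD values are taken from Tables 597 and 612; the Tool Impact TI 2 for the Tool Chain Analyzer's use case "Review Model" is an assumption here, as is treating a use case without potential errors as TCL 1.

```python
"""ISO 26262 Tool Confidence Level (TCL) derivation, as applied in this report.

Added example, not code from the RECOMP report or the Tool Chain Analyzer.
Rule from the report: a use case's TCL follows the lowest Tool Detection level
(TD) among its potential errors; the tool's TCL is the worst of its use cases.
Mapping from ISO 26262-8 Table 3: TI 1 always gives TCL 1; for TI 2 the TCL
number equals the TD number (TD 1 -> TCL 1, TD 2 -> TCL 2, TD 3 -> TCL 3).
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class TI(IntEnum):
    """Tool Impact: TI 1 = a tool malfunction cannot violate a safety requirement."""
    TI1 = 1
    TI2 = 2


class TD(IntEnum):
    """Tool error Detection: TD 1 is the highest detection probability, TD 3 the lowest."""
    HIGH = 1
    MEDIUM = 2
    LOW = 3


@dataclass(frozen=True)
class PotentialError:
    name: str
    # None means no check or restriction covers the error; ISO 26262-8 then
    # requires the most pessimistic level, TD 3.
    td: Optional[TD]

    def effective_td(self) -> TD:
        return self.td if self.td is not None else TD.LOW


def tcl_from_ti_td(ti: TI, td: TD) -> int:
    """ISO 26262-8 Table 3 lookup."""
    if ti == TI.TI1:
        return 1
    return int(td)


def use_case_tcl(ti: TI, errors: list[PotentialError]) -> int:
    """Use case TCL: set by the error with the lowest detection, i.e. the largest TD number."""
    if not errors:
        # Assumption for this example: nothing can lower the confidence.
        return 1
    worst_td = max(e.effective_td() for e in errors)
    return tcl_from_ti_td(ti, worst_td)


def tool_tcl(ti: TI, use_cases: dict[str, list[PotentialError]]) -> int:
    """Tool TCL: the least confident of its use cases; TCL 1 when none are modeled (cf. YICES SMT Solver)."""
    if not use_cases:
        return 1
    return max(use_case_tcl(ti, errs) for errs in use_cases.values())


# Data copied from Table 597 (use case "Review Model") and Table 612 (use case "Verify").
REVIEW_MODEL_ERRORS = [
    PotentialError("Any EMF Error", TD.LOW),
    PotentialError("Model Not Adequate", TD.HIGH),
    PotentialError("Process Inconsistently Modelled", TD.HIGH),
    PotentialError("Wrong Export", TD.LOW),
    PotentialError("Wrong Import", TD.LOW),
]
VERIFY_ERRORS = [
    PotentialError("Incorrect translation", TD.HIGH),
    PotentialError("Incorrect VC generation", TD.HIGH),
    PotentialError("Verifier unsound", TD.HIGH),
]

if __name__ == "__main__":
    # TI 2 for the Tool Chain Analyzer is an assumption of this example.
    print("Review Model:", use_case_tcl(TI.TI2, REVIEW_MODEL_ERRORS))  # 3
    print("VerSAA:", tool_tcl(TI.TI2, {"Verify": VERIFY_ERRORS}))       # 1
    print("YICES SMT Solver:", tool_tcl(TI.TI2, {}))                     # 1
```

Three TD 3 (LOW) errors pull "Review Model" down to TCL 3 even though two of its errors are detected with TD 1, which is why a single uncovered error dominates the result.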

Error: Incorrect translation
Description: The verifier translates the models and contracts to an intermediate format. Simulink is a complex language with no formal semantics, and hence it is difficult to ensure the correctness of this step. However, this transformation needs to preserve the semantics of the model in order for the verification to produce correct results.
From use case: Verify
Discovered by the following checks:
• Verify.Check assertions
Occurrences:
• in Verify
Error View:


Table 613 Error: Incorrect translation

Error: Incorrect VC generation
Description: Verification conditions are generated from the intermediate representation and the contracts. They need to be generated correctly.
From use case: Verify
Discovered by the following checks:
• Verify.Check assertions
Occurrences:
• in Verify
Error View:


Table 614 Error: Incorrect VC generation

Error: Verifier unsound
Description: The SMT solver Z3 is used as the backend prover. This prover is not qualified according to any standard. The prover needs to be sound.
From use case: Verify
Discovered by the following checks:
• Verify.Check assertions
Occurrences:
• in Verify
Error View:


Table 615 Error: Verifier unsound

1.18 YICES SMT SOLVER

This section explains the determination of the Tool Confidence Level (TCL) for the tool YICES SMT Solver.

Tool: YICES SMT Solver
Description: -None-
Impact: TI 2 (Impact)
Tool Confidence Level: TCL 1

Table 616 Tool: YICES SMT Solver

The tool YICES SMT Solver is modeled with no elements that have impact. No additional features have been modeled.

Elements            Amount (Assumptions)
Use Cases           0 (0)
Checks              0 (0)
Restrictions        0 (0)
Potential Errors    0 (0)

Table 617 Amount of Elements in Tool: YICES SMT Solver

1.18.1 USE CASES OF YICES SMT SOLVER

There are no use cases modeled for YICES SMT Solver.

1.18.2 FEATURES OF YICES SMT SOLVER

There are no features modeled for YICES SMT Solver.

1.18.3 POTENTIAL ERRORS IN YICES SMT SOLVER

The tool has no potential error. The error flow consists of all relations from errors to checks or restrictions. There are

• no relation from errors caused by other tools to checks or restrictions defined for use cases of this tool.

• no relation from errors caused by this tool to checks or restrictions defined for use cases of this tool.

• no relation from errors caused by this tool to checks or restrictions defined for use cases of other tools.

1.18.4 RESTRICTIONS IN YICES SMT SOLVER

There are no restrictions in the tool YICES SMT Solver.

1.18.5 CHECKS IN YICES SMT SOLVER

No checks are performed in the tool YICES SMT Solver.

1.18.6 ASSUMPTIONS

The determination of the TCL of YICES SMT Solver is not based on assumed checks and restrictions. None of the checks and restrictions are modeled as assumptions.

1.18.7 TCL DETERMINATION

This section determines a TCL for each use case by assigning checks or restrictions with detection/avoidance probability to each potential error. The TCL for the entire tool can be derived from the TCL for each use case. The tool YICES SMT Solver has no use case with TCL 1, no use case with TCL 2 and no use case with TCL 3. Therefore the tool YICES SMT Solver has TCL 1. There are no use cases modeled for the tool YICES SMT Solver.


1.19 ADDITIONAL INFORMATION

This section contains additional information from the formal model of the tool chain. Additional information is not required by ISO 26262 for the determination of the TCL, but it eases the modeling process and the understanding of the error flow.

1.19.1 ARTIFACTS

The analysis incorporates artifacts for the validation of the model. If an error is checked by another tool, then there should be an information flow between them. Artifacts can be used to model this flow, and our analysis checks whether there is an information flow between error sources and error sinks. Fig 114 shows the whole artifact flow in "RECOMP Tool Chain".

Fig 114 Artifact Flow in RECOMP Tool Chain

The tool chain "RECOMP Tool Chain" uses 64 artifacts, which are described hereafter.

Artifact: AF3 System Model
Description: The integrated data model of AF3
Hierarchy figure:
Hierarchy:
• Detailed System Architecture [Parent]
• Preliminary System Architecture [Parent]
• Requirement Specification [Parent]
• Schedule [Parent]
• Software Unit Design Specification [Parent]
• Spatial Constraints [Parent]
• Test Cases [Parent]
• Test Specification [Parent]
• Timing Parameters [Parent]
Used by feature:
• AF3,Simulating a Logical Architecture
• AF3,Specifying Code-Baed Behavior of a Logical Architecture
• AF3,Specifying Contracts on Logical Components
• AF3,Specifying MSC Requirements
• AF3,Specifying SIL Requirements
• AF3,Specifying State-Based Behavior of a Logical Architecture
• AF3,Specifying Technical Architecture
• AF3,Synthesizing Deployment
• AF3,Synthesizing Real-Time Schedule
• AF3,Synthesizing SIL-Conformant Mapping
• AF3,Synthesizing Test Cases
• AF3,Verifing Contracts of a Logical Architecture
• AF3,Verifying MSC Conformance
• AF3,Verifying Soundness of a Logical Architecture
Created by feature:
• AF3,Specfying Test Suite
• AF3,Specifying Code-Baed Behavior of a Logical Architecture
• AF3,Specifying Contracts on Logical Components
• AF3,Specifying MSC Requirements
• AF3,Specifying SIL Requirements
• AF3,Specifying State-Based Behavior of a Logical Architecture
• AF3,Specifying Structure of a Logical Architecture
• AF3,Specifying Technical Architecture
• AF3,Specifying Textual Requirements
• AF3,Synthesizing Real-Time Schedule
• AF3,Synthesizing SIL-Conformant Mapping
Created by tool:
• AF3
Is a: Detailed System Architecture

Table 618 Artifact: AF3 System Model

Artifact: Application task graph
Description: The task graph for each application

Table 619 Artifact: Application task graph

Artifact: Argumentation
Description: The user writes arguments as input to the tool
Used by tool:
• Tecnalia Assurance Case Editor

Table 620 Artifact: Argumentation

Artifact: Binary executable
Description: Target binary executable
Hierarchy figure:
Hierarchy:
• Evidence [Parent]
Used by tool:
• Tecnalia Assurance Case Editor
Is a: Evidence

Table 621 Artifact: Binary executable

Artifact: C/C++ Source Code
Description: C or C++
Hierarchy figure:
Hierarchy:
• Source Code [Parent]
Used by use case:
• Test Environment,Unit Test
Used by tool:
• Tecnalia Assurance Case Editor
Created by use case:
• Development,Create Code
Is a: Source Code

Table 622 Artifact: C/C++ Source Code

Artifact: Cache-Related Preemption Cost Function
Description: For any duration t, the function gives the maximum delay that the given task can incur when preempted for the first time after t time units. A function CRPD(t) which returns, for any duration t > 0, the maximum delay that the given application can incur if it gets preempted after running non-preemptively for t time units after the beginning of its execution.

Table 623 Artifact: Cache-Related Preemption Cost Function

Artifact: Contract
Description: -None-
Used by use case:
• VerSAA,Verify
Used by tool:
• VerSAA
Created by use case:
• Simulink,Modelling

Table 624 Artifact: Contract

Artifact: contract
Description: -None-
Used by use case:
• Simulink,Contracts to assertions
• VerSAA,Verify
Used by tool:
• VerSAA
Created by use case:
• Simulink,Modelling
Created by tool:
• Simulink

Table 625 Artifact: contract

Artifact: Deployment
Description: generated deployment
Created by feature:
• AF3,Synthesizing Deployment

Table 626 Artifact: Deployment

Artifact: Detailed System Architecture
Description: Contains all the parameters and specifications of the platform
Hierarchy figure:
Hierarchy:
• AF3 System Model [Child]
• Evidence [Parent]
Used by use case:
• GEMDE Certification,Technical view
Used by tool:
• GEMDE Certification
• Tecnalia Assurance Case Editor
Created by feature:
• AF3,Specifying Technical Architecture
Created by use case:
• Medini,Detailed architecture definition
Created by tool:
• Medini
Modified by use case:
• Medini,Detailed architecture definition
Modified by tool:
• Medini
Is a: Evidence
Occurrences:
• AF3 System Model

Table 627 Artifact: Detailed System Architecture

Artifact: Display Output
Description: The tool displays some information to the user
Created by feature:
• AF3,Simulating a Logical Architecture
• Tool Chain Analyzer,Compute Tool Confidence Level
• Tool Chain Analyzer,Cost Model
• Tool Chain Analyzer,EMF
• Tool Chain Analyzer,Model Validation

Table 628 Artifact: Display Output

Artifact: Evidence
Description: Anything that can be considered as a certification evidence
Hierarchy figure:
Hierarchy:
• Binary executable [Child]
• Detailed System Architecture [Child]
• Excel File [Child]
• FHA [Child]
• FMEA [Child]
• FTA [Child]
• Failure rate catalog [Child]
• Functionalities [Child]
• Malfunctions [Child]
• Metrics [Child]
• Overall Project Plan [Child]
• Preliminary System Architecture [Child]
• Report on Maximum CRPDs [Child]
• Report on Schedulability (1 mode) [Child]
• Report on Schedulability (all) [Child]
• Review Protocol [Child]
• SLDV verification report [Child]
• Safety Goals List [Child]
• Safety Manual [Child]
• Safety Plan [Child]
• Safety Requirements [Child]
• Software Unit Design Specification [Child]
• Source Code [Child]
• TBT Data Model [Child]
• TCA-Model [Child]
• Test Cases [Child]
• Test Specification [Child]
• Tool Evaluation Report [Child]
• WCET [Child]
• WCRT [Child]
• Word Document [Child]
Used by use case:
• GEMDE Certification,Technical view
Occurrences:
• Binary executable
• Detailed System Architecture
• Excel File
• FHA
• FMEA
• FTA
• Failure rate catalog
• Functionalities
• Malfunctions
• Metrics
• Overall Project Plan
• Preliminary System Architecture
• Report on Maximum CRPDs
• Report on Schedulability (1 mode)
• Report on Schedulability (all)
• Review Protocol
• SLDV verification report
• Safety Goals List
• Safety Manual
• Safety Plan
• Safety Requirements
• Software Unit Design Specification
• Source Code
• TBT Data Model
• TCA-Model
• Test Cases
• Test Specification
• Tool Evaluation Report
• WCET
• WCRT
• Word Document

Table 629 Artifact: Evidence

Artifact: Excel File
Description: The files that can be read/written from the Excel tool
Hierarchy figure:
Hierarchy:
• Evidence [Parent]
Used by tool:
• Tecnalia Assurance Case Editor
Created by feature:
• Tool Chain Analyzer,Compute Tool Confidence Level
Modified by feature:
• Tool Chain Analyzer,Cost Model
• Tool Chain Analyzer,Excel Interface
Is a: Evidence

Table 630 Artifact: Excel File

Artifact: Execution Graph
Description: -None-

Table 631 Artifact: Execution Graph


Artifact: Failure rate catalog
Description: Failure rate catalog
Hierarchy figure:
Hierarchy:
• Evidence [Parent]
Used by use case:
• GEMDE Certification,Technical view
Used by tool:
• Medini
• Tecnalia Assurance Case Editor
Is a: Evidence

Table 632 Artifact: Failure rate catalog

Artifact: FHA
Description: FHA
Hierarchy figure:
Hierarchy:
• Evidence [Parent]
Used by use case:
• GEMDE Certification,Technical view
Used by tool:
• GEMDE Certification
• Medini
• Tecnalia Assurance Case Editor
Created by use case:
• Medini,FHA Generation
Created by tool:
• Medini
Modified by use case:
• Medini,FHA Generation
Modified by tool:
• Medini
Is a: Evidence

Table 633 Artifact: FHA

Artifact: FMEA
Description: FMEA
Hierarchy figure:
Hierarchy:
• Evidence [Parent]
Used by use case:
• GEMDE Certification,Technical view
Used by tool:
• Tecnalia Assurance Case Editor
Created by tool:
• Medini
Is a: Evidence

Table 634 Artifact: FMEA

Artifact: FTA
Description: FTA
Hierarchy figure:
Hierarchy:
• Evidence [Parent]
Used by use case:
• GEMDE Certification,Technical view
Used by tool:
• Tecnalia Assurance Case Editor
Created by tool:
• Medini
Is a: Evidence

Table 635 Artifact: FTA

Artifact: Functionalities
Description: Functionalities
Hierarchy figure:
Hierarchy:
• Evidence [Parent]
Used by use case:
• GEMDE Certification,Technical view
Used by tool:
• Medini
• Tecnalia Assurance Case Editor
Is a: Evidence

Table 636 Artifact: Functionalities

Artifact: Malfunctions
Description: Malfunctions
Hierarchy figure:
Hierarchy:
• Evidence [Parent]
Used by use case:
• GEMDE Certification,Technical view
Used by tool:
• Medini
• Tecnalia Assurance Case Editor
Is a: Evidence

Table 637 Artifact: Malfunctions

Artifact: Mapping of tasks to processing elements
Description: The mapping of tasks to processing elements

Table 638 Artifact: Mapping of tasks to processing elements

Artifact: Metrics
Description: The metric information that describes how far a test covers its requirements.
Hierarchy figure:
Hierarchy:
• Evidence [Parent]
Used by use case:
• TBT,Validate Tests
Used by tool:
• Tecnalia Assurance Case Editor
Created by use case:
• TBT,Generate Test
Is a: Evidence

Table 639 Artifact: Metrics

Artifact: Model
Description: The tool chain model
Used by feature:
• Tool Chain Analyzer,Generate Word (docx)
• Tool Chain Analyzer,Model Validation
Modified by feature:
• Tool Chain Analyzer,Compute Tool Confidence Level
• Tool Chain Analyzer,Cost Model
• Tool Chain Analyzer,EMF
• Tool Chain Analyzer,Excel Interface
• Tool Chain Analyzer,Xml Interface

Table 640 Artifact: Model

Artifact: No-Conformity metrics
Description: List of all non-conformities of a project for a standard; specifies the number of steps to be conformant to the standard
Used by use case:
• GEMDE Certification,Technical view
Created by use case:
• GEMDE Certification,Assessment view

Table 641 Artifact: No-Conformity metrics

Artifact: Overall Project Plan
Description: see sections 2.6.5.2, 4.5.5.1
Hierarchy figure:
Hierarchy:
• Evidence [Parent]
Used by use case:
• Tool Chain Analyzer,Create Model
• Tool Chain Analyzer,Determinate Tool Confidence Level
• Tool Chain Analyzer,Generate Tool Classification Report
• Tool Chain Analyzer,Review Model
Used by tool:
• Tecnalia Assurance Case Editor
Modified by use case:
• Process Checker,Validate Process
Is a: Evidence

Table 642 Artifact: Overall Project Plan

Artifact: Partition Static Schedule
Description: The partitions' static schedule, for each processing element

Table 643 Artifact: Partition Static Schedule

Artifact: Per Core Request Estimator Function
Description: For any duration t, the function gives the maximum number of requests that can be issued from the given core in a time interval of length t. A function PCRE(t) which returns, for any duration t > 0, the maximum number of requests that can be issued from the given core within t time units.

Table 644 Artifact: Per Core Request Estimator Function

Artifact: Preliminary System Architecture
Description: Malfunctions
Hierarchy figure:
Hierarchy:
• AF3 System Model [Child]
• Evidence [Parent]
Used by use case:
• GEMDE Certification,Technical view
Used by tool:
• Medini
• Tecnalia Assurance Case Editor
Is a: Evidence
Occurrences:
• AF3 System Model

Table 645 Artifact: Preliminary System Architecture

Artifact: ProjectModel
Description: Certification objectives that apply to the project and evidences and justification that support it
Used by use case:
• GEMDE Certification,Assessment view
Used by tool:
• GEMDE Certification
Created by use case:
• GEMDE Certification,Technical view
Created by tool:
• GEMDE Certification
Modified by tool:
• GEMDE Certification

Table 646 Artifact: ProjectModel

Artifact: ReferenceModel
Description: Standards, normatives... model
Used by use case:
• GEMDE Certification,Assessment view
• GEMDE Certification,Technical view
Used by tool:
• GEMDE Certification
Created by use case:
• GEMDE Certification,Quality view
Created by tool:
• GEMDE Certification
Modified by use case:
• GEMDE Certification,Quality view
Modified by tool:
• GEMDE Certification

Table 647 Artifact: ReferenceModel

Artifact: Report on Maximum CRPDs
Description: Report on the maximum Cache-Related Preemption Delay (CRPD) that tasks can incur
Hierarchy:
• Evidence [Parent]
Used by tool:
• Tecnalia Assurance Case Editor
Is a: Evidence

Table 648 Artifact: Report on Maximum CRPDs

Artifact: Report on Schedulability (1 mode)
Description: Attests the schedulability of a single mode of the application system
Hierarchy:
• Evidence [Parent]
Used by tool:
• Tecnalia Assurance Case Editor
Is a: Evidence

Table 649 Artifact: Report on Schedulability (1 mode)

Artifact: Report on Schedulability (all)
Description: Attests the schedulability of the application system
Hierarchy:
• Evidence [Parent]
Used by tool:
• Tecnalia Assurance Case Editor
Is a: Evidence

Table 650 Artifact: Report on Schedulability (all)

Artifact: Requirement Specification
Description: -None-
Hierarchy:
• AF3 System Model [Child]
Used by feature:
• AF3, Specifying MSC Requirements
• AF3, Specifying Textual Requirements
Occurrences:
• AF3 System Model

Table 651 Artifact: Requirement Specification

Artifact: Review Protocol
Description: The protocol of the review
Hierarchy:
• Evidence [Parent]
Used by tool:
• Tecnalia Assurance Case Editor
Created by use case:
• Tool Chain Analyzer, Review Model
Is a: Evidence

Table 652 Artifact: Review Protocol

Artifact: Safety Case
Description: Graphical (GSN notation) safety case
Used by use case:
• GEMDE Certification, Technical view
• Tecnalia Assurance Case Editor, Assurance Case edition
Used by tool:
• GEMDE Certification
• Tecnalia Assurance Case Editor
Created by use case:
• Tecnalia Assurance Case Editor, Assurance Case edition
Created by tool:
• Tecnalia Assurance Case Editor
Modified by use case:
• Tecnalia Assurance Case Editor, Assurance Case edition

Table 653 Artifact: Safety Case

Artifact: Safety Goals List
Description: Safety Goals List
Hierarchy:
• Evidence [Parent]
Used by use case:
• GEMDE Certification, Technical view
Used by tool:
• Tecnalia Assurance Case Editor
Created by tool:
• Medini
Is a: Evidence

Table 654 Artifact: Safety Goals List


Artifact: Safety Manual
Description: The safety manual of the tool contains the relevant information to work safely with the tool
Hierarchy:
• Evidence [Parent]
Used by tool:
• Tecnalia Assurance Case Editor
Created by use case:
• Tool Chain Analyzer, Determinate Tool Confidence Level
Modified by use case:
• Tool Chain Analyzer, Generate Tool Classification Report
• Tool Chain Analyzer, Review Model
Is a: Evidence

Table 655 Artifact: Safety Manual

Artifact: Safety Plan
Description: see sections 2.6.5.1, 4.5.5.2, 6.5.5.1, 6.7.5.2
Hierarchy:
• Evidence [Parent]
Used by use case:
• Tool Chain Analyzer, Create Model
• Tool Chain Analyzer, Determinate Tool Confidence Level
• Tool Chain Analyzer, Review Model
Used by tool:
• Tecnalia Assurance Case Editor
Modified by use case:
• Process Checker, Validate Process
Is a: Evidence

Table 656 Artifact: Safety Plan

Artifact: Safety Requirements
Description: System Requirements Specification related to safety
Hierarchy:
• Evidence [Parent]
Used by feature:
• AF3, Specifying SIL Requirements
Used by use case:
• GEMDE Certification, Technical view
• ProB Model Checker, Check Model
• Rodin Editor, System Modelling
• Simulink, Modelling Requirements
• TBT, Generate Test
Used by tool:
• Tecnalia Assurance Case Editor
Created by tool:
• Medini
Is a: Evidence

Table 657 Artifact: Safety Requirements

Artifact: Schedule
Description: (Optimized Shared Memory Access)
Hierarchy:
• AF3 System Model [Child]
Occurrences:
• AF3 System Model

Table 658 Artifact: Schedule

Artifact: Simulink Model
Description: Simulink Model
Hierarchy:
• Software Unit Design Specification [Parent]
Used by use case:
• Simulink, Code generation
Used by tool:
• Simulink Design Verifier
• Tecnalia Assurance Case Editor
• VerSAA
Created by use case:
• Simulink, Modelling
• Simulink, Modelling Requirements
Created by tool:
• Simulink
Modified by use case:
• Simulink Design Verifier, Verify
• VerSAA, Verify
Is a: Software Unit Design Specification

Table 659 Artifact: Simulink Model

Artifact: Simulink model
Description: -None-
Used by use case:
• VerSAA, Verify
Used by tool:
• VerSAA
Created by use case:
• Simulink, Modelling
Created by tool:
• Simulink

Table 660 Artifact: Simulink model

Artifact: SLDV verification report
Description: -None-
Hierarchy:
• Evidence [Parent]
Used by tool:
• Tecnalia Assurance Case Editor
Created by use case:
• Simulink Design Verifier, Verify
Created by tool:
• Simulink Design Verifier
Is a: Evidence

Table 661 Artifact: SLDV verification report


Artifact: Software Unit Design Specification
Description: see section 6.8.5.1
Hierarchy:
• AF3 System Model [Child]
• Evidence [Parent]
• Simulink Model [Child]
Used by tool:
• Tecnalia Assurance Case Editor
Is a: Evidence
Occurrences:
• AF3 System Model
• Simulink Model

Table 662 Artifact: Software Unit Design Specification

Artifact: Source Code
Description: Different programming languages
Hierarchy:
• C/C++ Source Code [Child]
• Evidence [Parent]
• Timing Parameters [Child]
Used by tool:
• Tecnalia Assurance Case Editor
Created by feature:
• AF3, Synthesizing Deployment
Created by use case:
• Simulink, Code generation
Created by tool:
• Simulink
Is a: Evidence
Occurrences:
• C/C++ Source Code
• Timing Parameters

Table 663 Artifact: Source Code

Artifact: Spatial Constraints
Description: -None-
Hierarchy:
• AF3 System Model [Child]
Used by feature:
• AF3, Specifying Technical Architecture
Created by feature:
• AF3, Specifying Technical Architecture
Occurrences:
• AF3 System Model

Table 664 Artifact: Spatial Constraints

Artifact: StandardsRegulation
Description: Standards, normatives, ... documentation
Used by use case:
• GEMDE Certification, Quality view

Table 665 Artifact: StandardsRegulation

Artifact: System Models (Event-B)
Description: Models specifying / expressing (with events and invariants) the system requirements
Used by use case:
• ProB Model Checker, Check Model
• Rodin Prover, System Model Verification
Created by use case:
• Rodin Editor, System Modelling

Table 666 Artifact: System Models (Event-B)

Artifact: TBT Data Model
Description: The model describing the data elements in the model and the system
Hierarchy:
• Evidence [Parent]
Used by use case:
• TBT, Generate Test
Used by tool:
• Tecnalia Assurance Case Editor
Is a: Evidence

Table 667 Artifact: TBT Data Model

Artifact: TBT Oracle Model
Description: The model describing the behaviour of the system
Used by use case:
• TBT, Generate Test

Table 668 Artifact: TBT Oracle Model

Artifact: TBT Tactic
Description: A formalized strategy describing the search in the model to derive test cases
Used by use case:
• TBT, Generate Test

Table 669 Artifact: TBT Tactic

Artifact: TCA-Model
Description: The tool chain model
Hierarchy:
• Evidence [Parent]
Used by tool:
• Tecnalia Assurance Case Editor
Is a: Evidence

Table 670 Artifact: TCA-Model

Artifact: Test Cases
Description: The executable test cases implementing the test specification
Hierarchy:
• AF3 System Model [Child]
• Evidence [Parent]
Used by use case:
• TBT, Validate Tests
• Test Environment, Unit Test
Used by tool:
• Tecnalia Assurance Case Editor
Created by feature:
• AF3, Synthesizing Test Cases
Created by use case:
• TBT, Generate Test
Modified by use case:
• Test Environment, Validate Tests
Is a: Evidence
Occurrences:
• AF3 System Model

Table 671 Artifact: Test Cases

Artifact: Test Specification
Description: The textual specification of the tests
Hierarchy:
• AF3 System Model [Child]
• Evidence [Parent]
Used by feature:
• AF3, Specifying Test Suite
Used by use case:
• TBT, Generate Test
Used by tool:
• Tecnalia Assurance Case Editor
Is a: Evidence
Occurrences:
• AF3 System Model

Table 672 Artifact: Test Specification

Artifact: Timing Parameters
Description: Contains all the parameters concerning the application
Hierarchy:
• AF3 System Model [Child]
• Source Code [Parent]
Used by tool:
• Tecnalia Assurance Case Editor
Created by feature:
• AF3, Specifying Technical Architecture
Is a: Source Code
Occurrences:
• AF3 System Model

Table 673 Artifact: Timing Parameters

Artifact: Tool Evaluation Report
Description: Contains the evaluation/classification of the tools
Hierarchy:
• Evidence [Parent]
Used by tool:
• Tecnalia Assurance Case Editor
Created by use case:
• Tool Chain Analyzer, Determinate Tool Confidence Level
• Tool Chain Analyzer, Generate Tool Classification Report
Is a: Evidence

Table 674 Artifact: Tool Evaluation Report

Artifact: User Input
Description: The user writes input to the tool
Used by feature:
• Tool Chain Analyzer, Compute Tool Confidence Level
• Tool Chain Analyzer, Cost Model
• Tool Chain Analyzer, EMF
• Tool Chain Analyzer, Excel Interface
• Tool Chain Analyzer, Generate Word (docx)
• Tool Chain Analyzer, Model Validation
• Tool Chain Analyzer, Xml Interface
Used by tool:
• Tecnalia Assurance Case Editor


Table 675 Artifact: User Input

Artifact: Verification Verdict
Description: The verdict of a verification step (valid/invalid) and a counterexample
Created by feature:
• AF3, Verifying Contracts of a Logical Architecture
• AF3, Verifying MSC Conformance
• AF3, Verifying Soundness of a Logical Architecture

Table 676 Artifact: Verification Verdict

Artifact: Verified System Models (Event-B)
Description: Specified and verified system models at different levels of abstraction
Used by use case:
• ProB Model Checker, Check Model
• Rodin Prover, System Model Verification
Created by use case:
• ProB Model Checker, Check Model
• Rodin Prover, System Model Verification

Table 677 Artifact: Verified System Models (Event-B)

Artifact: VerSAA verification report
Description: -None-
Created by use case:
• VerSAA, Verify
Created by tool:
• VerSAA

Table 678 Artifact: VerSAA verification report

Artifact: WCET
Description: Worst-case execution time estimation for each task
Hierarchy:
• Evidence [Parent]
Used by feature:
• AF3, Synthesizing Real-Time Schedule
Used by tool:
• Tecnalia Assurance Case Editor
Is a: Evidence


Table 679 Artifact: WCET

Artifact: WCRT
Description: Worst-case response time for a task
Hierarchy:
• Evidence [Parent]
Used by tool:
• Tecnalia Assurance Case Editor
Is a: Evidence

Table 680 Artifact: WCRT

Artifact: Word Document
Description: The files that can be read/written from Word
Hierarchy:
• Evidence [Parent]
Used by tool:
• Tecnalia Assurance Case Editor
Created by feature:
• Tool Chain Analyzer, Compute Tool Confidence Level
• Tool Chain Analyzer, Generate Word (docx)
Is a: Evidence

Table 681 Artifact: Word Document

1.19.2 ERROR MODEL FOR THE RECOMP TOOL CHAIN TOOL CHAIN

The error model consists of general attributes that are mapped to the used tools or use cases. Each of these mapped elements receives a copy of the listed errors. In the following sections all used attributes, errors, checks and restrictions are described.

1.19.2.1 TOOL ATTRIBUTE DESCRIPTIONS

The following 10 general tool attributes have been used in the analysis of the "RECOMP Tool Chain".

Tool Attribute: Fcn_Algorithm
Description: The function is implemented by an algorithm
Assigned to the following features:
• Tool Chain Analyzer, Compute Tool Confidence Level
• Tool Chain Analyzer, EMF
• Tool Chain Analyzer, Model Validation
Contains the following potential errors:
• Algorithm Error
• Wrong Algorithm

Table 682 Tool Attribute: Fcn_Algorithm

Tool Attribute: Fcn_Algorithm_DeEncode
Description: Encoding and decoding algorithms are used
Assigned to the following features:
• Tool Chain Analyzer, Excel Interface
Contains the following potential errors:
• Decoded Wrongly
• Encoded Wrongly

Table 683 Tool Attribute: Fcn_Algorithm_DeEncode

Tool Attribute: Fcn_Behaviour
Description: The behaviour of the function
Assigned to the following features:
• Tool Chain Analyzer, EMF
• Tool Chain Analyzer, Excel Interface
• Tool Chain Analyzer, Model Validation
Contains the following potential errors:
• Wrong Behaviour

Table 684 Tool Attribute: Fcn_Behaviour

Tool Attribute: Fcn_Behaviour_Calculator
Description: The tool does an Excel-like computation with simple arithmetic, e.g. computing the sum of the numbers in a row
Assigned to the following features:
• Tool Chain Analyzer, Compute Tool Confidence Level
Contains the following potential errors:
• Wrong Result

Table 685 Tool Attribute: Fcn_Behaviour_Calculator

Tool Attribute: Fcn_Behaviour_Transformation
Description: The tool transforms information into other representations, e.g. a compiler
Assigned to the following features:
• Tool Chain Analyzer, EMF
• Tool Chain Analyzer, Excel Interface
• Tool Chain Analyzer, Generate Word (docx)
Contains the following potential errors:
• Transformation Not Supported
• Wrong Transformation

Table 686 Tool Attribute: Fcn_Behaviour_Transformation

Tool Attribute: Fcn_Resource_CPU
Description: The function requires CPU resources like RAM, ROM or CPU time, which might not be available
Assigned to the following features:
• Tool Chain Analyzer, Generate Word (docx)
Contains the following potential errors:
• Missing CPU

Table 687 Tool Attribute: Fcn_Resource_CPU

Tool Attribute: Fcn_Specification
Description: The specification/documentation of the function
Assigned to the following features:
• Tool Chain Analyzer, Compute Tool Confidence Level
• Tool Chain Analyzer, Generate Word (docx)
• Tool Chain Analyzer, Model Validation
Contains the following potential errors:
• Wrong Specification

Table 688 Tool Attribute: Fcn_Specification

Tool Attribute: Fcn_Variants
Description: The function can be computed with different variants
Assigned to the following features:
• Tool Chain Analyzer, Compute Tool Confidence Level
• Tool Chain Analyzer, EMF
• Tool Chain Analyzer, Generate Word (docx)
Contains the following potential errors:
• Wrong Variant

Table 689 Tool Attribute: Fcn_Variants

Tool Attribute: Fcn_Variants_Options
Description: The tool supports options. These can be command line arguments, settings or configuration files
Assigned to the following features:
• Tool Chain Analyzer, Excel Interface
Contains the following potential errors:
• Option Defect
• Option Ignored

Table 690 Tool Attribute: Fcn_Variants_Options

Tool Attribute: Option Supporting
Description: The tool can support different options, e.g. with a command line or configuration file.
Assigned to the following use cases:
• Rodin Prover, System Model Verification
Contains the following potential errors:
• Option Defect
• Option Ignored

Table 691 Tool Attribute: Option Supporting

1.19.2.2 ERROR DESCRIPTIONS

The following 15 errors have been identified and used in the analysis of the "RECOMP Tool Chain".

Error: Algorithm Error
Description: The algorithm has an error, for example a wrong condition, type, loop, ...
From tool attribute: Fcn_Algorithm

Table 692 Error: Algorithm Error

Error: Decoded Wrongly
Description: A correctly encoded object is decoded wrongly
From tool attribute: Fcn_Algorithm_DeEncode

Table 693 Error: Decoded Wrongly

Error: Encoded Wrongly
Description: The data is encoded such that it cannot be decoded any more
From tool attribute: Fcn_Algorithm_DeEncode

Table 694 Error: Encoded Wrongly

Error: Missing CPU
Description: Not enough CPU available for computing the correct result.
Comment: Note: in this error we consider only the undetected case, where the tool terminates without a warning and with a wrong result; this may be due to some internal checks that cause the tool to terminate if no CPU is available, e.g. after a given time using the default value
From tool attribute: Fcn_Resource_CPU

Table 695 Error: Missing CPU

Error: Option Defect
Description: The option or combination of options is defective, i.e. computes wrong values
From tool attribute: Fcn_Variants_Options

Table 696 Error: Option Defect

Error: Option Defect
Description: The selected option might not function correctly, e.g. an optimization.
From tool attribute: Option Supporting

Table 697 Error: Option Defect

Error: Option Ignored
Description: The entered option is ignored without a warning and the wrong result is computed
From tool attribute: Fcn_Variants_Options

Table 698 Error: Option Ignored

Error: Option Ignored
Description: The option has been ignored by the tool, for example due to a misspelling.
From tool attribute: Option Supporting

Table 699 Error: Option Ignored

Error: Transformation Not Supported
Description: The transformation might not support all elements and ignore them, e.g. some settings in a model or some pragmas in the code
From tool attribute: Fcn_Behaviour_Transformation

Table 700 Error: Transformation Not Supported

Error: Wrong Algorithm
Description: The chosen algorithm does not solve the problem correctly
From tool attribute: Fcn_Algorithm

Table 701 Error: Wrong Algorithm

Error: Wrong Behaviour
Description: The function can have a wrong behaviour
From tool attribute: Fcn_Behaviour

Table 702 Error: Wrong Behaviour

Error: Wrong Result
Description: The calculated result differs from the real result, e.g. 1+1=0 or 1/1=0.99
From tool attribute: Fcn_Behaviour_Calculator

Table 703 Error: Wrong Result

Error: Wrong Specification
Description: The function can deviate from the specification
From tool attribute: Fcn_Specification

Table 704 Error: Wrong Specification

Error: Wrong Transformation
Description: The result of the transformation is not correct
From tool attribute: Fcn_Behaviour_Transformation

Table 705 Error: Wrong Transformation

Error: Wrong Variant
Description: The wrong variant has been used, e.g. by ignoring an option/configuration
From tool attribute: Fcn_Variants

Table 706 Error: Wrong Variant

1.19.3 ASSUMPTIONS

This section lists all assumptions on tool chain level used in the evaluation of this tool chain. If the assumptions are violated, the calculated TCL is not valid. Assumptions that are enforced by the development process are marked in the analysis model and listed here.

Check: Assertion Check
Description: This check detects if an assertion in the code is violated. If a test case claims to violate an assertion but does not, this will also be noted with a high probability.
Comment: Since this is an automatic check, the detection probability is high.
From use case: Test Environment, Unit Test
Error detection probability: TD 1 (HIGH)
Is assumption: True

Table 707 Check: Assertion Check

Check: Detect Wrong TCL
Description: An error in the TCL computation is detected. Since the review is performed on the basis of the generated report, it will also detect errors in the report generation and in the image generation and all other modeling errors with a high probability.
Comment: TCL computation is an easy task and review is an effective verification method for that purpose.
From use case: ISO 26262 Reviews, SG_Confirmation Review Of TCLs
Error detection probability: TD 1 (HIGH)
Detected errors from other tools:
• SG_Confirmation Review Of TCLs, Tool Chain Analyzer, Compute Tool Confidence Level, Wrong TCL Computed
• SG_Confirmation Review Of TCLs, Tool Chain Analyzer, Determinate Tool Confidence Level, TCL Wrongly Shown
• SG_Confirmation Review Of TCLs, Tool Chain Analyzer, Determinate Tool Confidence Level, TCL Wrongly Written
• SG_Confirmation Review Of TCLs, Tool Chain Analyzer, Excel Interface, Wrong Export
• SG_Confirmation Review Of TCLs, Tool Chain Analyzer, Excel Interface, Wrong Import
• SG_Confirmation Review Of TCLs, Tool Chain Analyzer, Generate Word (docx), Document Generated Wrongly
• SG_Confirmation Review Of TCLs, Tool Chain Analyzer, Xml Interface, Wrong XML Export
• SG_Confirmation Review Of TCLs, Tool Chain Analyzer, Xml Interface, Wrong XML Import
Is assumption: True

Table 708 Check: Detect Wrong TCL

Check: Executability Check
Description: The generated test is compiled and executed
Comment: There is a high probability of detecting that the test is not executable, e.g. not compiling correctly, since this is an automatic check
From use case: TBT, Validate Tests
Error detection probability: TD 1 (HIGH)
Detected errors:
• Validate Tests, Generate Test, Non-Executable Test
Is assumption: True

Table 709 Check: Executability Check

Check: Model Check
Description: Check the validity of the model
Comment: This can be done using a model checker tool for some consistency rules
From use case: ProB Model Checker, Check Model
Error detection probability: TD 1 (HIGH)
Detected errors from other tools:
• Check Model, Rodin Prover, System Model Verification, Theorem Provers
• Check Model, Rodin Prover, System Model Verification, Verification condition generation
Is assumption: True

Table 710 Check: Model Check

Check: Proof Tree - Syntax Check
Description: The syntax check is usually done when this file is used
From use case: Rodin Prover, System Model Verification
Error detection probability: TD 1 (HIGH)
Detected errors from other tools:
• System Model Verification, Rodin Editor, System Modelling, Model corruption 1
• System Model Verification, Rodin Editor, System Modelling, Syntax error
Is assumption: True

Table 711 Check: Proof Tree - Syntax Check

Check: Review Test against Specification
Description: Review of the generated test cases for correctness with respect to the specification
Comment: Since it is easy to see that a test case covers a specified feature, the review has a high probability of detecting non-conformance errors between the tests and the spec.
From use case: TBT, Validate Tests
Error detection probability: TD 1 (HIGH)
Detected errors:
• Validate Tests, Generate Test, Wrong Metrics
• Validate Tests, Generate Test, Wrong Test Generated
Is assumption: True

Table 712 Check: Review Test against Specification

Error: Incorrect translation
Description: The translation of contracts to assertions/assumptions might be incorrect. It is not obvious how to check that this does not happen in a tool. Manual inspection might be needed.
From use case: Contracts to assertions
Is assumption: True

Table 713 Error: Incorrect translation

Feature: SG_Avoid Feature
Description: Avoid this feature, since it is redundant.
From: Tool Chain Analyzer
Parts:
• SG_Avoid Feature
Is assumption: True

Table 714 Feature: SG_Avoid Feature

Restriction: Avoid Features
Description: Avoid the risky features of the model since they might be buggy.
From feature: Tool Chain Analyzer, Safety Guidelines, SG_Avoid Feature
Error avoidance probability: TD 1 (HIGH)
Avoided errors:
• Cost Model, Wrong Cost Computed
• Excel Interface, Wrong Export
• Excel Interface, Wrong Import
• Model Validation, Wrong Error Reported
• Xml Interface, Wrong XML Export
• Xml Interface, Wrong XML Import
Is assumption: True

Table 715 Restriction: Avoid Features

Tool: Test Environment
Description: This is a virtual test environment that is used to formulate assumptions from the test generator to test tools and processes in which the generated tests can be executed.
Impact: TI 2 (Impact)
Tool Confidence Level: TCL 1
Is assumption: True

Table 716 Tool: Test Environment


APPENDIX D – TCA RESULT FOR THE AUTOMOTIVE DOMAIN

1 TCL DETAILS OF RECOMP TOOL CHAIN

This chapter has been generated from the formal tool chain model and contains all relevant information to determine the TCLs of the used tools. Table 1 shows the settings and Table 2 shows the active variants with which this document was generated. For further details of the report creation see section "Report Generation" of the User Manual.

Setting             Value
Compact Report      false
With Assumptions    true
Include Subsumes    true
Include Images      true

Table 717 Settings for this documentation

Variant Settings
Active Variants: 1 Automotive

Table 718 Variant Settings

The report starts with an overview of the analysis results, then describes each tool in detail, including TCL determination, and concludes with an appendix for further information.

ToolChain: RECOMP Tool Chain
Description: All models are integrated here
TCL Determination: TCL 3

Table 719 ToolChain: RECOMP Tool Chain

1.1 TCL RESULT OVERVIEW

Table 4 shows the result of the tool evaluation, particularly the tool confidence levels.

Name                        Tool Impact (TI)  Tool Detection (TD)  Tool Confidence Level (TCL)  Assumptions
AF3                         TI 2 (Impact)     TD 1 (HIGH)          TCL 1                        -
Development                 TI 2 (Impact)     TD 2 (MEDIUM)        TCL 2                        -
ISO 26262 Reviews           TI 2 (Impact)     TD 1 (HIGH)          TCL 1                        1
nuSMV Model Checker         TI 2 (Impact)     TD 1 (HIGH)          TCL 1                        -
PharOS micro kernel         TI 2 (Impact)     TD 1 (HIGH)          TCL 1                        -
PharOS offline computation  TI 2 (Impact)     TD 1 (HIGH)          TCL 1                        -
PharOS runtime generation   TI 2 (Impact)     TD 3 (LOW)           TCL 3                        -
Process Checker             TI 2 (Impact)     TD 1 (HIGH)          TCL 1                        -
Simulink Design Verifier    TI 2 (Impact)     TD 1 (HIGH)          TCL 1                        -
Tool Chain Analyzer         TI 2 (Impact)     TD 3 (LOW)           TCL 3                        1
YICES SMT Solver            TI 2 (Impact)     TD 1 (HIGH)          TCL 1                        -

Table 720 Evaluation Results of RECOMP Tool Chain

Fig 1 shows the error flow in the RECOMP Tool Chain. The number on an edge denotes the number of error flows between the tools. An error flow is a detection possibility or an avoidance possibility of an error. Note that for one error there might be several flows, hence the number of flows can be larger than the number of errors in the model. For example, the tool Tool Chain Analyzer contains 11 different errors in 19 occurrences. There are 7 error flows (detection or avoidance possibilities for error occurrences) into Tool Chain Analyzer: these 7 error flows go into the Tool Chain Analyzer itself, i.e. they are avoided / detected by carefully using the tool. There are 11 error flows from the Tool Chain Analyzer into the ISO 26262 Reviews, i.e. they are detected by the ISO 26262 Reviews.


Fig 115 Error Flow in RECOMP Tool Chain

1.2 AF3

This section explains the determination of the Tool Confidence Level (TCL) for the tool AF3.

Tool: AF3
Description: The AutoFOCUS3 tool as distributed by fortiss GmbH. AF3 is a tool for the model-based development of embedded systems, covering the phases from requirements capture to deployment on the hardware platform.
Impact: TI 2 (Impact)
Tool Confidence Level: TCL 1

Table 721 Tool: AF3

The tool AF3 is modeled with 6 elements which have impact, none of them are assumptions. In addition, 17 features have been modeled, none of them are assumptions.

Elements            Amount (Assumptions)
Use Cases           6 (0)
Checks              0 (0)
Restrictions        0 (0)
Potential Errors    0 (0)

Table 722 Amount of Elements in Tool: AF3

1.2.1 USE CASES OF AF3

This section describes all analyzed use cases of AF3 in separate subsections. The following use cases of the tool AF3 are considered:

1. Deploying a Logical Architecture to Technical Architecture, see Section 1.2.1.1
2. Requirements Elicitation and Specification, see Section 1.2.7.1
3. Specification of a Logical Architecture, see Section 0
4. Unit Testing, see Section 0
5. Validation of a Logical Architecture, see Section 0
6. Verification of a Logical Architecture, see Section 0

1.2.1.1 USE CASE DEPLOYING A LOGICAL ARCHITECTURE TO TECHNICAL ARCHITECTURE

This section describes the use case "Deploying a Logical Architecture to Technical Architecture".

UseCase: Deploying a Logical Architecture to Technical Architecture
Description: The deployment of a logical architecture to the technical platform is defined and the corresponding parts are synthesized.


Table 723 UseCase: Deploying a Logical Architecture to Technical Architecture

The use case requires 4 features and calls no other use cases. Fig 2 shows the dependencies between the use cases and features.

Fig 116 Dependency View of Use Case: Deploying a Logical Architecture to Technical Architecture

"Deploying a Logical Architecture to Technical Architecture" uses the following features:
• Specifying Technical Architecture
• Synthesizing Deployment
• Synthesizing Real-Time Schedule
• Synthesizing SIL-Conformant Mapping

In order to fulfill the requirements of the use case, usually a number of artifacts will be read and/or written. But in "Deploying a Logical Architecture to Technical Architecture" the tool AF3 uses no artifacts.

1.2.1.2 USE CASE REQUIREMENTS ELICITATION AND SPECIFICATION

This section describes the use case "Requirements Elicitation and Specification".

UseCase: Requirements Elicitation and Specification
Description: The requirements of a system are identified, specified, and structured.

Table 724 UseCase: Requirements Elicitation and Specification

The use case requires 2 features and calls no other use cases. Table 10 shows the dependencies between the use cases and features.

Fig 117 Dependency View of Use Case: Requirements Elicitation and Specification

"Requirements Elicitation and Specification" uses the following features:
• Specifying MSC Requirements
• Specifying Textual Requirements

In order to fulfill the requirements of the use case, usually a number of artifacts will be read and/or written. But in "Requirements Elicitation and Specification" the tool AF3 uses no artifacts.


1.2.1.3 USE CASE SPECIFICATION OF A LOGICAL ARCHITECTURE

This section describes the use case "Specification of a Logical Architecture".

UseCase: Specification of a Logical Architecture
Description: -None-

Table 725 UseCase: Specification of a Logical Architecture

The use case requires 3 features and calls no other use cases. Table 12 shows the dependencies between the use cases and features.

Fig 118 Dependency View of Use Case: Specification of a Logical Architecture

"Specification of a Logical Architecture" uses the following features:
• Specifying Code-Based Behavior of a Logical Architecture
• Specifying State-Based Behavior of a Logical Architecture
• Specifying Structure of a Logical Architecture

In order to fulfill the requirements of the use case, usually a number of artifacts will be read and/or written. But in "Specification of a Logical Architecture" the tool AF3 uses no artifacts.

1.2.1.4 USE CASE UNIT TESTING

This section describes the use case "Unit Testing".

UseCase: Unit Testing
Description: -None-

Table 726 UseCase: Unit Testing

The use case requires 2 features and calls no other use cases. Use Case Assessment view shows the dependencies between the use cases and features.

Fig 119 Dependency View of Use Case: Unit Testing

"Unit Testing" uses the following features:
• Specifying Test Suite
• Synthesizing Test Cases


In order to fulfill the requirements of the use case, usually a number of artifacts will be read and/or written. But in "Unit Testing" the tool AF3 uses no artifacts.

1.2.1.5 USE CASE VALIDATION OF A LOGICAL ARCHITECTURE

This section describes the use case "Validation of a Logical Architecture".

UseCase: Validation of a Logical Architecture
Description: A logical architecture is validated w.r.t. its intended behavior.

Table 727 UseCase: Validation of a Logical Architecture

The use case requires one feature and calls no other use cases. Use Case Quality view shows the dependencies between the use cases and features.

Fig 120 Dependency View of Use Case: Validation of a Logical Architecture

"Validation of a Logical Architecture" uses the following feature:
• Simulating a Logical Architecture

In order to fulfill the requirements of the use case, usually a number of artifacts will be read and/or written. But in "Validation of a Logical Architecture" the tool AF3 uses no artifacts.

1.2.1.6 USE CASE VERIFICATION OF A LOGICAL ARCHITECTURE

This section describes the use case "Verification of a Logical Architecture".

UseCase: Verification of a Logical Architecture
Description: The properties of a logical architecture are specified and verified.

Table 728 UseCase: Verification of a Logical Architecture

The use case requires 3 features and calls no other use cases. Use Case Technical view shows the dependencies between the use cases and features.

Fig 121 Dependency View of Use Case: Verification of a Logical Architecture

"Verification of a Logical Architecture" uses the following features:
• Specifying Contracts on Logical Components
• Verifying Contracts of a Logical Architecture
• Verifying Soundness of a Logical Architecture

In order to fulfill the requirements of the use case, usually a number of artifacts will be read and/or written. But in "Verification of a Logical Architecture" the tool AF3 uses no artifacts.

1.2.2 FEATURES OF AF3

This section describes all analyzed features of AF3 in separate subsections. The following features of the tool AF3 are considered:

1. Simulating a Logical Architecture, see Section 0
2. Specifying Test Suite, see Section 0
3. Specifying Code-Based Behavior of a Logical Architecture, see Section 0
4. Specifying Contracts on Logical Components, see Section 0
5. Specifying MSC Requirements, see Section 0
6. Specifying SIL Requirements, see Section 0
7. Specifying State-Based Behavior of a Logical Architecture, see Section 0
8. Specifying Structure of a Logical Architecture, see Section 1.4.1.4
9. Specifying Technical Architecture, see Section 1.4.1.6
10. Specifying Textual Requirements, see Section 1.4.1.8
11. Synthesizing Deployment, see Section 1.4.1.10
12. Synthesizing Real-Time Schedule, see Section 0
13. Synthesizing SIL-Conformant Mapping, see Section 0
14. Synthesizing Test Cases, see Section 0
15. Verifying Contracts of a Logical Architecture, see Section 1.4.7.2
16. Verifying MSC Conformance, see Section 0
17. Verifying Soundness of a Logical Architecture, see Section 0

1.2.2.1 FEATURE SIMULATING A LOGICAL ARCHITECTURE

This section describes the feature "Simulating a Logical Architecture".

Feature: Simulating a Logical Architecture
Description: A logical architecture is executed using a controlled simulation.

Table 729 Feature: Simulating a Logical Architecture

The feature "Simulating a Logical Architecture" reads and/or writes the following artifacts. The used artifacts are shown in Fig 6 and are summarized in the subsequent table.


Fig 122 Artifacts of Feature: Simulating a Logical Architecture

Artifacts of Feature: Simulating a Logical Architecture
Inputs:
• AF3 System Model
Outputs:
• Display Output

Table 730 Artifacts of Feature: Simulating a Logical Architecture

1.2.2.2 FEATURE SPECIFYING TEST SUITE

This section describes the feature "Specifying Test Suite".

Feature: Specifying Test Suite
Description: A test suite is specified by the coverage criteria of the suite.

A test suite is specified by the coverage criteria of the suite. Possible coverage criteria are random testing, state coverage, or transition coverage.

Table 731 Feature: Specifying Test Suite

The feature "Specifying Test Suite" reads and/or writes the following artifacts. The used artifacts are shown in TCL Determination for Use Case: Assessment view and are summarized in the subsequent table.


Fig 123 Artifacts of Feature: Specifying Test Suite

Artifacts of Feature: Specifying Test Suite
Inputs:
• Test Specification
Outputs:
• AF3 System Model

Table 732 Artifacts of Feature: Specifying Test Suite


1.2.2.3 FEATURE SPECIFYING CODE-BASED BEHAVIOR OF A LOGICAL ARCHITECTURE

This section describes the feature "Specifying Code-Based Behavior of a Logical Architecture".

Feature: Specifying Code-Based Behavior of a Logical Architecture
Description: The behavior of the components of a logical architecture is defined using a code-based textual approach.

Table 733 Feature: Specifying Code-Based Behavior of a Logical Architecture

The feature "Specifying Code-Based Behavior of a Logical Architecture" reads and/or writes the following artifacts. The used artifacts are shown in TCL Determination for Use Case: Quality view and are summarized in the subsequent table.

Fig 124 Artifacts of Feature: Specifying Code-Based Behavior of a Logical Architecture

Artifacts of Feature: Specifying Code-Based Behavior of a Logical Architecture
Inputs:
• AF3 System Model
Outputs:
• AF3 System Model

Table 734 Artifacts of Feature: Specifying Code-Based Behavior of a Logical Architecture

1.2.2.4 FEATURE SPECIFYING CONTRACTS ON LOGICAL COMPONENTS

This section describes the feature "Specifying Contracts on Logical Components".

Feature: Specifying Contracts on Logical Components
Description: Formal properties of components of the logical architecture are specified.

Formal properties of components of the logical architecture are specified. These properties can be defined via assume-guarantee contracts or patterns.

Table 735 Feature: Specifying Contracts on Logical Components

The feature "Specifying Contracts on Logical Components" reads and/or writes the following artifacts. The used artifacts are shown in TCL Determination for Use Case: Technical view and are summarized in the subsequent table.

Fig 125 Artifacts of Feature: Specifying Contracts on Logical Components

Artifacts of Feature: Specifying Contracts on Logical Components
Inputs:
• AF3 System Model
Outputs:
• AF3 System Model

Table 736 Artifacts of Feature: Specifying Contracts on Logical Components

1.2.2.5 FEATURE SPECIFYING MSC REQUIREMENTS

This section describes the feature "Specifying MSC Requirements".

Feature: Specifying MSC Requirements
Description: The requirements of a system are specified using MSCs to define scenarios.

The textual requirements of a system are specified in a structured way. This includes the specification of general requirements as well as use cases including their scenarios, and their hierarchical structure.

Table 737 Feature: Specifying MSC Requirements


The feature "Specifying MSC Requirements" reads and/or writes the following artifacts. The used artifacts are shown in Use Case Detailed architecture definition and are summarized in the subsequent table.

Fig 126 Artifacts of Feature: Specifying MSC Requirements

Artifacts of Feature: Specifying MSC Requirements
Inputs:
• AF3 System Model
• Requirement Specification
Outputs:
• AF3 System Model

Table 738 Artifacts of Feature: Specifying MSC Requirements

1.2.2.6 FEATURE SPECIFYING SIL REQUIREMENTS

This section describes the feature "Specifying SIL Requirements".

Feature: Specifying SIL Requirements
Description: The SIL levels of components of a logical architecture are defined.

Table 739 Feature: Specifying SIL Requirements

The feature "Specifying SIL Requirements" reads and/or writes the following artifacts. The used artifacts are shown in Use Case FHA Generation and are summarized in the subsequent table.


Fig 127 Artifacts of Feature: Specifying SIL Requirements

Artifacts of Feature: Specifying SIL Requirements
Inputs:
• AF3 System Model
• Safety Requirements
Outputs:
• AF3 System Model

Table 740 Artifacts of Feature: Specifying SIL Requirements

1.2.2.7 FEATURE SPECIFYING STATE-BASED BEHAVIOR OF A LOGICAL ARCHITECTURE

This section describes the feature "Specifying State-Based Behavior of a Logical Architecture".

Feature: Specifying State-Based Behavior of a Logical Architecture
Description: The behavior of the components of a logical architecture is defined using a state-machine approach.

Table 741 Feature: Specifying State-Based Behavior of a Logical Architecture

The feature "Specifying State-Based Behavior of a Logical Architecture" reads and/or writes the following artifacts. The used artifacts are shown in Use Case FMEA Generation and are summarized in the subsequent table.


Fig 128 Artifacts of Feature: Specifying State-Based Behavior of a Logical Architecture

Artifacts of Feature: Specifying State-Based Behavior of a Logical Architecture
Inputs:
• AF3 System Model
Outputs:
• AF3 System Model

Table 742 Artifacts of Feature: Specifying State-Based Behavior of a Logical Architecture

1.2.2.8 FEATURE SPECIFYING STRUCTURE OF A LOGICAL ARCHITECTURE

This section describes the feature "Specifying Structure of a Logical Architecture".

Feature: Specifying Structure of a Logical Architecture
Description: The structure of a logical architecture in terms of components and their subcomponents is defined.

Table 743 Feature: Specifying Structure of a Logical Architecture

The feature "Specifying Structure of a Logical Architecture" reads and/or writes the following artifacts. The used artifacts are shown in Use Case Function allocation and are summarized in the subsequent table.


Fig 129 Artifacts of Feature: Specifying Structure of a Logical Architecture

Artifacts of Feature: Specifying Structure of a Logical Architecture
Outputs:
• AF3 System Model

Table 744 Artifacts of Feature: Specifying Structure of a Logical Architecture

1.2.2.9 FEATURE SPECIFYING TECHNICAL ARCHITECTURE

This section describes the feature "Specifying Technical Architecture".

Feature: Specifying Technical Architecture
Description: -None-

Table 745 Feature: Specifying Technical Architecture


The feature "Specifying Technical Architecture" reads and/or writes the following artifacts. The used artifacts are shown in Use Case HW/SW allocation and are summarized in the subsequent table.

Fig 130 Artifacts of Feature: Specifying Technical Architecture

Artifacts of Feature: Specifying Technical Architecture
Inputs:
• AF3 System Model
• Spatial Constraints
Outputs:
• AF3 System Model
• Detailed System Architecture
• Spatial Constraints
• Timing Parameters

Table 746 Artifacts of Feature: Specifying Technical Architecture

1.2.2.10 FEATURE SPECIFYING TEXTUAL REQUIREMENTS

This section describes the feature "Specifying Textual Requirements".

Feature: Specifying Textual Requirements
Description: The textual requirements of a system are specified in a structured way.

The textual requirements of a system are specified in a structured way. This includes the specification of general requirements as well as use cases including their scenarios, and their hierarchical structure.

Table 747 Feature: Specifying Textual Requirements


The feature "Specifying Textual Requirements" reads and/or writes the following artifacts. The used artifacts are shown in Use Case Safety goals definition and are summarized in the subsequent table.

Fig 131 Artifacts of Feature: Specifying Textual Requirements

Artifacts of Feature: Specifying Textual Requirements
Inputs:
• Requirement Specification
Outputs:
• AF3 System Model

Table 748 Artifacts of Feature: Specifying Textual Requirements


1.2.2.11 FEATURE SYNTHESIZING DEPLOYMENT

This section describes the feature "Synthesizing Deployment".

Feature: Synthesizing Deployment
Description: For logical and technical architectures and a mapping between them, a set of deployable packages is generated.

For logical and technical architectures and a mapping between them, a set of deployable packages is generated. These packages include the generated code for each component, build files and glue code for each ECU.

Table 749 Feature: Synthesizing Deployment

The feature "Synthesizing Deployment" reads and/or writes the following artifacts. The used artifacts are shown in Fig 10 and are summarized in the subsequent table.

Fig 132 Artifacts of Feature: Synthesizing Deployment

Artifacts of Feature: Synthesizing Deployment
Inputs:
• AF3 System Model
Outputs:
• Deployment
• Source Code

Table 750 Artifacts of Feature: Synthesizing Deployment


1.2.2.12 FEATURE SYNTHESIZING REAL-TIME SCHEDULE

This section describes the feature "Synthesizing Real-Time Schedule".

Feature: Synthesizing Real-Time Schedule
Description: -None-

Table 751 Feature: Synthesizing Real-Time Schedule

The feature "Synthesizing Real-Time Schedule" reads and/or writes the following artifacts. The used artifacts are shown in TCL Determination for Use Case: Detailed architecture definition and are summarized in the subsequent table.

Fig 133 Artifacts of Feature: Synthesizing Real-Time Schedule

Artifacts of Feature: Synthesizing Real-Time Schedule
Inputs:
• AF3 System Model
• WCET
Outputs:
• AF3 System Model

Table 752 Artifacts of Feature: Synthesizing Real-Time Schedule

1.2.2.13 FEATURE SYNTHESIZING SIL-CONFORMANT MAPPING

This section describes the feature "Synthesizing SIL-Conformant Mapping".

Feature: Synthesizing SIL-Conformant Mapping
Description: -None-

Table 753 Feature: Synthesizing SIL-Conformant Mapping

The feature "Synthesizing SIL-Conformant Mapping" reads and/or writes the following artifacts. The used artifacts are shown in Table 81 and are summarized in the subsequent table.

Fig 134 Artifacts of Feature: Synthesizing SIL-Conformant Mapping

Artifacts of Feature: Synthesizing SIL-Conformant Mapping
Inputs:
• AF3 System Model
Outputs:
• AF3 System Model

Table 754 Artifacts of Feature: Synthesizing SIL-Conformant Mapping

1.2.2.14 FEATURE SYNTHESIZING TEST CASES

This section describes the feature "Synthesizing Test Cases".

Feature: Synthesizing Test Cases
Description: Test cases are synthesized for a specified test suite according to the coverage criteria.

Table 755 Feature: Synthesizing Test Cases

The feature "Synthesizing Test Cases" reads and/or writes the following artifacts. The used artifacts are shown in Table 83 and are summarized in the subsequent table.


Fig 135 Artifacts of Feature: Synthesizing Test Cases

Artifacts of Feature: Synthesizing Test Cases
Inputs:
• AF3 System Model
Outputs:
• Test Cases

Table 756 Artifacts of Feature: Synthesizing Test Cases

1.2.2.15 FEATURE VERIFYING CONTRACTS OF A LOGICAL ARCHITECTURE

This section describes the feature "Verifying Contracts of a Logical Architecture".

Feature: Verifying Contracts of a Logical Architecture
Description: A logical architecture is verified by means of formal checks.

A logical architecture is verified by means of formal checks. These checks include the use of assume-guarantee contracts or patterns.

Table 757 Feature: Verifying Contracts of a Logical Architecture

The feature "Verifying Contracts of a Logical Architecture" reads and/or writes the following artifacts. The used artifacts are shown in Table 85 and are summarized in the subsequent table.


Fig 136 Artifacts of Feature: Verifying Contracts of a Logical Architecture

Artifacts of Feature: Verifying Contracts of a Logical Architecture
Inputs:
• AF3 System Model
Outputs:
• Verification Verdict

Table 758 Artifacts of Feature: Verifying Contracts of a Logical Architecture

1.2.2.16 FEATURE VERIFYING MSC CONFORMANCE

This section describes the feature "Verifying MSC Conformance".

Feature: Verifying MSC Conformance
Description: For an MSC and a (part of a) logical architecture, their conformance is verified.

For an MSC and a (part of a) logical architecture including the behavior of its components, their conformance is verified; i.e., it is checked that the sequence of actions of an MSC can be produced by a logical component architecture.

Table 759 Feature: Verifying MSC Conformance

The feature "Verifying MSC Conformance" reads and/or writes the following artifacts. The used artifacts are shown in Table 87 and are summarized in the subsequent table.


Fig 137 Artifacts of Feature: Verifying MSC Conformance

Artifacts of Feature: Verifying MSC Conformance
Inputs:
• AF3 System Model
Outputs:
• Verification Verdict

Table 760 Artifacts of Feature: Verifying MSC Conformance

1.2.2.17 FEATURE VERIFYING SOUNDNESS OF A LOGICAL

ARCHITECTURE

This section describes the feature "Verifying Soundness of a Logical Architecture".

Feature: Verifying Soundness of a Logical Architecture
Description: A logical architecture is verified w.r.t. reachability and determinism of its components.

Table 761 Feature: Verifying Soundness of a Logical Architecture

The feature "Verifying Soundness of a Logical Architecture" reads and/or writes the following artifacts. The used artifacts are shown in TCL Determination for Use Case: FMEA Generation and are summarized in the subsequent table.


Fig 138 Artifacts of Feature: Verifying Soundness of a Logical Architecture

Artifacts of Feature: Verifying Soundness of a Logical Architecture
Inputs:
• AF3 System Model
Outputs:
• Verification Verdict

Table 762 Artifacts of Feature: Verifying Soundness of a Logical Architecture
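The features "Specifying Test Suite" and "Synthesizing Test Cases" (Sections 1.2.2.2 and 1.2.2.14) name state coverage and transition coverage as criteria from which test cases are synthesized, and "Verifying Soundness of a Logical Architecture" (this section) names reachability and determinism as the soundness properties of a component. The following added example shows both on one small state machine: soundness checks first, then transition-coverage test synthesis and coverage measurement, including what happens when the machine is not deterministic. This is illustrative code written for this page, not code from the RECOMP report or from AutoFOCUS3; the state-machine encoding, the sample session-handling component and every function name are assumptions.

```python
"""Soundness checks (reachability, determinism) and coverage-driven test
synthesis for a component state machine. Added example; not code from the
RECOMP report or from AutoFOCUS3. The encoding, the sample machine and all
function names are assumptions made for this illustration."""
from collections import deque

# Constructed sample: a small session-handling component. Transitions are
# (source state, input, target state). The machine is deliberately flawed:
# "Orphan" is never reached from the initial state, and input "fail" in
# state "Authenticating" has two possible targets (non-deterministic).
SAMPLE_STATES = {"Idle", "Authenticating", "Active", "Locked", "Orphan"}
SAMPLE_INITIAL = "Idle"
SAMPLE_TRANSITIONS = [
    ("Idle", "login", "Authenticating"),
    ("Authenticating", "ok", "Active"),
    ("Authenticating", "fail", "Idle"),
    ("Authenticating", "fail", "Locked"),   # conflicts with the line above
    ("Active", "logout", "Idle"),
    ("Locked", "unlock", "Idle"),
    ("Orphan", "noop", "Orphan"),           # unreachable from "Idle"
]

# Constructed repaired version of the same machine: the conflicting "fail"
# transition gets its own input and the orphan state is removed.
FIXED_STATES = {"Idle", "Authenticating", "Active", "Locked"}
FIXED_TRANSITIONS = [
    ("Idle", "login", "Authenticating"),
    ("Authenticating", "ok", "Active"),
    ("Authenticating", "fail", "Idle"),
    ("Authenticating", "lockout", "Locked"),
    ("Active", "logout", "Idle"),
    ("Locked", "unlock", "Idle"),
]


def shortest_paths(initial, transitions):
    """Breadth-first search: shortest input sequence reaching each state."""
    paths = {initial: []}
    queue = deque([initial])
    while queue:
        state = queue.popleft()
        for src, inp, tgt in transitions:
            if src == state and tgt not in paths:
                paths[tgt] = paths[state] + [inp]
                queue.append(tgt)
    return paths


def unreachable_states(states, initial, transitions):
    """Reachability check: states with no input path from the initial state."""
    return sorted(states - set(shortest_paths(initial, transitions)))


def nondeterministic_transitions(transitions):
    """Determinism check: (state, input) pairs with more than one target."""
    targets = {}
    for src, inp, tgt in transitions:
        targets.setdefault((src, inp), set()).add(tgt)
    return sorted(key for key, tgts in targets.items() if len(tgts) > 1)


def synthesize_transition_coverage_tests(initial, transitions):
    """One test (input sequence from the initial state) per reachable
    transition: the shortest path to its source state, then its input."""
    paths = shortest_paths(initial, transitions)
    return [paths[src] + [inp] for src, inp, _tgt in transitions if src in paths]


def run_test(initial, transitions, inputs):
    """Execute an input sequence; return the set of transitions taken. Stops
    at the first input that is undefined or ambiguous in the current state."""
    state, taken = initial, set()
    for inp in inputs:
        enabled = [t for t in transitions if t[0] == state and t[1] == inp]
        if len(enabled) != 1:
            break
        taken.add(enabled[0])
        state = enabled[0][2]
    return taken


def transition_coverage(initial, transitions, tests):
    """Fraction of transitions exercised by at least one test."""
    covered = set()
    for inputs in tests:
        covered |= run_test(initial, transitions, inputs)
    return len(covered) / len(transitions)


def state_coverage(states, initial, transitions, tests):
    """Fraction of states visited by at least one test."""
    visited = {initial}
    for inputs in tests:
        visited |= {tgt for _s, _i, tgt in run_test(initial, transitions, inputs)}
    return len(visited) / len(states)
```

Running the checks on SAMPLE_TRANSITIONS reports "Orphan" as unreachable and ("Authenticating", "fail") as non-deterministic; tests synthesized for that flawed machine only cover 3 of its 7 transitions, because run_test cannot continue past an ambiguous input. On FIXED_TRANSITIONS the same synthesis yields six tests with full state and transition coverage, which is why a soundness verdict is worth obtaining before test cases are generated from a model.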

1.2.3 POTENTIAL ERRORS IN AF3

The tool has no potential error. The error flow consists of all relations from errors to checks or restrictions. There are

• no relation from errors caused by other tools to checks or restrictions defined for use cases of this tool.

• no relation from errors caused by this tool to checks or restrictions defined for use cases of this tool.

• no relation from errors caused by this tool to checks or restrictions defined for use cases of other tools.

1.2.4 RESTRICTIONS IN AF3

There are no restrictions in the tool AF3.

1.2.5 CHECKS IN AF3

No checks are performed in the tool AF3.


1.2.6 ASSUMPTIONS

The determination of the TCL of AF3 is not based on assumed checks and restrictions. None of the checks and restrictions are modeled as assumptions.

1.2.7 TCL DETERMINATION

This section determines a TCL for each use case by assigning checks or restrictions with detection/avoidance probability to each potential error. The TCL for the entire tool can be derived from the TCL for each use case. The tool AF3 has 6 use cases with TCL 1, no use case with TCL 2 and no use case with TCL 3. Therefore the tool AF3 has TCL 1. The use cases are described in the following sections:

• For "Deploying a Logical Architecture to Technical Architecture" (TCL 1) see Section 0,
• for "Requirements Elicitation and Specification" (TCL 1) see Section 0,
• for "Specification of a Logical Architecture" (TCL 1) see Section 0,
• for "Unit Testing" (TCL 1) see Section 0,
• for "Validation of a Logical Architecture" (TCL 1) see Section 0, and
• for "Verification of a Logical Architecture" (TCL 1) see Section 1.4.7.4.

1.2.7.1 TCL DETERMINATION FOR USE CASE: DEPLOYING A LOGICAL ARCHITECTURE TO TECHNICAL ARCHITECTURE

The use case "Deploying a Logical Architecture to Technical Architecture" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. This use case has no errors.

1.2.7.2 TCL DETERMINATION FOR USE CASE: REQUIREMENTS ELICITATION AND SPECIFICATION

The use case "Requirements Elicitation and Specification" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. This use case has no errors.

1.2.7.3 TCL DETERMINATION FOR USE CASE: SPECIFICATION OF A LOGICAL ARCHITECTURE

The use case "Specification of a Logical Architecture" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. This use case has no errors.

1.2.7.4 TCL DETERMINATION FOR USE CASE: UNIT TESTING

The use case "Unit Testing" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. This use case has no errors.

1.2.7.5 TCL DETERMINATION FOR USE CASE: VALIDATION OF A LOGICAL ARCHITECTURE

The use case "Validation of a Logical Architecture" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. This use case has no errors.


1.2.7.6 TCL DETERMINATION FOR USE CASE: VERIFICATION OF A LOGICAL ARCHITECTURE

The use case "Verification of a Logical Architecture" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. This use case has no errors.

1.3 DEVELOPMENT

This section explains the determination of the Tool Confidence Level (TCL) for the tool Development.

Tool: Development
Description: This is not a concrete tool but just a model of any development tool chain (including humans) that can cause different errors when producing source code.
Impact: TI 2 (Impact)
Tool Confidence Level: TCL 2

Table 763 Tool: Development

The tool Development is modeled with 5 elements which have impact, none of them are assumptions. No additional features have been modeled.

Elements: Amount (Assumptions)
Use Cases: 1 (0)
Checks: 0 (0)
Restrictions: 0 (0)
Potential Errors: 4 (0)

Table 764 Amount of Elements in Tool: Development

1.3.1 USE CASES OF DEVELOPMENT

This section describes all analyzed use cases of Development in separate subsections. The following use cases of the tool Development are considered:

1. Create Code, see Section 0

1.3.1.1 USE CASE CREATE CODE

This section describes the use case "Create Code".

UseCase: Create Code
Description: This is the use case of creating C code; it collects some potential errors that can be discovered by the test tool.

Table 765 UseCase: Create Code

The use case requires no features and calls no other use cases.


The use case "Create Code" reads and/or writes the following artifacts. The used artifacts are shown in Table 97 and are summarized in the subsequent table.

Fig 139 Artifacts of Use Case: Create Code

Artifacts of Use Case: Create Code
Outputs:
• C/C++ Source Code

Table 766 Artifacts of Use Case: Create Code

1.3.2 FEATURES OF DEVELOPMENT

There are no features modeled for Development.

1.3.3 POTENTIAL ERRORS IN DEVELOPMENT

The tool has 4 different potential errors in 4 occurrences in use cases. The error flow consists of all relations from errors to checks or restrictions. There are

• no relation from errors caused by other tools to checks or restrictions defined for use cases of this tool.

• no relation from errors caused by this tool to checks or restrictions defined for use cases of this tool.

• no relation from errors caused by this tool to checks or restrictions defined for use cases of other tools.

• 4 errors caused by this tool without any relation to checks or restrictions.

The following 4 error occurrences of Development have no relation to any check or restriction:

• Assertion Violation (Table 99)
• Dead Code (TCL Determination for Use Case: Generation HW Coverage)
• Other Programming Error (TCL Determination for Use Case: HW/SW allocation)
• Runtime Error (Table 101)

1.3.4 RESTRICTIONS IN DEVELOPMENT

There are no restrictions in the tool Development.


1.3.5 CHECKS IN DEVELOPMENT

No checks are performed in the tool Development.

1.3.6 ASSUMPTIONS

The determination of the TCL of Development is not based on assumed checks and restrictions. None of the checks and restrictions are modeled as assumptions.

1.3.7 TCL DETERMINATION

This section determines a TCL for each use case by assigning checks or restrictions with detection/avoidance probability to each potential error. The TCL for the entire tool can be derived from the TCL for each use case. The tool Development has no use case with TCL 1, one use case with TCL 2 and no use case with TCL 3. Therefore the tool Development has TCL 2. The use cases are described in the following sections:

• For "Create Code" (TCL 2) see Section 1.4.7.5.

1.3.7.1 TCL DETERMINATION FOR USE CASE: CREATE CODE

The use case "Create Code" has TCL 2. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "Create Code".

Error | TD | Table
Assertion Violation | TD 3 (LOW) | Table 99
Dead Code | TD 3 (LOW) | TCL Determination for Use Case: Generation HW Coverage
Other Programing Error | TD 3 (LOW) | TCL Determination for Use Case: HW/SW allocation
Runtime Error | TD 3 (LOW) | Table 101

Table 767 Errors of Use Case: Create Code

Error: Assertion Violation
Description: The program contains assertions that can be violated under some conditions.
From use case: Create Code
Occurrences:
• in Create Code
Error View:


Table 768 Error: Assertion Violation

Error: Dead Code
Description: Code that can never be reached during execution is called dead code.
From use case: Create Code
Occurrences:
• in Create Code
Error View:


Table 769 Error: Dead Code

Error: Other Programing Error
Description: Any other functional error that can be introduced into the code.
From use case: Create Code
Occurrences:
• in Create Code
Error View:


Table 770 Error: Other Programing Error

Error: Runtime Error
Description: A runtime error is an error that causes the program to crash during execution. This
From use case: Create Code
Occurrences:
• in Create Code
Error View:


Table 771 Error: Runtime Error

1.4 ISO 26262 REVIEWS

This section explains the determination of the Tool Confidence Level (TCL) for the tool ISO 26262 Reviews.

Tool: ISO 26262 Reviews
Description: This virtual tool represents the reviews required by ISO 26262.
Comment: If the process shall be compliant with ISO 26262, the user has to perform these reviews anyhow.
Impact: TI 2 (Impact)
Tool Confidence Level: TCL 1

Table 772 Tool: ISO 26262 Reviews

The tool ISO 26262 Reviews is modeled with one element which has impact; this element is an assumption. No additional features have been modeled.

Elements | Amount (Assumptions)
Use Cases | 0 (0)
Checks | 1 (1)
Restrictions | 0 (0)
Potential Errors | 0 (0)

Table 773 Amount of Elements in Tool: ISO 26262 Reviews

1.4.1 USE CASES OF ISO 26262 REVIEWS

There are no use cases modeled for ISO 26262 Reviews.

1.4.2 FEATURES OF ISO 26262 REVIEWS

There are no features modeled for ISO 26262 Reviews.


1.4.3 POTENTIAL ERRORS IN ISO 26262 REVIEWS

The tool has no potential errors. The error flow, as can be seen in Table 102, consists of all relations from errors to checks or restrictions. There are

• 11 relations from errors caused by other tools to checks or restrictions defined for use cases of this tool.

• no relation from errors caused by this tool to checks or restrictions defined for use cases of this tool.

• no relation from errors caused by this tool to checks or restrictions defined for use cases of other tools.

Fig 140 Error Flow to and from ISO 26262 Reviews

The TCL Determination for Use Case: Item Definition shows all 11 relations, introduced by one other tool:

Tool | Error | UseCase | Table
Tool Chain Analyzer | Document Generated Wrongly | Generate Tool Classification Report | Fig 37
Tool Chain Analyzer | TCL Wrongly Shown | Determinate Tool Confidence Level | Table 194
Tool Chain Analyzer | TCL Wrongly Written | Determinate Tool Confidence Level | Table 195
Tool Chain Analyzer | Wrong Export | Cost Calculation | Table 185
Tool Chain Analyzer | Wrong Export | Review Model | Feature Edit Model
Tool Chain Analyzer | Wrong Import | Cost Calculation | Table 186
Tool Chain Analyzer | Wrong Import | Review Model | Fig 85
Tool Chain Analyzer | Wrong TCL Computed | Determinate Tool Confidence Level | Table 196
Tool Chain Analyzer | Wrong TCL Computed | Generate Tool Classification Report | Use Case Modelling
Tool Chain Analyzer | Wrong XML Export | Create Model | Table 190
Tool Chain Analyzer | Wrong XML Import | Create Model | Table 191

Table 774 Errors introduced in ISO 26262 Reviews by other tools

1.4.4 RESTRICTIONS IN ISO 26262 REVIEWS

There are no restrictions in the tool ISO 26262 Reviews.

1.4.5 CHECKS IN ISO 26262 REVIEWS

The following check is performed in the tool ISO 26262 Reviews.

Check: Detect Wrong TCL
Description: An error in the TCL computation is detected. Since the review is performed on the basis of the generated report, it will also detect errors in the report generation and in the image generation, and all other modeling errors, with a high probability.
Comment: TCL computation is an easy task and review is an effective verification method for that purpose.
From use case: ISO 26262 Reviews,SG_Confirmation Review Of TCLs
Occurrences:
• in SG_Confirmation Review Of TCLs
Error detection probability: TD 1 (HIGH)
Detected errors from other tools:
• SG_Confirmation Review Of TCLs,Tool Chain Analyzer,Compute Tool Confidence Level,Wrong TCL Computed
• SG_Confirmation Review Of TCLs,Tool Chain Analyzer,Determinate Tool Confidence Level,TCL Wrongly Shown
• SG_Confirmation Review Of TCLs,Tool Chain Analyzer,Determinate Tool Confidence Level,TCL Wrongly Written
• SG_Confirmation Review Of TCLs,Tool Chain Analyzer,Excel Interface,Wrong Export
• SG_Confirmation Review Of TCLs,Tool Chain Analyzer,Excel Interface,Wrong Import
• SG_Confirmation Review Of TCLs,Tool Chain Analyzer,Generate Word (docx),Document Generated Wrongly
• SG_Confirmation Review Of TCLs,Tool Chain Analyzer,Xml Interface,Wrong XML Export
• SG_Confirmation Review Of TCLs,Tool Chain Analyzer,Xml Interface,Wrong XML Import
Is assumption: True
Relations to other tools:

Table 775 Check: Detect Wrong TCL

1.4.6 ASSUMPTIONS

The determination of the TCL of ISO 26262 Reviews is based on the following assumption on the development process.

• Check: Detect Wrong TCL (TCL Determination for Use Case: Safety goals definition) occurs in:
  o SG_Confirmation Review Of TCLs

1.4.7 TCL DETERMINATION

This section determines a TCL for each use case by assigning checks or restrictions with detection/avoidance probability to each potential error. The TCL for the entire tool can be derived from the TCL for each use case. The tool ISO 26262 Reviews has no use case with TCL 1, no use case with TCL 2 and no use case with TCL 3. Therefore the tool ISO 26262 Reviews has TCL 1. There are no use cases modeled for the tool ISO 26262 Reviews.

1.5 NUSMV MODEL CHECKER

This section explains the determination of the Tool Confidence Level (TCL) for the tool nuSMV Model Checker.

Tool: nuSMV Model Checker
Description: -None-
Impact: TI 2 (Impact)
Tool Confidence Level: TCL 1

Table 776 Tool: nuSMV Model Checker

The tool nuSMV Model Checker is modeled with no elements that have impact. No additional features have been modeled.

Elements | Amount (Assumptions)
Use Cases | 0 (0)
Checks | 0 (0)
Restrictions | 0 (0)
Potential Errors | 0 (0)


Table 777 Amount of Elements in Tool: nuSMV Model Checker

1.5.1 USE CASES OF NUSMV MODEL CHECKER

There are no use cases modeled for nuSMV Model Checker.

1.5.2 FEATURES OF NUSMV MODEL CHECKER

There are no features modeled for nuSMV Model Checker.

1.5.3 POTENTIAL ERRORS IN NUSMV MODEL CHECKER

The tool has no potential errors. The error flow consists of all relations from errors to checks or restrictions. There are

• no relation from errors caused by other tools to checks or restrictions defined for use cases of this tool.

• no relation from errors caused by this tool to checks or restrictions defined for use cases of this tool.

• no relation from errors caused by this tool to checks or restrictions defined for use cases of other tools.

1.5.4 RESTRICTIONS IN NUSMV MODEL CHECKER

There are no restrictions in the tool nuSMV Model Checker.

1.5.5 CHECKS IN NUSMV MODEL CHECKER

No checks are performed in the tool nuSMV Model Checker.

1.5.6 ASSUMPTIONS

The determination of the TCL of nuSMV Model Checker is not based on assumed checks and restrictions. None of the checks and restrictions are modeled as assumptions.

1.5.7 TCL DETERMINATION

This section determines a TCL for each use case by assigning checks or restrictions with detection/avoidance probability to each potential error. The TCL for the entire tool can be derived from the TCL for each use case. The tool nuSMV Model Checker has no use case with TCL 1, no use case with TCL 2 and no use case with TCL 3. Therefore the tool nuSMV Model Checker has TCL 1. There are no use cases modeled for the tool nuSMV Model Checker.

1.6 PHAROS MICRO KERNEL

This section explains the determination of the Tool Confidence Level (TCL) for the tool PharOS micro kernel.

Tool: PharOS micro kernel
Description: PharOS micro kernel
Impact: TI 2 (Impact)
Tool Confidence Level: TCL 1

Table 778 Tool: PharOS micro kernel

The tool PharOS micro kernel is modeled with 9 elements which have impact, none of which are assumptions. In addition, 4 features have been modeled, none of which are assumptions.

Elements | Amount (Assumptions)
Use Cases | 1 (0)
Checks | 4 (0)
Restrictions | 0 (0)
Potential Errors | 4 (0)

Table 779 Amount of Elements in Tool: PharOS micro kernel

1.6.1 USE CASES OF PHAROS MICRO KERNEL

This section describes all analyzed use cases of PharOS micro kernel in separate subsections. The following use cases of the tool PharOS micro kernel are considered:

1. target execution, see Section 0

1.6.1.1 USE CASE TARGET EXECUTION

This section describes the use case "target execution".

UseCase: target execution
Description: -None-

Table 780 UseCase: target execution

The use case requires 4 features and calls no other use cases. Table 105 shows the dependencies between the use cases and features.


Fig 141 Dependency View of Use Case: target execution

"target execution" uses the following features:

• Budget monitoring
• Deadline monitoring
• Memory protection
• Node transition monitoring

The use case "target execution" reads and/or writes the following artifacts. The used artifacts are shown in Table 106 and are summarized in the subsequent table.

Fig 142 Artifacts of Use Case: target execution

Artifacts of Use Case: target execution
Inputs:
• Binary executable

Table 781 Artifacts of Use Case: target execution

1.6.2 FEATURES OF PHAROS MICRO KERNEL

This section describes all analyzed features of PharOS micro kernel in separate subsections. The following features of the tool PharOS micro kernel are considered:

1. Budget monitoring, see Section 1.4.7.10
2. Deadline monitoring, see Section 0
3. Memory protection, see Section 0
4. Node transition monitoring, see Section 1.7.1.1


1.6.2.1 FEATURE BUDGET MONITORING

This section describes the feature "Budget monitoring".

Feature: Budget monitoring
Description: -None-

Table 782 Feature: Budget monitoring

In order to fulfill the requirements of the feature, usually a number of artifacts will be read and/or written. But in "Budget monitoring" the tool PharOS micro kernel uses no artifacts.

1.6.2.2 FEATURE DEADLINE MONITORING

This section describes the feature "Deadline monitoring".

Feature: Deadline monitoring
Description: -None-

Table 783 Feature: Deadline monitoring

In order to fulfill the requirements of the feature, usually a number of artifacts will be read and/or written. But in "Deadline monitoring" the tool PharOS micro kernel uses no artifacts.

1.6.2.3 FEATURE MEMORY PROTECTION

This section describes the feature "Memory protection".

Feature: Memory protection
Description: -None-

Table 784 Feature: Memory protection

In order to fulfill the requirements of the feature, usually a number of artifacts will be read and/or written. But in "Memory protection" the tool PharOS micro kernel uses no artifacts.

1.6.2.4 FEATURE NODE TRANSITION MONITORING

This section describes the feature "Node transition monitoring".

Feature: Node transition monitoring
Description: -None-

Table 785 Feature: Node transition monitoring

In order to fulfill the requirements of the feature, usually a number of artifacts will be read and/or written. But in "Node transition monitoring" the tool PharOS micro kernel uses no artifacts.


1.6.3 POTENTIAL ERRORS IN PHAROS MICRO KERNEL

The tool has 4 different potential errors in 4 occurrences in use cases. The error flow, as can be seen in Fig 13, consists of all relations from errors to checks or restrictions. There are

• no relation from errors caused by other tools to checks or restrictions defined for use cases of this tool.

• 4 relations from errors caused by this tool to checks or restrictions defined for use cases of this tool.

• no relation from errors caused by this tool to checks or restrictions defined for use cases of other tools.

Fig 143 Error Flow to and from PharOS micro kernel

PharOS micro kernel has the following 4 relations, which are detected by checks or restrictions of this tool. The errors are described in detail in the TCL analysis of the corresponding use cases:

• Budget error (Fig 14)
• Communication buffer overflow (Use Case Modelling)
• Dead line error (Fig 15)
• Node transition error (Use Case Modelling Requirements)

1.6.4 RESTRICTIONS IN PHAROS MICRO KERNEL

There are no restrictions in the tool PharOS micro kernel.

1.6.5 CHECKS IN PHAROS MICRO KERNEL

The following 4 checks are performed in the tool PharOS micro kernel.

Check: Budget monitoring
Description: -None-
From feature: PharOS micro kernel,Budget monitoring
Occurrences:
• in Budget monitoring in target execution
Error detection probability: TD 1 (HIGH)
Detected errors:
• target execution,Budget error

Table 786 Check: Budget monitoring

Check: Monitor memory access
Description: -None-
From feature: PharOS micro kernel,Memory protection
Occurrences:
• in Memory protection in target execution
Error detection probability: TD 1 (HIGH)
Detected errors:
• target execution,Communication buffer overflow

Table 787 Check: Monitor memory access

Check: Monitor node transitions
Description: -None-
From feature: PharOS micro kernel,Node transition monitoring
Occurrences:
• in Node transition monitoring in target execution
Error detection probability: TD 1 (HIGH)
Detected errors:
• target execution,Node transition error

Table 788 Check: Monitor node transitions

Check: Monitors deadline
Description: -None-
From feature: PharOS micro kernel,Deadline monitoring
Occurrences:
• in Deadline monitoring in target execution
Error detection probability: TD 1 (HIGH)
Detected errors:
• target execution,Dead line error

Table 789 Check: Monitors deadline

1.6.6 ASSUMPTIONS

The determination of the TCL of PharOS micro kernel is not based on assumed checks and restrictions. None of the checks and restrictions are modeled as assumptions.


1.6.7 TCL DETERMINATION

This section determines a TCL for each use case by assigning checks or restrictions with detection/avoidance probability to each potential error. The TCL for the entire tool can be derived from the TCL for each use case. The tool PharOS micro kernel has one use case with TCL 1, no use case with TCL 2 and no use case with TCL 3. Therefore the tool PharOS micro kernel has TCL 1. The use cases are described in the following sections:

• For "target execution" (TCL 1) see Section 1.7.1.2.

1.6.7.1 TCL DETERMINATION FOR USE CASE: TARGET EXECUTION

The use case "target execution" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "target execution".

Error | TD | Table
Budget error | TD 1 (HIGH) | Fig 14
Communication buffer overflow | TD 1 (HIGH) | Use Case Modelling
Dead line error | TD 1 (HIGH) | Fig 15
Node transition error | TD 1 (HIGH) | Use Case Modelling Requirements

Table 790 Errors of Use Case: target execution

Error: Budget error
Description: A task consumes more than its allocated budget.
From use case: target execution
Discovered by the following checks:
• Budget monitoring.Budget monitoring
Occurrences:
• in target execution
Error View:


Table 791 Error: Budget error

Error: Communication buffer overflow
Description: -None-
From use case: target execution
Discovered by the following checks:
• Memory protection.Monitor memory access
Occurrences:
• in target execution
Error View:

Table 792 Error: Communication buffer overflow

Error: Dead line error
Description: -None-
From use case: target execution
Discovered by the following checks:
• Deadline monitoring.Monitors deadline
Occurrences:
• in target execution
Error View:

Table 793 Error: Dead line error

Error: Node transition error
Description: -None-
From use case: target execution
Discovered by the following checks:
• Node transition monitoring.Monitor node transitions
Occurrences:
• in target execution
Error View:


Table 794 Error: Node transition error

1.7 PHAROS OFFLINE COMPUTATION

This section explains the determination of the Tool Confidence Level (TCL) for the tool PharOS offline computation.

Tool: PharOS offline computation
Description: PsyC to C compiler
Impact: TI 2 (Impact)
Tool Confidence Level: TCL 1

Table 795 Tool: PharOS offline computation

The tool PharOS offline computation is modeled with 5 elements which have impact, none of which are assumptions. In addition, 3 features have been modeled, none of which are assumptions.

Elements | Amount (Assumptions)
Use Cases | 1 (0)
Checks | 2 (0)
Restrictions | 0 (0)
Potential Errors | 2 (0)

Table 796 Amount of Elements in Tool: PharOS offline computation

1.7.1 USE CASES OF PHAROS OFFLINE COMPUTATION

This section describes all analyzed use cases of PharOS offline computation in separate subsections. The following use cases of the tool PharOS offline computation are considered:

1. Psy1, see Section 0


1.7.1.1 USE CASE PSY1

This section describes the use case "Psy1".

UseCase: Psy1
Description: Invokes Psy1, which is a PsyC to C compiler

Table 797 UseCase: Psy1

The use case requires 3 features and calls no other use cases. Fig 17 shows the dependencies between the use cases and features.

Fig 144 Dependency View of Use Case: Psy1

"Psy1" uses the following features:

• Execution graph extraction
• Feasability
• Spatial constraints

The use case "Psy1" reads and/or writes the following artifacts. The used artifacts are shown in Feature Edit Model and are summarized in the subsequent table.

Fig 145 Artifacts of Use Case: Psy1

Artifacts of Use Case: Psy1
Inputs:
• Timing Parameters
Outputs:
• C/C++ Source Code
• Execution Graph

Table 798 Artifacts of Use Case: Psy1

1.7.2 FEATURES OF PHAROS OFFLINE COMPUTATION

This section describes all analyzed features of PharOS offline computation in separate subsections. The following features of the tool PharOS offline computation are considered:

1. Execution graph extraction, see Section 1.7.7.1
2. Feasability, see Section 0
3. Spatial constraints, see Section 1.7.7.2

1.7.2.1 FEATURE EXECUTION GRAPH EXTRACTION

This section describes the feature "Execution graph extraction".

Feature: Execution graph extraction
Description: -None-

Table 799 Feature: Execution graph extraction

The feature "Execution graph extraction" reads and/or writes the following artifacts. The used artifacts are shown in Table 125 and are summarized in the subsequent table.

Fig 146 Artifacts of Feature: Execution graph extraction

Artifacts of Feature: Execution graph extraction
Inputs:
• Timing Parameters
Outputs:
• Execution Graph

Table 800 Artifacts of Feature: Execution graph extraction

1.7.2.2 FEATURE FEASABILITY

This section describes the feature "Feasability".

Feature: Feasability
Description: -None-

Table 801 Feature: Feasability

The feature "Feasability" reads and/or writes the following artifacts. The used artifacts are shown in Table 127 and are summarized in the subsequent table.

Fig 147 Artifacts of Feature: Feasability

Artifacts of Feature: Feasability
Inputs:
• Timing Parameters

Table 802 Artifacts of Feature: Feasability

1.7.2.3 FEATURE SPATIAL CONSTRAINTS

This section describes the feature "Spatial constraints".

Feature: Spatial constraints
Description: Communication buffers sizing, domains, execution stack size, ...

Table 803 Feature: Spatial constraints

The feature "Spatial constraints" reads and/or writes the following artifacts. The used artifacts are shown in Table 129 and are summarized in the subsequent table.

Fig 148 Artifacts of Feature: Spatial constraints

Artifacts of Feature: Spatial constraints
Inputs:
• Timing Parameters
Outputs:
• Spatial Constraints

Table 804 Artifacts of Feature: Spatial constraints

1.7.3 POTENTIAL ERRORS IN PHAROS OFFLINE COMPUTATION

The tool has 2 different potential errors in 2 occurrences in use cases. The error flow, as can be seen in TCL Determination for Use Case: Modelling, consists of all relations from errors to checks or restrictions. There are

• no relation from errors caused by other tools to checks or restrictions defined for use cases of this tool.

• 2 relations from errors caused by this tool to checks or restrictions defined for use cases of this tool.

• no relation from errors caused by this tool to checks or restrictions defined for use cases of other tools.

Fig 149 Error Flow to and from PharOS offline computation

PharOS offline computation has the following 2 relations, which are detected by checks or restrictions of this tool. The errors are described in detail in the TCL analysis of the corresponding use cases:

• Deadlines are not met (Table 132)
• System under sized (Table 133)

1.7.4 RESTRICTIONS IN PHAROS OFFLINE COMPUTATION

There are no restrictions in the tool PharOS offline computation.

1.7.5 CHECKS IN PHAROS OFFLINE COMPUTATION

The following 2 checks are performed in the tool PharOS offline computation.

Check: Deadlines
Description: Analysis of the tasks and their timing budgets
From feature: PharOS offline computation,Feasability
Occurrences:
• in Feasability in Psy1
Error detection probability: TD 1 (HIGH)
Detected errors:
• Psy1,Deadlines are not met

Table 805 Check: Deadlines

Check: Timing budget
Description: Checks that the system can meet its deadlines even if tasks consume all of their timing budget
From feature: PharOS offline computation,Feasability
Occurrences:
• in Feasability in Psy1
Error detection probability: TD 1 (HIGH)
Detected errors:
• Psy1,System under sized

Table 806 Check: Timing budget

1.7.6 ASSUMPTIONS

The determination of the TCL of PharOS offline computation is not based on assumed checks and restrictions. None of the checks and restrictions are modeled as assumptions.

1.7.7 TCL DETERMINATION

This section determines a TCL for each use case by assigning checks or restrictions with detection/avoidance probability to each potential error. The TCL for the entire tool can be derived from the TCL for each use case. The tool PharOS offline computation has one use case with TCL 1, no use case with TCL 2 and no use case with TCL 3. Therefore the tool PharOS offline computation has TCL 1. The use cases are described in the following sections:

• For "Psy1" (TCL 1) see Section 0.

1.7.7.1 TCL DETERMINATION FOR USE CASE: PSY1

The use case "Psy1" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "Psy1".

Error | TD | Table
Deadlines are not met | TD 1 (HIGH) | Table 132
System under sized | TD 1 (HIGH) | Table 133

Table 807 Errors of Use Case: Psy1

Error: Deadlines are not met
Description: -None-
From use case: Psy1
Discovered by the following checks:
• Feasability.Deadlines
Occurrences:
• in Psy1
Error View:

Table 808 Error: Deadlines are not met

Error: System under sized
Description: Scheduling is not possible with the current timing budgets for tasks
From use case: Psy1
Discovered by the following checks:
• Feasability.Timing budget
Occurrences:
• in Psy1
Error View:


Table 809 Error: System under sized

1.8 PHAROS RUNTIME GENERATION

This section explains the determination of the Tool Confidence Level (TCL) for the tool PharOS runtime generation.

Tool: PharOS runtime generation
Description: Creates the compilation environment for the runtime.
Impact: TI 2 (Impact)
Tool Confidence Level: TCL 3

Table 810 Tool: PharOS runtime generation

The tool PharOS runtime generation is modeled with 3 elements which have impact, none of which are assumptions. In addition, 3 features have been modeled, none of which are assumptions.

Elements | Amount (Assumptions)
Use Cases | 2 (0)
Checks | 0 (0)
Restrictions | 0 (0)
Potential Errors | 1 (0)

Table 811 Amount of Elements in Tool: PharOS runtime generation

1.8.1 USE CASES OF PHAROS RUNTIME GENERATION

This section describes all analyzed use cases of PharOS runtime generation in separate subsections. The following use cases of the tool PharOS runtime generation are considered:

1. cross compilation, see Section 0
2. Psycc, see Section 0

1.8.1.1 USE CASE CROSS COMPILATION

This section describes the use case "cross compilation".

UseCase: cross compilation
Description: -None-

Table 812 UseCase: cross compilation

The use case requires no features and calls no other use cases. In order to fulfill the requirements of the use case, usually a number of artifacts will be read and/or written. But in "cross compilation" the tool PharOS runtime generation uses no artifacts.

1.8.1.2 USE CASE PSYCC

This section describes the use case "Psycc".

UseCase: Psycc
Description: Generates the cross compilation environment

Table 813 UseCase: Psycc

The use case requires 3 features and calls no other use cases. Table 136 shows the dependencies between the use cases and features.

Fig 150 Dependency View of Use Case: Psycc

"Psycc" uses the following features:

• Link with PharOS micro-kernel
• Linker script generation
• MPU table genration

The use case "Psycc" reads and/or writes the following artifacts. The used artifacts are shown in TCL Determination for Use Case: Modelling Requirements and are summarized in the subsequent table.


Fig 151 Artifacts of Use Case: Psycc

Artifacts of Use Case: Psycc
Inputs:
• C/C++ Source Code

Table 814 Artifacts of Use Case: Psycc

1.8.2 FEATURES OF PHAROS RUNTIME GENERATION

This section describes all analyzed features of PharOS runtime generation in separate subsections. The following features of the tool PharOS runtime generation are considered:

1. Link with PharOS micro-kernel, see Section 1.8.1.1
2. Linker script generation, see Section 0
3. MPU table genration, see Section 1.8.7.1

1.8.2.1 FEATURE LINK WITH PHAROS MICRO-KERNEL

This section describes the feature "Link with PharOS micro-kernel".

Feature: Link with PharOS micro-kernel
Description: The micro kernel provides communication mechanisms, scheduling and monitoring features to the application

Table 815 Feature: Link with PharOS micro-kernel

The feature "Link with PharOS micro-kernel" reads and/or writes the following artifacts. The used artifacts are shown in Fig 18 and are summarized in the subsequent table.

Fig 152 Artifacts of Feature: Link with PharOS micro-kernel

Artifacts of Feature: Link with PharOS micro-kernel
Inputs:
• Binary executable
Outputs:
• Binary executable

Table 816 Artifacts of Feature: Link with PharOS micro-kernel

1.8.2.2 FEATURE LINKER SCRIPT GENERATION

This section describes the feature "Linker script generation".

Feature: Linker script generation
Description: Generation of the platform-dependent linker script

Table 817 Feature: Linker script generation

In order to fulfill the requirements of the feature, usually a number of artifacts will be read and/or written. But in "Linker script generation" the tool PharOS runtime generation uses no artifacts.

1.8.2.3 FEATURE MPU TABLE GENERATION

This section describes the feature "MPU table generation".

Feature: MPU table generation
Description: Memory protection unit configuration

Table 818 Feature: MPU table generation

The feature "MPU table generation" reads and/or writes the following artifacts. The used artifacts are shown in Table 143 and are summarized in the subsequent table.

Fig 153 Artifacts of Feature: MPU table generation

Artifacts of Feature: MPU table generation
Inputs:
• C/C++ Source Code
Outputs:
• Binary executable

Table 819 Artifacts of Feature: MPU table generation

1.8.3 POTENTIAL ERRORS IN PHAROS RUNTIME GENERATION

The tool has one potential error in one occurrence in use cases. The error flow consists of all relations from errors to checks or restrictions. There are

• no relation from errors caused by other tools to checks or restrictions defined for use cases of this tool.

• no relation from errors caused by this tool to checks or restrictions defined for use cases of this tool.

• no relation from errors caused by this tool to checks or restrictions defined for use cases of other tools.

• one error caused by this tool without any relation to checks or restrictions.

The following one error occurrence of PharOS runtime generation has no relation to any check or restriction:

• AnyError (Fig 20)

1.8.4 RESTRICTIONS IN PHAROS RUNTIME GENERATION

There are no restrictions in the tool PharOS runtime generation.

1.8.5 CHECKS IN PHAROS RUNTIME GENERATION

No checks are performed in the tool PharOS runtime generation.

1.8.6 ASSUMPTIONS

The determination of the TCL of PharOS runtime generation is not based on assumed checks and restrictions. None of the checks and restrictions are modeled as assumptions.

1.8.7 TCL DETERMINATION

This section determines a TCL for each use case by assigning checks or restrictions with detection/avoidance probability to each potential error. The TCL for the entire tool can be derived from the TCL for each use case. The tool PharOS runtime generation has one use case with TCL 1, no use case with TCL 2 and one use case with TCL 3. Therefore the tool PharOS runtime generation has TCL 3. The use cases are described in the following sections:

• For "cross compilation" (TCL 1) see Section 0, and
• for "Psycc" (TCL 3) see Section 1.9.1.1.

1.8.7.1 TCL DETERMINATION FOR USE CASE: CROSS COMPILATION

The use case "cross compilation" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. This use case has no errors.

1.8.7.2 TCL DETERMINATION FOR USE CASE: PSYCC

The use case "Psycc" has TCL 3. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "Psycc".

Error | TD | Table
AnyError | TD 3 (LOW) | Fig 20

Table 820 Errors of Use Case: Psycc

Error: AnyError
Description: -None-
From use case: Psycc
Occurrences:
• in Psycc
Error View:

Table 821 Error: AnyError

1.9 PROCESS CHECKER

This section explains the determination of the Tool Confidence Level (TCL) for the tool Process Checker.

Tool: Process Checker
Description: This is a manual step to validate the process for completeness. If this is the case, TCA model validation can be omitted.
Impact: TI 2 (Impact)
Tool Confidence Level: TCL 1

Table 822 Tool: Process Checker

The tool Process Checker is modeled with one element which has impact and is not an assumption. No additional features have been modeled.

Elements | Amount (Assumptions)
Use Cases | 0 (0)
Checks | 0 (0)
Restrictions | 1 (0)
Potential Errors | 0 (0)

Table 823 Amount of Elements in Tool: Process Checker

1.9.1 USE CASES OF PROCESS CHECKER

There are no use cases modeled for Process Checker.

1.9.2 FEATURES OF PROCESS CHECKER

There are no features modeled for Process Checker.

1.9.3 POTENTIAL ERRORS IN PROCESS CHECKER

The tool has no potential error. The error flow, as can be seen in Use Case Create Model, consists of all relations from errors to checks or restrictions. There are

• 2 relations from errors caused by other tools to checks or restrictions defined for use cases of this tool.

• no relation from errors caused by this tool to checks or restrictions defined for use cases of this tool.

• no relation from errors caused by this tool to checks or restrictions defined for use cases of other tools.

Fig 154 Error Flow to and from Process Checker

Fig 21 shows all 2 relations, introduced by one other tool:

Tool | Error | UseCase | Table
Tool Chain Analyzer | Process Inconsistently Modelled | Create Model | TCL Determination for Use Case: Generate Tool Classification Report
Tool Chain Analyzer | Process Inconsistently Modelled | Review Model | Fig 84

Table 824 Errors introduced in Process Checker by other tools

1.9.4 RESTRICTIONS IN PROCESS CHECKER

The tool Process Checker must only be used with the following restriction.

Restriction: Consistent Process
Description: This ensures that the process is consistent
From use case: Process Checker, Validate Process
Error avoidance probability: TD 1 (HIGH)
Occurrences:
• in Validate Process
Avoided errors from other tools:
• Validate Process, Tool Chain Analyzer, Model Validation, Process Inconsistently Modelled
Relations to other tools:

Table 825 Restriction: Consistent Process

1.9.5 CHECKS IN PROCESS CHECKER

No checks are performed in the tool Process Checker.

1.9.6 ASSUMPTIONS

The determination of the TCL of Process Checker is not based on assumed checks and restrictions. None of the checks and restrictions are modeled as assumptions.

1.9.7 TCL DETERMINATION

This section determines a TCL for each use case by assigning checks or restrictions with detection/avoidance probability to each potential error. The TCL for the entire tool can be derived from the TCL for each use case. The tool Process Checker has no use case with TCL 1, no use case with TCL 2 and no use case with TCL 3. Therefore the tool Process Checker has TCL 1. There are no use cases modeled for the tool Process Checker.

1.10 SIMULINK DESIGN VERIFIER

This section explains the determination of the Tool Confidence Level (TCL) for the tool Simulink Design Verifier.

Tool: Simulink Design Verifier
Description: A verifier for Simulink/Stateflow models provided by Mathworks
Impact: TI 2 (Impact)
Tool Confidence Level: TCL 1

Table 826 Tool: Simulink Design Verifier

The tool Simulink Design Verifier is modeled with 2 elements which have impact, none of which are assumptions. No additional features have been modeled.

Elements | Amount (Assumptions)
Use Cases | 1 (0)
Checks | 0 (0)
Restrictions | 0 (0)
Potential Errors | 1 (0)

Table 827 Amount of Elements in Tool: Simulink Design Verifier

1.10.1 USE CASES OF SIMULINK DESIGN VERIFIER

This section describes all analyzed use cases of Simulink Design Verifier in separate subsections. The following use cases of the tool Simulink Design Verifier are considered:

1. Verify, see Section 0

1.10.1.1 USE CASE VERIFY

This section describes the use case "Verify".

UseCase: Verify
Description: Check that the properties given as special assertion blocks in the model hold
Comment: OS: needs to update the model, otherwise no exchange with VerSAA tool possible

Table 828 UseCase: Verify

The use case requires no features and calls no other use cases. The use case "Verify" reads and/or writes the following artifacts. The used artifacts are shown in Use Case Determinate Tool Confidence Level and are summarized in the subsequent table.

Fig 155 Artifacts of Use Case: Verify

Artifacts of Use Case: Verify
Outputs:
• SLDV verification report
Inputs & Outputs:
• Simulink Model

Table 829 Artifacts of Use Case: Verify

1.10.2 FEATURES OF SIMULINK DESIGN VERIFIER

There are no features modeled for Simulink Design Verifier.

1.10.3 POTENTIAL ERRORS IN SIMULINK DESIGN VERIFIER

The tool has one potential error in one occurrence in use cases. The error flow consists of all relations from errors to checks or restrictions. There are

• no relation from errors caused by other tools to checks or restrictions defined for use cases of this tool.

• no relation from errors caused by this tool to checks or restrictions defined for use cases of this tool.

• no relation from errors caused by this tool to checks or restrictions defined for use cases of other tools.

• one error caused by this tool without any relation to checks or restrictions.

The following one error occurrence of Simulink Design Verifier has no relation to any check or restriction:

• Unsound verification (Fig 24)

1.10.4 RESTRICTIONS IN SIMULINK DESIGN VERIFIER

There are no restrictions in the tool Simulink Design Verifier.

1.10.5 CHECKS IN SIMULINK DESIGN VERIFIER

No checks are performed in the tool Simulink Design Verifier.

1.10.6 ASSUMPTIONS

The determination of the TCL of Simulink Design Verifier is not based on assumed checks and restrictions. None of the checks and restrictions are modeled as assumptions.

1.10.7 TCL DETERMINATION

This section determines a TCL for each use case by assigning checks or restrictions with detection/avoidance probability to each potential error. The TCL for the entire tool can be derived from the TCL for each use case. The tool Simulink Design Verifier has one use case with TCL 1, no use case with TCL 2 and no use case with TCL 3. Therefore the tool Simulink Design Verifier has TCL 1. The use cases are described in the following sections:

• For "Verify" (TCL 1) see Section 0.

1.10.7.1 TCL DETERMINATION FOR USE CASE: VERIFY

The use case "Verify" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "Verify".

Error | TD | Table
Unsound verification | TD 3 (LOW) | Fig 24

Table 830 Errors of Use Case: Verify

Error: Unsound verification
Description: The Simulink Design Verifier is not guaranteed to be sound. The same problems as for VerSAA exist.
From use case: Verify
Occurrences:
• in Verify
Error View:

Table 831 Error: Unsound verification

1.11 TOOL CHAIN ANALYZER

This section explains the determination of the Tool Confidence Level (TCL) for the tool Tool Chain Analyzer.

Tool: Tool Chain Analyzer
Description: The tool TCA to analyze tool chains. It can be obtained from Validas AG at www.validas.de/TCA.html
Impact: TI 2 (Impact)
Tool Confidence Level: TCL 3

Table 832 Tool: Tool Chain Analyzer

The tool Tool Chain Analyzer is modeled with 17 elements which have impact, none of which are assumptions. In addition, 10 features have been modeled, one of which is an assumption.

Elements | Amount (Assumptions)
Use Cases | 5 (0)
Checks | 1 (0)
Restrictions | 0 (0)
Potential Errors | 11 (0)

Table 833 Amount of Elements in Tool: Tool Chain Analyzer

1.11.1 USE CASES OF TOOL CHAIN ANALYZER

This section describes all analyzed use cases of Tool Chain Analyzer in separate subsections. The following use cases of the tool Tool Chain Analyzer are considered:

1. Cost Calculation, see Section 1.9.1.4
2. Create Model, see Section 0
3. Determinate Tool Confidence Level, see Section 0
4. Generate Tool Classification Report, see Section 1.9.2.2
5. Review Model, see Section 0

1.11.1.1 USE CASE COST CALCULATION

This section describes the use case "Cost Calculation".

UseCase: Cost Calculation
Description: The TCA can calculate the costs of the tool chain and the manual steps involved.

Table 834 UseCase: Cost Calculation

The use case requires 3 features and calls no other use cases. Fig 25 shows the dependencies between the use cases and features.

Fig 156 Dependency View of Use Case: Cost Calculation

"Cost Calculation" uses the following features:
• Cost Model
• EMF
• Excel Interface

In order to fulfill the requirements of the use case, usually a number of artifacts will be read and/or written. But in "Cost Calculation" the tool Tool Chain Analyzer uses no artifacts.

1.11.1.2 USE CASE CREATE MODEL

This section describes the use case "Create Model".

UseCase: Create Model
Description: The TCA model is created using interactive work with the tool

Table 835 UseCase: Create Model

The use case requires 3 features and calls no other use cases. Use Case Review Model shows the dependencies between the use cases and features.

Fig 157 Dependency View of Use Case: Create Model

"Create Model" uses the following features:
• EMF
• Model Validation
• Xml Interface

The use case "Create Model" reads and/or writes the following artifacts. The used artifacts are shown in Fig 27 and are summarized in the subsequent table.

Fig 158 Artifacts of Use Case: Create Model

Artifacts of Use Case: Create Model
Inputs:
• Overall Project Plan
• Safety Plan

Table 836 Artifacts of Use Case: Create Model

1.11.1.3 USE CASE DETERMINATE TOOL CONFIDENCE LEVEL

This section describes the use case "Determinate Tool Confidence Level".

UseCase: Determinate Tool Confidence Level
Description: The Tool Chain Analyzer determines the Tool Confidence Level according to ISO 26262.
Comment: The TCA model is considered to be a part of the software tool application guidelines.

Table 837 UseCase: Determinate Tool Confidence Level

The use case requires 2 features and calls no other use cases. Feature Compute Tool Confidence Level shows the dependencies between the use cases and features.

Fig 159 Dependency View of Use Case: Determinate Tool Confidence Level

"Determinate Tool Confidence Level" uses the following features:
• Compute Tool Confidence Level
• EMF

The use case "Determinate Tool Confidence Level" reads and/or writes the following artifacts. The used artifacts are shown in Fig 29 and are summarized in the subsequent table.

Fig 160 Artifacts of Use Case: Determinate Tool Confidence Level

Artifacts of Use Case: Determinate Tool Confidence Level
Inputs:
• Overall Project Plan
• Safety Plan
Outputs:
• Safety Manual
• Tool Evaluation Report

Table 838 Artifacts of Use Case: Determinate Tool Confidence Level

1.11.1.4 USE CASE GENERATE TOOL CLASSIFICATION REPORT

This section describes the use case "Generate Tool Classification Report".

UseCase: Generate Tool Classification Report
Description: A tool classification report is generated containing the Tool Confidence Level for all tools. The tool classification report consists of two parts. The first one is related to the considered process and contains individual descriptions like information sources, tool versions etc. The second part describes the formal model of the tool chain with all elements (tools, use cases, artifacts, errors, probabilities, ...) and the automatically computed tool confidence level for each tool. The second part is generated from the TCA into a Word document. The information flows in the generated report are graphically visualised using the GraphViz tool.
Comment: We consider the generated report to be also a part of the tool application guidelines.

Table 839 UseCase: Generate Tool Classification Report

The use case requires 3 features and calls no other use cases. Fig 30 shows the dependencies between the use cases and features.

Fig 161 Dependency View of Use Case: Generate Tool Classification Report

"Generate Tool Classification Report" uses the following features:
• Compute Tool Confidence Level
• EMF
• Generate Word (docx)

The use case "Generate Tool Classification Report" reads and/or writes the following artifacts. The used artifacts are shown in Feature EMF and are summarized in the subsequent table.

Fig 162 Artifacts of Use Case: Generate Tool Classification Report

Artifacts of Use Case: Generate Tool Classification Report
Inputs:
• Overall Project Plan
Outputs:
• Tool Evaluation Report
Inputs & Outputs:
• Safety Manual

Table 840 Artifacts of Use Case: Generate Tool Classification Report

1.11.1.5 USE CASE REVIEW MODEL

This section describes the use case "Review Model".

UseCase: Review Model
Description: The model is reviewed using Excel interfaces that are easier to use for many reviewers

Table 841 UseCase: Review Model

The use case requires 4 features and calls no other use cases. Feature Excel Interface shows the dependencies between the use cases and features.

Fig 163 Dependency View of Use Case: Review Model

"Review Model" uses the following features:
• EMF
• Excel Interface
• Model Validation
• SG_Use Review Checklist

The use case "Review Model" reads and/or writes the following artifacts. The used artifacts are shown in Fig 32 and are summarized in the subsequent table.

Fig 164 Artifacts of Use Case: Review Model

Artifacts of Use Case: Review Model
Inputs:
• Overall Project Plan
• Safety Plan
Outputs:
• Review Protocol
Inputs & Outputs:
• Safety Manual

Table 842 Artifacts of Use Case: Review Model

1.11.2 FEATURES OF TOOL CHAIN ANALYZER

This section describes all analyzed features of Tool Chain Analyzer in separate subsections. The following features of the tool Tool Chain Analyzer are considered:

1. Compute Tool Confidence Level, see Section 1.9.2.5
2. Cost Model, see Section 1.9.2.6
3. EMF, see Section 1.9.2.7
4. Excel Interface, see Section 1.9.2.9
5. Generate Word (docx), see Section 0
6. Model Validation, see Section 0
7. Safety Guidelines, see Section 0
8. SG_Avoid Feature, see Section 0
9. SG_Use Review Checklist, see Section 0
10. Xml Interface, see Section 1.9.7.2

1.11.2.1 FEATURE COMPUTE TOOL CONFIDENCE LEVEL

This section describes the feature "Compute Tool Confidence Level".

Feature: Compute Tool Confidence Level
Description: The tool confidence level is computed according to ISO 26262. The tool confidence level (TCL) is computed based on the error detection (TD) probability of all potential errors in the relevant use cases, if a tool has impact (TI) on the safety of the product. More details can be found in the TCA user manual which is located in the TCA plugin Documentation, for example: Programme\TCA150\TCA150\plugins\Documentation_1.5.0\UserManual.pdf

Table 843 Feature: Compute Tool Confidence Level

The feature "Compute Tool Confidence Level" reads and/or writes the following artifacts. The used artifacts are shown in Fig 33 and are summarized in the subsequent table.

Fig 165 Artifacts of Feature: Compute Tool Confidence Level

Artifacts of Feature: Compute Tool Confidence Level
Inputs:
• User Input
Outputs:
• Display Output
• Excel File
• Word Document
Inputs & Outputs:
• Model

Table 844 Artifacts of Feature: Compute Tool Confidence Level

1.11.2.2 FEATURE COST MODEL

This section describes the feature "Cost Model".

Feature: Cost Model
Description: Feature to model the costs of the process

Table 845 Feature: Cost Model

The feature "Cost Model" reads and/or writes the following artifacts. The used artifacts are shown in Fig 34 and are summarized in the subsequent table.

Fig 166 Artifacts of Feature: Cost Model

Artifacts of Feature: Cost Model
Inputs:
• User Input
Outputs:
• Display Output
Inputs & Outputs:
• Excel File
• Model

Table 846 Artifacts of Feature: Cost Model

1.11.2.3 FEATURE EMF

This section describes the feature "EMF".

Feature: EMF
Description: The EMF (Eclipse Modeling Framework) is used for editing and persistency of the models

Table 847 Feature: EMF

The feature "EMF" reads and/or writes the following artifacts. The used artifacts are shown in Feature SG_Avoid Feature and are summarized in the subsequent table.

Fig 167 Artifacts of Feature: EMF

Artifacts of Feature: EMF
Inputs:
• User Input
Outputs:
• Display Output
Inputs & Outputs:
• Model

Table 848 Artifacts of Feature: EMF

1.11.2.4 FEATURE EXCEL INTERFACE

This section describes the feature "Excel Interface".

Feature: Excel Interface
Description: Export and import of different views into Excel (.xls) files. The following views can be exported to and imported from Excel to ease the modeling process:
- tool attributes
- features
- artifacts
- errors
More details can be found in the TCA user manual which is located in the TCA plugin Documentation, for example: Programme\TCA150\TCA150\plugins\Documentation_1.5.0\UserManual.pdf

Table 849 Feature: Excel Interface

The feature "Excel Interface" reads and/or writes the following artifacts. The used artifacts are shown in Feature Xml Interface and are summarized in the subsequent table.

Fig 168 Artifacts of Feature: Excel Interface

Artifacts of Feature: Excel Interface
Inputs:
• User Input
Inputs & Outputs:
• Excel File
• Model

Table 850 Artifacts of Feature: Excel Interface

1.11.2.5 FEATURE GENERATE WORD (DOCX)

This section describes the feature "Generate Word (docx)".

Feature: Generate Word (docx)
Description: Generates a Word documentation from the model. A Word report is generated from the model that contains the complete information in a readable format. For each tool there is a section with the following information:
- use cases
- features
- errors
- checks
- restrictions
- assumptions
- artifacts
- qualifications
- tool confidence level explanations for all errors in all use cases of the tool.
Furthermore, graphical visualisations of important relations are included.

Table 851 Feature: Generate Word (docx)

The feature "Generate Word (docx)" reads and/or writes the following artifacts. The used artifacts are shown in Fig 36 and are summarized in the subsequent table.

Fig 169 Artifacts of Feature: Generate Word (docx)

Artifacts of Feature: Generate Word (docx)
Inputs:
• Model
• User Input
Outputs:
• Word Document

Table 852 Artifacts of Feature: Generate Word (docx)

1.11.2.6 FEATURE MODEL VALIDATION

This section describes the feature "Model Validation".

Feature: Model Validation
Description: The TCA detects inconsistent models. There are many consistency checks implemented that exceed the syntactic checks. More details can be found in the TCA user manual which is located in the TCA plugin Documentation, for example: Programme\TCA150\TCA150\plugins\Documentation_1.5.0\UserManual.pdf

Table 853 Feature: Model Validation

The feature "Model Validation" reads and/or writes the following artifacts. The used artifacts are shown in TCL Determination for Use Case: Cost Calculation and are summarized in the subsequent table.

Fig 170 Artifacts of Feature: Model Validation

Artifacts of Feature: Model Validation
Inputs:
• Model
• User Input
Outputs:
• Display Output

Table 854 Artifacts of Feature: Model Validation

1.11.2.7 FEATURE SAFETY GUIDELINES

This section describes the feature "Safety Guidelines".

Feature: Safety Guidelines
Description: Use the safety manual of the TCA that contains safety checks that should be applied

Table 855 Feature: Safety Guidelines

The feature "Safety Guidelines" has the following 2 sub-features:

• SG_Avoid Feature
• SG_Use Review Checklist

In order to fulfill the requirements of the feature, usually a number of artifacts will be read and/or written. But in "Safety Guidelines" the tool Tool Chain Analyzer uses no artifacts.

1.11.2.8 FEATURE SG_AVOID FEATURE

This section describes the feature "SG_Avoid Feature".

Feature: SG_Avoid Feature
Description: Avoid this feature, since it is redundant.
Is assumption: True

Table 856 Feature: SG_Avoid Feature

The feature "SG_Avoid Feature" is part of the following feature:

• Safety Guidelines

In order to fulfill the requirements of the feature, usually a number of artifacts will be read and/or written. But in "SG_Avoid Feature" the tool Tool Chain Analyzer uses no artifacts.

1.11.2.9 FEATURE SG_USE REVIEW CHECKLIST

This section describes the feature "SG_Use Review Checklist".

Feature: SG_Use Review Checklist
Description: Apply the checks of the review checklists

Table 857 Feature: SG_Use Review Checklist

The feature "SG_Use Review Checklist" is part of the following feature:

• Safety Guidelines

In order to fulfill the requirements of the feature, usually a number of artifacts will be read and/or written. But in "SG_Use Review Checklist" the tool Tool Chain Analyzer uses no artifacts.

1.11.2.10 FEATURE XML INTERFACE

This section describes the feature "Xml Interface".

Feature: Xml Interface
Description: The Xml interface supports the export and import of single tool models. For the integration of large models based on single tool models, this feature can be used to develop models in parallel working teams. To ensure the modularity of the exported models, all referenced elements of the tool are also exported, but only with the minimal required information. More details can be found in the TCA user manual which is located in the TCA plugin Documentation, for example: Programme\TCA150\TCA150\plugins\Documentation_1.5.0\UserManual.pdf

Table 858 Feature: Xml Interface

The feature "Xml Interface" reads and/or writes the following artifacts. The used artifacts are shown in Table 180 and are summarized in the subsequent table.

Fig 171 Artifacts of Feature: Xml Interface

Artifacts of Feature: Xml Interface
Inputs:
• User Input
Inputs & Outputs:
• Model

Table 859 Artifacts of Feature: Xml Interface

1.11.3 POTENTIAL ERRORS IN TOOL CHAIN ANALYZER

The tool has 11 different potential errors in 19 occurrences in use cases. The error flow, as can be seen in Table 181, consists of all relations from errors to checks or restrictions. There are

• no relation from errors caused by other tools to checks or restrictions defined for use cases of this tool.

• 7 relations from errors caused by this tool to checks or restrictions defined for use cases of this tool.

• 13 relations from errors caused by this tool to checks or restrictions defined for use cases of other tools.

• 5 errors caused by this tool without any relation to checks or restrictions.

Fig 172 Error Flow to and from Tool Chain Analyzer

Tool Chain Analyzer has the following 7 relations, which are detected by checks or restrictions of this tool. The errors are described in detail in the TCL analysis of the corresponding use cases:

• Model Not Adequate (Fig 83)
• Wrong Export
  o 2 occurrences: Feature Edit Model, Table 185
• Wrong Import
  o 2 occurrences: Fig 85, Table 186
• Wrong XML Export (Table 190)
• Wrong XML Import (Table 191)

Due to 13 relations, Tool Chain Analyzer has an impact on 2 other tools. The errors are listed in Table 182.

Tool | Error | UseCase | Table
ISO 26262 Reviews | Document Generated Wrongly | Generate Tool Classification Report | Fig 37
ISO 26262 Reviews | TCL Wrongly Shown | Determinate Tool Confidence Level | Table 194
ISO 26262 Reviews | TCL Wrongly Written | Determinate Tool Confidence Level | Table 195
ISO 26262 Reviews | Wrong Export | Cost Calculation | Table 185
ISO 26262 Reviews | Wrong Export | Review Model | Feature Edit Model
ISO 26262 Reviews | Wrong Import | Cost Calculation | Table 186
ISO 26262 Reviews | Wrong Import | Review Model | Fig 85
ISO 26262 Reviews | Wrong TCL Computed | Determinate Tool Confidence Level | Table 196
ISO 26262 Reviews | Wrong TCL Computed | Generate Tool Classification Report | Use Case Modelling
ISO 26262 Reviews | Wrong XML Export | Create Model | Table 190
ISO 26262 Reviews | Wrong XML Import | Create Model | Table 191
Process Checker | Process Inconsistently Modelled | Create Model | TCL Determination for Use Case: Generate Tool Classification Report
Process Checker | Process Inconsistently Modelled | Review Model | Fig 84

Table 860 Errors of Tool Chain Analyzer with impact on other tools

The following 5 error occurrences of Tool Chain Analyzer have no relation to any check or restriction:

• Any EMF Error
  o 5 occurrences: TCL Determination for Use Case: Review Model, TCL Determination for Use Case: Determinate Tool Confidence Level, Table 198, Table 188, Use Case Modelling Requirements

1.11.4 RESTRICTIONS IN TOOL CHAIN ANALYZER

There are no restrictions in the tool Tool Chain Analyzer.

1.11.5 CHECKS IN TOOL CHAIN ANALYZER

The following check is performed in the tool Tool Chain Analyzer.

Check: Review Checklist
Description: The model review can be performed using review checklists in which the reviewers fill in their names, findings, etc.
Comment: Using this, there is a high probability of finding missing review elements.
From feature: Tool Chain Analyzer,Safety Guidelines,SG_Use Review Checklist
Occurrences:
• in SG_Use Review Checklist in Review Model
Error detection probability: TD 1 (HIGH)
Detected errors:
• Review Model,Model Not Adequate

Table 861 Check: Review Checklist

1.11.6 ASSUMPTIONS

The determination of the TCL of Tool Chain Analyzer is based on the following assumption (1 in total) about the development process.

• Feature: Safety Guidelines,SG_Avoid Feature

1.11.7 TCL DETERMINATION

This section determines a TCL for each use case by assigning checks or restrictions with detection/avoidance probability to each potential error. The TCL for the entire tool can be derived from the TCL for each use case. The tool Tool Chain Analyzer has no use case with TCL 1, no use case with TCL 2 and 5 use cases with TCL 3. Therefore the tool Tool Chain Analyzer has TCL 3. The use cases are described in the following sections:

• For "Cost Calculation" (TCL 3) see Section 0,
• for "Create Model" (TCL 3) see Section 0,
• for "Determinate Tool Confidence Level" (TCL 3) see Section 0,
• for "Generate Tool Classification Report" (TCL 3) see Section 0, and
• for "Review Model" (TCL 3) see Section 0.

1.11.7.1 TCL DETERMINATION FOR USE CASE: COST CALCULATION

The use case "Cost Calculation" has TCL 3. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "Cost Calculation".

Error | TD | Table
Any EMF Error | TD 3 (LOW) | TCL Determination for Use Case: Determinate Tool Confidence Level
Wrong Export | TD 1 (HIGH) | Table 185
Wrong Import | TD 1 (HIGH) | Table 186

Table 862 Errors of Use Case: Cost Calculation

Error: Any EMF Error
Description: Any error that can occur in EMF (uncritical errors may be excluded)
From feature: EMF
Subsumes:
• "Algorithm Error" from "Fcn_Algorithm"
• "Defect File" from "Data_File"
• "Defect Text" from "Data_File_Text"
• "Empty File" from "Data_File"
• "Empty Model" from "Data_File_Syntax_Model"
• "Empty Text" from "Data_File_Text"
• "Line Missing" from "Data_File_Text"
• "Model Unreadable" from "Data_File_Syntax_Model"
• "No Interaction" from "Data_Interaction"
• "Not Accessible File" from "Data_File"
• "Not Accessible Model" from "Data_File_Syntax_Model"
• "Not Accessible Text" from "Data_File_Text"
• "Other File" from "Data_File"
• "Other Model" from "Data_File_Syntax_Model"
• "Other Partner" from "Data_Interaction"
• "Other Text" from "Data_File_Text"
• "Too Big File" from "Data_File"
• "Too Big Model" from "Data_File_Syntax_Model"
• "Too Big Text" from "Data_File_Text"
• "Too Early Data" from "Data_Interaction"
• "Too Late Data" from "Data_Interaction"
• "Transformation Not Supported" from "Fcn_Behaviour_Transformation"
• "Wrong Algorithm" from "Fcn_Algorithm"
• "Wrong Behaviour" from "Fcn_Behaviour"
• "Wrong Interaction" from "Data_Interaction"
• "Wrong Model Behaviour" from "Data_File_Syntax_Model"
• "Wrong Model Description" from "Data_File_Syntax_Model"
• "Wrong Transformation" from "Fcn_Behaviour_Transformation"
• "Wrong Variant" from "Fcn_Variants"
Occurrences:
• in EMF in Cost Calculation
Error View:

Table 863 Error: Any EMF Error

Error: Wrong Export
Description: The Excel file does not contain the relevant information of the model.
From feature: Excel Interface
Discovered by the following checks:
• SG_Confirmation Review Of TCLs.Detect Wrong TCL
Subsumes:
• "Decoded Wongly" from "Fcn_Algorithm_DeEncode"
• "Defect File" from "Data_File"
• "Empty File" from "Data_File"
• "Empty Syntaxfile" from "Data_File_Syntax"
• "Empty Table" from "Data_File_Table"
• "Encoded Wrongly" from "Fcn_Algorithm_DeEncode"
• "Not Accessible File" from "Data_File"
• "Not Accessible Syntaxfile" from "Data_File_Syntax"
• "Not Accessible Table" from "Data_File_Table"
• "Option Defect" from "Fcn_Variants_Options"
• "Option Ignored" from "Fcn_Variants_Options"
• "Other File" from "Data_File"
• "Other Syntaxfile" from "Data_File_Syntax"
• "Other Table" from "Data_File_Table"
• "Syntax Error" from "Data_File_Syntax"
• "Table Column Error" from "Data_File_Table"
• "Table Row Error" from "Data_File_Table"
• "Too Big File" from "Data_File"
• "Too Big Syntaxfile" from "Data_File_Syntax"
• "Transformation Not Supported" from "Fcn_Behaviour_Transformation"
• "Wrong Behaviour" from "Fcn_Behaviour"
• "Wrong Cell Data" from "Data_File_Table"
• "Wrong Semantic" from "Data_File_Syntax"
• "Wrong Transformation" from "Fcn_Behaviour_Transformation"
Occurrences:
• in Excel Interface in Cost Calculation
Avoided by the following restrictions:
• Safety Guidelines,SG_Avoid Feature.Avoid Features
Error View:

Table 864 Error: Wrong Export

Error: Wrong Import
Description: The model is created wrongly.
From feature: Excel Interface
Discovered by the following checks:
• SG_Confirmation Review Of TCLs.Detect Wrong TCL
Subsumes:
• "Defect File" from "Data_File"
• "Empty File" from "Data_File"
• "Empty Model" from "Data_File_Syntax_Model"
• "Model Unreadable" from "Data_File_Syntax_Model"
• "Not Accessible File" from "Data_File"
• "Not Accessible Model" from "Data_File_Syntax_Model"
• "Option Defect" from "Fcn_Variants_Options"
• "Option Ignored" from "Fcn_Variants_Options"
• "Other File" from "Data_File"
• "Other Model" from "Data_File_Syntax_Model"
• "Too Big File" from "Data_File"
• "Too Big Model" from "Data_File_Syntax_Model"
• "Wrong Model Behaviour" from "Data_File_Syntax_Model"
• "Wrong Model Description" from "Data_File_Syntax_Model"
Occurrences:
• in Excel Interface in Cost Calculation
Avoided by the following restrictions:
• Safety Guidelines,SG_Avoid Feature.Avoid Features
Error View:

Table 865 Error: Wrong Import

1.11.7.2 TCL DETERMINATION FOR USE CASE: CREATE MODEL

The use case "Create Model" has TCL 3. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "Create Model".

Error | TD | Table
Any EMF Error | TD 3 (LOW) | Table 188
Process Inconsistently Modelled | TD 1 (HIGH) | TCL Determination for Use Case: Generate Tool Classification Report
Wrong XML Export | TD 1 (HIGH) | Table 190
Wrong XML Import | TD 1 (HIGH) | Table 191

Table 866 Errors of Use Case: Create Model

Error: Any EMF Error
Description: Any error that can occur in EMF (uncritical errors may be excluded)
From feature: EMF
Subsumes:
• "Algorithm Error" from "Fcn_Algorithm"
• "Defect File" from "Data_File"
• "Defect Text" from "Data_File_Text"
• "Empty File" from "Data_File"
• "Empty Model" from "Data_File_Syntax_Model"
• "Empty Text" from "Data_File_Text"
• "Line Missing" from "Data_File_Text"
• "Model Unreadable" from "Data_File_Syntax_Model"
• "No Interaction" from "Data_Interaction"
• "Not Accessible File" from "Data_File"
• "Not Accessible Model" from "Data_File_Syntax_Model"
• "Not Accessible Text" from "Data_File_Text"
• "Other File" from "Data_File"
• "Other Model" from "Data_File_Syntax_Model"
• "Other Partner" from "Data_Interaction"
• "Other Text" from "Data_File_Text"
• "Too Big File" from "Data_File"
• "Too Big Model" from "Data_File_Syntax_Model"
• "Too Big Text" from "Data_File_Text"
• "Too Early Data" from "Data_Interaction"
• "Too Late Data" from "Data_Interaction"
• "Transformation Not Supported" from "Fcn_Behaviour_Transformation"
• "Wrong Algorithm" from "Fcn_Algorithm"
• "Wrong Behaviour" from "Fcn_Behaviour"
• "Wrong Interaction" from "Data_Interaction"
• "Wrong Model Behaviour" from "Data_File_Syntax_Model"
• "Wrong Model Description" from "Data_File_Syntax_Model"
• "Wrong Transformation" from "Fcn_Behaviour_Transformation"
• "Wrong Variant" from "Fcn_Variants"
Occurrences:
• in EMF in Create Model
Error View:

Table 867 Error: Any EMF Error

Error: Process Inconsistently Modelled
Description: The process might be inconsistent, e.g. a document is neither created nor written.
From feature: Model Validation
Subsumes:
• "Algorithm Error" from "Fcn_Algorithm"
• "Defect File" from "Data_File"
• "Defect Text" from "Data_File_Text"
• "Empty File" from "Data_File"
• "Empty Text" from "Data_File_Text"
• "Line Missing" from "Data_File_Text"
• "No Interaction" from "Data_Interaction"
• "Not Accessible File" from "Data_File"
• "Not Accessible Text" from "Data_File_Text"
• "Other File" from "Data_File"
• "Other Partner" from "Data_Interaction"
• "Other Text" from "Data_File_Text"
• "Too Big File" from "Data_File"
• "Too Big Text" from "Data_File_Text"
• "Too Early Data" from "Data_Interaction"
• "Too Late Data" from "Data_Interaction"
• "Wrong Algorithm" from "Fcn_Algorithm"
• "Wrong Behaviour" from "Fcn_Behaviour"
• "Wrong Error Reported" from "Model Validation"
• "Wrong Interaction" from "Data_Interaction"
• "Wrong Specification" from "Fcn_Specification"
Occurrences:
• in Model Validation in Create Model
Avoided by the following restrictions:
• Validate Process.Consistent Process
Error View:

Table 868 Error: Process Inconsistently Modelled

Error: Wrong XML Export
Description: The XML file does not contain the relevant information of the model.
From feature: Xml Interface
Discovered by the following checks:
• SG_Confirmation Review Of TCLs.Detect Wrong TCL
Occurrences:
• in Xml Interface in Create Model
Avoided by the following restrictions:
• Safety Guidelines,SG_Avoid Feature.Avoid Features
Error View:

Table 869 Error: Wrong XML Export

Error: Wrong XML Import
Description: The model is created wrongly.
From feature: Xml Interface
Discovered by the following checks:
• SG_Confirmation Review Of TCLs.Detect Wrong TCL
Subsumes:
• "Defect File" from "Data_File"
• "Empty File" from "Data_File"
• "Empty Model" from "Data_File_Syntax_Model"
• "Model Unreadable" from "Data_File_Syntax_Model"
• "Not Accessible File" from "Data_File"
• "Not Accessible Model" from "Data_File_Syntax_Model"
• "Other File" from "Data_File"
• "Other Model" from "Data_File_Syntax_Model"
• "Too Big File" from "Data_File"
• "Too Big Model" from "Data_File_Syntax_Model"
• "Wrong Model Behaviour" from "Data_File_Syntax_Model"
• "Wrong Model Description" from "Data_File_Syntax_Model"
Occurrences:
• in Xml Interface in Create Model
Avoided by the following restrictions:
• Safety Guidelines,SG_Avoid Feature.Avoid Features
Error View:

Table 870 Error: Wrong XML Import

1.11.7.3 TCL DETERMINATION FOR USE CASE: DETERMINATE TOOL CONFIDENCE LEVEL

The use case "Determinate Tool Confidence Level" has TCL 3. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "Determinate Tool Confidence Level".

Error | TD | Table
Any EMF Error | TD 3 (LOW) | TCL Determination for Use Case: Review Model
TCL Wrongly Shown | TD 1 (HIGH) | Table 194
TCL Wrongly Written | TD 1 (HIGH) | Table 195
Wrong TCL Computed | TD 1 (HIGH) | Table 196

Table 871 Errors of Use Case: Determinate Tool Confidence Level

Error: Any EMF Error
Description: Any error that can occur in EMF (uncritical errors may be excluded)
From feature: EMF
Subsumes:
• "Algorithm Error" from "Fcn_Algorithm"
• "Defect File" from "Data_File"
• "Defect Text" from "Data_File_Text"
• "Empty File" from "Data_File"
• "Empty Model" from "Data_File_Syntax_Model"
• "Empty Text" from "Data_File_Text"
• "Line Missing" from "Data_File_Text"
• "Model Unreadable" from "Data_File_Syntax_Model"
• "No Interaction" from "Data_Interaction"
• "Not Accessible File" from "Data_File"
• "Not Accessible Model" from "Data_File_Syntax_Model"
• "Not Accessible Text" from "Data_File_Text"
• "Other File" from "Data_File"
• "Other Model" from "Data_File_Syntax_Model"
• "Other Partner" from "Data_Interaction"
• "Other Text" from "Data_File_Text"
• "Too Big File" from "Data_File"
• "Too Big Model" from "Data_File_Syntax_Model"
• "Too Big Text" from "Data_File_Text"
• "Too Early Data" from "Data_Interaction"
• "Too Late Data" from "Data_Interaction"
• "Transformation Not Supported" from "Fcn_Behaviour_Transformation"
• "Wrong Algorithm" from "Fcn_Algorithm"
• "Wrong Behaviour" from "Fcn_Behaviour"
• "Wrong Interaction" from "Data_Interaction"
• "Wrong Model Behaviour" from "Data_File_Syntax_Model"
• "Wrong Model Description" from "Data_File_Syntax_Model"
• "Wrong Transformation" from "Fcn_Behaviour_Transformation"
• "Wrong Variant" from "Fcn_Variants"
Occurrences:
• in EMF in Determinate Tool Confidence Level
Error View:

Table 872 Error: Any EMF Error

Error: TCL Wrongly Shown
Description: The TCL is computed correctly but shown wrongly.
From use case: Determinate Tool Confidence Level
Discovered by the following checks:
• SG_Confirmation Review Of TCLs.Detect Wrong TCL
Subsumes:
• "Defect Text" from "Data_File_Text"
• "Empty Text" from "Data_File_Text"
• "Line Missing" from "Data_File_Text"
• "No Interaction" from "Data_Interaction"
• "Not Accessible Text" from "Data_File_Text"
• "Other Partner" from "Data_Interaction"
• "Other Text" from "Data_File_Text"
• "Too Big Text" from "Data_File_Text"
• "Too Early Data" from "Data_Interaction"
• "Too Late Data" from "Data_Interaction"
• "Wrong Interaction" from "Data_Interaction"
Occurrences:
• in Determinate Tool Confidence Level
Error View:

Table 873 Error: TCL Wrongly Shown

Error: TCL Wrongly Written
Description: The TCL is computed or written wrongly into a file.
From use case: Determinate Tool Confidence Level
Discovered by the following checks:
• SG_Confirmation Review Of TCLs.Detect Wrong TCL
Subsumes:
• "Defect File" from "Data_File"
• "Defect Text" from "Data_File_Text"
• "Empty File" from "Data_File"
• "Empty Model" from "Data_File_Syntax_Model"
• "Empty Syntaxfile" from "Data_File_Syntax"
• "Empty Table" from "Data_File_Table"
• "Empty Text" from "Data_File_Text"
• "Line Missing" from "Data_File_Text"
• "Model Unreadable" from "Data_File_Syntax_Model"
• "No XML Content" from "Data_File_Syntax_XML"
• "Not Accessible File" from "Data_File"
• "Not Accessible Model" from "Data_File_Syntax_Model"
• "Not Accessible Syntaxfile" from "Data_File_Syntax"
• "Not Accessible Table" from "Data_File_Table"
• "Not Accessible Text" from "Data_File_Text"
• "Not Accessible XML File" from "Data_File_Syntax_XML"
• "Other File" from "Data_File"
• "Other Model" from "Data_File_Syntax_Model"
• "Other Syntaxfile" from "Data_File_Syntax"
• "Other Table" from "Data_File_Table"
• "Other Text" from "Data_File_Text"
• "Other XML File" from "Data_File_Syntax_XML"
• "Syntax Error" from "Data_File_Syntax"
• "Table Column Error" from "Data_File_Table"
• "Table Row Error" from "Data_File_Table"
• "Too Big File" from "Data_File"
• "Too Big Model" from "Data_File_Syntax_Model"
• "Too Big Syntaxfile" from "Data_File_Syntax"
• "Too Big Text" from "Data_File_Text"
• "Wron XML Composition" from "Data_File_Syntax_XML"
• "Wrong Cell Data" from "Data_File_Table"
• "Wrong Model Behaviour" from "Data_File_Syntax_Model"
• "Wrong Model Description" from "Data_File_Syntax_Model"
• "Wrong Semantic" from "Data_File_Syntax"
• "XML Attribute Error" from "Data_File_Syntax_XML"
• "XML Link Error" from "Data_File_Syntax_XML"
• "XML Schema Violation" from "Data_File_Syntax_XML"
Occurrences:
• in Determinate Tool Confidence Level
Error View:

Table 874 Error: TCL Wrongly Written

Error: Wrong TCL Computed
Description: The TCL is computed wrongly, e.g. TCL 1 instead of TCL >1.
From feature: Compute Tool Confidence Level
Discovered by the following checks:
• SG_Confirmation Review Of TCLs.Detect Wrong TCL
Subsumes:
• "Algorithm Error" from "Fcn_Algorithm"
• "Defect File" from "Data_File"
• "Defect Text" from "Data_File_Text"
• "Empty File" from "Data_File"
• "Empty Model" from "Data_File_Syntax_Model"
• "Empty Syntaxfile" from "Data_File_Syntax"
• "Empty Table" from "Data_File_Table"
• "Empty Text" from "Data_File_Text"
• "Line Missing" from "Data_File_Text"
• "Model Unreadable" from "Data_File_Syntax_Model"
• "No Interaction" from "Data_Interaction"
• "Not Accessible File" from "Data_File"
• "Not Accessible Model" from "Data_File_Syntax_Model"
• "Not Accessible Syntaxfile" from "Data_File_Syntax"
• "Not Accessible Table" from "Data_File_Table"
• "Not Accessible Text" from "Data_File_Text"
• "Other File" from "Data_File"
• "Other Model" from "Data_File_Syntax_Model"
• "Other Partner" from "Data_Interaction"
• "Other Syntaxfile" from "Data_File_Syntax"
• "Other Table" from "Data_File_Table"
• "Other Text" from "Data_File_Text"
• "Syntax Error" from "Data_File_Syntax"
• "Table Column Error" from "Data_File_Table"
• "Table Row Error" from "Data_File_Table"
• "Too Big File" from "Data_File"
• "Too Big Model" from "Data_File_Syntax_Model"
• "Too Big Syntaxfile" from "Data_File_Syntax"
• "Too Big Text" from "Data_File_Text"
• "Too Early Data" from "Data_Interaction"
• "Too Late Data" from "Data_Interaction"
• "Wrong Algorithm" from "Fcn_Algorithm"
• "Wrong Cell Data" from "Data_File_Table"
• "Wrong Interaction" from "Data_Interaction"
• "Wrong Model Behaviour" from "Data_File_Syntax_Model"
• "Wrong Model Description" from "Data_File_Syntax_Model"
• "Wrong Result" from "Fcn_Behaviour_Calculator"
• "Wrong Semantic" from "Data_File_Syntax"
• "Wrong Specification" from "Fcn_Specification"
• "Wrong Variant" from "Fcn_Variants"
Occurrences:
• in Compute Tool Confidence Level in Determinate Tool Confidence Level
Error View:

Table 875 Error: Wrong TCL Computed

1.11.7.4 TCL DETERMINATION FOR USE CASE: GENERATE TOOL CLASSIFICATION REPORT

The use case "Generate Tool Classification Report" has TCL 3. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "Generate Tool Classification Report".

Error | TD | Table
Any EMF Error | TD 3 (LOW) | Table 198
Document Generated Wrongly | TD 1 (HIGH) | Fig 37
Wrong TCL Computed | TD 1 (HIGH) | Use Case Modelling

Table 876 Errors of Use Case: Generate Tool Classification Report

Error: Any EMF Error
Description: Any error that can occur in EMF (uncritical errors may be excluded)
From feature: EMF
Subsumes:
• "Algorithm Error" from "Fcn_Algorithm"
• "Defect File" from "Data_File"
• "Defect Text" from "Data_File_Text"
• "Empty File" from "Data_File"
• "Empty Model" from "Data_File_Syntax_Model"
• "Empty Text" from "Data_File_Text"
• "Line Missing" from "Data_File_Text"
• "Model Unreadable" from "Data_File_Syntax_Model"
• "No Interaction" from "Data_Interaction"
• "Not Accessible File" from "Data_File"
• "Not Accessible Model" from "Data_File_Syntax_Model"
• "Not Accessible Text" from "Data_File_Text"
• "Other File" from "Data_File"
• "Other Model" from "Data_File_Syntax_Model"
• "Other Partner" from "Data_Interaction"
• "Other Text" from "Data_File_Text"
• "Too Big File" from "Data_File"
• "Too Big Model" from "Data_File_Syntax_Model"
• "Too Big Text" from "Data_File_Text"
• "Too Early Data" from "Data_Interaction"
• "Too Late Data" from "Data_Interaction"
• "Transformation Not Supported" from "Fcn_Behaviour_Transformation"
• "Wrong Algorithm" from "Fcn_Algorithm"
• "Wrong Behaviour" from "Fcn_Behaviour"
• "Wrong Interaction" from "Data_Interaction"
• "Wrong Model Behaviour" from "Data_File_Syntax_Model"
• "Wrong Model Description" from "Data_File_Syntax_Model"
• "Wrong Transformation" from "Fcn_Behaviour_Transformation"
• "Wrong Variant" from "Fcn_Variants"
Occurrences:
• in EMF in Generate Tool Classification Report
Error View:

Table 877 Error: Any EMF Error

Error: Document Generated Wrongly
Description: The generated document does not match the model.
From feature: Generate Word (docx)
Discovered by the following checks:
• SG_Confirmation Review Of TCLs.Detect Wrong TCL
Subsumes:
• "Defect File" from "Data_File"
• "Defect Text" from "Data_File_Text"
• "Empty File" from "Data_File"
• "Empty Syntaxfile" from "Data_File_Syntax"
• "Empty Text" from "Data_File_Text"
• "Line Missing" from "Data_File_Text"
• "Missing CPU" from "Fcn_Resource_CPU"
• "Not Accessible File" from "Data_File"
• "Not Accessible Syntaxfile" from "Data_File_Syntax"
• "Not Accessible Text" from "Data_File_Text"
• "Other File" from "Data_File"
• "Other Syntaxfile" from "Data_File_Syntax"
• "Other Text" from "Data_File_Text"
• "Syntax Error" from "Data_File_Syntax"
• "Too Big File" from "Data_File"
• "Too Big Syntaxfile" from "Data_File_Syntax"
• "Too Big Text" from "Data_File_Text"
• "Transformation Not Supported" from "Fcn_Behaviour_Transformation"
• "Wrong Semantic" from "Data_File_Syntax"
• "Wrong Specification" from "Fcn_Specification"
• "Wrong Transformation" from "Fcn_Behaviour_Transformation"
• "Wrong Variant" from "Fcn_Variants"
Occurrences:
• in Generate Word (docx) in Generate Tool Classification Report
Error View:

Table 878 Error: Document Generated Wrongly

Error: Wrong TCL Computed
Description: The TCL is computed wrongly, e.g. TCL 1 instead of TCL >1.
From feature: Compute Tool Confidence Level
Discovered by the following checks:
• SG_Confirmation Review Of TCLs.Detect Wrong TCL
Subsumes:
• "Algorithm Error" from "Fcn_Algorithm"
• "Defect File" from "Data_File"
• "Defect Text" from "Data_File_Text"
• "Empty File" from "Data_File"
• "Empty Model" from "Data_File_Syntax_Model"
• "Empty Syntaxfile" from "Data_File_Syntax"
• "Empty Table" from "Data_File_Table"
• "Empty Text" from "Data_File_Text"
• "Line Missing" from "Data_File_Text"
• "Model Unreadable" from "Data_File_Syntax_Model"
• "No Interaction" from "Data_Interaction"
• "Not Accessible File" from "Data_File"
• "Not Accessible Model" from "Data_File_Syntax_Model"
• "Not Accessible Syntaxfile" from "Data_File_Syntax"
• "Not Accessible Table" from "Data_File_Table"
• "Not Accessible Text" from "Data_File_Text"
• "Other File" from "Data_File"
• "Other Model" from "Data_File_Syntax_Model"
• "Other Partner" from "Data_Interaction"
• "Other Syntaxfile" from "Data_File_Syntax"
• "Other Table" from "Data_File_Table"
• "Other Text" from "Data_File_Text"
• "Syntax Error" from "Data_File_Syntax"
• "Table Column Error" from "Data_File_Table"
• "Table Row Error" from "Data_File_Table"
• "Too Big File" from "Data_File"
• "Too Big Model" from "Data_File_Syntax_Model"
• "Too Big Syntaxfile" from "Data_File_Syntax"
• "Too Big Text" from "Data_File_Text"
• "Too Early Data" from "Data_Interaction"
• "Too Late Data" from "Data_Interaction"
• "Wrong Algorithm" from "Fcn_Algorithm"
• "Wrong Cell Data" from "Data_File_Table"
• "Wrong Interaction" from "Data_Interaction"
• "Wrong Model Behaviour" from "Data_File_Syntax_Model"
• "Wrong Model Description" from "Data_File_Syntax_Model"
• "Wrong Result" from "Fcn_Behaviour_Calculator"
• "Wrong Semantic" from "Data_File_Syntax"
• "Wrong Specification" from "Fcn_Specification"
• "Wrong Variant" from "Fcn_Variants"
Occurrences:
• in Compute Tool Confidence Level in Generate Tool Classification Report
Error View:

Table 879 Error: Wrong TCL Computed

1.11.7.5 TCL DETERMINATION FOR USE CASE: REVIEW MODEL

The use case "Review Model" has TCL 3. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "Review Model".

Error | TD | Table
Any EMF Error | TD 3 (LOW) | Use Case Modelling Requirements
Model Not Adequate | TD 1 (HIGH) | Fig 83
Process Inconsistently Modelled | TD 1 (HIGH) | Fig 84
Wrong Export | TD 1 (HIGH) | Feature Edit Model
Wrong Import | TD 1 (HIGH) | Fig 85

Table 880 Errors of Use Case: Review Model

Error: Any EMF Error
Description: Any error that can occur in EMF (uncritical errors may be excluded)
From feature: EMF
Subsumes:
• "Algorithm Error" from "Fcn_Algorithm"
• "Defect File" from "Data_File"
• "Defect Text" from "Data_File_Text"
• "Empty File" from "Data_File"
• "Empty Model" from "Data_File_Syntax_Model"
• "Empty Text" from "Data_File_Text"
• "Line Missing" from "Data_File_Text"
• "Model Unreadable" from "Data_File_Syntax_Model"
• "No Interaction" from "Data_Interaction"
• "Not Accessible File" from "Data_File"
• "Not Accessible Model" from "Data_File_Syntax_Model"
• "Not Accessible Text" from "Data_File_Text"
• "Other File" from "Data_File"
• "Other Model" from "Data_File_Syntax_Model"
• "Other Partner" from "Data_Interaction"
• "Other Text" from "Data_File_Text"
• "Too Big File" from "Data_File"
• "Too Big Model" from "Data_File_Syntax_Model"
• "Too Big Text" from "Data_File_Text"
• "Too Early Data" from "Data_Interaction"
• "Too Late Data" from "Data_Interaction"
• "Transformation Not Supported" from "Fcn_Behaviour_Transformation"
• "Wrong Algorithm" from "Fcn_Algorithm"
• "Wrong Behaviour" from "Fcn_Behaviour"
• "Wrong Interaction" from "Data_Interaction"
• "Wrong Model Behaviour" from "Data_File_Syntax_Model"
• "Wrong Model Description" from "Data_File_Syntax_Model"
• "Wrong Transformation" from "Fcn_Behaviour_Transformation"
• "Wrong Variant" from "Fcn_Variants"
Occurrences:
• in EMF in Review Model
Error View:

Table 881 Error: Any EMF Error

Error: Model Not Adequate
Description: An important issue has not been reviewed correctly, i.e. a finding has been overlooked and the model is not adequate.
From use case: Review Model
Discovered by the following checks:
• Safety Guidelines,SG_Use Review Checklist.Review Checklist
Subsumes:
• "Defect File" from "Data_File"
• "Defect Text" from "Data_File_Text"
• "Empty File" from "Data_File"
• "Empty Model" from "Data_File_Syntax_Model"
• "Empty Syntaxfile" from "Data_File_Syntax"
• "Empty Table" from "Data_File_Table"
• "Empty Text" from "Data_File_Text"
• "Line Missing" from "Data_File_Text"
• "Model Unreadable" from "Data_File_Syntax_Model"
• "No Interaction" from "Data_Interaction"
• "Not Accessible File" from "Data_File"
• "Not Accessible Model" from "Data_File_Syntax_Model"
• "Not Accessible Syntaxfile" from "Data_File_Syntax"
• "Not Accessible Table" from "Data_File_Table"
• "Not Accessible Text" from "Data_File_Text"
• "Other File" from "Data_File"
• "Other Model" from "Data_File_Syntax_Model"
• "Other Partner" from "Data_Interaction"
• "Other Syntaxfile" from "Data_File_Syntax"
• "Other Table" from "Data_File_Table"
• "Other Text" from "Data_File_Text"
• "Syntax Error" from "Data_File_Syntax"
• "Table Column Error" from "Data_File_Table"
• "Table Row Error" from "Data_File_Table"
• "Too Big File" from "Data_File"
• "Too Big Model" from "Data_File_Syntax_Model"
• "Too Big Syntaxfile" from "Data_File_Syntax"
• "Too Big Text" from "Data_File_Text"
• "Too Early Data" from "Data_Interaction"
• "Too Late Data" from "Data_Interaction"
• "Wrong Cell Data" from "Data_File_Table"
• "Wrong Interaction" from "Data_Interaction"
• "Wrong Model Behaviour" from "Data_File_Syntax_Model"
• "Wrong Model Description" from "Data_File_Syntax_Model"
• "Wrong Semantic" from "Data_File_Syntax"
Occurrences:
• in Review Model
Error View:

Table 882 Error: Model Not Adequate

Error: Process Inconsistently Modelled Description: The process might be inconsistent, e.g. a document is neither created nor written. From feature: Model Validation Subsumes:

• "Algorithm Error" from "Fcn_Algorithm" • "Defect File" from "Data_File" • "Defect Text" from "Data_File_Text" • "Empty File" from "Data_File" • "Empty Text" from "Data_File_Text" • "Line Missing" from "Data_File_Text" • "No Interaction" from "Data_Interaction" • "Not Accessible File" from "Data_File" • "Not Accessible Text" from "Data_File_Text" • "Other File" from "Data_File" • "Other Partner" from "Data_Interaction" • "Other Text" from "Data_File_Text" • "Too Big File" from "Data_File" • "Too Big Text" from "Data_File_Text" • "Too Early Data" from "Data_Interaction" • "Too Late Data" from "Data_Interaction" • "Wrong Algorithm" from "Fcn_Algorithm" • "Wrong Behaviour" from "Fcn_Behaviour" • "Wrong Error Reported" from "Model Validation" • "Wrong Interaction" from "Data_Interaction" • "Wrong Specification" from "Fcn_Specification"

Occurrences: • in Model Validation in Review Model Avoided by the following restrictions: • Validate Process.Consistent Process Error View:

Table 883 Error: Process Inconsistently Modelled

Error: Wrong Export Description: The Excel file does not contain the relevant information of the model. From feature: Excel Interface Discovered by the following checks: • SG_Confirmation Review Of TCLs.Detect Wrong TCL Subsumes:

• "Decoded Wongly" from "Fcn_Algorithm_DeEncode" • "Defect File" from "Data_File" • "Empty File" from "Data_File" • "Empty Syntaxfile" from "Data_File_Syntax" • "Empty Table" from "Data_File_Table" • "Encoded Wrongly" from "Fcn_Algorithm_DeEncode" • "Not Accessible File" from "Data_File" • "Not Accessible Syntaxfile" from "Data_File_Syntax" • "Not Accessible Table" from "Data_File_Table" • "Option Defect" from "Fcn_Variants_Options" • "Option Ignored" from "Fcn_Variants_Options" • "Other File" from "Data_File" • "Other Syntaxfile" from "Data_File_Syntax" • "Other Table" from "Data_File_Table" • "Syntax Error" from "Data_File_Syntax" • "Table Column Error" from "Data_File_Table" • "Table Row Error" from "Data_File_Table" • "Too Big File" from "Data_File" • "Too Big Syntaxfile" from "Data_File_Syntax" • "Transformation Not Supported" from "Fcn_Behaviour_Transformation" • "Wrong Behaviour" from "Fcn_Behaviour" • "Wrong Cell Data" from "Data_File_Table" • "Wrong Semantic" from "Data_File_Syntax" • "Wrong Transformation" from "Fcn_Behaviour_Transformation"

Occurrences: • in Excel Interface in Review Model Avoided by the following restrictions: • Safety Guidelines,SG_Avoid Feature.Avoid Features Error View:

Table 884 Error: Wrong Export

Error: Wrong Import Description: The model is created wrongly. From feature: Excel Interface Discovered by the following checks: • SG_Confirmation Review Of TCLs.Detect Wrong TCL Subsumes: • "Defect File" from "Data_File"

• "Empty File" from "Data_File" • "Empty Model" from "Data_File_Syntax_Model" • "Model Unreadable" from "Data_File_Syntax_Model" • "Not Accessible File" from "Data_File" • "Not Accessible Model" from "Data_File_Syntax_Model" • "Option Defect" from "Fcn_Variants_Options" • "Option Ignored" from "Fcn_Variants_Options" • "Other File" from "Data_File" • "Other Model" from "Data_File_Syntax_Model" • "Too Big File" from "Data_File" • "Too Big Model" from "Data_File_Syntax_Model" • "Wrong Model Behaviour" from "Data_File_Syntax_Model" • "Wrong Model Description" from "Data_File_Syntax_Model"

Occurrences: • in Excel Interface in Review Model Avoided by the following restrictions: • Safety Guidelines,SG_Avoid Feature.Avoid Features Error View:

Table 885 Error: Wrong Import

1.12 YICES SMT SOLVER

This section explains the determination of the Tool Confidence Level (TCL) for the tool YICES SMT Solver. Tool: YICES SMT Solver Description: -None- Impact: TI 2 (Impact) Tool Confidence Level: TCL 1

Table 886 Tool: YICES SMT Solver

The tool YICES SMT Solver is modeled with no element that has an impact. No additional features have been modeled.

Elements Amount (Assumptions) Use Cases 0 (0) Checks 0 (0) Restrictions 0 (0) Potential Errors 0 (0)

Table 887 Amount of Elements in Tool: YICES SMT Solver

1.12.1 USE CASES OF YICES SMT SOLVER

There are no use cases modeled for YICES SMT Solver.

1.12.2 FEATURES OF YICES SMT SOLVER

There are no features modeled for YICES SMT Solver.

1.12.3 POTENTIAL ERRORS IN YICES SMT SOLVER

The tool has no potential error. The error flow consists of all relations from errors to checks or restrictions. There are

• no relation from errors caused by other tools to checks or restrictions defined for use cases of this tool.

• no relation from errors caused by this tool to checks or restrictions defined for use cases of this tool.

• no relation from errors caused by this tool to checks or restrictions defined for use cases of other tools.

1.12.4 RESTRICTIONS IN YICES SMT SOLVER

There are no restrictions in the tool YICES SMT Solver.

1.12.5 CHECKS IN YICES SMT SOLVER

No checks are performed in the tool YICES SMT Solver.

1.12.6 ASSUMPTIONS

The determination of the TCL of YICES SMT Solver is not based on assumed checks and restrictions. None of the checks and restrictions are modeled as assumptions.

1.12.7 TCL DETERMINATION

This section determines a TCL for each use case by assigning checks or restrictions with detection/avoidance probability to each potential error. The TCL for the entire tool can be derived from the TCL for each use case. The tool YICES SMT Solver has no use case with TCL 1, no use case with TCL 2 and no use case with TCL 3. Therefore the tool YICES SMT Solver has TCL 1. There are no use cases modeled for the tool YICES SMT Solver.

1.13 ADDITIONAL INFORMATION

This section contains additional information from the formal model of the tool chain. Additional information is not required by ISO 26262 for the determination of the TCL, but it eases the modeling process and the understanding of the error flow.

1.13.1 ARTIFACTS

The analysis incorporates artifacts for the validation of the model. If an error is checked by another tool, then there should be an information flow between them. Artifacts can be used to model this flow, and our analysis checks whether there is an information flow between error sources and error sinks. Table 498 shows the whole artifact flow in "RECOMP Tool Chain".

Fig 173 Artifact Flow in RECOMP Tool Chain

The tool chain "RECOMP Tool Chain" is using 64 artifacts, which are described hereafter. Artifact: AF3 System Model Description: The integrated data model of AF3

Hierarchy figure:

Hierarchy : • Detailed System Architecture [Parent]

• Preliminary System Architecture [Parent] • Requirement Specification [Parent] • Schedule [Parent] • Software Unit Design Specification [Parent] • Spatial Constraints [Parent] • Test Cases [Parent] • Test Specification [Parent] • Timing Parameters [Parent]

Used by feature: • AF3,Simulating a Logical Architecture

• AF3,Specifying Code-Baed Behavior of a Logical Architecture • AF3,Specifying Contracts on Logical Components • AF3,Specifying MSC Requirements • AF3,Specifying SIL Requirements • AF3,Specifying State-Based Behavior of a Logical Architecture • AF3,Specifying Technical Architecture • AF3,Synthesizing Deployment • AF3,Synthesizing Real-Time Schedule • AF3,Synthesizing SIL-Conformant Mapping • AF3,Synthesizing Test Cases • AF3,Verifing Contracts of a Logical Architecture • AF3,Verifying MSC Conformance • AF3,Verifying Soundness of a Logical Architecture

Created by feature: • AF3,Specfying Test Suite • AF3,Specifying Code-Baed Behavior of a Logical Architecture • AF3,Specifying Contracts on Logical Components • AF3,Specifying MSC Requirements • AF3,Specifying SIL Requirements • AF3,Specifying State-Based Behavior of a Logical Architecture • AF3,Specifying Structure of a Logical Architecture • AF3,Specifying Technical Architecture • AF3,Specifying Textual Requirements • AF3,Synthesizing Real-Time Schedule • AF3,Synthesizing SIL-Conformant Mapping

Created by tool: • AF3 Is a: Detailed System Architecture

Table 888 Artifact: AF3 System Model

Artifact: Application task graph Description: The task graph for each application

Table 889 Artifact: Application task graph

Artifact: Argumentation Description: The user writes arguments as input to the tool

Table 890 Artifact: Argumentation

Artifact: Binary executable Description: Target binary executable Hierarchy figure:

Hierarchy : • Evidence [Parent] Used by feature: • PharOS runtime generation,Link with PharOS micro-kernel Used by use case: • PharOS micro kernel,target execution Used by tool: • PharOS micro kernel Created by feature: • PharOS runtime generation,Link with PharOS micro-kernel

• PharOS runtime generation,MPU table genration Created by tool: • PharOS runtime generation Is a: Evidence

Table 891 Artifact: Binary executable

Artifact: C/C++ Source Code Description: C or C++ Hierarchy figure:

Hierarchy : • Source Code [Parent] Used by feature: • PharOS runtime generation,MPU table genration Used by use case: • PharOS runtime generation,Psycc Used by tool: • PharOS runtime generation Created by use case: • Development,Create Code

• PharOS offline computation,Psy1 Is a: Source Code

Table 892 Artifact: C/C++ Source Code

Artifact: Cache-Related Preemption Cost Function Description: For any duration t, the function gives the maximum delay that the given task can incur when preempted for the first time after t time units. A function CRPD(t) which returns, for any duration t > 0, the maximum delay that the given application can incur if it gets preempted after running non-preemptively for t time units after the beginning of its execution.

Table 893 Artifact: Cache-Related Preemption Cost Function

Artifact: Contract Description: -None-

Table 894 Artifact: Contract

Artifact: contract Description: -None-

Table 895 Artifact: contract

Artifact: Deployment Description: generated deployment Created by feature: • AF3,Synthesizing Deployment

Table 896 Artifact: Deployment

Artifact: Detailed System Architecture Description: Contain all the parameters and specifications of the platform Hierarchy figure:

Hierarchy : • AF3 System Model [Child]

• Evidence [Parent] Created by feature: • AF3,Specifying Technical Architecture Is a: Evidence Occurrences: • AF3 System Model

Table 897 Artifact: Detailed System Architecture

Artifact: Display Output Description: The tool displays some information to the user Created by feature: • AF3,Simulating a Logical Architecture

• Tool Chain Analyzer,Compute Tool Confidence Level • Tool Chain Analyzer,Cost Model • Tool Chain Analyzer,EMF • Tool Chain Analyzer,Model Validation

Table 898 Artifact: Display Output

Artifact: Evidence Description: Anything that can be considered as a certification evidence Hierarchy figure:

Hierarchy : • Binary executable [Child]

• Detailed System Architecture [Child] • Excel File [Child] • FHA [Child] • FMEA [Child] • FTA [Child] • Failure rate catalog [Child] • Functionalities [Child] • Malfunctions [Child] • Metrics [Child] • Overall Project Plan [Child] • Preliminary System Architecture [Child] • Report on Maximum CRPDs [Child] • Report on Schedulability (1 mode) [Child] • Report on Schedulability (all) [Child] • Review Protocol [Child] • SLDV verification report [Child] • Safety Goals List [Child] • Safety Manual [Child] • Safety Plan [Child] • Safety Requirements [Child] • Software Unit Design Specification [Child] • Source Code [Child] • TBT Data Model [Child] • TCA-Model [Child] • Test Cases [Child] • Test Specification [Child] • Tool Evaluation Report [Child] • WCET [Child] • WCRT [Child] • Word Document [Child]

Occurrences: • Binary executable

• Detailed System Architecture • Excel File • FHA • FMEA • FTA • Failure rate catalog • Functionalities • Malfunctions • Metrics • Overall Project Plan • Preliminary System Architecture • Report on Maximum CRPDs • Report on Schedulability (1 mode)

• Report on Schedulability (all) • Review Protocol • SLDV verification report • Safety Goals List • Safety Manual • Safety Plan • Safety Requirements • Software Unit Design Specification • Source Code • TBT Data Model • TCA-Model • Test Cases • Test Specification • Tool Evaluation Report • WCET • WCRT • Word Document

Table 899 Artifact: Evidence

Artifact: Excel File Description: The files that can be read/written from the Excel tool Hierarchy figure:

Hierarchy : • Evidence [Parent] Created by feature: • Tool Chain Analyzer,Compute Tool Confidence Level Modified by feature: • Tool Chain Analyzer,Cost Model

• Tool Chain Analyzer,Excel Interface Is a: Evidence

Table 900 Artifact: Excel File

Artifact: Execution Graph Description: -None- Used by tool: • PharOS micro kernel Created by feature: • PharOS offline computation,Execution graph extraction Created by use case: • PharOS offline computation,Psy1

Table 901 Artifact: Execution Graph

Artifact: Failure rate catalog Description: Failure rate catalog Hierarchy figure:

Hierarchy : • Evidence [Parent] Is a: Evidence

Table 902 Artifact: Failure rate catalog

Artifact: FHA Description: FHA Hierarchy figure:

Hierarchy : • Evidence [Parent] Is a: Evidence

Table 903 Artifact: FHA

Artifact: FMEA Description: FMEA Hierarchy figure:

Hierarchy : • Evidence [Parent] Is a: Evidence

Table 904 Artifact: FMEA

Artifact: FTA Description: FTA Hierarchy figure:

Hierarchy : • Evidence [Parent] Is a: Evidence

Table 905 Artifact: FTA

Artifact: Functionalities Description: Functionalities Hierarchy figure:

Hierarchy : • Evidence [Parent] Is a: Evidence

Table 906 Artifact: Functionalities

Artifact: Malfunctions Description: Malfunctions Hierarchy figure:

Hierarchy : • Evidence [Parent] Is a: Evidence

Table 907 Artifact: Malfunctions

Artifact: Mapping of tasks to processing elements Description: The mapping of tasks to processing elements

Table 908 Artifact: Mapping of tasks to processing elements

Artifact: Metrics Description: The metric information that describes how far a test covers its requirements. Hierarchy figure:

Hierarchy : • Evidence [Parent] Is a: Evidence

Table 909 Artifact: Metrics

Artifact: Model Description: The tool chain model Used by feature: • Tool Chain Analyzer,Generate Word (docx)

• Tool Chain Analyzer,Model Validation Modified by feature: • Tool Chain Analyzer,Compute Tool Confidence Level

• Tool Chain Analyzer,Cost Model • Tool Chain Analyzer,EMF • Tool Chain Analyzer,Excel Interface • Tool Chain Analyzer,Xml Interface

Table 910 Artifact: Model

Artifact: No-Conformity metrics Description: List of all non-conformities of a project for a standard; specifies the number of steps to be conformant to the standard

Table 911 Artifact: No-Conformity metrics

Artifact: Overall Project Plan Description: see sections 2.6.5.2, 4.5.5.1 Hierarchy figure:

Hierarchy : • Evidence [Parent] Used by use case: • Tool Chain Analyzer,Create Model

• Tool Chain Analyzer,Determinate Tool Confidence Level • Tool Chain Analyzer,Generate Tool Classification Report • Tool Chain Analyzer,Review Model

Modified by use case: • Process Checker,Validate Process Is a: Evidence

Table 912 Artifact: Overall Project Plan

Artifact: Partition Static Schedule Description: The partitions static schedule, for each processing element

Table 913 Artifact: Partition Static Schedule

Artifact: Per Core Request Estimator Function Description: For any duration t, the function gives the maximum number of requests that can be issued from the given core in a time interval of length t. A function PCRE(t) which returns, for any duration t > 0, the maximum number of requests that can be issued from the given core within t time units

Table 914 Artifact: Per Core Request Estimator Function

Artifact: Preliminary System Architecture Description: Malfunctions Hierarchy figure:

Hierarchy : • AF3 System Model [Child]

• Evidence [Parent] Is a: Evidence Occurrences: • AF3 System Model

Table 915 Artifact: Preliminary System Architecture

Artifact: ProjectModel Description: Certification objectives that apply to the project and evidences and justification that support it

Table 916 Artifact: ProjectModel

Artifact: ReferenceModel Description: Standards, normatives... model

Table 917 Artifact: ReferenceModel

Artifact: Report on Maximum CRPDs Description: Report on the maximum Cache-Related Preemption Delay (CRPD) that tasks can incur Hierarchy figure:

Hierarchy : • Evidence [Parent] Is a: Evidence

Table 918 Artifact: Report on Maximum CRPDs

Artifact: Report on Schedulability (1 mode) Description: Attest the schedulability of a single mode of the application system Hierarchy figure:

Hierarchy : • Evidence [Parent] Is a: Evidence

Table 919 Artifact: Report on Schedulability (1 mode)

Artifact: Report on Schedulability (all) Description: Attest the schedulability of the application system Hierarchy figure:

Hierarchy : • Evidence [Parent] Is a: Evidence

Table 920 Artifact: Report on Schedulability (all)

Artifact: Requirement Specification Description: -None- Hierarchy figure:

Hierarchy : • AF3 System Model [Child] Used by feature: • AF3,Specifying MSC Requirements • AF3,Specifying Textual Requirements

Occurrences: • AF3 System Model

Table 921 Artifact: Requirement Specification

Artifact: Review Protocol Description: The protocol of the review Hierarchy figure:

Hierarchy : • Evidence [Parent] Created by use case: • ISO 26262 Reviews,SG_Confirmation Review Of TCLs

• Tool Chain Analyzer,Review Model Is a: Evidence

Table 922 Artifact: Review Protocol

Artifact: Safety Case Description: Graphical (GSN notation) safety case

Table 923 Artifact: Safety Case

Artifact: Safety Goals List Description: Safety Goals List Hierarchy figure:

Hierarchy : • Evidence [Parent] Is a: Evidence

Table 924 Artifact: Safety Goals List

Artifact: Safety Manual Description: The safety manual of the tool contains the relevant information to work safely with the tool Hierarchy figure:

Hierarchy : • Evidence [Parent] Created by use case: • Tool Chain Analyzer,Determinate Tool Confidence Level Modified by use case: • Tool Chain Analyzer,Generate Tool Classification Report

• Tool Chain Analyzer,Review Model Is a: Evidence

Table 925 Artifact: Safety Manual

Artifact: Safety Plan Description: see sections 2.6.5.1, 4.5.5.2, 6.5.5.1, 6.7.5.2 Hierarchy figure:

Hierarchy : • Evidence [Parent] Used by use case: • Tool Chain Analyzer,Create Model

• Tool Chain Analyzer,Determinate Tool Confidence Level • Tool Chain Analyzer,Review Model

Modified by use case: • Process Checker,Validate Process Is a: Evidence

Table 926 Artifact: Safety Plan

Artifact: Safety Requirements Description: System Requirements Specification related to safety Hierarchy figure:

Hierarchy : • Evidence [Parent] Used by feature: • AF3,Specifying SIL Requirements Is a: Evidence

Table 927 Artifact: Safety Requirements

Artifact: Schedule Description: (Optimized Shared Memory Access) Hierarchy figure:

Hierarchy : • AF3 System Model [Child] Occurrences: • AF3 System Model

Table 928 Artifact: Schedule

Artifact: Simulink Model Description: Simulink Model Hierarchy figure:

Hierarchy : • Software Unit Design Specification [Parent] Used by tool: • Simulink Design Verifier Modified by use case: • Simulink Design Verifier,Verify Is a: Software Unit Design Specification

Table 929 Artifact: Simulink Model

Artifact: Simulink model Description: -None-

Table 930 Artifact: Simulink model

Artifact: SLDV verification report Description: -None- Hierarchy figure:

Hierarchy : • Evidence [Parent] Created by use case: • Simulink Design Verifier,Verify Created by tool: • Simulink Design Verifier Is a: Evidence

Table 931 Artifact: SLDV verification report

Artifact: Software Unit Design Specification Description: see section 6.8.5.1 Hierarchy figure:

Hierarchy : • AF3 System Model [Child]

• Evidence [Parent] • Simulink Model [Child]

Is a: Evidence Occurrences: • AF3 System Model

• Simulink Model

Table 932 Artifact: Software Unit Design Specification

Artifact: Source Code Description: Different programming languages Hierarchy figure:

Hierarchy : • C/C++ Source Code [Child]

• Evidence [Parent] • Timing Parameters [Child]

Created by feature: • AF3,Synthesizing Deployment Is a: Evidence Occurrences: • C/C++ Source Code • Timing Parameters

Table 933 Artifact: Source Code

Artifact: Spatial Constraints Description: -None- Hierarchy figure:

Hierarchy : • AF3 System Model [Child] Used by feature: • AF3,Specifying Technical Architecture Used by tool: • PharOS micro kernel Created by feature: • AF3,Specifying Technical Architecture

• PharOS offline computation,Spatial constraints Occurrences: • AF3 System Model

Table 934 Artifact: Spatial Constraints

Artifact: StandardsRegulation Description: Standards, Normatives,... documentation

Table 935 Artifact: StandardsRegulation

Artifact: System Models (Event-B) Description: Models specifying / expressing (with events and invariants) the system requirements

Table 936 Artifact: System Models (Event-B)

Artifact: TBT Data Model Description: The model describing the data element in the model and the system Hierarchy figure:

Hierarchy : • Evidence [Parent] Is a: Evidence

Table 937 Artifact: TBT Data Model

Artifact: TBT Oracle Model Description: The model describing the behaviour of the system

Table 938 Artifact: TBT Oracle Model

Artifact: TBT Tactic Description: A formalized strategy describing the search in the model to derive test cases

Table 939 Artifact: TBT Tactic

Artifact: TCA-Model Description: The tool chain model Hierarchy figure:

Hierarchy : • Evidence [Parent] Is a: Evidence

Table 940 Artifact: TCA-Model

Artifact: Test Cases Description: The executable test cases implementing the test specification Hierarchy figure:

Hierarchy : • AF3 System Model [Child]

• Evidence [Parent] Created by feature: • AF3,Synthesizing Test Cases Is a: Evidence Occurrences: • AF3 System Model

Table 941 Artifact: Test Cases

Artifact: Test Specification Description: The textual specification of the tests Hierarchy figure:

Hierarchy : • AF3 System Model [Child]

• Evidence [Parent] Used by feature: • AF3,Specfying Test Suite Is a: Evidence Occurrences: • AF3 System Model

Table 942 Artifact: Test Specification

Artifact: Timing Parameters Description: Contain all the parameters concerning the application Hierarchy figure:

Hierarchy : • AF3 System Model [Child]

• Source Code [Parent] Used by feature: • PharOS offline computation,Execution graph extraction

• PharOS offline computation,Feasability • PharOS offline computation,Spatial constraints

Used by use case: • PharOS offline computation,Psy1 Used by tool: • PharOS offline computation Created by feature: • AF3,Specifying Technical Architecture Is a: Source Code Occurrences: • AF3 System Model

Table 943 Artifact: Timing Parameters

Artifact: Tool Evaluation Report Description: Contains the evaluation/classification of the tools Hierarchy figure:

Hierarchy : • Evidence [Parent] Created by use case: • Tool Chain Analyzer,Determinate Tool Confidence Level

• Tool Chain Analyzer,Generate Tool Classification Report Is a: Evidence

Table 944 Artifact: Tool Evaluation Report

Artifact: User Input Description: The user writes input to the tool Used by feature: • Tool Chain Analyzer,Compute Tool Confidence Level

• Tool Chain Analyzer,Cost Model • Tool Chain Analyzer,EMF • Tool Chain Analyzer,Excel Interface • Tool Chain Analyzer,Generate Word (docx) • Tool Chain Analyzer,Model Validation • Tool Chain Analyzer,Xml Interface

Table 945 Artifact: User Input

Artifact: Verification Verdict Description: The verdict of a verification step (valid/invalid) and a counter example Created by feature: • AF3,Verifing Contracts of a Logical Architecture

• AF3,Verifying MSC Conformance • AF3,Verifying Soundness of a Logical Architecture

Table 946 Artifact: Verification Verdict

Artifact: Verified System Models (Event-B) Description: Specified and verified system models at different levels of abstraction

Table 947 Artifact: Verified System Models (Event-B)

Artifact: VerSÅA verification report Description: -None-

Table 948 Artifact: VerSÅA verification report

Artifact: WCET Description: Worst case execution time estimation for each task Hierarchy figure:

Hierarchy : • Evidence [Parent] Used by feature: • AF3,Synthesizing Real-Time Schedule Used by tool: • PharOS offline computation Is a: Evidence

Table 949 Artifact: WCET

Artifact: WCRT Description: Worst-case response time for a task Hierarchy figure:

Hierarchy : • Evidence [Parent] Is a: Evidence

Table 950 Artifact: WCRT

Artifact: Word Document Description: The files that can be read/written from Word Hierarchy figure:

Hierarchy : • Evidence [Parent] Used by use case: • ISO 26262 Reviews,SG_Confirmation Review Of TCLs Created by feature: • Tool Chain Analyzer,Compute Tool Confidence Level

• Tool Chain Analyzer,Generate Word (docx) Is a: Evidence

Table 951 Artifact: Word Document

1.13.2 ERROR MODEL FOR THE RECOMP TOOL CHAIN TOOL CHAIN

The error model consists of general attributes that are mapped to the used tools or use cases. Each of these mapped elements receives a copy of the listed errors. In the following sections all used attributes, errors, checks and restrictions are described.

1.13.2.1 TOOL ATTRIBUTE DESCRIPTIONS

The following 10 general tool attributes have been used in the analysis of the "RECOMP Tool Chain".

Tool Attribute: Fcn_Algorithm Description: The function is implemented by an algorithm Assigned to the following features: • Tool Chain Analyzer,Compute Tool Confidence Level

• Tool Chain Analyzer,EMF • Tool Chain Analyzer,Model Validation

Contains the following potential errors: • Algorithm Error

• Wrong Algorithm

Table 952 Tool Attribute: Fcn_Algorithm

Tool Attribute: Fcn_Algorithm_DeEncode Description: encoding and decoding algorithms are used Assigned to the following features: • Tool Chain Analyzer,Excel Interface Contains the following potential errors: • Decoded Wongly

• Encoded Wrongly

Table 953 Tool Attribute: Fcn_Algorithm_DeEncode

Tool Attribute: Fcn_Behaviour
Description: The behaviour of the function
Assigned to the following features: • Tool Chain Analyzer,EMF
• Tool Chain Analyzer,Excel Interface
• Tool Chain Analyzer,Model Validation
Contains the following potential errors: • Wrong Behaviour

Table 954 Tool Attribute: Fcn_Behaviour

Tool Attribute: Fcn_Behaviour_Calculator
Description: The tool does an Excel-like computation with simple arithmetic, e.g. computing the sum of numbers in a row
Assigned to the following features: • Tool Chain Analyzer,Compute Tool Confidence Level
Contains the following potential errors: • Wrong Result

Table 955 Tool Attribute: Fcn_Behaviour_Calculator

Tool Attribute: Fcn_Behaviour_Transformation
Description: The tool transforms information into other representations, e.g. a compiler
Assigned to the following features: • Tool Chain Analyzer,EMF
• Tool Chain Analyzer,Excel Interface
• Tool Chain Analyzer,Generate Word (docx)
Contains the following potential errors: • Transformation Not Supported
• Wrong Transformation

Table 956 Tool Attribute: Fcn_Behaviour_Transformation

Tool Attribute: Fcn_Resource_CPU
Description: The function requires CPU resources like RAM, ROM or CPU time which might not be available
Assigned to the following features: • Tool Chain Analyzer,Generate Word (docx)
Contains the following potential errors: • Missing CPU

Table 957 Tool Attribute: Fcn_Resource_CPU

Tool Attribute: Fcn_Specification
Description: The specification/documentation of the function
Assigned to the following features: • Tool Chain Analyzer,Compute Tool Confidence Level
• Tool Chain Analyzer,Generate Word (docx)
• Tool Chain Analyzer,Model Validation
Contains the following potential errors: • Wrong Specification

Table 958 Tool Attribute: Fcn_Specification

Tool Attribute: Fcn_Variants
Description: The function can be computed with different variants
Assigned to the following features: • Tool Chain Analyzer,Compute Tool Confidence Level
• Tool Chain Analyzer,EMF
• Tool Chain Analyzer,Generate Word (docx)
Contains the following potential errors: • Wrong Variant

Table 959 Tool Attribute: Fcn_Variants

Tool Attribute: Fcn_Variants_Options
Description: The tool supports options. These can be either command line arguments, settings or configuration files
Assigned to the following features: • Tool Chain Analyzer,Excel Interface
Contains the following potential errors: • Option Defect
• Option Ignored

Table 960 Tool Attribute: Fcn_Variants_Options

Tool Attribute: micro kernel
Description: -None-
Used from the following tools: • PharOS offline computation
Assigned to the following features: • PharOS offline computation,Spatial constraints
Contains the following potential errors: • Communication buffer overflow
• Deadline error
• Graph error
• Segmentation fault

Table 961 Tool Attribute: micro kernel

1.13.2.2 ERROR DESCRIPTIONS

The following 17 errors have been identified and used in the analysis of the "RECOMP Tool Chain".

Error: Algorithm Error
Description: The algorithm has an error, for example a wrong condition, type, loop, ...
From tool attribute: Fcn_Algorithm

Table 962 Error: Algorithm Error

Error: Communication buffer overflow
Description: -None-
From tool attribute: micro kernel

Table 963 Error: Communication buffer overflow


Error: Deadline error
Description: A deadline is not met
From tool attribute: micro kernel

Table 964 Error: Deadline error

Error: Decoded Wrongly
Description: A correctly encoded object is decoded wrongly
From tool attribute: Fcn_Algorithm_DeEncode

Table 965 Error: Decoded Wrongly

Error: Encoded Wrongly
Description: The data is encoded such that it cannot be decoded any more
From tool attribute: Fcn_Algorithm_DeEncode

Table 966 Error: Encoded Wrongly

Error: Graph error
Description: Execution graph error
From tool attribute: micro kernel

Table 967 Error: Graph error

Error: Missing CPU
Description: Not enough CPU available for computing the correct result.
Comment: Note: in this error we consider only the undetected case, where the tool terminates without a warning and with a wrong result. This may be due to some internal checks that cause the tool to terminate if no CPU is available, e.g. after a given time, using the default value.
From tool attribute: Fcn_Resource_CPU

Table 968 Error: Missing CPU

Error: Option Defect
Description: The option or combination of options is defective, i.e. computes wrong values
From tool attribute: Fcn_Variants_Options

Table 969 Error: Option Defect

Error: Option Ignored
Description: The entered option is ignored without a warning and the wrong result is computed
From tool attribute: Fcn_Variants_Options

Table 970 Error: Option Ignored

Error: Segmentation fault
Description: Violation of spatial isolation
From tool attribute: micro kernel

Table 971 Error: Segmentation fault

Error: Transformation Not Supported
Description: The transformation might not support all elements and ignore them, e.g. some settings in a model or some pragmas in code
From tool attribute: Fcn_Behaviour_Transformation

Table 972 Error: Transformation Not Supported

Error: Wrong Algorithm
Description: The chosen algorithm does not solve the problem correctly
From tool attribute: Fcn_Algorithm

Table 973 Error: Wrong Algorithm

Error: Wrong Behaviour
Description: The function can have a wrong behaviour
From tool attribute: Fcn_Behaviour

Table 974 Error: Wrong Behaviour

Error: Wrong Result
Description: The calculated result differs from the real result, e.g. 1+1=0 or 1/1=0.99
From tool attribute: Fcn_Behaviour_Calculator

Table 975 Error: Wrong Result

Error: Wrong Specification
Description: The function can deviate from the specification
From tool attribute: Fcn_Specification

Table 976 Error: Wrong Specification

Error: Wrong Transformation
Description: The result of the transformation is not correct
From tool attribute: Fcn_Behaviour_Transformation

Table 977 Error: Wrong Transformation

Error: Wrong Variant
Description: The wrong variant has been used, e.g. by ignoring an option/configuration
From tool attribute: Fcn_Variants

Table 978 Error: Wrong Variant

1.13.3 ASSUMPTIONS

This section lists all assumptions on tool chain level used in the evaluation of this tool chain. If the assumptions are violated the calculated TCL is not valid. Assumptions that are enforced by the development process are marked in the analysis model and listed here.

Check: Assertion Check
Description: This check detects if an assertion in the code is violated. If a test case claims to violate an assertion but does not, this will also be noted with a high probability.
Comment: Since this is an automatic check the detection probability is high.
From use case: Test Environment,Unit Test
Error detection probability: TD 1 (HIGH)
Is assumption: True

Table 979 Check: Assertion Check

Check: Detect Wrong TCL
Description: An error in the TCL computation is detected. Since the review is performed on the basis of the generated report, it will also detect errors in the report generation and in the image generation and all other modeling errors with a high probability.
Comment: TCL computation is an easy task and review is an effective verification method for that purpose.
From use case: ISO 26262 Reviews,SG_Confirmation Review Of TCLs
Error detection probability: TD 1 (HIGH)
Detected errors from other tools:
• SG_Confirmation Review Of TCLs,Tool Chain Analyzer,Compute Tool Confidence Level,Wrong TCL Computed
• SG_Confirmation Review Of TCLs,Tool Chain Analyzer,Determinate Tool Confidence Level,TCL Wrongly Shown
• SG_Confirmation Review Of TCLs,Tool Chain Analyzer,Determinate Tool Confidence Level,TCL Wrongly Written
• SG_Confirmation Review Of TCLs,Tool Chain Analyzer,Excel Interface,Wrong Export
• SG_Confirmation Review Of TCLs,Tool Chain Analyzer,Excel Interface,Wrong Import
• SG_Confirmation Review Of TCLs,Tool Chain Analyzer,Generate Word (docx),Document Generated Wrongly
• SG_Confirmation Review Of TCLs,Tool Chain Analyzer,Xml Interface,Wrong XML Export
• SG_Confirmation Review Of TCLs,Tool Chain Analyzer,Xml Interface,Wrong XML Import
Is assumption: True

Table 980 Check: Detect Wrong TCL

Check: Executability Check
Description: The generated test is compiled and executed
Comment: There is a high probability of detecting that the test is not executable, e.g. not compiling correctly, since this is an automatic check
From use case: TBT,Validate Tests
Error detection probability: TD 1 (HIGH)
Is assumption: True

Table 981 Check: Executability Check

Check: Model Check
Description: Check the validity of the model
Comment: This can be done using a model checker tool for some consistency rules
From use case: ProB Model Checker,Check Model
Error detection probability: TD 1 (HIGH)
Is assumption: True

Table 982 Check: Model Check

Check: Proof Tree - Syntax Check
Description: The syntax check is usually done when this file is used
From use case: Rodin Prover,System Model Verification
Error detection probability: TD 1 (HIGH)
Is assumption: True

Table 983 Check: Proof Tree - Syntax Check

Check: Review Test against Specification
Description: Review of generated test cases for correctness against the specification
Comment: Since it is easy to see that a test case covers a specified feature, the review has a high probability of detecting non-conformance errors between the tests and the specification.
From use case: TBT,Validate Tests
Error detection probability: TD 1 (HIGH)
Is assumption: True

Table 984 Check: Review Test against Specification

Error: Incorrect translation
Description: The translation of contracts to assertions/assumptions might be incorrect. It is not obvious how to check in a tool that this does not happen. Manual inspection might be needed.
From use case: Contracts to assertions
Is assumption: True

Table 985 Error: Incorrect translation

Feature: SG_Avoid Feature
Description: Avoid this feature, since it is redundant.
From: Tool Chain Analyzer
Parts: • SG_Avoid Feature
Is assumption: True

Table 986 Feature: SG_Avoid Feature

Restriction: Avoid Features
Description: Avoid the risky features of the model since they might be buggy.
From feature: Tool Chain Analyzer,Safety Guidelines,SG_Avoid Feature
Error avoidance probability: TD 1 (HIGH)
Avoided errors: • Cost Model,Wrong Cost Computed
• Excel Interface,Wrong Export
• Excel Interface,Wrong Import
• Model Validation,Wrong Error Reported
• Xml Interface,Wrong XML Export
• Xml Interface,Wrong XML Import
Is assumption: True

Table 987 Restriction: Avoid Features

Tool: Test Environment
Description: This is a virtual test environment that is used to formulate assumptions from the test generator to test tools and processes in which the generated tests can be executed.
Impact: TI 2 (Impact)
Tool Confidence Level: TCL 1
Is assumption: True

Table 988 Tool: Test Environment