The processes used to develop software need to comply with normative requirements (e.g., standards and regulations) to align with the market and the law. Manual compliance checking is challenging because there are numerous requirements of a changing nature and with different purposes. Despite the importance of automated techniques, there is no systematic study in this field. This gap may hinder organizations from moving toward automated compliance checking practices. In this paper, we characterize the methods for automatic compliance checking of software processes, including the techniques used, their potential impacts, and challenges. For this, we undertake a systematic literature review (SLR) of studies reporting methods in this field. As a result, we identify solutions that use different techniques (e.g., ontologies and metamodels) to represent processes and their artifacts (e.g., tasks and roles). Various languages, with diverse capabilities for managing competing and changing norms and agile strategies, are also used to represent normative requirements. Most solutions require tool-support concretization and enhanced capabilities to handle process and normative diversity. Our findings outline compelling areas for future research. In particular, there is a need to select suitable languages for consolidating a generic and normative-agnostic solution, to increase automation levels and tool support, and to boost application in practice by improving usability aspects.
Compliance with process-based safety standards may imply the provision of a safety plan and its corresponding compliance justification. Providing this justification is time-consuming, since it requires the process engineer to check the fulfillment of hundreds of requirements while taking into account the evidence provided by the process entities. Available methodologies and their implemented tools can be used to automate this checking and provide a compliance report that can be part of the justification scrutinized by the safety auditor. In this paper, we explain our compliance checking vision for supporting the process engineer, in which the interaction between SPEM 2.0 (Software & Systems Process Engineering Metamodel) and Regorous (a tool-supported methodology for compliance checking) is established. Then, we focus on SPEM 2.0 to identify mechanisms that provide the minimal set of elements required to be processed by Regorous, and describe how to implement them in EPF Composer. We also illustrate these mechanisms by modeling a simple example from ISO 26262 and show how a compliance report can be used to trace unfulfilled requirements.
In some domains, the applicable safety standards prescribe process-related requirements. Essential pieces of evidence for compliance assessment against such standards are the compliance justifications of the process plans used to engineer systems. These justifications should show that the process plans are produced in accordance with the prescribed requirements. However, providing the required evidence may be time-consuming and error-prone, since safety standards are large, natural-language documents with hundreds of requirements. Besides, a company may have many safety-critical processes to be examined. In this paper, we propose a novel approach that combines process modeling and compliance checking capabilities. Our approach aims at facilitating the analysis required to conclude whether the model of a process plan corresponds to a model with compliant states. So far, our proposed methodology has been evaluated with academic examples that show the potential benefits of its use.
Context: Software processes face increasing demands coming from normative requirements. Organizations developing software comply with such demands to be in line with the market and the law. The state of the art provides means to automatically check whether a software process complies with a set of normative requirements. However, no comprehensive and systematic review has been conducted to characterize such works. Objective: We characterize the current research on this topic, including an account of the techniques used, their potential impacts, and challenges. Method: We undertake a Systematic Literature Review (SLR) of primary studies reporting techniques for automated compliance checking of software processes. Results: We identified 41 papers reporting solutions focused on limited normative frameworks. Such solutions use specific languages for process and normative representation; thus, the artifacts represented vary from one solution to another. The level of automation, which in most methods requires tool-support concretization, focuses mostly on the reasoning process and requires human intervention, e.g., for creating the inputs for such reasoning. In addition, only a few contemplate agile environments and standards evolution. Conclusions: Our findings outline compelling areas for future research. In particular, there is a need to consolidate existing languages for process and normative representation, to compile efforts into a generic and normative-agnostic solution, to increase automation and tool support, and to incorporate a layer of trust to guarantee that rules are correctly derived from the normative requirements.
Manual compliance with process-based standards is time-consuming and error-prone. No ready-to-use solution is currently available for increasing efficiency and confidence. In our previous work, we presented our automated compliance checking vision to support the process engineer's work. This vision includes the creation of a process model, built with a reference implementation of SPEM 2.0 (Systems & Software Process Engineering Metamodel), to be checked by Regorous, a compliance checker used in the business context. In this paper, we move a step further toward the concretization of our vision by defining the transformation necessary to automatically generate the models required by Regorous. Then, we apply our transformation to a small portion of the design phase recommended in the rail sector. Finally, we discuss our findings and present conclusions and future work.
Hybrid software development, meant as a combination of traditional and agile methods and practices, has become a reality in safety-critical systems engineering. The spread of hybrid software development stems from the impossibility of facing the manifold challenges through a by-the-book process definition. In this context, compliance management becomes challenging, and the role of existing means for compliance should be clarified or rethought. In this position paper, we discuss the challenges and propose our compliance management vision, which is being implemented in the context of the EU ECSEL AMASS project.
The key to system safety is the identification and elimination/mitigation of potential hazards and the documentation of evidence for safety cases. This is generally done during the system design and development phase. However, for automated systems, there is also a need to deal with unknowns and uncertainties during the operational phase. This paper focuses on virtual boundaries around geographic zones (i.e., geofences) that can serve as an active countermeasure for the dynamic management of risks in automated transportation/production contexts. First, hazard analysis is performed using the Hazard and Operability (HAZOP) and Fault Tree Analysis (FTA) techniques. Based on the hazard analysis, appropriate measures, such as geofences, for the elimination/mitigation of hazards are defined. Subsequently, they are translated into safety requirements. We leverage simulation-based digital twins to perform verification and validation of the production site by incorporating the safety requirements in them. Finally, to manage risks dynamically, operational data is gathered, deviations from specified behaviours are tracked, possible implications of control actions are evaluated, and necessary adaptations are performed. Risk management is assured in situations such as communication loss, subsystem failures, and unsafe paths. This approach provides a basis to fill the gaps between the safety cases and the actual system safety that emanate from system/environment evolution as well as the obsolescence of evidence. The applicability of the proposed framework is exemplified in the context of a semi-automated quarry production scenario.
The goal of Industry 4.0 is to be faster, more efficient and more customer-centric by enhancing the automation and digitalisation of production systems. Frequently, production in Industry 4.0 is categorised as safety-critical, for example due to interactions between autonomous machines and hazardous substances that can result in human injury or death, or damage to machines, property or the environment. In order to demonstrate the acceptable safety of production operations, safety cases are constructed to provide a comprehensive, logical and defensible justification of the safety of a production system for a given application in a predefined operating environment. However, the construction and maintenance of safety cases in alignment with Industry 4.0 are challenging tasks. For their construction, besides the modular, dynamic and reconfigurable nature of Industry 4.0, the architectural levels of things, fog and cloud computing have to be considered. Safety cases constructed at the system design and development phases might be invalidated during production operations, thus necessitating some means of dynamic safety assurance. Moreover, flexible manufacturing in Industry 4.0 also underlines the need for safety assurance in a dynamic manner during the operational phase. Currently published studies do not explicitly support the safety assurance of Industry 4.0, which is the focus of this paper, with special emphasis on dynamic safety assurance. First, the Hazard and Operability (HAZOP) and Fault Tree Analysis (FTA) techniques are used for the identification and mitigation/elimination of potential hazards. Next, based on the hazard analysis results, we derive the safety requirements and safety contracts. Subsequently, safety cases are constructed using the OpenCert platform, and safety contracts are associated with them to enable necessary changes during runtime. Finally, we use a simulation-based approach to identify and resolve deviations between the system understanding reflected in the safety cases and the current system operation. The dynamic safety assurance is demonstrated using a use case scenario of materials transportation and data flow in the Industry 4.0 context.
Automated Guided Vehicles (AGVs) are widely used for materials transportation. Operating them in a platooned manner has the potential to improve safety, security and efficiency, control overall traffic flow, and reduce resource usage. However, the published studies on platooning focus mainly on the design of technical solutions in the context of the automotive domain. In this paper, we focus on the largely unexplored theme of platooning in production sites transformed for Industry 4.0, with the aim of providing safety and security assurances. We present an overall approach for fault- and threat-tolerant platooning for materials transportation in production environments. Our functional use cases include platoon control for collision avoidance, data acquisition and processing considering range, and connectivity with the fog and cloud levels. To perform the safety and security analyses, the Hazard and Operability (HAZOP) and Threat and Operability (THROP) techniques are used. Based on the results obtained from them, the safety and security requirements are derived for the identification and prevention/mitigation of potential platooning hazards, threats and vulnerabilities. Assurance cases are constructed to show the acceptable safety and security of materials transportation using AGV platooning. We leverage a simulation-based digital twin for performing verification and validation as well as fine-tuning of the platooning strategy. Simulation data is gathered from the digital twin to monitor platoon operations, identify unexpected or incorrect behaviour, evaluate the potential implications, trigger control actions to resolve them, and continuously update the assurance cases. The applicability of AGV platooning is demonstrated in the context of a quarry site.
After the painstaking process of traceability construction, a substantial evolution of a software system, such as a new major version, leads to the decay of traceability links. To date, however, none of the published studies have considered the on-demand update of traceability links. This paper presents an on-demand automated approach for the case-based maintenance and evolution of traceability links across different versions of a software project. The approach focuses on component-to-component features for the identification and prioritization of previous traceability cases, which are then used to reuse and adapt traceability links based on matches and mismatches, respectively. The adapted (i.e., newly constructed) traceability links can then be verified by a human analyst and stored in a case base. The approach has been validated using an open-source framework for mobile games, named Soomla Android store.
Compliance with the CENELEC series is mandatory during both the planning and the development of railway systems. For compliance purposes, the creation of safety plans, which define safety-related activities and all other process elements relevant at the planning phase, is also needed. These plans are expected to be executed during the development phase. Specifically, EN 50129 defines the safety plan acceptance and approval process, in which interactions between the applicant and the certification body are recommended: after the planning phase, to ensure compliance between plans and standards, and after the development phase, to ensure that plans are executed effectively and without deviations unless justified. In this paper, we provide a tool-supported method for facilitating the safety approval processes/certification liaison processes. More specifically, the facilitation consists of guidance for modelling planned processes and the requirements listed in the standards, in order to enable the automatic generation of baselines, post-planning processes and evidence models needed during the execution phase, as well as change impact tracking for the manual monitoring of the compatibility between plans and their execution. The applicability of the proposed method is illustrated in the context of the EN 50126-1 and EN 50129 standards.
Process-based argumentations argue that a safety-critical system has been developed in compliance with the development process defined in the standards, and provide the evidence for certification of compliance. However, process-based argumentations cannot ensure that the evidence is sufficient to support the claim. If the argumentations are insufficient (i.e., fallacious), they may result in a loss of confidence in the system's safety. It is thus crucial to prevent or detect fallacies in process-based argumentations. Currently, the review of argumentations to detect fallacies largely depends on the reviewers' expertise, which makes it a labour-intensive and error-prone task. This paper presents an approach that validates process models (compliant with Process Engineering Metamodel 2.0) and prevents the occurrence of fallacies, specifically the omission of key evidence in process-based argumentations. If fallacies are detected in the process models, the approach develops recommendations to resolve them; afterwards, the process and/or safety engineers modify the process models based on the provided recommendations. Finally, the approach generates, from the modified process models and using model-driven engineering principles, safety argumentations (compliant with the Structured Assurance Case Metamodel) that are free from the fallacies. The applicability of the proposed approach is illustrated in the context of the ECSS-E-ST-40C (Space engineering-Software) standard.
Compliance of process models with relevant standards is mandatory for certifying critical systems. However, it is often carried out manually, which is complex and labour-intensive. Previous studies have not considered the automated processing of standard documents for achieving and demonstrating process compliance. This paper leverages natural language processing to extract the normative process models embedded in standard documents. Mapping rules are established for structuring the standard requirements and the content elements of process models, such as tasks, roles and work products. These are organized into a process structure by considering phases, activities and milestones. During the planning phase, the standard requirements, process models and compliance mappings are generated in EPF Composer, which supports the major parts of the OMG's Software & Systems Process Engineering Metamodel (SPEM) 2.0. The reverse compliance of extended or pre-existing process models can be carried out during the execution phase; specifically, compliance gaps are detected, possible measures for their resolution are provided, and missing elements are added after the process engineer's approval. The applicability of the proposed methodology is demonstrated for the ECSS-E-ST-40C compliant space system engineering process.
Drones provide an active measure to identify, monitor, analyze and resolve risks of autonomous systems during the operational phase. To date, however, the published studies have not considered them for managing risks in a dynamic manner. The capability to deal with unknowns and uncertainties during the operational phase is regarded as essential to exploit autonomous systems to their full potential. This paper targets the drone-based assurance of autonomous systems. Hazard and threat analyses are performed during the design and development phase using the Hazard and Operability (HAZOP) and Threat and Operability (THROP) techniques, respectively. Based on the analysis results, the safety and security requirements are derived. Assume-guarantee contracts are also derived for uncertainty sources; they are integrated into blockchain-based smart contracts. Simulators are leveraged for performing verification and validation as well as for improving systems. To assure safety and security during the operational phase, the contracts derived for uncertainty sources are checked. In case of divergence, the drones provide assistance; otherwise, depending on the severity risk factor, system control is taken to avoid the mishap risk. The applicability of the proposed methodology is exemplified in the context of a quarry site production scenario.
The current trends of digitalization and Industry 4.0 are bringing ample opportunities for the manufacturing industry to fine-tune its products and processes at will, to meet changing market needs at short notice. However, the characteristics of advanced production systems, such as dynamic interactions between machines and reconfigurations, if not carefully orchestrated, could potentially lead to production failures or mishaps, making them safety-critical. Previous studies on hazard analysis, safety-performance trade-offs and assurance cases have not specifically considered dynamic reconfiguration scenarios in production systems. In this paper, for hazard identification and mitigation/elimination, the principal characteristics of highly reconfigurable production systems are given special consideration. Even if the hazard analysis results are incorporated in the initial designs of production systems, operational changes, such as adding/removing machines in response to market demands, system failures, or unanticipated hazardous conditions, may still adversely impact production safety and operational performance. For the operational changes, we perform a quantitative assessment through configuration analytics to determine the corresponding impacts on safety, performance and production demands. After that, assurance case models are obtained for the production line to cope with the potential problems during dynamic safety assurance. The applicability of the proposed methodology is demonstrated in the context of a quarry site production scenario.
Advanced production systems are composed of separate and distinct systems that operate both in isolation and in conjunction, and therefore form a System-of-Systems (SoS). However, many production systems are classified as safety-critical, for example due to the interactions between machines and the materials involved. From the safety perspective, besides the behaviour of an individual system in the SoS, the emergent behaviour of systems that comes from their individual actions and interactions must be considered. An unplanned event or sequence of events in safety-critical production systems may result in human injury or death, or damage to machines or the environment. This paper focuses on the construction equipment domain, particularly the quarry site, which solely produces dimension stone and/or gravel products. The principal contribution of this paper is SoS hazard identification and mitigation/elimination for the electric quarry site, for which the combination of the guide-word-based collaborative method Hazard and Operability (HAZOP) and Fault Tree Analysis (FTA) is used. The published studies on HAZOP and FTA techniques have not considered the emergent behaviours of different machines. The applicability of these techniques is demonstrated for the individual and emergent behaviours of machines used in quarry operations, such as the autonomous hauler, wheel loader, excavator and crusher.
The capability to dynamically reconfigure in response to changes of mode or function, failures, or unanticipated hazardous conditions is fundamental for many critical systems. The modelling and verification of such systems are frequently carried out with product lines and model checking, respectively. First, the objectives and related requirements of reconfigurable systems are mapped to a feature model, and the units related to operational modes are selected in individual configurations. After that, the proposed approach performs an automated transformation of these models into formal constraints and descriptions to leverage the analytical power of model checking techniques: the formal verification of completeness, consistency and conflict is carried out with the NuSMV model checker. Finally, when a counterexample is produced, it is analysed to identify the corresponding problems and their resolutions. The applicability of the proposed approach is demonstrated through a case study of an attitude and orbit control system.
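As an added illustration of the checks the abstract above names (this is not the authors' NuSMV-based tool and is not code from any of the papers listed here), the following Python script encodes a small, constructed feature model for a reconfigurable control system as boolean constraints and checks it for consistency (at least one valid configuration), core features (selected in every valid configuration), dead features (selectable in none, i.e. a conflict among constraints), and, for a dead feature, a counterexample-style explanation naming the constraints that collide when the feature is forced on. All feature names and constraints are hypothetical, and exhaustive enumeration of configurations stands in for the model checker, so it only scales to small models.

```python
"""Feature-model consistency and conflict checking by exhaustive enumeration.

Constructed example; the feature model, its constraints and the analysis
functions are assumptions for illustration, not the tool from the paper.
"""
from itertools import product

# Hypothetical feature model of a reconfigurable attitude-control unit.
FEATURES = ["Control", "Sensing", "StarTracker", "SunSensor",
            "Actuation", "ReactionWheel", "Thruster", "SafeMode"]


def _count(cfg, *names):
    """Number of the given features that are selected in cfg."""
    return sum(cfg[n] for n in names)


# Each constraint is a predicate over a configuration (feature -> bool).
# Tree constraints (mandatory / optional / alternative / or-group) come first,
# then cross-tree constraints (requires / excludes). The last three are
# deliberately contradictory so that SafeMode becomes a dead feature.
CONSTRAINTS = {
    "Control is the root": lambda c: c["Control"],
    "Sensing mandatory under Control": lambda c: c["Sensing"] == c["Control"],
    "Actuation mandatory under Control": lambda c: c["Actuation"] == c["Control"],
    "SafeMode optional under Control": lambda c: c["Control"] or not c["SafeMode"],
    "Sensing: exactly one of StarTracker/SunSensor":
        lambda c: _count(c, "StarTracker", "SunSensor") == (1 if c["Sensing"] else 0),
    "Actuation: at least one of ReactionWheel/Thruster":
        lambda c: (_count(c, "ReactionWheel", "Thruster") >= 1) if c["Actuation"]
        else _count(c, "ReactionWheel", "Thruster") == 0,
    "SafeMode requires Thruster": lambda c: not c["SafeMode"] or c["Thruster"],
    "SafeMode requires StarTracker": lambda c: not c["SafeMode"] or c["StarTracker"],
    "StarTracker excludes Thruster": lambda c: not (c["StarTracker"] and c["Thruster"]),
}


def violations(cfg):
    """Names of the constraints a configuration breaks (empty list = valid)."""
    return [name for name, ok in CONSTRAINTS.items() if not ok(cfg)]


def all_configurations():
    """Enumerate every assignment of the features (2^n, fine for small models)."""
    for bits in product([False, True], repeat=len(FEATURES)):
        yield dict(zip(FEATURES, bits))


def valid_configurations():
    return [c for c in all_configurations() if not violations(c)]


def analyse():
    """Consistency, core and dead features of the feature model."""
    valid = valid_configurations()
    selected = {f: sum(c[f] for c in valid) for f in FEATURES}
    return {
        "consistent": bool(valid),
        "num_valid": len(valid),
        "core": [f for f in FEATURES if valid and selected[f] == len(valid)],
        "dead": [f for f in FEATURES if valid and selected[f] == 0],
    }


def explain_dead(feature):
    """Counterexample analysis for a dead feature.

    Forces the feature on, finds the configurations with the fewest violations,
    and returns (that minimum, sorted names of the constraints they break).
    The returned constraints are the ones an engineer has to reconcile.
    """
    forced = [c for c in all_configurations() if c[feature]]
    scored = [(len(violations(c)), c) for c in forced]
    best = min(score for score, _ in scored)
    names = set()
    for score, c in scored:
        if score == best:
            names.update(violations(c))
    return best, sorted(names)


if __name__ == "__main__":
    report = analyse()
    print(report)
    for dead in report["dead"]:
        print(dead, "is dead; minimal violations:", explain_dead(dead))
```

Run stand-alone, the script reports four valid configurations, `Control`, `Sensing` and `Actuation` as core, and `SafeMode` as dead, with the three cross-tree constraints named as the conflict to resolve. Removing or relaxing one of them (for instance the exclusion between `StarTracker` and `Thruster`) is exactly the kind of resolution step the abstract describes after counterexample analysis.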
Models are extensively used in many areas of software engineering to represent the behaviour of software systems at different levels of abstraction. Because different stakeholders are involved in constructing these models and the models evolve independently, inconsistencies might occur between them. It is thus crucial to detect these inconsistencies in the early phases of the software development process, and especially as soon as refined models deviate from their abstract counterparts. In this article, we introduce a containment checking approach to verify whether a certain low-level behaviour model, typically created by refining and enhancing a high-level model, is still consistent with the specification provided by its high-level counterpart. We interpret the containment checking problem as a model checking problem, which has not received special treatment in the literature so far. Because containment checking is based on model checking, it requires both formal consistency constraints and formal specifications of these models. Unfortunately, creating formal consistency constraints and specifications is currently done manually and is therefore labour-intensive and error-prone. To alleviate this issue, we define and develop a fully automated transformation of behaviour models into formal specifications and properties. The generated formal specifications and properties can be used directly by existing model checkers to detect any discrepancy between the input models and yield corresponding counterexamples. Moreover, our approach can provide developers with more informative and comprehensive feedback regarding the inconsistency issues, and therefore help them to efficiently identify and resolve the problems. The evaluation of various scenarios from industrial case studies demonstrates that the proposed approach efficiently translates behaviour models into formal specifications and properties.
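To make the containment idea concrete, here is an added Python example (not the authors' transformation or the model checker they use) that checks whether a refined, low-level behaviour model is contained in a high-level one. Both models are constructed, hypothetical labelled transition systems: the high-level model is assumed deterministic, and any low-level action that is not in the high-level alphabet is treated as a refinement-only step invisible to the specification. The check is trace inclusion, explored as a reachability search over the product of the two models, which is the flavour of property a model checker would verify; when a low-level path can do something the high-level model forbids, the search stops and returns that path as a counterexample, together with its projection onto the high-level alphabet and the high-level state where the deviation occurred.

```python
"""Containment checking of a refined behaviour model against its abstraction.

Constructed example: the two models, their initial states and the action
names are assumptions for illustration; this is trace inclusion via a
breadth-first search over the product state space, not the paper's tool.
"""
from collections import deque

# High-level (abstract) order-handling model: state -> {action: next_state}.
# Assumed deterministic, so one high-level state tracks each low-level path.
HIGH = {
    "idle":      {"receive": "received"},
    "received":  {"validate": "validated"},
    "validated": {"ship": "shipped"},
    "shipped":   {},
}
HIGH_INIT = "idle"

# Low-level refinements: state -> [(action, next_state), ...]. "log" and
# "check_stock" are refinement-only actions hidden from the specification.
LOW_OK = {
    "s0": [("receive", "s1")],
    "s1": [("log", "s2")],
    "s2": [("validate", "s3")],
    "s3": [("check_stock", "s4")],
    "s4": [("ship", "s5")],
    "s5": [],
}
# A second refinement that adds a shortcut shipping without validation.
LOW_BAD = dict(LOW_OK)
LOW_BAD["s2"] = [("validate", "s3"), ("ship", "s5")]


def check_containment(low, low_init, high=HIGH, high_init=HIGH_INIT):
    """Return None if every low-level trace, projected onto the high-level
    alphabet, is a trace of the high-level model; otherwise return the
    first violating path found (shortest in number of low-level steps)."""
    alphabet = {a for trans in high.values() for a in trans}
    start = (low_init, high_init)
    seen = {start}
    queue = deque([(start, [])])
    while queue:
        (l, h), trace = queue.popleft()
        for action, l_next in low.get(l, []):
            if action not in alphabet:
                h_next = h                      # hidden step: spec state unchanged
            elif action in high[h]:
                h_next = high[h][action]        # spec allows it: advance together
            else:
                path = trace + [action]         # spec forbids it: counterexample
                return {
                    "trace": path,
                    "abstract_trace": [a for a in path if a in alphabet],
                    "high_state": h,
                }
            nxt = (l_next, h_next)
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, trace + [action]))
    return None


if __name__ == "__main__":
    print("LOW_OK contained:", check_containment(LOW_OK, "s0") is None)
    print("LOW_BAD counterexample:", check_containment(LOW_BAD, "s0"))
```

The counterexample for `LOW_BAD` is the low-level path `receive, log, ship`, whose projection `receive, ship` is rejected in high-level state `received` because `validate` was skipped. Reporting the full low-level path rather than only the projected one is what gives the developer the more informative feedback the abstract argues for. Supporting a nondeterministic high-level model would require tracking a set of high-level states per low-level state (a subset construction), which this example leaves out.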