Development of increasingly more sophisticated safety-critical embedded systems requires new paradigms, since manual approaches are reaching their limits. Experiences have shown that model-driven engineering is an approach that can overcome many of these limitations. Using model-based approaches however lead to new challenges regarding the cohesive integration of both safety engineering and system design along the system development process. In this paper, we present SOPHIA, a modelling language that formalizes safety-related concepts and their relations with system modelling constructs. We particularly focus on accident models and on how to achieve confidence that the frequency of possible accidents will be tolerable. In addition, we explore some strategies to implement SOPHIA as a complementary modelling language to SysML and reuse some useful constructs form the UML MARTE profile.
In order to cope with the increasing design complexity of safety-critical systems,
safety assurance should be considered as early as possible in the design process.
Among other goals, safety assurance allows achieving confidence that the
frequency of accidents will be acceptable. For this purpose, safety engineers need
to specify all possible safety parameters that directly impact the software
architecture design, and then to determine the probability rates of the deviation from
fulfilling the system functions. The Safety Integrity Level (SIL) attribute is an
example of such a parameter. The design of a given system and its subsystems
changes according to the value of the SIL associated with each functionality
of the system. Possible values range between “0” (less critical) and “4” (most
critical) [
Recently, the railway safety community has proposed a new methodological
guidance to enhance safety evaluation. In this proposal, SIL-to-function
allocations exploit a new attribute named Tolerable Accident Rate (TAR). The TAR is
defined as the “threshold between what is tolerable and what is undesirable with
respect to the consequence of an accident” [
Most of current practices on system safety assurance rely mainly on manual
processes. They are therefore very dependent of the skill and experience of the
engineers. This problem is exacerbated by the fact that safety engineering and
software design domains have developed their own techniques and
methodologies. Let us consider the example of the railway application domain. On the one
hand, safety actors adopt standards that provide recommendations for safety
assessment. Illustrative examples are fault tree analysis [
In order to avoid error-prone processes and to integrate both safety
engineering and system design, we adopt a model-based safety engineering process.
Model-Driven Engineering (MDE) [
As a main contribution within this paper, we introduce for the first time
SOPHIA, a modelling language for safety concerns. SOPHIA provides an
answer to safety industrial concerns by allowing designers to specify the safety
attributes in a software design model. Our paper focuses on the infrastructure of
SOPHIA, which is similar to that of MARTE [
In Section 2, we discuss some related works and we identify fundamental criteria and principles for model-based safety engineering. In Section 3, we explain our industrial motivations. We also provide a rationale for SOPHIA as well as a description of its Fundamental Concepts. Moreover, we investigate the strategies regarding the integration of safety and software design. Section 4 is the central part of the paper. For the first time, we discuss the whole structure of SOPHIA: from its Fundamental Concepts to the implementation. In Section 5, we compare our approach with those given in Section 2. Finally, conclusions and on-going works are presented. 2
Integrating safety concerns in general-purpose modelling process is a big challenge that has been explored in many directions. In this section, we focus on a few works which are receiving specific attention in the MDE community.
In order to study dependability in AADL (Architecture Analysis & Design
Language) [
In order to complement AUTOSAR (the European industrial standard to specify
component-based software infrastructures in automotive applications [
FTA is one of the main safety analysis tools. In [
In [
This section provides some background information that have been taken into account for the definition of SOPHIA. Before describing the safety fundamental concepts, we want to discuss the high-level requirements for safety modelling from an industrial perspective.
Standards EN 50126 [
Typically, in industry there is a gap between formal methods and textual system specifications, as well as between subsystem specifications. The main reason for this gap is that there is no standard and common language can be used to capture the different aspects. Semi-formal modelling approaches can bring a common basis to interconnect these different specification aspects. This is the main motivation for formalizing safety attributes into system models, from the early phases of the development process.
Therefore, SOPHIA has the following objectives: 1. enabling the specification of safety attributes in the architectural model of as sytem; 2. automating the calculation of some safety parameters in order to afford modelbased engineering of safety; 3. providing an environment for system development in which coherence (compatibility of all requirements at the same level of abstraction, i.e., horizontal development) and correction (“good” decomposition of parent requirements into children requirements abstraction, i.e., vertical development) properties can be guaranteed by construction and/or verified a posteriori.
Provided these general needs, we present in the next section an excerpt of some fundamental concepts of SOPHIA related to accident case concerns 3.1
The concepts of SOPHIA (and their relationships) are based on Alstom Ontology [
In this paper, we focus on package ACCIDENTS. Our intent is to show the details of the whole language design chain, from the formalization of the TAR attribute in the SOPHIA Fundamental Concepts, to the language implementation details. The result of our work is a first, but firm step towards model-based safety engineering.
Figure 1 shows some notions of package ACCIDENTS. Among them, we depict the TAR attribute. The notions are represented as metaclasses.
Hazard is “an event observable at the system boundary, which has potential either
directly or in combination with other factors (external to the system), for giving rise
to an accident at railway system level” [
AccidentCase is an unintended event with undesirable outcomes. AccidentCase leads to AccidentConsequenques. An AccidentCase is identified by the following properties: a unique ID; an AccidentType chosen from a statically pre-defined list; AutomaticTolerableAccidentRate and TolerableAccidentRate.
AutomaticTolerableAccidentRate is the maximum rate of occurrence that is tolerable
for a likely Accident [
TolerableAccidentRate and AutomaticTolerableAccidentRate are similar properties. The only difference is that TolerableAccidentRate is manually set by safety engineers when they have to deal with exceptional cases (i.e., for which a pre-defined table is not available). In Figure 5, Table “a:” identifies the Risk Tolerability of an accident. It is described with combinations of the following properties: severity of the consequences and frequency of the accident. TolerableAccidentRate is undefined by default. However, if TolerableAccidentRate is set to a different value than undefined, then it has a higher priority with respect to AutomaticTolerableAccidentRate. The importance of having both properties (i.e., one automatically specified and the other one manually set), is that: 1.) the modelling process can be automated in a correct way that respects table Risk Tolerability, 2.) we have traced to the computation, which is automatically derived from table Risk Tolerability. Furthermore, we can identify the divergence points specified by the exceptional cases. In case of divergence, designers must motivate their choices with respect to the value automatically calculated from table Risk Tolerability. From an implementation standpoint, designers could motivate their decisions in a suitable dialog box. The implementation of this latter is part of our ongoing work.
AccidentConsequences is the result of a given AccidentCase. It is defined by the severity of the consequences with respect to the given AccidentCase. Severity may take only one of the following four predefined values: Catastrophic, Critical, Marginal, or Insignificant. These values of severity are captured by an enumeration which is part of our SOPHIA Fundamental Model library.
Next, we discuss the strategies to integrate the safety conceptual concepts defined above with a given general-purpose modelling language, in this case SysML. SysML was chosen by Alstom since it is an OMG standard specification for modelling of complex systems. Although SysML provides a formalism to manage requirements and system design together, SysML is lacking of concepts for dealing with specific concerns of safety. We have three possible strategies to integrate SOPHIA and SysML.
Strategy a defines SOPHIA as an extension to SysML. It has the advantage to be optimally tailored to the aimed integration with SysML. One of the main drawbacks of this strategy is that safety concepts will strongly depend on SysML. Then, any modification of SysML might lead to a modification in the SOPHIA extensions. In addition, safety concepts and SysML are conceptually disjoint, although complementary, and directly extending SysML does not make sense in our context.
Strategy b defines SOPHIA from scratch, i.e. as a pure domain-specific modeling
specification language (DSML) (i.e. independently of UML) and then combining this
metamodel with SysML. Consequently, Strategy b surmounts the drawbacks of
Strategy a: safety concepts are independent not only of SysML but also of UML. It provides
a framework that is fully dedicated to safety concepts and it is independent from other
formalisms. As discussed in work [
Strategy c proposes to firstly introduce SOPHIA as a package of Fundamental
Concepts via a metamodel, in a way that is independent of the UML formalism. In a second
stage, this metamodel (also called domain model ) is implemented as a UML profile. In
this way, we overcome the drawbacks of Stategies a and b, because the concepts are
defined independently of UML, and, thereby, gain the benefits of a domain-specific
approach. Moreover, this approach improves tool interoperability and facilitates the
interface and traceability between different modelling aspects of the same system. SOPHIA
and SysML languages (which are both designed as UML profiles) may indeed be used
jointly in the same UML tool. A successful example of this approach is MARTE [
YES NO YES
We adopt Strategy c and we develop it further. First af all, we strategically use the definition of profile, firstly introduced by S. Cook, and successfully adopted by other researchers: a profile is a family of related languages. It suggests the idea of exploiting the composition of pre-existing profiles. Indeed, our intent is not to define completely “new” metamodel and profile, covering all concepts from safety to architectural design. Our intend is indeed to reuse the existing work as much as possible, so that we can take advantage of pre-existing works and related tools.
In spite of SysML role for requirements and system’s architecture (requirement and
block diagrams), SysML lacks in the specification of temporal attributes [
In the context of SOPHIA, we were particularly interested in MARTE to define
nonfunctional properties (MARTE::NFP) and MARTE::VSL to valuate these properties. The
MARTE::NFP package allows designers to annotate a UML model with non-functional
properties. VSL stands for Value Specification Language and allows designers to specify
“parameters/variables, constants, and expressions in textual form” [
LANGUAGE ENGINEERS
DOMAIN
END
USER DOMAIN
FUNDAMENTAL
CONCEPT
LEVEL PROFILE
LEVEL MODELING
LEVEL
UML
SOPHIA foundamental concepts
MARTE foundamental
concepts <<reference>>
<<reference>> <<mapping>>
<<mapping>> SysML (subset)
MARTE SOPHIA <<import>> (subset)
<<apply>> USER
MODEL
SOPHIA is a UML profile for safety modelling modelling whose definition is based
on SOPHIA Fundamental Concepts. In UML, there is not a specific symbol between
a profile and its fundamental concepts. To explicitly capture this relationship, we use
a dashed arrow annotated with the word “mapping”, following the OMG notation
introduced in work [
Like SOPHIA, MARTE extends UML and it is based on MARTE Fundamental Concepts, so-called MARTE Domain Model.
At fundamental concepts level, we have UML metamodels respectively denoting SOPHIA Fundamental Concepts and MARTE Fundamental Concepts. 4.2
In this section, we describe the UML profile for SOPHIA. It consists of a set of UML extensions and libraries concretized through stereotypes and data types. They map to the SOPHIA Fundamental Concepts (see Figure 3 for a big picture). Similarly to the SOPHIA Fundamental Concepts packages, the corresponding UML profile the profile is designed following a modular approach by grouping language constructs into individual packages, with the ability to select only those packages that are of direct interest in a given model. Due to space limitations, it is not possible to provide details covering the all profile. Therefore, we will focus on the SOPHIA package ACCIDENTS described in Section 3.1.
In the package ACCIDENTS every fundamental concept will directly result in a UML stereotype with its corresponding properties. In this case, there is a 1:1 mapping between the Fundamental Concepts and the profile element. The bottom package in Figure 4 defines how the metaclasses of the UML metamodel are extended with SOPHIA concepts, while the top-hand package shows a subset of the SOPHIA library with some enumeration types of interest.
Before describing the details of how SOPHIA exploits MARTE::VSL, let us introduce a real industrial railway example of risk assessment.
Example Figure 5 shows a typical example of risk assessment tables used in the railway domain. Such tables are used to identify the tolerable accident rate (TAR) of a given accident case (stereotype AccidentCase in Figure 4) and the occurrence rates of the different consequences of an accident case (stereotype AccidentConsequences in Figure 4). Typically, these tables are standardized by the territory authorities. For the sake of simplicity, we focus on the calculation of the TAR and the consequence occurrence rate parameters for a given country.
Starting from “Table a:” of Figure 5, safety engineers define a severity level for every accident case. This information allows for identifying the threshold of the accident case risk. (annotated with “T” in the figure.) The threshold risk identifies the upper limit of a tolerable risk. For instance, let us consider a Critical severity level. The corresponding threshold risk can be identified in the fourth row of the Critical column. This corresponds to the Undesirable risk level. The obtained threshold risk level can then be used to identify a corresponding threshold frequency of the accident case. In our example, such frequency level is Remote. This yields an input value for “Table b:”.
“Table b:” describes a mapping of frequencies of accident cases and numerical information about the magnitude order of such frequencies. This magnitude order is specified as an interval of real numbers. The lower bound value of this interval, corresponding to the threshold frequency level of a given accident case, represents the LIBRARY <<enumeration>>
SeverityKind Catastrophic Critical Marginal
Insignificant ACCIDENTS <<enumeration>> FrequencyKind Frequent Probable Occasional Remote Improbable Incredible <<enumeration>>
RiskKind Intolerable Undesiderable Tolerable
Negligeable <<import>> PARAMETERS <<apply>> (see fig. 5)
MARTE (subset) <<import>> (uml)
ACTOR <<stereotype>>
Hazard
<<stereotype>>
AccidentConsequences tolerableAccidentRate : THR severity: SeverityKind \automaticTolerableAccidentRate : THR \automaticOccurenceRate: FrequencyMagnitudoMap (uml)
UseCase <<stereotype>>
AccidentCase iD: Identification accidentType: AccidentTypeKind tolerableAccidentRate : TAR \a\utomaticTolerableAccidentRate : TAR
Fig. 4. SOPHIA: focus on TAR TAR value for this accident case. In Figure 5, the TAR value the studied accident case is 1x10-8.
Figure 6 shows the model representation of “Table a:”. In a:RiskTolerabilityAccident, each line of attribute RiskMapping represents a line of “Table a:”. Consider “Table a:”. We can read it as: we taken two values, one for colomn and one for row, then, we uniquely identify one cell, which contains the value of the risk. For example, for the colomn we select severity = critical and, for the row, frequency = Incredible Hence, we achieve a unique cell, which contains risk = N egligeable. The first line in Figure 6 represents the list of these attributes and their values. In instance a:RiskTolerabilityAccident, each line is given by the above procedure. In order to model the threshold between what is tolerable and what is undesiderable (noted by “T” in Figure 5), we introduce the Boolean attribute isThreshold in Figure 6. Therefore, if severity = critical, then risk = U ndesiderable, because isThreshold = T rue.
a:RiskTolerabilityAccident is an instance of class RiskTolerabilityAccident, which
contains one attribute riskMapping of type RiskMappingType. We stereotype RiskMappingType
with VSL::TupleType. As might be expected, the VSL package (which contains a set of
stereotypes extending the data type of UML) is applied to some of the SOPHIA data
types. By definition, a TupleType is a data type that combines different types into a
single aggregated type [
Similarly to Table “a:”, we represents “Table b:” by Figure 7, where some predefined MARTE data types are imported and reused in SOPHIA constructs. For instance, RealInterval (a MARTE’s data type stereotyped VSL::IntervalType) is typing the magnitudoOrder property of FrequencyMapType. This allows instances of IntervalType to
severity frequency Insignificant Marginal Critical Catastrophic
Frequent Intolerable Intolerable Intolerable Intolerable
(3)ORcceamsiootneal TNoelgelriagbelaeble TUnTdoelseirdaebrlaeble TUUnnddeessiiddeerraabbllee(2)IUnntodleesriadbelreable
Incredible Negligeable Negligeable Negligeable Tolerable
(1) input designer b: frequency real interval (6) Frequent 1E−3 <= F AutomaticTolerableRateAccident Probable 1E−5 <= F < 1E−3
Occasional 1E−7 <= F < 1E−5 (4) Remote 1E−8(5<)= F < 1E−7
Improbable 1E−9 <= F < 1E−8
Incredible F < 1E−9 be specified with the VSL syntax for interval values, as depicted in b:FrequencyMagnitudoMap. Algorithm to calculate the TAR parameter: In the sequel, we describes the algorithm used to derivate the TAR parameter.
GLOBAL VAR RiskTolerableAccident : ARRAY[SEVERITY KIND][FREQUENCY KIND]: [risk:RISK KIND,IsThereshold:BOOLEAN];
GLOBAL VAR FrequencyMagnitudeMap: ARRAY[FREQUENCY KIND]: REAL INTERVAL; AutomaticTARCalculate (UserSeverityValue:SEVERITY KIND): TAR; VAR MyFrequency: FREQUENCY KIND; VAR MyInterval: REAL INTERVAL; VAR j: INTEGER; j := 0;
WHILE (RiskTolerableAccident [UserSeverityValue][j].IsThereshold hi TRUE)
DO j := j+1; MyFrequency := FREQUENCY KIND[j]; MyInterval := FrequencyMagnitudeMap[MyFrequency];
RETURN AutomaticTARCalculate := MyInterval.LowerBound;
Although it is written in pseudo-code, it can be implemented in Java code and easly introduced in a static profile implementation of SOPHIA. 5
In Section 2, we have discussed some works on safety that have a great impact in the MDE community. Most of them provide both a way to specify the safety attributes in the design model, and tool support for safety analysis. Often, we have faced on two different models: one for safety and another one for design modelling. The focus is then on the “right mapping” and in the a-posteriori verification of the safety attributes.
SOPHIA is based on four capital pillars: – SOPHIA Fundamental Concepts; – reuse of pre-existing profiles (and then their tool support); – automation on the propagation of the safety attributes in the design model; – a-priori verification of the safety attributes in a correct way regarding to pre-defined risk tables.
In the sequel, we discuss each SOPHIA pillar with respect to some of the works presented in Section 2.
Altough SOPHIA is a UML profile, SOPHIA Fundamental Concepts have been created as free as possible from considerations related to specific solution technologies so as to not embody any premature decisions that may hamper later language use.
This means that the fundamental concepts model can be concretized not only as a
UML profile, but also as an independent modelling language, possibly implemented as
an Ecore metamodel or an XML schema, as well. Note that, although the SOPHIA
Fundamental Concepts are specified in the form of a metamodel with a textual semantic
description (like in MARTE), it represents only conceptualization entities synthesizing
the “universe of discourse”. This pillar is similar to that presented in work [
The second pillar introduces SOPHIA as a UML profile, by adopting the definition of profile firstly given by S. Cook. As a result, SOPHIA profile strategically reuses some packages of MARTE and can be easily integrated in a SysML system architecture.
The third pillar put the strength in improving the automation of the modelling process. In particular, SOPHIA provides a framework to automatically generate the value of TAR and the frequency of an accident, from the specification of only one attribute by users, which is the severity attribute of a consequence. This attribute is given by engineers by choosing one of four possible values.
Finally, the fourth pillar’s objective is to enable safety ensurance calculation along the development process, in a way that is correct with respect to pre-defined tables. 6
In this paper, we present for the fist time SOPHIA, a model-based safety engineering approach. SOPHIA responds to industrial needs regarding the integration of safety engineering and system design. SOPHIA provides a metamodeling and profiling infrastructure to specify and propagate the safety information on design models. We have particularly focused on the TAR calculation, which is the first step of the risk evaluation of an accident. The result of some safety attributes, such as TAR, influences the SIL and, hence, changes the model architecture. Such safety information is a-priori correct regarding to pre-defined risk tables. Currently we are performing tests on industrial real cases. We are applying the same process (as discussed for TAR) to other safety attributes. We also intend to mathematically formalize correctness of the automatic propagation of the safety attributes in the design model.
This work has been performed in the context of the IMOFIS project of the System@tic
Paris R´egion Cluster. It is sponsored by the ”Safe, reliable and adapted transportation”
program (PREDIT) of the “Agence Nationale pour la Recherche”. The authors would
like to thank the all member of the IMOFIS project [