Safety Critical Systems

Organic Computing systems are systems which have the capability to autonomously (re-)organize and adapt themselves. The benefit of such systems with self-x properties is that they are more dependable, as they can compensate for some failures. They are easier to maintain, because they can automatically configure themselves and are more convenient to use because of automatic adaptation to new situations. While Organic Computing systems have a lot of desired properties, there still exists only little knowledge on how they can be designed and built. In this paper an approach for specification and construction of a class of Organic Computing systems is presented, called the Restore Invariant Approach (RIA). The core idea is that the behaviour of an Organic Computing system can be split into productive phases and self-x phases. This allows for a generic description of how "organic" aspects can be specified and implemented. The approach will be illustrated by applying it to a design methodology for Organic Computing systems and further refining it to an explicit case study in the domain of production automation.

Purpose: Commercial aviation is feasible thanks to the complex socio-technical air transportation system, which involves interactions between human operators, technical systems, and procedures. In view of the expected growth in commercial aviation, significant changes in this socio-technical system are in development both in the USA and Europe. Such a complex socio-technical system may generate various types of emergent behavior, which may range from simple emergence, through weak emergence, up to strong emergence. The purpose of this paper is to demonstrate that agent-based modeling and simulation allows identifying changed and novel rare emergent behavior in this complex socio-technical system. Methods: An agent based model of a specific operation at an airport has been developed. The specific operation considered is the controlled crossing by a taxiing aircraft of a runway that is in use for controlled departures. The agent-based model includes all relevant human and technical agents, such as the aircraft, the pilots, the controllers and the decision support systems involved. This agent-based model is used to conduct rare event Monte Carlo (MC) simulations. Results: The MC simulation results obtained confirm that agent based modeling and simulation of a socio-technical air transportation system allows to identify rare emergent behavior that was not identified through earlier, non-agent-based simulations, including human-in-the-loop simulations of the same operation. A typical example of such emergent behavior is the finding that alerting systems do not really reduce the safety risk. Conclusions: Agent based MC simulations of commercial aviation operations has been demonstrated as a viable way to be evaluated regarding rare emergent behaviour. This rare emergent behaviour could not have been found through the more traditional simulation approaches.

All avionics software systems are subjected to certification constraints imposed by DO-178 standards. Civil avionics equipment manufacturers are quite conservative in their software development processes: most still use time-tested software engineering tools and methods, due to strict certification constraints. These certification constraints, along with the increasing size and complexity of modern avionics software-intensive systems, are having a huge impact on the cost of certifiable avionics software development. To cope with this increasing complexity, avionics equipment manufacturers need to use modern software development methodologies. This is possible with the release of DO-178C standard. In my thesis, I have explored the use of model-based software product line engineering for certifiable avionics software development, and have proposed industrial-level solutions for using a model-based software product line process based on commercially available tools. In this thesis, I have also explored the applicability of our model-based software product line process to export-controlled, certifiable avionics software development, identifying constraints that limit the reuse of software components among export-controlled avionics software and proposing technical solutions that facilitate the application of a model-based software product line to export-controlled, certifiable avionics software development. The proposed solutions are validated using industrial case studies.

Formal Methods are necessary for the specification, development and verification of safety critical systems. Formal Languages help us to identify errors at an early stage in the development process and can aid in reducing overall system development costs. Despite their benefits, formal methods are not widely accepted in the industry due to the need for high abstraction and a mathematical labor pool. The SOFL (Structured Object-Oriented Formal Language) methodology can be effective and efficient for safety critical systems. Some major issues with formal languages like higher abstraction levels, the need of mathematical skills, developer maturity and high costs can be overcome by using SOFL. SOFL specifically encapsulates three major layers: 1) structured methodology in the early stage of development, 2) object oriented methodology at the detailed level and 3) incorporation of formal methods. In this paper, we have tested the SOFL 3-step approach for the formal specification of a Railway Signaling System, already implemented by using Zed. Afterward we performed a comparison, using certain parameters identified from literature, to assess the appropriateness of Zed and SOFL methodology for the formal specification of a safety critical system. We found SOFL as an instinctive and perceptive for formal specification which overcome the limitations of other formal languages.

The traditional automotive homologation processes aim to ensure the safety of vehicles on public roads. Autonomous Vehicles (AV) with Artificial Intelligence (AI) are difficult to account for in these conventional processes. This research aims to map and attempt to close the gaps in the areas of testing and approval of such automated and connected vehicles. During our research into the homologation process of traditional vehicles; functional safety issues, challenges of AI in safety critical systems, along with questions of cyber security were investigated. Our process focuses on the integration of the already existing functions and prototypes into new products safely. As a key result, we managed to identify the main gaps between Information and Communication Technology (ICT) and automotive technology: the rigidity of the automotive homologation process, functional safety, AI in safety critical areas and we propose a solution.

Smart home safety and security systems have gained much importance over the last few years owing to their notable impact in reducing and preventing losses in resources and human life caused by unwanted situations that could occur while homeowners are far away from their homes. To date, there is a lack of an in-depth literature analysis that could help researchers and developers better understand these systems and their applications in different contexts. It is therefore crucial that research evidence published in this area is presented. In this study, 63 research papers that examined smart home safety and security systems using the Arduino platform from popular literature databases were thoroughly surveyed to extract useful data. Then, the extracted data were analyzed to answer many research questions concerning state-ofthe-art applications of these systems, their architectures, their enabling technologies, their components, etc. In addition, several challenges that these systems currently face and how future research could enable better implementation and use of these systems were discussed.

Roboethics is a recently developed field of applied ethics which deals with the ethical aspects of technologies such as robots, ambient intelligence, direct neural interfaces and invasive nano-devices and intelligent soft bots. In this article we look specifically at the issue of (moral) responsibility in artificial intelligent systems. We argue for a pragmatic approach, where responsibility is seen as a social regulatory mechanism. We claim that having a system which takes care of certain tasks intelligently, learning from experience and making autonomous decisions gives us reasons to talk about a system (an artifact) as being "responsible" for a task. No doubt, technology is morally significant for humans, so the "responsibility for a task" with moral consequences could be seen as moral responsibility. Intelligent systems can be seen as parts of socio-technological systems with distributed responsibilities, where responsible (moral) agency is a matter of degree. Knowing that all possible abnormal conditions of a system operation can never be predicted, and no system can ever be tested for all possible situations of its use, the responsibility of a producer is to assure proper functioning of a system under reasonably foreseeable circumstances. Additional safety measures must however be in place in order to mitigate the consequences of an accident. The socio-technological system aimed at assuring a beneficial deployment of intelligent systems has several functional responsibility feedback loops which must function properly: the awareness and procedures for handling of risks and responsibilities on the side of designers, producers, implementers and maintenance personnel as well as the understanding of society at large of the values and dangers of intelligent technology. The basic precondition for developing of this socio-technological control system is education of engineers in ethics and keeping alive the democratic debate on the preferences about future society.

Estimating the worst-case execution time (WCET) of parallel applications running on many-core architectures is a significant challenge. Some approaches have been proposed, but they assume the mapping of parallel applications on cores already done. Unfortunately, on architectures with caches, task mapping requires a priori known WCETs for tasks, which in turn requires knowing task mapping (i.e., co-located tasks, co-running tasks) to have tight WCET bounds. Therefore, scheduling parallel applications and estimating their WCET introduce a chicken and egg situation. In this paper, we address this issue by developing an optimal integer linear programming formulation for solving the scheduling problem, whose objective is to minimize the WCET of a parallel application. Our proposed static partitioned non-preemptive mapping strategy addresses the effect of local caches to tighten the estimated WCET of the parallel application. We report preliminary results obtained on synthetic parallel ap...

He made my PhD journey an excellent experience with his knowledge, kindness, thoughtfulness and encouragement. I would like to dedicate my deep thanks for my mother, for the encouragement she provided, her unlimited patience, prayers and the sacrifices she made to help me after my father passed away, which without, I would not be able to achieve my goals and survive difficult times. I am greatly indebted to my sincere wife Dalia and my daughter Julie, without their hopeful smiles, emotional support, patience, understanding and infinite love I would not have been able to stand during the difficult moments in my PhD. I would like to convey my sincerest gratitude to my uncle Wahid Hamza who has been supportive through all my life stages. His sympathy and understanding were enormous and significantly appreciated. I am very grateful to all people in the Department of Information Systems and Computing at Brunel University who helped me during my study and provided such a friendly and comfortable environment. Last, but by no means least, I would like to thank all my friends and colleagues who have been my other family in the UK.

Inference Systems (ANFIS), are implemented to diagnose the leakage faults in a nonlinear three tank system. Two separate structures are utilized for fault diagnosis. One is to identify the dynamics of the plant and the other is to construct the residual logic mechanism. The performance of the proposed methods are evaluated by simulations carried out on a three tank system (TTS). The leakages in tanks are considered as faults in the tank system.

The four-variable model of software-controlled embedded systems originally proposed by Parnas and Madey has been used successfully in the development of safety-critical applications in various industries. The model does not explicitly specify the software requirements, but rather bounds them by specifying the system requirements and the input and output hardware interfaces of the system. The software engineers are left with the problem of how to construct software that satisfies the system requirements and hardware interfacing constraints. After formalizing the properties of acceptable system and software implementations using the demonic calculus of relations, we provide (i) a necessary and sufficient condition for the existence of an acceptable software implementation and (ii) a mathematical characterization of the software requirements in terms of their weakest specification.

Software has come to mediate many of the activities in life, including financial service platforms, social networks and vehicle control. As a result, governing bodies have responded to this trend by creating standards and regulations to address issues such as safety and privacy. In this context, the compliance of software development to standards and regulations has emerged as a key issue. For software development organizations, compliance is a complex and costly goal to achieve. They may have to comply with multiple standards due to multiple jurisdictions or to address different aspects of the software and these may overlap and conflict with each other. The evolution of standards must be tracked and changes assessed. Evidence for claims of compliance must be collected and managed. Finally, maintaining families of related software products (product lines) further multiplies the effort. In this paper, we propose to exploit the connection between the field of model management and the problem of compliance management and explore how to use model management techniques to address software compliance management issues.

Safety cases have become popular, even mandated, in a number of jurisdictions that develop products that have to be safe. Prior to their use in software certification, safety cases were already in use in domains like aviation, military applications, and the nuclear industry. Argument based methodologies/approaches have recently become the cornerstone for structuring justification and evidence to support safety claims. We believe that the safety case methodology is useful for the software certification domain, but needs to be tailored, more clearly defined, and more appropriately structured in analogy with regulatory regimes in classical engineering disciplines. This paper presents a number of reasons as to why current approaches to safety cases do not satisfy essential attributes for an effective software certification process and proposes improvements based on lessons learned from other engineering disciplines. In particular, the safety case approach lacks the highly prescriptive and domain specific nature that can be seen in other engineering specialities, in terms of engineering and analysis methods to be applied in generating the relevant evidence. Safety case approaches and corresponding methods should aim to achieve the levels of precision and effectiveness of engineering methods underpinning regulatory regimes in other engineering disciplines.

Many safety-critical computer systems are required to monitor and control physical processes. The four-variable model, which has been used successfully in industry for almost four decades, helps to clarify the behaviors of, and the boundaries between the physical processes, input/output devices, and software. In this model, the acceptable behaviors of the software are constrained by the physical environment, system requirements, and input/output devices. If acceptable software behaviors are possible, then the system requirements are said to be implementable with respect to these constraints. The only acceptability condition proposed in the literature deems as acceptable software behaviors that can lead to undesirable system behaviors, in particular, nondeterministic system behaviors that for the same input sometimes do not produce any results and some other times produce expected results. In this sense, the acceptability condition can be seen as angelic. In this paper we strengthen the acceptability condition using the demonic calculus of relations such that no undesirable system or software behaviors are allowed and prove a necessary and sufficient implementability condition for the system requirements. As a byproduct, we also obtain a mathematical characterization of the least restrictive software specification, which, for all intents and purposes, can play the role of the software requirements.

In designing systems, engineers decompose the problem into smaller, more manageable tasks. A classic example of this is the separation principle from control systems which allows one to decompose the design of an optimal feedback control system into two independent tasks by designing (a) an observer, and (b) a controller. We investigate an analogous result for embedded system interfacing that will allow separation of the design of the input and output hardware interfaces while still guaranteeing the ability of the software to meet the system requirements. We define the notions of observability (controllability) of the system requirements with respect to the input (output) interface. We show that for a system that can be modeled by a functional four-variable model, observability and controllability allow for the separation of the design of the input and output interfaces. We also show that this separation is not always possible for systems that need the general, relational fourvariable model. By strengthening either observability or controllability, we restrict the choice of input or output interfaces, but ensure separability of their designs.

The Operating System (OS) is a major part of embedded software systems and its robustness has considerable influence on the robustness of the entire system. Thus, its robustness testing is critical for assessing the dependability of the system. In this paper, a state-aware approach is proposed to evaluate the robustness of components of embedded real-time OSs in the presence of different types of faulty inputs. This approach leads to identifying critical OS states, their criticality level, and the maximum and minimum level of the OS robustness. It also facilitates comparing the robustness level of OS's components and helps the system developers to select the most appropriate fault tolerance techniques by considering the robustness level and timing limitations. The experimental results demonstrate the ability of the proposed approach in providing more information about the robustness vulnerabilities in the states of the system.

Human systems integration (HSI) involves augmented human design with the objectives of augmenting human capabilities and improving human performance using behavioral technologies. The fundamental matter of human systems integration and augmented human design is the organization and the nature of interactions that couple physiological systems, humans-and engineered systems, artifacts. By this definition, augmented human consists of interactive artefacts linked to physiological systems. This paper focuses on the rationale of a HSI model based on specific experiments (comparison of dynamical sensorimotor integration and motor performances in real and virtual environments) that confirm the hypothesis of functional interaction in the framework of Chauvet's mathematical theory of integrative physiology (MTIP). Epistemological constraints for HSI and the role of MTIP are briefly discussed in this context.

Formal methods involve a mature development technology that can be used to provide the highest confidence and that is used in a wide and expanding variety of environments, especially in key areas where the integrity of systems is critical or where there is a high intensity of use. Formal methods allow the logical properties of a computer system to be predicted from a mathematical model of the system by means of a logical calculation, which is a process analogous to numerical calculation. They make it possible to calculate whether certain properties are consequences of proposed requirements or whether requirements have been interpreted correctly in the derivation of a design. The objective of this paper is to discuss the possible use of formal methods in the field of requirement specification of the railway interlocking system behaviour, followed by the check of its correctness. A simple example is used to demonstrate the use of concrete formal description (Z notation). Then the principles of realisation of more complex solutions in the field of railway interlocking are indicated. Despite the specific contents of the paper concerning the railway applications the conclusions can be generalised and applied to other areas.

What has become apparent therefore, is the need to pay special attention to the utilization of advanced optimized procedures in the charging of Electric Vehicles (EVs) and the determination of the lifespan because of the rise of the usage of renewable energy. Proper battery characterization and SoC prediction are crucial to guarantee the high efficiency, dependability, and durability of EV batteries in various, often challenging, and different scenarios. This review systematically reviews the state-of-art approaches for the prognosis of E-BEH and SoC estimation, the techniques based on traditional physics-based, empiricism-based, ECM and their Machine learning and hybrid techniques' breakthrough. The findings of the research cover parameter tuning and its correlation with machine learning, conventional and neural networks, the impact of proper parameter tuning on accuracy, and reinforcement learning of energy management. The synthesis of different data inputs and the combination of different techniques that can be applied to the nonlinear characteristics of EV batteries are deemed potential to enhance and surpass traditional techniques including enhanced Kalman filter kinds. These sophisticated approaches are illustrated through studies in actual conditions proving their efficiency in making better charging choices, increasing the life cycle of batteries, and ensuring the battery's good state in harsh environments. The major technology trends emerging for the next level of EV battery management are stated as digital twin models and data-centric learning, the standard benchmarking for such systems, data protection through blockchain technology, convergence of edge computing, and high computation ability cloud for EV battery management. Issues like the presence of abnormal data, interpretability of developed models, restrictions in real-time processing, and scalability are contemplated on somewhat extreme, which gives the reader a balanced perspective of state of the art. This review shall present the key findings with an outlook toward the future of EV battery resolution and SoC management highlighting that there remains much more to explore and achieve via practical innovation coupled with the leading-edge technologies requisite for sustainable and adaptive automotive electrification.

The international climate strategy is failing. Current policies will act too slowly to prevent rising temperatures from crossing critical climate tipping points. IPCC assessments underestimate the non-linear risks and catastrophic costs of overshooting Paris Agreement targets. 
Opponents of solar geoengineering cite concerns about moral hazard and other potential risks; however, at this juncture cooling interventions are the only feasible way to stop dangerous climate change.
Worsening impacts will force many climate sceptics to address the crisis. They will increasingly support solar geoengineering, as these methods will allow global temperatures to be rapidly lowered without reducing emissions.
Major powers are already researching climate geoengineering. In the near future one or more countries will almost inevitably deploy unilateral climate interventions to prevent increasingly extreme weather from causing massive crop failures and other deadly disasters.
To forestall the unilateral deployment of untested technologies, an international program is urgently needed to research safe climate cooling methods and develop effective global governance.
Solar geoengineering can reduce temperatures to safe levels, but will not stop rising concentrations of atmospheric greenhouse gases from acidifying the oceans and destroying critical marine ecosystems. Cooling interventions are imperative, but they must be used as supplements for existing strategies to reduce and remove greenhouse gases, not as substitutes.
To ensure constructive outcomes, international dialogue and research must immediately begin on a new, viable climate strategy: supplementing greenhouse gas emission reduction and carbon dioxide removal with cooling interventions. There is no realistic alternative.

In mixed-criticality systems, functionalities of different degrees of importance (or criticalities) are implemented upon a common platform. Such mixed-criticality implementations are becoming increasingly common in embedded systems – consider, for example, the Integrated Modular Avionics (IMA) software architecture used in aviation [5] and the AUTOSAR initiative (AUTomotive Open System ARchitecture – www.autosar.org) for automotive systems. As a consequence the real-time systems research community has recently been devoting much attention to better understanding the challenges that arise in implementing such mixed-criticality systems; this includes research on various aspects of mixed-criticality scheduling. Most of this prior work draws inspiration from the seminal work of Vestal [6], and has taken the approach of validating the correctness of highly critical functionalities under more pessimistic assumptions than the assumptions used in validating the correctness of less critical ...

High-risk industries, particularly the oil and gas sector, face significant safety challenges. This review explores the concept of Chronic Unease and its role in enhancing Safety management, focusing on its interaction with cognitive processes and decision-making strategies. A systematic literature review was conducted using databases including PubMed, Web of Science, and Google Scholar, with search terms such as "Chronic Unease," "Safety management," "High-risk industries," "Cognitive biases," and "decision-making." Articles published between 2010 and 2024 were included.Chronic Unease, characterized by constant vigilance towards potential risks, plays a crucial role in creating proactive safety environments. The interplay between Chronic Unease, fast-thinking and slow thinking processes, and Cognitive biases significantly influences decision-making in high-risk scenarios. Practical applications in the oil and gas industry include comprehensive safety training programs, leveraging advanced technologies, and implementing safety-focused project management methodologies.An integrated approach combining Chronic Unease awareness, slowthinking processes, and strategies to mitigate Cognitive biases can enhance safety performance in High-risk industries. Future research should focus on quantifying the impact of Chronic Unease on safety outcomes and exploring potential drawbacks of sustained vigilance.

This article is a contribution to the special issue on safety science research in the new age of work. It aims to promotes an interdisciplinary and broad (multilevel) approach of safety, recognising the interplay of technology, tasks, culture, structure, power, strategy, regulation, society and markets At the conceptual level, the article promotes a multilevel approach to change which connects mega-macro (global) trends with meso-micro realities with the help of an analytical (integrative) framework. It argues that safety has become a networked, digital and global reality during the last decades. At the methodological level, ethnographic research is presented as one suitable approach to studying safety in this context. Its relevance is based on prolonged periods of time spent in safety-critical systems observing work combined with interviews concerning daily operations and incidents. At the empirical level, a study of a plant in the chemical industry is used as an illustration of the argument. A narrative of the case is developed, exploring the implications of changes in automation and computerisation, externalisation of activities and organisational structure following a new corporate strategy. Change in plant boundaries, in the level of standardisation, in the amount of bureaucratic work, and in group (and regulatory) control and oversight are discussed along with their implications in terms of the nature of tasks and activities, professional identities, patterns of social interactions and distribution of power (decision making). Through the narrative, the increasingly networked, digital and global reality of the plant is revealed in full, with its multiple implications. The article then discusses the findings and reflects on the current flurry of changes which expose safety-critical systems to new challenges.

This proposal highlights several doubts about the complexities of CO2-atmospheric interactions and the need for ongoing research. While some arguments require further investigation and nuanced context, these do not dismiss CO2's influence in global warming. This proposal has not as objective to dismiss CO2 influence in global warming, but aim to improve the theory adding to the global warming equation thermodynamic laws, however, several questions remain about the role of CO2. A comprehensive understanding of all contributing factors, including CO2's role alongside other greenhouse gases and thermodynamic principles, is crucial for addressing the multifaceted challenge of climate change.

The paper will complement a SCITECH 25 presentation on the AIAA cooperation with the  International Test and Evaluation Association (ITEA) on a T&E Code of Practice and explore NATO Research and Technology Organisation and subsequent similar developments for suitability and applicability to the T&E, ground and flight test, and Model-Based System Engineering communities for aircraft stores compatibility focusing on  stores separation and network-enabled weapons and future intelligent and autonomous systems.
Store separation techniques for military aircraft using wind tunnels and computational fluid dynamics, modelling and simulation and flight testing are well established in                        MIL-STD/HDBK-1763 and interoperability in STANAG 7068. This paper will explore over a hundred years of experience of doing this means for novel applications such as Neuromorphic Aircraft Stores Centric Expendable, Returnable Networked Technology Vehicles and the use of analogy to minimize the cost of simulation and flight test while maximizing the outcomes of both the experiment/test in terms of the employment and jettison envelopes being certified for operational use. The case studies will explore lessons learned and our Achilles Heels from both F/A-18 and F-16 conducted under the auspices of NATO RTO and the Fives Eyes nations involved with furthering the science and engineering underpinning future aircraft stores compatibility interoperability and lethal autonomous weapon systems.

Many safety-related systems are built from generic software which is customised to work in a particular situation by static configuration data. Examples of such systems are railway interlockings and air traffic control systems. While there is now considerable experience and guidance on how to develop safety-related software, and there are a number of standards in this area, the topic of safety-related configuration data is hardly mentioned in the literature. This paper discusses the desirable properties of safety-related data and sets out principles for the safety management of such data, including a data lifecycle which is analogous to a software development lifecycle. Validation and verification of the data, and the means used to achieve such validation and verification are given particular attention.

This paper reports work to support dependability arguments about the future reliability of a product before there is direct empirical evidence. We develop a method for estimating the number of residual faults at the time of release from a "barrier model" of the development process, where in each phase faults are created or detected. These estimates can be used in a conservative theory in which a reliability bound can be obtained or can be used to support arguments of fault freeness. We present the work done to demonstrate that the model can be applied in practice. A company that develops safety-critical systems provided access to two projects as well as data over a wide range of past projects. The software development process as enacted was determined and we developed a number of probabilistic process models calibrated with generic data from the literature and from the company projects. The predictive power of the various models was compared.

Over the years, advancements in technology have significantly improved the efficiency of meeting DO-178 requirements. The use of automated testing tools, advanced modeling techniques, and more sophisticated development environments has reduced the time and cost involved in software certification. Learn more in DO-178 courses.

Fault diagnosis and prognosis are some of the most crucial functionalities in complex and safety-critical engineering systems, and particularly fault diagnosis, has been a subject of intensive research in the past four decades. Such capabilities allow for detection and isolation of early developing faults as well as prediction of fault propagation, which can allow for preventive maintenance, or even serve as a countermeasure to the possibility of catastrophic incidence as a result of a failure. Following a short preliminary overview and definitions, this article provides a survey of recent research on fault prognosis. Additionally, we report on some of the significant application domains where prognosis techniques are employed. Finally, some potential directions for future research are outlined.

Multifunctional spoiler (MFS) is one of the most critical parts of the jet aircraft that can be degraded due to incipient faults and consequently jeopardize the safety of a flight. This paper introduces a new fault diagnosis method for the MFS using fusion methodology. Three main faults including null bias current, actuator leakage coefficient, and internal leakage faults are considered and three parallel fusion blocks are invoked to isolate these faults in the system. In each block, an integrated method using an artificial neural network (ANN) and discrete wavelet transform (DWT) is developed via ordered weighted averaging (OWA) operator to achieve a higher reliability and faster diagnosing system. Moreover, several test scenarios are examined to validate the system performance under faulty conditions. Simulation results show the capability of the system in isolating incipient faults in comparison with artificial neural network and discrete wavelet transform methods.

The RE is likely to be the more critical activity in the IS development. A misleading requirements definition results in an inadequate IS deployment for the target workplace. The activity of requirements engineering (RE) is the initial stage for the information systems development process. The RE is often developed using an excessive technological-driven approach. This aspect is pointed as a factor for the failure of the RE and consequently to the corresponding information system. An IS supports work activities. Work activities can be viewed as having different dimensions, namely: technical, social, and organizational. A successful IS should be well conceived technically and should support adequately the social and organizational aspects . We present an evaluation framework for the requirements engineering activities within organizational settings that can help on analysing how this important activity is carried out in organizations. This framework, designed by RETIS, is composed by three parts. The first part focuses on the organizational domain, the second focuses on the users and information systems' stakeholders, and the third focuses on the underlying methods and techniques. Often requirements engineers assume a decisionmaking role asking the users what type of system should be designed. The users have a consultive and passive role. This work is often developed without social and organizational concerns. The IS implementation in a real setting interferes with the social and organizational structures. These effects should be considered in the requirement engineering activity 31,. This requires that RE should be conducted by requirements engineers with expertise on social and organizational issues. It also requires that requirements engineers promote an active, participative, and responsible involvement of users [5, 31,. The idea is to encourage the representation of users' tacit values, motivations and perspectives . The initial validation of this investigation was based in the application of the RETIS in five real organizational settings. Organizations that demonstrate higher maturity in their information systems' function presented a less technological-driven RE approach.

The present paper deals with the development of recommendations for the application of graphical programming languages in safetyrelated system developments. The basis for this development is the analysis of existing safety-related systems and the way in which these systems implemented in text-based programming environments meet the applicable norms and standards. Based on that a present research project analyzes how graphical programming environments can meet these requirements. The core of the project is the development and validation of recommendations for graphical programming languages to meet these applicable norms and standards, including certification bodies, professional associations, manufacturers and users. The elaboration is limited to concepts and suggestions regarding software aspects. Finally, these recommendations should be implemented and verified in the specific development environment LabVIEW.

The pre-silicon verification is typically more significant than post-silicon
verification, which produces an algorithm with the correct functionality and timing parameters. In this paper we propose innovative pre-silicon
verification methodology focused on the Ethernet controller architecture as the design under test (DUT). The methodology employs a layered
verification architecture implemented using the system Verilog language,
aiming to streamline the testing process. A novel test pattern test generator, interfaces and blocks are used to perform the verification. The test patterns are generated based on the operational principles of the ethernet controller block, ensuring comprehensive verification coverage. Additionally, the paper combines different verification parameters with existing approaches to demonstrate the effectiveness of the proposed methodology. It is observed that the performance of the proposed method is better compared to existing methods.

Fault diagnosis and prognosis are some of the most crucial functionalities in complex and safety-critical engineering systems, and particularly fault diagnosis, has been a subject of intensive research in the past four decades. Such capabilities allow for detection and isolation of early developing faults as well as prediction of fault propagation, which can allow for preventive maintenance, or even serve as a countermeasure to the possibility of catastrophic incidence as a result of a failure. Following a short preliminary overview and definitions, this article provides a survey of recent research on fault prognosis. Additionally, we report on some of the significant application domains where prognosis techniques are employed. Finally, some potential directions for future research are outlined. Index Terms-Degradation, fault diagnosis, failure prognosis, remaining useful life. NOMENCLATURE AHSMM Adaptive hidden semi-Markov model. ANFIS Neuro-fuzzy inference systems. AR Autoregressive. ARMA Autoregressive moving average. ARIMA Autoregressive integrated moving average. BIT Built-In test. CBM Condition-based maintenance. CM Condition monitoring. CNC Computer numerical control. CNN Convolutional neural network. DBN Deep belief network.

Multifunctional spoiler (MFS) is one of the most critical parts of the jet aircraft that can be degraded due to incipient faults and consequently jeopardize the safety of a flight. This paper introduces a new fault diagnosis method for the MFS using fusion methodology. Three main faults including null bias current, actuator leakage coefficient, and internal leakage faults are considered and three parallel fusion blocks are invoked to isolate these faults in the system. In each block, an integrated method using an artificial neural network (ANN) and discrete wavelet transform (DWT) is developed via ordered weighted averaging (OWA) operator to achieve a higher reliability and faster diagnosing system. Moreover, several test scenarios are examined to validate the system performance under faulty conditions. Simulation results show the capability of the system in isolating incipient faults in comparison with artificial neural network and discrete wavelet transform methods.

Safety‐critical systems are of paramount importance for many application domains, where safety properties are a key driver to engineer critical aspects and avoid system failures. For the benefits of large‐scale reuse, software product lines (SPL) have been adopted in critical systems industry. However, the integration of safety analysis in the SPL development process is nontrivial. Also, the different usage contexts of safety‐critical systems complicates component fault modeling tasks and the identification of potential hazards. In this light, better methods become necessary to estimate the impact of dependability properties during Hazard Analysis and Risk Assessment. Existing methods incorporating the analysis of safety properties in SPL are limited as they do not include hazard analysis and component fault modeling. In this paper, we present the novel DEPendable Software Product Line Engineering (DEPendable‐SPLE) approach, which extends traditional SPL processes to support the reu...

I would not have been able to provide and complete this Thesis without the sincere support and help of many people. Foremost, I would like to thank my supervisor Dr. Steve Counsell for his patience, motivation, advice, and continuous help and support. He made my PhD journey an excellent experience with his knowledge, kindness, thoughtfulness and encouragement. I would like to dedicate my deep thanks for my mother, for the encouragement she provided, her unlimited patience, prayers and the sacrifices she made to help me after my father passed away, which without, I would not be able to achieve my goals and survive difficult times. I am greatly indebted to my sincere wife Dalia and my daughter Julie, without their hopeful smiles, emotional support, patience, understanding and infinite love I would not have been able to stand during the difficult moments in my PhD. I would like to convey my sincerest gratitude to my uncle Wahid Hamza who has been supportive through all my life stages. His sympathy and understanding were enormous and significantly appreciated. I am very grateful to all people in the Department of Information Systems and Computing at Brunel University who helped me during my study and provided such a friendly and comfortable environment. Last, but by no means least, I would like to thank all my friends and colleagues who have been my other family in the UK.

The aim of this paper is to validate the effectiveness of model-based approach for the indigenously developed stall warning and aircraft interface computer system (SWS/AIC) by generating the software engineering process metrics and the development of the empirical relationship between the conventional and the model-based approach. The quantitative metrics for software analyzability, changeability, testability, stability, traceability, safety compliance, reliability, design time, de-bug time, upgrade time, reusability, readability, maintainability, modularity, reachability and availability is derived and generated for the two approaches to demonstrate the effectiveness of the model-based approach. The empirical relationship developed helps in analyzing the reduction in effort for development of safety critical software using model-based approach. The metrics generated and the empirical relationship derived between the two approaches proves the effectiveness of the model-based approac...

The aim of this paper is to validate the effectiveness of model-based approach for the indigenously developed stall warning and aircraft interface computer system (SWS/AIC) by generating the software engineering process metrics and the development of the empirical relationship between the conventional and the model-based approach. The quantitative metrics for software analyzability, changeability, testability, stability, traceability, safety compliance, reliability, design time, de-bug time, upgrade time, reusability, readability, maintainability, modularity, reachability and availability is derived and generated for the two approaches to demonstrate the effectiveness of the model-based approach. The empirical relationship developed helps in analyzing the reduction in effort for development of safety critical software using model-based approach. The metrics generated and the empirical relationship derived between the two approaches proves the effectiveness of the model-based approac...

 Users may download and print one copy of any publication from the public portal for the purpose of private study or research.  You may not further distribute the material or use it for any profit-making activity or commercial gain  You may freely distribute the URL identifying the publication in the public portal If you believe that this document breaches copyright please contact us providing details, and we will remove access to the work immediately and investigate your claim.

CompCert is the first commercially available optimizing compiler that is formally verified, using machine-assisted mathematical proofs, to be exempt from mis-compilation. The executable code it produces is proved to behave exactly as specified by the semantics of the source C program. This article gives an overview of the use of CompCert to gain certification credits for a highly safety-critical industry application, certified according to IEC 60880. We will briefly introduce the target application, illustrate the process of changing the existing compiler infrastructure to CompCert, and discuss performance characteristics. The main part focuses on the tool qualification strategy, in particular on how to take advantage of the formal correctness proof in the certification process.

CompCert is the first commercially available optimizing compiler that is formally verified, using machine-assisted mathematical proofs, to be free from miscompilation. The executable code it produces is proved to behave exactly as specified by the semantics of the source C program. CompCert's intended use is the compilation of safety-critical and mission-critical software meeting high levels of assurance. This article gives an overview of the design of CompCert and its proof concept, summarizes the resulting confidence argument, and gives an overview of relevant tool qualification strategies. We briefly summarize practical experience and give an overview of recent CompCert developments.

The safety-critical system communities have been struggling to manage and maintain their legacy software systems because upgrading such systems has been a complex challenge. To overcome or reduce this problem, reverse engineering has been increasingly used in safety-critical systems. This paper proposes C2AADL_Reverse, a model-driven reverse engineering approach for safety-critical software development and verification. C2AADL_Reverse takes multi-task C source code as input, and generates AADL (Architecture Analysis and Design Language) model of the legacy software systems. Compared with

The growing trend to use multi-core processors to get more performance is increasingly present in safety-critical systems. Synchronous dataflow programming is naturally well-suited to parallel execution, thanks to the fact that all data dependencies are always explicit. MiniSIGNAL is a multi-task code generation tool for the synchronous dataflow language SIGNAL. The existing Min-iSIGNAL code generation strategies mainly consider coarse-grained parallelism based on Ada multi-task model. However, when we applied it to industrial case studies, this code generation scheme has revealed inefficient: architecture aspects of the target platform have to be taken into account to achieve finegrained parallelism. To generate more efficient target code from industrial cases, this paper presents a new multi-task code generation method for MiniSIGNAL. Starting at the level of synchronous clocked guarded actions (S-CGA) which is an intermediate language for the compilation process of MiniSIGNAL, the transformation consists of two parts: at the platform-independent level, transforming the S-CGA representation to an abstract multi-task structure (called Virtual Multi-Tasks, VMT); at the platform-dependent level, adopting the thread pool pattern concurrent JobQueue to support fine-grained parallel Ada code genera

The safety-critical system communities have been struggling to manage and maintain their legacy software systems because upgrading such systems has been a complex challenge. To overcome or reduce this problem, reverse engineering has been increasingly used in safety-critical systems. This paper proposes C2AADL_Reverse, a model-driven reverse engineering approach for safety-critical software development and verification. C2AADL_Reverse takes multi-task C source code as input, and generates AADL (Architecture Analysis and Design Language) model of the legacy software systems. Compared with

Designing safety critical systems is a complex task due to the need of guaranteeing that the resulting model can cope with all the functional and non-functional requirements of the system. Obtaining such guarantees is only possible with the use of model verification techniques. This paper presents an approach aimed to fulfill the needs of critical system design. The proposed approach is based on the Architecture Analysis and Design Language (AADL), which is suitable to describe the system's architecture. It contains a sequence of model transformations that easies the verification of the designed AADL model and so assures its correctness. It must be highlighted that this is not performed in a single step, as it is possible to verify AADL models with different abstraction levels, which allows successive refinements in a top-down approach. We use a case study from an Autonomous Parking System to illustrate the proposed development process.