APPENDIX A – GLOSSARY
Source: atcproyectos.ugr.es/recomp/images/stories/deliverables/D2...
The following acronyms have been used in this document:
Acronym | Definition
ElinOS | SysGo Linux-like operating system
Lime Concolic Tester | Lightweight formal Methods for distributed component-based Embedded systems
MCDC | Modified Condition/Decision Coverage
PC | Portable computer
POSIX | "Portable Operating System Interface for Unix". POSIX is the name of a family of related standards that define the application programming interface (API), along with shell and utilities interfaces, for software compatible with variants of the Unix operating system.
QEMU | Open source software that provides an interface to the target hardware on which the PikeOS and ElinOS operating systems can run, without the operating systems having to interface directly with the target hardware.
Rx | Receiver
TAC | Threaded Application Component
Tx | Transmitter
APPENDIX B – TCA RESULT FOR THE AVIONICS DOMAIN
1 TCL DETAILS OF RECOMP TOOL CHAIN
This chapter has been generated from the formal tool chain model and contains all relevant information to determine the TCLs of the tools used. Table 1 shows the settings and Table 2 shows the active variants with which this document was generated. For further details of the report creation see section "Report Generation" of the User Manual.
Setting | Value
Compact Report | false
With Assumptions | true
Include Subsumes | true
Include Images | true
Table 1 Settings for this documentation
Variant Settings
Active Variants: Avionic
Table 2 Variant Settings
The report starts with an overview of the analysis results, then describes each tool in detail, including TCL determination, and concludes with an appendix for further information.
ToolChain: RECOMP Tool Chain
Description: All models are integrated here
TCL Determination: TCL 3
Table 3 ToolChain: RECOMP Tool Chain
1.1 TCL RESULT OVERVIEW
Table 4 shows the result of the tool evaluation, in particular the tool confidence levels.
Name | Tool Impact (TI) | Tool Detection (TD) | Tool Confidence Level (TCL) | Assumptions
Development | TI 2 (Impact) | TD 3 (LOW) | TCL 3 | -
GEMDE Certification | TI 2 (Impact) | TD 1 (HIGH) | TCL 1 | -
Medini | TI 2 (Impact) | TD 1 (HIGH) | TCL 1 | -
nuSMV Model Checker | TI 2 (Impact) | TD 1 (HIGH) | TCL 1 | -
Process Checker | TI 2 (Impact) | TD 1 (HIGH) | TCL 1 | -
Simulink | TI 2 (Impact) | TD 3 (LOW) | TCL 3 | 1
Tecnalia Assurance Case Editor | TI 2 (Impact) | TD 1 (HIGH) | TCL 1 | -
Tool Chain Analyzer | TI 2 (Impact) | TD 3 (LOW) | TCL 3 | 1
YICES SMT Solver | TI 2 (Impact) | TD 1 (HIGH) | TCL 1 | -
Table 4 Evaluation Results of RECOMP Tool Chain
Fig 1 shows the error flow in the RECOMP Tool Chain. The number on an edge denotes the number of error flows between the two tools. An error flow is a detection possibility or an avoidance possibility for an error. Note that one error may have several flows, so the number of flows can be larger than the number of errors in the model. For example, the tool Tool Chain Analyzer contains 11 different errors in 19 occurrences. There are 7 error flows (detection or avoidance possibilities for error occurrences) into Tool Chain Analyzer; these 7 flows go from the Tool Chain Analyzer into itself, i.e. the errors are avoided or detected by carefully using the tool. There are 2 error flows from the Tool Chain Analyzer into the Process Checker, i.e. these errors are detected by the Process Checker.
Fig 1 Error Flow in RECOMP Tool Chain
1.2 DEVELOPMENT
This section explains the determination of the Tool Confidence Level (TCL) for the tool Development.
Tool: Development
Description: This is not a concrete tool but a model of any development tool chain (including humans) that can cause different errors when producing source code.
Impact: TI 2 (Impact)
Tool Confidence Level: TCL 3
Table 5 Tool: Development
The tool Development is modeled with 5 elements which have impact, none of them assumptions. No additional features have been modeled.
Elements | Amount (Assumptions)
Use Cases | 1 (0)
Checks | 0 (0)
Restrictions | 0 (0)
Potential Errors | 4 (0)
Table 6 Amount of Elements in Tool: Development
1.2.1 USE CASES OF DEVELOPMENT
This section describes all analyzed use cases of Development in separate subsections. The following use cases of the tool Development are considered:
1. Create Code, see Section 1.2.1.1
1.2.1.1 USE CASE CREATE CODE
This section describes the use case "Create Code".
UseCase: Create Code
Description: This is the use case of creating C code; it collects some potential errors that can be discovered by the test tool.
Table 7 UseCase: Create Code
The use case requires no features and calls no other use cases. The use case "Create Code" reads and/or writes the following artifacts. The used artifacts are shown in Fig 2 and are summarized in the subsequent table.
Fig 2 Artifacts of Use Case: Create Code
Artifacts of Use Case: Create Code
Outputs: C/C++ Source Code
Table 8 Artifacts of Use Case: Create Code
1.2.2 FEATURES OF DEVELOPMENT
There are no features modeled for Development.
1.2.3 POTENTIAL ERRORS IN DEVELOPMENT
The tool has 4 different potential errors in 4 occurrences in use cases. The error flow consists of all relations from errors to checks or restrictions. There are
• no relations from errors caused by other tools to checks or restrictions defined for use cases of this tool,
• no relations from errors caused by this tool to checks or restrictions defined for use cases of this tool,
• no relations from errors caused by this tool to checks or restrictions defined for use cases of other tools,
• 4 errors caused by this tool without any relation to checks or restrictions.
The following 4 error occurrences of Development have no relation to any check or restriction:
• Assertion Violation (Table 10)
• Dead Code (Table 11)
• Other Programing Error (Table 12)
• Runtime Error (Table 13)
1.2.4 RESTRICTIONS IN DEVELOPMENT
There are no restrictions in the tool Development.
1.2.5 CHECKS IN DEVELOPMENT
No checks are performed in the tool Development.
1.2.6 ASSUMPTIONS
The determination of the TCL of Development is not based on assumed checks and restrictions. None of the checks and restrictions are modeled as assumptions.
1.2.7 TCL DETERMINATION
This section determines a TCL for each use case by assigning checks or restrictions with detection/avoidance probability to each potential error. The TCL for the entire tool can be derived from the TCL for each use case. The tool Development has no use case with TCL 1, no use case with TCL 2 and one use case with TCL 3. Therefore the tool Development has TCL 3. The use cases are described in the following sections:
• For "Create Code" (TCL 3) see Section 1.2.7.1.
1.2.7.1 TCL DETERMINATION FOR USE CASE: CREATE CODE
The use case "Create Code" has TCL 3. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "Create Code".
Error | TD | Table
Assertion Violation | TD 3 (LOW) | Table 10
Dead Code | TD 3 (LOW) | Table 11
Other Programing Error | TD 3 (LOW) | Table 12
Runtime Error | TD 3 (LOW) | Table 13
Table 9 Errors of Use Case: Create Code
Error: Assertion Violation
Description: The program contains assertions that can be violated under some conditions.
From use case: Create Code
Occurrences: in Create Code
Error View: (figure not reproduced)
Table 10 Error: Assertion Violation
Error: Dead Code
Description: Code that is not reachable is called dead code.
From use case: Create Code
Occurrences: in Create Code
Error View: (figure not reproduced)
Table 11 Error: Dead Code
Error: Other Programing Error
Description: Any other functional error that can be introduced into the code.
From use case: Create Code
Occurrences: in Create Code
Error View: (figure not reproduced)
Table 12 Error: Other Programing Error
Error: Runtime Error
Description: A runtime error is an error that causes the program to crash during execution. This
From use case: Create Code
Occurrences: in Create Code
Error View: (figure not reproduced)
Table 13 Error: Runtime Error
1.3 GEMDE CERTIFICATION
This section explains the determination of the Tool Confidence Level (TCL) for the tool GEMDE Certification.
Tool: GEMDE Certification
Description: Tool for certification support. Comment: This is just a supporting tool to gather all the certification documentation. It does not create running software or tests.
Impact: TI 2 (Impact)
Tool Confidence Level: TCL 1
Table 14 Tool: GEMDE Certification
The tool GEMDE Certification is modeled with 9 elements which have impact, none of them assumptions. No additional features have been modeled.
Elements | Amount (Assumptions)
Use Cases | 3 (0)
Checks | 3 (0)
Restrictions | 0 (0)
Potential Errors | 3 (0)
Table 15 Amount of Elements in Tool: GEMDE Certification
1.3.1 USE CASES OF GEMDE CERTIFICATION
This section describes all analyzed use cases of GEMDE Certification in separate subsections. The following use cases of the tool GEMDE Certification are considered:
1. Assessment view, see Section 1.3.1.1
2. Quality view, see Section 1.3.1.2
3. Technical view, see Section 1.3.1.3
1.3.1.1 USE CASE ASSESSMENT VIEW
This section describes the use case "Assessment view".
UseCase: Assessment view
Description: Assessment or validation of the Qualification Project against the Qualification Reference
Table 16 UseCase: Assessment view
The use case requires no features and calls no other use cases. The use case "Assessment view" reads and/or writes the following artifacts. The used artifacts are shown in Fig 3 and are summarized in the subsequent table.
Fig 3 Artifacts of Use Case: Assessment view
Artifacts of Use Case: Assessment view
Inputs: ProjectModel, ReferenceModel
Outputs: No-Conformity metrics
Table 17 Artifacts of Use Case: Assessment view
1.3.1.2 USE CASE QUALITY VIEW
This section describes the use case "Quality view".
UseCase: Quality view
Description: Selection and definition of the Qualification Reference. Definition of the scope of the Qualification Reference
Table 18 UseCase: Quality view
The use case requires no features and calls no other use cases. The use case "Quality view" reads and/or writes the following artifacts. The used artifacts are shown in Fig 4 and are summarized in the subsequent table.
Fig 4 Artifacts of Use Case: Quality view
Artifacts of Use Case: Quality view
Inputs: StandardsRegulation
Outputs: ReferenceModel
Inputs & Outputs: ReferenceModel
Table 19 Artifacts of Use Case: Quality view
1.3.1.3 USE CASE TECHNICAL VIEW
This section describes the use case "Technical view".
UseCase: Technical view
Description: Definition of the Qualification Project and associated Qualification Reference
Table 20 UseCase: Technical view
The use case requires no features and calls 11 other use cases. Fig 5 shows the dependencies between the use cases and features.
Fig 5 Dependency View of Use Case: Technical view
"Technical view" calls the following use cases:
• Medini,Detailed architecture definition
• Medini,FHA Generation
• Medini,FMEA Generation
• Medini,FTA Generation
• Medini,Function allocation
• Medini,Generation HW Coverage
• Medini,HW/SW allocation
• Medini,Item Definition
• Medini,SW Architecture definition
• Medini,Safety goals definition
• Tecnalia Assurance Case Editor,Assurance Case edition
The use case "Technical view" reads and/or writes the following artifacts. The used artifacts are shown in Fig 6 and are summarized in the subsequent table.
Fig 6 Artifacts of Use Case: Technical view
Artifacts of Use Case: Technical view
Inputs: Detailed System Architecture, Evidence, FHA, FMEA, FTA, Failure rate catalog, Functionalities, Malfunctions, No-Conformity metrics, Preliminary System Architecture, ReferenceModel, Safety Case, Safety Goals List, Safety Requirements
Outputs: ProjectModel
Table 21 Artifacts of Use Case: Technical view
1.3.2 FEATURES OF GEMDE CERTIFICATION
There are no features modeled for GEMDE Certification.
1.3.3 POTENTIAL ERRORS IN GEMDE CERTIFICATION
The tool has 3 different potential errors in 3 occurrences in use cases. The error flow, as can be seen in Fig 7, consists of all relations from errors to checks or restrictions. There are
• no relations from errors caused by other tools to checks or restrictions defined for use cases of this tool,
• 3 relations from errors caused by this tool to checks or restrictions defined for use cases of this tool,
• no relations from errors caused by this tool to checks or restrictions defined for use cases of other tools.
Fig 7 Error Flow to and from GEMDE Certification
GEMDE Certification has the following 3 relations, which are detected by checks or restrictions of this tool. The errors are described in detail in the TCL analysis of the corresponding use cases:
• AssesmentIncorrect (Table 26)
• ModelIncorrectness (Table 28)
• ProjectIncorrectness (Table 30)
1.3.4 RESTRICTIONS IN GEMDE CERTIFICATION
There are no restrictions in the tool GEMDE Certification.
1.3.5 CHECKS IN GEMDE CERTIFICATION
The following 3 checks are performed in the tool GEMDE Certification.
Check: QualityManagerChecks
Description: The Quality Manager checks the outputs before the final certification
From use case: GEMDE Certification,Assessment view
Occurrences: in Assessment view
Error detection probability: TD 1 (HIGH)
Detected errors: Assessment view,AssesmentIncorrect
Table 22 Check: QualityManagerChecks
Check: RegulationManagerChecks
Description: The Regulation Manager checks the model that gives the result
From use case: GEMDE Certification,Technical view
Occurrences: in Technical view
Error detection probability: TD 1 (HIGH)
Detected errors: Technical view,ProjectIncorrectness
Table 23 Check: RegulationManagerChecks
Check: TechnicalManagerChecks
Description: The Technical Manager checks every piece of evidence given as an input and the justification for the objectives
From use case: GEMDE Certification,Quality view
Occurrences: in Quality view
Error detection probability: TD 1 (HIGH)
Detected errors: Quality view,ModelIncorrectness
Table 24 Check: TechnicalManagerChecks
1.3.6 ASSUMPTIONS
The determination of the TCL of GEMDE Certification is not based on assumed checks and restrictions. None of the checks and restrictions are modeled as assumptions.
1.3.7 TCL DETERMINATION
This section determines a TCL for each use case by assigning checks or restrictions with detection/avoidance probability to each potential error. The TCL for the entire tool can be derived from the TCL for each use case. The tool GEMDE Certification has 3 use cases with TCL 1, no use case with TCL 2 and no use case with TCL 3. Therefore the tool GEMDE Certification has TCL 1. The use cases are described in the following sections:
• For "Assessment view" (TCL 1) see Section 1.3.7.1,
• for "Quality view" (TCL 1) see Section 1.3.7.2, and
• for "Technical view" (TCL 1) see Section 1.3.7.3.
1.3.7.1 TCL DETERMINATION FOR USE CASE: ASSESSMENT VIEW
The use case "Assessment view" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "Assessment view".
Error | TD | Table
AssesmentIncorrect | TD 1 (HIGH) | Table 26
Table 25 Errors of Use Case: Assessment view
Error: AssesmentIncorrect
Description: Lack of evidence, or the justification is not correct
From use case: Assessment view
Discovered by the following checks: Assessment view.QualityManagerChecks
Occurrences: in Assessment view
Error View: (figure not reproduced)
Table 26 Error: AssesmentIncorrect
1.3.7.2 TCL DETERMINATION FOR USE CASE: QUALITY VIEW
The use case "Quality view" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "Quality view".
Error | TD | Table
ModelIncorrectness | TD 1 (HIGH) | Table 28
Table 27 Errors of Use Case: Quality view
Error: ModelIncorrectness
Description: Model is not coherent with the standard
From use case: Quality view
Discovered by the following checks: Quality view.TechnicalManagerChecks
Occurrences: in Quality view
Error View: (figure not reproduced)
Table 28 Error: ModelIncorrectness
1.3.7.3 TCL DETERMINATION FOR USE CASE: TECHNICAL VIEW
The use case "Technical view" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "Technical view".
Error | TD | Table
ProjectIncorrectness | TD 1 (HIGH) | Table 30
Table 29 Errors of Use Case: Technical view
Error: ProjectIncorrectness
Description: The evidence does not support the certification objectives
From use case: Technical view
Discovered by the following checks: Technical view.RegulationManagerChecks
Occurrences: in Technical view
Error View: (figure not reproduced)
Table 30 Error: ProjectIncorrectness
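The TCL rules stated in sections 1.2.7 and 1.3.7 (an error with no related check or restriction gets TD 3; a use case takes the worst TD of its errors; a tool takes the worst TCL of its use cases) and the error-flow counting of section 1.3.3 are small enough to write down as a program. The block below is an added example, not code from the RECOMP Tool Chain Analyzer or any project tool. It models Development and GEMDE Certification exactly as this appendix describes them and reproduces their rows of Table 4; the TI/TD to TCL matrix is the ISO 26262-8 one (TI 1 gives TCL 1, TI 2 with TD 1/2/3 gives TCL 1/2/3), of which the page only shows the TD 1 and TD 3 cases, so the other rows are an assumption. The "Analyzer"/"Checker" pair and its "InputValidation" check are constructed to show a flow into another tool's check and how a single uncovered error pulls a use case down to TCL 3.

```python
"""Added example (not code from the RECOMP Tool Chain Analyzer): a minimal
re-implementation of the TCL derivation described in sections 1.2.7 and
1.3.7, plus the error-flow counting of section 1.3.3.

Rules taken from the text:
  * an error's TD is the best (lowest-numbered) detection/avoidance
    probability of any check or restriction related to it; an error with
    no related check or restriction gets TD 3 (LOW);
  * a use case's TD is the worst TD of its errors, and the tool's TCL is
    the worst TCL of its use cases.
Assumption (ISO 26262-8 tool qualification matrix, not shown on the page):
  TI 1 -> TCL 1; TI 2 with TD 1/2/3 -> TCL 1/2/3.
Development and GEMDE Certification are modeled as in this appendix; the
"Analyzer"/"Checker" pair is constructed to show a cross-tool flow.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Detector:
    """A check or restriction of some tool with its TD (1=HIGH .. 3=LOW)."""
    name: str
    tool: str                 # tool whose use case performs it
    td: int
    errors: tuple             # (source tool, error name) pairs it covers


@dataclass
class UseCase:
    name: str
    errors: list = field(default_factory=list)


@dataclass
class Tool:
    name: str
    ti: int
    use_cases: list = field(default_factory=list)


def tcl_from(ti, td):
    """ISO 26262-8 style TI/TD -> TCL matrix (assumption, see docstring)."""
    if ti == 1:
        return 1
    if ti == 2 and td in (1, 2, 3):
        return td
    raise ValueError(f"unsupported TI/TD combination {ti}/{td}")


def error_td(tool_name, error, detectors):
    """Best TD over all detectors covering (tool_name, error); 3 if none."""
    tds = [d.td for d in detectors if (tool_name, error) in d.errors]
    return min(tds) if tds else 3


def use_case_td(tool, uc, detectors):
    """Worst TD over the use case's errors (a use case without errors is
    treated as TD 1: an assumption, the page shows no such case)."""
    tds = [error_td(tool.name, e, detectors) for e in uc.errors]
    return max(tds) if tds else 1


def tool_tcl(tool, detectors):
    """Worst TCL over the tool's use cases."""
    return max(tcl_from(tool.ti, use_case_td(tool, uc, detectors))
               for uc in tool.use_cases)


def error_flows(detectors):
    """Count error -> check/restriction relations per (source, detecting) tool,
    i.e. the numbers that label the edges of the error-flow figure."""
    flows = {}
    for d in detectors:
        for src_tool, _ in d.errors:
            flows[(src_tool, d.tool)] = flows.get((src_tool, d.tool), 0) + 1
    return flows


GEMDE = "GEMDE Certification"
TOOLS = [
    Tool("Development", 2, [UseCase("Create Code", [
        "Assertion Violation", "Dead Code", "Other Programing Error", "Runtime Error"])]),
    Tool(GEMDE, 2, [
        UseCase("Assessment view", ["AssesmentIncorrect"]),
        UseCase("Quality view", ["ModelIncorrectness"]),
        UseCase("Technical view", ["ProjectIncorrectness"])]),
    # constructed: one of two errors is caught by another tool's check
    Tool("Analyzer", 2, [UseCase("Analyze", ["Wrong result", "Missing input"])]),
]
DETECTORS = [
    Detector("QualityManagerChecks", GEMDE, 1, ((GEMDE, "AssesmentIncorrect"),)),
    Detector("TechnicalManagerChecks", GEMDE, 1, ((GEMDE, "ModelIncorrectness"),)),
    Detector("RegulationManagerChecks", GEMDE, 1, ((GEMDE, "ProjectIncorrectness"),)),
    Detector("InputValidation", "Checker", 1, (("Analyzer", "Missing input"),)),  # constructed
]


def report(tools=TOOLS, detectors=DETECTORS):
    """Return {tool name: (TI, worst TD, TCL)}, i.e. the rows of Table 4."""
    out = {}
    for t in tools:
        td = max(use_case_td(t, uc, detectors) for uc in t.use_cases)
        out[t.name] = (t.ti, td, tool_tcl(t, detectors))
    return out


if __name__ == "__main__":
    for name, (ti, td, tcl) in report().items():
        print(f"{name:20s} TI {ti}  TD {td}  TCL {tcl}")
    for (src, dst), n in sorted(error_flows(DETECTORS).items()):
        print(f"{n} error flow(s) from {src} into {dst}")
```

Running it prints Development at TCL 3 and GEMDE Certification at TCL 1, as in Table 4, and 3 flows from GEMDE Certification into itself (the three manager checks). The constructed Analyzer also lands at TCL 3 even though one of its two errors is covered at TD 1: the worst error decides, which is why a tool model such as Development, with four uncovered errors, cannot get better than TCL 3 without adding checks or restrictions.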
1.4 MEDINI
This section explains the determination of the Tool Confidence Level (TCL) for the tool Medini.
Tool: Medini
Description: Tool Medini Analyzer. Comment: The results are always reviewed by human experts. It generates neither the tests that should be addressed during the project nor the software that should be tested.
Impact: TI 2 (Impact)
Tool Confidence Level: TCL 1
Table 31 Tool: Medini
The tool Medini is modeled with 65 elements which have impact, none of them assumptions. No additional features have been modeled.
Elements | Amount (Assumptions)
Use Cases | 10 (0)
Checks | 20 (0)
Restrictions | 14 (0)
Potential Errors | 21 (0)
Table 32 Amount of Elements in Tool: Medini
1.4.1 USE CASES OF MEDINI
This section describes all analyzed use cases of Medini in separate subsections.
The following use cases of the tool Medini are considered:
1. Detailed architecture definition, see Section 1.4.1.1
2. FHA Generation, see Section 1.4.1.2
3. FMEA Generation, see Section 1.4.1.3
4. FTA Generation, see Section 1.4.1.4
5. Function allocation, see Section 1.4.1.5
6. Generation HW Coverage, see Section 1.4.1.6
7. HW/SW allocation, see Section 1.4.1.7
8. Item Definition, see Section 1.4.1.8
9. Safety goals definition, see Section 1.4.1.9
10. SW Architecture definition, see Section 1.4.1.10
1.4.1.1 USE CASE DETAILED ARCHITECTURE DEFINITION
This section describes the use case "Detailed architecture definition".
UseCase: Detailed architecture definition
Description: Detailed architecture definition
Table 33 UseCase: Detailed architecture definition
The use case requires no features and calls no other use cases. Use cases calling "Detailed architecture definition":
• GEMDE Certification,Technical view
The use case "Detailed architecture definition" reads and/or writes the following artifacts. The used artifacts are shown in Fig 8 and are summarized in the subsequent table.
Fig 8 Artifacts of Use Case: Detailed architecture definition
Artifacts of Use Case: Detailed architecture definition
Outputs: Detailed System Architecture
Inputs & Outputs: Detailed System Architecture
Table 34 Artifacts of Use Case: Detailed architecture definition
1.4.1.2 USE CASE FHA GENERATION
This section describes the use case "FHA Generation".
UseCase: FHA Generation
Description: FHA Generation
Table 35 UseCase: FHA Generation
The use case requires no features and calls no other use cases. Use cases calling "FHA Generation":
• GEMDE Certification,Technical view
The use case "FHA Generation" reads and/or writes the following artifacts. The used artifacts are shown in Fig 9 and are summarized in the subsequent table.
Fig 9 Artifacts of Use Case: FHA Generation
Artifacts of Use Case: FHA Generation
Outputs: FHA
Inputs & Outputs: FHA
Table 36 Artifacts of Use Case: FHA Generation
1.4.1.3 USE CASE FMEA GENERATION
This section describes the use case "FMEA Generation".
UseCase: FMEA Generation
Description: FMEA Generation
Table 37 UseCase: FMEA Generation
The use case requires no features and calls no other use cases. Use cases calling "FMEA Generation":
• GEMDE Certification,Technical view
In order to fulfill the requirements of a use case, usually a number of artifacts will be read and/or written. But in "FMEA Generation" the tool Medini uses no artifacts.
1.4.1.4 USE CASE FTA GENERATION
This section describes the use case "FTA Generation".
UseCase: FTA Generation
Description: FTA Generation
Table 38 UseCase: FTA Generation
The use case requires no features and calls no other use cases. Use cases calling "FTA Generation":
• GEMDE Certification,Technical view
In order to fulfill the requirements of a use case, usually a number of artifacts will be read and/or written. But in "FTA Generation" the tool Medini uses no artifacts.
1.4.1.5 USE CASE FUNCTION ALLOCATION
This section describes the use case "Function allocation".
UseCase: Function allocation
Description: Function allocation
Table 39 UseCase: Function allocation
The use case requires no features and calls no other use cases. Use cases calling "Function allocation":
• GEMDE Certification,Technical view
In order to fulfill the requirements of a use case, usually a number of artifacts will be read and/or written. But in "Function allocation" the tool Medini uses no artifacts.
1.4.1.6 USE CASE GENERATION HW COVERAGE
This section describes the use case "Generation HW Coverage".
UseCase: Generation HW Coverage
Description: Generation HW Coverage
Table 40 UseCase: Generation HW Coverage
The use case requires no features and calls no other use cases. Use cases calling "Generation HW Coverage":
• GEMDE Certification,Technical view
In order to fulfill the requirements of a use case, usually a number of artifacts will be read and/or written. But in "Generation HW Coverage" the tool Medini uses no artifacts.
1.4.1.7 USE CASE HW/SW ALLOCATION
This section describes the use case "HW/SW allocation".
UseCase: HW/SW allocation
Description: HW/SW allocation
Table 41 UseCase: HW/SW allocation
The use case requires no features and calls no other use cases. Use cases calling "HW/SW allocation":
• GEMDE Certification,Technical view
In order to fulfill the requirements of a use case, usually a number of artifacts will be read and/or written. But in "HW/SW allocation" the tool Medini uses no artifacts.
1.4.1.8 USE CASE ITEM DEFINITION
This section describes the use case "Item Definition".
UseCase: Item Definition
Description: Item Definition
Table 42 UseCase: Item Definition
The use case requires no features and calls no other use cases. Use cases calling "Item Definition":
• GEMDE Certification,Technical view
In order to fulfill the requirements of a use case, usually a number of artifacts will be read and/or written. But in "Item Definition" the tool Medini uses no artifacts.
1.4.1.9 USE CASE SAFETY GOALS DEFINITION
This section describes the use case "Safety goals definition".
UseCase: Safety goals definition
Description: Safety goals definition
Table 43 UseCase: Safety goals definition
The use case requires no features and calls no other use cases. Use cases calling "Safety goals definition":
• GEMDE Certification,Technical view
In order to fulfill the requirements of a use case, usually a number of artifacts will be read and/or written. But in "Safety goals definition" the tool Medini uses no artifacts.
1.4.1.10 USE CASE SW ARCHITECTURE DEFINITION
This section describes the use case "SW Architecture definition".
UseCase: SW Architecture definition
Description: SW Architecture definition
Table 44 UseCase: SW Architecture definition
The use case requires no features and calls one other use case. Fig 10 shows the dependencies between the use cases and features.
Fig 10 Dependency View of Use Case: SW Architecture definition
"SW Architecture definition" calls the following use case:
• Simulink,Modelling Requirements
Use cases calling "SW Architecture definition":
• GEMDE Certification,Technical view
In order to fulfill the requirements of a use case, usually a number of artifacts will be read and/or written. But in "SW Architecture definition" the tool Medini uses no artifacts.
1.4.2 FEATURES OF MEDINI
There are no features modeled for Medini.
1.4.3 POTENTIAL ERRORS IN MEDINI
The tool has 21 different potential errors in 21 occurrences in use cases. The error flow, as can be seen in Fig 11, consists of all relations from errors to checks or restrictions. There are
• no relations from errors caused by other tools to checks or restrictions defined for use cases of this tool,
• 34 relations from errors caused by this tool to checks or restrictions defined for use cases of this tool,
• no relations from errors caused by this tool to checks or restrictions defined for use cases of other tools.
Fig 11 Error Flow to and from Medini
Medini has the following 34 relations, which are detected by checks or restrictions of this tool. The errors are described in detail in the TCL analysis of the corresponding use cases:
• 001-xxx is not traced with a simulink port (Table 80)
• 002-xxx is safety related and has no safety goal assigned (Table 104)
• 003-xxx has no functional safety requirement specified (Table 105)
• 004-Safety goal has no FTA traced (Table 96)
• 005-xxx (safety req) has no unique identifier (Table 106)
• 006-Safety goal is not associated to a hazardous event (Table 85)
• 007-Architecture element has no name set (Table 81)
• 008-Port xxx is not connected (Table 82)
• 009-req is not correctly decomposed (Table 101)
• 010-xxx has no justification given for the estimated ranking of exposure for the ISO ASIL (Table 86)
• 011-xxx has failure mode with category 'no part' and failure modes with other categories. (Table 90)
• 012-xxx ASIL does not match to ASIL of associated goal (Table 87)
• 013-Hazard has no item traced (Table 88)
• 014-xxx has an invalid ASIL. ASIL has to be the same or higher than of goals it contributes to (Table 102)
• 015-FTA model has a loop due to transfer gates (Table 97)
• 016-The decomposing requirement xxx is allocated to the same architecture or software element as its neighbor (Table 99)
• 017-Name of xxx is different from corresponding system architecture element(s): yyy (Table 91)
• 018-xxx has no corresponding architecture element in any of the architecture model(s): yyy (Table 92)
• 019-xxx has no corresponding architecture element in the derived worksheet(s): yyy (Table 93)
• 020-"xxx does not have the same failure modes than corresponding architecture element(s): yyy" (Table 94)
• 021-Assessment or validation of the Qualification Project against the Qualification Reference (Table 83)
1.4.4 RESTRICTIONS IN MEDINI
The tool Medini must only be used with the following restrictions.
Restriction: 001-All sistems architecture port traced with simulink
Description: 001-All sistems architecture port traced with simulink
From use case: Medini,Detailed architecture definition
Error avoidance probability: TD 1 (HIGH)
Occurrences: in Detailed architecture definition
Avoided errors: Detailed architecture definition,001-xxx is not traced with a simulink port
Table 45 Restriction: 001-All sistems architecture port traced with simulink
Restriction: 002- All hazard event assigned to a safety goal
Description: 002- All hazard event assigned to a safety goal
From use case: Medini,Safety goals definition
Error avoidance probability: TD 1 (HIGH)
Occurrences: in Safety goals definition
Avoided errors: Safety goals definition,002-xxx is safety related and has no safety goal assigned
Table 46 Restriction: 002- All hazard event assigned to a safety goal
Restriction: 003-For all safety goal exist one safety requirement
Description: 003-For all safety goal exist one safety requirement
From use case: Medini,Safety goals definition
Error avoidance probability: TD 1 (HIGH)
Occurrences: in Safety goals definition
Avoided errors: Safety goals definition,003-xxx has no functional safety requirement specified
Table 47 Restriction: 003-For all safety goal exist one safety requirement
Restriction: 004-All safety goal traced with FTA
Description: 004-All safety goal traced with FTA
From use case: Medini,FTA Generation
Error avoidance probability: TD 1 (HIGH)
Occurrences: in FTA Generation
Avoided errors: FTA Generation,004-Safety goal has no FTA traced
Table 48 Restriction: 004-All safety goal traced with FTA
Restriction: 005-Exist a unique safety requirement identifier
Description: 005-Exist a unique safety requirement identifier
From use case: Medini,Safety goals definition
Error avoidance probability: TD 1 (HIGH)
Occurrences: in Safety goals definition
Avoided errors: Safety goals definition,005-xxx (safety req) has no unique identifier
Table 49 Restriction: 005-Exist a unique safety requirement identifier
Restriction: 006-All safety goal associated to a hazardous event
Description: 006-All safety goal associated to a hazardous event
From use case: Medini,FHA Generation
Error avoidance probability: TD 1 (HIGH)
Occurrences: in FHA Generation
Avoided errors: FHA Generation,006-Safety goal is not associated to a hazardous event
Table 50 Restriction: 006-All safety goal associated to a hazardous event
Restriction: 007-Each system architecture element is named
Description: 007-Each system architecture element is named
From use case: Medini,Detailed architecture definition
Error avoidance probability: TD 1 (HIGH)
Occurrences: in Detailed architecture definition
Avoided errors: Detailed architecture definition,007-Architecture element has no name set
Table 51 Restriction: 007-Each system architecture element is named
Restriction: 008-All ports are connected
Description: 008-All ports are connected
From use case: Medini,Detailed architecture definition
Error avoidance probability: TD 1 (HIGH)
Occurrences: in Detailed architecture definition
Avoided errors: Detailed architecture definition,008-Port xxx is not connected
Table 52 Restriction: 008-All ports are connected
Restriction: 009-Validation of decomposition
Description: 009-Validation of decomposition
From use case: Medini,HW/SW allocation
Error avoidance probability: TD 1 (HIGH)
Occurrences: in HW/SW allocation
Avoided errors: HW/SW allocation,009-req is not correctly decomposed
Table 53 Restriction: 009-Validation of decomposition
Restriction: 012-Hazard and goal ASIL must be the same
Description: 012-Hazard and goal ASIL must be the same
From use case: Medini,FHA Generation
Error avoidance probability: TD 1 (HIGH)
Occurrences: in FHA Generation
Avoided errors: FHA Generation,012-xxx ASIL does not match to ASIL of associated goal
Table 54 Restriction: 012-Hazard and goal ASIL must be the same
Restriction: 013-All hazard model traced to an item
Description: 013-All hazard model traced to an item
From use case: Medini,FHA Generation
Error avoidance probability: TD 1 (HIGH)
Occurrences: in FHA Generation
Avoided errors: FHA Generation,013-Hazard has no item traced
Table 55 Restriction: 013-All hazard model traced to an item
Restriction: 014-All safety requirements SIL >= safety goal SIL
Description: 014-All safety requirements SIL >= safety goal SIL
From use case: Medini,HW/SW allocation
Error avoidance probability: TD 1 (HIGH)
Occurrences: in HW/SW allocation
Avoided errors: HW/SW allocation,014-xxx has an invalid ASIL. ASIL has to be the same or higher than of goals it contributes to
Table 56 Restriction: 014-All safety requirements SIL >= safety goal SIL
Restriction: 015-FTA does not contain loops
Description: 015-FTA does not contain loops
From use case: Medini,FTA Generation
Error avoidance probability: TD 1 (HIGH)
Occurrences: in FTA Generation
Avoided errors: FTA Generation,015-FTA model has a loop due to transfer gates
Table 57 Restriction: 015-FTA does not contain loops
Restriction: 021-Failure modes names must be consistent for each diagram/table
Description: 021-Failure modes names must be consistent for each diagram/table
From use case: Medini,Detailed architecture definition
Error avoidance probability: TD 1 (HIGH)
Occurrences: in Detailed architecture definition
Avoided errors: Detailed architecture definition,021-Assessment or validation of the Qualification Project against the Qualification Reference
Table 58 Restriction: 021-Failure modes names must be consistent for each diagram/table
1.4.5 CHECKS IN MEDINI
The following 20 checks are performed in the tool Medini.
Check: 001-Trace architecture port- Simulink
Description: Checks if each system architecture port is traced with a Simulink port
From use case: Medini, Detailed architecture definition
Occurrences: in Detailed architecture definition
Error detection probability: TD 1 (HIGH)
Detected errors: Detailed architecture definition, 001-xxx is not traced with a simulink port
Table 59 Check: 001-Trace architecture port- Simulink
Check: 002-Link hazard- safety goal
Description: Checks if each safety related hazardous event has a safety goal assigned
From use case: Medini, Safety goals definition
Occurrences: in Safety goals definition
Error detection probability: TD 1 (HIGH)
Detected errors: Safety goals definition, 002-xxx is safety related and has no safety goal assigned
Table 60 Check: 002-Link hazard- safety goal
Check: 003-Checks if for each safety goal at least one functional safety requirement is specified
Description: 003-Checks if for each safety goal at least one functional safety requirement is specified
From use case: Medini, Safety goals definition
Occurrences: in Safety goals definition
Error detection probability: TD 1 (HIGH)
Detected errors: Safety goals definition, 003-xxx has no functional safety requirement specified
Table 61 Check: 003-Checks if for each safety goal at least one functional safety requirement is specified
Check: 004-Checks if each safety goal has a FTA traced
Description: 004-Checks if each safety goal has a FTA traced
From use case: Medini, FTA Generation
Occurrences: in FTA Generation
Error detection probability: TD 1 (HIGH)
Detected errors: FTA Generation, 004-Safety goal has no FTA traced
Table 62 Check: 004-Checks if each safety goal has a FTA traced
Check: 005-Checks if every safety requirement has a unique identifier
Description: 005-Checks if every safety requirement has a unique identifier
From use case: Medini, Safety goals definition
Occurrences: in Safety goals definition
Error detection probability: TD 1 (HIGH)
Detected errors: Safety goals definition, 005-xxx (safety req) has no unique identifier
Table 63 Check: 005-Checks if every safety requirement has a unique identifier
Check: 006-Checks if each safety goal is associated to a hazardous event
Description: 006-Checks if each safety goal is associated to a hazardous event
From use case: Medini, FHA Generation
Occurrences: in FHA Generation
Error detection probability: TD 1 (HIGH)
Detected errors: FHA Generation, 006-Safety goal is not associated to a hazardous event
Table 64 Check: 006-Checks if each safety goal is associated to a hazardous event
Check: 007-Checks if each system architecture element has a name set (except for connectors)
Description: 007-Checks if each system architecture element has a name set (except for connectors)
From use case: Medini, Detailed architecture definition
Occurrences: in Detailed architecture definition
Error detection probability: TD 1 (HIGH)
Detected errors: Detailed architecture definition, 007-Architecture element has no name set
Table 65 Check: 007-Checks if each system architecture element has a name set (except for connectors)
Check: 008-Checks if each system architecture port is connected
Description: 008-Checks if each system architecture port is connected
From use case: Medini, Detailed architecture definition
Occurrences: in Detailed architecture definition
Error detection probability: TD 1 (HIGH)
Detected errors: Detailed architecture definition, 008-Port xxx is not connected
Table 66 Check: 008-Checks if each system architecture port is connected
Check: 009-Checks if a valid decomposition has been applied
Description: 009-Checks if a valid decomposition has been applied
From use case: Medini, HW/SW allocation
Occurrences: in HW/SW allocation
Error detection probability: TD 1 (HIGH)
Detected errors: HW/SW allocation, 009-req is not correctly decomposed
Table 67 Check: 009-Checks if a valid decomposition has been applied
Check: 010-Checks that each ranking of exposure from E0 to E2 has a justification given for the estimation
Description: 010-Checks that each ranking of exposure from E0 to E2 has a justification given for the estimation
From use case: Medini, FHA Generation
Occurrences: in FHA Generation
Error detection probability: TD 1 (HIGH)
Detected errors: FHA Generation, 010-xxx has no justification given for the estimated ranking of exposure for the ISO ASIL
Table 68 Check: 010-Checks that each ranking of exposure from E0 to E2 has a justification given for the estimation
Check: 011-Checks that either all failure modes of a FMEA component xxx have category 'no part' or none
Description: 011-Checks that either all failure modes of a FMEA component xxx have category 'no part' or none
From use case: Medini, FMEA Generation
Occurrences: in FMEA Generation
Error detection probability: TD 1 (HIGH)
Detected errors: FMEA Generation, 011-xxx has failure mode with category 'no part' and failure modes with other categories.
Table 69 Check: 011-Checks that either all failure modes of a FMEA component xxx have category 'no part' or none
Check: 012-Checks that the ASIL of a hazard matches the ASIL of an associated goal
Description: 012-Checks that the ASIL of a hazard matches the ASIL of an associated goal
From use case: Medini, FHA Generation
Occurrences: in FHA Generation
Error detection probability: TD 1 (HIGH)
Detected errors: FHA Generation, 012-xxx ASIL does not match to ASIL of associated goal
Table 70 Check: 012-Checks that the ASIL of a hazard matches the ASIL of an associated goal
Check: 013-Checks that each Hazard model is traced to an item
Description: 013-Checks that each Hazard model is traced to an item
From use case: Medini, FHA Generation
Occurrences: in FHA Generation
Error detection probability: TD 1 (HIGH)
Detected errors: FHA Generation, 013-Hazard has no item traced
Table 71 Check: 013-Checks that each Hazard model is traced to an item
Check: 014-Checks if safety requirements have the same or higher ASIL than of goals they contribute to
Description: 014-Checks if safety requirements have the same or higher ASIL than of goals they contribute to
From use case: Medini, HW/SW allocation
Occurrences: in HW/SW allocation
Error detection probability: TD 1 (HIGH)
Detected errors: HW/SW allocation, 014-xxx has an invalid ASIL. ASIL has to be the same or higher than of goals it contributes to
Table 72 Check: 014-Checks if safety requirements have the same or higher ASIL than of goals they contribute to
Check: 016-Checks that no decomposing requirement is allocated to the same architecture or software element as its neighbour
Description: 016-Checks that no decomposing requirement is allocated to the same architecture or software element as its neighbour
From use case: Medini, Function allocation
Occurrences: in Function allocation
Error detection probability: TD 1 (HIGH)
Detected errors: Function allocation, 016-The decomposing requirement xxx is allocated to the same architecture or software element as its neighbor
Table 73 Check: 016-Checks that no decomposing requirement is allocated to the same architecture or software element as its neighbour
Check: 017-Checks for name differences between FMEA components and corresponding system architecture elements
Description: 017-Checks for name differences between FMEA components and corresponding system architecture elements
From use case: Medini, FMEA Generation
Occurrences: in FMEA Generation
Error detection probability: TD 1 (HIGH)
Detected errors: FMEA Generation, 017-Name of xxx is different from corresponding system architecture element(s): yyy
Table 74 Check: 017-Checks for name differences between FMEA components and corresponding system architecture elements
Check: 018-Checks that all FMEA components have pendants in at least one system architecture the worksheet is derived of
Description: 018-Checks that all FMEA components have pendants in at least one system architecture the worksheet is derived of
From use case: Medini, FMEA Generation
Occurrences: in FMEA Generation
Error detection probability: TD 1 (HIGH)
Detected errors: FMEA Generation, 018-xxx has no corresponding architecture element in any of the architecture model(s): yyy
Table 75 Check: 018-Checks that all FMEA components have pendants in at least one system architecture the worksheet is derived of
Check: 019-Checks that all system architecture parts have pendants in the derived FMEA worksheets
Description: 019-Checks that all system architecture parts have pendants in the derived FMEA worksheets
From use case: Medini, FMEA Generation
Occurrences: in FMEA Generation
Error detection probability: TD 1 (HIGH)
Detected errors: FMEA Generation, 019-xxx has no corresponding architecture element in the derived worksheet(s): yyy
Table 76 Check: 019-Checks that all system architecture parts have pendants in the derived FMEA worksheets
Check: 020-Checks for consistency between failure modes of FMEA components and related system architecture elements
Description: 020-Checks for consistency between failure modes of FMEA components and related system architecture elements
From use case: Medini, FMEA Generation
Occurrences: in FMEA Generation
Error detection probability: TD 1 (HIGH)
Detected errors: FMEA Generation, 020-"xxx does not have the same failure modes than corresponding architecture element(s): yyy"
Table 77 Check: 020-Checks for consistency between failure modes of FMEA components and related system architecture elements
Check: 021-Checks for name consistency between failure modes
Description: 021-Checks for name consistency between failure modes
From use case: Medini, Detailed architecture definition
Occurrences: in Detailed architecture definition
Error detection probability: TD 1 (HIGH)
Detected errors: Detailed architecture definition, 021-Assessment or validation of the Qualification Project against the Qualification Reference
Table 78 Check: 021-Checks for name consistency between failure modes
1.4.6 ASSUMPTIONS
The determination of the TCL of Medini is not based on assumed checks and restrictions. None of the checks and restrictions are modeled as assumptions.
1.4.7 TCL DETERMINATION
This section determines a TCL for each use case by assigning checks or restrictions with detection/avoidance probability to each potential error. The TCL for the entire tool can be derived from the TCL for each use case. The tool Medini has 10 use cases with TCL 1, no use case with TCL 2 and no use case with TCL 3. Therefore the tool Medini has TCL 1. The use cases are described in the following sections:
• For "Detailed architecture definition" (TCL 1) see Section 1.4.7.1,
• for "FHA Generation" (TCL 1) see Section 1.4.7.2,
• for "FMEA Generation" (TCL 1) see Section 1.4.7.3,
• for "FTA Generation" (TCL 1) see Section 1.4.7.4,
• for "Function allocation" (TCL 1) see Section 1.4.7.5,
• for "Generation HW Coverage" (TCL 1) see Section 1.4.7.6,
• for "HW/SW allocation" (TCL 1) see Section 1.4.7.7,
• for "Item Definition" (TCL 1) see Section 1.4.7.8,
• for "Safety goals definition" (TCL 1) see Section 1.4.7.9, and
• for "SW Architecture definition" (TCL 1) see Section 1.4.7.10.
1.4.7.1 TCL DETERMINATION FOR USE CASE: DETAILED ARCHITECTURE DEFINITION
The use case "Detailed architecture definition" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "Detailed architecture definition".
Error | TD | Table
001-xxx is not traced with a simulink port | TD 1 (HIGH) | Table 80
007-Architecture element has no name set | TD 1 (HIGH) | Table 81
008-Port xxx is not connected | TD 1 (HIGH) | Table 82
021-Assessment or validation of the Qualification Project against the Qualification Reference | TD 1 (HIGH) | Table 83
Table 79 Errors of Use Case: Detailed architecture definition
Error: 001-xxx is not traced with a simulink port
Description: 001-xxx is not traced with a simulink port
From use case: Detailed architecture definition
Discovered by the following checks: Detailed architecture definition.001-Trace architecture port- Simulink
Occurrences: in Detailed architecture definition
Avoided by the following restrictions: Detailed architecture definition.001-All systems architecture port traced with simulink
Error View: (figure)
Table 80 Error: 001-xxx is not traced with a simulink port
Error: 007-Architecture element has no name set
Description: Name 007-Architecture element has no name set
From use case: Detailed architecture definition
Discovered by the following checks: Detailed architecture definition.007-Checks if each system architecture element has a name set (except for connectors)
Occurrences: in Detailed architecture definition
Avoided by the following restrictions: Detailed architecture definition.007-Each system architecture element is named
Error View: (figure)
Table 81 Error: 007-Architecture element has no name set
Error: 008-Port xxx is not connected
Description: 008-Port xxx is not connected
From use case: Detailed architecture definition
Discovered by the following checks: Detailed architecture definition.008-Checks if each system architecture port is connected
Occurrences: in Detailed architecture definition
Avoided by the following restrictions: Detailed architecture definition.008-All ports are connected
Error View: (figure)
Table 82 Error: 008-Port xxx is not connected
Error: 021-Assessment or validation of the Qualification Project against the Qualification Reference
Description: 021-Assessment or validation of the Qualification Project against the Qualification Reference
From use case: Detailed architecture definition
Discovered by the following checks: Detailed architecture definition.021-Checks for name consistency between failure modes
Occurrences: in Detailed architecture definition
Avoided by the following restrictions: Detailed architecture definition.021-Failure modes names must be consistent for each diagram/table
Error View: (figure)
Table 83 Error: 021-Assessment or validation of the Qualification Project against the Qualification Reference
1.4.7.2 TCL DETERMINATION FOR USE CASE: FHA GENERATION
The use case "FHA Generation" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "FHA Generation".
Error | TD | Table
006-Safety goal is not associated to a hazardous event | TD 1 (HIGH) | Table 85
010-xxx has no justification given for the estimated ranking of exposure for the ISO ASIL | TD 1 (HIGH) | Table 86
012-xxx ASIL does not match to ASIL of associated goal | TD 1 (HIGH) | Table 87
013-Hazard has no item traced | TD 1 (HIGH) | Table 88
Table 84 Errors of Use Case: FHA Generation
Error: 006-Safety goal is not associated to a hazardous event
Description: 006-Safety goal is not associated to a hazardous event
From use case: FHA Generation
Discovered by the following checks: FHA Generation.006-Checks if each safety goal is associated to a hazardous event
Occurrences: in FHA Generation
Avoided by the following restrictions: FHA Generation.006-All safety goal associated to a hazardous event
Error View: (figure)
Table 85 Error: 006-Safety goal is not associated to a hazardous event
Error: 010-xxx has no justification given for the estimated ranking of exposure for the ISO ASIL
Description: 010-xxx has no justification given for the estimated ranking of exposure for the ISO ASIL
From use case: FHA Generation
Discovered by the following checks: FHA Generation.010-Checks that each ranking of exposure from E0 to E2 has a justification given for the estimation
Occurrences: in FHA Generation
Error View: (figure)
Table 86 Error: 010-xxx has no justification given for the estimated ranking of exposure for the ISO ASIL
Error: 012-xxx ASIL does not match to ASIL of associated goal
Description: 012-xxx ASIL does not match to ASIL of associated goal
From use case: FHA Generation
Discovered by the following checks: FHA Generation.012-Checks that the ASIL of a hazard matches the ASIL of an associated goal
Occurrences: in FHA Generation
Avoided by the following restrictions: FHA Generation.012-Hazard and goal ASIL must be the same
Error View: (figure)
Table 87 Error: 012-xxx ASIL does not match to ASIL of associated goal
Error: 013-Hazard has no item traced
Description: 013-Hazard has no item traced
From use case: FHA Generation
Discovered by the following checks: FHA Generation.013-Checks that each Hazard model is traced to an item
Occurrences: in FHA Generation
Avoided by the following restrictions: FHA Generation.013-All hazard model traced to an item
Error View: (figure)
Table 88 Error: 013-Hazard has no item traced
1.4.7.3 TCL DETERMINATION FOR USE CASE: FMEA GENERATION
The use case "FMEA Generation" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "FMEA Generation".
Error | TD | Table
011-xxx has failure mode with category 'no part' and failure modes with other categories. | TD 1 (HIGH) | Table 90
017-Name of xxx is different from corresponding system architecture element(s): yyy | TD 1 (HIGH) | Table 91
018-xxx has no corresponding architecture element in any of the architecture model(s): yyy | TD 1 (HIGH) | Table 92
019-xxx has no corresponding architecture element in the derived worksheet(s): yyy | TD 1 (HIGH) | Table 93
020-"xxx does not have the same failure modes than corresponding architecture element(s): yyy" | TD 1 (HIGH) | Table 94
Table 89 Errors of Use Case: FMEA Generation
Error: 011-xxx has failure mode with category 'no part' and failure modes with other categories.
Description: 011-xxx has failure mode with category 'no part' and failure modes with other categories.
From use case: FMEA Generation
Discovered by the following checks: FMEA Generation.011-Checks that either all failure modes of a FMEA component xxx have category 'no part' or none
Occurrences: in FMEA Generation
Error View: (figure)
Table 90 Error: 011-xxx has failure mode with category 'no part' and failure modes with other categories.
Error: 017-Name of xxx is different from corresponding system architecture element(s): yyy
Description: 017-Name of xxx is different from corresponding system architecture element(s): yyy
From use case: FMEA Generation
Discovered by the following checks: FMEA Generation.017-Checks for name differences between FMEA components and corresponding system architecture elements
Occurrences: in FMEA Generation
Error View: (figure)
Table 91 Error: 017-Name of xxx is different from corresponding system architecture element(s): yyy
Error: 018-xxx has no corresponding architecture element in any of the architecture model(s): yyy
Description: 018-xxx has no corresponding architecture element in any of the architecture model(s): yyy
From use case: FMEA Generation
Discovered by the following checks: FMEA Generation.018-Checks that all FMEA components have pendants in at least one system architecture the worksheet is derived of
Occurrences: in FMEA Generation
Error View: (figure)
Table 92 Error: 018-xxx has no corresponding architecture element in any of the architecture model(s): yyy
Error: 019-xxx has no corresponding architecture element in the derived worksheet(s): yyy
Description: 019-xxx has no corresponding architecture element in the derived worksheet(s): yyy
From use case: FMEA Generation
Discovered by the following checks: FMEA Generation.019-Checks that all system architecture parts have pendants in the derived FMEA worksheets
Occurrences: in FMEA Generation
Error View: (figure)
Table 93 Error: 019-xxx has no corresponding architecture element in the derived worksheet(s): yyy
Error: 020-"xxx does not have the same failure modes than corresponding architecture element(s): yyy"
Description: 020-"xxx does not have the same failure modes than corresponding architecture element(s): yyy"
From use case: FMEA Generation
Discovered by the following checks: FMEA Generation.020-Checks for consistency between failure modes of FMEA components and related system architecture elements
Occurrences: in FMEA Generation
Error View: (figure)
Table 94 Error: 020-"xxx does not have the same failure modes than corresponding architecture element(s): yyy"
1.4.7.4 TCL DETERMINATION FOR USE CASE: FTA GENERATION
The use case "FTA Generation" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "FTA Generation".
Error | TD | Table
004-Safety goal has no FTA traced | TD 1 (HIGH) | Table 96
015-FTA model has a loop due to transfer gates | TD 1 (HIGH) | Table 97
Table 95 Errors of Use Case: FTA Generation
Error: 004-Safety goal has no FTA traced
Description: 004-Safety goal has no FTA traced
From use case: FTA Generation
Discovered by the following checks: FTA Generation.004-Checks if each safety goal has a FTA traced
Occurrences: in FTA Generation
Avoided by the following restrictions: FTA Generation.004-All safety goal traced with FTA
Error View: (figure)
Table 96 Error: 004-Safety goal has no FTA traced
Error: 015-FTA model has a loop due to transfer gates
Description: 015-FTA model has a loop due to transfer gates
From use case: FTA Generation
Occurrences: in FTA Generation
Avoided by the following restrictions: FTA Generation.015-FTA does not contain loops
Error View: (figure)
Table 97 Error: 015-FTA model has a loop due to transfer gates
1.4.7.5 TCL DETERMINATION FOR USE CASE: FUNCTION ALLOCATION
The use case "Function allocation" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "Function allocation".
Error | TD | Table
016-The decomposing requirement xxx is allocated to the same architecture or software element as its neighbor | TD 1 (HIGH) | Table 99
Table 98 Errors of Use Case: Function allocation
Error: 016-The decomposing requirement xxx is allocated to the same architecture or software element as its neighbor
Description: 016-The decomposing requirement xxx is allocated to the same architecture or software element as its neighbor
From use case: Function allocation
Discovered by the following checks: Function allocation.016-Checks that no decomposing requirement is allocated to the same architecture or software element as its neighbour
Occurrences: in Function allocation
Error View: (figure)
Table 99 Error: 016-The decomposing requirement xxx is allocated to the same architecture or software element as its neighbor
1.4.7.6 TCL DETERMINATION FOR USE CASE: GENERATION HW COVERAGE
The use case "Generation HW Coverage" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. This use case has no errors.
1.4.7.7 TCL DETERMINATION FOR USE CASE: HW/SW ALLOCATION
The use case "HW/SW allocation" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "HW/SW allocation".
Error | TD | Table
009-req is not correctly decomposed | TD 1 (HIGH) | Table 101
014-xxx has an invalid ASIL. ASIL has to be the same or higher than of goals it contributes to | TD 1 (HIGH) | Table 102
Table 100 Errors of Use Case: HW/SW allocation
Error: 009-req is not correctly decomposed
Description: 009-Safety requirement is not correctly decomposed
From use case: HW/SW allocation
Discovered by the following checks: HW/SW allocation.009-Checks if a valid decomposition has been applied
Occurrences: in HW/SW allocation
Avoided by the following restrictions: HW/SW allocation.009-Validation of decomposition
Error View: (figure)
Table 101 Error: 009-req is not correctly decomposed
Error: 014-xxx has an invalid ASIL. ASIL has to be the same or higher than of goals it contributes to
Description: 014-xxx has an invalid ASIL. ASIL has to be the same or higher than of goals it contributes to
From use case: HW/SW allocation
Discovered by the following checks: HW/SW allocation.014-Checks if safety requirements have the same or higher ASIL than of goals they contribute to
Occurrences: in HW/SW allocation
Avoided by the following restrictions: HW/SW allocation.014-All safety requirements SIL >= safety goal SIL
Error View: (figure)
Table 102 Error: 014-xxx has an invalid ASIL. ASIL has to be the same or higher than of goals it contributes to
1.4.7.8 TCL DETERMINATION FOR USE CASE: ITEM DEFINITION
The use case "Item Definition" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. This use case has no errors.
1.4.7.9 TCL DETERMINATION FOR USE CASE: SAFETY GOALS DEFINITION
The use case "Safety goals definition" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "Safety goals definition".
Error | TD | Table
002-xxx is safety related and has no safety goal assigned | TD 1 (HIGH) | Table 104
003-xxx has no functional safety requirement specified | TD 1 (HIGH) | Table 105
005-xxx (safety req) has no unique identifier | TD 1 (HIGH) | Table 106
Table 103 Errors of Use Case: Safety goals definition
Error: 002-xxx is safety related and has no safety goal assigned
Description: xxx is safety related and has no safety goal assigned
From use case: Safety goals definition
Discovered by the following checks: Safety goals definition.002-Link hazard- safety goal
Occurrences: in Safety goals definition
Avoided by the following restrictions: Safety goals definition.002-All hazard event assigned to a safety goal
Error View: (figure)
Table 104 Error: 002-xxx is safety related and has no safety goal assigned
Error: 003-xxx has no functional safety requirement specified
Description: 003-xxx has no functional safety requirement specified
From use case: Safety goals definition
Discovered by the following checks: Safety goals definition.003-Checks if for each safety goal at least one functional safety requirement is specified
Occurrences: in Safety goals definition
Avoided by the following restrictions: Safety goals definition.003-For all safety goal exist one safety requirement
Error View: (figure)
Table 105 Error: 003-xxx has no functional safety requirement specified
Error: 005-xxx (safety req) has no unique identifier
Description: 005-safety requirement has no unique identifier
From use case: Safety goals definition
Discovered by the following checks: Safety goals definition.005-Checks if every safety requirement has a unique identifier
Occurrences: in Safety goals definition
Avoided by the following restrictions: Safety goals definition.005-Exist a unique safety requirement identifier
Error View: (figure)
Table 106 Error: 005-xxx (safety req) has no unique identifier
1.4.7.10 TCL DETERMINATION FOR USE CASE: SW ARCHITECTURE DEFINITION
The use case "SW Architecture definition" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. This use case has no errors.
1.5 NUSMV MODEL CHECKER
This section explains the determination of the Tool Confidence Level (TCL) for the tool nuSMV Model Checker.
Tool: nuSMV Model Checker
Description: -None-
Impact: TI 2 (Impact)
Tool Confidence Level: TCL 1
Table 107 Tool: nuSMV Model Checker
The tool nuSMV Model Checker is modeled with no element which has impact. No additional features have been modeled.
Elements | Amount (Assumptions)
Use Cases | 0 (0)
Checks | 0 (0)
Restrictions | 0 (0)
Potential Errors | 0 (0)
Table 108 Amount of Elements in Tool: nuSMV Model Checker
1.5.1 USE CASES OF NUSMV MODEL CHECKER
There are no use cases modeled for nuSMV Model Checker.
1.5.2 FEATURES OF NUSMV MODEL CHECKER
There are no features modeled for nuSMV Model Checker.
1.5.3 POTENTIAL ERRORS IN NUSMV MODEL CHECKER
The tool has no potential error. The error flow consists of all relations from errors to checks or restrictions. There are
• no relations from errors caused by other tools to checks or restrictions defined for use cases of this tool,
• no relations from errors caused by this tool to checks or restrictions defined for use cases of this tool, and
• no relations from errors caused by this tool to checks or restrictions defined for use cases of other tools.
1.5.4 RESTRICTIONS IN NUSMV MODEL CHECKER
There are no restrictions in the tool nuSMV Model Checker.
1.5.5 CHECKS IN NUSMV MODEL CHECKER
No checks are performed in the tool nuSMV Model Checker.
1.5.6 ASSUMPTIONS
The determination of the TCL of nuSMV Model Checker is not based on assumed checks and restrictions. None of the checks and restrictions are modeled as assumptions.
1.5.7 TCL DETERMINATION
This section determines a TCL for each use case by assigning checks or restrictions with detection/avoidance probability to each potential error. The TCL for the entire tool can be derived from the TCL for each use case. The tool nuSMV Model Checker has no use case with TCL 1, no use case with TCL 2 and no use case with TCL 3. Therefore the tool nuSMV Model Checker has TCL 1.
There are no use cases modeled for the tool nuSMV Model Checker.
1.6 PROCESS CHECKER
This section explains the determination of the Tool Confidence Level (TCL) for the tool Process Checker.
• Tool: Process Checker
• Description: This is a manual step to validate the process for completeness. If this is the case, TCA model validation can be omitted.
• Impact: TI 2 (Impact)
• Tool Confidence Level: TCL 1
Table 109 Tool: Process Checker
The tool Process Checker is modeled with one element which has impact which is not an assumption. No additional features have been modeled.
Elements            Amount (Assumptions)
Use Cases           0 (0)
Checks              0 (0)
Restrictions        1 (0)
Potential Errors    0 (0)
Table 110 Amount of Elements in Tool: Process Checker
1.6.1 USE CASES OF PROCESS CHECKER
There are no use cases modeled for Process Checker.
1.6.2 FEATURES OF PROCESS CHECKER
There are no features modeled for Process Checker.
1.6.3 POTENTIAL ERRORS IN PROCESS CHECKER
The tool has no potential error. The error flow, as can be seen in Fig 12, consists of all relations from errors to checks or restrictions. There are
• 2 relations from errors caused by other tools to checks or restrictions defined for use cases of this tool.
• no relation from errors caused by this tool to checks or restrictions defined for use cases of this tool.
• no relation from errors caused by this tool to checks or restrictions defined for use cases of other tools.
Fig 12 Error Flow to and from Process Checker
Table 111 shows all 2 relations, introduced by one other tool:
Tool                  Error                             UseCase        Table
Tool Chain Analyzer   Process Inconsistently Modelled   Create Model   Table 181
Tool Chain Analyzer   Process Inconsistently Modelled   Review Model   Table 196
Table 111 Errors introduced in Process Checker by other tools
1.6.4 RESTRICTIONS IN PROCESS CHECKER
The tool Process Checker must only be used with the following restriction.
• Restriction: Consistent Process
• Description: This ensures that the process is consistent
• From use case: Process Checker, Validate Process
• Error avoidance probability: TD 1 (HIGH)
• Occurrences: in Validate Process
• Avoided errors from other tools: Validate Process, Tool Chain Analyzer, Model Validation, Process Inconsistently Modelled
• Relations to other tools: (figure not reproduced)
Table 112 Restriction: Consistent Process
1.6.5 CHECKS IN PROCESS CHECKER
No checks are performed in the tool Process Checker.
1.6.6 ASSUMPTIONS
The determination of the TCL of Process Checker is not based on assumed checks and restrictions. None of the checks and restrictions are modeled as assumptions.
1.6.7 TCL DETERMINATION
This section determines a TCL for each use case by assigning checks or restrictions with detection/avoidance probability to each potential error. The TCL for the entire tool can be derived from the TCL for each use case. The tool Process Checker has no use case with TCL 1, no use case with TCL 2 and no use case with TCL 3. Therefore the tool Process Checker has TCL 1.
There are no use cases modeled for the tool Process Checker.
1.7 SIMULINK
This section explains the determination of the Tool Confidence Level (TCL) for the tool Simulink.
• Tool: Simulink
• Description: Simulink
• Impact: TI 2 (Impact)
• Tool Confidence Level: TCL 3
Table 113 Tool: Simulink
The tool Simulink is modeled with 14 elements which have impact, one of them is an assumption. One additional feature has been modeled which is not an assumption.
Elements            Amount (Assumptions)
Use Cases           4 (0)
Checks              0 (0)
Restrictions        0 (0)
Potential Errors    10 (1)
Table 114 Amount of Elements in Tool: Simulink
1.7.1 USE CASES OF SIMULINK
This section describes all analyzed use cases of Simulink in separate subsections. The following use cases of the tool Simulink are considered:
1. Code generation, see Section 1.7.1.1
2. Contracts to assertions, see Section 1.7.1.2
3. Modelling, see Section 1.7.1.3
4. Modelling Requirements, see Section 1.7.1.4
1.7.1.1 USE CASE CODE GENERATION
This section describes the use case "Code generation".
• UseCase: Code generation
• Description: -None-
Table 115 UseCase: Code generation
The use case requires no features and calls no other use cases. The use case "Code generation" reads and/or writes the following artifacts. The used artifacts are shown in Fig 13 and are summarized in the subsequent table.
Fig 13 Artifacts of Use Case: Code generation
• Artifacts of Use Case: Code generation
• Inputs: Simulink Model
• Outputs: Source Code
Table 116 Artifacts of Use Case: Code generation
1.7.1.2 USE CASE CONTRACTS TO ASSERTIONS
This section describes the use case "Contracts to assertions".
• UseCase: Contracts to assertions
• Description: To check contracts in Simulink Design Verifier (needed to keep the verification tools at TCL1) there is a need to translate the contracts to assertions and assumptions understood by Simulink Design Verifier. This is added as a use case here, but it could be automated in a tool.
Table 117 UseCase: Contracts to assertions
The use case requires no features and calls no other use cases. The use case "Contracts to assertions" reads and/or writes the following artifacts. The used artifacts are shown in Fig 14 and are summarized in the subsequent table.
Fig 14 Artifacts of Use Case: Contracts to assertions
• Artifacts of Use Case: Contracts to assertions
• Inputs: contract
Table 118 Artifacts of Use Case: Contracts to assertions
1.7.1.3 USE CASE MODELLING
This section describes the use case "Modelling".
• UseCase: Modelling
• Description: -None-
Table 119 UseCase: Modelling
The use case requires no features and calls no other use cases.
The use case "Modelling" reads and/or writes the following artifacts. The used artifacts are shown in Fig 15 and are summarized in the subsequent table.
Fig 15 Artifacts of Use Case: Modelling
• Artifacts of Use Case: Modelling
• Outputs: Contract, Simulink Model, Simulink model, contract
Table 120 Artifacts of Use Case: Modelling
1.7.1.4 USE CASE MODELLING REQUIREMENTS
This section describes the use case "Modelling Requirements".
• UseCase: Modelling Requirements
• Description: The user reads the requirements and builds the Simulink model for them.
Table 121 UseCase: Modelling Requirements
The use case requires one feature and calls no other use cases. Fig 16 shows the dependencies between the use cases and features.
Fig 16 Dependency View of Use Case: Modelling Requirements
"Modelling Requirements" uses the following features:
• Edit Model
Use cases calling "Modelling Requirements":
• Medini, SW Architecture definition
The use case "Modelling Requirements" reads and/or writes the following artifacts. The used artifacts are shown in Fig 17 and are summarized in the subsequent table.
Fig 17 Artifacts of Use Case: Modelling Requirements
• Artifacts of Use Case: Modelling Requirements
• Inputs: Safety Requirements
• Outputs: Simulink Model
Table 122 Artifacts of Use Case: Modelling Requirements
1.7.2 FEATURES OF SIMULINK
This section describes all analyzed features of Simulink in separate subsections. The following features of the tool Simulink are considered:
1. Edit Model, see Section 1.7.2.1
1.7.2.1 FEATURE EDIT MODEL
This section describes the feature "Edit Model".
• Feature: Edit Model
• Description: Edit Simulink Model
Table 123 Feature: Edit Model
In order to fulfill the requirements of the feature, usually a number of artifacts will be read and/or written. But in "Edit Model" the tool Simulink uses no artifacts.
1.7.3 POTENTIAL ERRORS IN SIMULINK
The tool has 10 different potential errors in 10 occurrences in use cases. The error flow consists of all relations from errors to checks or restrictions. There are
• no relation from errors caused by other tools to checks or restrictions defined for use cases of this tool.
• no relation from errors caused by this tool to checks or restrictions defined for use cases of this tool.
• no relation from errors caused by this tool to checks or restrictions defined for use cases of other tools.
• 10 errors caused by this tool without any relation to checks or restrictions.
The following 10 error occurrences of Simulink have no relation to any check or restriction:
• Contract corruption (Table 131)
• Contract removal (Table 132)
• Contract violation (Table 133)
• Incorrect translation (Table 129)
• Non-termination (Table 134)
• Runtime error (Table 135)
• Scheduling error (Table 125)
• WCET violation (Table 126)
• Wrong code (Table 127)
• Wrong contract (Table 136)
1.7.4 RESTRICTIONS IN SIMULINK
There are no restrictions in the tool Simulink.
1.7.5 CHECKS IN SIMULINK
No checks are performed in the tool Simulink.
1.7.6 ASSUMPTIONS
The determination of the TCL of Simulink is based on the following assumption on the development process.
• Error: Incorrect translation
  ◦ in use case: Contracts to assertions
1.7.7 TCL DETERMINATION
This section determines a TCL for each use case by assigning checks or restrictions with detection/avoidance probability to each potential error. The TCL for the entire tool can be derived from the TCL for each use case. The tool Simulink has one use case with TCL 1, no use case with TCL 2 and 3 use cases with TCL 3. Therefore the tool Simulink has TCL 3. The use cases are described in the following sections:
• For "Code generation" (TCL 3) see Section 1.7.7.1,
• for "Contracts to assertions" (TCL 3) see Section 1.7.7.2,
• for "Modelling" (TCL 3) see Section 1.7.7.3, and
• for "Modelling Requirements" (TCL 1) see Section 1.7.7.4.
1.7.7.1 TCL DETERMINATION FOR USE CASE: CODE GENERATION
The use case "Code generation" has TCL 3. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "Code generation".
Error              TD           Table
Scheduling error   TD 3 (LOW)   Table 125
WCET violation     TD 3 (LOW)   Table 126
Wrong code         TD 3 (LOW)   Table 127
Table 124 Errors of Use Case: Code generation
• Error: Scheduling error
• Description: The chosen scheduling scheme used for the implemented (multi-rate) model is infeasible
• From use case: Code generation
• Occurrences: in Code generation
• Error View: (figure not reproduced)
Table 125 Error: Scheduling error
• Error: WCET violation
• Description: The WCET of the code is longer than it should be given the chosen scheduling scheme
• From use case: Code generation
• Occurrences: in Code generation
• Error View: (figure not reproduced)
Table 126 Error: WCET violation
• Error: Wrong code
• Description: The semantics of the code does not match the model semantics in terms of block behaviours
• From use case: Code generation
• Occurrences: in Code generation
• Error View: (figure not reproduced)
Table 127 Error: Wrong code
1.7.7.2 TCL DETERMINATION FOR USE CASE: CONTRACTS TO ASSERTIONS
The use case "Contracts to assertions" has TCL 3. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "Contracts to assertions".
Error                   TD           Table
Incorrect translation   TD 3 (LOW)   Table 129
Table 128 Errors of Use Case: Contracts to assertions
• Error: Incorrect translation
• Description: The translation of contracts to assertions/assumptions might be incorrect. It is not obvious how to check that this does not happen in a tool. Manual inspection might be needed.
• From use case: Contracts to assertions
• Occurrences: in Contracts to assertions
• Is assumption: True
• Error View: (figure not reproduced)
Table 129 Error: Incorrect translation
1.7.7.3 TCL DETERMINATION FOR USE CASE: MODELLING
The use case "Modelling" has TCL 3. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "Modelling".
Error                TD           Table
Contract corruption  TD 3 (LOW)   Table 131
Contract removal     TD 3 (LOW)   Table 132
Contract violation   TD 3 (LOW)   Table 133
Non-termination      TD 3 (LOW)   Table 134
Runtime error        TD 3 (LOW)   Table 135
Wrong contract       TD 3 (LOW)   Table 136
Table 130 Errors of Use Case: Modelling
• Error: Contract corruption
• Description: -None-
• From use case: Modelling
• Occurrences: in Modelling
• Error View: (figure not reproduced)
Table 131 Error: Contract corruption
• Error: Contract removal
• Description: Simulink removes a contract or edits the subsystem description field in such a manner that the contract is not recognised.
• From use case: Modelling
• Occurrences: in Modelling
• Error View: (figure not reproduced)
Table 132 Error: Contract removal
• Error: Contract violation
• Description: A subsystem does not behave as specified
• From use case: Modelling
• Occurrences: in Modelling
• Error View: (figure not reproduced)
Table 133 Error: Contract violation
• Error: Non-termination
• Description: Iteration blocks or other blocks might never return results
• From use case: Modelling
• Occurrences: in Modelling
• Error View: (figure not reproduced)
Table 134 Error: Non-termination
• Error: Runtime error
• Description: Runtime error, such as division by zero, array index out of bounds, etc.
• From use case: Modelling
• Occurrences: in Modelling
• Error View: (figure not reproduced)
Table 135 Error: Runtime error
• Error: Wrong contract
• Description: Wrong subsystem specification
• From use case: Modelling
• Occurrences: in Modelling
• Error View: (figure not reproduced)
Table 136 Error: Wrong contract
1.7.7.4 TCL DETERMINATION FOR USE CASE: MODELLING REQUIREMENTS
The use case "Modelling Requirements" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. This use case has no errors.
1.8 TECNALIA ASSURANCE CASE EDITOR
This section explains the determination of the Tool Confidence Level (TCL) for the tool Tecnalia Assurance Case Editor.
• Tool: Tecnalia Assurance Case Editor
• Description: This tool supports the editing of a safety case in a graphical view. Comment: This is a support for an expert to express in a graphical way the safety case associated with the certification dossier, in order to support authorities while checking the evidence.
• Impact: TI 2 (Impact)
• Tool Confidence Level: TCL 1
Table 137 Tool: Tecnalia Assurance Case Editor
The tool Tecnalia Assurance Case Editor is modeled with 4 elements which have impact, none of them are assumptions. No additional features have been modeled.
Elements            Amount (Assumptions)
Use Cases           1 (0)
Checks              1 (0)
Restrictions        0 (0)
Potential Errors    2 (0)
Table 138 Amount of Elements in Tool: Tecnalia Assurance Case Editor
1.8.1 USE CASES OF TECNALIA ASSURANCE CASE EDITOR
This section describes all analyzed use cases of Tecnalia Assurance Case Editor in separate subsections. The following use cases of the tool Tecnalia Assurance Case Editor are considered:
1. Assurance Case edition, see Section 1.8.1.1
1.8.1.1 USE CASE ASSURANCE CASE EDITION
This section describes the use case "Assurance Case edition".
• UseCase: Assurance Case edition
• Description: The user can draw the case using the elements defined in the GSN standard. Comment: This is done by a certification expert and simply presents, in a graphical way, the arguments showing that the evidence supports the safety goals.
Table 139 UseCase: Assurance Case edition
The use case requires no features and calls no other use cases.
Use cases calling "Assurance Case edition":
• GEMDE Certification, Technical view
The use case "Assurance Case edition" reads and/or writes the following artifacts. The used artifacts are shown in Fig 18 and are summarized in the subsequent table.
Fig 18 Artifacts of Use Case: Assurance Case edition
• Artifacts of Use Case: Assurance Case edition
• Inputs: Safety Case
• Outputs: Safety Case
• Inputs & Outputs: Safety Case
Table 140 Artifacts of Use Case: Assurance Case edition
1.8.2 FEATURES OF TECNALIA ASSURANCE CASE EDITOR
There are no features modeled for Tecnalia Assurance Case Editor.
1.8.3 POTENTIAL ERRORS IN TECNALIA ASSURANCE CASE EDITOR
The tool has 2 different potential errors in 2 occurrences in use cases. The error flow, as can be seen in Fig 19, consists of all relations from errors to checks or restrictions. There are
• no relation from errors caused by other tools to checks or restrictions defined for use cases of this tool.
• 2 relations from errors caused by this tool to checks or restrictions defined for use cases of this tool.
• no relation from errors caused by this tool to checks or restrictions defined for use cases of other tools.
Fig 19 Error Flow to and from Tecnalia Assurance Case Editor
Tecnalia Assurance Case Editor has the following 2 relations, which are detected by checks or restrictions of this tool. The errors are described in detail in the TCL analysis of the corresponding use cases:
• Assurance Case is unexplained (Table 143)
• Assurance Case is unfounded (Table 144)
1.8.4 RESTRICTIONS IN TECNALIA ASSURANCE CASE EDITOR
There are no restrictions in the tool Tecnalia Assurance Case Editor.
1.8.5 CHECKS IN TECNALIA ASSURANCE CASE EDITOR
The following check is performed in the tool Tecnalia Assurance Case Editor.
• Check: Expert audit
• Description: After every assurance case is released, an audit from an expert is done
• From use case: Tecnalia Assurance Case Editor, Assurance Case edition
• Occurrences: in Assurance Case edition
• Error detection probability: TD 1 (HIGH)
• Detected errors: Assurance Case edition, Assurance Case is unexplained; Assurance Case edition, Assurance Case is unfounded
Table 141 Check: Expert audit
1.8.6 ASSUMPTIONS
The determination of the TCL of Tecnalia Assurance Case Editor is not based on assumed checks and restrictions. None of the checks and restrictions are modeled as assumptions.
1.8.7 TCL DETERMINATION
This section determines a TCL for each use case by assigning checks or restrictions with detection/avoidance probability to each potential error. The TCL for the entire tool can be derived from the TCL for each use case. The tool Tecnalia Assurance Case Editor has one use case with TCL 1, no use case with TCL 2 and no use case with TCL 3. Therefore the tool Tecnalia Assurance Case Editor has TCL 1. The use cases are described in the following sections:
• For "Assurance Case edition" (TCL 1) see Section 1.8.7.1.
1.8.7.1 TCL DETERMINATION FOR USE CASE: ASSURANCE CASE EDITION
The use case "Assurance Case edition" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "Assurance Case edition".
Error                           TD            Table
Assurance Case is unexplained   TD 1 (HIGH)   Table 143
Assurance Case is unfounded     TD 1 (HIGH)   Table 144
Table 142 Errors of Use Case: Assurance Case edition
• Error: Assurance Case is unexplained
• Description: The assurance case contains evidence not properly linked to an argument
• From use case: Assurance Case edition
• Discovered by the following checks: Assurance Case edition.Expert audit
• Occurrences: in Assurance Case edition
• Error View: (figure not reproduced)
Table 143 Error: Assurance Case is unexplained
• Error: Assurance Case is unfounded
• Description: The safety case contains arguments not supported by proper evidence
• From use case: Assurance Case edition
• Discovered by the following checks: Assurance Case edition.Expert audit
• Occurrences: in Assurance Case edition
• Error View: (figure not reproduced)
Table 144 Error: Assurance Case is unfounded
1.9 TOOL CHAIN ANALYZER
This section explains the determination of the Tool Confidence Level (TCL) for the tool Tool Chain Analyzer.
• Tool: Tool Chain Analyzer
• Description: The tool TCA to analyze tool chains. It can be obtained from Validas AG at www.validas.de/TCA.html
• Impact: TI 2 (Impact)
• Tool Confidence Level: TCL 3
Table 145 Tool: Tool Chain Analyzer
The tool Tool Chain Analyzer is modeled with 17 elements which have impact, none of them are assumptions. In addition, 10 features have been modeled, one of which is an assumption.
Elements            Amount (Assumptions)
Use Cases           5 (0)
Checks              1 (0)
Restrictions        0 (0)
Potential Errors    11 (0)
Table 146 Amount of Elements in Tool: Tool Chain Analyzer
1.9.1 USE CASES OF TOOL CHAIN ANALYZER
This section describes all analyzed use cases of Tool Chain Analyzer in separate subsections. The following use cases of the tool Tool Chain Analyzer are considered:
1. Cost Calculation, see Section 1.9.1.1
2. Create Model, see Section 1.9.1.2
3. Determinate Tool Confidence Level, see Section 1.9.1.3
4. Generate Tool Classification Report, see Section 1.9.1.4
5. Review Model, see Section 1.9.1.5
1.9.1.1 USE CASE COST CALCULATION
This section describes the use case "Cost Calculation".
• UseCase: Cost Calculation
• Description: The TCA can calculate the costs of the tool chain and the manual steps involved.
Table 147 UseCase: Cost Calculation
The use case requires 3 features and calls no other use cases. Fig 20 shows the dependencies between the use cases and features.
Fig 20 Dependency View of Use Case: Cost Calculation
"Cost Calculation" uses the following features:
• Cost Model
• EMF
• Excel Interface
In order to fulfill the requirements of the use case, usually a number of artifacts will be read and/or written. But in "Cost Calculation" the tool Tool Chain Analyzer uses no artifacts.
1.9.1.2 USE CASE CREATE MODEL
This section describes the use case "Create Model".
• UseCase: Create Model
• Description: The TCA model is created using interactive work with the tool
Table 148 UseCase: Create Model
The use case requires 3 features and calls no other use cases. Fig 21 shows the dependencies between the use cases and features.
Fig 21 Dependency View of Use Case: Create Model
"Create Model" uses the following features:
• EMF
• Model Validation
• Xml Interface
The use case "Create Model" reads and/or writes the following artifacts. The used artifacts are shown in Fig 22 and are summarized in the subsequent table.
Fig 22 Artifacts of Use Case: Create Model
• Artifacts of Use Case: Create Model
• Inputs: Overall Project Plan, Safety Plan
Table 149 Artifacts of Use Case: Create Model
1.9.1.3 USE CASE DETERMINATE TOOL CONFIDENCE LEVEL
This section describes the use case "Determinate Tool Confidence Level".
• UseCase: Determinate Tool Confidence Level
• Description: The Tool Chain Analyzer determines the Tool Confidence Level according to ISO 26262. Comment: The TCA model is considered to be a part of the software tool application guidelines.
Table 150 UseCase: Determinate Tool Confidence Level
The use case requires 2 features and calls no other use cases. Fig 23 shows the dependencies between the use cases and features.
Fig 23 Dependency View of Use Case: Determinate Tool Confidence Level
"Determinate Tool Confidence Level" uses the following features:
• Compute Tool Confidence Level
• EMF
The use case "Determinate Tool Confidence Level" reads and/or writes the following artifacts. The used artifacts are shown in Fig 24 and are summarized in the subsequent table.
Fig 24 Artifacts of Use Case: Determinate Tool Confidence Level
• Artifacts of Use Case: Determinate Tool Confidence Level
• Inputs: Overall Project Plan, Safety Plan
• Outputs: Safety Manual, Tool Evaluation Report
Table 151 Artifacts of Use Case: Determinate Tool Confidence Level
1.9.1.4 USE CASE GENERATE TOOL CLASSIFICATION REPORT
This section describes the use case "Generate Tool Classification Report".
• UseCase: Generate Tool Classification Report
• Description: A tool classification report is generated containing the Tool Confidence Level for all tools. The tool classification report consists of two parts. The first one is related to the considered process and contains individual descriptions like information sources, tool versions etc. The second part describes the formal model of the tool chain with all elements (tools, use cases, artifacts, errors, probabilities, ...) and the automatically computed tool confidence level for each tool. The second part is generated from the TCA into a Word document. The information flows in the generated report are graphically visualised using the GraphViz tool. Comment: We consider the generated report to be also a part of the tool application guidelines.
Table 152 UseCase: Generate Tool Classification Report
The use case requires 3 features and calls no other use cases. Fig 25 shows the dependencies between the use cases and features.
Fig 25 Dependency View of Use Case: Generate Tool Classification Report
"Generate Tool Classification Report" uses the following features:
• Compute Tool Confidence Level
• EMF
• Generate Word (docx)
The use case "Generate Tool Classification Report" reads and/or writes the following artifacts. The used artifacts are shown in Fig 26 and are summarized in the subsequent table.
Fig 26 Artifacts of Use Case: Generate Tool Classification Report
• Artifacts of Use Case: Generate Tool Classification Report
• Inputs: Overall Project Plan
• Outputs: Tool Evaluation Report
• Inputs & Outputs: Safety Manual
Table 153 Artifacts of Use Case: Generate Tool Classification Report
1.9.1.5 USE CASE REVIEW MODEL
This section describes the use case "Review Model".
• UseCase: Review Model
• Description: The model is reviewed using Excel interfaces that are easier to use for many reviewers
Table 154 UseCase: Review Model
The use case requires 4 features and calls no other use cases. Fig 27 shows the dependencies between the use cases and features.
Fig 27 Dependency View of Use Case: Review Model
"Review Model" uses the following features:
• EMF
• Excel Interface
• Model Validation
• SG_Use Review Checklist
The use case "Review Model" reads and/or writes the following artifacts. The used artifacts are shown in Fig 28 and are summarized in the subsequent table.
Fig 28 Artifacts of Use Case: Review Model
• Artifacts of Use Case: Review Model
• Inputs: Overall Project Plan, Safety Plan
• Outputs: Review Protocol
• Inputs & Outputs: Safety Manual
Table 155 Artifacts of Use Case: Review Model
1.9.2 FEATURES OF TOOL CHAIN ANALYZER
This section describes all analyzed features of Tool Chain Analyzer in separate subsections. The following features of the tool Tool Chain Analyzer are considered:
1. Compute Tool Confidence Level, see Section 1.9.2.1
2. Cost Model, see Section 1.9.2.2
3. EMF, see Section 1.9.2.3
4. Excel Interface, see Section 1.9.2.4
5. Generate Word (docx), see Section 1.9.2.5
6. Model Validation, see Section 1.9.2.6
7. Safety Guidelines, see Section 1.9.2.7
8. SG_Avoid Feature, see Section 1.9.2.8
9. SG_Use Review Checklist, see Section 1.9.2.9
10. Xml Interface, see Section 1.9.2.10
1.9.2.1 FEATURE COMPUTE TOOL CONFIDENCE LEVEL
This section describes the feature "Compute Tool Confidence Level".
• Feature: Compute Tool Confidence Level
• Description: The tool confidence level is computed according to ISO 26262. The tool confidence level (TCL) is computed based on the error detection (TD) probability of all potential errors in the relevant use cases, if a tool has impact (TI) on the safety of the product. More details can be found in the TCA user manual, which is located in the TCA plugin Documentation, for example: Programme\TCA150\TCA150\plugins\Documentation_1.5.0\UserManual.pdf
Table 156 Feature: Compute Tool Confidence Level
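The TCL rule used throughout this report (a use case takes the worst TD of its errors, an error with no check or restriction is TD 3, a use case without errors is TCL 1, and the tool inherits the highest use-case TCL) can be reproduced in a few lines. The following is an added example, not TCA code; it assumes the ISO 26262-8 mapping from TI and TD to TCL, and takes its tool data from the Simulink and Tecnalia Assurance Case Editor tables of this report.

```python
"""Worked example of the TCL determination rule described in this report.

Added example, not part of the Tool Chain Analyzer. The TI/TD -> TCL mapping is
the one from ISO 26262-8 (assumed here); the tool data is taken from the
tables of this report.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# ISO 26262-8 mapping (assumption): TI 1 always gives TCL 1; for TI 2 the TCL
# follows the detection level, TD 1 -> TCL 1, TD 2 -> TCL 2, TD 3 -> TCL 3.
TCL_TABLE: Dict[int, Dict[int, int]] = {
    1: {1: 1, 2: 1, 3: 1},
    2: {1: 1, 2: 2, 3: 3},
}


@dataclass
class PotentialError:
    name: str
    # TD of every check or restriction assigned to this error (1 = HIGH, 3 = LOW).
    measures: List[int] = field(default_factory=list)

    def td(self) -> int:
        # An error with no relation to any check or restriction is not
        # detected at all: the report lists such errors as TD 3 (LOW).
        # With several measures, the best (numerically lowest) TD counts.
        return min(self.measures) if self.measures else 3


@dataclass
class UseCase:
    name: str
    errors: List[PotentialError] = field(default_factory=list)

    def worst_td(self) -> Optional[int]:
        # "The TCL is determined by the lowest Tool Detection Level (TD) of all
        # errors of the use case": lowest detection = numerically highest TD.
        return max(e.td() for e in self.errors) if self.errors else None


def use_case_tcl(ti: int, uc: UseCase) -> int:
    td = uc.worst_td()
    if td is None:
        return 1  # "This use case has no errors" -> TCL 1
    return TCL_TABLE[ti][td]


def tool_tcl(ti: int, use_cases: List[UseCase]) -> int:
    # The tool inherits the highest TCL of its use cases; a tool with no
    # modeled use case (nuSMV Model Checker, Process Checker) gets TCL 1.
    return max((use_case_tcl(ti, uc) for uc in use_cases), default=1)


def use_case_summary(ti: int, use_cases: List[UseCase]) -> Dict[str, int]:
    return {uc.name: use_case_tcl(ti, uc) for uc in use_cases}


# Tool data as modeled in this report (Tables 124 to 136 and 142 to 144).
SIMULINK_TI = 2
SIMULINK = [
    UseCase("Code generation", [PotentialError(n) for n in
            ("Scheduling error", "WCET violation", "Wrong code")]),
    UseCase("Contracts to assertions", [PotentialError("Incorrect translation")]),
    UseCase("Modelling", [PotentialError(n) for n in
            ("Contract corruption", "Contract removal", "Contract violation",
             "Non-termination", "Runtime error", "Wrong contract")]),
    UseCase("Modelling Requirements"),  # no errors modeled
]

TECNALIA_TI = 2
TECNALIA = [
    # Both errors are detected by the check "Expert audit" with TD 1 (HIGH).
    UseCase("Assurance Case edition", [
        PotentialError("Assurance Case is unexplained", [1]),
        PotentialError("Assurance Case is unfounded", [1]),
    ]),
]

if __name__ == "__main__":
    for name, ti, ucs in (("Simulink", SIMULINK_TI, SIMULINK),
                          ("Tecnalia Assurance Case Editor", TECNALIA_TI, TECNALIA)):
        print(name, "use cases:", use_case_summary(ti, ucs), "-> TCL", tool_tcl(ti, ucs))
```

Running the script reproduces the report's results: Simulink TCL 3 (three use cases at TCL 3, "Modelling Requirements" at TCL 1) and Tecnalia Assurance Case Editor TCL 1.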
The feature "Compute Tool Confidence Level" reads and/or writes the following artifacts. The used artifacts are shown in Fig 29 and are summarized in the subsequent table.
Fig 29 Artifacts of Feature: Compute Tool Confidence Level
• Artifacts of Feature: Compute Tool Confidence Level
• Inputs: User Input
• Outputs: Display Output, Excel File, Word Document
• Inputs & Outputs: Model
Table 157 Artifacts of Feature: Compute Tool Confidence Level
1.9.2.2 FEATURE COST MODEL
This section describes the feature "Cost Model".
• Feature: Cost Model
• Description: Feature to model the costs of the process
Table 158 Feature: Cost Model
The feature "Cost Model" reads and/or writes the following artifacts. The used artifacts are shown in Fig 30 and are summarized in the subsequent table.
Fig 30 Artifacts of Feature: Cost Model
• Artifacts of Feature: Cost Model
• Inputs: User Input
• Outputs: Display Output
• Inputs & Outputs: Excel File, Model
Table 159 Artifacts of Feature: Cost Model
1.9.2.3 FEATURE EMF
This section describes the feature "EMF".
• Feature: EMF
• Description: The EMF (Eclipse Modeling Framework) is used for editing and persistency of the models
Table 160 Feature: EMF
The feature "EMF" reads and/or writes the following artifacts. The used artifacts are shown in Fig 31 and are summarized in the subsequent table.
Fig 31 Artifacts of Feature: EMF
• Artifacts of Feature: EMF
• Inputs: User Input
• Outputs: Display Output
• Inputs & Outputs: Model
Table 161 Artifacts of Feature: EMF
1.9.2.4 FEATURE EXCEL INTERFACE
This section describes the feature "Excel Interface".
• Feature: Excel Interface
• Description: Export and import of different views into Excel (.xls) files. The following views can be exported and imported into Excel to ease the modeling process:
  - tool attributes
  - features
  - artifacts
  - errors
  More details can be found in the TCA user manual, which is located in the TCA plugin Documentation, for example: Programme\TCA150\TCA150\plugins\Documentation_1.5.0\UserManual.pdf
Table 162 Feature: Excel Interface
The feature "Excel Interface" reads and/or writes the following artifacts. The used artifacts are shown in Fig 32 and are summarized in the subsequent table.
Fig 32 Artifacts of Feature: Excel Interface
• Artifacts of Feature: Excel Interface
• Inputs: User Input
• Inputs & Outputs: Excel File, Model
Table 163 Artifacts of Feature: Excel Interface
1.9.2.5 FEATURE GENERATE WORD (DOCX)
This section describes the feature "Generate Word (docx)".
• Feature: Generate Word (docx)
• Description: Generates a Word documentation from the model. A Word report is generated from the model that contains the complete information in a readable format. For each tool there is a section with the following information:
  - use cases
  - features
  - errors
  - checks
  - restrictions
  - assumptions
  - artifacts
  - qualifications
  - tool confidence level explanations for all errors in all use cases of the tool.
  Furthermore, graphical visualisations of important relations are included.
Table 164 Feature: Generate Word (docx)
The feature "Generate Word (docx)" reads and/or writes the following artifacts. The used artifacts are shown in Fig 33 and are summarized in the subsequent table.
Fig 33 Artifacts of Feature: Generate Word (docx)
• Artifacts of Feature: Generate Word (docx)
• Inputs: Model, User Input
• Outputs: Word Document
Table 165 Artifacts of Feature: Generate Word (docx)
1.9.2.6 FEATURE MODEL VALIDATION
This section describes the feature "Model Validation".
• Feature: Model Validation
• Description: The TCA detects inconsistent models. There are many consistency checks implemented that exceed the syntactic checks. More details can be found in the TCA user manual, which is located in the TCA plugin Documentation, for example: Programme\TCA150\TCA150\plugins\Documentation_1.5.0\UserManual.pdf
Table 166 Feature: Model Validation
The feature "Model Validation" reads and/or writes the following artifacts. The used artifacts are shown in Fig 34 and are summarized in the subsequent table.
Fig 34 Artifacts of Feature: Model Validation
• Artifacts of Feature: Model Validation
• Inputs: Model, User Input
• Outputs: Display Output
Table 167 Artifacts of Feature: Model Validation
1.9.2.7 FEATURE SAFETY GUIDELINES
This section describes the feature "Safety Guidelines".
• Feature: Safety Guidelines
• Description: Use the safety manual of the TCA that contains safety checks that should be applied
Table 168 Feature: Safety Guidelines
The feature "Safety Guidelines" has the following 2 sub-features:
• SG_Avoid Feature • SG_Use Review Checklist
In order to fulfill the requirements of the feature, usually a number of artifacts will be read and/or written. But in "Safety Guidelines" the tool Tool Chain Analyzer uses no artifacts.
1.9.2.8 FEATURE SG_AVOID FEATURE
This section describes the feature "SG_Avoid Feature".
• Feature: SG_Avoid Feature
• Description: Avoid this feature, since it is redundant.
• Is assumption: True
Table 169 Feature: SG_Avoid Feature
The feature "SG_Avoid Feature" is part of the following feature:
• Safety Guidelines
In order to fulfil the requirements of a feature, usually a number of artifacts are read and/or written. In "SG_Avoid Feature", however, the tool Tool Chain Analyzer uses no artifacts.
1.9.2.9 FEATURE SG_USE REVIEW CHECKLIST
This section describes the feature "SG_Use Review Checklist".
• Feature: SG_Use Review Checklist
• Description: Apply the checks of the review checklists.
Table 170 Feature: SG_Use Review Checklist
The feature "SG_Use Review Checklist" is part of the following feature:
• Safety Guidelines
In order to fulfil the requirements of a feature, usually a number of artifacts are read and/or written. In "SG_Use Review Checklist", however, the tool Tool Chain Analyzer uses no artifacts.
1.9.2.10 FEATURE XML INTERFACE
This section describes the feature "Xml Interface".
• Feature: Xml Interface
• Description: The Xml interface supports the export and import of single tool models.
For the integration of large models based on single tool models, this feature can be used to develop models in parallel working teams. To ensure the modularity of the exported models, all referenced elements of the tool are also exported, but only with the minimal required information. More details can be found in the TCA user manual, which is located in the TCA plugin Documentation, for example: Programme\TCA150\TCA150\plugins\Documentation_1.5.0\UserManual.pdf
Table 171 Feature: Xml Interface
The feature "Xml Interface" reads and/or writes the following artifacts. The used artifacts are shown in Fig 35 and are summarized in the subsequent table.
Fig 35 Artifacts of Feature: Xml Interface
• Artifacts of Feature: Xml Interface
• Inputs:
o User Input
• Inputs & Outputs:
o Model
Table 172 Artifacts of Feature: Xml Interface
1.9.3 POTENTIAL ERRORS IN TOOL CHAIN ANALYZER
The tool has 11 different potential errors in 19 occurrences in use cases. The error flow, as can be seen in Fig 36, consists of all relations from errors to checks or restrictions. There are
• no relations from errors caused by other tools to checks or restrictions defined for use cases of this tool.
• 7 relations from errors caused by this tool to checks or restrictions defined for use cases of this tool.
• 2 relations from errors caused by this tool to checks or restrictions defined for use cases of other tools.
• 10 errors caused by this tool without any relation to checks or restrictions.
Fig 36 Error Flow to and from Tool Chain Analyzer
Tool Chain Analyzer has the following 7 relations, which are detected by checks or restrictions of this tool. The errors are described in detail in the TCL analysis of the corresponding use cases:
• Model Not Adequate (Table 195)
• Wrong Export
o 2 occurrences: Table 197, Table 177
• Wrong Import
o 2 occurrences: Table 198, Table 178
• Wrong XML Export (Table 182)
• Wrong XML Import (Table 183)
Due to 2 relations, Tool Chain Analyzer has an impact on one other tool. The errors are listed in Table 173.
Tool | Error | UseCase | Table
Process Checker | Process Inconsistently Modelled | Create Model | Table 181
Process Checker | Process Inconsistently Modelled | Review Model | Table 196
Table 173 Errors of Tool Chain Analyzer with impact on other tools
The following 10 error occurrences of Tool Chain Analyzer have no relation to any check or restriction:
• Any EMF Error
o 5 occurrences: Table 185, Table 176, Table 190, Table 180, Table 194
• Document Generated Wrongly (Table 191)
• TCL Wrongly Shown (Table 186)
• TCL Wrongly Written (Table 187)
• Wrong TCL Computed
o 2 occurrences: Table 188, Table 192
1.9.4 RESTRICTIONS IN TOOL CHAIN ANALYZER
There are no restrictions in the tool Tool Chain Analyzer.
1.9.5 CHECKS IN TOOL CHAIN ANALYZER
The following check is performed in the tool Tool Chain Analyzer.
• Check: Review Checklist
• Description: The model review can be performed using review checklists in which the reviewers fill in their names, findings, etc. Comment: Using this, there is a high probability of finding missing review elements.
• From feature: Tool Chain Analyzer,Safety Guidelines,SG_Use Review Checklist
• Occurrences: in SG_Use Review Checklist in Review Model
• Error detection probability: TD 1 (HIGH)
• Detected errors: Review Model,Model Not Adequate
Table 174 Check: Review Checklist
1.9.6 ASSUMPTIONS
The determination of the TCL of Tool Chain Analyzer is based on the following assumption on the development process:
• Feature: Safety Guidelines,SG_Avoid Feature
1.9.7 TCL DETERMINATION
This section determines a TCL for each use case by assigning checks or restrictions with detection/avoidance probability to each potential error. The TCL for the entire tool can be derived from the TCL for each use case. The tool Tool Chain Analyzer has no use case with TCL 1, no use case with TCL 2 and 5 use cases with TCL 3. Therefore the tool Tool Chain Analyzer has TCL 3. The use cases are described in the following sections:
• For "Cost Calculation" (TCL 3) see Section 1.9.7.1,
• for "Create Model" (TCL 3) see Section 1.9.7.2,
• for "Determinate Tool Confidence Level" (TCL 3) see Section 1.9.7.3,
• for "Generate Tool Classification Report" (TCL 3) see Section 1.9.7.4, and
• for "Review Model" (TCL 3) see Section 1.9.7.5.
1.9.7.1 TCL DETERMINATION FOR USE CASE: COST CALCULATION
The use case "Cost Calculation" has TCL 3. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "Cost Calculation".
Error | TD | Table
Any EMF Error | TD 3 (LOW) | Table 176
Wrong Export | TD 3 (LOW) | Table 177
Wrong Import | TD 3 (LOW) | Table 178
Table 175 Errors of Use Case: Cost Calculation
• Error: Any EMF Error
• Description: Any error that can occur in EMF (uncritical errors may be excluded)
• From feature: EMF
• Subsumes:
• "Algorithm Error" from "Fcn_Algorithm"
• "Defect File" from "Data_File" • "Defect Text" from "Data_File_Text" • "Empty File" from "Data_File" • "Empty Model" from "Data_File_Syntax_Model" • "Empty Text" from "Data_File_Text" • "Line Missing" from "Data_File_Text" • "Model Unreadable" from "Data_File_Syntax_Model" • "No Interaction" from "Data_Interaction" • "Not Accessible File" from "Data_File" • "Not Accessible Model" from "Data_File_Syntax_Model" • "Not Accessible Text" from "Data_File_Text" • "Other File" from "Data_File" • "Other Model" from "Data_File_Syntax_Model" • "Other Partner" from "Data_Interaction" • "Other Text" from "Data_File_Text" • "Too Big File" from "Data_File" • "Too Big Model" from "Data_File_Syntax_Model" • "Too Big Text" from "Data_File_Text" • "Too Early Data" from "Data_Interaction" • "Too Late Data" from "Data_Interaction" • "Transformation Not Supported" from "Fcn_Behaviour_Transformation" • "Wrong Algorithm" from "Fcn_Algorithm" • "Wrong Behaviour" from "Fcn_Behaviour" • "Wrong Interaction" from "Data_Interaction" • "Wrong Model Behaviour" from "Data_File_Syntax_Model" • "Wrong Model Description" from "Data_File_Syntax_Model" • "Wrong Transformation" from "Fcn_Behaviour_Transformation" • "Wrong Variant" from "Fcn_Variants"
• Occurrences: in EMF in Cost Calculation
• Error View: (figure not reproduced in this extract)
Table 176 Error: Any EMF Error
• Error: Wrong Export
• Description: The Excel file does not contain the relevant information of the model.
• From feature: Excel Interface
• Subsumes:
• "Decoded Wongly" from "Fcn_Algorithm_DeEncode"
• "Defect File" from "Data_File" • "Empty File" from "Data_File" • "Empty Syntaxfile" from "Data_File_Syntax" • "Empty Table" from "Data_File_Table" • "Encoded Wrongly" from "Fcn_Algorithm_DeEncode" • "Not Accessible File" from "Data_File" • "Not Accessible Syntaxfile" from "Data_File_Syntax" • "Not Accessible Table" from "Data_File_Table" • "Option Defect" from "Fcn_Variants_Options" • "Option Ignored" from "Fcn_Variants_Options" • "Other File" from "Data_File" • "Other Syntaxfile" from "Data_File_Syntax" • "Other Table" from "Data_File_Table" • "Syntax Error" from "Data_File_Syntax" • "Table Column Error" from "Data_File_Table" • "Table Row Error" from "Data_File_Table" • "Too Big File" from "Data_File" • "Too Big Syntaxfile" from "Data_File_Syntax" • "Transformation Not Supported" from "Fcn_Behaviour_Transformation" • "Wrong Behaviour" from "Fcn_Behaviour" • "Wrong Cell Data" from "Data_File_Table" • "Wrong Semantic" from "Data_File_Syntax" • "Wrong Transformation" from "Fcn_Behaviour_Transformation"
• Occurrences: in Excel Interface in Cost Calculation
• Avoided by the following restrictions: Safety Guidelines,SG_Avoid Feature.Avoid Features
• Error View: (figure not reproduced in this extract)
Table 177 Error: Wrong Export
• Error: Wrong Import
• Description: The model is created wrongly.
• From feature: Excel Interface
• Subsumes:
• "Defect File" from "Data_File"
• "Empty File" from "Data_File" • "Empty Model" from "Data_File_Syntax_Model" • "Model Unreadable" from "Data_File_Syntax_Model" • "Not Accessible File" from "Data_File" • "Not Accessible Model" from "Data_File_Syntax_Model" • "Option Defect" from "Fcn_Variants_Options" • "Option Ignored" from "Fcn_Variants_Options" • "Other File" from "Data_File" • "Other Model" from "Data_File_Syntax_Model" • "Too Big File" from "Data_File" • "Too Big Model" from "Data_File_Syntax_Model" • "Wrong Model Behaviour" from "Data_File_Syntax_Model" • "Wrong Model Description" from "Data_File_Syntax_Model"
• Occurrences: in Excel Interface in Cost Calculation
• Avoided by the following restrictions: Safety Guidelines,SG_Avoid Feature.Avoid Features
• Error View: (figure not reproduced in this extract)
Table 178 Error: Wrong Import
1.9.7.2 TCL DETERMINATION FOR USE CASE: CREATE MODEL
The use case "Create Model" has TCL 3. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "Create Model".
Error | TD | Table
Any EMF Error | TD 3 (LOW) | Table 180
Process Inconsistently Modelled | TD 1 (HIGH) | Table 181
Wrong XML Export | TD 3 (LOW) | Table 182
Wrong XML Import | TD 3 (LOW) | Table 183
Table 179 Errors of Use Case: Create Model
• Error: Any EMF Error
• Description: Any error that can occur in EMF (uncritical errors may be excluded)
• From feature: EMF
• Subsumes:
• "Algorithm Error" from "Fcn_Algorithm"
• "Defect File" from "Data_File" • "Defect Text" from "Data_File_Text" • "Empty File" from "Data_File" • "Empty Model" from "Data_File_Syntax_Model" • "Empty Text" from "Data_File_Text" • "Line Missing" from "Data_File_Text" • "Model Unreadable" from "Data_File_Syntax_Model" • "No Interaction" from "Data_Interaction" • "Not Accessible File" from "Data_File" • "Not Accessible Model" from "Data_File_Syntax_Model"
• "Not Accessible Text" from "Data_File_Text" • "Other File" from "Data_File" • "Other Model" from "Data_File_Syntax_Model" • "Other Partner" from "Data_Interaction" • "Other Text" from "Data_File_Text" • "Too Big File" from "Data_File" • "Too Big Model" from "Data_File_Syntax_Model" • "Too Big Text" from "Data_File_Text" • "Too Early Data" from "Data_Interaction" • "Too Late Data" from "Data_Interaction" • "Transformation Not Supported" from "Fcn_Behaviour_Transformation" • "Wrong Algorithm" from "Fcn_Algorithm" • "Wrong Behaviour" from "Fcn_Behaviour" • "Wrong Interaction" from "Data_Interaction" • "Wrong Model Behaviour" from "Data_File_Syntax_Model" • "Wrong Model Description" from "Data_File_Syntax_Model" • "Wrong Transformation" from "Fcn_Behaviour_Transformation" • "Wrong Variant" from "Fcn_Variants"
• Occurrences: in EMF in Create Model
• Error View: (figure not reproduced in this extract)
Table 180 Error: Any EMF Error
• Error: Process Inconsistently Modelled
• Description: The process might be inconsistent, e.g. a document is neither created nor written.
• From feature: Model Validation
• Subsumes:
• "Algorithm Error" from "Fcn_Algorithm"
• "Defect File" from "Data_File" • "Defect Text" from "Data_File_Text"
• "Empty File" from "Data_File" • "Empty Text" from "Data_File_Text" • "Line Missing" from "Data_File_Text" • "No Interaction" from "Data_Interaction" • "Not Accessible File" from "Data_File" • "Not Accessible Text" from "Data_File_Text" • "Other File" from "Data_File" • "Other Partner" from "Data_Interaction" • "Other Text" from "Data_File_Text" • "Too Big File" from "Data_File" • "Too Big Text" from "Data_File_Text" • "Too Early Data" from "Data_Interaction" • "Too Late Data" from "Data_Interaction" • "Wrong Algorithm" from "Fcn_Algorithm" • "Wrong Behaviour" from "Fcn_Behaviour" • "Wrong Error Reported" from "Model Validation" • "Wrong Interaction" from "Data_Interaction" • "Wrong Specification" from "Fcn_Specification"
• Occurrences: in Model Validation in Create Model
• Avoided by the following restrictions: Validate Process.Consistent Process
• Error View: (figure not reproduced in this extract)
Table 181 Error: Process Inconsistently Modelled
• Error: Wrong XML Export
• Description: The XML file does not contain the relevant information of the model.
• From feature: Xml Interface
• Occurrences: in Xml Interface in Create Model
• Avoided by the following restrictions: Safety Guidelines,SG_Avoid Feature.Avoid Features
• Error View: (figure not reproduced in this extract)
Table 182 Error: Wrong XML Export
• Error: Wrong XML Import
• Description: The model is created wrongly.
• From feature: Xml Interface
• Subsumes:
• "Defect File" from "Data_File"
• "Empty File" from "Data_File" • "Empty Model" from "Data_File_Syntax_Model" • "Model Unreadable" from "Data_File_Syntax_Model" • "Not Accessible File" from "Data_File" • "Not Accessible Model" from "Data_File_Syntax_Model" • "Other File" from "Data_File" • "Other Model" from "Data_File_Syntax_Model" • "Too Big File" from "Data_File" • "Too Big Model" from "Data_File_Syntax_Model" • "Wrong Model Behaviour" from "Data_File_Syntax_Model" • "Wrong Model Description" from "Data_File_Syntax_Model"
• Occurrences: in Xml Interface in Create Model
• Avoided by the following restrictions: Safety Guidelines,SG_Avoid Feature.Avoid Features
• Error View: (figure not reproduced in this extract)
Table 183 Error: Wrong XML Import
1.9.7.3 TCL DETERMINATION FOR USE CASE: DETERMINATE TOOL CONFIDENCE LEVEL
The use case "Determinate Tool Confidence Level" has TCL 3. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "Determinate Tool Confidence Level".
Error | TD | Table
Any EMF Error | TD 3 (LOW) | Table 185
TCL Wrongly Shown | TD 3 (LOW) | Table 186
TCL Wrongly Written | TD 3 (LOW) | Table 187
Wrong TCL Computed | TD 3 (LOW) | Table 188
Table 184 Errors of Use Case: Determinate Tool Confidence Level
• Error: Any EMF Error
• Description: Any error that can occur in EMF (uncritical errors may be excluded)
• From feature: EMF
• Subsumes:
• "Algorithm Error" from "Fcn_Algorithm"
• "Defect File" from "Data_File" • "Defect Text" from "Data_File_Text" • "Empty File" from "Data_File" • "Empty Model" from "Data_File_Syntax_Model" • "Empty Text" from "Data_File_Text" • "Line Missing" from "Data_File_Text" • "Model Unreadable" from "Data_File_Syntax_Model" • "No Interaction" from "Data_Interaction" • "Not Accessible File" from "Data_File" • "Not Accessible Model" from "Data_File_Syntax_Model"
• "Not Accessible Text" from "Data_File_Text" • "Other File" from "Data_File" • "Other Model" from "Data_File_Syntax_Model" • "Other Partner" from "Data_Interaction" • "Other Text" from "Data_File_Text" • "Too Big File" from "Data_File" • "Too Big Model" from "Data_File_Syntax_Model" • "Too Big Text" from "Data_File_Text" • "Too Early Data" from "Data_Interaction" • "Too Late Data" from "Data_Interaction" • "Transformation Not Supported" from "Fcn_Behaviour_Transformation" • "Wrong Algorithm" from "Fcn_Algorithm" • "Wrong Behaviour" from "Fcn_Behaviour" • "Wrong Interaction" from "Data_Interaction" • "Wrong Model Behaviour" from "Data_File_Syntax_Model" • "Wrong Model Description" from "Data_File_Syntax_Model" • "Wrong Transformation" from "Fcn_Behaviour_Transformation" • "Wrong Variant" from "Fcn_Variants"
• Occurrences: in EMF in Determinate Tool Confidence Level
• Error View: (figure not reproduced in this extract)
Table 185 Error: Any EMF Error
• Error: TCL Wrongly Shown
• Description: The TCL is computed correctly but shown wrongly
• From use case: Determinate Tool Confidence Level
• Subsumes:
• "Defect Text" from "Data_File_Text"
• "Empty Text" from "Data_File_Text" • "Line Missing" from "Data_File_Text"
• "No Interaction" from "Data_Interaction" • "Not Accessible Text" from "Data_File_Text" • "Other Partner" from "Data_Interaction" • "Other Text" from "Data_File_Text" • "Too Big Text" from "Data_File_Text" • "Too Early Data" from "Data_Interaction" • "Too Late Data" from "Data_Interaction" • "Wrong Interaction" from "Data_Interaction"
• Occurrences: in Determinate Tool Confidence Level
• Error View: (figure not reproduced in this extract)
Table 186 Error: TCL Wrongly Shown
• Error: TCL Wrongly Written
• Description: The TCL is computed or written wrongly into a file
• From use case: Determinate Tool Confidence Level
• Subsumes:
• "Defect File" from "Data_File"
• "Defect Text" from "Data_File_Text" • "Empty File" from "Data_File" • "Empty Model" from "Data_File_Syntax_Model" • "Empty Syntaxfile" from "Data_File_Syntax" • "Empty Table" from "Data_File_Table" • "Empty Text" from "Data_File_Text" • "Line Missing" from "Data_File_Text" • "Model Unreadable" from "Data_File_Syntax_Model" • "No XML Content" from "Data_File_Syntax_XML" • "Not Accessible File" from "Data_File" • "Not Accessible Model" from "Data_File_Syntax_Model" • "Not Accessible Syntaxfile" from "Data_File_Syntax" • "Not Accessible Table" from "Data_File_Table" • "Not Accessible Text" from "Data_File_Text" • "Not Accessible XML File" from "Data_File_Syntax_XML" • "Other File" from "Data_File" • "Other Model" from "Data_File_Syntax_Model" • "Other Syntaxfile" from "Data_File_Syntax"
• "Other Table" from "Data_File_Table" • "Other Text" from "Data_File_Text" • "Other XML File" from "Data_File_Syntax_XML" • "Syntax Error" from "Data_File_Syntax" • "Table Column Error" from "Data_File_Table" • "Table Row Error" from "Data_File_Table" • "Too Big File" from "Data_File" • "Too Big Model" from "Data_File_Syntax_Model" • "Too Big Syntaxfile" from "Data_File_Syntax" • "Too Big Text" from "Data_File_Text" • "Wron XML Composition" from "Data_File_Syntax_XML" • "Wrong Cell Data" from "Data_File_Table" • "Wrong Model Behaviour" from "Data_File_Syntax_Model" • "Wrong Model Description" from "Data_File_Syntax_Model" • "Wrong Semantic" from "Data_File_Syntax" • "XML Attribute Error" from "Data_File_Syntax_XML" • "XML Link Error" from "Data_File_Syntax_XML" • "XML Schema Violation" from "Data_File_Syntax_XML"
• Occurrences: in Determinate Tool Confidence Level
• Error View: (figure not reproduced in this extract)
Table 187 Error: TCL Wrongly Written
• Error: Wrong TCL Computed
• Description: The TCL is computed wrongly, e.g. TCL 1 instead of TCL >1
• From feature: Compute Tool Confidence Level
• Subsumes:
• "Algorithm Error" from "Fcn_Algorithm"
• "Defect File" from "Data_File" • "Defect Text" from "Data_File_Text" • "Empty File" from "Data_File" • "Empty Model" from "Data_File_Syntax_Model" • "Empty Syntaxfile" from "Data_File_Syntax" • "Empty Table" from "Data_File_Table" • "Empty Text" from "Data_File_Text" • "Line Missing" from "Data_File_Text"
• "Model Unreadable" from "Data_File_Syntax_Model" • "No Interaction" from "Data_Interaction" • "Not Accessible File" from "Data_File" • "Not Accessible Model" from "Data_File_Syntax_Model" • "Not Accessible Syntaxfile" from "Data_File_Syntax" • "Not Accessible Table" from "Data_File_Table" • "Not Accessible Text" from "Data_File_Text" • "Other File" from "Data_File" • "Other Model" from "Data_File_Syntax_Model" • "Other Partner" from "Data_Interaction" • "Other Syntaxfile" from "Data_File_Syntax" • "Other Table" from "Data_File_Table" • "Other Text" from "Data_File_Text" • "Syntax Error" from "Data_File_Syntax" • "Table Column Error" from "Data_File_Table" • "Table Row Error" from "Data_File_Table" • "Too Big File" from "Data_File" • "Too Big Model" from "Data_File_Syntax_Model" • "Too Big Syntaxfile" from "Data_File_Syntax" • "Too Big Text" from "Data_File_Text" • "Too Early Data" from "Data_Interaction" • "Too Late Data" from "Data_Interaction" • "Wrong Algorithm" from "Fcn_Algorithm" • "Wrong Cell Data" from "Data_File_Table" • "Wrong Interaction" from "Data_Interaction" • "Wrong Model Behaviour" from "Data_File_Syntax_Model" • "Wrong Model Description" from "Data_File_Syntax_Model" • "Wrong Result" from "Fcn_Behaviour_Calculator" • "Wrong Semantic" from "Data_File_Syntax" • "Wrong Specification" from "Fcn_Specification" • "Wrong Variant" from "Fcn_Variants"
• Occurrences: in Compute Tool Confidence Level in Determinate Tool Confidence Level
• Error View: (figure not reproduced in this extract)
Table 188 Error: Wrong TCL Computed
1.9.7.4 TCL DETERMINATION FOR USE CASE: GENERATE TOOL CLASSIFICATION REPORT
The use case "Generate Tool Classification Report" has TCL 3. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "Generate Tool Classification Report".
Error | TD | Table
Any EMF Error | TD 3 (LOW) | Table 190
Document Generated Wrongly | TD 3 (LOW) | Table 191
Wrong TCL Computed | TD 3 (LOW) | Table 192
Table 189 Errors of Use Case: Generate Tool Classification Report
• Error: Any EMF Error
• Description: Any error that can occur in EMF (uncritical errors may be excluded)
• From feature: EMF
• Subsumes:
• "Algorithm Error" from "Fcn_Algorithm"
• "Defect File" from "Data_File" • "Defect Text" from "Data_File_Text" • "Empty File" from "Data_File" • "Empty Model" from "Data_File_Syntax_Model" • "Empty Text" from "Data_File_Text" • "Line Missing" from "Data_File_Text" • "Model Unreadable" from "Data_File_Syntax_Model" • "No Interaction" from "Data_Interaction" • "Not Accessible File" from "Data_File" • "Not Accessible Model" from "Data_File_Syntax_Model" • "Not Accessible Text" from "Data_File_Text"
• "Other File" from "Data_File" • "Other Model" from "Data_File_Syntax_Model" • "Other Partner" from "Data_Interaction" • "Other Text" from "Data_File_Text" • "Too Big File" from "Data_File" • "Too Big Model" from "Data_File_Syntax_Model" • "Too Big Text" from "Data_File_Text" • "Too Early Data" from "Data_Interaction" • "Too Late Data" from "Data_Interaction" • "Transformation Not Supported" from "Fcn_Behaviour_Transformation" • "Wrong Algorithm" from "Fcn_Algorithm" • "Wrong Behaviour" from "Fcn_Behaviour" • "Wrong Interaction" from "Data_Interaction" • "Wrong Model Behaviour" from "Data_File_Syntax_Model" • "Wrong Model Description" from "Data_File_Syntax_Model" • "Wrong Transformation" from "Fcn_Behaviour_Transformation" • "Wrong Variant" from "Fcn_Variants"
• Occurrences: in EMF in Generate Tool Classification Report
• Error View: (figure not reproduced in this extract)
Table 190 Error: Any EMF Error
• Error: Document Generated Wrongly
• Description: The document does not fit the model.
• From feature: Generate Word (docx)
• Subsumes:
• "Defect File" from "Data_File"
• "Defect Text" from "Data_File_Text" • "Empty File" from "Data_File" • "Empty Syntaxfile" from "Data_File_Syntax"
• "Empty Text" from "Data_File_Text" • "Line Missing" from "Data_File_Text" • "Missing CPU" from "Fcn_Resource_CPU" • "Not Accessible File" from "Data_File" • "Not Accessible Syntaxfile" from "Data_File_Syntax" • "Not Accessible Text" from "Data_File_Text" • "Other File" from "Data_File" • "Other Syntaxfile" from "Data_File_Syntax" • "Other Text" from "Data_File_Text" • "Syntax Error" from "Data_File_Syntax" • "Too Big File" from "Data_File" • "Too Big Syntaxfile" from "Data_File_Syntax" • "Too Big Text" from "Data_File_Text" • "Transformation Not Supported" from "Fcn_Behaviour_Transformation" • "Wrong Semantic" from "Data_File_Syntax" • "Wrong Specification" from "Fcn_Specification" • "Wrong Transformation" from "Fcn_Behaviour_Transformation" • "Wrong Variant" from "Fcn_Variants"
• Occurrences: in Generate Word (docx) in Generate Tool Classification Report
• Error View: (figure not reproduced in this extract)
Table 191 Error: Document Generated Wrongly
• Error: Wrong TCL Computed
• Description: The TCL is computed wrongly, e.g. TCL 1 instead of TCL >1
• From feature: Compute Tool Confidence Level
• Subsumes:
• "Algorithm Error" from "Fcn_Algorithm"
• "Defect File" from "Data_File" • "Defect Text" from "Data_File_Text"
• "Empty File" from "Data_File" • "Empty Model" from "Data_File_Syntax_Model" • "Empty Syntaxfile" from "Data_File_Syntax" • "Empty Table" from "Data_File_Table" • "Empty Text" from "Data_File_Text" • "Line Missing" from "Data_File_Text" • "Model Unreadable" from "Data_File_Syntax_Model" • "No Interaction" from "Data_Interaction" • "Not Accessible File" from "Data_File" • "Not Accessible Model" from "Data_File_Syntax_Model" • "Not Accessible Syntaxfile" from "Data_File_Syntax" • "Not Accessible Table" from "Data_File_Table" • "Not Accessible Text" from "Data_File_Text" • "Other File" from "Data_File" • "Other Model" from "Data_File_Syntax_Model" • "Other Partner" from "Data_Interaction" • "Other Syntaxfile" from "Data_File_Syntax" • "Other Table" from "Data_File_Table" • "Other Text" from "Data_File_Text" • "Syntax Error" from "Data_File_Syntax" • "Table Column Error" from "Data_File_Table" • "Table Row Error" from "Data_File_Table" • "Too Big File" from "Data_File" • "Too Big Model" from "Data_File_Syntax_Model" • "Too Big Syntaxfile" from "Data_File_Syntax" • "Too Big Text" from "Data_File_Text" • "Too Early Data" from "Data_Interaction" • "Too Late Data" from "Data_Interaction" • "Wrong Algorithm" from "Fcn_Algorithm" • "Wrong Cell Data" from "Data_File_Table" • "Wrong Interaction" from "Data_Interaction" • "Wrong Model Behaviour" from "Data_File_Syntax_Model" • "Wrong Model Description" from "Data_File_Syntax_Model" • "Wrong Result" from "Fcn_Behaviour_Calculator" • "Wrong Semantic" from "Data_File_Syntax" • "Wrong Specification" from "Fcn_Specification" • "Wrong Variant" from "Fcn_Variants"
• Occurrences: in Compute Tool Confidence Level in Generate Tool Classification Report
• Error View: (figure not reproduced in this extract)
Table 192 Error: Wrong TCL Computed
1.9.7.5 TCL DETERMINATION FOR USE CASE: REVIEW MODEL
The use case "Review Model" has TCL 3. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "Review Model".
Error | TD | Table
Any EMF Error | TD 3 (LOW) | Table 194
Model Not Adequate | TD 1 (HIGH) | Table 195
Process Inconsistently Modelled | TD 1 (HIGH) | Table 196
Wrong Export | TD 3 (LOW) | Table 197
Wrong Import | TD 3 (LOW) | Table 198
Table 193 Errors of Use Case: Review Model
• Error: Any EMF Error
• Description: Any error that can occur in EMF (uncritical errors may be excluded)
• From feature: EMF
• Subsumes:
• "Algorithm Error" from "Fcn_Algorithm"
• "Defect File" from "Data_File" • "Defect Text" from "Data_File_Text" • "Empty File" from "Data_File" • "Empty Model" from "Data_File_Syntax_Model" • "Empty Text" from "Data_File_Text" • "Line Missing" from "Data_File_Text" • "Model Unreadable" from "Data_File_Syntax_Model" • "No Interaction" from "Data_Interaction" • "Not Accessible File" from "Data_File"
• "Not Accessible Model" from "Data_File_Syntax_Model" • "Not Accessible Text" from "Data_File_Text" • "Other File" from "Data_File" • "Other Model" from "Data_File_Syntax_Model" • "Other Partner" from "Data_Interaction" • "Other Text" from "Data_File_Text" • "Too Big File" from "Data_File" • "Too Big Model" from "Data_File_Syntax_Model" • "Too Big Text" from "Data_File_Text" • "Too Early Data" from "Data_Interaction" • "Too Late Data" from "Data_Interaction" • "Transformation Not Supported" from "Fcn_Behaviour_Transformation" • "Wrong Algorithm" from "Fcn_Algorithm" • "Wrong Behaviour" from "Fcn_Behaviour" • "Wrong Interaction" from "Data_Interaction" • "Wrong Model Behaviour" from "Data_File_Syntax_Model" • "Wrong Model Description" from "Data_File_Syntax_Model" • "Wrong Transformation" from "Fcn_Behaviour_Transformation" • "Wrong Variant" from "Fcn_Variants"
• Occurrences: in EMF in Review Model
• Error View: (figure not reproduced in this extract)
Table 194 Error: Any EMF Error
• Error: Model Not Adequate
• Description: An important issue has not been reviewed correctly, i.e. a finding has been overlooked and the model is not adequate.
• From use case: Review Model
• Discovered by the following checks: Safety Guidelines,SG_Use Review Checklist.Review Checklist
• Subsumes:
• "Defect File" from "Data_File"
• "Defect Text" from "Data_File_Text" • "Empty File" from "Data_File" • "Empty Model" from "Data_File_Syntax_Model" • "Empty Syntaxfile" from "Data_File_Syntax" • "Empty Table" from "Data_File_Table" • "Empty Text" from "Data_File_Text" • "Line Missing" from "Data_File_Text" • "Model Unreadable" from "Data_File_Syntax_Model" • "No Interaction" from "Data_Interaction" • "Not Accessible File" from "Data_File" • "Not Accessible Model" from "Data_File_Syntax_Model" • "Not Accessible Syntaxfile" from "Data_File_Syntax" • "Not Accessible Table" from "Data_File_Table" • "Not Accessible Text" from "Data_File_Text" • "Other File" from "Data_File" • "Other Model" from "Data_File_Syntax_Model" • "Other Partner" from "Data_Interaction" • "Other Syntaxfile" from "Data_File_Syntax" • "Other Table" from "Data_File_Table" • "Other Text" from "Data_File_Text" • "Syntax Error" from "Data_File_Syntax" • "Table Column Error" from "Data_File_Table" • "Table Row Error" from "Data_File_Table" • "Too Big File" from "Data_File" • "Too Big Model" from "Data_File_Syntax_Model" • "Too Big Syntaxfile" from "Data_File_Syntax" • "Too Big Text" from "Data_File_Text" • "Too Early Data" from "Data_Interaction" • "Too Late Data" from "Data_Interaction" • "Wrong Cell Data" from "Data_File_Table" • "Wrong Interaction" from "Data_Interaction" • "Wrong Model Behaviour" from "Data_File_Syntax_Model" • "Wrong Model Description" from "Data_File_Syntax_Model" • "Wrong Semantic" from "Data_File_Syntax"
• Occurrences: in Review Model
• Error View: (figure not reproduced in this extract)
Table 195 Error: Model Not Adequate
• Error: Process Inconsistently Modelled
• Description: The process might be inconsistent, e.g. a document is neither created nor written.
• From feature: Model Validation
• Subsumes:
• "Algorithm Error" from "Fcn_Algorithm"
• "Defect File" from "Data_File" • "Defect Text" from "Data_File_Text" • "Empty File" from "Data_File" • "Empty Text" from "Data_File_Text" • "Line Missing" from "Data_File_Text" • "No Interaction" from "Data_Interaction" • "Not Accessible File" from "Data_File" • "Not Accessible Text" from "Data_File_Text" • "Other File" from "Data_File" • "Other Partner" from "Data_Interaction" • "Other Text" from "Data_File_Text" • "Too Big File" from "Data_File" • "Too Big Text" from "Data_File_Text" • "Too Early Data" from "Data_Interaction" • "Too Late Data" from "Data_Interaction" • "Wrong Algorithm" from "Fcn_Algorithm" • "Wrong Behaviour" from "Fcn_Behaviour" • "Wrong Error Reported" from "Model Validation" • "Wrong Interaction" from "Data_Interaction" • "Wrong Specification" from "Fcn_Specification"
• Occurrences: in Model Validation in Review Model
• Avoided by the following restrictions: Validate Process.Consistent Process
• Error View: (figure not reproduced in this extract)
Table 196 Error: Process Inconsistently Modelled
• Error: Wrong Export
• Description: The Excel file does not contain the relevant information of the model.
• From feature: Excel Interface
• Subsumes:
• "Decoded Wongly" from "Fcn_Algorithm_DeEncode"
• "Defect File" from "Data_File" • "Empty File" from "Data_File" • "Empty Syntaxfile" from "Data_File_Syntax" • "Empty Table" from "Data_File_Table" • "Encoded Wrongly" from "Fcn_Algorithm_DeEncode" • "Not Accessible File" from "Data_File" • "Not Accessible Syntaxfile" from "Data_File_Syntax"
• "Not Accessible Table" from "Data_File_Table" • "Option Defect" from "Fcn_Variants_Options" • "Option Ignored" from "Fcn_Variants_Options" • "Other File" from "Data_File" • "Other Syntaxfile" from "Data_File_Syntax" • "Other Table" from "Data_File_Table" • "Syntax Error" from "Data_File_Syntax" • "Table Column Error" from "Data_File_Table" • "Table Row Error" from "Data_File_Table" • "Too Big File" from "Data_File" • "Too Big Syntaxfile" from "Data_File_Syntax" • "Transformation Not Supported" from "Fcn_Behaviour_Transformation" • "Wrong Behaviour" from "Fcn_Behaviour" • "Wrong Cell Data" from "Data_File_Table" • "Wrong Semantic" from "Data_File_Syntax" • "Wrong Transformation" from "Fcn_Behaviour_Transformation"
• • Occurrences: • • in Excel Interface in Review Model • • Avoided by the following restrictions: • • Safety Guidelines,SG_Avoid Feature.Avoid Features • • Error View: •
Table 197 Error: Wrong Export
• Error: Wrong Import • • Description: • • The model is created wrongly. • • From feature: • • Excel Interface • • Subsumes: • • "Defect File" from "Data_File"
• "Empty File" from "Data_File" • "Empty Model" from "Data_File_Syntax_Model"
• "Model Unreadable" from "Data_File_Syntax_Model" • "Not Accessible File" from "Data_File" • "Not Accessible Model" from "Data_File_Syntax_Model" • "Option Defect" from "Fcn_Variants_Options" • "Option Ignored" from "Fcn_Variants_Options" • "Other File" from "Data_File" • "Other Model" from "Data_File_Syntax_Model" • "Too Big File" from "Data_File" • "Too Big Model" from "Data_File_Syntax_Model" • "Wrong Model Behaviour" from "Data_File_Syntax_Model" • "Wrong Model Description" from "Data_File_Syntax_Model"
• • Occurrences: • • in Excel Interface in Review Model • • Avoided by the following restrictions: • • Safety Guidelines,SG_Avoid Feature.Avoid Features • • Error View: •
Table 198 Error: Wrong Import
1.10 YICES SMT SOLVER
This section explains the determination of the Tool Confidence Level (TCL) for the tool YICES SMT Solver. • Tool: YICES SMT Solver • • Description: • • -None- • • Impact: • • TI 2 (Impact) • • Tool Confidence Level: • • TCL 1
Table 199 Tool: YICES SMT Solver
The tool YICES SMT Solver is modelled with no element that has an impact. No additional features have been modelled.
Elements | Amount (Assumptions)
Use Cases | 0 (0)
Checks | 0 (0)
Restrictions | 0 (0)
Potential Errors | 0 (0)
Table 200 Amount of Elements in Tool: YICES SMT Solver
1.10.1 USE CASES OF YICES SMT SOLVER
There are no use cases modeled for YICES SMT Solver.
1.10.2 FEATURES OF YICES SMT SOLVER
There are no features modeled for YICES SMT Solver.
1.10.3 POTENTIAL ERRORS IN YICES SMT SOLVER
The tool has no potential errors. The error flow consists of all relations from errors to checks or restrictions. There is
• no relation from errors caused by other tools to checks or restrictions defined for use cases of this tool.
• no relation from errors caused by this tool to checks or restrictions defined for use cases of this tool.
• no relation from errors caused by this tool to checks or restrictions defined for use cases of other tools.
1.10.4 RESTRICTIONS IN YICES SMT SOLVER
There are no restrictions in the tool YICES SMT Solver.
1.10.5 CHECKS IN YICES SMT SOLVER
No checks are performed in the tool YICES SMT Solver.
1.10.6 ASSUMPTIONS
The determination of the TCL of YICES SMT Solver is not based on assumed checks and restrictions. None of the checks and restrictions are modeled as assumptions.
1.10.7 TCL DETERMINATION
This section determines a TCL for each use case by assigning to each potential error the checks or restrictions, with their detection or avoidance probability, that address it. The TCL for the entire tool is derived from the TCLs of its use cases. The tool YICES SMT Solver has no use case with TCL 1, no use case with TCL 2 and no use case with TCL 3; therefore the tool YICES SMT Solver has TCL 1. This result follows from the absence of modelled use cases and potential errors, not from any check or restriction: the tool is rated TI 2, so if use cases with potential errors are added to the model, the TCL must be re-derived from their checks and restrictions.
There are no use cases modeled for the tool YICES SMT Solver
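The determination rule above is mechanical enough to state as a program. The following Python listing is an added illustration; it is not code from the Tool Chain Analyzer or from the RECOMP deliverable. It encodes the ISO 26262-8 mapping from Tool Impact (TI) and detection probability (TD) to a TCL, rates each use case by its worst-covered potential error, takes the worst use case as the tool TCL, and reproduces the "no use case, therefore TCL 1" outcome reported for YICES SMT Solver. The "with assumptions" switch mirrors the "With Assumptions" report setting, interpreted here as whether checks and restrictions marked as assumptions count. The sample tool, its use cases, errors, checks and their TD values are constructed for the example, and the convention that an error with no check or restriction counts as TD 3 is likewise an assumption of the example.

```python
"""TCL determination per ISO 26262-8 (added example; not the analyzer's code)."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Measure:
    """A check (detects an error) or a restriction (avoids it)."""
    name: str
    td: int                      # 1 = HIGH, 2 = MEDIUM, 3 = LOW detection/avoidance probability
    is_assumption: bool = False  # enforced by the process, not demonstrated in the tool


@dataclass
class PotentialError:
    name: str
    measures: List[Measure] = field(default_factory=list)


@dataclass
class UseCase:
    name: str
    errors: List[PotentialError] = field(default_factory=list)


def tcl_from_ti_td(ti: int, td: int) -> int:
    """ISO 26262-8 Table 4: TI1 always gives TCL1; TI2 maps TD1/TD2/TD3 to TCL1/TCL2/TCL3."""
    if ti not in (1, 2) or td not in (1, 2, 3):
        raise ValueError("TI must be 1 or 2 and TD must be 1, 2 or 3")
    return 1 if ti == 1 else td


def error_td(err: PotentialError, with_assumptions: bool) -> int:
    """Best TD among the measures addressing this error. Convention assumed here:
    an error that nothing detects or avoids counts as TD3 (LOW)."""
    usable = [m for m in err.measures if with_assumptions or not m.is_assumption]
    return min((m.td for m in usable), default=3)


def use_case_tcl(uc: UseCase, ti: int, with_assumptions: bool = True) -> int:
    """A use case is rated by its worst-covered potential error."""
    worst_td = max((error_td(e, with_assumptions) for e in uc.errors), default=1)
    return tcl_from_ti_td(ti, worst_td)


def tool_tcl(use_cases: List[UseCase], ti: int, with_assumptions: bool = True) -> Dict:
    """Tool TCL is the worst use-case TCL. With no modelled use cases the result
    is TCL1, which is what the report states for YICES SMT Solver."""
    per_uc = {uc.name: use_case_tcl(uc, ti, with_assumptions) for uc in use_cases}
    counts = {lvl: sum(1 for v in per_uc.values() if v == lvl) for lvl in (1, 2, 3)}
    return {"per_use_case": per_uc, "counts": counts, "tcl": max(per_uc.values(), default=1)}


# Constructed sample in the layout of the report; names and TD values are assumed.
ASSERTION_CHECK = Measure("Assertion Check", td=1, is_assumption=True)
CONSISTENT_PROCESS = Measure("Validate Process.Consistent Process", td=2)

SAMPLE_TOOL = [
    UseCase("Review Model", [
        PotentialError("Process Inconsistently Modelled", [CONSISTENT_PROCESS]),
        PotentialError("Wrong Export"),            # nothing detects or avoids it
    ]),
    UseCase("Unit Test", [
        PotentialError("Algorithm Error", [ASSERTION_CHECK]),
    ]),
]

if __name__ == "__main__":
    print("no use cases (YICES SMT Solver):", tool_tcl([], ti=2))
    print("sample tool, with assumptions:   ", tool_tcl(SAMPLE_TOOL, ti=2))
    print("sample tool, assumptions ignored:", tool_tcl(SAMPLE_TOOL, ti=2, with_assumptions=False))
```

Running the listing prints the three determinations. A single uncovered error drags its whole use case to TCL 3, and ignoring assumed checks changes the result for the Unit Test use case from TCL 1 to TCL 3; this is why the report lists assumptions separately and states that a violated assumption invalidates the calculated TCL.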
1.11 ADDITIONAL INFORMATION
This section contains additional information from the formal model of the tool chain. This information is not required by ISO 26262 for the determination of the TCL, but it eases the modelling process and the understanding of the error flow.
1.11.1 ARTIFACTS
The analysis incorporates artifacts for the validation of the model. If an error raised in one tool is checked by another tool, there must be an information flow between them. Artifacts model this flow, and the analysis checks whether such a flow exists between each error source and its error sink. Fig 37 shows the whole artifact flow in "RECOMP Tool Chain".
Fig 37 Artifact Flow in RECOMP Tool Chain
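The flow check described in this subsection can be stated as a reachability problem over the artifact tables that follow: the creators and modifiers of an artifact can pass information to its users, and an error raised in one tool can only be caught by a check in another tool if a chain of such artifacts connects them. The following Python listing is an added illustration, not code from the Tool Chain Analyzer. Its artifact table is a constructed subset of the tables in this section with feature-level entries collapsed to their tool, and the three error flows it validates are made up for the example.

```python
"""Artifact-flow check between error sources and error sinks (added example)."""
from collections import deque
from typing import Dict, List, Optional, Set, Tuple

# Constructed from a subset of the artifact tables in this section, with feature-level
# entries collapsed to their tool; not the analyzer's data model.
ARTIFACTS = {
    "Detailed System Architecture": {
        "producers": ["Medini"],
        "consumers": ["GEMDE Certification", "Tecnalia Assurance Case Editor"]},
    "FHA": {
        "producers": ["Medini"],
        "consumers": ["GEMDE Certification", "Tecnalia Assurance Case Editor"]},
    "Source Code": {
        "producers": ["Simulink"],
        "consumers": ["Tecnalia Assurance Case Editor"]},
    "Safety Case": {
        "producers": ["Tecnalia Assurance Case Editor"],
        "consumers": ["GEMDE Certification"]},
    "Excel File": {
        "producers": ["Tool Chain Analyzer"],
        "consumers": ["Tecnalia Assurance Case Editor"]},
    "Application task graph": {"producers": [], "consumers": []},  # modelled, unconnected
}


def build_flow_graph(artifacts: Dict[str, Dict[str, List[str]]]) -> Dict[str, Set[str]]:
    """Tool-to-tool edges: a producer of an artifact can pass information to each consumer."""
    graph: Dict[str, Set[str]] = {}
    for art in artifacts.values():
        for producer in art["producers"]:
            graph.setdefault(producer, set()).update(art["consumers"])
        for consumer in art["consumers"]:
            graph.setdefault(consumer, set())
    return graph


def flow_path(graph: Dict[str, Set[str]], source: str, sink: str) -> Optional[List[str]]:
    """Breadth-first search; returns the tool sequence from source to sink, or None."""
    if source not in graph:
        return None
    prev: Dict[str, Optional[str]] = {source: None}
    queue = deque([source])
    while queue:
        cur = queue.popleft()
        if cur == sink:
            path: List[str] = []
            node: Optional[str] = cur
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in sorted(graph.get(cur, ())):
            if nxt not in prev:
                prev[nxt] = cur
                queue.append(nxt)
    return None


def validate_error_flows(graph: Dict[str, Set[str]],
                         flows: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """flows are (error, tool raising it, tool whose check claims to detect it).
    Returns the flows with no artifact path, i.e. checks that can never observe the error."""
    return [f for f in flows if flow_path(graph, f[1], f[2]) is None]


# Constructed error flows to validate (error names follow the report's style).
FLOWS = [
    ("Wrong Model Description", "Medini", "Tecnalia Assurance Case Editor"),
    ("Wrong Transformation", "Simulink", "GEMDE Certification"),
    ("Wrong Import", "GEMDE Certification", "Medini"),
]

if __name__ == "__main__":
    g = build_flow_graph(ARTIFACTS)
    for flow in FLOWS:
        print(flow, "->", flow_path(g, flow[1], flow[2]))
    print("unsupported flows:", validate_error_flows(g, FLOWS))
```

The last flow is reported as unsupported: GEMDE Certification produces nothing that Medini consumes, so a Medini check cannot observe an error made in GEMDE Certification. In the report such a case appears as a relation from an error to a check with no supporting artifact flow, which is exactly what the model validation is meant to surface.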
The tool chain "RECOMP Tool Chain" uses 64 artifacts, which are described hereafter. • Artifact: AF3 System Model • • Description: • • The integrated data model of AF3 • • Hierarchy figure:
• • • Hierarchy : • • Detailed System Architecture [Parent]
• Preliminary System Architecture [Parent] • Requirement Specification [Parent] • Schedule [Parent] • Software Unit Design Specification [Parent] • Spatial Constraints [Parent] • Test Cases [Parent] • Test Specification [Parent] • Timing Parameters [Parent]
• • Is a: • • Detailed System Architecture
Table 201 Artifact: AF3 System Model
• Artifact: Application task graph • • Description: • • The task graph for each application
Table 202 Artifact: Application task graph
• Artifact: Argumentation • • Description: • • The user writes arguments as input to the tool • • Used by tool: • • Tecnalia Assurance Case Editor
Table 203 Artifact: Argumentation
• Artifact: Binary executable • • Description: • • Target binary executable • • Hierarchy figure: •
• • • Hierarchy : • • Evidence [Parent] • • Used by tool: • • Tecnalia Assurance Case Editor • • Is a: • • Evidence
Table 204 Artifact: Binary executable
• Artifact: C/C++ Source Code • • Description: • • C or C++ • • Hierarchy figure: •
• • • Hierarchy : • • Source Code [Parent] • • Used by tool: • • Tecnalia Assurance Case Editor • • Created by use case: • • Development,Create Code • • Is a: • • Source Code
Table 205 Artifact: C/C++ Source Code
• Artifact: Cache-Related Preemption Cost Function • • Description: • • For any duration t, the function gives the maximum delay that the given task can incur when preempted for the first time after t time units. Formally, a function CRPD(t) which returns, for any duration t > 0, the maximum delay that the given application can incur if it is preempted after running non-preemptively for t time units from the beginning of its execution.
Table 206 Artifact: Cache-Related Preemption Cost Function
• Artifact: Contract • • Description: • • -None- • • Created by use case: • • Simulink,Modelling
Table 207 Artifact: Contract
• Artifact: contract • • Description: • • -None- • • Used by use case: • • Simulink,Contracts to assertions • • Created by use case: • • Simulink,Modelling • • Created by tool: • • Simulink
Table 208 Artifact: contract
• Artifact: Deployment • • Description: • • generated deployment
Table 209 Artifact: Deployment
• Artifact: Detailed System Architecture • • Description: • • Contain all the parameters and specifications of the platform • • Hierarchy figure: •
• • • Hierarchy : • • AF3 System Model [Child]
• Evidence [Parent] • • Used by use case: • • GEMDE Certification,Technical view • • Used by tool: • • GEMDE Certification
• Tecnalia Assurance Case Editor • • Created by use case: • • Medini,Detailed architecture definition • • Created by tool: • • Medini • • Modified by use case: • • Medini,Detailed architecture definition • • Modified by tool: • • Medini • • Is a: • • Evidence • • Occurrences: • • AF3 System Model
Table 210 Artifact: Detailed System Architecture
• Artifact: Display Output
• • Description: • • The tool displays some information to the user • • Created by feature: • • Tool Chain Analyzer,Compute Tool Confidence Level
• Tool Chain Analyzer,Cost Model • Tool Chain Analyzer,EMF • Tool Chain Analyzer,Model Validation
Table 211 Artifact: Display Output
• Artifact: Evidence • • Description: • • Anything that can be considered as a certification evidence • • Hierarchy figure:
• • Hierarchy : • • Binary executable [Child]
• Detailed System Architecture [Child] • Excel File [Child] • FHA [Child] • FMEA [Child] • FTA [Child] • Failure rate catalog [Child] • Functionalities [Child] • Malfunctions [Child] • Metrics [Child] • Overall Project Plan [Child] • Preliminary System Architecture [Child] • Report on Maximum CRPDs [Child] • Report on Schedulability (1 mode) [Child] • Report on Schedulability (all) [Child] • Review Protocol [Child] • SLDV verification report [Child] • Safety Goals List [Child] • Safety Manual [Child] • Safety Plan [Child] • Safety Requirements [Child] • Software Unit Design Specification [Child] • Source Code [Child] • TBT Data Model [Child] • TCA-Model [Child] • Test Cases [Child] • Test Specification [Child] • Tool Evaluation Report [Child] • WCET [Child] • WCRT [Child] • Word Document [Child]
• • Used by use case: • • GEMDE Certification,Technical view • • Occurrences: • • Binary executable
• Detailed System Architecture • Excel File • FHA • FMEA • FTA • Failure rate catalog • Functionalities • Malfunctions • Metrics • Overall Project Plan • Preliminary System Architecture
• Report on Maximum CRPDs • Report on Schedulability (1 mode) • Report on Schedulability (all) • Review Protocol • SLDV verification report • Safety Goals List • Safety Manual • Safety Plan • Safety Requirements • Software Unit Design Specification • Source Code • TBT Data Model • TCA-Model • Test Cases • Test Specification • Tool Evaluation Report • WCET • WCRT • Word Document
Table 212 Artifact: Evidence
• Artifact: Excel File • • Description: • • The files that can be read/written from the Excel tool • • Hierarchy figure: •
• • • Hierarchy : • • Evidence [Parent] • • Used by tool: • • Tecnalia Assurance Case Editor • • Created by feature: • • Tool Chain Analyzer,Compute Tool Confidence Level • • Modified by feature: • • Tool Chain Analyzer,Cost Model
• Tool Chain Analyzer,Excel Interface • • Is a: • • Evidence
Table 213 Artifact: Excel File
• Artifact: Execution Graph • • Description: • • -None-
Table 214 Artifact: Execution Graph
• Artifact: Failure rate catalog • • Description: • • Failure rate catalog • • Hierarchy figure: •
• • • Hierarchy : • • Evidence [Parent] • • Used by use case: • • GEMDE Certification,Technical view • • Used by tool: • • Medini
• Tecnalia Assurance Case Editor • • Is a: • • Evidence
Table 215 Artifact: Failure rate catalog
• Artifact: FHA • • Description: • • FHA • • Hierarchy figure: •
• • • Hierarchy : • • Evidence [Parent] • • Used by use case: • • GEMDE Certification,Technical view • • Used by tool: • • GEMDE Certification
• Medini • Tecnalia Assurance Case Editor
• • Created by use case: • • Medini,FHA Generation • • Created by tool: • • Medini • • Modified by use case: • • Medini,FHA Generation • • Modified by tool: • • Medini • • Is a: • • Evidence
Table 216 Artifact: FHA
• Artifact: FMEA • • Description:
• • FMEA • • Hierarchy figure: •
• • • Hierarchy : • • Evidence [Parent] • • Used by use case: • • GEMDE Certification,Technical view • • Used by tool: • • Tecnalia Assurance Case Editor • • Created by tool: • • Medini • • Is a: • • Evidence
Table 217 Artifact: FMEA
• Artifact: FTA • • Description: • • FTA • • Hierarchy figure: •
• • • Hierarchy : • • Evidence [Parent] • • Used by use case: • • GEMDE Certification,Technical view • • Used by tool: • • Tecnalia Assurance Case Editor • • Created by tool: • • Medini • • Is a: • • Evidence
Table 218 Artifact: FTA
• Artifact: Functionalities • • Description: • • Functionalities • • Hierarchy figure: •
• • • Hierarchy : • • Evidence [Parent] • • Used by use case: • • GEMDE Certification,Technical view
• • Used by tool: • • Medini
• Tecnalia Assurance Case Editor • • Is a: • • Evidence
Table 219 Artifact: Functionalities
• Artifact: Malfunctions • • Description: • • Malfunctions • • Hierarchy figure: •
• • • Hierarchy : • • Evidence [Parent] • • Used by use case: • • GEMDE Certification,Technical view • • Used by tool: • • Medini
• Tecnalia Assurance Case Editor • • Is a: • • Evidence
Table 220 Artifact: Malfunctions
• Artifact: Mapping of tasks to processing elements • • Description: • • The mapping of tasks to processing elements
Table 221 Artifact: Mapping of tasks to processing elements
• Artifact: Metrics • • Description: • • The metric information that describes how far a test covers its requirements. • • Hierarchy figure: •
• • • Hierarchy : • • Evidence [Parent] • • Used by tool: • • Tecnalia Assurance Case Editor • • Is a: • • Evidence
Table 222 Artifact: Metrics
• Artifact: Model
• • Description: • • The tool chain model • • Used by feature: • • Tool Chain Analyzer,Generate Word (docx)
• Tool Chain Analyzer,Model Validation • • Modified by feature: • • Tool Chain Analyzer,Compute Tool Confidence Level
• Tool Chain Analyzer,Cost Model • Tool Chain Analyzer,EMF • Tool Chain Analyzer,Excel Interface • Tool Chain Analyzer,Xml Interface
Table 223 Artifact: Model
• Artifact: No-Conformity metrics • • Description: • • List of all non-conformities of a project for a standard; specifies the number of steps needed to be conformant to the standard • • Used by use case: • • GEMDE Certification,Technical view • • Created by use case: • • GEMDE Certification,Assessment view
Table 224 Artifact: No-Conformity metrics
• Artifact: Overall Project Plan • • Description: • • see sections 2.6.5.2, 4.5.5.1 • • Hierarchy figure: •
• • • Hierarchy : • • Evidence [Parent] • • Used by use case: • • Tool Chain Analyzer,Create Model
• Tool Chain Analyzer,Determinate Tool Confidence Level • Tool Chain Analyzer,Generate Tool Classification Report • Tool Chain Analyzer,Review Model
• • Used by tool: • • Tecnalia Assurance Case Editor • • Modified by use case: • • Process Checker,Validate Process • • Is a: • • Evidence
Table 225 Artifact: Overall Project Plan
• Artifact: Partition Static Schedule
• • Description: • • The partitions' static schedule, for each processing element
Table 226 Artifact: Partition Static Schedule
• Artifact: Per Core Request Estimator Function • • Description: • • For any duration t, the function gives the maximum number of requests that can be issued from the given core in a time interval of length t. Formally, a function PCRE(t) which returns, for any duration t > 0, the maximum number of requests that can be issued from the given core within t time units
Table 227 Artifact: Per Core Request Estimator Function
• Artifact: Preliminary System Architecture • • Description: • • Malfunctions • • Hierarchy figure: •
• • • Hierarchy : • • AF3 System Model [Child]
• Evidence [Parent] • • Used by use case: • • GEMDE Certification,Technical view • • Used by tool: • • Medini
• Tecnalia Assurance Case Editor • • Is a: • • Evidence • • Occurrences: • • AF3 System Model
Table 228 Artifact: Preliminary System Architecture
• Artifact: ProjectModel • • Description: • • Certification objectives that apply to the project, and the evidence and justification that support them • • Used by use case: • • GEMDE Certification,Assessment view • • Used by tool: • • GEMDE Certification • • Created by use case: • • GEMDE Certification,Technical view • • Created by tool: • • GEMDE Certification • • Modified by tool: • • GEMDE Certification
Table 229 Artifact: ProjectModel
• Artifact: ReferenceModel • • Description: • • Standards, normatives... model • • Used by use case: • • GEMDE Certification,Assessment view
• GEMDE Certification,Technical view • • Used by tool: • • GEMDE Certification • • Created by use case: • • GEMDE Certification,Quality view • • Created by tool: • • GEMDE Certification • • Modified by use case: • • GEMDE Certification,Quality view • • Modified by tool: • • GEMDE Certification
Table 230 Artifact: ReferenceModel
• Artifact: Report on Maximum CRPDs • • Description: • • Report on the maximum Cache-Related Preemption Delay (CRPD) that tasks can incur • • Hierarchy figure: •
• • • Hierarchy : • • Evidence [Parent] • • Used by tool: • • Tecnalia Assurance Case Editor • • Is a: • • Evidence
Table 231 Artifact: Report on Maximum CRPDs
• Artifact: Report on Schedulability (1 mode) • • Description: • • Attest the schedulability of a single mode of the application system • • Hierarchy figure: •
• • • Hierarchy : • • Evidence [Parent] • • Used by tool: • • Tecnalia Assurance Case Editor • • Is a:
• • Evidence
Table 232 Artifact: Report on Schedulability (1 mode)
• Artifact: Report on Schedulability (all) • • Description: • • Attest the schedulability of the application system • • Hierarchy figure: •
• • • Hierarchy : • • Evidence [Parent] • • Used by tool: • • Tecnalia Assurance Case Editor • • Is a: • • Evidence
Table 233 Artifact: Report on Schedulability (all)
• Artifact: Requirement Specification • • Description: • • -None- • • Hierarchy figure: •
• • • Hierarchy : • • AF3 System Model [Child] • • Occurrences: • • AF3 System Model
Table 234 Artifact: Requirement Specification
• Artifact: Review Protocol • • Description: • • The protocol of the review • • Hierarchy figure: •
• • • Hierarchy : • • Evidence [Parent] • • Used by tool: • • Tecnalia Assurance Case Editor • • Created by use case: • • Tool Chain Analyzer,Review Model • • Is a: • • Evidence
Table 235 Artifact: Review Protocol
• Artifact: Safety Case • • Description: • • Graphical (GSN notation) safety case • • Used by use case: • • GEMDE Certification,Technical view
• Tecnalia Assurance Case Editor,Assurance Case edition • • Used by tool: • • GEMDE Certification
• Tecnalia Assurance Case Editor • • Created by use case: • • Tecnalia Assurance Case Editor,Assurance Case edition • • Created by tool: • • Tecnalia Assurance Case Editor • • Modified by use case: • • Tecnalia Assurance Case Editor,Assurance Case edition
Table 236 Artifact: Safety Case
• Artifact: Safety Goals List • • Description: • • Safety Goals List • • Hierarchy figure: •
• • • Hierarchy : • • Evidence [Parent] • • Used by use case: • • GEMDE Certification,Technical view • • Used by tool: • • Tecnalia Assurance Case Editor • • Created by tool: • • Medini • • Is a: • • Evidence
Table 237 Artifact: Safety Goals List
• Artifact: Safety Manual • • Description: • • The safety manual of the tool contains the relevant information to work safely with the tool • • Hierarchy figure: •
• • • Hierarchy :
• • Evidence [Parent] • • Used by tool: • • Tecnalia Assurance Case Editor • • Created by use case: • • Tool Chain Analyzer,Determinate Tool Confidence Level • • Modified by use case: • • Tool Chain Analyzer,Generate Tool Classification Report
• Tool Chain Analyzer,Review Model • • Is a: • • Evidence
Table 238 Artifact: Safety Manual
• Artifact: Safety Plan • • Description: • • see sections 2.6.5.1, 4.5.5.2, 6.5.5.1, 6.7.5.2 • • Hierarchy figure: •
• • • Hierarchy : • • Evidence [Parent] • • Used by use case: • • Tool Chain Analyzer,Create Model
• Tool Chain Analyzer,Determinate Tool Confidence Level • Tool Chain Analyzer,Review Model
• • Used by tool: • • Tecnalia Assurance Case Editor • • Modified by use case: • • Process Checker,Validate Process • • Is a: • • Evidence
Table 239 Artifact: Safety Plan
• Artifact: Safety Requirements • • Description: • • System Requirements Specification related to safety • • Hierarchy figure: •
• • • Hierarchy : • • Evidence [Parent] • • Used by use case: • • GEMDE Certification,Technical view
• Simulink,Modelling Requirements • • Used by tool: • • Tecnalia Assurance Case Editor
• • Created by tool: • • Medini • • Is a: • • Evidence
Table 240 Artifact: Safety Requirements
• Artifact: Schedule • • Description: • • (Optimized Shared Memory Access) • • Hierarchy figure: •
• • • Hierarchy : • • AF3 System Model [Child] • • Occurrences: • • AF3 System Model
Table 241 Artifact: Schedule
• Artifact: Simulink Model • • Description: • • Simulink Model • • Hierarchy figure: •
• • • Hierarchy : • • Software Unit Design Specification [Parent] • • Used by use case: • • Simulink,Code generation • • Used by tool: • • Tecnalia Assurance Case Editor • • Created by use case: • • Simulink,Modelling
• Simulink,Modelling Requirements • • Created by tool: • • Simulink • • Is a: • • Software Unit Design Specification
Table 242 Artifact: Simulink Model
• Artifact: Simulink model • • Description: • • -None- • • Created by use case: • • Simulink,Modelling • • Created by tool:
• • Simulink
Table 243 Artifact: Simulink model
• Artifact: SLDV verification report • • Description: • • -None- • • Hierarchy figure: •
• • • Hierarchy : • • Evidence [Parent] • • Used by tool: • • Tecnalia Assurance Case Editor • • Is a: • • Evidence
Table 244 Artifact: SLDV verification report
• Artifact: Software Unit Design Specification • • Description: • • see section 6.8.5.1 • • Hierarchy figure: •
• • • Hierarchy : • • AF3 System Model [Child]
• Evidence [Parent] • Simulink Model [Child]
• • Used by tool: • • Tecnalia Assurance Case Editor • • Is a: • • Evidence • • Occurrences: • • AF3 System Model
• Simulink Model
Table 245 Artifact: Software Unit Design Specification
• Artifact: Source Code • • Description: • • Different programming languages • • Hierarchy figure:
• • • Hierarchy : • • C/C++ Source Code [Child]
• Evidence [Parent] • Timing Parameters [Child]
• • Used by tool: • • Tecnalia Assurance Case Editor • • Created by use case: • • Simulink,Code generation • • Created by tool: • • Simulink • • Is a: • • Evidence • • Occurrences: • • C/C++ Source Code
• Timing Parameters
Table 246 Artifact: Source Code
• Artifact: Spatial Constraints • • Description: • • -None- • • Hierarchy figure: •
• • • Hierarchy : • • AF3 System Model [Child] • • Occurrences: • • AF3 System Model
Table 247 Artifact: Spatial Constraints
• Artifact: StandardsRegulation • • Description: • • Standards, Normatives,... documentation • • Used by use case: • • GEMDE Certification,Quality view
Table 248 Artifact: StandardsRegulation
• Artifact: System Models (Event-B) • • Description: • • Models specifying / expressing (with events and invariants) the system requirements
Table 249 Artifact: System Models (Event-B)
• Artifact: TBT Data Model • • Description: • • The model describing the data element in the model and the system • • Hierarchy figure: •
• • • Hierarchy : • • Evidence [Parent] • • Used by tool: • • Tecnalia Assurance Case Editor • • Is a: • • Evidence
Table 250 Artifact: TBT Data Model
• Artifact: TBT Oracle Model • • Description: • • The model describing the behaviour of the system
Table 251 Artifact: TBT Oracle Model
• Artifact: TBT Tactic • • Description: • • A formalized strategy describing the search in the model to derive test cases
Table 252 Artifact: TBT Tactic
• Artifact: TCA-Model • • Description: • • The tool chain model • • Hierarchy figure: •
• • • Hierarchy : • • Evidence [Parent] • • Used by tool: • • Tecnalia Assurance Case Editor • • Is a: • • Evidence
Table 253 Artifact: TCA-Model
• Artifact: Test Cases • • Description: • • The executable test cases implementing the test specification • • Hierarchy figure:
• • • Hierarchy : • • AF3 System Model [Child]
• Evidence [Parent] • • Used by tool: • • Tecnalia Assurance Case Editor • • Is a: • • Evidence • • Occurrences: • • AF3 System Model
Table 254 Artifact: Test Cases
• Artifact: Test Specification • • Description: • • The textual specification of the tests • • Hierarchy figure: •
• • • Hierarchy : • • AF3 System Model [Child]
• Evidence [Parent] • • Used by tool: • • Tecnalia Assurance Case Editor • • Is a: • • Evidence • • Occurrences: • • AF3 System Model
Table 255 Artifact: Test Specification
• Artifact: Timing Parameters • • Description: • • Contain all the parameters concerning the application • • Hierarchy figure: •
• • • Hierarchy : • • AF3 System Model [Child]
• Source Code [Parent] • • Used by tool: • • Tecnalia Assurance Case Editor • • Is a: • • Source Code • • Occurrences:
• • AF3 System Model
Table 256 Artifact: Timing Parameters
• Artifact: Tool Evaluation Report • • Description: • • Contains the evaluation/classification of the tools • • Hierarchy figure: •
• • • Hierarchy : • • Evidence [Parent] • • Used by tool: • • Tecnalia Assurance Case Editor • • Created by use case: • • Tool Chain Analyzer,Determinate Tool Confidence Level
• Tool Chain Analyzer,Generate Tool Classification Report • • Is a: • • Evidence
Table 257 Artifact: Tool Evaluation Report
• Artifact: User Input • • Description: • • The user writes input to the tool • • Used by feature: • • Tool Chain Analyzer,Compute Tool Confidence Level
• Tool Chain Analyzer,Cost Model • Tool Chain Analyzer,EMF • Tool Chain Analyzer,Excel Interface • Tool Chain Analyzer,Generate Word (docx) • Tool Chain Analyzer,Model Validation • Tool Chain Analyzer,Xml Interface
• • Used by tool: • • Tecnalia Assurance Case Editor
Table 258 Artifact: User Input
• Artifact: Verification Verdict • • Description: • • The verdict of a verification step (valid/invalid) and a counter example
Table 259 Artifact: Verification Verdict
• Artifact: Verified System Models (Event-B) • • Description: • • Specified and verified system models at different levels of abstraction
Table 260 Artifact: Verified System Models (Event-B)
• Artifact: VerSÅA verification report • • Description: • • -None-
Table 261 Artifact: VerSÅA verification report
• Artifact: WCET • • Description: • • Worst case execution time estimation for each task • • Hierarchy figure: •
• • • Hierarchy : • • Evidence [Parent] • • Used by tool: • • Tecnalia Assurance Case Editor • • Is a: • • Evidence
Table 262 Artifact: WCET
• Artifact: WCRT • • Description: • • Worst-case response time for a task • • Hierarchy figure: •
• • • Hierarchy : • • Evidence [Parent] • • Used by tool: • • Tecnalia Assurance Case Editor • • Is a: • • Evidence
Table 263 Artifact: WCRT
• Artifact: Word Document • • Description: • • The files that can be read/written from Word • • Hierarchy figure: •
• • • Hierarchy : • • Evidence [Parent] • • Used by tool: • • Tecnalia Assurance Case Editor
• • Created by feature: • • Tool Chain Analyzer,Compute Tool Confidence Level
• Tool Chain Analyzer,Generate Word (docx) • • Is a: • • Evidence
Table 264 Artifact: Word Document
1.11.2 ERROR MODEL FOR THE RECOMP TOOL CHAIN TOOL CHAIN
The error model consists of general attributes that are mapped to the used tools or use cases. Each mapped element receives its own copy of the errors listed for the attribute. The following sections describe all attributes, errors, checks and restrictions used.
1.11.2.1 TOOL ATTRIBUTE DESCRIPTIONS
The following 9 general tool attributes have been used in the analysis of the "RECOMP Tool Chain". • Tool Attribute: Fcn_Algorithm • • Description: • • The function is implemented by an algorithm • • Assigned to the following features: • • Tool Chain Analyzer,Compute Tool Confidence Level
• Tool Chain Analyzer,EMF • Tool Chain Analyzer,Model Validation
• • Contains the following potential errors: • • Algorithm Error
• Wrong Algorithm
Table 265 Tool Attribute: Fcn_Algorithm
• Tool Attribute: Fcn_Algorithm_DeEncode • • Description: • • encoding and decoding algorithms are used • • Assigned to the following features: • • Tool Chain Analyzer,Excel Interface • • Contains the following potential errors: • • Decoded Wongly
• Encoded Wrongly
Table 266 Tool Attribute: Fcn_Algorithm_DeEncode
• Tool Attribute: Fcn_Behaviour • • Description: • • The behaviour of the function • • Assigned to the following features: • • Tool Chain Analyzer,EMF
• Tool Chain Analyzer,Excel Interface • Tool Chain Analyzer,Model Validation
• • Contains the following potential errors: • • Wrong Behaviour
Table 267 Tool Attribute: Fcn_Behaviour
• Tool Attribute: Fcn_Behaviour_Calculator • • Description: • • The tool does an Excel-like computation with simple arithmetic, e.g. computing the sum of numbers in a row • • Assigned to the following features: • • Tool Chain Analyzer,Compute Tool Confidence Level • • Contains the following potential errors: • • Wrong Result
Table 268 Tool Attribute: Fcn_Behaviour_Calculator
• Tool Attribute: Fcn_Behaviour_Transformation • • Description: • • The tool transforms information into other representations, e.g. a compiler • • Assigned to the following features: • • Tool Chain Analyzer,EMF
• Tool Chain Analyzer,Excel Interface • Tool Chain Analyzer,Generate Word (docx)
• • Contains the following potential errors: • • Transformation Not Supported
• Wrong Transformation
Table 269 Tool Attribute: Fcn_Behaviour_Transformation
• Tool Attribute: Fcn_Resource_CPU • • Description: • • The function requires CPU resources such as RAM, ROM or CPU time, which might not be available • • Assigned to the following features: • • Tool Chain Analyzer,Generate Word (docx) • • Contains the following potential errors: • • Missing CPU
Table 270 Tool Attribute: Fcn_Resource_CPU
• Tool Attribute: Fcn_Specification • • Description: • • The specification/documentation of the function • • Assigned to the following features: • • Tool Chain Analyzer,Compute Tool Confidence Level
• Tool Chain Analyzer,Generate Word (docx) • Tool Chain Analyzer,Model Validation
• • Contains the following potential errors: • • Wrong Specification
Table 271 Tool Attribute: Fcn_Specification
• Tool Attribute: Fcn_Variants • • Description: • • The function can be computed with different variants • • Assigned to the following features: • • Tool Chain Analyzer,Compute Tool Confidence Level
• Tool Chain Analyzer,EMF • Tool Chain Analyzer,Generate Word (docx)
• • Contains the following potential errors: • • Wrong Variant
Table 272 Tool Attribute: Fcn_Variants
• Tool Attribute: Fcn_Variants_Options • • Description: • • The tool supports options. These can be command line arguments, settings or configuration files • • Assigned to the following features: • • Tool Chain Analyzer,Excel Interface • • Contains the following potential errors: • • Option Defect
• Option Ignored
Table 273 Tool Attribute: Fcn_Variants_Options
1.11.2.2 ERROR DESCRIPTIONS
The following 13 errors have been identified and used in the analysis of the "RECOMP Tool Chain". • Error: Algorithm Error • • Description: • • The algorithm has an error, for example a wrong condition, type, loop, ... • • From tool attribute: • • Fcn_Algorithm
Table 274 Error: Algorithm Error
• Error: Decoded Wongly • • Description: • • A correctly encoded object is decoded wrongly • • From tool attribute: • • Fcn_Algorithm_DeEncode
Table 275 Error: Decoded Wongly
• Error: Encoded Wrongly • • Description: • • The data is encoded such that it cannot be decoded any more • • From tool attribute: • • Fcn_Algorithm_DeEncode
Table 276 Error: Encoded Wrongly
• Error: Missing CPU • • Description: • • Not enough CPU available for computing the correct result.
Comment: Note that this error covers only the undetected case, in which the tool terminates without warning and with a wrong result. This can happen when an internal check terminates the tool once no CPU is available, e.g. after a given time, and the default value is used in place of the result.
• • From tool attribute: • • Fcn_Resource_CPU
Table 277 Error: Missing CPU
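The comment on this error describes the most dangerous shape of a resource failure: the tool hits an internal limit, falls back to a default value and terminates normally, so nothing downstream can tell a completed computation from an aborted one. The following Python listing is an added illustration of that failure mode and of the behaviour a check with a high TD needs instead; it is not code from any RECOMP tool. The bounded search, the property and the step budget are constructed for the example, and the budget stands in for the CPU-time limit in the description.

```python
"""Silent default on resource exhaustion versus an explicit 'unknown' verdict (added example)."""
from dataclasses import dataclass
from typing import Callable, Iterable, Optional


class BudgetExhausted(Exception):
    """Raised when the internal step limit (standing in for a CPU-time limit) trips."""


@dataclass
class Verdict:
    status: str                       # "valid", "invalid" or "unknown"
    counterexample: Optional[int] = None


def search_counterexample(candidates: Iterable[int], holds: Callable[[int], bool],
                          budget_steps: int) -> Optional[int]:
    """Look for an input on which `holds` fails, giving up after budget_steps checks.
    Stands in for a solver or test run whose CPU budget can run out."""
    for i, c in enumerate(candidates):
        if i >= budget_steps:
            raise BudgetExhausted(i)
        if not holds(c):
            return c
    return None


def verify_silent_default(candidates, holds, budget_steps) -> Verdict:
    """The 'Missing CPU' shape: the limit trips, the default ('no counterexample')
    is used without warning and the caller reads it as a proof of validity."""
    try:
        cex = search_counterexample(candidates, holds, budget_steps)
    except BudgetExhausted:
        cex = None                    # default value, nothing reported
    return Verdict("invalid", cex) if cex is not None else Verdict("valid")


def verify_explicit_unknown(candidates, holds, budget_steps) -> Verdict:
    """Same search, but exhaustion becomes a third verdict the caller cannot mistake
    for evidence; this is the behaviour a check with a high TD relies on."""
    try:
        cex = search_counterexample(candidates, holds, budget_steps)
    except BudgetExhausted:
        return Verdict("unknown")
    return Verdict("invalid", cex) if cex is not None else Verdict("valid")


# Constructed property: holds for every input except 999, which a small budget never reaches.
CANDIDATES = range(1000)


def holds_except_999(x: int) -> bool:
    return x != 999


if __name__ == "__main__":
    print("silent,   budget 100: ", verify_silent_default(CANDIDATES, holds_except_999, 100))
    print("explicit, budget 100: ", verify_explicit_unknown(CANDIDATES, holds_except_999, 100))
    print("explicit, budget 2000:", verify_explicit_unknown(CANDIDATES, holds_except_999, 2000))
```

With a budget of 100 steps the silent variant returns "valid" for a property that is false at input 999; that is the Missing CPU case. The explicit variant returns "unknown", which a Verification Verdict artifact can carry and a downstream check can refuse to accept as evidence. Only with a budget large enough to reach input 999 do both variants agree on "invalid" with the counterexample.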
• Error: Option Defect • • Description: • • The option or combination of options is defective, i.e. it computes wrong values • • From tool attribute: • • Fcn_Variants_Options
Table 278 Error: Option Defect
• Error: Option Ignored • • Description: • • The entered option is ignored without a warning and the wrong result is computed • • From tool attribute: • • Fcn_Variants_Options
Table 279 Error: Option Ignored
• Error: Transformation Not Supported • • Description: • • The transformation might not support all elements and silently ignore them, e.g. some settings in a model or some pragmas in the code • • From tool attribute: • • Fcn_Behaviour_Transformation
Table 280 Error: Transformation Not Supported
Error: Wrong Algorithm
Description: The chosen algorithm does not solve the problem correctly.
From tool attribute: Fcn_Algorithm
Table 281 Error: Wrong Algorithm
Error: Wrong Behaviour
Description: The function can have a wrong behaviour.
From tool attribute: Fcn_Behaviour
Table 282 Error: Wrong Behaviour
Error: Wrong Result
Description: The calculated result differs from the real result, e.g. 1+1=0 or 1/1=0.99.
From tool attribute: Fcn_Behaviour_Calculator
Table 283 Error: Wrong Result
Error: Wrong Specification
Description: The function can deviate from the specification.
From tool attribute: Fcn_Specification
Table 284 Error: Wrong Specification
Error: Wrong Transformation
Description: The result of the transformation is not correct.
From tool attribute: Fcn_Behaviour_Transformation
Table 285 Error: Wrong Transformation
Error: Wrong Variant
Description: The wrong variant has been used, e.g. by ignoring an option/configuration.
From tool attribute: Fcn_Variants
Table 286 Error: Wrong Variant
1.11.3 ASSUMPTIONS
This section lists all assumptions on tool chain level used in the evaluation of this tool chain. If the assumptions are violated, the calculated TCL is not valid. Assumptions that are enforced by the development process are marked in the analysis model and listed here.
Check: Assertion Check
Description: This check detects if an assertion in the code is violated. If a test case claims to violate an assertion but does not, this will also be noted with a high probability.
Comment: Since this is an automatic check, the detection probability is high.
From use case: Test Environment, Unit Test
Error detection probability: TD 1 (HIGH)
Is assumption: True
Table 287 Check: Assertion Check
Check: Detect Wrong TCL
Description: An error in the TCL computation is detected. Since the review is performed on the basis of the generated report, it will also detect errors in the report generation, in the image generation and all other modeling errors with a high probability.
Comment: TCL computation is an easy task and review is an effective verification method for that purpose.
From use case: ISO 26262 Reviews, SG_Confirmation Review Of TCLs
Error detection probability: TD 1 (HIGH)
Detected errors from other tools:
• SG_Confirmation Review Of TCLs, Tool Chain Analyzer, Compute Tool Confidence Level, Wrong TCL Computed
• SG_Confirmation Review Of TCLs, Tool Chain Analyzer, Determinate Tool Confidence Level, TCL Wrongly Shown
• SG_Confirmation Review Of TCLs, Tool Chain Analyzer, Determinate Tool Confidence Level, TCL Wrongly Written
• SG_Confirmation Review Of TCLs, Tool Chain Analyzer, Excel Interface, Wrong Export
• SG_Confirmation Review Of TCLs, Tool Chain Analyzer, Excel Interface, Wrong Import
• SG_Confirmation Review Of TCLs, Tool Chain Analyzer, Generate Word (docx), Document Generated Wrongly
• SG_Confirmation Review Of TCLs, Tool Chain Analyzer, Xml Interface, Wrong XML Export
• SG_Confirmation Review Of TCLs, Tool Chain Analyzer, Xml Interface, Wrong XML Import
Is assumption: True
Table 288 Check: Detect Wrong TCL
Check: Executability Check
Description: The generated test is compiled and executed.
Comment: There is a high probability of detecting that the test is not executable, e.g. that it does not compile correctly, since this is an automatic check.
From use case: TBT, Validate Tests
Error detection probability: TD 1 (HIGH)
Is assumption: True
Table 289 Check: Executability Check
Check: Model Check
Description: Check the validity of the model.
Comment: This can be done using a model checker tool for some consistency rules.
From use case: ProB Model Checker, Check Model
Error detection probability: TD 1 (HIGH)
Is assumption: True
Table 290 Check: Model Check
Check: Proof Tree - Syntax Check
Description: The syntax check is usually done when this file is used.
From use case: Rodin Prover, System Model Verification
Error detection probability: TD 1 (HIGH)
Is assumption: True
Table 291 Check: Proof Tree - Syntax Check
Check: Review Test against Specification
Description: Review of the generated test cases for correctness with respect to the specification.
Comment: Since it is easy to see that a test case covers a specified feature, the review has a high probability of detecting non-conformance errors between the tests and the specification.
From use case: TBT, Validate Tests
Error detection probability: TD 1 (HIGH)
Is assumption: True
Table 292 Check: Review Test against Specification
Error: Incorrect translation
Description: The translation of contracts to assertions/assumptions might be incorrect. It is not obvious how to check in a tool that this does not happen. Manual inspection might be needed.
From use case: Contracts to assertions
Is assumption: True
Table 293 Error: Incorrect translation
Feature: SG_Avoid Feature
Description: Avoid this feature, since it is redundant.
From: Tool Chain Analyzer
Parts: SG_Avoid Feature
Is assumption: True
Table 294 Feature: SG_Avoid Feature
Restriction: Avoid Features
Description: Avoid the risky features of the model since they might be buggy.
From feature: Tool Chain Analyzer, Safety Guidelines, SG_Avoid Feature
Error avoidance probability: TD 1 (HIGH)
Avoided errors:
• Cost Model, Wrong Cost Computed
• Excel Interface, Wrong Export
• Excel Interface, Wrong Import
• Model Validation, Wrong Error Reported
• Xml Interface, Wrong XML Export
• Xml Interface, Wrong XML Import
Is assumption: True
Table 295 Restriction: Avoid Features
Tool: Test Environment
Description: This is a virtual test environment that is used to formulate assumptions from the test generator on test tools and processes in which the generated tests can be executed.
Impact: TI 2 (Impact)
Tool Confidence Level: TCL 1
Is assumption: True
Table 296 Tool: Test Environment
APPENDIX C – TCA RESULT FOR THE INDUSTRIAL DOMAIN
1 TCL DETAILS OF RECOMP TOOL CHAIN
This chapter has been generated from the formal tool chain model and contains all relevant information to determine the TCLs of the used tools. Table 1 shows the settings and Table 2 shows the active variants with which this document was generated. For further details of the report creation see section "Report Generation" of the User Manual.
Setting | Value
Compact Report | false
With Assumptions | true
Include Subsumes | true
Include Images | true
Table 297 Settings for this documentation
Variant Settings: Active Variants: Industrial
Table 298 Variant Settings
The report starts with an overview of the analysis results, then describes each tool in detail, including TCL determination, and concludes with an appendix for further information.
ToolChain: RECOMP Tool Chain
Description: All models are integrated here.
TCL Determination: TCL 3
Table 299 ToolChain: RECOMP Tool Chain
1.1 TCL RESULT OVERVIEW
Table 4 shows the result of the tool evaluation, particularly the tool confidence levels.
Name | Tool Impact (TI) | Tool Detection (TD) | Tool Confidence Level (TCL) | Assumptions
AF3 | TI 2 (Impact) | TD 1 (HIGH) | TCL 1 | -
Development | TI 2 (Impact) | TD 2 (MEDIUM) | TCL 2 | -
GEMDE Certification | TI 2 (Impact) | TD 1 (HIGH) | TCL 1 | -
Medini | TI 2 (Impact) | TD 1 (HIGH) | TCL 1 | -
nuSMV Model Checker | TI 2 (Impact) | TD 1 (HIGH) | TCL 1 | -
ProB Model Checker | TI 2 (Impact) | TD 1 (HIGH) | TCL 1 | 1
Process Checker | TI 2 (Impact) | TD 1 (HIGH) | TCL 1 | -
Rodin Editor | TI 2 (Impact) | TD 1 (HIGH) | TCL 1 | -
Rodin Prover | TI 2 (Impact) | TD 1 (HIGH) | TCL 1 | 1
Simulink | TI 2 (Impact) | TD 3 (LOW) | TCL 3 | 1
Simulink Design Verifier | TI 2 (Impact) | TD 1 (HIGH) | TCL 1 | -
TBT | TI 2 (Impact) | TD 1 (HIGH) | TCL 1 | 2
Tecnalia Assurance Case Editor | TI 2 (Impact) | TD 1 (HIGH) | TCL 1 | -
Test Environment | TI 2 (Impact) | TD 1 (HIGH) | TCL 1 | 5
Tool Chain Analyzer | TI 2 (Impact) | TD 3 (LOW) | TCL 3 | 1
VerSAA | TI 2 (Impact) | TD 1 (HIGH) | TCL 1 | -
YICES SMT Solver | TI 2 (Impact) | TD 1 (HIGH) | TCL 1 | -
Table 300 Evaluation Results of RECOMP Tool Chain
Fig 1 shows the error flow in the RECOMP Tool Chain. The number on an edge denotes the number of error flows between the two tools. An error flow is a detection possibility or an avoidance possibility of an error. Note that for one error there might be several flows, hence the number of flows can be larger than the number of errors in the model. For example, the tool Simulink Design Verifier contains one error in one occurrence. There are 3 error flows (detection or avoidance possibilities for error occurrences) into Simulink Design Verifier, i.e. error occurrences that are avoided or detected by carefully using the tool. There are 2 from Simulink Design Verifier into VerSAA, i.e. errors that are detected by VerSAA.
Fig 38 Error Flow in RECOMP Tool Chain
1.2 AF3
This section explains the determination of the Tool Confidence Level (TCL) for the tool AF3.
Tool: AF3
Description: The AutoFOCUS3 tool as distributed by fortiss GmbH. AF3 is a tool for the model-based development of embedded systems, covering the phases from requirements capture to deployment on the hardware platform.
Impact: TI 2 (Impact)
Tool Confidence Level: TCL 1
Table 301 Tool: AF3
The tool AF3 is modeled with 6 elements which have impact, none of them are assumptions. In addition, 17 features have been modeled, none of them are assumptions.
Elements | Amount (Assumptions)
Use Cases | 6 (0)
Checks | 0 (0)
Restrictions | 0 (0)
Potential Errors | 0 (0)
Table 302 Amount of Elements in Tool: AF3
1.2.1 USE CASES OF AF3
This section describes all analyzed use cases of AF3 in separate subsections. The following use cases of the tool AF3 are considered:
1. Deploying a Logical Architecture to Technical Architecture, see Section 1.2.1.1
2. Requirements Elicitation and Specification, see Section 1.2.7.1
3. Specification of a Logical Architecture, see Section 0
4. Unit Testing, see Section 0
5. Validation of a Logical Architecture, see Section 0
6. Verification of a Logical Architecture, see Section 0
1.2.1.1 USE CASE DEPLOYING A LOGICAL ARCHITECTURE TO TECHNICAL ARCHITECTURE
This section describes the use case "Deploying a Logical Architecture to Technical Architecture".
UseCase: Deploying a Logical Architecture to Technical Architecture
Description: The deployment of a logical architecture to the technical platform is defined and the corresponding parts are synthesized.
Table 303 UseCase: Deploying a Logical Architecture to Technical Architecture
The use case requires 4 features and calls no other use cases. Fig 2 shows the dependencies between the use cases and features.
Fig 39 Dependency View of Use Case: Deploying a Logical Architecture to Technical Architecture
"Deploying a Logical Architecture to Technical Architecture" uses the following features:
• Specifying Technical Architecture
• Synthesizing Deployment
• Synthesizing Real-Time Schedule
• Synthesizing SIL-Conformant Mapping
In order to fulfill the requirements of the use case, usually a number of artifacts will be read and/or written. But in "Deploying a Logical Architecture to Technical Architecture" the tool AF3 uses no artifacts.
1.2.1.2 USE CASE REQUIREMENTS ELICITATION AND SPECIFICATION
This section describes the use case "Requirements Elicitation and Specification".
UseCase: Requirements Elicitation and Specification
Description: The requirements of a system are identified, specified, and structured.
Table 304 UseCase: Requirements Elicitation and Specification
The use case requires 2 features and calls no other use cases. Table 10 shows the dependencies between the use cases and features.
Fig 40 Dependency View of Use Case: Requirements Elicitation and Specification
"Requirements Elicitation and Specification" uses the following features:
• Specifying MSC Requirements
• Specifying Textual Requirements
In order to fulfill the requirements of the use case, usually a number of artifacts will be read and/or written. But in "Requirements Elicitation and Specification" the tool AF3 uses no artifacts.
1.2.1.3 USE CASE SPECIFICATION OF A LOGICAL ARCHITECTURE
This section describes the use case "Specification of a Logical Architecture".
UseCase: Specification of a Logical Architecture
Description: -None-
Table 305 UseCase: Specification of a Logical Architecture
The use case requires 3 features and calls no other use cases. Table 12 shows the dependencies between the use cases and features.
Fig 41 Dependency View of Use Case: Specification of a Logical Architecture
"Specification of a Logical Architecture" uses the following features:
• Specifying Code-Based Behavior of a Logical Architecture
• Specifying State-Based Behavior of a Logical Architecture
• Specifying Structure of a Logical Architecture
In order to fulfill the requirements of the use case, usually a number of artifacts will be read and/or written. But in "Specification of a Logical Architecture" the tool AF3 uses no artifacts.
1.2.1.4 USE CASE UNIT TESTING
This section describes the use case "Unit Testing".
UseCase: Unit Testing
Description: -None-
Table 306 UseCase: Unit Testing
The use case requires 2 features and calls no other use cases. Use Case Assessment view shows the dependencies between the use cases and features.
Fig 42 Dependency View of Use Case: Unit Testing
"Unit Testing" uses the following features:
• Specifying Test Suite
• Synthesizing Test Cases
In order to fulfill the requirements of the use case, usually a number of artifacts will be read and/or written. But in "Unit Testing" the tool AF3 uses no artifacts.
1.2.1.5 USE CASE VALIDATION OF A LOGICAL ARCHITECTURE
This section describes the use case "Validation of a Logical Architecture".
UseCase: Validation of a Logical Architecture
Description: A logical architecture is validated with respect to its intended behavior.
Table 307 UseCase: Validation of a Logical Architecture
The use case requires one feature and calls no other use cases. Use Case Quality view shows the dependencies between the use cases and features.
Fig 43 Dependency View of Use Case: Validation of a Logical Architecture
"Validation of a Logical Architecture" uses the following feature:
• Simulating a Logical Architecture
In order to fulfill the requirements of the use case, usually a number of artifacts will be read and/or written. But in "Validation of a Logical Architecture" the tool AF3 uses no artifacts.
1.2.1.6 USE CASE VERIFICATION OF A LOGICAL ARCHITECTURE
This section describes the use case "Verification of a Logical Architecture".
UseCase: Verification of a Logical Architecture
Description: The properties of a logical architecture are specified and verified.
Table 308 UseCase: Verification of a Logical Architecture
The use case requires 3 features and calls no other use cases. Use Case Technical view shows the dependencies between the use cases and features.
Fig 44 Dependency View of Use Case: Verification of a Logical Architecture
"Verification of a Logical Architecture" uses the following features:
• Specifying Contracts on Logical Components
• Verifying Contracts of a Logical Architecture
• Verifying Soundness of a Logical Architecture
In order to fulfill the requirements of the use case, usually a number of artifacts will be read and/or written. But in "Verification of a Logical Architecture" the tool AF3 uses no artifacts.
1.2.2 FEATURES OF AF3
This section describes all analyzed features of AF3 in separate subsections. The following features of the tool AF3 are considered:
1. Simulating a Logical Architecture, see Section 0
2. Specifying Test Suite, see Section 0
3. Specifying Code-Based Behavior of a Logical Architecture, see Section 0
4. Specifying Contracts on Logical Components, see Section 0
5. Specifying MSC Requirements, see Section 0
6. Specifying SIL Requirements, see Section 0
7. Specifying State-Based Behavior of a Logical Architecture, see Section 0
8. Specifying Structure of a Logical Architecture, see Section 1.4.1.4
9. Specifying Technical Architecture, see Section 1.4.1.6
10. Specifying Textual Requirements, see Section 1.4.1.8
11. Synthesizing Deployment, see Section 1.4.1.10
12. Synthesizing Real-Time Schedule, see Section 0
13. Synthesizing SIL-Conformant Mapping, see Section 0
14. Synthesizing Test Cases, see Section 0
15. Verifying Contracts of a Logical Architecture, see Section 1.4.7.2
16. Verifying MSC Conformance, see Section 0
17. Verifying Soundness of a Logical Architecture, see Section 0
1.2.2.1 FEATURE SIMULATING A LOGICAL ARCHITECTURE
This section describes the feature "Simulating a Logical Architecture".
Feature: Simulating a Logical Architecture
Description: A logical architecture is executed using a controlled simulation.
Table 309 Feature: Simulating a Logical Architecture
The feature "Simulating a Logical Architecture" reads and/or writes the following artifacts. The used artifacts are shown in Fig 6 and are summarized in the subsequent table.
Fig 45 Artifacts of Feature: Simulating a Logical Architecture
Artifacts of Feature: Simulating a Logical Architecture
Inputs: • AF3 System Model
Outputs: • Display Output
Table 310 Artifacts of Feature: Simulating a Logical Architecture
1.2.2.2 FEATURE SPECIFYING TEST SUITE
This section describes the feature "Specifying Test Suite".
Feature: Specifying Test Suite
Description: A test suite is specified by the coverage criteria of the suite. Possible coverage criteria are random testing, state coverage, or transition coverage.
Table 311 Feature: Specifying Test Suite
The feature "Specifying Test Suite" reads and/or writes the following artifacts. The used artifacts are shown in TCL Determination for Use Case: Assessment view and are summarized in the subsequent table.
Fig 46 Artifacts of Feature: Specifying Test Suite
Artifacts of Feature: Specifying Test Suite
Inputs: • Test Specification
Outputs: • AF3 System Model
Table 312 Artifacts of Feature: Specifying Test Suite
1.2.2.3 FEATURE SPECIFYING CODE-BASED BEHAVIOR OF A LOGICAL ARCHITECTURE
This section describes the feature "Specifying Code-Based Behavior of a Logical Architecture".
Feature: Specifying Code-Based Behavior of a Logical Architecture
Description: The behavior of the components of a logical architecture is defined using a code-based textual approach.
Table 313 Feature: Specifying Code-Based Behavior of a Logical Architecture
The feature "Specifying Code-Based Behavior of a Logical Architecture" reads and/or writes the following artifacts. The used artifacts are shown in TCL Determination for Use Case: Quality view and are summarized in the subsequent table.
Fig 47 Artifacts of Feature: Specifying Code-Based Behavior of a Logical Architecture
Artifacts of Feature: Specifying Code-Based Behavior of a Logical Architecture
Inputs: • AF3 System Model
Outputs: • AF3 System Model
Table 314 Artifacts of Feature: Specifying Code-Based Behavior of a Logical Architecture
1.2.2.4 FEATURE SPECIFYING CONTRACTS ON LOGICAL COMPONENTS
This section describes the feature "Specifying Contracts on Logical Components".
Feature: Specifying Contracts on Logical Components
Description: Formal properties of components of the logical architecture are specified. These properties can be defined via assume-guarantee contracts or patterns.
Table 315 Feature: Specifying Contracts on Logical Components
The feature "Specifying Contracts on Logical Components" reads and/or writes the following artifacts. The used artifacts are shown in TCL Determination for Use Case: Technical view and are summarized in the subsequent table.
Fig 48 Artifacts of Feature: Specifying Contracts on Logical Components
Artifacts of Feature: Specifying Contracts on Logical Components
Inputs: • AF3 System Model
Outputs: • AF3 System Model
Table 316 Artifacts of Feature: Specifying Contracts on Logical Components
1.2.2.5 FEATURE SPECIFYING MSC REQUIREMENTS
This section describes the feature "Specifying MSC Requirements".
Feature: Specifying MSC Requirements
Description: The requirements of a system are specified using MSCs to define scenarios. The textual requirements of a system are specified in a structured way. This includes the specification of general requirements as well as use cases including their scenarios, and their hierarchical structure.
Table 317 Feature: Specifying MSC Requirements
The feature "Specifying MSC Requirements" reads and/or writes the following artifacts. The used artifacts are shown in Use Case Detailed architecture definition and are summarized in the subsequent table.
Fig 49 Artifacts of Feature: Specifying MSC Requirements
Artifacts of Feature: Specifying MSC Requirements
Inputs: • AF3 System Model • Requirement Specification
Outputs: • AF3 System Model
Table 318 Artifacts of Feature: Specifying MSC Requirements
1.2.2.6 FEATURE SPECIFYING SIL REQUIREMENTS
This section describes the feature "Specifying SIL Requirements".
Feature: Specifying SIL Requirements
Description: The SIL levels of components of a logical architecture are defined.
Table 319 Feature: Specifying SIL Requirements
The feature "Specifying SIL Requirements" reads and/or writes the following artifacts. The used artifacts are shown in Use Case FHA Generation and are summarized in the subsequent table.
Fig 50 Artifacts of Feature: Specifying SIL Requirements
Artifacts of Feature: Specifying SIL Requirements
Inputs: • AF3 System Model • Safety Requirements
Outputs: • AF3 System Model
Table 320 Artifacts of Feature: Specifying SIL Requirements
1.2.2.7 FEATURE SPECIFYING STATE-BASED BEHAVIOR OF A LOGICAL ARCHITECTURE
This section describes the feature "Specifying State-Based Behavior of a Logical Architecture".
Feature: Specifying State-Based Behavior of a Logical Architecture
Description: The behavior of the components of a logical architecture is defined using a state-machine approach.
Table 321 Feature: Specifying State-Based Behavior of a Logical Architecture
The feature "Specifying State-Based Behavior of a Logical Architecture" reads and/or writes the following artifacts. The used artifacts are shown in Use Case FMEA Generation and are summarized in the subsequent table.
Fig 51 Artifacts of Feature: Specifying State-Based Behavior of a Logical Architecture
Artifacts of Feature: Specifying State-Based Behavior of a Logical Architecture
Inputs: • AF3 System Model
Outputs: • AF3 System Model
Table 322 Artifacts of Feature: Specifying State-Based Behavior of a Logical Architecture
1.2.2.8 FEATURE SPECIFYING STRUCTURE OF A LOGICAL ARCHITECTURE
This section describes the feature "Specifying Structure of a Logical Architecture".
Feature: Specifying Structure of a Logical Architecture
Description: The structure of a logical architecture in terms of components and their subcomponents is defined.
Table 323 Feature: Specifying Structure of a Logical Architecture
The feature "Specifying Structure of a Logical Architecture" reads and/or writes the following artifacts. The used artifacts are shown in Use Case Function allocation and are summarized in the subsequent table.
Fig 52 Artifacts of Feature: Specifying Structure of a Logical Architecture
Artifacts of Feature: Specifying Structure of a Logical Architecture
Outputs: • AF3 System Model
Table 324 Artifacts of Feature: Specifying Structure of a Logical Architecture
1.2.2.9 FEATURE SPECIFYING TECHNICAL ARCHITECTURE
This section describes the feature "Specifying Technical Architecture".
Feature: Specifying Technical Architecture
Description: -None-
Table 325 Feature: Specifying Technical Architecture
The feature "Specifying Technical Architecture" reads and/or writes the following artifacts. The used artifacts are shown in Use Case HW/SW allocation and are summarized in the subsequent table.
Fig 53 Artifacts of Feature: Specifying Technical Architecture
Artifacts of Feature: Specifying Technical Architecture
Inputs: • AF3 System Model • Spatial Constraints
Outputs: • AF3 System Model • Detailed System Architecture • Spatial Constraints • Timing Parameters
Table 326 Artifacts of Feature: Specifying Technical Architecture
1.2.2.10 FEATURE SPECIFYING TEXTUAL REQUIREMENTS
This section describes the feature "Specifying Textual Requirements".
Feature: Specifying Textual Requirements
Description: The textual requirements of a system are specified in a structured way. This includes the specification of general requirements as well as use cases including their scenarios, and their hierarchical structure.
Table 327 Feature: Specifying Textual Requirements
The feature "Specifying Textual Requirements" reads and/or writes the following artifacts. The used artifacts are shown in Use Case Safety goals definition and are summarized in the subsequent table.
Fig 54 Artifacts of Feature: Specifying Textual Requirements
Artifacts of Feature: Specifying Textual Requirements
Inputs: • Requirement Specification
Outputs: • AF3 System Model
Table 328 Artifacts of Feature: Specifying Textual Requirements
1.2.2.11 FEATURE SYNTHESIZING DEPLOYMENT
This section describes the feature "Synthesizing Deployment".
Feature: Synthesizing Deployment
Description: For logical and technical architectures and a mapping between them, a set of deployable packages is generated. These packages include the generated code for each component, build files and glue code for each ECU.
Table 329 Feature: Synthesizing Deployment
The feature "Synthesizing Deployment" reads and/or writes the following artifacts. The used artifacts are shown in Fig 10 and are summarized in the subsequent table.
Fig 55 Artifacts of Feature: Synthesizing Deployment
Artifacts of Feature: Synthesizing Deployment
Inputs: • AF3 System Model
Outputs: • Deployment • Source Code
Table 330 Artifacts of Feature: Synthesizing Deployment
1.2.2.12 FEATURE SYNTHESIZING REAL-TIME SCHEDULE
This section describes the feature "Synthesizing Real-Time Schedule".
Feature: Synthesizing Real-Time Schedule
Description: -None-
Table 331 Feature: Synthesizing Real-Time Schedule
The feature "Synthesizing Real-Time Schedule" reads and/or writes the following artifacts. The used artifacts are shown in TCL Determination for Use Case: Detailed architecture definition and are summarized in the subsequent table.
Fig 56 Artifacts of Feature: Synthesizing Real-Time Schedule
Artifacts of Feature: Synthesizing Real-Time Schedule
Inputs: • AF3 System Model • WCET
Outputs: • AF3 System Model
Table 332 Artifacts of Feature: Synthesizing Real-Time Schedule
1.2.2.13 FEATURE SYNTHESIZING SIL-CONFORMANT MAPPING
This section describes the feature "Synthesizing SIL-Conformant Mapping".
Feature: Synthesizing SIL-Conformant Mapping
Description: -None-
Table 333 Feature: Synthesizing SIL-Conformant Mapping
The feature "Synthesizing SIL-Conformant Mapping" reads and/or writes the following artifacts. The used artifacts are shown in Table 81 and are summarized in the subsequent table.
Fig 57 Artifacts of Feature: Synthesizing SIL-Conformant Mapping
Artifacts of Feature: Synthesizing SIL-Conformant Mapping
Inputs: • AF3 System Model
Outputs: • AF3 System Model
Table 334 Artifacts of Feature: Synthesizing SIL-Conformant Mapping
1.2.2.14 FEATURE SYNTHESIZING TEST CASES
This section describes the feature "Synthesizing Test Cases".
Feature: Synthesizing Test Cases
Description: Test cases are synthesized for a specified test suite according to the coverage criteria.
Table 335 Feature: Synthesizing Test Cases
The feature "Synthesizing Test Cases" reads and/or writes the following artifacts. The used artifacts are shown in Table 83 and are summarized in the subsequent table.
Fig 58 Artifacts of Feature: Synthesizing Test Cases
Artifacts of Feature: Synthesizing Test Cases
Inputs: • AF3 System Model
Outputs: • Test Cases
Table 336 Artifacts of Feature: Synthesizing Test Cases
1.2.2.15 FEATURE VERIFYING CONTRACTS OF A LOGICAL ARCHITECTURE
This section describes the feature "Verifying Contracts of a Logical Architecture".
Feature: Verifying Contracts of a Logical Architecture
Description: A logical architecture is verified by means of formal checks. These checks include the use of assume-guarantee contracts or patterns.
Table 337 Feature: Verifying Contracts of a Logical Architecture
The feature "Verifying Contracts of a Logical Architecture" reads and/or writes the following artifacts. The used artifacts are shown in Table 85 and are summarized in the subsequent table.
Fig 59 Artifacts of Feature: Verifying Contracts of a Logical Architecture
Artifacts of Feature: Verifying Contracts of a Logical Architecture
Inputs: • AF3 System Model
Outputs: • Verification Verdict
Table 338 Artifacts of Feature: Verifying Contracts of a Logical Architecture
1.2.2.16 FEATURE VERIFYING MSC CONFORMANCE
This section describes the feature "Verifying MSC Conformance".
Feature: Verifying MSC Conformance
Description: For an MSC and a (part of a) logical architecture including the behavior of its components, their conformance is verified; i.e., it is checked that the sequence of actions of the MSC can be produced by the logical component architecture.
Table 339 Feature: Verifying MSC Conformance
The feature "Verifying MSC Conformance" reads and/or writes the following artifacts. The used artifacts are shown in Table 87 and are summarized in the subsequent table.
Fig 60 Artifacts of Feature: Verifying MSC Conformance
Artifacts of Feature: Verifying MSC Conformance
Inputs: • AF3 System Model
Outputs: • Verification Verdict
Table 340 Artifacts of Feature: Verifying MSC Conformance
1.2.2.17 FEATURE VERIFYING SOUNDNESS OF A LOGICAL ARCHITECTURE
This section describes the feature "Verifying Soundness of a Logical Architecture".
Feature: Verifying Soundness of a Logical Architecture
Description: A logical architecture is verified with respect to reachability and determinism of its components.
Table 341 Feature: Verifying Soundness of a Logical Architecture
The feature "Verifying Soundness of a Logical Architecture" reads and/or writes the following artifacts. The used artifacts are shown in TCL Determination for Use Case: FMEA Generation and are summarized in the subsequent table.
Fig 61 Artifacts of Feature: Verifying Soundness of a Logical Architecture
Artifacts of Feature: Verifying Soundness of a Logical Architecture
Inputs: • AF3 System Model
Outputs: • Verification Verdict
Table 342 Artifacts of Feature: Verifying Soundness of a Logical Architecture
1.2.3 POTENTIAL ERRORS IN AF3
The tool has no potential error. The error flow consists of all relations from errors to checks or restrictions. There is
• no relation from errors caused by other tools to checks or restrictions defined for use cases of this tool.
• no relation from errors caused by this tool to checks or restrictions defined for use cases of this tool.
• no relation from errors caused by this tool to checks or restrictions defined for use cases of other tools.
1.2.4 RESTRICTIONS IN AF3
There are no restrictions in the tool AF3.
1.2.5 CHECKS IN AF3
No checks are performed in the tool AF3.
1.2.6 ASSUMPTIONS
The determination of the TCL of AF3 is not based on assumed checks and restrictions. None of the checks and restrictions are modeled as assumptions.
1.2.7 TCL DETERMINATION
This section determines a TCL for each use case by assigning checks or restrictions with detection/avoidance probability to each potential error. The TCL for the entire tool can be derived from the TCL for each use case. The tool AF3 has 6 use cases with TCL 1, no use case with TCL 2 and no use case with TCL 3. Therefore the tool AF3 has TCL 1. The use cases are described in the following sections:
• For "Deploying a Logical Architecture to Technical Architecture" (TCL 1) see Section 0,
• for "Requirements Elicitation and Specification" (TCL 1) see Section 0,
• for "Specification of a Logical Architecture" (TCL 1) see Section 0,
• for "Unit Testing" (TCL 1) see Section 0,
• for "Validation of a Logical Architecture" (TCL 1) see Section 0, and
• for "Verification of a Logical Architecture" (TCL 1) see Section 1.4.7.4.
1.2.7.1 TCL DETERMINATION FOR USE CASE: DEPLOYING A LOGICAL ARCHITECTURE TO TECHNICAL ARCHITECTURE
The use case "Deploying a Logical Architecture to Technical Architecture" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. This use case has no errors.
1.2.7.2 TCL DETERMINATION FOR USE CASE: REQUIREMENTS ELICITATION AND SPECIFICATION
The use case "Requirements Elicitation and Specification" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. This use case has no errors.
1.2.7.3 TCL DETERMINATION FOR USE CASE: SPECIFICATION OF A LOGICAL ARCHITECTURE
The use case "Specification of a Logical Architecture" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. This use case has no errors.
1.2.7.4 TCL DETERMINATION FOR USE CASE: UNIT TESTING
The use case "Unit Testing" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. This use case has no errors.
1.2.7.5 TCL DETERMINATION FOR USE CASE: VALIDATION OF A LOGICAL ARCHITECTURE
The use case "Validation of a Logical Architecture" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. This use case has no errors.
1.2.7.6 TCL DETERMINATION FOR USE CASE: VERIFICATION OF A LOGICAL ARCHITECTURE
The use case "Verification of a Logical Architecture" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. This use case has no errors.
1.3 DEVELOPMENT
This section explains the determination of the Tool Confidence Level (TCL) for the tool Development.
Tool: Development
Description: This is not a concrete tool but just a model of any development tool chain (including humans) that can cause different errors when producing source code.
Impact: TI 2 (Impact)
Tool Confidence Level: TCL 2
Table 343 Tool: Development
The tool Development is modeled with 5 elements which have impact, none of them are assumptions. No additional features have been modeled.
Elements | Amount (Assumptions)
Use Cases | 1 (0)
Checks | 0 (0)
Restrictions | 0 (0)
Potential Errors | 4 (0)
Table 344 Amount of Elements in Tool: Development
1.3.1 USE CASES OF DEVELOPMENT
This section describes all analyzed use cases of Development in separate subsections. The following use cases of the tool Development are considered:
1. Create Code, see Section 0
1.3.1.1 USE CASE CREATE CODE
This section describes the use case "Create Code".
UseCase: Create Code
Description: This is the use case of creating C code; it collects the potential errors that can be discovered by the test tool.
Table 345 UseCase: Create Code
The use case requires no features and calls no other use cases.
The use case "Create Code" reads and/or writes the following artifacts. The used artifacts are shown in Table 97 and are summarized in the subsequent table.
Fig 62 Artifacts of Use Case: Create Code
Artifacts of Use Case: Create Code
Outputs: • C/C++ Source Code
Table 346 Artifacts of Use Case: Create Code
1.3.2 FEATURES OF DEVELOPMENT
There are no features modeled for Development.
1.3.3 POTENTIAL ERRORS IN DEVELOPMENT
The tool has 4 different potential errors in 4 occurrences in use cases. The error flow, as can be seen in TCL Determination for Use Case: Function allocation, consists of all relations from errors to checks or restrictions. There are
• no relation from errors caused by other tools to checks or restrictions defined for use cases of this tool.
• no relation from errors caused by this tool to checks or restrictions defined for use cases of this tool.
• 5 relations from errors caused by this tool to checks or restrictions defined for use cases of other tools.
Fig 63 Error Flow to and from Development
Through these 5 relations, Development has an impact on one other tool. The errors are listed in Table 99.
Tool | Error | UseCase | Table
Test Environment | Assertion Violation | Create Code | TCL Determination for Use Case: HW/SW allocation
Test Environment | Dead Code | Create Code | Table 101
Test Environment | Other Programming Error | Create Code | Table 102
Test Environment | Runtime Error | Create Code | TCL Determination for Use Case: Item Definition
Test Environment | Runtime Error | Create Code | TCL Determination for Use Case: Item Definition
Table 347 Errors of Development with impact on other tools
1.3.4 RESTRICTIONS IN DEVELOPMENT
There are no restrictions in the tool Development.
1.3.5 CHECKS IN DEVELOPMENT
No checks are performed in the tool Development.
1.3.6 ASSUMPTIONS
The determination of the TCL of Development is not based on assumed checks and restrictions. None of the checks and restrictions are modeled as assumptions.
1.3.7 TCL DETERMINATION
This section determines a TCL for each use case by assigning checks or restrictions with detection/avoidance probability to each potential error. The TCL for the entire tool can be derived from the TCL for each use case. The tool Development has no use case with TCL 1, one use case with TCL 2 and no use case with TCL 3. Therefore the tool Development has TCL 2. The use cases are described in the following sections:
• For "Create Code" (TCL 2) see Section 1.4.7.6.
1.3.7.1 TCL DETERMINATION FOR USE CASE: CREATE CODE
The use case "Create Code" has TCL 2. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "Create Code".
Error | TD | Table
Assertion Violation | TD 2 (MEDIUM) | TCL Determination for Use Case: HW/SW allocation
Dead Code | TD 2 (MEDIUM) | Table 101
Other Programming Error | TD 2 (MEDIUM) | Table 102
Runtime Error | TD 2 (MEDIUM) | TCL Determination for Use Case: Item Definition
Table 348 Errors of Use Case: Create Code
Error: Assertion Violation
Description: The program contains assertions that can be violated under some conditions.
From use case: Create Code
Discovered by the following checks: • Unit Test.Runtime Check
Occurrences: • in Create Code
Error View:
Table 349 Error: Assertion Violation
Error: Dead Code
Description: Code that is not reachable is called dead code.
From use case: Create Code
Discovered by the following checks: • Unit Test.Life Check
Occurrences: • in Create Code
Error View:
Table 350 Error: Dead Code
Error: Other Programming Error
Description: Any other functional error that can be introduced into the code.
From use case: Create Code
Discovered by the following checks: • Unit Test.Program Verification
Occurrences: • in Create Code
Error View:
Table 351 Error: Other Programming Error
Error: Runtime Error
Description: A runtime error is an error that causes the program to crash during execution. This
From use case: Create Code
Discovered by the following checks: • Unit Test.Program Verification • Unit Test.Runtime Check
Occurrences: • in Create Code
Error View:
Table 352 Error: Runtime Error
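The rule applied throughout these sections (the lowest detection level among a use case's errors fixes the use case's TCL, and the use cases fix the tool's TCL) can be worked through in code. The following Python is an added example written for this edit, not part of the report or of the RECOMP tool-chain model. The Development data is transcribed from Tables 348 to 352; the TI/TD-to-TCL mapping of ISO 26262-8, the rule that an error's TD is the best TD among the checks covering it, and the second tool are assumptions and constructions, labelled as such in the comments.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# TD = Tool error Detection level: TD 1 (HIGH) ... TD 3 (LOW).
# TI = Tool Impact: TI 1 (no impact on safety) or TI 2 (impact), as in the tool tables.
TD_LABEL = {1: "HIGH", 2: "MEDIUM", 3: "LOW"}


def error_td(check_tds: List[int]) -> int:
    """TD of one potential error from the TDs of the checks/restrictions covering it.
    Assumption (not stated in the report): the best covering check counts, i.e. the
    numerically lowest TD; an error no check covers is TD 3 (LOW)."""
    return min(check_tds) if check_tds else 3


@dataclass
class PotentialError:
    name: str
    check_tds: List[int] = field(default_factory=list)

    @property
    def td(self) -> int:
        return error_td(self.check_tds)


@dataclass
class UseCase:
    name: str
    errors: List[PotentialError] = field(default_factory=list)


@dataclass
class Tool:
    name: str
    ti: int
    use_cases: List[UseCase]


def use_case_td(uc: UseCase) -> int:
    """'Lowest Tool Detection Level of all errors' means the numerically largest TD.
    A use case without errors leaves nothing undetected; the report gives such use
    cases TCL 1, which treating them as TD 1 reproduces."""
    return max((e.td for e in uc.errors), default=1)


def tcl_from(ti: int, td: int) -> int:
    """TI/TD -> TCL mapping of ISO 26262-8 (assumed to be what the report applies;
    its TI 2/TD 2 -> TCL 2 and TI 2/TD 1 -> TCL 1 results agree with it)."""
    return 1 if ti == 1 else td


def use_case_tcl(tool: Tool, uc: UseCase) -> int:
    return tcl_from(tool.ti, use_case_td(uc))


def tcl_histogram(tool: Tool) -> Dict[int, int]:
    """How many use cases of the tool have TCL 1, 2 and 3."""
    counts = {1: 0, 2: 0, 3: 0}
    for uc in tool.use_cases:
        counts[use_case_tcl(tool, uc)] += 1
    return counts


def tool_tcl(tool: Tool) -> int:
    """The tool inherits the most demanding (highest) TCL of its use cases."""
    return max(use_case_tcl(tool, uc) for uc in tool.use_cases)


def summary(tool: Tool) -> str:
    h = tcl_histogram(tool)
    return (f"The tool {tool.name} has {h[1]} use case(s) with TCL 1, {h[2]} with TCL 2 "
            f"and {h[3]} with TCL 3. Therefore the tool {tool.name} has TCL {tool_tcl(tool)}.")


# Transcribed from Tables 348-352: four errors of "Create Code", all covered by
# TD 2 checks, "Runtime Error" by two of them.
DEVELOPMENT = Tool("Development", ti=2, use_cases=[
    UseCase("Create Code", [
        PotentialError("Assertion Violation", [2]),
        PotentialError("Dead Code", [2]),
        PotentialError("Other Programming Error", [2]),
        PotentialError("Runtime Error", [2, 2]),
    ]),
])

# Constructed case, not in the report: one error with no covering check drags a
# single use case, and with it the whole tool, to TCL 3.
HYPOTHETICAL = Tool("Hypothetical generator", ti=2, use_cases=[
    UseCase("Well covered", [PotentialError("E1", [1])]),
    UseCase("Partly covered", [PotentialError("E2", [1]), PotentialError("E3", [])]),
])

if __name__ == "__main__":
    for t in (DEVELOPMENT, HYPOTHETICAL):
        print(summary(t))
        for uc in t.use_cases:
            td = use_case_td(uc)
            print(f"  {uc.name}: TD {td} ({TD_LABEL[td]}) -> TCL {use_case_tcl(t, uc)}")
```

The constructed second tool shows why the TD-per-error view matters for the whole chain: a single uncovered error in one use case is enough to raise the tool's qualification burden to TCL 3, however well the remaining errors are covered.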
1.4 GEMDE CERTIFICATION
This section explains the determination of the Tool Confidence Level (TCL) for the tool GEMDE Certification.
Tool: GEMDE Certification
Description: Tool for certification support
Comment: This is just a supporting tool to gather all the certification documentation. It does not create running software or tests.
Impact: TI 2 (Impact)
Tool Confidence Level: TCL 1
Table 353 Tool: GEMDE Certification
The tool GEMDE Certification is modeled with 9 elements which have impact, none of them are assumptions. No additional features have been modeled.
Elements | Amount (Assumptions)
Use Cases | 3 (0)
Checks | 3 (0)
Restrictions | 0 (0)
Potential Errors | 3 (0)
Table 354 Amount of Elements in Tool: GEMDE Certification
1.4.1 USE CASES OF GEMDE CERTIFICATION
This section describes all analyzed use cases of GEMDE Certification in separate subsections. The following use cases of the tool GEMDE Certification are considered:
1. Assessment view, see Section 1.4.7.9
2. Quality view, see Section 0
3. Technical view, see Section 1.4.7.10
1.4.1.1 USE CASE ASSESSMENT VIEW
This section describes the use case "Assessment view".
UseCase: Assessment view
Description: Assessment or validation of the Qualification Project against the Qualification Reference
Table 355 UseCase: Assessment view
The use case requires no features and calls no other use cases. The use case "Assessment view" reads and/or writes the following artifacts. The used artifacts are shown in Table 104 and are summarized in the subsequent table.
Fig 64 Artifacts of Use Case: Assessment view
Artifacts of Use Case: Assessment view
Inputs: • ProjectModel • ReferenceModel
Outputs: • No-Conformity metrics
Table 356 Artifacts of Use Case: Assessment view
1.4.1.2 USE CASE QUALITY VIEW
This section describes the use case "Quality view".
UseCase: Quality view
Description: Selection and definition of the Qualification Reference. Definition of the scope of the Qualification Reference
Table 357 UseCase: Quality view
The use case requires no features and calls no other use cases. The use case "Quality view" reads and/or writes the following artifacts. The used artifacts are shown in Table 106 and are summarized in the subsequent table.
Fig 65 Artifacts of Use Case: Quality view
Artifacts of Use Case: Quality view
Inputs: • StandardsRegulation
Outputs: • ReferenceModel
Inputs & Outputs: • ReferenceModel
Table 358 Artifacts of Use Case: Quality view
1.4.1.3 USE CASE TECHNICAL VIEW
This section describes the use case "Technical view".
UseCase: Technical view
Description: Definition of the Qualification Project and associated Qualification Reference
Table 359 UseCase: Technical view
The use case requires no features and calls 11 other use cases. Fig 12 shows the dependencies between the use cases and features.
Fig 66 Dependency View of Use Case: Technical view
"Technical view" calls the following use cases:
• Medini,Detailed architecture definition
• Medini,FHA Generation
• Medini,FMEA Generation
• Medini,FTA Generation
• Medini,Function allocation
• Medini,Generation HW Coverage
• Medini,HW/SW allocation
• Medini,Item Definition
• Medini,SW Architecture definition
• Medini,Safety goals definition
• Tecnalia Assurance Case Editor,Assurance Case edition
The use case "Technical view" reads and/or writes the following artifacts. The used artifacts are shown in Table 111 and are summarized in the subsequent table.
Fig 67 Artifacts of Use Case: Technical view
Artifacts of Use Case: Technical view
Inputs: • Detailed System Architecture • Evidence • FHA • FMEA • FTA • Failure rate catalog • Functionalities • Malfunctions • No-Conformity metrics • Preliminary System Architecture • ReferenceModel • Safety Case • Safety Goals List • Safety Requirements
Outputs: • ProjectModel
Table 360 Artifacts of Use Case: Technical view
1.4.2 FEATURES OF GEMDE CERTIFICATION
There are no features modeled for GEMDE Certification.
1.4.3 POTENTIAL ERRORS IN GEMDE CERTIFICATION
The tool has 3 different potential errors in 3 occurrences in use cases. The error flow, as can be seen in Use Case Code generation, consists of all relations from errors to checks or restrictions. There are
• no relation from errors caused by other tools to checks or restrictions defined for use cases of this tool.
• 3 relations from errors caused by this tool to checks or restrictions defined for use cases of this tool.
• no relation from errors caused by this tool to checks or restrictions defined for use cases of other tools.
Fig 68 Error Flow to and from GEMDE Certification
GEMDE Certification has the following 3 relations, which are detected by checks or restrictions of this tool. The errors are described in detail in the TCL analysis of the corresponding use cases:
• AssesmentIncorrect (Use Case Contracts to assertions)
• ModelIncorrectness (Use Case Modelling)
• ProjectIncorrectness (Use Case Modelling Requirements)
1.4.4 RESTRICTIONS IN GEMDE CERTIFICATION
There are no restrictions in the tool GEMDE Certification.
1.4.5 CHECKS IN GEMDE CERTIFICATION
The following 3 checks are performed in the tool GEMDE Certification.
Check: QualityManagerChecks
Description: The Quality Manager checks the outputs before the final certification
From use case: GEMDE Certification,Assessment view
Occurrences: • in Assessment view
Error detection probability: TD 1 (HIGH)
Detected errors: • Assessment view,AssesmentIncorrect
Table 361 Check: QualityManagerChecks
Check: RegulationManagerChecks
Description: The Regulation Manager checks the model that produces the result
From use case: GEMDE Certification,Technical view
Occurrences: • in Technical view
Error detection probability: TD 1 (HIGH)
Detected errors: • Technical view,ProjectIncorrectness
Table 362 Check: RegulationManagerChecks
Check: TechnicalManagerChecks
Description: The Technical Manager checks each piece of evidence given as an input and the justification for the objectives
From use case: GEMDE Certification,Quality view
Occurrences: • in Quality view
Error detection probability: TD 1 (HIGH)
Detected errors: • Quality view,ModelIncorrectness
Table 363 Check: TechnicalManagerChecks
1.4.6 ASSUMPTIONS
The determination of the TCL of GEMDE Certification is not based on assumed checks and restrictions. None of the checks and restrictions are modeled as assumptions.
1.4.7 TCL DETERMINATION
This section determines a TCL for each use case by assigning checks or restrictions with detection/avoidance probability to each potential error. The TCL for the entire tool can be derived from the TCL for each use case. The tool GEMDE Certification has 3 use cases with TCL 1, no use case with TCL 2 and no use case with TCL 3. Therefore the tool GEMDE Certification has TCL 1. The use cases are described in the following sections:
• For "Assessment view" (TCL 1) see Section 0,
• for "Quality view" (TCL 1) see Section 0, and
• for "Technical view" (TCL 1) see Section 0.
1.4.7.1 TCL DETERMINATION FOR USE CASE: ASSESSMENT VIEW
The use case "Assessment view" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "Assessment view".
Error | TD | Table
AssesmentIncorrect | TD 1 (HIGH) | Use Case Contracts to assertions
Table 364 Errors of Use Case: Assessment view
Error: AssesmentIncorrect
Description: Evidence is lacking, or the justification is not correct
From use case: Assessment view
Discovered by the following checks: • Assessment view.QualityManagerChecks
Occurrences: • in Assessment view
Error View:
Table 365 Error: AssesmentIncorrect
1.4.7.2 TCL DETERMINATION FOR USE CASE: QUALITY VIEW
The use case "Quality view" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "Quality view".
Error | TD | Table
ModelIncorrectness | TD 1 (HIGH) | Use Case Modelling
Table 366 Errors of Use Case: Quality view
Error: ModelIncorrectness
Description: The model is not coherent with the standard
From use case: Quality view
Discovered by the following checks: • Quality view.TechnicalManagerChecks
Occurrences: • in Quality view
Error View:
Table 367 Error: ModelIncorrectness
1.4.7.3 TCL DETERMINATION FOR USE CASE: TECHNICAL VIEW
The use case "Technical view" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "Technical view".
Error | TD | Table
ProjectIncorrectness | TD 1 (HIGH) | Use Case Modelling Requirements
Table 368 Errors of Use Case: Technical view
Error: ProjectIncorrectness
Description: The evidence does not support the certification objectives
From use case: Technical view
Discovered by the following checks: • Technical view.RegulationManagerChecks
Occurrences: • in Technical view
Error View:
Table 369 Error: ProjectIncorrectness
1.5 MEDINI
This section explains the determination of the Tool Confidence Level (TCL) for the tool Medini.
Tool: Medini
Description: Tool Medini Analyzer
Comment: The results are always reviewed by human experts. The tool generates neither the tests that should be addressed during the project nor the software that should be tested.
Impact: TI 2 (Impact)
Tool Confidence Level: TCL 1
Table 370 Tool: Medini
The tool Medini is modeled with 65 elements which have impact, none of them are assumptions. No additional features have been modeled.
Elements | Amount (Assumptions)
Use Cases | 10 (0)
Checks | 20 (0)
Restrictions | 14 (0)
Potential Errors | 21 (0)
Table 371 Amount of Elements in Tool: Medini
1.5.1 USE CASES OF MEDINI
This section describes all analyzed use cases of Medini in separate subsections.
The following use cases of the tool Medini are considered:
1. Detailed architecture definition, see Section 0
2. FHA Generation, see Section 1.7.2.1
3. FMEA Generation, see Section 0
4. FTA Generation, see Section 0
5. Function allocation, see Section 0
6. Generation HW Coverage, see Section 1.7.7.2
7. HW/SW allocation, see Section 0
8. Item Definition, see Section 1.7.7.3
9. Safety goals definition, see Section 0
10. SW Architecture definition, see Section 0
1.5.1.1 USE CASE DETAILED ARCHITECTURE DEFINITION
This section describes the use case "Detailed architecture definition".
UseCase: Detailed architecture definition
Description: Detailed architecture definition
Table 372 UseCase: Detailed architecture definition
The use case requires no features and calls no other use cases. Use cases calling "Detailed architecture definition":
• GEMDE Certification,Technical view
The use case "Detailed architecture definition" reads and/or writes the following artifacts. The used artifacts are shown in Fig 17 and are summarized in the subsequent table.
Fig 69 Artifacts of Use Case: Detailed architecture definition
Artifacts of Use Case: Detailed architecture definition
Outputs: • Detailed System Architecture
Inputs & Outputs: • Detailed System Architecture
Table 373 Artifacts of Use Case: Detailed architecture definition
1.5.1.2 USE CASE FHA GENERATION
This section describes the use case "FHA Generation".
UseCase: FHA Generation
Description: FHA Generation
Table 374 UseCase: FHA Generation
The use case requires no features and calls no other use cases. Use cases calling "FHA Generation":
• GEMDE Certification,Technical view
The use case "FHA Generation" reads and/or writes the following artifacts. The used artifacts are shown in TCL Determination for Use Case: Code generation and are summarized in the subsequent table.
Fig 70 Artifacts of Use Case: FHA Generation
Artifacts of Use Case: FHA Generation
Outputs: • FHA
Inputs & Outputs: • FHA
Table 375 Artifacts of Use Case: FHA Generation
1.5.1.3 USE CASE FMEA GENERATION
This section describes the use case "FMEA Generation".
UseCase: FMEA Generation
Description: FMEA Generation
Table 376 UseCase: FMEA Generation
The use case requires no features and calls no other use cases. Use cases calling "FMEA Generation":
• GEMDE Certification,Technical view
In order to fulfill the requirements of the use case, usually a number of artifacts will be read and/or written. But in "FMEA Generation" the tool Medini uses no artifacts.
1.5.1.4 USE CASE FTA GENERATION
This section describes the use case "FTA Generation".
UseCase: FTA Generation
Description: FTA Generation
Table 377 UseCase: FTA Generation
The use case requires no features and calls no other use cases. Use cases calling "FTA Generation":
• GEMDE Certification,Technical view
In order to fulfill the requirements of the use case, usually a number of artifacts will be read and/or written. But in "FTA Generation" the tool Medini uses no artifacts.
1.5.1.5 USE CASE FUNCTION ALLOCATION
This section describes the use case "Function allocation".
UseCase: Function allocation
Description: Function allocation
Table 378 UseCase: Function allocation
The use case requires no features and calls no other use cases. Use cases calling "Function allocation":
• GEMDE Certification,Technical view
In order to fulfill the requirements of the use case, usually a number of artifacts will be read and/or written. But in "Function allocation" the tool Medini uses no artifacts.
1.5.1.6 USE CASE GENERATION HW COVERAGE
This section describes the use case "Generation HW Coverage".
UseCase: Generation HW Coverage
Description: Generation HW Coverage
Table 379 UseCase: Generation HW Coverage
The use case requires no features and calls no other use cases. Use cases calling "Generation HW Coverage":
• GEMDE Certification,Technical view
In order to fulfill the requirements of the use case, usually a number of artifacts will be read and/or written. But in "Generation HW Coverage" the tool Medini uses no artifacts.
1.5.1.7 USE CASE HW/SW ALLOCATION
This section describes the use case "HW/SW allocation".
UseCase: HW/SW allocation
Description: HW/SW allocation
Table 380 UseCase: HW/SW allocation
The use case requires no features and calls no other use cases. Use cases calling "HW/SW allocation":
• GEMDE Certification,Technical view
In order to fulfill the requirements of the use case, usually a number of artifacts will be read and/or written. But in "HW/SW allocation" the tool Medini uses no artifacts.
1.5.1.8 USE CASE ITEM DEFINITION
This section describes the use case "Item Definition".
UseCase: Item Definition
Description: Item Definition
Table 381 UseCase: Item Definition
The use case requires no features and calls no other use cases. Use cases calling "Item Definition":
• GEMDE Certification,Technical view
In order to fulfill the requirements of the use case, usually a number of artifacts will be read and/or written. But in "Item Definition" the tool Medini uses no artifacts.
1.5.1.9 USE CASE SAFETY GOALS DEFINITION
This section describes the use case "Safety goals definition".
UseCase: Safety goals definition
Description: Safety goals definition
Table 382 UseCase: Safety goals definition
The use case requires no features and calls no other use cases. Use cases calling "Safety goals definition":
• GEMDE Certification,Technical view
In order to fulfill the requirements of the use case, usually a number of artifacts will be read and/or written. But in "Safety goals definition" the tool Medini uses no artifacts.
1.5.1.10 USE CASE SW ARCHITECTURE DEFINITION
This section describes the use case "SW Architecture definition".
UseCase: SW Architecture definition
Description: SW Architecture definition
Table 383 UseCase: SW Architecture definition
The use case requires no features and calls one other use case. Table 133 shows the dependencies between the use cases and features.
Fig 71 Dependency View of Use Case: SW Architecture definition
"SW Architecture definition" calls the following use cases:
• Simulink,Modelling Requirements
Use cases calling "SW Architecture definition":
• GEMDE Certification,Technical view
In order to fulfill the requirements of the use case, usually a number of artifacts will be read and/or written. But in "SW Architecture definition" the tool Medini uses no artifacts.
1.5.2 FEATURES OF MEDINI
There are no features modeled for Medini.
1.5.3 POTENTIAL ERRORS IN MEDINI
The tool has 21 different potential errors in 21 occurrences in use cases. The error flow, as can be seen in Table 134, consists of all relations from errors to checks or restrictions. There are
• no relation from errors caused by other tools to checks or restrictions defined for use cases of this tool.
• 34 relations from errors caused by this tool to checks or restrictions defined for use cases of this tool.
• no relation from errors caused by this tool to checks or restrictions defined for use cases of other tools.
Fig 72 Error Flow to and from Medini
Medini has the following 34 relations, which are detected by checks or restrictions of this tool. The errors are described in detail in the TCL analysis of the corresponding use cases:
• 001-xxx is not traced with a simulink port (Table 136)
• 002-xxx is safety related and has no safety goal assigned (Feature EMF)
• 003-xxx has no functional safety requirement specified (Fig 31)
• 004-Safety goal has no FTA traced (Use Case Generate Tool Classification Report)
• 005-xxx (safety req) has no unique identifier (Feature Excel Interface)
• 006-Safety goal is not associated to a hazardous event (TCL Determination for Use Case: Assurance Case edition)
• 007-Architecture element has no name set (TCL Determination for Use Case: Modelling Requirements)
• 008-Port xxx is not connected (Use Case Assurance Case edition)
• 009-req is not correctly decomposed (Feature Compute Tool Confidence Level)
• 010-xxx has no justification given for the estimated ranking of exposure for the ISO ASIL (Table 143)
• 011-xxx has failure mode with category 'no part' and failure modes with other categories. (Use Case Create Model)
• 012-xxx ASIL does not match to ASIL of associated goal (Table 144)
• 013-Hazard has no item traced (Use Case Cost Calculation)
• 014-xxx has an invalid ASIL. ASIL has to be the same or higher than of goals it contributes to (Fig 29)
• 015-FTA model has a loop due to transfer gates (Fig 25)
• 016-The decomposing requirement xxx is allocated to the same architecture or software element as its neighbor (Use Case Review Model)
• 017-Name of xxx is different from corresponding system architecture element(s): yyy (Fig 21)
• 018-xxx has no corresponding architecture element in any of the architecture model(s): yyy (Fig 22)
• 019-xxx has no corresponding architecture element in the derived worksheet(s): yyy (Use Case Determinate Tool Confidence Level)
• 020-"xxx does not have the same failure modes than corresponding architecture element(s): yyy" (Fig 23)
• 021-Assessment or validation of the Qualification Project against the Qualification Reference (Fig 18)
1.5.4 RESTRICTIONS IN MEDINI
The tool Medini must only be used with the following restrictions.
Restriction: 001-All systems architecture port traced with simulink
Description: 001-All systems architecture port traced with simulink
From use case: Medini,Detailed architecture definition
Error avoidance probability: TD 1 (HIGH)
Occurrences: • in Detailed architecture definition
Avoided errors: • Detailed architecture definition,001-xxx is not traced with a simulink port
Table 384 Restriction: 001-All systems architecture port traced with simulink
Restriction: 002-All hazard event assigned to a safety goal
Description: 002-All hazard event assigned to a safety goal
From use case: Medini,Safety goals definition
Error avoidance probability: TD 1 (HIGH)
Occurrences: • in Safety goals definition
Avoided errors: • Safety goals definition,002-xxx is safety related and has no safety goal assigned
Table 385 Restriction: 002- All hazard event assigned to a safety goal
Restriction: 003-For all safety goal exist one safety requirement
Description: 003-For all safety goal exist one safety requirement
From use case: Medini,Safety goals definition
Error avoidance probability: TD 1 (HIGH)
Occurrences: • in Safety goals definition
Avoided errors: • Safety goals definition,003-xxx has no functional safety requirement specified
Table 386 Restriction: 003-For all safety goal exist one safety requirement
Restriction: 004-All safety goal traced with FTA
Description: 004-All safety goal traced with FTA
From use case: Medini,FTA Generation
Error avoidance probability: TD 1 (HIGH)
Occurrences: • in FTA Generation
Avoided errors: • FTA Generation,004-Safety goal has no FTA traced
Table 387 Restriction: 004-All safety goal traced with FTA
Restriction: 005-Exist a unique safety requirement identifier
Description: 005-Exist a unique safety requirement identifier
From use case: Medini,Safety goals definition
Error avoidance probability: TD 1 (HIGH)
Occurrences: • in Safety goals definition
Avoided errors: • Safety goals definition,005-xxx (safety req) has no unique identifier
Table 388 Restriction: 005-Exist a unique safety requirement identifier
Restriction: 006-All safety goal associated to a hazardous event
Description: 006-All safety goal associated to a hazardous event
From use case: Medini,FHA Generation
Error avoidance probability: TD 1 (HIGH)
Occurrences: • in FHA Generation
Avoided errors: • FHA Generation,006-Safety goal is not associated to a hazardous event
Table 389 Restriction: 006-All safety goal associated to a hazardous event
Restriction: 007-Each system architecture element is named
Description: 007-Each system architecture element is named
From use case: Medini,Detailed architecture definition
Error avoidance probability: TD 1 (HIGH)
Occurrences: • in Detailed architecture definition
Avoided errors: • Detailed architecture definition,007-Architecture element has no name set
Table 390 Restriction: 007-Each system architecture element is named
Restriction: 008-All ports are connected
Description: 008-All ports are connected
From use case: Medini,Detailed architecture definition
Error avoidance probability: TD 1 (HIGH)
Occurrences: • in Detailed architecture definition
Avoided errors: • Detailed architecture definition,008-Port xxx is not connected
Table 391 Restriction: 008-All ports are connected
Restriction: 009-Validation of decomposition
Description: 009-Validation of decomposition
From use case: Medini,HW/SW allocation
Error avoidance probability: TD 1 (HIGH)
Occurrences: • in HW/SW allocation
Avoided errors: • HW/SW allocation,009-req is not correctly decomposed
Table 392 Restriction: 009-Validation of decomposition
Restriction: 012-Hazard and goal ASIL must be the same
Description: 012-Hazard and goal ASIL must be the same
From use case: Medini,FHA Generation
Error avoidance probability: TD 1 (HIGH)
Occurrences: • in FHA Generation
Avoided errors: • FHA Generation,012-xxx ASIL does not match to ASIL of associated goal
Table 393 Restriction: 012-Hazard and goal ASIL must be the same
Restriction: 013-All hazard model traced to an item
Description: 013-All hazard model traced to an item
From use case: Medini,FHA Generation
Error avoidance probability: TD 1 (HIGH)
Occurrences: • in FHA Generation
Avoided errors: • FHA Generation,013-Hazard has no item traced
Table 394 Restriction: 013-All hazard model traced to an item
Restriction: 014-All safety requirements SIL >= safety goal SIL
Description: 014-All safety requirements SIL >= safety goal SIL
From use case: Medini,HW/SW allocation
Error avoidance probability: TD 1 (HIGH)
Occurrences: • in HW/SW allocation
Avoided errors: • HW/SW allocation,014-xxx has an invalid ASIL. ASIL has to be the same or higher than of goals it contributes to
Table 395 Restriction: 014-All safety requirements SIL >= safety goal SIL
Restriction: 015-FTA does not contain loops
Description: 015-FTA does not contain loops
From use case: Medini,FTA Generation
Error avoidance probability: TD 1 (HIGH)
Occurrences: • in FTA Generation
Avoided errors: • FTA Generation,015-FTA model has a loop due to transfer gates
Table 396 Restriction: 015-FTA does not contain loops
Restriction: 021-Failure modes names must be consistent for each diagram/table
Description: 021-Failure modes names must be consistent for each diagram/table
From use case: Medini,Detailed architecture definition
Error avoidance probability: TD 1 (HIGH)
Occurrences: • in Detailed architecture definition
Avoided errors: • Detailed architecture definition,021-Assessment or validation of the Qualification Project against the Qualification Reference
Table 397 Restriction: 021-Failure modes names must be consistent for each diagram/table
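Several of the restrictions above (002, 003, 005, 012, 014 and 015) are structural consistency rules over the safety model, and their companion checks are what lets Medini claim TD 1 for the matching errors. The Python below is an added example written for this edit, not Medini's code and not part of the report; it implements those six rules over a small hazard/goal/requirement/FTA model whose data classes, ASIL ordering and sample contents are constructed for the example, and emits findings worded like the report's error list.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# ASIL ordering used by restrictions 012 and 014 (QM = no ASIL assigned).
ASIL_RANK = {"QM": 0, "A": 1, "B": 2, "C": 3, "D": 4}

@dataclass
class Hazard:
    id: str
    safety_related: bool
    asil: str
    goal_id: Optional[str] = None    # safety goal derived from this hazardous event

@dataclass
class SafetyGoal:
    id: str
    asil: str

@dataclass
class SafetyReq:
    id: str
    asil: str
    goal_id: str                     # the safety goal this requirement contributes to

@dataclass
class SafetyModel:
    hazards: List[Hazard] = field(default_factory=list)
    goals: List[SafetyGoal] = field(default_factory=list)
    reqs: List[SafetyReq] = field(default_factory=list)
    fta_transfers: Dict[str, List[str]] = field(default_factory=dict)  # gate -> transfer targets

def check_002(m: SafetyModel) -> List[str]:
    """Restriction 002: every safety-related hazardous event has a safety goal."""
    return [f"002-{h.id} is safety related and has no safety goal assigned"
            for h in m.hazards if h.safety_related and h.goal_id is None]

def check_003(m: SafetyModel) -> List[str]:
    """Restriction 003: every safety goal has at least one functional safety requirement."""
    covered = {r.goal_id for r in m.reqs}
    return [f"003-{g.id} has no functional safety requirement specified"
            for g in m.goals if g.id not in covered]

def check_005(m: SafetyModel) -> List[str]:
    """Restriction 005: safety requirement identifiers are unique."""
    seen, findings = set(), []
    for r in m.reqs:
        if r.id in seen:
            findings.append(f"005-{r.id} (safety req) has no unique identifier")
        seen.add(r.id)
    return findings

def check_012(m: SafetyModel) -> List[str]:
    """Restriction 012: a hazard and its associated safety goal carry the same ASIL."""
    goals = {g.id: g for g in m.goals}
    return [f"012-{h.id} ASIL does not match to ASIL of associated goal"
            for h in m.hazards if h.goal_id in goals and h.asil != goals[h.goal_id].asil]

def check_014(m: SafetyModel) -> List[str]:
    """Restriction 014: a requirement's ASIL is the same as or higher than its goal's."""
    goals = {g.id: g for g in m.goals}
    return [f"014-{r.id} has an invalid ASIL. ASIL has to be the same or higher than of goals it contributes to"
            for r in m.reqs
            if r.goal_id in goals and ASIL_RANK[r.asil] < ASIL_RANK[goals[r.goal_id].asil]]

def check_015(m: SafetyModel) -> List[str]:
    """Restriction 015: depth-first search for a cycle in the transfer-gate graph."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour: Dict[str, int] = {}
    for src, dsts in m.fta_transfers.items():
        colour.setdefault(src, WHITE)
        for d in dsts:
            colour.setdefault(d, WHITE)

    def visit(node: str) -> bool:
        colour[node] = GREY                       # on the current DFS path
        for nxt in m.fta_transfers.get(node, []):
            if colour[nxt] == GREY:               # back edge: a loop through transfer gates
                return True
            if colour[nxt] == WHITE and visit(nxt):
                return True
        colour[node] = BLACK
        return False

    if any(colour[n] == WHITE and visit(n) for n in list(colour)):
        return ["015-FTA model has a loop due to transfer gates"]
    return []

ALL_CHECKS = (check_002, check_003, check_005, check_012, check_014, check_015)

def run_checks(m: SafetyModel) -> List[str]:
    """Run every restriction check and collect the violation messages."""
    return [finding for chk in ALL_CHECKS for finding in chk(m)]

# Constructed model (not from the report) that violates each restriction exactly once.
EXAMPLE = SafetyModel(
    hazards=[Hazard("H1", True, "C", "SG1"),    # 012: ASIL C, but goal SG1 is ASIL D
             Hazard("H2", True, "B"),           # 002: safety related, no goal assigned
             Hazard("H3", False, "QM")],        # not safety related: nothing to check
    goals=[SafetyGoal("SG1", "D"), SafetyGoal("SG2", "A")],  # SG2 has no requirement: 003
    reqs=[SafetyReq("FSR-1", "B", "SG1"),       # 014: ASIL B below the goal's ASIL D
          SafetyReq("FSR-1", "D", "SG1")],      # 005: identifier reused
    fta_transfers={"TOP": ["G1"], "G1": ["G2"], "G2": ["G1"]},  # 015: G1 -> G2 -> G1
)

if __name__ == "__main__":
    for line in run_checks(EXAMPLE):
        print(line)
```

Each check returns the list of findings rather than a boolean, so a report generator can attach them to the use case the restriction belongs to; an empty list from every check is the condition under which the "Error avoidance probability: TD 1 (HIGH)" entries above are justified.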
1.5.5 CHECKS IN MEDINI
The following 20 checks are performed in the tool Medini.
Check: 001-Trace architecture port- Simulink
Description: Checks if each system architecture port is traced with a Simulink port
From use case: Medini,Detailed architecture definition
Occurrences: • in Detailed architecture definition
Error detection probability: TD 1 (HIGH)
Detected errors: • Detailed architecture definition,001-xxx is not traced with a simulink port
Table 398 Check: 001-Trace architecture port- Simulink
Check: 002-Link hazard- safety goal
Description: Checks if each safety related hazardous event has a safety goal assigned
From use case: Medini, Safety goals definition
Occurrences:
• in Safety goals definition
Error detection probability: TD 1 (HIGH)
Detected errors:
• Safety goals definition, 002-xxx is safety related and has no safety goal assigned
Table 399 Check: 002-Link hazard- safety goal
Check: 003-Checks if for each safety goal at least one functional safety requirement is specified
Description: 003-Checks if for each safety goal at least one functional safety requirement is specified
From use case: Medini, Safety goals definition
Occurrences:
• in Safety goals definition
Error detection probability: TD 1 (HIGH)
Detected errors:
• Safety goals definition, 003-xxx has no functional safety requirement specified
Table 400 Check: 003-Checks if for each safety goal at least one functional safety requirement is specified
Check: 004-Checks if each safety goal has a FTA traced
Description: 004-Checks if each safety goal has a FTA traced
From use case: Medini, FTA Generation
Occurrences:
• in FTA Generation
Error detection probability: TD 1 (HIGH)
Detected errors:
• FTA Generation, 004-Safety goal has no FTA traced
Table 401 Check: 004-Checks if each safety goal has a FTA traced
Check: 005-Checks if every safety requirement has a unique identifier
Description: 005-Checks if every safety requirement has a unique identifier
From use case: Medini, Safety goals definition
Occurrences:
• in Safety goals definition
Error detection probability: TD 1 (HIGH)
Detected errors:
• Safety goals definition, 005-xxx (safety req) has no unique identifier
Table 402 Check: 005-Checks if every safety requirement has a unique identifier
Check: 006-Checks if each safety goal is associated to a hazardous event
Description: 006-Checks if each safety goal is associated to a hazardous event
From use case: Medini, FHA Generation
Occurrences:
• in FHA Generation
Error detection probability: TD 1 (HIGH)
Detected errors:
• FHA Generation, 006-Safety goal is not associated to a hazardous event
Table 403 Check: 006-Checks if each safety goal is associated to a hazardous event
Check: 007-Checks if each system architecture element has a name set (except for connectors)
Description: 007-Checks if each system architecture element has a name set (except for connectors)
From use case: Medini, Detailed architecture definition
Occurrences:
• in Detailed architecture definition
Error detection probability: TD 1 (HIGH)
Detected errors:
• Detailed architecture definition, 007-Architecture element has no name set
Table 404 Check: 007-Checks if each system architecture element has a name set (except for connectors)
Check: 008-Checks if each system architecture port is connected
Description: 008-Checks if each system architecture port is connected
From use case: Medini, Detailed architecture definition
Occurrences:
• in Detailed architecture definition
Error detection probability: TD 1 (HIGH)
Detected errors:
• Detailed architecture definition, 008-Port xxx is not connected
Table 405 Check: 008-Checks if each system architecture port is connected
Check: 009-Checks if a valid decomposition has been applied
Description: 009-Checks if a valid decomposition has been applied
From use case: Medini, HW/SW allocation
Occurrences:
• in HW/SW allocation
Error detection probability: TD 1 (HIGH)
Detected errors:
• HW/SW allocation, 009-req is not correctly decomposed
Table 406 Check: 009-Checks if a valid decomposition has been applied
Check: 010-Checks that each ranking of exposure from E0 to E2 has a justification given for the estimation
Description: 010-Checks that each ranking of exposure from E0 to E2 has a justification given for the estimation
From use case: Medini, FHA Generation
Occurrences:
• in FHA Generation
Error detection probability: TD 1 (HIGH)
Detected errors:
• FHA Generation, 010-xxx has no justification given for the estimated ranking of exposure for the ISO ASIL
Table 407 Check: 010-Checks that each ranking of exposure from E0 to E2 has a justification given for the estimation
Check: 011-Checks that either all failure modes of a FMEA component xxx have category 'no part' or none
Description: 011-Checks that either all failure modes of a FMEA component xxx have category 'no part' or none
From use case: Medini, FMEA Generation
Occurrences:
• in FMEA Generation
Error detection probability: TD 1 (HIGH)
Detected errors:
• FMEA Generation, 011-xxx has failure mode with category 'no part' and failure modes with other categories.
Table 408 Check: 011-Checks that either all failure modes of a FMEA component xxx have category 'no part' or none
Check: 012-Checks that the ASIL of a hazard matches the ASIL of an associated goal
Description: 012-Checks that the ASIL of a hazard matches the ASIL of an associated goal
From use case: Medini, FHA Generation
Occurrences:
• in FHA Generation
Error detection probability: TD 1 (HIGH)
Detected errors:
• FHA Generation, 012-xxx ASIL does not match to ASIL of associated goal
Table 409 Check: 012-Checks that the ASIL of a hazard matches the ASIL of an associated goal
Check: 013-Checks that each Hazard model is traced to an item
Description: 013-Checks that each Hazard model is traced to an item
From use case: Medini, FHA Generation
Occurrences:
• in FHA Generation
Error detection probability: TD 1 (HIGH)
Detected errors:
• FHA Generation, 013-Hazard has no item traced
Table 410 Check: 013-Checks that each Hazard model is traced to an item
Check: 014-Checks if safety requirements have the same or higher ASIL than of goals they contribute to
Description: 014-Checks if safety requirements have the same or higher ASIL than of goals they contribute to
From use case: Medini, HW/SW allocation
Occurrences:
• in HW/SW allocation
Error detection probability: TD 1 (HIGH)
Detected errors:
• HW/SW allocation, 014-xxx has an invalid ASIL. ASIL has to be the same or higher than of goals it contributes to
Table 411 Check: 014-Checks if safety requirements have the same or higher ASIL than of goals they contribute to
Check: 016-Checks that no decomposing requirement is allocated to the same architecture or software element as its neighbour
Description: 016-Checks that no decomposing requirement is allocated to the same architecture or software element as its neighbour
From use case: Medini, Function allocation
Occurrences:
• in Function allocation
Error detection probability: TD 1 (HIGH)
Detected errors:
• Function allocation, 016-The decomposing requirement xxx is allocated to the same architecture or software element as its neighbor
Table 412 Check: 016-Checks that no decomposing requirement is allocated to the same architecture or software element as its neighbour
Check: 017-Checks for name differences between FMEA components and corresponding system architecture elements
Description: 017-Checks for name differences between FMEA components and corresponding system architecture elements
From use case: Medini, FMEA Generation
Occurrences:
• in FMEA Generation
Error detection probability: TD 1 (HIGH)
Detected errors:
• FMEA Generation, 017-Name of xxx is different from corresponding system architecture element(s): yyy
Table 413 Check: 017-Checks for name differences between FMEA components and corresponding system architecture elements
Check: 018-Checks that all FMEA components have pendants in at least one system architecture the worksheet is derived of
Description: 018-Checks that all FMEA components have pendants in at least one system architecture the worksheet is derived of
From use case: Medini, FMEA Generation
Occurrences:
• in FMEA Generation
Error detection probability: TD 1 (HIGH)
Detected errors:
• FMEA Generation, 018-xxx has no corresponding architecture element in any of the architecture model(s): yyy
Table 414 Check: 018-Checks that all FMEA components have pendants in at least one system architecture the worksheet is derived of
Check: 019-Checks that all system architecture parts have pendants in the derived FMEA worksheets
Description: 019-Checks that all system architecture parts have pendants in the derived FMEA worksheets
From use case: Medini, FMEA Generation
Occurrences:
• in FMEA Generation
Error detection probability: TD 1 (HIGH)
Detected errors:
• FMEA Generation, 019-xxx has no corresponding architecture element in the derived worksheet(s): yyy
Table 415 Check: 019-Checks that all system architecture parts have pendants in the derived FMEA worksheets
Check: 020-Checks for consistency between failure modes of FMEA components and related system architecture elements
Description: 020-Checks for consistency between failure modes of FMEA components and related system architecture elements
From use case: Medini, FMEA Generation
Occurrences:
• in FMEA Generation
Error detection probability: TD 1 (HIGH)
Detected errors:
• FMEA Generation, 020-"xxx does not have the same failure modes as corresponding architecture element(s): yyy"
Table 416 Check: 020-Checks for consistency between failure modes of FMEA components and related system architecture elements
Check: 021-Checks for name consistency between failure modes
Description: 021-Checks for name consistency between failure modes
From use case: Medini, Detailed architecture definition
Occurrences:
• in Detailed architecture definition
Error detection probability: TD 1 (HIGH)
Detected errors:
• Detailed architecture definition, 021-Assessment or validation of the Qualification Project against the Qualification Reference
Table 417 Check: 021-Checks for name consistency between failure modes
1.5.6 ASSUMPTIONS
The determination of the TCL of Medini is not based on assumed checks and restrictions. None of the checks and restrictions are modeled as assumptions.
1.5.7 TCL DETERMINATION
This section determines a TCL for each use case by assigning checks or restrictions with detection/avoidance probability to each potential error. The TCL for the entire tool can be derived from the TCL for each use case. The tool Medini has 10 use cases with TCL 1, no use case with TCL 2 and no use case with TCL 3. Therefore the tool Medini has TCL 1. The use cases are described in the following sections:
• For "Detailed architecture definition" (TCL 1) see Section 0,
• for "FHA Generation" (TCL 1) see Section 0,
• for "FMEA Generation" (TCL 1) see Section 0,
• for "FTA Generation" (TCL 1) see Section 0,
• for "Function allocation" (TCL 1) see Section 0,
• for "Generation HW Coverage" (TCL 1) see Section 0,
• for "HW/SW allocation" (TCL 1) see Section 0,
• for "Item Definition" (TCL 1) see Section 1.9.2.2,
• for "Safety goals definition" (TCL 1) see Section 0, and
• for "SW Architecture definition" (TCL 1) see Section 0.
1.5.7.1 TCL DETERMINATION FOR USE CASE: DETAILED ARCHITECTURE DEFINITION
The use case "Detailed architecture definition" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "Detailed architecture definition".
Error | TD | Table
001-xxx is not traced with a simulink port | TD 1 (HIGH) | Table 136
007-Architecture element has no name set | TD 1 (HIGH) | TCL Determination for Use Case: Modelling Requirements
008-Port xxx is not connected | TD 1 (HIGH) | Use Case Assurance Case edition
021-Assessment or validation of the Qualification Project against the Qualification Reference | TD 1 (HIGH) | Fig 18
Table 418 Errors of Use Case: Detailed architecture definition
Error: 001-xxx is not traced with a simulink port
Description: 001-xxx is not traced with a simulink port
From use case: Detailed architecture definition
Discovered by the following checks:
• Detailed architecture definition.001-Trace architecture port- Simulink
Occurrences:
• in Detailed architecture definition
Avoided by the following restrictions:
• Detailed architecture definition.001-All systems architecture port traced with simulink
Error View:
Table 419 Error: 001-xxx is not traced with a simulink port
Error: 007-Architecture element has no name set
Description: Name 007-Architecture element has no name set
From use case: Detailed architecture definition
Discovered by the following checks:
• Detailed architecture definition.007-Checks if each system architecture element has a name set (except for connectors)
Occurrences:
• in Detailed architecture definition
Avoided by the following restrictions:
• Detailed architecture definition.007-Each system architecture element is named
Error View:
Table 420 Error: 007-Architecture element has no name set
Error: 008-Port xxx is not connected
Description: 008-Port xxx is not connected
From use case: Detailed architecture definition
Discovered by the following checks:
• Detailed architecture definition.008-Checks if each system architecture port is connected
Occurrences:
• in Detailed architecture definition
Avoided by the following restrictions:
• Detailed architecture definition.008-All ports are connected
Error View:
Table 421 Error: 008-Port xxx is not connected
Error: 021-Assessment or validation of the Qualification Project against the Qualification Reference
Description: 021-Assessment or validation of the Qualification Project against the Qualification Reference
From use case: Detailed architecture definition
Discovered by the following checks:
• Detailed architecture definition.021-Checks for name consistency between failure modes
Occurrences:
• in Detailed architecture definition
Avoided by the following restrictions:
• Detailed architecture definition.021-Failure modes names must be consistent for each diagram/table
Error View:
Table 422 Error: 021-Assessment or validation of the Qualification Project against the Qualification Reference
1.5.7.2 TCL DETERMINATION FOR USE CASE: FHA GENERATION
The use case "FHA Generation" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "FHA Generation".
Error | TD | Table
006-Safety goal is not associated to a hazardous event | TD 1 (HIGH) | TCL Determination for Use Case: Assurance Case edition
010-xxx has no justification given for the estimated ranking of exposure for the ISO ASIL | TD 1 (HIGH) | Table 143
012-xxx ASIL does not match to ASIL of associated goal | TD 1 (HIGH) | Table 144
013-Hazard has no item traced | TD 1 (HIGH) | Use Case Cost Calculation
Table 423 Errors of Use Case: FHA Generation
Error: 006-Safety goal is not associated to a hazardous event
Description: 006-Safety goal is not associated to a hazardous event
From use case: FHA Generation
Discovered by the following checks:
• FHA Generation.006-Checks if each safety goal is associated to a hazardous event
Occurrences:
• in FHA Generation
Avoided by the following restrictions:
• FHA Generation.006-All safety goal associated to a hazardous event
Error View:
Table 424 Error: 006-Safety goal is not associated to a hazardous event
Error: 010-xxx has no justification given for the estimated ranking of exposure for the ISO ASIL
Description: 010-xxx has no justification given for the estimated ranking of exposure for the ISO ASIL
From use case: FHA Generation
Discovered by the following checks:
• FHA Generation.010-Checks that each ranking of exposure from E0 to E2 has a justification given for the estimation
Occurrences:
• in FHA Generation
Error View:
Table 425 Error: 010-xxx has no justification given for the estimated ranking of exposure for the ISO ASIL
Error: 012-xxx ASIL does not match to ASIL of associated goal
Description: 012-xxx ASIL does not match to ASIL of associated goal
From use case: FHA Generation
Discovered by the following checks:
• FHA Generation.012-Checks that the ASIL of a hazard matches the ASIL of an associated goal
Occurrences:
• in FHA Generation
Avoided by the following restrictions:
• FHA Generation.012-Hazard and goal ASIL must be the same
Error View:
Table 426 Error: 012-xxx ASIL does not match to ASIL of associated goal
Error: 013-Hazard has no item traced
Description: 013-Hazard has no item traced
From use case: FHA Generation
Discovered by the following checks:
• FHA Generation.013-Checks that each Hazard model is traced to an item
Occurrences:
• in FHA Generation
Avoided by the following restrictions:
• FHA Generation.013-All hazard model traced to an item
Error View:
Table 427 Error: 013-Hazard has no item traced
1.5.7.3 TCL DETERMINATION FOR USE CASE: FMEA GENERATION
The use case "FMEA Generation" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "FMEA Generation".
Error | TD | Table
011-xxx has failure mode with category 'no part' and failure modes with other categories. | TD 1 (HIGH) | Use Case Create Model
017-Name of xxx is different from corresponding system architecture element(s): yyy | TD 1 (HIGH) | Fig 21
018-xxx has no corresponding architecture element in any of the architecture model(s): yyy | TD 1 (HIGH) | Fig 22
019-xxx has no corresponding architecture element in the derived worksheet(s): yyy | TD 1 (HIGH) | Use Case Determinate Tool Confidence Level
020-"xxx does not have the same failure modes as corresponding architecture element(s): yyy" | TD 1 (HIGH) | Fig 23
Table 428 Errors of Use Case: FMEA Generation
Error: 011-xxx has failure mode with category 'no part' and failure modes with other categories.
Description: 001-xxx has failure mode with category 'no part' and failure modes with other categories.
From use case: FMEA Generation
Discovered by the following checks:
• FMEA Generation.011-Checks that either all failure modes of a FMEA component xxx have category 'no part' or none
Occurrences:
• in FMEA Generation
Error View:
Table 429 Error: 011-xxx has failure mode with category 'no part' and failure modes with other categories.
Error: 017-Name of xxx is different from corresponding system architecture element(s): yyy
Description: 017-Name of xxx is different from corresponding system architecture element(s): yyy
From use case: FMEA Generation
Discovered by the following checks:
• FMEA Generation.017-Checks for name differences between FMEA components and corresponding system architecture elements
Occurrences:
• in FMEA Generation
Error View:
Table 430 Error: 017-Name of xxx is different from corresponding system architecture element(s): yyy
Error: 018-xxx has no corresponding architecture element in any of the architecture model(s): yyy
Description: 018-xxx has no corresponding architecture element in any of the architecture model(s): yyy
From use case: FMEA Generation
Discovered by the following checks:
• FMEA Generation.018-Checks that all FMEA components have pendants in at least one system architecture the worksheet is derived of
Occurrences:
• in FMEA Generation
Error View:
Table 431 Error: 018-xxx has no corresponding architecture element in any of the architecture model(s): yyy
Error: 019-xxx has no corresponding architecture element in the derived worksheet(s): yyy
Description: 019-xxx has no corresponding architecture element in the derived worksheet(s): yyy
From use case: FMEA Generation
Discovered by the following checks:
• FMEA Generation.019-Checks that all system architecture parts have pendants in the derived FMEA worksheets
Occurrences:
• in FMEA Generation
Error View:
Table 432 Error: 019-xxx has no corresponding architecture element in the derived worksheet(s): yyy
Error: 020-"xxx does not have the same failure modes as corresponding architecture element(s): yyy"
Description: 020-"xxx does not have the same failure modes as corresponding architecture element(s): yyy"
From use case: FMEA Generation
Discovered by the following checks:
• FMEA Generation.020-Checks for consistency between failure modes of FMEA components and related system architecture elements
Occurrences:
• in FMEA Generation
Error View:
Table 433 Error: 020-"xxx does not have the same failure modes as corresponding architecture element(s): yyy"
1.5.7.4 TCL DETERMINATION FOR USE CASE: FTA GENERATION
The use case "FTA Generation" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "FTA Generation".
Error | TD | Table
004-Safety goal has no FTA traced | TD 1 (HIGH) | Use Case Generate Tool Classification Report
015-FTA model has a loop due to transfer gates | TD 1 (HIGH) | Fig 25
Table 434 Errors of Use Case: FTA Generation
Error: 004-Safety goal has no FTA traced
Description: 004-Safety goal has no FTA traced
From use case: FTA Generation
Discovered by the following checks:
• FTA Generation.004-Checks if each safety goal has a FTA traced
Occurrences:
• in FTA Generation
Avoided by the following restrictions:
• FTA Generation.004-All safety goal traced with FTA
Error View:
Table 435 Error: 004-Safety goal has no FTA traced
Error: 015-FTA model has a loop due to transfer gates
Description: 015-FTA model has a loop due to transfer gates
From use case: FTA Generation
Occurrences:
• in FTA Generation
Avoided by the following restrictions:
• FTA Generation.015-FTA does not contain loops
Error View:
Table 436 Error: 015-FTA model has a loop due to transfer gates
1.5.7.5 TCL DETERMINATION FOR USE CASE: FUNCTION ALLOCATION
The use case "Function allocation" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "Function allocation".
Error | TD | Table
016-The decomposing requirement xxx is allocated to the same architecture or software element as its neighbor | TD 1 (HIGH) | Use Case Review Model
Table 437 Errors of Use Case: Function allocation
Error: 016-The decomposing requirement xxx is allocated to the same architecture or software element as its neighbor
Description: 016-The decomposing requirement xxx is allocated to the same architecture or software element as its neighbor
From use case: Function allocation
Discovered by the following checks:
• Function allocation.016-Checks that no decomposing requirement is allocated to the same architecture or software element as its neighbour
Occurrences:
• in Function allocation
Error View:
Table 438 Error: 016-The decomposing requirement xxx is allocated to the same architecture or software element as its neighbor
1.5.7.6 TCL DETERMINATION FOR USE CASE: GENERATION HW COVERAGE
The use case "Generation HW Coverage" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. This use case has no errors.
1.5.7.7 TCL DETERMINATION FOR USE CASE: HW/SW ALLOCATION
The use case "HW/SW allocation" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "HW/SW allocation".
Error | TD | Table
009-req is not correctly decomposed | TD 1 (HIGH) | Feature Compute Tool Confidence Level
014-xxx has an invalid ASIL. ASIL has to be the same or higher than of goals it contributes to | TD 1 (HIGH) | Fig 29
Table 439 Errors of Use Case: HW/SW allocation
Error: 009-req is not correctly decomposed
Description: 009-Safety requirement is not correctly decomposed
From use case: HW/SW allocation
Discovered by the following checks:
• HW/SW allocation.009-Checks if a valid decomposition has been applied
Occurrences:
• in HW/SW allocation
Avoided by the following restrictions:
• HW/SW allocation.009-Validation of decomposition
Error View:
Table 440 Error: 009-req is not correctly decomposed
Error: 014-xxx has an invalid ASIL. ASIL has to be the same or higher than of goals it contributes to
Description: 014-xxx has an invalid ASIL. ASIL has to be the same or higher than of goals it contributes to
From use case: HW/SW allocation
Discovered by the following checks:
• HW/SW allocation.014-Checks if safety requirements have the same or higher ASIL than of goals they contribute to
Occurrences:
• in HW/SW allocation
Avoided by the following restrictions:
• HW/SW allocation.014-All safety requirements SIL >= safety goal SIL
Error View:
Table 441 Error: 014-xxx has an invalid ASIL. ASIL has to be the same or higher than of goals it contributes to
1.5.7.8 TCL DETERMINATION FOR USE CASE: ITEM DEFINITION
The use case "Item Definition" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. This use case has no errors.
1.5.7.9 TCL DETERMINATION FOR USE CASE: SAFETY GOALS DEFINITION
The use case "Safety goals definition" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "Safety goals definition".
Error | TD | Table
002-xxx is safety related and has no safety goal assigned | TD 1 (HIGH) | Feature EMF
003-xxx has no functional safety requirement specified | TD 1 (HIGH) | Fig 31
005-xxx (safety req) has no unique identifier | TD 1 (HIGH) | Feature Excel Interface
Table 442 Errors of Use Case: Safety goals definition
Error: 002-xxx is safety related and has no safety goal assigned
Description: xxx is safety related and has no safety goal assigned
From use case: Safety goals definition
Discovered by the following checks:
• Safety goals definition.002-Link hazard- safety goal
Occurrences:
• in Safety goals definition
Avoided by the following restrictions:
• Safety goals definition.002-All hazard event assigned to a safety goal
Error View:
Table 443 Error: 002-xxx is safety related and has no safety goal assigned
Error: 003-xxx has no functional safety requirement specified
Description: 003-xxx has no functional safety requirement specified
From use case: Safety goals definition
Discovered by the following checks:
• Safety goals definition.003-Checks if for each safety goal at least one functional safety requirement is specified
Occurrences:
• in Safety goals definition
Avoided by the following restrictions:
• Safety goals definition.003-For all safety goal exist one safety requirement
Error View:
Table 444 Error: 003-xxx has no functional safety requirement specified
Error: 005-xxx (safety req) has no unique identifier
Description: 005-safety requirement has no unique identifier
From use case: Safety goals definition
Discovered by the following checks:
• Safety goals definition.005-Checks if every safety requirement has a unique identifier
Occurrences:
• in Safety goals definition
Avoided by the following restrictions:
• Safety goals definition.005-Exist a unique safety requirement identifier
Error View:
Table 445 Error: 005-xxx (safety req) has no unique identifier
1.5.7.10 TCL DETERMINATION FOR USE CASE: SW ARCHITECTURE DEFINITION
The use case "SW Architecture definition" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. This use case has no errors.
1.6 NUSMV MODEL CHECKER
This section explains the determination of the Tool Confidence Level (TCL) for the tool nuSMV Model Checker.
Tool: nuSMV Model Checker
Description: -None-
Impact: TI 2 (Impact)
Tool Confidence Level: TCL 1
Table 446 Tool: nuSMV Model Checker
The tool nuSMV Model Checker is modeled with no element which has impact. No additional features have been modeled.
Elements | Amount (Assumptions)
Use Cases | 0 (0)
Checks | 0 (0)
Restrictions | 0 (0)
Potential Errors | 0 (0)
Table 447 Amount of Elements in Tool: nuSMV Model Checker
1.6.1 USE CASES OF NUSMV MODEL CHECKER
There are no use cases modeled for nuSMV Model Checker.
1.6.2 FEATURES OF NUSMV MODEL CHECKER
There are no features modeled for nuSMV Model Checker.
1.6.3 POTENTIAL ERRORS IN NUSMV MODEL CHECKER
The tool has no potential error. The error flow consists of all relations from errors to checks or restrictions. There are
• no relation from errors caused by other tools to checks or restrictions defined for use cases of this tool.
• no relation from errors caused by this tool to checks or restrictions defined for use cases of this tool.
• no relation from errors caused by this tool to checks or restrictions defined for use cases of other tools.
1.6.4 RESTRICTIONS IN NUSMV MODEL CHECKER
There are no restrictions in the tool nuSMV Model Checker.
1.6.5 CHECKS IN NUSMV MODEL CHECKER
No checks are performed in the tool nuSMV Model Checker.
1.6.6 ASSUMPTIONS
The determination of the TCL of nuSMV Model Checker is not based on assumed checks and restrictions. None of the checks and restrictions are modeled as assumptions.
1.6.7 TCL DETERMINATION
This section determines a TCL for each use case by assigning checks or restrictions with detection/avoidance probability to each potential error. The TCL for the entire tool can be derived from the TCL for each use case. The tool nuSMV Model Checker has no use case with TCL 1, no use case with TCL 2 and no use case with TCL 3. Therefore the tool nuSMV Model Checker has TCL 1.
There are no use cases modeled for the tool nuSMV Model Checker
1.7 PROB MODEL CHECKER
This section explains the determination of the Tool Confidence Level (TCL) for the tool ProB Model Checker.
Tool: ProB Model Checker
Description: This is not developed by us, but might be helpful to detect errors
Impact: TI 2 (Impact)
Tool Confidence Level: TCL 1
Table 448 Tool: ProB Model Checker
The tool ProB Model Checker is modeled with 3 elements which have impact; one of them is an assumption. No additional features have been modeled.
Elements | Amount (Assumptions)
Use Cases | 1 (0)
Checks | 1 (1)
Restrictions | 0 (0)
Potential Errors | 1 (0)
Table 449 Amount of Elements in Tool: ProB Model Checker
1.7.1 USE CASES OF PROB MODEL CHECKER
This section describes all analyzed use cases of ProB Model Checker in separate subsections. The following use cases of the tool ProB Model Checker are considered:
1. Check Model, see Section 1.9.2.5
1.7.1.1 USE CASE CHECK MODEL
This section describes the use case "Check Model".
UseCase: Check Model
Description: -None-
Table 450 UseCase: Check Model
The use case requires no features and calls no other use cases. The use case "Check Model" reads and/or writes the following artifacts. The used artifacts are shown in Fig 33 and are summarized in the subsequent table.
Fig 73 Artifacts of Use Case: Check Model
Artifacts of Use Case: Check Model
Inputs:
• Safety Requirements
• System Models (Event-B)
• Verified System Models (Event-B)
Outputs:
• Verified System Models (Event-B)
Table 451 Artifacts of Use Case: Check Model
1.7.2 FEATURES OF PROB MODEL CHECKER
There are no features modeled for ProB Model Checker.
1.7.3 POTENTIAL ERRORS IN PROB MODEL CHECKER
The tool has one potential error in one occurrence in use cases. The error flow, as can be seen in Feature Model Validation, consists of all relations from errors to checks or restrictions. There are
• 2 relations from errors caused by other tools to checks or restrictions defined for use cases of this tool.
• no relation from errors caused by this tool to checks or restrictions defined for use cases of this tool.
• one relation from errors caused by this tool to checks or restrictions defined for use cases of other tools.
Fig 74 Error Flow to and from ProB Model Checker
Fig 34 shows all 2 relations, introduced by one other tool:
Tool | Error | UseCase | Table
Rodin Prover | Theorem Provers | System Model Verification | Table 194
Rodin Prover | Verification condition generation | System Model Verification | Table 195
Table 452 Errors introduced in ProB Model Checker by other tools
Due to one relation, ProB Model Checker has an impact on one other tool. The error is listed in Feature Safety Guidelines.
Tool | Error | UseCase | Table
Rodin Prover | States missed | Check Model | Feature Xml Interface
Table 453 Errors of ProB Model Checker with impact on other tools
1.7.4 RESTRICTIONS IN PROB MODEL CHECKER
There are no restrictions in the tool ProB Model Checker.
1.7.5 CHECKS IN PROB MODEL CHECKER
The following check is performed in the tool ProB Model Checker.
Check: Model Check
Description: Check the validity of the model
Comment: This can be done using a model checker tool for some consistency rules
From use case: ProB Model Checker, Check Model
Occurrences:
• in Check Model
Error detection probability: TD 1 (HIGH)
Detected errors from other tools:
• Check Model, Rodin Prover, System Model Verification, Theorem Provers
• Check Model, Rodin Prover, System Model Verification, Verification condition generation
Is assumption: True
Relations to other tools:
Table 454 Check: Model Check
1.7.6 ASSUMPTIONS
The determination of the TCL of ProB Model Checker is based on the following assumption on the development process.
• Check: Model Check (Feature SG_Avoid Feature) occurs in:
  o Check Model
1.7.7 TCL DETERMINATION
This section determines a TCL for each use case by assigning checks or restrictions with detection/avoidance probability to each potential error. The TCL for the entire tool can be derived from the TCL for each use case. The tool ProB Model Checker has one use case with TCL 1, no use case with TCL 2 and no use case with TCL 3. Therefore the tool ProB Model Checker has TCL 1. The use cases are described in the following sections:
• For "Check Model" (TCL 1) see Section 1.9.2.9.
1.7.7.1 TCL DETERMINATION FOR USE CASE: CHECK MODEL
The use case "Check Model" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "Check Model".
Error | TD | Table
States missed | TD 1 (HIGH) | Feature Xml Interface
Table 455 Errors of Use Case: Check Model
Error: States missed
Description: -None-
Comment: This holds also for similar errors detectable by the prover
From use case: Check Model
Discovered by the following checks:
• System Model Verification.Correctness proof
Occurrences:
• in Check Model
Error View:
Table 456 Error: States missed
1.8 PROCESS CHECKER
This section explains the determination of the Tool Confidence Level (TCL) for the tool Process Checker.
Tool: Process Checker
Description: This is a manual step to validate the process for completeness. If this is the case TCA model validation can be omitted.
Impact: TI 2 (Impact)
Tool Confidence Level: TCL 1
Table 457 Tool: Process Checker
The tool Process Checker is modeled with one element that has impact and is not an assumption. No additional features have been modeled.
Elements | Amount (Assumptions)
Use Cases | 0 (0)
Checks | 0 (0)
Restrictions | 1 (0)
Potential Errors | 0 (0)
Table 458 Amount of Elements in Tool: Process Checker
1.8.1 USE CASES OF PROCESS CHECKER
There are no use cases modeled for Process Checker.
1.8.2 FEATURES OF PROCESS CHECKER
There are no features modeled for Process Checker.
1.8.3 POTENTIAL ERRORS IN PROCESS CHECKER
The tool has no potential error. The error flow, as can be seen in Fig 35, consists of all relations from errors to checks or restrictions. There are
• 2 relations from errors caused by other tools to checks or restrictions defined for use cases of this tool.
• no relation from errors caused by this tool to checks or restrictions defined for use cases of this tool.
• no relation from errors caused by this tool to checks or restrictions defined for use cases of other tools.
Fig 75 Error Flow to and from Process Checker
Fig 36 shows all 2 relations, introduced by one other tool:
Tool | Error | UseCase | Table
Tool Chain Analyzer | Process Inconsistently Modelled | Create Model | Table 585
Tool Chain Analyzer | Process Inconsistently Modelled | Review Model | Table 600
Table 459 Errors introduced in Process Checker by other tools
1.8.4 RESTRICTIONS IN PROCESS CHECKER
The tool Process Checker must only be used with the following restriction.
Restriction: Consistent Process
Description: This ensures that the process is consistent
From use case: Process Checker, Validate Process
Error avoidance probability: TD 1 (HIGH)
Occurrences:
• in Validate Process
Avoided errors from other tools:
• Validate Process, Tool Chain Analyzer, Model Validation, Process Inconsistently Modelled
Relations to other tools:
Table 460 Restriction: Consistent Process
1.8.5 CHECKS IN PROCESS CHECKER
No checks are performed in the tool Process Checker.
1.8.6 ASSUMPTIONS
The determination of the TCL of Process Checker is not based on assumed checks and restrictions. None of the checks and restrictions are modeled as assumptions.
1.8.7 TCL DETERMINATION
This section determines a TCL for each use case by assigning checks or restrictions with detection/avoidance probability to each potential error. The TCL for the entire tool can be derived from the TCL for each use case. The tool Process Checker has no use case with TCL 1, no use case with TCL 2 and no use case with TCL 3. Therefore the tool Process Checker has TCL 1. There are no use cases modeled for the tool Process Checker.
1.9 RODIN EDITOR
This section explains the determination of the Tool Confidence Level (TCL) for the tool Rodin Editor.
Tool: Rodin Editor
Description: Platform for Event-B formal system development
Impact: TI 2 (Impact)
Tool Confidence Level: TCL 1
Table 461 Tool: Rodin Editor
The tool Rodin Editor is modeled with 10 elements that have impact, none of which are assumptions. No additional features have been modeled.
Elements | Amount (Assumptions)
Use Cases | 1 (0)
Checks | 1 (0)
Restrictions | 0 (0)
Potential Errors | 8 (0)
Table 462 Amount of Elements in Tool: Rodin Editor
1.9.1 USE CASES OF RODIN EDITOR
This section describes all analyzed use cases of Rodin Editor in separate subsections. The following use cases of the tool Rodin Editor are considered:
1. System Modelling, see Section 0
1.9.1.1 USE CASE SYSTEM MODELLING
This section describes the use case "System Modelling".
UseCase: System Modelling
Description: Refinement-based approach for system modelling
Table 463 UseCase: System Modelling
The use case requires no features and calls no other use cases. The use case "System Modelling" reads and/or writes the following artifacts. The used artifacts are shown in TCL Determination for Use Case: Cost Calculation and are summarized in the subsequent table.
Fig 76 Artifacts of Use Case: System Modelling
Artifacts of Use Case: System Modelling
Inputs:
• Safety Requirements
Outputs:
• System Models (Event-B)
Table 464 Artifacts of Use Case: System Modelling
1.9.2 FEATURES OF RODIN EDITOR
There are no features modeled for Rodin Editor.
1.9.3 POTENTIAL ERRORS IN RODIN EDITOR
The tool has 8 different potential errors in 8 occurrences in use cases. The error flow, as can be seen in Table 176, consists of all relations from errors to checks or restrictions. There are
• no relation from errors caused by other tools to checks or restrictions defined for use cases of this tool.
• one relation from errors caused by this tool to checks or restrictions defined for use cases of this tool.
• 7 relations from errors caused by this tool to checks or restrictions defined for use cases of other tools.
Fig 77 Error Flow to and from Rodin Editor
Rodin Editor has the following one relation, which is detected by checks or restrictions of this tool. The errors are described in detail in the TCL analysis of the corresponding use cases:
• Model Corruption 3 (TCL Determination for Use Case: Determinate Tool Confidence Level)
Due to 7 relations, Rodin Editor has an impact on one other tool. The errors are listed in Table 177.
Tool | Error | UseCase | Table
Rodin Prover | Deadlock | System Modelling | TCL Determination for Use Case: Create Model
Rodin Prover | Event refinement violation | System Modelling | Table 180
Rodin Prover | Invariant violation | System Modelling | Table 181
Rodin Prover | Model corruption 1 | System Modelling | Table 182
Rodin Prover | Model Corruption 2 | System Modelling | Table 183
Rodin Prover | Non-termination | System Modelling | Table 185
Rodin Prover | Syntax error | System Modelling | Table 186
Table 465 Errors of Rodin Editor with impact on other tools
1.9.4 RESTRICTIONS IN RODIN EDITOR
There are no restrictions in the tool Rodin Editor.
1.9.5 CHECKS IN RODIN EDITOR
The following one check is performed in the tool Rodin Editor.
Check: WYSIWYG
Description: What You See Is What You Get. The human working with the tool sees the important things
Comment: This gives a high error detection probability
From use case: Rodin Editor, System Modelling
Occurrences:
• in System Modelling
Error detection probability: TD 1 (HIGH)
Detected errors:
• System Modelling, Model Corruption 3
Table 466 Check: WYSIWYG
1.9.6 ASSUMPTIONS
The determination of the TCL of Rodin Editor is not based on assumed checks and restrictions. None of the checks and restrictions are modeled as assumptions.
1.9.7 TCL DETERMINATION
This section determines a TCL for each use case by assigning checks or restrictions with detection/avoidance probability to each potential error. The TCL for the entire tool can be derived from the TCL for each use case. The tool Rodin Editor has one use case with TCL 1, no use case with TCL 2 and no use case with TCL 3. Therefore the tool Rodin Editor has TCL 1. The use cases are described in the following sections:
• For "System Modelling" (TCL 1) see Section 0.
1.9.7.1 TCL DETERMINATION FOR USE CASE: SYSTEM MODELLING
The use case "System Modelling" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "System Modelling".
Error | TD | Table
Deadlock | TD 1 (HIGH) | TCL Determination for Use Case: Create Model
Event refinement violation | TD 1 (HIGH) | Table 180
Invariant violation | TD 1 (HIGH) | Table 181
Model corruption 1 | TD 1 (HIGH) | Table 182
Model Corruption 2 | TD 1 (HIGH) | Table 183
Model Corruption 3 | TD 1 (HIGH) | TCL Determination for Use Case: Determinate Tool Confidence Level
Non-termination | TD 1 (HIGH) | Table 185
Syntax error | TD 1 (HIGH) | Table 186
Table 467 Errors of Use Case: System Modelling
Error: Deadlock
Description: -None-
From use case: System Modelling
Discovered by the following checks:
• System Model Verification.Correctness proof
Occurrences:
• in System Modelling
Error View:
Table 468 Error: Deadlock
Error: Event refinement violation
Description: -None-
From use case: System Modelling
Discovered by the following checks:
• System Model Verification.Correctness proof
Occurrences:
• in System Modelling
Error View:
Table 469 Error: Event refinement violation
Error: Invariant violation
Description: -None-
From use case: System Modelling
Discovered by the following checks:
• System Model Verification.Correctness proof
Occurrences:
• in System Modelling
Error View:
Table 470 Error: Invariant violation
Error: Model corruption 1
Description: Model corruption because of the XML format. This is model corruption where a lost variable, a lost context or a lost typing invariant will generate syntax errors.
From use case: System Modelling
Discovered by the following checks:
• System Model Verification.Proof Tree - Syntax Check
Occurrences:
• in System Modelling
Error View:
Table 471 Error: Model corruption 1
Error: Model Corruption 2
Description: Problems like lost invariants, lost guards, etc. will generate proof obligation violations
From use case: System Modelling
Discovered by the following checks:
• System Model Verification.Correctness proof
Occurrences:
• in System Modelling
Error View:
Table 472 Error: Model Corruption 2
Error: Model Corruption 3
Description: Problems like lost events being set to non-convergent when they should be convergent, etc. There are no tools that can check this case.
From use case: System Modelling
Discovered by the following checks:
• System Modelling.WYSIWYG
Occurrences:
• in System Modelling
Error View:
Table 473 Error: Model Corruption 3
Error: Non-termination
Description: -None-
From use case: System Modelling
Discovered by the following checks:
• System Model Verification.Correctness proof
Occurrences:
• in System Modelling
Error View:
Table 474 Error: Non-termination
Error: Syntax error
Description: -None-
From use case: System Modelling
Discovered by the following checks:
• System Model Verification.Proof Tree - Syntax Check
Occurrences:
• in System Modelling
Error View:
Table 475 Error: Syntax error
1.10 RODIN PROVER
This section explains the determination of the Tool Confidence Level (TCL) for the tool Rodin Prover.
Tool: Rodin Prover
Description: -None-
Impact: TI 2 (Impact)
Tool Confidence Level: TCL 1
Table 476 Tool: Rodin Prover
The tool Rodin Prover is modeled with 5 elements that have impact, one of which is an assumption. No additional features have been modeled.
Elements | Amount (Assumptions)
Use Cases | 1 (0)
Checks | 2 (1)
Restrictions | 0 (0)
Potential Errors | 2 (0)
Table 477 Amount of Elements in Tool: Rodin Prover
1.10.1 USE CASES OF RODIN PROVER
This section describes all analyzed use cases of Rodin Prover in separate subsections. The following use cases of the tool Rodin Prover are considered:
1. System Model Verification, see Section 0
1.10.1.1 USE CASE SYSTEM MODEL VERIFICATION
This section describes the use case "System Model Verification".
UseCase: System Model Verification
Description: System model verification at system level design
Table 478 UseCase: System Model Verification
The use case requires no features and calls no other use cases. The use case "System Model Verification" reads and/or writes the following artifacts. The used artifacts are shown in Table 188 and are summarized in the subsequent table.
Fig 78 Artifacts of Use Case: System Model Verification
Artifacts of Use Case: System Model Verification
Inputs:
• System Models (Event-B)
• Verified System Models (Event-B)
Outputs:
• Verified System Models (Event-B)
Table 479 Artifacts of Use Case: System Model Verification
1.10.2 FEATURES OF RODIN PROVER
There are no features modeled for Rodin Prover.
1.10.3 POTENTIAL ERRORS IN RODIN PROVER
The tool has 2 different potential errors in 2 occurrences in use cases. The error flow, as can be seen in TCL Determination for Use Case: Generate Tool Classification Report, consists of all relations from errors to checks or restrictions. There are
• 8 relations from errors caused by other tools to checks or restrictions defined for use cases of this tool.
• no relation from errors caused by this tool to checks or restrictions defined for use cases of this tool.
• 2 relations from errors caused by this tool to checks or restrictions defined for use cases of other tools.
Fig 79 Error Flow to and from Rodin Prover
Table 190 shows all 8 relations, introduced by 2 other tools:
Tool | Error | UseCase | Table
ProB Model Checker | States missed | Check Model | Feature Xml Interface
Rodin Editor | Deadlock | System Modelling | TCL Determination for Use Case: Create Model
Rodin Editor | Event refinement violation | System Modelling | Table 180
Rodin Editor | Invariant violation | System Modelling | Table 181
Rodin Editor | Model corruption 1 | System Modelling | Table 182
Rodin Editor | Model Corruption 2 | System Modelling | Table 183
Rodin Editor | Non-termination | System Modelling | Table 185
Rodin Editor | Syntax error | System Modelling | Table 186
Table 480 Errors introduced in Rodin Prover by other tools
Due to 2 relations, Rodin Prover has an impact on one other tool. The errors are listed in Table 191.
Tool | Error | UseCase | Table
ProB Model Checker | Theorem Provers | System Model Verification | Table 194
ProB Model Checker | Verification condition generation | System Model Verification | Table 195
Table 481 Errors of Rodin Prover with impact on other tools
1.10.4 RESTRICTIONS IN RODIN PROVER
There are no restrictions in the tool Rodin Prover.
1.10.5 CHECKS IN RODIN PROVER
The following 2 checks are performed in the tool Rodin Prover.
Check: Correctness proof
Description: -None-
From use case: Rodin Prover, System Model Verification
Occurrences:
• in System Model Verification
Error detection probability: TD 1 (HIGH)
Detected errors from other tools:
• System Model Verification, ProB Model Checker, Check Model, States missed
• System Model Verification, Rodin Editor, System Modelling, Deadlock
• System Model Verification, Rodin Editor, System Modelling, Event refinement violation
• System Model Verification, Rodin Editor, System Modelling, Invariant violation
• System Model Verification, Rodin Editor, System Modelling, Model Corruption 2
• System Model Verification, Rodin Editor, System Modelling, Non-termination
Relations to other tools:
Table 482 Check: Correctness proof
Check: Proof Tree - Syntax Check
Description: The syntax check is usually done when this file is used
From use case: Rodin Prover, System Model Verification
Occurrences:
• in System Model Verification
Error detection probability: TD 1 (HIGH)
Detected errors from other tools:
• System Model Verification, Rodin Editor, System Modelling, Model corruption 1
• System Model Verification, Rodin Editor, System Modelling, Syntax error
Is assumption: True
Relations to other tools:
Table 483 Check: Proof Tree - Syntax Check
1.10.6 ASSUMPTIONS
The determination of the TCL of Rodin Prover is based on the following assumption on the development process.
• Check: Proof Tree - Syntax Check (Table 192) occurs in:
  o System Model Verification
1.10.7 TCL DETERMINATION
This section determines a TCL for each use case by assigning checks or restrictions with detection/avoidance probability to each potential error. The TCL for the entire tool can be derived from the TCL for each use case. The tool Rodin Prover has one use case with TCL 1, no use case with TCL 2 and no use case with TCL 3. Therefore the tool Rodin Prover has TCL 1. The use cases are described in the following sections:
• For "System Model Verification" (TCL 1) see Section 1.9.7.5.
1.10.7.1 TCL DETERMINATION FOR USE CASE: SYSTEM MODEL VERIFICATION
The use case "System Model Verification" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "System Model Verification".
Error | TD | Table
Theorem Provers | TD 1 (HIGH) | Table 194
Verification condition generation | TD 1 (HIGH) | Table 195
Table 484 Errors of Use Case: System Model Verification
Error: Theorem Provers
Description: Theorem provers might be unsound
From use case: System Model Verification
Discovered by the following checks:
• Check Model.Model Check
Occurrences:
• in System Model Verification
Error View:
Table 485 Error: Theorem Provers
Error: Verification condition generation
Description: The verification condition generation might be incorrect
From use case: System Model Verification
Discovered by the following checks:
• Check Model.Model Check
Subsumes:
• "Option Defect" from "Option Supporting"
• "Option Ignored" from "Option Supporting"
Occurrences:
• in System Model Verification
Error View:
Table 486 Error: Verification condition generation
1.11 SIMULINK
This section explains the determination of the Tool Confidence Level (TCL) for the tool Simulink.
Tool: Simulink
Description: Simulink
Impact: TI 2 (Impact)
Tool Confidence Level: TCL 3
Table 487 Tool: Simulink
The tool Simulink is modeled with 14 elements that have impact, one of which is an assumption. One additional feature has been modeled, which is not an assumption.
Elements | Amount (Assumptions)
Use Cases | 4 (0)
Checks | 0 (0)
Restrictions | 0 (0)
Potential Errors | 10 (1)
Table 488 Amount of Elements in Tool: Simulink
1.11.1 USE CASES OF SIMULINK
This section describes all analyzed use cases of Simulink in separate subsections. The following use cases of the tool Simulink are considered:
1. Code generation, see Section 0
2. Contracts to assertions, see Section 0
3. Modelling, see Section 1.11.1.3
4. Modelling Requirements, see Section 1.11.1.4
1.11.1.1 USE CASE CODE GENERATION
This section describes the use case "Code generation".
UseCase: Code generation
Description: -None-
Table 489 UseCase: Code generation
The use case requires no features and calls no other use cases. The use case "Code generation" reads and/or writes the following artifacts. The used artifacts are shown in Table 197 and are summarized in the subsequent table.
Fig 80 Artifacts of Use Case: Code generation
Artifacts of Use Case: Code generation
Inputs:
• Simulink Model
Outputs:
• Source Code
Table 490 Artifacts of Use Case: Code generation
1.11.1.2 USE CASE CONTRACTS TO ASSERTIONS
This section describes the use case "Contracts to assertions".
UseCase: Contracts to assertions
Description: To check contracts in Simulink Design Verifier (needed to keep the verification tools at TCL 1) there is a need to translate the contracts to assertions and assumptions understood by Simulink Design Verifier. This is added as a use case here, but it could be automated in a tool.
Table 491 UseCase: Contracts to assertions
The use case requires no features and calls no other use cases. The use case "Contracts to assertions" reads and/or writes the following artifacts. The used artifacts are shown in Fig 37 and are summarized in the subsequent table.
Fig 81 Artifacts of Use Case: Contracts to assertions
Artifacts of Use Case: Contracts to assertions
Inputs:
• contract
Table 492 Artifacts of Use Case: Contracts to assertions
1.11.1.3 USE CASE MODELLING
This section describes the use case "Modelling".
UseCase: Modelling
Description: -None-
Table 493 UseCase: Modelling
The use case requires no features and calls no other use cases. The use case "Modelling" reads and/or writes the following artifacts. The used artifacts are shown in Fig 82 and are summarized in the subsequent table.
Fig 82 Artifacts of Use Case: Modelling
Artifacts of Use Case: Modelling
Outputs:
• Contract
• Simulink Model
• Simulink model
• contract
Table 494 Artifacts of Use Case: Modelling
1.11.1.4 USE CASE MODELLING REQUIREMENTS
This section describes the use case "Modelling Requirements".
UseCase: Modelling Requirements
Description: The user reads the requirements and builds the Simulink model for them.
Table 495 UseCase: Modelling Requirements
The use case requires one feature and calls no other use cases. Fig 83 shows the dependencies between the use cases and features.
Fig 83 Dependency View of Use Case: Modelling Requirements
"Modelling Requirements" uses the following features:
• Edit Model
Use cases calling "Modelling Requirements":
• Medini, SW Architecture definition
The use case "Modelling Requirements" reads and/or writes the following artifacts. The used artifacts are shown in Fig 84 and are summarized in the subsequent table.
Fig 84 Artifacts of Use Case: Modelling Requirements
Artifacts of Use Case: Modelling Requirements
Inputs:
• Safety Requirements
Outputs:
• Simulink Model
Table 496 Artifacts of Use Case: Modelling Requirements
1.11.2 FEATURES OF SIMULINK
This section describes all analyzed features of Simulink in separate subsections. The following features of the tool Simulink are considered:
1. Edit Model, see Section 1.11.2.1
1.11.2.1 FEATURE EDIT MODEL
This section describes the feature "Edit Model".
Feature: Edit Model
Description: Edit Simulink Model
Table 497 Feature: Edit Model
To fulfill the requirements of a feature, a number of artifacts are usually read and/or written, but in "Edit Model" the tool Simulink uses no artifacts.
1.11.3 POTENTIAL ERRORS IN SIMULINK
The tool has 10 different potential errors in 10 occurrences in use cases. The error flow, as can be seen in Fig 85, consists of all relations from errors to checks or restrictions. There are
• no relation from errors caused by other tools to checks or restrictions defined for use cases of this tool.
• no relation from errors caused by this tool to checks or restrictions defined for use cases of this tool.
• 6 relations from errors caused by this tool to checks or restrictions defined for use cases of other tools.
• 6 errors caused by this tool without any relation to checks or restrictions.
Fig 85 Error Flow to and from Simulink
Due to 6 relations, Simulink has an impact on one other tool. The errors are listed in Table 498.
Tool | Error | UseCase | Table
VerSAA | Contract corruption | Modelling | Table 506
VerSAA | Contract violation | Modelling | Table 508
VerSAA | Contract violation | Modelling | Table 508
VerSAA | Runtime error | Modelling | Table 510
VerSAA | Wrong contract | Modelling | Table 511
VerSAA | Wrong contract | Modelling | Table 511
Table 498 Errors of Simulink with impact on other tools
The following 6 error occurrences of Simulink have no relation to any check or restriction:
• Contract removal (Table 507)
• Incorrect translation (Table 504)
• Non-termination (Table 509)
• Scheduling error (Table 500)
• WCET violation (Table 501)
• Wrong code (Table 502)
1.11.4 RESTRICTIONS IN SIMULINK
There are no restrictions in the tool Simulink.
1.11.5 CHECKS IN SIMULINK
No checks are performed in the tool Simulink.
1.11.6 ASSUMPTIONS
The determination of the TCL of Simulink is based on the following assumption on the development process.
• Error: Incorrect translation
  o Contracts to assertions
1.11.7 TCL DETERMINATION
This section determines a TCL for each use case by assigning checks or restrictions with detection/avoidance probability to each potential error. The TCL for the entire tool can be derived from the TCL for each use case. The tool Simulink has one use case with TCL 1, no use case with TCL 2 and 3 use cases with TCL 3. Therefore the tool Simulink has TCL 3. The use cases are described in the following sections:
• For "Code generation" (TCL 3) see Section 1.11.7.1,
• for "Contracts to assertions" (TCL 3) see Section 1.11.7.2,
• for "Modelling" (TCL 3) see Section 1.11.7.3, and
• for "Modelling Requirements" (TCL 1) see Section 1.11.7.4.
1.11.7.1 TCL DETERMINATION FOR USE CASE: CODE GENERATION
The use case "Code generation" has TCL 3. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "Code generation".
Error | TD | Table
Scheduling error | TD 3 (LOW) | Table 500
WCET violation | TD 3 (LOW) | Table 501
Wrong code | TD 3 (LOW) | Table 502
Table 499 Errors of Use Case: Code generation
Error: Scheduling error
Description: The chosen scheduling scheme used for the implemented (multi-rate) model is infeasible
From use case: Code generation
Occurrences:
• in Code generation
Error View:
Table 500 Error: Scheduling error
Error: WCET violation
Description: The WCET of the code is longer than it should be given the chosen scheduling scheme
From use case: Code generation
Occurrences:
• in Code generation
Error View:
Table 501 Error: WCET violation
Error: Wrong code
Description: The semantics of the code does not match the model semantics in terms of block behaviours
From use case: Code generation
Occurrences:
• in Code generation
Error View:
Table 502 Error: Wrong code
1.11.7.2 TCL DETERMINATION FOR USE CASE: CONTRACTS TO ASSERTIONS
The use case "Contracts to assertions" has TCL 3. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "Contracts to assertions".
Error | TD | Table
Incorrect translation | TD 3 (LOW) | Table 504
Table 503 Errors of Use Case: Contracts to assertions
Error: Incorrect translation
Description: The translation of contracts to assertions/assumptions might be incorrect. It is not obvious how to check that this does not happen in a tool. Manual inspection might be needed.
From use case: Contracts to assertions
Occurrences:
• in Contracts to assertions
Is assumption: True
Error View:
Table 504 Error: Incorrect translation
1.11.7.3 TCL DETERMINATION FOR USE CASE: MODELLING
The use case "Modelling" has TCL 3. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "Modelling".
Error | TD | Table
Contract corruption | TD 1 (HIGH) | Table 506
Contract removal | TD 3 (LOW) | Table 507
Contract violation | TD 1 (HIGH) | Table 508
Non-termination | TD 3 (LOW) | Table 509
Runtime error | TD 1 (HIGH) | Table 510
Wrong contract | TD 1 (HIGH) | Table 511
Table 505 Errors of Use Case: Modelling
Error: Contract corruption
Description: -None-
From use case: Modelling
Discovered by the following checks:
• Verify.Check contracts
Occurrences:
• in Modelling
Error View:
Table 506 Error: Contract corruption
Error: Contract removal
Description: Simulink removes a contract or edits the subsystem description field in such a manner that the contract is not recognised.
From use case: Modelling
Occurrences:
• in Modelling
Error View:
Table 507 Error: Contract removal
Error: Contract violation
Description: A subsystem does not behave as specified
From use case: Modelling
Discovered by the following checks:
• Verify.Check contracts
• Verify.ContractCheck
Occurrences:
• in Modelling
Error View:
Table 508 Error: Contract violation
Error: Non-termination
Description: Iteration blocks or other blocks might never return results
From use case: Modelling
Occurrences:
• in Modelling
Error View:
Table 509 Error: Non-termination
Error: Runtime error
Description: Runtime error, such as division by zero, array index out of bounds, etc.
From use case: Modelling
Discovered by the following checks:
• Verify.Runtime errors
Occurrences:
• in Modelling
Error View:
Table 510 Error: Runtime error
Error: Wrong contract
Description: Wrong subsystem specification
From use case: Modelling
Discovered by the following checks:
• Verify.Check contracts
• Verify.ContractCheck
Occurrences:
• in Modelling
Error View:
Table 511 Error: Wrong contract
1.11.7.4 TCL DETERMINATION FOR USE CASE: MODELLING REQUIREMENTS
The use case "Modelling Requirements" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. This use case has no errors.
1.12 SIMULINK DESIGN VERIFIER
This section explains the determination of the Tool Confidence Level (TCL) for the tool Simulink Design Verifier.
Tool: Simulink Design Verifier
Description: A verifier for Simulink/Stateflow models provided by Mathworks
Impact: TI 2 (Impact)
Tool Confidence Level: TCL 1
Table 512 Tool: Simulink Design Verifier
The tool Simulink Design Verifier is modeled with 3 elements that have impact, none of which are assumptions. No additional features have been modeled.
Elements | Amount (Assumptions)
Use Cases | 1 (0)
Checks | 1 (0)
Restrictions | 0 (0)
Potential Errors | 1 (0)
Table 513 Amount of Elements in Tool: Simulink Design Verifier
1.12.1 USE CASES OF SIMULINK DESIGN VERIFIER
This section describes all analyzed use cases of Simulink Design Verifier in separate subsections. The following use cases of the tool Simulink Design Verifier are considered:
1. Verify, see Section 1.12.1.1
1.12.1.1 USE CASE VERIFY
This section describes the use case "Verify".
UseCase: Verify
Description: Check that the properties given as special assertion blocks in the model hold
Comment: OS: needs to update the model, otherwise no exchange with VerSAA tool possible
Table 514 UseCase: Verify
The use case requires no features and calls no other use cases. The use case "Verify" reads and/or writes the following artifacts. The used artifacts are shown in Fig 86 and are summarized in the subsequent table.
Fig 86 Artifacts of Use Case: Verify
Artifacts of Use Case: Verify
Outputs:
• SLDV verification report
Inputs & Outputs:
• Simulink Model
Table 515 Artifacts of Use Case: Verify
1.12.2 FEATURES OF SIMULINK DESIGN VERIFIER
There are no features modeled for Simulink Design Verifier.
1.12.3 POTENTIAL ERRORS IN SIMULINK DESIGN VERIFIER
The tool has one potential error in one occurrence in use cases. The error flow, as can be seen in Fig 87, consists of all relations from errors to checks or restrictions. There are
• 3 relations from errors caused by other tools to checks or restrictions defined for use cases of this tool.
• no relation from errors caused by this tool to checks or restrictions defined for use cases of this tool.
• 2 relations from errors caused by this tool to checks or restrictions defined for use cases of other tools.
Fig 87 Error Flow to and from Simulink Design Verifier
Table 516 shows all 3 relations, introduced by one other tool:
Tool | Error | UseCase | Table
VerSAA | Incorrect translation | Verify | Table 613
VerSAA | Incorrect VC generation | Verify | Table 614
VerSAA | Verifier unsound | Verify | Table 615
Table 516 Errors introduced in Simulink Design Verifier by other tools
Due to 2 relations, Simulink Design Verifier has an impact on one other tool. The errors are listed in Table 517.
Tool | Error | UseCase | Table
VerSAA | Unsound verification | Verify | Table 520
VerSAA | Unsound verification | Verify | Table 520
Table 517 Errors of Simulink Design Verifier with impact on other tools
1.12.4 RESTRICTIONS IN SIMULINK DESIGN VERIFIER
There are no restrictions in the tool Simulink Design Verifier.
1.12.5 CHECKS IN SIMULINK DESIGN VERIFIER
The following one check is performed in the tool Simulink Design Verifier.
Check: Check assertions
Description: Check assertions representing the contract conditions given using the assert and assume blocks supported by Simulink Design Verifier. Unsoundness of VerSAA will be found with high probability, since SLDV and VerSAA do not share any code. The backend provers are also different: SLDV uses the Prover plugin and VerSAA uses Z3.
From use case: Simulink Design Verifier,Verify
Occurrences:
• in Verify
Error detection probability: TD 1 (HIGH)
Detected errors from other tools:
• Verify,VerSAA,Verify,Incorrect VC generation
• Verify,VerSAA,Verify,Incorrect translation
• Verify,VerSAA,Verify,Verifier unsound
Relations to other tools:
Table 518 Check: Check assertions
1.12.6 ASSUMPTIONS
The determination of the TCL of Simulink Design Verifier is not based on assumed checks and restrictions. None of the checks and restrictions are modeled as assumptions.
1.12.7 TCL DETERMINATION
This section determines a TCL for each use case by assigning checks or restrictions with detection/avoidance probability to each potential error. The TCL for the entire tool can be derived from the TCL for each use case. The tool Simulink Design Verifier has one use case with TCL 1, no use case with TCL 2 and no use case with TCL 3. Therefore the tool Simulink Design Verifier has TCL 1. The use cases are described in the following sections:
• For "Verify" (TCL 1) see Section 1.12.7.1.
1.12.7.1 TCL DETERMINATION FOR USE CASE: VERIFY
The use case "Verify" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "Verify".
Error | TD | Table
Unsound verification | TD 1 (HIGH) | Table 520
Table 519 Errors of Use Case: Verify
Error: Unsound verification
Description: The Simulink Design Verifier is not guaranteed to be sound. The same problems as for VerSAA exist.
From use case: Verify
Discovered by the following checks:
• Verify.Check contracts
• Verify.ContractCheck
Occurrences:
• in Verify
Error View:
Table 520 Error: Unsound verification
1.13 TBT
This section explains the determination of the Tool Confidence Level (TCL) for the tool TBT.
Tool: TBT
Description: Tactic Based Test Generator
Tactic-based testing (TBT) is a variant of model-based testing in which test case search is guided by explicit search tactics in order to efficiently generate test cases for specific test goals. The explicit formulation of search tactics helps to ensure traceability from test specification to the generated test cases. It is also easily extensible to allow fault injection tests to show that applications behave gracefully also when, for instance, core-to-core communication breaks down.
Impact: TI 2 (Impact)
Tool Confidence Level: TCL 1
Table 521 Tool: TBT
The tool TBT is modeled with 6 elements which have impact, 2 of them are assumptions. No additional features have been modeled.
Elements | Amount (Assumptions)
Use Cases | 1 (0)
Checks | 2 (2)
Restrictions | 0 (0)
Potential Errors | 3 (0)
Table 522 Amount of Elements in Tool: TBT
1.13.1 USE CASES OF TBT
This section describes all analyzed use cases of TBT in separate subsections. The following use cases of the tool TBT are considered:
1. Generate Test, see Section 1.13.1.1
1.13.1.1 USE CASE GENERATE TEST
This section describes the use case "Generate Test".
UseCase: Generate Test
Description: Generate test cases according to tactics derived from test specifications
Table 523 UseCase: Generate Test
The use case requires no features and calls no other use cases. The use case "Generate Test" reads and/or writes the following artifacts. The used artifacts are shown in Fig 88 and are summarized in the subsequent table.
Fig 88 Artifacts of Use Case: Generate Test
Artifacts of Use Case: Generate Test
Inputs:
• Safety Requirements
• TBT Data Model
• TBT Oracle Model
• TBT Tactic
• Test Specification
Outputs:
• Metrics
• Test Cases
Table 524 Artifacts of Use Case: Generate Test
1.13.2 FEATURES OF TBT
There are no features modeled for TBT.
1.13.3 POTENTIAL ERRORS IN TBT
The tool has 3 different potential errors in 3 occurrences in use cases. The error flow, as can be seen in Fig 89, consists of all relations from errors to checks or restrictions. There are
• no relation from errors caused by other tools to checks or restrictions defined for use cases of this tool.
• 3 relations from errors caused by this tool to checks or restrictions defined for use cases of this tool.
• no relation from errors caused by this tool to checks or restrictions defined for use cases of other tools.
Fig 89 Error Flow to and from TBT
TBT has the following 3 relations, which are detected by checks or restrictions of this tool. The errors are described in detail in the TCL analysis of the corresponding use cases:
• Non-Executable Test (Table 528)
• Wrong Metrics (Table 529)
• Wrong Test Generated (Table 530)
1.13.4 RESTRICTIONS IN TBT
There are no restrictions in the tool TBT.
1.13.5 CHECKS IN TBT
The following 2 checks are performed in the tool TBT.
Check: Executability Check
Description: The generated test is compiled and executed
Comment: There is a high probability of detecting that the test is not executable, e.g. not compiling correctly, since this is an automatic check
From use case: TBT,Validate Tests
Occurrences:
• in Validate Tests
Error detection probability: TD 1 (HIGH)
Detected errors:
• Validate Tests,Generate Test,Non-Executable Test
Is assumption: True
Table 525 Check: Executability Check
Check: Review Test against Specification
Description: Review of the generated test cases for correctness against the specification
Comment: Since it is easy to see that a test case covers a specified feature, the review has a high probability of detecting non-conformance errors between the tests and the specification.
From use case: TBT,Validate Tests
Occurrences:
• in Validate Tests
Error detection probability: TD 1 (HIGH)
Detected errors:
• Validate Tests,Generate Test,Wrong Metrics
• Validate Tests,Generate Test,Wrong Test Generated
Is assumption: True
Table 526 Check: Review Test against Specification
1.13.6 ASSUMPTIONS
The determination of the TCL of TBT is based on the following 2 assumptions on the development process.
• Check: Executability Check (Table 525) occurs in: o Validate Tests
• Check: Review Test against Specification (Table 526) occurs in: o Validate Tests
1.13.7 TCL DETERMINATION
This section determines a TCL for each use case by assigning checks or restrictions with detection/avoidance probability to each potential error. The TCL for the entire tool can be derived from the TCL for each use case. The tool TBT has one use case with TCL 1, no use case with TCL 2 and no use case with TCL 3. Therefore the tool TBT has TCL 1. The use cases are described in the following sections:
• For "Generate Test" (TCL 1) see Section 1.13.7.1.
1.13.7.1 TCL DETERMINATION FOR USE CASE: GENERATE TEST
The use case "Generate Test" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "Generate Test".
Error | TD | Table
Non-Executable Test | TD 1 (HIGH) | Table 528
Wrong Metrics | TD 1 (HIGH) | Table 529
Wrong Test Generated | TD 1 (HIGH) | Table 530
Table 527 Errors of Use Case: Generate Test
Error: Non-Executable Test
Description: The generated test is not executable, e.g. it does not compile or link, or it aborts at startup
From use case: Generate Test
Discovered by the following checks:
• Validate Tests.Executability Check
Subsumes:
• "Not Executable" from "Executable"
Occurrences:
• in Generate Test
Error View:
Table 528 Error: Non-Executable Test
Error: Wrong Metrics
Description: The wrong coverage is generated, i.e. the test claims to cover the specification but does not cover it
From use case: Generate Test
Discovered by the following checks:
• Validate Tests.Review Test against Specification
Subsumes:
• "Wrong Data" from "Statistic"
Occurrences:
• in Generate Test
Error View:
Table 529 Error: Wrong Metrics
Error: Wrong Test Generated
Description: The generated test does not fit the specification or does not achieve the claimed coverage
From use case: Generate Test
Discovered by the following checks:
• Validate Tests.Review Test against Specification
Subsumes:
• "Wrong Computation" from "Executable"
• "Wrong Data" from "Statistic"
Occurrences:
• in Generate Test
Error View:
Table 530 Error: Wrong Test Generated
1.14 TECNALIA ASSURANCE CASE EDITOR
This section explains the determination of the Tool Confidence Level (TCL) for the tool Tecnalia Assurance Case Editor.
Tool: Tecnalia Assurance Case Editor
Description: This tool supports the editing of a safety case in a graphical view
Comment: This is a support for an expert to express in a graphical way the safety case associated with the certification dossier, in order to support the authorities when checking the evidence
Impact: TI 2 (Impact)
Tool Confidence Level: TCL 1
Table 531 Tool: Tecnalia Assurance Case Editor
The tool Tecnalia Assurance Case Editor is modeled with 4 elements which have impact, none of them are assumptions. No additional features have been modeled.
Elements | Amount (Assumptions)
Use Cases | 1 (0)
Checks | 1 (0)
Restrictions | 0 (0)
Potential Errors | 2 (0)
Table 532 Amount of Elements in Tool: Tecnalia Assurance Case Editor
1.14.1 USE CASES OF TECNALIA ASSURANCE CASE EDITOR
This section describes all analyzed use cases of Tecnalia Assurance Case Editor in separate subsections. The following use cases of the tool Tecnalia Assurance Case Editor are considered:
1. Assurance Case edition, see Section 1.14.1.1
1.14.1.1 USE CASE ASSURANCE CASE EDITION
This section describes the use case "Assurance Case edition".
UseCase: Assurance Case edition
Description: The user can draw the case using the elements defined in the GSN standard
Comment: This is done by a certification expert and just puts in a graphical way the arguments that show that the evidence supports the safety goals
Table 533 UseCase: Assurance Case edition
The use case requires no features and calls no other use cases. Use cases calling "Assurance Case edition":
• GEMDE Certification,Technical view
The use case "Assurance Case edition" reads and/or writes the following artifacts. The used artifacts are shown in Fig 90 and are summarized in the subsequent table.
Fig 90 Artifacts of Use Case: Assurance Case edition
Artifacts of Use Case: Assurance Case edition
Inputs:
• Safety Case
Outputs:
• Safety Case
Inputs & Outputs:
• Safety Case
Table 534 Artifacts of Use Case: Assurance Case edition
1.14.2 FEATURES OF TECNALIA ASSURANCE CASE EDITOR
There are no features modeled for Tecnalia Assurance Case Editor.
1.14.3 POTENTIAL ERRORS IN TECNALIA ASSURANCE CASE EDITOR
The tool has 2 different potential errors in 2 occurrences in use cases. The error flow, as can be seen in Fig 91, consists of all relations from errors to checks or restrictions. There are
• no relation from errors caused by other tools to checks or restrictions defined for use cases of this tool.
• 2 relations from errors caused by this tool to checks or restrictions defined for use cases of this tool.
• no relation from errors caused by this tool to checks or restrictions defined for use cases of other tools.
Fig 91 Error Flow to and from Tecnalia Assurance Case Editor
Tecnalia Assurance Case Editor has the following 2 relations, which are detected by checks or restrictions of this tool. The errors are described in detail in the TCL analysis of the corresponding use cases:
• Assurance Case is unexplained (Table 537)
• Assurance Case is unfounded (Table 538)
1.14.4 RESTRICTIONS IN TECNALIA ASSURANCE CASE EDITOR
There are no restrictions in the tool Tecnalia Assurance Case Editor.
1.14.5 CHECKS IN TECNALIA ASSURANCE CASE EDITOR
The following one check is performed in the tool Tecnalia Assurance Case Editor.
Check: Expert audit
Description: After every assurance case is released, an audit from an expert is done
From use case: Tecnalia Assurance Case Editor,Assurance Case edition
Occurrences:
• in Assurance Case edition
Error detection probability: TD 1 (HIGH)
Detected errors:
• Assurance Case edition,Assurance Case is unexplained
• Assurance Case edition,Assurance Case is unfounded
Table 535 Check: Expert audit
1.14.6 ASSUMPTIONS
The determination of the TCL of Tecnalia Assurance Case Editor is not based on assumed checks and restrictions. None of the checks and restrictions are modeled as assumptions.
1.14.7 TCL DETERMINATION
This section determines a TCL for each use case by assigning checks or restrictions with detection/avoidance probability to each potential error. The TCL for the entire tool can be derived from the TCL for each use case. The tool Tecnalia Assurance Case Editor has one use case with TCL 1, no use case with TCL 2 and no use case with TCL 3. Therefore the tool Tecnalia Assurance Case Editor has TCL 1. The use cases are described in the following sections:
• For "Assurance Case edition" (TCL 1) see Section 1.14.7.1.
1.14.7.1 TCL DETERMINATION FOR USE CASE: ASSURANCE CASE EDITION
The use case "Assurance Case edition" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "Assurance Case edition".
Error | TD | Table
Assurance Case is unexplained | TD 1 (HIGH) | Table 537
Assurance Case is unfounded | TD 1 (HIGH) | Table 538
Table 536 Errors of Use Case: Assurance Case edition
Error: Assurance Case is unexplained
Description: The assurance case contains evidence not properly linked to an argument
From use case: Assurance Case edition
Discovered by the following checks:
• Assurance Case edition.Expert audit
Occurrences:
• in Assurance Case edition
Error View:
Table 537 Error: Assurance Case is unexplained
Error: Assurance Case is unfounded
Description: The safety case contains arguments not supported by proper evidence
From use case: Assurance Case edition
Discovered by the following checks:
• Assurance Case edition.Expert audit
Occurrences:
• in Assurance Case edition
Error View:
Table 538 Error: Assurance Case is unfounded
1.15 TEST ENVIRONMENT
This section explains the determination of the Tool Confidence Level (TCL) for the tool Test Environment.
Tool: Test Environment
Description: This is a virtual test environment that is used to formulate assumptions from the test generator to test tools and processes in which the generated tests can be executed.
Impact: TI 2 (Impact)
Tool Confidence Level: TCL 1
Is assumption: True
Table 539 Tool: Test Environment
The tool Test Environment is modeled with 5 elements which have impact, 5 of them are assumptions. No additional features have been modeled.
Elements | Amount (Assumptions)
Use Cases | 2 (2)
Checks | 3 (3)
Restrictions | 0 (0)
Potential Errors | 0 (0)
Table 540 Amount of Elements in Tool: Test Environment
1.15.1 USE CASES OF TEST ENVIRONMENT
This section describes all analyzed use cases of Test Environment in separate subsections. The following use cases of the tool Test Environment are considered:
1. Unit Test, see Section 1.15.1.1
2. Validate Tests, see Section 1.15.1.2
1.15.1.1 USE CASE UNIT TEST
This section describes the use case "Unit Test".
UseCase: Unit Test
Description: -None-
Is assumption: True
Table 541 UseCase: Unit Test
The use case requires no features and calls no other use cases. The use case "Unit Test" reads and/or writes the following artifacts. The used artifacts are shown in Fig 92 and are summarized in the subsequent table.
Fig 92 Artifacts of Use Case: Unit Test
Artifacts of Use Case: Unit Test
Inputs:
• C/C++ Source Code
• Test Cases
Table 542 Artifacts of Use Case: Unit Test
1.15.1.2 USE CASE VALIDATE TESTS
This section describes the use case "Validate Tests".
UseCase: Validate Tests
Description: Since the test cases are only stimuli, the results have to be validated manually
Is assumption: True
Table 543 UseCase: Validate Tests
The use case requires no features and calls no other use cases. The use case "Validate Tests" reads and/or writes the following artifacts. The used artifacts are shown in Fig 93 and are summarized in the subsequent table.
Fig 93 Artifacts of Use Case: Validate Tests
Artifacts of Use Case: Validate Tests
Inputs & Outputs:
• Test Cases
Table 544 Artifacts of Use Case: Validate Tests
1.15.2 FEATURES OF TEST ENVIRONMENT
There are no features modeled for Test Environment.
1.15.3 POTENTIAL ERRORS IN TEST ENVIRONMENT
The tool has no potential errors. The error flow, as can be seen in Fig 94, consists of all relations from errors to checks or restrictions. There are
• 5 relations from errors caused by other tools to checks or restrictions defined for use cases of this tool.
• no relation from errors caused by this tool to checks or restrictions defined for use cases of this tool.
• no relation from errors caused by this tool to checks or restrictions defined for use cases of other tools.
Fig 94 Error Flow to and from Test Environment
Table 545 shows all 5 relations, introduced by one other tool:
Tool | Error | UseCase | Table
Development | Assertion Violation | Create Code | TCL Determination for Use Case: HW/SW allocation
Development | Dead Code | Create Code | Table 101
Development | Other Programing Error | Create Code | Table 102
Development | Runtime Error | Create Code | TCL Determination for Use Case: Item Definition
Development | Runtime Error | Create Code | TCL Determination for Use Case: Item Definition
Table 545 Errors introduced in Test Environment by other tools
1.15.4 RESTRICTIONS IN TEST ENVIRONMENT
There are no restrictions in the tool Test Environment.
1.15.5 CHECKS IN TEST ENVIRONMENT
The following 3 checks are performed in the tool Test Environment.
Check: Life Check
Description: We can show that code is live and pinpoint lines of code for which we cannot generate a test case to reach them (which is potentially dead code).
Comment: Maybe too much code is marked as not alive.
From use case: Test Environment,Unit Test
Occurrences:
• in Unit Test
Error detection probability: TD 2 (MEDIUM)
Detected errors from other tools:
• Unit Test,Development,Create Code,Dead Code
Is assumption: True
Relations to other tools:
Table 546 Check: Life Check
Check: Program Verification
Description: Based on the tests with a high code coverage the program can be verified.
Comment: This has a medium detection probability; otherwise the other verification activities (reviews, ...) would not be necessary any more.
From use case: Test Environment,Unit Test
Occurrences:
• in Unit Test
Error detection probability: TD 2 (MEDIUM)
Detected errors from other tools:
• Unit Test,Development,Create Code,Other Programing Error
• Unit Test,Development,Create Code,Runtime Error
Is assumption: True
Relations to other tools:
Table 547 Check: Program Verification
Check: Runtime Check
Description: This check detects runtime errors like division by zero, array-out-of-bounds or null-pointer errors in the code.
Comment: Even if the detection is simple (e.g. by catching the exception), it is in general impossible to compute all possible inputs that could cause this without abstraction. Therefore the probability is medium.
From use case: Test Environment,Unit Test
Occurrences:
• in Unit Test
Error detection probability: TD 2 (MEDIUM)
Detected errors from other tools:
• Unit Test,Development,Create Code,Assertion Violation
• Unit Test,Development,Create Code,Runtime Error
Is assumption: True
Relations to other tools:
Table 548 Check: Runtime Check
1.15.6 ASSUMPTIONS
The determination of the TCL of Test Environment is based on the following 5 assumptions on the development process.
• Check: Life Check (Table 546) occurs in: o Unit Test
• Check: Program Verification (Table 547) occurs in: o Unit Test
• Check: Runtime Check (Table 548) occurs in: o Unit Test
• UseCase: Unit Test
• UseCase: Validate Tests
1.15.7 TCL DETERMINATION
This section determines a TCL for each use case by assigning checks or restrictions with detection/avoidance probability to each potential error. The TCL for the entire tool can be derived from the TCL for each use case. The tool Test Environment has 2 use cases with TCL 1, no use case with TCL 2 and no use case with TCL 3. Therefore the tool Test Environment has TCL 1. The use cases are described in the following sections:
• For "Unit Test" (TCL 1) see Section 1.15.7.1, and
• for "Validate Tests" (TCL 1) see Section 1.15.7.2.
1.15.7.1 TCL DETERMINATION FOR USE CASE: UNIT TEST
The use case "Unit Test" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. This use case has no errors.
1.15.7.2 TCL DETERMINATION FOR USE CASE: VALIDATE TESTS
The use case "Validate Tests" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. This use case has no errors.
1.16 TOOL CHAIN ANALYZER
This section explains the determination of the Tool Confidence Level (TCL) for the tool Tool Chain Analyzer.
Tool: Tool Chain Analyzer
Description: The tool TCA, used to analyze tool chains. It can be obtained from Validas AG at www.validas.de/TCA.html
Impact: TI 2 (Impact)
Tool Confidence Level: TCL 3
Table 549 Tool: Tool Chain Analyzer
The tool Tool Chain Analyzer is modeled with 17 elements which have impact, none of them are assumptions. In addition, 10 features have been modeled, one of which is an assumption.
Elements | Amount (Assumptions)
Use Cases | 5 (0)
Checks | 1 (0)
Restrictions | 0 (0)
Potential Errors | 11 (0)
Table 550 Amount of Elements in Tool: Tool Chain Analyzer
1.16.1 USE CASES OF TOOL CHAIN ANALYZER
This section describes all analyzed use cases of Tool Chain Analyzer in separate subsections. The following use cases of the tool Tool Chain Analyzer are considered:
1. Cost Calculation, see Section 1.16.1.1
2. Create Model, see Section 1.16.1.2
3. Determinate Tool Confidence Level, see Section 1.16.1.3
4. Generate Tool Classification Report, see Section 1.16.1.4
5. Review Model, see Section 1.16.1.5
1.16.1.1 USE CASE COST CALCULATION
This section describes the use case "Cost Calculation".
UseCase: Cost Calculation
Description: The TCA can calculate the costs of the tool chain and the manual steps involved.
Table 551 UseCase: Cost Calculation
The use case requires 3 features and calls no other use cases. Fig 95 shows the dependencies between the use cases and features.
Fig 95 Dependency View of Use Case: Cost Calculation
"Cost Calculation" uses the following features:
• Cost Model
• EMF
• Excel Interface
In order to fulfill the requirements of the use case, usually a number of artifacts will be read and/or written. But in "Cost Calculation" the tool Tool Chain Analyzer uses no artifacts.
1.16.1.2 USE CASE CREATE MODEL
This section describes the use case "Create Model".
UseCase: Create Model
Description: The TCA model is created using interactive work with the tool
Table 552 UseCase: Create Model
The use case requires 3 features and calls no other use cases. Fig 96 shows the dependencies between the use cases and features.
Fig 96 Dependency View of Use Case: Create Model
"Create Model" uses the following features:
• EMF
• Model Validation
• Xml Interface
The use case "Create Model" reads and/or writes the following artifacts. The used artifacts are shown in Fig 97 and are summarized in the subsequent table.
Fig 97 Artifacts of Use Case: Create Model
Artifacts of Use Case: Create Model
Inputs:
• Overall Project Plan
• Safety Plan
Table 553 Artifacts of Use Case: Create Model
1.16.1.3 USE CASE DETERMINATE TOOL CONFIDENCE LEVEL
This section describes the use case "Determinate Tool Confidence Level".
UseCase: Determinate Tool Confidence Level
Description: The Tool Chain Analyzer determines the Tool Confidence Level according to ISO 26262.
Comment: The TCA model is considered to be a part of the software tool application guidelines.
Table 554 UseCase: Determinate Tool Confidence Level
The use case requires 2 features and calls no other use cases. Fig 98 shows the dependencies between the use cases and features.
Fig 98 Dependency View of Use Case: Determinate Tool Confidence Level
"Determinate Tool Confidence Level" uses the following features:
• Compute Tool Confidence Level
• EMF
The use case "Determinate Tool Confidence Level" reads and/or writes the following artifacts. The used artifacts are shown in Fig 99 and are summarized in the subsequent table.
Fig 99 Artifacts of Use Case: Determinate Tool Confidence Level
Artifacts of Use Case: Determinate Tool Confidence Level
Inputs:
• Overall Project Plan
• Safety Plan
Outputs:
• Safety Manual
• Tool Evaluation Report
Table 555 Artifacts of Use Case: Determinate Tool Confidence Level
1.16.1.4 USE CASE GENERATE TOOL CLASSIFICATION REPORT
This section describes the use case "Generate Tool Classification Report".
UseCase: Generate Tool Classification Report
Description: A tool classification report is generated containing the Tool Confidence Level for all tools. The tool classification report consists of two parts. The first one is related to the considered process and contains individual descriptions like information sources, tool versions etc. The second part describes the formal model of the tool chain with all elements (tools, use cases, artifacts, errors, probabilities, ...) and the automatically computed tool confidence level for each tool. The second part is generated from the TCA into a Word document. The information flows in the generated report are graphically visualised using the GraphViz tool.
Comment: We consider the generated report to be also a part of the tool application guidelines.
Table 556 UseCase: Generate Tool Classification Report
The use case requires 3 features and calls no other use cases. Fig 100 shows the dependencies between the use cases and features.
Fig 100 Dependency View of Use Case: Generate Tool Classification Report
"Generate Tool Classification Report" uses the following features:
• Compute Tool Confidence Level
• EMF
• Generate Word (docx)
The use case "Generate Tool Classification Report" reads and/or writes the following artifacts. The used artifacts are shown in Fig 101 and are summarized in the subsequent table.
Fig 101 Artifacts of Use Case: Generate Tool Classification Report
Artifacts of Use Case: Generate Tool Classification Report
Inputs:
• Overall Project Plan
Outputs:
• Tool Evaluation Report
Inputs & Outputs:
• Safety Manual
Table 557 Artifacts of Use Case: Generate Tool Classification Report
1.16.1.5 USE CASE REVIEW MODEL
This section describes the use case "Review Model".
UseCase: Review Model
Description: The model is reviewed using Excel interfaces that are easier to use for many reviewers
Table 558 UseCase: Review Model
The use case requires 4 features and calls no other use cases. Fig 102 shows the dependencies between the use cases and features.
Fig 102 Dependency View of Use Case: Review Model
"Review Model" uses the following features:
• EMF
• Excel Interface
• Model Validation
• SG_Use Review Checklist
The use case "Review Model" reads and/or writes the following artifacts. The used artifacts are shown in Fig 103 and are summarized in the subsequent table.
Fig 103 Artifacts of Use Case: Review Model
Artifacts of Use Case: Review Model
Inputs:
• Overall Project Plan
• Safety Plan
Outputs:
• Review Protocol
Inputs & Outputs:
• Safety Manual
Table 559 Artifacts of Use Case: Review Model
1.16.2 FEATURES OF TOOL CHAIN ANALYZER
This section describes all analyzed features of Tool Chain Analyzer in separate subsections. The following features of the tool Tool Chain Analyzer are considered:
1. Compute Tool Confidence Level, see Section 1.16.2.1
2. Cost Model, see Section 1.16.2.2
3. EMF, see Section 1.16.2.3
4. Excel Interface, see Section 1.16.2.4
5. Generate Word (docx), see Section 1.16.2.5
6. Model Validation, see Section 1.16.2.6
7. Safety Guidelines, see Section 1.16.2.7
8. SG_Avoid Feature, see Section 1.16.2.8
9. SG_Use Review Checklist, see Section 1.16.2.9
10. Xml Interface, see Section 1.16.2.10
1.16.2.1 FEATURE COMPUTE TOOL CONFIDENCE LEVEL
This section describes the feature "Compute Tool Confidence Level".
Feature: Compute Tool Confidence Level
Description: The tool confidence level is computed according to ISO 26262. The tool confidence level (TCL) is computed based on the error detection (TD) probability of all potential errors in the relevant use cases, if a tool has impact (TI) on the safety of the product. More details can be found in the TCA user manual, which is located in the TCA plugin Documentation, for example: Programme\TCA150\TCA150\plugins\Documentation_1.5.0\UserManual.pdf
Table 560 Feature: Compute Tool Confidence Level
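The aggregation rules this report applies (a use case takes the lowest detection level of its errors, a use case without errors counts as TCL 1, and the tool takes the highest TCL among its use cases) can be written down as a small program. The following Python is an added illustration and is not code from the TCA or from Validas; the TI/TD to TCL mapping is the one in ISO 26262-8 (Table 4), the TBT data is copied from Tables 521 to 530 of this report, and two points are assumptions of this example rather than statements of the report: an error with no detecting check is rated TD 3 (LOW), and where several checks detect the same error the best one counts. The second model (ConstructedTool) is constructed to show a TCL 2 and a TCL 3 outcome.

```python
"""ISO 26262 Tool Confidence Level (TCL) computation, following the
aggregation rules stated in this report. Added illustration, not TCA code."""
from dataclasses import dataclass, field
from typing import List

# Tool Detection (TD) classes: smaller number = higher detection probability.
TD_HIGH, TD_MEDIUM, TD_LOW = 1, 2, 3


@dataclass
class Check:
    name: str
    td: int            # detection probability class of this check/restriction


@dataclass
class PotentialError:
    name: str
    checks: List[Check] = field(default_factory=list)  # measures detecting/avoiding it


@dataclass
class UseCase:
    name: str
    errors: List[PotentialError] = field(default_factory=list)


@dataclass
class Tool:
    name: str
    ti: int            # Tool Impact: 1 = no impact, 2 = impact
    use_cases: List[UseCase] = field(default_factory=list)


def error_td(err: PotentialError) -> int:
    """Assumption of this example: an error with no detecting check is TD 3,
    and with several checks the best one counts."""
    if not err.checks:
        return TD_LOW
    return min(c.td for c in err.checks)


def use_case_td(uc: UseCase) -> int:
    """Report rule: the use case takes the lowest detection level (the worst
    TD) of all its errors; a use case without errors is treated as TD 1."""
    if not uc.errors:
        return TD_HIGH
    return max(error_td(e) for e in uc.errors)


def tcl_from_ti_td(ti: int, td: int) -> int:
    """ISO 26262-8 Table 4: TI 1 always gives TCL 1; for TI 2 the TCL follows the TD."""
    if ti == 1:
        return 1
    return {TD_HIGH: 1, TD_MEDIUM: 2, TD_LOW: 3}[td]


def use_case_tcl(tool: Tool, uc: UseCase) -> int:
    return tcl_from_ti_td(tool.ti, use_case_td(uc))


def tool_tcl(tool: Tool) -> int:
    """Report rule: the tool gets the highest TCL among its use cases."""
    return max((use_case_tcl(tool, uc) for uc in tool.use_cases), default=1)


def tbt_model() -> Tool:
    """TBT as modeled in this report (Tables 521-530): TI 2, one use case,
    three errors, each detected by a TD 1 check."""
    exec_check = Check("Executability Check", TD_HIGH)
    review = Check("Review Test against Specification", TD_HIGH)
    return Tool("TBT", ti=2, use_cases=[UseCase("Generate Test", [
        PotentialError("Non-Executable Test", [exec_check]),
        PotentialError("Wrong Metrics", [review]),
        PotentialError("Wrong Test Generated", [review]),
    ])])


def constructed_weak_model() -> Tool:
    """Constructed variant (not from the report): one error covered only by a
    TD 2 check, one error with no check at all, and one use case without errors."""
    return Tool("ConstructedTool", ti=2, use_cases=[
        UseCase("Medium", [PotentialError("E1", [Check("Manual review", TD_MEDIUM)])]),
        UseCase("Unchecked", [PotentialError("E2")]),
        UseCase("NoErrors"),
    ])


if __name__ == "__main__":
    for tool in (tbt_model(), constructed_weak_model()):
        for uc in tool.use_cases:
            print(f"{tool.name}/{uc.name}: TD {use_case_td(uc)} -> TCL {use_case_tcl(tool, uc)}")
        print(f"{tool.name}: TCL {tool_tcl(tool)}")
```

Run as a script it reproduces the TBT result of Section 1.13.7 (TCL 1) and shows, for the constructed tool, that a single error left to a medium-probability check already raises its use case to TCL 2, and an error nobody checks raises the whole tool to TCL 3.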
The feature "Compute Tool Confidence Level" reads and/or writes the following artifacts. The used artifacts are shown in Fig 104 and are summarized in the subsequent table.
Fig 104 Artifacts of Feature: Compute Tool Confidence Level
Artifacts of Feature: Compute Tool Confidence Level
Inputs:
• User Input
Outputs:
• Display Output
• Excel File
• Word Document
Inputs & Outputs:
• Model
Table 561 Artifacts of Feature: Compute Tool Confidence Level
1.16.2.2 FEATURE COST MODEL
This section describes the feature "Cost Model".
Feature: Cost Model
Description: Feature to model the costs of the process
Table 562 Feature: Cost Model
The feature "Cost Model" reads and/or writes the following artifacts. The used artifacts are shown in Fig 105 and are summarized in the subsequent table.
Fig 105 Artifacts of Feature: Cost Model
Artifacts of Feature: Cost Model
Inputs:
• User Input
Outputs:
• Display Output
Inputs & Outputs:
• Excel File
• Model
Table 563 Artifacts of Feature: Cost Model
1.16.2.3 FEATURE EMF
This section describes the feature "EMF".
Feature: EMF
Description: EMF (Eclipse Modeling Framework) is used for editing and persistence of the models
Table 564 Feature: EMF
The feature "EMF" reads and/or writes the following artifacts. The used artifacts are shown in Fig 106 and are summarized in the subsequent table.
Fig 106 Artifacts of Feature: EMF
Artifacts of Feature: EMF
Inputs:
• User Input
Outputs:
• Display Output
Inputs & Outputs:
• Model
Table 565 Artifacts of Feature: EMF
1.16.2.4 FEATURE EXCEL INTERFACE
This section describes the feature "Excel Interface".
Feature: Excel Interface
Description: Export and import of different views into Excel (.xls) files. The following views can be exported to and imported from Excel to ease the modeling process:
- tool attributes
- features
- artifacts
- errors
More details can be found in the TCA user manual, which is located in the TCA plugin Documentation, for example: Programme\TCA150\TCA150\plugins\Documentation_1.5.0\UserManual.pdf
Table 566 Feature: Excel Interface
The feature "Excel Interface" reads and/or writes the following artifacts. The used artifacts are shown in Fig 107 and are summarized in the subsequent table.
Fig 107 Artifacts of Feature: Excel Interface
Artifacts of Feature: Excel Interface
Inputs:
• User Input
Inputs & Outputs:
• Excel File
• Model
Table 567 Artifacts of Feature: Excel Interface
1.16.2.5 FEATURE GENERATE WORD (DOCX)
This section describes the feature "Generate Word (docx)".
Feature: Generate Word (docx)
Description: Generates a Word document from the model. A Word report is generated from the model that contains the complete information in a readable format. For each tool there is a section with the following information:
- use cases
- features
- errors
- checks
- restrictions
- assumptions
- artifacts
- qualifications
- tool confidence level explanations for all errors in all use cases of the tool.
Furthermore, graphical visualisations of important relations are included.
Table 568 Feature: Generate Word (docx)
The feature "Generate Word (docx)" reads and/or writes the following artifacts. The used artifacts are shown in Fig 108 and are summarized in the subsequent table.
Fig 108 Artifacts of Feature: Generate Word (docx)
Artifacts of Feature: Generate Word (docx)
Inputs:
• Model
• User Input
Outputs:
• Word Document
Table 569 Artifacts of Feature: Generate Word (docx)
1.16.2.6 FEATURE MODEL VALIDATION
This section describes the feature "Model Validation".
Feature: Model Validation
Description: The TCA detects inconsistent models.
Many consistency checks are implemented that go beyond the syntactic checks. More details can be found in the TCA user manual, which is located in the TCA plugin Documentation, for example: Programme\TCA150\TCA150\plugins\Documentation_1.5.0\UserManual.pdf
Table 570 Feature: Model Validation
The feature "Model Validation" reads and/or writes the following artifacts. The used artifacts are shown in Fig 109 and are summarized in the subsequent table.
Fig 109 Artifacts of Feature: Model Validation
Artifacts of Feature: Model Validation
Inputs:
• Model
• User Input
Outputs:
• Display Output
Table 571 Artifacts of Feature: Model Validation
1.16.2.7 FEATURE SAFETY GUIDELINES
This section describes the feature "Safety Guidelines".
Feature: Safety Guidelines
Description: Use the safety manual of the TCA, which contains the safety checks that should be applied.
Table 572 Feature: Safety Guidelines
The feature "Safety Guidelines" has the following 2 sub-features:
• SG_Avoid Feature
• SG_Use Review Checklist
In order to fulfill the requirements of the feature, usually a number of artifacts will be read and/or written. But in "Safety Guidelines" the tool Tool Chain Analyzer uses no artifacts.
1.16.2.8 FEATURE SG_AVOID FEATURE
This section describes the feature "SG_Avoid Feature".
Feature: SG_Avoid Feature
Description: Avoid this feature, since it is redundant.
Is assumption: True
Table 573 Feature: SG_Avoid Feature
The feature "SG_Avoid Feature" is part of the following feature:
• Safety Guidelines
In order to fulfill the requirements of the feature, usually a number of artifacts will be read and/or written. But in "SG_Avoid Feature" the tool Tool Chain Analyzer uses no artifacts.
1.16.2.9 FEATURE SG_USE REVIEW CHECKLIST
This section describes the feature "SG_Use Review Checklist".
Feature: SG_Use Review Checklist
Description: Apply the checks of the review checklists.
Table 574 Feature: SG_Use Review Checklist
The feature "SG_Use Review Checklist" is part of the following feature:
• Safety Guidelines
In order to fulfill the requirements of the feature, usually a number of artifacts will be read and/or written. But in "SG_Use Review Checklist" the tool Tool Chain Analyzer uses no artifacts.
1.16.2.10 FEATURE XML INTERFACE
This section describes the feature "Xml Interface".
Feature: Xml Interface
Description: The Xml interface supports the export and import of single tool models.
For integration of large models based on single tool models, this feature can be used to develop models in parallel working teams. To ensure the modularity of the exported models, all referenced elements of the tool are also exported, but only with the minimal required information.
More details can be found in the TCA user manual, which is located in the TCA plugin Documentation, for example: Programme\TCA150\TCA150\plugins\Documentation_1.5.0\UserManual.pdf
Table 575 Feature: Xml Interface
The feature "Xml Interface" reads and/or writes the following artifacts. The used artifacts are shown in Fig 110 and are summarized in the subsequent table.
Fig 110 Artifacts of Feature: Xml Interface
Artifacts of Feature: Xml Interface
Inputs:
• User Input
Inputs & Outputs:
• Model
Table 576 Artifacts of Feature: Xml Interface
1.16.3 POTENTIAL ERRORS IN TOOL CHAIN ANALYZER
The tool has 11 different potential errors in 19 occurrences in use cases. The error flow, as can be seen in Fig 111, consists of all relations from errors to checks or restrictions. There are
• no relation from errors caused by other tools to checks or restrictions defined for use cases of this tool.
• 7 relations from errors caused by this tool to checks or restrictions defined for use cases of this tool.
• 2 relations from errors caused by this tool to checks or restrictions defined for use cases of other tools.
• 10 errors caused by this tool without any relation to checks or restrictions.
Fig 111 Error Flow to and from Tool Chain Analyzer
Tool Chain Analyzer has the following 7 relations, which are detected by checks or restrictions of this tool. The errors are described in detail in the TCL analysis of the corresponding use cases:
• Model Not Adequate (Table 599)
• Wrong Export
  o 2 occurrences: Table 601, Table 581
• Wrong Import
  o 2 occurrences: Table 602, Table 582
• Wrong XML Export (Table 586)
• Wrong XML Import (Table 587)
Due to 2 relations, Tool Chain Analyzer has an impact on one other tool. The errors are listed in Table 577.
Tool | Error | UseCase | Table
Process Checker | Process Inconsistently Modelled | Create Model | Table 585
Process Checker | Process Inconsistently Modelled | Review Model | Table 600
Table 577 Errors of Tool Chain Analyzer with impact on other tools
The following 10 error occurrences of Tool Chain Analyzer have no relation to any check or restriction:
• Any EMF Error
  o 5 occurrences: Table 589, Table 580, Table 594, Table 584, Table 598
• Document Generated Wrongly (Table 595)
• TCL Wrongly Shown (Table 590)
• TCL Wrongly Written (Table 591)
• Wrong TCL Computed
  o 2 occurrences: Table 592, Table 596
1.16.4 RESTRICTIONS IN TOOL CHAIN ANALYZER
There are no restrictions in the tool Tool Chain Analyzer.
1.16.5 CHECKS IN TOOL CHAIN ANALYZER
The following check is performed in the tool Tool Chain Analyzer.
Check: Review Checklist
Description: The model review can be performed using review checklists in which the reviewers fill in their names, findings, etc.
Comment: Using this, there is a high probability of finding missing review elements.
From feature: Tool Chain Analyzer,Safety Guidelines,SG_Use Review Checklist
Occurrences:
• in SG_Use Review Checklist in Review Model
Error detection probability: TD 1 (HIGH)
Detected errors:
• Review Model,Model Not Adequate
Table 578 Check: Review Checklist
1.16.6 ASSUMPTIONS
The determination of the TCL of Tool Chain Analyzer is based on the following 1 assumption about the development process:
• Feature: Safety Guidelines,SG_Avoid Feature
1.16.7 TCL DETERMINATION
This section determines a TCL for each use case by assigning checks or restrictions with detection/avoidance probability to each potential error. The TCL for the entire tool can be derived from the TCL for each use case. The tool Tool Chain Analyzer has no use case with TCL 1, no use case with TCL 2 and 5 use cases with TCL 3. Therefore the tool Tool Chain Analyzer has TCL 3. The use cases are described in the following sections:
• For "Cost Calculation" (TCL 3) see Section 1.16.7.1,
• for "Create Model" (TCL 3) see Section 1.16.7.2,
• for "Determinate Tool Confidence Level" (TCL 3) see Section 1.16.7.3,
• for "Generate Tool Classification Report" (TCL 3) see Section 1.16.7.4, and
• for "Review Model" (TCL 3) see Section 1.16.7.5.
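The rule just stated (a use case's TCL is the lowest Tool Detection Level among its errors, and the tool's TCL follows from its use cases) can be re-derived from the error tables of this section. The following is an added example, not part of the generated report: it encodes the error occurrences of Tool Chain Analyzer from Tables 579, 583, 588, 593 and 597 together with the checks and restrictions the tables name, and recomputes the TCLs of section 1.16.7 and the error-flow counts of section 1.16.3; the function names are the example's own.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Occurrence:
    """One row of a use-case error table: an error occurrence, its Tool
    Detection Level, and the check or restriction (if any) related to it."""
    use_case: str
    error: str
    td: int                                 # TD 1 = HIGH detection ... TD 3 = LOW
    mitigation: Optional[str] = None        # check/restriction as named in the report
    mitigating_tool: Optional[str] = None   # tool owning that check/restriction


THIS_TOOL = "Tool Chain Analyzer"
# Relations named in the error tables (Tables 580-602 of this report).
AVOID = ("Safety Guidelines,SG_Avoid Feature.Avoid Features", THIS_TOOL)
CHECKLIST = ("Safety Guidelines,SG_Use Review Checklist.Review Checklist", THIS_TOOL)
VALIDATE = ("Validate Process.Consistent Process", "Process Checker")

# Constructed from the per-use-case error tables of section 1.16.7.
OCCURRENCES = [
    Occurrence("Cost Calculation", "Any EMF Error", 3),
    Occurrence("Cost Calculation", "Wrong Export", 3, *AVOID),
    Occurrence("Cost Calculation", "Wrong Import", 3, *AVOID),
    Occurrence("Create Model", "Any EMF Error", 3),
    Occurrence("Create Model", "Process Inconsistently Modelled", 1, *VALIDATE),
    Occurrence("Create Model", "Wrong XML Export", 3, *AVOID),
    Occurrence("Create Model", "Wrong XML Import", 3, *AVOID),
    Occurrence("Determinate Tool Confidence Level", "Any EMF Error", 3),
    Occurrence("Determinate Tool Confidence Level", "TCL Wrongly Shown", 3),
    Occurrence("Determinate Tool Confidence Level", "TCL Wrongly Written", 3),
    Occurrence("Determinate Tool Confidence Level", "Wrong TCL Computed", 3),
    Occurrence("Generate Tool Classification Report", "Any EMF Error", 3),
    Occurrence("Generate Tool Classification Report", "Document Generated Wrongly", 3),
    Occurrence("Generate Tool Classification Report", "Wrong TCL Computed", 3),
    Occurrence("Review Model", "Any EMF Error", 3),
    Occurrence("Review Model", "Model Not Adequate", 1, *CHECKLIST),
    Occurrence("Review Model", "Process Inconsistently Modelled", 1, *VALIDATE),
    Occurrence("Review Model", "Wrong Export", 3, *AVOID),
    Occurrence("Review Model", "Wrong Import", 3, *AVOID),
]


def use_case_tcls(occ=OCCURRENCES) -> dict:
    """TCL of each use case: the lowest detection level of its errors. Since
    TD 1 is HIGH and TD 3 is LOW, "lowest detection" is the largest TD number."""
    tcl = {}
    for o in occ:
        tcl[o.use_case] = max(tcl.get(o.use_case, 0), o.td)
    return tcl


def tool_tcl(occ=OCCURRENCES) -> int:
    """The tool's TCL is the worst TCL of any of its use cases."""
    return max(use_case_tcls(occ).values())


def tcl_histogram(occ=OCCURRENCES) -> dict:
    """Number of use cases at TCL 1, 2 and 3 (the sentence in section 1.16.7)."""
    hist = {1: 0, 2: 0, 3: 0}
    for t in use_case_tcls(occ).values():
        hist[t] += 1
    return hist


def error_flow(occ=OCCURRENCES) -> dict:
    """The error-flow counts reported for this tool in section 1.16.3."""
    return {
        "distinct_errors": len({o.error for o in occ}),
        "occurrences": len(occ),
        "relations_to_own_checks": sum(o.mitigating_tool == THIS_TOOL for o in occ),
        "relations_to_other_tools": sum(
            o.mitigating_tool not in (None, THIS_TOOL) for o in occ),
        "occurrences_without_relation": sum(o.mitigation is None for o in occ),
    }


def unrelated_by_error(occ=OCCURRENCES) -> Counter:
    """Per error, how many occurrences have no check or restriction at all."""
    return Counter(o.error for o in occ if o.mitigation is None)


def tcl_drivers(use_case: str, occ=OCCURRENCES) -> list:
    """Errors whose TD equals the use case's TCL: each of them would need a
    stronger check or restriction before the use case could reach a lower TCL."""
    tcl = use_case_tcls(occ)[use_case]
    return sorted(o.error for o in occ if o.use_case == use_case and o.td == tcl)


if __name__ == "__main__":
    print("use case TCLs:", use_case_tcls())
    print("tool TCL:", tool_tcl(), "histogram:", tcl_histogram())
    print("error flow:", error_flow())
    for uc in use_case_tcls():
        print(uc, "is driven by", tcl_drivers(uc))
```

Running it reproduces the figures of the report (11 errors in 19 occurrences, 7 + 2 relations, 10 unrelated occurrences, all five use cases at TCL 3), and the driver list shows that "Any EMF Error" keeps every use case at TCL 3 regardless of the other relations.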
1.16.7.1 TCL DETERMINATION FOR USE CASE: COST CALCULATION
The use case "Cost Calculation" has TCL 3. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "Cost Calculation".
Error | TD | Table
Any EMF Error | TD 3 (LOW) | Table 580
Wrong Export | TD 3 (LOW) | Table 581
Wrong Import | TD 3 (LOW) | Table 582
Table 579 Errors of Use Case: Cost Calculation
Error: Any EMF Error
Description: Any error that can occur in EMF (uncritical errors may be excluded)
From feature: EMF
Subsumes: • "Algorithm Error" from "Fcn_Algorithm"
• "Defect File" from "Data_File" • "Defect Text" from "Data_File_Text" • "Empty File" from "Data_File" • "Empty Model" from "Data_File_Syntax_Model" • "Empty Text" from "Data_File_Text" • "Line Missing" from "Data_File_Text" • "Model Unreadable" from "Data_File_Syntax_Model"
• "No Interaction" from "Data_Interaction" • "Not Accessible File" from "Data_File" • "Not Accessible Model" from "Data_File_Syntax_Model" • "Not Accessible Text" from "Data_File_Text" • "Other File" from "Data_File" • "Other Model" from "Data_File_Syntax_Model" • "Other Partner" from "Data_Interaction" • "Other Text" from "Data_File_Text" • "Too Big File" from "Data_File" • "Too Big Model" from "Data_File_Syntax_Model" • "Too Big Text" from "Data_File_Text" • "Too Early Data" from "Data_Interaction" • "Too Late Data" from "Data_Interaction" • "Transformation Not Supported" from "Fcn_Behaviour_Transformation" • "Wrong Algorithm" from "Fcn_Algorithm" • "Wrong Behaviour" from "Fcn_Behaviour" • "Wrong Interaction" from "Data_Interaction" • "Wrong Model Behaviour" from "Data_File_Syntax_Model" • "Wrong Model Description" from "Data_File_Syntax_Model" • "Wrong Transformation" from "Fcn_Behaviour_Transformation" • "Wrong Variant" from "Fcn_Variants"
Occurrences: • in EMF in Cost Calculation
Error View:
Table 580 Error: Any EMF Error
Error: Wrong Export
Description: The Excel file does not contain the relevant information of the model.
From feature: Excel Interface
Subsumes:
• "Decoded Wongly" from "Fcn_Algorithm_DeEncode" • "Defect File" from "Data_File" • "Empty File" from "Data_File" • "Empty Syntaxfile" from "Data_File_Syntax" • "Empty Table" from "Data_File_Table" • "Encoded Wrongly" from "Fcn_Algorithm_DeEncode" • "Not Accessible File" from "Data_File" • "Not Accessible Syntaxfile" from "Data_File_Syntax" • "Not Accessible Table" from "Data_File_Table" • "Option Defect" from "Fcn_Variants_Options" • "Option Ignored" from "Fcn_Variants_Options" • "Other File" from "Data_File" • "Other Syntaxfile" from "Data_File_Syntax" • "Other Table" from "Data_File_Table" • "Syntax Error" from "Data_File_Syntax" • "Table Column Error" from "Data_File_Table" • "Table Row Error" from "Data_File_Table" • "Too Big File" from "Data_File" • "Too Big Syntaxfile" from "Data_File_Syntax" • "Transformation Not Supported" from "Fcn_Behaviour_Transformation" • "Wrong Behaviour" from "Fcn_Behaviour" • "Wrong Cell Data" from "Data_File_Table" • "Wrong Semantic" from "Data_File_Syntax" • "Wrong Transformation" from "Fcn_Behaviour_Transformation"
Occurrences: • in Excel Interface in Cost Calculation
Avoided by the following restrictions: • Safety Guidelines,SG_Avoid Feature.Avoid Features
Error View:
Table 581 Error: Wrong Export
Error: Wrong Import
Description: The model is created wrongly.
From feature: Excel Interface
Subsumes: • "Defect File" from "Data_File"
• "Empty File" from "Data_File" • "Empty Model" from "Data_File_Syntax_Model" • "Model Unreadable" from "Data_File_Syntax_Model" • "Not Accessible File" from "Data_File" • "Not Accessible Model" from "Data_File_Syntax_Model" • "Option Defect" from "Fcn_Variants_Options" • "Option Ignored" from "Fcn_Variants_Options" • "Other File" from "Data_File" • "Other Model" from "Data_File_Syntax_Model" • "Too Big File" from "Data_File" • "Too Big Model" from "Data_File_Syntax_Model" • "Wrong Model Behaviour" from "Data_File_Syntax_Model" • "Wrong Model Description" from "Data_File_Syntax_Model"
Occurrences: • in Excel Interface in Cost Calculation
Avoided by the following restrictions: • Safety Guidelines,SG_Avoid Feature.Avoid Features
Error View:
Table 582 Error: Wrong Import
1.16.7.2 TCL DETERMINATION FOR USE CASE: CREATE MODEL
The use case "Create Model" has TCL 3. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "Create Model".
Error | TD | Table
Any EMF Error | TD 3 (LOW) | Table 584
Process Inconsistently Modelled | TD 1 (HIGH) | Table 585
Wrong XML Export | TD 3 (LOW) | Table 586
Wrong XML Import | TD 3 (LOW) | Table 587
Table 583 Errors of Use Case: Create Model
Error: Any EMF Error
Description: Any error that can occur in EMF (uncritical errors may be excluded)
From feature: EMF
Subsumes: • "Algorithm Error" from "Fcn_Algorithm"
• "Defect File" from "Data_File" • "Defect Text" from "Data_File_Text" • "Empty File" from "Data_File" • "Empty Model" from "Data_File_Syntax_Model" • "Empty Text" from "Data_File_Text" • "Line Missing" from "Data_File_Text" • "Model Unreadable" from "Data_File_Syntax_Model" • "No Interaction" from "Data_Interaction" • "Not Accessible File" from "Data_File" • "Not Accessible Model" from "Data_File_Syntax_Model" • "Not Accessible Text" from "Data_File_Text" • "Other File" from "Data_File" • "Other Model" from "Data_File_Syntax_Model" • "Other Partner" from "Data_Interaction" • "Other Text" from "Data_File_Text" • "Too Big File" from "Data_File" • "Too Big Model" from "Data_File_Syntax_Model" • "Too Big Text" from "Data_File_Text" • "Too Early Data" from "Data_Interaction" • "Too Late Data" from "Data_Interaction" • "Transformation Not Supported" from "Fcn_Behaviour_Transformation" • "Wrong Algorithm" from "Fcn_Algorithm" • "Wrong Behaviour" from "Fcn_Behaviour" • "Wrong Interaction" from "Data_Interaction" • "Wrong Model Behaviour" from "Data_File_Syntax_Model" • "Wrong Model Description" from "Data_File_Syntax_Model" • "Wrong Transformation" from "Fcn_Behaviour_Transformation" • "Wrong Variant" from "Fcn_Variants"
Occurrences: • in EMF in Create Model
Error View:
Table 584 Error: Any EMF Error
Error: Process Inconsistently Modelled
Description: The process might be inconsistent, e.g. a document is neither created nor written.
From feature: Model Validation
Subsumes: • "Algorithm Error" from "Fcn_Algorithm"
• "Defect File" from "Data_File" • "Defect Text" from "Data_File_Text" • "Empty File" from "Data_File" • "Empty Text" from "Data_File_Text" • "Line Missing" from "Data_File_Text" • "No Interaction" from "Data_Interaction" • "Not Accessible File" from "Data_File" • "Not Accessible Text" from "Data_File_Text" • "Other File" from "Data_File" • "Other Partner" from "Data_Interaction" • "Other Text" from "Data_File_Text" • "Too Big File" from "Data_File" • "Too Big Text" from "Data_File_Text" • "Too Early Data" from "Data_Interaction" • "Too Late Data" from "Data_Interaction" • "Wrong Algorithm" from "Fcn_Algorithm" • "Wrong Behaviour" from "Fcn_Behaviour" • "Wrong Error Reported" from "Model Validation" • "Wrong Interaction" from "Data_Interaction" • "Wrong Specification" from "Fcn_Specification"
Occurrences: • in Model Validation in Create Model
Avoided by the following restrictions: • Validate Process.Consistent Process
Error View:
Table 585 Error: Process Inconsistently Modelled
Error: Wrong XML Export
Description: The XML file does not contain the relevant information of the model.
From feature: Xml Interface
Occurrences: • in Xml Interface in Create Model
Avoided by the following restrictions: • Safety Guidelines,SG_Avoid Feature.Avoid Features
Error View:
Table 586 Error: Wrong XML Export
Error: Wrong XML Import
Description: The model is created wrongly.
From feature: Xml Interface
Subsumes: • "Defect File" from "Data_File"
• "Empty File" from "Data_File" • "Empty Model" from "Data_File_Syntax_Model" • "Model Unreadable" from "Data_File_Syntax_Model" • "Not Accessible File" from "Data_File" • "Not Accessible Model" from "Data_File_Syntax_Model" • "Other File" from "Data_File" • "Other Model" from "Data_File_Syntax_Model" • "Too Big File" from "Data_File" • "Too Big Model" from "Data_File_Syntax_Model" • "Wrong Model Behaviour" from "Data_File_Syntax_Model" • "Wrong Model Description" from "Data_File_Syntax_Model"
Occurrences: • in Xml Interface in Create Model
Avoided by the following restrictions: • Safety Guidelines,SG_Avoid Feature.Avoid Features
Error View:
Table 587 Error: Wrong XML Import
1.16.7.3 TCL DETERMINATION FOR USE CASE: DETERMINATE TOOL CONFIDENCE LEVEL
The use case "Determinate Tool Confidence Level" has TCL 3. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "Determinate Tool Confidence Level".
Error | TD | Table
Any EMF Error | TD 3 (LOW) | Table 589
TCL Wrongly Shown | TD 3 (LOW) | Table 590
TCL Wrongly Written | TD 3 (LOW) | Table 591
Wrong TCL Computed | TD 3 (LOW) | Table 592
Table 588 Errors of Use Case: Determinate Tool Confidence Level
Error: Any EMF Error
Description: Any error that can occur in EMF (uncritical errors may be excluded)
From feature: EMF
Subsumes: • "Algorithm Error" from "Fcn_Algorithm"
• "Defect File" from "Data_File" • "Defect Text" from "Data_File_Text" • "Empty File" from "Data_File" • "Empty Model" from "Data_File_Syntax_Model" • "Empty Text" from "Data_File_Text" • "Line Missing" from "Data_File_Text" • "Model Unreadable" from "Data_File_Syntax_Model" • "No Interaction" from "Data_Interaction" • "Not Accessible File" from "Data_File" • "Not Accessible Model" from "Data_File_Syntax_Model"
• "Not Accessible Text" from "Data_File_Text" • "Other File" from "Data_File" • "Other Model" from "Data_File_Syntax_Model" • "Other Partner" from "Data_Interaction" • "Other Text" from "Data_File_Text" • "Too Big File" from "Data_File" • "Too Big Model" from "Data_File_Syntax_Model" • "Too Big Text" from "Data_File_Text" • "Too Early Data" from "Data_Interaction" • "Too Late Data" from "Data_Interaction" • "Transformation Not Supported" from "Fcn_Behaviour_Transformation" • "Wrong Algorithm" from "Fcn_Algorithm" • "Wrong Behaviour" from "Fcn_Behaviour" • "Wrong Interaction" from "Data_Interaction" • "Wrong Model Behaviour" from "Data_File_Syntax_Model" • "Wrong Model Description" from "Data_File_Syntax_Model" • "Wrong Transformation" from "Fcn_Behaviour_Transformation" • "Wrong Variant" from "Fcn_Variants"
Occurrences: • in EMF in Determinate Tool Confidence Level
Error View:
Table 589 Error: Any EMF Error
Error: TCL Wrongly Shown
Description: The TCL is computed correctly but shown wrongly.
From use case: Determinate Tool Confidence Level
Subsumes: • "Defect Text" from "Data_File_Text"
• "Empty Text" from "Data_File_Text" • "Line Missing" from "Data_File_Text"
• "No Interaction" from "Data_Interaction" • "Not Accessible Text" from "Data_File_Text" • "Other Partner" from "Data_Interaction" • "Other Text" from "Data_File_Text" • "Too Big Text" from "Data_File_Text" • "Too Early Data" from "Data_Interaction" • "Too Late Data" from "Data_Interaction" • "Wrong Interaction" from "Data_Interaction"
Occurrences: • in Determinate Tool Confidence Level
Error View:
Table 590 Error: TCL Wrongly Shown
Error: TCL Wrongly Written
Description: The TCL is computed or written wrongly into a file.
From use case: Determinate Tool Confidence Level
Subsumes: • "Defect File" from "Data_File"
• "Defect Text" from "Data_File_Text" • "Empty File" from "Data_File" • "Empty Model" from "Data_File_Syntax_Model" • "Empty Syntaxfile" from "Data_File_Syntax" • "Empty Table" from "Data_File_Table" • "Empty Text" from "Data_File_Text" • "Line Missing" from "Data_File_Text" • "Model Unreadable" from "Data_File_Syntax_Model" • "No XML Content" from "Data_File_Syntax_XML" • "Not Accessible File" from "Data_File" • "Not Accessible Model" from "Data_File_Syntax_Model" • "Not Accessible Syntaxfile" from "Data_File_Syntax" • "Not Accessible Table" from "Data_File_Table" • "Not Accessible Text" from "Data_File_Text" • "Not Accessible XML File" from "Data_File_Syntax_XML" • "Other File" from "Data_File" • "Other Model" from "Data_File_Syntax_Model" • "Other Syntaxfile" from "Data_File_Syntax"
• "Other Table" from "Data_File_Table" • "Other Text" from "Data_File_Text" • "Other XML File" from "Data_File_Syntax_XML" • "Syntax Error" from "Data_File_Syntax" • "Table Column Error" from "Data_File_Table" • "Table Row Error" from "Data_File_Table" • "Too Big File" from "Data_File" • "Too Big Model" from "Data_File_Syntax_Model" • "Too Big Syntaxfile" from "Data_File_Syntax" • "Too Big Text" from "Data_File_Text" • "Wron XML Composition" from "Data_File_Syntax_XML" • "Wrong Cell Data" from "Data_File_Table" • "Wrong Model Behaviour" from "Data_File_Syntax_Model" • "Wrong Model Description" from "Data_File_Syntax_Model" • "Wrong Semantic" from "Data_File_Syntax" • "XML Attribute Error" from "Data_File_Syntax_XML" • "XML Link Error" from "Data_File_Syntax_XML" • "XML Schema Violation" from "Data_File_Syntax_XML"
Occurrences: • in Determinate Tool Confidence Level
Error View:
Table 591 Error: TCL Wrongly Written
Error: Wrong TCL Computed
Description: The TCL is computed wrongly, e.g. TCL 1 instead of TCL >1
From feature: Compute Tool Confidence Level
Subsumes: • "Algorithm Error" from "Fcn_Algorithm"
• "Defect File" from "Data_File" • "Defect Text" from "Data_File_Text" • "Empty File" from "Data_File" • "Empty Model" from "Data_File_Syntax_Model" • "Empty Syntaxfile" from "Data_File_Syntax" • "Empty Table" from "Data_File_Table" • "Empty Text" from "Data_File_Text" • "Line Missing" from "Data_File_Text"
• "Model Unreadable" from "Data_File_Syntax_Model" • "No Interaction" from "Data_Interaction" • "Not Accessible File" from "Data_File" • "Not Accessible Model" from "Data_File_Syntax_Model" • "Not Accessible Syntaxfile" from "Data_File_Syntax" • "Not Accessible Table" from "Data_File_Table" • "Not Accessible Text" from "Data_File_Text" • "Other File" from "Data_File" • "Other Model" from "Data_File_Syntax_Model" • "Other Partner" from "Data_Interaction" • "Other Syntaxfile" from "Data_File_Syntax" • "Other Table" from "Data_File_Table" • "Other Text" from "Data_File_Text" • "Syntax Error" from "Data_File_Syntax" • "Table Column Error" from "Data_File_Table" • "Table Row Error" from "Data_File_Table" • "Too Big File" from "Data_File" • "Too Big Model" from "Data_File_Syntax_Model" • "Too Big Syntaxfile" from "Data_File_Syntax" • "Too Big Text" from "Data_File_Text" • "Too Early Data" from "Data_Interaction" • "Too Late Data" from "Data_Interaction" • "Wrong Algorithm" from "Fcn_Algorithm" • "Wrong Cell Data" from "Data_File_Table" • "Wrong Interaction" from "Data_Interaction" • "Wrong Model Behaviour" from "Data_File_Syntax_Model" • "Wrong Model Description" from "Data_File_Syntax_Model" • "Wrong Result" from "Fcn_Behaviour_Calculator" • "Wrong Semantic" from "Data_File_Syntax" • "Wrong Specification" from "Fcn_Specification" • "Wrong Variant" from "Fcn_Variants"
Occurrences: • in Compute Tool Confidence Level in Determinate Tool Confidence Level
Error View:
Table 592 Error: Wrong TCL Computed
1.16.7.4 TCL DETERMINATION FOR USE CASE: GENERATE TOOL CLASSIFICATION REPORT
The use case "Generate Tool Classification Report" has TCL 3. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "Generate Tool Classification Report".
Error | TD | Table
Any EMF Error | TD 3 (LOW) | Table 594
Document Generated Wrongly | TD 3 (LOW) | Table 595
Wrong TCL Computed | TD 3 (LOW) | Table 596
Table 593 Errors of Use Case: Generate Tool Classification Report
Error: Any EMF Error
Description: Any error that can occur in EMF (uncritical errors may be excluded)
From feature: EMF
Subsumes: • "Algorithm Error" from "Fcn_Algorithm"
• "Defect File" from "Data_File" • "Defect Text" from "Data_File_Text" • "Empty File" from "Data_File" • "Empty Model" from "Data_File_Syntax_Model" • "Empty Text" from "Data_File_Text" • "Line Missing" from "Data_File_Text" • "Model Unreadable" from "Data_File_Syntax_Model" • "No Interaction" from "Data_Interaction" • "Not Accessible File" from "Data_File" • "Not Accessible Model" from "Data_File_Syntax_Model" • "Not Accessible Text" from "Data_File_Text"
• "Other File" from "Data_File" • "Other Model" from "Data_File_Syntax_Model" • "Other Partner" from "Data_Interaction" • "Other Text" from "Data_File_Text" • "Too Big File" from "Data_File" • "Too Big Model" from "Data_File_Syntax_Model" • "Too Big Text" from "Data_File_Text" • "Too Early Data" from "Data_Interaction" • "Too Late Data" from "Data_Interaction" • "Transformation Not Supported" from "Fcn_Behaviour_Transformation" • "Wrong Algorithm" from "Fcn_Algorithm" • "Wrong Behaviour" from "Fcn_Behaviour" • "Wrong Interaction" from "Data_Interaction" • "Wrong Model Behaviour" from "Data_File_Syntax_Model" • "Wrong Model Description" from "Data_File_Syntax_Model" • "Wrong Transformation" from "Fcn_Behaviour_Transformation" • "Wrong Variant" from "Fcn_Variants"
Occurrences: • in EMF in Generate Tool Classification Report
Error View:
Table 594 Error: Any EMF Error
Error: Document Generated Wrongly
Description: The document does not fit the model.
From feature: Generate Word (docx)
Subsumes: • "Defect File" from "Data_File"
• "Defect Text" from "Data_File_Text" • "Empty File" from "Data_File" • "Empty Syntaxfile" from "Data_File_Syntax"
• "Empty Text" from "Data_File_Text" • "Line Missing" from "Data_File_Text" • "Missing CPU" from "Fcn_Resource_CPU" • "Not Accessible File" from "Data_File" • "Not Accessible Syntaxfile" from "Data_File_Syntax" • "Not Accessible Text" from "Data_File_Text" • "Other File" from "Data_File" • "Other Syntaxfile" from "Data_File_Syntax" • "Other Text" from "Data_File_Text" • "Syntax Error" from "Data_File_Syntax" • "Too Big File" from "Data_File" • "Too Big Syntaxfile" from "Data_File_Syntax" • "Too Big Text" from "Data_File_Text" • "Transformation Not Supported" from "Fcn_Behaviour_Transformation" • "Wrong Semantic" from "Data_File_Syntax" • "Wrong Specification" from "Fcn_Specification" • "Wrong Transformation" from "Fcn_Behaviour_Transformation" • "Wrong Variant" from "Fcn_Variants"
Occurrences: • in Generate Word (docx) in Generate Tool Classification Report
Error View:
Table 595 Error: Document Generated Wrongly
Error: Wrong TCL Computed
Description: The TCL is computed wrongly, e.g. TCL 1 instead of TCL >1
From feature: Compute Tool Confidence Level
Subsumes: • "Algorithm Error" from "Fcn_Algorithm"
• "Defect File" from "Data_File" • "Defect Text" from "Data_File_Text"
• "Empty File" from "Data_File" • "Empty Model" from "Data_File_Syntax_Model" • "Empty Syntaxfile" from "Data_File_Syntax" • "Empty Table" from "Data_File_Table" • "Empty Text" from "Data_File_Text" • "Line Missing" from "Data_File_Text" • "Model Unreadable" from "Data_File_Syntax_Model" • "No Interaction" from "Data_Interaction" • "Not Accessible File" from "Data_File" • "Not Accessible Model" from "Data_File_Syntax_Model" • "Not Accessible Syntaxfile" from "Data_File_Syntax" • "Not Accessible Table" from "Data_File_Table" • "Not Accessible Text" from "Data_File_Text" • "Other File" from "Data_File" • "Other Model" from "Data_File_Syntax_Model" • "Other Partner" from "Data_Interaction" • "Other Syntaxfile" from "Data_File_Syntax" • "Other Table" from "Data_File_Table" • "Other Text" from "Data_File_Text" • "Syntax Error" from "Data_File_Syntax" • "Table Column Error" from "Data_File_Table" • "Table Row Error" from "Data_File_Table" • "Too Big File" from "Data_File" • "Too Big Model" from "Data_File_Syntax_Model" • "Too Big Syntaxfile" from "Data_File_Syntax" • "Too Big Text" from "Data_File_Text" • "Too Early Data" from "Data_Interaction" • "Too Late Data" from "Data_Interaction" • "Wrong Algorithm" from "Fcn_Algorithm" • "Wrong Cell Data" from "Data_File_Table" • "Wrong Interaction" from "Data_Interaction" • "Wrong Model Behaviour" from "Data_File_Syntax_Model" • "Wrong Model Description" from "Data_File_Syntax_Model" • "Wrong Result" from "Fcn_Behaviour_Calculator" • "Wrong Semantic" from "Data_File_Syntax" • "Wrong Specification" from "Fcn_Specification" • "Wrong Variant" from "Fcn_Variants"
Occurrences: • in Compute Tool Confidence Level in Generate Tool Classification Report
Error View:
Table 596 Error: Wrong TCL Computed
1.16.7.5 TCL DETERMINATION FOR USE CASE: REVIEW MODEL
The use case "Review Model" has TCL 3. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "Review Model".
Error | TD | Table
Any EMF Error | TD 3 (LOW) | Table 598
Model Not Adequate | TD 1 (HIGH) | Table 599
Process Inconsistently Modelled | TD 1 (HIGH) | Table 600
Wrong Export | TD 3 (LOW) | Table 601
Wrong Import | TD 3 (LOW) | Table 602
Table 597 Errors of Use Case: Review Model
Error: Any EMF Error
Description: Any error that can occur in EMF (uncritical errors may be excluded)
From feature: EMF
Subsumes: • "Algorithm Error" from "Fcn_Algorithm"
• "Defect File" from "Data_File" • "Defect Text" from "Data_File_Text" • "Empty File" from "Data_File" • "Empty Model" from "Data_File_Syntax_Model" • "Empty Text" from "Data_File_Text" • "Line Missing" from "Data_File_Text" • "Model Unreadable" from "Data_File_Syntax_Model" • "No Interaction" from "Data_Interaction" • "Not Accessible File" from "Data_File"
• "Not Accessible Model" from "Data_File_Syntax_Model" • "Not Accessible Text" from "Data_File_Text" • "Other File" from "Data_File" • "Other Model" from "Data_File_Syntax_Model" • "Other Partner" from "Data_Interaction" • "Other Text" from "Data_File_Text" • "Too Big File" from "Data_File" • "Too Big Model" from "Data_File_Syntax_Model" • "Too Big Text" from "Data_File_Text" • "Too Early Data" from "Data_Interaction" • "Too Late Data" from "Data_Interaction" • "Transformation Not Supported" from "Fcn_Behaviour_Transformation" • "Wrong Algorithm" from "Fcn_Algorithm" • "Wrong Behaviour" from "Fcn_Behaviour" • "Wrong Interaction" from "Data_Interaction" • "Wrong Model Behaviour" from "Data_File_Syntax_Model" • "Wrong Model Description" from "Data_File_Syntax_Model" • "Wrong Transformation" from "Fcn_Behaviour_Transformation" • "Wrong Variant" from "Fcn_Variants"
Occurrences: • in EMF in Review Model
Error View:
Table 598 Error: Any EMF Error
Error: Model Not Adequate
Description: An important issue has not been reviewed correctly, i.e. a finding has been overlooked and the model is not adequate.
From use case: Review Model
Discovered by the following checks: • Safety Guidelines,SG_Use Review Checklist.Review Checklist
Subsumes: • "Defect File" from "Data_File"
• "Defect Text" from "Data_File_Text" • "Empty File" from "Data_File" • "Empty Model" from "Data_File_Syntax_Model" • "Empty Syntaxfile" from "Data_File_Syntax" • "Empty Table" from "Data_File_Table" • "Empty Text" from "Data_File_Text" • "Line Missing" from "Data_File_Text" • "Model Unreadable" from "Data_File_Syntax_Model" • "No Interaction" from "Data_Interaction" • "Not Accessible File" from "Data_File" • "Not Accessible Model" from "Data_File_Syntax_Model" • "Not Accessible Syntaxfile" from "Data_File_Syntax" • "Not Accessible Table" from "Data_File_Table" • "Not Accessible Text" from "Data_File_Text" • "Other File" from "Data_File" • "Other Model" from "Data_File_Syntax_Model" • "Other Partner" from "Data_Interaction" • "Other Syntaxfile" from "Data_File_Syntax" • "Other Table" from "Data_File_Table" • "Other Text" from "Data_File_Text" • "Syntax Error" from "Data_File_Syntax" • "Table Column Error" from "Data_File_Table" • "Table Row Error" from "Data_File_Table" • "Too Big File" from "Data_File" • "Too Big Model" from "Data_File_Syntax_Model" • "Too Big Syntaxfile" from "Data_File_Syntax" • "Too Big Text" from "Data_File_Text" • "Too Early Data" from "Data_Interaction" • "Too Late Data" from "Data_Interaction" • "Wrong Cell Data" from "Data_File_Table" • "Wrong Interaction" from "Data_Interaction" • "Wrong Model Behaviour" from "Data_File_Syntax_Model" • "Wrong Model Description" from "Data_File_Syntax_Model" • "Wrong Semantic" from "Data_File_Syntax"
Occurrences: • in Review Model
Error View:
Table 599 Error: Model Not Adequate
Error: Process Inconsistently Modelled
Description: The process might be inconsistent, e.g. a document is neither created nor written.
From feature: Model Validation
Subsumes: • "Algorithm Error" from "Fcn_Algorithm"
• "Defect File" from "Data_File" • "Defect Text" from "Data_File_Text" • "Empty File" from "Data_File" • "Empty Text" from "Data_File_Text" • "Line Missing" from "Data_File_Text" • "No Interaction" from "Data_Interaction" • "Not Accessible File" from "Data_File" • "Not Accessible Text" from "Data_File_Text" • "Other File" from "Data_File" • "Other Partner" from "Data_Interaction" • "Other Text" from "Data_File_Text" • "Too Big File" from "Data_File" • "Too Big Text" from "Data_File_Text" • "Too Early Data" from "Data_Interaction" • "Too Late Data" from "Data_Interaction" • "Wrong Algorithm" from "Fcn_Algorithm" • "Wrong Behaviour" from "Fcn_Behaviour" • "Wrong Error Reported" from "Model Validation" • "Wrong Interaction" from "Data_Interaction" • "Wrong Specification" from "Fcn_Specification"
Occurrences: • in Model Validation in Review Model Avoided by the following restrictions: • Validate Process.Consistent Process
Error View:
Table 600 Error: Process Inconsistently Modelled
Error: Wrong Export Description: The Excel file does not contain the relevant information of the model. From feature: Excel Interface Subsumes: • "Decoded Wongly" from "Fcn_Algorithm_DeEncode"
• "Defect File" from "Data_File" • "Empty File" from "Data_File" • "Empty Syntaxfile" from "Data_File_Syntax" • "Empty Table" from "Data_File_Table" • "Encoded Wrongly" from "Fcn_Algorithm_DeEncode" • "Not Accessible File" from "Data_File" • "Not Accessible Syntaxfile" from "Data_File_Syntax"
• "Not Accessible Table" from "Data_File_Table" • "Option Defect" from "Fcn_Variants_Options" • "Option Ignored" from "Fcn_Variants_Options" • "Other File" from "Data_File" • "Other Syntaxfile" from "Data_File_Syntax" • "Other Table" from "Data_File_Table" • "Syntax Error" from "Data_File_Syntax" • "Table Column Error" from "Data_File_Table" • "Table Row Error" from "Data_File_Table" • "Too Big File" from "Data_File" • "Too Big Syntaxfile" from "Data_File_Syntax" • "Transformation Not Supported" from "Fcn_Behaviour_Transformation" • "Wrong Behaviour" from "Fcn_Behaviour" • "Wrong Cell Data" from "Data_File_Table" • "Wrong Semantic" from "Data_File_Syntax" • "Wrong Transformation" from "Fcn_Behaviour_Transformation"
Occurrences: • in Excel Interface in Review Model Avoided by the following restrictions: • Safety Guidelines,SG_Avoid Feature.Avoid Features Error View:
Table 601 Error: Wrong Export
Error: Wrong Import Description: The model is created wrongly. From feature: Excel Interface Subsumes: • "Defect File" from "Data_File"
• "Empty File" from "Data_File" • "Empty Model" from "Data_File_Syntax_Model"
• "Model Unreadable" from "Data_File_Syntax_Model" • "Not Accessible File" from "Data_File" • "Not Accessible Model" from "Data_File_Syntax_Model" • "Option Defect" from "Fcn_Variants_Options" • "Option Ignored" from "Fcn_Variants_Options" • "Other File" from "Data_File" • "Other Model" from "Data_File_Syntax_Model" • "Too Big File" from "Data_File" • "Too Big Model" from "Data_File_Syntax_Model" • "Wrong Model Behaviour" from "Data_File_Syntax_Model" • "Wrong Model Description" from "Data_File_Syntax_Model"
Occurrences: • in Excel Interface in Review Model Avoided by the following restrictions: • Safety Guidelines,SG_Avoid Feature.Avoid Features Error View:
Table 602 Error: Wrong Import
1.17 VERSAA
This section explains the determination of the Tool Confidence Level (TCL) for the tool VerSAA.
Tool: VerSAA
Description: Contract-based verifier for Simulink models developed at AAU
Impact: TI 2 (Impact)
Tool Confidence Level: TCL 1
Table 603 Tool: VerSAA
The tool VerSAA is modeled with 7 elements which have impact, none of them are assumptions. No additional features have been modeled.
Elements            Amount (Assumptions)
Use Cases           1 (0)
Checks              3 (0)
Restrictions        0 (0)
Potential Errors    3 (0)
Table 604 Amount of Elements in Tool: VerSAA
1.17.1 USE CASES OF VERSAA
This section describes all analyzed use cases of VerSAA in separate subsections. The following use cases of the tool VerSAA are considered:
1. Verify, see Section 1.17.1.1
1.17.1.1 USE CASE VERIFY
This section describes the use case "Verify".
UseCase: Verify
Description: Check that the subsystems in the model satisfy their contracts
Comment: OS: needs to update the model, otherwise no flow to design verifier
Table 605 UseCase: Verify
The use case requires no features and calls no other use cases. The use case "Verify" reads and/or writes the following artifacts. The used artifacts are shown in Fig 112 and are summarized in the subsequent table.
Fig 112 Artifacts of Use Case: Verify
Artifacts of Use Case: Verify
Inputs: • Contract • Simulink model • contract
Outputs: • VerSÅA verification report
Inputs & Outputs: • Simulink Model
Table 606 Artifacts of Use Case: Verify
1.17.2 FEATURES OF VERSAA
There are no features modeled for VerSAA.
1.17.3 POTENTIAL ERRORS IN VERSAA
The tool has 3 different potential errors in 3 occurrences in use cases. The error flow, as can be seen in Fig 113, consists of all relations from errors to checks or restrictions. There are
• 8 relations from errors caused by other tools to checks or restrictions defined for use cases of this tool.
• no relation from errors caused by this tool to checks or restrictions defined for use cases of this tool.
• 3 relations from errors caused by this tool to checks or restrictions defined for use cases of other tools.
Fig 113 Error Flow to and from VerSAA
Table 607 shows all 8 relations, introduced by 2 other tools:
Tool                      Error                  UseCase    Table
Simulink                  Contract corruption    Modelling  Table 506
Simulink                  Contract violation     Modelling  Table 508
Simulink                  Contract violation     Modelling  Table 508
Simulink                  Runtime error          Modelling  Table 510
Simulink                  Wrong contract         Modelling  Table 511
Simulink                  Wrong contract         Modelling  Table 511
Simulink Design Verifier  Unsound verification   Verify     Table 520
Simulink Design Verifier  Unsound verification   Verify     Table 520
Table 607 Errors introduced in VerSAA by other tools
Due to 3 relations, VerSAA has an impact on one other tool. The errors are listed in Table 608.
Tool                      Error                    UseCase  Table
Simulink Design Verifier  Incorrect translation    Verify   Table 613
Simulink Design Verifier  Incorrect VC generation  Verify   Table 614
Simulink Design Verifier  Verifier unsound         Verify   Table 615
Table 608 Errors of VerSAA with impact on other tools
1.17.4 RESTRICTIONS IN VERSAA
There are no restrictions in the tool VerSAA.
1.17.5 CHECKS IN VERSAA
The following 3 checks are performed in the tool VerSAA.
Check: Check contracts
Description: Checks if the subsystems in a model satisfy their contracts
From use case: VerSAA,Verify
Occurrences: • in Verify
Error detection probability: TD 1 (HIGH)
Detected errors from other tools: • Verify,Simulink Design Verifier,Verify,Unsound verification • Verify,Simulink,Modelling,Contract corruption • Verify,Simulink,Modelling,Contract violation • Verify,Simulink,Modelling,Wrong contract
Relations to other tools:
Table 609 Check: Check contracts
Check: ContractCheck
Description: Checks if the subsystems in a model satisfy their contracts
From use case: VerSAA,Verify
Occurrences: • in Verify
Error detection probability: TD 1 (HIGH)
Detected errors from other tools: • Verify,Simulink Design Verifier,Verify,Unsound verification • Verify,Simulink,Modelling,Contract violation • Verify,Simulink,Modelling,Wrong contract
Relations to other tools:
Table 610 Check: ContractCheck
Check: Runtime errors
Description: -None-
From use case: VerSAA,Verify
Occurrences: • in Verify
Error detection probability: TD 1 (HIGH)
Detected errors from other tools: • Verify,Simulink,Modelling,Runtime error
Relations to other tools:
Table 611 Check: Runtime errors
1.17.6 ASSUMPTIONS
The determination of the TCL of VerSAA is not based on assumed checks and restrictions. None of the checks and restrictions are modeled as assumptions.
1.17.7 TCL DETERMINATION
This section determines a TCL for each use case by assigning checks or restrictions with detection/avoidance probability to each potential error. The TCL for the entire tool can be derived from the TCL for each use case. The tool VerSAA has one use case with TCL 1, no use case with TCL 2 and no use case with TCL 3. Therefore the tool VerSAA has TCL 1. The use cases are described in the following sections:
• For "Verify" (TCL 1) see Section 1.17.7.1.
1.17.7.1 TCL DETERMINATION FOR USE CASE: VERIFY
The use case "Verify" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "Verify".
Error                    TD           Table
Incorrect translation    TD 1 (HIGH)  Table 613
Incorrect VC generation  TD 1 (HIGH)  Table 614
Verifier unsound         TD 1 (HIGH)  Table 615
Table 612 Errors of Use Case: Verify
Error: Incorrect translation
Description: The verifier translates the models and contracts to an intermediate format. Simulink is a complex language with no formal semantics and hence it is difficult to ensure the correctness of this step. However, this transformation needs to preserve the semantics of the model in order for the verification to produce the correct results.
From use case: Verify Discovered by the following checks: • Verify.Check assertions Occurrences: • in Verify Error View:
Table 613 Error: Incorrect translation
Error: Incorrect VC generation
Description: Verification conditions are generated from the intermediate representation and the contracts. They need to be generated correctly.
From use case: Verify Discovered by the following checks: • Verify.Check assertions Occurrences: • in Verify Error View:
Table 614 Error: Incorrect VC generation
Error: Verifier unsound
Description: The SMT-solver Z3 is used as the backend prover. This prover is not qualified according to any standard. The prover needs to be sound.
From use case: Verify Discovered by the following checks: • Verify.Check assertions Occurrences: • in Verify Error View:
Table 615 Error: Verifier unsound
1.18 YICES SMT SOLVER
This section explains the determination of the Tool Confidence Level (TCL) for the tool YICES SMT Solver.
Tool: YICES SMT Solver
Description: -None-
Impact: TI 2 (Impact)
Tool Confidence Level: TCL 1
Table 616 Tool: YICES SMT Solver
The tool YICES SMT Solver is modeled with no element which has impact. No additional features have been modeled.
Elements            Amount (Assumptions)
Use Cases           0 (0)
Checks              0 (0)
Restrictions        0 (0)
Potential Errors    0 (0)
Table 617 Amount of Elements in Tool: YICES SMT Solver
1.18.1 USE CASES OF YICES SMT SOLVER
There are no use cases modeled for YICES SMT Solver.
1.18.2 FEATURES OF YICES SMT SOLVER
There are no features modeled for YICES SMT Solver.
1.18.3 POTENTIAL ERRORS IN YICES SMT SOLVER
The tool has no potential error. The error flow consists of all relations from errors to checks or restrictions. There are
• no relation from errors caused by other tools to checks or restrictions defined for use cases of this tool.
• no relation from errors caused by this tool to checks or restrictions defined for use cases of this tool.
• no relation from errors caused by this tool to checks or restrictions defined for use cases of other tools.
1.18.4 RESTRICTIONS IN YICES SMT SOLVER
There are no restrictions in the tool YICES SMT Solver.
1.18.5 CHECKS IN YICES SMT SOLVER
No checks are performed in the tool YICES SMT Solver.
1.18.6 ASSUMPTIONS
The determination of the TCL of YICES SMT Solver is not based on assumed checks and restrictions. None of the checks and restrictions are modeled as assumptions.
1.18.7 TCL DETERMINATION
This section determines a TCL for each use case by assigning checks or restrictions with detection/avoidance probability to each potential error. The TCL for the entire tool can be derived from the TCL for each use case. The tool YICES SMT Solver has no use case with TCL 1, no use case with TCL 2 and no use case with TCL 3. Therefore the tool YICES SMT Solver has TCL 1. There are no use cases modeled for the tool YICES SMT Solver.
1.19 ADDITIONAL INFORMATION
This section contains additional information from the formal model of the tool chain. Additional information is not required by ISO 26262 for the determination of the TCL, but it eases the modeling process and the understanding of the error flow.
1.19.1 ARTIFACTS
The analysis incorporates artifacts for the validation of the model. If an error is checked by another tool, then there should be an information flow between them. Artifacts can be used to model this flow, and our analysis checks if there is an information flow between error sources and error sinks. Fig 114 shows the whole artifact flow in "RECOMP Tool Chain".
Fig 114 Artifact Flow in RECOMP Tool Chain
The tool chain "RECOMP Tool Chain" uses 64 artifacts, which are described hereafter. Artifact: AF3 System Model Description: The integrated data model of AF3 Hierarchy figure:
Hierarchy : • Detailed System Architecture [Parent]
• Preliminary System Architecture [Parent] • Requirement Specification [Parent] • Schedule [Parent] • Software Unit Design Specification [Parent] • Spatial Constraints [Parent] • Test Cases [Parent] • Test Specification [Parent] • Timing Parameters [Parent]
Used by feature: • AF3,Simulating a Logical Architecture
• AF3,Specifying Code-Baed Behavior of a Logical Architecture • AF3,Specifying Contracts on Logical Components • AF3,Specifying MSC Requirements • AF3,Specifying SIL Requirements • AF3,Specifying State-Based Behavior of a Logical Architecture • AF3,Specifying Technical Architecture • AF3,Synthesizing Deployment • AF3,Synthesizing Real-Time Schedule • AF3,Synthesizing SIL-Conformant Mapping • AF3,Synthesizing Test Cases • AF3,Verifing Contracts of a Logical Architecture • AF3,Verifying MSC Conformance • AF3,Verifying Soundness of a Logical Architecture
Created by feature: • AF3,Specfying Test Suite
• AF3,Specifying Code-Baed Behavior of a Logical Architecture • AF3,Specifying Contracts on Logical Components • AF3,Specifying MSC Requirements • AF3,Specifying SIL Requirements • AF3,Specifying State-Based Behavior of a Logical Architecture • AF3,Specifying Structure of a Logical Architecture • AF3,Specifying Technical Architecture • AF3,Specifying Textual Requirements • AF3,Synthesizing Real-Time Schedule • AF3,Synthesizing SIL-Conformant Mapping
Created by tool: • AF3 Is a: Detailed System Architecture
Table 618 Artifact: AF3 System Model
Artifact: Application task graph Description: The task graph for each application
Table 619 Artifact: Application task graph
Artifact: Argumentation Description: The user writes arguments as input to the tool Used by tool: • Tecnalia Assurance Case Editor
Table 620 Artifact: Argumentation
Artifact: Binary executable Description: Target binary executable Hierarchy figure:
Hierarchy : • Evidence [Parent] Used by tool: • Tecnalia Assurance Case Editor Is a: Evidence
Table 621 Artifact: Binary executable
Artifact: C/C++ Source Code Description: C or C++
Hierarchy figure:
Hierarchy : • Source Code [Parent] Used by use case: • Test Environment,Unit Test Used by tool: • Tecnalia Assurance Case Editor Created by use case: • Development,Create Code Is a: Source Code
Table 622 Artifact: C/C++ Source Code
Artifact: Cache-Related Preemption Cost Function Description: For any duration t, the function gives the maximum delay that the given task can incur when preempted for the first time after t time units. A function CRPD(t) which returns, for any duration t > 0, the maximum delay that the given application can incur if it gets preempted after running non-preemptively for t time units after the beginning of its execution.
Table 623 Artifact: Cache-Related Preemption Cost Function
Artifact: Contract Description: -None- Used by use case: • VerSAA,Verify Used by tool: • VerSAA Created by use case: • Simulink,Modelling
Table 624 Artifact: Contract
Artifact: contract Description: -None- Used by use case: • Simulink,Contracts to assertions
• VerSAA,Verify Used by tool: • VerSAA Created by use case: • Simulink,Modelling Created by tool:
• Simulink
Table 625 Artifact: contract
Artifact: Deployment Description: generated deployment Created by feature: • AF3,Synthesizing Deployment
Table 626 Artifact: Deployment
Artifact: Detailed System Architecture Description: Contain all the parameters and specifications of the platform Hierarchy figure:
Hierarchy : • AF3 System Model [Child]
• Evidence [Parent] Used by use case: • GEMDE Certification,Technical view Used by tool: • GEMDE Certification
• Tecnalia Assurance Case Editor Created by feature: • AF3,Specifying Technical Architecture Created by use case: • Medini,Detailed architecture definition Created by tool: • Medini Modified by use case: • Medini,Detailed architecture definition Modified by tool: • Medini Is a: Evidence Occurrences: • AF3 System Model
Table 627 Artifact: Detailed System Architecture
Artifact: Display Output Description: The tool displays some information to the user Created by feature: • AF3,Simulating a Logical Architecture
• Tool Chain Analyzer,Compute Tool Confidence Level • Tool Chain Analyzer,Cost Model • Tool Chain Analyzer,EMF • Tool Chain Analyzer,Model Validation
Table 628 Artifact: Display Output
Artifact: Evidence Description: Anything that can be considered as a certification evidence Hierarchy figure:
Hierarchy : • Binary executable [Child]
• Detailed System Architecture [Child] • Excel File [Child] • FHA [Child] • FMEA [Child] • FTA [Child] • Failure rate catalog [Child] • Functionalities [Child] • Malfunctions [Child] • Metrics [Child] • Overall Project Plan [Child] • Preliminary System Architecture [Child] • Report on Maximum CRPDs [Child] • Report on Schedulability (1 mode) [Child] • Report on Schedulability (all) [Child] • Review Protocol [Child] • SLDV verification report [Child] • Safety Goals List [Child] • Safety Manual [Child] • Safety Plan [Child] • Safety Requirements [Child] • Software Unit Design Specification [Child] • Source Code [Child] • TBT Data Model [Child] • TCA-Model [Child] • Test Cases [Child] • Test Specification [Child] • Tool Evaluation Report [Child] • WCET [Child] • WCRT [Child] • Word Document [Child]
Used by use case: • GEMDE Certification,Technical view Occurrences: • Binary executable
• Detailed System Architecture • Excel File • FHA • FMEA • FTA • Failure rate catalog • Functionalities • Malfunctions • Metrics • Overall Project Plan • Preliminary System Architecture
• Report on Maximum CRPDs • Report on Schedulability (1 mode) • Report on Schedulability (all) • Review Protocol • SLDV verification report • Safety Goals List • Safety Manual • Safety Plan • Safety Requirements • Software Unit Design Specification • Source Code • TBT Data Model • TCA-Model • Test Cases • Test Specification • Tool Evaluation Report • WCET • WCRT • Word Document
Table 629 Artifact: Evidence
Artifact: Excel File Description: The files that can be read/written from the Excel tool Hierarchy figure:
Hierarchy : • Evidence [Parent] Used by tool: • Tecnalia Assurance Case Editor Created by feature: • Tool Chain Analyzer,Compute Tool Confidence Level Modified by feature: • Tool Chain Analyzer,Cost Model
• Tool Chain Analyzer,Excel Interface Is a: Evidence
Table 630 Artifact: Excel File
Artifact: Execution Graph Description: -None-
Table 631 Artifact: Execution Graph
Artifact: Failure rate catalog Description: Failure rate catalog Hierarchy figure:
Hierarchy : • Evidence [Parent] Used by use case: • GEMDE Certification,Technical view Used by tool: • Medini
• Tecnalia Assurance Case Editor Is a: Evidence
Table 632 Artifact: Failure rate catalog
Artifact: FHA Description: FHA Hierarchy figure:
Hierarchy : • Evidence [Parent] Used by use case: • GEMDE Certification,Technical view Used by tool: • GEMDE Certification
• Medini • Tecnalia Assurance Case Editor
Created by use case: • Medini,FHA Generation Created by tool: • Medini Modified by use case: • Medini,FHA Generation Modified by tool: • Medini Is a: Evidence
Table 633 Artifact: FHA
Artifact: FMEA Description:
FMEA Hierarchy figure:
Hierarchy : • Evidence [Parent] Used by use case: • GEMDE Certification,Technical view Used by tool: • Tecnalia Assurance Case Editor Created by tool: • Medini Is a: Evidence
Table 634 Artifact: FMEA
Artifact: FTA Description: FTA Hierarchy figure:
Hierarchy : • Evidence [Parent] Used by use case: • GEMDE Certification,Technical view Used by tool: • Tecnalia Assurance Case Editor Created by tool: • Medini Is a: Evidence
Table 635 Artifact: FTA
Artifact: Functionalities Description: Functionalities Hierarchy figure:
Hierarchy : • Evidence [Parent] Used by use case: • GEMDE Certification,Technical view
Used by tool: • Medini
• Tecnalia Assurance Case Editor Is a: Evidence
Table 636 Artifact: Functionalities
Artifact: Malfunctions Description: Malfunctions Hierarchy figure:
Hierarchy : • Evidence [Parent] Used by use case: • GEMDE Certification,Technical view Used by tool: • Medini
• Tecnalia Assurance Case Editor Is a: Evidence
Table 637 Artifact: Malfunctions
Artifact: Mapping of tasks to processing elements Description: The mapping of tasks to processing elements
Table 638 Artifact: Mapping of tasks to processing elements
Artifact: Metrics Description: The metric information that describes how far a test covers its requirements. Hierarchy figure:
Hierarchy : • Evidence [Parent] Used by use case: • TBT,Validate Tests Used by tool: • Tecnalia Assurance Case Editor Created by use case: • TBT,Generate Test Is a:
Evidence
Table 639 Artifact: Metrics
Artifact: Model Description: The tool chain model Used by feature: • Tool Chain Analyzer,Generate Word (docx)
• Tool Chain Analyzer,Model Validation Modified by feature: • Tool Chain Analyzer,Compute Tool Confidence Level
• Tool Chain Analyzer,Cost Model • Tool Chain Analyzer,EMF • Tool Chain Analyzer,Excel Interface • Tool Chain Analyzer,Xml Interface
Table 640 Artifact: Model
Artifact: No-Conformity metrics Description: List of all non-conformities of a project for a standard; specifies the number of steps to be conformant to the standard Used by use case: • GEMDE Certification,Technical view Created by use case: • GEMDE Certification,Assessment view
Table 641 Artifact: No-Conformity metrics
Artifact: Overall Project Plan Description: see sections 2.6.5.2, 4.5.5.1 Hierarchy figure:
Hierarchy : • Evidence [Parent] Used by use case: • Tool Chain Analyzer,Create Model
• Tool Chain Analyzer,Determinate Tool Confidence Level • Tool Chain Analyzer,Generate Tool Classification Report • Tool Chain Analyzer,Review Model
Used by tool: • Tecnalia Assurance Case Editor Modified by use case: • Process Checker,Validate Process Is a:
Evidence
Table 642 Artifact: Overall Project Plan
Artifact: Partition Static Schedule Description: The partitions static schedule, for each processing element
Table 643 Artifact: Partition Static Schedule
Artifact: Per Core Request Estimator Function Description: For any duration t, the function gives the maximum number of requests that can be issued from the given core in a time interval of length t. A function PCRE(t) which returns, for any duration t > 0, the maximum number of requests that can be issued from the given core within t time units.
Table 644 Artifact: Per Core Request Estimator Function
Artifact: Preliminary System Architecture Description: Malfunctions Hierarchy figure:
Hierarchy : • AF3 System Model [Child]
• Evidence [Parent] Used by use case: • GEMDE Certification,Technical view Used by tool: • Medini
• Tecnalia Assurance Case Editor Is a: Evidence Occurrences: • AF3 System Model
Table 645 Artifact: Preliminary System Architecture
Artifact: ProjectModel Description: Certification objectives that apply to the project and evidences and justification that support
it Used by use case: • GEMDE Certification,Assessment view Used by tool: • GEMDE Certification Created by use case: • GEMDE Certification,Technical view
Created by tool: • GEMDE Certification Modified by tool: • GEMDE Certification
Table 646 Artifact: ProjectModel
Artifact: ReferenceModel Description: Standards, normatives... model Used by use case: • GEMDE Certification,Assessment view
• GEMDE Certification,Technical view Used by tool: • GEMDE Certification Created by use case: • GEMDE Certification,Quality view Created by tool: • GEMDE Certification Modified by use case: • GEMDE Certification,Quality view Modified by tool: • GEMDE Certification
Table 647 Artifact: ReferenceModel
Artifact: Report on Maximum CRPDs Description: Report on the maximum Cache-Related Preemption Delay (CRPD) that tasks can incur Hierarchy figure:
Hierarchy : • Evidence [Parent] Used by tool: • Tecnalia Assurance Case Editor Is a: Evidence
Table 648 Artifact: Report on Maximum CRPDs
Artifact: Report on Schedulability (1 mode) Description: Attest the schedulability of a single mode of the application system Hierarchy figure:
Hierarchy : • Evidence [Parent] Used by tool: • Tecnalia Assurance Case Editor Is a: Evidence
Table 649 Artifact: Report on Schedulability (1 mode)
Artifact: Report on Schedulability (all) Description: Attest the schedulability of the application system Hierarchy figure:
Hierarchy : • Evidence [Parent] Used by tool: • Tecnalia Assurance Case Editor Is a: Evidence
Table 650 Artifact: Report on Schedulability (all)
Artifact: Requirement Specification Description: -None- Hierarchy figure:
Hierarchy : • AF3 System Model [Child] Used by feature: • AF3,Specifying MSC Requirements
• AF3,Specifying Textual Requirements Occurrences: • AF3 System Model
Table 651 Artifact: Requirement Specification
Artifact: Review Protocol Description: The protocol of the review Hierarchy figure:
Hierarchy : • Evidence [Parent] Used by tool: • Tecnalia Assurance Case Editor Created by use case: • Tool Chain Analyzer,Review Model Is a: Evidence
Table 652 Artifact: Review Protocol
Artifact: Safety Case Description: Graphical (GSN notation) safety case Used by use case: • GEMDE Certification,Technical view
• Tecnalia Assurance Case Editor,Assurance Case edition Used by tool: • GEMDE Certification
• Tecnalia Assurance Case Editor Created by use case: • Tecnalia Assurance Case Editor,Assurance Case edition Created by tool: • Tecnalia Assurance Case Editor Modified by use case: • Tecnalia Assurance Case Editor,Assurance Case edition
Table 653 Artifact: Safety Case
Artifact: Safety Goals List Description: Safety Goals List Hierarchy figure:
Hierarchy : • Evidence [Parent] Used by use case: • GEMDE Certification,Technical view Used by tool: • Tecnalia Assurance Case Editor Created by tool: • Medini Is a: Evidence
Table 654 Artifact: Safety Goals List
Artifact: Safety Manual Description: The safety manual of the tool contains the relevant information to work safely with the tool Hierarchy figure:
Hierarchy : • Evidence [Parent] Used by tool: • Tecnalia Assurance Case Editor Created by use case: • Tool Chain Analyzer,Determinate Tool Confidence Level Modified by use case: • Tool Chain Analyzer,Generate Tool Classification Report
• Tool Chain Analyzer,Review Model Is a: Evidence
Table 655 Artifact: Safety Manual
Artifact: Safety Plan Description: see sections 2.6.5.1, 4.5.5.2, 6.5.5.1, 6.7.5.2 Hierarchy figure:
Hierarchy : • Evidence [Parent] Used by use case: • Tool Chain Analyzer,Create Model
• Tool Chain Analyzer,Determinate Tool Confidence Level • Tool Chain Analyzer,Review Model
Used by tool: • Tecnalia Assurance Case Editor Modified by use case: • Process Checker,Validate Process Is a: Evidence
Table 656 Artifact: Safety Plan
Artifact: Safety Requirements Description: System Requirements Specification related to safety Hierarchy figure:
Hierarchy : • Evidence [Parent] Used by feature: • AF3,Specifying SIL Requirements Used by use case: • GEMDE Certification,Technical view
• ProB Model Checker,Check Model • Rodin Editor,System Modelling • Simulink,Modelling Requirements • TBT,Generate Test
Used by tool: • Tecnalia Assurance Case Editor Created by tool: • Medini Is a: Evidence
Table 657 Artifact: Safety Requirements
Artifact: Schedule Description: (Optimized Shared Memory Access) Hierarchy figure:
Hierarchy : • AF3 System Model [Child] Occurrences: • AF3 System Model
Table 658 Artifact: Schedule
Artifact: Simulink Model Description: Simulink Model Hierarchy figure:
Hierarchy : • Software Unit Design Specification [Parent] Used by use case: • Simulink,Code generation Used by tool: • Simulink Design Verifier
• Tecnalia Assurance Case Editor • VerSAA
Created by use case: • Simulink,Modelling
• Simulink,Modelling Requirements Created by tool: • Simulink Modified by use case: • Simulink Design Verifier,Verify
• VerSAA,Verify Is a: Software Unit Design Specification
Table 659 Artifact: Simulink Model
Artifact: Simulink model Description: -None- Used by use case: • VerSAA,Verify Used by tool: • VerSAA Created by use case: • Simulink,Modelling Created by tool: • Simulink
Table 660 Artifact: Simulink model
Artifact: SLDV verification report Description: -None- Hierarchy figure:
Hierarchy : • Evidence [Parent] Used by tool: • Tecnalia Assurance Case Editor Created by use case: • Simulink Design Verifier,Verify Created by tool: • Simulink Design Verifier Is a: Evidence
Table 661 Artifact: SLDV verification report
Artifact: Software Unit Design Specification Description: see section 6.8.5.1 Hierarchy figure:
Hierarchy : • AF3 System Model [Child]
• Evidence [Parent] • Simulink Model [Child]
Used by tool: • Tecnalia Assurance Case Editor Is a: Evidence Occurrences: • AF3 System Model
• Simulink Model
Table 662 Artifact: Software Unit Design Specification
Artifact: Source Code Description: Different programming languages Hierarchy figure:
Hierarchy : • C/C++ Source Code [Child]
• Evidence [Parent] • Timing Parameters [Child]
Used by tool: • Tecnalia Assurance Case Editor Created by feature: • AF3,Synthesizing Deployment Created by use case: • Simulink,Code generation Created by tool: • Simulink Is a: Evidence Occurrences:
• C/C++ Source Code • Timing Parameters
Table 663 Artifact: Source Code
Artifact: Spatial Constraints Description: -None- Hierarchy figure:
Hierarchy : • AF3 System Model [Child] Used by feature: • AF3,Specifying Technical Architecture Created by feature: • AF3,Specifying Technical Architecture Occurrences: • AF3 System Model
Table 664 Artifact: Spatial Constraints
Artifact: StandardsRegulation Description: Standards, Normatives,... documentation Used by use case: • GEMDE Certification,Quality view
Table 665 Artifact: StandardsRegulation
Artifact: System Models (Event-B) Description: Models specifying / expressing (with events and invariants) the system requirements Used by use case: • ProB Model Checker,Check Model
• Rodin Prover,System Model Verification Created by use case: • Rodin Editor,System Modelling
Table 666 Artifact: System Models (Event-B)
Artifact: TBT Data Model Description: The model describing the data element in the model and the system Hierarchy figure:
Hierarchy :
• Evidence [Parent] Used by use case: • TBT,Generate Test Used by tool: • Tecnalia Assurance Case Editor Is a: Evidence
Table 667 Artifact: TBT Data Model
Artifact: TBT Oracle Model Description: The model describing the behaviour of the system Used by use case: • TBT,Generate Test
Table 668 Artifact: TBT Oracle Model
Artifact: TBT Tactic Description: A formalized strategy describing the search in the model to derive test cases Used by use case: • TBT,Generate Test
Table 669 Artifact: TBT Tactic
Artifact: TCA-Model Description: The tool chain model Hierarchy figure:
Hierarchy : • Evidence [Parent] Used by tool: • Tecnalia Assurance Case Editor Is a: Evidence
Table 670 Artifact: TCA-Model
Artifact: Test Cases Description: The executable test cases implementing the test specification Hierarchy figure:
Hierarchy :
• AF3 System Model [Child] • Evidence [Parent]
Used by use case: • TBT,Validate Tests
• Test Environment,Unit Test Used by tool: • Tecnalia Assurance Case Editor Created by feature: • AF3,Synthesizing Test Cases Created by use case: • TBT,Generate Test Modified by use case: • Test Environment,Validate Tests Is a: Evidence Occurrences: • AF3 System Model
Table 671 Artifact: Test Cases
Artifact: Test Specification Description: The textual specification of the tests Hierarchy figure:
Hierarchy : • AF3 System Model [Child]
• Evidence [Parent] Used by feature: • AF3,Specfying Test Suite Used by use case: • TBT,Generate Test Used by tool: • Tecnalia Assurance Case Editor Is a: Evidence Occurrences: • AF3 System Model
Table 672 Artifact: Test Specification
Artifact: Timing Parameters Description: Contain all the parameters concerning the application Hierarchy figure:
Hierarchy : • AF3 System Model [Child]
• Source Code [Parent] Used by tool: • Tecnalia Assurance Case Editor Created by feature: • AF3,Specifying Technical Architecture Is a: Source Code Occurrences: • AF3 System Model
Table 673 Artifact: Timing Parameters
Artifact: Tool Evaluation Report Description: Contains the evaluation/classification of the tools Hierarchy figure:
Hierarchy : • Evidence [Parent] Used by tool: • Tecnalia Assurance Case Editor Created by use case: • Tool Chain Analyzer,Determinate Tool Confidence Level
• Tool Chain Analyzer,Generate Tool Classification Report Is a: Evidence
Table 674 Artifact: Tool Evaluation Report
Artifact: User Input Description: The user writes input to the tool Used by feature: • Tool Chain Analyzer,Compute Tool Confidence Level
• Tool Chain Analyzer,Cost Model • Tool Chain Analyzer,EMF • Tool Chain Analyzer,Excel Interface • Tool Chain Analyzer,Generate Word (docx) • Tool Chain Analyzer,Model Validation • Tool Chain Analyzer,Xml Interface
Used by tool: • Tecnalia Assurance Case Editor
Table 675 Artifact: User Input
Artifact: Verification Verdict Description: The verdict of a verification step (valid/invalid) and a counter example Created by feature: • AF3,Verifing Contracts of a Logical Architecture
• AF3,Verifying MSC Conformance • AF3,Verifying Soundness of a Logical Architecture
Table 676 Artifact: Verification Verdict
Artifact: Verified System Models (Event-B) Description: Specified and verified system models at different levels of abstraction Used by use case: • ProB Model Checker,Check Model
• Rodin Prover,System Model Verification Created by use case: • ProB Model Checker,Check Model
• Rodin Prover,System Model Verification
Table 677 Artifact: Verified System Models (Event-B)
Artifact: VerSAA verification report Description: -None- Created by use case: • VerSAA,Verify Created by tool: • VerSAA
Table 678 Artifact: VerSAA verification report
Artifact: WCET Description: Worst case execution time estimation for each task Hierarchy figure:
Hierarchy : • Evidence [Parent] Used by feature: • AF3,Synthesizing Real-Time Schedule Used by tool: • Tecnalia Assurance Case Editor Is a: Evidence
Table 679 Artifact: WCET
Artifact: WCRT Description: Worst-case response time for a task Hierarchy figure:
Hierarchy : • Evidence [Parent] Used by tool: • Tecnalia Assurance Case Editor Is a: Evidence
Table 680 Artifact: WCRT
Artifact: Word Document Description: The files that can be read/written from Word Hierarchy figure:
Hierarchy : • Evidence [Parent] Used by tool: • Tecnalia Assurance Case Editor Created by feature: • Tool Chain Analyzer,Compute Tool Confidence Level
• Tool Chain Analyzer,Generate Word (docx) Is a: Evidence
Table 681 Artifact: Word Document
1.19.2 ERROR MODEL FOR THE RECOMP TOOL CHAIN TOOL CHAIN
The error model consists of general attributes that are mapped to the used tools or use cases. Each of these mapped elements receives a copy of the listed errors. In the following sections all used attributes, errors, checks and restrictions are described.
1.19.2.1 TOOL ATTRIBUTE DESCRIPTIONS
The following 10 general tool attributes have been used in the analysis of the "RECOMP Tool Chain".
Tool Attribute: Fcn_Algorithm Description: The function is implemented by an algorithm Assigned to the following features: • Tool Chain Analyzer,Compute Tool Confidence Level
• Tool Chain Analyzer,EMF • Tool Chain Analyzer,Model Validation
Contains the following potential errors: • Algorithm Error
• Wrong Algorithm
Table 682 Tool Attribute: Fcn_Algorithm
Tool Attribute: Fcn_Algorithm_DeEncode Description: encoding and decoding algorithms are used Assigned to the following features: • Tool Chain Analyzer,Excel Interface Contains the following potential errors: • Decoded Wongly
• Encoded Wrongly
Table 683 Tool Attribute: Fcn_Algorithm_DeEncode
Tool Attribute: Fcn_Behaviour Description: The behaviour of the function Assigned to the following features: • Tool Chain Analyzer,EMF
• Tool Chain Analyzer,Excel Interface • Tool Chain Analyzer,Model Validation
Contains the following potential errors: • Wrong Behaviour
Table 684 Tool Attribute: Fcn_Behaviour
Tool Attribute: Fcn_Behaviour_Calculator Description: The tool does an Excel-like computation with simple arithmetic, e.g. computing the sum of numbers in a row Assigned to the following features: • Tool Chain Analyzer,Compute Tool Confidence Level Contains the following potential errors: • Wrong Result
Table 685 Tool Attribute: Fcn_Behaviour_Calculator
Tool Attribute: Fcn_Behaviour_Transformation Description: The tool transforms information into other representations, e.g. a compiler Assigned to the following features:
• Tool Chain Analyzer,EMF • Tool Chain Analyzer,Excel Interface • Tool Chain Analyzer,Generate Word (docx)
Contains the following potential errors: • Transformation Not Supported
• Wrong Transformation
Table 686 Tool Attribute: Fcn_Behaviour_Transformation
Tool Attribute: Fcn_Resource_CPU Description: Function requires CPU resources like RAM, ROM, CPU time which might not be available Assigned to the following features: • Tool Chain Analyzer,Generate Word (docx) Contains the following potential errors: • Missing CPU
Table 687 Tool Attribute: Fcn_Resource_CPU
Tool Attribute: Fcn_Specification Description: The specification/documentation of the function Assigned to the following features: • Tool Chain Analyzer,Compute Tool Confidence Level
• Tool Chain Analyzer,Generate Word (docx) • Tool Chain Analyzer,Model Validation
Contains the following potential errors: • Wrong Specification
Table 688 Tool Attribute: Fcn_Specification
Tool Attribute: Fcn_Variants Description: The function can be computed with different variants Assigned to the following features: • Tool Chain Analyzer,Compute Tool Confidence Level
• Tool Chain Analyzer,EMF • Tool Chain Analyzer,Generate Word (docx)
Contains the following potential errors: • Wrong Variant
Table 689 Tool Attribute: Fcn_Variants
Tool Attribute: Fcn_Variants_Options Description: The tool supports options. These can be either command line arguments, settings or configuration files Assigned to the following features: • Tool Chain Analyzer,Excel Interface Contains the following potential errors:
• Option Defect • Option Ignored
Table 690 Tool Attribute: Fcn_Variants_Options
Tool Attribute: Option Supporting Description: The tool can support different options, e.g. with a command line or configuration file. Assigned to the following use cases: • Rodin Prover,System Model Verification Contains the following potential errors: • Option Defect
• Option Ignored
Table 691 Tool Attribute: Option Supporting
1.19.2.2 ERROR DESCRIPTIONS
The following 15 errors have been identified and used in the analysis of the "RECOMP Tool Chain".
Error: Algorithm Error Description: The algorithm has an error, for example a wrong condition, type, loop, ... From tool attribute: Fcn_Algorithm
Table 692 Error: Algorithm Error
Error: Decoded Wongly Description: A correctly encoded object is decoded wrongly From tool attribute: Fcn_Algorithm_DeEncode
Table 693 Error: Decoded Wongly
Error: Encoded Wrongly Description: The data is encoded such that it cannot be decoded any more From tool attribute: Fcn_Algorithm_DeEncode
Table 694 Error: Encoded Wrongly
Error: Missing CPU Description: Not enough CPU available for computing the correct result.
Comment: Note: in this error we consider only the undetected case, where the tool terminates without a warning and produces a wrong result, possibly due to some internal checks that cause the tool to terminate if no CPU is available, e.g. after a given time using the default value From tool attribute: Fcn_Resource_CPU
Table 695 Error: Missing CPU
Error: Option Defect Description: The option or combination of options is defective, i.e. it computes wrong values From tool attribute: Fcn_Variants_Options
Table 696 Error: Option Defect
Error: Option Defect Description: The selected option might not function correctly, e.g. an optimization. From tool attribute: Option Supporting
Table 697 Error: Option Defect
Error: Option Ignored Description: The entered option is ignored without a warning and the wrong result is computed From tool attribute: Fcn_Variants_Options
Table 698 Error: Option Ignored
Error: Option Ignored Description: The option has been ignored from the tool, for example due to a misspelling. From tool attribute: Option Supporting
Table 699 Error: Option Ignored
Error: Transformation Not Supported Description: The transformation might not support all elements and ignore them, e.g. some settings in a model or some pragmas in code From tool attribute: Fcn_Behaviour_Transformation
Table 700 Error: Transformation Not Supported
Error: Wrong Algorithm Description: The chosen algorithm does not solve the problem correctly From tool attribute: Fcn_Algorithm
Table 701 Error: Wrong Algorithm
Error: Wrong Behaviour Description: The function can have a wrong behaviour From tool attribute: Fcn_Behaviour
Table 702 Error: Wrong Behaviour
Error: Wrong Result Description: The calculated result differs from the real result, e.g. 1+1=0 or 1/1=0.99 From tool attribute: Fcn_Behaviour_Calculator
Table 703 Error: Wrong Result
Error: Wrong Specification Description: The function can deviate from the specification From tool attribute: Fcn_Specification
Table 704 Error: Wrong Specification
Error: Wrong Transformation Description: The result of the transformation is not correct From tool attribute: Fcn_Behaviour_Transformation
Table 705 Error: Wrong Transformation
Error: Wrong Variant Description: The wrong variant has been used, e.g. by ignoring an option/configuration From tool attribute: Fcn_Variants
Table 706 Error: Wrong Variant
1.19.3 ASSUMPTIONS
This section lists all assumptions on tool chain level used in the evaluation of this tool chain. If the assumptions are violated, the calculated TCL is not valid. Assumptions that are enforced by the development process are marked in the analysis model and listed here.
Check: Assertion Check Description: This check detects if an assertion in the code is violated.
This check detects violated assertions. If a test case claims to violate an assertion but does not, this will also be noted with a high probability. Comment: Since this is an automatic check, the detection probability is high.
From use case: Test Environment,Unit Test Error detection probability: TD 1 (HIGH) Is assumption: True
Table 707 Check: Assertion Check
Check: Detect Wrong TCL Description: An error in the TCL computation is detected.
Since the review is performed on the basis of the generated report, it will also detect errors in the report generation and in the image generation and all other modeling errors with a high probability. Comment: TCL computation is an easy task and review is an effective verification method for that purpose.
From use case: ISO 26262 Reviews,SG_Confirmation Review Of TCLs Error detection probability: TD 1 (HIGH) Detected errors from other tools:
• SG_Confirmation Review Of TCLs,Tool Chain Analyzer,Compute Tool Confidence Level,Wrong TCL Computed
• SG_Confirmation Review Of TCLs,Tool Chain Analyzer,Determinate Tool Confidence Level,TCL Wrongly Shown
• SG_Confirmation Review Of TCLs,Tool Chain Analyzer,Determinate Tool Confidence Level,TCL Wrongly Written
• SG_Confirmation Review Of TCLs,Tool Chain Analyzer,Excel Interface,Wrong Export
• SG_Confirmation Review Of TCLs,Tool Chain Analyzer,Excel Interface,Wrong Import
• SG_Confirmation Review Of TCLs,Tool Chain Analyzer,Generate Word (docx),Document Generated Wrongly
• SG_Confirmation Review Of TCLs,Tool Chain Analyzer,Xml Interface,Wrong XML Export
• SG_Confirmation Review Of TCLs,Tool Chain Analyzer,Xml Interface,Wrong XML Import
Is assumption: True
Table 708 Check: Detect Wrong TCL
Check: Executability Check Description:
The generated test is compiled and executed Comment: There is a high probability of detecting that the test is not executable, e.g. not compiling correctly, since this is an automatic check
From use case: TBT,Validate Tests Error detection probability: TD 1 (HIGH) Detected errors: • Validate Tests,Generate Test,Non-Executable Test Is assumption: True
Table 709 Check: Executability Check
Check: Model Check Description: Check the validity of the model
Comment: This can be done using a model checker tool for some consistency rules
From use case: ProB Model Checker,Check Model Error detection probability: TD 1 (HIGH) Detected errors from other tools: • Check Model,Rodin Prover,System Model Verification,Theorem Provers
• Check Model,Rodin Prover,System Model Verification,Verification condition generation
Is assumption: True
Table 710 Check: Model Check
Check: Proof Tree - Syntax Check Description: The syntax check is usually done when this file is used From use case: Rodin Prover,System Model Verification Error detection probability: TD 1 (HIGH) Detected errors from other tools: • System Model Verification,Rodin Editor,System Modelling,Model corruption 1
• System Model Verification,Rodin Editor,System Modelling,Syntax error Is assumption: True
Table 711 Check: Proof Tree - Syntax Check
Check: Review Test against Specification
Description: Review of generated test cases against the correctness with the specification
Comment: Since it is easy to see that a test case covers a specified feature, the review has a high detection probability for detecting the non-conformance errors between the tests and the spec.
From use case: TBT,Validate Tests Error detection probability: TD 1 (HIGH) Detected errors: • Validate Tests,Generate Test,Wrong Metrics
• Validate Tests,Generate Test,Wrong Test Generated Is assumption: True
Table 712 Check: Review Test against Specification
Error: Incorrect translation Description: The translation of contracts to assertions/assumptions might be incorrect.
It is not obvious how to check that this does not happen in a tool. Manual inspection might be needed.
From use case: Contracts to assertions Is assumption: True
Table 713 Error: Incorrect translation
Feature: SG_Avoid Feature Description: Avoid this feature, since it is redundant. From: Tool Chain Analyzer Parts: • SG_Avoid Feature Is assumption: True
Table 714 Feature: SG_Avoid Feature
Restriction: Avoid Features Description: Avoid the risky features of the model since they might be buggy. From feature: Tool Chain Analyzer,Safety Guidelines,SG_Avoid Feature Error avoidance probability: TD 1 (HIGH) Avoided errors: • Cost Model,Wrong Cost Computed
• Excel Interface,Wrong Export • Excel Interface,Wrong Import • Model Validation,Wrong Error Reported • Xml Interface,Wrong XML Export • Xml Interface,Wrong XML Import
Is assumption: True
Table 715 Restriction: Avoid Features
Tool: Test Environment Description: This is a virtual test environment that is used to formulate assumptions from the test generator to test tools and processes in which the generated tests can be executed. Impact: TI 2 (Impact) Tool Confidence Level: TCL 1 Is assumption: True
Table 716 Tool: Test Environment
APPENDIX D – TCA RESULT FOR THE AUTOMOTIVE DOMAIN
1 TCL DETAILS OF RECOMP TOOL CHAIN
This chapter has been generated from the formal tool chain model and contains all relevant information to determine the TCLs of the used tools. Table 1 shows the settings and Table 2 shows the active variants with which this document was generated. For further details of the report creation see section "Report Generation" of the User Manual.
Setting | Value
Compact Report | false
With Assumptions | true
Include Subsumes | true
Include Images | true
Table 717 Settings for this documentation
Variant Settings
Active Variants: • Automotive
Table 718 Variant Settings
The report starts with an overview of the analysis results, then describes each tool in detail, including TCL determination, and concludes with an appendix for further information.
ToolChain: RECOMP Tool Chain Description: All models are integrated here TCL Determination: TCL 3
Table 719 ToolChain: RECOMP Tool Chain
1.1 TCL RESULT OVERVIEW
Table 4 shows the result of the tool evaluation, particularly the tool confidence levels.
Name | Tool Impact (TI) | Tool Detection (TD) | Tool Confidence Level (TCL) | Assumptions
AF3 | TI 2 (Impact) | TD 1 (HIGH) | TCL 1 | -
Development | TI 2 (Impact) | TD 2 (MEDIUM) | TCL 2 | -
ISO 26262 Reviews | TI 2 (Impact) | TD 1 (HIGH) | TCL 1 | 1
nuSMV Model Checker | TI 2 (Impact) | TD 1 (HIGH) | TCL 1 | -
PharOS micro kernel | TI 2 (Impact) | TD 1 (HIGH) | TCL 1 | -
PharOS offline computation | TI 2 (Impact) | TD 1 (HIGH) | TCL 1 | -
PharOS runtime generation | TI 2 (Impact) | TD 3 (LOW) | TCL 3 | -
Process Checker | TI 2 (Impact) | TD 1 (HIGH) | TCL 1 | -
Simulink Design Verifier | TI 2 (Impact) | TD 1 (HIGH) | TCL 1 | -
Tool Chain Analyzer | TI 2 (Impact) | TD 3 (LOW) | TCL 3 | 1
YICES SMT Solver | TI 2 (Impact) | TD 1 (HIGH) | TCL 1 | -
Table 720 Evaluation Results of RECOMP Tool Chain
Fig 1 shows the error flow in RECOMP Tool Chain. The number on the edges denotes the number of error flows between the tools. An error flow is a detection possibility or an avoidance possibility of an error. Note that for one error there might be several flows, hence the number of flows can be larger than the number of errors in the model. For example, the tool Tool Chain Analyzer contains 11 different errors in 19 occurrences. There are 7 error flows (detection or avoidance possibilities for error occurrences) into Tool Chain Analyzer: 7 error flows go into the Tool Chain Analyzer itself, i.e. they are avoided / detected by carefully using the tool. There are 11 from the Tool Chain Analyzer into the ISO 26262 Reviews, i.e. they are detected by the ISO 26262 Reviews.
Fig 115 Error Flow in RECOMP Tool Chain
1.2 AF3
This section explains the determination of the Tool Confidence Level (TCL) for the tool AF3. Tool: AF3 Description: The AutoFOCUS3 tool as distributed by fortiss GmbH
AF3 is a tool for the model-based development of embedded systems, covering the phases from requirements capture to deployment on the hardware platform.
Impact: TI 2 (Impact) Tool Confidence Level: TCL 1
Table 721 Tool: AF3
The tool AF3 is modeled with 6 elements which have impact, none of them are assumptions. In addition, 17 features have been modeled, none of them are assumptions.
Elements | Amount (Assumptions)
Use Cases | 6 (0)
Checks | 0 (0)
Restrictions | 0 (0)
Potential Errors | 0 (0)
Table 722 Amount of Elements in Tool: AF3
1.2.1 USE CASES OF AF3
This section describes all analyzed use cases of AF3 in separate subsections. The following use cases of the tool AF3 are considered:
1. Deploying a Logical Architecture to Technical Architecture, see Section 1.2.1.1
2. Requirements Elicitaion and Specification, see Section 1.2.7.1
3. Specification of a Logical Architecture, see Section 0
4. Unit Testing, see Section 0
5. Validation of a Logical Architecture, see Section 0
6. Verification of a Logical Architecture, see Section 0
1.2.1.1 USE CASE DEPLOYING A LOGICAL ARCHITECTURE TO TECHNICAL ARCHITECTURE
This section describes the use case "Deploying a Logical Architecture to Technical Architecture". UseCase: Deploying a Logical Architecture to Technical Architecture Description: The deployment of a logical architecture to the technical platform is defined and the corresponding parts are synthesized.
Table 723 UseCase: Deploying a Logical Architecture to Technical Architecture
The use case requires 4 features and calls no other use cases. Fig 2 shows the dependencies between the use cases and features.
Fig 116 Dependency View of Use Case: Deploying a Logical Architecture to Technical
Architecture
"Deploying a Logical Architecture to Technical Architecture" uses the following features: • Specifying Technical Architecture • Synthesizing Deployment • Synthesizing Real-Time Schedule • Synthesizing SIL-Conformant Mapping
In order to fulfill the requirements of the use case, usually a number of artifacts will be read and/or written. But in "Deploying a Logical Architecture to Technical Architecture" the tool AF3 uses no artifacts.
1.2.1.2 USE CASE REQUIREMENTS ELICITAION AND SPECIFICATION
This section describes the use case "Requirements Elicitaion and Specification". UseCase: Requirements Elicitaion and Specification Description: The requirements of a system are identified, specified, and structured.
Table 724 UseCase: Requirements Elicitaion and Specification
The use case requires 2 features and calls no other use cases. Table 10 shows the dependencies between the use cases and features.
Fig 117 Dependency View of Use Case: Requirements Elicitaion and Specification
"Requirements Elicitaion and Specification" uses the following features: • Specifying MSC Requirements • Specifying Textual Requirements
In order to fulfill the requirements of the use case, usually a number of artifacts will be read and/or written. But in "Requirements Elicitaion and Specification" the tool AF3 uses no artifacts.
1.2.1.3 USE CASE SPECIFICATION OF A LOGICAL ARCHITECTURE
This section describes the use case "Specification of a Logical Architecture". UseCase: Specification of a Logical Architecture Description: -None-
Table 725 UseCase: Specification of a Logical Architecture
The use case requires 3 features and calls no other use cases. Table 12 shows the dependencies between the use cases and features.
Fig 118 Dependency View of Use Case: Specification of a Logical Architecture
"Specification of a Logical Architecture" uses the following features: • Specifying Code-Baed Behavior of a Logical Architecture • Specifying State-Based Behavior of a Logical Architecture • Specifying Structure of a Logical Architecture
In order to fulfill the requirements of the use case, usually a number of artifacts will be read and/or written. But in "Specification of a Logical Architecture" the tool AF3 uses no artifacts.
1.2.1.4 USE CASE UNIT TESTING
This section describes the use case "Unit Testing". UseCase: Unit Testing Description: -None-
Table 726 UseCase: Unit Testing
The use case requires 2 features and calls no other use cases. Use Case Assessment view shows the dependencies between the use cases and features.
Fig 119 Dependency View of Use Case: Unit Testing
"Unit Testing" uses the following features: • Specfying Test Suite • Synthesizing Test Cases
In order to fulfill the requirements of the use case, usually a number of artifacts will be read and/or written. But in "Unit Testing" the tool AF3 uses no artifacts.
1.2.1.5 USE CASE VALIDATION OF A LOGICAL ARCHITECTURE
This section describes the use case "Validation of a Logical Architecture". UseCase: Validation of a Logical Architecture Description: A logical architecture is validated w.r.t. to its intended behavior.
Table 727 UseCase: Validation of a Logical Architecture
The use case requires one feature and calls no other use cases. Use Case Quality view shows the dependencies between the use cases and features.
Fig 120 Dependency View of Use Case: Validation of a Logical Architecture
"Validation of a Logical Architecture" uses the following features: • Simulating a Logical Architecture
In order to fulfill the requirements of the use case, usually a number of artifacts will be read and/or written. But in "Validation of a Logical Architecture" the tool AF3 uses no artifacts.
1.2.1.6 USE CASE VERIFICATION OF A LOGICAL ARCHITECTURE
This section describes the use case "Verification of a Logical Architecture". UseCase: Verification of a Logical Architecture Description: The properties of a logical architecture are specified and verified.
Table 728 UseCase: Verification of a Logical Architecture
The use case requires 3 features and calls no other use cases. Use Case Technical view shows the dependencies between the use cases and features.
Fig 121 Dependency View of Use Case: Verification of a Logical Architecture
"Verification of a Logical Architecture" uses the following features: • Specifying Contracts on Logical Components • Verifing Contracts of a Logical Architecture • Verifying Soundness of a Logical Architecture
In order to fulfill the requirements of the use case, usually a number of artifacts will be read and/or written. But in "Verification of a Logical Architecture" the tool AF3 uses no artifacts.
1.2.2 FEATURES OF AF3
This section describes all analyzed features of AF3 in separate subsections. The following features of the tool AF3 are considered:
1. Simulating a Logical Architecture, see Section 0
2. Specfying Test Suite, see Section 0
3. Specifying Code-Baed Behavior of a Logical Architecture, see Section 0
4. Specifying Contracts on Logical Components, see Section 0
5. Specifying MSC Requirements, see Section 0
6. Specifying SIL Requirements, see Section 0
7. Specifying State-Based Behavior of a Logical Architecture, see Section 0
8. Specifying Structure of a Logical Architecture, see Section 1.4.1.4
9. Specifying Technical Architecture, see Section 1.4.1.6
10. Specifying Textual Requirements, see Section 1.4.1.8
11. Synthesizing Deployment, see Section 1.4.1.10
12. Synthesizing Real-Time Schedule, see Section 0
13. Synthesizing SIL-Conformant Mapping, see Section 0
14. Synthesizing Test Cases, see Section 0
15. Verifing Contracts of a Logical Architecture, see Section 1.4.7.2
16. Verifying MSC Conformance, see Section 0
17. Verifying Soundness of a Logical Architecture, see Section 0
1.2.2.1 FEATURE SIMULATING A LOGICAL ARCHITECTURE
This section describes the feature "Simulating a Logical Architecture". Feature: Simulating a Logical Architecture Description: A logical architecture is executed using a controlled simulation.
Table 729 Feature: Simulating a Logical Architecture
The feature "Simulating a Logical Architecture" reads and/or writes the following artifacts. The used artifacts are shown in Fig 6 and are summarized in the subsequent table.
Fig 122 Artifacts of Feature: Simulating a Logical Architecture
Artifacts of Feature: Simulating a Logical Architecture Inputs: • AF3 System Model Outputs: • Display Output
Table 730 Artifacts of Feature: Simulating a Logical Architecture
1.2.2.2 FEATURE SPECFYING TEST SUITE
This section describes the feature "Specfying Test Suite". Feature: Specfying Test Suite Description: A test suite is specified by the coverage criteria of the suite
A test suite is specified by the coverage criteria of the suite. Possible coverage criteria are random testing, state coverage, or transition coverage.
Table 731 Feature: Specfying Test Suite
The feature "Specfying Test Suite" reads and/or writes the following artifacts. The used artifacts are shown in TCL Determination for Use Case: Assessment view and are summarized in the subsequent table.
Fig 123 Artifacts of Feature: Specfying Test Suite
Artifacts of Feature: Specfying Test Suite Inputs: • Test Specification Outputs: • AF3 System Model
Table 732 Artifacts of Feature: Specfying Test Suite
1.2.2.3 FEATURE SPECIFYING CODE-BAED BEHAVIOR OF A LOGICAL ARCHITECTURE
This section describes the feature "Specifying Code-Baed Behavior of a Logical Architecture". Feature: Specifying Code-Baed Behavior of a Logical Architecture Description: The behavior of the components of a logical architecture is defined using a code-based textual approach.
Table 733 Feature: Specifying Code-Baed Behavior of a Logical Architecture
The feature "Specifying Code-Baed Behavior of a Logical Architecture" reads and/or writes the following artifacts. The used artifacts are shown in TCL Determination for Use Case: Quality view and are summarized in the subsequent table.
Fig 124 Artifacts of Feature: Specifying Code-Baed Behavior of a Logical Architecture
Artifacts of Feature: Specifying Code-Baed Behavior of a Logical Architecture Inputs: • AF3 System Model Outputs: • AF3 System Model
Table 734 Artifacts of Feature: Specifying Code-Baed Behavior of a Logical Architecture
1.2.2.4 FEATURE SPECIFYING CONTRACTS ON LOGICAL COMPONENTS
This section describes the feature "Specifying Contracts on Logical Components". Feature: Specifying Contracts on Logical Components Description: Formal properties of components of the logical architecture are specified.
Formal properties of components of the logical architecture are specified. These properties can be defined via assume-guarantee contracts or patterns.
Table 735 Feature: Specifying Contracts on Logical Components
The feature "Specifying Contracts on Logical Components" reads and/or writes the following artifacts. The used artifacts are shown in TCL Determination for Use Case: Technical view and are summarized in the subsequent table.
Fig 125 Artifacts of Feature: Specifying Contracts on Logical Components
Artifacts of Feature: Specifying Contracts on Logical Components Inputs: • AF3 System Model Outputs: • AF3 System Model
Table 736 Artifacts of Feature: Specifying Contracts on Logical Components
1.2.2.5 FEATURE SPECIFYING MSC REQUIREMENTS
This section describes the feature "Specifying MSC Requirements". Feature: Specifying MSC Requirements Description: The requirements of a system are specified using MSCs to define scenarios.
The textual requirements of a system are specified in a structured way. This includes the specification of general requirements as well as use cases including their scenarios, and their hierarchical structure.
Table 737 Feature: Specifying MSC Requirements
The feature "Specifying MSC Requirements" reads and/or writes the following artifacts. The used artifacts are shown in Use Case Detailed architecture definition and are summarized in the subsequent table.
Fig 126 Artifacts of Feature: Specifying MSC Requirements
Artifacts of Feature: Specifying MSC Requirements Inputs: • AF3 System Model
• Requirement Specification Outputs: • AF3 System Model
Table 738 Artifacts of Feature: Specifying MSC Requirements
1.2.2.6 FEATURE SPECIFYING SIL REQUIREMENTS
This section describes the feature "Specifying SIL Requirements". Feature: Specifying SIL Requirements Description: The SIL levels of components of a logical architecture are defined.
Table 739 Feature: Specifying SIL Requirements
The feature "Specifying SIL Requirements" reads and/or writes the following artifacts. The used artifacts are shown in Use Case FHA Generation and are summarized in the subsequent table.
Fig 127 Artifacts of Feature: Specifying SIL Requirements
Artifacts of Feature: Specifying SIL Requirements Inputs: • AF3 System Model
• Safety Requirements Outputs: • AF3 System Model
Table 740 Artifacts of Feature: Specifying SIL Requirements
1.2.2.7 FEATURE SPECIFYING STATE-BASED BEHAVIOR OF A LOGICAL ARCHITECTURE
This section describes the feature "Specifying State-Based Behavior of a Logical Architecture". Feature: Specifying State-Based Behavior of a Logical Architecture Description: The behavior of the components of a logical architecture is defined using a state-machine approach.
Table 741 Feature: Specifying State-Based Behavior of a Logical Architecture
The feature "Specifying State-Based Behavior of a Logical Architecture" reads and/or writes the following artifacts. The used artifacts are shown in Use Case FMEA Generation and are summarized in the subsequent table.
Fig 128 Artifacts of Feature: Specifying State-Based Behavior of a Logical Architecture
Artifacts of Feature: Specifying State-Based Behavior of a Logical Architecture Inputs: • AF3 System Model Outputs: • AF3 System Model
Table 742 Artifacts of Feature: Specifying State-Based Behavior of a Logical Architecture
1.2.2.8 FEATURE SPECIFYING STRUCTURE OF A LOGICAL ARCHITECTURE
This section describes the feature "Specifying Structure of a Logical Architecture". Feature: Specifying Structure of a Logical Architecture Description: The structure of a logical architecture in terms of components and their subcomponents is defined.
Table 743 Feature: Specifying Structure of a Logical Architecture
The feature "Specifying Structure of a Logical Architecture" reads and/or writes the following artifacts. The used artifacts are shown in Use Case Function allocation and are summarized in the subsequent table.
Fig 129 Artifacts of Feature: Specifying Structure of a Logical Architecture
Artifacts of Feature: Specifying Structure of a Logical Architecture Outputs: • AF3 System Model
Table 744 Artifacts of Feature: Specifying Structure of a Logical Architecture
1.2.2.9 FEATURE SPECIFYING TECHNICAL ARCHITECTURE
This section describes the feature "Specifying Technical Architecture". Feature: Specifying Technical Architecture Description: -None-
Table 745 Feature: Specifying Technical Architecture
The feature "Specifying Technical Architecture" reads and/or writes the following artifacts. The used artifacts are shown in Use Case HW/SW allocation and are summarized in the subsequent table.
Fig 130 Artifacts of Feature: Specifying Technical Architecture
Artifacts of Feature: Specifying Technical Architecture
Inputs:
• AF3 System Model
• Spatial Constraints
Outputs:
• AF3 System Model
• Detailed System Architecture
• Spatial Constraints
• Timing Parameters
Table 746 Artifacts of Feature: Specifying Technical Architecture
1.2.2.10 FEATURE SPECIFYING TEXTUAL REQUIREMENTS
This section describes the feature "Specifying Textual Requirements".
Feature: Specifying Textual Requirements
Description: The textual requirements of a system are specified in a structured way. This includes the specification of general requirements as well as use cases including their scenarios, and their hierarchical structure.
Table 747 Feature: Specifying Textual Requirements
The feature "Specifying Textual Requirements" reads and/or writes the following artifacts. The used artifacts are shown in Use Case Safety goals definition and are summarized in the subsequent table.
Fig 131 Artifacts of Feature: Specifying Textual Requirements
Artifacts of Feature: Specifying Textual Requirements
Inputs:
• Requirement Specification
Outputs:
• AF3 System Model
Table 748 Artifacts of Feature: Specifying Textual Requirements
1.2.2.11 FEATURE SYNTHESIZING DEPLOYMENT
This section describes the feature "Synthesizing Deployment".
Feature: Synthesizing Deployment
Description: For logical and technical architectures and a mapping between them, a set of deployable packages is generated. These packages include the generated code for each component, build files and glue code for each ECU.
Table 749 Feature: Synthesizing Deployment
The feature "Synthesizing Deployment" reads and/or writes the following artifacts. The used artifacts are shown in Fig 10 and are summarized in the subsequent table.
Fig 132 Artifacts of Feature: Synthesizing Deployment
Artifacts of Feature: Synthesizing Deployment
Inputs:
• AF3 System Model
Outputs:
• Deployment
• Source Code
Table 750 Artifacts of Feature: Synthesizing Deployment
1.2.2.12 FEATURE SYNTHESIZING REAL-TIME SCHEDULE
This section describes the feature "Synthesizing Real-Time Schedule".
Feature: Synthesizing Real-Time Schedule
Description: -None-
Table 751 Feature: Synthesizing Real-Time Schedule
The feature "Synthesizing Real-Time Schedule" reads and/or writes the following artifacts. The used artifacts are shown in TCL Determination for Use Case: Detailed architecture definition and are summarized in the subsequent table.
Fig 133 Artifacts of Feature: Synthesizing Real-Time Schedule
Artifacts of Feature: Synthesizing Real-Time Schedule
Inputs:
• AF3 System Model
• WCET
Outputs:
• AF3 System Model
Table 752 Artifacts of Feature: Synthesizing Real-Time Schedule
1.2.2.13 FEATURE SYNTHESIZING SIL-CONFORMANT MAPPING
This section describes the feature "Synthesizing SIL-Conformant Mapping".
Feature: Synthesizing SIL-Conformant Mapping
Description: -None-
Table 753 Feature: Synthesizing SIL-Conformant Mapping
The feature "Synthesizing SIL-Conformant Mapping" reads and/or writes the following artifacts. The used artifacts are shown in Table 81 and are summarized in the subsequent table.
Fig 134 Artifacts of Feature: Synthesizing SIL-Conformant Mapping
Artifacts of Feature: Synthesizing SIL-Conformant Mapping
Inputs:
• AF3 System Model
Outputs:
• AF3 System Model
Table 754 Artifacts of Feature: Synthesizing SIL-Conformant Mapping
1.2.2.14 FEATURE SYNTHESIZING TEST CASES
This section describes the feature "Synthesizing Test Cases".
Feature: Synthesizing Test Cases
Description: Test cases are synthesized for a specified test suite according to the coverage criteria.
Table 755 Feature: Synthesizing Test Cases
The feature "Synthesizing Test Cases" reads and/or writes the following artifacts. The used artifacts are shown in Table 83 and are summarized in the subsequent table.
Fig 135 Artifacts of Feature: Synthesizing Test Cases
Artifacts of Feature: Synthesizing Test Cases
Inputs:
• AF3 System Model
Outputs:
• Test Cases
Table 756 Artifacts of Feature: Synthesizing Test Cases
1.2.2.15 FEATURE VERIFYING CONTRACTS OF A LOGICAL ARCHITECTURE
This section describes the feature "Verifying Contracts of a Logical Architecture".
Feature: Verifying Contracts of a Logical Architecture
Description: A logical architecture is verified by means of formal checks. These checks include the use of assume-guarantee contracts or patterns.
Table 757 Feature: Verifying Contracts of a Logical Architecture
The feature "Verifying Contracts of a Logical Architecture" reads and/or writes the following artifacts. The used artifacts are shown in Table 85 and are summarized in the subsequent table.
Fig 136 Artifacts of Feature: Verifying Contracts of a Logical Architecture
Artifacts of Feature: Verifying Contracts of a Logical Architecture
Inputs:
• AF3 System Model
Outputs:
• Verification Verdict
Table 758 Artifacts of Feature: Verifying Contracts of a Logical Architecture
1.2.2.16 FEATURE VERIFYING MSC CONFORMANCE
This section describes the feature "Verifying MSC Conformance".
Feature: Verifying MSC Conformance
Description: For an MSC and a (part of a) logical architecture including the behavior of its components, their conformance is verified; i.e., it is checked that the sequence of actions of an MSC can be produced by a logical component architecture.
Table 759 Feature: Verifying MSC Conformance
The feature "Verifying MSC Conformance" reads and/or writes the following artifacts. The used artifacts are shown in Table 87 and are summarized in the subsequent table.
Fig 137 Artifacts of Feature: Verifying MSC Conformance
Artifacts of Feature: Verifying MSC Conformance
Inputs:
• AF3 System Model
Outputs:
• Verification Verdict
Table 760 Artifacts of Feature: Verifying MSC Conformance
1.2.2.17 FEATURE VERIFYING SOUNDNESS OF A LOGICAL ARCHITECTURE
This section describes the feature "Verifying Soundness of a Logical Architecture".
Feature: Verifying Soundness of a Logical Architecture
Description: A logical architecture is verified w.r.t. reachability and determinism of its components.
Table 761 Feature: Verifying Soundness of a Logical Architecture
The feature "Verifying Soundness of a Logical Architecture" reads and/or writes the following artifacts. The used artifacts are shown in TCL Determination for Use Case: FMEA Generation and are summarized in the subsequent table.
Fig 138 Artifacts of Feature: Verifying Soundness of a Logical Architecture
Artifacts of Feature: Verifying Soundness of a Logical Architecture
Inputs:
• AF3 System Model
Outputs:
• Verification Verdict
Table 762 Artifacts of Feature: Verifying Soundness of a Logical Architecture
1.2.3 POTENTIAL ERRORS IN AF3
The tool has no potential error. The error flow consists of all relations from errors to checks or restrictions. There are
• no relation from errors caused by other tools to checks or restrictions defined for use cases of this tool.
• no relation from errors caused by this tool to checks or restrictions defined for use cases of this tool.
• no relation from errors caused by this tool to checks or restrictions defined for use cases of other tools.
1.2.4 RESTRICTIONS IN AF3
There are no restrictions in the tool AF3.
1.2.5 CHECKS IN AF3
No checks are performed in the tool AF3.
1.2.6 ASSUMPTIONS
The determination of the TCL of AF3 is not based on assumed checks and restrictions. None of the checks and restrictions are modeled as assumptions.
1.2.7 TCL DETERMINATION
This section determines a TCL for each use case by assigning checks or restrictions with detection/avoidance probability to each potential error. The TCL for the entire tool can be derived from the TCL for each use case. The tool AF3 has 6 use cases with TCL 1, no use case with TCL 2 and no use case with TCL 3. Therefore the tool AF3 has TCL 1. The use cases are described in the following sections:
• For "Deploying a Logical Architecture to Technical Architecture" (TCL 1) see Section 0,
• for "Requirements Elicitation and Specification" (TCL 1) see Section 0,
• for "Specification of a Logical Architecture" (TCL 1) see Section 0,
• for "Unit Testing" (TCL 1) see Section 0,
• for "Validation of a Logical Architecture" (TCL 1) see Section 0, and
• for "Verification of a Logical Architecture" (TCL 1) see Section 1.4.7.4.
1.2.7.1 TCL DETERMINATION FOR USE CASE: DEPLOYING A LOGICAL ARCHITECTURE TO TECHNICAL ARCHITECTURE
The use case "Deploying a Logical Architecture to Technical Architecture" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. This use case has no errors.
1.2.7.2 TCL DETERMINATION FOR USE CASE: REQUIREMENTS ELICITATION AND SPECIFICATION
The use case "Requirements Elicitation and Specification" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. This use case has no errors.
1.2.7.3 TCL DETERMINATION FOR USE CASE: SPECIFICATION OF A LOGICAL ARCHITECTURE
The use case "Specification of a Logical Architecture" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. This use case has no errors.
1.2.7.4 TCL DETERMINATION FOR USE CASE: UNIT TESTING
The use case "Unit Testing" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. This use case has no errors.
1.2.7.5 TCL DETERMINATION FOR USE CASE: VALIDATION OF A LOGICAL ARCHITECTURE
The use case "Validation of a Logical Architecture" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. This use case has no errors.
1.2.7.6 TCL DETERMINATION FOR USE CASE: VERIFICATION OF A LOGICAL ARCHITECTURE
The use case "Verification of a Logical Architecture" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. This use case has no errors.
1.3 DEVELOPMENT
This section explains the determination of the Tool Confidence Level (TCL) for the tool Development.
Tool: Development
Description: This is not a concrete tool but just a model of any development tool chain (including humans) that can cause different errors when producing source code.
Impact: TI 2 (Impact)
Tool Confidence Level: TCL 2
Table 763 Tool: Development
The tool Development is modeled with 5 elements which have impact, none of them are assumptions. No additional features have been modeled.
Elements | Amount (Assumptions)
Use Cases | 1 (0)
Checks | 0 (0)
Restrictions | 0 (0)
Potential Errors | 4 (0)
Table 764 Amount of Elements in Tool: Development
1.3.1 USE CASES OF DEVELOPMENT
This section describes all analyzed use cases of Development in separate subsections. The following use cases of the tool Development are considered:
1. Create Code, see Section 0
1.3.1.1 USE CASE CREATE CODE
This section describes the use case "Create Code".
UseCase: Create Code
Description: This is the use case of creating C code; it collects some potential errors that can be discovered by the test tool.
Table 765 UseCase: Create Code
The use case requires no features and calls no other use cases.
The use case "Create Code" reads and/or writes the following artifacts. The used artifacts are shown in Table 97 and are summarized in the subsequent table.
Fig 139 Artifacts of Use Case: Create Code
Artifacts of Use Case: Create Code
Outputs:
• C/C++ Source Code
Table 766 Artifacts of Use Case: Create Code
1.3.2 FEATURES OF DEVELOPMENT
There are no features modeled for Development.
1.3.3 POTENTIAL ERRORS IN DEVELOPMENT
The tool has 4 different potential errors in 4 occurrences in use cases. The error flow consists of all relations from errors to checks or restrictions. There are
• no relation from errors caused by other tools to checks or restrictions defined for use cases of this tool.
• no relation from errors caused by this tool to checks or restrictions defined for use cases of this tool.
• no relation from errors caused by this tool to checks or restrictions defined for use cases of other tools.
• 4 errors caused by this tool without any relation to checks or restrictions.
The following 4 error occurrences of Development have no relation to any check or restriction:
• Assertion Violation (Table 99)
• Dead Code (TCL Determination for Use Case: Generation HW Coverage)
• Other Programming Error (TCL Determination for Use Case: HW/SW allocation)
• Runtime Error (Table 101)
1.3.4 RESTRICTIONS IN DEVELOPMENT
There are no restrictions in the tool Development.
1.3.5 CHECKS IN DEVELOPMENT
No checks are performed in the tool Development.
1.3.6 ASSUMPTIONS
The determination of the TCL of Development is not based on assumed checks and restrictions. None of the checks and restrictions are modeled as assumptions.
1.3.7 TCL DETERMINATION
This section determines a TCL for each use case by assigning checks or restrictions with detection/avoidance probability to each potential error. The TCL for the entire tool can be derived from the TCL for each use case. The tool Development has no use case with TCL 1, one use case with TCL 2 and no use case with TCL 3. Therefore the tool Development has TCL 2. The use cases are described in the following sections:
• For "Create Code" (TCL 2) see Section 1.4.7.5.
1.3.7.1 TCL DETERMINATION FOR USE CASE: CREATE CODE
The use case "Create Code" has TCL 2. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "Create Code".
Error | TD | Table
Assertion Violation | TD 3 (LOW) | Table 99
Dead Code | TD 3 (LOW) | TCL Determination for Use Case: Generation HW Coverage
Other Programming Error | TD 3 (LOW) | TCL Determination for Use Case: HW/SW allocation
Runtime Error | TD 3 (LOW) | Table 101
Table 767 Errors of Use Case: Create Code
Error: Assertion Violation
Description: The program contains assertions that can be violated under some conditions.
From use case: Create Code
Occurrences:
• in Create Code
Error View:
Table 768 Error: Assertion Violation
Error: Dead Code
Description: Code that is not reachable is called dead code.
From use case: Create Code
Occurrences:
• in Create Code
Error View:
Table 769 Error: Dead Code
Error: Other Programming Error
Description: Any other functional error that can be introduced into the code.
From use case: Create Code
Occurrences:
• in Create Code
Error View:
Table 770 Error: Other Programming Error
Error: Runtime Error
Description: A runtime error is an error that causes the program to crash during execution. This
From use case: Create Code
Occurrences:
• in Create Code
Error View:
Table 771 Error: Runtime Error
1.4 ISO 26262 REVIEWS
This section explains the determination of the Tool Confidence Level (TCL) for the tool ISO 26262 Reviews.
Tool: ISO 26262 Reviews
Description: This virtual tool represents the reviews required by the ISO 26262.
Comment: If the process shall be compliant to the ISO 26262, the user has to perform these reviews anyhow.
Impact: TI 2 (Impact)
Tool Confidence Level: TCL 1
Table 772 Tool: ISO 26262 Reviews
The tool ISO 26262 Reviews is modeled with one element which has impact, and this element is an assumption. No additional features have been modeled.
Elements | Amount (Assumptions)
Use Cases | 0 (0)
Checks | 1 (1)
Restrictions | 0 (0)
Potential Errors | 0 (0)
Table 773 Amount of Elements in Tool: ISO 26262 Reviews
1.4.1 USE CASES OF ISO 26262 REVIEWS
There are no use cases modeled for ISO 26262 Reviews.
1.4.2 FEATURES OF ISO 26262 REVIEWS
There are no features modeled for ISO 26262 Reviews.
1.4.3 POTENTIAL ERRORS IN ISO 26262 REVIEWS
The tool has no potential error. The error flow, as can be seen in Table 102, consists of all relations from errors to checks or restrictions. There are
• 11 relations from errors caused by other tools to checks or restrictions defined for use cases of this tool.
• no relation from errors caused by this tool to checks or restrictions defined for use cases of this tool.
• no relation from errors caused by this tool to checks or restrictions defined for use cases of other tools.
Fig 140 Error Flow to and from ISO 26262 Reviews
The TCL Determination for Use Case: Item Definition shows all 11 relations, introduced by one other tool (Tool Chain Analyzer):
Error | UseCase | Table
Document Generated Wrongly | Generate Tool Classification Report | Fig 37
TCL Wrongly Shown | Determinate Tool Confidence Level | Table 194
TCL Wrongly Written | Determinate Tool Confidence Level | Table 195
Wrong Export | Cost Calculation | Table 185
Wrong Export | Review Model | Feature Edit Model
Wrong Import | Cost Calculation | Table 186
Wrong Import | Review Model | Fig 85
Wrong TCL Computed | Determinate Tool Confidence Level | Table 196
Wrong TCL Computed | Generate Tool Classification Report | Use Case Modelling
Wrong XML Export | Create Model | Table 190
Wrong XML Import | Create Model | Table 191
Table 774 Errors introduced in ISO 26262 Reviews by other tools
1.4.4 RESTRICTIONS IN ISO 26262 REVIEWS
There are no restrictions in the tool ISO 26262 Reviews.
1.4.5 CHECKS IN ISO 26262 REVIEWS
The following check is performed in the tool ISO 26262 Reviews.
Check: Detect Wrong TCL
Description: An error in the TCL computation is detected. Since the review is performed on the basis of the generated report, it will also detect errors in the report generation and in the image generation and all other modeling errors with a high probability.
Comment: TCL computation is an easy task and review is an effective verification method for that purpose.
From use case: ISO 26262 Reviews,SG_Confirmation Review Of TCLs
Occurrences:
• in SG_Confirmation Review Of TCLs
Error detection probability: TD 1 (HIGH)
Detected errors from other tools:
• SG_Confirmation Review Of TCLs,Tool Chain Analyzer,Compute Tool Confidence Level,Wrong TCL Computed
• SG_Confirmation Review Of TCLs,Tool Chain Analyzer,Determinate Tool Confidence Level,TCL Wrongly Shown
• SG_Confirmation Review Of TCLs,Tool Chain Analyzer,Determinate Tool Confidence Level,TCL Wrongly Written
• SG_Confirmation Review Of TCLs,Tool Chain Analyzer,Excel Interface,Wrong Export
• SG_Confirmation Review Of TCLs,Tool Chain Analyzer,Excel Interface,Wrong Import
• SG_Confirmation Review Of TCLs,Tool Chain Analyzer,Generate Word (docx),Document Generated Wrongly
• SG_Confirmation Review Of TCLs,Tool Chain Analyzer,Xml Interface,Wrong XML Export
• SG_Confirmation Review Of TCLs,Tool Chain Analyzer,Xml Interface,Wrong XML Import
Is assumption: True
Relations to other tools:
Table 775 Check: Detect Wrong TCL
1.4.6 ASSUMPTIONS
The determination of the TCL of ISO 26262 Reviews is based on the following assumption on the development process.
• Check: Detect Wrong TCL (TCL Determination for Use Case: Safety goals definition) occurs in:
o SG_Confirmation Review Of TCLs
1.4.7 TCL DETERMINATION
This section determines a TCL for each use case by assigning checks or restrictions with detection/avoidance probability to each potential error. The TCL for the entire tool can be derived from the TCL for each use case. The tool ISO 26262 Reviews has no use case with TCL 1, no use case with TCL 2 and no use case with TCL 3. Therefore the tool ISO 26262 Reviews has TCL 1. There are no use cases modeled for the tool ISO 26262 Reviews.
1.5 NUSMV MODEL CHECKER
This section explains the determination of the Tool Confidence Level (TCL) for the tool nuSMV Model Checker.
Tool: nuSMV Model Checker
Description: -None-
Impact: TI 2 (Impact)
Tool Confidence Level: TCL 1
Table 776 Tool: nuSMV Model Checker
The tool nuSMV Model Checker is modeled with no element which has impact. No additional features have been modeled.
Elements | Amount (Assumptions)
Use Cases | 0 (0)
Checks | 0 (0)
Restrictions | 0 (0)
Potential Errors | 0 (0)
Table 777 Amount of Elements in Tool: nuSMV Model Checker
1.5.1 USE CASES OF NUSMV MODEL CHECKER
There are no use cases modeled for nuSMV Model Checker.
1.5.2 FEATURES OF NUSMV MODEL CHECKER
There are no features modeled for nuSMV Model Checker.
1.5.3 POTENTIAL ERRORS IN NUSMV MODEL CHECKER
The tool has no potential error. The error flow consists of all relations from errors to checks or restrictions. There are
• no relation from errors caused by other tools to checks or restrictions defined for use cases of this tool.
• no relation from errors caused by this tool to checks or restrictions defined for use cases of this tool.
• no relation from errors caused by this tool to checks or restrictions defined for use cases of other tools.
1.5.4 RESTRICTIONS IN NUSMV MODEL CHECKER
There are no restrictions in the tool nuSMV Model Checker.
1.5.5 CHECKS IN NUSMV MODEL CHECKER
No checks are performed in the tool nuSMV Model Checker.
1.5.6 ASSUMPTIONS
The determination of the TCL of nuSMV Model Checker is not based on assumed checks and restrictions. None of the checks and restrictions are modeled as assumptions.
1.5.7 TCL DETERMINATION
This section determines a TCL for each use case by assigning checks or restrictions with detection/avoidance probability to each potential error. The TCL for the entire tool can be derived from the TCL for each use case. The tool nuSMV Model Checker has no use case with TCL 1, no use case with TCL 2 and no use case with TCL 3. Therefore the tool nuSMV Model Checker has TCL 1. There are no use cases modeled for the tool nuSMV Model Checker.
1.6 PHAROS MICRO KERNEL
This section explains the determination of the Tool Confidence Level (TCL) for the tool PharOS micro kernel.
Tool: PharOS micro kernel
Description: PharOS micro kernel
Impact: TI 2 (Impact)
Tool Confidence Level: TCL 1
Table 778 Tool: PharOS micro kernel
The tool PharOS micro kernel is modeled with 9 elements which have impact, none of them are assumptions. In addition, 4 features have been modeled, none of them are assumptions.
Elements | Amount (Assumptions)
Use Cases | 1 (0)
Checks | 4 (0)
Restrictions | 0 (0)
Potential Errors | 4 (0)
Table 779 Amount of Elements in Tool: PharOS micro kernel
1.6.1 USE CASES OF PHAROS MICRO KERNEL
This section describes all analyzed use cases of PharOS micro kernel in separate subsections. The following use cases of the tool PharOS micro kernel are considered:
1. target execution, see Section 0
1.6.1.1 USE CASE TARGET EXECUTION
This section describes the use case "target execution".
UseCase: target execution
Description: -None-
Table 780 UseCase: target execution
The use case requires 4 features and calls no other use cases. Table 105 shows the dependencies between the use cases and features.
Fig 141 Dependency View of Use Case: target execution
"target execution" uses the following features:
• Budget monitoring
• Deadline monitoring
• Memory protection
• Node transition monitoring
The use case "target execution" reads and/or writes the following artifacts. The used artifacts are shown in Table 106 and are summarized in the subsequent table.
Fig 142 Artifacts of Use Case: target execution
Artifacts of Use Case: target execution
Inputs:
• Binary executable
Table 781 Artifacts of Use Case: target execution
1.6.2 FEATURES OF PHAROS MICRO KERNEL
This section describes all analyzed features of PharOS micro kernel in separate subsections. The following features of the tool PharOS micro kernel are considered:
1. Budget monitoring, see Section 1.4.7.10
2. Deadline monitoring, see Section 0
3. Memory protection, see Section 0
4. Node transition monitoring, see Section 1.7.1.1
1.6.2.1 FEATURE BUDGET MONITORING
This section describes the feature "Budget monitoring".
Feature: Budget monitoring
Description: -None-
Table 782 Feature: Budget monitoring
Usually a feature reads and/or writes a number of artifacts in order to fulfill its requirements. In "Budget monitoring", however, the tool PharOS micro kernel uses no artifacts.
1.6.2.2 FEATURE DEADLINE MONITORING
This section describes the feature "Deadline monitoring".
Feature: Deadline monitoring
Description: -None-
Table 783 Feature: Deadline monitoring
Usually a feature reads and/or writes a number of artifacts in order to fulfill its requirements. In "Deadline monitoring", however, the tool PharOS micro kernel uses no artifacts.
1.6.2.3 FEATURE MEMORY PROTECTION
This section describes the feature "Memory protection".
Feature: Memory protection
Description: -None-
Table 784 Feature: Memory protection
Usually a feature reads and/or writes a number of artifacts in order to fulfill its requirements. In "Memory protection", however, the tool PharOS micro kernel uses no artifacts.
1.6.2.4 FEATURE NODE TRANSITION MONITORING
This section describes the feature "Node transition monitoring".
Feature: Node transition monitoring
Description: -None-
Table 785 Feature: Node transition monitoring
Usually a feature reads and/or writes a number of artifacts in order to fulfill its requirements. In "Node transition monitoring", however, the tool PharOS micro kernel uses no artifacts.
1.6.3 POTENTIAL ERRORS IN PHAROS MICRO KERNEL
The tool has 4 different potential errors in 4 occurrences in use cases. The error flow, as can be seen in Fig 13, consists of all relations from errors to checks or restrictions. There are
• no relation from errors caused by other tools to checks or restrictions defined for use cases of this tool.
• 4 relations from errors caused by this tool to checks or restrictions defined for use cases of this tool.
• no relation from errors caused by this tool to checks or restrictions defined for use cases of other tools.
Fig 143 Error Flow to and from PharOS micro kernel
PharOS micro kernel has the following 4 relations, which are detected by checks or restrictions of this tool. The errors are described in detail in the TCL analysis of the corresponding use cases:
• Budget error (Fig 14)
• Communication buffer overflow (Use Case Modelling)
• Dead line error (Fig 15)
• Node transition error (Use Case Modelling Requirements)
1.6.4 RESTRICTIONS IN PHAROS MICRO KERNEL
There are no restrictions in the tool PharOS micro kernel.
1.6.5 CHECKS IN PHAROS MICRO KERNEL
The following 4 checks are performed in the tool PharOS micro kernel.
Check: Budget monitoring
Description: -None-
From feature: PharOS micro kernel,Budget monitoring
Occurrences:
• in Budget monitoring in target execution
Error detection probability: TD 1 (HIGH)
Detected errors:
• target execution,Budget error
Table 786 Check: Budget monitoring
Check: Monitor memory access
Description: -None-
From feature: PharOS micro kernel,Memory protection
Occurrences:
• in Memory protection in target execution
Error detection probability: TD 1 (HIGH)
Detected errors:
• target execution,Communication buffer overflow
Table 787 Check: Monitor memory access
Check: Monitor node transitions
Description: -None-
From feature: PharOS micro kernel,Node transition monitoring
Occurrences:
• in Node transition monitoring in target execution
Error detection probability: TD 1 (HIGH)
Detected errors:
• target execution,Node transition error
Table 788 Check: Monitor node transitions
Check: Monitors deadline
Description: -None-
From feature: PharOS micro kernel,Deadline monitoring
Occurrences:
• in Deadline monitoring in target execution
Error detection probability: TD 1 (HIGH)
Detected errors:
• target execution,Dead line error
Table 789 Check: Monitors deadline
1.6.6 ASSUMPTIONS
The determination of the TCL of PharOS micro kernel is not based on assumed checks and restrictions. None of the checks and restrictions are modeled as assumptions.
1.6.7 TCL DETERMINATION
This section determines a TCL for each use case by assigning checks or restrictions with detection/avoidance probability to each potential error. The TCL for the entire tool can be derived from the TCL for each use case. The tool PharOS micro kernel has one use case with TCL 1, no use case with TCL 2 and no use case with TCL 3. Therefore the tool PharOS micro kernel has TCL 1. The use cases are described in the following sections:
• For "target execution" (TCL 1) see Section 1.7.1.2.
1.6.7.1 TCL DETERMINATION FOR USE CASE: TARGET EXECUTION
The use case "target execution" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "target execution".
Error | TD | Table
Budget error | TD 1 (HIGH) | Fig 14
Communication buffer overflow | TD 1 (HIGH) | Use Case Modelling
Dead line error | TD 1 (HIGH) | Fig 15
Node transition error | TD 1 (HIGH) | Use Case Modelling Requirements
Table 790 Errors of Use Case: target execution
Error: Budget error
Description: A task consumes more than its allocated budget.
From use case: target execution
Discovered by the following checks:
• Budget monitoring.Budget monitoring
Occurrences:
• in target execution
Error View:
Table 791 Error: Budget error
Error: Communication buffer overflow
Description: -None-
From use case: target execution
Discovered by the following checks:
• Memory protection.Monitor memory access
Occurrences:
• in target execution
Error View:
Table 792 Error: Communication buffer overflow
Error: Dead line error
Description: -None-
From use case: target execution
Discovered by the following checks:
• Deadline monitoring.Monitors deadline
Occurrences:
• in target execution
Error View:
Table 793 Error: Dead line error
Error: Node transition error
Description: -None-
From use case: target execution
Discovered by the following checks:
• Node transition monitoring.Monitor node transitions
Occurrences:
• in target execution
Error View:
Table 794 Error: Node transition error
1.7 PHAROS OFFLINE COMPUTATION
This section explains the determination of the Tool Confidence Level (TCL) for the tool PharOS offline computation.
Tool: PharOS offline computation
Description: PsyC to C compiler
Impact: TI 2 (Impact)
Tool Confidence Level: TCL 1
Table 795 Tool: PharOS offline computation
The tool PharOS offline computation is modeled with 5 elements which have impact, none of them are assumptions. In addition, 3 features have been modeled, none of them are assumptions.
Elements | Amount (Assumptions)
Use Cases | 1 (0)
Checks | 2 (0)
Restrictions | 0 (0)
Potential Errors | 2 (0)
Table 796 Amount of Elements in Tool: PharOS offline computation
1.7.1 USE CASES OF PHAROS OFFLINE COMPUTATION
This section describes all analyzed use cases of PharOS offline computation in separate subsections. The following use cases of the tool PharOS offline computation are considered:
1. Psy1, see Section 0
1.7.1.1 USE CASE PSY1
This section describes the use case "Psy1".
UseCase: Psy1
Description: Invokes Psy1, which is a PsyC to C compiler.
Table 797 UseCase: Psy1
The use case requires 3 features and calls no other use cases. Fig 17 shows the dependencies between the use cases and features.
Fig 144 Dependency View of Use Case: Psy1
"Psy1" uses the following features:
• Execution graph extraction
• Feasibility
• Spatial constraints
The use case "Psy1" reads and/or writes the following artifacts. The used artifacts are shown in Feature Edit Model and are summarized in the subsequent table.
Fig 145 Artifacts of Use Case: Psy1
Artifacts of Use Case: Psy1
Inputs:
• Timing Parameters
Outputs:
• C/C++ Source Code
• Execution Graph
Table 798 Artifacts of Use Case: Psy1
1.7.2 FEATURES OF PHAROS OFFLINE COMPUTATION
This section describes all analyzed features of PharOS offline computation in separate subsections. The following features of the tool PharOS offline computation are considered:
1. Execution graph extraction, see Section 1.7.7.1
2. Feasibility, see Section 0
3. Spatial constraints, see Section 1.7.7.2
1.7.2.1 FEATURE EXECUTION GRAPH EXTRACTION
This section describes the feature "Execution graph extraction".
Feature: Execution graph extraction
Description: -None-
Table 799 Feature: Execution graph extraction
The feature "Execution graph extraction" reads and/or writes the following artifacts. The used artifacts are shown in Table 125 and are summarized in the subsequent table.
Fig 146 Artifacts of Feature: Execution graph extraction
Artifacts of Feature: Execution graph extraction
Inputs:
• Timing Parameters
Outputs:
• Execution Graph
Table 800 Artifacts of Feature: Execution graph extraction
1.7.2.2 FEATURE FEASABILITY
This section describes the feature "Feasability".
Feature: Feasability
Description: -None-
Table 801 Feature: Feasability
The feature "Feasability" reads and/or writes the following artifacts. The used artifacts are shown in Table 127 and are summarized in the subsequent table.
Fig 147 Artifacts of Feature: Feasability
Artifacts of Feature: Feasability
Inputs:
• Timing Parameters
Table 802 Artifacts of Feature: Feasability
1.7.2.3 FEATURE SPATIAL CONSTRAINTS
This section describes the feature "Spatial constraints".
Feature: Spatial constraints
Description: Communication buffers sizing, domains, execution stack size, ...
Table 803 Feature: Spatial constraints
The feature "Spatial constraints" reads and/or writes the following artifacts. The used artifacts are shown in Table 129 and are summarized in the subsequent table.
Fig 148 Artifacts of Feature: Spatial constraints
Artifacts of Feature: Spatial constraints
Inputs:
• Timing Parameters
Outputs:
• Spatial Constraints
Table 804 Artifacts of Feature: Spatial constraints
1.7.3 POTENTIAL ERRORS IN PHAROS OFFLINE COMPUTATION
The tool has 2 different potential errors in 2 occurrences in use cases. The error flow, as can be seen in TCL Determination for Use Case: Modelling, consists of all relations from errors to checks or restrictions. There are
• no relation from errors caused by other tools to checks or restrictions defined for use cases of this tool.
• 2 relations from errors caused by this tool to checks or restrictions defined for use cases of this tool.
• no relation from errors caused by this tool to checks or restrictions defined for use cases of other tools.
Fig 149 Error Flow to and from PharOS offline computation
PharOS offline computation has the following 2 relations, which are detected by checks or restrictions of this tool. The errors are described in detail in the TCL analysis of the corresponding use cases:
• Deadlines are not met (Table 132)
• System under sized (Table 133)
1.7.4 RESTRICTIONS IN PHAROS OFFLINE COMPUTATION
There are no restrictions in the tool PharOS offline computation.
1.7.5 CHECKS IN PHAROS OFFLINE COMPUTATION
The following 2 checks are performed in the tool PharOS offline computation.
Check: Deadlines
Description: Analysis of the tasks and their timing budgets
From feature: PharOS offline computation, Feasability
Occurrences:
• in Feasability in Psy1
Error detection probability: TD 1 (HIGH)
Detected errors:
• Psy1, Deadlines are not met
Table 805 Check: Deadlines
Check: Timing budget
Description: Checks that the system can meet its deadlines even if tasks consume all of their timing budget
From feature: PharOS offline computation, Feasability
Occurrences:
• in Feasability in Psy1
Error detection probability: TD 1 (HIGH)
Detected errors:
• Psy1, System under sized
Table 806 Check: Timing budget
1.7.6 ASSUMPTIONS
The determination of the TCL of PharOS offline computation is not based on assumed checks and restrictions. None of the checks and restrictions are modeled as assumptions.
1.7.7 TCL DETERMINATION
This section determines a TCL for each use case by assigning checks or restrictions with detection/avoidance probability to each potential error. The TCL for the entire tool can be derived from the TCL for each use case. The tool PharOS offline computation has one use case with TCL 1, no use case with TCL 2 and no use case with TCL 3. Therefore the tool PharOS offline computation has TCL 1. The use cases are described in the following sections:
• For "Psy1" (TCL 1) see Section 0.
1.7.7.1 TCL DETERMINATION FOR USE CASE: PSY1
The use case "Psy1" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "Psy1".
Error                   TD           Table
Deadlines are not met   TD 1 (HIGH)  Table 132
System under sized      TD 1 (HIGH)  Table 133
Table 807 Errors of Use Case: Psy1
Error: Deadlines are not met
Description: -None-
From use case: Psy1
Discovered by the following checks:
• Feasability.Deadlines
Occurrences:
• in Psy1
Error View:
Table 808 Error: Deadlines are not met
Error: System under sized
Description: Scheduling is not possible with the current timing budgets for tasks
From use case: Psy1
Discovered by the following checks:
• Feasability.Timing budget
Occurrences:
• in Psy1
Error View:
Table 809 Error: System under sized
1.8 PHAROS RUNTIME GENERATION
This section explains the determination of the Tool Confidence Level (TCL) for the tool PharOS runtime generation.
Tool: PharOS runtime generation
Description: Creates the compilation environment for the runtime.
Impact: TI 2 (Impact)
Tool Confidence Level: TCL 3
Table 810 Tool: PharOS runtime generation
The tool PharOS runtime generation is modeled with 3 elements which have impact, none of them are assumptions. In addition there have been modeled 3 features, none of them are assumptions.
Elements          Amount (Assumptions)
Use Cases         2 (0)
Checks            0 (0)
Restrictions      0 (0)
Potential Errors  1 (0)
Table 811 Amount of Elements in Tool: PharOS runtime generation
1.8.1 USE CASES OF PHAROS RUNTIME GENERATION
This section describes all analyzed use cases of PharOS runtime generation in separate subsections. The following use cases of the tool PharOS runtime generation are considered:
1. cross compilation, see Section 0
2. Psycc, see Section 0
1.8.1.1 USE CASE CROSS COMPILATION
This section describes the use case "cross compilation".
UseCase: cross compilation
Description: -None-
Table 812 UseCase: cross compilation
The use case requires no features and calls no other use cases. In order to fulfill the requirements of the use case, usually a number of artifacts will be read and/or written. But in "cross compilation" the tool PharOS runtime generation uses no artifacts.
1.8.1.2 USE CASE PSYCC
This section describes the use case "Psycc".
UseCase: Psycc
Description: Generates the cross compilation environment
Table 813 UseCase: Psycc
The use case requires 3 features and calls no other use cases. Table 136 shows the dependencies between the use cases and features.
Fig 150 Dependency View of Use Case: Psycc
"Psycc" uses the following features:
• Link with PharOS micro-kernel
• Linker script generation
• MPU table genration
The use case "Psycc" reads and/or writes the following artifacts. The used artifacts are shown in TCL Determination for Use Case: Modelling Requirements and are summarized in the subsequent table.
Fig 151 Artifacts of Use Case: Psycc
Artifacts of Use Case: Psycc
Inputs:
• C/C++ Source Code
Table 814 Artifacts of Use Case: Psycc
1.8.2 FEATURES OF PHAROS RUNTIME GENERATION
This section describes all analyzed features of PharOS runtime generation in separate subsections. The following features of the tool PharOS runtime generation are considered:
1. Link with PharOS micro-kernel, see Section 1.8.1.1
2. Linker script generation, see Section 0
3. MPU table genration, see Section 1.8.7.1
1.8.2.1 FEATURE LINK WITH PHAROS MICRO-KERNEL
This section describes the feature "Link with PharOS micro-kernel".
Feature: Link with PharOS micro-kernel
Description: The micro-kernel provides communication mechanisms, scheduling and monitoring features to the application
Table 815 Feature: Link with PharOS micro-kernel
The feature "Link with PharOS micro-kernel" reads and/or writes the following artifacts. The used artifacts are shown in Fig 18 and are summarized in the subsequent table.
Fig 152 Artifacts of Feature: Link with PharOS micro-kernel
Artifacts of Feature: Link with PharOS micro-kernel
Inputs:
• Binary executable
Outputs:
• Binary executable
Table 816 Artifacts of Feature: Link with PharOS micro-kernel
1.8.2.2 FEATURE LINKER SCRIPT GENERATION
This section describes the feature "Linker script generation".
Feature: Linker script generation
Description: Generation of a platform-dependent linker script
Table 817 Feature: Linker script generation
In order to fulfill the requirements of the feature, usually a number of artifacts will be read and/or written. But in "Linker script generation" the tool PharOS runtime generation uses no artifacts.
1.8.2.3 FEATURE MPU TABLE GENRATION
This section describes the feature "MPU table genration".
Feature: MPU table genration
Description: Memory protection unit configuration
Table 818 Feature: MPU table genration
The feature "MPU table genration" reads and/or writes the following artifacts. The used artifacts are shown in Table 143 and are summarized in the subsequent table.
Fig 153 Artifacts of Feature: MPU table genration
Artifacts of Feature: MPU table genration
Inputs:
• C/C++ Source Code
Outputs:
• Binary executable
Table 819 Artifacts of Feature: MPU table genration
1.8.3 POTENTIAL ERRORS IN PHAROS RUNTIME GENERATION
The tool has one potential error in one occurrence in use cases. The error flow consists of all relations from errors to checks or restrictions. There are
• no relation from errors caused by other tools to checks or restrictions defined for use cases of this tool.
• no relation from errors caused by this tool to checks or restrictions defined for use cases of this tool.
• no relation from errors caused by this tool to checks or restrictions defined for use cases of other tools.
• one error caused by this tool without any relation to checks or restrictions.
The following one error occurrence of PharOS runtime generation has no relation to any check or restriction:
• AnyError (Fig 20)
1.8.4 RESTRICTIONS IN PHAROS RUNTIME GENERATION
There are no restrictions in the tool PharOS runtime generation.
1.8.5 CHECKS IN PHAROS RUNTIME GENERATION
No checks are performed in the tool PharOS runtime generation.
1.8.6 ASSUMPTIONS
The determination of the TCL of PharOS runtime generation is not based on assumed checks and restrictions. None of the checks and restrictions are modeled as assumptions.
1.8.7 TCL DETERMINATION
This section determines a TCL for each use case by assigning checks or restrictions with detection/avoidance probability to each potential error. The TCL for the entire tool can be derived from the TCL for each use case. The tool PharOS runtime generation has one use case with TCL 1, no use case with TCL 2 and one use case with TCL 3. Therefore the tool PharOS runtime generation has TCL 3. The use cases are described in the following sections:
• For "cross compilation" (TCL 1) see Section 0, and
• for "Psycc" (TCL 3) see Section 1.9.1.1.
1.8.7.1 TCL DETERMINATION FOR USE CASE: CROSS COMPILATION
The use case "cross compilation" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. This use case has no errors.
1.8.7.2 TCL DETERMINATION FOR USE CASE: PSYCC
The use case "Psycc" has TCL 3. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "Psycc".
Error     TD          Table
AnyError  TD 3 (LOW)  Fig 20
Table 820 Errors of Use Case: Psycc
Error: AnyError
Description: -None-
From use case: Psycc
Occurrences:
• in Psycc
Error View:
Table 821 Error: AnyError
1.9 PROCESS CHECKER
This section explains the determination of the Tool Confidence Level (TCL) for the tool Process Checker.
Tool: Process Checker
Description: This is a manual step to validate the process for completeness. If this is the case, TCA model validation can be omitted.
Impact: TI 2 (Impact)
Tool Confidence Level: TCL 1
Table 822 Tool: Process Checker
The tool Process Checker is modeled with one element which has impact which is not an assumption. No additional features have been modeled.
Elements          Amount (Assumptions)
Use Cases         0 (0)
Checks            0 (0)
Restrictions      1 (0)
Potential Errors  0 (0)
Table 823 Amount of Elements in Tool: Process Checker
1.9.1 USE CASES OF PROCESS CHECKER
There are no use cases modeled for Process Checker.
1.9.2 FEATURES OF PROCESS CHECKER
There are no features modeled for Process Checker.
1.9.3 POTENTIAL ERRORS IN PROCESS CHECKER
The tool has no potential error. The error flow, as can be seen in Use Case Create Model, consists of all relations from errors to checks or restrictions. There are
• 2 relations from errors caused by other tools to checks or restrictions defined for use cases of this tool.
• no relation from errors caused by this tool to checks or restrictions defined for use cases of this tool.
• no relation from errors caused by this tool to checks or restrictions defined for use cases of other tools.
Fig 154 Error Flow to and from Process Checker
Fig 21 shows all 2 relations, introduced by one other tool:
Tool                 Error                            UseCase       Table
Tool Chain Analyzer  Process Inconsistently Modelled  Create Model  TCL Determination for Use Case: Generate Tool Classification Report
Tool Chain Analyzer  Process Inconsistently Modelled  Review Model  Fig 84
Table 824 Errors introduced in Process Checker by other tools
1.9.4 RESTRICTIONS IN PROCESS CHECKER
The tool Process Checker must only be used with the following restriction.
Restriction: Consistent Process
Description: This ensures that the process is consistent
From use case: Process Checker, Validate Process
Error avoidance probability: TD 1 (HIGH)
Occurrences:
• in Validate Process
Avoided errors from other tools:
• Validate Process, Tool Chain Analyzer, Model Validation, Process Inconsistently Modelled
Relations to other tools:
Table 825 Restriction: Consistent Process
1.9.5 CHECKS IN PROCESS CHECKER
No checks are performed in the tool Process Checker.
1.9.6 ASSUMPTIONS
The determination of the TCL of Process Checker is not based on assumed checks and restrictions. None of the checks and restrictions are modeled as assumptions.
1.9.7 TCL DETERMINATION
This section determines a TCL for each use case by assigning checks or restrictions with detection/avoidance probability to each potential error. The TCL for the entire tool can be derived from the TCL for each use case. The tool Process Checker has no use case with TCL 1, no use case with TCL 2 and no use case with TCL 3. Therefore the tool Process Checker has TCL 1. There are no use cases modeled for the tool Process Checker.
1.10 SIMULINK DESIGN VERIFIER
This section explains the determination of the Tool Confidence Level (TCL) for the tool Simulink Design Verifier.
Tool: Simulink Design Verifier
Description: A verifier for Simulink/Stateflow models provided by Mathworks
Impact: TI 2 (Impact)
Tool Confidence Level: TCL 1
Table 826 Tool: Simulink Design Verifier
The tool Simulink Design Verifier is modeled with 2 elements which have impact, none of them are assumptions. No additional features have been modeled.
Elements          Amount (Assumptions)
Use Cases         1 (0)
Checks            0 (0)
Restrictions      0 (0)
Potential Errors  1 (0)
Table 827 Amount of Elements in Tool: Simulink Design Verifier
1.10.1 USE CASES OF SIMULINK DESIGN VERIFIER
This section describes all analyzed use cases of Simulink Design Verifier in separate subsections. The following use cases of the tool Simulink Design Verifier are considered:
1. Verify, see Section 0
1.10.1.1 USE CASE VERIFY
This section describes the use case "Verify".
UseCase: Verify
Description: Check that the properties given as special assertion blocks in the model hold
Comment: OS: needs to update the model, otherwise no exchange with VerSAA tool possible
Table 828 UseCase: Verify
The use case requires no features and calls no other use cases. The use case "Verify" reads and/or writes the following artifacts. The used artifacts are shown in Use Case Determinate Tool Confidence Level and are summarized in the subsequent table.
Fig 155 Artifacts of Use Case: Verify
Artifacts of Use Case: Verify
Outputs:
• SLDV verification report
Inputs & Outputs:
• Simulink Model
Table 829 Artifacts of Use Case: Verify
1.10.2 FEATURES OF SIMULINK DESIGN VERIFIER
There are no features modeled for Simulink Design Verifier.
1.10.3 POTENTIAL ERRORS IN SIMULINK DESIGN VERIFIER
The tool has one potential error in one occurrence in use cases. The error flow consists of all relations from errors to checks or restrictions. There are
• no relation from errors caused by other tools to checks or restrictions defined for use cases of this tool.
• no relation from errors caused by this tool to checks or restrictions defined for use cases of this tool.
• no relation from errors caused by this tool to checks or restrictions defined for use cases of other tools.
• one error caused by this tool without any relation to checks or restrictions.
The following one error occurrence of Simulink Design Verifier has no relation to any check or restriction:
• Unsound verification (Fig 24)
1.10.4 RESTRICTIONS IN SIMULINK DESIGN VERIFIER
There are no restrictions in the tool Simulink Design Verifier.
1.10.5 CHECKS IN SIMULINK DESIGN VERIFIER
No checks are performed in the tool Simulink Design Verifier.
1.10.6 ASSUMPTIONS
The determination of the TCL of Simulink Design Verifier is not based on assumed checks and restrictions. None of the checks and restrictions are modeled as assumptions.
1.10.7 TCL DETERMINATION
This section determines a TCL for each use case by assigning checks or restrictions with detection/avoidance probability to each potential error. The TCL for the entire tool can be derived from the TCL for each use case. The tool Simulink Design Verifier has one use case with TCL 1, no use case with TCL 2 and no use case with TCL 3. Therefore the tool Simulink Design Verifier has TCL 1. The use cases are described in the following sections:
• For "Verify" (TCL 1) see Section 0.
1.10.7.1 TCL DETERMINATION FOR USE CASE: VERIFY
The use case "Verify" has TCL 1. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "Verify".
Error                 TD          Table
Unsound verification  TD 3 (LOW)  Fig 24
Table 830 Errors of Use Case: Verify
Error: Unsound verification
Description: The Simulink Design Verifier is not guaranteed to be sound. The same problems as for VerSAA exist.
From use case: Verify
Occurrences:
• in Verify
Error View:
Table 831 Error: Unsound verification
1.11 TOOL CHAIN ANALYZER
This section explains the determination of the Tool Confidence Level (TCL) for the tool Tool Chain Analyzer.
Tool: Tool Chain Analyzer
Description: The tool TCA to analyze tool chains. It can be obtained from Validas AG at www.validas.de/TCA.html
Impact: TI 2 (Impact)
Tool Confidence Level: TCL 3
Table 832 Tool: Tool Chain Analyzer
The tool Tool Chain Analyzer is modeled with 17 elements which have impact, none of them are assumptions. In addition there have been modeled 10 features, one of them is an assumption.
Elements          Amount (Assumptions)
Use Cases         5 (0)
Checks            1 (0)
Restrictions      0 (0)
Potential Errors  11 (0)
Table 833 Amount of Elements in Tool: Tool Chain Analyzer
1.11.1 USE CASES OF TOOL CHAIN ANALYZER
This section describes all analyzed use cases of Tool Chain Analyzer in separate subsections. The following use cases of the tool Tool Chain Analyzer are considered:
1. Cost Calculation, see Section 1.9.1.4
2. Create Model, see Section 0
3. Determinate Tool Confidence Level, see Section 0
4. Generate Tool Classification Report, see Section 1.9.2.2
5. Review Model, see Section 0
1.11.1.1 USE CASE COST CALCULATION
This section describes the use case "Cost Calculation".
UseCase: Cost Calculation
Description: The TCA can calculate the costs of the tool chain and the manual steps involved.
Table 834 UseCase: Cost Calculation
The use case requires 3 features and calls no other use cases. Fig 25 shows the dependencies between the use cases and features.
Fig 156 Dependency View of Use Case: Cost Calculation
"Cost Calculation" uses the following features:
• Cost Model
• EMF
• Excel Interface
In order to fulfill the requirements of the use case, usually a number of artifacts will be read and/or written. But in "Cost Calculation" the tool Tool Chain Analyzer uses no artifacts.
1.11.1.2 USE CASE CREATE MODEL
This section describes the use case "Create Model".
UseCase: Create Model
Description: The TCA model is created using interactive work with the tool
Table 835 UseCase: Create Model
The use case requires 3 features and calls no other use cases. Use Case Review Model shows the dependencies between the use cases and features.
Fig 157 Dependency View of Use Case: Create Model
"Create Model" uses the following features:
• EMF
• Model Validation
• Xml Interface
The use case "Create Model" reads and/or writes the following artifacts. The used artifacts are shown in Fig 27 and are summarized in the subsequent table.
Fig 158 Artifacts of Use Case: Create Model
Artifacts of Use Case: Create Model
Inputs:
• Overall Project Plan
• Safety Plan
Table 836 Artifacts of Use Case: Create Model
1.11.1.3 USE CASE DETERMINATE TOOL CONFIDENCE LEVEL
This section describes the use case "Determinate Tool Confidence Level".
UseCase: Determinate Tool Confidence Level
Description: The Tool Chain Analyzer determinates the Tool Confidence Level according to ISO 26262.
Comment: The TCA model is considered to be a part of the software tool application guidelines.
Table 837 UseCase: Determinate Tool Confidence Level
The use case requires 2 features and calls no other use cases. Feature Compute Tool Confidence Level shows the dependencies between the use cases and features.
Fig 159 Dependency View of Use Case: Determinate Tool Confidence Level
"Determinate Tool Confidence Level" uses the following features:
• Compute Tool Confidence Level
• EMF
The use case "Determinate Tool Confidence Level" reads and/or writes the following artifacts. The used artifacts are shown in Fig 29 and are summarized in the subsequent table.
Fig 160 Artifacts of Use Case: Determinate Tool Confidence Level
Artifacts of Use Case: Determinate Tool Confidence Level
Inputs:
• Overall Project Plan
• Safety Plan
Outputs:
• Safety Manual
• Tool Evaluation Report
Table 838 Artifacts of Use Case: Determinate Tool Confidence Level
1.11.1.4 USE CASE GENERATE TOOL CLASSIFICATION REPORT
This section describes the use case "Generate Tool Classification Report".
UseCase: Generate Tool Classification Report
Description: A tool classification report is generated containing the Tool Confidence Level for all tools. The tool classification report consists of two parts. The first one is related to the considered process and contains individual descriptions like information sources, tool versions etc. The second part describes the formal model of the tool chain with all elements (tools, use cases, artifacts, errors, probabilities, ...) and the automatically computed tool confidence level for each tool. The second part is generated from the TCA into a Word document. The information flows in the generated report are graphically visualised using the GraphViz tool.
Comment: We consider the generated report to be also a part of the tool application guidelines.
Table 839 UseCase: Generate Tool Classification Report
The use case requires 3 features and calls no other use cases. Fig 30 shows the dependencies between the use cases and features.
Fig 161 Dependency View of Use Case: Generate Tool Classification Report
"Generate Tool Classification Report" uses the following features:
• Compute Tool Confidence Level
• EMF
• Generate Word (docx)
The use case "Generate Tool Classification Report" reads and/or writes the following artifacts. The used artifacts are shown in Feature EMF and are summarized in the subsequent table.
Fig 162 Artifacts of Use Case: Generate Tool Classification Report
Artifacts of Use Case: Generate Tool Classification Report
Inputs:
• Overall Project Plan
Outputs:
• Tool Evaluation Report
Inputs & Outputs:
• Safety Manual
Table 840 Artifacts of Use Case: Generate Tool Classification Report
1.11.1.5 USE CASE REVIEW MODEL
This section describes the use case "Review Model".
UseCase: Review Model
Description: The model is reviewed using Excel interfaces that are easier to use for many reviewers
Table 841 UseCase: Review Model
The use case requires 4 features and calls no other use cases. Feature Excel Interface shows the dependencies between the use cases and features.
Fig 163 Dependency View of Use Case: Review Model
"Review Model" uses the following features:
• EMF
• Excel Interface
• Model Validation
• SG_Use Review Checklist
The use case "Review Model" reads and/or writes the following artifacts. The used artifacts are shown in Fig 32 and are summarized in the subsequent table.
Fig 164 Artifacts of Use Case: Review Model
Artifacts of Use Case: Review Model
Inputs:
• Overall Project Plan
• Safety Plan
Outputs:
• Review Protocol
Inputs & Outputs:
• Safety Manual
Table 842 Artifacts of Use Case: Review Model
1.11.2 FEATURES OF TOOL CHAIN ANALYZER
This section describes all analyzed features of Tool Chain Analyzer in separate subsections. The following features of the tool Tool Chain Analyzer are considered:
1. Compute Tool Confidence Level, see Section 1.9.2.5
2. Cost Model, see Section 1.9.2.6
3. EMF, see Section 1.9.2.7
4. Excel Interface, see Section 1.9.2.9
5. Generate Word (docx), see Section 0
6. Model Validation, see Section 0
7. Safety Guidelines, see Section 0
8. SG_Avoid Feature, see Section 0
9. SG_Use Review Checklist, see Section 0
10. Xml Interface, see Section 1.9.7.2
1.11.2.1 FEATURE COMPUTE TOOL CONFIDENCE LEVEL
This section describes the feature "Compute Tool Confidence Level".
Feature: Compute Tool Confidence Level
Description: The tool confidence level is computed according to ISO 26262. The tool confidence level (TCL) is computed based on the error detection (TD) probability of all potential errors in the relevant use cases, if a tool has impact (TI) on the safety of the product. More details can be found in the TCA user manual, which is located in the TCA plugin Documentation, for example: Programme\TCA150\TCA150\plugins\Documentation_1.5.0\UserManual.pdf
Table 843 Feature: Compute Tool Confidence Level
The feature "Compute Tool Confidence Level" reads and/or writes the following artifacts. The used artifacts are shown in Fig 33 and are summarized in the subsequent table.
Fig 165 Artifacts of Feature: Compute Tool Confidence Level
Artifacts of Feature: Compute Tool Confidence Level
Inputs:
• User Input
Outputs:
• Display Output
• Excel File
• Word Document
Inputs & Outputs:
• Model
Table 844 Artifacts of Feature: Compute Tool Confidence Level
1.11.2.2 FEATURE COST MODEL
This section describes the feature "Cost Model".
Feature: Cost Model
Description: Feature to model the costs of the process
Table 845 Feature: Cost Model
The feature "Cost Model" reads and/or writes the following artifacts. The used artifacts are shown in Fig 34 and are summarized in the subsequent table.
Fig 166 Artifacts of Feature: Cost Model
Artifacts of Feature: Cost Model
Inputs:
• User Input
Outputs:
• Display Output
Inputs & Outputs:
• Excel File
• Model
Table 846 Artifacts of Feature: Cost Model
1.11.2.3 FEATURE EMF
This section describes the feature "EMF".
Feature: EMF
Description: EMF (Eclipse Modeling Framework) is used for editing and persistence of the models
Table 847 Feature: EMF
The feature "EMF" reads and/or writes the following artifacts. The used artifacts are shown in Feature SG_Avoid Feature and are summarized in the subsequent table.
Fig 167 Artifacts of Feature: EMF
Artifacts of Feature: EMF
Inputs:
• User Input
Outputs:
• Display Output
Inputs & Outputs:
• Model
Table 848 Artifacts of Feature: EMF
1.11.2.4 FEATURE EXCEL INTERFACE
This section describes the feature "Excel Interface".
Feature: Excel Interface
Description: Export and import of different views into Excel (.xls) files. The following views can be exported to and imported from Excel to ease the modeling process:
- tool attributes
- features
- artifacts
- errors
More details can be found in the TCA user manual, which is located in the TCA plugin Documentation, for example: Programme\TCA150\TCA150\plugins\Documentation_1.5.0\UserManual.pdf
Table 849 Feature: Excel Interface
The feature "Excel Interface" reads and/or writes the following artifacts. The used artifacts are shown in Feature Xml Interface and are summarized in the subsequent table.
Fig 168 Artifacts of Feature: Excel Interface
Artifacts of Feature: Excel Interface
Inputs:
• User Input
Inputs & Outputs:
• Excel File
• Model
Table 850 Artifacts of Feature: Excel Interface
1.11.2.5 FEATURE GENERATE WORD (DOCX)
This section describes the feature "Generate Word (docx)".
Feature: Generate Word (docx)
Description: Generates a Word documentation from the model. A Word report is generated from the model that contains the complete information in a readable format. For each tool there is a section with the following information:
- use cases
- features
- errors
- checks
- restrictions
- assumptions
- artifacts
- qualifications
- tool confidence level explanations for all errors in all use cases of the tool.
Furthermore, graphical visualisations of important relations are included.
Table 851 Feature: Generate Word (docx)
The feature "Generate Word (docx)" reads and/or writes the following artifacts. The used artifacts are shown in Fig 36 and are summarized in the subsequent table.
Fig 169 Artifacts of Feature: Generate Word (docx)
Artifacts of Feature: Generate Word (docx)
Inputs:
• Model
• User Input
Outputs:
• Word Document
Table 852 Artifacts of Feature: Generate Word (docx)
1.11.2.6 FEATURE MODEL VALIDATION
This section describes the feature "Model Validation".
Feature: Model Validation
Description: The TCA detects inconsistent models. There are many consistency checks implemented that exceed the syntactic checks. More details can be found in the TCA user manual, which is located in the TCA plugin Documentation, for example: Programme\TCA150\TCA150\plugins\Documentation_1.5.0\UserManual.pdf
Table 853 Feature: Model Validation
The feature "Model Validation" reads and/or writes the following artifacts. The used artifacts are shown in TCL Determination for Use Case: Cost Calculation and are summarized in the subsequent table.
Fig 170 Artifacts of Feature: Model Validation
Artifacts of Feature: Model Validation
Inputs:
• Model
• User Input
Outputs:
• Display Output
Table 854 Artifacts of Feature: Model Validation
1.11.2.7 FEATURE SAFETY GUIDELINES
This section describes the feature "Safety Guidelines".
Feature: Safety Guidelines
Description: Use the safety manual of the TCA, which contains safety checks that should be applied
Table 855 Feature: Safety Guidelines
The feature "Safety Guidelines" has the following 2 sub-features:
• SG_Avoid Feature
• SG_Use Review Checklist
In order to fulfill the requirements of the feature, usually a number of artifacts will be read and/or written. But in "Safety Guidelines" the tool Tool Chain Analyzer uses no artifacts.
1.11.2.8 FEATURE SG_AVOID FEATURE
This section describes the feature "SG_Avoid Feature".
Feature: SG_Avoid Feature
Description: Avoid this feature, since it is redundant.
Is assumption: True
Table 856 Feature: SG_Avoid Feature
The feature "SG_Avoid Feature" is part of the following feature:
• Safety Guidelines
In order to fulfill the requirements of the feature, usually a number of artifacts will be read and/or written. But in "SG_Avoid Feature" the tool Tool Chain Analyzer uses no artifacts.
1.11.2.9 FEATURE SG_USE REVIEW CHECKLIST
This section describes the feature "SG_Use Review Checklist".
Feature: SG_Use Review Checklist
Description: Apply the check of the review checklists
Table 857 Feature: SG_Use Review Checklist
The feature "SG_Use Review Checklist" is part of the following feature:
• Safety Guidelines
In order to fulfill the requirements of the feature, usually a number of artifacts will be read and/or written. But in "SG_Use Review Checklist" the tool Tool Chain Analyzer uses no artifacts.
1.11.2.10 FEATURE XML INTERFACE
This section describes the feature "Xml Interface".
Feature: Xml Interface
Description: The Xml interface supports the export and import of single tool models. For the integration of large models based on single tool models, this feature can be used to develop models in parallel working teams. To ensure the modularity of the exported models, all referenced elements of the tool are also exported, but only with the minimal required information. More details can be found in the TCA user manual, which is located in the TCA plugin Documentation, for example: Programme\TCA150\TCA150\plugins\Documentation_1.5.0\UserManual.pdf
Table 858 Feature: Xml Interface
The feature "Xml Interface" reads and/or writes the following artifacts. The used artifacts are shown in Table 180 and are summarized in the subsequent table.
Fig 171 Artifacts of Feature: Xml Interface
Artifacts of Feature: Xml Interface
Inputs:
• User Input
Inputs & Outputs:
• Model
Table 859 Artifacts of Feature: Xml Interface
1.11.3 POTENTIAL ERRORS IN TOOL CHAIN ANALYZER
The tool has 11 different potential errors in 19 occurrences in use cases.
The error flow, as can be seen in Table 181, consists of all relations from errors to checks or restrictions. There are
• no relation from errors caused by other tools to checks or restrictions defined for use cases of this tool.
• 7 relations from errors caused by this tool to checks or restrictions defined for use cases of this tool.
• 13 relations from errors caused by this tool to checks or restrictions defined for use cases of other tools.
• 5 errors caused by this tool without any relation to checks or restrictions.
Fig 172 Error Flow to and from Tool Chain Analyzer
Tool Chain Analyzer has the following 7 relations, which are detected by checks or restrictions of this tool. The errors are described in detail in the TCL analysis of the corresponding use cases:
• Model Not Adequate (Fig 83)
• Wrong Export
o 2 occurrences: Feature Edit Model, Table 185
• Wrong Import
o 2 occurrences: Fig 85, Table 186
• Wrong XML Export (Table 190)
• Wrong XML Import (Table 191)
Through these 13 relations, Tool Chain Analyzer has an impact on 2 other tools. The errors are listed in Table 182.
Tool | Error | UseCase | Table
ISO 26262 Reviews | Document Generated Wrongly | Generate Tool Classification Report | Fig 37
ISO 26262 Reviews | TCL Wrongly Shown | Determinate Tool Confidence Level | Table 194
ISO 26262 Reviews | TCL Wrongly Written | Determinate Tool Confidence Level | Table 195
ISO 26262 Reviews | Wrong Export | Cost Calculation | Table 185
ISO 26262 Reviews | Wrong Export | Review Model | Feature Edit Model
ISO 26262 Reviews | Wrong Import | Cost Calculation | Table 186
ISO 26262 Reviews | Wrong Import | Review Model | Fig 85
ISO 26262 Reviews | Wrong TCL Computed | Determinate Tool Confidence Level | Table 196
ISO 26262 Reviews | Wrong TCL Computed | Generate Tool Classification Report | Use Case Modelling
ISO 26262 Reviews | Wrong XML Export | Create Model | Table 190
ISO 26262 Reviews | Wrong XML Import | Create Model | Table 191
Process Checker | Process Inconsistently Modelled | Create Model | TCL Determination for Use Case: Generate Tool Classification Report
Process Checker | Process Inconsistently Modelled | Review Model | Fig 84
Table 860 Errors of Tool Chain Analyzer with impact on other tools
The following 5 error occurrences of Tool Chain Analyzer have no relation to any check or restriction:
• Any EMF Error
o 5 occurrences: TCL Determination for Use Case: Review Model, TCL Determination for Use Case: Determinate Tool Confidence Level, Table 198, Table 188, Use Case Modelling Requirements
1.11.4 RESTRICTIONS IN TOOL CHAIN ANALYZER
There are no restrictions in the tool Tool Chain Analyzer.
1.11.5 CHECKS IN TOOL CHAIN ANALYZER
The following check is performed in the tool Tool Chain Analyzer.
Check: Review Checklist
Description: The model review can be performed using review checklists in which the reviewers fill in their names, findings, etc.
Comment: Using this, there is a high probability of finding missing review elements.
From feature: Tool Chain Analyzer, Safety Guidelines, SG_Use Review Checklist
Occurrences:
• in SG_Use Review Checklist in Review Model
Error detection probability: TD 1 (HIGH)
Detected errors:
• Review Model, Model Not Adequate
Table 861 Check: Review Checklist
1.11.6 ASSUMPTIONS
The determination of the TCL of Tool Chain Analyzer is based on the following assumption on the development process:
• Feature: Safety Guidelines, SG_Avoid Feature
1.11.7 TCL DETERMINATION
This section determines a TCL for each use case by assigning checks or restrictions with detection/avoidance probability to each potential error. The TCL for the entire tool can be derived from the TCL for each use case. The tool Tool Chain Analyzer has no use case with TCL 1, no use case with TCL 2 and 5 use cases with TCL 3. Therefore the tool Tool Chain Analyzer has TCL 3. The use cases are described in the following sections:
• For "Cost Calculation" (TCL 3) see Section 0,
• for "Create Model" (TCL 3) see Section 0,
• for "Determinate Tool Confidence Level" (TCL 3) see Section 0,
• for "Generate Tool Classification Report" (TCL 3) see Section 0, and
• for "Review Model" (TCL 3) see Section 0.
1.11.7.1 TCL DETERMINATION FOR USE CASE: COST CALCULATION
The use case "Cost Calculation" has TCL 3. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "Cost Calculation".
Error | TD | Table
Any EMF Error | TD 3 (LOW) | TCL Determination for Use Case: Determinate Tool Confidence Level
Wrong Export | TD 1 (HIGH) | Table 185
Wrong Import | TD 1 (HIGH) | Table 186
Table 862 Errors of Use Case: Cost Calculation
Error: Any EMF Error
Description: Any error that can occur in EMF (uncritical errors may be excluded)
From feature: EMF
Subsumes: • "Algorithm Error" from "Fcn_Algorithm"
• "Defect File" from "Data_File" • "Defect Text" from "Data_File_Text" • "Empty File" from "Data_File" • "Empty Model" from "Data_File_Syntax_Model" • "Empty Text" from "Data_File_Text" • "Line Missing" from "Data_File_Text" • "Model Unreadable" from "Data_File_Syntax_Model" • "No Interaction" from "Data_Interaction" • "Not Accessible File" from "Data_File" • "Not Accessible Model" from "Data_File_Syntax_Model" • "Not Accessible Text" from "Data_File_Text" • "Other File" from "Data_File" • "Other Model" from "Data_File_Syntax_Model" • "Other Partner" from "Data_Interaction" • "Other Text" from "Data_File_Text" • "Too Big File" from "Data_File" • "Too Big Model" from "Data_File_Syntax_Model" • "Too Big Text" from "Data_File_Text" • "Too Early Data" from "Data_Interaction" • "Too Late Data" from "Data_Interaction" • "Transformation Not Supported" from "Fcn_Behaviour_Transformation" • "Wrong Algorithm" from "Fcn_Algorithm" • "Wrong Behaviour" from "Fcn_Behaviour" • "Wrong Interaction" from "Data_Interaction" • "Wrong Model Behaviour" from "Data_File_Syntax_Model" • "Wrong Model Description" from "Data_File_Syntax_Model" • "Wrong Transformation" from "Fcn_Behaviour_Transformation" • "Wrong Variant" from "Fcn_Variants"
Occurrences: • in EMF in Cost Calculation
Error View:
Table 863 Error: Any EMF Error
Error: Wrong Export
Description: The Excel file does not contain the relevant information of the model.
From feature: Excel Interface
Discovered by the following checks: • SG_Confirmation Review Of TCLs.Detect Wrong TCL
Subsumes: • "Decoded Wongly" from "Fcn_Algorithm_DeEncode"
• "Defect File" from "Data_File" • "Empty File" from "Data_File" • "Empty Syntaxfile" from "Data_File_Syntax" • "Empty Table" from "Data_File_Table" • "Encoded Wrongly" from "Fcn_Algorithm_DeEncode" • "Not Accessible File" from "Data_File" • "Not Accessible Syntaxfile" from "Data_File_Syntax" • "Not Accessible Table" from "Data_File_Table" • "Option Defect" from "Fcn_Variants_Options" • "Option Ignored" from "Fcn_Variants_Options" • "Other File" from "Data_File" • "Other Syntaxfile" from "Data_File_Syntax" • "Other Table" from "Data_File_Table" • "Syntax Error" from "Data_File_Syntax" • "Table Column Error" from "Data_File_Table" • "Table Row Error" from "Data_File_Table" • "Too Big File" from "Data_File" • "Too Big Syntaxfile" from "Data_File_Syntax" • "Transformation Not Supported" from "Fcn_Behaviour_Transformation" • "Wrong Behaviour" from "Fcn_Behaviour" • "Wrong Cell Data" from "Data_File_Table"
• "Wrong Semantic" from "Data_File_Syntax" • "Wrong Transformation" from "Fcn_Behaviour_Transformation"
Occurrences: • in Excel Interface in Cost Calculation
Avoided by the following restrictions: • Safety Guidelines,SG_Avoid Feature.Avoid Features
Error View:
Table 864 Error: Wrong Export
Error: Wrong Import
Description: The model is created wrongly.
From feature: Excel Interface
Discovered by the following checks: • SG_Confirmation Review Of TCLs.Detect Wrong TCL
Subsumes: • "Defect File" from "Data_File"
• "Empty File" from "Data_File" • "Empty Model" from "Data_File_Syntax_Model" • "Model Unreadable" from "Data_File_Syntax_Model" • "Not Accessible File" from "Data_File" • "Not Accessible Model" from "Data_File_Syntax_Model" • "Option Defect" from "Fcn_Variants_Options" • "Option Ignored" from "Fcn_Variants_Options" • "Other File" from "Data_File" • "Other Model" from "Data_File_Syntax_Model" • "Too Big File" from "Data_File" • "Too Big Model" from "Data_File_Syntax_Model" • "Wrong Model Behaviour" from "Data_File_Syntax_Model" • "Wrong Model Description" from "Data_File_Syntax_Model"
Occurrences: • in Excel Interface in Cost Calculation
Avoided by the following restrictions: • Safety Guidelines,SG_Avoid Feature.Avoid Features
Error View:
Table 865 Error: Wrong Import
1.11.7.2 TCL DETERMINATION FOR USE CASE: CREATE MODEL
The use case "Create Model" has TCL 3. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "Create Model".
Error | TD | Table
Any EMF Error | TD 3 (LOW) | Table 188
Process Inconsistently Modelled | TD 1 (HIGH) | TCL Determination for Use Case: Generate Tool Classification Report
Wrong XML Export | TD 1 (HIGH) | Table 190
Wrong XML Import | TD 1 (HIGH) | Table 191
Table 866 Errors of Use Case: Create Model
Error: Any EMF Error
Description: Any error that can occur in EMF (uncritical errors may be excluded)
From feature: EMF
Subsumes: • "Algorithm Error" from "Fcn_Algorithm"
• "Defect File" from "Data_File" • "Defect Text" from "Data_File_Text" • "Empty File" from "Data_File" • "Empty Model" from "Data_File_Syntax_Model" • "Empty Text" from "Data_File_Text" • "Line Missing" from "Data_File_Text" • "Model Unreadable" from "Data_File_Syntax_Model" • "No Interaction" from "Data_Interaction" • "Not Accessible File" from "Data_File" • "Not Accessible Model" from "Data_File_Syntax_Model" • "Not Accessible Text" from "Data_File_Text" • "Other File" from "Data_File" • "Other Model" from "Data_File_Syntax_Model" • "Other Partner" from "Data_Interaction" • "Other Text" from "Data_File_Text" • "Too Big File" from "Data_File" • "Too Big Model" from "Data_File_Syntax_Model" • "Too Big Text" from "Data_File_Text" • "Too Early Data" from "Data_Interaction" • "Too Late Data" from "Data_Interaction" • "Transformation Not Supported" from "Fcn_Behaviour_Transformation"
• "Wrong Algorithm" from "Fcn_Algorithm" • "Wrong Behaviour" from "Fcn_Behaviour" • "Wrong Interaction" from "Data_Interaction" • "Wrong Model Behaviour" from "Data_File_Syntax_Model" • "Wrong Model Description" from "Data_File_Syntax_Model" • "Wrong Transformation" from "Fcn_Behaviour_Transformation" • "Wrong Variant" from "Fcn_Variants"
Occurrences: • in EMF in Create Model
Error View:
Table 867 Error: Any EMF Error
Error: Process Inconsistently Modelled
Description: The process might be inconsistent, e.g. a document is neither created nor written.
From feature: Model Validation
Subsumes: • "Algorithm Error" from "Fcn_Algorithm"
• "Defect File" from "Data_File" • "Defect Text" from "Data_File_Text" • "Empty File" from "Data_File" • "Empty Text" from "Data_File_Text" • "Line Missing" from "Data_File_Text" • "No Interaction" from "Data_Interaction" • "Not Accessible File" from "Data_File" • "Not Accessible Text" from "Data_File_Text" • "Other File" from "Data_File" • "Other Partner" from "Data_Interaction" • "Other Text" from "Data_File_Text" • "Too Big File" from "Data_File" • "Too Big Text" from "Data_File_Text"
• "Too Early Data" from "Data_Interaction" • "Too Late Data" from "Data_Interaction" • "Wrong Algorithm" from "Fcn_Algorithm" • "Wrong Behaviour" from "Fcn_Behaviour" • "Wrong Error Reported" from "Model Validation" • "Wrong Interaction" from "Data_Interaction" • "Wrong Specification" from "Fcn_Specification"
Occurrences: • in Model Validation in Create Model
Avoided by the following restrictions: • Validate Process.Consistent Process
Error View:
Table 868 Error: Process Inconsistently Modelled
Error: Wrong XML Export
Description: The XML file does not contain the relevant information of the model.
From feature: Xml Interface
Discovered by the following checks: • SG_Confirmation Review Of TCLs.Detect Wrong TCL
Occurrences: • in Xml Interface in Create Model
Avoided by the following restrictions: • Safety Guidelines,SG_Avoid Feature.Avoid Features
Error View:
Table 869 Error: Wrong XML Export
Error: Wrong XML Import
Description: The model is created wrongly.
From feature: Xml Interface
Discovered by the following checks: • SG_Confirmation Review Of TCLs.Detect Wrong TCL
Subsumes: • "Defect File" from "Data_File"
• "Empty File" from "Data_File" • "Empty Model" from "Data_File_Syntax_Model" • "Model Unreadable" from "Data_File_Syntax_Model" • "Not Accessible File" from "Data_File" • "Not Accessible Model" from "Data_File_Syntax_Model" • "Other File" from "Data_File" • "Other Model" from "Data_File_Syntax_Model" • "Too Big File" from "Data_File" • "Too Big Model" from "Data_File_Syntax_Model" • "Wrong Model Behaviour" from "Data_File_Syntax_Model" • "Wrong Model Description" from "Data_File_Syntax_Model"
Occurrences: • in Xml Interface in Create Model
Avoided by the following restrictions: • Safety Guidelines,SG_Avoid Feature.Avoid Features
Error View:
Table 870 Error: Wrong XML Import
1.11.7.3 TCL DETERMINATION FOR USE CASE: DETERMINATE TOOL CONFIDENCE LEVEL
The use case "Determinate Tool Confidence Level" has TCL 3. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "Determinate Tool Confidence Level".
Error | TD | Table
Any EMF Error | TD 3 (LOW) | TCL Determination for Use Case: Review Model
TCL Wrongly Shown | TD 1 (HIGH) | Table 194
TCL Wrongly Written | TD 1 (HIGH) | Table 195
Wrong TCL Computed | TD 1 (HIGH) | Table 196
Table 871 Errors of Use Case: Determinate Tool Confidence Level
Error: Any EMF Error
Description: Any error that can occur in EMF (uncritical errors may be excluded)
From feature: EMF
Subsumes: • "Algorithm Error" from "Fcn_Algorithm"
• "Defect File" from "Data_File" • "Defect Text" from "Data_File_Text" • "Empty File" from "Data_File" • "Empty Model" from "Data_File_Syntax_Model" • "Empty Text" from "Data_File_Text" • "Line Missing" from "Data_File_Text" • "Model Unreadable" from "Data_File_Syntax_Model" • "No Interaction" from "Data_Interaction" • "Not Accessible File" from "Data_File" • "Not Accessible Model" from "Data_File_Syntax_Model" • "Not Accessible Text" from "Data_File_Text" • "Other File" from "Data_File" • "Other Model" from "Data_File_Syntax_Model" • "Other Partner" from "Data_Interaction" • "Other Text" from "Data_File_Text" • "Too Big File" from "Data_File" • "Too Big Model" from "Data_File_Syntax_Model" • "Too Big Text" from "Data_File_Text" • "Too Early Data" from "Data_Interaction" • "Too Late Data" from "Data_Interaction" • "Transformation Not Supported" from "Fcn_Behaviour_Transformation" • "Wrong Algorithm" from "Fcn_Algorithm"
• "Wrong Behaviour" from "Fcn_Behaviour" • "Wrong Interaction" from "Data_Interaction" • "Wrong Model Behaviour" from "Data_File_Syntax_Model" • "Wrong Model Description" from "Data_File_Syntax_Model" • "Wrong Transformation" from "Fcn_Behaviour_Transformation" • "Wrong Variant" from "Fcn_Variants"
Occurrences: • in EMF in Determinate Tool Confidence Level
Error View:
Table 872 Error: Any EMF Error
Error: TCL Wrongly Shown
Description: TCL is computed correctly but wrongly shown.
From use case: Determinate Tool Confidence Level
Discovered by the following checks: • SG_Confirmation Review Of TCLs.Detect Wrong TCL
Subsumes: • "Defect Text" from "Data_File_Text"
• "Empty Text" from "Data_File_Text" • "Line Missing" from "Data_File_Text" • "No Interaction" from "Data_Interaction" • "Not Accessible Text" from "Data_File_Text" • "Other Partner" from "Data_Interaction" • "Other Text" from "Data_File_Text" • "Too Big Text" from "Data_File_Text" • "Too Early Data" from "Data_Interaction" • "Too Late Data" from "Data_Interaction" • "Wrong Interaction" from "Data_Interaction"
Occurrences: • in Determinate Tool Confidence Level
Error View:
Table 873 Error: TCL Wrongly Shown
Error: TCL Wrongly Written
Description: TCL is computed or written wrongly into a file.
From use case: Determinate Tool Confidence Level
Discovered by the following checks: • SG_Confirmation Review Of TCLs.Detect Wrong TCL
Subsumes: • "Defect File" from "Data_File"
• "Defect Text" from "Data_File_Text" • "Empty File" from "Data_File" • "Empty Model" from "Data_File_Syntax_Model" • "Empty Syntaxfile" from "Data_File_Syntax" • "Empty Table" from "Data_File_Table"
• "Empty Text" from "Data_File_Text" • "Line Missing" from "Data_File_Text" • "Model Unreadable" from "Data_File_Syntax_Model" • "No XML Content" from "Data_File_Syntax_XML" • "Not Accessible File" from "Data_File" • "Not Accessible Model" from "Data_File_Syntax_Model" • "Not Accessible Syntaxfile" from "Data_File_Syntax" • "Not Accessible Table" from "Data_File_Table" • "Not Accessible Text" from "Data_File_Text" • "Not Accessible XML File" from "Data_File_Syntax_XML" • "Other File" from "Data_File" • "Other Model" from "Data_File_Syntax_Model" • "Other Syntaxfile" from "Data_File_Syntax" • "Other Table" from "Data_File_Table" • "Other Text" from "Data_File_Text" • "Other XML File" from "Data_File_Syntax_XML" • "Syntax Error" from "Data_File_Syntax" • "Table Column Error" from "Data_File_Table" • "Table Row Error" from "Data_File_Table" • "Too Big File" from "Data_File" • "Too Big Model" from "Data_File_Syntax_Model" • "Too Big Syntaxfile" from "Data_File_Syntax" • "Too Big Text" from "Data_File_Text" • "Wron XML Composition" from "Data_File_Syntax_XML" • "Wrong Cell Data" from "Data_File_Table" • "Wrong Model Behaviour" from "Data_File_Syntax_Model" • "Wrong Model Description" from "Data_File_Syntax_Model" • "Wrong Semantic" from "Data_File_Syntax" • "XML Attribute Error" from "Data_File_Syntax_XML" • "XML Link Error" from "Data_File_Syntax_XML" • "XML Schema Violation" from "Data_File_Syntax_XML"
Occurrences: • in Determinate Tool Confidence Level
Error View:
Table 874 Error: TCL Wrongly Written
Error: Wrong TCL Computed
Description: The TCL is computed wrongly, e.g. TCL 1 instead of TCL >1.
From feature: Compute Tool Confidence Level
Discovered by the following checks: • SG_Confirmation Review Of TCLs.Detect Wrong TCL
Subsumes: • "Algorithm Error" from "Fcn_Algorithm"
• "Defect File" from "Data_File" • "Defect Text" from "Data_File_Text" • "Empty File" from "Data_File" • "Empty Model" from "Data_File_Syntax_Model" • "Empty Syntaxfile" from "Data_File_Syntax" • "Empty Table" from "Data_File_Table"
• "Empty Text" from "Data_File_Text" • "Line Missing" from "Data_File_Text" • "Model Unreadable" from "Data_File_Syntax_Model" • "No Interaction" from "Data_Interaction" • "Not Accessible File" from "Data_File" • "Not Accessible Model" from "Data_File_Syntax_Model" • "Not Accessible Syntaxfile" from "Data_File_Syntax" • "Not Accessible Table" from "Data_File_Table" • "Not Accessible Text" from "Data_File_Text" • "Other File" from "Data_File" • "Other Model" from "Data_File_Syntax_Model" • "Other Partner" from "Data_Interaction" • "Other Syntaxfile" from "Data_File_Syntax" • "Other Table" from "Data_File_Table" • "Other Text" from "Data_File_Text" • "Syntax Error" from "Data_File_Syntax" • "Table Column Error" from "Data_File_Table" • "Table Row Error" from "Data_File_Table" • "Too Big File" from "Data_File" • "Too Big Model" from "Data_File_Syntax_Model" • "Too Big Syntaxfile" from "Data_File_Syntax" • "Too Big Text" from "Data_File_Text" • "Too Early Data" from "Data_Interaction" • "Too Late Data" from "Data_Interaction" • "Wrong Algorithm" from "Fcn_Algorithm" • "Wrong Cell Data" from "Data_File_Table" • "Wrong Interaction" from "Data_Interaction" • "Wrong Model Behaviour" from "Data_File_Syntax_Model" • "Wrong Model Description" from "Data_File_Syntax_Model" • "Wrong Result" from "Fcn_Behaviour_Calculator" • "Wrong Semantic" from "Data_File_Syntax" • "Wrong Specification" from "Fcn_Specification" • "Wrong Variant" from "Fcn_Variants"
Occurrences: • in Compute Tool Confidence Level in Determinate Tool Confidence Level
Error View:
Table 875 Error: Wrong TCL Computed
1.11.7.4 TCL DETERMINATION FOR USE CASE: GENERATE TOOL CLASSIFICATION REPORT
The use case "Generate Tool Classification Report" has TCL 3. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "Generate Tool Classification Report".
Error | TD | Table
Any EMF Error | TD 3 (LOW) | Table 198
Document Generated Wrongly | TD 1 (HIGH) | Fig 37
Wrong TCL Computed | TD 1 (HIGH) | Use Case Modelling
Table 876 Errors of Use Case: Generate Tool Classification Report
Error: Any EMF Error
Description: Any error that can occur in EMF (uncritical errors may be excluded)
From feature: EMF
Subsumes: • "Algorithm Error" from "Fcn_Algorithm"
• "Defect File" from "Data_File" • "Defect Text" from "Data_File_Text" • "Empty File" from "Data_File" • "Empty Model" from "Data_File_Syntax_Model" • "Empty Text" from "Data_File_Text" • "Line Missing" from "Data_File_Text" • "Model Unreadable" from "Data_File_Syntax_Model" • "No Interaction" from "Data_Interaction" • "Not Accessible File" from "Data_File" • "Not Accessible Model" from "Data_File_Syntax_Model" • "Not Accessible Text" from "Data_File_Text" • "Other File" from "Data_File" • "Other Model" from "Data_File_Syntax_Model" • "Other Partner" from "Data_Interaction" • "Other Text" from "Data_File_Text" • "Too Big File" from "Data_File" • "Too Big Model" from "Data_File_Syntax_Model" • "Too Big Text" from "Data_File_Text" • "Too Early Data" from "Data_Interaction" • "Too Late Data" from "Data_Interaction" • "Transformation Not Supported" from "Fcn_Behaviour_Transformation" • "Wrong Algorithm" from "Fcn_Algorithm" • "Wrong Behaviour" from "Fcn_Behaviour" • "Wrong Interaction" from "Data_Interaction" • "Wrong Model Behaviour" from "Data_File_Syntax_Model" • "Wrong Model Description" from "Data_File_Syntax_Model" • "Wrong Transformation" from "Fcn_Behaviour_Transformation" • "Wrong Variant" from "Fcn_Variants"
Occurrences: • in EMF in Generate Tool Classification Report
Error View:
Table 877 Error: Any EMF Error
Error: Document Generated Wrongly
Description: Document does not fit to the model.
From feature: Generate Word (docx)
Discovered by the following checks: • SG_Confirmation Review Of TCLs.Detect Wrong TCL
Subsumes: • "Defect File" from "Data_File"
• "Defect Text" from "Data_File_Text" • "Empty File" from "Data_File" • "Empty Syntaxfile" from "Data_File_Syntax" • "Empty Text" from "Data_File_Text" • "Line Missing" from "Data_File_Text" • "Missing CPU" from "Fcn_Resource_CPU" • "Not Accessible File" from "Data_File" • "Not Accessible Syntaxfile" from "Data_File_Syntax" • "Not Accessible Text" from "Data_File_Text" • "Other File" from "Data_File" • "Other Syntaxfile" from "Data_File_Syntax" • "Other Text" from "Data_File_Text" • "Syntax Error" from "Data_File_Syntax" • "Too Big File" from "Data_File" • "Too Big Syntaxfile" from "Data_File_Syntax" • "Too Big Text" from "Data_File_Text" • "Transformation Not Supported" from "Fcn_Behaviour_Transformation" • "Wrong Semantic" from "Data_File_Syntax" • "Wrong Specification" from "Fcn_Specification" • "Wrong Transformation" from "Fcn_Behaviour_Transformation" • "Wrong Variant" from "Fcn_Variants"
Occurrences: • in Generate Word (docx) in Generate Tool Classification Report
Error View:
Table 878 Error: Document Generated Wrongly
Error: Wrong TCL Computed
Description: The TCL is computed wrongly, e.g. TCL 1 instead of TCL >1.
From feature: Compute Tool Confidence Level
Discovered by the following checks: • SG_Confirmation Review Of TCLs.Detect Wrong TCL
Subsumes: • "Algorithm Error" from "Fcn_Algorithm"
• "Defect File" from "Data_File" • "Defect Text" from "Data_File_Text" • "Empty File" from "Data_File" • "Empty Model" from "Data_File_Syntax_Model" • "Empty Syntaxfile" from "Data_File_Syntax" • "Empty Table" from "Data_File_Table" • "Empty Text" from "Data_File_Text" • "Line Missing" from "Data_File_Text" • "Model Unreadable" from "Data_File_Syntax_Model" • "No Interaction" from "Data_Interaction" • "Not Accessible File" from "Data_File" • "Not Accessible Model" from "Data_File_Syntax_Model" • "Not Accessible Syntaxfile" from "Data_File_Syntax" • "Not Accessible Table" from "Data_File_Table" • "Not Accessible Text" from "Data_File_Text" • "Other File" from "Data_File" • "Other Model" from "Data_File_Syntax_Model" • "Other Partner" from "Data_Interaction" • "Other Syntaxfile" from "Data_File_Syntax" • "Other Table" from "Data_File_Table" • "Other Text" from "Data_File_Text" • "Syntax Error" from "Data_File_Syntax" • "Table Column Error" from "Data_File_Table" • "Table Row Error" from "Data_File_Table" • "Too Big File" from "Data_File" • "Too Big Model" from "Data_File_Syntax_Model" • "Too Big Syntaxfile" from "Data_File_Syntax" • "Too Big Text" from "Data_File_Text" • "Too Early Data" from "Data_Interaction" • "Too Late Data" from "Data_Interaction" • "Wrong Algorithm" from "Fcn_Algorithm" • "Wrong Cell Data" from "Data_File_Table" • "Wrong Interaction" from "Data_Interaction" • "Wrong Model Behaviour" from "Data_File_Syntax_Model" • "Wrong Model Description" from "Data_File_Syntax_Model" • "Wrong Result" from "Fcn_Behaviour_Calculator" • "Wrong Semantic" from "Data_File_Syntax" • "Wrong Specification" from "Fcn_Specification" • "Wrong Variant" from "Fcn_Variants"
Occurrences: • in Compute Tool Confidence Level in Generate Tool Classification Report
Error View:
Table 879 Error: Wrong TCL Computed
1.11.7.5 TCL DETERMINATION FOR USE CASE: REVIEW MODEL
The use case "Review Model" has TCL 3. The TCL is determined by the lowest Tool Detection Level (TD) of all errors of the use case. The following table gives an overview of the errors of "Review Model".
Error | TD | Table
Any EMF Error | TD 3 (LOW) | Use Case Modelling Requirements
Model Not Adequate | TD 1 (HIGH) | Fig 83
Process Inconsistently Modelled | TD 1 (HIGH) | Fig 84
Wrong Export | TD 1 (HIGH) | Feature Edit Model
Wrong Import | TD 1 (HIGH) | Fig 85
Table 880 Errors of Use Case: Review Model
Error: Any EMF Error
Description: Any error that can occur in EMF (uncritical errors may be excluded)
From feature: EMF
Subsumes: • "Algorithm Error" from "Fcn_Algorithm"
• "Defect File" from "Data_File" • "Defect Text" from "Data_File_Text" • "Empty File" from "Data_File" • "Empty Model" from "Data_File_Syntax_Model" • "Empty Text" from "Data_File_Text" • "Line Missing" from "Data_File_Text" • "Model Unreadable" from "Data_File_Syntax_Model" • "No Interaction" from "Data_Interaction" • "Not Accessible File" from "Data_File" • "Not Accessible Model" from "Data_File_Syntax_Model" • "Not Accessible Text" from "Data_File_Text" • "Other File" from "Data_File" • "Other Model" from "Data_File_Syntax_Model" • "Other Partner" from "Data_Interaction" • "Other Text" from "Data_File_Text" • "Too Big File" from "Data_File" • "Too Big Model" from "Data_File_Syntax_Model" • "Too Big Text" from "Data_File_Text" • "Too Early Data" from "Data_Interaction" • "Too Late Data" from "Data_Interaction" • "Transformation Not Supported" from "Fcn_Behaviour_Transformation" • "Wrong Algorithm" from "Fcn_Algorithm" • "Wrong Behaviour" from "Fcn_Behaviour" • "Wrong Interaction" from "Data_Interaction" • "Wrong Model Behaviour" from "Data_File_Syntax_Model" • "Wrong Model Description" from "Data_File_Syntax_Model" • "Wrong Transformation" from "Fcn_Behaviour_Transformation" • "Wrong Variant" from "Fcn_Variants"
Occurrences: • in EMF in Review Model
Error View:
Table 881 Error: Any EMF Error
Error: Model Not Adequate
Description: An important issue has not been reviewed correctly, i.e. a finding has been overlooked and the model is not adequate.
From use case: Review Model
Discovered by the following checks: • Safety Guidelines,SG_Use Review Checklist.Review Checklist
Subsumes: • "Defect File" from "Data_File"
• "Defect Text" from "Data_File_Text" • "Empty File" from "Data_File" • "Empty Model" from "Data_File_Syntax_Model" • "Empty Syntaxfile" from "Data_File_Syntax" • "Empty Table" from "Data_File_Table" • "Empty Text" from "Data_File_Text" • "Line Missing" from "Data_File_Text" • "Model Unreadable" from "Data_File_Syntax_Model" • "No Interaction" from "Data_Interaction" • "Not Accessible File" from "Data_File" • "Not Accessible Model" from "Data_File_Syntax_Model" • "Not Accessible Syntaxfile" from "Data_File_Syntax" • "Not Accessible Table" from "Data_File_Table" • "Not Accessible Text" from "Data_File_Text" • "Other File" from "Data_File" • "Other Model" from "Data_File_Syntax_Model" • "Other Partner" from "Data_Interaction" • "Other Syntaxfile" from "Data_File_Syntax" • "Other Table" from "Data_File_Table" • "Other Text" from "Data_File_Text"
• "Syntax Error" from "Data_File_Syntax" • "Table Column Error" from "Data_File_Table" • "Table Row Error" from "Data_File_Table" • "Too Big File" from "Data_File" • "Too Big Model" from "Data_File_Syntax_Model" • "Too Big Syntaxfile" from "Data_File_Syntax" • "Too Big Text" from "Data_File_Text" • "Too Early Data" from "Data_Interaction" • "Too Late Data" from "Data_Interaction" • "Wrong Cell Data" from "Data_File_Table" • "Wrong Interaction" from "Data_Interaction" • "Wrong Model Behaviour" from "Data_File_Syntax_Model" • "Wrong Model Description" from "Data_File_Syntax_Model" • "Wrong Semantic" from "Data_File_Syntax"
Occurrences: • in Review Model
Error View:
Table 882 Error: Model Not Adequate
Error: Process Inconsistently Modelled
Description: The process might be inconsistent, e.g. a document is neither created nor written.
From feature: Model Validation
Subsumes: • "Algorithm Error" from "Fcn_Algorithm"
• "Defect File" from "Data_File" • "Defect Text" from "Data_File_Text" • "Empty File" from "Data_File" • "Empty Text" from "Data_File_Text" • "Line Missing" from "Data_File_Text" • "No Interaction" from "Data_Interaction" • "Not Accessible File" from "Data_File"
• "Not Accessible Text" from "Data_File_Text" • "Other File" from "Data_File" • "Other Partner" from "Data_Interaction" • "Other Text" from "Data_File_Text" • "Too Big File" from "Data_File" • "Too Big Text" from "Data_File_Text" • "Too Early Data" from "Data_Interaction" • "Too Late Data" from "Data_Interaction" • "Wrong Algorithm" from "Fcn_Algorithm" • "Wrong Behaviour" from "Fcn_Behaviour" • "Wrong Error Reported" from "Model Validation" • "Wrong Interaction" from "Data_Interaction" • "Wrong Specification" from "Fcn_Specification"
Occurrences: • in Model Validation in Review Model
Avoided by the following restrictions: • Validate Process.Consistent Process
Error View:
Table 883 Error: Process Inconsistently Modelled
Error: Wrong Export
Description: The Excel file does not contain the relevant information of the model.
From feature: Excel Interface
Discovered by the following checks: • SG_Confirmation Review Of TCLs.Detect Wrong TCL
Subsumes: • "Decoded Wongly" from "Fcn_Algorithm_DeEncode"
• "Defect File" from "Data_File" • "Empty File" from "Data_File" • "Empty Syntaxfile" from "Data_File_Syntax" • "Empty Table" from "Data_File_Table" • "Encoded Wrongly" from "Fcn_Algorithm_DeEncode" • "Not Accessible File" from "Data_File"
• "Not Accessible Syntaxfile" from "Data_File_Syntax" • "Not Accessible Table" from "Data_File_Table" • "Option Defect" from "Fcn_Variants_Options" • "Option Ignored" from "Fcn_Variants_Options" • "Other File" from "Data_File" • "Other Syntaxfile" from "Data_File_Syntax" • "Other Table" from "Data_File_Table" • "Syntax Error" from "Data_File_Syntax" • "Table Column Error" from "Data_File_Table" • "Table Row Error" from "Data_File_Table" • "Too Big File" from "Data_File" • "Too Big Syntaxfile" from "Data_File_Syntax" • "Transformation Not Supported" from "Fcn_Behaviour_Transformation" • "Wrong Behaviour" from "Fcn_Behaviour" • "Wrong Cell Data" from "Data_File_Table" • "Wrong Semantic" from "Data_File_Syntax" • "Wrong Transformation" from "Fcn_Behaviour_Transformation"
Occurrences: • in Excel Interface in Review Model Avoided by the following restrictions: • Safety Guidelines,SG_Avoid Feature.Avoid Features Error View:
Table 884 Error: Wrong Export
Error: Wrong Import Description: The model is created wrongly. From feature: Excel Interface Discovered by the following checks: • SG_Confirmation Review Of TCLs.Detect Wrong TCL Subsumes: • "Defect File" from "Data_File"
• "Empty File" from "Data_File" • "Empty Model" from "Data_File_Syntax_Model" • "Model Unreadable" from "Data_File_Syntax_Model" • "Not Accessible File" from "Data_File" • "Not Accessible Model" from "Data_File_Syntax_Model" • "Option Defect" from "Fcn_Variants_Options" • "Option Ignored" from "Fcn_Variants_Options" • "Other File" from "Data_File" • "Other Model" from "Data_File_Syntax_Model" • "Too Big File" from "Data_File" • "Too Big Model" from "Data_File_Syntax_Model" • "Wrong Model Behaviour" from "Data_File_Syntax_Model" • "Wrong Model Description" from "Data_File_Syntax_Model"
Occurrences: • in Excel Interface in Review Model Avoided by the following restrictions: • Safety Guidelines,SG_Avoid Feature.Avoid Features Error View:
Table 885 Error: Wrong Import
1.12 YICES SMT SOLVER
This section explains the determination of the Tool Confidence Level (TCL) for the tool YICES SMT Solver. Tool: YICES SMT Solver Description: -None- Impact: TI 2 (Impact) Tool Confidence Level: TCL 1
Table 886 Tool: YICES SMT Solver
The tool YICES SMT Solver is modeled with no element which has impact. No additional features have been modeled.
Elements Amount (Assumptions) Use Cases 0 (0) Checks 0 (0) Restrictions 0 (0) Potential Errors 0 (0)
Table 887 Amount of Elements in Tool: YICES SMT Solver
1.12.1 USE CASES OF YICES SMT SOLVER
There are no use cases modeled for YICES SMT Solver.
1.12.2 FEATURES OF YICES SMT SOLVER
There are no features modeled for YICES SMT Solver.
1.12.3 POTENTIAL ERRORS IN YICES SMT SOLVER
The tool has no potential error. The error flow consists of all relations from errors to checks or restrictions. There are
• no relation from errors caused by other tools to checks or restrictions defined for use cases of this tool.
• no relation from errors caused by this tool to checks or restrictions defined for use cases of this tool.
• no relation from errors caused by this tool to checks or restrictions defined for use cases of other tools.
1.12.4 RESTRICTIONS IN YICES SMT SOLVER
There are no restrictions in the tool YICES SMT Solver.
1.12.5 CHECKS IN YICES SMT SOLVER
No checks are performed in the tool YICES SMT Solver.
1.12.6 ASSUMPTIONS
The determination of the TCL of YICES SMT Solver is not based on assumed checks and restrictions. None of the checks and restrictions are modeled as assumptions.
1.12.7 TCL DETERMINATION
This section determines a TCL for each use case by assigning checks or restrictions with detection/avoidance probability to each potential error. The TCL for the entire tool can be derived from the TCL for each use case. The tool YICES SMT Solver has no use case with TCL 1, no use case with TCL 2 and no use case with TCL 3. Therefore the tool YICES SMT Solver has TCL 1. There are no use cases modeled for the tool YICES SMT Solver.
1.13 ADDITIONAL INFORMATION
This section contains additional information from the formal model of the tool chain. Additional information is not required by ISO 26262 for the determination of the TCL, but it eases the modeling process and the understanding of the error flow.
1.13.1 ARTIFACTS
The analysis incorporates artifacts for the validation of the model. If an error is checked by another tool, then there should be an information flow between them. Artifacts can be used to model this flow, and our analysis checks whether there is an information flow between error sources and error sinks. Table 498 shows the whole artifact flow in "RECOMP Tool Chain".
Fig 173 Artifact Flow in RECOMP Tool Chain
The tool chain "RECOMP Tool Chain" uses 64 artifacts, which are described hereafter. Artifact: AF3 System Model Description: The integrated data model of AF3
Hierarchy figure:
Hierarchy : • Detailed System Architecture [Parent]
• Preliminary System Architecture [Parent] • Requirement Specification [Parent] • Schedule [Parent] • Software Unit Design Specification [Parent] • Spatial Constraints [Parent] • Test Cases [Parent] • Test Specification [Parent] • Timing Parameters [Parent]
Used by feature: • AF3,Simulating a Logical Architecture
• AF3,Specifying Code-Baed Behavior of a Logical Architecture • AF3,Specifying Contracts on Logical Components • AF3,Specifying MSC Requirements • AF3,Specifying SIL Requirements • AF3,Specifying State-Based Behavior of a Logical Architecture • AF3,Specifying Technical Architecture • AF3,Synthesizing Deployment • AF3,Synthesizing Real-Time Schedule • AF3,Synthesizing SIL-Conformant Mapping • AF3,Synthesizing Test Cases • AF3,Verifing Contracts of a Logical Architecture • AF3,Verifying MSC Conformance • AF3,Verifying Soundness of a Logical Architecture
Created by feature:
• AF3,Specfying Test Suite • AF3,Specifying Code-Baed Behavior of a Logical Architecture • AF3,Specifying Contracts on Logical Components • AF3,Specifying MSC Requirements • AF3,Specifying SIL Requirements • AF3,Specifying State-Based Behavior of a Logical Architecture • AF3,Specifying Structure of a Logical Architecture • AF3,Specifying Technical Architecture • AF3,Specifying Textual Requirements • AF3,Synthesizing Real-Time Schedule • AF3,Synthesizing SIL-Conformant Mapping
Created by tool: • AF3 Is a: Detailed System Architecture
Table 888 Artifact: AF3 System Model
Artifact: Application task graph Description: The task graph for each application
Table 889 Artifact: Application task graph
Artifact: Argumentation Description: The user writes arguments as input to the tool
Table 890 Artifact: Argumentation
Artifact: Binary executable Description: Target binary executable Hierarchy figure:
Hierarchy : • Evidence [Parent] Used by feature: • PharOS runtime generation,Link with PharOS micro-kernel Used by use case: • PharOS micro kernel,target execution Used by tool: • PharOS micro kernel Created by feature: • PharOS runtime generation,Link with PharOS micro-kernel
• PharOS runtime generation,MPU table genration Created by tool:
• PharOS runtime generation Is a: Evidence
Table 891 Artifact: Binary executable
Artifact: C/C++ Source Code Description: C or C++ Hierarchy figure:
Hierarchy : • Source Code [Parent] Used by feature: • PharOS runtime generation,MPU table genration Used by use case: • PharOS runtime generation,Psycc Used by tool: • PharOS runtime generation Created by use case: • Development,Create Code
• PharOS offline computation,Psy1 Is a: Source Code
Table 892 Artifact: C/C++ Source Code
Artifact: Cache-Related Preemption Cost Function Description: For any duration t, the function gives the maximum delay that the given task can incur when preempted for the first time after t time units. A function CRPD(t) which returns, for any duration t > 0, the maximum delay that the given application can incur if it gets preempted after running non-preemptively for t time units after the beginning of its execution.
Table 893 Artifact: Cache-Related Preemption Cost Function
Artifact: Contract Description: -None-
Table 894 Artifact: Contract
Artifact: contract Description: -None-
Table 895 Artifact: contract
Artifact: Deployment Description: generated deployment Created by feature: • AF3,Synthesizing Deployment
Table 896 Artifact: Deployment
Artifact: Detailed System Architecture Description: Contain all the parameters and specifications of the platform Hierarchy figure:
Hierarchy : • AF3 System Model [Child]
• Evidence [Parent] Created by feature: • AF3,Specifying Technical Architecture Is a: Evidence Occurrences: • AF3 System Model
Table 897 Artifact: Detailed System Architecture
Artifact: Display Output Description: The tool displays some information to the user Created by feature: • AF3,Simulating a Logical Architecture
• Tool Chain Analyzer,Compute Tool Confidence Level • Tool Chain Analyzer,Cost Model • Tool Chain Analyzer,EMF • Tool Chain Analyzer,Model Validation
Table 898 Artifact: Display Output
Artifact: Evidence Description: Anything that can be considered as a certification evidence Hierarchy figure:
Hierarchy : • Binary executable [Child]
• Detailed System Architecture [Child] • Excel File [Child] • FHA [Child] • FMEA [Child] • FTA [Child] • Failure rate catalog [Child] • Functionalities [Child] • Malfunctions [Child] • Metrics [Child] • Overall Project Plan [Child] • Preliminary System Architecture [Child] • Report on Maximum CRPDs [Child] • Report on Schedulability (1 mode) [Child] • Report on Schedulability (all) [Child] • Review Protocol [Child] • SLDV verification report [Child] • Safety Goals List [Child] • Safety Manual [Child] • Safety Plan [Child] • Safety Requirements [Child] • Software Unit Design Specification [Child] • Source Code [Child] • TBT Data Model [Child] • TCA-Model [Child] • Test Cases [Child] • Test Specification [Child] • Tool Evaluation Report [Child] • WCET [Child] • WCRT [Child] • Word Document [Child]
Occurrences: • Binary executable
• Detailed System Architecture • Excel File • FHA • FMEA • FTA • Failure rate catalog • Functionalities • Malfunctions • Metrics • Overall Project Plan • Preliminary System Architecture • Report on Maximum CRPDs • Report on Schedulability (1 mode)
• Report on Schedulability (all) • Review Protocol • SLDV verification report • Safety Goals List • Safety Manual • Safety Plan • Safety Requirements • Software Unit Design Specification • Source Code • TBT Data Model • TCA-Model • Test Cases • Test Specification • Tool Evaluation Report • WCET • WCRT • Word Document
Table 899 Artifact: Evidence
Artifact: Excel File Description: The files that can be read/written from the Excel tool Hierarchy figure:
Hierarchy : • Evidence [Parent] Created by feature: • Tool Chain Analyzer,Compute Tool Confidence Level Modified by feature: • Tool Chain Analyzer,Cost Model
• Tool Chain Analyzer,Excel Interface Is a: Evidence
Table 900 Artifact: Excel File
Artifact: Execution Graph Description: -None- Used by tool: • PharOS micro kernel Created by feature: • PharOS offline computation,Execution graph extraction Created by use case: • PharOS offline computation,Psy1
Table 901 Artifact: Execution Graph
Artifact: Failure rate catalog Description: Failure rate catalog Hierarchy figure:
Hierarchy : • Evidence [Parent] Is a: Evidence
Table 902 Artifact: Failure rate catalog
Artifact: FHA Description: FHA Hierarchy figure:
Hierarchy : • Evidence [Parent] Is a: Evidence
Table 903 Artifact: FHA
Artifact: FMEA Description: FMEA Hierarchy figure:
Hierarchy : • Evidence [Parent] Is a: Evidence
Table 904 Artifact: FMEA
Artifact: FTA Description: FTA Hierarchy figure:
Hierarchy : • Evidence [Parent] Is a: Evidence
Table 905 Artifact: FTA
Artifact: Functionalities Description: Functionalities Hierarchy figure:
Hierarchy : • Evidence [Parent] Is a: Evidence
Table 906 Artifact: Functionalities
Artifact: Malfunctions Description: Malfunctions Hierarchy figure:
Hierarchy : • Evidence [Parent] Is a: Evidence
Table 907 Artifact: Malfunctions
Artifact: Mapping of tasks to processing elements Description: The mapping of tasks to processing elements
Table 908 Artifact: Mapping of tasks to processing elements
Artifact: Metrics Description: The metric information that describes how far a test covers its requirements. Hierarchy figure:
Hierarchy : • Evidence [Parent] Is a: Evidence
Table 909 Artifact: Metrics
Artifact: Model Description: The tool chain model Used by feature: • Tool Chain Analyzer,Generate Word (docx)
• Tool Chain Analyzer,Model Validation Modified by feature: • Tool Chain Analyzer,Compute Tool Confidence Level
• Tool Chain Analyzer,Cost Model • Tool Chain Analyzer,EMF • Tool Chain Analyzer,Excel Interface • Tool Chain Analyzer,Xml Interface
Table 910 Artifact: Model
Artifact: No-Conformity metrics Description: List of all non-conformities of a project for a standard; specifies the number of steps to be conformant to the standard
Table 911 Artifact: No-Conformity metrics
Artifact: Overall Project Plan Description: see sections 2.6.5.2, 4.5.5.1 Hierarchy figure:
Hierarchy : • Evidence [Parent] Used by use case: • Tool Chain Analyzer,Create Model
• Tool Chain Analyzer,Determinate Tool Confidence Level • Tool Chain Analyzer,Generate Tool Classification Report • Tool Chain Analyzer,Review Model
Modified by use case: • Process Checker,Validate Process Is a:
Evidence
Table 912 Artifact: Overall Project Plan
Artifact: Partition Static Schedule Description: The partitions static schedule, for each processing element
Table 913 Artifact: Partition Static Schedule
Artifact: Per Core Request Estimator Function Description: For any duration t, the function gives the maximum number of requests that can be issued from the given core in a time interval of length t. A function PCRE(t) which returns, for any duration t > 0, the maximum number of requests that can be issued from the given core within t time units
Table 914 Artifact: Per Core Request Estimator Function
Artifact: Preliminary System Architecture Description: Malfunctions Hierarchy figure:
Hierarchy : • AF3 System Model [Child]
• Evidence [Parent] Is a: Evidence Occurrences: • AF3 System Model
Table 915 Artifact: Preliminary System Architecture
Artifact: ProjectModel Description: Certification objectives that apply to the project and evidences and justification that support it
Table 916 Artifact: ProjectModel
Artifact: ReferenceModel Description: Standards, normatives... model
Table 917 Artifact: ReferenceModel
Artifact: Report on Maximum CRPDs Description: Report on the maximum Cache-Related Preemption Delay (CRPD) that tasks can incur
Hierarchy figure:
Hierarchy : • Evidence [Parent] Is a: Evidence
Table 918 Artifact: Report on Maximum CRPDs
Artifact: Report on Schedulability (1 mode) Description: Attest the schedulability of a single mode of the application system Hierarchy figure:
Hierarchy : • Evidence [Parent] Is a: Evidence
Table 919 Artifact: Report on Schedulability (1 mode)
Artifact: Report on Schedulability (all) Description: Attest the schedulability of the application system Hierarchy figure:
Hierarchy : • Evidence [Parent] Is a: Evidence
Table 920 Artifact: Report on Schedulability (all)
Artifact: Requirement Specification Description: -None- Hierarchy figure:
Hierarchy : • AF3 System Model [Child] Used by feature:
• AF3,Specifying MSC Requirements • AF3,Specifying Textual Requirements
Occurrences: • AF3 System Model
Table 921 Artifact: Requirement Specification
Artifact: Review Protocol Description: The protocol of the review Hierarchy figure:
Hierarchy : • Evidence [Parent] Created by use case: • ISO 26262 Reviews,SG_Confirmation Review Of TCLs
• Tool Chain Analyzer,Review Model Is a: Evidence
Table 922 Artifact: Review Protocol
Artifact: Safety Case Description: Graphical (GSN notation) safety case
Table 923 Artifact: Safety Case
Artifact: Safety Goals List Description: Safety Goals List Hierarchy figure:
Hierarchy : • Evidence [Parent] Is a: Evidence
Table 924 Artifact: Safety Goals List
Artifact: Safety Manual Description: The safety manual of the tool contains the relevant information to work safely with the tool Hierarchy figure:
Hierarchy : • Evidence [Parent] Created by use case: • Tool Chain Analyzer,Determinate Tool Confidence Level Modified by use case: • Tool Chain Analyzer,Generate Tool Classification Report
• Tool Chain Analyzer,Review Model Is a: Evidence
Table 925 Artifact: Safety Manual
Artifact: Safety Plan Description: see sections 2.6.5.1, 4.5.5.2, 6.5.5.1, 6.7.5.2 Hierarchy figure:
Hierarchy : • Evidence [Parent] Used by use case: • Tool Chain Analyzer,Create Model
• Tool Chain Analyzer,Determinate Tool Confidence Level • Tool Chain Analyzer,Review Model
Modified by use case: • Process Checker,Validate Process Is a: Evidence
Table 926 Artifact: Safety Plan
Artifact: Safety Requirements Description: System Requirements Specification related to safety Hierarchy figure:
Hierarchy : • Evidence [Parent] Used by feature: • AF3,Specifying SIL Requirements Is a: Evidence
Table 927 Artifact: Safety Requirements
Artifact: Schedule Description: (Optimized Shared Memory Access) Hierarchy figure:
Hierarchy : • AF3 System Model [Child] Occurrences: • AF3 System Model
Table 928 Artifact: Schedule
Artifact: Simulink Model Description: Simulink Model Hierarchy figure:
Hierarchy : • Software Unit Design Specification [Parent] Used by tool: • Simulink Design Verifier Modified by use case: • Simulink Design Verifier,Verify Is a: Software Unit Design Specification
Table 929 Artifact: Simulink Model
Artifact: Simulink model Description: -None-
Table 930 Artifact: Simulink model
Artifact: SLDV verification report Description: -None- Hierarchy figure:
Hierarchy : • Evidence [Parent] Created by use case:
• Simulink Design Verifier,Verify Created by tool: • Simulink Design Verifier Is a: Evidence
Table 931 Artifact: SLDV verification report
Artifact: Software Unit Design Specification Description: see section 6.8.5.1 Hierarchy figure:
Hierarchy : • AF3 System Model [Child]
• Evidence [Parent] • Simulink Model [Child]
Is a: Evidence Occurrences: • AF3 System Model
• Simulink Model
Table 932 Artifact: Software Unit Design Specification
Artifact: Source Code Description: Different programming languages Hierarchy figure:
Hierarchy : • C/C++ Source Code [Child]
• Evidence [Parent] • Timing Parameters [Child]
Created by feature: • AF3,Synthesizing Deployment Is a: Evidence Occurrences:
• C/C++ Source Code • Timing Parameters
Table 933 Artifact: Source Code
Artifact: Spatial Constraints Description: -None- Hierarchy figure:
Hierarchy : • AF3 System Model [Child] Used by feature: • AF3,Specifying Technical Architecture Used by tool: • PharOS micro kernel Created by feature: • AF3,Specifying Technical Architecture
• PharOS offline computation,Spatial constraints Occurrences: • AF3 System Model
Table 934 Artifact: Spatial Constraints
Artifact: StandardsRegulation Description: Standards, Normatives,... documentation
Table 935 Artifact: StandardsRegulation
Artifact: System Models (Event-B) Description: Models specifying / expressing (with events and invariants) the system requirements
Table 936 Artifact: System Models (Event-B)
Artifact: TBT Data Model Description: The model describing the data element in the model and the system Hierarchy figure:
Hierarchy : • Evidence [Parent] Is a: Evidence
Table 937 Artifact: TBT Data Model
Artifact: TBT Oracle Model Description: The model describing the behaviour of the system
Table 938 Artifact: TBT Oracle Model
Artifact: TBT Tactic Description: A formalized strategy describing the search in the model to derive test cases
Table 939 Artifact: TBT Tactic
Artifact: TCA-Model Description: The tool chain model Hierarchy figure:
Hierarchy : • Evidence [Parent] Is a: Evidence
Table 940 Artifact: TCA-Model
Artifact: Test Cases Description: The executable test cases implementing the test specification Hierarchy figure:
Hierarchy : • AF3 System Model [Child]
• Evidence [Parent] Created by feature: • AF3,Synthesizing Test Cases Is a: Evidence Occurrences: • AF3 System Model
Table 941 Artifact: Test Cases
Artifact: Test Specification Description: The textual specification of the tests Hierarchy figure:
Hierarchy : • AF3 System Model [Child]
• Evidence [Parent] Used by feature: • AF3,Specfying Test Suite Is a: Evidence Occurrences: • AF3 System Model
Table 942 Artifact: Test Specification
Artifact: Timing Parameters Description: Contain all the parameters concerning the application Hierarchy figure:
Hierarchy : • AF3 System Model [Child]
• Source Code [Parent] Used by feature: • PharOS offline computation,Execution graph extraction
• PharOS offline computation,Feasability • PharOS offline computation,Spatial constraints
Used by use case: • PharOS offline computation,Psy1 Used by tool: • PharOS offline computation Created by feature: • AF3,Specifying Technical Architecture Is a: Source Code Occurrences: • AF3 System Model
Table 943 Artifact: Timing Parameters
Artifact: Tool Evaluation Report Description: Contains the evaluation/classification of the tools Hierarchy figure:
Hierarchy : • Evidence [Parent] Created by use case: • Tool Chain Analyzer,Determinate Tool Confidence Level
• Tool Chain Analyzer,Generate Tool Classification Report Is a: Evidence
Table 944 Artifact: Tool Evaluation Report
Artifact: User Input Description: The user writes input to the tool Used by feature: • Tool Chain Analyzer,Compute Tool Confidence Level
• Tool Chain Analyzer,Cost Model • Tool Chain Analyzer,EMF • Tool Chain Analyzer,Excel Interface • Tool Chain Analyzer,Generate Word (docx) • Tool Chain Analyzer,Model Validation • Tool Chain Analyzer,Xml Interface
Table 945 Artifact: User Input
Artifact: Verification Verdict Description: The verdict of a verification step (valid/invalid) and a counter example Created by feature: • AF3,Verifing Contracts of a Logical Architecture
• AF3,Verifying MSC Conformance • AF3,Verifying Soundness of a Logical Architecture
Table 946 Artifact: Verification Verdict
Artifact: Verified System Models (Event-B) Description: Specified and verified system models at different levels of abstraction
Table 947 Artifact: Verified System Models (Event-B)
Artifact: VerSÅA verification report Description: -None-
Table 948 Artifact: VerSÅA verification report
Artifact: WCET Description: Worst case execution time estimation for each task Hierarchy figure:
Hierarchy : • Evidence [Parent] Used by feature: • AF3,Synthesizing Real-Time Schedule Used by tool: • PharOS offline computation Is a: Evidence
Table 949 Artifact: WCET
Artifact: WCRT Description: Worst-case response time for a task Hierarchy figure:
Hierarchy : • Evidence [Parent] Is a: Evidence
Table 950 Artifact: WCRT
Artifact: Word Document Description: The files that can be read/written from Word Hierarchy figure:
Hierarchy : • Evidence [Parent] Used by use case: • ISO 26262 Reviews,SG_Confirmation Review Of TCLs Created by feature: • Tool Chain Analyzer,Compute Tool Confidence Level
• Tool Chain Analyzer,Generate Word (docx) Is a: Evidence
Table 951 Artifact: Word Document
1.13.2 ERROR MODEL FOR THE RECOMP TOOL CHAIN TOOL CHAIN
The error model consists of general attributes that are mapped to the used tools or use cases. Each of these mapped elements receives a copy of the listed errors. In the following sections all used attributes, errors, checks and restrictions are described.
1.13.2.1 TOOL ATTRIBUTE DESCRIPTIONS
The following 10 general tool attributes have been used in the analysis of the "RECOMP Tool Chain". Tool Attribute: Fcn_Algorithm Description: The function is implemented by an algorithm Assigned to the following features: • Tool Chain Analyzer,Compute Tool Confidence Level
• Tool Chain Analyzer,EMF • Tool Chain Analyzer,Model Validation
Contains the following potential errors: • Algorithm Error
• Wrong Algorithm
Table 952 Tool Attribute: Fcn_Algorithm
Tool Attribute: Fcn_Algorithm_DeEncode Description: encoding and decoding algorithms are used Assigned to the following features: • Tool Chain Analyzer,Excel Interface Contains the following potential errors: • Decoded Wongly
• Encoded Wrongly
Table 953 Tool Attribute: Fcn_Algorithm_DeEncode
Tool Attribute: Fcn_Behaviour Description: The behaviour of the function Assigned to the following features: • Tool Chain Analyzer,EMF
• Tool Chain Analyzer,Excel Interface • Tool Chain Analyzer,Model Validation
Contains the following potential errors: • Wrong Behaviour
Table 954 Tool Attribute: Fcn_Behaviour
Tool Attribute: Fcn_Behaviour_Calculator Description: The tool does an Excel-like computation with simple arithmetic, e.g. computing the sum of numbers in a row Assigned to the following features: • Tool Chain Analyzer,Compute Tool Confidence Level Contains the following potential errors: • Wrong Result
Table 955 Tool Attribute: Fcn_Behaviour_Calculator
Tool Attribute: Fcn_Behaviour_Transformation Description: The tool transforms information into other representations, e.g. a compiler Assigned to the following features: • Tool Chain Analyzer,EMF
• Tool Chain Analyzer,Excel Interface • Tool Chain Analyzer,Generate Word (docx)
Contains the following potential errors: • Transformation Not Supported
• Wrong Transformation
Table 956 Tool Attribute: Fcn_Behaviour_Transformation
Tool Attribute: Fcn_Resource_CPU Description: The function requires CPU resources like RAM, ROM or CPU time which might not be available Assigned to the following features: • Tool Chain Analyzer,Generate Word (docx) Contains the following potential errors: • Missing CPU
Table 957 Tool Attribute: Fcn_Resource_CPU
Tool Attribute: Fcn_Specification Description: The specification/documentation of the function Assigned to the following features: • Tool Chain Analyzer,Compute Tool Confidence Level
• Tool Chain Analyzer,Generate Word (docx) • Tool Chain Analyzer,Model Validation
Contains the following potential errors: • Wrong Specification
Table 958 Tool Attribute: Fcn_Specification
Tool Attribute: Fcn_Variants Description: The function can be computed with different variants Assigned to the following features: • Tool Chain Analyzer,Compute Tool Confidence Level
• Tool Chain Analyzer,EMF • Tool Chain Analyzer,Generate Word (docx)
Contains the following potential errors: • Wrong Variant
Table 959 Tool Attribute: Fcn_Variants
Tool Attribute: Fcn_Variants_Options Description: The tool supports options. These can be either command line arguments, settings or configuration files Assigned to the following features: • Tool Chain Analyzer,Excel Interface Contains the following potential errors: • Option Defect
• Option Ignored
Table 960 Tool Attribute: Fcn_Variants_Options
Tool Attribute: micro kernel Description: -None- Used from the following tools: • PharOS offline computation Assigned to the following features: • PharOS offline computation,Spatial constraints Contains the following potential errors: • Communication buffer overflow
• Deadline error • Graph error • Segmentation fault
Table 961 Tool Attribute: micro kernel
1.13.2.2 ERROR DESCRIPTIONS
The following 17 errors have been identified and used in the analysis of the "RECOMP Tool Chain". Error: Algorithm Error Description: The algorithm has an error, for example a wrong condition, type, loop, ... From tool attribute: Fcn_Algorithm
Table 962 Error: Algorithm Error
Error: Communication buffer overflow Description: -None- From tool attribute: micro kernel
Table 963 Error: Communication buffer overflow
Error: Deadline error Description: A deadline is not met From tool attribute: micro kernel
Table 964 Error: Deadline error
Error: Decoded Wongly Description: A correctly encoded object is decoded wrongly From tool attribute: Fcn_Algorithm_DeEncode
Table 965 Error: Decoded Wongly
Error: Encoded Wrongly Description: The data is encoded such that it cannot be decoded any more From tool attribute: Fcn_Algorithm_DeEncode
Table 966 Error: Encoded Wrongly
Error: Graph error Description: Execution graph error From tool attribute: micro kernel
Table 967 Error: Graph error
Error: Missing CPU Description: Not enough CPU available for computing the correct result.
Comment: Note: in this error we consider only the undetected case, where the tool terminates without warning and with a wrong result; this may be due to some internal checks that cause the tool to terminate if no CPU is available, e.g. after a given time using the default value
From tool attribute: Fcn_Resource_CPU
Table 968 Error: Missing CPU
Error: Option Defect Description: The option or combination of options is defective, i.e. it computes wrong values From tool attribute: Fcn_Variants_Options
Table 969 Error: Option Defect
Error: Option Ignored Description: The entered option is ignored without a warning and the wrong result is computed From tool attribute: Fcn_Variants_Options
Table 970 Error: Option Ignored
Error: Segmentation fault Description: Violation of spatial isolation From tool attribute: micro kernel
Table 971 Error: Segmentation fault
Error: Transformation Not Supported Description: The transformation might not support all elements and ignore them, e.g. some settings in a model or some pragmas in a code From tool attribute: Fcn_Behaviour_Transformation
Table 972 Error: Transformation Not Supported
Error: Wrong Algorithm Description: The chosen algorithm does not solve the problem correctly From tool attribute: Fcn_Algorithm
Table 973 Error: Wrong Algorithm
Error: Wrong Behaviour Description: The function can have a wrong behaviour From tool attribute: Fcn_Behaviour
Table 974 Error: Wrong Behaviour
Error: Wrong Result Description: The calculated result differs from the real result, e.g. 1+1=0 or 1/1=0.99 From tool attribute: Fcn_Behaviour_Calculator
Table 975 Error: Wrong Result
Error: Wrong Specification Description: The function can deviate from the specification From tool attribute: Fcn_Specification
Table 976 Error: Wrong Specification
Error: Wrong Transformation Description: The result of the transformation is not correct From tool attribute: Fcn_Behaviour_Transformation
Table 977 Error: Wrong Transformation
Error: Wrong Variant Description: The wrong variant has been used, e.g. by ignoring an option/configuration From tool attribute: Fcn_Variants
Table 978 Error: Wrong Variant
1.13.3 ASSUMPTIONS
This section lists all assumptions on toolchain level used in the evaluation of this tool chain. If the assumptions are violated the calculated TCL is not valid. Assumptions that are enforced by the development process are marked in the analysis model and listed here. Check: Assertion Check Description: This check detects if an assertion in the code is violated.
This check detects violated assertions. If a testcase claims to violate an assertion but does not, this will also be noted with a high probability. Comment: Since this is an automatic check the detection probability is high.
From use case: Test Environment,Unit Test Error detection probability: TD 1 (HIGH) Is assumption: True
Table 979 Check: Assertion Check
Check: Detect Wrong TCL Description: An error in the TCL computation is detected.
Since the review is performed on the basis of the generated report, it will also detect errors in the report generation and in the image generation and all other modeling errors with a high probability.
Comment: TCL computation is an easy task and review is an effective verification method for that purpose.
From use case: ISO 26262 Reviews,SG_Confirmation Review Of TCLs Error detection probability: TD 1 (HIGH) Detected errors from other tools:
• SG_Confirmation Review Of TCLs,Tool Chain Analyzer,Compute Tool Confidence Level,Wrong TCL Computed
• SG_Confirmation Review Of TCLs,Tool Chain Analyzer,Determinate Tool Confidence Level,TCL Wrongly Shown
• SG_Confirmation Review Of TCLs,Tool Chain Analyzer,Determinate Tool Confidence Level,TCL Wrongly Written
• SG_Confirmation Review Of TCLs,Tool Chain Analyzer,Excel Interface,Wrong Export
• SG_Confirmation Review Of TCLs,Tool Chain Analyzer,Excel Interface,Wrong Import
• SG_Confirmation Review Of TCLs,Tool Chain Analyzer,Generate Word (docx),Document Generated Wrongly
• SG_Confirmation Review Of TCLs,Tool Chain Analyzer,Xml Interface,Wrong XML Export
• SG_Confirmation Review Of TCLs,Tool Chain Analyzer,Xml Interface,Wrong XML Import
Is assumption: True
Table 980 Check: Detect Wrong TCL
Check: Executability Check Description: The generated test is compiled and executed
Comment: There is a high probability of detecting that the test is not executable, e.g. not compiling correctly since this is an automatic check
From use case: TBT,Validate Tests Error detection probability: TD 1 (HIGH) Is assumption: True
Table 981 Check: Executability Check
Check: Model Check Description: Check the validity of the model
Comment: This can be done using a model checker tool for some consistency rules From use case: ProB Model Checker,Check Model Error detection probability: TD 1 (HIGH) Is assumption: True
Table 982 Check: Model Check
Check: Proof Tree - Syntax Check
Description: The syntax check is usually done when this file is used.
From use case: Rodin Prover,System Model Verification
Error detection probability: TD 1 (HIGH)
Is assumption: True
Table 983 Check: Proof Tree - Syntax Check
Check: Review Test against Specification
Description: Review of the generated test cases for correctness against the specification.
Comment: Since it is easy to see that a test case covers a specified feature, the review has a high probability of detecting non-conformance errors between the tests and the specification.
From use case: TBT,Validate Tests
Error detection probability: TD 1 (HIGH)
Is assumption: True
Table 984 Check: Review Test against Specification
Error: Incorrect translation
Description: The translation of contracts to assertions/assumptions might be incorrect. It is not obvious how to check within a tool that this does not happen. Manual inspection might be needed.
From use case: Contracts to assertions
Is assumption: True
Table 985 Error: Incorrect translation
Feature: SG_Avoid Feature
Description: Avoid this feature, since it is redundant.
From: Tool Chain Analyzer
Parts:
• SG_Avoid Feature
Is assumption: True
Table 986 Feature: SG_Avoid Feature
Restriction: Avoid Features
Description: Avoid the risky features of the model since they might be buggy.
From feature: Tool Chain Analyzer,Safety Guidelines,SG_Avoid Feature
Error avoidance probability: TD 1 (HIGH)
Avoided errors:
• Cost Model,Wrong Cost Computed
• Excel Interface,Wrong Export
• Excel Interface,Wrong Import
• Model Validation,Wrong Error Reported
• Xml Interface,Wrong XML Export
• Xml Interface,Wrong XML Import
Is assumption: True
Table 987 Restriction: Avoid Features
Tool: Test Environment
Description: This is a virtual test environment that is used to formulate assumptions from the test generator to test tools and processes in which the generated tests can be executed.
Impact: TI 2 (Impact)
Tool Confidence Level: TCL 1
Is assumption: True
Table 988 Tool: Test Environment