checsdm: A Method for Ensuring Consistency in Heterogeneous Safety-Critical System Design

Safety-critical systems are highly heterogeneous, combining different characteristics. Effectively designing such systems requires a complex modelling approach that deals with diverse components (e.g., mechanical, electronic, software)-each having its own underlying domain theories and vocabularies-as well as with various aspects of the same component (e.g., function, structure, behaviour). Furthermore, the regulated nature of such systems prescribes the objectives for their design verification and validation. This paper proposes checsdm, a systematic approach, based on Model-Driven Engineering (MDE), for assisting engineering teams in ensuring consistency of heterogeneous design of safety-critical systems. The approach is developed as a generic methodology and a tool framework, that can be applied to various design scenarios involving different modelling languages and different design guidelines. The methodology comprises an iterative three-phased process. The first phase, elicitation, aims at specifying requirements of the heterogeneous design scenario. Using the proposed tool framework, the second phase, codification, consists in building a particular tool set that supports the heterogeneous design scenario and helps engineers in flagging consistency errors for review and eventual correction. The third phase, operation, applies the tool set to actual system designs. Empirical evaluation of the work is presented through two executions of the checsdm approach for the specific cases of a design scenario involving a mix of UML, Simulink and Stateflow, and a design scenario involving a mix of AADL, Simulink and Stateflow. The operation phase of the first case was performed over three avionics systems and the identified inconsistencies in the design models of these systems were compared to the results of a fully manual verification carried out by professional engineers. The evaluation also includes an assessment workshop with industrial practitioners to examine their perceptions about the approach. The empirical validation indicates the feasibility and "cost-effectiveness" of the approach. Inconsistencies were identified in the three avionics systems with a greater recall rate over the manual verification. The assessment workshop shows the practitioners found the approach easy to understand and gave an overall likelihood of adoption within the context of their work.