Recent Advances towards the Industrial Application of
Model-Driven Engineering for Assurance of Safety-Critical Systems
Jose Luis de la Vara
1
, Alejandra Ruiz
2
and Huáscar Espinoza
2
1
Departamento de Informática, Universidad Carlos III de Madrid, Leganés, Spain
2
ICT Division, TECNALIA, Derio, Spain
Keywords: Safety-Critical Systems, Assurance, Certification, Model-Driven Engineering, Model-based Engineering.
Abstract: Safety-critical systems are typically subject to assurance processes as way to ensure that they do not pose
undue risks to people, property, or the environment, usually in compliance with assurance standards. The
planning, execution, and management of assurance processes can be a complex activity in practice because
of issues in the application of the standards, the large amount of information to handle, and the need for
providing convincing justifications of assurance adequacy, among other difficulties. As a solution, many
authors have argued that the use of Model-Driven Engineering principles and techniques can facilitate and
improve assurance of safety-critical systems. This paper presents some of the latest advances that have been
and are being made towards the use of these principles and techniques in industry. Although models have
been used for assurance of safety-critical systems for many years, e.g. to specify safety cases, it has only
been recently when the full potential of Model-Driven Engineering has started to be more widely exploited.
This includes aspects such as the specification of metamodels and domain specific languages for assurance,
the extension and application of UML, and the use of model transformations.
1 INTRODUCTION
Safety-critical systems are those whose failure can
harm people, property, or the environment, e.g. cars,
trains, aircrafts, and medical devices. These systems
are subject to rigorous assurance processes.
Assurance can be defined as “the planned and
systematic actions necessary to provide adequate
confidence and evidence that a product or process
satisfies given requirements” (RTCA, 2011);
dependability requirements in general, safety ones in
particular, and typically in compliance with
assurance standards for certification.
Examples of assurance standards include IEC
61508 (IEC, 2011) for electrical, electronic, and
programmable electronic systems in a wide range of
industries, and more specific standards such as DO-
178C for avionics (RTCA, 2011), the CENELEC
standards for railway (e.g. EN 50128 (CENELEC,
2011)), and ISO 26262 for the automotive sector
(ISO, 2011). Systems (and components) developers
must follow the standards and enact assurance
processes for safety-critical systems, and system
evaluators (e.g. assessors, certification authorities, or
regulators) must confirm the adequacy of the
assurance activities executed by the developers.
Assurance of safety-critical systems is a complex
activity in practice. Standards are usually large
textual documents that contain hundreds of pages
and define thousands of compliance criteria.
Ambiguity and inconsistency are common. System
developers can easily face challenges because of
difficulties in following and applying the standards,
having to manage large amounts of assurance
evidence, and having to provide valid justifications
of system assurance and of the adequacy of the
assurance activities, among other difficulties (de la
Vara, 2016a; Nair, 2015a). These difficulties can
lead to assurance risks (Alexander, et al., 2010),
which are conditions that can make a safety-critical
system developer incapable of (1) developing a
system that complies with assurance standards and
can be deemed safe, (2) adequately collecting and
managing assurance evidence and thus guaranteeing
system safety, or (3) making a third-party (e.g. an
assessor) gain sufficient confidence in system safety.
As a solution to the above issues, several authors
have argued during the last decade that the use of
Model-Driven Engineering (MDE) principles and
632
Vara, J., Ruiz, A. and Espinoza, H.
Recent Advances towards the Industrial Application of Model-Driven Engineering for Assurance of Safety-Critical Systems.
DOI: 10.5220/0006733906320641
In Proceedings of the 6th International Conference on Model-Driven Engineering and Software Development (MODELSWARD 2018), pages 632-641
ISBN: 978-989-758-283-7
Copyright © 2018 by SCITEPRESS Science and Technology Publications, Lda. All rights reserved
techniques can help practitioners to perform
assurance activities, e.g. (Biggs, et al., 2016; de la
Vara, et al., 2016c; Espinoza, et al., 2011; Falessi, et
al., 2012; Panesar-Walawege, et al., 2013; Ruiz, et
al., 2016; Wu, et al., 2015). Models, in conformance
to metamodels (Bézivin, 2005), can used be e.g. to
create representations of assurance standards and of
how to follow them, to specify a reference of the
assurance evidence to manage and of how to
structure it, and to represent the justification of
system assurance and of assurance adequacy,
including the semi-automatic derivation of this
justification with model transformations.
Many of the possible usages of MDE for
assurance of safety-critical systems have only been
proposed in the literature, but some results are
already starting to be transferred to practice through
collaborative industry-academia projects, software
tools, and international standards. In addition to
providing support to assurance processes, MDE has
also been used as the overall technology to develop
tools to support the processes.
This paper presents recent advances towards the
industrial application of MDE for assurance of
safety-critical systems. This information can be
valuable (1) for practitioners (both system
developers and evaluators) to gain awareness of how
to exploit MDE for improvement of their assurance
processes, (2) for tool vendors to find possible new
features and new ways to develop software support
to assurance processes, and (3) for academia to
obtain an overall picture of recent research results on
MDE-based assurance of safety-critical systems and
to identify research opportunities.
The rest of the paper is organized as follows.
Section 2 presents the main background of the paper,
and Sections 3 to 7 describe specific efforts towards
the industrial application of MDE for safety
assurance. More specifically, Section 3 describes the
OPENCOSS project, Section 4 the OpenCert
platform, Section 5 initiatives and the OMG (Object
Management Group), and Section 6 the AMASS
project. Section 7 reports our main conclusions.
2 BACKGROUND
The background of the paper is divided into two
broad areas: how models have been used for
assurance of safety-critical systems in practice, and
related work, i.e. other publications that have
provided similar or related overviews about
assurance process and practices.
2.1 Use of Models for Assurance of
Safety-Critical Systems in Practice
The use of models, understood as graphical
representations with a specific and constrained
structure, in assurance activities for safety-critical
systems is not an idea proposed during the last
decade, but models have been used since long
before. Practitioners have indeed reported the use of
models to e.g. manage assurance evidence (de la
Vara, 2016a; Nair, 2015a). In this section we focus
on the arguably two main specific usages of models
for safety-critical systems: the specification of safety
cases and the representation of safety analyses.
A safety case can be defined as “a clear,
comprehensive and defensible argument that a
system is acceptably safe to operate in a particular
context” (Kelly, 1999). Safety cases are a
specialization of assurance cases, which can be
defined as “A collection of auditable claims,
arguments, and evidence created to support the
contention that a defined system/service will satisfy
its assurance requirements” (OMG, 2017d). The
notion of and the need for creating and maintaining
safety cases is common in practically all the safety-
critical domains, in spite of being referred to with a
different term, e.g. Software Accomplishment
Summary for avionics software.
Safety cases are usually provided as textual
reports, but they can contain graphical
representations. There exist two main graphical
notations: CAE (Claims, Arguments and Evidence)
(Adelard, 2017) and GSN (Goal Structuring
Notation) (Goal Structuring Notation, 2017). Both
support the modelling of the claims that assure
system safety, the arguments that justify the claims,
and the supporting evidence. GSN provides further
concepts to represent e.g. the context of a claim,
argument modules, and argument patterns. Figure 1
shows an example of a GSN diagram.
Regarding safety analyses, the application of
classical techniques (Ericsson, 2015) is usually
based on tables, but some are based on models. The
most typical one arguably is FTA (Fault Tree
Analysis). It is used to determine the root causes and
probability of occurrence of a specified undesired
event, and allows systems analysts to model the
unique combinations of fault events that can cause
an undesired event to occur (Ericsson, 2015). A fault
tree is a model that logically represents the various
combinations of possible events, both faulty and
normal one, occurring in a system that lead to an
undesired event or state (Ericsson, 2015).
Recent Advances towards the Industrial Application of Model-Driven Engineering for Assurance of Safety-Critical Systems
633
Figure 1: Example of GSN diagram (Goal Structuring Notation, 2017).
Recent techniques for safety analysis are based
on models too, e.g. STAMP (Systems-Theoretic
Accident Model and Processes) (Leveson, 2011).
This technique has three basic underlying constructs:
safety constraints, hierarchical safety control
structures, and process models.
2.2 Related Work
Several publications have provided an overview of
the safety assurance area and have provided insights
into or referred to the application of MDE.
The periodic seminal vision papers about the
future of software engineering research published at
the International Conference on Software
Engineering are part of these publications. In a paper
on challenges and directions for safety-critical
systems, (Knight, 2002) states that “It is essential
that comprehensive approaches to total system
modelling are developed so that properties of entire
systems can be analyzed. Such approaches must […]
provide high fidelity models of critical software
characteristics”. Five years later, (Heimdahl, 2007)
reports that the “reliance on models and automated
tools […] promises to increase productivity and
reduce the very high costs associated with software
development for critical systems”. Nonetheless, he
also acknowledges that “The reliance on tools rather
than people, however, introduces new and poorly
understood sources of problems, such as the level of
trust we can place in the results of our automation”.
Heimdahl also reviews model-based development as
an element of his vision for safety and software-
intensive systems. In the latest related publication of
this paper series, on certifiably safe software-
dependent systems, (Hatcliff, et al., 2014) argue that:
“The potential of domain modelling […] (now) is
much more realizable by leveraging advancements
in ontologies, modeling semantic networks, and
knowledge representation combined with the use of
stylized natural language”, and that “Open source
projects should be pursued that provide […]
modeling environments for building qualifiable
tools”. Hatcliff et al. also review the potential of
model-based system analysis and development.
Regarding other publications, (Panesar-
Walawege, et al., 2011) present their experience,
position, and vision on how to use MDE for safety
evidence characterisation and management, mainly
based on work in the maritime and energy sector.
They worked with companies on the application of
MDE to create common interpretations of standards,
specialise standards to industrial contexts, align
standards to organisational practices, plan
certification, and manage evidence electronically.
In our prior work (de la Vara, et al., 2016c), we
reviewed approaches for model-based management
of safety compliance and divided them into three
IndTrackMODELSWARD 2018 - MODELSWARD - Industrial Track
634
categories: (1) approaches for safety regulation
modelling, to model the content (i.e. text) of
standards in order to perform some analysis for
identification of issues such as conflicts and
inconsistencies, e.g. (Sannier, Baudry, 2014); (2)
approaches for safety standard-specific modelling,
which correspond to those model-based approaches
that focus on some safety standard, e.g. DO-178B
(Zoughbi, et al., 2011) or IEC 61508 (Panesar-
Walawege, et al., 2013), and; (3) approaches for
safety standard-independent modelling, which
explicitly aim to support the specification of safety
compliance needs in a generic way, so that they can
be instantiated for any safety standard or domain,
e.g. for process assurance (Gallina, et al., 2014) and
for evidence traceability (Nair, et al., 2014a).
Finally, insights into the usage of models for
assurance of safety-critical systems can be found in
reviews of the literature (Nair, et al., 2014b) and in
industrial surveys with practitioners (de la Vara, et
al., 2016a; Nair, et al., 2015a), e.g. about the use of
graphical argumentation notations.
3 THE OPENCOSS PROJECT
OPENCOSS (Open Platform for EvolutioNary
Certification of Safety-critical Systems) (Espinoza,
et al., 2011; OPENCOSS project, 2017) was a
European research project on safety assurance and
certification of embedded systems. The OPENCOSS
consortium comprised four academic partners and
13 companies, including safety-critical system
manufacturers, component suppliers, certification
authorities, safety assessors, and tool vendors. The
project was supported by a large advisory board with
representatives from more than 20 organisations.
The project tackled the lack of precision and
large variety of certification requirements, the lack
of composable and system views for certification,
the high and non-measured costs for
(re)certification, and the lack of openness to
innovation and new approaches. As solutions.
OPENCOSS (a) devised a common certification
framework that spans different vertical markets for
railway, avionics, and automotive, and (b) developed
an open-source safety certification infrastructure.
The ultimate goal of the project was to bring
about substantial reductions in recurring safety
certification costs and, at the same time, reduce
assurance risks through the introduction of more
systematic safety assurance practices. The project
dealt with (1) creation of a common certification
conceptual framework, (2) compositional
certification, (3) evolutionary chain of evidence, (4)
transparent certification process, and (5)
compliance-aware development process.
Figure 2 shows the MDE approach for safety
assurance and certification defined in OPENCOSS.
It is based on several related metamodels targeted at
different safety assurance and certification needs.
The set of metamodels corresponds to the common
certification conceptual framework.
The Reference Assurance Framework
Metamodel supports the specification of the
safety compliance needs that have or might have
to be considered in an assurance project. Safety
compliance needs can be from specific standards,
recommended practices, or company-specific
practices, and typically have to be tailored to
project-specific characteristics. The latter is done
by means of baselines.
Another source of information for safety
compliance is the data about the product for
which compliance is sought. The metamodels
include the concepts and relationships necessary
for modelling and managing project- and
product-specific information.
o The process executed to create a product
(Process Metamodel).
o The evidence of safety and of compliance
(Evidence Metamodel).
o The arguments that will be used to justify key
safety-related decisions taken during the
project (Argumentation Metamodel).
Figure 2: Overall OPENCOSS MDE approach for safety
assurance and certification.
Recent Advances towards the Industrial Application of Model-Driven Engineering for Assurance of Safety-Critical Systems
635
The Vocabulary Metamodel is a means to define
and record the terms and concepts used to
characterize reusable assurance assets such as
evidence, argumentation, and process data, as
well as terms from standards.
With the Mappings Metamodel, maps can be
created to specify the degree of equivalence
between vocabulary terms (e.g. from different
domains), the assurance information of a project
(e.g. artefacts) and its baseline for indicating
compliance, and safety standards (i.e. reference
assurance frameworks).
More details about the metamodels and the MDE
approach can be found in (OPENCOSS project,
2015c). The approach provides support to all the
areas dealt with in OPENCOSS. For example, the
MDE approach has enabled the systematic reuse of
assurance information across systems and projects
(Ruiz, et al., 2017), the semi-automatic generation of
arguments (Ruiz, et al., 2015), the modelling of
context-aware process families (Ayora, et al., 2016),
and argument-based assessment of confidence in
evidence (Nair, et al., 2015b).
The approach was applied in three industrial case
studies (OPENCOSS project, 2015a): an ePARK
system for an electric vehicle in the automotive
domain, the reuse of a railway execution platform in
the avionics domain, and the certification of a
signalling system in the railway domain. The
application resulted in the determination of several
improvements over the current practices for safety
assurance and certification (OPENCOSS project,
2015b), including a reduction of recurring costs for
safety certification across systems, a reduction of
recurring costs for safety certification across vertical
markets, and a gain for product innovation and
upgrading. Experiments in which people have used
some parts of the OPENCOSS MDE approach have
also been conducted to validate it (de la Vara, et al.,
2016b; de la Vara, et al., 2017c).
4 OPENCERT
The safety certification infrastructure for MDE-
based safety assurance and certification
implemented in OPENCOSS (Ruiz, et al., 2015) has
been further developed and maintained and has
resulted in the OpenCert platform (OpenCert
platform, 2017; Figure 3). OpenCert is an open-
source integrated and holistic solution for assurance
and certification management of Cyber-Physical
Systems (CPS) spanning the largest safety and
security-critical industrial markets, such as
aerospace, space, railway, manufacturing, energy,
and health. The ultimate aim of the platform is to
lower certification costs in face of rapidly changing
product features and market needs.
Figure 3: OpenCert screenshot.
IndTrackMODELSWARD 2018 - MODELSWARD - Industrial Track
636
OpenCert is hosted and managed by the Eclipse
Foundation through the PolarSys Working Group
(PolarSys, 2017). This group corresponds to a
collaboration of large end-user companies and open-
source tools providers dedicated to supplying
industrial-grade open-source tools for the
development of embedded systems. All the PolarSys
solutions are based on technology and tools that
have been deployed by large systems engineering
and embedded systems development teams.
The current features of OpenCert include the
management of information from standards and
regulations, the management of assurance projects,
architecture-driven assurance, assurance case
management, and compliance management. For
architecture-driven assurance, OpenCert is linked
with the Papyrus (Papyrus, 2017) and CHESS
(PolarSys CHESS, 2017) Eclipse projects, and with
the EPF project (Eclipse Process Framework Project,
2017) for compliance management.
In addition to supporting model-based CPS
assurance and certification, the development of
OpenCert itself exploits Eclipse-based MDE
technologies such as EEF (Eclipse EEF, 2017),
EuGENia (EuGENia, 2017) and GMF (Graphical
Modeling Framework, 2017) for editor development,
Epsilon (Epsilon, 2017) for model transformation,
and CDO (CDO Model Repository, 2017) for data
storage.
5 OMG INITIATIVES
We have presented above approaches, projects, and
tools for MDE-based assurance of safety-critical
systems that have resulted from arguably reduced-
scope initiatives, such as a consortium of
organizations. However, the recent advances
towards the industrial application of MDE for safety
assurance go beyond these results. There are
international, world-wide organizations and
collaborations working on the topic. OMG (OMG,
2017a) is among the main ones.
OMG is a non-profit organization that develops
open technical specifications and international
standards for application of MDE in different
domains, e.g. UML (OMG, 2017g) and SysML
(OMG, 2017f) for software modelling and systems
modelling, respectively. OMG members correspond
to a consortium with international organizations of
vendors, developers, end users, and researchers. The
set of OMG specifications has also started to address
system assurance aspects, and we review them in
this section. Most of these specifications have been
or are being developed in the scope of System
Assurance Task Force (OMG, 2017e).
SACM (Structured Assurance Case Metamodel)
(OMG, 2017e) supports the representation of
assurance cases in a structured and standard way. Its
main sources have been CAE and GSN, and the
main developers of these notations have contributed
to the standard. SACM consists of a sub-metamodel
for argumentation, one for evidence artefacts, and
another for terminology. The metamodels aim to
allow the interchange of structured arguments
between diverse tools by different vendors. In a
structured argument, the relationships between the
asserted claims, and from the evidence to the claims
are explicitly represented. The latest SACM version
represents a considerable re-work and improvement
to address certain limitations of previous versions
(see e.g. (de la Vara, et al., 2017a)).
DAF (Dependability Assurance Framework For
Safety-Sensitive Consumer Devices) (OMG, 2017b)
provides a system assurance methodology for the
dependability argumentation for consumer devices.
This is achieved by integrating conventional system
assurance approaches, e.g. risk analysis and
assessments, with a new way of approaching unique
characteristics of consumer devices. The
specification supports the objectives of device
integration and includes the dependability case for
argumentation, as well as new dependability
development processes. The focus is to include the
dependability argumentation particularly for
consumer devices. To this end, a link with SACM is
established.
The most recent initiative is a request for
proposals for a standard UML profile for safety and
reliability (OMG, 2017c). The scope and content of
this profile will be similar to some published in the
latest years, e.g. (Biggs, et al., 2016; Wu, et al.,
2015), which are profiles that include concepts from
safety standards so that they are explicitly and
directly included in a system representation, e.g.
created with SysML. This way, the system and the
assurance information can be processed and
analysed together. In addition, the request explicitly
states that proposals must consider how the safety
information […] can be integrated into a SACM
model as supporting evidence for an assurance case
argument”, and that “Proposals shall discuss how the
profile/model library can be used in conjunction
with SACM, and how the proposed profile/model
library’s argument notation compares with SACM
and GSN”. This way, different OMG’s MDE means
for assurance of safety-critical systems will be
linked together.
Recent Advances towards the Industrial Application of Model-Driven Engineering for Assurance of Safety-Critical Systems
637
There is also some work ongoing for UML-based
operational threat and risk modelling (OMG,
2017h). This initiative aims to provide a conceptual
model that unifies the semantics of and can provide
a bridge across multiple threat and risk schemas and
interfaces. The conceptual model will be informed
by high-level concepts as defined by the cyber
domain and other domains, but it will not be specific
to any particular domain.
Finally, the above specifications are recent and
more work on their development and usage is
expected in the future. This has been argued as
necessary, e.g. for SACM (de la Vara, 2014).
6 THE AMASS PROJECT
The previous three sections have presented projects
and initiatives from which stable, mature results
exist. This section introduces an ongoing effort that
is already providing new MDE-based support for
assurance of safety-critical systems: the AMASS
project (AMASS project, 2017a; Ruiz, et al., 2016).
AMASS (Architecture-driven, Multi-concern and
Seamless Assurance and Certification of Cyber-
Physical Systems) is a very large-scale European
research project. The consortium consists of 29
partners; 21 from industry. The main issues
addressed are the increase in CPS product
complexity, the very high costs and effort for CPS
assurance and certification, the lack of standardised
and harmonised practices, the new assurance and
certification risks, the need for dealing with
architecture-specific aspects and with multiple
dependability concerns, the wider variety of tools
and stakeholders, and the insufficient reuse support.
The project is developing an integrated and
holistic approach and supporting tools for assurance
and certification of CPS by creating and
consolidating the first European-wide certification
platform, ecosystem and community spanning the
largest CPS vertical markets. The approach will be
driven by architectural decisions, including multiple
assurance concerns such as safety, security,
availability, robustness and reliability. The main
goal is to reduce time, cost and risks for assurance
and (re)certification by adopting an evolutionary
compositional certification and reuse approach.
The AMASS approaches focus on the
development and consolidation of an open and
holistic framework that constitutes the evolution of
the approaches from the OPENCOSS project and the
SafeCer project (SafeCer project, 2017) towards an
architecture-driven, multi-concern assurance, reuse-
oriented, and seamlessly interoperable tool platform.
In more specific terms, AMASS has four main
scientific and technical objectives, each addressing
several sub-areas and all using MDE principles and
techniques for the development of solutions for CPS
assurance (Figure 4):
Figure 4: AMASS work areas.
IndTrackMODELSWARD 2018 - MODELSWARD - Industrial Track
638
Architecture-driven assurance, to adequately link
system architecture specifications and assurance
models. This includes system architecture
modelling for assurance, management of
assurance pattern libraries, assurance impact
assessment based on verification and validation,
and component contract-based assurance
composition.
Multi-concern assurance, to deal not only with
safety for CPS but also with assurance of further
concerns, most notably security. Other relevant
concerns are reliability and performance, among
others. Multi-concern assurance requires system
dependability co-analysis and co-assessment,
dependability assurance modelling, and contract-
based multi-concern assurance.
Seamless interoperability, to ensure that
assurance and engineering activities and the joint
effort of the different assurance stakeholders are
properly linked and supported. To this end, the
sub-areas addressed are tool integration,
collaborative work management, and tool quality
characterisation and management.
Cross- and intra-domain assurance reuse, to
make the reuse of CPS products across systems,
standards, and domains more cost-effective. This
will be possible thanks to new reuse assistance,
semantic equivalence mapping of standards, and
product, process, and assurance case lines.
AMASS technology will be applied in 11
industrial case studies from the automotive, railway,
aerospace, space, and energy domains (AMASS
project, 2016). Initial results from the application of
the first project outcomes are available (AMASS
project, 2017b), e.g. about modelling and co-
assessment of safety and security characteristics and
about modelling of standards. Effort is also being
spent to link the AMASS MDE approaches with
other industrial practices for safety-critical systems
engineering, e.g. the use of ontologies for system
quality analysis (de la Vara, et al., 2017b).
Last but not least, it is planned that the open-
source AMASS results are integrated, maintained,
and further developed in OpenCert.
7 CONCLUSION
Assurance processes must be performed to provide
confidence in the dependability of safety-critical
systems. These processes can however be complex,
and the application of Model-Driven Engineering
(MDE) as supporting technology is advocated by
many researchers and practitioners as a solution.
We have reviewed recent advances that have
been and are being made so that MDE becomes an
industrial practice for the assurance of safety-critical
systems. By using MDE principles and technologies
such as metamodels and model transformation,
complex and challenging assurance activities can be
facilitated and improved, e.g. the specification of
how to comply with a standard, the management of
assurance evidence, the development of assurance
cases, the specification of assurance processes, and
the reuse of assurance information between projects.
These benefits are a result of initiatives such as the
OPENCOSS project, the OpenCert platform, OMG
standards, and the AMASS project.
We argue and envision that MDE will be a
central technology in the future for system assurance
in most organizations developing safety-critical
systems. Many organizations are already using MDE
principles and techniques although they might not be
aware of it, e.g. when using models to represent
assurance information or MDE-based tools such as
OpenCert. This usage will be very likely extended in
the future thanks to more mature MDE approaches
for assurance that result in international standards.
Finally, and based on our knowledge and
experience, the full adoption of MDE for assurance
of safety-critical systems needs to overcome some
barriers. Challenges arising from practical aspects
such as scalability, efficient model storage, and tool
qualification must be tackled, at least for many
open-source solutions. From a research perspective,
the development of MDE solutions that cover a wide
range of domains and of dependability concerns
remains an area where further work is necessary.
ACKNOWLEDGEMENT
The research leading to this paper has received
funding from the AMASS project (H2020-ECSEL
no 692474; Spain’s MINECO ref. PCIN-2015-262).
We also thank all the people that have contributed to
the results presented in the paper and with whom we
have collaborated to develop them.
REFERENCES
Adelard, 2017. Claims, Arguments and Evidence (CAE).
Online, https://www.adelard.com/asce/choosing-
asce/cae.html (Accessed October 31st, 2017)
Alexander, R., Kelly, T., Gorry, B., 2010. Safety Lifecycle
Activities for Autonomous Systems Development. In
5th SEAS DTC Technical Conference.
Recent Advances towards the Industrial Application of Model-Driven Engineering for Assurance of Safety-Critical Systems
639
AMASS project, 2016. Deliverable D1.1 - Case studies
description and business impact. Online,
https://www.amass-
ecsel.eu/sites/amass.drupal.pulsartecnalia.com/files/do
cuments/D1.1_Case-studies-description-and-business-
impact_AMASS_Final.pdf (Accessed October 31st,
2017)
AMASS project, 2017a. Online, https://www.amass-
ecsel.eu/ (Accessed October 31st, 2017)
AMASS project, 2017b. Deliverable D1.4 AMASS
Demonstrators (a). Online, https://www.amass-
ecsel.eu/sites/amass.drupal.pulsartecnalia.com/files/do
cuments/D1.4_AMASS-demonstrators-
%28a%29_AMASS_Final.pdf (Accessed October
31st, 2017)
Ayora, C., Torres, V., de la Vara, J.L., Pelechano, V.,
2016. Variability Management in Process Families
through Change Patterns. Information and Software
Technology 74: 86-104.
Bézivin, J., 2005. On the unification power of models.
Software and System Modeling 4(2): 171-188.
Biggs, G., Sakamoto, T., Kotoku, T., 2016. A profile and
tool for modelling safety information with design
information in SysML. Software and System Modeling
15(1): 147-178.
CDO Model Repository, 2017. Online,
https://www.eclipse.org/cdo/ (Accessed October 31st,
2017)
CENELEC, 2011. EN 50128 - Railway applications -
Communications, signalling and processing systems -
Software for railway control and protection systems.
de la Vara, J.L., 2014. Current and Necessary Insights into
SACM: An Analysis Based on Past Publications. In
RELAW 2014, 7th International Workshop on
Requirements Engineering and Law. IEEE.
de la Vara, J.L., Borg, M., Wnuk, K., Moonen, L., 2016a.
An Industrial Survey on Safety Evidence Change
Impact Analysis Practice. IEEE Transactions on
Software Engineering 42(12): 1095-1117.
de la Vara, J.L., Marín, B., Giachetti, G., Ayora, C.,
2016b. Do Models Improve the Understanding of
Safety Compliance Needs? Insights from a Pilot
Experiment. In ESEM 2016, 10th ACM/IEEE
International Symposium on Empirical Software
Engineering and Measurement. ACM.
de la Vara, J.L., Ruiz, A., Attwood, K., Espinoza, H.,
Panesar-Walawege, R.K., Lopez, A., del Rio, I., Kelly,
T., 2016c. Model-Based Specification of Safety
Compliance Needs: A Holistic Generic Metamodel.
Information and Software Technology 72: 16-30.
de la Vara, J.L., Génova, G., Álvarez-Rodríguez, J.M.,
Llorens, J., 2017a. An Analysis of Safety Evidence
Management with the Structured Assurance Case
Metamodel. Computer Standards & Interfaces 50: 179-
198.
de la Vara, J.L., Gómez, A., Gallego, E., Génova, G.,
Fraga, A., 2017b. Representation of Safety Standards
with Semantic Technologies Used in Industrial
Environments. In SASSUR 2017, 6th International
Workshop on Next Generation of System Assurance
Approaches for Safety-Critical Systems. Springer.
de la Vara, J.L., Marín, B., Ayora, C., Giachetti, G.,
2017c. An Experimental Evaluation of the
Understanding of Safety Compliance Needs with
Models. In ER 2017, 36th International Conference on
Conceptual Modeling. Springer.
Eclipse EEF, 2017. Online, https://eclipse.org/eef/#/
(Accessed October 31st, 2017)
Eclipse Process Framework Project, 2017. Online,
https://eclipse.org/epf/ (Accessed October 31st, 2017)
Epsilon, 2017. Online, https://www.eclipse.org/epsilon/
(Accessed October 31st, 2017)
Ericson, C. A., 2015. Hazard analysis techniques for
system safety. John Wiley & Sons. 2nd edition.
Espinoza, H., Ruiz, A., Sabetzadeh, M., Panaroni, P.,
2011. Challenges for an Open and Evolutionary
Approach to Safety Assurance and Certification of
Safety-Critical Systems. In WoSoCER 2011, First
International Workshop on Software Certification.
IEEE.
EuGENia, 2017. Online,
https://www.eclipse.org/epsilon/doc/eugenia/
(Accessed October 31st, 2017)
Falessi, D., Sabetzadeh, M., Briand, L., Turella, E., Coq,
T., Panesar-Walawege, R.K., 2012. Planning for
Safety Standards Compliance: A Model-Based Tool-
Supported Approach. IEEE Software 29(3): 64-70.
Gallina, B., Pitchai, J.P., Lundqvist, K., 2014: S-
TunExSPEM: Towards an Extension of SPEM 2.0 to
Model and Exchange Tunable Safety-Oriented
Processes. In Software Engineering Research,
Management and Applications. Springer.
Goal Structuring Notation, 2017. Online,
http://www.goalstructuringnotation.info/ (Accessed
October 31st, 2017)
Graphical Modeling Framework, 2017. Online,
https://www.eclipse.org/modeling/gmp/ (Accessed
October 31st, 2017)
Hatcliff, J., Wassyng, A., Kelly, T., Comar, C., Jones,
P.L., 2014. Certifiably safe software-dependent
systems: challenges and directions. In FOSE 2014,
Future of Software Engineering. ACM.
Heimdahl, M.P.E., 2007. Safety and Software Intensive
Systems: Challenges Old and New. In FOSE 20017,
Workshop on the Future of Software Engineering.
IEEE.
IEC, 2010. IEC 61508 - Functional Safety of
Electrical/Electronic/Programmable Electronic
Safety-related Systems. 2nd edition.
ISO, 2011. ISO 26262 - Road vehicles - Functional safety.
Kelly, T., 1999. Arguing Safety - A Systematic Approach
to Managing Safety Cases. University of York. PhD
thesis.
Knight, J.C., 2002. Safety critical systems: challenges and
directions. In ICSE 2002, 24th International
Conference on Software Engineering. ACM.
Leveson, N., 2011. Engineering a safer world: Systems
thinking applied to safety. MIT press.
IndTrackMODELSWARD 2018 - MODELSWARD - Industrial Track
640
Nair, S., de la Vara, J.L., Sabetzadeh, M., Falessi, D.,
2015a. Evidence Management for Compliance of
Critical Systems with Safety Standards: A Survey on
the State of Practice. Information and Software
Technology 60: 1-15.
Nair, S., Walkinshaw, N., Kelly, T., de la Vara, J.L.,
2015b. An Evidential Reasoning Approach for
Assessing Confidence in Safety Evidence. In ISSRE
2015, 26th IEEE International Symposium on
Software Reliability Engineering. IEEE.
Nair, S., de la Vara, J.L., Melzi, A., Tagliaferri, G., de-la-
Beaujardiere, L., Belmonte, F., 2014a. Safety
Evidence Traceability: Problem Analysis and Model.
In REFSQ 2014, 20th International Working
Conference on Requirements Engineering:
Foundation for Software Quality. Springer.
Nair, S., de la Vara, J.L., Sabetzadeh, M., Briand, L.,
2014b. An Extended Systematic Literature Review on
Provision of Evidence for Safety Certification.
Information and Software Technology 56(7): 689-717.
OMG, 2017a. Online, http://www.omg.org/ (Accessed
October 31st, 2017)
OMG, 2017b. Dependability Assurance Framework For
Safety-Sensitive Consumer Devices (DAF). Online,
http://www.omg.org/spec/DAF/ (Accessed October
31st, 2017)
OMG, 2017c. Safety and Reliability for UML RFP.
Online, http://www.omg.org/cgi-bin/doc.cgi?ad/2017-
3-5 (Accessed October 31st, 2017)
OMG, 2017d. Structured Assurance Case Metamodel
(SACM). Online, http://www.omg.org/spec/SACM/
(Accessed October 31st, 2017)
OMG, 2017e. System Assurance (SysA) Task Force.
Online, http://sysa.omg.org/ (Accessed October 31st,
2017)
OMG, 2017f. System Modeling Language (SysML).
Online, http://www.omgsysml.org/ (Accessed October
31st, 2017)
OMG, 2017g. Unified Modeling Language (UML).
Online, http://www.uml.org/ (Accessed October 31st,
2017)
OMG, 2017h. UML Operational Threat & Risk Model.
Online, http://www.omg.org/cgi-
bin/doc.cgi?sysa/2014-6-17 (Accessed October 31st,
2017)
OpenCert Platform, 2017. Online,
https://www.polarsys.org/opencert/ (Accessed October
31st, 2017)
OPENCOSS project, 2015a. Deliverable D1.4 -
Implementation of use cases on top of OPENCOSS
platform. Online, http://www.opencoss-
project.eu/sites/default/files/D1.4_Implementation_of_
use_cases_on_top_of_OPENCOSS_platform_final.pdf
(Accessed October 31st, 2017)
OPENCOSS project, 2015b. Deliverable D1.5
OPENCOSS Benchmarking. Online,
http://www.opencoss-
project.eu/sites/default/files/D1.5_OPENCOSS_Bench
marking__Final.pdf (Accessed October 31st, 2017)
OPENCOSS project, 2015c. Deliverable D4.4 - Common
Certification Language: Conceptual Model. Online,
http://www.opencoss-
project.eu/sites/default/files/D4.4_v1.5_FINAL.pdf
(Accessed October 31st, 2017)
OPENCOSS project, 2017. Online, http://www.opencoss-
project.eu/ (Accessed October 31st, 2017)
Panesar-Walawege, R.K., Sabetzadeh, M., Briand, L.,
2011. Using Model-Driven Engineering for Managing
Safety Evidence: Challenges, Vision and Experience.
In WoSoCER 2011, First International Workshop on
Software Certification. IEEE.
Panesar-Walawege, R.K., Sabetzadeh, M., Briand, L.,
2013. Supporting the verification of compliance to
safety standards via model-driven engineering:
Approach, tool-support and empirical validation.
Information & Software Technology 55(5): 836-864.
Papyrus, 2017. Online, https://eclipse.org/papyrus/
(Accessed October 31st, 2017)
PolarSys, 2017. Online, https://www.polarsys.org/
(Accessed October 31st, 2017)
PolarSys CHESS, 2017. Online,
https://www.polarsys.org/projects/polarsys.chess
(Accessed October 31st, 2017)
RTCA, 2011. DO-178C - Software Considerations in
Airborne Systems and Equipment Certification.
Ruiz, A., Larrucea, X., Espinoza, H., 2015. A Tool Suite
for Assurance Cases and Evidences: Avionics
Experiences. In EuroSPI 2015, 22nd European
Conference on Systems, Software and Services
Process Improvement. Springer.
Ruiz, A., Gallina, B., de la Vara, J.L., Mazzini, S.,
Espinoza, H, 2016. Architecture-driven, Multi-
concern, Seamless, Reuse-Oriented Assurance and
Certification of Cyber-Physical Systems. In SASSUR
2016, 5th International Workshop on Next Generation
of System Assurance Approaches for Safety-Critical
Systems. Springer.
Ruiz, A., Juez, G., Espinoza, H., de la Vara, J.L.,
Larrucea, X., 2017. Reuse of safety certification
artefacts across standards and domains: A systematic
approach. Reliability Engineering and System Safety
158: 153-171.
SafeCer project, 2017. Online, http://www.safecer.eu/
(Accessed October 31st, 2017)
Sannier, N., Baudry, B., 2014. INCREMENT: A Mixed
MDE-IR Approach for Regulatory Requirements
Modeling and Analysis. In REFSQ 2014, 20th
International Working Conference on Requirements
Engineering: Foundation for Software Quality.
Springer.
Wu, J., Yue, T., Ali, S., Zhang, H., 2015. A modeling
methodology to facilitate safety-oriented architecture
design of industrial avionics software. Software -
Practice and Experience 45(7): 893-924.
Zoughbi, G., Briand, L., Labiche, Y., 2011. Modeling
safety and airworthiness (RTCA DO-178B)
information: conceptual model and UML profile.
Software and System Modeling 10(3): 337-367.
Recent Advances towards the Industrial Application of Model-Driven Engineering for Assurance of Safety-Critical Systems
641