chapter \An Outline of a CENELEC Ontology\ text\ NOTE: An Ontology-Model of a certification standard such as CENELEC or Common Criteria identifies: - notions (conceptual \emph{categories}) having \emph{instances} (similar to classes and objects), - their subtype relation (eg., a "SRAC" is an "assumption"), - their syntactical structure (for the moment: defined by regular expressions describing the order of category instances in the overall document as a regular language) \ (*<<*) theory CENELEC_50128 imports "../Isa_COL" begin (*>>*) text\ Excerpt of the BE EN 50128:2011, page 22. \ section\Terms and Definitions\ Definition*[assessment::concept]\process of analysis to determine whether software, which may include process, documentation, system, subsystem hardware and/or software components, meets the specified requirements and to form a judgement as to whether the software is fit for its intended purpose. Safety assessment is focused on but not limited to the safety properties of a system.\ Definition*[assessor::concept, tag="''assessor''"] \entity that carries out an assessment\ Definition*[COTS::concept, tag="''commercial off-the-shelf software''"] \software defined by market-driven need, commercially available and whose fitness for purpose has been demonstrated by a broad spectrum of commercial users\ Definition*[component::concept] \a constituent part of software which has well-defined interfaces and behaviour with respect to the software architecture and design and fulfils the following criteria: \<^enum> it is designed according to “Components” (see Table A.20); \<^enum> it covers a specific subset of software requirements; \<^enum> it is clearly identified and has an independent version inside the configuration management system or is a part of a collection of components (e. g. subsystems) which have an independent version \ Definition*[CMGR::concept, tag="''configuration manager''"] \entity that is responsible for implementing and carrying out the processes for the configuration management of documents, software and related tools including \<^emph>\change management\\ Definition*[customer::concept] \entity which purchases a railway control and protection system including the software\ Definition*[designer::concept] \entity that analyses and transforms specified requirements into acceptable design solutions which have the required safety integrity level\ Definition*[entity::concept] \person, group or organisation who fulfils a role as defined in this European Standard\ declare_reference*[fault::concept] Definition*[error::concept] \defect, mistake or inaccuracy which could result in failure or in a deviation from the intended performance or behaviour (cf @{concept (unchecked) \fault\}))\ Definition*[fault::concept] \defect, mistake or inaccuracy which could result in failure or in a deviation from the intended performance or behaviour (cf @{concept \error\})\ Definition*[failure::concept] \unacceptable difference between required and observed performance\ Definition*[FT::concept, tag="''fault tolerance''"] \built-in capability of a system to provide continued correct provision of service as specified, in the presence of a limited number of hardware or software faults\ Definition*[firmware::concept] \software stored in read-only memory or in semi-permanent storage such as flash memory, in a way that is functionally independent of applicative software\ Definition*[GS::concept,tag="''generic software''"] \software which can be used for a variety of installations purely by the provision of application-specific data and/or algorithms\ Definition*[implementer::concept] \entity that transforms specified designs into their physical realisation\ Definition*[integration::concept] \process of assembling software and/or hardware items, according to the architectural and design specification, and testing the integrated unit\ Definition*[integrator::concept] \entity that carries out software integration\ Definition*[PES :: concept, tag="''pre-existing software''"] \software developed prior to the application currently in question, including COTS (commercial off-the shelf) and open source software\ Definition*[OSS :: concept, tag="''open source software''"] \source code available to the general public with relaxed or non-existent copyright restrictions\ Definition*[PLC::concept, tag="''programmable logic controller''"] \solid-state control system which has a user programmable memory for storage of instructions to implement specific functions\ Definition*[PM::concept, tag="''project management''"] \administrative and/or technical conduct of a project, including safety aspects\ Definition*[PGMGR::concept, tag="''project manager''"] \entity that carries out project management\ Definition*[reliability::concept] \ability of an item to perform a required function under given conditions for a given period of time\ Definition*[robustness::concept] \ability of an item to detect and handle abnormal situations\ Definition*[RMGR::concept, tag="''requirements manager''"] \entity that carries out requirements management\ Definition*[RMGMT::concept, tag="''requirements management''"] \the process of eliciting, documenting, analysing, prioritising and agreeing on requirements and then controlling change and communicating to relevant stakeholders. It is a continuous process throughout a project\ Definition*[risk::concept] \combination of the rate of occurrence of accidents and incidents resulting in harm (caused by a hazard) and the degree of severity of that harm\ Definition*[safety::concept] \freedom from unacceptable levels of risk of harm to people\ Definition*[SA::concept, tag="''safety authority''"] \body responsible for certifying that safety related software or services comply with relevant statutory safety requirements\ Definition*[SF::concept, tag="''safety function''"] \a function that implements a part or whole of a safety requirement\ Definition*[SFRS::concept, tag= "''safety-related software''"] \software which performs safety functions\ Definition*[software::concept] \intellectual creation comprising the programs, procedures, rules, data and any associated documentation pertaining to the operation of a system\ Definition*[SB::concept, tag="''software baseline''"] \complete and consistent set of source code, executable files, configuration files, installation scripts and documentation that are needed for a software release. Information about compilers, operating systems, preexisting software and dependent tools is stored as part of the baseline. This will enable the organisation to software deployment transferring, installing and activating a deliverable software baseline that has already been released and assessed \ Definition*[SWLC::concept, tag="''software life-cycle''"] \those activities occurring during a period of time that starts when software is conceived and ends when the software is no longer available for use. The software life cycle typically includes a requirements phase, design phase,test phase, integration phase, deployment phase and a maintenance phase 3.1.35 software maintainability capability of the software to be modified; to correct faults, improve to a different environment \ Definition*[SM::concept, tag="''software maintenance''"] \ action, or set of actions, carried out on software after deployment functionality performance or other attributes, or adapt it with the aim of enhancing or correcting its\ Definition*[SOSIL::concept, tag="''software safety integrity level''"] \classification number which determines the techniques and measures that have to be applied to software NOTE Safety-related software has been classified into five safety integrity levels, where 0 is the lowest and 4 the highest.\ Definition*[supplier::concept] \entity that designs and builds a railway control and protection system including the software or parts thereof\ Definition*[SYSIL::concept, tag="''system safety integrity level''"] \classification number which indicates the required degree of confidence that an integrated system comprising hardware and software will meet its specified safety requirements\ Definition*[tester::concept]\an entity that carries out testing\ Definition*[testing::concept] \process of executing software under controlled conditions as to ascertain its behaviour and performance compared to the corresponding requirements specification\ Definition*[TCT1::concept, tag="''tool class T1''"] \generates no outputs which can directly or indirectly contribute to the executable code (including data) of the software NOTE 11 examples include: a text editor or a requirement or design support tool with no automatic code generation capabilities; configuration control tools.\ Definition*[TCT2::concept,tag="''tool class T2''"] \supports the test or verification of the design or executable code, where errors in the tool can fail to reveal defects but cannot directly create errors in the executable software NOTE T2 examples include: a test harness generator; a test coverage measurement tool; a static analysis tool. reproduce defined versions and be the input for future releases at enhancements or at upgrade in the maintenance phase \ Definition*[TCT3::concept, tag="''tool class T3''"] \generates outputs which can directly or indirectly contribute to the executable code (including data) of the safety related system NOTE T3 examples include: a source code compiler, a data/algorithms compiler, a tool to change set-points during system operation; an optimising compiler where the relationship between the source code program and the generated object code is not obvious; a compiler that incorporates an executable run-time package into the executable code. \ Definition*[traceability::concept] \degree to which relationship can be established between two or more products of a development process, especially those having a predecessor/successor or master/subordinate relationship to one another\ Definition*[validation::concept] \process of analysis followed by a judgment based on evidence to documentation, software or application) fits the user needs,in particular with respect to safety and quality and determine whether an item (e.g. process, with emphasis on the suitability of its operation in accordance to its purpose in its intended environment\ Definition*[validator::concept] \entity that is responsible for the validation\ Definition*[verification::concept] \process of examination followed by a judgment based on evidence that output items (process, documentation, software or application) of a specific development phase fulfils the requirements of that phase with respect to completeness, correctness and consistency. NOTE Verification is mostly based on document reviews (design, implementation, test documents etc.). \ Definition*[verifier::concept] \entity that is responsible for one or more verification activities\ section\Organization, Roles and Responsabilities\ text\see also section \<^emph>\Software management and organization\.\ datatype role = PM (* Program Manager *) | RQM (* Requirements Manager *) | DES (* Designer *) | IMP (* Implementer *) | ASR (* Assessor *) | INT (* Integrator *) | TST (* Tester *) | VER (* Verifier *) | VnV (* Verification and Validation *) | VAL (* Validator *) datatype phase = SYSDEV_ext (* System Development Phase (external) *) | SPl (* Software Planning *) | SR (* Software Requirement *) | SA (* Software Architecture *) | SDES (* Software Design *) | SCDES (* Software Component Design *) | CInT (* Component Implementation and Testing *) | SI (* Software Integration *) | SV (* Software Validation *) | SD (* Software Deployment *) | SM (* Software Maintenance *) abbreviation software_requirement :: "phase" where "software_requirement \ SR" abbreviation software_architecture :: "phase" where "software_architecture \ SA" abbreviation software_design :: "phase" where "software_design \ SD" abbreviation software_component_design:: "phase" where "software_component_design \ SCDES" abbreviation component_implementation_and_testing :: "phase" where "component_implementation_and_testing \ CInT" abbreviation software_integration :: "phase" where "software_integration \ SI" abbreviation software_validation :: "phase" where "software_validation \ SV" abbreviation software_deployment :: "phase" where "software_deployment \ SD" abbreviation software_maintenance :: "phase" where "software_maintenance \ SM" term "SR" (* meta-test *) section\Objectives, Conformance and Software Integrity Levels\ datatype sil = SIL0 | SIL1 | SIL2 | SIL3 | SIL4 type_synonym saftety_integraytion_level = sil doc_class objectives = long_name :: "string option" is_concerned :: "role set" doc_class requirement = text_element + long_name :: "string option" is_concerned :: "role set" (* doc_class requirement_analysis = no :: "nat" accepts "\requirement\\<^sup>+" *) text\The category @{emph \hypothesis\} is used for assumptions from the foundational mathematical or physical domain, so for example: \<^item> the Mordell-Lang conjecture holds, \<^item> euklidian geometry is assumed, or \<^item> Newtonian (non-relativistic) physics is assumed, Their acceptance is inherently outside the scope of the model and can only established inside certification process by authority argument. \ datatype hyp_type = physical | mathematical | computational | other typ "CENELEC_50128.requirement" doc_class hypothesis = requirement + hyp_type :: hyp_type <= physical (* default *) text\ The following sub-class of security related hypothesis might comprise, for example: \<^item> @{term "P \ NP"}, \<^item> or the computational hardness of certain functions relevant for cryptography (like prime-factorization). (* speculation bu, not 50128 *)\ doc_class security_hyp = hypothesis + hyp_type :: hyp_type <= physical (* default *) doc_class FnI = requirement + is_concerned :: "role set" <= "UNIV" type_synonym functions_and_interfaces = FnI doc_class AC = requirement + is_concerned :: "role set" <= "UNIV" type_synonym application_conditions = AC text\The category \<^emph>\assumption\ is used for domain-specific assumptions. It has formal, semi-formal and informal sub-categories. They have to be tracked and discharged by appropriate validation procedures within a certification process, by it by test or proof. \ datatype ass_kind = informal | semiformal | formal doc_class assumption = requirement + assumption_kind :: ass_kind <= informal text\ The category \<^emph>\exported constraint\ (or \<^emph>\EC\ for short) is used for formal application conditions; They represent in particular \<^emph>\derived constraints\, i.e. constraints that arrive as side-conditions during refinement proofs or implementation decisions and must be tracked.\ doc_class EC = AC + assumption_kind :: ass_kind <= (*default *) formal type_synonym exported_constraint = EC text\ The category \<^emph>\safety related application condition\ (or \<^emph>\SRAC\ for short) is used for exported constraints assuring in judgements safety requirements of the system. \ doc_class SRAC = EC + assumption_kind :: ass_kind <= (*default *) formal type_synonym safety_related_application_condition = SRAC doc_class CoAS = requirement + is_concerned :: "role set" <= "UNIV" type_synonym configuration_or_architecture_of_system = CoAS doc_class HtbC = requirement + is_concerned :: "role set" <= "UNIV" type_synonym hazard_to_be_controlled = HtbC doc_class SIR = requirement + is_concerned :: "role set" <= "UNIV" type_synonym safety_integrity_requirement = SIR text\The following class is a bit unclear about usage and seems to be in conceptual mismatch with @{typ objectives}: \ doc_class SILA = requirement + is_concerned :: "role set" <= "UNIV" alloc :: "sil" <= "SIL0" type_synonym allocation_of_SIL = SILA doc_class TC = requirement + is_concerned :: "role set" <= "UNIV" type_synonym timing_constraint = TC section\Software Assurance related Entities and Concepts\ text{* subcategories are : *} text\Table A.5: Verification and Testing\ datatype vnt_technique = formal_proof | stat_analysis | dyn_analysis (* Refinedin Table A.13: -- Test Case Execution from Boundary Analysis -- Test Case Execution from Error Guessing -- Test Case Execution from Error Seeding -- Performance Modeling -- Equivalence Classes and Input Partition Testing -- Structure-Based Testing *) | metrics | traceability | sw_error_effect_analysis | test_coverage_for_code | functional_testing (* Refined in Table A.14: -- Test Case Execution from Cause Consequence Diagrams -- Prototyping / Animation -- Boundary Value Analysis -- Equivalence Classes and Input Partition Testing -- Process Simulation *) | perf_testing | interface_testing | model_based_testing (* 'modeling' unclear *) type_synonym verification_and_testing_technique = vnt_technique datatype test_coverage_criterion = allpathk nat nat (* depth, test_coverage_degree *) | mcdc nat (* depth, test_coverage_degree *) | exhaustive | dnf_E_d string nat (* equivalence class testing *) | other string text\The objective of software verification is to examine and arrive at a \<^emph>\judgement\ based on \<^emph>\evidence\ that output items (process, documentation, software or application) of a specific development phase fulfil the requirements and plans with respect to completeness, correctness and consistency. \ doc_class judgement = evidence :: "vnt_technique list" is_concerned :: "role set" <= "{VER,ASR,VAL}" section\ Design and Test Documents \ doc_class cenelec_text = text_element + phase :: "phase" is_concerned :: "role set" <= "UNIV" doc_class SYSREQS = cenelec_text + phase :: "phase" <= "SYSDEV_ext" accepts "\objectives||requirement||cenelec_text\\<^sup>+ " type_synonym system_requirements_specification = SYSREQS doc_class SYSSREQS = cenelec_text + phase :: "phase" <= "SYSDEV_ext" type_synonym system_safety_requirements_specification = SYSSREQS doc_class SYSAD = cenelec_text + phase :: "phase" <= "SYSDEV_ext" type_synonym system_architecture_description = SYSAD doc_class SYSS_pl = cenelec_text + phase :: "phase" <= "SPl" type_synonym system_safety_plan = SYSS_pl doc_class SYS_VnV_pl = cenelec_text + phase :: "phase" <= "SPl" type_synonym system_VnV_plan = SYS_VnV_pl doc_class SWRS = cenelec_text + phase :: "phase" <= "SD" type_synonym software_requirements_specification = SWRS doc_class SWRVR = cenelec_text + phase :: "phase" <= "SD" type_synonym software_requirements_verification_report = SWRVR doc_class SWTS = cenelec_text + phase :: "phase" <= "SD" type_synonym software_test_specification = SWTS doc_class SWAS = cenelec_text + phase :: "phase" <= "SD" type_synonym software_architecture_specification = SWAS doc_class SWDS = cenelec_text + phase :: "phase" <= "SD" type_synonym software_design_specification = SWDS doc_class SWIS = cenelec_text + phase :: "phase" <= "SD" type_synonym software_interface_specification = SWIS doc_class SWITS = cenelec_text + phase :: "phase" <= "SD" type_synonym software_integration_test_specification = SWITS doc_class SWHITS = cenelec_text + phase :: "phase" <= "SD" type_synonym software_hardware_integration_test_specification = SWHITS doc_class SWADVR = cenelec_text + phase :: "phase" <= "SD" type_synonym software_architecture_and_design_verification_report = SWADVR doc_class SWCDS = cenelec_text + phase :: "phase" <= "SD" type_synonym software_component_design_specification = SWCDS doc_class SWCTS = cenelec_text + phase :: "phase" <= "SD" type_synonym software_component_test_specification = SWCTS doc_class SWCDVR = cenelec_text + phase :: "phase" <= "SD" type_synonym software_component_design_verification_report = SWCDVR doc_class SWSCD = cenelec_text + phase :: "phase" <= "SD" type_synonym software_source_code_and_documentation = SWSCD doc_class SWCTR = cenelec_text + phase :: "phase" <= "SD" type_synonym software_component_test_report = SWCTR doc_class SWSCVR = cenelec_text + phase :: "phase" <= "SD" type_synonym software_source_code_verification_report = SWSCVR doc_class SWHAITR = cenelec_text + phase :: "phase" <= "SD" type_synonym software_hardware_integration_test_report = SWHAITR doc_class SWIVR = cenelec_text + phase :: "phase" <= "SD" type_synonym software_integration_verification_report = SWIVR doc_class SWTR_global = cenelec_text + phase :: "phase" <= "SD" type_synonym overall_software_test_report = SWTR_global doc_class SWVALR = cenelec_text + phase :: "phase" <= "SD" type_synonym software_validation_report = SWVALR doc_class SWDD = cenelec_text + phase :: "phase" <= "SD" type_synonym software_deployment_documents = SWDD doc_class SWMD = cenelec_text + phase :: "phase" <= "SD" type_synonym software_maintenance_documents = SWMD section\ Software Assurance \ subsection\ Software Testing \ text\Objective: The objective of software testing, as performed by the Tester and/or Integrator, is to ascertain the behaviour or performance of software against the corresponding test specification to the extent achievable by the selected test coverage. \ text\Outputs: \<^enum> @{typ overall_software_test_report} \<^enum> @{typ software_test_specification} Overall Software Test Specification \<^enum> Overall Software Test Report \<^enum> Software Integration Test Specification \<^enum> Software Integration Test Report \<^enum> Software/Hardware Integration Test Specification \<^enum> Software/Hardware Integration Test Report \<^enum> Software Component Test Specification \<^enum> Software Component Test Report \ subsection\ Software Verification \ text\Objective: The objective of software verification is to examine and arrive at a judgement based on evidence that output items (process, documentation, software or application) of a specific development phase fulfil the requirements and plans with respect to completeness, correctness and consistency. These activities are managed by the @{concept \verifier\}. \ text\Outputs: \<^enum> Software Verification Plan \<^enum> Software Verification Report(s) \<^enum> Software Quality Assurance Verification Report \ subsection\ Software Validation \ text\Objective: \<^enum>The objective of software validation is to demonstrate that the processes and their outputs are such that the software is of the defined software safety integrity level, fulfils the software requirements and is fit for its intended application. This activity is performed by the Validator. \<^enum>The main validation activities are to demonstrate by analysis and/or testing that all the software requirements are specified, implemented, tested and fulfilled as required by the applicable SIL, and to evaluate the safety criticality of all anomalies and non-conformities based on the results of reviews, analyses and tests. \ text\Output documents: \<^enum> Software Validation Plan \<^enum> Software Validation Report \<^enum> Software Validation Verification Report \ subsection\ Software Assessment \ (* other word for : formal evaluation. *) text\Objective: \<^enum>To evaluate that the lifecycle processes and their outputs are such that the software is of the defined software safety integrity levels 1-4 andis fit for its intended application. \<^enum> For SIL 0 software, requirements of this standard shall be fulfilled but where a certificate stating compliance with EN ISO 9001 is available, no assessment will be required. \ subsection\ Software Quality Assurance \ text\Objectives: To identify, monitor and control all those activities, both technical and managerial, which are necessary to ensure that the software achieves the quality required. This is necessary to provide the required qualitative defence against systematic faults and to ensure that an audit trail can be established to allow verification and validation activities to be undertaken effectively.\ (* So : pretty much META *) (* DEATH ZONE FROM HERE ... >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> *) section\ Design related Categories \ doc_class design_item = description :: string datatype design_kind = unit | module | protocol doc_class interface = design_item + kind :: design_kind section\ Requirements-Analysis related Categories \ doc_class test_item = nn :: "string option" doc_class test_specification = test_item + short_goal :: string doc_class test_case = test_item + descr :: string doc_class test_result = test_item + verdict :: bool remarks :: string covvrit :: test_coverage_criterion datatype test_environment_kind = hardware_in_the_loop ("hil") | simulated_hardware_in_the_loop ("shil") doc_class test_environment = test_item + descr :: string kind :: test_environment_kind <= shil doc_class test_tool = test_item + descr :: string doc_class test_requirement = test_item + descr :: string doc_class test_adm_role = test_item + name :: string doc_class test_documentation = no :: "nat" accepts "test_specification ~~ \test_case~~test_result\\<^sup>+ ~~ \test_environment||test_tool\\<^sup>+ ~~ \test_requirement\ ~~ test_adm_role" accepts " test_specification ~~ \test_case~~test_result\\<^sup>+ ~~ \test_environment||test_tool\\<^sup>+ ~~ \test_requirement \ ~~ test_adm_role" section\ META : Testing and Validation \ text\Test : @{concept \COTS\}\ ML\ DOF_core.name2doc_class_name @{theory} "requirement"; DOF_core.name2doc_class_name @{theory} "SRAC"; DOF_core.is_defined_cid_global "SRAC" @{theory}; DOF_core.is_defined_cid_global "EC" @{theory}; "XXXXXXXXXXXXXXXXX"; DOF_core.is_subclass @{context} "CENELEC_50128.EC" "CENELEC_50128.EC"; DOF_core.is_subclass @{context} "CENELEC_50128.SRAC" "CENELEC_50128.EC"; DOF_core.is_subclass @{context} "CENELEC_50128.EC" "CENELEC_50128.SRAC"; DOF_core.is_subclass @{context} "CENELEC_50128.EC" "CENELEC_50128.test_requirement"; "XXXXXXXXXXXXXXXXX"; val {docobj_tab={maxano, tab=ref_tab},docclass_tab=class_tab,...} = DOF_core.get_data @{context}; Symtab.dest ref_tab; Symtab.dest class_tab; \ ML\ "XXXXXXXXXXXXXXXXX"; DOF_core.get_attributes_local "SRAC" @{context}; @{term assumption_kind} \ ML\ DOF_core.name2doc_class_name @{theory} "requirement"; Syntax.parse_typ @{context} "requirement"; val Type(t,_) = Syntax.parse_typ @{context} "requirement" handle ERROR _ => dummyT; Syntax.read_typ @{context} "hypothesis" handle _ => dummyT; Proof_Context.init_global; \ end