2019-08-15 14:09:55 +00:00
|
|
|
(*************************************************************************
|
|
|
|
* Copyright (C)
|
|
|
|
* 2019 The University of Exeter
|
|
|
|
* 2018-2019 The University of Paris-Saclay
|
|
|
|
* 2018 The University of Sheffield
|
|
|
|
*
|
|
|
|
* License:
|
|
|
|
* This program can be redistributed and/or modified under the terms
|
|
|
|
* of the 2-clause BSD-style license.
|
|
|
|
*
|
|
|
|
* SPDX-License-Identifier: BSD-2-Clause
|
|
|
|
*************************************************************************)
|
|
|
|
|
2018-03-21 10:59:27 +00:00
|
|
|
chapter \<open>An Outline of a CENELEC Ontology\<close>
|
|
|
|
|
2019-01-31 09:38:18 +00:00
|
|
|
text\<open> NOTE: An Ontology-Model of a certification standard such as CENELEC or Common Criteria
|
|
|
|
identifies:
|
2022-08-01 13:53:33 +00:00
|
|
|
- notions (conceptual \<^emph>\<open>categories\<close>) having \<^emph>\<open>instances\<close>
|
2018-03-21 10:59:27 +00:00
|
|
|
(similar to classes and objects),
|
2022-08-01 13:53:33 +00:00
|
|
|
- their \<^emph>\<open>subtype\<close> relation (eg., a "SRAC" is an "assumption"),
|
2018-03-21 10:59:27 +00:00
|
|
|
- their syntactical structure
|
|
|
|
(for the moment: defined by regular expressions describing the
|
|
|
|
order of category instances in the overall document as a regular language)
|
2019-01-31 09:38:18 +00:00
|
|
|
\<close>
|
2018-04-04 15:04:19 +00:00
|
|
|
|
2018-05-14 13:47:16 +00:00
|
|
|
(*<<*)
|
2019-02-05 09:42:12 +00:00
|
|
|
theory CENELEC_50128
|
2022-05-06 08:17:10 +00:00
|
|
|
imports "Isabelle_DOF.technical_report"
|
2018-03-21 10:59:27 +00:00
|
|
|
begin
|
2020-04-23 12:31:59 +00:00
|
|
|
|
2022-12-03 23:09:29 +00:00
|
|
|
define_ontology "DOF-CENELEC_50128.sty"
|
|
|
|
|
2020-12-02 08:32:48 +00:00
|
|
|
(* this is a hack and should go into an own ontology, providing thingsd like:
|
|
|
|
- Assumption*
|
|
|
|
- Hypothesis*
|
|
|
|
- Definition*. (Une redefinition de ce qui se passe dans tech-report, cible a semi-formal
|
|
|
|
“Definitions of terminology” \<dots> )
|
|
|
|
- Objective"
|
|
|
|
- Claim*
|
|
|
|
- Requirement*
|
|
|
|
|
|
|
|
*)
|
|
|
|
|
|
|
|
|
2022-08-01 13:53:33 +00:00
|
|
|
text\<open>We re-use the class \<^typ>\<open>math_content\<close>, which provides also a framework for
|
2020-12-02 08:32:48 +00:00
|
|
|
semi-formal "math-alike" terminology, which we re-use by this definition.\<close>
|
2020-04-23 12:31:59 +00:00
|
|
|
|
|
|
|
doc_class semi_formal_content = math_content +
|
|
|
|
status :: status <= "semiformal"
|
2022-08-01 13:53:33 +00:00
|
|
|
mcc :: math_content_class
|
|
|
|
|
|
|
|
|
2020-04-23 12:31:59 +00:00
|
|
|
|
|
|
|
type_synonym sfc = semi_formal_content
|
|
|
|
|
2022-08-01 13:53:33 +00:00
|
|
|
doc_class cenelec_term = semi_formal_content +
|
|
|
|
mcc :: math_content_class <= "terminology"
|
2018-04-22 11:47:29 +00:00
|
|
|
|
2020-12-02 08:32:48 +00:00
|
|
|
|
2022-08-01 13:53:33 +00:00
|
|
|
text\<open> in the following, all \<^theory_text>\<open>Definition*\<close> statements are interpreted as
|
|
|
|
\<^doc_class>\<open>cenelec_term\<close>s, i.e. semi-formal teminological definitions.\<close>
|
2020-12-02 08:32:48 +00:00
|
|
|
|
2022-08-01 13:53:33 +00:00
|
|
|
(*
|
|
|
|
ML\<open>
|
|
|
|
val typ_abbrev = Scan.lift
|
|
|
|
\<close>
|
|
|
|
|
|
|
|
ML\<open>
|
|
|
|
Parse.position: ( Token.T list -> 'a * Token.T list) -> ('a * Position.T) parser;
|
|
|
|
Scan.lift(Parse.position Args.name) ;
|
|
|
|
Args.name_position;
|
|
|
|
Proof_Context.read_typ_abbrev;
|
|
|
|
|
|
|
|
Args.typ_abbrev : Context.generic * Token.T list -> typ * (Context.generic * Token.T list) ;
|
|
|
|
|
|
|
|
Proof_Context.read_typ_abbrev;
|
|
|
|
|
|
|
|
(Args.typ_abbrev >> (fn Type(ss,_) => ss
|
|
|
|
| _ => error "Undefined Class Id"))
|
|
|
|
|
|
|
|
|
|
|
|
\<close>
|
|
|
|
ML\<open>
|
|
|
|
|
|
|
|
fun context_position_parser parse_con (ctxt, toks) =
|
|
|
|
let val pos = case toks of
|
|
|
|
a :: _ => Token.pos_of a
|
|
|
|
| _ => @{here} \<comment> \<open>a real hack !\<close>
|
|
|
|
val (res, (ctxt', toks')) = parse_con (ctxt, toks)
|
|
|
|
in ((res,pos),(ctxt', toks')) end
|
|
|
|
|
|
|
|
val parse_cid = (context_position_parser Args.typ_abbrev)
|
|
|
|
>> (fn (Type(ss,_),pos) => (pos,ss)
|
|
|
|
|( _,pos) => ISA_core.err "Undefined Class Id" pos);
|
|
|
|
|
|
|
|
|
|
|
|
val parse_cid' = Term_Style.parse -- parse_cid
|
2019-02-02 08:11:54 +00:00
|
|
|
|
2022-08-01 13:53:33 +00:00
|
|
|
fun pretty_cid_style ctxt (style,(pos,cid)) =
|
|
|
|
(*reconversion to term in order to haave access to term print options like: short_names etc...) *)
|
|
|
|
Document_Output.pretty_term ctxt ((AttributeAccess.compute_cid_repr ctxt cid pos));
|
|
|
|
|
|
|
|
val _ = Theory.setup (AttributeAccess.basic_entity \<^binding>\<open>Onto_class\<close> parse_cid' pretty_cid_style)
|
|
|
|
|
|
|
|
\<close>
|
|
|
|
|
|
|
|
text\<open> \<^Onto_class>\<open>cenelec_term\<close> \<close>
|
|
|
|
|
|
|
|
*)
|
|
|
|
|
|
|
|
declare[[ Definition_default_class="cenelec_term"]]
|
|
|
|
(*>>*)
|
|
|
|
|
|
|
|
|
|
|
|
text\<open> Excerpt of the BE EN 50128:2011, page 22. \<close>
|
2020-04-23 12:31:59 +00:00
|
|
|
|
2019-02-02 08:11:54 +00:00
|
|
|
section\<open>Terms and Definitions\<close>
|
|
|
|
|
2020-12-02 08:32:48 +00:00
|
|
|
Definition*[assessment,short_name="''assessment''"]
|
2020-04-23 12:31:59 +00:00
|
|
|
\<open>process of analysis to determine whether software, which may include
|
2019-02-09 22:05:52 +00:00
|
|
|
process, documentation, system, subsystem hardware and/or software components, meets the specified
|
|
|
|
requirements and to form a judgement as to whether the software is fit for its intended purpose.
|
|
|
|
Safety assessment is focused on but not limited to the safety properties of a system.\<close>
|
|
|
|
|
2020-12-02 08:32:48 +00:00
|
|
|
Definition*[assessor, short_name="''assessor''"]
|
2022-08-01 13:53:33 +00:00
|
|
|
\<open>entity that carries out an assessment.\<close>
|
2019-02-09 22:05:52 +00:00
|
|
|
|
2020-12-02 08:32:48 +00:00
|
|
|
Definition*[COTS, short_name="''commercial off-the-shelf software''"]
|
2019-02-09 22:05:52 +00:00
|
|
|
\<open>software defined by market-driven need, commercially available and whose fitness for purpose
|
2022-08-01 13:53:33 +00:00
|
|
|
has been demonstrated by a broad spectrum of commercial users.\<close>
|
2019-02-09 22:05:52 +00:00
|
|
|
|
|
|
|
|
2020-12-02 08:32:48 +00:00
|
|
|
Definition*[component]
|
2019-02-09 22:05:52 +00:00
|
|
|
\<open>a constituent part of software which has well-defined interfaces and behaviour
|
2019-02-02 08:11:54 +00:00
|
|
|
with respect to the software architecture and design and fulfils the following
|
|
|
|
criteria:
|
2022-08-01 13:53:33 +00:00
|
|
|
\<^enum> it is designed according to “Components” (see Table A.20);
|
|
|
|
\<^enum> it covers a specific subset of software requirements;
|
|
|
|
\<^enum> it is clearly identified and has an independent version inside the
|
|
|
|
configuration management system or is a part of a collection of components
|
|
|
|
(e. g. subsystems) which have an independent version
|
2019-02-02 08:11:54 +00:00
|
|
|
\<close>
|
2020-11-10 12:07:54 +00:00
|
|
|
typ "sfc"
|
2019-02-02 08:11:54 +00:00
|
|
|
|
2020-12-02 08:32:48 +00:00
|
|
|
Definition*[CMGR, short_name="''configuration manager''"]
|
2019-02-09 22:05:52 +00:00
|
|
|
\<open>entity that is responsible for implementing and carrying out the processes
|
2019-02-02 08:11:54 +00:00
|
|
|
for the configuration management of documents, software and related tools including
|
2022-08-01 13:53:33 +00:00
|
|
|
\<^emph>\<open>change management\<close>.\<close>
|
2019-02-02 08:11:54 +00:00
|
|
|
|
2020-12-02 08:32:48 +00:00
|
|
|
Definition*[customer]
|
2022-08-01 13:53:33 +00:00
|
|
|
\<open>entity which purchases a railway control and protection system including the software.\<close>
|
2019-02-02 08:11:54 +00:00
|
|
|
|
2020-12-02 08:32:48 +00:00
|
|
|
Definition*[designer]
|
2019-02-09 22:05:52 +00:00
|
|
|
\<open>entity that analyses and transforms specified requirements into acceptable design solutions
|
2022-08-01 13:53:33 +00:00
|
|
|
which have the required safety integrity level.\<close>
|
2019-02-02 08:11:54 +00:00
|
|
|
|
2020-12-02 08:32:48 +00:00
|
|
|
Definition*[entity]
|
2022-08-01 13:53:33 +00:00
|
|
|
\<open>person, group or organisation who fulfils a role as defined in this European Standard.\<close>
|
2019-02-09 22:05:52 +00:00
|
|
|
|
2023-02-06 16:09:02 +00:00
|
|
|
declare_reference*[fault::cenelec_term]
|
2020-12-02 08:32:48 +00:00
|
|
|
Definition*[error]
|
2019-02-09 22:05:52 +00:00
|
|
|
\<open>defect, mistake or inaccuracy which could result in failure or in a deviation
|
2023-02-06 16:09:02 +00:00
|
|
|
from the intended performance or behaviour (cf. @{cenelec_term (unchecked) \<open>fault\<close>}).\<close>
|
2019-02-02 08:11:54 +00:00
|
|
|
|
2020-12-02 08:32:48 +00:00
|
|
|
Definition*[fault]
|
2019-02-09 22:05:52 +00:00
|
|
|
\<open>defect, mistake or inaccuracy which could result in failure or in a deviation
|
2022-08-01 13:53:33 +00:00
|
|
|
from the intended performance or behaviour (cf @{cenelec_term \<open>error\<close>}).\<close>
|
2019-02-02 08:11:54 +00:00
|
|
|
|
2020-12-02 08:32:48 +00:00
|
|
|
Definition*[failure]
|
2022-08-01 13:53:33 +00:00
|
|
|
\<open>unacceptable difference between required and observed performance.\<close>
|
2019-02-02 08:11:54 +00:00
|
|
|
|
2020-12-02 08:32:48 +00:00
|
|
|
Definition*[FT, short_name="''fault tolerance''"]
|
2019-02-09 22:05:52 +00:00
|
|
|
\<open>built-in capability of a system to provide continued correct provision of service as specified,
|
2022-08-01 13:53:33 +00:00
|
|
|
in the presence of a limited number of hardware or software faults.\<close>
|
2019-02-02 08:11:54 +00:00
|
|
|
|
2020-12-02 08:32:48 +00:00
|
|
|
Definition*[firmware]
|
2019-02-09 22:05:52 +00:00
|
|
|
\<open>software stored in read-only memory or in semi-permanent storage such as flash memory, in a
|
2022-08-01 13:53:33 +00:00
|
|
|
way that is functionally independent of applicative software.\<close>
|
2019-02-02 08:11:54 +00:00
|
|
|
|
2020-12-02 08:32:48 +00:00
|
|
|
Definition*[GS,short_name="''generic software''"]
|
2019-02-09 22:05:52 +00:00
|
|
|
\<open>software which can be used for a variety of installations purely by the provision of
|
2022-08-01 13:53:33 +00:00
|
|
|
application-specific data and/or algorithms.\<close>
|
2019-02-02 08:11:54 +00:00
|
|
|
|
2020-12-02 08:32:48 +00:00
|
|
|
Definition*[implementer]
|
2022-08-01 13:53:33 +00:00
|
|
|
\<open>entity that transforms specified designs into their physical realisation.\<close>
|
2019-02-02 08:11:54 +00:00
|
|
|
|
2020-12-02 08:32:48 +00:00
|
|
|
Definition*[integration]
|
2019-02-09 22:05:52 +00:00
|
|
|
\<open>process of assembling software and/or hardware items, according to the architectural and
|
2022-08-01 13:53:33 +00:00
|
|
|
design specification, and testing the integrated unit.\<close>
|
2019-02-02 08:11:54 +00:00
|
|
|
|
2020-12-02 08:32:48 +00:00
|
|
|
Definition*[integrator]
|
2022-08-01 13:53:33 +00:00
|
|
|
\<open>entity that carries out software integration.\<close>
|
2019-02-02 08:11:54 +00:00
|
|
|
|
2022-08-01 13:53:33 +00:00
|
|
|
Definition*[PES, short_name="''pre-existing software''"]
|
2019-02-09 22:05:52 +00:00
|
|
|
\<open>software developed prior to the application currently in question, including COTS (commercial
|
2022-08-01 13:53:33 +00:00
|
|
|
off-the shelf) and open source software.\<close>
|
2019-02-02 08:11:54 +00:00
|
|
|
|
2022-08-01 13:53:33 +00:00
|
|
|
Definition*[OS, short_name="''open source software''"]
|
|
|
|
\<open>source code available to the general public with relaxed or non-existent copyright restrictions.\<close>
|
2019-02-02 08:11:54 +00:00
|
|
|
|
2020-12-02 08:32:48 +00:00
|
|
|
Definition*[PLC, short_name="''programmable logic controller''"]
|
2019-02-09 22:05:52 +00:00
|
|
|
\<open>solid-state control system which has a user programmable memory for storage of instructions to
|
2022-08-01 13:53:33 +00:00
|
|
|
implement specific functions.\<close>
|
2019-02-02 08:11:54 +00:00
|
|
|
|
2020-12-02 08:32:48 +00:00
|
|
|
Definition*[PM, short_name="''project management''"]
|
2022-08-01 13:53:33 +00:00
|
|
|
\<open>administrative and/or technical conduct of a project, including safety aspects.\<close>
|
2019-02-02 08:11:54 +00:00
|
|
|
|
2022-05-12 14:04:09 +00:00
|
|
|
Definition*[PMGR, short_name="''project manager''"]
|
2022-08-01 13:53:33 +00:00
|
|
|
\<open>entity that carries out \<^cenelec_term>\<open>PM\<close>.\<close>
|
2019-02-02 08:11:54 +00:00
|
|
|
|
2020-12-02 08:32:48 +00:00
|
|
|
Definition*[reliability]
|
2019-02-09 22:05:52 +00:00
|
|
|
\<open>ability of an item to perform a required function under given conditions for a given period of time\<close>
|
2019-02-02 08:11:54 +00:00
|
|
|
|
2020-12-02 08:32:48 +00:00
|
|
|
Definition*[robustness]
|
2019-02-09 22:05:52 +00:00
|
|
|
\<open>ability of an item to detect and handle abnormal situations\<close>
|
2019-02-02 08:11:54 +00:00
|
|
|
|
2022-05-12 14:04:09 +00:00
|
|
|
Definition*[RM, short_name="''requirements management''"]
|
2019-02-09 22:05:52 +00:00
|
|
|
\<open>the process of eliciting, documenting, analysing, prioritising and agreeing on requirements and
|
2019-02-02 08:11:54 +00:00
|
|
|
then controlling change and communicating to relevant stakeholders. It is a continuous process
|
2019-02-09 22:05:52 +00:00
|
|
|
throughout a project\<close>
|
2019-02-02 08:11:54 +00:00
|
|
|
|
2022-08-01 13:53:33 +00:00
|
|
|
Definition*[RMGR, short_name="''requirements manager''"]
|
|
|
|
\<open>entity that carries out \<^cenelec_term>\<open>RM\<close>.\<close>
|
|
|
|
|
2020-12-02 08:32:48 +00:00
|
|
|
Definition*[risk]
|
2019-02-09 22:05:52 +00:00
|
|
|
\<open>combination of the rate of occurrence of accidents and incidents resulting in harm (caused by
|
2022-08-01 13:53:33 +00:00
|
|
|
a hazard) and the degree of severity of that harm.\<close>
|
2019-02-02 08:11:54 +00:00
|
|
|
|
2020-12-02 08:32:48 +00:00
|
|
|
Definition*[safety]
|
2022-08-01 13:53:33 +00:00
|
|
|
\<open>freedom from unacceptable levels of risk of harm to people.\<close>
|
2019-02-02 08:11:54 +00:00
|
|
|
|
2020-12-02 08:32:48 +00:00
|
|
|
Definition*[SA, short_name="''safety authority''"]
|
2019-02-09 22:05:52 +00:00
|
|
|
\<open>body responsible for certifying that safety related software or services comply with relevant
|
2022-08-01 13:53:33 +00:00
|
|
|
statutory safety requirements.\<close>
|
2019-02-02 08:11:54 +00:00
|
|
|
|
2020-12-02 08:32:48 +00:00
|
|
|
Definition*[SF, short_name="''safety function''"]
|
2022-08-01 13:53:33 +00:00
|
|
|
\<open>a function that implements a part or whole of a safety requirement.\<close>
|
2019-02-02 08:11:54 +00:00
|
|
|
|
2020-12-02 08:32:48 +00:00
|
|
|
Definition*[SFRS, short_name= "''safety-related software''"]
|
2022-08-01 13:53:33 +00:00
|
|
|
\<open>software which performs safety functions.\<close>
|
2019-02-02 08:11:54 +00:00
|
|
|
|
2020-12-02 08:32:48 +00:00
|
|
|
Definition*[software]
|
2019-02-09 22:05:52 +00:00
|
|
|
\<open>intellectual creation comprising the programs, procedures, rules, data and any associated
|
2022-08-01 13:53:33 +00:00
|
|
|
documentation pertaining to the operation of a system.\<close>
|
2019-02-02 08:11:54 +00:00
|
|
|
|
2020-12-02 08:32:48 +00:00
|
|
|
Definition*[SB, short_name="''software baseline''"]
|
2019-02-09 22:05:52 +00:00
|
|
|
\<open>complete and consistent set of source code, executable files, configuration files,
|
2019-02-02 08:11:54 +00:00
|
|
|
installation scripts and documentation that are needed for a software release. Information about
|
|
|
|
compilers, operating systems, preexisting software and dependent tools is stored as part of the
|
2022-05-12 14:04:09 +00:00
|
|
|
baseline. This will enable the organisation to reproduce defined versions and be the input
|
2022-08-01 13:53:33 +00:00
|
|
|
for future releases at enhancements or at upgrade in the maintenance phase.\<close>
|
2019-02-02 08:11:54 +00:00
|
|
|
|
2022-05-12 14:04:09 +00:00
|
|
|
Definition*[SD, short_name="''software deployment''"]
|
|
|
|
\<open>transferring, installing and activating a deliverable software baseline that has already been
|
2022-08-01 13:53:33 +00:00
|
|
|
released and assessed.\<close>
|
2019-02-02 08:11:54 +00:00
|
|
|
|
|
|
|
|
2020-12-02 08:32:48 +00:00
|
|
|
Definition*[SWLC, short_name="''software life-cycle''"]
|
2019-02-09 22:05:52 +00:00
|
|
|
\<open>those activities occurring during a period of time that starts when
|
2019-02-02 08:11:54 +00:00
|
|
|
software is conceived and ends when the software is no longer available for use. The software life
|
2022-08-01 13:53:33 +00:00
|
|
|
cycle typically includes a requirements phase, design phase, test phase, integration phase,
|
|
|
|
deployment phase and a maintenance phase.\<close>
|
2022-05-12 14:04:09 +00:00
|
|
|
|
|
|
|
Definition*[SWMA, short_name="''software maintainability''"]
|
|
|
|
\<open>capability of the software to be modified; to correct faults,
|
|
|
|
improve performance or other attributes, or adapt it to a different environment\<close>
|
2019-02-02 08:11:54 +00:00
|
|
|
|
2020-12-02 08:32:48 +00:00
|
|
|
Definition*[SM, short_name="''software maintenance''"]
|
2019-02-09 22:05:52 +00:00
|
|
|
\<open> action, or set of actions, carried out on software after deployment functionality
|
2022-08-01 13:53:33 +00:00
|
|
|
performance or other attributes, or adapt it with the aim of enhancing or correcting its behaviour.\<close>
|
2019-02-02 08:11:54 +00:00
|
|
|
|
2020-12-02 08:32:48 +00:00
|
|
|
Definition*[SOSIL, short_name="''software safety integrity level''"]
|
2019-02-09 22:05:52 +00:00
|
|
|
\<open>classification number which determines the techniques and measures that have to be applied to
|
2022-08-01 13:53:33 +00:00
|
|
|
software.
|
|
|
|
|
2022-05-12 14:04:09 +00:00
|
|
|
NOTE: Safety-related software has been classified into five safety integrity levels, where
|
2019-02-09 22:05:52 +00:00
|
|
|
0 is the lowest and 4 the highest.\<close>
|
2019-02-02 08:11:54 +00:00
|
|
|
|
2020-12-02 08:32:48 +00:00
|
|
|
Definition*[supplier]
|
2019-02-09 22:05:52 +00:00
|
|
|
\<open>entity that designs and builds a railway control and protection system including the software
|
2019-02-02 08:11:54 +00:00
|
|
|
or parts thereof\<close>
|
|
|
|
|
2020-12-02 08:32:48 +00:00
|
|
|
Definition*[SYSIL, short_name="''system safety integrity level''"]
|
2019-02-09 22:05:52 +00:00
|
|
|
\<open>classification number which indicates the required degree of confidence that an integrated
|
|
|
|
system comprising hardware and software will meet its specified safety requirements\<close>
|
2019-02-02 08:11:54 +00:00
|
|
|
|
2020-12-02 08:32:48 +00:00
|
|
|
Definition*[tester]\<open>an entity that carries out testing\<close>
|
2019-02-02 08:11:54 +00:00
|
|
|
|
2020-12-02 08:32:48 +00:00
|
|
|
Definition*[testing]
|
2019-02-09 22:05:52 +00:00
|
|
|
\<open>process of executing software under controlled conditions as to ascertain its behaviour and
|
|
|
|
performance compared to the corresponding requirements specification\<close>
|
2019-02-02 08:11:54 +00:00
|
|
|
|
2020-12-02 08:32:48 +00:00
|
|
|
Definition*[TCT1, short_name="''tool class T1''"]
|
2019-02-09 22:05:52 +00:00
|
|
|
\<open>generates no outputs which can directly or indirectly contribute to the executable code
|
2022-05-12 14:04:09 +00:00
|
|
|
(including data) of the software
|
|
|
|
NOTE: T1 examples include: a text editor or a requirement or
|
2019-02-09 22:05:52 +00:00
|
|
|
design support tool with no automatic code generation capabilities; configuration control tools.\<close>
|
2019-02-02 08:11:54 +00:00
|
|
|
|
2020-12-02 08:32:48 +00:00
|
|
|
Definition*[TCT2,short_name="''tool class T2''"]
|
2019-02-09 22:05:52 +00:00
|
|
|
\<open>supports the test or verification of the design or executable code, where errors in the tool
|
2019-02-02 08:11:54 +00:00
|
|
|
can fail to reveal defects but cannot directly create errors in the executable software
|
2022-05-12 14:04:09 +00:00
|
|
|
NOTE: T2 examples include: a test harness generator; a test coverage measurement tool; a static
|
|
|
|
analysis tool.\<close>
|
2019-02-02 08:11:54 +00:00
|
|
|
|
2020-12-02 08:32:48 +00:00
|
|
|
Definition*[TCT3, short_name="''tool class T3''"]
|
2019-02-09 22:05:52 +00:00
|
|
|
\<open>generates outputs which can directly or indirectly contribute to the executable code
|
2022-05-12 14:04:09 +00:00
|
|
|
(including data) of the safety related system
|
|
|
|
NOTE: T3 examples include: a source code compiler,
|
2019-02-02 08:11:54 +00:00
|
|
|
a data/algorithms compiler, a tool to change set-points during system operation; an optimising
|
|
|
|
compiler where the relationship between the source code program and the generated object code is
|
|
|
|
not obvious; a compiler that incorporates an executable run-time package into the executable code.
|
|
|
|
\<close>
|
2020-12-02 08:32:48 +00:00
|
|
|
Definition*[traceability, short_name="''traceability''"]
|
2019-02-09 22:05:52 +00:00
|
|
|
\<open>degree to which relationship can be established between two or more products of a development
|
2019-02-02 08:11:54 +00:00
|
|
|
process, especially those having a predecessor/successor or master/subordinate relationship to one
|
2022-08-01 13:53:33 +00:00
|
|
|
another.\<close>
|
2019-02-02 08:11:54 +00:00
|
|
|
|
2020-12-02 08:32:48 +00:00
|
|
|
Definition*[validation, short_name="''validation''"]
|
2019-02-09 22:05:52 +00:00
|
|
|
\<open>process of analysis followed by a judgment based on evidence to
|
2019-02-02 08:11:54 +00:00
|
|
|
documentation, software or application) fits the user needs,in particular with respect to safety
|
|
|
|
and quality and determine whether an item (e.g. process, with emphasis on the suitability of its
|
2022-08-01 13:53:33 +00:00
|
|
|
operation in accordance to its purpose in its intended environment.\<close>
|
2019-02-02 08:11:54 +00:00
|
|
|
|
2020-12-02 08:32:48 +00:00
|
|
|
Definition*[validator, short_name="''validator''"]
|
2022-08-01 13:53:33 +00:00
|
|
|
\<open>entity that is responsible for the validation.\<close>
|
2019-02-02 08:11:54 +00:00
|
|
|
|
2020-12-02 08:32:48 +00:00
|
|
|
Definition*[verification, short_name="''verification''"]
|
2019-02-09 22:05:52 +00:00
|
|
|
\<open>process of examination followed by a judgment based on evidence that output items (process,
|
2019-02-02 08:11:54 +00:00
|
|
|
documentation, software or application) of a specific development phase fulfils the requirements of
|
|
|
|
that phase with respect to completeness, correctness and consistency.
|
2022-05-12 14:04:09 +00:00
|
|
|
NOTE: Verification is mostly based on document reviews
|
|
|
|
(design, implementation, test documents etc.).
|
2019-02-02 08:11:54 +00:00
|
|
|
\<close>
|
|
|
|
|
2020-12-02 08:32:48 +00:00
|
|
|
Definition*[verifier, short_name="''verifier''"]
|
2022-08-01 13:53:33 +00:00
|
|
|
\<open>entity that is responsible for one or more verification activities.\<close>
|
2019-02-02 08:11:54 +00:00
|
|
|
|
2022-05-11 16:12:37 +00:00
|
|
|
chapter\<open>Software Management and Organisation\<close>
|
|
|
|
text\<open>Representing chapter 5 in @{cite "bsi:50128:2014"}.\<close>
|
2019-04-11 17:40:10 +00:00
|
|
|
|
2019-02-12 21:13:28 +00:00
|
|
|
section\<open>Organization, Roles and Responsabilities\<close>
|
2022-08-01 13:53:33 +00:00
|
|
|
text\<open>See also section \<^emph>\<open>Software management and organization\<close> and Annex B and C.\<close>
|
2019-02-02 08:11:54 +00:00
|
|
|
|
2022-05-25 15:13:49 +00:00
|
|
|
text\<open>REQ role in Table C.1 is assumed to be a typo and should be RQM.\<close>
|
|
|
|
|
|
|
|
datatype role = RQM \<comment> \<open>Requirements Manager\<close>
|
2022-05-11 16:12:37 +00:00
|
|
|
| DES \<comment> \<open>Designer\<close>
|
|
|
|
| IMP \<comment> \<open>Implementer\<close>
|
|
|
|
| TST \<comment> \<open>Tester\<close>
|
|
|
|
| VER \<comment> \<open>Verifier\<close>
|
2022-05-25 15:13:49 +00:00
|
|
|
| INT \<comment> \<open>Integrator\<close>
|
2022-05-11 16:12:37 +00:00
|
|
|
| VAL \<comment> \<open>Validator\<close>
|
2022-05-25 15:13:49 +00:00
|
|
|
| ASR \<comment> \<open>Assessor\<close>
|
|
|
|
| PM \<comment> \<open>Program Manager\<close>
|
|
|
|
| CM \<comment> \<open>Configuration Manager\<close>
|
|
|
|
| No_Role_Defined \<comment> \<open>See Annex C footnote a\<close>
|
2022-05-11 16:12:37 +00:00
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
datatype phase = SYSDEV_ext \<comment> \<open> System Development Phase (external)\<close>
|
2022-08-01 13:53:33 +00:00
|
|
|
| SPl \<comment> \<open>Software Planning\<close>
|
|
|
|
| SR \<comment> \<open>Software Requirements\<close>
|
|
|
|
| SADES \<comment> \<open>Software Architecture and Design\<close>
|
|
|
|
| SCDES \<comment> \<open>Software Component Design\<close>
|
|
|
|
| CInT \<comment> \<open>Component Implementation and Testing\<close>
|
|
|
|
| SI \<comment> \<open>Software Integration\<close>
|
|
|
|
| SV \<comment> \<open>Overall Software Testing/Final Validation\<close>
|
|
|
|
| SCADA \<comment> \<open>Systems Configured by Application Data/Algorithms\<close>
|
|
|
|
| SD \<comment> \<open>Software Deployment\<close>
|
|
|
|
| SM \<comment> \<open>Software Maintenance\<close>
|
|
|
|
| SA \<comment> \<open>Software Assessment\<close>
|
2019-02-02 08:11:54 +00:00
|
|
|
|
2022-05-25 15:13:49 +00:00
|
|
|
abbreviation software_planning :: "phase" where "software_planning \<equiv> SPl"
|
2022-05-18 16:23:57 +00:00
|
|
|
abbreviation software_requirements :: "phase" where "software_requirements \<equiv> SR"
|
|
|
|
abbreviation software_architecture_and_design :: "phase"
|
|
|
|
where "software_architecture_and_design \<equiv> SADES"
|
2020-08-20 10:53:39 +00:00
|
|
|
abbreviation software_component_design :: "phase" where "software_component_design \<equiv> SCDES"
|
2019-02-02 08:11:54 +00:00
|
|
|
abbreviation component_implementation_and_testing :: "phase"
|
2022-05-25 15:13:49 +00:00
|
|
|
where "component_implementation_and_testing \<equiv> CInT"
|
2020-08-20 10:53:39 +00:00
|
|
|
abbreviation software_integration :: "phase" where "software_integration \<equiv> SI"
|
|
|
|
abbreviation software_validation :: "phase" where "software_validation \<equiv> SV"
|
2022-05-25 15:13:49 +00:00
|
|
|
abbreviation systems_configured_application_data_algorithm :: "phase"
|
|
|
|
where "systems_configured_application_data_algorithm \<equiv> SCADA"
|
2020-08-20 10:53:39 +00:00
|
|
|
abbreviation software_deployment :: "phase" where "software_deployment \<equiv> SD"
|
|
|
|
abbreviation software_maintenance :: "phase" where "software_maintenance \<equiv> SM"
|
2022-05-25 15:13:49 +00:00
|
|
|
abbreviation software_assessment :: "phase" where "software_assessment \<equiv> SM"
|
2019-02-02 08:11:54 +00:00
|
|
|
|
2019-02-12 21:13:28 +00:00
|
|
|
term "SR" (* meta-test *)
|
|
|
|
|
|
|
|
|
|
|
|
section\<open>Objectives, Conformance and Software Integrity Levels\<close>
|
|
|
|
|
2019-04-29 20:24:32 +00:00
|
|
|
datatype sil = SIL0 | SIL1 | SIL2 | SIL3 | SIL4
|
|
|
|
|
2021-05-13 12:37:27 +00:00
|
|
|
type_synonym safety_integration_level = sil
|
2019-02-02 08:11:54 +00:00
|
|
|
|
2022-05-25 15:13:49 +00:00
|
|
|
text\<open>Requirement levels specified Annex A: we use the term \<^emph>\<open>normative level\<close> to distinguish
|
|
|
|
them from the requirements specified in the standard.\<close>
|
|
|
|
|
|
|
|
datatype normative_level =
|
2022-08-01 13:53:33 +00:00
|
|
|
M \<comment> \<open>(Mandatory)\<close>
|
2022-05-25 15:13:49 +00:00
|
|
|
| HR \<comment> \<open>Highly Recommended\<close>
|
|
|
|
| R \<comment> \<open>Recommended\<close>
|
|
|
|
| Any \<comment> \<open>No recommendation\<close>
|
|
|
|
| NR \<comment> \<open>Not Recommended\<close>
|
2019-02-13 11:22:55 +00:00
|
|
|
|
2022-05-25 15:13:49 +00:00
|
|
|
doc_class objective =
|
2019-02-02 08:11:54 +00:00
|
|
|
long_name :: "string option"
|
|
|
|
is_concerned :: "role set"
|
2018-03-21 10:59:27 +00:00
|
|
|
|
2019-02-12 21:13:28 +00:00
|
|
|
|
2019-04-29 20:24:32 +00:00
|
|
|
doc_class requirement = text_element +
|
2019-02-13 11:22:55 +00:00
|
|
|
long_name :: "string option"
|
|
|
|
is_concerned :: "role set"
|
|
|
|
|
2019-04-11 17:40:10 +00:00
|
|
|
text\<open>The following class permits to represent common situations where a set of requirements
|
|
|
|
decomposes a main requirement. The GSN notation favors this particular decomposition style.\<close>
|
|
|
|
doc_class sub_requirement =
|
|
|
|
decomposes :: requirement
|
|
|
|
relates_to :: "requirement set"
|
|
|
|
|
|
|
|
doc_class safety_requirement = requirement +
|
|
|
|
formal_definition :: "thm list"
|
|
|
|
|
2019-02-13 11:22:55 +00:00
|
|
|
|
2022-08-01 13:53:33 +00:00
|
|
|
text\<open>
|
|
|
|
The category \<^emph>\<open>hypothesis\<close> is used for assumptions from the
|
|
|
|
foundational mathematical or physical domain, so for example:
|
|
|
|
\<^item> the Mordell-Lang conjecture holds,
|
|
|
|
\<^item> euklidian geometry is assumed, or
|
|
|
|
\<^item> Newtonian (non-relativistic) physics is assumed,
|
|
|
|
Their acceptance is inherently outside the scope of the model
|
|
|
|
and can only established inside certification process by
|
|
|
|
authority argument.
|
2019-02-13 11:22:55 +00:00
|
|
|
\<close>
|
|
|
|
|
|
|
|
datatype hyp_type = physical | mathematical | computational | other
|
2019-02-12 21:13:28 +00:00
|
|
|
|
|
|
|
|
2019-02-13 11:22:55 +00:00
|
|
|
typ "CENELEC_50128.requirement"
|
|
|
|
|
|
|
|
doc_class hypothesis = requirement +
|
|
|
|
hyp_type :: hyp_type <= physical (* default *)
|
2019-02-12 21:13:28 +00:00
|
|
|
|
2019-02-13 11:22:55 +00:00
|
|
|
text\<open> The following sub-class of security related hypothesis might comprise, for example:
|
2022-08-01 13:53:33 +00:00
|
|
|
\<^item> \<^term>\<open>P \<noteq> NP\<close>,
|
2019-02-13 11:22:55 +00:00
|
|
|
\<^item> or the computational hardness of certain functions
|
|
|
|
relevant for cryptography (like prime-factorization).
|
|
|
|
(* speculation bu, not 50128 *)\<close>
|
2019-02-12 21:13:28 +00:00
|
|
|
|
2019-02-13 11:22:55 +00:00
|
|
|
doc_class security_hyp = hypothesis +
|
|
|
|
hyp_type :: hyp_type <= physical (* default *)
|
|
|
|
|
|
|
|
|
|
|
|
doc_class FnI = requirement +
|
|
|
|
is_concerned :: "role set" <= "UNIV"
|
|
|
|
type_synonym functions_and_interfaces = FnI
|
|
|
|
|
|
|
|
|
|
|
|
text\<open>The category \<^emph>\<open>assumption\<close> is used for domain-specific assumptions. It has formal, semi-formal
|
|
|
|
and informal sub-categories. They have to be tracked and discharged by appropriate
|
|
|
|
validation procedures within a certification process, by it by test or proof. \<close>
|
2019-02-12 21:13:28 +00:00
|
|
|
|
2019-02-13 11:22:55 +00:00
|
|
|
datatype ass_kind = informal | semiformal | formal
|
|
|
|
|
|
|
|
doc_class assumption = requirement +
|
|
|
|
assumption_kind :: ass_kind <= informal
|
|
|
|
|
2022-03-18 16:00:06 +00:00
|
|
|
doc_class AC = assumption +
|
|
|
|
is_concerned :: "role set" <= "UNIV"
|
|
|
|
|
|
|
|
type_synonym application_conditions = AC
|
|
|
|
|
|
|
|
|
2019-02-13 11:22:55 +00:00
|
|
|
text\<open> The category \<^emph>\<open>exported constraint\<close> (or \<^emph>\<open>EC\<close> for short) is used for formal application
|
|
|
|
conditions; They represent in particular \<^emph>\<open>derived constraints\<close>, i.e. constraints that arrive
|
|
|
|
as side-conditions during refinement proofs or implementation decisions and must be tracked.\<close>
|
|
|
|
|
|
|
|
doc_class EC = AC +
|
|
|
|
assumption_kind :: ass_kind <= (*default *) formal
|
|
|
|
type_synonym exported_constraint = EC
|
|
|
|
|
|
|
|
text\<open> The category \<^emph>\<open>safety related application condition\<close> (or \<^emph>\<open>SRAC\<close> for short) is used
|
|
|
|
for exported constraints assuring in judgements safety requirements of the system. \<close>
|
|
|
|
|
|
|
|
doc_class SRAC = EC +
|
|
|
|
assumption_kind :: ass_kind <= (*default *) formal
|
2019-04-16 09:06:21 +00:00
|
|
|
formal_repr :: "thm list"
|
2019-02-13 11:22:55 +00:00
|
|
|
type_synonym safety_related_application_condition = SRAC
|
2019-02-12 21:13:28 +00:00
|
|
|
|
2019-02-13 11:22:55 +00:00
|
|
|
|
|
|
|
doc_class CoAS = requirement +
|
2019-02-12 21:13:28 +00:00
|
|
|
is_concerned :: "role set" <= "UNIV"
|
2019-02-13 11:22:55 +00:00
|
|
|
type_synonym configuration_or_architecture_of_system = CoAS
|
2019-02-12 21:13:28 +00:00
|
|
|
|
2019-02-13 11:22:55 +00:00
|
|
|
doc_class HtbC = requirement +
|
|
|
|
is_concerned :: "role set" <= "UNIV"
|
|
|
|
type_synonym hazard_to_be_controlled = HtbC
|
|
|
|
|
|
|
|
doc_class SIR = requirement +
|
|
|
|
is_concerned :: "role set" <= "UNIV"
|
|
|
|
type_synonym safety_integrity_requirement = SIR
|
2019-02-12 21:13:28 +00:00
|
|
|
|
|
|
|
text\<open>The following class is a bit unclear about usage and seems to be in
|
2022-05-25 15:13:49 +00:00
|
|
|
sfcual mismatch with @{typ objective}: \<close>
|
2019-02-13 11:22:55 +00:00
|
|
|
doc_class SILA = requirement +
|
2019-02-12 21:13:28 +00:00
|
|
|
is_concerned :: "role set" <= "UNIV"
|
|
|
|
alloc :: "sil" <= "SIL0"
|
2019-02-13 11:22:55 +00:00
|
|
|
type_synonym allocation_of_SIL = SILA
|
2019-02-12 21:13:28 +00:00
|
|
|
|
2019-02-13 11:22:55 +00:00
|
|
|
doc_class TC = requirement +
|
2019-02-12 21:13:28 +00:00
|
|
|
is_concerned :: "role set" <= "UNIV"
|
2019-02-13 11:22:55 +00:00
|
|
|
type_synonym timing_constraint = TC
|
|
|
|
|
2022-05-11 16:12:37 +00:00
|
|
|
|
|
|
|
section\<open>Personal Competence\<close>
|
|
|
|
|
|
|
|
text\<open>pp. 20 MORE TO COME\<close>
|
|
|
|
|
|
|
|
section\<open>Lifecycle Issues and Documentation\<close>
|
|
|
|
|
|
|
|
text\<open>Figure 3 in Chapter 5: Illustrative Development Lifecycle 1\<close>
|
|
|
|
|
|
|
|
text\<open>Global Overview\<close>
|
|
|
|
|
|
|
|
figure*[fig3::figure, relative_width="100",
|
|
|
|
src="''examples/CENELEC_50128/mini_odo/document/figures/CENELEC-Fig.3-docStructure.png''"]
|
|
|
|
\<open>Illustrative Development Lifecycle 1\<close>
|
2022-05-18 16:23:57 +00:00
|
|
|
|
|
|
|
text\<open>Actually, the Figure 4 in Chapter 5: Illustrative Development Lifecycle 2 is more fidele
|
2022-08-01 13:53:33 +00:00
|
|
|
to the remaining document: Software Architecture and Design phases are merged, like in 7.3.\<close>
|
2022-05-18 16:23:57 +00:00
|
|
|
|
2019-02-13 11:22:55 +00:00
|
|
|
section\<open>Software Assurance related Entities and Concepts\<close>
|
|
|
|
|
|
|
|
|
2019-07-20 15:08:47 +00:00
|
|
|
text\<open>subcategories are :\<close>
|
2019-02-13 11:22:55 +00:00
|
|
|
|
2019-04-11 17:40:10 +00:00
|
|
|
text\<open>Table A.13: \<close>
|
|
|
|
|
|
|
|
datatype dyn_ana_kind =
|
|
|
|
boundary_analysis (* -- Test Case Execution from Boundary Analysis *)
|
|
|
|
| error_guessing (* -- Test Case Execution from Error Guessing *)
|
|
|
|
| error_seeding (* -- Test Case Execution from Error Seeding *)
|
|
|
|
| performance_modeling (* -- Performance Modeling *)
|
|
|
|
| equivalence_class_test(* -- Equivalence Classes and Input Partition Testing*)
|
|
|
|
| structure_based_test (* -- Structure-Based Testing *)
|
|
|
|
|
|
|
|
text\<open>Table A.14: \<close>
|
|
|
|
|
|
|
|
datatype fun_test_kind =
|
|
|
|
cause_consequence_diagram (* -- Test Case Execution from Cause Consequence Diagrams *)
|
|
|
|
| prototyping (* -- Prototyping / Animation *)
|
|
|
|
| bounadry_value_analysis (* -- Boundary Value Analysis *)
|
|
|
|
| equivalence_class_test (* -- Equivalence Classes and Input Partition Testing*)
|
|
|
|
| process_simulation (* -- Process Simulation *)
|
|
|
|
|
|
|
|
|
|
|
|
text\<open>Table A.5: Verification and Testing\<close>
|
2019-02-13 11:22:55 +00:00
|
|
|
|
|
|
|
datatype test_coverage_criterion =
|
|
|
|
allpathk nat nat (* depth, test_coverage_degree *)
|
|
|
|
| mcdc nat (* depth, test_coverage_degree *)
|
|
|
|
| exhaustive
|
|
|
|
| dnf_E_d string nat (* equivalence class testing *)
|
|
|
|
| other string
|
|
|
|
|
2019-04-11 17:40:10 +00:00
|
|
|
datatype vnt_technique =
|
|
|
|
formal_proof "thm list"
|
|
|
|
| stat_analysis
|
|
|
|
| dyn_analysis dyn_ana_kind
|
|
|
|
| metrics
|
|
|
|
| traceability
|
|
|
|
| sw_error_effect_analysis
|
|
|
|
| test_coverage_for_code test_coverage_criterion
|
|
|
|
| functional_testing fun_test_kind test_coverage_criterion
|
|
|
|
| perf_testing test_coverage_criterion
|
|
|
|
| interface_testing test_coverage_criterion
|
|
|
|
| model_based_testing test_coverage_criterion (* 'modeling' unclear *)
|
|
|
|
|
|
|
|
|
|
|
|
type_synonym verification_and_testing_technique = vnt_technique
|
|
|
|
|
2022-06-17 07:37:43 +00:00
|
|
|
(* modelling example of a table ... *)
|
2022-06-17 07:31:17 +00:00
|
|
|
|
2022-06-17 07:37:43 +00:00
|
|
|
fun table_A_5 :: "vnt_technique \<Rightarrow> sil \<Rightarrow> normative_level option"
|
2022-06-17 07:31:17 +00:00
|
|
|
where "table_A_5 (formal_proof _) = Map.empty( SIL1 \<mapsto> R, SIL2 \<mapsto> R, SIL3 \<mapsto> HR,SIL4 \<mapsto> HR)"
|
2022-06-17 07:37:43 +00:00
|
|
|
|"table_A_5 stat_analysis = Map.empty( SIL1 \<mapsto> HR,SIL2 \<mapsto> HR,SIL3 \<mapsto> HR,SIL4 \<mapsto> HR)"
|
|
|
|
|"table_A_5 (dyn_analysis _) = Map.empty( SIL1 \<mapsto> HR,SIL2 \<mapsto> HR,SIL3 \<mapsto> HR,SIL4 \<mapsto> HR)"
|
|
|
|
|"table_A_5 traceability = Map.empty(SIL0 \<mapsto> R,SIL1 \<mapsto> HR,SIL2 \<mapsto> HR,SIL3 \<mapsto> M ,SIL4 \<mapsto> M )"
|
2019-04-11 17:40:10 +00:00
|
|
|
|
2019-02-13 11:22:55 +00:00
|
|
|
text\<open>The objective of software verification is to examine and arrive at a \<^emph>\<open>judgement\<close> based on
|
|
|
|
\<^emph>\<open>evidence\<close> that output items (process, documentation, software or application) of a specific
|
|
|
|
development phase fulfil the requirements and plans with respect to completeness, correctness
|
|
|
|
and consistency. \<close>
|
2019-04-11 17:40:10 +00:00
|
|
|
datatype status = complete | in_complete | reject | unclear | unknown
|
|
|
|
|
|
|
|
doc_class judgement =
|
|
|
|
refers_to :: requirement
|
2019-02-27 10:42:45 +00:00
|
|
|
evidence :: "vnt_technique list"
|
2019-04-11 17:40:10 +00:00
|
|
|
status :: status
|
2019-02-13 11:22:55 +00:00
|
|
|
is_concerned :: "role set" <= "{VER,ASR,VAL}"
|
2019-02-12 21:13:28 +00:00
|
|
|
|
2022-08-01 13:53:33 +00:00
|
|
|
section\<open> A Classification of CENELEC Reports and Documents \<close>
|
2019-02-12 21:13:28 +00:00
|
|
|
|
2022-08-01 13:53:33 +00:00
|
|
|
(* should we rename this as "report" ??? bu *)
|
2022-08-01 19:50:49 +00:00
|
|
|
doc_class cenelec_report = text_element +
|
2019-04-29 20:24:32 +00:00
|
|
|
phase :: "phase"
|
2022-05-25 15:13:49 +00:00
|
|
|
sil :: "sil"
|
|
|
|
level :: "int option" <= "Some(0)"
|
|
|
|
nlvl :: "normative_level" \<comment> \<open>Annex A Table A.1\<close>
|
2022-05-18 16:23:57 +00:00
|
|
|
written_by :: "role option" \<comment> \<open>Annex C Table C.1 \<close>
|
|
|
|
fst_check :: "role option" \<comment> \<open>Annex C Table C.1\<close>
|
|
|
|
snd_check :: "role option" \<comment> \<open>Annex C Table C.1\<close>
|
2022-05-25 15:13:49 +00:00
|
|
|
is_concerned :: "role set" <= "UNIV"
|
|
|
|
accepts "\<lbrace>objective\<rbrace>\<^sup>+||\<lbrace>requirement\<rbrace>\<^sup>+"
|
2022-05-11 16:12:37 +00:00
|
|
|
invariant must_be_chapter :: "text_element.level \<sigma> = Some(0)"
|
|
|
|
invariant three_eyes_prcpl:: " written_by \<sigma> \<noteq> fst_check \<sigma>
|
|
|
|
\<and> written_by \<sigma> \<noteq> snd_check \<sigma>"
|
2022-05-18 16:23:57 +00:00
|
|
|
|
|
|
|
text\<open>see \<^figure>\<open>fig3\<close> and Fig 4 in Chapter 5: Illustrative Development Lifecycle 2\<close>
|
2019-04-29 20:24:32 +00:00
|
|
|
|
2022-05-18 16:23:57 +00:00
|
|
|
doc_class external_specification =
|
|
|
|
phase :: "phase" <= "SYSDEV_ext"
|
2019-04-29 20:24:32 +00:00
|
|
|
|
2022-05-18 16:23:57 +00:00
|
|
|
doc_class SYSREQS = external_specification +
|
2019-02-12 21:13:28 +00:00
|
|
|
phase :: "phase" <= "SYSDEV_ext"
|
|
|
|
type_synonym system_requirements_specification = SYSREQS
|
|
|
|
|
2022-05-18 16:23:57 +00:00
|
|
|
doc_class SYSSREQS = external_specification +
|
2019-02-12 21:13:28 +00:00
|
|
|
phase :: "phase" <= "SYSDEV_ext"
|
|
|
|
type_synonym system_safety_requirements_specification = SYSSREQS
|
|
|
|
|
2022-05-18 16:23:57 +00:00
|
|
|
doc_class SYSAD = external_specification +
|
2019-02-13 11:22:55 +00:00
|
|
|
phase :: "phase" <= "SYSDEV_ext"
|
|
|
|
type_synonym system_architecture_description = SYSAD
|
|
|
|
|
2022-05-18 16:23:57 +00:00
|
|
|
doc_class SYSS_pl = external_specification +
|
|
|
|
phase :: "phase" <= "SYSDEV_ext"
|
2019-02-12 21:13:28 +00:00
|
|
|
type_synonym system_safety_plan = SYSS_pl
|
|
|
|
|
2022-05-25 15:13:49 +00:00
|
|
|
(* SYS_VnV_pl exists in Figure 3 but not in Figure 4: surely a typo in Figure 4 *)
|
2022-05-18 16:23:57 +00:00
|
|
|
doc_class SYS_VnV_pl = external_specification +
|
|
|
|
phase :: "phase" <= "SYSDEV_ext"
|
2019-02-13 11:22:55 +00:00
|
|
|
type_synonym system_VnV_plan = SYS_VnV_pl
|
2022-05-25 15:13:49 +00:00
|
|
|
|
2022-08-01 19:50:49 +00:00
|
|
|
doc_class SQAP = cenelec_report +
|
2022-05-25 15:13:49 +00:00
|
|
|
phase :: "phase" <= "SPl"
|
|
|
|
nlvl :: "normative_level" <= "HR"
|
|
|
|
invariant force_nlvl_sqap :: "nlvl \<sigma> = HR"
|
|
|
|
type_synonym software_quality_assurance_plan = SQAP
|
|
|
|
|
2022-08-01 19:50:49 +00:00
|
|
|
doc_class SQAVR = cenelec_report +
|
2022-05-25 15:13:49 +00:00
|
|
|
phase :: "phase" <= "SPl"
|
|
|
|
nlvl :: "normative_level" <= "HR"
|
|
|
|
invariant force_nlvl_sqavr :: "nlvl \<sigma> = HR"
|
|
|
|
type_synonym software_quality_assurance_verfication_report = SQAVR
|
|
|
|
|
2022-08-01 19:50:49 +00:00
|
|
|
doc_class SCMP = cenelec_report +
|
2022-05-25 15:13:49 +00:00
|
|
|
phase :: "phase" <= "SPl"
|
|
|
|
nlvl :: "normative_level" <= "HR"
|
|
|
|
invariant force_nlvl_scmp :: "nlvl \<sigma> = HR"
|
|
|
|
type_synonym software_configuration_management_plan = SCMP
|
|
|
|
|
2022-08-01 19:50:49 +00:00
|
|
|
doc_class SVP = cenelec_report +
|
2022-05-25 15:13:49 +00:00
|
|
|
phase :: "phase" <= "SPl"
|
|
|
|
nlvl :: "normative_level" <= "HR"
|
|
|
|
invariant force_nlvl_svp :: "nlvl \<sigma> = HR"
|
|
|
|
type_synonym software_verification_plan = SVP
|
|
|
|
|
2022-08-01 19:50:49 +00:00
|
|
|
doc_class SVAP = cenelec_report +
|
2022-05-25 15:13:49 +00:00
|
|
|
phase :: "phase" <= "SPl"
|
|
|
|
nlvl :: "normative_level" <= "HR"
|
|
|
|
invariant force_nlvl_svap :: "nlvl \<sigma> = HR"
|
|
|
|
type_synonym software_validation_plan = SVAP
|
2019-02-13 11:22:55 +00:00
|
|
|
|
2022-08-01 19:50:49 +00:00
|
|
|
doc_class SWRS = cenelec_report +
|
2022-05-25 15:13:49 +00:00
|
|
|
phase :: "phase" <= "SR"
|
|
|
|
nlvl :: "normative_level" <= "HR"
|
|
|
|
invariant force_nlvl_swrs :: "nlvl \<sigma> = HR"
|
|
|
|
type_synonym software_requirements_specification = SWRS
|
2019-02-13 11:22:55 +00:00
|
|
|
|
2022-08-01 19:50:49 +00:00
|
|
|
doc_class OSWTS = cenelec_report +
|
2022-05-25 15:13:49 +00:00
|
|
|
phase :: "phase" <= "SR"
|
|
|
|
nlvl :: "normative_level" <= "HR"
|
|
|
|
invariant force_nlvl_oswts :: "nlvl \<sigma> = HR"
|
|
|
|
type_synonym overall_software_test_specification = OSWTS
|
2019-02-13 11:22:55 +00:00
|
|
|
|
2022-08-01 19:50:49 +00:00
|
|
|
doc_class SWRVR = cenelec_report +
|
2022-05-25 15:13:49 +00:00
|
|
|
phase :: "phase" <= "SR"
|
|
|
|
nlvl :: "normative_level" <= "HR"
|
|
|
|
invariant force_nlvl_swrvr :: "nlvl \<sigma> = HR"
|
|
|
|
type_synonym software_requirements_verification_report = SWRVR
|
2022-05-11 16:12:37 +00:00
|
|
|
|
2022-08-01 19:50:49 +00:00
|
|
|
doc_class SWAS = cenelec_report +
|
2022-05-18 16:23:57 +00:00
|
|
|
phase :: "phase" <= "SADES"
|
2022-05-25 15:13:49 +00:00
|
|
|
nlvl :: "normative_level" <= "HR"
|
|
|
|
invariant force_nlvl_swas :: "nlvl \<sigma> = HR"
|
2019-02-13 11:22:55 +00:00
|
|
|
type_synonym software_architecture_specification = SWAS
|
|
|
|
|
2022-08-01 19:50:49 +00:00
|
|
|
doc_class SWDS = cenelec_report +
|
2022-05-25 15:13:49 +00:00
|
|
|
phase :: "phase" <= "SADES"
|
|
|
|
nlvl :: "normative_level" <= "HR"
|
|
|
|
invariant force_nlvl_swds :: "nlvl \<sigma> = HR"
|
2019-02-13 11:22:55 +00:00
|
|
|
type_synonym software_design_specification = SWDS
|
|
|
|
|
2022-05-11 16:12:37 +00:00
|
|
|
doc_class SWIS_E =
|
|
|
|
\<comment> \<open>input - output of an operation; alternatives could be channels or public global variables ...\<close>
|
|
|
|
op_name :: "string"
|
|
|
|
op_args_ty :: "(string \<times> typ) list \<times> typ"
|
|
|
|
raises_exn :: "(string \<times> typ) list" \<comment> \<open>exn name and value\<close>
|
|
|
|
pre_cond :: "(string \<times> thm) list" <= "[]" \<comment> \<open>labels and predicates\<close>
|
|
|
|
post_cond :: "(string \<times> thm) list" <= "[]" \<comment> \<open>labels and predicates\<close>
|
|
|
|
boundary_pre_cond :: "thm list" <= "[]"
|
|
|
|
type_synonym software_interface_specification_element = SWIS_E
|
|
|
|
|
|
|
|
|
2022-08-01 19:50:49 +00:00
|
|
|
doc_class SWIS = cenelec_report +
|
2022-05-18 16:23:57 +00:00
|
|
|
phase :: "phase" <= "SADES"
|
2022-05-25 15:13:49 +00:00
|
|
|
nlvl :: "normative_level" <= "HR"
|
2022-05-18 16:23:57 +00:00
|
|
|
written_by :: "role option" <= "Some DES"
|
|
|
|
fst_check :: "role option" <= "Some VER"
|
|
|
|
snd_check :: "role option" <= "Some VAL"
|
2022-05-11 16:12:37 +00:00
|
|
|
components :: "SWIS_E list"
|
2022-05-25 15:13:49 +00:00
|
|
|
invariant force_nlvl_swis :: "nlvl \<sigma> = HR"
|
|
|
|
type_synonym software_interface_specifications = SWIS
|
2019-02-13 11:22:55 +00:00
|
|
|
|
2022-08-01 19:50:49 +00:00
|
|
|
doc_class SWITS = cenelec_report +
|
2022-05-18 16:23:57 +00:00
|
|
|
phase :: "phase" <= "SADES"
|
2022-05-25 15:13:49 +00:00
|
|
|
nlvl :: "normative_level" <= "HR"
|
|
|
|
invariant force_nlvl_swits :: "nlvl \<sigma> = HR"
|
2019-02-13 11:22:55 +00:00
|
|
|
type_synonym software_integration_test_specification = SWITS
|
2019-02-12 21:13:28 +00:00
|
|
|
|
2022-08-01 19:50:49 +00:00
|
|
|
doc_class SWHITS = cenelec_report +
|
2022-05-18 16:23:57 +00:00
|
|
|
phase :: "phase" <= "SADES"
|
2022-05-25 15:13:49 +00:00
|
|
|
nlvl :: "normative_level" <= "HR"
|
|
|
|
invariant force_nlvl_swhits :: "nlvl \<sigma> = HR"
|
2019-02-13 11:22:55 +00:00
|
|
|
type_synonym software_hardware_integration_test_specification = SWHITS
|
2019-02-12 21:13:28 +00:00
|
|
|
|
2022-08-01 19:50:49 +00:00
|
|
|
doc_class SWADVR = cenelec_report +
|
2022-05-25 15:13:49 +00:00
|
|
|
phase :: "phase" <= "SADES"
|
|
|
|
nlvl :: "normative_level" <= "HR"
|
|
|
|
invariant force_nlvl_swadvr :: "nlvl \<sigma> = HR"
|
2022-08-01 13:53:33 +00:00
|
|
|
type_synonym software_architecture_and_design_verification = SWADVR
|
2019-02-12 21:13:28 +00:00
|
|
|
|
2022-08-01 19:50:49 +00:00
|
|
|
doc_class SWCDS = cenelec_report +
|
2022-05-25 15:13:49 +00:00
|
|
|
phase :: "phase" <= "SCDES"
|
|
|
|
invariant force_nlvl_swcds :: "if sil \<sigma> = SIL0 then nlvl \<sigma> = R else nlvl \<sigma> = HR"
|
2019-02-13 11:22:55 +00:00
|
|
|
type_synonym software_component_design_specification = SWCDS
|
2019-02-12 21:13:28 +00:00
|
|
|
|
2022-08-01 19:50:49 +00:00
|
|
|
doc_class SWCTS = cenelec_report +
|
2022-05-25 15:13:49 +00:00
|
|
|
phase :: "phase" <= "SCDES"
|
|
|
|
invariant force_nlvl_swcts :: "if sil \<sigma> = SIL0 then nlvl \<sigma> = R else nlvl \<sigma> = HR"
|
2019-02-13 11:22:55 +00:00
|
|
|
type_synonym software_component_test_specification = SWCTS
|
2019-02-12 21:13:28 +00:00
|
|
|
|
2022-08-01 19:50:49 +00:00
|
|
|
doc_class SWCDVR = cenelec_report +
|
2022-05-25 15:13:49 +00:00
|
|
|
phase :: "phase" <= "SCDES"
|
|
|
|
invariant force_nlvl_swcdvr :: "if sil \<sigma> = SIL0 then nlvl \<sigma> = R else nlvl \<sigma> = HR"
|
2022-08-01 13:53:33 +00:00
|
|
|
type_synonym software_component_design_verification = SWCDVR
|
2019-02-12 21:13:28 +00:00
|
|
|
|
2022-08-01 19:50:49 +00:00
|
|
|
doc_class SWSCD = cenelec_report +
|
2022-05-25 15:13:49 +00:00
|
|
|
phase :: "phase" <= "CInT"
|
|
|
|
nlvl :: "normative_level" <= "HR"
|
|
|
|
invariant force_nlvl_swscd :: "nlvl \<sigma> = HR"
|
2019-02-13 11:22:55 +00:00
|
|
|
type_synonym software_source_code_and_documentation = SWSCD
|
2019-02-12 21:13:28 +00:00
|
|
|
|
2022-08-01 19:50:49 +00:00
|
|
|
doc_class SWCTR = cenelec_report +
|
2022-05-25 15:13:49 +00:00
|
|
|
phase :: "phase" <= "CInT"
|
|
|
|
invariant force_nlvl_swctr :: "if sil \<sigma> = SIL0 then nlvl \<sigma> = R else nlvl \<sigma> = HR"
|
2019-02-13 11:22:55 +00:00
|
|
|
type_synonym software_component_test_report = SWCTR
|
2019-02-12 21:13:28 +00:00
|
|
|
|
2022-08-01 19:50:49 +00:00
|
|
|
doc_class SWSCVR = cenelec_report +
|
2022-05-25 15:13:49 +00:00
|
|
|
phase :: "phase" <= "CInT"
|
|
|
|
nlvl :: "normative_level" <= "HR"
|
|
|
|
invariant force_nlvl_swscvr :: "nlvl \<sigma> = HR"
|
2019-02-13 11:22:55 +00:00
|
|
|
type_synonym software_source_code_verification_report = SWSCVR
|
2019-02-12 21:13:28 +00:00
|
|
|
|
2022-08-01 19:50:49 +00:00
|
|
|
doc_class SWITR = cenelec_report +
|
2022-05-25 15:13:49 +00:00
|
|
|
phase :: "phase" <= "SI"
|
|
|
|
nlvl :: "normative_level" <= "HR"
|
|
|
|
invariant force_nlvl_switr :: "nlvl \<sigma> = HR"
|
|
|
|
type_synonym software_integration_test_report = SWITR
|
|
|
|
|
2022-08-01 19:50:49 +00:00
|
|
|
doc_class SWHAITR = cenelec_report +
|
2022-05-25 15:13:49 +00:00
|
|
|
phase :: "phase" <= "SI"
|
|
|
|
nlvl :: "normative_level" <= "HR"
|
|
|
|
invariant force_nlvl_swhaitr :: "nlvl \<sigma> = HR"
|
2019-02-13 11:22:55 +00:00
|
|
|
type_synonym software_hardware_integration_test_report = SWHAITR
|
2019-02-12 21:13:28 +00:00
|
|
|
|
2022-08-01 19:50:49 +00:00
|
|
|
doc_class SWIVR = cenelec_report +
|
2022-05-18 16:23:57 +00:00
|
|
|
phase :: "phase" <= "SI"
|
2022-05-25 15:13:49 +00:00
|
|
|
nlvl :: "normative_level" <= "HR"
|
|
|
|
invariant force_nlvl_swivr :: "nlvl \<sigma> = HR"
|
2019-02-13 11:22:55 +00:00
|
|
|
type_synonym software_integration_verification_report = SWIVR
|
2019-02-12 21:13:28 +00:00
|
|
|
|
2022-08-01 19:50:49 +00:00
|
|
|
doc_class OSWTR = cenelec_report +
|
2022-05-25 15:13:49 +00:00
|
|
|
phase :: "phase" <= "SV"
|
|
|
|
nlvl :: "normative_level" <= "HR"
|
|
|
|
invariant force_nlvl_oswtr :: "nlvl \<sigma> = HR"
|
|
|
|
type_synonym overall_software_test_report = OSWTR
|
2019-02-12 21:13:28 +00:00
|
|
|
|
2022-08-01 19:50:49 +00:00
|
|
|
doc_class SWVALR = cenelec_report +
|
2022-05-18 16:23:57 +00:00
|
|
|
phase :: "phase" <= "SV"
|
2022-05-25 15:13:49 +00:00
|
|
|
nlvl :: "normative_level" <= "HR"
|
|
|
|
invariant force_nlvl_swvalr :: "nlvl \<sigma> = HR"
|
2019-02-13 11:22:55 +00:00
|
|
|
type_synonym software_validation_report = SWVALR
|
2019-02-12 21:13:28 +00:00
|
|
|
|
2022-08-01 19:50:49 +00:00
|
|
|
doc_class TVALR = cenelec_report +
|
2022-05-25 15:13:49 +00:00
|
|
|
phase :: "phase" <= "SV"
|
|
|
|
invariant force_nlvl_tvalr :: "if sil \<sigma> = SIL0 then nlvl \<sigma> = R else nlvl \<sigma> = HR"
|
|
|
|
type_synonym tools_validation_report = TVALR
|
|
|
|
|
2022-08-01 19:50:49 +00:00
|
|
|
doc_class SWVRN = cenelec_report +
|
2022-05-25 15:13:49 +00:00
|
|
|
phase :: "phase" <= "SV"
|
|
|
|
nlvl :: "normative_level" <= "HR"
|
|
|
|
invariant force_nlvl_swvrn :: "nlvl \<sigma> = HR"
|
|
|
|
type_synonym software_validation_release_note = SWVRN
|
|
|
|
|
2022-08-01 19:50:49 +00:00
|
|
|
doc_class ARS = cenelec_report +
|
2022-05-25 15:13:49 +00:00
|
|
|
phase :: "phase" <= "SCADA"
|
|
|
|
nlvl :: "normative_level" <= "HR"
|
|
|
|
invariant force_nlvl_ars :: "nlvl \<sigma> = HR"
|
|
|
|
type_synonym application_requirements_specification = ARS
|
|
|
|
|
2022-08-01 19:50:49 +00:00
|
|
|
doc_class APP = cenelec_report +
|
2022-05-25 15:13:49 +00:00
|
|
|
phase :: "phase" <= "SCADA"
|
|
|
|
nlvl :: "normative_level" <= "HR"
|
|
|
|
invariant force_nlvl_APP :: "nlvl \<sigma> = HR"
|
|
|
|
type_synonym application_preparation_plan = APP
|
|
|
|
|
2022-08-01 19:50:49 +00:00
|
|
|
doc_class ATS = cenelec_report +
|
2022-05-25 15:13:49 +00:00
|
|
|
phase :: "phase" <= "SCADA"
|
|
|
|
nlvl :: "normative_level" <= "HR"
|
|
|
|
invariant force_nlvl_ats :: "nlvl \<sigma> = HR"
|
|
|
|
type_synonym application_test_specification = ATS
|
|
|
|
|
2022-08-01 19:50:49 +00:00
|
|
|
doc_class AAD = cenelec_report +
|
2022-05-25 15:13:49 +00:00
|
|
|
phase :: "phase" <= "SCADA"
|
|
|
|
nlvl :: "normative_level" <= "HR"
|
|
|
|
invariant force_nlvl_aad :: "nlvl \<sigma> = HR"
|
|
|
|
type_synonym application_architecture_design = AAD
|
|
|
|
|
2022-08-01 19:50:49 +00:00
|
|
|
doc_class APVR = cenelec_report +
|
2022-05-25 15:13:49 +00:00
|
|
|
phase :: "phase" <= "SCADA"
|
|
|
|
nlvl :: "normative_level" <= "HR"
|
|
|
|
invariant force_nlvl_apvr :: "nlvl \<sigma> = HR"
|
|
|
|
type_synonym application_preparation_verification_report = APVR
|
|
|
|
|
2022-08-01 19:50:49 +00:00
|
|
|
doc_class ATR = cenelec_report +
|
2022-05-25 15:13:49 +00:00
|
|
|
phase :: "phase" <= "SCADA"
|
|
|
|
nlvl :: "normative_level" <= "HR"
|
|
|
|
invariant force_nlvl_atr :: "nlvl \<sigma> = HR"
|
|
|
|
type_synonym application_test_report= ATR
|
|
|
|
|
2022-08-01 19:50:49 +00:00
|
|
|
doc_class SOCOADA = cenelec_report +
|
2022-05-25 15:13:49 +00:00
|
|
|
phase :: "phase" <= "SCADA"
|
|
|
|
nlvl :: "normative_level" <= "HR"
|
|
|
|
invariant force_nlvl_socoada :: "nlvl \<sigma> = HR"
|
|
|
|
type_synonym source_code_application_data_algorithms = SOCOADA
|
|
|
|
|
2022-08-01 19:50:49 +00:00
|
|
|
doc_class ADAVR = cenelec_report +
|
2022-05-25 15:13:49 +00:00
|
|
|
phase :: "phase" <= "SCADA"
|
|
|
|
nlvl :: "normative_level" <= "HR"
|
|
|
|
invariant force_nlvl_adavr :: "nlvl \<sigma> = HR"
|
|
|
|
type_synonym application_data_algorithms_verification_report= ADAVR
|
|
|
|
|
2022-08-01 19:50:49 +00:00
|
|
|
doc_class SWRDP = cenelec_report +
|
2022-05-25 15:13:49 +00:00
|
|
|
phase :: "phase" <= "SD"
|
|
|
|
invariant force_nlvl_swrdp :: "if sil \<sigma> = SIL0 then nlvl \<sigma> = R else nlvl \<sigma> = HR"
|
|
|
|
type_synonym software_release_deployment_plan = SWRDP
|
|
|
|
|
2022-08-01 19:50:49 +00:00
|
|
|
doc_class SWDM = cenelec_report +
|
2022-05-25 15:13:49 +00:00
|
|
|
phase :: "phase" <= "SD"
|
|
|
|
invariant force_nlvl_swdm :: "if sil \<sigma> = SIL0 then nlvl \<sigma> = R else nlvl \<sigma> = HR"
|
|
|
|
type_synonym software_deployment_manual = SWDM
|
|
|
|
|
2022-08-01 19:50:49 +00:00
|
|
|
doc_class SWDRN = cenelec_report +
|
2022-05-25 15:13:49 +00:00
|
|
|
phase :: "phase" <= "SD"
|
|
|
|
nlvl :: "normative_level" <= "HR"
|
|
|
|
invariant force_nlvl_swdrn :: "nlvl \<sigma> = HR"
|
|
|
|
type_synonym software_deployment_release_notes = SWDRN
|
|
|
|
|
2022-08-01 19:50:49 +00:00
|
|
|
doc_class SWDR = cenelec_report +
|
2022-05-25 15:13:49 +00:00
|
|
|
phase :: "phase" <= "SD"
|
|
|
|
invariant force_nlvl_swdr :: "if sil \<sigma> = SIL0 then nlvl \<sigma> = R else nlvl \<sigma> = HR"
|
|
|
|
type_synonym software_deployment_records = SWDR
|
|
|
|
|
2022-08-01 19:50:49 +00:00
|
|
|
doc_class SWDVR = cenelec_report +
|
2022-05-25 15:13:49 +00:00
|
|
|
phase :: "phase" <= "SD"
|
|
|
|
invariant force_nlvl_swdvr :: "if sil \<sigma> = SIL0 then nlvl \<sigma> = R else nlvl \<sigma> = HR"
|
|
|
|
type_synonym software_deployment_verification_report = SWDVR
|
|
|
|
|
2022-08-01 19:50:49 +00:00
|
|
|
doc_class SWMP = cenelec_report +
|
2022-05-25 15:13:49 +00:00
|
|
|
phase :: "phase" <= "SM"
|
|
|
|
invariant force_nlvl_swmp :: "if sil \<sigma> = SIL0 then nlvl \<sigma> = R else nlvl \<sigma> = HR"
|
|
|
|
type_synonym software_maintenance_plan = SWMP
|
|
|
|
|
2022-08-01 19:50:49 +00:00
|
|
|
doc_class SWCR = cenelec_report +
|
2022-05-25 15:13:49 +00:00
|
|
|
phase :: "phase" <= "SM"
|
|
|
|
nlvl :: "normative_level" <= "HR"
|
|
|
|
invariant force_nlvl_swcr :: "nlvl \<sigma> = HR"
|
|
|
|
type_synonym software_change_records = SWCR
|
|
|
|
|
2022-08-01 19:50:49 +00:00
|
|
|
doc_class SWMR = cenelec_report +
|
2022-05-25 15:13:49 +00:00
|
|
|
phase :: "phase" <= "SM"
|
|
|
|
invariant force_nlvl_swmr :: "if sil \<sigma> = SIL0 then nlvl \<sigma> = R else nlvl \<sigma> = HR"
|
|
|
|
type_synonym software_maintenance_records = SWMR
|
|
|
|
|
2022-08-01 19:50:49 +00:00
|
|
|
doc_class SWMVR = cenelec_report +
|
2022-05-25 15:13:49 +00:00
|
|
|
phase :: "phase" <= "SM"
|
|
|
|
invariant force_nlvl_swmvr :: "if sil \<sigma> = SIL0 then nlvl \<sigma> = R else nlvl \<sigma> = HR"
|
|
|
|
type_synonym software_maintenance_verification_report = SWMVR
|
|
|
|
|
2022-08-01 19:50:49 +00:00
|
|
|
doc_class SWAP = cenelec_report +
|
2022-05-25 15:13:49 +00:00
|
|
|
phase :: "phase" <= "SA"
|
|
|
|
invariant force_nlvl_swap :: "if sil \<sigma> = SIL0 then nlvl \<sigma> = R else nlvl \<sigma> = HR"
|
|
|
|
type_synonym software_assessment_plan = SWAP
|
|
|
|
|
2022-08-01 19:50:49 +00:00
|
|
|
doc_class SWAR = cenelec_report +
|
2022-05-25 15:13:49 +00:00
|
|
|
phase :: "phase" <= "SA"
|
|
|
|
invariant force_nlvl_swar :: "if sil \<sigma> = SIL0 then nlvl \<sigma> = R else nlvl \<sigma> = HR"
|
|
|
|
type_synonym software_assessment_report = SWAR
|
|
|
|
|
|
|
|
text\<open>Table A.1: Lifecycle Issues and Documentation (5.3).
|
|
|
|
The requirement levels of table A.1 is expressed with monitor classes:
|
|
|
|
first the SIL of each class is enforced to be the same as the monitor class SIL,
|
|
|
|
then, when closing the monitor, the normative level (requirement level in CENELEC lingua)
|
|
|
|
of each CENELEC document instance is checked and warning/errors are triggered
|
|
|
|
if they do not respect the monitor class SIL\<close>
|
|
|
|
|
|
|
|
doc_class monitor_SIL =
|
|
|
|
sil :: sil
|
|
|
|
|
|
|
|
doc_class monitor_SIL0 = monitor_SIL +
|
|
|
|
sil :: sil <= SIL0
|
|
|
|
accepts "\<lbrakk>SQAP\<rbrakk> ~~ \<lbrakk>SQAVR\<rbrakk> ~~ \<lbrakk>SCMP\<rbrakk> ~~ \<lbrakk>SVP\<rbrakk> ~~ \<lbrakk>SVAP\<rbrakk>
|
|
|
|
~~ \<lbrakk>SWRS\<rbrakk> ~~ \<lbrakk>OSWTS\<rbrakk> ~~ \<lbrakk>SWRVR\<rbrakk>
|
|
|
|
~~ \<lbrakk>SWAS\<rbrakk> ~~ \<lbrakk>SWDS\<rbrakk> ~~ \<lbrakk>SWIS\<rbrakk> ~~ \<lbrakk>SWITS\<rbrakk> ~~ \<lbrakk>SWHITS\<rbrakk> ~~ \<lbrakk>SWADVR\<rbrakk>
|
|
|
|
~~ \<lbrakk>SWCDS\<rbrakk> ~~ \<lbrakk>SWCTS\<rbrakk> ~~ \<lbrakk>SWCDVR\<rbrakk>
|
|
|
|
~~ \<lbrakk>SWSCD\<rbrakk> ~~ \<lbrakk>SWCTR\<rbrakk> ~~ \<lbrakk>SWSCVR\<rbrakk>
|
|
|
|
~~ \<lbrakk>SWITR\<rbrakk> ~~ \<lbrakk>SWHAITR\<rbrakk> ~~ \<lbrakk>SWIVR\<rbrakk>
|
|
|
|
~~ \<lbrakk>OSWTR\<rbrakk> ~~ \<lbrakk>SWVALR\<rbrakk> ~~ \<lbrakk>TVALR\<rbrakk> ~~ \<lbrakk>SWVRN\<rbrakk>
|
|
|
|
~~ \<lbrakk>ARS\<rbrakk> ~~ \<lbrakk>APP\<rbrakk> ~~ \<lbrakk>ATS\<rbrakk> ~~ \<lbrakk>AAD\<rbrakk> ~~ \<lbrakk>APVR\<rbrakk> ~~ \<lbrakk>ATR\<rbrakk> ~~ \<lbrakk>SOCOADA\<rbrakk> ~~ \<lbrakk>ADAVR\<rbrakk>
|
|
|
|
~~ \<lbrakk>SWRDP\<rbrakk> ~~ \<lbrakk>SWDM\<rbrakk> ~~ \<lbrakk>SWDRN\<rbrakk> ~~ \<lbrakk>SWDR\<rbrakk> ~~ \<lbrakk>SWDVR\<rbrakk>
|
|
|
|
~~ \<lbrakk>SWMP\<rbrakk> ~~ \<lbrakk>SWCR\<rbrakk> ~~ \<lbrakk>SWMR\<rbrakk> ~~ \<lbrakk>SWMVR\<rbrakk>
|
|
|
|
~~ \<lbrakk>SWAP\<rbrakk> ~~ \<lbrakk>SWAR\<rbrakk>"
|
|
|
|
invariant force_sil0 :: "sil \<sigma> = SIL0"
|
|
|
|
|
|
|
|
doc_class monitor_SIL1 = monitor_SIL +
|
|
|
|
sil :: sil <= SIL1
|
|
|
|
accepts "\<lbrakk>SQAP\<rbrakk> ~~ \<lbrakk>SQAVR\<rbrakk> ~~ \<lbrakk>SCMP\<rbrakk> ~~ \<lbrakk>SVP\<rbrakk> ~~ \<lbrakk>SVAP\<rbrakk>
|
|
|
|
~~ \<lbrakk>SWRS\<rbrakk> ~~ \<lbrakk>OSWTS\<rbrakk> ~~ \<lbrakk>SWRVR\<rbrakk>
|
|
|
|
~~ \<lbrakk>SWAS\<rbrakk> ~~ \<lbrakk>SWDS\<rbrakk> ~~ \<lbrakk>SWIS\<rbrakk> ~~ \<lbrakk>SWITS\<rbrakk> ~~ \<lbrakk>SWHITS\<rbrakk> ~~ \<lbrakk>SWADVR\<rbrakk>
|
|
|
|
~~ \<lbrakk>SWCDS\<rbrakk> ~~ \<lbrakk>SWCTS\<rbrakk> ~~ \<lbrakk>SWCDVR\<rbrakk>
|
|
|
|
~~ \<lbrakk>SWSCD\<rbrakk> ~~ \<lbrakk>SWCTR\<rbrakk> ~~ \<lbrakk>SWSCVR\<rbrakk>
|
|
|
|
~~ \<lbrakk>SWITR\<rbrakk> ~~ \<lbrakk>SWHAITR\<rbrakk> ~~ \<lbrakk>SWIVR\<rbrakk>
|
|
|
|
~~ \<lbrakk>OSWTR\<rbrakk> ~~ \<lbrakk>SWVALR\<rbrakk> ~~ \<lbrakk>TVALR\<rbrakk> ~~ \<lbrakk>SWVRN\<rbrakk>
|
|
|
|
~~ \<lbrakk>ARS\<rbrakk> ~~ \<lbrakk>APP\<rbrakk> ~~ \<lbrakk>ATS\<rbrakk> ~~ \<lbrakk>AAD\<rbrakk> ~~ \<lbrakk>APVR\<rbrakk> ~~ \<lbrakk>ATR\<rbrakk> ~~ \<lbrakk>SOCOADA\<rbrakk> ~~ \<lbrakk>ADAVR\<rbrakk>
|
|
|
|
~~ \<lbrakk>SWRDP\<rbrakk> ~~ \<lbrakk>SWDM\<rbrakk> ~~ \<lbrakk>SWDRN\<rbrakk> ~~ \<lbrakk>SWDR\<rbrakk> ~~ \<lbrakk>SWDVR\<rbrakk>
|
|
|
|
~~ \<lbrakk>SWMP\<rbrakk> ~~ \<lbrakk>SWCR\<rbrakk> ~~ \<lbrakk>SWMR\<rbrakk> ~~ \<lbrakk>SWMVR\<rbrakk>
|
|
|
|
~~ \<lbrakk>SWAP\<rbrakk> ~~ \<lbrakk>SWAR\<rbrakk>"
|
|
|
|
invariant force_sil1 :: "sil \<sigma> = SIL1"
|
|
|
|
|
|
|
|
doc_class monitor_SIL2 = monitor_SIL +
|
|
|
|
sil :: sil <= SIL2
|
|
|
|
accepts "\<lbrakk>SQAP\<rbrakk> ~~ \<lbrakk>SQAVR\<rbrakk> ~~ \<lbrakk>SCMP\<rbrakk> ~~ \<lbrakk>SVP\<rbrakk> ~~ \<lbrakk>SVAP\<rbrakk>
|
|
|
|
~~ \<lbrakk>SWRS\<rbrakk> ~~ \<lbrakk>OSWTS\<rbrakk> ~~ \<lbrakk>SWRVR\<rbrakk>
|
|
|
|
~~ \<lbrakk>SWAS\<rbrakk> ~~ \<lbrakk>SWDS\<rbrakk> ~~ \<lbrakk>SWIS\<rbrakk> ~~ \<lbrakk>SWITS\<rbrakk> ~~ \<lbrakk>SWHITS\<rbrakk> ~~ \<lbrakk>SWADVR\<rbrakk>
|
|
|
|
~~ \<lbrakk>SWCDS\<rbrakk> ~~ \<lbrakk>SWCTS\<rbrakk> ~~ \<lbrakk>SWCDVR\<rbrakk>
|
|
|
|
~~ \<lbrakk>SWSCD\<rbrakk> ~~ \<lbrakk>SWCTR\<rbrakk> ~~ \<lbrakk>SWSCVR\<rbrakk>
|
|
|
|
~~ \<lbrakk>SWITR\<rbrakk> ~~ \<lbrakk>SWHAITR\<rbrakk> ~~ \<lbrakk>SWIVR\<rbrakk>
|
|
|
|
~~ \<lbrakk>OSWTR\<rbrakk> ~~ \<lbrakk>SWVALR\<rbrakk> ~~ \<lbrakk>TVALR\<rbrakk> ~~ \<lbrakk>SWVRN\<rbrakk>
|
|
|
|
~~ \<lbrakk>ARS\<rbrakk> ~~ \<lbrakk>APP\<rbrakk> ~~ \<lbrakk>ATS\<rbrakk> ~~ \<lbrakk>AAD\<rbrakk> ~~ \<lbrakk>APVR\<rbrakk> ~~ \<lbrakk>ATR\<rbrakk> ~~ \<lbrakk>SOCOADA\<rbrakk> ~~ \<lbrakk>ADAVR\<rbrakk>
|
|
|
|
~~ \<lbrakk>SWRDP\<rbrakk> ~~ \<lbrakk>SWDM\<rbrakk> ~~ \<lbrakk>SWDRN\<rbrakk> ~~ \<lbrakk>SWDR\<rbrakk> ~~ \<lbrakk>SWDVR\<rbrakk>
|
|
|
|
~~ \<lbrakk>SWMP\<rbrakk> ~~ \<lbrakk>SWCR\<rbrakk> ~~ \<lbrakk>SWMR\<rbrakk> ~~ \<lbrakk>SWMVR\<rbrakk>
|
|
|
|
~~ \<lbrakk>SWAP\<rbrakk> ~~ \<lbrakk>SWAR\<rbrakk>"
|
|
|
|
invariant force_sil2 :: "sil \<sigma> = SIL2"
|
|
|
|
|
|
|
|
doc_class monitor_SIL3 = monitor_SIL +
|
|
|
|
sil :: sil <= SIL3
|
|
|
|
accepts "\<lbrakk>SQAP\<rbrakk> ~~ \<lbrakk>SQAVR\<rbrakk> ~~ \<lbrakk>SCMP\<rbrakk> ~~ \<lbrakk>SVP\<rbrakk> ~~ \<lbrakk>SVAP\<rbrakk>
|
|
|
|
~~ \<lbrakk>SWRS\<rbrakk> ~~ \<lbrakk>OSWTS\<rbrakk> ~~ \<lbrakk>SWRVR\<rbrakk>
|
|
|
|
~~ \<lbrakk>SWAS\<rbrakk> ~~ \<lbrakk>SWDS\<rbrakk> ~~ \<lbrakk>SWIS\<rbrakk> ~~ \<lbrakk>SWITS\<rbrakk> ~~ \<lbrakk>SWHITS\<rbrakk> ~~ \<lbrakk>SWADVR\<rbrakk>
|
|
|
|
~~ \<lbrakk>SWCDS\<rbrakk> ~~ \<lbrakk>SWCTS\<rbrakk> ~~ \<lbrakk>SWCDVR\<rbrakk>
|
|
|
|
~~ \<lbrakk>SWSCD\<rbrakk> ~~ \<lbrakk>SWCTR\<rbrakk> ~~ \<lbrakk>SWSCVR\<rbrakk>
|
|
|
|
~~ \<lbrakk>SWITR\<rbrakk> ~~ \<lbrakk>SWHAITR\<rbrakk> ~~ \<lbrakk>SWIVR\<rbrakk>
|
|
|
|
~~ \<lbrakk>OSWTR\<rbrakk> ~~ \<lbrakk>SWVALR\<rbrakk> ~~ \<lbrakk>TVALR\<rbrakk> ~~ \<lbrakk>SWVRN\<rbrakk>
|
|
|
|
~~ \<lbrakk>ARS\<rbrakk> ~~ \<lbrakk>APP\<rbrakk> ~~ \<lbrakk>ATS\<rbrakk> ~~ \<lbrakk>AAD\<rbrakk> ~~ \<lbrakk>APVR\<rbrakk> ~~ \<lbrakk>ATR\<rbrakk> ~~ \<lbrakk>SOCOADA\<rbrakk> ~~ \<lbrakk>ADAVR\<rbrakk>
|
|
|
|
~~ \<lbrakk>SWRDP\<rbrakk> ~~ \<lbrakk>SWDM\<rbrakk> ~~ \<lbrakk>SWDRN\<rbrakk> ~~ \<lbrakk>SWDR\<rbrakk> ~~ \<lbrakk>SWDVR\<rbrakk>
|
|
|
|
~~ \<lbrakk>SWMP\<rbrakk> ~~ \<lbrakk>SWCR\<rbrakk> ~~ \<lbrakk>SWMR\<rbrakk> ~~ \<lbrakk>SWMVR\<rbrakk>
|
|
|
|
~~ \<lbrakk>SWAP\<rbrakk> ~~ \<lbrakk>SWAR\<rbrakk>"
|
|
|
|
invariant force_sil3 :: "sil \<sigma> = SIL3"
|
|
|
|
|
|
|
|
doc_class monitor_SIL4 = monitor_SIL +
|
|
|
|
sil :: sil <= SIL4
|
|
|
|
accepts "\<lbrakk>SQAP\<rbrakk> ~~ \<lbrakk>SQAVR\<rbrakk> ~~ \<lbrakk>SCMP\<rbrakk> ~~ \<lbrakk>SVP\<rbrakk> ~~ \<lbrakk>SVAP\<rbrakk>
|
|
|
|
~~ \<lbrakk>SWRS\<rbrakk> ~~ \<lbrakk>OSWTS\<rbrakk> ~~ \<lbrakk>SWRVR\<rbrakk>
|
|
|
|
~~ \<lbrakk>SWAS\<rbrakk> ~~ \<lbrakk>SWDS\<rbrakk> ~~ \<lbrakk>SWIS\<rbrakk> ~~ \<lbrakk>SWITS\<rbrakk> ~~ \<lbrakk>SWHITS\<rbrakk> ~~ \<lbrakk>SWADVR\<rbrakk>
|
|
|
|
~~ \<lbrakk>SWCDS\<rbrakk> ~~ \<lbrakk>SWCTS\<rbrakk> ~~ \<lbrakk>SWCDVR\<rbrakk>
|
|
|
|
~~ \<lbrakk>SWSCD\<rbrakk> ~~ \<lbrakk>SWCTR\<rbrakk> ~~ \<lbrakk>SWSCVR\<rbrakk>
|
|
|
|
~~ \<lbrakk>SWITR\<rbrakk> ~~ \<lbrakk>SWHAITR\<rbrakk> ~~ \<lbrakk>SWIVR\<rbrakk>
|
|
|
|
~~ \<lbrakk>OSWTR\<rbrakk> ~~ \<lbrakk>SWVALR\<rbrakk> ~~ \<lbrakk>TVALR\<rbrakk> ~~ \<lbrakk>SWVRN\<rbrakk>
|
|
|
|
~~ \<lbrakk>ARS\<rbrakk> ~~ \<lbrakk>APP\<rbrakk> ~~ \<lbrakk>ATS\<rbrakk> ~~ \<lbrakk>AAD\<rbrakk> ~~ \<lbrakk>APVR\<rbrakk> ~~ \<lbrakk>ATR\<rbrakk> ~~ \<lbrakk>SOCOADA\<rbrakk> ~~ \<lbrakk>ADAVR\<rbrakk>
|
|
|
|
~~ \<lbrakk>SWRDP\<rbrakk> ~~ \<lbrakk>SWDM\<rbrakk> ~~ \<lbrakk>SWDRN\<rbrakk> ~~ \<lbrakk>SWDR\<rbrakk> ~~ \<lbrakk>SWDVR\<rbrakk>
|
|
|
|
~~ \<lbrakk>SWMP\<rbrakk> ~~ \<lbrakk>SWCR\<rbrakk> ~~ \<lbrakk>SWMR\<rbrakk> ~~ \<lbrakk>SWMVR\<rbrakk>
|
|
|
|
~~ \<lbrakk>SWAP\<rbrakk> ~~ \<lbrakk>SWAR\<rbrakk>"
|
|
|
|
invariant force_sil4 :: "sil \<sigma> = SIL4"
|
|
|
|
|
|
|
|
ML\<open>
|
|
|
|
fun check_sil oid _ ctxt =
|
|
|
|
let
|
|
|
|
val ctxt' = Proof_Context.init_global(Context.theory_of ctxt)
|
2023-02-06 16:09:02 +00:00
|
|
|
val DOF_core.Instance {value = monitor_record_value, ...} =
|
|
|
|
DOF_core.get_object_global (oid, Position.none) (Context.theory_of ctxt)
|
2022-05-25 15:13:49 +00:00
|
|
|
val Const _ $ _ $ monitor_sil $ _ = monitor_record_value
|
2022-11-24 09:41:50 +00:00
|
|
|
val traces = AttributeAccess.compute_trace_ML ctxt oid NONE \<^here>
|
2022-05-25 15:13:49 +00:00
|
|
|
fun check_sil'' [] = true
|
|
|
|
| check_sil'' (x::xs) =
|
|
|
|
let
|
|
|
|
val (_, doc_oid) = x
|
2023-02-06 16:09:02 +00:00
|
|
|
val DOF_core.Instance {value = doc_record_value, ...} =
|
|
|
|
DOF_core.get_object_global (doc_oid, Position.none) (Context.theory_of ctxt)
|
2022-05-25 15:13:49 +00:00
|
|
|
val Const _ $ _ $ _ $ _ $ _ $ cenelec_document_ext = doc_record_value
|
|
|
|
val Const _ $ _ $ _ $ doc_sil $ _ $ _ $ _ $ _ $ _ $ _ = cenelec_document_ext
|
|
|
|
in
|
|
|
|
if doc_sil <> monitor_sil
|
|
|
|
then error(doc_oid
|
|
|
|
^ " cenelec document SIL must be: "
|
|
|
|
^ Syntax.string_of_term ctxt' monitor_sil)
|
|
|
|
else check_sil'' xs end
|
|
|
|
in check_sil'' traces end
|
|
|
|
\<close>
|
|
|
|
|
|
|
|
setup\<open>DOF_core.update_class_invariant "CENELEC_50128.monitor_SIL0" check_sil\<close>
|
|
|
|
|
|
|
|
text\<open>
|
|
|
|
A more generic example of check_sil which can be generalized:
|
|
|
|
it is decoupled from the CENELEC current implementation
|
|
|
|
but is much less efficient regarding time computation by relying on Isabelle evaluation mechanism.\<close>
|
|
|
|
ML\<open>
|
|
|
|
fun check_sil_slow oid _ ctxt =
|
|
|
|
let
|
|
|
|
val ctxt' = Proof_Context.init_global(Context.theory_of ctxt)
|
2023-02-06 16:09:02 +00:00
|
|
|
val DOF_core.Instance {value = monitor_record_value, ...} =
|
|
|
|
DOF_core.get_object_global (oid, Position.none) (Context.theory_of ctxt)
|
|
|
|
val DOF_core.Instance {cid = monitor_cid, ...} =
|
|
|
|
DOF_core.get_object_global (oid, Position.none) (Context.theory_of ctxt)
|
2022-05-25 15:13:49 +00:00
|
|
|
val monitor_sil_typ = (Syntax.read_typ ctxt' monitor_cid) --> @{typ "sil"}
|
|
|
|
val monitor_sil = Value_Command.value ctxt'
|
|
|
|
(Const("CENELEC_50128.monitor_SIL.sil", monitor_sil_typ) $ monitor_record_value)
|
2022-11-24 09:41:50 +00:00
|
|
|
val traces = AttributeAccess.compute_trace_ML ctxt oid NONE \<^here>
|
2022-05-25 15:13:49 +00:00
|
|
|
fun check_sil' [] = true
|
|
|
|
| check_sil' (x::xs) =
|
|
|
|
let
|
|
|
|
val (doc_cid, doc_oid) = x
|
2023-02-06 16:09:02 +00:00
|
|
|
val DOF_core.Instance {value = doc_record_value, ...} =
|
|
|
|
DOF_core.get_object_global (doc_oid, Position.none) (Context.theory_of ctxt)
|
2022-05-25 15:13:49 +00:00
|
|
|
val doc_sil_typ = (Syntax.read_typ ctxt' doc_cid) --> @{typ "sil"}
|
|
|
|
val doc_sil = Value_Command.value ctxt'
|
|
|
|
(Const ("CENELEC_50128.cenelec_document.sil", doc_sil_typ) $ doc_record_value)
|
|
|
|
in
|
|
|
|
if doc_sil <> monitor_sil
|
|
|
|
then error(doc_oid
|
|
|
|
^ " cenelec document SIL must be: "
|
|
|
|
^ Syntax.string_of_term ctxt' monitor_sil)
|
|
|
|
else check_sil' xs end
|
|
|
|
in check_sil' traces end
|
|
|
|
\<close>
|
|
|
|
|
|
|
|
(*setup\<open>DOF_core.update_class_invariant "CENELEC_50128.monitor_SIL0" check_sil_slow\<close>*)
|
|
|
|
|
|
|
|
(* As traces of monitor instances (docitems) are updated each time an instance is declared
|
2022-12-22 06:14:29 +00:00
|
|
|
(with text*, section*, etc.), invariants checking functions which check the full list of traces
|
|
|
|
must be declared as lazy invariants, to be checked only when closing a monitor, i.e.,
|
|
|
|
after all the monitor traces are populated.
|
2022-05-25 15:13:49 +00:00
|
|
|
*)
|
|
|
|
ML\<open>
|
|
|
|
fun check_required_documents oid _ ctxt =
|
|
|
|
let
|
|
|
|
val ctxt' = Proof_Context.init_global(Context.theory_of ctxt)
|
2023-02-09 15:41:32 +00:00
|
|
|
val DOF_core.Monitor_Info {accepted_cids, ...} =
|
|
|
|
DOF_core.get_monitor_info_global (oid, Position.none) (Context.theory_of ctxt)
|
2022-11-24 09:41:50 +00:00
|
|
|
val traces = AttributeAccess.compute_trace_ML ctxt oid NONE \<^here>
|
2022-05-25 15:13:49 +00:00
|
|
|
fun check_required_documents' [] = true
|
|
|
|
| check_required_documents' (cid::cids) =
|
|
|
|
if exists (fn (doc_cid, _) => equal cid doc_cid) traces
|
|
|
|
then check_required_documents' cids
|
|
|
|
else
|
|
|
|
let
|
|
|
|
val ctxt' = Proof_Context.init_global(Context.theory_of ctxt)
|
2023-02-06 16:09:02 +00:00
|
|
|
val DOF_core.Instance {value = monitor_record_value, ...} =
|
|
|
|
DOF_core.get_object_global (oid, Position.none) (Context.theory_of ctxt)
|
2022-05-25 15:13:49 +00:00
|
|
|
val Const _ $ _ $ monitor_sil $ _ = monitor_record_value
|
|
|
|
in error ("A " ^ cid ^ " cenelec document is required with "
|
|
|
|
^ Syntax.string_of_term ctxt' monitor_sil)
|
|
|
|
end
|
|
|
|
in check_required_documents' accepted_cids end
|
|
|
|
\<close>
|
2019-02-12 21:13:28 +00:00
|
|
|
|
2022-05-25 15:13:49 +00:00
|
|
|
setup\<open>DOF_core.update_class_lazy_invariant "CENELEC_50128.monitor_SIL0" check_required_documents\<close>
|
|
|
|
|
|
|
|
(* Test pattern matching for the records of the current CENELEC implementation classes,
|
|
|
|
and used by checking functions.
|
|
|
|
If the test failed, then it means that the CENELEC implementation has changed
|
|
|
|
(the class definitions have been updated) and the checking functions must be updated.
|
|
|
|
*)
|
|
|
|
text*[MonitorPatternMatchingTest::monitor_SIL0]\<open>\<close>
|
|
|
|
text*[CenelecClassPatternMatchingTest::SQAP, sil = "SIL0"]\<open>\<close>
|
|
|
|
ML\<open>
|
|
|
|
val thy = @{theory}
|
2023-02-06 16:09:02 +00:00
|
|
|
val DOF_core.Instance {value = monitor_record_value, ...} =
|
|
|
|
DOF_core.get_object_global ("MonitorPatternMatchingTest", Position.none) thy
|
2022-05-25 15:13:49 +00:00
|
|
|
val Const _ $ _ $ monitor_sil $ _ = monitor_record_value
|
2023-02-06 16:09:02 +00:00
|
|
|
val DOF_core.Instance {value = doc_record_value, ...} =
|
|
|
|
DOF_core.get_object_global ("CenelecClassPatternMatchingTest", Position.none) thy
|
2022-05-25 15:13:49 +00:00
|
|
|
val Const _ $ _ $ _ $ _ $ _ $ cenelec_document_ext = doc_record_value
|
|
|
|
val Const _ $ _ $ _ $ doc_sil $ _ $ _ $ _ $ _ $ _ $ _ = cenelec_document_ext
|
|
|
|
\<close>
|
2019-02-12 21:13:28 +00:00
|
|
|
|
|
|
|
section\<open> Software Assurance \<close>
|
2022-05-11 16:12:37 +00:00
|
|
|
\<comment> \<open>MORE TO COME\<close>
|
2019-02-12 21:13:28 +00:00
|
|
|
|
|
|
|
subsection\<open> Software Testing \<close>
|
|
|
|
text\<open>Objective:
|
|
|
|
The objective of software testing, as performed by the Tester and/or Integrator,
|
|
|
|
is to ascertain the behaviour or performance of software against the corresponding test
|
|
|
|
specification to the extent achievable by the selected test coverage.
|
|
|
|
\<close>
|
|
|
|
|
|
|
|
text\<open>Outputs:
|
|
|
|
\<^enum> @{typ overall_software_test_report}
|
2022-05-25 15:13:49 +00:00
|
|
|
\<^enum> @{typ overall_software_test_specification} Overall Software Test Specification
|
2019-02-12 21:13:28 +00:00
|
|
|
\<^enum> Overall Software Test Report
|
|
|
|
\<^enum> Software Integration Test Specification
|
|
|
|
\<^enum> Software Integration Test Report
|
|
|
|
\<^enum> Software/Hardware Integration Test Specification
|
|
|
|
\<^enum> Software/Hardware Integration Test Report
|
|
|
|
\<^enum> Software Component Test Specification
|
|
|
|
\<^enum> Software Component Test Report
|
|
|
|
\<close>
|
|
|
|
|
|
|
|
subsection\<open> Software Verification \<close>
|
|
|
|
text\<open>Objective:
|
|
|
|
The objective of software verification is to examine and arrive at a judgement based on evidence
|
|
|
|
that output items (process, documentation, software or application) of a specific development
|
|
|
|
phase fulfil the requirements and plans with respect to completeness, correctness and consistency.
|
2020-04-23 12:31:59 +00:00
|
|
|
These activities are managed by the @{semi_formal_content \<open>verifier\<close>}.
|
2019-02-12 21:13:28 +00:00
|
|
|
\<close>
|
|
|
|
|
|
|
|
text\<open>Outputs:
|
|
|
|
\<^enum> Software Verification Plan
|
|
|
|
\<^enum> Software Verification Report(s)
|
|
|
|
\<^enum> Software Quality Assurance Verification Report
|
|
|
|
\<close>
|
|
|
|
|
|
|
|
subsection\<open> Software Validation \<close>
|
|
|
|
text\<open>Objective:
|
|
|
|
\<^enum>The objective of software validation is to demonstrate that the processes and their outputs are
|
|
|
|
such that the software is of the defined software safety integrity level, fulfils the software
|
|
|
|
requirements and is fit for its intended application. This activity is performed by the Validator.
|
|
|
|
\<^enum>The main validation activities are to demonstrate by analysis and/or testing that all the software
|
|
|
|
requirements are specified, implemented, tested and fulfilled as required by the applicable SIL,
|
|
|
|
and to evaluate the safety criticality of all anomalies and non-conformities based on the results
|
|
|
|
of reviews, analyses and tests.
|
|
|
|
\<close>
|
|
|
|
text\<open>Output documents:
|
|
|
|
\<^enum> Software Validation Plan
|
|
|
|
\<^enum> Software Validation Report
|
|
|
|
\<^enum> Software Validation Verification Report
|
|
|
|
\<close>
|
|
|
|
|
|
|
|
subsection\<open> Software Assessment \<close> (* other word for : formal evaluation. *)
|
|
|
|
text\<open>Objective:
|
|
|
|
\<^enum>To evaluate that the lifecycle processes and their outputs are such that the software is of the
|
|
|
|
defined software safety integrity levels 1-4 andis fit for its intended application.
|
|
|
|
\<^enum> For SIL 0 software, requirements of this standard shall be fulfilled but where a certificate stating
|
|
|
|
compliance with EN ISO 9001 is available, no assessment will be required.
|
|
|
|
\<close>
|
|
|
|
|
|
|
|
subsection\<open> Software Quality Assurance \<close>
|
|
|
|
text\<open>Objectives: To identify, monitor and control all those activities, both technical and
|
|
|
|
managerial, which are necessary to ensure that the software achieves the quality required.
|
|
|
|
This is necessary to provide the required qualitative defence against systematic faults and
|
|
|
|
to ensure that an audit trail can be established to allow
|
|
|
|
verification and validation activities to be undertaken effectively.\<close>
|
|
|
|
(* So : pretty much META *)
|
2018-03-21 10:59:27 +00:00
|
|
|
|
|
|
|
|
|
|
|
|
2019-01-08 09:34:49 +00:00
|
|
|
|
|
|
|
|
2019-02-14 10:50:19 +00:00
|
|
|
(* DEATH ZONE FROM HERE ... >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> *)
|
2019-01-08 09:34:49 +00:00
|
|
|
|
|
|
|
|
2019-01-31 09:38:18 +00:00
|
|
|
section\<open> Design related Categories \<close>
|
2018-03-21 10:59:27 +00:00
|
|
|
|
|
|
|
doc_class design_item =
|
2020-05-20 12:55:49 +00:00
|
|
|
description :: string
|
2018-04-20 11:19:50 +00:00
|
|
|
|
2020-05-20 12:55:49 +00:00
|
|
|
datatype design_kind = unit | module | protocol
|
2018-03-21 10:59:27 +00:00
|
|
|
|
|
|
|
doc_class interface = design_item +
|
2020-05-20 12:55:49 +00:00
|
|
|
kind :: design_kind
|
2018-03-21 10:59:27 +00:00
|
|
|
|
|
|
|
|
2019-01-31 09:38:18 +00:00
|
|
|
section\<open> Requirements-Analysis related Categories \<close>
|
2018-03-21 10:59:27 +00:00
|
|
|
|
|
|
|
doc_class test_item =
|
2020-05-20 12:55:49 +00:00
|
|
|
nn :: "string option"
|
2018-03-21 10:59:27 +00:00
|
|
|
|
|
|
|
doc_class test_specification = test_item +
|
2020-05-20 12:55:49 +00:00
|
|
|
short_goal :: string
|
2018-03-21 10:59:27 +00:00
|
|
|
|
|
|
|
doc_class test_case = test_item +
|
2020-05-20 12:55:49 +00:00
|
|
|
descr :: string
|
2018-03-21 10:59:27 +00:00
|
|
|
|
|
|
|
doc_class test_result = test_item +
|
|
|
|
verdict :: bool
|
|
|
|
remarks :: string
|
|
|
|
covvrit :: test_coverage_criterion
|
|
|
|
|
2020-05-20 12:55:49 +00:00
|
|
|
datatype test_environment_kind = hardware_in_the_loop ("hil")
|
|
|
|
| simulated_hardware_in_the_loop ("shil")
|
2018-03-21 10:59:27 +00:00
|
|
|
|
2020-05-20 12:55:49 +00:00
|
|
|
doc_class test_environment = test_item +
|
2018-03-21 10:59:27 +00:00
|
|
|
descr :: string
|
|
|
|
kind :: test_environment_kind <= shil
|
|
|
|
|
2020-05-20 12:55:49 +00:00
|
|
|
doc_class test_tool = test_item +
|
2018-03-21 10:59:27 +00:00
|
|
|
descr :: string
|
|
|
|
|
2020-05-20 12:55:49 +00:00
|
|
|
doc_class test_requirement = test_item +
|
2018-03-21 10:59:27 +00:00
|
|
|
descr :: string
|
|
|
|
|
2020-05-20 12:55:49 +00:00
|
|
|
doc_class test_adm_role = test_item +
|
2018-03-21 10:59:27 +00:00
|
|
|
name :: string
|
|
|
|
|
2022-05-11 16:12:37 +00:00
|
|
|
doc_class test_documentation = (* OUTDATED ? *)
|
2020-05-20 12:55:49 +00:00
|
|
|
no :: "nat"
|
|
|
|
accepts "test_specification ~~
|
|
|
|
\<lbrace>test_case~~test_result\<rbrace>\<^sup>+ ~~
|
|
|
|
\<lbrace>test_environment||test_tool\<rbrace>\<^sup>+ ~~
|
|
|
|
\<lbrakk>test_requirement\<rbrakk> ~~
|
|
|
|
test_adm_role"
|
|
|
|
|
2018-03-21 10:59:27 +00:00
|
|
|
|
2022-05-11 16:12:37 +00:00
|
|
|
section\<open>Global Documentation Structure\<close>
|
|
|
|
|
|
|
|
doc_class global_documentation_structure = text_element +
|
|
|
|
level :: "int option" <= "Some(-1::int)" \<comment> \<open>document must be a chapter\<close>
|
|
|
|
accepts "SYSREQS ~~ \<comment> \<open>system_requirements_specification\<close>
|
|
|
|
SYSSREQS ~~ \<comment> \<open>system_safety_requirements_specification\<close>
|
|
|
|
SYSAD ~~ \<comment> \<open>system_architecture description\<close>
|
|
|
|
SYSS_pl ~~ \<comment> \<open>system safety plan\<close>
|
2022-05-25 15:13:49 +00:00
|
|
|
(SWRS || OSWTS) " \<comment> \<open>software requirements specification OR
|
2022-05-11 16:12:37 +00:00
|
|
|
overall software test specification\<close>
|
|
|
|
(* MORE TO COME : *)
|
2018-03-21 10:59:27 +00:00
|
|
|
|
2019-02-14 10:50:19 +00:00
|
|
|
section\<open> META : Testing and Validation \<close>
|
2019-02-13 11:22:55 +00:00
|
|
|
|
2020-04-23 12:31:59 +00:00
|
|
|
text\<open>Test : @{semi_formal_content \<open>COTS\<close>}\<close>
|
2019-02-09 22:05:52 +00:00
|
|
|
|
2020-05-20 12:55:49 +00:00
|
|
|
ML
|
|
|
|
\<open> DOF_core.read_cid_global @{theory} "requirement";
|
|
|
|
DOF_core.read_cid_global @{theory} "SRAC";
|
|
|
|
DOF_core.is_defined_cid_global "SRAC" @{theory};
|
|
|
|
DOF_core.is_defined_cid_global "EC" @{theory}; \<close>
|
|
|
|
|
|
|
|
ML
|
|
|
|
\<open> DOF_core.is_subclass @{context} "CENELEC_50128.EC" "CENELEC_50128.EC";
|
|
|
|
DOF_core.is_subclass @{context} "CENELEC_50128.SRAC" "CENELEC_50128.EC";
|
|
|
|
DOF_core.is_subclass @{context} "CENELEC_50128.EC" "CENELEC_50128.SRAC";
|
|
|
|
DOF_core.is_subclass @{context} "CENELEC_50128.EC" "CENELEC_50128.test_requirement"; \<close>
|
|
|
|
|
|
|
|
ML
|
2023-02-06 16:09:02 +00:00
|
|
|
\<open> val ref_tab = DOF_core.get_instances \<^context>
|
|
|
|
val {docclass_tab=class_tab,...} = DOF_core.get_data @{context};
|
|
|
|
Name_Space.dest_table ref_tab;
|
2020-05-20 12:55:49 +00:00
|
|
|
Symtab.dest class_tab; \<close>
|
|
|
|
|
|
|
|
ML
|
|
|
|
\<open> val internal_data_of_SRAC_definition = DOF_core.get_attributes_local "SRAC" @{context} \<close>
|
|
|
|
|
|
|
|
ML
|
|
|
|
\<open> DOF_core.read_cid_global @{theory} "requirement";
|
|
|
|
Syntax.parse_typ @{context} "requirement";
|
|
|
|
val Type(t,_) = Syntax.parse_typ @{context} "requirement" handle ERROR _ => dummyT;
|
|
|
|
Syntax.read_typ @{context} "hypothesis" handle _ => dummyT;
|
|
|
|
Proof_Context.init_global; \<close>
|
|
|
|
|
2022-05-11 16:12:37 +00:00
|
|
|
end
|