AMASS: Call for Users and Contributors

This newsletter represents the continuation of the one published last year¹, were we presented the toolchain developed by the EU ECSEL AMASS (Architecture-driven, Multi-concern and Seamless Assurance and Certification of Cyber-Physical Systems) project, integrated under the umbrella of the PolarSys OpenCert project. In a nutshell, AMASS toolchain aims at increasing the efficiency of assurance and certification activities and lowering certification costs in the face of rapidly-changing product features and market needs. The purpose of this article is to report the final achievements of the project and also to call for users and stakeholders in order to extend the ecosystem and the community around it. In what follows, we go over the context and problem, derived scientific objectives, the achieved tangible results, the demonstrators and the used evaluation framework, and, last but not least, the main identified roles and stakeholders.

Context and Problem:

Embedded systems have significantly increased in technical complexity towards open, interconnected cyber-physical systems (CPS), exacerbating the problem of ensuring rolesseveral dependability concerns such as safety and security. Unlike practices in electrical and mechanical equipment engineering, CPS do not have a set of standardized and harmonized practices for assurance and certification that ensures safe, secure, and reliable operation with typical software and hardware architectures. As a result, the CPS community often finds it difficult to apply existing certification guidance. Ultimately, the pace of assurance and certification will be determined by the ability of the industry and the certification and assessment authorities to overcome technical, regulatory, and operational challenges. Another key difficulty appears when trying to reuse CPS products between projects and even from one application domain to another. Product evolutions become costly and time-consuming because they entail regenerating the entire body of evidence or their certification can be constrained by different standards. This may imply that the full assurance and certification process is applied as for a new product, thus reducing the return on investment of such reuse decision.

Derived Scientific Technical Objectives:

AMASS has defined four Scientific and Technical Objectives (STOs):

• Architecture-Driven Assurance : Explicit integration of assurance and certification activities with the CPS development activities, including specification and design. It provides support for system components composition in accordance with the domain best practices, guaranteeing that emerging behavior does not interfere with the whole system assurance.
• Multi-concern Assurance : Tool-supported methodology for the development of assurance cases, co-assessment, and contract-based assurance, which addresses multiple system characteristics (mainly safety and security, but also other dependability aspects such as availability, robustness, and reliability).
• Seamless Interoperability : Open and generically applicable approach to ensure the interoperability between the tools used in the modelling, analysis, and development of CPS, among other possible engineering activities; in particular, interoperability from an assurance and certification-specific perspective, and collaborative work among the stakeholders of the assurance and certification of CPS.
• Cross/Intra-Domain Reuse : Consistent assistance for intra- and-cross-domain reuse, or cross-concern, based on a conceptual framework to specify and manage assurance and certification assets.

AMASS Tangible Results

As summarized in Figure 1, the AMASS Project created and consolidated the first European assurance and certification open tool platform (which implements the AMASS reference tool architecture), and an ecosystem and self-sustainable community spanning the largest CPS vertical markets.

Since the inception of the AMASS project, the consortium agreed to deliver the AMASS Tool Platform results in open source. This ensures both the usability of the platform to fulfill AMASS objectives and the interoperability between potential specializations of AMASS.

Figure 1: AMASS Tangible Outcomes

AMASS has proposed the Common Assurance and Certification Metamodel (CACM)² where concepts about process and system assurance are included. The CACM provides a means to integrate the domain-specific languages resulting from the OPENCOSS³, SafeCer⁴ , and CHESS⁵ projects and allows for the integration and extension of their conceptual, modelling, and methodological frameworks. Based on this CACM, the AMASS Reference Tool architecture (ARTA) has been developed (point 1 in Figure1).

The AMASS Reference Tool Architecture represents a virtual entity that embodies a common set of tool interfaces/adaptors, working methods, tool usage methodologies, and protocols that is expected to allow any stakeholder of the assurance and certification/qualification activities to seamlessly integrate their activities (e.g., product engineering, external/independent assessment, component/parts supply) into tool chains adapted to the specific needs of the targeted CPS markets. During the AMASS Project's life, the ARTA architecture has been implemented, thus creating the AMASS Open Platform, which is available at https://polarsys.org/opencert/downloads/.

The internal and external tools integrated into and available for the AMASS Platform are shown in Figure 2, grouped with the aforementioned STOs. The STO Seamless Interoperability is not explicitly added as it is provided by the internal platform tools.

Figure 2: AMASS Platform Tools ecosystem

The internal tools are highlighted in blue, whereas the external ones are depicted in green. The internal tools are all available in Open Source and integrated into the AMASS Open Platform:

• PolarSys OpenCert⁶ is the core of the AMASS Open Source platform. OpenCert, which was created by the members of the OPENCOSS research project², supports evidence management, assurance case specification and part of the compliance management functionality (see Figure 3). It also includes new functionality implemented during the AMASS project, such as argument fragments generation starting from the information available in the system model (Polarsys CHESS) and tool interoperability with the OSLC technology⁷.

Figure 3: Compliance management in OpenCert

The PolarSys CHESS⁸ toolset, which was created by the CHESS research project⁴ and continued by SafeCer³, adds support for Architecture-Driven Assurance. The CHESS toolset leverages another important Eclipse project, the Papyrus⁹ platform for UML (Unified Modelling Language) design and profiles, including system modelling with SysML (Systems Modelling Language) and MARTE (Modeling and Analysis of Real-time and Embedded systems). In particular, CHESS provides support for:

• Contract-based modelling and analysis via integration with xSAP¹⁰ and OCRA¹¹ tools.
• Dependability modelling and analysis.
• Performance analysis through MARTE based modelling and integration with MAST¹² tool.
• Code generation facilities.

In the context of the AMASS project, the support for contract-based and dependability modelling and analysis has been extended and brand new functionalities have been provided (e.g. support for architectural patterns, documentation generation, dedicated views to support the modelling activities and to check the analysis results) to enable the architecture-driven assurance process depicted in Figure 4.

Figure 4: CHESS process for architecture-driven assurance

• EPF Composer¹³; this pre-existing Eclipse project, created by IBM more than a decade ago and brought back to life thanks to the AMASS contribution¹⁴, which is already used in the context of SafeCer, is a key component used to model the standards (a), the processes (b), the basic compliance (c) during the planning (Figure 5). In addition, from process models and standards models created in EPF Composer, users can semi-automatically generate process-based arguments aimed at offering justification for compliance as well as enabling compliance checking.

Figure 5: Standards, processes and compliance modelling in EPF Composer¹⁵

• BVR Tool¹⁶ is a series of Eclipse plugins that implement the BVR metamodel, a language for enabling variability management in the context of safety-critical systems engineering. The BVR Tool supports feature modelling, resolution, realization, and derivation of specific family members.

In AMASS, as part of the solutions for Cross-domain and Intra-Domain reuse, BVR Tool has been integrated with EPF Composer, CHESS toolset and OpenCert enabling the variability management at the process (Figure 6), product, assurance case level.

Figure 6: Managing variability at process level via the integration of EPF Composer and BVR Tool

Capra¹⁷ is a dedicated traceability management tool that allows the creation, management, visualisation, and analysis of trace links within Eclipse. Capra is highly configurable and is used and extended in AMASS to allow the creation of traceability links between different artifacts and in particular to manage the links between assurance and system design/analysis related entities (e.g. see Figure 7), as logically depicted in Figure 4.

Figure 7: Traceability View

• CDO¹⁸ is both a development-time model repository and a runtime persistence framework. It is used to store all the data in AMASS.

Apart from the internal tools, which integrate directly with the AMASS platform, external tools can be used via standardized, mostly open interfaces. For instance, WEFACT, a requirements-based workflow engine that couples to various tools, which perform the workflow activities, as depicted in Figure 8, uses EPF Composer's interfaces to import process models, representing the processes as prescribed by functional safety or cybersecurity standards. Among other features, WEFACT is capable of creating and managing requirements, plus those which represent the rules imposed by standards. These can then be exported and imported into the CHESS toolset.

Figure 8: WEFACT user interface example after importing a process model

The Enterprise Architect-based tool called MORETO ("Requirements tool") is another external tool which benefits from standardized interfaces.

Whereas each Eclipse project has its own lifecycle, according to the Eclipse Development Process and its own website, the advantage of the AMASS Open Platform is that it synchronizes several different projects and contributions in consistent versions that can be downloaded from the Polarsys OpenCert Tools Platform website¹⁹.

Demonstrators and Evaluation Framework

AMASS demonstrators are the result of the case studies implementation for several meaningful CPS industry segments. Partners have focused on modelling standards depending on their domain (industrial automation, automotive, railway, avionics, space, and air traffic), establishing an assurance project, and using the appropriate tools based on their exploitation objectives.

The AMASS Evaluation Framework, based on the Goal-Question-Metric (GQM) approach, includes a set of quality metrics to quantify the benefits at the levels of architecture driven assurance, multi-concern assurance, seamless interoperability, and cross/intra domain reuse. This framework has been used in the context of reference case studies. More specifically, a benchmarking exercise has been conducted aimed at comparing results achieved thanks to the AMASS platform with those achieved via former state of practice.

The AMASS benchmarking has been driven by project goals, including gain for design efficiency of complex CPS by reducing their assurance and certification/qualification effort; and reuse of assurance results (qualified or certified before the rise of technology innovation and sustainable impact in CPS industry).

Evaluation results from the final AMASS Platform Prototype show the fulfillment of overall AMASS goals, which are set to improve the current situation in CPS design technologies:

• G1 to demonstrate a potential gain for design efficiency of complex CPS by reducing their assurance and certification/qualification effort by 50%.
• G2 to demonstrate potential reuse of assurance results (qualified or certified before), leading to 40% of cost reductions for component/product (re)certification/qualification activities.
• G3 to demonstrate a potential rise of technology innovation led by a 35% reduction of assurance and certification/qualification risks of new CPS products. The reduction of risks can be "invested" into the risky adoption of new technologies, for which there was no space without the reduction.
• G4 to demonstrate a potential sustainable impact in CPS industry by increasing the harmonization and interoperability of assurance and certification/qualification tool technologies by 60%.

Roles and Stakeholders

The profiles of AMASS Platform users can be grouped as shown in Figure 9.

Figure 9: AMASS Tool Platform Roles, taken from D2.5 User guidance and methodological framework²⁰

In addition, potential stakeholders of the Open Source community are as follows: Tools Architects, Eclipse modelling experts, AMASS open platform developers, Researchers, Journalists, Industry / Decision makers, and general-purpose Open Source contributors.

Resources

1. https://www.eclipse.org/community/eclipse_newsletter/2018/july/amass.php
2. AMASS D2.4 Reference architecture (c), June 2018
3. OPENCOSS research project http://opencoss-project.eu/
4. SafeCer project (Certification of Software-intensive Systems with Reusable Components http://cordis.europa.eu/project/rcn/103721_en.html and http://cordis.europa.eu/project/rcn/105610_en.html
5. CHESS research project http://www.chess-project.org
6. OpenCert project page http://www.polarsys.org/projects/polarsys.opencert
7. http://trc-research.github.io/spec/km/
8. PolarSys CHESS projecthttp://www.polarsys.org/chess/start.html
9. Papyrus project http://www.eclipse.org/papyrus/
10. https://xsap.fbk.eu/
11. https://ocra.fbk.eu/
12. https://mast.unican.es/
13. Eclipse Process Framework Project (EPF) http://eclipse.org/epf/
14. EclipseCon-2018, https://www.eclipsecon.org/france2018/session/get-epf-composer-back-future-trip-galileo-photon-after-11-years
15. Ul Muram F., Gallina B., Kanwal S. (2019) A Tool-Supported Model-Based Method for Facilitating the EN50129-Compliant Safety Approval Process. In: Collart-Dutilleul S., Lecomte T., Romanovsky A. (eds) Reliability, Safety, and Security of Railway Systems. Modelling, Analysis, Verification, and Certification. RSSRail 2019. Lecture Notes in Computer Science, vol 11495. Springer, Cham
16. BVR Toolhttp://www.amass-ecsel.eu/content/bvr-tool-amass
17. Capra traceability frameworkhttp://projects.eclipse.org/projects/modeling.capra
18. CDO - Connected Data Objects http://www.eclipse.org/cdo/
19. Polarsys OpenCert Tools Platform websitehttp://www.polarsys.org/opencert/
20. AMASS Deliverable D2.5 AMASS User guidance and Methodological framework, November 2018 https://www.amass-ecsel.eu/sites/amass.drupal.pulsartecnalia.com/files/D2.5_User-guidance-and-methodological-framework_AMASS_Final.pdf