PhD Studentship – Engineering Dependability Cases for Systems of Systems

Name of Supervisor

Dr Tim Kelly, University of York

Project Title

Engineering Dependability Cases for Systems of Systems

Project Objective

To identify how dependability cases (assuring the properties of safety, security, availability and performance) for platforms intended to operate as part of a NEC (Network Enabled Capability) System of Systems can be established and integrated to form an overall NEC dependability case.

What would success look like?

Established processes, notations and exemplars (documented as Dependability Case Patterns) for the structuring, presentation and composition of NEC platform dependability cases that are considered acceptable and compelling by relevant certification authorities, and minimise the re-certification effort necessitated by NEC Systems of Systems configuration changes.

Background

This studentship is offered as part of the NECTISE (Network Enabled Capability through Innovative Systems Engineering) project.

NECTISE is an EPSRC & BAE SYSTEMS funded joint academic-industry research programme that investigates some of the many implications of moving to a capability-based acquisition environment in which the delivered capability is network enabled.

The challenges addressed are centred on:

·         Through-life provision of military capability: acquisition, service and support

·         Decision support within a capability-based acquisition environment: decision support tools and collaborative environments

·         Architectures for network enabled capability: service oriented, evolvable architectures for military capability and support organisations

·         Control and monitoring for systems of systems: health monitoring, reconfiguration and prognosis

The first two of these are associated with the systems engineering needed for industry to deliver into the NEC environment. The second two apply to frameworks and technologies to support operational effectiveness in that environment.

The NECTISE project involves the following universities:

Loughborough (lead) Bath Cambridge Cranfield Leeds Leicester Manchester Queen’s (Belfast) Strathclyde York

York’s contribution to NECTISE is to examine how the dependability of NEC Systems of Systems can be assured and certified

There are many dependability attributes of interest for NEC (Network Enabled Capability) platforms – including safety, security, availability and performance.  It will be necessary to justify that the required level of dependability is being achieved by any given NEC configuration, or set of configurations.  Such justifications have typically been presented in separate ‘cases’ – e.g. safety cases, security cases and reliability cases.  This task will investigate how an overall ‘dependability case’ – showing the inherent trade-offs between individual attributes – can be constructed for NEC.

Service-Oriented Architectures (SOA) offer great flexibility in the organisation of NEC platforms.  However, if this flexibility is not matched by flexibility in the organisation of the NEC dependability case the benefits of NEC reconfiguration could be swamped by re-justification effort.  Such an SOA NEC Dependability Case will need to demonstrate how service-level dependability agreements can be achieved by the composition of component system level properties.

The aim of this task is to define the means of justifying and certifying (to the relevant regulatory authorities) the dependability characteristics of Service-Oriented Architectures for NEC. In particular, to correspond with the anticipated upgrading and adaptation of the elements of the system of systems, the strand will examine how to evolve a dependability case of ‘parts’ (i.e. a modular dependability case) that can be incrementally certified and adapted alongside systems of systems evolution. Such a flexible approach to dependability case development will be essential to realising the benefits of re-configurable SOAs in NEC.

Methodology

The proposed research contains the following work packages:

Composable NEC Platform Dependability Cases

Initially, discussion with regulatory authorities will be required to gain a clear understanding of the expectations concerning NEC dependability cases.  In addition, discussions with a number of NEC design authorities will be held to build a clear picture of the upgrades / evolutions of NEC Systems of Systems typically expected.  Following these discussions, the task will establish a baseline definition of the dependability case concept with clear guidance (as already exists for safety cases) as to the typical organisation and structure of dependability arguments and supporting evidence.  In order to support the anticipated NEC upgrades and evolution, candidate architectures for the overall architecture of a ‘Service-Oriented’ Dependability Case will be proposed that mirror the expected structure of typical NEC configuration.  Through the defined interfaces and contracts between layers of a SOA Dependability Cases the task will seek to demonstrate how re-justification effort can be limited in the presence of change.    In addition, in order to provide the maximum flexibility in the construction of an overall NEC Dependability Case from component parts the task will establish guidance / heuristics on establishing ‘open’ (readily composable) component system dependability cases, together with flexible integration strategies.

Establishing Development and Certification Processes to support Incremental Certification of SOA

Alongside the principle of establishing overall SOA NEC dependability cases from the controlled composition of component system dependability cases is the principle that these component cases can be certified (accepted by a regulatory authority) separately from certification of the whole NEC Systems of Systems.  This task examines the modifications to certification standards and processes that will be required to support these principles of incremental certification.  The timing of NEC dependability case development and it’s integration with, and influence upon, NEC system integration will be examined.

The task will explore the particular problem of Dependability Case Style ‘Mismatch’ – where differences in the strength and nature of dependability arguments and evidence established for individual component systems makes it difficult to integrate them as part of the overall NEC case.  Mismatch mitigation strategies such as Dependability Case ‘Wrapping’ (for legacy systems) and bridging arguments will be explored and documented as Dependability Case Patterns (building on existing principles of Safety Case Patterns).

The task will investigate and define the maintenance processes associated with SOA NEC Dependability Case evolution.  In the presence of credible NEC Systems of Systems upgrades and reconfigurations, the task will demonstrate how it is possible to use the interfaces and contractual agreements of the component level dependability cases to limit the effects of change.  The necessary processes to validate that an overall dependability case contract has been ‘upheld’ in the presence of change will be established.

Finally, the task will examine how the dependability information recorded by the NEE Dependability Case, both at the Systems of Systems level and component system level (as recorded in Dependability Case Interfaces) can be used operationally to inform dynamic reconfiguration decisions.

Case Study Application of Dependability Case approach:

Case study / scenario examples (integrated with the NECTISE Demonstrations) will be used to validate the SOA Dependability Case approach – including stakeholder involvement from appropriate regulatory authorities.  In particular, the case study will demonstrate the development of multiple NEC dependability cases (corresponding to a number of NEC configurations) from the same stock of component system level dependability cases.  In addition, the case study will demonstrate how it is possible to satisfy the same NEC service-level dependability properties through different combinations of component level dependability cases (corresponding to different NEC Systems of Systems configurations).

Through the above tasks, this strand of research will establish the principles, notations, methods and processes necessary to support the development, certification and maintenance of NEC SOA Dependability Cases.

Research Plan

In addition to the tasks already described above, the Department of Computer Science at York has a fixed set of milestones for any student registered for a full-time PhD. Assuming Year 1/Oct start, the following milestones are set:

·         Literature Review Seminar (Year 1/Dec) – presenting the results of the first three months of literature survey (examining dependability, assurance methods, existing practice in assurance case development)

·         Qualifying Dissertation (Year 1/Jun) – production of a report summarizing the first nine months of literature survey, together with a proposed “line of attack” for the PhD and a summary of preliminary research results.  This report is assessed by viva voce examination with the supervisor and appointed internal assessor.

·         Thesis proposal (Year 2/Mar) – production of a report outlining the intended thesis structure, hypothesis, key contributions and intended forms of evaluation. This report is assessed by viva voce examination with the supervisor and appointed internal assessor.

·         Thesis audit (Year 3/Jan) – a review of progress in completion of the thesis as outlined in the thesis proposal.

·         Thesis seminar (Year 3/Jul) – a peer-reviewed seminar at which the student presents the key contributions and findings of their thesis

·         Thesis submission (target date Year 3/Sep)

Programme Links

This work would complement the work on Through-life Certification of NEC Platforms being performed by the University of York as part of the Through-Life Systems Management (TLSM) strand.  For practical reasons, in the existing work we have focused on the certification processes of one attribute of dependability – namely, safety.  This proposal would enable us to explore the relationship between the assurance and justification of safety and the other attributes of dependability for NEC platforms.

In addition, our interest in the relationship between establishing dependability cases for NEC platforms and Service Oriented Architectures provides a cross-cutting link between TLSM’s work on dependability and the work on Service Oriented Architectures being performed by Leeds as part of the Architectures strand.  We would hope to examine the dependability assurance and certification implications of the architecture proposals emerging from the Leeds work.   Ultimately, as well as providing our proposed work with concrete architecture proposals, our proposed work has the potential to improve the technology transfer of the results of the Leeds architectures work to industry (where assurance of dependability will be a key concern).

Business links/support

We expect to exploit the links with BAE SYSTEMS that York has already established through our work on the NECTISE programme and other programmes (SEAS DTC, DCSC, SSEI).  In particular, the following links will be used:

·         Nimrod (Air Systems)

·         FRES (Land Systems)

·         Type 45