Conditional safety certification for open adaptive systems

Over the last decade, it has become increasingly evident that nextgeneration systems will be strongly distributed, networked heterogeneous systems of systems. New corresponding computing paradigms have been coined along the way, such as Ubiquitous Computing, Ambient Intelligence, and, more recently, Cyber-Physical Systems. It is expected that such systems will be open with respect to dynamic integration and adaptive with respect to dynamic changes in their environments. Considering that many application domains of such next-generation systems are inherently safety-critical, it is a common requirement for them to be safe - despite being open and adaptive. However, established safety assurance and certification approaches, both state-of-the-practice and state-of-the-art ones, are not applicable to that context. As a first solution approach, this thesis presents a framework that enables conditional safety certification for open adaptive systems. Modular conditional safety certificates (ConSerts) are introduced as the core solution concept. ConSerts contain a series of formalized guarantee-demand relationships and can be composed and evaluated at runtime. The evaluation result can be interpreted as a runtime safety certificate that supports the autonomous decision of whether the integrated system is currently safe to run or not. For the operationalization of ConSerts, adequate support for dynamic integration and adaptation as well as appropriate modularization concepts and mapping functions have been established. Moreover, it is shown how the ConSert models can be transformed into a suitable runtime representation, and mechanisms and protocols have been defined that operate on these runtime representations to conduct the dynamic evaluation of dynamically integrated systems of systems. Finally, it is elaborated how the presented approach can be integrated with established engineering methodologies to provide guidance with respect to the required safety engineering backbone for conditional safety certification in concrete settings. The results of the validation show that the approach is feasible and can be operationalized effectively, thus potentially opening up a path towards approaches to runtime safety certification of open adaptive system. At the same time, these results highlight limitations and areas of future improvement.