Recently, there has been a noticeable increase in abort of systems and services which support critical social infrastructures, such as abort of online systems of banks, communication failures of mobile phones and IP phones, and security failures of various commercial services, resulting in great influence on our lives. This is primarily due to a dramatic increase in scales and complexities of such commodities and services using embedded computer systems. Further investigation of the causes shows that many cases were due to human errors.
Conventionally, reliability, availability, maintainability, safety, integrity, and confidentiality of computer systems have been discussed as attributes called dependability to be provided in computer systems (Non-patent Literature 3). In the development of embedded systems, a development project is formed initially, functional requirements and non-functional requirements of target systems and services are exactly listed as specifications, long-term verifications and tests are made, and the embedded systems are deployed. However, as described above, the number of failures is increasing day by day. In standards such as CMMI and ISO 26262, attempts to reduce human errors have been made. However, these conventional techniques and standards do not take consideration of attributes of systems under open environments.
Conventional methods are based on the assumption that the specification at the time of development is surely implemented as a computer program, and the specification does not change after commodities and services are deployed. However, open environments change from the time of development to the time of deployment. Furthermore, the environments continue to change after the deployment. Accordingly, it is necessary to respond to such changes.
In order to deal with this, Japan Science and Technology Agency established the DEOS (Dependable Embedded Operating Systems/Dependability Engineering for Open Systems) project in CREST program (http://www.crest-os.jst.go.jp/), and has researched and developed a dependable operating system for embedded systems. The DEOS project calls dependability in open environments as open systems dependability, which is defined as follows. “Functions, structures, and system boundaries of modern large-scale software systems change temporally, which may result in incompleteness and uncertainty. Such incompleteness and uncertainty cannot be removed completely, and so the modern large-scale software systems essentially have factors that may result in failures in the future (Factors of Open Systems Failure). Open Systems Dependability is the ability to perform continuously the effort to remove such factors before they cause failure and to provide appropriate and quick action when they occur in order to minimize the damage, so that the system provides safely and continuously the services expected by the users, and to maintain accountability for the system operations and processes.” (see Non-patent Literature 1)
Conventionally, embedded systems are developed (not limited to development of the embedded systems) based on requirements from stakeholders and specifications reflecting the requirements. Specifically, systems are developed according to specifications summarizing functional requirements and non-functional requirements of a target system. In a case of changing a part of the system in operation, the specifications and the system implementation are updated with consistency therebetween.
One of the reasons why the specifications and the system implementation should be updated consistently is that dependability of the system (see Non-patent Literatures 1, 3 etc.) must be maintained regardless of a change in the environment. Accordingly, it must be ensured that update of dependability description data corresponding to the specifications and development and addition of a module for monitoring and controlling a system for realizing the specification are made in consistency with the specifications.
Non-patent Literature 2 describes that a document called a Safety Case, which indicates the safety of a system, should be updated in accordance with a change in the system throughout the lifecycle of the system (e.g. concept, development, operation, maintenance, update, destruction).
The Safety Case is a structured document which presents the grounds (evidence) for the safety of a system. The Safety Case has so prevailed in the United Kingdom and other countries that it is mandatory to submit a Safety Case to the certification organization in the development and operation of a system requiring high safety, such as a nuclear plant. The Safety Case is prevailing worldwide. For example, ISO 26262, which is a functional safety standard for automobiles, makes it mandatory to submit a Safety Case.