Abstract

The distributed design process for safety-critical embedded systems has become an increasingly difficult challenge: Electronic Control Units (ECUs) in vehicles, for instance, participate in many vehicle functions, while each vehicle function, in turn, is spread across several ECUs. Many suppliers participate in systems design and many partial functions are reused from past projects, not always knowing the assumptions at the time of their development. In particular, efficient allocation of safety mechanisms and a sound safety case are difficult tasks for original equipment manufacturers (OEMs). Contract-based development has gained popularity as an approach for supporting distributed development by explicitly annotating assumptions and guarantees to components, but an integrated process covering specification of nominal behavior and safety has not been described so far. We present such an integrated development approach that encompasses the systematic breakdown of nominal system behavior using contracts, the consistent derivation of safety analysis by interpreting several types of contract violations as a specification for failure modes, and the subsequent integration of safety mechanisms that cover these failure modes through safety contracts. The approach equally fits hardware and software and is therefore applicable on the system level. We demonstrate it by an electric drive example. The extensibility of our approach towards Cyber Physical Systems, which compose themselves at runtime, is briefly outlined at the end of the article.