Re: [ELISA Safety Architecture WG] What’s in a name?


John MacGregor

Hi

On 05/05/2021 15:13, Brink, Peter wrote:
To several points:
Elana: The automotive specification does not call out a safety architecture. It is an expectation that the architectural design (as ISO 26262 refers to it) is going to cover the entire architecture, specifically because attempting to describe the safety mechanisms out of the context of the overall architecture is useless.
Gab: I am not sure why the automotive spec calls out "architectural design" instead of SW Architecture, but the descriptions in Part 6 Clause 7 match the descriptions in the SWEBOK and the ISO 42010 at a conceptual level.
I'm not sure either, but 26262 is not explicit enough. Back to my original comment that this goes beyond nomenclature. We should also keep in mind that we're not _just_ talking about 26262. I'm sure that other standards can muddy the waters further.

The glossary defines architecture in terms of building blocks and a safety architecture in terms of elements, while defining neither system architecture, hardware architecture nor software architecture, even though it mentions hardware architecture in the context of hardware architecture metrics...

Part 3 Clause 5 defines the item and its elements and their interaction with the environment. It seems to be the point where architectural concerns would be addressed. Part 4 Clause 6 requires the development of a system architectural design, which is a system-level technical solution. It also delineates the fundamental split between hardware and software functionality.

For me, the architecture, as defined by ISO/IEEE, is defined in Part 3 Clause 5; that is, the fundamental concepts of the system and their functionality. This is where the architectural concerns would be addressed. The system architectural design is the first cut at describing how the elements will implement their functionality and is a design in the sense that it is a solution.

Part 4 Clause 6 produces the system architectural design, which is presumably broken down into individual hardware and software elements. I'd guess that the resulting set of hardware elements and set of software elements would represent the hardware and software architectural designs, respectively, although the standard doesn't say so explicitly.

The hardware and software architectures seem to have fallen through the cracks, or are they somehow a sub-product of Part 3 Clause 5?

At any rate Part 7 jumps right into software architectural design, which represents the software architectural _elements_. After that there is a software unit design, which is a detail design of the software units... and then there's the implementation of the units, by the way.

So, to map this to the usual architecture, design, implementation waterfall (neglecting requirements, of course), I'd say:
Architecture = Part 3 Clause 5
Design = Part 4 Clause 6 + Part 6 Clause 7 + (Part 6 Clause 8) / 2
Implementation (or Development) = (Part 6 Clause 8) / 2

And "Architectural Design" is some nebulous combination of system architectural design and the software and hardware architectural designs resulting from the split into hardware and software system elements. But it's not unit detail design.

Whereby, coming back to Pete's comment, Architecture (Part 3 Clause 5) is definitely separated from Architectural Design.

Right?

And, I say again for emphasis, the WG should avoid a terminology that is too intimately entwined with 26262.

What the Architecture WG is doing and what it should be called will be left as an exercise for the reader, and, remember, a WG by any other name is still a WG.

Cheers

John

Pete
-----Original Message-----
From: devel@... <devel@...> On Behalf Of Paoloni, Gabriele via lists.elisa.tech
Sent: Wednesday, May 5, 2021 3:56 AM
To: John MacGregor <open.john.macgregor@...>; Copperman, Elana (Mobileye) <elana.copperman@...>; Christopher Temple <Christopher.Temple@...>; Gurvitz, Eli (Mobileye) <eli.gurvitz@...>; Brink, Peter <Peter.Brink@...>; Paul Albertella <paul.albertella@...>; devel@...; safety-architecture@...
Subject: Re: [ELISA Technical Community] [ELISA Safety Architecture WG] What’s in a name?
Hi John

-----Original Message-----
From: John MacGregor <open.john.macgregor@...>
Sent: Wednesday, May 5, 2021 12:23 PM
To: Paoloni, Gabriele <gabriele.paoloni@...>; Copperman, Elana
(Mobileye) <elana.copperman@...>; Christopher Temple
<Christopher.Temple@...>; Gurvitz, Eli (Mobileye)
<eli.gurvitz@...>; Peter.Brink@...; Paul Albertella
<paul.albertella@...>; devel@...; safety-
architecture@...
Subject: Re: [ELISA Technical Community] [ELISA Safety Architecture
WG] What’s in a name?

Hi

At least I now have a framework to explain what's bugging me (Thanks Chris).

To Elana's question:
Referring to the conceptual model of an architectural description [1] which was linked in Chris' description, safety is a concern to be accounted for in an architecture. In other words, it's an aspect of the architecture. For me, it's a matter of taste if the WG chooses to concentrate on the safety architecture or the architecture in general. If the decision is explicit, I can live with it somehow or other. That being said, I'd focus on all aspects of the architecture in the WG.

To Gab's question:
I really don't know. But one of the fundamental confusions I see is
that both the Development Process WG and the Architecture WG seem to
focus on the Kernel on purpose. That is, regardless of their names,
they're both the Kernel Architecture WG and the Kernel Development
Process WG.

As a practical matter, I find that unfortunate. At least in the short term, I think it's more likely that the accreditation route will be over the system. That is, in 26262 terms, we are more likely to be successful certifying over Part 6 in the context of an item or over Part 8 Qualification rather than Part 6 SEooC (terminology from Part 10, Clause 9, Table 4).
I think that we are taking a hierarchical approach where in the domain specific working groups we analyze the system architecture whereas in the Safety Arch WG and Kernel Development Process WG we focus on the architecture of the kernel; that is the "Software architectural design" according to the ISO26262-6.
In summary I don't think that a single "architecture" name fits all the WGs and I would stick to "system architecture" for domain WGs whereas "SW Architecture" or "SW Architecture design" may be used in the Safety Arch and Development Process WGs...


In that case, the architecture and development processes we should be
primarily concerned with are the system integrator's rather than the
Kernel's.

To the Architecture / Architecture Design question:
I think that an architecture, as defined in Chris' reference, is far too abstract for the work the WG is doing. For me, the work is probably being done at the second-last level of abstraction: at the level of an abstract watchdog driver to cover all the possible watchdog drivers for particular watchdog hardware and software implementations. The next level up in abstraction would be at the VFS level.

As I said in the telco, as far as I can tell, we're modelling a synchronous call on the driver. As we discussed in the Automotive WG, there's also the possibility of changing the watchdog file in /dev. This probably uses entirely different mechanisms and control flow. The Kernel's decision to implement both a control flow over ioctl and /dev was probably a design decision in my terminology.

So, for me, the Arch WG is working at the design level at the most.
If we want to call that "Architecture Design" I can live with it.
I think we can revisit the WG name once we agree on the nomenclature
Thanks
Gab


Cheers

John


[1] http://www.iso-architecture.org/ieee-1471/cm/

On 05/05/2021 11:38, Paoloni, Gabriele wrote:
Hi Elana

I would like first to clarify the name "architecture" while it is used in the current discussions that we are having about the hybrid mode. Then we can see if we need to revisit the WG name.

Thanks
Gab

-----Original Message-----
From: Copperman, Elana (Mobileye) <elana.copperman@...>
Sent: Wednesday, May 5, 2021 11:34 AM
To: Paoloni, Gabriele <gabriele.paoloni@...>; John MacGregor
<open.john.macgregor@...>; Christopher Temple
<Christopher.Temple@...>; Gurvitz, Eli (Mobileye)
<eli.gurvitz@...>; Peter.Brink@...; Paul Albertella
<paul.albertella@...>; devel@...; safety-
architecture@...
Subject: RE: [ELISA Technical Community] [ELISA Safety Architecture
WG] What’s in a name?

Gab, now I am confused.
Isn't it safety architecture? This also matches the WG name, as
well as the definitions below.
Regards
Elana

-----Original Message-----
From: safety-architecture@... <safety-
architecture@...> On Behalf Of Paoloni, Gabriele
Sent: Wednesday, May 5, 2021 12:32 PM
To: John MacGregor <open.john.macgregor@...>; Christopher
Temple <Christopher.Temple@...>; Gurvitz, Eli (Mobileye)
<eli.gurvitz@...>; Peter.Brink@...; Paul Albertella
<paul.albertella@...>; devel@...; safety-
architecture@...
Subject: Re: [ELISA Technical Community] [ELISA Safety Architecture
WG] What’s in a name?

Hi guys

WRT the discussions that we are having right now about the hybrid mode I think that the best nomenclature would be "SW Architecture" or "SW Architecture Design" and to disambiguate we could clearly refer to:
ISO26262-6.7 - "Software architectural design".

What do you think?

Thanks
Gab

-----Original Message-----
From: safety-architecture@... <safety-
architecture@...> On Behalf Of John MacGregor
Sent: Wednesday, May 5, 2021 10:30 AM
To: Christopher Temple <Christopher.Temple@...>; Gurvitz, Eli
(Mobileye) <eli.gurvitz@...>; Peter.Brink@...; Paul
Albertella <paul.albertella@...>;
devel@...;
safety- architecture@...
Subject: Re: [ELISA Technical Community] [ELISA Safety
Architecture WG] What’s in a name?

Hi Chris

The referenced definition is great - in-depth, with a discussion
of the different perceptions of the term "architecture" and then
again not too long. It addresses my concern that the definition
must be more than just nomenclature.

Note the link at the top of the page to the conceptual model.
While it's more or less what I would have expected, I liked the
emphasis on the facts that the model is abstract and that it
should focus on documenting the concerns and decisions driving the architecture.

I hope we can find more such good descriptions for other
problematic terms in the realm of safety and embedded systems.

Cheers

John

On 04/05/2021 23:11, Christopher Temple wrote:
It could be a long discussion.

Couldn't we work with ISO/IEC/IEEE 42010 http://www.iso-architecture.org/ieee-1471/defining-architecture.html ?

It's quite close to the understandings shared below.

Best regards
Chris



-----Original Message-----
From: devel@... <devel@...> On Behalf
Of Gurvitz,
Eli (Mobileye) via lists.elisa.tech
Sent: Dienstag, 4. Mai 2021 23:01
To: Peter.Brink@...; open.john.macgregor@...; Paul
Albertella
<paul.albertella@...>; devel@...; safety-
architecture@...
Subject: Re: [ELISA Technical Community] [ELISA Safety
Architecture WG]
What’s in a name?

And I'd like to add that the first 3 types of "architecture"s that Paul lists below are one and the same, phrased in different forms of technical English.
So I'd like to suggest that we think of "architecture" as a set of components, their properties and the interfaces between them. Together they comprise a "system" whose purpose is to implement some specific requirements.

Thanks,
Eli

-----Original Message-----
From: devel@... <devel@...> On Behalf
Of Brink,
Peter via lists.elisa.tech
Sent: Tuesday, May 04, 2021 20:16
To: open.john.macgregor@...; Paul Albertella
<paul.albertella@...>; devel@...; safety-
architecture@...
Subject: Re: [ELISA Technical Community] [ELISA Safety
Architecture WG]
What’s in a name?

Which is kind of the point of an architecture 😊

-----Original Message-----
From: devel@... <devel@...> On Behalf
Of John
MacGregor via lists.elisa.tech
Sent: Tuesday, May 4, 2021 10:14 AM
To: Brink, Peter <Peter.Brink@...>; Paul Albertella
<paul.albertella@...>; devel@...; safety-
architecture@...
Subject: Re: [ELISA Technical Community] [ELISA Safety
Architecture WG]
What’s in a name?

Mea Culpa,

I've always been guilty of seeing the forest and forgetting a couple of trees...

On 04/05/2021 19:12, Brink, Peter wrote:
Not a botanist indeed, John. You left off the calyx and the corolla in your flower description.

-----Original Message-----
From: devel@... <devel@...> On Behalf
Of John MacGregor via lists.elisa.tech
Sent: Tuesday, May 4, 2021 9:54 AM
To: Paul Albertella <paul.albertella@...>;
devel@...; safety-architecture@...
Subject: Re: [ELISA Technical Community] [ELISA Safety
Architecture WG]
What’s in a name?

Hi Paul

Great start. I'd have started with Shakespeare too!

The point for me, as I said in the last Sync Telco, was that the issue is not just the nomenclature. It's understanding what comprises each of the concepts and what role in the development process they serve. An architecture differs from a design which differs from an implementation at least in the level of abstraction and granularity.

I'll probably have to expand on the idea in the future (and I don't have time now). But for now, I'll give a small example:

The architecture of a rose is probably aligned with the attributes that make it recognisable:
- a stem with thorns, branches and leaves
- a flower with a certain distinctive petal form
- a distinctive smell that may or may not repel enemies

The design of a rose could
- refine the shape and effects of the thorns, branches, leaves, petals, to support structural stability, environmental robustness, etc.
- address nourishment and reproduction issues, adding roots, pistils and stamen

The implementation of a rose might detail the different breeds of roses.... Hey, even botanists get it :-) [1]

I'm not a botanist, and off the top of my head, I'm not sure whether the non-functional aspects (nourishment and reproduction) aren't architectural concerns, but I'm using the example as a light-hearted example of the differences in abstraction and granularity.

Cheers

John

BTW, the _Name_ of the Rose is a vastly different kettle of fish.

[1] https://journals.ashs.org/hortsci/view/journals/hortsci/54/2/article-p236.xml


On 04/05/2021 18:19, Paul Albertella wrote:
Hi,

What’s in a name? that which we call a rose
By any other name would smell as sweet
--- W Shakespeare "Romeo and Juliet"

As John MacGregor commented on today's Safety Architecture call, our discussions are occasionally marred by misunderstandings arising from the use of terminology that *seems* to be unambiguous, but actually means different things to different people, or in different contexts.

I believe that we can help to address this by compiling a common 'lexicon' of terms and definitions that we can use in ELISA discussions and publications, relating these to specific domains or contexts where necessary.

The term 'architecture', which John picked on today, for example, has at least four distinct meanings in the context of ELISA. Here are some definitions that may be helpful:

1) Software architecture

The Software Engineering Body of Knowledge [1] includes architecture under the general heading of design, noting that "Architectural design describes how software is organized into components", while "Detailed design describes the desired behavior of these components."

It adds that a software architecture can be strictly defined as "the set of structures needed to reason about the system, which comprise software elements, relations among them, and properties of both", but notes that it can be further subdivided into 'views' (physical, logical, process, development), focusing on different aspects of the system (distribution, functionality, concurrency, implementation).

2) System architecture

This has a very similar meaning to the term in the software context, but extends the scope to include the hardware components of a system.

IEC 61508 [2] defines architecture as a "specific configuration of hardware and software elements in a system". ISO 26262 [3] applies the term to both hardware/software combinations and pure software elements, defining it as a "representation of the structure of the item or element that allows identification of building blocks, their boundaries and interfaces, and includes the allocation of requirements to these building blocks".

3) Safety architecture

This is more or less the same as a system architecture, but focussing only on safety.

ISO 26262 [3] defines it as the "set of elements and their interaction to fulfil the safety requirements", where an element may be a system, component (hardware or software), hardware part, or software unit.

4) CPU architecture

The term 'architecture' in discussions about the Linux kernel frequently has a different meaning again, referring to the underlying architecture of the processor (x86, ARM, MIPS, etc) in a target system, and the associated 'architecture-specific' components of the kernel.

Regards,

Paul


[1] https://www.computer.org/education/bodies-of-knowledge/software-engineering
[2] https://archive.org/details/gov.in.is.iec.61508.4.1998
[3] https://www.iso.org/obp/ui/#iso:std:iso:26262:-1:ed-2:v1:en
This e-mail may contain privileged or confidential information. If you are not the intended recipient: (1) you may not disclose, use, distribute, copy or rely upon this message or attachment(s); and (2) please notify the sender by reply e-mail, and then delete this message and its attachment(s). Underwriters Laboratories Inc. and its affiliates disclaim all liability for any errors, omissions, corruption or virus in this message or any attachments.
---------------------------------------------------------------------
Intel Israel (74) Limited

This e-mail and any attachments may contain confidential material for the sole use of the intended recipient(s). Any review or distribution by others is strictly prohibited. If you are not the intended recipient, please contact the sender and delete all copies.
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
---------------------------------------------------------------------
INTEL CORPORATION ITALIA S.p.A. with sole shareholder
Registered office: Milanofiori Palazzo E 4
CAP 20094 Assago (MI)
Share capital EUR 104,000.00 fully paid up. VAT and tax code 04236760155. Economic and Administrative Register no. 997124. Milan Companies Register no. 183983/5281/33. Subject to the direction and coordination of INTEL CORPORATION, USA

This e-mail and any attachments may contain confidential material for the sole use of the intended recipient(s). Any review or distribution by others is strictly prohibited. If you are not the intended recipient, please contact the sender and delete all copies.