Contract-Based Safety Certification for the Dynamic Adaptation Behavior of Networked Embedded Systems

Under the notion of Cyber-Physical Systems, an increasingly important research area has evolved with the aim of improving the connectivity and interoperability of previously separate system functions. Today, the advanced networking and processing capabilities of embedded systems make it possible to establish strongly distributed, heterogeneous systems of systems. In such configurations, the system boundary does not necessarily end with the hardware but can also take into account the wider context, such as people and environmental factors. In addition to being open and adaptive to other networked systems at integration time, such systems need to be able to adapt themselves in accordance with dynamic changes in their application environments. Considering that many of the potential application domains are inherently safety-critical, it has to be ensured that the necessary modifications in the individual system behavior are safe. However, currently available state-of-the-practice and state-of-the-art approaches for safety assurance and certification are not applicable to this context. To provide a feasible solution approach, this thesis introduces a framework that allows "just-in-time" safety certification for the dynamic adaptation behavior of networked systems. Dynamic safety contracts (DSCs) are presented as the core solution concept for monitoring and synthesis of decentralized safety knowledge. Ultimately, this opens up a path towards standardized service provision concepts as a set of safety-related runtime evidence. DSCs enable the modular specification of relevant safety features in networked applications as a series of formalized demand-guarantee dependencies. The specified safety features can be hierarchically integrated and linked to an interpretation level for assessing the scope of possible safe behavioral adaptations.

In this way, the networked adaptation behavior can be conditionally certified with respect to the fulfilled DSC safety features during operation. As long as the continuous evaluation process provides safe adaptation behavior for a networked application context, safety can be guaranteed for a networked system mode at runtime. Significant safety-related changes in the application context, however, can lead to situations in which no safe adaptation behavior is available for the current system state. In such cases, the remaining DSC guarantees can be utilized to determine optimal degradation concepts for the dynamic applications. For the operationalization of the DSC approach, suitable specification elements and mechanisms have been defined. Based on a dedicated GUI-engineering framework, it is shown how DSCs can be systematically developed and transformed into appropriate runtime representations. Furthermore, a safety engineering backbone is outlined to support the DSC modeling process in concrete application scenarios. The conducted validation activities show the feasibility and adequacy of the proposed DSC approach. In parallel, limitations and areas of future improvement are pointed out.
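The abstract describes DSCs as hierarchically linked demand-guarantee dependencies that are evaluated continuously at runtime, with the fulfilled guarantees deciding which networked system mode may be certified and, when guarantees are lost, which degraded mode remains safe. The following is an added illustration of that evaluation loop, written for this page; it is not the thesis's own formalism, tooling or runtime representation. The contract names, evidence identifiers, modes and the convoy scenario are all constructed for the example, and the fixed-point propagation of guarantees through the hierarchy is one simple reading of "hierarchically integrated", chosen here as an assumption.

```python
"""Toy evaluator for demand/guarantee safety contracts (constructed example,
not the thesis's DSC framework). Evidence observed at runtime is propagated
through the contract hierarchy; the most capable system mode whose required
guarantees are all fulfilled is selected, otherwise a degraded mode."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Sequence, Set, Tuple


@dataclass(frozen=True)
class SafetyContract:
    """One demand/guarantee dependency (hypothetical stand-in for a DSC)."""
    name: str
    demands: FrozenSet[str]     # runtime evidence or lower-level guarantees
    guarantees: FrozenSet[str]  # safety features asserted once all demands hold


@dataclass(frozen=True)
class SystemMode:
    """A networked operating mode and the guarantees it needs to be safe."""
    name: str
    requires: FrozenSet[str]


def fulfilled_guarantees(contracts: Iterable[SafetyContract],
                         evidence: Iterable[str]) -> FrozenSet[str]:
    """Propagate evidence through the contract hierarchy to a fixed point.

    A contract's guarantees become known only when every demand is already
    known, so a guarantee can never be asserted on missing evidence."""
    known: Set[str] = set(evidence)
    changed = True
    while changed:
        changed = False
        for c in contracts:
            if c.demands <= known and not c.guarantees <= known:
                known |= c.guarantees
                changed = True
    return frozenset(known)


def unmet_demands(contracts: Iterable[SafetyContract],
                  known: FrozenSet[str]) -> Dict[str, FrozenSet[str]]:
    """Map each unfulfilled contract to the demands it is still missing,
    which is the information a degradation decision would be based on."""
    return {c.name: frozenset(c.demands - known)
            for c in contracts if not c.demands <= known}


def select_mode(modes: Sequence[SystemMode],
                known: FrozenSet[str]) -> Optional[str]:
    """Modes are ordered from most capable to safest fallback; the first
    mode whose requirements are fulfilled is the certified one."""
    for m in modes:
        if m.requires <= known:
            return m.name
    return None  # unreachable if the last mode requires nothing


def certify(contracts: Sequence[SafetyContract], modes: Sequence[SystemMode],
            evidence: Iterable[str]) -> Tuple[Optional[str], FrozenSet[str]]:
    known = fulfilled_guarantees(contracts, evidence)
    return select_mode(modes, known), known


def evaluate_trace(contracts: Sequence[SafetyContract], modes: Sequence[SystemMode],
                   snapshots: Sequence[FrozenSet[str]]) -> List[Optional[str]]:
    """Continuous evaluation: one certification decision per evidence snapshot."""
    return [certify(contracts, modes, s)[0] for s in snapshots]


# Constructed scenario: a vehicle coordinating with a peer over a network link.
CONTRACTS = (
    SafetyContract("relative_localization",
                   frozenset({"gnss.fix", "peer.position_fresh"}),
                   frozenset({"relative_position.valid"})),
    SafetyContract("comm_timeliness",
                   frozenset({"link.latency_ok"}),
                   frozenset({"coordination.timely"})),
    SafetyContract("platoon_gap",
                   frozenset({"relative_position.valid", "coordination.timely",
                              "ego.brake_ok"}),
                   frozenset({"platoon.safe_gap"})),
)
MODES = (
    SystemMode("cooperative_platooning", frozenset({"platoon.safe_gap"})),
    SystemMode("adaptive_following",
               frozenset({"relative_position.valid", "ego.brake_ok"})),
    SystemMode("standalone_manual", frozenset()),  # safe fallback, no demands
)
# Constructed evidence snapshots: full evidence, then link degraded, then GNSS lost.
SNAPSHOTS = [
    frozenset({"gnss.fix", "peer.position_fresh", "link.latency_ok", "ego.brake_ok"}),
    frozenset({"gnss.fix", "peer.position_fresh", "ego.brake_ok"}),
    frozenset({"peer.position_fresh", "ego.brake_ok"}),
]

if __name__ == "__main__":
    for snap, mode in zip(SNAPSHOTS, evaluate_trace(CONTRACTS, MODES, SNAPSHOTS)):
        print(sorted(snap), "->", mode)
```

The design point worth noting is that the fallback mode demands nothing, so the evaluator always returns a certified mode; losing evidence can only move the system down the mode order, never leave it without a decision, and `unmet_demands` exposes exactly which missing evidence or guarantee caused the degradation.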

Metadata
Author: Sebastian Müller
URN: urn:nbn:de:hbz:386-kluedo-57566
Advisor: Peter Liggesmeyer
Document Type: Doctoral Thesis
Language of publication: English
Date of Publication (online): 2019/10/17
Year of first Publication: 2019
Publishing Institution: Technische Universität Kaiserslautern
Granting Institution: Technische Universität Kaiserslautern
Acceptance Date of the Thesis: 2019/09/09
Date of the Publication (Server): 2019/10/18
Page Number: XIV, 132
Faculties / Organisational entities: Kaiserslautern - Fachbereich Informatik
DDC-Classification: 0 General works, computer science, information science / 004 Computer science
Licence (German): Creative Commons 4.0 - Namensnennung, nicht kommerziell, keine Bearbeitung (CC BY-NC-ND 4.0)