CCC (Controlling Concurrent Change) is a research unit at the TU Braunschweig
which is funded by the DFG (German Research Foundation).  The objective of this
project is to develop methods and mechanism that enable the control of
independent software updates for application domains that impose (hard)
constraints on the systems' safety, reliability, security and/or real-time
behaviour. While competing updates in the field have long found their way
into the manageable world of standard computers or smartphones, software
updates in cars or other complex and distributed safety critical systems
are still thoroughly lab-tested using models and prototypes under
controlled conditions before they can be released to the field. There is
still a serious lack of understanding how to efficiently anticipate, detect
and control the often subtle side effects of function updates in such
complex embedded system platforms and make these systems robust against
errors and malicious attacks.

For this purpose, we develop an in-system contracting mechanism which allows
the formal negotiation of assumptions and guarantees between the platform and
the changing applications. This particularly includes several analysis methods
whose results decide whether to accept, reject or constrain an application
update for the composed system. Such an application update or reconfiguration
can either be triggered manually by the user or autonomously by a changing
environment, which thus enables system evolution and optimisation.

In order to achieve this degree of (automated) analysability, we require
well-defined interfaces and bounded interference between the system components.
Otherwise, certain countermeasures like monitoring or replication must be
applied so that the previously negotiated contract can be enforced. Moreover,
the controlling entity must be granted ultimate control over the system
configuration without creating a single point of failure for the entire
system.

In this talk, I will first introduce the CCC approach and its challenges in
general. Furthermore, I am going to present the current (software) system
architecture and design principles that we use in order to provide the
infrastructure and (non-functional) requirements for the contract-based
integration and (re)configuration of critical (embedded) systems.