The principled design of computer system safety analyses

Safety-critical computing is a relatively young and rapidly developing technology, which is nevertheless being deployed in applications where a single accident may have extremely severe consequences. The safety record of critical systems presently in service is reasonably good, but increasing expectations of functionality and performance are challenging the capabilities of current design and assessment processes. One specific area where the limitations of existing methods are becoming obvious is the analysis techniques used to derive safety requirements and to provide evidence that they have been satisfied. There are significant practical problems in using existing analysis techniques to evaluate computer systems, but few viable new computer-specific methods have been developed. This thesis proposes and evaluates a set of principles for the design of effective techniques to address novel computer system safety analysis requirements. The principles are based on an appreciation of the technical concepts underlying successful existing system-level analysis techniques, and of the practical qualities necessary to make a method industrially acceptable. The principles are applied in the development of two new safety analysis techniques for systems containing computers. The first new technique developed is Software Hazard Analysis and Resolution in Design (SHARD), a variant of the process industries' HAZOP technique. SHARD provides a structured approach to the identification of potentially hazardous behaviour in software systems. The second technique, Low-level Interaction Safety Analysis (LISA), implements a novel analysis approach based on a concept of system resources. It provides a method for establishing detailed evidence about the safety implications of interactions between software and the hardware upon which it is executed. The thesis describes the evaluation of the techniques through a series of large-scale case studies and industrial trials.
