Robin E. Bloomfield

A Methodology for Safety Case Development

A safety case is a requirement in many safety standards. Explicit safety cases are required for military systems, the off shore oil industry, rail transport and the nuclear industry. Furthermore, equivalent requirements can be found in other industry standards, such as IEC 1508 (which requires a “functional safety assessment”) the EN 292 Machinery Directive (which requires a “technical file”) and DO 178B for avionics (which requires an “accomplishment summary”).

Safety and Assurance Cases: Past, Present and Possible Future – an Adelard Perspective

This paper focuses on the approaches used in safety cases for software based systems. We outline the history of approaches for assuring the safety of software-based systems, the current uptake of safety and assurance cases and the current practice on structured safety cases. Directions for further development are discussed.

A conservative theory for long term reliability growth prediction

The paper describes a different approach to software reliability growth modelling which should enable conservative long term predictions to be made. Using relatively standard assumptions it is shown that the expected value of the failure rate after a usage time t is bounded by: /spl lambda/~/sub t//spl les/(N/(et)) where N is the initial number of faults and e is the exponential constant. This is conservative since it places a worst case bound on the reliability rather than making a best estimate. We also show that the predictions might be relatively insensitive to assumption violations over the longer term. The theory offers the potential for making long term software reliability growth predictions based solely on prior estimates of the number of residual faults. The predicted bound appears to agree with a wide range of industrial and experimental reliability data. It is shown that less pessimistic results can be obtained if additional assumptions are made about the failure rate distribution of faults.

Confidence: Its Role in Dependability Cases for Risk Assessment

Society is increasingly requiring quantitative assessment of risk and associated dependability cases. Informally, a dependability case comprises some reasoning, based on assumptions and evidence, that supports a dependability claim at a particular level of confidence. In this paper we argue that a quantitative assessment of claim confidence is necessary for proper assessment of risk. We discuss the way in which confidence depends upon uncertainty about the underpinnings of the dependability case (truth of assumptions, correctness of reasoning, strength of evidence), and propose that probability is the appropriate measure of uncertainty. We discuss some of the obstacles to quantitative assessment of confidence (issues of composability of subsystem claims; of the multi-dimensional, multi-attribute nature of dependability claims; of the difficult role played by dependence between different kinds of evidence, assumptions, etc). We show that, even in simple cases, the confidence in a claim arising from a dependability case can be surprisingly low.

Multi-legged arguments:the impact of diversity upon confidence in dependability arguments

Intellectual diversity ‐ difference ‐ has long been used in human affairs to minimise the impact of mistakes. In the past couple of decades design diversity has been used to seek dependability in software-based systems. This use of design diversity prompted the first formal studies of the efficacy of intellectual diversity. In this paper we examine diverse arguments ‐ in particular arguments to support claims about system dependability (reliability, safety). Our purpose is to see whether the probabilistic approach that has been so successful in design diversity can be applied to diversity in arguments. The work reported here is somewhat tentative and speculative.

The application of formal methods to the assessment of high integrity software

A case study is presented in which the Vienna development method (VDM), a formal specification and development methodology, was used during the analysis phase of the assessment of a prototype nuclear reactor protection system. The VDM specification was also translated into the logic language Prolog to animate the specification and to provide a diverse implementation for use in back-to-back testing. It is claimed that this technique provides a visible and effective method of analysis which is superior to the informal alternatives.

The Practicalities of Goal-Based Safety Regulation

“Goal-based regulation” does not specify the means of achieving compliance but sets goals that allow alternative ways of achieving compliance, e.g. “People shall be prevented from falling over the edge of the cliff”. In “prescriptive regulation” the specific means of achieving compliance is mandated, e.g. “You shall install a 1 meter high rail at the edge of the cliff”.

Security-Informed Safety: If It’s Not Secure, It’s Not Safe

Traditionally, safety and security have been treated as separate disciplines, but this position is increasingly becoming untenable and stakeholders are beginning to argue that if it’s not secure, it’s not safe. In this paper we present some of the work we have been doing on “security-informed safety”. Our approach is based on the use of structured safety cases and we discuss the impact that security might have on an existing safety case. We also outline a method we have been developing for assessing the security risks associated with an existing safety system such as a large-scale critical infrastructure.

Software criticality analysis of COTS/SOUP

This paper describes the Software Criticality Analysis (SCA) approach that was developed to support the justification of commercial off-the-shelf software (COTS) used in a safety-related system. The primary objective of SCA is to assess the importance to safety of the software components within the COTS and to show there is segregation between software components with different safety importance. The approach taken was a combination of Hazops based on design documents and on a detailed analysis of the actual code (100kloc). Considerable effort was spent on validation and ensuring the conservative nature of the results. The results from reverse engineering from the code showed that results based only on architecture and design documents would have been misleading.

A conservative theory for long-term reliability-growth prediction [of software]

This paper describes a different approach to software reliability growth modeling which enables long-term predictions. Using relatively common assumptions, it is shown that the average value of the failure rate of the program, after a particular use-time, t, is bounded by N/(e/spl middot/t), where N is the initial number of faults. This is conservative since it places a worst-case bound on the reliability rather than making a best estimate. The predictions might be relatively insensitive to assumption violations over the longer term. The theory offers the potential for making long-term software reliability growth predictions based solely on prior estimates of the number of residual faults. The predicted bound appears to agree with a wide range of industrial and experimental reliability data. Less pessimistic results can be obtained if additional assumptions are made about the failure rate distribution of faults.