Tim Kelly
University of York
Publications
Featured research published by Tim Kelly.
Communications of The ACM | 2012
Ian Sommerville; Dave Cliff; Radu Calinescu; Justin Keen; Tim Kelly; Marta Z. Kwiatkowska; John A. McDermid; Richard F. Paige
The reductionism behind today's software-engineering methods breaks down in the face of systems complexity.
international conference on computer safety, reliability, and security | 1997
Tim Kelly; John A. McDermid
This paper presents an approach to the reuse of common structures in safety case arguments through their documentation as ’Safety Case Patterns’. Problems with the existing, informal and ad-hoc approaches to safety case material reuse are highlighted. We argue that through explicit capture and documentation of reusable safety case elements as patterns, the process of safety case construction and reuse can be made more systematic. For the description of patterns a safety case pattern language and a graphical pattern notation (based on the Goal Structuring Notation) are presented. Using this framework we briefly describe a number of example argument patterns. A fully documented example pattern is included as an appendix to this paper.
Requirements Engineering | 2001
Karen Allenby; Tim Kelly
Elicitation of requirements for safety critical aero-engine control systems is dependent on the capture of core design intent and the systematic derivation of requirements addressing hazardous deviations from that intent. Derivation of these requirements is inextricably linked to the safety assessment process. Conventional civil aerospace practice (as advocated by guidelines such as ARP4754 and ARP4671) promotes the application of Functional Hazard Assessment (FHA) to sets of statements of functional intent. Systematic hazard analysis of scenario-based requirements representations is less well understood. This paper discusses the principles and problems of hazard analysis and proposes an approach to conducting hazard analysis on use case requirements representations. Using the approach, it is possible to justifiably derive hazard-mitigation use cases as first class requirements from systematic hazard analysis of core design intent scenarios. An industrial example is used to illustrate the technique.
Communications of The ACM | 2000
Seymour E. Goodman; Tim Kelly; Michael Minges; Larry Press
Starting near sea level in the tropical jungles along its southern border with India and moving northward, Nepal rises steeply to almost 30,000 feet in the Himalayas and contains eight of the 10 tallest mountains in the world, including Mt. Everest (Sagarmatha). Beyond these it is downhill to the 15,000-foot Tibetan Plateau and the other Asian giant, China. Although Nepal's landlocked position at the top of the world helped protect it from some of the worst impositions by foreigners elsewhere in Asia (but has not spared it from the troubles of others, as exemplified by refugee migrations from Tibet and Bhutan), isolation has deemed Nepal a Least Developed Country (LDC), as classified by the United Nations Development Program (UNDP). In the late 1990s, Nepal's per capita GNP was U.S. $210; of the country's roughly 21 million people, 80% were engaged in agriculture; 42% of the population was under 15 years of age. Only 39% of the population is literate, with large variations according to gender, region, and ethnic community. In what is potentially the "Saudi Arabia of hydroelectric power," only 15% of Nepali households have electricity. Nepal is a parliamentary democracy under a constitutional monarchy (that for a short time had the peculiar distinction of electing a Marxist-Leninist government). Some Maoist guerrilla activities and domestic police excesses aside, Nepal has been spared the massive internal bloodshed that too often characterizes other LDCs with internal ethnic divisions. It is not seriously threatened by its giant neighbors. Not many LDCs have a long history of such stability. Nepal is one of many historically poor and geographically isolated countries now looking to
SSS | 2011
Richard Hawkins; Tim Kelly; John C. Knight; Patrick J. Graydon
SAE transactions | 2004
Tim Kelly
We introduce assured safety arguments, a new structure for arguing safety in which the safety argument is accompanied by a confidence argument that documents the confidence in the structure and bases of the safety argument. This structure separates the major components that have traditionally been confused within a single safety argument structure. Separation gives both arguments greater clarity of purpose, and helps avoid the introduction of superfluous arguments and evidence. In this paper we describe a systematic approach to establishing both arguments, illustrated with a running example.
Archive | 1997
Stephen P. Wilson; Tim Kelly; John A. McDermid
In Europe, over recent years, there has been a marked shift in the regulatory approach to ensuring system safety. Whereas compliance with prescriptive safety codes and standards was previously the norm, the responsibility has now shifted back onto the developers and operators to construct and present well-reasoned arguments that their systems achieve acceptable levels of safety. These arguments (together with supporting evidence) are typically referred to as a safety case. This paper describes the role and purpose of a safety case (as defined by current safety and regulatory standards). Safety arguments within safety cases are often poorly communicated. This paper presents a technique called GSN (Goal Structuring Notation) that is increasingly being used in safety-critical industries to improve the structure, rigor, and clarity of safety arguments. Based upon the GSN approach, the paper also describes how an evolutionary and systematic approach to safety case construction, in step with system development, can be facilitated.
Reliability Engineering & System Safety | 2001
Tim Kelly; John A. McDermid
Safety-critical and safety-related systems are becoming more highly integrated and continue to increase in complexity. In parallel with this, certification standards for such systems are becoming more stringent, requiring more extensive and more detailed analyses. Safety cases, therefore, are themselves growing in size and complexity and are becoming increasingly costly to produce. It has become necessary to re-examine how and why safety cases are built in order that we might provide a means for managing their inherent complexity and reduce production costs.
Reliability Engineering & System Safety | 2003
Iain Bate; Tim Kelly
A crucial aspect of safety case management is the ongoing maintenance of the safety argument through life. Throughout the operational life of any system, changing regulatory requirements, additional safety evidence and a changing design can challenge the corresponding safety case. In order to maintain an accurate account of the safety of the system, all such challenges must be assessed for their impact on the original safety argument. This is increasingly being recognised by many safety standards. However, many safety engineers are experiencing difficulties with safety case maintenance at present, the prime reason being that they do not have a systematic and methodical approach by which to examine the impact of change on the safety argument. The size and complexity of safety arguments and evidence being presented within safety cases is increasing. Nowhere is this more apparent than for Electrical, Electronic and Programmable Electronic systems attempting to comply with the requirements and recommendations of software and hardware safety standards such as IEC 61508 [Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems. International Electrotechnical Commission, Draft Standard, 1997] and UK Defence Standards 00-54 [MoD. 00-54 Requirements of Safety Related Electronic Hardware in Defence Equipment. Ministry of Defence, Interim Defence Standard, 1999], 00-55 [MoD. 00-55 Requirements of Safety Related Software in Defence Equipment. Ministry of Defence, Defence Standard, 1997], and 00-56 [MoD. 00-56 Safety Management Requirements for Defence Systems. Ministry of Defence, Defence Standard, 1996]. However, this increase in safety case complexity exacerbates problems of comprehension and maintainability later on in the system lifecycle. This paper defines and describes a tool-supported process, based upon the principles of goal structuring, that attempts to address these difficulties through facilitating the systematic impact assessment of safety case challenges.
IEEE Software | 2012
Patrick J. Graydon; Ibrahim Habli; Richard Hawkins; Tim Kelly; John C. Knight
Modular system architectures, such as integrated modular avionics (IMA) in the aerospace sector, offer potential benefits of improved flexibility in function allocation, reduced development costs and improved maintainability. However, they require a new certification approach. The traditional approach to certification is to prepare monolithic safety cases as bespoke developments for a specific system in a fixed configuration. However, this nullifies the benefits of flexibility and reduced rework claimed of IMA-based systems and will necessitate the development of new safety cases for all possible (current and future) configurations of the architecture. This paper discusses a modular approach to safety case construction, whereby the safety case is partitioned into separable arguments of safety corresponding with the components of the system architecture. Such an approach relies upon properties of the IMA system architecture (such as segregation and location independence) having been established. The paper describes how such properties can be assessed to show that they are met and trade-offs performed during architecture definition reusing information and techniques from the safety argument process.