320 likes | 539 Views
Software Safety Case. Why, what and how…. Jon Arvid Børretzen. Why safety case?. A tool for managing safety A reasoned argument that a system is or will be safe A means to obtain regulatory approval to operate A unique collection of data, information, logical arguments.
E N D
Software Safety Case Why, what and how… Jon Arvid Børretzen
Why safety case? • A tool for managing safety • A reasoned argument that a system is or will be safe • A means to obtain regulatory approval to operate • A unique collection of data, information, logical arguments
Goal-based vs. Prescriptive regulations Problems with prescriptive regulations: • Safety responsibility, regulator or service provider? • Prescriptive regulations tend to be based on past experiences. Software development is often innovative. • Best practice vs. evolving technologies Goal-based regulations are more flexible, yet aim to ensure the safety in a system.
Motivation for safety case • Provide an assurance viewpoint • Provide a focus and rationale for safety activities • Provide a reviewable approach • Demonstrate a clear link between risk/hazards and implemented solutions • Allow interworking between standards and innovation Using safety case, the emphasis should be on the behaviour of the product, not the development process. “What has been achieved, not how hard you have tried”
Value of Safety Cases to safety management • Consistency • Completeness • Identifying and managing the safety impacts of change • Setting safety targets • Confidence in meeting safety targets
What is (a) safety case? “A documented body of evidence that provides a convincing and valid argument that a system is adequately safe for a given application in a given environment” [Adelard]
Implementing a safety case • Make an explicit set of claims about the system • Produce the supporting evidence • Provide a set of safety arguments that link the claims to the evidence • Make clear the assumptions and judgements underlying the arguments
Safety case structure and content • Logical stepping stones • Based on: • Safety requirements • Safety argument • Safety evidence Safety case is structure as well as content!
Inference rule Evidence Evidence Claim Claim Evidence Evidence Sub-claim Sub-claim Inference rule Argument structure Main elements of a safety case • Claims • Evidence • facts • assumptions • sub-claims, • Arguments • Inference rules
Reliability/availability Security Maintainability Time response Functional correctness Usability Fail-safety Accuracy Overload robustness Modifiability Etc.. Types of claims Claim Quality Attributes
The design The development process Simulated experience (for example from reliability testing) Prior field experience Evidence requirements What evidence is needed? How can it be provided? What will be adequate? Argument from simulation? Sources of evidence Evidence
Types ofarguments • Deterministic • Probabilistic • Qualitative Choices depend on available evidence and type of claim Inference rule Inference rule Argument structure
How is safety case used? • Throughout the whole of the software life cycle • Layering of safety cases • High level safety case • Subsidiary safety cases for subsystems • Traceability between whole system and subsystem levels • Design for assessment
Starts at top level Overall safety target Derived requirements for subsystems At high level of abstraction: Reliability,security etc. At more detailed level: Design requirements implemented in subsystem System safety requirement Safety functions 1 Safety functions 2 System architecture System part 1 System part 2 Detailed functions Detailed functions Layered safety cases
Traceability between levels Reliability Testing Inspection Coding Standards Maintainability Accessible source code
The Safety Case life cycle • Preliminary • Architectural • Implementation • Operation and Installation
Main stages of safety case evolution (1) • Safety functions and top-level safety attributes identification • System architecture and outline safety case identification • Preliminary assessment of design options • Progressive elaboration of the design and safety case in parallel
Main stages of safety case evolution (2) • Integration into final safety case • Long-term support infrastructure plans • Approval • Long-term monitoring and audits • System updates and corrections
Things to have in mind… • Produce a safety case before you find that you needed it! • Changes have safety implications
Safety case contents (1) • Environment description • Safety requirements • System architecture • Planned implementation approach
Safety case contents (2) • Subsystem design and safety arguments • Long-term support requirements • Maintenance and operation procedures • Status information • Evidence of quality and safety management
Tool support for safety cases • Decision support and elicitation tools. • Drawing out ideas • Tools to generate evidence • Safety analysis tools • Tools for collecting and analysing field experience • Test tools • Safety Management system infrastructure support
Inference rule Evidence Claim Evidence Sub-claim Inference rule Argument structure Notations - ASCAD • ASCAD - Adelard Safety Case Development • claims-arguments-evidence motif
Notations - GSN • GSN - Goal Structuring Notation • goals-strategies-solution form of construction • Linked by logical connections to form an argument structure
Coupling with other safety-critical methods • PHA and Hazop to identify risks and safety concerns that the safety case will handle • FMEA and FTA for evidence generation
The business-critical setting • Safety case very comprehensive • The main concept and structure useful • Aiding documentation • Trace hazards to solutions • Levels of abstraction • Methods, tools and experience exist
Concluding remarks • Emphasis on claims about system behaviour and suitable arguments • Simple structuring ideas, but allows quite complex safety cases which are understandable and traceable • Layered structure of the safety case allows the safety case to evolve over time