47 pages

English

swa omg tutorial slides - kelly

Phawyar - Tpk

Le téléchargement nécessite un accès à la bibliothèque YouScribe
Tout savoir sur nos offres

47 pages

English

Le téléchargement nécessite un accès à la bibliothèque YouScribe
Tout savoir sur nos offres

A propos
Informations
Extrait

Description

zzzzzzzzzzSoftware Safety CaseManagementDr Tim KellyDepartment of Computer ScienceUniversity of YorkE-mail: tim.kelly@cs.york.ac.uk© Copyright Tim Kelly, 2007 Not to be reproduced without permission of authorTutorial OverviewPart One: 1300-1515Introduction to Safety CasesThe Importance of Safety ArgumentsThe Goal Structuring Notation (GSN)Part Two: 1530-1745Software Safety CasesProblems with Current ApproachesThe Structure of a Typical Software Safety ArgumentEstablishing Hazard-Directed Software Safety ArgumentsLinking Process and Product ArgumentsSoftware Safety Case Management Tutorial – Tim Kelly 2© Copyright Tim Kelly, 2007 Not to be reproduced without permission of authorPage 1zzzzzzzzzPart 1: OverviewSafety Case concept and purposeRequirements from standardsSafety Case contentsSafety argumentspresenting clear argumentsGoal Structuring Notation (GSN)Creating Arguments in GSNWhere, When and How to Create Assurance ArgumentsSoftware Safety Case Management Tutorial – Tim Kelly 3© Copyright Tim Kelly, 2007 Not to be reproduced without permission of authorMotivationMany (UK) standards establish the need for production of a safety case, e.g.“Safety Cases are required for all new ships and equipment as ameans of formally documenting the adequate control of Risk and demonstrating that levels of risk achieved are As Low AsReasonably Practicable (ALARP).” (JSP430)A person in control of any railway infrastructure ...

Informations

Publié par	Phawyar
Nombre de lectures	31
Langue	English

Extrait

Software Safety Case Management

Dr Tim Kelly Department of Computer Science University of York E-mail: tim.kelly@cs.york.ac.uk

Tutorial Overview

zPart One: 1300-1515 zIntroduction to Safety Cases zThe Importance of Safety Arguments zThe Goal Structuring Notation (GSN) zPart Two: 1530-1745 zSoftware Safety Cases zProblems with Current Approaches zThe Structure of a Typical Software Safety Argument zEstablishing Hazard-Directed Software Safety Arguments zLinking Process and Product Arguments

Software Safety Case Management Tutorial  Tim Kelly © Copyright Tim Kelly, 2007 Not to be reproduced without permission of author

Page 1

Part 1: Overview

zSafety Case concept and purpose zRequirements from standards zSafety Case contents zSafety arguments zpresenting clear arguments zGoal Structuring Notation (GSN) zCreating Arguments in GSN zWhen and How to Create Assurance ArgumentsWhere,

Software Safety Case Management Tutorial  Tim Kelly © Copyright Tim Kelly, 2007 Not to be reproduced without permission of author

Motivation zMany (UK) standards establish the need for production of a safety case, e.g. “Safety Cases are required for all new ships and equipment as a means of formally documenting the adequate control of Risk and demonstrating that levels of risk achieved are As Low As Reasonably Practicable (ALARP). (JSP430) A person in control of any railway infrastructure shall not use or permit it to be used for the operation of trains unless (a) he has prepared a safety case (b) the Executive has accepted that safety case (HSE Railway Safety Case Regulations) “The Software Design Authority shall provide a Software Safety Case (U.K. Defence Standard 00-55) Software Safety Case Management Tutorial  Tim Kelly 4 © Copyright Tim Kelly, 2007 Not to be reproduced without permission of author

Page 2

The Purpose of a Safety Case

Principal Objective: zSafety case presents the argument that a system will be acceptably safe in a given context z be ...System could  zphysical (e.g. aero-engines, reactor protection systems) zprocedural (e.g. railway operations, off-shore) zSafety Cases can be prepared for .. zcommissioning zmaintenance zdecommissioning ...

Software Safety Case Management Tutorial  Tim Kelly © Copyright Tim Kelly, 2007 Not to be reproduced without permission of author

Some Definitions

z"A safety case is a comprehensive and structured set of safety documentation which is aimed to ensure that the safety of a specific vessel or equipment can be demonstrated by reference to: zsafety arrangements and organisation zsafety analyses zcompliance with the standards and best practice zacceptance tests zaudits zinspections zfeedback zprovision made for safe use including emergency arrangements(JSP 430) zshall present a well-organised and reasoned"The software safety case justification based on objective evidence, that the software does or will satisfy the safety aspects of the Statement of Technical Requirements and the Software Requirements specification."(DS 00-5 5) Software Safety Case Management Tutorial  Tim Kelly 6 © Copyright Tim Kelly, 2007 Not to be reproduced without permission of author

Page 3

Argument & Evidence

A safety case requires two elements: zSupporting Evidence Results of observing, analysing, testing, simulating and estimating the properties of a system that provide the ademfnu tnlafrom which safety can be inferredinformation zHigh Level Argument Explanation of how the available evidence can be reasonably interpreted as indicating acceptable safety  usually by demonstrating compliance with requirements, sufficient mitigation / avoidance of hazards etc zArgument without Evidence is unfounded zEvidence without Argument is unexplained

Software Safety Case Management Tutorial  Tim Kelly © Copyright Tim Kelly, 2007 Not to be reproduced without permission of author

Argument & Evidence 2 Safety Requirements & Objectives

Safety Argument

Safety Evidence

Software Safety Case Management Tutorial  Tim Kelly © Copyright Tim Kelly, 2007 Not to be reproduced without permission of author

Page 4

Safety Cases vs. Safety Case Reports

zSafety Caseis the totality of the safety justification + all the supporting material: testing reports, validation reports, relevant design information etc

zSafety Case Reportis the document that summarises all the key components of the Safety Case andreferences all supporting documentation in a clear and concise format

Software Safety Case Management Tutorial  Tim Kelly © Copyright Tim Kelly, 2007 Not to be reproduced without permission of author

Safety Case Reports

zExact contents depends on regulatory environment zfollowing are key elements of most standards:The zScope zSystem Description zSystem Hazards zSafety Requirements zRisk Assessment zHazard Control / Risk Reduction Measures zSafety Analysis / Test zSafety Management System zDevelopment Process Justification zCosnoisulcn

Software Safety Case Management Tutorial  Tim Kelly © Copyright Tim Kelly, 2007 Not to be reproduced without permission of author

Page 5

Safety Arguments

zThe Safety Case is not just a collection of disparate pieces of information z the Safety Case ofThe Safety Argument should form the spine  showing how these elements are related and combined to provide assurance of safety zwithin the limits defined [Scope], the system [System Description] is SAFE because all identified hazards [System Hazards] and requirements [Safety Requirements] have been addressed. Hazards have been sufficiently controlled and mitigated [Hazard Control / Risk Reduction Measures] according to the safety risk posed [Risk Assessment]. Evidence [Safety Analysis / Test] is provided that demonstrates the effectiveness and sufficiency of these measures. Appropriate roles, responsibilities and methods were defined throughout the development of this system [Development Process Justification] [Safety Management System] and defined future operation Software Safety Case Management Tutorial  Tim Kelly 11 © Copyright Tim Kelly, 2007 Not to be reproduced without permission of author

Safety Arguments  Text Example

The Defence in Depth principle (P65) has been addressed in this system through the provision of the following: •Multiple physical barriers between hazard source and the environment (see Section X) •A protection system to prevent breach of these barriers and to mitigate the effects of a barrier being breached (see Section Y) ...

zSafety Arguments should clearly describe how a safety objective / requirement / claim has been achieved in the system as proposed zhow it has been interpreted zultimately, what evidence supports the requirements Software Safety Case Management Tutorial  Tim Kelly 12 © Copyright Tim Kelly, 2007 Not to be reproduced without permission of author

Page 6

Safety Arguments  Text Problems

For hazards associated with warnings,the assumptions of [7] Section 3.4 associated with the requirement to present a warning when no equipment failure has occurred are carried forward. In particular, with respect to hazard 17 in section 5.7 [4] that for test operation, operating limits will need to be introduced to protect against the hazard, whilst further data is gathered to determine the extent of the problem. znot everyone can write clear English zcan take many readings to decipher meaning zmultiple cross-references in text can be awkward zis there a clear shared understanding of the argument? Software Safety Case Management Tutorial  Tim Kelly 13 © Copyright Tim Kelly, 2007 Not to be reproduced without permission of author

Presenting Clear Arguments

zIt is possible in text  at least sometimes zuse simple language and short sentences zuse bullet points for key statements zbreak down the argument one step at a time zand refer to following sub-sections zstructure document sub-sections around separate concepts z6.2  Control of Hazard  Inadvertent Chaff Releasee.g. Section  zBut it is easier with pictures! zuse agraphical notationto summarise argument zGoal Structuring Notation(GSN) zClaims Argument Evidence (CAE)

Software Safety Case Management Tutorial  Tim Kelly © Copyright Tim Kelly, 2007 Not to be reproduced without permission of author

Page 7

The Goal Structuring Notation

Purpose of a Goal Structure To show howgoalsare broken down into sub-goals, and eventually supported by evidence (solutions) whilst making clear thestrategiesadopted, the rationale for the approach (assumptions, justifications)A/J and thecontextin which goals are stated

Software Safety Case Management Tutorial  Tim Kelly © Copyright Tim Kelly, 2007 Not to be reproduced without permission of author

A Simple Goal Structure

Control System is Safe

1x10-6 Secondary of H3 Probability Protection Primary of H2p.a. Probability CalHtiaamsitt rforodprshicHe1li hmaisn abteeedn< o1 cxc 1ur0r-i6ccruog n< 1rer p01 x-i3emstyS rneoitcetorPp 4dto I.gLn.edevolepSsyet m za annum annum developed to I.L. 2

Formal Fault Tree Process Process vidence Evidence of VerificationAnalysisEof I.L. 4I.L. 2 Software Safety Case Management Tutorial  Tim Kelly © Copyright Tim Kelly, 2007 Not to be reproduced without permission of author

Page 8

A Simple Goal Structure Safety Requirements & Objectives

Hazards Identified from FHA (Ref Y) All identified Software hazards eliminated developed to I.L. I.L. Process Guidelines / sufficiently appropriate to defined by Ref X. Tolerability targets hazards involved (Ref Z) Safety Argument 1x10-6 y op.a. Probabi o y a ro occurring CaHltiaamszittra fordoprshicHe1li hmains abteeden< 1 ax n1n0u-6 1 x01rur < poccnueanrm-i3loved pe Ito. .Ltcet noitsySedmegn2etsySnoitcetorP rymarimPer pPyordnraeSoc.L4 o I.pedtvelom de

Group Exercise zCreate a goal structure to support the claim:

Top This is a good pint of beer

Page 9

Step 1 Identify goals to be supported

Step 2 Define basis on which goals stated

Step 5 - Elaborate strategy Step 3 Step 6 IdentifyIdentify strategoyrttoBasic supopalsSolution gSTOP

Step 4 Define basisProcess on which strategyOverview tated

Step 1 - Identify Goals: Phrasing zGoals should be phrased as propositions zStatements that can be said to be TRUE / FALSE (e.g. The sky is blue or York is a beautiful city) zNB: not limited to statements that can be objectively proven zStatement should be expressed as a single statement (1 sentence) of in the form: <NOUN-PHRASE><VERB-PHRASE> zNoun-Phrase identifies the subject of the goal zVerb-Phrase defines a predicate over the sub ect 1 3 6 2 4 20

Page 10

Step 1 Identify Goals: Phrasing -zThe following are examples of correctly stated goals: Subject Predicate <Noun-Phrase> <Verb-Phrase> Component X has no ‘critical’ failure modes All identified hazards for System Y have been sufficiently mitigated Non-destructive examination of has been performed weld-site Z Design A employs triple modular redundancy 5 1 3 6 2 4 21

Step 1 - Identify Goals: Phrasing zThe following are examples ofincorrectlystated goals:Reason: y “Hazard Log for System Y - entitNP describes an • not a statement •“Fault Tree for Hazard H1As above •“Perform Fault Tree Analysis ofVP - an action - not a Hazard H1statement •“How many failure modes doesQuestion - not a component X have?statement zTest: can we say goal isTRUE/FALSE?1 3 6 2 4 Software Safety Case Management Tutorial  Tim Kelly 22 © Copyright Tim Kelly, 2007 Not to be reproduced without permission of author

Page 11