page 1  (12 pages)
2to next section


P Fenelon, J A McDermid, M Nicholson, D J Pumfrey

University of York


There are currently many problems with the development and assessment of software intensive safety-critical systems. In this paper we describe the problems, and introduce a novel approach to their solution, based around goal-structuring concepts, which we believe will ameliorate some of the difficulties. We discuss the use of modified and new forms of safety assessment notations to provide evidence of safety, and the use of data derived from such notations as a means of providing quantified input into the design assessment process. We then show how the design assessment can be partially automated, and from this develop some ideas on how we might move from analytical to synthetic approaches, using safety criteria and evidence as a fitness function for comparing alternative automaticallygenerated designs.

Keywords: safety assessment, architectural design, goal structures, method integration, automated design


Much current industrial practice in the design and assessment of safety-critical systems could, only slightly unfairly, be characterised as an ?over the wall? process. A design is produced with some cognisance of safety issues, it is ?tossed over the wall? to safety assessors who analyse the design and later ?toss it back? together with comments on the safety of the design and requests for change. Whilst something of a caricature, the above is not entirely unrepresentative of current industrial processes.

Industrial processes which have this character do so for organisational and cultural reasons ? the design and safety departments are separate entities, populated by engineers with different skills ? but there are also technical reasons. Specifically there is poor integration between safety analysis and design techniques, especially for software based systems, and the processes used do not easily accommodate the much tighter interaction between safety analysis and design needed for effective integration. In this paper we describe some of our work on producing more effective integration of safety analysis and design, and cover process issues, design and assessment methods and relate our work to more traditional safety analysis practices.

There are three major strands to our work. First, we propose a new way of organising and structuring development and assessment processes to encourage the stronger integration of design and analysis. Part of our aim in defining the process is to facilitate change management. For the purposes of this paper, however, we assume a ?top down? development model, but this should be viewed in the spirit of Parnas? ?rational design process ? how and why to fake it? [28]. However we do recognise the need for investigating different designs, including assessing different design strategies for their safety properties.

Second, we consider adaptations of classical safety techniques to computer-based systems, introducing a modified form of the Hazard and Operability Study (HAZOP) for carrying out analysis of high level design proposals. We also show how techniques such as fault-trees and zonal hazard analysis can be adapted to software, and indicate how to carry out automated analysis of at least some safety properties, building on classical approaches such as Markov chains.

Third, we consider how to use the analysis techniques to guide design synthesis, i.e. deriving detailed designs from more abstract designs so that they have the desired safety and timing properties. Our approach uses heuristics for searching the design space, and the automated analysis techniques for ?pruning? the space, i.e. rejecting unsuitable designs. Whilst this work is in its early stages, it draws together the other two strands, and indicates the way in which we believe it will be possible to achieve a much more strongly integrated, and automated, design and safety analysis process.

First we discuss process issues, proposing a new way of modelling and controlling processes, and setting out the role of safety analysis in a design process. We use this discussion to set the rest of the paper in context.

Safety Analysis and its role in the Design Process

The design of a safety critical system inevitably involves tradeoffs. Safety requirements may conflict with other requirements, e.g. for availability or performance, and compromises have to be found. The identification of conflicts between requirements, and their resolution, is therefore a central part of the design process; we have previously proposed the use of ?goal-structuring? as a way of making the ?spine? of the process clear [26], focusing on the derivation of requirements. It is our contention that these concepts help structure and document the complex processes of developing safety critical systems, particularly showing the relationship between safety analysis and design. We briefly introduce the concepts and show how they put the more detailed analyses discussed in the rest of the paper in context. The reader is directed towards surveys such as Leveson?s [24] or Bennett?s [3] for an overview of some of the techniques commonly used in software safety assessment, and to [4] for an overview of some of the classical means of achieving software dependability. An excellent survey of general dependability and reliability analysis methods is given in [35].

Goal Structuring Concepts

The two most fundamental concepts which are the basis of our process model are:

? goal ? is something that someone wishes to be achieved; it is more general than a requirement and may encompass process issues (e.g. some action to be performed) and product issues, e.g. more conventional requirements;