Towards Rigorous Construction of Safety Cases (original) (raw)
Related papers
Towards Rigorous Construction of Safety Cases (revised)
2014
Nowadays, certification of safety-critical software systems requires submission of safety assurance documents, often in the form of safety cases. A safety case is a justification argument used to show that a system is safe for a particular application in a particular environment. Different argumentation strategies are applied to derive the evidence for a safety case. They allow us to support a safety case with such evidence as results of hazard analysis, testing, simulation, etc. On the other hand, application of formal methods for development and verification of critical software systems is mandatory for their certification. In this paper, we propose a methodology that combines these two activities. Firstly, it allows us to map the given safety requirements into elements of the formal model to be constructed, which is then used for verification of these requirements. Secondly, it guides the construction of a safety case demonstrating that the safety requirements are indeed met. Consequently, the argumentation used in such a safety case allows us to support the safety case with formal proofs and model checking results as the safety evidence. Moreover, we propose a set of argument patterns that aim at facilitating the construction of (a part of) a safety case from a formal model. In this work, we utilise the Event-B formalism due to its scalability and mature tool support. We illustrate the proposed methodology on numerous small examples as well as validate it on a larger case study -a steam boiler control system.
Facilitating construction of safety cases from formal models in Event-B
Information and Software Technology, 2015
Context: Certification of safety-critical software systems requires submission of safety assurance documents, e.g., in the form of safety cases. A safety case is a justification argument used to show that a system is safe for a particular application in a particular environment. Different argumentation strategies (informal and formal) are applied to determine the evidence for a safety case. For critical software systems, application of formal methods is often highly recommended for their safety assurance. Objective: The objective of this paper is to propose a methodology that combines two activities: formalisation of system safety requirements of critical software systems for their further verification as well as derivation of structured safety cases from the associated formal specifications. Method: We propose a classification of system safety requirements in order to facilitate the mapping of informally defined requirements into a formal model. Moreover, we propose a set of argument patterns that aim at enabling the construction of (a part of) a safety case from a formal model in Event-B. Results: The results reveal that the proposed classification-based mapping of safety requirements into formal models facilitates requirements traceability. Moreover, the provided detailed guidelines on construction of safety cases aim to simplify the task of the argument pattern instantiation for different classes of system safety requirements. The proposed methodology is illustrated by numerous case studies. Conclusion: Firstly, the proposed methodology allows us to map the given system safety requirements into elements of the formal model to be constructed, which is then used for verification of these requirements. Secondly, it guides the construction of a safety case, aiming to demonstrate that the safety requirements are indeed met. Consequently, the argumentation used in such a constructed safety case allows us to support it with formal proofs and model checking results used as the safety evidence.
A case study in software safety assurance using formal methods
1999
This report describes a formal approach to verification and validation of safety requirements for embedded software, by application to a simple control-logic case study. The logic is formally specified in Z. System safety properties are formalised by defining an abstract model of the system’s physical behaviour in Z, including its hazardous states and dominant sensor failures. The Possum specification-animation tool is then used to check that the logic meets its safety requirements. Finally, the logic is implemented in SPARK Ada and SPARK Examiner is used to formally verify the implementation meets its specification. Design safety validation and source code verification are completely automated, removing the need for
Formal Methods: Use and Relevance for the Development of Safety-Critical Systems
The Computer Journal, 1992
We are now starting to see the first applications of formal methods to the development of safety-critical computer based systems. Discussion on what are appropriate methods and tools is still intense, and there is no standard approach that presents a complete solution for the formal development of such systems. Some of the protagonists claim that formal methods offer a complete solution to the problems of safety-critical software development. Others claim that formal methods are of little or no use-or at least that their utility is severely limited by the cost of applying the techniques. The aim of this paper is to try to cast some light on this debate and to discuss from a technico-philosophical viewpoint the benefits and limitations of formal methods in this context.
A Systematic Approach for Developing Software Safety Arguments
2009
It is becoming increasingly common to develop safety arguments (also called assurance arguments) to demonstrate that the software aspects of a system are acceptably safe to operate. A software safety argument enables a compelling justification of the sufficiency of the software to be provided, whilst also giving the software developer flexibility to adopt the development approach that is most appropriate for their system. To be compelling, the safety argument must provide sufficient assurance in the safety claims made about the software. Our investigations have shown that creating compelling software safety arguments remains a major challenge for those developing safety-related software. To help address this challenge we have developed a systematic approach to software safety argument construction which explicitly considers and addresses assurance. Our approach has two key elements which, when used together, facilitate the construction of compelling software safety arguments. Firstl...
Model-Based Safety-Cases for Software-Intensive Systems
Safety cases become increasingly important for software certification. Models play a crucial role in building and combining information for the safety case. This position paper sketches an ideal model-based safety case with defect hypotheses and failure characterisations. From this, open research issues are derived.
Validating Formal Verification using Safety Analysis Techniques
1999
The increased interest in the use of automated safety analysis is supported by the claim that manual safety analysis based on traditional techniques is error-prone, costly and not necessarily complete. It is also claimed that traditional techniques are not able to deal with the inherent complexities of software intensive systems. However, we show in this paper that a transition (from manual to automatic approaches) in the assessment process and technologies is accompanied by an inherent risk of obtaining false confidence, unless safeguards are provided. The safeguard presented in this paper integrates traditional deductive and inductive analysis techniques with model checking, a form of formal verification. The aim is to provide the safety analyst with a rigourous approach for the validation of formal models. The feasibility of the overall approach is illustrated in terms of a case study.
Establishing Formal Regulatory Requirements for Safety-Critical Software Certification
Proc. AQuIS 2002: 5th International Conference on Achieving Quality In Software - SPICE 2002: International Conference on Software Process Improvement and Capability dEtermination, 2002
Formal methods are usually used for computer system specification, production and verification. In this paper, a new direction for the use of formal methods is proposed, namely formalization of the regulatory requirements for software of safety-critical control systems. Formal regulatory requirements, as opposed to formal specifications for a concrete system, have a generic nature, are applicable for a wide range of safety-critical control systems and are the basis for certification or licensing process. The use of formal regulatory requirements could help to eliminate ambiguity or misunderstanding of informal definitions, to allow rigorous assessment of satisfaction with respect to requirements and finally to increase the safety level of a system.As a formal method for describing the regulatory requirements, the Z notation is pro-posed. To demonstrate the approach, requirements for protection against common mode software failures and requirements for protection against unauthorized access are considered. Z schemas for these requirements are presented. Keywords: certification, formal methods, regulatory requirements, software standards, Z notation
Safety-Critical Systems, Formal Methods and Standards
Software Engineering Journal, 1993
Standards concerned with the development of safety-critical systems, and the software in such systems in particular, abound today as the software crisis increasingly affects the world of embedded computer-based systems. The use of formal methods is often advocated as a way of increasing confidence in such systems. This paper examines the industrial use of these techniques, the recommendations concerning formal methods in a number of current and draft standards, and comments on the applicability and problems of using formal methods for the development of safety-critical systems of an industrial scale. Some possible future directions are suggested. Winner of the IEE Charles Babbage Premium award, 1994. Other versions issued as a Oxford University Computing Laboratory Technical Report PRG-TR-5-92, and Chapter 1 in Towards Verified Systems.