Product Engineering Class in the Software Safety Risk Taxonomy for Building Safety-Critical Systems

When software safety requirements are imposed on legacy safety-critical systems, retrospective safety cases need to be formulated as part of recertifying the systems for further use and risks must be documented and managed to give confidence for reusing the systems. The SEJ Software Development Risk Taxonomy [4] focuses on general software development issues. It does not, however, cover all the safety risks. The Software Safety Risk Taxonomy [8] was developed which provides a construct for eliciting and categorizing software safety risks in a straightforward manner. In this paper, we present extended work on the taxonomy for safety that incorporates the additional issues inherent in the development and maintenance of safety-critical systems with software. An instrument called a Software Safety Risk Taxonomy Based Questionnaire (TBQ) is generated containing questions addressing each safety attribute in the Software Safety Risk Taxonomy. Software safety risks are surfaced using the new TBQ and then analyzed. In this paper we give the definitions for the specialized Product Engineering Class within the Software Safety Risk Taxonomy. At the end of the paper, we present the tool known as the 'Legacy Systems Risk Database Tool' that is used to collect and analyze the data required to show traceability to a particular safety standar

Exploiting Parts-of-Speech for Effective Automated Requirements Traceability

Context: Requirement traceability (RT) is defined as the ability to describe and follow the life of a requirement. RT helps developers ensure that relevant requirements are implemented and that the source code is consistent with its requirement with respect to a set of traceability links called trace links. Previous work leverages Parts Of Speech (POS) tagging of software artifacts to recover trace links among them. These studies work on the premise that discarding one or more POS tags results in an improved accuracy of Information Retrieval (IR) techniques. Objective: First, we show empirically that excluding one or more POS tags could negatively impact the accuracy of existing IR-based traceability approaches, namely the Vector Space Model (VSM) and the Jensen Shannon Model (JSM). Second, we propose a method that improves the accuracy of IR-based traceability approaches. Method: We developed an approach, called ConPOS, to recover trace links using constraint-based pruning. ConPOS uses major POS categories and applies constraints to the recovered trace links for pruning as a filtering process to significantly improve the effectiveness of IR-based techniques. We conducted an experiment to provide evidence that removing POSs does not improve the accuracy of IR techniques. Furthermore, we conducted two empirical studies to evaluate the effectiveness of ConPOS in recovering trace links compared to existing peer RT approaches. Results: The results of the first empirical study show that removing one or more POS negatively impacts the accuracy of VSM and JSM. Furthermore, the results from the other empirical studies show that ConPOS provides 11%-107%, 8%-64%, and 15%-170% higher precision, recall, and mean average precision (MAP) than VSM and JSM. Conclusion: We showed that ConPosout performs existing IR-based RT approaches that discard some POS tags from the input documents

Hazard Relation Diagramme - Definition und Evaluation

Der Entwicklungsprozess sicherheitskritischer, software-intensiver eingebetteter Systeme wird im Besonderen durch die Notwendigkeit charakterisiert, zu einem frühestmöglichem Zeitpunkt im Rahmen des Safety Assessments sogenannte Hazards aufzudecken, welche im Betrieb zu Schaden in Form von Tod oder Verletzung von Menschen sowie zu Beschädigung oder Zerstörung externer Systeme führen können. Um die Sicherheit des Systems im Betrieb zu fördern, werden für jeden Hazard sogenannte Mitigationen entwickelt, welche durch hazard-mitigierende Anforderungen im Rahmen des Requirements Engineering dokumentiert werden. Hazard-mitigierende Anforderungen müssen in dem Sinne adäquat sein, dass sie zum einen die von Stakeholdern gewünschte Systemfunktionalität spezifizieren und zum anderen die Wahrscheinlichkeit von Schaden durch Hazards im Betrieb minimieren. Die Adäquatheit von hazard-mitigierenden Anforderungen wird im Entwicklungsprozess im Rahmen der Anforderungsvalidierung bestimmt. Die Validierung von hazard-mitigierenden Anforderungen wird allerdings dadurch erschwert, dass Hazards sowie Kontextinformationen über Hazards ein Arbeitsprodukt des Safety Assessments darstellen und die hazard-mitigierenden Anforderungen ein Arbeitsprodukt des Requirements Engineering sind. Diese beiden Arbeitsprodukte sind in der Regel nicht schlecht integriert, sodass den Stakeholdern bei der Validierung nicht alle Informationen zur Verfügung stehen, die zur Bestimmung der Adäquatheit der hazard-mitigierenden Anforderungen notwendig sind. In Folge könnte es dazu kommen, dass Inadäquatheit in hazard-mitigierenden Anforderungen nicht aufgedeckt wird und das System fälschlicherweise als ausreichend sicher betrachtet wird. Im Rahmen dieses Dissertationsvorhabens wurde ein Ansatz entwickelt, welcher Hazards, Kontextinformationen zu Hazards, hazard-mitigierende Anforderungen sowie die spezifischen Abhängigkeiten in einem graphischen Modell visualisiert und somit für die Validierung zugänglich macht. Zudem wird ein automatisierter Ansatz zur Generierung der graphischen Modelle vorgestellt und prototypisch implementiert. Darüber hinaus wird anhand von vier detaillierten empirischen Experimenten der Nutzen der graphischen Modelle für die Validierung hazard-mitigierender Anforderungen nachgewiesen. Die vorliegende Arbeit leistet somit einen Beitrag zur Integration der Arbeitsergebnisse des Safety Assessments und des Requirements Engineerings mit dem Ziel die Validierung der Adäquatheit hazard-mitigierender Anforderungen zu unterstützen.The development process of safety-critical, software-intensive embedded systems is characterized by the need to identify hazards during safety assessment in early stages of development. During operation, such hazards may lead to harm to come to humans and external systems in the form of death, injury, damage, or destruction, respectively. In order to improve the safety of the system during operation, mitigations are conceived for each hazard, and documented during requirements engineering by means of hazard-mitigating requirements. These hazard-mitigating requirements must be adequate in the sense that they must specify the functionality required by the stakeholders and must render the system sufficiently safe during operation with regard to the identified hazards. The adequacy of hazard-mitigating requirements is determined during requirements validation. Yet, the validation of the adequacy of hazard-mitigating requirements is burdened by the fact that hazards and contextual information about hazards are a work product of safety assessment and hazard-mitigating requirements are a work product of requirements engineering. These work products are poorly integrated such that the information needed to determine the adequacy of hazard-mitigating requirements are not available to stakeholders during validation. In consequence, there is the risk that inadequate hazard-mitigating requirements remain covert and the system is falsely considered sufficiently safe. In this dissertation, an approach was developed, which visualizes hazards, contextual information about hazards, hazard-mitigating requirements, as well as their specific dependencies in graphical models. The approach hence renders these information accessible to stakeholders during validation. In addition, an approach to create these graphical models was developed and prototypically implemented. Moreover, the benefits of using these graphical models during validation of hazard-mitigating requirements was investigated and established by means of four detailed empirical experiments. The dissertation at hand hence provides a contribution towards the integration of the work products of safety assessment and requirements engineering with the purpose to support the validation of the adequacy of hazard-mitigating requirements

AMAN-DA : Une approche basée sur la réutilisation de la connaissance pour l'ingénierie des exigences de sécurité

In recent years, security in Information Systems (IS) has become an important issue that needs to be taken into account in all stages of IS development, including the early phase of Requirement Engineering (RE). Considering security during early stages of IS development allows IS developers to envisage threats, their consequences and countermeasures before a system is in place. Security requirements are known to be “the most difficult of requirements types”, and potentially the ones causing the greatest risk if they are not correct. Moreover, requirements engineers are not primarily interested in, or knowledgeable about, security. Their tacit knowledge about security and their primitive knowledge about the domain for which they elicit security requirements make the resulting security requirements poor and too generic.This thesis explores the approach of eliciting requirements based on the reuse of explicit knowledge. First, the thesis proposes an extensive systematic mapping study of the literature on the reuse of knowledge in security requirements engineering identifying the diferent knowledge forms. This is followed by a review and classification of security ontologies as the main reuse form.In the second part, AMAN-DA is presented. AMAN-DA is the method developed in this thesis. It allows the elicitation of domain-specific security requirements of an information system by reusing knowledge encapsulated in domain and security ontologies. Besides that, the thesis presents the different elements of AMANDA: (i) a core security ontology, (ii) a multi-level domain ontology, (iii) security goals and requirements’s syntactic models, (iv) a set of rules and mechanisms necessary to explore and reuse the encapsulated knowledge of the ontologies and produce security requirements specifications.The last part reports the evaluation of the method. AMAN-DA was implemented in a prototype tool. Its feasibility was evaluated and applied in case studies of three different domains (maritime, web applications, and sales). The ease of use and the usability of the method and its tool were also evaluated in a controlled experiment. The experiment revealed that the method is beneficial for the elicitation of domain specific security requirements, and that the tool is friendly and easy to use.Au cours de ces dernières années, la sécurité des Systèmes d'Information (SI) est devenue une préoccupation importante, qui doit être prise en compte dans toutes les phases du développement du SI, y compris dans la phase initiale de l'ingénierie des exigences (IE). Prendre en considération la sécurité durant les premieres phases du dévelopment des SI permet aux développeurs d'envisager les menaces, leurs conséquences et les contre-mesures avant qu'un système soit mis en place. Les exigences de sécurité sont connues pour être "les plus difficiles des types d’exigences", et potentiellement celles qui causent le plus de risque si elles ne sont pas correctes. De plus, les ingénieurs en exigences ne sont pas principalement intéressés à, ou formés sur la sécurité. Leur connaissance tacite de la sécurité et leur connaissance primitive sur le domaine pour lequel ils élucident des exigences de sécurité rendent les exigences de sécurité résultantes pauvres et trop génériques.Cette thèse explore l'approche de l’élucidation des exigences fondée sur la réutilisation de connaissances explicites. Tout d'abord, la thèse propose une étude cartographique systématique et exhaustive de la littérature sur la réutilisation des connaissances dans l'ingénierie des exigences de sécurité identifiant les diférentes formes de connaissances. Suivi par un examen et une classification des ontologies de sécurité comme étant la principale forme de réutilisation.Dans la deuxième partie, AMAN-DA est présentée. AMAN-DA est la méthode développée dans cette thèse. Elle permet l’élucidation des exigences de sécurité d'un système d'information spécifique à un domaine particulier en réutilisant des connaissances encapsulées dans des ontologies de domaine et de sécurité. En outre, la thèse présente les différents éléments d'AMAN-DA : (i) une ontologie de sécurité noyau, (ii) une ontologie de domaine multi-niveau, (iii) des modèles syntaxique de buts et d’exigences de sécurité, (iv) un ensemble de règles et de mécanismes nécessaires d'explorer et de réutiliser la connaissance encapsulée dans les ontologies et de produire des spécifications d’exigences de sécurité.La dernière partie rapporte l'évaluation de la méthode. AMAN-DA a été implémenté dans un prototype d'outil. Sa faisabilité a été évaluée et appliquée dans les études de cas de trois domaines différents (maritimes, applications web, et de vente). La facilité d'utilisation et l’utilisabilité de la méthode et de son outil ont également été évaluées dans une expérience contrôlée. L'expérience a révélé que la méthode est bénéfique pour l’élucidation des exigences de sécurité spécifiques aux domaines, et l'outil convivial et facile à utiliser

An introduction to the mechanics of performance assessment using examples of calculations done for the Waste Isolation Pilot Plant between 1990 and 1992. Revision

This document provides an overview of the processes used to access the performance of the Waste Isolation Pilot Plant (WIPP). The quantitative metrics used in the performance-assessment (PA) process are those put forward in the Environmental Protection Agency`s Environmental Standards for the Management and Disposal of Spent Nuclear Fuel, HIgh-LEvel and transuranic radioactive Wastes (40 CFR 191)

Federal Register

Daily publication of the U.S. Office of the Federal Register contains rules and regulations, proposed legislation and rule changes, and other notices, including "Presidential proclamations and Executive Orders, Federal agency documents having general applicability and legal effect, documents required to be published by act of Congress, and other Federal agency documents of public interest" (p. ii). Table of Contents starts on page iii