3,454 research outputs found
Building safe software
Murphy is a set of techniques and tools under investigation for their potential in enhancing the safety of software. This paper describes some of the work which has been done and some which is planned.
Software safety : a definition and some preliminary thoughts
Software safety is the subject of a research project in its initial stages at the University of California Irvine. This research deals with critical real-time software where the cost of an error is high, e.g. human life. In this paper software techniques having a bearing on safety are described and evaluated. Initial definitions of software safety concepts are presented along with some preliminary thoughts and research questions.
Software fault tree analysis tool user's manual
The Software Fault Tree Analysis Tool allows the user to interactively modify the graphic representation of a fault tree. This manual describes the user interface of the tool. The tool is currently available only for Sun-2 workstations running 4.2 BSD Unix.
A Systems Thinking Approach to Leading Indicators in the Petrochemical Industry
There are always warning signs before a major accident, but these signs may only be noticeable or interpretable as a leading indicator in hindsight. Before an accident, such “weak signals” are often perceived only as noise. To ask people to “be mindful of weak signals” is asking them to do something that is impossible. There is always a lot of noise and always a lot of signals that do not presage an accident. The problem then becomes how to distinguish the important signals from all the noise. Defining effective leading indicators is a way to accomplish this goal by providing specific clues that people need to look for. Asking people to “look for anything that might be an important sign” is usually asking them to do the impossible.
Almost all of the past effort to identify leading indicators has involved finding a set of generally applicable metrics or signals that presage an accident. Examples of such identified leading indicators are quality and backlog of maintenance, inspection, and corrective action; minor incidents such as leaks or spills, equipment failure rates, and so on. There is commonly a belief—or perhaps, hope—that a small number of such “leading indicators” can identify an increase in risk of an accident. While some general indicators may be useful, large amounts of effort over decades has not provided much progress. The lack of progress may be a sign that such general, industry-wide indicators do not exist or will not be particularly effective in identifying increasing risk. An alternative is to identify leading indicators that are specific to the system being monitored.
This paper proposes an approach to identifying and monitoring system-specific leading indicators and provides some guidance in designing a risk management structure to use such indicators effectively. The approach is based on the STAMP model of accident causation and tools that have been designed to build on that model. STAMP extends current accident causality to include more complex causes than simply component failures and chains of failure events. It incorporates basic principles of systems thinking and is based on systems theory rather than traditional reliability theory. The next section briefly describes STAMP and STPA, the latter being a new hazard analysis technique based on STAMP. Then the proposal for a new approach to generating and managing leading indicators is outlined.
An evaluation of software fault tolerance techniques in real-time safety-critical applications
The usefulness of three software fault tolerance techniques -- n-version programming, recovery blocks, and exception handling -- is examined within the context of real-time safety-critical environments. The general requirements of such application systems are presented and the techniques evaluated with regard to how well they satisfy these requirements.
A systems approach to risk management through leading safety indicators
The goal of leading indicators for safety is to identify the potential for an accident before it occurs. Past efforts have focused on identifying general leading indicators, such as maintenance backlog, that apply widely in an industry or even across industries. Other recommendations produce more system-specific leading indicators, but start from system hazard analysis and thus are limited by the causes considered by the traditional hazard analysis techniques. Most rely on quantitative metrics, often based on probabilistic risk assessments. This paper describes a new and different approach to identifying system-specific leading indicators and provides guidance in designing a risk management structure to generate, monitor and use the results. The approach is based on the STAMP (System-Theoretic Accident Model and Processes) model of accident causation and tools that have been designed to build on that model. STAMP extends current accident causality to include more complex causes than simply component failures and chains of failure events or deviations from operational expectations. It incorporates basic principles of systems thinking and is based on systems theory rather than traditional reliability theory.
The Use of Safety Cases in Certification and Regulation
Certification of safety-critical systems is usually based on evaluation of whether a system or product reduces risk of specific losses to an acceptable level. There are major differences, however, in how that decision is made and on what evidence is required. The term Safety Case has become popular recently as a solution to the problem of regulating safety-critical systems. The term arises from the HSE (Health and Safety Executive) in the U.K., but different definitions seem to be rife. To avoid confusion, this paper uses the term “assurance cases” for the general term and limits the use of the term “safety case” to a very specific definition as an argument for why the system is safe. This paper examines the use of safety cases and regulation in general. The first important distinction is between types of regulation.
Analyzing safety and fault tolerance using time Petri nets
The application of time Petri net modelling and analysis techniques to safety-critical real-time systems is explored and procedures described which allow analysis of safety, recoverability, and fault tolerance. These procedures can be used to help determine software requirements, to guide the use of fault detection and recovery procedures, to determine conditions which require immediate mitigating action to prevent accidents, etc. Thus it is possible to establish important properties during the synthesis of the system and software design instead of using guesswork and costly a posteriori analysis.
A system-theoretic, control-inspired view and approach to process safety
Accidents in the process industry continue to occur, and we do not seem to be making much progress in reducing them (Venkatasubramanian, 2011). Postmortem analysis has indicated that they were preventable and had similar systemic causes (Kletz, 2003). Why do we fail to learn from the past and make adequate changes to prevent their reappearance? A variety of explanations have been offered: operators' faults, component failures, lax supervision of operations, poor maintenance, etc. All of these explanations, and many others, have been exhaustively studied, analyzed, “systematized” into causal groups, and a variety of approaches have been developed to address them. Even so, they still occur with significant numbers of fatalities and injured people, with significant disruption of productive operations and frequently extensive destruction of the surrounding environment, both physical and social.
