Software safety : a definition and some preliminary thoughts
Software safety is the subject of a research project in its initial stages at the University of California Irvine. This research deals with critical real-time software where the cost of an error is high, e.g. human life. In this paper software techniques having a bearing on safety are described and evaluated. Initial definitions of software safety concepts are presented along with some preliminary thoughts and research questions
Building safe software
Murphy is a set of techniques and tools under investigation for their potential in enhancing the safety of software. This paper describes some of the work which has been done and some which is planned
System Theoretic Safety Analysis of the Sewol-Ho Ferry Accident in South Korea
This paper applies CAST (Causal Analysis based on STAMP, the Systems Theoretic Accident Model and Processes) to the Sewol-Ho Ferry Accident at the level of the entire maritime transportation sociotechnological system, and derives system-level safety improvements to the system safety control structure. It aims to show that CAST can effectively and holistically analyze a disaster at this whole-system level, and that CAST can provide preventive solutions from a holistic, top-down system safety engineering view
An evaluation of software fault tolerance techniques in real-time safety-critical applications
The usefulness of three software fault tolerance techniques -- n-version programming, recovery blocks, and exception handling -- is examined within the context of real-time safety-critical environments. The general requirements of such application systems are presented and the techniques evaluated with regard to how well they satisfy these requirements
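The three techniques named in this abstract differ in where the check on a result comes from: a recovery block relies on an acceptance test and a state rollback, N-version programming relies on a vote among independently written versions, and exception handling relies on the caller knowing a safe action. The following is an added example, not code from the paper or its authors. It applies all three to one small routine (an integer square root such as a controller might use when scaling a sensor reading); versions A and B are correct, and version C carries a fault that is deliberately injected for the example, so the failing input, the threshold `10**6`, and the `SAFE_STATE` sentinel are all constructed.

```python
"""Added example (not from the paper): recovery blocks, N-version programming
and exception handling applied to one small routine, an integer square root.
Versions A and B are correct; version C carries a constructed, injected fault."""
from collections import Counter
from typing import Callable, Dict, List


def isqrt_newton(n: int) -> int:
    """Version A: integer Newton iteration, returns floor(sqrt(n))."""
    if n < 0:
        raise ValueError("negative input")
    if n == 0:
        return 0
    x = n
    while True:
        y = (x + n // x) // 2
        if y >= x:
            return x
        x = y


def isqrt_bitwise(n: int) -> int:
    """Version B: digit-by-digit binary method, independently written."""
    if n < 0:
        raise ValueError("negative input")
    result, bit = 0, 1 << (n.bit_length() // 2 * 2)  # start at a power of four
    while bit > n:
        bit >>= 2
    while bit:
        if n >= result + bit:
            n -= result + bit
            result = (result >> 1) + bit
        else:
            result >>= 1
        bit >>= 2
    return result


def isqrt_faulty(n: int) -> int:
    """Version C: constructed for the example. The fault is injected, not
    discovered: for inputs >= 10**6 the result is one too large, standing in
    for a latent bug that only shows on rare inputs."""
    r = isqrt_newton(n)
    return r + 1 if n >= 1_000_000 else r


def acceptable(n: int, r: int) -> bool:
    """Acceptance test: validates a candidate without recomputing it.
    For isqrt the check is exact, which is the ideal but unusual case."""
    return r >= 0 and r * r <= n < (r + 1) * (r + 1)


def recovery_block(n: int, alternates: List[Callable[[int], int]],
                   state: Dict[str, object]) -> int:
    """Recovery block: run alternates in order; on acceptance-test failure or
    exception, roll shared state back to the checkpoint and try the next one."""
    checkpoint = dict(state)
    for alt in alternates:
        try:
            state["value"] = alt(n)           # speculative update of shared state
            state["source"] = alt.__name__
            if acceptable(n, state["value"]):
                return state["value"]
        except ValueError:
            pass                              # an exception fails this alternate too
        state.clear()
        state.update(checkpoint)              # restore the pre-block state
    raise RuntimeError("recovery block exhausted all alternates")


def n_version(n: int, versions: List[Callable[[int], int]]) -> int:
    """N-version programming: run every version, accept only a strict majority.
    An exception counts as one disagreeing vote for 'no result'."""
    votes: Counter = Counter()
    for v in versions:
        try:
            votes[v(n)] += 1
        except ValueError:
            votes[None] += 1
    value, count = votes.most_common(1)[0]
    if value is None or 2 * count <= len(versions):
        raise RuntimeError("no majority among versions")
    return value


SAFE_STATE = -1  # constructed sentinel: "take the safe action", never a valid root


def guarded(n: int, state: Dict[str, object]) -> int:
    """Exception handling at the caller: any failure below is converted into an
    explicit safe state instead of an undefined or stale value."""
    try:
        return recovery_block(n, [isqrt_faulty, isqrt_newton, isqrt_bitwise], state)
    except RuntimeError:
        return SAFE_STATE


def demo() -> Dict[str, object]:
    versions = [isqrt_faulty, isqrt_newton, isqrt_bitwise]
    state: Dict[str, object] = {"value": 0, "source": "init"}
    out: Dict[str, object] = {}
    out["rb_small"] = recovery_block(99, versions, state)         # primary passes the test
    out["rb_large"] = recovery_block(1_000_000, versions, state)  # primary rejected, next used
    out["rb_source"] = state["source"]                            # which alternate was accepted
    out["nv_large"] = n_version(1_000_000, versions)              # two correct versions outvote C
    out["guard_neg"] = guarded(-5, state)                         # every version raises -> safe state
    out["state_after_neg"] = dict(state)                          # rolled back, unchanged by the failure
    return out


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

The point the example makes about the trade-off: the recovery block catches version C's wrong answer only because an exact, cheap acceptance test exists for this function, which is rare in practice, while the vote catches it only because two of three versions agree and are independent of the faulty one. On the negative input neither technique can produce a value, and the only defensible behaviour is the explicit safe state returned by the caller's exception handler.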
Improving the Standard Risk Matrix using STPA
This paper first discusses the limitations of the standard risk matrix. It then suggests some changes to the risk matrix and its use to improve the accuracy of the results
Completeness, robustness, and safety in real-time software requirements specification
This paper presents an approach to providing a rigorous basis for ascertaining whether or not a given set of software requirements is internally complete, i.e., closed with respect to questions and inferences that can be made on the basis of information included in the specification. Emphasis is placed on aspects of software requirements specifications that previously have not been adequately handled, including timing abstractions, safety, and robustness
Analyzing safety and fault tolerance using time Petri nets
The application of time Petri net modelling and analysis techniques to safety-critical real-time systems is explored, and procedures are described which allow analysis of safety, recoverability, and fault tolerance. These procedures can be used to help determine software requirements, to guide the use of fault detection and recovery procedures, to determine conditions which require immediate mitigating action to prevent accidents, etc. Thus it is possible to establish important properties during the synthesis of the system and software design instead of relying on guesswork and costly a posteriori analysis
A Systems Thinking Approach to Leading Indicators in the Petrochemical Industry
There are always warning signs before a major accident, but these signs may only be noticeable or interpretable as a leading indicator in hindsight. Before an accident, such "weak signals" are often perceived only as noise. To ask people to "be mindful of weak signals" is asking them to do something that is impossible. There is always a lot of noise and always a lot of signals that do not presage an accident. The problem then becomes how to distinguish the important signals from all the noise. Defining effective leading indicators is a way to accomplish this goal by providing specific clues that people need to look for. Asking people to "look for anything that might be an important sign" is usually asking them to do the impossible.
Almost all of the past effort to identify leading indicators has involved finding a set of generally applicable metrics or signals that presage an accident. Examples of such identified leading indicators are quality and backlog of maintenance, inspection, and corrective action; minor incidents such as leaks or spills; equipment failure rates; and so on. There is commonly a belief, or perhaps a hope, that a small number of such "leading indicators" can identify an increase in the risk of an accident. While some general indicators may be useful, large amounts of effort over decades have not produced much progress. The lack of progress may be a sign that such general, industry-wide indicators do not exist or will not be particularly effective in identifying increasing risk. An alternative is to identify leading indicators that are specific to the system being monitored.
This paper proposes an approach to identifying and monitoring system-specific leading indicators and provides some guidance in designing a risk management structure to use such indicators effectively. The approach is based on the STAMP model of accident causation and tools that have been designed to build on that model. STAMP extends current accident causality to include more complex causes than simply component failures and chains of failure events. It incorporates basic principles of systems thinking and is based on systems theory rather than traditional reliability theory. The next section briefly describes STAMP and STPA, the latter being a new hazard analysis technique based on STAMP. Then the proposal for a new approach to generating and managing leading indicators is outlined
A New Accident Model for Engineering Safer Systems
New technology is making fundamental changes in the etiology of accidents and is creating a need for changes in the explanatory mechanisms used. We need better and less subjective understanding of why accidents occur and how to prevent future ones. The most effective models will go beyond assigning blame and instead help engineers to learn as much as possible about all the factors involved, including those related to social and organizational structures. This paper presents a new accident model founded on basic systems and control theory concepts. The use of such a model provides a theoretical foundation for the introduction of unique new types of accident analysis, hazard analysis, accident prevention strategies including new approaches to designing for safety, risk assessment techniques, and approaches to designing performance monitoring and safety metrics
A systems approach to risk management through leading safety indicators
The goal of leading indicators for safety is to identify the potential for an accident before it occurs. Past efforts have focused on identifying general leading indicators, such as maintenance backlog, that apply widely in an industry or even across industries. Other recommendations produce more system-specific leading indicators, but start from system hazard analysis and thus are limited by the causes considered by the traditional hazard analysis techniques. Most rely on quantitative metrics, often based on probabilistic risk assessments. This paper describes a new and different approach to identifying system-specific leading indicators and provides guidance in designing a risk management structure to generate, monitor and use the results. The approach is based on the STAMP (System-Theoretic Accident Model and Processes) model of accident causation and tools that have been designed to build on that model. STAMP extends current accident causality to include more complex causes than simply component failures and chains of failure events or deviations from operational expectations. It incorporates basic principles of systems thinking and is based on systems theory rather than traditional reliability theory