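; Hand this in to: ece849-staff+hw [at] ece.cmu.edu
;
; The address above is deliberately written without "@": BibTeX treats every "@"
; outside an entry as the start of a new entry, so a literal e-mail address here
; makes bibtex report a malformed entry before it recovers.
;
; Reading-list template.  The fields studentname, summary, contribution1-5,
; weakness1-5, interesting and opinions are homework annotation fields; BibTeX
; ignores field names it does not know, so they can be filled in freely.
; Authors are entered as "Last, First and Last, First" (BibTeX's name separator
; is the word "and"; semicolons or commas between names are parsed as one name).
;
; Required Reading

@inproceedings{czerny00_xbywire_safety,
  author        = {Czerny, B. J. and D'Ambrosio, J. G. and Murray, B. T.},
  title         = {Providing Convincing Evidence of Safety in {X-by-wire} Automotive Systems},
  booktitle     = {Fifth {IEEE} International Symposium on High Assurance Systems Engineering ({HASE} 2000)},
  year          = {2000},
  pages         = {189--192},
  url           = {http://ieeexplore.ieee.org/iel5/7194/19380/00895458.pdf},
  abstract      = {A new generation of automotive systems, such as brake-, steer-, throttle-by-wire, and combinations of these by-wire systems, offer the promise of improved vehicle performance and safety. However, these by-wire systems represent a major technology change, and as a result, merit higher levels of analysis, design, and verification. Like other safety-critical systems, the case for safety should be carefully documented. However, the safety case contains diverse material, and compiling and maintaining a clear and understandable safety case document can be challenging...},
  studentname   = {},
  summary       = {},
  contribution1 = {},
  contribution2 = {},
  contribution3 = {},
  contribution4 = {},
  contribution5 = {},
  weakness1     = {},
  weakness2     = {},
  weakness3     = {},
  weakness4     = {},
  weakness5     = {},
  interesting   = {high/med/low},
  opinions      = {},
}

@inproceedings{pilkington98_masstransit,
  author        = {Pilkington, S. D. J. and Lee, A. R.},
  title         = {The Development of Safety Cases for Mass Transit Signalling and Control Projects -- {Jubilee Line} Case Study},
  booktitle     = {Developments in Mass Transit Systems},
  year          = {1998},
  pages         = {254--259},
  url           = {http://ieeexplore.ieee.org/iel4/5620/15042/00683605.pdf},
  studentname   = {},
  summary       = {},
  contribution1 = {},
  contribution2 = {},
  contribution3 = {},
  contribution4 = {},
  contribution5 = {},
  weakness1     = {},
  weakness2     = {},
  weakness3     = {},
  weakness4     = {},
  weakness5     = {},
  interesting   = {high/med/low},
  opinions      = {},
}

@article{Kelly04,
  author        = {Kelly, T.},
  title         = {A Systematic Approach to Safety Case Management},
  journal       = {SAE 04AE-19},
  year          = {2003},
  internal-note = {The citation key says 04 but the year field says 2003 -- verify the publication year before citing},
  abstract      = {In Europe, over recent years, there has been a marked shift in the regulatory approach to ensuring system safety. Whereas compliance with prescriptive safety codes and standards was previously the norm, the responsibility has now shifted back onto the developers and operators to construct and present well reasoned arguments that their systems achieve acceptable levels of safety. These arguments (together with supporting evidence) are typically referred to as a ``safety case''. This paper describes the role and purpose of a safety case (as defined by current safety and regulatory standards). Safety arguments within safety cases are often poorly communicated. This paper presents a technique called GSN (Goal Structuring Notation) that is increasingly being used in safety-critical industries to improve the structure, rigor, and clarity of safety arguments. Based upon the GSN approach, the paper also describes how an evolutionary and systematic approach to safety case construction, in step with system development, can be facilitated.},
  studentname   = {},
  summary       = {},
  contribution1 = {},
  contribution2 = {},
  contribution3 = {},
  contribution4 = {},
  contribution5 = {},
  weakness1     = {},
  weakness2     = {},
  weakness3     = {},
  weakness4     = {},
  weakness5     = {},
  interesting   = {high/med/low},
  opinions      = {},
}

@inproceedings{despotou04_safety_case_dependability,
  author        = {Despotou, G. and Kelly, T.},
  title         = {Extending the Safety Case to Address Dependability},
  booktitle     = {International System Safety Conference},
  year          = {2004},
  url           = {http://www-users.cs.york.ac.uk/~tpk/issc04b.pdf},
  abstract      = {A safety case is a well-reasoned argument, supported by evidence that a system is acceptably safe to operate in a particular context. For many, evolving a safety case in step with the design has proved to be an effective means of identifying and addressing safety concerns during a system's lifecycle. However, ultimately safety cases address only one system attribute - safety. Increasingly, the idea of extending the well-established concept of the safety case to address wider dependability concerns is being discussed. Attempting to address all dependability attributes can result in competing objectives. As a consequence, there are trade-offs among the dependability attributes that need to be resolved in order to achieve the optimum dependability characteristics for the system. Furthermore, the balance of these trade-offs can depend heavily upon the context in which the system operates. In this paper we examine the suitability of extending existing methodologies and concepts from safety case development practice to address the wider concerns of dependability arguments. We will discuss existing approaches to managing trade-offs between competing design objectives and explain how trade-offs may be supported within the Goal Structuring Notation (GSN) framework. In particular we examine how trade-off resolution during the evolution of the dependability objectives, contributes to establishing a final dependability argument.},
  studentname   = {},
  summary       = {},
  contribution1 = {},
  contribution2 = {},
  contribution3 = {},
  contribution4 = {},
  contribution5 = {},
  weakness1     = {},
  weakness2     = {},
  weakness3     = {},
  weakness4     = {},
  weakness5     = {},
  interesting   = {high/med/low},
  opinions      = {},
}

; Supplemental Reading

@inproceedings{jesty00_vehicle_safety,
  author        = {Jesty, Peter H. and Hobley, Keith M. and Evans, Richard and Kendall, Ian},
  internal-note = {Affiliations from the original record: Jesty and Hobley, University of Leeds; Evans, Rover Group Ltd; Kendall, Jaguar Cars Ltd},
  title         = {Safety Analysis of Vehicle-Based Systems},
  booktitle     = {Proceedings of the 8th Safety-critical Systems Symposium},
  year          = {2000},
  url           = {http://www.misra.org.uk/papers/SCSC00-SA.PDF},
  abstract      = {The Motor Industry Software Reliability Association Steering Group is producing guidance on the safety analysis of vehicle-based systems to support its original Development Guidelines for Vehicle Based Software. Using existing generic techniques, these new guidelines will explain how they may be used in the automotive context. Topics will include System Analysis, Hazard Identification, Hazard Analysis, the identification of Safety Integrity Levels, and the uses of Failure Mode and Effects Analysis and Fault Tree Analysis.},
  studentname   = {},
  summary       = {},
  contribution1 = {},
  contribution2 = {},
  contribution3 = {},
  contribution4 = {},
  contribution5 = {},
  weakness1     = {},
  weakness2     = {},
  weakness3     = {},
  weakness4     = {},
  weakness5     = {},
  interesting   = {high/med/low},
  opinions      = {},
}

@inproceedings{Lane00,
  author        = {Lane, M.},
  title         = {Predicting the Reliability and Safety of Commercial Software in Advanced Avionic Systems},
  booktitle     = {19th Digital Avionics Systems Conference ({DASC}) Proceedings},
  year          = {2000},
  volume        = {1},
  pages         = {4E4/1--8},
  url           = {http://ieeexplore.ieee.org/iel5/7093/19162/00886963.pdf},
  abstract      = {Exploiting developments in the commercial domain for military application has been identified as a key to reducing avionic system through-life costs while improving system upgradeability. While the use of commercially available hardware components has, to some extent, been accepted as the only way forward, the use of COTS software components has been highly contentious. Although the potential benefits can still apply to software, new challenges are introduced that must be overcome. These problems are exacerbated by the inherently integrated nature of advanced avionics. The very idea of trusting COTS software in a complex real-time system that may affect, or even be responsible for, safety critical or mission critical functions has been the subject of much debate. The concerns have mainly been centred on reliability and certification. It is these areas that have provided the focus for the study described in this paper. Software failure prediction techniques have been used across many application domains, and software reliability modelling is now a highly developed area in software measurement. The results of research to determine the applicability of these techniques for avionics software are summarised with emphasis on the real-time operating system (RTOS) software. This was selected as it provides a complex component of an avionic system for which there is real scope for using COTS technology. The suitability of these techniques, and others in supporting},
  studentname   = {},
  summary       = {},
  contribution1 = {},
  contribution2 = {},
  contribution3 = {},
  contribution4 = {},
  contribution5 = {},
  weakness1     = {},
  weakness2     = {},
  weakness3     = {},
  weakness4     = {},
  weakness5     = {},
  interesting   = {high/med/low},
  opinions      = {},
}

@article{Bell93,
  author        = {Bell, R. and Reinert, D.},
  title         = {Risk and System Integrity Concepts for Safety-Related Control Systems},
  journal       = {Microprocessors and Microsystems},
  volume        = {17},
  number        = {1},
  year          = {1993},
  pages         = {3--15},
  url           = {http://ieeexplore.ieee.org/iel2/1065/7178/00288861.pdf},
  abstract      = {This paper provides an overview of the concepts of `risk' and `safety integrity' in relation to safety-related electrical/electronic/programmable electronic systems. The paper is an abridged version of Annex A of the emerging International Electrotechnical Commission (IEC) Standard: `Functional safety of electrical/electronic/programmable electronic systems'. Although based on Annex A, the authors have deviated in a few instances from its strict wording in order to more properly represent their own views. Where this occurs, a note in the text has been added to alert the reader to the deviation. The concepts of risk, including tolerable risk, safety integrity, safety-related systems, system and software integrity levels, are discussed},
  studentname   = {},
  summary       = {},
  contribution1 = {},
  contribution2 = {},
  contribution3 = {},
  contribution4 = {},
  contribution5 = {},
  weakness1     = {},
  weakness2     = {},
  weakness3     = {},
  weakness4     = {},
  weakness5     = {},
  interesting   = {high/med/low},
  opinions      = {},
}

@inproceedings{Betts92,
  author        = {Betts, A. E. and Welbourne, D.},
  title         = {Software Safety Assessment and the {Sizewell B} Applications},
  booktitle     = {International Conference on Electrical and Control Aspects of the {Sizewell B} {PWR} (Conf. Publ. No. 361)},
  year          = {1992},
  pages         = {204--207},
  url           = {http://ieeexplore.ieee.org/iel3/1192/4431/00172006.pdf},
  abstract      = {The Sizewell B PWR has two diverse protection systems which initiate automatic reactor trip and engineered safety features (ESF) needed for any fault, by detecting if measured plant signals are outside defined limits. Both systems have four redundant channels with two-out-of-four voting for each action. The primary protection system (PPS) is a computer based system and protects the reactor for all design basis faults. The station also has a computer based integrated system for centralised operations (ISCO), which includes self-contained high integrity computer system (HICS) sections. The authors describe the processes of assessment carried out for Nuclear Electric (NE), of the software provided by Westinghouse, as suppliers of the PPS and HICS. NE conducted extensive reviews and analysis of the software, in the course of establishing the safety case},
  studentname   = {},
  summary       = {},
  contribution1 = {},
  contribution2 = {},
  contribution3 = {},
  contribution4 = {},
  contribution5 = {},
  weakness1     = {},
  weakness2     = {},
  weakness3     = {},
  weakness4     = {},
  weakness5     = {},
  interesting   = {high/med/low},
  opinions      = {},
}

@inproceedings{Wilson97,
  author        = {Wilson, S. P. and Kelly, T. P. and McDermid, J. A.},
  title         = {Safety Case Development: Current Practice, Future Prospects},
  editor        = {Shaw, R.},
  internal-note = {booktitle unknown: the original record only gave the editor's name (Shaw, R.) in an inbook field -- fill in the proceedings title before citing},
  year          = {1997},
  pages         = {135--156},
  url           = {http://citeseer.nj.nec.com/wilson97safety.html},
  abstract      = {Safety-critical and safety-related systems are becoming more highly integrated and continue to increase in complexity. In parallel with this, certification standards for such systems are becoming more stringent, requiring more extensive and more detailed analyses. Safety cases, therefore, are themselves growing in size and complexity and are becoming increasingly costly to produce. It has become necessary to re-examine how and why safety cases are built in order that one might provide a means for managing their inherent complexity and reduce production costs. The authors examine some of the key issues in current industrial safety case development, in particular: the purpose of the safety case-examining how stakeholders place demands upon the content and style of the safety case; safety analysis techniques-examining the problem of ensuring consistency and completeness of results; safety case production-examining how and when safety cases are produced through the development life-cycle; safety case structure-examining how the reasoning and evidence aspects of the safety case are combined; safety case maintenance-examining the need and support for safety cases that can be more readily maintained and reused. They propose to address these issues through the use of a goal based notation for more effective structuring, a data model to tightly integrate the safety analysis techniques, and a process model to integrate the safety case activities into the overall},
  studentname   = {},
  summary       = {},
  contribution1 = {},
  contribution2 = {},
  contribution3 = {},
  contribution4 = {},
  contribution5 = {},
  weakness1     = {},
  weakness2     = {},
  weakness3     = {},
  weakness4     = {},
  weakness5     = {},
  interesting   = {high/med/low},
  opinions      = {},
}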