| |
Preface |
6 |
|
| |
A message from the sponsors |
6 |
|
| |
THE SAFETY-CRITICAL SYSTEMS CLUB |
7 |
|
| |
Safety-critical Systems Symposium |
7 |
|
| |
What is the Safety-Critical Systems Club? |
7 |
|
| |
Objectives |
7 |
|
| |
History |
7 |
|
| |
The Club’s activities |
7 |
|
| |
Education and communication |
8 |
|
| |
Influence on research |
8 |
|
| |
Membership |
8 |
|
| |
Contents |
9 |
|
| |
Safety Cases |
11 |
|
| |
A New Approach to creating Clear SafetyArguments |
12 |
|
| |
1 Introduction |
12 |
|
| |
2 The difficulties with a single argument |
15 |
|
| |
3 Constructing assured safety arguments |
15 |
|
| |
3.1 Asserted inference |
18 |
|
| |
3.2 Asserted context |
18 |
|
| |
3.3 Asserted solution |
21 |
|
| |
3.4 Confidence argument structure |
22 |
|
| |
3.5 The overall confidence argument |
26 |
|
| |
4 Example assured safety argument |
27 |
|
| |
5 Conclusions |
31 |
|
| |
Acknowledgments |
32 |
|
| |
References |
32 |
|
| |
Safety Cases – what can we learn from Science? |
33 |
|
| |
1 Introduction |
33 |
|
| |
2 How science works |
34 |
|
| |
2.1 Some history |
34 |
|
| |
2.2 Knowledge through science |
35 |
|
| |
2.3 The practice of science |
36 |
|
| |
3 Some comments on safety case fundamentals |
37 |
|
| |
4 Safety cases from a scientific viewpoint |
38 |
|
| |
4.1 Safety cases, hypotheses and challenges |
39 |
|
| |
4.1.1 The safety case hypothesis |
39 |
|
| |
4.1.2 Challenging the safety case hypothesis |
39 |
|
| |
4.1.2.1 While the safety case is being developed |
40 |
|
| |
4.1.2.2 Independent assessment of the completed safety case |
40 |
|
| |
4.1.2.3 After the system has entered service |
41 |
|
| |
4.2 ‘Normal science’ and paradigm shift |
41 |
|
| |
4.3 Implications |
42 |
|
| |
5 Compatibility with standards and regulatory requirements |
44 |
|
| |
5.1 Def Stan 00-56 Issue 4 |
44 |
|
| |
5.2 IEC 61508 |
45 |
|
| |
5.3 CAP 670/SW01 |
46 |
|
| |
6 Conclusions |
47 |
|
| |
References |
48 |
|
| |
Accounting for Evidence: Managing Evidencefor Goal Based Software Safety Standards |
49 |
|
| |
1 Introduction |
49 |
|
| |
2 Managing the argument |
50 |
|
| |
3 Managing the processes that create evidence |
52 |
|
| |
4 Assessing the evidence |
54 |
|
| |
4.1 Overall process of assessment |
54 |
|
| |
4.2 Limitations, counter-evidence and assurance deficits |
56 |
|
| |
4.3 Safety case evidence report |
57 |
|
| |
5 Conclusion |
58 |
|
| |
Acknowledgments |
59 |
|
| |
References |
59 |
|
| |
Projects, Services and Systems of Systems |
60 |
|
| |
Distinguishing Fact from Fiction in a System ofSystems Safety Case |
61 |
|
| |
1 Introduction |
61 |
|
| |
2 Hazard assessment approach |
63 |
|
| |
2.1 Feature modelling |
66 |
|
| |
2.2 Configuration space structure |
67 |
|
| |
2.3 Pre-deployment hazard assessment |
68 |
|
| |
2.4 Post-deployment hazard assessment |
69 |
|
| |
2.5 Safety case |
70 |
|
| |
3 Analysis of the human element |
72 |
|
| |
3.1 Towards human factors methods for SoS hazard identification |
72 |
|
| |
3.2 Human factors differential analysis for IAT |
73 |
|
| |
4 Validation |
75 |
|
| |
5 Summary and future work |
76 |
|
| |
References |
77 |
|
| |
A Project Manager’s View of Safety-CriticalSystems |
79 |
|
| |
1 Introduction |
79 |
|
| |
2 The commercial reality |
80 |
|
| |
3 Doing what has to be done |
82 |
|
| |
4 Requirements, acceptance criteria and constraints |
84 |
|
| |
5 Testing in a smart way |
87 |
|
| |
5.1 Did we test the product in the right way? |
87 |
|
| |
5.2 Did we introduce other defects that were not found? |
89 |
|
| |
6 Project management of product defects |
89 |
|
| |
6.1 The fundamental question |
90 |
|
| |
6.2 Relating cost of failure to cost of testing |
91 |
|
| |
6.3 Benefit, cost and risk |
92 |
|
| |
6.4 Design for testing |
92 |
|
| |
7 Concluding remarks |
93 |
|
| |
References |
94 |
|
| |
System Safety in an IT Service Organization |
95 |
|
| |
1 Introduction |
95 |
|
| |
1.1 About Logica |
95 |
|
| |
1.2 About Logica in the UK |
96 |
|
| |
1.3 Logica services |
96 |
|
| |
1.3.1 Safety-related services |
96 |
|
| |
1.4 Service model description |
97 |
|
| |
1.4.1 Service delivery lifecycle |
97 |
|
| |
1.4.1.1 Bid |
97 |
|
| |
1.4.1.2 Due diligence |
98 |
|
| |
1.4.1.3 Transition |
99 |
|
| |
1.4.1.4 Business as usual |
99 |
|
| |
1.4.1.5 Hand over or close down service |
99 |
|
| |
1.4.2 Service lines |
99 |
|
| |
1.5 Origins of work |
100 |
|
| |
1.6 Existing safety guidance |
100 |
|
| |
2 Systems safety in a service organization |
101 |
|
| |
2.1 Internal functional audit |
101 |
|
| |
2.2 Road map for implementation |
102 |
|
| |
2.3 Identification of safety services |
102 |
|
| |
2.4 Identification of service processes and controlling documents |
103 |
|
| |
2.4.1 Process and template changes |
103 |
|
| |
2.4.1.1 Due diligence |
103 |
|
| |
2.4.1.2 Transition |
104 |
|
| |
2.4.1.3 Business as usual |
107 |
|
| |
2.4.1.4 Close down or transfer service process |
109 |
|
| |
2.5 What happens next? |
109 |
|
| |
2.5.1 Roll-out of updates to existing services |
109 |
|
| |
2.5.2 Monitoring and ongoing improvements |
110 |
|
| |
2.5.3 Resolution of Issues |
110 |
|
| |
3 Future work |
110 |
|
| |
4 Conclusions |
113 |
|
| |
References |
113 |
|
| |
Systems Safety in Healthcare |
114 |
|
| |
Integrating a Risk-based Approach and ISO62304 into a Quality System for Medical Devices |
115 |
|
| |
1 Introduction |
115 |
|
| |
2 Risk management to assure safety |
116 |
|
| |
2.1 Risk-driven approach |
116 |
|
| |
3 ISO 62304 |
117 |
|
| |
3.1 Outline of the standard |
117 |
|
| |
3.2 Integration with risk processes |
118 |
|
| |
3.2.1 Software life cycle and classification issues |
118 |
|
| |
3.3 Comparison with other known standards |
119 |
|
| |
3.4 Integration with the quality system |
120 |
|
| |
3.4.1 Processes within scope – full match or mapping |
120 |
|
| |
3.4.2 Processes out of scope – compatible and complementary |
120 |
|
| |
4 Map of processes |
121 |
|
| |
4.1 Risk management |
122 |
|
| |
4.2 Reviews |
123 |
|
| |
4.3 Verification and validation |
123 |
|
| |
4.4 Defect control |
124 |
|
| |
4.5 Change control |
124 |
|
| |
4.6 Release process |
125 |
|
| |
4.7 Supporting processes |
125 |
|
| |
5 Conclusions |
129 |
|
| |
References |
129 |
|
| |
Maintaining the Safety of Operational HealthICT Systems |
130 |
|
| |
1 Introduction |
130 |
|
| |
2 Regulatory framework |
131 |
|
| |
2.1 Legislation and case law |
132 |
|
| |
2.2 NHS regulatory requirements and international standards |
132 |
|
| |
3 Impact and response |
133 |
|
| |
3.1 Impact of regulation |
133 |
|
| |
3.2 A strategy for compliance |
133 |
|
| |
4 Strategic considerations in the Trust context |
134 |
|
| |
4.1 Elements and principles of strategy |
135 |
|
| |
5 Implementation |
135 |
|
| |
5.1 ICT Safety Board |
135 |
|
| |
5.2 Safety Management Policy document |
136 |
|
| |
5.3 Coordination with stakeholders |
136 |
|
| |
5.4 Safety culture, commitment and safety management |
136 |
|
| |
5.4.1 Assurance and competencies |
137 |
|
| |
5.5 An overall approach to safety justification |
137 |
|
| |
5.6 Safety management: hazard analysis |
138 |
|
| |
5.7 The lifecycle includes safety management |
138 |
|
| |
5.8 Development methods and controls |
139 |
|
| |
5.9 Development file, records and configuration management |
140 |
|
| |
5.10 Safety records |
140 |
|
| |
5.11 Impact on procurement from third parties |
140 |
|
| |
5.12 Change Advisory Board (CAB) |
141 |
|
| |
5.13 Release of applications and equipment into the liveenvironment |
142 |
|
| |
5.14 Incident management, root causes and after action reviews |
142 |
|
| |
5.15 Network resilience, diversity and reliability |
143 |
|
| |
5.16 Marketing of software as a medical device |
143 |
|
| |
6 Conclusion and way ahead |
143 |
|
| |
Acknowledgments |
144 |
|
| |
References |
144 |
|
| |
Testing of Safety-Critical Software Embeddedin an Artificial Heart |
145 |
|
| |
1 Introduction |
145 |
|
| |
2 H-VAD artificial heart |
146 |
|
| |
3 Testing the H-VAD software |
148 |
|
| |
3.1 In-Vitro environment: testing and code coverage measurement |
148 |
|
| |
3.2 H-VAD software testing in an animal experiment |
151 |
|
| |
4 Conclusions |
153 |
|
| |
Acknowledgments |
154 |
|
| |
References |
154 |
|
| |
Testing Safety-Critical Systems |
156 |
|
| |
A Risk Driven Approach to testing MedicalDevice Software |
157 |
|
| |
1 Introduction |
157 |
|
| |
2 Risk driven testing for new software |
159 |
|
| |
3 Risk driven testing during maintenance |
163 |
|
| |
4 Test definition in risk driven testing |
164 |
|
| |
5 Conclusions |
167 |
|
| |
References |
168 |
|
| |
Testing Experiences of Safety-CriticalEmbedded Systems |
169 |
|
| |
1 Introduction |
169 |
|
| |
2 Safety-criticality |
170 |
|
| |
3 The V-Model |
171 |
|
| |
4 Risk-based testing |
173 |
|
| |
5 Specific test activities on high risk items |
178 |
|
| |
5.1 Hardware imperfections |
178 |
|
| |
5.2 Software measures |
179 |
|
| |
5.3 Test techniques |
179 |
|
| |
5.4 Integration testing |
180 |
|
| |
5.5 Reliability testing |
180 |
|
| |
6 Test reporting |
182 |
|
| |
7 Tool support |
183 |
|
| |
8 Releasing the system |
183 |
|
| |
9 Incremental development |
184 |
|
| |
10 Summary |
184 |
|
| |
References |
185 |
|
| |
Testing of Safety-Critical Systems – a StructuralApproach to Test Case Design |
187 |
|
| |
1 Introduction |
187 |
|
| |
2 Problems of testing safety-critical systems |
188 |
|
| |
3 Testing requirements and standards |
190 |
|
| |
4 A method guide for test case design |
192 |
|
| |
4.1 Resolved issues and related work |
193 |
|
| |
4.2 Analysis and design of test cases with the method guide |
194 |
|
| |
5 Case study: Testing a railway interlocking system for SiemensTransportation Systems (TS) |
202 |
|
| |
5.1 Test process |
203 |
|
| |
5.2 Test-case design supported by the method guide |
204 |
|
| |
6 Conclusion and future work |
209 |
|
| |
Acknowledgments |
210 |
|
| |
References |
210 |
|
| |
Technological Matters |
212 |
|
| |
Safety, Security and Multicore |
213 |
|
| |
1 Introduction |
213 |
|
| |
2 Safety |
214 |
|
| |
2.1 Federated avionics architecture |
214 |
|
| |
2.2 Integrated Modular Avionics architecture |
216 |
|
| |
3 Security |
218 |
|
| |
3.1 Multiple Independent Levels of Security |
219 |
|
| |
3.2 Hypervisors and virtualization |
220 |
|
| |
4 Multicore |
221 |
|
| |
4.1 Symmetric Multiprocessing |
223 |
|
| |
4.2 Asymmetric Multiprocessing |
224 |
|
| |
4.3 Supervised and virtualized asymmetric multiprocessing |
225 |
|
| |
5 Convergence |
225 |
|
| |
5.1 Safety and multicore convergence |
225 |
|
| |
5.2 Security and multicore convergence |
227 |
|
| |
5.3 Safety, security and multicore convergence |
227 |
|
| |
6 Conclusions |
228 |
|
| |
References |
229 |
|
| |
A Pragmatic View of Formal Methods: theHi-Lite Project |
231 |
|
| |
1 Introduction |
231 |
|
| |
2 Reliability and correctness |
232 |
|
| |
3 Safety and security |
234 |
|
| |
4 Proving entire programs correct |
235 |
|
| |
4.1 Difficulty and expense of producing a formal specification |
235 |
|
| |
4.2 Errors in the specification |
236 |
|
| |
4.3 Incomplete specifications |
236 |
|
| |
4.4 Things that cannot be formally specified |
236 |
|
| |
4.5 Partial versus total correctness |
237 |
|
| |
4.6 Programming language specification |
237 |
|
| |
5 Proving properties of programs |
238 |
|
| |
5.1 Proving freedom from run-time errors |
238 |
|
| |
5.2 Proving security properties |
239 |
|
| |
6 The role of testing |
240 |
|
| |
7 Using formal approaches to reasoning about existing programs |
242 |
|
| |
8 Putting it all together: the Hi-Lite project |
243 |
|
| |
9 Conclusion |
245 |
|
| |
References |
245 |
|
| |
Safety Standards |
247 |
|
| |
CE Marking – the Essential Requirements |
248 |
|
| |
1 Introduction |
248 |
|
| |
2 Product liability |
249 |
|
| |
3 What is CE marking? |
250 |
|
| |
4 Product compliance requirements |
252 |
|
| |
5 The essential requirements of directives |
253 |
|
| |
6 ‘Product’ |
253 |
|
| |
7 Combinations of product |
254 |
|
| |
7.1 Systems and assemblies |
254 |
|
| |
7.2 Partially finished products |
254 |
|
| |
7.3 Fixed installations |
255 |
|
| |
8 Harmonised standards |
255 |
|
| |
9 Conformity assessment procedures |
257 |
|
| |
10 The CE marking process |
258 |
|
| |
11 The EC declaration of conformity |
259 |
|
| |
12 CE Marking – getting started |
260 |
|
| |
12.1 Product safety considerations |
261 |
|
| |
13 CE compliance of a complex product |
261 |
|
| |
14 CE marking summary |
266 |
|
| |
14.1 Key points |
266 |
|
| |
References |
267 |
|
| |
Introduction and Revision of IEC 61508 |
269 |
|
| |
1 Background |
269 |
|
| |
2 Structure of IEC 61508 |
270 |
|
| |
3 Scope of IEC 61508 |
271 |
|
| |
4 Concept of functional safety |
272 |
|
| |
5 Strategy to achieve functional safety |
273 |
|
| |
6 Essence of functional safety |
276 |
|
| |
7 Safety-related systems |
277 |
|
| |
8 Safety Integrity Levels |
277 |
|
| |
9 Risk based approach |
280 |
|
| |
10 Revision of IEC 61508 |
281 |
|
| |
10.1 Terminology |
281 |
|
| |
10.2 Architectural constraints |
282 |
|
| |
10.3 Modes of operation |
283 |
|
| |
10.4 Systematic safety integrity |
283 |
|
| |
10.5 Systematic Capability |
284 |
|
| |
10.6 Security |
284 |
|
| |
10.7 E/E/PE requirements specification |
284 |
|
| |
10.8 Digital communications |
284 |
|
| |
10.9 Management of functional safety |
285 |
|
| |
10.10 ASICS and integrated circuits |
285 |
|
| |
10.11 Safety manual for compliant items |
286 |
|
| |
10.12 Software |
286 |
|
| |
Acknowledgments |
286 |
|
| |
References |
287 |
|
| |
Are we there yet? A Practitioner’s View ofDO-178C/ED-12C |
288 |
|
| |
1 What is DO-178B? |
288 |
|
| |
2 Why DO-178C? |
290 |
|
| |
3 DO-178C Core Text |
291 |
|
| |
3.1 Overview |
291 |
|
| |
3.2 Section 1: Introduction |
292 |
|
| |
3.3 Section 2: System aspects relating to software development |
292 |
|
| |
3.4 Section 3: Software life cycle and Section 4: Software planningprocess |
293 |
|
| |
3.5 Section 5: Software development processes |
293 |
|
| |
3.5.1 High-level and low-level requirements |
293 |
|
| |
3.5.2 Derived requirements |
294 |
|
| |
3.6 Section 6: Software verification process |
295 |
|
| |
3.6.1 Objectives versus activities |
295 |
|
| |
3.6.2 Verification independence |
295 |
|
| |
3.6.3 Requirements-based testing |
295 |
|
| |
3.6.4 Requirements expressed by logic equations |
295 |
|
| |
3.6.5 Deactivated code |
297 |
|
| |
3.6.6 Parameter data items |
298 |
|
| |
3.7 Section 7: Software configuration management process,Section 8: Software quality assurance process, Section 9:Certification liaison process, Section 10: Overview of aircraft andengine certification and Section 11: Software life cycle data |
298 |
|
| |
3.8 Section 12: Additional considerations |
298 |
|
| |
4 DO-278A |
299 |
|
| |
5 DO-248C |
299 |
|
| |
6 Tool qualification supplement |
300 |
|
| |
7 Model-based development and verification supplement |
301 |
|
| |
8 Object-oriented and related technology supplement |
303 |
|
| |
9 Formal methods technology supplement |
305 |
|
| |
10 Conclusions |
306 |
|
| |
References |
307 |
|
| |
AUTHOR INDEX |
309 |
|
