Book

Safeware: System Safety and Computers

01 Jan 1995
TL;DR: This chapter discusses the role of humans in Automated Systems, the nature of risk, and elements of a Safeware Program, which aims to manage Safety and Security through design and implementation.
Abstract: I The Nature Of Risk. Risk In Modern Society. Changing Attitudes Toward Risk. Is Increased Concern Justified? Unique Risk Factors in Industrialized Society. Computers And Risk. The Role of Computers in Accidents. Software Myths. Why Software Engineering is Hard. The Reality We Face. Causes Of Accidents. The Concept of Causality. Flaws in the Safety Culture. Ineffective Organizational Structure. Ineffective Technical Activities. Human Error And Risk. Do Humans Cause Most Accidents? The Need for Humans in Automated Systems. Human Error as Human-Task Mismatch. Conclusions. The Role Of Humans In Automated Systems. Mental Models. The Human as Monitor. The Human as Backup. The Human as Partner. Conclusions. II Introduction To System Safety. Foundations Of System Safety. Safety Engineering Pre-World War II. Systems Theory. Systems Engineering. Systems Analysis. Fundamentals Of System Safety. Historical Development. Basic Concepts. Software System Safety. Cost and Effectiveness of System Safety. Other Approaches To Safety. Industrial Safety. Reliability Engineering. Application-Specific Approaches to Safety. III Definitions And Models. Terminology. Failure and Error. Accident and Incident. Hazard. Risk. Safety. Safety and Security. Accident And Human Error Models. Accident Models. Human Task and Error Models. Summary. IV Elements Of A Safeware Program. Managing Safety. The Role of General Management. Place in the Organizational Structure. Documentation. The System And Software Safety Process. The General Tasks. Conceptual Development. Design. Full-Scale Development. Production and Deployment. Operation. Examples. Hazard Analysis. The Hazard Analysis Process. Types of System Models. General Types of Analysis. Limitations and Criticisms of Hazard Analysis. Hazard Analysis Models And Techniques. Checklists. Hazard Indices. Fault Tree Analysis. Management Oversight and Risk Tree (MORT) Analysis. Event Tree Analysis. Cause-Consequence Analysis (CCA).
Hazards and Operability Analysis (HAZOP). Interface Analyses. Failure Modes and Effects Analysis (FMEA). Failure Modes, Effects, and Criticality Analysis (FMECA). Fault Hazard Analysis (FHA). State Machine Hazard Analysis (SMHA). Task and Human Error Analysis Techniques. Evaluations of Hazard Analysis Techniques. Software Hazard And Requirements Analysis. Process Considerations. Requirements Specification Components. Completeness in Requirements Specifications. Completeness Criteria for Requirements Analysis. Constraint Analysis. Designing For Safety. The Design Process. Design Techniques. Design Modification and Maintenance. Design Of The Human-Machine Interface. General Process Considerations. Matching Tasks to Human Characteristics. Reducing Safety-Critical Human Errors. Providing Appropriate Information and Feedback. Training and Maintaining Skills. Guidelines for Safe HMI Design. Verification Of Safety. Dynamic Analysis. Static Analysis. Independent Verification and Validation. Summary.
Citations
Book
25 Apr 2008
TL;DR: Principles of Model Checking offers a comprehensive introduction to model checking that is not only a text suitable for classroom use but also a valuable reference for researchers and practitioners in the field.
Abstract: Our growing dependence on increasingly complex computer and software systems necessitates the development of formalisms, techniques, and tools for assessing functional properties of these systems. One such technique that has emerged in the last twenty years is model checking, which systematically (and automatically) checks whether a model of a given system satisfies a desired property such as deadlock freedom, invariants, and request-response properties. This automated technique for verification and debugging has developed into a mature and widely used approach with many applications. Principles of Model Checking offers a comprehensive introduction to model checking that is not only a text suitable for classroom use but also a valuable reference for researchers and practitioners in the field. The book begins with the basic principles for modeling concurrent and communicating systems, introduces different classes of properties (including safety and liveness), presents the notion of fairness, and provides automata-based algorithms for these properties. It introduces the temporal logics LTL and CTL, compares them, and covers algorithms for verifying these logics, discussing real-time systems as well as systems subject to random phenomena. Separate chapters treat such efficiency-improving techniques as abstraction and symbolic manipulation. The book includes an extensive set of examples (most of which run through several chapters) and a complete set of basic results accompanied by detailed proofs. Each chapter concludes with a summary, bibliographic notes, and an extensive list of exercises of both practical and theoretical nature.

4,905 citations
Cites methods from "Safeware: System Safety and Compute..."

  • Books by Storey [381] and Leveson [269] describe techniques for developing safety-critical software and discuss the role of formal verification in this context.

Journal ArticleDOI
TL;DR: It is argued that risk management must be modelled by cross-disciplinary studies, considering risk management to be a control problem and serving to represent the control structure involving all levels of society for each particular hazard category, and that this requires a system-oriented approach based on functional abstraction rather than structural decomposition.

2,547 citations
Cites background from "Safeware: System Safety and Compute..."

  • (For recent reviews of the state of the art, see Leveson, 1995; Taylor, 1994).

Journal ArticleDOI
TL;DR: In this paper, the authors present a new accident model based on basic systems theory concepts, which provides a theoretical foundation for the introduction of unique new types of accident analysis, hazard analysis, accident prevention strategies including new approaches to designing for safety, risk assessment techniques, and approaches to design performance monitoring and safety metrics.

1,898 citations
Cites background from "Safeware: System Safety and Compute..."

  • This is both its blessing and its curse: we do not have to worry about the physical realization of our software designs, but we also no longer have physical laws that limit the complexity of these designs—the latter could be called the curse of flexibility (Leveson, 1995).

  • We have defined (or at least made progress toward defining) what it means for a software model of the process to be complete in this sense (Leveson, 1995) and are working on determining what the human controller's mental model must contain to safely control the process and to supervise automated…

  • One can be found in Leveson (1995).

Proceedings ArticleDOI
TL;DR: The paper compares the main approaches to goal modeling, goal specification and goal-based reasoning in the many activities of the requirements engineering process and suggests what a goal-oriented requirements engineering method may look like.
Abstract: Goals capture, at different levels of abstraction, the various objectives the system under consideration should achieve. Goal-oriented requirements engineering is concerned with the use of goals for eliciting, elaborating, structuring, specifying, analyzing, negotiating, documenting, and modifying requirements. This area has received increasing attention. The paper reviews various research efforts undertaken along this line of research. The arguments in favor of goal orientation are first briefly discussed. The paper then compares the main approaches to goal modeling, goal specification and goal-based reasoning in the many activities of the requirements engineering process. To make the discussion more concrete, a real case study is used to suggest what a goal-oriented requirements engineering method may look like. Experience with such approaches and tool support is briefly discussed as well.

1,729 citations
Cites methods from "Safeware: System Safety and Compute..."

  • Compared with standard fault-tree analysis [Lev95], obstacle analysis is goal-oriented, formal, and produces obstacle trees that are provably complete with respect to what is known about the domain [Lam00a].

Proceedings ArticleDOI
01 Sep 2001
TL;DR: This work presents a light-weight formalism that captures the temporal aspects of software component interfaces through an automata-based language that supports automatic compatibility checks between interface models, and thus constitutes a type system for component interaction.
Abstract: Conventional type systems specify interfaces in terms of values and domains. We present a light-weight formalism that captures the temporal aspects of software component interfaces. Specifically, we use an automata-based language to capture both input assumptions about the order in which the methods of a component are called, and output guarantees about the order in which the component calls external methods. The formalism supports automatic compatibility checks between interface models, and thus constitutes a type system for component interaction. Unlike traditional uses of automata, our formalism is based on an optimistic approach to composition, and on an alternating approach to design refinement. According to the optimistic approach, two components are compatible if there is some environment that can make them work together. According to the alternating approach, one interface refines another if it has weaker input assumptions, and stronger output guarantees. We show that these notions have game-theoretic foundations that lead to efficient algorithms for checking compatibility and refinement.

1,336 citations