Spectrm and safety
Download
1 / 39

SpecTRM and Safety - PowerPoint PPT Presentation


  • 51 Views
  • Uploaded on

SpecTRM and Safety. Jeffrey Howard Patrick Anderson. Safety and Requirements. Software-related accidents are usually caused by flawed requirements Incomplete or wrong assumptions about the controlled system or required operation Unhandled controlled-system states and environmental conditions

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about ' SpecTRM and Safety' - buffy-floyd


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Spectrm and safety

SpecTRM and Safety

Jeffrey Howard

Patrick Anderson

Safeware Engineering Corporation


Safety and requirements
Safety and Requirements

  • Software-related accidents are usually caused by flawed requirements

    • Incomplete or wrong assumptions about the controlled system or required operation

    • Unhandled controlled-system states and environmental conditions

  • “Correct” (in the sense that the software meets the requirements) or “reliable” software will not necessarily be safe

Safeware Engineering Corporation


Safety process
Safety Process

  • Safety-Driven process must encompass the whole lifecycle

  • Safety activities must be integrated into system engineering

  • Hazards must be tracked from identification through resolution

Safeware Engineering Corporation


Intent specifications
Intent Specifications

  • Improved form for writing specifications

  • Based on “why” (design rationale) as well as what and how

    • Design decisions at each stage map back to requirements and constraints (including safety constraints) they are derived to satisfy

    • Earlier decisions map to later stages of the process

    • Results in a record of progression of design rationale from high-level requirements to component requirements and designs

    • Provides traceability of safety information

Safeware Engineering Corporation


Intent specification structure

Intent Specification Levels

Program Management

System Purpose

System Design Principles

Blackbox Behavior

Design Representation

Physical Representation

Operations

Each level has information about

Environment

Operator

System and Components

Verification and Validation

Links between sections and level provide traceability

Intent Specification Structure

Safeware Engineering Corporation


Spectrm rl modeling
SpecTRM-RL Modeling

  • Intent Specifications include blackbox models of software behavior

  • Models are executable and analyzable

Safeware Engineering Corporation


Spectrm rl modeling 2
SpecTRM-RL Modeling (2)

  • SpecTRM-RL is based on state machines

  • Each state transition has an AND/OR table

    • Rows represent AND

    • Columns represent OR

  • SpecTRM-RL emphasizes readability

    • Review is vital to ensuring properties such as safety

    • The model is the specification

Safeware Engineering Corporation


Spectrm tool capabilities
SpecTRM Tool Capabilities

  • Editing tools tailored to specification and model development

    • User-friendly editor

    • Easy AND/OR table creation and editing

    • Graphical control loop view is automatically updated

Safeware Engineering Corporation


Editing
Editing

  • SpecTRM’s editing environment

    • Is easy to use

    • Contains templates for SpecTRM-RL model elements

    • Facilitates editing of AND/OR tables

Safeware Engineering Corporation


Editing demonstration
Editing Demonstration

  • SpecTRM combines common word processing features with customization for writing specifications and building models

Safeware Engineering Corporation


Editing demonstration 2
Editing Demonstration (2)

  • SpecTRM facilitates model building with model element templates and AND/OR table editing commands

Safeware Engineering Corporation


Spectrm tool capabilities 2
SpecTRM Tool Capabilities (2)

  • Editing tools tailored to specification and model development

  • Links and navigation support traceability

    • Map between levels of the intent specification, bridging between downstream decisions and their rationale

    • Track hazards throughout the project life cycle from identification to resolution

Safeware Engineering Corporation


Linking and navigation
Linking and Navigation

  • Links are underlined and displayed in blue for ease of use

  • Arrows denote whether the link is to a level above or below in the intent specification

Safeware Engineering Corporation


Linking and navigation 2
Linking and Navigation (2)

  • Results of following links from high-level requirements into the model.

  • Backward and forward buttons ease model traversal

Safeware Engineering Corporation


Preliminary hazard analysis
Preliminary Hazard Analysis

  • Begins with the identification of hazards

    • There may not be many

    • Distinguish between hazards and causes

  • Translate system hazards into high-level system safety design constraints

  • Establish the hazard log

Safeware Engineering Corporation


System design
System Design

  • Preliminary hazard analysis results feed into the system design process

  • Links from the safety constraints point into the system design to trace decisions that eliminate or control hazards

  • System design information is used in System Hazard Analysis, which feeds back into the design

  • System design becomes the basis of the SpecTRM-RL requirements model at level 3 of the intent specification

Safeware Engineering Corporation


Spectrm rl models
SpecTRM-RL Models

  • Completeness criteria are built into the design of SpecTRM-RL’s syntax

Safeware Engineering Corporation


Spectrm rl outputs

Output definitions enforce several safety-related completeness criteria

Timing behavior, including environmental capacity for handling outputs, is addressed

Feedback criteria are enforced

Output reversal information is included

Outputs are sent when the triggering condition is true

SpecTRM-RL Outputs

Safeware Engineering Corporation


Spectrm rl states and modes

States represent the state of the controlled process as inferred by the software

Modes are groupings of software behavior

To enforce completeness, all states must include an “Unknown” state

SpecTRM-RL States and Modes

Safeware Engineering Corporation


Spectrm rl inputs

Input definitions address several completeness criteria inferred by the software

Possible value attributes define handling for nonsensical values

Timing behavior specifies what to do with late or missing input

Obsolete forces considering data age: no data is good forever

SpecTRM-RL Inputs

Safeware Engineering Corporation


Software hazard analysis
Software Hazard Analysis inferred by the software

  • SpecTRM and SpecTRM-RL build toward software hazard analysis

  • Software hazard analysis is a subsystem hazard analysis technique

  • The goal is to

    • Validate that specified software blackbox behavior satisfies system safety design constraints

    • Check that specified software behavior satisfies general software safety design criteria

Safeware Engineering Corporation


Spectrm tool capabilities 3
SpecTRM Tool Capabilities (3) inferred by the software

  • Editing tools tailored to specification and model development

  • Links and navigation support traceability

  • Automated validation to ensure well-formed blackbox models

    • Catches missing or malformed model elements

    • Reduces time for model development

    • Prerequisite for execution and analysis

Safeware Engineering Corporation


Model validation
Model Validation inferred by the software

  • SpecTRM’s validator automatically checks models

  • Errors, such as references to nonexistent model elements, are highlighted in red

Safeware Engineering Corporation


Model validation 2
Model Validation (2) inferred by the software

  • Tool tips provide descriptions of errors

  • Easy navigation between validation errors is provided

Safeware Engineering Corporation


Spectrm tool capabilities 4
SpecTRM Tool Capabilities (4) inferred by the software

  • Editing tools tailored to specification and model development

  • Links and navigation support traceability

  • Automated validation to ensure well-formed blackbox models

  • Execution of models

    • Evaluating software before design and code greatly reduces the cost of correcting requirements errors

    • Enforcement of safety constraints can be verified early

    • Execution animates the control loop view of the model

Safeware Engineering Corporation


Model execution
Model Execution inferred by the software

  • SpecTRM executes requirements models

  • Adherence to safety constraints can be observed before design and code are generated

  • SpecTRM animates the graphical view

Safeware Engineering Corporation


Model execution 2
Model Execution (2) inferred by the software

  • Input and output message values are displayed in blue

  • States and modes are lit up in yellow

  • The graphical view is animated as the simulation progresses

Safeware Engineering Corporation


Model execution 3
Model Execution (3) inferred by the software

  • Using the simulator control panel, it is possible to pause the simulator and advance in single steps

  • Input is provided by text files and other values may be logged to text files

Safeware Engineering Corporation


Spectrm tool capabilities 5
SpecTRM Tool Capabilities (5) inferred by the software

  • Editing tools tailored to specification and model development

  • Links and navigation support traceability

  • Automated validation to ensure well-formed blackbox models

  • Execution of models

  • Slicing of models assists reviewers

    • Data flow slices show what elements affect each other

    • Scenario slices show how software operates under a given set of circumstances

Safeware Engineering Corporation


Slicing
Slicing inferred by the software

  • Slicing abstracts irrelevant detail from the model

  • Important properties, such as safety-related behavior, are made to stand out to reviewers

  • SpecTRM has three slicing operations

    • Forward data flow slicing

    • Backward data flow slicing

    • Scenario slicing

Safeware Engineering Corporation


Slicing 2
Slicing (2) inferred by the software

  • Forward data flow slices show what parts of the model are affected by the selected element

  • Irrelevant elements are hidden

Safeware Engineering Corporation


Slicing 3
Slicing (3) inferred by the software

  • Backward data flow slices show what parts of the model can affect a selected element, such as a safety-critical output

  • Color highlighting can be used for the slice result set

Safeware Engineering Corporation


Slicing 4
Slicing (4) inferred by the software

  • Many accidents stem from inadequate requirements for off-nominal processing

  • Scenario slicing facilitates review of model behavior in off-nominal modes

Safeware Engineering Corporation


Spectrm tool capabilities 6
SpecTRM Tool Capabilities (6) inferred by the software

  • Editing tools tailored to specification and model development

  • Links and navigation support traceability

  • Automated validation to ensure well-formed blackbox models

  • Execution of models

  • Slicing of models assists reviewers

  • Specification completeness criteria enforcement

    • Professor Leveson developed a set of ~60 criteria for specification completeness (validated by Lutz at JPL)

    • Many are enforced by SpecTRM-RL syntax

    • SpecTRM enforces others with automated analyses

      • Robustness analysis searches transitions for unhandled cases

      • Nondeterminism analysis searches for multiple transition cases

Safeware Engineering Corporation


Robustness

Robustness is one of Professor Leveson’s completeness criteria

Informally, a state or mode is robust if, for all scenarios, at least one AND/OR table is true

SpecTRM offers an automated robustness analysis

Robustness

Safeware Engineering Corporation


Nondeterminism

Another completeness criteria SpecTRM automates criteria

No more than one AND/OR table can be true at one time

In practice behavior is implementation dependent

It is difficult to assure the safety of such a system

Nondeterminism

Safeware Engineering Corporation


Spectrm benefits
SpecTRM Benefits criteria

  • Finding specification errors early in development so they can be fixed with the lowest cost and impact on the system design

  • Tracing not only requirements but also design rationale and safety constraints throughout the system design and documentation

  • Building safety and other required system properties into the design from the beginning, rather than emphasizing assessment at the end of the development process

Safeware Engineering Corporation


Discussion
Discussion criteria

Safeware Engineering Corporation


The end
The End criteria

Safeware Engineering Corporation


ad