Many current safety certification standards are process-based, i.e. they prescribe a set of development techniques and methods. This is perhaps best exemplified by the use of Safety Integrity Levels (SILs), e.g. as defined by IEC 61508 and UK Defence Standard 00-55. A SIL is assigned according to the level of risk posed by a system, and in turn prescribes the tools, techniques and methods that should be adopted throughout the development and assessment lifecycle. Product-based certification, by contrast, relies on the generation and assurance of product-specific evidence that meets safety requirements derived from hazard analysis. This evidence can serve as the basis of the argument in a safety case. However, uncertainty about the provenance of the evidence in such a safety case can undermine confidence in it. To address this problem, we argue that process arguments remain an essential element of any safety case. Unlike the sweeping process-based integrity arguments of the past, however, we suggest that highly directed process arguments should be linked to the individual items of evidence used in the product case. Such arguments can address issues of tool integrity, competency of personnel, and configuration management. Much as deductive software safety arguments are desirable, there will always be inductive elements. Process-based arguments of the type we suggest partly address this problem by making explicit the otherwise implicit assumptions underlying certification evidence.