Safety-Driven Design for Software-Intensive Aerospace and Automotive Systems

Stringfellow, Margaret V.; Leveson, Nancy G.; Owens, Brandon D.

doi:10.1109/jproc.2009.2039551

Cited by 46 publications

(24 citation statements)

References 11 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…To this end it is proposed that a hazard modelling and inference process be developed, as described in Figure 3. In this process the actual HAZOP is to be styled upon the approach as adopted for STPA [15,18], whilst an additional method is to be developed to cater for the iterative nature of hazard assessment with dynamical modelling supported by an inference mechanism connecting and validating the apparent dynamical behaviour with respect to the assessed causes. …”

Section: Hazop As (Semi)automated Propagation Methodsmentioning

confidence: 99%

“…In adopting the STAMP framework, and in particular the "Systems Theoretic Process Analysis" (STPA) [15,18], an approach can be developed that considers the likely nature of an applicable range of "Inadequate Control Actions" (ICA), effectively deviations, in the context of a simplified model of the Low-level Process Control Loop [18].…”

Section: Incorporating Stamp -Stpamentioning

confidence: 99%

“…To this end, Figure 5 includes additional places representing such layered behavioural models, the further inclusion of a "state information" model to represent the "perceptions" that the behavioural models will have of the state of the environment, and a representation of the coupling of the process output space with any other related entities to the right. Control Loop, styled on the generic STPA process [18].…”

Section: Stpa and The Low-level Process Control Loopmentioning

confidence: 99%

“…Otherwise, the manner by which this representation is used to systematically identify hazards remains the same as for the described STPA process [18]. Start by identifying the controlled parameter ("manoeuvre" -in the case of the Collision Avoidance System) along with the applicable set of guidewords; for each deviation identify all likely design or "control flaws" (CFxx) associated with each of the relevant parts of the model by applying each deviation (ICAnn) whilst working around the loop (including any connecting components that might be assigned to other related entities); for each flaw then identify any additional safety constraint (SCyy) as mitigation; and finally detail the associated design decisions (DDzz) required to implement or enforce these additional safety constraints.…”

Section: Stpa and The Low-level Process Control Loopmentioning

confidence: 99%

“…Furthermore, this study has been pursued to develop a broader Systems approach towards hazard assessment so as to evaluate hypothetical deviations from declared intent -wherein a behavioural modelling framework is to be styled upon that of a STAMP [9] (Systems Theoretic Accident Model and Processes) based hazard assessment methodology and drawing upon STPA [15,18]. It is proposed that one might combine the associated system models, undertake exploratory dynamic hazard assessment, and conduct this within the context of a Preliminary Aircraft Safety Assessment (PASA); as a possible extension to the process guidelines as described in Aerospace Recommended Practice (ARP) 4754A [3]; as outlined in Figure 1.…”

Section: Introductionmentioning

confidence: 99%

See 4 more Smart Citations

Hazards in advising autonomy: incorporating hazard modelling with system dynamics into the aerospace safety assessment process for UAS

Downes¹,

Chung²

2011

6th IET International Conference on System Safety 2011

View full text Add to dashboard Cite

Section: Hazop As (Semi)automated Propagation Methodsmentioning

confidence: 99%

Section: Incorporating Stamp -Stpamentioning

confidence: 99%

Section: Stpa and The Low-level Process Control Loopmentioning

confidence: 99%

Section: Stpa and The Low-level Process Control Loopmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Hazards in advising autonomy: incorporating hazard modelling with system dynamics into the aerospace safety assessment process for UAS

Downes¹,

Chung²

2011

6th IET International Conference on System Safety 2011

View full text Add to dashboard Cite

Procedure rework: a dynamic process with implications for the “rework cycle” and “disaster dynamics”

Owens

Leveson

Hoffman

2011

System Dynamics Review

View full text Add to dashboard Cite

Archetypal dynamic structures link the behaviors of the diverse systems of interest to system dynamics modelers. In this article, dynamic behaviors of Procedure Rework processes-used in system operations to update procedures as they are invalidated by changes in the system state and its environment-are linked to two archetypal structures: the "rework cycle" and "disaster dynamics". A case study focused on procedure rework in Space Shuttle Mission Control and involving the development of simulation models of procedure rework calibrated with data from five Space Shuttle missions is presented. A detrimental effect in the process-the rework propagation end-of-mission effect-is identified and linked to three general aspects of rework (rework time horizons, propagation of rework beyond the time horizons, and events forcing timely completion of all remaining rework) that may be improved upon in this and other rework processes. Furthermore, the effect's causes are characterized as examples of endogenous causal mechanisms for disaster dynamics.

show abstract

Identifying safety issues from energy conservation requirements

Madala¹,

Tenbergen

2022

J Software Evolu Process

View full text Add to dashboard Cite

In cyber-physical systems such as robots and automated vehicles that rely heavily on batteries, safety, and energy conservation can result conflicting requirements when not considered together. In systems engineering, the development begins at a concept phase where we have high-level information of different components of the system. During the concept phase, we perform hazard analysis and risk assessment, define safety goals, and derive safety requirements. This means requirement engineering occurs at the end of the concept phase. However, energy conservation recommendations are not taken into consideration until the detailed design with specific hardware and software is known. Hence, it is possible to recommend energy conservation behaviors that can compromise system's safety. If we perform a trade-off analysis between safety and energy conservation at a concept phase, we can propose various design alternatives and choose the best one that offers a safe and energy saving architecture. To achieve this goal, we propose an approach for identifying safety issues that can be caused by energy conservation recommendations. To evaluate the effectiveness of our approach, we performed an empirical study on four robotic systems. Our results show that we can find energy conservation recommendations that can compromise safety at a concept phase.

show abstract

Safety-Driven Design for Software-Intensive Aerospace and Automotive Systems

Abstract: A new hazard-analysis technique, that gives system designers the information they need to make good decisions before their designs are completed, has been successfully applied to many diverse systems.

Cited by 46 publications

References 11 publications

Hazards in advising autonomy: incorporating hazard modelling with system dynamics into the aerospace safety assessment process for UAS

Hazards in advising autonomy: incorporating hazard modelling with system dynamics into the aerospace safety assessment process for UAS

Procedure rework: a dynamic process with implications for the “rework cycle” and “disaster dynamics”

Identifying safety issues from energy conservation requirements

Contact Info

Product

Resources

About