
Software Requirements Safety Analysis on the Model Specified by NuSCR and SMV Input Language
Aug. 26, 2005
Kwang Yong Koh
Dept. of Nuclear and Quantum Engineering, KAIST

Contents
- Introduction
- Main Process
  - Process Overview
  - Terminology
  - Safety Analysis
  - Hazard Analysis
- Summary
- Further Study
- Reference

Introduction: Research Scope or Subject
Software development life cycle: Concept -> Requirements -> Design -> Implement -> Test

Three activities run alongside the life cycle:
- Software Development: the development work itself
- Software V&V: the V&V activities
- Software Safety Analysis:
  - Software Requirements Safety Analysis
  - Software Design Safety Analysis

The subject of this research is Software Requirements Safety Analysis, i.e. safety analysis at the requirements phase, using formal specification together with formal verification (the NuSCR specification and SMV model checking described in the following slides).

Main Process (Process Overview)
- A NuSCR specification is automatically translated into the SMV input language.
- The SMV input language is mainly used for V&V purposes, but it can also be used for safety analysis.
- Object (target) of the hazard analysis: the NuSCR specification, the SMV input, or both. Under consideration.

Main Process (Terminology)
Reliability: the probability that a piece of equipment or component will perform its intended function satisfactorily for a prescribed time and under stipulated environmental conditions.
Failure: the nonperformance or inability of the system or component to perform its intended function for a specified time under specified environmental conditions.
Error: a design flaw or deviation from a desired or intended state.
Accident: an undesired and unplanned (but not necessarily unexpected) event that results in (at least) a specified level of loss.

The main differences between failure and error are that a failure is an event (a behavior) while an error is a static condition (a state), and that a failure occurs at a particular instant in time while an error remains until it is removed.

Main Process (Terminology (Cont'd))
Incident: an event that involves no loss (or only minor loss) but has the potential for loss under different circumstances.
Hazard: a state or set of conditions of a system (or an object) that, together with other conditions in the environment of the system (or object), will lead inevitably to an accident (loss event).
Risk: the hazard level combined with (1) the likelihood of the hazard leading to an accident (sometimes called danger) and (2) hazard exposure or duration (sometimes called latency).
Safety: freedom from accidents or losses.

A hazard has two important characteristics: (1) severity, defined by the worst possible accident it can lead to, and (2) likelihood of occurrence. Because no system is perfectly safe, a system is never declared safe in the absolute: it can only be said to be safe against specific hazards, or safe in the sense that its attendant risks are judged acceptable.

Main Process (Safety Analysis)
Safety analysis process:
- Hazard and risk analysis: assess the hazards and the risks of damage associated with the system.
- Safety requirements specification: specify a set of safety requirements which apply to the system.
- Designation of safety-critical systems: identify the subsystems whose incorrect operation may compromise system safety.
- Safety validation: check the overall system safety.

Hazard analysis is at the heart of any effective safety program. Although hazard analysis alone cannot ensure safety, it is a necessary first step before hazards can be eliminated or controlled through design or operational procedures. Safety requirements specification and designation of safety-critical systems belong to software development itself and are beyond the scope of this research. Safety validation is replaced by safety verification, because the application model under analysis is only a small part of the system, not the whole system: what can be checked is that the model satisfies its safety properties, not that the whole system is safe.

Main Process (Hazard Analysis)
What is it?
- Identifying all possible hazards potentially created by a product, process or application.
- Structured into various classes of hazard analysis and carried out throughout the software process.
- A risk analysis should be carried out and documented for each identified hazard.

Hazard analysis stages:
- Hazard identification: identify potential hazards which may arise.
- Hazard classification: assess the risk associated with each hazard.
- Hazard decomposition: decompose hazards to discover their potential root causes.
- Safety specification: define how each hazard must be taken into account when the system is designed.

Hazard analysis is usually carried out throughout the software process, but in this research it is limited to the requirements phase, and no quantitative analysis is done. Hazard identification is the core work of the hazard analysis.

Main Process (Process Overview (Cont'd))
Object (target) of hazard analysis: the NuSCR specification, the SMV input (automatically translated from it), or both. Under consideration.

How? Hazard identification. Under consideration:
- using the most adequate existing technique, or
- a new approach (a combination of techniques, or one of my own, but intuitive).

Main Process (Hazard Analysis (Cont'd))
Every hazard analysis requires some type of model of the system. A model is a representation of a system that can be manipulated in order to obtain information about the system itself.

Types of system model:
- Material models versus symbolic (formal) models
- Dynamic models versus static models
- Stochastic models versus deterministic models

General types of analysis:
- Simplification: in order to make modeling and analysis practical, the complex system behavior must be simplified.
- Search techniques: the search strategy depends on the type of structure being searched. Typical relationships between the basic elements of the model:
  - Temporal (time- or sequence-related): identifying prior or succeeding events
  - Structural (whole-part): refining an event into its constituent events

Main Process (Hazard Analysis (Cont'd))
Search techniques: forward and backward search
Useful when the underlying structure is temporal and the elements are events, conditions, or tasks.
- Forward: from an initiating event (or state), trace it forward in time. Often limited to only a small set of temporally ordered events.
- Backward: from a final event (or state), determine the preceding events (or states). Fits well with the chain-of-events accident model.

Main Process (Hazard Analysis (Cont'd))
Search techniques: top-down and bottom-up search
Used when the relationship being investigated is structural (whole-part).
- Top-down: refine higher-level abstractions into their constituent parts.
- Bottom-up: put subcomponents together to determine the result. Useful for determining the effect of a particular component failure on system behavior.
- Combinations of the two are also used.

Main Process (Process Overview (Cont'd))
Object (target) of hazard analysis: the NuSCR specification, the SMV input (automatically translated from it), or both. Under consideration.

Why? (from the viewpoint of this research, not in general): to check that a hazard is not reachable. Reachability and safety are duals: the safety property "the hazard P is never reached" is the negation of the reachability property "some path reaches P", and in CTL this is exactly the equivalence !(EF P) ≡ AG !P.

Hazard identification: once hazards are discovered, the paths leading to each hazard are tracked and translated into a CTL expression, and whether the model (or system) is safe against that hazard can then be checked using SMV.
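The duality above, worked through on a toy model. This is an added example written for this page, not code from the original slides or from the NuSCR/SMV toolchain: a hand-built transition system over three booleans stands in for a translated NuSCR model, and the two fixpoint computations are the forward search (from the initial states) and backward search (from the hazard states) of the earlier hazard-analysis slides. `check_safety` computes AG !hazard and EF hazard explicitly, asserts that they are complements, and returns a witness path to a reachable hazard where one exists. The trip-logic sketch, the hazard condition, the naive and fail-safe next-state relations and all function names are assumptions of the example.

```python
"""Reachability versus safety on a toy transition system.

Added example, not from the original slides or the NuSCR/SMV tools.
The model is a constructed sketch of a reactor trip signal:
    state = (pressure_high, sensor_ok, trip), all booleans
Hazard (assumed for the example): pressure is high but no trip is asserted.
"""
from collections import deque
from itertools import product

STATES = set(product((False, True), repeat=3))   # all 8 valuations
INIT = {(False, True, False)}                     # pressure normal, sensor healthy, no trip


def is_hazard(state):
    pressure_high, _sensor_ok, trip = state
    return pressure_high and not trip


def _env_moves(sensor_ok):
    """Environment inputs: pressure is free; a failed sensor channel stays failed."""
    for pressure_next in (False, True):
        for sensor_next in ((False, True) if sensor_ok else (False,)):
            yield pressure_next, sensor_next


def next_states_naive(state):
    """First design: latched trip, asserted only if a healthy channel sees high pressure."""
    _p, sensor_ok, trip = state
    return {(p2, ok2, trip or (p2 and ok2)) for p2, ok2 in _env_moves(sensor_ok)}


def next_states_failsafe(state):
    """Hardened design: a failed channel also asserts the trip (fail-safe)."""
    _p, sensor_ok, trip = state
    return {(p2, ok2, trip or (p2 and ok2) or not ok2) for p2, ok2 in _env_moves(sensor_ok)}


def forward_reach(init, succ):
    """Forward search from the initial states (BFS); parent links give witness paths."""
    parent = {s: None for s in init}
    queue = deque(init)
    while queue:
        s = queue.popleft()
        for t in succ(s):
            if t not in parent:
                parent[t] = s
                queue.append(t)
    return parent


def ef(states, succ, prop):
    """Backward search: EF prop = least fixpoint of prop ∪ pre(X)."""
    sat = {s for s in states if prop(s)}
    while True:
        new = {s for s in states - sat if succ(s) & sat}
        if not new:
            return sat
        sat |= new


def ag(states, succ, prop):
    """AG prop = greatest fixpoint of prop ∩ AX(X): drop states with an escaping successor."""
    sat = {s for s in states if prop(s)}
    while True:
        drop = {s for s in sat if not succ(s) <= sat}
        if not drop:
            return sat
        sat -= drop


def check_safety(succ):
    """Return (safe, witness): safe iff every initial state satisfies AG !hazard.

    Also checks the slide's duality !(EF hazard) == AG !hazard on all states.
    """
    ag_safe = ag(STATES, succ, lambda s: not is_hazard(s))
    ef_hazard = ef(STATES, succ, is_hazard)
    assert ag_safe == STATES - ef_hazard, "CTL duality violated: checker bug"
    if INIT <= ag_safe:
        return True, []
    # Unsafe: some hazard state is reachable; rebuild the path from BFS parent links.
    parent = forward_reach(INIT, succ)
    state = next(s for s in parent if is_hazard(s))
    path = []
    while state is not None:
        path.append(state)
        state = parent[state]
    return False, path[::-1]


if __name__ == "__main__":
    for name, succ in (("naive", next_states_naive), ("fail-safe", next_states_failsafe)):
        safe, witness = check_safety(succ)
        print(f"{name}: {'SAFE' if safe else 'UNSAFE'}", witness)
```

Run stand-alone, the naive design is reported unsafe with the two-state witness (pressure normal, sensor healthy, no trip) -> (pressure high, sensor failed, no trip): the sensor fails in the same step the pressure rises, so the trip condition is never seen. The fail-safe design is reported safe. On the translated model the same property would be written for SMV as `SPEC AG !(pressure_high & !trip)`; the explicit set fixpoints here are what a symbolic model checker computes over BDDs, and the witness path corresponds to the counterexample trace SMV prints when the SPEC fails.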

Summary: Safety Analysis Process of My Research
1. Model
2. Hazard analysis (hazard identification)
3. Tracking or checking the possible paths to each hazard and translating them into a CTL expression (safety property)
4. Checking the safety property using SMV
5. Result: the model is safe or unsafe against the specific hazards

Further Study
Determine the two considerations not yet fixed:
- Object of hazard analysis
- Method or technique of hazard identification
Hazard analysis on the determined model:
- Hazard identification
- Tracking paths and translating them to CTL expressions
- Checking using SMV

Reference
- M. Bidoit et al., Systems and Software Verification
- Nancy G. Leveson, Safeware: System Safety and Computers
- IEC 61508, Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems
- Seo Ryong Koo, "An Integrated Environment of Software Development and V&V for PLC Based Safety-Critical Systems"