SlideShare a Scribd company logo

Ch9

Download as PPT, PDF
P
phanleson

The document discusses how to specify requirements for critical systems based on risk analysis. It explains how to identify risks, analyze and classify them, then derive safety, security, and reliability requirements to reduce risks. For reliability, it describes metrics like probability of failure on demand and mean time to failure that can be used to specify quantitative reliability levels. The goal is to develop requirements that eliminate intolerable risks and minimize other risks given cost and schedule constraints.

BusinessTechnology
1 of 50
Downloaded 34 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
Critical Systems Specification
Objectives To explain how dependability requirements may be identified by analysing the risks faced by critical systems To explain how safety requirements are generated from the system risk analysis To explain the derivation of security requirements To describe metrics used for reliability specification
Topics covered Risk-driven specification Safety specification Security specification Software reliability specification
Dependability requirements Functional requirements to define error checking and recovery facilities and protection against system failures. Non-functional requirements defining the required reliability and availability of the system. Excluding requirements that define states and conditions that must not arise.
Risk-driven specification Critical systems specification should be risk-driven. This approach has been widely used in safety and security-critical systems. The aim of the specification process should be to understand the risks (safety, security, etc.) faced by the system and to define requirements that reduce these risks.
Stages of risk-based analysis Risk identification Identify potential risks that may arise. Risk analysis and classification Assess the seriousness of each risk. Risk decomposition Decompose risks to discover their potential root causes. Risk reduction assessment Define how each risk must be taken into eliminated or reduced when the system is designed.
Risk-driven specification
Risk identification Identify the risks faced by the critical system. In safety-critical systems, the risks are the hazards that can lead to accidents. In security-critical systems, the risks are the potential attacks on the system. In risk identification, you should identify risk classes and position risks in these classes Service failure; Electrical risks; …
Insulin pump risks Insulin overdose (service failure). Insulin underdose (service failure). Power failure due to exhausted battery (electrical). Electrical interference with other medical equipment (electrical). Poor sensor and actuator contact (physical). Parts of machine break off in body (physical). Infection caused by introduction of machine (biological). Allergic reaction to materials or insulin (biological).
Risk analysis and classification The process is concerned with understanding the likelihood that a risk will arise and the potential consequences if an accident or incident should occur. Risks may be categorised as: Intolerable. Must never arise or result in an accident As low as reasonably practical(ALARP). Must minimise the possibility of risk given cost and schedule constraints Acceptable. The consequences of the risk are acceptable and no extra costs should be incurred to reduce hazard probability
Levels of risk
Social acceptability of risk The acceptability of a risk is determined by human, social and political considerations. In most societies, the boundaries between the regions are pushed upwards with time i.e. society is less willing to accept risk For example, the costs of cleaning up pollution may be less than the costs of preventing it but this may not be socially acceptable. Risk assessment is subjective Risks are identified as probable, unlikely, etc. This depends on who is making the assessment.
Risk assessment Estimate the risk probability and the risk severity. It is not normally possible to do this precisely so relative values are used such as ‘unlikely’, ‘rare’, ‘very high’, etc. The aim must be to exclude risks that are likely to arise or that have high severity.
Risk assessment - insulin pump
Risk decomposition Concerned with discovering the root causes of risks in a particular system. Techniques have been mostly derived from safety-critical systems and can be Inductive, bottom-up techniques. Start with a proposed system failure and assess the hazards that could arise from that failure; Deductive, top-down techniques. Start with a hazard and deduce what the causes of this could be.
Fault-tree analysis A deductive top-down technique. Put the risk or hazard at the root of the tree and identify the system states that could lead to that hazard. Where appropriate, link these with ‘and’ or ‘or’ conditions. A goal should be to minimise the number of single causes of system failure.
Insulin pump fault tree
Risk reduction assessment The aim of this process is to identify dependability requirements that specify how the risks should be managed and ensure that accidents/incidents do not arise. Risk reduction strategies Risk avoidance; Risk detection and removal; Damage limitation.
Strategy use Normally, in critical systems, a mix of risk reduction strategies are used. In a chemical plant control system, the system will include sensors to detect and correct excess pressure in the reactor. However, it will also include an independent protection system that opens a relief valve if dangerously high pressure is detected.
Insulin pump - software risks Arithmetic error A computation causes the value of a variable to overflow or underflow; Maybe include an exception handler for each type of arithmetic error. Algorithmic error Compare dose to be delivered with previous dose or safe maximum doses. Reduce dose if too high.
Safety requirements - insulin pump
Safety specification The safety requirements of a system should be separately specified. These requirements should be based on an analysis of the possible hazards and risks as previously discussed. Safety requirements usually apply to the system as a whole rather than to individual sub-systems. In systems engineering terms, the safety of a system is an emergent property.
IEC 61508 An international standard for safety management that was specifically designed for protection systems - it is not applicable to all safety-critical systems. Incorporates a model of the safety life cycle and covers all aspects of safety management from scope definition to system decommissioning.
Control system safety requirements
The safety life-cycle ©Ian Sommerville 2000 Dependable systems specification Slide
Safety requirements Functional safety requirements These define the safety functions of the protection system i.e. the define how the system should provide protection. Safety integrity requirements These define the reliability and availability of the protection system. They are based on expected usage and are classified using a safety integrity level from 1 to 4.
Security specification Has some similarities to safety specification Not possible to specify security requirements quantitatively; The requirements are often ‘shall not’ rather than ‘shall’ requirements. Differences No well-defined notion of a security life cycle for security management; No standards; Generic threats rather than system specific hazards; Mature security technology (encryption, etc.). However, there are problems in transferring this into general use; The dominance of a single supplier (Microsoft) means that huge numbers of systems may be affected by security failure.
The security specification process
Stages in security specification Asset identification and evaluation The assets (data and programs) and their required degree of protection are identified. The degree of required protection depends on the asset value so that a password file (say) is more valuable than a set of public web pages. Threat analysis and risk assessment Possible security threats are identified and the risks associated with each of these threats is estimated. Threat assignment Identified threats are related to the assets so that, for each identified asset, there is a list of associated threats.
Stages in security specification Technology analysis Available security technologies and their applicability against the identified threats are assessed. Security requirements specification The security requirements are specified. Where appropriate, these will explicitly identified the security technologies that may be used to protect against different threats to the system.
Types of security requirement Identification requirements. Authentication requirements. Authorisation requirements. Immunity requirements. Integrity requirements. Intrusion detection requirements. Non-repudiation requirements. Privacy requirements. Security auditing requirements. System maintenance security requirements.
LIBSYS security requirements
System reliability specification Hardware reliability What is the probability of a hardware component failing and how long does it take to repair that component? Software reliability How likely is it that a software component will produce an incorrect output. Software failures are different from hardware failures in that software does not wear out. It can continue in operation even after an incorrect result has been produced. Operator reliability How likely is it that the operator of a system will make an error?
Functional reliability requirements A predefined range for all values that are input by the operator shall be defined and the system shall check that all operator inputs fall within this predefined range. The system shall check all disks for bad blocks when it is initialised. The system must use N-version programming to implement the braking control system. The system must be implemented in a safe subset of Ada and checked using static analysis.
The required level of system reliability required should be expressed quantitatively. Reliability is a dynamic system attribute- reliability specifications related to the source code are meaningless. No more than N faults/1000 lines; This is only useful for a post-delivery process analysis where you are trying to assess how good your development techniques are. An appropriate reliability metric should be chosen to specify the overall system reliability. Non-functional reliability specification
Reliability metrics are units of measurement of system reliability. System reliability is measured by counting the number of operational failures and, where appropriate, relating these to the demands made on the system and the time that the system has been operational. A long-term measurement programme is required to assess the reliability of critical systems. Reliability metrics
Reliability metrics
Probability of failure on demand This is the probability that the system will fail when a service request is made. Useful when demands for service are intermittent and relatively infrequent. Appropriate for protection systems where services are demanded occasionally and where there are serious consequence if the service is not delivered. Relevant for many safety-critical systems with exception management components Emergency shutdown system in a chemical plant.
Rate of fault occurrence (ROCOF) Reflects the rate of occurrence of failure in the system. ROCOF of 0.002 means 2 failures are likely in each 1000 operational time units e.g. 2 failures per 1000 hours of operation. Relevant for operating systems, transaction processing systems where the system has to process a large number of similar requests that are relatively frequent Credit card processing system, airline booking system.
Mean time to failure Measure of the time between observed failures of the system. Is the reciprocal of ROCOF for stable systems. MTTF of 500 means that the mean time between failures is 500 time units. Relevant for systems with long transactions i.e. where system processing takes a long time. MTTF should be longer than transaction length Computer-aided design systems where a designer will work on a design for several hours, word processor systems.
Availability Measure of the fraction of the time that the system is available for use. Takes repair and restart time into account Availability of 0.998 means software is available for 998 out of 1000 time units. Relevant for non-stop, continuously running systems telephone switching systems, railway signalling systems.
Non-functional requirements spec. Reliability measurements do NOT take the consequences of failure into account. Transient faults may have no real consequences but other faults may cause data loss or corruption and loss of system service. May be necessary to identify different failure classes and use different metrics for each of these. The reliability specification must be structured.
Failure consequences When specifying reliability, it is not just the number of system failures that matter but the consequences of these failures. Failures that have serious consequences are clearly more damaging than those where repair and recovery is straightforward. In some cases, therefore, different reliability specifications for different types of failure may be defined.
Failure classification
For each sub-system, analyse the consequences of possible system failures. From the system failure analysis, partition failures into appropriate classes. For each failure class identified, set out the reliability using an appropriate metric. Different metrics may be used for different reliability requirements. Identify functional reliability requirements to reduce the chances of critical failures. Steps to a reliability specification
Bank auto-teller system Each machine in a network is used 300 times a day Bank has 1000 machines Lifetime of software release is 2 years Each machine handles about 200, 000 transactions About 300, 000 database transactions in total per day
Reliability specification for an ATM
Specification validation It is impossible to empirically validate very high reliability specifications. No database corruptions means POFOD of less than 1 in 200 million. If a transaction takes 1 second, then simulating one day’s transactions takes 3.5 days. It would take longer than the system’s lifetime to test it for reliability.
Key points Risk analysis is the basis for identifying system reliability requirements. Risk analysis is concerned with assessing the chances of a risk arising and classifying risks according to their seriousness. Security requirements should identify assets and define how these should be protected. Reliability requirements may be defined quantitatively.
Key points Reliability metrics include POFOD, ROCOF, MTTF and availability. Non-functional reliability specifications can lead to functional system requirements to reduce failures or deal with their occurrence.

More Related Content

PPT
Software safety in embedded systems & software safety why, what, and how
bdemchak
 
PPT
Concepts in Software Safety
dalesanders
 
PPTX
Safety specification (CS 5032 2012)
Ian Sommerville
 
PPT
Ch20
phanleson
 
PPTX
Ch12-Software Engineering 9
Ian Sommerville
 
PDF
Layer of protection analysis
Sandip Sonawane
 
PPTX
Reliability and security specification (CS 5032 2012)
Ian Sommerville
 
PPT
Ch24
phanleson
 
Software safety in embedded systems & software safety why, what, and how
bdemchak
 
Concepts in Software Safety
dalesanders
 
Safety specification (CS 5032 2012)
Ian Sommerville
 
Ch20
phanleson
 
Ch12-Software Engineering 9
Ian Sommerville
 
Layer of protection analysis
Sandip Sonawane
 
Reliability and security specification (CS 5032 2012)
Ian Sommerville
 
Ch24
phanleson
 

What's hot (20)

PPTX
INFOSECFORCE Risk Management Framework Transition Plan
Bill Ross
 
PDF
Continuous Monitoring: Monitoring Strategy – Part 2 of 3
EMC
 
PPTX
RMF Roles and Responsibilities (Part 1)
Donald E. Hester
 
PDF
LOPA | Layer Of Protection Analysis | Gaurav Singh Rajput
Gaurav Singh Rajput
 
PPTX
NIST Risk Management Framework (RMF)
James W. De Rienzo
 
PDF
Understanding the Risk Management Framework & (ISC)2 CAP Module 7: Select Con...
Donald E. Hester
 
PDF
Understanding the Risk Management Framework & (ISC)2 CAP Module 10: Authorize
Donald E. Hester
 
PDF
Understanding the Risk Management Framework & (ISC)2 CAP Module 11: Monitor
Donald E. Hester
 
PDF
Guide for Applying The Risk Management Framework to Federal Information Systems
Guillermo Remache
 
PDF
Understanding the Risk Management Framework & (ISC)2 CAP Module 8: Implement ...
Donald E. Hester
 
DOCX
Priliminary hazard analysis
Amansharma1378
 
PDF
Understanding the Risk Management Framework & (ISC)2 CAP Module 3: Roles
Donald E. Hester
 
PDF
Understanding the Risk Management Framework & (ISC)2 CAP Module 2: Introduction
Donald E. Hester
 
PDF
Understanding the Risk Management Framework & (ISC)2 CAP Module 9: Assess Con...
Donald E. Hester
 
PPTX
Industrial safety unit iv ppt
kannagi varadarajan
 
PPTX
Achieving Continuous Monitoring with Security Automation
Tripwire
 
PPTX
Developing a Continuous Monitoring Action Plan
Tripwire
 
DOCX
Elements to Consider for Risk Assessment in SaMDs
EMMAIntl
 
PDF
Reliability centred maintenance service types & schematic
vasishta bhargava
 
PPT
Lecture 8
Hayat khan
 
INFOSECFORCE Risk Management Framework Transition Plan
Bill Ross
 
Continuous Monitoring: Monitoring Strategy – Part 2 of 3
EMC
 
RMF Roles and Responsibilities (Part 1)
Donald E. Hester
 
LOPA | Layer Of Protection Analysis | Gaurav Singh Rajput
Gaurav Singh Rajput
 
NIST Risk Management Framework (RMF)
James W. De Rienzo
 
Understanding the Risk Management Framework & (ISC)2 CAP Module 7: Select Con...
Donald E. Hester
 
Understanding the Risk Management Framework & (ISC)2 CAP Module 10: Authorize
Donald E. Hester
 
Understanding the Risk Management Framework & (ISC)2 CAP Module 11: Monitor
Donald E. Hester
 
Guide for Applying The Risk Management Framework to Federal Information Systems
Guillermo Remache
 
Understanding the Risk Management Framework & (ISC)2 CAP Module 8: Implement ...
Donald E. Hester
 
Priliminary hazard analysis
Amansharma1378
 
Understanding the Risk Management Framework & (ISC)2 CAP Module 3: Roles
Donald E. Hester
 
Understanding the Risk Management Framework & (ISC)2 CAP Module 2: Introduction
Donald E. Hester
 
Understanding the Risk Management Framework & (ISC)2 CAP Module 9: Assess Con...
Donald E. Hester
 
Industrial safety unit iv ppt
kannagi varadarajan
 
Achieving Continuous Monitoring with Security Automation
Tripwire
 
Developing a Continuous Monitoring Action Plan
Tripwire
 
Elements to Consider for Risk Assessment in SaMDs
EMMAIntl
 
Reliability centred maintenance service types & schematic
vasishta bhargava
 
Lecture 8
Hayat khan
 
Ad

Viewers also liked (9)

PPT
Ch1
phanleson
 
PPT
Ch2
phanleson
 
PPT
Ch25
phanleson
 
PPT
Ch4
phanleson
 
PPT
Ch29
phanleson
 
PPT
Ch01
phanleson
 
PPT
Ch13
phanleson
 
PPT
Ch3
phanleson
 
PPT
Ch11
phanleson
 
Ch1
phanleson
 
Ch2
phanleson
 
Ch25
phanleson
 
Ch4
phanleson
 
Ch29
phanleson
 
Ch01
phanleson
 
Ch13
phanleson
 
Ch3
phanleson
 
Ch11
phanleson
 
Ad

Similar to Ch9 (20)

DOC
Critical systems specification
Aryan Ajmer
 
PPT
Critical System Specification in Software Engineering SE17
koolkampus
 
PPT
Critical System Validation in Software Engineering SE21
koolkampus
 
PPT
Ch3
Saad Gabr
 
PPTX
Ch12
Keith Jasper Mier
 
PPT
Depandability in Software Engineering SE16
koolkampus
 
PPT
8. operational risk management
Sekaransrinivasan Srini
 
PPTX
SEPM_MODULE 2 PPT.pptx
VaishaliBagewadikar
 
PDF
Sil explained in valve actuators
John Kingsley
 
PDF
Reliability Instrumented System | Arrelic Insights
Arrelic
 
PPTX
Software reliability & quality
Nur Islam
 
DOCX
Running head Risk Assessment Repot (RAR) .docx
SUBHI7
 
PPTX
lec 17.pptxlec 17.pptxlec 17.pptxlec 17.pptx
nawasyt700
 
PPT
Safety Integrity Levels
Sandeep Patalay
 
PPT
Safety system
jafarhosseini123
 
PDF
Defense In Depth Using NIST 800-30
Kevin M. Moker, CFE, CISSP, ISSMP, CISM
 
PDF
Optimization of different objective function in risk assessment system
Alexander Decker
 
PPT
Risk Assessment Methodologies
Philippe A. R. Schaeffer
 
PPT
Risk Assessment and Management.ppt
BasauKhator1
 
PPT
Risk assessment and management
TaekHyeun Kim
 
Critical systems specification
Aryan Ajmer
 
Critical System Specification in Software Engineering SE17
koolkampus
 
Critical System Validation in Software Engineering SE21
koolkampus
 
Ch3
Saad Gabr
 
Ch12
Keith Jasper Mier
 
Depandability in Software Engineering SE16
koolkampus
 
8. operational risk management
Sekaransrinivasan Srini
 
SEPM_MODULE 2 PPT.pptx
VaishaliBagewadikar
 
Sil explained in valve actuators
John Kingsley
 
Reliability Instrumented System | Arrelic Insights
Arrelic
 
Software reliability & quality
Nur Islam
 
Running head Risk Assessment Repot (RAR) .docx
SUBHI7
 
lec 17.pptxlec 17.pptxlec 17.pptxlec 17.pptx
nawasyt700
 
Safety Integrity Levels
Sandeep Patalay
 
Safety system
jafarhosseini123
 
Defense In Depth Using NIST 800-30
Kevin M. Moker, CFE, CISSP, ISSMP, CISM
 
Optimization of different objective function in risk assessment system
Alexander Decker
 
Risk Assessment Methodologies
Philippe A. R. Schaeffer
 
Risk Assessment and Management.ppt
BasauKhator1
 
Risk assessment and management
TaekHyeun Kim
 

More from phanleson (20)

PDF
Learning spark ch01 - Introduction to Data Analysis with Spark
phanleson
 
PPT
Firewall - Network Defense in Depth Firewalls
phanleson
 
PPT
Mobile Security - Wireless hacking
phanleson
 
PPT
Authentication in wireless - Security in Wireless Protocols
phanleson
 
PPT
E-Commerce Security - Application attacks - Server Attacks
phanleson
 
PPT
Hacking web applications
phanleson
 
PPTX
HBase In Action - Chapter 04: HBase table design
phanleson
 
PPT
HBase In Action - Chapter 10 - Operations
phanleson
 
PPT
Hbase in action - Chapter 09: Deploying HBase
phanleson
 
PPTX
Learning spark ch11 - Machine Learning with MLlib
phanleson
 
PPTX
Learning spark ch10 - Spark Streaming
phanleson
 
PPTX
Learning spark ch09 - Spark SQL
phanleson
 
PPT
Learning spark ch07 - Running on a Cluster
phanleson
 
PPTX
Learning spark ch06 - Advanced Spark Programming
phanleson
 
PPTX
Learning spark ch05 - Loading and Saving Your Data
phanleson
 
PPTX
Learning spark ch04 - Working with Key/Value Pairs
phanleson
 
PPTX
Learning spark ch01 - Introduction to Data Analysis with Spark
phanleson
 
PPT
Hướng Dẫn Đăng Ký LibertaGia - A guide and introduciton about Libertagia
phanleson
 
PPT
Lecture 1 - Getting to know XML
phanleson
 
PPTX
Lecture 4 - Adding XTHML for the Web
phanleson
 
Learning spark ch01 - Introduction to Data Analysis with Spark
phanleson
 
Firewall - Network Defense in Depth Firewalls
phanleson
 
Mobile Security - Wireless hacking
phanleson
 
Authentication in wireless - Security in Wireless Protocols
phanleson
 
E-Commerce Security - Application attacks - Server Attacks
phanleson
 
Hacking web applications
phanleson
 
HBase In Action - Chapter 04: HBase table design
phanleson
 
HBase In Action - Chapter 10 - Operations
phanleson
 
Hbase in action - Chapter 09: Deploying HBase
phanleson
 
Learning spark ch11 - Machine Learning with MLlib
phanleson
 
Learning spark ch10 - Spark Streaming
phanleson
 
Learning spark ch09 - Spark SQL
phanleson
 
Learning spark ch07 - Running on a Cluster
phanleson
 
Learning spark ch06 - Advanced Spark Programming
phanleson
 
Learning spark ch05 - Loading and Saving Your Data
phanleson
 
Learning spark ch04 - Working with Key/Value Pairs
phanleson
 
Learning spark ch01 - Introduction to Data Analysis with Spark
phanleson
 
Hướng Dẫn Đăng Ký LibertaGia - A guide and introduciton about Libertagia
phanleson
 
Lecture 1 - Getting to know XML
phanleson
 
Lecture 4 - Adding XTHML for the Web
phanleson
 

Recently uploaded (20)

PDF
Laughter Yoga Basic Learning Workshop Manual
yeechensee
 
DOCX
unit 2 cost accounting- Tender and Quotation & Reconciliation Statement
MANJU N
 
PDF
kom-180-proposal-for-a-directive-amending-directive-2014-45-eu-and-directive-...
nlusch08
 
PDF
Elevate Cleaning Efficiency Using Tallfly Hair Remover Roller Factory Expertise
farsookmon97766765
 
PPTX
Amazon (Business Studies) management studies
AbhirupVerma
 
PPTX
Business Ethics - An introduction and its overview.pptx
Keerthana Chinnathambi
 
PPTX
5 Stages of group development guide.pptx
keerthanashanmugam201
 
PPTX
HR Introduction Slide (1).pptx on hr intro
suhanidwivedi227
 
PDF
COST SHEET- Tender and Quotation unit 2.pdf
MANJU N
 
PDF
Types of control:Qualitative vs Quantitative
reshmaaslm06
 
PDF
Nidhal Samdaie CV - International Business Consultant
Nidhal Samdaie
 
PPTX
New Microsoft PowerPoint Presentation - Copy.pptx
itsmesumedh96
 
PDF
Unit 1 Cost Accounting - Cost sheet
MANJU N
 
PPTX
Belch_12e_PPT_Ch18_Accessible_university.pptx
Haitham327103
 
PDF
IFRS Notes in your pocket for study all the time
jjj81507
 
PPT
Chapter four Project-Preparation material
argachewbochena1
 
PPT
340036916-American-Literature-Literary-Period-Overview.ppt
carinaherdiles611
 
PDF
WRN_Investor_Presentation_August 2025.pdf
cmagee4
 
DOCX
Euro SEO Services 1st 3 General Updates.docx
AmirNazir49
 
PDF
20250805_A. Stotz All Weather Strategy - Performance review July 2025.pdf
FINNOMENAMarketing
 
Laughter Yoga Basic Learning Workshop Manual
yeechensee
 
unit 2 cost accounting- Tender and Quotation & Reconciliation Statement
MANJU N
 
kom-180-proposal-for-a-directive-amending-directive-2014-45-eu-and-directive-...
nlusch08
 
Elevate Cleaning Efficiency Using Tallfly Hair Remover Roller Factory Expertise
farsookmon97766765
 
Amazon (Business Studies) management studies
AbhirupVerma
 
Business Ethics - An introduction and its overview.pptx
Keerthana Chinnathambi
 
5 Stages of group development guide.pptx
keerthanashanmugam201
 
HR Introduction Slide (1).pptx on hr intro
suhanidwivedi227
 
COST SHEET- Tender and Quotation unit 2.pdf
MANJU N
 
Types of control:Qualitative vs Quantitative
reshmaaslm06
 
Nidhal Samdaie CV - International Business Consultant
Nidhal Samdaie
 
New Microsoft PowerPoint Presentation - Copy.pptx
itsmesumedh96
 
Unit 1 Cost Accounting - Cost sheet
MANJU N
 
Belch_12e_PPT_Ch18_Accessible_university.pptx
Haitham327103
 
IFRS Notes in your pocket for study all the time
jjj81507
 
Chapter four Project-Preparation material
argachewbochena1
 
340036916-American-Literature-Literary-Period-Overview.ppt
carinaherdiles611
 
WRN_Investor_Presentation_August 2025.pdf
cmagee4
 
Euro SEO Services 1st 3 General Updates.docx
AmirNazir49
 
20250805_A. Stotz All Weather Strategy - Performance review July 2025.pdf
FINNOMENAMarketing
 

Ch9

  • 2. Objectives To explain how dependability requirements may be identified by analysing the risks faced by critical systems To explain how safety requirements are generated from the system risk analysis To explain the derivation of security requirements To describe metrics used for reliability specification
  • 3. Topics covered Risk-driven specification Safety specification Security specification Software reliability specification
  • 4. Dependability requirements Functional requirements to define error checking and recovery facilities and protection against system failures. Non-functional requirements defining the required reliability and availability of the system. Excluding requirements that define states and conditions that must not arise.
  • 5. Risk-driven specification Critical systems specification should be risk-driven. This approach has been widely used in safety and security-critical systems. The aim of the specification process should be to understand the risks (safety, security, etc.) faced by the system and to define requirements that reduce these risks.
  • 6. Stages of risk-based analysis Risk identification Identify potential risks that may arise. Risk analysis and classification Assess the seriousness of each risk. Risk decomposition Decompose risks to discover their potential root causes. Risk reduction assessment Define how each risk must be taken into eliminated or reduced when the system is designed.
  • 8. Risk identification Identify the risks faced by the critical system. In safety-critical systems, the risks are the hazards that can lead to accidents. In security-critical systems, the risks are the potential attacks on the system. In risk identification, you should identify risk classes and position risks in these classes Service failure; Electrical risks; …
  • 9. Insulin pump risks Insulin overdose (service failure). Insulin underdose (service failure). Power failure due to exhausted battery (electrical). Electrical interference with other medical equipment (electrical). Poor sensor and actuator contact (physical). Parts of machine break off in body (physical). Infection caused by introduction of machine (biological). Allergic reaction to materials or insulin (biological).
  • 10. Risk analysis and classification The process is concerned with understanding the likelihood that a risk will arise and the potential consequences if an accident or incident should occur. Risks may be categorised as: Intolerable. Must never arise or result in an accident As low as reasonably practical(ALARP). Must minimise the possibility of risk given cost and schedule constraints Acceptable. The consequences of the risk are acceptable and no extra costs should be incurred to reduce hazard probability
  • 12. Social acceptability of risk The acceptability of a risk is determined by human, social and political considerations. In most societies, the boundaries between the regions are pushed upwards with time i.e. society is less willing to accept risk For example, the costs of cleaning up pollution may be less than the costs of preventing it but this may not be socially acceptable. Risk assessment is subjective Risks are identified as probable, unlikely, etc. This depends on who is making the assessment.
  • 13. Risk assessment Estimate the risk probability and the risk severity. It is not normally possible to do this precisely so relative values are used such as ‘unlikely’, ‘rare’, ‘very high’, etc. The aim must be to exclude risks that are likely to arise or that have high severity.
  • 14. Risk assessment - insulin pump
  • 15. Risk decomposition Concerned with discovering the root causes of risks in a particular system. Techniques have been mostly derived from safety-critical systems and can be Inductive, bottom-up techniques. Start with a proposed system failure and assess the hazards that could arise from that failure; Deductive, top-down techniques. Start with a hazard and deduce what the causes of this could be.
  • 16. Fault-tree analysis A deductive top-down technique. Put the risk or hazard at the root of the tree and identify the system states that could lead to that hazard. Where appropriate, link these with ‘and’ or ‘or’ conditions. A goal should be to minimise the number of single causes of system failure.
  • 18. Risk reduction assessment The aim of this process is to identify dependability requirements that specify how the risks should be managed and ensure that accidents/incidents do not arise. Risk reduction strategies Risk avoidance; Risk detection and removal; Damage limitation.
  • 19. Strategy use Normally, in critical systems, a mix of risk reduction strategies are used. In a chemical plant control system, the system will include sensors to detect and correct excess pressure in the reactor. However, it will also include an independent protection system that opens a relief valve if dangerously high pressure is detected.
  • 20. Insulin pump - software risks Arithmetic error A computation causes the value of a variable to overflow or underflow; Maybe include an exception handler for each type of arithmetic error. Algorithmic error Compare dose to be delivered with previous dose or safe maximum doses. Reduce dose if too high.
  • 21. Safety requirements - insulin pump
  • 22. Safety specification The safety requirements of a system should be separately specified. These requirements should be based on an analysis of the possible hazards and risks as previously discussed. Safety requirements usually apply to the system as a whole rather than to individual sub-systems. In systems engineering terms, the safety of a system is an emergent property.
  • 23. IEC 61508 An international standard for safety management that was specifically designed for protection systems - it is not applicable to all safety-critical systems. Incorporates a model of the safety life cycle and covers all aspects of safety management from scope definition to system decommissioning.
  • 24. Control system safety requirements
  • 25. The safety life-cycle ©Ian Sommerville 2000 Dependable systems specification Slide
  • 26. Safety requirements Functional safety requirements These define the safety functions of the protection system i.e. the define how the system should provide protection. Safety integrity requirements These define the reliability and availability of the protection system. They are based on expected usage and are classified using a safety integrity level from 1 to 4.
  • 27. Security specification Has some similarities to safety specification Not possible to specify security requirements quantitatively; The requirements are often ‘shall not’ rather than ‘shall’ requirements. Differences No well-defined notion of a security life cycle for security management; No standards; Generic threats rather than system specific hazards; Mature security technology (encryption, etc.). However, there are problems in transferring this into general use; The dominance of a single supplier (Microsoft) means that huge numbers of systems may be affected by security failure.
  • 29. Stages in security specification Asset identification and evaluation The assets (data and programs) and their required degree of protection are identified. The degree of required protection depends on the asset value so that a password file (say) is more valuable than a set of public web pages. Threat analysis and risk assessment Possible security threats are identified and the risks associated with each of these threats is estimated. Threat assignment Identified threats are related to the assets so that, for each identified asset, there is a list of associated threats.
  • 30. Stages in security specification Technology analysis Available security technologies and their applicability against the identified threats are assessed. Security requirements specification The security requirements are specified. Where appropriate, these will explicitly identified the security technologies that may be used to protect against different threats to the system.
  • 31. Types of security requirement Identification requirements. Authentication requirements. Authorisation requirements. Immunity requirements. Integrity requirements. Intrusion detection requirements. Non-repudiation requirements. Privacy requirements. Security auditing requirements. System maintenance security requirements.
  • 33. System reliability specification Hardware reliability What is the probability of a hardware component failing and how long does it take to repair that component? Software reliability How likely is it that a software component will produce an incorrect output. Software failures are different from hardware failures in that software does not wear out. It can continue in operation even after an incorrect result has been produced. Operator reliability How likely is it that the operator of a system will make an error?
  • 34. Functional reliability requirements A predefined range for all values that are input by the operator shall be defined and the system shall check that all operator inputs fall within this predefined range. The system shall check all disks for bad blocks when it is initialised. The system must use N-version programming to implement the braking control system. The system must be implemented in a safe subset of Ada and checked using static analysis.
  • 35. The required level of system reliability required should be expressed quantitatively. Reliability is a dynamic system attribute- reliability specifications related to the source code are meaningless. No more than N faults/1000 lines; This is only useful for a post-delivery process analysis where you are trying to assess how good your development techniques are. An appropriate reliability metric should be chosen to specify the overall system reliability. Non-functional reliability specification
  • 36. Reliability metrics are units of measurement of system reliability. System reliability is measured by counting the number of operational failures and, where appropriate, relating these to the demands made on the system and the time that the system has been operational. A long-term measurement programme is required to assess the reliability of critical systems. Reliability metrics
  • 38. Probability of failure on demand This is the probability that the system will fail when a service request is made. Useful when demands for service are intermittent and relatively infrequent. Appropriate for protection systems where services are demanded occasionally and where there are serious consequence if the service is not delivered. Relevant for many safety-critical systems with exception management components Emergency shutdown system in a chemical plant.
  • 39. Rate of fault occurrence (ROCOF) Reflects the rate of occurrence of failure in the system. ROCOF of 0.002 means 2 failures are likely in each 1000 operational time units e.g. 2 failures per 1000 hours of operation. Relevant for operating systems, transaction processing systems where the system has to process a large number of similar requests that are relatively frequent Credit card processing system, airline booking system.
  • 40. Mean time to failure Measure of the time between observed failures of the system. Is the reciprocal of ROCOF for stable systems. MTTF of 500 means that the mean time between failures is 500 time units. Relevant for systems with long transactions i.e. where system processing takes a long time. MTTF should be longer than transaction length Computer-aided design systems where a designer will work on a design for several hours, word processor systems.
  • 41. Availability Measure of the fraction of the time that the system is available for use. Takes repair and restart time into account Availability of 0.998 means software is available for 998 out of 1000 time units. Relevant for non-stop, continuously running systems telephone switching systems, railway signalling systems.
  • 42. Non-functional requirements spec. Reliability measurements do NOT take the consequences of failure into account. Transient faults may have no real consequences but other faults may cause data loss or corruption and loss of system service. May be necessary to identify different failure classes and use different metrics for each of these. The reliability specification must be structured.
  • 43. Failure consequences When specifying reliability, it is not just the number of system failures that matter but the consequences of these failures. Failures that have serious consequences are clearly more damaging than those where repair and recovery is straightforward. In some cases, therefore, different reliability specifications for different types of failure may be defined.
  • 45. For each sub-system, analyse the consequences of possible system failures. From the system failure analysis, partition failures into appropriate classes. For each failure class identified, set out the reliability using an appropriate metric. Different metrics may be used for different reliability requirements. Identify functional reliability requirements to reduce the chances of critical failures. Steps to a reliability specification
  • 46. Bank auto-teller system Each machine in a network is used 300 times a day Bank has 1000 machines Lifetime of software release is 2 years Each machine handles about 200, 000 transactions About 300, 000 database transactions in total per day
  • 48. Specification validation It is impossible to empirically validate very high reliability specifications. No database corruptions means POFOD of less than 1 in 200 million. If a transaction takes 1 second, then simulating one day’s transactions takes 3.5 days. It would take longer than the system’s lifetime to test it for reliability.
  • 49. Key points Risk analysis is the basis for identifying system reliability requirements. Risk analysis is concerned with assessing the chances of a risk arising and classifying risks according to their seriousness. Security requirements should identify assets and define how these should be protected. Reliability requirements may be defined quantitatively.
  • 50. Key points Reliability metrics include POFOD, ROCOF, MTTF and availability. Non-functional reliability specifications can lead to functional system requirements to reduce failures or deal with their occurrence.