Industrial Avionics Working Group
18/04/07
Propose Safety Case Architecture
What is a ‘Safety Case Architecture (SCA)’?
• Top level view of the Modular Safety Argument
• A Safety Case Architecture includes
  – Overview of the major SC Modules
  – Detailed definition of the interfaces between SC Modules
• Each SC Module can be either
  – A standard Safety Case Module
  – A Safety Case Contract Module
• Each SC Module provides either
  – Argument over elements within the Software System
  – Integration Arguments
• Linking Modular Arguments
  – Goals requiring Support from Other Modules
    • Module Reference
    • Away Goal Reference
    • Safety Case Contract
Modularity in the Safety Case (SC)
• Success in containing change is strongly influenced by the modularity of the design
  – More difficult to define SC boundaries for a legacy system that does not strongly feature modularity in the design
• SC module boundaries should be influenced by the design
• SC boundaries should yield SC modules that typically exhibit
  – High cohesion
  – Low coupling
  – Well defined boundaries
  – Information hiding
• Other factors
  – Anticipated future change
  – Use of COTS
• Granularity of the safety case
  – Few modules limits the ability to deal with change
  – Many modules could significantly increase complexity (and costs)
Modular Safety Argument Overview
• Argument over elements within the Software System
  – Blocks in the Application Layer
  – OSL
  – MSL
• Integration Arguments regarding
  – Architecture
    • Integration of OSL and MSL
    • Provision and performance of services
  – Application Layer
    • Integration of the Software Applications
    • Integration of the Arguments for each Block
  – Overall Integration
    • Integration of the Applications with the Architecture
Safety Case Argument Modules
[Diagram: Safety Case Argument Modules – APOS, MOS, Safety Requirements, Application Integration, Applications, Operating System Layer, Module Support Layer, Architecture Integration, RTBP]
Example Safety Case Architecture – Argument Modules
[Diagram: example argument modules – Safety Requirements; Application 1, Application 2, Application 3; Application Integration; RTBP; Architecture Integration; Operating System Layer; Module Support Layer]
Application Layer (AL) Partitioning (1) – Physical Domain
[Diagram: the Application Layer in the physical domain – applications App P, App Q, App R and App S, each made up of cells (P1…Pn, Q1…Qn, R1…Rn, S1…Sn), with the cells of different applications distributed across the Application Layer]
Cell: all inter-cell interactions are via the architecture.
AL Partitioning (2) – Safety Domain
[Diagram: the Application Layer in the safety domain – a grid with Assurance (Low / High) on one axis and Susceptibility to Change (Low / High) on the other. Regions: Extensible Core, Low Assurance / Low Change, High Assurance / Low Change, High Assurance / High Change, Low Assurance / High Change. Each Region contains Blocks, and each Block contains Cells.]
Block interactions – contracted behaviour.
AL Partitioning (3) – Logical Partitioning Rationale
• Too many blocks
  – Very extensible
  – Expensive to set up contracts between blocks
• Too coarse
  – Limited extensibility
  – Reduced set-up costs
• Compromise
  – Extensible in HC/HA
  – Some extensibility in HC/LA & LA/HC
[Diagram: three partitioning grids (fine, coarse, compromise), each with Change and Assurance axes]
AL Partitioning (4) – Partitioning Guidelines
• Assurance
  – Each LA cell maps to a block in the LA regions
  – HA / mixed-assurance cells map to blocks in the HA regions
• Susceptibility to Change
  – Each LC cell maps to a block in the LC regions
  – HC / mixed-susceptibility-to-change cells map to blocks in the HC regions
• All cells that are LC & LA map to one Block in the LCLA region
• Example considerations for grouping cells into Blocks
  – Impact of change scenarios
    • Isolate sets of cells that are affected by groups of changes
    • Likelihood of future change in assurance
    • Impact of future change uncertain
  – Synergy
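The partitioning guidelines above can be applied mechanically: the two mapping rules pick a region for every cell, and within a region cells hit by the same set of change scenarios are grouped into one block so that a change stays contained. The following is an added example, not code from the Working Group; the `Cell` classification fields, the scenario ids and the sample cells are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

ASSURANCE = {"LA", "HA", "mixed"}
CHANGE = {"LC", "HC", "mixed"}

@dataclass(frozen=True)
class Cell:
    name: str
    assurance: str                        # "LA", "HA" or "mixed" (cell spans assurance levels)
    change: str                           # "LC", "HC" or "mixed" (susceptibility to change)
    scenarios: frozenset = frozenset()    # ids of the change scenarios that would affect this cell

def region_of(cell):
    """Mapping rules: only a pure LA cell may go to an LA region and only a pure
    LC cell may go to an LC region; HA/mixed -> HA, HC/mixed -> HC."""
    if cell.assurance not in ASSURANCE or cell.change not in CHANGE:
        raise ValueError(f"unknown classification for cell {cell.name}")
    assurance = "LA" if cell.assurance == "LA" else "HA"
    change = "LC" if cell.change == "LC" else "HC"
    return change + assurance             # e.g. "HCHA", the slides' region labels

def partition(cells):
    """Group cells into blocks. Inside a region, cells affected by the same set of
    change scenarios share a block (isolating change impact); the LCLA region always
    collapses to a single block. Returns {block_name: [cell names]}."""
    groups = defaultdict(list)
    for cell in cells:
        region = region_of(cell)
        scen = frozenset() if region == "LCLA" else cell.scenarios
        groups[(region, scen)].append(cell.name)
    blocks, count = {}, defaultdict(int)
    for region, scen in sorted(groups, key=lambda k: (k[0], sorted(k[1]))):
        count[region] += 1
        blocks[f"{region}{count[region]}"] = sorted(groups[(region, scen)])
    return blocks

# Constructed sample cells (not from the slides), named after the App P/Q/R/S cells
SAMPLE_CELLS = [
    Cell("P1", "LA", "LC"),
    Cell("P2", "LA", "LC", frozenset({"s3"})),     # still lands in the single LCLA block
    Cell("Q1", "HA", "LC"),
    Cell("Q2", "HA", "LC"),
    Cell("Q3", "mixed", "LC", frozenset({"s1"})),  # mixed assurance -> HA region
    Cell("R1", "HA", "HC", frozenset({"s1"})),
    Cell("R2", "HA", "mixed", frozenset({"s1"})),  # mixed change -> HC region, same scenarios as R1
    Cell("R3", "HA", "HC", frozenset({"s2"})),
    Cell("S1", "LA", "HC", frozenset({"s2"})),
]

if __name__ == "__main__":
    for block, members in partition(SAMPLE_CELLS).items():
        print(block, members)
```

Running it yields HCHA1 = [R1, R2], HCHA2 = [R3], HCLA1 = [S1], LCHA1 = [Q1, Q2], LCHA2 = [Q3] and LCLA1 = [P1, P2], i.e. the block naming used on the example partitioning slide.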
AL Partitioning (5) – Example Partitioning
[Diagram: example partitioning of the Application Layer on Susceptibility to Change vs Assurance axes – blocks LCHA1, LCHA2, LCHA3; LCLA1; HCHA1 to HCHA6 and HCHA{N}; HCLA1 to HCLA4]
IMSSC Process - Modules
[Diagram: process modules – APOS, MOS, OSL, MSL, Arch Int, AL Int, RTBP, {Block X}, Safety_Req]
Safety Case Architecture for IMSCC Process
• A basic set of SC Modules is specified
  – Module names may be varied to meet project preferences, but the intent and underlying meaning should be maintained
  – Modules may be created iteratively, in parallel and in any order
  – Product and Process arguments may be included, as required
• Flexibility to facilitate optimisation of the SCA
  – Additional SC Modules may be added to cover the arguments described for each of the specified SC Modules
  – Containment may be employed to scope the argument
  – Tailoring is possible, e.g. the whole application layer could be argued about should this be required to meet design constraints
Safety Case Architecture – Initial Proposal
[Diagram: initial proposal – Safety_Req; Block X, Block Y, Block Z; AL Int; Arch Int; OSL; MSL; RTBP]